summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnthony G. Basile <blueness@gentoo.org>2016-12-16 20:18:35 -0500
committerAnthony G. Basile <blueness@gentoo.org>2016-12-16 20:18:35 -0500
commitb7bdfc99e1ee690ec80d1917d4f2568a8248bb03 (patch)
tree13b92af1fde596eb9d3bc904f6c1823171fbe93b
parentgrsecurity-3.1-4.8.14-201612110933 (diff)
downloadhardened-patchset-20161215.tar.gz
hardened-patchset-20161215.tar.bz2
hardened-patchset-20161215.zip
grsecurity-3.1-4.8.15-20161215192320161215
-rw-r--r--4.8.15/0000_README (renamed from 4.8.14/0000_README)6
-rw-r--r--4.8.15/1012_linux-4.8.13.patch (renamed from 4.8.14/1012_linux-4.8.13.patch)0
-rw-r--r--4.8.15/1013_linux-4.8.14.patch (renamed from 4.8.14/1013_linux-4.8.14.patch)0
-rw-r--r--4.8.15/1014_linux-4.8.15.patch1042
-rw-r--r--4.8.15/4420_grsecurity-3.1-4.8.15-201612151923.patch (renamed from 4.8.14/4420_grsecurity-3.1-4.8.14-201612110933.patch)32
-rw-r--r--4.8.15/4425_grsec_remove_EI_PAX.patch (renamed from 4.8.14/4425_grsec_remove_EI_PAX.patch)0
-rw-r--r--4.8.15/4427_force_XATTR_PAX_tmpfs.patch (renamed from 4.8.14/4427_force_XATTR_PAX_tmpfs.patch)0
-rw-r--r--4.8.15/4430_grsec-remove-localversion-grsec.patch (renamed from 4.8.14/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--4.8.15/4435_grsec-mute-warnings.patch (renamed from 4.8.14/4435_grsec-mute-warnings.patch)0
-rw-r--r--4.8.15/4440_grsec-remove-protected-paths.patch (renamed from 4.8.14/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--4.8.15/4450_grsec-kconfig-default-gids.patch (renamed from 4.8.14/4450_grsec-kconfig-default-gids.patch)0
-rw-r--r--4.8.15/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 4.8.14/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--4.8.15/4470_disable-compat_vdso.patch (renamed from 4.8.14/4470_disable-compat_vdso.patch)0
-rw-r--r--4.8.15/4475_emutramp_default_on.patch (renamed from 4.8.14/4475_emutramp_default_on.patch)0
14 files changed, 1068 insertions, 12 deletions
diff --git a/4.8.14/0000_README b/4.8.15/0000_README
index e2c9a03..cd91d08 100644
--- a/4.8.14/0000_README
+++ b/4.8.15/0000_README
@@ -10,7 +10,11 @@ Patch: 1013_linux-4.8.14.patch
From: http://www.kernel.org
Desc: Linux 4.8.14
-Patch: 4420_grsecurity-3.1-4.8.14-201612110933.patch
+Patch: 1014_linux-4.8.15.patch
+From: http://www.kernel.org
+Desc: Linux 4.8.15
+
+Patch: 4420_grsecurity-3.1-4.8.15-201612151923.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.8.14/1012_linux-4.8.13.patch b/4.8.15/1012_linux-4.8.13.patch
index c742393..c742393 100644
--- a/4.8.14/1012_linux-4.8.13.patch
+++ b/4.8.15/1012_linux-4.8.13.patch
diff --git a/4.8.14/1013_linux-4.8.14.patch b/4.8.15/1013_linux-4.8.14.patch
index 63d837b..63d837b 100644
--- a/4.8.14/1013_linux-4.8.14.patch
+++ b/4.8.15/1013_linux-4.8.14.patch
diff --git a/4.8.15/1014_linux-4.8.15.patch b/4.8.15/1014_linux-4.8.15.patch
new file mode 100644
index 0000000..9b7b2f4
--- /dev/null
+++ b/4.8.15/1014_linux-4.8.15.patch
@@ -0,0 +1,1042 @@
+diff --git a/Makefile b/Makefile
+index 6a74924..c7f0e79 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 8
+-SUBLEVEL = 14
++SUBLEVEL = 15
+ EXTRAVERSION =
+ NAME = Psychotic Stoned Sheep
+
+diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi
+index 1e90bdb..fb307de 100644
+--- a/arch/arm/boot/dts/imx7s.dtsi
++++ b/arch/arm/boot/dts/imx7s.dtsi
+@@ -640,9 +640,8 @@
+ reg = <0x30730000 0x10000>;
+ interrupts = <GIC_SPI 5 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&clks IMX7D_LCDIF_PIXEL_ROOT_CLK>,
+- <&clks IMX7D_CLK_DUMMY>,
+- <&clks IMX7D_CLK_DUMMY>;
+- clock-names = "pix", "axi", "disp_axi";
++ <&clks IMX7D_LCDIF_PIXEL_ROOT_CLK>;
++ clock-names = "pix", "axi";
+ status = "disabled";
+ };
+ };
+diff --git a/arch/arm/boot/dts/orion5x-linkstation-lsgl.dts b/arch/arm/boot/dts/orion5x-linkstation-lsgl.dts
+index 1cf644b..51dc734 100644
+--- a/arch/arm/boot/dts/orion5x-linkstation-lsgl.dts
++++ b/arch/arm/boot/dts/orion5x-linkstation-lsgl.dts
+@@ -82,6 +82,10 @@
+ gpios = <&gpio0 9 GPIO_ACTIVE_HIGH>;
+ };
+
++&sata {
++ nr-ports = <2>;
++};
++
+ &ehci1 {
+ status = "okay";
+ };
+diff --git a/arch/m68k/include/asm/delay.h b/arch/m68k/include/asm/delay.h
+index d28fa8f..c598d84 100644
+--- a/arch/m68k/include/asm/delay.h
++++ b/arch/m68k/include/asm/delay.h
+@@ -114,6 +114,6 @@ static inline void __udelay(unsigned long usecs)
+ */
+ #define HZSCALE (268435456 / (1000000 / HZ))
+
+-#define ndelay(n) __delay(DIV_ROUND_UP((n) * ((((HZSCALE) >> 11) * (loops_per_jiffy >> 11)) >> 6), 1000));
++#define ndelay(n) __delay(DIV_ROUND_UP((n) * ((((HZSCALE) >> 11) * (loops_per_jiffy >> 11)) >> 6), 1000))
+
+ #endif /* defined(_M68K_DELAY_H) */
+diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h
+index c2c43f7..3a4ed9f 100644
+--- a/arch/parisc/include/asm/pgtable.h
++++ b/arch/parisc/include/asm/pgtable.h
+@@ -65,9 +65,9 @@ static inline void purge_tlb_entries(struct mm_struct *mm, unsigned long addr)
+ unsigned long flags; \
+ spin_lock_irqsave(&pa_tlb_lock, flags); \
+ old_pte = *ptep; \
+- set_pte(ptep, pteval); \
+ if (pte_inserted(old_pte)) \
+ purge_tlb_entries(mm, addr); \
++ set_pte(ptep, pteval); \
+ spin_unlock_irqrestore(&pa_tlb_lock, flags); \
+ } while (0)
+
+@@ -478,8 +478,8 @@ static inline int ptep_test_and_clear_young(struct vm_area_struct *vma, unsigned
+ spin_unlock_irqrestore(&pa_tlb_lock, flags);
+ return 0;
+ }
+- set_pte(ptep, pte_mkold(pte));
+ purge_tlb_entries(vma->vm_mm, addr);
++ set_pte(ptep, pte_mkold(pte));
+ spin_unlock_irqrestore(&pa_tlb_lock, flags);
+ return 1;
+ }
+@@ -492,9 +492,9 @@ static inline pte_t ptep_get_and_clear(struct mm_struct *mm, unsigned long addr,
+
+ spin_lock_irqsave(&pa_tlb_lock, flags);
+ old_pte = *ptep;
+- set_pte(ptep, __pte(0));
+ if (pte_inserted(old_pte))
+ purge_tlb_entries(mm, addr);
++ set_pte(ptep, __pte(0));
+ spin_unlock_irqrestore(&pa_tlb_lock, flags);
+
+ return old_pte;
+@@ -504,8 +504,8 @@ static inline void ptep_set_wrprotect(struct mm_struct *mm, unsigned long addr,
+ {
+ unsigned long flags;
+ spin_lock_irqsave(&pa_tlb_lock, flags);
+- set_pte(ptep, pte_wrprotect(*ptep));
+ purge_tlb_entries(mm, addr);
++ set_pte(ptep, pte_wrprotect(*ptep));
+ spin_unlock_irqrestore(&pa_tlb_lock, flags);
+ }
+
+diff --git a/arch/parisc/kernel/cache.c b/arch/parisc/kernel/cache.c
+index c2259d4..bbb314eb 100644
+--- a/arch/parisc/kernel/cache.c
++++ b/arch/parisc/kernel/cache.c
+@@ -393,6 +393,15 @@ void __init parisc_setup_cache_timing(void)
+
+ /* calculate TLB flush threshold */
+
++ /* On SMP machines, skip the TLB measure of kernel text which
++ * has been mapped as huge pages. */
++ if (num_online_cpus() > 1 && !parisc_requires_coherency()) {
++ threshold = max(cache_info.it_size, cache_info.dt_size);
++ threshold *= PAGE_SIZE;
++ threshold /= num_online_cpus();
++ goto set_tlb_threshold;
++ }
++
+ alltime = mfctl(16);
+ flush_tlb_all();
+ alltime = mfctl(16) - alltime;
+@@ -411,6 +420,8 @@ void __init parisc_setup_cache_timing(void)
+ alltime, size, rangetime);
+
+ threshold = PAGE_ALIGN(num_online_cpus() * size * alltime / rangetime);
++
++set_tlb_threshold:
+ if (threshold)
+ parisc_tlb_flush_threshold = threshold;
+ printk(KERN_INFO "TLB flush threshold set to %lu KiB\n",
+diff --git a/arch/parisc/kernel/pacache.S b/arch/parisc/kernel/pacache.S
+index 6755219..a4761b7 100644
+--- a/arch/parisc/kernel/pacache.S
++++ b/arch/parisc/kernel/pacache.S
+@@ -886,19 +886,10 @@ ENTRY(flush_dcache_page_asm)
+ fdc,m r31(%r28)
+ fdc,m r31(%r28)
+ fdc,m r31(%r28)
+- cmpb,COND(<<) %r28, %r25,1b
++ cmpb,COND(<<) %r28, %r25,1b
+ fdc,m r31(%r28)
+
+ sync
+-
+-#ifdef CONFIG_PA20
+- pdtlb,l %r0(%r25)
+-#else
+- tlb_lock %r20,%r21,%r22
+- pdtlb %r0(%r25)
+- tlb_unlock %r20,%r21,%r22
+-#endif
+-
+ bv %r0(%r2)
+ nop
+ .exit
+@@ -973,17 +964,6 @@ ENTRY(flush_icache_page_asm)
+ fic,m %r31(%sr4,%r28)
+
+ sync
+-
+-#ifdef CONFIG_PA20
+- pdtlb,l %r0(%r28)
+- pitlb,l %r0(%sr4,%r25)
+-#else
+- tlb_lock %r20,%r21,%r22
+- pdtlb %r0(%r28)
+- pitlb %r0(%sr4,%r25)
+- tlb_unlock %r20,%r21,%r22
+-#endif
+-
+ bv %r0(%r2)
+ nop
+ .exit
+diff --git a/arch/powerpc/boot/Makefile b/arch/powerpc/boot/Makefile
+index 1a2a6e8..1894beb 100644
+--- a/arch/powerpc/boot/Makefile
++++ b/arch/powerpc/boot/Makefile
+@@ -78,7 +78,8 @@ src-wlib-y := string.S crt0.S crtsavres.S stdio.c main.c \
+ ns16550.c serial.c simple_alloc.c div64.S util.S \
+ gunzip_util.c elf_util.c $(zlib) devtree.c stdlib.c \
+ oflib.c ofconsole.c cuboot.c mpsc.c cpm-serial.c \
+- uartlite.c mpc52xx-psc.c opal.c opal-calls.S
++ uartlite.c mpc52xx-psc.c opal.c
++src-wlib-$(CONFIG_PPC64_BOOT_WRAPPER) += opal-calls.S
+ src-wlib-$(CONFIG_40x) += 4xx.c planetcore.c
+ src-wlib-$(CONFIG_44x) += 4xx.c ebony.c bamboo.c
+ src-wlib-$(CONFIG_8xx) += mpc8xx.c planetcore.c fsl-soc.c
+diff --git a/arch/powerpc/boot/opal.c b/arch/powerpc/boot/opal.c
+index d7b4fd4..0272570 100644
+--- a/arch/powerpc/boot/opal.c
++++ b/arch/powerpc/boot/opal.c
+@@ -13,7 +13,7 @@
+ #include <libfdt.h>
+ #include "../include/asm/opal-api.h"
+
+-#ifdef __powerpc64__
++#ifdef CONFIG_PPC64_BOOT_WRAPPER
+
+ /* Global OPAL struct used by opal-call.S */
+ struct opal {
+diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c
+index 29aa8d1..248f28b 100644
+--- a/arch/powerpc/kernel/eeh_driver.c
++++ b/arch/powerpc/kernel/eeh_driver.c
+@@ -671,8 +671,10 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus,
+
+ /* Clear frozen state */
+ rc = eeh_clear_pe_frozen_state(pe, false);
+- if (rc)
++ if (rc) {
++ pci_unlock_rescan_remove();
+ return rc;
++ }
+
+ /* Give the system 5 seconds to finish running the user-space
+ * hotplug shutdown scripts, e.g. ifdown for ethernet. Yes,
+diff --git a/arch/powerpc/mm/hash64_4k.c b/arch/powerpc/mm/hash64_4k.c
+index 42c702b..6fa450c 100644
+--- a/arch/powerpc/mm/hash64_4k.c
++++ b/arch/powerpc/mm/hash64_4k.c
+@@ -55,7 +55,7 @@ int __hash_page_4K(unsigned long ea, unsigned long access, unsigned long vsid,
+ */
+ rflags = htab_convert_pte_flags(new_pte);
+
+- if (!cpu_has_feature(CPU_FTR_NOEXECUTE) &&
++ if (cpu_has_feature(CPU_FTR_NOEXECUTE) &&
+ !cpu_has_feature(CPU_FTR_COHERENT_ICACHE))
+ rflags = hash_page_do_lazy_icache(rflags, __pte(old_pte), trap);
+
+diff --git a/arch/powerpc/mm/hash64_64k.c b/arch/powerpc/mm/hash64_64k.c
+index 3bbbea0..1a68cb1 100644
+--- a/arch/powerpc/mm/hash64_64k.c
++++ b/arch/powerpc/mm/hash64_64k.c
+@@ -87,7 +87,7 @@ int __hash_page_4K(unsigned long ea, unsigned long access, unsigned long vsid,
+ subpg_pte = new_pte & ~subpg_prot;
+ rflags = htab_convert_pte_flags(subpg_pte);
+
+- if (!cpu_has_feature(CPU_FTR_NOEXECUTE) &&
++ if (cpu_has_feature(CPU_FTR_NOEXECUTE) &&
+ !cpu_has_feature(CPU_FTR_COHERENT_ICACHE)) {
+
+ /*
+@@ -258,7 +258,7 @@ int __hash_page_64K(unsigned long ea, unsigned long access,
+
+ rflags = htab_convert_pte_flags(new_pte);
+
+- if (!cpu_has_feature(CPU_FTR_NOEXECUTE) &&
++ if (cpu_has_feature(CPU_FTR_NOEXECUTE) &&
+ !cpu_has_feature(CPU_FTR_COHERENT_ICACHE))
+ rflags = hash_page_do_lazy_icache(rflags, __pte(old_pte), trap);
+
+diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
+index a4e070a..8c925ec 100644
+--- a/arch/x86/events/core.c
++++ b/arch/x86/events/core.c
+@@ -68,7 +68,7 @@ u64 x86_perf_event_update(struct perf_event *event)
+ int shift = 64 - x86_pmu.cntval_bits;
+ u64 prev_raw_count, new_raw_count;
+ int idx = hwc->idx;
+- s64 delta;
++ u64 delta;
+
+ if (idx == INTEL_PMC_IDX_FIXED_BTS)
+ return 0;
+diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
+index 4c9a79b..3ef34c6 100644
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -4024,7 +4024,7 @@ __init int intel_pmu_init(void)
+
+ /* Support full width counters using alternative MSR range */
+ if (x86_pmu.intel_cap.full_width_write) {
+- x86_pmu.max_period = x86_pmu.cntval_mask;
++ x86_pmu.max_period = x86_pmu.cntval_mask >> 1;
+ x86_pmu.perfctr = MSR_IA32_PMC0;
+ pr_cont("full-width counters, ");
+ }
+diff --git a/crypto/Makefile b/crypto/Makefile
+index 99cc64ac..bd6a029 100644
+--- a/crypto/Makefile
++++ b/crypto/Makefile
+@@ -40,6 +40,7 @@ obj-$(CONFIG_CRYPTO_ECDH) += ecdh_generic.o
+
+ $(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h
+ $(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h
++$(obj)/rsa_helper.o: $(obj)/rsapubkey-asn1.h $(obj)/rsaprivkey-asn1.h
+ clean-files += rsapubkey-asn1.c rsapubkey-asn1.h
+ clean-files += rsaprivkey-asn1.c rsaprivkey-asn1.h
+
+diff --git a/crypto/mcryptd.c b/crypto/mcryptd.c
+index 86fb59b..c6e9920 100644
+--- a/crypto/mcryptd.c
++++ b/crypto/mcryptd.c
+@@ -254,18 +254,22 @@ static void *mcryptd_alloc_instance(struct crypto_alg *alg, unsigned int head,
+ goto out;
+ }
+
+-static inline void mcryptd_check_internal(struct rtattr **tb, u32 *type,
++static inline bool mcryptd_check_internal(struct rtattr **tb, u32 *type,
+ u32 *mask)
+ {
+ struct crypto_attr_type *algt;
+
+ algt = crypto_get_attr_type(tb);
+ if (IS_ERR(algt))
+- return;
+- if ((algt->type & CRYPTO_ALG_INTERNAL))
+- *type |= CRYPTO_ALG_INTERNAL;
+- if ((algt->mask & CRYPTO_ALG_INTERNAL))
+- *mask |= CRYPTO_ALG_INTERNAL;
++ return false;
++
++ *type |= algt->type & CRYPTO_ALG_INTERNAL;
++ *mask |= algt->mask & CRYPTO_ALG_INTERNAL;
++
++ if (*type & *mask & CRYPTO_ALG_INTERNAL)
++ return true;
++ else
++ return false;
+ }
+
+ static int mcryptd_hash_init_tfm(struct crypto_tfm *tfm)
+@@ -492,7 +496,8 @@ static int mcryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
+ u32 mask = 0;
+ int err;
+
+- mcryptd_check_internal(tb, &type, &mask);
++ if (!mcryptd_check_internal(tb, &type, &mask))
++ return -EINVAL;
+
+ halg = ahash_attr_alg(tb[1], type, mask);
+ if (IS_ERR(halg))
+diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
+index 2accf78..93e0d83 100644
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -94,7 +94,7 @@ static struct acpi_device *to_acpi_dev(struct acpi_nfit_desc *acpi_desc)
+ return to_acpi_device(acpi_desc->dev);
+ }
+
+-static int xlat_status(void *buf, unsigned int cmd, u32 status)
++static int xlat_bus_status(void *buf, unsigned int cmd, u32 status)
+ {
+ struct nd_cmd_clear_error *clear_err;
+ struct nd_cmd_ars_status *ars_status;
+@@ -113,7 +113,7 @@ static int xlat_status(void *buf, unsigned int cmd, u32 status)
+ flags = ND_ARS_PERSISTENT | ND_ARS_VOLATILE;
+ if ((status >> 16 & flags) == 0)
+ return -ENOTTY;
+- break;
++ return 0;
+ case ND_CMD_ARS_START:
+ /* ARS is in progress */
+ if ((status & 0xffff) == NFIT_ARS_START_BUSY)
+@@ -122,7 +122,7 @@ static int xlat_status(void *buf, unsigned int cmd, u32 status)
+ /* Command failed */
+ if (status & 0xffff)
+ return -EIO;
+- break;
++ return 0;
+ case ND_CMD_ARS_STATUS:
+ ars_status = buf;
+ /* Command failed */
+@@ -146,7 +146,8 @@ static int xlat_status(void *buf, unsigned int cmd, u32 status)
+ * then just continue with the returned results.
+ */
+ if (status == NFIT_ARS_STATUS_INTR) {
+- if (ars_status->flags & NFIT_ARS_F_OVERFLOW)
++ if (ars_status->out_length >= 40 && (ars_status->flags
++ & NFIT_ARS_F_OVERFLOW))
+ return -ENOSPC;
+ return 0;
+ }
+@@ -154,7 +155,7 @@ static int xlat_status(void *buf, unsigned int cmd, u32 status)
+ /* Unknown status */
+ if (status >> 16)
+ return -EIO;
+- break;
++ return 0;
+ case ND_CMD_CLEAR_ERROR:
+ clear_err = buf;
+ if (status & 0xffff)
+@@ -163,7 +164,7 @@ static int xlat_status(void *buf, unsigned int cmd, u32 status)
+ return -EIO;
+ if (clear_err->length > clear_err->cleared)
+ return clear_err->cleared;
+- break;
++ return 0;
+ default:
+ break;
+ }
+@@ -174,6 +175,16 @@ static int xlat_status(void *buf, unsigned int cmd, u32 status)
+ return 0;
+ }
+
++static int xlat_status(struct nvdimm *nvdimm, void *buf, unsigned int cmd,
++ u32 status)
++{
++ if (!nvdimm)
++ return xlat_bus_status(buf, cmd, status);
++ if (status)
++ return -EIO;
++ return 0;
++}
++
+ static int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc,
+ struct nvdimm *nvdimm, unsigned int cmd, void *buf,
+ unsigned int buf_len, int *cmd_rc)
+@@ -298,7 +309,8 @@ static int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc,
+
+ for (i = 0, offset = 0; i < desc->out_num; i++) {
+ u32 out_size = nd_cmd_out_size(nvdimm, cmd, desc, i, buf,
+- (u32 *) out_obj->buffer.pointer);
++ (u32 *) out_obj->buffer.pointer,
++ out_obj->buffer.length - offset);
+
+ if (offset + out_size > out_obj->buffer.length) {
+ dev_dbg(dev, "%s:%s output object underflow cmd: %s field: %d\n",
+@@ -333,7 +345,8 @@ static int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc,
+ */
+ rc = buf_len - offset - in_buf.buffer.length;
+ if (cmd_rc)
+- *cmd_rc = xlat_status(buf, cmd, fw_status);
++ *cmd_rc = xlat_status(nvdimm, buf, cmd,
++ fw_status);
+ } else {
+ dev_err(dev, "%s:%s underrun cmd: %s buf_len: %d out_len: %d\n",
+ __func__, dimm_name, cmd_name, buf_len,
+@@ -343,7 +356,7 @@ static int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc,
+ } else {
+ rc = 0;
+ if (cmd_rc)
+- *cmd_rc = xlat_status(buf, cmd, fw_status);
++ *cmd_rc = xlat_status(nvdimm, buf, cmd, fw_status);
+ }
+
+ out:
+@@ -1857,19 +1870,32 @@ static int ars_get_status(struct acpi_nfit_desc *acpi_desc)
+ return cmd_rc;
+ }
+
+-static int ars_status_process_records(struct nvdimm_bus *nvdimm_bus,
++static int ars_status_process_records(struct acpi_nfit_desc *acpi_desc,
+ struct nd_cmd_ars_status *ars_status)
+ {
++ struct nvdimm_bus *nvdimm_bus = acpi_desc->nvdimm_bus;
+ int rc;
+ u32 i;
+
++ /*
++ * First record starts at 44 byte offset from the start of the
++ * payload.
++ */
++ if (ars_status->out_length < 44)
++ return 0;
+ for (i = 0; i < ars_status->num_records; i++) {
++ /* only process full records */
++ if (ars_status->out_length
++ < 44 + sizeof(struct nd_ars_record) * (i + 1))
++ break;
+ rc = nvdimm_bus_add_poison(nvdimm_bus,
+ ars_status->records[i].err_address,
+ ars_status->records[i].length);
+ if (rc)
+ return rc;
+ }
++ if (i < ars_status->num_records)
++ dev_warn(acpi_desc->dev, "detected truncated ars results\n");
+
+ return 0;
+ }
+@@ -2122,8 +2148,7 @@ static int acpi_nfit_query_poison(struct acpi_nfit_desc *acpi_desc,
+ if (rc < 0 && rc != -ENOSPC)
+ return rc;
+
+- if (ars_status_process_records(acpi_desc->nvdimm_bus,
+- acpi_desc->ars_status))
++ if (ars_status_process_records(acpi_desc, acpi_desc->ars_status))
+ return -ENOMEM;
+
+ return 0;
+diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c
+index 2b38c1b..7a2e4d4 100644
+--- a/drivers/acpi/sleep.c
++++ b/drivers/acpi/sleep.c
+@@ -47,32 +47,15 @@ static void acpi_sleep_tts_switch(u32 acpi_state)
+ }
+ }
+
+-static void acpi_sleep_pts_switch(u32 acpi_state)
+-{
+- acpi_status status;
+-
+- status = acpi_execute_simple_method(NULL, "\\_PTS", acpi_state);
+- if (ACPI_FAILURE(status) && status != AE_NOT_FOUND) {
+- /*
+- * OS can't evaluate the _PTS object correctly. Some warning
+- * message will be printed. But it won't break anything.
+- */
+- printk(KERN_NOTICE "Failure in evaluating _PTS object\n");
+- }
+-}
+-
+-static int sleep_notify_reboot(struct notifier_block *this,
++static int tts_notify_reboot(struct notifier_block *this,
+ unsigned long code, void *x)
+ {
+ acpi_sleep_tts_switch(ACPI_STATE_S5);
+-
+- acpi_sleep_pts_switch(ACPI_STATE_S5);
+-
+ return NOTIFY_DONE;
+ }
+
+-static struct notifier_block sleep_notifier = {
+- .notifier_call = sleep_notify_reboot,
++static struct notifier_block tts_notifier = {
++ .notifier_call = tts_notify_reboot,
+ .next = NULL,
+ .priority = 0,
+ };
+@@ -916,9 +899,9 @@ int __init acpi_sleep_init(void)
+ pr_info(PREFIX "(supports%s)\n", supported);
+
+ /*
+- * Register the sleep_notifier to reboot notifier list so that the _TTS
+- * and _PTS object can also be evaluated when the system enters S5.
++ * Register the tts_notifier to reboot notifier list so that the _TTS
++ * object can also be evaluated when the system enters S5.
+ */
+- register_reboot_notifier(&sleep_notifier);
++ register_reboot_notifier(&tts_notifier);
+ return 0;
+ }
+diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c
+index 5163c8f..5497f7f 100644
+--- a/drivers/block/zram/zram_drv.c
++++ b/drivers/block/zram/zram_drv.c
+@@ -1413,8 +1413,14 @@ static ssize_t hot_remove_store(struct class *class,
+ return ret ? ret : count;
+ }
+
++/*
++ * NOTE: hot_add attribute is not the usual read-only sysfs attribute. In a
++ * sense that reading from this file does alter the state of your system -- it
++ * creates a new un-initialized zram device and returns back this device's
++ * device_id (or an error code if it fails to create a new device).
++ */
+ static struct class_attribute zram_control_class_attrs[] = {
+- __ATTR_RO(hot_add),
++ __ATTR(hot_add, 0400, hot_add_show, NULL),
+ __ATTR_WO(hot_remove),
+ __ATTR_NULL,
+ };
+diff --git a/drivers/crypto/caam/ctrl.c b/drivers/crypto/caam/ctrl.c
+index 0ec112e..2341f37 100644
+--- a/drivers/crypto/caam/ctrl.c
++++ b/drivers/crypto/caam/ctrl.c
+@@ -557,8 +557,9 @@ static int caam_probe(struct platform_device *pdev)
+ * Enable DECO watchdogs and, if this is a PHYS_ADDR_T_64BIT kernel,
+ * long pointers in master configuration register
+ */
+- clrsetbits_32(&ctrl->mcr, MCFGR_AWCACHE_MASK, MCFGR_AWCACHE_CACH |
+- MCFGR_AWCACHE_BUFF | MCFGR_WDENABLE | MCFGR_LARGE_BURST |
++ clrsetbits_32(&ctrl->mcr, MCFGR_AWCACHE_MASK | MCFGR_LONG_PTR,
++ MCFGR_AWCACHE_CACH | MCFGR_AWCACHE_BUFF |
++ MCFGR_WDENABLE | MCFGR_LARGE_BURST |
+ (sizeof(dma_addr_t) == sizeof(u64) ? MCFGR_LONG_PTR : 0));
+
+ /*
+diff --git a/drivers/crypto/marvell/hash.c b/drivers/crypto/marvell/hash.c
+index b111e14..13e89af 100644
+--- a/drivers/crypto/marvell/hash.c
++++ b/drivers/crypto/marvell/hash.c
+@@ -168,12 +168,11 @@ static void mv_cesa_ahash_std_step(struct ahash_request *req)
+ mv_cesa_adjust_op(engine, &creq->op_tmpl);
+ memcpy_toio(engine->sram, &creq->op_tmpl, sizeof(creq->op_tmpl));
+
+- digsize = crypto_ahash_digestsize(crypto_ahash_reqtfm(req));
+- for (i = 0; i < digsize / 4; i++)
+- writel_relaxed(creq->state[i], engine->regs + CESA_IVDIG(i));
+-
+- mv_cesa_adjust_op(engine, &creq->op_tmpl);
+- memcpy_toio(engine->sram, &creq->op_tmpl, sizeof(creq->op_tmpl));
++ if (!sreq->offset) {
++ digsize = crypto_ahash_digestsize(crypto_ahash_reqtfm(req));
++ for (i = 0; i < digsize / 4; i++)
++ writel_relaxed(creq->state[i], engine->regs + CESA_IVDIG(i));
++ }
+
+ if (creq->cache_ptr)
+ memcpy_toio(engine->sram + CESA_SA_DATA_SRAM_OFFSET,
+diff --git a/drivers/dax/dax.c b/drivers/dax/dax.c
+index ff64313..4894199 100644
+--- a/drivers/dax/dax.c
++++ b/drivers/dax/dax.c
+@@ -324,7 +324,7 @@ static int check_vma(struct dax_dev *dax_dev, struct vm_area_struct *vma,
+ return -ENXIO;
+
+ /* prevent private mappings from being established */
+- if ((vma->vm_flags & VM_SHARED) != VM_SHARED) {
++ if ((vma->vm_flags & VM_MAYSHARE) != VM_MAYSHARE) {
+ dev_info(dev, "%s: %s: fail, attempted private mapping\n",
+ current->comm, func);
+ return -EINVAL;
+diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+index bfb91d8..1006af4 100644
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -872,23 +872,25 @@ static int peak_usb_create_dev(const struct peak_usb_adapter *peak_usb_adapter,
+ static void peak_usb_disconnect(struct usb_interface *intf)
+ {
+ struct peak_usb_device *dev;
++ struct peak_usb_device *dev_prev_siblings;
+
+ /* unregister as many netdev devices as siblings */
+- for (dev = usb_get_intfdata(intf); dev; dev = dev->prev_siblings) {
++ for (dev = usb_get_intfdata(intf); dev; dev = dev_prev_siblings) {
+ struct net_device *netdev = dev->netdev;
+ char name[IFNAMSIZ];
+
++ dev_prev_siblings = dev->prev_siblings;
+ dev->state &= ~PCAN_USB_STATE_CONNECTED;
+ strncpy(name, netdev->name, IFNAMSIZ);
+
+ unregister_netdev(netdev);
+- free_candev(netdev);
+
+ kfree(dev->cmd_buf);
+ dev->next_siblings = NULL;
+ if (dev->adapter->dev_free)
+ dev->adapter->dev_free(dev);
+
++ free_candev(netdev);
+ dev_info(&intf->dev, "%s removed\n", name);
+ }
+
+diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c
+index a8b6949..23d4a17 100644
+--- a/drivers/nvdimm/bus.c
++++ b/drivers/nvdimm/bus.c
+@@ -715,7 +715,7 @@ EXPORT_SYMBOL_GPL(nd_cmd_in_size);
+
+ u32 nd_cmd_out_size(struct nvdimm *nvdimm, int cmd,
+ const struct nd_cmd_desc *desc, int idx, const u32 *in_field,
+- const u32 *out_field)
++ const u32 *out_field, unsigned long remainder)
+ {
+ if (idx >= desc->out_num)
+ return UINT_MAX;
+@@ -727,9 +727,24 @@ u32 nd_cmd_out_size(struct nvdimm *nvdimm, int cmd,
+ return in_field[1];
+ else if (nvdimm && cmd == ND_CMD_VENDOR && idx == 2)
+ return out_field[1];
+- else if (!nvdimm && cmd == ND_CMD_ARS_STATUS && idx == 2)
+- return out_field[1] - 8;
+- else if (cmd == ND_CMD_CALL) {
++ else if (!nvdimm && cmd == ND_CMD_ARS_STATUS && idx == 2) {
++ /*
++ * Per table 9-276 ARS Data in ACPI 6.1, out_field[1] is
++ * "Size of Output Buffer in bytes, including this
++ * field."
++ */
++ if (out_field[1] < 4)
++ return 0;
++ /*
++ * ACPI 6.1 is ambiguous if 'status' is included in the
++ * output size. If we encounter an output size that
++ * overshoots the remainder by 4 bytes, assume it was
++ * including 'status'.
++ */
++ if (out_field[1] - 8 == remainder)
++ return remainder;
++ return out_field[1] - 4;
++ } else if (cmd == ND_CMD_CALL) {
+ struct nd_cmd_pkg *pkg = (struct nd_cmd_pkg *) in_field;
+
+ return pkg->nd_size_out;
+@@ -876,7 +891,7 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm,
+ /* process an output envelope */
+ for (i = 0; i < desc->out_num; i++) {
+ u32 out_size = nd_cmd_out_size(nvdimm, cmd, desc, i,
+- (u32 *) in_env, (u32 *) out_env);
++ (u32 *) in_env, (u32 *) out_env, 0);
+ u32 copy;
+
+ if (out_size == UINT_MAX) {
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 7080ce2..8214eba 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -1323,18 +1323,20 @@ lpfc_sli_ringtxcmpl_put(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
+ {
+ lockdep_assert_held(&phba->hbalock);
+
+- BUG_ON(!piocb || !piocb->vport);
++ BUG_ON(!piocb);
+
+ list_add_tail(&piocb->list, &pring->txcmplq);
+ piocb->iocb_flag |= LPFC_IO_ON_TXCMPLQ;
+
+ if ((unlikely(pring->ringno == LPFC_ELS_RING)) &&
+ (piocb->iocb.ulpCommand != CMD_ABORT_XRI_CN) &&
+- (piocb->iocb.ulpCommand != CMD_CLOSE_XRI_CN) &&
+- (!(piocb->vport->load_flag & FC_UNLOADING)))
+- mod_timer(&piocb->vport->els_tmofunc,
+- jiffies +
+- msecs_to_jiffies(1000 * (phba->fc_ratov << 1)));
++ (piocb->iocb.ulpCommand != CMD_CLOSE_XRI_CN)) {
++ BUG_ON(!piocb->vport);
++ if (!(piocb->vport->load_flag & FC_UNLOADING))
++ mod_timer(&piocb->vport->els_tmofunc,
++ jiffies +
++ msecs_to_jiffies(1000 * (phba->fc_ratov << 1)));
++ }
+
+ return 0;
+ }
+diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
+index e3b30ea..a504e2e0 100644
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -506,7 +506,7 @@ static void vhost_vsock_reset_orphans(struct sock *sk)
+ * executing.
+ */
+
+- if (!vhost_vsock_get(vsk->local_addr.svm_cid)) {
++ if (!vhost_vsock_get(vsk->remote_addr.svm_cid)) {
+ sock_set_flag(sk, SOCK_DONE);
+ vsk->peer_shutdown = SHUTDOWN_MASK;
+ sk->sk_state = SS_UNCONNECTED;
+diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c
+index df4b3e6..93142bf 100644
+--- a/fs/ceph/dir.c
++++ b/fs/ceph/dir.c
+@@ -1257,26 +1257,30 @@ static int ceph_d_revalidate(struct dentry *dentry, unsigned int flags)
+ return -ECHILD;
+
+ op = ceph_snap(dir) == CEPH_SNAPDIR ?
+- CEPH_MDS_OP_LOOKUPSNAP : CEPH_MDS_OP_LOOKUP;
++ CEPH_MDS_OP_LOOKUPSNAP : CEPH_MDS_OP_GETATTR;
+ req = ceph_mdsc_create_request(mdsc, op, USE_ANY_MDS);
+ if (!IS_ERR(req)) {
+ req->r_dentry = dget(dentry);
+- req->r_num_caps = 2;
++ req->r_num_caps = op == CEPH_MDS_OP_GETATTR ? 1 : 2;
+
+ mask = CEPH_STAT_CAP_INODE | CEPH_CAP_AUTH_SHARED;
+ if (ceph_security_xattr_wanted(dir))
+ mask |= CEPH_CAP_XATTR_SHARED;
+ req->r_args.getattr.mask = mask;
+
+- req->r_locked_dir = dir;
+ err = ceph_mdsc_do_request(mdsc, NULL, req);
+- if (err == 0 || err == -ENOENT) {
+- if (dentry == req->r_dentry) {
+- valid = !d_unhashed(dentry);
+- } else {
+- d_invalidate(req->r_dentry);
+- err = -EAGAIN;
+- }
++ switch (err) {
++ case 0:
++ if (d_really_is_positive(dentry) &&
++ d_inode(dentry) == req->r_target_inode)
++ valid = 1;
++ break;
++ case -ENOENT:
++ if (d_really_is_negative(dentry))
++ valid = 1;
++ /* Fallthrough */
++ default:
++ break;
+ }
+ ceph_mdsc_put_request(req);
+ dout("d_revalidate %p lookup result=%d\n",
+diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
+index 4ff9251..eb5373a 100644
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1709,8 +1709,6 @@ static int fuse_setattr(struct dentry *entry, struct iattr *attr)
+ return -EACCES;
+
+ if (attr->ia_valid & (ATTR_KILL_SUID | ATTR_KILL_SGID)) {
+- int kill;
+-
+ attr->ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID |
+ ATTR_MODE);
+ /*
+@@ -1722,12 +1720,11 @@ static int fuse_setattr(struct dentry *entry, struct iattr *attr)
+ return ret;
+
+ attr->ia_mode = inode->i_mode;
+- kill = should_remove_suid(entry);
+- if (kill & ATTR_KILL_SUID) {
++ if (inode->i_mode & S_ISUID) {
+ attr->ia_valid |= ATTR_MODE;
+ attr->ia_mode &= ~S_ISUID;
+ }
+- if (kill & ATTR_KILL_SGID) {
++ if ((inode->i_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
+ attr->ia_valid |= ATTR_MODE;
+ attr->ia_mode &= ~S_ISGID;
+ }
+diff --git a/include/linux/cpu.h b/include/linux/cpu.h
+index 797d9c8..c8938eb 100644
+--- a/include/linux/cpu.h
++++ b/include/linux/cpu.h
+@@ -105,22 +105,16 @@ extern bool cpuhp_tasks_frozen;
+ { .notifier_call = fn, .priority = pri }; \
+ __register_cpu_notifier(&fn##_nb); \
+ }
+-#else /* #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
+-#define cpu_notifier(fn, pri) do { (void)(fn); } while (0)
+-#define __cpu_notifier(fn, pri) do { (void)(fn); } while (0)
+-#endif /* #else #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
+
+-#ifdef CONFIG_HOTPLUG_CPU
+ extern int register_cpu_notifier(struct notifier_block *nb);
+ extern int __register_cpu_notifier(struct notifier_block *nb);
+ extern void unregister_cpu_notifier(struct notifier_block *nb);
+ extern void __unregister_cpu_notifier(struct notifier_block *nb);
+-#else
+
+-#ifndef MODULE
+-extern int register_cpu_notifier(struct notifier_block *nb);
+-extern int __register_cpu_notifier(struct notifier_block *nb);
+-#else
++#else /* #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
++#define cpu_notifier(fn, pri) do { (void)(fn); } while (0)
++#define __cpu_notifier(fn, pri) do { (void)(fn); } while (0)
++
+ static inline int register_cpu_notifier(struct notifier_block *nb)
+ {
+ return 0;
+@@ -130,7 +124,6 @@ static inline int __register_cpu_notifier(struct notifier_block *nb)
+ {
+ return 0;
+ }
+-#endif
+
+ static inline void unregister_cpu_notifier(struct notifier_block *nb)
+ {
+diff --git a/include/linux/libnvdimm.h b/include/linux/libnvdimm.h
+index bbfce62..d02d65d 100644
+--- a/include/linux/libnvdimm.h
++++ b/include/linux/libnvdimm.h
+@@ -153,7 +153,7 @@ u32 nd_cmd_in_size(struct nvdimm *nvdimm, int cmd,
+ const struct nd_cmd_desc *desc, int idx, void *buf);
+ u32 nd_cmd_out_size(struct nvdimm *nvdimm, int cmd,
+ const struct nd_cmd_desc *desc, int idx, const u32 *in_field,
+- const u32 *out_field);
++ const u32 *out_field, unsigned long remainder);
+ int nvdimm_bus_check_dimm_count(struct nvdimm_bus *nvdimm_bus, int dimm_count);
+ struct nd_region *nvdimm_pmem_region_create(struct nvdimm_bus *nvdimm_bus,
+ struct nd_region_desc *ndr_desc);
+diff --git a/include/uapi/linux/can.h b/include/uapi/linux/can.h
+index 9692cda..c48d93a 100644
+--- a/include/uapi/linux/can.h
++++ b/include/uapi/linux/can.h
+@@ -196,5 +196,6 @@ struct can_filter {
+ };
+
+ #define CAN_INV_FILTER 0x20000000U /* to be set in can_filter.can_id */
++#define CAN_RAW_FILTER_MAX 512 /* maximum number of can_filter set via setsockopt() */
+
+ #endif /* !_UAPI_CAN_H */
+diff --git a/kernel/cpu.c b/kernel/cpu.c
+index 341bf80..73fb59f 100644
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -578,7 +578,6 @@ void __init cpuhp_threads_init(void)
+ kthread_unpark(this_cpu_read(cpuhp_state.thread));
+ }
+
+-#ifdef CONFIG_HOTPLUG_CPU
+ EXPORT_SYMBOL(register_cpu_notifier);
+ EXPORT_SYMBOL(__register_cpu_notifier);
+ void unregister_cpu_notifier(struct notifier_block *nb)
+@@ -595,6 +594,7 @@ void __unregister_cpu_notifier(struct notifier_block *nb)
+ }
+ EXPORT_SYMBOL(__unregister_cpu_notifier);
+
++#ifdef CONFIG_HOTPLUG_CPU
+ /**
+ * clear_tasks_mm_cpumask - Safely clear tasks' mm_cpumask for a CPU
+ * @cpu: a CPU id
+diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c
+index 1ec0f48..2c49d76 100644
+--- a/kernel/locking/rtmutex.c
++++ b/kernel/locking/rtmutex.c
+@@ -65,8 +65,72 @@ static inline void clear_rt_mutex_waiters(struct rt_mutex *lock)
+
+ static void fixup_rt_mutex_waiters(struct rt_mutex *lock)
+ {
+- if (!rt_mutex_has_waiters(lock))
+- clear_rt_mutex_waiters(lock);
++ unsigned long owner, *p = (unsigned long *) &lock->owner;
++
++ if (rt_mutex_has_waiters(lock))
++ return;
++
++ /*
++ * The rbtree has no waiters enqueued, now make sure that the
++ * lock->owner still has the waiters bit set, otherwise the
++ * following can happen:
++ *
++ * CPU 0 CPU 1 CPU2
++ * l->owner=T1
++ * rt_mutex_lock(l)
++ * lock(l->lock)
++ * l->owner = T1 | HAS_WAITERS;
++ * enqueue(T2)
++ * boost()
++ * unlock(l->lock)
++ * block()
++ *
++ * rt_mutex_lock(l)
++ * lock(l->lock)
++ * l->owner = T1 | HAS_WAITERS;
++ * enqueue(T3)
++ * boost()
++ * unlock(l->lock)
++ * block()
++ * signal(->T2) signal(->T3)
++ * lock(l->lock)
++ * dequeue(T2)
++ * deboost()
++ * unlock(l->lock)
++ * lock(l->lock)
++ * dequeue(T3)
++ * ==> wait list is empty
++ * deboost()
++ * unlock(l->lock)
++ * lock(l->lock)
++ * fixup_rt_mutex_waiters()
++ * if (wait_list_empty(l) {
++ * l->owner = owner
++ * owner = l->owner & ~HAS_WAITERS;
++ * ==> l->owner = T1
++ * }
++ * lock(l->lock)
++ * rt_mutex_unlock(l) fixup_rt_mutex_waiters()
++ * if (wait_list_empty(l) {
++ * owner = l->owner & ~HAS_WAITERS;
++ * cmpxchg(l->owner, T1, NULL)
++ * ===> Success (l->owner = NULL)
++ *
++ * l->owner = owner
++ * ==> l->owner = T1
++ * }
++ *
++ * With the check for the waiter bit in place T3 on CPU2 will not
++ * overwrite. All tasks fiddling with the waiters bit are
++ * serialized by l->lock, so nothing else can modify the waiters
++ * bit. If the bit is set then nothing can change l->owner either
++ * so the simple RMW is safe. The cmpxchg() will simply fail if it
++ * happens in the middle of the RMW because the waiters bit is
++ * still set.
++ */
++ owner = READ_ONCE(*p);
++ if (owner & RT_MUTEX_HAS_WAITERS)
++ WRITE_ONCE(*p, owner & ~RT_MUTEX_HAS_WAITERS);
+ }
+
+ /*
+diff --git a/kernel/locking/rtmutex_common.h b/kernel/locking/rtmutex_common.h
+index 4f5f83c..e317e1c 100644
+--- a/kernel/locking/rtmutex_common.h
++++ b/kernel/locking/rtmutex_common.h
+@@ -75,8 +75,9 @@ task_top_pi_waiter(struct task_struct *p)
+
+ static inline struct task_struct *rt_mutex_owner(struct rt_mutex *lock)
+ {
+- return (struct task_struct *)
+- ((unsigned long)lock->owner & ~RT_MUTEX_OWNER_MASKALL);
++ unsigned long owner = (unsigned long) READ_ONCE(lock->owner);
++
++ return (struct task_struct *) (owner & ~RT_MUTEX_OWNER_MASKALL);
+ }
+
+ /*
+diff --git a/kernel/sched/auto_group.c b/kernel/sched/auto_group.c
+index a5d966c..418d9b6 100644
+--- a/kernel/sched/auto_group.c
++++ b/kernel/sched/auto_group.c
+@@ -192,6 +192,7 @@ int proc_sched_autogroup_set_nice(struct task_struct *p, int nice)
+ {
+ static unsigned long next = INITIAL_JIFFIES;
+ struct autogroup *ag;
++ unsigned long shares;
+ int err;
+
+ if (nice < MIN_NICE || nice > MAX_NICE)
+@@ -210,9 +211,10 @@ int proc_sched_autogroup_set_nice(struct task_struct *p, int nice)
+
+ next = HZ / 10 + jiffies;
+ ag = autogroup_task_get(p);
++ shares = scale_load(sched_prio_to_weight[nice + 20]);
+
+ down_write(&ag->lock);
+- err = sched_group_set_shares(ag->tg, sched_prio_to_weight[nice + 20]);
++ err = sched_group_set_shares(ag->tg, shares);
+ if (!err)
+ ag->nice = nice;
+ up_write(&ag->lock);
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index 7e6df7a..67f8fa9 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -2849,7 +2849,7 @@ static bool batadv_send_my_tt_response(struct batadv_priv *bat_priv,
+ &tvlv_tt_data,
+ &tt_change,
+ &tt_len);
+- if (!tt_len)
++ if (!tt_len || !tvlv_len)
+ goto unlock;
+
+ /* Copy the last orig_node's OGM buffer */
+@@ -2867,7 +2867,7 @@ static bool batadv_send_my_tt_response(struct batadv_priv *bat_priv,
+ &tvlv_tt_data,
+ &tt_change,
+ &tt_len);
+- if (!tt_len)
++ if (!tt_len || !tvlv_len)
+ goto out;
+
+ /* fill the rest of the tvlv with the real TT entries */
+diff --git a/net/can/raw.c b/net/can/raw.c
+index 972c187..b075f02 100644
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -499,6 +499,9 @@ static int raw_setsockopt(struct socket *sock, int level, int optname,
+ if (optlen % sizeof(struct can_filter) != 0)
+ return -EINVAL;
+
++ if (optlen > CAN_RAW_FILTER_MAX * sizeof(struct can_filter))
++ return -EINVAL;
++
+ count = optlen / sizeof(struct can_filter);
+
+ if (count > 1) {
diff --git a/4.8.14/4420_grsecurity-3.1-4.8.14-201612110933.patch b/4.8.15/4420_grsecurity-3.1-4.8.15-201612151923.patch
index c16e8f5..f7b8b72 100644
--- a/4.8.14/4420_grsecurity-3.1-4.8.14-201612110933.patch
+++ b/4.8.15/4420_grsecurity-3.1-4.8.15-201612151923.patch
@@ -407,7 +407,7 @@ index ffab8b5..b8fcd61 100644
A toggle value indicating if modules are allowed to be loaded
diff --git a/Makefile b/Makefile
-index 6a74924..c5a7b40 100644
+index c7f0e79..0a12dea 100644
--- a/Makefile
+++ b/Makefile
@@ -302,7 +302,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -7873,7 +7873,7 @@ index f08dda3..ea6aa1b 100644
#endif
diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h
-index c2c43f7..b08ffd9 100644
+index 3a4ed9f..29b7218 100644
--- a/arch/parisc/include/asm/pgtable.h
+++ b/arch/parisc/include/asm/pgtable.h
@@ -236,6 +236,17 @@ static inline void purge_tlb_entries(struct mm_struct *mm, unsigned long addr)
@@ -19051,7 +19051,7 @@ index b28200d..e93e14d 100644
while (amd_iommu_v2_event_descs[i].attr.attr.name)
diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
-index a4e070a..6804f87 100644
+index 8c925ec..287eaab 100644
--- a/arch/x86/events/core.c
+++ b/arch/x86/events/core.c
@@ -1545,7 +1545,7 @@ static void __init pmu_check_apic(void)
@@ -19091,7 +19091,7 @@ index a4e070a..6804f87 100644
pagefault_enable();
}
diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
-index 4c9a79b..7c0d6ca 100644
+index 3ef34c6..166e15a 100644
--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -2408,6 +2408,8 @@ __intel_get_event_constraints(struct cpu_hw_events *cpuc, int idx,
@@ -41805,10 +41805,10 @@ index 7cfbda4..74f738c 100644
set_no_mwait, "Extensa 5220", {
DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c
-index 2b38c1b..61fcc2b 100644
+index 7a2e4d4..0de00c5 100644
--- a/drivers/acpi/sleep.c
+++ b/drivers/acpi/sleep.c
-@@ -171,7 +171,7 @@ static int __init init_nvs_nosave(const struct dmi_system_id *d)
+@@ -154,7 +154,7 @@ static int __init init_nvs_nosave(const struct dmi_system_id *d)
return 0;
}
@@ -147937,7 +147937,7 @@ index 9b5f044..b8b0a33 100644
}
__initcall(ioresources_init);
diff --git a/kernel/sched/auto_group.c b/kernel/sched/auto_group.c
-index a5d966c..9c2d28b 100644
+index 418d9b6..45ff39b 100644
--- a/kernel/sched/auto_group.c
+++ b/kernel/sched/auto_group.c
@@ -9,7 +9,7 @@
@@ -152038,9 +152038,18 @@ index 6c707bf..c8d0529 100644
return sys_fadvise64_64(fd, offset, len, advice);
}
diff --git a/mm/filemap.c b/mm/filemap.c
-index ced9ef6..e042a5b 100644
+index ced9ef6..b3151bf 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
+@@ -1688,7 +1688,7 @@ static ssize_t do_generic_file_read(struct file *filp, loff_t *ppos,
+ int error = 0;
+
+ if (unlikely(*ppos >= inode->i_sb->s_maxbytes))
+- return -EINVAL;
++ return 0;
+ iov_iter_truncate(iter, inode->i_sb->s_maxbytes);
+
+ index = *ppos >> PAGE_SHIFT;
@@ -2334,7 +2334,7 @@ int generic_file_mmap(struct file * file, struct vm_area_struct * vma)
struct address_space *mapping = file->f_mapping;
@@ -158571,7 +158580,7 @@ index c76021b..3aef377 100644
};
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
-index 7e6df7a..474128b 100644
+index 67f8fa9..4b611eb 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -664,7 +664,7 @@ bool batadv_tt_local_add(struct net_device *soft_iface, const u8 *addr,
@@ -204352,10 +204361,10 @@ index 0000000..4aabb55
+size_mei_msg_data_65529_fields size mei_msg_data 0 65529 NULL
diff --git a/scripts/gcc-plugins/size_overflow_plugin/e_fns.data b/scripts/gcc-plugins/size_overflow_plugin/e_fns.data
new file mode 100644
-index 0000000..269bba1
+index 0000000..510c554
--- /dev/null
+++ b/scripts/gcc-plugins/size_overflow_plugin/e_fns.data
-@@ -0,0 +1,5527 @@
+@@ -0,0 +1,5528 @@
+logi_dj_recv_query_paired_devices_fndecl_13_fns logi_dj_recv_query_paired_devices fndecl 0 13 NULL
+response_length_ib_uverbs_ex_destroy_wq_resp_15_fns response_length ib_uverbs_ex_destroy_wq_resp 0 15 NULL
+kfd_wait_on_events_fndecl_19_fns kfd_wait_on_events fndecl 2 19 NULL
@@ -206853,6 +206862,7 @@ index 0000000..269bba1
+si_lasti_bfs_sb_info_29842_fns si_lasti bfs_sb_info 0 29842 NULL
+len_ethtool_dump_29843_fns len ethtool_dump 0 29843 NULL
+fq_alloc_node_fndecl_29850_fns fq_alloc_node fndecl 1 29850 NULL
++nd_cmd_out_size_fndecl_29867_fns nd_cmd_out_size fndecl 0-7 29867 NULL
+nfs_idmap_lookup_id_fndecl_29879_fns nfs_idmap_lookup_id fndecl 2 29879 NULL
+parport_write_fndecl_29886_fns parport_write fndecl 0 29886 NULL
+length_ndis_80211_pmkid_29893_fns length ndis_80211_pmkid 0 29893 NULL
diff --git a/4.8.14/4425_grsec_remove_EI_PAX.patch b/4.8.15/4425_grsec_remove_EI_PAX.patch
index 594598a..594598a 100644
--- a/4.8.14/4425_grsec_remove_EI_PAX.patch
+++ b/4.8.15/4425_grsec_remove_EI_PAX.patch
diff --git a/4.8.14/4427_force_XATTR_PAX_tmpfs.patch b/4.8.15/4427_force_XATTR_PAX_tmpfs.patch
index caecb91..caecb91 100644
--- a/4.8.14/4427_force_XATTR_PAX_tmpfs.patch
+++ b/4.8.15/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/4.8.14/4430_grsec-remove-localversion-grsec.patch b/4.8.15/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/4.8.14/4430_grsec-remove-localversion-grsec.patch
+++ b/4.8.15/4430_grsec-remove-localversion-grsec.patch
diff --git a/4.8.14/4435_grsec-mute-warnings.patch b/4.8.15/4435_grsec-mute-warnings.patch
index 8929222..8929222 100644
--- a/4.8.14/4435_grsec-mute-warnings.patch
+++ b/4.8.15/4435_grsec-mute-warnings.patch
diff --git a/4.8.14/4440_grsec-remove-protected-paths.patch b/4.8.15/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/4.8.14/4440_grsec-remove-protected-paths.patch
+++ b/4.8.15/4440_grsec-remove-protected-paths.patch
diff --git a/4.8.14/4450_grsec-kconfig-default-gids.patch b/4.8.15/4450_grsec-kconfig-default-gids.patch
index cee6e27..cee6e27 100644
--- a/4.8.14/4450_grsec-kconfig-default-gids.patch
+++ b/4.8.15/4450_grsec-kconfig-default-gids.patch
diff --git a/4.8.14/4465_selinux-avc_audit-log-curr_ip.patch b/4.8.15/4465_selinux-avc_audit-log-curr_ip.patch
index 06a5294..06a5294 100644
--- a/4.8.14/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/4.8.15/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/4.8.14/4470_disable-compat_vdso.patch b/4.8.15/4470_disable-compat_vdso.patch
index 1e4b84a..1e4b84a 100644
--- a/4.8.14/4470_disable-compat_vdso.patch
+++ b/4.8.15/4470_disable-compat_vdso.patch
diff --git a/4.8.14/4475_emutramp_default_on.patch b/4.8.15/4475_emutramp_default_on.patch
index 7b468ee..7b468ee 100644
--- a/4.8.14/4475_emutramp_default_on.patch
+++ b/4.8.15/4475_emutramp_default_on.patch