summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnthony G. Basile <blueness@gentoo.org>2016-02-02 01:45:53 -0500
committerAnthony G. Basile <blueness@gentoo.org>2016-02-02 01:45:53 -0500
commit82e4e2c3535f481b3bd0ddfc1d6669ca2e0e8909 (patch)
treed4b14a9077b35687470531e406cd8a96bf2a5e25
parentgrsecurity-3.1-4.3.4-201601292206 (diff)
downloadhardened-patchset-82e4e2c3535f481b3bd0ddfc1d6669ca2e0e8909.tar.gz
hardened-patchset-82e4e2c3535f481b3bd0ddfc1d6669ca2e0e8909.tar.bz2
hardened-patchset-82e4e2c3535f481b3bd0ddfc1d6669ca2e0e8909.zip
grsecurity-3.1-4.3.5-20160131161120160131
-rw-r--r--4.3.4/1003_linux-4.3.4.patch1863
-rw-r--r--4.3.5/0000_README (renamed from 4.3.4/0000_README)6
-rw-r--r--4.3.5/4420_grsecurity-3.1-4.3.5-201601311611.patch (renamed from 4.3.4/4420_grsecurity-3.1-4.3.4-201601292206.patch)1419
-rw-r--r--4.3.5/4425_grsec_remove_EI_PAX.patch (renamed from 4.3.4/4425_grsec_remove_EI_PAX.patch)0
-rw-r--r--4.3.5/4427_force_XATTR_PAX_tmpfs.patch (renamed from 4.3.4/4427_force_XATTR_PAX_tmpfs.patch)0
-rw-r--r--4.3.5/4430_grsec-remove-localversion-grsec.patch (renamed from 4.3.4/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--4.3.5/4435_grsec-mute-warnings.patch (renamed from 4.3.4/4435_grsec-mute-warnings.patch)0
-rw-r--r--4.3.5/4440_grsec-remove-protected-paths.patch (renamed from 4.3.4/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--4.3.5/4450_grsec-kconfig-default-gids.patch (renamed from 4.3.4/4450_grsec-kconfig-default-gids.patch)0
-rw-r--r--4.3.5/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 4.3.4/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--4.3.5/4470_disable-compat_vdso.patch (renamed from 4.3.4/4470_disable-compat_vdso.patch)0
-rw-r--r--4.3.5/4475_emutramp_default_on.patch (renamed from 4.3.4/4475_emutramp_default_on.patch)0
12 files changed, 309 insertions, 2979 deletions
diff --git a/4.3.4/1003_linux-4.3.4.patch b/4.3.4/1003_linux-4.3.4.patch
deleted file mode 100644
index 0e103a4..0000000
--- a/4.3.4/1003_linux-4.3.4.patch
+++ /dev/null
@@ -1,1863 +0,0 @@
-diff --git a/Makefile b/Makefile
-index 2070d16..69430ed 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 4
- PATCHLEVEL = 3
--SUBLEVEL = 3
-+SUBLEVEL = 4
- EXTRAVERSION =
- NAME = Blurry Fish Butt
-
-diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 739a4a6..2f6e3c6 100644
---- a/drivers/acpi/osl.c
-+++ b/drivers/acpi/osl.c
-@@ -81,6 +81,7 @@ static struct workqueue_struct *kacpid_wq;
- static struct workqueue_struct *kacpi_notify_wq;
- static struct workqueue_struct *kacpi_hotplug_wq;
- static bool acpi_os_initialized;
-+unsigned int acpi_sci_irq = INVALID_ACPI_IRQ;
-
- /*
- * This list of permanent mappings is for memory that may be accessed from
-@@ -856,17 +857,19 @@ acpi_os_install_interrupt_handler(u32 gsi, acpi_osd_handler handler,
- acpi_irq_handler = NULL;
- return AE_NOT_ACQUIRED;
- }
-+ acpi_sci_irq = irq;
-
- return AE_OK;
- }
-
--acpi_status acpi_os_remove_interrupt_handler(u32 irq, acpi_osd_handler handler)
-+acpi_status acpi_os_remove_interrupt_handler(u32 gsi, acpi_osd_handler handler)
- {
-- if (irq != acpi_gbl_FADT.sci_interrupt)
-+ if (gsi != acpi_gbl_FADT.sci_interrupt || !acpi_sci_irq_valid())
- return AE_BAD_PARAMETER;
-
-- free_irq(irq, acpi_irq);
-+ free_irq(acpi_sci_irq, acpi_irq);
- acpi_irq_handler = NULL;
-+ acpi_sci_irq = INVALID_ACPI_IRQ;
-
- return AE_OK;
- }
-@@ -1180,8 +1183,8 @@ void acpi_os_wait_events_complete(void)
- * Make sure the GPE handler or the fixed event handler is not used
- * on another CPU after removal.
- */
-- if (acpi_irq_handler)
-- synchronize_hardirq(acpi_gbl_FADT.sci_interrupt);
-+ if (acpi_sci_irq_valid())
-+ synchronize_hardirq(acpi_sci_irq);
- flush_workqueue(kacpid_wq);
- flush_workqueue(kacpi_notify_wq);
- }
-diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c
-index 2f0d4db..3fe1fbe 100644
---- a/drivers/acpi/sleep.c
-+++ b/drivers/acpi/sleep.c
-@@ -632,14 +632,16 @@ static int acpi_freeze_prepare(void)
- acpi_enable_wakeup_devices(ACPI_STATE_S0);
- acpi_enable_all_wakeup_gpes();
- acpi_os_wait_events_complete();
-- enable_irq_wake(acpi_gbl_FADT.sci_interrupt);
-+ if (acpi_sci_irq_valid())
-+ enable_irq_wake(acpi_sci_irq);
- return 0;
- }
-
- static void acpi_freeze_restore(void)
- {
- acpi_disable_wakeup_devices(ACPI_STATE_S0);
-- disable_irq_wake(acpi_gbl_FADT.sci_interrupt);
-+ if (acpi_sci_irq_valid())
-+ disable_irq_wake(acpi_sci_irq);
- acpi_enable_all_runtime_gpes();
- }
-
-diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
-index f8319a0..39be5ac 100644
---- a/drivers/char/tpm/tpm.h
-+++ b/drivers/char/tpm/tpm.h
-@@ -115,6 +115,13 @@ enum tpm2_startup_types {
- TPM2_SU_STATE = 0x0001,
- };
-
-+enum tpm2_start_method {
-+ TPM2_START_ACPI = 2,
-+ TPM2_START_FIFO = 6,
-+ TPM2_START_CRB = 7,
-+ TPM2_START_CRB_WITH_ACPI = 8,
-+};
-+
- struct tpm_chip;
-
- struct tpm_vendor_specific {
-diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
-index 1267322..2b971b3 100644
---- a/drivers/char/tpm/tpm_crb.c
-+++ b/drivers/char/tpm/tpm_crb.c
-@@ -34,12 +34,6 @@ enum crb_defaults {
- CRB_ACPI_START_INDEX = 1,
- };
-
--enum crb_start_method {
-- CRB_SM_ACPI_START = 2,
-- CRB_SM_CRB = 7,
-- CRB_SM_CRB_WITH_ACPI_START = 8,
--};
--
- struct acpi_tpm2 {
- struct acpi_table_header hdr;
- u16 platform_class;
-@@ -220,12 +214,6 @@ static int crb_acpi_add(struct acpi_device *device)
- u64 pa;
- int rc;
-
-- chip = tpmm_chip_alloc(dev, &tpm_crb);
-- if (IS_ERR(chip))
-- return PTR_ERR(chip);
--
-- chip->flags = TPM_CHIP_FLAG_TPM2;
--
- status = acpi_get_table(ACPI_SIG_TPM2, 1,
- (struct acpi_table_header **) &buf);
- if (ACPI_FAILURE(status)) {
-@@ -233,13 +221,15 @@ static int crb_acpi_add(struct acpi_device *device)
- return -ENODEV;
- }
-
-- /* At least some versions of AMI BIOS have a bug that TPM2 table has
-- * zero address for the control area and therefore we must fail.
-- */
-- if (!buf->control_area_pa) {
-- dev_err(dev, "TPM2 ACPI table has a zero address for the control area\n");
-- return -EINVAL;
-- }
-+ /* Should the FIFO driver handle this? */
-+ if (buf->start_method == TPM2_START_FIFO)
-+ return -ENODEV;
-+
-+ chip = tpmm_chip_alloc(dev, &tpm_crb);
-+ if (IS_ERR(chip))
-+ return PTR_ERR(chip);
-+
-+ chip->flags = TPM_CHIP_FLAG_TPM2;
-
- if (buf->hdr.length < sizeof(struct acpi_tpm2)) {
- dev_err(dev, "TPM2 ACPI table has wrong size");
-@@ -259,11 +249,11 @@ static int crb_acpi_add(struct acpi_device *device)
- * report only ACPI start but in practice seems to require both
- * ACPI start and CRB start.
- */
-- if (sm == CRB_SM_CRB || sm == CRB_SM_CRB_WITH_ACPI_START ||
-+ if (sm == TPM2_START_CRB || sm == TPM2_START_FIFO ||
- !strcmp(acpi_device_hid(device), "MSFT0101"))
- priv->flags |= CRB_FL_CRB_START;
-
-- if (sm == CRB_SM_ACPI_START || sm == CRB_SM_CRB_WITH_ACPI_START)
-+ if (sm == TPM2_START_ACPI || sm == TPM2_START_CRB_WITH_ACPI)
- priv->flags |= CRB_FL_ACPI_START;
-
- priv->cca = (struct crb_control_area __iomem *)
-diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c
-index f2dffa7..696ef1d 100644
---- a/drivers/char/tpm/tpm_tis.c
-+++ b/drivers/char/tpm/tpm_tis.c
-@@ -1,6 +1,6 @@
- /*
- * Copyright (C) 2005, 2006 IBM Corporation
-- * Copyright (C) 2014 Intel Corporation
-+ * Copyright (C) 2014, 2015 Intel Corporation
- *
- * Authors:
- * Leendert van Doorn <leendert@watson.ibm.com>
-@@ -28,6 +28,7 @@
- #include <linux/wait.h>
- #include <linux/acpi.h>
- #include <linux/freezer.h>
-+#include <acpi/actbl2.h>
- #include "tpm.h"
-
- enum tis_access {
-@@ -65,6 +66,17 @@ enum tis_defaults {
- TIS_LONG_TIMEOUT = 2000, /* 2 sec */
- };
-
-+struct tpm_info {
-+ unsigned long start;
-+ unsigned long len;
-+ unsigned int irq;
-+};
-+
-+static struct tpm_info tis_default_info = {
-+ .start = TIS_MEM_BASE,
-+ .len = TIS_MEM_LEN,
-+ .irq = 0,
-+};
-
- /* Some timeout values are needed before it is known whether the chip is
- * TPM 1.0 or TPM 2.0.
-@@ -91,26 +103,54 @@ struct priv_data {
- };
-
- #if defined(CONFIG_PNP) && defined(CONFIG_ACPI)
--static int is_itpm(struct pnp_dev *dev)
-+static int has_hid(struct acpi_device *dev, const char *hid)
- {
-- struct acpi_device *acpi = pnp_acpi_device(dev);
- struct acpi_hardware_id *id;
-
-- if (!acpi)
-- return 0;
--
-- list_for_each_entry(id, &acpi->pnp.ids, list) {
-- if (!strcmp("INTC0102", id->id))
-+ list_for_each_entry(id, &dev->pnp.ids, list)
-+ if (!strcmp(hid, id->id))
- return 1;
-- }
-
- return 0;
- }
-+
-+static inline int is_itpm(struct acpi_device *dev)
-+{
-+ return has_hid(dev, "INTC0102");
-+}
-+
-+static inline int is_fifo(struct acpi_device *dev)
-+{
-+ struct acpi_table_tpm2 *tbl;
-+ acpi_status st;
-+
-+ /* TPM 1.2 FIFO */
-+ if (!has_hid(dev, "MSFT0101"))
-+ return 1;
-+
-+ st = acpi_get_table(ACPI_SIG_TPM2, 1,
-+ (struct acpi_table_header **) &tbl);
-+ if (ACPI_FAILURE(st)) {
-+ dev_err(&dev->dev, "failed to get TPM2 ACPI table\n");
-+ return 0;
-+ }
-+
-+ if (le32_to_cpu(tbl->start_method) != TPM2_START_FIFO)
-+ return 0;
-+
-+ /* TPM 2.0 FIFO */
-+ return 1;
-+}
- #else
--static inline int is_itpm(struct pnp_dev *dev)
-+static inline int is_itpm(struct acpi_device *dev)
- {
- return 0;
- }
-+
-+static inline int is_fifo(struct acpi_device *dev)
-+{
-+ return 1;
-+}
- #endif
-
- /* Before we attempt to access the TPM we must see that the valid bit is set.
-@@ -600,9 +640,8 @@ static void tpm_tis_remove(struct tpm_chip *chip)
- release_locality(chip, chip->vendor.locality, 1);
- }
-
--static int tpm_tis_init(struct device *dev, acpi_handle acpi_dev_handle,
-- resource_size_t start, resource_size_t len,
-- unsigned int irq)
-+static int tpm_tis_init(struct device *dev, struct tpm_info *tpm_info,
-+ acpi_handle acpi_dev_handle)
- {
- u32 vendor, intfcaps, intmask;
- int rc, i, irq_s, irq_e, probe;
-@@ -622,7 +661,7 @@ static int tpm_tis_init(struct device *dev, acpi_handle acpi_dev_handle,
- chip->acpi_dev_handle = acpi_dev_handle;
- #endif
-
-- chip->vendor.iobase = devm_ioremap(dev, start, len);
-+ chip->vendor.iobase = devm_ioremap(dev, tpm_info->start, tpm_info->len);
- if (!chip->vendor.iobase)
- return -EIO;
-
-@@ -707,7 +746,7 @@ static int tpm_tis_init(struct device *dev, acpi_handle acpi_dev_handle,
- chip->vendor.iobase +
- TPM_INT_ENABLE(chip->vendor.locality));
- if (interrupts)
-- chip->vendor.irq = irq;
-+ chip->vendor.irq = tpm_info->irq;
- if (interrupts && !chip->vendor.irq) {
- irq_s =
- ioread8(chip->vendor.iobase +
-@@ -890,27 +929,27 @@ static SIMPLE_DEV_PM_OPS(tpm_tis_pm, tpm_pm_suspend, tpm_tis_resume);
- static int tpm_tis_pnp_init(struct pnp_dev *pnp_dev,
- const struct pnp_device_id *pnp_id)
- {
-- resource_size_t start, len;
-- unsigned int irq = 0;
-+ struct tpm_info tpm_info = tis_default_info;
- acpi_handle acpi_dev_handle = NULL;
-
-- start = pnp_mem_start(pnp_dev, 0);
-- len = pnp_mem_len(pnp_dev, 0);
-+ tpm_info.start = pnp_mem_start(pnp_dev, 0);
-+ tpm_info.len = pnp_mem_len(pnp_dev, 0);
-
- if (pnp_irq_valid(pnp_dev, 0))
-- irq = pnp_irq(pnp_dev, 0);
-+ tpm_info.irq = pnp_irq(pnp_dev, 0);
- else
- interrupts = false;
-
-- if (is_itpm(pnp_dev))
-- itpm = true;
--
- #ifdef CONFIG_ACPI
-- if (pnp_acpi_device(pnp_dev))
-+ if (pnp_acpi_device(pnp_dev)) {
-+ if (is_itpm(pnp_acpi_device(pnp_dev)))
-+ itpm = true;
-+
- acpi_dev_handle = pnp_acpi_device(pnp_dev)->handle;
-+ }
- #endif
-
-- return tpm_tis_init(&pnp_dev->dev, acpi_dev_handle, start, len, irq);
-+ return tpm_tis_init(&pnp_dev->dev, &tpm_info, acpi_dev_handle);
- }
-
- static struct pnp_device_id tpm_pnp_tbl[] = {
-@@ -930,6 +969,7 @@ MODULE_DEVICE_TABLE(pnp, tpm_pnp_tbl);
- static void tpm_tis_pnp_remove(struct pnp_dev *dev)
- {
- struct tpm_chip *chip = pnp_get_drvdata(dev);
-+
- tpm_chip_unregister(chip);
- tpm_tis_remove(chip);
- }
-@@ -950,6 +990,79 @@ module_param_string(hid, tpm_pnp_tbl[TIS_HID_USR_IDX].id,
- MODULE_PARM_DESC(hid, "Set additional specific HID for this driver to probe");
- #endif
-
-+#ifdef CONFIG_ACPI
-+static int tpm_check_resource(struct acpi_resource *ares, void *data)
-+{
-+ struct tpm_info *tpm_info = (struct tpm_info *) data;
-+ struct resource res;
-+
-+ if (acpi_dev_resource_interrupt(ares, 0, &res)) {
-+ tpm_info->irq = res.start;
-+ } else if (acpi_dev_resource_memory(ares, &res)) {
-+ tpm_info->start = res.start;
-+ tpm_info->len = resource_size(&res);
-+ }
-+
-+ return 1;
-+}
-+
-+static int tpm_tis_acpi_init(struct acpi_device *acpi_dev)
-+{
-+ struct list_head resources;
-+ struct tpm_info tpm_info = tis_default_info;
-+ int ret;
-+
-+ if (!is_fifo(acpi_dev))
-+ return -ENODEV;
-+
-+ INIT_LIST_HEAD(&resources);
-+ ret = acpi_dev_get_resources(acpi_dev, &resources, tpm_check_resource,
-+ &tpm_info);
-+ if (ret < 0)
-+ return ret;
-+
-+ acpi_dev_free_resource_list(&resources);
-+
-+ if (!tpm_info.irq)
-+ interrupts = false;
-+
-+ if (is_itpm(acpi_dev))
-+ itpm = true;
-+
-+ return tpm_tis_init(&acpi_dev->dev, &tpm_info, acpi_dev->handle);
-+}
-+
-+static int tpm_tis_acpi_remove(struct acpi_device *dev)
-+{
-+ struct tpm_chip *chip = dev_get_drvdata(&dev->dev);
-+
-+ tpm_chip_unregister(chip);
-+ tpm_tis_remove(chip);
-+
-+ return 0;
-+}
-+
-+static struct acpi_device_id tpm_acpi_tbl[] = {
-+ {"MSFT0101", 0}, /* TPM 2.0 */
-+ /* Add new here */
-+ {"", 0}, /* User Specified */
-+ {"", 0} /* Terminator */
-+};
-+MODULE_DEVICE_TABLE(acpi, tpm_acpi_tbl);
-+
-+static struct acpi_driver tis_acpi_driver = {
-+ .name = "tpm_tis",
-+ .ids = tpm_acpi_tbl,
-+ .ops = {
-+ .add = tpm_tis_acpi_init,
-+ .remove = tpm_tis_acpi_remove,
-+ },
-+ .drv = {
-+ .pm = &tpm_tis_pm,
-+ },
-+};
-+#endif
-+
- static struct platform_driver tis_drv = {
- .driver = {
- .name = "tpm_tis",
-@@ -966,9 +1079,25 @@ static int __init init_tis(void)
- {
- int rc;
- #ifdef CONFIG_PNP
-- if (!force)
-- return pnp_register_driver(&tis_pnp_driver);
-+ if (!force) {
-+ rc = pnp_register_driver(&tis_pnp_driver);
-+ if (rc)
-+ return rc;
-+ }
-+#endif
-+#ifdef CONFIG_ACPI
-+ if (!force) {
-+ rc = acpi_bus_register_driver(&tis_acpi_driver);
-+ if (rc) {
-+#ifdef CONFIG_PNP
-+ pnp_unregister_driver(&tis_pnp_driver);
- #endif
-+ return rc;
-+ }
-+ }
-+#endif
-+ if (!force)
-+ return 0;
-
- rc = platform_driver_register(&tis_drv);
- if (rc < 0)
-@@ -978,7 +1107,7 @@ static int __init init_tis(void)
- rc = PTR_ERR(pdev);
- goto err_dev;
- }
-- rc = tpm_tis_init(&pdev->dev, NULL, TIS_MEM_BASE, TIS_MEM_LEN, 0);
-+ rc = tpm_tis_init(&pdev->dev, &tis_default_info, NULL);
- if (rc)
- goto err_init;
- return 0;
-@@ -992,9 +1121,14 @@ err_dev:
- static void __exit cleanup_tis(void)
- {
- struct tpm_chip *chip;
--#ifdef CONFIG_PNP
-+#if defined(CONFIG_PNP) || defined(CONFIG_ACPI)
- if (!force) {
-+#ifdef CONFIG_ACPI
-+ acpi_bus_unregister_driver(&tis_acpi_driver);
-+#endif
-+#ifdef CONFIG_PNP
- pnp_unregister_driver(&tis_pnp_driver);
-+#endif
- return;
- }
- #endif
-diff --git a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
-index 2795d6d..8b5988e 100644
---- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
-+++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
-@@ -1016,13 +1016,12 @@ static int atl1c_setup_ring_resources(struct atl1c_adapter *adapter)
- sizeof(struct atl1c_recv_ret_status) * rx_desc_count +
- 8 * 4;
-
-- ring_header->desc = pci_alloc_consistent(pdev, ring_header->size,
-- &ring_header->dma);
-+ ring_header->desc = dma_zalloc_coherent(&pdev->dev, ring_header->size,
-+ &ring_header->dma, GFP_KERNEL);
- if (unlikely(!ring_header->desc)) {
-- dev_err(&pdev->dev, "pci_alloc_consistend failed\n");
-+ dev_err(&pdev->dev, "could not get memory for DMA buffer\n");
- goto err_nomem;
- }
-- memset(ring_header->desc, 0, ring_header->size);
- /* init TPD ring */
-
- tpd_ring[0].dma = roundup(ring_header->dma, 8);
-diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c
-index ce38d26..bcb933e 100644
---- a/drivers/net/ethernet/freescale/gianfar.c
-+++ b/drivers/net/ethernet/freescale/gianfar.c
-@@ -894,7 +894,8 @@ static int gfar_of_init(struct platform_device *ofdev, struct net_device **pdev)
- FSL_GIANFAR_DEV_HAS_VLAN |
- FSL_GIANFAR_DEV_HAS_MAGIC_PACKET |
- FSL_GIANFAR_DEV_HAS_EXTENDED_HASH |
-- FSL_GIANFAR_DEV_HAS_TIMER;
-+ FSL_GIANFAR_DEV_HAS_TIMER |
-+ FSL_GIANFAR_DEV_HAS_RX_FILER;
-
- err = of_property_read_string(np, "phy-connection-type", &ctype);
-
-@@ -1393,8 +1394,9 @@ static int gfar_probe(struct platform_device *ofdev)
- priv->rx_queue[i]->rxic = DEFAULT_RXIC;
- }
-
-- /* always enable rx filer */
-- priv->rx_filer_enable = 1;
-+ /* Always enable rx filer if available */
-+ priv->rx_filer_enable =
-+ (priv->device_flags & FSL_GIANFAR_DEV_HAS_RX_FILER) ? 1 : 0;
- /* Enable most messages by default */
- priv->msg_enable = (NETIF_MSG_IFUP << 1 ) - 1;
- /* use pritority h/w tx queue scheduling for single queue devices */
-diff --git a/drivers/net/ethernet/freescale/gianfar.h b/drivers/net/ethernet/freescale/gianfar.h
-index 8c19948..3755372 100644
---- a/drivers/net/ethernet/freescale/gianfar.h
-+++ b/drivers/net/ethernet/freescale/gianfar.h
-@@ -917,6 +917,7 @@ struct gfar {
- #define FSL_GIANFAR_DEV_HAS_BD_STASHING 0x00000200
- #define FSL_GIANFAR_DEV_HAS_BUF_STASHING 0x00000400
- #define FSL_GIANFAR_DEV_HAS_TIMER 0x00000800
-+#define FSL_GIANFAR_DEV_HAS_RX_FILER 0x00002000
-
- #if (MAXGROUPS == 2)
- #define DEFAULT_MAPPING 0xAA
-diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c
-index 2f87909..60ccc29 100644
---- a/drivers/net/ethernet/qualcomm/qca_spi.c
-+++ b/drivers/net/ethernet/qualcomm/qca_spi.c
-@@ -736,9 +736,8 @@ qcaspi_netdev_tx_timeout(struct net_device *dev)
- netdev_info(qca->net_dev, "Transmit timeout at %ld, latency %ld\n",
- jiffies, jiffies - dev->trans_start);
- qca->net_dev->stats.tx_errors++;
-- /* wake the queue if there is room */
-- if (qcaspi_tx_ring_has_space(&qca->txr))
-- netif_wake_queue(dev);
-+ /* Trigger tx queue flush and QCA7000 reset */
-+ qca->sync = QCASPI_SYNC_UNKNOWN;
- }
-
- static int
-diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
-index a484d8b..f3cbf90c 100644
---- a/drivers/net/ethernet/renesas/sh_eth.c
-+++ b/drivers/net/ethernet/renesas/sh_eth.c
-@@ -1481,6 +1481,7 @@ static int sh_eth_rx(struct net_device *ndev, u32 intr_status, int *quota)
- if (mdp->cd->shift_rd0)
- desc_status >>= 16;
-
-+ skb = mdp->rx_skbuff[entry];
- if (desc_status & (RD_RFS1 | RD_RFS2 | RD_RFS3 | RD_RFS4 |
- RD_RFS5 | RD_RFS6 | RD_RFS10)) {
- ndev->stats.rx_errors++;
-@@ -1496,12 +1497,11 @@ static int sh_eth_rx(struct net_device *ndev, u32 intr_status, int *quota)
- ndev->stats.rx_missed_errors++;
- if (desc_status & RD_RFS10)
- ndev->stats.rx_over_errors++;
-- } else {
-+ } else if (skb) {
- if (!mdp->cd->hw_swap)
- sh_eth_soft_swap(
- phys_to_virt(ALIGN(rxdesc->addr, 4)),
- pkt_len + 2);
-- skb = mdp->rx_skbuff[entry];
- mdp->rx_skbuff[entry] = NULL;
- if (mdp->cd->rpadir)
- skb_reserve(skb, NET_IP_ALIGN);
-diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
-index cf6312f..e13ad6c 100644
---- a/drivers/net/phy/micrel.c
-+++ b/drivers/net/phy/micrel.c
-@@ -339,9 +339,18 @@ static int ksz9021_config_init(struct phy_device *phydev)
- {
- const struct device *dev = &phydev->dev;
- const struct device_node *of_node = dev->of_node;
-+ const struct device *dev_walker;
-
-- if (!of_node && dev->parent->of_node)
-- of_node = dev->parent->of_node;
-+ /* The Micrel driver has a deprecated option to place phy OF
-+ * properties in the MAC node. Walk up the tree of devices to
-+ * find a device with an OF node.
-+ */
-+ dev_walker = &phydev->dev;
-+ do {
-+ of_node = dev_walker->of_node;
-+ dev_walker = dev_walker->parent;
-+
-+ } while (!of_node && dev_walker);
-
- if (of_node) {
- ksz9021_load_values_from_of(phydev, of_node,
-diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
-index 5e0b432..0a37f84 100644
---- a/drivers/net/ppp/pppoe.c
-+++ b/drivers/net/ppp/pppoe.c
-@@ -568,6 +568,9 @@ static int pppoe_create(struct net *net, struct socket *sock, int kern)
- sk->sk_family = PF_PPPOX;
- sk->sk_protocol = PX_PROTO_OE;
-
-+ INIT_WORK(&pppox_sk(sk)->proto.pppoe.padt_work,
-+ pppoe_unbind_sock_work);
-+
- return 0;
- }
-
-@@ -632,8 +635,6 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr,
-
- lock_sock(sk);
-
-- INIT_WORK(&po->proto.pppoe.padt_work, pppoe_unbind_sock_work);
--
- error = -EINVAL;
- if (sp->sa_protocol != PX_PROTO_OE)
- goto end;
-@@ -663,8 +664,13 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr,
- po->pppoe_dev = NULL;
- }
-
-- memset(sk_pppox(po) + 1, 0,
-- sizeof(struct pppox_sock) - sizeof(struct sock));
-+ po->pppoe_ifindex = 0;
-+ memset(&po->pppoe_pa, 0, sizeof(po->pppoe_pa));
-+ memset(&po->pppoe_relay, 0, sizeof(po->pppoe_relay));
-+ memset(&po->chan, 0, sizeof(po->chan));
-+ po->next = NULL;
-+ po->num = 0;
-+
- sk->sk_state = PPPOX_NONE;
- }
-
-diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
-index 686f37d..b910cae 100644
---- a/drivers/net/ppp/pptp.c
-+++ b/drivers/net/ppp/pptp.c
-@@ -418,6 +418,9 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr,
- struct pptp_opt *opt = &po->proto.pptp;
- int error = 0;
-
-+ if (sockaddr_len < sizeof(struct sockaddr_pppox))
-+ return -EINVAL;
-+
- lock_sock(sk);
-
- opt->src_addr = sp->sa_addr.pptp;
-@@ -439,6 +442,9 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr,
- struct flowi4 fl4;
- int error = 0;
-
-+ if (sockaddr_len < sizeof(struct sockaddr_pppox))
-+ return -EINVAL;
-+
- if (sp->sa_protocol != PX_PROTO_PPTP)
- return -EINVAL;
-
-diff --git a/drivers/net/usb/cdc_mbim.c b/drivers/net/usb/cdc_mbim.c
-index efc18e0..b6ea6ff 100644
---- a/drivers/net/usb/cdc_mbim.c
-+++ b/drivers/net/usb/cdc_mbim.c
-@@ -158,7 +158,7 @@ static int cdc_mbim_bind(struct usbnet *dev, struct usb_interface *intf)
- if (!cdc_ncm_comm_intf_is_mbim(intf->cur_altsetting))
- goto err;
-
-- ret = cdc_ncm_bind_common(dev, intf, data_altsetting, 0);
-+ ret = cdc_ncm_bind_common(dev, intf, data_altsetting, dev->driver_info->data);
- if (ret)
- goto err;
-
-@@ -582,6 +582,26 @@ static const struct driver_info cdc_mbim_info_zlp = {
- .tx_fixup = cdc_mbim_tx_fixup,
- };
-
-+/* The spefication explicitly allows NDPs to be placed anywhere in the
-+ * frame, but some devices fail unless the NDP is placed after the IP
-+ * packets. Using the CDC_NCM_FLAG_NDP_TO_END flags to force this
-+ * behaviour.
-+ *
-+ * Note: The current implementation of this feature restricts each NTB
-+ * to a single NDP, implying that multiplexed sessions cannot share an
-+ * NTB. This might affect performace for multiplexed sessions.
-+ */
-+static const struct driver_info cdc_mbim_info_ndp_to_end = {
-+ .description = "CDC MBIM",
-+ .flags = FLAG_NO_SETINT | FLAG_MULTI_PACKET | FLAG_WWAN,
-+ .bind = cdc_mbim_bind,
-+ .unbind = cdc_mbim_unbind,
-+ .manage_power = cdc_mbim_manage_power,
-+ .rx_fixup = cdc_mbim_rx_fixup,
-+ .tx_fixup = cdc_mbim_tx_fixup,
-+ .data = CDC_NCM_FLAG_NDP_TO_END,
-+};
-+
- static const struct usb_device_id mbim_devs[] = {
- /* This duplicate NCM entry is intentional. MBIM devices can
- * be disguised as NCM by default, and this is necessary to
-@@ -597,6 +617,10 @@ static const struct usb_device_id mbim_devs[] = {
- { USB_VENDOR_AND_INTERFACE_INFO(0x0bdb, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE),
- .driver_info = (unsigned long)&cdc_mbim_info,
- },
-+ /* Huawei E3372 fails unless NDP comes after the IP packets */
-+ { USB_DEVICE_AND_INTERFACE_INFO(0x12d1, 0x157d, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE),
-+ .driver_info = (unsigned long)&cdc_mbim_info_ndp_to_end,
-+ },
- /* default entry */
- { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE),
- .driver_info = (unsigned long)&cdc_mbim_info_zlp,
-diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
-index db40175..fa41a6d 100644
---- a/drivers/net/usb/cdc_ncm.c
-+++ b/drivers/net/usb/cdc_ncm.c
-@@ -1006,10 +1006,18 @@ static struct usb_cdc_ncm_ndp16 *cdc_ncm_ndp(struct cdc_ncm_ctx *ctx, struct sk_
- * NTH16 header as we would normally do. NDP isn't written to the SKB yet, and
- * the wNdpIndex field in the header is actually not consistent with reality. It will be later.
- */
-- if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END)
-+ if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) {
- if (ctx->delayed_ndp16->dwSignature == sign)
- return ctx->delayed_ndp16;
-
-+ /* We can only push a single NDP to the end. Return
-+ * NULL to send what we've already got and queue this
-+ * skb for later.
-+ */
-+ else if (ctx->delayed_ndp16->dwSignature)
-+ return NULL;
-+ }
-+
- /* follow the chain of NDPs, looking for a match */
- while (ndpoffset) {
- ndp16 = (struct usb_cdc_ncm_ndp16 *)(skb->data + ndpoffset);
-diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
-index d9427ca..2e32c41 100644
---- a/drivers/net/usb/r8152.c
-+++ b/drivers/net/usb/r8152.c
-@@ -3067,17 +3067,6 @@ static int rtl8152_open(struct net_device *netdev)
-
- mutex_lock(&tp->control);
-
-- /* The WORK_ENABLE may be set when autoresume occurs */
-- if (test_bit(WORK_ENABLE, &tp->flags)) {
-- clear_bit(WORK_ENABLE, &tp->flags);
-- usb_kill_urb(tp->intr_urb);
-- cancel_delayed_work_sync(&tp->schedule);
--
-- /* disable the tx/rx, if the workqueue has enabled them. */
-- if (netif_carrier_ok(netdev))
-- tp->rtl_ops.disable(tp);
-- }
--
- tp->rtl_ops.up(tp);
-
- rtl8152_set_speed(tp, AUTONEG_ENABLE,
-@@ -3124,12 +3113,6 @@ static int rtl8152_close(struct net_device *netdev)
- } else {
- mutex_lock(&tp->control);
-
-- /* The autosuspend may have been enabled and wouldn't
-- * be disable when autoresume occurs, because the
-- * netif_running() would be false.
-- */
-- rtl_runtime_suspend_enable(tp, false);
--
- tp->rtl_ops.down(tp);
-
- mutex_unlock(&tp->control);
-@@ -3512,7 +3495,7 @@ static int rtl8152_resume(struct usb_interface *intf)
- netif_device_attach(tp->netdev);
- }
-
-- if (netif_running(tp->netdev)) {
-+ if (netif_running(tp->netdev) && tp->netdev->flags & IFF_UP) {
- if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) {
- rtl_runtime_suspend_enable(tp, false);
- clear_bit(SELECTIVE_SUSPEND, &tp->flags);
-@@ -3532,6 +3515,8 @@ static int rtl8152_resume(struct usb_interface *intf)
- }
- usb_submit_urb(tp->intr_urb, GFP_KERNEL);
- } else if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) {
-+ if (tp->netdev->flags & IFF_UP)
-+ rtl_runtime_suspend_enable(tp, false);
- clear_bit(SELECTIVE_SUSPEND, &tp->flags);
- }
-
-diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
-index c9e309c..374feba 100644
---- a/drivers/net/vrf.c
-+++ b/drivers/net/vrf.c
-@@ -581,6 +581,7 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev,
- {
- struct net_vrf *vrf = netdev_priv(dev);
- struct net_vrf_dev *vrf_ptr;
-+ int err;
-
- if (!data || !data[IFLA_VRF_TABLE])
- return -EINVAL;
-@@ -589,16 +590,25 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev,
-
- dev->priv_flags |= IFF_VRF_MASTER;
-
-+ err = -ENOMEM;
- vrf_ptr = kmalloc(sizeof(*dev->vrf_ptr), GFP_KERNEL);
- if (!vrf_ptr)
-- return -ENOMEM;
-+ goto out_fail;
-
- vrf_ptr->ifindex = dev->ifindex;
- vrf_ptr->tb_id = vrf->tb_id;
-
-+ err = register_netdevice(dev);
-+ if (err < 0)
-+ goto out_fail;
-+
- rcu_assign_pointer(dev->vrf_ptr, vrf_ptr);
-
-- return register_netdev(dev);
-+ return 0;
-+
-+out_fail:
-+ kfree(vrf_ptr);
-+ return err;
- }
-
- static size_t vrf_nl_getsize(const struct net_device *dev)
-diff --git a/drivers/platform/x86/toshiba_acpi.c b/drivers/platform/x86/toshiba_acpi.c
-index f2372f4..d2de91c 100644
---- a/drivers/platform/x86/toshiba_acpi.c
-+++ b/drivers/platform/x86/toshiba_acpi.c
-@@ -2676,6 +2676,7 @@ static int toshiba_acpi_add(struct acpi_device *acpi_dev)
- ret = toshiba_function_keys_get(dev, &special_functions);
- dev->kbd_function_keys_supported = !ret;
-
-+ dev->hotkey_event_type = 0;
- if (toshiba_acpi_setup_keyboard(dev))
- pr_info("Unable to activate hotkeys\n");
-
-diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
-index b30e742..26ca4f9 100644
---- a/drivers/usb/class/cdc-acm.c
-+++ b/drivers/usb/class/cdc-acm.c
-@@ -1838,6 +1838,11 @@ static const struct usb_device_id acm_ids[] = {
- },
- #endif
-
-+ /* Exclude Infineon Flash Loader utility */
-+ { USB_DEVICE(0x058b, 0x0041),
-+ .driver_info = IGNORE_DEVICE,
-+ },
-+
- /* control interfaces without any protocol set */
- { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
- USB_CDC_PROTO_NONE) },
-diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
-index b9ddf0c..894894f 100644
---- a/drivers/usb/core/config.c
-+++ b/drivers/usb/core/config.c
-@@ -115,7 +115,8 @@ static void usb_parse_ss_endpoint_companion(struct device *ddev, int cfgno,
- USB_SS_MULT(desc->bmAttributes) > 3) {
- dev_warn(ddev, "Isoc endpoint has Mult of %d in "
- "config %d interface %d altsetting %d ep %d: "
-- "setting to 3\n", desc->bmAttributes + 1,
-+ "setting to 3\n",
-+ USB_SS_MULT(desc->bmAttributes),
- cfgno, inum, asnum, ep->desc.bEndpointAddress);
- ep->ss_ep_comp.bmAttributes = 2;
- }
-diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index 431839b..522f766 100644
---- a/drivers/usb/core/hub.c
-+++ b/drivers/usb/core/hub.c
-@@ -124,6 +124,10 @@ struct usb_hub *usb_hub_to_struct_hub(struct usb_device *hdev)
-
- int usb_device_supports_lpm(struct usb_device *udev)
- {
-+ /* Some devices have trouble with LPM */
-+ if (udev->quirks & USB_QUIRK_NO_LPM)
-+ return 0;
-+
- /* USB 2.1 (and greater) devices indicate LPM support through
- * their USB 2.0 Extended Capabilities BOS descriptor.
- */
-@@ -4503,6 +4507,8 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1,
- goto fail;
- }
-
-+ usb_detect_quirks(udev);
-+
- if (udev->wusb == 0 && le16_to_cpu(udev->descriptor.bcdUSB) >= 0x0201) {
- retval = usb_get_bos_descriptor(udev);
- if (!retval) {
-@@ -4701,7 +4707,6 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
- if (status < 0)
- goto loop;
-
-- usb_detect_quirks(udev);
- if (udev->quirks & USB_QUIRK_DELAY_INIT)
- msleep(1000);
-
-@@ -5317,9 +5322,6 @@ static int usb_reset_and_verify_device(struct usb_device *udev)
- if (udev->usb2_hw_lpm_enabled == 1)
- usb_set_usb2_hardware_lpm(udev, 0);
-
-- bos = udev->bos;
-- udev->bos = NULL;
--
- /* Disable LPM and LTM while we reset the device and reinstall the alt
- * settings. Device-initiated LPM settings, and system exit latency
- * settings are cleared when the device is reset, so we have to set
-@@ -5328,15 +5330,18 @@ static int usb_reset_and_verify_device(struct usb_device *udev)
- ret = usb_unlocked_disable_lpm(udev);
- if (ret) {
- dev_err(&udev->dev, "%s Failed to disable LPM\n.", __func__);
-- goto re_enumerate;
-+ goto re_enumerate_no_bos;
- }
- ret = usb_disable_ltm(udev);
- if (ret) {
- dev_err(&udev->dev, "%s Failed to disable LTM\n.",
- __func__);
-- goto re_enumerate;
-+ goto re_enumerate_no_bos;
- }
-
-+ bos = udev->bos;
-+ udev->bos = NULL;
-+
- for (i = 0; i < SET_CONFIG_TRIES; ++i) {
-
- /* ep0 maxpacket size may change; let the HCD know about it.
-@@ -5433,10 +5438,11 @@ done:
- return 0;
-
- re_enumerate:
-- /* LPM state doesn't matter when we're about to destroy the device. */
-- hub_port_logical_disconnect(parent_hub, port1);
- usb_release_bos_descriptor(udev);
- udev->bos = bos;
-+re_enumerate_no_bos:
-+ /* LPM state doesn't matter when we're about to destroy the device. */
-+ hub_port_logical_disconnect(parent_hub, port1);
- return -ENODEV;
- }
-
-diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
-index f5a3819..017c1de 100644
---- a/drivers/usb/core/quirks.c
-+++ b/drivers/usb/core/quirks.c
-@@ -199,6 +199,12 @@ static const struct usb_device_id usb_quirk_list[] = {
- { USB_DEVICE(0x1a0a, 0x0200), .driver_info =
- USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
-
-+ /* Blackmagic Design Intensity Shuttle */
-+ { USB_DEVICE(0x1edb, 0xbd3b), .driver_info = USB_QUIRK_NO_LPM },
-+
-+ /* Blackmagic Design UltraStudio SDI */
-+ { USB_DEVICE(0x1edb, 0xbd4f), .driver_info = USB_QUIRK_NO_LPM },
-+
- { } /* terminating entry must be last */
- };
-
-diff --git a/drivers/usb/gadget/udc/pxa27x_udc.c b/drivers/usb/gadget/udc/pxa27x_udc.c
-index 670ac0b..001a3b7 100644
---- a/drivers/usb/gadget/udc/pxa27x_udc.c
-+++ b/drivers/usb/gadget/udc/pxa27x_udc.c
-@@ -2536,6 +2536,9 @@ static int pxa_udc_suspend(struct platform_device *_dev, pm_message_t state)
- udc->pullup_resume = udc->pullup_on;
- dplus_pullup(udc, 0);
-
-+ if (udc->driver)
-+ udc->driver->disconnect(&udc->gadget);
-+
- return 0;
- }
-
-diff --git a/drivers/usb/host/ohci-at91.c b/drivers/usb/host/ohci-at91.c
-index 342ffd1..8c6e15b 100644
---- a/drivers/usb/host/ohci-at91.c
-+++ b/drivers/usb/host/ohci-at91.c
-@@ -473,6 +473,8 @@ static int ohci_hcd_at91_drv_probe(struct platform_device *pdev)
- if (!pdata)
- return -ENOMEM;
-
-+ pdev->dev.platform_data = pdata;
-+
- if (!of_property_read_u32(np, "num-ports", &ports))
- pdata->ports = ports;
-
-@@ -483,6 +485,7 @@ static int ohci_hcd_at91_drv_probe(struct platform_device *pdev)
- */
- if (i >= pdata->ports) {
- pdata->vbus_pin[i] = -EINVAL;
-+ pdata->overcurrent_pin[i] = -EINVAL;
- continue;
- }
-
-@@ -513,10 +516,8 @@ static int ohci_hcd_at91_drv_probe(struct platform_device *pdev)
- }
-
- at91_for_each_port(i) {
-- if (i >= pdata->ports) {
-- pdata->overcurrent_pin[i] = -EINVAL;
-- continue;
-- }
-+ if (i >= pdata->ports)
-+ break;
-
- pdata->overcurrent_pin[i] =
- of_get_named_gpio_flags(np, "atmel,oc-gpio", i, &flags);
-@@ -552,8 +553,6 @@ static int ohci_hcd_at91_drv_probe(struct platform_device *pdev)
- }
- }
-
-- pdev->dev.platform_data = pdata;
--
- device_init_wakeup(&pdev->dev, 1);
- return usb_hcd_at91_probe(&ohci_at91_hc_driver, pdev);
- }
-diff --git a/drivers/usb/host/whci/qset.c b/drivers/usb/host/whci/qset.c
-index dc31c42..9f1c053 100644
---- a/drivers/usb/host/whci/qset.c
-+++ b/drivers/usb/host/whci/qset.c
-@@ -377,6 +377,10 @@ static int qset_fill_page_list(struct whc *whc, struct whc_std *std, gfp_t mem_f
- if (std->pl_virt == NULL)
- return -ENOMEM;
- std->dma_addr = dma_map_single(whc->wusbhc.dev, std->pl_virt, pl_len, DMA_TO_DEVICE);
-+ if (dma_mapping_error(whc->wusbhc.dev, std->dma_addr)) {
-+ kfree(std->pl_virt);
-+ return -EFAULT;
-+ }
-
- for (p = 0; p < std->num_pointers; p++) {
- std->pl_virt[p].buf_ptr = cpu_to_le64(dma_addr);
-diff --git a/drivers/usb/musb/Kconfig b/drivers/usb/musb/Kconfig
-index 1f2037b..45c83ba 100644
---- a/drivers/usb/musb/Kconfig
-+++ b/drivers/usb/musb/Kconfig
-@@ -159,7 +159,7 @@ config USB_TI_CPPI_DMA
-
- config USB_TI_CPPI41_DMA
- bool 'TI CPPI 4.1 (AM335x)'
-- depends on ARCH_OMAP
-+ depends on ARCH_OMAP && DMADEVICES
- select TI_CPPI41
-
- config USB_TUSB_OMAP_DMA
-diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
-index eac7cca..7d4f51a 100644
---- a/drivers/usb/serial/cp210x.c
-+++ b/drivers/usb/serial/cp210x.c
-@@ -132,7 +132,6 @@ static const struct usb_device_id id_table[] = {
- { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */
- { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */
- { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */
-- { USB_DEVICE(0x10C4, 0xEA80) }, /* Silicon Labs factory default */
- { USB_DEVICE(0x10C4, 0xEA71) }, /* Infinity GPS-MIC-1 Radio Monophone */
- { USB_DEVICE(0x10C4, 0xF001) }, /* Elan Digital Systems USBscope50 */
- { USB_DEVICE(0x10C4, 0xF002) }, /* Elan Digital Systems USBwave12 */
-diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c
-index 3658662..a204782 100644
---- a/drivers/usb/serial/usb-serial-simple.c
-+++ b/drivers/usb/serial/usb-serial-simple.c
-@@ -53,6 +53,7 @@ DEVICE(funsoft, FUNSOFT_IDS);
-
- /* Infineon Flashloader driver */
- #define FLASHLOADER_IDS() \
-+ { USB_DEVICE_INTERFACE_CLASS(0x058b, 0x0041, USB_CLASS_CDC_DATA) }, \
- { USB_DEVICE(0x8087, 0x0716) }
- DEVICE(flashloader, FLASHLOADER_IDS);
-
-diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
-index f689219..43b1caf 100644
---- a/drivers/usb/storage/uas.c
-+++ b/drivers/usb/storage/uas.c
-@@ -796,6 +796,10 @@ static int uas_slave_configure(struct scsi_device *sdev)
- if (devinfo->flags & US_FL_NO_REPORT_OPCODES)
- sdev->no_report_opcodes = 1;
-
-+ /* A few buggy USB-ATA bridges don't understand FUA */
-+ if (devinfo->flags & US_FL_BROKEN_FUA)
-+ sdev->broken_fua = 1;
-+
- scsi_change_queue_depth(sdev, devinfo->qdepth - 2);
- return 0;
- }
-diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
-index 6b24791..7ffe420 100644
---- a/drivers/usb/storage/unusual_devs.h
-+++ b/drivers/usb/storage/unusual_devs.h
-@@ -1987,7 +1987,7 @@ UNUSUAL_DEV( 0x14cd, 0x6600, 0x0201, 0x0201,
- US_FL_IGNORE_RESIDUE ),
-
- /* Reported by Michael Büsch <m@bues.ch> */
--UNUSUAL_DEV( 0x152d, 0x0567, 0x0114, 0x0114,
-+UNUSUAL_DEV( 0x152d, 0x0567, 0x0114, 0x0116,
- "JMicron",
- "USB to ATA/ATAPI Bridge",
- USB_SC_DEVICE, USB_PR_DEVICE, NULL,
-diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h
-index c85ea53..ccc113e 100644
---- a/drivers/usb/storage/unusual_uas.h
-+++ b/drivers/usb/storage/unusual_uas.h
-@@ -132,7 +132,7 @@ UNUSUAL_DEV(0x152d, 0x0567, 0x0000, 0x9999,
- "JMicron",
- "JMS567",
- USB_SC_DEVICE, USB_PR_DEVICE, NULL,
-- US_FL_NO_REPORT_OPCODES),
-+ US_FL_BROKEN_FUA | US_FL_NO_REPORT_OPCODES),
-
- /* Reported-by: Hans de Goede <hdegoede@redhat.com> */
- UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999,
-diff --git a/include/linux/acpi.h b/include/linux/acpi.h
-index 43856d1..1ae6ba0 100644
---- a/include/linux/acpi.h
-+++ b/include/linux/acpi.h
-@@ -193,6 +193,12 @@ int acpi_ioapic_registered(acpi_handle handle, u32 gsi_base);
- void acpi_irq_stats_init(void);
- extern u32 acpi_irq_handled;
- extern u32 acpi_irq_not_handled;
-+extern unsigned int acpi_sci_irq;
-+#define INVALID_ACPI_IRQ ((unsigned)-1)
-+static inline bool acpi_sci_irq_valid(void)
-+{
-+ return acpi_sci_irq != INVALID_ACPI_IRQ;
-+}
-
- extern int sbf_port;
- extern unsigned long acpi_realmode_flags;
-diff --git a/include/linux/usb/quirks.h b/include/linux/usb/quirks.h
-index 9948c87..1d0043d 100644
---- a/include/linux/usb/quirks.h
-+++ b/include/linux/usb/quirks.h
-@@ -47,4 +47,7 @@
- /* device generates spurious wakeup, ignore remote wakeup capability */
- #define USB_QUIRK_IGNORE_REMOTE_WAKEUP BIT(9)
-
-+/* device can't handle Link Power Management */
-+#define USB_QUIRK_NO_LPM BIT(10)
-+
- #endif /* __LINUX_USB_QUIRKS_H */
-diff --git a/include/net/dst.h b/include/net/dst.h
-index 9261d92..e7fa2e2 100644
---- a/include/net/dst.h
-+++ b/include/net/dst.h
-@@ -322,6 +322,39 @@ static inline void skb_dst_force(struct sk_buff *skb)
- }
- }
-
-+/**
-+ * dst_hold_safe - Take a reference on a dst if possible
-+ * @dst: pointer to dst entry
-+ *
-+ * This helper returns false if it could not safely
-+ * take a reference on a dst.
-+ */
-+static inline bool dst_hold_safe(struct dst_entry *dst)
-+{
-+ if (dst->flags & DST_NOCACHE)
-+ return atomic_inc_not_zero(&dst->__refcnt);
-+ dst_hold(dst);
-+ return true;
-+}
-+
-+/**
-+ * skb_dst_force_safe - makes sure skb dst is refcounted
-+ * @skb: buffer
-+ *
-+ * If dst is not yet refcounted and not destroyed, grab a ref on it.
-+ */
-+static inline void skb_dst_force_safe(struct sk_buff *skb)
-+{
-+ if (skb_dst_is_noref(skb)) {
-+ struct dst_entry *dst = skb_dst(skb);
-+
-+ if (!dst_hold_safe(dst))
-+ dst = NULL;
-+
-+ skb->_skb_refdst = (unsigned long)dst;
-+ }
-+}
-+
-
- /**
- * __skb_tunnel_rx - prepare skb for rx reinsert
-diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h
-index 4a6009d..235c781 100644
---- a/include/net/inetpeer.h
-+++ b/include/net/inetpeer.h
-@@ -78,6 +78,7 @@ void inet_initpeers(void) __init;
- static inline void inetpeer_set_addr_v4(struct inetpeer_addr *iaddr, __be32 ip)
- {
- iaddr->a4.addr = ip;
-+ iaddr->a4.vif = 0;
- iaddr->family = AF_INET;
- }
-
-diff --git a/include/net/sock.h b/include/net/sock.h
-index e237170..bca709a 100644
---- a/include/net/sock.h
-+++ b/include/net/sock.h
-@@ -387,6 +387,7 @@ struct sock {
- sk_no_check_rx : 1,
- sk_userlocks : 4,
- sk_protocol : 8,
-+#define SK_PROTOCOL_MAX U8_MAX
- sk_type : 16;
- kmemcheck_bitfield_end(flags);
- int sk_wmem_queued;
-@@ -724,6 +725,8 @@ enum sock_flags {
- SOCK_SELECT_ERR_QUEUE, /* Wake select on error queue */
- };
-
-+#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE))
-+
- static inline void sock_copy_flags(struct sock *nsk, struct sock *osk)
- {
- nsk->sk_flags = osk->sk_flags;
-@@ -798,7 +801,7 @@ void sk_stream_write_space(struct sock *sk);
- static inline void __sk_add_backlog(struct sock *sk, struct sk_buff *skb)
- {
- /* dont let skb dst not refcounted, we are going to leave rcu lock */
-- skb_dst_force(skb);
-+ skb_dst_force_safe(skb);
-
- if (!sk->sk_backlog.tail)
- sk->sk_backlog.head = skb;
-diff --git a/include/net/vxlan.h b/include/net/vxlan.h
-index 480a319..f4a4972 100644
---- a/include/net/vxlan.h
-+++ b/include/net/vxlan.h
-@@ -79,7 +79,7 @@ struct vxlanhdr {
- };
-
- /* VXLAN header flags. */
--#define VXLAN_HF_RCO BIT(24)
-+#define VXLAN_HF_RCO BIT(21)
- #define VXLAN_HF_VNI BIT(27)
- #define VXLAN_HF_GBP BIT(31)
-
-diff --git a/include/uapi/linux/Kbuild b/include/uapi/linux/Kbuild
-index f7b2db4..7fc5733 100644
---- a/include/uapi/linux/Kbuild
-+++ b/include/uapi/linux/Kbuild
-@@ -186,6 +186,7 @@ header-y += if_tunnel.h
- header-y += if_vlan.h
- header-y += if_x25.h
- header-y += igmp.h
-+header-y += ila.h
- header-y += in6.h
- header-y += inet_diag.h
- header-y += in.h
-diff --git a/lib/rhashtable.c b/lib/rhashtable.c
-index a54ff89..aa388a7 100644
---- a/lib/rhashtable.c
-+++ b/lib/rhashtable.c
-@@ -503,10 +503,11 @@ int rhashtable_walk_init(struct rhashtable *ht, struct rhashtable_iter *iter)
- if (!iter->walker)
- return -ENOMEM;
-
-- mutex_lock(&ht->mutex);
-- iter->walker->tbl = rht_dereference(ht->tbl, ht);
-+ spin_lock(&ht->lock);
-+ iter->walker->tbl =
-+ rcu_dereference_protected(ht->tbl, lockdep_is_held(&ht->lock));
- list_add(&iter->walker->list, &iter->walker->tbl->walkers);
-- mutex_unlock(&ht->mutex);
-+ spin_unlock(&ht->lock);
-
- return 0;
- }
-@@ -520,10 +521,10 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_init);
- */
- void rhashtable_walk_exit(struct rhashtable_iter *iter)
- {
-- mutex_lock(&iter->ht->mutex);
-+ spin_lock(&iter->ht->lock);
- if (iter->walker->tbl)
- list_del(&iter->walker->list);
-- mutex_unlock(&iter->ht->mutex);
-+ spin_unlock(&iter->ht->lock);
- kfree(iter->walker);
- }
- EXPORT_SYMBOL_GPL(rhashtable_walk_exit);
-@@ -547,14 +548,12 @@ int rhashtable_walk_start(struct rhashtable_iter *iter)
- {
- struct rhashtable *ht = iter->ht;
-
-- mutex_lock(&ht->mutex);
-+ rcu_read_lock();
-
-+ spin_lock(&ht->lock);
- if (iter->walker->tbl)
- list_del(&iter->walker->list);
--
-- rcu_read_lock();
--
-- mutex_unlock(&ht->mutex);
-+ spin_unlock(&ht->lock);
-
- if (!iter->walker->tbl) {
- iter->walker->tbl = rht_dereference_rcu(ht->tbl, ht);
-@@ -723,9 +722,6 @@ int rhashtable_init(struct rhashtable *ht,
- if (params->nulls_base && params->nulls_base < (1U << RHT_BASE_SHIFT))
- return -EINVAL;
-
-- if (params->nelem_hint)
-- size = rounded_hashtable_size(params);
--
- memset(ht, 0, sizeof(*ht));
- mutex_init(&ht->mutex);
- spin_lock_init(&ht->lock);
-@@ -745,6 +741,9 @@ int rhashtable_init(struct rhashtable *ht,
-
- ht->p.min_size = max(ht->p.min_size, HASH_MIN_SIZE);
-
-+ if (params->nelem_hint)
-+ size = rounded_hashtable_size(&ht->p);
-+
- /* The maximum (not average) chain length grows with the
- * size of the hash table, at a rate of (log N)/(log log N).
- * The value of 16 is selected so that even if the hash
-diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
-index ae3a47f..fbd0acf 100644
---- a/net/ax25/af_ax25.c
-+++ b/net/ax25/af_ax25.c
-@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol,
- struct sock *sk;
- ax25_cb *ax25;
-
-+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
-+ return -EINVAL;
-+
- if (!net_eq(net, &init_net))
- return -EAFNOSUPPORT;
-
-diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
-index f315c8d..15cb6c5 100644
---- a/net/bluetooth/sco.c
-+++ b/net/bluetooth/sco.c
-@@ -519,6 +519,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_le
- if (!addr || addr->sa_family != AF_BLUETOOTH)
- return -EINVAL;
-
-+ if (addr_len < sizeof(struct sockaddr_sco))
-+ return -EINVAL;
-+
- lock_sock(sk);
-
- if (sk->sk_state != BT_OPEN) {
-diff --git a/net/core/skbuff.c b/net/core/skbuff.c
-index fab4599..1c1f87c 100644
---- a/net/core/skbuff.c
-+++ b/net/core/skbuff.c
-@@ -3643,7 +3643,8 @@ static void __skb_complete_tx_timestamp(struct sk_buff *skb,
- serr->ee.ee_info = tstype;
- if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
- serr->ee.ee_data = skb_shinfo(skb)->tskey;
-- if (sk->sk_protocol == IPPROTO_TCP)
-+ if (sk->sk_protocol == IPPROTO_TCP &&
-+ sk->sk_type == SOCK_STREAM)
- serr->ee.ee_data -= sk->sk_tskey;
- }
-
-@@ -4268,7 +4269,8 @@ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
- return NULL;
- }
-
-- memmove(skb->data - ETH_HLEN, skb->data - VLAN_ETH_HLEN, 2 * ETH_ALEN);
-+ memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN,
-+ 2 * ETH_ALEN);
- skb->mac_header += VLAN_HLEN;
- return skb;
- }
-diff --git a/net/core/sock.c b/net/core/sock.c
-index 3307c02..dbbda99 100644
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -422,8 +422,6 @@ static void sock_warn_obsolete_bsdism(const char *name)
- }
- }
-
--#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE))
--
- static void sock_disable_timestamp(struct sock *sk, unsigned long flags)
- {
- if (sk->sk_flags & flags) {
-@@ -862,7 +860,8 @@ set_rcvbuf:
-
- if (val & SOF_TIMESTAMPING_OPT_ID &&
- !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) {
-- if (sk->sk_protocol == IPPROTO_TCP) {
-+ if (sk->sk_protocol == IPPROTO_TCP &&
-+ sk->sk_type == SOCK_STREAM) {
- if (sk->sk_state != TCP_ESTABLISHED) {
- ret = -EINVAL;
- break;
-diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
-index 675cf94..6feddca 100644
---- a/net/decnet/af_decnet.c
-+++ b/net/decnet/af_decnet.c
-@@ -678,6 +678,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol,
- {
- struct sock *sk;
-
-+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
-+ return -EINVAL;
-+
- if (!net_eq(net, &init_net))
- return -EAFNOSUPPORT;
-
-diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
-index 1d0c3ad..4b16cf3 100644
---- a/net/ipv4/af_inet.c
-+++ b/net/ipv4/af_inet.c
-@@ -261,6 +261,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
- int try_loading_module = 0;
- int err;
-
-+ if (protocol < 0 || protocol >= IPPROTO_MAX)
-+ return -EINVAL;
-+
- sock->state = SS_UNCONNECTED;
-
- /* Look for the requested type/protocol pair. */
-diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
-index e0fcbbb..bd903fe 100644
---- a/net/ipv4/fou.c
-+++ b/net/ipv4/fou.c
-@@ -24,6 +24,7 @@ struct fou {
- u16 type;
- struct udp_offload udp_offloads;
- struct list_head list;
-+ struct rcu_head rcu;
- };
-
- #define FOU_F_REMCSUM_NOPARTIAL BIT(0)
-@@ -417,7 +418,7 @@ static void fou_release(struct fou *fou)
- list_del(&fou->list);
- udp_tunnel_sock_release(sock);
-
-- kfree(fou);
-+ kfree_rcu(fou, rcu);
- }
-
- static int fou_encap_init(struct sock *sk, struct fou *fou, struct fou_cfg *cfg)
-diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
-index a7739c8..d77be28 100644
---- a/net/ipv4/tcp_ipv4.c
-+++ b/net/ipv4/tcp_ipv4.c
-@@ -1509,7 +1509,7 @@ bool tcp_prequeue(struct sock *sk, struct sk_buff *skb)
- if (likely(sk->sk_rx_dst))
- skb_dst_drop(skb);
- else
-- skb_dst_force(skb);
-+ skb_dst_force_safe(skb);
-
- __skb_queue_tail(&tp->ucopy.prequeue, skb);
- tp->ucopy.memory += skb->truesize;
-@@ -1710,8 +1710,7 @@ void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
- {
- struct dst_entry *dst = skb_dst(skb);
-
-- if (dst) {
-- dst_hold(dst);
-+ if (dst && dst_hold_safe(dst)) {
- sk->sk_rx_dst = dst;
- inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
- }
-diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
-index 3dbee0d..c958596 100644
---- a/net/ipv4/tcp_output.c
-+++ b/net/ipv4/tcp_output.c
-@@ -3147,7 +3147,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
- {
- struct tcp_sock *tp = tcp_sk(sk);
- struct tcp_fastopen_request *fo = tp->fastopen_req;
-- int syn_loss = 0, space, err = 0, copied;
-+ int syn_loss = 0, space, err = 0;
- unsigned long last_syn_loss = 0;
- struct sk_buff *syn_data;
-
-@@ -3185,17 +3185,18 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
- goto fallback;
- syn_data->ip_summed = CHECKSUM_PARTIAL;
- memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
-- copied = copy_from_iter(skb_put(syn_data, space), space,
-- &fo->data->msg_iter);
-- if (unlikely(!copied)) {
-- kfree_skb(syn_data);
-- goto fallback;
-- }
-- if (copied != space) {
-- skb_trim(syn_data, copied);
-- space = copied;
-+ if (space) {
-+ int copied = copy_from_iter(skb_put(syn_data, space), space,
-+ &fo->data->msg_iter);
-+ if (unlikely(!copied)) {
-+ kfree_skb(syn_data);
-+ goto fallback;
-+ }
-+ if (copied != space) {
-+ skb_trim(syn_data, copied);
-+ space = copied;
-+ }
- }
--
- /* No more data pending in inet_wait_for_connect() */
- if (space == fo->size)
- fo->data = NULL;
-diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
-index 3939dd2..ddd3511 100644
---- a/net/ipv6/addrconf.c
-+++ b/net/ipv6/addrconf.c
-@@ -349,6 +349,12 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev)
- setup_timer(&ndev->rs_timer, addrconf_rs_timer,
- (unsigned long)ndev);
- memcpy(&ndev->cnf, dev_net(dev)->ipv6.devconf_dflt, sizeof(ndev->cnf));
-+
-+ if (ndev->cnf.stable_secret.initialized)
-+ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
-+ else
-+ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_EUI64;
-+
- ndev->cnf.mtu6 = dev->mtu;
- ndev->cnf.sysctl = NULL;
- ndev->nd_parms = neigh_parms_alloc(dev, &nd_tbl);
-@@ -2453,7 +2459,7 @@ ok:
- #ifdef CONFIG_IPV6_OPTIMISTIC_DAD
- if (in6_dev->cnf.optimistic_dad &&
- !net->ipv6.devconf_all->forwarding && sllao)
-- addr_flags = IFA_F_OPTIMISTIC;
-+ addr_flags |= IFA_F_OPTIMISTIC;
- #endif
-
- /* Do not allow to create too much of autoconfigured
-diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
-index 38d66dd..df095ee 100644
---- a/net/ipv6/af_inet6.c
-+++ b/net/ipv6/af_inet6.c
-@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
- int try_loading_module = 0;
- int err;
-
-+ if (protocol < 0 || protocol >= IPPROTO_MAX)
-+ return -EINVAL;
-+
- /* Look for the requested type/protocol pair. */
- lookup_protocol:
- err = -ESOCKTNOSUPPORT;
-diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
-index 3c7b931..e5ea177 100644
---- a/net/ipv6/ip6_gre.c
-+++ b/net/ipv6/ip6_gre.c
-@@ -1571,13 +1571,11 @@ static int ip6gre_changelink(struct net_device *dev, struct nlattr *tb[],
- return -EEXIST;
- } else {
- t = nt;
--
-- ip6gre_tunnel_unlink(ign, t);
-- ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]);
-- ip6gre_tunnel_link(ign, t);
-- netdev_state_change(dev);
- }
-
-+ ip6gre_tunnel_unlink(ign, t);
-+ ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]);
-+ ip6gre_tunnel_link(ign, t);
- return 0;
- }
-
-diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
-index 9e9b77b..8935dc1 100644
---- a/net/ipv6/tcp_ipv6.c
-+++ b/net/ipv6/tcp_ipv6.c
-@@ -93,10 +93,9 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
- {
- struct dst_entry *dst = skb_dst(skb);
-
-- if (dst) {
-+ if (dst && dst_hold_safe(dst)) {
- const struct rt6_info *rt = (const struct rt6_info *)dst;
-
-- dst_hold(dst);
- sk->sk_rx_dst = dst;
- inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
- inet6_sk(sk)->rx_dst_cookie = rt6_get_cookie(rt);
-diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
-index fae6822..25f63a8 100644
---- a/net/irda/af_irda.c
-+++ b/net/irda/af_irda.c
-@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol,
- struct sock *sk;
- struct irda_sock *self;
-
-+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
-+ return -EINVAL;
-+
- if (net != &init_net)
- return -EAFNOSUPPORT;
-
-diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
-index 5009582..cad8c4b 100644
---- a/net/openvswitch/conntrack.c
-+++ b/net/openvswitch/conntrack.c
-@@ -53,6 +53,8 @@ struct ovs_conntrack_info {
- struct md_labels labels;
- };
-
-+static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info);
-+
- static u16 key_to_nfproto(const struct sw_flow_key *key)
- {
- switch (ntohs(key->eth.type)) {
-@@ -141,6 +143,7 @@ static void __ovs_ct_update_key(struct sw_flow_key *key, u8 state,
- * previously sent the packet to conntrack via the ct action.
- */
- static void ovs_ct_update_key(const struct sk_buff *skb,
-+ const struct ovs_conntrack_info *info,
- struct sw_flow_key *key, bool post_ct)
- {
- const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
-@@ -158,13 +161,15 @@ static void ovs_ct_update_key(const struct sk_buff *skb,
- zone = nf_ct_zone(ct);
- } else if (post_ct) {
- state = OVS_CS_F_TRACKED | OVS_CS_F_INVALID;
-+ if (info)
-+ zone = &info->zone;
- }
- __ovs_ct_update_key(key, state, zone, ct);
- }
-
- void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key)
- {
-- ovs_ct_update_key(skb, key, false);
-+ ovs_ct_update_key(skb, NULL, key, false);
- }
-
- int ovs_ct_put_key(const struct sw_flow_key *key, struct sk_buff *skb)
-@@ -418,7 +423,7 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
- }
- }
-
-- ovs_ct_update_key(skb, key, true);
-+ ovs_ct_update_key(skb, info, key, true);
-
- return 0;
- }
-@@ -708,7 +713,7 @@ int ovs_ct_copy_action(struct net *net, const struct nlattr *attr,
- nf_conntrack_get(&ct_info.ct->ct_general);
- return 0;
- err_free_ct:
-- nf_conntrack_free(ct_info.ct);
-+ __ovs_ct_free_action(&ct_info);
- return err;
- }
-
-@@ -750,6 +755,11 @@ void ovs_ct_free_action(const struct nlattr *a)
- {
- struct ovs_conntrack_info *ct_info = nla_data(a);
-
-+ __ovs_ct_free_action(ct_info);
-+}
-+
-+static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info)
-+{
- if (ct_info->helper)
- module_put(ct_info->helper->me);
- if (ct_info->ct)
-diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
-index 7ec667d..b5c2cf2 100644
---- a/net/sched/sch_api.c
-+++ b/net/sched/sch_api.c
-@@ -950,7 +950,7 @@ qdisc_create(struct net_device *dev, struct netdev_queue *dev_queue,
- }
- lockdep_set_class(qdisc_lock(sch), &qdisc_tx_lock);
- if (!netif_is_multiqueue(dev))
-- sch->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
-+ sch->flags |= TCQ_F_ONETXQUEUE;
- }
-
- sch->handle = handle;
-diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
-index e917d27..40677cf 100644
---- a/net/sctp/ipv6.c
-+++ b/net/sctp/ipv6.c
-@@ -635,6 +635,7 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk,
- struct sock *newsk;
- struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
- struct sctp6_sock *newsctp6sk;
-+ struct ipv6_txoptions *opt;
-
- newsk = sk_alloc(sock_net(sk), PF_INET6, GFP_KERNEL, sk->sk_prot, 0);
- if (!newsk)
-@@ -654,6 +655,13 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk,
-
- memcpy(newnp, np, sizeof(struct ipv6_pinfo));
-
-+ rcu_read_lock();
-+ opt = rcu_dereference(np->opt);
-+ if (opt)
-+ opt = ipv6_dup_options(newsk, opt);
-+ RCU_INIT_POINTER(newnp->opt, opt);
-+ rcu_read_unlock();
-+
- /* Initialize sk's sport, dport, rcv_saddr and daddr for getsockname()
- * and getpeername().
- */
-diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
-index 7954c52..8d67d72 100644
---- a/net/sctp/sm_make_chunk.c
-+++ b/net/sctp/sm_make_chunk.c
-@@ -1652,7 +1652,7 @@ static sctp_cookie_param_t *sctp_pack_cookie(const struct sctp_endpoint *ep,
-
- /* Set an expiration time for the cookie. */
- cookie->c.expiration = ktime_add(asoc->cookie_life,
-- ktime_get());
-+ ktime_get_real());
-
- /* Copy the peer's init packet. */
- memcpy(&cookie->c.peer_init[0], init_chunk->chunk_hdr,
-@@ -1780,7 +1780,7 @@ no_hmac:
- if (sock_flag(ep->base.sk, SOCK_TIMESTAMP))
- kt = skb_get_ktime(skb);
- else
-- kt = ktime_get();
-+ kt = ktime_get_real();
-
- if (!asoc && ktime_before(bear_cookie->expiration, kt)) {
- /*
-diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 3ec88be..84b1b50 100644
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -7163,6 +7163,7 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk,
- newsk->sk_type = sk->sk_type;
- newsk->sk_bound_dev_if = sk->sk_bound_dev_if;
- newsk->sk_flags = sk->sk_flags;
-+ newsk->sk_tsflags = sk->sk_tsflags;
- newsk->sk_no_check_tx = sk->sk_no_check_tx;
- newsk->sk_no_check_rx = sk->sk_no_check_rx;
- newsk->sk_reuse = sk->sk_reuse;
-@@ -7195,6 +7196,9 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk,
- newinet->mc_ttl = 1;
- newinet->mc_index = 0;
- newinet->mc_list = NULL;
-+
-+ if (newsk->sk_flags & SK_FLAGS_TIMESTAMP)
-+ net_enable_timestamp();
- }
-
- static inline void sctp_copy_descendant(struct sock *sk_to,
-diff --git a/net/socket.c b/net/socket.c
-index 9963a0b..f3fbe17 100644
---- a/net/socket.c
-+++ b/net/socket.c
-@@ -1702,6 +1702,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
- msg.msg_name = addr ? (struct sockaddr *)&address : NULL;
- /* We assume all kernel code knows the size of sockaddr_storage */
- msg.msg_namelen = 0;
-+ msg.msg_iocb = NULL;
- if (sock->file->f_flags & O_NONBLOCK)
- flags |= MSG_DONTWAIT;
- err = sock_recvmsg(sock, &msg, iov_iter_count(&msg.msg_iter), flags);
-diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
-index 86f2e7c..73bdf1b 100644
---- a/net/tipc/udp_media.c
-+++ b/net/tipc/udp_media.c
-@@ -162,7 +162,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
- if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
- err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
- if (err)
-- goto tx_error;
-+ return err;
- }
-
- clone = skb_clone(skb, GFP_ATOMIC);
-diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 128b098..0fc6dba 100644
---- a/net/unix/af_unix.c
-+++ b/net/unix/af_unix.c
-@@ -2255,14 +2255,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state)
- /* Lock the socket to prevent queue disordering
- * while sleeps in memcpy_tomsg
- */
-- err = mutex_lock_interruptible(&u->readlock);
-- if (unlikely(err)) {
-- /* recvmsg() in non blocking mode is supposed to return -EAGAIN
-- * sk_rcvtimeo is not honored by mutex_lock_interruptible()
-- */
-- err = noblock ? -EAGAIN : -ERESTARTSYS;
-- goto out;
-- }
-+ mutex_lock(&u->readlock);
-
- if (flags & MSG_PEEK)
- skip = sk_peek_offset(sk, flags);
-@@ -2306,12 +2299,12 @@ again:
- timeo = unix_stream_data_wait(sk, timeo, last,
- last_len);
-
-- if (signal_pending(current) ||
-- mutex_lock_interruptible(&u->readlock)) {
-+ if (signal_pending(current)) {
- err = sock_intr_errno(timeo);
- goto out;
- }
-
-+ mutex_lock(&u->readlock);
- continue;
- unlock:
- unix_state_unlock(sk);
-diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
-index 0b9ec78..26f0e0a 100644
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -757,16 +757,16 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
-
- /* the key is probably readable - now try to read it */
- can_read_key:
-- ret = key_validate(key);
-- if (ret == 0) {
-- ret = -EOPNOTSUPP;
-- if (key->type->read) {
-- /* read the data with the semaphore held (since we
-- * might sleep) */
-- down_read(&key->sem);
-+ ret = -EOPNOTSUPP;
-+ if (key->type->read) {
-+ /* Read the data with the semaphore held (since we might sleep)
-+ * to protect against the key being updated or revoked.
-+ */
-+ down_read(&key->sem);
-+ ret = key_validate(key);
-+ if (ret == 0)
- ret = key->type->read(key, buffer, buflen);
-- up_read(&key->sem);
-- }
-+ up_read(&key->sem);
- }
-
- error2:
-diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
-index 43b4cdd..7877e5c 100644
---- a/security/keys/process_keys.c
-+++ b/security/keys/process_keys.c
-@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
- ret = PTR_ERR(keyring);
- goto error2;
- } else if (keyring == new->session_keyring) {
-+ key_put(keyring);
- ret = 0;
- goto error2;
- }
diff --git a/4.3.4/0000_README b/4.3.5/0000_README
index ce73e44..e49fbae 100644
--- a/4.3.4/0000_README
+++ b/4.3.5/0000_README
@@ -2,11 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 1003_linux-4.3.4.patch
-From: http://www.kernel.org
-Desc: Linux 4.3.4
-
-Patch: 4420_grsecurity-3.1-4.3.4-201601292206.patch
+Patch: 4420_grsecurity-3.1-4.3.5-201601311611.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.3.4/4420_grsecurity-3.1-4.3.4-201601292206.patch b/4.3.5/4420_grsecurity-3.1-4.3.5-201601311611.patch
index 92cf754..63ba087 100644
--- a/4.3.4/4420_grsecurity-3.1-4.3.4-201601292206.patch
+++ b/4.3.5/4420_grsecurity-3.1-4.3.5-201601311611.patch
@@ -452,7 +452,7 @@ index 6fccb69..60c7c7a 100644
A toggle value indicating if modules are allowed to be loaded
diff --git a/Makefile b/Makefile
-index 69430ed..8fa626c 100644
+index efc7a76..aa435e3 100644
--- a/Makefile
+++ b/Makefile
@@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -4743,7 +4743,7 @@ index 7cd1514..0307305 100644
}
diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
-index b8efb8c..0b8f924 100644
+index 4d25fd0..0b8f924 100644
--- a/arch/arm/net/bpf_jit_32.c
+++ b/arch/arm/net/bpf_jit_32.c
@@ -20,6 +20,7 @@
@@ -4819,24 +4819,7 @@ index b8efb8c..0b8f924 100644
return (u64)err << 32 | ntohl(ret);
}
-@@ -182,31 +167,19 @@ static inline int mem_words_used(struct jit_ctx *ctx)
- return fls(ctx->seen & SEEN_MEM);
- }
-
--static inline bool is_load_to_a(u16 inst)
--{
-- switch (inst) {
-- case BPF_LD | BPF_W | BPF_LEN:
-- case BPF_LD | BPF_W | BPF_ABS:
-- case BPF_LD | BPF_H | BPF_ABS:
-- case BPF_LD | BPF_B | BPF_ABS:
-- return true;
-- default:
-- return false;
-- }
--}
--
- static void jit_fill_hole(void *area, unsigned int size)
+@@ -186,8 +171,10 @@ static void jit_fill_hole(void *area, unsigned int size)
{
u32 *ptr;
/* We are guaranteed to have aligned memory. */
@@ -4847,22 +4830,7 @@ index b8efb8c..0b8f924 100644
}
static void build_prologue(struct jit_ctx *ctx)
- {
- u16 reg_set = saved_regs(ctx);
-- u16 first_inst = ctx->skf->insns[0].code;
- u16 off;
-
- #ifdef CONFIG_FRAME_POINTER
-@@ -236,7 +209,7 @@ static void build_prologue(struct jit_ctx *ctx)
- emit(ARM_MOV_I(r_X, 0), ctx);
-
- /* do not leak kernel data to userspace */
-- if ((first_inst != (BPF_RET | BPF_K)) && !(is_load_to_a(first_inst)))
-+ if (bpf_needs_clear_a(&ctx->skf->insns[0]))
- emit(ARM_MOV_I(r_A, 0), ctx);
-
- /* stack space for the BPF_MEM words */
-@@ -556,6 +529,9 @@ static int build_body(struct jit_ctx *ctx)
+@@ -542,6 +529,9 @@ static int build_body(struct jit_ctx *ctx)
case BPF_LD | BPF_B | BPF_ABS:
load_order = 0;
load:
@@ -4872,7 +4840,7 @@ index b8efb8c..0b8f924 100644
emit_mov_i(r_off, k, ctx);
load_common:
ctx->seen |= SEEN_DATA | SEEN_CALL;
-@@ -570,18 +546,6 @@ load_common:
+@@ -556,18 +546,6 @@ load_common:
condt = ARM_COND_HI;
}
@@ -4891,7 +4859,7 @@ index b8efb8c..0b8f924 100644
_emit(condt, ARM_ADD_R(r_scratch, r_off, r_skb_data),
ctx);
-@@ -744,7 +708,8 @@ load_ind:
+@@ -730,7 +708,8 @@ load_ind:
case BPF_ALU | BPF_RSH | BPF_K:
if (unlikely(k > 31))
return -1;
@@ -7129,47 +7097,6 @@ index 5c81fdd..db158d3 100644
int __virt_addr_valid(const volatile void *kaddr)
{
return pfn_valid(PFN_DOWN(virt_to_phys(kaddr)));
-diff --git a/arch/mips/net/bpf_jit.c b/arch/mips/net/bpf_jit.c
-index 0c4a133..26e947d 100644
---- a/arch/mips/net/bpf_jit.c
-+++ b/arch/mips/net/bpf_jit.c
-@@ -521,19 +521,6 @@ static inline u16 align_sp(unsigned int num)
- return num;
- }
-
--static bool is_load_to_a(u16 inst)
--{
-- switch (inst) {
-- case BPF_LD | BPF_W | BPF_LEN:
-- case BPF_LD | BPF_W | BPF_ABS:
-- case BPF_LD | BPF_H | BPF_ABS:
-- case BPF_LD | BPF_B | BPF_ABS:
-- return true;
-- default:
-- return false;
-- }
--}
--
- static void save_bpf_jit_regs(struct jit_ctx *ctx, unsigned offset)
- {
- int i = 0, real_off = 0;
-@@ -614,7 +601,6 @@ static unsigned int get_stack_depth(struct jit_ctx *ctx)
-
- static void build_prologue(struct jit_ctx *ctx)
- {
-- u16 first_inst = ctx->skf->insns[0].code;
- int sp_off;
-
- /* Calculate the total offset for the stack pointer */
-@@ -641,7 +627,7 @@ static void build_prologue(struct jit_ctx *ctx)
- emit_jit_reg_move(r_X, r_zero, ctx);
-
- /* Do not leak kernel data to userspace */
-- if ((first_inst != (BPF_RET | BPF_K)) && !(is_load_to_a(first_inst)))
-+ if (bpf_needs_clear_a(&ctx->skf->insns[0]))
- emit_jit_reg_move(r_A, r_zero, ctx);
- }
-
diff --git a/arch/mips/sgi-ip27/ip27-nmi.c b/arch/mips/sgi-ip27/ip27-nmi.c
index a2358b4..7cead4f 100644
--- a/arch/mips/sgi-ip27/ip27-nmi.c
@@ -8591,10 +8518,10 @@ index 62cfb0c..50c6402 100644
#define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
#define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
-index a908ada..f3c8966 100644
+index 2220f7a..5a9420e 100644
--- a/arch/powerpc/include/asm/reg.h
+++ b/arch/powerpc/include/asm/reg.h
-@@ -252,6 +252,7 @@
+@@ -253,6 +253,7 @@
#define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
#define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
#define DSISR_NOHPTE 0x40000000 /* no translation found */
@@ -9014,10 +8941,10 @@ index c94d2e0..992a9ce 100644
sechdrs, module);
#endif
diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
-index 75b6676..41c72b5 100644
+index 646bf4d..36d4d76 100644
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
-@@ -1033,8 +1033,8 @@ void show_regs(struct pt_regs * regs)
+@@ -1051,8 +1051,8 @@ void show_regs(struct pt_regs * regs)
* Lookup NIP late so we have the best change of getting the
* above info out without failing
*/
@@ -9028,7 +8955,7 @@ index 75b6676..41c72b5 100644
#endif
show_stack(current, (unsigned long *) regs->gpr[1]);
if (!user_mode(regs))
-@@ -1550,10 +1550,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
+@@ -1568,10 +1568,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
newsp = stack[0];
ip = stack[STACK_FRAME_LR_SAVE];
if (!firstframe || ip != lr) {
@@ -9041,7 +8968,7 @@ index 75b6676..41c72b5 100644
(void *)current->ret_stack[curr_frame].ret);
curr_frame--;
}
-@@ -1573,7 +1573,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
+@@ -1591,7 +1591,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
struct pt_regs *regs = (struct pt_regs *)
(sp + STACK_FRAME_OVERHEAD);
lr = regs->link;
@@ -9050,7 +8977,7 @@ index 75b6676..41c72b5 100644
regs->trap, (void *)regs->nip, (void *)lr);
firstframe = 1;
}
-@@ -1609,49 +1609,3 @@ void notrace __ppc64_runlatch_off(void)
+@@ -1627,49 +1627,3 @@ void notrace __ppc64_runlatch_off(void)
mtspr(SPRN_CTRLT, ctrl);
}
#endif /* CONFIG_PPC64 */
@@ -9140,10 +9067,10 @@ index 737c0d0..59c7417 100644
if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
-index 0dbee46..97b77b9 100644
+index ef7c24e..755a485 100644
--- a/arch/powerpc/kernel/signal_32.c
+++ b/arch/powerpc/kernel/signal_32.c
-@@ -1014,7 +1014,7 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
+@@ -1018,7 +1018,7 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
/* Save user registers on the stack */
frame = &rt_sf->uc.uc_mcontext;
addr = frame;
@@ -9153,10 +9080,10 @@ index 0dbee46..97b77b9 100644
tramp = current->mm->context.vdso_base + vdso32_rt_sigtramp;
} else {
diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
-index 20756df..300e2a4 100644
+index c676ece..188c057 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
-@@ -765,7 +765,7 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs
+@@ -769,7 +769,7 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs
current->thread.fp_state.fpscr = 0;
/* Set up to return from userspace. */
@@ -9463,31 +9390,6 @@ index 0f432a7..abfe841 100644
/* If hint, make sure it matches our alignment restrictions */
if (!fixed && addr) {
addr = _ALIGN_UP(addr, 1ul << pshift);
-diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
-index 17cea18..264c473 100644
---- a/arch/powerpc/net/bpf_jit_comp.c
-+++ b/arch/powerpc/net/bpf_jit_comp.c
-@@ -78,18 +78,9 @@ static void bpf_jit_build_prologue(struct bpf_prog *fp, u32 *image,
- PPC_LI(r_X, 0);
- }
-
-- switch (filter[0].code) {
-- case BPF_RET | BPF_K:
-- case BPF_LD | BPF_W | BPF_LEN:
-- case BPF_LD | BPF_W | BPF_ABS:
-- case BPF_LD | BPF_H | BPF_ABS:
-- case BPF_LD | BPF_B | BPF_ABS:
-- /* first instruction sets A register (or is RET 'constant') */
-- break;
-- default:
-- /* make sure we dont leak kernel information to user */
-+ /* make sure we dont leak kernel information to user */
-+ if (bpf_needs_clear_a(&filter[0]))
- PPC_LI(r_A, 0);
-- }
- }
-
- static void bpf_jit_build_epilogue(u32 *image, struct codegen_context *ctx)
diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c
index 5038fd5..87a2033 100644
--- a/arch/powerpc/platforms/cell/spufs/file.c
@@ -12341,35 +12243,6 @@ index 4ac88b7..bac6cb2 100644
#endif /* CONFIG_SMP */
#endif /* CONFIG_DEBUG_DCFLUSH */
}
-diff --git a/arch/sparc/net/bpf_jit_comp.c b/arch/sparc/net/bpf_jit_comp.c
-index f8b9f71..17e71d2 100644
---- a/arch/sparc/net/bpf_jit_comp.c
-+++ b/arch/sparc/net/bpf_jit_comp.c
-@@ -420,22 +420,9 @@ void bpf_jit_compile(struct bpf_prog *fp)
- }
- emit_reg_move(O7, r_saved_O7);
-
-- switch (filter[0].code) {
-- case BPF_RET | BPF_K:
-- case BPF_LD | BPF_W | BPF_LEN:
-- case BPF_LD | BPF_W | BPF_ABS:
-- case BPF_LD | BPF_H | BPF_ABS:
-- case BPF_LD | BPF_B | BPF_ABS:
-- /* The first instruction sets the A register (or is
-- * a "RET 'constant'")
-- */
-- break;
-- default:
-- /* Make sure we dont leak kernel information to the
-- * user.
-- */
-+ /* Make sure we dont leak kernel information to the user. */
-+ if (bpf_needs_clear_a(&filter[0]))
- emit_clear(r_A); /* A = 0 */
-- }
-
- for (i = 0; i < flen; i++) {
- unsigned int K = filter[i].k;
diff --git a/arch/tile/Kconfig b/arch/tile/Kconfig
index 106c21b..185bf0f 100644
--- a/arch/tile/Kconfig
@@ -18490,7 +18363,7 @@ index cfe3b95..d01b118 100644
int bitpos = -1;
/*
diff --git a/arch/x86/include/asm/boot.h b/arch/x86/include/asm/boot.h
-index 4fa687a..4ca636f 100644
+index 6b8d6e8..3cbf4f8 100644
--- a/arch/x86/include/asm/boot.h
+++ b/arch/x86/include/asm/boot.h
@@ -6,7 +6,7 @@
@@ -19789,7 +19662,7 @@ index 55234d5..7e3c4bf 100644
atomic_t perf_rdpmc_allowed; /* nonzero if rdpmc is allowed */
} mm_context_t;
diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
-index 379cd36..8ef26be 100644
+index bfd9b2a..a931fef 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -46,7 +46,7 @@ struct ldt_struct {
@@ -19825,7 +19698,7 @@ index 379cd36..8ef26be 100644
return 0;
}
static inline void destroy_context(struct mm_struct *mm) {}
-@@ -98,26 +115,95 @@ static inline void load_mm_ldt(struct mm_struct *mm)
+@@ -98,19 +115,84 @@ static inline void load_mm_ldt(struct mm_struct *mm)
static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
{
@@ -19910,18 +19783,19 @@ index 379cd36..8ef26be 100644
this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
this_cpu_write(cpu_tlbstate.active_mm, next);
#endif
- cpumask_set_cpu(cpu, mm_cpumask(next));
-
- /* Re-load page tables */
+@@ -144,7 +226,11 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+ * ordering guarantee we need.
+ *
+ */
+#ifdef CONFIG_PAX_PER_CPU_PGD
+ pax_switch_mm(next, cpu);
+#else
load_cr3(next->pgd);
+#endif
+
trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
- /* Stop flush ipis for the previous mm */
-@@ -142,9 +228,31 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+@@ -170,9 +256,31 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
if (unlikely(prev->context.ldt != next->context.ldt))
load_mm_ldt(next);
#endif
@@ -19954,9 +19828,9 @@ index 379cd36..8ef26be 100644
this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next);
-@@ -161,13 +269,30 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
- * tlb flush IPI delivery. We must reload CR3
- * to make sure to use no freed page tables.
+@@ -193,13 +301,30 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+ * As above, load_cr3() is serializing and orders TLB
+ * fills with respect to the mm_cpumask write.
*/
+
+#ifndef CONFIG_PAX_PER_CPU_PGD
@@ -20162,10 +20036,10 @@ index b3bebf9..cb419e7 100644
#define __phys_reloc_hide(x) (x)
diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h
-index 10d0596..16a2a7c 100644
+index c759b3c..043875b 100644
--- a/arch/x86/include/asm/paravirt.h
+++ b/arch/x86/include/asm/paravirt.h
-@@ -530,7 +530,7 @@ static inline pmd_t __pmd(pmdval_t val)
+@@ -536,7 +536,7 @@ static inline pmd_t __pmd(pmdval_t val)
return (pmd_t) { ret };
}
@@ -20174,7 +20048,7 @@ index 10d0596..16a2a7c 100644
{
pmdval_t ret;
-@@ -596,6 +596,18 @@ static inline void set_pgd(pgd_t *pgdp, pgd_t pgd)
+@@ -602,6 +602,18 @@ static inline void set_pgd(pgd_t *pgdp, pgd_t pgd)
val);
}
@@ -20193,7 +20067,7 @@ index 10d0596..16a2a7c 100644
static inline void pgd_clear(pgd_t *pgdp)
{
set_pgd(pgdp, __pgd(0));
-@@ -680,6 +692,21 @@ static inline void __set_fixmap(unsigned /* enum fixed_addresses */ idx,
+@@ -686,6 +698,21 @@ static inline void __set_fixmap(unsigned /* enum fixed_addresses */ idx,
pv_mmu_ops.set_fixmap(idx, phys, flags);
}
@@ -20215,7 +20089,7 @@ index 10d0596..16a2a7c 100644
#if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
#ifdef CONFIG_QUEUED_SPINLOCKS
-@@ -903,7 +930,7 @@ extern void default_banner(void);
+@@ -909,7 +936,7 @@ extern void default_banner(void);
#define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
#define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
@@ -20224,7 +20098,7 @@ index 10d0596..16a2a7c 100644
#endif
#define INTERRUPT_RETURN \
-@@ -973,6 +1000,21 @@ extern void default_banner(void);
+@@ -979,6 +1006,21 @@ extern void default_banner(void);
PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_usergs_sysret64), \
CLBR_NONE, \
jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_usergs_sysret64))
@@ -20247,10 +20121,10 @@ index 10d0596..16a2a7c 100644
#endif /* __ASSEMBLY__ */
diff --git a/arch/x86/include/asm/paravirt_types.h b/arch/x86/include/asm/paravirt_types.h
-index 31247b5..6b5b8ef 100644
+index 3d44191..1992d40 100644
--- a/arch/x86/include/asm/paravirt_types.h
+++ b/arch/x86/include/asm/paravirt_types.h
-@@ -84,7 +84,7 @@ struct pv_init_ops {
+@@ -89,7 +89,7 @@ struct pv_init_ops {
*/
unsigned (*patch)(u8 type, u16 clobber, void *insnbuf,
unsigned long addr, unsigned len);
@@ -20259,7 +20133,7 @@ index 31247b5..6b5b8ef 100644
struct pv_lazy_ops {
-@@ -92,12 +92,12 @@ struct pv_lazy_ops {
+@@ -97,12 +97,12 @@ struct pv_lazy_ops {
void (*enter)(void);
void (*leave)(void);
void (*flush)(void);
@@ -20274,7 +20148,7 @@ index 31247b5..6b5b8ef 100644
struct pv_cpu_ops {
/* hooks for various privileged instructions */
-@@ -190,7 +190,7 @@ struct pv_cpu_ops {
+@@ -195,7 +195,7 @@ struct pv_cpu_ops {
void (*start_context_switch)(struct task_struct *prev);
void (*end_context_switch)(struct task_struct *next);
@@ -20283,7 +20157,7 @@ index 31247b5..6b5b8ef 100644
struct pv_irq_ops {
/*
-@@ -213,7 +213,7 @@ struct pv_irq_ops {
+@@ -218,7 +218,7 @@ struct pv_irq_ops {
#ifdef CONFIG_X86_64
void (*adjust_exception_frame)(void);
#endif
@@ -20292,7 +20166,7 @@ index 31247b5..6b5b8ef 100644
struct pv_apic_ops {
#ifdef CONFIG_X86_LOCAL_APIC
-@@ -221,7 +221,7 @@ struct pv_apic_ops {
+@@ -226,7 +226,7 @@ struct pv_apic_ops {
unsigned long start_eip,
unsigned long start_esp);
#endif
@@ -20301,7 +20175,7 @@ index 31247b5..6b5b8ef 100644
struct pv_mmu_ops {
unsigned long (*read_cr2)(void);
-@@ -311,6 +311,7 @@ struct pv_mmu_ops {
+@@ -316,6 +316,7 @@ struct pv_mmu_ops {
struct paravirt_callee_save make_pud;
void (*set_pgd)(pgd_t *pudp, pgd_t pgdval);
@@ -20309,7 +20183,7 @@ index 31247b5..6b5b8ef 100644
#endif /* CONFIG_PGTABLE_LEVELS == 4 */
#endif /* CONFIG_PGTABLE_LEVELS >= 3 */
-@@ -322,7 +323,13 @@ struct pv_mmu_ops {
+@@ -327,7 +328,13 @@ struct pv_mmu_ops {
an mfn. We can tell which is which from the index. */
void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
phys_addr_t phys, pgprot_t flags);
@@ -20324,7 +20198,7 @@ index 31247b5..6b5b8ef 100644
struct arch_spinlock;
#ifdef CONFIG_SMP
-@@ -344,11 +351,14 @@ struct pv_lock_ops {
+@@ -349,11 +356,14 @@ struct pv_lock_ops {
struct paravirt_callee_save lock_spinning;
void (*unlock_kick)(struct arch_spinlock *lock, __ticket_t ticket);
#endif /* !CONFIG_QUEUED_SPINLOCKS */
@@ -20341,7 +20215,7 @@ index 31247b5..6b5b8ef 100644
struct paravirt_patch_template {
struct pv_init_ops pv_init_ops;
struct pv_time_ops pv_time_ops;
-@@ -357,7 +367,7 @@ struct paravirt_patch_template {
+@@ -362,7 +372,7 @@ struct paravirt_patch_template {
struct pv_apic_ops pv_apic_ops;
struct pv_mmu_ops pv_mmu_ops;
struct pv_lock_ops pv_lock_ops;
@@ -20954,7 +20828,7 @@ index b12f810..aedcc13 100644
/*
diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
-index 19577dd..f4acc54 100644
+index b7692da..c888b3b 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -136,7 +136,7 @@ struct cpuinfo_x86 {
@@ -21047,7 +20921,7 @@ index 19577dd..f4acc54 100644
#else
/* sp0 on x86_32 is special in and around vm86 mode. */
return this_cpu_read_stable(cpu_current_top_of_stack);
-@@ -695,19 +702,29 @@ static inline void spin_lock_prefetch(const void *x)
+@@ -696,19 +703,29 @@ static inline void spin_lock_prefetch(const void *x)
#define TOP_OF_INIT_STACK ((unsigned long)&init_stack + sizeof(init_stack) - \
TOP_OF_KERNEL_STACK_PADDING)
@@ -21078,7 +20952,7 @@ index 19577dd..f4acc54 100644
}
extern unsigned long thread_saved_pc(struct task_struct *tsk);
-@@ -722,12 +739,7 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
+@@ -723,12 +740,7 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
* "struct pt_regs" is possible, but they may contain the
* completely wrong values.
*/
@@ -21092,7 +20966,7 @@ index 19577dd..f4acc54 100644
#define KSTK_ESP(task) (task_pt_regs(task)->sp)
-@@ -741,13 +753,13 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
+@@ -742,13 +754,13 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
* particular problem by preventing anything from being mapped
* at the maximum canonical address.
*/
@@ -21108,7 +20982,7 @@ index 19577dd..f4acc54 100644
#define TASK_SIZE (test_thread_flag(TIF_ADDR32) ? \
IA32_PAGE_OFFSET : TASK_SIZE_MAX)
-@@ -758,7 +770,8 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
+@@ -759,7 +771,8 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
#define STACK_TOP_MAX TASK_SIZE_MAX
#define INIT_THREAD { \
@@ -21118,7 +20992,7 @@ index 19577dd..f4acc54 100644
}
/*
-@@ -781,6 +794,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip,
+@@ -782,6 +795,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip,
*/
#define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
@@ -21129,7 +21003,7 @@ index 19577dd..f4acc54 100644
#define KSTK_EIP(task) (task_pt_regs(task)->ip)
/* Get/set a process' ability to use the timestamp counter instruction */
-@@ -826,7 +843,7 @@ static inline uint32_t hypervisor_cpuid_base(const char *sig, uint32_t leaves)
+@@ -827,7 +844,7 @@ static inline uint32_t hypervisor_cpuid_base(const char *sig, uint32_t leaves)
return 0;
}
@@ -21138,7 +21012,7 @@ index 19577dd..f4acc54 100644
extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
void default_idle(void);
-@@ -836,6 +853,6 @@ bool xen_set_default_idle(void);
+@@ -837,6 +854,6 @@ bool xen_set_default_idle(void);
#define xen_set_default_idle 0
#endif
@@ -24055,7 +23929,7 @@ index be4febc..f7af533 100644
return &cache_private_group;
diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
-index 9d014b82..8186c29 100644
+index 6b2c822..84c8d34 100644
--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -47,6 +47,7 @@
@@ -24134,7 +24008,7 @@ index 9d014b82..8186c29 100644
wait_for_panic();
if (!mca_cfg.monarch_timeout)
goto out;
-@@ -1654,7 +1654,7 @@ static void unexpected_machine_check(struct pt_regs *regs, long error_code)
+@@ -1665,7 +1665,7 @@ static void unexpected_machine_check(struct pt_regs *regs, long error_code)
}
/* Call the installed machine check handler for this CPU setup. */
@@ -24143,7 +24017,7 @@ index 9d014b82..8186c29 100644
unexpected_machine_check;
/*
-@@ -1683,7 +1683,9 @@ void mcheck_cpu_init(struct cpuinfo_x86 *c)
+@@ -1694,7 +1694,9 @@ void mcheck_cpu_init(struct cpuinfo_x86 *c)
return;
}
@@ -24153,7 +24027,7 @@ index 9d014b82..8186c29 100644
__mcheck_cpu_init_generic();
__mcheck_cpu_init_vendor(c);
-@@ -1714,7 +1716,7 @@ void mcheck_cpu_clear(struct cpuinfo_x86 *c)
+@@ -1725,7 +1727,7 @@ void mcheck_cpu_clear(struct cpuinfo_x86 *c)
*/
static DEFINE_SPINLOCK(mce_chrdev_state_lock);
@@ -24162,7 +24036,7 @@ index 9d014b82..8186c29 100644
static int mce_chrdev_open_exclu; /* already open exclusive? */
static int mce_chrdev_open(struct inode *inode, struct file *file)
-@@ -1722,7 +1724,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
+@@ -1733,7 +1735,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
spin_lock(&mce_chrdev_state_lock);
if (mce_chrdev_open_exclu ||
@@ -24171,7 +24045,7 @@ index 9d014b82..8186c29 100644
spin_unlock(&mce_chrdev_state_lock);
return -EBUSY;
-@@ -1730,7 +1732,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
+@@ -1741,7 +1743,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
if (file->f_flags & O_EXCL)
mce_chrdev_open_exclu = 1;
@@ -24180,7 +24054,7 @@ index 9d014b82..8186c29 100644
spin_unlock(&mce_chrdev_state_lock);
-@@ -1741,7 +1743,7 @@ static int mce_chrdev_release(struct inode *inode, struct file *file)
+@@ -1752,7 +1754,7 @@ static int mce_chrdev_release(struct inode *inode, struct file *file)
{
spin_lock(&mce_chrdev_state_lock);
@@ -24189,7 +24063,7 @@ index 9d014b82..8186c29 100644
mce_chrdev_open_exclu = 0;
spin_unlock(&mce_chrdev_state_lock);
-@@ -2421,7 +2423,7 @@ static __init void mce_init_banks(void)
+@@ -2432,7 +2434,7 @@ static __init void mce_init_banks(void)
for (i = 0; i < mca_cfg.banks; i++) {
struct mce_bank *b = &mce_banks[i];
@@ -24198,7 +24072,7 @@ index 9d014b82..8186c29 100644
sysfs_attr_init(&a->attr);
a->attr.name = b->attrname;
-@@ -2528,7 +2530,7 @@ struct dentry *mce_get_debugfs_dir(void)
+@@ -2539,7 +2541,7 @@ struct dentry *mce_get_debugfs_dir(void)
static void mce_reset(void)
{
cpu_missing = 0;
@@ -28439,7 +28313,7 @@ index 2f355d2..e75ed0a 100644
return ret;
diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
-index 02693dd..33a1546 100644
+index f660d63..564a120 100644
--- a/arch/x86/kernel/reboot.c
+++ b/arch/x86/kernel/reboot.c
@@ -70,6 +70,11 @@ static int __init set_bios_reboot(const struct dmi_system_id *d)
@@ -28494,7 +28368,7 @@ index 02693dd..33a1546 100644
/* Acer */
{ /* Handle reboot issue on Acer Aspire one */
-@@ -511,7 +538,7 @@ void __attribute__((weak)) mach_reboot_fixups(void)
+@@ -519,7 +546,7 @@ void __attribute__((weak)) mach_reboot_fixups(void)
* This means that this function can never return, it can misbehave
* by not rebooting properly and hanging.
*/
@@ -28503,7 +28377,7 @@ index 02693dd..33a1546 100644
{
int i;
int attempt = 0;
-@@ -631,13 +658,13 @@ void native_machine_shutdown(void)
+@@ -639,13 +666,13 @@ void native_machine_shutdown(void)
#endif
}
@@ -28519,7 +28393,7 @@ index 02693dd..33a1546 100644
{
pr_notice("machine restart\n");
-@@ -646,7 +673,7 @@ static void native_machine_restart(char *__unused)
+@@ -654,7 +681,7 @@ static void native_machine_restart(char *__unused)
__machine_emergency_restart(0);
}
@@ -28528,7 +28402,7 @@ index 02693dd..33a1546 100644
{
/* Stop other cpus and apics */
machine_shutdown();
-@@ -656,7 +683,7 @@ static void native_machine_halt(void)
+@@ -664,7 +691,7 @@ static void native_machine_halt(void)
stop_this_cpu(NULL);
}
@@ -28537,7 +28411,7 @@ index 02693dd..33a1546 100644
{
if (pm_power_off) {
if (!reboot_force)
-@@ -665,9 +692,10 @@ static void native_machine_power_off(void)
+@@ -673,9 +700,10 @@ static void native_machine_power_off(void)
}
/* A fallback in case there is no PM info available */
tboot_shutdown(TB_SHUTDOWN_HALT);
@@ -28733,7 +28607,7 @@ index e4fcb87..9c06c55 100644
* Up to this point, the boot CPU has been using .init.data
* area. Reload any changed state for the boot CPU.
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
-index da52e6b..8c18d64 100644
+index 7d2b2ed..6c92c5f 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -189,7 +189,7 @@ static unsigned long align_sigframe(unsigned long sp)
@@ -28826,7 +28700,7 @@ index 12c8286..aa65d13 100644
.smp_prepare_cpus = native_smp_prepare_cpus,
.smp_cpus_done = native_smp_cpus_done,
diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
-index 892ee2e5..be6b3f6 100644
+index fbabe4f..c686333 100644
--- a/arch/x86/kernel/smpboot.c
+++ b/arch/x86/kernel/smpboot.c
@@ -213,14 +213,17 @@ static void notrace start_secondary(void *unused)
@@ -28851,7 +28725,7 @@ index 892ee2e5..be6b3f6 100644
/*
* Check TSC synchronization with the BP:
*/
-@@ -809,16 +812,15 @@ void common_cpu_up(unsigned int cpu, struct task_struct *idle)
+@@ -810,16 +813,15 @@ void common_cpu_up(unsigned int cpu, struct task_struct *idle)
alternatives_enable_smp();
per_cpu(current_task, cpu) = idle;
@@ -28870,7 +28744,7 @@ index 892ee2e5..be6b3f6 100644
}
/*
-@@ -839,9 +841,11 @@ static int do_boot_cpu(int apicid, int cpu, struct task_struct *idle)
+@@ -840,9 +842,11 @@ static int do_boot_cpu(int apicid, int cpu, struct task_struct *idle)
unsigned long timeout;
idle->thread.sp = (unsigned long) (((struct pt_regs *)
@@ -28883,7 +28757,7 @@ index 892ee2e5..be6b3f6 100644
initial_code = (unsigned long)start_secondary;
stack_start = idle->thread.sp;
-@@ -989,6 +993,15 @@ int native_cpu_up(unsigned int cpu, struct task_struct *tidle)
+@@ -990,6 +994,15 @@ int native_cpu_up(unsigned int cpu, struct task_struct *tidle)
common_cpu_up(cpu, tidle);
@@ -30121,48 +29995,10 @@ index 736e6ab..b2e3094 100644
goto error;
walker->ptep_user[walker->level - 1] = ptep_user;
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index d7f8938..bc95a50 100644
+index 22d1813..bc95a50 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
-@@ -1108,6 +1108,7 @@ static void init_vmcb(struct vcpu_svm *svm)
- set_exception_intercept(svm, UD_VECTOR);
- set_exception_intercept(svm, MC_VECTOR);
- set_exception_intercept(svm, AC_VECTOR);
-+ set_exception_intercept(svm, DB_VECTOR);
-
- set_intercept(svm, INTERCEPT_INTR);
- set_intercept(svm, INTERCEPT_NMI);
-@@ -1642,20 +1643,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
- mark_dirty(svm->vmcb, VMCB_SEG);
- }
-
--static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
-+static void update_bp_intercept(struct kvm_vcpu *vcpu)
- {
- struct vcpu_svm *svm = to_svm(vcpu);
-
-- clr_exception_intercept(svm, DB_VECTOR);
- clr_exception_intercept(svm, BP_VECTOR);
-
-- if (svm->nmi_singlestep)
-- set_exception_intercept(svm, DB_VECTOR);
--
- if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
-- if (vcpu->guest_debug &
-- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
-- set_exception_intercept(svm, DB_VECTOR);
- if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
- set_exception_intercept(svm, BP_VECTOR);
- } else
-@@ -1761,7 +1755,6 @@ static int db_interception(struct vcpu_svm *svm)
- if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
- svm->vmcb->save.rflags &=
- ~(X86_EFLAGS_TF | X86_EFLAGS_RF);
-- update_db_bp_intercept(&svm->vcpu);
- }
-
- if (svm->vcpu.guest_debug &
-@@ -3595,7 +3588,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
+@@ -3588,7 +3588,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
int cpu = raw_smp_processor_id();
struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
@@ -30174,15 +30010,7 @@ index d7f8938..bc95a50 100644
load_TR_desc();
}
-@@ -3761,7 +3758,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
- */
- svm->nmi_singlestep = true;
- svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
-- update_db_bp_intercept(vcpu);
- }
-
- static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
-@@ -3991,6 +3987,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -3983,6 +3987,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
#endif
#endif
@@ -30193,7 +30021,7 @@ index d7f8938..bc95a50 100644
reload_tss(vcpu);
local_irq_disable();
-@@ -4364,7 +4364,7 @@ static void svm_sched_in(struct kvm_vcpu *vcpu, int cpu)
+@@ -4356,7 +4364,7 @@ static void svm_sched_in(struct kvm_vcpu *vcpu, int cpu)
{
}
@@ -30202,17 +30030,8 @@ index d7f8938..bc95a50 100644
.cpu_has_kvm_support = has_svm,
.disabled_by_bios = is_disabled,
.hardware_setup = svm_hardware_setup,
-@@ -4383,7 +4383,7 @@ static struct kvm_x86_ops svm_x86_ops = {
- .vcpu_load = svm_vcpu_load,
- .vcpu_put = svm_vcpu_put,
-
-- .update_db_bp_intercept = update_db_bp_intercept,
-+ .update_db_bp_intercept = update_bp_intercept,
- .get_msr = svm_get_msr,
- .set_msr = svm_set_msr,
- .get_segment_base = svm_get_segment_base,
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 343d369..95ade96 100644
+index 2e0bd48..c18c0bf 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -1440,12 +1440,12 @@ static void vmcs_write64(unsigned long field, u64 value)
@@ -30262,7 +30081,7 @@ index 343d369..95ade96 100644
{
u64 host_tsc, tsc_offset;
-@@ -4450,7 +4458,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
+@@ -4451,7 +4459,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
unsigned long cr4;
vmcs_writel(HOST_CR0, read_cr0() & ~X86_CR0_TS); /* 22.2.3 */
@@ -30273,7 +30092,7 @@ index 343d369..95ade96 100644
/* Save the most likely value for this task's CR4 in the VMCS. */
cr4 = cr4_read_shadow();
-@@ -4477,7 +4488,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
+@@ -4478,7 +4489,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
vmx->host_idt_base = dt.address;
@@ -30282,7 +30101,7 @@ index 343d369..95ade96 100644
rdmsr(MSR_IA32_SYSENTER_CS, low32, high32);
vmcs_write32(HOST_IA32_SYSENTER_CS, low32);
-@@ -6015,11 +6026,17 @@ static __init int hardware_setup(void)
+@@ -6016,11 +6027,17 @@ static __init int hardware_setup(void)
* page upon invalidation. No need to do anything if not
* using the APIC_ACCESS_ADDR VMCS field.
*/
@@ -30302,7 +30121,7 @@ index 343d369..95ade96 100644
if (enable_ept && !cpu_has_vmx_ept_2m_page())
kvm_disable_largepages();
-@@ -6030,6 +6047,7 @@ static __init int hardware_setup(void)
+@@ -6031,6 +6048,7 @@ static __init int hardware_setup(void)
if (!cpu_has_vmx_apicv())
enable_apicv = 0;
@@ -30310,7 +30129,7 @@ index 343d369..95ade96 100644
if (enable_apicv)
kvm_x86_ops->update_cr8_intercept = NULL;
else {
-@@ -6038,6 +6056,7 @@ static __init int hardware_setup(void)
+@@ -6039,6 +6057,7 @@ static __init int hardware_setup(void)
kvm_x86_ops->deliver_posted_interrupt = NULL;
kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy;
}
@@ -30318,7 +30137,7 @@ index 343d369..95ade96 100644
vmx_disable_intercept_for_msr(MSR_FS_BASE, false);
vmx_disable_intercept_for_msr(MSR_GS_BASE, false);
-@@ -6092,10 +6111,12 @@ static __init int hardware_setup(void)
+@@ -6093,10 +6112,12 @@ static __init int hardware_setup(void)
enable_pml = 0;
if (!enable_pml) {
@@ -30331,7 +30150,7 @@ index 343d369..95ade96 100644
}
return alloc_kvm_area();
-@@ -8351,6 +8372,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8352,6 +8373,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
"jmp 2f \n\t"
"1: " __ex(ASM_VMX_VMRESUME) "\n\t"
"2: "
@@ -30344,7 +30163,7 @@ index 343d369..95ade96 100644
/* Save guest registers, load host registers, keep flags */
"mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
"pop %0 \n\t"
-@@ -8403,6 +8430,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8404,6 +8431,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
#endif
[cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
[wordsize]"i"(sizeof(ulong))
@@ -30356,7 +30175,7 @@ index 343d369..95ade96 100644
: "cc", "memory"
#ifdef CONFIG_X86_64
, "rax", "rbx", "rdi", "rsi"
-@@ -8416,7 +8448,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8417,7 +8449,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
if (debugctlmsr)
update_debugctlmsr(debugctlmsr);
@@ -30365,7 +30184,7 @@ index 343d369..95ade96 100644
/*
* The sysexit path does not restore ds/es, so we must set them to
* a reasonable value ourselves.
-@@ -8425,8 +8457,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8426,8 +8458,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
* may be executed in interrupt context, which saves and restore segments
* around it, nullifying its effect.
*/
@@ -30386,7 +30205,7 @@ index 343d369..95ade96 100644
#endif
vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
-@@ -10280,7 +10322,7 @@ static void vmx_enable_log_dirty_pt_masked(struct kvm *kvm,
+@@ -10281,7 +10323,7 @@ static void vmx_enable_log_dirty_pt_masked(struct kvm *kvm,
kvm_mmu_clear_dirty_pt_masked(kvm, memslot, offset, mask);
}
@@ -30396,7 +30215,7 @@ index 343d369..95ade96 100644
.disabled_by_bios = vmx_disabled_by_bios,
.hardware_setup = hardware_setup,
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 43609af..f8b7b2c 100644
+index 37bbbf8..4a8338d 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1828,8 +1828,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
@@ -30455,7 +30274,7 @@ index 43609af..f8b7b2c 100644
guest_xsave->region, sizeof(struct fxregs_state));
}
return 0;
-@@ -6214,6 +6216,7 @@ void kvm_arch_mmu_notifier_invalidate_page(struct kvm *kvm,
+@@ -6215,6 +6217,7 @@ void kvm_arch_mmu_notifier_invalidate_page(struct kvm *kvm,
* exiting to the userspace. Otherwise, the value will be returned to the
* userspace.
*/
@@ -30463,7 +30282,7 @@ index 43609af..f8b7b2c 100644
static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
{
int r;
-@@ -6437,6 +6440,7 @@ out:
+@@ -6438,6 +6441,7 @@ out:
return r;
}
@@ -30471,7 +30290,7 @@ index 43609af..f8b7b2c 100644
static inline int vcpu_block(struct kvm *kvm, struct kvm_vcpu *vcpu)
{
if (!kvm_arch_vcpu_runnable(vcpu)) {
-@@ -6976,7 +6980,7 @@ int kvm_arch_vcpu_ioctl_translate(struct kvm_vcpu *vcpu,
+@@ -6977,7 +6981,7 @@ int kvm_arch_vcpu_ioctl_translate(struct kvm_vcpu *vcpu,
int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
{
struct fxregs_state *fxsave =
@@ -30480,7 +30299,7 @@ index 43609af..f8b7b2c 100644
memcpy(fpu->fpr, fxsave->st_space, 128);
fpu->fcw = fxsave->cwd;
-@@ -6993,7 +6997,7 @@ int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
+@@ -6994,7 +6998,7 @@ int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
{
struct fxregs_state *fxsave =
@@ -30489,7 +30308,7 @@ index 43609af..f8b7b2c 100644
memcpy(fxsave->st_space, fpu->fpr, 128);
fxsave->cwd = fpu->fcw;
-@@ -7009,9 +7013,9 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
+@@ -7010,9 +7014,9 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
static void fx_init(struct kvm_vcpu *vcpu)
{
@@ -30501,7 +30320,7 @@ index 43609af..f8b7b2c 100644
host_xcr0 | XSTATE_COMPACTION_ENABLED;
/*
-@@ -7035,7 +7039,7 @@ void kvm_load_guest_fpu(struct kvm_vcpu *vcpu)
+@@ -7036,7 +7040,7 @@ void kvm_load_guest_fpu(struct kvm_vcpu *vcpu)
kvm_put_guest_xcr0(vcpu);
vcpu->guest_fpu_loaded = 1;
__kernel_fpu_begin();
@@ -30510,7 +30329,7 @@ index 43609af..f8b7b2c 100644
trace_kvm_fpu(1);
}
-@@ -7324,6 +7328,8 @@ bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu)
+@@ -7325,6 +7329,8 @@ bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu)
struct static_key kvm_no_apic_vcpu __read_mostly;
@@ -30519,7 +30338,7 @@ index 43609af..f8b7b2c 100644
int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
{
struct page *page;
-@@ -7340,11 +7346,14 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
+@@ -7341,11 +7347,14 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
else
vcpu->arch.mp_state = KVM_MP_STATE_UNINITIALIZED;
@@ -30538,7 +30357,7 @@ index 43609af..f8b7b2c 100644
vcpu->arch.pio_data = page_address(page);
kvm_set_tsc_khz(vcpu, max_tsc_khz);
-@@ -7398,6 +7407,9 @@ fail_mmu_destroy:
+@@ -7399,6 +7408,9 @@ fail_mmu_destroy:
kvm_mmu_destroy(vcpu);
fail_free_pio_data:
free_page((unsigned long)vcpu->arch.pio_data);
@@ -30548,7 +30367,7 @@ index 43609af..f8b7b2c 100644
fail:
return r;
}
-@@ -7415,6 +7427,8 @@ void kvm_arch_vcpu_uninit(struct kvm_vcpu *vcpu)
+@@ -7416,6 +7428,8 @@ void kvm_arch_vcpu_uninit(struct kvm_vcpu *vcpu)
free_page((unsigned long)vcpu->arch.pio_data);
if (!irqchip_in_kernel(vcpu->kvm))
static_key_slow_dec(&kvm_no_apic_vcpu);
@@ -30558,7 +30377,7 @@ index 43609af..f8b7b2c 100644
void kvm_arch_sched_in(struct kvm_vcpu *vcpu, int cpu)
diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c
-index a0d09f6..92ede76 100644
+index a43b2ea..e64e453 100644
--- a/arch/x86/lguest/boot.c
+++ b/arch/x86/lguest/boot.c
@@ -1336,9 +1336,10 @@ static __init int early_put_chars(u32 vtermno, const char *buf, int count)
@@ -34975,7 +34794,7 @@ index 0057a7acc..95c7edd 100644
might_sleep();
if (is_enabled()) /* recheck and proper locking in *_core() */
diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c
-index 71fc79a..3dd1f49 100644
+index 78e47ff..17c3093 100644
--- a/arch/x86/mm/mpx.c
+++ b/arch/x86/mm/mpx.c
@@ -193,7 +193,7 @@ static int mpx_insn_decode(struct insn *insn,
@@ -35673,7 +35492,7 @@ index 90555bf..f5f1828 100644
}
diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
-index 8ddb5d0..6f70318 100644
+index 8f4cc3d..7143a15 100644
--- a/arch/x86/mm/tlb.c
+++ b/arch/x86/mm/tlb.c
@@ -45,7 +45,11 @@ void leave_mm(int cpu)
@@ -37148,7 +36967,7 @@ index c7b15f3..cc09a65 100644
This is the Linux Xen port. Enabling this will allow the
kernel to boot in a paravirtualized environment under the
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index 993b7a7..59dec9a 100644
+index aeb385d..ff5dc9e 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -130,8 +130,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
@@ -37245,7 +37064,7 @@ index 993b7a7..59dec9a 100644
pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry;
pv_cpu_ops.load_gdt = xen_load_gdt;
-@@ -1567,7 +1566,17 @@ asmlinkage __visible void __init xen_start_kernel(void)
+@@ -1569,7 +1568,17 @@ asmlinkage __visible void __init xen_start_kernel(void)
__userpte_alloc_gfp &= ~__GFP_HIGHMEM;
/* Work out if we support NX */
@@ -37264,7 +37083,7 @@ index 993b7a7..59dec9a 100644
/* Get mfn list */
xen_build_dynamic_phys_to_machine();
-@@ -1595,13 +1604,6 @@ asmlinkage __visible void __init xen_start_kernel(void)
+@@ -1597,13 +1606,6 @@ asmlinkage __visible void __init xen_start_kernel(void)
machine_ops = xen_machine_ops;
@@ -40596,7 +40415,7 @@ index e3536da..b1617f0 100644
intf->proc_dir = NULL;
diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c
-index 654f6f3..b36fbf4 100644
+index 54bccf7..f7a4fa9 100644
--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -300,7 +300,7 @@ struct smi_info {
@@ -40620,26 +40439,7 @@ index 654f6f3..b36fbf4 100644
#define SI_MAX_PARMS 4
-@@ -1208,14 +1208,14 @@ static int smi_start_processing(void *send_info,
-
- new_smi->intf = intf;
-
-- /* Try to claim any interrupts. */
-- if (new_smi->irq_setup)
-- new_smi->irq_setup(new_smi);
--
- /* Set up the timer that drives the interface. */
- setup_timer(&new_smi->si_timer, smi_timeout, (long)new_smi);
- smi_mod_timer(new_smi, jiffies + SI_TIMEOUT_JIFFIES);
-
-+ /* Try to claim any interrupts. */
-+ if (new_smi->irq_setup)
-+ new_smi->irq_setup(new_smi);
-+
- /*
- * Check if the user forcefully enabled the daemon.
- */
-@@ -3598,7 +3598,7 @@ static int try_smi_init(struct smi_info *new_smi)
+@@ -3613,7 +3613,7 @@ static int try_smi_init(struct smi_info *new_smi)
atomic_set(&new_smi->req_events, 0);
new_smi->run_to_completion = false;
for (i = 0; i < SI_NUM_STATS; i++)
@@ -41183,40 +40983,6 @@ index b5bcd77..0f7bd99 100644
return 0;
}
-diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
-index 30f5228..c19e7fc 100644
---- a/drivers/connector/connector.c
-+++ b/drivers/connector/connector.c
-@@ -178,26 +178,21 @@ static int cn_call_callback(struct sk_buff *skb)
- *
- * It checks skb, netlink header and msg sizes, and calls callback helper.
- */
--static void cn_rx_skb(struct sk_buff *__skb)
-+static void cn_rx_skb(struct sk_buff *skb)
- {
- struct nlmsghdr *nlh;
-- struct sk_buff *skb;
- int len, err;
-
-- skb = skb_get(__skb);
--
- if (skb->len >= NLMSG_HDRLEN) {
- nlh = nlmsg_hdr(skb);
- len = nlmsg_len(nlh);
-
- if (len < (int)sizeof(struct cn_msg) ||
- skb->len < nlh->nlmsg_len ||
-- len > CONNECTOR_MAX_MSG_SIZE) {
-- kfree_skb(skb);
-+ len > CONNECTOR_MAX_MSG_SIZE)
- return;
-- }
-
-- err = cn_call_callback(skb);
-+ err = cn_call_callback(skb_get(skb));
- if (err < 0)
- kfree_skb(skb);
- }
diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c
index cec1ee2..d8e33a0 100644
--- a/drivers/cpufreq/acpi-cpufreq.c
@@ -45350,7 +45116,7 @@ index 2106066..e759b59 100644
/* copy over all the bus versions */
if (dev->bus && dev->bus->pm) {
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index 70a11ac..9852312 100644
+index c0fbf4e..865f19d 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2575,7 +2575,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
@@ -46993,10 +46759,10 @@ index 532e2a2..a60aa73 100644
CMD_SET_TYPE(cmd, CMD_COMPL_WAIT);
}
diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c
-index 286e890..c2220cc 100644
+index ef78620..5b5d477 100644
--- a/drivers/iommu/arm-smmu-v3.c
+++ b/drivers/iommu/arm-smmu-v3.c
-@@ -1516,7 +1516,7 @@ static int arm_smmu_domain_finalise(struct iommu_domain *domain)
+@@ -1517,7 +1517,7 @@ static int arm_smmu_domain_finalise(struct iommu_domain *domain)
.iommu_dev = smmu->dev,
};
@@ -49283,18 +49049,6 @@ index 641ad8f..02eacb9 100644
select DVB_LNBP21 if MEDIA_SUBDRV_AUTOSELECT
select DVB_STV090x if MEDIA_SUBDRV_AUTOSELECT
select DVB_STB6100 if MEDIA_SUBDRV_AUTOSELECT
-diff --git a/drivers/media/platform/vivid/vivid-osd.c b/drivers/media/platform/vivid/vivid-osd.c
-index 084d346..e15eef6 100644
---- a/drivers/media/platform/vivid/vivid-osd.c
-+++ b/drivers/media/platform/vivid/vivid-osd.c
-@@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg)
- case FBIOGET_VBLANK: {
- struct fb_vblank vblank;
-
-+ memset(&vblank, 0, sizeof(vblank));
- vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT |
- FB_VBLANK_HAVE_VSYNC;
- vblank.count = 0;
diff --git a/drivers/media/radio/radio-cadet.c b/drivers/media/radio/radio-cadet.c
index 82affae..42833ec 100644
--- a/drivers/media/radio/radio-cadet.c
@@ -52173,7 +51927,7 @@ index 4421bf54..c07afb0 100644
netdev_tx_completed_queue(ring->tx_queue, packets, bytes);
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
-index 443632d..7b43236 100644
+index 394744b..de2161e 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -2025,8 +2025,11 @@ static void mlx5e_build_netdev(struct net_device *netdev)
@@ -52631,10 +52385,10 @@ index f761288..a1024be 100644
r = get_phy_id(bus, addr, &phy_id, is_c45, &c45_ids);
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
-index ed00446..943fe2c 100644
+index 9a863c6..8e2d8c9 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
-@@ -1047,7 +1047,6 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+@@ -1045,7 +1045,6 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
struct ppp_stats stats;
struct ppp_comp_stats cstats;
@@ -52642,7 +52396,7 @@ index ed00446..943fe2c 100644
switch (cmd) {
case SIOCGPPPSTATS:
-@@ -1069,8 +1068,7 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+@@ -1067,8 +1066,7 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
break;
case SIOCGPPPVER:
@@ -52733,20 +52487,10 @@ index b910cae..f55670b 100644
end:
release_sock(sk);
diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
-index 079f7ad..7e59810 100644
+index 27ed252..80cffde 100644
--- a/drivers/net/slip/slhc.c
+++ b/drivers/net/slip/slhc.c
-@@ -94,6 +94,9 @@ slhc_init(int rslots, int tslots)
- register struct cstate *ts;
- struct slcompress *comp;
-
-+ if (rslots <= 0 || tslots <= 0 || rslots >= 256 || tslots >= 256)
-+ goto out_fail;
-+
- comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL);
- if (! comp)
- goto out_fail;
-@@ -487,7 +490,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
+@@ -491,7 +491,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
register struct tcphdr *thp;
register struct iphdr *ip;
register struct cstate *cs;
@@ -52756,7 +52500,7 @@ index 079f7ad..7e59810 100644
/* We've got a compressed packet; read the change byte */
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
-index 651d35e..4249181 100644
+index 59fefca..b1422b1 100644
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -2107,7 +2107,7 @@ static unsigned int team_get_num_rx_queues(void)
@@ -52976,10 +52720,10 @@ index 374feba..01ba30e 100644
.priv_size = sizeof(struct net_vrf),
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
-index c1587ec..dcd13ca 100644
+index 40b5f8a..f934a2f 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
-@@ -3037,7 +3037,7 @@ static struct net *vxlan_get_link_net(const struct net_device *dev)
+@@ -3043,7 +3043,7 @@ static struct net *vxlan_get_link_net(const struct net_device *dev)
return vxlan->net;
}
@@ -52988,7 +52732,7 @@ index c1587ec..dcd13ca 100644
.kind = "vxlan",
.maxtype = IFLA_VXLAN_MAX,
.policy = vxlan_policy,
-@@ -3085,7 +3085,7 @@ static int vxlan_lowerdev_event(struct notifier_block *unused,
+@@ -3091,7 +3091,7 @@ static int vxlan_lowerdev_event(struct notifier_block *unused,
return NOTIFY_DONE;
}
@@ -59213,7 +58957,7 @@ index 4d64e5c4..e21932a 100644
wake_up(&usb_kill_urb_queue);
usb_put_urb(urb);
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index 522f766..6ddc50b 100644
+index 6208433..fe57c7f 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -26,6 +26,7 @@
@@ -59224,7 +58968,7 @@ index 522f766..6ddc50b 100644
#include <asm/uaccess.h>
#include <asm/byteorder.h>
-@@ -4665,6 +4666,10 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+@@ -4702,6 +4703,10 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
goto done;
return;
}
@@ -59236,7 +58980,7 @@ index 522f766..6ddc50b 100644
unit_load = 150;
else
diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
-index cfc68c1..38f943f 100644
+index c54fd8b..6e9f011 100644
--- a/drivers/usb/core/sysfs.c
+++ b/drivers/usb/core/sysfs.c
@@ -244,7 +244,7 @@ static ssize_t urbnum_show(struct device *dev, struct device_attribute *attr,
@@ -59593,10 +59337,10 @@ index c47d3e4..35bcc1e 100644
/* Device for a quirk */
#define PCI_VENDOR_ID_FRESCO_LOGIC 0x1b73
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
-index 385f9f5..fe0610e 100644
+index e40c300..7eb36da 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
-@@ -4843,7 +4843,7 @@ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks)
+@@ -4851,7 +4851,7 @@ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks)
int retval;
/* Accept arbitrarily long scatter-gather lists */
@@ -100260,36 +100004,6 @@ index 674e3e2..f68af19 100644
void do_close_on_exec(struct files_struct *);
int iterate_fd(struct files_struct *, unsigned,
int (*)(const void *, struct file *, unsigned),
-diff --git a/include/linux/filter.h b/include/linux/filter.h
-index fa2cab9..d42a5b8 100644
---- a/include/linux/filter.h
-+++ b/include/linux/filter.h
-@@ -459,6 +459,25 @@ static inline void bpf_jit_free(struct bpf_prog *fp)
-
- #define BPF_ANC BIT(15)
-
-+static inline bool bpf_needs_clear_a(const struct sock_filter *first)
-+{
-+ switch (first->code) {
-+ case BPF_RET | BPF_K:
-+ case BPF_LD | BPF_W | BPF_LEN:
-+ return false;
-+
-+ case BPF_LD | BPF_W | BPF_ABS:
-+ case BPF_LD | BPF_H | BPF_ABS:
-+ case BPF_LD | BPF_B | BPF_ABS:
-+ if (first->k == SKF_AD_OFF + SKF_AD_ALU_XOR_X)
-+ return true;
-+ return false;
-+
-+ default:
-+ return true;
-+ }
-+}
-+
- static inline u16 bpf_anc_helper(const struct sock_filter *ftest)
- {
- BUG_ON(ftest->code & BPF_ANC);
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 72d8a84..d67bd25 100644
--- a/include/linux/fs.h
@@ -104183,7 +103897,7 @@ index 556ec1e..38c19c9 100644
/*
diff --git a/include/linux/sched.h b/include/linux/sched.h
-index b7b9501..f1e65cf 100644
+index f477e87..f1e65cf 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -7,7 +7,7 @@
@@ -104250,11 +103964,10 @@ index b7b9501..f1e65cf 100644
/*
* Bits in flags field of signal_struct.
-@@ -830,12 +855,22 @@ struct user_struct {
- unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */
+@@ -831,12 +856,21 @@ struct user_struct {
#endif
unsigned long locked_shm; /* How many pages of mlocked shm ? */
-+ unsigned long unix_inflight; /* How many files in flight in unix sockets */
+ unsigned long unix_inflight; /* How many files in flight in unix sockets */
+ atomic_long_t pipe_bufs; /* how many pages are allocated in pipe buffers */
#ifdef CONFIG_KEYS
@@ -104273,7 +103986,7 @@ index b7b9501..f1e65cf 100644
/* Hash table maintenance information */
struct hlist_node uidhash_node;
kuid_t uid;
-@@ -843,7 +878,7 @@ struct user_struct {
+@@ -844,7 +878,7 @@ struct user_struct {
#ifdef CONFIG_PERF_EVENTS
atomic_long_t locked_vm;
#endif
@@ -104282,7 +103995,7 @@ index b7b9501..f1e65cf 100644
extern int uids_sysfs_init(void);
-@@ -1378,6 +1413,9 @@ struct tlbflush_unmap_batch {
+@@ -1379,6 +1413,9 @@ struct tlbflush_unmap_batch {
struct task_struct {
volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
void *stack;
@@ -104292,7 +104005,7 @@ index b7b9501..f1e65cf 100644
atomic_t usage;
unsigned int flags; /* per process flags, defined below */
unsigned int ptrace;
-@@ -1510,8 +1548,8 @@ struct task_struct {
+@@ -1511,8 +1548,8 @@ struct task_struct {
struct list_head thread_node;
struct completion *vfork_done; /* for vfork() */
@@ -104303,7 +104016,7 @@ index b7b9501..f1e65cf 100644
cputime_t utime, stime, utimescaled, stimescaled;
cputime_t gtime;
-@@ -1534,11 +1572,6 @@ struct task_struct {
+@@ -1535,11 +1572,6 @@ struct task_struct {
struct task_cputime cputime_expires;
struct list_head cpu_timers[3];
@@ -104315,7 +104028,7 @@ index b7b9501..f1e65cf 100644
char comm[TASK_COMM_LEN]; /* executable name excluding path
- access with [gs]et_task_comm (which lock
it with task_lock())
-@@ -1554,6 +1587,8 @@ struct task_struct {
+@@ -1555,6 +1587,8 @@ struct task_struct {
/* hung task detection */
unsigned long last_switch_count;
#endif
@@ -104324,7 +104037,7 @@ index b7b9501..f1e65cf 100644
/* filesystem information */
struct fs_struct *fs;
/* open file information */
-@@ -1630,6 +1665,10 @@ struct task_struct {
+@@ -1631,6 +1665,10 @@ struct task_struct {
gfp_t lockdep_reclaim_gfp;
#endif
@@ -104335,7 +104048,7 @@ index b7b9501..f1e65cf 100644
/* journalling filesystem info */
void *journal_info;
-@@ -1668,6 +1707,10 @@ struct task_struct {
+@@ -1669,6 +1707,10 @@ struct task_struct {
/* cg_list protected by css_set_lock and tsk->alloc_lock */
struct list_head cg_list;
#endif
@@ -104346,7 +104059,7 @@ index b7b9501..f1e65cf 100644
#ifdef CONFIG_FUTEX
struct robust_list_head __user *robust_list;
#ifdef CONFIG_COMPAT
-@@ -1783,7 +1826,7 @@ struct task_struct {
+@@ -1784,7 +1826,7 @@ struct task_struct {
* Number of functions that haven't been traced
* because of depth overrun.
*/
@@ -104355,7 +104068,7 @@ index b7b9501..f1e65cf 100644
/* Pause for the tracing */
atomic_t tracing_graph_pause;
#endif
-@@ -1812,22 +1855,89 @@ struct task_struct {
+@@ -1813,22 +1855,89 @@ struct task_struct {
unsigned long task_state_change;
#endif
int pagefault_disabled;
@@ -104455,7 +104168,7 @@ index b7b9501..f1e65cf 100644
/* Future-safe accessor for struct task_struct's cpus_allowed. */
#define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
-@@ -1909,7 +2019,7 @@ struct pid_namespace;
+@@ -1910,7 +2019,7 @@ struct pid_namespace;
pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type,
struct pid_namespace *ns);
@@ -104464,7 +104177,7 @@ index b7b9501..f1e65cf 100644
{
return tsk->pid;
}
-@@ -2270,6 +2380,25 @@ extern u64 sched_clock_cpu(int cpu);
+@@ -2271,6 +2380,25 @@ extern u64 sched_clock_cpu(int cpu);
extern void sched_clock_init(void);
@@ -104490,7 +104203,7 @@ index b7b9501..f1e65cf 100644
#ifndef CONFIG_HAVE_UNSTABLE_SCHED_CLOCK
static inline void sched_clock_tick(void)
{
-@@ -2398,7 +2527,9 @@ extern void set_curr_task(int cpu, struct task_struct *p);
+@@ -2399,7 +2527,9 @@ extern void set_curr_task(int cpu, struct task_struct *p);
void yield(void);
union thread_union {
@@ -104500,7 +104213,7 @@ index b7b9501..f1e65cf 100644
unsigned long stack[THREAD_SIZE/sizeof(long)];
};
-@@ -2431,6 +2562,7 @@ extern struct pid_namespace init_pid_ns;
+@@ -2432,6 +2562,7 @@ extern struct pid_namespace init_pid_ns;
*/
extern struct task_struct *find_task_by_vpid(pid_t nr);
@@ -104508,7 +104221,7 @@ index b7b9501..f1e65cf 100644
extern struct task_struct *find_task_by_pid_ns(pid_t nr,
struct pid_namespace *ns);
-@@ -2462,7 +2594,7 @@ extern void proc_caches_init(void);
+@@ -2463,7 +2594,7 @@ extern void proc_caches_init(void);
extern void flush_signals(struct task_struct *);
extern void ignore_signals(struct task_struct *);
extern void flush_signal_handlers(struct task_struct *, int force_default);
@@ -104517,7 +104230,7 @@ index b7b9501..f1e65cf 100644
static inline int dequeue_signal_lock(struct task_struct *tsk, sigset_t *mask, siginfo_t *info)
{
-@@ -2608,7 +2740,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
+@@ -2609,7 +2740,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
extern void exit_itimers(struct signal_struct *);
extern void flush_itimer_signals(void);
@@ -104526,7 +104239,7 @@ index b7b9501..f1e65cf 100644
extern int do_execve(struct filename *,
const char __user * const __user *,
-@@ -2723,11 +2855,13 @@ static inline int thread_group_empty(struct task_struct *p)
+@@ -2724,11 +2855,13 @@ static inline int thread_group_empty(struct task_struct *p)
* It must not be nested with write_lock_irq(&tasklist_lock),
* neither inside nor outside.
*/
@@ -104540,7 +104253,7 @@ index b7b9501..f1e65cf 100644
static inline void task_unlock(struct task_struct *p)
{
spin_unlock(&p->alloc_lock);
-@@ -2813,9 +2947,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
+@@ -2814,9 +2947,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
#define task_stack_end_corrupted(task) \
(*(end_of_stack(task)) != STACK_END_MAGIC)
@@ -104763,7 +104476,7 @@ index ab1e039..ad4229e 100644
static inline void disallow_signal(int sig)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
-index 4398411..4856c34 100644
+index 23ce309..861c28f 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -799,7 +799,7 @@ struct sk_buff *__alloc_skb(unsigned int size, gfp_t priority, int flags,
@@ -105274,7 +104987,7 @@ index e7a018e..49f8b17 100644
extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page,
unsigned long offset, size_t size,
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
-index a460e2e..de02ef1 100644
+index 42c36bb..ac90c15 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -102,7 +102,12 @@ union bpf_attr;
@@ -105571,7 +105284,7 @@ index 00c9d68..bc0188b 100644
struct tty_ldisc {
diff --git a/include/linux/types.h b/include/linux/types.h
-index c314989..4e6e3a4 100644
+index 89f63da..66ab9c0 100644
--- a/include/linux/types.h
+++ b/include/linux/types.h
@@ -176,10 +176,26 @@ typedef struct {
@@ -105699,7 +105412,7 @@ index 99c1b4d..562e6f3 100644
static inline void put_unaligned_le16(u16 val, void *p)
diff --git a/include/linux/usb.h b/include/linux/usb.h
-index 447fe29..07a9cf0 100644
+index 4aec211..0181378 100644
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -363,7 +363,7 @@ struct usb_bus {
@@ -105711,7 +105424,7 @@ index 447fe29..07a9cf0 100644
int devnum_next; /* Next open device number in
* round-robin allocation */
-@@ -592,7 +592,7 @@ struct usb_device {
+@@ -596,7 +596,7 @@ struct usb_device {
int maxchild;
u32 quirks;
@@ -105720,7 +105433,7 @@ index 447fe29..07a9cf0 100644
unsigned long active_duration;
-@@ -1785,10 +1785,10 @@ void usb_sg_wait(struct usb_sg_request *io);
+@@ -1789,10 +1789,10 @@ void usb_sg_wait(struct usb_sg_request *io);
/* NOTE: these are not the standard USB_ENDPOINT_XFER_* values!! */
/* (yet ... they're the values used by usbfs) */
@@ -108404,27 +108117,6 @@ index 35bac8e..8de1d69 100644
if (!access_ok(VERIFY_READ, uattr, 1))
return -EFAULT;
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index b074b23..36c6efe 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -1058,6 +1058,16 @@ static int check_alu_op(struct reg_state *regs, struct bpf_insn *insn)
- return -EINVAL;
- }
-
-+ if ((opcode == BPF_LSH || opcode == BPF_RSH ||
-+ opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {
-+ int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;
-+
-+ if (insn->imm < 0 || insn->imm >= size) {
-+ verbose("invalid shift %d\n", insn->imm);
-+ return -EINVAL;
-+ }
-+ }
-+
- /* pattern match 'bpf_add Rx, imm' instruction */
- if (opcode == BPF_ADD && BPF_CLASS(insn->code) == BPF_ALU64 &&
- regs[insn->dst_reg].type == FRAME_PTR &&
diff --git a/kernel/capability.c b/kernel/capability.c
index 45432b5..988f1e4 100644
--- a/kernel/capability.c
@@ -114066,10 +113758,10 @@ index 44d2cc0..337ccab 100644
write_seqcount_begin(&tk_core.seq);
diff --git a/kernel/time/timer.c b/kernel/time/timer.c
-index 84190f0..6f4ccad 100644
+index 101240b..f2822a4 100644
--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
-@@ -1406,7 +1406,7 @@ void update_process_times(int user_tick)
+@@ -1422,7 +1422,7 @@ void update_process_times(int user_tick)
/*
* This function runs timers and the timer-tq in bottom half context.
*/
@@ -117229,7 +116921,7 @@ index 842ecd7..c8f2fc5 100644
err = -EPERM;
goto out;
diff --git a/mm/mlock.c b/mm/mlock.c
-index 25936680..d0eff96 100644
+index 25936680..1770c1d 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -14,6 +14,7 @@
@@ -117271,15 +116963,18 @@ index 25936680..d0eff96 100644
/* Here we know that vma->vm_start <= nstart < vma->vm_end. */
newflags = vma->vm_flags & ~VM_LOCKED;
-@@ -628,6 +637,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, start, size_t, len)
+@@ -628,6 +637,10 @@ SYSCALL_DEFINE2(mlock, unsigned long, start, size_t, len)
locked += current->mm->locked_vm;
/* check against resource limits */
-+ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
++ if (locked > (ULONG_MAX >> PAGE_SHIFT))
++ gr_learn_resource(current, RLIMIT_MEMLOCK, ULONG_MAX, 1);
++ else
++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
error = do_mlock(start, len, 1);
-@@ -669,6 +679,11 @@ static int do_mlockall(int flags)
+@@ -669,6 +682,11 @@ static int do_mlockall(int flags)
for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
vm_flags_t newflags;
@@ -117291,15 +116986,17 @@ index 25936680..d0eff96 100644
newflags = vma->vm_flags & ~VM_LOCKED;
if (flags & MCL_CURRENT)
newflags |= VM_LOCKED;
-@@ -700,8 +715,10 @@ SYSCALL_DEFINE1(mlockall, int, flags)
+@@ -700,8 +718,12 @@ SYSCALL_DEFINE1(mlockall, int, flags)
lock_limit >>= PAGE_SHIFT;
ret = -ENOMEM;
-+
-+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
-+
- down_write(&current->mm->mmap_sem);
--
+- down_write(&current->mm->mmap_sem);
+
++ down_write(&current->mm->mmap_sem);
++ if (current->mm->total_vm > (ULONG_MAX >> PAGE_SHIFT))
++ gr_learn_resource(current, RLIMIT_MEMLOCK, ULONG_MAX, 1);
++ else
++ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
capable(CAP_IPC_LOCK))
ret = do_mlockall(flags);
@@ -117317,7 +117014,7 @@ index fdadf91..5f527d1 100644
.priority = IPC_CALLBACK_PRI, /* use lowest priority */
};
diff --git a/mm/mmap.c b/mm/mmap.c
-index 79bcc9f..481e0f5c 100644
+index 79bcc9f..ee68a7e 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -42,6 +42,7 @@
@@ -117547,15 +117244,18 @@ index 79bcc9f..481e0f5c 100644
mm->stack_vm += pages;
}
#endif /* CONFIG_PROC_FS */
-@@ -1251,6 +1340,7 @@ static inline int mlock_future_check(struct mm_struct *mm,
+@@ -1251,6 +1340,10 @@ static inline int mlock_future_check(struct mm_struct *mm,
locked += mm->locked_vm;
lock_limit = rlimit(RLIMIT_MEMLOCK);
lock_limit >>= PAGE_SHIFT;
-+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
++ if (locked > (ULONG_MAX >> PAGE_SHIFT))
++ gr_learn_resource(current, RLIMIT_MEMLOCK, ULONG_MAX, 1);
++ else
++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
if (locked > lock_limit && !capable(CAP_IPC_LOCK))
return -EAGAIN;
}
-@@ -1278,7 +1368,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
+@@ -1278,7 +1371,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
* (the exception is when the underlying filesystem is noexec
* mounted, in which case we dont add PROT_EXEC.)
*/
@@ -117564,7 +117264,7 @@ index 79bcc9f..481e0f5c 100644
if (!(file && path_noexec(&file->f_path)))
prot |= PROT_EXEC;
-@@ -1301,7 +1391,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
+@@ -1301,7 +1394,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
/* Obtain the address to map to. we verify (or select) it and ensure
* that it represents a valid section of the address space.
*/
@@ -117573,7 +117273,7 @@ index 79bcc9f..481e0f5c 100644
if (addr & ~PAGE_MASK)
return addr;
-@@ -1312,6 +1402,43 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
+@@ -1312,6 +1405,43 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
vm_flags |= calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
@@ -117617,7 +117317,7 @@ index 79bcc9f..481e0f5c 100644
if (flags & MAP_LOCKED)
if (!can_do_mlock())
return -EPERM;
-@@ -1399,6 +1526,9 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
+@@ -1399,6 +1529,9 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
vm_flags |= VM_NORESERVE;
}
@@ -117627,7 +117327,7 @@ index 79bcc9f..481e0f5c 100644
addr = mmap_region(file, addr, len, vm_flags, pgoff);
if (!IS_ERR_VALUE(addr) &&
((vm_flags & VM_LOCKED) ||
-@@ -1493,7 +1623,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma)
+@@ -1493,7 +1626,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma)
const struct vm_operations_struct *vm_ops = vma->vm_ops;
/* If it was private or non-writable, the write bit is already clear */
@@ -117636,7 +117336,7 @@ index 79bcc9f..481e0f5c 100644
return 0;
/* The backer wishes to know when pages are first written to? */
-@@ -1544,7 +1674,22 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
+@@ -1544,7 +1677,22 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
struct rb_node **rb_link, *rb_parent;
unsigned long charged = 0;
@@ -117659,7 +117359,7 @@ index 79bcc9f..481e0f5c 100644
if (!may_expand_vm(mm, len >> PAGE_SHIFT)) {
unsigned long nr_pages;
-@@ -1567,6 +1712,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
+@@ -1567,6 +1715,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
&rb_parent)) {
if (do_munmap(mm, addr, len))
return -ENOMEM;
@@ -117667,7 +117367,7 @@ index 79bcc9f..481e0f5c 100644
}
/*
-@@ -1598,6 +1744,16 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
+@@ -1598,6 +1747,16 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
goto unacct_error;
}
@@ -117684,7 +117384,7 @@ index 79bcc9f..481e0f5c 100644
vma->vm_mm = mm;
vma->vm_start = addr;
vma->vm_end = addr + len;
-@@ -1628,6 +1784,13 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
+@@ -1628,6 +1787,13 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
if (error)
goto unmap_and_free_vma;
@@ -117698,7 +117398,7 @@ index 79bcc9f..481e0f5c 100644
/* Can addr have changed??
*
* Answer: Yes, several device drivers can do it in their
-@@ -1646,6 +1809,12 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
+@@ -1646,6 +1812,12 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
}
vma_link(mm, vma, prev, rb_link, rb_parent);
@@ -117711,7 +117411,7 @@ index 79bcc9f..481e0f5c 100644
/* Once vma denies write, undo our temporary denial count */
if (file) {
if (vm_flags & VM_SHARED)
-@@ -1658,6 +1827,7 @@ out:
+@@ -1658,6 +1830,7 @@ out:
perf_event_mmap(vma);
vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
@@ -117719,7 +117419,7 @@ index 79bcc9f..481e0f5c 100644
if (vm_flags & VM_LOCKED) {
if (!((vm_flags & VM_SPECIAL) || is_vm_hugetlb_page(vma) ||
vma == get_gate_vma(current->mm)))
-@@ -1695,6 +1865,12 @@ allow_write_and_free_vma:
+@@ -1695,6 +1868,12 @@ allow_write_and_free_vma:
if (vm_flags & VM_DENYWRITE)
allow_write_access(file);
free_vma:
@@ -117732,7 +117432,7 @@ index 79bcc9f..481e0f5c 100644
kmem_cache_free(vm_area_cachep, vma);
unacct_error:
if (charged)
-@@ -1702,7 +1878,63 @@ unacct_error:
+@@ -1702,7 +1881,63 @@ unacct_error:
return error;
}
@@ -117797,7 +117497,7 @@ index 79bcc9f..481e0f5c 100644
{
/*
* We implement the search by looking for an rbtree node that
-@@ -1750,11 +1982,29 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info)
+@@ -1750,11 +1985,29 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info)
}
}
@@ -117828,7 +117528,7 @@ index 79bcc9f..481e0f5c 100644
if (gap_end >= low_limit && gap_end - gap_start >= length)
goto found;
-@@ -1804,7 +2054,7 @@ found:
+@@ -1804,7 +2057,7 @@ found:
return gap_start;
}
@@ -117837,7 +117537,7 @@ index 79bcc9f..481e0f5c 100644
{
struct mm_struct *mm = current->mm;
struct vm_area_struct *vma;
-@@ -1858,6 +2108,24 @@ check_current:
+@@ -1858,6 +2111,24 @@ check_current:
gap_end = vma->vm_start;
if (gap_end < low_limit)
return -ENOMEM;
@@ -117862,7 +117562,7 @@ index 79bcc9f..481e0f5c 100644
if (gap_start <= high_limit && gap_end - gap_start >= length)
goto found;
-@@ -1921,6 +2189,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -1921,6 +2192,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
struct mm_struct *mm = current->mm;
struct vm_area_struct *vma;
struct vm_unmapped_area_info info;
@@ -117870,7 +117570,7 @@ index 79bcc9f..481e0f5c 100644
if (len > TASK_SIZE - mmap_min_addr)
return -ENOMEM;
-@@ -1928,11 +2197,15 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -1928,11 +2200,15 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
if (flags & MAP_FIXED)
return addr;
@@ -117887,7 +117587,7 @@ index 79bcc9f..481e0f5c 100644
return addr;
}
-@@ -1941,6 +2214,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -1941,6 +2217,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
info.low_limit = mm->mmap_base;
info.high_limit = TASK_SIZE;
info.align_mask = 0;
@@ -117895,7 +117595,7 @@ index 79bcc9f..481e0f5c 100644
return vm_unmapped_area(&info);
}
#endif
-@@ -1959,6 +2233,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1959,6 +2236,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
struct mm_struct *mm = current->mm;
unsigned long addr = addr0;
struct vm_unmapped_area_info info;
@@ -117903,7 +117603,7 @@ index 79bcc9f..481e0f5c 100644
/* requested length too big for entire address space */
if (len > TASK_SIZE - mmap_min_addr)
-@@ -1967,12 +2242,16 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1967,12 +2245,16 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
if (flags & MAP_FIXED)
return addr;
@@ -117921,7 +117621,7 @@ index 79bcc9f..481e0f5c 100644
return addr;
}
-@@ -1981,6 +2260,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1981,6 +2263,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
info.low_limit = max(PAGE_SIZE, mmap_min_addr);
info.high_limit = mm->mmap_base;
info.align_mask = 0;
@@ -117929,7 +117629,7 @@ index 79bcc9f..481e0f5c 100644
addr = vm_unmapped_area(&info);
/*
-@@ -1993,6 +2273,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1993,6 +2276,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
VM_BUG_ON(addr != -ENOMEM);
info.flags = 0;
info.low_limit = TASK_UNMAPPED_BASE;
@@ -117942,7 +117642,7 @@ index 79bcc9f..481e0f5c 100644
info.high_limit = TASK_SIZE;
addr = vm_unmapped_area(&info);
}
-@@ -2093,6 +2379,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr,
+@@ -2093,6 +2382,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr,
return vma;
}
@@ -117971,7 +117671,7 @@ index 79bcc9f..481e0f5c 100644
/*
* Verify that the stack growth is acceptable and
* update accounting. This is shared with both the
-@@ -2110,8 +2418,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -2110,8 +2421,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
/* Stack limit test */
actual_size = size;
@@ -117981,15 +117681,18 @@ index 79bcc9f..481e0f5c 100644
if (actual_size > READ_ONCE(rlim[RLIMIT_STACK].rlim_cur))
return -ENOMEM;
-@@ -2122,6 +2429,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -2122,6 +2432,10 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
locked = mm->locked_vm + grow;
limit = READ_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
limit >>= PAGE_SHIFT;
-+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
++ if (locked > (ULONG_MAX >> PAGE_SHIFT))
++ gr_learn_resource(current, RLIMIT_MEMLOCK, ULONG_MAX, 1);
++ else
++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
if (locked > limit && !capable(CAP_IPC_LOCK))
return -ENOMEM;
}
-@@ -2151,37 +2459,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -2151,37 +2465,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
* PA-RISC uses this for its stack; IA64 for its Register Backing Store.
* vma is the last one with address > vma->vm_end. Have to extend vma.
*/
@@ -118047,7 +117750,7 @@ index 79bcc9f..481e0f5c 100644
unsigned long size, grow;
size = address - vma->vm_start;
-@@ -2216,6 +2535,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+@@ -2216,6 +2541,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
}
}
}
@@ -118056,7 +117759,7 @@ index 79bcc9f..481e0f5c 100644
vma_unlock_anon_vma(vma);
khugepaged_enter_vma_merge(vma, vma->vm_flags);
validate_mm(vma->vm_mm);
-@@ -2230,6 +2551,8 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2230,6 +2557,8 @@ int expand_downwards(struct vm_area_struct *vma,
unsigned long address)
{
int error;
@@ -118065,7 +117768,7 @@ index 79bcc9f..481e0f5c 100644
/*
* We must make sure the anon_vma is allocated
-@@ -2243,6 +2566,15 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2243,6 +2572,15 @@ int expand_downwards(struct vm_area_struct *vma,
if (error)
return error;
@@ -118081,7 +117784,7 @@ index 79bcc9f..481e0f5c 100644
vma_lock_anon_vma(vma);
/*
-@@ -2252,9 +2584,17 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2252,9 +2590,17 @@ int expand_downwards(struct vm_area_struct *vma,
*/
/* Somebody else might have raced and expanded it already */
@@ -118100,7 +117803,7 @@ index 79bcc9f..481e0f5c 100644
size = vma->vm_end - address;
grow = (vma->vm_start - address) >> PAGE_SHIFT;
-@@ -2279,13 +2619,27 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2279,13 +2625,27 @@ int expand_downwards(struct vm_area_struct *vma,
vma->vm_pgoff -= grow;
anon_vma_interval_tree_post_update_vma(vma);
vma_gap_update(vma);
@@ -118128,7 +117831,7 @@ index 79bcc9f..481e0f5c 100644
khugepaged_enter_vma_merge(vma, vma->vm_flags);
validate_mm(vma->vm_mm);
return error;
-@@ -2385,6 +2739,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2385,6 +2745,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
do {
long nrpages = vma_pages(vma);
@@ -118142,7 +117845,7 @@ index 79bcc9f..481e0f5c 100644
if (vma->vm_flags & VM_ACCOUNT)
nr_accounted += nrpages;
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
-@@ -2429,6 +2790,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2429,6 +2796,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
insertion_point = (prev ? &prev->vm_next : &mm->mmap);
vma->vm_prev = NULL;
do {
@@ -118159,7 +117862,7 @@ index 79bcc9f..481e0f5c 100644
vma_rb_erase(vma, &mm->mm_rb);
mm->map_count--;
tail_vma = vma;
-@@ -2456,14 +2827,33 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2456,14 +2833,33 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
struct vm_area_struct *new;
int err;
@@ -118193,7 +117896,7 @@ index 79bcc9f..481e0f5c 100644
/* most fields are the same, copy all, and then fixup */
*new = *vma;
-@@ -2476,6 +2866,22 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2476,6 +2872,22 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
}
@@ -118216,7 +117919,7 @@ index 79bcc9f..481e0f5c 100644
err = vma_dup_policy(vma, new);
if (err)
goto out_free_vma;
-@@ -2496,6 +2902,38 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2496,6 +2908,38 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
else
err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
@@ -118255,7 +117958,7 @@ index 79bcc9f..481e0f5c 100644
/* Success. */
if (!err)
return 0;
-@@ -2505,10 +2943,18 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2505,10 +2949,18 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
new->vm_ops->close(new);
if (new->vm_file)
fput(new->vm_file);
@@ -118275,7 +117978,7 @@ index 79bcc9f..481e0f5c 100644
kmem_cache_free(vm_area_cachep, new);
return err;
}
-@@ -2520,6 +2966,15 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2520,6 +2972,15 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
unsigned long addr, int new_below)
{
@@ -118291,7 +117994,7 @@ index 79bcc9f..481e0f5c 100644
if (mm->map_count >= sysctl_max_map_count)
return -ENOMEM;
-@@ -2531,11 +2986,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2531,11 +2992,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
* work. This now handles partial unmappings.
* Jeremy Fitzhardinge <jeremy@goop.org>
*/
@@ -118322,7 +118025,7 @@ index 79bcc9f..481e0f5c 100644
if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
return -EINVAL;
-@@ -2613,6 +3087,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
+@@ -2613,6 +3093,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
/* Fix up all other VM information */
remove_vma_list(mm, vma);
@@ -118331,7 +118034,7 @@ index 79bcc9f..481e0f5c 100644
return 0;
}
-@@ -2621,6 +3097,13 @@ int vm_munmap(unsigned long start, size_t len)
+@@ -2621,6 +3103,13 @@ int vm_munmap(unsigned long start, size_t len)
int ret;
struct mm_struct *mm = current->mm;
@@ -118345,7 +118048,7 @@ index 79bcc9f..481e0f5c 100644
down_write(&mm->mmap_sem);
ret = do_munmap(mm, start, len);
up_write(&mm->mmap_sem);
-@@ -2667,6 +3150,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
+@@ -2667,6 +3156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
down_write(&mm->mmap_sem);
vma = find_vma(mm, start);
@@ -118357,7 +118060,7 @@ index 79bcc9f..481e0f5c 100644
if (!vma || !(vma->vm_flags & VM_SHARED))
goto out;
-@@ -2703,16 +3191,6 @@ out:
+@@ -2703,16 +3197,6 @@ out:
return ret;
}
@@ -118374,7 +118077,7 @@ index 79bcc9f..481e0f5c 100644
/*
* this is really a simplified "do_mmap". it only handles
* anonymous maps. eventually we may be able to do some
-@@ -2726,6 +3204,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2726,6 +3210,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
struct rb_node **rb_link, *rb_parent;
pgoff_t pgoff = addr >> PAGE_SHIFT;
int error;
@@ -118382,7 +118085,7 @@ index 79bcc9f..481e0f5c 100644
len = PAGE_ALIGN(len);
if (!len)
-@@ -2733,10 +3212,24 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2733,10 +3218,24 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
@@ -118407,7 +118110,7 @@ index 79bcc9f..481e0f5c 100644
error = mlock_future_check(mm, mm->def_flags, len);
if (error)
return error;
-@@ -2754,16 +3247,17 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2754,16 +3253,17 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
&rb_parent)) {
if (do_munmap(mm, addr, len))
return -ENOMEM;
@@ -118427,7 +118130,7 @@ index 79bcc9f..481e0f5c 100644
return -ENOMEM;
/* Can we just expand an old private anonymous mapping? */
-@@ -2777,7 +3271,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2777,7 +3277,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
*/
vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
if (!vma) {
@@ -118436,7 +118139,7 @@ index 79bcc9f..481e0f5c 100644
return -ENOMEM;
}
-@@ -2791,10 +3285,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2791,10 +3291,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
vma_link(mm, vma, prev, rb_link, rb_parent);
out:
perf_event_mmap(vma);
@@ -118450,7 +118153,7 @@ index 79bcc9f..481e0f5c 100644
return addr;
}
-@@ -2856,6 +3351,7 @@ void exit_mmap(struct mm_struct *mm)
+@@ -2856,6 +3357,7 @@ void exit_mmap(struct mm_struct *mm)
while (vma) {
if (vma->vm_flags & VM_ACCOUNT)
nr_accounted += vma_pages(vma);
@@ -118458,7 +118161,7 @@ index 79bcc9f..481e0f5c 100644
vma = remove_vma(vma);
}
vm_unacct_memory(nr_accounted);
-@@ -2870,6 +3366,10 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2870,6 +3372,10 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
struct vm_area_struct *prev;
struct rb_node **rb_link, *rb_parent;
@@ -118469,7 +118172,7 @@ index 79bcc9f..481e0f5c 100644
if (find_vma_links(mm, vma->vm_start, vma->vm_end,
&prev, &rb_link, &rb_parent))
return -ENOMEM;
-@@ -2877,6 +3377,9 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2877,6 +3383,9 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
security_vm_enough_memory_mm(mm, vma_pages(vma)))
return -ENOMEM;
@@ -118479,7 +118182,7 @@ index 79bcc9f..481e0f5c 100644
/*
* The vm_pgoff of a purely anonymous vma should be irrelevant
* until its first write fault, when page's anon_vma and index
-@@ -2894,7 +3397,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2894,7 +3403,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
vma->vm_pgoff = vma->vm_start >> PAGE_SHIFT;
}
@@ -118501,7 +118204,7 @@ index 79bcc9f..481e0f5c 100644
return 0;
}
-@@ -2913,6 +3430,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2913,6 +3436,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
struct rb_node **rb_link, *rb_parent;
bool faulted_in_anon_vma = true;
@@ -118510,7 +118213,7 @@ index 79bcc9f..481e0f5c 100644
/*
* If anonymous vma has not yet been faulted, update new pgoff
* to match new location, to increase its chance of merging.
-@@ -2979,6 +3498,39 @@ out:
+@@ -2979,6 +3504,39 @@ out:
return NULL;
}
@@ -118550,15 +118253,19 @@ index 79bcc9f..481e0f5c 100644
/*
* Return true if the calling process may expand its vm space by the passed
* number of pages
-@@ -2990,6 +3542,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
+@@ -2990,6 +3548,11 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
-+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
++ if ((cur + npages) > (ULONG_MAX >> PAGE_SHIFT))
++ gr_learn_resource(current, RLIMIT_AS, ULONG_MAX, 1);
++ else
++ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
++
if (cur + npages > lim)
return 0;
return 1;
-@@ -3064,6 +3617,22 @@ static struct vm_area_struct *__install_special_mapping(
+@@ -3064,6 +3627,22 @@ static struct vm_area_struct *__install_special_mapping(
vma->vm_start = addr;
vma->vm_end = addr + len;
@@ -121892,22 +121599,6 @@ index ea748c9..79056c3 100644
.kind = "bridge",
.priv_size = sizeof(struct net_bridge),
.setup = br_dev_setup,
-diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
-index 4ca449a..49d8d28 100644
---- a/net/bridge/br_stp_if.c
-+++ b/net/bridge/br_stp_if.c
-@@ -130,7 +130,10 @@ static void br_stp_start(struct net_bridge *br)
- char *envp[] = { NULL };
- struct net_bridge_port *p;
-
-- r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
-+ if (net_eq(dev_net(br->dev), &init_net))
-+ r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
-+ else
-+ r = -ENOENT;
-
- spin_lock_bh(&br->lock);
-
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 48b6b01..cf544f3 100644
--- a/net/bridge/netfilter/ebtables.c
@@ -122219,7 +121910,7 @@ index 617088a..0364f4f 100644
return err;
diff --git a/net/core/dev.c b/net/core/dev.c
-index c14748d..b500378 100644
+index 6369c45..86ce9a7 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1748,7 +1748,7 @@ int __dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
@@ -122231,7 +121922,7 @@ index c14748d..b500378 100644
kfree_skb(skb);
return NET_RX_DROP;
}
-@@ -3162,7 +3162,7 @@ recursion_alert:
+@@ -3167,7 +3167,7 @@ recursion_alert:
drop:
rcu_read_unlock_bh();
@@ -122240,7 +121931,7 @@ index c14748d..b500378 100644
kfree_skb_list(skb);
return rc;
out:
-@@ -3514,7 +3514,7 @@ drop:
+@@ -3519,7 +3519,7 @@ drop:
local_irq_restore(flags);
@@ -122249,7 +121940,7 @@ index c14748d..b500378 100644
kfree_skb(skb);
return NET_RX_DROP;
}
-@@ -3591,7 +3591,7 @@ int netif_rx_ni(struct sk_buff *skb)
+@@ -3596,7 +3596,7 @@ int netif_rx_ni(struct sk_buff *skb)
}
EXPORT_SYMBOL(netif_rx_ni);
@@ -122258,7 +121949,7 @@ index c14748d..b500378 100644
{
struct softnet_data *sd = this_cpu_ptr(&softnet_data);
-@@ -3929,7 +3929,7 @@ ncls:
+@@ -3934,7 +3934,7 @@ ncls:
ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
} else {
drop:
@@ -122267,7 +121958,7 @@ index c14748d..b500378 100644
kfree_skb(skb);
/* Jamal, now you will not able to escape explaining
* me how you were going to use this. :-)
-@@ -4822,7 +4822,7 @@ out_unlock:
+@@ -4827,7 +4827,7 @@ out_unlock:
return work;
}
@@ -122276,7 +121967,7 @@ index c14748d..b500378 100644
{
struct softnet_data *sd = this_cpu_ptr(&softnet_data);
unsigned long time_limit = jiffies + 2;
-@@ -6914,8 +6914,8 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
+@@ -6919,8 +6919,8 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
} else {
netdev_stats_to_stats64(storage, &dev->stats);
}
@@ -122306,27 +121997,8 @@ index b94b1d2..da3ed7c 100644
}
EXPORT_SYMBOL(dev_load);
-diff --git a/net/core/dst.c b/net/core/dst.c
-index d6a5a0b..8852021 100644
---- a/net/core/dst.c
-+++ b/net/core/dst.c
-@@ -301,12 +301,13 @@ void dst_release(struct dst_entry *dst)
- {
- if (dst) {
- int newrefcnt;
-+ unsigned short nocache = dst->flags & DST_NOCACHE;
-
- newrefcnt = atomic_dec_return(&dst->__refcnt);
- if (unlikely(newrefcnt < 0))
- net_warn_ratelimited("%s: dst:%p refcnt:%d\n",
- __func__, dst, newrefcnt);
-- if (!newrefcnt && unlikely(dst->flags & DST_NOCACHE))
-+ if (!newrefcnt && unlikely(nocache))
- call_rcu(&dst->rcu_head, dst_destroy_rcu);
- }
- }
diff --git a/net/core/filter.c b/net/core/filter.c
-index bb18c36..a0c92a7 100644
+index 49b4487..a0c92a7 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -584,7 +584,11 @@ do_pass:
@@ -122351,19 +122023,7 @@ index bb18c36..a0c92a7 100644
masks = kmalloc_array(flen, sizeof(*masks), GFP_KERNEL);
if (!masks)
-@@ -781,6 +785,11 @@ static int bpf_check_classic(const struct sock_filter *filter,
- if (ftest->k == 0)
- return -EINVAL;
- break;
-+ case BPF_ALU | BPF_LSH | BPF_K:
-+ case BPF_ALU | BPF_RSH | BPF_K:
-+ if (ftest->k >= 32)
-+ return -EINVAL;
-+ break;
- case BPF_LD | BPF_MEM:
- case BPF_LDX | BPF_MEM:
- case BPF_ST:
-@@ -1057,7 +1066,7 @@ int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog)
+@@ -1062,7 +1066,7 @@ int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog)
if (!fp)
return -ENOMEM;
@@ -122552,10 +122212,10 @@ index 8bdada2..d7048c2 100644
iph->ttl = 64;
iph->protocol = IPPROTO_UDP;
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
-index de8d5cc..bf8443a 100644
+index 4da4d51..ef1aa60 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
-@@ -3827,7 +3827,7 @@ static int __net_init pg_net_init(struct net *net)
+@@ -3829,7 +3829,7 @@ static int __net_init pg_net_init(struct net *net)
pn->net = net;
INIT_LIST_HEAD(&pn->pktgen_threads);
pn->pktgen_exiting = false;
@@ -124028,7 +123688,7 @@ index ade7737..70ed9be 100644
goto err_reg;
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index 0a2b61d..e6e7d27 100644
+index 064f1a0..e6e7d27 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -786,7 +786,7 @@ static void tcp_update_pacing_rate(struct sock *sk)
@@ -124040,17 +123700,7 @@ index 0a2b61d..e6e7d27 100644
sk->sk_max_pacing_rate);
}
-@@ -2525,6 +2525,9 @@ static void tcp_cwnd_reduction(struct sock *sk, const int prior_unsacked,
- int newly_acked_sacked = prior_unsacked -
- (tp->packets_out - tp->sacked_out);
-
-+ if (newly_acked_sacked <= 0 || WARN_ON_ONCE(!tp->prior_cwnd))
-+ return;
-+
- tp->prr_delivered += newly_acked_sacked;
- if (delta < 0) {
- u64 dividend = (u64)tp->snd_ssthresh * tp->prr_delivered +
-@@ -4647,7 +4650,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
+@@ -4650,7 +4650,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
* simplifies code)
*/
static void
@@ -124059,7 +123709,7 @@ index 0a2b61d..e6e7d27 100644
struct sk_buff *head, struct sk_buff *tail,
u32 start, u32 end)
{
-@@ -5642,6 +5645,7 @@ discard:
+@@ -5645,6 +5645,7 @@ discard:
tcp_paws_reject(&tp->rx_opt, 0))
goto discard_and_undo;
@@ -124067,7 +123717,7 @@ index 0a2b61d..e6e7d27 100644
if (th->syn) {
/* We see SYN without ACK. It is attempt of
* simultaneous connect with crossed SYNs.
-@@ -5693,6 +5697,7 @@ discard:
+@@ -5696,6 +5697,7 @@ discard:
goto discard;
#endif
}
@@ -124075,7 +123725,7 @@ index 0a2b61d..e6e7d27 100644
/* "fifth, if neither of the SYN or RST bits is set then
* drop the segment and return."
*/
-@@ -5739,7 +5744,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+@@ -5742,7 +5744,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
goto discard;
if (th->syn) {
@@ -124084,7 +123734,7 @@ index 0a2b61d..e6e7d27 100644
goto discard;
if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
return 1;
-@@ -6069,7 +6074,7 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops,
+@@ -6072,7 +6074,7 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops,
kmemcheck_annotate_bitfield(ireq, flags);
ireq->opt = NULL;
@@ -124353,7 +124003,7 @@ index fd840c7..b517627 100644
struct iphdr *iph = ip_hdr(skb);
int ihl = iph->ihl * 4;
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
-index c10a9ee..c621a01 100644
+index 126ff90..e9ba962 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -192,11 +192,11 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
@@ -124372,7 +124022,7 @@ index c10a9ee..c621a01 100644
@@ -274,19 +274,18 @@ static struct ctl_table xfrm4_policy_table[] = {
- static int __net_init xfrm4_net_init(struct net *net)
+ static int __net_init xfrm4_net_sysctl_init(struct net *net)
{
- struct ctl_table *table;
+ ctl_table_no_const *table = NULL;
@@ -124395,7 +124045,7 @@ index c10a9ee..c621a01 100644
if (!hdr)
goto err_reg;
-@@ -294,8 +293,7 @@ static int __net_init xfrm4_net_init(struct net *net)
+@@ -294,8 +293,7 @@ static int __net_init xfrm4_net_sysctl_init(struct net *net)
return 0;
err_reg:
@@ -124418,7 +124068,7 @@ index 983bb99..ebc39e1 100644
Support for IPsec ESP.
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
-index ddd3511..22c903e 100644
+index 5462bfd..22c903e 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -178,7 +178,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
@@ -124554,25 +124204,7 @@ index ddd3511..22c903e 100644
struct net *net = ctl->extra2;
struct ipv6_stable_secret *secret = ctl->data;
-@@ -5349,13 +5356,10 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write,
- goto out;
- }
-
-- if (!write) {
-- err = snprintf(str, sizeof(str), "%pI6",
-- &secret->secret);
-- if (err >= sizeof(str)) {
-- err = -EIO;
-- goto out;
-- }
-+ err = snprintf(str, sizeof(str), "%pI6", &secret->secret);
-+ if (err >= sizeof(str)) {
-+ err = -EIO;
-+ goto out;
- }
-
- err = proc_dostring(&lctl, write, buffer, lenp, ppos);
-@@ -5403,7 +5407,7 @@ int addrconf_sysctl_ignore_routes_with_linkdown(struct ctl_table *ctl,
+@@ -5400,7 +5407,7 @@ int addrconf_sysctl_ignore_routes_with_linkdown(struct ctl_table *ctl,
int *valp = ctl->data;
int val = *valp;
loff_t pos = *ppos;
@@ -125107,7 +124739,7 @@ index 45243bb..cdb398e 100644
struct ctl_table *ipv6_icmp_table;
int err;
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
-index 8935dc1..bdfd1ee 100644
+index a71fb26..072547c 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -102,6 +102,10 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
@@ -125121,7 +124753,7 @@ index 8935dc1..bdfd1ee 100644
static __u32 tcp_v6_init_sequence(const struct sk_buff *skb)
{
return secure_tcpv6_sequence_number(ipv6_hdr(skb)->daddr.s6_addr32,
-@@ -1285,6 +1289,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
+@@ -1287,6 +1291,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
return 0;
reset:
@@ -125131,7 +124763,7 @@ index 8935dc1..bdfd1ee 100644
tcp_v6_send_reset(sk, skb);
discard:
if (opt_skb)
-@@ -1394,12 +1401,20 @@ static int tcp_v6_rcv(struct sk_buff *skb)
+@@ -1396,12 +1403,20 @@ static int tcp_v6_rcv(struct sk_buff *skb)
sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest,
inet6_iif(skb));
@@ -125154,7 +124786,7 @@ index 8935dc1..bdfd1ee 100644
if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
-@@ -1451,6 +1466,10 @@ csum_error:
+@@ -1453,6 +1468,10 @@ csum_error:
bad_packet:
TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
} else {
@@ -125218,7 +124850,7 @@ index 8379fc2..faac798 100644
kfree_skb(skb);
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
-index da55e0c..3c30bd8 100644
+index d51a18d..36a6399 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -218,11 +218,11 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
@@ -125237,7 +124869,7 @@ index da55e0c..3c30bd8 100644
@@ -329,19 +329,19 @@ static struct ctl_table xfrm6_policy_table[] = {
- static int __net_init xfrm6_net_init(struct net *net)
+ static int __net_init xfrm6_net_sysctl_init(struct net *net)
{
- struct ctl_table *table;
+ ctl_table_no_const *table = NULL;
@@ -125260,7 +124892,7 @@ index da55e0c..3c30bd8 100644
if (!hdr)
goto err_reg;
-@@ -349,8 +349,7 @@ static int __net_init xfrm6_net_init(struct net *net)
+@@ -349,8 +349,7 @@ static int __net_init xfrm6_net_sysctl_init(struct net *net)
return 0;
err_reg:
@@ -127088,7 +126720,7 @@ index f226709..0e735a8 100644
ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
-index e82a1ad..a7df216b 100644
+index 16bc83b..a7df216b 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -349,7 +349,7 @@ void netif_carrier_on(struct net_device *dev)
@@ -127109,18 +126741,6 @@ index e82a1ad..a7df216b 100644
linkwatch_fire_event(dev);
}
}
-@@ -658,8 +658,10 @@ static void qdisc_rcu_free(struct rcu_head *head)
- {
- struct Qdisc *qdisc = container_of(head, struct Qdisc, rcu_head);
-
-- if (qdisc_is_percpu_stats(qdisc))
-+ if (qdisc_is_percpu_stats(qdisc)) {
- free_percpu(qdisc->cpu_bstats);
-+ free_percpu(qdisc->cpu_qstats);
-+ }
-
- kfree((char *) qdisc - qdisc->padded);
- }
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 40677cf..9656f92 100644
--- a/net/sctp/ipv6.c
@@ -127259,7 +126879,7 @@ index 6098d4c..9920c54 100644
* We should no longer have much work to do here as the
* real work has been done as explicit commands above.
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
-index d7eaa73..9042a5d 100644
+index c89586e..dd962f7 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -2976,7 +2976,7 @@ sctp_disposition_t sctp_sf_eat_data_6_2(struct net *net,
@@ -127306,9 +126926,9 @@ index d7eaa73..9042a5d 100644
-
- retval = SCTP_DISPOSITION_CONSUME;
- sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
-
-@@ -4844,7 +4837,7 @@ sctp_disposition_t sctp_sf_do_9_1_prm_abort(
+ if (abort)
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
+@@ -4845,7 +4838,7 @@ sctp_disposition_t sctp_sf_do_9_1_prm_abort(
SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
@@ -127317,7 +126937,7 @@ index d7eaa73..9042a5d 100644
}
/* We tried an illegal operation on an association which is closed. */
-@@ -4959,12 +4952,10 @@ sctp_disposition_t sctp_sf_cookie_wait_prm_abort(
+@@ -4960,12 +4953,10 @@ sctp_disposition_t sctp_sf_cookie_wait_prm_abort(
sctp_cmd_seq_t *commands)
{
struct sctp_chunk *abort = arg;
@@ -127328,9 +126948,9 @@ index d7eaa73..9042a5d 100644
SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
- retval = SCTP_DISPOSITION_CONSUME;
- sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
-
-@@ -4983,7 +4974,7 @@ sctp_disposition_t sctp_sf_cookie_wait_prm_abort(
+ if (abort)
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
+@@ -4985,7 +4976,7 @@ sctp_disposition_t sctp_sf_cookie_wait_prm_abort(
sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
SCTP_PERR(SCTP_ERROR_USER_ABORT));
@@ -127340,7 +126960,7 @@ index d7eaa73..9042a5d 100644
/*
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 84b1b50..e2a95d3 100644
+index 9dee804..7e2f09d 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -972,7 +972,7 @@ static int sctp_setsockopt_bindx(struct sock *sk,
@@ -127374,7 +126994,7 @@ index 84b1b50..e2a95d3 100644
if (unlikely(!kaddrs))
return -ENOMEM;
-@@ -2194,11 +2197,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
+@@ -2193,11 +2196,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
{
struct sctp_association *asoc;
struct sctp_ulpevent *event;
@@ -127389,7 +127009,7 @@ index 84b1b50..e2a95d3 100644
/* At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT,
* if there is no data to be sent or retransmit, the stack will
-@@ -4373,13 +4378,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
+@@ -4372,13 +4377,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
int __user *optlen)
{
@@ -127407,7 +127027,7 @@ index 84b1b50..e2a95d3 100644
return -EFAULT;
return 0;
}
-@@ -4397,6 +4405,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
+@@ -4396,6 +4404,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
*/
static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen)
{
@@ -127416,7 +127036,7 @@ index 84b1b50..e2a95d3 100644
/* Applicable to UDP-style socket only */
if (sctp_style(sk, TCP))
return -EOPNOTSUPP;
-@@ -4405,7 +4415,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
+@@ -4404,7 +4414,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
len = sizeof(int);
if (put_user(len, optlen))
return -EFAULT;
@@ -127426,7 +127046,7 @@ index 84b1b50..e2a95d3 100644
return -EFAULT;
return 0;
}
-@@ -4779,12 +4790,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
+@@ -4778,12 +4789,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
*/
static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen)
{
@@ -127443,7 +127063,7 @@ index 84b1b50..e2a95d3 100644
return -EFAULT;
return 0;
}
-@@ -4825,6 +4839,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
+@@ -4824,6 +4838,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
->addr_to_user(sp, &temp);
if (space_left < addrlen)
return -ENOMEM;
@@ -127452,7 +127072,7 @@ index 84b1b50..e2a95d3 100644
if (copy_to_user(to, &temp, addrlen))
return -EFAULT;
to += addrlen;
-@@ -4928,7 +4944,7 @@ static int sctp_getsockopt_local_addrs(struct sock *sk, int len,
+@@ -4927,7 +4943,7 @@ static int sctp_getsockopt_local_addrs(struct sock *sk, int len,
to = optval + offsetof(struct sctp_getaddrs, addrs);
space_left = len - offsetof(struct sctp_getaddrs, addrs);
@@ -127461,7 +127081,7 @@ index 84b1b50..e2a95d3 100644
if (!addrs)
return -ENOMEM;
-@@ -5777,7 +5793,7 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
+@@ -5776,7 +5792,7 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
len = sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num;
@@ -127471,10 +127091,10 @@ index 84b1b50..e2a95d3 100644
return -ENOMEM;
diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c
-index 26d50c5..289fe22 100644
+index 3e0fc51..289fe22 100644
--- a/net/sctp/sysctl.c
+++ b/net/sctp/sysctl.c
-@@ -317,10 +317,10 @@ static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write,
+@@ -317,7 +317,7 @@ static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write,
loff_t *ppos)
{
struct net *net = current->nsproxy->net_ns;
@@ -127482,11 +127102,7 @@ index 26d50c5..289fe22 100644
+ ctl_table_no_const tbl;
bool changed = false;
char *none = "none";
-- char tmp[8];
-+ char tmp[8] = {0};
- int ret;
-
- memset(&tbl, 0, sizeof(struct ctl_table));
+ char tmp[8] = {0};
@@ -365,7 +365,7 @@ static int proc_sctp_do_rto_min(struct ctl_table *ctl, int write,
struct net *net = current->nsproxy->net_ns;
unsigned int min = *(unsigned int *) ctl->extra1;
@@ -128221,7 +127837,7 @@ index 350cca3..a108fc5 100644
sub->evt.event = htohl(event, sub->swap);
sub->evt.found_lower = htohl(found_lower, sub->swap);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 0fc6dba..8355d2c 100644
+index 7926de1..8355d2c 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -918,6 +918,12 @@ static struct sock *unix_find_other(struct net *net,
@@ -128251,186 +127867,27 @@ index 0fc6dba..8355d2c 100644
if (dentry)
touch_atime(&unix_sk(u)->path);
} else
-@@ -952,32 +965,26 @@ fail:
- return NULL;
- }
-
--static int unix_mknod(const char *sun_path, umode_t mode, struct path *res)
-+static int unix_mknod(struct dentry *dentry, struct path *path, umode_t mode,
-+ struct path *res)
- {
-- struct dentry *dentry;
-- struct path path;
-- int err = 0;
-- /*
-- * Get the parent directory, calculate the hash for last
-- * component.
-- */
-- dentry = kern_path_create(AT_FDCWD, sun_path, &path, 0);
-- err = PTR_ERR(dentry);
-- if (IS_ERR(dentry))
-- return err;
-+ int err;
+@@ -959,13 +972,19 @@ static int unix_mknod(struct dentry *dentry, struct path *path, umode_t mode,
-- /*
-- * All right, let's create it.
-- */
-- err = security_path_mknod(&path, dentry, mode, 0);
-+ err = security_path_mknod(path, dentry, mode, 0);
+ err = security_path_mknod(path, dentry, mode, 0);
if (!err) {
-- err = vfs_mknod(d_inode(path.dentry), dentry, mode, 0);
+ if (!gr_acl_handle_mknod(dentry, path->dentry, path->mnt, mode)) {
+ err = -EACCES;
+ goto out;
+ }
-+ err = vfs_mknod(d_inode(path->dentry), dentry, mode, 0);
+ err = vfs_mknod(d_inode(path->dentry), dentry, mode, 0);
if (!err) {
-- res->mnt = mntget(path.mnt);
-+ res->mnt = mntget(path->mnt);
+ res->mnt = mntget(path->mnt);
res->dentry = dget(dentry);
+ gr_handle_create(dentry, path->mnt);
}
}
-- done_path_create(&path, dentry);
-+
-+out:
- return err;
- }
-
-@@ -988,10 +995,12 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
- struct unix_sock *u = unix_sk(sk);
- struct sockaddr_un *sunaddr = (struct sockaddr_un *)uaddr;
- char *sun_path = sunaddr->sun_path;
-- int err;
-+ int err, name_err;
- unsigned int hash;
- struct unix_address *addr;
- struct hlist_head *list;
-+ struct path path;
-+ struct dentry *dentry;
-
- err = -EINVAL;
- if (sunaddr->sun_family != AF_UNIX)
-@@ -1007,14 +1016,34 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
- goto out;
- addr_len = err;
-
-+ name_err = 0;
-+ dentry = NULL;
-+ if (sun_path[0]) {
-+ /* Get the parent directory, calculate the hash for last
-+ * component.
-+ */
-+ dentry = kern_path_create(AT_FDCWD, sun_path, &path, 0);
-+
-+ if (IS_ERR(dentry)) {
-+ /* delay report until after 'already bound' check */
-+ name_err = PTR_ERR(dentry);
-+ dentry = NULL;
-+ }
-+ }
-+
- err = mutex_lock_interruptible(&u->readlock);
- if (err)
-- goto out;
-+ goto out_path;
-
- err = -EINVAL;
- if (u->addr)
- goto out_up;
-+ if (name_err) {
-+ err = name_err == -EEXIST ? -EADDRINUSE : name_err;
-+ goto out_up;
-+ }
-+
- err = -ENOMEM;
- addr = kmalloc(sizeof(*addr)+addr_len, GFP_KERNEL);
- if (!addr)
-@@ -1025,11 +1054,11 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
- addr->hash = hash ^ sk->sk_type;
- atomic_set(&addr->refcnt, 1);
-
-- if (sun_path[0]) {
-- struct path path;
-+ if (dentry) {
-+ struct path u_path;
- umode_t mode = S_IFSOCK |
- (SOCK_INODE(sock)->i_mode & ~current_umask());
-- err = unix_mknod(sun_path, mode, &path);
-+ err = unix_mknod(dentry, &path, mode, &u_path);
- if (err) {
- if (err == -EEXIST)
- err = -EADDRINUSE;
-@@ -1037,9 +1066,9 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
- goto out_up;
- }
- addr->hash = UNIX_HASH_SIZE;
-- hash = d_backing_inode(path.dentry)->i_ino & (UNIX_HASH_SIZE-1);
-+ hash = d_backing_inode(dentry)->i_ino & (UNIX_HASH_SIZE - 1);
- spin_lock(&unix_table_lock);
-- u->path = path;
-+ u->path = u_path;
- list = &unix_socket_table[hash];
- } else {
- spin_lock(&unix_table_lock);
-@@ -1062,6 +1091,10 @@ out_unlock:
- spin_unlock(&unix_table_lock);
- out_up:
- mutex_unlock(&u->readlock);
-+out_path:
-+ if (dentry)
-+ done_path_create(&path, dentry);
-+
- out:
++out:
return err;
}
-@@ -1498,6 +1531,21 @@ static void unix_destruct_scm(struct sk_buff *skb)
- sock_wfree(skb);
- }
-+/*
-+ * The "user->unix_inflight" variable is protected by the garbage
-+ * collection lock, and we just read it locklessly here. If you go
-+ * over the limit, there might be a tiny race in actually noticing
-+ * it across threads. Tough.
-+ */
-+static inline bool too_many_unix_fds(struct task_struct *p)
-+{
-+ struct user_struct *user = current_user();
-+
-+ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
-+ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
-+ return false;
-+}
-+
- #define MAX_RECURSION_LEVEL 4
-
- static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
-@@ -1506,6 +1554,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
- unsigned char max_level = 0;
- int unix_sock_count = 0;
-
-+ if (too_many_unix_fds(current))
-+ return -ETOOMANYREFS;
-+
- for (i = scm->fp->count - 1; i >= 0; i--) {
- struct sock *sk = unix_get_socket(scm->fp->fp[i]);
-
-@@ -1527,10 +1578,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
- if (!UNIXCB(skb).fp)
- return -ENOMEM;
-
-- if (unix_sock_count) {
-- for (i = scm->fp->count - 1; i >= 0; i--)
-- unix_inflight(scm->fp->fp[i]);
-- }
-+ for (i = scm->fp->count - 1; i >= 0; i--)
-+ unix_inflight(scm->fp->fp[i]);
- return max_level;
- }
-
-@@ -2301,6 +2350,7 @@ again:
+@@ -2331,6 +2350,7 @@ again:
if (signal_pending(current)) {
err = sock_intr_errno(timeo);
@@ -128438,7 +127895,7 @@ index 0fc6dba..8355d2c 100644
goto out;
}
-@@ -2765,9 +2815,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+@@ -2795,9 +2815,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
seq_puts(seq, "Num RefCount Protocol Flags Type St "
"Inode Path\n");
else {
@@ -128453,7 +127910,7 @@ index 0fc6dba..8355d2c 100644
seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu",
s,
-@@ -2792,10 +2846,29 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+@@ -2822,10 +2846,29 @@ static int unix_seq_show(struct seq_file *seq, void *v)
seq_putc(seq, '@');
i++;
}
@@ -128487,56 +127944,6 @@ index 0fc6dba..8355d2c 100644
seq_putc(seq, '\n');
}
-diff --git a/net/unix/garbage.c b/net/unix/garbage.c
-index a73a226..8fcdc22 100644
---- a/net/unix/garbage.c
-+++ b/net/unix/garbage.c
-@@ -120,11 +120,11 @@ void unix_inflight(struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-
-+ spin_lock(&unix_gc_lock);
-+
- if (s) {
- struct unix_sock *u = unix_sk(s);
-
-- spin_lock(&unix_gc_lock);
--
- if (atomic_long_inc_return(&u->inflight) == 1) {
- BUG_ON(!list_empty(&u->link));
- list_add_tail(&u->link, &gc_inflight_list);
-@@ -132,25 +132,28 @@ void unix_inflight(struct file *fp)
- BUG_ON(list_empty(&u->link));
- }
- unix_tot_inflight++;
-- spin_unlock(&unix_gc_lock);
- }
-+ fp->f_cred->user->unix_inflight++;
-+ spin_unlock(&unix_gc_lock);
- }
-
- void unix_notinflight(struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-
-+ spin_lock(&unix_gc_lock);
-+
- if (s) {
- struct unix_sock *u = unix_sk(s);
-
-- spin_lock(&unix_gc_lock);
- BUG_ON(list_empty(&u->link));
-
- if (atomic_long_dec_and_test(&u->inflight))
- list_del_init(&u->link);
- unix_tot_inflight--;
-- spin_unlock(&unix_gc_lock);
- }
-+ fp->f_cred->user->unix_inflight--;
-+ spin_unlock(&unix_gc_lock);
- }
-
- static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *),
diff --git a/net/unix/sysctl_net_unix.c b/net/unix/sysctl_net_unix.c
index b3d5150..ff3a837 100644
--- a/net/unix/sysctl_net_unix.c
@@ -128692,7 +128099,7 @@ index 0917f04..f4e3d8c 100644
if (!proc_create("x25/route", S_IRUGO, init_net.proc_net,
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
-index 94af3d0..7db10b8 100644
+index bacd30b..f8ddfe7 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -325,7 +325,7 @@ static void xfrm_policy_kill(struct xfrm_policy *policy)
@@ -128744,7 +128151,7 @@ index 94af3d0..7db10b8 100644
return 0;
mtu = dst_mtu(dst->child);
-@@ -2832,8 +2833,6 @@ int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
+@@ -2831,8 +2832,6 @@ int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
dst_ops->link_failure = xfrm_link_failure;
if (likely(dst_ops->neigh_lookup == NULL))
dst_ops->neigh_lookup = xfrm_neigh_lookup;
@@ -128753,7 +128160,7 @@ index 94af3d0..7db10b8 100644
rcu_assign_pointer(xfrm_policy_afinfo[afinfo->family], afinfo);
}
spin_unlock(&xfrm_policy_afinfo_lock);
-@@ -2887,7 +2886,6 @@ int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
+@@ -2866,7 +2865,6 @@ int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
dst_ops->check = NULL;
dst_ops->negative_advice = NULL;
dst_ops->link_failure = NULL;
@@ -128761,7 +128168,7 @@ index 94af3d0..7db10b8 100644
}
return err;
}
-@@ -3285,7 +3283,7 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol,
+@@ -3247,7 +3245,7 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol,
sizeof(pol->xfrm_vec[i].saddr));
pol->xfrm_vec[i].encap_family = mp->new_family;
/* flush bundles */
@@ -131348,27 +130755,6 @@ index ffd2025..df062c9 100644
/* PCM3052 register definitions */
-diff --git a/sound/core/hrtimer.c b/sound/core/hrtimer.c
-index f845ecf..656d9a9 100644
---- a/sound/core/hrtimer.c
-+++ b/sound/core/hrtimer.c
-@@ -90,7 +90,7 @@ static int snd_hrtimer_start(struct snd_timer *t)
- struct snd_hrtimer *stime = t->private_data;
-
- atomic_set(&stime->running, 0);
-- hrtimer_cancel(&stime->hrt);
-+ hrtimer_try_to_cancel(&stime->hrt);
- hrtimer_start(&stime->hrt, ns_to_ktime(t->sticks * resolution),
- HRTIMER_MODE_REL);
- atomic_set(&stime->running, 1);
-@@ -101,6 +101,7 @@ static int snd_hrtimer_stop(struct snd_timer *t)
- {
- struct snd_hrtimer *stime = t->private_data;
- atomic_set(&stime->running, 0);
-+ hrtimer_try_to_cancel(&stime->hrt);
- return 0;
- }
-
diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
index 58550cc..4687a93 100644
--- a/sound/core/oss/pcm_oss.c
@@ -131445,7 +130831,7 @@ index 58550cc..4687a93 100644
}
} else if (runtime->access == SNDRV_PCM_ACCESS_RW_NONINTERLEAVED) {
diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c
-index b48b434..e2ba787 100644
+index 9630e9f..2071ac2 100644
--- a/sound/core/pcm_compat.c
+++ b/sound/core/pcm_compat.c
@@ -31,7 +31,7 @@ static int snd_pcm_ioctl_delay_compat(struct snd_pcm_substream *substream,
@@ -131476,7 +130862,7 @@ index 75888dd..c940854 100644
default:
result = -EINVAL;
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
-index b64f20d..a68addd 100644
+index 13cfa81..a68addd 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -446,7 +446,7 @@ static ssize_t snd_seq_read(struct file *file, char __user *buf, size_t count,
@@ -131504,15 +130890,6 @@ index b64f20d..a68addd 100644
event.data.ext.ptr = ptr;
}
#endif
-@@ -1962,7 +1962,7 @@ static int snd_seq_ioctl_remove_events(struct snd_seq_client *client,
- * No restrictions so for a user client we can clear
- * the whole fifo
- */
-- if (client->type == USER_CLIENT)
-+ if (client->type == USER_CLIENT && client->data.user.fifo)
- snd_seq_fifo_clear(client->data.user.fifo);
- }
-
@@ -2420,7 +2420,7 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
if (client == NULL)
return -ENXIO;
@@ -131523,10 +130900,10 @@ index b64f20d..a68addd 100644
return result;
}
diff --git a/sound/core/seq/seq_compat.c b/sound/core/seq/seq_compat.c
-index 81f7c10..296bd6fd 100644
+index 6517590..9905cee 100644
--- a/sound/core/seq/seq_compat.c
+++ b/sound/core/seq/seq_compat.c
-@@ -59,7 +59,7 @@ static int snd_seq_call_port_info_ioctl(struct snd_seq_client *client, unsigned
+@@ -60,7 +60,7 @@ static int snd_seq_call_port_info_ioctl(struct snd_seq_client *client, unsigned
data->kernel = NULL;
fs = snd_enter_user();
@@ -131566,21 +130943,6 @@ index 8010766..4bd361f 100644
err = -EFAULT;
goto __error;
}
-diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
-index 7dfd0f4..0bec02e 100644
---- a/sound/core/seq/seq_queue.c
-+++ b/sound/core/seq/seq_queue.c
-@@ -142,8 +142,10 @@ static struct snd_seq_queue *queue_new(int owner, int locked)
- static void queue_delete(struct snd_seq_queue *q)
- {
- /* stop and release the timer */
-+ mutex_lock(&q->timer_mutex);
- snd_seq_timer_stop(q->timer);
- snd_seq_timer_close(q);
-+ mutex_unlock(&q->timer_mutex);
- /* wait until access free */
- snd_use_lock_sync(&q->use_lock);
- /* release resources... */
diff --git a/sound/core/sound.c b/sound/core/sound.c
index 175f9e4..3518d31 100644
--- a/sound/core/sound.c
@@ -131594,171 +130956,6 @@ index 175f9e4..3518d31 100644
}
#endif /* modular kernel */
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 31f40f0..4e8d7bf 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -73,7 +73,7 @@ struct snd_timer_user {
- struct timespec tstamp; /* trigger tstamp */
- wait_queue_head_t qchange_sleep;
- struct fasync_struct *fasync;
-- struct mutex tread_sem;
-+ struct mutex ioctl_lock;
- };
-
- /* list of timers */
-@@ -215,11 +215,13 @@ static void snd_timer_check_master(struct snd_timer_instance *master)
- slave->slave_id == master->slave_id) {
- list_move_tail(&slave->open_list, &master->slave_list_head);
- spin_lock_irq(&slave_active_lock);
-+ spin_lock(&master->timer->lock);
- slave->master = master;
- slave->timer = master->timer;
- if (slave->flags & SNDRV_TIMER_IFLG_RUNNING)
- list_add_tail(&slave->active_list,
- &master->slave_active_head);
-+ spin_unlock(&master->timer->lock);
- spin_unlock_irq(&slave_active_lock);
- }
- }
-@@ -346,15 +348,18 @@ int snd_timer_close(struct snd_timer_instance *timeri)
- timer->hw.close)
- timer->hw.close(timer);
- /* remove slave links */
-+ spin_lock_irq(&slave_active_lock);
-+ spin_lock(&timer->lock);
- list_for_each_entry_safe(slave, tmp, &timeri->slave_list_head,
- open_list) {
-- spin_lock_irq(&slave_active_lock);
-- _snd_timer_stop(slave, 1, SNDRV_TIMER_EVENT_RESOLUTION);
- list_move_tail(&slave->open_list, &snd_timer_slave_list);
- slave->master = NULL;
- slave->timer = NULL;
-- spin_unlock_irq(&slave_active_lock);
-+ list_del_init(&slave->ack_list);
-+ list_del_init(&slave->active_list);
- }
-+ spin_unlock(&timer->lock);
-+ spin_unlock_irq(&slave_active_lock);
- mutex_unlock(&register_mutex);
- }
- out:
-@@ -441,9 +446,12 @@ static int snd_timer_start_slave(struct snd_timer_instance *timeri)
-
- spin_lock_irqsave(&slave_active_lock, flags);
- timeri->flags |= SNDRV_TIMER_IFLG_RUNNING;
-- if (timeri->master)
-+ if (timeri->master && timeri->timer) {
-+ spin_lock(&timeri->timer->lock);
- list_add_tail(&timeri->active_list,
- &timeri->master->slave_active_head);
-+ spin_unlock(&timeri->timer->lock);
-+ }
- spin_unlock_irqrestore(&slave_active_lock, flags);
- return 1; /* delayed start */
- }
-@@ -489,6 +497,8 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri,
- if (!keep_flag) {
- spin_lock_irqsave(&slave_active_lock, flags);
- timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
-+ list_del_init(&timeri->ack_list);
-+ list_del_init(&timeri->active_list);
- spin_unlock_irqrestore(&slave_active_lock, flags);
- }
- goto __end;
-@@ -694,7 +704,7 @@ void snd_timer_interrupt(struct snd_timer * timer, unsigned long ticks_left)
- } else {
- ti->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
- if (--timer->running)
-- list_del(&ti->active_list);
-+ list_del_init(&ti->active_list);
- }
- if ((timer->hw.flags & SNDRV_TIMER_HW_TASKLET) ||
- (ti->flags & SNDRV_TIMER_IFLG_FAST))
-@@ -1253,7 +1263,7 @@ static int snd_timer_user_open(struct inode *inode, struct file *file)
- return -ENOMEM;
- spin_lock_init(&tu->qlock);
- init_waitqueue_head(&tu->qchange_sleep);
-- mutex_init(&tu->tread_sem);
-+ mutex_init(&tu->ioctl_lock);
- tu->ticks = 1;
- tu->queue_size = 128;
- tu->queue = kmalloc(tu->queue_size * sizeof(struct snd_timer_read),
-@@ -1273,8 +1283,10 @@ static int snd_timer_user_release(struct inode *inode, struct file *file)
- if (file->private_data) {
- tu = file->private_data;
- file->private_data = NULL;
-+ mutex_lock(&tu->ioctl_lock);
- if (tu->timeri)
- snd_timer_close(tu->timeri);
-+ mutex_unlock(&tu->ioctl_lock);
- kfree(tu->queue);
- kfree(tu->tqueue);
- kfree(tu);
-@@ -1512,7 +1524,6 @@ static int snd_timer_user_tselect(struct file *file,
- int err = 0;
-
- tu = file->private_data;
-- mutex_lock(&tu->tread_sem);
- if (tu->timeri) {
- snd_timer_close(tu->timeri);
- tu->timeri = NULL;
-@@ -1556,7 +1567,6 @@ static int snd_timer_user_tselect(struct file *file,
- }
-
- __err:
-- mutex_unlock(&tu->tread_sem);
- return err;
- }
-
-@@ -1769,7 +1779,7 @@ enum {
- SNDRV_TIMER_IOCTL_PAUSE_OLD = _IO('T', 0x23),
- };
-
--static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
-+static long __snd_timer_user_ioctl(struct file *file, unsigned int cmd,
- unsigned long arg)
- {
- struct snd_timer_user *tu;
-@@ -1786,17 +1796,11 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
- {
- int xarg;
-
-- mutex_lock(&tu->tread_sem);
-- if (tu->timeri) { /* too late */
-- mutex_unlock(&tu->tread_sem);
-+ if (tu->timeri) /* too late */
- return -EBUSY;
-- }
-- if (get_user(xarg, p)) {
-- mutex_unlock(&tu->tread_sem);
-+ if (get_user(xarg, p))
- return -EFAULT;
-- }
- tu->tread = xarg ? 1 : 0;
-- mutex_unlock(&tu->tread_sem);
- return 0;
- }
- case SNDRV_TIMER_IOCTL_GINFO:
-@@ -1829,6 +1833,18 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
- return -ENOTTY;
- }
-
-+static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
-+ unsigned long arg)
-+{
-+ struct snd_timer_user *tu = file->private_data;
-+ long ret;
-+
-+ mutex_lock(&tu->ioctl_lock);
-+ ret = __snd_timer_user_ioctl(file, cmd, arg);
-+ mutex_unlock(&tu->ioctl_lock);
-+ return ret;
-+}
-+
- static int snd_timer_user_fasync(int fd, struct file * file, int on)
- {
- struct snd_timer_user *tu;
diff --git a/sound/drivers/mts64.c b/sound/drivers/mts64.c
index 2a008a9..a1efb3f 100644
--- a/sound/drivers/mts64.c
diff --git a/4.3.4/4425_grsec_remove_EI_PAX.patch b/4.3.5/4425_grsec_remove_EI_PAX.patch
index 2a1aa6c..2a1aa6c 100644
--- a/4.3.4/4425_grsec_remove_EI_PAX.patch
+++ b/4.3.5/4425_grsec_remove_EI_PAX.patch
diff --git a/4.3.4/4427_force_XATTR_PAX_tmpfs.patch b/4.3.5/4427_force_XATTR_PAX_tmpfs.patch
index d03130d..d03130d 100644
--- a/4.3.4/4427_force_XATTR_PAX_tmpfs.patch
+++ b/4.3.5/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/4.3.4/4430_grsec-remove-localversion-grsec.patch b/4.3.5/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/4.3.4/4430_grsec-remove-localversion-grsec.patch
+++ b/4.3.5/4430_grsec-remove-localversion-grsec.patch
diff --git a/4.3.4/4435_grsec-mute-warnings.patch b/4.3.5/4435_grsec-mute-warnings.patch
index b7564e4..b7564e4 100644
--- a/4.3.4/4435_grsec-mute-warnings.patch
+++ b/4.3.5/4435_grsec-mute-warnings.patch
diff --git a/4.3.4/4440_grsec-remove-protected-paths.patch b/4.3.5/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/4.3.4/4440_grsec-remove-protected-paths.patch
+++ b/4.3.5/4440_grsec-remove-protected-paths.patch
diff --git a/4.3.4/4450_grsec-kconfig-default-gids.patch b/4.3.5/4450_grsec-kconfig-default-gids.patch
index c56ca90..c56ca90 100644
--- a/4.3.4/4450_grsec-kconfig-default-gids.patch
+++ b/4.3.5/4450_grsec-kconfig-default-gids.patch
diff --git a/4.3.4/4465_selinux-avc_audit-log-curr_ip.patch b/4.3.5/4465_selinux-avc_audit-log-curr_ip.patch
index d2e466f..d2e466f 100644
--- a/4.3.4/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/4.3.5/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/4.3.4/4470_disable-compat_vdso.patch b/4.3.5/4470_disable-compat_vdso.patch
index 8fd85dc..8fd85dc 100644
--- a/4.3.4/4470_disable-compat_vdso.patch
+++ b/4.3.5/4470_disable-compat_vdso.patch
diff --git a/4.3.4/4475_emutramp_default_on.patch b/4.3.5/4475_emutramp_default_on.patch
index afd6019..afd6019 100644
--- a/4.3.4/4475_emutramp_default_on.patch
+++ b/4.3.5/4475_emutramp_default_on.patch