summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303221823.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch)565
-rw-r--r--3.2.40/0000_README2
-rw-r--r--3.2.40/4420_grsecurity-2.9.1-3.2.40-201303221825.patch (renamed from 3.2.40/4420_grsecurity-2.9.1-3.2.40-201303142234.patch)852
-rw-r--r--3.8.3/1001_linux-3.8.2.patch3093
-rw-r--r--3.8.3/1002_linux-3.8.3.patch4814
-rw-r--r--3.8.4/0000_README (renamed from 3.8.3/0000_README)10
-rw-r--r--3.8.4/1003_linux-3.8.4.patch2902
-rw-r--r--3.8.4/4420_grsecurity-2.9.1-3.8.4-201303221826.patch (renamed from 3.8.3/4420_grsecurity-2.9.1-3.8.3-201303142235.patch)11692
-rw-r--r--3.8.4/4425_grsec_remove_EI_PAX.patch (renamed from 3.8.3/4425_grsec_remove_EI_PAX.patch)0
-rw-r--r--3.8.4/4430_grsec-remove-localversion-grsec.patch (renamed from 3.8.3/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--3.8.4/4435_grsec-mute-warnings.patch (renamed from 3.8.3/4435_grsec-mute-warnings.patch)0
-rw-r--r--3.8.4/4440_grsec-remove-protected-paths.patch (renamed from 3.8.3/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--3.8.4/4450_grsec-kconfig-default-gids.patch (renamed from 3.8.3/4450_grsec-kconfig-default-gids.patch)0
-rw-r--r--3.8.4/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.8.3/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--3.8.4/4470_disable-compat_vdso.patch (renamed from 3.8.3/4470_disable-compat_vdso.patch)0
15 files changed, 11173 insertions, 12757 deletions
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303221823.patch
index 966075e..27cb164 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303221823.patch
@@ -265,7 +265,7 @@ index 334258c..1e8f4ff 100644
M: Liam Girdwood <lrg@slimlogic.co.uk>
M: Mark Brown <broonie@opensource.wolfsonmicro.com>
diff --git a/Makefile b/Makefile
-index b0e245e..1c8b6ed 100644
+index b0e245e..e2589d0 100644
--- a/Makefile
+++ b/Makefile
@@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -358,7 +358,7 @@ index b0e245e..1c8b6ed 100644
+else
+ $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least"
+endif
-+ $(Q)echo "PAX_MEMORY_STACKLEAK and constification will be less secure"
++ $(Q)echo "PAX_MEMORY_STACKLEAK, constification, PAX_LATENT_ENTROPY and other features will be less secure. PAX_SIZE_OVERFLOW will not be active."
+endif
+endif
+
@@ -2753,6 +2753,18 @@ index 285aae8..61dbab6 100644
.alloc_coherent = ia64_swiotlb_alloc_coherent,
.free_coherent = swiotlb_free_coherent,
.map_page = swiotlb_map_page,
+diff --git a/arch/ia64/kernel/perfmon.c b/arch/ia64/kernel/perfmon.c
+index f178270..2dcff27 100644
+--- a/arch/ia64/kernel/perfmon.c
++++ b/arch/ia64/kernel/perfmon.c
+@@ -2372,7 +2372,6 @@ pfm_smpl_buffer_alloc(struct task_struct *task, struct file *filp, pfm_context_t
+ */
+ insert_vm_struct(mm, vma);
+
+- mm->total_vm += size >> PAGE_SHIFT;
+ vm_stat_account(vma->vm_mm, vma->vm_flags, vma->vm_file,
+ vma_pages(vma));
+ up_write(&task->mm->mmap_sem);
diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c
index 609d500..acd0429 100644
--- a/arch/ia64/kernel/sys_ia64.c
@@ -24038,7 +24050,7 @@ index e6d925f..6bde4d6 100644
.disabled_by_bios = vmx_disabled_by_bios,
.hardware_setup = hardware_setup,
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 271fddf..ea708b4 100644
+index 271fddf..fe56f44 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -82,7 +82,7 @@ static void update_cr8_intercept(struct kvm_vcpu *vcpu);
@@ -24050,7 +24062,19 @@ index 271fddf..ea708b4 100644
EXPORT_SYMBOL_GPL(kvm_x86_ops);
int ignore_msrs = 0;
-@@ -1430,15 +1430,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu,
+@@ -925,6 +925,11 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data)
+ /* ...but clean it before doing the actual write */
+ vcpu->arch.time_offset = data & ~(PAGE_MASK | 1);
+
++ /* Check that the address is 32-byte aligned. */
++ if (vcpu->arch.time_offset &
++ (sizeof(struct pvclock_vcpu_time_info) - 1))
++ break;
++
+ vcpu->arch.time_page =
+ gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);
+
+@@ -1430,15 +1435,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu,
struct kvm_cpuid2 *cpuid,
struct kvm_cpuid_entry2 __user *entries)
{
@@ -24074,7 +24098,7 @@ index 271fddf..ea708b4 100644
vcpu->arch.cpuid_nent = cpuid->nent;
kvm_apic_set_version(vcpu);
return 0;
-@@ -1451,16 +1456,20 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
+@@ -1451,16 +1461,20 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
struct kvm_cpuid2 *cpuid,
struct kvm_cpuid_entry2 __user *entries)
{
@@ -24098,7 +24122,7 @@ index 271fddf..ea708b4 100644
return 0;
out:
-@@ -1678,7 +1687,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu,
+@@ -1678,7 +1692,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu,
static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
struct kvm_interrupt *irq)
{
@@ -24107,7 +24131,7 @@ index 271fddf..ea708b4 100644
return -EINVAL;
if (irqchip_in_kernel(vcpu->kvm))
return -ENXIO;
-@@ -3300,10 +3309,10 @@ static struct notifier_block kvmclock_cpufreq_notifier_block = {
+@@ -3300,10 +3314,10 @@ static struct notifier_block kvmclock_cpufreq_notifier_block = {
.notifier_call = kvmclock_cpufreq_notifier
};
@@ -48725,24 +48749,34 @@ index 032ebae..6a3532c 100644
q.int_ops = &sg_ops;
diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
-index b6992b7..9fa7547 100644
+index b6992b7..ff830bd 100644
--- a/drivers/message/fusion/mptbase.c
+++ b/drivers/message/fusion/mptbase.c
-@@ -6709,8 +6709,14 @@ procmpt_iocinfo_read(char *buf, char **start, off_t offset, int request, int *eo
- len += sprintf(buf+len, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
+@@ -6710,7 +6710,12 @@ procmpt_iocinfo_read(char *buf, char **start, off_t offset, int request, int *eo
len += sprintf(buf+len, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
+ len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
+#ifdef CONFIG_GRKERNSEC_HIDESYM
-+ len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
+ NULL, NULL);
+#else
- len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
(void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
+#endif
+
/*
* Rounding UP to nearest 4-kB boundary here...
*/
+@@ -6723,7 +6728,11 @@ procmpt_iocinfo_read(char *buf, char **start, off_t offset, int request, int *eo
+ ioc->facts.GlobalCredits);
+
+ len += sprintf(buf+len, " Frames @ 0x%p (Dma @ 0x%p)\n",
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ NULL, NULL);
++#else
+ (void *)ioc->alloc, (void *)(ulong)ioc->alloc_dma);
++#endif
+ sz = (ioc->reply_sz * ioc->reply_depth) + 128;
+ len += sprintf(buf+len, " {CurRepSz=%d} x {CurRepDepth=%d} = %d bytes ^= 0x%x\n",
+ ioc->reply_sz, ioc->reply_depth, ioc->reply_sz*ioc->reply_depth, sz);
diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c
index 83873e3..e360e9a 100644
--- a/drivers/message/fusion/mptsas.c
@@ -75307,7 +75341,7 @@ index 0133b5a..3710d09 100644
(unsigned long) create_aout_tables((char __user *) bprm->p, bprm);
#ifdef __alpha__
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index a64fde6..621e25d 100644
+index a64fde6..f7af3a5e 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -31,6 +31,7 @@
@@ -75929,7 +75963,7 @@ index a64fde6..621e25d 100644
/* set_brk can never work. Avoid overflows. */
send_sig(SIGKILL, current, 0);
retval = -EINVAL;
-@@ -877,17 +1300,43 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -877,17 +1300,44 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
goto out_free_dentry;
}
if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
@@ -75945,19 +75979,20 @@ index a64fde6..621e25d 100644
+#ifdef CONFIG_PAX_RANDMMAP
+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
-+ unsigned long start, size;
++ unsigned long start, size, flags, vm_flags;
+
+ start = ELF_PAGEALIGN(elf_brk);
+ size = PAGE_SIZE + ((pax_get_random_long() & ((1UL << 22) - 1UL)) << 4);
++ flags = MAP_FIXED | MAP_PRIVATE;
++ vm_flags = VM_DONTEXPAND | VM_RESERVED;
++
+ down_write(&current->mm->mmap_sem);
++ start = get_unmapped_area(NULL, start, PAGE_ALIGN(size), 0, flags);
+ retval = -ENOMEM;
-+ if (!find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) {
-+ unsigned long prot = PROT_NONE;
-+
-+ current->mm->brk_gap = PAGE_ALIGN(size) >> PAGE_SHIFT;
++ if (!IS_ERR_VALUE(start) && !find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) {
+// if (current->personality & ADDR_NO_RANDOMIZE)
+// prot = PROT_READ;
-+ start = do_mmap(NULL, start, size, prot, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0);
++ start = mmap_region(NULL, start, PAGE_ALIGN(size), flags, vm_flags, 0);
+ retval = IS_ERR_VALUE(start) ? start : 0;
+ }
+ up_write(&current->mm->mmap_sem);
@@ -75979,7 +76014,7 @@ index a64fde6..621e25d 100644
load_bias);
if (!IS_ERR((void *)elf_entry)) {
/*
-@@ -1112,8 +1561,10 @@ static int dump_seek(struct file *file, loff_t off)
+@@ -1112,8 +1562,10 @@ static int dump_seek(struct file *file, loff_t off)
unsigned long n = off;
if (n > PAGE_SIZE)
n = PAGE_SIZE;
@@ -75991,7 +76026,7 @@ index a64fde6..621e25d 100644
off -= n;
}
free_page((unsigned long)buf);
-@@ -1125,7 +1576,7 @@ static int dump_seek(struct file *file, loff_t off)
+@@ -1125,7 +1577,7 @@ static int dump_seek(struct file *file, loff_t off)
* Decide what to dump of a segment, part, all or none.
*/
static unsigned long vma_dump_size(struct vm_area_struct *vma,
@@ -76000,7 +76035,7 @@ index a64fde6..621e25d 100644
{
#define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
-@@ -1159,7 +1610,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
+@@ -1159,7 +1611,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
if (vma->vm_file == NULL)
return 0;
@@ -76009,7 +76044,7 @@ index a64fde6..621e25d 100644
goto whole;
/*
-@@ -1255,8 +1706,11 @@ static int writenote(struct memelfnote *men, struct file *file,
+@@ -1255,8 +1707,11 @@ static int writenote(struct memelfnote *men, struct file *file,
#undef DUMP_WRITE
#define DUMP_WRITE(addr, nr) \
@@ -76022,7 +76057,7 @@ index a64fde6..621e25d 100644
static void fill_elf_header(struct elfhdr *elf, int segs,
u16 machine, u32 flags, u8 osabi)
-@@ -1385,9 +1839,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
+@@ -1385,9 +1840,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
{
elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
int i = 0;
@@ -76034,7 +76069,7 @@ index a64fde6..621e25d 100644
fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
}
-@@ -1973,7 +2427,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un
+@@ -1973,7 +2428,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un
phdr.p_offset = offset;
phdr.p_vaddr = vma->vm_start;
phdr.p_paddr = 0;
@@ -76043,7 +76078,7 @@ index a64fde6..621e25d 100644
phdr.p_memsz = vma->vm_end - vma->vm_start;
offset += phdr.p_filesz;
phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
-@@ -2006,7 +2460,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un
+@@ -2006,7 +2461,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un
unsigned long addr;
unsigned long end;
@@ -76052,7 +76087,7 @@ index a64fde6..621e25d 100644
for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
struct page *page;
-@@ -2015,6 +2469,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un
+@@ -2015,6 +2470,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un
page = get_dump_page(addr);
if (page) {
void *kaddr = kmap(page);
@@ -76060,7 +76095,7 @@ index a64fde6..621e25d 100644
stop = ((size += PAGE_SIZE) > limit) ||
!dump_write(file, kaddr, PAGE_SIZE);
kunmap(page);
-@@ -2042,6 +2497,97 @@ out:
+@@ -2042,6 +2498,97 @@ out:
#endif /* USE_ELF_CORE_DUMP */
@@ -77139,7 +77174,7 @@ index a5bf577..6d19845 100644
return hit;
}
diff --git a/fs/compat.c b/fs/compat.c
-index 46b93d1..84978fe 100644
+index 46b93d1..191dbaa 100644
--- a/fs/compat.c
+++ b/fs/compat.c
@@ -133,8 +133,8 @@ asmlinkage long compat_sys_utimes(char __user *filename, struct compat_timeval _
@@ -77260,7 +77295,17 @@ index 46b93d1..84978fe 100644
goto out;
if (!file->f_op)
goto out;
-@@ -1469,11 +1487,35 @@ int compat_do_execve(char * filename,
+@@ -1460,6 +1478,9 @@ out:
+ return ret;
+ }
+
++extern void gr_handle_exec_args_compat(struct linux_binprm *bprm,
++ compat_uptr_t __user *argv);
++
+ /*
+ * compat_do_execve() is mostly a copy of do_execve(), with the exception
+ * that it processes 32 bit argv and envp pointers.
+@@ -1469,11 +1490,35 @@ int compat_do_execve(char * filename,
compat_uptr_t __user *envp,
struct pt_regs * regs)
{
@@ -77296,7 +77341,7 @@ index 46b93d1..84978fe 100644
retval = unshare_files(&displaced);
if (retval)
-@@ -1499,12 +1541,26 @@ int compat_do_execve(char * filename,
+@@ -1499,12 +1544,26 @@ int compat_do_execve(char * filename,
if (IS_ERR(file))
goto out_unmark;
@@ -77323,7 +77368,7 @@ index 46b93d1..84978fe 100644
retval = bprm_mm_init(bprm);
if (retval)
goto out_file;
-@@ -1521,24 +1577,63 @@ int compat_do_execve(char * filename,
+@@ -1521,24 +1580,63 @@ int compat_do_execve(char * filename,
if (retval < 0)
goto out;
@@ -77391,7 +77436,7 @@ index 46b93d1..84978fe 100644
current->fs->in_exec = 0;
current->in_execve = 0;
acct_update_integrals(current);
-@@ -1547,6 +1642,14 @@ int compat_do_execve(char * filename,
+@@ -1547,6 +1645,14 @@ int compat_do_execve(char * filename,
put_files_struct(displaced);
return retval;
@@ -77406,7 +77451,7 @@ index 46b93d1..84978fe 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1717,6 +1820,8 @@ int compat_core_sys_select(int n, compat_ulong_t __user *inp,
+@@ -1717,6 +1823,8 @@ int compat_core_sys_select(int n, compat_ulong_t __user *inp,
struct fdtable *fdt;
long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
@@ -77415,7 +77460,7 @@ index 46b93d1..84978fe 100644
if (n < 0)
goto out_nofds;
-@@ -2157,7 +2262,7 @@ asmlinkage long compat_sys_nfsservctl(int cmd,
+@@ -2157,7 +2265,7 @@ asmlinkage long compat_sys_nfsservctl(int cmd,
oldfs = get_fs();
set_fs(KERNEL_DS);
/* The __user pointer casts are valid because of the set_fs() */
@@ -77702,7 +77747,7 @@ index ff57421..f65f88a 100644
out_free_fd:
diff --git a/fs/exec.c b/fs/exec.c
-index 86fafc6..0f75c42 100644
+index 86fafc6..a435ef7 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -56,12 +56,34 @@
@@ -77909,7 +77954,7 @@ index 86fafc6..0f75c42 100644
#endif
ret = expand_stack(vma, stack_base);
+
-+#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_ASLR)
++#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_RANDMMAP)
+ if (!ret && (mm->pax_flags & MF_PAX_RANDMMAP) && STACK_TOP <= 0xFFFFFFFFU && STACK_TOP > vma->vm_end) {
+ unsigned long size, flags, vm_flags;
+
@@ -77922,7 +77967,7 @@ index 86fafc6..0f75c42 100644
+#ifdef CONFIG_X86
+ if (!ret) {
+ size = mmap_min_addr + ((mm->delta_mmap ^ mm->delta_stack) & (0xFFUL << PAGE_SHIFT));
-+ ret = 0 != mmap_region(NULL, 0, size, flags, vm_flags, 0);
++ ret = 0 != mmap_region(NULL, 0, PAGE_ALIGN(size), flags, vm_flags, 0);
+ }
+#endif
+
@@ -80998,7 +81043,7 @@ index fde92d1..6256b88 100644
lock_kernel();
diff --git a/fs/namei.c b/fs/namei.c
-index b0afbd4..2b96439 100644
+index b0afbd4..a4dd3a0 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -224,6 +224,14 @@ int generic_permission(struct inode *inode, int mask,
@@ -81098,7 +81143,7 @@ index b0afbd4..2b96439 100644
path_put(&nd->path);
return_err:
return err;
-@@ -1091,13 +1112,20 @@ static int do_path_lookup(int dfd, const char *name,
+@@ -1091,13 +1112,22 @@ static int do_path_lookup(int dfd, const char *name,
int retval = path_init(dfd, name, flags, nd);
if (!retval)
retval = path_walk(name, nd);
@@ -81108,10 +81153,12 @@ index b0afbd4..2b96439 100644
+
+ if (likely(!retval)) {
+ if (nd->path.dentry && nd->path.dentry->d_inode) {
-+ if (*name != '/' && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
-+ retval = -ENOENT;
+ if (!audit_dummy_context())
+ audit_inode(name, nd->path.dentry);
++ if (*name != '/' && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt)) {
++ path_put(&nd->path);
++ retval = -ENOENT;
++ }
+ }
+ }
if (nd->root.mnt) {
@@ -81122,7 +81169,7 @@ index b0afbd4..2b96439 100644
return retval;
}
-@@ -1251,6 +1279,11 @@ static int __lookup_one_len(const char *name, struct qstr *this,
+@@ -1251,6 +1281,11 @@ static int __lookup_one_len(const char *name, struct qstr *this,
if (!len)
return -EACCES;
@@ -81134,7 +81181,7 @@ index b0afbd4..2b96439 100644
hash = init_name_hash();
while (len--) {
c = *(const unsigned char *)name++;
-@@ -1576,6 +1609,20 @@ int may_open(struct path *path, int acc_mode, int flag)
+@@ -1576,6 +1611,20 @@ int may_open(struct path *path, int acc_mode, int flag)
if (error)
goto err_out;
@@ -81155,7 +81202,7 @@ index b0afbd4..2b96439 100644
if (flag & O_TRUNC) {
error = get_write_access(inode);
if (error)
-@@ -1620,6 +1667,17 @@ static int __open_namei_create(struct nameidata *nd, struct path *path,
+@@ -1620,6 +1669,17 @@ static int __open_namei_create(struct nameidata *nd, struct path *path,
{
int error;
struct dentry *dir = nd->path.dentry;
@@ -81173,7 +81220,7 @@ index b0afbd4..2b96439 100644
if (!IS_POSIXACL(dir->d_inode))
mode &= ~current_umask();
-@@ -1627,6 +1685,8 @@ static int __open_namei_create(struct nameidata *nd, struct path *path,
+@@ -1627,6 +1687,8 @@ static int __open_namei_create(struct nameidata *nd, struct path *path,
if (error)
goto out_unlock;
error = vfs_create(dir->d_inode, path->dentry, mode, nd);
@@ -81182,7 +81229,7 @@ index b0afbd4..2b96439 100644
out_unlock:
mutex_unlock(&dir->d_inode->i_mutex);
dput(nd->path.dentry);
-@@ -1684,6 +1744,7 @@ struct file *do_filp_open(int dfd, const char *pathname,
+@@ -1684,6 +1746,7 @@ struct file *do_filp_open(int dfd, const char *pathname,
struct nameidata nd;
int error;
struct path path;
@@ -81190,7 +81237,7 @@ index b0afbd4..2b96439 100644
struct dentry *dir;
int count = 0;
int will_write;
-@@ -1709,6 +1770,22 @@ struct file *do_filp_open(int dfd, const char *pathname,
+@@ -1709,6 +1772,22 @@ struct file *do_filp_open(int dfd, const char *pathname,
&nd, flag);
if (error)
return ERR_PTR(error);
@@ -81213,7 +81260,7 @@ index b0afbd4..2b96439 100644
goto ok;
}
-@@ -1795,6 +1872,19 @@ do_last:
+@@ -1795,6 +1874,19 @@ do_last:
/*
* It already exists.
*/
@@ -81233,7 +81280,7 @@ index b0afbd4..2b96439 100644
mutex_unlock(&dir->d_inode->i_mutex);
audit_inode(pathname, path.dentry);
-@@ -1887,6 +1977,14 @@ do_link:
+@@ -1887,6 +1979,14 @@ do_link:
error = security_inode_follow_link(path.dentry, &nd);
if (error)
goto exit_dput;
@@ -81248,7 +81295,7 @@ index b0afbd4..2b96439 100644
error = __do_follow_link(&path, &nd);
if (error) {
/* Does someone understand code flow here? Or it is only
-@@ -1915,9 +2013,24 @@ do_link:
+@@ -1915,9 +2015,24 @@ do_link:
}
dir = nd.path.dentry;
mutex_lock(&dir->d_inode->i_mutex);
@@ -81273,7 +81320,7 @@ index b0afbd4..2b96439 100644
goto do_last;
}
-@@ -1984,6 +2097,10 @@ struct dentry *lookup_create(struct nameidata *nd, int is_dir)
+@@ -1984,6 +2099,10 @@ struct dentry *lookup_create(struct nameidata *nd, int is_dir)
}
return dentry;
eexist:
@@ -81284,7 +81331,7 @@ index b0afbd4..2b96439 100644
dput(dentry);
dentry = ERR_PTR(-EEXIST);
fail:
-@@ -2061,6 +2178,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
+@@ -2061,6 +2180,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
error = may_mknod(mode);
if (error)
goto out_dput;
@@ -81302,7 +81349,7 @@ index b0afbd4..2b96439 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2081,6 +2209,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
+@@ -2081,6 +2211,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
}
out_drop_write:
mnt_drop_write(nd.path.mnt);
@@ -81312,7 +81359,7 @@ index b0afbd4..2b96439 100644
out_dput:
dput(dentry);
out_unlock:
-@@ -2134,6 +2265,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
+@@ -2134,6 +2267,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
if (IS_ERR(dentry))
goto out_unlock;
@@ -81324,7 +81371,7 @@ index b0afbd4..2b96439 100644
if (!IS_POSIXACL(nd.path.dentry->d_inode))
mode &= ~current_umask();
error = mnt_want_write(nd.path.mnt);
-@@ -2145,6 +2281,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
+@@ -2145,6 +2283,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
out_drop_write:
mnt_drop_write(nd.path.mnt);
@@ -81335,7 +81382,7 @@ index b0afbd4..2b96439 100644
out_dput:
dput(dentry);
out_unlock:
-@@ -2226,6 +2366,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2226,6 +2368,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
char * name;
struct dentry *dentry;
struct nameidata nd;
@@ -81344,7 +81391,7 @@ index b0afbd4..2b96439 100644
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2250,6 +2392,17 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2250,6 +2394,17 @@ static long do_rmdir(int dfd, const char __user *pathname)
error = PTR_ERR(dentry);
if (IS_ERR(dentry))
goto exit2;
@@ -81362,7 +81409,7 @@ index b0afbd4..2b96439 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit3;
-@@ -2257,6 +2410,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2257,6 +2412,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
if (error)
goto exit4;
error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
@@ -81371,7 +81418,7 @@ index b0afbd4..2b96439 100644
exit4:
mnt_drop_write(nd.path.mnt);
exit3:
-@@ -2318,6 +2473,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2318,6 +2475,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
struct dentry *dentry;
struct nameidata nd;
struct inode *inode = NULL;
@@ -81380,7 +81427,7 @@ index b0afbd4..2b96439 100644
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2337,8 +2494,19 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2337,8 +2496,19 @@ static long do_unlinkat(int dfd, const char __user *pathname)
if (nd.last.name[nd.last.len])
goto slashes;
inode = dentry->d_inode;
@@ -81401,7 +81448,7 @@ index b0afbd4..2b96439 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit2;
-@@ -2346,6 +2514,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2346,6 +2516,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
if (error)
goto exit3;
error = vfs_unlink(nd.path.dentry->d_inode, dentry);
@@ -81410,7 +81457,7 @@ index b0afbd4..2b96439 100644
exit3:
mnt_drop_write(nd.path.mnt);
exit2:
-@@ -2424,6 +2594,11 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
+@@ -2424,6 +2596,11 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
if (IS_ERR(dentry))
goto out_unlock;
@@ -81422,7 +81469,7 @@ index b0afbd4..2b96439 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2431,6 +2606,8 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
+@@ -2431,6 +2608,8 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
if (error)
goto out_drop_write;
error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
@@ -81431,7 +81478,7 @@ index b0afbd4..2b96439 100644
out_drop_write:
mnt_drop_write(nd.path.mnt);
out_dput:
-@@ -2524,6 +2701,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -2524,6 +2703,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
goto out_unlock;
@@ -81452,7 +81499,7 @@ index b0afbd4..2b96439 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2531,6 +2722,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -2531,6 +2724,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
if (error)
goto out_drop_write;
error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
@@ -81461,7 +81508,7 @@ index b0afbd4..2b96439 100644
out_drop_write:
mnt_drop_write(nd.path.mnt);
out_dput:
-@@ -2708,6 +2901,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -2708,6 +2903,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
char *to;
int error;
@@ -81470,7 +81517,7 @@ index b0afbd4..2b96439 100644
error = user_path_parent(olddfd, oldname, &oldnd, &from);
if (error)
goto exit;
-@@ -2764,6 +2959,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -2764,6 +2961,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
if (new_dentry == trap)
goto exit5;
@@ -81483,7 +81530,7 @@ index b0afbd4..2b96439 100644
error = mnt_want_write(oldnd.path.mnt);
if (error)
goto exit5;
-@@ -2773,6 +2974,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -2773,6 +2976,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
goto exit6;
error = vfs_rename(old_dir->d_inode, old_dentry,
new_dir->d_inode, new_dentry);
@@ -81493,7 +81540,7 @@ index b0afbd4..2b96439 100644
exit6:
mnt_drop_write(oldnd.path.mnt);
exit5:
-@@ -2798,6 +3002,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -2798,6 +3004,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
{
@@ -81502,7 +81549,7 @@ index b0afbd4..2b96439 100644
int len;
len = PTR_ERR(link);
-@@ -2807,7 +3013,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+@@ -2807,7 +3015,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
len = strlen(link);
if (len > (unsigned) buflen)
len = buflen;
@@ -86042,10 +86089,10 @@ index 0000000..1b9afa9
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..5aba5a8
+index 0000000..1edd4b5
--- /dev/null
+++ b/grsecurity/gracl.c
-@@ -0,0 +1,4197 @@
+@@ -0,0 +1,4201 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -86071,6 +86118,7 @@ index 0000000..5aba5a8
+#include <linux/stop_machine.h>
+#include <linux/fdtable.h>
+#include <linux/percpu.h>
++#include <linux/posix-timers.h>
+
+#include <asm/uaccess.h>
+#include <asm/errno.h>
@@ -88348,6 +88396,9 @@ index 0000000..5aba5a8
+
+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
++
++ if (i == RLIMIT_CPU)
++ update_rlimit_cpu(task, proc->res[i].rlim_cur);
+ }
+
+ return;
@@ -96556,6 +96607,19 @@ index 78e9047..ff39f6b 100644
/* handle uniform packets for scsi type devices (scsi,atapi) */
int (*generic_packet) (struct cdrom_device_info *,
struct packet_command *);
+diff --git a/include/linux/compat.h b/include/linux/compat.h
+index 510266f..9d64053 100644
+--- a/include/linux/compat.h
++++ b/include/linux/compat.h
+@@ -271,7 +271,7 @@ extern int compat_ptrace_request(struct task_struct *child,
+ extern long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
+ compat_ulong_t addr, compat_ulong_t data);
+ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
+- compat_long_t addr, compat_long_t data);
++ compat_ulong_t addr, compat_ulong_t data);
+
+ /*
+ * epoll (fs/eventpoll.c) compat bits follow ...
diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h
index 450fa59..16b904d 100644
--- a/include/linux/compiler-gcc4.h
@@ -98104,17 +98168,16 @@ index 0000000..18863d1
+#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..6e2f8bc
+index 0000000..9ced8a0
--- /dev/null
+++ b/include/linux/grsecurity.h
-@@ -0,0 +1,226 @@
+@@ -0,0 +1,222 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
+#include <linux/fs_struct.h>
+#include <linux/binfmts.h>
+#include <linux/gracl.h>
-+#include <linux/compat.h>
+
+/* notify of brain-dead configs */
+#if defined(CONFIG_GRKERNSEC_PROC_USER) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
@@ -98184,9 +98247,6 @@ index 0000000..6e2f8bc
+void gr_log_chroot_exec(const struct dentry *dentry,
+ const struct vfsmount *mnt);
+void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
-+#ifdef CONFIG_COMPAT
-+void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
-+#endif
+void gr_log_remount(const char *devname, const int retval);
+void gr_log_unmount(const char *devname, const int retval);
+void gr_log_mount(const char *from, const char *to, const int retval);
@@ -98900,7 +98960,7 @@ index 3797270..7765ede 100644
struct mca_bus {
u64 default_dma_mask;
diff --git a/include/linux/mm.h b/include/linux/mm.h
-index 11e5be6..8ff8c91 100644
+index 11e5be6..8a2af3a 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -106,7 +106,14 @@ extern unsigned int kobjsize(const void *objp);
@@ -99023,7 +99083,19 @@ index 11e5be6..8ff8c91 100644
struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
unsigned long pfn, unsigned long size, pgprot_t);
-@@ -1332,7 +1365,13 @@ extern void memory_failure(unsigned long pfn, int trapno);
+@@ -1263,6 +1296,11 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long);
+ static inline void vm_stat_account(struct mm_struct *mm,
+ unsigned long flags, struct file *file, long pages)
+ {
++#ifdef CONFIG_PAX_RANDMMAP
++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
++#endif
++
++ mm->total_vm += pages;
+ }
+ #endif /* CONFIG_PROC_FS */
+
+@@ -1332,7 +1370,13 @@ extern void memory_failure(unsigned long pfn, int trapno);
extern int __memory_failure(unsigned long pfn, int trapno, int ref);
extern int sysctl_memory_failure_early_kill;
extern int sysctl_memory_failure_recovery;
@@ -99039,7 +99111,7 @@ index 11e5be6..8ff8c91 100644
#endif /* __KERNEL__ */
#endif /* _LINUX_MM_H */
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
-index 9d12ed5..9d9dab3 100644
+index 9d12ed5..6d9707a 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -186,6 +186,8 @@ struct vm_area_struct {
@@ -99051,15 +99123,6 @@ index 9d12ed5..9d9dab3 100644
};
struct core_thread {
-@@ -235,7 +237,7 @@ struct mm_struct {
- unsigned long total_vm, locked_vm, shared_vm, exec_vm;
- unsigned long stack_vm, reserved_vm, def_flags, nr_ptes;
- unsigned long start_code, end_code, start_data, end_data;
-- unsigned long start_brk, brk, start_stack;
-+ unsigned long brk_gap, start_brk, brk, start_stack;
- unsigned long arg_start, arg_end, env_start, env_end;
-
- unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */
@@ -287,6 +289,24 @@ struct mm_struct {
#ifdef CONFIG_MMU_NOTIFIER
struct mmu_notifier_mm *mmu_notifier_mm;
@@ -99614,7 +99677,7 @@ index 34066ff..e95d744 100644
/********** include/linux/timer.h **********/
/*
diff --git a/include/linux/posix-timers.h b/include/linux/posix-timers.h
-index 4f71bf4..cd2f68e 100644
+index 4f71bf4..724d413 100644
--- a/include/linux/posix-timers.h
+++ b/include/linux/posix-timers.h
@@ -82,7 +82,8 @@ struct k_clock {
@@ -99627,6 +99690,14 @@ index 4f71bf4..cd2f68e 100644
void register_posix_clock(const clockid_t clock_id, struct k_clock *new_clock);
+@@ -117,6 +118,6 @@ void set_process_cpu_timer(struct task_struct *task, unsigned int clock_idx,
+
+ long clock_nanosleep_restart(struct restart_block *restart_block);
+
+-void update_rlimit_cpu(unsigned long rlim_new);
++void update_rlimit_cpu(struct task_struct *task, unsigned long rlim_new);
+
+ #endif
diff --git a/include/linux/prefetch.h b/include/linux/prefetch.h
index af7c36a..a93005c 100644
--- a/include/linux/prefetch.h
@@ -103473,7 +103544,7 @@ index a2a1659..df8479c 100644
get_task_struct(p);
read_unlock(&tasklist_lock);
diff --git a/kernel/fork.c b/kernel/fork.c
-index c28f804..3a04506 100644
+index c28f804..4f038a3 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -240,21 +240,26 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
@@ -103522,7 +103593,16 @@ index c28f804..3a04506 100644
mm->map_count = 0;
cpumask_clear(mm_cpumask(mm));
mm->mm_rb = RB_ROOT;
-@@ -319,7 +324,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+@@ -311,15 +316,13 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+ struct file *file;
+
+ if (mpnt->vm_flags & VM_DONTCOPY) {
+- long pages = vma_pages(mpnt);
+- mm->total_vm -= pages;
+ vm_stat_account(mm, mpnt->vm_flags, mpnt->vm_file,
+- -pages);
++ -vma_pages(mpnt));
+ continue;
}
charge = 0;
if (mpnt->vm_flags & VM_ACCOUNT) {
@@ -103531,7 +103611,7 @@ index c28f804..3a04506 100644
if (security_vm_enough_memory(len))
goto fail_nomem;
charge = len;
-@@ -336,6 +341,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+@@ -336,6 +339,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
tmp->vm_flags &= ~VM_LOCKED;
tmp->vm_mm = mm;
tmp->vm_next = tmp->vm_prev = NULL;
@@ -103539,7 +103619,7 @@ index c28f804..3a04506 100644
anon_vma_link(tmp);
file = tmp->vm_file;
if (file) {
-@@ -385,6 +391,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+@@ -385,6 +389,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
if (retval)
goto out;
}
@@ -103571,7 +103651,7 @@ index c28f804..3a04506 100644
/* a new mm has just been created */
arch_dup_mmap(oldmm, mm);
retval = 0;
-@@ -735,13 +766,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk)
+@@ -735,13 +764,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk)
write_unlock(&fs->lock);
return -EAGAIN;
}
@@ -103593,7 +103673,7 @@ index c28f804..3a04506 100644
return 0;
}
-@@ -913,6 +951,8 @@ static int copy_signal(unsigned long clone_flags, struct task_struct *tsk)
+@@ -913,6 +949,8 @@ static int copy_signal(unsigned long clone_flags, struct task_struct *tsk)
sig->oom_adj = current->signal->oom_adj;
@@ -103602,7 +103682,7 @@ index c28f804..3a04506 100644
return 0;
}
-@@ -1036,12 +1076,16 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+@@ -1036,12 +1074,16 @@ static struct task_struct *copy_process(unsigned long clone_flags,
DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
#endif
retval = -EAGAIN;
@@ -103621,7 +103701,7 @@ index c28f804..3a04506 100644
retval = copy_creds(p, clone_flags);
if (retval < 0)
-@@ -1263,6 +1307,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+@@ -1263,6 +1305,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
goto bad_fork_free_pid;
}
@@ -103633,7 +103713,7 @@ index c28f804..3a04506 100644
if (clone_flags & CLONE_THREAD) {
atomic_inc(&current->signal->count);
atomic_inc(&current->signal->live);
-@@ -1337,6 +1386,8 @@ bad_fork_cleanup_count:
+@@ -1337,6 +1384,8 @@ bad_fork_cleanup_count:
bad_fork_free:
free_task(p);
fork_out:
@@ -103642,7 +103722,7 @@ index c28f804..3a04506 100644
return ERR_PTR(retval);
}
-@@ -1430,6 +1481,8 @@ long do_fork(unsigned long clone_flags,
+@@ -1430,6 +1479,8 @@ long do_fork(unsigned long clone_flags,
if (clone_flags & CLONE_PARENT_SETTID)
put_user(nr, parent_tidptr);
@@ -103651,7 +103731,7 @@ index c28f804..3a04506 100644
if (clone_flags & CLONE_VFORK) {
p->vfork_done = &vfork;
init_completion(&vfork);
-@@ -1562,7 +1615,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
+@@ -1562,7 +1613,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
return 0;
/* don't need lock here; in the worst case we'll do useless copy */
@@ -103660,7 +103740,7 @@ index c28f804..3a04506 100644
return 0;
*new_fsp = copy_fs_struct(fs);
-@@ -1685,7 +1738,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
+@@ -1685,7 +1736,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
fs = current->fs;
write_lock(&fs->lock);
current->fs = new_fs;
@@ -105747,10 +105827,10 @@ index fce7198..4f23a7e 100644
{
struct pid *pid;
diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c
-index 5c9dc22..7652dca 100644
+index 5c9dc22..6971ae8 100644
--- a/kernel/posix-cpu-timers.c
+++ b/kernel/posix-cpu-timers.c
-@@ -6,9 +6,11 @@
+@@ -6,23 +6,25 @@
#include <linux/posix-timers.h>
#include <linux/errno.h>
#include <linux/math64.h>
@@ -105762,6 +105842,25 @@ index 5c9dc22..7652dca 100644
/*
* Called after updating RLIMIT_CPU to set timer expiration if necessary.
+ */
+-void update_rlimit_cpu(unsigned long rlim_new)
++void update_rlimit_cpu(struct task_struct *task, unsigned long rlim_new)
+ {
+ cputime_t cputime = secs_to_cputime(rlim_new);
+- struct signal_struct *const sig = current->signal;
++ struct signal_struct *const sig = task->signal;
+
+ if (cputime_eq(sig->it[CPUCLOCK_PROF].expires, cputime_zero) ||
+ cputime_gt(sig->it[CPUCLOCK_PROF].expires, cputime)) {
+- spin_lock_irq(&current->sighand->siglock);
+- set_process_cpu_timer(current, CPUCLOCK_PROF, &cputime, NULL);
+- spin_unlock_irq(&current->sighand->siglock);
++ spin_lock_irq(&task->sighand->siglock);
++ set_process_cpu_timer(task, CPUCLOCK_PROF, &cputime, NULL);
++ spin_unlock_irq(&task->sighand->siglock);
+ }
+ }
+
@@ -516,6 +518,8 @@ static void cleanup_timers(struct list_head *head,
*/
void posix_cpu_timers_exit(struct task_struct *tsk)
@@ -106232,7 +106331,7 @@ index dfadc5b..7f59404 100644
}
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
-index 05625f6..741869b 100644
+index 05625f6..123e351 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -56,7 +56,7 @@ static void ptrace_untrace(struct task_struct *child)
@@ -106529,6 +106628,15 @@ index 05625f6..741869b 100644
switch (request) {
case PTRACE_PEEKTEXT:
case PTRACE_PEEKDATA:
+@@ -720,7 +799,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
+ }
+
+ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
+- compat_long_t addr, compat_long_t data)
++ compat_ulong_t addr, compat_ulong_t data)
+ {
+ struct task_struct *child;
+ long ret;
@@ -740,20 +819,30 @@ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
goto out;
}
@@ -107282,7 +107390,7 @@ index 04a0252..4ee2bbb 100644
struct tasklet_struct *list;
diff --git a/kernel/sys.c b/kernel/sys.c
-index e9512b1..f07185f 100644
+index e9512b1..dec4030 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -133,6 +133,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error)
@@ -107444,6 +107552,15 @@ index e9512b1..f07185f 100644
if (gid != old_fsgid) {
new->fsgid = gid;
goto change_okay;
+@@ -1282,7 +1323,7 @@ SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim)
+ if (new_rlim.rlim_cur == RLIM_INFINITY)
+ goto out;
+
+- update_rlimit_cpu(new_rlim.rlim_cur);
++ update_rlimit_cpu(current, new_rlim.rlim_cur);
+ out:
+ return 0;
+ }
@@ -1454,7 +1495,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
error = get_dumpable(me->mm);
break;
@@ -110486,7 +110603,7 @@ index 2d846cf..8d5cdd8 100644
capable(CAP_IPC_LOCK))
ret = do_mlockall(flags);
diff --git a/mm/mmap.c b/mm/mmap.c
-index 4b80cbf..89f7b42 100644
+index 4b80cbf..abfd61a 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -29,6 +29,7 @@
@@ -110684,13 +110801,19 @@ index 4b80cbf..89f7b42 100644
return area;
}
-@@ -898,14 +979,11 @@ none:
+@@ -898,15 +979,22 @@ none:
void vm_stat_account(struct mm_struct *mm, unsigned long flags,
struct file *file, long pages)
{
- const unsigned long stack_flags
- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
--
++
++#ifdef CONFIG_PAX_RANDMMAP
++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
++#endif
++
++ mm->total_vm += pages;
+
if (file) {
mm->shared_vm += pages;
if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
@@ -110698,9 +110821,13 @@ index 4b80cbf..89f7b42 100644
- } else if (flags & stack_flags)
+ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
mm->stack_vm += pages;
++#ifdef CONFIG_PAX_RANDMMAP
++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
++#endif
if (flags & (VM_RESERVED|VM_IO))
mm->reserved_vm += pages;
-@@ -932,7 +1010,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+ }
+@@ -932,7 +1020,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
* (the exception is when the underlying filesystem is noexec
* mounted, in which case we dont add PROT_EXEC.)
*/
@@ -110709,7 +110836,7 @@ index 4b80cbf..89f7b42 100644
if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
prot |= PROT_EXEC;
-@@ -958,7 +1036,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -958,7 +1046,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
/* Obtain the address to map to. we verify (or select) it and ensure
* that it represents a valid section of the address space.
*/
@@ -110718,7 +110845,7 @@ index 4b80cbf..89f7b42 100644
if (addr & ~PAGE_MASK)
return addr;
-@@ -969,6 +1047,36 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -969,6 +1057,36 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
@@ -110755,7 +110882,7 @@ index 4b80cbf..89f7b42 100644
if (flags & MAP_LOCKED)
if (!can_do_mlock())
return -EPERM;
-@@ -980,6 +1088,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -980,6 +1098,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
locked += mm->locked_vm;
lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
lock_limit >>= PAGE_SHIFT;
@@ -110763,7 +110890,7 @@ index 4b80cbf..89f7b42 100644
if (locked > lock_limit && !capable(CAP_IPC_LOCK))
return -EAGAIN;
}
-@@ -1053,6 +1162,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -1053,6 +1172,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
if (error)
return error;
@@ -110773,7 +110900,7 @@ index 4b80cbf..89f7b42 100644
return mmap_region(file, addr, len, flags, vm_flags, pgoff);
}
EXPORT_SYMBOL(do_mmap_pgoff);
-@@ -1065,10 +1177,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
+@@ -1065,10 +1187,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
*/
int vma_wants_writenotify(struct vm_area_struct *vma)
{
@@ -110786,7 +110913,7 @@ index 4b80cbf..89f7b42 100644
return 0;
/* The backer wishes to know when pages are first written to? */
-@@ -1117,14 +1229,24 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
+@@ -1117,17 +1239,32 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
unsigned long charged = 0;
struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
@@ -110813,7 +110940,15 @@ index 4b80cbf..89f7b42 100644
}
/* Check against address space limit. */
-@@ -1173,6 +1295,16 @@ munmap_back:
++
++#ifdef CONFIG_PAX_RANDMMAP
++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (vm_flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
++#endif
++
+ if (!may_expand_vm(mm, len >> PAGE_SHIFT))
+ return -ENOMEM;
+
+@@ -1173,6 +1310,16 @@ munmap_back:
goto unacct_error;
}
@@ -110830,7 +110965,7 @@ index 4b80cbf..89f7b42 100644
vma->vm_mm = mm;
vma->vm_start = addr;
vma->vm_end = addr + len;
-@@ -1180,8 +1312,9 @@ munmap_back:
+@@ -1180,8 +1327,9 @@ munmap_back:
vma->vm_page_prot = vm_get_page_prot(vm_flags);
vma->vm_pgoff = pgoff;
@@ -110841,7 +110976,7 @@ index 4b80cbf..89f7b42 100644
if (vm_flags & (VM_GROWSDOWN|VM_GROWSUP))
goto free_vma;
if (vm_flags & VM_DENYWRITE) {
-@@ -1195,6 +1328,19 @@ munmap_back:
+@@ -1195,6 +1343,19 @@ munmap_back:
error = file->f_op->mmap(file, vma);
if (error)
goto unmap_and_free_vma;
@@ -110861,7 +110996,7 @@ index 4b80cbf..89f7b42 100644
if (vm_flags & VM_EXECUTABLE)
added_exe_file_vma(mm);
-@@ -1207,6 +1353,8 @@ munmap_back:
+@@ -1207,6 +1368,8 @@ munmap_back:
pgoff = vma->vm_pgoff;
vm_flags = vma->vm_flags;
} else if (vm_flags & VM_SHARED) {
@@ -110870,7 +111005,7 @@ index 4b80cbf..89f7b42 100644
error = shmem_zero_setup(vma);
if (error)
goto free_vma;
-@@ -1218,6 +1366,11 @@ munmap_back:
+@@ -1218,14 +1381,19 @@ munmap_back:
vma_link(mm, vma, prev, rb_link, rb_parent);
file = vma->vm_file;
@@ -110882,15 +111017,16 @@ index 4b80cbf..89f7b42 100644
/* Once vma denies write, undo our temporary denial count */
if (correct_wcount)
atomic_inc(&inode->i_writecount);
-@@ -1226,6 +1379,7 @@ out:
+ out:
+ perf_event_mmap(vma);
- mm->total_vm += len >> PAGE_SHIFT;
+- mm->total_vm += len >> PAGE_SHIFT;
vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
+ track_exec_limit(mm, addr, addr + len, vm_flags);
if (vm_flags & VM_LOCKED) {
/*
* makes pages present; downgrades, drops, reacquires mmap_sem
-@@ -1248,6 +1402,12 @@ unmap_and_free_vma:
+@@ -1248,6 +1416,12 @@ unmap_and_free_vma:
unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
charged = 0;
free_vma:
@@ -110903,7 +111039,7 @@ index 4b80cbf..89f7b42 100644
kmem_cache_free(vm_area_cachep, vma);
unacct_error:
if (charged)
-@@ -1255,6 +1415,62 @@ unacct_error:
+@@ -1255,6 +1429,62 @@ unacct_error:
return error;
}
@@ -110966,7 +111102,7 @@ index 4b80cbf..89f7b42 100644
/* Get an address range which is currently unmapped.
* For shmat() with addr=0.
*
-@@ -1274,6 +1490,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -1274,6 +1504,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
struct mm_struct *mm = current->mm;
struct vm_area_struct *vma;
unsigned long start_addr;
@@ -110974,7 +111110,7 @@ index 4b80cbf..89f7b42 100644
if (len > TASK_SIZE)
return -ENOMEM;
-@@ -1281,18 +1498,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -1281,18 +1512,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
if (flags & MAP_FIXED)
return addr;
@@ -111005,7 +111141,7 @@ index 4b80cbf..89f7b42 100644
}
full_search:
-@@ -1303,34 +1525,40 @@ full_search:
+@@ -1303,34 +1539,40 @@ full_search:
* Start a new search - just in case we missed
* some holes.
*/
@@ -111057,7 +111193,7 @@ index 4b80cbf..89f7b42 100644
mm->free_area_cache = addr;
mm->cached_hole_size = ~0UL;
}
-@@ -1348,7 +1576,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1348,7 +1590,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
{
struct vm_area_struct *vma;
struct mm_struct *mm = current->mm;
@@ -111067,7 +111203,7 @@ index 4b80cbf..89f7b42 100644
/* requested length too big for entire address space */
if (len > TASK_SIZE)
-@@ -1357,13 +1586,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1357,13 +1600,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
if (flags & MAP_FIXED)
return addr;
@@ -111090,7 +111226,7 @@ index 4b80cbf..89f7b42 100644
}
/* check if free_area_cache is useful for us */
-@@ -1378,7 +1612,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1378,7 +1626,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
/* make sure it can fit in the remaining address space */
if (addr > len) {
vma = find_vma(mm, addr-len);
@@ -111099,7 +111235,7 @@ index 4b80cbf..89f7b42 100644
/* remember the address as a hint for next time */
return (mm->free_area_cache = addr-len);
}
-@@ -1395,7 +1629,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1395,7 +1643,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
* return with success:
*/
vma = find_vma(mm, addr);
@@ -111108,7 +111244,7 @@ index 4b80cbf..89f7b42 100644
/* remember the address as a hint for next time */
return (mm->free_area_cache = addr);
-@@ -1404,8 +1638,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1404,8 +1652,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
mm->cached_hole_size = vma->vm_start - addr;
/* try just below the current vma->vm_start */
@@ -111119,7 +111255,7 @@ index 4b80cbf..89f7b42 100644
bottomup:
/*
-@@ -1414,13 +1648,21 @@ bottomup:
+@@ -1414,13 +1662,21 @@ bottomup:
* can happen with large stack limits and large mmap()
* allocations.
*/
@@ -111143,7 +111279,7 @@ index 4b80cbf..89f7b42 100644
mm->cached_hole_size = ~0UL;
return addr;
-@@ -1429,6 +1671,12 @@ bottomup:
+@@ -1429,6 +1685,12 @@ bottomup:
void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
{
@@ -111156,7 +111292,7 @@ index 4b80cbf..89f7b42 100644
/*
* Is this a new hole at the highest possible address?
*/
-@@ -1436,8 +1684,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
+@@ -1436,8 +1698,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
mm->free_area_cache = addr;
/* dont allow allocations above current base */
@@ -111168,7 +111304,7 @@ index 4b80cbf..89f7b42 100644
}
unsigned long
-@@ -1510,40 +1760,49 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
+@@ -1510,40 +1774,49 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
EXPORT_SYMBOL(find_vma);
@@ -111243,7 +111379,7 @@ index 4b80cbf..89f7b42 100644
/*
* Verify that the stack growth is acceptable and
-@@ -1561,6 +1820,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -1561,6 +1834,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
return -ENOMEM;
/* Stack limit test */
@@ -111251,7 +111387,7 @@ index 4b80cbf..89f7b42 100644
if (size > rlim[RLIMIT_STACK].rlim_cur)
return -ENOMEM;
-@@ -1570,6 +1830,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -1570,6 +1844,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
unsigned long limit;
locked = mm->locked_vm + grow;
limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
@@ -111259,7 +111395,15 @@ index 4b80cbf..89f7b42 100644
if (locked > limit && !capable(CAP_IPC_LOCK))
return -ENOMEM;
}
-@@ -1600,37 +1861,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -1588,7 +1863,6 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+ return -ENOMEM;
+
+ /* Ok, everything looks good - let it rip */
+- mm->total_vm += grow;
+ if (vma->vm_flags & VM_LOCKED)
+ mm->locked_vm += grow;
+ vm_stat_account(mm, vma->vm_flags, vma->vm_file, grow);
+@@ -1600,37 +1874,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
* PA-RISC uses this for its stack; IA64 for its Register Backing Store.
* vma is the last one with address > vma->vm_end. Have to extend vma.
*/
@@ -111317,7 +111461,7 @@ index 4b80cbf..89f7b42 100644
unsigned long size, grow;
size = address - vma->vm_start;
-@@ -1643,6 +1915,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+@@ -1643,6 +1928,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
vma->vm_end = address;
}
}
@@ -111326,7 +111470,7 @@ index 4b80cbf..89f7b42 100644
anon_vma_unlock(vma);
return error;
}
-@@ -1655,6 +1929,8 @@ static int expand_downwards(struct vm_area_struct *vma,
+@@ -1655,6 +1942,8 @@ static int expand_downwards(struct vm_area_struct *vma,
unsigned long address)
{
int error;
@@ -111335,7 +111479,7 @@ index 4b80cbf..89f7b42 100644
/*
* We must make sure the anon_vma is allocated
-@@ -1668,6 +1944,15 @@ static int expand_downwards(struct vm_area_struct *vma,
+@@ -1668,6 +1957,15 @@ static int expand_downwards(struct vm_area_struct *vma,
if (error)
return error;
@@ -111351,7 +111495,7 @@ index 4b80cbf..89f7b42 100644
anon_vma_lock(vma);
/*
-@@ -1677,9 +1962,17 @@ static int expand_downwards(struct vm_area_struct *vma,
+@@ -1677,9 +1975,17 @@ static int expand_downwards(struct vm_area_struct *vma,
*/
/* Somebody else might have raced and expanded it already */
@@ -111370,7 +111514,7 @@ index 4b80cbf..89f7b42 100644
size = vma->vm_end - address;
grow = (vma->vm_start - address) >> PAGE_SHIFT;
-@@ -1689,21 +1982,60 @@ static int expand_downwards(struct vm_area_struct *vma,
+@@ -1689,21 +1995,60 @@ static int expand_downwards(struct vm_area_struct *vma,
if (!error) {
vma->vm_start = address;
vma->vm_pgoff -= grow;
@@ -111431,7 +111575,7 @@ index 4b80cbf..89f7b42 100644
return expand_upwards(vma, address);
}
-@@ -1727,6 +2059,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr)
+@@ -1727,6 +2072,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr)
#else
int expand_stack(struct vm_area_struct *vma, unsigned long address)
{
@@ -111446,10 +111590,11 @@ index 4b80cbf..89f7b42 100644
return expand_downwards(vma, address);
}
-@@ -1768,6 +2108,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -1768,7 +2121,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
do {
long nrpages = vma_pages(vma);
+- mm->total_vm -= nrpages;
+#ifdef CONFIG_PAX_SEGMEXEC
+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
+ vma = remove_vma(vma);
@@ -111457,10 +111602,10 @@ index 4b80cbf..89f7b42 100644
+ }
+#endif
+
- mm->total_vm -= nrpages;
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
vma = remove_vma(vma);
-@@ -1813,6 +2160,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+ } while (vma);
+@@ -1813,6 +2172,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
insertion_point = (prev ? &prev->vm_next : &mm->mmap);
vma->vm_prev = NULL;
do {
@@ -111477,7 +111622,7 @@ index 4b80cbf..89f7b42 100644
rb_erase(&vma->vm_rb, &mm->mm_rb);
mm->map_count--;
tail_vma = vma;
-@@ -1840,10 +2197,25 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1840,10 +2209,25 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
struct mempolicy *pol;
struct vm_area_struct *new;
@@ -111503,7 +111648,7 @@ index 4b80cbf..89f7b42 100644
if (mm->map_count >= sysctl_max_map_count)
return -ENOMEM;
-@@ -1851,6 +2223,16 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1851,6 +2235,16 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
if (!new)
return -ENOMEM;
@@ -111520,7 +111665,7 @@ index 4b80cbf..89f7b42 100644
/* most fields are the same, copy all, and then fixup */
*new = *vma;
-@@ -1861,8 +2243,29 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1861,8 +2255,29 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
}
@@ -111550,7 +111695,7 @@ index 4b80cbf..89f7b42 100644
kmem_cache_free(vm_area_cachep, new);
return PTR_ERR(pol);
}
-@@ -1883,6 +2286,28 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1883,6 +2298,28 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
else
vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
@@ -111579,7 +111724,7 @@ index 4b80cbf..89f7b42 100644
return 0;
}
-@@ -1891,11 +2316,30 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1891,11 +2328,30 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
* work. This now handles partial unmappings.
* Jeremy Fitzhardinge <jeremy@goop.org>
*/
@@ -111610,7 +111755,7 @@ index 4b80cbf..89f7b42 100644
if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
return -EINVAL;
-@@ -1959,6 +2403,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
+@@ -1959,6 +2415,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
/* Fix up all other VM information */
remove_vma_list(mm, vma);
@@ -111619,7 +111764,7 @@ index 4b80cbf..89f7b42 100644
return 0;
}
-@@ -1971,22 +2417,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
+@@ -1971,22 +2429,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
profile_munmap(addr);
@@ -111648,7 +111793,7 @@ index 4b80cbf..89f7b42 100644
/*
* this is really a simplified "do_mmap". it only handles
* anonymous maps. eventually we may be able to do some
-@@ -2000,6 +2442,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2000,6 +2454,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
struct rb_node ** rb_link, * rb_parent;
pgoff_t pgoff = addr >> PAGE_SHIFT;
int error;
@@ -111656,7 +111801,7 @@ index 4b80cbf..89f7b42 100644
len = PAGE_ALIGN(len);
if (!len)
-@@ -2011,16 +2454,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2011,16 +2466,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
@@ -111688,7 +111833,7 @@ index 4b80cbf..89f7b42 100644
locked += mm->locked_vm;
lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
lock_limit >>= PAGE_SHIFT;
-@@ -2037,22 +2494,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2037,22 +2506,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
/*
* Clear old maps. this also does some error checking for us
*/
@@ -111715,7 +111860,7 @@ index 4b80cbf..89f7b42 100644
return -ENOMEM;
/* Can we just expand an old private anonymous mapping? */
-@@ -2066,7 +2523,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2066,7 +2535,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
*/
vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
if (!vma) {
@@ -111724,7 +111869,7 @@ index 4b80cbf..89f7b42 100644
return -ENOMEM;
}
-@@ -2078,11 +2535,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2078,11 +2547,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
vma->vm_page_prot = vm_get_page_prot(flags);
vma_link(mm, vma, prev, rb_link, rb_parent);
out:
@@ -111739,7 +111884,7 @@ index 4b80cbf..89f7b42 100644
return addr;
}
-@@ -2129,8 +2587,10 @@ void exit_mmap(struct mm_struct *mm)
+@@ -2129,8 +2599,10 @@ void exit_mmap(struct mm_struct *mm)
* Walk the list again, actually closing and freeing it,
* with preemption enabled, without holding any MM locks.
*/
@@ -111751,7 +111896,7 @@ index 4b80cbf..89f7b42 100644
BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
}
-@@ -2144,6 +2604,10 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
+@@ -2144,6 +2616,10 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
struct vm_area_struct * __vma, * prev;
struct rb_node ** rb_link, * rb_parent;
@@ -111762,7 +111907,7 @@ index 4b80cbf..89f7b42 100644
/*
* The vm_pgoff of a purely anonymous vma should be irrelevant
* until its first write fault, when page's anon_vma and index
-@@ -2166,7 +2630,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
+@@ -2166,7 +2642,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
if ((vma->vm_flags & VM_ACCOUNT) &&
security_vm_enough_memory_mm(mm, vma_pages(vma)))
return -ENOMEM;
@@ -111785,7 +111930,7 @@ index 4b80cbf..89f7b42 100644
return 0;
}
-@@ -2184,6 +2663,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2184,6 +2675,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
struct rb_node **rb_link, *rb_parent;
struct mempolicy *pol;
@@ -111794,7 +111939,7 @@ index 4b80cbf..89f7b42 100644
/*
* If anonymous vma has not yet been faulted, update new pgoff
* to match new location, to increase its chance of merging.
-@@ -2227,6 +2708,35 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2227,6 +2720,35 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
return new_vma;
}
@@ -111830,20 +111975,15 @@ index 4b80cbf..89f7b42 100644
/*
* Return true if the calling process may expand its vm space by the passed
* number of pages
-@@ -2238,6 +2748,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
+@@ -2238,6 +2760,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
-+#ifdef CONFIG_PAX_RANDMMAP
-+ if (mm->pax_flags & MF_PAX_RANDMMAP)
-+ cur -= mm->brk_gap;
-+#endif
-+
+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
if (cur + npages > lim)
return 0;
return 1;
-@@ -2307,6 +2823,22 @@ int install_special_mapping(struct mm_struct *mm,
+@@ -2307,6 +2830,22 @@ int install_special_mapping(struct mm_struct *mm,
vma->vm_start = addr;
vma->vm_end = addr + len;
@@ -112093,7 +112233,7 @@ index 1737c7e..c7faeb4 100644
if (nstart < prev->vm_end)
diff --git a/mm/mremap.c b/mm/mremap.c
-index 3e98d79..1706cec 100644
+index 3e98d79..36c2b5d 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -112,6 +112,12 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,
@@ -112109,7 +112249,15 @@ index 3e98d79..1706cec 100644
set_pte_at(mm, new_addr, new_pte, pte);
}
-@@ -271,6 +277,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
+@@ -232,7 +238,6 @@ static unsigned long move_vma(struct vm_area_struct *vma,
+ * If this were a serious issue, we'd add a flag to do_munmap().
+ */
+ hiwater_vm = mm->hiwater_vm;
+- mm->total_vm += new_len >> PAGE_SHIFT;
+ vm_stat_account(mm, vma->vm_flags, vma->vm_file, new_len>>PAGE_SHIFT);
+
+ if (do_munmap(mm, old_addr, old_len) < 0) {
+@@ -271,6 +276,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
if (is_vm_hugetlb_page(vma))
goto Einval;
@@ -112121,7 +112269,7 @@ index 3e98d79..1706cec 100644
/* We can't remap across vm area boundaries */
if (old_len > vma->vm_end - addr)
goto Efault;
-@@ -327,20 +338,25 @@ static unsigned long mremap_to(unsigned long addr,
+@@ -327,20 +337,25 @@ static unsigned long mremap_to(unsigned long addr,
unsigned long ret = -EINVAL;
unsigned long charged = 0;
unsigned long map_flags;
@@ -112152,7 +112300,7 @@ index 3e98d79..1706cec 100644
goto out;
ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
-@@ -412,6 +428,7 @@ unsigned long do_mremap(unsigned long addr,
+@@ -412,6 +427,7 @@ unsigned long do_mremap(unsigned long addr,
struct vm_area_struct *vma;
unsigned long ret = -EINVAL;
unsigned long charged = 0;
@@ -112160,7 +112308,7 @@ index 3e98d79..1706cec 100644
if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
goto out;
-@@ -430,6 +447,17 @@ unsigned long do_mremap(unsigned long addr,
+@@ -430,6 +446,17 @@ unsigned long do_mremap(unsigned long addr,
if (!new_len)
goto out;
@@ -112178,7 +112326,15 @@ index 3e98d79..1706cec 100644
if (flags & MREMAP_FIXED) {
if (flags & MREMAP_MAYMOVE)
ret = mremap_to(addr, old_len, new_addr, new_len);
-@@ -476,6 +504,7 @@ unsigned long do_mremap(unsigned long addr,
+@@ -468,7 +495,6 @@ unsigned long do_mremap(unsigned long addr,
+ vma_adjust(vma, vma->vm_start,
+ addr + new_len, vma->vm_pgoff, NULL);
+
+- mm->total_vm += pages;
+ vm_stat_account(mm, vma->vm_flags, vma->vm_file, pages);
+ if (vma->vm_flags & VM_LOCKED) {
+ mm->locked_vm += pages;
+@@ -476,6 +502,7 @@ unsigned long do_mremap(unsigned long addr,
addr + new_len);
}
ret = addr;
@@ -112186,7 +112342,7 @@ index 3e98d79..1706cec 100644
goto out;
}
}
-@@ -502,7 +531,13 @@ unsigned long do_mremap(unsigned long addr,
+@@ -502,7 +529,13 @@ unsigned long do_mremap(unsigned long addr,
ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
if (ret)
goto out;
@@ -120289,7 +120445,7 @@ index c4c6732..bc63d84 100644
int security_settime(struct timespec *ts, struct timezone *tz)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index a106754..ca3a589 100644
+index a106754..bdb434e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -76,6 +76,7 @@
@@ -120352,6 +120508,15 @@ index a106754..ca3a589 100644
default:
rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
break;
+@@ -2366,7 +2368,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
+ initrlim = init_task.signal->rlim + i;
+ rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
+ }
+- update_rlimit_cpu(current->signal->rlim[RLIMIT_CPU].rlim_cur);
++ update_rlimit_cpu(current, current->signal->rlim[RLIMIT_CPU].rlim_cur);
+ }
+ }
+
@@ -5457,7 +5459,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
#endif
@@ -120397,6 +120562,19 @@ index ff17820..d68084c 100644
if (!ss_initialized) {
avtab_cache_init();
if (policydb_read(&policydb, fp)) {
+diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
+index f3cb9ed..22c91e3 100644
+--- a/security/selinux/xfrm.c
++++ b/security/selinux/xfrm.c
+@@ -309,7 +309,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
+
+ if (old_ctx) {
+ new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len,
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ if (!new_ctx)
+ return -ENOMEM;
+
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index c33b6bb..b51f19e 100644
--- a/security/smack/smack_lsm.c
@@ -127916,6 +128094,25 @@ index 83b3dde..835bee7 100644
} else
break;
}
+diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c
+index 9fe140b..69969ae 100644
+--- a/virt/kvm/ioapic.c
++++ b/virt/kvm/ioapic.c
+@@ -71,9 +71,12 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic,
+ u32 redir_index = (ioapic->ioregsel - 0x10) >> 1;
+ u64 redir_content;
+
+- ASSERT(redir_index < IOAPIC_NUM_PINS);
++ if (redir_index < IOAPIC_NUM_PINS)
++ redir_content =
++ ioapic->redirtbl[redir_index].bits;
++ else
++ redir_content = ~0ULL;
+
+- redir_content = ioapic->redirtbl[redir_index].bits;
+ result = (ioapic->ioregsel & 0x1) ?
+ (redir_content >> 32) & 0xffffffff :
+ redir_content & 0xffffffff;
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 82b6fdc..57cc875 100644
--- a/virt/kvm/kvm_main.c
diff --git a/3.2.40/0000_README b/3.2.40/0000_README
index 6682017..da39e23 100644
--- a/3.2.40/0000_README
+++ b/3.2.40/0000_README
@@ -78,7 +78,7 @@ Patch: 1039_linux-3.2.40.patch
From: http://www.kernel.org
Desc: Linux 3.2.40
-Patch: 4420_grsecurity-2.9.1-3.2.40-201303142234.patch
+Patch: 4420_grsecurity-2.9.1-3.2.40-201303221825.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303142234.patch b/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303221825.patch
index c85236f..cd03fe7 100644
--- a/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303142234.patch
+++ b/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303221825.patch
@@ -194,7 +194,7 @@ index dfa6fc6..65f7dbe 100644
+zconf.lex.c
zoffset.h
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index ddbf18e..2c5d501 100644
+index ddbf18e..53d74a7 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -853,6 +853,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
@@ -207,7 +207,7 @@ index ddbf18e..2c5d501 100644
hashdist= [KNL,NUMA] Large hashes allocated during boot
are distributed across NUMA nodes. Defaults on
for 64-bit NUMA, off otherwise.
-@@ -1940,6 +1943,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+@@ -1940,6 +1943,18 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
the specified number of seconds. This is to be used if
your oopses keep scrolling off the screen.
@@ -218,6 +218,11 @@ index ddbf18e..2c5d501 100644
+
+ pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
+
++ pax_extra_latent_entropy
++ Enable a very simple form of latent entropy extraction
++ from the first 4GB of memory as the bootmem allocator
++ passes the memory pages to the buddy allocator.
++
pcbit= [HW,ISDN]
pcd. [PARIDE]
@@ -255,7 +260,7 @@ index 88fd7f5..b318a78 100644
==============================================================
diff --git a/Makefile b/Makefile
-index 47af1e9..e2ebb6d 100644
+index 47af1e9..4da6852 100644
--- a/Makefile
+++ b/Makefile
@@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -339,7 +344,7 @@ index 47af1e9..e2ebb6d 100644
+else
+ $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least"
+endif
-+ $(Q)echo "PAX_MEMORY_STACKLEAK and other features will be less secure"
++ $(Q)echo "PAX_MEMORY_STACKLEAK, constification, PAX_LATENT_ENTROPY and other features will be less secure. PAX_SIZE_OVERFLOW will not be active."
+endif
+endif
+
@@ -2760,6 +2765,18 @@ index 77597e5..6f28f3f 100644
{
.notifier_call = palinfo_cpu_callback,
.priority = 0,
+diff --git a/arch/ia64/kernel/perfmon.c b/arch/ia64/kernel/perfmon.c
+index 89accc6..e888968 100644
+--- a/arch/ia64/kernel/perfmon.c
++++ b/arch/ia64/kernel/perfmon.c
+@@ -2370,7 +2370,6 @@ pfm_smpl_buffer_alloc(struct task_struct *task, struct file *filp, pfm_context_t
+ */
+ insert_vm_struct(mm, vma);
+
+- mm->total_vm += size >> PAGE_SHIFT;
+ vm_stat_account(vma->vm_mm, vma->vm_flags, vma->vm_file,
+ vma_pages(vma));
+ up_write(&task->mm->mmap_sem);
diff --git a/arch/ia64/kernel/salinfo.c b/arch/ia64/kernel/salinfo.c
index 79802e5..1a89ec5 100644
--- a/arch/ia64/kernel/salinfo.c
@@ -21810,7 +21827,7 @@ index 407789b..5570a86 100644
vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index f4063fd..3c40814 100644
+index f4063fd..b395ad7 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1348,8 +1348,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
@@ -21824,7 +21841,19 @@ index f4063fd..3c40814 100644
u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
: kvm->arch.xen_hvm_config.blob_size_32;
u32 page_num = data & ~PAGE_MASK;
-@@ -2168,6 +2168,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
+@@ -1603,6 +1603,11 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data)
+ /* ...but clean it before doing the actual write */
+ vcpu->arch.time_offset = data & ~(PAGE_MASK | 1);
+
++ /* Check that the address is 32-byte aligned. */
++ if (vcpu->arch.time_offset &
++ (sizeof(struct pvclock_vcpu_time_info) - 1))
++ break;
++
+ vcpu->arch.time_page =
+ gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);
+
+@@ -2168,6 +2173,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
if (n < msr_list.nmsrs)
goto out;
r = -EFAULT;
@@ -21833,7 +21862,7 @@ index f4063fd..3c40814 100644
if (copy_to_user(user_msr_list->indices, &msrs_to_save,
num_msrs_to_save * sizeof(u32)))
goto out;
-@@ -2343,15 +2345,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu,
+@@ -2343,15 +2350,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu,
struct kvm_cpuid2 *cpuid,
struct kvm_cpuid_entry2 __user *entries)
{
@@ -21857,7 +21886,7 @@ index f4063fd..3c40814 100644
vcpu->arch.cpuid_nent = cpuid->nent;
kvm_apic_set_version(vcpu);
kvm_x86_ops->cpuid_update(vcpu);
-@@ -2366,15 +2373,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
+@@ -2366,15 +2378,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
struct kvm_cpuid2 *cpuid,
struct kvm_cpuid_entry2 __user *entries)
{
@@ -21880,7 +21909,7 @@ index f4063fd..3c40814 100644
return 0;
out:
-@@ -2749,7 +2760,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu,
+@@ -2749,7 +2765,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu,
static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
struct kvm_interrupt *irq)
{
@@ -21889,7 +21918,7 @@ index f4063fd..3c40814 100644
return -EINVAL;
if (irqchip_in_kernel(vcpu->kvm))
return -ENXIO;
-@@ -5191,7 +5202,7 @@ static void kvm_set_mmio_spte_mask(void)
+@@ -5191,7 +5207,7 @@ static void kvm_set_mmio_spte_mask(void)
kvm_mmu_set_mmio_spte_mask(mask);
}
@@ -32857,7 +32886,7 @@ index 012a9d2..3b2267c 100644
return container_of(adapter, struct intel_gmbus, adapter)->force_bit;
}
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
-index 878b989..ea158f5 100644
+index 878b989..17fe410 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -189,7 +189,7 @@ i915_gem_object_set_to_gpu_domain(struct drm_i915_gem_object *obj,
@@ -32869,7 +32898,7 @@ index 878b989..ea158f5 100644
/* The actual obj->write_domain will be updated with
* pending_write_domain after we emit the accumulated flush for all
-@@ -904,9 +904,9 @@ i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec)
+@@ -904,18 +904,23 @@ i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec)
static int
validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
@@ -32877,10 +32906,28 @@ index 878b989..ea158f5 100644
+ unsigned int count)
{
- int i;
+-
+ unsigned int i;
-
++ int relocs_total = 0;
++ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
++
for (i = 0; i < count; i++) {
char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
+ int length; /* limited by fault_in_pages_readable() */
+
+- /* First check for malicious input causing overflow */
+- if (exec[i].relocation_count >
+- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
++ /* First check for malicious input causing overflow in
++ * the worst case where we need to allocate the entire
++ * relocation tree as a single array.
++ */
++ if (exec[i].relocation_count > relocs_max - relocs_total)
+ return -EINVAL;
++ relocs_total += exec[i].relocation_count;
+
+ length = exec[i].relocation_count *
+ sizeof(struct drm_i915_gem_relocation_entry);
diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
index 93e74fb..4a1182d 100644
--- a/drivers/gpu/drm/i915/i915_irq.c
@@ -36585,7 +36632,7 @@ index 668f5c6..65df5f2 100644
dev->req->sg.length : dev->req->data_len;
diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
-index e9c6a60..daf6a33 100644
+index e9c6a60..a1d04d6 100644
--- a/drivers/message/fusion/mptbase.c
+++ b/drivers/message/fusion/mptbase.c
@@ -6753,8 +6753,13 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v)
@@ -36602,6 +36649,18 @@ index e9c6a60..daf6a33 100644
/*
* Rounding UP to nearest 4-kB boundary here...
*/
+@@ -6767,7 +6772,11 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v)
+ ioc->facts.GlobalCredits);
+
+ seq_printf(m, " Frames @ 0x%p (Dma @ 0x%p)\n",
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ NULL, NULL);
++#else
+ (void *)ioc->alloc, (void *)(ulong)ioc->alloc_dma);
++#endif
+ sz = (ioc->reply_sz * ioc->reply_depth) + 128;
+ seq_printf(m, " {CurRepSz=%d} x {CurRepDepth=%d} = %d bytes ^= 0x%x\n",
+ ioc->reply_sz, ioc->reply_depth, ioc->reply_sz*ioc->reply_depth, sz);
diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c
index 9d95042..b808101 100644
--- a/drivers/message/fusion/mptsas.c
@@ -45278,7 +45337,7 @@ index a6395bd..f1e376a 100644
(unsigned long) create_aout_tables((char __user *) bprm->p, bprm);
#ifdef __alpha__
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 8dd615c..60fbfd2 100644
+index 8dd615c..0efdaed 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -32,6 +32,7 @@
@@ -45891,7 +45950,7 @@ index 8dd615c..60fbfd2 100644
/* set_brk can never work. Avoid overflows. */
send_sig(SIGKILL, current, 0);
retval = -EINVAL;
-@@ -881,17 +1300,43 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -881,17 +1300,44 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
goto out_free_dentry;
}
if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
@@ -45907,19 +45966,20 @@ index 8dd615c..60fbfd2 100644
+#ifdef CONFIG_PAX_RANDMMAP
+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
-+ unsigned long start, size;
++ unsigned long start, size, flags, vm_flags;
+
+ start = ELF_PAGEALIGN(elf_brk);
+ size = PAGE_SIZE + ((pax_get_random_long() & ((1UL << 22) - 1UL)) << 4);
++ flags = MAP_FIXED | MAP_PRIVATE;
++ vm_flags = VM_DONTEXPAND | VM_RESERVED;
++
+ down_write(&current->mm->mmap_sem);
++ start = get_unmapped_area(NULL, start, PAGE_ALIGN(size), 0, flags);
+ retval = -ENOMEM;
-+ if (!find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) {
-+ unsigned long prot = PROT_NONE;
-+
-+ current->mm->brk_gap = PAGE_ALIGN(size) >> PAGE_SHIFT;
++ if (!IS_ERR_VALUE(start) && !find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) {
+// if (current->personality & ADDR_NO_RANDOMIZE)
+// prot = PROT_READ;
-+ start = do_mmap(NULL, start, size, prot, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0);
++ start = mmap_region(NULL, start, PAGE_ALIGN(size), flags, vm_flags, 0);
+ retval = IS_ERR_VALUE(start) ? start : 0;
+ }
+ up_write(&current->mm->mmap_sem);
@@ -45941,7 +46001,7 @@ index 8dd615c..60fbfd2 100644
load_bias);
if (!IS_ERR((void *)elf_entry)) {
/*
-@@ -1098,7 +1543,7 @@ out:
+@@ -1098,7 +1544,7 @@ out:
* Decide what to dump of a segment, part, all or none.
*/
static unsigned long vma_dump_size(struct vm_area_struct *vma,
@@ -45950,7 +46010,7 @@ index 8dd615c..60fbfd2 100644
{
#define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
-@@ -1132,7 +1577,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
+@@ -1132,7 +1578,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
if (vma->vm_file == NULL)
return 0;
@@ -45959,7 +46019,7 @@ index 8dd615c..60fbfd2 100644
goto whole;
/*
-@@ -1354,9 +1799,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
+@@ -1354,9 +1800,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
{
elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
int i = 0;
@@ -45971,7 +46031,7 @@ index 8dd615c..60fbfd2 100644
fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
}
-@@ -1851,14 +2296,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
+@@ -1851,14 +2297,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
}
static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
@@ -45988,7 +46048,7 @@ index 8dd615c..60fbfd2 100644
return size;
}
-@@ -1952,7 +2397,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -1952,7 +2398,7 @@ static int elf_core_dump(struct coredump_params *cprm)
dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
@@ -45997,7 +46057,7 @@ index 8dd615c..60fbfd2 100644
offset += elf_core_extra_data_size();
e_shoff = offset;
-@@ -1966,10 +2411,12 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -1966,10 +2412,12 @@ static int elf_core_dump(struct coredump_params *cprm)
offset = dataoff;
size += sizeof(*elf);
@@ -46010,7 +46070,7 @@ index 8dd615c..60fbfd2 100644
if (size > cprm->limit
|| !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
goto end_coredump;
-@@ -1983,7 +2430,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -1983,7 +2431,7 @@ static int elf_core_dump(struct coredump_params *cprm)
phdr.p_offset = offset;
phdr.p_vaddr = vma->vm_start;
phdr.p_paddr = 0;
@@ -46019,7 +46079,7 @@ index 8dd615c..60fbfd2 100644
phdr.p_memsz = vma->vm_end - vma->vm_start;
offset += phdr.p_filesz;
phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
-@@ -1994,6 +2441,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -1994,6 +2442,7 @@ static int elf_core_dump(struct coredump_params *cprm)
phdr.p_align = ELF_EXEC_PAGESIZE;
size += sizeof(phdr);
@@ -46027,7 +46087,7 @@ index 8dd615c..60fbfd2 100644
if (size > cprm->limit
|| !dump_write(cprm->file, &phdr, sizeof(phdr)))
goto end_coredump;
-@@ -2018,7 +2466,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2018,7 +2467,7 @@ static int elf_core_dump(struct coredump_params *cprm)
unsigned long addr;
unsigned long end;
@@ -46036,7 +46096,7 @@ index 8dd615c..60fbfd2 100644
for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
struct page *page;
-@@ -2027,6 +2475,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2027,6 +2476,7 @@ static int elf_core_dump(struct coredump_params *cprm)
page = get_dump_page(addr);
if (page) {
void *kaddr = kmap(page);
@@ -46044,7 +46104,7 @@ index 8dd615c..60fbfd2 100644
stop = ((size += PAGE_SIZE) > cprm->limit) ||
!dump_write(cprm->file, kaddr,
PAGE_SIZE);
-@@ -2044,6 +2493,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2044,6 +2494,7 @@ static int elf_core_dump(struct coredump_params *cprm)
if (e_phnum == PN_XNUM) {
size += sizeof(*shdr4extnum);
@@ -46052,7 +46112,7 @@ index 8dd615c..60fbfd2 100644
if (size > cprm->limit
|| !dump_write(cprm->file, shdr4extnum,
sizeof(*shdr4extnum)))
-@@ -2064,6 +2514,97 @@ out:
+@@ -2064,6 +2515,97 @@ out:
#endif /* CONFIG_ELF_CORE */
@@ -47233,7 +47293,7 @@ index 451b9b8..12e5a03 100644
out_free_fd:
diff --git a/fs/exec.c b/fs/exec.c
-index 312e297..4814b4e 100644
+index 312e297..6fe2fe2 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,12 +55,34 @@
@@ -47345,28 +47405,22 @@ index 312e297..4814b4e 100644
return 0;
err:
up_write(&mm->mmap_sem);
-@@ -396,19 +432,7 @@ err:
- return err;
- }
-
--struct user_arg_ptr {
--#ifdef CONFIG_COMPAT
-- bool is_compat;
--#endif
-- union {
-- const char __user *const __user *native;
--#ifdef CONFIG_COMPAT
+@@ -403,12 +439,12 @@ struct user_arg_ptr {
+ union {
+ const char __user *const __user *native;
+ #ifdef CONFIG_COMPAT
- compat_uptr_t __user *compat;
--#endif
-- } ptr;
--};
--
++ const compat_uptr_t __user *compat;
+ #endif
+ } ptr;
+ };
+
-static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
+const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
{
const char __user *native;
-@@ -417,14 +441,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
+@@ -417,14 +453,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
compat_uptr_t compat;
if (get_user(compat, argv.ptr.compat + nr))
@@ -47383,7 +47437,7 @@ index 312e297..4814b4e 100644
return native;
}
-@@ -443,11 +467,12 @@ static int count(struct user_arg_ptr argv, int max)
+@@ -443,11 +479,12 @@ static int count(struct user_arg_ptr argv, int max)
if (!p)
break;
@@ -47398,7 +47452,7 @@ index 312e297..4814b4e 100644
if (fatal_signal_pending(current))
return -ERESTARTNOHAND;
-@@ -477,7 +502,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv,
+@@ -477,7 +514,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv,
ret = -EFAULT;
str = get_user_arg_ptr(argv, argc);
@@ -47407,7 +47461,7 @@ index 312e297..4814b4e 100644
goto out;
len = strnlen_user(str, MAX_ARG_STRLEN);
-@@ -559,7 +584,7 @@ int copy_strings_kernel(int argc, const char *const *__argv,
+@@ -559,7 +596,7 @@ int copy_strings_kernel(int argc, const char *const *__argv,
int r;
mm_segment_t oldfs = get_fs();
struct user_arg_ptr argv = {
@@ -47416,7 +47470,7 @@ index 312e297..4814b4e 100644
};
set_fs(KERNEL_DS);
-@@ -594,7 +619,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
+@@ -594,7 +631,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
unsigned long new_end = old_end - shift;
struct mmu_gather tlb;
@@ -47426,7 +47480,7 @@ index 312e297..4814b4e 100644
/*
* ensure there are no vmas between where we want to go
-@@ -603,6 +629,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
+@@ -603,6 +641,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
if (vma != find_vma(mm, new_start))
return -EFAULT;
@@ -47437,7 +47491,7 @@ index 312e297..4814b4e 100644
/*
* cover the whole range: [new_start, old_end)
*/
-@@ -683,10 +713,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
+@@ -683,10 +725,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
stack_top = arch_align_stack(stack_top);
stack_top = PAGE_ALIGN(stack_top);
@@ -47448,7 +47502,7 @@ index 312e297..4814b4e 100644
stack_shift = vma->vm_end - stack_top;
bprm->p -= stack_shift;
-@@ -698,8 +724,28 @@ int setup_arg_pages(struct linux_binprm *bprm,
+@@ -698,8 +736,28 @@ int setup_arg_pages(struct linux_binprm *bprm,
bprm->exec -= stack_shift;
down_write(&mm->mmap_sem);
@@ -47477,7 +47531,7 @@ index 312e297..4814b4e 100644
/*
* Adjust stack execute permissions; explicitly enable for
* EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
-@@ -718,13 +764,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
+@@ -718,13 +776,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
goto out_unlock;
BUG_ON(prev != vma);
@@ -47491,12 +47545,12 @@ index 312e297..4814b4e 100644
/* mprotect_fixup is overkill to remove the temporary stack flags */
vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
-@@ -748,6 +787,27 @@ int setup_arg_pages(struct linux_binprm *bprm,
+@@ -748,6 +799,27 @@ int setup_arg_pages(struct linux_binprm *bprm,
#endif
current->mm->start_stack = bprm->p;
ret = expand_stack(vma, stack_base);
+
-+#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_ASLR)
++#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_RANDMMAP)
+ if (!ret && (mm->pax_flags & MF_PAX_RANDMMAP) && STACK_TOP <= 0xFFFFFFFFU && STACK_TOP > vma->vm_end) {
+ unsigned long size, flags, vm_flags;
+
@@ -47509,7 +47563,7 @@ index 312e297..4814b4e 100644
+#ifdef CONFIG_X86
+ if (!ret) {
+ size = mmap_min_addr + ((mm->delta_mmap ^ mm->delta_stack) & (0xFFUL << PAGE_SHIFT));
-+ ret = 0 != mmap_region(NULL, 0, size, flags, vm_flags, 0);
++ ret = 0 != mmap_region(NULL, 0, PAGE_ALIGN(size), flags, vm_flags, 0);
+ }
+#endif
+
@@ -47519,7 +47573,7 @@ index 312e297..4814b4e 100644
if (ret)
ret = -EFAULT;
-@@ -782,6 +842,8 @@ struct file *open_exec(const char *name)
+@@ -782,6 +854,8 @@ struct file *open_exec(const char *name)
fsnotify_open(file);
@@ -47528,7 +47582,7 @@ index 312e297..4814b4e 100644
err = deny_write_access(file);
if (err)
goto exit;
-@@ -805,7 +867,7 @@ int kernel_read(struct file *file, loff_t offset,
+@@ -805,7 +879,7 @@ int kernel_read(struct file *file, loff_t offset,
old_fs = get_fs();
set_fs(get_ds());
/* The cast to a user pointer is valid due to the set_fs() */
@@ -47537,7 +47591,7 @@ index 312e297..4814b4e 100644
set_fs(old_fs);
return result;
}
-@@ -1070,6 +1132,21 @@ void set_task_comm(struct task_struct *tsk, char *buf)
+@@ -1070,6 +1144,21 @@ void set_task_comm(struct task_struct *tsk, char *buf)
perf_event_comm(tsk);
}
@@ -47559,7 +47613,7 @@ index 312e297..4814b4e 100644
int flush_old_exec(struct linux_binprm * bprm)
{
int retval;
-@@ -1084,6 +1161,7 @@ int flush_old_exec(struct linux_binprm * bprm)
+@@ -1084,6 +1173,7 @@ int flush_old_exec(struct linux_binprm * bprm)
set_mm_exe_file(bprm->mm, bprm->file);
@@ -47567,7 +47621,7 @@ index 312e297..4814b4e 100644
/*
* Release all of the old mmap stuff
*/
-@@ -1116,10 +1194,6 @@ EXPORT_SYMBOL(would_dump);
+@@ -1116,10 +1206,6 @@ EXPORT_SYMBOL(would_dump);
void setup_new_exec(struct linux_binprm * bprm)
{
@@ -47578,7 +47632,7 @@ index 312e297..4814b4e 100644
arch_pick_mmap_layout(current->mm);
/* This is the point of no return */
-@@ -1130,18 +1204,7 @@ void setup_new_exec(struct linux_binprm * bprm)
+@@ -1130,18 +1216,7 @@ void setup_new_exec(struct linux_binprm * bprm)
else
set_dumpable(current->mm, suid_dumpable);
@@ -47598,7 +47652,7 @@ index 312e297..4814b4e 100644
/* Set the new mm task size. We have to do that late because it may
* depend on TIF_32BIT which is only updated in flush_thread() on
-@@ -1266,7 +1329,7 @@ int check_unsafe_exec(struct linux_binprm *bprm)
+@@ -1266,7 +1341,7 @@ int check_unsafe_exec(struct linux_binprm *bprm)
}
rcu_read_unlock();
@@ -47607,7 +47661,7 @@ index 312e297..4814b4e 100644
bprm->unsafe |= LSM_UNSAFE_SHARE;
} else {
res = -EAGAIN;
-@@ -1461,6 +1524,28 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
+@@ -1461,6 +1536,31 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
EXPORT_SYMBOL(search_binary_handler);
@@ -47633,10 +47687,13 @@ index 312e297..4814b4e 100644
+static inline void increment_exec_counter(void) {}
+#endif
+
++extern void gr_handle_exec_args(struct linux_binprm *bprm,
++ struct user_arg_ptr argv);
++
/*
* sys_execve() executes a new program.
*/
-@@ -1469,6 +1554,11 @@ static int do_execve_common(const char *filename,
+@@ -1469,6 +1569,11 @@ static int do_execve_common(const char *filename,
struct user_arg_ptr envp,
struct pt_regs *regs)
{
@@ -47648,7 +47705,7 @@ index 312e297..4814b4e 100644
struct linux_binprm *bprm;
struct file *file;
struct files_struct *displaced;
-@@ -1476,6 +1566,8 @@ static int do_execve_common(const char *filename,
+@@ -1476,6 +1581,8 @@ static int do_execve_common(const char *filename,
int retval;
const struct cred *cred = current_cred();
@@ -47657,7 +47714,7 @@ index 312e297..4814b4e 100644
/*
* We move the actual failure in case of RLIMIT_NPROC excess from
* set*uid() to execve() because too many poorly written programs
-@@ -1516,12 +1608,27 @@ static int do_execve_common(const char *filename,
+@@ -1516,12 +1623,27 @@ static int do_execve_common(const char *filename,
if (IS_ERR(file))
goto out_unmark;
@@ -47685,7 +47742,7 @@ index 312e297..4814b4e 100644
retval = bprm_mm_init(bprm);
if (retval)
goto out_file;
-@@ -1538,24 +1645,65 @@ static int do_execve_common(const char *filename,
+@@ -1538,24 +1660,65 @@ static int do_execve_common(const char *filename,
if (retval < 0)
goto out;
@@ -47755,7 +47812,7 @@ index 312e297..4814b4e 100644
current->fs->in_exec = 0;
current->in_execve = 0;
acct_update_integrals(current);
-@@ -1564,6 +1712,14 @@ static int do_execve_common(const char *filename,
+@@ -1564,6 +1727,14 @@ static int do_execve_common(const char *filename,
put_files_struct(displaced);
return retval;
@@ -47770,7 +47827,7 @@ index 312e297..4814b4e 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1637,7 +1793,7 @@ static int expand_corename(struct core_name *cn)
+@@ -1637,7 +1808,7 @@ static int expand_corename(struct core_name *cn)
{
char *old_corename = cn->corename;
@@ -47779,7 +47836,7 @@ index 312e297..4814b4e 100644
cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
if (!cn->corename) {
-@@ -1734,7 +1890,7 @@ static int format_corename(struct core_name *cn, long signr)
+@@ -1734,7 +1905,7 @@ static int format_corename(struct core_name *cn, long signr)
int pid_in_pattern = 0;
int err = 0;
@@ -47788,7 +47845,7 @@ index 312e297..4814b4e 100644
cn->corename = kmalloc(cn->size, GFP_KERNEL);
cn->used = 0;
-@@ -1831,6 +1987,250 @@ out:
+@@ -1831,6 +2002,250 @@ out:
return ispipe;
}
@@ -48039,7 +48096,7 @@ index 312e297..4814b4e 100644
static int zap_process(struct task_struct *start, int exit_code)
{
struct task_struct *t;
-@@ -2004,17 +2404,17 @@ static void coredump_finish(struct mm_struct *mm)
+@@ -2004,17 +2419,17 @@ static void coredump_finish(struct mm_struct *mm)
void set_dumpable(struct mm_struct *mm, int value)
{
switch (value) {
@@ -48060,7 +48117,7 @@ index 312e297..4814b4e 100644
set_bit(MMF_DUMP_SECURELY, &mm->flags);
smp_wmb();
set_bit(MMF_DUMPABLE, &mm->flags);
-@@ -2027,7 +2427,7 @@ static int __get_dumpable(unsigned long mm_flags)
+@@ -2027,7 +2442,7 @@ static int __get_dumpable(unsigned long mm_flags)
int ret;
ret = mm_flags & MMF_DUMPABLE_MASK;
@@ -48069,7 +48126,7 @@ index 312e297..4814b4e 100644
}
int get_dumpable(struct mm_struct *mm)
-@@ -2042,17 +2442,17 @@ static void wait_for_dump_helpers(struct file *file)
+@@ -2042,17 +2457,17 @@ static void wait_for_dump_helpers(struct file *file)
pipe = file->f_path.dentry->d_inode->i_pipe;
pipe_lock(pipe);
@@ -48092,7 +48149,7 @@ index 312e297..4814b4e 100644
pipe_unlock(pipe);
}
-@@ -2113,7 +2513,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2113,7 +2528,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
int retval = 0;
int flag = 0;
int ispipe;
@@ -48102,7 +48159,7 @@ index 312e297..4814b4e 100644
struct coredump_params cprm = {
.signr = signr,
.regs = regs,
-@@ -2128,6 +2529,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2128,6 +2544,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
audit_core_dumps(signr);
@@ -48112,7 +48169,7 @@ index 312e297..4814b4e 100644
binfmt = mm->binfmt;
if (!binfmt || !binfmt->core_dump)
goto fail;
-@@ -2138,14 +2542,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2138,14 +2557,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
if (!cred)
goto fail;
/*
@@ -48133,7 +48190,7 @@ index 312e297..4814b4e 100644
}
retval = coredump_wait(exit_code, &core_state);
-@@ -2195,7 +2601,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2195,7 +2616,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
}
cprm.limit = RLIM_INFINITY;
@@ -48142,7 +48199,7 @@ index 312e297..4814b4e 100644
if (core_pipe_limit && (core_pipe_limit < dump_count)) {
printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
task_tgid_vnr(current), current->comm);
-@@ -2222,9 +2628,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2222,9 +2643,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
} else {
struct inode *inode;
@@ -48162,7 +48219,7 @@ index 312e297..4814b4e 100644
cprm.file = filp_open(cn.corename,
O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
0600);
-@@ -2265,7 +2681,7 @@ close_fail:
+@@ -2265,7 +2696,7 @@ close_fail:
filp_close(cprm.file, NULL);
fail_dropcount:
if (ispipe)
@@ -48171,7 +48228,7 @@ index 312e297..4814b4e 100644
fail_unlock:
kfree(cn.corename);
fail_corename:
-@@ -2284,7 +2700,7 @@ fail:
+@@ -2284,7 +2715,7 @@ fail:
*/
int dump_write(struct file *file, const void *addr, int nr)
{
@@ -48210,6 +48267,28 @@ index a203892..4e64db5 100644
return 0;
}
return 1;
+diff --git a/fs/ext3/super.c b/fs/ext3/super.c
+index 922d289..b7f314f 100644
+--- a/fs/ext3/super.c
++++ b/fs/ext3/super.c
+@@ -374,7 +374,7 @@ static struct block_device *ext3_blkdev_get(dev_t dev, struct super_block *sb)
+ return bdev;
+
+ fail:
+- ext3_msg(sb, "error: failed to open journal device %s: %ld",
++ ext3_msg(sb, KERN_ERR, "error: failed to open journal device %s: %ld",
+ __bdevname(dev, b), PTR_ERR(bdev));
+
+ return NULL;
+@@ -902,7 +902,7 @@ static ext3_fsblk_t get_sb_block(void **data, struct super_block *sb)
+ /*todo: use simple_strtoll with >32bit ext3 */
+ sb_block = simple_strtoul(options, &options, 0);
+ if (*options && *options != ',') {
+- ext3_msg(sb, "error: invalid sb specification: %s",
++ ext3_msg(sb, KERN_ERR, "error: invalid sb specification: %s",
+ (char *) *data);
+ return 1;
+ }
diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
index 484ffee..08d7602 100644
--- a/fs/ext4/balloc.c
@@ -50251,7 +50330,7 @@ index fcc50ab..c3dacf26 100644
lock_flocks();
diff --git a/fs/namei.c b/fs/namei.c
-index 9680cef..d943724 100644
+index 9680cef..36c9152 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -279,16 +279,32 @@ int generic_permission(struct inode *inode, int mask)
@@ -50344,17 +50423,11 @@ index 9680cef..d943724 100644
put_link(nd, &link, cookie);
}
}
-@@ -1624,6 +1644,19 @@ static int path_lookupat(int dfd, const char *name,
+@@ -1624,6 +1644,13 @@ static int path_lookupat(int dfd, const char *name,
if (!err)
err = complete_walk(nd);
+ if (!err && !(nd->flags & LOOKUP_PARENT)) {
-+#ifdef CONFIG_GRKERNSEC
-+ if (flags & LOOKUP_RCU) {
-+ path_put(&nd->path);
-+ err = -ECHILD;
-+ } else
-+#endif
+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
+ path_put(&nd->path);
+ err = -ENOENT;
@@ -50364,23 +50437,20 @@ index 9680cef..d943724 100644
if (!err && nd->flags & LOOKUP_DIRECTORY) {
if (!nd->inode->i_op->lookup) {
path_put(&nd->path);
-@@ -1651,6 +1684,15 @@ static int do_path_lookup(int dfd, const char *name,
- retval = path_lookupat(dfd, name, flags | LOOKUP_REVAL, nd);
-
- if (likely(!retval)) {
+@@ -1655,6 +1682,12 @@ static int do_path_lookup(int dfd, const char *name,
+ if (nd->path.dentry && nd->inode)
+ audit_inode(name, nd->path.dentry);
+ }
+ if (*name != '/' && nd->path.dentry && nd->inode) {
-+#ifdef CONFIG_GRKERNSEC
-+ if (flags & LOOKUP_RCU)
-+ return -ECHILD;
-+#endif
-+ if (!gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
++ if (!gr_chroot_fchdir(nd->path.dentry, nd->path.mnt)) {
++ path_put(&nd->path);
+ return -ENOENT;
++ }
+ }
-+
- if (unlikely(!audit_dummy_context())) {
- if (nd->path.dentry && nd->inode)
- audit_inode(name, nd->path.dentry);
-@@ -1784,7 +1826,13 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
+ }
+ return retval;
+ }
+@@ -1784,7 +1817,13 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
if (!len)
return ERR_PTR(-EACCES);
@@ -50394,7 +50464,7 @@ index 9680cef..d943724 100644
while (len--) {
c = *(const unsigned char *)name++;
if (c == '/' || c == '\0')
-@@ -2048,6 +2096,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
+@@ -2048,6 +2087,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
if (flag & O_NOATIME && !inode_owner_or_capable(inode))
return -EPERM;
@@ -50408,7 +50478,7 @@ index 9680cef..d943724 100644
return 0;
}
-@@ -2083,7 +2138,7 @@ static inline int open_to_namei_flags(int flag)
+@@ -2083,7 +2129,7 @@ static inline int open_to_namei_flags(int flag)
/*
* Handle the last step of open()
*/
@@ -50417,16 +50487,10 @@ index 9680cef..d943724 100644
const struct open_flags *op, const char *pathname)
{
struct dentry *dir = nd->path.dentry;
-@@ -2109,16 +2164,44 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2109,16 +2155,32 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
error = complete_walk(nd);
if (error)
return ERR_PTR(error);
-+#ifdef CONFIG_GRKERNSEC
-+ if (nd->flags & LOOKUP_RCU) {
-+ error = -ECHILD;
-+ goto exit;
-+ }
-+#endif
+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
+ error = -ENOENT;
+ goto exit;
@@ -50445,12 +50509,6 @@ index 9680cef..d943724 100644
error = complete_walk(nd);
if (error)
return ERR_PTR(error);
-+#ifdef CONFIG_GRKERNSEC
-+ if (nd->flags & LOOKUP_RCU) {
-+ error = -ECHILD;
-+ goto exit;
-+ }
-+#endif
+ if (!gr_acl_handle_hidden_file(dir, nd->path.mnt)) {
+ error = -ENOENT;
+ goto exit;
@@ -50462,7 +50520,7 @@ index 9680cef..d943724 100644
audit_inode(pathname, dir);
goto ok;
}
-@@ -2134,18 +2217,37 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2134,18 +2196,31 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
!symlink_ok);
if (error < 0)
return ERR_PTR(error);
@@ -50478,12 +50536,6 @@ index 9680cef..d943724 100644
error = complete_walk(nd);
if (error)
return ERR_PTR(error);
-+#ifdef CONFIG_GRKERNSEC
-+ if (nd->flags & LOOKUP_RCU) {
-+ error = -ECHILD;
-+ goto exit;
-+ }
-+#endif
+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
+ error = -ENOENT;
+ goto exit;
@@ -50501,7 +50553,7 @@ index 9680cef..d943724 100644
audit_inode(pathname, nd->path.dentry);
goto ok;
}
-@@ -2180,6 +2282,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2180,6 +2255,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
/* Negative dentry, just create the file */
if (!dentry->d_inode) {
int mode = op->mode;
@@ -50519,7 +50571,7 @@ index 9680cef..d943724 100644
if (!IS_POSIXACL(dir->d_inode))
mode &= ~current_umask();
/*
-@@ -2203,6 +2316,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2203,6 +2289,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
error = vfs_create(dir->d_inode, dentry, mode, nd);
if (error)
goto exit_mutex_unlock;
@@ -50528,7 +50580,7 @@ index 9680cef..d943724 100644
mutex_unlock(&dir->d_inode->i_mutex);
dput(nd->path.dentry);
nd->path.dentry = dentry;
-@@ -2212,6 +2327,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2212,6 +2300,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
/*
* It already exists.
*/
@@ -50548,7 +50600,7 @@ index 9680cef..d943724 100644
mutex_unlock(&dir->d_inode->i_mutex);
audit_inode(pathname, path->dentry);
-@@ -2230,11 +2358,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2230,11 +2331,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
if (!path->dentry->d_inode)
goto exit_dput;
@@ -50567,7 +50619,7 @@ index 9680cef..d943724 100644
/* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */
error = complete_walk(nd);
if (error)
-@@ -2242,6 +2376,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2242,6 +2349,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
error = -EISDIR;
if (S_ISDIR(nd->inode->i_mode))
goto exit;
@@ -50580,7 +50632,7 @@ index 9680cef..d943724 100644
ok:
if (!S_ISREG(nd->inode->i_mode))
will_truncate = 0;
-@@ -2314,7 +2454,7 @@ static struct file *path_openat(int dfd, const char *pathname,
+@@ -2314,7 +2427,7 @@ static struct file *path_openat(int dfd, const char *pathname,
if (unlikely(error))
goto out_filp;
@@ -50589,7 +50641,7 @@ index 9680cef..d943724 100644
while (unlikely(!filp)) { /* trailing symlink */
struct path link = path;
void *cookie;
-@@ -2329,8 +2469,9 @@ static struct file *path_openat(int dfd, const char *pathname,
+@@ -2329,8 +2442,9 @@ static struct file *path_openat(int dfd, const char *pathname,
error = follow_link(&link, nd, &cookie);
if (unlikely(error))
filp = ERR_PTR(error);
@@ -50601,7 +50653,7 @@ index 9680cef..d943724 100644
put_link(nd, &link, cookie);
}
out:
-@@ -2424,6 +2565,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path
+@@ -2424,6 +2538,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path
*path = nd.path;
return dentry;
eexist:
@@ -50613,7 +50665,7 @@ index 9680cef..d943724 100644
dput(dentry);
dentry = ERR_PTR(-EEXIST);
fail:
-@@ -2446,6 +2592,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat
+@@ -2446,6 +2565,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat
}
EXPORT_SYMBOL(user_path_create);
@@ -50634,7 +50686,7 @@ index 9680cef..d943724 100644
int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
{
int error = may_create(dir, dentry);
-@@ -2513,6 +2673,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
+@@ -2513,6 +2646,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
error = mnt_want_write(path.mnt);
if (error)
goto out_dput;
@@ -50652,7 +50704,7 @@ index 9680cef..d943724 100644
error = security_path_mknod(&path, dentry, mode, dev);
if (error)
goto out_drop_write;
-@@ -2530,6 +2701,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
+@@ -2530,6 +2674,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
}
out_drop_write:
mnt_drop_write(path.mnt);
@@ -50662,7 +50714,7 @@ index 9680cef..d943724 100644
out_dput:
dput(dentry);
mutex_unlock(&path.dentry->d_inode->i_mutex);
-@@ -2579,12 +2753,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
+@@ -2579,12 +2726,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
error = mnt_want_write(path.mnt);
if (error)
goto out_dput;
@@ -50684,7 +50736,7 @@ index 9680cef..d943724 100644
out_dput:
dput(dentry);
mutex_unlock(&path.dentry->d_inode->i_mutex);
-@@ -2664,6 +2847,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2664,6 +2820,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
char * name;
struct dentry *dentry;
struct nameidata nd;
@@ -50693,7 +50745,7 @@ index 9680cef..d943724 100644
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2692,6 +2877,15 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2692,6 +2850,15 @@ static long do_rmdir(int dfd, const char __user *pathname)
error = -ENOENT;
goto exit3;
}
@@ -50709,7 +50761,7 @@ index 9680cef..d943724 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit3;
-@@ -2699,6 +2893,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2699,6 +2866,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
if (error)
goto exit4;
error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
@@ -50718,7 +50770,7 @@ index 9680cef..d943724 100644
exit4:
mnt_drop_write(nd.path.mnt);
exit3:
-@@ -2761,6 +2957,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2761,6 +2930,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
struct dentry *dentry;
struct nameidata nd;
struct inode *inode = NULL;
@@ -50727,7 +50779,7 @@ index 9680cef..d943724 100644
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2783,6 +2981,16 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2783,6 +2954,16 @@ static long do_unlinkat(int dfd, const char __user *pathname)
if (!inode)
goto slashes;
ihold(inode);
@@ -50744,7 +50796,7 @@ index 9680cef..d943724 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit2;
-@@ -2790,6 +2998,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2790,6 +2971,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
if (error)
goto exit3;
error = vfs_unlink(nd.path.dentry->d_inode, dentry);
@@ -50753,7 +50805,7 @@ index 9680cef..d943724 100644
exit3:
mnt_drop_write(nd.path.mnt);
exit2:
-@@ -2865,10 +3075,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
+@@ -2865,10 +3048,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
error = mnt_want_write(path.mnt);
if (error)
goto out_dput;
@@ -50772,7 +50824,7 @@ index 9680cef..d943724 100644
out_drop_write:
mnt_drop_write(path.mnt);
out_dput:
-@@ -2940,6 +3158,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -2940,6 +3131,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
{
struct dentry *new_dentry;
struct path old_path, new_path;
@@ -50780,7 +50832,7 @@ index 9680cef..d943724 100644
int how = 0;
int error;
-@@ -2963,7 +3182,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -2963,7 +3155,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
if (error)
return error;
@@ -50789,7 +50841,7 @@ index 9680cef..d943724 100644
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
goto out;
-@@ -2974,13 +3193,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -2974,13 +3166,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
error = mnt_want_write(new_path.mnt);
if (error)
goto out_dput;
@@ -50820,7 +50872,7 @@ index 9680cef..d943724 100644
dput(new_dentry);
mutex_unlock(&new_path.dentry->d_inode->i_mutex);
path_put(&new_path);
-@@ -3208,6 +3444,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -3208,6 +3417,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
if (new_dentry == trap)
goto exit5;
@@ -50833,7 +50885,7 @@ index 9680cef..d943724 100644
error = mnt_want_write(oldnd.path.mnt);
if (error)
goto exit5;
-@@ -3217,6 +3459,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -3217,6 +3432,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
goto exit6;
error = vfs_rename(old_dir->d_inode, old_dentry,
new_dir->d_inode, new_dentry);
@@ -50843,7 +50895,7 @@ index 9680cef..d943724 100644
exit6:
mnt_drop_write(oldnd.path.mnt);
exit5:
-@@ -3242,6 +3487,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -3242,6 +3460,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
{
@@ -50852,7 +50904,7 @@ index 9680cef..d943724 100644
int len;
len = PTR_ERR(link);
-@@ -3251,7 +3498,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+@@ -3251,7 +3471,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
len = strlen(link);
if (len > (unsigned) buflen)
len = buflen;
@@ -54756,10 +54808,10 @@ index 0000000..1b9afa9
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..740ce0b
+index 0000000..e3890d0
--- /dev/null
+++ b/grsecurity/gracl.c
-@@ -0,0 +1,4212 @@
+@@ -0,0 +1,4216 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -54785,6 +54837,7 @@ index 0000000..740ce0b
+#include <linux/stop_machine.h>
+#include <linux/fdtable.h>
+#include <linux/percpu.h>
++#include <linux/posix-timers.h>
+
+#include <asm/uaccess.h>
+#include <asm/errno.h>
@@ -57078,6 +57131,9 @@ index 0000000..740ce0b
+
+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
++
++ if (i == RLIMIT_CPU)
++ update_rlimit_cpu(task, proc->res[i].rlim_cur);
+ }
+
+ return;
@@ -61476,10 +61532,10 @@ index 0000000..b79fe50
+#endif
diff --git a/grsecurity/grsec_exec.c b/grsecurity/grsec_exec.c
new file mode 100644
-index 0000000..2b05ada
+index 0000000..ee1f60f
--- /dev/null
+++ b/grsecurity/grsec_exec.c
-@@ -0,0 +1,146 @@
+@@ -0,0 +1,159 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/file.h>
@@ -61491,6 +61547,7 @@ index 0000000..2b05ada
+#include <linux/grinternal.h>
+#include <linux/capability.h>
+#include <linux/module.h>
++#include <linux/compat.h>
+
+#include <asm/uaccess.h>
+
@@ -61499,6 +61556,18 @@ index 0000000..2b05ada
+static DEFINE_MUTEX(gr_exec_arg_mutex);
+#endif
+
++struct user_arg_ptr {
++#ifdef CONFIG_COMPAT
++ bool is_compat;
++#endif
++ union {
++ const char __user *const __user *native;
++#ifdef CONFIG_COMPAT
++ const compat_uptr_t __user *compat;
++#endif
++ } ptr;
++};
++
+extern const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr);
+
+void
@@ -64583,6 +64652,19 @@ index 04ffb2e..6799180 100644
extern struct cleancache_ops
cleancache_register_ops(struct cleancache_ops *ops);
+diff --git a/include/linux/compat.h b/include/linux/compat.h
+index d42bd48..af682d2 100644
+--- a/include/linux/compat.h
++++ b/include/linux/compat.h
+@@ -334,7 +334,7 @@ extern int compat_ptrace_request(struct task_struct *child,
+ extern long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
+ compat_ulong_t addr, compat_ulong_t data);
+ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
+- compat_long_t addr, compat_long_t data);
++ compat_ulong_t addr, compat_ulong_t data);
+
+ /*
+ * epoll (fs/eventpoll.c) compat bits follow ...
diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h
index dfadc96..23c5182 100644
--- a/include/linux/compiler-gcc4.h
@@ -65990,10 +66072,10 @@ index 0000000..2bd4c8d
+#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..88c3d04
+index 0000000..14100e6
--- /dev/null
+++ b/include/linux/grsecurity.h
-@@ -0,0 +1,236 @@
+@@ -0,0 +1,221 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
@@ -66015,20 +66097,6 @@ index 0000000..88c3d04
+#error "CONFIG_PAX enabled, but no PaX options are enabled."
+#endif
+
-+#include <linux/compat.h>
-+
-+struct user_arg_ptr {
-+#ifdef CONFIG_COMPAT
-+ bool is_compat;
-+#endif
-+ union {
-+ const char __user *const __user *native;
-+#ifdef CONFIG_COMPAT
-+ compat_uptr_t __user *compat;
-+#endif
-+ } ptr;
-+};
-+
+void gr_handle_brute_attach(unsigned long mm_flags);
+void gr_handle_brute_check(void);
+void gr_handle_kernel_exploit(void);
@@ -66082,7 +66150,6 @@ index 0000000..88c3d04
+ const struct vfsmount *mnt);
+void gr_log_chroot_exec(const struct dentry *dentry,
+ const struct vfsmount *mnt);
-+void gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr argv);
+void gr_log_remount(const char *devname, const int retval);
+void gr_log_unmount(const char *devname, const int retval);
+void gr_log_mount(const char *from, const char *to, const int retval);
@@ -66626,7 +66693,7 @@ index 3797270..7765ede 100644
struct mca_bus {
u64 default_dma_mask;
diff --git a/include/linux/mm.h b/include/linux/mm.h
-index 4baadd1..8699dc0 100644
+index 4baadd1..8745271 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -115,7 +115,14 @@ extern unsigned int kobjsize(const void *objp);
@@ -66794,7 +66861,19 @@ index 4baadd1..8699dc0 100644
struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
unsigned long pfn, unsigned long size, pgprot_t);
-@@ -1614,7 +1625,7 @@ extern int unpoison_memory(unsigned long pfn);
+@@ -1534,6 +1545,11 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long);
+ static inline void vm_stat_account(struct mm_struct *mm,
+ unsigned long flags, struct file *file, long pages)
+ {
++#ifdef CONFIG_PAX_RANDMMAP
++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
++#endif
++
++ mm->total_vm += pages;
+ }
+ #endif /* CONFIG_PROC_FS */
+
+@@ -1614,7 +1630,7 @@ extern int unpoison_memory(unsigned long pfn);
extern int sysctl_memory_failure_early_kill;
extern int sysctl_memory_failure_recovery;
extern void shake_page(struct page *p, int access);
@@ -66803,7 +66882,7 @@ index 4baadd1..8699dc0 100644
extern int soft_offline_page(struct page *page, int flags);
extern void dump_page(struct page *page);
-@@ -1628,5 +1639,11 @@ extern void copy_user_huge_page(struct page *dst, struct page *src,
+@@ -1628,5 +1644,11 @@ extern void copy_user_huge_page(struct page *dst, struct page *src,
unsigned int pages_per_huge_page);
#endif /* CONFIG_TRANSPARENT_HUGEPAGE || CONFIG_HUGETLBFS */
@@ -66816,7 +66895,7 @@ index 4baadd1..8699dc0 100644
#endif /* __KERNEL__ */
#endif /* _LINUX_MM_H */
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
-index 5b42f1b..9782147 100644
+index 5b42f1b..759e4b4 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -253,6 +253,8 @@ struct vm_area_struct {
@@ -66828,15 +66907,6 @@ index 5b42f1b..9782147 100644
};
struct core_thread {
-@@ -327,7 +329,7 @@ struct mm_struct {
- unsigned long def_flags;
- unsigned long nr_ptes; /* Page table pages */
- unsigned long start_code, end_code, start_data, end_data;
-- unsigned long start_brk, brk, start_stack;
-+ unsigned long brk_gap, start_brk, brk, start_stack;
- unsigned long arg_start, arg_end, env_start, env_end;
-
- unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */
@@ -389,6 +391,24 @@ struct mm_struct {
#ifdef CONFIG_CPUMASK_OFFSTACK
struct cpumask cpumask_allocation;
@@ -69741,7 +69811,7 @@ index 2531811..040d4d4 100644
next_state = Reset;
return 0;
diff --git a/init/main.c b/init/main.c
-index 5d0eb1d..7b1084c 100644
+index 5d0eb1d..b462edb 100644
--- a/init/main.c
+++ b/init/main.c
@@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void) { }
@@ -69843,15 +69913,7 @@ index 5d0eb1d..7b1084c 100644
}
return ret;
-@@ -707,12 +765,22 @@ int __init_or_module do_one_initcall(initcall_t fn)
-
- extern initcall_t __initcall_start[], __initcall_end[], __early_initcall_end[];
-
-+#ifdef CONFIG_PAX_LATENT_ENTROPY
-+u64 latent_entropy;
-+#endif
-+
- static void __init do_initcalls(void)
+@@ -711,8 +769,14 @@ static void __init do_initcalls(void)
{
initcall_t *fn;
@@ -69859,15 +69921,15 @@ index 5d0eb1d..7b1084c 100644
+ for (fn = __early_initcall_end; fn < __initcall_end; fn++) {
do_one_initcall(*fn);
+
-+#ifdef CONFIG_PAX_LATENT_ENTROPY
-+ add_device_randomness(&latent_entropy, sizeof(latent_entropy));
++#ifdef LATENT_ENTROPY_PLUGIN
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
+#endif
+
+ }
}
/*
-@@ -738,8 +806,14 @@ static void __init do_pre_smp_initcalls(void)
+@@ -738,8 +802,14 @@ static void __init do_pre_smp_initcalls(void)
{
initcall_t *fn;
@@ -69875,15 +69937,15 @@ index 5d0eb1d..7b1084c 100644
+ for (fn = __initcall_start; fn < __early_initcall_end; fn++) {
do_one_initcall(*fn);
+
-+#ifdef CONFIG_PAX_LATENT_ENTROPY
-+ add_device_randomness(&latent_entropy, sizeof(latent_entropy));
++#ifdef LATENT_ENTROPY_PLUGIN
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
+#endif
+
+ }
}
static void run_init_process(const char *init_filename)
-@@ -821,7 +895,7 @@ static int __init kernel_init(void * unused)
+@@ -821,7 +891,7 @@ static int __init kernel_init(void * unused)
do_basic_setup();
/* Open the /dev/console on the rootfs, this should never fail */
@@ -69892,7 +69954,7 @@ index 5d0eb1d..7b1084c 100644
printk(KERN_WARNING "Warning: unable to open an initial console.\n");
(void) sys_dup(0);
-@@ -834,11 +908,13 @@ static int __init kernel_init(void * unused)
+@@ -834,11 +904,13 @@ static int __init kernel_init(void * unused)
if (!ramdisk_execute_command)
ramdisk_execute_command = "/init";
@@ -70831,7 +70893,7 @@ index 234e152..0ae0243 100644
{
struct signal_struct *sig = current->signal;
diff --git a/kernel/fork.c b/kernel/fork.c
-index ce0c182..07a5f7a 100644
+index ce0c182..2d6bd03 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -270,19 +270,24 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
@@ -70955,17 +71017,18 @@ index ce0c182..07a5f7a 100644
mm->map_count = 0;
cpumask_clear(mm_cpumask(mm));
mm->mm_rb = RB_ROOT;
-@@ -341,8 +411,6 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+@@ -341,63 +411,16 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
prev = NULL;
for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
- struct file *file;
-
if (mpnt->vm_flags & VM_DONTCOPY) {
- long pages = vma_pages(mpnt);
- mm->total_vm -= pages;
-@@ -350,54 +418,11 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
- -pages);
+- long pages = vma_pages(mpnt);
+- mm->total_vm -= pages;
+ vm_stat_account(mm, mpnt->vm_flags, mpnt->vm_file,
+- -pages);
++ -vma_pages(mpnt));
continue;
}
- charge = 0;
@@ -71023,7 +71086,7 @@ index ce0c182..07a5f7a 100644
/*
* Link in the new vma and copy the page table entries.
-@@ -420,6 +445,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+@@ -420,6 +443,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
if (retval)
goto out;
}
@@ -71055,7 +71118,7 @@ index ce0c182..07a5f7a 100644
/* a new mm has just been created */
arch_dup_mmap(oldmm, mm);
retval = 0;
-@@ -428,14 +478,6 @@ out:
+@@ -428,14 +476,6 @@ out:
flush_tlb_mm(oldmm);
up_write(&oldmm->mmap_sem);
return retval;
@@ -71070,7 +71133,7 @@ index ce0c182..07a5f7a 100644
}
static inline int mm_alloc_pgd(struct mm_struct *mm)
-@@ -647,6 +689,26 @@ struct mm_struct *get_task_mm(struct task_struct *task)
+@@ -647,6 +687,26 @@ struct mm_struct *get_task_mm(struct task_struct *task)
}
EXPORT_SYMBOL_GPL(get_task_mm);
@@ -71097,7 +71160,7 @@ index ce0c182..07a5f7a 100644
/* Please note the differences between mmput and mm_release.
* mmput is called whenever we stop holding onto a mm_struct,
* error success whatever.
-@@ -832,13 +894,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk)
+@@ -832,13 +892,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk)
spin_unlock(&fs->lock);
return -EAGAIN;
}
@@ -71119,7 +71182,7 @@ index ce0c182..07a5f7a 100644
return 0;
}
-@@ -1104,6 +1173,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+@@ -1104,6 +1171,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
#endif
retval = -EAGAIN;
@@ -71129,7 +71192,7 @@ index ce0c182..07a5f7a 100644
if (atomic_read(&p->real_cred->user->processes) >=
task_rlimit(p, RLIMIT_NPROC)) {
if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
-@@ -1341,6 +1413,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+@@ -1341,6 +1411,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
goto bad_fork_free_pid;
}
@@ -71141,7 +71204,7 @@ index ce0c182..07a5f7a 100644
if (clone_flags & CLONE_THREAD) {
current->signal->nr_threads++;
atomic_inc(&current->signal->live);
-@@ -1421,6 +1498,8 @@ bad_fork_cleanup_count:
+@@ -1421,6 +1496,8 @@ bad_fork_cleanup_count:
bad_fork_free:
free_task(p);
fork_out:
@@ -71150,7 +71213,7 @@ index ce0c182..07a5f7a 100644
return ERR_PTR(retval);
}
-@@ -1521,6 +1600,8 @@ long do_fork(unsigned long clone_flags,
+@@ -1521,6 +1598,8 @@ long do_fork(unsigned long clone_flags,
if (clone_flags & CLONE_PARENT_SETTID)
put_user(nr, parent_tidptr);
@@ -71159,7 +71222,7 @@ index ce0c182..07a5f7a 100644
if (clone_flags & CLONE_VFORK) {
p->vfork_done = &vfork;
init_completion(&vfork);
-@@ -1630,7 +1711,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
+@@ -1630,7 +1709,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
return 0;
/* don't need lock here; in the worst case we'll do useless copy */
@@ -71168,7 +71231,7 @@ index ce0c182..07a5f7a 100644
return 0;
*new_fsp = copy_fs_struct(fs);
-@@ -1719,7 +1800,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
+@@ -1719,7 +1798,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
fs = current->fs;
spin_lock(&fs->lock);
current->fs = new_fs;
@@ -73029,7 +73092,7 @@ index 76b8e77..a2930e8 100644
}
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
-index 67fedad..5333587 100644
+index 67fedad..32d32a04 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -211,7 +211,8 @@ int ptrace_check_attach(struct task_struct *child, bool ignore_state)
@@ -73154,6 +73217,15 @@ index 67fedad..5333587 100644
}
int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
+@@ -1050,7 +1075,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
+ }
+
+ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
+- compat_long_t addr, compat_long_t data)
++ compat_ulong_t addr, compat_ulong_t data)
+ {
+ struct task_struct *child;
+ long ret;
@@ -1066,14 +1091,21 @@ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
goto out;
}
@@ -77223,7 +77295,7 @@ index 4f4f53b..de8e432 100644
capable(CAP_IPC_LOCK))
ret = do_mlockall(flags);
diff --git a/mm/mmap.c b/mm/mmap.c
-index eae90af..0704837 100644
+index eae90af..b3c47a1 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -30,6 +30,7 @@
@@ -77423,13 +77495,19 @@ index eae90af..0704837 100644
if (err)
return NULL;
khugepaged_enter_vma_merge(area);
-@@ -921,14 +1002,11 @@ none:
+@@ -921,15 +1002,22 @@ none:
void vm_stat_account(struct mm_struct *mm, unsigned long flags,
struct file *file, long pages)
{
- const unsigned long stack_flags
- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
--
++
++#ifdef CONFIG_PAX_RANDMMAP
++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
++#endif
++
++ mm->total_vm += pages;
+
if (file) {
mm->shared_vm += pages;
if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
@@ -77437,9 +77515,13 @@ index eae90af..0704837 100644
- } else if (flags & stack_flags)
+ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
mm->stack_vm += pages;
++#ifdef CONFIG_PAX_RANDMMAP
++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
++#endif
if (flags & (VM_RESERVED|VM_IO))
mm->reserved_vm += pages;
-@@ -955,7 +1033,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+ }
+@@ -955,7 +1043,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
* (the exception is when the underlying filesystem is noexec
* mounted, in which case we dont add PROT_EXEC.)
*/
@@ -77448,7 +77530,7 @@ index eae90af..0704837 100644
if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
prot |= PROT_EXEC;
-@@ -981,7 +1059,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -981,7 +1069,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
/* Obtain the address to map to. we verify (or select) it and ensure
* that it represents a valid section of the address space.
*/
@@ -77457,7 +77539,7 @@ index eae90af..0704837 100644
if (addr & ~PAGE_MASK)
return addr;
-@@ -992,6 +1070,36 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -992,6 +1080,36 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
@@ -77494,7 +77576,7 @@ index eae90af..0704837 100644
if (flags & MAP_LOCKED)
if (!can_do_mlock())
return -EPERM;
-@@ -1003,6 +1111,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -1003,6 +1121,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
locked += mm->locked_vm;
lock_limit = rlimit(RLIMIT_MEMLOCK);
lock_limit >>= PAGE_SHIFT;
@@ -77502,7 +77584,7 @@ index eae90af..0704837 100644
if (locked > lock_limit && !capable(CAP_IPC_LOCK))
return -EAGAIN;
}
-@@ -1073,6 +1182,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -1073,6 +1192,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
if (error)
return error;
@@ -77512,7 +77594,7 @@ index eae90af..0704837 100644
return mmap_region(file, addr, len, flags, vm_flags, pgoff);
}
EXPORT_SYMBOL(do_mmap_pgoff);
-@@ -1153,7 +1265,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma)
+@@ -1153,7 +1275,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma)
vm_flags_t vm_flags = vma->vm_flags;
/* If it was private or non-writable, the write bit is already clear */
@@ -77521,7 +77603,7 @@ index eae90af..0704837 100644
return 0;
/* The backer wishes to know when pages are first written to? */
-@@ -1202,14 +1314,24 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
+@@ -1202,17 +1324,32 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
unsigned long charged = 0;
struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
@@ -77548,7 +77630,15 @@ index eae90af..0704837 100644
}
/* Check against address space limit. */
-@@ -1258,6 +1380,16 @@ munmap_back:
++
++#ifdef CONFIG_PAX_RANDMMAP
++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (vm_flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
++#endif
++
+ if (!may_expand_vm(mm, len >> PAGE_SHIFT))
+ return -ENOMEM;
+
+@@ -1258,6 +1395,16 @@ munmap_back:
goto unacct_error;
}
@@ -77565,7 +77655,7 @@ index eae90af..0704837 100644
vma->vm_mm = mm;
vma->vm_start = addr;
vma->vm_end = addr + len;
-@@ -1266,8 +1398,9 @@ munmap_back:
+@@ -1266,8 +1413,9 @@ munmap_back:
vma->vm_pgoff = pgoff;
INIT_LIST_HEAD(&vma->anon_vma_chain);
@@ -77576,7 +77666,7 @@ index eae90af..0704837 100644
if (vm_flags & (VM_GROWSDOWN|VM_GROWSUP))
goto free_vma;
if (vm_flags & VM_DENYWRITE) {
-@@ -1281,6 +1414,19 @@ munmap_back:
+@@ -1281,6 +1429,19 @@ munmap_back:
error = file->f_op->mmap(file, vma);
if (error)
goto unmap_and_free_vma;
@@ -77596,7 +77686,7 @@ index eae90af..0704837 100644
if (vm_flags & VM_EXECUTABLE)
added_exe_file_vma(mm);
-@@ -1293,6 +1439,8 @@ munmap_back:
+@@ -1293,6 +1454,8 @@ munmap_back:
pgoff = vma->vm_pgoff;
vm_flags = vma->vm_flags;
} else if (vm_flags & VM_SHARED) {
@@ -77605,7 +77695,7 @@ index eae90af..0704837 100644
error = shmem_zero_setup(vma);
if (error)
goto free_vma;
-@@ -1316,6 +1464,11 @@ munmap_back:
+@@ -1316,14 +1479,19 @@ munmap_back:
vma_link(mm, vma, prev, rb_link, rb_parent);
file = vma->vm_file;
@@ -77617,15 +77707,16 @@ index eae90af..0704837 100644
/* Once vma denies write, undo our temporary denial count */
if (correct_wcount)
atomic_inc(&inode->i_writecount);
-@@ -1324,6 +1477,7 @@ out:
+ out:
+ perf_event_mmap(vma);
- mm->total_vm += len >> PAGE_SHIFT;
+- mm->total_vm += len >> PAGE_SHIFT;
vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
+ track_exec_limit(mm, addr, addr + len, vm_flags);
if (vm_flags & VM_LOCKED) {
if (!mlock_vma_pages_range(vma, addr, addr + len))
mm->locked_vm += (len >> PAGE_SHIFT);
-@@ -1341,6 +1495,12 @@ unmap_and_free_vma:
+@@ -1341,6 +1509,12 @@ unmap_and_free_vma:
unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
charged = 0;
free_vma:
@@ -77638,7 +77729,7 @@ index eae90af..0704837 100644
kmem_cache_free(vm_area_cachep, vma);
unacct_error:
if (charged)
-@@ -1348,6 +1508,62 @@ unacct_error:
+@@ -1348,6 +1522,62 @@ unacct_error:
return error;
}
@@ -77701,7 +77792,7 @@ index eae90af..0704837 100644
/* Get an address range which is currently unmapped.
* For shmat() with addr=0.
*
-@@ -1367,6 +1583,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -1367,6 +1597,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
struct mm_struct *mm = current->mm;
struct vm_area_struct *vma;
unsigned long start_addr;
@@ -77709,7 +77800,7 @@ index eae90af..0704837 100644
if (len > TASK_SIZE)
return -ENOMEM;
-@@ -1374,18 +1591,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -1374,18 +1605,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
if (flags & MAP_FIXED)
return addr;
@@ -77740,7 +77831,7 @@ index eae90af..0704837 100644
}
full_search:
-@@ -1396,34 +1618,40 @@ full_search:
+@@ -1396,34 +1632,40 @@ full_search:
* Start a new search - just in case we missed
* some holes.
*/
@@ -77792,7 +77883,7 @@ index eae90af..0704837 100644
mm->free_area_cache = addr;
mm->cached_hole_size = ~0UL;
}
-@@ -1441,7 +1669,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1441,7 +1683,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
{
struct vm_area_struct *vma;
struct mm_struct *mm = current->mm;
@@ -77802,7 +77893,7 @@ index eae90af..0704837 100644
/* requested length too big for entire address space */
if (len > TASK_SIZE)
-@@ -1450,13 +1679,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1450,13 +1693,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
if (flags & MAP_FIXED)
return addr;
@@ -77825,7 +77916,7 @@ index eae90af..0704837 100644
}
/* check if free_area_cache is useful for us */
-@@ -1471,7 +1705,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1471,7 +1719,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
/* make sure it can fit in the remaining address space */
if (addr > len) {
vma = find_vma(mm, addr-len);
@@ -77834,7 +77925,7 @@ index eae90af..0704837 100644
/* remember the address as a hint for next time */
return (mm->free_area_cache = addr-len);
}
-@@ -1488,7 +1722,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1488,7 +1736,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
* return with success:
*/
vma = find_vma(mm, addr);
@@ -77843,7 +77934,7 @@ index eae90af..0704837 100644
/* remember the address as a hint for next time */
return (mm->free_area_cache = addr);
-@@ -1497,8 +1731,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1497,8 +1745,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
mm->cached_hole_size = vma->vm_start - addr;
/* try just below the current vma->vm_start */
@@ -77854,7 +77945,7 @@ index eae90af..0704837 100644
bottomup:
/*
-@@ -1507,13 +1741,21 @@ bottomup:
+@@ -1507,13 +1755,21 @@ bottomup:
* can happen with large stack limits and large mmap()
* allocations.
*/
@@ -77878,7 +77969,7 @@ index eae90af..0704837 100644
mm->cached_hole_size = ~0UL;
return addr;
-@@ -1522,6 +1764,12 @@ bottomup:
+@@ -1522,6 +1778,12 @@ bottomup:
void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
{
@@ -77891,7 +77982,7 @@ index eae90af..0704837 100644
/*
* Is this a new hole at the highest possible address?
*/
-@@ -1529,8 +1777,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
+@@ -1529,8 +1791,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
mm->free_area_cache = addr;
/* dont allow allocations above current base */
@@ -77903,7 +77994,7 @@ index eae90af..0704837 100644
}
unsigned long
-@@ -1603,40 +1853,50 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
+@@ -1603,40 +1867,50 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
EXPORT_SYMBOL(find_vma);
@@ -77979,7 +78070,7 @@ index eae90af..0704837 100644
/*
* Verify that the stack growth is acceptable and
-@@ -1654,6 +1914,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -1654,6 +1928,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
return -ENOMEM;
/* Stack limit test */
@@ -77987,7 +78078,7 @@ index eae90af..0704837 100644
if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
return -ENOMEM;
-@@ -1664,6 +1925,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -1664,6 +1939,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
locked = mm->locked_vm + grow;
limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
limit >>= PAGE_SHIFT;
@@ -77995,7 +78086,15 @@ index eae90af..0704837 100644
if (locked > limit && !capable(CAP_IPC_LOCK))
return -ENOMEM;
}
-@@ -1694,37 +1956,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -1682,7 +1958,6 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+ return -ENOMEM;
+
+ /* Ok, everything looks good - let it rip */
+- mm->total_vm += grow;
+ if (vma->vm_flags & VM_LOCKED)
+ mm->locked_vm += grow;
+ vm_stat_account(mm, vma->vm_flags, vma->vm_file, grow);
+@@ -1694,37 +1969,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
* PA-RISC uses this for its stack; IA64 for its Register Backing Store.
* vma is the last one with address > vma->vm_end. Have to extend vma.
*/
@@ -78053,7 +78152,7 @@ index eae90af..0704837 100644
unsigned long size, grow;
size = address - vma->vm_start;
-@@ -1739,6 +2012,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+@@ -1739,6 +2025,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
}
}
}
@@ -78062,7 +78161,7 @@ index eae90af..0704837 100644
vma_unlock_anon_vma(vma);
khugepaged_enter_vma_merge(vma);
return error;
-@@ -1752,6 +2027,8 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -1752,6 +2040,8 @@ int expand_downwards(struct vm_area_struct *vma,
unsigned long address)
{
int error;
@@ -78071,7 +78170,7 @@ index eae90af..0704837 100644
/*
* We must make sure the anon_vma is allocated
-@@ -1765,6 +2042,15 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -1765,6 +2055,15 @@ int expand_downwards(struct vm_area_struct *vma,
if (error)
return error;
@@ -78087,7 +78186,7 @@ index eae90af..0704837 100644
vma_lock_anon_vma(vma);
/*
-@@ -1774,9 +2060,17 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -1774,9 +2073,17 @@ int expand_downwards(struct vm_area_struct *vma,
*/
/* Somebody else might have raced and expanded it already */
@@ -78106,7 +78205,7 @@ index eae90af..0704837 100644
size = vma->vm_end - address;
grow = (vma->vm_start - address) >> PAGE_SHIFT;
-@@ -1786,18 +2080,48 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -1786,18 +2093,48 @@ int expand_downwards(struct vm_area_struct *vma,
if (!error) {
vma->vm_start = address;
vma->vm_pgoff -= grow;
@@ -78155,7 +78254,7 @@ index eae90af..0704837 100644
return expand_upwards(vma, address);
}
-@@ -1820,6 +2144,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr)
+@@ -1820,6 +2157,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr)
#else
int expand_stack(struct vm_area_struct *vma, unsigned long address)
{
@@ -78170,10 +78269,11 @@ index eae90af..0704837 100644
return expand_downwards(vma, address);
}
-@@ -1860,6 +2192,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -1860,7 +2205,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
do {
long nrpages = vma_pages(vma);
+- mm->total_vm -= nrpages;
+#ifdef CONFIG_PAX_SEGMEXEC
+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
+ vma = remove_vma(vma);
@@ -78181,10 +78281,10 @@ index eae90af..0704837 100644
+ }
+#endif
+
- mm->total_vm -= nrpages;
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
vma = remove_vma(vma);
-@@ -1905,6 +2244,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+ } while (vma);
+@@ -1905,6 +2256,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
insertion_point = (prev ? &prev->vm_next : &mm->mmap);
vma->vm_prev = NULL;
do {
@@ -78201,7 +78301,7 @@ index eae90af..0704837 100644
rb_erase(&vma->vm_rb, &mm->mm_rb);
mm->map_count--;
tail_vma = vma;
-@@ -1933,14 +2282,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1933,14 +2294,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
struct vm_area_struct *new;
int err = -ENOMEM;
@@ -78235,7 +78335,7 @@ index eae90af..0704837 100644
/* most fields are the same, copy all, and then fixup */
*new = *vma;
-@@ -1953,6 +2321,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1953,6 +2333,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
}
@@ -78258,7 +78358,7 @@ index eae90af..0704837 100644
pol = mpol_dup(vma_policy(vma));
if (IS_ERR(pol)) {
err = PTR_ERR(pol);
-@@ -1978,6 +2362,42 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1978,6 +2374,42 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
else
err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
@@ -78301,7 +78401,7 @@ index eae90af..0704837 100644
/* Success. */
if (!err)
return 0;
-@@ -1990,10 +2410,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1990,10 +2422,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
removed_exe_file_vma(mm);
fput(new->vm_file);
}
@@ -78321,7 +78421,7 @@ index eae90af..0704837 100644
kmem_cache_free(vm_area_cachep, new);
out_err:
return err;
-@@ -2006,6 +2434,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2006,6 +2446,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
unsigned long addr, int new_below)
{
@@ -78337,7 +78437,7 @@ index eae90af..0704837 100644
if (mm->map_count >= sysctl_max_map_count)
return -ENOMEM;
-@@ -2017,11 +2454,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2017,11 +2466,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
* work. This now handles partial unmappings.
* Jeremy Fitzhardinge <jeremy@goop.org>
*/
@@ -78368,7 +78468,7 @@ index eae90af..0704837 100644
if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
return -EINVAL;
-@@ -2096,6 +2552,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
+@@ -2096,6 +2564,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
/* Fix up all other VM information */
remove_vma_list(mm, vma);
@@ -78377,7 +78477,7 @@ index eae90af..0704837 100644
return 0;
}
-@@ -2108,22 +2566,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
+@@ -2108,22 +2578,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
profile_munmap(addr);
@@ -78406,7 +78506,7 @@ index eae90af..0704837 100644
/*
* this is really a simplified "do_mmap". it only handles
* anonymous maps. eventually we may be able to do some
-@@ -2137,6 +2591,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2137,6 +2603,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
struct rb_node ** rb_link, * rb_parent;
pgoff_t pgoff = addr >> PAGE_SHIFT;
int error;
@@ -78414,7 +78514,7 @@ index eae90af..0704837 100644
len = PAGE_ALIGN(len);
if (!len)
-@@ -2148,16 +2603,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2148,16 +2615,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
@@ -78446,7 +78546,7 @@ index eae90af..0704837 100644
locked += mm->locked_vm;
lock_limit = rlimit(RLIMIT_MEMLOCK);
lock_limit >>= PAGE_SHIFT;
-@@ -2174,22 +2643,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2174,22 +2655,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
/*
* Clear old maps. this also does some error checking for us
*/
@@ -78473,7 +78573,7 @@ index eae90af..0704837 100644
return -ENOMEM;
/* Can we just expand an old private anonymous mapping? */
-@@ -2203,7 +2672,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2203,7 +2684,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
*/
vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
if (!vma) {
@@ -78482,7 +78582,7 @@ index eae90af..0704837 100644
return -ENOMEM;
}
-@@ -2217,11 +2686,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2217,11 +2698,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
vma_link(mm, vma, prev, rb_link, rb_parent);
out:
perf_event_mmap(vma);
@@ -78497,7 +78597,7 @@ index eae90af..0704837 100644
return addr;
}
-@@ -2268,8 +2738,10 @@ void exit_mmap(struct mm_struct *mm)
+@@ -2268,8 +2750,10 @@ void exit_mmap(struct mm_struct *mm)
* Walk the list again, actually closing and freeing it,
* with preemption enabled, without holding any MM locks.
*/
@@ -78509,7 +78609,7 @@ index eae90af..0704837 100644
BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
}
-@@ -2283,6 +2755,13 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
+@@ -2283,6 +2767,13 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
struct vm_area_struct * __vma, * prev;
struct rb_node ** rb_link, * rb_parent;
@@ -78523,7 +78623,7 @@ index eae90af..0704837 100644
/*
* The vm_pgoff of a purely anonymous vma should be irrelevant
* until its first write fault, when page's anon_vma and index
-@@ -2305,7 +2784,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
+@@ -2305,7 +2796,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
if ((vma->vm_flags & VM_ACCOUNT) &&
security_vm_enough_memory_mm(mm, vma_pages(vma)))
return -ENOMEM;
@@ -78546,7 +78646,7 @@ index eae90af..0704837 100644
return 0;
}
-@@ -2323,6 +2817,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2323,6 +2829,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
struct rb_node **rb_link, *rb_parent;
struct mempolicy *pol;
@@ -78555,7 +78655,7 @@ index eae90af..0704837 100644
/*
* If anonymous vma has not yet been faulted, update new pgoff
* to match new location, to increase its chance of merging.
-@@ -2373,6 +2869,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2373,6 +2881,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
return NULL;
}
@@ -78595,20 +78695,15 @@ index eae90af..0704837 100644
/*
* Return true if the calling process may expand its vm space by the passed
* number of pages
-@@ -2384,6 +2913,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
+@@ -2384,6 +2925,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
-+#ifdef CONFIG_PAX_RANDMMAP
-+ if (mm->pax_flags & MF_PAX_RANDMMAP)
-+ cur -= mm->brk_gap;
-+#endif
-+
+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
if (cur + npages > lim)
return 0;
return 1;
-@@ -2454,6 +2989,22 @@ int install_special_mapping(struct mm_struct *mm,
+@@ -2454,6 +2996,22 @@ int install_special_mapping(struct mm_struct *mm,
vma->vm_start = addr;
vma->vm_end = addr + len;
@@ -78862,7 +78957,7 @@ index 5a688a2..27e031c 100644
if (nstart < prev->vm_end)
diff --git a/mm/mremap.c b/mm/mremap.c
-index d6959cb..18a402a 100644
+index d6959cb..c9e1e45 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -106,6 +106,12 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,
@@ -78878,7 +78973,15 @@ index d6959cb..18a402a 100644
set_pte_at(mm, new_addr, new_pte, pte);
}
-@@ -290,6 +296,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
+@@ -251,7 +257,6 @@ static unsigned long move_vma(struct vm_area_struct *vma,
+ * If this were a serious issue, we'd add a flag to do_munmap().
+ */
+ hiwater_vm = mm->hiwater_vm;
+- mm->total_vm += new_len >> PAGE_SHIFT;
+ vm_stat_account(mm, vma->vm_flags, vma->vm_file, new_len>>PAGE_SHIFT);
+
+ if (do_munmap(mm, old_addr, old_len) < 0) {
+@@ -290,6 +295,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
if (is_vm_hugetlb_page(vma))
goto Einval;
@@ -78890,7 +78993,7 @@ index d6959cb..18a402a 100644
/* We can't remap across vm area boundaries */
if (old_len > vma->vm_end - addr)
goto Efault;
-@@ -346,20 +357,25 @@ static unsigned long mremap_to(unsigned long addr,
+@@ -346,20 +356,25 @@ static unsigned long mremap_to(unsigned long addr,
unsigned long ret = -EINVAL;
unsigned long charged = 0;
unsigned long map_flags;
@@ -78921,7 +79024,7 @@ index d6959cb..18a402a 100644
goto out;
ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
-@@ -431,6 +447,7 @@ unsigned long do_mremap(unsigned long addr,
+@@ -431,6 +446,7 @@ unsigned long do_mremap(unsigned long addr,
struct vm_area_struct *vma;
unsigned long ret = -EINVAL;
unsigned long charged = 0;
@@ -78929,7 +79032,7 @@ index d6959cb..18a402a 100644
if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
goto out;
-@@ -449,6 +466,17 @@ unsigned long do_mremap(unsigned long addr,
+@@ -449,6 +465,17 @@ unsigned long do_mremap(unsigned long addr,
if (!new_len)
goto out;
@@ -78947,7 +79050,15 @@ index d6959cb..18a402a 100644
if (flags & MREMAP_FIXED) {
if (flags & MREMAP_MAYMOVE)
ret = mremap_to(addr, old_len, new_addr, new_len);
-@@ -498,6 +526,7 @@ unsigned long do_mremap(unsigned long addr,
+@@ -490,7 +517,6 @@ unsigned long do_mremap(unsigned long addr,
+ goto out;
+ }
+
+- mm->total_vm += pages;
+ vm_stat_account(mm, vma->vm_flags, vma->vm_file, pages);
+ if (vma->vm_flags & VM_LOCKED) {
+ mm->locked_vm += pages;
+@@ -498,6 +524,7 @@ unsigned long do_mremap(unsigned long addr,
addr + new_len);
}
ret = addr;
@@ -78955,7 +79066,7 @@ index d6959cb..18a402a 100644
goto out;
}
}
-@@ -524,7 +553,13 @@ unsigned long do_mremap(unsigned long addr,
+@@ -524,7 +551,13 @@ unsigned long do_mremap(unsigned long addr,
ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
if (ret)
goto out;
@@ -79056,10 +79167,18 @@ index 50f0824..97710b4 100644
.next = NULL,
};
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
-index 5c028e2..4f0e54f 100644
+index 5c028e2..501e1e9 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
-@@ -341,7 +341,7 @@ out:
+@@ -57,6 +57,7 @@
+ #include <linux/ftrace_event.h>
+ #include <linux/memcontrol.h>
+ #include <linux/prefetch.h>
++#include <linux/random.h>
+
+ #include <asm/tlbflush.h>
+ #include <asm/div64.h>
+@@ -341,7 +342,7 @@ out:
* This usage means that zero-order pages may not be compound.
*/
@@ -79068,7 +79187,7 @@ index 5c028e2..4f0e54f 100644
{
__free_pages_ok(page, compound_order(page));
}
-@@ -654,6 +654,10 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
+@@ -654,6 +655,10 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
int i;
int bad = 0;
@@ -79079,7 +79198,7 @@ index 5c028e2..4f0e54f 100644
trace_mm_page_free_direct(page, order);
kmemcheck_free_shadow(page, order);
-@@ -669,6 +673,12 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
+@@ -669,6 +674,12 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
debug_check_no_obj_freed(page_address(page),
PAGE_SIZE << order);
}
@@ -79092,7 +79211,48 @@ index 5c028e2..4f0e54f 100644
arch_free_page(page, order);
kernel_map_pages(page, 1 << order, 0);
-@@ -784,8 +794,10 @@ static int prep_new_page(struct page *page, int order, gfp_t gfp_flags)
+@@ -692,6 +703,19 @@ static void __free_pages_ok(struct page *page, unsigned int order)
+ local_irq_restore(flags);
+ }
+
++#ifdef CONFIG_PAX_LATENT_ENTROPY
++bool __meminitdata extra_latent_entropy;
++
++static int __init setup_pax_extra_latent_entropy(char *str)
++{
++ extra_latent_entropy = true;
++ return 0;
++}
++early_param("pax_extra_latent_entropy", setup_pax_extra_latent_entropy);
++
++volatile u64 latent_entropy;
++#endif
++
+ /*
+ * permit the bootmem allocator to evade page validation on high-order frees
+ */
+@@ -715,6 +739,20 @@ void __meminit __free_pages_bootmem(struct page *page, unsigned int order)
+ set_page_count(p, 0);
+ }
+
++#ifdef CONFIG_PAX_LATENT_ENTROPY
++ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
++ unsigned int nr_pages = 1 << order;
++ u64 hash = 0;
++ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
++ const u64 *data = lowmem_page_address(page);
++
++ for (index = 0; index < end; index++)
++ hash ^= hash + data[index];
++ latent_entropy ^= hash;
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
++ }
++#endif
++
+ set_page_refcounted(page);
+ __free_pages(page, order);
+ }
+@@ -784,8 +822,10 @@ static int prep_new_page(struct page *page, int order, gfp_t gfp_flags)
arch_alloc_page(page, order);
kernel_map_pages(page, 1 << order, 1);
@@ -79103,7 +79263,7 @@ index 5c028e2..4f0e54f 100644
if (order && (gfp_flags & __GFP_COMP))
prep_compound_page(page, order);
-@@ -3395,7 +3407,13 @@ static int pageblock_is_reserved(unsigned long start_pfn, unsigned long end_pfn)
+@@ -3395,7 +3435,13 @@ static int pageblock_is_reserved(unsigned long start_pfn, unsigned long end_pfn)
unsigned long pfn;
for (pfn = start_pfn; pfn < end_pfn; pfn++) {
@@ -83195,6 +83355,23 @@ index 8c25419..47a51ae 100644
}
int udp6_seq_show(struct seq_file *seq, void *v)
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index c24f25a..f4b49c5 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -2584,8 +2584,10 @@ bed:
+ NULL, NULL, NULL);
+
+ /* Check if the we got some results */
+- if (!self->cachedaddr)
+- return -EAGAIN; /* Didn't find any devices */
++ if (!self->cachedaddr) {
++ err = -EAGAIN; /* Didn't find any devices */
++ goto out;
++ }
+ daddr = self->cachedaddr;
+ /* Cleanup */
+ self->cachedaddr = 0;
diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c
index 253695d..9481ce8 100644
--- a/net/irda/ircomm/ircomm_tty.c
@@ -85953,10 +86130,10 @@ index 38f6617..e70b72b 100755
exuberant()
diff --git a/security/Kconfig b/security/Kconfig
-index 51bd5a0..595fa16 100644
+index 51bd5a0..cedcdeb 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,902 @@
+@@ -4,6 +4,907 @@
menu "Security options"
@@ -86839,6 +87016,11 @@ index 51bd5a0..595fa16 100644
+ there is little 'natural' source of entropy normally. The cost
+ is some slowdown of the boot process.
+
++ When pax_extra_latent_entropy is passed on the kernel command line,
++ entropy will be extracted from up to the first 4GB of RAM while the
++ runtime memory allocator is being initialized. This costs even more
++ slowdown of the boot process.
++
+ Note that the implementation requires a gcc with plugin support,
+ i.e., gcc 4.5 or newer. You may need to install the supporting
+ headers explicitly in addition to the normal gcc package.
@@ -86859,7 +87041,7 @@ index 51bd5a0..595fa16 100644
config KEYS
bool "Enable access key retention support"
help
-@@ -169,7 +1065,7 @@ config INTEL_TXT
+@@ -169,7 +1070,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
@@ -87275,6 +87457,19 @@ index b43813c..74be837 100644
}
#else
static inline int selinux_xfrm_enabled(void)
+diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
+index 48665ec..8ab2951 100644
+--- a/security/selinux/xfrm.c
++++ b/security/selinux/xfrm.c
+@@ -310,7 +310,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
+
+ if (old_ctx) {
+ new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len,
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ if (!new_ctx)
+ return -ENOMEM;
+
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 7db62b4..ee4d949 100644
--- a/security/smack/smack_lsm.c
@@ -89311,10 +89506,10 @@ index 0000000..0408e06
+}
diff --git a/tools/gcc/latent_entropy_plugin.c b/tools/gcc/latent_entropy_plugin.c
new file mode 100644
-index 0000000..1276616
+index 0000000..b5395ba
--- /dev/null
+++ b/tools/gcc/latent_entropy_plugin.c
-@@ -0,0 +1,321 @@
+@@ -0,0 +1,327 @@
+/*
+ * Copyright 2012-2013 by the PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
@@ -89355,6 +89550,7 @@ index 0000000..1276616
+#include "rtl.h"
+#include "emit-rtl.h"
+#include "tree-flow.h"
++#include "langhooks.h"
+
+#if BUILDING_GCC_VERSION >= 4008
+#define TODO_dump_func 0
@@ -89365,7 +89561,7 @@ index 0000000..1276616
+static tree latent_entropy_decl;
+
+static struct plugin_info latent_entropy_plugin_info = {
-+ .version = "201302112000",
++ .version = "201303102320",
+ .help = NULL
+};
+
@@ -89589,6 +89785,8 @@ index 0000000..1276616
+
+static void start_unit_callback(void *gcc_data, void *user_data)
+{
++ tree latent_entropy_type;
++
+#if BUILDING_GCC_VERSION >= 4007
+ seed = get_random_seed(false);
+#else
@@ -89599,16 +89797,19 @@ index 0000000..1276616
+ if (in_lto_p)
+ return;
+
-+ // extern u64 latent_entropy
-+ latent_entropy_decl = build_decl(UNKNOWN_LOCATION, VAR_DECL, get_identifier("latent_entropy"), unsigned_intDI_type_node);
++ // extern volatile u64 latent_entropy
++ gcc_assert(TYPE_PRECISION(long_long_unsigned_type_node) == 64);
++ latent_entropy_type = build_qualified_type(long_long_unsigned_type_node, TYPE_QUALS(long_long_unsigned_type_node) | TYPE_QUAL_VOLATILE);
++ latent_entropy_decl = build_decl(UNKNOWN_LOCATION, VAR_DECL, get_identifier("latent_entropy"), latent_entropy_type);
+
+ TREE_STATIC(latent_entropy_decl) = 1;
+ TREE_PUBLIC(latent_entropy_decl) = 1;
+ TREE_USED(latent_entropy_decl) = 1;
+ TREE_THIS_VOLATILE(latent_entropy_decl) = 1;
+ DECL_EXTERNAL(latent_entropy_decl) = 1;
-+ DECL_ARTIFICIAL(latent_entropy_decl) = 0;
++ DECL_ARTIFICIAL(latent_entropy_decl) = 1;
+ DECL_INITIAL(latent_entropy_decl) = NULL;
++ lang_hooks.decls.pushdecl(latent_entropy_decl);
+// DECL_ASSEMBLER_NAME(latent_entropy_decl);
+// varpool_finalize_decl(latent_entropy_decl);
+// varpool_mark_needed_node(latent_entropy_decl);
@@ -95320,6 +95521,25 @@ index 6789d78..4afd019e 100644
+ .endm
+
#endif
+diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c
+index 3eed61e..79647cd 100644
+--- a/virt/kvm/ioapic.c
++++ b/virt/kvm/ioapic.c
+@@ -73,9 +73,12 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic,
+ u32 redir_index = (ioapic->ioregsel - 0x10) >> 1;
+ u64 redir_content;
+
+- ASSERT(redir_index < IOAPIC_NUM_PINS);
++ if (redir_index < IOAPIC_NUM_PINS)
++ redir_content =
++ ioapic->redirtbl[redir_index].bits;
++ else
++ redir_content = ~0ULL;
+
+- redir_content = ioapic->redirtbl[redir_index].bits;
+ result = (ioapic->ioregsel & 0x1) ?
+ (redir_content >> 32) & 0xffffffff :
+ redir_content & 0xffffffff;
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index ec747dc..38a8e47 100644
--- a/virt/kvm/kvm_main.c
diff --git a/3.8.3/1001_linux-3.8.2.patch b/3.8.3/1001_linux-3.8.2.patch
deleted file mode 100644
index 0952288..0000000
--- a/3.8.3/1001_linux-3.8.2.patch
+++ /dev/null
@@ -1,3093 +0,0 @@
-diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index 6c72381..986614d 100644
---- a/Documentation/kernel-parameters.txt
-+++ b/Documentation/kernel-parameters.txt
-@@ -564,6 +564,8 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
- UART at the specified I/O port or MMIO address,
- switching to the matching ttyS device later. The
- options are the same as for ttyS, above.
-+ hvc<n> Use the hypervisor console device <n>. This is for
-+ both Xen and PowerPC hypervisors.
-
- If the device connected to the port is not a TTY but a braille
- device, prepend "brl," before the device type, for instance
-@@ -754,6 +756,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
-
- earlyprintk= [X86,SH,BLACKFIN]
- earlyprintk=vga
-+ earlyprintk=xen
- earlyprintk=serial[,ttySn[,baudrate]]
- earlyprintk=ttySn[,baudrate]
- earlyprintk=dbgp[debugController#]
-@@ -771,6 +774,8 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
- The VGA output is eventually overwritten by the real
- console.
-
-+ The xen output can only be used by Xen PV guests.
-+
- ekgdboc= [X86,KGDB] Allow early kernel console debugging
- ekgdboc=kbd
-
-diff --git a/Makefile b/Makefile
-index 746c856..20d5318 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 3
- PATCHLEVEL = 8
--SUBLEVEL = 1
-+SUBLEVEL = 2
- EXTRAVERSION =
- NAME = Unicycling Gorilla
-
-diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index f8fa411..c205035 100644
---- a/arch/x86/boot/compressed/eboot.c
-+++ b/arch/x86/boot/compressed/eboot.c
-@@ -19,23 +19,28 @@
-
- static efi_system_table_t *sys_table;
-
-+static void efi_char16_printk(efi_char16_t *str)
-+{
-+ struct efi_simple_text_output_protocol *out;
-+
-+ out = (struct efi_simple_text_output_protocol *)sys_table->con_out;
-+ efi_call_phys2(out->output_string, out, str);
-+}
-+
- static void efi_printk(char *str)
- {
- char *s8;
-
- for (s8 = str; *s8; s8++) {
-- struct efi_simple_text_output_protocol *out;
- efi_char16_t ch[2] = { 0 };
-
- ch[0] = *s8;
-- out = (struct efi_simple_text_output_protocol *)sys_table->con_out;
--
- if (*s8 == '\n') {
- efi_char16_t nl[2] = { '\r', 0 };
-- efi_call_phys2(out->output_string, out, nl);
-+ efi_char16_printk(nl);
- }
-
-- efi_call_phys2(out->output_string, out, ch);
-+ efi_char16_printk(ch);
- }
- }
-
-@@ -709,7 +714,12 @@ static efi_status_t handle_ramdisks(efi_loaded_image_t *image,
- if ((u8 *)p >= (u8 *)filename_16 + sizeof(filename_16))
- break;
-
-- *p++ = *str++;
-+ if (*str == '/') {
-+ *p++ = '\\';
-+ *str++;
-+ } else {
-+ *p++ = *str++;
-+ }
- }
-
- *p = '\0';
-@@ -737,7 +747,9 @@ static efi_status_t handle_ramdisks(efi_loaded_image_t *image,
- status = efi_call_phys5(fh->open, fh, &h, filename_16,
- EFI_FILE_MODE_READ, (u64)0);
- if (status != EFI_SUCCESS) {
-- efi_printk("Failed to open initrd file\n");
-+ efi_printk("Failed to open initrd file: ");
-+ efi_char16_printk(filename_16);
-+ efi_printk("\n");
- goto close_handles;
- }
-
-diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
-index b994cc8..cbf5121 100644
---- a/arch/x86/kernel/apic/apic.c
-+++ b/arch/x86/kernel/apic/apic.c
-@@ -131,7 +131,7 @@ static int __init parse_lapic(char *arg)
- {
- if (config_enabled(CONFIG_X86_32) && !arg)
- force_enable_local_apic = 1;
-- else if (!strncmp(arg, "notscdeadline", 13))
-+ else if (arg && !strncmp(arg, "notscdeadline", 13))
- setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER);
- return 0;
- }
-diff --git a/arch/x86/kernel/head.c b/arch/x86/kernel/head.c
-index 48d9d4e..992f442 100644
---- a/arch/x86/kernel/head.c
-+++ b/arch/x86/kernel/head.c
-@@ -5,8 +5,6 @@
- #include <asm/setup.h>
- #include <asm/bios_ebda.h>
-
--#define BIOS_LOWMEM_KILOBYTES 0x413
--
- /*
- * The BIOS places the EBDA/XBDA at the top of conventional
- * memory, and usually decreases the reported amount of
-@@ -16,17 +14,30 @@
- * chipset: reserve a page before VGA to prevent PCI prefetch
- * into it (errata #56). Usually the page is reserved anyways,
- * unless you have no PS/2 mouse plugged in.
-+ *
-+ * This functions is deliberately very conservative. Losing
-+ * memory in the bottom megabyte is rarely a problem, as long
-+ * as we have enough memory to install the trampoline. Using
-+ * memory that is in use by the BIOS or by some DMA device
-+ * the BIOS didn't shut down *is* a big problem.
- */
-+
-+#define BIOS_LOWMEM_KILOBYTES 0x413
-+#define LOWMEM_CAP 0x9f000U /* Absolute maximum */
-+#define INSANE_CUTOFF 0x20000U /* Less than this = insane */
-+
- void __init reserve_ebda_region(void)
- {
- unsigned int lowmem, ebda_addr;
-
-- /* To determine the position of the EBDA and the */
-- /* end of conventional memory, we need to look at */
-- /* the BIOS data area. In a paravirtual environment */
-- /* that area is absent. We'll just have to assume */
-- /* that the paravirt case can handle memory setup */
-- /* correctly, without our help. */
-+ /*
-+ * To determine the position of the EBDA and the
-+ * end of conventional memory, we need to look at
-+ * the BIOS data area. In a paravirtual environment
-+ * that area is absent. We'll just have to assume
-+ * that the paravirt case can handle memory setup
-+ * correctly, without our help.
-+ */
- if (paravirt_enabled())
- return;
-
-@@ -37,19 +48,23 @@ void __init reserve_ebda_region(void)
- /* start of EBDA area */
- ebda_addr = get_bios_ebda();
-
-- /* Fixup: bios puts an EBDA in the top 64K segment */
-- /* of conventional memory, but does not adjust lowmem. */
-- if ((lowmem - ebda_addr) <= 0x10000)
-- lowmem = ebda_addr;
-+ /*
-+ * Note: some old Dells seem to need 4k EBDA without
-+ * reporting so, so just consider the memory above 0x9f000
-+ * to be off limits (bugzilla 2990).
-+ */
-+
-+ /* If the EBDA address is below 128K, assume it is bogus */
-+ if (ebda_addr < INSANE_CUTOFF)
-+ ebda_addr = LOWMEM_CAP;
-
-- /* Fixup: bios does not report an EBDA at all. */
-- /* Some old Dells seem to need 4k anyhow (bugzilla 2990) */
-- if ((ebda_addr == 0) && (lowmem >= 0x9f000))
-- lowmem = 0x9f000;
-+ /* If lowmem is less than 128K, assume it is bogus */
-+ if (lowmem < INSANE_CUTOFF)
-+ lowmem = LOWMEM_CAP;
-
-- /* Paranoia: should never happen, but... */
-- if ((lowmem == 0) || (lowmem >= 0x100000))
-- lowmem = 0x9f000;
-+ /* Use the lower of the lowmem and EBDA markers as the cutoff */
-+ lowmem = min(lowmem, ebda_addr);
-+ lowmem = min(lowmem, LOWMEM_CAP); /* Absolute cap */
-
- /* reserve all memory between lowmem and the 1MB mark */
- memblock_reserve(lowmem, 0x100000 - lowmem);
-diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
-index 928bf83..e2cd38f 100644
---- a/arch/x86/platform/efi/efi.c
-+++ b/arch/x86/platform/efi/efi.c
-@@ -85,9 +85,10 @@ int efi_enabled(int facility)
- }
- EXPORT_SYMBOL(efi_enabled);
-
-+static bool disable_runtime = false;
- static int __init setup_noefi(char *arg)
- {
-- clear_bit(EFI_RUNTIME_SERVICES, &x86_efi_facility);
-+ disable_runtime = true;
- return 0;
- }
- early_param("noefi", setup_noefi);
-@@ -734,7 +735,7 @@ void __init efi_init(void)
- if (!efi_is_native())
- pr_info("No EFI runtime due to 32/64-bit mismatch with kernel\n");
- else {
-- if (efi_runtime_init())
-+ if (disable_runtime || efi_runtime_init())
- return;
- set_bit(EFI_RUNTIME_SERVICES, &x86_efi_facility);
- }
-diff --git a/block/genhd.c b/block/genhd.c
-index 3993ebf..7dcfdd8 100644
---- a/block/genhd.c
-+++ b/block/genhd.c
-@@ -25,7 +25,7 @@ static DEFINE_MUTEX(block_class_lock);
- struct kobject *block_depr;
-
- /* for extended dynamic devt allocation, currently only one major is used */
--#define MAX_EXT_DEVT (1 << MINORBITS)
-+#define NR_EXT_DEVT (1 << MINORBITS)
-
- /* For extended devt allocation. ext_devt_mutex prevents look up
- * results from going away underneath its user.
-@@ -422,17 +422,18 @@ int blk_alloc_devt(struct hd_struct *part, dev_t *devt)
- do {
- if (!idr_pre_get(&ext_devt_idr, GFP_KERNEL))
- return -ENOMEM;
-+ mutex_lock(&ext_devt_mutex);
- rc = idr_get_new(&ext_devt_idr, part, &idx);
-+ if (!rc && idx >= NR_EXT_DEVT) {
-+ idr_remove(&ext_devt_idr, idx);
-+ rc = -EBUSY;
-+ }
-+ mutex_unlock(&ext_devt_mutex);
- } while (rc == -EAGAIN);
-
- if (rc)
- return rc;
-
-- if (idx > MAX_EXT_DEVT) {
-- idr_remove(&ext_devt_idr, idx);
-- return -EBUSY;
-- }
--
- *devt = MKDEV(BLOCK_EXT_MAJOR, blk_mangle_minor(idx));
- return 0;
- }
-@@ -646,7 +647,6 @@ void del_gendisk(struct gendisk *disk)
- disk_part_iter_exit(&piter);
-
- invalidate_partition(disk, 0);
-- blk_free_devt(disk_to_dev(disk)->devt);
- set_capacity(disk, 0);
- disk->flags &= ~GENHD_FL_UP;
-
-@@ -664,6 +664,7 @@ void del_gendisk(struct gendisk *disk)
- if (!sysfs_deprecated)
- sysfs_remove_link(block_depr, dev_name(disk_to_dev(disk)));
- device_del(disk_to_dev(disk));
-+ blk_free_devt(disk_to_dev(disk)->devt);
- }
- EXPORT_SYMBOL(del_gendisk);
-
-diff --git a/block/partition-generic.c b/block/partition-generic.c
-index f1d1451..1cb4dec 100644
---- a/block/partition-generic.c
-+++ b/block/partition-generic.c
-@@ -249,11 +249,11 @@ void delete_partition(struct gendisk *disk, int partno)
- if (!part)
- return;
-
-- blk_free_devt(part_devt(part));
- rcu_assign_pointer(ptbl->part[partno], NULL);
- rcu_assign_pointer(ptbl->last_lookup, NULL);
- kobject_put(part->holder_dir);
- device_del(part_to_dev(part));
-+ blk_free_devt(part_devt(part));
-
- hd_struct_put(part);
- }
-diff --git a/drivers/acpi/Kconfig b/drivers/acpi/Kconfig
-index 38c5078..f5ae996 100644
---- a/drivers/acpi/Kconfig
-+++ b/drivers/acpi/Kconfig
-@@ -268,7 +268,8 @@ config ACPI_CUSTOM_DSDT
- default ACPI_CUSTOM_DSDT_FILE != ""
-
- config ACPI_INITRD_TABLE_OVERRIDE
-- bool "ACPI tables can be passed via uncompressed cpio in initrd"
-+ bool "ACPI tables override via initrd"
-+ depends on BLK_DEV_INITRD && X86
- default n
- help
- This option provides functionality to override arbitrary ACPI tables
-diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c
-index 2fcc67d..df85051 100644
---- a/drivers/acpi/sleep.c
-+++ b/drivers/acpi/sleep.c
-@@ -177,6 +177,14 @@ static struct dmi_system_id __initdata acpisleep_dmi_table[] = {
- },
- {
- .callback = init_nvs_nosave,
-+ .ident = "Sony Vaio VGN-FW41E_H",
-+ .matches = {
-+ DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"),
-+ DMI_MATCH(DMI_PRODUCT_NAME, "VGN-FW41E_H"),
-+ },
-+ },
-+ {
-+ .callback = init_nvs_nosave,
- .ident = "Sony Vaio VGN-FW21E",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"),
-diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
-index 4979127..72e3e12 100644
---- a/drivers/ata/ahci.c
-+++ b/drivers/ata/ahci.c
-@@ -265,6 +265,30 @@ static const struct pci_device_id ahci_pci_tbl[] = {
- { PCI_VDEVICE(INTEL, 0x9c07), board_ahci }, /* Lynx Point-LP RAID */
- { PCI_VDEVICE(INTEL, 0x9c0e), board_ahci }, /* Lynx Point-LP RAID */
- { PCI_VDEVICE(INTEL, 0x9c0f), board_ahci }, /* Lynx Point-LP RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f22), board_ahci }, /* Avoton AHCI */
-+ { PCI_VDEVICE(INTEL, 0x1f23), board_ahci }, /* Avoton AHCI */
-+ { PCI_VDEVICE(INTEL, 0x1f24), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f25), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f26), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f27), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f2e), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f2f), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f32), board_ahci }, /* Avoton AHCI */
-+ { PCI_VDEVICE(INTEL, 0x1f33), board_ahci }, /* Avoton AHCI */
-+ { PCI_VDEVICE(INTEL, 0x1f34), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f35), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f36), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f37), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f3e), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x1f3f), board_ahci }, /* Avoton RAID */
-+ { PCI_VDEVICE(INTEL, 0x8d02), board_ahci }, /* Wellsburg AHCI */
-+ { PCI_VDEVICE(INTEL, 0x8d04), board_ahci }, /* Wellsburg RAID */
-+ { PCI_VDEVICE(INTEL, 0x8d06), board_ahci }, /* Wellsburg RAID */
-+ { PCI_VDEVICE(INTEL, 0x8d0e), board_ahci }, /* Wellsburg RAID */
-+ { PCI_VDEVICE(INTEL, 0x8d62), board_ahci }, /* Wellsburg AHCI */
-+ { PCI_VDEVICE(INTEL, 0x8d64), board_ahci }, /* Wellsburg RAID */
-+ { PCI_VDEVICE(INTEL, 0x8d66), board_ahci }, /* Wellsburg RAID */
-+ { PCI_VDEVICE(INTEL, 0x8d6e), board_ahci }, /* Wellsburg RAID */
-
- /* JMicron 360/1/3/5/6, match class to avoid IDE function */
- { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
-diff --git a/drivers/ata/ata_piix.c b/drivers/ata/ata_piix.c
-index 174eca6..d2ba439 100644
---- a/drivers/ata/ata_piix.c
-+++ b/drivers/ata/ata_piix.c
-@@ -317,6 +317,23 @@ static const struct pci_device_id piix_pci_tbl[] = {
- { 0x8086, 0x9c09, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
- /* SATA Controller IDE (DH89xxCC) */
- { 0x8086, 0x2326, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
-+ /* SATA Controller IDE (Avoton) */
-+ { 0x8086, 0x1f20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb },
-+ /* SATA Controller IDE (Avoton) */
-+ { 0x8086, 0x1f21, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb },
-+ /* SATA Controller IDE (Avoton) */
-+ { 0x8086, 0x1f30, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
-+ /* SATA Controller IDE (Avoton) */
-+ { 0x8086, 0x1f31, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
-+ /* SATA Controller IDE (Wellsburg) */
-+ { 0x8086, 0x8d00, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb },
-+ /* SATA Controller IDE (Wellsburg) */
-+ { 0x8086, 0x8d08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
-+ /* SATA Controller IDE (Wellsburg) */
-+ { 0x8086, 0x8d60, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb },
-+ /* SATA Controller IDE (Wellsburg) */
-+ { 0x8086, 0x8d68, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
-+
- { } /* terminate list */
- };
-
-diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
-index 043ddcc..eb591fb 100644
---- a/drivers/block/nbd.c
-+++ b/drivers/block/nbd.c
-@@ -595,12 +595,20 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
- struct request sreq;
-
- dev_info(disk_to_dev(nbd->disk), "NBD_DISCONNECT\n");
-+ if (!nbd->sock)
-+ return -EINVAL;
-
-+ mutex_unlock(&nbd->tx_lock);
-+ fsync_bdev(bdev);
-+ mutex_lock(&nbd->tx_lock);
- blk_rq_init(NULL, &sreq);
- sreq.cmd_type = REQ_TYPE_SPECIAL;
- nbd_cmd(&sreq) = NBD_CMD_DISC;
-+
-+ /* Check again after getting mutex back. */
- if (!nbd->sock)
- return -EINVAL;
-+
- nbd_send_req(nbd, &sreq);
- return 0;
- }
-@@ -614,6 +622,7 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
- nbd_clear_que(nbd);
- BUG_ON(!list_empty(&nbd->queue_head));
- BUG_ON(!list_empty(&nbd->waiting_queue));
-+ kill_bdev(bdev);
- if (file)
- fput(file);
- return 0;
-@@ -702,6 +711,7 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
- nbd->file = NULL;
- nbd_clear_que(nbd);
- dev_warn(disk_to_dev(nbd->disk), "queue cleared\n");
-+ kill_bdev(bdev);
- queue_flag_clear_unlocked(QUEUE_FLAG_DISCARD, nbd->disk->queue);
- if (file)
- fput(file);
-diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
-index 5ac841f..de1f319 100644
---- a/drivers/block/xen-blkback/blkback.c
-+++ b/drivers/block/xen-blkback/blkback.c
-@@ -46,6 +46,7 @@
- #include <xen/xen.h>
- #include <asm/xen/hypervisor.h>
- #include <asm/xen/hypercall.h>
-+#include <xen/balloon.h>
- #include "common.h"
-
- /*
-@@ -239,6 +240,7 @@ static void free_persistent_gnts(struct rb_root *root, unsigned int num)
- ret = gnttab_unmap_refs(unmap, NULL, pages,
- segs_to_unmap);
- BUG_ON(ret);
-+ free_xenballooned_pages(segs_to_unmap, pages);
- segs_to_unmap = 0;
- }
-
-@@ -527,8 +529,8 @@ static int xen_blkbk_map(struct blkif_request *req,
- GFP_KERNEL);
- if (!persistent_gnt)
- return -ENOMEM;
-- persistent_gnt->page = alloc_page(GFP_KERNEL);
-- if (!persistent_gnt->page) {
-+ if (alloc_xenballooned_pages(1, &persistent_gnt->page,
-+ false)) {
- kfree(persistent_gnt);
- return -ENOMEM;
- }
-@@ -879,7 +881,6 @@ static int dispatch_rw_block_io(struct xen_blkif *blkif,
- goto fail_response;
- }
-
-- preq.dev = req->u.rw.handle;
- preq.sector_number = req->u.rw.sector_number;
- preq.nr_sects = 0;
-
-diff --git a/drivers/block/xen-blkback/xenbus.c b/drivers/block/xen-blkback/xenbus.c
-index 6398072..5e237f6 100644
---- a/drivers/block/xen-blkback/xenbus.c
-+++ b/drivers/block/xen-blkback/xenbus.c
-@@ -367,6 +367,7 @@ static int xen_blkbk_remove(struct xenbus_device *dev)
- be->blkif = NULL;
- }
-
-+ kfree(be->mode);
- kfree(be);
- dev_set_drvdata(&dev->dev, NULL);
- return 0;
-@@ -502,6 +503,7 @@ static void backend_changed(struct xenbus_watch *watch,
- = container_of(watch, struct backend_info, backend_watch);
- struct xenbus_device *dev = be->dev;
- int cdrom = 0;
-+ unsigned long handle;
- char *device_type;
-
- DPRINTK("");
-@@ -521,10 +523,10 @@ static void backend_changed(struct xenbus_watch *watch,
- return;
- }
-
-- if ((be->major || be->minor) &&
-- ((be->major != major) || (be->minor != minor))) {
-- pr_warn(DRV_PFX "changing physical device (from %x:%x to %x:%x) not supported.\n",
-- be->major, be->minor, major, minor);
-+ if (be->major | be->minor) {
-+ if (be->major != major || be->minor != minor)
-+ pr_warn(DRV_PFX "changing physical device (from %x:%x to %x:%x) not supported.\n",
-+ be->major, be->minor, major, minor);
- return;
- }
-
-@@ -542,36 +544,33 @@ static void backend_changed(struct xenbus_watch *watch,
- kfree(device_type);
- }
-
-- if (be->major == 0 && be->minor == 0) {
-- /* Front end dir is a number, which is used as the handle. */
--
-- char *p = strrchr(dev->otherend, '/') + 1;
-- long handle;
-- err = strict_strtoul(p, 0, &handle);
-- if (err)
-- return;
-+ /* Front end dir is a number, which is used as the handle. */
-+ err = strict_strtoul(strrchr(dev->otherend, '/') + 1, 0, &handle);
-+ if (err)
-+ return;
-
-- be->major = major;
-- be->minor = minor;
-+ be->major = major;
-+ be->minor = minor;
-
-- err = xen_vbd_create(be->blkif, handle, major, minor,
-- (NULL == strchr(be->mode, 'w')), cdrom);
-- if (err) {
-- be->major = 0;
-- be->minor = 0;
-- xenbus_dev_fatal(dev, err, "creating vbd structure");
-- return;
-- }
-+ err = xen_vbd_create(be->blkif, handle, major, minor,
-+ !strchr(be->mode, 'w'), cdrom);
-
-+ if (err)
-+ xenbus_dev_fatal(dev, err, "creating vbd structure");
-+ else {
- err = xenvbd_sysfs_addif(dev);
- if (err) {
- xen_vbd_free(&be->blkif->vbd);
-- be->major = 0;
-- be->minor = 0;
- xenbus_dev_fatal(dev, err, "creating sysfs entries");
-- return;
- }
-+ }
-
-+ if (err) {
-+ kfree(be->mode);
-+ be->mode = NULL;
-+ be->major = 0;
-+ be->minor = 0;
-+ } else {
- /* We're potentially connected now */
- xen_update_blkif_status(be->blkif);
- }
-diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c
-index 11043c1..c3dae2e 100644
---- a/drivers/block/xen-blkfront.c
-+++ b/drivers/block/xen-blkfront.c
-@@ -791,7 +791,7 @@ static void blkif_restart_queue(struct work_struct *work)
- static void blkif_free(struct blkfront_info *info, int suspend)
- {
- struct llist_node *all_gnts;
-- struct grant *persistent_gnt;
-+ struct grant *persistent_gnt, *tmp;
- struct llist_node *n;
-
- /* Prevent new requests being issued until we fix things up. */
-@@ -805,10 +805,17 @@ static void blkif_free(struct blkfront_info *info, int suspend)
- /* Remove all persistent grants */
- if (info->persistent_gnts_c) {
- all_gnts = llist_del_all(&info->persistent_gnts);
-- llist_for_each_entry_safe(persistent_gnt, n, all_gnts, node) {
-+ persistent_gnt = llist_entry(all_gnts, typeof(*(persistent_gnt)), node);
-+ while (persistent_gnt) {
- gnttab_end_foreign_access(persistent_gnt->gref, 0, 0UL);
- __free_page(pfn_to_page(persistent_gnt->pfn));
-- kfree(persistent_gnt);
-+ tmp = persistent_gnt;
-+ n = persistent_gnt->node.next;
-+ if (n)
-+ persistent_gnt = llist_entry(n, typeof(*(persistent_gnt)), node);
-+ else
-+ persistent_gnt = NULL;
-+ kfree(tmp);
- }
- info->persistent_gnts_c = 0;
- }
-diff --git a/drivers/firewire/core-device.c b/drivers/firewire/core-device.c
-index 3873d53..af3e8aa 100644
---- a/drivers/firewire/core-device.c
-+++ b/drivers/firewire/core-device.c
-@@ -1020,6 +1020,10 @@ static void fw_device_init(struct work_struct *work)
- ret = idr_pre_get(&fw_device_idr, GFP_KERNEL) ?
- idr_get_new(&fw_device_idr, device, &minor) :
- -ENOMEM;
-+ if (minor >= 1 << MINORBITS) {
-+ idr_remove(&fw_device_idr, minor);
-+ minor = -ENOSPC;
-+ }
- up_write(&fw_device_rwsem);
-
- if (ret < 0)
-diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c
-index f5596db..bcb201c 100644
---- a/drivers/firmware/efivars.c
-+++ b/drivers/firmware/efivars.c
-@@ -79,6 +79,7 @@
- #include <linux/device.h>
- #include <linux/slab.h>
- #include <linux/pstore.h>
-+#include <linux/ctype.h>
-
- #include <linux/fs.h>
- #include <linux/ramfs.h>
-@@ -900,6 +901,48 @@ static struct inode *efivarfs_get_inode(struct super_block *sb,
- return inode;
- }
-
-+/*
-+ * Return true if 'str' is a valid efivarfs filename of the form,
-+ *
-+ * VariableName-12345678-1234-1234-1234-1234567891bc
-+ */
-+static bool efivarfs_valid_name(const char *str, int len)
-+{
-+ static const char dashes[GUID_LEN] = {
-+ [8] = 1, [13] = 1, [18] = 1, [23] = 1
-+ };
-+ const char *s = str + len - GUID_LEN;
-+ int i;
-+
-+ /*
-+ * We need a GUID, plus at least one letter for the variable name,
-+ * plus the '-' separator
-+ */
-+ if (len < GUID_LEN + 2)
-+ return false;
-+
-+ /* GUID should be right after the first '-' */
-+ if (s - 1 != strchr(str, '-'))
-+ return false;
-+
-+ /*
-+ * Validate that 's' is of the correct format, e.g.
-+ *
-+ * 12345678-1234-1234-1234-123456789abc
-+ */
-+ for (i = 0; i < GUID_LEN; i++) {
-+ if (dashes[i]) {
-+ if (*s++ != '-')
-+ return false;
-+ } else {
-+ if (!isxdigit(*s++))
-+ return false;
-+ }
-+ }
-+
-+ return true;
-+}
-+
- static void efivarfs_hex_to_guid(const char *str, efi_guid_t *guid)
- {
- guid->b[0] = hex_to_bin(str[6]) << 4 | hex_to_bin(str[7]);
-@@ -928,11 +971,7 @@ static int efivarfs_create(struct inode *dir, struct dentry *dentry,
- struct efivar_entry *var;
- int namelen, i = 0, err = 0;
-
-- /*
-- * We need a GUID, plus at least one letter for the variable name,
-- * plus the '-' separator
-- */
-- if (dentry->d_name.len < GUID_LEN + 2)
-+ if (!efivarfs_valid_name(dentry->d_name.name, dentry->d_name.len))
- return -EINVAL;
-
- inode = efivarfs_get_inode(dir->i_sb, dir, mode, 0);
-@@ -1004,6 +1043,84 @@ static int efivarfs_unlink(struct inode *dir, struct dentry *dentry)
- return -EINVAL;
- };
-
-+/*
-+ * Compare two efivarfs file names.
-+ *
-+ * An efivarfs filename is composed of two parts,
-+ *
-+ * 1. A case-sensitive variable name
-+ * 2. A case-insensitive GUID
-+ *
-+ * So we need to perform a case-sensitive match on part 1 and a
-+ * case-insensitive match on part 2.
-+ */
-+static int efivarfs_d_compare(const struct dentry *parent, const struct inode *pinode,
-+ const struct dentry *dentry, const struct inode *inode,
-+ unsigned int len, const char *str,
-+ const struct qstr *name)
-+{
-+ int guid = len - GUID_LEN;
-+
-+ if (name->len != len)
-+ return 1;
-+
-+ /* Case-sensitive compare for the variable name */
-+ if (memcmp(str, name->name, guid))
-+ return 1;
-+
-+ /* Case-insensitive compare for the GUID */
-+ return strncasecmp(name->name + guid, str + guid, GUID_LEN);
-+}
-+
-+static int efivarfs_d_hash(const struct dentry *dentry,
-+ const struct inode *inode, struct qstr *qstr)
-+{
-+ unsigned long hash = init_name_hash();
-+ const unsigned char *s = qstr->name;
-+ unsigned int len = qstr->len;
-+
-+ if (!efivarfs_valid_name(s, len))
-+ return -EINVAL;
-+
-+ while (len-- > GUID_LEN)
-+ hash = partial_name_hash(*s++, hash);
-+
-+ /* GUID is case-insensitive. */
-+ while (len--)
-+ hash = partial_name_hash(tolower(*s++), hash);
-+
-+ qstr->hash = end_name_hash(hash);
-+ return 0;
-+}
-+
-+/*
-+ * Retaining negative dentries for an in-memory filesystem just wastes
-+ * memory and lookup time: arrange for them to be deleted immediately.
-+ */
-+static int efivarfs_delete_dentry(const struct dentry *dentry)
-+{
-+ return 1;
-+}
-+
-+static struct dentry_operations efivarfs_d_ops = {
-+ .d_compare = efivarfs_d_compare,
-+ .d_hash = efivarfs_d_hash,
-+ .d_delete = efivarfs_delete_dentry,
-+};
-+
-+static struct dentry *efivarfs_alloc_dentry(struct dentry *parent, char *name)
-+{
-+ struct qstr q;
-+
-+ q.name = name;
-+ q.len = strlen(name);
-+
-+ if (efivarfs_d_hash(NULL, NULL, &q))
-+ return NULL;
-+
-+ return d_alloc(parent, &q);
-+}
-+
- static int efivarfs_fill_super(struct super_block *sb, void *data, int silent)
- {
- struct inode *inode = NULL;
-@@ -1019,6 +1136,7 @@ static int efivarfs_fill_super(struct super_block *sb, void *data, int silent)
- sb->s_blocksize_bits = PAGE_CACHE_SHIFT;
- sb->s_magic = EFIVARFS_MAGIC;
- sb->s_op = &efivarfs_ops;
-+ sb->s_d_op = &efivarfs_d_ops;
- sb->s_time_gran = 1;
-
- inode = efivarfs_get_inode(sb, NULL, S_IFDIR | 0755, 0);
-@@ -1059,7 +1177,7 @@ static int efivarfs_fill_super(struct super_block *sb, void *data, int silent)
- if (!inode)
- goto fail_name;
-
-- dentry = d_alloc_name(root, name);
-+ dentry = efivarfs_alloc_dentry(root, name);
- if (!dentry)
- goto fail_inode;
-
-@@ -1109,8 +1227,20 @@ static struct file_system_type efivarfs_type = {
- .kill_sb = efivarfs_kill_sb,
- };
-
-+/*
-+ * Handle negative dentry.
-+ */
-+static struct dentry *efivarfs_lookup(struct inode *dir, struct dentry *dentry,
-+ unsigned int flags)
-+{
-+ if (dentry->d_name.len > NAME_MAX)
-+ return ERR_PTR(-ENAMETOOLONG);
-+ d_add(dentry, NULL);
-+ return NULL;
-+}
-+
- static const struct inode_operations efivarfs_dir_inode_operations = {
-- .lookup = simple_lookup,
-+ .lookup = efivarfs_lookup,
- .unlink = efivarfs_unlink,
- .create = efivarfs_create,
- };
-diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index eb2ee11..ceb3040 100644
---- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -1697,6 +1697,7 @@ static const struct hid_device_id hid_have_special_driver[] = {
- { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_NAVIGATION_CONTROLLER) },
- { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS3_CONTROLLER) },
- { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGX_MOUSE) },
-+ { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGP_MOUSE) },
- { HID_USB_DEVICE(USB_VENDOR_ID_SUNPLUS, USB_DEVICE_ID_SUNPLUS_WDESKTOP) },
- { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb300) },
- { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb304) },
-@@ -2070,6 +2071,7 @@ static const struct hid_device_id hid_ignore_list[] = {
- { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_HYBRID) },
- { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_HEATCONTROL) },
- { HID_USB_DEVICE(USB_VENDOR_ID_MADCATZ, USB_DEVICE_ID_MADCATZ_BEATPAD) },
-+ { HID_USB_DEVICE(USB_VENDOR_ID_MASTERKIT, USB_DEVICE_ID_MASTERKIT_MA901RADIO) },
- { HID_USB_DEVICE(USB_VENDOR_ID_MCC, USB_DEVICE_ID_MCC_PMD1024LS) },
- { HID_USB_DEVICE(USB_VENDOR_ID_MCC, USB_DEVICE_ID_MCC_PMD1208LS) },
- { HID_USB_DEVICE(USB_VENDOR_ID_MICROCHIP, USB_DEVICE_ID_PICKIT1) },
-diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
-index 34e2547..266e2ae 100644
---- a/drivers/hid/hid-ids.h
-+++ b/drivers/hid/hid-ids.h
-@@ -554,6 +554,9 @@
- #define USB_VENDOR_ID_MADCATZ 0x0738
- #define USB_DEVICE_ID_MADCATZ_BEATPAD 0x4540
-
-+#define USB_VENDOR_ID_MASTERKIT 0x16c0
-+#define USB_DEVICE_ID_MASTERKIT_MA901RADIO 0x05df
-+
- #define USB_VENDOR_ID_MCC 0x09db
- #define USB_DEVICE_ID_MCC_PMD1024LS 0x0076
- #define USB_DEVICE_ID_MCC_PMD1208LS 0x007a
-@@ -709,6 +712,7 @@
-
- #define USB_VENDOR_ID_SONY 0x054c
- #define USB_DEVICE_ID_SONY_VAIO_VGX_MOUSE 0x024b
-+#define USB_DEVICE_ID_SONY_VAIO_VGP_MOUSE 0x0374
- #define USB_DEVICE_ID_SONY_PS3_BDREMOTE 0x0306
- #define USB_DEVICE_ID_SONY_PS3_CONTROLLER 0x0268
- #define USB_DEVICE_ID_SONY_NAVIGATION_CONTROLLER 0x042f
-diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
-index 7f33ebf..126d6ae 100644
---- a/drivers/hid/hid-sony.c
-+++ b/drivers/hid/hid-sony.c
-@@ -43,9 +43,19 @@ static __u8 *sony_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- {
- struct sony_sc *sc = hid_get_drvdata(hdev);
-
-- if ((sc->quirks & VAIO_RDESC_CONSTANT) &&
-- *rsize >= 56 && rdesc[54] == 0x81 && rdesc[55] == 0x07) {
-- hid_info(hdev, "Fixing up Sony Vaio VGX report descriptor\n");
-+ /*
-+ * Some Sony RF receivers wrongly declare the mouse pointer as a
-+ * a constant non-data variable.
-+ */
-+ if ((sc->quirks & VAIO_RDESC_CONSTANT) && *rsize >= 56 &&
-+ /* usage page: generic desktop controls */
-+ /* rdesc[0] == 0x05 && rdesc[1] == 0x01 && */
-+ /* usage: mouse */
-+ rdesc[2] == 0x09 && rdesc[3] == 0x02 &&
-+ /* input (usage page for x,y axes): constant, variable, relative */
-+ rdesc[54] == 0x81 && rdesc[55] == 0x07) {
-+ hid_info(hdev, "Fixing up Sony RF Receiver report descriptor\n");
-+ /* input: data, variable, relative */
- rdesc[55] = 0x06;
- }
-
-@@ -217,6 +227,8 @@ static const struct hid_device_id sony_devices[] = {
- .driver_data = SIXAXIS_CONTROLLER_BT },
- { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGX_MOUSE),
- .driver_data = VAIO_RDESC_CONSTANT },
-+ { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGP_MOUSE),
-+ .driver_data = VAIO_RDESC_CONSTANT },
- { }
- };
- MODULE_DEVICE_TABLE(hid, sony_devices);
-diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c
-index d5088ce..7ccf328 100644
---- a/drivers/infiniband/ulp/srp/ib_srp.c
-+++ b/drivers/infiniband/ulp/srp/ib_srp.c
-@@ -700,23 +700,24 @@ static int srp_reconnect_target(struct srp_target_port *target)
- struct Scsi_Host *shost = target->scsi_host;
- int i, ret;
-
-- if (target->state != SRP_TARGET_LIVE)
-- return -EAGAIN;
--
- scsi_target_block(&shost->shost_gendev);
-
- srp_disconnect_target(target);
- /*
-- * Now get a new local CM ID so that we avoid confusing the
-- * target in case things are really fouled up.
-+ * Now get a new local CM ID so that we avoid confusing the target in
-+ * case things are really fouled up. Doing so also ensures that all CM
-+ * callbacks will have finished before a new QP is allocated.
- */
- ret = srp_new_cm_id(target);
-- if (ret)
-- goto unblock;
--
-- ret = srp_create_target_ib(target);
-- if (ret)
-- goto unblock;
-+ /*
-+ * Whether or not creating a new CM ID succeeded, create a new
-+ * QP. This guarantees that all completion callback function
-+ * invocations have finished before request resetting starts.
-+ */
-+ if (ret == 0)
-+ ret = srp_create_target_ib(target);
-+ else
-+ srp_create_target_ib(target);
-
- for (i = 0; i < SRP_CMD_SQ_SIZE; ++i) {
- struct srp_request *req = &target->req_ring[i];
-@@ -728,11 +729,12 @@ static int srp_reconnect_target(struct srp_target_port *target)
- for (i = 0; i < SRP_SQ_SIZE; ++i)
- list_add(&target->tx_ring[i]->list, &target->free_tx);
-
-- ret = srp_connect_target(target);
-+ if (ret == 0)
-+ ret = srp_connect_target(target);
-
--unblock:
- scsi_target_unblock(&shost->shost_gendev, ret == 0 ? SDEV_RUNNING :
- SDEV_TRANSPORT_OFFLINE);
-+ target->transport_offline = !!ret;
-
- if (ret)
- goto err;
-@@ -1352,6 +1354,12 @@ static int srp_queuecommand(struct Scsi_Host *shost, struct scsi_cmnd *scmnd)
- unsigned long flags;
- int len;
-
-+ if (unlikely(target->transport_offline)) {
-+ scmnd->result = DID_NO_CONNECT << 16;
-+ scmnd->scsi_done(scmnd);
-+ return 0;
-+ }
-+
- spin_lock_irqsave(&target->lock, flags);
- iu = __srp_get_tx_iu(target, SRP_IU_CMD);
- if (!iu)
-@@ -1695,6 +1703,9 @@ static int srp_send_tsk_mgmt(struct srp_target_port *target,
- struct srp_iu *iu;
- struct srp_tsk_mgmt *tsk_mgmt;
-
-+ if (!target->connected || target->qp_in_error)
-+ return -1;
-+
- init_completion(&target->tsk_mgmt_done);
-
- spin_lock_irq(&target->lock);
-@@ -1736,7 +1747,7 @@ static int srp_abort(struct scsi_cmnd *scmnd)
-
- shost_printk(KERN_ERR, target->scsi_host, "SRP abort called\n");
-
-- if (!req || target->qp_in_error || !srp_claim_req(target, req, scmnd))
-+ if (!req || !srp_claim_req(target, req, scmnd))
- return FAILED;
- srp_send_tsk_mgmt(target, req->index, scmnd->device->lun,
- SRP_TSK_ABORT_TASK);
-@@ -1754,8 +1765,6 @@ static int srp_reset_device(struct scsi_cmnd *scmnd)
-
- shost_printk(KERN_ERR, target->scsi_host, "SRP reset_device called\n");
-
-- if (target->qp_in_error)
-- return FAILED;
- if (srp_send_tsk_mgmt(target, SRP_TAG_NO_REQ, scmnd->device->lun,
- SRP_TSK_LUN_RESET))
- return FAILED;
-@@ -1972,7 +1981,6 @@ static int srp_add_target(struct srp_host *host, struct srp_target_port *target)
- spin_unlock(&host->target_lock);
-
- target->state = SRP_TARGET_LIVE;
-- target->connected = false;
-
- scsi_scan_target(&target->scsi_host->shost_gendev,
- 0, target->scsi_id, SCAN_WILD_CARD, 0);
-diff --git a/drivers/infiniband/ulp/srp/ib_srp.h b/drivers/infiniband/ulp/srp/ib_srp.h
-index de2d0b3..66fbedd 100644
---- a/drivers/infiniband/ulp/srp/ib_srp.h
-+++ b/drivers/infiniband/ulp/srp/ib_srp.h
-@@ -140,6 +140,7 @@ struct srp_target_port {
- unsigned int cmd_sg_cnt;
- unsigned int indirect_size;
- bool allow_ext_sg;
-+ bool transport_offline;
-
- /* Everything above this point is used in the hot path of
- * command processing. Try to keep them packed into cachelines.
-diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
-index faf10ba..b6ecddb 100644
---- a/drivers/iommu/amd_iommu_init.c
-+++ b/drivers/iommu/amd_iommu_init.c
-@@ -1876,11 +1876,6 @@ static int amd_iommu_init_dma(void)
- struct amd_iommu *iommu;
- int ret;
-
-- init_device_table_dma();
--
-- for_each_iommu(iommu)
-- iommu_flush_all_caches(iommu);
--
- if (iommu_pass_through)
- ret = amd_iommu_init_passthrough();
- else
-@@ -1889,6 +1884,11 @@ static int amd_iommu_init_dma(void)
- if (ret)
- return ret;
-
-+ init_device_table_dma();
-+
-+ for_each_iommu(iommu)
-+ iommu_flush_all_caches(iommu);
-+
- amd_iommu_init_api();
-
- amd_iommu_init_notifier();
-diff --git a/drivers/media/pci/cx18/cx18-alsa-main.c b/drivers/media/pci/cx18/cx18-alsa-main.c
-index 8e971ff..b2c8c34 100644
---- a/drivers/media/pci/cx18/cx18-alsa-main.c
-+++ b/drivers/media/pci/cx18/cx18-alsa-main.c
-@@ -197,7 +197,7 @@ err_exit:
- return ret;
- }
-
--static int __init cx18_alsa_load(struct cx18 *cx)
-+static int cx18_alsa_load(struct cx18 *cx)
- {
- struct v4l2_device *v4l2_dev = &cx->v4l2_dev;
- struct cx18_stream *s;
-diff --git a/drivers/media/pci/cx18/cx18-alsa-pcm.h b/drivers/media/pci/cx18/cx18-alsa-pcm.h
-index d26e51f..e2b2c5b 100644
---- a/drivers/media/pci/cx18/cx18-alsa-pcm.h
-+++ b/drivers/media/pci/cx18/cx18-alsa-pcm.h
-@@ -20,7 +20,7 @@
- * 02111-1307 USA
- */
-
--int __init snd_cx18_pcm_create(struct snd_cx18_card *cxsc);
-+int snd_cx18_pcm_create(struct snd_cx18_card *cxsc);
-
- /* Used by cx18-mailbox to announce the PCM data to the module */
- void cx18_alsa_announce_pcm_data(struct snd_cx18_card *card, u8 *pcm_data,
-diff --git a/drivers/media/pci/ivtv/ivtv-alsa-main.c b/drivers/media/pci/ivtv/ivtv-alsa-main.c
-index 4a221c6..e970cfa 100644
---- a/drivers/media/pci/ivtv/ivtv-alsa-main.c
-+++ b/drivers/media/pci/ivtv/ivtv-alsa-main.c
-@@ -205,7 +205,7 @@ err_exit:
- return ret;
- }
-
--static int __init ivtv_alsa_load(struct ivtv *itv)
-+static int ivtv_alsa_load(struct ivtv *itv)
- {
- struct v4l2_device *v4l2_dev = &itv->v4l2_dev;
- struct ivtv_stream *s;
-diff --git a/drivers/media/pci/ivtv/ivtv-alsa-pcm.h b/drivers/media/pci/ivtv/ivtv-alsa-pcm.h
-index 23dfe0d..186814e 100644
---- a/drivers/media/pci/ivtv/ivtv-alsa-pcm.h
-+++ b/drivers/media/pci/ivtv/ivtv-alsa-pcm.h
-@@ -20,4 +20,4 @@
- * 02111-1307 USA
- */
-
--int __init snd_ivtv_pcm_create(struct snd_ivtv_card *itvsc);
-+int snd_ivtv_pcm_create(struct snd_ivtv_card *itvsc);
-diff --git a/drivers/media/platform/omap/omap_vout.c b/drivers/media/platform/omap/omap_vout.c
-index 35cc526..8e9a668 100644
---- a/drivers/media/platform/omap/omap_vout.c
-+++ b/drivers/media/platform/omap/omap_vout.c
-@@ -205,19 +205,21 @@ static u32 omap_vout_uservirt_to_phys(u32 virtp)
- struct vm_area_struct *vma;
- struct mm_struct *mm = current->mm;
-
-- vma = find_vma(mm, virtp);
- /* For kernel direct-mapped memory, take the easy way */
-- if (virtp >= PAGE_OFFSET) {
-- physp = virt_to_phys((void *) virtp);
-- } else if (vma && (vma->vm_flags & VM_IO) && vma->vm_pgoff) {
-+ if (virtp >= PAGE_OFFSET)
-+ return virt_to_phys((void *) virtp);
-+
-+ down_read(&current->mm->mmap_sem);
-+ vma = find_vma(mm, virtp);
-+ if (vma && (vma->vm_flags & VM_IO) && vma->vm_pgoff) {
- /* this will catch, kernel-allocated, mmaped-to-usermode
- addresses */
- physp = (vma->vm_pgoff << PAGE_SHIFT) + (virtp - vma->vm_start);
-+ up_read(&current->mm->mmap_sem);
- } else {
- /* otherwise, use get_user_pages() for general userland pages */
- int res, nr_pages = 1;
- struct page *pages;
-- down_read(&current->mm->mmap_sem);
-
- res = get_user_pages(current, current->mm, virtp, nr_pages, 1,
- 0, &pages, NULL);
-diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
-index 601d1ac1..d593bc6 100644
---- a/drivers/media/rc/rc-main.c
-+++ b/drivers/media/rc/rc-main.c
-@@ -789,8 +789,10 @@ static ssize_t show_protocols(struct device *device,
- } else if (dev->raw) {
- enabled = dev->raw->enabled_protocols;
- allowed = ir_raw_get_allowed_protocols();
-- } else
-+ } else {
-+ mutex_unlock(&dev->lock);
- return -ENODEV;
-+ }
-
- IR_dprintk(1, "allowed - 0x%llx, enabled - 0x%llx\n",
- (long long)allowed,
-diff --git a/drivers/media/v4l2-core/v4l2-device.c b/drivers/media/v4l2-core/v4l2-device.c
-index 513969f..98a7f5e 100644
---- a/drivers/media/v4l2-core/v4l2-device.c
-+++ b/drivers/media/v4l2-core/v4l2-device.c
-@@ -159,31 +159,21 @@ int v4l2_device_register_subdev(struct v4l2_device *v4l2_dev,
- sd->v4l2_dev = v4l2_dev;
- if (sd->internal_ops && sd->internal_ops->registered) {
- err = sd->internal_ops->registered(sd);
-- if (err) {
-- module_put(sd->owner);
-- return err;
-- }
-+ if (err)
-+ goto error_module;
- }
-
- /* This just returns 0 if either of the two args is NULL */
- err = v4l2_ctrl_add_handler(v4l2_dev->ctrl_handler, sd->ctrl_handler, NULL);
-- if (err) {
-- if (sd->internal_ops && sd->internal_ops->unregistered)
-- sd->internal_ops->unregistered(sd);
-- module_put(sd->owner);
-- return err;
-- }
-+ if (err)
-+ goto error_unregister;
-
- #if defined(CONFIG_MEDIA_CONTROLLER)
- /* Register the entity. */
- if (v4l2_dev->mdev) {
- err = media_device_register_entity(v4l2_dev->mdev, entity);
-- if (err < 0) {
-- if (sd->internal_ops && sd->internal_ops->unregistered)
-- sd->internal_ops->unregistered(sd);
-- module_put(sd->owner);
-- return err;
-- }
-+ if (err < 0)
-+ goto error_unregister;
- }
- #endif
-
-@@ -192,6 +182,14 @@ int v4l2_device_register_subdev(struct v4l2_device *v4l2_dev,
- spin_unlock(&v4l2_dev->lock);
-
- return 0;
-+
-+error_unregister:
-+ if (sd->internal_ops && sd->internal_ops->unregistered)
-+ sd->internal_ops->unregistered(sd);
-+error_module:
-+ module_put(sd->owner);
-+ sd->v4l2_dev = NULL;
-+ return err;
- }
- EXPORT_SYMBOL_GPL(v4l2_device_register_subdev);
-
-diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
-index 806e34c..0568273 100644
---- a/drivers/net/wireless/b43/main.c
-+++ b/drivers/net/wireless/b43/main.c
-@@ -4214,7 +4214,6 @@ redo:
- mutex_unlock(&wl->mutex);
- cancel_delayed_work_sync(&dev->periodic_work);
- cancel_work_sync(&wl->tx_work);
-- cancel_work_sync(&wl->firmware_load);
- mutex_lock(&wl->mutex);
- dev = wl->current_dev;
- if (!dev || b43_status(dev) < B43_STAT_STARTED) {
-@@ -5434,6 +5433,7 @@ static void b43_bcma_remove(struct bcma_device *core)
- /* We must cancel any work here before unregistering from ieee80211,
- * as the ieee80211 unreg will destroy the workqueue. */
- cancel_work_sync(&wldev->restart_work);
-+ cancel_work_sync(&wl->firmware_load);
-
- B43_WARN_ON(!wl);
- if (!wldev->fw.ucode.data)
-@@ -5510,6 +5510,7 @@ static void b43_ssb_remove(struct ssb_device *sdev)
- /* We must cancel any work here before unregistering from ieee80211,
- * as the ieee80211 unreg will destroy the workqueue. */
- cancel_work_sync(&wldev->restart_work);
-+ cancel_work_sync(&wl->firmware_load);
-
- B43_WARN_ON(!wl);
- if (!wldev->fw.ucode.data)
-diff --git a/drivers/power/ab8500_btemp.c b/drivers/power/ab8500_btemp.c
-index 20e2a7d..056222e 100644
---- a/drivers/power/ab8500_btemp.c
-+++ b/drivers/power/ab8500_btemp.c
-@@ -1123,7 +1123,7 @@ static void __exit ab8500_btemp_exit(void)
- platform_driver_unregister(&ab8500_btemp_driver);
- }
-
--subsys_initcall_sync(ab8500_btemp_init);
-+device_initcall(ab8500_btemp_init);
- module_exit(ab8500_btemp_exit);
-
- MODULE_LICENSE("GPL v2");
-diff --git a/drivers/power/abx500_chargalg.c b/drivers/power/abx500_chargalg.c
-index 2970891..eb7b4a6 100644
---- a/drivers/power/abx500_chargalg.c
-+++ b/drivers/power/abx500_chargalg.c
-@@ -1698,7 +1698,7 @@ static ssize_t abx500_chargalg_sysfs_charger(struct kobject *kobj,
- static struct attribute abx500_chargalg_en_charger = \
- {
- .name = "chargalg",
-- .mode = S_IWUGO,
-+ .mode = S_IWUSR,
- };
-
- static struct attribute *abx500_chargalg_chg[] = {
-diff --git a/drivers/power/bq27x00_battery.c b/drivers/power/bq27x00_battery.c
-index 36b34ef..7087d0d 100644
---- a/drivers/power/bq27x00_battery.c
-+++ b/drivers/power/bq27x00_battery.c
-@@ -448,7 +448,6 @@ static void bq27x00_update(struct bq27x00_device_info *di)
- cache.temperature = bq27x00_battery_read_temperature(di);
- if (!is_bq27425)
- cache.cycle_count = bq27x00_battery_read_cyct(di);
-- cache.cycle_count = bq27x00_battery_read_cyct(di);
- cache.power_avg =
- bq27x00_battery_read_pwr_avg(di, BQ27x00_POWER_AVG);
-
-@@ -696,7 +695,6 @@ static int bq27x00_powersupply_init(struct bq27x00_device_info *di)
- int ret;
-
- di->bat.type = POWER_SUPPLY_TYPE_BATTERY;
-- di->chip = BQ27425;
- if (di->chip == BQ27425) {
- di->bat.properties = bq27425_battery_props;
- di->bat.num_properties = ARRAY_SIZE(bq27425_battery_props);
-diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
-index 8f14c42..6894b3e 100644
---- a/drivers/staging/comedi/comedi_fops.c
-+++ b/drivers/staging/comedi/comedi_fops.c
-@@ -1779,7 +1779,7 @@ static unsigned int comedi_poll(struct file *file, poll_table *wait)
-
- mask = 0;
- read_subdev = comedi_get_read_subdevice(dev_file_info);
-- if (read_subdev) {
-+ if (read_subdev && read_subdev->async) {
- poll_wait(file, &read_subdev->async->wait_head, wait);
- if (!read_subdev->busy
- || comedi_buf_read_n_available(read_subdev->async) > 0
-@@ -1789,7 +1789,7 @@ static unsigned int comedi_poll(struct file *file, poll_table *wait)
- }
- }
- write_subdev = comedi_get_write_subdevice(dev_file_info);
-- if (write_subdev) {
-+ if (write_subdev && write_subdev->async) {
- poll_wait(file, &write_subdev->async->wait_head, wait);
- comedi_buf_write_alloc(write_subdev->async,
- write_subdev->async->prealloc_bufsz);
-@@ -1831,7 +1831,7 @@ static ssize_t comedi_write(struct file *file, const char __user *buf,
- }
-
- s = comedi_get_write_subdevice(dev_file_info);
-- if (s == NULL) {
-+ if (s == NULL || s->async == NULL) {
- retval = -EIO;
- goto done;
- }
-@@ -1942,7 +1942,7 @@ static ssize_t comedi_read(struct file *file, char __user *buf, size_t nbytes,
- }
-
- s = comedi_get_read_subdevice(dev_file_info);
-- if (s == NULL) {
-+ if (s == NULL || s->async == NULL) {
- retval = -EIO;
- goto done;
- }
-diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
-index f2aa754..96f4981 100644
---- a/drivers/target/target_core_device.c
-+++ b/drivers/target/target_core_device.c
-@@ -1182,24 +1182,18 @@ static struct se_lun *core_dev_get_lun(struct se_portal_group *tpg, u32 unpacked
-
- struct se_lun_acl *core_dev_init_initiator_node_lun_acl(
- struct se_portal_group *tpg,
-+ struct se_node_acl *nacl,
- u32 mapped_lun,
-- char *initiatorname,
- int *ret)
- {
- struct se_lun_acl *lacl;
-- struct se_node_acl *nacl;
-
-- if (strlen(initiatorname) >= TRANSPORT_IQN_LEN) {
-+ if (strlen(nacl->initiatorname) >= TRANSPORT_IQN_LEN) {
- pr_err("%s InitiatorName exceeds maximum size.\n",
- tpg->se_tpg_tfo->get_fabric_name());
- *ret = -EOVERFLOW;
- return NULL;
- }
-- nacl = core_tpg_get_initiator_node_acl(tpg, initiatorname);
-- if (!nacl) {
-- *ret = -EINVAL;
-- return NULL;
-- }
- lacl = kzalloc(sizeof(struct se_lun_acl), GFP_KERNEL);
- if (!lacl) {
- pr_err("Unable to allocate memory for struct se_lun_acl.\n");
-@@ -1210,7 +1204,8 @@ struct se_lun_acl *core_dev_init_initiator_node_lun_acl(
- INIT_LIST_HEAD(&lacl->lacl_list);
- lacl->mapped_lun = mapped_lun;
- lacl->se_lun_nacl = nacl;
-- snprintf(lacl->initiatorname, TRANSPORT_IQN_LEN, "%s", initiatorname);
-+ snprintf(lacl->initiatorname, TRANSPORT_IQN_LEN, "%s",
-+ nacl->initiatorname);
-
- return lacl;
- }
-diff --git a/drivers/target/target_core_fabric_configfs.c b/drivers/target/target_core_fabric_configfs.c
-index c57bbbc..04c775c 100644
---- a/drivers/target/target_core_fabric_configfs.c
-+++ b/drivers/target/target_core_fabric_configfs.c
-@@ -354,9 +354,17 @@ static struct config_group *target_fabric_make_mappedlun(
- ret = -EINVAL;
- goto out;
- }
-+ if (mapped_lun > (TRANSPORT_MAX_LUNS_PER_TPG-1)) {
-+ pr_err("Mapped LUN: %lu exceeds TRANSPORT_MAX_LUNS_PER_TPG"
-+ "-1: %u for Target Portal Group: %u\n", mapped_lun,
-+ TRANSPORT_MAX_LUNS_PER_TPG-1,
-+ se_tpg->se_tpg_tfo->tpg_get_tag(se_tpg));
-+ ret = -EINVAL;
-+ goto out;
-+ }
-
-- lacl = core_dev_init_initiator_node_lun_acl(se_tpg, mapped_lun,
-- config_item_name(acl_ci), &ret);
-+ lacl = core_dev_init_initiator_node_lun_acl(se_tpg, se_nacl,
-+ mapped_lun, &ret);
- if (!lacl) {
- ret = -EINVAL;
- goto out;
-diff --git a/drivers/target/target_core_internal.h b/drivers/target/target_core_internal.h
-index 93e9c1f..396e1eb 100644
---- a/drivers/target/target_core_internal.h
-+++ b/drivers/target/target_core_internal.h
-@@ -45,7 +45,7 @@ struct se_lun *core_dev_add_lun(struct se_portal_group *, struct se_device *, u3
- int core_dev_del_lun(struct se_portal_group *, u32);
- struct se_lun *core_get_lun_from_tpg(struct se_portal_group *, u32);
- struct se_lun_acl *core_dev_init_initiator_node_lun_acl(struct se_portal_group *,
-- u32, char *, int *);
-+ struct se_node_acl *, u32, int *);
- int core_dev_add_initiator_node_lun_acl(struct se_portal_group *,
- struct se_lun_acl *, u32, u32);
- int core_dev_del_initiator_node_lun_acl(struct se_portal_group *,
-diff --git a/drivers/target/target_core_tpg.c b/drivers/target/target_core_tpg.c
-index 5192ac0..9169d6a 100644
---- a/drivers/target/target_core_tpg.c
-+++ b/drivers/target/target_core_tpg.c
-@@ -111,16 +111,10 @@ struct se_node_acl *core_tpg_get_initiator_node_acl(
- struct se_node_acl *acl;
-
- spin_lock_irq(&tpg->acl_node_lock);
-- list_for_each_entry(acl, &tpg->acl_node_list, acl_list) {
-- if (!strcmp(acl->initiatorname, initiatorname) &&
-- !acl->dynamic_node_acl) {
-- spin_unlock_irq(&tpg->acl_node_lock);
-- return acl;
-- }
-- }
-+ acl = __core_tpg_get_initiator_node_acl(tpg, initiatorname);
- spin_unlock_irq(&tpg->acl_node_lock);
-
-- return NULL;
-+ return acl;
- }
-
- /* core_tpg_add_node_to_devs():
-diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h
-index 4999563..1dae91d 100644
---- a/drivers/usb/dwc3/core.h
-+++ b/drivers/usb/dwc3/core.h
-@@ -405,7 +405,6 @@ struct dwc3_event_buffer {
- * @number: endpoint number (1 - 15)
- * @type: set to bmAttributes & USB_ENDPOINT_XFERTYPE_MASK
- * @resource_index: Resource transfer index
-- * @current_uf: Current uf received through last event parameter
- * @interval: the intervall on which the ISOC transfer is started
- * @name: a human readable name e.g. ep1out-bulk
- * @direction: true for TX, false for RX
-@@ -439,7 +438,6 @@ struct dwc3_ep {
- u8 number;
- u8 type;
- u8 resource_index;
-- u16 current_uf;
- u32 interval;
-
- char name[20];
-diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
-index 2fdd767..09835b6 100644
---- a/drivers/usb/dwc3/gadget.c
-+++ b/drivers/usb/dwc3/gadget.c
-@@ -754,21 +754,18 @@ static void dwc3_prepare_one_trb(struct dwc3_ep *dep,
- struct dwc3 *dwc = dep->dwc;
- struct dwc3_trb *trb;
-
-- unsigned int cur_slot;
--
- dev_vdbg(dwc->dev, "%s: req %p dma %08llx length %d%s%s\n",
- dep->name, req, (unsigned long long) dma,
- length, last ? " last" : "",
- chain ? " chain" : "");
-
-- trb = &dep->trb_pool[dep->free_slot & DWC3_TRB_MASK];
-- cur_slot = dep->free_slot;
-- dep->free_slot++;
--
- /* Skip the LINK-TRB on ISOC */
-- if (((cur_slot & DWC3_TRB_MASK) == DWC3_TRB_NUM - 1) &&
-+ if (((dep->free_slot & DWC3_TRB_MASK) == DWC3_TRB_NUM - 1) &&
- usb_endpoint_xfer_isoc(dep->endpoint.desc))
-- return;
-+ dep->free_slot++;
-+
-+ trb = &dep->trb_pool[dep->free_slot & DWC3_TRB_MASK];
-+ dep->free_slot++;
-
- if (!req->trb) {
- dwc3_gadget_move_request_queued(req);
-@@ -1091,7 +1088,10 @@ static int __dwc3_gadget_ep_queue(struct dwc3_ep *dep, struct dwc3_request *req)
- * notion of current microframe.
- */
- if (usb_endpoint_xfer_isoc(dep->endpoint.desc)) {
-- dwc3_stop_active_transfer(dwc, dep->number);
-+ if (list_empty(&dep->req_queued)) {
-+ dwc3_stop_active_transfer(dwc, dep->number);
-+ dep->flags = DWC3_EP_ENABLED;
-+ }
- return 0;
- }
-
-@@ -1117,16 +1117,6 @@ static int __dwc3_gadget_ep_queue(struct dwc3_ep *dep, struct dwc3_request *req)
- dep->name);
- }
-
-- /*
-- * 3. Missed ISOC Handling. We need to start isoc transfer on the saved
-- * uframe number.
-- */
-- if (usb_endpoint_xfer_isoc(dep->endpoint.desc) &&
-- (dep->flags & DWC3_EP_MISSED_ISOC)) {
-- __dwc3_gadget_start_isoc(dwc, dep, dep->current_uf);
-- dep->flags &= ~DWC3_EP_MISSED_ISOC;
-- }
--
- return 0;
- }
-
-@@ -1689,14 +1679,29 @@ static int dwc3_cleanup_done_reqs(struct dwc3 *dwc, struct dwc3_ep *dep,
- if (trb_status == DWC3_TRBSTS_MISSED_ISOC) {
- dev_dbg(dwc->dev, "incomplete IN transfer %s\n",
- dep->name);
-- dep->current_uf = event->parameters &
-- ~(dep->interval - 1);
-+ /*
-+ * If missed isoc occurred and there is
-+ * no request queued then issue END
-+ * TRANSFER, so that core generates
-+ * next xfernotready and we will issue
-+ * a fresh START TRANSFER.
-+ * If there are still queued request
-+ * then wait, do not issue either END
-+ * or UPDATE TRANSFER, just attach next
-+ * request in request_list during
-+ * giveback.If any future queued request
-+ * is successfully transferred then we
-+ * will issue UPDATE TRANSFER for all
-+ * request in the request_list.
-+ */
- dep->flags |= DWC3_EP_MISSED_ISOC;
- } else {
- dev_err(dwc->dev, "incomplete IN transfer %s\n",
- dep->name);
- status = -ECONNRESET;
- }
-+ } else {
-+ dep->flags &= ~DWC3_EP_MISSED_ISOC;
- }
- } else {
- if (count && (event->status & DEPEVT_STATUS_SHORT))
-@@ -1723,6 +1728,23 @@ static int dwc3_cleanup_done_reqs(struct dwc3 *dwc, struct dwc3_ep *dep,
- break;
- } while (1);
-
-+ if (usb_endpoint_xfer_isoc(dep->endpoint.desc) &&
-+ list_empty(&dep->req_queued)) {
-+ if (list_empty(&dep->request_list)) {
-+ /*
-+ * If there is no entry in request list then do
-+ * not issue END TRANSFER now. Just set PENDING
-+ * flag, so that END TRANSFER is issued when an
-+ * entry is added into request list.
-+ */
-+ dep->flags = DWC3_EP_PENDING_REQUEST;
-+ } else {
-+ dwc3_stop_active_transfer(dwc, dep->number);
-+ dep->flags = DWC3_EP_ENABLED;
-+ }
-+ return 1;
-+ }
-+
- if ((event->status & DEPEVT_STATUS_IOC) &&
- (trb->ctrl & DWC3_TRB_CTRL_IOC))
- return 0;
-@@ -2157,6 +2179,26 @@ static void dwc3_gadget_conndone_interrupt(struct dwc3 *dwc)
- break;
- }
-
-+ /* Enable USB2 LPM Capability */
-+
-+ if ((dwc->revision > DWC3_REVISION_194A)
-+ && (speed != DWC3_DCFG_SUPERSPEED)) {
-+ reg = dwc3_readl(dwc->regs, DWC3_DCFG);
-+ reg |= DWC3_DCFG_LPM_CAP;
-+ dwc3_writel(dwc->regs, DWC3_DCFG, reg);
-+
-+ reg = dwc3_readl(dwc->regs, DWC3_DCTL);
-+ reg &= ~(DWC3_DCTL_HIRD_THRES_MASK | DWC3_DCTL_L1_HIBER_EN);
-+
-+ /*
-+ * TODO: This should be configurable. For now using
-+ * maximum allowed HIRD threshold value of 0b1100
-+ */
-+ reg |= DWC3_DCTL_HIRD_THRES(12);
-+
-+ dwc3_writel(dwc->regs, DWC3_DCTL, reg);
-+ }
-+
- /* Recent versions support automatic phy suspend and don't need this */
- if (dwc->revision < DWC3_REVISION_194A) {
- /* Suspend unneeded PHY */
-@@ -2463,20 +2505,8 @@ int dwc3_gadget_init(struct dwc3 *dwc)
- DWC3_DEVTEN_DISCONNEVTEN);
- dwc3_writel(dwc->regs, DWC3_DEVTEN, reg);
-
-- /* Enable USB2 LPM and automatic phy suspend only on recent versions */
-+ /* automatic phy suspend only on recent versions */
- if (dwc->revision >= DWC3_REVISION_194A) {
-- reg = dwc3_readl(dwc->regs, DWC3_DCFG);
-- reg |= DWC3_DCFG_LPM_CAP;
-- dwc3_writel(dwc->regs, DWC3_DCFG, reg);
--
-- reg = dwc3_readl(dwc->regs, DWC3_DCTL);
-- reg &= ~(DWC3_DCTL_HIRD_THRES_MASK | DWC3_DCTL_L1_HIBER_EN);
--
-- /* TODO: This should be configurable */
-- reg |= DWC3_DCTL_HIRD_THRES(28);
--
-- dwc3_writel(dwc->regs, DWC3_DCTL, reg);
--
- dwc3_gadget_usb2_phy_suspend(dwc, false);
- dwc3_gadget_usb3_phy_suspend(dwc, false);
- }
-diff --git a/fs/direct-io.c b/fs/direct-io.c
-index cf5b44b..f853263 100644
---- a/fs/direct-io.c
-+++ b/fs/direct-io.c
-@@ -261,9 +261,9 @@ static ssize_t dio_complete(struct dio *dio, loff_t offset, ssize_t ret, bool is
- dio->end_io(dio->iocb, offset, transferred,
- dio->private, ret, is_async);
- } else {
-+ inode_dio_done(dio->inode);
- if (is_async)
- aio_complete(dio->iocb, ret, 0);
-- inode_dio_done(dio->inode);
- }
-
- return ret;
-diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
-index cf18217..2f2e0da 100644
---- a/fs/ext4/balloc.c
-+++ b/fs/ext4/balloc.c
-@@ -358,7 +358,7 @@ void ext4_validate_block_bitmap(struct super_block *sb,
- }
-
- /**
-- * ext4_read_block_bitmap()
-+ * ext4_read_block_bitmap_nowait()
- * @sb: super block
- * @block_group: given block group
- *
-@@ -457,6 +457,8 @@ ext4_read_block_bitmap(struct super_block *sb, ext4_group_t block_group)
- struct buffer_head *bh;
-
- bh = ext4_read_block_bitmap_nowait(sb, block_group);
-+ if (!bh)
-+ return NULL;
- if (ext4_wait_block_bitmap(sb, block_group, bh)) {
- put_bh(bh);
- return NULL;
-@@ -482,11 +484,16 @@ static int ext4_has_free_clusters(struct ext4_sb_info *sbi,
-
- free_clusters = percpu_counter_read_positive(fcc);
- dirty_clusters = percpu_counter_read_positive(dcc);
-- root_clusters = EXT4_B2C(sbi, ext4_r_blocks_count(sbi->s_es));
-+
-+ /*
-+ * r_blocks_count should always be multiple of the cluster ratio so
-+ * we are safe to do a plane bit shift only.
-+ */
-+ root_clusters = ext4_r_blocks_count(sbi->s_es) >> sbi->s_cluster_bits;
-
- if (free_clusters - (nclusters + root_clusters + dirty_clusters) <
- EXT4_FREECLUSTERS_WATERMARK) {
-- free_clusters = EXT4_C2B(sbi, percpu_counter_sum_positive(fcc));
-+ free_clusters = percpu_counter_sum_positive(fcc);
- dirty_clusters = percpu_counter_sum_positive(dcc);
- }
- /* Check whether we have space after accounting for current
-diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
-index 5ae1674..d42a8c4 100644
---- a/fs/ext4/extents.c
-+++ b/fs/ext4/extents.c
-@@ -725,6 +725,7 @@ ext4_ext_find_extent(struct inode *inode, ext4_lblk_t block,
- struct ext4_extent_header *eh;
- struct buffer_head *bh;
- short int depth, i, ppos = 0, alloc = 0;
-+ int ret;
-
- eh = ext_inode_hdr(inode);
- depth = ext_depth(inode);
-@@ -752,12 +753,15 @@ ext4_ext_find_extent(struct inode *inode, ext4_lblk_t block,
- path[ppos].p_ext = NULL;
-
- bh = sb_getblk(inode->i_sb, path[ppos].p_block);
-- if (unlikely(!bh))
-+ if (unlikely(!bh)) {
-+ ret = -ENOMEM;
- goto err;
-+ }
- if (!bh_uptodate_or_lock(bh)) {
- trace_ext4_ext_load_extent(inode, block,
- path[ppos].p_block);
-- if (bh_submit_read(bh) < 0) {
-+ ret = bh_submit_read(bh);
-+ if (ret < 0) {
- put_bh(bh);
- goto err;
- }
-@@ -768,13 +772,15 @@ ext4_ext_find_extent(struct inode *inode, ext4_lblk_t block,
- put_bh(bh);
- EXT4_ERROR_INODE(inode,
- "ppos %d > depth %d", ppos, depth);
-+ ret = -EIO;
- goto err;
- }
- path[ppos].p_bh = bh;
- path[ppos].p_hdr = eh;
- i--;
-
-- if (ext4_ext_check_block(inode, eh, i, bh))
-+ ret = ext4_ext_check_block(inode, eh, i, bh);
-+ if (ret < 0)
- goto err;
- }
-
-@@ -796,7 +802,7 @@ err:
- ext4_ext_drop_refs(path);
- if (alloc)
- kfree(path);
-- return ERR_PTR(-EIO);
-+ return ERR_PTR(ret);
- }
-
- /*
-@@ -951,7 +957,7 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode,
- }
- bh = sb_getblk(inode->i_sb, newblock);
- if (!bh) {
-- err = -EIO;
-+ err = -ENOMEM;
- goto cleanup;
- }
- lock_buffer(bh);
-@@ -1024,7 +1030,7 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode,
- newblock = ablocks[--a];
- bh = sb_getblk(inode->i_sb, newblock);
- if (!bh) {
-- err = -EIO;
-+ err = -ENOMEM;
- goto cleanup;
- }
- lock_buffer(bh);
-@@ -1136,11 +1142,8 @@ static int ext4_ext_grow_indepth(handle_t *handle, struct inode *inode,
- return err;
-
- bh = sb_getblk(inode->i_sb, newblock);
-- if (!bh) {
-- err = -EIO;
-- ext4_std_error(inode->i_sb, err);
-- return err;
-- }
-+ if (!bh)
-+ return -ENOMEM;
- lock_buffer(bh);
-
- err = ext4_journal_get_create_access(handle, bh);
-diff --git a/fs/ext4/indirect.c b/fs/ext4/indirect.c
-index 20862f9..8d83d1e 100644
---- a/fs/ext4/indirect.c
-+++ b/fs/ext4/indirect.c
-@@ -146,6 +146,7 @@ static Indirect *ext4_get_branch(struct inode *inode, int depth,
- struct super_block *sb = inode->i_sb;
- Indirect *p = chain;
- struct buffer_head *bh;
-+ int ret = -EIO;
-
- *err = 0;
- /* i_data is not going away, no lock needed */
-@@ -154,8 +155,10 @@ static Indirect *ext4_get_branch(struct inode *inode, int depth,
- goto no_block;
- while (--depth) {
- bh = sb_getblk(sb, le32_to_cpu(p->key));
-- if (unlikely(!bh))
-+ if (unlikely(!bh)) {
-+ ret = -ENOMEM;
- goto failure;
-+ }
-
- if (!bh_uptodate_or_lock(bh)) {
- if (bh_submit_read(bh) < 0) {
-@@ -177,7 +180,7 @@ static Indirect *ext4_get_branch(struct inode *inode, int depth,
- return NULL;
-
- failure:
-- *err = -EIO;
-+ *err = ret;
- no_block:
- return p;
- }
-@@ -471,7 +474,7 @@ static int ext4_alloc_branch(handle_t *handle, struct inode *inode,
- */
- bh = sb_getblk(inode->i_sb, new_blocks[n-1]);
- if (unlikely(!bh)) {
-- err = -EIO;
-+ err = -ENOMEM;
- goto failed;
- }
-
-diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
-index 387c47c..93a3408 100644
---- a/fs/ext4/inline.c
-+++ b/fs/ext4/inline.c
-@@ -1188,7 +1188,7 @@ static int ext4_convert_inline_data_nolock(handle_t *handle,
-
- data_bh = sb_getblk(inode->i_sb, map.m_pblk);
- if (!data_bh) {
-- error = -EIO;
-+ error = -ENOMEM;
- goto out_restore;
- }
-
-diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
-index cbfe13b..39f1fa7 100644
---- a/fs/ext4/inode.c
-+++ b/fs/ext4/inode.c
-@@ -714,7 +714,7 @@ struct buffer_head *ext4_getblk(handle_t *handle, struct inode *inode,
-
- bh = sb_getblk(inode->i_sb, map.m_pblk);
- if (!bh) {
-- *errp = -EIO;
-+ *errp = -ENOMEM;
- return NULL;
- }
- if (map.m_flags & EXT4_MAP_NEW) {
-@@ -2977,9 +2977,9 @@ static void ext4_end_io_dio(struct kiocb *iocb, loff_t offset,
- if (!(io_end->flag & EXT4_IO_END_UNWRITTEN)) {
- ext4_free_io_end(io_end);
- out:
-+ inode_dio_done(inode);
- if (is_async)
- aio_complete(iocb, ret, 0);
-- inode_dio_done(inode);
- return;
- }
-
-@@ -3660,11 +3660,8 @@ static int __ext4_get_inode_loc(struct inode *inode,
- iloc->offset = (inode_offset % inodes_per_block) * EXT4_INODE_SIZE(sb);
-
- bh = sb_getblk(sb, block);
-- if (!bh) {
-- EXT4_ERROR_INODE_BLOCK(inode, block,
-- "unable to read itable block");
-- return -EIO;
-- }
-+ if (!bh)
-+ return -ENOMEM;
- if (!buffer_uptodate(bh)) {
- lock_buffer(bh);
-
-diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
-index 1bf6fe7..061727a 100644
---- a/fs/ext4/mballoc.c
-+++ b/fs/ext4/mballoc.c
-@@ -4136,7 +4136,7 @@ static void ext4_mb_add_n_trim(struct ext4_allocation_context *ac)
- /* The max size of hash table is PREALLOC_TB_SIZE */
- order = PREALLOC_TB_SIZE - 1;
- /* Add the prealloc space to lg */
-- rcu_read_lock();
-+ spin_lock(&lg->lg_prealloc_lock);
- list_for_each_entry_rcu(tmp_pa, &lg->lg_prealloc_list[order],
- pa_inode_list) {
- spin_lock(&tmp_pa->pa_lock);
-@@ -4160,12 +4160,12 @@ static void ext4_mb_add_n_trim(struct ext4_allocation_context *ac)
- if (!added)
- list_add_tail_rcu(&pa->pa_inode_list,
- &lg->lg_prealloc_list[order]);
-- rcu_read_unlock();
-+ spin_unlock(&lg->lg_prealloc_lock);
-
- /* Now trim the list to be not more than 8 elements */
- if (lg_prealloc_count > 8) {
- ext4_mb_discard_lg_preallocations(sb, lg,
-- order, lg_prealloc_count);
-+ order, lg_prealloc_count);
- return;
- }
- return ;
-diff --git a/fs/ext4/mmp.c b/fs/ext4/mmp.c
-index fe7c63f..44734f1 100644
---- a/fs/ext4/mmp.c
-+++ b/fs/ext4/mmp.c
-@@ -80,6 +80,8 @@ static int read_mmp_block(struct super_block *sb, struct buffer_head **bh,
- * is not blocked in the elevator. */
- if (!*bh)
- *bh = sb_getblk(sb, mmp_block);
-+ if (!*bh)
-+ return -ENOMEM;
- if (*bh) {
- get_bh(*bh);
- lock_buffer(*bh);
-diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
-index 0016fbc..b42d04f 100644
---- a/fs/ext4/page-io.c
-+++ b/fs/ext4/page-io.c
-@@ -103,14 +103,13 @@ static int ext4_end_io(ext4_io_end_t *io)
- "(inode %lu, offset %llu, size %zd, error %d)",
- inode->i_ino, offset, size, ret);
- }
-- if (io->iocb)
-- aio_complete(io->iocb, io->result, 0);
--
-- if (io->flag & EXT4_IO_END_DIRECT)
-- inode_dio_done(inode);
- /* Wake up anyone waiting on unwritten extent conversion */
- if (atomic_dec_and_test(&EXT4_I(inode)->i_unwritten))
- wake_up_all(ext4_ioend_wq(inode));
-+ if (io->flag & EXT4_IO_END_DIRECT)
-+ inode_dio_done(inode);
-+ if (io->iocb)
-+ aio_complete(io->iocb, io->result, 0);
- return ret;
- }
-
-diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
-index d99387b..02824dc 100644
---- a/fs/ext4/resize.c
-+++ b/fs/ext4/resize.c
-@@ -334,7 +334,7 @@ static struct buffer_head *bclean(handle_t *handle, struct super_block *sb,
-
- bh = sb_getblk(sb, blk);
- if (!bh)
-- return ERR_PTR(-EIO);
-+ return ERR_PTR(-ENOMEM);
- if ((err = ext4_journal_get_write_access(handle, bh))) {
- brelse(bh);
- bh = ERR_PTR(err);
-@@ -411,7 +411,7 @@ static int set_flexbg_block_bitmap(struct super_block *sb, handle_t *handle,
-
- bh = sb_getblk(sb, flex_gd->groups[group].block_bitmap);
- if (!bh)
-- return -EIO;
-+ return -ENOMEM;
-
- err = ext4_journal_get_write_access(handle, bh);
- if (err)
-@@ -501,7 +501,7 @@ static int setup_new_flex_group_blocks(struct super_block *sb,
-
- gdb = sb_getblk(sb, block);
- if (!gdb) {
-- err = -EIO;
-+ err = -ENOMEM;
- goto out;
- }
-
-@@ -1065,7 +1065,7 @@ static void update_backups(struct super_block *sb, int blk_off, char *data,
-
- bh = sb_getblk(sb, backup_block);
- if (!bh) {
-- err = -EIO;
-+ err = -ENOMEM;
- break;
- }
- ext4_debug("update metadata backup %llu(+%llu)\n",
-diff --git a/fs/ext4/super.c b/fs/ext4/super.c
-index 3d4fb81..0465f36 100644
---- a/fs/ext4/super.c
-+++ b/fs/ext4/super.c
-@@ -4008,7 +4008,7 @@ no_journal:
- !(sb->s_flags & MS_RDONLY)) {
- err = ext4_enable_quotas(sb);
- if (err)
-- goto failed_mount7;
-+ goto failed_mount8;
- }
- #endif /* CONFIG_QUOTA */
-
-@@ -4035,6 +4035,10 @@ cantfind_ext4:
- ext4_msg(sb, KERN_ERR, "VFS: Can't find ext4 filesystem");
- goto failed_mount;
-
-+#ifdef CONFIG_QUOTA
-+failed_mount8:
-+ kobject_del(&sbi->s_kobj);
-+#endif
- failed_mount7:
- ext4_unregister_li_request(sb);
- failed_mount6:
-@@ -5005,9 +5009,9 @@ static int ext4_enable_quotas(struct super_block *sb)
- DQUOT_USAGE_ENABLED);
- if (err) {
- ext4_warning(sb,
-- "Failed to enable quota (type=%d) "
-- "tracking. Please run e2fsck to fix.",
-- type);
-+ "Failed to enable quota tracking "
-+ "(type=%d, err=%d). Please run "
-+ "e2fsck to fix.", type, err);
- return err;
- }
- }
-diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
-index 3a91ebc..b93846b 100644
---- a/fs/ext4/xattr.c
-+++ b/fs/ext4/xattr.c
-@@ -549,7 +549,7 @@ ext4_xattr_release_block(handle_t *handle, struct inode *inode,
- error = ext4_handle_dirty_xattr_block(handle, inode, bh);
- if (IS_SYNC(inode))
- ext4_handle_sync(handle);
-- dquot_free_block(inode, 1);
-+ dquot_free_block(inode, EXT4_C2B(EXT4_SB(inode->i_sb), 1));
- ea_bdebug(bh, "refcount now=%d; releasing",
- le32_to_cpu(BHDR(bh)->h_refcount));
- }
-@@ -832,7 +832,8 @@ inserted:
- else {
- /* The old block is released after updating
- the inode. */
-- error = dquot_alloc_block(inode, 1);
-+ error = dquot_alloc_block(inode,
-+ EXT4_C2B(EXT4_SB(sb), 1));
- if (error)
- goto cleanup;
- error = ext4_journal_get_write_access(handle,
-@@ -887,16 +888,17 @@ inserted:
-
- new_bh = sb_getblk(sb, block);
- if (!new_bh) {
-+ error = -ENOMEM;
- getblk_failed:
- ext4_free_blocks(handle, inode, NULL, block, 1,
- EXT4_FREE_BLOCKS_METADATA);
-- error = -EIO;
- goto cleanup;
- }
- lock_buffer(new_bh);
- error = ext4_journal_get_create_access(handle, new_bh);
- if (error) {
- unlock_buffer(new_bh);
-+ error = -EIO;
- goto getblk_failed;
- }
- memcpy(new_bh->b_data, s->base, new_bh->b_size);
-@@ -928,7 +930,7 @@ cleanup:
- return error;
-
- cleanup_dquot:
-- dquot_free_block(inode, 1);
-+ dquot_free_block(inode, EXT4_C2B(EXT4_SB(sb), 1));
- goto cleanup;
-
- bad_block:
-diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
-index b7c09f9..315e1f8 100644
---- a/fs/fuse/dir.c
-+++ b/fs/fuse/dir.c
-@@ -682,7 +682,14 @@ static int fuse_unlink(struct inode *dir, struct dentry *entry)
-
- spin_lock(&fc->lock);
- fi->attr_version = ++fc->attr_version;
-- drop_nlink(inode);
-+ /*
-+ * If i_nlink == 0 then unlink doesn't make sense, yet this can
-+ * happen if userspace filesystem is careless. It would be
-+ * difficult to enforce correct nlink usage so just ignore this
-+ * condition here
-+ */
-+ if (inode->i_nlink > 0)
-+ drop_nlink(inode);
- spin_unlock(&fc->lock);
- fuse_invalidate_attr(inode);
- fuse_invalidate_attr(dir);
-diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
-index ac8ed96c..a8309c6 100644
---- a/fs/nfsd/nfs4state.c
-+++ b/fs/nfsd/nfs4state.c
-@@ -1060,6 +1060,8 @@ free_client(struct nfs4_client *clp)
- }
- free_svc_cred(&clp->cl_cred);
- kfree(clp->cl_name.data);
-+ idr_remove_all(&clp->cl_stateids);
-+ idr_destroy(&clp->cl_stateids);
- kfree(clp);
- }
-
-diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c
-index 6577432..340bd02 100644
---- a/fs/ocfs2/aops.c
-+++ b/fs/ocfs2/aops.c
-@@ -593,9 +593,9 @@ static void ocfs2_dio_end_io(struct kiocb *iocb,
- level = ocfs2_iocb_rw_locked_level(iocb);
- ocfs2_rw_unlock(inode, level);
-
-+ inode_dio_done(inode);
- if (is_async)
- aio_complete(iocb, ret, 0);
-- inode_dio_done(inode);
- }
-
- /*
-diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
-index f169da4..b7e74b5 100644
---- a/fs/ocfs2/suballoc.c
-+++ b/fs/ocfs2/suballoc.c
-@@ -642,7 +642,7 @@ ocfs2_block_group_alloc_discontig(handle_t *handle,
- * cluster groups will be staying in cache for the duration of
- * this operation.
- */
-- ac->ac_allow_chain_relink = 0;
-+ ac->ac_disable_chain_relink = 1;
-
- /* Claim the first region */
- status = ocfs2_block_group_claim_bits(osb, handle, ac, min_bits,
-@@ -1823,7 +1823,7 @@ static int ocfs2_search_chain(struct ocfs2_alloc_context *ac,
- * Do this *after* figuring out how many bits we're taking out
- * of our target group.
- */
-- if (ac->ac_allow_chain_relink &&
-+ if (!ac->ac_disable_chain_relink &&
- (prev_group_bh) &&
- (ocfs2_block_group_reasonably_empty(bg, res->sr_bits))) {
- status = ocfs2_relink_block_group(handle, alloc_inode,
-@@ -1928,7 +1928,6 @@ static int ocfs2_claim_suballoc_bits(struct ocfs2_alloc_context *ac,
-
- victim = ocfs2_find_victim_chain(cl);
- ac->ac_chain = victim;
-- ac->ac_allow_chain_relink = 1;
-
- status = ocfs2_search_chain(ac, handle, bits_wanted, min_bits,
- res, &bits_left);
-@@ -1947,7 +1946,7 @@ static int ocfs2_claim_suballoc_bits(struct ocfs2_alloc_context *ac,
- * searching each chain in order. Don't allow chain relinking
- * because we only calculate enough journal credits for one
- * relink per alloc. */
-- ac->ac_allow_chain_relink = 0;
-+ ac->ac_disable_chain_relink = 1;
- for (i = 0; i < le16_to_cpu(cl->cl_next_free_rec); i ++) {
- if (i == victim)
- continue;
-diff --git a/fs/ocfs2/suballoc.h b/fs/ocfs2/suballoc.h
-index b8afabf..a36d0aa 100644
---- a/fs/ocfs2/suballoc.h
-+++ b/fs/ocfs2/suballoc.h
-@@ -49,7 +49,7 @@ struct ocfs2_alloc_context {
-
- /* these are used by the chain search */
- u16 ac_chain;
-- int ac_allow_chain_relink;
-+ int ac_disable_chain_relink;
- group_search_t *ac_group_search;
-
- u64 ac_last_group;
-diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
-index 0ba9ea1..2e3ea30 100644
---- a/fs/ocfs2/xattr.c
-+++ b/fs/ocfs2/xattr.c
-@@ -7189,7 +7189,7 @@ int ocfs2_init_security_and_acl(struct inode *dir,
- struct buffer_head *dir_bh = NULL;
-
- ret = ocfs2_init_security_get(inode, dir, qstr, NULL);
-- if (!ret) {
-+ if (ret) {
- mlog_errno(ret);
- goto leave;
- }
-diff --git a/fs/pstore/platform.c b/fs/pstore/platform.c
-index 5ea2e77..86d1038 100644
---- a/fs/pstore/platform.c
-+++ b/fs/pstore/platform.c
-@@ -96,6 +96,27 @@ static const char *get_reason_str(enum kmsg_dump_reason reason)
- }
- }
-
-+bool pstore_cannot_block_path(enum kmsg_dump_reason reason)
-+{
-+ /*
-+ * In case of NMI path, pstore shouldn't be blocked
-+ * regardless of reason.
-+ */
-+ if (in_nmi())
-+ return true;
-+
-+ switch (reason) {
-+ /* In panic case, other cpus are stopped by smp_send_stop(). */
-+ case KMSG_DUMP_PANIC:
-+ /* Emergency restart shouldn't be blocked by spin lock. */
-+ case KMSG_DUMP_EMERG:
-+ return true;
-+ default:
-+ return false;
-+ }
-+}
-+EXPORT_SYMBOL_GPL(pstore_cannot_block_path);
-+
- /*
- * callback from kmsg_dump. (s2,l2) has the most recently
- * written bytes, older bytes are in (s1,l1). Save as much
-@@ -114,10 +135,12 @@ static void pstore_dump(struct kmsg_dumper *dumper,
-
- why = get_reason_str(reason);
-
-- if (in_nmi()) {
-- is_locked = spin_trylock(&psinfo->buf_lock);
-- if (!is_locked)
-- pr_err("pstore dump routine blocked in NMI, may corrupt error record\n");
-+ if (pstore_cannot_block_path(reason)) {
-+ is_locked = spin_trylock_irqsave(&psinfo->buf_lock, flags);
-+ if (!is_locked) {
-+ pr_err("pstore dump routine blocked in %s path, may corrupt error record\n"
-+ , in_nmi() ? "NMI" : why);
-+ }
- } else
- spin_lock_irqsave(&psinfo->buf_lock, flags);
- oopscount++;
-@@ -143,9 +166,9 @@ static void pstore_dump(struct kmsg_dumper *dumper,
- total += hsize + len;
- part++;
- }
-- if (in_nmi()) {
-+ if (pstore_cannot_block_path(reason)) {
- if (is_locked)
-- spin_unlock(&psinfo->buf_lock);
-+ spin_unlock_irqrestore(&psinfo->buf_lock, flags);
- } else
- spin_unlock_irqrestore(&psinfo->buf_lock, flags);
- }
-diff --git a/fs/ubifs/orphan.c b/fs/ubifs/orphan.c
-index 769701c..ba32da3 100644
---- a/fs/ubifs/orphan.c
-+++ b/fs/ubifs/orphan.c
-@@ -126,13 +126,14 @@ void ubifs_delete_orphan(struct ubifs_info *c, ino_t inum)
- else if (inum > o->inum)
- p = p->rb_right;
- else {
-- if (o->dnext) {
-+ if (o->del) {
- spin_unlock(&c->orphan_lock);
- dbg_gen("deleted twice ino %lu",
- (unsigned long)inum);
- return;
- }
-- if (o->cnext) {
-+ if (o->cmt) {
-+ o->del = 1;
- o->dnext = c->orph_dnext;
- c->orph_dnext = o;
- spin_unlock(&c->orphan_lock);
-@@ -172,7 +173,9 @@ int ubifs_orphan_start_commit(struct ubifs_info *c)
- last = &c->orph_cnext;
- list_for_each_entry(orphan, &c->orph_new, new_list) {
- ubifs_assert(orphan->new);
-+ ubifs_assert(!orphan->cmt);
- orphan->new = 0;
-+ orphan->cmt = 1;
- *last = orphan;
- last = &orphan->cnext;
- }
-@@ -299,7 +302,9 @@ static int write_orph_node(struct ubifs_info *c, int atomic)
- cnext = c->orph_cnext;
- for (i = 0; i < cnt; i++) {
- orphan = cnext;
-+ ubifs_assert(orphan->cmt);
- orph->inos[i] = cpu_to_le64(orphan->inum);
-+ orphan->cmt = 0;
- cnext = orphan->cnext;
- orphan->cnext = NULL;
- }
-@@ -378,6 +383,7 @@ static int consolidate(struct ubifs_info *c)
- list_for_each_entry(orphan, &c->orph_list, list) {
- if (orphan->new)
- continue;
-+ orphan->cmt = 1;
- *last = orphan;
- last = &orphan->cnext;
- cnt += 1;
-@@ -442,6 +448,7 @@ static void erase_deleted(struct ubifs_info *c)
- orphan = dnext;
- dnext = orphan->dnext;
- ubifs_assert(!orphan->new);
-+ ubifs_assert(orphan->del);
- rb_erase(&orphan->rb, &c->orph_tree);
- list_del(&orphan->list);
- c->tot_orphans -= 1;
-@@ -531,6 +538,7 @@ static int insert_dead_orphan(struct ubifs_info *c, ino_t inum)
- rb_link_node(&orphan->rb, parent, p);
- rb_insert_color(&orphan->rb, &c->orph_tree);
- list_add_tail(&orphan->list, &c->orph_list);
-+ orphan->del = 1;
- orphan->dnext = c->orph_dnext;
- c->orph_dnext = orphan;
- dbg_mnt("ino %lu, new %d, tot %d", (unsigned long)inum,
-diff --git a/fs/ubifs/ubifs.h b/fs/ubifs/ubifs.h
-index d133c27..b2babce 100644
---- a/fs/ubifs/ubifs.h
-+++ b/fs/ubifs/ubifs.h
-@@ -904,6 +904,8 @@ struct ubifs_budget_req {
- * @dnext: next orphan to delete
- * @inum: inode number
- * @new: %1 => added since the last commit, otherwise %0
-+ * @cmt: %1 => commit pending, otherwise %0
-+ * @del: %1 => delete pending, otherwise %0
- */
- struct ubifs_orphan {
- struct rb_node rb;
-@@ -912,7 +914,9 @@ struct ubifs_orphan {
- struct ubifs_orphan *cnext;
- struct ubifs_orphan *dnext;
- ino_t inum;
-- int new;
-+ unsigned new:1;
-+ unsigned cmt:1;
-+ unsigned del:1;
- };
-
- /**
-diff --git a/fs/xfs/xfs_bmap.c b/fs/xfs/xfs_bmap.c
-index cdb2d33..572a858 100644
---- a/fs/xfs/xfs_bmap.c
-+++ b/fs/xfs/xfs_bmap.c
-@@ -147,7 +147,10 @@ xfs_bmap_local_to_extents(
- xfs_fsblock_t *firstblock, /* first block allocated in xaction */
- xfs_extlen_t total, /* total blocks needed by transaction */
- int *logflagsp, /* inode logging flags */
-- int whichfork); /* data or attr fork */
-+ int whichfork, /* data or attr fork */
-+ void (*init_fn)(struct xfs_buf *bp,
-+ struct xfs_inode *ip,
-+ struct xfs_ifork *ifp));
-
- /*
- * Search the extents list for the inode, for the extent containing bno.
-@@ -357,7 +360,42 @@ xfs_bmap_add_attrfork_extents(
- }
-
- /*
-- * Called from xfs_bmap_add_attrfork to handle local format files.
-+ * Block initialisation functions for local to extent format conversion.
-+ * As these get more complex, they will be moved to the relevant files,
-+ * but for now they are too simple to worry about.
-+ */
-+STATIC void
-+xfs_bmap_local_to_extents_init_fn(
-+ struct xfs_buf *bp,
-+ struct xfs_inode *ip,
-+ struct xfs_ifork *ifp)
-+{
-+ bp->b_ops = &xfs_bmbt_buf_ops;
-+ memcpy(bp->b_addr, ifp->if_u1.if_data, ifp->if_bytes);
-+}
-+
-+STATIC void
-+xfs_symlink_local_to_remote(
-+ struct xfs_buf *bp,
-+ struct xfs_inode *ip,
-+ struct xfs_ifork *ifp)
-+{
-+ /* remote symlink blocks are not verifiable until CRCs come along */
-+ bp->b_ops = NULL;
-+ memcpy(bp->b_addr, ifp->if_u1.if_data, ifp->if_bytes);
-+}
-+
-+/*
-+ * Called from xfs_bmap_add_attrfork to handle local format files. Each
-+ * different data fork content type needs a different callout to do the
-+ * conversion. Some are basic and only require special block initialisation
-+ * callouts for the data formating, others (directories) are so specialised they
-+ * handle everything themselves.
-+ *
-+ * XXX (dgc): investigate whether directory conversion can use the generic
-+ * formatting callout. It should be possible - it's just a very complex
-+ * formatter. it would also require passing the transaction through to the init
-+ * function.
- */
- STATIC int /* error */
- xfs_bmap_add_attrfork_local(
-@@ -368,25 +406,29 @@ xfs_bmap_add_attrfork_local(
- int *flags) /* inode logging flags */
- {
- xfs_da_args_t dargs; /* args for dir/attr code */
-- int error; /* error return value */
-- xfs_mount_t *mp; /* mount structure pointer */
-
- if (ip->i_df.if_bytes <= XFS_IFORK_DSIZE(ip))
- return 0;
-+
- if (S_ISDIR(ip->i_d.di_mode)) {
-- mp = ip->i_mount;
- memset(&dargs, 0, sizeof(dargs));
- dargs.dp = ip;
- dargs.firstblock = firstblock;
- dargs.flist = flist;
-- dargs.total = mp->m_dirblkfsbs;
-+ dargs.total = ip->i_mount->m_dirblkfsbs;
- dargs.whichfork = XFS_DATA_FORK;
- dargs.trans = tp;
-- error = xfs_dir2_sf_to_block(&dargs);
-- } else
-- error = xfs_bmap_local_to_extents(tp, ip, firstblock, 1, flags,
-- XFS_DATA_FORK);
-- return error;
-+ return xfs_dir2_sf_to_block(&dargs);
-+ }
-+
-+ if (S_ISLNK(ip->i_d.di_mode))
-+ return xfs_bmap_local_to_extents(tp, ip, firstblock, 1,
-+ flags, XFS_DATA_FORK,
-+ xfs_symlink_local_to_remote);
-+
-+ return xfs_bmap_local_to_extents(tp, ip, firstblock, 1, flags,
-+ XFS_DATA_FORK,
-+ xfs_bmap_local_to_extents_init_fn);
- }
-
- /*
-@@ -3221,7 +3263,10 @@ xfs_bmap_local_to_extents(
- xfs_fsblock_t *firstblock, /* first block allocated in xaction */
- xfs_extlen_t total, /* total blocks needed by transaction */
- int *logflagsp, /* inode logging flags */
-- int whichfork) /* data or attr fork */
-+ int whichfork,
-+ void (*init_fn)(struct xfs_buf *bp,
-+ struct xfs_inode *ip,
-+ struct xfs_ifork *ifp))
- {
- int error; /* error return value */
- int flags; /* logging flags returned */
-@@ -3241,12 +3286,12 @@ xfs_bmap_local_to_extents(
- xfs_buf_t *bp; /* buffer for extent block */
- xfs_bmbt_rec_host_t *ep;/* extent record pointer */
-
-+ ASSERT((ifp->if_flags &
-+ (XFS_IFINLINE|XFS_IFEXTENTS|XFS_IFEXTIREC)) == XFS_IFINLINE);
- memset(&args, 0, sizeof(args));
- args.tp = tp;
- args.mp = ip->i_mount;
- args.firstblock = *firstblock;
-- ASSERT((ifp->if_flags &
-- (XFS_IFINLINE|XFS_IFEXTENTS|XFS_IFEXTIREC)) == XFS_IFINLINE);
- /*
- * Allocate a block. We know we need only one, since the
- * file currently fits in an inode.
-@@ -3262,17 +3307,20 @@ xfs_bmap_local_to_extents(
- args.mod = args.minleft = args.alignment = args.wasdel =
- args.isfl = args.minalignslop = 0;
- args.minlen = args.maxlen = args.prod = 1;
-- if ((error = xfs_alloc_vextent(&args)))
-+ error = xfs_alloc_vextent(&args);
-+ if (error)
- goto done;
-- /*
-- * Can't fail, the space was reserved.
-- */
-+
-+ /* Can't fail, the space was reserved. */
- ASSERT(args.fsbno != NULLFSBLOCK);
- ASSERT(args.len == 1);
- *firstblock = args.fsbno;
- bp = xfs_btree_get_bufl(args.mp, tp, args.fsbno, 0);
-- bp->b_ops = &xfs_bmbt_buf_ops;
-- memcpy(bp->b_addr, ifp->if_u1.if_data, ifp->if_bytes);
-+
-+ /* initialise the block and copy the data */
-+ init_fn(bp, ip, ifp);
-+
-+ /* account for the change in fork size and log everything */
- xfs_trans_log_buf(tp, bp, 0, ifp->if_bytes - 1);
- xfs_bmap_forkoff_reset(args.mp, ip, whichfork);
- xfs_idata_realloc(ip, -ifp->if_bytes, whichfork);
-@@ -4919,8 +4967,32 @@ xfs_bmapi_write(
- XFS_STATS_INC(xs_blk_mapw);
-
- if (XFS_IFORK_FORMAT(ip, whichfork) == XFS_DINODE_FMT_LOCAL) {
-+ /*
-+ * XXX (dgc): This assumes we are only called for inodes that
-+ * contain content neutral data in local format. Anything that
-+ * contains caller-specific data in local format that needs
-+ * transformation to move to a block format needs to do the
-+ * conversion to extent format itself.
-+ *
-+ * Directory data forks and attribute forks handle this
-+ * themselves, but with the addition of metadata verifiers every
-+ * data fork in local format now contains caller specific data
-+ * and as such conversion through this function is likely to be
-+ * broken.
-+ *
-+ * The only likely user of this branch is for remote symlinks,
-+ * but we cannot overwrite the data fork contents of the symlink
-+ * (EEXIST occurs higher up the stack) and so it will never go
-+ * from local format to extent format here. Hence I don't think
-+ * this branch is ever executed intentionally and we should
-+ * consider removing it and asserting that xfs_bmapi_write()
-+ * cannot be called directly on local format forks. i.e. callers
-+ * are completely responsible for local to extent format
-+ * conversion, not xfs_bmapi_write().
-+ */
- error = xfs_bmap_local_to_extents(tp, ip, firstblock, total,
-- &bma.logflags, whichfork);
-+ &bma.logflags, whichfork,
-+ xfs_bmap_local_to_extents_init_fn);
- if (error)
- goto error0;
- }
-diff --git a/include/linux/llist.h b/include/linux/llist.h
-index d0ab98f..a5199f6 100644
---- a/include/linux/llist.h
-+++ b/include/linux/llist.h
-@@ -125,31 +125,6 @@ static inline void init_llist_head(struct llist_head *list)
- (pos) = llist_entry((pos)->member.next, typeof(*(pos)), member))
-
- /**
-- * llist_for_each_entry_safe - iterate safely against remove over some entries
-- * of lock-less list of given type.
-- * @pos: the type * to use as a loop cursor.
-- * @n: another type * to use as a temporary storage.
-- * @node: the fist entry of deleted list entries.
-- * @member: the name of the llist_node with the struct.
-- *
-- * In general, some entries of the lock-less list can be traversed
-- * safely only after being removed from list, so start with an entry
-- * instead of list head. This variant allows removal of entries
-- * as we iterate.
-- *
-- * If being used on entries deleted from lock-less list directly, the
-- * traverse order is from the newest to the oldest added entry. If
-- * you want to traverse from the oldest to the newest, you must
-- * reverse the order by yourself before traversing.
-- */
--#define llist_for_each_entry_safe(pos, n, node, member) \
-- for ((pos) = llist_entry((node), typeof(*(pos)), member), \
-- (n) = (pos)->member.next; \
-- &(pos)->member != NULL; \
-- (pos) = llist_entry(n, typeof(*(pos)), member), \
-- (n) = (&(pos)->member != NULL) ? (pos)->member.next : NULL)
--
--/**
- * llist_empty - tests whether a lock-less list is empty
- * @head: the list to test
- *
-diff --git a/include/linux/pstore.h b/include/linux/pstore.h
-index 1788909..75d0176 100644
---- a/include/linux/pstore.h
-+++ b/include/linux/pstore.h
-@@ -68,12 +68,18 @@ struct pstore_info {
-
- #ifdef CONFIG_PSTORE
- extern int pstore_register(struct pstore_info *);
-+extern bool pstore_cannot_block_path(enum kmsg_dump_reason reason);
- #else
- static inline int
- pstore_register(struct pstore_info *psi)
- {
- return -ENODEV;
- }
-+static inline bool
-+pstore_cannot_block_path(enum kmsg_dump_reason reason)
-+{
-+ return false;
-+}
- #endif
-
- #endif /*_LINUX_PSTORE_H*/
-diff --git a/include/linux/quota.h b/include/linux/quota.h
-index 58fdef12..d133711 100644
---- a/include/linux/quota.h
-+++ b/include/linux/quota.h
-@@ -405,6 +405,7 @@ struct quota_module_name {
- #define INIT_QUOTA_MODULE_NAMES {\
- {QFMT_VFS_OLD, "quota_v1"},\
- {QFMT_VFS_V0, "quota_v2"},\
-+ {QFMT_VFS_V1, "quota_v2"},\
- {0, NULL}}
-
- #endif /* _QUOTA_ */
-diff --git a/kernel/cgroup.c b/kernel/cgroup.c
-index 4855892..1e23664 100644
---- a/kernel/cgroup.c
-+++ b/kernel/cgroup.c
-@@ -426,12 +426,20 @@ static void __put_css_set(struct css_set *cg, int taskexit)
- struct cgroup *cgrp = link->cgrp;
- list_del(&link->cg_link_list);
- list_del(&link->cgrp_link_list);
-+
-+ /*
-+ * We may not be holding cgroup_mutex, and if cgrp->count is
-+ * dropped to 0 the cgroup can be destroyed at any time, hence
-+ * rcu_read_lock is used to keep it alive.
-+ */
-+ rcu_read_lock();
- if (atomic_dec_and_test(&cgrp->count) &&
- notify_on_release(cgrp)) {
- if (taskexit)
- set_bit(CGRP_RELEASABLE, &cgrp->flags);
- check_for_release(cgrp);
- }
-+ rcu_read_unlock();
-
- kfree(link);
- }
-diff --git a/kernel/cpuset.c b/kernel/cpuset.c
-index 7bb63ee..5bb9bf1 100644
---- a/kernel/cpuset.c
-+++ b/kernel/cpuset.c
-@@ -2511,8 +2511,16 @@ void cpuset_print_task_mems_allowed(struct task_struct *tsk)
-
- dentry = task_cs(tsk)->css.cgroup->dentry;
- spin_lock(&cpuset_buffer_lock);
-- snprintf(cpuset_name, CPUSET_NAME_LEN,
-- dentry ? (const char *)dentry->d_name.name : "/");
-+
-+ if (!dentry) {
-+ strcpy(cpuset_name, "/");
-+ } else {
-+ spin_lock(&dentry->d_lock);
-+ strlcpy(cpuset_name, (const char *)dentry->d_name.name,
-+ CPUSET_NAME_LEN);
-+ spin_unlock(&dentry->d_lock);
-+ }
-+
- nodelist_scnprintf(cpuset_nodelist, CPUSET_NODELIST_LEN,
- tsk->mems_allowed);
- printk(KERN_INFO "%s cpuset=%s mems_allowed=%s\n",
-diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
-index 69185ae..e885be1 100644
---- a/kernel/posix-timers.c
-+++ b/kernel/posix-timers.c
-@@ -639,6 +639,13 @@ static struct k_itimer *__lock_timer(timer_t timer_id, unsigned long *flags)
- {
- struct k_itimer *timr;
-
-+ /*
-+ * timer_t could be any type >= int and we want to make sure any
-+ * @timer_id outside positive int range fails lookup.
-+ */
-+ if ((unsigned long long)timer_id > INT_MAX)
-+ return NULL;
-+
- rcu_read_lock();
- timr = idr_find(&posix_timers_id, (int)timer_id);
- if (timr) {
-diff --git a/kernel/sysctl_binary.c b/kernel/sysctl_binary.c
-index 5a63844..0ddf3a0 100644
---- a/kernel/sysctl_binary.c
-+++ b/kernel/sysctl_binary.c
-@@ -1194,9 +1194,10 @@ static ssize_t bin_dn_node_address(struct file *file,
-
- /* Convert the decnet address to binary */
- result = -EIO;
-- nodep = strchr(buf, '.') + 1;
-+ nodep = strchr(buf, '.');
- if (!nodep)
- goto out;
-+ ++nodep;
-
- area = simple_strtoul(buf, NULL, 10);
- node = simple_strtoul(nodep, NULL, 10);
-diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
-index 41473b4..43defd1 100644
---- a/kernel/trace/ftrace.c
-+++ b/kernel/trace/ftrace.c
-@@ -3970,37 +3970,51 @@ static void ftrace_init_module(struct module *mod,
- ftrace_process_locs(mod, start, end);
- }
-
--static int ftrace_module_notify(struct notifier_block *self,
-- unsigned long val, void *data)
-+static int ftrace_module_notify_enter(struct notifier_block *self,
-+ unsigned long val, void *data)
- {
- struct module *mod = data;
-
-- switch (val) {
-- case MODULE_STATE_COMING:
-+ if (val == MODULE_STATE_COMING)
- ftrace_init_module(mod, mod->ftrace_callsites,
- mod->ftrace_callsites +
- mod->num_ftrace_callsites);
-- break;
-- case MODULE_STATE_GOING:
-+ return 0;
-+}
-+
-+static int ftrace_module_notify_exit(struct notifier_block *self,
-+ unsigned long val, void *data)
-+{
-+ struct module *mod = data;
-+
-+ if (val == MODULE_STATE_GOING)
- ftrace_release_mod(mod);
-- break;
-- }
-
- return 0;
- }
- #else
--static int ftrace_module_notify(struct notifier_block *self,
-- unsigned long val, void *data)
-+static int ftrace_module_notify_enter(struct notifier_block *self,
-+ unsigned long val, void *data)
-+{
-+ return 0;
-+}
-+static int ftrace_module_notify_exit(struct notifier_block *self,
-+ unsigned long val, void *data)
- {
- return 0;
- }
- #endif /* CONFIG_MODULES */
-
--struct notifier_block ftrace_module_nb = {
-- .notifier_call = ftrace_module_notify,
-+struct notifier_block ftrace_module_enter_nb = {
-+ .notifier_call = ftrace_module_notify_enter,
- .priority = INT_MAX, /* Run before anything that can use kprobes */
- };
-
-+struct notifier_block ftrace_module_exit_nb = {
-+ .notifier_call = ftrace_module_notify_exit,
-+ .priority = INT_MIN, /* Run after anything that can remove kprobes */
-+};
-+
- extern unsigned long __start_mcount_loc[];
- extern unsigned long __stop_mcount_loc[];
-
-@@ -4032,9 +4046,13 @@ void __init ftrace_init(void)
- __start_mcount_loc,
- __stop_mcount_loc);
-
-- ret = register_module_notifier(&ftrace_module_nb);
-+ ret = register_module_notifier(&ftrace_module_enter_nb);
-+ if (ret)
-+ pr_warning("Failed to register trace ftrace module enter notifier\n");
-+
-+ ret = register_module_notifier(&ftrace_module_exit_nb);
- if (ret)
-- pr_warning("Failed to register trace ftrace module notifier\n");
-+ pr_warning("Failed to register trace ftrace module exit notifier\n");
-
- set_ftrace_early_filters();
-
-diff --git a/kernel/workqueue.c b/kernel/workqueue.c
-index 033ad5b..3a3a98f 100644
---- a/kernel/workqueue.c
-+++ b/kernel/workqueue.c
-@@ -138,6 +138,7 @@ struct worker {
- };
-
- struct work_struct *current_work; /* L: work being processed */
-+ work_func_t current_func; /* L: current_work's fn */
- struct cpu_workqueue_struct *current_cwq; /* L: current_work's cwq */
- struct list_head scheduled; /* L: scheduled works */
- struct task_struct *task; /* I: worker task */
-@@ -910,7 +911,8 @@ static struct worker *__find_worker_executing_work(struct global_cwq *gcwq,
- struct hlist_node *tmp;
-
- hlist_for_each_entry(worker, tmp, bwh, hentry)
-- if (worker->current_work == work)
-+ if (worker->current_work == work &&
-+ worker->current_func == work->func)
- return worker;
- return NULL;
- }
-@@ -920,9 +922,27 @@ static struct worker *__find_worker_executing_work(struct global_cwq *gcwq,
- * @gcwq: gcwq of interest
- * @work: work to find worker for
- *
-- * Find a worker which is executing @work on @gcwq. This function is
-- * identical to __find_worker_executing_work() except that this
-- * function calculates @bwh itself.
-+ * Find a worker which is executing @work on @gcwq by searching
-+ * @gcwq->busy_hash which is keyed by the address of @work. For a worker
-+ * to match, its current execution should match the address of @work and
-+ * its work function. This is to avoid unwanted dependency between
-+ * unrelated work executions through a work item being recycled while still
-+ * being executed.
-+ *
-+ * This is a bit tricky. A work item may be freed once its execution
-+ * starts and nothing prevents the freed area from being recycled for
-+ * another work item. If the same work item address ends up being reused
-+ * before the original execution finishes, workqueue will identify the
-+ * recycled work item as currently executing and make it wait until the
-+ * current execution finishes, introducing an unwanted dependency.
-+ *
-+ * This function checks the work item address, work function and workqueue
-+ * to avoid false positives. Note that this isn't complete as one may
-+ * construct a work function which can introduce dependency onto itself
-+ * through a recycled work item. Well, if somebody wants to shoot oneself
-+ * in the foot that badly, there's only so much we can do, and if such
-+ * deadlock actually occurs, it should be easy to locate the culprit work
-+ * function.
- *
- * CONTEXT:
- * spin_lock_irq(gcwq->lock).
-@@ -2168,7 +2188,6 @@ __acquires(&gcwq->lock)
- struct global_cwq *gcwq = pool->gcwq;
- struct hlist_head *bwh = busy_worker_head(gcwq, work);
- bool cpu_intensive = cwq->wq->flags & WQ_CPU_INTENSIVE;
-- work_func_t f = work->func;
- int work_color;
- struct worker *collision;
- #ifdef CONFIG_LOCKDEP
-@@ -2208,6 +2227,7 @@ __acquires(&gcwq->lock)
- debug_work_deactivate(work);
- hlist_add_head(&worker->hentry, bwh);
- worker->current_work = work;
-+ worker->current_func = work->func;
- worker->current_cwq = cwq;
- work_color = get_work_color(work);
-
-@@ -2240,7 +2260,7 @@ __acquires(&gcwq->lock)
- lock_map_acquire_read(&cwq->wq->lockdep_map);
- lock_map_acquire(&lockdep_map);
- trace_workqueue_execute_start(work);
-- f(work);
-+ worker->current_func(work);
- /*
- * While we must be careful to not use "work" after this, the trace
- * point will only record its address.
-@@ -2252,7 +2272,8 @@ __acquires(&gcwq->lock)
- if (unlikely(in_atomic() || lockdep_depth(current) > 0)) {
- pr_err("BUG: workqueue leaked lock or atomic: %s/0x%08x/%d\n"
- " last function: %pf\n",
-- current->comm, preempt_count(), task_pid_nr(current), f);
-+ current->comm, preempt_count(), task_pid_nr(current),
-+ worker->current_func);
- debug_show_held_locks(current);
- dump_stack();
- }
-@@ -2266,6 +2287,7 @@ __acquires(&gcwq->lock)
- /* we're done with it, release */
- hlist_del_init(&worker->hentry);
- worker->current_work = NULL;
-+ worker->current_func = NULL;
- worker->current_cwq = NULL;
- cwq_dec_nr_in_flight(cwq, work_color);
- }
-diff --git a/lib/idr.c b/lib/idr.c
-index 6482390..ca5aa00 100644
---- a/lib/idr.c
-+++ b/lib/idr.c
-@@ -625,7 +625,14 @@ void *idr_get_next(struct idr *idp, int *nextidp)
- return p;
- }
-
-- id += 1 << n;
-+ /*
-+ * Proceed to the next layer at the current level. Unlike
-+ * idr_for_each(), @id isn't guaranteed to be aligned to
-+ * layer boundary at this point and adding 1 << n may
-+ * incorrectly skip IDs. Make sure we jump to the
-+ * beginning of the next layer using round_up().
-+ */
-+ id = round_up(id + 1, 1 << n);
- while (n < fls(id)) {
- n += IDR_BITS;
- p = *--paa;
-diff --git a/mm/mmap.c b/mm/mmap.c
-index d1e4124..8832b87 100644
---- a/mm/mmap.c
-+++ b/mm/mmap.c
-@@ -2169,9 +2169,28 @@ int expand_downwards(struct vm_area_struct *vma,
- return error;
- }
-
-+/*
-+ * Note how expand_stack() refuses to expand the stack all the way to
-+ * abut the next virtual mapping, *unless* that mapping itself is also
-+ * a stack mapping. We want to leave room for a guard page, after all
-+ * (the guard page itself is not added here, that is done by the
-+ * actual page faulting logic)
-+ *
-+ * This matches the behavior of the guard page logic (see mm/memory.c:
-+ * check_stack_guard_page()), which only allows the guard page to be
-+ * removed under these circumstances.
-+ */
- #ifdef CONFIG_STACK_GROWSUP
- int expand_stack(struct vm_area_struct *vma, unsigned long address)
- {
-+ struct vm_area_struct *next;
-+
-+ address &= PAGE_MASK;
-+ next = vma->vm_next;
-+ if (next && next->vm_start == address + PAGE_SIZE) {
-+ if (!(next->vm_flags & VM_GROWSUP))
-+ return -ENOMEM;
-+ }
- return expand_upwards(vma, address);
- }
-
-@@ -2194,6 +2213,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr)
- #else
- int expand_stack(struct vm_area_struct *vma, unsigned long address)
- {
-+ struct vm_area_struct *prev;
-+
-+ address &= PAGE_MASK;
-+ prev = vma->vm_prev;
-+ if (prev && prev->vm_end == address) {
-+ if (!(prev->vm_flags & VM_GROWSDOWN))
-+ return -ENOMEM;
-+ }
- return expand_downwards(vma, address);
- }
-
-diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
-index dbf12ac..2d34b6b 100644
---- a/net/sunrpc/svc.c
-+++ b/net/sunrpc/svc.c
-@@ -515,15 +515,6 @@ EXPORT_SYMBOL_GPL(svc_create_pooled);
-
- void svc_shutdown_net(struct svc_serv *serv, struct net *net)
- {
-- /*
-- * The set of xprts (contained in the sv_tempsocks and
-- * sv_permsocks lists) is now constant, since it is modified
-- * only by accepting new sockets (done by service threads in
-- * svc_recv) or aging old ones (done by sv_temptimer), or
-- * configuration changes (excluded by whatever locking the
-- * caller is using--nfsd_mutex in the case of nfsd). So it's
-- * safe to traverse those lists and shut everything down:
-- */
- svc_close_net(serv, net);
-
- if (serv->sv_shutdown)
-diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
-index b8e47fa..ca71056 100644
---- a/net/sunrpc/svc_xprt.c
-+++ b/net/sunrpc/svc_xprt.c
-@@ -856,7 +856,6 @@ static void svc_age_temp_xprts(unsigned long closure)
- struct svc_serv *serv = (struct svc_serv *)closure;
- struct svc_xprt *xprt;
- struct list_head *le, *next;
-- LIST_HEAD(to_be_aged);
-
- dprintk("svc_age_temp_xprts\n");
-
-@@ -877,25 +876,15 @@ static void svc_age_temp_xprts(unsigned long closure)
- if (atomic_read(&xprt->xpt_ref.refcount) > 1 ||
- test_bit(XPT_BUSY, &xprt->xpt_flags))
- continue;
-- svc_xprt_get(xprt);
-- list_move(le, &to_be_aged);
-+ list_del_init(le);
- set_bit(XPT_CLOSE, &xprt->xpt_flags);
- set_bit(XPT_DETACHED, &xprt->xpt_flags);
-- }
-- spin_unlock_bh(&serv->sv_lock);
--
-- while (!list_empty(&to_be_aged)) {
-- le = to_be_aged.next;
-- /* fiddling the xpt_list node is safe 'cos we're XPT_DETACHED */
-- list_del_init(le);
-- xprt = list_entry(le, struct svc_xprt, xpt_list);
--
- dprintk("queuing xprt %p for closing\n", xprt);
-
- /* a thread will dequeue and close it soon */
- svc_xprt_enqueue(xprt);
-- svc_xprt_put(xprt);
- }
-+ spin_unlock_bh(&serv->sv_lock);
-
- mod_timer(&serv->sv_temptimer, jiffies + svc_conn_age_period * HZ);
- }
-@@ -959,21 +948,24 @@ void svc_close_xprt(struct svc_xprt *xprt)
- }
- EXPORT_SYMBOL_GPL(svc_close_xprt);
-
--static void svc_close_list(struct svc_serv *serv, struct list_head *xprt_list, struct net *net)
-+static int svc_close_list(struct svc_serv *serv, struct list_head *xprt_list, struct net *net)
- {
- struct svc_xprt *xprt;
-+ int ret = 0;
-
- spin_lock(&serv->sv_lock);
- list_for_each_entry(xprt, xprt_list, xpt_list) {
- if (xprt->xpt_net != net)
- continue;
-+ ret++;
- set_bit(XPT_CLOSE, &xprt->xpt_flags);
-- set_bit(XPT_BUSY, &xprt->xpt_flags);
-+ svc_xprt_enqueue(xprt);
- }
- spin_unlock(&serv->sv_lock);
-+ return ret;
- }
-
--static void svc_clear_pools(struct svc_serv *serv, struct net *net)
-+static struct svc_xprt *svc_dequeue_net(struct svc_serv *serv, struct net *net)
- {
- struct svc_pool *pool;
- struct svc_xprt *xprt;
-@@ -988,42 +980,46 @@ static void svc_clear_pools(struct svc_serv *serv, struct net *net)
- if (xprt->xpt_net != net)
- continue;
- list_del_init(&xprt->xpt_ready);
-+ spin_unlock_bh(&pool->sp_lock);
-+ return xprt;
- }
- spin_unlock_bh(&pool->sp_lock);
- }
-+ return NULL;
- }
-
--static void svc_clear_list(struct svc_serv *serv, struct list_head *xprt_list, struct net *net)
-+static void svc_clean_up_xprts(struct svc_serv *serv, struct net *net)
- {
- struct svc_xprt *xprt;
-- struct svc_xprt *tmp;
-- LIST_HEAD(victims);
--
-- spin_lock(&serv->sv_lock);
-- list_for_each_entry_safe(xprt, tmp, xprt_list, xpt_list) {
-- if (xprt->xpt_net != net)
-- continue;
-- list_move(&xprt->xpt_list, &victims);
-- }
-- spin_unlock(&serv->sv_lock);
-
-- list_for_each_entry_safe(xprt, tmp, &victims, xpt_list)
-+ while ((xprt = svc_dequeue_net(serv, net))) {
-+ set_bit(XPT_CLOSE, &xprt->xpt_flags);
- svc_delete_xprt(xprt);
-+ }
- }
-
-+/*
-+ * Server threads may still be running (especially in the case where the
-+ * service is still running in other network namespaces).
-+ *
-+ * So we shut down sockets the same way we would on a running server, by
-+ * setting XPT_CLOSE, enqueuing, and letting a thread pick it up to do
-+ * the close. In the case there are no such other threads,
-+ * threads running, svc_clean_up_xprts() does a simple version of a
-+ * server's main event loop, and in the case where there are other
-+ * threads, we may need to wait a little while and then check again to
-+ * see if they're done.
-+ */
- void svc_close_net(struct svc_serv *serv, struct net *net)
- {
-- svc_close_list(serv, &serv->sv_tempsocks, net);
-- svc_close_list(serv, &serv->sv_permsocks, net);
-+ int delay = 0;
-
-- svc_clear_pools(serv, net);
-- /*
-- * At this point the sp_sockets lists will stay empty, since
-- * svc_xprt_enqueue will not add new entries without taking the
-- * sp_lock and checking XPT_BUSY.
-- */
-- svc_clear_list(serv, &serv->sv_tempsocks, net);
-- svc_clear_list(serv, &serv->sv_permsocks, net);
-+ while (svc_close_list(serv, &serv->sv_permsocks, net) +
-+ svc_close_list(serv, &serv->sv_tempsocks, net)) {
-+
-+ svc_clean_up_xprts(serv, net);
-+ msleep(delay++);
-+ }
- }
-
- /*
-diff --git a/sound/pci/bt87x.c b/sound/pci/bt87x.c
-index cdd100d..9febe55 100644
---- a/sound/pci/bt87x.c
-+++ b/sound/pci/bt87x.c
-@@ -836,6 +836,8 @@ static struct {
- {0x7063, 0x2000}, /* pcHDTV HD-2000 TV */
- };
-
-+static struct pci_driver driver;
-+
- /* return the id of the card, or a negative value if it's blacklisted */
- static int snd_bt87x_detect_card(struct pci_dev *pci)
- {
-@@ -962,11 +964,24 @@ static DEFINE_PCI_DEVICE_TABLE(snd_bt87x_default_ids) = {
- { }
- };
-
--static struct pci_driver bt87x_driver = {
-+static struct pci_driver driver = {
- .name = KBUILD_MODNAME,
- .id_table = snd_bt87x_ids,
- .probe = snd_bt87x_probe,
- .remove = snd_bt87x_remove,
- };
-
--module_pci_driver(bt87x_driver);
-+static int __init alsa_card_bt87x_init(void)
-+{
-+ if (load_all)
-+ driver.id_table = snd_bt87x_default_ids;
-+ return pci_register_driver(&driver);
-+}
-+
-+static void __exit alsa_card_bt87x_exit(void)
-+{
-+ pci_unregister_driver(&driver);
-+}
-+
-+module_init(alsa_card_bt87x_init)
-+module_exit(alsa_card_bt87x_exit)
-diff --git a/sound/pci/emu10k1/emu10k1_main.c b/sound/pci/emu10k1/emu10k1_main.c
-index a7c296a..e6b0166 100644
---- a/sound/pci/emu10k1/emu10k1_main.c
-+++ b/sound/pci/emu10k1/emu10k1_main.c
-@@ -862,6 +862,12 @@ static int snd_emu10k1_emu1010_init(struct snd_emu10k1 *emu)
- filename, emu->firmware->size);
- }
-
-+ err = snd_emu1010_load_firmware(emu);
-+ if (err != 0) {
-+ snd_printk(KERN_INFO "emu1010: Loading Firmware failed\n");
-+ return err;
-+ }
-+
- /* ID, should read & 0x7f = 0x55 when FPGA programmed. */
- snd_emu1010_fpga_read(emu, EMU_HANA_ID, &reg);
- if ((reg & 0x3f) != 0x15) {
-diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
-index b14813d..c690b2a 100644
---- a/sound/pci/hda/patch_hdmi.c
-+++ b/sound/pci/hda/patch_hdmi.c
-@@ -1573,6 +1573,9 @@ static int generic_hdmi_build_jack(struct hda_codec *codec, int pin_idx)
-
- if (pcmdev > 0)
- sprintf(hdmi_str + strlen(hdmi_str), ",pcm=%d", pcmdev);
-+ if (!is_jack_detectable(codec, per_pin->pin_nid))
-+ strncat(hdmi_str, " Phantom",
-+ sizeof(hdmi_str) - strlen(hdmi_str) - 1);
-
- return snd_hda_jack_add_kctl(codec, per_pin->pin_nid, hdmi_str, 0);
- }
diff --git a/3.8.3/1002_linux-3.8.3.patch b/3.8.3/1002_linux-3.8.3.patch
deleted file mode 100644
index 6b6c562..0000000
--- a/3.8.3/1002_linux-3.8.3.patch
+++ /dev/null
@@ -1,4814 +0,0 @@
-diff --git a/Makefile b/Makefile
-index 20d5318..8c49fc9b 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 3
- PATCHLEVEL = 8
--SUBLEVEL = 2
-+SUBLEVEL = 3
- EXTRAVERSION =
- NAME = Unicycling Gorilla
-
-diff --git a/arch/arm/boot/dts/kirkwood-dns320.dts b/arch/arm/boot/dts/kirkwood-dns320.dts
-index 5bb0bf3..c9c44b2 100644
---- a/arch/arm/boot/dts/kirkwood-dns320.dts
-+++ b/arch/arm/boot/dts/kirkwood-dns320.dts
-@@ -42,12 +42,10 @@
-
- ocp@f1000000 {
- serial@12000 {
-- clock-frequency = <166666667>;
- status = "okay";
- };
-
- serial@12100 {
-- clock-frequency = <166666667>;
- status = "okay";
- };
- };
-diff --git a/arch/arm/boot/dts/kirkwood-dns325.dts b/arch/arm/boot/dts/kirkwood-dns325.dts
-index d430713..e4e4930 100644
---- a/arch/arm/boot/dts/kirkwood-dns325.dts
-+++ b/arch/arm/boot/dts/kirkwood-dns325.dts
-@@ -50,7 +50,6 @@
- };
- };
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "okay";
- };
- };
-diff --git a/arch/arm/boot/dts/kirkwood-dockstar.dts b/arch/arm/boot/dts/kirkwood-dockstar.dts
-index 2e3dd34..0196cf6 100644
---- a/arch/arm/boot/dts/kirkwood-dockstar.dts
-+++ b/arch/arm/boot/dts/kirkwood-dockstar.dts
-@@ -37,7 +37,6 @@
- };
- };
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-dreamplug.dts b/arch/arm/boot/dts/kirkwood-dreamplug.dts
-index f2d386c..e21ae48 100644
---- a/arch/arm/boot/dts/kirkwood-dreamplug.dts
-+++ b/arch/arm/boot/dts/kirkwood-dreamplug.dts
-@@ -38,7 +38,6 @@
- };
- };
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-goflexnet.dts b/arch/arm/boot/dts/kirkwood-goflexnet.dts
-index 1b133e0..bd83b8f 100644
---- a/arch/arm/boot/dts/kirkwood-goflexnet.dts
-+++ b/arch/arm/boot/dts/kirkwood-goflexnet.dts
-@@ -73,7 +73,6 @@
- };
- };
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-ib62x0.dts b/arch/arm/boot/dts/kirkwood-ib62x0.dts
-index 71902da..5335b1a 100644
---- a/arch/arm/boot/dts/kirkwood-ib62x0.dts
-+++ b/arch/arm/boot/dts/kirkwood-ib62x0.dts
-@@ -51,7 +51,6 @@
- };
- };
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "okay";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-iconnect.dts b/arch/arm/boot/dts/kirkwood-iconnect.dts
-index 504f16b..12ccf74 100644
---- a/arch/arm/boot/dts/kirkwood-iconnect.dts
-+++ b/arch/arm/boot/dts/kirkwood-iconnect.dts
-@@ -78,7 +78,6 @@
- };
- };
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-iomega_ix2_200.dts b/arch/arm/boot/dts/kirkwood-iomega_ix2_200.dts
-index 6cae459..93c3afb 100644
---- a/arch/arm/boot/dts/kirkwood-iomega_ix2_200.dts
-+++ b/arch/arm/boot/dts/kirkwood-iomega_ix2_200.dts
-@@ -115,7 +115,6 @@
- };
-
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-km_kirkwood.dts b/arch/arm/boot/dts/kirkwood-km_kirkwood.dts
-index 8db3123..5bbd054 100644
---- a/arch/arm/boot/dts/kirkwood-km_kirkwood.dts
-+++ b/arch/arm/boot/dts/kirkwood-km_kirkwood.dts
-@@ -34,7 +34,6 @@
- };
-
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-lschlv2.dts b/arch/arm/boot/dts/kirkwood-lschlv2.dts
-index 9510c9e..9f55d95 100644
---- a/arch/arm/boot/dts/kirkwood-lschlv2.dts
-+++ b/arch/arm/boot/dts/kirkwood-lschlv2.dts
-@@ -13,7 +13,6 @@
-
- ocp@f1000000 {
- serial@12000 {
-- clock-frequency = <166666667>;
- status = "okay";
- };
- };
-diff --git a/arch/arm/boot/dts/kirkwood-lsxhl.dts b/arch/arm/boot/dts/kirkwood-lsxhl.dts
-index 739019c..5c84c11 100644
---- a/arch/arm/boot/dts/kirkwood-lsxhl.dts
-+++ b/arch/arm/boot/dts/kirkwood-lsxhl.dts
-@@ -13,7 +13,6 @@
-
- ocp@f1000000 {
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "okay";
- };
- };
-diff --git a/arch/arm/boot/dts/kirkwood-mplcec4.dts b/arch/arm/boot/dts/kirkwood-mplcec4.dts
-index 262c654..07be213 100644
---- a/arch/arm/boot/dts/kirkwood-mplcec4.dts
-+++ b/arch/arm/boot/dts/kirkwood-mplcec4.dts
-@@ -91,7 +91,6 @@
- };
-
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-ns2-common.dtsi b/arch/arm/boot/dts/kirkwood-ns2-common.dtsi
-index 77d21ab..f0245c1 100644
---- a/arch/arm/boot/dts/kirkwood-ns2-common.dtsi
-+++ b/arch/arm/boot/dts/kirkwood-ns2-common.dtsi
-@@ -23,7 +23,6 @@
- };
-
- serial@12000 {
-- clock-frequency = <166666667>;
- status = "okay";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-nsa310.dts b/arch/arm/boot/dts/kirkwood-nsa310.dts
-index 5509f96..28d05e4 100644
---- a/arch/arm/boot/dts/kirkwood-nsa310.dts
-+++ b/arch/arm/boot/dts/kirkwood-nsa310.dts
-@@ -18,7 +18,6 @@
- ocp@f1000000 {
-
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-openblocks_a6.dts b/arch/arm/boot/dts/kirkwood-openblocks_a6.dts
-index 49d3d74..f3cc7c4 100644
---- a/arch/arm/boot/dts/kirkwood-openblocks_a6.dts
-+++ b/arch/arm/boot/dts/kirkwood-openblocks_a6.dts
-@@ -18,12 +18,10 @@
-
- ocp@f1000000 {
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
- serial@12100 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood-topkick.dts b/arch/arm/boot/dts/kirkwood-topkick.dts
-index cd15452..7dd19ff 100644
---- a/arch/arm/boot/dts/kirkwood-topkick.dts
-+++ b/arch/arm/boot/dts/kirkwood-topkick.dts
-@@ -17,7 +17,6 @@
-
- ocp@f1000000 {
- serial@12000 {
-- clock-frequency = <200000000>;
- status = "ok";
- };
-
-diff --git a/arch/arm/boot/dts/kirkwood.dtsi b/arch/arm/boot/dts/kirkwood.dtsi
-index d6ab442..ad26d92 100644
---- a/arch/arm/boot/dts/kirkwood.dtsi
-+++ b/arch/arm/boot/dts/kirkwood.dtsi
-@@ -38,6 +38,7 @@
- interrupt-controller;
- #interrupt-cells = <2>;
- interrupts = <35>, <36>, <37>, <38>;
-+ clocks = <&gate_clk 7>;
- };
-
- gpio1: gpio@10140 {
-@@ -49,6 +50,7 @@
- interrupt-controller;
- #interrupt-cells = <2>;
- interrupts = <39>, <40>, <41>;
-+ clocks = <&gate_clk 7>;
- };
-
- serial@12000 {
-@@ -57,7 +59,6 @@
- reg-shift = <2>;
- interrupts = <33>;
- clocks = <&gate_clk 7>;
-- /* set clock-frequency in board dts */
- status = "disabled";
- };
-
-@@ -67,7 +68,6 @@
- reg-shift = <2>;
- interrupts = <34>;
- clocks = <&gate_clk 7>;
-- /* set clock-frequency in board dts */
- status = "disabled";
- };
-
-@@ -75,6 +75,7 @@
- compatible = "marvell,kirkwood-rtc", "marvell,orion-rtc";
- reg = <0x10300 0x20>;
- interrupts = <53>;
-+ clocks = <&gate_clk 7>;
- };
-
- spi@10600 {
-diff --git a/arch/arm/configs/mxs_defconfig b/arch/arm/configs/mxs_defconfig
-index 7bf5351..a55b206 100644
---- a/arch/arm/configs/mxs_defconfig
-+++ b/arch/arm/configs/mxs_defconfig
-@@ -118,6 +118,7 @@ CONFIG_FRAMEBUFFER_CONSOLE=y
- CONFIG_FONTS=y
- CONFIG_LOGO=y
- CONFIG_USB=y
-+CONFIG_USB_EHCI_HCD=y
- CONFIG_USB_CHIPIDEA=y
- CONFIG_USB_CHIPIDEA_HOST=y
- CONFIG_USB_STORAGE=y
-diff --git a/arch/arm/include/asm/delay.h b/arch/arm/include/asm/delay.h
-index ab98fdd..720799f 100644
---- a/arch/arm/include/asm/delay.h
-+++ b/arch/arm/include/asm/delay.h
-@@ -24,6 +24,7 @@ extern struct arm_delay_ops {
- void (*delay)(unsigned long);
- void (*const_udelay)(unsigned long);
- void (*udelay)(unsigned long);
-+ bool const_clock;
- } arm_delay_ops;
-
- #define __delay(n) arm_delay_ops.delay(n)
-diff --git a/arch/arm/include/asm/mmu.h b/arch/arm/include/asm/mmu.h
-index 9f77e78..e3d5554 100644
---- a/arch/arm/include/asm/mmu.h
-+++ b/arch/arm/include/asm/mmu.h
-@@ -5,15 +5,15 @@
-
- typedef struct {
- #ifdef CONFIG_CPU_HAS_ASID
-- u64 id;
-+ atomic64_t id;
- #endif
-- unsigned int vmalloc_seq;
-+ unsigned int vmalloc_seq;
- } mm_context_t;
-
- #ifdef CONFIG_CPU_HAS_ASID
- #define ASID_BITS 8
- #define ASID_MASK ((~0ULL) << ASID_BITS)
--#define ASID(mm) ((mm)->context.id & ~ASID_MASK)
-+#define ASID(mm) ((mm)->context.id.counter & ~ASID_MASK)
- #else
- #define ASID(mm) (0)
- #endif
-@@ -26,7 +26,7 @@ typedef struct {
- * modified for 2.6 by Hyok S. Choi <hyok.choi@samsung.com>
- */
- typedef struct {
-- unsigned long end_brk;
-+ unsigned long end_brk;
- } mm_context_t;
-
- #endif
-diff --git a/arch/arm/include/asm/mmu_context.h b/arch/arm/include/asm/mmu_context.h
-index e1f644b..863a661 100644
---- a/arch/arm/include/asm/mmu_context.h
-+++ b/arch/arm/include/asm/mmu_context.h
-@@ -25,7 +25,7 @@ void __check_vmalloc_seq(struct mm_struct *mm);
- #ifdef CONFIG_CPU_HAS_ASID
-
- void check_and_switch_context(struct mm_struct *mm, struct task_struct *tsk);
--#define init_new_context(tsk,mm) ({ mm->context.id = 0; })
-+#define init_new_context(tsk,mm) ({ atomic64_set(&mm->context.id, 0); 0; })
-
- #else /* !CONFIG_CPU_HAS_ASID */
-
-diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h
-index 9c82f988..c094749 100644
---- a/arch/arm/include/asm/pgtable.h
-+++ b/arch/arm/include/asm/pgtable.h
-@@ -240,7 +240,8 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; }
-
- static inline pte_t pte_modify(pte_t pte, pgprot_t newprot)
- {
-- const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER | L_PTE_NONE;
-+ const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER |
-+ L_PTE_NONE | L_PTE_VALID;
- pte_val(pte) = (pte_val(pte) & ~mask) | (pgprot_val(newprot) & mask);
- return pte;
- }
-diff --git a/arch/arm/kernel/asm-offsets.c b/arch/arm/kernel/asm-offsets.c
-index c985b48..cf10d18 100644
---- a/arch/arm/kernel/asm-offsets.c
-+++ b/arch/arm/kernel/asm-offsets.c
-@@ -107,7 +107,7 @@ int main(void)
- BLANK();
- #endif
- #ifdef CONFIG_CPU_HAS_ASID
-- DEFINE(MM_CONTEXT_ID, offsetof(struct mm_struct, context.id));
-+ DEFINE(MM_CONTEXT_ID, offsetof(struct mm_struct, context.id.counter));
- BLANK();
- #endif
- DEFINE(VMA_VM_MM, offsetof(struct vm_area_struct, vm_mm));
-diff --git a/arch/arm/kernel/head.S b/arch/arm/kernel/head.S
-index 486a15a..e0eb9a1 100644
---- a/arch/arm/kernel/head.S
-+++ b/arch/arm/kernel/head.S
-@@ -184,13 +184,22 @@ __create_page_tables:
- orr r3, r3, #3 @ PGD block type
- mov r6, #4 @ PTRS_PER_PGD
- mov r7, #1 << (55 - 32) @ L_PGD_SWAPPER
--1: str r3, [r0], #4 @ set bottom PGD entry bits
-+1:
-+#ifdef CONFIG_CPU_ENDIAN_BE8
- str r7, [r0], #4 @ set top PGD entry bits
-+ str r3, [r0], #4 @ set bottom PGD entry bits
-+#else
-+ str r3, [r0], #4 @ set bottom PGD entry bits
-+ str r7, [r0], #4 @ set top PGD entry bits
-+#endif
- add r3, r3, #0x1000 @ next PMD table
- subs r6, r6, #1
- bne 1b
-
- add r4, r4, #0x1000 @ point to the PMD tables
-+#ifdef CONFIG_CPU_ENDIAN_BE8
-+ add r4, r4, #4 @ we only write the bottom word
-+#endif
- #endif
-
- ldr r7, [r10, #PROCINFO_MM_MMUFLAGS] @ mm_mmuflags
-@@ -258,6 +267,11 @@ __create_page_tables:
- addne r6, r6, #1 << SECTION_SHIFT
- strne r6, [r3]
-
-+#if defined(CONFIG_LPAE) && defined(CONFIG_CPU_ENDIAN_BE8)
-+ sub r4, r4, #4 @ Fixup page table pointer
-+ @ for 64-bit descriptors
-+#endif
-+
- #ifdef CONFIG_DEBUG_LL
- #if !defined(CONFIG_DEBUG_ICEDCC) && !defined(CONFIG_DEBUG_SEMIHOSTING)
- /*
-@@ -276,13 +290,17 @@ __create_page_tables:
- orr r3, r7, r3, lsl #SECTION_SHIFT
- #ifdef CONFIG_ARM_LPAE
- mov r7, #1 << (54 - 32) @ XN
-+#ifdef CONFIG_CPU_ENDIAN_BE8
-+ str r7, [r0], #4
-+ str r3, [r0], #4
- #else
-- orr r3, r3, #PMD_SECT_XN
--#endif
- str r3, [r0], #4
--#ifdef CONFIG_ARM_LPAE
- str r7, [r0], #4
- #endif
-+#else
-+ orr r3, r3, #PMD_SECT_XN
-+ str r3, [r0], #4
-+#endif
-
- #else /* CONFIG_DEBUG_ICEDCC || CONFIG_DEBUG_SEMIHOSTING */
- /* we don't need any serial debugging mappings */
-diff --git a/arch/arm/kernel/perf_event_v7.c b/arch/arm/kernel/perf_event_v7.c
-index 4fbc757..89ede24 100644
---- a/arch/arm/kernel/perf_event_v7.c
-+++ b/arch/arm/kernel/perf_event_v7.c
-@@ -774,7 +774,7 @@ static const unsigned armv7_a7_perf_cache_map[PERF_COUNT_HW_CACHE_MAX]
- /*
- * PMXEVTYPER: Event selection reg
- */
--#define ARMV7_EVTYPE_MASK 0xc00000ff /* Mask for writable bits */
-+#define ARMV7_EVTYPE_MASK 0xc80000ff /* Mask for writable bits */
- #define ARMV7_EVTYPE_EVENT 0xff /* Mask for EVENT bits */
-
- /*
-diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
-index 84f4cbf..58af91c 100644
---- a/arch/arm/kernel/smp.c
-+++ b/arch/arm/kernel/smp.c
-@@ -693,6 +693,9 @@ static int cpufreq_callback(struct notifier_block *nb,
- if (freq->flags & CPUFREQ_CONST_LOOPS)
- return NOTIFY_OK;
-
-+ if (arm_delay_ops.const_clock)
-+ return NOTIFY_OK;
-+
- if (!per_cpu(l_p_j_ref, cpu)) {
- per_cpu(l_p_j_ref, cpu) =
- per_cpu(cpu_data, cpu).loops_per_jiffy;
-diff --git a/arch/arm/lib/delay.c b/arch/arm/lib/delay.c
-index 0dc5385..6b93f6a 100644
---- a/arch/arm/lib/delay.c
-+++ b/arch/arm/lib/delay.c
-@@ -77,6 +77,7 @@ void __init register_current_timer_delay(const struct delay_timer *timer)
- arm_delay_ops.delay = __timer_delay;
- arm_delay_ops.const_udelay = __timer_const_udelay;
- arm_delay_ops.udelay = __timer_udelay;
-+ arm_delay_ops.const_clock = true;
- delay_calibrated = true;
- } else {
- pr_info("Ignoring duplicate/late registration of read_current_timer delay\n");
-diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c
-index b820eda..db26e2e 100644
---- a/arch/arm/mm/alignment.c
-+++ b/arch/arm/mm/alignment.c
-@@ -749,7 +749,6 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
- unsigned long instr = 0, instrptr;
- int (*handler)(unsigned long addr, unsigned long instr, struct pt_regs *regs);
- unsigned int type;
-- mm_segment_t fs;
- unsigned int fault;
- u16 tinstr = 0;
- int isize = 4;
-@@ -760,16 +759,15 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
-
- instrptr = instruction_pointer(regs);
-
-- fs = get_fs();
-- set_fs(KERNEL_DS);
- if (thumb_mode(regs)) {
-- fault = __get_user(tinstr, (u16 *)(instrptr & ~1));
-+ u16 *ptr = (u16 *)(instrptr & ~1);
-+ fault = probe_kernel_address(ptr, tinstr);
- if (!fault) {
- if (cpu_architecture() >= CPU_ARCH_ARMv7 &&
- IS_T32(tinstr)) {
- /* Thumb-2 32-bit */
- u16 tinst2 = 0;
-- fault = __get_user(tinst2, (u16 *)(instrptr+2));
-+ fault = probe_kernel_address(ptr + 1, tinst2);
- instr = (tinstr << 16) | tinst2;
- thumb2_32b = 1;
- } else {
-@@ -778,8 +776,7 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
- }
- }
- } else
-- fault = __get_user(instr, (u32 *)instrptr);
-- set_fs(fs);
-+ fault = probe_kernel_address(instrptr, instr);
-
- if (fault) {
- type = TYPE_FAULT;
-diff --git a/arch/arm/mm/context.c b/arch/arm/mm/context.c
-index bc4a5e9..d07df17 100644
---- a/arch/arm/mm/context.c
-+++ b/arch/arm/mm/context.c
-@@ -149,9 +149,9 @@ static int is_reserved_asid(u64 asid)
- return 0;
- }
-
--static void new_context(struct mm_struct *mm, unsigned int cpu)
-+static u64 new_context(struct mm_struct *mm, unsigned int cpu)
- {
-- u64 asid = mm->context.id;
-+ u64 asid = atomic64_read(&mm->context.id);
- u64 generation = atomic64_read(&asid_generation);
-
- if (asid != 0 && is_reserved_asid(asid)) {
-@@ -178,13 +178,14 @@ static void new_context(struct mm_struct *mm, unsigned int cpu)
- cpumask_clear(mm_cpumask(mm));
- }
-
-- mm->context.id = asid;
-+ return asid;
- }
-
- void check_and_switch_context(struct mm_struct *mm, struct task_struct *tsk)
- {
- unsigned long flags;
- unsigned int cpu = smp_processor_id();
-+ u64 asid;
-
- if (unlikely(mm->context.vmalloc_seq != init_mm.context.vmalloc_seq))
- __check_vmalloc_seq(mm);
-@@ -195,20 +196,24 @@ void check_and_switch_context(struct mm_struct *mm, struct task_struct *tsk)
- */
- cpu_set_reserved_ttbr0();
-
-- if (!((mm->context.id ^ atomic64_read(&asid_generation)) >> ASID_BITS)
-- && atomic64_xchg(&per_cpu(active_asids, cpu), mm->context.id))
-+ asid = atomic64_read(&mm->context.id);
-+ if (!((asid ^ atomic64_read(&asid_generation)) >> ASID_BITS)
-+ && atomic64_xchg(&per_cpu(active_asids, cpu), asid))
- goto switch_mm_fastpath;
-
- raw_spin_lock_irqsave(&cpu_asid_lock, flags);
- /* Check that our ASID belongs to the current generation. */
-- if ((mm->context.id ^ atomic64_read(&asid_generation)) >> ASID_BITS)
-- new_context(mm, cpu);
--
-- atomic64_set(&per_cpu(active_asids, cpu), mm->context.id);
-- cpumask_set_cpu(cpu, mm_cpumask(mm));
-+ asid = atomic64_read(&mm->context.id);
-+ if ((asid ^ atomic64_read(&asid_generation)) >> ASID_BITS) {
-+ asid = new_context(mm, cpu);
-+ atomic64_set(&mm->context.id, asid);
-+ }
-
- if (cpumask_test_and_clear_cpu(cpu, &tlb_flush_pending))
- local_flush_tlb_all();
-+
-+ atomic64_set(&per_cpu(active_asids, cpu), asid);
-+ cpumask_set_cpu(cpu, mm_cpumask(mm));
- raw_spin_unlock_irqrestore(&cpu_asid_lock, flags);
-
- switch_mm_fastpath:
-diff --git a/arch/arm/vfp/vfpmodule.c b/arch/arm/vfp/vfpmodule.c
-index 3b44e0d..5dfbb0b 100644
---- a/arch/arm/vfp/vfpmodule.c
-+++ b/arch/arm/vfp/vfpmodule.c
-@@ -413,7 +413,7 @@ void VFP_bounce(u32 trigger, u32 fpexc, struct pt_regs *regs)
- * If there isn't a second FP instruction, exit now. Note that
- * the FPEXC.FP2V bit is valid only if FPEXC.EX is 1.
- */
-- if (fpexc ^ (FPEXC_EX | FPEXC_FP2V))
-+ if ((fpexc & (FPEXC_EX | FPEXC_FP2V)) != (FPEXC_EX | FPEXC_FP2V))
- goto exit;
-
- /*
-diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c
-index 6da881b..8d97eb4 100644
---- a/arch/powerpc/kernel/setup_64.c
-+++ b/arch/powerpc/kernel/setup_64.c
-@@ -156,6 +156,15 @@ early_param("smt-enabled", early_smt_enabled);
- #define check_smt_enabled()
- #endif /* CONFIG_SMP */
-
-+/** Fix up paca fields required for the boot cpu */
-+static void fixup_boot_paca(void)
-+{
-+ /* The boot cpu is started */
-+ get_paca()->cpu_start = 1;
-+ /* Allow percpu accesses to work until we setup percpu data */
-+ get_paca()->data_offset = 0;
-+}
-+
- /*
- * Early initialization entry point. This is called by head.S
- * with MMU translation disabled. We rely on the "feature" of
-@@ -185,6 +194,7 @@ void __init early_setup(unsigned long dt_ptr)
- /* Assume we're on cpu 0 for now. Don't write to the paca yet! */
- initialise_paca(&boot_paca, 0);
- setup_paca(&boot_paca);
-+ fixup_boot_paca();
-
- /* Initialize lockdep early or else spinlocks will blow */
- lockdep_init();
-@@ -205,11 +215,7 @@ void __init early_setup(unsigned long dt_ptr)
-
- /* Now we know the logical id of our boot cpu, setup the paca. */
- setup_paca(&paca[boot_cpuid]);
--
-- /* Fix up paca fields required for the boot cpu */
-- get_paca()->cpu_start = 1;
-- /* Allow percpu accesses to "work" until we setup percpu data */
-- get_paca()->data_offset = 0;
-+ fixup_boot_paca();
-
- /* Probe the machine type */
- probe_machine();
-diff --git a/arch/tile/include/asm/compat.h b/arch/tile/include/asm/compat.h
-index 88f3c22..59e3574 100644
---- a/arch/tile/include/asm/compat.h
-+++ b/arch/tile/include/asm/compat.h
-@@ -296,6 +296,9 @@ long compat_sys_sync_file_range2(int fd, unsigned int flags,
- long compat_sys_fallocate(int fd, int mode,
- u32 offset_lo, u32 offset_hi,
- u32 len_lo, u32 len_hi);
-+long compat_sys_llseek(unsigned int fd, unsigned int offset_high,
-+ unsigned int offset_low, loff_t __user * result,
-+ unsigned int origin);
-
- /* Assembly trampoline to avoid clobbering r0. */
- long _compat_sys_rt_sigreturn(void);
-diff --git a/arch/tile/kernel/compat.c b/arch/tile/kernel/compat.c
-index 7f72401..d8e3b7e 100644
---- a/arch/tile/kernel/compat.c
-+++ b/arch/tile/kernel/compat.c
-@@ -76,6 +76,18 @@ long compat_sys_fallocate(int fd, int mode,
- ((loff_t)len_hi << 32) | len_lo);
- }
-
-+/*
-+ * Avoid bug in generic sys_llseek() that specifies offset_high and
-+ * offset_low as "unsigned long", thus making it possible to pass
-+ * a sign-extended high 32 bits in offset_low.
-+ */
-+long compat_sys_llseek(unsigned int fd, unsigned int offset_high,
-+ unsigned int offset_low, loff_t __user * result,
-+ unsigned int origin)
-+{
-+ return sys_llseek(fd, offset_high, offset_low, result, origin);
-+}
-+
- /* Provide the compat syscall number to call mapping. */
- #undef __SYSCALL
- #define __SYSCALL(nr, call) [nr] = (call),
-@@ -83,6 +95,7 @@ long compat_sys_fallocate(int fd, int mode,
- /* See comments in sys.c */
- #define compat_sys_fadvise64_64 sys32_fadvise64_64
- #define compat_sys_readahead sys32_readahead
-+#define sys_llseek compat_sys_llseek
-
- /* Call the assembly trampolines where necessary. */
- #define compat_sys_rt_sigreturn _compat_sys_rt_sigreturn
-diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c
-index 220a360..5bedbdd 100644
---- a/arch/x86/kernel/kvmclock.c
-+++ b/arch/x86/kernel/kvmclock.c
-@@ -218,6 +218,9 @@ static void kvm_shutdown(void)
- void __init kvmclock_init(void)
- {
- unsigned long mem;
-+ int size;
-+
-+ size = PAGE_ALIGN(sizeof(struct pvclock_vsyscall_time_info)*NR_CPUS);
-
- if (!kvm_para_available())
- return;
-@@ -231,16 +234,14 @@ void __init kvmclock_init(void)
- printk(KERN_INFO "kvm-clock: Using msrs %x and %x",
- msr_kvm_system_time, msr_kvm_wall_clock);
-
-- mem = memblock_alloc(sizeof(struct pvclock_vsyscall_time_info)*NR_CPUS,
-- PAGE_SIZE);
-+ mem = memblock_alloc(size, PAGE_SIZE);
- if (!mem)
- return;
- hv_clock = __va(mem);
-
- if (kvm_register_clock("boot clock")) {
- hv_clock = NULL;
-- memblock_free(mem,
-- sizeof(struct pvclock_vsyscall_time_info)*NR_CPUS);
-+ memblock_free(mem, size);
- return;
- }
- pv_time_ops.sched_clock = kvm_clock_read;
-@@ -275,7 +276,7 @@ int __init kvm_setup_vsyscall_timeinfo(void)
- struct pvclock_vcpu_time_info *vcpu_time;
- unsigned int size;
-
-- size = sizeof(struct pvclock_vsyscall_time_info)*NR_CPUS;
-+ size = PAGE_ALIGN(sizeof(struct pvclock_vsyscall_time_info)*NR_CPUS);
-
- preempt_disable();
- cpu = smp_processor_id();
-diff --git a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c
-index 85c3959..2cb9470 100644
---- a/arch/x86/kernel/pvclock.c
-+++ b/arch/x86/kernel/pvclock.c
-@@ -185,7 +185,7 @@ int __init pvclock_init_vsyscall(struct pvclock_vsyscall_time_info *i,
-
- for (idx = 0; idx <= (PVCLOCK_FIXMAP_END-PVCLOCK_FIXMAP_BEGIN); idx++) {
- __set_fixmap(PVCLOCK_FIXMAP_BEGIN + idx,
-- __pa_symbol(i) + (idx*PAGE_SIZE),
-+ __pa(i) + (idx*PAGE_SIZE),
- PAGE_KERNEL_VVAR);
- }
-
-diff --git a/arch/x86/pci/xen.c b/arch/x86/pci/xen.c
-index 56ab749..94e7662 100644
---- a/arch/x86/pci/xen.c
-+++ b/arch/x86/pci/xen.c
-@@ -162,6 +162,9 @@ static int xen_setup_msi_irqs(struct pci_dev *dev, int nvec, int type)
- struct msi_desc *msidesc;
- int *v;
-
-+ if (type == PCI_CAP_ID_MSI && nvec > 1)
-+ return 1;
-+
- v = kzalloc(sizeof(int) * max(1, nvec), GFP_KERNEL);
- if (!v)
- return -ENOMEM;
-@@ -220,6 +223,9 @@ static int xen_hvm_setup_msi_irqs(struct pci_dev *dev, int nvec, int type)
- struct msi_desc *msidesc;
- struct msi_msg msg;
-
-+ if (type == PCI_CAP_ID_MSI && nvec > 1)
-+ return 1;
-+
- list_for_each_entry(msidesc, &dev->msi_list, list) {
- __read_msi_msg(msidesc, &msg);
- pirq = MSI_ADDR_EXT_DEST_ID(msg.address_hi) |
-@@ -263,6 +269,9 @@ static int xen_initdom_setup_msi_irqs(struct pci_dev *dev, int nvec, int type)
- int ret = 0;
- struct msi_desc *msidesc;
-
-+ if (type == PCI_CAP_ID_MSI && nvec > 1)
-+ return 1;
-+
- list_for_each_entry(msidesc, &dev->msi_list, list) {
- struct physdev_map_pirq map_irq;
- domid_t domid;
-diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index e014092..2262003 100644
---- a/arch/x86/xen/enlighten.c
-+++ b/arch/x86/xen/enlighten.c
-@@ -67,6 +67,7 @@
- #include <asm/hypervisor.h>
- #include <asm/mwait.h>
- #include <asm/pci_x86.h>
-+#include <asm/pat.h>
-
- #ifdef CONFIG_ACPI
- #include <linux/acpi.h>
-@@ -1417,7 +1418,14 @@ asmlinkage void __init xen_start_kernel(void)
- */
- acpi_numa = -1;
- #endif
--
-+#ifdef CONFIG_X86_PAT
-+ /*
-+ * For right now disable the PAT. We should remove this once
-+ * git commit 8eaffa67b43e99ae581622c5133e20b0f48bcef1
-+ * (xen/pat: Disable PAT support for now) is reverted.
-+ */
-+ pat_enabled = 0;
-+#endif
- /* Don't do the full vcpu_info placement stuff until we have a
- possible map and a non-dummy shared_info. */
- per_cpu(xen_vcpu, 0) = &HYPERVISOR_shared_info->vcpu_info[0];
-diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c
-index 533de95..7d4a8d2 100644
---- a/crypto/ablkcipher.c
-+++ b/crypto/ablkcipher.c
-@@ -388,9 +388,9 @@ static int crypto_ablkcipher_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_blkcipher rblkcipher;
-
-- snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "ablkcipher");
-- snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s",
-- alg->cra_ablkcipher.geniv ?: "<default>");
-+ strncpy(rblkcipher.type, "ablkcipher", sizeof(rblkcipher.type));
-+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<default>",
-+ sizeof(rblkcipher.geniv));
-
- rblkcipher.blocksize = alg->cra_blocksize;
- rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize;
-@@ -469,9 +469,9 @@ static int crypto_givcipher_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_blkcipher rblkcipher;
-
-- snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "givcipher");
-- snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s",
-- alg->cra_ablkcipher.geniv ?: "<built-in>");
-+ strncpy(rblkcipher.type, "givcipher", sizeof(rblkcipher.type));
-+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<built-in>",
-+ sizeof(rblkcipher.geniv));
-
- rblkcipher.blocksize = alg->cra_blocksize;
- rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize;
-diff --git a/crypto/aead.c b/crypto/aead.c
-index 0b8121e..27bc487 100644
---- a/crypto/aead.c
-+++ b/crypto/aead.c
-@@ -117,9 +117,8 @@ static int crypto_aead_report(struct sk_buff *skb, struct crypto_alg *alg)
- struct crypto_report_aead raead;
- struct aead_alg *aead = &alg->cra_aead;
-
-- snprintf(raead.type, CRYPTO_MAX_ALG_NAME, "%s", "aead");
-- snprintf(raead.geniv, CRYPTO_MAX_ALG_NAME, "%s",
-- aead->geniv ?: "<built-in>");
-+ strncpy(raead.type, "aead", sizeof(raead.type));
-+ strncpy(raead.geniv, aead->geniv ?: "<built-in>", sizeof(raead.geniv));
-
- raead.blocksize = alg->cra_blocksize;
- raead.maxauthsize = aead->maxauthsize;
-@@ -203,8 +202,8 @@ static int crypto_nivaead_report(struct sk_buff *skb, struct crypto_alg *alg)
- struct crypto_report_aead raead;
- struct aead_alg *aead = &alg->cra_aead;
-
-- snprintf(raead.type, CRYPTO_MAX_ALG_NAME, "%s", "nivaead");
-- snprintf(raead.geniv, CRYPTO_MAX_ALG_NAME, "%s", aead->geniv);
-+ strncpy(raead.type, "nivaead", sizeof(raead.type));
-+ strncpy(raead.geniv, aead->geniv, sizeof(raead.geniv));
-
- raead.blocksize = alg->cra_blocksize;
- raead.maxauthsize = aead->maxauthsize;
-diff --git a/crypto/ahash.c b/crypto/ahash.c
-index 3887856..793a27f 100644
---- a/crypto/ahash.c
-+++ b/crypto/ahash.c
-@@ -404,7 +404,7 @@ static int crypto_ahash_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_hash rhash;
-
-- snprintf(rhash.type, CRYPTO_MAX_ALG_NAME, "%s", "ahash");
-+ strncpy(rhash.type, "ahash", sizeof(rhash.type));
-
- rhash.blocksize = alg->cra_blocksize;
- rhash.digestsize = __crypto_hash_alg_common(alg)->digestsize;
-diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c
-index a8d85a1..c44e014 100644
---- a/crypto/blkcipher.c
-+++ b/crypto/blkcipher.c
-@@ -499,9 +499,9 @@ static int crypto_blkcipher_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_blkcipher rblkcipher;
-
-- snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "blkcipher");
-- snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s",
-- alg->cra_blkcipher.geniv ?: "<default>");
-+ strncpy(rblkcipher.type, "blkcipher", sizeof(rblkcipher.type));
-+ strncpy(rblkcipher.geniv, alg->cra_blkcipher.geniv ?: "<default>",
-+ sizeof(rblkcipher.geniv));
-
- rblkcipher.blocksize = alg->cra_blocksize;
- rblkcipher.min_keysize = alg->cra_blkcipher.min_keysize;
-diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
-index 35d700a..f6d9baf 100644
---- a/crypto/crypto_user.c
-+++ b/crypto/crypto_user.c
-@@ -75,7 +75,7 @@ static int crypto_report_cipher(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_cipher rcipher;
-
-- snprintf(rcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "cipher");
-+ strncpy(rcipher.type, "cipher", sizeof(rcipher.type));
-
- rcipher.blocksize = alg->cra_blocksize;
- rcipher.min_keysize = alg->cra_cipher.cia_min_keysize;
-@@ -94,8 +94,7 @@ static int crypto_report_comp(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_comp rcomp;
-
-- snprintf(rcomp.type, CRYPTO_MAX_ALG_NAME, "%s", "compression");
--
-+ strncpy(rcomp.type, "compression", sizeof(rcomp.type));
- if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS,
- sizeof(struct crypto_report_comp), &rcomp))
- goto nla_put_failure;
-@@ -108,12 +107,14 @@ nla_put_failure:
- static int crypto_report_one(struct crypto_alg *alg,
- struct crypto_user_alg *ualg, struct sk_buff *skb)
- {
-- memcpy(&ualg->cru_name, &alg->cra_name, sizeof(ualg->cru_name));
-- memcpy(&ualg->cru_driver_name, &alg->cra_driver_name,
-- sizeof(ualg->cru_driver_name));
-- memcpy(&ualg->cru_module_name, module_name(alg->cra_module),
-- CRYPTO_MAX_ALG_NAME);
--
-+ strncpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name));
-+ strncpy(ualg->cru_driver_name, alg->cra_driver_name,
-+ sizeof(ualg->cru_driver_name));
-+ strncpy(ualg->cru_module_name, module_name(alg->cra_module),
-+ sizeof(ualg->cru_module_name));
-+
-+ ualg->cru_type = 0;
-+ ualg->cru_mask = 0;
- ualg->cru_flags = alg->cra_flags;
- ualg->cru_refcnt = atomic_read(&alg->cra_refcnt);
-
-@@ -122,8 +123,7 @@ static int crypto_report_one(struct crypto_alg *alg,
- if (alg->cra_flags & CRYPTO_ALG_LARVAL) {
- struct crypto_report_larval rl;
-
-- snprintf(rl.type, CRYPTO_MAX_ALG_NAME, "%s", "larval");
--
-+ strncpy(rl.type, "larval", sizeof(rl.type));
- if (nla_put(skb, CRYPTOCFGA_REPORT_LARVAL,
- sizeof(struct crypto_report_larval), &rl))
- goto nla_put_failure;
-diff --git a/crypto/pcompress.c b/crypto/pcompress.c
-index 04e083f..7140fe7 100644
---- a/crypto/pcompress.c
-+++ b/crypto/pcompress.c
-@@ -53,8 +53,7 @@ static int crypto_pcomp_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_comp rpcomp;
-
-- snprintf(rpcomp.type, CRYPTO_MAX_ALG_NAME, "%s", "pcomp");
--
-+ strncpy(rpcomp.type, "pcomp", sizeof(rpcomp.type));
- if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS,
- sizeof(struct crypto_report_comp), &rpcomp))
- goto nla_put_failure;
-diff --git a/crypto/rng.c b/crypto/rng.c
-index f3b7894..e0a25c2 100644
---- a/crypto/rng.c
-+++ b/crypto/rng.c
-@@ -65,7 +65,7 @@ static int crypto_rng_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_rng rrng;
-
-- snprintf(rrng.type, CRYPTO_MAX_ALG_NAME, "%s", "rng");
-+ strncpy(rrng.type, "rng", sizeof(rrng.type));
-
- rrng.seedsize = alg->cra_rng.seedsize;
-
-diff --git a/crypto/shash.c b/crypto/shash.c
-index f426330f..929058a 100644
---- a/crypto/shash.c
-+++ b/crypto/shash.c
-@@ -530,7 +530,8 @@ static int crypto_shash_report(struct sk_buff *skb, struct crypto_alg *alg)
- struct crypto_report_hash rhash;
- struct shash_alg *salg = __crypto_shash_alg(alg);
-
-- snprintf(rhash.type, CRYPTO_MAX_ALG_NAME, "%s", "shash");
-+ strncpy(rhash.type, "shash", sizeof(rhash.type));
-+
- rhash.blocksize = alg->cra_blocksize;
- rhash.digestsize = salg->digestsize;
-
-diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
-index de1f319..e34a7b4 100644
---- a/drivers/block/xen-blkback/blkback.c
-+++ b/drivers/block/xen-blkback/blkback.c
-@@ -881,6 +881,7 @@ static int dispatch_rw_block_io(struct xen_blkif *blkif,
- goto fail_response;
- }
-
-+ preq.dev = req->u.rw.handle;
- preq.sector_number = req->u.rw.sector_number;
- preq.nr_sects = 0;
-
-diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c
-index 1bafb40..69ae597 100644
---- a/drivers/char/hw_random/core.c
-+++ b/drivers/char/hw_random/core.c
-@@ -40,6 +40,7 @@
- #include <linux/init.h>
- #include <linux/miscdevice.h>
- #include <linux/delay.h>
-+#include <linux/slab.h>
- #include <asm/uaccess.h>
-
-
-@@ -52,8 +53,12 @@ static struct hwrng *current_rng;
- static LIST_HEAD(rng_list);
- static DEFINE_MUTEX(rng_mutex);
- static int data_avail;
--static u8 rng_buffer[SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES]
-- __cacheline_aligned;
-+static u8 *rng_buffer;
-+
-+static size_t rng_buffer_size(void)
-+{
-+ return SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES;
-+}
-
- static inline int hwrng_init(struct hwrng *rng)
- {
-@@ -116,7 +121,7 @@ static ssize_t rng_dev_read(struct file *filp, char __user *buf,
-
- if (!data_avail) {
- bytes_read = rng_get_data(current_rng, rng_buffer,
-- sizeof(rng_buffer),
-+ rng_buffer_size(),
- !(filp->f_flags & O_NONBLOCK));
- if (bytes_read < 0) {
- err = bytes_read;
-@@ -307,6 +312,14 @@ int hwrng_register(struct hwrng *rng)
-
- mutex_lock(&rng_mutex);
-
-+ /* kmalloc makes this safe for virt_to_page() in virtio_rng.c */
-+ err = -ENOMEM;
-+ if (!rng_buffer) {
-+ rng_buffer = kmalloc(rng_buffer_size(), GFP_KERNEL);
-+ if (!rng_buffer)
-+ goto out_unlock;
-+ }
-+
- /* Must not register two RNGs with the same name. */
- err = -EEXIST;
- list_for_each_entry(tmp, &rng_list, list) {
-diff --git a/drivers/char/random.c b/drivers/char/random.c
-index 85e81ec..57d4b15 100644
---- a/drivers/char/random.c
-+++ b/drivers/char/random.c
-@@ -852,6 +852,7 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
- int reserved)
- {
- unsigned long flags;
-+ int wakeup_write = 0;
-
- /* Hold lock while accounting */
- spin_lock_irqsave(&r->lock, flags);
-@@ -873,10 +874,8 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
- else
- r->entropy_count = reserved;
-
-- if (r->entropy_count < random_write_wakeup_thresh) {
-- wake_up_interruptible(&random_write_wait);
-- kill_fasync(&fasync, SIGIO, POLL_OUT);
-- }
-+ if (r->entropy_count < random_write_wakeup_thresh)
-+ wakeup_write = 1;
- }
-
- DEBUG_ENT("debiting %zu entropy credits from %s%s\n",
-@@ -884,6 +883,11 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
-
- spin_unlock_irqrestore(&r->lock, flags);
-
-+ if (wakeup_write) {
-+ wake_up_interruptible(&random_write_wait);
-+ kill_fasync(&fasync, SIGIO, POLL_OUT);
-+ }
-+
- return nbytes;
- }
-
-diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
-index fce2000..1110478 100644
---- a/drivers/connector/cn_proc.c
-+++ b/drivers/connector/cn_proc.c
-@@ -313,6 +313,12 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg,
- (task_active_pid_ns(current) != &init_pid_ns))
- return;
-
-+ /* Can only change if privileged. */
-+ if (!capable(CAP_NET_ADMIN)) {
-+ err = EPERM;
-+ goto out;
-+ }
-+
- mc_op = (enum proc_cn_mcast_op *)msg->data;
- switch (*mc_op) {
- case PROC_CN_MCAST_LISTEN:
-@@ -325,6 +331,8 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg,
- err = EINVAL;
- break;
- }
-+
-+out:
- cn_proc_ack(err, msg->seq, msg->ack);
- }
-
-diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c
-index 982f1f5..4cd392d 100644
---- a/drivers/firmware/dmi_scan.c
-+++ b/drivers/firmware/dmi_scan.c
-@@ -442,7 +442,6 @@ static int __init dmi_present(const char __iomem *p)
- static int __init smbios_present(const char __iomem *p)
- {
- u8 buf[32];
-- int offset = 0;
-
- memcpy_fromio(buf, p, 32);
- if ((buf[5] < 32) && dmi_checksum(buf, buf[5])) {
-@@ -461,9 +460,9 @@ static int __init smbios_present(const char __iomem *p)
- dmi_ver = 0x0206;
- break;
- }
-- offset = 16;
-+ return memcmp(p + 16, "_DMI_", 5) || dmi_present(p + 16);
- }
-- return dmi_present(buf + offset);
-+ return 1;
- }
-
- void __init dmi_scan_machine(void)
-diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c
-index bcb201c..2a2e145 100644
---- a/drivers/firmware/efivars.c
-+++ b/drivers/firmware/efivars.c
-@@ -406,10 +406,11 @@ static efi_status_t
- get_var_data(struct efivars *efivars, struct efi_variable *var)
- {
- efi_status_t status;
-+ unsigned long flags;
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irqsave(&efivars->lock, flags);
- status = get_var_data_locked(efivars, var);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irqrestore(&efivars->lock, flags);
-
- if (status != EFI_SUCCESS) {
- printk(KERN_WARNING "efivars: get_variable() failed 0x%lx!\n",
-@@ -418,6 +419,44 @@ get_var_data(struct efivars *efivars, struct efi_variable *var)
- return status;
- }
-
-+static efi_status_t
-+check_var_size_locked(struct efivars *efivars, u32 attributes,
-+ unsigned long size)
-+{
-+ u64 storage_size, remaining_size, max_size;
-+ efi_status_t status;
-+ const struct efivar_operations *fops = efivars->ops;
-+
-+ if (!efivars->ops->query_variable_info)
-+ return EFI_UNSUPPORTED;
-+
-+ status = fops->query_variable_info(attributes, &storage_size,
-+ &remaining_size, &max_size);
-+
-+ if (status != EFI_SUCCESS)
-+ return status;
-+
-+ if (!storage_size || size > remaining_size || size > max_size ||
-+ (remaining_size - size) < (storage_size / 2))
-+ return EFI_OUT_OF_RESOURCES;
-+
-+ return status;
-+}
-+
-+
-+static efi_status_t
-+check_var_size(struct efivars *efivars, u32 attributes, unsigned long size)
-+{
-+ efi_status_t status;
-+ unsigned long flags;
-+
-+ spin_lock_irqsave(&efivars->lock, flags);
-+ status = check_var_size_locked(efivars, attributes, size);
-+ spin_unlock_irqrestore(&efivars->lock, flags);
-+
-+ return status;
-+}
-+
- static ssize_t
- efivar_guid_read(struct efivar_entry *entry, char *buf)
- {
-@@ -538,14 +577,19 @@ efivar_store_raw(struct efivar_entry *entry, const char *buf, size_t count)
- return -EINVAL;
- }
-
-- spin_lock(&efivars->lock);
-- status = efivars->ops->set_variable(new_var->VariableName,
-- &new_var->VendorGuid,
-- new_var->Attributes,
-- new_var->DataSize,
-- new_var->Data);
-+ spin_lock_irq(&efivars->lock);
-+
-+ status = check_var_size_locked(efivars, new_var->Attributes,
-+ new_var->DataSize + utf16_strsize(new_var->VariableName, 1024));
-
-- spin_unlock(&efivars->lock);
-+ if (status == EFI_SUCCESS || status == EFI_UNSUPPORTED)
-+ status = efivars->ops->set_variable(new_var->VariableName,
-+ &new_var->VendorGuid,
-+ new_var->Attributes,
-+ new_var->DataSize,
-+ new_var->Data);
-+
-+ spin_unlock_irq(&efivars->lock);
-
- if (status != EFI_SUCCESS) {
- printk(KERN_WARNING "efivars: set_variable() failed: status=%lx\n",
-@@ -694,8 +738,7 @@ static ssize_t efivarfs_file_write(struct file *file,
- u32 attributes;
- struct inode *inode = file->f_mapping->host;
- unsigned long datasize = count - sizeof(attributes);
-- unsigned long newdatasize;
-- u64 storage_size, remaining_size, max_size;
-+ unsigned long newdatasize, varsize;
- ssize_t bytes = 0;
-
- if (count < sizeof(attributes))
-@@ -714,28 +757,18 @@ static ssize_t efivarfs_file_write(struct file *file,
- * amounts of memory. Pick a default size of 64K if
- * QueryVariableInfo() isn't supported by the firmware.
- */
-- spin_lock(&efivars->lock);
-
-- if (!efivars->ops->query_variable_info)
-- status = EFI_UNSUPPORTED;
-- else {
-- const struct efivar_operations *fops = efivars->ops;
-- status = fops->query_variable_info(attributes, &storage_size,
-- &remaining_size, &max_size);
-- }
--
-- spin_unlock(&efivars->lock);
-+ varsize = datasize + utf16_strsize(var->var.VariableName, 1024);
-+ status = check_var_size(efivars, attributes, varsize);
-
- if (status != EFI_SUCCESS) {
- if (status != EFI_UNSUPPORTED)
- return efi_status_to_err(status);
-
-- remaining_size = 65536;
-+ if (datasize > 65536)
-+ return -ENOSPC;
- }
-
-- if (datasize > remaining_size)
-- return -ENOSPC;
--
- data = kmalloc(datasize, GFP_KERNEL);
- if (!data)
- return -ENOMEM;
-@@ -755,7 +788,20 @@ static ssize_t efivarfs_file_write(struct file *file,
- * set_variable call, and removal of the variable from the efivars
- * list (in the case of an authenticated delete).
- */
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
-+
-+ /*
-+ * Ensure that the available space hasn't shrunk below the safe level
-+ */
-+
-+ status = check_var_size_locked(efivars, attributes, varsize);
-+
-+ if (status != EFI_SUCCESS && status != EFI_UNSUPPORTED) {
-+ spin_unlock_irq(&efivars->lock);
-+ kfree(data);
-+
-+ return efi_status_to_err(status);
-+ }
-
- status = efivars->ops->set_variable(var->var.VariableName,
- &var->var.VendorGuid,
-@@ -763,7 +809,7 @@ static ssize_t efivarfs_file_write(struct file *file,
- data);
-
- if (status != EFI_SUCCESS) {
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- kfree(data);
-
- return efi_status_to_err(status);
-@@ -784,21 +830,21 @@ static ssize_t efivarfs_file_write(struct file *file,
- NULL);
-
- if (status == EFI_BUFFER_TOO_SMALL) {
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- mutex_lock(&inode->i_mutex);
- i_size_write(inode, newdatasize + sizeof(attributes));
- mutex_unlock(&inode->i_mutex);
-
- } else if (status == EFI_NOT_FOUND) {
- list_del(&var->list);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- efivar_unregister(var);
- drop_nlink(inode);
- d_delete(file->f_dentry);
- dput(file->f_dentry);
-
- } else {
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- pr_warn("efivarfs: inconsistent EFI variable implementation? "
- "status = %lx\n", status);
- }
-@@ -820,11 +866,11 @@ static ssize_t efivarfs_file_read(struct file *file, char __user *userbuf,
- void *data;
- ssize_t size = 0;
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
- status = efivars->ops->get_variable(var->var.VariableName,
- &var->var.VendorGuid,
- &attributes, &datasize, NULL);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
-
- if (status != EFI_BUFFER_TOO_SMALL)
- return efi_status_to_err(status);
-@@ -834,12 +880,12 @@ static ssize_t efivarfs_file_read(struct file *file, char __user *userbuf,
- if (!data)
- return -ENOMEM;
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
- status = efivars->ops->get_variable(var->var.VariableName,
- &var->var.VendorGuid,
- &attributes, &datasize,
- (data + sizeof(attributes)));
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
-
- if (status != EFI_SUCCESS) {
- size = efi_status_to_err(status);
-@@ -921,8 +967,8 @@ static bool efivarfs_valid_name(const char *str, int len)
- if (len < GUID_LEN + 2)
- return false;
-
-- /* GUID should be right after the first '-' */
-- if (s - 1 != strchr(str, '-'))
-+ /* GUID must be preceded by a '-' */
-+ if (*(s - 1) != '-')
- return false;
-
- /*
-@@ -1005,9 +1051,9 @@ static int efivarfs_create(struct inode *dir, struct dentry *dentry,
- goto out;
-
- kobject_uevent(&var->kobj, KOBJ_ADD);
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
- list_add(&var->list, &efivars->list);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- d_instantiate(dentry, inode);
- dget(dentry);
- out:
-@@ -1024,7 +1070,7 @@ static int efivarfs_unlink(struct inode *dir, struct dentry *dentry)
- struct efivars *efivars = var->efivars;
- efi_status_t status;
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
-
- status = efivars->ops->set_variable(var->var.VariableName,
- &var->var.VendorGuid,
-@@ -1032,14 +1078,14 @@ static int efivarfs_unlink(struct inode *dir, struct dentry *dentry)
-
- if (status == EFI_SUCCESS || status == EFI_NOT_FOUND) {
- list_del(&var->list);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- efivar_unregister(var);
- drop_nlink(dentry->d_inode);
- dput(dentry);
- return 0;
- }
-
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- return -EINVAL;
- };
-
-@@ -1110,15 +1156,22 @@ static struct dentry_operations efivarfs_d_ops = {
-
- static struct dentry *efivarfs_alloc_dentry(struct dentry *parent, char *name)
- {
-+ struct dentry *d;
- struct qstr q;
-+ int err;
-
- q.name = name;
- q.len = strlen(name);
-
-- if (efivarfs_d_hash(NULL, NULL, &q))
-- return NULL;
-+ err = efivarfs_d_hash(NULL, NULL, &q);
-+ if (err)
-+ return ERR_PTR(err);
-
-- return d_alloc(parent, &q);
-+ d = d_alloc(parent, &q);
-+ if (d)
-+ return d;
-+
-+ return ERR_PTR(-ENOMEM);
- }
-
- static int efivarfs_fill_super(struct super_block *sb, void *data, int silent)
-@@ -1128,6 +1181,7 @@ static int efivarfs_fill_super(struct super_block *sb, void *data, int silent)
- struct efivar_entry *entry, *n;
- struct efivars *efivars = &__efivars;
- char *name;
-+ int err = -ENOMEM;
-
- efivarfs_sb = sb;
-
-@@ -1178,19 +1232,21 @@ static int efivarfs_fill_super(struct super_block *sb, void *data, int silent)
- goto fail_name;
-
- dentry = efivarfs_alloc_dentry(root, name);
-- if (!dentry)
-+ if (IS_ERR(dentry)) {
-+ err = PTR_ERR(dentry);
- goto fail_inode;
-+ }
-
- /* copied by the above to local storage in the dentry. */
- kfree(name);
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
- efivars->ops->get_variable(entry->var.VariableName,
- &entry->var.VendorGuid,
- &entry->var.Attributes,
- &size,
- NULL);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
-
- mutex_lock(&inode->i_mutex);
- inode->i_private = entry;
-@@ -1206,7 +1262,7 @@ fail_inode:
- fail_name:
- kfree(name);
- fail:
-- return -ENOMEM;
-+ return err;
- }
-
- static struct dentry *efivarfs_mount(struct file_system_type *fs_type,
-@@ -1253,7 +1309,7 @@ static int efi_pstore_open(struct pstore_info *psi)
- {
- struct efivars *efivars = psi->data;
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
- efivars->walk_entry = list_first_entry(&efivars->list,
- struct efivar_entry, list);
- return 0;
-@@ -1263,7 +1319,7 @@ static int efi_pstore_close(struct pstore_info *psi)
- {
- struct efivars *efivars = psi->data;
-
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- return 0;
- }
-
-@@ -1337,22 +1393,22 @@ static int efi_pstore_write(enum pstore_type_id type,
- efi_guid_t vendor = LINUX_EFI_CRASH_GUID;
- struct efivars *efivars = psi->data;
- int i, ret = 0;
-- u64 storage_space, remaining_space, max_variable_size;
- efi_status_t status = EFI_NOT_FOUND;
-+ unsigned long flags;
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irqsave(&efivars->lock, flags);
-
- /*
- * Check if there is a space enough to log.
- * size: a size of logging data
- * DUMP_NAME_LEN * 2: a maximum size of variable name
- */
-- status = efivars->ops->query_variable_info(PSTORE_EFI_ATTRIBUTES,
-- &storage_space,
-- &remaining_space,
-- &max_variable_size);
-- if (status || remaining_space < size + DUMP_NAME_LEN * 2) {
-- spin_unlock(&efivars->lock);
-+
-+ status = check_var_size_locked(efivars, PSTORE_EFI_ATTRIBUTES,
-+ size + DUMP_NAME_LEN * 2);
-+
-+ if (status) {
-+ spin_unlock_irqrestore(&efivars->lock, flags);
- *id = part;
- return -ENOSPC;
- }
-@@ -1366,7 +1422,7 @@ static int efi_pstore_write(enum pstore_type_id type,
- efivars->ops->set_variable(efi_name, &vendor, PSTORE_EFI_ATTRIBUTES,
- size, psi->buf);
-
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irqrestore(&efivars->lock, flags);
-
- if (size)
- ret = efivar_create_sysfs_entry(efivars,
-@@ -1393,7 +1449,7 @@ static int efi_pstore_erase(enum pstore_type_id type, u64 id, int count,
- sprintf(name, "dump-type%u-%u-%d-%lu", type, (unsigned int)id, count,
- time.tv_sec);
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
-
- for (i = 0; i < DUMP_NAME_LEN; i++)
- efi_name[i] = name[i];
-@@ -1437,7 +1493,7 @@ static int efi_pstore_erase(enum pstore_type_id type, u64 id, int count,
- if (found)
- list_del(&found->list);
-
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
-
- if (found)
- efivar_unregister(found);
-@@ -1507,7 +1563,7 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj,
- return -EINVAL;
- }
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
-
- /*
- * Does this variable already exist?
-@@ -1525,10 +1581,18 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj,
- }
- }
- if (found) {
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- return -EINVAL;
- }
-
-+ status = check_var_size_locked(efivars, new_var->Attributes,
-+ new_var->DataSize + utf16_strsize(new_var->VariableName, 1024));
-+
-+ if (status && status != EFI_UNSUPPORTED) {
-+ spin_unlock_irq(&efivars->lock);
-+ return efi_status_to_err(status);
-+ }
-+
- /* now *really* create the variable via EFI */
- status = efivars->ops->set_variable(new_var->VariableName,
- &new_var->VendorGuid,
-@@ -1539,10 +1603,10 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj,
- if (status != EFI_SUCCESS) {
- printk(KERN_WARNING "efivars: set_variable() failed: status=%lx\n",
- status);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- return -EIO;
- }
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
-
- /* Create the entry in sysfs. Locking is not required here */
- status = efivar_create_sysfs_entry(efivars,
-@@ -1570,7 +1634,7 @@ static ssize_t efivar_delete(struct file *filp, struct kobject *kobj,
- if (!capable(CAP_SYS_ADMIN))
- return -EACCES;
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
-
- /*
- * Does this variable already exist?
-@@ -1588,7 +1652,7 @@ static ssize_t efivar_delete(struct file *filp, struct kobject *kobj,
- }
- }
- if (!found) {
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- return -EINVAL;
- }
- /* force the Attributes/DataSize to 0 to ensure deletion */
-@@ -1604,12 +1668,12 @@ static ssize_t efivar_delete(struct file *filp, struct kobject *kobj,
- if (status != EFI_SUCCESS) {
- printk(KERN_WARNING "efivars: set_variable() failed: status=%lx\n",
- status);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- return -EIO;
- }
- list_del(&search_efivar->list);
- /* We need to release this lock before unregistering. */
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- efivar_unregister(search_efivar);
-
- /* It's dead Jim.... */
-@@ -1724,9 +1788,9 @@ efivar_create_sysfs_entry(struct efivars *efivars,
- kfree(short_name);
- short_name = NULL;
-
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
- list_add(&new_efivar->list, &efivars->list);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
-
- return 0;
- }
-@@ -1795,9 +1859,9 @@ void unregister_efivars(struct efivars *efivars)
- struct efivar_entry *entry, *n;
-
- list_for_each_entry_safe(entry, n, &efivars->list, list) {
-- spin_lock(&efivars->lock);
-+ spin_lock_irq(&efivars->lock);
- list_del(&entry->list);
-- spin_unlock(&efivars->lock);
-+ spin_unlock_irq(&efivars->lock);
- efivar_unregister(entry);
- }
- if (efivars->new_var)
-diff --git a/drivers/gpio/gpio-mvebu.c b/drivers/gpio/gpio-mvebu.c
-index 6819d63..456663c 100644
---- a/drivers/gpio/gpio-mvebu.c
-+++ b/drivers/gpio/gpio-mvebu.c
-@@ -41,6 +41,7 @@
- #include <linux/io.h>
- #include <linux/of_irq.h>
- #include <linux/of_device.h>
-+#include <linux/clk.h>
- #include <linux/pinctrl/consumer.h>
-
- /*
-@@ -495,6 +496,7 @@ static int mvebu_gpio_probe(struct platform_device *pdev)
- struct resource *res;
- struct irq_chip_generic *gc;
- struct irq_chip_type *ct;
-+ struct clk *clk;
- unsigned int ngpios;
- int soc_variant;
- int i, cpu, id;
-@@ -528,6 +530,11 @@ static int mvebu_gpio_probe(struct platform_device *pdev)
- return id;
- }
-
-+ clk = devm_clk_get(&pdev->dev, NULL);
-+ /* Not all SoCs require a clock.*/
-+ if (!IS_ERR(clk))
-+ clk_prepare_enable(clk);
-+
- mvchip->soc_variant = soc_variant;
- mvchip->chip.label = dev_name(&pdev->dev);
- mvchip->chip.dev = &pdev->dev;
-diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
-index 99daa89..5206f24 100644
---- a/drivers/gpu/drm/i915/i915_dma.c
-+++ b/drivers/gpu/drm/i915/i915_dma.c
-@@ -1297,19 +1297,21 @@ static int i915_load_modeset_init(struct drm_device *dev)
- if (ret)
- goto cleanup_vga_switcheroo;
-
-+ ret = drm_irq_install(dev);
-+ if (ret)
-+ goto cleanup_gem_stolen;
-+
-+ /* Important: The output setup functions called by modeset_init need
-+ * working irqs for e.g. gmbus and dp aux transfers. */
- intel_modeset_init(dev);
-
- ret = i915_gem_init(dev);
- if (ret)
-- goto cleanup_gem_stolen;
--
-- intel_modeset_gem_init(dev);
-+ goto cleanup_irq;
-
- INIT_WORK(&dev_priv->console_resume_work, intel_console_resume);
-
-- ret = drm_irq_install(dev);
-- if (ret)
-- goto cleanup_gem;
-+ intel_modeset_gem_init(dev);
-
- /* Always safe in the mode setting case. */
- /* FIXME: do pre/post-mode set stuff in core KMS code */
-@@ -1317,7 +1319,10 @@ static int i915_load_modeset_init(struct drm_device *dev)
-
- ret = intel_fbdev_init(dev);
- if (ret)
-- goto cleanup_irq;
-+ goto cleanup_gem;
-+
-+ /* Only enable hotplug handling once the fbdev is fully set up. */
-+ dev_priv->enable_hotplug_processing = true;
-
- drm_kms_helper_poll_init(dev);
-
-@@ -1326,13 +1331,13 @@ static int i915_load_modeset_init(struct drm_device *dev)
-
- return 0;
-
--cleanup_irq:
-- drm_irq_uninstall(dev);
- cleanup_gem:
- mutex_lock(&dev->struct_mutex);
- i915_gem_cleanup_ringbuffer(dev);
- mutex_unlock(&dev->struct_mutex);
- i915_gem_cleanup_aliasing_ppgtt(dev);
-+cleanup_irq:
-+ drm_irq_uninstall(dev);
- cleanup_gem_stolen:
- i915_gem_cleanup_stolen(dev);
- cleanup_vga_switcheroo:
-diff --git a/drivers/gpu/drm/i915/i915_drv.c b/drivers/gpu/drm/i915/i915_drv.c
-index 1172658..fb6454c 100644
---- a/drivers/gpu/drm/i915/i915_drv.c
-+++ b/drivers/gpu/drm/i915/i915_drv.c
-@@ -377,15 +377,15 @@ static const struct pci_device_id pciidlist[] = { /* aka */
- INTEL_VGA_DEVICE(0x0A06, &intel_haswell_m_info), /* ULT GT1 mobile */
- INTEL_VGA_DEVICE(0x0A16, &intel_haswell_m_info), /* ULT GT2 mobile */
- INTEL_VGA_DEVICE(0x0A26, &intel_haswell_m_info), /* ULT GT2 mobile */
-- INTEL_VGA_DEVICE(0x0D12, &intel_haswell_d_info), /* CRW GT1 desktop */
-+ INTEL_VGA_DEVICE(0x0D02, &intel_haswell_d_info), /* CRW GT1 desktop */
-+ INTEL_VGA_DEVICE(0x0D12, &intel_haswell_d_info), /* CRW GT2 desktop */
- INTEL_VGA_DEVICE(0x0D22, &intel_haswell_d_info), /* CRW GT2 desktop */
-- INTEL_VGA_DEVICE(0x0D32, &intel_haswell_d_info), /* CRW GT2 desktop */
-- INTEL_VGA_DEVICE(0x0D1A, &intel_haswell_d_info), /* CRW GT1 server */
-+ INTEL_VGA_DEVICE(0x0D0A, &intel_haswell_d_info), /* CRW GT1 server */
-+ INTEL_VGA_DEVICE(0x0D1A, &intel_haswell_d_info), /* CRW GT2 server */
- INTEL_VGA_DEVICE(0x0D2A, &intel_haswell_d_info), /* CRW GT2 server */
-- INTEL_VGA_DEVICE(0x0D3A, &intel_haswell_d_info), /* CRW GT2 server */
-- INTEL_VGA_DEVICE(0x0D16, &intel_haswell_m_info), /* CRW GT1 mobile */
-+ INTEL_VGA_DEVICE(0x0D06, &intel_haswell_m_info), /* CRW GT1 mobile */
-+ INTEL_VGA_DEVICE(0x0D16, &intel_haswell_m_info), /* CRW GT2 mobile */
- INTEL_VGA_DEVICE(0x0D26, &intel_haswell_m_info), /* CRW GT2 mobile */
-- INTEL_VGA_DEVICE(0x0D36, &intel_haswell_m_info), /* CRW GT2 mobile */
- INTEL_VGA_DEVICE(0x0f30, &intel_valleyview_m_info),
- INTEL_VGA_DEVICE(0x0157, &intel_valleyview_m_info),
- INTEL_VGA_DEVICE(0x0155, &intel_valleyview_d_info),
-@@ -486,6 +486,7 @@ static int i915_drm_freeze(struct drm_device *dev)
- intel_modeset_disable(dev);
-
- drm_irq_uninstall(dev);
-+ dev_priv->enable_hotplug_processing = false;
- }
-
- i915_save_state(dev);
-@@ -562,9 +563,19 @@ static int __i915_drm_thaw(struct drm_device *dev)
- error = i915_gem_init_hw(dev);
- mutex_unlock(&dev->struct_mutex);
-
-+ /* We need working interrupts for modeset enabling ... */
-+ drm_irq_install(dev);
-+
- intel_modeset_init_hw(dev);
- intel_modeset_setup_hw_state(dev, false);
-- drm_irq_install(dev);
-+
-+ /*
-+ * ... but also need to make sure that hotplug processing
-+ * doesn't cause havoc. Like in the driver load code we don't
-+ * bother with the tiny race here where we might loose hotplug
-+ * notifications.
-+ * */
-+ dev_priv->enable_hotplug_processing = true;
- }
-
- intel_opregion_init(dev);
-diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h
-index 7339a4b..66ad64f 100644
---- a/drivers/gpu/drm/i915/i915_drv.h
-+++ b/drivers/gpu/drm/i915/i915_drv.h
-@@ -672,6 +672,7 @@ typedef struct drm_i915_private {
-
- u32 hotplug_supported_mask;
- struct work_struct hotplug_work;
-+ bool enable_hotplug_processing;
-
- int num_pipe;
- int num_pch_pll;
-diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
-index fe84338..3c00403 100644
---- a/drivers/gpu/drm/i915/i915_irq.c
-+++ b/drivers/gpu/drm/i915/i915_irq.c
-@@ -287,6 +287,10 @@ static void i915_hotplug_work_func(struct work_struct *work)
- struct drm_mode_config *mode_config = &dev->mode_config;
- struct intel_encoder *encoder;
-
-+ /* HPD irq before everything is fully set up. */
-+ if (!dev_priv->enable_hotplug_processing)
-+ return;
-+
- mutex_lock(&mode_config->mutex);
- DRM_DEBUG_KMS("running encoder hotplug functions\n");
-
-diff --git a/drivers/gpu/drm/i915/intel_crt.c b/drivers/gpu/drm/i915/intel_crt.c
-index 06b1786..b52ed09 100644
---- a/drivers/gpu/drm/i915/intel_crt.c
-+++ b/drivers/gpu/drm/i915/intel_crt.c
-@@ -88,7 +88,7 @@ static void intel_disable_crt(struct intel_encoder *encoder)
- u32 temp;
-
- temp = I915_READ(crt->adpa_reg);
-- temp &= ~(ADPA_HSYNC_CNTL_DISABLE | ADPA_VSYNC_CNTL_DISABLE);
-+ temp |= ADPA_HSYNC_CNTL_DISABLE | ADPA_VSYNC_CNTL_DISABLE;
- temp &= ~ADPA_DAC_ENABLE;
- I915_WRITE(crt->adpa_reg, temp);
- }
-diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c
-index 3280cff..dde0ded 100644
---- a/drivers/gpu/drm/i915/intel_pm.c
-+++ b/drivers/gpu/drm/i915/intel_pm.c
-@@ -2572,7 +2572,7 @@ static void gen6_enable_rps(struct drm_device *dev)
- I915_WRITE(GEN6_RC_SLEEP, 0);
- I915_WRITE(GEN6_RC1e_THRESHOLD, 1000);
- I915_WRITE(GEN6_RC6_THRESHOLD, 50000);
-- I915_WRITE(GEN6_RC6p_THRESHOLD, 100000);
-+ I915_WRITE(GEN6_RC6p_THRESHOLD, 150000);
- I915_WRITE(GEN6_RC6pp_THRESHOLD, 64000); /* unused */
-
- /* Check if we are enabling RC6 */
-diff --git a/drivers/gpu/drm/radeon/radeon_combios.c b/drivers/gpu/drm/radeon/radeon_combios.c
-index 3e403bd..78edadc 100644
---- a/drivers/gpu/drm/radeon/radeon_combios.c
-+++ b/drivers/gpu/drm/radeon/radeon_combios.c
-@@ -970,6 +970,15 @@ struct radeon_encoder_primary_dac *radeon_combios_get_primary_dac_info(struct
- found = 1;
- }
-
-+ /* quirks */
-+ /* Radeon 9100 (R200) */
-+ if ((dev->pdev->device == 0x514D) &&
-+ (dev->pdev->subsystem_vendor == 0x174B) &&
-+ (dev->pdev->subsystem_device == 0x7149)) {
-+ /* vbios value is bad, use the default */
-+ found = 0;
-+ }
-+
- if (!found) /* fallback to defaults */
- radeon_legacy_get_primary_dac_info_from_table(rdev, p_dac);
-
-diff --git a/drivers/gpu/drm/radeon/radeon_irq_kms.c b/drivers/gpu/drm/radeon/radeon_irq_kms.c
-index 90374dd..48f80cd 100644
---- a/drivers/gpu/drm/radeon/radeon_irq_kms.c
-+++ b/drivers/gpu/drm/radeon/radeon_irq_kms.c
-@@ -400,6 +400,9 @@ void radeon_irq_kms_enable_afmt(struct radeon_device *rdev, int block)
- {
- unsigned long irqflags;
-
-+ if (!rdev->ddev->irq_enabled)
-+ return;
-+
- spin_lock_irqsave(&rdev->irq.lock, irqflags);
- rdev->irq.afmt[block] = true;
- radeon_irq_set(rdev);
-@@ -419,6 +422,9 @@ void radeon_irq_kms_disable_afmt(struct radeon_device *rdev, int block)
- {
- unsigned long irqflags;
-
-+ if (!rdev->ddev->irq_enabled)
-+ return;
-+
- spin_lock_irqsave(&rdev->irq.lock, irqflags);
- rdev->irq.afmt[block] = false;
- radeon_irq_set(rdev);
-@@ -438,6 +444,9 @@ void radeon_irq_kms_enable_hpd(struct radeon_device *rdev, unsigned hpd_mask)
- unsigned long irqflags;
- int i;
-
-+ if (!rdev->ddev->irq_enabled)
-+ return;
-+
- spin_lock_irqsave(&rdev->irq.lock, irqflags);
- for (i = 0; i < RADEON_MAX_HPD_PINS; ++i)
- rdev->irq.hpd[i] |= !!(hpd_mask & (1 << i));
-@@ -458,6 +467,9 @@ void radeon_irq_kms_disable_hpd(struct radeon_device *rdev, unsigned hpd_mask)
- unsigned long irqflags;
- int i;
-
-+ if (!rdev->ddev->irq_enabled)
-+ return;
-+
- spin_lock_irqsave(&rdev->irq.lock, irqflags);
- for (i = 0; i < RADEON_MAX_HPD_PINS; ++i)
- rdev->irq.hpd[i] &= !(hpd_mask & (1 << i));
-diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
-index 9500f2f..8758f38c 100644
---- a/drivers/hid/hid-logitech-dj.c
-+++ b/drivers/hid/hid-logitech-dj.c
-@@ -459,19 +459,25 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
- struct dj_report *dj_report)
- {
- struct hid_device *hdev = djrcv_dev->hdev;
-- int sent_bytes;
-+ struct hid_report *report;
-+ struct hid_report_enum *output_report_enum;
-+ u8 *data = (u8 *)(&dj_report->device_index);
-+ int i;
-
-- if (!hdev->hid_output_raw_report) {
-- dev_err(&hdev->dev, "%s:"
-- "hid_output_raw_report is null\n", __func__);
-+ output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT];
-+ report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT];
-+
-+ if (!report) {
-+ dev_err(&hdev->dev, "%s: unable to find dj report\n", __func__);
- return -ENODEV;
- }
-
-- sent_bytes = hdev->hid_output_raw_report(hdev, (u8 *) dj_report,
-- sizeof(struct dj_report),
-- HID_OUTPUT_REPORT);
-+ for (i = 0; i < report->field[0]->report_count; i++)
-+ report->field[0]->value[i] = data[i];
-+
-+ usbhid_submit_report(hdev, report, USB_DIR_OUT);
-
-- return (sent_bytes < 0) ? sent_bytes : 0;
-+ return 0;
- }
-
- static int logi_dj_recv_query_paired_devices(struct dj_receiver_dev *djrcv_dev)
-diff --git a/drivers/hwmon/pmbus/ltc2978.c b/drivers/hwmon/pmbus/ltc2978.c
-index 9652a2c..a58de38 100644
---- a/drivers/hwmon/pmbus/ltc2978.c
-+++ b/drivers/hwmon/pmbus/ltc2978.c
-@@ -62,7 +62,7 @@ struct ltc2978_data {
- int temp_min, temp_max;
- int vout_min[8], vout_max[8];
- int iout_max[2];
-- int temp2_max[2];
-+ int temp2_max;
- struct pmbus_driver_info info;
- };
-
-@@ -204,10 +204,9 @@ static int ltc3880_read_word_data(struct i2c_client *client, int page, int reg)
- ret = pmbus_read_word_data(client, page,
- LTC3880_MFR_TEMPERATURE2_PEAK);
- if (ret >= 0) {
-- if (lin11_to_val(ret)
-- > lin11_to_val(data->temp2_max[page]))
-- data->temp2_max[page] = ret;
-- ret = data->temp2_max[page];
-+ if (lin11_to_val(ret) > lin11_to_val(data->temp2_max))
-+ data->temp2_max = ret;
-+ ret = data->temp2_max;
- }
- break;
- case PMBUS_VIRT_READ_VIN_MIN:
-@@ -248,11 +247,11 @@ static int ltc2978_write_word_data(struct i2c_client *client, int page,
-
- switch (reg) {
- case PMBUS_VIRT_RESET_IOUT_HISTORY:
-- data->iout_max[page] = 0x7fff;
-+ data->iout_max[page] = 0x7c00;
- ret = ltc2978_clear_peaks(client, page, data->id);
- break;
- case PMBUS_VIRT_RESET_TEMP2_HISTORY:
-- data->temp2_max[page] = 0x7fff;
-+ data->temp2_max = 0x7c00;
- ret = ltc2978_clear_peaks(client, page, data->id);
- break;
- case PMBUS_VIRT_RESET_VOUT_HISTORY:
-@@ -262,12 +261,12 @@ static int ltc2978_write_word_data(struct i2c_client *client, int page,
- break;
- case PMBUS_VIRT_RESET_VIN_HISTORY:
- data->vin_min = 0x7bff;
-- data->vin_max = 0;
-+ data->vin_max = 0x7c00;
- ret = ltc2978_clear_peaks(client, page, data->id);
- break;
- case PMBUS_VIRT_RESET_TEMP_HISTORY:
- data->temp_min = 0x7bff;
-- data->temp_max = 0x7fff;
-+ data->temp_max = 0x7c00;
- ret = ltc2978_clear_peaks(client, page, data->id);
- break;
- default:
-@@ -321,12 +320,13 @@ static int ltc2978_probe(struct i2c_client *client,
- info = &data->info;
- info->write_word_data = ltc2978_write_word_data;
-
-- data->vout_min[0] = 0xffff;
- data->vin_min = 0x7bff;
-+ data->vin_max = 0x7c00;
- data->temp_min = 0x7bff;
-- data->temp_max = 0x7fff;
-+ data->temp_max = 0x7c00;
-+ data->temp2_max = 0x7c00;
-
-- switch (id->driver_data) {
-+ switch (data->id) {
- case ltc2978:
- info->read_word_data = ltc2978_read_word_data;
- info->pages = 8;
-@@ -336,7 +336,6 @@ static int ltc2978_probe(struct i2c_client *client,
- for (i = 1; i < 8; i++) {
- info->func[i] = PMBUS_HAVE_VOUT
- | PMBUS_HAVE_STATUS_VOUT;
-- data->vout_min[i] = 0xffff;
- }
- break;
- case ltc3880:
-@@ -352,11 +351,14 @@ static int ltc2978_probe(struct i2c_client *client,
- | PMBUS_HAVE_IOUT | PMBUS_HAVE_STATUS_IOUT
- | PMBUS_HAVE_POUT
- | PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP;
-- data->vout_min[1] = 0xffff;
-+ data->iout_max[0] = 0x7c00;
-+ data->iout_max[1] = 0x7c00;
- break;
- default:
- return -ENODEV;
- }
-+ for (i = 0; i < info->pages; i++)
-+ data->vout_min[i] = 0xffff;
-
- return pmbus_do_probe(client, id, info);
- }
-diff --git a/drivers/hwmon/sht15.c b/drivers/hwmon/sht15.c
-index 1c85d39..8047fed 100644
---- a/drivers/hwmon/sht15.c
-+++ b/drivers/hwmon/sht15.c
-@@ -926,7 +926,13 @@ static int sht15_probe(struct platform_device *pdev)
- if (voltage)
- data->supply_uV = voltage;
-
-- regulator_enable(data->reg);
-+ ret = regulator_enable(data->reg);
-+ if (ret != 0) {
-+ dev_err(&pdev->dev,
-+ "failed to enable regulator: %d\n", ret);
-+ return ret;
-+ }
-+
- /*
- * Setup a notifier block to update this if another device
- * causes the voltage to change
-diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
-index f7369f9..2ae151e 100644
---- a/drivers/md/dm-crypt.c
-+++ b/drivers/md/dm-crypt.c
-@@ -1234,20 +1234,6 @@ static int crypt_decode_key(u8 *key, char *hex, unsigned int size)
- return 0;
- }
-
--/*
-- * Encode key into its hex representation
-- */
--static void crypt_encode_key(char *hex, u8 *key, unsigned int size)
--{
-- unsigned int i;
--
-- for (i = 0; i < size; i++) {
-- sprintf(hex, "%02x", *key);
-- hex += 2;
-- key++;
-- }
--}
--
- static void crypt_free_tfms(struct crypt_config *cc)
- {
- unsigned i;
-@@ -1717,11 +1703,11 @@ static int crypt_map(struct dm_target *ti, struct bio *bio)
- return DM_MAPIO_SUBMITTED;
- }
-
--static int crypt_status(struct dm_target *ti, status_type_t type,
-- unsigned status_flags, char *result, unsigned maxlen)
-+static void crypt_status(struct dm_target *ti, status_type_t type,
-+ unsigned status_flags, char *result, unsigned maxlen)
- {
- struct crypt_config *cc = ti->private;
-- unsigned int sz = 0;
-+ unsigned i, sz = 0;
-
- switch (type) {
- case STATUSTYPE_INFO:
-@@ -1731,17 +1717,11 @@ static int crypt_status(struct dm_target *ti, status_type_t type,
- case STATUSTYPE_TABLE:
- DMEMIT("%s ", cc->cipher_string);
-
-- if (cc->key_size > 0) {
-- if ((maxlen - sz) < ((cc->key_size << 1) + 1))
-- return -ENOMEM;
--
-- crypt_encode_key(result + sz, cc->key, cc->key_size);
-- sz += cc->key_size << 1;
-- } else {
-- if (sz >= maxlen)
-- return -ENOMEM;
-- result[sz++] = '-';
-- }
-+ if (cc->key_size > 0)
-+ for (i = 0; i < cc->key_size; i++)
-+ DMEMIT("%02x", cc->key[i]);
-+ else
-+ DMEMIT("-");
-
- DMEMIT(" %llu %s %llu", (unsigned long long)cc->iv_offset,
- cc->dev->name, (unsigned long long)cc->start);
-@@ -1751,7 +1731,6 @@ static int crypt_status(struct dm_target *ti, status_type_t type,
-
- break;
- }
-- return 0;
- }
-
- static void crypt_postsuspend(struct dm_target *ti)
-@@ -1845,7 +1824,7 @@ static int crypt_iterate_devices(struct dm_target *ti,
-
- static struct target_type crypt_target = {
- .name = "crypt",
-- .version = {1, 12, 0},
-+ .version = {1, 12, 1},
- .module = THIS_MODULE,
- .ctr = crypt_ctr,
- .dtr = crypt_dtr,
-diff --git a/drivers/md/dm-delay.c b/drivers/md/dm-delay.c
-index cc1bd04..c0d03b0 100644
---- a/drivers/md/dm-delay.c
-+++ b/drivers/md/dm-delay.c
-@@ -293,8 +293,8 @@ static int delay_map(struct dm_target *ti, struct bio *bio)
- return delay_bio(dc, dc->read_delay, bio);
- }
-
--static int delay_status(struct dm_target *ti, status_type_t type,
-- unsigned status_flags, char *result, unsigned maxlen)
-+static void delay_status(struct dm_target *ti, status_type_t type,
-+ unsigned status_flags, char *result, unsigned maxlen)
- {
- struct delay_c *dc = ti->private;
- int sz = 0;
-@@ -314,8 +314,6 @@ static int delay_status(struct dm_target *ti, status_type_t type,
- dc->write_delay);
- break;
- }
--
-- return 0;
- }
-
- static int delay_iterate_devices(struct dm_target *ti,
-@@ -337,7 +335,7 @@ out:
-
- static struct target_type delay_target = {
- .name = "delay",
-- .version = {1, 2, 0},
-+ .version = {1, 2, 1},
- .module = THIS_MODULE,
- .ctr = delay_ctr,
- .dtr = delay_dtr,
-diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c
-index 9721f2f..5d6c04c 100644
---- a/drivers/md/dm-flakey.c
-+++ b/drivers/md/dm-flakey.c
-@@ -337,8 +337,8 @@ static int flakey_end_io(struct dm_target *ti, struct bio *bio, int error)
- return error;
- }
-
--static int flakey_status(struct dm_target *ti, status_type_t type,
-- unsigned status_flags, char *result, unsigned maxlen)
-+static void flakey_status(struct dm_target *ti, status_type_t type,
-+ unsigned status_flags, char *result, unsigned maxlen)
- {
- unsigned sz = 0;
- struct flakey_c *fc = ti->private;
-@@ -368,7 +368,6 @@ static int flakey_status(struct dm_target *ti, status_type_t type,
-
- break;
- }
-- return 0;
- }
-
- static int flakey_ioctl(struct dm_target *ti, unsigned int cmd, unsigned long arg)
-@@ -411,7 +410,7 @@ static int flakey_iterate_devices(struct dm_target *ti, iterate_devices_callout_
-
- static struct target_type flakey_target = {
- .name = "flakey",
-- .version = {1, 3, 0},
-+ .version = {1, 3, 1},
- .module = THIS_MODULE,
- .ctr = flakey_ctr,
- .dtr = flakey_dtr,
-diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
-index 0666b5d..eee353d 100644
---- a/drivers/md/dm-ioctl.c
-+++ b/drivers/md/dm-ioctl.c
-@@ -1067,6 +1067,7 @@ static void retrieve_status(struct dm_table *table,
- num_targets = dm_table_get_num_targets(table);
- for (i = 0; i < num_targets; i++) {
- struct dm_target *ti = dm_table_get_target(table, i);
-+ size_t l;
-
- remaining = len - (outptr - outbuf);
- if (remaining <= sizeof(struct dm_target_spec)) {
-@@ -1093,14 +1094,17 @@ static void retrieve_status(struct dm_table *table,
- if (ti->type->status) {
- if (param->flags & DM_NOFLUSH_FLAG)
- status_flags |= DM_STATUS_NOFLUSH_FLAG;
-- if (ti->type->status(ti, type, status_flags, outptr, remaining)) {
-- param->flags |= DM_BUFFER_FULL_FLAG;
-- break;
-- }
-+ ti->type->status(ti, type, status_flags, outptr, remaining);
- } else
- outptr[0] = '\0';
-
-- outptr += strlen(outptr) + 1;
-+ l = strlen(outptr) + 1;
-+ if (l == remaining) {
-+ param->flags |= DM_BUFFER_FULL_FLAG;
-+ break;
-+ }
-+
-+ outptr += l;
- used = param->data_start + (outptr - outbuf);
-
- outptr = align_ptr(outptr);
-diff --git a/drivers/md/dm-linear.c b/drivers/md/dm-linear.c
-index 328cad5..5be301c 100644
---- a/drivers/md/dm-linear.c
-+++ b/drivers/md/dm-linear.c
-@@ -95,8 +95,8 @@ static int linear_map(struct dm_target *ti, struct bio *bio)
- return DM_MAPIO_REMAPPED;
- }
-
--static int linear_status(struct dm_target *ti, status_type_t type,
-- unsigned status_flags, char *result, unsigned maxlen)
-+static void linear_status(struct dm_target *ti, status_type_t type,
-+ unsigned status_flags, char *result, unsigned maxlen)
- {
- struct linear_c *lc = (struct linear_c *) ti->private;
-
-@@ -110,7 +110,6 @@ static int linear_status(struct dm_target *ti, status_type_t type,
- (unsigned long long)lc->start);
- break;
- }
-- return 0;
- }
-
- static int linear_ioctl(struct dm_target *ti, unsigned int cmd,
-@@ -155,7 +154,7 @@ static int linear_iterate_devices(struct dm_target *ti,
-
- static struct target_type linear_target = {
- .name = "linear",
-- .version = {1, 2, 0},
-+ .version = {1, 2, 1},
- .module = THIS_MODULE,
- .ctr = linear_ctr,
- .dtr = linear_dtr,
-diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
-index 573bd04..d267bb5 100644
---- a/drivers/md/dm-mpath.c
-+++ b/drivers/md/dm-mpath.c
-@@ -1378,8 +1378,8 @@ static void multipath_resume(struct dm_target *ti)
- * [priority selector-name num_ps_args [ps_args]*
- * num_paths num_selector_args [path_dev [selector_args]* ]+ ]+
- */
--static int multipath_status(struct dm_target *ti, status_type_t type,
-- unsigned status_flags, char *result, unsigned maxlen)
-+static void multipath_status(struct dm_target *ti, status_type_t type,
-+ unsigned status_flags, char *result, unsigned maxlen)
- {
- int sz = 0;
- unsigned long flags;
-@@ -1485,8 +1485,6 @@ static int multipath_status(struct dm_target *ti, status_type_t type,
- }
-
- spin_unlock_irqrestore(&m->lock, flags);
--
-- return 0;
- }
-
- static int multipath_message(struct dm_target *ti, unsigned argc, char **argv)
-@@ -1695,7 +1693,7 @@ out:
- *---------------------------------------------------------------*/
- static struct target_type multipath_target = {
- .name = "multipath",
-- .version = {1, 5, 0},
-+ .version = {1, 5, 1},
- .module = THIS_MODULE,
- .ctr = multipath_ctr,
- .dtr = multipath_dtr,
-diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
-index 9e58dbd..5a578d8 100644
---- a/drivers/md/dm-raid.c
-+++ b/drivers/md/dm-raid.c
-@@ -1201,8 +1201,8 @@ static int raid_map(struct dm_target *ti, struct bio *bio)
- return DM_MAPIO_SUBMITTED;
- }
-
--static int raid_status(struct dm_target *ti, status_type_t type,
-- unsigned status_flags, char *result, unsigned maxlen)
-+static void raid_status(struct dm_target *ti, status_type_t type,
-+ unsigned status_flags, char *result, unsigned maxlen)
- {
- struct raid_set *rs = ti->private;
- unsigned raid_param_cnt = 1; /* at least 1 for chunksize */
-@@ -1344,8 +1344,6 @@ static int raid_status(struct dm_target *ti, status_type_t type,
- DMEMIT(" -");
- }
- }
--
-- return 0;
- }
-
- static int raid_iterate_devices(struct dm_target *ti, iterate_devices_callout_fn fn, void *data)
-@@ -1405,7 +1403,7 @@ static void raid_resume(struct dm_target *ti)
-
- static struct target_type raid_target = {
- .name = "raid",
-- .version = {1, 4, 1},
-+ .version = {1, 4, 2},
- .module = THIS_MODULE,
- .ctr = raid_ctr,
- .dtr = raid_dtr,
-diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c
-index fa51918..7f24190 100644
---- a/drivers/md/dm-raid1.c
-+++ b/drivers/md/dm-raid1.c
-@@ -1347,8 +1347,8 @@ static char device_status_char(struct mirror *m)
- }
-
-
--static int mirror_status(struct dm_target *ti, status_type_t type,
-- unsigned status_flags, char *result, unsigned maxlen)
-+static void mirror_status(struct dm_target *ti, status_type_t type,
-+ unsigned status_flags, char *result, unsigned maxlen)
- {
- unsigned int m, sz = 0;
- struct mirror_set *ms = (struct mirror_set *) ti->private;
-@@ -1383,8 +1383,6 @@ static int mirror_status(struct dm_target *ti, status_type_t type,
- if (ms->features & DM_RAID1_HANDLE_ERRORS)
- DMEMIT(" 1 handle_errors");
- }
--
-- return 0;
- }
-
- static int mirror_iterate_devices(struct dm_target *ti,
-@@ -1403,7 +1401,7 @@ static int mirror_iterate_devices(struct dm_target *ti,
-
- static struct target_type mirror_target = {
- .name = "mirror",
-- .version = {1, 13, 1},
-+ .version = {1, 13, 2},
- .module = THIS_MODULE,
- .ctr = mirror_ctr,
- .dtr = mirror_dtr,
-diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c
-index 59fc18a..df74f9f 100644
---- a/drivers/md/dm-snap.c
-+++ b/drivers/md/dm-snap.c
-@@ -1837,8 +1837,8 @@ static void snapshot_merge_resume(struct dm_target *ti)
- start_merge(s);
- }
-
--static int snapshot_status(struct dm_target *ti, status_type_t type,
-- unsigned status_flags, char *result, unsigned maxlen)
-+static void snapshot_status(struct dm_target *ti, status_type_t type,
-+ unsigned status_flags, char *result, unsigned maxlen)
- {
- unsigned sz = 0;
- struct dm_snapshot *snap = ti->private;
-@@ -1884,8 +1884,6 @@ static int snapshot_status(struct dm_target *ti, status_type_t type,
- maxlen - sz);
- break;
- }
--
-- return 0;
- }
-
- static int snapshot_iterate_devices(struct dm_target *ti,
-@@ -2139,8 +2137,8 @@ static void origin_resume(struct dm_target *ti)
- ti->max_io_len = get_origin_minimum_chunksize(dev->bdev);
- }
-
--static int origin_status(struct dm_target *ti, status_type_t type,
-- unsigned status_flags, char *result, unsigned maxlen)
-+static void origin_status(struct dm_target *ti, status_type_t type,
-+ unsigned status_flags, char *result, unsigned maxlen)
- {
- struct dm_dev *dev = ti->private;
-
-@@ -2153,8 +2151,6 @@ static int origin_status(struct dm_target *ti, status_type_t type,
- snprintf(result, maxlen, "%s", dev->name);
- break;
- }
--
-- return 0;
- }
-
- static int origin_merge(struct dm_target *ti, struct bvec_merge_data *bvm,
-@@ -2181,7 +2177,7 @@ static int origin_iterate_devices(struct dm_target *ti,
-
- static struct target_type origin_target = {
- .name = "snapshot-origin",
-- .version = {1, 8, 0},
-+ .version = {1, 8, 1},
- .module = THIS_MODULE,
- .ctr = origin_ctr,
- .dtr = origin_dtr,
-@@ -2194,7 +2190,7 @@ static struct target_type origin_target = {
-
- static struct target_type snapshot_target = {
- .name = "snapshot",
-- .version = {1, 11, 0},
-+ .version = {1, 11, 1},
- .module = THIS_MODULE,
- .ctr = snapshot_ctr,
- .dtr = snapshot_dtr,
-@@ -2307,3 +2303,5 @@ module_exit(dm_snapshot_exit);
- MODULE_DESCRIPTION(DM_NAME " snapshot target");
- MODULE_AUTHOR("Joe Thornber");
- MODULE_LICENSE("GPL");
-+MODULE_ALIAS("dm-snapshot-origin");
-+MODULE_ALIAS("dm-snapshot-merge");
-diff --git a/drivers/md/dm-stripe.c b/drivers/md/dm-stripe.c
-index c89cde8..aaecefa 100644
---- a/drivers/md/dm-stripe.c
-+++ b/drivers/md/dm-stripe.c
-@@ -312,8 +312,8 @@ static int stripe_map(struct dm_target *ti, struct bio *bio)
- *
- */
-
--static int stripe_status(struct dm_target *ti, status_type_t type,
-- unsigned status_flags, char *result, unsigned maxlen)
-+static void stripe_status(struct dm_target *ti, status_type_t type,
-+ unsigned status_flags, char *result, unsigned maxlen)
- {
- struct stripe_c *sc = (struct stripe_c *) ti->private;
- char buffer[sc->stripes + 1];
-@@ -340,7 +340,6 @@ static int stripe_status(struct dm_target *ti, status_type_t type,
- (unsigned long long)sc->stripe[i].physical_start);
- break;
- }
-- return 0;
- }
-
- static int stripe_end_io(struct dm_target *ti, struct bio *bio, int error)
-@@ -428,7 +427,7 @@ static int stripe_merge(struct dm_target *ti, struct bvec_merge_data *bvm,
-
- static struct target_type stripe_target = {
- .name = "striped",
-- .version = {1, 5, 0},
-+ .version = {1, 5, 1},
- .module = THIS_MODULE,
- .ctr = stripe_ctr,
- .dtr = stripe_dtr,
-diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c
-index 5409607..7a66d73 100644
---- a/drivers/md/dm-thin.c
-+++ b/drivers/md/dm-thin.c
-@@ -2299,8 +2299,8 @@ static void emit_flags(struct pool_features *pf, char *result,
- * <transaction id> <used metadata sectors>/<total metadata sectors>
- * <used data sectors>/<total data sectors> <held metadata root>
- */
--static int pool_status(struct dm_target *ti, status_type_t type,
-- unsigned status_flags, char *result, unsigned maxlen)
-+static void pool_status(struct dm_target *ti, status_type_t type,
-+ unsigned status_flags, char *result, unsigned maxlen)
- {
- int r;
- unsigned sz = 0;
-@@ -2326,32 +2326,41 @@ static int pool_status(struct dm_target *ti, status_type_t type,
- if (!(status_flags & DM_STATUS_NOFLUSH_FLAG) && !dm_suspended(ti))
- (void) commit_or_fallback(pool);
-
-- r = dm_pool_get_metadata_transaction_id(pool->pmd,
-- &transaction_id);
-- if (r)
-- return r;
-+ r = dm_pool_get_metadata_transaction_id(pool->pmd, &transaction_id);
-+ if (r) {
-+ DMERR("dm_pool_get_metadata_transaction_id returned %d", r);
-+ goto err;
-+ }
-
-- r = dm_pool_get_free_metadata_block_count(pool->pmd,
-- &nr_free_blocks_metadata);
-- if (r)
-- return r;
-+ r = dm_pool_get_free_metadata_block_count(pool->pmd, &nr_free_blocks_metadata);
-+ if (r) {
-+ DMERR("dm_pool_get_free_metadata_block_count returned %d", r);
-+ goto err;
-+ }
-
- r = dm_pool_get_metadata_dev_size(pool->pmd, &nr_blocks_metadata);
-- if (r)
-- return r;
-+ if (r) {
-+ DMERR("dm_pool_get_metadata_dev_size returned %d", r);
-+ goto err;
-+ }
-
-- r = dm_pool_get_free_block_count(pool->pmd,
-- &nr_free_blocks_data);
-- if (r)
-- return r;
-+ r = dm_pool_get_free_block_count(pool->pmd, &nr_free_blocks_data);
-+ if (r) {
-+ DMERR("dm_pool_get_free_block_count returned %d", r);
-+ goto err;
-+ }
-
- r = dm_pool_get_data_dev_size(pool->pmd, &nr_blocks_data);
-- if (r)
-- return r;
-+ if (r) {
-+ DMERR("dm_pool_get_data_dev_size returned %d", r);
-+ goto err;
-+ }
-
- r = dm_pool_get_metadata_snap(pool->pmd, &held_root);
-- if (r)
-- return r;
-+ if (r) {
-+ DMERR("dm_pool_get_metadata_snap returned %d", r);
-+ goto err;
-+ }
-
- DMEMIT("%llu %llu/%llu %llu/%llu ",
- (unsigned long long)transaction_id,
-@@ -2388,8 +2397,10 @@ static int pool_status(struct dm_target *ti, status_type_t type,
- emit_flags(&pt->requested_pf, result, sz, maxlen);
- break;
- }
-+ return;
-
-- return 0;
-+err:
-+ DMEMIT("Error");
- }
-
- static int pool_iterate_devices(struct dm_target *ti,
-@@ -2468,7 +2479,7 @@ static struct target_type pool_target = {
- .name = "thin-pool",
- .features = DM_TARGET_SINGLETON | DM_TARGET_ALWAYS_WRITEABLE |
- DM_TARGET_IMMUTABLE,
-- .version = {1, 6, 0},
-+ .version = {1, 6, 1},
- .module = THIS_MODULE,
- .ctr = pool_ctr,
- .dtr = pool_dtr,
-@@ -2676,8 +2687,8 @@ static void thin_postsuspend(struct dm_target *ti)
- /*
- * <nr mapped sectors> <highest mapped sector>
- */
--static int thin_status(struct dm_target *ti, status_type_t type,
-- unsigned status_flags, char *result, unsigned maxlen)
-+static void thin_status(struct dm_target *ti, status_type_t type,
-+ unsigned status_flags, char *result, unsigned maxlen)
- {
- int r;
- ssize_t sz = 0;
-@@ -2687,7 +2698,7 @@ static int thin_status(struct dm_target *ti, status_type_t type,
-
- if (get_pool_mode(tc->pool) == PM_FAIL) {
- DMEMIT("Fail");
-- return 0;
-+ return;
- }
-
- if (!tc->td)
-@@ -2696,12 +2707,16 @@ static int thin_status(struct dm_target *ti, status_type_t type,
- switch (type) {
- case STATUSTYPE_INFO:
- r = dm_thin_get_mapped_count(tc->td, &mapped);
-- if (r)
-- return r;
-+ if (r) {
-+ DMERR("dm_thin_get_mapped_count returned %d", r);
-+ goto err;
-+ }
-
- r = dm_thin_get_highest_mapped_block(tc->td, &highest);
-- if (r < 0)
-- return r;
-+ if (r < 0) {
-+ DMERR("dm_thin_get_highest_mapped_block returned %d", r);
-+ goto err;
-+ }
-
- DMEMIT("%llu ", mapped * tc->pool->sectors_per_block);
- if (r)
-@@ -2721,7 +2736,10 @@ static int thin_status(struct dm_target *ti, status_type_t type,
- }
- }
-
-- return 0;
-+ return;
-+
-+err:
-+ DMEMIT("Error");
- }
-
- static int thin_iterate_devices(struct dm_target *ti,
-@@ -2748,7 +2766,7 @@ static int thin_iterate_devices(struct dm_target *ti,
-
- static struct target_type thin_target = {
- .name = "thin",
-- .version = {1, 7, 0},
-+ .version = {1, 7, 1},
- .module = THIS_MODULE,
- .ctr = thin_ctr,
- .dtr = thin_dtr,
-diff --git a/drivers/md/dm-verity.c b/drivers/md/dm-verity.c
-index 52cde98..6ad5383 100644
---- a/drivers/md/dm-verity.c
-+++ b/drivers/md/dm-verity.c
-@@ -508,8 +508,8 @@ static int verity_map(struct dm_target *ti, struct bio *bio)
- /*
- * Status: V (valid) or C (corruption found)
- */
--static int verity_status(struct dm_target *ti, status_type_t type,
-- unsigned status_flags, char *result, unsigned maxlen)
-+static void verity_status(struct dm_target *ti, status_type_t type,
-+ unsigned status_flags, char *result, unsigned maxlen)
- {
- struct dm_verity *v = ti->private;
- unsigned sz = 0;
-@@ -540,8 +540,6 @@ static int verity_status(struct dm_target *ti, status_type_t type,
- DMEMIT("%02x", v->salt[x]);
- break;
- }
--
-- return 0;
- }
-
- static int verity_ioctl(struct dm_target *ti, unsigned cmd,
-@@ -860,7 +858,7 @@ bad:
-
- static struct target_type verity_target = {
- .name = "verity",
-- .version = {1, 1, 0},
-+ .version = {1, 1, 1},
- .module = THIS_MODULE,
- .ctr = verity_ctr,
- .dtr = verity_dtr,
-diff --git a/drivers/md/dm.c b/drivers/md/dm.c
-index 314a0e2..0d8f086 100644
---- a/drivers/md/dm.c
-+++ b/drivers/md/dm.c
-@@ -1973,15 +1973,27 @@ static void __bind_mempools(struct mapped_device *md, struct dm_table *t)
- {
- struct dm_md_mempools *p = dm_table_get_md_mempools(t);
-
-- if (md->io_pool && (md->tio_pool || dm_table_get_type(t) == DM_TYPE_BIO_BASED) && md->bs) {
-- /*
-- * The md already has necessary mempools. Reload just the
-- * bioset because front_pad may have changed because
-- * a different table was loaded.
-- */
-- bioset_free(md->bs);
-- md->bs = p->bs;
-- p->bs = NULL;
-+ if (md->io_pool && md->bs) {
-+ /* The md already has necessary mempools. */
-+ if (dm_table_get_type(t) == DM_TYPE_BIO_BASED) {
-+ /*
-+ * Reload bioset because front_pad may have changed
-+ * because a different table was loaded.
-+ */
-+ bioset_free(md->bs);
-+ md->bs = p->bs;
-+ p->bs = NULL;
-+ } else if (dm_table_get_type(t) == DM_TYPE_REQUEST_BASED) {
-+ BUG_ON(!md->tio_pool);
-+ /*
-+ * There's no need to reload with request-based dm
-+ * because the size of front_pad doesn't change.
-+ * Note for future: If you are to reload bioset,
-+ * prep-ed requests in the queue may refer
-+ * to bio from the old bioset, so you must walk
-+ * through the queue to unprep.
-+ */
-+ }
- goto out;
- }
-
-@@ -2421,7 +2433,7 @@ static void dm_queue_flush(struct mapped_device *md)
- */
- struct dm_table *dm_swap_table(struct mapped_device *md, struct dm_table *table)
- {
-- struct dm_table *live_map, *map = ERR_PTR(-EINVAL);
-+ struct dm_table *live_map = NULL, *map = ERR_PTR(-EINVAL);
- struct queue_limits limits;
- int r;
-
-@@ -2444,10 +2456,12 @@ struct dm_table *dm_swap_table(struct mapped_device *md, struct dm_table *table)
- dm_table_put(live_map);
- }
-
-- r = dm_calculate_queue_limits(table, &limits);
-- if (r) {
-- map = ERR_PTR(r);
-- goto out;
-+ if (!live_map) {
-+ r = dm_calculate_queue_limits(table, &limits);
-+ if (r) {
-+ map = ERR_PTR(r);
-+ goto out;
-+ }
- }
-
- map = __bind(md, table, &limits);
-diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 3db3d1b..f363135 100644
---- a/drivers/md/md.c
-+++ b/drivers/md/md.c
-@@ -307,6 +307,10 @@ static void md_make_request(struct request_queue *q, struct bio *bio)
- bio_io_error(bio);
- return;
- }
-+ if (mddev->ro == 1 && unlikely(rw == WRITE)) {
-+ bio_endio(bio, bio_sectors(bio) == 0 ? 0 : -EROFS);
-+ return;
-+ }
- smp_rmb(); /* Ensure implications of 'active' are visible */
- rcu_read_lock();
- if (mddev->suspended) {
-@@ -2994,6 +2998,9 @@ rdev_size_store(struct md_rdev *rdev, const char *buf, size_t len)
- } else if (!sectors)
- sectors = (i_size_read(rdev->bdev->bd_inode) >> 9) -
- rdev->data_offset;
-+ if (!my_mddev->pers->resize)
-+ /* Cannot change size for RAID0 or Linear etc */
-+ return -EINVAL;
- }
- if (sectors < my_mddev->dev_sectors)
- return -EINVAL; /* component must fit device */
-diff --git a/drivers/md/raid0.c b/drivers/md/raid0.c
-index 24b3597..d9babda 100644
---- a/drivers/md/raid0.c
-+++ b/drivers/md/raid0.c
-@@ -289,7 +289,7 @@ abort:
- kfree(conf->strip_zone);
- kfree(conf->devlist);
- kfree(conf);
-- *private_conf = NULL;
-+ *private_conf = ERR_PTR(err);
- return err;
- }
-
-@@ -411,7 +411,8 @@ static sector_t raid0_size(struct mddev *mddev, sector_t sectors, int raid_disks
- "%s does not support generic reshape\n", __func__);
-
- rdev_for_each(rdev, mddev)
-- array_sectors += rdev->sectors;
-+ array_sectors += (rdev->sectors &
-+ ~(sector_t)(mddev->chunk_sectors-1));
-
- return array_sectors;
- }
-diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
-index d5bddfc..75b1f89 100644
---- a/drivers/md/raid1.c
-+++ b/drivers/md/raid1.c
-@@ -967,6 +967,7 @@ static void raid1_unplug(struct blk_plug_cb *cb, bool from_schedule)
- bio_list_merge(&conf->pending_bio_list, &plug->pending);
- conf->pending_count += plug->pending_cnt;
- spin_unlock_irq(&conf->device_lock);
-+ wake_up(&conf->wait_barrier);
- md_wakeup_thread(mddev->thread);
- kfree(plug);
- return;
-diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
-index 64d4824..8d925dc 100644
---- a/drivers/md/raid10.c
-+++ b/drivers/md/raid10.c
-@@ -1073,6 +1073,7 @@ static void raid10_unplug(struct blk_plug_cb *cb, bool from_schedule)
- bio_list_merge(&conf->pending_bio_list, &plug->pending);
- conf->pending_count += plug->pending_cnt;
- spin_unlock_irq(&conf->device_lock);
-+ wake_up(&conf->wait_barrier);
- md_wakeup_thread(mddev->thread);
- kfree(plug);
- return;
-diff --git a/drivers/memstick/host/rtsx_pci_ms.c b/drivers/memstick/host/rtsx_pci_ms.c
-index f5ddb82..64a779c 100644
---- a/drivers/memstick/host/rtsx_pci_ms.c
-+++ b/drivers/memstick/host/rtsx_pci_ms.c
-@@ -426,6 +426,9 @@ static void rtsx_pci_ms_request(struct memstick_host *msh)
-
- dev_dbg(ms_dev(host), "--> %s\n", __func__);
-
-+ if (rtsx_pci_card_exclusive_check(host->pcr, RTSX_MS_CARD))
-+ return;
-+
- schedule_work(&host->handle_req);
- }
-
-@@ -441,6 +444,10 @@ static int rtsx_pci_ms_set_param(struct memstick_host *msh,
- dev_dbg(ms_dev(host), "%s: param = %d, value = %d\n",
- __func__, param, value);
-
-+ err = rtsx_pci_card_exclusive_check(host->pcr, RTSX_MS_CARD);
-+ if (err)
-+ return err;
-+
- switch (param) {
- case MEMSTICK_POWER:
- if (value == MEMSTICK_POWER_ON)
-diff --git a/drivers/mfd/rtsx_pcr.c b/drivers/mfd/rtsx_pcr.c
-index 9fc5700..1e2d120 100644
---- a/drivers/mfd/rtsx_pcr.c
-+++ b/drivers/mfd/rtsx_pcr.c
-@@ -713,6 +713,25 @@ int rtsx_pci_card_power_off(struct rtsx_pcr *pcr, int card)
- }
- EXPORT_SYMBOL_GPL(rtsx_pci_card_power_off);
-
-+int rtsx_pci_card_exclusive_check(struct rtsx_pcr *pcr, int card)
-+{
-+ unsigned int cd_mask[] = {
-+ [RTSX_SD_CARD] = SD_EXIST,
-+ [RTSX_MS_CARD] = MS_EXIST
-+ };
-+
-+ if (!pcr->ms_pmos) {
-+ /* When using single PMOS, accessing card is not permitted
-+ * if the existing card is not the designated one.
-+ */
-+ if (pcr->card_exist & (~cd_mask[card]))
-+ return -EIO;
-+ }
-+
-+ return 0;
-+}
-+EXPORT_SYMBOL_GPL(rtsx_pci_card_exclusive_check);
-+
- int rtsx_pci_switch_output_voltage(struct rtsx_pcr *pcr, u8 voltage)
- {
- if (pcr->ops->switch_output_voltage)
-@@ -758,7 +777,7 @@ static void rtsx_pci_card_detect(struct work_struct *work)
- struct delayed_work *dwork;
- struct rtsx_pcr *pcr;
- unsigned long flags;
-- unsigned int card_detect = 0;
-+ unsigned int card_detect = 0, card_inserted, card_removed;
- u32 irq_status;
-
- dwork = to_delayed_work(work);
-@@ -766,25 +785,35 @@ static void rtsx_pci_card_detect(struct work_struct *work)
-
- dev_dbg(&(pcr->pci->dev), "--> %s\n", __func__);
-
-+ mutex_lock(&pcr->pcr_mutex);
- spin_lock_irqsave(&pcr->lock, flags);
-
- irq_status = rtsx_pci_readl(pcr, RTSX_BIPR);
- dev_dbg(&(pcr->pci->dev), "irq_status: 0x%08x\n", irq_status);
-
-- if (pcr->card_inserted || pcr->card_removed) {
-+ irq_status &= CARD_EXIST;
-+ card_inserted = pcr->card_inserted & irq_status;
-+ card_removed = pcr->card_removed;
-+ pcr->card_inserted = 0;
-+ pcr->card_removed = 0;
-+
-+ spin_unlock_irqrestore(&pcr->lock, flags);
-+
-+ if (card_inserted || card_removed) {
- dev_dbg(&(pcr->pci->dev),
- "card_inserted: 0x%x, card_removed: 0x%x\n",
-- pcr->card_inserted, pcr->card_removed);
-+ card_inserted, card_removed);
-
- if (pcr->ops->cd_deglitch)
-- pcr->card_inserted = pcr->ops->cd_deglitch(pcr);
-+ card_inserted = pcr->ops->cd_deglitch(pcr);
-+
-+ card_detect = card_inserted | card_removed;
-
-- card_detect = pcr->card_inserted | pcr->card_removed;
-- pcr->card_inserted = 0;
-- pcr->card_removed = 0;
-+ pcr->card_exist |= card_inserted;
-+ pcr->card_exist &= ~card_removed;
- }
-
-- spin_unlock_irqrestore(&pcr->lock, flags);
-+ mutex_unlock(&pcr->pcr_mutex);
-
- if ((card_detect & SD_EXIST) && pcr->slots[RTSX_SD_CARD].card_event)
- pcr->slots[RTSX_SD_CARD].card_event(
-@@ -836,10 +865,6 @@ static irqreturn_t rtsx_pci_isr(int irq, void *dev_id)
- }
- }
-
-- if (pcr->card_inserted || pcr->card_removed)
-- schedule_delayed_work(&pcr->carddet_work,
-- msecs_to_jiffies(200));
--
- if (int_reg & (NEED_COMPLETE_INT | DELINK_INT)) {
- if (int_reg & (TRANS_FAIL_INT | DELINK_INT)) {
- pcr->trans_result = TRANS_RESULT_FAIL;
-@@ -852,6 +877,10 @@ static irqreturn_t rtsx_pci_isr(int irq, void *dev_id)
- }
- }
-
-+ if (pcr->card_inserted || pcr->card_removed)
-+ schedule_delayed_work(&pcr->carddet_work,
-+ msecs_to_jiffies(200));
-+
- spin_unlock(&pcr->lock);
- return IRQ_HANDLED;
- }
-@@ -974,6 +1003,14 @@ static int rtsx_pci_init_hw(struct rtsx_pcr *pcr)
- return err;
- }
-
-+ /* No CD interrupt if probing driver with card inserted.
-+ * So we need to initialize pcr->card_exist here.
-+ */
-+ if (pcr->ops->cd_deglitch)
-+ pcr->card_exist = pcr->ops->cd_deglitch(pcr);
-+ else
-+ pcr->card_exist = rtsx_pci_readl(pcr, RTSX_BIPR) & CARD_EXIST;
-+
- return 0;
- }
-
-diff --git a/drivers/mmc/host/rtsx_pci_sdmmc.c b/drivers/mmc/host/rtsx_pci_sdmmc.c
-index f74b5ad..468c923 100644
---- a/drivers/mmc/host/rtsx_pci_sdmmc.c
-+++ b/drivers/mmc/host/rtsx_pci_sdmmc.c
-@@ -678,12 +678,19 @@ static void sdmmc_request(struct mmc_host *mmc, struct mmc_request *mrq)
- struct mmc_command *cmd = mrq->cmd;
- struct mmc_data *data = mrq->data;
- unsigned int data_size = 0;
-+ int err;
-
- if (host->eject) {
- cmd->error = -ENOMEDIUM;
- goto finish;
- }
-
-+ err = rtsx_pci_card_exclusive_check(host->pcr, RTSX_SD_CARD);
-+ if (err) {
-+ cmd->error = err;
-+ goto finish;
-+ }
-+
- mutex_lock(&pcr->pcr_mutex);
-
- rtsx_pci_start_run(pcr);
-@@ -901,6 +908,9 @@ static void sdmmc_set_ios(struct mmc_host *mmc, struct mmc_ios *ios)
- if (host->eject)
- return;
-
-+ if (rtsx_pci_card_exclusive_check(host->pcr, RTSX_SD_CARD))
-+ return;
-+
- mutex_lock(&pcr->pcr_mutex);
-
- rtsx_pci_start_run(pcr);
-@@ -1073,6 +1083,10 @@ static int sdmmc_switch_voltage(struct mmc_host *mmc, struct mmc_ios *ios)
- if (host->eject)
- return -ENOMEDIUM;
-
-+ err = rtsx_pci_card_exclusive_check(host->pcr, RTSX_SD_CARD);
-+ if (err)
-+ return err;
-+
- mutex_lock(&pcr->pcr_mutex);
-
- rtsx_pci_start_run(pcr);
-@@ -1122,6 +1136,10 @@ static int sdmmc_execute_tuning(struct mmc_host *mmc, u32 opcode)
- if (host->eject)
- return -ENOMEDIUM;
-
-+ err = rtsx_pci_card_exclusive_check(host->pcr, RTSX_SD_CARD);
-+ if (err)
-+ return err;
-+
- mutex_lock(&pcr->pcr_mutex);
-
- rtsx_pci_start_run(pcr);
-diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
-index bdb0869..f0b38fa 100644
---- a/drivers/net/ethernet/broadcom/tg3.c
-+++ b/drivers/net/ethernet/broadcom/tg3.c
-@@ -1843,6 +1843,8 @@ static void tg3_link_report(struct tg3 *tp)
-
- tg3_ump_link_report(tp);
- }
-+
-+ tp->link_up = netif_carrier_ok(tp->dev);
- }
-
- static u16 tg3_advert_flowctrl_1000X(u8 flow_ctrl)
-@@ -2496,12 +2498,6 @@ static int tg3_phy_reset_5703_4_5(struct tg3 *tp)
- return err;
- }
-
--static void tg3_carrier_on(struct tg3 *tp)
--{
-- netif_carrier_on(tp->dev);
-- tp->link_up = true;
--}
--
- static void tg3_carrier_off(struct tg3 *tp)
- {
- netif_carrier_off(tp->dev);
-@@ -2527,7 +2523,7 @@ static int tg3_phy_reset(struct tg3 *tp)
- return -EBUSY;
-
- if (netif_running(tp->dev) && tp->link_up) {
-- tg3_carrier_off(tp);
-+ netif_carrier_off(tp->dev);
- tg3_link_report(tp);
- }
-
-@@ -4225,9 +4221,9 @@ static bool tg3_test_and_report_link_chg(struct tg3 *tp, int curr_link_up)
- {
- if (curr_link_up != tp->link_up) {
- if (curr_link_up) {
-- tg3_carrier_on(tp);
-+ netif_carrier_on(tp->dev);
- } else {
-- tg3_carrier_off(tp);
-+ netif_carrier_off(tp->dev);
- if (tp->phy_flags & TG3_PHYFLG_MII_SERDES)
- tp->phy_flags &= ~TG3_PHYFLG_PARALLEL_DETECT;
- }
-diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
-index 643c883..1f93880 100644
---- a/drivers/net/ethernet/intel/e1000e/netdev.c
-+++ b/drivers/net/ethernet/intel/e1000e/netdev.c
-@@ -5549,7 +5549,7 @@ static int __e1000_shutdown(struct pci_dev *pdev, bool *enable_wake,
- */
- e1000e_release_hw_control(adapter);
-
-- pci_disable_device(pdev);
-+ pci_clear_master(pdev);
-
- return 0;
- }
-diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
-index 9b73670..6214181 100644
---- a/drivers/net/usb/smsc95xx.c
-+++ b/drivers/net/usb/smsc95xx.c
-@@ -1340,6 +1340,8 @@ static int smsc95xx_enter_suspend0(struct usbnet *dev)
- ret = smsc95xx_read_reg_nopm(dev, PM_CTRL, &val);
- if (ret < 0)
- netdev_warn(dev->net, "Error reading PM_CTRL\n");
-+ else
-+ ret = 0;
-
- return ret;
- }
-@@ -1392,6 +1394,8 @@ static int smsc95xx_enter_suspend1(struct usbnet *dev)
- ret = smsc95xx_write_reg_nopm(dev, PM_CTRL, val);
- if (ret < 0)
- netdev_warn(dev->net, "Error writing PM_CTRL\n");
-+ else
-+ ret = 0;
-
- return ret;
- }
-@@ -1413,6 +1417,8 @@ static int smsc95xx_enter_suspend2(struct usbnet *dev)
- ret = smsc95xx_write_reg_nopm(dev, PM_CTRL, val);
- if (ret < 0)
- netdev_warn(dev->net, "Error writing PM_CTRL\n");
-+ else
-+ ret = 0;
-
- return ret;
- }
-diff --git a/drivers/net/wireless/ath/ath9k/common.h b/drivers/net/wireless/ath/ath9k/common.h
-index 5f845be..050ca4a 100644
---- a/drivers/net/wireless/ath/ath9k/common.h
-+++ b/drivers/net/wireless/ath/ath9k/common.h
-@@ -27,7 +27,7 @@
- #define WME_MAX_BA WME_BA_BMP_SIZE
- #define ATH_TID_MAX_BUFS (2 * WME_MAX_BA)
-
--#define ATH_RSSI_DUMMY_MARKER 0x127
-+#define ATH_RSSI_DUMMY_MARKER 127
- #define ATH_RSSI_LPF_LEN 10
- #define RSSI_LPF_THRESHOLD -20
- #define ATH_RSSI_EP_MULTIPLIER (1<<7)
-diff --git a/drivers/net/wireless/ath/ath9k/htc.h b/drivers/net/wireless/ath/ath9k/htc.h
-index 96bfb18..d3b099d 100644
---- a/drivers/net/wireless/ath/ath9k/htc.h
-+++ b/drivers/net/wireless/ath/ath9k/htc.h
-@@ -22,6 +22,7 @@
- #include <linux/firmware.h>
- #include <linux/skbuff.h>
- #include <linux/netdevice.h>
-+#include <linux/etherdevice.h>
- #include <linux/leds.h>
- #include <linux/slab.h>
- #include <net/mac80211.h>
-diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
-index b6a5a08..8788621 100644
---- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
-+++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
-@@ -1067,15 +1067,19 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv,
-
- last_rssi = priv->rx.last_rssi;
-
-- if (likely(last_rssi != ATH_RSSI_DUMMY_MARKER))
-- rxbuf->rxstatus.rs_rssi = ATH_EP_RND(last_rssi,
-- ATH_RSSI_EP_MULTIPLIER);
-+ if (ieee80211_is_beacon(hdr->frame_control) &&
-+ !is_zero_ether_addr(common->curbssid) &&
-+ ether_addr_equal(hdr->addr3, common->curbssid)) {
-+ s8 rssi = rxbuf->rxstatus.rs_rssi;
-
-- if (rxbuf->rxstatus.rs_rssi < 0)
-- rxbuf->rxstatus.rs_rssi = 0;
-+ if (likely(last_rssi != ATH_RSSI_DUMMY_MARKER))
-+ rssi = ATH_EP_RND(last_rssi, ATH_RSSI_EP_MULTIPLIER);
-
-- if (ieee80211_is_beacon(fc))
-- priv->ah->stats.avgbrssi = rxbuf->rxstatus.rs_rssi;
-+ if (rssi < 0)
-+ rssi = 0;
-+
-+ priv->ah->stats.avgbrssi = rssi;
-+ }
-
- rx_status->mactime = be64_to_cpu(rxbuf->rxstatus.rs_tstamp);
- rx_status->band = hw->conf.channel->band;
-diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c
-index 7cb7870..e26f92d 100644
---- a/drivers/net/wireless/ath/ath9k/hw.c
-+++ b/drivers/net/wireless/ath/ath9k/hw.c
-@@ -1480,7 +1480,9 @@ static bool ath9k_hw_chip_reset(struct ath_hw *ah,
- reset_type = ATH9K_RESET_POWER_ON;
- else
- reset_type = ATH9K_RESET_COLD;
-- }
-+ } else if (ah->chip_fullsleep || REG_READ(ah, AR_Q_TXE) ||
-+ (REG_READ(ah, AR_CR) & AR_CR_RXE))
-+ reset_type = ATH9K_RESET_COLD;
-
- if (!ath9k_hw_set_reset_reg(ah, reset_type))
- return false;
-diff --git a/drivers/net/wireless/iwlwifi/iwl-devtrace.h b/drivers/net/wireless/iwlwifi/iwl-devtrace.h
-index dc7e26b..c85eb37 100644
---- a/drivers/net/wireless/iwlwifi/iwl-devtrace.h
-+++ b/drivers/net/wireless/iwlwifi/iwl-devtrace.h
-@@ -349,25 +349,23 @@ TRACE_EVENT(iwlwifi_dev_rx_data,
- TRACE_EVENT(iwlwifi_dev_hcmd,
- TP_PROTO(const struct device *dev,
- struct iwl_host_cmd *cmd, u16 total_size,
-- const void *hdr, size_t hdr_len),
-- TP_ARGS(dev, cmd, total_size, hdr, hdr_len),
-+ struct iwl_cmd_header *hdr),
-+ TP_ARGS(dev, cmd, total_size, hdr),
- TP_STRUCT__entry(
- DEV_ENTRY
- __dynamic_array(u8, hcmd, total_size)
- __field(u32, flags)
- ),
- TP_fast_assign(
-- int i, offset = hdr_len;
-+ int i, offset = sizeof(*hdr);
-
- DEV_ASSIGN;
- __entry->flags = cmd->flags;
-- memcpy(__get_dynamic_array(hcmd), hdr, hdr_len);
-+ memcpy(__get_dynamic_array(hcmd), hdr, sizeof(*hdr));
-
- for (i = 0; i < IWL_MAX_CMD_TFDS; i++) {
- if (!cmd->len[i])
- continue;
-- if (!(cmd->dataflags[i] & IWL_HCMD_DFL_NOCOPY))
-- continue;
- memcpy((u8 *)__get_dynamic_array(hcmd) + offset,
- cmd->data[i], cmd->len[i]);
- offset += cmd->len[i];
-diff --git a/drivers/net/wireless/iwlwifi/pcie/internal.h b/drivers/net/wireless/iwlwifi/pcie/internal.h
-index d91d2e8..bc5e9ec 100644
---- a/drivers/net/wireless/iwlwifi/pcie/internal.h
-+++ b/drivers/net/wireless/iwlwifi/pcie/internal.h
-@@ -182,6 +182,15 @@ struct iwl_queue {
- #define TFD_TX_CMD_SLOTS 256
- #define TFD_CMD_SLOTS 32
-
-+/*
-+ * The FH will write back to the first TB only, so we need
-+ * to copy some data into the buffer regardless of whether
-+ * it should be mapped or not. This indicates how much to
-+ * copy, even for HCMDs it must be big enough to fit the
-+ * DRAM scratch from the TX cmd, at least 16 bytes.
-+ */
-+#define IWL_HCMD_MIN_COPY_SIZE 16
-+
- struct iwl_pcie_txq_entry {
- struct iwl_device_cmd *cmd;
- struct iwl_device_cmd *copy_cmd;
-diff --git a/drivers/net/wireless/iwlwifi/pcie/tx.c b/drivers/net/wireless/iwlwifi/pcie/tx.c
-index 6c5b867..c6cd922 100644
---- a/drivers/net/wireless/iwlwifi/pcie/tx.c
-+++ b/drivers/net/wireless/iwlwifi/pcie/tx.c
-@@ -1131,10 +1131,12 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans,
- void *dup_buf = NULL;
- dma_addr_t phys_addr;
- int idx;
-- u16 copy_size, cmd_size;
-+ u16 copy_size, cmd_size, dma_size;
- bool had_nocopy = false;
- int i;
- u32 cmd_pos;
-+ const u8 *cmddata[IWL_MAX_CMD_TFDS];
-+ u16 cmdlen[IWL_MAX_CMD_TFDS];
-
- copy_size = sizeof(out_cmd->hdr);
- cmd_size = sizeof(out_cmd->hdr);
-@@ -1143,8 +1145,23 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans,
- BUILD_BUG_ON(IWL_MAX_CMD_TFDS > IWL_NUM_OF_TBS - 1);
-
- for (i = 0; i < IWL_MAX_CMD_TFDS; i++) {
-+ cmddata[i] = cmd->data[i];
-+ cmdlen[i] = cmd->len[i];
-+
- if (!cmd->len[i])
- continue;
-+
-+ /* need at least IWL_HCMD_MIN_COPY_SIZE copied */
-+ if (copy_size < IWL_HCMD_MIN_COPY_SIZE) {
-+ int copy = IWL_HCMD_MIN_COPY_SIZE - copy_size;
-+
-+ if (copy > cmdlen[i])
-+ copy = cmdlen[i];
-+ cmdlen[i] -= copy;
-+ cmddata[i] += copy;
-+ copy_size += copy;
-+ }
-+
- if (cmd->dataflags[i] & IWL_HCMD_DFL_NOCOPY) {
- had_nocopy = true;
- if (WARN_ON(cmd->dataflags[i] & IWL_HCMD_DFL_DUP)) {
-@@ -1164,7 +1181,7 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans,
- goto free_dup_buf;
- }
-
-- dup_buf = kmemdup(cmd->data[i], cmd->len[i],
-+ dup_buf = kmemdup(cmddata[i], cmdlen[i],
- GFP_ATOMIC);
- if (!dup_buf)
- return -ENOMEM;
-@@ -1174,7 +1191,7 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans,
- idx = -EINVAL;
- goto free_dup_buf;
- }
-- copy_size += cmd->len[i];
-+ copy_size += cmdlen[i];
- }
- cmd_size += cmd->len[i];
- }
-@@ -1221,14 +1238,31 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans,
-
- /* and copy the data that needs to be copied */
- cmd_pos = offsetof(struct iwl_device_cmd, payload);
-+ copy_size = sizeof(out_cmd->hdr);
- for (i = 0; i < IWL_MAX_CMD_TFDS; i++) {
-- if (!cmd->len[i])
-+ int copy = 0;
-+
-+ if (!cmd->len)
- continue;
-- if (cmd->dataflags[i] & (IWL_HCMD_DFL_NOCOPY |
-- IWL_HCMD_DFL_DUP))
-- break;
-- memcpy((u8 *)out_cmd + cmd_pos, cmd->data[i], cmd->len[i]);
-- cmd_pos += cmd->len[i];
-+
-+ /* need at least IWL_HCMD_MIN_COPY_SIZE copied */
-+ if (copy_size < IWL_HCMD_MIN_COPY_SIZE) {
-+ copy = IWL_HCMD_MIN_COPY_SIZE - copy_size;
-+
-+ if (copy > cmd->len[i])
-+ copy = cmd->len[i];
-+ }
-+
-+ /* copy everything if not nocopy/dup */
-+ if (!(cmd->dataflags[i] & (IWL_HCMD_DFL_NOCOPY |
-+ IWL_HCMD_DFL_DUP)))
-+ copy = cmd->len[i];
-+
-+ if (copy) {
-+ memcpy((u8 *)out_cmd + cmd_pos, cmd->data[i], copy);
-+ cmd_pos += copy;
-+ copy_size += copy;
-+ }
- }
-
- WARN_ON_ONCE(txq->entries[idx].copy_cmd);
-@@ -1254,7 +1288,14 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans,
- out_cmd->hdr.cmd, le16_to_cpu(out_cmd->hdr.sequence),
- cmd_size, q->write_ptr, idx, trans_pcie->cmd_queue);
-
-- phys_addr = dma_map_single(trans->dev, &out_cmd->hdr, copy_size,
-+ /*
-+ * If the entire command is smaller than IWL_HCMD_MIN_COPY_SIZE, we must
-+ * still map at least that many bytes for the hardware to write back to.
-+ * We have enough space, so that's not a problem.
-+ */
-+ dma_size = max_t(u16, copy_size, IWL_HCMD_MIN_COPY_SIZE);
-+
-+ phys_addr = dma_map_single(trans->dev, &out_cmd->hdr, dma_size,
- DMA_BIDIRECTIONAL);
- if (unlikely(dma_mapping_error(trans->dev, phys_addr))) {
- idx = -ENOMEM;
-@@ -1262,14 +1303,15 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans,
- }
-
- dma_unmap_addr_set(out_meta, mapping, phys_addr);
-- dma_unmap_len_set(out_meta, len, copy_size);
-+ dma_unmap_len_set(out_meta, len, dma_size);
-
- iwl_pcie_txq_build_tfd(trans, txq, phys_addr, copy_size, 1);
-
-+ /* map the remaining (adjusted) nocopy/dup fragments */
- for (i = 0; i < IWL_MAX_CMD_TFDS; i++) {
-- const void *data = cmd->data[i];
-+ const void *data = cmddata[i];
-
-- if (!cmd->len[i])
-+ if (!cmdlen[i])
- continue;
- if (!(cmd->dataflags[i] & (IWL_HCMD_DFL_NOCOPY |
- IWL_HCMD_DFL_DUP)))
-@@ -1277,7 +1319,7 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans,
- if (cmd->dataflags[i] & IWL_HCMD_DFL_DUP)
- data = dup_buf;
- phys_addr = dma_map_single(trans->dev, (void *)data,
-- cmd->len[i], DMA_BIDIRECTIONAL);
-+ cmdlen[i], DMA_BIDIRECTIONAL);
- if (dma_mapping_error(trans->dev, phys_addr)) {
- iwl_pcie_tfd_unmap(trans, out_meta,
- &txq->tfds[q->write_ptr],
-@@ -1286,7 +1328,7 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans,
- goto out;
- }
-
-- iwl_pcie_txq_build_tfd(trans, txq, phys_addr, cmd->len[i], 0);
-+ iwl_pcie_txq_build_tfd(trans, txq, phys_addr, cmdlen[i], 0);
- }
-
- out_meta->flags = cmd->flags;
-@@ -1296,8 +1338,7 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans,
-
- txq->need_update = 1;
-
-- trace_iwlwifi_dev_hcmd(trans->dev, cmd, cmd_size,
-- &out_cmd->hdr, copy_size);
-+ trace_iwlwifi_dev_hcmd(trans->dev, cmd, cmd_size, &out_cmd->hdr);
-
- /* start timer if queue currently empty */
- if (q->read_ptr == q->write_ptr && trans_pcie->wd_timeout)
-diff --git a/drivers/net/wireless/libertas/if_sdio.c b/drivers/net/wireless/libertas/if_sdio.c
-index 739309e..4557833 100644
---- a/drivers/net/wireless/libertas/if_sdio.c
-+++ b/drivers/net/wireless/libertas/if_sdio.c
-@@ -825,6 +825,11 @@ static void if_sdio_finish_power_on(struct if_sdio_card *card)
-
- sdio_release_host(func);
-
-+ /* Set fw_ready before queuing any commands so that
-+ * lbs_thread won't block from sending them to firmware.
-+ */
-+ priv->fw_ready = 1;
-+
- /*
- * FUNC_INIT is required for SD8688 WLAN/BT multiple functions
- */
-@@ -839,7 +844,6 @@ static void if_sdio_finish_power_on(struct if_sdio_card *card)
- netdev_alert(priv->dev, "CMD_FUNC_INIT cmd failed\n");
- }
-
-- priv->fw_ready = 1;
- wake_up(&card->pwron_waitq);
-
- if (!card->started) {
-diff --git a/drivers/net/wireless/mwifiex/pcie.c b/drivers/net/wireless/mwifiex/pcie.c
-index b879e13..0bbea88 100644
---- a/drivers/net/wireless/mwifiex/pcie.c
-+++ b/drivers/net/wireless/mwifiex/pcie.c
-@@ -291,7 +291,7 @@ static int mwifiex_pm_wakeup_card(struct mwifiex_adapter *adapter)
- i++;
- usleep_range(10, 20);
- /* 50ms max wait */
-- if (i == 50000)
-+ if (i == 5000)
- break;
- }
-
-diff --git a/drivers/platform/x86/acer-wmi.c b/drivers/platform/x86/acer-wmi.c
-index afed701..684ce75 100644
---- a/drivers/platform/x86/acer-wmi.c
-+++ b/drivers/platform/x86/acer-wmi.c
-@@ -1204,6 +1204,9 @@ static acpi_status WMID_set_capabilities(void)
- devices = *((u32 *) obj->buffer.pointer);
- } else if (obj->type == ACPI_TYPE_INTEGER) {
- devices = (u32) obj->integer.value;
-+ } else {
-+ kfree(out.pointer);
-+ return AE_ERROR;
- }
- } else {
- kfree(out.pointer);
-diff --git a/drivers/platform/x86/sony-laptop.c b/drivers/platform/x86/sony-laptop.c
-index b8ad71f..0fe987f 100644
---- a/drivers/platform/x86/sony-laptop.c
-+++ b/drivers/platform/x86/sony-laptop.c
-@@ -1534,7 +1534,7 @@ static int sony_nc_rfkill_set(void *data, bool blocked)
- int argument = sony_rfkill_address[(long) data] + 0x100;
-
- if (!blocked)
-- argument |= 0x030000;
-+ argument |= 0x070000;
-
- return sony_call_snc_handle(sony_rfkill_handle, argument, &result);
- }
-diff --git a/drivers/rtc/rtc-mv.c b/drivers/rtc/rtc-mv.c
-index 57233c8..8f87fec 100644
---- a/drivers/rtc/rtc-mv.c
-+++ b/drivers/rtc/rtc-mv.c
-@@ -14,6 +14,7 @@
- #include <linux/platform_device.h>
- #include <linux/of.h>
- #include <linux/delay.h>
-+#include <linux/clk.h>
- #include <linux/gfp.h>
- #include <linux/module.h>
-
-@@ -41,6 +42,7 @@ struct rtc_plat_data {
- struct rtc_device *rtc;
- void __iomem *ioaddr;
- int irq;
-+ struct clk *clk;
- };
-
- static int mv_rtc_set_time(struct device *dev, struct rtc_time *tm)
-@@ -221,6 +223,7 @@ static int mv_rtc_probe(struct platform_device *pdev)
- struct rtc_plat_data *pdata;
- resource_size_t size;
- u32 rtc_time;
-+ int ret = 0;
-
- res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
- if (!res)
-@@ -239,11 +242,17 @@ static int mv_rtc_probe(struct platform_device *pdev)
- if (!pdata->ioaddr)
- return -ENOMEM;
-
-+ pdata->clk = devm_clk_get(&pdev->dev, NULL);
-+ /* Not all SoCs require a clock.*/
-+ if (!IS_ERR(pdata->clk))
-+ clk_prepare_enable(pdata->clk);
-+
- /* make sure the 24 hours mode is enabled */
- rtc_time = readl(pdata->ioaddr + RTC_TIME_REG_OFFS);
- if (rtc_time & RTC_HOURS_12H_MODE) {
- dev_err(&pdev->dev, "24 Hours mode not supported.\n");
-- return -EINVAL;
-+ ret = -EINVAL;
-+ goto out;
- }
-
- /* make sure it is actually functional */
-@@ -252,7 +261,8 @@ static int mv_rtc_probe(struct platform_device *pdev)
- rtc_time = readl(pdata->ioaddr + RTC_TIME_REG_OFFS);
- if (rtc_time == 0x01000000) {
- dev_err(&pdev->dev, "internal RTC not ticking\n");
-- return -ENODEV;
-+ ret = -ENODEV;
-+ goto out;
- }
- }
-
-@@ -268,8 +278,10 @@ static int mv_rtc_probe(struct platform_device *pdev)
- } else
- pdata->rtc = rtc_device_register(pdev->name, &pdev->dev,
- &mv_rtc_ops, THIS_MODULE);
-- if (IS_ERR(pdata->rtc))
-- return PTR_ERR(pdata->rtc);
-+ if (IS_ERR(pdata->rtc)) {
-+ ret = PTR_ERR(pdata->rtc);
-+ goto out;
-+ }
-
- if (pdata->irq >= 0) {
- writel(0, pdata->ioaddr + RTC_ALARM_INTERRUPT_MASK_REG_OFFS);
-@@ -282,6 +294,11 @@ static int mv_rtc_probe(struct platform_device *pdev)
- }
-
- return 0;
-+out:
-+ if (!IS_ERR(pdata->clk))
-+ clk_disable_unprepare(pdata->clk);
-+
-+ return ret;
- }
-
- static int __exit mv_rtc_remove(struct platform_device *pdev)
-@@ -292,6 +309,9 @@ static int __exit mv_rtc_remove(struct platform_device *pdev)
- device_init_wakeup(&pdev->dev, 0);
-
- rtc_device_unregister(pdata->rtc);
-+ if (!IS_ERR(pdata->clk))
-+ clk_disable_unprepare(pdata->clk);
-+
- return 0;
- }
-
-diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c
-index 865c64f..fed486bf 100644
---- a/drivers/scsi/dc395x.c
-+++ b/drivers/scsi/dc395x.c
-@@ -3747,13 +3747,13 @@ static struct DeviceCtlBlk *device_alloc(struct AdapterCtlBlk *acb,
- dcb->max_command = 1;
- dcb->target_id = target;
- dcb->target_lun = lun;
-+ dcb->dev_mode = eeprom->target[target].cfg0;
- #ifndef DC395x_NO_DISCONNECT
- dcb->identify_msg =
- IDENTIFY(dcb->dev_mode & NTC_DO_DISCONNECT, lun);
- #else
- dcb->identify_msg = IDENTIFY(0, lun);
- #endif
-- dcb->dev_mode = eeprom->target[target].cfg0;
- dcb->inquiry7 = 0;
- dcb->sync_mode = 0;
- dcb->min_nego_period = clock_period[period_index];
-diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
-index 0144078..9f4e560 100644
---- a/drivers/scsi/storvsc_drv.c
-+++ b/drivers/scsi/storvsc_drv.c
-@@ -467,6 +467,7 @@ static struct scatterlist *create_bounce_buffer(struct scatterlist *sgl,
- if (!bounce_sgl)
- return NULL;
-
-+ sg_init_table(bounce_sgl, num_pages);
- for (i = 0; i < num_pages; i++) {
- page_buf = alloc_page(GFP_ATOMIC);
- if (!page_buf)
-diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
-index 339f97f..42a2bf7 100644
---- a/drivers/target/iscsi/iscsi_target.c
-+++ b/drivers/target/iscsi/iscsi_target.c
-@@ -3570,6 +3570,10 @@ check_rsp_state:
- spin_lock_bh(&cmd->istate_lock);
- cmd->i_state = ISTATE_SENT_STATUS;
- spin_unlock_bh(&cmd->istate_lock);
-+
-+ if (atomic_read(&conn->check_immediate_queue))
-+ return 1;
-+
- continue;
- } else if (ret == 2) {
- /* Still must send status,
-@@ -3659,7 +3663,7 @@ check_rsp_state:
- }
-
- if (atomic_read(&conn->check_immediate_queue))
-- break;
-+ return 1;
- }
-
- return 0;
-@@ -3703,12 +3707,15 @@ restart:
- signal_pending(current))
- goto transport_err;
-
-+get_immediate:
- ret = handle_immediate_queue(conn);
- if (ret < 0)
- goto transport_err;
-
- ret = handle_response_queue(conn);
-- if (ret == -EAGAIN)
-+ if (ret == 1)
-+ goto get_immediate;
-+ else if (ret == -EAGAIN)
- goto restart;
- else if (ret < 0)
- goto transport_err;
-diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c
-index 2bcfd79..55b9530 100644
---- a/drivers/target/target_core_pscsi.c
-+++ b/drivers/target/target_core_pscsi.c
-@@ -940,7 +940,6 @@ pscsi_map_sg(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents,
- bio = NULL;
- }
-
-- page++;
- len -= bytes;
- data_len -= bytes;
- off = 0;
-diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index cbf7168..2a89588 100644
---- a/drivers/usb/core/hub.c
-+++ b/drivers/usb/core/hub.c
-@@ -2538,70 +2538,35 @@ static int hub_port_wait_reset(struct usb_hub *hub, int port1,
- if ((portstatus & USB_PORT_STAT_RESET))
- goto delay;
-
-- /*
-- * Some buggy devices require a warm reset to be issued even
-- * when the port appears not to be connected.
-+ if (hub_port_warm_reset_required(hub, portstatus))
-+ return -ENOTCONN;
-+
-+ /* Device went away? */
-+ if (!(portstatus & USB_PORT_STAT_CONNECTION))
-+ return -ENOTCONN;
-+
-+ /* bomb out completely if the connection bounced. A USB 3.0
-+ * connection may bounce if multiple warm resets were issued,
-+ * but the device may have successfully re-connected. Ignore it.
- */
-- if (!warm) {
-- /*
-- * Some buggy devices can cause an NEC host controller
-- * to transition to the "Error" state after a hot port
-- * reset. This will show up as the port state in
-- * "Inactive", and the port may also report a
-- * disconnect. Forcing a warm port reset seems to make
-- * the device work.
-- *
-- * See https://bugzilla.kernel.org/show_bug.cgi?id=41752
-- */
-- if (hub_port_warm_reset_required(hub, portstatus)) {
-- int ret;
--
-- if ((portchange & USB_PORT_STAT_C_CONNECTION))
-- clear_port_feature(hub->hdev, port1,
-- USB_PORT_FEAT_C_CONNECTION);
-- if (portchange & USB_PORT_STAT_C_LINK_STATE)
-- clear_port_feature(hub->hdev, port1,
-- USB_PORT_FEAT_C_PORT_LINK_STATE);
-- if (portchange & USB_PORT_STAT_C_RESET)
-- clear_port_feature(hub->hdev, port1,
-- USB_PORT_FEAT_C_RESET);
-- dev_dbg(hub->intfdev, "hot reset failed, warm reset port %d\n",
-- port1);
-- ret = hub_port_reset(hub, port1,
-- udev, HUB_BH_RESET_TIME,
-- true);
-- if ((portchange & USB_PORT_STAT_C_CONNECTION))
-- clear_port_feature(hub->hdev, port1,
-- USB_PORT_FEAT_C_CONNECTION);
-- return ret;
-- }
-- /* Device went away? */
-- if (!(portstatus & USB_PORT_STAT_CONNECTION))
-- return -ENOTCONN;
--
-- /* bomb out completely if the connection bounced */
-- if ((portchange & USB_PORT_STAT_C_CONNECTION))
-- return -ENOTCONN;
--
-- if ((portstatus & USB_PORT_STAT_ENABLE)) {
-- if (hub_is_wusb(hub))
-- udev->speed = USB_SPEED_WIRELESS;
-- else if (hub_is_superspeed(hub->hdev))
-- udev->speed = USB_SPEED_SUPER;
-- else if (portstatus & USB_PORT_STAT_HIGH_SPEED)
-- udev->speed = USB_SPEED_HIGH;
-- else if (portstatus & USB_PORT_STAT_LOW_SPEED)
-- udev->speed = USB_SPEED_LOW;
-- else
-- udev->speed = USB_SPEED_FULL;
-+ if (!hub_is_superspeed(hub->hdev) &&
-+ (portchange & USB_PORT_STAT_C_CONNECTION))
-+ return -ENOTCONN;
-+
-+ if ((portstatus & USB_PORT_STAT_ENABLE)) {
-+ if (!udev)
- return 0;
-- }
-- } else {
-- if (!(portstatus & USB_PORT_STAT_CONNECTION) ||
-- hub_port_warm_reset_required(hub,
-- portstatus))
-- return -ENOTCONN;
-
-+ if (hub_is_wusb(hub))
-+ udev->speed = USB_SPEED_WIRELESS;
-+ else if (hub_is_superspeed(hub->hdev))
-+ udev->speed = USB_SPEED_SUPER;
-+ else if (portstatus & USB_PORT_STAT_HIGH_SPEED)
-+ udev->speed = USB_SPEED_HIGH;
-+ else if (portstatus & USB_PORT_STAT_LOW_SPEED)
-+ udev->speed = USB_SPEED_LOW;
-+ else
-+ udev->speed = USB_SPEED_FULL;
- return 0;
- }
-
-@@ -2619,16 +2584,16 @@ delay:
- }
-
- static void hub_port_finish_reset(struct usb_hub *hub, int port1,
-- struct usb_device *udev, int *status, bool warm)
-+ struct usb_device *udev, int *status)
- {
- switch (*status) {
- case 0:
-- if (!warm) {
-- struct usb_hcd *hcd;
-- /* TRSTRCY = 10 ms; plus some extra */
-- msleep(10 + 40);
-+ /* TRSTRCY = 10 ms; plus some extra */
-+ msleep(10 + 40);
-+ if (udev) {
-+ struct usb_hcd *hcd = bus_to_hcd(udev->bus);
-+
- update_devnum(udev, 0);
-- hcd = bus_to_hcd(udev->bus);
- /* The xHC may think the device is already reset,
- * so ignore the status.
- */
-@@ -2640,14 +2605,15 @@ static void hub_port_finish_reset(struct usb_hub *hub, int port1,
- case -ENODEV:
- clear_port_feature(hub->hdev,
- port1, USB_PORT_FEAT_C_RESET);
-- /* FIXME need disconnect() for NOTATTACHED device */
- if (hub_is_superspeed(hub->hdev)) {
- clear_port_feature(hub->hdev, port1,
- USB_PORT_FEAT_C_BH_PORT_RESET);
- clear_port_feature(hub->hdev, port1,
- USB_PORT_FEAT_C_PORT_LINK_STATE);
-+ clear_port_feature(hub->hdev, port1,
-+ USB_PORT_FEAT_C_CONNECTION);
- }
-- if (!warm)
-+ if (udev)
- usb_set_device_state(udev, *status
- ? USB_STATE_NOTATTACHED
- : USB_STATE_DEFAULT);
-@@ -2660,18 +2626,30 @@ static int hub_port_reset(struct usb_hub *hub, int port1,
- struct usb_device *udev, unsigned int delay, bool warm)
- {
- int i, status;
-+ u16 portchange, portstatus;
-
-- if (!warm) {
-- /* Block EHCI CF initialization during the port reset.
-- * Some companion controllers don't like it when they mix.
-- */
-- down_read(&ehci_cf_port_reset_rwsem);
-- } else {
-- if (!hub_is_superspeed(hub->hdev)) {
-+ if (!hub_is_superspeed(hub->hdev)) {
-+ if (warm) {
- dev_err(hub->intfdev, "only USB3 hub support "
- "warm reset\n");
- return -EINVAL;
- }
-+ /* Block EHCI CF initialization during the port reset.
-+ * Some companion controllers don't like it when they mix.
-+ */
-+ down_read(&ehci_cf_port_reset_rwsem);
-+ } else if (!warm) {
-+ /*
-+ * If the caller hasn't explicitly requested a warm reset,
-+ * double check and see if one is needed.
-+ */
-+ status = hub_port_status(hub, port1,
-+ &portstatus, &portchange);
-+ if (status < 0)
-+ goto done;
-+
-+ if (hub_port_warm_reset_required(hub, portstatus))
-+ warm = true;
- }
-
- /* Reset the port */
-@@ -2692,10 +2670,33 @@ static int hub_port_reset(struct usb_hub *hub, int port1,
- status);
- }
-
-- /* return on disconnect or reset */
-+ /* Check for disconnect or reset */
- if (status == 0 || status == -ENOTCONN || status == -ENODEV) {
-- hub_port_finish_reset(hub, port1, udev, &status, warm);
-- goto done;
-+ hub_port_finish_reset(hub, port1, udev, &status);
-+
-+ if (!hub_is_superspeed(hub->hdev))
-+ goto done;
-+
-+ /*
-+ * If a USB 3.0 device migrates from reset to an error
-+ * state, re-issue the warm reset.
-+ */
-+ if (hub_port_status(hub, port1,
-+ &portstatus, &portchange) < 0)
-+ goto done;
-+
-+ if (!hub_port_warm_reset_required(hub, portstatus))
-+ goto done;
-+
-+ /*
-+ * If the port is in SS.Inactive or Compliance Mode, the
-+ * hot or warm reset failed. Try another warm reset.
-+ */
-+ if (!warm) {
-+ dev_dbg(hub->intfdev, "hot reset failed, warm reset port %d\n",
-+ port1);
-+ warm = true;
-+ }
- }
-
- dev_dbg (hub->intfdev,
-@@ -2709,7 +2710,7 @@ static int hub_port_reset(struct usb_hub *hub, int port1,
- port1);
-
- done:
-- if (!warm)
-+ if (!hub_is_superspeed(hub->hdev))
- up_read(&ehci_cf_port_reset_rwsem);
-
- return status;
-@@ -4740,12 +4741,21 @@ static void hub_events(void)
- */
- if (hub_port_warm_reset_required(hub, portstatus)) {
- int status;
-+ struct usb_device *udev =
-+ hub->ports[i - 1]->child;
-
- dev_dbg(hub_dev, "warm reset port %d\n", i);
-- status = hub_port_reset(hub, i, NULL,
-- HUB_BH_RESET_TIME, true);
-- if (status < 0)
-- hub_port_disable(hub, i, 1);
-+ if (!udev) {
-+ status = hub_port_reset(hub, i,
-+ NULL, HUB_BH_RESET_TIME,
-+ true);
-+ if (status < 0)
-+ hub_port_disable(hub, i, 1);
-+ } else {
-+ usb_lock_device(udev);
-+ status = usb_reset_device(udev);
-+ usb_unlock_device(udev);
-+ }
- connect_change = 0;
- }
-
-diff --git a/drivers/usb/host/ehci-timer.c b/drivers/usb/host/ehci-timer.c
-index f904071..20dbdcb 100644
---- a/drivers/usb/host/ehci-timer.c
-+++ b/drivers/usb/host/ehci-timer.c
-@@ -113,15 +113,14 @@ static void ehci_poll_ASS(struct ehci_hcd *ehci)
-
- if (want != actual) {
-
-- /* Poll again later */
-- ehci_enable_event(ehci, EHCI_HRTIMER_POLL_ASS, true);
-- ++ehci->ASS_poll_count;
-- return;
-+ /* Poll again later, but give up after about 20 ms */
-+ if (ehci->ASS_poll_count++ < 20) {
-+ ehci_enable_event(ehci, EHCI_HRTIMER_POLL_ASS, true);
-+ return;
-+ }
-+ ehci_dbg(ehci, "Waited too long for the async schedule status (%x/%x), giving up\n",
-+ want, actual);
- }
--
-- if (ehci->ASS_poll_count > 20)
-- ehci_dbg(ehci, "ASS poll count reached %d\n",
-- ehci->ASS_poll_count);
- ehci->ASS_poll_count = 0;
-
- /* The status is up-to-date; restart or stop the schedule as needed */
-@@ -160,14 +159,14 @@ static void ehci_poll_PSS(struct ehci_hcd *ehci)
-
- if (want != actual) {
-
-- /* Poll again later */
-- ehci_enable_event(ehci, EHCI_HRTIMER_POLL_PSS, true);
-- return;
-+ /* Poll again later, but give up after about 20 ms */
-+ if (ehci->PSS_poll_count++ < 20) {
-+ ehci_enable_event(ehci, EHCI_HRTIMER_POLL_PSS, true);
-+ return;
-+ }
-+ ehci_dbg(ehci, "Waited too long for the periodic schedule status (%x/%x), giving up\n",
-+ want, actual);
- }
--
-- if (ehci->PSS_poll_count > 20)
-- ehci_dbg(ehci, "PSS poll count reached %d\n",
-- ehci->PSS_poll_count);
- ehci->PSS_poll_count = 0;
-
- /* The status is up-to-date; restart or stop the schedule as needed */
-diff --git a/drivers/w1/masters/w1-gpio.c b/drivers/w1/masters/w1-gpio.c
-index 85b363a..d39dfa4 100644
---- a/drivers/w1/masters/w1-gpio.c
-+++ b/drivers/w1/masters/w1-gpio.c
-@@ -72,7 +72,7 @@ static int w1_gpio_probe_dt(struct platform_device *pdev)
- return 0;
- }
-
--static int __init w1_gpio_probe(struct platform_device *pdev)
-+static int w1_gpio_probe(struct platform_device *pdev)
- {
- struct w1_bus_master *master;
- struct w1_gpio_platform_data *pdata;
-diff --git a/drivers/watchdog/Kconfig b/drivers/watchdog/Kconfig
-index 7f809fd..19fa73a 100644
---- a/drivers/watchdog/Kconfig
-+++ b/drivers/watchdog/Kconfig
-@@ -79,6 +79,7 @@ config DA9052_WATCHDOG
- config DA9055_WATCHDOG
- tristate "Dialog Semiconductor DA9055 Watchdog"
- depends on MFD_DA9055
-+ select WATCHDOG_CORE
- help
- If you say yes here you get support for watchdog on the Dialog
- Semiconductor DA9055 PMIC.
-diff --git a/drivers/watchdog/sp5100_tco.c b/drivers/watchdog/sp5100_tco.c
-index 2b0e000..e3b8f75 100644
---- a/drivers/watchdog/sp5100_tco.c
-+++ b/drivers/watchdog/sp5100_tco.c
-@@ -361,7 +361,7 @@ static unsigned char sp5100_tco_setupdevice(void)
- {
- struct pci_dev *dev = NULL;
- const char *dev_name = NULL;
-- u32 val;
-+ u32 val, tmp_val;
- u32 index_reg, data_reg, base_addr;
-
- /* Match the PCI device */
-@@ -497,30 +497,19 @@ static unsigned char sp5100_tco_setupdevice(void)
- pr_debug("Got 0x%04x from resource tree\n", val);
- }
-
-- /* Restore to the low three bits, if chipset is SB8x0(or later) */
-- if (sp5100_tco_pci->revision >= 0x40) {
-- u8 reserved_bit;
-- reserved_bit = inb(base_addr) & 0x7;
-- val |= (u32)reserved_bit;
-- }
-+ /* Restore to the low three bits */
-+ outb(base_addr+0, index_reg);
-+ tmp_val = val | (inb(data_reg) & 0x7);
-
- /* Re-programming the watchdog timer base address */
- outb(base_addr+0, index_reg);
-- /* Low three bits of BASE are reserved */
-- outb((val >> 0) & 0xf8, data_reg);
-+ outb((tmp_val >> 0) & 0xff, data_reg);
- outb(base_addr+1, index_reg);
-- outb((val >> 8) & 0xff, data_reg);
-+ outb((tmp_val >> 8) & 0xff, data_reg);
- outb(base_addr+2, index_reg);
-- outb((val >> 16) & 0xff, data_reg);
-+ outb((tmp_val >> 16) & 0xff, data_reg);
- outb(base_addr+3, index_reg);
-- outb((val >> 24) & 0xff, data_reg);
--
-- /*
-- * Clear unnecessary the low three bits,
-- * if chipset is SB8x0(or later)
-- */
-- if (sp5100_tco_pci->revision >= 0x40)
-- val &= ~0x7;
-+ outb((tmp_val >> 24) & 0xff, data_reg);
-
- if (!request_mem_region_exclusive(val, SP5100_WDT_MEM_MAP_SIZE,
- dev_name)) {
-diff --git a/drivers/xen/xenbus/xenbus_client.c b/drivers/xen/xenbus/xenbus_client.c
-index bcf3ba4..61786be 100644
---- a/drivers/xen/xenbus/xenbus_client.c
-+++ b/drivers/xen/xenbus/xenbus_client.c
-@@ -30,6 +30,7 @@
- * IN THE SOFTWARE.
- */
-
-+#include <linux/mm.h>
- #include <linux/slab.h>
- #include <linux/types.h>
- #include <linux/spinlock.h>
-diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
-index cc93b23..659ea81 100644
---- a/fs/btrfs/inode.c
-+++ b/fs/btrfs/inode.c
-@@ -265,6 +265,7 @@ static noinline int cow_file_range_inline(struct btrfs_trans_handle *trans,
- return 1;
- }
-
-+ set_bit(BTRFS_INODE_NEEDS_FULL_SYNC, &BTRFS_I(inode)->runtime_flags);
- btrfs_delalloc_release_metadata(inode, end + 1 - start);
- btrfs_drop_extent_cache(inode, start, aligned_end - 1, 0);
- return 0;
-@@ -2469,6 +2470,7 @@ int btrfs_orphan_cleanup(struct btrfs_root *root)
- */
- set_bit(BTRFS_INODE_HAS_ORPHAN_ITEM,
- &BTRFS_I(inode)->runtime_flags);
-+ atomic_inc(&root->orphan_inodes);
-
- /* if we have links, this was a truncate, lets do that */
- if (inode->i_nlink) {
-@@ -2491,6 +2493,8 @@ int btrfs_orphan_cleanup(struct btrfs_root *root)
- goto out;
-
- ret = btrfs_truncate(inode);
-+ if (ret)
-+ btrfs_orphan_del(NULL, inode);
- } else {
- nr_unlink++;
- }
-diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
-index 9027bb1..b6818ee 100644
---- a/fs/btrfs/tree-log.c
-+++ b/fs/btrfs/tree-log.c
-@@ -3281,6 +3281,7 @@ static int log_one_extent(struct btrfs_trans_handle *trans,
- int ret;
- bool skip_csum = BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM;
-
-+insert:
- INIT_LIST_HEAD(&ordered_sums);
- btrfs_init_map_token(&token);
- key.objectid = btrfs_ino(inode);
-@@ -3296,6 +3297,23 @@ static int log_one_extent(struct btrfs_trans_handle *trans,
- leaf = path->nodes[0];
- fi = btrfs_item_ptr(leaf, path->slots[0],
- struct btrfs_file_extent_item);
-+
-+ /*
-+ * If we are overwriting an inline extent with a real one then we need
-+ * to just delete the inline extent as it may not be large enough to
-+ * have the entire file_extent_item.
-+ */
-+ if (ret && btrfs_token_file_extent_type(leaf, fi, &token) ==
-+ BTRFS_FILE_EXTENT_INLINE) {
-+ ret = btrfs_del_item(trans, log, path);
-+ btrfs_release_path(path);
-+ if (ret) {
-+ path->really_keep_locks = 0;
-+ return ret;
-+ }
-+ goto insert;
-+ }
-+
- btrfs_set_token_file_extent_generation(leaf, fi, em->generation,
- &token);
- if (test_bit(EXTENT_FLAG_PREALLOC, &em->flags)) {
-diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
-index 5cbb7f4..ac8ff8d 100644
---- a/fs/btrfs/volumes.c
-+++ b/fs/btrfs/volumes.c
-@@ -647,6 +647,7 @@ static int __btrfs_close_devices(struct btrfs_fs_devices *fs_devices)
- new_device->writeable = 0;
- new_device->in_fs_metadata = 0;
- new_device->can_discard = 0;
-+ spin_lock_init(&new_device->io_lock);
- list_replace_rcu(&device->dev_list, &new_device->dev_list);
-
- call_rcu(&device->rcu, free_device);
-diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
-index de7f916..e328339 100644
---- a/fs/cifs/cifsfs.c
-+++ b/fs/cifs/cifsfs.c
-@@ -558,6 +558,11 @@ cifs_get_root(struct smb_vol *vol, struct super_block *sb)
- dentry = ERR_PTR(-ENOENT);
- break;
- }
-+ if (!S_ISDIR(dir->i_mode)) {
-+ dput(dentry);
-+ dentry = ERR_PTR(-ENOTDIR);
-+ break;
-+ }
-
- /* skip separators */
- while (*s == sep)
-diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
-index c9c7aa7..bceffe7 100644
---- a/fs/cifs/smb2ops.c
-+++ b/fs/cifs/smb2ops.c
-@@ -744,4 +744,5 @@ struct smb_version_values smb30_values = {
- .cap_unix = 0,
- .cap_nt_find = SMB2_NT_FIND,
- .cap_large_files = SMB2_LARGE_FILES,
-+ .oplock_read = SMB2_OPLOCK_LEVEL_II,
- };
-diff --git a/fs/compat.c b/fs/compat.c
-index 015e1e1..a06dcbc 100644
---- a/fs/compat.c
-+++ b/fs/compat.c
-@@ -558,6 +558,10 @@ ssize_t compat_rw_copy_check_uvector(int type,
- }
- *ret_pointer = iov;
-
-+ ret = -EFAULT;
-+ if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector)))
-+ goto out;
-+
- /*
- * Single unix specification:
- * We should -EINVAL if an element length is not >= 0 and fitting an
-@@ -1080,17 +1084,12 @@ static ssize_t compat_do_readv_writev(int type, struct file *file,
- if (!file->f_op)
- goto out;
-
-- ret = -EFAULT;
-- if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector)))
-- goto out;
--
-- tot_len = compat_rw_copy_check_uvector(type, uvector, nr_segs,
-+ ret = compat_rw_copy_check_uvector(type, uvector, nr_segs,
- UIO_FASTIOV, iovstack, &iov);
-- if (tot_len == 0) {
-- ret = 0;
-+ if (ret <= 0)
- goto out;
-- }
-
-+ tot_len = ret;
- ret = rw_verify_area(type, file, pos, tot_len);
- if (ret < 0)
- goto out;
-diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
-index 2f2e0da..92e68b3 100644
---- a/fs/ext4/balloc.c
-+++ b/fs/ext4/balloc.c
-@@ -635,7 +635,7 @@ ext4_fsblk_t ext4_count_free_clusters(struct super_block *sb)
- brelse(bitmap_bh);
- printk(KERN_DEBUG "ext4_count_free_clusters: stored = %llu"
- ", computed = %llu, %llu\n",
-- EXT4_B2C(EXT4_SB(sb), ext4_free_blocks_count(es)),
-+ EXT4_NUM_B2C(EXT4_SB(sb), ext4_free_blocks_count(es)),
- desc_count, bitmap_count);
- return bitmap_count;
- #else
-diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
-index 061727a..28bbf9b 100644
---- a/fs/ext4/mballoc.c
-+++ b/fs/ext4/mballoc.c
-@@ -3444,7 +3444,7 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac)
- win = offs;
-
- ac->ac_b_ex.fe_logical = ac->ac_o_ex.fe_logical -
-- EXT4_B2C(sbi, win);
-+ EXT4_NUM_B2C(sbi, win);
- BUG_ON(ac->ac_o_ex.fe_logical < ac->ac_b_ex.fe_logical);
- BUG_ON(ac->ac_o_ex.fe_len > ac->ac_b_ex.fe_len);
- }
-@@ -4590,7 +4590,7 @@ do_more:
- EXT4_BLOCKS_PER_GROUP(sb);
- count -= overflow;
- }
-- count_clusters = EXT4_B2C(sbi, count);
-+ count_clusters = EXT4_NUM_B2C(sbi, count);
- bitmap_bh = ext4_read_block_bitmap(sb, block_group);
- if (!bitmap_bh) {
- err = -EIO;
-@@ -4832,11 +4832,11 @@ int ext4_group_add_blocks(handle_t *handle, struct super_block *sb,
- ext4_group_desc_csum_set(sb, block_group, desc);
- ext4_unlock_group(sb, block_group);
- percpu_counter_add(&sbi->s_freeclusters_counter,
-- EXT4_B2C(sbi, blocks_freed));
-+ EXT4_NUM_B2C(sbi, blocks_freed));
-
- if (sbi->s_log_groups_per_flex) {
- ext4_group_t flex_group = ext4_flex_group(sbi, block_group);
-- atomic_add(EXT4_B2C(sbi, blocks_freed),
-+ atomic_add(EXT4_NUM_B2C(sbi, blocks_freed),
- &sbi->s_flex_groups[flex_group].free_clusters);
- }
-
-diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
-index 02824dc..1aab70d 100644
---- a/fs/ext4/resize.c
-+++ b/fs/ext4/resize.c
-@@ -1247,7 +1247,7 @@ static int ext4_setup_new_descs(handle_t *handle, struct super_block *sb,
-
- ext4_inode_table_set(sb, gdp, group_data->inode_table);
- ext4_free_group_clusters_set(sb, gdp,
-- EXT4_B2C(sbi, group_data->free_blocks_count));
-+ EXT4_NUM_B2C(sbi, group_data->free_blocks_count));
- ext4_free_inodes_set(sb, gdp, EXT4_INODES_PER_GROUP(sb));
- if (ext4_has_group_desc_csum(sb))
- ext4_itable_unused_set(sb, gdp,
-@@ -1349,7 +1349,7 @@ static void ext4_update_super(struct super_block *sb,
-
- /* Update the free space counts */
- percpu_counter_add(&sbi->s_freeclusters_counter,
-- EXT4_B2C(sbi, free_blocks));
-+ EXT4_NUM_B2C(sbi, free_blocks));
- percpu_counter_add(&sbi->s_freeinodes_counter,
- EXT4_INODES_PER_GROUP(sb) * flex_gd->count);
-
-@@ -1360,7 +1360,7 @@ static void ext4_update_super(struct super_block *sb,
- sbi->s_log_groups_per_flex) {
- ext4_group_t flex_group;
- flex_group = ext4_flex_group(sbi, group_data[0].group);
-- atomic_add(EXT4_B2C(sbi, free_blocks),
-+ atomic_add(EXT4_NUM_B2C(sbi, free_blocks),
- &sbi->s_flex_groups[flex_group].free_clusters);
- atomic_add(EXT4_INODES_PER_GROUP(sb) * flex_gd->count,
- &sbi->s_flex_groups[flex_group].free_inodes);
-diff --git a/fs/ext4/super.c b/fs/ext4/super.c
-index 0465f36..5fa223d 100644
---- a/fs/ext4/super.c
-+++ b/fs/ext4/super.c
-@@ -3235,7 +3235,7 @@ int ext4_calculate_overhead(struct super_block *sb)
- }
- /* Add the journal blocks as well */
- if (sbi->s_journal)
-- overhead += EXT4_B2C(sbi, sbi->s_journal->j_maxlen);
-+ overhead += EXT4_NUM_B2C(sbi, sbi->s_journal->j_maxlen);
-
- sbi->s_overhead = overhead;
- smp_wmb();
-diff --git a/fs/namei.c b/fs/namei.c
-index 43a97ee..ec97aef 100644
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -693,8 +693,6 @@ void nd_jump_link(struct nameidata *nd, struct path *path)
- nd->path = *path;
- nd->inode = nd->path.dentry->d_inode;
- nd->flags |= LOOKUP_JUMPED;
--
-- BUG_ON(nd->inode->i_op->follow_link);
- }
-
- static inline void put_link(struct nameidata *nd, struct path *link, void *cookie)
-diff --git a/fs/nfs/nfs4filelayout.c b/fs/nfs/nfs4filelayout.c
-index 194c484..49eeb04 100644
---- a/fs/nfs/nfs4filelayout.c
-+++ b/fs/nfs/nfs4filelayout.c
-@@ -99,7 +99,8 @@ static void filelayout_reset_write(struct nfs_write_data *data)
-
- task->tk_status = pnfs_write_done_resend_to_mds(hdr->inode,
- &hdr->pages,
-- hdr->completion_ops);
-+ hdr->completion_ops,
-+ hdr->dreq);
- }
- }
-
-@@ -119,7 +120,8 @@ static void filelayout_reset_read(struct nfs_read_data *data)
-
- task->tk_status = pnfs_read_done_resend_to_mds(hdr->inode,
- &hdr->pages,
-- hdr->completion_ops);
-+ hdr->completion_ops,
-+ hdr->dreq);
- }
- }
-
-diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
-index efda60d..3cb5e77 100644
---- a/fs/nfs/nfs4proc.c
-+++ b/fs/nfs/nfs4proc.c
-@@ -6087,11 +6087,13 @@ static struct page **nfs4_alloc_pages(size_t size, gfp_t gfp_flags)
- static void nfs4_layoutget_release(void *calldata)
- {
- struct nfs4_layoutget *lgp = calldata;
-- struct nfs_server *server = NFS_SERVER(lgp->args.inode);
-+ struct inode *inode = lgp->args.inode;
-+ struct nfs_server *server = NFS_SERVER(inode);
- size_t max_pages = max_response_pages(server);
-
- dprintk("--> %s\n", __func__);
- nfs4_free_pages(lgp->args.layout.pages, max_pages);
-+ pnfs_put_layout_hdr(NFS_I(inode)->layout);
- put_nfs_open_context(lgp->args.ctx);
- kfree(calldata);
- dprintk("<-- %s\n", __func__);
-@@ -6106,7 +6108,8 @@ static const struct rpc_call_ops nfs4_layoutget_call_ops = {
- struct pnfs_layout_segment *
- nfs4_proc_layoutget(struct nfs4_layoutget *lgp, gfp_t gfp_flags)
- {
-- struct nfs_server *server = NFS_SERVER(lgp->args.inode);
-+ struct inode *inode = lgp->args.inode;
-+ struct nfs_server *server = NFS_SERVER(inode);
- size_t max_pages = max_response_pages(server);
- struct rpc_task *task;
- struct rpc_message msg = {
-@@ -6136,6 +6139,10 @@ nfs4_proc_layoutget(struct nfs4_layoutget *lgp, gfp_t gfp_flags)
- lgp->res.layoutp = &lgp->args.layout;
- lgp->res.seq_res.sr_slot = NULL;
- nfs41_init_sequence(&lgp->args.seq_args, &lgp->res.seq_res, 0);
-+
-+ /* nfs4_layoutget_release calls pnfs_put_layout_hdr */
-+ pnfs_get_layout_hdr(NFS_I(inode)->layout);
-+
- task = rpc_run_task(&task_setup_data);
- if (IS_ERR(task))
- return ERR_CAST(task);
-diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
-index 6be70f6..97767c8 100644
---- a/fs/nfs/pnfs.c
-+++ b/fs/nfs/pnfs.c
-@@ -1422,13 +1422,15 @@ EXPORT_SYMBOL_GPL(pnfs_generic_pg_test);
-
- int pnfs_write_done_resend_to_mds(struct inode *inode,
- struct list_head *head,
-- const struct nfs_pgio_completion_ops *compl_ops)
-+ const struct nfs_pgio_completion_ops *compl_ops,
-+ struct nfs_direct_req *dreq)
- {
- struct nfs_pageio_descriptor pgio;
- LIST_HEAD(failed);
-
- /* Resend all requests through the MDS */
- nfs_pageio_init_write(&pgio, inode, FLUSH_STABLE, compl_ops);
-+ pgio.pg_dreq = dreq;
- while (!list_empty(head)) {
- struct nfs_page *req = nfs_list_entry(head->next);
-
-@@ -1463,7 +1465,8 @@ static void pnfs_ld_handle_write_error(struct nfs_write_data *data)
- if (!test_and_set_bit(NFS_IOHDR_REDO, &hdr->flags))
- data->task.tk_status = pnfs_write_done_resend_to_mds(hdr->inode,
- &hdr->pages,
-- hdr->completion_ops);
-+ hdr->completion_ops,
-+ hdr->dreq);
- }
-
- /*
-@@ -1578,13 +1581,15 @@ EXPORT_SYMBOL_GPL(pnfs_generic_pg_writepages);
-
- int pnfs_read_done_resend_to_mds(struct inode *inode,
- struct list_head *head,
-- const struct nfs_pgio_completion_ops *compl_ops)
-+ const struct nfs_pgio_completion_ops *compl_ops,
-+ struct nfs_direct_req *dreq)
- {
- struct nfs_pageio_descriptor pgio;
- LIST_HEAD(failed);
-
- /* Resend all requests through the MDS */
- nfs_pageio_init_read(&pgio, inode, compl_ops);
-+ pgio.pg_dreq = dreq;
- while (!list_empty(head)) {
- struct nfs_page *req = nfs_list_entry(head->next);
-
-@@ -1615,7 +1620,8 @@ static void pnfs_ld_handle_read_error(struct nfs_read_data *data)
- if (!test_and_set_bit(NFS_IOHDR_REDO, &hdr->flags))
- data->task.tk_status = pnfs_read_done_resend_to_mds(hdr->inode,
- &hdr->pages,
-- hdr->completion_ops);
-+ hdr->completion_ops,
-+ hdr->dreq);
- }
-
- /*
-diff --git a/fs/nfs/pnfs.h b/fs/nfs/pnfs.h
-index 97cb358..94ba804 100644
---- a/fs/nfs/pnfs.h
-+++ b/fs/nfs/pnfs.h
-@@ -230,9 +230,11 @@ struct pnfs_layout_segment *pnfs_update_layout(struct inode *ino,
-
- void nfs4_deviceid_mark_client_invalid(struct nfs_client *clp);
- int pnfs_read_done_resend_to_mds(struct inode *inode, struct list_head *head,
-- const struct nfs_pgio_completion_ops *compl_ops);
-+ const struct nfs_pgio_completion_ops *compl_ops,
-+ struct nfs_direct_req *dreq);
- int pnfs_write_done_resend_to_mds(struct inode *inode, struct list_head *head,
-- const struct nfs_pgio_completion_ops *compl_ops);
-+ const struct nfs_pgio_completion_ops *compl_ops,
-+ struct nfs_direct_req *dreq);
- struct nfs4_threshold *pnfs_mdsthreshold_alloc(void);
-
- /* nfs4_deviceid_flags */
-diff --git a/fs/nfs/unlink.c b/fs/nfs/unlink.c
-index 3f79c77..6edc807 100644
---- a/fs/nfs/unlink.c
-+++ b/fs/nfs/unlink.c
-@@ -336,20 +336,14 @@ static void nfs_async_rename_done(struct rpc_task *task, void *calldata)
- struct inode *old_dir = data->old_dir;
- struct inode *new_dir = data->new_dir;
- struct dentry *old_dentry = data->old_dentry;
-- struct dentry *new_dentry = data->new_dentry;
-
- if (!NFS_PROTO(old_dir)->rename_done(task, old_dir, new_dir)) {
- rpc_restart_call_prepare(task);
- return;
- }
-
-- if (task->tk_status != 0) {
-+ if (task->tk_status != 0)
- nfs_cancel_async_unlink(old_dentry);
-- return;
-- }
--
-- d_drop(old_dentry);
-- d_drop(new_dentry);
- }
-
- /**
-@@ -550,6 +544,18 @@ nfs_sillyrename(struct inode *dir, struct dentry *dentry)
- error = rpc_wait_for_completion_task(task);
- if (error == 0)
- error = task->tk_status;
-+ switch (error) {
-+ case 0:
-+ /* The rename succeeded */
-+ nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
-+ d_move(dentry, sdentry);
-+ break;
-+ case -ERESTARTSYS:
-+ /* The result of the rename is unknown. Play it safe by
-+ * forcing a new lookup */
-+ d_drop(dentry);
-+ d_drop(sdentry);
-+ }
- rpc_put_task(task);
- out_dput:
- dput(sdentry);
-diff --git a/fs/pipe.c b/fs/pipe.c
-index bd3479d..8e2e73f 100644
---- a/fs/pipe.c
-+++ b/fs/pipe.c
-@@ -863,6 +863,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp)
- {
- int ret = -ENOENT;
-
-+ if (!(filp->f_mode & (FMODE_READ|FMODE_WRITE)))
-+ return -EINVAL;
-+
- mutex_lock(&inode->i_mutex);
-
- if (inode->i_pipe) {
-diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c
-index b7a4719..66b51c0 100644
---- a/fs/proc/namespaces.c
-+++ b/fs/proc/namespaces.c
-@@ -118,7 +118,7 @@ static void *proc_ns_follow_link(struct dentry *dentry, struct nameidata *nd)
- struct super_block *sb = inode->i_sb;
- struct proc_inode *ei = PROC_I(inode);
- struct task_struct *task;
-- struct dentry *ns_dentry;
-+ struct path ns_path;
- void *error = ERR_PTR(-EACCES);
-
- task = get_proc_task(inode);
-@@ -128,14 +128,14 @@ static void *proc_ns_follow_link(struct dentry *dentry, struct nameidata *nd)
- if (!ptrace_may_access(task, PTRACE_MODE_READ))
- goto out_put_task;
-
-- ns_dentry = proc_ns_get_dentry(sb, task, ei->ns_ops);
-- if (IS_ERR(ns_dentry)) {
-- error = ERR_CAST(ns_dentry);
-+ ns_path.dentry = proc_ns_get_dentry(sb, task, ei->ns_ops);
-+ if (IS_ERR(ns_path.dentry)) {
-+ error = ERR_CAST(ns_path.dentry);
- goto out_put_task;
- }
-
-- dput(nd->path.dentry);
-- nd->path.dentry = ns_dentry;
-+ ns_path.mnt = mntget(nd->path.mnt);
-+ nd_jump_link(nd, &ns_path);
- error = NULL;
-
- out_put_task:
-diff --git a/include/linux/device-mapper.h b/include/linux/device-mapper.h
-index bf6afa2..a5cda3e 100644
---- a/include/linux/device-mapper.h
-+++ b/include/linux/device-mapper.h
-@@ -68,8 +68,8 @@ typedef void (*dm_postsuspend_fn) (struct dm_target *ti);
- typedef int (*dm_preresume_fn) (struct dm_target *ti);
- typedef void (*dm_resume_fn) (struct dm_target *ti);
-
--typedef int (*dm_status_fn) (struct dm_target *ti, status_type_t status_type,
-- unsigned status_flags, char *result, unsigned maxlen);
-+typedef void (*dm_status_fn) (struct dm_target *ti, status_type_t status_type,
-+ unsigned status_flags, char *result, unsigned maxlen);
-
- typedef int (*dm_message_fn) (struct dm_target *ti, unsigned argc, char **argv);
-
-diff --git a/include/linux/mfd/rtsx_pci.h b/include/linux/mfd/rtsx_pci.h
-index 4b117a3..acf4d31 100644
---- a/include/linux/mfd/rtsx_pci.h
-+++ b/include/linux/mfd/rtsx_pci.h
-@@ -735,6 +735,7 @@ struct rtsx_pcr {
-
- unsigned int card_inserted;
- unsigned int card_removed;
-+ unsigned int card_exist;
-
- struct delayed_work carddet_work;
- struct delayed_work idle_work;
-@@ -799,6 +800,7 @@ int rtsx_pci_switch_clock(struct rtsx_pcr *pcr, unsigned int card_clock,
- u8 ssc_depth, bool initial_mode, bool double_clk, bool vpclk);
- int rtsx_pci_card_power_on(struct rtsx_pcr *pcr, int card);
- int rtsx_pci_card_power_off(struct rtsx_pcr *pcr, int card);
-+int rtsx_pci_card_exclusive_check(struct rtsx_pcr *pcr, int card);
- int rtsx_pci_switch_output_voltage(struct rtsx_pcr *pcr, u8 voltage);
- unsigned int rtsx_pci_card_exist(struct rtsx_pcr *pcr);
- void rtsx_pci_complete_unfinished_transfer(struct rtsx_pcr *pcr);
-diff --git a/ipc/msg.c b/ipc/msg.c
-index 950572f..31cd1bf 100644
---- a/ipc/msg.c
-+++ b/ipc/msg.c
-@@ -820,15 +820,17 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp,
- struct msg_msg *copy = NULL;
- unsigned long copy_number = 0;
-
-+ ns = current->nsproxy->ipc_ns;
-+
- if (msqid < 0 || (long) bufsz < 0)
- return -EINVAL;
- if (msgflg & MSG_COPY) {
-- copy = prepare_copy(buf, bufsz, msgflg, &msgtyp, &copy_number);
-+ copy = prepare_copy(buf, min_t(size_t, bufsz, ns->msg_ctlmax),
-+ msgflg, &msgtyp, &copy_number);
- if (IS_ERR(copy))
- return PTR_ERR(copy);
- }
- mode = convert_mode(&msgtyp, msgflg);
-- ns = current->nsproxy->ipc_ns;
-
- msq = msg_lock_check(ns, msqid);
- if (IS_ERR(msq)) {
-diff --git a/ipc/msgutil.c b/ipc/msgutil.c
-index ebfcbfa..5df8e4b 100644
---- a/ipc/msgutil.c
-+++ b/ipc/msgutil.c
-@@ -117,9 +117,6 @@ struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst)
- if (alen > DATALEN_MSG)
- alen = DATALEN_MSG;
-
-- dst->next = NULL;
-- dst->security = NULL;
--
- memcpy(dst + 1, src + 1, alen);
-
- len -= alen;
-diff --git a/kernel/fork.c b/kernel/fork.c
-index c535f33..5630e52 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -1141,6 +1141,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
- if ((clone_flags & (CLONE_NEWNS|CLONE_FS)) == (CLONE_NEWNS|CLONE_FS))
- return ERR_PTR(-EINVAL);
-
-+ if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
-+ return ERR_PTR(-EINVAL);
-+
- /*
- * Thread groups must share signals as well, and detached threads
- * can only be started up within the thread group.
-@@ -1801,7 +1804,7 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
- * If unsharing a user namespace must also unshare the thread.
- */
- if (unshare_flags & CLONE_NEWUSER)
-- unshare_flags |= CLONE_THREAD;
-+ unshare_flags |= CLONE_THREAD | CLONE_FS;
- /*
- * If unsharing a pid namespace must also unshare the thread.
- */
-diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c
-index d58e552..e78feff 100644
---- a/kernel/time/tick-sched.c
-+++ b/kernel/time/tick-sched.c
-@@ -564,14 +564,19 @@ void tick_nohz_idle_enter(void)
- */
- void tick_nohz_irq_exit(void)
- {
-+ unsigned long flags;
- struct tick_sched *ts = &__get_cpu_var(tick_cpu_sched);
-
- if (!ts->inidle)
- return;
-
-- /* Cancel the timer because CPU already waken up from the C-states*/
-+ local_irq_save(flags);
-+
-+ /* Cancel the timer because CPU already waken up from the C-states */
- menu_hrtimer_cancel();
- __tick_nohz_idle_enter(ts);
-+
-+ local_irq_restore(flags);
- }
-
- /**
-diff --git a/kernel/trace/Kconfig b/kernel/trace/Kconfig
-index 5d89335..2747967 100644
---- a/kernel/trace/Kconfig
-+++ b/kernel/trace/Kconfig
-@@ -416,24 +416,28 @@ config PROBE_EVENTS
- def_bool n
-
- config DYNAMIC_FTRACE
-- bool "enable/disable ftrace tracepoints dynamically"
-+ bool "enable/disable function tracing dynamically"
- depends on FUNCTION_TRACER
- depends on HAVE_DYNAMIC_FTRACE
- default y
- help
-- This option will modify all the calls to ftrace dynamically
-- (will patch them out of the binary image and replace them
-- with a No-Op instruction) as they are called. A table is
-- created to dynamically enable them again.
-+ This option will modify all the calls to function tracing
-+ dynamically (will patch them out of the binary image and
-+ replace them with a No-Op instruction) on boot up. During
-+ compile time, a table is made of all the locations that ftrace
-+ can function trace, and this table is linked into the kernel
-+ image. When this is enabled, functions can be individually
-+ enabled, and the functions not enabled will not affect
-+ performance of the system.
-+
-+ See the files in /sys/kernel/debug/tracing:
-+ available_filter_functions
-+ set_ftrace_filter
-+ set_ftrace_notrace
-
- This way a CONFIG_FUNCTION_TRACER kernel is slightly larger, but
- otherwise has native performance as long as no tracing is active.
-
-- The changes to the code are done by a kernel thread that
-- wakes up once a second and checks to see if any ftrace calls
-- were made. If so, it runs stop_machine (stops all CPUS)
-- and modifies the code to jump over the call to ftrace.
--
- config FUNCTION_PROFILER
- bool "Kernel function profiler"
- depends on FUNCTION_TRACER
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index 2b042c4..dbfe36a7 100644
---- a/kernel/user_namespace.c
-+++ b/kernel/user_namespace.c
-@@ -21,6 +21,7 @@
- #include <linux/uaccess.h>
- #include <linux/ctype.h>
- #include <linux/projid.h>
-+#include <linux/fs_struct.h>
-
- static struct kmem_cache *user_ns_cachep __read_mostly;
-
-@@ -803,6 +804,9 @@ static int userns_install(struct nsproxy *nsproxy, void *ns)
- if (atomic_read(&current->mm->mm_users) > 1)
- return -EINVAL;
-
-+ if (current->fs->users != 1)
-+ return -EINVAL;
-+
- if (!ns_capable(user_ns, CAP_SYS_ADMIN))
- return -EPERM;
-
-diff --git a/mm/mempolicy.c b/mm/mempolicy.c
-index e2df1c1..3df6d12 100644
---- a/mm/mempolicy.c
-+++ b/mm/mempolicy.c
-@@ -2386,8 +2386,8 @@ restart:
- *mpol_new = *n->policy;
- atomic_set(&mpol_new->refcnt, 1);
- sp_node_init(n_new, n->end, end, mpol_new);
-- sp_insert(sp, n_new);
- n->end = start;
-+ sp_insert(sp, n_new);
- n_new = NULL;
- mpol_new = NULL;
- break;
-diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c
-index 926b466..fd26d04 100644
---- a/mm/process_vm_access.c
-+++ b/mm/process_vm_access.c
-@@ -429,12 +429,6 @@ compat_process_vm_rw(compat_pid_t pid,
- if (flags != 0)
- return -EINVAL;
-
-- if (!access_ok(VERIFY_READ, lvec, liovcnt * sizeof(*lvec)))
-- goto out;
--
-- if (!access_ok(VERIFY_READ, rvec, riovcnt * sizeof(*rvec)))
-- goto out;
--
- if (vm_write)
- rc = compat_rw_copy_check_uvector(WRITE, lvec, liovcnt,
- UIO_FASTIOV, iovstack_l,
-@@ -459,8 +453,6 @@ free_iovecs:
- kfree(iov_r);
- if (iov_l != iovstack_l)
- kfree(iov_l);
--
--out:
- return rc;
- }
-
-diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
-index f651da6..76c3d0a 100644
---- a/net/ieee802154/6lowpan.c
-+++ b/net/ieee802154/6lowpan.c
-@@ -1234,7 +1234,7 @@ static inline int __init lowpan_netlink_init(void)
- return rtnl_link_register(&lowpan_link_ops);
- }
-
--static inline void __init lowpan_netlink_fini(void)
-+static inline void lowpan_netlink_fini(void)
- {
- rtnl_link_unregister(&lowpan_link_ops);
- }
-diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
-index f75ba1a..9979bf8 100644
---- a/net/mac80211/mlme.c
-+++ b/net/mac80211/mlme.c
-@@ -4072,6 +4072,17 @@ void ieee80211_mgd_stop(struct ieee80211_sub_if_data *sdata)
- {
- struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
-
-+ /*
-+ * Make sure some work items will not run after this,
-+ * they will not do anything but might not have been
-+ * cancelled when disconnecting.
-+ */
-+ cancel_work_sync(&ifmgd->monitor_work);
-+ cancel_work_sync(&ifmgd->beacon_connection_loss_work);
-+ cancel_work_sync(&ifmgd->request_smps_work);
-+ cancel_work_sync(&ifmgd->csa_connection_drop_work);
-+ cancel_work_sync(&ifmgd->chswitch_work);
-+
- mutex_lock(&ifmgd->mtx);
- if (ifmgd->assoc_data)
- ieee80211_destroy_assoc_data(sdata, false);
-diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
-index 33811db..ab02588 100644
---- a/net/sunrpc/xprt.c
-+++ b/net/sunrpc/xprt.c
-@@ -485,13 +485,17 @@ EXPORT_SYMBOL_GPL(xprt_wake_pending_tasks);
- * xprt_wait_for_buffer_space - wait for transport output buffer to clear
- * @task: task to be put to sleep
- * @action: function pointer to be executed after wait
-+ *
-+ * Note that we only set the timer for the case of RPC_IS_SOFT(), since
-+ * we don't in general want to force a socket disconnection due to
-+ * an incomplete RPC call transmission.
- */
- void xprt_wait_for_buffer_space(struct rpc_task *task, rpc_action action)
- {
- struct rpc_rqst *req = task->tk_rqstp;
- struct rpc_xprt *xprt = req->rq_xprt;
-
-- task->tk_timeout = req->rq_timeout;
-+ task->tk_timeout = RPC_IS_SOFT(task) ? req->rq_timeout : 0;
- rpc_sleep_on(&xprt->pending, task, action);
- }
- EXPORT_SYMBOL_GPL(xprt_wait_for_buffer_space);
-diff --git a/security/keys/compat.c b/security/keys/compat.c
-index 1c26176..d65fa7f 100644
---- a/security/keys/compat.c
-+++ b/security/keys/compat.c
-@@ -40,12 +40,12 @@ static long compat_keyctl_instantiate_key_iov(
- ARRAY_SIZE(iovstack),
- iovstack, &iov);
- if (ret < 0)
-- return ret;
-+ goto err;
- if (ret == 0)
- goto no_payload_free;
-
- ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
--
-+err:
- if (iov != iovstack)
- kfree(iov);
- return ret;
-diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
-index 58dfe08..42defae 100644
---- a/security/keys/process_keys.c
-+++ b/security/keys/process_keys.c
-@@ -57,7 +57,7 @@ int install_user_keyrings(void)
-
- kenter("%p{%u}", user, uid);
-
-- if (user->uid_keyring) {
-+ if (user->uid_keyring && user->session_keyring) {
- kleave(" = 0 [exist]");
- return 0;
- }
-@@ -839,7 +839,7 @@ void key_change_session_keyring(struct callback_head *twork)
- new-> sgid = old-> sgid;
- new->fsgid = old->fsgid;
- new->user = get_uid(old->user);
-- new->user_ns = get_user_ns(new->user_ns);
-+ new->user_ns = get_user_ns(old->user_ns);
- new->group_info = get_group_info(old->group_info);
-
- new->securebits = old->securebits;
-diff --git a/sound/core/vmaster.c b/sound/core/vmaster.c
-index 8575861..0097f36 100644
---- a/sound/core/vmaster.c
-+++ b/sound/core/vmaster.c
-@@ -213,7 +213,10 @@ static int slave_put(struct snd_kcontrol *kcontrol,
- }
- if (!changed)
- return 0;
-- return slave_put_val(slave, ucontrol);
-+ err = slave_put_val(slave, ucontrol);
-+ if (err < 0)
-+ return err;
-+ return 1;
- }
-
- static int slave_tlv_cmd(struct snd_kcontrol *kcontrol,
-diff --git a/sound/pci/ice1712/ice1712.c b/sound/pci/ice1712/ice1712.c
-index 2ffdc35..806407a 100644
---- a/sound/pci/ice1712/ice1712.c
-+++ b/sound/pci/ice1712/ice1712.c
-@@ -2594,6 +2594,8 @@ static int snd_ice1712_create(struct snd_card *card,
- snd_ice1712_proc_init(ice);
- synchronize_irq(pci->irq);
-
-+ card->private_data = ice;
-+
- err = pci_request_regions(pci, "ICE1712");
- if (err < 0) {
- kfree(ice);
diff --git a/3.8.3/0000_README b/3.8.4/0000_README
index 072a299..db5e01b 100644
--- a/3.8.3/0000_README
+++ b/3.8.4/0000_README
@@ -2,15 +2,11 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 1001_linux-3.8.2.patch
+Patch: 1003_linux-3.8.4.patch
From: http://www.kernel.org
-Desc: Linux 3.8.2
+Desc: Linux 3.8.4
-Patch: 1002_linux-3.8.3.patch
-From: http://www.kernel.org
-Desc: Linux 3.8.3
-
-Patch: 4420_grsecurity-2.9.1-3.8.3-201303142235.patch
+Patch: 4420_grsecurity-2.9.1-3.8.4-201303221826.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.8.4/1003_linux-3.8.4.patch b/3.8.4/1003_linux-3.8.4.patch
new file mode 100644
index 0000000..132702f
--- /dev/null
+++ b/3.8.4/1003_linux-3.8.4.patch
@@ -0,0 +1,2902 @@
+diff --git a/Documentation/devicetree/bindings/tty/serial/of-serial.txt b/Documentation/devicetree/bindings/tty/serial/of-serial.txt
+index 1e1145c..8f01cb1 100644
+--- a/Documentation/devicetree/bindings/tty/serial/of-serial.txt
++++ b/Documentation/devicetree/bindings/tty/serial/of-serial.txt
+@@ -11,6 +11,9 @@ Required properties:
+ - "nvidia,tegra20-uart"
+ - "nxp,lpc3220-uart"
+ - "ibm,qpace-nwp-serial"
++ - "altr,16550-FIFO32"
++ - "altr,16550-FIFO64"
++ - "altr,16550-FIFO128"
+ - "serial" if the port type is unknown.
+ - reg : offset and length of the register set for the device.
+ - interrupts : should contain uart interrupt.
+diff --git a/Makefile b/Makefile
+index 8c49fc9b..e20f162 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 8
+-SUBLEVEL = 3
++SUBLEVEL = 4
+ EXTRAVERSION =
+ NAME = Unicycling Gorilla
+
+diff --git a/arch/arm/mach-at91/board-foxg20.c b/arch/arm/mach-at91/board-foxg20.c
+index 191d37c..1478294 100644
+--- a/arch/arm/mach-at91/board-foxg20.c
++++ b/arch/arm/mach-at91/board-foxg20.c
+@@ -176,6 +176,7 @@ static struct w1_gpio_platform_data w1_gpio_pdata = {
+ /* If you choose to use a pin other than PB16 it needs to be 3.3V */
+ .pin = AT91_PIN_PB16,
+ .is_open_drain = 1,
++ .ext_pullup_enable_pin = -EINVAL,
+ };
+
+ static struct platform_device w1_device = {
+diff --git a/arch/arm/mach-at91/board-stamp9g20.c b/arch/arm/mach-at91/board-stamp9g20.c
+index 48a962b..58a6758 100644
+--- a/arch/arm/mach-at91/board-stamp9g20.c
++++ b/arch/arm/mach-at91/board-stamp9g20.c
+@@ -188,6 +188,7 @@ static struct spi_board_info portuxg20_spi_devices[] = {
+ static struct w1_gpio_platform_data w1_gpio_pdata = {
+ .pin = AT91_PIN_PA29,
+ .is_open_drain = 1,
++ .ext_pullup_enable_pin = -EINVAL,
+ };
+
+ static struct platform_device w1_device = {
+diff --git a/arch/arm/mach-davinci/dma.c b/arch/arm/mach-davinci/dma.c
+index a685e97..45b7c71 100644
+--- a/arch/arm/mach-davinci/dma.c
++++ b/arch/arm/mach-davinci/dma.c
+@@ -743,6 +743,9 @@ EXPORT_SYMBOL(edma_free_channel);
+ */
+ int edma_alloc_slot(unsigned ctlr, int slot)
+ {
++ if (!edma_cc[ctlr])
++ return -EINVAL;
++
+ if (slot >= 0)
+ slot = EDMA_CHAN_SLOT(slot);
+
+diff --git a/arch/arm/mach-ixp4xx/vulcan-setup.c b/arch/arm/mach-ixp4xx/vulcan-setup.c
+index 2798f43..1dddc1b 100644
+--- a/arch/arm/mach-ixp4xx/vulcan-setup.c
++++ b/arch/arm/mach-ixp4xx/vulcan-setup.c
+@@ -163,6 +163,7 @@ static struct platform_device vulcan_max6369 = {
+
+ static struct w1_gpio_platform_data vulcan_w1_gpio_pdata = {
+ .pin = 14,
++ .ext_pullup_enable_pin = -EINVAL,
+ };
+
+ static struct platform_device vulcan_w1_gpio = {
+diff --git a/arch/arm/mach-kirkwood/board-dt.c b/arch/arm/mach-kirkwood/board-dt.c
+index de4fd2b..e714ead 100644
+--- a/arch/arm/mach-kirkwood/board-dt.c
++++ b/arch/arm/mach-kirkwood/board-dt.c
+@@ -41,16 +41,12 @@ static void __init kirkwood_legacy_clk_init(void)
+
+ struct device_node *np = of_find_compatible_node(
+ NULL, NULL, "marvell,kirkwood-gating-clock");
+-
+ struct of_phandle_args clkspec;
++ struct clk *clk;
+
+ clkspec.np = np;
+ clkspec.args_count = 1;
+
+- clkspec.args[0] = CGC_BIT_GE0;
+- orion_clkdev_add(NULL, "mv643xx_eth_port.0",
+- of_clk_get_from_provider(&clkspec));
+-
+ clkspec.args[0] = CGC_BIT_PEX0;
+ orion_clkdev_add("0", "pcie",
+ of_clk_get_from_provider(&clkspec));
+@@ -63,14 +59,24 @@ static void __init kirkwood_legacy_clk_init(void)
+ orion_clkdev_add("1", "pcie",
+ of_clk_get_from_provider(&clkspec));
+
+- clkspec.args[0] = CGC_BIT_GE1;
+- orion_clkdev_add(NULL, "mv643xx_eth_port.1",
+- of_clk_get_from_provider(&clkspec));
+-
+ clkspec.args[0] = CGC_BIT_SDIO;
+ orion_clkdev_add(NULL, "mvsdio",
+ of_clk_get_from_provider(&clkspec));
+
++ /*
++ * The ethernet interfaces forget the MAC address assigned by
++ * u-boot if the clocks are turned off. Until proper DT support
++ * is available we always enable them for now.
++ */
++ clkspec.args[0] = CGC_BIT_GE0;
++ clk = of_clk_get_from_provider(&clkspec);
++ orion_clkdev_add(NULL, "mv643xx_eth_port.0", clk);
++ clk_prepare_enable(clk);
++
++ clkspec.args[0] = CGC_BIT_GE1;
++ clk = of_clk_get_from_provider(&clkspec);
++ orion_clkdev_add(NULL, "mv643xx_eth_port.1", clk);
++ clk_prepare_enable(clk);
+ }
+
+ static void __init kirkwood_of_clk_init(void)
+diff --git a/arch/arm/mach-pxa/raumfeld.c b/arch/arm/mach-pxa/raumfeld.c
+index 25b08bfa..6283fcb 100644
+--- a/arch/arm/mach-pxa/raumfeld.c
++++ b/arch/arm/mach-pxa/raumfeld.c
+@@ -505,6 +505,7 @@ static struct w1_gpio_platform_data w1_gpio_platform_data = {
+ .pin = GPIO_ONE_WIRE,
+ .is_open_drain = 0,
+ .enable_external_pullup = w1_enable_external_pullup,
++ .ext_pullup_enable_pin = -EINVAL,
+ };
+
+ struct platform_device raumfeld_w1_gpio_device = {
+diff --git a/arch/powerpc/include/asm/mmu-hash64.h b/arch/powerpc/include/asm/mmu-hash64.h
+index 2fdb47a..b59e06f 100644
+--- a/arch/powerpc/include/asm/mmu-hash64.h
++++ b/arch/powerpc/include/asm/mmu-hash64.h
+@@ -343,17 +343,16 @@ extern void slb_set_size(u16 size);
+ /*
+ * VSID allocation (256MB segment)
+ *
+- * We first generate a 38-bit "proto-VSID". For kernel addresses this
+- * is equal to the ESID | 1 << 37, for user addresses it is:
+- * (context << USER_ESID_BITS) | (esid & ((1U << USER_ESID_BITS) - 1)
++ * We first generate a 37-bit "proto-VSID". Proto-VSIDs are generated
++ * from mmu context id and effective segment id of the address.
+ *
+- * This splits the proto-VSID into the below range
+- * 0 - (2^(CONTEXT_BITS + USER_ESID_BITS) - 1) : User proto-VSID range
+- * 2^(CONTEXT_BITS + USER_ESID_BITS) - 2^(VSID_BITS) : Kernel proto-VSID range
+- *
+- * We also have CONTEXT_BITS + USER_ESID_BITS = VSID_BITS - 1
+- * That is, we assign half of the space to user processes and half
+- * to the kernel.
++ * For user processes max context id is limited to ((1ul << 19) - 5)
++ * for kernel space, we use the top 4 context ids to map address as below
++ * NOTE: each context only support 64TB now.
++ * 0x7fffc - [ 0xc000000000000000 - 0xc0003fffffffffff ]
++ * 0x7fffd - [ 0xd000000000000000 - 0xd0003fffffffffff ]
++ * 0x7fffe - [ 0xe000000000000000 - 0xe0003fffffffffff ]
++ * 0x7ffff - [ 0xf000000000000000 - 0xf0003fffffffffff ]
+ *
+ * The proto-VSIDs are then scrambled into real VSIDs with the
+ * multiplicative hash:
+@@ -363,41 +362,49 @@ extern void slb_set_size(u16 size);
+ * VSID_MULTIPLIER is prime, so in particular it is
+ * co-prime to VSID_MODULUS, making this a 1:1 scrambling function.
+ * Because the modulus is 2^n-1 we can compute it efficiently without
+- * a divide or extra multiply (see below).
+- *
+- * This scheme has several advantages over older methods:
+- *
+- * - We have VSIDs allocated for every kernel address
+- * (i.e. everything above 0xC000000000000000), except the very top
+- * segment, which simplifies several things.
++ * a divide or extra multiply (see below). The scramble function gives
++ * robust scattering in the hash table (at least based on some initial
++ * results).
+ *
+- * - We allow for USER_ESID_BITS significant bits of ESID and
+- * CONTEXT_BITS bits of context for user addresses.
+- * i.e. 64T (46 bits) of address space for up to half a million contexts.
++ * We also consider VSID 0 special. We use VSID 0 for slb entries mapping
++ * bad address. This enables us to consolidate bad address handling in
++ * hash_page.
+ *
+- * - The scramble function gives robust scattering in the hash
+- * table (at least based on some initial results). The previous
+- * method was more susceptible to pathological cases giving excessive
+- * hash collisions.
++ * We also need to avoid the last segment of the last context, because that
++ * would give a protovsid of 0x1fffffffff. That will result in a VSID 0
++ * because of the modulo operation in vsid scramble. But the vmemmap
++ * (which is what uses region 0xf) will never be close to 64TB in size
++ * (it's 56 bytes per page of system memory).
+ */
+
++#define CONTEXT_BITS 19
++#define ESID_BITS 18
++#define ESID_BITS_1T 6
++
++/*
++ * 256MB segment
++ * The proto-VSID space has 2^(CONTEX_BITS + ESID_BITS) - 1 segments
++ * available for user + kernel mapping. The top 4 contexts are used for
++ * kernel mapping. Each segment contains 2^28 bytes. Each
++ * context maps 2^46 bytes (64TB) so we can support 2^19-1 contexts
++ * (19 == 37 + 28 - 46).
++ */
++#define MAX_USER_CONTEXT ((ASM_CONST(1) << CONTEXT_BITS) - 5)
++
+ /*
+ * This should be computed such that protovosid * vsid_mulitplier
+ * doesn't overflow 64 bits. It should also be co-prime to vsid_modulus
+ */
+ #define VSID_MULTIPLIER_256M ASM_CONST(12538073) /* 24-bit prime */
+-#define VSID_BITS_256M 38
++#define VSID_BITS_256M (CONTEXT_BITS + ESID_BITS)
+ #define VSID_MODULUS_256M ((1UL<<VSID_BITS_256M)-1)
+
+ #define VSID_MULTIPLIER_1T ASM_CONST(12538073) /* 24-bit prime */
+-#define VSID_BITS_1T 26
++#define VSID_BITS_1T (CONTEXT_BITS + ESID_BITS_1T)
+ #define VSID_MODULUS_1T ((1UL<<VSID_BITS_1T)-1)
+
+-#define CONTEXT_BITS 19
+-#define USER_ESID_BITS 18
+-#define USER_ESID_BITS_1T 6
+
+-#define USER_VSID_RANGE (1UL << (USER_ESID_BITS + SID_SHIFT))
++#define USER_VSID_RANGE (1UL << (ESID_BITS + SID_SHIFT))
+
+ /*
+ * This macro generates asm code to compute the VSID scramble
+@@ -421,7 +428,8 @@ extern void slb_set_size(u16 size);
+ srdi rx,rt,VSID_BITS_##size; \
+ clrldi rt,rt,(64-VSID_BITS_##size); \
+ add rt,rt,rx; /* add high and low bits */ \
+- /* Now, r3 == VSID (mod 2^36-1), and lies between 0 and \
++ /* NOTE: explanation based on VSID_BITS_##size = 36 \
++ * Now, r3 == VSID (mod 2^36-1), and lies between 0 and \
+ * 2^36-1+2^28-1. That in particular means that if r3 >= \
+ * 2^36-1, then r3+1 has the 2^36 bit set. So, if r3+1 has \
+ * the bit clear, r3 already has the answer we want, if it \
+@@ -513,34 +521,6 @@ typedef struct {
+ })
+ #endif /* 1 */
+
+-/*
+- * This is only valid for addresses >= PAGE_OFFSET
+- * The proto-VSID space is divided into two class
+- * User: 0 to 2^(CONTEXT_BITS + USER_ESID_BITS) -1
+- * kernel: 2^(CONTEXT_BITS + USER_ESID_BITS) to 2^(VSID_BITS) - 1
+- *
+- * With KERNEL_START at 0xc000000000000000, the proto vsid for
+- * the kernel ends up with 0xc00000000 (36 bits). With 64TB
+- * support we need to have kernel proto-VSID in the
+- * [2^37 to 2^38 - 1] range due to the increased USER_ESID_BITS.
+- */
+-static inline unsigned long get_kernel_vsid(unsigned long ea, int ssize)
+-{
+- unsigned long proto_vsid;
+- /*
+- * We need to make sure proto_vsid for the kernel is
+- * >= 2^(CONTEXT_BITS + USER_ESID_BITS[_1T])
+- */
+- if (ssize == MMU_SEGSIZE_256M) {
+- proto_vsid = ea >> SID_SHIFT;
+- proto_vsid |= (1UL << (CONTEXT_BITS + USER_ESID_BITS));
+- return vsid_scramble(proto_vsid, 256M);
+- }
+- proto_vsid = ea >> SID_SHIFT_1T;
+- proto_vsid |= (1UL << (CONTEXT_BITS + USER_ESID_BITS_1T));
+- return vsid_scramble(proto_vsid, 1T);
+-}
+-
+ /* Returns the segment size indicator for a user address */
+ static inline int user_segment_size(unsigned long addr)
+ {
+@@ -550,17 +530,41 @@ static inline int user_segment_size(unsigned long addr)
+ return MMU_SEGSIZE_256M;
+ }
+
+-/* This is only valid for user addresses (which are below 2^44) */
+ static inline unsigned long get_vsid(unsigned long context, unsigned long ea,
+ int ssize)
+ {
++ /*
++ * Bad address. We return VSID 0 for that
++ */
++ if ((ea & ~REGION_MASK) >= PGTABLE_RANGE)
++ return 0;
++
+ if (ssize == MMU_SEGSIZE_256M)
+- return vsid_scramble((context << USER_ESID_BITS)
++ return vsid_scramble((context << ESID_BITS)
+ | (ea >> SID_SHIFT), 256M);
+- return vsid_scramble((context << USER_ESID_BITS_1T)
++ return vsid_scramble((context << ESID_BITS_1T)
+ | (ea >> SID_SHIFT_1T), 1T);
+ }
+
++/*
++ * This is only valid for addresses >= PAGE_OFFSET
++ *
++ * For kernel space, we use the top 4 context ids to map address as below
++ * 0x7fffc - [ 0xc000000000000000 - 0xc0003fffffffffff ]
++ * 0x7fffd - [ 0xd000000000000000 - 0xd0003fffffffffff ]
++ * 0x7fffe - [ 0xe000000000000000 - 0xe0003fffffffffff ]
++ * 0x7ffff - [ 0xf000000000000000 - 0xf0003fffffffffff ]
++ */
++static inline unsigned long get_kernel_vsid(unsigned long ea, int ssize)
++{
++ unsigned long context;
++
++ /*
++ * kernel take the top 4 context from the available range
++ */
++ context = (MAX_USER_CONTEXT) + ((ea >> 60) - 0xc) + 1;
++ return get_vsid(context, ea, ssize);
++}
+ #endif /* __ASSEMBLY__ */
+
+ #endif /* _ASM_POWERPC_MMU_HASH64_H_ */
+diff --git a/arch/powerpc/kernel/cputable.c b/arch/powerpc/kernel/cputable.c
+index 75a3d71..19599ef 100644
+--- a/arch/powerpc/kernel/cputable.c
++++ b/arch/powerpc/kernel/cputable.c
+@@ -275,7 +275,7 @@ static struct cpu_spec __initdata cpu_specs[] = {
+ .cpu_features = CPU_FTRS_PPC970,
+ .cpu_user_features = COMMON_USER_POWER4 |
+ PPC_FEATURE_HAS_ALTIVEC_COMP,
+- .mmu_features = MMU_FTR_HPTE_TABLE,
++ .mmu_features = MMU_FTRS_PPC970,
+ .icache_bsize = 128,
+ .dcache_bsize = 128,
+ .num_pmcs = 8,
+diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
+index 4665e82..3684cbd 100644
+--- a/arch/powerpc/kernel/exceptions-64s.S
++++ b/arch/powerpc/kernel/exceptions-64s.S
+@@ -1268,20 +1268,36 @@ do_ste_alloc:
+ _GLOBAL(do_stab_bolted)
+ stw r9,PACA_EXSLB+EX_CCR(r13) /* save CR in exc. frame */
+ std r11,PACA_EXSLB+EX_SRR0(r13) /* save SRR0 in exc. frame */
++ mfspr r11,SPRN_DAR /* ea */
+
++ /*
++ * check for bad kernel/user address
++ * (ea & ~REGION_MASK) >= PGTABLE_RANGE
++ */
++ rldicr. r9,r11,4,(63 - 46 - 4)
++ li r9,0 /* VSID = 0 for bad address */
++ bne- 0f
++
++ /*
++ * Calculate VSID:
++ * This is the kernel vsid, we take the top for context from
++ * the range. context = (MAX_USER_CONTEXT) + ((ea >> 60) - 0xc) + 1
++ * Here we know that (ea >> 60) == 0xc
++ */
++ lis r9,(MAX_USER_CONTEXT + 1)@ha
++ addi r9,r9,(MAX_USER_CONTEXT + 1)@l
++
++ srdi r10,r11,SID_SHIFT
++ rldimi r10,r9,ESID_BITS,0 /* proto vsid */
++ ASM_VSID_SCRAMBLE(r10, r9, 256M)
++ rldic r9,r10,12,16 /* r9 = vsid << 12 */
++
++0:
+ /* Hash to the primary group */
+ ld r10,PACASTABVIRT(r13)
+- mfspr r11,SPRN_DAR
+- srdi r11,r11,28
++ srdi r11,r11,SID_SHIFT
+ rldimi r10,r11,7,52 /* r10 = first ste of the group */
+
+- /* Calculate VSID */
+- /* This is a kernel address, so protovsid = ESID | 1 << 37 */
+- li r9,0x1
+- rldimi r11,r9,(CONTEXT_BITS + USER_ESID_BITS),0
+- ASM_VSID_SCRAMBLE(r11, r9, 256M)
+- rldic r9,r11,12,16 /* r9 = vsid << 12 */
+-
+ /* Search the primary group for a free entry */
+ 1: ld r11,0(r10) /* Test valid bit of the current ste */
+ andi. r11,r11,0x80
+diff --git a/arch/powerpc/kvm/book3s_64_mmu_host.c b/arch/powerpc/kvm/book3s_64_mmu_host.c
+index ead58e3..5d7d29a 100644
+--- a/arch/powerpc/kvm/book3s_64_mmu_host.c
++++ b/arch/powerpc/kvm/book3s_64_mmu_host.c
+@@ -326,8 +326,8 @@ int kvmppc_mmu_init(struct kvm_vcpu *vcpu)
+ vcpu3s->context_id[0] = err;
+
+ vcpu3s->proto_vsid_max = ((vcpu3s->context_id[0] + 1)
+- << USER_ESID_BITS) - 1;
+- vcpu3s->proto_vsid_first = vcpu3s->context_id[0] << USER_ESID_BITS;
++ << ESID_BITS) - 1;
++ vcpu3s->proto_vsid_first = vcpu3s->context_id[0] << ESID_BITS;
+ vcpu3s->proto_vsid_next = vcpu3s->proto_vsid_first;
+
+ kvmppc_mmu_hpte_init(vcpu);
+diff --git a/arch/powerpc/mm/hash_utils_64.c b/arch/powerpc/mm/hash_utils_64.c
+index 3a292be..004630b 100644
+--- a/arch/powerpc/mm/hash_utils_64.c
++++ b/arch/powerpc/mm/hash_utils_64.c
+@@ -194,6 +194,11 @@ int htab_bolt_mapping(unsigned long vstart, unsigned long vend,
+ unsigned long vpn = hpt_vpn(vaddr, vsid, ssize);
+ unsigned long tprot = prot;
+
++ /*
++ * If we hit a bad address return error.
++ */
++ if (!vsid)
++ return -1;
+ /* Make kernel text executable */
+ if (overlaps_kernel_text(vaddr, vaddr + step))
+ tprot &= ~HPTE_R_N;
+@@ -758,6 +763,8 @@ void __init early_init_mmu(void)
+ /* Initialize stab / SLB management */
+ if (mmu_has_feature(MMU_FTR_SLB))
+ slb_initialize();
++ else
++ stab_initialize(get_paca()->stab_real);
+ }
+
+ #ifdef CONFIG_SMP
+@@ -921,11 +928,6 @@ int hash_page(unsigned long ea, unsigned long access, unsigned long trap)
+ DBG_LOW("hash_page(ea=%016lx, access=%lx, trap=%lx\n",
+ ea, access, trap);
+
+- if ((ea & ~REGION_MASK) >= PGTABLE_RANGE) {
+- DBG_LOW(" out of pgtable range !\n");
+- return 1;
+- }
+-
+ /* Get region & vsid */
+ switch (REGION_ID(ea)) {
+ case USER_REGION_ID:
+@@ -956,6 +958,11 @@ int hash_page(unsigned long ea, unsigned long access, unsigned long trap)
+ }
+ DBG_LOW(" mm=%p, mm->pgdir=%p, vsid=%016lx\n", mm, mm->pgd, vsid);
+
++ /* Bad address. */
++ if (!vsid) {
++ DBG_LOW("Bad address!\n");
++ return 1;
++ }
+ /* Get pgdir */
+ pgdir = mm->pgd;
+ if (pgdir == NULL)
+@@ -1125,6 +1132,8 @@ void hash_preload(struct mm_struct *mm, unsigned long ea,
+ /* Get VSID */
+ ssize = user_segment_size(ea);
+ vsid = get_vsid(mm->context.id, ea, ssize);
++ if (!vsid)
++ return;
+
+ /* Hash doesn't like irqs */
+ local_irq_save(flags);
+@@ -1217,6 +1226,9 @@ static void kernel_map_linear_page(unsigned long vaddr, unsigned long lmi)
+ hash = hpt_hash(vpn, PAGE_SHIFT, mmu_kernel_ssize);
+ hpteg = ((hash & htab_hash_mask) * HPTES_PER_GROUP);
+
++ /* Don't create HPTE entries for bad address */
++ if (!vsid)
++ return;
+ ret = ppc_md.hpte_insert(hpteg, vpn, __pa(vaddr),
+ mode, HPTE_V_BOLTED,
+ mmu_linear_psize, mmu_kernel_ssize);
+diff --git a/arch/powerpc/mm/mmu_context_hash64.c b/arch/powerpc/mm/mmu_context_hash64.c
+index 40bc5b0..d1d1b92 100644
+--- a/arch/powerpc/mm/mmu_context_hash64.c
++++ b/arch/powerpc/mm/mmu_context_hash64.c
+@@ -29,15 +29,6 @@
+ static DEFINE_SPINLOCK(mmu_context_lock);
+ static DEFINE_IDA(mmu_context_ida);
+
+-/*
+- * 256MB segment
+- * The proto-VSID space has 2^(CONTEX_BITS + USER_ESID_BITS) - 1 segments
+- * available for user mappings. Each segment contains 2^28 bytes. Each
+- * context maps 2^46 bytes (64TB) so we can support 2^19-1 contexts
+- * (19 == 37 + 28 - 46).
+- */
+-#define MAX_CONTEXT ((1UL << CONTEXT_BITS) - 1)
+-
+ int __init_new_context(void)
+ {
+ int index;
+@@ -56,7 +47,7 @@ again:
+ else if (err)
+ return err;
+
+- if (index > MAX_CONTEXT) {
++ if (index > MAX_USER_CONTEXT) {
+ spin_lock(&mmu_context_lock);
+ ida_remove(&mmu_context_ida, index);
+ spin_unlock(&mmu_context_lock);
+diff --git a/arch/powerpc/mm/pgtable_64.c b/arch/powerpc/mm/pgtable_64.c
+index e212a27..654258f 100644
+--- a/arch/powerpc/mm/pgtable_64.c
++++ b/arch/powerpc/mm/pgtable_64.c
+@@ -61,7 +61,7 @@
+ #endif
+
+ #ifdef CONFIG_PPC_STD_MMU_64
+-#if TASK_SIZE_USER64 > (1UL << (USER_ESID_BITS + SID_SHIFT))
++#if TASK_SIZE_USER64 > (1UL << (ESID_BITS + SID_SHIFT))
+ #error TASK_SIZE_USER64 exceeds user VSID range
+ #endif
+ #endif
+diff --git a/arch/powerpc/mm/slb_low.S b/arch/powerpc/mm/slb_low.S
+index 1a16ca2..17aa6df 100644
+--- a/arch/powerpc/mm/slb_low.S
++++ b/arch/powerpc/mm/slb_low.S
+@@ -31,10 +31,15 @@
+ * No other registers are examined or changed.
+ */
+ _GLOBAL(slb_allocate_realmode)
+- /* r3 = faulting address */
++ /*
++ * check for bad kernel/user address
++ * (ea & ~REGION_MASK) >= PGTABLE_RANGE
++ */
++ rldicr. r9,r3,4,(63 - 46 - 4)
++ bne- 8f
+
+ srdi r9,r3,60 /* get region */
+- srdi r10,r3,28 /* get esid */
++ srdi r10,r3,SID_SHIFT /* get esid */
+ cmpldi cr7,r9,0xc /* cmp PAGE_OFFSET for later use */
+
+ /* r3 = address, r10 = esid, cr7 = <> PAGE_OFFSET */
+@@ -56,12 +61,14 @@ _GLOBAL(slb_allocate_realmode)
+ */
+ _GLOBAL(slb_miss_kernel_load_linear)
+ li r11,0
+- li r9,0x1
+ /*
+- * for 1T we shift 12 bits more. slb_finish_load_1T will do
+- * the necessary adjustment
++ * context = (MAX_USER_CONTEXT) + ((ea >> 60) - 0xc) + 1
++ * r9 = region id.
+ */
+- rldimi r10,r9,(CONTEXT_BITS + USER_ESID_BITS),0
++ addis r9,r9,(MAX_USER_CONTEXT - 0xc + 1)@ha
++ addi r9,r9,(MAX_USER_CONTEXT - 0xc + 1)@l
++
++
+ BEGIN_FTR_SECTION
+ b slb_finish_load
+ END_MMU_FTR_SECTION_IFCLR(MMU_FTR_1T_SEGMENT)
+@@ -91,24 +98,19 @@ _GLOBAL(slb_miss_kernel_load_vmemmap)
+ _GLOBAL(slb_miss_kernel_load_io)
+ li r11,0
+ 6:
+- li r9,0x1
+ /*
+- * for 1T we shift 12 bits more. slb_finish_load_1T will do
+- * the necessary adjustment
++ * context = (MAX_USER_CONTEXT) + ((ea >> 60) - 0xc) + 1
++ * r9 = region id.
+ */
+- rldimi r10,r9,(CONTEXT_BITS + USER_ESID_BITS),0
++ addis r9,r9,(MAX_USER_CONTEXT - 0xc + 1)@ha
++ addi r9,r9,(MAX_USER_CONTEXT - 0xc + 1)@l
++
+ BEGIN_FTR_SECTION
+ b slb_finish_load
+ END_MMU_FTR_SECTION_IFCLR(MMU_FTR_1T_SEGMENT)
+ b slb_finish_load_1T
+
+-0: /* user address: proto-VSID = context << 15 | ESID. First check
+- * if the address is within the boundaries of the user region
+- */
+- srdi. r9,r10,USER_ESID_BITS
+- bne- 8f /* invalid ea bits set */
+-
+-
++0:
+ /* when using slices, we extract the psize off the slice bitmaps
+ * and then we need to get the sllp encoding off the mmu_psize_defs
+ * array.
+@@ -164,15 +166,13 @@ END_MMU_FTR_SECTION_IFCLR(MMU_FTR_1T_SEGMENT)
+ ld r9,PACACONTEXTID(r13)
+ BEGIN_FTR_SECTION
+ cmpldi r10,0x1000
+-END_MMU_FTR_SECTION_IFSET(MMU_FTR_1T_SEGMENT)
+- rldimi r10,r9,USER_ESID_BITS,0
+-BEGIN_FTR_SECTION
+ bge slb_finish_load_1T
+ END_MMU_FTR_SECTION_IFSET(MMU_FTR_1T_SEGMENT)
+ b slb_finish_load
+
+ 8: /* invalid EA */
+ li r10,0 /* BAD_VSID */
++ li r9,0 /* BAD_VSID */
+ li r11,SLB_VSID_USER /* flags don't much matter */
+ b slb_finish_load
+
+@@ -221,8 +221,6 @@ _GLOBAL(slb_allocate_user)
+
+ /* get context to calculate proto-VSID */
+ ld r9,PACACONTEXTID(r13)
+- rldimi r10,r9,USER_ESID_BITS,0
+-
+ /* fall through slb_finish_load */
+
+ #endif /* __DISABLED__ */
+@@ -231,9 +229,10 @@ _GLOBAL(slb_allocate_user)
+ /*
+ * Finish loading of an SLB entry and return
+ *
+- * r3 = EA, r10 = proto-VSID, r11 = flags, clobbers r9, cr7 = <> PAGE_OFFSET
++ * r3 = EA, r9 = context, r10 = ESID, r11 = flags, clobbers r9, cr7 = <> PAGE_OFFSET
+ */
+ slb_finish_load:
++ rldimi r10,r9,ESID_BITS,0
+ ASM_VSID_SCRAMBLE(r10,r9,256M)
+ /*
+ * bits above VSID_BITS_256M need to be ignored from r10
+@@ -298,10 +297,11 @@ _GLOBAL(slb_compare_rr_to_size)
+ /*
+ * Finish loading of a 1T SLB entry (for the kernel linear mapping) and return.
+ *
+- * r3 = EA, r10 = proto-VSID, r11 = flags, clobbers r9
++ * r3 = EA, r9 = context, r10 = ESID(256MB), r11 = flags, clobbers r9
+ */
+ slb_finish_load_1T:
+- srdi r10,r10,40-28 /* get 1T ESID */
++ srdi r10,r10,(SID_SHIFT_1T - SID_SHIFT) /* get 1T ESID */
++ rldimi r10,r9,ESID_BITS_1T,0
+ ASM_VSID_SCRAMBLE(r10,r9,1T)
+ /*
+ * bits above VSID_BITS_1T need to be ignored from r10
+diff --git a/arch/powerpc/mm/tlb_hash64.c b/arch/powerpc/mm/tlb_hash64.c
+index 0d82ef5..023ec8a 100644
+--- a/arch/powerpc/mm/tlb_hash64.c
++++ b/arch/powerpc/mm/tlb_hash64.c
+@@ -82,11 +82,11 @@ void hpte_need_flush(struct mm_struct *mm, unsigned long addr,
+ if (!is_kernel_addr(addr)) {
+ ssize = user_segment_size(addr);
+ vsid = get_vsid(mm->context.id, addr, ssize);
+- WARN_ON(vsid == 0);
+ } else {
+ vsid = get_kernel_vsid(addr, mmu_kernel_ssize);
+ ssize = mmu_kernel_ssize;
+ }
++ WARN_ON(vsid == 0);
+ vpn = hpt_vpn(addr, vsid, ssize);
+ rpte = __real_pte(__pte(pte), ptep);
+
+diff --git a/arch/s390/include/asm/tlbflush.h b/arch/s390/include/asm/tlbflush.h
+index 1d8fe2b..6b32af3 100644
+--- a/arch/s390/include/asm/tlbflush.h
++++ b/arch/s390/include/asm/tlbflush.h
+@@ -74,8 +74,6 @@ static inline void __tlb_flush_idte(unsigned long asce)
+
+ static inline void __tlb_flush_mm(struct mm_struct * mm)
+ {
+- if (unlikely(cpumask_empty(mm_cpumask(mm))))
+- return;
+ /*
+ * If the machine has IDTE we prefer to do a per mm flush
+ * on all cpus instead of doing a local flush if the mm
+diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S
+index 5502285..94feff7 100644
+--- a/arch/s390/kernel/entry.S
++++ b/arch/s390/kernel/entry.S
+@@ -636,7 +636,8 @@ ENTRY(mcck_int_handler)
+ UPDATE_VTIME %r14,%r15,__LC_MCCK_ENTER_TIMER
+ mcck_skip:
+ SWITCH_ASYNC __LC_GPREGS_SAVE_AREA+32,__LC_PANIC_STACK,PAGE_SHIFT
+- mvc __PT_R0(64,%r11),__LC_GPREGS_SAVE_AREA
++ stm %r0,%r7,__PT_R0(%r11)
++ mvc __PT_R8(32,%r11),__LC_GPREGS_SAVE_AREA+32
+ stm %r8,%r9,__PT_PSW(%r11)
+ xc __SF_BACKCHAIN(4,%r15),__SF_BACKCHAIN(%r15)
+ l %r1,BASED(.Ldo_machine_check)
+diff --git a/arch/s390/kernel/entry64.S b/arch/s390/kernel/entry64.S
+index 6d34e0c..082b845 100644
+--- a/arch/s390/kernel/entry64.S
++++ b/arch/s390/kernel/entry64.S
+@@ -678,8 +678,9 @@ ENTRY(mcck_int_handler)
+ UPDATE_VTIME %r14,__LC_MCCK_ENTER_TIMER
+ LAST_BREAK %r14
+ mcck_skip:
+- lghi %r14,__LC_GPREGS_SAVE_AREA
+- mvc __PT_R0(128,%r11),0(%r14)
++ lghi %r14,__LC_GPREGS_SAVE_AREA+64
++ stmg %r0,%r7,__PT_R0(%r11)
++ mvc __PT_R8(64,%r11),0(%r14)
+ stmg %r8,%r9,__PT_PSW(%r11)
+ xc __SF_BACKCHAIN(8,%r15),__SF_BACKCHAIN(%r15)
+ lgr %r2,%r11 # pass pointer to pt_regs
+diff --git a/arch/x86/kernel/cpu/perf_event_intel_ds.c b/arch/x86/kernel/cpu/perf_event_intel_ds.c
+index 826054a..b05a575 100644
+--- a/arch/x86/kernel/cpu/perf_event_intel_ds.c
++++ b/arch/x86/kernel/cpu/perf_event_intel_ds.c
+@@ -729,3 +729,13 @@ void intel_ds_init(void)
+ }
+ }
+ }
++
++void perf_restore_debug_store(void)
++{
++ struct debug_store *ds = __this_cpu_read(cpu_hw_events.ds);
++
++ if (!x86_pmu.bts && !x86_pmu.pebs)
++ return;
++
++ wrmsrl(MSR_IA32_DS_AREA, (unsigned long)ds);
++}
+diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c
+index 120cee1..3c68768 100644
+--- a/arch/x86/power/cpu.c
++++ b/arch/x86/power/cpu.c
+@@ -11,6 +11,7 @@
+ #include <linux/suspend.h>
+ #include <linux/export.h>
+ #include <linux/smp.h>
++#include <linux/perf_event.h>
+
+ #include <asm/pgtable.h>
+ #include <asm/proto.h>
+@@ -228,6 +229,7 @@ static void __restore_processor_state(struct saved_context *ctxt)
+ do_fpu_end();
+ x86_platform.restore_sched_clock_state();
+ mtrr_bp_restore();
++ perf_restore_debug_store();
+ }
+
+ /* Needed by apm.c */
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index ae12512..8bc6d39 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1285,11 +1285,9 @@ static int loop_set_capacity(struct loop_device *lo, struct block_device *bdev)
+ /* the width of sector_t may be narrow for bit-shift */
+ sz = sec;
+ sz <<= 9;
+- mutex_lock(&bdev->bd_mutex);
+ bd_set_size(bdev, sz);
+ /* let user-space know about the new size */
+ kobject_uevent(&disk_to_dev(bdev->bd_disk)->kobj, KOBJ_CHANGE);
+- mutex_unlock(&bdev->bd_mutex);
+
+ out:
+ return err;
+@@ -1858,11 +1856,15 @@ static int __init loop_init(void)
+ max_part = (1UL << part_shift) - 1;
+ }
+
+- if ((1UL << part_shift) > DISK_MAX_PARTS)
+- return -EINVAL;
++ if ((1UL << part_shift) > DISK_MAX_PARTS) {
++ err = -EINVAL;
++ goto misc_out;
++ }
+
+- if (max_loop > 1UL << (MINORBITS - part_shift))
+- return -EINVAL;
++ if (max_loop > 1UL << (MINORBITS - part_shift)) {
++ err = -EINVAL;
++ goto misc_out;
++ }
+
+ /*
+ * If max_loop is specified, create that many devices upfront.
+@@ -1880,8 +1882,10 @@ static int __init loop_init(void)
+ range = 1UL << MINORBITS;
+ }
+
+- if (register_blkdev(LOOP_MAJOR, "loop"))
+- return -EIO;
++ if (register_blkdev(LOOP_MAJOR, "loop")) {
++ err = -EIO;
++ goto misc_out;
++ }
+
+ blk_register_region(MKDEV(LOOP_MAJOR, 0), range,
+ THIS_MODULE, loop_probe, NULL, NULL);
+@@ -1894,6 +1898,10 @@ static int __init loop_init(void)
+
+ printk(KERN_INFO "loop: module loaded\n");
+ return 0;
++
++misc_out:
++ misc_deregister(&loop_misc);
++ return err;
+ }
+
+ static int loop_exit_cb(int id, void *ptr, void *data)
+diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c
+index b65c103..1acc4e0 100644
+--- a/drivers/char/hw_random/virtio-rng.c
++++ b/drivers/char/hw_random/virtio-rng.c
+@@ -92,14 +92,22 @@ static int probe_common(struct virtio_device *vdev)
+ {
+ int err;
+
++ if (vq) {
++ /* We only support one device for now */
++ return -EBUSY;
++ }
+ /* We expect a single virtqueue. */
+ vq = virtio_find_single_vq(vdev, random_recv_done, "input");
+- if (IS_ERR(vq))
+- return PTR_ERR(vq);
++ if (IS_ERR(vq)) {
++ err = PTR_ERR(vq);
++ vq = NULL;
++ return err;
++ }
+
+ err = hwrng_register(&virtio_hwrng);
+ if (err) {
+ vdev->config->del_vqs(vdev);
++ vq = NULL;
+ return err;
+ }
+
+@@ -112,6 +120,7 @@ static void remove_common(struct virtio_device *vdev)
+ busy = false;
+ hwrng_unregister(&virtio_hwrng);
+ vdev->config->del_vqs(vdev);
++ vq = NULL;
+ }
+
+ static int virtrng_probe(struct virtio_device *vdev)
+diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
+index 5206f24..99daa89 100644
+--- a/drivers/gpu/drm/i915/i915_dma.c
++++ b/drivers/gpu/drm/i915/i915_dma.c
+@@ -1297,21 +1297,19 @@ static int i915_load_modeset_init(struct drm_device *dev)
+ if (ret)
+ goto cleanup_vga_switcheroo;
+
+- ret = drm_irq_install(dev);
+- if (ret)
+- goto cleanup_gem_stolen;
+-
+- /* Important: The output setup functions called by modeset_init need
+- * working irqs for e.g. gmbus and dp aux transfers. */
+ intel_modeset_init(dev);
+
+ ret = i915_gem_init(dev);
+ if (ret)
+- goto cleanup_irq;
++ goto cleanup_gem_stolen;
++
++ intel_modeset_gem_init(dev);
+
+ INIT_WORK(&dev_priv->console_resume_work, intel_console_resume);
+
+- intel_modeset_gem_init(dev);
++ ret = drm_irq_install(dev);
++ if (ret)
++ goto cleanup_gem;
+
+ /* Always safe in the mode setting case. */
+ /* FIXME: do pre/post-mode set stuff in core KMS code */
+@@ -1319,10 +1317,7 @@ static int i915_load_modeset_init(struct drm_device *dev)
+
+ ret = intel_fbdev_init(dev);
+ if (ret)
+- goto cleanup_gem;
+-
+- /* Only enable hotplug handling once the fbdev is fully set up. */
+- dev_priv->enable_hotplug_processing = true;
++ goto cleanup_irq;
+
+ drm_kms_helper_poll_init(dev);
+
+@@ -1331,13 +1326,13 @@ static int i915_load_modeset_init(struct drm_device *dev)
+
+ return 0;
+
++cleanup_irq:
++ drm_irq_uninstall(dev);
+ cleanup_gem:
+ mutex_lock(&dev->struct_mutex);
+ i915_gem_cleanup_ringbuffer(dev);
+ mutex_unlock(&dev->struct_mutex);
+ i915_gem_cleanup_aliasing_ppgtt(dev);
+-cleanup_irq:
+- drm_irq_uninstall(dev);
+ cleanup_gem_stolen:
+ i915_gem_cleanup_stolen(dev);
+ cleanup_vga_switcheroo:
+diff --git a/drivers/gpu/drm/i915/i915_drv.c b/drivers/gpu/drm/i915/i915_drv.c
+index fb6454c..79f5fc5 100644
+--- a/drivers/gpu/drm/i915/i915_drv.c
++++ b/drivers/gpu/drm/i915/i915_drv.c
+@@ -486,7 +486,6 @@ static int i915_drm_freeze(struct drm_device *dev)
+ intel_modeset_disable(dev);
+
+ drm_irq_uninstall(dev);
+- dev_priv->enable_hotplug_processing = false;
+ }
+
+ i915_save_state(dev);
+@@ -563,19 +562,9 @@ static int __i915_drm_thaw(struct drm_device *dev)
+ error = i915_gem_init_hw(dev);
+ mutex_unlock(&dev->struct_mutex);
+
+- /* We need working interrupts for modeset enabling ... */
+- drm_irq_install(dev);
+-
+ intel_modeset_init_hw(dev);
+ intel_modeset_setup_hw_state(dev, false);
+-
+- /*
+- * ... but also need to make sure that hotplug processing
+- * doesn't cause havoc. Like in the driver load code we don't
+- * bother with the tiny race here where we might loose hotplug
+- * notifications.
+- * */
+- dev_priv->enable_hotplug_processing = true;
++ drm_irq_install(dev);
+ }
+
+ intel_opregion_init(dev);
+diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h
+index 66ad64f..7339a4b 100644
+--- a/drivers/gpu/drm/i915/i915_drv.h
++++ b/drivers/gpu/drm/i915/i915_drv.h
+@@ -672,7 +672,6 @@ typedef struct drm_i915_private {
+
+ u32 hotplug_supported_mask;
+ struct work_struct hotplug_work;
+- bool enable_hotplug_processing;
+
+ int num_pipe;
+ int num_pch_pll;
+diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
+index 3c00403..fe84338 100644
+--- a/drivers/gpu/drm/i915/i915_irq.c
++++ b/drivers/gpu/drm/i915/i915_irq.c
+@@ -287,10 +287,6 @@ static void i915_hotplug_work_func(struct work_struct *work)
+ struct drm_mode_config *mode_config = &dev->mode_config;
+ struct intel_encoder *encoder;
+
+- /* HPD irq before everything is fully set up. */
+- if (!dev_priv->enable_hotplug_processing)
+- return;
+-
+ mutex_lock(&mode_config->mutex);
+ DRM_DEBUG_KMS("running encoder hotplug functions\n");
+
+diff --git a/drivers/hwmon/lineage-pem.c b/drivers/hwmon/lineage-pem.c
+index 41df29f..ebbb9f4 100644
+--- a/drivers/hwmon/lineage-pem.c
++++ b/drivers/hwmon/lineage-pem.c
+@@ -422,6 +422,7 @@ static struct attribute *pem_input_attributes[] = {
+ &sensor_dev_attr_in2_input.dev_attr.attr,
+ &sensor_dev_attr_curr1_input.dev_attr.attr,
+ &sensor_dev_attr_power1_input.dev_attr.attr,
++ NULL
+ };
+
+ static const struct attribute_group pem_input_group = {
+@@ -432,6 +433,7 @@ static struct attribute *pem_fan_attributes[] = {
+ &sensor_dev_attr_fan1_input.dev_attr.attr,
+ &sensor_dev_attr_fan2_input.dev_attr.attr,
+ &sensor_dev_attr_fan3_input.dev_attr.attr,
++ NULL
+ };
+
+ static const struct attribute_group pem_fan_group = {
+diff --git a/drivers/hwmon/pmbus/ltc2978.c b/drivers/hwmon/pmbus/ltc2978.c
+index a58de38..6d61307 100644
+--- a/drivers/hwmon/pmbus/ltc2978.c
++++ b/drivers/hwmon/pmbus/ltc2978.c
+@@ -59,7 +59,7 @@ enum chips { ltc2978, ltc3880 };
+ struct ltc2978_data {
+ enum chips id;
+ int vin_min, vin_max;
+- int temp_min, temp_max;
++ int temp_min, temp_max[2];
+ int vout_min[8], vout_max[8];
+ int iout_max[2];
+ int temp2_max;
+@@ -113,9 +113,10 @@ static int ltc2978_read_word_data_common(struct i2c_client *client, int page,
+ ret = pmbus_read_word_data(client, page,
+ LTC2978_MFR_TEMPERATURE_PEAK);
+ if (ret >= 0) {
+- if (lin11_to_val(ret) > lin11_to_val(data->temp_max))
+- data->temp_max = ret;
+- ret = data->temp_max;
++ if (lin11_to_val(ret)
++ > lin11_to_val(data->temp_max[page]))
++ data->temp_max[page] = ret;
++ ret = data->temp_max[page];
+ }
+ break;
+ case PMBUS_VIRT_RESET_VOUT_HISTORY:
+@@ -266,7 +267,7 @@ static int ltc2978_write_word_data(struct i2c_client *client, int page,
+ break;
+ case PMBUS_VIRT_RESET_TEMP_HISTORY:
+ data->temp_min = 0x7bff;
+- data->temp_max = 0x7c00;
++ data->temp_max[page] = 0x7c00;
+ ret = ltc2978_clear_peaks(client, page, data->id);
+ break;
+ default:
+@@ -323,7 +324,8 @@ static int ltc2978_probe(struct i2c_client *client,
+ data->vin_min = 0x7bff;
+ data->vin_max = 0x7c00;
+ data->temp_min = 0x7bff;
+- data->temp_max = 0x7c00;
++ for (i = 0; i < ARRAY_SIZE(data->temp_max); i++)
++ data->temp_max[i] = 0x7c00;
+ data->temp2_max = 0x7c00;
+
+ switch (data->id) {
+diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
+index 3766682..db04f53 100644
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -1527,6 +1527,14 @@ static int nand_do_read_ops(struct mtd_info *mtd, loff_t from,
+ oobreadlen -= toread;
+ }
+ }
++
++ if (chip->options & NAND_NEED_READRDY) {
++ /* Apply delay or wait for ready/busy pin */
++ if (!chip->dev_ready)
++ udelay(chip->chip_delay);
++ else
++ nand_wait_ready(mtd);
++ }
+ } else {
+ memcpy(buf, chip->buffers->databuf + col, bytes);
+ buf += bytes;
+@@ -1791,6 +1799,14 @@ static int nand_do_read_oob(struct mtd_info *mtd, loff_t from,
+ len = min(len, readlen);
+ buf = nand_transfer_oob(chip, buf, ops, len);
+
++ if (chip->options & NAND_NEED_READRDY) {
++ /* Apply delay or wait for ready/busy pin */
++ if (!chip->dev_ready)
++ udelay(chip->chip_delay);
++ else
++ nand_wait_ready(mtd);
++ }
++
+ readlen -= len;
+ if (!readlen)
+ break;
+diff --git a/drivers/mtd/nand/nand_ids.c b/drivers/mtd/nand/nand_ids.c
+index e3aa274..9c61238 100644
+--- a/drivers/mtd/nand/nand_ids.c
++++ b/drivers/mtd/nand/nand_ids.c
+@@ -22,49 +22,51 @@
+ * 512 512 Byte page size
+ */
+ struct nand_flash_dev nand_flash_ids[] = {
++#define SP_OPTIONS NAND_NEED_READRDY
++#define SP_OPTIONS16 (SP_OPTIONS | NAND_BUSWIDTH_16)
+
+ #ifdef CONFIG_MTD_NAND_MUSEUM_IDS
+- {"NAND 1MiB 5V 8-bit", 0x6e, 256, 1, 0x1000, 0},
+- {"NAND 2MiB 5V 8-bit", 0x64, 256, 2, 0x1000, 0},
+- {"NAND 4MiB 5V 8-bit", 0x6b, 512, 4, 0x2000, 0},
+- {"NAND 1MiB 3,3V 8-bit", 0xe8, 256, 1, 0x1000, 0},
+- {"NAND 1MiB 3,3V 8-bit", 0xec, 256, 1, 0x1000, 0},
+- {"NAND 2MiB 3,3V 8-bit", 0xea, 256, 2, 0x1000, 0},
+- {"NAND 4MiB 3,3V 8-bit", 0xd5, 512, 4, 0x2000, 0},
+- {"NAND 4MiB 3,3V 8-bit", 0xe3, 512, 4, 0x2000, 0},
+- {"NAND 4MiB 3,3V 8-bit", 0xe5, 512, 4, 0x2000, 0},
+- {"NAND 8MiB 3,3V 8-bit", 0xd6, 512, 8, 0x2000, 0},
+-
+- {"NAND 8MiB 1,8V 8-bit", 0x39, 512, 8, 0x2000, 0},
+- {"NAND 8MiB 3,3V 8-bit", 0xe6, 512, 8, 0x2000, 0},
+- {"NAND 8MiB 1,8V 16-bit", 0x49, 512, 8, 0x2000, NAND_BUSWIDTH_16},
+- {"NAND 8MiB 3,3V 16-bit", 0x59, 512, 8, 0x2000, NAND_BUSWIDTH_16},
++ {"NAND 1MiB 5V 8-bit", 0x6e, 256, 1, 0x1000, SP_OPTIONS},
++ {"NAND 2MiB 5V 8-bit", 0x64, 256, 2, 0x1000, SP_OPTIONS},
++ {"NAND 4MiB 5V 8-bit", 0x6b, 512, 4, 0x2000, SP_OPTIONS},
++ {"NAND 1MiB 3,3V 8-bit", 0xe8, 256, 1, 0x1000, SP_OPTIONS},
++ {"NAND 1MiB 3,3V 8-bit", 0xec, 256, 1, 0x1000, SP_OPTIONS},
++ {"NAND 2MiB 3,3V 8-bit", 0xea, 256, 2, 0x1000, SP_OPTIONS},
++ {"NAND 4MiB 3,3V 8-bit", 0xd5, 512, 4, 0x2000, SP_OPTIONS},
++ {"NAND 4MiB 3,3V 8-bit", 0xe3, 512, 4, 0x2000, SP_OPTIONS},
++ {"NAND 4MiB 3,3V 8-bit", 0xe5, 512, 4, 0x2000, SP_OPTIONS},
++ {"NAND 8MiB 3,3V 8-bit", 0xd6, 512, 8, 0x2000, SP_OPTIONS},
++
++ {"NAND 8MiB 1,8V 8-bit", 0x39, 512, 8, 0x2000, SP_OPTIONS},
++ {"NAND 8MiB 3,3V 8-bit", 0xe6, 512, 8, 0x2000, SP_OPTIONS},
++ {"NAND 8MiB 1,8V 16-bit", 0x49, 512, 8, 0x2000, SP_OPTIONS16},
++ {"NAND 8MiB 3,3V 16-bit", 0x59, 512, 8, 0x2000, SP_OPTIONS16},
+ #endif
+
+- {"NAND 16MiB 1,8V 8-bit", 0x33, 512, 16, 0x4000, 0},
+- {"NAND 16MiB 3,3V 8-bit", 0x73, 512, 16, 0x4000, 0},
+- {"NAND 16MiB 1,8V 16-bit", 0x43, 512, 16, 0x4000, NAND_BUSWIDTH_16},
+- {"NAND 16MiB 3,3V 16-bit", 0x53, 512, 16, 0x4000, NAND_BUSWIDTH_16},
+-
+- {"NAND 32MiB 1,8V 8-bit", 0x35, 512, 32, 0x4000, 0},
+- {"NAND 32MiB 3,3V 8-bit", 0x75, 512, 32, 0x4000, 0},
+- {"NAND 32MiB 1,8V 16-bit", 0x45, 512, 32, 0x4000, NAND_BUSWIDTH_16},
+- {"NAND 32MiB 3,3V 16-bit", 0x55, 512, 32, 0x4000, NAND_BUSWIDTH_16},
+-
+- {"NAND 64MiB 1,8V 8-bit", 0x36, 512, 64, 0x4000, 0},
+- {"NAND 64MiB 3,3V 8-bit", 0x76, 512, 64, 0x4000, 0},
+- {"NAND 64MiB 1,8V 16-bit", 0x46, 512, 64, 0x4000, NAND_BUSWIDTH_16},
+- {"NAND 64MiB 3,3V 16-bit", 0x56, 512, 64, 0x4000, NAND_BUSWIDTH_16},
+-
+- {"NAND 128MiB 1,8V 8-bit", 0x78, 512, 128, 0x4000, 0},
+- {"NAND 128MiB 1,8V 8-bit", 0x39, 512, 128, 0x4000, 0},
+- {"NAND 128MiB 3,3V 8-bit", 0x79, 512, 128, 0x4000, 0},
+- {"NAND 128MiB 1,8V 16-bit", 0x72, 512, 128, 0x4000, NAND_BUSWIDTH_16},
+- {"NAND 128MiB 1,8V 16-bit", 0x49, 512, 128, 0x4000, NAND_BUSWIDTH_16},
+- {"NAND 128MiB 3,3V 16-bit", 0x74, 512, 128, 0x4000, NAND_BUSWIDTH_16},
+- {"NAND 128MiB 3,3V 16-bit", 0x59, 512, 128, 0x4000, NAND_BUSWIDTH_16},
+-
+- {"NAND 256MiB 3,3V 8-bit", 0x71, 512, 256, 0x4000, 0},
++ {"NAND 16MiB 1,8V 8-bit", 0x33, 512, 16, 0x4000, SP_OPTIONS},
++ {"NAND 16MiB 3,3V 8-bit", 0x73, 512, 16, 0x4000, SP_OPTIONS},
++ {"NAND 16MiB 1,8V 16-bit", 0x43, 512, 16, 0x4000, SP_OPTIONS16},
++ {"NAND 16MiB 3,3V 16-bit", 0x53, 512, 16, 0x4000, SP_OPTIONS16},
++
++ {"NAND 32MiB 1,8V 8-bit", 0x35, 512, 32, 0x4000, SP_OPTIONS},
++ {"NAND 32MiB 3,3V 8-bit", 0x75, 512, 32, 0x4000, SP_OPTIONS},
++ {"NAND 32MiB 1,8V 16-bit", 0x45, 512, 32, 0x4000, SP_OPTIONS16},
++ {"NAND 32MiB 3,3V 16-bit", 0x55, 512, 32, 0x4000, SP_OPTIONS16},
++
++ {"NAND 64MiB 1,8V 8-bit", 0x36, 512, 64, 0x4000, SP_OPTIONS},
++ {"NAND 64MiB 3,3V 8-bit", 0x76, 512, 64, 0x4000, SP_OPTIONS},
++ {"NAND 64MiB 1,8V 16-bit", 0x46, 512, 64, 0x4000, SP_OPTIONS16},
++ {"NAND 64MiB 3,3V 16-bit", 0x56, 512, 64, 0x4000, SP_OPTIONS16},
++
++ {"NAND 128MiB 1,8V 8-bit", 0x78, 512, 128, 0x4000, SP_OPTIONS},
++ {"NAND 128MiB 1,8V 8-bit", 0x39, 512, 128, 0x4000, SP_OPTIONS},
++ {"NAND 128MiB 3,3V 8-bit", 0x79, 512, 128, 0x4000, SP_OPTIONS},
++ {"NAND 128MiB 1,8V 16-bit", 0x72, 512, 128, 0x4000, SP_OPTIONS16},
++ {"NAND 128MiB 1,8V 16-bit", 0x49, 512, 128, 0x4000, SP_OPTIONS16},
++ {"NAND 128MiB 3,3V 16-bit", 0x74, 512, 128, 0x4000, SP_OPTIONS16},
++ {"NAND 128MiB 3,3V 16-bit", 0x59, 512, 128, 0x4000, SP_OPTIONS16},
++
++ {"NAND 256MiB 3,3V 8-bit", 0x71, 512, 256, 0x4000, SP_OPTIONS},
+
+ /*
+ * These are the new chips with large page size. The pagesize and the
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index b7d45f3..a079da17 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1943,7 +1943,6 @@ int bond_release(struct net_device *bond_dev, struct net_device *slave_dev)
+ }
+
+ block_netpoll_tx();
+- call_netdevice_notifiers(NETDEV_RELEASE, bond_dev);
+ write_lock_bh(&bond->lock);
+
+ slave = bond_get_slave_by_dev(bond, slave_dev);
+@@ -2047,8 +2046,10 @@ int bond_release(struct net_device *bond_dev, struct net_device *slave_dev)
+ write_unlock_bh(&bond->lock);
+ unblock_netpoll_tx();
+
+- if (bond->slave_cnt == 0)
++ if (bond->slave_cnt == 0) {
+ call_netdevice_notifiers(NETDEV_CHANGEADDR, bond->dev);
++ call_netdevice_notifiers(NETDEV_RELEASE, bond->dev);
++ }
+
+ bond_compute_features(bond);
+ if (!(bond_dev->features & NETIF_F_VLAN_CHALLENGED) &&
+diff --git a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+index 0035c01..bfcb8bc 100644
+--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+@@ -2075,7 +2075,7 @@ static int atl1c_tx_map(struct atl1c_adapter *adapter,
+ if (unlikely(pci_dma_mapping_error(adapter->pdev,
+ buffer_info->dma)))
+ goto err_dma;
+-
++ ATL1C_SET_BUFFER_STATE(buffer_info, ATL1C_BUFFER_BUSY);
+ ATL1C_SET_PCIMAP_TYPE(buffer_info, ATL1C_PCIMAP_SINGLE,
+ ATL1C_PCIMAP_TODEVICE);
+ mapped_len += map_len;
+diff --git a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+index 88291bb..bf3f4bc 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+@@ -1434,12 +1434,11 @@ int mlx4_en_alloc_resources(struct mlx4_en_priv *priv)
+ }
+
+ #ifdef CONFIG_RFS_ACCEL
+- priv->dev->rx_cpu_rmap = alloc_irq_cpu_rmap(priv->mdev->dev->caps.comp_pool);
+- if (!priv->dev->rx_cpu_rmap)
+- goto err;
+-
+- INIT_LIST_HEAD(&priv->filters);
+- spin_lock_init(&priv->filters_lock);
++ if (priv->mdev->dev->caps.comp_pool) {
++ priv->dev->rx_cpu_rmap = alloc_irq_cpu_rmap(priv->mdev->dev->caps.comp_pool);
++ if (!priv->dev->rx_cpu_rmap)
++ goto err;
++ }
+ #endif
+
+ return 0;
+@@ -1634,6 +1633,11 @@ int mlx4_en_init_netdev(struct mlx4_en_dev *mdev, int port,
+ if (err)
+ goto out;
+
++#ifdef CONFIG_RFS_ACCEL
++ INIT_LIST_HEAD(&priv->filters);
++ spin_lock_init(&priv->filters_lock);
++#endif
++
+ /* Allocate page for receive rings */
+ err = mlx4_alloc_hwq_res(mdev->dev, &priv->res,
+ MLX4_EN_PAGE_SIZE, MLX4_EN_PAGE_SIZE);
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index d3fb97d..e5cb723 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -628,6 +628,7 @@ void macvlan_common_setup(struct net_device *dev)
+ ether_setup(dev);
+
+ dev->priv_flags &= ~(IFF_XMIT_DST_RELEASE | IFF_TX_SKB_SHARING);
++ dev->priv_flags |= IFF_UNICAST_FLT;
+ dev->netdev_ops = &macvlan_netdev_ops;
+ dev->destructor = free_netdev;
+ dev->header_ops = &macvlan_hard_header_ops,
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index ad86660..8efe47a 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1139,6 +1139,8 @@ static int team_port_del(struct team *team, struct net_device *port_dev)
+ netdev_set_master(port_dev, NULL);
+ team_port_disable_netpoll(port);
+ vlan_vids_del_by_dev(port_dev, dev);
++ dev_uc_unsync(port_dev, dev);
++ dev_mc_unsync(port_dev, dev);
+ dev_close(port_dev);
+ team_port_leave(team, port);
+ team_port_set_orig_dev_addr(port);
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 2917a86..cb95fe5 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -748,6 +748,8 @@ static netdev_tx_t tun_net_xmit(struct sk_buff *skb, struct net_device *dev)
+ goto drop;
+ skb_orphan(skb);
+
++ nf_reset(skb);
++
+ /* Enqueue packet */
+ skb_queue_tail(&tfile->socket.sk->sk_receive_queue, skb);
+
+diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
+index 656230e..6993bfa 100644
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -1491,6 +1491,15 @@ static __net_init int vxlan_init_net(struct net *net)
+ static __net_exit void vxlan_exit_net(struct net *net)
+ {
+ struct vxlan_net *vn = net_generic(net, vxlan_net_id);
++ struct vxlan_dev *vxlan;
++ struct hlist_node *pos;
++ unsigned h;
++
++ rtnl_lock();
++ for (h = 0; h < VNI_HASH_SIZE; ++h)
++ hlist_for_each_entry(vxlan, pos, &vn->vni_list[h], hlist)
++ dev_close(vxlan->dev);
++ rtnl_unlock();
+
+ if (vn->sock) {
+ sk_release_kernel(vn->sock->sk);
+diff --git a/drivers/staging/comedi/drivers/dt9812.c b/drivers/staging/comedi/drivers/dt9812.c
+index 1767998..3e7f961 100644
+--- a/drivers/staging/comedi/drivers/dt9812.c
++++ b/drivers/staging/comedi/drivers/dt9812.c
+@@ -948,12 +948,13 @@ static int dt9812_di_rinsn(struct comedi_device *dev,
+ unsigned int *data)
+ {
+ struct comedi_dt9812 *devpriv = dev->private;
++ unsigned int channel = CR_CHAN(insn->chanspec);
+ int n;
+ u8 bits = 0;
+
+ dt9812_digital_in(devpriv->slot, &bits);
+ for (n = 0; n < insn->n; n++)
+- data[n] = ((1 << insn->chanspec) & bits) != 0;
++ data[n] = ((1 << channel) & bits) != 0;
+ return n;
+ }
+
+@@ -962,12 +963,13 @@ static int dt9812_do_winsn(struct comedi_device *dev,
+ unsigned int *data)
+ {
+ struct comedi_dt9812 *devpriv = dev->private;
++ unsigned int channel = CR_CHAN(insn->chanspec);
+ int n;
+ u8 bits = 0;
+
+ dt9812_digital_out_shadow(devpriv->slot, &bits);
+ for (n = 0; n < insn->n; n++) {
+- u8 mask = 1 << insn->chanspec;
++ u8 mask = 1 << channel;
+
+ bits &= ~mask;
+ if (data[n])
+@@ -982,13 +984,13 @@ static int dt9812_ai_rinsn(struct comedi_device *dev,
+ unsigned int *data)
+ {
+ struct comedi_dt9812 *devpriv = dev->private;
++ unsigned int channel = CR_CHAN(insn->chanspec);
+ int n;
+
+ for (n = 0; n < insn->n; n++) {
+ u16 value = 0;
+
+- dt9812_analog_in(devpriv->slot, insn->chanspec, &value,
+- DT9812_GAIN_1);
++ dt9812_analog_in(devpriv->slot, channel, &value, DT9812_GAIN_1);
+ data[n] = value;
+ }
+ return n;
+@@ -999,12 +1001,13 @@ static int dt9812_ao_rinsn(struct comedi_device *dev,
+ unsigned int *data)
+ {
+ struct comedi_dt9812 *devpriv = dev->private;
++ unsigned int channel = CR_CHAN(insn->chanspec);
+ int n;
+ u16 value;
+
+ for (n = 0; n < insn->n; n++) {
+ value = 0;
+- dt9812_analog_out_shadow(devpriv->slot, insn->chanspec, &value);
++ dt9812_analog_out_shadow(devpriv->slot, channel, &value);
+ data[n] = value;
+ }
+ return n;
+@@ -1015,10 +1018,11 @@ static int dt9812_ao_winsn(struct comedi_device *dev,
+ unsigned int *data)
+ {
+ struct comedi_dt9812 *devpriv = dev->private;
++ unsigned int channel = CR_CHAN(insn->chanspec);
+ int n;
+
+ for (n = 0; n < insn->n; n++)
+- dt9812_analog_out(devpriv->slot, insn->chanspec, data[n]);
++ dt9812_analog_out(devpriv->slot, channel, data[n]);
+ return n;
+ }
+
+diff --git a/drivers/staging/vt6656/main_usb.c b/drivers/staging/vt6656/main_usb.c
+index f33086d..f726970 100644
+--- a/drivers/staging/vt6656/main_usb.c
++++ b/drivers/staging/vt6656/main_usb.c
+@@ -644,8 +644,6 @@ static int vt6656_suspend(struct usb_interface *intf, pm_message_t message)
+ if (device->flags & DEVICE_FLAGS_OPENED)
+ device_close(device->dev);
+
+- usb_put_dev(interface_to_usbdev(intf));
+-
+ return 0;
+ }
+
+@@ -656,8 +654,6 @@ static int vt6656_resume(struct usb_interface *intf)
+ if (!device || !device->dev)
+ return -ENODEV;
+
+- usb_get_dev(interface_to_usbdev(intf));
+-
+ if (!(device->flags & DEVICE_FLAGS_OPENED))
+ device_open(device->dev);
+
+diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
+index 79ff3a5..ac35c90 100644
+--- a/drivers/tty/pty.c
++++ b/drivers/tty/pty.c
+@@ -47,7 +47,6 @@ static void pty_close(struct tty_struct *tty, struct file *filp)
+ /* Review - krefs on tty_link ?? */
+ if (!tty->link)
+ return;
+- tty->link->packet = 0;
+ set_bit(TTY_OTHER_CLOSED, &tty->link->flags);
+ wake_up_interruptible(&tty->link->read_wait);
+ wake_up_interruptible(&tty->link->write_wait);
+diff --git a/drivers/tty/serial/8250/8250.c b/drivers/tty/serial/8250/8250.c
+index f932043..733f22c 100644
+--- a/drivers/tty/serial/8250/8250.c
++++ b/drivers/tty/serial/8250/8250.c
+@@ -308,7 +308,28 @@ static const struct serial8250_config uart_config[] = {
+ },
+ [PORT_8250_CIR] = {
+ .name = "CIR port"
+- }
++ },
++ [PORT_ALTR_16550_F32] = {
++ .name = "Altera 16550 FIFO32",
++ .fifo_size = 32,
++ .tx_loadsz = 32,
++ .fcr = UART_FCR_ENABLE_FIFO | UART_FCR_R_TRIG_10,
++ .flags = UART_CAP_FIFO | UART_CAP_AFE,
++ },
++ [PORT_ALTR_16550_F64] = {
++ .name = "Altera 16550 FIFO64",
++ .fifo_size = 64,
++ .tx_loadsz = 64,
++ .fcr = UART_FCR_ENABLE_FIFO | UART_FCR_R_TRIG_10,
++ .flags = UART_CAP_FIFO | UART_CAP_AFE,
++ },
++ [PORT_ALTR_16550_F128] = {
++ .name = "Altera 16550 FIFO128",
++ .fifo_size = 128,
++ .tx_loadsz = 128,
++ .fcr = UART_FCR_ENABLE_FIFO | UART_FCR_R_TRIG_10,
++ .flags = UART_CAP_FIFO | UART_CAP_AFE,
++ },
+ };
+
+ /* Uart divisor latch read */
+@@ -3430,3 +3451,32 @@ module_param_array(probe_rsa, ulong, &probe_rsa_count, 0444);
+ MODULE_PARM_DESC(probe_rsa, "Probe I/O ports for RSA");
+ #endif
+ MODULE_ALIAS_CHARDEV_MAJOR(TTY_MAJOR);
++
++#ifndef MODULE
++/* This module was renamed to 8250_core in 3.7. Keep the old "8250" name
++ * working as well for the module options so we don't break people. We
++ * need to keep the names identical and the convenient macros will happily
++ * refuse to let us do that by failing the build with redefinition errors
++ * of global variables. So we stick them inside a dummy function to avoid
++ * those conflicts. The options still get parsed, and the redefined
++ * MODULE_PARAM_PREFIX lets us keep the "8250." syntax alive.
++ *
++ * This is hacky. I'm sorry.
++ */
++static void __used s8250_options(void)
++{
++#undef MODULE_PARAM_PREFIX
++#define MODULE_PARAM_PREFIX "8250."
++
++ module_param_cb(share_irqs, &param_ops_uint, &share_irqs, 0644);
++ module_param_cb(nr_uarts, &param_ops_uint, &nr_uarts, 0644);
++ module_param_cb(skip_txen_test, &param_ops_uint, &skip_txen_test, 0644);
++#ifdef CONFIG_SERIAL_8250_RSA
++ __module_param_call(MODULE_PARAM_PREFIX, probe_rsa,
++ &param_array_ops, .arr = &__param_arr_probe_rsa,
++ 0444, -1);
++#endif
++}
++#else
++MODULE_ALIAS("8250");
++#endif
+diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c
+index a27a98e..5cdb092 100644
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -1321,6 +1321,7 @@ pci_wch_ch353_setup(struct serial_private *priv,
+
+ /* Unknown vendors/cards - this should not be in linux/pci_ids.h */
+ #define PCI_SUBDEVICE_ID_UNKNOWN_0x1584 0x1584
++#define PCI_SUBDEVICE_ID_UNKNOWN_0x1588 0x1588
+
+ /*
+ * Master list of serial port init/setup/exit quirks.
+@@ -1592,15 +1593,6 @@ static struct pci_serial_quirk pci_serial_quirks[] __refdata = {
+ },
+ {
+ .vendor = PCI_VENDOR_ID_PLX,
+- .device = PCI_DEVICE_ID_PLX_9050,
+- .subvendor = PCI_VENDOR_ID_PLX,
+- .subdevice = PCI_SUBDEVICE_ID_UNKNOWN_0x1584,
+- .init = pci_plx9050_init,
+- .setup = pci_default_setup,
+- .exit = pci_plx9050_exit,
+- },
+- {
+- .vendor = PCI_VENDOR_ID_PLX,
+ .device = PCI_DEVICE_ID_PLX_ROMULUS,
+ .subvendor = PCI_VENDOR_ID_PLX,
+ .subdevice = PCI_DEVICE_ID_PLX_ROMULUS,
+@@ -3456,7 +3448,12 @@ static struct pci_device_id serial_pci_tbl[] = {
+ { PCI_VENDOR_ID_PLX, PCI_DEVICE_ID_PLX_9050,
+ PCI_VENDOR_ID_PLX,
+ PCI_SUBDEVICE_ID_UNKNOWN_0x1584, 0, 0,
+- pbn_b0_4_115200 },
++ pbn_b2_4_115200 },
++ /* Unknown card - subdevice 0x1588 */
++ { PCI_VENDOR_ID_PLX, PCI_DEVICE_ID_PLX_9050,
++ PCI_VENDOR_ID_PLX,
++ PCI_SUBDEVICE_ID_UNKNOWN_0x1588, 0, 0,
++ pbn_b2_8_115200 },
+ { PCI_VENDOR_ID_PLX, PCI_DEVICE_ID_PLX_9050,
+ PCI_SUBVENDOR_ID_KEYSPAN,
+ PCI_SUBDEVICE_ID_KEYSPAN_SX2, 0, 0,
+@@ -4449,6 +4446,10 @@ static struct pci_device_id serial_pci_tbl[] = {
+ PCI_VENDOR_ID_IBM, 0x0299,
+ 0, 0, pbn_b0_bt_2_115200 },
+
++ { PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9835,
++ 0x1000, 0x0012,
++ 0, 0, pbn_b0_bt_2_115200 },
++
+ { PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9901,
+ 0xA000, 0x1000,
+ 0, 0, pbn_b0_1_115200 },
+diff --git a/drivers/tty/serial/8250/8250_pnp.c b/drivers/tty/serial/8250/8250_pnp.c
+index 35d9ab9..b3455a9 100644
+--- a/drivers/tty/serial/8250/8250_pnp.c
++++ b/drivers/tty/serial/8250/8250_pnp.c
+@@ -429,6 +429,7 @@ serial_pnp_probe(struct pnp_dev *dev, const struct pnp_device_id *dev_id)
+ {
+ struct uart_8250_port uart;
+ int ret, line, flags = dev_id->driver_data;
++ struct resource *res = NULL;
+
+ if (flags & UNKNOWN_DEV) {
+ ret = serial_pnp_guess_board(dev);
+@@ -439,11 +440,12 @@ serial_pnp_probe(struct pnp_dev *dev, const struct pnp_device_id *dev_id)
+ memset(&uart, 0, sizeof(uart));
+ if (pnp_irq_valid(dev, 0))
+ uart.port.irq = pnp_irq(dev, 0);
+- if ((flags & CIR_PORT) && pnp_port_valid(dev, 2)) {
+- uart.port.iobase = pnp_port_start(dev, 2);
+- uart.port.iotype = UPIO_PORT;
+- } else if (pnp_port_valid(dev, 0)) {
+- uart.port.iobase = pnp_port_start(dev, 0);
++ if ((flags & CIR_PORT) && pnp_port_valid(dev, 2))
++ res = pnp_get_resource(dev, IORESOURCE_IO, 2);
++ else if (pnp_port_valid(dev, 0))
++ res = pnp_get_resource(dev, IORESOURCE_IO, 0);
++ if (pnp_resource_enabled(res)) {
++ uart.port.iobase = res->start;
+ uart.port.iotype = UPIO_PORT;
+ } else if (pnp_mem_valid(dev, 0)) {
+ uart.port.mapbase = pnp_mem_start(dev, 0);
+diff --git a/drivers/tty/serial/Kconfig b/drivers/tty/serial/Kconfig
+index 59c23d0..02e706e 100644
+--- a/drivers/tty/serial/Kconfig
++++ b/drivers/tty/serial/Kconfig
+@@ -209,14 +209,14 @@ config SERIAL_SAMSUNG
+ config SERIAL_SAMSUNG_UARTS_4
+ bool
+ depends on PLAT_SAMSUNG
+- default y if !(CPU_S3C2410 || SERIAL_S3C2412 || CPU_S3C2440 || CPU_S3C2442)
++ default y if !(CPU_S3C2410 || CPU_S3C2412 || CPU_S3C2440 || CPU_S3C2442)
+ help
+ Internal node for the common case of 4 Samsung compatible UARTs
+
+ config SERIAL_SAMSUNG_UARTS
+ int
+ depends on PLAT_SAMSUNG
+- default 6 if ARCH_S5P6450
++ default 6 if CPU_S5P6450
+ default 4 if SERIAL_SAMSUNG_UARTS_4 || CPU_S3C2416
+ default 3
+ help
+diff --git a/drivers/tty/serial/of_serial.c b/drivers/tty/serial/of_serial.c
+index e7cae1c..3490629 100644
+--- a/drivers/tty/serial/of_serial.c
++++ b/drivers/tty/serial/of_serial.c
+@@ -240,6 +240,12 @@ static struct of_device_id of_platform_serial_table[] = {
+ { .compatible = "ns16850", .data = (void *)PORT_16850, },
+ { .compatible = "nvidia,tegra20-uart", .data = (void *)PORT_TEGRA, },
+ { .compatible = "nxp,lpc3220-uart", .data = (void *)PORT_LPC3220, },
++ { .compatible = "altr,16550-FIFO32",
++ .data = (void *)PORT_ALTR_16550_F32, },
++ { .compatible = "altr,16550-FIFO64",
++ .data = (void *)PORT_ALTR_16550_F64, },
++ { .compatible = "altr,16550-FIFO128",
++ .data = (void *)PORT_ALTR_16550_F128, },
+ #ifdef CONFIG_SERIAL_OF_PLATFORM_NWPSERIAL
+ { .compatible = "ibm,qpace-nwp-serial",
+ .data = (void *)PORT_NWPSERIAL, },
+diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
+index 45d9161..cd1f861 100644
+--- a/drivers/tty/tty_buffer.c
++++ b/drivers/tty/tty_buffer.c
+@@ -473,7 +473,7 @@ static void flush_to_ldisc(struct work_struct *work)
+ struct tty_ldisc *disc;
+
+ tty = port->itty;
+- if (WARN_RATELIMIT(tty == NULL, "tty is NULL\n"))
++ if (tty == NULL)
+ return;
+
+ disc = tty_ldisc_ref(tty);
+diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
+index 5f0cb41..122d056 100644
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -56,6 +56,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids);
+ #define WDM_RESPONDING 7
+ #define WDM_SUSPENDING 8
+ #define WDM_RESETTING 9
++#define WDM_OVERFLOW 10
+
+ #define WDM_MAX 16
+
+@@ -155,6 +156,7 @@ static void wdm_in_callback(struct urb *urb)
+ {
+ struct wdm_device *desc = urb->context;
+ int status = urb->status;
++ int length = urb->actual_length;
+
+ spin_lock(&desc->iuspin);
+ clear_bit(WDM_RESPONDING, &desc->flags);
+@@ -185,9 +187,17 @@ static void wdm_in_callback(struct urb *urb)
+ }
+
+ desc->rerr = status;
+- desc->reslength = urb->actual_length;
+- memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength);
+- desc->length += desc->reslength;
++ if (length + desc->length > desc->wMaxCommand) {
++ /* The buffer would overflow */
++ set_bit(WDM_OVERFLOW, &desc->flags);
++ } else {
++ /* we may already be in overflow */
++ if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
++ memmove(desc->ubuf + desc->length, desc->inbuf, length);
++ desc->length += length;
++ desc->reslength = length;
++ }
++ }
+ skip_error:
+ wake_up(&desc->wait);
+
+@@ -435,6 +445,11 @@ retry:
+ rv = -ENODEV;
+ goto err;
+ }
++ if (test_bit(WDM_OVERFLOW, &desc->flags)) {
++ clear_bit(WDM_OVERFLOW, &desc->flags);
++ rv = -ENOBUFS;
++ goto err;
++ }
+ i++;
+ if (file->f_flags & O_NONBLOCK) {
+ if (!test_bit(WDM_READ, &desc->flags)) {
+@@ -478,6 +493,7 @@ retry:
+ spin_unlock_irq(&desc->iuspin);
+ goto retry;
+ }
++
+ if (!desc->reslength) { /* zero length read */
+ dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__);
+ clear_bit(WDM_READ, &desc->flags);
+@@ -1004,6 +1020,7 @@ static int wdm_post_reset(struct usb_interface *intf)
+ struct wdm_device *desc = wdm_find_device(intf);
+ int rv;
+
++ clear_bit(WDM_OVERFLOW, &desc->flags);
+ clear_bit(WDM_RESETTING, &desc->flags);
+ rv = recover_from_urb_loss(desc);
+ mutex_unlock(&desc->wlock);
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index 3a4004a..f00c749 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -575,6 +575,7 @@ static int dwc3_remove(struct platform_device *pdev)
+ break;
+ }
+
++ dwc3_free_event_buffers(dwc);
+ dwc3_core_exit(dwc);
+
+ return 0;
+diff --git a/drivers/usb/host/ehci-q.c b/drivers/usb/host/ehci-q.c
+index fd252f0..eda2cf4 100644
+--- a/drivers/usb/host/ehci-q.c
++++ b/drivers/usb/host/ehci-q.c
+@@ -135,7 +135,7 @@ qh_refresh (struct ehci_hcd *ehci, struct ehci_qh *qh)
+ * qtd is updated in qh_completions(). Update the QH
+ * overlay here.
+ */
+- if (cpu_to_hc32(ehci, qtd->qtd_dma) == qh->hw->hw_current) {
++ if (qh->hw->hw_token & ACTIVE_BIT(ehci)) {
+ qh->hw->hw_qtd_next = qtd->hw_next;
+ qtd = NULL;
+ }
+@@ -449,11 +449,19 @@ qh_completions (struct ehci_hcd *ehci, struct ehci_qh *qh)
+ else if (last_status == -EINPROGRESS && !urb->unlinked)
+ continue;
+
+- /* qh unlinked; token in overlay may be most current */
+- if (state == QH_STATE_IDLE
+- && cpu_to_hc32(ehci, qtd->qtd_dma)
+- == hw->hw_current) {
++ /*
++ * If this was the active qtd when the qh was unlinked
++ * and the overlay's token is active, then the overlay
++ * hasn't been written back to the qtd yet so use its
++ * token instead of the qtd's. After the qtd is
++ * processed and removed, the overlay won't be valid
++ * any more.
++ */
++ if (state == QH_STATE_IDLE &&
++ qh->qtd_list.next == &qtd->qtd_list &&
++ (hw->hw_token & ACTIVE_BIT(ehci))) {
+ token = hc32_to_cpu(ehci, hw->hw_token);
++ hw->hw_token &= ~ACTIVE_BIT(ehci);
+
+ /* An unlink may leave an incomplete
+ * async transaction in the TT buffer.
+diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
+index edc0f0d..4747d1c 100644
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -85,6 +85,7 @@ static const struct usb_device_id id_table[] = {
+ { USB_DEVICE(0x10C4, 0x813F) }, /* Tams Master Easy Control */
+ { USB_DEVICE(0x10C4, 0x814A) }, /* West Mountain Radio RIGblaster P&P */
+ { USB_DEVICE(0x10C4, 0x814B) }, /* West Mountain Radio RIGtalk */
++ { USB_DEVICE(0x2405, 0x0003) }, /* West Mountain Radio RIGblaster Advantage */
+ { USB_DEVICE(0x10C4, 0x8156) }, /* B&G H3000 link cable */
+ { USB_DEVICE(0x10C4, 0x815E) }, /* Helicomm IP-Link 1220-DVM */
+ { USB_DEVICE(0x10C4, 0x815F) }, /* Timewave HamLinkUSB */
+@@ -150,6 +151,25 @@ static const struct usb_device_id id_table[] = {
+ { USB_DEVICE(0x1BE3, 0x07A6) }, /* WAGO 750-923 USB Service Cable */
+ { USB_DEVICE(0x1E29, 0x0102) }, /* Festo CPX-USB */
+ { USB_DEVICE(0x1E29, 0x0501) }, /* Festo CMSP */
++ { USB_DEVICE(0x1FB9, 0x0100) }, /* Lake Shore Model 121 Current Source */
++ { USB_DEVICE(0x1FB9, 0x0200) }, /* Lake Shore Model 218A Temperature Monitor */
++ { USB_DEVICE(0x1FB9, 0x0201) }, /* Lake Shore Model 219 Temperature Monitor */
++ { USB_DEVICE(0x1FB9, 0x0202) }, /* Lake Shore Model 233 Temperature Transmitter */
++ { USB_DEVICE(0x1FB9, 0x0203) }, /* Lake Shore Model 235 Temperature Transmitter */
++ { USB_DEVICE(0x1FB9, 0x0300) }, /* Lake Shore Model 335 Temperature Controller */
++ { USB_DEVICE(0x1FB9, 0x0301) }, /* Lake Shore Model 336 Temperature Controller */
++ { USB_DEVICE(0x1FB9, 0x0302) }, /* Lake Shore Model 350 Temperature Controller */
++ { USB_DEVICE(0x1FB9, 0x0303) }, /* Lake Shore Model 371 AC Bridge */
++ { USB_DEVICE(0x1FB9, 0x0400) }, /* Lake Shore Model 411 Handheld Gaussmeter */
++ { USB_DEVICE(0x1FB9, 0x0401) }, /* Lake Shore Model 425 Gaussmeter */
++ { USB_DEVICE(0x1FB9, 0x0402) }, /* Lake Shore Model 455A Gaussmeter */
++ { USB_DEVICE(0x1FB9, 0x0403) }, /* Lake Shore Model 475A Gaussmeter */
++ { USB_DEVICE(0x1FB9, 0x0404) }, /* Lake Shore Model 465 Three Axis Gaussmeter */
++ { USB_DEVICE(0x1FB9, 0x0600) }, /* Lake Shore Model 625A Superconducting MPS */
++ { USB_DEVICE(0x1FB9, 0x0601) }, /* Lake Shore Model 642A Magnet Power Supply */
++ { USB_DEVICE(0x1FB9, 0x0602) }, /* Lake Shore Model 648 Magnet Power Supply */
++ { USB_DEVICE(0x1FB9, 0x0700) }, /* Lake Shore Model 737 VSM Controller */
++ { USB_DEVICE(0x1FB9, 0x0701) }, /* Lake Shore Model 776 Hall Matrix */
+ { USB_DEVICE(0x3195, 0xF190) }, /* Link Instruments MSO-19 */
+ { USB_DEVICE(0x3195, 0xF280) }, /* Link Instruments MSO-28 */
+ { USB_DEVICE(0x3195, 0xF281) }, /* Link Instruments MSO-28 */
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index f7d339d..558adfc 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -341,6 +341,8 @@ static void option_instat_callback(struct urb *urb);
+ #define CINTERION_PRODUCT_EU3_E 0x0051
+ #define CINTERION_PRODUCT_EU3_P 0x0052
+ #define CINTERION_PRODUCT_PH8 0x0053
++#define CINTERION_PRODUCT_AH6 0x0055
++#define CINTERION_PRODUCT_PLS8 0x0060
+
+ /* Olivetti products */
+ #define OLIVETTI_VENDOR_ID 0x0b3c
+@@ -579,6 +581,7 @@ static const struct usb_device_id option_ids[] = {
+ { USB_DEVICE(QUANTA_VENDOR_ID, 0xea42),
+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c05, USB_CLASS_COMM, 0x02, 0xff) },
++ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c1f, USB_CLASS_COMM, 0x02, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c23, USB_CLASS_COMM, 0x02, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t) &net_intf1_blacklist },
+@@ -1260,6 +1263,8 @@ static const struct usb_device_id option_ids[] = {
+ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_EU3_E) },
+ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_EU3_P) },
+ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8) },
++ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AH6) },
++ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PLS8) },
+ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) },
+ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDMNET) },
+ { USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC25_MDM) },
+diff --git a/drivers/usb/serial/qcaux.c b/drivers/usb/serial/qcaux.c
+index 9b1b96f..31f81c3 100644
+--- a/drivers/usb/serial/qcaux.c
++++ b/drivers/usb/serial/qcaux.c
+@@ -69,6 +69,7 @@ static struct usb_device_id id_table[] = {
+ { USB_VENDOR_AND_INTERFACE_INFO(UTSTARCOM_VENDOR_ID, 0xff, 0xfd, 0xff) }, /* NMEA */
+ { USB_VENDOR_AND_INTERFACE_INFO(UTSTARCOM_VENDOR_ID, 0xff, 0xfe, 0xff) }, /* WMC */
+ { USB_VENDOR_AND_INTERFACE_INFO(UTSTARCOM_VENDOR_ID, 0xff, 0xff, 0xff) }, /* DIAG */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x1fac, 0x0151, 0xff, 0xff, 0xff) },
+ { },
+ };
+ MODULE_DEVICE_TABLE(usb, id_table);
+diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
+index 2466254..59b32b7 100644
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -197,12 +197,15 @@ static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id)
+
+ if (is_gobi1k) {
+ /* Gobi 1K USB layout:
+- * 0: serial port (doesn't respond)
++ * 0: DM/DIAG (use libqcdm from ModemManager for communication)
+ * 1: serial port (doesn't respond)
+ * 2: AT-capable modem port
+ * 3: QMI/net
+ */
+- if (ifnum == 2)
++ if (ifnum == 0) {
++ dev_dbg(dev, "Gobi 1K DM/DIAG interface found\n");
++ altsetting = 1;
++ } else if (ifnum == 2)
+ dev_dbg(dev, "Modem port found\n");
+ else
+ altsetting = -1;
+diff --git a/drivers/usb/storage/initializers.c b/drivers/usb/storage/initializers.c
+index 7ab9046..105d900 100644
+--- a/drivers/usb/storage/initializers.c
++++ b/drivers/usb/storage/initializers.c
+@@ -92,8 +92,8 @@ int usb_stor_ucr61s2b_init(struct us_data *us)
+ return 0;
+ }
+
+-/* This places the HUAWEI usb dongles in multi-port mode */
+-static int usb_stor_huawei_feature_init(struct us_data *us)
++/* This places the HUAWEI E220 devices in multi-port mode */
++int usb_stor_huawei_e220_init(struct us_data *us)
+ {
+ int result;
+
+@@ -104,75 +104,3 @@ static int usb_stor_huawei_feature_init(struct us_data *us)
+ US_DEBUGP("Huawei mode set result is %d\n", result);
+ return 0;
+ }
+-
+-/*
+- * It will send a scsi switch command called rewind' to huawei dongle.
+- * When the dongle receives this command at the first time,
+- * it will reboot immediately. After rebooted, it will ignore this command.
+- * So it is unnecessary to read its response.
+- */
+-static int usb_stor_huawei_scsi_init(struct us_data *us)
+-{
+- int result = 0;
+- int act_len = 0;
+- struct bulk_cb_wrap *bcbw = (struct bulk_cb_wrap *) us->iobuf;
+- char rewind_cmd[] = {0x11, 0x06, 0x20, 0x00, 0x00, 0x01, 0x01, 0x00,
+- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
+-
+- bcbw->Signature = cpu_to_le32(US_BULK_CB_SIGN);
+- bcbw->Tag = 0;
+- bcbw->DataTransferLength = 0;
+- bcbw->Flags = bcbw->Lun = 0;
+- bcbw->Length = sizeof(rewind_cmd);
+- memset(bcbw->CDB, 0, sizeof(bcbw->CDB));
+- memcpy(bcbw->CDB, rewind_cmd, sizeof(rewind_cmd));
+-
+- result = usb_stor_bulk_transfer_buf(us, us->send_bulk_pipe, bcbw,
+- US_BULK_CB_WRAP_LEN, &act_len);
+- US_DEBUGP("transfer actual length=%d, result=%d\n", act_len, result);
+- return result;
+-}
+-
+-/*
+- * It tries to find the supported Huawei USB dongles.
+- * In Huawei, they assign the following product IDs
+- * for all of their mobile broadband dongles,
+- * including the new dongles in the future.
+- * So if the product ID is not included in this list,
+- * it means it is not Huawei's mobile broadband dongles.
+- */
+-static int usb_stor_huawei_dongles_pid(struct us_data *us)
+-{
+- struct usb_interface_descriptor *idesc;
+- int idProduct;
+-
+- idesc = &us->pusb_intf->cur_altsetting->desc;
+- idProduct = le16_to_cpu(us->pusb_dev->descriptor.idProduct);
+- /* The first port is CDROM,
+- * means the dongle in the single port mode,
+- * and a switch command is required to be sent. */
+- if (idesc && idesc->bInterfaceNumber == 0) {
+- if ((idProduct == 0x1001)
+- || (idProduct == 0x1003)
+- || (idProduct == 0x1004)
+- || (idProduct >= 0x1401 && idProduct <= 0x1500)
+- || (idProduct >= 0x1505 && idProduct <= 0x1600)
+- || (idProduct >= 0x1c02 && idProduct <= 0x2202)) {
+- return 1;
+- }
+- }
+- return 0;
+-}
+-
+-int usb_stor_huawei_init(struct us_data *us)
+-{
+- int result = 0;
+-
+- if (usb_stor_huawei_dongles_pid(us)) {
+- if (le16_to_cpu(us->pusb_dev->descriptor.idProduct) >= 0x1446)
+- result = usb_stor_huawei_scsi_init(us);
+- else
+- result = usb_stor_huawei_feature_init(us);
+- }
+- return result;
+-}
+diff --git a/drivers/usb/storage/initializers.h b/drivers/usb/storage/initializers.h
+index 5376d4f..529327f 100644
+--- a/drivers/usb/storage/initializers.h
++++ b/drivers/usb/storage/initializers.h
+@@ -46,5 +46,5 @@ int usb_stor_euscsi_init(struct us_data *us);
+ * flash reader */
+ int usb_stor_ucr61s2b_init(struct us_data *us);
+
+-/* This places the HUAWEI usb dongles in multi-port mode */
+-int usb_stor_huawei_init(struct us_data *us);
++/* This places the HUAWEI E220 devices in multi-port mode */
++int usb_stor_huawei_e220_init(struct us_data *us);
+diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
+index 72923b5..d305a5a 100644
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -1527,10 +1527,335 @@ UNUSUAL_DEV( 0x1210, 0x0003, 0x0100, 0x0100,
+ /* Reported by fangxiaozhi <huananhu@huawei.com>
+ * This brings the HUAWEI data card devices into multi-port mode
+ */
+-UNUSUAL_VENDOR_INTF(0x12d1, 0x08, 0x06, 0x50,
++UNUSUAL_DEV( 0x12d1, 0x1001, 0x0000, 0x0000,
+ "HUAWEI MOBILE",
+ "Mass Storage",
+- USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_init,
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1003, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1004, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1401, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1402, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1403, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1404, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1405, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1406, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1407, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1408, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1409, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x140A, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x140B, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x140C, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x140D, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x140E, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x140F, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1410, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1411, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1412, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1413, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1414, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1415, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1416, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1417, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1418, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1419, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x141A, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x141B, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x141C, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x141D, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x141E, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x141F, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1420, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1421, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1422, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1423, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1424, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1425, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1426, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1427, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1428, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1429, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x142A, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x142B, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x142C, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x142D, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x142E, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x142F, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1430, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1431, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1432, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1433, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1434, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1435, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1436, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1437, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1438, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x1439, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x143A, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x143B, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x143C, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x143D, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x143E, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
++ 0),
++UNUSUAL_DEV( 0x12d1, 0x143F, 0x0000, 0x0000,
++ "HUAWEI MOBILE",
++ "Mass Storage",
++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_huawei_e220_init,
+ 0),
+
+ /* Reported by Vilius Bilinkevicius <vilisas AT xxx DOT lt) */
+diff --git a/drivers/video/atmel_lcdfb.c b/drivers/video/atmel_lcdfb.c
+index 12cf5f3..025428e 100644
+--- a/drivers/video/atmel_lcdfb.c
++++ b/drivers/video/atmel_lcdfb.c
+@@ -422,17 +422,22 @@ static int atmel_lcdfb_check_var(struct fb_var_screeninfo *var,
+ = var->bits_per_pixel;
+ break;
+ case 16:
++ /* Older SOCs use IBGR:555 rather than BGR:565. */
++ if (sinfo->have_intensity_bit)
++ var->green.length = 5;
++ else
++ var->green.length = 6;
++
+ if (sinfo->lcd_wiring_mode == ATMEL_LCDC_WIRING_RGB) {
+- /* RGB:565 mode */
+- var->red.offset = 11;
++ /* RGB:5X5 mode */
++ var->red.offset = var->green.length + 5;
+ var->blue.offset = 0;
+ } else {
+- /* BGR:565 mode */
++ /* BGR:5X5 mode */
+ var->red.offset = 0;
+- var->blue.offset = 11;
++ var->blue.offset = var->green.length + 5;
+ }
+ var->green.offset = 5;
+- var->green.length = 6;
+ var->red.length = var->blue.length = 5;
+ break;
+ case 32:
+@@ -679,8 +684,7 @@ static int atmel_lcdfb_setcolreg(unsigned int regno, unsigned int red,
+
+ case FB_VISUAL_PSEUDOCOLOR:
+ if (regno < 256) {
+- if (cpu_is_at91sam9261() || cpu_is_at91sam9263()
+- || cpu_is_at91sam9rl()) {
++ if (sinfo->have_intensity_bit) {
+ /* old style I+BGR:555 */
+ val = ((red >> 11) & 0x001f);
+ val |= ((green >> 6) & 0x03e0);
+@@ -870,6 +874,10 @@ static int __init atmel_lcdfb_probe(struct platform_device *pdev)
+ }
+ sinfo->info = info;
+ sinfo->pdev = pdev;
++ if (cpu_is_at91sam9261() || cpu_is_at91sam9263() ||
++ cpu_is_at91sam9rl()) {
++ sinfo->have_intensity_bit = true;
++ }
+
+ strcpy(info->fix.id, sinfo->pdev->name);
+ info->flags = ATMEL_LCDFB_FBINFO_DEFAULT;
+diff --git a/drivers/w1/masters/w1-gpio.c b/drivers/w1/masters/w1-gpio.c
+index d39dfa4..012817a 100644
+--- a/drivers/w1/masters/w1-gpio.c
++++ b/drivers/w1/masters/w1-gpio.c
+@@ -158,7 +158,7 @@ static int w1_gpio_probe(struct platform_device *pdev)
+ return err;
+ }
+
+-static int __exit w1_gpio_remove(struct platform_device *pdev)
++static int w1_gpio_remove(struct platform_device *pdev)
+ {
+ struct w1_bus_master *master = platform_get_drvdata(pdev);
+ struct w1_gpio_platform_data *pdata = pdev->dev.platform_data;
+@@ -210,7 +210,7 @@ static struct platform_driver w1_gpio_driver = {
+ .of_match_table = of_match_ptr(w1_gpio_dt_ids),
+ },
+ .probe = w1_gpio_probe,
+- .remove = __exit_p(w1_gpio_remove),
++ .remove = w1_gpio_remove,
+ .suspend = w1_gpio_suspend,
+ .resume = w1_gpio_resume,
+ };
+diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c
+index 7994d933..7ce277d 100644
+--- a/drivers/w1/w1.c
++++ b/drivers/w1/w1.c
+@@ -924,7 +924,8 @@ void w1_search(struct w1_master *dev, u8 search_type, w1_slave_found_callback cb
+ tmp64 = (triplet_ret >> 2);
+ rn |= (tmp64 << i);
+
+- if (kthread_should_stop()) {
++ /* ensure we're called from kthread and not by netlink callback */
++ if (!dev->priv && kthread_should_stop()) {
+ mutex_unlock(&dev->bus_mutex);
+ dev_dbg(&dev->dev, "Abort w1_search\n");
+ return;
+diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c
+index 37c1f82..b98cf0c 100644
+--- a/drivers/xen/xen-pciback/pciback_ops.c
++++ b/drivers/xen/xen-pciback/pciback_ops.c
+@@ -113,7 +113,8 @@ void xen_pcibk_reset_device(struct pci_dev *dev)
+ if (dev->msi_enabled)
+ pci_disable_msi(dev);
+ #endif
+- pci_disable_device(dev);
++ if (pci_is_enabled(dev))
++ pci_disable_device(dev);
+
+ pci_write_config_word(dev, PCI_COMMAND, 0);
+
+diff --git a/fs/block_dev.c b/fs/block_dev.c
+index 78333a3..78edf76 100644
+--- a/fs/block_dev.c
++++ b/fs/block_dev.c
+@@ -1033,7 +1033,9 @@ void bd_set_size(struct block_device *bdev, loff_t size)
+ {
+ unsigned bsize = bdev_logical_block_size(bdev);
+
+- bdev->bd_inode->i_size = size;
++ mutex_lock(&bdev->bd_inode->i_mutex);
++ i_size_write(bdev->bd_inode, size);
++ mutex_unlock(&bdev->bd_inode->i_mutex);
+ while (bsize < PAGE_CACHE_SIZE) {
+ if (size & bsize)
+ break;
+diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
+index ac8ff8d..1fd234a 100644
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -681,6 +681,12 @@ int btrfs_close_devices(struct btrfs_fs_devices *fs_devices)
+ __btrfs_close_devices(fs_devices);
+ free_fs_devices(fs_devices);
+ }
++ /*
++ * Wait for rcu kworkers under __btrfs_close_devices
++ * to finish all blkdev_puts so device is really
++ * free when umount is done.
++ */
++ rcu_barrier();
+ return ret;
+ }
+
+diff --git a/fs/ext3/super.c b/fs/ext3/super.c
+index 6e50223..0a7f2d0b 100644
+--- a/fs/ext3/super.c
++++ b/fs/ext3/super.c
+@@ -353,7 +353,7 @@ static struct block_device *ext3_blkdev_get(dev_t dev, struct super_block *sb)
+ return bdev;
+
+ fail:
+- ext3_msg(sb, "error: failed to open journal device %s: %ld",
++ ext3_msg(sb, KERN_ERR, "error: failed to open journal device %s: %ld",
+ __bdevname(dev, b), PTR_ERR(bdev));
+
+ return NULL;
+@@ -887,7 +887,7 @@ static ext3_fsblk_t get_sb_block(void **data, struct super_block *sb)
+ /*todo: use simple_strtoll with >32bit ext3 */
+ sb_block = simple_strtoul(options, &options, 0);
+ if (*options && *options != ',') {
+- ext3_msg(sb, "error: invalid sb specification: %s",
++ ext3_msg(sb, KERN_ERR, "error: invalid sb specification: %s",
+ (char *) *data);
+ return 1;
+ }
+diff --git a/include/linux/mtd/nand.h b/include/linux/mtd/nand.h
+index 7ccb3c5..ef52d9c 100644
+--- a/include/linux/mtd/nand.h
++++ b/include/linux/mtd/nand.h
+@@ -187,6 +187,13 @@ typedef enum {
+ * This happens with the Renesas AG-AND chips, possibly others.
+ */
+ #define BBT_AUTO_REFRESH 0x00000080
++/*
++ * Chip requires ready check on read (for auto-incremented sequential read).
++ * True only for small page devices; large page devices do not support
++ * autoincrement.
++ */
++#define NAND_NEED_READRDY 0x00000100
++
+ /* Chip does not allow subpage writes */
+ #define NAND_NO_SUBPAGE_WRITE 0x00000200
+
+diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
+index 6bfb2faa..a280650 100644
+--- a/include/linux/perf_event.h
++++ b/include/linux/perf_event.h
+@@ -794,6 +794,12 @@ static inline int __perf_event_disable(void *info) { return -1; }
+ static inline void perf_event_task_tick(void) { }
+ #endif
+
++#if defined(CONFIG_PERF_EVENTS) && defined(CONFIG_CPU_SUP_INTEL)
++extern void perf_restore_debug_store(void);
++#else
++static inline void perf_restore_debug_store(void) { }
++#endif
++
+ #define perf_output_put(handle, x) perf_output_copy((handle), &(x), sizeof(x))
+
+ /*
+diff --git a/include/uapi/linux/serial_core.h b/include/uapi/linux/serial_core.h
+index 8f6e50a..c019b24 100644
+--- a/include/uapi/linux/serial_core.h
++++ b/include/uapi/linux/serial_core.h
+@@ -51,7 +51,10 @@
+ #define PORT_8250_CIR 23 /* CIR infrared port, has its own driver */
+ #define PORT_XR17V35X 24 /* Exar XR17V35x UARTs */
+ #define PORT_BRCM_TRUMANAGE 25
+-#define PORT_MAX_8250 25 /* max port ID */
++#define PORT_ALTR_16550_F32 26 /* Altera 16550 UART with 32 FIFOs */
++#define PORT_ALTR_16550_F64 27 /* Altera 16550 UART with 64 FIFOs */
++#define PORT_ALTR_16550_F128 28 /* Altera 16550 UART with 128 FIFOs */
++#define PORT_MAX_8250 28 /* max port ID */
+
+ /*
+ * ARM specific type numbers. These are not currently guaranteed
+diff --git a/include/video/atmel_lcdc.h b/include/video/atmel_lcdc.h
+index 28447f1..5f0e234 100644
+--- a/include/video/atmel_lcdc.h
++++ b/include/video/atmel_lcdc.h
+@@ -62,6 +62,7 @@ struct atmel_lcdfb_info {
+ void (*atmel_lcdfb_power_control)(int on);
+ struct fb_monspecs *default_monspecs;
+ u32 pseudo_palette[16];
++ bool have_intensity_bit;
+ };
+
+ #define ATMEL_LCDC_DMABADDR1 0x00
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 3d09cf6..7591ccc 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -485,6 +485,9 @@ flush_signal_handlers(struct task_struct *t, int force_default)
+ if (force_default || ka->sa.sa_handler != SIG_IGN)
+ ka->sa.sa_handler = SIG_DFL;
+ ka->sa.sa_flags = 0;
++#ifdef SA_RESTORER
++ ka->sa.sa_restorer = NULL;
++#endif
+ sigemptyset(&ka->sa.sa_mask);
+ ka++;
+ }
+diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c
+index acc9f4c..2897e40 100644
+--- a/net/bridge/br_mdb.c
++++ b/net/bridge/br_mdb.c
+@@ -82,6 +82,7 @@ static int br_mdb_fill_info(struct sk_buff *skb, struct netlink_callback *cb,
+ port = p->port;
+ if (port) {
+ struct br_mdb_entry e;
++ memset(&e, 0, sizeof(e));
+ e.ifindex = port->dev->ifindex;
+ e.state = p->state;
+ if (p->addr.proto == htons(ETH_P_IP))
+@@ -138,6 +139,7 @@ static int br_mdb_dump(struct sk_buff *skb, struct netlink_callback *cb)
+ break;
+
+ bpm = nlmsg_data(nlh);
++ memset(bpm, 0, sizeof(*bpm));
+ bpm->ifindex = dev->ifindex;
+ if (br_mdb_fill_info(skb, cb, dev) < 0)
+ goto out;
+@@ -173,6 +175,7 @@ static int nlmsg_populate_mdb_fill(struct sk_buff *skb,
+ return -EMSGSIZE;
+
+ bpm = nlmsg_data(nlh);
++ memset(bpm, 0, sizeof(*bpm));
+ bpm->family = AF_BRIDGE;
+ bpm->ifindex = dev->ifindex;
+ nest = nla_nest_start(skb, MDBA_MDB);
+@@ -230,6 +233,7 @@ void br_mdb_notify(struct net_device *dev, struct net_bridge_port *port,
+ {
+ struct br_mdb_entry entry;
+
++ memset(&entry, 0, sizeof(entry));
+ entry.ifindex = port->dev->ifindex;
+ entry.addr.proto = group->proto;
+ entry.addr.u.ip4 = group->u.ip4;
+diff --git a/net/core/dev.c b/net/core/dev.c
+index f64e439..1339f77 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3419,6 +3419,7 @@ ncls:
+ }
+ switch (rx_handler(&skb)) {
+ case RX_HANDLER_CONSUMED:
++ ret = NET_RX_SUCCESS;
+ goto unlock;
+ case RX_HANDLER_ANOTHER:
+ goto another_round;
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 1868625..798f920 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -976,6 +976,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
+ * report anything.
+ */
+ ivi.spoofchk = -1;
++ memset(ivi.mac, 0, sizeof(ivi.mac));
+ if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
+ break;
+ vf_mac.vf =
+diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
+index 1b588e2..21291f1 100644
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -284,6 +284,7 @@ static int dcbnl_getperm_hwaddr(struct net_device *netdev, struct nlmsghdr *nlh,
+ if (!netdev->dcbnl_ops->getpermhwaddr)
+ return -EOPNOTSUPP;
+
++ memset(perm_addr, 0, sizeof(perm_addr));
+ netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
+
+ return nla_put(skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr), perm_addr);
+@@ -1042,6 +1043,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->ieee_getets) {
+ struct ieee_ets ets;
++ memset(&ets, 0, sizeof(ets));
+ err = ops->ieee_getets(netdev, &ets);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets))
+@@ -1050,6 +1052,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->ieee_getmaxrate) {
+ struct ieee_maxrate maxrate;
++ memset(&maxrate, 0, sizeof(maxrate));
+ err = ops->ieee_getmaxrate(netdev, &maxrate);
+ if (!err) {
+ err = nla_put(skb, DCB_ATTR_IEEE_MAXRATE,
+@@ -1061,6 +1064,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->ieee_getpfc) {
+ struct ieee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->ieee_getpfc(netdev, &pfc);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc))
+@@ -1094,6 +1098,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+ /* get peer info if available */
+ if (ops->ieee_peer_getets) {
+ struct ieee_ets ets;
++ memset(&ets, 0, sizeof(ets));
+ err = ops->ieee_peer_getets(netdev, &ets);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets))
+@@ -1102,6 +1107,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->ieee_peer_getpfc) {
+ struct ieee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->ieee_peer_getpfc(netdev, &pfc);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc))
+@@ -1280,6 +1286,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev)
+ /* peer info if available */
+ if (ops->cee_peer_getpg) {
+ struct cee_pg pg;
++ memset(&pg, 0, sizeof(pg));
+ err = ops->cee_peer_getpg(netdev, &pg);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg))
+@@ -1288,6 +1295,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->cee_peer_getpfc) {
+ struct cee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->cee_peer_getpfc(netdev, &pfc);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc))
+diff --git a/net/ieee802154/6lowpan.h b/net/ieee802154/6lowpan.h
+index 8c2251f..bba5f83 100644
+--- a/net/ieee802154/6lowpan.h
++++ b/net/ieee802154/6lowpan.h
+@@ -84,7 +84,7 @@
+ (memcmp(addr1, addr2, length >> 3) == 0)
+
+ /* local link, i.e. FE80::/10 */
+-#define is_addr_link_local(a) (((a)->s6_addr16[0]) == 0x80FE)
++#define is_addr_link_local(a) (((a)->s6_addr16[0]) == htons(0xFE80))
+
+ /*
+ * check whether we can compress the IID to 16 bits,
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index ad70a96..66702d3 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5498,6 +5498,9 @@ int tcp_rcv_established(struct sock *sk, struct sk_buff *skb,
+ if (tcp_checksum_complete_user(sk, skb))
+ goto csum_error;
+
++ if ((int)skb->truesize > sk->sk_forward_alloc)
++ goto step5;
++
+ /* Predicted packet is in window by definition.
+ * seq == rcv_nxt and rcv_wup <= rcv_nxt.
+ * Hence, check seq<=rcv_wup reduces to:
+@@ -5509,9 +5512,6 @@ int tcp_rcv_established(struct sock *sk, struct sk_buff *skb,
+
+ tcp_rcv_rtt_measure_ts(sk, skb);
+
+- if ((int)skb->truesize > sk->sk_forward_alloc)
+- goto step5;
+-
+ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPHPHITS);
+
+ /* Bulk data transfer: receiver */
+diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
+index a52d864..b196852 100644
+--- a/net/ipv6/ip6_input.c
++++ b/net/ipv6/ip6_input.c
+@@ -270,7 +270,8 @@ int ip6_mc_input(struct sk_buff *skb)
+ * IPv6 multicast router mode is now supported ;)
+ */
+ if (dev_net(skb->dev)->ipv6.devconf_all->mc_forwarding &&
+- !(ipv6_addr_type(&hdr->daddr) & IPV6_ADDR_LINKLOCAL) &&
++ !(ipv6_addr_type(&hdr->daddr) &
++ (IPV6_ADDR_LOOPBACK|IPV6_ADDR_LINKLOCAL)) &&
+ likely(!(IP6CB(skb)->flags & IP6SKB_FORWARDED))) {
+ /*
+ * Okay, we try to forward - split and duplicate
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 6f9f7b6..5845613 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1990,7 +1990,8 @@ void rt6_purge_dflt_routers(struct net *net)
+ restart:
+ read_lock_bh(&table->tb6_lock);
+ for (rt = table->tb6_root.leaf; rt; rt = rt->dst.rt6_next) {
+- if (rt->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF)) {
++ if (rt->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF) &&
++ (!rt->rt6i_idev || rt->rt6i_idev->cnf.accept_ra != 2)) {
+ dst_hold(&rt->dst);
+ read_unlock_bh(&table->tb6_lock);
+ ip6_del_rt(rt);
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 716605c..044e9e1 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -355,6 +355,7 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
+ l2tp_xmit_skb(session, skb, session->hdr_len);
+
+ sock_put(ps->tunnel_sock);
++ sock_put(sk);
+
+ return error;
+
+diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
+index 847d495..8a6c6ea 100644
+--- a/net/netlabel/netlabel_unlabeled.c
++++ b/net/netlabel/netlabel_unlabeled.c
+@@ -1189,8 +1189,6 @@ static int netlbl_unlabel_staticlist(struct sk_buff *skb,
+ struct netlbl_unlhsh_walk_arg cb_arg;
+ u32 skip_bkt = cb->args[0];
+ u32 skip_chain = cb->args[1];
+- u32 skip_addr4 = cb->args[2];
+- u32 skip_addr6 = cb->args[3];
+ u32 iter_bkt;
+ u32 iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0;
+ struct netlbl_unlhsh_iface *iface;
+@@ -1215,7 +1213,7 @@ static int netlbl_unlabel_staticlist(struct sk_buff *skb,
+ continue;
+ netlbl_af4list_foreach_rcu(addr4,
+ &iface->addr4_list) {
+- if (iter_addr4++ < skip_addr4)
++ if (iter_addr4++ < cb->args[2])
+ continue;
+ if (netlbl_unlabel_staticlist_gen(
+ NLBL_UNLABEL_C_STATICLIST,
+@@ -1231,7 +1229,7 @@ static int netlbl_unlabel_staticlist(struct sk_buff *skb,
+ #if IS_ENABLED(CONFIG_IPV6)
+ netlbl_af6list_foreach_rcu(addr6,
+ &iface->addr6_list) {
+- if (iter_addr6++ < skip_addr6)
++ if (iter_addr6++ < cb->args[3])
+ continue;
+ if (netlbl_unlabel_staticlist_gen(
+ NLBL_UNLABEL_C_STATICLIST,
+@@ -1250,10 +1248,10 @@ static int netlbl_unlabel_staticlist(struct sk_buff *skb,
+
+ unlabel_staticlist_return:
+ rcu_read_unlock();
+- cb->args[0] = skip_bkt;
+- cb->args[1] = skip_chain;
+- cb->args[2] = skip_addr4;
+- cb->args[3] = skip_addr6;
++ cb->args[0] = iter_bkt;
++ cb->args[1] = iter_chain;
++ cb->args[2] = iter_addr4;
++ cb->args[3] = iter_addr6;
+ return skb->len;
+ }
+
+@@ -1273,12 +1271,9 @@ static int netlbl_unlabel_staticlistdef(struct sk_buff *skb,
+ {
+ struct netlbl_unlhsh_walk_arg cb_arg;
+ struct netlbl_unlhsh_iface *iface;
+- u32 skip_addr4 = cb->args[0];
+- u32 skip_addr6 = cb->args[1];
+- u32 iter_addr4 = 0;
++ u32 iter_addr4 = 0, iter_addr6 = 0;
+ struct netlbl_af4list *addr4;
+ #if IS_ENABLED(CONFIG_IPV6)
+- u32 iter_addr6 = 0;
+ struct netlbl_af6list *addr6;
+ #endif
+
+@@ -1292,7 +1287,7 @@ static int netlbl_unlabel_staticlistdef(struct sk_buff *skb,
+ goto unlabel_staticlistdef_return;
+
+ netlbl_af4list_foreach_rcu(addr4, &iface->addr4_list) {
+- if (iter_addr4++ < skip_addr4)
++ if (iter_addr4++ < cb->args[0])
+ continue;
+ if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
+ iface,
+@@ -1305,7 +1300,7 @@ static int netlbl_unlabel_staticlistdef(struct sk_buff *skb,
+ }
+ #if IS_ENABLED(CONFIG_IPV6)
+ netlbl_af6list_foreach_rcu(addr6, &iface->addr6_list) {
+- if (iter_addr6++ < skip_addr6)
++ if (iter_addr6++ < cb->args[1])
+ continue;
+ if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
+ iface,
+@@ -1320,8 +1315,8 @@ static int netlbl_unlabel_staticlistdef(struct sk_buff *skb,
+
+ unlabel_staticlistdef_return:
+ rcu_read_unlock();
+- cb->args[0] = skip_addr4;
+- cb->args[1] = skip_addr6;
++ cb->args[0] = iter_addr4;
++ cb->args[1] = iter_addr6;
+ return skb->len;
+ }
+
+diff --git a/net/rds/message.c b/net/rds/message.c
+index f0a4658..aff589c 100644
+--- a/net/rds/message.c
++++ b/net/rds/message.c
+@@ -197,6 +197,9 @@ struct rds_message *rds_message_alloc(unsigned int extra_len, gfp_t gfp)
+ {
+ struct rds_message *rm;
+
++ if (extra_len > KMALLOC_MAX_SIZE - sizeof(struct rds_message))
++ return NULL;
++
+ rm = kzalloc(sizeof(struct rds_message) + extra_len, gfp);
+ if (!rm)
+ goto out;
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index cedd9bf..9ef5c73 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -5653,6 +5653,9 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len,
+ if (len < sizeof(sctp_assoc_t))
+ return -EINVAL;
+
++ /* Allow the struct to grow and fill in as much as possible */
++ len = min_t(size_t, len, sizeof(sas));
++
+ if (copy_from_user(&sas, optval, len))
+ return -EFAULT;
+
+@@ -5686,9 +5689,6 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len,
+ /* Mark beginning of a new observation period */
+ asoc->stats.max_obs_rto = asoc->rto_min;
+
+- /* Allow the struct to grow and fill in as much as possible */
+- len = min_t(size_t, len, sizeof(sas));
+-
+ if (put_user(len, optlen))
+ return -EFAULT;
+
+diff --git a/scripts/Makefile.headersinst b/scripts/Makefile.headersinst
+index 06ba4a7..e253917 100644
+--- a/scripts/Makefile.headersinst
++++ b/scripts/Makefile.headersinst
+@@ -8,7 +8,7 @@
+ # ==========================================================================
+
+ # called may set destination dir (when installing to asm/)
+-_dst := $(or $(destination-y),$(dst),$(obj))
++_dst := $(if $(destination-y),$(destination-y),$(if $(dst),$(dst),$(obj)))
+
+ # generated header directory
+ gen := $(if $(gen),$(gen),$(subst include/,include/generated/,$(obj)))
+@@ -48,13 +48,14 @@ all-files := $(header-y) $(genhdr-y) $(wrapper-files)
+ output-files := $(addprefix $(installdir)/, $(all-files))
+
+ input-files := $(foreach hdr, $(header-y), \
+- $(or \
++ $(if $(wildcard $(srcdir)/$(hdr)), \
+ $(wildcard $(srcdir)/$(hdr)), \
+- $(wildcard $(oldsrcdir)/$(hdr)), \
+- $(error Missing UAPI file $(srcdir)/$(hdr)) \
++ $(if $(wildcard $(oldsrcdir)/$(hdr)), \
++ $(wildcard $(oldsrcdir)/$(hdr)), \
++ $(error Missing UAPI file $(srcdir)/$(hdr))) \
+ )) \
+ $(foreach hdr, $(genhdr-y), \
+- $(or \
++ $(if $(wildcard $(gendir)/$(hdr)), \
+ $(wildcard $(gendir)/$(hdr)), \
+ $(error Missing generated UAPI file $(gendir)/$(hdr)) \
+ ))
+diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
+index 48665ec..8ab2951 100644
+--- a/security/selinux/xfrm.c
++++ b/security/selinux/xfrm.c
+@@ -310,7 +310,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
+
+ if (old_ctx) {
+ new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len,
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ if (!new_ctx)
+ return -ENOMEM;
+
+diff --git a/sound/core/seq/seq_timer.c b/sound/core/seq/seq_timer.c
+index 160b1bd..24d44b2 100644
+--- a/sound/core/seq/seq_timer.c
++++ b/sound/core/seq/seq_timer.c
+@@ -290,10 +290,10 @@ int snd_seq_timer_open(struct snd_seq_queue *q)
+ tid.device = SNDRV_TIMER_GLOBAL_SYSTEM;
+ err = snd_timer_open(&t, str, &tid, q->queue);
+ }
+- if (err < 0) {
+- snd_printk(KERN_ERR "seq fatal error: cannot create timer (%i)\n", err);
+- return err;
+- }
++ }
++ if (err < 0) {
++ snd_printk(KERN_ERR "seq fatal error: cannot create timer (%i)\n", err);
++ return err;
+ }
+ t->callback = snd_seq_timer_interrupt;
+ t->callback_data = q;
+diff --git a/tools/usb/ffs-test.c b/tools/usb/ffs-test.c
+index 8674b9e..fe1e66b 100644
+--- a/tools/usb/ffs-test.c
++++ b/tools/usb/ffs-test.c
+@@ -38,7 +38,7 @@
+ #include <unistd.h>
+ #include <tools/le_byteshift.h>
+
+-#include "../../include/linux/usb/functionfs.h"
++#include "../../include/uapi/linux/usb/functionfs.h"
+
+
+ /******************** Little Endian Handling ********************************/
diff --git a/3.8.3/4420_grsecurity-2.9.1-3.8.3-201303142235.patch b/3.8.4/4420_grsecurity-2.9.1-3.8.4-201303221826.patch
index ef25e2b..dc85ee6 100644
--- a/3.8.3/4420_grsecurity-2.9.1-3.8.3-201303142235.patch
+++ b/3.8.4/4420_grsecurity-2.9.1-3.8.4-201303221826.patch
@@ -259,7 +259,7 @@ index 986614d..e8bfedc 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index 8c49fc9b..9a2af09 100644
+index e20f162..11365cc 100644
--- a/Makefile
+++ b/Makefile
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -341,7 +341,7 @@ index 8c49fc9b..9a2af09 100644
+else
+ $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least"
+endif
-+ $(Q)echo "PAX_MEMORY_STACKLEAK and other features will be less secure"
++ $(Q)echo "PAX_MEMORY_STACKLEAK, constification, PAX_LATENT_ENTROPY and other features will be less secure. PAX_SIZE_OVERFLOW will not be active."
+endif
+endif
+
@@ -2838,7 +2838,7 @@ index 5f66206..dce492f 100644
};
diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
-index c6dec5f..f853532 100644
+index c6dec5f..e0fddd1 100644
--- a/arch/arm/kernel/process.c
+++ b/arch/arm/kernel/process.c
@@ -28,7 +28,6 @@
@@ -2885,6 +2885,18 @@ index c6dec5f..f853532 100644
#ifdef CONFIG_MMU
/*
* The vectors page is always readable from user space for the
+@@ -470,9 +464,8 @@ static int __init gate_vma_init(void)
+ {
+ gate_vma.vm_start = 0xffff0000;
+ gate_vma.vm_end = 0xffff0000 + PAGE_SIZE;
+- gate_vma.vm_page_prot = PAGE_READONLY_EXEC;
+- gate_vma.vm_flags = VM_READ | VM_EXEC |
+- VM_MAYREAD | VM_MAYEXEC;
++ gate_vma.vm_flags = VM_NONE;
++ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
+ return 0;
+ }
+ arch_initcall(gate_vma_init);
diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
index 03deeff..741ce88 100644
--- a/arch/arm/kernel/ptrace.c
@@ -2967,6 +2979,40 @@ index 3f6cbb2..6d856f5 100644
#endif
#ifdef MULTI_TLB
cpu_tlb = *list->tlb;
+diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
+index 56f72d2..6924200 100644
+--- a/arch/arm/kernel/signal.c
++++ b/arch/arm/kernel/signal.c
+@@ -433,22 +433,14 @@ setup_return(struct pt_regs *regs, struct k_sigaction *ka,
+ __put_user(sigreturn_codes[idx+1], rc+1))
+ return 1;
+
+- if (cpsr & MODE32_BIT) {
+- /*
+- * 32-bit code can use the new high-page
+- * signal return code support.
+- */
+- retcode = KERN_SIGRETURN_CODE + (idx << 2) + thumb;
+- } else {
+- /*
+- * Ensure that the instruction cache sees
+- * the return code written onto the stack.
+- */
+- flush_icache_range((unsigned long)rc,
+- (unsigned long)(rc + 2));
++ /*
++ * Ensure that the instruction cache sees
++ * the return code written onto the stack.
++ */
++ flush_icache_range((unsigned long)rc,
++ (unsigned long)(rc + 2));
+
+- retcode = ((unsigned long)rc) + thumb;
+- }
++ retcode = ((unsigned long)rc) + thumb;
+ }
+
+ regs->ARM_r0 = usig;
diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
index 58af91c..343ce99 100644
--- a/arch/arm/kernel/smp.c
@@ -2981,7 +3027,7 @@ index 58af91c..343ce99 100644
void __init smp_set_ops(struct smp_operations *ops)
{
diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
-index b0179b8..b7b16c7 100644
+index b0179b8..829510e 100644
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
@@ -57,7 +57,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long);
@@ -3022,9 +3068,17 @@ index b0179b8..b7b16c7 100644
}
return 0;
-@@ -849,5 +856,9 @@ void __init early_trap_init(void *vectors_base)
- sigreturn_codes, sizeof(sigreturn_codes));
+@@ -841,13 +848,10 @@ void __init early_trap_init(void *vectors_base)
+ */
+ kuser_get_tls_init(vectors);
+- /*
+- * Copy signal return handlers into the vector page, and
+- * set sigreturn to be a pointer to these.
+- */
+- memcpy((void *)(vectors + KERN_SIGRETURN_CODE - CONFIG_VECTORS_BASE),
+- sigreturn_codes, sizeof(sigreturn_codes));
+-
flush_icache_range(vectors, vectors + PAGE_SIZE);
- modify_domain(DOMAIN_USER, DOMAIN_CLIENT);
+
@@ -3488,8 +3542,73 @@ index 3fd629d..8b1aca9 100644
help
This option enables or disables the use of domain switching
via the set_fs() function.
+diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c
+index db26e2e..ee44569 100644
+--- a/arch/arm/mm/alignment.c
++++ b/arch/arm/mm/alignment.c
+@@ -211,10 +211,12 @@ union offset_union {
+ #define __get16_unaligned_check(ins,val,addr) \
+ do { \
+ unsigned int err = 0, v, a = addr; \
++ pax_open_userland(); \
+ __get8_unaligned_check(ins,v,a,err); \
+ val = v << ((BE) ? 8 : 0); \
+ __get8_unaligned_check(ins,v,a,err); \
+ val |= v << ((BE) ? 0 : 8); \
++ pax_close_userland(); \
+ if (err) \
+ goto fault; \
+ } while (0)
+@@ -228,6 +230,7 @@ union offset_union {
+ #define __get32_unaligned_check(ins,val,addr) \
+ do { \
+ unsigned int err = 0, v, a = addr; \
++ pax_open_userland(); \
+ __get8_unaligned_check(ins,v,a,err); \
+ val = v << ((BE) ? 24 : 0); \
+ __get8_unaligned_check(ins,v,a,err); \
+@@ -236,6 +239,7 @@ union offset_union {
+ val |= v << ((BE) ? 8 : 16); \
+ __get8_unaligned_check(ins,v,a,err); \
+ val |= v << ((BE) ? 0 : 24); \
++ pax_close_userland(); \
+ if (err) \
+ goto fault; \
+ } while (0)
+@@ -249,6 +253,7 @@ union offset_union {
+ #define __put16_unaligned_check(ins,val,addr) \
+ do { \
+ unsigned int err = 0, v = val, a = addr; \
++ pax_open_userland(); \
+ __asm__( FIRST_BYTE_16 \
+ ARM( "1: "ins" %1, [%2], #1\n" ) \
+ THUMB( "1: "ins" %1, [%2]\n" ) \
+@@ -268,6 +273,7 @@ union offset_union {
+ " .popsection\n" \
+ : "=r" (err), "=&r" (v), "=&r" (a) \
+ : "0" (err), "1" (v), "2" (a)); \
++ pax_close_userland(); \
+ if (err) \
+ goto fault; \
+ } while (0)
+@@ -281,6 +287,7 @@ union offset_union {
+ #define __put32_unaligned_check(ins,val,addr) \
+ do { \
+ unsigned int err = 0, v = val, a = addr; \
++ pax_open_userland(); \
+ __asm__( FIRST_BYTE_32 \
+ ARM( "1: "ins" %1, [%2], #1\n" ) \
+ THUMB( "1: "ins" %1, [%2]\n" ) \
+@@ -310,6 +317,7 @@ union offset_union {
+ " .popsection\n" \
+ : "=r" (err), "=&r" (v), "=&r" (a) \
+ : "0" (err), "1" (v), "2" (a)); \
++ pax_close_userland(); \
+ if (err) \
+ goto fault; \
+ } while (0)
diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
-index 5dbf13f..6393f55 100644
+index 5dbf13f..1a60561 100644
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -25,6 +25,7 @@
@@ -3511,10 +3630,10 @@ index 5dbf13f..6393f55 100644
+ {
+ if (current->signal->curr_ip)
+ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
-+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid()));
++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
+ else
+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", current->comm, task_pid_nr(current),
-+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid()));
++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
+ }
+#endif
+
@@ -3577,10 +3696,10 @@ index 5dbf13f..6393f55 100644
+ if (addr < TASK_SIZE && is_domain_fault(fsr)) {
+ if (current->signal->curr_ip)
+ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
-+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid()), addr);
++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
+ else
+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", current->comm, task_pid_nr(current),
-+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid()), addr);
++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
+ goto die;
+ }
+#endif
@@ -3592,19 +3711,30 @@ index 5dbf13f..6393f55 100644
printk(KERN_ALERT "Unhandled fault: %s (0x%03x) at 0x%08lx\n",
inf->name, fsr, addr);
-@@ -575,9 +637,38 @@ do_PrefetchAbort(unsigned long addr, unsigned int ifsr, struct pt_regs *regs)
+@@ -575,9 +637,49 @@ do_PrefetchAbort(unsigned long addr, unsigned int ifsr, struct pt_regs *regs)
const struct fsr_info *inf = ifsr_info + fsr_fs(ifsr);
struct siginfo info;
++ if (user_mode(regs)) {
++ if (addr == 0xffff0fe0UL) {
++ /*
++ * PaX: __kuser_get_tls emulation
++ */
++ regs->ARM_r0 = current_thread_info()->tp_value;
++ regs->ARM_pc = regs->ARM_lr;
++ return;
++ }
++ }
++
+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
-+ if (!user_mode(regs) && (is_domain_fault(ifsr) || is_xn_fault(ifsr))) {
++ else if (is_domain_fault(ifsr) || is_xn_fault(ifsr)) {
+ if (current->signal->curr_ip)
+ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
-+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid()),
++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()),
+ addr >= TASK_SIZE ? "non-executable kernel" : "userland", addr);
+ else
+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", current->comm, task_pid_nr(current),
-+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid()),
++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()),
+ addr >= TASK_SIZE ? "non-executable kernel" : "userland", addr);
+ goto die;
+ }
@@ -3847,7 +3977,7 @@ index 10062ce..aa96dd7 100644
mm->unmap_area = arch_unmap_area_topdown;
}
diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c
-index ce328c7..f82bebb 100644
+index ce328c7..35b88dc 100644
--- a/arch/arm/mm/mmu.c
+++ b/arch/arm/mm/mmu.c
@@ -35,6 +35,23 @@
@@ -3924,7 +4054,8 @@ index ce328c7..f82bebb 100644
},
[MT_HIGH_VECTORS] = {
.prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
- L_PTE_USER | L_PTE_RDONLY,
+- L_PTE_USER | L_PTE_RDONLY,
++ L_PTE_RDONLY,
.prot_l1 = PMD_TYPE_TABLE,
- .domain = DOMAIN_USER,
+ .domain = DOMAIN_VECTORS,
@@ -6535,7 +6666,7 @@ index 4684e33..acc4d19e 100644
ld r4,_DAR(r1)
bl .bad_page_fault
diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
-index 4665e82..080ea99 100644
+index 3684cbd..bc89eab 100644
--- a/arch/powerpc/kernel/exceptions-64s.S
+++ b/arch/powerpc/kernel/exceptions-64s.S
@@ -1206,10 +1206,10 @@ handle_page_fault:
@@ -12655,7 +12786,7 @@ index 0e1cbfc..5623683 100644
#define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
diff --git a/arch/x86/include/asm/bitops.h b/arch/x86/include/asm/bitops.h
-index 6dfd019..0c6699f 100644
+index 6dfd019..28e188d 100644
--- a/arch/x86/include/asm/bitops.h
+++ b/arch/x86/include/asm/bitops.h
@@ -40,7 +40,7 @@
@@ -12667,6 +12798,15 @@ index 6dfd019..0c6699f 100644
#define CONST_MASK(nr) (1 << ((nr) & 7))
/**
+@@ -486,7 +486,7 @@ static inline int fls(int x)
+ * at position 64.
+ */
+ #ifdef CONFIG_X86_64
+-static __always_inline int fls64(__u64 x)
++static __always_inline long fls64(__u64 x)
+ {
+ int bitpos = -1;
+ /*
diff --git a/arch/x86/include/asm/boot.h b/arch/x86/include/asm/boot.h
index 4fa687a..60f2d39 100644
--- a/arch/x86/include/asm/boot.h
@@ -12843,7 +12983,7 @@ index 2d9075e..b75a844 100644
"4:\n"
".previous\n"
diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h
-index 8bf1c06..f723dfd 100644
+index 8bf1c06..b6ae785 100644
--- a/arch/x86/include/asm/desc.h
+++ b/arch/x86/include/asm/desc.h
@@ -4,6 +4,7 @@
@@ -12951,6 +13091,15 @@ index 8bf1c06..f723dfd 100644
}
#define _LDT_empty(info) \
+@@ -287,7 +300,7 @@ static inline void load_LDT(mm_context_t *pc)
+ preempt_enable();
+ }
+
+-static inline unsigned long get_desc_base(const struct desc_struct *desc)
++static inline unsigned long __intentional_overflow(-1) get_desc_base(const struct desc_struct *desc)
+ {
+ return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24));
+ }
@@ -311,7 +324,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit)
}
@@ -13053,6 +13202,19 @@ index 278441f..b95a174 100644
};
} __attribute__((packed));
+diff --git a/arch/x86/include/asm/div64.h b/arch/x86/include/asm/div64.h
+index ced283a..ffe04cc 100644
+--- a/arch/x86/include/asm/div64.h
++++ b/arch/x86/include/asm/div64.h
+@@ -39,7 +39,7 @@
+ __mod; \
+ })
+
+-static inline u64 div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
++static inline u64 __intentional_overflow(-1) div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
+ {
+ union {
+ u64 v64;
diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
index 9c999c1..3860cb8 100644
--- a/arch/x86/include/asm/elf.h
@@ -13256,9 +13418,26 @@ index a203659..9889f1c 100644
extern struct legacy_pic *legacy_pic;
extern struct legacy_pic null_legacy_pic;
diff --git a/arch/x86/include/asm/io.h b/arch/x86/include/asm/io.h
-index d8e8eef..15b1179 100644
+index d8e8eef..1765f78 100644
--- a/arch/x86/include/asm/io.h
+++ b/arch/x86/include/asm/io.h
+@@ -51,12 +51,12 @@ static inline void name(type val, volatile void __iomem *addr) \
+ "m" (*(volatile type __force *)addr) barrier); }
+
+ build_mmio_read(readb, "b", unsigned char, "=q", :"memory")
+-build_mmio_read(readw, "w", unsigned short, "=r", :"memory")
+-build_mmio_read(readl, "l", unsigned int, "=r", :"memory")
++build_mmio_read(__intentional_overflow(-1) readw, "w", unsigned short, "=r", :"memory")
++build_mmio_read(__intentional_overflow(-1) readl, "l", unsigned int, "=r", :"memory")
+
+ build_mmio_read(__readb, "b", unsigned char, "=q", )
+-build_mmio_read(__readw, "w", unsigned short, "=r", )
+-build_mmio_read(__readl, "l", unsigned int, "=r", )
++build_mmio_read(__intentional_overflow(-1) __readw, "w", unsigned short, "=r", )
++build_mmio_read(__intentional_overflow(-1) __readl, "l", unsigned int, "=r", )
+
+ build_mmio_write(writeb, "b", unsigned char, "q", :"memory")
+ build_mmio_write(writew, "w", unsigned short, "r", :"memory")
@@ -184,7 +184,7 @@ static inline void __iomem *ioremap(resource_size_t offset, unsigned long size)
return ioremap_nocache(offset, size);
}
@@ -13322,6 +13501,21 @@ index d3ddd17..c9fb0cc 100644
#define flush_insn_slot(p) do { } while (0)
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index dc87b65..85039f9 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -419,8 +419,8 @@ struct kvm_vcpu_arch {
+ gpa_t time;
+ struct pvclock_vcpu_time_info hv_clock;
+ unsigned int hw_tsc_khz;
+- unsigned int time_offset;
+- struct page *time_page;
++ struct gfn_to_hva_cache pv_time;
++ bool pv_time_enabled;
+ /* set guest stopped flag in pvclock flags field */
+ bool pvclock_set_guest_stopped_request;
+
diff --git a/arch/x86/include/asm/local.h b/arch/x86/include/asm/local.h
index 2d89e39..baee879 100644
--- a/arch/x86/include/asm/local.h
@@ -13795,9 +13989,18 @@ index 320f7bb..e89f8f8 100644
extern unsigned long __phys_addr(unsigned long);
#define __phys_reloc_hide(x) (x)
diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h
-index 5edd174..9cf5821 100644
+index 5edd174..c395822 100644
--- a/arch/x86/include/asm/paravirt.h
+++ b/arch/x86/include/asm/paravirt.h
+@@ -564,7 +564,7 @@ static inline pmd_t __pmd(pmdval_t val)
+ return (pmd_t) { ret };
+ }
+
+-static inline pmdval_t pmd_val(pmd_t pmd)
++static inline __intentional_overflow(-1) pmdval_t pmd_val(pmd_t pmd)
+ {
+ pmdval_t ret;
+
@@ -630,6 +630,18 @@ static inline void set_pgd(pgd_t *pgdp, pgd_t pgd)
val);
}
@@ -17379,7 +17582,7 @@ index 4914e94..60b06e3 100644
intel_ds_init();
diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
-index b43200d..7fdcdbb 100644
+index b43200d..d235b3e 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
@@ -2428,7 +2428,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types)
@@ -17387,10 +17590,37 @@ index b43200d..7fdcdbb 100644
{
struct intel_uncore_pmu *pmus;
- struct attribute_group *events_group;
-+ attribute_group_no_const *events_group;
++ attribute_group_no_const *attr_group;
struct attribute **attrs;
int i, j;
+@@ -2455,19 +2455,19 @@ static int __init uncore_type_init(struct intel_uncore_type *type)
+ while (type->event_descs[i].attr.attr.name)
+ i++;
+
+- events_group = kzalloc(sizeof(struct attribute *) * (i + 1) +
+- sizeof(*events_group), GFP_KERNEL);
+- if (!events_group)
++ attr_group = kzalloc(sizeof(struct attribute *) * (i + 1) +
++ sizeof(*attr_group), GFP_KERNEL);
++ if (!attr_group)
+ goto fail;
+
+- attrs = (struct attribute **)(events_group + 1);
+- events_group->name = "events";
+- events_group->attrs = attrs;
++ attrs = (struct attribute **)(attr_group + 1);
++ attr_group->name = "events";
++ attr_group->attrs = attrs;
+
+ for (j = 0; j < i; j++)
+ attrs[j] = &type->event_descs[j].attr.attr;
+
+- type->events_group = events_group;
++ type->events_group = attr_group;
+ }
+
+ type->pmu_group = &uncore_pmu_attr_group;
@@ -2826,7 +2826,7 @@ static int
return NOTIFY_OK;
}
@@ -22215,7 +22445,7 @@ index 8b24289..d37b58b 100644
bss_resource.start = virt_to_phys(&__bss_start);
bss_resource.end = virt_to_phys(&__bss_stop)-1;
diff --git a/arch/x86/kernel/setup_percpu.c b/arch/x86/kernel/setup_percpu.c
-index 5cdff03..5810740 100644
+index 5cdff03..80fa283 100644
--- a/arch/x86/kernel/setup_percpu.c
+++ b/arch/x86/kernel/setup_percpu.c
@@ -21,19 +21,17 @@
@@ -22242,6 +22472,15 @@ index 5cdff03..5810740 100644
[0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
};
EXPORT_SYMBOL(__per_cpu_offset);
+@@ -66,7 +64,7 @@ static bool __init pcpu_need_numa(void)
+ {
+ #ifdef CONFIG_NEED_MULTIPLE_NODES
+ pg_data_t *last = NULL;
+- unsigned int cpu;
++ int cpu;
+
+ for_each_possible_cpu(cpu) {
+ int node = early_cpu_to_node(cpu);
@@ -155,10 +153,10 @@ static inline void setup_percpu_segment(int cpu)
{
#ifdef CONFIG_X86_32
@@ -23748,10 +23987,64 @@ index 9120ae1..238abc0 100644
vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index c243b81..9eb193f 100644
+index c243b81..b692af3 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
-@@ -1692,8 +1692,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
+@@ -1408,10 +1408,9 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
+ unsigned long flags, this_tsc_khz;
+ struct kvm_vcpu_arch *vcpu = &v->arch;
+ struct kvm_arch *ka = &v->kvm->arch;
+- void *shared_kaddr;
+ s64 kernel_ns, max_kernel_ns;
+ u64 tsc_timestamp, host_tsc;
+- struct pvclock_vcpu_time_info *guest_hv_clock;
++ struct pvclock_vcpu_time_info guest_hv_clock;
+ u8 pvclock_flags;
+ bool use_master_clock;
+
+@@ -1465,7 +1464,7 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
+
+ local_irq_restore(flags);
+
+- if (!vcpu->time_page)
++ if (!vcpu->pv_time_enabled)
+ return 0;
+
+ /*
+@@ -1527,12 +1526,12 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
+ */
+ vcpu->hv_clock.version += 2;
+
+- shared_kaddr = kmap_atomic(vcpu->time_page);
+-
+- guest_hv_clock = shared_kaddr + vcpu->time_offset;
++ if (unlikely(kvm_read_guest_cached(v->kvm, &vcpu->pv_time,
++ &guest_hv_clock, sizeof(guest_hv_clock))))
++ return 0;
+
+ /* retain PVCLOCK_GUEST_STOPPED if set in guest copy */
+- pvclock_flags = (guest_hv_clock->flags & PVCLOCK_GUEST_STOPPED);
++ pvclock_flags = (guest_hv_clock.flags & PVCLOCK_GUEST_STOPPED);
+
+ if (vcpu->pvclock_set_guest_stopped_request) {
+ pvclock_flags |= PVCLOCK_GUEST_STOPPED;
+@@ -1545,12 +1544,9 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
+
+ vcpu->hv_clock.flags = pvclock_flags;
+
+- memcpy(shared_kaddr + vcpu->time_offset, &vcpu->hv_clock,
+- sizeof(vcpu->hv_clock));
+-
+- kunmap_atomic(shared_kaddr);
+-
+- mark_page_dirty(v->kvm, vcpu->time >> PAGE_SHIFT);
++ kvm_write_guest_cached(v->kvm, &vcpu->pv_time,
++ &vcpu->hv_clock,
++ sizeof(vcpu->hv_clock));
+ return 0;
+ }
+
+@@ -1692,8 +1688,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
{
struct kvm *kvm = vcpu->kvm;
int lm = is_long_mode(vcpu);
@@ -23762,7 +24055,51 @@ index c243b81..9eb193f 100644
u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
: kvm->arch.xen_hvm_config.blob_size_32;
u32 page_num = data & ~PAGE_MASK;
-@@ -2571,6 +2571,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
+@@ -1839,10 +1835,7 @@ static int kvm_pv_enable_async_pf(struct kvm_vcpu *vcpu, u64 data)
+
+ static void kvmclock_reset(struct kvm_vcpu *vcpu)
+ {
+- if (vcpu->arch.time_page) {
+- kvm_release_page_dirty(vcpu->arch.time_page);
+- vcpu->arch.time_page = NULL;
+- }
++ vcpu->arch.pv_time_enabled = false;
+ }
+
+ static void accumulate_steal_time(struct kvm_vcpu *vcpu)
+@@ -1948,6 +1941,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ break;
+ case MSR_KVM_SYSTEM_TIME_NEW:
+ case MSR_KVM_SYSTEM_TIME: {
++ u64 gpa_offset;
+ kvmclock_reset(vcpu);
+
+ vcpu->arch.time = data;
+@@ -1957,14 +1951,17 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ if (!(data & 1))
+ break;
+
+- /* ...but clean it before doing the actual write */
+- vcpu->arch.time_offset = data & ~(PAGE_MASK | 1);
++ gpa_offset = data & ~(PAGE_MASK | 1);
+
+- vcpu->arch.time_page =
+- gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);
++ /* Check that the address is 32-byte aligned. */
++ if (gpa_offset & (sizeof(struct pvclock_vcpu_time_info) - 1))
++ break;
+
+- if (is_error_page(vcpu->arch.time_page))
+- vcpu->arch.time_page = NULL;
++ if (kvm_gfn_to_hva_cache_init(vcpu->kvm,
++ &vcpu->arch.pv_time, data & ~1ULL))
++ vcpu->arch.pv_time_enabled = false;
++ else
++ vcpu->arch.pv_time_enabled = true;
+
+ break;
+ }
+@@ -2571,6 +2568,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
if (n < msr_list.nmsrs)
goto out;
r = -EFAULT;
@@ -23771,7 +24108,7 @@ index c243b81..9eb193f 100644
if (copy_to_user(user_msr_list->indices, &msrs_to_save,
num_msrs_to_save * sizeof(u32)))
goto out;
-@@ -2700,7 +2702,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu,
+@@ -2700,7 +2699,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu,
static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
struct kvm_interrupt *irq)
{
@@ -23780,7 +24117,16 @@ index c243b81..9eb193f 100644
return -EINVAL;
if (irqchip_in_kernel(vcpu->kvm))
return -ENXIO;
-@@ -5213,7 +5215,7 @@ static struct notifier_block pvclock_gtod_notifier = {
+@@ -2967,7 +2966,7 @@ static int kvm_vcpu_ioctl_x86_set_xcrs(struct kvm_vcpu *vcpu,
+ */
+ static int kvm_set_guest_paused(struct kvm_vcpu *vcpu)
+ {
+- if (!vcpu->arch.time_page)
++ if (!vcpu->arch.pv_time_enabled)
+ return -EINVAL;
+ vcpu->arch.pvclock_set_guest_stopped_request = true;
+ kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu);
+@@ -5213,7 +5212,7 @@ static struct notifier_block pvclock_gtod_notifier = {
};
#endif
@@ -23789,6 +24135,14 @@ index c243b81..9eb193f 100644
{
int r;
struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
+@@ -6661,6 +6660,7 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
+ goto fail_free_wbinvd_dirty_mask;
+
+ vcpu->arch.ia32_tsc_adjust_msr = 0x0;
++ vcpu->arch.pv_time_enabled = false;
+ kvm_async_pf_hash_reset(vcpu);
+ kvm_pmu_init(vcpu);
+
diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c
index df4176c..23ce092 100644
--- a/arch/x86/lguest/boot.c
@@ -26731,7 +27085,7 @@ index 903ec1e..c4166b2 100644
}
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
-index fb674fd..272f369 100644
+index fb674fd..1be28b9 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -13,12 +13,19 @@
@@ -26917,7 +27271,7 @@ index fb674fd..272f369 100644
if (pte && pte_present(*pte) && !pte_exec(*pte))
- printk(nx_warning, from_kuid(&init_user_ns, current_uid()));
-+ printk(nx_warning, from_kuid(&init_user_ns, current_uid()), current->comm, task_pid_nr(current));
++ printk(nx_warning, from_kuid_munged(&init_user_ns, current_uid()), current->comm, task_pid_nr(current));
}
+#ifdef CONFIG_PAX_KERNEXEC
@@ -26925,10 +27279,10 @@ index fb674fd..272f369 100644
+ if (current->signal->curr_ip)
+ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
+ &current->signal->curr_ip, current->comm, task_pid_nr(current),
-+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid()));
++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
+ else
+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", current->comm, task_pid_nr(current),
-+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid()));
++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
+ }
+#endif
+
@@ -28427,6 +28781,19 @@ index dc0b727..f612039 100644
{
might_sleep();
if (is_enabled()) /* recheck and proper locking in *_core() */
+diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c
+index 8504f36..5fc68f2 100644
+--- a/arch/x86/mm/numa.c
++++ b/arch/x86/mm/numa.c
+@@ -478,7 +478,7 @@ static bool __init numa_meminfo_cover_memory(const struct numa_meminfo *mi)
+ return true;
+ }
+
+-static int __init numa_register_memblks(struct numa_meminfo *mi)
++static int __init __intentional_overflow(-1) numa_register_memblks(struct numa_meminfo *mi)
+ {
+ unsigned long uninitialized_var(pfn_align);
+ int i, nid;
diff --git a/arch/x86/mm/pageattr-test.c b/arch/x86/mm/pageattr-test.c
index b008656..773eac2 100644
--- a/arch/x86/mm/pageattr-test.c
@@ -28907,6 +29274,28 @@ index a69bcb8..19068ab 100644
/*
* It's enough to flush this one mapping.
+diff --git a/arch/x86/mm/physaddr.c b/arch/x86/mm/physaddr.c
+index d2e2735..5c6586f 100644
+--- a/arch/x86/mm/physaddr.c
++++ b/arch/x86/mm/physaddr.c
+@@ -8,7 +8,7 @@
+
+ #ifdef CONFIG_X86_64
+
+-unsigned long __phys_addr(unsigned long x)
++unsigned long __intentional_overflow(-1) __phys_addr(unsigned long x)
+ {
+ if (x >= __START_KERNEL_map) {
+ x -= __START_KERNEL_map;
+@@ -45,7 +45,7 @@ EXPORT_SYMBOL(__virt_addr_valid);
+ #else
+
+ #ifdef CONFIG_DEBUG_VIRTUAL
+-unsigned long __phys_addr(unsigned long x)
++unsigned long __intentional_overflow(-1) __phys_addr(unsigned long x)
+ {
+ /* VMALLOC_* aren't constants */
+ VIRTUAL_BUG_ON(x < PAGE_OFFSET);
diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c
index 410531d..0f16030 100644
--- a/arch/x86/mm/setup_nx.c
@@ -30136,10 +30525,10 @@ index d6ee929..3637cb5 100644
.getproplen = olpc_dt_getproplen,
.getproperty = olpc_dt_getproperty,
diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c
-index 120cee1..b2db75a 100644
+index 3c68768..07e82b8 100644
--- a/arch/x86/power/cpu.c
+++ b/arch/x86/power/cpu.c
-@@ -133,7 +133,7 @@ static void do_fpu_end(void)
+@@ -134,7 +134,7 @@ static void do_fpu_end(void)
static void fix_processor_context(void)
{
int cpu = smp_processor_id();
@@ -30148,7 +30537,7 @@ index 120cee1..b2db75a 100644
set_tss_desc(cpu, t); /*
* This just modifies memory; should not be
-@@ -143,8 +143,6 @@ static void fix_processor_context(void)
+@@ -144,8 +144,6 @@ static void fix_processor_context(void)
*/
#ifdef CONFIG_X86_64
@@ -31417,6 +31806,19 @@ index ea61ca9..3fdd70d 100644
static void delete_gpe_attr_array(void)
{
+diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
+index 6cd7805..07facb3 100644
+--- a/drivers/ata/libahci.c
++++ b/drivers/ata/libahci.c
+@@ -1230,7 +1230,7 @@ int ahci_kick_engine(struct ata_port *ap)
+ }
+ EXPORT_SYMBOL_GPL(ahci_kick_engine);
+
+-static int ahci_exec_polled_cmd(struct ata_port *ap, int pmp,
++static int __intentional_overflow(-1) ahci_exec_polled_cmd(struct ata_port *ap, int pmp,
+ struct ata_taskfile *tf, int is_cmd, u16 flags,
+ unsigned long timeout_msec)
+ {
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index 46cd3f4..0871ad0 100644
--- a/drivers/ata/libata-core.c
@@ -33037,7 +33439,7 @@ index a9eccfc..f5efe87 100644
static struct asender_cmd asender_tbl[] = {
[P_PING] = { 0, got_Ping },
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
-index ae12512..37fa397 100644
+index 8bc6d39..f492563 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -226,7 +226,7 @@ static int __do_lo_send_write(struct file *file,
@@ -34603,7 +35005,7 @@ index 8a7c48b..72effc2 100644
if (IS_GEN6(dev) || IS_GEN7(dev)) {
seq_printf(m,
diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
-index 5206f24..7af0a0a 100644
+index 99daa89..84ebd44 100644
--- a/drivers/gpu/drm/i915/i915_dma.c
+++ b/drivers/gpu/drm/i915/i915_dma.c
@@ -1253,7 +1253,7 @@ static bool i915_switcheroo_can_switch(struct pci_dev *pdev)
@@ -34616,7 +35018,7 @@ index 5206f24..7af0a0a 100644
return can_switch;
}
diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h
-index 66ad64f..a865871 100644
+index 7339a4b..445aaba 100644
--- a/drivers/gpu/drm/i915/i915_drv.h
+++ b/drivers/gpu/drm/i915/i915_drv.h
@@ -656,7 +656,7 @@ typedef struct drm_i915_private {
@@ -34628,7 +35030,7 @@ index 66ad64f..a865871 100644
/* protects the irq masks */
spinlock_t irq_lock;
-@@ -1103,7 +1103,7 @@ struct drm_i915_gem_object {
+@@ -1102,7 +1102,7 @@ struct drm_i915_gem_object {
* will be page flipped away on the next vblank. When it
* reaches 0, dev_priv->pending_flip_queue will be woken up.
*/
@@ -34637,7 +35039,7 @@ index 66ad64f..a865871 100644
};
#define to_gem_object(obj) (&((struct drm_i915_gem_object *)(obj))->base)
-@@ -1634,7 +1634,7 @@ extern struct i2c_adapter *intel_gmbus_get_adapter(
+@@ -1633,7 +1633,7 @@ extern struct i2c_adapter *intel_gmbus_get_adapter(
struct drm_i915_private *dev_priv, unsigned port);
extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed);
extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit);
@@ -34647,7 +35049,7 @@ index 66ad64f..a865871 100644
return container_of(adapter, struct intel_gmbus, adapter)->force_bit;
}
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
-index 26d08bb..fccb984 100644
+index 26d08bb..e24fb51 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -672,7 +672,7 @@ i915_gem_execbuffer_move_to_gpu(struct intel_ring_buffer *ring,
@@ -34659,7 +35061,7 @@ index 26d08bb..fccb984 100644
flush_domains |= obj->base.write_domain;
}
-@@ -703,9 +703,9 @@ i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec)
+@@ -703,18 +703,23 @@ i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec)
static int
validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
@@ -34668,9 +35070,35 @@ index 26d08bb..fccb984 100644
{
- int i;
+ unsigned int i;
++ int relocs_total = 0;
++ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
for (i = 0; i < count; i++) {
char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
+ int length; /* limited by fault_in_pages_readable() */
+
+- /* First check for malicious input causing overflow */
+- if (exec[i].relocation_count >
+- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
++ /* First check for malicious input causing overflow in
++ * the worst case where we need to allocate the entire
++ * relocation tree as a single array.
++ */
++ if (exec[i].relocation_count > relocs_max - relocs_total)
+ return -EINVAL;
++ relocs_total += exec[i].relocation_count;
+
+ length = exec[i].relocation_count *
+ sizeof(struct drm_i915_gem_relocation_entry);
+@@ -1197,7 +1202,7 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data,
+ return -ENOMEM;
+ }
+ ret = copy_from_user(exec2_list,
+- (struct drm_i915_relocation_entry __user *)
++ (struct drm_i915_gem_exec_object2 __user *)
+ (uintptr_t) args->buffers_ptr,
+ sizeof(*exec2_list) * args->buffer_count);
+ if (ret != 0) {
diff --git a/drivers/gpu/drm/i915/i915_ioc32.c b/drivers/gpu/drm/i915/i915_ioc32.c
index 3c59584..500f2e9 100644
--- a/drivers/gpu/drm/i915/i915_ioc32.c
@@ -34707,10 +35135,10 @@ index 3c59584..500f2e9 100644
return ret;
diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
-index 3c00403..5a5c6c9 100644
+index fe84338..a863190 100644
--- a/drivers/gpu/drm/i915/i915_irq.c
+++ b/drivers/gpu/drm/i915/i915_irq.c
-@@ -539,7 +539,7 @@ static irqreturn_t valleyview_irq_handler(int irq, void *arg)
+@@ -535,7 +535,7 @@ static irqreturn_t valleyview_irq_handler(int irq, void *arg)
u32 pipe_stats[I915_MAX_PIPES];
bool blc_event;
@@ -34719,7 +35147,7 @@ index 3c00403..5a5c6c9 100644
while (true) {
iir = I915_READ(VLV_IIR);
-@@ -692,7 +692,7 @@ static irqreturn_t ivybridge_irq_handler(int irq, void *arg)
+@@ -688,7 +688,7 @@ static irqreturn_t ivybridge_irq_handler(int irq, void *arg)
irqreturn_t ret = IRQ_NONE;
int i;
@@ -34728,7 +35156,7 @@ index 3c00403..5a5c6c9 100644
/* disable master interrupt before clearing iir */
de_ier = I915_READ(DEIER);
-@@ -764,7 +764,7 @@ static irqreturn_t ironlake_irq_handler(int irq, void *arg)
+@@ -760,7 +760,7 @@ static irqreturn_t ironlake_irq_handler(int irq, void *arg)
int ret = IRQ_NONE;
u32 de_iir, gt_iir, de_ier, pch_iir, pm_iir;
@@ -34737,7 +35165,7 @@ index 3c00403..5a5c6c9 100644
/* disable master interrupt before clearing iir */
de_ier = I915_READ(DEIER);
-@@ -1791,7 +1791,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev)
+@@ -1787,7 +1787,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev)
{
drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
@@ -34746,7 +35174,7 @@ index 3c00403..5a5c6c9 100644
I915_WRITE(HWSTAM, 0xeffe);
-@@ -1817,7 +1817,7 @@ static void valleyview_irq_preinstall(struct drm_device *dev)
+@@ -1813,7 +1813,7 @@ static void valleyview_irq_preinstall(struct drm_device *dev)
drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
int pipe;
@@ -34755,7 +35183,7 @@ index 3c00403..5a5c6c9 100644
/* VLV magic */
I915_WRITE(VLV_IMR, 0);
-@@ -2112,7 +2112,7 @@ static void i8xx_irq_preinstall(struct drm_device * dev)
+@@ -2108,7 +2108,7 @@ static void i8xx_irq_preinstall(struct drm_device * dev)
drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
int pipe;
@@ -34764,7 +35192,7 @@ index 3c00403..5a5c6c9 100644
for_each_pipe(pipe)
I915_WRITE(PIPESTAT(pipe), 0);
-@@ -2163,7 +2163,7 @@ static irqreturn_t i8xx_irq_handler(int irq, void *arg)
+@@ -2159,7 +2159,7 @@ static irqreturn_t i8xx_irq_handler(int irq, void *arg)
I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT |
I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT;
@@ -34773,7 +35201,7 @@ index 3c00403..5a5c6c9 100644
iir = I915_READ16(IIR);
if (iir == 0)
-@@ -2248,7 +2248,7 @@ static void i915_irq_preinstall(struct drm_device * dev)
+@@ -2244,7 +2244,7 @@ static void i915_irq_preinstall(struct drm_device * dev)
drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
int pipe;
@@ -34782,7 +35210,7 @@ index 3c00403..5a5c6c9 100644
if (I915_HAS_HOTPLUG(dev)) {
I915_WRITE(PORT_HOTPLUG_EN, 0);
-@@ -2343,7 +2343,7 @@ static irqreturn_t i915_irq_handler(int irq, void *arg)
+@@ -2339,7 +2339,7 @@ static irqreturn_t i915_irq_handler(int irq, void *arg)
};
int pipe, ret = IRQ_NONE;
@@ -34791,7 +35219,7 @@ index 3c00403..5a5c6c9 100644
iir = I915_READ(IIR);
do {
-@@ -2469,7 +2469,7 @@ static void i965_irq_preinstall(struct drm_device * dev)
+@@ -2465,7 +2465,7 @@ static void i965_irq_preinstall(struct drm_device * dev)
drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
int pipe;
@@ -34800,7 +35228,7 @@ index 3c00403..5a5c6c9 100644
I915_WRITE(PORT_HOTPLUG_EN, 0);
I915_WRITE(PORT_HOTPLUG_STAT, I915_READ(PORT_HOTPLUG_STAT));
-@@ -2576,7 +2576,7 @@ static irqreturn_t i965_irq_handler(int irq, void *arg)
+@@ -2572,7 +2572,7 @@ static irqreturn_t i965_irq_handler(int irq, void *arg)
int irq_received;
int ret = IRQ_NONE, pipe;
@@ -36214,6 +36642,32 @@ index 1f95bba..9530f87 100644
(u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
sdata, wqe->wr.wr.atomic.swap);
goto send_comp;
+diff --git a/drivers/infiniband/hw/mthca/mthca_cmd.c b/drivers/infiniband/hw/mthca/mthca_cmd.c
+index 9d3e5c1..d9afe4a 100644
+--- a/drivers/infiniband/hw/mthca/mthca_cmd.c
++++ b/drivers/infiniband/hw/mthca/mthca_cmd.c
+@@ -772,7 +772,7 @@ static void mthca_setup_cmd_doorbells(struct mthca_dev *dev, u64 base)
+ mthca_dbg(dev, "Mapped doorbell page for posting FW commands\n");
+ }
+
+-int mthca_QUERY_FW(struct mthca_dev *dev)
++int __intentional_overflow(-1) mthca_QUERY_FW(struct mthca_dev *dev)
+ {
+ struct mthca_mailbox *mailbox;
+ u32 *outbox;
+diff --git a/drivers/infiniband/hw/mthca/mthca_mr.c b/drivers/infiniband/hw/mthca/mthca_mr.c
+index ed9a989..e0c5871 100644
+--- a/drivers/infiniband/hw/mthca/mthca_mr.c
++++ b/drivers/infiniband/hw/mthca/mthca_mr.c
+@@ -426,7 +426,7 @@ static inline u32 adjust_key(struct mthca_dev *dev, u32 key)
+ return key;
+ }
+
+-int mthca_mr_alloc(struct mthca_dev *dev, u32 pd, int buffer_size_shift,
++int __intentional_overflow(-1) mthca_mr_alloc(struct mthca_dev *dev, u32 pd, int buffer_size_shift,
+ u64 iova, u64 total_size, u32 access, struct mthca_mr *mr)
+ {
+ struct mthca_mailbox *mailbox;
diff --git a/drivers/infiniband/hw/nes/nes.c b/drivers/infiniband/hw/nes/nes.c
index 5b152a3..c1f3e83 100644
--- a/drivers/infiniband/hw/nes/nes.c
@@ -37003,6 +37457,19 @@ index a5ebc00..982886f 100644
end_switcher_text - start_switcher_text);
printk(KERN_INFO "lguest: mapped switcher at %p\n",
+diff --git a/drivers/lguest/page_tables.c b/drivers/lguest/page_tables.c
+index 3b62be16..e33134a 100644
+--- a/drivers/lguest/page_tables.c
++++ b/drivers/lguest/page_tables.c
+@@ -532,7 +532,7 @@ void pin_page(struct lg_cpu *cpu, unsigned long vaddr)
+ /*:*/
+
+ #ifdef CONFIG_X86_PAE
+-static void release_pmd(pmd_t *spmd)
++static void __intentional_overflow(-1) release_pmd(pmd_t *spmd)
+ {
+ /* If the entry's not present, there's nothing to release. */
+ if (pmd_flags(*spmd) & _PAGE_PRESENT) {
diff --git a/drivers/lguest/x86/core.c b/drivers/lguest/x86/core.c
index 4af12e1..0e89afe 100644
--- a/drivers/lguest/x86/core.c
@@ -37928,7 +38395,7 @@ index 29b2172..a7c5b31 100644
dev->req->sg.length : dev->req->data_len;
diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
-index fb69baa..cf7ad22 100644
+index fb69baa..3aeea2e 100644
--- a/drivers/message/fusion/mptbase.c
+++ b/drivers/message/fusion/mptbase.c
@@ -6755,8 +6755,13 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v)
@@ -37945,6 +38412,18 @@ index fb69baa..cf7ad22 100644
/*
* Rounding UP to nearest 4-kB boundary here...
*/
+@@ -6769,7 +6774,11 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v)
+ ioc->facts.GlobalCredits);
+
+ seq_printf(m, " Frames @ 0x%p (Dma @ 0x%p)\n",
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ NULL, NULL);
++#else
+ (void *)ioc->alloc, (void *)(ulong)ioc->alloc_dma);
++#endif
+ sz = (ioc->reply_sz * ioc->reply_depth) + 128;
+ seq_printf(m, " {CurRepSz=%d} x {CurRepDepth=%d} = %d bytes ^= 0x%x\n",
+ ioc->reply_sz, ioc->reply_depth, ioc->reply_sz*ioc->reply_depth, sz);
diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c
index fa43c39..daeb158 100644
--- a/drivers/message/fusion/mptsas.c
@@ -38709,10 +39188,10 @@ index 8dd6ba5..419cc1d 100644
struct sm_sysfs_attribute *vendor_attribute;
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
-index b7d45f3..b5c89d9 100644
+index a079da17..f86ffd5 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
-@@ -4861,7 +4861,7 @@ static unsigned int bond_get_num_tx_queues(void)
+@@ -4862,7 +4862,7 @@ static unsigned int bond_get_num_tx_queues(void)
return tx_queues;
}
@@ -39022,10 +39501,10 @@ index 1e9cb0b..7839125 100644
priv = netdev_priv(dev);
priv->phy = phy;
diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
-index d3fb97d..19520c7 100644
+index e5cb723..1fc0461 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
-@@ -851,13 +851,15 @@ static const struct nla_policy macvlan_policy[IFLA_MACVLAN_MAX + 1] = {
+@@ -852,13 +852,15 @@ static const struct nla_policy macvlan_policy[IFLA_MACVLAN_MAX + 1] = {
int macvlan_link_register(struct rtnl_link_ops *ops)
{
/* common fields */
@@ -39048,7 +39527,7 @@ index d3fb97d..19520c7 100644
return rtnl_link_register(ops);
};
-@@ -913,7 +915,7 @@ static int macvlan_device_event(struct notifier_block *unused,
+@@ -914,7 +916,7 @@ static int macvlan_device_event(struct notifier_block *unused,
return NOTIFY_DONE;
}
@@ -39105,10 +39584,10 @@ index 508570e..f706dc7 100644
err = 0;
break;
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
-index ad86660..9fd0884 100644
+index 8efe47a..a8075c5 100644
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
-@@ -2601,7 +2601,7 @@ static int team_device_event(struct notifier_block *unused,
+@@ -2603,7 +2603,7 @@ static int team_device_event(struct notifier_block *unused,
return NOTIFY_DONE;
}
@@ -39118,10 +39597,10 @@ index ad86660..9fd0884 100644
};
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
-index 2917a86..edd463f 100644
+index cb95fe5..a5bdab5 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
-@@ -1836,7 +1836,7 @@ unlock:
+@@ -1838,7 +1838,7 @@ unlock:
}
static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
@@ -39130,7 +39609,7 @@ index 2917a86..edd463f 100644
{
struct tun_file *tfile = file->private_data;
struct tun_struct *tun;
-@@ -1848,6 +1848,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
+@@ -1850,6 +1850,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
int vnet_hdr_sz;
int ret;
@@ -39232,7 +39711,7 @@ index cd8ccb2..cff5144 100644
hso_start_serial_device(serial_table[i], GFP_NOIO);
hso_kick_transmit(dev2ser(serial_table[i]));
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
-index 656230e..15525a8 100644
+index 6993bfa..9053a34 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -1428,7 +1428,7 @@ nla_put_failure:
@@ -39244,6 +39723,19 @@ index 656230e..15525a8 100644
.kind = "vxlan",
.maxtype = IFLA_VXLAN_MAX,
.policy = vxlan_policy,
+diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c
+index 77fa428..996b355 100644
+--- a/drivers/net/wireless/at76c50x-usb.c
++++ b/drivers/net/wireless/at76c50x-usb.c
+@@ -353,7 +353,7 @@ static int at76_dfu_get_state(struct usb_device *udev, u8 *state)
+ }
+
+ /* Convert timeout from the DFU status to jiffies */
+-static inline unsigned long at76_get_timeout(struct dfu_status *s)
++static inline unsigned long __intentional_overflow(-1) at76_get_timeout(struct dfu_status *s)
+ {
+ return msecs_to_jiffies((s->poll_timeout[2] << 16)
+ | (s->poll_timeout[1] << 8)
diff --git a/drivers/net/wireless/ath/ath9k/ar9002_mac.c b/drivers/net/wireless/ath/ath9k/ar9002_mac.c
index 8d78253..bebbb68 100644
--- a/drivers/net/wireless/ath/ath9k/ar9002_mac.c
@@ -39848,6 +40340,19 @@ index ed2c3ec..deda85a 100644
start_switch_worker();
}
+diff --git a/drivers/oprofile/oprofile_files.c b/drivers/oprofile/oprofile_files.c
+index 84a208d..d61b0a1 100644
+--- a/drivers/oprofile/oprofile_files.c
++++ b/drivers/oprofile/oprofile_files.c
+@@ -27,7 +27,7 @@ unsigned long oprofile_time_slice;
+
+ #ifdef CONFIG_OPROFILE_EVENT_MULTIPLEX
+
+-static ssize_t timeout_read(struct file *file, char __user *buf,
++static ssize_t __intentional_overflow(-1) timeout_read(struct file *file, char __user *buf,
+ size_t count, loff_t *offset)
+ {
+ return oprofilefs_ulong_to_user(jiffies_to_msecs(oprofile_time_slice),
diff --git a/drivers/oprofile/oprofile_stats.c b/drivers/oprofile/oprofile_stats.c
index 917d28e..d62d981 100644
--- a/drivers/oprofile/oprofile_stats.c
@@ -40469,7 +40974,7 @@ index cc439fd..8fa30df 100644
#endif /* CONFIG_SYSFS */
diff --git a/drivers/power/power_supply_core.c b/drivers/power/power_supply_core.c
-index 8a7cfb3..493e0a2 100644
+index 8a7cfb3..72e6e9b 100644
--- a/drivers/power/power_supply_core.c
+++ b/drivers/power/power_supply_core.c
@@ -24,7 +24,10 @@
@@ -40484,11 +40989,12 @@ index 8a7cfb3..493e0a2 100644
static int __power_supply_changed_work(struct device *dev, void *data)
{
-@@ -393,7 +396,6 @@ static int __init power_supply_class_init(void)
+@@ -393,7 +396,7 @@ static int __init power_supply_class_init(void)
return PTR_ERR(power_supply_class);
power_supply_class->dev_uevent = power_supply_uevent;
- power_supply_init_attrs(&power_supply_dev_type);
++ power_supply_init_attrs();
return 0;
}
@@ -42429,10 +42935,10 @@ index 19083ef..6e34e97 100644
}
EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
-index 79ff3a5..1fe9399 100644
+index ac35c90..c47deac 100644
--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
-@@ -791,8 +791,10 @@ static void __init unix98_pty_init(void)
+@@ -790,8 +790,10 @@ static void __init unix98_pty_init(void)
panic("Couldn't register Unix98 pts driver");
/* Now create the /dev/ptmx special device */
@@ -43436,75 +43942,6 @@ index 35f10bf..6a38a0b 100644
if (!left--) {
if (instance->disconnected)
-diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
-index 5f0cb41..122d056 100644
---- a/drivers/usb/class/cdc-wdm.c
-+++ b/drivers/usb/class/cdc-wdm.c
-@@ -56,6 +56,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids);
- #define WDM_RESPONDING 7
- #define WDM_SUSPENDING 8
- #define WDM_RESETTING 9
-+#define WDM_OVERFLOW 10
-
- #define WDM_MAX 16
-
-@@ -155,6 +156,7 @@ static void wdm_in_callback(struct urb *urb)
- {
- struct wdm_device *desc = urb->context;
- int status = urb->status;
-+ int length = urb->actual_length;
-
- spin_lock(&desc->iuspin);
- clear_bit(WDM_RESPONDING, &desc->flags);
-@@ -185,9 +187,17 @@ static void wdm_in_callback(struct urb *urb)
- }
-
- desc->rerr = status;
-- desc->reslength = urb->actual_length;
-- memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength);
-- desc->length += desc->reslength;
-+ if (length + desc->length > desc->wMaxCommand) {
-+ /* The buffer would overflow */
-+ set_bit(WDM_OVERFLOW, &desc->flags);
-+ } else {
-+ /* we may already be in overflow */
-+ if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
-+ memmove(desc->ubuf + desc->length, desc->inbuf, length);
-+ desc->length += length;
-+ desc->reslength = length;
-+ }
-+ }
- skip_error:
- wake_up(&desc->wait);
-
-@@ -435,6 +445,11 @@ retry:
- rv = -ENODEV;
- goto err;
- }
-+ if (test_bit(WDM_OVERFLOW, &desc->flags)) {
-+ clear_bit(WDM_OVERFLOW, &desc->flags);
-+ rv = -ENOBUFS;
-+ goto err;
-+ }
- i++;
- if (file->f_flags & O_NONBLOCK) {
- if (!test_bit(WDM_READ, &desc->flags)) {
-@@ -478,6 +493,7 @@ retry:
- spin_unlock_irq(&desc->iuspin);
- goto retry;
- }
-+
- if (!desc->reslength) { /* zero length read */
- dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__);
- clear_bit(WDM_READ, &desc->flags);
-@@ -1004,6 +1020,7 @@ static int wdm_post_reset(struct usb_interface *intf)
- struct wdm_device *desc = wdm_find_device(intf);
- int rv;
-
-+ clear_bit(WDM_OVERFLOW, &desc->flags);
- clear_bit(WDM_RESETTING, &desc->flags);
- rv = recover_from_urb_loss(desc);
- mutex_unlock(&desc->wlock);
diff --git a/drivers/usb/core/devices.c b/drivers/usb/core/devices.c
index cbacea9..246cccd 100644
--- a/drivers/usb/core/devices.c
@@ -43558,6 +43995,19 @@ index 8e64adf..9a33a3c 100644
if (atomic_read(&urb->reject))
wake_up(&usb_kill_urb_queue);
usb_put_urb(urb);
+diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
+index 131f736..99004c3 100644
+--- a/drivers/usb/core/message.c
++++ b/drivers/usb/core/message.c
+@@ -129,7 +129,7 @@ static int usb_internal_control_msg(struct usb_device *usb_dev,
+ * method can wait for it to complete. Since you don't have a handle on the
+ * URB used, you can't cancel the request.
+ */
+-int usb_control_msg(struct usb_device *dev, unsigned int pipe, __u8 request,
++int __intentional_overflow(-1) usb_control_msg(struct usb_device *dev, unsigned int pipe, __u8 request,
+ __u8 requesttype, __u16 value, __u16 index, void *data,
+ __u16 size, int timeout)
+ {
diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
index 818e4a0..0fc9589 100644
--- a/drivers/usb/core/sysfs.c
@@ -47264,6 +47714,28 @@ index 03bc1d3..6205356 100644
else {
qstr.len = autofs4_getpath(sbi, dentry, &name);
if (!qstr.len) {
+diff --git a/fs/befs/endian.h b/fs/befs/endian.h
+index 2722387..c8dd2a7 100644
+--- a/fs/befs/endian.h
++++ b/fs/befs/endian.h
+@@ -11,7 +11,7 @@
+
+ #include <asm/byteorder.h>
+
+-static inline u64
++static inline u64 __intentional_overflow(-1)
+ fs64_to_cpu(const struct super_block *sb, fs64 n)
+ {
+ if (BEFS_SB(sb)->byte_order == BEFS_BYTESEX_LE)
+@@ -29,7 +29,7 @@ cpu_to_fs64(const struct super_block *sb, u64 n)
+ return (__force fs64)cpu_to_be64(n);
+ }
+
+-static inline u32
++static inline u32 __intentional_overflow(-1)
+ fs32_to_cpu(const struct super_block *sb, fs32 n)
+ {
+ if (BEFS_SB(sb)->byte_order == BEFS_BYTESEX_LE)
diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c
index 2b3bda8..6a2d4be 100644
--- a/fs/befs/linuxvfs.c
@@ -47358,7 +47830,7 @@ index 6043567..16a9239 100644
fd_offset + ex.a_text);
if (error != N_DATADDR(ex)) {
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 0c42cdb..9551bb8 100644
+index 0c42cdb..12478dd 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -33,6 +33,7 @@
@@ -47855,7 +48327,7 @@ index 0c42cdb..9551bb8 100644
loc = kmalloc(sizeof(*loc), GFP_KERNEL);
if (!loc) {
-@@ -715,11 +1050,82 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -715,11 +1050,81 @@ static int load_elf_binary(struct linux_binprm *bprm)
goto out_free_dentry;
/* OK, This is the point of no return */
@@ -47876,7 +48348,6 @@ index 0c42cdb..9551bb8 100644
+#ifdef CONFIG_PAX_ASLR
+ current->mm->delta_mmap = 0UL;
+ current->mm->delta_stack = 0UL;
-+ current->mm->aslr_gap = 0UL;
+#endif
+
+ current->mm->def_flags = 0;
@@ -47939,7 +48410,7 @@ index 0c42cdb..9551bb8 100644
if (elf_read_implies_exec(loc->elf_ex, executable_stack))
current->personality |= READ_IMPLIES_EXEC;
-@@ -810,6 +1216,20 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -810,6 +1215,20 @@ static int load_elf_binary(struct linux_binprm *bprm)
#else
load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
#endif
@@ -47960,7 +48431,7 @@ index 0c42cdb..9551bb8 100644
}
error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
-@@ -842,9 +1262,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -842,9 +1261,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
* allowed task size. Note that p_filesz must always be
* <= p_memsz so it is only necessary to check p_memsz.
*/
@@ -47973,7 +48444,7 @@ index 0c42cdb..9551bb8 100644
/* set_brk can never work. Avoid overflows. */
send_sig(SIGKILL, current, 0);
retval = -EINVAL;
-@@ -883,17 +1303,44 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -883,17 +1302,45 @@ static int load_elf_binary(struct linux_binprm *bprm)
goto out_free_dentry;
}
if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
@@ -47989,23 +48460,24 @@ index 0c42cdb..9551bb8 100644
+#ifdef CONFIG_PAX_RANDMMAP
+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
-+ unsigned long start, size;
++ unsigned long start, size, flags, vm_flags;
+
+ start = ELF_PAGEALIGN(elf_brk);
+ size = PAGE_SIZE + ((pax_get_random_long() & ((1UL << 22) - 1UL)) << 4);
-+ down_read(&current->mm->mmap_sem);
-+ retval = -ENOMEM;
-+ if (!find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) {
-+ unsigned long prot = PROT_NONE;
++ flags = MAP_FIXED | MAP_PRIVATE;
++ vm_flags = VM_DONTEXPAND | VM_DONTDUMP;
+
-+ up_read(&current->mm->mmap_sem);
-+ current->mm->aslr_gap += PAGE_ALIGN(size) >> PAGE_SHIFT;
++ down_write(&current->mm->mmap_sem);
++ start = get_unmapped_area(NULL, start, PAGE_ALIGN(size), 0, flags);
++ retval = -ENOMEM;
++ if (!IS_ERR_VALUE(start) && !find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) {
+// if (current->personality & ADDR_NO_RANDOMIZE)
-+// prot = PROT_READ;
-+ start = vm_mmap(NULL, start, size, prot, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0);
++// vm_flags |= VM_READ | VM_MAYREAD;
++ start = mmap_region(NULL, start, PAGE_ALIGN(size), flags, vm_flags, 0);
++ up_write(&current->mm->mmap_sem);
+ retval = IS_ERR_VALUE(start) ? start : 0;
+ } else
-+ up_read(&current->mm->mmap_sem);
++ up_write(&current->mm->mmap_sem);
+ if (retval == 0)
+ retval = set_brk(start + size, start + size + PAGE_SIZE);
+ if (retval < 0) {
@@ -48301,7 +48773,7 @@ index b96fc6c..431d628 100644
__bio_for_each_segment(bvec, bio, i, 0) {
char *addr = page_address(bvec->bv_page);
diff --git a/fs/block_dev.c b/fs/block_dev.c
-index 78333a3..23dcb4d 100644
+index 78edf76..da14f3f 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -651,7 +651,7 @@ static bool bd_may_claim(struct block_device *bdev, struct block_device *whole,
@@ -49492,7 +49964,7 @@ index b2a34a1..162fa69 100644
return rc;
}
diff --git a/fs/exec.c b/fs/exec.c
-index 20df02c..81c9e78 100644
+index 20df02c..09b65a1 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,6 +55,17 @@
@@ -49617,28 +50089,16 @@ index 20df02c..81c9e78 100644
return 0;
err:
up_write(&mm->mmap_sem);
-@@ -384,19 +421,7 @@ err:
- return err;
- }
+@@ -396,7 +433,7 @@ struct user_arg_ptr {
+ } ptr;
+ };
--struct user_arg_ptr {
--#ifdef CONFIG_COMPAT
-- bool is_compat;
--#endif
-- union {
-- const char __user *const __user *native;
--#ifdef CONFIG_COMPAT
-- const compat_uptr_t __user *compat;
--#endif
-- } ptr;
--};
--
-static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
+const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
{
const char __user *native;
-@@ -405,14 +430,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
+@@ -405,14 +442,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
compat_uptr_t compat;
if (get_user(compat, argv.ptr.compat + nr))
@@ -49655,7 +50115,7 @@ index 20df02c..81c9e78 100644
return native;
}
-@@ -431,7 +456,7 @@ static int count(struct user_arg_ptr argv, int max)
+@@ -431,7 +468,7 @@ static int count(struct user_arg_ptr argv, int max)
if (!p)
break;
@@ -49664,7 +50124,7 @@ index 20df02c..81c9e78 100644
return -EFAULT;
if (i >= max)
-@@ -466,7 +491,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv,
+@@ -466,7 +503,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv,
ret = -EFAULT;
str = get_user_arg_ptr(argv, argc);
@@ -49673,7 +50133,7 @@ index 20df02c..81c9e78 100644
goto out;
len = strnlen_user(str, MAX_ARG_STRLEN);
-@@ -548,7 +573,7 @@ int copy_strings_kernel(int argc, const char *const *__argv,
+@@ -548,7 +585,7 @@ int copy_strings_kernel(int argc, const char *const *__argv,
int r;
mm_segment_t oldfs = get_fs();
struct user_arg_ptr argv = {
@@ -49682,7 +50142,7 @@ index 20df02c..81c9e78 100644
};
set_fs(KERNEL_DS);
-@@ -583,7 +608,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
+@@ -583,7 +620,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
unsigned long new_end = old_end - shift;
struct mmu_gather tlb;
@@ -49692,7 +50152,7 @@ index 20df02c..81c9e78 100644
/*
* ensure there are no vmas between where we want to go
-@@ -592,6 +618,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
+@@ -592,6 +630,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
if (vma != find_vma(mm, new_start))
return -EFAULT;
@@ -49703,7 +50163,7 @@ index 20df02c..81c9e78 100644
/*
* cover the whole range: [new_start, old_end)
*/
-@@ -672,10 +702,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
+@@ -672,10 +714,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
stack_top = arch_align_stack(stack_top);
stack_top = PAGE_ALIGN(stack_top);
@@ -49714,7 +50174,7 @@ index 20df02c..81c9e78 100644
stack_shift = vma->vm_end - stack_top;
bprm->p -= stack_shift;
-@@ -687,8 +713,28 @@ int setup_arg_pages(struct linux_binprm *bprm,
+@@ -687,8 +725,28 @@ int setup_arg_pages(struct linux_binprm *bprm,
bprm->exec -= stack_shift;
down_write(&mm->mmap_sem);
@@ -49743,7 +50203,7 @@ index 20df02c..81c9e78 100644
/*
* Adjust stack execute permissions; explicitly enable for
* EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
-@@ -707,13 +753,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
+@@ -707,13 +765,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
goto out_unlock;
BUG_ON(prev != vma);
@@ -49757,12 +50217,12 @@ index 20df02c..81c9e78 100644
/* mprotect_fixup is overkill to remove the temporary stack flags */
vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
-@@ -737,6 +776,30 @@ int setup_arg_pages(struct linux_binprm *bprm,
+@@ -737,6 +788,27 @@ int setup_arg_pages(struct linux_binprm *bprm,
#endif
current->mm->start_stack = bprm->p;
ret = expand_stack(vma, stack_base);
+
-+#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_ASLR)
++#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_RANDMMAP)
+ if (!ret && (mm->pax_flags & MF_PAX_RANDMMAP) && STACK_TOP <= 0xFFFFFFFFU && STACK_TOP > vma->vm_end) {
+ unsigned long size, flags, vm_flags;
+
@@ -49774,11 +50234,8 @@ index 20df02c..81c9e78 100644
+
+#ifdef CONFIG_X86
+ if (!ret) {
-+ current->mm->aslr_gap += size >> PAGE_SHIFT;
+ size = mmap_min_addr + ((mm->delta_mmap ^ mm->delta_stack) & (0xFFUL << PAGE_SHIFT));
-+ ret = 0 != mmap_region(NULL, 0, size, flags, vm_flags, 0);
-+ if (!ret)
-+ current->mm->aslr_gap += size >> PAGE_SHIFT;
++ ret = 0 != mmap_region(NULL, 0, PAGE_ALIGN(size), flags, vm_flags, 0);
+ }
+#endif
+
@@ -49788,7 +50245,7 @@ index 20df02c..81c9e78 100644
if (ret)
ret = -EFAULT;
-@@ -772,6 +835,8 @@ struct file *open_exec(const char *name)
+@@ -772,6 +844,8 @@ struct file *open_exec(const char *name)
fsnotify_open(file);
@@ -49797,7 +50254,7 @@ index 20df02c..81c9e78 100644
err = deny_write_access(file);
if (err)
goto exit;
-@@ -795,7 +860,7 @@ int kernel_read(struct file *file, loff_t offset,
+@@ -795,7 +869,7 @@ int kernel_read(struct file *file, loff_t offset,
old_fs = get_fs();
set_fs(get_ds());
/* The cast to a user pointer is valid due to the set_fs() */
@@ -49806,7 +50263,7 @@ index 20df02c..81c9e78 100644
set_fs(old_fs);
return result;
}
-@@ -1247,7 +1312,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
+@@ -1247,7 +1321,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
}
rcu_read_unlock();
@@ -49815,7 +50272,7 @@ index 20df02c..81c9e78 100644
bprm->unsafe |= LSM_UNSAFE_SHARE;
} else {
res = -EAGAIN;
-@@ -1447,6 +1512,28 @@ int search_binary_handler(struct linux_binprm *bprm)
+@@ -1447,6 +1521,31 @@ int search_binary_handler(struct linux_binprm *bprm)
EXPORT_SYMBOL(search_binary_handler);
@@ -49841,10 +50298,13 @@ index 20df02c..81c9e78 100644
+static inline void increment_exec_counter(void) {}
+#endif
+
++extern void gr_handle_exec_args(struct linux_binprm *bprm,
++ struct user_arg_ptr argv);
++
/*
* sys_execve() executes a new program.
*/
-@@ -1454,6 +1541,11 @@ static int do_execve_common(const char *filename,
+@@ -1454,6 +1553,11 @@ static int do_execve_common(const char *filename,
struct user_arg_ptr argv,
struct user_arg_ptr envp)
{
@@ -49856,7 +50316,7 @@ index 20df02c..81c9e78 100644
struct linux_binprm *bprm;
struct file *file;
struct files_struct *displaced;
-@@ -1461,6 +1553,8 @@ static int do_execve_common(const char *filename,
+@@ -1461,6 +1565,8 @@ static int do_execve_common(const char *filename,
int retval;
const struct cred *cred = current_cred();
@@ -49865,7 +50325,7 @@ index 20df02c..81c9e78 100644
/*
* We move the actual failure in case of RLIMIT_NPROC excess from
* set*uid() to execve() because too many poorly written programs
-@@ -1501,12 +1595,27 @@ static int do_execve_common(const char *filename,
+@@ -1501,12 +1607,27 @@ static int do_execve_common(const char *filename,
if (IS_ERR(file))
goto out_unmark;
@@ -49893,7 +50353,7 @@ index 20df02c..81c9e78 100644
retval = bprm_mm_init(bprm);
if (retval)
goto out_file;
-@@ -1523,24 +1632,65 @@ static int do_execve_common(const char *filename,
+@@ -1523,24 +1644,65 @@ static int do_execve_common(const char *filename,
if (retval < 0)
goto out;
@@ -49963,7 +50423,7 @@ index 20df02c..81c9e78 100644
current->fs->in_exec = 0;
current->in_execve = 0;
acct_update_integrals(current);
-@@ -1549,6 +1699,14 @@ static int do_execve_common(const char *filename,
+@@ -1549,6 +1711,14 @@ static int do_execve_common(const char *filename,
put_files_struct(displaced);
return retval;
@@ -49978,7 +50438,7 @@ index 20df02c..81c9e78 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1697,3 +1855,253 @@ asmlinkage long compat_sys_execve(const char __user * filename,
+@@ -1697,3 +1867,253 @@ asmlinkage long compat_sys_execve(const char __user * filename,
return error;
}
#endif
@@ -50099,7 +50559,7 @@ index 20df02c..81c9e78 100644
+ else
+ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
+ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
-+ from_kuid(&init_user_ns, task_uid(tsk)), from_kuid(&init_user_ns, task_euid(tsk)), pc, sp);
++ from_kuid_munged(&init_user_ns, task_uid(tsk)), from_kuid_munged(&init_user_ns, task_euid(tsk)), pc, sp);
+ free_page((unsigned long)buffer_exec);
+ free_page((unsigned long)buffer_fault);
+ pax_report_insns(regs, pc, sp);
@@ -50118,10 +50578,10 @@ index 20df02c..81c9e78 100644
+ if (current->signal->curr_ip)
+ printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
+ &current->signal->curr_ip, current->comm, task_pid_nr(current),
-+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid()));
++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
+ else
+ printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", current->comm, task_pid_nr(current),
-+ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid()));
++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
+ print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
+ show_regs(regs);
+ force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
@@ -52337,7 +52797,7 @@ index a94e331..060bce3 100644
lock_flocks();
diff --git a/fs/namei.c b/fs/namei.c
-index ec97aef..eedf4fe 100644
+index ec97aef..e67718d 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -319,16 +319,32 @@ int generic_permission(struct inode *inode, int mask)
@@ -52440,17 +52900,11 @@ index ec97aef..eedf4fe 100644
put_link(nd, &link, cookie);
}
}
-@@ -1984,6 +2002,19 @@ static int path_lookupat(int dfd, const char *name,
+@@ -1984,6 +2002,13 @@ static int path_lookupat(int dfd, const char *name,
if (!err)
err = complete_walk(nd);
+ if (!err && !(nd->flags & LOOKUP_PARENT)) {
-+#ifdef CONFIG_GRKERNSEC
-+ if (flags & LOOKUP_RCU) {
-+ path_put(&nd->path);
-+ err = -ECHILD;
-+ } else
-+#endif
+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
+ path_put(&nd->path);
+ err = -ENOENT;
@@ -52460,26 +52914,24 @@ index ec97aef..eedf4fe 100644
if (!err && nd->flags & LOOKUP_DIRECTORY) {
if (!nd->inode->i_op->lookup) {
path_put(&nd->path);
-@@ -2011,8 +2042,17 @@ static int filename_lookup(int dfd, struct filename *name,
+@@ -2011,8 +2036,15 @@ static int filename_lookup(int dfd, struct filename *name,
retval = path_lookupat(dfd, name->name,
flags | LOOKUP_REVAL, nd);
- if (likely(!retval))
+ if (likely(!retval)) {
+ audit_inode(name, nd->path.dentry, flags & LOOKUP_PARENT);
+ if (name->name[0] != '/' && nd->path.dentry && nd->inode) {
-+#ifdef CONFIG_GRKERNSEC
-+ if (flags & LOOKUP_RCU)
-+ return -ECHILD;
-+#endif
-+ if (!gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
++ if (!gr_chroot_fchdir(nd->path.dentry, nd->path.mnt)) {
++ path_put(&nd->path);
+ return -ENOENT;
++ }
+ }
- audit_inode(name, nd->path.dentry, flags & LOOKUP_PARENT);
+ }
return retval;
}
-@@ -2390,6 +2430,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
+@@ -2390,6 +2422,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
if (flag & O_NOATIME && !inode_owner_or_capable(inode))
return -EPERM;
@@ -52493,7 +52945,7 @@ index ec97aef..eedf4fe 100644
return 0;
}
-@@ -2611,7 +2658,7 @@ looked_up:
+@@ -2611,7 +2650,7 @@ looked_up:
* cleared otherwise prior to returning.
*/
static int lookup_open(struct nameidata *nd, struct path *path,
@@ -52502,7 +52954,7 @@ index ec97aef..eedf4fe 100644
const struct open_flags *op,
bool got_write, int *opened)
{
-@@ -2646,6 +2693,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2646,6 +2685,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
/* Negative dentry, just create the file */
if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
umode_t mode = op->mode;
@@ -52520,7 +52972,7 @@ index ec97aef..eedf4fe 100644
if (!IS_POSIXACL(dir->d_inode))
mode &= ~current_umask();
/*
-@@ -2667,6 +2725,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2667,6 +2717,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
nd->flags & LOOKUP_EXCL);
if (error)
goto out_dput;
@@ -52529,7 +52981,7 @@ index ec97aef..eedf4fe 100644
}
out_no_open:
path->dentry = dentry;
-@@ -2681,7 +2741,7 @@ out_dput:
+@@ -2681,7 +2733,7 @@ out_dput:
/*
* Handle the last step of open()
*/
@@ -52538,16 +52990,10 @@ index ec97aef..eedf4fe 100644
struct file *file, const struct open_flags *op,
int *opened, struct filename *name)
{
-@@ -2710,16 +2770,44 @@ static int do_last(struct nameidata *nd, struct path *path,
+@@ -2710,16 +2762,32 @@ static int do_last(struct nameidata *nd, struct path *path,
error = complete_walk(nd);
if (error)
return error;
-+#ifdef CONFIG_GRKERNSEC
-+ if (nd->flags & LOOKUP_RCU) {
-+ error = -ECHILD;
-+ goto out;
-+ }
-+#endif
+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
+ error = -ENOENT;
+ goto out;
@@ -52566,12 +53012,6 @@ index ec97aef..eedf4fe 100644
error = complete_walk(nd);
if (error)
return error;
-+#ifdef CONFIG_GRKERNSEC
-+ if (nd->flags & LOOKUP_RCU) {
-+ error = -ECHILD;
-+ goto out;
-+ }
-+#endif
+ if (!gr_acl_handle_hidden_file(dir, nd->path.mnt)) {
+ error = -ENOENT;
+ goto out;
@@ -52583,7 +53023,7 @@ index ec97aef..eedf4fe 100644
audit_inode(name, dir, 0);
goto finish_open;
}
-@@ -2768,7 +2856,7 @@ retry_lookup:
+@@ -2768,7 +2836,7 @@ retry_lookup:
*/
}
mutex_lock(&dir->d_inode->i_mutex);
@@ -52592,7 +53032,7 @@ index ec97aef..eedf4fe 100644
mutex_unlock(&dir->d_inode->i_mutex);
if (error <= 0) {
-@@ -2792,11 +2880,28 @@ retry_lookup:
+@@ -2792,11 +2860,28 @@ retry_lookup:
goto finish_open_created;
}
@@ -52622,7 +53062,7 @@ index ec97aef..eedf4fe 100644
/*
* If atomic_open() acquired write access it is dropped now due to
-@@ -2837,6 +2942,11 @@ finish_lookup:
+@@ -2837,6 +2922,11 @@ finish_lookup:
}
}
BUG_ON(inode != path->dentry->d_inode);
@@ -52634,7 +53074,7 @@ index ec97aef..eedf4fe 100644
return 1;
}
-@@ -2846,7 +2956,6 @@ finish_lookup:
+@@ -2846,7 +2936,6 @@ finish_lookup:
save_parent.dentry = nd->path.dentry;
save_parent.mnt = mntget(path->mnt);
nd->path.dentry = path->dentry;
@@ -52642,17 +53082,11 @@ index ec97aef..eedf4fe 100644
}
nd->inode = inode;
/* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */
-@@ -2855,6 +2964,22 @@ finish_lookup:
+@@ -2855,6 +2944,16 @@ finish_lookup:
path_put(&save_parent);
return error;
}
+
-+#ifdef CONFIG_GRKERNSEC
-+ if (nd->flags & LOOKUP_RCU) {
-+ error = -ECHILD;
-+ goto out;
-+ }
-+#endif
+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
+ error = -ENOENT;
+ goto out;
@@ -52665,7 +53099,7 @@ index ec97aef..eedf4fe 100644
error = -EISDIR;
if ((open_flag & O_CREAT) && S_ISDIR(nd->inode->i_mode))
goto out;
-@@ -2953,7 +3078,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -2953,7 +3052,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
if (unlikely(error))
goto out;
@@ -52674,7 +53108,7 @@ index ec97aef..eedf4fe 100644
while (unlikely(error > 0)) { /* trailing symlink */
struct path link = path;
void *cookie;
-@@ -2971,7 +3096,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -2971,7 +3070,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
error = follow_link(&link, nd, &cookie);
if (unlikely(error))
break;
@@ -52683,7 +53117,7 @@ index ec97aef..eedf4fe 100644
put_link(nd, &link, cookie);
}
out:
-@@ -3071,8 +3196,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
+@@ -3071,8 +3170,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
goto unlock;
error = -EEXIST;
@@ -52697,7 +53131,7 @@ index ec97aef..eedf4fe 100644
/*
* Special case - lookup gave negative, but... we had foo/bar/
* From the vfs_mknod() POV we just have a negative dentry -
-@@ -3124,6 +3253,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
+@@ -3124,6 +3227,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
}
EXPORT_SYMBOL(user_path_create);
@@ -52718,7 +53152,7 @@ index ec97aef..eedf4fe 100644
int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
int error = may_create(dir, dentry);
-@@ -3186,6 +3329,17 @@ retry:
+@@ -3186,6 +3303,17 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -52736,7 +53170,7 @@ index ec97aef..eedf4fe 100644
error = security_path_mknod(&path, dentry, mode, dev);
if (error)
goto out;
-@@ -3202,6 +3356,8 @@ retry:
+@@ -3202,6 +3330,8 @@ retry:
break;
}
out:
@@ -52745,7 +53179,7 @@ index ec97aef..eedf4fe 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3254,9 +3410,16 @@ retry:
+@@ -3254,9 +3384,16 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -52762,7 +53196,7 @@ index ec97aef..eedf4fe 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3337,6 +3500,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -3337,6 +3474,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
struct filename *name;
struct dentry *dentry;
struct nameidata nd;
@@ -52771,7 +53205,7 @@ index ec97aef..eedf4fe 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3369,10 +3534,21 @@ retry:
+@@ -3369,10 +3508,21 @@ retry:
error = -ENOENT;
goto exit3;
}
@@ -52793,7 +53227,7 @@ index ec97aef..eedf4fe 100644
exit3:
dput(dentry);
exit2:
-@@ -3438,6 +3614,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -3438,6 +3588,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
struct dentry *dentry;
struct nameidata nd;
struct inode *inode = NULL;
@@ -52802,7 +53236,7 @@ index ec97aef..eedf4fe 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3464,10 +3642,22 @@ retry:
+@@ -3464,10 +3616,22 @@ retry:
if (!inode)
goto slashes;
ihold(inode);
@@ -52825,7 +53259,7 @@ index ec97aef..eedf4fe 100644
exit2:
dput(dentry);
}
-@@ -3545,9 +3735,17 @@ retry:
+@@ -3545,9 +3709,17 @@ retry:
if (IS_ERR(dentry))
goto out_putname;
@@ -52843,7 +53277,7 @@ index ec97aef..eedf4fe 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3621,6 +3819,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3621,6 +3793,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
{
struct dentry *new_dentry;
struct path old_path, new_path;
@@ -52851,7 +53285,7 @@ index ec97aef..eedf4fe 100644
int how = 0;
int error;
-@@ -3644,7 +3843,7 @@ retry:
+@@ -3644,7 +3817,7 @@ retry:
if (error)
return error;
@@ -52860,7 +53294,7 @@ index ec97aef..eedf4fe 100644
(how & LOOKUP_REVAL));
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
-@@ -3656,11 +3855,28 @@ retry:
+@@ -3656,11 +3829,28 @@ retry:
error = may_linkat(&old_path);
if (unlikely(error))
goto out_dput;
@@ -52889,7 +53323,7 @@ index ec97aef..eedf4fe 100644
done_path_create(&new_path, new_dentry);
if (retry_estale(error, how)) {
how |= LOOKUP_REVAL;
-@@ -3906,12 +4122,21 @@ retry:
+@@ -3906,12 +4096,21 @@ retry:
if (new_dentry == trap)
goto exit5;
@@ -52911,7 +53345,7 @@ index ec97aef..eedf4fe 100644
exit5:
dput(new_dentry);
exit4:
-@@ -3943,6 +4168,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -3943,6 +4142,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
{
@@ -52920,7 +53354,7 @@ index ec97aef..eedf4fe 100644
int len;
len = PTR_ERR(link);
-@@ -3952,7 +4179,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+@@ -3952,7 +4153,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
len = strlen(link);
if (len > (unsigned) buflen)
len = buflen;
@@ -54913,6 +55347,28 @@ index 1ccfa53..0848f95 100644
} else if (mm) {
pid_t tid = vm_is_stack(priv->task, vma, is_pid);
+diff --git a/fs/qnx6/qnx6.h b/fs/qnx6/qnx6.h
+index b00fcc9..e0c6381 100644
+--- a/fs/qnx6/qnx6.h
++++ b/fs/qnx6/qnx6.h
+@@ -74,7 +74,7 @@ enum {
+ BYTESEX_BE,
+ };
+
+-static inline __u64 fs64_to_cpu(struct qnx6_sb_info *sbi, __fs64 n)
++static inline __u64 __intentional_overflow(-1) fs64_to_cpu(struct qnx6_sb_info *sbi, __fs64 n)
+ {
+ if (sbi->s_bytesex == BYTESEX_LE)
+ return le64_to_cpu((__force __le64)n);
+@@ -90,7 +90,7 @@ static inline __fs64 cpu_to_fs64(struct qnx6_sb_info *sbi, __u64 n)
+ return (__force __fs64)cpu_to_be64(n);
+ }
+
+-static inline __u32 fs32_to_cpu(struct qnx6_sb_info *sbi, __fs32 n)
++static inline __u32 __intentional_overflow(-1) fs32_to_cpu(struct qnx6_sb_info *sbi, __fs32 n)
+ {
+ if (sbi->s_bytesex == BYTESEX_LE)
+ return le32_to_cpu((__force __le32)n);
diff --git a/fs/quota/netlink.c b/fs/quota/netlink.c
index 16e8abb..2dcf914 100644
--- a/fs/quota/netlink.c
@@ -55436,6 +55892,32 @@ index 3c9eb56..9dea5be 100644
if (!IS_ERR(page))
free_page((unsigned long)page);
}
+diff --git a/fs/sysv/sysv.h b/fs/sysv/sysv.h
+index 69d4889..a810bd4 100644
+--- a/fs/sysv/sysv.h
++++ b/fs/sysv/sysv.h
+@@ -188,7 +188,7 @@ static inline u32 PDP_swab(u32 x)
+ #endif
+ }
+
+-static inline __u32 fs32_to_cpu(struct sysv_sb_info *sbi, __fs32 n)
++static inline __u32 __intentional_overflow(-1) fs32_to_cpu(struct sysv_sb_info *sbi, __fs32 n)
+ {
+ if (sbi->s_bytesex == BYTESEX_PDP)
+ return PDP_swab((__force __u32)n);
+diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c
+index e18b988..f1d4ad0f 100644
+--- a/fs/ubifs/io.c
++++ b/fs/ubifs/io.c
+@@ -155,7 +155,7 @@ int ubifs_leb_change(struct ubifs_info *c, int lnum, const void *buf, int len)
+ return err;
+ }
+
+-int ubifs_leb_unmap(struct ubifs_info *c, int lnum)
++int __intentional_overflow(-1) ubifs_leb_unmap(struct ubifs_info *c, int lnum)
+ {
+ int err;
+
diff --git a/fs/udf/misc.c b/fs/udf/misc.c
index c175b4d..8f36a16 100644
--- a/fs/udf/misc.c
@@ -55449,6 +55931,28 @@ index c175b4d..8f36a16 100644
u8 checksum = 0;
int i;
for (i = 0; i < sizeof(struct tag); ++i)
+diff --git a/fs/ufs/swab.h b/fs/ufs/swab.h
+index 8d974c4..b82f6ec 100644
+--- a/fs/ufs/swab.h
++++ b/fs/ufs/swab.h
+@@ -22,7 +22,7 @@ enum {
+ BYTESEX_BE
+ };
+
+-static inline u64
++static inline u64 __intentional_overflow(-1)
+ fs64_to_cpu(struct super_block *sbp, __fs64 n)
+ {
+ if (UFS_SB(sbp)->s_bytesex == BYTESEX_LE)
+@@ -40,7 +40,7 @@ cpu_to_fs64(struct super_block *sbp, u64 n)
+ return (__force __fs64)cpu_to_be64(n);
+ }
+
+-static inline u32
++static inline u32 __intentional_overflow(-1)
+ fs32_to_cpu(struct super_block *sbp, __fs32 n)
+ {
+ if (UFS_SB(sbp)->s_bytesex == BYTESEX_LE)
diff --git a/fs/utimes.c b/fs/utimes.c
index f4fb7ec..3fe03c0 100644
--- a/fs/utimes.c
@@ -56686,10 +57190,10 @@ index 0000000..1b9afa9
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..0767b2e
+index 0000000..ab45812
--- /dev/null
+++ b/grsecurity/gracl.c
-@@ -0,0 +1,4067 @@
+@@ -0,0 +1,4071 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -56717,6 +57221,7 @@ index 0000000..0767b2e
+#include <linux/percpu.h>
+#include <linux/lglock.h>
+#include <linux/hugetlb.h>
++#include <linux/posix-timers.h>
+#include "../fs/mount.h"
+
+#include <asm/uaccess.h>
@@ -59026,6 +59531,9 @@ index 0000000..0767b2e
+
+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
++
++ if (i == RLIMIT_CPU)
++ update_rlimit_cpu(task, proc->res[i].rlim_cur);
+ }
+
+ return;
@@ -63283,10 +63791,10 @@ index 0000000..207d409
+#endif
diff --git a/grsecurity/grsec_exec.c b/grsecurity/grsec_exec.c
new file mode 100644
-index 0000000..abfa971
+index 0000000..387032b
--- /dev/null
+++ b/grsecurity/grsec_exec.c
-@@ -0,0 +1,174 @@
+@@ -0,0 +1,187 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/file.h>
@@ -63298,6 +63806,7 @@ index 0000000..abfa971
+#include <linux/grinternal.h>
+#include <linux/capability.h>
+#include <linux/module.h>
++#include <linux/compat.h>
+
+#include <asm/uaccess.h>
+
@@ -63306,6 +63815,18 @@ index 0000000..abfa971
+static DEFINE_MUTEX(gr_exec_arg_mutex);
+#endif
+
++struct user_arg_ptr {
++#ifdef CONFIG_COMPAT
++ bool is_compat;
++#endif
++ union {
++ const char __user *const __user *native;
++#ifdef CONFIG_COMPAT
++ const compat_uptr_t __user *compat;
++#endif
++ } ptr;
++};
++
+extern const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr);
+
+void
@@ -66379,6 +66900,36 @@ index 42e55de..1cd0e66 100644
extern struct cleancache_ops
cleancache_register_ops(struct cleancache_ops *ops);
+diff --git a/include/linux/compat.h b/include/linux/compat.h
+index dec7e2d..45db13f 100644
+--- a/include/linux/compat.h
++++ b/include/linux/compat.h
+@@ -311,14 +311,14 @@ long compat_sys_msgsnd(int first, int second, int third, void __user *uptr);
+ long compat_sys_msgrcv(int first, int second, int msgtyp, int third,
+ int version, void __user *uptr);
+ long compat_sys_shmat(int first, int second, compat_uptr_t third, int version,
+- void __user *uptr);
++ void __user *uptr) __intentional_overflow(0);
+ #else
+ long compat_sys_semctl(int semid, int semnum, int cmd, int arg);
+ long compat_sys_msgsnd(int msqid, struct compat_msgbuf __user *msgp,
+ compat_ssize_t msgsz, int msgflg);
+ long compat_sys_msgrcv(int msqid, struct compat_msgbuf __user *msgp,
+ compat_ssize_t msgsz, long msgtyp, int msgflg);
+-long compat_sys_shmat(int shmid, compat_uptr_t shmaddr, int shmflg);
++long compat_sys_shmat(int shmid, compat_uptr_t shmaddr, int shmflg) __intentional_overflow(0);
+ #endif
+ long compat_sys_msgctl(int first, int second, void __user *uptr);
+ long compat_sys_shmctl(int first, int second, void __user *uptr);
+@@ -414,7 +414,7 @@ extern int compat_ptrace_request(struct task_struct *child,
+ extern long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
+ compat_ulong_t addr, compat_ulong_t data);
+ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
+- compat_long_t addr, compat_long_t data);
++ compat_ulong_t addr, compat_ulong_t data);
+
+ /*
+ * epoll (fs/eventpoll.c) compat bits follow ...
diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h
index 662fd1b..e801992 100644
--- a/include/linux/compiler-gcc4.h
@@ -66554,6 +67105,27 @@ index dd852b7..72924c0 100644
+#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
#endif /* __LINUX_COMPILER_H */
+diff --git a/include/linux/completion.h b/include/linux/completion.h
+index 51494e6..0fd1b61 100644
+--- a/include/linux/completion.h
++++ b/include/linux/completion.h
+@@ -78,13 +78,13 @@ static inline void init_completion(struct completion *x)
+
+ extern void wait_for_completion(struct completion *);
+ extern int wait_for_completion_interruptible(struct completion *x);
+-extern int wait_for_completion_killable(struct completion *x);
++extern int wait_for_completion_killable(struct completion *x) __intentional_overflow(-1);
+ extern unsigned long wait_for_completion_timeout(struct completion *x,
+ unsigned long timeout);
+ extern long wait_for_completion_interruptible_timeout(
+- struct completion *x, unsigned long timeout);
++ struct completion *x, unsigned long timeout) __intentional_overflow(-1);
+ extern long wait_for_completion_killable_timeout(
+- struct completion *x, unsigned long timeout);
++ struct completion *x, unsigned long timeout) __intentional_overflow(-1);
+ extern bool try_wait_for_completion(struct completion *x);
+ extern bool completion_done(struct completion *x);
+
diff --git a/include/linux/configfs.h b/include/linux/configfs.h
index 34025df..d94bbbc 100644
--- a/include/linux/configfs.h
@@ -66624,6 +67196,58 @@ index 24cd1037..20a63aae 100644
#ifdef CONFIG_CPU_IDLE
+diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h
+index 0325602..5e9feff 100644
+--- a/include/linux/cpumask.h
++++ b/include/linux/cpumask.h
+@@ -118,17 +118,17 @@ static inline unsigned int cpumask_first(const struct cpumask *srcp)
+ }
+
+ /* Valid inputs for n are -1 and 0. */
+-static inline unsigned int cpumask_next(int n, const struct cpumask *srcp)
++static inline unsigned int __intentional_overflow(-1) cpumask_next(int n, const struct cpumask *srcp)
+ {
+ return n+1;
+ }
+
+-static inline unsigned int cpumask_next_zero(int n, const struct cpumask *srcp)
++static inline unsigned int __intentional_overflow(-1) cpumask_next_zero(int n, const struct cpumask *srcp)
+ {
+ return n+1;
+ }
+
+-static inline unsigned int cpumask_next_and(int n,
++static inline unsigned int __intentional_overflow(-1) cpumask_next_and(int n,
+ const struct cpumask *srcp,
+ const struct cpumask *andp)
+ {
+@@ -167,7 +167,7 @@ static inline unsigned int cpumask_first(const struct cpumask *srcp)
+ *
+ * Returns >= nr_cpu_ids if no further cpus set.
+ */
+-static inline unsigned int cpumask_next(int n, const struct cpumask *srcp)
++static inline unsigned int __intentional_overflow(-1) cpumask_next(int n, const struct cpumask *srcp)
+ {
+ /* -1 is a legal arg here. */
+ if (n != -1)
+@@ -182,7 +182,7 @@ static inline unsigned int cpumask_next(int n, const struct cpumask *srcp)
+ *
+ * Returns >= nr_cpu_ids if no further cpus unset.
+ */
+-static inline unsigned int cpumask_next_zero(int n, const struct cpumask *srcp)
++static inline unsigned int __intentional_overflow(-1) cpumask_next_zero(int n, const struct cpumask *srcp)
+ {
+ /* -1 is a legal arg here. */
+ if (n != -1)
+@@ -190,7 +190,7 @@ static inline unsigned int cpumask_next_zero(int n, const struct cpumask *srcp)
+ return find_next_zero_bit(cpumask_bits(srcp), nr_cpumask_bits, n+1);
+ }
+
+-int cpumask_next_and(int n, const struct cpumask *, const struct cpumask *);
++int cpumask_next_and(int n, const struct cpumask *, const struct cpumask *) __intentional_overflow(-1);
+ int cpumask_any_but(const struct cpumask *mask, unsigned int cpu);
+
+ /**
diff --git a/include/linux/cred.h b/include/linux/cred.h
index 04421e8..6bce4ef 100644
--- a/include/linux/cred.h
@@ -66667,6 +67291,19 @@ index b92eadf..b4ecdc1 100644
#define crt_ablkcipher crt_u.ablkcipher
#define crt_aead crt_u.aead
+diff --git a/include/linux/ctype.h b/include/linux/ctype.h
+index 8acfe31..6ffccd63 100644
+--- a/include/linux/ctype.h
++++ b/include/linux/ctype.h
+@@ -56,7 +56,7 @@ static inline unsigned char __toupper(unsigned char c)
+ * Fast implementation of tolower() for internal usage. Do not use in your
+ * code.
+ */
+-static inline char _tolower(const char c)
++static inline unsigned char _tolower(const unsigned char c)
+ {
+ return c | 0x20;
+ }
diff --git a/include/linux/decompress/mm.h b/include/linux/decompress/mm.h
index 7925bf0..d5143d2 100644
--- a/include/linux/decompress/mm.h
@@ -66790,6 +67427,25 @@ index 8c9048e..16a4665 100644
#endif
+diff --git a/include/linux/err.h b/include/linux/err.h
+index f2edce2..cc2082c 100644
+--- a/include/linux/err.h
++++ b/include/linux/err.h
+@@ -19,12 +19,12 @@
+
+ #define IS_ERR_VALUE(x) unlikely((x) >= (unsigned long)-MAX_ERRNO)
+
+-static inline void * __must_check ERR_PTR(long error)
++static inline void * __must_check __intentional_overflow(-1) ERR_PTR(long error)
+ {
+ return (void *) error;
+ }
+
+-static inline long __must_check PTR_ERR(const void *ptr)
++static inline long __must_check __intentional_overflow(-1) PTR_ERR(const void *ptr)
+ {
+ return (long) ptr;
+ }
diff --git a/include/linux/extcon.h b/include/linux/extcon.h
index fcb51c8..bdafcf6 100644
--- a/include/linux/extcon.h
@@ -67870,10 +68526,10 @@ index 0000000..2bd4c8d
+#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..1ae241a
+index 0000000..8da63a4
--- /dev/null
+++ b/include/linux/grsecurity.h
-@@ -0,0 +1,257 @@
+@@ -0,0 +1,242 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
@@ -67895,20 +68551,6 @@ index 0000000..1ae241a
+#error "CONFIG_PAX enabled, but no PaX options are enabled."
+#endif
+
-+#include <linux/compat.h>
-+
-+struct user_arg_ptr {
-+#ifdef CONFIG_COMPAT
-+ bool is_compat;
-+#endif
-+ union {
-+ const char __user *const __user *native;
-+#ifdef CONFIG_COMPAT
-+ const compat_uptr_t __user *compat;
-+#endif
-+ } ptr;
-+};
-+
+void gr_handle_brute_attach(unsigned long mm_flags);
+void gr_handle_brute_check(void);
+void gr_handle_kernel_exploit(void);
@@ -67962,7 +68604,6 @@ index 0000000..1ae241a
+ const struct vfsmount *mnt);
+void gr_log_chroot_exec(const struct dentry *dentry,
+ const struct vfsmount *mnt);
-+void gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr argv);
+void gr_log_remount(const char *devname, const int retval);
+void gr_log_unmount(const char *devname, const int retval);
+void gr_log_mount(const char *from, const char *to, const int retval);
@@ -68585,8 +69226,39 @@ index cc6d2aa..c10ee83 100644
/**
* list_move - delete from one list and add as another's head
* @list: the entry to move
+diff --git a/include/linux/math64.h b/include/linux/math64.h
+index b8ba855..0148090 100644
+--- a/include/linux/math64.h
++++ b/include/linux/math64.h
+@@ -14,7 +14,7 @@
+ * This is commonly provided by 32bit archs to provide an optimized 64bit
+ * divide.
+ */
+-static inline u64 div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
++static inline u64 __intentional_overflow(-1) div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
+ {
+ *remainder = dividend % divisor;
+ return dividend / divisor;
+@@ -50,7 +50,7 @@ static inline s64 div64_s64(s64 dividend, s64 divisor)
+ #define div64_long(x,y) div_s64((x),(y))
+
+ #ifndef div_u64_rem
+-static inline u64 div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
++static inline u64 __intentional_overflow(-1) div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
+ {
+ *remainder = do_div(dividend, divisor);
+ return dividend;
+@@ -79,7 +79,7 @@ extern s64 div64_s64(s64 dividend, s64 divisor);
+ * divide.
+ */
+ #ifndef div_u64
+-static inline u64 div_u64(u64 dividend, u32 divisor)
++static inline u64 __intentional_overflow(-1) div_u64(u64 dividend, u32 divisor)
+ {
+ u32 remainder;
+ return div_u64_rem(dividend, divisor, &remainder);
diff --git a/include/linux/mm.h b/include/linux/mm.h
-index 66e2f7c..ea88001 100644
+index 66e2f7c..a398fb2 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -101,6 +101,11 @@ extern unsigned int kobjsize(const void *objp);
@@ -68751,7 +69423,19 @@ index 66e2f7c..ea88001 100644
#ifdef CONFIG_ARCH_USES_NUMA_PROT_NONE
unsigned long change_prot_numa(struct vm_area_struct *vma,
unsigned long start, unsigned long end);
-@@ -1721,7 +1730,7 @@ extern int unpoison_memory(unsigned long pfn);
+@@ -1649,6 +1658,11 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long);
+ static inline void vm_stat_account(struct mm_struct *mm,
+ unsigned long flags, struct file *file, long pages)
+ {
++
++#ifdef CONFIG_PAX_RANDMMAP
++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
++#endif
++
+ mm->total_vm += pages;
+ }
+ #endif /* CONFIG_PROC_FS */
+@@ -1721,7 +1735,7 @@ extern int unpoison_memory(unsigned long pfn);
extern int sysctl_memory_failure_early_kill;
extern int sysctl_memory_failure_recovery;
extern void shake_page(struct page *p, int access);
@@ -68760,7 +69444,7 @@ index 66e2f7c..ea88001 100644
extern int soft_offline_page(struct page *page, int flags);
extern void dump_page(struct page *page);
-@@ -1752,5 +1761,11 @@ static inline unsigned int debug_guardpage_minorder(void) { return 0; }
+@@ -1752,5 +1766,11 @@ static inline unsigned int debug_guardpage_minorder(void) { return 0; }
static inline bool page_is_guard(struct page *page) { return false; }
#endif /* CONFIG_DEBUG_PAGEALLOC */
@@ -68773,7 +69457,7 @@ index 66e2f7c..ea88001 100644
#endif /* __KERNEL__ */
#endif /* _LINUX_MM_H */
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
-index f8f5162..a039af9 100644
+index f8f5162..3aaf20f 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -288,6 +288,8 @@ struct vm_area_struct {
@@ -68785,15 +69469,6 @@ index f8f5162..a039af9 100644
};
struct core_thread {
-@@ -362,7 +364,7 @@ struct mm_struct {
- unsigned long def_flags;
- unsigned long nr_ptes; /* Page table pages */
- unsigned long start_code, end_code, start_data, end_data;
-- unsigned long start_brk, brk, start_stack;
-+ unsigned long aslr_gap, start_brk, brk, start_stack;
- unsigned long arg_start, arg_end, env_start, env_end;
-
- unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */
@@ -436,6 +438,24 @@ struct mm_struct {
int first_nid;
#endif
@@ -69256,7 +69931,7 @@ index 45fc162..01a4068 100644
/**
* struct hotplug_slot_info - used to notify the hotplug pci core of the state of the slot
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
-index 6bfb2faa..e5bc5e5 100644
+index a280650..2b67b91 100644
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -328,8 +328,8 @@ struct perf_event {
@@ -69281,7 +69956,7 @@ index 6bfb2faa..e5bc5e5 100644
/*
* Protect attach/detach and child_list:
-@@ -801,7 +801,7 @@ static inline void perf_event_task_tick(void) { }
+@@ -807,7 +807,7 @@ static inline void perf_restore_debug_store(void) { }
*/
#define perf_cpu_notifier(fn) \
do { \
@@ -69616,7 +70291,7 @@ index c20635c..2f5def4 100644
static inline void anon_vma_merge(struct vm_area_struct *vma,
struct vm_area_struct *next)
diff --git a/include/linux/sched.h b/include/linux/sched.h
-index d211247..a5cbf38b 100644
+index d211247..eac6c2c 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -61,6 +61,7 @@ struct bio_list;
@@ -69627,6 +70302,15 @@ index d211247..a5cbf38b 100644
/*
* List of flags we want to share for kernel threads,
+@@ -327,7 +328,7 @@ extern char __sched_text_start[], __sched_text_end[];
+ extern int in_sched_functions(unsigned long addr);
+
+ #define MAX_SCHEDULE_TIMEOUT LONG_MAX
+-extern signed long schedule_timeout(signed long timeout);
++extern signed long schedule_timeout(signed long timeout) __intentional_overflow(-1);
+ extern signed long schedule_timeout_interruptible(signed long timeout);