-rw-r--r--3.14.27/0000_README2
-rw-r--r--3.14.27/4420_grsecurity-3.0-3.14.27-201501042018.patch (renamed from 3.14.27/4420_grsecurity-3.0-3.14.27-201412280859.patch)829
-rw-r--r--3.18.1/0000_README2
-rw-r--r--3.18.1/4420_grsecurity-3.0-3.18.1-201501042021.patch (renamed from 3.18.1/4420_grsecurity-3.0-3.18.1-201412281149.patch)556
-rw-r--r--3.2.66/0000_README2
-rw-r--r--3.2.66/4420_grsecurity-3.0-3.2.66-201501051839.patch (renamed from 3.2.66/4420_grsecurity-3.0-3.2.65-201412280855.patch)1306
6 files changed, 2328 insertions, 369 deletions
diff --git a/3.14.27/0000_README b/3.14.27/0000_README
index 677dcac..c7d2136 100644
--- a/3.14.27/0000_README
+++ b/3.14.27/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.14.27-201412280859.patch
+Patch: 4420_grsecurity-3.0-3.14.27-201501042018.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.14.27/4420_grsecurity-3.0-3.14.27-201412280859.patch b/3.14.27/4420_grsecurity-3.0-3.14.27-201501042018.patch
index 55abedd..c044d35 100644
--- a/3.14.27/4420_grsecurity-3.0-3.14.27-201412280859.patch
+++ b/3.14.27/4420_grsecurity-3.0-3.14.27-201501042018.patch
@@ -23058,7 +23058,7 @@ index c5a9cb9..228d280 100644
/*
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index 02553d6..54e9bd5 100644
+index 02553d6..d1fcecb 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -60,6 +60,8 @@
@@ -24015,6 +24015,27 @@ index 02553d6..54e9bd5 100644
/*
* The iretq could re-enable interrupts:
*/
+@@ -1070,15 +1566,15 @@ native_irq_return_ldt:
+ SWAPGS
+ movq PER_CPU_VAR(espfix_waddr),%rdi
+ movq %rax,(0*8)(%rdi) /* RAX */
+- movq (2*8)(%rsp),%rax /* RIP */
++ movq (2*8 + RIP-RIP)(%rsp),%rax /* RIP */
+ movq %rax,(1*8)(%rdi)
+- movq (3*8)(%rsp),%rax /* CS */
++ movq (2*8 + CS-RIP)(%rsp),%rax /* CS */
+ movq %rax,(2*8)(%rdi)
+- movq (4*8)(%rsp),%rax /* RFLAGS */
++ movq (2*8 + EFLAGS-RIP)(%rsp),%rax /* RFLAGS */
+ movq %rax,(3*8)(%rdi)
+- movq (6*8)(%rsp),%rax /* SS */
++ movq (2*8 + SS-RIP)(%rsp),%rax /* SS */
+ movq %rax,(5*8)(%rdi)
+- movq (5*8)(%rsp),%rax /* RSP */
++ movq (2*8 + RSP-RIP)(%rsp),%rax /* RSP */
+ movq %rax,(4*8)(%rdi)
+ andl $0xffff0000,%eax
+ popq_cfi %rdi
@@ -1132,7 +1628,7 @@ ENTRY(retint_kernel)
jmp exit_intr
#endif
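Review bot: The `2*8` bias repeated on the five rewritten loads in native_irq_return_ldt is unexplained, while the symbolic `RIP-RIP` … `SS-RIP` terms beside it are self-describing. Presumably it skips two quadwords saved on entry to the routine, which begins outside this hunk. If so, one comment above the first load, such as `/* 2*8: skip the two registers pushed on entry; the iret frame starts at RIP */`, would keep the offsets checkable when the entry sequence changes. A wrong bias would copy the wrong words into the frame built at `espfix_waddr`, so the invariant is worth stating once.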
@@ -26400,26 +26421,30 @@ index 1b10af8..45bfbec 100644
EXPORT_SYMBOL_GPL(pv_time_ops);
diff --git a/arch/x86/kernel/paravirt_patch_64.c b/arch/x86/kernel/paravirt_patch_64.c
-index a1da673..2c72d5b 100644
+index a1da673..b6f5831 100644
--- a/arch/x86/kernel/paravirt_patch_64.c
+++ b/arch/x86/kernel/paravirt_patch_64.c
-@@ -9,7 +9,9 @@ DEF_NATIVE(pv_irq_ops, save_fl, "pushfq; popq %rax");
+@@ -9,7 +9,11 @@ DEF_NATIVE(pv_irq_ops, save_fl, "pushfq; popq %rax");
DEF_NATIVE(pv_mmu_ops, read_cr2, "movq %cr2, %rax");
DEF_NATIVE(pv_mmu_ops, read_cr3, "movq %cr3, %rax");
DEF_NATIVE(pv_mmu_ops, write_cr3, "movq %rdi, %cr3");
++
+#ifndef CONFIG_PAX_MEMORY_UDEREF
DEF_NATIVE(pv_mmu_ops, flush_tlb_single, "invlpg (%rdi)");
+#endif
++
DEF_NATIVE(pv_cpu_ops, clts, "clts");
DEF_NATIVE(pv_cpu_ops, wbinvd, "wbinvd");
-@@ -57,7 +59,9 @@ unsigned native_patch(u8 type, u16 clobbers, void *ibuf,
+@@ -57,7 +61,11 @@ unsigned native_patch(u8 type, u16 clobbers, void *ibuf,
PATCH_SITE(pv_mmu_ops, read_cr3);
PATCH_SITE(pv_mmu_ops, write_cr3);
PATCH_SITE(pv_cpu_ops, clts);
++
+#ifndef CONFIG_PAX_MEMORY_UDEREF
PATCH_SITE(pv_mmu_ops, flush_tlb_single);
+#endif
++
PATCH_SITE(pv_cpu_ops, wbinvd);
patch_site:
@@ -27966,7 +27991,7 @@ index 1c113db..287b42e 100644
static int trace_irq_vector_refcount;
static DEFINE_MUTEX(irq_vector_mutex);
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
-index f9d976e..3b48355 100644
+index f9d976e..488b635 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -66,7 +66,7 @@
@@ -28111,7 +28136,16 @@ index f9d976e..3b48355 100644
tsk->thread.error_code = error_code;
tsk->thread.trap_nr = X86_TRAP_GP;
-@@ -410,7 +451,7 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s)
+@@ -404,13 +445,16 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s)
+ container_of(task_pt_regs(current),
+ struct bad_iret_stack, regs);
+
++ if ((current->thread.sp0 ^ (unsigned long)s) < THREAD_SIZE)
++ new_stack = s;
++
+ /* Copy the IRET target to the new stack. */
+ memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8);
+
/* Copy the remainder of the stack from the current stack. */
memmove(new_stack, s, offsetof(struct bad_iret_stack, regs.ip));
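Review bot: The added test `(current->thread.sp0 ^ (unsigned long)s) < THREAD_SIZE` in fixup_bad_iret is uncommented, and it rests on assumptions the hunk does not show: that kernel stacks are THREAD_SIZE-aligned with THREAD_SIZE a power of two, and that `sp0` lies strictly inside that region rather than one past its end. When the test is true, `new_stack = s` makes the first memmove write the IRET frame into the stack already in use and the second one copy onto itself. A comment above the test, for example `/* s is already on this task's kernel stack: fix the frame up in place */`, together with a word on the `sp0` assumption, would let the next reader verify it. The function body starts before this hunk.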
@@ -28120,7 +28154,7 @@ index f9d976e..3b48355 100644
return new_stack;
}
#endif
-@@ -490,7 +531,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
+@@ -490,7 +534,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
/* It's safe to allow irq's after DR6 has been saved */
preempt_conditional_sti(regs);
@@ -28129,7 +28163,7 @@ index f9d976e..3b48355 100644
handle_vm86_trap((struct kernel_vm86_regs *) regs, error_code,
X86_TRAP_DB);
preempt_conditional_cli(regs);
-@@ -505,7 +546,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
+@@ -505,7 +549,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
* We already checked v86 mode above, so we can check for kernel mode
* by just checking the CPL of CS.
*/
@@ -28138,7 +28172,7 @@ index f9d976e..3b48355 100644
tsk->thread.debugreg6 &= ~DR_STEP;
set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
regs->flags &= ~X86_EFLAGS_TF;
-@@ -537,7 +578,7 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr)
+@@ -537,7 +581,7 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr)
return;
conditional_sti(regs);
@@ -28733,9 +28767,18 @@ index c697625..a032162 100644
out:
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 38d3751..e6fcffb 100644
+index 38d3751..1702329 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
+@@ -3401,7 +3401,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
+ int cr = ctxt->modrm_reg;
+ u64 efer = 0;
+
+- static u64 cr_reserved_bits[] = {
++ static const u64 cr_reserved_bits[] = {
+ 0xffffffff00000000ULL,
+ 0, 0, 0, /* CR3 checked later */
+ CR4_RESERVED_BITS,
@@ -3436,7 +3436,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
@@ -53179,7 +53222,7 @@ index 9cd706d..6ff2de7 100644
if (cfg->uart_flags & UPF_CONS_FLOW) {
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
-index 27b5554..8131d9d 100644
+index 27b5554..3075055 100644
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -1451,7 +1451,7 @@ static void uart_hangup(struct tty_struct *tty)
@@ -53214,7 +53257,7 @@ index 27b5554..8131d9d 100644
return retval;
err_dec_count:
- port->count--;
-+ atomic_inc(&port->count);
++ atomic_dec(&port->count);
mutex_unlock(&port->mutex);
goto end;
}
@@ -63644,7 +63687,7 @@ index e846a32..bb06bd0 100644
return res;
}
diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
-index f488bba..bb63254 100644
+index f488bba..735d752 100644
--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -30,6 +30,7 @@ struct rock_state {
@@ -63674,6 +63717,16 @@ index f488bba..bb63254 100644
bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
if (bh) {
memcpy(rs->buffer, bh->b_data + rs->cont_offset,
+@@ -356,6 +362,9 @@ repeat:
+ rs.cont_size = isonum_733(rr->u.CE.size);
+ break;
+ case SIG('E', 'R'):
++ /* Invalid length of ER tag id? */
++ if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len)
++ goto out;
+ ISOFS_SB(inode->i_sb)->s_rock = 1;
+ printk(KERN_DEBUG "ISO 9660 Extensions: ");
+ {
diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c
index 4a6cf28..d3a29d3 100644
--- a/fs/jffs2/erase.c
@@ -63716,7 +63769,7 @@ index e2b7483..855bca3 100644
if (jfs_inode_cachep == NULL)
return -ENOMEM;
diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
-index 39c0143..d54fad4 100644
+index 39c0143..829bfe5 100644
--- a/fs/kernfs/dir.c
+++ b/fs/kernfs/dir.c
@@ -28,7 +28,7 @@ DEFINE_MUTEX(kernfs_mutex);
@@ -63728,6 +63781,25 @@ index 39c0143..d54fad4 100644
{
unsigned long hash = init_name_hash();
unsigned int len = strlen(name);
+@@ -729,11 +729,17 @@ static int kernfs_iop_mkdir(struct inode *dir, struct dentry *dentry,
+ {
+ struct kernfs_node *parent = dir->i_private;
+ struct kernfs_dir_ops *kdops = kernfs_root(parent)->dir_ops;
++ int ret;
+
+ if (!kdops || !kdops->mkdir)
+ return -EPERM;
+
+- return kdops->mkdir(parent, dentry->d_name.name, mode);
++ ret = kdops->mkdir(parent, dentry->d_name.name, mode);
++
++ if (!ret)
++ ret = kernfs_iop_lookup(dir, dentry, 0);
++
++ return ret;
+ }
+
+ static int kernfs_iop_rmdir(struct inode *dir, struct dentry *dentry)
diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c
index d29640b..32d2b6b 100644
--- a/fs/kernfs/file.c
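Review bot: In kernfs_iop_mkdir the result of `kernfs_iop_lookup(dir, dentry, 0)` is stored straight into `int ret`. The lookup helper is not shown on this page; if, as in the mainline kernfs code, it returns a `struct dentry *`, this is an implicit pointer-to-int conversion. An ERR_PTR happens to survive as a negative errno, but a valid non-NULL dentry would be handed back to the VFS as a bogus non-zero status. Converting explicitly keeps the types honest: `ret = PTR_ERR_OR_ZERO(kernfs_iop_lookup(dir, dentry, 0));`, with separate handling if the helper can return a live dentry.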
@@ -67904,8 +67976,22 @@ index e18b988..f1d4ad0f 100644
{
int err;
+diff --git a/fs/udf/dir.c b/fs/udf/dir.c
+index a012c51..a7690b4 100644
+--- a/fs/udf/dir.c
++++ b/fs/udf/dir.c
+@@ -167,7 +167,8 @@ static int udf_readdir(struct file *file, struct dir_context *ctx)
+ continue;
+ }
+
+- flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi);
++ flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname,
++ UDF_NAME_LEN);
+ if (!flen)
+ continue;
+
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
-index 287cd5f..c693331 100644
+index 287cd5f..5252259 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -51,7 +51,6 @@ MODULE_LICENSE("GPL");
@@ -67916,7 +68002,12 @@ index 287cd5f..c693331 100644
static int udf_sync_inode(struct inode *inode);
static int udf_alloc_i_data(struct inode *inode, size_t size);
static sector_t inode_getblk(struct inode *, sector_t, int *, int *);
-@@ -1282,8 +1281,11 @@ static void __udf_read_inode(struct inode *inode)
+@@ -1278,15 +1277,27 @@ update_time:
+ */
+ #define UDF_MAX_ICB_NESTING 1024
+
+-static void __udf_read_inode(struct inode *inode)
++static int udf_read_inode(struct inode *inode)
{
struct buffer_head *bh = NULL;
struct fileEntry *fe;
@@ -67924,11 +68015,43 @@ index 287cd5f..c693331 100644
uint16_t ident;
struct udf_inode_info *iinfo = UDF_I(inode);
+ struct udf_sb_info *sbi = UDF_SB(inode->i_sb);
++ struct kernel_lb_addr *iloc = &iinfo->i_location;
+ unsigned int link_count;
unsigned int indirections = 0;
++ int ret = -EIO;
reread:
-@@ -1316,6 +1318,7 @@ reread:
++ if (iloc->logicalBlockNum >=
++ sbi->s_partmaps[iloc->partitionReferenceNum].s_partition_len) {
++ udf_debug("block=%d, partition=%d out of range\n",
++ iloc->logicalBlockNum, iloc->partitionReferenceNum);
++ return -EIO;
++ }
++
+ /*
+ * Set defaults, but the inode is still incomplete!
+ * Note: get_new_inode() sets the following on a new inode:
+@@ -1299,29 +1310,26 @@ reread:
+ * i_nlink = 1
+ * i_op = NULL;
+ */
+- bh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 0, &ident);
++ bh = udf_read_ptagged(inode->i_sb, iloc, 0, &ident);
+ if (!bh) {
+ udf_err(inode->i_sb, "(ino %ld) failed !bh\n", inode->i_ino);
+- make_bad_inode(inode);
+- return;
++ return -EIO;
+ }
+
+ if (ident != TAG_IDENT_FE && ident != TAG_IDENT_EFE &&
+ ident != TAG_IDENT_USE) {
+ udf_err(inode->i_sb, "(ino %ld) failed ident=%d\n",
+ inode->i_ino, ident);
+- brelse(bh);
+- make_bad_inode(inode);
+- return;
++ goto out;
}
fe = (struct fileEntry *)bh->b_data;
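Review bot: The new range check at the top of udf_read_inode indexes `sbi->s_partmaps[]` with `iloc->partitionReferenceNum` before anything compares that value with the number of partition maps. `i_location` is filled from the caller's address and, on the `goto reread` path in the next hunk, from an on-disk indirect ICB, so the index is media-controlled and an out-of-range value can index past the array. Checking the reference first closes that, e.g. `if (iloc->partitionReferenceNum >= sbi->s_partitions) return -EIO;` ahead of the existing test. The function body continues past this hunk.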
@@ -67936,9 +68059,41 @@ index 287cd5f..c693331 100644
if (fe->icbTag.strategyType == cpu_to_le16(4096)) {
struct buffer_head *ibh;
-@@ -1353,22 +1356,6 @@ reread:
- make_bad_inode(inode);
- return;
+
+- ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1,
+- &ident);
++ ibh = udf_read_ptagged(inode->i_sb, iloc, 1, &ident);
+ if (ident == TAG_IDENT_IE && ibh) {
+ struct kernel_lb_addr loc;
+ struct indirectEntry *ie;
+@@ -1330,7 +1338,6 @@ reread:
+ loc = lelb_to_cpu(ie->indirectICB.extLocation);
+
+ if (ie->indirectICB.extLength) {
+- brelse(bh);
+ brelse(ibh);
+ memcpy(&iinfo->i_location, &loc,
+ sizeof(struct kernel_lb_addr));
+@@ -1339,9 +1346,9 @@ reread:
+ "too many ICBs in ICB hierarchy"
+ " (max %d supported)\n",
+ UDF_MAX_ICB_NESTING);
+- make_bad_inode(inode);
+- return;
++ goto out;
+ }
++ brelse(bh);
+ goto reread;
+ }
+ }
+@@ -1349,26 +1356,8 @@ reread:
+ } else if (fe->icbTag.strategyType != cpu_to_le16(4)) {
+ udf_err(inode->i_sb, "unsupported strategy type: %d\n",
+ le16_to_cpu(fe->icbTag.strategyType));
+- brelse(bh);
+- make_bad_inode(inode);
+- return;
++ goto out;
}
- udf_fill_inode(inode, bh);
-
@@ -67959,15 +68114,109 @@ index 287cd5f..c693331 100644
if (fe->icbTag.strategyType == cpu_to_le16(4))
iinfo->i_strat4096 = 0;
else /* if (fe->icbTag.strategyType == cpu_to_le16(4096)) */
-@@ -1558,6 +1545,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+@@ -1385,11 +1374,10 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_EFE)) {
+ iinfo->i_efe = 1;
+ iinfo->i_use = 0;
+- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
+- sizeof(struct extendedFileEntry))) {
+- make_bad_inode(inode);
+- return;
+- }
++ ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++ sizeof(struct extendedFileEntry));
++ if (ret)
++ goto out;
+ memcpy(iinfo->i_ext.i_data,
+ bh->b_data + sizeof(struct extendedFileEntry),
+ inode->i_sb->s_blocksize -
+@@ -1397,11 +1385,10 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ } else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) {
+ iinfo->i_efe = 0;
+ iinfo->i_use = 0;
+- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
+- sizeof(struct fileEntry))) {
+- make_bad_inode(inode);
+- return;
+- }
++ ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++ sizeof(struct fileEntry));
++ if (ret)
++ goto out;
+ memcpy(iinfo->i_ext.i_data,
+ bh->b_data + sizeof(struct fileEntry),
+ inode->i_sb->s_blocksize - sizeof(struct fileEntry));
+@@ -1411,18 +1398,18 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ iinfo->i_lenAlloc = le32_to_cpu(
+ ((struct unallocSpaceEntry *)bh->b_data)->
+ lengthAllocDescs);
+- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
+- sizeof(struct unallocSpaceEntry))) {
+- make_bad_inode(inode);
+- return;
+- }
++ ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++ sizeof(struct unallocSpaceEntry));
++ if (ret)
++ goto out;
+ memcpy(iinfo->i_ext.i_data,
+ bh->b_data + sizeof(struct unallocSpaceEntry),
+ inode->i_sb->s_blocksize -
+ sizeof(struct unallocSpaceEntry));
+- return;
++ return 0;
+ }
+
++ ret = -EIO;
+ read_lock(&sbi->s_cred_lock);
+ i_uid_write(inode, le32_to_cpu(fe->uid));
+ if (!uid_valid(inode->i_uid) ||
+@@ -1496,6 +1483,20 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint);
+ }
+
++ /* Sanity checks for files in ICB so that we don't get confused later */
++ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
++ /*
++ * For file in ICB data is stored in allocation descriptor
++ * so sizes should match
++ */
++ if (iinfo->i_lenAlloc != inode->i_size)
++ goto out;
++ /* File in ICB has to fit in there... */
++ if (inode->i_size > inode->i_sb->s_blocksize -
++ udf_file_entry_alloc_offset(inode))
++ goto out;
++ }
++
+ switch (fe->icbTag.fileType) {
+ case ICBTAG_FILE_TYPE_DIRECTORY:
+ inode->i_op = &udf_dir_inode_operations;
+@@ -1544,8 +1545,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ default:
+ udf_err(inode->i_sb, "(ino %ld) failed unknown file type=%d\n",
+ inode->i_ino, fe->icbTag.fileType);
+- make_bad_inode(inode);
+- return;
++ goto out;
+ }
+ if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode)) {
+ struct deviceSpec *dsea =
+@@ -1556,8 +1556,12 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ le32_to_cpu(dsea->minorDeviceIdent)));
+ /* Developer ID ??? */
} else
- make_bad_inode(inode);
+- make_bad_inode(inode);
++ goto out;
}
++ ret = 0;
++out:
+ brelse(bh);
++ return ret;
}
static int udf_alloc_i_data(struct inode *inode, size_t size)
-@@ -1671,7 +1659,7 @@ static int udf_update_inode(struct inode *inode, int do_sync)
+@@ -1671,7 +1675,7 @@ static int udf_update_inode(struct inode *inode, int do_sync)
FE_PERM_U_DELETE | FE_PERM_U_CHATTR));
fe->permissions = cpu_to_le32(udfperms);
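Review bot: The unallocSpaceEntry branch ends with `return 0;`, which bypasses the new `out:` label and so never reaches `brelse(bh)`. Every other exit added in this hunk goes through `out`, and `bh` is still held at that point because the memcpy just above reads `bh->b_data`. Unless the buffer is released somewhere not shown, each inode of this type loaded from the medium leaks a buffer_head reference. Using `ret = 0; goto out;` in place of the `return 0;` keeps the exit paths uniform. The function begins before this hunk.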
@@ -67976,6 +68225,49 @@ index 287cd5f..c693331 100644
fe->fileLinkCount = cpu_to_le16(inode->i_nlink - 1);
else
fe->fileLinkCount = cpu_to_le16(inode->i_nlink);
+@@ -1837,32 +1841,23 @@ struct inode *udf_iget(struct super_block *sb, struct kernel_lb_addr *ino)
+ {
+ unsigned long block = udf_get_lb_pblock(sb, ino, 0);
+ struct inode *inode = iget_locked(sb, block);
++ int err;
+
+ if (!inode)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+
+- if (inode->i_state & I_NEW) {
+- memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr));
+- __udf_read_inode(inode);
+- unlock_new_inode(inode);
+- }
+-
+- if (is_bad_inode(inode))
+- goto out_iput;
++ if (!(inode->i_state & I_NEW))
++ return inode;
+
+- if (ino->logicalBlockNum >= UDF_SB(sb)->
+- s_partmaps[ino->partitionReferenceNum].s_partition_len) {
+- udf_debug("block=%d, partition=%d out of range\n",
+- ino->logicalBlockNum, ino->partitionReferenceNum);
+- make_bad_inode(inode);
+- goto out_iput;
++ memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr));
++ err = udf_read_inode(inode);
++ if (err < 0) {
++ iget_failed(inode);
++ return ERR_PTR(err);
+ }
++ unlock_new_inode(inode);
+
+ return inode;
+-
+- out_iput:
+- iput(inode);
+- return NULL;
+ }
+
+ int udf_add_aext(struct inode *inode, struct extent_position *epos,
diff --git a/fs/udf/misc.c b/fs/udf/misc.c
index c175b4d..8f36a16 100644
--- a/fs/udf/misc.c
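Review bot: udf_iget now reports failure with ERR_PTR() instead of NULL, but nothing at the definition records the new contract. A caller that still tests `!inode` would treat an error pointer as a valid inode and dereference it; the callers converted in this patch are visible, any others are not. A short comment above the function, e.g. `/* Returns the inode or ERR_PTR(-errno); never NULL. */`, makes the contract easy to find for future callers.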
@@ -67989,6 +68281,486 @@ index c175b4d..8f36a16 100644
u8 checksum = 0;
int i;
for (i = 0; i < sizeof(struct tag); ++i)
+diff --git a/fs/udf/namei.c b/fs/udf/namei.c
+index 9737cba..e5ae1c3 100644
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -233,7 +233,8 @@ static struct fileIdentDesc *udf_find_entry(struct inode *dir,
+ if (!lfi)
+ continue;
+
+- flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi);
++ flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname,
++ UDF_NAME_LEN);
+ if (flen && udf_match(flen, fname, child->len, child->name))
+ goto out_ok;
+ }
+@@ -270,9 +271,8 @@ static struct dentry *udf_lookup(struct inode *dir, struct dentry *dentry,
+ NULL, 0),
+ };
+ inode = udf_iget(dir->i_sb, lb);
+- if (!inode) {
+- return ERR_PTR(-EACCES);
+- }
++ if (IS_ERR(inode))
++ return inode;
+ } else
+ #endif /* UDF_RECOVERY */
+
+@@ -285,9 +285,8 @@ static struct dentry *udf_lookup(struct inode *dir, struct dentry *dentry,
+
+ loc = lelb_to_cpu(cfi.icb.extLocation);
+ inode = udf_iget(dir->i_sb, &loc);
+- if (!inode) {
+- return ERR_PTR(-EACCES);
+- }
++ if (IS_ERR(inode))
++ return ERR_CAST(inode);
+ }
+
+ return d_splice_alias(inode, dentry);
+@@ -1221,7 +1220,7 @@ static struct dentry *udf_get_parent(struct dentry *child)
+ struct udf_fileident_bh fibh;
+
+ if (!udf_find_entry(child->d_inode, &dotdot, &fibh, &cfi))
+- goto out_unlock;
++ return ERR_PTR(-EACCES);
+
+ if (fibh.sbh != fibh.ebh)
+ brelse(fibh.ebh);
+@@ -1229,12 +1228,10 @@ static struct dentry *udf_get_parent(struct dentry *child)
+
+ tloc = lelb_to_cpu(cfi.icb.extLocation);
+ inode = udf_iget(child->d_inode->i_sb, &tloc);
+- if (!inode)
+- goto out_unlock;
++ if (IS_ERR(inode))
++ return ERR_CAST(inode);
+
+ return d_obtain_alias(inode);
+-out_unlock:
+- return ERR_PTR(-EACCES);
+ }
+
+
+@@ -1251,8 +1248,8 @@ static struct dentry *udf_nfs_get_inode(struct super_block *sb, u32 block,
+ loc.partitionReferenceNum = partref;
+ inode = udf_iget(sb, &loc);
+
+- if (inode == NULL)
+- return ERR_PTR(-ENOMEM);
++ if (IS_ERR(inode))
++ return ERR_CAST(inode);
+
+ if (generation && inode->i_generation != generation) {
+ iput(inode);
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index 3306b9f..a1e0eda 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -956,12 +956,14 @@ struct inode *udf_find_metadata_inode_efe(struct super_block *sb,
+
+ metadata_fe = udf_iget(sb, &addr);
+
+- if (metadata_fe == NULL)
++ if (IS_ERR(metadata_fe)) {
+ udf_warn(sb, "metadata inode efe not found\n");
+- else if (UDF_I(metadata_fe)->i_alloc_type != ICBTAG_FLAG_AD_SHORT) {
++ return metadata_fe;
++ }
++ if (UDF_I(metadata_fe)->i_alloc_type != ICBTAG_FLAG_AD_SHORT) {
+ udf_warn(sb, "metadata inode efe does not have short allocation descriptors!\n");
+ iput(metadata_fe);
+- metadata_fe = NULL;
++ return ERR_PTR(-EIO);
+ }
+
+ return metadata_fe;
+@@ -973,6 +975,7 @@ static int udf_load_metadata_files(struct super_block *sb, int partition)
+ struct udf_part_map *map;
+ struct udf_meta_data *mdata;
+ struct kernel_lb_addr addr;
++ struct inode *fe;
+
+ map = &sbi->s_partmaps[partition];
+ mdata = &map->s_type_specific.s_metadata;
+@@ -981,22 +984,24 @@ static int udf_load_metadata_files(struct super_block *sb, int partition)
+ udf_debug("Metadata file location: block = %d part = %d\n",
+ mdata->s_meta_file_loc, map->s_partition_num);
+
+- mdata->s_metadata_fe = udf_find_metadata_inode_efe(sb,
+- mdata->s_meta_file_loc, map->s_partition_num);
+-
+- if (mdata->s_metadata_fe == NULL) {
++ fe = udf_find_metadata_inode_efe(sb, mdata->s_meta_file_loc,
++ map->s_partition_num);
++ if (IS_ERR(fe)) {
+ /* mirror file entry */
+ udf_debug("Mirror metadata file location: block = %d part = %d\n",
+ mdata->s_mirror_file_loc, map->s_partition_num);
+
+- mdata->s_mirror_fe = udf_find_metadata_inode_efe(sb,
+- mdata->s_mirror_file_loc, map->s_partition_num);
++ fe = udf_find_metadata_inode_efe(sb, mdata->s_mirror_file_loc,
++ map->s_partition_num);
+
+- if (mdata->s_mirror_fe == NULL) {
++ if (IS_ERR(fe)) {
+ udf_err(sb, "Both metadata and mirror metadata inode efe can not found\n");
+- return -EIO;
++ return PTR_ERR(fe);
+ }
+- }
++ mdata->s_mirror_fe = fe;
++ } else
++ mdata->s_metadata_fe = fe;
++
+
+ /*
+ * bitmap file entry
+@@ -1010,15 +1015,16 @@ static int udf_load_metadata_files(struct super_block *sb, int partition)
+ udf_debug("Bitmap file location: block = %d part = %d\n",
+ addr.logicalBlockNum, addr.partitionReferenceNum);
+
+- mdata->s_bitmap_fe = udf_iget(sb, &addr);
+- if (mdata->s_bitmap_fe == NULL) {
++ fe = udf_iget(sb, &addr);
++ if (IS_ERR(fe)) {
+ if (sb->s_flags & MS_RDONLY)
+ udf_warn(sb, "bitmap inode efe not found but it's ok since the disc is mounted read-only\n");
+ else {
+ udf_err(sb, "bitmap inode efe not found and attempted read-write mount\n");
+- return -EIO;
++ return PTR_ERR(fe);
+ }
+- }
++ } else
++ mdata->s_bitmap_fe = fe;
+ }
+
+ udf_debug("udf_load_metadata_files Ok\n");
+@@ -1106,13 +1112,15 @@ static int udf_fill_partdesc_info(struct super_block *sb,
+ phd->unallocSpaceTable.extPosition),
+ .partitionReferenceNum = p_index,
+ };
++ struct inode *inode;
+
+- map->s_uspace.s_table = udf_iget(sb, &loc);
+- if (!map->s_uspace.s_table) {
++ inode = udf_iget(sb, &loc);
++ if (IS_ERR(inode)) {
+ udf_debug("cannot load unallocSpaceTable (part %d)\n",
+ p_index);
+- return -EIO;
++ return PTR_ERR(inode);
+ }
++ map->s_uspace.s_table = inode;
+ map->s_partition_flags |= UDF_PART_FLAG_UNALLOC_TABLE;
+ udf_debug("unallocSpaceTable (part %d) @ %ld\n",
+ p_index, map->s_uspace.s_table->i_ino);
+@@ -1139,14 +1147,15 @@ static int udf_fill_partdesc_info(struct super_block *sb,
+ phd->freedSpaceTable.extPosition),
+ .partitionReferenceNum = p_index,
+ };
++ struct inode *inode;
+
+- map->s_fspace.s_table = udf_iget(sb, &loc);
+- if (!map->s_fspace.s_table) {
++ inode = udf_iget(sb, &loc);
++ if (IS_ERR(inode)) {
+ udf_debug("cannot load freedSpaceTable (part %d)\n",
+ p_index);
+- return -EIO;
++ return PTR_ERR(inode);
+ }
+-
++ map->s_fspace.s_table = inode;
+ map->s_partition_flags |= UDF_PART_FLAG_FREED_TABLE;
+ udf_debug("freedSpaceTable (part %d) @ %ld\n",
+ p_index, map->s_fspace.s_table->i_ino);
+@@ -1173,6 +1182,7 @@ static void udf_find_vat_block(struct super_block *sb, int p_index,
+ struct udf_part_map *map = &sbi->s_partmaps[p_index];
+ sector_t vat_block;
+ struct kernel_lb_addr ino;
++ struct inode *inode;
+
+ /*
+ * VAT file entry is in the last recorded block. Some broken disks have
+@@ -1181,10 +1191,13 @@ static void udf_find_vat_block(struct super_block *sb, int p_index,
+ ino.partitionReferenceNum = type1_index;
+ for (vat_block = start_block;
+ vat_block >= map->s_partition_root &&
+- vat_block >= start_block - 3 &&
+- !sbi->s_vat_inode; vat_block--) {
++ vat_block >= start_block - 3; vat_block--) {
+ ino.logicalBlockNum = vat_block - map->s_partition_root;
+- sbi->s_vat_inode = udf_iget(sb, &ino);
++ inode = udf_iget(sb, &ino);
++ if (!IS_ERR(inode)) {
++ sbi->s_vat_inode = inode;
++ break;
++ }
+ }
+ }
+
+@@ -2200,10 +2213,10 @@ static int udf_fill_super(struct super_block *sb, void *options, int silent)
+ /* assign inodes by physical block number */
+ /* perhaps it's not extensible enough, but for now ... */
+ inode = udf_iget(sb, &rootdir);
+- if (!inode) {
++ if (IS_ERR(inode)) {
+ udf_err(sb, "Error in udf_iget, block=%d, partition=%d\n",
+ rootdir.logicalBlockNum, rootdir.partitionReferenceNum);
+- ret = -EIO;
++ ret = PTR_ERR(inode);
+ goto error_out;
+ }
+
+diff --git a/fs/udf/symlink.c b/fs/udf/symlink.c
+index d7c6dbe..0422b7b 100644
+--- a/fs/udf/symlink.c
++++ b/fs/udf/symlink.c
+@@ -30,49 +30,73 @@
+ #include <linux/buffer_head.h>
+ #include "udf_i.h"
+
+-static void udf_pc_to_char(struct super_block *sb, unsigned char *from,
+- int fromlen, unsigned char *to)
++static int udf_pc_to_char(struct super_block *sb, unsigned char *from,
++ int fromlen, unsigned char *to, int tolen)
+ {
+ struct pathComponent *pc;
+ int elen = 0;
++ int comp_len;
+ unsigned char *p = to;
+
++ /* Reserve one byte for terminating \0 */
++ tolen--;
+ while (elen < fromlen) {
+ pc = (struct pathComponent *)(from + elen);
++ elen += sizeof(struct pathComponent);
+ switch (pc->componentType) {
+ case 1:
+ /*
+ * Symlink points to some place which should be agreed
+ * upon between originator and receiver of the media. Ignore.
+ */
+- if (pc->lengthComponentIdent > 0)
++ if (pc->lengthComponentIdent > 0) {
++ elen += pc->lengthComponentIdent;
+ break;
++ }
+ /* Fall through */
+ case 2:
++ if (tolen == 0)
++ return -ENAMETOOLONG;
+ p = to;
+ *p++ = '/';
++ tolen--;
+ break;
+ case 3:
++ if (tolen < 3)
++ return -ENAMETOOLONG;
+ memcpy(p, "../", 3);
+ p += 3;
++ tolen -= 3;
+ break;
+ case 4:
++ if (tolen < 2)
++ return -ENAMETOOLONG;
+ memcpy(p, "./", 2);
+ p += 2;
++ tolen -= 2;
+ /* that would be . - just ignore */
+ break;
+ case 5:
+- p += udf_get_filename(sb, pc->componentIdent, p,
+- pc->lengthComponentIdent);
++ elen += pc->lengthComponentIdent;
++ if (elen > fromlen)
++ return -EIO;
++ comp_len = udf_get_filename(sb, pc->componentIdent,
++ pc->lengthComponentIdent,
++ p, tolen);
++ p += comp_len;
++ tolen -= comp_len;
++ if (tolen == 0)
++ return -ENAMETOOLONG;
+ *p++ = '/';
++ tolen--;
+ break;
+ }
+- elen += sizeof(struct pathComponent) + pc->lengthComponentIdent;
+ }
+ if (p > to + 1)
+ p[-1] = '\0';
+ else
+ p[0] = '\0';
++ return 0;
+ }
+
+ static int udf_symlink_filler(struct file *file, struct page *page)
+@@ -80,11 +104,17 @@ static int udf_symlink_filler(struct file *file, struct page *page)
+ struct inode *inode = page->mapping->host;
+ struct buffer_head *bh = NULL;
+ unsigned char *symlink;
+- int err = -EIO;
++ int err;
+ unsigned char *p = kmap(page);
+ struct udf_inode_info *iinfo;
+ uint32_t pos;
+
++ /* We don't support symlinks longer than one block */
++ if (inode->i_size > inode->i_sb->s_blocksize) {
++ err = -ENAMETOOLONG;
++ goto out_unmap;
++ }
++
+ iinfo = UDF_I(inode);
+ pos = udf_block_map(inode, 0);
+
+@@ -94,14 +124,18 @@ static int udf_symlink_filler(struct file *file, struct page *page)
+ } else {
+ bh = sb_bread(inode->i_sb, pos);
+
+- if (!bh)
+- goto out;
++ if (!bh) {
++ err = -EIO;
++ goto out_unlock_inode;
++ }
+
+ symlink = bh->b_data;
+ }
+
+- udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p);
++ err = udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p, PAGE_SIZE);
+ brelse(bh);
++ if (err)
++ goto out_unlock_inode;
+
+ up_read(&iinfo->i_data_sem);
+ SetPageUptodate(page);
+@@ -109,9 +143,10 @@ static int udf_symlink_filler(struct file *file, struct page *page)
+ unlock_page(page);
+ return 0;
+
+-out:
++out_unlock_inode:
+ up_read(&iinfo->i_data_sem);
+ SetPageError(page);
++out_unmap:
+ kunmap(page);
+ unlock_page(page);
+ return err;
+diff --git a/fs/udf/udfdecl.h b/fs/udf/udfdecl.h
+index be7dabb..6b10c98 100644
+--- a/fs/udf/udfdecl.h
++++ b/fs/udf/udfdecl.h
+@@ -143,7 +143,6 @@ extern int udf_expand_file_adinicb(struct inode *);
+ extern struct buffer_head *udf_expand_dir_adinicb(struct inode *, int *, int *);
+ extern struct buffer_head *udf_bread(struct inode *, int, int, int *);
+ extern int udf_setsize(struct inode *, loff_t);
+-extern void udf_read_inode(struct inode *);
+ extern void udf_evict_inode(struct inode *);
+ extern int udf_write_inode(struct inode *, struct writeback_control *wbc);
+ extern long udf_block_map(struct inode *, sector_t);
+@@ -201,7 +200,8 @@ udf_get_lb_pblock(struct super_block *sb, struct kernel_lb_addr *loc,
+ }
+
+ /* unicode.c */
+-extern int udf_get_filename(struct super_block *, uint8_t *, uint8_t *, int);
++extern int udf_get_filename(struct super_block *, uint8_t *, int, uint8_t *,
++ int);
+ extern int udf_put_filename(struct super_block *, const uint8_t *, uint8_t *,
+ int);
+ extern int udf_build_ustr(struct ustr *, dstring *, int);
+diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c
+index 44b815e..d29c06f 100644
+--- a/fs/udf/unicode.c
++++ b/fs/udf/unicode.c
+@@ -28,7 +28,8 @@
+
+ #include "udf_sb.h"
+
+-static int udf_translate_to_linux(uint8_t *, uint8_t *, int, uint8_t *, int);
++static int udf_translate_to_linux(uint8_t *, int, uint8_t *, int, uint8_t *,
++ int);
+
+ static int udf_char_to_ustr(struct ustr *dest, const uint8_t *src, int strlen)
+ {
+@@ -333,8 +334,8 @@ try_again:
+ return u_len + 1;
+ }
+
+-int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
+- int flen)
++int udf_get_filename(struct super_block *sb, uint8_t *sname, int slen,
++ uint8_t *dname, int dlen)
+ {
+ struct ustr *filename, *unifilename;
+ int len = 0;
+@@ -347,7 +348,7 @@ int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
+ if (!unifilename)
+ goto out1;
+
+- if (udf_build_ustr_exact(unifilename, sname, flen))
++ if (udf_build_ustr_exact(unifilename, sname, slen))
+ goto out2;
+
+ if (UDF_QUERY_FLAG(sb, UDF_FLAG_UTF8)) {
+@@ -366,7 +367,8 @@ int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
+ } else
+ goto out2;
+
+- len = udf_translate_to_linux(dname, filename->u_name, filename->u_len,
++ len = udf_translate_to_linux(dname, dlen,
++ filename->u_name, filename->u_len,
+ unifilename->u_name, unifilename->u_len);
+ out2:
+ kfree(unifilename);
+@@ -403,10 +405,12 @@ int udf_put_filename(struct super_block *sb, const uint8_t *sname,
+ #define EXT_MARK '.'
+ #define CRC_MARK '#'
+ #define EXT_SIZE 5
++/* Number of chars we need to store generated CRC to make filename unique */
++#define CRC_LEN 5
+
+-static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
+- int udfLen, uint8_t *fidName,
+- int fidNameLen)
++static int udf_translate_to_linux(uint8_t *newName, int newLen,
++ uint8_t *udfName, int udfLen,
++ uint8_t *fidName, int fidNameLen)
+ {
+ int index, newIndex = 0, needsCRC = 0;
+ int extIndex = 0, newExtIndex = 0, hasExt = 0;
+@@ -440,7 +444,7 @@ static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
+ newExtIndex = newIndex;
+ }
+ }
+- if (newIndex < 256)
++ if (newIndex < newLen)
+ newName[newIndex++] = curr;
+ else
+ needsCRC = 1;
+@@ -468,13 +472,13 @@ static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
+ }
+ ext[localExtIndex++] = curr;
+ }
+- maxFilenameLen = 250 - localExtIndex;
++ maxFilenameLen = newLen - CRC_LEN - localExtIndex;
+ if (newIndex > maxFilenameLen)
+ newIndex = maxFilenameLen;
+ else
+ newIndex = newExtIndex;
+- } else if (newIndex > 250)
+- newIndex = 250;
++ } else if (newIndex > newLen - CRC_LEN)
++ newIndex = newLen - CRC_LEN;
+ newName[newIndex++] = CRC_MARK;
+ valueCRC = crc_itu_t(0, fidName, fidNameLen);
+ newName[newIndex++] = hexChar[(valueCRC & 0xf000) >> 12];
diff --git a/fs/ufs/swab.h b/fs/ufs/swab.h
index 8d974c4..b82f6ec 100644
--- a/fs/ufs/swab.h
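Review bot: In udf_translate_to_linux the CRC truncation assigns `newLen - CRC_LEN - localExtIndex` or `newLen - CRC_LEN` to `newIndex` without checking that the result is non-negative. With the old constants 256 and 250 that could not go wrong, but `newLen` is now the caller's remaining space, and udf_pc_to_char passes a `tolen` that shrinks with every component; once it is smaller than the suffix, the following `newName[newIndex++] = CRC_MARK;` writes before the start of the output buffer. The function should refuse such a call before truncating, for instance `if (newLen < CRC_LEN + EXT_SIZE) return 0;`, and udf_pc_to_char should turn that into -ENAMETOOLONG instead of appending `/`. Separately, the UDF_RECOVERY branch of udf_lookup does `return inode;` from a function returning `struct dentry *`; `return ERR_CAST(inode);`, as used a few lines below, would match.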
@@ -100570,9 +101342,18 @@ index d074d06..ad3cfcf 100644
if (ogm_packet->flags & BATADV_DIRECTLINK)
has_directlink_flag = true;
diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
-index c46387a..6ad5ef9 100644
+index c46387a..3b6c10e 100644
--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
+@@ -251,7 +251,7 @@ batadv_frag_merge_packets(struct hlist_head *chain, struct sk_buff *skb)
+ kfree(entry);
+
+ /* Make room for the rest of the fragments. */
+- if (pskb_expand_head(skb_out, 0, size - skb->len, GFP_ATOMIC) < 0) {
++ if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) {
+ kfree_skb(skb_out);
+ skb_out = NULL;
+ goto free;
@@ -450,7 +450,7 @@ bool batadv_frag_send_packet(struct sk_buff *skb,
frag_header.packet_type = BATADV_UNICAST_FRAG;
frag_header.version = BATADV_COMPAT_VERSION;
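Review bot: The tail-room argument `size - skb_out->len` passed to `pskb_expand_head()` in `batadv_frag_merge_packets` is computed with no bounds check in the visible lines, so it can go negative if `size` is smaller than the length already held in `skb_out`. Where `size` comes from is outside the hunk; if it is read from a fragment header it is sender-controlled. A guard that reuses the existing error path would reject inconsistent chains before the call: `if (size < skb_out->len) { kfree_skb(skb_out); skb_out = NULL; goto free; }`. The same change appears in the 3.18.1 copy of the patch further down the page, and this note applies there as well. The function starts and ends outside the hunk.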
diff --git a/3.18.1/0000_README b/3.18.1/0000_README
index 2f3438b..dae7762 100644
--- a/3.18.1/0000_README
+++ b/3.18.1/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.18.1-201412281149.patch
+Patch: 4420_grsecurity-3.0-3.18.1-201501042021.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.18.1/4420_grsecurity-3.0-3.18.1-201412281149.patch b/3.18.1/4420_grsecurity-3.0-3.18.1-201501042021.patch
index 9709c10..9090c69 100644
--- a/3.18.1/4420_grsecurity-3.0-3.18.1-201412281149.patch
+++ b/3.18.1/4420_grsecurity-3.0-3.18.1-201501042021.patch
@@ -962,7 +962,7 @@ index 89c4b5c..847a7be 100644
kexec is a system call that implements the ability to shutdown your
current kernel, and to start another kernel. It is like a reboot
diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h
-index e22c119..9531fcc 100644
+index e22c119..8fa9957 100644
--- a/arch/arm/include/asm/atomic.h
+++ b/arch/arm/include/asm/atomic.h
@@ -18,17 +18,41 @@
@@ -1007,11 +1007,12 @@ index e22c119..9531fcc 100644
#if __LINUX_ARM_ARCH__ >= 6
-@@ -38,7 +62,25 @@
+@@ -38,26 +62,50 @@
* to ensure that the update happens.
*/
-#define ATOMIC_OP(op, c_op, asm_op) \
+-static inline void atomic_##op(int i, atomic_t *v) \
+#ifdef CONFIG_PAX_REFCOUNT
+#define __OVERFLOW_POST \
+ " bvc 3f\n" \
@@ -1022,20 +1023,24 @@ index e22c119..9531fcc 100644
+" mov %0, %1\n" \
+ "2: " REFCOUNT_TRAP_INSN "\n"\
+ "3:\n"
-+#define __OVERFLOW_EXTABLE \
-+ "4:\n"
++#define __OVERFLOW_EXTABLE \
++ "4:\n" \
+ _ASM_EXTABLE(2b, 4b)
+#else
+#define __OVERFLOW_POST
++#define __OVERFLOW_POST_RETURN
+#define __OVERFLOW_EXTABLE
+#endif
+
+#define __ATOMIC_OP(op, suffix, c_op, asm_op, post_op, extable) \
- static inline void atomic_##op(int i, atomic_t *v) \
++static inline void atomic_##op##suffix(int i, atomic##suffix##_t *v) \
{ \
unsigned long tmp; \
-@@ -48,15 +90,20 @@ static inline void atomic_##op(int i, atomic_t *v) \
- __asm__ __volatile__("@ atomic_" #op "\n" \
+ int result; \
+ \
+ prefetchw(&v->counter); \
+- __asm__ __volatile__("@ atomic_" #op "\n" \
++ __asm__ __volatile__("@ atomic_" #op #suffix "\n" \
"1: ldrex %0, [%3]\n" \
" " #asm_op " %0, %0, %4\n" \
+ post_op \
@@ -1050,15 +1055,21 @@ index e22c119..9531fcc 100644
} \
-#define ATOMIC_OP_RETURN(op, c_op, asm_op) \
+-static inline int atomic_##op##_return(int i, atomic_t *v) \
+#define ATOMIC_OP(op, c_op, asm_op) __ATOMIC_OP(op, , c_op, asm_op, , )\
+ __ATOMIC_OP(op, _unchecked, c_op, asm_op##s, __OVERFLOW_POST, __OVERFLOW_EXTABLE)
+
+#define __ATOMIC_OP_RETURN(op, suffix, c_op, asm_op, post_op, extable) \
- static inline int atomic_##op##_return(int i, atomic_t *v) \
++static inline int atomic_##op##_return##suffix(int i, atomic##suffix##_t *v)\
{ \
unsigned long tmp; \
-@@ -68,9 +115,11 @@ static inline int atomic_##op##_return(int i, atomic_t *v) \
- __asm__ __volatile__("@ atomic_" #op "_return\n" \
+ int result; \
+@@ -65,12 +113,14 @@ static inline int atomic_##op##_return(int i, atomic_t *v) \
+ smp_mb(); \
+ prefetchw(&v->counter); \
+ \
+- __asm__ __volatile__("@ atomic_" #op "_return\n" \
++ __asm__ __volatile__("@ atomic_" #op "_return" #suffix "\n" \
"1: ldrex %0, [%3]\n" \
" " #asm_op " %0, %0, %4\n" \
+ post_op \
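Review bot: The `ATOMIC_OP` definition kept as context in this hunk looks inverted between the checked and unchecked variants. It instantiates the overflow-trapping form (`asm_op##s` with `__OVERFLOW_POST` and `__OVERFLOW_EXTABLE`) for the `_unchecked` suffix, while the plain `atomic_t` variant gets empty `post_op` and `extable` arguments. If `atomic_unchecked_t` is meant to be the type that opts out of CONFIG_PAX_REFCOUNT overflow detection, the two expansions should be swapped: `__ATOMIC_OP(op, _unchecked, c_op, asm_op, , )` and `__ATOMIC_OP(op, , c_op, asm_op##s, __OVERFLOW_POST, __OVERFLOW_EXTABLE)`. The matching `ATOMIC_OP_RETURN` wrapper is hidden by the next hunk boundary and should be checked for the same pairing.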
@@ -1070,7 +1081,7 @@ index e22c119..9531fcc 100644
: "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) \
: "r" (&v->counter), "Ir" (i) \
: "cc"); \
-@@ -80,6 +129,9 @@ static inline int atomic_##op##_return(int i, atomic_t *v) \
+@@ -80,6 +130,9 @@ static inline int atomic_##op##_return(int i, atomic_t *v) \
return result; \
}
@@ -1080,7 +1091,7 @@ index e22c119..9531fcc 100644
static inline int atomic_cmpxchg(atomic_t *ptr, int old, int new)
{
int oldval;
-@@ -115,12 +167,24 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
+@@ -115,12 +168,24 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
__asm__ __volatile__ ("@ atomic_add_unless\n"
"1: ldrex %0, [%4]\n"
" teq %0, %5\n"
@@ -1108,7 +1119,7 @@ index e22c119..9531fcc 100644
: "=&r" (oldval), "=&r" (newval), "=&r" (tmp), "+Qo" (v->counter)
: "r" (&v->counter), "r" (u), "r" (a)
: "cc");
-@@ -131,6 +195,28 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
+@@ -131,14 +196,36 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
return oldval;
}
@@ -1137,19 +1148,53 @@ index e22c119..9531fcc 100644
#else /* ARM_ARCH_6 */
#ifdef CONFIG_SMP
-@@ -175,6 +261,11 @@ static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
+ #error SMP not supported on pre-ARMv6 CPUs
+ #endif
+
+-#define ATOMIC_OP(op, c_op, asm_op) \
+-static inline void atomic_##op(int i, atomic_t *v) \
++#define __ATOMIC_OP(op, suffix, c_op, asm_op) \
++static inline void atomic_##op##suffix(int i, atomic##suffix##_t *v) \
+ { \
+ unsigned long flags; \
+ \
+@@ -147,8 +234,11 @@ static inline void atomic_##op(int i, atomic_t *v) \
+ raw_local_irq_restore(flags); \
+ } \
+
+-#define ATOMIC_OP_RETURN(op, c_op, asm_op) \
+-static inline int atomic_##op##_return(int i, atomic_t *v) \
++#define ATOMIC_OP(op, c_op, asm_op) __ATOMIC_OP(op, , c_op, asm_op) \
++ __ATOMIC_OP(op, _unchecked, c_op, asm_op)
++
++#define __ATOMIC_OP_RETURN(op, suffix, c_op, asm_op) \
++static inline int atomic_##op##_return##suffix(int i, atomic##suffix##_t *v)\
+ { \
+ unsigned long flags; \
+ int val; \
+@@ -161,6 +251,9 @@ static inline int atomic_##op##_return(int i, atomic_t *v) \
+ return val; \
+ }
+
++#define ATOMIC_OP_RETURN(op, c_op, asm_op) __ATOMIC_OP_RETURN(op, , c_op, asm_op)\
++ __ATOMIC_OP_RETURN(op, _unchecked, c_op, asm_op)
++
+ static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
+ {
+ int ret;
+@@ -175,6 +268,11 @@ static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
return ret;
}
+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
+{
-+ return atomic_cmpxchg(v, old, new);
++ return atomic_cmpxchg((atomic_t *)v, old, new);
+}
+
static inline int __atomic_add_unless(atomic_t *v, int a, int u)
{
int c, old;
-@@ -196,16 +287,38 @@ ATOMIC_OPS(sub, -=, sub)
+@@ -196,16 +294,38 @@ ATOMIC_OPS(sub, -=, sub)
#undef ATOMIC_OPS
#undef ATOMIC_OP_RETURN
@@ -1188,7 +1233,7 @@ index e22c119..9531fcc 100644
#define atomic_dec_return(v) (atomic_sub_return(1, v))
#define atomic_sub_and_test(i, v) (atomic_sub_return(i, v) == 0)
-@@ -216,6 +329,14 @@ typedef struct {
+@@ -216,6 +336,14 @@ typedef struct {
long long counter;
} atomic64_t;
@@ -1203,7 +1248,7 @@ index e22c119..9531fcc 100644
#define ATOMIC64_INIT(i) { (i) }
#ifdef CONFIG_ARM_LPAE
-@@ -232,6 +353,19 @@ static inline long long atomic64_read(const atomic64_t *v)
+@@ -232,6 +360,19 @@ static inline long long atomic64_read(const atomic64_t *v)
return result;
}
@@ -1223,7 +1268,7 @@ index e22c119..9531fcc 100644
static inline void atomic64_set(atomic64_t *v, long long i)
{
__asm__ __volatile__("@ atomic64_set\n"
-@@ -240,6 +374,15 @@ static inline void atomic64_set(atomic64_t *v, long long i)
+@@ -240,6 +381,15 @@ static inline void atomic64_set(atomic64_t *v, long long i)
: "r" (&v->counter), "r" (i)
);
}
@@ -1239,7 +1284,7 @@ index e22c119..9531fcc 100644
#else
static inline long long atomic64_read(const atomic64_t *v)
{
-@@ -254,6 +397,19 @@ static inline long long atomic64_read(const atomic64_t *v)
+@@ -254,6 +404,19 @@ static inline long long atomic64_read(const atomic64_t *v)
return result;
}
@@ -1259,7 +1304,7 @@ index e22c119..9531fcc 100644
static inline void atomic64_set(atomic64_t *v, long long i)
{
long long tmp;
-@@ -268,29 +424,57 @@ static inline void atomic64_set(atomic64_t *v, long long i)
+@@ -268,29 +431,57 @@ static inline void atomic64_set(atomic64_t *v, long long i)
: "r" (&v->counter), "r" (i)
: "cc");
}
@@ -1323,7 +1368,7 @@ index e22c119..9531fcc 100644
{ \
long long result; \
unsigned long tmp; \
-@@ -298,13 +482,15 @@ static inline long long atomic64_##op##_return(long long i, atomic64_t *v) \
+@@ -298,13 +489,15 @@ static inline long long atomic64_##op##_return(long long i, atomic64_t *v) \
smp_mb(); \
prefetchw(&v->counter); \
\
@@ -1341,7 +1386,7 @@ index e22c119..9531fcc 100644
: "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) \
: "r" (&v->counter), "r" (i) \
: "cc"); \
-@@ -314,6 +500,9 @@ static inline long long atomic64_##op##_return(long long i, atomic64_t *v) \
+@@ -314,6 +507,9 @@ static inline long long atomic64_##op##_return(long long i, atomic64_t *v) \
return result; \
}
@@ -1351,7 +1396,7 @@ index e22c119..9531fcc 100644
#define ATOMIC64_OPS(op, op1, op2) \
ATOMIC64_OP(op, op1, op2) \
ATOMIC64_OP_RETURN(op, op1, op2)
-@@ -323,7 +512,12 @@ ATOMIC64_OPS(sub, subs, sbc)
+@@ -323,7 +519,12 @@ ATOMIC64_OPS(sub, subs, sbc)
#undef ATOMIC64_OPS
#undef ATOMIC64_OP_RETURN
@@ -1364,7 +1409,7 @@ index e22c119..9531fcc 100644
static inline long long atomic64_cmpxchg(atomic64_t *ptr, long long old,
long long new)
-@@ -351,6 +545,31 @@ static inline long long atomic64_cmpxchg(atomic64_t *ptr, long long old,
+@@ -351,6 +552,31 @@ static inline long long atomic64_cmpxchg(atomic64_t *ptr, long long old,
return oldval;
}
@@ -1396,7 +1441,7 @@ index e22c119..9531fcc 100644
static inline long long atomic64_xchg(atomic64_t *ptr, long long new)
{
long long result;
-@@ -376,21 +595,35 @@ static inline long long atomic64_xchg(atomic64_t *ptr, long long new)
+@@ -376,21 +602,35 @@ static inline long long atomic64_xchg(atomic64_t *ptr, long long new)
static inline long long atomic64_dec_if_positive(atomic64_t *v)
{
long long result;
@@ -1438,7 +1483,7 @@ index e22c119..9531fcc 100644
: "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
: "r" (&v->counter)
: "cc");
-@@ -414,13 +647,25 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u)
+@@ -414,13 +654,25 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u)
" teq %0, %5\n"
" teqeq %H0, %H5\n"
" moveq %1, #0\n"
@@ -1467,7 +1512,7 @@ index e22c119..9531fcc 100644
: "=&r" (val), "+r" (ret), "=&r" (tmp), "+Qo" (v->counter)
: "r" (&v->counter), "r" (u), "r" (a)
: "cc");
-@@ -433,10 +678,13 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u)
+@@ -433,10 +685,13 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u)
#define atomic64_add_negative(a, v) (atomic64_add_return((a), (v)) < 0)
#define atomic64_inc(v) atomic64_add(1LL, (v))
@@ -16130,7 +16175,7 @@ index 9863ee3..4a1f8e1 100644
return _PAGE_CACHE_WC;
else if (pg_flags == _PGMT_UC_MINUS)
diff --git a/arch/x86/include/asm/calling.h b/arch/x86/include/asm/calling.h
-index 76659b6..6e0b30a 100644
+index 76659b6..72b8439 100644
--- a/arch/x86/include/asm/calling.h
+++ b/arch/x86/include/asm/calling.h
@@ -82,107 +82,117 @@ For 32-bit we have the following conventions - kernel is built with
@@ -16257,7 +16302,7 @@ index 76659b6..6e0b30a 100644
.if \skiprax
.else
- movq \offset+72(%rsp), %rax
-+ movq RAX(%rsp), %rax
++ movq ORIG_RAX(%rsp), %rax
.endif
.endm
@@ -23016,7 +23061,7 @@ index 344b63f..ccdac7a 100644
#endif
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index c0226ab..b1d8cdd 100644
+index c0226ab..96a8ab7 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -59,6 +59,8 @@
@@ -23686,7 +23731,7 @@ index c0226ab..b1d8cdd 100644
/*
* sysretq will re-enable interrupts:
*/
-@@ -494,11 +963,14 @@ sysret_audit:
+@@ -494,12 +963,15 @@ sysret_audit:
/* Do syscall tracing */
tracesys:
@@ -23696,12 +23741,14 @@ index c0226ab..b1d8cdd 100644
call syscall_trace_enter_phase1
test %rax, %rax
jnz tracesys_phase2 /* if needed, run the slow path */
+- LOAD_ARGS 0 /* else restore clobbered regs */
+
+ pax_erase_kstack
+
- LOAD_ARGS 0 /* else restore clobbered regs */
++ LOAD_ARGS /* else restore clobbered regs */
jmp system_call_fastpath /* and return to the fast path */
+ tracesys_phase2:
@@ -510,12 +982,14 @@ tracesys_phase2:
movq %rax,%rdx
call syscall_trace_enter_phase2
@@ -23894,6 +23941,27 @@ index c0226ab..b1d8cdd 100644
/*
* The iretq could re-enable interrupts:
*/
+@@ -845,15 +1333,15 @@ native_irq_return_ldt:
+ SWAPGS
+ movq PER_CPU_VAR(espfix_waddr),%rdi
+ movq %rax,(0*8)(%rdi) /* RAX */
+- movq (2*8)(%rsp),%rax /* RIP */
++ movq (2*8 + RIP-RIP)(%rsp),%rax /* RIP */
+ movq %rax,(1*8)(%rdi)
+- movq (3*8)(%rsp),%rax /* CS */
++ movq (2*8 + CS-RIP)(%rsp),%rax /* CS */
+ movq %rax,(2*8)(%rdi)
+- movq (4*8)(%rsp),%rax /* RFLAGS */
++ movq (2*8 + EFLAGS-RIP)(%rsp),%rax /* RFLAGS */
+ movq %rax,(3*8)(%rdi)
+- movq (6*8)(%rsp),%rax /* SS */
++ movq (2*8 + SS-RIP)(%rsp),%rax /* SS */
+ movq %rax,(5*8)(%rdi)
+- movq (5*8)(%rsp),%rax /* RSP */
++ movq (2*8 + RSP-RIP)(%rsp),%rax /* RSP */
+ movq %rax,(4*8)(%rdi)
+ andl $0xffff0000,%eax
+ popq_cfi %rdi
@@ -907,7 +1395,7 @@ ENTRY(retint_kernel)
jmp exit_intr
#endif
@@ -26362,26 +26430,30 @@ index 548d25f..f8fb99c 100644
EXPORT_SYMBOL_GPL(pv_time_ops);
diff --git a/arch/x86/kernel/paravirt_patch_64.c b/arch/x86/kernel/paravirt_patch_64.c
-index a1da673..2c72d5b 100644
+index a1da673..b6f5831 100644
--- a/arch/x86/kernel/paravirt_patch_64.c
+++ b/arch/x86/kernel/paravirt_patch_64.c
-@@ -9,7 +9,9 @@ DEF_NATIVE(pv_irq_ops, save_fl, "pushfq; popq %rax");
+@@ -9,7 +9,11 @@ DEF_NATIVE(pv_irq_ops, save_fl, "pushfq; popq %rax");
DEF_NATIVE(pv_mmu_ops, read_cr2, "movq %cr2, %rax");
DEF_NATIVE(pv_mmu_ops, read_cr3, "movq %cr3, %rax");
DEF_NATIVE(pv_mmu_ops, write_cr3, "movq %rdi, %cr3");
++
+#ifndef CONFIG_PAX_MEMORY_UDEREF
DEF_NATIVE(pv_mmu_ops, flush_tlb_single, "invlpg (%rdi)");
+#endif
++
DEF_NATIVE(pv_cpu_ops, clts, "clts");
DEF_NATIVE(pv_cpu_ops, wbinvd, "wbinvd");
-@@ -57,7 +59,9 @@ unsigned native_patch(u8 type, u16 clobbers, void *ibuf,
+@@ -57,7 +61,11 @@ unsigned native_patch(u8 type, u16 clobbers, void *ibuf,
PATCH_SITE(pv_mmu_ops, read_cr3);
PATCH_SITE(pv_mmu_ops, write_cr3);
PATCH_SITE(pv_cpu_ops, clts);
++
+#ifndef CONFIG_PAX_MEMORY_UDEREF
PATCH_SITE(pv_mmu_ops, flush_tlb_single);
+#endif
++
PATCH_SITE(pv_cpu_ops, wbinvd);
patch_site:
@@ -27898,7 +27970,7 @@ index 1c113db..287b42e 100644
static int trace_irq_vector_refcount;
static DEFINE_MUTEX(irq_vector_mutex);
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
-index de801f2..f189dcf 100644
+index de801f2..4a4c4af 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -67,7 +67,7 @@
@@ -28043,7 +28115,16 @@ index de801f2..f189dcf 100644
tsk->thread.error_code = error_code;
tsk->thread.trap_nr = X86_TRAP_GP;
-@@ -433,7 +474,7 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s)
+@@ -427,13 +468,16 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s)
+ container_of(task_pt_regs(current),
+ struct bad_iret_stack, regs);
+
++ if ((current->thread.sp0 ^ (unsigned long)s) < THREAD_SIZE)
++ new_stack = s;
++
+ /* Copy the IRET target to the new stack. */
+ memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8);
+
/* Copy the remainder of the stack from the current stack. */
memmove(new_stack, s, offsetof(struct bad_iret_stack, regs.ip));
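Review bot: The added test `(current->thread.sp0 ^ (unsigned long)s) < THREAD_SIZE` in `fixup_bad_iret` has no comment, and it rests on an assumption that the hunk does not show. The XOR is below THREAD_SIZE only when `s` and `sp0` lie in the same THREAD_SIZE-aligned block, so it presumably means "s is already on this task's kernel stack, fix it up in place". That holds only if `sp0` points strictly inside the stack allocation rather than one past its end, which should be confirmed for every configuration this builds under. I would add `/* s already lies on the task stack (same THREAD_SIZE-aligned block as sp0): reuse it instead of relocating */` above the test. The function starts before the hunk.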
@@ -28052,7 +28133,7 @@ index de801f2..f189dcf 100644
return new_stack;
}
#endif
-@@ -518,7 +559,7 @@ dotraplinkage void do_debug(struct pt_regs *regs, long error_code)
+@@ -518,7 +562,7 @@ dotraplinkage void do_debug(struct pt_regs *regs, long error_code)
/* It's safe to allow irq's after DR6 has been saved */
preempt_conditional_sti(regs);
@@ -28061,7 +28142,7 @@ index de801f2..f189dcf 100644
handle_vm86_trap((struct kernel_vm86_regs *) regs, error_code,
X86_TRAP_DB);
preempt_conditional_cli(regs);
-@@ -533,7 +574,7 @@ dotraplinkage void do_debug(struct pt_regs *regs, long error_code)
+@@ -533,7 +577,7 @@ dotraplinkage void do_debug(struct pt_regs *regs, long error_code)
* We already checked v86 mode above, so we can check for kernel mode
* by just checking the CPL of CS.
*/
@@ -28070,7 +28151,7 @@ index de801f2..f189dcf 100644
tsk->thread.debugreg6 &= ~DR_STEP;
set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
regs->flags &= ~X86_EFLAGS_TF;
-@@ -566,7 +607,7 @@ static void math_error(struct pt_regs *regs, int error_code, int trapnr)
+@@ -566,7 +610,7 @@ static void math_error(struct pt_regs *regs, int error_code, int trapnr)
return;
conditional_sti(regs);
@@ -28656,9 +28737,18 @@ index 976e3a5..8bb998c 100644
out:
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 9f8a2fa..565eb4f 100644
+index 9f8a2fa..2df3c3f 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
+@@ -3519,7 +3519,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
+ int cr = ctxt->modrm_reg;
+ u64 efer = 0;
+
+- static u64 cr_reserved_bits[] = {
++ static const u64 cr_reserved_bits[] = {
+ 0xffffffff00000000ULL,
+ 0, 0, 0, /* CR3 checked later */
+ CR4_RESERVED_BITS,
@@ -3554,7 +3554,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
@@ -34156,7 +34246,7 @@ index 6440221..f84b5c7 100644
+ pax_force_retaddr
ret
diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
-index 3f62734..097bf93 100644
+index 3f62734..a57894f 100644
--- a/arch/x86/net/bpf_jit_comp.c
+++ b/arch/x86/net/bpf_jit_comp.c
@@ -13,7 +13,11 @@
@@ -34199,14 +34289,21 @@ index 3f62734..097bf93 100644
prog->bpf_func = (void *)image;
prog->jited = true;
}
-@@ -982,7 +989,6 @@ void bpf_jit_free(struct bpf_prog *fp)
- if (!fp->jited)
- goto free_filter;
+@@ -979,12 +986,8 @@ void bpf_jit_free(struct bpf_prog *fp)
+ unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
+ struct bpf_binary_header *header = (void *)addr;
-- set_memory_rw(addr, header->pages);
- bpf_jit_binary_free(header);
+- if (!fp->jited)
+- goto free_filter;
++ if (fp->jited)
++ bpf_jit_binary_free(header);
- free_filter:
+- set_memory_rw(addr, header->pages);
+- bpf_jit_binary_free(header);
+-
+-free_filter:
+ bpf_prog_unlock_free(fp);
+ }
diff --git a/arch/x86/oprofile/backtrace.c b/arch/x86/oprofile/backtrace.c
index 5d04be5..2beeaa2 100644
--- a/arch/x86/oprofile/backtrace.c
@@ -39186,25 +39283,16 @@ index b0c18ed..1713a80 100644
cpu_notifier_register_begin();
diff --git a/drivers/cpufreq/cpufreq-dt.c b/drivers/cpufreq/cpufreq-dt.c
-index f657c57..ada41b6 100644
+index f657c57..31d97ae 100644
--- a/drivers/cpufreq/cpufreq-dt.c
+++ b/drivers/cpufreq/cpufreq-dt.c
-@@ -345,6 +345,7 @@ static int dt_cpufreq_probe(struct platform_device *pdev)
- struct device *cpu_dev;
- struct regulator *cpu_reg;
- struct clk *cpu_clk;
-+ void *fptr;
- int ret;
-
- /*
-@@ -362,7 +363,10 @@ static int dt_cpufreq_probe(struct platform_device *pdev)
+@@ -362,7 +362,9 @@ static int dt_cpufreq_probe(struct platform_device *pdev)
if (!IS_ERR(cpu_reg))
regulator_put(cpu_reg);
- dt_cpufreq_driver.driver_data = dev_get_platdata(&pdev->dev);
-+ fptr = dev_get_platdata(&pdev->dev);
+ pax_open_kernel();
-+ *(void **)&dt_cpufreq_driver.driver_data = fptr;
++ *(void **)&dt_cpufreq_driver.driver_data = dev_get_platdata(&pdev->dev);
+ pax_close_kernel();
ret = cpufreq_register_driver(&dt_cpufreq_driver);
@@ -53107,7 +53195,7 @@ index c78f43a..22b1dab 100644
if (cfg->uart_flags & UPF_CONS_FLOW) {
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
-index eaeb9a0..2691250 100644
+index eaeb9a0..01a238c 100644
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -1339,7 +1339,7 @@ static void uart_close(struct tty_struct *tty, struct file *filp)
@@ -53142,7 +53230,7 @@ index eaeb9a0..2691250 100644
return retval;
err_dec_count:
- port->count--;
-+ atomic_inc(&port->count);
++ atomic_dec(&port->count);
mutex_unlock(&port->mutex);
goto end;
}
@@ -63473,7 +63561,7 @@ index 26753ba..d19eb34 100644
return res;
}
diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
-index f488bba..bb63254 100644
+index f488bba..735d752 100644
--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -30,6 +30,7 @@ struct rock_state {
@@ -63503,6 +63591,16 @@ index f488bba..bb63254 100644
bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
if (bh) {
memcpy(rs->buffer, bh->b_data + rs->cont_offset,
+@@ -356,6 +362,9 @@ repeat:
+ rs.cont_size = isonum_733(rr->u.CE.size);
+ break;
+ case SIG('E', 'R'):
++ /* Invalid length of ER tag id? */
++ if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len)
++ goto out;
+ ISOFS_SB(inode->i_sb)->s_rock = 1;
+ printk(KERN_DEBUG "ISO 9660 Extensions: ");
+ {
diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c
index 4a6cf28..d3a29d3 100644
--- a/fs/jffs2/erase.c
@@ -63545,7 +63643,7 @@ index 93e897e..a863de4 100644
if (jfs_inode_cachep == NULL)
return -ENOMEM;
diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
-index 1c77193..a50091d 100644
+index 1c77193..5cfb7b57 100644
--- a/fs/kernfs/dir.c
+++ b/fs/kernfs/dir.c
@@ -182,7 +182,7 @@ struct kernfs_node *kernfs_get_parent(struct kernfs_node *kn)
@@ -63557,6 +63655,17 @@ index 1c77193..a50091d 100644
{
unsigned long hash = init_name_hash();
unsigned int len = strlen(name);
+@@ -829,6 +829,10 @@ static int kernfs_iop_mkdir(struct inode *dir, struct dentry *dentry,
+ ret = scops->mkdir(parent, dentry->d_name.name, mode);
+
+ kernfs_put_active(parent);
++
++ if (!ret)
++ ret = kernfs_iop_lookup(dir, dentry, 0);
++
+ return ret;
+ }
+
diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c
index 4429d6d..9831f52 100644
--- a/fs/kernfs/file.c
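Review bot: The new `ret = kernfs_iop_lookup(dir, dentry, 0);` in `kernfs_iop_mkdir` stores the lookup result in the `int ret` that the function returns. The definition of `kernfs_iop_lookup` is not in the hunk, but if it has the usual inode `lookup` signature and returns a `struct dentry *`, the assignment truncates a pointer, and a non-NULL dentry or an `ERR_PTR` would reach the caller as a meaningless integer. In that case the result should go through a pointer local, `struct dentry *d = kernfs_iop_lookup(dir, dentry, 0);` followed by `ret = PTR_ERR_OR_ZERO(d);`, with any returned dentry reference released. The function starts outside the hunk.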
@@ -67605,6 +67714,45 @@ index fb08b0c..65fcc7e 100644
{
int err;
+diff --git a/fs/udf/dir.c b/fs/udf/dir.c
+index a012c51..a7690b4 100644
+--- a/fs/udf/dir.c
++++ b/fs/udf/dir.c
+@@ -167,7 +167,8 @@ static int udf_readdir(struct file *file, struct dir_context *ctx)
+ continue;
+ }
+
+- flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi);
++ flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname,
++ UDF_NAME_LEN);
+ if (!flen)
+ continue;
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index c9b4df5..5bc71d9 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1489,6 +1489,20 @@ reread:
+ }
+ inode->i_generation = iinfo->i_unique;
+
++ /* Sanity checks for files in ICB so that we don't get confused later */
++ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
++ /*
++ * For file in ICB data is stored in allocation descriptor
++ * so sizes should match
++ */
++ if (iinfo->i_lenAlloc != inode->i_size)
++ goto out;
++ /* File in ICB has to fit in there... */
++ if (inode->i_size > inode->i_sb->s_blocksize -
++ udf_file_entry_alloc_offset(inode))
++ goto out;
++ }
++
+ switch (fe->icbTag.fileType) {
+ case ICBTAG_FILE_TYPE_DIRECTORY:
+ inode->i_op = &udf_dir_inode_operations;
diff --git a/fs/udf/misc.c b/fs/udf/misc.c
index c175b4d..8f36a16 100644
--- a/fs/udf/misc.c
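Review bot: The fit check `inode->i_size > inode->i_sb->s_blocksize - udf_file_entry_alloc_offset(inode)` added in fs/udf/inode.c is ineffective if the subtraction wraps. `udf_file_entry_alloc_offset` is not shown, but if the offset it returns includes a length read from the on-disk entry, a value larger than the block size makes the unsigned right-hand side very large and the comparison passes. Bounding the offset first closes that gap: `if (udf_file_entry_alloc_offset(inode) > inode->i_sb->s_blocksize) goto out;`. The enclosing function begins and ends outside the hunk.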
@@ -67618,6 +67766,257 @@ index c175b4d..8f36a16 100644
u8 checksum = 0;
int i;
for (i = 0; i < sizeof(struct tag); ++i)
+diff --git a/fs/udf/namei.c b/fs/udf/namei.c
+index c12e260..6ff19b5 100644
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -233,7 +233,8 @@ static struct fileIdentDesc *udf_find_entry(struct inode *dir,
+ if (!lfi)
+ continue;
+
+- flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi);
++ flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname,
++ UDF_NAME_LEN);
+ if (flen && udf_match(flen, fname, child->len, child->name))
+ goto out_ok;
+ }
+diff --git a/fs/udf/symlink.c b/fs/udf/symlink.c
+index 6fb7945..ac10ca9 100644
+--- a/fs/udf/symlink.c
++++ b/fs/udf/symlink.c
+@@ -30,49 +30,73 @@
+ #include <linux/buffer_head.h>
+ #include "udf_i.h"
+
+-static void udf_pc_to_char(struct super_block *sb, unsigned char *from,
+- int fromlen, unsigned char *to)
++static int udf_pc_to_char(struct super_block *sb, unsigned char *from,
++ int fromlen, unsigned char *to, int tolen)
+ {
+ struct pathComponent *pc;
+ int elen = 0;
++ int comp_len;
+ unsigned char *p = to;
+
++ /* Reserve one byte for terminating \0 */
++ tolen--;
+ while (elen < fromlen) {
+ pc = (struct pathComponent *)(from + elen);
++ elen += sizeof(struct pathComponent);
+ switch (pc->componentType) {
+ case 1:
+ /*
+ * Symlink points to some place which should be agreed
+ * upon between originator and receiver of the media. Ignore.
+ */
+- if (pc->lengthComponentIdent > 0)
++ if (pc->lengthComponentIdent > 0) {
++ elen += pc->lengthComponentIdent;
+ break;
++ }
+ /* Fall through */
+ case 2:
++ if (tolen == 0)
++ return -ENAMETOOLONG;
+ p = to;
+ *p++ = '/';
++ tolen--;
+ break;
+ case 3:
++ if (tolen < 3)
++ return -ENAMETOOLONG;
+ memcpy(p, "../", 3);
+ p += 3;
++ tolen -= 3;
+ break;
+ case 4:
++ if (tolen < 2)
++ return -ENAMETOOLONG;
+ memcpy(p, "./", 2);
+ p += 2;
++ tolen -= 2;
+ /* that would be . - just ignore */
+ break;
+ case 5:
+- p += udf_get_filename(sb, pc->componentIdent, p,
+- pc->lengthComponentIdent);
++ elen += pc->lengthComponentIdent;
++ if (elen > fromlen)
++ return -EIO;
++ comp_len = udf_get_filename(sb, pc->componentIdent,
++ pc->lengthComponentIdent,
++ p, tolen);
++ p += comp_len;
++ tolen -= comp_len;
++ if (tolen == 0)
++ return -ENAMETOOLONG;
+ *p++ = '/';
++ tolen--;
+ break;
+ }
+- elen += sizeof(struct pathComponent) + pc->lengthComponentIdent;
+ }
+ if (p > to + 1)
+ p[-1] = '\0';
+ else
+ p[0] = '\0';
++ return 0;
+ }
+
+ static int udf_symlink_filler(struct file *file, struct page *page)
+@@ -80,11 +104,17 @@ static int udf_symlink_filler(struct file *file, struct page *page)
+ struct inode *inode = page->mapping->host;
+ struct buffer_head *bh = NULL;
+ unsigned char *symlink;
+- int err = -EIO;
++ int err;
+ unsigned char *p = kmap(page);
+ struct udf_inode_info *iinfo;
+ uint32_t pos;
+
++ /* We don't support symlinks longer than one block */
++ if (inode->i_size > inode->i_sb->s_blocksize) {
++ err = -ENAMETOOLONG;
++ goto out_unmap;
++ }
++
+ iinfo = UDF_I(inode);
+ pos = udf_block_map(inode, 0);
+
+@@ -94,14 +124,18 @@ static int udf_symlink_filler(struct file *file, struct page *page)
+ } else {
+ bh = sb_bread(inode->i_sb, pos);
+
+- if (!bh)
+- goto out;
++ if (!bh) {
++ err = -EIO;
++ goto out_unlock_inode;
++ }
+
+ symlink = bh->b_data;
+ }
+
+- udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p);
++ err = udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p, PAGE_SIZE);
+ brelse(bh);
++ if (err)
++ goto out_unlock_inode;
+
+ up_read(&iinfo->i_data_sem);
+ SetPageUptodate(page);
+@@ -109,9 +143,10 @@ static int udf_symlink_filler(struct file *file, struct page *page)
+ unlock_page(page);
+ return 0;
+
+-out:
++out_unlock_inode:
+ up_read(&iinfo->i_data_sem);
+ SetPageError(page);
++out_unmap:
+ kunmap(page);
+ unlock_page(page);
+ return err;
+diff --git a/fs/udf/udfdecl.h b/fs/udf/udfdecl.h
+index 1cc3c99..47bb3f5 100644
+--- a/fs/udf/udfdecl.h
++++ b/fs/udf/udfdecl.h
+@@ -211,7 +211,8 @@ udf_get_lb_pblock(struct super_block *sb, struct kernel_lb_addr *loc,
+ }
+
+ /* unicode.c */
+-extern int udf_get_filename(struct super_block *, uint8_t *, uint8_t *, int);
++extern int udf_get_filename(struct super_block *, uint8_t *, int, uint8_t *,
++ int);
+ extern int udf_put_filename(struct super_block *, const uint8_t *, uint8_t *,
+ int);
+ extern int udf_build_ustr(struct ustr *, dstring *, int);
+diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c
+index afd470e..b84fee3 100644
+--- a/fs/udf/unicode.c
++++ b/fs/udf/unicode.c
+@@ -28,7 +28,8 @@
+
+ #include "udf_sb.h"
+
+-static int udf_translate_to_linux(uint8_t *, uint8_t *, int, uint8_t *, int);
++static int udf_translate_to_linux(uint8_t *, int, uint8_t *, int, uint8_t *,
++ int);
+
+ static int udf_char_to_ustr(struct ustr *dest, const uint8_t *src, int strlen)
+ {
+@@ -333,8 +334,8 @@ try_again:
+ return u_len + 1;
+ }
+
+-int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
+- int flen)
++int udf_get_filename(struct super_block *sb, uint8_t *sname, int slen,
++ uint8_t *dname, int dlen)
+ {
+ struct ustr *filename, *unifilename;
+ int len = 0;
+@@ -347,7 +348,7 @@ int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
+ if (!unifilename)
+ goto out1;
+
+- if (udf_build_ustr_exact(unifilename, sname, flen))
++ if (udf_build_ustr_exact(unifilename, sname, slen))
+ goto out2;
+
+ if (UDF_QUERY_FLAG(sb, UDF_FLAG_UTF8)) {
+@@ -366,7 +367,8 @@ int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
+ } else
+ goto out2;
+
+- len = udf_translate_to_linux(dname, filename->u_name, filename->u_len,
++ len = udf_translate_to_linux(dname, dlen,
++ filename->u_name, filename->u_len,
+ unifilename->u_name, unifilename->u_len);
+ out2:
+ kfree(unifilename);
+@@ -403,10 +405,12 @@ int udf_put_filename(struct super_block *sb, const uint8_t *sname,
+ #define EXT_MARK '.'
+ #define CRC_MARK '#'
+ #define EXT_SIZE 5
++/* Number of chars we need to store generated CRC to make filename unique */
++#define CRC_LEN 5
+
+-static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
+- int udfLen, uint8_t *fidName,
+- int fidNameLen)
++static int udf_translate_to_linux(uint8_t *newName, int newLen,
++ uint8_t *udfName, int udfLen,
++ uint8_t *fidName, int fidNameLen)
+ {
+ int index, newIndex = 0, needsCRC = 0;
+ int extIndex = 0, newExtIndex = 0, hasExt = 0;
+@@ -439,7 +443,7 @@ static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
+ newExtIndex = newIndex;
+ }
+ }
+- if (newIndex < 256)
++ if (newIndex < newLen)
+ newName[newIndex++] = curr;
+ else
+ needsCRC = 1;
+@@ -467,13 +471,13 @@ static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
+ }
+ ext[localExtIndex++] = curr;
+ }
+- maxFilenameLen = 250 - localExtIndex;
++ maxFilenameLen = newLen - CRC_LEN - localExtIndex;
+ if (newIndex > maxFilenameLen)
+ newIndex = maxFilenameLen;
+ else
+ newIndex = newExtIndex;
+- } else if (newIndex > 250)
+- newIndex = 250;
++ } else if (newIndex > newLen - CRC_LEN)
++ newIndex = newLen - CRC_LEN;
+ newName[newIndex++] = CRC_MARK;
+ valueCRC = crc_itu_t(0, fidName, fidNameLen);
+ newName[newIndex++] = hex_asc_upper_hi(valueCRC >> 8);
diff --git a/fs/ufs/swab.h b/fs/ufs/swab.h
index 8d974c4..b82f6ec 100644
--- a/fs/ufs/swab.h
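Review bot: In `udf_translate_to_linux` (fs/udf/unicode.c) the new bounds `newLen - CRC_LEN - localExtIndex` and `newLen - CRC_LEN` become negative when `newLen` is small. `newIndex` is then set to that value and used in `newName[newIndex++] = CRC_MARK`, which writes before the start of the destination buffer. Small values are reachable from the code in this same hunk: `udf_pc_to_char` passes its remaining `tolen` through `udf_get_filename` as `dlen` with no minimum, and tests `tolen == 0` only after the call. The CRC path should refuse to run when the buffer cannot hold the mark, the CRC digits and the extension, for example `if (newLen < CRC_LEN + localExtIndex) return 0;` before `maxFilenameLen` is computed and `if (newLen < CRC_LEN) return 0;` in the branch without an extension. The body of `udf_translate_to_linux` is only partly visible in these hunks, so the exact placement needs checking against the full function.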
@@ -87678,10 +88077,10 @@ index e420a0c..38137fa 100644
task->sessionid = sessionid;
task->loginuid = loginuid;
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
-index d6594e4..00348e4 100644
+index d6594e4..597264b 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
-@@ -143,7 +143,7 @@ bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr,
+@@ -143,14 +143,17 @@ bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr,
* random section of illegal instructions.
*/
size = round_up(proglen + sizeof(*hdr) + 128, PAGE_SIZE);
@@ -87690,7 +88089,17 @@ index d6594e4..00348e4 100644
if (hdr == NULL)
return NULL;
-@@ -163,7 +163,7 @@ bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr,
+ /* Fill space with illegal/arch-dep instructions. */
+ bpf_fill_ill_insns(hdr, size);
+
++ pax_open_kernel();
+ hdr->pages = size / PAGE_SIZE;
++ pax_close_kernel();
++
+ hole = min_t(unsigned int, size - (proglen + sizeof(*hdr)),
+ PAGE_SIZE - sizeof(*hdr));
+ start = (prandom_u32() % hole) & ~(alignment - 1);
+@@ -163,7 +166,7 @@ bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr,
void bpf_jit_binary_free(struct bpf_binary_header *hdr)
{
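Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair added around `hdr->pages = size / PAGE_SIZE;` carries no comment saying why this single store needs it, while `bpf_fill_ill_insns(hdr, size)` two lines earlier writes the same allocation with no pair visible here. The allocation line is not in this hunk, so it is an inference that `hdr` sits in a mapping that is read-only under the hardening config. If that is the case, every architecture's fill callback has to open the kernel itself, which is worth confirming. A comment such as `/* hdr may be read-only here; the store needs the kernel opened */` would record the dependency. bpf_jit_binary_alloc starts and ends outside the hunk.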
@@ -100205,9 +100614,18 @@ index 1e80539..676c37a 100644
if (ogm_packet->flags & BATADV_DIRECTLINK)
has_directlink_flag = true;
diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
-index fc1835c..eead856 100644
+index fc1835c..42f2c2f 100644
--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
+@@ -251,7 +251,7 @@ batadv_frag_merge_packets(struct hlist_head *chain, struct sk_buff *skb)
+ kfree(entry);
+
+ /* Make room for the rest of the fragments. */
+- if (pskb_expand_head(skb_out, 0, size - skb->len, GFP_ATOMIC) < 0) {
++ if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) {
+ kfree_skb(skb_out);
+ skb_out = NULL;
+ goto free;
@@ -450,7 +450,7 @@ bool batadv_frag_send_packet(struct sk_buff *skb,
frag_header.packet_type = BATADV_UNICAST_FRAG;
frag_header.version = BATADV_COMPAT_VERSION;
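Review bot: The corrected tail-room argument `size - skb_out->len` in batadv_frag_merge_packets still reaches pskb_expand_head() without a check that `size` is at least `skb_out->len`. `size` is assigned outside this hunk; if it comes from a field of the received fragment, a value smaller than the first fragment makes the difference wrap or go negative, and an oversized one requests a large atomic allocation. Folding a guard into the existing condition keeps the same error path: `if (size < skb_out->len || pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) {`. An upper bound on `size` belongs where it is read. The function body starts and ends outside the hunk, so the types of both operands should be confirmed.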
diff --git a/3.2.66/0000_README b/3.2.66/0000_README
index 96a6e23..d4ad1aa 100644
--- a/3.2.66/0000_README
+++ b/3.2.66/0000_README
@@ -182,7 +182,7 @@ Patch: 1065_linux-3.2.66.patch
From: http://www.kernel.org
Desc: Linux 3.2.66
-Patch: 4420_grsecurity-3.0-3.2.65-201412280855.patch
+Patch: 4420_grsecurity-3.0-3.2.66-201501051839.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.66/4420_grsecurity-3.0-3.2.65-201412280855.patch b/3.2.66/4420_grsecurity-3.0-3.2.66-201501051839.patch
index ac5d45e..a07d1dd 100644
--- a/3.2.66/4420_grsecurity-3.0-3.2.65-201412280855.patch
+++ b/3.2.66/4420_grsecurity-3.0-3.2.66-201501051839.patch
@@ -278,7 +278,7 @@ index 88fd7f5..b318a78 100644
==============================================================
diff --git a/Makefile b/Makefile
-index 1433109..a4bb56c 100644
+index f08f8bf..f762039 100644
--- a/Makefile
+++ b/Makefile
@@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -980,7 +980,7 @@ index b7c5d5d..4b0c4ed 100644
9999:
.if \inc == 1
diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h
-index 86976d0..269b872 100644
+index 86976d0..15420e6 100644
--- a/arch/arm/include/asm/atomic.h
+++ b/arch/arm/include/asm/atomic.h
@@ -15,6 +15,10 @@
@@ -1000,7 +1000,7 @@ index 86976d0..269b872 100644
#define atomic_read(v) (*(volatile int *)&(v)->counter)
+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
+{
-+ return v->counter;
++ return *(const volatile int *)&v->counter;
+}
#define atomic_set(v,i) (((v)->counter) = (i))
+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
@@ -6467,7 +6467,7 @@ index 0cfece4..2f1a0e5 100644
struct spu_context *ctx = vma->vm_file->private_data;
unsigned long offset = address - vma->vm_start;
diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c
-index 70ec4e9..3e7a115 100644
+index 941d5cb..1803d9e 100644
--- a/arch/powerpc/platforms/cell/spufs/inode.c
+++ b/arch/powerpc/platforms/cell/spufs/inode.c
@@ -811,6 +811,7 @@ static struct file_system_type spufs_type = {
@@ -7047,7 +7047,7 @@ index 07dd35e..2c6f765 100644
#include <asm-generic/atomic64.h>
diff --git a/arch/sparc/include/asm/atomic_64.h b/arch/sparc/include/asm/atomic_64.h
-index 9f421df..b81fc12 100644
+index 9f421df..71e4800 100644
--- a/arch/sparc/include/asm/atomic_64.h
+++ b/arch/sparc/include/asm/atomic_64.h
@@ -14,18 +14,40 @@
@@ -7056,12 +7056,12 @@ index 9f421df..b81fc12 100644
#define atomic_read(v) (*(volatile int *)&(v)->counter)
+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
+{
-+ return v->counter;
++ return *(const volatile int *)&v->counter;
+}
#define atomic64_read(v) (*(volatile long *)&(v)->counter)
+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
+{
-+ return v->counter;
++ return *(const volatile long *)&v->counter;
+}
#define atomic_set(v, i) (((v)->counter) = i)
@@ -12220,7 +12220,7 @@ index 20370c6..a2eb9b0 100644
"popl %%ebp\n\t"
"popl %%edi\n\t"
diff --git a/arch/x86/include/asm/atomic.h b/arch/x86/include/asm/atomic.h
-index 58cb6d4..9503df6 100644
+index 58cb6d4..a8df22ae 100644
--- a/arch/x86/include/asm/atomic.h
+++ b/arch/x86/include/asm/atomic.h
@@ -22,7 +22,18 @@
@@ -12473,6 +12473,15 @@ index 58cb6d4..9503df6 100644
: "+m" (v->counter), "=qm" (c)
: "ir" (i) : "memory");
return c;
+@@ -170,7 +332,7 @@ static inline int atomic_add_negative(int i, atomic_t *v)
+ *
+ * Atomically adds @i to @v and returns @i + @v
+ */
+-static inline int atomic_add_return(int i, atomic_t *v)
++static inline int __intentional_overflow(-1) atomic_add_return(int i, atomic_t *v)
+ {
+ #ifdef CONFIG_M386
+ int __i;
@@ -179,7 +341,7 @@ static inline int atomic_add_return(int i, atomic_t *v)
goto no_xadd;
#endif
@@ -12482,7 +12491,7 @@ index 58cb6d4..9503df6 100644
#ifdef CONFIG_M386
no_xadd: /* Legacy 386 processor */
-@@ -192,6 +354,34 @@ no_xadd: /* Legacy 386 processor */
+@@ -192,21 +354,58 @@ no_xadd: /* Legacy 386 processor */
}
/**
@@ -12517,7 +12526,13 @@ index 58cb6d4..9503df6 100644
* atomic_sub_return - subtract integer and return
* @v: pointer of type atomic_t
* @i: integer value to subtract
-@@ -204,9 +394,18 @@ static inline int atomic_sub_return(int i, atomic_t *v)
+ *
+ * Atomically subtracts @i from @v and returns @v - @i
+ */
+-static inline int atomic_sub_return(int i, atomic_t *v)
++static inline int __intentional_overflow(-1) atomic_sub_return(int i, atomic_t *v)
+ {
+ return atomic_add_return(-i, v);
}
#define atomic_inc_return(v) (atomic_add_return(1, v))
@@ -13517,10 +13532,10 @@ index 30d737e..9830a9b 100644
static inline void __user *compat_ptr(compat_uptr_t uptr)
{
diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
-index a315f1c..540df6a 100644
+index b8a5fe5..fbbe2c2 100644
--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
-@@ -197,8 +197,9 @@
+@@ -198,8 +198,9 @@
/* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */
#define X86_FEATURE_FSGSBASE (9*32+ 0) /* {RD/WR}{FS/GS}BASE instructions*/
@@ -13531,7 +13546,7 @@ index a315f1c..540df6a 100644
#if defined(__KERNEL__) && !defined(__ASSEMBLY__)
-@@ -363,7 +364,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
+@@ -364,7 +365,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
".section .discard,\"aw\",@progbits\n"
" .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
".previous\n"
@@ -17866,10 +17881,10 @@ index 25f24dc..4094a7f 100644
obj-y += proc.o capflags.o powerflags.o common.o
obj-y += vmware.o hypervisor.o sched.o mshyperv.o
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
-index f07becc..b17b101 100644
+index 2d44a28..c33f4c8 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
-@@ -694,7 +694,7 @@ static unsigned int __cpuinit amd_size_cache(struct cpuinfo_x86 *c,
+@@ -701,7 +701,7 @@ static unsigned int __cpuinit amd_size_cache(struct cpuinfo_x86 *c,
unsigned int size)
{
/* AMD errata T13 (order #21922) */
@@ -19674,7 +19689,7 @@ index 0fa4f89..40ff646 100644
/*
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index 9d28dbac..9d8b7a4 100644
+index 9d28dbac..43bde59 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -56,6 +56,8 @@
@@ -20377,6 +20392,27 @@ index 9d28dbac..9d8b7a4 100644
/*
* The iretq could re-enable interrupts:
*/
+@@ -890,15 +1227,15 @@ native_irq_return_ldt:
+ SWAPGS
+ movq PER_CPU_VAR(espfix_waddr),%rdi
+ movq %rax,(0*8)(%rdi) /* RAX */
+- movq (2*8)(%rsp),%rax /* RIP */
++ movq (2*8 + RIP-RIP)(%rsp),%rax /* RIP */
+ movq %rax,(1*8)(%rdi)
+- movq (3*8)(%rsp),%rax /* CS */
++ movq (2*8 + CS-RIP)(%rsp),%rax /* CS */
+ movq %rax,(2*8)(%rdi)
+- movq (4*8)(%rsp),%rax /* RFLAGS */
++ movq (2*8 + EFLAGS-RIP)(%rsp),%rax /* RFLAGS */
+ movq %rax,(3*8)(%rdi)
+- movq (6*8)(%rsp),%rax /* SS */
++ movq (2*8 + SS-RIP)(%rsp),%rax /* SS */
+ movq %rax,(5*8)(%rdi)
+- movq (5*8)(%rsp),%rax /* RSP */
++ movq (2*8 + RSP-RIP)(%rsp),%rax /* RSP */
+ movq %rax,(4*8)(%rdi)
+ andl $0xffff0000,%eax
+ popq_cfi %rdi
@@ -954,7 +1291,7 @@ ENTRY(retint_kernel)
jmp exit_intr
#endif
@@ -20668,7 +20704,7 @@ index 9d28dbac..9d8b7a4 100644
/*
* End of kprobes section
diff --git a/arch/x86/kernel/espfix_64.c b/arch/x86/kernel/espfix_64.c
-index 94d857f..5bce89c 100644
+index 94d857f..6042d8a 100644
--- a/arch/x86/kernel/espfix_64.c
+++ b/arch/x86/kernel/espfix_64.c
@@ -70,8 +70,7 @@ static DEFINE_MUTEX(espfix_init_mutex);
@@ -20681,7 +20717,7 @@ index 94d857f..5bce89c 100644
static unsigned int page_random, slot_random;
-@@ -122,14 +121,17 @@ static void init_espfix_random(void)
+@@ -122,14 +121,16 @@ static void init_espfix_random(void)
void __init init_espfix_bsp(void)
{
pgd_t *pgd_p;
@@ -20696,14 +20732,13 @@ index 94d857f..5bce89c 100644
pgd_populate(&init_mm, pgd_p, (pud_t *)espfix_pud_page);
+#ifdef CONFIG_PAX_PER_CPU_PGD
-+ clone_pgd_range(get_cpu_pgd(0, kernel) + index, swapper_pg_dir + index, 1);
-+ clone_pgd_range(get_cpu_pgd(0, user) + index, swapper_pg_dir + index, 1);
++ clone_pgd_range(get_cpu_pgd(0) + index, swapper_pg_dir + index, 1);
+#endif
+
/* Randomize the locations */
init_espfix_random();
-@@ -197,7 +199,7 @@ void init_espfix_ap(void)
+@@ -197,7 +198,7 @@ void init_espfix_ap(void)
set_pte(&pte_p[n*PTE_STRIDE], pte);
/* Job is done for this CPU and any CPU which shares this page */
@@ -22231,26 +22266,10 @@ index 7da647d..6e9fab5 100644
reset_current_kprobe();
preempt_enable_no_resched();
diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c
-index a9c2116..1a3dcdb 100644
+index 4b6701e..1a3dcdb 100644
--- a/arch/x86/kernel/kvm.c
+++ b/arch/x86/kernel/kvm.c
-@@ -419,7 +419,14 @@ static void kvm_leave_lazy_mmu(void)
- static void __init paravirt_ops_setup(void)
- {
- pv_info.name = "KVM";
-- pv_info.paravirt_enabled = 1;
-+
-+ /*
-+ * KVM isn't paravirt in the sense of paravirt_enabled. A KVM
-+ * guest kernel works like a bare metal kernel with additional
-+ * features, and paravirt_enabled is about features that are
-+ * missing.
-+ */
-+ pv_info.paravirt_enabled = 0;
-
- if (kvm_para_has_feature(KVM_FEATURE_NOP_IO_DELAY))
- pv_cpu_ops.io_delay = kvm_io_delay;
-@@ -437,6 +444,7 @@ static void __init paravirt_ops_setup(void)
+@@ -444,6 +444,7 @@ static void __init paravirt_ops_setup(void)
pv_mmu_ops.set_pud = kvm_set_pud;
#if PAGETABLE_LEVELS == 4
pv_mmu_ops.set_pgd = kvm_set_pgd;
@@ -22258,7 +22277,7 @@ index a9c2116..1a3dcdb 100644
#endif
#endif
pv_mmu_ops.flush_tlb_user = kvm_flush_tlb;
-@@ -579,7 +587,7 @@ static int __cpuinit kvm_cpu_notify(struct notifier_block *self,
+@@ -586,7 +587,7 @@ static int __cpuinit kvm_cpu_notify(struct notifier_block *self,
return NOTIFY_OK;
}
@@ -22267,18 +22286,6 @@ index a9c2116..1a3dcdb 100644
.notifier_call = kvm_cpu_notify,
};
#endif
-diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c
-index 44842d7..e90eca0 100644
---- a/arch/x86/kernel/kvmclock.c
-+++ b/arch/x86/kernel/kvmclock.c
-@@ -203,7 +203,6 @@ void __init kvmclock_init(void)
- #endif
- kvm_get_preset_lpj();
- clocksource_register_hz(&kvm_clock, NSEC_PER_SEC);
-- pv_info.paravirt_enabled = 1;
- pv_info.name = "KVM";
-
- if (kvm_para_has_feature(KVM_FEATURE_CLOCKSOURCE_STABLE_BIT))
diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
index 0a8e65e..288a4b0 100644
--- a/arch/x86/kernel/ldt.c
@@ -24354,25 +24361,13 @@ index dd5fbf4..b7f2232 100644
return pc;
}
diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
-index bcfec2d..36ed955 100644
+index 7af7338..36ed955 100644
--- a/arch/x86/kernel/tls.c
+++ b/arch/x86/kernel/tls.c
-@@ -28,6 +28,37 @@ static int get_free_idx(void)
- return -ESRCH;
- }
+@@ -40,6 +40,22 @@ static bool tls_desc_okay(const struct user_desc *info)
+ if (!info->seg_32bit)
+ return false;
-+static bool tls_desc_okay(const struct user_desc *info)
-+{
-+ if (LDT_empty(info))
-+ return true;
-+
-+ /*
-+ * espfix is required for 16-bit data segments, but espfix
-+ * only works for LDT segments.
-+ */
-+ if (!info->seg_32bit)
-+ return false;
-+
+ /* Only allow data segments in the TLS array. */
+ if (info->contents > 1)
+ return false;
@@ -24389,23 +24384,10 @@ index bcfec2d..36ed955 100644
+ if (info->seg_not_present)
+ return false;
+
-+ return true;
-+}
-+
- static void set_tls_desc(struct task_struct *p, int idx,
- const struct user_desc *info, int n)
- {
-@@ -67,6 +98,9 @@ int do_set_thread_area(struct task_struct *p, int idx,
- if (copy_from_user(&info, u_info, sizeof(info)))
- return -EFAULT;
-
-+ if (!tls_desc_okay(&info))
-+ return -EINVAL;
-+
- if (idx == -1)
- idx = info.entry_number;
+ return true;
+ }
-@@ -85,6 +119,11 @@ int do_set_thread_area(struct task_struct *p, int idx,
+@@ -103,6 +119,11 @@ int do_set_thread_area(struct task_struct *p, int idx,
if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
return -EINVAL;
@@ -24417,15 +24399,7 @@ index bcfec2d..36ed955 100644
set_tls_desc(p, idx, &info, 1);
return 0;
-@@ -197,6 +236,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
- {
- struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES];
- const struct user_desc *info;
-+ int i;
-
- if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
- (pos % sizeof(struct user_desc)) != 0 ||
-@@ -205,11 +245,15 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
+@@ -224,7 +245,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
if (kbuf)
info = kbuf;
@@ -24434,14 +24408,6 @@ index bcfec2d..36ed955 100644
return -EFAULT;
else
info = infobuf;
-
-+ for (i = 0; i < count / sizeof(struct user_desc); i++)
-+ if (!tls_desc_okay(info + i))
-+ return -EINVAL;
-+
- set_tls_desc(target,
- GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)),
- info, count / sizeof(struct user_desc));
diff --git a/arch/x86/kernel/trampoline_32.S b/arch/x86/kernel/trampoline_32.S
index 451c0a7..e57f551 100644
--- a/arch/x86/kernel/trampoline_32.S
@@ -24491,7 +24457,7 @@ index 09ff517..df19fbff 100644
.short 0
.quad 0x00cf9b000000ffff # __KERNEL32_CS
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
-index 2aff347..a6d2a52 100644
+index 2aff347..d83c9a9 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -70,12 +70,6 @@ asmlinkage int system_call(void);
@@ -24621,7 +24587,16 @@ index 2aff347..a6d2a52 100644
die("general protection fault", regs, error_code);
}
-@@ -389,7 +423,7 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s)
+@@ -383,13 +417,16 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s)
+ container_of(task_pt_regs(current),
+ struct bad_iret_stack, regs);
+
++ if ((current->thread.sp0 ^ (unsigned long)s) < THREAD_SIZE)
++ new_stack = s;
++
+ /* Copy the IRET target to the new stack. */
+ memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8);
+
/* Copy the remainder of the stack from the current stack. */
memmove(new_stack, s, offsetof(struct bad_iret_stack, regs.ip));
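Review bot: The new test `(current->thread.sp0 ^ (unsigned long)s) < THREAD_SIZE` in fixup_bad_iret has no comment and its intent is not obvious. It is true when `s` and `sp0` differ only in bits below THREAD_SIZE, so it reads as "s is already on this task's kernel stack". That holds only if THREAD_SIZE is a power of two, stacks are aligned to it, and `sp0` points inside the block rather than at its upper boundary. When the branch is taken `new_stack == s`, so the second memmove() copies the region onto itself and the first moves the IRET frame within one stack; memmove() tolerates that overlap. Suggested comment: `/* s already on the thread stack (same THREAD_SIZE-aligned block as sp0): fix up in place */`. The function starts outside the hunk.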
@@ -24630,7 +24605,7 @@ index 2aff347..a6d2a52 100644
return new_stack;
}
#endif
-@@ -460,7 +494,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
+@@ -460,7 +497,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
/* It's safe to allow irq's after DR6 has been saved */
preempt_conditional_sti(regs);
@@ -24639,7 +24614,7 @@ index 2aff347..a6d2a52 100644
handle_vm86_trap((struct kernel_vm86_regs *) regs, error_code,
X86_TRAP_DB);
preempt_conditional_cli(regs);
-@@ -474,7 +508,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
+@@ -474,7 +511,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
* We already checked v86 mode above, so we can check for kernel mode
* by just checking the CPL of CS.
*/
@@ -24648,7 +24623,7 @@ index 2aff347..a6d2a52 100644
tsk->thread.debugreg6 &= ~DR_STEP;
set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
regs->flags &= ~X86_EFLAGS_TF;
-@@ -504,7 +538,7 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr)
+@@ -504,7 +541,7 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr)
return;
conditional_sti(regs);
@@ -24657,7 +24632,7 @@ index 2aff347..a6d2a52 100644
{
if (!fixup_exception(regs)) {
task->thread.error_code = error_code;
-@@ -617,8 +651,8 @@ asmlinkage void __attribute__((weak)) smp_threshold_interrupt(void)
+@@ -617,8 +654,8 @@ asmlinkage void __attribute__((weak)) smp_threshold_interrupt(void)
void __math_state_restore(struct task_struct *tsk)
{
/* We need a safe address that is cheap to find and that is already
@@ -25141,7 +25116,7 @@ index 7110911..069da9c 100644
/*
* Encountered an error while doing the restore from the
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index f0ac042..0ca3004 100644
+index f0ac042..ea3fe9c 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -249,6 +249,7 @@ struct gprefix {
@@ -25179,6 +25154,15 @@ index f0ac042..0ca3004 100644
} while (0)
/* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
+@@ -3003,7 +3000,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
+ int cr = ctxt->modrm_reg;
+ u64 efer = 0;
+
+- static u64 cr_reserved_bits[] = {
++ static const u64 cr_reserved_bits[] = {
+ 0xffffffff00000000ULL,
+ 0, 0, 0, /* CR3 checked later */
+ CR4_RESERVED_BITS,
@@ -3038,7 +3035,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
@@ -25392,7 +25376,7 @@ index 8831c43..98f1a3e 100644
vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 2d7d0df..2de279c0 100644
+index bb179cc..2de279c0 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -668,6 +668,8 @@ EXPORT_SYMBOL_GPL(kvm_set_cr4);
@@ -25480,15 +25464,6 @@ index 2d7d0df..2de279c0 100644
return -EINVAL;
if (irqchip_in_kernel(vcpu->kvm))
return -ENXIO;
-@@ -4846,7 +4859,7 @@ static int handle_emulation_failure(struct kvm_vcpu *vcpu)
-
- ++vcpu->stat.insn_emulation_fail;
- trace_kvm_emulate_insn_failed(vcpu);
-- if (!is_guest_mode(vcpu)) {
-+ if (!is_guest_mode(vcpu) && kvm_x86_ops->get_cpl(vcpu) == 0) {
- vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
- vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
- vcpu->run->internal.ndata = 0;
@@ -5209,7 +5222,7 @@ static void kvm_set_mmio_spte_mask(void)
kvm_mmu_set_mmio_spte_mask(mask);
}
@@ -38072,7 +38047,7 @@ index 98723cb..10ca85b 100644
return -EINVAL;
}
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
-index 3f1799b..7d5796a 100644
+index 09851ce..4ba7573 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -1379,7 +1379,7 @@ int drm_mode_getconnector(struct drm_device *dev, void *data,
@@ -38113,7 +38088,7 @@ index 3f1799b..7d5796a 100644
if (get_user(out_id, &set_connectors_ptr[i])) {
ret = -EFAULT;
goto out;
-@@ -1846,7 +1846,7 @@ int drm_mode_dirtyfb_ioctl(struct drm_device *dev,
+@@ -1856,7 +1856,7 @@ int drm_mode_dirtyfb_ioctl(struct drm_device *dev,
fb = obj_to_fb(obj);
num_clips = r->num_clips;
@@ -38122,7 +38097,7 @@ index 3f1799b..7d5796a 100644
if (!num_clips != !clips_ptr) {
ret = -EINVAL;
-@@ -2272,7 +2272,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev,
+@@ -2282,7 +2282,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev,
out_resp->flags = property->flags;
if ((out_resp->count_values >= value_count) && value_count) {
@@ -38131,7 +38106,7 @@ index 3f1799b..7d5796a 100644
for (i = 0; i < value_count; i++) {
if (copy_to_user(values_ptr + i, &property->values[i], sizeof(uint64_t))) {
ret = -EFAULT;
-@@ -2285,7 +2285,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev,
+@@ -2295,7 +2295,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev,
if (property->flags & DRM_MODE_PROP_ENUM) {
if ((out_resp->count_enum_blobs >= enum_count) && enum_count) {
copied = 0;
@@ -38140,7 +38115,7 @@ index 3f1799b..7d5796a 100644
list_for_each_entry(prop_enum, &property->enum_blob_list, head) {
if (copy_to_user(&enum_ptr[copied].value, &prop_enum->value, sizeof(uint64_t))) {
-@@ -2293,7 +2293,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev,
+@@ -2303,7 +2303,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev,
goto done;
}
@@ -38149,7 +38124,7 @@ index 3f1799b..7d5796a 100644
&prop_enum->name, DRM_PROP_NAME_LEN)) {
ret = -EFAULT;
goto done;
-@@ -2308,7 +2308,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev,
+@@ -2318,7 +2318,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev,
if ((out_resp->count_enum_blobs >= blob_count) && blob_count) {
copied = 0;
blob_id_ptr = (uint32_t *)(unsigned long)out_resp->enum_blob_ptr;
@@ -38158,7 +38133,7 @@ index 3f1799b..7d5796a 100644
list_for_each_entry(prop_blob, &property->enum_blob_list, head) {
if (put_user(prop_blob->base.id, blob_id_ptr + copied)) {
-@@ -2369,7 +2369,7 @@ int drm_mode_getblob_ioctl(struct drm_device *dev,
+@@ -2379,7 +2379,7 @@ int drm_mode_getblob_ioctl(struct drm_device *dev,
struct drm_mode_get_blob *out_resp = data;
struct drm_property_blob *blob;
int ret = 0;
@@ -38167,7 +38142,7 @@ index 3f1799b..7d5796a 100644
if (!drm_core_check_feature(dev, DRIVER_MODESET))
return -EINVAL;
-@@ -2383,7 +2383,7 @@ int drm_mode_getblob_ioctl(struct drm_device *dev,
+@@ -2393,7 +2393,7 @@ int drm_mode_getblob_ioctl(struct drm_device *dev,
blob = obj_to_blob(obj);
if (out_resp->length == blob->length) {
@@ -43785,20 +43760,6 @@ index 0564192..75b16f5 100644
NGENE_ID(0x18c3, 0xabc3, ngene_info_cineS2),
NGENE_ID(0x18c3, 0xabc4, ngene_info_cineS2),
NGENE_ID(0x18c3, 0xdb01, ngene_info_satixS2),
-diff --git a/drivers/media/dvb/ttusb-dec/ttusbdecfe.c b/drivers/media/dvb/ttusb-dec/ttusbdecfe.c
-index 21260aa..852870b 100644
---- a/drivers/media/dvb/ttusb-dec/ttusbdecfe.c
-+++ b/drivers/media/dvb/ttusb-dec/ttusbdecfe.c
-@@ -154,6 +154,9 @@ static int ttusbdecfe_dvbs_diseqc_send_master_cmd(struct dvb_frontend* fe, struc
- 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00 };
-
-+ if (cmd->msg_len > sizeof(b) - 4)
-+ return -EINVAL;
-+
- memcpy(&b[4], cmd->msg, cmd->msg_len);
-
- state->config->send_command(fe, 0x72,
diff --git a/drivers/media/radio/radio-cadet.c b/drivers/media/radio/radio-cadet.c
index 16a089f..1661b11 100644
--- a/drivers/media/radio/radio-cadet.c
@@ -45069,6 +45030,45 @@ index cf95bd8d..f61f675 100644
/* check to see if we are clearing active */
if (!strlen(ifname) || buf[0] == '\n') {
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
+index 1eac27f..ecd3827 100644
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -721,7 +721,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev,
+ return -EOPNOTSUPP;
+ }
+
+-static struct rtnl_link_ops can_link_ops __read_mostly = {
++static struct rtnl_link_ops can_link_ops = {
+ .kind = "can",
+ .maxtype = IFLA_CAN_MAX,
+ .policy = can_policy,
+diff --git a/drivers/net/can/vcan.c b/drivers/net/can/vcan.c
+index f93e2d6..f1cbbc2 100644
+--- a/drivers/net/can/vcan.c
++++ b/drivers/net/can/vcan.c
+@@ -154,7 +154,7 @@ static void vcan_setup(struct net_device *dev)
+ dev->destructor = free_netdev;
+ }
+
+-static struct rtnl_link_ops vcan_link_ops __read_mostly = {
++static struct rtnl_link_ops vcan_link_ops = {
+ .kind = "vcan",
+ .setup = vcan_setup,
+ };
+diff --git a/drivers/net/dummy.c b/drivers/net/dummy.c
+index 99b1145..54ce102 100644
+--- a/drivers/net/dummy.c
++++ b/drivers/net/dummy.c
+@@ -150,7 +150,7 @@ static int dummy_validate(struct nlattr *tb[], struct nlattr *data[])
+ return 0;
+ }
+
+-static struct rtnl_link_ops dummy_link_ops __read_mostly = {
++static struct rtnl_link_ops dummy_link_ops = {
+ .kind = "dummy",
+ .setup = dummy_setup,
+ .validate = dummy_validate,
diff --git a/drivers/net/ethernet/8390/ax88796.c b/drivers/net/ethernet/8390/ax88796.c
index e9f8432..45308e6 100644
--- a/drivers/net/ethernet/8390/ax88796.c
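Review bot: Dropping `__read_mostly` from `can_link_ops` is unexplained. The same one-line change is repeated for `vcan_link_ops` and `dummy_link_ops` in this hunk, and for `ifb_link_ops`, `macvtap_link_ops` and `tun_link_ops` in later hunks. Nothing visible says which section these structures must avoid or what writes to them after init, so a later rebase cannot tell whether a newly added `rtnl_link_ops` instance needs the same treatment. A one-line comment at the first site, for example `/* no __read_mostly: written after init, must stay in ordinary .data */`, or a line in the patch description, would record the rule. That wording is a guess at the reason and should be confirmed before it is committed.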
@@ -45704,6 +45704,19 @@ index d4d2bc1..14b8672 100644
};
static int stmmac_init_fs(struct net_device *dev)
+diff --git a/drivers/net/ifb.c b/drivers/net/ifb.c
+index 00f1367..bfcb2f6 100644
+--- a/drivers/net/ifb.c
++++ b/drivers/net/ifb.c
+@@ -251,7 +251,7 @@ static int ifb_validate(struct nlattr *tb[], struct nlattr *data[])
+ return 0;
+ }
+
+-static struct rtnl_link_ops ifb_link_ops __read_mostly = {
++static struct rtnl_link_ops ifb_link_ops = {
+ .kind = "ifb",
+ .priv_size = sizeof(struct ifb_private),
+ .setup = ifb_setup,
diff --git a/drivers/net/loopback.c b/drivers/net/loopback.c
index d0893e4..14b0d44 100644
--- a/drivers/net/loopback.c
@@ -45753,10 +45766,19 @@ index fed39de..8adf3152 100644
};
diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
-index b0f9015..edcb1f3 100644
+index 0e6e57e..060e208 100644
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
-@@ -924,7 +924,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd,
+@@ -351,7 +351,7 @@ static void macvtap_setup(struct net_device *dev)
+ dev->tx_queue_len = TUN_READQ_SIZE;
+ }
+
+-static struct rtnl_link_ops macvtap_link_ops __read_mostly = {
++static struct rtnl_link_ops macvtap_link_ops = {
+ .kind = "macvtap",
+ .setup = macvtap_setup,
+ .newlink = macvtap_newlink,
+@@ -927,7 +927,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd,
return -ENOLINK;
ret = 0;
@@ -45765,7 +45787,7 @@ index b0f9015..edcb1f3 100644
put_user(q->flags, &ifr->ifr_flags))
ret = -EFAULT;
dev_put(vlan->dev);
-@@ -1085,7 +1085,7 @@ static int macvtap_device_event(struct notifier_block *unused,
+@@ -1088,7 +1088,7 @@ static int macvtap_device_event(struct notifier_block *unused,
return NOTIFY_DONE;
}
@@ -45902,10 +45924,10 @@ index 46db5c5..37c1536 100644
err = platform_driver_register(&sk_isa_driver);
if (err)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
-index ee1aab0..7d4fd21 100644
+index 2fbbca6..761d265 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
-@@ -186,7 +186,6 @@ static void __tun_detach(struct tun_struct *tun)
+@@ -187,7 +187,6 @@ static void __tun_detach(struct tun_struct *tun)
netif_tx_lock_bh(tun->dev);
netif_carrier_off(tun->dev);
tun->tfile = NULL;
@@ -45913,7 +45935,7 @@ index ee1aab0..7d4fd21 100644
netif_tx_unlock_bh(tun->dev);
/* Drop read queue */
-@@ -359,7 +358,7 @@ static void tun_free_netdev(struct net_device *dev)
+@@ -360,7 +359,7 @@ static void tun_free_netdev(struct net_device *dev)
{
struct tun_struct *tun = netdev_priv(dev);
@@ -45922,7 +45944,16 @@ index ee1aab0..7d4fd21 100644
}
/* Net device open. */
-@@ -983,10 +982,18 @@ static int tun_recvmsg(struct kiocb *iocb, struct socket *sock,
+@@ -931,7 +930,7 @@ static int tun_validate(struct nlattr *tb[], struct nlattr *data[])
+ return -EINVAL;
+ }
+
+-static struct rtnl_link_ops tun_link_ops __read_mostly = {
++static struct rtnl_link_ops tun_link_ops = {
+ .kind = DRV_NAME,
+ .priv_size = sizeof(struct tun_struct),
+ .setup = tun_setup,
+@@ -988,10 +987,18 @@ static int tun_recvmsg(struct kiocb *iocb, struct socket *sock,
return ret;
}
@@ -45941,7 +45972,7 @@ index ee1aab0..7d4fd21 100644
};
static struct proto tun_proto = {
-@@ -1113,10 +1120,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
+@@ -1118,10 +1125,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
tun->vnet_hdr_sz = sizeof(struct virtio_net_hdr);
err = -ENOMEM;
@@ -45954,7 +45985,7 @@ index ee1aab0..7d4fd21 100644
tun->socket.wq = &tun->wq;
init_waitqueue_head(&tun->wq.wait);
tun->socket.ops = &tun_socket_ops;
-@@ -1177,7 +1185,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
+@@ -1182,7 +1190,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
return 0;
err_free_sk:
@@ -45963,7 +45994,7 @@ index ee1aab0..7d4fd21 100644
err_free_dev:
free_netdev(dev);
failed:
-@@ -1236,7 +1244,7 @@ static int set_offload(struct tun_struct *tun, unsigned long arg)
+@@ -1241,7 +1249,7 @@ static int set_offload(struct tun_struct *tun, unsigned long arg)
}
static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
@@ -45972,7 +46003,7 @@ index ee1aab0..7d4fd21 100644
{
struct tun_file *tfile = file->private_data;
struct tun_struct *tun;
-@@ -1247,6 +1255,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
+@@ -1252,6 +1260,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
int vnet_hdr_sz;
int ret;
@@ -57436,7 +57467,7 @@ index b4d2438..0935840 100644
kunmap(page);
if (ret != len)
diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c
-index 9895400..78a67e7 100644
+index 7903e62..096162e 100644
--- a/fs/ceph/dir.c
+++ b/fs/ceph/dir.c
@@ -244,7 +244,7 @@ static int ceph_readdir(struct file *filp, void *dirent, filldir_t filldir)
@@ -57817,7 +57848,7 @@ index 52a820a..1d8ab03 100644
/*
diff --git a/fs/coda/cache.c b/fs/coda/cache.c
-index 6901578..d402eb5 100644
+index 4b2e5cb..67b96bb 100644
--- a/fs/coda/cache.c
+++ b/fs/coda/cache.c
@@ -24,7 +24,7 @@
@@ -58125,7 +58156,7 @@ index 739fb59..5385976 100644
static int __init init_cramfs_fs(void)
{
diff --git a/fs/dcache.c b/fs/dcache.c
-index d322929..9f4b8167 100644
+index 3f65742..9a9eeb5 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -103,11 +103,11 @@ static unsigned int d_hash_shift __read_mostly;
@@ -58144,7 +58175,7 @@ index d322929..9f4b8167 100644
return dentry_hashtable + (hash & D_HASHMASK);
}
-@@ -3057,7 +3057,8 @@ void __init vfs_caches_init(unsigned long mempages)
+@@ -3080,7 +3080,8 @@ void __init vfs_caches_init(unsigned long mempages)
mempages -= reserve;
names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
@@ -58155,7 +58186,7 @@ index d322929..9f4b8167 100644
dcache_init();
inode_init();
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
-index 01951c6b..01de40e 100644
+index 6ac0893..238a21a 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -145,6 +145,7 @@ static struct file_system_type debug_fs_type = {
@@ -61790,7 +61821,7 @@ index 2f9197f..e2f03bf 100644
-/* Actual filesystem name is iso9660, as requested in filesystems.c */
-MODULE_ALIAS("iso9660");
diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
-index ee62cc0..26859de 100644
+index ee62cc0..1780949 100644
--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -30,6 +30,7 @@ struct rock_state {
@@ -61820,6 +61851,16 @@ index ee62cc0..26859de 100644
bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
if (bh) {
memcpy(rs->buffer, bh->b_data + rs->cont_offset,
+@@ -356,6 +362,9 @@ repeat:
+ rs.cont_size = isonum_733(rr->u.CE.size);
+ break;
+ case SIG('E', 'R'):
++ /* Invalid length of ER tag id? */
++ if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len)
++ goto out;
+ ISOFS_SB(inode->i_sb)->s_rock = 1;
+ printk(KERN_DEBUG "ISO 9660 Extensions: ");
+ {
diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c
index e513f19..2ab1351 100644
--- a/fs/jffs2/erase.c
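Review bot: The added bound `rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len` in the `SIG('E', 'R')` case only proves that the id fits inside the entry. Whether the entry fits inside the buffer depends on `rr->len` having been validated earlier in the loop, which is outside this hunk. The existing comment could state that dependency, e.g. `/* ER id must lie within this entry; rr->len is checked against the buffer earlier in the loop (confirm) */`. The `goto out` presumably abandons parsing without a log line, which makes a corrupted image harder to notice during triage.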
@@ -61882,7 +61923,7 @@ index a44eff076..a4bf76a 100644
if (jfs_inode_cachep == NULL)
return -ENOMEM;
diff --git a/fs/libfs.c b/fs/libfs.c
-index f6d411e..e82a08d 100644
+index ce85edf..56ab3c0 100644
--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -165,6 +165,9 @@ int dcache_readdir(struct file * filp, void * dirent, filldir_t filldir)
@@ -61892,7 +61933,7 @@ index f6d411e..e82a08d 100644
+ char d_name[sizeof(next->d_iname)];
+ const unsigned char *name;
+
- next = list_entry(p, struct dentry, d_u.d_child);
+ next = list_entry(p, struct dentry, d_child);
spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED);
if (!simple_positive(next)) {
@@ -174,7 +177,12 @@ int dcache_readdir(struct file * filp, void * dirent, filldir_t filldir)
@@ -66252,8 +66293,22 @@ index 201bcfc..cee4d16 100644
/*
* Inode slab cache constructor.
+diff --git a/fs/udf/dir.c b/fs/udf/dir.c
+index eb8bfe2..7ab52de 100644
+--- a/fs/udf/dir.c
++++ b/fs/udf/dir.c
+@@ -163,7 +163,8 @@ static int do_udf_readdir(struct inode *dir, struct file *filp,
+ struct kernel_lb_addr tloc = lelb_to_cpu(cfi.icb.extLocation);
+
+ iblock = udf_get_lb_pblock(dir->i_sb, &tloc, 0);
+- flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi);
++ flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname,
++ UDF_NAME_LEN);
+ dt_type = DT_UNKNOWN;
+ }
+
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
-index af37ce3..c0346e6 100644
+index a0f6ded..645d7053 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -50,7 +50,6 @@ MODULE_LICENSE("GPL");
@@ -66264,18 +66319,12 @@ index af37ce3..c0346e6 100644
static int udf_sync_inode(struct inode *inode);
static int udf_alloc_i_data(struct inode *inode, size_t size);
static struct buffer_head *inode_getblk(struct inode *, sector_t, int *,
-@@ -1176,13 +1175,25 @@ update_time:
- return 0;
- }
+@@ -1183,15 +1182,28 @@ update_time:
+ */
+ #define UDF_MAX_ICB_NESTING 1024
-+/*
-+ * Maximum length of linked list formed by ICB hierarchy. The chosen number is
-+ * arbitrary - just that we hopefully don't limit any real use of rewritten
-+ * inode on write-once media but avoid looping for too long on corrupted media.
-+ */
-+#define UDF_MAX_ICB_NESTING 1024
-+
- static void __udf_read_inode(struct inode *inode)
+-static void __udf_read_inode(struct inode *inode)
++static int udf_read_inode(struct inode *inode)
{
struct buffer_head *bh = NULL;
struct fileEntry *fe;
@@ -66283,14 +66332,44 @@ index af37ce3..c0346e6 100644
uint16_t ident;
struct udf_inode_info *iinfo = UDF_I(inode);
+ struct udf_sb_info *sbi = UDF_SB(inode->i_sb);
++ struct kernel_lb_addr *iloc = &iinfo->i_location;
+ unsigned int link_count;
-+ unsigned int indirections = 0;
++
+ unsigned int indirections = 0;
++ int ret = -EIO;
-+reread:
+ reread:
++ if (iloc->logicalBlockNum >=
++ sbi->s_partmaps[iloc->partitionReferenceNum].s_partition_len) {
++ udf_debug("block=%d, partition=%d out of range\n",
++ iloc->logicalBlockNum, iloc->partitionReferenceNum);
++ return -EIO;
++ }
++
/*
* Set defaults, but the inode is still incomplete!
* Note: get_new_inode() sets the following on a new inode:
-@@ -1212,6 +1223,7 @@ static void __udf_read_inode(struct inode *inode)
+@@ -1204,29 +1216,26 @@ reread:
+ * i_nlink = 1
+ * i_op = NULL;
+ */
+- bh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 0, &ident);
++ bh = udf_read_ptagged(inode->i_sb, iloc, 0, &ident);
+ if (!bh) {
+ udf_err(inode->i_sb, "(ino %ld) failed !bh\n", inode->i_ino);
+- make_bad_inode(inode);
+- return;
++ return -EIO;
+ }
+
+ if (ident != TAG_IDENT_FE && ident != TAG_IDENT_EFE &&
+ ident != TAG_IDENT_USE) {
+ udf_err(inode->i_sb, "(ino %ld) failed ident=%d\n",
+ inode->i_ino, ident);
+- brelse(bh);
+- make_bad_inode(inode);
+- return;
++ goto out;
}
fe = (struct fileEntry *)bh->b_data;
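Review bot: The range check added after `reread:` indexes `sbi->s_partmaps[]` with `iloc->partitionReferenceNum` before that value has been compared with the number of partition maps. After an indirect entry the location is copied from `ie->indirectICB.extLocation` (later in this function), so the index can come straight from the medium and the array is read out of bounds before the check can reject anything. A guard ahead of it, e.g. `if (iloc->partitionReferenceNum >= sbi->s_partitions) return -EIO;`, closes that; `s_partitions` is the partition count in `struct udf_sb_info` and is not shown in this hunk. The check removed from udf_iget() had the same gap, so this is not a regression. The function body continues outside the hunk.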
@@ -66298,50 +66377,41 @@ index af37ce3..c0346e6 100644
if (fe->icbTag.strategyType == cpu_to_le16(4096)) {
struct buffer_head *ibh;
-@@ -1219,28 +1231,26 @@ static void __udf_read_inode(struct inode *inode)
- ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1,
- &ident);
+
+- ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1,
+- &ident);
++ ibh = udf_read_ptagged(inode->i_sb, iloc, 1, &ident);
if (ident == TAG_IDENT_IE && ibh) {
-- struct buffer_head *nbh = NULL;
struct kernel_lb_addr loc;
struct indirectEntry *ie;
-
- ie = (struct indirectEntry *)ibh->b_data;
+@@ -1235,7 +1244,6 @@ reread:
loc = lelb_to_cpu(ie->indirectICB.extLocation);
-- if (ie->indirectICB.extLength &&
-- (nbh = udf_read_ptagged(inode->i_sb, &loc, 0,
-- &ident))) {
-- if (ident == TAG_IDENT_FE ||
-- ident == TAG_IDENT_EFE) {
-- memcpy(&iinfo->i_location,
-- &loc,
-- sizeof(struct kernel_lb_addr));
-- brelse(bh);
-- brelse(ibh);
-- brelse(nbh);
-- __udf_read_inode(inode);
-+ if (ie->indirectICB.extLength) {
-+ brelse(bh);
-+ brelse(ibh);
-+ memcpy(&iinfo->i_location, &loc,
-+ sizeof(struct kernel_lb_addr));
-+ if (++indirections > UDF_MAX_ICB_NESTING) {
-+ udf_err(inode->i_sb,
-+ "too many ICBs in ICB hierarchy"
-+ " (max %d supported)\n",
-+ UDF_MAX_ICB_NESTING);
-+ make_bad_inode(inode);
- return;
+ if (ie->indirectICB.extLength) {
+- brelse(bh);
+ brelse(ibh);
+ memcpy(&iinfo->i_location, &loc,
+ sizeof(struct kernel_lb_addr));
+@@ -1244,9 +1252,9 @@ reread:
+ "too many ICBs in ICB hierarchy"
+ " (max %d supported)\n",
+ UDF_MAX_ICB_NESTING);
+- make_bad_inode(inode);
+- return;
++ goto out;
}
-- brelse(nbh);
-+ goto reread;
++ brelse(bh);
+ goto reread;
}
}
- brelse(ibh);
-@@ -1251,23 +1261,6 @@ static void __udf_read_inode(struct inode *inode)
- make_bad_inode(inode);
- return;
+@@ -1254,27 +1262,8 @@ reread:
+ } else if (fe->icbTag.strategyType != cpu_to_le16(4)) {
+ udf_err(inode->i_sb, "unsupported strategy type: %d\n",
+ le16_to_cpu(fe->icbTag.strategyType));
+- brelse(bh);
+- make_bad_inode(inode);
+- return;
++ goto out;
}
- udf_fill_inode(inode, bh);
-
@@ -66363,7 +66433,64 @@ index af37ce3..c0346e6 100644
if (fe->icbTag.strategyType == cpu_to_le16(4))
iinfo->i_strat4096 = 0;
else /* if (fe->icbTag.strategyType == cpu_to_le16(4096)) */
-@@ -1371,7 +1364,6 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+@@ -1291,11 +1280,10 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_EFE)) {
+ iinfo->i_efe = 1;
+ iinfo->i_use = 0;
+- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
+- sizeof(struct extendedFileEntry))) {
+- make_bad_inode(inode);
+- return;
+- }
++ ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++ sizeof(struct extendedFileEntry));
++ if (ret)
++ goto out;
+ memcpy(iinfo->i_ext.i_data,
+ bh->b_data + sizeof(struct extendedFileEntry),
+ inode->i_sb->s_blocksize -
+@@ -1303,11 +1291,10 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ } else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) {
+ iinfo->i_efe = 0;
+ iinfo->i_use = 0;
+- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
+- sizeof(struct fileEntry))) {
+- make_bad_inode(inode);
+- return;
+- }
++ ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++ sizeof(struct fileEntry));
++ if (ret)
++ goto out;
+ memcpy(iinfo->i_ext.i_data,
+ bh->b_data + sizeof(struct fileEntry),
+ inode->i_sb->s_blocksize - sizeof(struct fileEntry));
+@@ -1317,18 +1304,18 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ iinfo->i_lenAlloc = le32_to_cpu(
+ ((struct unallocSpaceEntry *)bh->b_data)->
+ lengthAllocDescs);
+- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
+- sizeof(struct unallocSpaceEntry))) {
+- make_bad_inode(inode);
+- return;
+- }
++ ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++ sizeof(struct unallocSpaceEntry));
++ if (ret)
++ goto out;
+ memcpy(iinfo->i_ext.i_data,
+ bh->b_data + sizeof(struct unallocSpaceEntry),
+ inode->i_sb->s_blocksize -
+ sizeof(struct unallocSpaceEntry));
+- return;
++ return 0;
+ }
+
++ ret = -EIO;
+ read_lock(&sbi->s_cred_lock);
+ inode->i_uid = le32_to_cpu(fe->uid);
+ if (inode->i_uid == -1 ||
+@@ -1378,7 +1365,6 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
iinfo->i_unique = le64_to_cpu(fe->uniqueID);
iinfo->i_lenEAttr = le32_to_cpu(fe->lengthExtendedAttr);
iinfo->i_lenAlloc = le32_to_cpu(fe->lengthAllocDescs);
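Review bot: The `TAG_IDENT_USE` branch now ends in `return 0;` while `bh` from `udf_read_ptagged()` is still held, and the only remaining `brelse(bh)` in the merged function sits at the `out:` label added near its end. Before the merge this code lived in `udf_fill_inode()`, whose caller presumably released the buffer after the call, so the path now appears to leak one buffer_head reference for each unallocated-space entry read. Replacing it with `ret = 0; goto out;` keeps a single exit that always releases the buffer. The function starts and ends outside this hunk.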
@@ -66371,24 +66498,54 @@ index af37ce3..c0346e6 100644
} else {
inode->i_blocks = le64_to_cpu(efe->logicalBlocksRecorded) <<
(inode->i_sb->s_blocksize_bits - 9);
-@@ -1392,8 +1384,6 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+@@ -1399,8 +1385,20 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
iinfo->i_unique = le64_to_cpu(efe->uniqueID);
iinfo->i_lenEAttr = le32_to_cpu(efe->lengthExtendedAttr);
iinfo->i_lenAlloc = le32_to_cpu(efe->lengthAllocDescs);
- offset = sizeof(struct extendedFileEntry) +
- iinfo->i_lenEAttr;
++ }
++
++ /* Sanity checks for files in ICB so that we don't get confused later */
++ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
++ /*
++ * For file in ICB data is stored in allocation descriptor
++ * so sizes should match
++ */
++ if (iinfo->i_lenAlloc != inode->i_size)
++ goto out;
++ /* File in ICB has to fit in there... */
++ if (inode->i_size > inode->i_sb->s_blocksize -
++ udf_file_entry_alloc_offset(inode))
++ goto out;
}
switch (fe->icbTag.fileType) {
-@@ -1458,6 +1448,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+@@ -1451,8 +1449,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ default:
+ udf_err(inode->i_sb, "(ino %ld) failed unknown file type=%d\n",
+ inode->i_ino, fe->icbTag.fileType);
+- make_bad_inode(inode);
+- return;
++ goto out;
+ }
+ if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode)) {
+ struct deviceSpec *dsea =
+@@ -1463,8 +1460,12 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ le32_to_cpu(dsea->minorDeviceIdent)));
+ /* Developer ID ??? */
} else
- make_bad_inode(inode);
+- make_bad_inode(inode);
++ goto out;
}
++ ret = 0;
++out:
+ brelse(bh);
++ return ret;
}
static int udf_alloc_i_data(struct inode *inode, size_t size)
-@@ -1570,7 +1561,7 @@ static int udf_update_inode(struct inode *inode, int do_sync)
+@@ -1577,7 +1578,7 @@ static int udf_update_inode(struct inode *inode, int do_sync)
FE_PERM_U_DELETE | FE_PERM_U_CHATTR));
fe->permissions = cpu_to_le32(udfperms);
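Review bot: The in-ICB sanity check subtracts `udf_file_entry_alloc_offset(inode)` from `s_blocksize` without first bounding the on-disk lengths that feed that offset. If the offset includes `iinfo->i_lenEAttr`, as the removed `offset = sizeof(struct extendedFileEntry) + iinfo->i_lenEAttr` lines suggest, an extended-attribute length larger than the block makes the subtraction wrap (assuming unsigned operands) and the `inode->i_size >` comparison pass. Rejecting oversized lengths first, `if (iinfo->i_lenEAttr > inode->i_sb->s_blocksize || iinfo->i_lenAlloc > inode->i_sb->s_blocksize) goto out;`, makes the exact check meaningful. That bound is useful for the other allocation types too, since the new block only runs for `ICBTAG_FLAG_AD_IN_ICB`.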
@@ -66397,6 +66554,49 @@ index af37ce3..c0346e6 100644
fe->fileLinkCount = cpu_to_le16(inode->i_nlink - 1);
else
fe->fileLinkCount = cpu_to_le16(inode->i_nlink);
+@@ -1738,32 +1739,23 @@ struct inode *udf_iget(struct super_block *sb, struct kernel_lb_addr *ino)
+ {
+ unsigned long block = udf_get_lb_pblock(sb, ino, 0);
+ struct inode *inode = iget_locked(sb, block);
++ int err;
+
+ if (!inode)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+
+- if (inode->i_state & I_NEW) {
+- memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr));
+- __udf_read_inode(inode);
+- unlock_new_inode(inode);
+- }
+-
+- if (is_bad_inode(inode))
+- goto out_iput;
++ if (!(inode->i_state & I_NEW))
++ return inode;
+
+- if (ino->logicalBlockNum >= UDF_SB(sb)->
+- s_partmaps[ino->partitionReferenceNum].s_partition_len) {
+- udf_debug("block=%d, partition=%d out of range\n",
+- ino->logicalBlockNum, ino->partitionReferenceNum);
+- make_bad_inode(inode);
+- goto out_iput;
++ memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr));
++ err = udf_read_inode(inode);
++ if (err < 0) {
++ iget_failed(inode);
++ return ERR_PTR(err);
+ }
++ unlock_new_inode(inode);
+
+ return inode;
+-
+- out_iput:
+- iput(inode);
+- return NULL;
+ }
+
+ int udf_add_aext(struct inode *inode, struct extent_position *epos,
diff --git a/fs/udf/misc.c b/fs/udf/misc.c
index c175b4d..8f36a16 100644
--- a/fs/udf/misc.c
@@ -66410,8 +66610,81 @@ index c175b4d..8f36a16 100644
u8 checksum = 0;
int i;
for (i = 0; i < sizeof(struct tag); ++i)
+diff --git a/fs/udf/namei.c b/fs/udf/namei.c
+index 71c97fb..d86a93a 100644
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -235,7 +235,8 @@ static struct fileIdentDesc *udf_find_entry(struct inode *dir,
+ if (!lfi)
+ continue;
+
+- flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi);
++ flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname,
++ UDF_NAME_LEN);
+ if (flen && udf_match(flen, fname, child->len, child->name))
+ goto out_ok;
+ }
+@@ -272,9 +273,8 @@ static struct dentry *udf_lookup(struct inode *dir, struct dentry *dentry,
+ NULL, 0),
+ };
+ inode = udf_iget(dir->i_sb, lb);
+- if (!inode) {
+- return ERR_PTR(-EACCES);
+- }
++ if (IS_ERR(inode))
++ return inode;
+ } else
+ #endif /* UDF_RECOVERY */
+
+@@ -287,9 +287,8 @@ static struct dentry *udf_lookup(struct inode *dir, struct dentry *dentry,
+
+ loc = lelb_to_cpu(cfi.icb.extLocation);
+ inode = udf_iget(dir->i_sb, &loc);
+- if (!inode) {
+- return ERR_PTR(-EACCES);
+- }
++ if (IS_ERR(inode))
++ return ERR_CAST(inode);
+ }
+
+ return d_splice_alias(inode, dentry);
+@@ -1211,7 +1210,7 @@ static struct dentry *udf_get_parent(struct dentry *child)
+ struct udf_fileident_bh fibh;
+
+ if (!udf_find_entry(child->d_inode, &dotdot, &fibh, &cfi))
+- goto out_unlock;
++ return ERR_PTR(-EACCES);
+
+ if (fibh.sbh != fibh.ebh)
+ brelse(fibh.ebh);
+@@ -1219,12 +1218,10 @@ static struct dentry *udf_get_parent(struct dentry *child)
+
+ tloc = lelb_to_cpu(cfi.icb.extLocation);
+ inode = udf_iget(child->d_inode->i_sb, &tloc);
+- if (!inode)
+- goto out_unlock;
++ if (IS_ERR(inode))
++ return ERR_CAST(inode);
+
+ return d_obtain_alias(inode);
+-out_unlock:
+- return ERR_PTR(-EACCES);
+ }
+
+
+@@ -1241,8 +1238,8 @@ static struct dentry *udf_nfs_get_inode(struct super_block *sb, u32 block,
+ loc.partitionReferenceNum = partref;
+ inode = udf_iget(sb, &loc);
+
+- if (inode == NULL)
+- return ERR_PTR(-ENOMEM);
++ if (IS_ERR(inode))
++ return ERR_CAST(inode);
+
+ if (generation && inode->i_generation != generation) {
+ iput(inode);
diff --git a/fs/udf/super.c b/fs/udf/super.c
-index f66439e..9af489f 100644
+index f66439e..247cfef 100644
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -116,6 +116,7 @@ static struct file_system_type udf_fstype = {
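Review bot: In udf_lookup() the `UDF_RECOVERY` branch reports the failure with `return inode;`, handing back a `struct inode *` from a function declared to return `struct dentry *`, while the branch right below it uses `return ERR_CAST(inode);`. The first one should also read `return ERR_CAST(inode);`. It is only compiled under the `UDF_RECOVERY` conditional, whose `#endif` is visible, which is probably why the mismatch goes unnoticed. Note also that udf_lookup() and udf_get_parent() now pass through whatever error udf_iget() produced instead of the fixed `-EACCES`, which deserves a line in the change description.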
@@ -66422,6 +66695,419 @@ index f66439e..9af489f 100644
static struct kmem_cache *udf_inode_cachep;
+@@ -838,12 +839,14 @@ struct inode *udf_find_metadata_inode_efe(struct super_block *sb,
+
+ metadata_fe = udf_iget(sb, &addr);
+
+- if (metadata_fe == NULL)
++ if (IS_ERR(metadata_fe)) {
+ udf_warn(sb, "metadata inode efe not found\n");
+- else if (UDF_I(metadata_fe)->i_alloc_type != ICBTAG_FLAG_AD_SHORT) {
++ return metadata_fe;
++ }
++ if (UDF_I(metadata_fe)->i_alloc_type != ICBTAG_FLAG_AD_SHORT) {
+ udf_warn(sb, "metadata inode efe does not have short allocation descriptors!\n");
+ iput(metadata_fe);
+- metadata_fe = NULL;
++ return ERR_PTR(-EIO);
+ }
+
+ return metadata_fe;
+@@ -855,6 +858,7 @@ static int udf_load_metadata_files(struct super_block *sb, int partition)
+ struct udf_part_map *map;
+ struct udf_meta_data *mdata;
+ struct kernel_lb_addr addr;
++ struct inode *fe;
+
+ map = &sbi->s_partmaps[partition];
+ mdata = &map->s_type_specific.s_metadata;
+@@ -863,22 +867,24 @@ static int udf_load_metadata_files(struct super_block *sb, int partition)
+ udf_debug("Metadata file location: block = %d part = %d\n",
+ mdata->s_meta_file_loc, map->s_partition_num);
+
+- mdata->s_metadata_fe = udf_find_metadata_inode_efe(sb,
+- mdata->s_meta_file_loc, map->s_partition_num);
+-
+- if (mdata->s_metadata_fe == NULL) {
++ fe = udf_find_metadata_inode_efe(sb, mdata->s_meta_file_loc,
++ map->s_partition_num);
++ if (IS_ERR(fe)) {
+ /* mirror file entry */
+ udf_debug("Mirror metadata file location: block = %d part = %d\n",
+ mdata->s_mirror_file_loc, map->s_partition_num);
+
+- mdata->s_mirror_fe = udf_find_metadata_inode_efe(sb,
+- mdata->s_mirror_file_loc, map->s_partition_num);
++ fe = udf_find_metadata_inode_efe(sb, mdata->s_mirror_file_loc,
++ map->s_partition_num);
+
+- if (mdata->s_mirror_fe == NULL) {
++ if (IS_ERR(fe)) {
+ udf_err(sb, "Both metadata and mirror metadata inode efe can not found\n");
+- goto error_exit;
++ return PTR_ERR(fe);
+ }
+- }
++ mdata->s_mirror_fe = fe;
++ } else
++ mdata->s_metadata_fe = fe;
++
+
+ /*
+ * bitmap file entry
+@@ -892,24 +898,21 @@ static int udf_load_metadata_files(struct super_block *sb, int partition)
+ udf_debug("Bitmap file location: block = %d part = %d\n",
+ addr.logicalBlockNum, addr.partitionReferenceNum);
+
+- mdata->s_bitmap_fe = udf_iget(sb, &addr);
+-
+- if (mdata->s_bitmap_fe == NULL) {
++ fe = udf_iget(sb, &addr);
++ if (IS_ERR(fe)) {
+ if (sb->s_flags & MS_RDONLY)
+ udf_warn(sb, "bitmap inode efe not found but it's ok since the disc is mounted read-only\n");
+ else {
+ udf_err(sb, "bitmap inode efe not found and attempted read-write mount\n");
+- goto error_exit;
++ return PTR_ERR(fe);
+ }
+- }
++ } else
++ mdata->s_bitmap_fe = fe;
+ }
+
+ udf_debug("udf_load_metadata_files Ok\n");
+
+ return 0;
+-
+-error_exit:
+- return 1;
+ }
+
+ static void udf_load_fileset(struct super_block *sb, struct buffer_head *bh,
+@@ -997,13 +1000,15 @@ static int udf_fill_partdesc_info(struct super_block *sb,
+ phd->unallocSpaceTable.extPosition),
+ .partitionReferenceNum = p_index,
+ };
++ struct inode *inode;
+
+- map->s_uspace.s_table = udf_iget(sb, &loc);
+- if (!map->s_uspace.s_table) {
++ inode = udf_iget(sb, &loc);
++ if (IS_ERR(inode)) {
+ udf_debug("cannot load unallocSpaceTable (part %d)\n",
+ p_index);
+- return 1;
++ return PTR_ERR(inode);
+ }
++ map->s_uspace.s_table = inode;
+ map->s_partition_flags |= UDF_PART_FLAG_UNALLOC_TABLE;
+ udf_debug("unallocSpaceTable (part %d) @ %ld\n",
+ p_index, map->s_uspace.s_table->i_ino);
+@@ -1032,14 +1037,15 @@ static int udf_fill_partdesc_info(struct super_block *sb,
+ phd->freedSpaceTable.extPosition),
+ .partitionReferenceNum = p_index,
+ };
++ struct inode *inode;
+
+- map->s_fspace.s_table = udf_iget(sb, &loc);
+- if (!map->s_fspace.s_table) {
++ inode = udf_iget(sb, &loc);
++ if (IS_ERR(inode)) {
+ udf_debug("cannot load freedSpaceTable (part %d)\n",
+ p_index);
+- return 1;
++ return PTR_ERR(inode);
+ }
+-
++ map->s_fspace.s_table = inode;
+ map->s_partition_flags |= UDF_PART_FLAG_FREED_TABLE;
+ udf_debug("freedSpaceTable (part %d) @ %ld\n",
+ p_index, map->s_fspace.s_table->i_ino);
+@@ -1068,6 +1074,7 @@ static void udf_find_vat_block(struct super_block *sb, int p_index,
+ struct udf_part_map *map = &sbi->s_partmaps[p_index];
+ sector_t vat_block;
+ struct kernel_lb_addr ino;
++ struct inode *inode;
+
+ /*
+ * VAT file entry is in the last recorded block. Some broken disks have
+@@ -1076,10 +1083,13 @@ static void udf_find_vat_block(struct super_block *sb, int p_index,
+ ino.partitionReferenceNum = type1_index;
+ for (vat_block = start_block;
+ vat_block >= map->s_partition_root &&
+- vat_block >= start_block - 3 &&
+- !sbi->s_vat_inode; vat_block--) {
++ vat_block >= start_block - 3; vat_block--) {
+ ino.logicalBlockNum = vat_block - map->s_partition_root;
+- sbi->s_vat_inode = udf_iget(sb, &ino);
++ inode = udf_iget(sb, &ino);
++ if (!IS_ERR(inode)) {
++ sbi->s_vat_inode = inode;
++ break;
++ }
+ }
+ }
+
+@@ -2058,9 +2068,10 @@ static int udf_fill_super(struct super_block *sb, void *options, int silent)
+ /* assign inodes by physical block number */
+ /* perhaps it's not extensible enough, but for now ... */
+ inode = udf_iget(sb, &rootdir);
+- if (!inode) {
++ if (IS_ERR(inode)) {
+ udf_err(sb, "Error in udf_iget, block=%d, partition=%d\n",
+ rootdir.logicalBlockNum, rootdir.partitionReferenceNum);
++ ret = PTR_ERR(inode);
+ goto error_out;
+ }
+
+diff --git a/fs/udf/symlink.c b/fs/udf/symlink.c
+index b1d4488..0422b7b 100644
+--- a/fs/udf/symlink.c
++++ b/fs/udf/symlink.c
+@@ -30,43 +30,73 @@
+ #include <linux/buffer_head.h>
+ #include "udf_i.h"
+
+-static void udf_pc_to_char(struct super_block *sb, unsigned char *from,
+- int fromlen, unsigned char *to)
++static int udf_pc_to_char(struct super_block *sb, unsigned char *from,
++ int fromlen, unsigned char *to, int tolen)
+ {
+ struct pathComponent *pc;
+ int elen = 0;
++ int comp_len;
+ unsigned char *p = to;
+
++ /* Reserve one byte for terminating \0 */
++ tolen--;
+ while (elen < fromlen) {
+ pc = (struct pathComponent *)(from + elen);
++ elen += sizeof(struct pathComponent);
+ switch (pc->componentType) {
+ case 1:
+- if (pc->lengthComponentIdent == 0) {
+- p = to;
+- *p++ = '/';
++ /*
++ * Symlink points to some place which should be agreed
++ * upon between originator and receiver of the media. Ignore.
++ */
++ if (pc->lengthComponentIdent > 0) {
++ elen += pc->lengthComponentIdent;
++ break;
+ }
++ /* Fall through */
++ case 2:
++ if (tolen == 0)
++ return -ENAMETOOLONG;
++ p = to;
++ *p++ = '/';
++ tolen--;
+ break;
+ case 3:
++ if (tolen < 3)
++ return -ENAMETOOLONG;
+ memcpy(p, "../", 3);
+ p += 3;
++ tolen -= 3;
+ break;
+ case 4:
++ if (tolen < 2)
++ return -ENAMETOOLONG;
+ memcpy(p, "./", 2);
+ p += 2;
++ tolen -= 2;
+ /* that would be . - just ignore */
+ break;
+ case 5:
+- p += udf_get_filename(sb, pc->componentIdent, p,
+- pc->lengthComponentIdent);
++ elen += pc->lengthComponentIdent;
++ if (elen > fromlen)
++ return -EIO;
++ comp_len = udf_get_filename(sb, pc->componentIdent,
++ pc->lengthComponentIdent,
++ p, tolen);
++ p += comp_len;
++ tolen -= comp_len;
++ if (tolen == 0)
++ return -ENAMETOOLONG;
+ *p++ = '/';
++ tolen--;
+ break;
+ }
+- elen += sizeof(struct pathComponent) + pc->lengthComponentIdent;
+ }
+ if (p > to + 1)
+ p[-1] = '\0';
+ else
+ p[0] = '\0';
++ return 0;
+ }
+
+ static int udf_symlink_filler(struct file *file, struct page *page)
+@@ -74,11 +104,17 @@ static int udf_symlink_filler(struct file *file, struct page *page)
+ struct inode *inode = page->mapping->host;
+ struct buffer_head *bh = NULL;
+ unsigned char *symlink;
+- int err = -EIO;
++ int err;
+ unsigned char *p = kmap(page);
+ struct udf_inode_info *iinfo;
+ uint32_t pos;
+
++ /* We don't support symlinks longer than one block */
++ if (inode->i_size > inode->i_sb->s_blocksize) {
++ err = -ENAMETOOLONG;
++ goto out_unmap;
++ }
++
+ iinfo = UDF_I(inode);
+ pos = udf_block_map(inode, 0);
+
+@@ -88,14 +124,18 @@ static int udf_symlink_filler(struct file *file, struct page *page)
+ } else {
+ bh = sb_bread(inode->i_sb, pos);
+
+- if (!bh)
+- goto out;
++ if (!bh) {
++ err = -EIO;
++ goto out_unlock_inode;
++ }
+
+ symlink = bh->b_data;
+ }
+
+- udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p);
++ err = udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p, PAGE_SIZE);
+ brelse(bh);
++ if (err)
++ goto out_unlock_inode;
+
+ up_read(&iinfo->i_data_sem);
+ SetPageUptodate(page);
+@@ -103,9 +143,10 @@ static int udf_symlink_filler(struct file *file, struct page *page)
+ unlock_page(page);
+ return 0;
+
+-out:
++out_unlock_inode:
+ up_read(&iinfo->i_data_sem);
+ SetPageError(page);
++out_unmap:
+ kunmap(page);
+ unlock_page(page);
+ return err;
+diff --git a/fs/udf/udfdecl.h b/fs/udf/udfdecl.h
+index f34e6fc..3156eb1 100644
+--- a/fs/udf/udfdecl.h
++++ b/fs/udf/udfdecl.h
+@@ -149,7 +149,6 @@ extern int udf_expand_file_adinicb(struct inode *);
+ extern struct buffer_head *udf_expand_dir_adinicb(struct inode *, int *, int *);
+ extern struct buffer_head *udf_bread(struct inode *, int, int, int *);
+ extern int udf_setsize(struct inode *, loff_t);
+-extern void udf_read_inode(struct inode *);
+ extern void udf_evict_inode(struct inode *);
+ extern int udf_write_inode(struct inode *, struct writeback_control *wbc);
+ extern long udf_block_map(struct inode *, sector_t);
+@@ -207,7 +206,8 @@ udf_get_lb_pblock(struct super_block *sb, struct kernel_lb_addr *loc,
+ }
+
+ /* unicode.c */
+-extern int udf_get_filename(struct super_block *, uint8_t *, uint8_t *, int);
++extern int udf_get_filename(struct super_block *, uint8_t *, int, uint8_t *,
++ int);
+ extern int udf_put_filename(struct super_block *, const uint8_t *, uint8_t *,
+ int);
+ extern int udf_build_ustr(struct ustr *, dstring *, int);
+diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c
+index 44b815e..d29c06f 100644
+--- a/fs/udf/unicode.c
++++ b/fs/udf/unicode.c
+@@ -28,7 +28,8 @@
+
+ #include "udf_sb.h"
+
+-static int udf_translate_to_linux(uint8_t *, uint8_t *, int, uint8_t *, int);
++static int udf_translate_to_linux(uint8_t *, int, uint8_t *, int, uint8_t *,
++ int);
+
+ static int udf_char_to_ustr(struct ustr *dest, const uint8_t *src, int strlen)
+ {
+@@ -333,8 +334,8 @@ try_again:
+ return u_len + 1;
+ }
+
+-int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
+- int flen)
++int udf_get_filename(struct super_block *sb, uint8_t *sname, int slen,
++ uint8_t *dname, int dlen)
+ {
+ struct ustr *filename, *unifilename;
+ int len = 0;
+@@ -347,7 +348,7 @@ int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
+ if (!unifilename)
+ goto out1;
+
+- if (udf_build_ustr_exact(unifilename, sname, flen))
++ if (udf_build_ustr_exact(unifilename, sname, slen))
+ goto out2;
+
+ if (UDF_QUERY_FLAG(sb, UDF_FLAG_UTF8)) {
+@@ -366,7 +367,8 @@ int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
+ } else
+ goto out2;
+
+- len = udf_translate_to_linux(dname, filename->u_name, filename->u_len,
++ len = udf_translate_to_linux(dname, dlen,
++ filename->u_name, filename->u_len,
+ unifilename->u_name, unifilename->u_len);
+ out2:
+ kfree(unifilename);
+@@ -403,10 +405,12 @@ int udf_put_filename(struct super_block *sb, const uint8_t *sname,
+ #define EXT_MARK '.'
+ #define CRC_MARK '#'
+ #define EXT_SIZE 5
++/* Number of chars we need to store generated CRC to make filename unique */
++#define CRC_LEN 5
+
+-static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
+- int udfLen, uint8_t *fidName,
+- int fidNameLen)
++static int udf_translate_to_linux(uint8_t *newName, int newLen,
++ uint8_t *udfName, int udfLen,
++ uint8_t *fidName, int fidNameLen)
+ {
+ int index, newIndex = 0, needsCRC = 0;
+ int extIndex = 0, newExtIndex = 0, hasExt = 0;
+@@ -440,7 +444,7 @@ static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
+ newExtIndex = newIndex;
+ }
+ }
+- if (newIndex < 256)
++ if (newIndex < newLen)
+ newName[newIndex++] = curr;
+ else
+ needsCRC = 1;
+@@ -468,13 +472,13 @@ static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
+ }
+ ext[localExtIndex++] = curr;
+ }
+- maxFilenameLen = 250 - localExtIndex;
++ maxFilenameLen = newLen - CRC_LEN - localExtIndex;
+ if (newIndex > maxFilenameLen)
+ newIndex = maxFilenameLen;
+ else
+ newIndex = newExtIndex;
+- } else if (newIndex > 250)
+- newIndex = 250;
++ } else if (newIndex > newLen - CRC_LEN)
++ newIndex = newLen - CRC_LEN;
+ newName[newIndex++] = CRC_MARK;
+ valueCRC = crc_itu_t(0, fidName, fidNameLen);
+ newName[newIndex++] = hexChar[(valueCRC & 0xf000) >> 12];
diff --git a/fs/ufs/super.c b/fs/ufs/super.c
index 3915ade..00fcbf4 100644
--- a/fs/ufs/super.c
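Review bot: In udf_translate_to_linux() the new truncation bound leaves one byte less room than the constants it replaces. The old code filled a 256-byte name and truncated at `250 - localExtIndex`, a margin of 6, whereas `newLen - CRC_LEN - localExtIndex` with `CRC_LEN` 5 leaves 5. Five bytes cover `CRC_MARK` and four hex digits; if the code after this hunk still appends `EXT_MARK` before the saved extension (not visible here), the has-extension path ends one byte past `newLen`, and `maxFilenameLen = newLen - CRC_LEN - localExtIndex - 1;` would restore the old margin. udf_pc_to_char() would not notice such an overshoot, because it tests `tolen == 0` after `tolen -= comp_len`; `if (tolen <= 0)` is the safer comparison.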
@@ -77882,7 +78568,7 @@ index 77ff547..181834f 100644
#define pud_none(pud) 0
#define pud_bad(pud) 0
diff --git a/include/asm-generic/atomic-long.h b/include/asm-generic/atomic-long.h
-index b7babf0..97f4c4f 100644
+index b7babf0..1e4b4f1 100644
--- a/include/asm-generic/atomic-long.h
+++ b/include/asm-generic/atomic-long.h
@@ -22,6 +22,12 @@
@@ -78143,7 +78829,15 @@ index b7babf0..97f4c4f 100644
static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
{
atomic_t *v = (atomic_t *)l;
-@@ -218,6 +356,16 @@ static inline long atomic_long_add_return(long i, atomic_long_t *l)
+@@ -211,13 +349,23 @@ static inline int atomic_long_add_negative(long i, atomic_long_t *l)
+ return atomic_add_negative(i, v);
+ }
+
+-static inline long atomic_long_add_return(long i, atomic_long_t *l)
++static inline long __intentional_overflow(-1) atomic_long_add_return(long i, atomic_long_t *l)
+ {
+ atomic_t *v = (atomic_t *)l;
+
return (long)atomic_add_return(i, v);
}
@@ -79529,13 +80223,13 @@ index 8acfe31..6ffccd63 100644
return c | 0x20;
}
diff --git a/include/linux/dcache.h b/include/linux/dcache.h
-index 1dfe974..3811bc2 100644
+index 99374de..6388abb 100644
--- a/include/linux/dcache.h
+++ b/include/linux/dcache.h
@@ -142,7 +142,7 @@ struct dentry {
+ struct list_head d_alias; /* inode alias list */
+ struct rcu_head d_rcu;
} d_u;
- struct list_head d_subdirs; /* our children */
- struct list_head d_alias; /* inode alias list */
-};
+} __randomize_layout;
@@ -83406,7 +84100,7 @@ index 9aaf5bf..d5ee2a5 100644
}
diff --git a/include/linux/sched.h b/include/linux/sched.h
-index cb34ff4..df196d4 100644
+index cb34ff4..c086c98 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -101,6 +101,7 @@ struct bio_list;
@@ -83635,6 +84329,15 @@ index cb34ff4..df196d4 100644
#ifdef CONFIG_FUNCTION_GRAPH_TRACER
/* Index of current stored address in ret_stack */
int curr_ret_stack;
+@@ -1560,7 +1633,7 @@ struct task_struct {
+ * Number of functions that haven't been traced
+ * because of depth overrun.
+ */
+- atomic_t trace_overrun;
++ atomic_unchecked_t trace_overrun;
+ /* Pause for the tracing */
+ atomic_t tracing_graph_pause;
+ #endif
@@ -1581,7 +1654,54 @@ struct task_struct {
#ifdef CONFIG_HAVE_HW_BREAKPOINT
atomic_t ptrace_bp_refcnt;
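Review bot: The switch of `trace_overrun` to `atomic_unchecked_t` carries no comment saying why this counter is exempt from overflow checking. The field's existing comment describes it as the number of functions skipped because of depth overrun, so it is a statistic that can wrap harmlessly rather than a reference count, which is presumably the reason. A short note on the field, e.g. `/* statistic only, may wrap: not a refcount, hence unchecked */`, would record that. The matching accessor changes are in kernel/trace/ftrace.c and kernel/trace/trace_functions_graph.c.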
@@ -86024,7 +86727,7 @@ index e6454b6..7a6b6bc 100644
static inline struct page *sk_stream_alloc_page(struct sock *sk)
{
diff --git a/include/net/tcp.h b/include/net/tcp.h
-index 238255b..d91d5ca 100644
+index e90235f..b943bda 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -426,6 +426,25 @@ extern __u32 syncookie_secret[2][16-4+SHA_DIGEST_WORDS];
@@ -87734,7 +88437,7 @@ index b463871..59495fd 100644
* nsown_capable - Check superior capability to one's own user_ns
* @cap: The capability in question
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
-index ffcf896..a88b61f 100644
+index eafb6dd..59c908d 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -4755,6 +4755,14 @@ static void cgroup_release_agent(struct work_struct *work)
@@ -93681,7 +94384,7 @@ index 92cac05..89f0de9 100644
ret = -EIO;
bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
-index dcbafed..9feb3de 100644
+index dcbafed..bba19b9 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -1610,12 +1610,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
@@ -93722,6 +94425,15 @@ index dcbafed..9feb3de 100644
int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace)
{
return 0;
+@@ -4088,7 +4091,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list)
+
+ if (t->ret_stack == NULL) {
+ atomic_set(&t->tracing_graph_pause, 0);
+- atomic_set(&t->trace_overrun, 0);
++ atomic_set_unchecked(&t->trace_overrun, 0);
+ t->curr_ret_stack = -1;
+ /* Make sure the tasks see the -1 first: */
+ smp_wmb();
@@ -4191,6 +4194,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state,
return NOTIFY_DONE;
}
@@ -93741,6 +94453,15 @@ index dcbafed..9feb3de 100644
register_pm_notifier(&ftrace_suspend_notifier);
ftrace_graph_active++;
+@@ -4288,7 +4294,7 @@ static void
+ graph_init_task(struct task_struct *t, struct ftrace_ret_stack *ret_stack)
+ {
+ atomic_set(&t->tracing_graph_pause, 0);
+- atomic_set(&t->trace_overrun, 0);
++ atomic_set_unchecked(&t->trace_overrun, 0);
+ t->ftrace_timestamp = 0;
+ /* make curr_ret_stack visible before we add the ret_stack */
+ smp_wmb();
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index b252661..45b218f 100644
--- a/kernel/trace/ring_buffer.c
@@ -94133,6 +94854,28 @@ index 875fed4..7a76cbb 100644
}
}
+diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
+index a7d2a4c..b034c76 100644
+--- a/kernel/trace/trace_functions_graph.c
++++ b/kernel/trace/trace_functions_graph.c
+@@ -108,7 +108,7 @@ ftrace_push_return_trace(unsigned long ret, unsigned long func, int *depth,
+
+ /* The return trace stack is full */
+ if (current->curr_ret_stack == FTRACE_RETFUNC_DEPTH - 1) {
+- atomic_inc(&current->trace_overrun);
++ atomic_inc_unchecked(&current->trace_overrun);
+ return -EBUSY;
+ }
+
+@@ -171,7 +171,7 @@ ftrace_pop_return_trace(struct ftrace_graph_ret *trace, unsigned long *ret,
+ *ret = current->ret_stack[index].ret;
+ trace->func = current->ret_stack[index].func;
+ trace->calltime = current->ret_stack[index].calltime;
+- trace->overrun = atomic_read(&current->trace_overrun);
++ trace->overrun = atomic_read_unchecked(&current->trace_overrun);
+ trace->depth = index;
+ }
+
diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
index 00d527c..7c5b1a3 100644
--- a/kernel/trace/trace_kprobe.c
@@ -96140,7 +96883,7 @@ index 51901b1..79af2f4 100644
/* keep elevated page count for bad page */
return ret;
diff --git a/mm/memory.c b/mm/memory.c
-index 5a7f314..f1012e1 100644
+index 628cadc..4db2e08 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -462,8 +462,12 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
@@ -101038,6 +101781,19 @@ index 963f285..3e3874d 100644
struct vlan_net *vn;
vn = net_generic(net, vlan_net_id);
+diff --git a/net/8021q/vlan_netlink.c b/net/8021q/vlan_netlink.c
+index c705612..8f2e391 100644
+--- a/net/8021q/vlan_netlink.c
++++ b/net/8021q/vlan_netlink.c
+@@ -214,7 +214,7 @@ nla_put_failure:
+ return -EMSGSIZE;
+ }
+
+-struct rtnl_link_ops vlan_link_ops __read_mostly = {
++struct rtnl_link_ops vlan_link_ops = {
+ .kind = "vlan",
+ .maxtype = IFLA_VLAN_MAX,
+ .policy = vlan_policy,
diff --git a/net/9p/client.c b/net/9p/client.c
index 854ca7a..fc1bfc8 100644
--- a/net/9p/client.c
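Review bot: Dropping `__read_mostly` from `vlan_link_ops` is not explained, and the same edit recurs in later hunks for `br_link_ops` (net/bridge/br_netlink.c), `ipcaif_link_ops` (net/caif/chnl_net.c) and `lowpan_link_ops` (net/ieee802154/6lowpan.c). Presumably the annotation goes because it pins the object to a writable data section, which would conflict with placing `struct rtnl_link_ops` instances in read-only memory; that motivation is inferred, not shown. If so, it should be recorded, e.g. `/* no __read_mostly: object must be eligible for read-only placement */`. Every path that writes to these objects after initialisation (link-ops registration is the likely one) should then be checked to confirm it uses the patch set's sanctioned write path rather than a plain store. Any `rtnl_link_ops` definition elsewhere in the tree that still carries `__read_mostly` would need the same edit, and the initialiser of `vlan_link_ops` continues past the end of the hunk.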
@@ -101584,6 +102340,19 @@ index 398a297..83fc29c 100644
return 0;
/* Okay, we found ICMPv6 header */
+diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
+index 99a48a39..f0638fe 100644
+--- a/net/bridge/br_netlink.c
++++ b/net/bridge/br_netlink.c
+@@ -225,7 +225,7 @@ static int br_dev_newlink(struct net *src_net, struct net_device *dev,
+ return register_netdevice(dev);
+ }
+
+-struct rtnl_link_ops br_link_ops __read_mostly = {
++struct rtnl_link_ops br_link_ops = {
+ .kind = "bridge",
+ .priv_size = sizeof(struct net_bridge),
+ .setup = br_dev_setup,
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index 5449294..c1d8d99 100644
--- a/net/bridge/netfilter/ebt_ulog.c
@@ -101832,7 +102601,7 @@ index 84efbe4..51d47bc 100644
list_del(&p->list);
goto out;
diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c
-index 8656909..a2ae45d 100644
+index 8656909..a448555 100644
--- a/net/caif/chnl_net.c
+++ b/net/caif/chnl_net.c
@@ -74,7 +74,6 @@ static int chnl_recv_cb(struct cflayer *layr, struct cfpkt *pkt)
@@ -101905,6 +102674,15 @@ index 8656909..a2ae45d 100644
}
/* Update statistics. */
+@@ -508,7 +515,7 @@ static const struct nla_policy ipcaif_policy[IFLA_CAIF_MAX + 1] = {
+ };
+
+
+-static struct rtnl_link_ops ipcaif_link_ops __read_mostly = {
++static struct rtnl_link_ops ipcaif_link_ops = {
+ .kind = "caif",
+ .priv_size = sizeof(struct chnl_net),
+ .setup = ipcaif_net_setup,
diff --git a/net/can/af_can.c b/net/can/af_can.c
index 0ce2ad0..cb92a90 100644
--- a/net/can/af_can.c
@@ -102995,7 +103773,7 @@ index 39a2d29..f39c0fe 100644
Econet is a fairly old and slow networking protocol mainly used by
Acorn computers to access file and print servers. It uses native
diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
-index 5d42df2..10638af 100644
+index 5d42df2..e6c3389 100644
--- a/net/ieee802154/6lowpan.c
+++ b/net/ieee802154/6lowpan.c
@@ -329,7 +329,7 @@ static int lowpan_header_create(struct sk_buff *skb,
@@ -103007,6 +103785,15 @@ index 5d42df2..10638af 100644
/* replace the top byte with new ECN | DSCP format */
*hc06_ptr = tmp;
hc06_ptr += 4;
+@@ -837,7 +837,7 @@ static void lowpan_dellink(struct net_device *dev, struct list_head *head)
+ dev_put(real_dev);
+ }
+
+-static struct rtnl_link_ops lowpan_link_ops __read_mostly = {
++static struct rtnl_link_ops lowpan_link_ops = {
+ .kind = "lowpan",
+ .priv_size = sizeof(struct lowpan_dev_info),
+ .setup = lowpan_setup,
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 5d228de..91bdee5 100644
--- a/net/ipv4/af_inet.c
@@ -103241,7 +104028,7 @@ index 92fc5f6..b790d91 100644
break;
case NETDEV_DOWN:
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
-index 76da979..0e9428c 100644
+index 1cdb4a9..b5efed8 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -699,7 +699,7 @@ __be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh)
@@ -104241,7 +105028,7 @@ index afe6886..297e5fb 100644
/* step 6: check the URG bit */
tcp_urg(sk, skb, th);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
-index 26eb8e2..14989a5 100644
+index b4e0eb4..4df4e3a 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -87,6 +87,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
@@ -104254,7 +105041,7 @@ index 26eb8e2..14989a5 100644
#ifdef CONFIG_TCP_MD5SIG
static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
-@@ -1636,6 +1639,9 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
+@@ -1631,6 +1634,9 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
return 0;
reset:
@@ -104264,7 +105051,7 @@ index 26eb8e2..14989a5 100644
tcp_v4_send_reset(rsk, skb);
discard:
kfree_skb(skb);
-@@ -1698,12 +1704,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
+@@ -1693,12 +1699,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
TCP_SKB_CB(skb)->sacked = 0;
sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
@@ -104287,7 +105074,7 @@ index 26eb8e2..14989a5 100644
if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
-@@ -1753,6 +1766,10 @@ no_tcp_socket:
+@@ -1748,6 +1761,10 @@ no_tcp_socket:
bad_packet:
TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
} else {
@@ -104298,7 +105085,7 @@ index 26eb8e2..14989a5 100644
tcp_v4_send_reset(NULL, skb);
}
-@@ -2413,7 +2430,11 @@ static void get_openreq4(const struct sock *sk, const struct request_sock *req,
+@@ -2408,7 +2425,11 @@ static void get_openreq4(const struct sock *sk, const struct request_sock *req,
0, /* non standard timer */
0, /* open_requests have no inode */
atomic_read(&sk->sk_refcnt),
@@ -104310,7 +105097,7 @@ index 26eb8e2..14989a5 100644
len);
}
-@@ -2463,7 +2484,12 @@ static void get_tcp4_sock(struct sock *sk, struct seq_file *f, int i, int *len)
+@@ -2458,7 +2479,12 @@ static void get_tcp4_sock(struct sock *sk, struct seq_file *f, int i, int *len)
sock_i_uid(sk),
icsk->icsk_probes_out,
sock_i_ino(sk),
@@ -104324,7 +105111,7 @@ index 26eb8e2..14989a5 100644
jiffies_to_clock_t(icsk->icsk_rto),
jiffies_to_clock_t(icsk->icsk_ack.ato),
(icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
-@@ -2491,7 +2517,13 @@ static void get_timewait4_sock(const struct inet_timewait_sock *tw,
+@@ -2486,7 +2512,13 @@ static void get_timewait4_sock(const struct inet_timewait_sock *tw,
" %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK%n",
i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
@@ -104339,7 +105126,7 @@ index 26eb8e2..14989a5 100644
}
#define TMPSZ 150
-@@ -2662,7 +2694,7 @@ static void __net_exit tcp_sk_exit_batch(struct list_head *net_exit_list)
+@@ -2657,7 +2689,7 @@ static void __net_exit tcp_sk_exit_batch(struct list_head *net_exit_list)
inet_twsk_purge(&tcp_hashinfo, &tcp_death_row, AF_INET);
}
@@ -104349,7 +105136,7 @@ index 26eb8e2..14989a5 100644
.exit = tcp_sk_exit,
.exit_batch = tcp_sk_exit_batch,
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
-index 66363b6..b0654a3 100644
+index 00e1530..47b4f16 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -27,6 +27,10 @@
@@ -104363,7 +105150,7 @@ index 66363b6..b0654a3 100644
int sysctl_tcp_syncookies __read_mostly = 1;
EXPORT_SYMBOL(sysctl_tcp_syncookies);
-@@ -751,6 +755,10 @@ listen_overflow:
+@@ -746,6 +750,10 @@ listen_overflow:
embryonic_reset:
NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
@@ -105021,7 +105808,7 @@ index 166a57c..dc4e6b8 100644
struct ctl_table *ipv6_icmp_table;
int err;
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
-index 057a9d2..bc870ad 100644
+index 655cc60..c49497a 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -93,6 +93,10 @@ static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk,
@@ -105035,7 +105822,7 @@ index 057a9d2..bc870ad 100644
static void tcp_v6_hash(struct sock *sk)
{
if (sk->sk_state != TCP_CLOSE) {
-@@ -1657,6 +1661,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
+@@ -1652,6 +1656,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
return 0;
reset:
@@ -105045,7 +105832,7 @@ index 057a9d2..bc870ad 100644
tcp_v6_send_reset(sk, skb);
discard:
if (opt_skb)
-@@ -1736,12 +1743,20 @@ static int tcp_v6_rcv(struct sk_buff *skb)
+@@ -1731,12 +1738,20 @@ static int tcp_v6_rcv(struct sk_buff *skb)
TCP_SKB_CB(skb)->sacked = 0;
sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
@@ -105068,7 +105855,7 @@ index 057a9d2..bc870ad 100644
if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
-@@ -1789,6 +1804,10 @@ no_tcp_socket:
+@@ -1784,6 +1799,10 @@ no_tcp_socket:
bad_packet:
TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
} else {
@@ -105079,7 +105866,7 @@ index 057a9d2..bc870ad 100644
tcp_v6_send_reset(NULL, skb);
}
-@@ -2049,7 +2068,13 @@ static void get_openreq6(struct seq_file *seq,
+@@ -2044,7 +2063,13 @@ static void get_openreq6(struct seq_file *seq,
uid,
0, /* non standard timer */
0, /* open_requests have no inode */
@@ -105094,7 +105881,7 @@ index 057a9d2..bc870ad 100644
}
static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
-@@ -2099,7 +2124,12 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
+@@ -2094,7 +2119,12 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
sock_i_uid(sp),
icsk->icsk_probes_out,
sock_i_ino(sp),
@@ -105108,7 +105895,7 @@ index 057a9d2..bc870ad 100644
jiffies_to_clock_t(icsk->icsk_rto),
jiffies_to_clock_t(icsk->icsk_ack.ato),
(icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
-@@ -2134,7 +2164,13 @@ static void get_timewait6_sock(struct seq_file *seq,
+@@ -2129,7 +2159,13 @@ static void get_timewait6_sock(struct seq_file *seq,
dest->s6_addr32[2], dest->s6_addr32[3], destp,
tw->tw_substate, 0, 0,
3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
@@ -107283,19 +108070,6 @@ index 7635107..4670276 100644
_proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
-diff --git a/net/sctp/auth.c b/net/sctp/auth.c
-index 333926d..53d455c 100644
---- a/net/sctp/auth.c
-+++ b/net/sctp/auth.c
-@@ -866,8 +866,6 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
- list_add(&cur_key->key_list, sh_keys);
-
- cur_key->key = key;
-- sctp_auth_key_hold(key);
--
- return 0;
- nomem:
- if (!replace)
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 0b6a391..febcef2 100644
--- a/net/sctp/ipv6.c
@@ -107406,20 +108180,6 @@ index de35e01..ef925b0 100644
}
static int sctp_v4_protosw_init(void)
-diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
-index d8d4704..c40952c 100644
---- a/net/sctp/sm_make_chunk.c
-+++ b/net/sctp/sm_make_chunk.c
-@@ -2570,6 +2570,9 @@ do_addr_param:
- addr_param = param.v + sizeof(sctp_addip_param_t);
-
- af = sctp_get_af_specific(param_type2af(param.p->type));
-+ if (af == NULL)
-+ break;
-+
- af->from_addr_param(&addr, addr_param,
- htons(asoc->peer.port), 0);
-
diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index 76388b0..a967f68 100644
--- a/net/sctp/sm_sideeffect.c