* [gentoo-commits] proj/hardened-patchset:master commit in: 3.2.51/, 3.11.2/, 2.6.32/, 3.11.1/
@ 2013-09-29 19:12 Anthony G. Basile
0 siblings, 0 replies; only message in thread
From: Anthony G. Basile @ 2013-09-29 19:12 UTC (permalink / raw
To: gentoo-commits
commit: 290728f2970dde95a2499c72844cff0e09f97bae
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Sep 29 19:13:23 2013 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Sep 29 19:13:23 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=290728f2
Grsec/PaX: 2.9.1-{2.6.32.61,3.2.51,3.11.2}-201309281102
---
2.6.32/0000_README | 2 +-
..._grsecurity-2.9.1-2.6.32.61-201309281101.patch} | 88 +-
2.6.32/4440_grsec-remove-protected-paths.patch | 2 +-
2.6.32/4450_grsec-kconfig-default-gids.patch | 12 +-
2.6.32/4465_selinux-avc_audit-log-curr_ip.patch | 2 +-
{3.11.1 => 3.11.2}/0000_README | 6 +-
3.11.2/1001_linux-3.11.2.patch | 4419 ++++++++++++++++++++
...4420_grsecurity-2.9.1-3.11.2-201309281103.patch | 757 ++--
{3.11.1 => 3.11.2}/4425_grsec_remove_EI_PAX.patch | 0
.../4427_force_XATTR_PAX_tmpfs.patch | 0
.../4430_grsec-remove-localversion-grsec.patch | 0
{3.11.1 => 3.11.2}/4435_grsec-mute-warnings.patch | 0
.../4440_grsec-remove-protected-paths.patch | 0
.../4450_grsec-kconfig-default-gids.patch | 0
.../4465_selinux-avc_audit-log-curr_ip.patch | 0
{3.11.1 => 3.11.2}/4470_disable-compat_vdso.patch | 0
{3.11.1 => 3.11.2}/4475_emutramp_default_on.patch | 0
3.2.51/0000_README | 2 +-
...420_grsecurity-2.9.1-3.2.51-201309281102.patch} | 347 +-
19 files changed, 5079 insertions(+), 558 deletions(-)
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index c481225..381f8d3 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -38,7 +38,7 @@ Patch: 1060_linux-2.6.32.61.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.61
-Patch: 4420_grsecurity-2.9.1-2.6.32.61-201309052115.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.61-201309281101.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201309052115.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201309281101.patch
similarity index 99%
rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201309052115.patch
rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201309281101.patch
index 41ba8b2..80f4104 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201309052115.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201309281101.patch
@@ -45625,7 +45625,7 @@ index 3beb26d..6ce9c4a 100644
INIT_LIST_HEAD(&rdev->fence_drv.emited);
INIT_LIST_HEAD(&rdev->fence_drv.signaled);
diff --git a/drivers/gpu/drm/radeon/radeon_ioc32.c b/drivers/gpu/drm/radeon/radeon_ioc32.c
-index a1bf11d..4a123c0 100644
+index a1bf11de..4a123c0 100644
--- a/drivers/gpu/drm/radeon/radeon_ioc32.c
+++ b/drivers/gpu/drm/radeon/radeon_ioc32.c
@@ -368,7 +368,7 @@ static int compat_radeon_cp_setparam(struct file *file, unsigned int cmd,
@@ -91904,10 +91904,10 @@ index 0000000..5a3ac97
+}
diff --git a/grsecurity/gracl_ip.c b/grsecurity/gracl_ip.c
new file mode 100644
-index 0000000..b6b5239
+index 0000000..462a28e
--- /dev/null
+++ b/grsecurity/gracl_ip.c
-@@ -0,0 +1,388 @@
+@@ -0,0 +1,387 @@
+#include <linux/kernel.h>
+#include <asm/uaccess.h>
+#include <asm/errno.h>
@@ -92000,6 +92000,8 @@ index 0000000..b6b5239
+ return gr_sockfamilies[family];
+}
+
++extern const struct net_proto_family *net_families[NPROTO] __read_mostly;
++
+int
+gr_search_socket(const int domain, const int type, const int protocol)
+{
@@ -92079,10 +92081,7 @@ index 0000000..b6b5239
+ if (domain == PF_INET)
+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
-+ else
-+#ifndef CONFIG_IPV6
-+ if (domain != PF_INET6)
-+#endif
++ else if (net_families[domain] != NULL)
+ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
+ gr_socktype_to_name(type), protocol);
+
@@ -95482,7 +95481,7 @@ index 0000000..7512ea9
+}
diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c
new file mode 100644
-index 0000000..5a6d4bc
+index 0000000..5a6d4bc1
--- /dev/null
+++ b/grsecurity/grsec_sysctl.c
@@ -0,0 +1,527 @@
@@ -111522,7 +111521,7 @@ index aaca868..2ebecdc 100644
err = -EPERM;
goto out;
diff --git a/mm/mlock.c b/mm/mlock.c
-index 2d846cf..ca1e492 100644
+index 2d846cf..1183f13 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -13,6 +13,7 @@
@@ -111625,7 +111624,15 @@ index 2d846cf..ca1e492 100644
newflags = vma->vm_flags | VM_LOCKED;
if (!(flags & MCL_CURRENT))
-@@ -570,6 +572,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
+@@ -545,6 +547,7 @@ static int do_mlockall(int flags)
+
+ /* Ignore errors */
+ mlock_fixup(vma, &prev, vma->vm_start, vma->vm_end, newflags);
++ cond_resched();
+ }
+ out:
+ return 0;
+@@ -570,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
lock_limit >>= PAGE_SHIFT;
ret = -ENOMEM;
@@ -118962,7 +118969,7 @@ index e04c9f8..51bc18e 100644
+ (rtt >> sctp_rto_alpha);
} else {
diff --git a/net/socket.c b/net/socket.c
-index bf9fc68..0ea7e39 100644
+index bf9fc68..27b436e 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -87,6 +87,7 @@
@@ -118995,6 +119002,15 @@ index bf9fc68..0ea7e39 100644
static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
unsigned long nr_segs, loff_t pos);
+@@ -148,7 +164,7 @@ static const struct file_operations socket_file_ops = {
+ */
+
+ static DEFINE_SPINLOCK(net_family_lock);
+-static const struct net_proto_family *net_families[NPROTO] __read_mostly;
++const struct net_proto_family *net_families[NPROTO] __read_mostly;
+
+ /*
+ * Statistics counters of the socket lists
@@ -298,7 +314,7 @@ static int sockfs_get_sb(struct file_system_type *fs_type,
mnt);
}
@@ -119013,24 +119029,28 @@ index bf9fc68..0ea7e39 100644
/* Compatibility.
-@@ -1283,6 +1301,16 @@ SYSCALL_DEFINE3(socket, int, family, int, type, int, protocol)
- if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
- flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
+@@ -1174,6 +1192,20 @@ static int __sock_create(struct net *net, int family, int type, int protocol,
+ if (err)
+ return err;
-+ if(!gr_search_socket(family, type, protocol)) {
-+ retval = -EACCES;
-+ goto out;
++ if(!kern && !gr_search_socket(family, type, protocol)) {
++ if (net_families[family] == NULL)
++ return -EAFNOSUPPORT;
++ else
++ return -EACCES;
+ }
+
-+ if (gr_handle_sock_all(family, type, protocol)) {
-+ retval = -EACCES;
-+ goto out;
++ if (!kern && gr_handle_sock_all(family, type, protocol)) {
++ if (net_families[family] == NULL)
++ return -EAFNOSUPPORT;
++ else
++ return -EACCES;
+ }
+
- retval = sock_create(family, type, protocol, &sock);
- if (retval < 0)
- goto out;
-@@ -1415,6 +1443,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
+ /*
+ * Allocate the socket and allow the family to set things up. if
+ * the protocol is 0, the family is instructed to select an appropriate
+@@ -1415,6 +1447,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
if (sock) {
err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
if (err >= 0) {
@@ -119045,7 +119065,7 @@ index bf9fc68..0ea7e39 100644
err = security_socket_bind(sock,
(struct sockaddr *)&address,
addrlen);
-@@ -1423,6 +1459,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
+@@ -1423,6 +1463,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
(struct sockaddr *)
&address, addrlen);
}
@@ -119053,7 +119073,7 @@ index bf9fc68..0ea7e39 100644
fput_light(sock->file, fput_needed);
}
return err;
-@@ -1446,10 +1483,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog)
+@@ -1446,10 +1487,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog)
if ((unsigned)backlog > somaxconn)
backlog = somaxconn;
@@ -119074,7 +119094,7 @@ index bf9fc68..0ea7e39 100644
fput_light(sock->file, fput_needed);
}
return err;
-@@ -1492,6 +1539,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
+@@ -1492,6 +1543,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
newsock->type = sock->type;
newsock->ops = sock->ops;
@@ -119093,7 +119113,7 @@ index bf9fc68..0ea7e39 100644
/*
* We don't need try_module_get here, as the listening socket (sock)
* has the protocol module (sock->ops->owner) held.
-@@ -1534,6 +1593,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
+@@ -1534,6 +1597,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
fd_install(newfd, newfile);
err = newfd;
@@ -119102,7 +119122,7 @@ index bf9fc68..0ea7e39 100644
out_put:
fput_light(sock->file, fput_needed);
out:
-@@ -1571,6 +1632,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
+@@ -1571,6 +1636,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
int, addrlen)
{
struct socket *sock;
@@ -119110,7 +119130,7 @@ index bf9fc68..0ea7e39 100644
struct sockaddr_storage address;
int err, fput_needed;
-@@ -1581,6 +1643,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
+@@ -1581,6 +1647,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
if (err < 0)
goto out_put;
@@ -119128,7 +119148,7 @@ index bf9fc68..0ea7e39 100644
err =
security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
if (err)
-@@ -1728,7 +1801,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
+@@ -1728,7 +1805,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
struct socket *sock;
struct iovec iov;
struct msghdr msg;
@@ -119137,7 +119157,7 @@ index bf9fc68..0ea7e39 100644
int err, err2;
int fput_needed;
-@@ -1882,6 +1955,8 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned, flags)
+@@ -1882,6 +1959,8 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned, flags)
int err, ctl_len, iov_size, total_len;
int fput_needed;
@@ -119146,7 +119166,7 @@ index bf9fc68..0ea7e39 100644
err = -EFAULT;
if (MSG_CMSG_COMPAT & flags) {
if (get_compat_msghdr(&msg_sys, msg_compat))
-@@ -1987,7 +2062,7 @@ SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
+@@ -1987,7 +2066,7 @@ SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
int fput_needed;
/* kernel mode address */
@@ -119155,7 +119175,7 @@ index bf9fc68..0ea7e39 100644
/* user mode address pointers */
struct sockaddr __user *uaddr;
-@@ -2022,7 +2097,7 @@ SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
+@@ -2022,7 +2101,7 @@ SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
* kernel msghdr to use the kernel address space)
*/
diff --git a/2.6.32/4440_grsec-remove-protected-paths.patch b/2.6.32/4440_grsec-remove-protected-paths.patch
index 339cc6e..38d465e 100644
--- a/2.6.32/4440_grsec-remove-protected-paths.patch
+++ b/2.6.32/4440_grsec-remove-protected-paths.patch
@@ -6,7 +6,7 @@ the filesystem.
diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile
--- a/grsecurity/Makefile 2011-10-19 19:48:21.000000000 -0400
+++ b/grsecurity/Makefile 2011-10-19 19:50:44.000000000 -0400
-@@ -29,10 +29,4 @@
+@@ -34,10 +34,4 @@
ifdef CONFIG_GRKERNSEC_HIDESYM
extra-y := grsec_hidesym.o
$(obj)/grsec_hidesym.o:
diff --git a/2.6.32/4450_grsec-kconfig-default-gids.patch b/2.6.32/4450_grsec-kconfig-default-gids.patch
index 87aa8e4..3dfdc8f 100644
--- a/2.6.32/4450_grsec-kconfig-default-gids.patch
+++ b/2.6.32/4450_grsec-kconfig-default-gids.patch
@@ -16,7 +16,7 @@ from shooting themselves in the foot.
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400
+++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400
-@@ -570,7 +570,7 @@
+@@ -572,7 +572,7 @@
config GRKERNSEC_AUDIT_GID
int "GID for auditing"
depends on GRKERNSEC_AUDIT_GROUP
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
config GRKERNSEC_EXECLOG
bool "Exec logging"
-@@ -790,7 +790,7 @@
+@@ -792,7 +792,7 @@
config GRKERNSEC_TPE_UNTRUSTED_GID
int "GID for TPE-untrusted users"
depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*enabled* for. If the sysctl option is enabled, a sysctl option
-@@ -799,7 +799,7 @@
+@@ -801,7 +801,7 @@
config GRKERNSEC_TPE_TRUSTED_GID
int "GID for TPE-trusted users"
depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -892,7 +892,7 @@
+@@ -894,7 +894,7 @@
config GRKERNSEC_SOCKET_ALL_GID
int "GID to deny all sockets for"
depends on GRKERNSEC_SOCKET_ALL
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable socket access for. Remember to
add the users you want socket access disabled for to the GID
-@@ -913,7 +913,7 @@
+@@ -915,7 +915,7 @@
config GRKERNSEC_SOCKET_CLIENT_GID
int "GID to deny client sockets for"
depends on GRKERNSEC_SOCKET_CLIENT
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable client socket access for.
Remember to add the users you want client socket access disabled for to
-@@ -931,7 +931,7 @@
+@@ -933,7 +933,7 @@
config GRKERNSEC_SOCKET_SERVER_GID
int "GID to deny server sockets for"
depends on GRKERNSEC_SOCKET_SERVER
diff --git a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
index 19027c3..418ae16 100644
--- a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2011-04-17 18:47:02.000000000 -0400
+++ b/grsecurity/Kconfig 2011-04-17 18:51:15.000000000 -0400
-@@ -990,6 +990,27 @@
+@@ -1027,6 +1027,27 @@
menu "Logging Options"
depends on GRKERNSEC
diff --git a/3.11.1/0000_README b/3.11.2/0000_README
similarity index 92%
rename from 3.11.1/0000_README
rename to 3.11.2/0000_README
index da0f1cd..b666b59 100644
--- a/3.11.1/0000_README
+++ b/3.11.2/0000_README
@@ -2,7 +2,11 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.11.1-201309221838.patch
+Patch: 1001_linux-3.11.2.patch
+From: http://www.kernel.org
+Desc: Linux 3.11.2
+
+Patch: 4420_grsecurity-2.9.1-3.11.2-201309281103.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.11.2/1001_linux-3.11.2.patch b/3.11.2/1001_linux-3.11.2.patch
new file mode 100644
index 0000000..5d8bdf1
--- /dev/null
+++ b/3.11.2/1001_linux-3.11.2.patch
@@ -0,0 +1,4419 @@
+diff --git a/Makefile b/Makefile
+index efd2396..aede319 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 11
+-SUBLEVEL = 1
++SUBLEVEL = 2
+ EXTRAVERSION =
+ NAME = Linux for Workgroups
+
+diff --git a/arch/arc/include/asm/sections.h b/arch/arc/include/asm/sections.h
+index 6fc1159..764f1e3 100644
+--- a/arch/arc/include/asm/sections.h
++++ b/arch/arc/include/asm/sections.h
+@@ -11,7 +11,6 @@
+
+ #include <asm-generic/sections.h>
+
+-extern char _int_vec_base_lds[];
+ extern char __arc_dccm_base[];
+ extern char __dtb_start[];
+
+diff --git a/arch/arc/kernel/head.S b/arch/arc/kernel/head.S
+index 2a913f8..0f944f0 100644
+--- a/arch/arc/kernel/head.S
++++ b/arch/arc/kernel/head.S
+@@ -34,6 +34,9 @@ stext:
+ ; IDENTITY Reg [ 3 2 1 0 ]
+ ; (cpu-id) ^^^ => Zero for UP ARC700
+ ; => #Core-ID if SMP (Master 0)
++ ; Note that non-boot CPUs might not land here if halt-on-reset and
++ ; instead breath life from @first_lines_of_secondary, but we still
++ ; need to make sure only boot cpu takes this path.
+ GET_CPU_ID r5
+ cmp r5, 0
+ jnz arc_platform_smp_wait_to_boot
+@@ -98,6 +101,8 @@ stext:
+
+ first_lines_of_secondary:
+
++ sr @_int_vec_base_lds, [AUX_INTR_VEC_BASE]
++
+ ; setup per-cpu idle task as "current" on this CPU
+ ld r0, [@secondary_idle_tsk]
+ SET_CURR_TASK_ON_CPU r0, r1
+diff --git a/arch/arc/kernel/irq.c b/arch/arc/kernel/irq.c
+index 305b3f8..5fc9245 100644
+--- a/arch/arc/kernel/irq.c
++++ b/arch/arc/kernel/irq.c
+@@ -24,7 +24,6 @@
+ * -Needed for each CPU (hence not foldable into init_IRQ)
+ *
+ * what it does ?
+- * -setup Vector Table Base Reg - in case Linux not linked at 0x8000_0000
+ * -Disable all IRQs (on CPU side)
+ * -Optionally, setup the High priority Interrupts as Level 2 IRQs
+ */
+diff --git a/arch/arc/kernel/setup.c b/arch/arc/kernel/setup.c
+index 6b08345..e818563 100644
+--- a/arch/arc/kernel/setup.c
++++ b/arch/arc/kernel/setup.c
+@@ -47,10 +47,7 @@ void read_arc_build_cfg_regs(void)
+ READ_BCR(AUX_IDENTITY, cpu->core);
+
+ cpu->timers = read_aux_reg(ARC_REG_TIMERS_BCR);
+-
+ cpu->vec_base = read_aux_reg(AUX_INTR_VEC_BASE);
+- if (cpu->vec_base == 0)
+- cpu->vec_base = (unsigned int)_int_vec_base_lds;
+
+ READ_BCR(ARC_REG_D_UNCACH_BCR, uncached_space);
+ cpu->uncached_base = uncached_space.start << 24;
+diff --git a/arch/arm/mach-versatile/include/mach/platform.h b/arch/arm/mach-versatile/include/mach/platform.h
+index ec08740..6f938cc 100644
+--- a/arch/arm/mach-versatile/include/mach/platform.h
++++ b/arch/arm/mach-versatile/include/mach/platform.h
+@@ -231,12 +231,14 @@
+ /* PCI space */
+ #define VERSATILE_PCI_BASE 0x41000000 /* PCI Interface */
+ #define VERSATILE_PCI_CFG_BASE 0x42000000
++#define VERSATILE_PCI_IO_BASE 0x43000000
+ #define VERSATILE_PCI_MEM_BASE0 0x44000000
+ #define VERSATILE_PCI_MEM_BASE1 0x50000000
+ #define VERSATILE_PCI_MEM_BASE2 0x60000000
+ /* Sizes of above maps */
+ #define VERSATILE_PCI_BASE_SIZE 0x01000000
+ #define VERSATILE_PCI_CFG_BASE_SIZE 0x02000000
++#define VERSATILE_PCI_IO_BASE_SIZE 0x01000000
+ #define VERSATILE_PCI_MEM_BASE0_SIZE 0x0c000000 /* 32Mb */
+ #define VERSATILE_PCI_MEM_BASE1_SIZE 0x10000000 /* 256Mb */
+ #define VERSATILE_PCI_MEM_BASE2_SIZE 0x10000000 /* 256Mb */
+diff --git a/arch/arm/mach-versatile/pci.c b/arch/arm/mach-versatile/pci.c
+index e92e5e0..c97be4e 100644
+--- a/arch/arm/mach-versatile/pci.c
++++ b/arch/arm/mach-versatile/pci.c
+@@ -43,9 +43,9 @@
+ #define PCI_IMAP0 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x0)
+ #define PCI_IMAP1 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x4)
+ #define PCI_IMAP2 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x8)
+-#define PCI_SMAP0 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x10)
+-#define PCI_SMAP1 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x14)
+-#define PCI_SMAP2 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x18)
++#define PCI_SMAP0 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x14)
++#define PCI_SMAP1 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x18)
++#define PCI_SMAP2 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x1c)
+ #define PCI_SELFID __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0xc)
+
+ #define DEVICE_ID_OFFSET 0x00
+@@ -170,8 +170,8 @@ static struct pci_ops pci_versatile_ops = {
+ .write = versatile_write_config,
+ };
+
+-static struct resource io_mem = {
+- .name = "PCI I/O space",
++static struct resource unused_mem = {
++ .name = "PCI unused",
+ .start = VERSATILE_PCI_MEM_BASE0,
+ .end = VERSATILE_PCI_MEM_BASE0+VERSATILE_PCI_MEM_BASE0_SIZE-1,
+ .flags = IORESOURCE_MEM,
+@@ -195,9 +195,9 @@ static int __init pci_versatile_setup_resources(struct pci_sys_data *sys)
+ {
+ int ret = 0;
+
+- ret = request_resource(&iomem_resource, &io_mem);
++ ret = request_resource(&iomem_resource, &unused_mem);
+ if (ret) {
+- printk(KERN_ERR "PCI: unable to allocate I/O "
++ printk(KERN_ERR "PCI: unable to allocate unused "
+ "memory region (%d)\n", ret);
+ goto out;
+ }
+@@ -205,7 +205,7 @@ static int __init pci_versatile_setup_resources(struct pci_sys_data *sys)
+ if (ret) {
+ printk(KERN_ERR "PCI: unable to allocate non-prefetchable "
+ "memory region (%d)\n", ret);
+- goto release_io_mem;
++ goto release_unused_mem;
+ }
+ ret = request_resource(&iomem_resource, &pre_mem);
+ if (ret) {
+@@ -225,8 +225,8 @@ static int __init pci_versatile_setup_resources(struct pci_sys_data *sys)
+
+ release_non_mem:
+ release_resource(&non_mem);
+- release_io_mem:
+- release_resource(&io_mem);
++ release_unused_mem:
++ release_resource(&unused_mem);
+ out:
+ return ret;
+ }
+@@ -246,7 +246,7 @@ int __init pci_versatile_setup(int nr, struct pci_sys_data *sys)
+ goto out;
+ }
+
+- ret = pci_ioremap_io(0, VERSATILE_PCI_MEM_BASE0);
++ ret = pci_ioremap_io(0, VERSATILE_PCI_IO_BASE);
+ if (ret)
+ goto out;
+
+@@ -295,6 +295,19 @@ int __init pci_versatile_setup(int nr, struct pci_sys_data *sys)
+ __raw_writel(PHYS_OFFSET, local_pci_cfg_base + PCI_BASE_ADDRESS_2);
+
+ /*
++ * For many years the kernel and QEMU were symbiotically buggy
++ * in that they both assumed the same broken IRQ mapping.
++ * QEMU therefore attempts to auto-detect old broken kernels
++ * so that they still work on newer QEMU as they did on old
++ * QEMU. Since we now use the correct (ie matching-hardware)
++ * IRQ mapping we write a definitely different value to a
++ * PCI_INTERRUPT_LINE register to tell QEMU that we expect
++ * real hardware behaviour and it need not be backwards
++ * compatible for us. This write is harmless on real hardware.
++ */
++ __raw_writel(0, VERSATILE_PCI_VIRT_BASE+PCI_INTERRUPT_LINE);
++
++ /*
+ * Do not to map Versatile FPGA PCI device into memory space
+ */
+ pci_slot_ignore |= (1 << myslot);
+@@ -327,13 +340,13 @@ static int __init versatile_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
+ {
+ int irq;
+
+- /* slot, pin, irq
+- * 24 1 IRQ_SIC_PCI0
+- * 25 1 IRQ_SIC_PCI1
+- * 26 1 IRQ_SIC_PCI2
+- * 27 1 IRQ_SIC_PCI3
++ /*
++ * Slot INTA INTB INTC INTD
++ * 31 PCI1 PCI2 PCI3 PCI0
++ * 30 PCI0 PCI1 PCI2 PCI3
++ * 29 PCI3 PCI0 PCI1 PCI2
+ */
+- irq = IRQ_SIC_PCI0 + ((slot - 24 + pin - 1) & 3);
++ irq = IRQ_SIC_PCI0 + ((slot + 2 + pin - 1) & 3);
+
+ return irq;
+ }
+diff --git a/arch/arm/xen/enlighten.c b/arch/arm/xen/enlighten.c
+index 8a6295c..7071fca 100644
+--- a/arch/arm/xen/enlighten.c
++++ b/arch/arm/xen/enlighten.c
+@@ -273,12 +273,15 @@ core_initcall(xen_guest_init);
+
+ static int __init xen_pm_init(void)
+ {
++ if (!xen_domain())
++ return -ENODEV;
++
+ pm_power_off = xen_power_off;
+ arm_pm_restart = xen_restart;
+
+ return 0;
+ }
+-subsys_initcall(xen_pm_init);
++late_initcall(xen_pm_init);
+
+ static irqreturn_t xen_arm_callback(int irq, void *arg)
+ {
+diff --git a/arch/arm64/kernel/perf_event.c b/arch/arm64/kernel/perf_event.c
+index 12e6ccb..cea1594 100644
+--- a/arch/arm64/kernel/perf_event.c
++++ b/arch/arm64/kernel/perf_event.c
+@@ -325,7 +325,10 @@ validate_event(struct pmu_hw_events *hw_events,
+ if (is_software_event(event))
+ return 1;
+
+- if (event->pmu != leader_pmu || event->state <= PERF_EVENT_STATE_OFF)
++ if (event->pmu != leader_pmu || event->state < PERF_EVENT_STATE_OFF)
++ return 1;
++
++ if (event->state == PERF_EVENT_STATE_OFF && !event->attr.enable_on_exec)
+ return 1;
+
+ return armpmu->get_event_idx(hw_events, &fake_event) >= 0;
+@@ -781,7 +784,7 @@ static const unsigned armv8_pmuv3_perf_cache_map[PERF_COUNT_HW_CACHE_MAX]
+ /*
+ * PMXEVTYPER: Event selection reg
+ */
+-#define ARMV8_EVTYPE_MASK 0xc00000ff /* Mask for writable bits */
++#define ARMV8_EVTYPE_MASK 0xc80000ff /* Mask for writable bits */
+ #define ARMV8_EVTYPE_EVENT 0xff /* Mask for EVENT bits */
+
+ /*
+diff --git a/arch/mips/ath79/clock.c b/arch/mips/ath79/clock.c
+index 765ef30..733017b 100644
+--- a/arch/mips/ath79/clock.c
++++ b/arch/mips/ath79/clock.c
+@@ -164,7 +164,7 @@ static void __init ar933x_clocks_init(void)
+ ath79_ahb_clk.rate = freq / t;
+ }
+
+- ath79_wdt_clk.rate = ath79_ref_clk.rate;
++ ath79_wdt_clk.rate = ath79_ahb_clk.rate;
+ ath79_uart_clk.rate = ath79_ref_clk.rate;
+ }
+
+diff --git a/arch/powerpc/kernel/align.c b/arch/powerpc/kernel/align.c
+index ee5b690..52e5758 100644
+--- a/arch/powerpc/kernel/align.c
++++ b/arch/powerpc/kernel/align.c
+@@ -764,6 +764,16 @@ int fix_alignment(struct pt_regs *regs)
+ nb = aligninfo[instr].len;
+ flags = aligninfo[instr].flags;
+
++ /* ldbrx/stdbrx overlap lfs/stfs in the DSISR unfortunately */
++ if (IS_XFORM(instruction) && ((instruction >> 1) & 0x3ff) == 532) {
++ nb = 8;
++ flags = LD+SW;
++ } else if (IS_XFORM(instruction) &&
++ ((instruction >> 1) & 0x3ff) == 660) {
++ nb = 8;
++ flags = ST+SW;
++ }
++
+ /* Byteswap little endian loads and stores */
+ swiz = 0;
+ if (regs->msr & MSR_LE) {
+diff --git a/arch/powerpc/kvm/book3s_xics.c b/arch/powerpc/kvm/book3s_xics.c
+index 94c1dd4..a3a5cb8 100644
+--- a/arch/powerpc/kvm/book3s_xics.c
++++ b/arch/powerpc/kvm/book3s_xics.c
+@@ -19,6 +19,7 @@
+ #include <asm/hvcall.h>
+ #include <asm/xics.h>
+ #include <asm/debug.h>
++#include <asm/time.h>
+
+ #include <linux/debugfs.h>
+ #include <linux/seq_file.h>
+diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c
+index c11c823..54b998f 100644
+--- a/arch/powerpc/platforms/pseries/setup.c
++++ b/arch/powerpc/platforms/pseries/setup.c
+@@ -354,7 +354,7 @@ static int alloc_dispatch_log_kmem_cache(void)
+ }
+ early_initcall(alloc_dispatch_log_kmem_cache);
+
+-static void pSeries_idle(void)
++static void pseries_lpar_idle(void)
+ {
+ /* This would call on the cpuidle framework, and the back-end pseries
+ * driver to go to idle states
+@@ -362,10 +362,22 @@ static void pSeries_idle(void)
+ if (cpuidle_idle_call()) {
+ /* On error, execute default handler
+ * to go into low thread priority and possibly
+- * low power mode.
++ * low power mode by cedeing processor to hypervisor
+ */
+- HMT_low();
+- HMT_very_low();
++
++ /* Indicate to hypervisor that we are idle. */
++ get_lppaca()->idle = 1;
++
++ /*
++ * Yield the processor to the hypervisor. We return if
++ * an external interrupt occurs (which are driven prior
++ * to returning here) or if a prod occurs from another
++ * processor. When returning here, external interrupts
++ * are enabled.
++ */
++ cede_processor();
++
++ get_lppaca()->idle = 0;
+ }
+ }
+
+@@ -456,15 +468,14 @@ static void __init pSeries_setup_arch(void)
+
+ pSeries_nvram_init();
+
+- if (firmware_has_feature(FW_FEATURE_SPLPAR)) {
++ if (firmware_has_feature(FW_FEATURE_LPAR)) {
+ vpa_init(boot_cpuid);
+- ppc_md.power_save = pSeries_idle;
+- }
+-
+- if (firmware_has_feature(FW_FEATURE_LPAR))
++ ppc_md.power_save = pseries_lpar_idle;
+ ppc_md.enable_pmcs = pseries_lpar_enable_pmcs;
+- else
++ } else {
++ /* No special idle routine */
+ ppc_md.enable_pmcs = power4_enable_pmcs;
++ }
+
+ ppc_md.pcibios_root_bridge_prepare = pseries_root_bridge_prepare;
+
+diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
+index d5f10a4..7092392 100644
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -805,7 +805,7 @@ static struct bpf_binary_header *bpf_alloc_binary(unsigned int bpfsize,
+ return NULL;
+ memset(header, 0, sz);
+ header->pages = sz / PAGE_SIZE;
+- hole = sz - bpfsize + sizeof(*header);
++ hole = sz - (bpfsize + sizeof(*header));
+ /* Insert random number of illegal instructions before BPF code
+ * and make sure the first instruction starts at an even address.
+ */
+diff --git a/arch/um/include/shared/os.h b/arch/um/include/shared/os.h
+index 95feaa4..c70a234 100644
+--- a/arch/um/include/shared/os.h
++++ b/arch/um/include/shared/os.h
+@@ -200,6 +200,7 @@ extern int os_unmap_memory(void *addr, int len);
+ extern int os_drop_memory(void *addr, int length);
+ extern int can_drop_memory(void);
+ extern void os_flush_stdout(void);
++extern int os_mincore(void *addr, unsigned long len);
+
+ /* execvp.c */
+ extern int execvp_noalloc(char *buf, const char *file, char *const argv[]);
+diff --git a/arch/um/kernel/Makefile b/arch/um/kernel/Makefile
+index babe218..d8b78a0 100644
+--- a/arch/um/kernel/Makefile
++++ b/arch/um/kernel/Makefile
+@@ -13,7 +13,7 @@ clean-files :=
+ obj-y = config.o exec.o exitcode.o irq.o ksyms.o mem.o \
+ physmem.o process.o ptrace.o reboot.o sigio.o \
+ signal.o smp.o syscall.o sysrq.o time.o tlb.o trap.o \
+- um_arch.o umid.o skas/
++ um_arch.o umid.o maccess.o skas/
+
+ obj-$(CONFIG_BLK_DEV_INITRD) += initrd.o
+ obj-$(CONFIG_GPROF) += gprof_syms.o
+diff --git a/arch/um/kernel/maccess.c b/arch/um/kernel/maccess.c
+new file mode 100644
+index 0000000..1f3d5c4
+--- /dev/null
++++ b/arch/um/kernel/maccess.c
+@@ -0,0 +1,24 @@
++/*
++ * Copyright (C) 2013 Richard Weinberger <richrd@nod.at>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
++ */
++
++#include <linux/uaccess.h>
++#include <linux/kernel.h>
++#include <os.h>
++
++long probe_kernel_read(void *dst, const void *src, size_t size)
++{
++ void *psrc = (void *)rounddown((unsigned long)src, PAGE_SIZE);
++
++ if ((unsigned long)src < PAGE_SIZE || size <= 0)
++ return -EFAULT;
++
++ if (os_mincore(psrc, size + src - psrc) <= 0)
++ return -EFAULT;
++
++ return __probe_kernel_read(dst, src, size);
++}
+diff --git a/arch/um/os-Linux/process.c b/arch/um/os-Linux/process.c
+index b8f34c9..67b9c8f 100644
+--- a/arch/um/os-Linux/process.c
++++ b/arch/um/os-Linux/process.c
+@@ -4,6 +4,7 @@
+ */
+
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <unistd.h>
+ #include <errno.h>
+ #include <signal.h>
+@@ -232,6 +233,57 @@ out:
+ return ok;
+ }
+
++static int os_page_mincore(void *addr)
++{
++ char vec[2];
++ int ret;
++
++ ret = mincore(addr, UM_KERN_PAGE_SIZE, vec);
++ if (ret < 0) {
++ if (errno == ENOMEM || errno == EINVAL)
++ return 0;
++ else
++ return -errno;
++ }
++
++ return vec[0] & 1;
++}
++
++int os_mincore(void *addr, unsigned long len)
++{
++ char *vec;
++ int ret, i;
++
++ if (len <= UM_KERN_PAGE_SIZE)
++ return os_page_mincore(addr);
++
++ vec = calloc(1, (len + UM_KERN_PAGE_SIZE - 1) / UM_KERN_PAGE_SIZE);
++ if (!vec)
++ return -ENOMEM;
++
++ ret = mincore(addr, UM_KERN_PAGE_SIZE, vec);
++ if (ret < 0) {
++ if (errno == ENOMEM || errno == EINVAL)
++ ret = 0;
++ else
++ ret = -errno;
++
++ goto out;
++ }
++
++ for (i = 0; i < ((len + UM_KERN_PAGE_SIZE - 1) / UM_KERN_PAGE_SIZE); i++) {
++ if (!(vec[i] & 1)) {
++ ret = 0;
++ goto out;
++ }
++ }
++
++ ret = 1;
++out:
++ free(vec);
++ return ret;
++}
++
+ void init_new_thread_signals(void)
+ {
+ set_handler(SIGSEGV);
+diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
+index bccfca6..665a730 100644
+--- a/arch/x86/ia32/ia32_signal.c
++++ b/arch/x86/ia32/ia32_signal.c
+@@ -457,7 +457,7 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig,
+ else
+ put_user_ex(0, &frame->uc.uc_flags);
+ put_user_ex(0, &frame->uc.uc_link);
+- err |= __compat_save_altstack(&frame->uc.uc_stack, regs->sp);
++ compat_save_altstack_ex(&frame->uc.uc_stack, regs->sp);
+
+ if (ksig->ka.sa.sa_flags & SA_RESTORER)
+ restorer = ksig->ka.sa.sa_restorer;
+diff --git a/arch/x86/include/asm/checksum_32.h b/arch/x86/include/asm/checksum_32.h
+index 46fc474..f50de69 100644
+--- a/arch/x86/include/asm/checksum_32.h
++++ b/arch/x86/include/asm/checksum_32.h
+@@ -49,9 +49,15 @@ static inline __wsum csum_partial_copy_from_user(const void __user *src,
+ int len, __wsum sum,
+ int *err_ptr)
+ {
++ __wsum ret;
++
+ might_sleep();
+- return csum_partial_copy_generic((__force void *)src, dst,
+- len, sum, err_ptr, NULL);
++ stac();
++ ret = csum_partial_copy_generic((__force void *)src, dst,
++ len, sum, err_ptr, NULL);
++ clac();
++
++ return ret;
+ }
+
+ /*
+@@ -176,10 +182,16 @@ static inline __wsum csum_and_copy_to_user(const void *src,
+ int len, __wsum sum,
+ int *err_ptr)
+ {
++ __wsum ret;
++
+ might_sleep();
+- if (access_ok(VERIFY_WRITE, dst, len))
+- return csum_partial_copy_generic(src, (__force void *)dst,
+- len, sum, NULL, err_ptr);
++ if (access_ok(VERIFY_WRITE, dst, len)) {
++ stac();
++ ret = csum_partial_copy_generic(src, (__force void *)dst,
++ len, sum, NULL, err_ptr);
++ clac();
++ return ret;
++ }
+
+ if (len)
+ *err_ptr = -EFAULT;
+diff --git a/arch/x86/include/asm/mce.h b/arch/x86/include/asm/mce.h
+index 29e3093..aa97342 100644
+--- a/arch/x86/include/asm/mce.h
++++ b/arch/x86/include/asm/mce.h
+@@ -32,11 +32,20 @@
+ #define MCI_STATUS_PCC (1ULL<<57) /* processor context corrupt */
+ #define MCI_STATUS_S (1ULL<<56) /* Signaled machine check */
+ #define MCI_STATUS_AR (1ULL<<55) /* Action required */
+-#define MCACOD 0xffff /* MCA Error Code */
++
++/*
++ * Note that the full MCACOD field of IA32_MCi_STATUS MSR is
++ * bits 15:0. But bit 12 is the 'F' bit, defined for corrected
++ * errors to indicate that errors are being filtered by hardware.
++ * We should mask out bit 12 when looking for specific signatures
++ * of uncorrected errors - so the F bit is deliberately skipped
++ * in this #define.
++ */
++#define MCACOD 0xefff /* MCA Error Code */
+
+ /* Architecturally defined codes from SDM Vol. 3B Chapter 15 */
+ #define MCACOD_SCRUB 0x00C0 /* 0xC0-0xCF Memory Scrubbing */
+-#define MCACOD_SCRUBMSK 0xfff0
++#define MCACOD_SCRUBMSK 0xeff0 /* Skip bit 12 ('F' bit) */
+ #define MCACOD_L3WB 0x017A /* L3 Explicit Writeback */
+ #define MCACOD_DATA 0x0134 /* Data Load */
+ #define MCACOD_INSTR 0x0150 /* Instruction Fetch */
+diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
+index cdbf367..be12c53 100644
+--- a/arch/x86/include/asm/mmu_context.h
++++ b/arch/x86/include/asm/mmu_context.h
+@@ -45,22 +45,28 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+ /* Re-load page tables */
+ load_cr3(next->pgd);
+
+- /* stop flush ipis for the previous mm */
++ /* Stop flush ipis for the previous mm */
+ cpumask_clear_cpu(cpu, mm_cpumask(prev));
+
+- /*
+- * load the LDT, if the LDT is different:
+- */
++ /* Load the LDT, if the LDT is different: */
+ if (unlikely(prev->context.ldt != next->context.ldt))
+ load_LDT_nolock(&next->context);
+ }
+ #ifdef CONFIG_SMP
+- else {
++ else {
+ this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
+ BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next);
+
+- if (!cpumask_test_and_set_cpu(cpu, mm_cpumask(next))) {
+- /* We were in lazy tlb mode and leave_mm disabled
++ if (!cpumask_test_cpu(cpu, mm_cpumask(next))) {
++ /*
++ * On established mms, the mm_cpumask is only changed
++ * from irq context, from ptep_clear_flush() while in
++ * lazy tlb mode, and here. Irqs are blocked during
++ * schedule, protecting us from simultaneous changes.
++ */
++ cpumask_set_cpu(cpu, mm_cpumask(next));
++ /*
++ * We were in lazy tlb mode and leave_mm disabled
+ * tlb flush IPI delivery. We must reload CR3
+ * to make sure to use no freed page tables.
+ */
+diff --git a/arch/x86/kernel/amd_nb.c b/arch/x86/kernel/amd_nb.c
+index 3048ded..59554dc 100644
+--- a/arch/x86/kernel/amd_nb.c
++++ b/arch/x86/kernel/amd_nb.c
+@@ -20,6 +20,7 @@ const struct pci_device_id amd_nb_misc_ids[] = {
+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_10H_NB_MISC) },
+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_NB_F3) },
+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_M10H_F3) },
++ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_M30H_NB_F3) },
+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_NB_F3) },
+ {}
+ };
+@@ -27,6 +28,7 @@ EXPORT_SYMBOL(amd_nb_misc_ids);
+
+ static const struct pci_device_id amd_nb_link_ids[] = {
+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_NB_F4) },
++ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_M30H_NB_F4) },
+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_NB_F4) },
+ {}
+ };
+@@ -81,13 +83,20 @@ int amd_cache_northbridges(void)
+ next_northbridge(misc, amd_nb_misc_ids);
+ node_to_amd_nb(i)->link = link =
+ next_northbridge(link, amd_nb_link_ids);
+- }
++ }
+
++ /* GART present only on Fam15h upto model 0fh */
+ if (boot_cpu_data.x86 == 0xf || boot_cpu_data.x86 == 0x10 ||
+- boot_cpu_data.x86 == 0x15)
++ (boot_cpu_data.x86 == 0x15 && boot_cpu_data.x86_model < 0x10))
+ amd_northbridges.flags |= AMD_NB_GART;
+
+ /*
++ * Check for L3 cache presence.
++ */
++ if (!cpuid_edx(0x80000006))
++ return 0;
++
++ /*
+ * Some CPU families support L3 Cache Index Disable. There are some
+ * limitations because of E382 and E388 on family 0x10.
+ */
+diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
+index cf91358..d859eea 100644
+--- a/arch/x86/kernel/signal.c
++++ b/arch/x86/kernel/signal.c
+@@ -358,7 +358,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
+ else
+ put_user_ex(0, &frame->uc.uc_flags);
+ put_user_ex(0, &frame->uc.uc_link);
+- err |= __save_altstack(&frame->uc.uc_stack, regs->sp);
++ save_altstack_ex(&frame->uc.uc_stack, regs->sp);
+
+ /* Set up to return from userspace. */
+ restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
+@@ -423,7 +423,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
+ else
+ put_user_ex(0, &frame->uc.uc_flags);
+ put_user_ex(0, &frame->uc.uc_link);
+- err |= __save_altstack(&frame->uc.uc_stack, regs->sp);
++ save_altstack_ex(&frame->uc.uc_stack, regs->sp);
+
+ /* Set up to return from userspace. If provided, use a stub
+ already in userspace. */
+@@ -490,7 +490,7 @@ static int x32_setup_rt_frame(struct ksignal *ksig,
+ else
+ put_user_ex(0, &frame->uc.uc_flags);
+ put_user_ex(0, &frame->uc.uc_link);
+- err |= __compat_save_altstack(&frame->uc.uc_stack, regs->sp);
++ compat_save_altstack_ex(&frame->uc.uc_stack, regs->sp);
+ put_user_ex(0, &frame->uc.uc__pad0);
+
+ if (ksig->ka.sa.sa_flags & SA_RESTORER) {
+diff --git a/arch/x86/lib/csum-wrappers_64.c b/arch/x86/lib/csum-wrappers_64.c
+index 25b7ae8..7609e0e 100644
+--- a/arch/x86/lib/csum-wrappers_64.c
++++ b/arch/x86/lib/csum-wrappers_64.c
+@@ -6,6 +6,7 @@
+ */
+ #include <asm/checksum.h>
+ #include <linux/module.h>
++#include <asm/smap.h>
+
+ /**
+ * csum_partial_copy_from_user - Copy and checksum from user space.
+@@ -52,8 +53,10 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
+ len -= 2;
+ }
+ }
++ stac();
+ isum = csum_partial_copy_generic((__force const void *)src,
+ dst, len, isum, errp, NULL);
++ clac();
+ if (unlikely(*errp))
+ goto out_err;
+
+@@ -82,6 +85,8 @@ __wsum
+ csum_partial_copy_to_user(const void *src, void __user *dst,
+ int len, __wsum isum, int *errp)
+ {
++ __wsum ret;
++
+ might_sleep();
+
+ if (unlikely(!access_ok(VERIFY_WRITE, dst, len))) {
+@@ -105,8 +110,11 @@ csum_partial_copy_to_user(const void *src, void __user *dst,
+ }
+
+ *errp = 0;
+- return csum_partial_copy_generic(src, (void __force *)dst,
+- len, isum, NULL, errp);
++ stac();
++ ret = csum_partial_copy_generic(src, (void __force *)dst,
++ len, isum, NULL, errp);
++ clac();
++ return ret;
+ }
+ EXPORT_SYMBOL(csum_partial_copy_to_user);
+
+diff --git a/arch/xtensa/kernel/xtensa_ksyms.c b/arch/xtensa/kernel/xtensa_ksyms.c
+index d8507f8..74a60c7 100644
+--- a/arch/xtensa/kernel/xtensa_ksyms.c
++++ b/arch/xtensa/kernel/xtensa_ksyms.c
+@@ -25,6 +25,7 @@
+ #include <asm/io.h>
+ #include <asm/page.h>
+ #include <asm/pgalloc.h>
++#include <asm/ftrace.h>
+ #ifdef CONFIG_BLK_DEV_FD
+ #include <asm/floppy.h>
+ #endif
+diff --git a/crypto/api.c b/crypto/api.c
+index 3b61803..37c4c72 100644
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -34,6 +34,8 @@ EXPORT_SYMBOL_GPL(crypto_alg_sem);
+ BLOCKING_NOTIFIER_HEAD(crypto_chain);
+ EXPORT_SYMBOL_GPL(crypto_chain);
+
++static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg);
++
+ struct crypto_alg *crypto_mod_get(struct crypto_alg *alg)
+ {
+ return try_module_get(alg->cra_module) ? crypto_alg_get(alg) : NULL;
+@@ -144,8 +146,11 @@ static struct crypto_alg *crypto_larval_add(const char *name, u32 type,
+ }
+ up_write(&crypto_alg_sem);
+
+- if (alg != &larval->alg)
++ if (alg != &larval->alg) {
+ kfree(larval);
++ if (crypto_is_larval(alg))
++ alg = crypto_larval_wait(alg);
++ }
+
+ return alg;
+ }
+diff --git a/drivers/acpi/acpi_lpss.c b/drivers/acpi/acpi_lpss.c
+index 6a38218..fb78bb9 100644
+--- a/drivers/acpi/acpi_lpss.c
++++ b/drivers/acpi/acpi_lpss.c
+@@ -257,12 +257,13 @@ static int acpi_lpss_create_device(struct acpi_device *adev,
+ pdata->mmio_size = resource_size(&rentry->res);
+ pdata->mmio_base = ioremap(rentry->res.start,
+ pdata->mmio_size);
+- pdata->dev_desc = dev_desc;
+ break;
+ }
+
+ acpi_dev_free_resource_list(&resource_list);
+
++ pdata->dev_desc = dev_desc;
++
+ if (dev_desc->clk_required) {
+ ret = register_device_clock(adev, pdata);
+ if (ret) {
+diff --git a/drivers/acpi/pci_root.c b/drivers/acpi/pci_root.c
+index 5917839..a67853e 100644
+--- a/drivers/acpi/pci_root.c
++++ b/drivers/acpi/pci_root.c
+@@ -378,6 +378,7 @@ static int acpi_pci_root_add(struct acpi_device *device,
+ struct acpi_pci_root *root;
+ u32 flags, base_flags;
+ acpi_handle handle = device->handle;
++ bool no_aspm = false, clear_aspm = false;
+
+ root = kzalloc(sizeof(struct acpi_pci_root), GFP_KERNEL);
+ if (!root)
+@@ -437,27 +438,6 @@ static int acpi_pci_root_add(struct acpi_device *device,
+ flags = base_flags = OSC_PCI_SEGMENT_GROUPS_SUPPORT;
+ acpi_pci_osc_support(root, flags);
+
+- /*
+- * TBD: Need PCI interface for enumeration/configuration of roots.
+- */
+-
+- /*
+- * Scan the Root Bridge
+- * --------------------
+- * Must do this prior to any attempt to bind the root device, as the
+- * PCI namespace does not get created until this call is made (and
+- * thus the root bridge's pci_dev does not exist).
+- */
+- root->bus = pci_acpi_scan_root(root);
+- if (!root->bus) {
+- dev_err(&device->dev,
+- "Bus %04x:%02x not present in PCI namespace\n",
+- root->segment, (unsigned int)root->secondary.start);
+- result = -ENODEV;
+- goto end;
+- }
+-
+- /* Indicate support for various _OSC capabilities. */
+ if (pci_ext_cfg_avail())
+ flags |= OSC_EXT_PCI_CONFIG_SUPPORT;
+ if (pcie_aspm_support_enabled()) {
+@@ -471,7 +451,7 @@ static int acpi_pci_root_add(struct acpi_device *device,
+ if (ACPI_FAILURE(status)) {
+ dev_info(&device->dev, "ACPI _OSC support "
+ "notification failed, disabling PCIe ASPM\n");
+- pcie_no_aspm();
++ no_aspm = true;
+ flags = base_flags;
+ }
+ }
+@@ -503,7 +483,7 @@ static int acpi_pci_root_add(struct acpi_device *device,
+ * We have ASPM control, but the FADT indicates
+ * that it's unsupported. Clear it.
+ */
+- pcie_clear_aspm(root->bus);
++ clear_aspm = true;
+ }
+ } else {
+ dev_info(&device->dev,
+@@ -512,7 +492,14 @@ static int acpi_pci_root_add(struct acpi_device *device,
+ acpi_format_exception(status), flags);
+ dev_info(&device->dev,
+ "ACPI _OSC control for PCIe not granted, disabling ASPM\n");
+- pcie_no_aspm();
++ /*
++ * We want to disable ASPM here, but aspm_disabled
++ * needs to remain in its state from boot so that we
++ * properly handle PCIe 1.1 devices. So we set this
++ * flag here, to defer the action until after the ACPI
++ * root scan.
++ */
++ no_aspm = true;
+ }
+ } else {
+ dev_info(&device->dev,
+@@ -520,6 +507,33 @@ static int acpi_pci_root_add(struct acpi_device *device,
+ "(_OSC support mask: 0x%02x)\n", flags);
+ }
+
++ /*
++ * TBD: Need PCI interface for enumeration/configuration of roots.
++ */
++
++ /*
++ * Scan the Root Bridge
++ * --------------------
++ * Must do this prior to any attempt to bind the root device, as the
++ * PCI namespace does not get created until this call is made (and
++ * thus the root bridge's pci_dev does not exist).
++ */
++ root->bus = pci_acpi_scan_root(root);
++ if (!root->bus) {
++ dev_err(&device->dev,
++ "Bus %04x:%02x not present in PCI namespace\n",
++ root->segment, (unsigned int)root->secondary.start);
++ result = -ENODEV;
++ goto end;
++ }
++
++ if (clear_aspm) {
++ dev_info(&device->dev, "Disabling ASPM (FADT indicates it is unsupported)\n");
++ pcie_clear_aspm(root->bus);
++ }
++ if (no_aspm)
++ pcie_no_aspm();
++
+ pci_acpi_add_bus_pm_notifier(device, root->bus);
+ if (device->wakeup.flags.run_wake)
+ device_set_run_wake(root->bus->bridge, true);
+diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
+index a439602..c8dac74 100644
+--- a/drivers/base/firmware_class.c
++++ b/drivers/base/firmware_class.c
+@@ -868,8 +868,15 @@ static int _request_firmware_load(struct firmware_priv *fw_priv, bool uevent,
+ goto err_del_dev;
+ }
+
++ mutex_lock(&fw_lock);
++ list_add(&buf->pending_list, &pending_fw_head);
++ mutex_unlock(&fw_lock);
++
+ retval = device_create_file(f_dev, &dev_attr_loading);
+ if (retval) {
++ mutex_lock(&fw_lock);
++ list_del_init(&buf->pending_list);
++ mutex_unlock(&fw_lock);
+ dev_err(f_dev, "%s: device_create_file failed\n", __func__);
+ goto err_del_bin_attr;
+ }
+@@ -884,10 +891,6 @@ static int _request_firmware_load(struct firmware_priv *fw_priv, bool uevent,
+ kobject_uevent(&fw_priv->dev.kobj, KOBJ_ADD);
+ }
+
+- mutex_lock(&fw_lock);
+- list_add(&buf->pending_list, &pending_fw_head);
+- mutex_unlock(&fw_lock);
+-
+ wait_for_completion(&buf->completion);
+
+ cancel_delayed_work_sync(&fw_priv->timeout_work);
+diff --git a/drivers/base/regmap/regmap-debugfs.c b/drivers/base/regmap/regmap-debugfs.c
+index 5349575..6c2652a 100644
+--- a/drivers/base/regmap/regmap-debugfs.c
++++ b/drivers/base/regmap/regmap-debugfs.c
+@@ -85,8 +85,8 @@ static unsigned int regmap_debugfs_get_dump_start(struct regmap *map,
+ unsigned int reg_offset;
+
+ /* Suppress the cache if we're using a subrange */
+- if (from)
+- return from;
++ if (base)
++ return base;
+
+ /*
+ * If we don't have a cache build one so we don't have to do a
+diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
+index 4ad2ad9..45aa20a 100644
+--- a/drivers/block/rbd.c
++++ b/drivers/block/rbd.c
+@@ -1557,11 +1557,12 @@ rbd_img_obj_request_read_callback(struct rbd_obj_request *obj_request)
+ obj_request, obj_request->img_request, obj_request->result,
+ xferred, length);
+ /*
+- * ENOENT means a hole in the image. We zero-fill the
+- * entire length of the request. A short read also implies
+- * zero-fill to the end of the request. Either way we
+- * update the xferred count to indicate the whole request
+- * was satisfied.
++ * ENOENT means a hole in the image. We zero-fill the entire
++ * length of the request. A short read also implies zero-fill
++ * to the end of the request. An error requires the whole
++ * length of the request to be reported finished with an error
++ * to the block layer. In each case we update the xferred
++ * count to indicate the whole request was satisfied.
+ */
+ rbd_assert(obj_request->type != OBJ_REQUEST_NODATA);
+ if (obj_request->result == -ENOENT) {
+@@ -1570,14 +1571,13 @@ rbd_img_obj_request_read_callback(struct rbd_obj_request *obj_request)
+ else
+ zero_pages(obj_request->pages, 0, length);
+ obj_request->result = 0;
+- obj_request->xferred = length;
+ } else if (xferred < length && !obj_request->result) {
+ if (obj_request->type == OBJ_REQUEST_BIO)
+ zero_bio_chain(obj_request->bio_list, xferred);
+ else
+ zero_pages(obj_request->pages, xferred, length);
+- obj_request->xferred = length;
+ }
++ obj_request->xferred = length;
+ obj_request_done_set(obj_request);
+ }
+
+diff --git a/drivers/clk/clk-wm831x.c b/drivers/clk/clk-wm831x.c
+index 1b3f8c9..1d5af3f 100644
+--- a/drivers/clk/clk-wm831x.c
++++ b/drivers/clk/clk-wm831x.c
+@@ -360,6 +360,8 @@ static int wm831x_clk_probe(struct platform_device *pdev)
+ if (!clkdata)
+ return -ENOMEM;
+
++ clkdata->wm831x = wm831x;
++
+ /* XTAL_ENA can only be set via OTP/InstantConfig so just read once */
+ ret = wm831x_reg_read(wm831x, WM831X_CLOCK_CONTROL_2);
+ if (ret < 0) {
+diff --git a/drivers/cpuidle/coupled.c b/drivers/cpuidle/coupled.c
+index 2a297f8..fe853903 100644
+--- a/drivers/cpuidle/coupled.c
++++ b/drivers/cpuidle/coupled.c
+@@ -106,6 +106,7 @@ struct cpuidle_coupled {
+ cpumask_t coupled_cpus;
+ int requested_state[NR_CPUS];
+ atomic_t ready_waiting_counts;
++ atomic_t abort_barrier;
+ int online_count;
+ int refcnt;
+ int prevent;
+@@ -122,12 +123,19 @@ static DEFINE_MUTEX(cpuidle_coupled_lock);
+ static DEFINE_PER_CPU(struct call_single_data, cpuidle_coupled_poke_cb);
+
+ /*
+- * The cpuidle_coupled_poked_mask mask is used to avoid calling
++ * The cpuidle_coupled_poke_pending mask is used to avoid calling
+ * __smp_call_function_single with the per cpu call_single_data struct already
+ * in use. This prevents a deadlock where two cpus are waiting for each others
+ * call_single_data struct to be available
+ */
+-static cpumask_t cpuidle_coupled_poked_mask;
++static cpumask_t cpuidle_coupled_poke_pending;
++
++/*
++ * The cpuidle_coupled_poked mask is used to ensure that each cpu has been poked
++ * once to minimize entering the ready loop with a poke pending, which would
++ * require aborting and retrying.
++ */
++static cpumask_t cpuidle_coupled_poked;
+
+ /**
+ * cpuidle_coupled_parallel_barrier - synchronize all online coupled cpus
+@@ -291,10 +299,11 @@ static inline int cpuidle_coupled_get_state(struct cpuidle_device *dev,
+ return state;
+ }
+
+-static void cpuidle_coupled_poked(void *info)
++static void cpuidle_coupled_handle_poke(void *info)
+ {
+ int cpu = (unsigned long)info;
+- cpumask_clear_cpu(cpu, &cpuidle_coupled_poked_mask);
++ cpumask_set_cpu(cpu, &cpuidle_coupled_poked);
++ cpumask_clear_cpu(cpu, &cpuidle_coupled_poke_pending);
+ }
+
+ /**
+@@ -313,7 +322,7 @@ static void cpuidle_coupled_poke(int cpu)
+ {
+ struct call_single_data *csd = &per_cpu(cpuidle_coupled_poke_cb, cpu);
+
+- if (!cpumask_test_and_set_cpu(cpu, &cpuidle_coupled_poked_mask))
++ if (!cpumask_test_and_set_cpu(cpu, &cpuidle_coupled_poke_pending))
+ __smp_call_function_single(cpu, csd, 0);
+ }
+
+@@ -340,30 +349,19 @@ static void cpuidle_coupled_poke_others(int this_cpu,
+ * @coupled: the struct coupled that contains the current cpu
+ * @next_state: the index in drv->states of the requested state for this cpu
+ *
+- * Updates the requested idle state for the specified cpuidle device,
+- * poking all coupled cpus out of idle if necessary to let them see the new
+- * state.
++ * Updates the requested idle state for the specified cpuidle device.
++ * Returns the number of waiting cpus.
+ */
+-static void cpuidle_coupled_set_waiting(int cpu,
++static int cpuidle_coupled_set_waiting(int cpu,
+ struct cpuidle_coupled *coupled, int next_state)
+ {
+- int w;
+-
+ coupled->requested_state[cpu] = next_state;
+
+ /*
+- * If this is the last cpu to enter the waiting state, poke
+- * all the other cpus out of their waiting state so they can
+- * enter a deeper state. This can race with one of the cpus
+- * exiting the waiting state due to an interrupt and
+- * decrementing waiting_count, see comment below.
+- *
+ * The atomic_inc_return provides a write barrier to order the write
+ * to requested_state with the later write that increments ready_count.
+ */
+- w = atomic_inc_return(&coupled->ready_waiting_counts) & WAITING_MASK;
+- if (w == coupled->online_count)
+- cpuidle_coupled_poke_others(cpu, coupled);
++ return atomic_inc_return(&coupled->ready_waiting_counts) & WAITING_MASK;
+ }
+
+ /**
+@@ -410,19 +408,33 @@ static void cpuidle_coupled_set_done(int cpu, struct cpuidle_coupled *coupled)
+ * been processed and the poke bit has been cleared.
+ *
+ * Other interrupts may also be processed while interrupts are enabled, so
+- * need_resched() must be tested after turning interrupts off again to make sure
++ * need_resched() must be tested after this function returns to make sure
+ * the interrupt didn't schedule work that should take the cpu out of idle.
+ *
+- * Returns 0 if need_resched was false, -EINTR if need_resched was true.
++ * Returns 0 if no poke was pending, 1 if a poke was cleared.
+ */
+ static int cpuidle_coupled_clear_pokes(int cpu)
+ {
++ if (!cpumask_test_cpu(cpu, &cpuidle_coupled_poke_pending))
++ return 0;
++
+ local_irq_enable();
+- while (cpumask_test_cpu(cpu, &cpuidle_coupled_poked_mask))
++ while (cpumask_test_cpu(cpu, &cpuidle_coupled_poke_pending))
+ cpu_relax();
+ local_irq_disable();
+
+- return need_resched() ? -EINTR : 0;
++ return 1;
++}
++
++static bool cpuidle_coupled_any_pokes_pending(struct cpuidle_coupled *coupled)
++{
++ cpumask_t cpus;
++ int ret;
++
++ cpumask_and(&cpus, cpu_online_mask, &coupled->coupled_cpus);
++ ret = cpumask_and(&cpus, &cpuidle_coupled_poke_pending, &cpus);
++
++ return ret;
+ }
+
+ /**
+@@ -449,12 +461,14 @@ int cpuidle_enter_state_coupled(struct cpuidle_device *dev,
+ {
+ int entered_state = -1;
+ struct cpuidle_coupled *coupled = dev->coupled;
++ int w;
+
+ if (!coupled)
+ return -EINVAL;
+
+ while (coupled->prevent) {
+- if (cpuidle_coupled_clear_pokes(dev->cpu)) {
++ cpuidle_coupled_clear_pokes(dev->cpu);
++ if (need_resched()) {
+ local_irq_enable();
+ return entered_state;
+ }
+@@ -465,15 +479,37 @@ int cpuidle_enter_state_coupled(struct cpuidle_device *dev,
+ /* Read barrier ensures online_count is read after prevent is cleared */
+ smp_rmb();
+
+- cpuidle_coupled_set_waiting(dev->cpu, coupled, next_state);
++reset:
++ cpumask_clear_cpu(dev->cpu, &cpuidle_coupled_poked);
++
++ w = cpuidle_coupled_set_waiting(dev->cpu, coupled, next_state);
++ /*
++ * If this is the last cpu to enter the waiting state, poke
++ * all the other cpus out of their waiting state so they can
++ * enter a deeper state. This can race with one of the cpus
++ * exiting the waiting state due to an interrupt and
++ * decrementing waiting_count, see comment below.
++ */
++ if (w == coupled->online_count) {
++ cpumask_set_cpu(dev->cpu, &cpuidle_coupled_poked);
++ cpuidle_coupled_poke_others(dev->cpu, coupled);
++ }
+
+ retry:
+ /*
+ * Wait for all coupled cpus to be idle, using the deepest state
+- * allowed for a single cpu.
++ * allowed for a single cpu. If this was not the poking cpu, wait
++ * for at least one poke before leaving to avoid a race where
++ * two cpus could arrive at the waiting loop at the same time,
++ * but the first of the two to arrive could skip the loop without
++ * processing the pokes from the last to arrive.
+ */
+- while (!cpuidle_coupled_cpus_waiting(coupled)) {
+- if (cpuidle_coupled_clear_pokes(dev->cpu)) {
++ while (!cpuidle_coupled_cpus_waiting(coupled) ||
++ !cpumask_test_cpu(dev->cpu, &cpuidle_coupled_poked)) {
++ if (cpuidle_coupled_clear_pokes(dev->cpu))
++ continue;
++
++ if (need_resched()) {
+ cpuidle_coupled_set_not_waiting(dev->cpu, coupled);
+ goto out;
+ }
+@@ -487,12 +523,19 @@ retry:
+ dev->safe_state_index);
+ }
+
+- if (cpuidle_coupled_clear_pokes(dev->cpu)) {
++ cpuidle_coupled_clear_pokes(dev->cpu);
++ if (need_resched()) {
+ cpuidle_coupled_set_not_waiting(dev->cpu, coupled);
+ goto out;
+ }
+
+ /*
++ * Make sure final poke status for this cpu is visible before setting
++ * cpu as ready.
++ */
++ smp_wmb();
++
++ /*
+ * All coupled cpus are probably idle. There is a small chance that
+ * one of the other cpus just became active. Increment the ready count,
+ * and spin until all coupled cpus have incremented the counter. Once a
+@@ -511,6 +554,28 @@ retry:
+ cpu_relax();
+ }
+
++ /*
++ * Make sure read of all cpus ready is done before reading pending pokes
++ */
++ smp_rmb();
++
++ /*
++ * There is a small chance that a cpu left and reentered idle after this
++ * cpu saw that all cpus were waiting. The cpu that reentered idle will
++ * have sent this cpu a poke, which will still be pending after the
++ * ready loop. The pending interrupt may be lost by the interrupt
++ * controller when entering the deep idle state. It's not possible to
++ * clear a pending interrupt without turning interrupts on and handling
++ * it, and it's too late to turn on interrupts here, so reset the
++ * coupled idle state of all cpus and retry.
++ */
++ if (cpuidle_coupled_any_pokes_pending(coupled)) {
++ cpuidle_coupled_set_done(dev->cpu, coupled);
++ /* Wait for all cpus to see the pending pokes */
++ cpuidle_coupled_parallel_barrier(dev, &coupled->abort_barrier);
++ goto reset;
++ }
++
+ /* all cpus have acked the coupled state */
+ next_state = cpuidle_coupled_get_state(dev, coupled);
+
+@@ -596,7 +661,7 @@ have_coupled:
+ coupled->refcnt++;
+
+ csd = &per_cpu(cpuidle_coupled_poke_cb, dev->cpu);
+- csd->func = cpuidle_coupled_poked;
++ csd->func = cpuidle_coupled_handle_poke;
+ csd->info = (void *)(unsigned long)dev->cpu;
+
+ return 0;
+diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c
+index 8b6a034..8b3d901 100644
+--- a/drivers/edac/amd64_edac.c
++++ b/drivers/edac/amd64_edac.c
+@@ -2470,8 +2470,15 @@ static int amd64_init_one_instance(struct pci_dev *F2)
+ layers[0].size = pvt->csels[0].b_cnt;
+ layers[0].is_virt_csrow = true;
+ layers[1].type = EDAC_MC_LAYER_CHANNEL;
+- layers[1].size = pvt->channel_count;
++
++ /*
++ * Always allocate two channels since we can have setups with DIMMs on
++ * only one channel. Also, this simplifies handling later for the price
++ * of a couple of KBs tops.
++ */
++ layers[1].size = 2;
+ layers[1].is_virt_csrow = false;
++
+ mci = edac_mc_alloc(nid, ARRAY_SIZE(layers), layers, 0);
+ if (!mci)
+ goto err_siblings;
+diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c
+index 95d6f4b..70fc133 100644
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -125,6 +125,9 @@ static struct edid_quirk {
+
+ /* ViewSonic VA2026w */
+ { "VSC", 5020, EDID_QUIRK_FORCE_REDUCED_BLANKING },
++
++ /* Medion MD 30217 PG */
++ { "MED", 0x7b8, EDID_QUIRK_PREFER_LARGE_75 },
+ };
+
+ /*
+diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
+index be79f47..ca40d1b 100644
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -7809,6 +7809,19 @@ intel_modeset_pipe_config(struct drm_crtc *crtc,
+ pipe_config->cpu_transcoder = to_intel_crtc(crtc)->pipe;
+ pipe_config->shared_dpll = DPLL_ID_PRIVATE;
+
++ /*
++ * Sanitize sync polarity flags based on requested ones. If neither
++ * positive or negative polarity is requested, treat this as meaning
++ * negative polarity.
++ */
++ if (!(pipe_config->adjusted_mode.flags &
++ (DRM_MODE_FLAG_PHSYNC | DRM_MODE_FLAG_NHSYNC)))
++ pipe_config->adjusted_mode.flags |= DRM_MODE_FLAG_NHSYNC;
++
++ if (!(pipe_config->adjusted_mode.flags &
++ (DRM_MODE_FLAG_PVSYNC | DRM_MODE_FLAG_NVSYNC)))
++ pipe_config->adjusted_mode.flags |= DRM_MODE_FLAG_NVSYNC;
++
+ /* Compute a starting value for pipe_config->pipe_bpp taking the source
+ * plane pixel format and any sink constraints into account. Returns the
+ * source plane bpp so that dithering can be selected on mismatches
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 36668d1..5956445 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
+ struct hid_report_enum *report_enum = device->report_enum + type;
+ struct hid_report *report;
+
++ if (id >= HID_MAX_IDS)
++ return NULL;
+ if (report_enum->report_id_hash[id])
+ return report_enum->report_id_hash[id];
+
+@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
+
+ case HID_GLOBAL_ITEM_TAG_REPORT_ID:
+ parser->global.report_id = item_udata(item);
+- if (parser->global.report_id == 0) {
+- hid_err(parser->device, "report_id 0 is invalid\n");
++ if (parser->global.report_id == 0 ||
++ parser->global.report_id >= HID_MAX_IDS) {
++ hid_err(parser->device, "report_id %u is invalid\n",
++ parser->global.report_id);
+ return -1;
+ }
+ return 0;
+@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
+ for (i = 0; i < HID_REPORT_TYPES; i++) {
+ struct hid_report_enum *report_enum = device->report_enum + i;
+
+- for (j = 0; j < 256; j++) {
++ for (j = 0; j < HID_MAX_IDS; j++) {
+ struct hid_report *report = report_enum->report_id_hash[j];
+ if (report)
+ hid_free_report(report);
+@@ -1152,7 +1156,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
+
+ int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
+ {
+- unsigned size = field->report_size;
++ unsigned size;
++
++ if (!field)
++ return -1;
++
++ size = field->report_size;
+
+ hid_dump_input(field->report->device, field->usage + offset, value);
+
+@@ -1597,6 +1606,7 @@ static const struct hid_device_id hid_have_special_driver[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_KENSINGTON, USB_DEVICE_ID_KS_SLIMBLADE) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KEYTOUCH, USB_DEVICE_ID_KEYTOUCH_IEC) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_GENIUS_GX_IMPERATOR) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_ERGO_525V) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_I405X) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X) },
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index ffe4c7a..22134d4 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -135,9 +135,9 @@
+ #define USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_JIS 0x023b
+ #define USB_DEVICE_ID_APPLE_ALU_WIRELESS_2011_ANSI 0x0255
+ #define USB_DEVICE_ID_APPLE_ALU_WIRELESS_2011_ISO 0x0256
+-#define USB_DEVICE_ID_APPLE_WELLSPRING8_ANSI 0x0291
+-#define USB_DEVICE_ID_APPLE_WELLSPRING8_ISO 0x0292
+-#define USB_DEVICE_ID_APPLE_WELLSPRING8_JIS 0x0293
++#define USB_DEVICE_ID_APPLE_WELLSPRING8_ANSI 0x0290
++#define USB_DEVICE_ID_APPLE_WELLSPRING8_ISO 0x0291
++#define USB_DEVICE_ID_APPLE_WELLSPRING8_JIS 0x0292
+ #define USB_DEVICE_ID_APPLE_FOUNTAIN_TP_ONLY 0x030a
+ #define USB_DEVICE_ID_APPLE_GEYSER1_TP_ONLY 0x030b
+ #define USB_DEVICE_ID_APPLE_IRCONTROL 0x8240
+@@ -482,6 +482,7 @@
+ #define USB_VENDOR_ID_KYE 0x0458
+ #define USB_DEVICE_ID_KYE_ERGO_525V 0x0087
+ #define USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE 0x0138
++#define USB_DEVICE_ID_GENIUS_GX_IMPERATOR 0x4018
+ #define USB_DEVICE_ID_KYE_GPEN_560 0x5003
+ #define USB_DEVICE_ID_KYE_EASYPEN_I405X 0x5010
+ #define USB_DEVICE_ID_KYE_MOUSEPEN_I608X 0x5011
+@@ -658,6 +659,7 @@
+ #define USB_DEVICE_ID_NTRIG_TOUCH_SCREEN_16 0x0012
+ #define USB_DEVICE_ID_NTRIG_TOUCH_SCREEN_17 0x0013
+ #define USB_DEVICE_ID_NTRIG_TOUCH_SCREEN_18 0x0014
++#define USB_DEVICE_ID_NTRIG_DUOSENSE 0x1500
+
+ #define USB_VENDOR_ID_ONTRAK 0x0a07
+ #define USB_DEVICE_ID_ONTRAK_ADU100 0x0064
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index 7480799..3fc4034 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -340,7 +340,7 @@ static int hidinput_get_battery_property(struct power_supply *psy,
+ {
+ struct hid_device *dev = container_of(psy, struct hid_device, battery);
+ int ret = 0;
+- __u8 buf[2] = {};
++ __u8 *buf;
+
+ switch (prop) {
+ case POWER_SUPPLY_PROP_PRESENT:
+@@ -349,12 +349,19 @@ static int hidinput_get_battery_property(struct power_supply *psy,
+ break;
+
+ case POWER_SUPPLY_PROP_CAPACITY:
++
++ buf = kmalloc(2 * sizeof(__u8), GFP_KERNEL);
++ if (!buf) {
++ ret = -ENOMEM;
++ break;
++ }
+ ret = dev->hid_get_raw_report(dev, dev->battery_report_id,
+- buf, sizeof(buf),
++ buf, 2,
+ dev->battery_report_type);
+
+ if (ret != 2) {
+ ret = -ENODATA;
++ kfree(buf);
+ break;
+ }
+ ret = 0;
+@@ -364,6 +371,7 @@ static int hidinput_get_battery_property(struct power_supply *psy,
+ buf[1] <= dev->battery_max)
+ val->intval = (100 * (buf[1] - dev->battery_min)) /
+ (dev->battery_max - dev->battery_min);
++ kfree(buf);
+ break;
+
+ case POWER_SUPPLY_PROP_MODEL_NAME:
+diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c
+index 1e2ee2aa..7384512 100644
+--- a/drivers/hid/hid-kye.c
++++ b/drivers/hid/hid-kye.c
+@@ -268,6 +268,26 @@ static __u8 easypen_m610x_rdesc_fixed[] = {
+ 0xC0 /* End Collection */
+ };
+
++static __u8 *kye_consumer_control_fixup(struct hid_device *hdev, __u8 *rdesc,
++ unsigned int *rsize, int offset, const char *device_name) {
++ /*
++ * the fixup that need to be done:
++ * - change Usage Maximum in the Comsumer Control
++ * (report ID 3) to a reasonable value
++ */
++ if (*rsize >= offset + 31 &&
++ /* Usage Page (Consumer Devices) */
++ rdesc[offset] == 0x05 && rdesc[offset + 1] == 0x0c &&
++ /* Usage (Consumer Control) */
++ rdesc[offset + 2] == 0x09 && rdesc[offset + 3] == 0x01 &&
++ /* Usage Maximum > 12287 */
++ rdesc[offset + 10] == 0x2a && rdesc[offset + 12] > 0x2f) {
++ hid_info(hdev, "fixing up %s report descriptor\n", device_name);
++ rdesc[offset + 12] = 0x2f;
++ }
++ return rdesc;
++}
++
+ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ unsigned int *rsize)
+ {
+@@ -315,23 +335,12 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ }
+ break;
+ case USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE:
+- /*
+- * the fixup that need to be done:
+- * - change Usage Maximum in the Comsumer Control
+- * (report ID 3) to a reasonable value
+- */
+- if (*rsize >= 135 &&
+- /* Usage Page (Consumer Devices) */
+- rdesc[104] == 0x05 && rdesc[105] == 0x0c &&
+- /* Usage (Consumer Control) */
+- rdesc[106] == 0x09 && rdesc[107] == 0x01 &&
+- /* Usage Maximum > 12287 */
+- rdesc[114] == 0x2a && rdesc[116] > 0x2f) {
+- hid_info(hdev,
+- "fixing up Genius Gila Gaming Mouse "
+- "report descriptor\n");
+- rdesc[116] = 0x2f;
+- }
++ rdesc = kye_consumer_control_fixup(hdev, rdesc, rsize, 104,
++ "Genius Gila Gaming Mouse");
++ break;
++ case USB_DEVICE_ID_GENIUS_GX_IMPERATOR:
++ rdesc = kye_consumer_control_fixup(hdev, rdesc, rsize, 83,
++ "Genius Gx Imperator Keyboard");
+ break;
+ }
+ return rdesc;
+@@ -428,6 +437,8 @@ static const struct hid_device_id kye_devices[] = {
+ USB_DEVICE_ID_KYE_EASYPEN_M610X) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE,
+ USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_KYE,
++ USB_DEVICE_ID_GENIUS_GX_IMPERATOR) },
+ { }
+ };
+ MODULE_DEVICE_TABLE(hid, kye_devices);
+diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
+index ef95102..5482156 100644
+--- a/drivers/hid/hid-ntrig.c
++++ b/drivers/hid/hid-ntrig.c
+@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
+ struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
+ report_id_hash[0x0d];
+
+- if (!report)
++ if (!report || report->maxfield < 1 ||
++ report->field[0]->report_count < 1)
+ return -EINVAL;
+
+ hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
+diff --git a/drivers/hid/hid-picolcd_cir.c b/drivers/hid/hid-picolcd_cir.c
+index e346038..59d5eb1 100644
+--- a/drivers/hid/hid-picolcd_cir.c
++++ b/drivers/hid/hid-picolcd_cir.c
+@@ -145,6 +145,7 @@ void picolcd_exit_cir(struct picolcd_data *data)
+ struct rc_dev *rdev = data->rc_dev;
+
+ data->rc_dev = NULL;
+- rc_unregister_device(rdev);
++ if (rdev)
++ rc_unregister_device(rdev);
+ }
+
+diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
+index b48092d..acbb0210 100644
+--- a/drivers/hid/hid-picolcd_core.c
++++ b/drivers/hid/hid-picolcd_core.c
+@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
+ buf += 10;
+ cnt -= 10;
+ }
+- if (!report)
++ if (!report || report->maxfield != 1)
+ return -EINVAL;
+
+ while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
+diff --git a/drivers/hid/hid-picolcd_fb.c b/drivers/hid/hid-picolcd_fb.c
+index 591f6b2..c930ab8 100644
+--- a/drivers/hid/hid-picolcd_fb.c
++++ b/drivers/hid/hid-picolcd_fb.c
+@@ -593,10 +593,14 @@ err_nomem:
+ void picolcd_exit_framebuffer(struct picolcd_data *data)
+ {
+ struct fb_info *info = data->fb_info;
+- struct picolcd_fb_data *fbdata = info->par;
++ struct picolcd_fb_data *fbdata;
+ unsigned long flags;
+
++ if (!info)
++ return;
++
+ device_remove_file(&data->hdev->dev, &dev_attr_fb_update_rate);
++ fbdata = info->par;
+
+ /* disconnect framebuffer from HID dev */
+ spin_lock_irqsave(&fbdata->lock, flags);
+diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
+index d29112f..2dcd7d9 100644
+--- a/drivers/hid/hid-pl.c
++++ b/drivers/hid/hid-pl.c
+@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
+ strong = &report->field[0]->value[2];
+ weak = &report->field[0]->value[3];
+ debug("detected single-field device");
+- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
+- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
++ } else if (report->field[0]->maxusage == 1 &&
++ report->field[0]->usage[0].hid ==
++ (HID_UP_LED | 0x43) &&
++ report->maxfield >= 4 &&
++ report->field[0]->report_count >= 1 &&
++ report->field[1]->report_count >= 1 &&
++ report->field[2]->report_count >= 1 &&
++ report->field[3]->report_count >= 1) {
+ report->field[0]->value[0] = 0x00;
+ report->field[1]->value[0] = 0x00;
+ strong = &report->field[2]->value[0];
+diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
+index ca749810..aa34755 100644
+--- a/drivers/hid/hid-sensor-hub.c
++++ b/drivers/hid/hid-sensor-hub.c
+@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
+
+ mutex_lock(&data->mutex);
+ report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
+- if (!report || (field_index >= report->maxfield)) {
++ if (!report || (field_index >= report->maxfield) ||
++ report->field[field_index]->report_count < 1) {
+ ret = -EINVAL;
+ goto done_proc;
+ }
+diff --git a/drivers/hid/hid-speedlink.c b/drivers/hid/hid-speedlink.c
+index a2f587d..7112f3e 100644
+--- a/drivers/hid/hid-speedlink.c
++++ b/drivers/hid/hid-speedlink.c
+@@ -3,7 +3,7 @@
+ * Fixes "jumpy" cursor and removes nonexistent keyboard LEDS from
+ * the HID descriptor.
+ *
+- * Copyright (c) 2011 Stefan Kriwanek <mail@stefankriwanek.de>
++ * Copyright (c) 2011, 2013 Stefan Kriwanek <dev@stefankriwanek.de>
+ */
+
+ /*
+@@ -46,8 +46,13 @@ static int speedlink_event(struct hid_device *hdev, struct hid_field *field,
+ struct hid_usage *usage, __s32 value)
+ {
+ /* No other conditions due to usage_table. */
+- /* Fix "jumpy" cursor (invalid events sent by device). */
+- if (value == 256)
++
++ /* This fixes the "jumpy" cursor occuring due to invalid events sent
++ * by the device. Some devices only send them with value==+256, others
++ * don't. However, catching abs(value)>=256 is restrictive enough not
++ * to interfere with devices that were bug-free (has been tested).
++ */
++ if (abs(value) >= 256)
+ return 1;
+ /* Drop useless distance 0 events (on button clicks etc.) as well */
+ if (value == 0)
+diff --git a/drivers/hid/hid-wiimote-core.c b/drivers/hid/hid-wiimote-core.c
+index 0c06054..6602098 100644
+--- a/drivers/hid/hid-wiimote-core.c
++++ b/drivers/hid/hid-wiimote-core.c
+@@ -212,10 +212,12 @@ static __u8 select_drm(struct wiimote_data *wdata)
+
+ if (ir == WIIPROTO_FLAG_IR_BASIC) {
+ if (wdata->state.flags & WIIPROTO_FLAG_ACCEL) {
+- if (ext)
+- return WIIPROTO_REQ_DRM_KAIE;
+- else
+- return WIIPROTO_REQ_DRM_KAI;
++ /* GEN10 and ealier devices bind IR formats to DRMs.
++ * Hence, we cannot use DRM_KAI here as it might be
++ * bound to IR_EXT. Use DRM_KAIE unconditionally so we
++ * work with all devices and our parsers can use the
++ * fixed formats, too. */
++ return WIIPROTO_REQ_DRM_KAIE;
+ } else {
+ return WIIPROTO_REQ_DRM_KIE;
+ }
+diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c
+index 6f1feb2..dbfe300 100644
+--- a/drivers/hid/hidraw.c
++++ b/drivers/hid/hidraw.c
+@@ -113,7 +113,7 @@ static ssize_t hidraw_send_report(struct file *file, const char __user *buffer,
+ __u8 *buf;
+ int ret = 0;
+
+- if (!hidraw_table[minor]) {
++ if (!hidraw_table[minor] || !hidraw_table[minor]->exist) {
+ ret = -ENODEV;
+ goto out;
+ }
+@@ -261,7 +261,7 @@ static int hidraw_open(struct inode *inode, struct file *file)
+ }
+
+ mutex_lock(&minors_lock);
+- if (!hidraw_table[minor]) {
++ if (!hidraw_table[minor] || !hidraw_table[minor]->exist) {
+ err = -ENODEV;
+ goto out_unlock;
+ }
+@@ -302,39 +302,38 @@ static int hidraw_fasync(int fd, struct file *file, int on)
+ return fasync_helper(fd, file, on, &list->fasync);
+ }
+
++static void drop_ref(struct hidraw *hidraw, int exists_bit)
++{
++ if (exists_bit) {
++ hid_hw_close(hidraw->hid);
++ hidraw->exist = 0;
++ if (hidraw->open)
++ wake_up_interruptible(&hidraw->wait);
++ } else {
++ --hidraw->open;
++ }
++
++ if (!hidraw->open && !hidraw->exist) {
++ device_destroy(hidraw_class, MKDEV(hidraw_major, hidraw->minor));
++ hidraw_table[hidraw->minor] = NULL;
++ kfree(hidraw);
++ }
++}
++
+ static int hidraw_release(struct inode * inode, struct file * file)
+ {
+ unsigned int minor = iminor(inode);
+- struct hidraw *dev;
+ struct hidraw_list *list = file->private_data;
+- int ret;
+- int i;
+
+ mutex_lock(&minors_lock);
+- if (!hidraw_table[minor]) {
+- ret = -ENODEV;
+- goto unlock;
+- }
+
+ list_del(&list->node);
+- dev = hidraw_table[minor];
+- if (!--dev->open) {
+- if (list->hidraw->exist) {
+- hid_hw_power(dev->hid, PM_HINT_NORMAL);
+- hid_hw_close(dev->hid);
+- } else {
+- kfree(list->hidraw);
+- }
+- }
+-
+- for (i = 0; i < HIDRAW_BUFFER_SIZE; ++i)
+- kfree(list->buffer[i].value);
+ kfree(list);
+- ret = 0;
+-unlock:
+- mutex_unlock(&minors_lock);
+
+- return ret;
++ drop_ref(hidraw_table[minor], 0);
++
++ mutex_unlock(&minors_lock);
++ return 0;
+ }
+
+ static long hidraw_ioctl(struct file *file, unsigned int cmd,
+@@ -539,18 +538,9 @@ void hidraw_disconnect(struct hid_device *hid)
+ struct hidraw *hidraw = hid->hidraw;
+
+ mutex_lock(&minors_lock);
+- hidraw->exist = 0;
+-
+- device_destroy(hidraw_class, MKDEV(hidraw_major, hidraw->minor));
+
+- hidraw_table[hidraw->minor] = NULL;
++ drop_ref(hidraw, 1);
+
+- if (hidraw->open) {
+- hid_hw_close(hid);
+- wake_up_interruptible(&hidraw->wait);
+- } else {
+- kfree(hidraw);
+- }
+ mutex_unlock(&minors_lock);
+ }
+ EXPORT_SYMBOL_GPL(hidraw_disconnect);
+diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c
+index 19b8360..0734552 100644
+--- a/drivers/hid/usbhid/hid-quirks.c
++++ b/drivers/hid/usbhid/hid-quirks.c
+@@ -109,6 +109,8 @@ static const struct hid_blacklist {
+ { USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X, HID_QUIRK_MULTI_INPUT },
+ { USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_M610X, HID_QUIRK_MULTI_INPUT },
++ { USB_VENDOR_ID_NTRIG, USB_DEVICE_ID_NTRIG_DUOSENSE, HID_QUIRK_NO_INIT_REPORTS },
++
+ { 0, 0 }
+ };
+
+diff --git a/drivers/input/mouse/bcm5974.c b/drivers/input/mouse/bcm5974.c
+index 4ef4d5e..a73f961 100644
+--- a/drivers/input/mouse/bcm5974.c
++++ b/drivers/input/mouse/bcm5974.c
+@@ -89,9 +89,9 @@
+ #define USB_DEVICE_ID_APPLE_WELLSPRING7A_ISO 0x025a
+ #define USB_DEVICE_ID_APPLE_WELLSPRING7A_JIS 0x025b
+ /* MacbookAir6,2 (unibody, June 2013) */
+-#define USB_DEVICE_ID_APPLE_WELLSPRING8_ANSI 0x0291
+-#define USB_DEVICE_ID_APPLE_WELLSPRING8_ISO 0x0292
+-#define USB_DEVICE_ID_APPLE_WELLSPRING8_JIS 0x0293
++#define USB_DEVICE_ID_APPLE_WELLSPRING8_ANSI 0x0290
++#define USB_DEVICE_ID_APPLE_WELLSPRING8_ISO 0x0291
++#define USB_DEVICE_ID_APPLE_WELLSPRING8_JIS 0x0292
+
+ #define BCM5974_DEVICE(prod) { \
+ .match_flags = (USB_DEVICE_ID_MATCH_DEVICE | \
+diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
+index eec0d3e..15e9b57 100644
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -890,56 +890,54 @@ static int dma_pte_clear_range(struct dmar_domain *domain,
+ return order;
+ }
+
++static void dma_pte_free_level(struct dmar_domain *domain, int level,
++ struct dma_pte *pte, unsigned long pfn,
++ unsigned long start_pfn, unsigned long last_pfn)
++{
++ pfn = max(start_pfn, pfn);
++ pte = &pte[pfn_level_offset(pfn, level)];
++
++ do {
++ unsigned long level_pfn;
++ struct dma_pte *level_pte;
++
++ if (!dma_pte_present(pte) || dma_pte_superpage(pte))
++ goto next;
++
++ level_pfn = pfn & level_mask(level - 1);
++ level_pte = phys_to_virt(dma_pte_addr(pte));
++
++ if (level > 2)
++ dma_pte_free_level(domain, level - 1, level_pte,
++ level_pfn, start_pfn, last_pfn);
++
++ /* If range covers entire pagetable, free it */
++ if (!(start_pfn > level_pfn ||
++ last_pfn < level_pfn + level_size(level))) {
++ dma_clear_pte(pte);
++ domain_flush_cache(domain, pte, sizeof(*pte));
++ free_pgtable_page(level_pte);
++ }
++next:
++ pfn += level_size(level);
++ } while (!first_pte_in_page(++pte) && pfn <= last_pfn);
++}
++
+ /* free page table pages. last level pte should already be cleared */
+ static void dma_pte_free_pagetable(struct dmar_domain *domain,
+ unsigned long start_pfn,
+ unsigned long last_pfn)
+ {
+ int addr_width = agaw_to_width(domain->agaw) - VTD_PAGE_SHIFT;
+- struct dma_pte *first_pte, *pte;
+- int total = agaw_to_level(domain->agaw);
+- int level;
+- unsigned long tmp;
+- int large_page = 2;
+
+ BUG_ON(addr_width < BITS_PER_LONG && start_pfn >> addr_width);
+ BUG_ON(addr_width < BITS_PER_LONG && last_pfn >> addr_width);
+ BUG_ON(start_pfn > last_pfn);
+
+ /* We don't need lock here; nobody else touches the iova range */
+- level = 2;
+- while (level <= total) {
+- tmp = align_to_level(start_pfn, level);
+-
+- /* If we can't even clear one PTE at this level, we're done */
+- if (tmp + level_size(level) - 1 > last_pfn)
+- return;
+-
+- do {
+- large_page = level;
+- first_pte = pte = dma_pfn_level_pte(domain, tmp, level, &large_page);
+- if (large_page > level)
+- level = large_page + 1;
+- if (!pte) {
+- tmp = align_to_level(tmp + 1, level + 1);
+- continue;
+- }
+- do {
+- if (dma_pte_present(pte)) {
+- free_pgtable_page(phys_to_virt(dma_pte_addr(pte)));
+- dma_clear_pte(pte);
+- }
+- pte++;
+- tmp += level_size(level);
+- } while (!first_pte_in_page(pte) &&
+- tmp + level_size(level) - 1 <= last_pfn);
++ dma_pte_free_level(domain, agaw_to_level(domain->agaw),
++ domain->pgd, 0, start_pfn, last_pfn);
+
+- domain_flush_cache(domain, first_pte,
+- (void *)pte - (void *)first_pte);
+-
+- } while (tmp && tmp + level_size(level) - 1 <= last_pfn);
+- level++;
+- }
+ /* free pgd */
+ if (start_pfn == 0 && last_pfn == DOMAIN_MAX_PFN(domain->gaw)) {
+ free_pgtable_page(domain->pgd);
+diff --git a/drivers/leds/leds-wm831x-status.c b/drivers/leds/leds-wm831x-status.c
+index 120815a..5a19abd 100644
+--- a/drivers/leds/leds-wm831x-status.c
++++ b/drivers/leds/leds-wm831x-status.c
+@@ -230,9 +230,9 @@ static int wm831x_status_probe(struct platform_device *pdev)
+ int id = pdev->id % ARRAY_SIZE(chip_pdata->status);
+ int ret;
+
+- res = platform_get_resource(pdev, IORESOURCE_IO, 0);
++ res = platform_get_resource(pdev, IORESOURCE_REG, 0);
+ if (res == NULL) {
+- dev_err(&pdev->dev, "No I/O resource\n");
++ dev_err(&pdev->dev, "No register resource\n");
+ ret = -EINVAL;
+ goto err;
+ }
+diff --git a/drivers/media/common/siano/smsdvb-main.c b/drivers/media/common/siano/smsdvb-main.c
+index 0862622..63676a8 100644
+--- a/drivers/media/common/siano/smsdvb-main.c
++++ b/drivers/media/common/siano/smsdvb-main.c
+@@ -276,7 +276,8 @@ static void smsdvb_update_per_slices(struct smsdvb_client_t *client,
+
+ /* Legacy PER/BER */
+ tmp = p->ets_packets * 65535;
+- do_div(tmp, p->ts_packets + p->ets_packets);
++ if (p->ts_packets + p->ets_packets)
++ do_div(tmp, p->ts_packets + p->ets_packets);
+ client->legacy_per = tmp;
+ }
+
+diff --git a/drivers/media/dvb-frontends/mb86a20s.c b/drivers/media/dvb-frontends/mb86a20s.c
+index 856374b..2c7217f 100644
+--- a/drivers/media/dvb-frontends/mb86a20s.c
++++ b/drivers/media/dvb-frontends/mb86a20s.c
+@@ -157,7 +157,6 @@ static struct regdata mb86a20s_init2[] = {
+ { 0x45, 0x04 }, /* CN symbol 4 */
+ { 0x48, 0x04 }, /* CN manual mode */
+
+- { 0x50, 0xd5 }, { 0x51, 0x01 }, /* Serial */
+ { 0x50, 0xd6 }, { 0x51, 0x1f },
+ { 0x50, 0xd2 }, { 0x51, 0x03 },
+ { 0x50, 0xd7 }, { 0x51, 0xbf },
+@@ -1860,16 +1859,15 @@ static int mb86a20s_initfe(struct dvb_frontend *fe)
+ dev_dbg(&state->i2c->dev, "%s: IF=%d, IF reg=0x%06llx\n",
+ __func__, state->if_freq, (long long)pll);
+
+- if (!state->config->is_serial) {
++ if (!state->config->is_serial)
+ regD5 &= ~1;
+
+- rc = mb86a20s_writereg(state, 0x50, 0xd5);
+- if (rc < 0)
+- goto err;
+- rc = mb86a20s_writereg(state, 0x51, regD5);
+- if (rc < 0)
+- goto err;
+- }
++ rc = mb86a20s_writereg(state, 0x50, 0xd5);
++ if (rc < 0)
++ goto err;
++ rc = mb86a20s_writereg(state, 0x51, regD5);
++ if (rc < 0)
++ goto err;
+
+ rc = mb86a20s_writeregdata(state, mb86a20s_init2);
+ if (rc < 0)
+diff --git a/drivers/media/pci/cx88/cx88.h b/drivers/media/pci/cx88/cx88.h
+index afe0eae..28893a6 100644
+--- a/drivers/media/pci/cx88/cx88.h
++++ b/drivers/media/pci/cx88/cx88.h
+@@ -259,7 +259,7 @@ struct cx88_input {
+ };
+
+ enum cx88_audio_chip {
+- CX88_AUDIO_WM8775,
++ CX88_AUDIO_WM8775 = 1,
+ CX88_AUDIO_TVAUDIO,
+ };
+
+diff --git a/drivers/media/platform/exynos-gsc/gsc-core.c b/drivers/media/platform/exynos-gsc/gsc-core.c
+index 559fab2..1ec60264 100644
+--- a/drivers/media/platform/exynos-gsc/gsc-core.c
++++ b/drivers/media/platform/exynos-gsc/gsc-core.c
+@@ -1122,10 +1122,14 @@ static int gsc_probe(struct platform_device *pdev)
+ goto err_clk;
+ }
+
+- ret = gsc_register_m2m_device(gsc);
++ ret = v4l2_device_register(dev, &gsc->v4l2_dev);
+ if (ret)
+ goto err_clk;
+
++ ret = gsc_register_m2m_device(gsc);
++ if (ret)
++ goto err_v4l2;
++
+ platform_set_drvdata(pdev, gsc);
+ pm_runtime_enable(dev);
+ ret = pm_runtime_get_sync(&pdev->dev);
+@@ -1147,6 +1151,8 @@ err_pm:
+ pm_runtime_put(dev);
+ err_m2m:
+ gsc_unregister_m2m_device(gsc);
++err_v4l2:
++ v4l2_device_unregister(&gsc->v4l2_dev);
+ err_clk:
+ gsc_clk_put(gsc);
+ return ret;
+@@ -1157,6 +1163,7 @@ static int gsc_remove(struct platform_device *pdev)
+ struct gsc_dev *gsc = platform_get_drvdata(pdev);
+
+ gsc_unregister_m2m_device(gsc);
++ v4l2_device_unregister(&gsc->v4l2_dev);
+
+ vb2_dma_contig_cleanup_ctx(gsc->alloc_ctx);
+ pm_runtime_disable(&pdev->dev);
+diff --git a/drivers/media/platform/exynos-gsc/gsc-core.h b/drivers/media/platform/exynos-gsc/gsc-core.h
+index cc19bba..76435d3 100644
+--- a/drivers/media/platform/exynos-gsc/gsc-core.h
++++ b/drivers/media/platform/exynos-gsc/gsc-core.h
+@@ -343,6 +343,7 @@ struct gsc_dev {
+ unsigned long state;
+ struct vb2_alloc_ctx *alloc_ctx;
+ struct video_device vdev;
++ struct v4l2_device v4l2_dev;
+ };
+
+ /**
+diff --git a/drivers/media/platform/exynos-gsc/gsc-m2m.c b/drivers/media/platform/exynos-gsc/gsc-m2m.c
+index 40a73f7..e576ff2 100644
+--- a/drivers/media/platform/exynos-gsc/gsc-m2m.c
++++ b/drivers/media/platform/exynos-gsc/gsc-m2m.c
+@@ -751,6 +751,7 @@ int gsc_register_m2m_device(struct gsc_dev *gsc)
+ gsc->vdev.release = video_device_release_empty;
+ gsc->vdev.lock = &gsc->lock;
+ gsc->vdev.vfl_dir = VFL_DIR_M2M;
++ gsc->vdev.v4l2_dev = &gsc->v4l2_dev;
+ snprintf(gsc->vdev.name, sizeof(gsc->vdev.name), "%s.%d:m2m",
+ GSC_MODULE_NAME, gsc->id);
+
+diff --git a/drivers/media/platform/exynos4-is/fimc-lite.c b/drivers/media/platform/exynos4-is/fimc-lite.c
+index 08fbfed..e85dc4f 100644
+--- a/drivers/media/platform/exynos4-is/fimc-lite.c
++++ b/drivers/media/platform/exynos4-is/fimc-lite.c
+@@ -90,7 +90,7 @@ static const struct fimc_fmt fimc_lite_formats[] = {
+ .name = "RAW10 (GRBG)",
+ .fourcc = V4L2_PIX_FMT_SGRBG10,
+ .colorspace = V4L2_COLORSPACE_SRGB,
+- .depth = { 10 },
++ .depth = { 16 },
+ .color = FIMC_FMT_RAW10,
+ .memplanes = 1,
+ .mbus_code = V4L2_MBUS_FMT_SGRBG10_1X10,
+@@ -99,7 +99,7 @@ static const struct fimc_fmt fimc_lite_formats[] = {
+ .name = "RAW12 (GRBG)",
+ .fourcc = V4L2_PIX_FMT_SGRBG12,
+ .colorspace = V4L2_COLORSPACE_SRGB,
+- .depth = { 12 },
++ .depth = { 16 },
+ .color = FIMC_FMT_RAW12,
+ .memplanes = 1,
+ .mbus_code = V4L2_MBUS_FMT_SGRBG12_1X12,
+diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c
+index 19f556c..91f21e2 100644
+--- a/drivers/media/platform/exynos4-is/media-dev.c
++++ b/drivers/media/platform/exynos4-is/media-dev.c
+@@ -1530,9 +1530,9 @@ static int fimc_md_probe(struct platform_device *pdev)
+ err_unlock:
+ mutex_unlock(&fmd->media_dev.graph_mutex);
+ err_clk:
+- media_device_unregister(&fmd->media_dev);
+ fimc_md_put_clocks(fmd);
+ fimc_md_unregister_entities(fmd);
++ media_device_unregister(&fmd->media_dev);
+ err_md:
+ v4l2_device_unregister(&fmd->v4l2_dev);
+ return ret;
+diff --git a/drivers/mmc/host/tmio_mmc_dma.c b/drivers/mmc/host/tmio_mmc_dma.c
+index 47bdb8f..65edb4a 100644
+--- a/drivers/mmc/host/tmio_mmc_dma.c
++++ b/drivers/mmc/host/tmio_mmc_dma.c
+@@ -104,6 +104,7 @@ static void tmio_mmc_start_dma_rx(struct tmio_mmc_host *host)
+ pio:
+ if (!desc) {
+ /* DMA failed, fall back to PIO */
++ tmio_mmc_enable_dma(host, false);
+ if (ret >= 0)
+ ret = -EIO;
+ host->chan_rx = NULL;
+@@ -116,7 +117,6 @@ pio:
+ }
+ dev_warn(&host->pdev->dev,
+ "DMA failed: %d, falling back to PIO\n", ret);
+- tmio_mmc_enable_dma(host, false);
+ }
+
+ dev_dbg(&host->pdev->dev, "%s(): desc %p, cookie %d, sg[%d]\n", __func__,
+@@ -185,6 +185,7 @@ static void tmio_mmc_start_dma_tx(struct tmio_mmc_host *host)
+ pio:
+ if (!desc) {
+ /* DMA failed, fall back to PIO */
++ tmio_mmc_enable_dma(host, false);
+ if (ret >= 0)
+ ret = -EIO;
+ host->chan_tx = NULL;
+@@ -197,7 +198,6 @@ pio:
+ }
+ dev_warn(&host->pdev->dev,
+ "DMA failed: %d, falling back to PIO\n", ret);
+- tmio_mmc_enable_dma(host, false);
+ }
+
+ dev_dbg(&host->pdev->dev, "%s(): desc %p, cookie %d\n", __func__,
+diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
+index dfcd0a5..fb8c4de 100644
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -2793,7 +2793,9 @@ static void nand_set_defaults(struct nand_chip *chip, int busw)
+
+ if (!chip->select_chip)
+ chip->select_chip = nand_select_chip;
+- if (!chip->read_byte)
++
++ /* If called twice, pointers that depend on busw may need to be reset */
++ if (!chip->read_byte || chip->read_byte == nand_read_byte)
+ chip->read_byte = busw ? nand_read_byte16 : nand_read_byte;
+ if (!chip->read_word)
+ chip->read_word = nand_read_word;
+@@ -2801,9 +2803,9 @@ static void nand_set_defaults(struct nand_chip *chip, int busw)
+ chip->block_bad = nand_block_bad;
+ if (!chip->block_markbad)
+ chip->block_markbad = nand_default_block_markbad;
+- if (!chip->write_buf)
++ if (!chip->write_buf || chip->write_buf == nand_write_buf)
+ chip->write_buf = busw ? nand_write_buf16 : nand_write_buf;
+- if (!chip->read_buf)
++ if (!chip->read_buf || chip->read_buf == nand_read_buf)
+ chip->read_buf = busw ? nand_read_buf16 : nand_read_buf;
+ if (!chip->scan_bbt)
+ chip->scan_bbt = nand_default_bbt;
+diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c
+index 5df49d3..c95bfb1 100644
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -1069,6 +1069,9 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk,
+ if (!(e2->ec - e1->ec >= UBI_WL_THRESHOLD)) {
+ dbg_wl("no WL needed: min used EC %d, max free EC %d",
+ e1->ec, e2->ec);
++
++ /* Give the unused PEB back */
++ wl_tree_add(e2, &ubi->free);
+ goto out_cancel;
+ }
+ self_check_in_wl_tree(ubi, e1, &ubi->used);
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index b017818..90ab292 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -138,7 +138,9 @@
+ #define MVNETA_GMAC_FORCE_LINK_PASS BIT(1)
+ #define MVNETA_GMAC_CONFIG_MII_SPEED BIT(5)
+ #define MVNETA_GMAC_CONFIG_GMII_SPEED BIT(6)
++#define MVNETA_GMAC_AN_SPEED_EN BIT(7)
+ #define MVNETA_GMAC_CONFIG_FULL_DUPLEX BIT(12)
++#define MVNETA_GMAC_AN_DUPLEX_EN BIT(13)
+ #define MVNETA_MIB_COUNTERS_BASE 0x3080
+ #define MVNETA_MIB_LATE_COLLISION 0x7c
+ #define MVNETA_DA_FILT_SPEC_MCAST 0x3400
+@@ -915,6 +917,13 @@ static void mvneta_defaults_set(struct mvneta_port *pp)
+ /* Assign port SDMA configuration */
+ mvreg_write(pp, MVNETA_SDMA_CONFIG, val);
+
++ /* Disable PHY polling in hardware, since we're using the
++ * kernel phylib to do this.
++ */
++ val = mvreg_read(pp, MVNETA_UNIT_CONTROL);
++ val &= ~MVNETA_PHY_POLLING_ENABLE;
++ mvreg_write(pp, MVNETA_UNIT_CONTROL, val);
++
+ mvneta_set_ucast_table(pp, -1);
+ mvneta_set_special_mcast_table(pp, -1);
+ mvneta_set_other_mcast_table(pp, -1);
+@@ -2307,7 +2316,9 @@ static void mvneta_adjust_link(struct net_device *ndev)
+ val = mvreg_read(pp, MVNETA_GMAC_AUTONEG_CONFIG);
+ val &= ~(MVNETA_GMAC_CONFIG_MII_SPEED |
+ MVNETA_GMAC_CONFIG_GMII_SPEED |
+- MVNETA_GMAC_CONFIG_FULL_DUPLEX);
++ MVNETA_GMAC_CONFIG_FULL_DUPLEX |
++ MVNETA_GMAC_AN_SPEED_EN |
++ MVNETA_GMAC_AN_DUPLEX_EN);
+
+ if (phydev->duplex)
+ val |= MVNETA_GMAC_CONFIG_FULL_DUPLEX;
+diff --git a/drivers/net/wireless/ath/ath9k/ar9003_phy.c b/drivers/net/wireless/ath/ath9k/ar9003_phy.c
+index 1f694ab..77d3a70 100644
+--- a/drivers/net/wireless/ath/ath9k/ar9003_phy.c
++++ b/drivers/net/wireless/ath/ath9k/ar9003_phy.c
+@@ -1173,6 +1173,10 @@ skip_ws_det:
+ * is_on == 0 means MRC CCK is OFF (more noise imm)
+ */
+ bool is_on = param ? 1 : 0;
++
++ if (ah->caps.rx_chainmask == 1)
++ break;
++
+ REG_RMW_FIELD(ah, AR_PHY_MRC_CCK_CTRL,
+ AR_PHY_MRC_CCK_ENABLE, is_on);
+ REG_RMW_FIELD(ah, AR_PHY_MRC_CCK_CTRL,
+diff --git a/drivers/net/wireless/ath/ath9k/ath9k.h b/drivers/net/wireless/ath/ath9k/ath9k.h
+index c1224b5..020b9b3 100644
+--- a/drivers/net/wireless/ath/ath9k/ath9k.h
++++ b/drivers/net/wireless/ath/ath9k/ath9k.h
+@@ -79,10 +79,6 @@ struct ath_config {
+ sizeof(struct ath_buf_state)); \
+ } while (0)
+
+-#define ATH_RXBUF_RESET(_bf) do { \
+- (_bf)->bf_stale = false; \
+- } while (0)
+-
+ /**
+ * enum buffer_type - Buffer type flags
+ *
+@@ -317,6 +313,7 @@ struct ath_rx {
+ struct ath_descdma rxdma;
+ struct ath_rx_edma rx_edma[ATH9K_RX_QUEUE_MAX];
+
++ struct ath_buf *buf_hold;
+ struct sk_buff *frag;
+
+ u32 ampdu_ref;
+diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c
+index 865e043..b4902b3 100644
+--- a/drivers/net/wireless/ath/ath9k/recv.c
++++ b/drivers/net/wireless/ath/ath9k/recv.c
+@@ -42,8 +42,6 @@ static void ath_rx_buf_link(struct ath_softc *sc, struct ath_buf *bf)
+ struct ath_desc *ds;
+ struct sk_buff *skb;
+
+- ATH_RXBUF_RESET(bf);
+-
+ ds = bf->bf_desc;
+ ds->ds_link = 0; /* link to null */
+ ds->ds_data = bf->bf_buf_addr;
+@@ -70,6 +68,14 @@ static void ath_rx_buf_link(struct ath_softc *sc, struct ath_buf *bf)
+ sc->rx.rxlink = &ds->ds_link;
+ }
+
++static void ath_rx_buf_relink(struct ath_softc *sc, struct ath_buf *bf)
++{
++ if (sc->rx.buf_hold)
++ ath_rx_buf_link(sc, sc->rx.buf_hold);
++
++ sc->rx.buf_hold = bf;
++}
++
+ static void ath_setdefantenna(struct ath_softc *sc, u32 antenna)
+ {
+ /* XXX block beacon interrupts */
+@@ -117,7 +123,6 @@ static bool ath_rx_edma_buf_link(struct ath_softc *sc,
+
+ skb = bf->bf_mpdu;
+
+- ATH_RXBUF_RESET(bf);
+ memset(skb->data, 0, ah->caps.rx_status_len);
+ dma_sync_single_for_device(sc->dev, bf->bf_buf_addr,
+ ah->caps.rx_status_len, DMA_TO_DEVICE);
+@@ -432,6 +437,7 @@ int ath_startrecv(struct ath_softc *sc)
+ if (list_empty(&sc->rx.rxbuf))
+ goto start_recv;
+
++ sc->rx.buf_hold = NULL;
+ sc->rx.rxlink = NULL;
+ list_for_each_entry_safe(bf, tbf, &sc->rx.rxbuf, list) {
+ ath_rx_buf_link(sc, bf);
+@@ -677,6 +683,9 @@ static struct ath_buf *ath_get_next_rx_buf(struct ath_softc *sc,
+ }
+
+ bf = list_first_entry(&sc->rx.rxbuf, struct ath_buf, list);
++ if (bf == sc->rx.buf_hold)
++ return NULL;
++
+ ds = bf->bf_desc;
+
+ /*
+@@ -1375,7 +1384,7 @@ requeue:
+ if (edma) {
+ ath_rx_edma_buf_link(sc, qtype);
+ } else {
+- ath_rx_buf_link(sc, bf);
++ ath_rx_buf_relink(sc, bf);
+ ath9k_hw_rxena(ah);
+ }
+ } while (1);
+diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
+index 9279927..ab64683 100644
+--- a/drivers/net/wireless/ath/ath9k/xmit.c
++++ b/drivers/net/wireless/ath/ath9k/xmit.c
+@@ -2602,6 +2602,7 @@ void ath_tx_node_init(struct ath_softc *sc, struct ath_node *an)
+ for (acno = 0, ac = &an->ac[acno];
+ acno < IEEE80211_NUM_ACS; acno++, ac++) {
+ ac->sched = false;
++ ac->clear_ps_filter = true;
+ ac->txq = sc->tx.txq_map[acno];
+ INIT_LIST_HEAD(&ac->tid_q);
+ }
+diff --git a/drivers/net/wireless/brcm80211/brcmsmac/dma.c b/drivers/net/wireless/brcm80211/brcmsmac/dma.c
+index 1860c57..4fb9635 100644
+--- a/drivers/net/wireless/brcm80211/brcmsmac/dma.c
++++ b/drivers/net/wireless/brcm80211/brcmsmac/dma.c
+@@ -1015,9 +1015,10 @@ static bool dma64_txidle(struct dma_info *di)
+
+ /*
+ * post receive buffers
+- * return false is refill failed completely and ring is empty this will stall
+- * the rx dma and user might want to call rxfill again asap. This unlikely
+- * happens on memory-rich NIC, but often on memory-constrained dongle
++ * Return false if refill failed completely or dma mapping failed. The ring
++ * is empty, which will stall the rx dma and user might want to call rxfill
++ * again asap. This is unlikely to happen on a memory-rich NIC, but often on
++ * memory-constrained dongle.
+ */
+ bool dma_rxfill(struct dma_pub *pub)
+ {
+@@ -1078,6 +1079,8 @@ bool dma_rxfill(struct dma_pub *pub)
+
+ pa = dma_map_single(di->dmadev, p->data, di->rxbufsize,
+ DMA_FROM_DEVICE);
++ if (dma_mapping_error(di->dmadev, pa))
++ return false;
+
+ /* save the free packet pointer */
+ di->rxp[rxout] = p;
+@@ -1284,7 +1287,11 @@ static void dma_txenq(struct dma_info *di, struct sk_buff *p)
+
+ /* get physical address of buffer start */
+ pa = dma_map_single(di->dmadev, data, len, DMA_TO_DEVICE);
+-
++ /* if mapping failed, free skb */
++ if (dma_mapping_error(di->dmadev, pa)) {
++ brcmu_pkt_buf_free_skb(p);
++ return;
++ }
+ /* With a DMA segment list, Descriptor table is filled
+ * using the segment list instead of looping over
+ * buffers in multi-chain DMA. Therefore, EOF for SGLIST
+diff --git a/drivers/of/base.c b/drivers/of/base.c
+index 5c54279..bf8432f 100644
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -1629,6 +1629,7 @@ void of_alias_scan(void * (*dt_alloc)(u64 size, u64 align))
+ ap = dt_alloc(sizeof(*ap) + len + 1, 4);
+ if (!ap)
+ continue;
++ memset(ap, 0, sizeof(*ap) + len + 1);
+ ap->alias = start;
+ of_alias_add(ap, np, id, start, len);
+ }
+diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c
+index b90a3a0..19afb9a 100644
+--- a/drivers/pinctrl/pinctrl-at91.c
++++ b/drivers/pinctrl/pinctrl-at91.c
+@@ -325,7 +325,7 @@ static void at91_mux_disable_interrupt(void __iomem *pio, unsigned mask)
+
+ static unsigned at91_mux_get_pullup(void __iomem *pio, unsigned pin)
+ {
+- return (readl_relaxed(pio + PIO_PUSR) >> pin) & 0x1;
++ return !((readl_relaxed(pio + PIO_PUSR) >> pin) & 0x1);
+ }
+
+ static void at91_mux_set_pullup(void __iomem *pio, unsigned mask, bool on)
+@@ -445,7 +445,7 @@ static void at91_mux_pio3_set_debounce(void __iomem *pio, unsigned mask,
+
+ static bool at91_mux_pio3_get_pulldown(void __iomem *pio, unsigned pin)
+ {
+- return (__raw_readl(pio + PIO_PPDSR) >> pin) & 0x1;
++ return !((__raw_readl(pio + PIO_PPDSR) >> pin) & 0x1);
+ }
+
+ static void at91_mux_pio3_set_pulldown(void __iomem *pio, unsigned mask, bool is_on)
+diff --git a/drivers/scsi/mpt3sas/Makefile b/drivers/scsi/mpt3sas/Makefile
+index 4c1d2e7..efb0c4c 100644
+--- a/drivers/scsi/mpt3sas/Makefile
++++ b/drivers/scsi/mpt3sas/Makefile
+@@ -1,5 +1,5 @@
+ # mpt3sas makefile
+-obj-m += mpt3sas.o
++obj-$(CONFIG_SCSI_MPT3SAS) += mpt3sas.o
+ mpt3sas-y += mpt3sas_base.o \
+ mpt3sas_config.o \
+ mpt3sas_scsih.o \
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index 86fcf2c..2783dd7 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -2419,14 +2419,9 @@ sd_read_cache_type(struct scsi_disk *sdkp, unsigned char *buffer)
+ }
+ }
+
+- if (modepage == 0x3F) {
+- sd_printk(KERN_ERR, sdkp, "No Caching mode page "
+- "present\n");
+- goto defaults;
+- } else if ((buffer[offset] & 0x3f) != modepage) {
+- sd_printk(KERN_ERR, sdkp, "Got wrong page\n");
+- goto defaults;
+- }
++ sd_printk(KERN_ERR, sdkp, "No Caching mode page found\n");
++ goto defaults;
++
+ Page_found:
+ if (modepage == 8) {
+ sdkp->WCE = ((buffer[offset + 2] & 0x04) != 0);
+diff --git a/drivers/staging/comedi/drivers/dt282x.c b/drivers/staging/comedi/drivers/dt282x.c
+index c1950e3..674b236 100644
+--- a/drivers/staging/comedi/drivers/dt282x.c
++++ b/drivers/staging/comedi/drivers/dt282x.c
+@@ -264,8 +264,9 @@ struct dt282x_private {
+ } \
+ udelay(5); \
+ } \
+- if (_i) \
++ if (_i) { \
+ b \
++ } \
+ } while (0)
+
+ static int prep_ai_dma(struct comedi_device *dev, int chan, int size);
+diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
+index e77fb6e..8f54c50 100644
+--- a/drivers/staging/zram/zram_drv.c
++++ b/drivers/staging/zram/zram_drv.c
+@@ -445,6 +445,14 @@ static int zram_bvec_write(struct zram *zram, struct bio_vec *bvec, u32 index,
+ goto out;
+ }
+
++ /*
++ * zram_slot_free_notify could miss free so that let's
++ * double check.
++ */
++ if (unlikely(meta->table[index].handle ||
++ zram_test_flag(meta, index, ZRAM_ZERO)))
++ zram_free_page(zram, index);
++
+ ret = lzo1x_1_compress(uncmem, PAGE_SIZE, src, &clen,
+ meta->compress_workmem);
+
+@@ -504,6 +512,20 @@ out:
+ return ret;
+ }
+
++static void handle_pending_slot_free(struct zram *zram)
++{
++ struct zram_slot_free *free_rq;
++
++ spin_lock(&zram->slot_free_lock);
++ while (zram->slot_free_rq) {
++ free_rq = zram->slot_free_rq;
++ zram->slot_free_rq = free_rq->next;
++ zram_free_page(zram, free_rq->index);
++ kfree(free_rq);
++ }
++ spin_unlock(&zram->slot_free_lock);
++}
++
+ static int zram_bvec_rw(struct zram *zram, struct bio_vec *bvec, u32 index,
+ int offset, struct bio *bio, int rw)
+ {
+@@ -511,10 +533,12 @@ static int zram_bvec_rw(struct zram *zram, struct bio_vec *bvec, u32 index,
+
+ if (rw == READ) {
+ down_read(&zram->lock);
++ handle_pending_slot_free(zram);
+ ret = zram_bvec_read(zram, bvec, index, offset, bio);
+ up_read(&zram->lock);
+ } else {
+ down_write(&zram->lock);
++ handle_pending_slot_free(zram);
+ ret = zram_bvec_write(zram, bvec, index, offset);
+ up_write(&zram->lock);
+ }
+@@ -522,11 +546,13 @@ static int zram_bvec_rw(struct zram *zram, struct bio_vec *bvec, u32 index,
+ return ret;
+ }
+
+-static void zram_reset_device(struct zram *zram)
++static void zram_reset_device(struct zram *zram, bool reset_capacity)
+ {
+ size_t index;
+ struct zram_meta *meta;
+
++ flush_work(&zram->free_work);
++
+ down_write(&zram->init_lock);
+ if (!zram->init_done) {
+ up_write(&zram->init_lock);
+@@ -551,7 +577,8 @@ static void zram_reset_device(struct zram *zram)
+ memset(&zram->stats, 0, sizeof(zram->stats));
+
+ zram->disksize = 0;
+- set_capacity(zram->disk, 0);
++ if (reset_capacity)
++ set_capacity(zram->disk, 0);
+ up_write(&zram->init_lock);
+ }
+
+@@ -635,7 +662,7 @@ static ssize_t reset_store(struct device *dev,
+ if (bdev)
+ fsync_bdev(bdev);
+
+- zram_reset_device(zram);
++ zram_reset_device(zram, true);
+ return len;
+ }
+
+@@ -720,16 +747,40 @@ error:
+ bio_io_error(bio);
+ }
+
++static void zram_slot_free(struct work_struct *work)
++{
++ struct zram *zram;
++
++ zram = container_of(work, struct zram, free_work);
++ down_write(&zram->lock);
++ handle_pending_slot_free(zram);
++ up_write(&zram->lock);
++}
++
++static void add_slot_free(struct zram *zram, struct zram_slot_free *free_rq)
++{
++ spin_lock(&zram->slot_free_lock);
++ free_rq->next = zram->slot_free_rq;
++ zram->slot_free_rq = free_rq;
++ spin_unlock(&zram->slot_free_lock);
++}
++
+ static void zram_slot_free_notify(struct block_device *bdev,
+ unsigned long index)
+ {
+ struct zram *zram;
++ struct zram_slot_free *free_rq;
+
+ zram = bdev->bd_disk->private_data;
+- down_write(&zram->lock);
+- zram_free_page(zram, index);
+- up_write(&zram->lock);
+ atomic64_inc(&zram->stats.notify_free);
++
++ free_rq = kmalloc(sizeof(struct zram_slot_free), GFP_ATOMIC);
++ if (!free_rq)
++ return;
++
++ free_rq->index = index;
++ add_slot_free(zram, free_rq);
++ schedule_work(&zram->free_work);
+ }
+
+ static const struct block_device_operations zram_devops = {
+@@ -776,6 +827,10 @@ static int create_device(struct zram *zram, int device_id)
+ init_rwsem(&zram->lock);
+ init_rwsem(&zram->init_lock);
+
++ INIT_WORK(&zram->free_work, zram_slot_free);
++ spin_lock_init(&zram->slot_free_lock);
++ zram->slot_free_rq = NULL;
++
+ zram->queue = blk_alloc_queue(GFP_KERNEL);
+ if (!zram->queue) {
+ pr_err("Error allocating disk queue for device %d\n",
+@@ -902,10 +957,12 @@ static void __exit zram_exit(void)
+ for (i = 0; i < num_devices; i++) {
+ zram = &zram_devices[i];
+
+- get_disk(zram->disk);
+ destroy_device(zram);
+- zram_reset_device(zram);
+- put_disk(zram->disk);
++ /*
++ * Shouldn't access zram->disk after destroy_device
++ * because destroy_device already released zram->disk.
++ */
++ zram_reset_device(zram, false);
+ }
+
+ unregister_blkdev(zram_major, "zram");
+diff --git a/drivers/staging/zram/zram_drv.h b/drivers/staging/zram/zram_drv.h
+index 9e57bfb..97a3acf 100644
+--- a/drivers/staging/zram/zram_drv.h
++++ b/drivers/staging/zram/zram_drv.h
+@@ -94,11 +94,20 @@ struct zram_meta {
+ struct zs_pool *mem_pool;
+ };
+
++struct zram_slot_free {
++ unsigned long index;
++ struct zram_slot_free *next;
++};
++
+ struct zram {
+ struct zram_meta *meta;
+ struct rw_semaphore lock; /* protect compression buffers, table,
+ * 32bit stat counters against concurrent
+ * notifications, reads and writes */
++
++ struct work_struct free_work; /* handle pending free request */
++ struct zram_slot_free *slot_free_rq; /* list head of free request */
++
+ struct request_queue *queue;
+ struct gendisk *disk;
+ int init_done;
+@@ -109,6 +118,7 @@ struct zram {
+ * we can store in a disk.
+ */
+ u64 disksize; /* bytes */
++ spinlock_t slot_free_lock;
+
+ struct zram_stats stats;
+ };
+diff --git a/drivers/target/target_core_alua.c b/drivers/target/target_core_alua.c
+index cbe48ab..f608fbc 100644
+--- a/drivers/target/target_core_alua.c
++++ b/drivers/target/target_core_alua.c
+@@ -730,7 +730,7 @@ static int core_alua_write_tpg_metadata(
+ if (ret < 0)
+ pr_err("Error writing ALUA metadata file: %s\n", path);
+ fput(file);
+- return ret ? -EIO : 0;
++ return (ret < 0) ? -EIO : 0;
+ }
+
+ /*
+diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c
+index bd78faf..adec5a8 100644
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -1949,7 +1949,7 @@ static int __core_scsi3_write_aptpl_to_file(
+ pr_debug("Error writing APTPL metadata file: %s\n", path);
+ fput(file);
+
+- return ret ? -EIO : 0;
++ return (ret < 0) ? -EIO : 0;
+ }
+
+ /*
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 366af83..20689b9 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -850,7 +850,8 @@ void disassociate_ctty(int on_exit)
+ struct pid *tty_pgrp = tty_get_pgrp(tty);
+ if (tty_pgrp) {
+ kill_pgrp(tty_pgrp, SIGHUP, on_exit);
+- kill_pgrp(tty_pgrp, SIGCONT, on_exit);
++ if (!on_exit)
++ kill_pgrp(tty_pgrp, SIGCONT, on_exit);
+ put_pid(tty_pgrp);
+ }
+ }
+diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
+index 8a230f0..d3318a0 100644
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -209,6 +209,7 @@ skip_error:
+ static void wdm_int_callback(struct urb *urb)
+ {
+ int rv = 0;
++ int responding;
+ int status = urb->status;
+ struct wdm_device *desc;
+ struct usb_cdc_notification *dr;
+@@ -262,8 +263,8 @@ static void wdm_int_callback(struct urb *urb)
+
+ spin_lock(&desc->iuspin);
+ clear_bit(WDM_READ, &desc->flags);
+- set_bit(WDM_RESPONDING, &desc->flags);
+- if (!test_bit(WDM_DISCONNECTING, &desc->flags)
++ responding = test_and_set_bit(WDM_RESPONDING, &desc->flags);
++ if (!responding && !test_bit(WDM_DISCONNECTING, &desc->flags)
+ && !test_bit(WDM_SUSPENDING, &desc->flags)) {
+ rv = usb_submit_urb(desc->response, GFP_ATOMIC);
+ dev_dbg(&desc->intf->dev, "%s: usb_submit_urb %d",
+@@ -685,16 +686,20 @@ static void wdm_rxwork(struct work_struct *work)
+ {
+ struct wdm_device *desc = container_of(work, struct wdm_device, rxwork);
+ unsigned long flags;
+- int rv;
++ int rv = 0;
++ int responding;
+
+ spin_lock_irqsave(&desc->iuspin, flags);
+ if (test_bit(WDM_DISCONNECTING, &desc->flags)) {
+ spin_unlock_irqrestore(&desc->iuspin, flags);
+ } else {
++ responding = test_and_set_bit(WDM_RESPONDING, &desc->flags);
+ spin_unlock_irqrestore(&desc->iuspin, flags);
+- rv = usb_submit_urb(desc->response, GFP_KERNEL);
++ if (!responding)
++ rv = usb_submit_urb(desc->response, GFP_KERNEL);
+ if (rv < 0 && rv != -EPERM) {
+ spin_lock_irqsave(&desc->iuspin, flags);
++ clear_bit(WDM_RESPONDING, &desc->flags);
+ if (!test_bit(WDM_DISCONNECTING, &desc->flags))
+ schedule_work(&desc->rxwork);
+ spin_unlock_irqrestore(&desc->iuspin, flags);
+diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
+index 7199adc..a6b2cab 100644
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -424,7 +424,8 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
+
+ memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
+ if (config->desc.bDescriptorType != USB_DT_CONFIG ||
+- config->desc.bLength < USB_DT_CONFIG_SIZE) {
++ config->desc.bLength < USB_DT_CONFIG_SIZE ||
++ config->desc.bLength > size) {
+ dev_err(ddev, "invalid descriptor for config index %d: "
+ "type = 0x%X, length = %d\n", cfgidx,
+ config->desc.bDescriptorType, config->desc.bLength);
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 558313d..17c3785 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2918,7 +2918,6 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg)
+ {
+ struct usb_hub *hub = usb_hub_to_struct_hub(udev->parent);
+ struct usb_port *port_dev = hub->ports[udev->portnum - 1];
+- enum pm_qos_flags_status pm_qos_stat;
+ int port1 = udev->portnum;
+ int status;
+ bool really_suspend = true;
+@@ -2956,7 +2955,7 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg)
+ status);
+ /* bail if autosuspend is requested */
+ if (PMSG_IS_AUTO(msg))
+- return status;
++ goto err_wakeup;
+ }
+ }
+
+@@ -2965,14 +2964,16 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg)
+ usb_set_usb2_hardware_lpm(udev, 0);
+
+ if (usb_disable_ltm(udev)) {
+- dev_err(&udev->dev, "%s Failed to disable LTM before suspend\n.",
+- __func__);
+- return -ENOMEM;
++ dev_err(&udev->dev, "Failed to disable LTM before suspend\n.");
++ status = -ENOMEM;
++ if (PMSG_IS_AUTO(msg))
++ goto err_ltm;
+ }
+ if (usb_unlocked_disable_lpm(udev)) {
+- dev_err(&udev->dev, "%s Failed to disable LPM before suspend\n.",
+- __func__);
+- return -ENOMEM;
++ dev_err(&udev->dev, "Failed to disable LPM before suspend\n.");
++ status = -ENOMEM;
++ if (PMSG_IS_AUTO(msg))
++ goto err_lpm3;
+ }
+
+ /* see 7.1.7.6 */
+@@ -3000,28 +3001,31 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg)
+ if (status) {
+ dev_dbg(hub->intfdev, "can't suspend port %d, status %d\n",
+ port1, status);
+- /* paranoia: "should not happen" */
+- if (udev->do_remote_wakeup) {
+- if (!hub_is_superspeed(hub->hdev)) {
+- (void) usb_control_msg(udev,
+- usb_sndctrlpipe(udev, 0),
+- USB_REQ_CLEAR_FEATURE,
+- USB_RECIP_DEVICE,
+- USB_DEVICE_REMOTE_WAKEUP, 0,
+- NULL, 0,
+- USB_CTRL_SET_TIMEOUT);
+- } else
+- (void) usb_disable_function_remotewakeup(udev);
+-
+- }
+
++ /* Try to enable USB3 LPM and LTM again */
++ usb_unlocked_enable_lpm(udev);
++ err_lpm3:
++ usb_enable_ltm(udev);
++ err_ltm:
+ /* Try to enable USB2 hardware LPM again */
+ if (udev->usb2_hw_lpm_capable == 1)
+ usb_set_usb2_hardware_lpm(udev, 1);
+
+- /* Try to enable USB3 LTM and LPM again */
+- usb_enable_ltm(udev);
+- usb_unlocked_enable_lpm(udev);
++ if (udev->do_remote_wakeup) {
++ if (udev->speed < USB_SPEED_SUPER)
++ usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
++ USB_REQ_CLEAR_FEATURE,
++ USB_RECIP_DEVICE,
++ USB_DEVICE_REMOTE_WAKEUP, 0,
++ NULL, 0, USB_CTRL_SET_TIMEOUT);
++ else
++ usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
++ USB_REQ_CLEAR_FEATURE,
++ USB_RECIP_INTERFACE,
++ USB_INTRF_FUNC_SUSPEND, 0,
++ NULL, 0, USB_CTRL_SET_TIMEOUT);
++ }
++ err_wakeup:
+
+ /* System sleep transitions should never fail */
+ if (!PMSG_IS_AUTO(msg))
+@@ -3039,16 +3043,7 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg)
+ usb_set_device_state(udev, USB_STATE_SUSPENDED);
+ }
+
+- /*
+- * Check whether current status meets the requirement of
+- * usb port power off mechanism
+- */
+- pm_qos_stat = dev_pm_qos_flags(&port_dev->dev,
+- PM_QOS_FLAG_NO_POWER_OFF);
+- if (!udev->do_remote_wakeup
+- && pm_qos_stat != PM_QOS_FLAGS_ALL
+- && udev->persist_enabled
+- && !status) {
++ if (status == 0 && !udev->do_remote_wakeup && udev->persist_enabled) {
+ pm_runtime_put_sync(&port_dev->dev);
+ port_dev->did_runtime_put = true;
+ }
+diff --git a/drivers/usb/core/port.c b/drivers/usb/core/port.c
+index d6b0fad..9909911 100644
+--- a/drivers/usb/core/port.c
++++ b/drivers/usb/core/port.c
+@@ -89,22 +89,19 @@ static int usb_port_runtime_resume(struct device *dev)
+ retval = usb_hub_set_port_power(hdev, hub, port1, true);
+ if (port_dev->child && !retval) {
+ /*
+- * Wait for usb hub port to be reconnected in order to make
+- * the resume procedure successful.
++ * Attempt to wait for usb hub port to be reconnected in order
++ * to make the resume procedure successful. The device may have
++ * disconnected while the port was powered off, so ignore the
++ * return status.
+ */
+ retval = hub_port_debounce_be_connected(hub, port1);
+- if (retval < 0) {
++ if (retval < 0)
+ dev_dbg(&port_dev->dev, "can't get reconnection after setting port power on, status %d\n",
+ retval);
+- goto out;
+- }
+ usb_clear_port_feature(hdev, port1, USB_PORT_FEAT_C_ENABLE);
+-
+- /* Set return value to 0 if debounce successful */
+ retval = 0;
+ }
+
+-out:
+ clear_bit(port1, hub->busy_bits);
+ usb_autopm_put_interface(intf);
+ return retval;
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index f77083f..14d28d6 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1508,6 +1508,15 @@ static int dwc3_gadget_start(struct usb_gadget *g,
+ int irq;
+ u32 reg;
+
++ irq = platform_get_irq(to_platform_device(dwc->dev), 0);
++ ret = request_threaded_irq(irq, dwc3_interrupt, dwc3_thread_interrupt,
++ IRQF_SHARED | IRQF_ONESHOT, "dwc3", dwc);
++ if (ret) {
++ dev_err(dwc->dev, "failed to request irq #%d --> %d\n",
++ irq, ret);
++ goto err0;
++ }
++
+ spin_lock_irqsave(&dwc->lock, flags);
+
+ if (dwc->gadget_driver) {
+@@ -1515,7 +1524,7 @@ static int dwc3_gadget_start(struct usb_gadget *g,
+ dwc->gadget.name,
+ dwc->gadget_driver->driver.name);
+ ret = -EBUSY;
+- goto err0;
++ goto err1;
+ }
+
+ dwc->gadget_driver = driver;
+@@ -1551,42 +1560,38 @@ static int dwc3_gadget_start(struct usb_gadget *g,
+ ret = __dwc3_gadget_ep_enable(dep, &dwc3_gadget_ep0_desc, NULL, false);
+ if (ret) {
+ dev_err(dwc->dev, "failed to enable %s\n", dep->name);
+- goto err0;
++ goto err2;
+ }
+
+ dep = dwc->eps[1];
+ ret = __dwc3_gadget_ep_enable(dep, &dwc3_gadget_ep0_desc, NULL, false);
+ if (ret) {
+ dev_err(dwc->dev, "failed to enable %s\n", dep->name);
+- goto err1;
++ goto err3;
+ }
+
+ /* begin to receive SETUP packets */
+ dwc->ep0state = EP0_SETUP_PHASE;
+ dwc3_ep0_out_start(dwc);
+
+- irq = platform_get_irq(to_platform_device(dwc->dev), 0);
+- ret = request_threaded_irq(irq, dwc3_interrupt, dwc3_thread_interrupt,
+- IRQF_SHARED | IRQF_ONESHOT, "dwc3", dwc);
+- if (ret) {
+- dev_err(dwc->dev, "failed to request irq #%d --> %d\n",
+- irq, ret);
+- goto err1;
+- }
+-
+ dwc3_gadget_enable_irq(dwc);
+
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
+ return 0;
+
+-err1:
++err3:
+ __dwc3_gadget_ep_disable(dwc->eps[0]);
+
+-err0:
++err2:
+ dwc->gadget_driver = NULL;
++
++err1:
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
++ free_irq(irq, dwc);
++
++err0:
+ return ret;
+ }
+
+@@ -1600,9 +1605,6 @@ static int dwc3_gadget_stop(struct usb_gadget *g,
+ spin_lock_irqsave(&dwc->lock, flags);
+
+ dwc3_gadget_disable_irq(dwc);
+- irq = platform_get_irq(to_platform_device(dwc->dev), 0);
+- free_irq(irq, dwc);
+-
+ __dwc3_gadget_ep_disable(dwc->eps[0]);
+ __dwc3_gadget_ep_disable(dwc->eps[1]);
+
+@@ -1610,6 +1612,9 @@ static int dwc3_gadget_stop(struct usb_gadget *g,
+
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
++ irq = platform_get_irq(to_platform_device(dwc->dev), 0);
++ free_irq(irq, dwc);
++
+ return 0;
+ }
+
+diff --git a/drivers/usb/gadget/uvc_queue.c b/drivers/usb/gadget/uvc_queue.c
+index e617047..0bb5d50 100644
+--- a/drivers/usb/gadget/uvc_queue.c
++++ b/drivers/usb/gadget/uvc_queue.c
+@@ -193,12 +193,16 @@ static int uvc_queue_buffer(struct uvc_video_queue *queue,
+
+ mutex_lock(&queue->mutex);
+ ret = vb2_qbuf(&queue->queue, buf);
++ if (ret < 0)
++ goto done;
++
+ spin_lock_irqsave(&queue->irqlock, flags);
+ ret = (queue->flags & UVC_QUEUE_PAUSED) != 0;
+ queue->flags &= ~UVC_QUEUE_PAUSED;
+ spin_unlock_irqrestore(&queue->irqlock, flags);
+- mutex_unlock(&queue->mutex);
+
++done:
++ mutex_unlock(&queue->mutex);
+ return ret;
+ }
+
+diff --git a/drivers/usb/host/ehci-mxc.c b/drivers/usb/host/ehci-mxc.c
+index e4c34ac..4c166e1 100644
+--- a/drivers/usb/host/ehci-mxc.c
++++ b/drivers/usb/host/ehci-mxc.c
+@@ -184,7 +184,7 @@ static int ehci_mxc_drv_remove(struct platform_device *pdev)
+ if (pdata && pdata->exit)
+ pdata->exit(pdev);
+
+- if (pdata->otg)
++ if (pdata && pdata->otg)
+ usb_phy_shutdown(pdata->otg);
+
+ clk_disable_unprepare(priv->usbclk);
+diff --git a/drivers/usb/host/ohci-pci.c b/drivers/usb/host/ohci-pci.c
+index 279b049..ec337c2 100644
+--- a/drivers/usb/host/ohci-pci.c
++++ b/drivers/usb/host/ohci-pci.c
+@@ -289,7 +289,7 @@ static struct pci_driver ohci_pci_driver = {
+ .remove = usb_hcd_pci_remove,
+ .shutdown = usb_hcd_pci_shutdown,
+
+-#ifdef CONFIG_PM_SLEEP
++#ifdef CONFIG_PM
+ .driver = {
+ .pm = &usb_hcd_pci_pm_ops
+ },
+diff --git a/drivers/usb/host/xhci-ext-caps.h b/drivers/usb/host/xhci-ext-caps.h
+index 8d7a132..9fe3225 100644
+--- a/drivers/usb/host/xhci-ext-caps.h
++++ b/drivers/usb/host/xhci-ext-caps.h
+@@ -71,7 +71,7 @@
+
+ /* USB 2.0 xHCI 1.0 hardware LMP capability - section 7.2.2.1.3.2 */
+ #define XHCI_HLC (1 << 19)
+-#define XHCI_BLC (1 << 19)
++#define XHCI_BLC (1 << 20)
+
+ /* command register values to disable interrupts and halt the HC */
+ /* start/stop HC execution - do not write unless HC is halted*/
+diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
+index 51e22bf..6eca5a5 100644
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -24,7 +24,7 @@ static void xhci_plat_quirks(struct device *dev, struct xhci_hcd *xhci)
+ * here that the generic code does not try to make a pci_dev from our
+ * dev struct in order to setup MSI
+ */
+- xhci->quirks |= XHCI_BROKEN_MSI;
++ xhci->quirks |= XHCI_PLAT;
+ }
+
+ /* called during probe() after chip reset completes */
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index 9478caa..b3c4162 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -343,9 +343,14 @@ static void __maybe_unused xhci_msix_sync_irqs(struct xhci_hcd *xhci)
+ static int xhci_try_enable_msi(struct usb_hcd *hcd)
+ {
+ struct xhci_hcd *xhci = hcd_to_xhci(hcd);
+- struct pci_dev *pdev = to_pci_dev(xhci_to_hcd(xhci)->self.controller);
++ struct pci_dev *pdev;
+ int ret;
+
++ /* The xhci platform device has set up IRQs through usb_add_hcd. */
++ if (xhci->quirks & XHCI_PLAT)
++ return 0;
++
++ pdev = to_pci_dev(xhci_to_hcd(xhci)->self.controller);
+ /*
+ * Some Fresco Logic host controllers advertise MSI, but fail to
+ * generate interrupts. Don't even try to enable MSI.
+@@ -3581,10 +3586,21 @@ void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev)
+ {
+ struct xhci_hcd *xhci = hcd_to_xhci(hcd);
+ struct xhci_virt_device *virt_dev;
++ struct device *dev = hcd->self.controller;
+ unsigned long flags;
+ u32 state;
+ int i, ret;
+
++#ifndef CONFIG_USB_DEFAULT_PERSIST
++ /*
++ * We called pm_runtime_get_noresume when the device was attached.
++ * Decrement the counter here to allow controller to runtime suspend
++ * if no devices remain.
++ */
++ if (xhci->quirks & XHCI_RESET_ON_RESUME)
++ pm_runtime_put_noidle(dev);
++#endif
++
+ ret = xhci_check_args(hcd, udev, NULL, 0, true, __func__);
+ /* If the host is halted due to driver unload, we still need to free the
+ * device.
+@@ -3656,6 +3672,7 @@ static int xhci_reserve_host_control_ep_resources(struct xhci_hcd *xhci)
+ int xhci_alloc_dev(struct usb_hcd *hcd, struct usb_device *udev)
+ {
+ struct xhci_hcd *xhci = hcd_to_xhci(hcd);
++ struct device *dev = hcd->self.controller;
+ unsigned long flags;
+ int timeleft;
+ int ret;
+@@ -3708,6 +3725,16 @@ int xhci_alloc_dev(struct usb_hcd *hcd, struct usb_device *udev)
+ goto disable_slot;
+ }
+ udev->slot_id = xhci->slot_id;
++
++#ifndef CONFIG_USB_DEFAULT_PERSIST
++ /*
++ * If resetting upon resume, we can't put the controller into runtime
++ * suspend if there is a device attached.
++ */
++ if (xhci->quirks & XHCI_RESET_ON_RESUME)
++ pm_runtime_get_noresume(dev);
++#endif
++
+ /* Is this a LS or FS device under a HS hub? */
+ /* Hub or peripherial? */
+ return 1;
+diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
+index c338741..6ab1e60 100644
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1542,6 +1542,7 @@ struct xhci_hcd {
+ #define XHCI_SPURIOUS_REBOOT (1 << 13)
+ #define XHCI_COMP_MODE_QUIRK (1 << 14)
+ #define XHCI_AVOID_BEI (1 << 15)
++#define XHCI_PLAT (1 << 16)
+ unsigned int num_active_eps;
+ unsigned int limit_active_eps;
+ /* There are two roothubs to keep track of bus suspend info for */
+diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
+index b013001..84657e0 100644
+--- a/drivers/usb/serial/mos7720.c
++++ b/drivers/usb/serial/mos7720.c
+@@ -374,7 +374,7 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport,
+ kfree(urbtrack);
+ return -ENOMEM;
+ }
+- urbtrack->setup = kmalloc(sizeof(*urbtrack->setup), GFP_KERNEL);
++ urbtrack->setup = kmalloc(sizeof(*urbtrack->setup), GFP_ATOMIC);
+ if (!urbtrack->setup) {
+ usb_free_urb(urbtrack->urb);
+ kfree(urbtrack);
+@@ -382,8 +382,8 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport,
+ }
+ urbtrack->setup->bRequestType = (__u8)0x40;
+ urbtrack->setup->bRequest = (__u8)0x0e;
+- urbtrack->setup->wValue = get_reg_value(reg, dummy);
+- urbtrack->setup->wIndex = get_reg_index(reg);
++ urbtrack->setup->wValue = cpu_to_le16(get_reg_value(reg, dummy));
++ urbtrack->setup->wIndex = cpu_to_le16(get_reg_index(reg));
+ urbtrack->setup->wLength = 0;
+ usb_fill_control_urb(urbtrack->urb, usbdev,
+ usb_sndctrlpipe(usbdev, 0),
+diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c
+index 04cdeb8..c4d2298 100644
+--- a/drivers/xen/grant-table.c
++++ b/drivers/xen/grant-table.c
+@@ -730,9 +730,18 @@ void gnttab_request_free_callback(struct gnttab_free_callback *callback,
+ void (*fn)(void *), void *arg, u16 count)
+ {
+ unsigned long flags;
++ struct gnttab_free_callback *cb;
++
+ spin_lock_irqsave(&gnttab_list_lock, flags);
+- if (callback->next)
+- goto out;
++
++ /* Check if the callback is already on the list */
++ cb = gnttab_free_callback_list;
++ while (cb) {
++ if (cb == callback)
++ goto out;
++ cb = cb->next;
++ }
++
+ callback->fn = fn;
+ callback->arg = arg;
+ callback->count = count;
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 238a055..9877a2a 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3312,6 +3312,9 @@ static long btrfs_ioctl_dev_replace(struct btrfs_root *root, void __user *arg)
+
+ switch (p->cmd) {
+ case BTRFS_IOCTL_DEV_REPLACE_CMD_START:
++ if (root->fs_info->sb->s_flags & MS_RDONLY)
++ return -EROFS;
++
+ if (atomic_xchg(
+ &root->fs_info->mutually_exclusive_operation_running,
+ 1)) {
+diff --git a/fs/ceph/ioctl.c b/fs/ceph/ioctl.c
+index e0b4ef3..a5ce62e 100644
+--- a/fs/ceph/ioctl.c
++++ b/fs/ceph/ioctl.c
+@@ -196,8 +196,10 @@ static long ceph_ioctl_get_dataloc(struct file *file, void __user *arg)
+ r = ceph_calc_file_object_mapping(&ci->i_layout, dl.file_offset, len,
+ &dl.object_no, &dl.object_offset,
+ &olen);
+- if (r < 0)
++ if (r < 0) {
++ up_read(&osdc->map_sem);
+ return -EIO;
++ }
+ dl.file_offset -= dl.object_offset;
+ dl.object_size = ceph_file_layout_object_size(ci->i_layout);
+ dl.block_size = ceph_file_layout_su(ci->i_layout);
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index d67c550..37950c6 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -379,6 +379,7 @@ cifs_reconnect(struct TCP_Server_Info *server)
+ try_to_freeze();
+
+ /* we should try only the port we connected to before */
++ mutex_lock(&server->srv_mutex);
+ rc = generic_ip_connect(server);
+ if (rc) {
+ cifs_dbg(FYI, "reconnect error %d\n", rc);
+@@ -390,6 +391,7 @@ cifs_reconnect(struct TCP_Server_Info *server)
+ server->tcpStatus = CifsNeedNegotiate;
+ spin_unlock(&GlobalMid_Lock);
+ }
++ mutex_unlock(&server->srv_mutex);
+ } while (server->tcpStatus == CifsNeedReconnect);
+
+ return rc;
+diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c
+index b0c4334..f851d03 100644
+--- a/fs/cifs/smb2misc.c
++++ b/fs/cifs/smb2misc.c
+@@ -417,96 +417,108 @@ cifs_ses_oplock_break(struct work_struct *work)
+ }
+
+ static bool
+-smb2_is_valid_lease_break(char *buffer, struct TCP_Server_Info *server)
++smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp,
++ struct smb2_lease_break_work *lw)
+ {
+- struct smb2_lease_break *rsp = (struct smb2_lease_break *)buffer;
+- struct list_head *tmp, *tmp1, *tmp2;
+- struct cifs_ses *ses;
+- struct cifs_tcon *tcon;
+- struct cifsInodeInfo *cinode;
++ bool found;
++ __u8 lease_state;
++ struct list_head *tmp;
+ struct cifsFileInfo *cfile;
+ struct cifs_pending_open *open;
+- struct smb2_lease_break_work *lw;
+- bool found;
++ struct cifsInodeInfo *cinode;
+ int ack_req = le32_to_cpu(rsp->Flags &
+ SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED);
+
+- lw = kmalloc(sizeof(struct smb2_lease_break_work), GFP_KERNEL);
+- if (!lw)
+- return false;
++ lease_state = smb2_map_lease_to_oplock(rsp->NewLeaseState);
+
+- INIT_WORK(&lw->lease_break, cifs_ses_oplock_break);
+- lw->lease_state = rsp->NewLeaseState;
++ list_for_each(tmp, &tcon->openFileList) {
++ cfile = list_entry(tmp, struct cifsFileInfo, tlist);
++ cinode = CIFS_I(cfile->dentry->d_inode);
+
+- cifs_dbg(FYI, "Checking for lease break\n");
++ if (memcmp(cinode->lease_key, rsp->LeaseKey,
++ SMB2_LEASE_KEY_SIZE))
++ continue;
+
+- /* look up tcon based on tid & uid */
+- spin_lock(&cifs_tcp_ses_lock);
+- list_for_each(tmp, &server->smb_ses_list) {
+- ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
++ cifs_dbg(FYI, "found in the open list\n");
++ cifs_dbg(FYI, "lease key match, lease break 0x%d\n",
++ le32_to_cpu(rsp->NewLeaseState));
+
+- spin_lock(&cifs_file_list_lock);
+- list_for_each(tmp1, &ses->tcon_list) {
+- tcon = list_entry(tmp1, struct cifs_tcon, tcon_list);
++ smb2_set_oplock_level(cinode, lease_state);
+
+- cifs_stats_inc(&tcon->stats.cifs_stats.num_oplock_brks);
+- list_for_each(tmp2, &tcon->openFileList) {
+- cfile = list_entry(tmp2, struct cifsFileInfo,
+- tlist);
+- cinode = CIFS_I(cfile->dentry->d_inode);
++ if (ack_req)
++ cfile->oplock_break_cancelled = false;
++ else
++ cfile->oplock_break_cancelled = true;
+
+- if (memcmp(cinode->lease_key, rsp->LeaseKey,
+- SMB2_LEASE_KEY_SIZE))
+- continue;
++ queue_work(cifsiod_wq, &cfile->oplock_break);
++ kfree(lw);
++ return true;
++ }
+
+- cifs_dbg(FYI, "found in the open list\n");
+- cifs_dbg(FYI, "lease key match, lease break 0x%d\n",
+- le32_to_cpu(rsp->NewLeaseState));
++ found = false;
++ list_for_each_entry(open, &tcon->pending_opens, olist) {
++ if (memcmp(open->lease_key, rsp->LeaseKey,
++ SMB2_LEASE_KEY_SIZE))
++ continue;
++
++ if (!found && ack_req) {
++ found = true;
++ memcpy(lw->lease_key, open->lease_key,
++ SMB2_LEASE_KEY_SIZE);
++ lw->tlink = cifs_get_tlink(open->tlink);
++ queue_work(cifsiod_wq, &lw->lease_break);
++ }
+
+- smb2_set_oplock_level(cinode,
+- smb2_map_lease_to_oplock(rsp->NewLeaseState));
++ cifs_dbg(FYI, "found in the pending open list\n");
++ cifs_dbg(FYI, "lease key match, lease break 0x%d\n",
++ le32_to_cpu(rsp->NewLeaseState));
+
+- if (ack_req)
+- cfile->oplock_break_cancelled = false;
+- else
+- cfile->oplock_break_cancelled = true;
++ open->oplock = lease_state;
++ }
++ return found;
++}
+
+- queue_work(cifsiod_wq, &cfile->oplock_break);
++static bool
++smb2_is_valid_lease_break(char *buffer)
++{
++ struct smb2_lease_break *rsp = (struct smb2_lease_break *)buffer;
++ struct list_head *tmp, *tmp1, *tmp2;
++ struct TCP_Server_Info *server;
++ struct cifs_ses *ses;
++ struct cifs_tcon *tcon;
++ struct smb2_lease_break_work *lw;
+
+- spin_unlock(&cifs_file_list_lock);
+- spin_unlock(&cifs_tcp_ses_lock);
+- return true;
+- }
++ lw = kmalloc(sizeof(struct smb2_lease_break_work), GFP_KERNEL);
++ if (!lw)
++ return false;
+
+- found = false;
+- list_for_each_entry(open, &tcon->pending_opens, olist) {
+- if (memcmp(open->lease_key, rsp->LeaseKey,
+- SMB2_LEASE_KEY_SIZE))
+- continue;
++ INIT_WORK(&lw->lease_break, cifs_ses_oplock_break);
++ lw->lease_state = rsp->NewLeaseState;
+
+- if (!found && ack_req) {
+- found = true;
+- memcpy(lw->lease_key, open->lease_key,
+- SMB2_LEASE_KEY_SIZE);
+- lw->tlink = cifs_get_tlink(open->tlink);
+- queue_work(cifsiod_wq,
+- &lw->lease_break);
+- }
++ cifs_dbg(FYI, "Checking for lease break\n");
++
++ /* look up tcon based on tid & uid */
++ spin_lock(&cifs_tcp_ses_lock);
++ list_for_each(tmp, &cifs_tcp_ses_list) {
++ server = list_entry(tmp, struct TCP_Server_Info, tcp_ses_list);
+
+- cifs_dbg(FYI, "found in the pending open list\n");
+- cifs_dbg(FYI, "lease key match, lease break 0x%d\n",
+- le32_to_cpu(rsp->NewLeaseState));
++ list_for_each(tmp1, &server->smb_ses_list) {
++ ses = list_entry(tmp1, struct cifs_ses, smb_ses_list);
+
+- open->oplock =
+- smb2_map_lease_to_oplock(rsp->NewLeaseState);
+- }
+- if (found) {
+- spin_unlock(&cifs_file_list_lock);
+- spin_unlock(&cifs_tcp_ses_lock);
+- return true;
++ spin_lock(&cifs_file_list_lock);
++ list_for_each(tmp2, &ses->tcon_list) {
++ tcon = list_entry(tmp2, struct cifs_tcon,
++ tcon_list);
++ cifs_stats_inc(
++ &tcon->stats.cifs_stats.num_oplock_brks);
++ if (smb2_tcon_has_lease(tcon, rsp, lw)) {
++ spin_unlock(&cifs_file_list_lock);
++ spin_unlock(&cifs_tcp_ses_lock);
++ return true;
++ }
+ }
++ spin_unlock(&cifs_file_list_lock);
+ }
+- spin_unlock(&cifs_file_list_lock);
+ }
+ spin_unlock(&cifs_tcp_ses_lock);
+ kfree(lw);
+@@ -532,7 +544,7 @@ smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server)
+ if (rsp->StructureSize !=
+ smb2_rsp_struct_sizes[SMB2_OPLOCK_BREAK_HE]) {
+ if (le16_to_cpu(rsp->StructureSize) == 44)
+- return smb2_is_valid_lease_break(buffer, server);
++ return smb2_is_valid_lease_break(buffer);
+ else
+ return false;
+ }
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index c2ca04e..ea4d188 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -1890,6 +1890,26 @@ static int ext4_writepage(struct page *page,
+ return ret;
+ }
+
++static int mpage_submit_page(struct mpage_da_data *mpd, struct page *page)
++{
++ int len;
++ loff_t size = i_size_read(mpd->inode);
++ int err;
++
++ BUG_ON(page->index != mpd->first_page);
++ if (page->index == size >> PAGE_CACHE_SHIFT)
++ len = size & ~PAGE_CACHE_MASK;
++ else
++ len = PAGE_CACHE_SIZE;
++ clear_page_dirty_for_io(page);
++ err = ext4_bio_write_page(&mpd->io_submit, page, len, mpd->wbc);
++ if (!err)
++ mpd->wbc->nr_to_write--;
++ mpd->first_page++;
++
++ return err;
++}
++
+ #define BH_FLAGS ((1 << BH_Unwritten) | (1 << BH_Delay))
+
+ /*
+@@ -1904,82 +1924,94 @@ static int ext4_writepage(struct page *page,
+ *
+ * @mpd - extent of blocks
+ * @lblk - logical number of the block in the file
+- * @b_state - b_state of the buffer head added
++ * @bh - buffer head we want to add to the extent
+ *
+- * the function is used to collect contig. blocks in same state
++ * The function is used to collect contig. blocks in the same state. If the
++ * buffer doesn't require mapping for writeback and we haven't started the
++ * extent of buffers to map yet, the function returns 'true' immediately - the
++ * caller can write the buffer right away. Otherwise the function returns true
++ * if the block has been added to the extent, false if the block couldn't be
++ * added.
+ */
+-static int mpage_add_bh_to_extent(struct mpage_da_data *mpd, ext4_lblk_t lblk,
+- unsigned long b_state)
++static bool mpage_add_bh_to_extent(struct mpage_da_data *mpd, ext4_lblk_t lblk,
++ struct buffer_head *bh)
+ {
+ struct ext4_map_blocks *map = &mpd->map;
+
+- /* Don't go larger than mballoc is willing to allocate */
+- if (map->m_len >= MAX_WRITEPAGES_EXTENT_LEN)
+- return 0;
++ /* Buffer that doesn't need mapping for writeback? */
++ if (!buffer_dirty(bh) || !buffer_mapped(bh) ||
++ (!buffer_delay(bh) && !buffer_unwritten(bh))) {
++ /* So far no extent to map => we write the buffer right away */
++ if (map->m_len == 0)
++ return true;
++ return false;
++ }
+
+ /* First block in the extent? */
+ if (map->m_len == 0) {
+ map->m_lblk = lblk;
+ map->m_len = 1;
+- map->m_flags = b_state & BH_FLAGS;
+- return 1;
++ map->m_flags = bh->b_state & BH_FLAGS;
++ return true;
+ }
+
++ /* Don't go larger than mballoc is willing to allocate */
++ if (map->m_len >= MAX_WRITEPAGES_EXTENT_LEN)
++ return false;
++
+ /* Can we merge the block to our big extent? */
+ if (lblk == map->m_lblk + map->m_len &&
+- (b_state & BH_FLAGS) == map->m_flags) {
++ (bh->b_state & BH_FLAGS) == map->m_flags) {
+ map->m_len++;
+- return 1;
++ return true;
+ }
+- return 0;
++ return false;
+ }
+
+-static bool add_page_bufs_to_extent(struct mpage_da_data *mpd,
+- struct buffer_head *head,
+- struct buffer_head *bh,
+- ext4_lblk_t lblk)
++/*
++ * mpage_process_page_bufs - submit page buffers for IO or add them to extent
++ *
++ * @mpd - extent of blocks for mapping
++ * @head - the first buffer in the page
++ * @bh - buffer we should start processing from
++ * @lblk - logical number of the block in the file corresponding to @bh
++ *
++ * Walk through page buffers from @bh upto @head (exclusive) and either submit
++ * the page for IO if all buffers in this page were mapped and there's no
++ * accumulated extent of buffers to map or add buffers in the page to the
++ * extent of buffers to map. The function returns 1 if the caller can continue
++ * by processing the next page, 0 if it should stop adding buffers to the
++ * extent to map because we cannot extend it anymore. It can also return value
++ * < 0 in case of error during IO submission.
++ */
++static int mpage_process_page_bufs(struct mpage_da_data *mpd,
++ struct buffer_head *head,
++ struct buffer_head *bh,
++ ext4_lblk_t lblk)
+ {
+ struct inode *inode = mpd->inode;
++ int err;
+ ext4_lblk_t blocks = (i_size_read(inode) + (1 << inode->i_blkbits) - 1)
+ >> inode->i_blkbits;
+
+ do {
+ BUG_ON(buffer_locked(bh));
+
+- if (!buffer_dirty(bh) || !buffer_mapped(bh) ||
+- (!buffer_delay(bh) && !buffer_unwritten(bh)) ||
+- lblk >= blocks) {
++ if (lblk >= blocks || !mpage_add_bh_to_extent(mpd, lblk, bh)) {
+ /* Found extent to map? */
+ if (mpd->map.m_len)
+- return false;
+- if (lblk >= blocks)
+- return true;
+- continue;
++ return 0;
++ /* Everything mapped so far and we hit EOF */
++ break;
+ }
+- if (!mpage_add_bh_to_extent(mpd, lblk, bh->b_state))
+- return false;
+ } while (lblk++, (bh = bh->b_this_page) != head);
+- return true;
+-}
+-
+-static int mpage_submit_page(struct mpage_da_data *mpd, struct page *page)
+-{
+- int len;
+- loff_t size = i_size_read(mpd->inode);
+- int err;
+-
+- BUG_ON(page->index != mpd->first_page);
+- if (page->index == size >> PAGE_CACHE_SHIFT)
+- len = size & ~PAGE_CACHE_MASK;
+- else
+- len = PAGE_CACHE_SIZE;
+- clear_page_dirty_for_io(page);
+- err = ext4_bio_write_page(&mpd->io_submit, page, len, mpd->wbc);
+- if (!err)
+- mpd->wbc->nr_to_write--;
+- mpd->first_page++;
+-
+- return err;
++ /* So far everything mapped? Submit the page for IO. */
++ if (mpd->map.m_len == 0) {
++ err = mpage_submit_page(mpd, head->b_page);
++ if (err < 0)
++ return err;
++ }
++ return lblk < blocks;
+ }
+
+ /*
+@@ -2003,8 +2035,6 @@ static int mpage_map_and_submit_buffers(struct mpage_da_data *mpd)
+ struct inode *inode = mpd->inode;
+ struct buffer_head *head, *bh;
+ int bpp_bits = PAGE_CACHE_SHIFT - inode->i_blkbits;
+- ext4_lblk_t blocks = (i_size_read(inode) + (1 << inode->i_blkbits) - 1)
+- >> inode->i_blkbits;
+ pgoff_t start, end;
+ ext4_lblk_t lblk;
+ sector_t pblock;
+@@ -2039,18 +2069,26 @@ static int mpage_map_and_submit_buffers(struct mpage_da_data *mpd)
+ */
+ mpd->map.m_len = 0;
+ mpd->map.m_flags = 0;
+- add_page_bufs_to_extent(mpd, head, bh,
+- lblk);
++ /*
++ * FIXME: If dioread_nolock supports
++ * blocksize < pagesize, we need to make
++ * sure we add size mapped so far to
++ * io_end->size as the following call
++ * can submit the page for IO.
++ */
++ err = mpage_process_page_bufs(mpd, head,
++ bh, lblk);
+ pagevec_release(&pvec);
+- return 0;
++ if (err > 0)
++ err = 0;
++ return err;
+ }
+ if (buffer_delay(bh)) {
+ clear_buffer_delay(bh);
+ bh->b_blocknr = pblock++;
+ }
+ clear_buffer_unwritten(bh);
+- } while (++lblk < blocks &&
+- (bh = bh->b_this_page) != head);
++ } while (lblk++, (bh = bh->b_this_page) != head);
+
+ /*
+ * FIXME: This is going to break if dioread_nolock
+@@ -2319,14 +2357,10 @@ static int mpage_prepare_extent_to_map(struct mpage_da_data *mpd)
+ lblk = ((ext4_lblk_t)page->index) <<
+ (PAGE_CACHE_SHIFT - blkbits);
+ head = page_buffers(page);
+- if (!add_page_bufs_to_extent(mpd, head, head, lblk))
++ err = mpage_process_page_bufs(mpd, head, head, lblk);
++ if (err <= 0)
+ goto out;
+- /* So far everything mapped? Submit the page for IO. */
+- if (mpd->map.m_len == 0) {
+- err = mpage_submit_page(mpd, page);
+- if (err < 0)
+- goto out;
+- }
++ err = 0;
+
+ /*
+ * Accumulated enough dirty pages? This doesn't apply
+@@ -4566,7 +4600,9 @@ int ext4_setattr(struct dentry *dentry, struct iattr *attr)
+ ext4_journal_stop(handle);
+ }
+
+- if (attr->ia_valid & ATTR_SIZE) {
++ if (attr->ia_valid & ATTR_SIZE && attr->ia_size != inode->i_size) {
++ handle_t *handle;
++ loff_t oldsize = inode->i_size;
+
+ if (!(ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))) {
+ struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
+@@ -4574,73 +4610,60 @@ int ext4_setattr(struct dentry *dentry, struct iattr *attr)
+ if (attr->ia_size > sbi->s_bitmap_maxbytes)
+ return -EFBIG;
+ }
+- }
+-
+- if (S_ISREG(inode->i_mode) &&
+- attr->ia_valid & ATTR_SIZE &&
+- (attr->ia_size < inode->i_size)) {
+- handle_t *handle;
+-
+- handle = ext4_journal_start(inode, EXT4_HT_INODE, 3);
+- if (IS_ERR(handle)) {
+- error = PTR_ERR(handle);
+- goto err_out;
+- }
+- if (ext4_handle_valid(handle)) {
+- error = ext4_orphan_add(handle, inode);
+- orphan = 1;
+- }
+- EXT4_I(inode)->i_disksize = attr->ia_size;
+- rc = ext4_mark_inode_dirty(handle, inode);
+- if (!error)
+- error = rc;
+- ext4_journal_stop(handle);
+-
+- if (ext4_should_order_data(inode)) {
+- error = ext4_begin_ordered_truncate(inode,
++ if (S_ISREG(inode->i_mode) &&
++ (attr->ia_size < inode->i_size)) {
++ if (ext4_should_order_data(inode)) {
++ error = ext4_begin_ordered_truncate(inode,
+ attr->ia_size);
+- if (error) {
+- /* Do as much error cleanup as possible */
+- handle = ext4_journal_start(inode,
+- EXT4_HT_INODE, 3);
+- if (IS_ERR(handle)) {
+- ext4_orphan_del(NULL, inode);
++ if (error)
+ goto err_out;
+- }
+- ext4_orphan_del(handle, inode);
+- orphan = 0;
+- ext4_journal_stop(handle);
++ }
++ handle = ext4_journal_start(inode, EXT4_HT_INODE, 3);
++ if (IS_ERR(handle)) {
++ error = PTR_ERR(handle);
++ goto err_out;
++ }
++ if (ext4_handle_valid(handle)) {
++ error = ext4_orphan_add(handle, inode);
++ orphan = 1;
++ }
++ EXT4_I(inode)->i_disksize = attr->ia_size;
++ rc = ext4_mark_inode_dirty(handle, inode);
++ if (!error)
++ error = rc;
++ ext4_journal_stop(handle);
++ if (error) {
++ ext4_orphan_del(NULL, inode);
+ goto err_out;
+ }
+ }
+- }
+-
+- if (attr->ia_valid & ATTR_SIZE) {
+- if (attr->ia_size != inode->i_size) {
+- loff_t oldsize = inode->i_size;
+
+- i_size_write(inode, attr->ia_size);
+- /*
+- * Blocks are going to be removed from the inode. Wait
+- * for dio in flight. Temporarily disable
+- * dioread_nolock to prevent livelock.
+- */
+- if (orphan) {
+- if (!ext4_should_journal_data(inode)) {
+- ext4_inode_block_unlocked_dio(inode);
+- inode_dio_wait(inode);
+- ext4_inode_resume_unlocked_dio(inode);
+- } else
+- ext4_wait_for_tail_page_commit(inode);
+- }
+- /*
+- * Truncate pagecache after we've waited for commit
+- * in data=journal mode to make pages freeable.
+- */
+- truncate_pagecache(inode, oldsize, inode->i_size);
++ i_size_write(inode, attr->ia_size);
++ /*
++ * Blocks are going to be removed from the inode. Wait
++ * for dio in flight. Temporarily disable
++ * dioread_nolock to prevent livelock.
++ */
++ if (orphan) {
++ if (!ext4_should_journal_data(inode)) {
++ ext4_inode_block_unlocked_dio(inode);
++ inode_dio_wait(inode);
++ ext4_inode_resume_unlocked_dio(inode);
++ } else
++ ext4_wait_for_tail_page_commit(inode);
+ }
+- ext4_truncate(inode);
++ /*
++ * Truncate pagecache after we've waited for commit
++ * in data=journal mode to make pages freeable.
++ */
++ truncate_pagecache(inode, oldsize, inode->i_size);
+ }
++ /*
++ * We want to call ext4_truncate() even if attr->ia_size ==
++ * inode->i_size for cases like truncation of fallocated space
++ */
++ if (attr->ia_valid & ATTR_SIZE)
++ ext4_truncate(inode);
+
+ if (!rc) {
+ setattr_copy(inode, attr);
+diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
+index 72a5d5b..8fec28f 100644
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1174,6 +1174,8 @@ static int parse_dirfile(char *buf, size_t nbytes, struct file *file,
+ return -EIO;
+ if (reclen > nbytes)
+ break;
++ if (memchr(dirent->name, '/', dirent->namelen) != NULL)
++ return -EIO;
+
+ if (!dir_emit(ctx, dirent->name, dirent->namelen,
+ dirent->ino, dirent->type))
+@@ -1320,6 +1322,8 @@ static int parse_dirplusfile(char *buf, size_t nbytes, struct file *file,
+ return -EIO;
+ if (reclen > nbytes)
+ break;
++ if (memchr(dirent->name, '/', dirent->namelen) != NULL)
++ return -EIO;
+
+ if (!over) {
+ /* We fill entries into dstbuf only as much as
+@@ -1590,6 +1594,7 @@ int fuse_do_setattr(struct inode *inode, struct iattr *attr,
+ struct file *file)
+ {
+ struct fuse_conn *fc = get_fuse_conn(inode);
++ struct fuse_inode *fi = get_fuse_inode(inode);
+ struct fuse_req *req;
+ struct fuse_setattr_in inarg;
+ struct fuse_attr_out outarg;
+@@ -1617,8 +1622,10 @@ int fuse_do_setattr(struct inode *inode, struct iattr *attr,
+ if (IS_ERR(req))
+ return PTR_ERR(req);
+
+- if (is_truncate)
++ if (is_truncate) {
+ fuse_set_nowrite(inode);
++ set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
++ }
+
+ memset(&inarg, 0, sizeof(inarg));
+ memset(&outarg, 0, sizeof(outarg));
+@@ -1680,12 +1687,14 @@ int fuse_do_setattr(struct inode *inode, struct iattr *attr,
+ invalidate_inode_pages2(inode->i_mapping);
+ }
+
++ clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
+ return 0;
+
+ error:
+ if (is_truncate)
+ fuse_release_nowrite(inode);
+
++ clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
+ return err;
+ }
+
+@@ -1749,6 +1758,8 @@ static int fuse_setxattr(struct dentry *entry, const char *name,
+ fc->no_setxattr = 1;
+ err = -EOPNOTSUPP;
+ }
++ if (!err)
++ fuse_invalidate_attr(inode);
+ return err;
+ }
+
+@@ -1878,6 +1889,8 @@ static int fuse_removexattr(struct dentry *entry, const char *name)
+ fc->no_removexattr = 1;
+ err = -EOPNOTSUPP;
+ }
++ if (!err)
++ fuse_invalidate_attr(inode);
+ return err;
+ }
+
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c
+index 5c121fe..d409dea 100644
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -629,7 +629,8 @@ static void fuse_read_update_size(struct inode *inode, loff_t size,
+ struct fuse_inode *fi = get_fuse_inode(inode);
+
+ spin_lock(&fc->lock);
+- if (attr_ver == fi->attr_version && size < inode->i_size) {
++ if (attr_ver == fi->attr_version && size < inode->i_size &&
++ !test_bit(FUSE_I_SIZE_UNSTABLE, &fi->state)) {
+ fi->attr_version = ++fc->attr_version;
+ i_size_write(inode, size);
+ }
+@@ -1032,12 +1033,16 @@ static ssize_t fuse_perform_write(struct file *file,
+ {
+ struct inode *inode = mapping->host;
+ struct fuse_conn *fc = get_fuse_conn(inode);
++ struct fuse_inode *fi = get_fuse_inode(inode);
+ int err = 0;
+ ssize_t res = 0;
+
+ if (is_bad_inode(inode))
+ return -EIO;
+
++ if (inode->i_size < pos + iov_iter_count(ii))
++ set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
++
+ do {
+ struct fuse_req *req;
+ ssize_t count;
+@@ -1073,6 +1078,7 @@ static ssize_t fuse_perform_write(struct file *file,
+ if (res > 0)
+ fuse_write_update_size(inode, pos);
+
++ clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
+ fuse_invalidate_attr(inode);
+
+ return res > 0 ? res : err;
+@@ -1529,7 +1535,6 @@ static int fuse_writepage_locked(struct page *page)
+
+ inc_bdi_stat(mapping->backing_dev_info, BDI_WRITEBACK);
+ inc_zone_page_state(tmp_page, NR_WRITEBACK_TEMP);
+- end_page_writeback(page);
+
+ spin_lock(&fc->lock);
+ list_add(&req->writepages_entry, &fi->writepages);
+@@ -1537,6 +1542,8 @@ static int fuse_writepage_locked(struct page *page)
+ fuse_flush_writepages(inode);
+ spin_unlock(&fc->lock);
+
++ end_page_writeback(page);
++
+ return 0;
+
+ err_free:
+diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
+index fde7249..5ced199 100644
+--- a/fs/fuse/fuse_i.h
++++ b/fs/fuse/fuse_i.h
+@@ -115,6 +115,8 @@ struct fuse_inode {
+ enum {
+ /** Advise readdirplus */
+ FUSE_I_ADVISE_RDPLUS,
++ /** An operation changing file size is in progress */
++ FUSE_I_SIZE_UNSTABLE,
+ };
+
+ struct fuse_conn;
+diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
+index 0b57859..e0fe703 100644
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -201,7 +201,8 @@ void fuse_change_attributes(struct inode *inode, struct fuse_attr *attr,
+ struct timespec old_mtime;
+
+ spin_lock(&fc->lock);
+- if (attr_version != 0 && fi->attr_version > attr_version) {
++ if ((attr_version != 0 && fi->attr_version > attr_version) ||
++ test_bit(FUSE_I_SIZE_UNSTABLE, &fi->state)) {
+ spin_unlock(&fc->lock);
+ return;
+ }
+diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
+index c348d6d..e5d408a 100644
+--- a/fs/isofs/inode.c
++++ b/fs/isofs/inode.c
+@@ -117,8 +117,8 @@ static void destroy_inodecache(void)
+
+ static int isofs_remount(struct super_block *sb, int *flags, char *data)
+ {
+- /* we probably want a lot more here */
+- *flags |= MS_RDONLY;
++ if (!(*flags & MS_RDONLY))
++ return -EROFS;
+ return 0;
+ }
+
+@@ -763,15 +763,6 @@ root_found:
+ */
+ s->s_maxbytes = 0x80000000000LL;
+
+- /*
+- * The CDROM is read-only, has no nodes (devices) on it, and since
+- * all of the files appear to be owned by root, we really do not want
+- * to allow suid. (suid or devices will not show up unless we have
+- * Rock Ridge extensions)
+- */
+-
+- s->s_flags |= MS_RDONLY /* | MS_NODEV | MS_NOSUID */;
+-
+ /* Set this for reference. Its not currently used except on write
+ which we don't have .. */
+
+@@ -1530,6 +1521,9 @@ struct inode *isofs_iget(struct super_block *sb,
+ static struct dentry *isofs_mount(struct file_system_type *fs_type,
+ int flags, const char *dev_name, void *data)
+ {
++ /* We don't support read-write mounts */
++ if (!(flags & MS_RDONLY))
++ return ERR_PTR(-EACCES);
+ return mount_bdev(fs_type, flags, dev_name, data, isofs_fill_super);
+ }
+
+diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c
+index 2487116..8460647 100644
+--- a/fs/ocfs2/extent_map.c
++++ b/fs/ocfs2/extent_map.c
+@@ -781,7 +781,6 @@ int ocfs2_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo,
+ cpos = map_start >> osb->s_clustersize_bits;
+ mapping_end = ocfs2_clusters_for_bytes(inode->i_sb,
+ map_start + map_len);
+- mapping_end -= cpos;
+ is_last = 0;
+ while (cpos < mapping_end && !is_last) {
+ u32 fe_flags;
+diff --git a/fs/proc/root.c b/fs/proc/root.c
+index e0a790d..0e0e83c 100644
+--- a/fs/proc/root.c
++++ b/fs/proc/root.c
+@@ -110,7 +110,8 @@ static struct dentry *proc_mount(struct file_system_type *fs_type,
+ ns = task_active_pid_ns(current);
+ options = data;
+
+- if (!current_user_ns()->may_mount_proc)
++ if (!current_user_ns()->may_mount_proc ||
++ !ns_capable(ns->user_ns, CAP_SYS_ADMIN))
+ return ERR_PTR(-EPERM);
+ }
+
+diff --git a/include/linux/compat.h b/include/linux/compat.h
+index 7f0c1dd..ec1aee4 100644
+--- a/include/linux/compat.h
++++ b/include/linux/compat.h
+@@ -669,6 +669,13 @@ asmlinkage long compat_sys_sigaltstack(const compat_stack_t __user *uss_ptr,
+
+ int compat_restore_altstack(const compat_stack_t __user *uss);
+ int __compat_save_altstack(compat_stack_t __user *, unsigned long);
++#define compat_save_altstack_ex(uss, sp) do { \
++ compat_stack_t __user *__uss = uss; \
++ struct task_struct *t = current; \
++ put_user_ex(ptr_to_compat((void __user *)t->sas_ss_sp), &__uss->ss_sp); \
++ put_user_ex(sas_ss_flags(sp), &__uss->ss_flags); \
++ put_user_ex(t->sas_ss_size, &__uss->ss_size); \
++} while (0);
+
+ asmlinkage long compat_sys_sched_rr_get_interval(compat_pid_t pid,
+ struct compat_timespec __user *interval);
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index 0c48991..ff545cc 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -393,10 +393,12 @@ struct hid_report {
+ struct hid_device *device; /* associated device */
+ };
+
++#define HID_MAX_IDS 256
++
+ struct hid_report_enum {
+ unsigned numbered;
+ struct list_head report_list;
+- struct hid_report *report_id_hash[256];
++ struct hid_report *report_id_hash[HID_MAX_IDS];
+ };
+
+ #define HID_REPORT_TYPES 3
+diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h
+index 3bed2e8..d1fe5d0 100644
+--- a/include/linux/pci_ids.h
++++ b/include/linux/pci_ids.h
+@@ -518,6 +518,8 @@
+ #define PCI_DEVICE_ID_AMD_11H_NB_MISC 0x1303
+ #define PCI_DEVICE_ID_AMD_11H_NB_LINK 0x1304
+ #define PCI_DEVICE_ID_AMD_15H_M10H_F3 0x1403
++#define PCI_DEVICE_ID_AMD_15H_M30H_NB_F3 0x141d
++#define PCI_DEVICE_ID_AMD_15H_M30H_NB_F4 0x141e
+ #define PCI_DEVICE_ID_AMD_15H_NB_F0 0x1600
+ #define PCI_DEVICE_ID_AMD_15H_NB_F1 0x1601
+ #define PCI_DEVICE_ID_AMD_15H_NB_F2 0x1602
+diff --git a/include/linux/rculist.h b/include/linux/rculist.h
+index f4b1001..4106721 100644
+--- a/include/linux/rculist.h
++++ b/include/linux/rculist.h
+@@ -267,8 +267,9 @@ static inline void list_splice_init_rcu(struct list_head *list,
+ */
+ #define list_first_or_null_rcu(ptr, type, member) \
+ ({struct list_head *__ptr = (ptr); \
+- struct list_head __rcu *__next = list_next_rcu(__ptr); \
+- likely(__ptr != __next) ? container_of(__next, type, member) : NULL; \
++ struct list_head *__next = ACCESS_ONCE(__ptr->next); \
++ likely(__ptr != __next) ? \
++ list_entry_rcu(__next, type, member) : NULL; \
+ })
+
+ /**
+diff --git a/include/linux/signal.h b/include/linux/signal.h
+index d897484..2ac423b 100644
+--- a/include/linux/signal.h
++++ b/include/linux/signal.h
+@@ -434,6 +434,14 @@ void signals_init(void);
+ int restore_altstack(const stack_t __user *);
+ int __save_altstack(stack_t __user *, unsigned long);
+
++#define save_altstack_ex(uss, sp) do { \
++ stack_t __user *__uss = uss; \
++ struct task_struct *t = current; \
++ put_user_ex((void __user *)t->sas_ss_sp, &__uss->ss_sp); \
++ put_user_ex(sas_ss_flags(sp), &__uss->ss_flags); \
++ put_user_ex(t->sas_ss_size, &__uss->ss_size); \
++} while (0);
++
+ #ifdef CONFIG_PROC_FS
+ struct seq_file;
+ extern void render_sigset_t(struct seq_file *, const char *, sigset_t *);
+diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h
+index 1e88377..3e541e6 100644
+--- a/include/linux/usb/hcd.h
++++ b/include/linux/usb/hcd.h
+@@ -411,7 +411,7 @@ extern int usb_hcd_pci_probe(struct pci_dev *dev,
+ extern void usb_hcd_pci_remove(struct pci_dev *dev);
+ extern void usb_hcd_pci_shutdown(struct pci_dev *dev);
+
+-#ifdef CONFIG_PM_SLEEP
++#ifdef CONFIG_PM
+ extern const struct dev_pm_ops usb_hcd_pci_pm_ops;
+ #endif
+ #endif /* CONFIG_PCI */
+diff --git a/ipc/msg.c b/ipc/msg.c
+index 9f29d9e..b65fdf1 100644
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -680,16 +680,18 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
+ goto out_unlock1;
+ }
+
++ ipc_lock_object(&msq->q_perm);
++
+ for (;;) {
+ struct msg_sender s;
+
+ err = -EACCES;
+ if (ipcperms(ns, &msq->q_perm, S_IWUGO))
+- goto out_unlock1;
++ goto out_unlock0;
+
+ err = security_msg_queue_msgsnd(msq, msg, msgflg);
+ if (err)
+- goto out_unlock1;
++ goto out_unlock0;
+
+ if (msgsz + msq->q_cbytes <= msq->q_qbytes &&
+ 1 + msq->q_qnum <= msq->q_qbytes) {
+@@ -699,10 +701,9 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
+ /* queue full, wait: */
+ if (msgflg & IPC_NOWAIT) {
+ err = -EAGAIN;
+- goto out_unlock1;
++ goto out_unlock0;
+ }
+
+- ipc_lock_object(&msq->q_perm);
+ ss_add(msq, &s);
+
+ if (!ipc_rcu_getref(msq)) {
+@@ -730,10 +731,7 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
+ goto out_unlock0;
+ }
+
+- ipc_unlock_object(&msq->q_perm);
+ }
+-
+- ipc_lock_object(&msq->q_perm);
+ msq->q_lspid = task_tgid_vnr(current);
+ msq->q_stime = get_seconds();
+
+diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
+index f356974..ad8e1bd 100644
+--- a/kernel/events/uprobes.c
++++ b/kernel/events/uprobes.c
+@@ -1682,12 +1682,10 @@ static bool handle_trampoline(struct pt_regs *regs)
+ tmp = ri;
+ ri = ri->next;
+ kfree(tmp);
++ utask->depth--;
+
+ if (!chained)
+ break;
+-
+- utask->depth--;
+-
+ BUG_ON(!ri);
+ }
+
+diff --git a/kernel/fork.c b/kernel/fork.c
+index bf46287..200a7a2 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1173,10 +1173,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+ return ERR_PTR(-EINVAL);
+
+ /*
+- * If the new process will be in a different pid namespace
+- * don't allow the creation of threads.
++ * If the new process will be in a different pid namespace don't
++ * allow it to share a thread group or signal handlers with the
++ * forking task.
+ */
+- if ((clone_flags & (CLONE_VM|CLONE_NEWPID)) &&
++ if ((clone_flags & (CLONE_SIGHAND | CLONE_NEWPID)) &&
+ (task_active_pid_ns(current) !=
+ current->nsproxy->pid_ns_for_children))
+ return ERR_PTR(-EINVAL);
+diff --git a/kernel/pid.c b/kernel/pid.c
+index 66505c1..ebe5e80 100644
+--- a/kernel/pid.c
++++ b/kernel/pid.c
+@@ -265,6 +265,7 @@ void free_pid(struct pid *pid)
+ struct pid_namespace *ns = upid->ns;
+ hlist_del_rcu(&upid->pid_chain);
+ switch(--ns->nr_hashed) {
++ case 2:
+ case 1:
+ /* When all that is left in the pid namespace
+ * is the reaper wake up the reaper. The reaper
+diff --git a/mm/huge_memory.c b/mm/huge_memory.c
+index a92012a..f2820fb 100644
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -2296,6 +2296,8 @@ static void collapse_huge_page(struct mm_struct *mm,
+ goto out;
+
+ vma = find_vma(mm, address);
++ if (!vma)
++ goto out;
+ hstart = (vma->vm_start + ~HPAGE_PMD_MASK) & HPAGE_PMD_MASK;
+ hend = vma->vm_end & HPAGE_PMD_MASK;
+ if (address < hstart || address + HPAGE_PMD_SIZE > hend)
+diff --git a/mm/memcontrol.c b/mm/memcontrol.c
+index 0878ff7..aa44621 100644
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -5616,7 +5616,13 @@ static int compare_thresholds(const void *a, const void *b)
+ const struct mem_cgroup_threshold *_a = a;
+ const struct mem_cgroup_threshold *_b = b;
+
+- return _a->threshold - _b->threshold;
++ if (_a->threshold > _b->threshold)
++ return 1;
++
++ if (_a->threshold < _b->threshold)
++ return -1;
++
++ return 0;
+ }
+
+ static int mem_cgroup_oom_notify_cb(struct mem_cgroup *memcg)
+diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
+index dd47889..dbc0a73 100644
+--- a/net/ceph/osd_client.c
++++ b/net/ceph/osd_client.c
+@@ -2129,6 +2129,8 @@ int ceph_osdc_start_request(struct ceph_osd_client *osdc,
+ dout("osdc_start_request failed map, "
+ " will retry %lld\n", req->r_tid);
+ rc = 0;
++ } else {
++ __unregister_request(osdc, req);
+ }
+ goto out_unlock;
+ }
+diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
+index 603ddd9..dbd9a47 100644
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -1129,7 +1129,7 @@ static int *calc_pg_raw(struct ceph_osdmap *osdmap, struct ceph_pg pgid,
+
+ /* pg_temp? */
+ pgid.seed = ceph_stable_mod(pgid.seed, pool->pg_num,
+- pool->pgp_num_mask);
++ pool->pg_num_mask);
+ pg = __lookup_pg_mapping(&osdmap->pg_temp, pgid);
+ if (pg) {
+ *num = pg->len;
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index cc9e02d..7a98d52 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -2851,14 +2851,6 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
+ ieee80211_rx_bss_put(local, bss);
+ sdata->vif.bss_conf.beacon_rate = bss->beacon_rate;
+ }
+-
+- if (!sdata->u.mgd.associated ||
+- !ether_addr_equal(mgmt->bssid, sdata->u.mgd.associated->bssid))
+- return;
+-
+- ieee80211_sta_process_chanswitch(sdata, rx_status->mactime,
+- elems, true);
+-
+ }
+
+
+@@ -3147,6 +3139,9 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
+
+ ieee80211_rx_bss_info(sdata, mgmt, len, rx_status, &elems);
+
++ ieee80211_sta_process_chanswitch(sdata, rx_status->mactime,
++ &elems, true);
++
+ if (ieee80211_sta_wmm_params(local, sdata, elems.wmm_param,
+ elems.wmm_param_len))
+ changed |= BSS_CHANGED_QOS;
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 8860dd5..9552da2 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -3376,6 +3376,7 @@ static struct snd_pci_quirk msi_black_list[] = {
+ SND_PCI_QUIRK(0x1043, 0x81f2, "ASUS", 0), /* Athlon64 X2 + nvidia */
+ SND_PCI_QUIRK(0x1043, 0x81f6, "ASUS", 0), /* nvidia */
+ SND_PCI_QUIRK(0x1043, 0x822d, "ASUS", 0), /* Athlon64 X2 + nvidia MCP55 */
++ SND_PCI_QUIRK(0x1179, 0xfb44, "Toshiba Satellite C870", 0), /* AMD Hudson */
+ SND_PCI_QUIRK(0x1849, 0x0888, "ASRock", 0), /* Athlon64 X2 + nvidia */
+ SND_PCI_QUIRK(0xa0a0, 0x0575, "Aopen MZ915-M", 0), /* ICH6 */
+ {}
+diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
+index 9f35862..45850f6 100644
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -67,6 +67,8 @@ struct hdmi_spec_per_pin {
+ struct delayed_work work;
+ struct snd_kcontrol *eld_ctl;
+ int repoll_count;
++ bool setup; /* the stream has been set up by prepare callback */
++ int channels; /* current number of channels */
+ bool non_pcm;
+ bool chmap_set; /* channel-map override by ALSA API? */
+ unsigned char chmap[8]; /* ALSA API channel-map */
+@@ -551,6 +553,17 @@ static int hdmi_channel_allocation(struct hdmi_eld *eld, int channels)
+ }
+ }
+
++ if (!ca) {
++ /* if there was no match, select the regular ALSA channel
++ * allocation with the matching number of channels */
++ for (i = 0; i < ARRAY_SIZE(channel_allocations); i++) {
++ if (channels == channel_allocations[i].channels) {
++ ca = channel_allocations[i].ca_index;
++ break;
++ }
++ }
++ }
++
+ snd_print_channel_allocation(eld->info.spk_alloc, buf, sizeof(buf));
+ snd_printdd("HDMI: select CA 0x%x for %d-channel allocation: %s\n",
+ ca, channels, buf);
+@@ -868,18 +881,19 @@ static bool hdmi_infoframe_uptodate(struct hda_codec *codec, hda_nid_t pin_nid,
+ return true;
+ }
+
+-static void hdmi_setup_audio_infoframe(struct hda_codec *codec, int pin_idx,
+- bool non_pcm,
+- struct snd_pcm_substream *substream)
++static void hdmi_setup_audio_infoframe(struct hda_codec *codec,
++ struct hdmi_spec_per_pin *per_pin,
++ bool non_pcm)
+ {
+- struct hdmi_spec *spec = codec->spec;
+- struct hdmi_spec_per_pin *per_pin = get_pin(spec, pin_idx);
+ hda_nid_t pin_nid = per_pin->pin_nid;
+- int channels = substream->runtime->channels;
++ int channels = per_pin->channels;
+ struct hdmi_eld *eld;
+ int ca;
+ union audio_infoframe ai;
+
++ if (!channels)
++ return;
++
+ eld = &per_pin->sink_eld;
+ if (!eld->monitor_present)
+ return;
+@@ -1329,6 +1343,7 @@ static void hdmi_present_sense(struct hdmi_spec_per_pin *per_pin, int repoll)
+ eld_changed = true;
+ }
+ if (update_eld) {
++ bool old_eld_valid = pin_eld->eld_valid;
+ pin_eld->eld_valid = eld->eld_valid;
+ eld_changed = pin_eld->eld_size != eld->eld_size ||
+ memcmp(pin_eld->eld_buffer, eld->eld_buffer,
+@@ -1338,6 +1353,18 @@ static void hdmi_present_sense(struct hdmi_spec_per_pin *per_pin, int repoll)
+ eld->eld_size);
+ pin_eld->eld_size = eld->eld_size;
+ pin_eld->info = eld->info;
++
++ /* Haswell-specific workaround: re-setup when the transcoder is
++ * changed during the stream playback
++ */
++ if (codec->vendor_id == 0x80862807 &&
++ eld->eld_valid && !old_eld_valid && per_pin->setup) {
++ snd_hda_codec_write(codec, pin_nid, 0,
++ AC_VERB_SET_AMP_GAIN_MUTE,
++ AMP_OUT_UNMUTE);
++ hdmi_setup_audio_infoframe(codec, per_pin,
++ per_pin->non_pcm);
++ }
+ }
+ mutex_unlock(&pin_eld->lock);
+
+@@ -1510,14 +1537,17 @@ static int generic_hdmi_playback_pcm_prepare(struct hda_pcm_stream *hinfo,
+ hda_nid_t cvt_nid = hinfo->nid;
+ struct hdmi_spec *spec = codec->spec;
+ int pin_idx = hinfo_to_pin_index(spec, hinfo);
+- hda_nid_t pin_nid = get_pin(spec, pin_idx)->pin_nid;
++ struct hdmi_spec_per_pin *per_pin = get_pin(spec, pin_idx);
++ hda_nid_t pin_nid = per_pin->pin_nid;
+ bool non_pcm;
+
+ non_pcm = check_non_pcm_per_cvt(codec, cvt_nid);
++ per_pin->channels = substream->runtime->channels;
++ per_pin->setup = true;
+
+ hdmi_set_channel_count(codec, cvt_nid, substream->runtime->channels);
+
+- hdmi_setup_audio_infoframe(codec, pin_idx, non_pcm, substream);
++ hdmi_setup_audio_infoframe(codec, per_pin, non_pcm);
+
+ return hdmi_setup_stream(codec, cvt_nid, pin_nid, stream_tag, format);
+ }
+@@ -1557,6 +1587,9 @@ static int hdmi_pcm_close(struct hda_pcm_stream *hinfo,
+ snd_hda_spdif_ctls_unassign(codec, pin_idx);
+ per_pin->chmap_set = false;
+ memset(per_pin->chmap, 0, sizeof(per_pin->chmap));
++
++ per_pin->setup = false;
++ per_pin->channels = 0;
+ }
+
+ return 0;
+@@ -1692,8 +1725,7 @@ static int hdmi_chmap_ctl_put(struct snd_kcontrol *kcontrol,
+ per_pin->chmap_set = true;
+ memcpy(per_pin->chmap, chmap, sizeof(chmap));
+ if (prepared)
+- hdmi_setup_audio_infoframe(codec, pin_idx, per_pin->non_pcm,
+- substream);
++ hdmi_setup_audio_infoframe(codec, per_pin, per_pin->non_pcm);
+
+ return 0;
+ }
+diff --git a/sound/soc/codecs/mc13783.c b/sound/soc/codecs/mc13783.c
+index 5402dfb..8a8d936 100644
+--- a/sound/soc/codecs/mc13783.c
++++ b/sound/soc/codecs/mc13783.c
+@@ -126,6 +126,10 @@ static int mc13783_write(struct snd_soc_codec *codec,
+
+ ret = mc13xxx_reg_write(priv->mc13xxx, reg, value);
+
++ /* include errata fix for spi audio problems */
++ if (reg == MC13783_AUDIO_CODEC || reg == MC13783_AUDIO_DAC)
++ ret = mc13xxx_reg_write(priv->mc13xxx, reg, value);
++
+ mc13xxx_unlock(priv->mc13xxx);
+
+ return ret;
+diff --git a/sound/soc/codecs/wm8960.c b/sound/soc/codecs/wm8960.c
+index 0a4ffdd..5e5af89 100644
+--- a/sound/soc/codecs/wm8960.c
++++ b/sound/soc/codecs/wm8960.c
+@@ -857,9 +857,9 @@ static int wm8960_set_dai_pll(struct snd_soc_dai *codec_dai, int pll_id,
+ if (pll_div.k) {
+ reg |= 0x20;
+
+- snd_soc_write(codec, WM8960_PLL2, (pll_div.k >> 18) & 0x3f);
+- snd_soc_write(codec, WM8960_PLL3, (pll_div.k >> 9) & 0x1ff);
+- snd_soc_write(codec, WM8960_PLL4, pll_div.k & 0x1ff);
++ snd_soc_write(codec, WM8960_PLL2, (pll_div.k >> 16) & 0xff);
++ snd_soc_write(codec, WM8960_PLL3, (pll_div.k >> 8) & 0xff);
++ snd_soc_write(codec, WM8960_PLL4, pll_div.k & 0xff);
+ }
+ snd_soc_write(codec, WM8960_PLL1, reg);
+
diff --git a/3.11.1/4420_grsecurity-2.9.1-3.11.1-201309221838.patch b/3.11.2/4420_grsecurity-2.9.1-3.11.2-201309281103.patch
similarity index 99%
rename from 3.11.1/4420_grsecurity-2.9.1-3.11.1-201309221838.patch
rename to 3.11.2/4420_grsecurity-2.9.1-3.11.2-201309281103.patch
index f7acb39..3abf324 100644
--- a/3.11.1/4420_grsecurity-2.9.1-3.11.1-201309221838.patch
+++ b/3.11.2/4420_grsecurity-2.9.1-3.11.2-201309281103.patch
@@ -281,7 +281,7 @@ index 7f9d4f5..6d1afd6 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index efd2396..682975d 100644
+index aede319..6bf55a4 100644
--- a/Makefile
+++ b/Makefile
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -2745,10 +2745,10 @@ index 2c7cc1e..ab2e911 100644
mcr p15, 0, r4, c2, c0, 0 @ load page table pointer
#endif
diff --git a/arch/arm/kernel/module.c b/arch/arm/kernel/module.c
-index 85c3fb6..b3068b1 100644
+index 85c3fb6..054c2dc 100644
--- a/arch/arm/kernel/module.c
+++ b/arch/arm/kernel/module.c
-@@ -37,12 +37,37 @@
+@@ -37,12 +37,39 @@
#endif
#ifdef CONFIG_MMU
@@ -2779,11 +2779,13 @@ index 85c3fb6..b3068b1 100644
+{
+ module_free(mod, module_region);
+}
++EXPORT_SYMBOL(module_free_exec);
+
+void *module_alloc_exec(unsigned long size)
+{
+ return __module_alloc(size, PAGE_KERNEL_EXEC);
+}
++EXPORT_SYMBOL(module_alloc_exec);
+#endif
#endif
@@ -3128,7 +3130,7 @@ index ab517fc..9adf2fa 100644
/*
* on V7-M there is no need to copy the vector table to a dedicated
diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S
-index 7bcee5c..64c9c5f 100644
+index 7bcee5c..e2f3249 100644
--- a/arch/arm/kernel/vmlinux.lds.S
+++ b/arch/arm/kernel/vmlinux.lds.S
@@ -8,7 +8,11 @@
@@ -3144,6 +3146,15 @@ index 7bcee5c..64c9c5f 100644
#define PROC_INFO \
. = ALIGN(4); \
VMLINUX_SYMBOL(__proc_info_begin) = .; \
+@@ -34,7 +38,7 @@
+ #endif
+
+ #if (defined(CONFIG_SMP_ON_UP) && !defined(CONFIG_DEBUG_SPINLOCK)) || \
+- defined(CONFIG_GENERIC_BUG)
++ defined(CONFIG_GENERIC_BUG) || defined(CONFIG_PAX_REFCOUNT)
+ #define ARM_EXIT_KEEP(x) x
+ #define ARM_EXIT_DISCARD(x)
+ #else
@@ -90,6 +94,11 @@ SECTIONS
_text = .;
HEAD_TEXT
@@ -13233,7 +13244,7 @@ index bae3aba..c1788c1 100644
set_fs(KERNEL_DS);
has_dumped = 1;
diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
-index bccfca6..a312009 100644
+index 665a730..8e7a67a 100644
--- a/arch/x86/ia32/ia32_signal.c
+++ b/arch/x86/ia32/ia32_signal.c
@@ -338,7 +338,7 @@ static void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs,
@@ -13263,12 +13274,7 @@ index bccfca6..a312009 100644
};
frame = get_sigframe(ksig, regs, sizeof(*frame), &fpstate);
-@@ -457,20 +457,22 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig,
- else
- put_user_ex(0, &frame->uc.uc_flags);
- put_user_ex(0, &frame->uc.uc_link);
-- err |= __compat_save_altstack(&frame->uc.uc_stack, regs->sp);
-+ __compat_save_altstack_ex(&frame->uc.uc_stack, regs->sp);
+@@ -461,16 +461,18 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig,
if (ksig->ka.sa.sa_flags & SA_RESTORER)
restorer = ksig->ka.sa.sa_restorer;
@@ -14738,7 +14744,7 @@ index 9863ee3..4a1f8e1 100644
return _PAGE_CACHE_WC;
else if (pg_flags == _PGMT_UC_MINUS)
diff --git a/arch/x86/include/asm/checksum_32.h b/arch/x86/include/asm/checksum_32.h
-index 46fc474..b02b0f9 100644
+index f50de69..2b0a458 100644
--- a/arch/x86/include/asm/checksum_32.h
+++ b/arch/x86/include/asm/checksum_32.h
@@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_generic(const void *src, void *dst,
@@ -14756,24 +14762,24 @@ index 46fc474..b02b0f9 100644
/*
* Note: when you get a NULL pointer exception here this means someone
* passed in an incorrect kernel address to one of these functions.
-@@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_from_user(const void __user *src,
- int *err_ptr)
- {
- might_sleep();
-- return csum_partial_copy_generic((__force void *)src, dst,
-+ return csum_partial_copy_generic_from_user((__force void *)src, dst,
- len, sum, err_ptr, NULL);
- }
+@@ -53,7 +61,7 @@ static inline __wsum csum_partial_copy_from_user(const void __user *src,
-@@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_user(const void *src,
- {
might_sleep();
- if (access_ok(VERIFY_WRITE, dst, len))
-- return csum_partial_copy_generic(src, (__force void *)dst,
-+ return csum_partial_copy_generic_to_user(src, (__force void *)dst,
- len, sum, NULL, err_ptr);
+ stac();
+- ret = csum_partial_copy_generic((__force void *)src, dst,
++ ret = csum_partial_copy_generic_from_user((__force void *)src, dst,
+ len, sum, err_ptr, NULL);
+ clac();
- if (len)
+@@ -187,7 +195,7 @@ static inline __wsum csum_and_copy_to_user(const void *src,
+ might_sleep();
+ if (access_ok(VERIFY_WRITE, dst, len)) {
+ stac();
+- ret = csum_partial_copy_generic(src, (__force void *)dst,
++ ret = csum_partial_copy_generic_to_user(src, (__force void *)dst,
+ len, sum, NULL, err_ptr);
+ clac();
+ return ret;
diff --git a/arch/x86/include/asm/cmpxchg.h b/arch/x86/include/asm/cmpxchg.h
index d47786a..ce1b05d 100644
--- a/arch/x86/include/asm/cmpxchg.h
@@ -15760,7 +15766,7 @@ index 5f55e69..e20bfb1 100644
#ifdef CONFIG_SMP
diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
-index cdbf367..ce8f82b 100644
+index be12c53..2124e35 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -24,6 +24,20 @@ void destroy_context(struct mm_struct *mm);
@@ -15838,13 +15844,12 @@ index cdbf367..ce8f82b 100644
load_cr3(next->pgd);
+#endif
- /* stop flush ipis for the previous mm */
+ /* Stop flush ipis for the previous mm */
cpumask_clear_cpu(cpu, mm_cpumask(prev));
-@@ -53,9 +106,63 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
- */
+@@ -51,9 +104,63 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+ /* Load the LDT, if the LDT is different: */
if (unlikely(prev->context.ldt != next->context.ldt))
load_LDT_nolock(&next->context);
-- }
+
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
+ if (!(__supported_pte_mask & _PAGE_NX)) {
@@ -15859,14 +15864,14 @@ index cdbf367..ce8f82b 100644
+ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
+ prev->context.user_cs_limit != next->context.user_cs_limit))
+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
- #ifdef CONFIG_SMP
++#ifdef CONFIG_SMP
+ else if (unlikely(tlbstate != TLBSTATE_OK))
+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
+#endif
+#endif
+
-+ }
- else {
+ }
++ else {
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
+ pax_open_kernel();
@@ -15901,11 +15906,12 @@ index cdbf367..ce8f82b 100644
+ load_cr3(get_cpu_pgd(cpu, kernel));
+#endif
+
-+#ifdef CONFIG_SMP
+ #ifdef CONFIG_SMP
+- else {
this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next);
-@@ -64,11 +171,28 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+@@ -70,11 +177,28 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
* tlb flush IPI delivery. We must reload CR3
* to make sure to use no freed page tables.
*/
@@ -25235,7 +25241,7 @@ index 5cdff03..80fa283 100644
* Up to this point, the boot CPU has been using .init.data
* area. Reload any changed state for the boot CPU.
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
-index cf91358..a7081ea 100644
+index d859eea..44e17c4 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -190,7 +190,7 @@ static unsigned long align_sigframe(unsigned long sp)
@@ -25268,12 +25274,8 @@ index cf91358..a7081ea 100644
if (err)
return -EFAULT;
-@@ -358,10 +358,13 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
- else
- put_user_ex(0, &frame->uc.uc_flags);
- put_user_ex(0, &frame->uc.uc_link);
-- err |= __save_altstack(&frame->uc.uc_stack, regs->sp);
-+ __save_altstack_ex(&frame->uc.uc_stack, regs->sp);
+@@ -361,7 +361,10 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
+ save_altstack_ex(&frame->uc.uc_stack, regs->sp);
/* Set up to return from userspace. */
- restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
@@ -25293,15 +25295,6 @@ index cf91358..a7081ea 100644
} put_user_catch(err);
err |= copy_siginfo_to_user(&frame->info, &ksig->info);
-@@ -423,7 +426,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
- else
- put_user_ex(0, &frame->uc.uc_flags);
- put_user_ex(0, &frame->uc.uc_link);
-- err |= __save_altstack(&frame->uc.uc_stack, regs->sp);
-+ __save_altstack_ex(&frame->uc.uc_stack, regs->sp);
-
- /* Set up to return from userspace. If provided, use a stub
- already in userspace. */
@@ -609,7 +612,12 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs)
{
int usig = signr_convert(ksig->sig);
@@ -27941,38 +27934,37 @@ index 2419d5f..953ee51 100644
CFI_RESTORE_STATE
diff --git a/arch/x86/lib/csum-wrappers_64.c b/arch/x86/lib/csum-wrappers_64.c
-index 25b7ae8..c40113e 100644
+index 7609e0e..b449b98 100644
--- a/arch/x86/lib/csum-wrappers_64.c
+++ b/arch/x86/lib/csum-wrappers_64.c
-@@ -52,8 +52,12 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
+@@ -53,10 +53,12 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
len -= 2;
}
}
-- isum = csum_partial_copy_generic((__force const void *)src,
+ pax_open_userland();
-+ stac();
+ stac();
+- isum = csum_partial_copy_generic((__force const void *)src,
+ isum = csum_partial_copy_generic((const void __force_kernel *)____m(src),
dst, len, isum, errp, NULL);
-+ clac();
+ clac();
+ pax_close_userland();
if (unlikely(*errp))
goto out_err;
-@@ -105,8 +109,13 @@ csum_partial_copy_to_user(const void *src, void __user *dst,
+@@ -110,10 +112,12 @@ csum_partial_copy_to_user(const void *src, void __user *dst,
}
*errp = 0;
-- return csum_partial_copy_generic(src, (void __force *)dst,
+ pax_open_userland();
-+ stac();
-+ isum = csum_partial_copy_generic(src, (void __force_kernel *)____m(dst),
- len, isum, NULL, errp);
-+ clac();
+ stac();
+- ret = csum_partial_copy_generic(src, (void __force *)dst,
++ ret = csum_partial_copy_generic(src, (void __force_kernel *)____m(dst),
+ len, isum, NULL, errp);
+ clac();
+ pax_close_userland();
-+ return isum;
+ return ret;
}
EXPORT_SYMBOL(csum_partial_copy_to_user);
-
diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S
index a451235..1daa956 100644
--- a/arch/x86/lib/getuser.S
@@ -34319,7 +34311,7 @@ index 290792a..416f287 100644
spin_lock_init(&blkcg->lock);
INIT_RADIX_TREE(&blkcg->blkg_tree, GFP_ATOMIC);
diff --git a/block/blk-iopoll.c b/block/blk-iopoll.c
-index 4b8d9b54..ff76220 100644
+index 4b8d9b54..a7178c0 100644
--- a/block/blk-iopoll.c
+++ b/block/blk-iopoll.c
@@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopoll *iopoll)
@@ -34327,7 +34319,7 @@ index 4b8d9b54..ff76220 100644
EXPORT_SYMBOL(blk_iopoll_complete);
-static void blk_iopoll_softirq(struct softirq_action *h)
-+static void blk_iopoll_softirq(void)
++static __latent_entropy void blk_iopoll_softirq(void)
{
struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
int rearm = 0, budget = blk_iopoll_budget;
@@ -34345,7 +34337,7 @@ index 623e1cd..ca1e109 100644
bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
else
diff --git a/block/blk-softirq.c b/block/blk-softirq.c
-index ec9e606..2244d4e 100644
+index ec9e606..3f38839 100644
--- a/block/blk-softirq.c
+++ b/block/blk-softirq.c
@@ -18,7 +18,7 @@ static DEFINE_PER_CPU(struct list_head, blk_cpu_done);
@@ -34353,7 +34345,7 @@ index ec9e606..2244d4e 100644
* while passing them to the queue registered handler.
*/
-static void blk_done_softirq(struct softirq_action *h)
-+static void blk_done_softirq(void)
++static __latent_entropy void blk_done_softirq(void)
{
struct list_head *cpu_list, local_list;
@@ -34513,32 +34505,6 @@ index a5ffcc9..3cedc9c 100644
if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
goto error;
-diff --git a/crypto/api.c b/crypto/api.c
-index 3b61803..37c4c72 100644
---- a/crypto/api.c
-+++ b/crypto/api.c
-@@ -34,6 +34,8 @@ EXPORT_SYMBOL_GPL(crypto_alg_sem);
- BLOCKING_NOTIFIER_HEAD(crypto_chain);
- EXPORT_SYMBOL_GPL(crypto_chain);
-
-+static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg);
-+
- struct crypto_alg *crypto_mod_get(struct crypto_alg *alg)
- {
- return try_module_get(alg->cra_module) ? crypto_alg_get(alg) : NULL;
-@@ -144,8 +146,11 @@ static struct crypto_alg *crypto_larval_add(const char *name, u32 type,
- }
- up_write(&crypto_alg_sem);
-
-- if (alg != &larval->alg)
-+ if (alg != &larval->alg) {
- kfree(larval);
-+ if (crypto_is_larval(alg))
-+ alg = crypto_larval_wait(alg);
-+ }
-
- return alg;
- }
diff --git a/crypto/cryptd.c b/crypto/cryptd.c
index 7bdd61b..afec999 100644
--- a/crypto/cryptd.c
@@ -35969,19 +35935,18 @@ index e8d11b6..7b1b36f 100644
}
EXPORT_SYMBOL_GPL(unregister_syscore_ops);
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
-index 62b6c2c..4a11354 100644
+index 62b6c2c..002d10f 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
-@@ -1189,6 +1189,8 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
+@@ -1189,6 +1189,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
int err;
u32 cp;
+ memset(&arg64, 0, sizeof(arg64));
-+
err = 0;
err |=
copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
-@@ -3010,7 +3012,7 @@ static void start_io(ctlr_info_t *h)
+@@ -3010,7 +3011,7 @@ static void start_io(ctlr_info_t *h)
while (!list_empty(&h->reqQ)) {
c = list_entry(h->reqQ.next, CommandList_struct, list);
/* can't do anything if fifo is full */
@@ -35990,7 +35955,7 @@ index 62b6c2c..4a11354 100644
dev_warn(&h->pdev->dev, "fifo full\n");
break;
}
-@@ -3020,7 +3022,7 @@ static void start_io(ctlr_info_t *h)
+@@ -3020,7 +3021,7 @@ static void start_io(ctlr_info_t *h)
h->Qdepth--;
/* Tell the controller execute command */
@@ -35999,7 +35964,7 @@ index 62b6c2c..4a11354 100644
/* Put job onto the completed Q */
addQ(&h->cmpQ, c);
-@@ -3446,17 +3448,17 @@ startio:
+@@ -3446,17 +3447,17 @@ startio:
static inline unsigned long get_next_completion(ctlr_info_t *h)
{
@@ -36020,7 +35985,7 @@ index 62b6c2c..4a11354 100644
(h->interrupts_enabled == 0));
}
-@@ -3489,7 +3491,7 @@ static inline u32 next_command(ctlr_info_t *h)
+@@ -3489,7 +3490,7 @@ static inline u32 next_command(ctlr_info_t *h)
u32 a;
if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
@@ -36029,7 +35994,7 @@ index 62b6c2c..4a11354 100644
if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
a = *(h->reply_pool_head); /* Next cmd in ring buffer */
-@@ -4046,7 +4048,7 @@ static void cciss_put_controller_into_performant_mode(ctlr_info_t *h)
+@@ -4046,7 +4047,7 @@ static void cciss_put_controller_into_performant_mode(ctlr_info_t *h)
trans_support & CFGTBL_Trans_use_short_tags);
/* Change the access methods to the performant access methods */
@@ -36038,7 +36003,7 @@ index 62b6c2c..4a11354 100644
h->transMethod = CFGTBL_Trans_Performant;
return;
-@@ -4319,7 +4321,7 @@ static int cciss_pci_init(ctlr_info_t *h)
+@@ -4319,7 +4320,7 @@ static int cciss_pci_init(ctlr_info_t *h)
if (prod_index < 0)
return -ENODEV;
h->product_name = products[prod_index].product_name;
@@ -36047,7 +36012,7 @@ index 62b6c2c..4a11354 100644
if (cciss_board_disabled(h)) {
dev_warn(&h->pdev->dev, "controller appears to be disabled\n");
-@@ -5051,7 +5053,7 @@ reinit_after_soft_reset:
+@@ -5051,7 +5052,7 @@ reinit_after_soft_reset:
}
/* make sure the board interrupts are off */
@@ -36056,7 +36021,7 @@ index 62b6c2c..4a11354 100644
rc = cciss_request_irq(h, do_cciss_msix_intr, do_cciss_intx);
if (rc)
goto clean2;
-@@ -5101,7 +5103,7 @@ reinit_after_soft_reset:
+@@ -5101,7 +5102,7 @@ reinit_after_soft_reset:
* fake ones to scoop up any residual completions.
*/
spin_lock_irqsave(&h->lock, flags);
@@ -36065,7 +36030,7 @@ index 62b6c2c..4a11354 100644
spin_unlock_irqrestore(&h->lock, flags);
free_irq(h->intr[h->intr_mode], h);
rc = cciss_request_irq(h, cciss_msix_discard_completions,
-@@ -5121,9 +5123,9 @@ reinit_after_soft_reset:
+@@ -5121,9 +5122,9 @@ reinit_after_soft_reset:
dev_info(&h->pdev->dev, "Board READY.\n");
dev_info(&h->pdev->dev,
"Waiting for stale completions to drain.\n");
@@ -36077,7 +36042,7 @@ index 62b6c2c..4a11354 100644
rc = controller_reset_failed(h->cfgtable);
if (rc)
-@@ -5146,7 +5148,7 @@ reinit_after_soft_reset:
+@@ -5146,7 +5147,7 @@ reinit_after_soft_reset:
cciss_scsi_setup(h);
/* Turn the interrupts on so we can service requests */
@@ -36086,7 +36051,7 @@ index 62b6c2c..4a11354 100644
/* Get the firmware version */
inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL);
-@@ -5218,7 +5220,7 @@ static void cciss_shutdown(struct pci_dev *pdev)
+@@ -5218,7 +5219,7 @@ static void cciss_shutdown(struct pci_dev *pdev)
kfree(flush_buf);
if (return_code != IO_OK)
dev_warn(&h->pdev->dev, "Error flushing cache\n");
@@ -38551,10 +38516,10 @@ index 3d92a7c..9a9cfd7 100644
iir = I915_READ(IIR);
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index be79f47..95e150b 100644
+index ca40d1b..6baacfd 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
-@@ -9418,13 +9418,13 @@ struct intel_quirk {
+@@ -9431,13 +9431,13 @@ struct intel_quirk {
int subsystem_vendor;
int subsystem_device;
void (*hook)(struct drm_device *dev);
@@ -38570,7 +38535,7 @@ index be79f47..95e150b 100644
static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
{
-@@ -9432,18 +9432,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
+@@ -9445,18 +9445,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
return 1;
}
@@ -39427,41 +39392,10 @@ index 5360e5a..c2c0d26 100644
err = drm_debugfs_create_files(dc->debugfs_files,
ARRAY_SIZE(debugfs_files),
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index 36668d1..9f4ccb0 100644
+index 5956445..1d30d7e 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
-@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
- struct hid_report_enum *report_enum = device->report_enum + type;
- struct hid_report *report;
-
-+ if (id >= HID_MAX_IDS)
-+ return NULL;
- if (report_enum->report_id_hash[id])
- return report_enum->report_id_hash[id];
-
-@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
-
- case HID_GLOBAL_ITEM_TAG_REPORT_ID:
- parser->global.report_id = item_udata(item);
-- if (parser->global.report_id == 0) {
-- hid_err(parser->device, "report_id 0 is invalid\n");
-+ if (parser->global.report_id == 0 ||
-+ parser->global.report_id >= HID_MAX_IDS) {
-+ hid_err(parser->device, "report_id %u is invalid\n",
-+ parser->global.report_id);
- return -1;
- }
- return 0;
-@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
- for (i = 0; i < HID_REPORT_TYPES; i++) {
- struct hid_report_enum *report_enum = device->report_enum + i;
-
-- for (j = 0; j < 256; j++) {
-+ for (j = 0; j < HID_MAX_IDS; j++) {
- struct hid_report *report = report_enum->report_id_hash[j];
- if (report)
- hid_free_report(report);
-@@ -755,6 +759,56 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size)
+@@ -759,6 +759,56 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size)
}
EXPORT_SYMBOL_GPL(hid_parse_report);
@@ -39518,21 +39452,7 @@ index 36668d1..9f4ccb0 100644
/**
* hid_open_report - open a driver-specific device report
*
-@@ -1152,7 +1206,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
-
- int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
- {
-- unsigned size = field->report_size;
-+ unsigned size;
-+
-+ if (!field)
-+ return -1;
-+
-+ size = field->report_size;
-
- hid_dump_input(field->report->device, field->usage + offset, value);
-
-@@ -2285,7 +2344,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
+@@ -2295,7 +2345,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
int hid_add_device(struct hid_device *hdev)
{
@@ -39541,7 +39461,7 @@ index 36668d1..9f4ccb0 100644
int ret;
if (WARN_ON(hdev->status & HID_STAT_ADDED))
-@@ -2319,7 +2378,7 @@ int hid_add_device(struct hid_device *hdev)
+@@ -2329,7 +2379,7 @@ int hid_add_device(struct hid_device *hdev)
/* XXX hack, any other cleaner solution after the driver core
* is converted to allow more than 20 bytes as the device name? */
dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
@@ -39815,68 +39735,6 @@ index cb0e361..2aa275e 100644
}
for (r = 0; r < report->maxfield; r++) {
-diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
-index ef95102..5482156 100644
---- a/drivers/hid/hid-ntrig.c
-+++ b/drivers/hid/hid-ntrig.c
-@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
- struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
- report_id_hash[0x0d];
-
-- if (!report)
-+ if (!report || report->maxfield < 1 ||
-+ report->field[0]->report_count < 1)
- return -EINVAL;
-
- hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
-diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
-index b48092d..72bba1e 100644
---- a/drivers/hid/hid-picolcd_core.c
-+++ b/drivers/hid/hid-picolcd_core.c
-@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
- buf += 10;
- cnt -= 10;
- }
-- if (!report)
-+ if (!report || report->maxfield < 1)
- return -EINVAL;
-
- while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
-diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
-index d29112f..2dcd7d9 100644
---- a/drivers/hid/hid-pl.c
-+++ b/drivers/hid/hid-pl.c
-@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
- strong = &report->field[0]->value[2];
- weak = &report->field[0]->value[3];
- debug("detected single-field device");
-- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
-- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
-+ } else if (report->field[0]->maxusage == 1 &&
-+ report->field[0]->usage[0].hid ==
-+ (HID_UP_LED | 0x43) &&
-+ report->maxfield >= 4 &&
-+ report->field[0]->report_count >= 1 &&
-+ report->field[1]->report_count >= 1 &&
-+ report->field[2]->report_count >= 1 &&
-+ report->field[3]->report_count >= 1) {
- report->field[0]->value[0] = 0x00;
- report->field[1]->value[0] = 0x00;
- strong = &report->field[2]->value[0];
-diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
-index ca749810..aa34755 100644
---- a/drivers/hid/hid-sensor-hub.c
-+++ b/drivers/hid/hid-sensor-hub.c
-@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
-
- mutex_lock(&data->mutex);
- report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
-- if (!report || (field_index >= report->maxfield)) {
-+ if (!report || (field_index >= report->maxfield) ||
-+ report->field[field_index]->report_count < 1) {
- ret = -EINVAL;
- goto done_proc;
- }
diff --git a/drivers/hid/hid-steelseries.c b/drivers/hid/hid-steelseries.c
index d164911..ef42e86 100644
--- a/drivers/hid/hid-steelseries.c
@@ -47364,10 +47222,10 @@ index f379c7f..e8fc69c 100644
transport_setup_device(&rport->dev);
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
-index 86fcf2c..26d8594 100644
+index 2783dd7..d20395b 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
-@@ -2938,7 +2938,7 @@ static int sd_probe(struct device *dev)
+@@ -2933,7 +2933,7 @@ static int sd_probe(struct device *dev)
sdkp->disk = gd;
sdkp->index = index;
atomic_set(&sdkp->openers, 0);
@@ -48853,10 +48711,10 @@ index d5cc3ac..3263411 100644
if (get_user(c, buf))
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
-index 366af83..6db51c3 100644
+index 20689b9..7fd3a31 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
-@@ -3467,7 +3467,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
+@@ -3468,7 +3468,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
void tty_default_fops(struct file_operations *fops)
{
@@ -49287,7 +49145,7 @@ index 014dc99..4d25fd7 100644
wake_up(&usb_kill_urb_queue);
usb_put_urb(urb);
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index 558313d..8cadfa5 100644
+index 17c3785..deffb11 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -27,6 +27,7 @@
@@ -49298,7 +49156,7 @@ index 558313d..8cadfa5 100644
#include <asm/uaccess.h>
#include <asm/byteorder.h>
-@@ -4426,6 +4427,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
+@@ -4421,6 +4422,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
goto done;
return;
}
@@ -49349,7 +49207,7 @@ index 7dad603..350f7a9 100644
INIT_LIST_HEAD(&dev->ep0.urb_list);
dev->ep0.desc.bLength = USB_DT_ENDPOINT_SIZE;
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
-index f77083f..f3e2e34 100644
+index 14d28d6..5f511ac 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -550,8 +550,6 @@ static int __dwc3_gadget_ep_enable(struct dwc3_ep *dep,
@@ -52541,7 +52399,7 @@ index 89dec7f..361b0d75 100644
fd_offset + ex.a_text);
if (error != N_DATADDR(ex)) {
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 100edcc..ed95731 100644
+index 100edcc..244db37 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -34,6 +34,7 @@
@@ -52695,7 +52553,22 @@ index 100edcc..ed95731 100644
error = -ENOMEM;
goto out_close;
}
-@@ -538,6 +567,315 @@ out:
+@@ -525,9 +554,11 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
+ elf_bss = ELF_PAGESTART(elf_bss + ELF_MIN_ALIGN - 1);
+
+ /* Map the last of the bss segment */
+- error = vm_brk(elf_bss, last_bss - elf_bss);
+- if (BAD_ADDR(error))
+- goto out_close;
++ if (last_bss > elf_bss) {
++ error = vm_brk(elf_bss, last_bss - elf_bss);
++ if (BAD_ADDR(error))
++ goto out_close;
++ }
+ }
+
+ error = load_addr;
+@@ -538,6 +569,315 @@ out:
return error;
}
@@ -53011,7 +52884,7 @@ index 100edcc..ed95731 100644
/*
* These are the functions used to load ELF style executables and shared
* libraries. There is no binary dependent code anywhere else.
-@@ -554,6 +892,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
+@@ -554,6 +894,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
{
unsigned int random_variable = 0;
@@ -53023,7 +52896,7 @@ index 100edcc..ed95731 100644
if ((current->flags & PF_RANDOMIZE) &&
!(current->personality & ADDR_NO_RANDOMIZE)) {
random_variable = get_random_int() & STACK_RND_MASK;
-@@ -572,7 +915,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -572,7 +917,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
unsigned long load_addr = 0, load_bias = 0;
int load_addr_set = 0;
char * elf_interpreter = NULL;
@@ -53032,7 +52905,7 @@ index 100edcc..ed95731 100644
struct elf_phdr *elf_ppnt, *elf_phdata;
unsigned long elf_bss, elf_brk;
int retval, i;
-@@ -582,12 +925,12 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -582,12 +927,12 @@ static int load_elf_binary(struct linux_binprm *bprm)
unsigned long start_code, end_code, start_data, end_data;
unsigned long reloc_func_desc __maybe_unused = 0;
int executable_stack = EXSTACK_DEFAULT;
@@ -53046,7 +52919,7 @@ index 100edcc..ed95731 100644
loc = kmalloc(sizeof(*loc), GFP_KERNEL);
if (!loc) {
-@@ -723,11 +1066,81 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -723,11 +1068,81 @@ static int load_elf_binary(struct linux_binprm *bprm)
goto out_free_dentry;
/* OK, This is the point of no return */
@@ -53129,7 +53002,7 @@ index 100edcc..ed95731 100644
if (elf_read_implies_exec(loc->elf_ex, executable_stack))
current->personality |= READ_IMPLIES_EXEC;
-@@ -817,6 +1230,20 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -817,6 +1232,20 @@ static int load_elf_binary(struct linux_binprm *bprm)
#else
load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
#endif
@@ -53150,7 +53023,7 @@ index 100edcc..ed95731 100644
}
error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
-@@ -849,9 +1276,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -849,9 +1278,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
* allowed task size. Note that p_filesz must always be
* <= p_memsz so it is only necessary to check p_memsz.
*/
@@ -53163,7 +53036,7 @@ index 100edcc..ed95731 100644
/* set_brk can never work. Avoid overflows. */
send_sig(SIGKILL, current, 0);
retval = -EINVAL;
-@@ -890,17 +1317,45 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -890,17 +1319,45 @@ static int load_elf_binary(struct linux_binprm *bprm)
goto out_free_dentry;
}
if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
@@ -53215,7 +53088,7 @@ index 100edcc..ed95731 100644
load_bias);
if (!IS_ERR((void *)elf_entry)) {
/*
-@@ -1122,7 +1577,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
+@@ -1122,7 +1579,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
* Decide what to dump of a segment, part, all or none.
*/
static unsigned long vma_dump_size(struct vm_area_struct *vma,
@@ -53224,7 +53097,7 @@ index 100edcc..ed95731 100644
{
#define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
-@@ -1160,7 +1615,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
+@@ -1160,7 +1617,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
if (vma->vm_file == NULL)
return 0;
@@ -53233,7 +53106,7 @@ index 100edcc..ed95731 100644
goto whole;
/*
-@@ -1385,9 +1840,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
+@@ -1385,9 +1842,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
{
elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
int i = 0;
@@ -53245,7 +53118,7 @@ index 100edcc..ed95731 100644
fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
}
-@@ -1396,7 +1851,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
+@@ -1396,7 +1853,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
{
mm_segment_t old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -53254,7 +53127,7 @@ index 100edcc..ed95731 100644
set_fs(old_fs);
fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata);
}
-@@ -2017,14 +2472,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
+@@ -2017,14 +2474,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
}
static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
@@ -53271,7 +53144,7 @@ index 100edcc..ed95731 100644
return size;
}
-@@ -2117,7 +2572,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2117,7 +2574,7 @@ static int elf_core_dump(struct coredump_params *cprm)
dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
@@ -53280,7 +53153,7 @@ index 100edcc..ed95731 100644
offset += elf_core_extra_data_size();
e_shoff = offset;
-@@ -2131,10 +2586,12 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2131,10 +2588,12 @@ static int elf_core_dump(struct coredump_params *cprm)
offset = dataoff;
size += sizeof(*elf);
@@ -53293,7 +53166,7 @@ index 100edcc..ed95731 100644
if (size > cprm->limit
|| !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
goto end_coredump;
-@@ -2148,7 +2605,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2148,7 +2607,7 @@ static int elf_core_dump(struct coredump_params *cprm)
phdr.p_offset = offset;
phdr.p_vaddr = vma->vm_start;
phdr.p_paddr = 0;
@@ -53302,7 +53175,7 @@ index 100edcc..ed95731 100644
phdr.p_memsz = vma->vm_end - vma->vm_start;
offset += phdr.p_filesz;
phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
-@@ -2159,6 +2616,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2159,6 +2618,7 @@ static int elf_core_dump(struct coredump_params *cprm)
phdr.p_align = ELF_EXEC_PAGESIZE;
size += sizeof(phdr);
@@ -53310,7 +53183,7 @@ index 100edcc..ed95731 100644
if (size > cprm->limit
|| !dump_write(cprm->file, &phdr, sizeof(phdr)))
goto end_coredump;
-@@ -2183,7 +2641,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2183,7 +2643,7 @@ static int elf_core_dump(struct coredump_params *cprm)
unsigned long addr;
unsigned long end;
@@ -53319,7 +53192,7 @@ index 100edcc..ed95731 100644
for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
struct page *page;
-@@ -2192,6 +2650,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2192,6 +2652,7 @@ static int elf_core_dump(struct coredump_params *cprm)
page = get_dump_page(addr);
if (page) {
void *kaddr = kmap(page);
@@ -53327,7 +53200,7 @@ index 100edcc..ed95731 100644
stop = ((size += PAGE_SIZE) > cprm->limit) ||
!dump_write(cprm->file, kaddr,
PAGE_SIZE);
-@@ -2209,6 +2668,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2209,6 +2670,7 @@ static int elf_core_dump(struct coredump_params *cprm)
if (e_phnum == PN_XNUM) {
size += sizeof(*shdr4extnum);
@@ -53335,7 +53208,7 @@ index 100edcc..ed95731 100644
if (size > cprm->limit
|| !dump_write(cprm->file, shdr4extnum,
sizeof(*shdr4extnum)))
-@@ -2229,6 +2689,167 @@ out:
+@@ -2229,6 +2691,167 @@ out:
#endif /* CONFIG_ELF_CORE */
@@ -53657,7 +53530,7 @@ index a4b38f9..f86a509 100644
spin_lock_init(&delayed_root->lock);
init_waitqueue_head(&delayed_root->wait);
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
-index 238a055..1e33cd5 100644
+index 9877a2a..7ebf9ab 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3097,9 +3097,12 @@ static long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
@@ -57333,10 +57206,10 @@ index 1d55f94..088da65 100644
}
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
-index 72a5d5b..c991011 100644
+index 8fec28f..cd40dba 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
-@@ -1433,7 +1433,7 @@ static char *read_link(struct dentry *dentry)
+@@ -1437,7 +1437,7 @@ static char *read_link(struct dentry *dentry)
return link;
}
@@ -60028,10 +59901,10 @@ index 7129046..f2779c6 100644
kfree(ctl_table_arg);
goto out;
diff --git a/fs/proc/root.c b/fs/proc/root.c
-index e0a790d..21e095e 100644
+index 0e0e83c..005ba6a 100644
--- a/fs/proc/root.c
+++ b/fs/proc/root.c
-@@ -182,7 +182,15 @@ void __init proc_root_init(void)
+@@ -183,7 +183,15 @@ void __init proc_root_init(void)
#ifdef CONFIG_PROC_DEVICETREE
proc_device_tree_init();
#endif
@@ -67426,10 +67299,10 @@ index 0000000..a340c17
+}
diff --git a/grsecurity/gracl_ip.c b/grsecurity/gracl_ip.c
new file mode 100644
-index 0000000..8132048
+index 0000000..f056b81
--- /dev/null
+++ b/grsecurity/gracl_ip.c
-@@ -0,0 +1,387 @@
+@@ -0,0 +1,386 @@
+#include <linux/kernel.h>
+#include <asm/uaccess.h>
+#include <asm/errno.h>
@@ -67521,6 +67394,8 @@ index 0000000..8132048
+ return gr_sockfamilies[family];
+}
+
++extern const struct net_proto_family __rcu *net_families[NPROTO] __read_mostly;
++
+int
+gr_search_socket(const int domain, const int type, const int protocol)
+{
@@ -67600,10 +67475,7 @@ index 0000000..8132048
+ if (domain == PF_INET)
+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
-+ else
-+#ifndef CONFIG_IPV6
-+ if (domain != PF_INET6)
-+#endif
++ else if (rcu_access_pointer(net_families[domain]) != NULL)
+ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
+ gr_socktype_to_name(type), protocol);
+
@@ -72535,7 +72407,7 @@ index 1ec14a7..d0654a2 100644
/**
* struct clk_init_data - holds init data that's common to all clocks and is
diff --git a/include/linux/compat.h b/include/linux/compat.h
-index 7f0c1dd..206ac34 100644
+index ec1aee4..1077986 100644
--- a/include/linux/compat.h
+++ b/include/linux/compat.h
@@ -312,7 +312,7 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
@@ -72556,14 +72428,6 @@ index 7f0c1dd..206ac34 100644
asmlinkage long compat_sys_lookup_dcookie(u32, u32, char __user *, size_t);
/*
-@@ -669,6 +669,7 @@ asmlinkage long compat_sys_sigaltstack(const compat_stack_t __user *uss_ptr,
-
- int compat_restore_altstack(const compat_stack_t __user *uss);
- int __compat_save_altstack(compat_stack_t __user *, unsigned long);
-+void __compat_save_altstack_ex(compat_stack_t __user *, unsigned long);
-
- asmlinkage long compat_sys_sched_rr_get_interval(compat_pid_t pid,
- struct compat_timespec __user *interval);
diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h
index 842de22..7f3a41f 100644
--- a/include/linux/compiler-gcc4.h
@@ -73242,7 +73106,7 @@ index 1c804b0..1432c2b 100644
/*
diff --git a/include/linux/genhd.h b/include/linux/genhd.h
-index 9f3c275..911b591 100644
+index 9f3c275..8bdff5d 100644
--- a/include/linux/genhd.h
+++ b/include/linux/genhd.h
@@ -194,7 +194,7 @@ struct gendisk {
@@ -73254,6 +73118,15 @@ index 9f3c275..911b591 100644
struct disk_events *ev;
#ifdef CONFIG_BLK_DEV_INTEGRITY
struct blk_integrity *integrity;
+@@ -435,7 +435,7 @@ extern void disk_flush_events(struct gendisk *disk, unsigned int mask);
+ extern unsigned int disk_clear_events(struct gendisk *disk, unsigned int mask);
+
+ /* drivers/char/random.c */
+-extern void add_disk_randomness(struct gendisk *disk);
++extern void add_disk_randomness(struct gendisk *disk) __latent_entropy;
+ extern void rand_initialize_disk(struct gendisk *disk);
+
+ static inline sector_t get_start_sect(struct block_device *bdev)
diff --git a/include/linux/genl_magic_func.h b/include/linux/genl_magic_func.h
index 023bc34..b02b46a 100644
--- a/include/linux/genl_magic_func.h
@@ -74589,24 +74462,10 @@ index 0000000..e7ffaaf
+
+#endif
diff --git a/include/linux/hid.h b/include/linux/hid.h
-index 0c48991..76e41d8 100644
+index ff545cc..76e41d8 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
-@@ -393,10 +393,12 @@ struct hid_report {
- struct hid_device *device; /* associated device */
- };
-
-+#define HID_MAX_IDS 256
-+
- struct hid_report_enum {
- unsigned numbered;
- struct list_head report_list;
-- struct hid_report *report_id_hash[256];
-+ struct hid_report *report_id_hash[HID_MAX_IDS];
- };
-
- #define HID_REPORT_TYPES 3
-@@ -747,6 +749,10 @@ void hid_output_report(struct hid_report *report, __u8 *data);
+@@ -749,6 +749,10 @@ void hid_output_report(struct hid_report *report, __u8 *data);
struct hid_device *hid_allocate_device(void);
struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id);
int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size);
@@ -76143,10 +76002,10 @@ index 34a1e10..03a6d03 100644
struct proc_ns {
void *ns;
diff --git a/include/linux/random.h b/include/linux/random.h
-index 3b9377d..943ad4a 100644
+index 3b9377d..e418336 100644
--- a/include/linux/random.h
+++ b/include/linux/random.h
-@@ -10,6 +10,16 @@
+@@ -10,9 +10,19 @@
extern void add_device_randomness(const void *, unsigned int);
@@ -76161,8 +76020,13 @@ index 3b9377d..943ad4a 100644
+}
+
extern void add_input_randomness(unsigned int type, unsigned int code,
- unsigned int value);
- extern void add_interrupt_randomness(int irq, int irq_flags);
+- unsigned int value);
+-extern void add_interrupt_randomness(int irq, int irq_flags);
++ unsigned int value) __latent_entropy;
++extern void add_interrupt_randomness(int irq, int irq_flags) __latent_entropy;
+
+ extern void get_random_bytes(void *buf, int nbytes);
+ extern void get_random_bytes_arch(void *buf, int nbytes);
@@ -32,6 +42,11 @@ void prandom_seed(u32 seed);
u32 prandom_u32_state(struct rnd_state *);
void prandom_bytes_state(struct rnd_state *state, void *buf, int nbytes);
@@ -76176,7 +76040,7 @@ index 3b9377d..943ad4a 100644
* Handle minimum values for seeds
*/
diff --git a/include/linux/rculist.h b/include/linux/rculist.h
-index f4b1001..8ddb2b6 100644
+index 4106721..132d42c 100644
--- a/include/linux/rculist.h
+++ b/include/linux/rculist.h
@@ -44,6 +44,9 @@ extern void __list_add_rcu(struct list_head *new,
@@ -76642,18 +76506,6 @@ index 429c199..4d42e38 100644
};
/* shm_mode upper byte flags */
-diff --git a/include/linux/signal.h b/include/linux/signal.h
-index d897484..323ba98 100644
---- a/include/linux/signal.h
-+++ b/include/linux/signal.h
-@@ -433,6 +433,7 @@ void signals_init(void);
-
- int restore_altstack(const stack_t __user *);
- int __save_altstack(stack_t __user *, unsigned long);
-+void __save_altstack_ex(stack_t __user *, unsigned long);
-
- #ifdef CONFIG_PROC_FS
- struct seq_file;
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 3b71a4e..5c9f309 100644
--- a/include/linux/skbuff.h
@@ -79442,7 +79294,7 @@ index ae1996d..a35f2cc 100644
if (u->mq_bytes + mq_bytes < u->mq_bytes ||
u->mq_bytes + mq_bytes > rlimit(RLIMIT_MSGQUEUE)) {
diff --git a/ipc/msg.c b/ipc/msg.c
-index 9f29d9e..8f284e0 100644
+index b65fdf1..89ec2b1 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -291,18 +291,19 @@ static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg)
@@ -80358,7 +80210,7 @@ index ca65997..60df03d 100644
/* Callchain handling */
extern struct perf_callchain_entry *
diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
-index f356974..cb8c570 100644
+index ad8e1bd..fed7ba9 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -1556,7 +1556,7 @@ static int is_trap_at_addr(struct mm_struct *mm, unsigned long vaddr)
@@ -80431,7 +80283,7 @@ index a949819..a5f127d 100644
{
struct signal_struct *sig = current->signal;
diff --git a/kernel/fork.c b/kernel/fork.c
-index bf46287..2af185d 100644
+index 200a7a2..43e52da 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -319,7 +319,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
@@ -80680,7 +80532,7 @@ index bf46287..2af185d 100644
unsigned long stack_start,
unsigned long stack_size,
int __user *child_tidptr,
-@@ -1200,6 +1250,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+@@ -1201,6 +1251,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
#endif
retval = -EAGAIN;
@@ -80690,7 +80542,7 @@ index bf46287..2af185d 100644
if (atomic_read(&p->real_cred->user->processes) >=
task_rlimit(p, RLIMIT_NPROC)) {
if (p->real_cred->user != INIT_USER &&
-@@ -1449,6 +1502,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+@@ -1450,6 +1503,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
goto bad_fork_free_pid;
}
@@ -80702,7 +80554,7 @@ index bf46287..2af185d 100644
if (likely(p->pid)) {
ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace);
-@@ -1534,6 +1592,8 @@ bad_fork_cleanup_count:
+@@ -1535,6 +1593,8 @@ bad_fork_cleanup_count:
bad_fork_free:
free_task(p);
fork_out:
@@ -80711,7 +80563,7 @@ index bf46287..2af185d 100644
return ERR_PTR(retval);
}
-@@ -1604,6 +1664,7 @@ long do_fork(unsigned long clone_flags,
+@@ -1605,6 +1665,7 @@ long do_fork(unsigned long clone_flags,
p = copy_process(clone_flags, stack_start, stack_size,
child_tidptr, NULL, trace);
@@ -80719,7 +80571,7 @@ index bf46287..2af185d 100644
/*
* Do this prior waking up the new thread - the thread pointer
* might get invalid after that point, if the thread exits quickly.
-@@ -1618,6 +1679,8 @@ long do_fork(unsigned long clone_flags,
+@@ -1619,6 +1680,8 @@ long do_fork(unsigned long clone_flags,
if (clone_flags & CLONE_PARENT_SETTID)
put_user(nr, parent_tidptr);
@@ -80728,7 +80580,7 @@ index bf46287..2af185d 100644
if (clone_flags & CLONE_VFORK) {
p->vfork_done = &vfork;
init_completion(&vfork);
-@@ -1734,7 +1797,7 @@ void __init proc_caches_init(void)
+@@ -1735,7 +1798,7 @@ void __init proc_caches_init(void)
mm_cachep = kmem_cache_create("mm_struct",
sizeof(struct mm_struct), ARCH_MIN_MMSTRUCT_ALIGN,
SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_NOTRACK, NULL);
@@ -80737,7 +80589,7 @@ index bf46287..2af185d 100644
mmap_init();
nsproxy_cache_init();
}
-@@ -1774,7 +1837,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
+@@ -1775,7 +1838,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
return 0;
/* don't need lock here; in the worst case we'll do useless copy */
@@ -80746,7 +80598,7 @@ index bf46287..2af185d 100644
return 0;
*new_fsp = copy_fs_struct(fs);
-@@ -1886,7 +1949,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
+@@ -1887,7 +1950,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
fs = current->fs;
spin_lock(&fs->lock);
current->fs = new_fs;
@@ -80848,7 +80700,7 @@ index 9b22d03..6295b62 100644
prev->next = info->next;
else
diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
-index 383319b..cd2b391 100644
+index 383319b..56ebb13 100644
--- a/kernel/hrtimer.c
+++ b/kernel/hrtimer.c
@@ -1438,7 +1438,7 @@ void hrtimer_peek_ahead_timers(void)
@@ -80856,7 +80708,7 @@ index 383319b..cd2b391 100644
}
-static void run_hrtimer_softirq(struct softirq_action *h)
-+static void run_hrtimer_softirq(void)
++static __latent_entropy void run_hrtimer_softirq(void)
{
hrtimer_peek_ahead_timers();
}
@@ -82351,7 +82203,7 @@ index 8018646..b6a5b4f 100644
}
EXPORT_SYMBOL(__stack_chk_fail);
diff --git a/kernel/pid.c b/kernel/pid.c
-index 66505c1..87af12c 100644
+index ebe5e80..5d6d634 100644
--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -33,6 +33,7 @@
@@ -82371,7 +82223,7 @@ index 66505c1..87af12c 100644
int pid_max_min = RESERVED_PIDS + 1;
int pid_max_max = PID_MAX_LIMIT;
-@@ -439,10 +440,18 @@ EXPORT_SYMBOL(pid_task);
+@@ -440,10 +441,18 @@ EXPORT_SYMBOL(pid_task);
*/
struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
{
@@ -82391,7 +82243,7 @@ index 66505c1..87af12c 100644
}
struct task_struct *find_task_by_vpid(pid_t vnr)
-@@ -450,6 +459,14 @@ struct task_struct *find_task_by_vpid(pid_t vnr)
+@@ -451,6 +460,14 @@ struct task_struct *find_task_by_vpid(pid_t vnr)
return find_task_by_pid_ns(vnr, task_active_pid_ns(current));
}
@@ -82789,7 +82641,7 @@ index cce6ba8..7c758b1f 100644
}
return till_stall_check * HZ + RCU_STALL_DELAY_DELTA;
diff --git a/kernel/rcutiny.c b/kernel/rcutiny.c
-index aa34411..78e5ccb 100644
+index aa34411..4832cd4 100644
--- a/kernel/rcutiny.c
+++ b/kernel/rcutiny.c
@@ -45,7 +45,7 @@
@@ -82806,7 +82658,7 @@ index aa34411..78e5ccb 100644
}
-static void rcu_process_callbacks(struct softirq_action *unused)
-+static void rcu_process_callbacks(void)
++static __latent_entropy void rcu_process_callbacks(void)
{
__rcu_process_callbacks(&rcu_sched_ctrlblk);
__rcu_process_callbacks(&rcu_bh_ctrlblk);
@@ -82978,7 +82830,7 @@ index f4871e5..8ef5741 100644
for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
per_cpu(rcu_torture_count, cpu)[i] = 0;
diff --git a/kernel/rcutree.c b/kernel/rcutree.c
-index 068de3a..df7da65 100644
+index 068de3a..5e7db2f 100644
--- a/kernel/rcutree.c
+++ b/kernel/rcutree.c
@@ -358,9 +358,9 @@ static void rcu_eqs_enter_common(struct rcu_dynticks *rdtp, long long oldval,
@@ -83107,7 +82959,7 @@ index 068de3a..df7da65 100644
* Do RCU core processing for the current CPU.
*/
-static void rcu_process_callbacks(struct softirq_action *unused)
-+static void rcu_process_callbacks(void)
++static __latent_entropy void rcu_process_callbacks(void)
{
struct rcu_state *rsp;
@@ -83724,7 +83576,7 @@ index 05c39f0..442e6fe 100644
#else
static void register_sched_domain_sysctl(void)
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
-index 68f1609..640ba13 100644
+index 68f1609..2a9fe8a 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -869,7 +869,7 @@ void task_numa_fault(int node, int pages, bool migrated)
@@ -83741,7 +83593,7 @@ index 68f1609..640ba13 100644
* Also triggered for nohz idle balancing (with nohz_balancing_kick set).
*/
-static void run_rebalance_domains(struct softirq_action *h)
-+static void run_rebalance_domains(void)
++static __latent_entropy void run_rebalance_domains(void)
{
int this_cpu = smp_processor_id();
struct rq *this_rq = cpu_rq(this_cpu);
@@ -83759,7 +83611,7 @@ index ef0a7b2..1b728c1 100644
#define sched_class_highest (&stop_sched_class)
#define for_each_class(class) \
diff --git a/kernel/signal.c b/kernel/signal.c
-index 50e4107..08bcb94 100644
+index 50e4107..9409983 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -51,12 +51,12 @@ static struct kmem_cache *sigqueue_cachep;
@@ -83885,24 +83737,7 @@ index 50e4107..08bcb94 100644
if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
error = check_kill_permission(sig, info, p);
/*
-@@ -3219,6 +3250,16 @@ int __save_altstack(stack_t __user *uss, unsigned long sp)
- __put_user(t->sas_ss_size, &uss->ss_size);
- }
-
-+#ifdef CONFIG_X86
-+void __save_altstack_ex(stack_t __user *uss, unsigned long sp)
-+{
-+ struct task_struct *t = current;
-+ put_user_ex((void __user *)t->sas_ss_sp, &uss->ss_sp);
-+ put_user_ex(sas_ss_flags(sp), &uss->ss_flags);
-+ put_user_ex(t->sas_ss_size, &uss->ss_size);
-+}
-+#endif
-+
- #ifdef CONFIG_COMPAT
- COMPAT_SYSCALL_DEFINE2(sigaltstack,
- const compat_stack_t __user *, uss_ptr,
-@@ -3240,8 +3281,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack,
+@@ -3240,8 +3271,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack,
}
seg = get_fs();
set_fs(KERNEL_DS);
@@ -83913,23 +83748,6 @@ index 50e4107..08bcb94 100644
compat_user_stack_pointer());
set_fs(seg);
if (ret >= 0 && uoss_ptr) {
-@@ -3268,6 +3309,16 @@ int __compat_save_altstack(compat_stack_t __user *uss, unsigned long sp)
- __put_user(sas_ss_flags(sp), &uss->ss_flags) |
- __put_user(t->sas_ss_size, &uss->ss_size);
- }
-+
-+#ifdef CONFIG_X86
-+void __compat_save_altstack_ex(compat_stack_t __user *uss, unsigned long sp)
-+{
-+ struct task_struct *t = current;
-+ put_user_ex(ptr_to_compat((void __user *)t->sas_ss_sp), &uss->ss_sp);
-+ put_user_ex(sas_ss_flags(sp), &uss->ss_flags);
-+ put_user_ex(t->sas_ss_size, &uss->ss_size);
-+}
-+#endif
- #endif
-
- #ifdef __ARCH_WANT_SYS_SIGPENDING
diff --git a/kernel/smpboot.c b/kernel/smpboot.c
index eb89e18..a4e6792 100644
--- a/kernel/smpboot.c
@@ -83953,7 +83771,7 @@ index eb89e18..a4e6792 100644
mutex_unlock(&smpboot_threads_lock);
put_online_cpus();
diff --git a/kernel/softirq.c b/kernel/softirq.c
-index be3d351..9e4d5f2 100644
+index be3d351..e57af82 100644
--- a/kernel/softirq.c
+++ b/kernel/softirq.c
@@ -53,11 +53,11 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned;
@@ -83993,7 +83811,7 @@ index be3d351..9e4d5f2 100644
EXPORT_SYMBOL(__tasklet_hi_schedule_first);
-static void tasklet_action(struct softirq_action *a)
-+static void tasklet_action(void)
++static __latent_entropy void tasklet_action(void)
{
struct tasklet_struct *list;
@@ -84002,7 +83820,7 @@ index be3d351..9e4d5f2 100644
}
-static void tasklet_hi_action(struct softirq_action *a)
-+static void tasklet_hi_action(void)
++static __latent_entropy void tasklet_hi_action(void)
{
struct tasklet_struct *list;
@@ -84652,7 +84470,7 @@ index 0b537f2..40d6c20 100644
return -ENOMEM;
return 0;
diff --git a/kernel/timer.c b/kernel/timer.c
-index 4296d13..8998609 100644
+index 4296d13..0164b04 100644
--- a/kernel/timer.c
+++ b/kernel/timer.c
@@ -1366,7 +1366,7 @@ void update_process_times(int user_tick)
@@ -84660,7 +84478,7 @@ index 4296d13..8998609 100644
* This function runs timers and the timer-tq in bottom half context.
*/
-static void run_timer_softirq(struct softirq_action *h)
-+static void run_timer_softirq(void)
++static __latent_entropy void run_timer_softirq(void)
{
struct tvec_base *base = __this_cpu_read(tvec_bases);
@@ -85763,6 +85581,19 @@ index c24c2f7..06e070b 100644
+ pax_close_kernel();
+}
+EXPORT_SYMBOL(pax_list_del_rcu);
+diff --git a/lib/percpu-refcount.c b/lib/percpu-refcount.c
+index 7deeb62..144eb47 100644
+--- a/lib/percpu-refcount.c
++++ b/lib/percpu-refcount.c
+@@ -29,7 +29,7 @@
+ * can't hit 0 before we've added up all the percpu refs.
+ */
+
+-#define PCPU_COUNT_BIAS (1U << 31)
++#define PCPU_COUNT_BIAS (1U << 30)
+
+ /**
+ * percpu_ref_init - initialize a percpu refcount
diff --git a/lib/radix-tree.c b/lib/radix-tree.c
index e796429..6e38f9f 100644
--- a/lib/radix-tree.c
@@ -87290,7 +87121,7 @@ index 6f0c244..6d1ae32 100644
err = -EPERM;
goto out;
diff --git a/mm/mlock.c b/mm/mlock.c
-index 79b7cf7..9944291 100644
+index 79b7cf7..37472bf 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -13,6 +13,7 @@
@@ -87340,7 +87171,7 @@ index 79b7cf7..9944291 100644
if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
error = do_mlock(start, len, 1);
up_write(¤t->mm->mmap_sem);
-@@ -500,6 +510,11 @@ static int do_mlockall(int flags)
+@@ -500,12 +510,18 @@ static int do_mlockall(int flags)
for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
vm_flags_t newflags;
@@ -87352,7 +87183,14 @@ index 79b7cf7..9944291 100644
newflags = vma->vm_flags & ~VM_LOCKED;
if (flags & MCL_CURRENT)
newflags |= VM_LOCKED;
-@@ -532,6 +547,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
+
+ /* Ignore errors */
+ mlock_fixup(vma, &prev, vma->vm_start, vma->vm_end, newflags);
++ cond_resched();
+ }
+ out:
+ return 0;
+@@ -532,6 +548,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
lock_limit >>= PAGE_SHIFT;
ret = -ENOMEM;
@@ -91477,7 +91315,7 @@ index 8ab48cd..57b1a80 100644
return err;
diff --git a/net/core/dev.c b/net/core/dev.c
-index 26755dd..5020ced 100644
+index 26755dd..2a232de 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1680,14 +1680,14 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
@@ -91520,7 +91358,7 @@ index 26755dd..5020ced 100644
EXPORT_SYMBOL(netif_rx_ni);
-static void net_tx_action(struct softirq_action *h)
-+static void net_tx_action(void)
++static __latent_entropy void net_tx_action(void)
{
struct softnet_data *sd = &__get_cpu_var(softnet_data);
@@ -91538,7 +91376,7 @@ index 26755dd..5020ced 100644
EXPORT_SYMBOL(netif_napi_del);
-static void net_rx_action(struct softirq_action *h)
-+static void net_rx_action(void)
++static __latent_entropy void net_rx_action(void)
{
struct softnet_data *sd = &__get_cpu_var(softnet_data);
unsigned long time_limit = jiffies + 2;
@@ -93358,6 +93196,96 @@ index 90747f1..505320d 100644
.kind = "ip6gretap",
.maxtype = IFLA_GRE_MAX,
.policy = ip6gre_policy,
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index e7ceb6c..44df1c9 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1040,6 +1040,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
+ * udp datagram
+ */
+ if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) {
++ struct frag_hdr fhdr;
++
+ skb = sock_alloc_send_skb(sk,
+ hh_len + fragheaderlen + transhdrlen + 20,
+ (flags & MSG_DONTWAIT), &err);
+@@ -1061,12 +1063,6 @@ static inline int ip6_ufo_append_data(struct sock *sk,
+ skb->protocol = htons(ETH_P_IPV6);
+ skb->ip_summed = CHECKSUM_PARTIAL;
+ skb->csum = 0;
+- }
+-
+- err = skb_append_datato_frags(sk,skb, getfrag, from,
+- (length - transhdrlen));
+- if (!err) {
+- struct frag_hdr fhdr;
+
+ /* Specify the length of each IPv6 datagram fragment.
+ * It has to be a multiple of 8.
+@@ -1077,15 +1073,10 @@ static inline int ip6_ufo_append_data(struct sock *sk,
+ ipv6_select_ident(&fhdr, rt);
+ skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
+ __skb_queue_tail(&sk->sk_write_queue, skb);
+-
+- return 0;
+ }
+- /* There is not enough support do UPD LSO,
+- * so follow normal path
+- */
+- kfree_skb(skb);
+
+- return err;
++ return skb_append_datato_frags(sk, skb, getfrag, from,
++ (length - transhdrlen));
+ }
+
+ static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src,
+@@ -1252,27 +1243,27 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
+ * --yoshfuji
+ */
+
++ if ((length > mtu) && dontfrag && (sk->sk_protocol == IPPROTO_UDP ||
++ sk->sk_protocol == IPPROTO_RAW)) {
++ ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
++ return -EMSGSIZE;
++ }
++
++ skb = skb_peek_tail(&sk->sk_write_queue);
+ cork->length += length;
+- if (length > mtu) {
+- int proto = sk->sk_protocol;
+- if (dontfrag && (proto == IPPROTO_UDP || proto == IPPROTO_RAW)){
+- ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
+- return -EMSGSIZE;
+- }
+-
+- if (proto == IPPROTO_UDP &&
+- (rt->dst.dev->features & NETIF_F_UFO)) {
+-
+- err = ip6_ufo_append_data(sk, getfrag, from, length,
+- hh_len, fragheaderlen,
+- transhdrlen, mtu, flags, rt);
+- if (err)
+- goto error;
+- return 0;
+- }
++ if (((length > mtu) ||
++ (skb && skb_is_gso(skb))) &&
++ (sk->sk_protocol == IPPROTO_UDP) &&
++ (rt->dst.dev->features & NETIF_F_UFO)) {
++ err = ip6_ufo_append_data(sk, getfrag, from, length,
++ hh_len, fragheaderlen,
++ transhdrlen, mtu, flags, rt);
++ if (err)
++ goto error;
++ return 0;
+ }
+
+- if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL)
++ if (!skb)
+ goto alloc_new_skb;
+
+ while (length > 0) {
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 46ba243..576f50e 100644
--- a/net/ipv6/ip6_tunnel.c
@@ -95749,7 +95677,7 @@ index 9a5c4c9..46e4b29 100644
table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL);
diff --git a/net/socket.c b/net/socket.c
-index b2d7c62..04f19ea 100644
+index b2d7c62..441a7ef 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -88,6 +88,7 @@
@@ -95769,6 +95697,15 @@ index b2d7c62..04f19ea 100644
static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
unsigned long nr_segs, loff_t pos);
+@@ -162,7 +165,7 @@ static const struct file_operations socket_file_ops = {
+ */
+
+ static DEFINE_SPINLOCK(net_family_lock);
+-static const struct net_proto_family __rcu *net_families[NPROTO] __read_mostly;
++const struct net_proto_family __rcu *net_families[NPROTO] __read_mostly;
+
+ /*
+ * Statistics counters of the socket lists
@@ -327,7 +330,7 @@ static struct dentry *sockfs_mount(struct file_system_type *fs_type,
&sockfs_dentry_operations, SOCKFS_MAGIC);
}
@@ -95787,24 +95724,28 @@ index b2d7c62..04f19ea 100644
/* Compatibility.
-@@ -1394,6 +1399,16 @@ SYSCALL_DEFINE3(socket, int, family, int, type, int, protocol)
- if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
- flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
+@@ -1283,6 +1288,20 @@ int __sock_create(struct net *net, int family, int type, int protocol,
+ if (err)
+ return err;
-+ if(!gr_search_socket(family, type, protocol)) {
-+ retval = -EACCES;
-+ goto out;
++ if(!kern && !gr_search_socket(family, type, protocol)) {
++ if (rcu_access_pointer(net_families[family]) == NULL)
++ return -EAFNOSUPPORT;
++ else
++ return -EACCES;
+ }
+
-+ if (gr_handle_sock_all(family, type, protocol)) {
-+ retval = -EACCES;
-+ goto out;
++ if (!kern && gr_handle_sock_all(family, type, protocol)) {
++ if (rcu_access_pointer(net_families[family]) == NULL)
++ return -EAFNOSUPPORT;
++ else
++ return -EACCES;
+ }
+
- retval = sock_create(family, type, protocol, &sock);
- if (retval < 0)
- goto out;
-@@ -1521,6 +1536,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
+ /*
+ * Allocate the socket and allow the family to set things up. if
+ * the protocol is 0, the family is instructed to select an appropriate
+@@ -1521,6 +1540,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
if (sock) {
err = move_addr_to_kernel(umyaddr, addrlen, &address);
if (err >= 0) {
@@ -95819,7 +95760,7 @@ index b2d7c62..04f19ea 100644
err = security_socket_bind(sock,
(struct sockaddr *)&address,
addrlen);
-@@ -1529,6 +1552,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
+@@ -1529,6 +1556,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
(struct sockaddr *)
&address, addrlen);
}
@@ -95827,7 +95768,7 @@ index b2d7c62..04f19ea 100644
fput_light(sock->file, fput_needed);
}
return err;
-@@ -1552,10 +1576,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog)
+@@ -1552,10 +1580,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog)
if ((unsigned int)backlog > somaxconn)
backlog = somaxconn;
@@ -95848,7 +95789,7 @@ index b2d7c62..04f19ea 100644
fput_light(sock->file, fput_needed);
}
return err;
-@@ -1599,6 +1633,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
+@@ -1599,6 +1637,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
newsock->type = sock->type;
newsock->ops = sock->ops;
@@ -95867,7 +95808,7 @@ index b2d7c62..04f19ea 100644
/*
* We don't need try_module_get here, as the listening socket (sock)
* has the protocol module (sock->ops->owner) held.
-@@ -1644,6 +1690,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
+@@ -1644,6 +1694,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
fd_install(newfd, newfile);
err = newfd;
@@ -95876,7 +95817,7 @@ index b2d7c62..04f19ea 100644
out_put:
fput_light(sock->file, fput_needed);
out:
-@@ -1676,6 +1724,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
+@@ -1676,6 +1728,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
int, addrlen)
{
struct socket *sock;
@@ -95884,7 +95825,7 @@ index b2d7c62..04f19ea 100644
struct sockaddr_storage address;
int err, fput_needed;
-@@ -1686,6 +1735,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
+@@ -1686,6 +1739,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
if (err < 0)
goto out_put;
@@ -95902,7 +95843,7 @@ index b2d7c62..04f19ea 100644
err =
security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
if (err)
-@@ -1767,6 +1827,8 @@ SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr,
+@@ -1767,6 +1831,8 @@ SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr,
* the protocol.
*/
@@ -95911,7 +95852,7 @@ index b2d7c62..04f19ea 100644
SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
unsigned int, flags, struct sockaddr __user *, addr,
int, addr_len)
-@@ -1833,7 +1895,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
+@@ -1833,7 +1899,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
struct socket *sock;
struct iovec iov;
struct msghdr msg;
@@ -95920,7 +95861,7 @@ index b2d7c62..04f19ea 100644
int err, err2;
int fput_needed;
-@@ -2040,7 +2102,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2040,7 +2106,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
* checking falls down on this.
*/
if (copy_from_user(ctl_buf,
@@ -95929,7 +95870,7 @@ index b2d7c62..04f19ea 100644
ctl_len))
goto out_freectl;
msg_sys->msg_control = ctl_buf;
-@@ -2191,7 +2253,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2191,7 +2257,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
int err, total_len, len;
/* kernel mode address */
@@ -95938,7 +95879,7 @@ index b2d7c62..04f19ea 100644
/* user mode address pointers */
struct sockaddr __user *uaddr;
-@@ -2219,7 +2281,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2219,7 +2285,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
* kernel msghdr to use the kernel address space)
*/
@@ -95947,7 +95888,7 @@ index b2d7c62..04f19ea 100644
uaddr_len = COMPAT_NAMELEN(msg);
if (MSG_CMSG_COMPAT & flags) {
err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE);
-@@ -2974,7 +3036,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
+@@ -2974,7 +3040,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
err = dev_ioctl(net, cmd,
@@ -95956,7 +95897,7 @@ index b2d7c62..04f19ea 100644
set_fs(old_fs);
return err;
-@@ -3083,7 +3145,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
+@@ -3083,7 +3149,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -95965,7 +95906,7 @@ index b2d7c62..04f19ea 100644
set_fs(old_fs);
if (cmd == SIOCGIFMAP && !err) {
-@@ -3188,7 +3250,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
+@@ -3188,7 +3254,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
ret |= __get_user(rtdev, &(ur4->rt_dev));
if (rtdev) {
ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
@@ -95974,7 +95915,7 @@ index b2d7c62..04f19ea 100644
devname[15] = 0;
} else
r4.rt_dev = NULL;
-@@ -3414,8 +3476,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
+@@ -3414,8 +3480,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
int __user *uoptlen;
int err;
@@ -95985,7 +95926,7 @@ index b2d7c62..04f19ea 100644
set_fs(KERNEL_DS);
if (level == SOL_SOCKET)
-@@ -3435,7 +3497,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
+@@ -3435,7 +3501,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
char __user *uoptval;
int err;
@@ -101154,7 +101095,7 @@ index 0000000..698da67
+}
diff --git a/tools/gcc/latent_entropy_plugin.c b/tools/gcc/latent_entropy_plugin.c
new file mode 100644
-index 0000000..2ef6fd9
+index 0000000..cd6c242
--- /dev/null
+++ b/tools/gcc/latent_entropy_plugin.c
@@ -0,0 +1,321 @@
@@ -101450,7 +101391,7 @@ index 0000000..2ef6fd9
+ TREE_THIS_VOLATILE(latent_entropy_decl) = 1;
+ DECL_EXTERNAL(latent_entropy_decl) = 1;
+ DECL_ARTIFICIAL(latent_entropy_decl) = 1;
-+ DECL_INITIAL(latent_entropy_decl) = NULL;
++ DECL_INITIAL(latent_entropy_decl) = build_int_cstu(long_long_unsigned_type_node, get_random_const());
+ lang_hooks.decls.pushdecl(latent_entropy_decl);
+// DECL_ASSEMBLER_NAME(latent_entropy_decl);
+// varpool_finalize_decl(latent_entropy_decl);
diff --git a/3.11.1/4425_grsec_remove_EI_PAX.patch b/3.11.2/4425_grsec_remove_EI_PAX.patch
similarity index 100%
rename from 3.11.1/4425_grsec_remove_EI_PAX.patch
rename to 3.11.2/4425_grsec_remove_EI_PAX.patch
diff --git a/3.11.1/4427_force_XATTR_PAX_tmpfs.patch b/3.11.2/4427_force_XATTR_PAX_tmpfs.patch
similarity index 100%
rename from 3.11.1/4427_force_XATTR_PAX_tmpfs.patch
rename to 3.11.2/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.11.1/4430_grsec-remove-localversion-grsec.patch b/3.11.2/4430_grsec-remove-localversion-grsec.patch
similarity index 100%
rename from 3.11.1/4430_grsec-remove-localversion-grsec.patch
rename to 3.11.2/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.11.1/4435_grsec-mute-warnings.patch b/3.11.2/4435_grsec-mute-warnings.patch
similarity index 100%
rename from 3.11.1/4435_grsec-mute-warnings.patch
rename to 3.11.2/4435_grsec-mute-warnings.patch
diff --git a/3.11.1/4440_grsec-remove-protected-paths.patch b/3.11.2/4440_grsec-remove-protected-paths.patch
similarity index 100%
rename from 3.11.1/4440_grsec-remove-protected-paths.patch
rename to 3.11.2/4440_grsec-remove-protected-paths.patch
diff --git a/3.11.1/4450_grsec-kconfig-default-gids.patch b/3.11.2/4450_grsec-kconfig-default-gids.patch
similarity index 100%
rename from 3.11.1/4450_grsec-kconfig-default-gids.patch
rename to 3.11.2/4450_grsec-kconfig-default-gids.patch
diff --git a/3.11.1/4465_selinux-avc_audit-log-curr_ip.patch b/3.11.2/4465_selinux-avc_audit-log-curr_ip.patch
similarity index 100%
rename from 3.11.1/4465_selinux-avc_audit-log-curr_ip.patch
rename to 3.11.2/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.11.1/4470_disable-compat_vdso.patch b/3.11.2/4470_disable-compat_vdso.patch
similarity index 100%
rename from 3.11.1/4470_disable-compat_vdso.patch
rename to 3.11.2/4470_disable-compat_vdso.patch
diff --git a/3.11.1/4475_emutramp_default_on.patch b/3.11.2/4475_emutramp_default_on.patch
similarity index 100%
rename from 3.11.1/4475_emutramp_default_on.patch
rename to 3.11.2/4475_emutramp_default_on.patch
diff --git a/3.2.51/0000_README b/3.2.51/0000_README
index cf0a0fe..e87b456 100644
--- a/3.2.51/0000_README
+++ b/3.2.51/0000_README
@@ -122,7 +122,7 @@ Patch: 1050_linux-3.2.51.patch
From: http://www.kernel.org
Desc: Linux 3.2.51
-Patch: 4420_grsecurity-2.9.1-3.2.51-201309181906.patch
+Patch: 4420_grsecurity-2.9.1-3.2.51-201309281102.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.51/4420_grsecurity-2.9.1-3.2.51-201309181906.patch b/3.2.51/4420_grsecurity-2.9.1-3.2.51-201309281102.patch
similarity index 99%
rename from 3.2.51/4420_grsecurity-2.9.1-3.2.51-201309181906.patch
rename to 3.2.51/4420_grsecurity-2.9.1-3.2.51-201309281102.patch
index 6cc3546..79a6bf4 100644
--- a/3.2.51/4420_grsecurity-2.9.1-3.2.51-201309181906.patch
+++ b/3.2.51/4420_grsecurity-2.9.1-3.2.51-201309281102.patch
@@ -30191,7 +30191,7 @@ index af00795..2bb8105 100644
#define XCHAL_ICACHE_SIZE 32768 /* I-cache size in bytes or 0 */
#define XCHAL_DCACHE_SIZE 32768 /* D-cache size in bytes or 0 */
diff --git a/block/blk-iopoll.c b/block/blk-iopoll.c
-index 58916af..eb9dbcf6 100644
+index 58916af..9b538a6 100644
--- a/block/blk-iopoll.c
+++ b/block/blk-iopoll.c
@@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopoll *iopoll)
@@ -30199,7 +30199,7 @@ index 58916af..eb9dbcf6 100644
EXPORT_SYMBOL(blk_iopoll_complete);
-static void blk_iopoll_softirq(struct softirq_action *h)
-+static void blk_iopoll_softirq(void)
++static __latent_entropy void blk_iopoll_softirq(void)
{
struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
int rearm = 0, budget = blk_iopoll_budget;
@@ -30226,7 +30226,7 @@ index 623e1cd..ca1e109 100644
bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
else
diff --git a/block/blk-softirq.c b/block/blk-softirq.c
-index 1366a89..dfb3871 100644
+index 1366a89..88178fe 100644
--- a/block/blk-softirq.c
+++ b/block/blk-softirq.c
@@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head, blk_cpu_done);
@@ -30234,7 +30234,7 @@ index 1366a89..dfb3871 100644
* while passing them to the queue registered handler.
*/
-static void blk_done_softirq(struct softirq_action *h)
-+static void blk_done_softirq(void)
++static __latent_entropy void blk_done_softirq(void)
{
struct list_head *cpu_list, local_list;
@@ -31889,19 +31889,18 @@ index e8d11b6..7b1b36f 100644
}
EXPORT_SYMBOL_GPL(unregister_syscore_ops);
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
-index d3446f6..12de1df 100644
+index d3446f6..61ddf2c 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
-@@ -1186,6 +1186,8 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
+@@ -1186,6 +1186,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
int err;
u32 cp;
+ memset(&arg64, 0, sizeof(arg64));
-+
err = 0;
err |=
copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
-@@ -3007,7 +3009,7 @@ static void start_io(ctlr_info_t *h)
+@@ -3007,7 +3008,7 @@ static void start_io(ctlr_info_t *h)
while (!list_empty(&h->reqQ)) {
c = list_entry(h->reqQ.next, CommandList_struct, list);
/* can't do anything if fifo is full */
@@ -31910,7 +31909,7 @@ index d3446f6..12de1df 100644
dev_warn(&h->pdev->dev, "fifo full\n");
break;
}
-@@ -3017,7 +3019,7 @@ static void start_io(ctlr_info_t *h)
+@@ -3017,7 +3018,7 @@ static void start_io(ctlr_info_t *h)
h->Qdepth--;
/* Tell the controller execute command */
@@ -31919,7 +31918,7 @@ index d3446f6..12de1df 100644
/* Put job onto the completed Q */
addQ(&h->cmpQ, c);
-@@ -3443,17 +3445,17 @@ startio:
+@@ -3443,17 +3444,17 @@ startio:
static inline unsigned long get_next_completion(ctlr_info_t *h)
{
@@ -31940,7 +31939,7 @@ index d3446f6..12de1df 100644
(h->interrupts_enabled == 0));
}
-@@ -3486,7 +3488,7 @@ static inline u32 next_command(ctlr_info_t *h)
+@@ -3486,7 +3487,7 @@ static inline u32 next_command(ctlr_info_t *h)
u32 a;
if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
@@ -31949,7 +31948,7 @@ index d3446f6..12de1df 100644
if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
a = *(h->reply_pool_head); /* Next cmd in ring buffer */
-@@ -4044,7 +4046,7 @@ static void __devinit cciss_put_controller_into_performant_mode(ctlr_info_t *h)
+@@ -4044,7 +4045,7 @@ static void __devinit cciss_put_controller_into_performant_mode(ctlr_info_t *h)
trans_support & CFGTBL_Trans_use_short_tags);
/* Change the access methods to the performant access methods */
@@ -31958,7 +31957,7 @@ index d3446f6..12de1df 100644
h->transMethod = CFGTBL_Trans_Performant;
return;
-@@ -4316,7 +4318,7 @@ static int __devinit cciss_pci_init(ctlr_info_t *h)
+@@ -4316,7 +4317,7 @@ static int __devinit cciss_pci_init(ctlr_info_t *h)
if (prod_index < 0)
return -ENODEV;
h->product_name = products[prod_index].product_name;
@@ -31967,7 +31966,7 @@ index d3446f6..12de1df 100644
if (cciss_board_disabled(h)) {
dev_warn(&h->pdev->dev, "controller appears to be disabled\n");
-@@ -5041,7 +5043,7 @@ reinit_after_soft_reset:
+@@ -5041,7 +5042,7 @@ reinit_after_soft_reset:
}
/* make sure the board interrupts are off */
@@ -31976,7 +31975,7 @@ index d3446f6..12de1df 100644
rc = cciss_request_irq(h, do_cciss_msix_intr, do_cciss_intx);
if (rc)
goto clean2;
-@@ -5093,7 +5095,7 @@ reinit_after_soft_reset:
+@@ -5093,7 +5094,7 @@ reinit_after_soft_reset:
* fake ones to scoop up any residual completions.
*/
spin_lock_irqsave(&h->lock, flags);
@@ -31985,7 +31984,7 @@ index d3446f6..12de1df 100644
spin_unlock_irqrestore(&h->lock, flags);
free_irq(h->intr[h->intr_mode], h);
rc = cciss_request_irq(h, cciss_msix_discard_completions,
-@@ -5113,9 +5115,9 @@ reinit_after_soft_reset:
+@@ -5113,9 +5114,9 @@ reinit_after_soft_reset:
dev_info(&h->pdev->dev, "Board READY.\n");
dev_info(&h->pdev->dev,
"Waiting for stale completions to drain.\n");
@@ -31997,7 +31996,7 @@ index d3446f6..12de1df 100644
rc = controller_reset_failed(h->cfgtable);
if (rc)
-@@ -5138,7 +5140,7 @@ reinit_after_soft_reset:
+@@ -5138,7 +5139,7 @@ reinit_after_soft_reset:
cciss_scsi_setup(h);
/* Turn the interrupts on so we can service requests */
@@ -32006,7 +32005,7 @@ index d3446f6..12de1df 100644
/* Get the firmware version */
inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL);
-@@ -5211,7 +5213,7 @@ static void cciss_shutdown(struct pci_dev *pdev)
+@@ -5211,7 +5212,7 @@ static void cciss_shutdown(struct pci_dev *pdev)
kfree(flush_buf);
if (return_code != IO_OK)
dev_warn(&h->pdev->dev, "Error flushing cache\n");
@@ -49227,7 +49226,7 @@ index a6395bd..f1e376a 100644
(unsigned long) create_aout_tables((char __user *) bprm->p, bprm);
#ifdef __alpha__
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 8dd615c..0d06360 100644
+index 8dd615c..65b7958 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -32,6 +32,7 @@
@@ -49381,7 +49380,26 @@ index 8dd615c..0d06360 100644
error = -ENOMEM;
goto out_close;
}
-@@ -528,6 +557,315 @@ out:
+@@ -513,11 +542,13 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
+ elf_bss = ELF_PAGESTART(elf_bss + ELF_MIN_ALIGN - 1);
+
+ /* Map the last of the bss segment */
+- down_write(¤t->mm->mmap_sem);
+- error = do_brk(elf_bss, last_bss - elf_bss);
+- up_write(¤t->mm->mmap_sem);
+- if (BAD_ADDR(error))
+- goto out_close;
++ if (last_bss > elf_bss) {
++ down_write(¤t->mm->mmap_sem);
++ error = do_brk(elf_bss, last_bss - elf_bss);
++ up_write(¤t->mm->mmap_sem);
++ if (BAD_ADDR(error))
++ goto out_close;
++ }
+ }
+
+ error = load_addr;
+@@ -528,6 +559,315 @@ out:
return error;
}
@@ -49697,7 +49715,7 @@ index 8dd615c..0d06360 100644
/*
* These are the functions used to load ELF style executables and shared
* libraries. There is no binary dependent code anywhere else.
-@@ -544,6 +882,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
+@@ -544,6 +884,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
{
unsigned int random_variable = 0;
@@ -49709,7 +49727,7 @@ index 8dd615c..0d06360 100644
if ((current->flags & PF_RANDOMIZE) &&
!(current->personality & ADDR_NO_RANDOMIZE)) {
random_variable = get_random_int() & STACK_RND_MASK;
-@@ -562,7 +905,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -562,7 +907,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
unsigned long load_addr = 0, load_bias = 0;
int load_addr_set = 0;
char * elf_interpreter = NULL;
@@ -49718,7 +49736,7 @@ index 8dd615c..0d06360 100644
struct elf_phdr *elf_ppnt, *elf_phdata;
unsigned long elf_bss, elf_brk;
int retval, i;
-@@ -572,11 +915,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -572,11 +917,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
unsigned long start_code, end_code, start_data, end_data;
unsigned long reloc_func_desc __maybe_unused = 0;
int executable_stack = EXSTACK_DEFAULT;
@@ -49731,7 +49749,7 @@ index 8dd615c..0d06360 100644
loc = kmalloc(sizeof(*loc), GFP_KERNEL);
if (!loc) {
-@@ -713,11 +1056,81 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -713,11 +1058,81 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
/* OK, This is the point of no return */
current->flags &= ~PF_FORKNOEXEC;
@@ -49814,7 +49832,7 @@ index 8dd615c..0d06360 100644
if (elf_read_implies_exec(loc->elf_ex, executable_stack))
current->personality |= READ_IMPLIES_EXEC;
-@@ -808,6 +1221,20 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -808,6 +1223,20 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
#else
load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
#endif
@@ -49835,7 +49853,7 @@ index 8dd615c..0d06360 100644
}
error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
-@@ -840,9 +1267,9 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -840,9 +1269,9 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
* allowed task size. Note that p_filesz must always be
* <= p_memsz so it is only necessary to check p_memsz.
*/
@@ -49848,7 +49866,7 @@ index 8dd615c..0d06360 100644
/* set_brk can never work. Avoid overflows. */
send_sig(SIGKILL, current, 0);
retval = -EINVAL;
-@@ -881,17 +1308,44 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -881,17 +1310,44 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
goto out_free_dentry;
}
if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
@@ -49899,7 +49917,7 @@ index 8dd615c..0d06360 100644
load_bias);
if (!IS_ERR((void *)elf_entry)) {
/*
-@@ -1098,7 +1552,7 @@ out:
+@@ -1098,7 +1554,7 @@ out:
* Decide what to dump of a segment, part, all or none.
*/
static unsigned long vma_dump_size(struct vm_area_struct *vma,
@@ -49908,7 +49926,7 @@ index 8dd615c..0d06360 100644
{
#define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
-@@ -1132,7 +1586,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
+@@ -1132,7 +1588,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
if (vma->vm_file == NULL)
return 0;
@@ -49917,7 +49935,7 @@ index 8dd615c..0d06360 100644
goto whole;
/*
-@@ -1354,9 +1808,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
+@@ -1354,9 +1810,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
{
elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
int i = 0;
@@ -49929,7 +49947,7 @@ index 8dd615c..0d06360 100644
fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
}
-@@ -1851,14 +2305,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
+@@ -1851,14 +2307,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
}
static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
@@ -49946,7 +49964,7 @@ index 8dd615c..0d06360 100644
return size;
}
-@@ -1952,7 +2406,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -1952,7 +2408,7 @@ static int elf_core_dump(struct coredump_params *cprm)
dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
@@ -49955,7 +49973,7 @@ index 8dd615c..0d06360 100644
offset += elf_core_extra_data_size();
e_shoff = offset;
-@@ -1966,10 +2420,12 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -1966,10 +2422,12 @@ static int elf_core_dump(struct coredump_params *cprm)
offset = dataoff;
size += sizeof(*elf);
@@ -49968,7 +49986,7 @@ index 8dd615c..0d06360 100644
if (size > cprm->limit
|| !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
goto end_coredump;
-@@ -1983,7 +2439,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -1983,7 +2441,7 @@ static int elf_core_dump(struct coredump_params *cprm)
phdr.p_offset = offset;
phdr.p_vaddr = vma->vm_start;
phdr.p_paddr = 0;
@@ -49977,7 +49995,7 @@ index 8dd615c..0d06360 100644
phdr.p_memsz = vma->vm_end - vma->vm_start;
offset += phdr.p_filesz;
phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
-@@ -1994,6 +2450,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -1994,6 +2452,7 @@ static int elf_core_dump(struct coredump_params *cprm)
phdr.p_align = ELF_EXEC_PAGESIZE;
size += sizeof(phdr);
@@ -49985,7 +50003,7 @@ index 8dd615c..0d06360 100644
if (size > cprm->limit
|| !dump_write(cprm->file, &phdr, sizeof(phdr)))
goto end_coredump;
-@@ -2018,7 +2475,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2018,7 +2477,7 @@ static int elf_core_dump(struct coredump_params *cprm)
unsigned long addr;
unsigned long end;
@@ -49994,7 +50012,7 @@ index 8dd615c..0d06360 100644
for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
struct page *page;
-@@ -2027,6 +2484,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2027,6 +2486,7 @@ static int elf_core_dump(struct coredump_params *cprm)
page = get_dump_page(addr);
if (page) {
void *kaddr = kmap(page);
@@ -50002,7 +50020,7 @@ index 8dd615c..0d06360 100644
stop = ((size += PAGE_SIZE) > cprm->limit) ||
!dump_write(cprm->file, kaddr,
PAGE_SIZE);
-@@ -2044,6 +2502,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2044,6 +2504,7 @@ static int elf_core_dump(struct coredump_params *cprm)
if (e_phnum == PN_XNUM) {
size += sizeof(*shdr4extnum);
@@ -50010,7 +50028,7 @@ index 8dd615c..0d06360 100644
if (size > cprm->limit
|| !dump_write(cprm->file, shdr4extnum,
sizeof(*shdr4extnum)))
-@@ -2064,6 +2523,167 @@ out:
+@@ -2064,6 +2525,167 @@ out:
#endif /* CONFIG_ELF_CORE */
@@ -65286,10 +65304,10 @@ index 0000000..b20f6e9
+}
diff --git a/grsecurity/gracl_ip.c b/grsecurity/gracl_ip.c
new file mode 100644
-index 0000000..db7cc23
+index 0000000..35f8064
--- /dev/null
+++ b/grsecurity/gracl_ip.c
-@@ -0,0 +1,387 @@
+@@ -0,0 +1,386 @@
+#include <linux/kernel.h>
+#include <asm/uaccess.h>
+#include <asm/errno.h>
@@ -65381,6 +65399,8 @@ index 0000000..db7cc23
+ return gr_sockfamilies[family];
+}
+
++extern const struct net_proto_family __rcu *net_families[NPROTO] __read_mostly;
++
+int
+gr_search_socket(const int domain, const int type, const int protocol)
+{
@@ -65460,10 +65480,7 @@ index 0000000..db7cc23
+ if (domain == PF_INET)
+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
-+ else
-+#ifndef CONFIG_IPV6
-+ if (domain != PF_INET6)
-+#endif
++ else if (rcu_access_pointer(net_families[domain]) != NULL)
+ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
+ gr_socktype_to_name(type), protocol);
+
@@ -71192,7 +71209,7 @@ index 82924bf..1aa58e7 100644
int trace_set_clr_event(const char *system, const char *event, int set);
diff --git a/include/linux/genhd.h b/include/linux/genhd.h
-index 4eec461..84c73cf 100644
+index 4eec461..4ff5db5 100644
--- a/include/linux/genhd.h
+++ b/include/linux/genhd.h
@@ -185,7 +185,7 @@ struct gendisk {
@@ -71204,6 +71221,15 @@ index 4eec461..84c73cf 100644
struct disk_events *ev;
#ifdef CONFIG_BLK_DEV_INTEGRITY
struct blk_integrity *integrity;
+@@ -420,7 +420,7 @@ extern void disk_flush_events(struct gendisk *disk, unsigned int mask);
+ extern unsigned int disk_clear_events(struct gendisk *disk, unsigned int mask);
+
+ /* drivers/char/random.c */
+-extern void add_disk_randomness(struct gendisk *disk);
++extern void add_disk_randomness(struct gendisk *disk) __latent_entropy;
+ extern void rand_initialize_disk(struct gendisk *disk);
+
+ static inline sector_t get_start_sect(struct block_device *bdev)
diff --git a/include/linux/gfp.h b/include/linux/gfp.h
index 3a76faf..c0592c7 100644
--- a/include/linux/gfp.h
@@ -74058,10 +74084,10 @@ index 800f113..12c82ec 100644
}
diff --git a/include/linux/random.h b/include/linux/random.h
-index 29e217a..a2b27bc 100644
+index 29e217a..a76bcd0 100644
--- a/include/linux/random.h
+++ b/include/linux/random.h
-@@ -51,6 +51,16 @@ struct rnd_state {
+@@ -51,9 +51,19 @@ struct rnd_state {
extern void rand_initialize_irq(int irq);
extern void add_device_randomness(const void *, unsigned int);
@@ -74076,8 +74102,13 @@ index 29e217a..a2b27bc 100644
+}
+
extern void add_input_randomness(unsigned int type, unsigned int code,
- unsigned int value);
- extern void add_interrupt_randomness(int irq, int irq_flags);
+- unsigned int value);
+-extern void add_interrupt_randomness(int irq, int irq_flags);
++ unsigned int value) __latent_entropy;
++extern void add_interrupt_randomness(int irq, int irq_flags) __latent_entropy;
+
+ extern void get_random_bytes(void *buf, int nbytes);
+ extern void get_random_bytes_arch(void *buf, int nbytes);
@@ -71,12 +81,17 @@ void srandom32(u32 seed);
u32 prandom32(struct rnd_state *);
@@ -78651,7 +78682,7 @@ index 9b22d03..6295b62 100644
prev->next = info->next;
else
diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
-index 60f7e32..76ccd96 100644
+index 60f7e32..d703ad4 100644
--- a/kernel/hrtimer.c
+++ b/kernel/hrtimer.c
@@ -1414,7 +1414,7 @@ void hrtimer_peek_ahead_timers(void)
@@ -78659,7 +78690,7 @@ index 60f7e32..76ccd96 100644
}
-static void run_hrtimer_softirq(struct softirq_action *h)
-+static void run_hrtimer_softirq(void)
++static __latent_entropy void run_hrtimer_softirq(void)
{
struct hrtimer_cpu_base *cpu_base = &__get_cpu_var(hrtimer_bases);
@@ -80654,7 +80685,7 @@ index 67fedad..32d32a04 100644
}
diff --git a/kernel/rcutiny.c b/kernel/rcutiny.c
-index 636af6d..8af70ab 100644
+index 636af6d..90b936f 100644
--- a/kernel/rcutiny.c
+++ b/kernel/rcutiny.c
@@ -46,7 +46,7 @@
@@ -80671,7 +80702,7 @@ index 636af6d..8af70ab 100644
}
-static void rcu_process_callbacks(struct softirq_action *unused)
-+static void rcu_process_callbacks(void)
++static __latent_entropy void rcu_process_callbacks(void)
{
__rcu_process_callbacks(&rcu_sched_ctrlblk);
__rcu_process_callbacks(&rcu_bh_ctrlblk);
@@ -80853,7 +80884,7 @@ index 764825c..3aa6ac4 100644
for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
per_cpu(rcu_torture_count, cpu)[i] = 0;
diff --git a/kernel/rcutree.c b/kernel/rcutree.c
-index 1aa52af..f2b89e8 100644
+index 1aa52af..d2875ad 100644
--- a/kernel/rcutree.c
+++ b/kernel/rcutree.c
@@ -369,9 +369,9 @@ void rcu_enter_nohz(void)
@@ -80934,7 +80965,7 @@ index 1aa52af..f2b89e8 100644
* Do RCU core processing for the current CPU.
*/
-static void rcu_process_callbacks(struct softirq_action *unused)
-+static void rcu_process_callbacks(void)
++static __latent_entropy void rcu_process_callbacks(void)
{
trace_rcu_utilization("Start RCU core");
__rcu_process_callbacks(&rcu_sched_state,
@@ -81369,7 +81400,7 @@ index f280df1..da1281d 100644
#ifdef CONFIG_RT_GROUP_SCHED
/*
diff --git a/kernel/sched_fair.c b/kernel/sched_fair.c
-index 59474c5..490e67f 100644
+index 59474c5..efcae8d 100644
--- a/kernel/sched_fair.c
+++ b/kernel/sched_fair.c
@@ -4801,7 +4801,7 @@ static void nohz_idle_balance(int this_cpu, enum cpu_idle_type idle) { }
@@ -81377,7 +81408,7 @@ index 59474c5..490e67f 100644
* Also triggered for nohz idle balancing (with nohz_balancing_kick set).
*/
-static void run_rebalance_domains(struct softirq_action *h)
-+static void run_rebalance_domains(void)
++static __latent_entropy void run_rebalance_domains(void)
{
int this_cpu = smp_processor_id();
struct rq *this_rq = cpu_rq(this_cpu);
@@ -81549,7 +81580,7 @@ index 9e800b2..1533ba5 100644
raw_spin_unlock_irq(&call_function.lock);
}
diff --git a/kernel/softirq.c b/kernel/softirq.c
-index 2c71d91..f6c64a4 100644
+index 2c71d91..6b690a4 100644
--- a/kernel/softirq.c
+++ b/kernel/softirq.c
@@ -52,11 +52,11 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned;
@@ -81589,7 +81620,7 @@ index 2c71d91..f6c64a4 100644
EXPORT_SYMBOL(__tasklet_hi_schedule_first);
-static void tasklet_action(struct softirq_action *a)
-+static void tasklet_action(void)
++static __latent_entropy void tasklet_action(void)
{
struct tasklet_struct *list;
@@ -81598,7 +81629,7 @@ index 2c71d91..f6c64a4 100644
}
-static void tasklet_hi_action(struct softirq_action *a)
-+static void tasklet_hi_action(void)
++static __latent_entropy void tasklet_hi_action(void)
{
struct tasklet_struct *list;
@@ -82468,7 +82499,7 @@ index 0b537f2..40d6c20 100644
return -ENOMEM;
return 0;
diff --git a/kernel/timer.c b/kernel/timer.c
-index f8b05a4..9769e5b 100644
+index f8b05a4..ece06b3 100644
--- a/kernel/timer.c
+++ b/kernel/timer.c
@@ -1308,7 +1308,7 @@ void update_process_times(int user_tick)
@@ -82476,7 +82507,7 @@ index f8b05a4..9769e5b 100644
* This function runs timers and the timer-tq in bottom half context.
*/
-static void run_timer_softirq(struct softirq_action *h)
-+static void run_timer_softirq(void)
++static __latent_entropy void run_timer_softirq(void)
{
struct tvec_base *base = __this_cpu_read(tvec_bases);
@@ -85175,7 +85206,7 @@ index 09d6a9d..c514c22 100644
err = -EPERM;
goto out;
diff --git a/mm/mlock.c b/mm/mlock.c
-index 4f4f53b..02d443a 100644
+index 4f4f53b..dbc8aec 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -13,6 +13,7 @@
@@ -85225,7 +85256,7 @@ index 4f4f53b..02d443a 100644
if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
error = do_mlock(start, len, 1);
up_write(¤t->mm->mmap_sem);
-@@ -523,17 +533,22 @@ SYSCALL_DEFINE2(munlock, unsigned long, start, size_t, len)
+@@ -523,23 +533,29 @@ SYSCALL_DEFINE2(munlock, unsigned long, start, size_t, len)
static int do_mlockall(int flags)
{
struct vm_area_struct * vma, * prev = NULL;
@@ -85251,7 +85282,14 @@ index 4f4f53b..02d443a 100644
newflags = vma->vm_flags | VM_LOCKED;
if (!(flags & MCL_CURRENT))
newflags &= ~VM_LOCKED;
-@@ -566,6 +581,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
+
+ /* Ignore errors */
+ mlock_fixup(vma, &prev, vma->vm_start, vma->vm_end, newflags);
++ cond_resched();
+ }
+ out:
+ return 0;
+@@ -566,6 +582,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
lock_limit >>= PAGE_SHIFT;
ret = -ENOMEM;
@@ -89880,7 +89918,7 @@ index 68bbf9f..5ef0d12 100644
return err;
diff --git a/net/core/dev.c b/net/core/dev.c
-index 8e455b8..0e05f5f 100644
+index 8e455b8..4ebd90f 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1142,10 +1142,14 @@ void dev_load(struct net *net, const char *name)
@@ -89939,7 +89977,7 @@ index 8e455b8..0e05f5f 100644
EXPORT_SYMBOL(netif_rx_ni);
-static void net_tx_action(struct softirq_action *h)
-+static void net_tx_action(void)
++static __latent_entropy void net_tx_action(void)
{
struct softnet_data *sd = &__get_cpu_var(softnet_data);
@@ -89957,7 +89995,7 @@ index 8e455b8..0e05f5f 100644
EXPORT_SYMBOL(netif_napi_del);
-static void net_rx_action(struct softirq_action *h)
-+static void net_rx_action(void)
++static __latent_entropy void net_rx_action(void)
{
struct softnet_data *sd = &__get_cpu_var(softnet_data);
unsigned long time_limit = jiffies + 2;
@@ -92001,7 +92039,7 @@ index 1567fb1..29af910 100644
dst = NULL;
}
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
-index db60043..33181b7 100644
+index db60043..7f8a2c1 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -600,8 +600,8 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
@@ -92033,6 +92071,92 @@ index db60043..33181b7 100644
}
int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
+@@ -1125,6 +1122,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
+ * udp datagram
+ */
+ if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) {
++ struct frag_hdr fhdr;
++
+ skb = sock_alloc_send_skb(sk,
+ hh_len + fragheaderlen + transhdrlen + 20,
+ (flags & MSG_DONTWAIT), &err);
+@@ -1145,12 +1144,6 @@ static inline int ip6_ufo_append_data(struct sock *sk,
+
+ skb->ip_summed = CHECKSUM_PARTIAL;
+ skb->csum = 0;
+- }
+-
+- err = skb_append_datato_frags(sk,skb, getfrag, from,
+- (length - transhdrlen));
+- if (!err) {
+- struct frag_hdr fhdr;
+
+ /* Specify the length of each IPv6 datagram fragment.
+ * It has to be a multiple of 8.
+@@ -1161,15 +1154,10 @@ static inline int ip6_ufo_append_data(struct sock *sk,
+ ipv6_select_ident(&fhdr, rt);
+ skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
+ __skb_queue_tail(&sk->sk_write_queue, skb);
+-
+- return 0;
+ }
+- /* There is not enough support do UPD LSO,
+- * so follow normal path
+- */
+- kfree_skb(skb);
+
+- return err;
++ return skb_append_datato_frags(sk, skb, getfrag, from,
++ (length - transhdrlen));
+ }
+
+ static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src,
+@@ -1342,27 +1330,27 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
+ * --yoshfuji
+ */
+
++ if ((length > mtu) && dontfrag && (sk->sk_protocol == IPPROTO_UDP ||
++ sk->sk_protocol == IPPROTO_RAW)) {
++ ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
++ return -EMSGSIZE;
++ }
++
++ skb = skb_peek_tail(&sk->sk_write_queue);
+ cork->length += length;
+- if (length > mtu) {
+- int proto = sk->sk_protocol;
+- if (dontfrag && (proto == IPPROTO_UDP || proto == IPPROTO_RAW)){
+- ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
+- return -EMSGSIZE;
+- }
+-
+- if (proto == IPPROTO_UDP &&
+- (rt->dst.dev->features & NETIF_F_UFO)) {
+-
+- err = ip6_ufo_append_data(sk, getfrag, from, length,
+- hh_len, fragheaderlen,
+- transhdrlen, mtu, flags, rt);
+- if (err)
+- goto error;
+- return 0;
+- }
++ if (((length > mtu) ||
++ (skb && skb_is_gso(skb))) &&
++ (sk->sk_protocol == IPPROTO_UDP) &&
++ (rt->dst.dev->features & NETIF_F_UFO)) {
++ err = ip6_ufo_append_data(sk, getfrag, from, length,
++ hh_len, fragheaderlen,
++ transhdrlen, mtu, flags, rt);
++ if (err)
++ goto error;
++ return 0;
+ }
+
+- if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL)
++ if (!skb)
+ goto alloc_new_skb;
+
+ while (length > 0) {
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index b204df8..8f274f4 100644
--- a/net/ipv6/ipv6_sockglue.c
@@ -94607,7 +94731,7 @@ index 8da4481..d02565e 100644
+ (rtt >> sctp_rto_alpha);
} else {
diff --git a/net/socket.c b/net/socket.c
-index cf546a3..f7c6c75 100644
+index cf546a3..a9b550f 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -88,6 +88,7 @@
@@ -94627,6 +94751,15 @@ index cf546a3..f7c6c75 100644
static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
unsigned long nr_segs, loff_t pos);
+@@ -156,7 +159,7 @@ static const struct file_operations socket_file_ops = {
+ */
+
+ static DEFINE_SPINLOCK(net_family_lock);
+-static const struct net_proto_family __rcu *net_families[NPROTO] __read_mostly;
++const struct net_proto_family __rcu *net_families[NPROTO] __read_mostly;
+
+ /*
+ * Statistics counters of the socket lists
@@ -321,7 +324,7 @@ static struct dentry *sockfs_mount(struct file_system_type *fs_type,
&sockfs_dentry_operations, SOCKFS_MAGIC);
}
@@ -94645,24 +94778,28 @@ index cf546a3..f7c6c75 100644
/* Compatibility.
-@@ -1319,6 +1324,16 @@ SYSCALL_DEFINE3(socket, int, family, int, type, int, protocol)
- if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
- flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
+@@ -1207,6 +1212,20 @@ int __sock_create(struct net *net, int family, int type, int protocol,
+ if (err)
+ return err;
-+ if(!gr_search_socket(family, type, protocol)) {
-+ retval = -EACCES;
-+ goto out;
++ if(!kern && !gr_search_socket(family, type, protocol)) {
++ if (rcu_access_pointer(net_families[family]) == NULL)
++ return -EAFNOSUPPORT;
++ else
++ return -EACCES;
+ }
+
-+ if (gr_handle_sock_all(family, type, protocol)) {
-+ retval = -EACCES;
-+ goto out;
++ if (!kern && gr_handle_sock_all(family, type, protocol)) {
++ if (rcu_access_pointer(net_families[family]) == NULL)
++ return -EAFNOSUPPORT;
++ else
++ return -EACCES;
+ }
+
- retval = sock_create(family, type, protocol, &sock);
- if (retval < 0)
- goto out;
-@@ -1431,6 +1446,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
+ /*
+ * Allocate the socket and allow the family to set things up. if
+ * the protocol is 0, the family is instructed to select an appropriate
+@@ -1431,6 +1450,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
if (sock) {
err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
if (err >= 0) {
@@ -94677,7 +94814,7 @@ index cf546a3..f7c6c75 100644
err = security_socket_bind(sock,
(struct sockaddr *)&address,
addrlen);
-@@ -1439,6 +1462,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
+@@ -1439,6 +1466,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
(struct sockaddr *)
&address, addrlen);
}
@@ -94685,7 +94822,7 @@ index cf546a3..f7c6c75 100644
fput_light(sock->file, fput_needed);
}
return err;
-@@ -1462,10 +1486,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog)
+@@ -1462,10 +1490,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog)
if ((unsigned)backlog > somaxconn)
backlog = somaxconn;
@@ -94706,7 +94843,7 @@ index cf546a3..f7c6c75 100644
fput_light(sock->file, fput_needed);
}
return err;
-@@ -1509,6 +1543,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
+@@ -1509,6 +1547,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
newsock->type = sock->type;
newsock->ops = sock->ops;
@@ -94725,7 +94862,7 @@ index cf546a3..f7c6c75 100644
/*
* We don't need try_module_get here, as the listening socket (sock)
* has the protocol module (sock->ops->owner) held.
-@@ -1547,6 +1593,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
+@@ -1547,6 +1597,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
fd_install(newfd, newfile);
err = newfd;
@@ -94734,7 +94871,7 @@ index cf546a3..f7c6c75 100644
out_put:
fput_light(sock->file, fput_needed);
out:
-@@ -1579,6 +1627,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
+@@ -1579,6 +1631,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
int, addrlen)
{
struct socket *sock;
@@ -94742,7 +94879,7 @@ index cf546a3..f7c6c75 100644
struct sockaddr_storage address;
int err, fput_needed;
-@@ -1589,6 +1638,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
+@@ -1589,6 +1642,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
if (err < 0)
goto out_put;
@@ -94760,7 +94897,7 @@ index cf546a3..f7c6c75 100644
err =
security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
if (err)
-@@ -1670,6 +1730,8 @@ SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr,
+@@ -1670,6 +1734,8 @@ SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr,
* the protocol.
*/
@@ -94769,7 +94906,7 @@ index cf546a3..f7c6c75 100644
SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
unsigned, flags, struct sockaddr __user *, addr,
int, addr_len)
-@@ -1736,7 +1798,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
+@@ -1736,7 +1802,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
struct socket *sock;
struct iovec iov;
struct msghdr msg;
@@ -94778,7 +94915,7 @@ index cf546a3..f7c6c75 100644
int err, err2;
int fput_needed;
-@@ -1950,7 +2012,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -1950,7 +2016,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
* checking falls down on this.
*/
if (copy_from_user(ctl_buf,
@@ -94787,7 +94924,7 @@ index cf546a3..f7c6c75 100644
ctl_len))
goto out_freectl;
msg_sys->msg_control = ctl_buf;
-@@ -2101,7 +2163,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2101,7 +2167,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
int err, iov_size, total_len, len;
/* kernel mode address */
@@ -94796,7 +94933,7 @@ index cf546a3..f7c6c75 100644
/* user mode address pointers */
struct sockaddr __user *uaddr;
-@@ -2131,7 +2193,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2131,7 +2197,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
* kernel msghdr to use the kernel address space)
*/
@@ -94805,7 +94942,7 @@ index cf546a3..f7c6c75 100644
uaddr_len = COMPAT_NAMELEN(msg);
if (MSG_CMSG_COMPAT & flags) {
err = verify_compat_iovec(msg_sys, iov,
-@@ -2772,7 +2834,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
+@@ -2772,7 +2838,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
}
ifr = compat_alloc_user_space(buf_size);
@@ -94814,7 +94951,7 @@ index cf546a3..f7c6c75 100644
if (copy_in_user(&ifr->ifr_name, &ifr32->ifr_name, IFNAMSIZ))
return -EFAULT;
-@@ -2796,12 +2858,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
+@@ -2796,12 +2862,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
offsetof(struct ethtool_rxnfc, fs.ring_cookie));
if (copy_in_user(rxnfc, compat_rxnfc,
@@ -94831,7 +94968,7 @@ index cf546a3..f7c6c75 100644
copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt,
sizeof(rxnfc->rule_cnt)))
return -EFAULT;
-@@ -2813,12 +2875,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
+@@ -2813,12 +2879,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
if (convert_out) {
if (copy_in_user(compat_rxnfc, rxnfc,
@@ -94848,7 +94985,7 @@ index cf546a3..f7c6c75 100644
copy_in_user(&compat_rxnfc->rule_cnt, &rxnfc->rule_cnt,
sizeof(rxnfc->rule_cnt)))
return -EFAULT;
-@@ -2888,7 +2950,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
+@@ -2888,7 +2954,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
err = dev_ioctl(net, cmd,
@@ -94857,7 +94994,7 @@ index cf546a3..f7c6c75 100644
set_fs(old_fs);
return err;
-@@ -2997,7 +3059,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
+@@ -2997,7 +3063,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -94866,7 +95003,7 @@ index cf546a3..f7c6c75 100644
set_fs(old_fs);
if (cmd == SIOCGIFMAP && !err) {
-@@ -3102,7 +3164,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
+@@ -3102,7 +3168,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
ret |= __get_user(rtdev, &(ur4->rt_dev));
if (rtdev) {
ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
@@ -94875,7 +95012,7 @@ index cf546a3..f7c6c75 100644
devname[15] = 0;
} else
r4.rt_dev = NULL;
-@@ -3342,8 +3404,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
+@@ -3342,8 +3408,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
int __user *uoptlen;
int err;
@@ -94886,7 +95023,7 @@ index cf546a3..f7c6c75 100644
set_fs(KERNEL_DS);
if (level == SOL_SOCKET)
-@@ -3363,7 +3425,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
+@@ -3363,7 +3429,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
char __user *uoptval;
int err;
@@ -101206,7 +101343,7 @@ index 0000000..698da67
+}
diff --git a/tools/gcc/latent_entropy_plugin.c b/tools/gcc/latent_entropy_plugin.c
new file mode 100644
-index 0000000..2ef6fd9
+index 0000000..cd6c242
--- /dev/null
+++ b/tools/gcc/latent_entropy_plugin.c
@@ -0,0 +1,321 @@
@@ -101502,7 +101639,7 @@ index 0000000..2ef6fd9
+ TREE_THIS_VOLATILE(latent_entropy_decl) = 1;
+ DECL_EXTERNAL(latent_entropy_decl) = 1;
+ DECL_ARTIFICIAL(latent_entropy_decl) = 1;
-+ DECL_INITIAL(latent_entropy_decl) = NULL;
++ DECL_INITIAL(latent_entropy_decl) = build_int_cstu(long_long_unsigned_type_node, get_random_const());
+ lang_hooks.decls.pushdecl(latent_entropy_decl);
+// DECL_ASSEMBLER_NAME(latent_entropy_decl);
+// varpool_finalize_decl(latent_entropy_decl);
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2013-09-29 19:12 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-09-29 19:12 [gentoo-commits] proj/hardened-patchset:master commit in: 3.2.51/, 3.11.2/, 2.6.32/, 3.11.1/ Anthony G. Basile
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox