* [gentoo-commits] proj/hardened-patchset:master commit in: 4.2.6/
@ 2015-11-13 11:51 Anthony G. Basile
From: Anthony G. Basile @ 2015-11-13 11:51 UTC (permalink / raw
  To: gentoo-commits

commit:     ef4e6b9ae3aaf03c60f72e1e507df27fe3dce242
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Fri Nov 13 11:55:00 2015 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Fri Nov 13 11:55:00 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=ef4e6b9a

grsecurity-3.1-4.2.6-201511122040

 4.2.6/0000_README                                  |   2 +-
 ...> 4420_grsecurity-3.1-4.2.6-201511122040.patch} | 247 ++++++++++++++++-----
 2 files changed, 188 insertions(+), 61 deletions(-)

diff --git a/4.2.6/0000_README b/4.2.6/0000_README
index 235ce67..9993992 100644
--- a/4.2.6/0000_README
+++ b/4.2.6/0000_README
@@ -6,7 +6,7 @@ Patch:	1005_linux-4.2.6.patch
 From:	http://www.kernel.org
 Desc:	Linux 4.2.6
 
-Patch:	4420_grsecurity-3.1-4.2.6-201511092040.patch
+Patch:	4420_grsecurity-3.1-4.2.6-201511122040.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/4.2.6/4420_grsecurity-3.1-4.2.6-201511092040.patch b/4.2.6/4420_grsecurity-3.1-4.2.6-201511122040.patch
similarity index 99%
rename from 4.2.6/4420_grsecurity-3.1-4.2.6-201511092040.patch
rename to 4.2.6/4420_grsecurity-3.1-4.2.6-201511122040.patch
index e91c83d..2f80639 100644
--- a/4.2.6/4420_grsecurity-3.1-4.2.6-201511092040.patch
+++ b/4.2.6/4420_grsecurity-3.1-4.2.6-201511122040.patch
@@ -23000,6 +23000,18 @@ index 0f457e6..5970c0a 100644
  #define BIOS_END		0x00100000
  
  #define BIOS_ROM_BASE		0xffe00000
+diff --git a/arch/x86/include/uapi/asm/svm.h b/arch/x86/include/uapi/asm/svm.h
+index b5d7640..8a4add8 100644
+--- a/arch/x86/include/uapi/asm/svm.h
++++ b/arch/x86/include/uapi/asm/svm.h
+@@ -100,6 +100,7 @@
+ 	{ SVM_EXIT_EXCP_BASE + UD_VECTOR,       "UD excp" }, \
+ 	{ SVM_EXIT_EXCP_BASE + PF_VECTOR,       "PF excp" }, \
+ 	{ SVM_EXIT_EXCP_BASE + NM_VECTOR,       "NM excp" }, \
++	{ SVM_EXIT_EXCP_BASE + AC_VECTOR,       "AC excp" }, \
+ 	{ SVM_EXIT_EXCP_BASE + MC_VECTOR,       "MC excp" }, \
+ 	{ SVM_EXIT_INTR,        "interrupt" }, \
+ 	{ SVM_EXIT_NMI,         "nmi" }, \
 diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
 index 0f15af4..501a76a 100644
 --- a/arch/x86/kernel/Makefile
@@ -29920,10 +29932,70 @@ index 0f67d7e..4b9fa11 100644
  			goto error;
  		walker->ptep_user[walker->level - 1] = ptep_user;
 diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 2d32b67..2cd298b 100644
+index 2d32b67..06cac10 100644
 --- a/arch/x86/kvm/svm.c
 +++ b/arch/x86/kvm/svm.c
-@@ -3586,7 +3586,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
+@@ -1106,6 +1106,8 @@ static void init_vmcb(struct vcpu_svm *svm, bool init_event)
+ 	set_exception_intercept(svm, PF_VECTOR);
+ 	set_exception_intercept(svm, UD_VECTOR);
+ 	set_exception_intercept(svm, MC_VECTOR);
++	set_exception_intercept(svm, AC_VECTOR);
++	set_exception_intercept(svm, DB_VECTOR);
+ 
+ 	set_intercept(svm, INTERCEPT_INTR);
+ 	set_intercept(svm, INTERCEPT_NMI);
+@@ -1641,20 +1643,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
+ 	mark_dirty(svm->vmcb, VMCB_SEG);
+ }
+ 
+-static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
++static void update_bp_intercept(struct kvm_vcpu *vcpu)
+ {
+ 	struct vcpu_svm *svm = to_svm(vcpu);
+ 
+-	clr_exception_intercept(svm, DB_VECTOR);
+ 	clr_exception_intercept(svm, BP_VECTOR);
+ 
+-	if (svm->nmi_singlestep)
+-		set_exception_intercept(svm, DB_VECTOR);
+-
+ 	if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
+-		if (vcpu->guest_debug &
+-		    (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
+-			set_exception_intercept(svm, DB_VECTOR);
+ 		if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
+ 			set_exception_intercept(svm, BP_VECTOR);
+ 	} else
+@@ -1760,7 +1755,6 @@ static int db_interception(struct vcpu_svm *svm)
+ 		if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
+ 			svm->vmcb->save.rflags &=
+ 				~(X86_EFLAGS_TF | X86_EFLAGS_RF);
+-		update_db_bp_intercept(&svm->vcpu);
+ 	}
+ 
+ 	if (svm->vcpu.guest_debug &
+@@ -1795,6 +1789,12 @@ static int ud_interception(struct vcpu_svm *svm)
+ 	return 1;
+ }
+ 
++static int ac_interception(struct vcpu_svm *svm)
++{
++	kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0);
++	return 1;
++}
++
+ static void svm_fpu_activate(struct kvm_vcpu *vcpu)
+ {
+ 	struct vcpu_svm *svm = to_svm(vcpu);
+@@ -3369,6 +3369,7 @@ static int (*const svm_exit_handlers[])(struct vcpu_svm *svm) = {
+ 	[SVM_EXIT_EXCP_BASE + PF_VECTOR]	= pf_interception,
+ 	[SVM_EXIT_EXCP_BASE + NM_VECTOR]	= nm_interception,
+ 	[SVM_EXIT_EXCP_BASE + MC_VECTOR]	= mc_interception,
++	[SVM_EXIT_EXCP_BASE + AC_VECTOR]	= ac_interception,
+ 	[SVM_EXIT_INTR]				= intr_interception,
+ 	[SVM_EXIT_NMI]				= nmi_interception,
+ 	[SVM_EXIT_SMI]				= nop_on_interception,
+@@ -3586,7 +3587,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
  	int cpu = raw_smp_processor_id();
  
  	struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
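Review bot: `ac_interception()` and the two new unconditional `set_exception_intercept()` calls in `init_vmcb()` carry no comment saying why #AC and #DB are trapped only to be queued straight back into the guest, so a later cleanup could drop them as redundant. I would add above `ac_interception()` something like `/* #AC is always intercepted so its delivery passes through KVM; reflect it back to the guest unchanged. */` and a matching line beside the `DB_VECTOR` intercept. With `DB_VECTOR` now always intercepted, `db_interception()` has to reflect #DB to the guest when neither `nmi_singlestep` nor guest debugging is active; that part of the function is outside this hunk and should be confirmed. The helper is renamed to `update_bp_intercept` while the ops field it is assigned to later in the file is still `.update_db_bp_intercept`, which reads inconsistently.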
@@ -29935,6 +30007,14 @@ index 2d32b67..2cd298b 100644
  	load_TR_desc();
  }
  
+@@ -3752,7 +3757,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
+ 	 */
+ 	svm->nmi_singlestep = true;
+ 	svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
+-	update_db_bp_intercept(vcpu);
+ }
+ 
+ static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
 @@ -3982,6 +3986,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
  #endif
  #endif
@@ -29946,8 +30026,17 @@ index 2d32b67..2cd298b 100644
  	reload_tss(vcpu);
  
  	local_irq_disable();
+@@ -4374,7 +4382,7 @@ static struct kvm_x86_ops svm_x86_ops = {
+ 	.vcpu_load = svm_vcpu_load,
+ 	.vcpu_put = svm_vcpu_put,
+ 
+-	.update_db_bp_intercept = update_db_bp_intercept,
++	.update_db_bp_intercept = update_bp_intercept,
+ 	.get_msr = svm_get_msr,
+ 	.set_msr = svm_set_msr,
+ 	.get_segment_base = svm_get_segment_base,
 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index aa9e8229..ab09cc4 100644
+index aa9e8229..6223041 100644
 --- a/arch/x86/kvm/vmx.c
 +++ b/arch/x86/kvm/vmx.c
 @@ -1440,12 +1440,12 @@ static void vmcs_write64(unsigned long field, u64 value)
@@ -29965,6 +30054,15 @@ index aa9e8229..ab09cc4 100644
  {
  	vmcs_writel(field, vmcs_readl(field) | mask);
  }
+@@ -1567,7 +1567,7 @@ static void update_exception_bitmap(struct kvm_vcpu *vcpu)
+ 	u32 eb;
+ 
+ 	eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) |
+-	     (1u << NM_VECTOR) | (1u << DB_VECTOR);
++	     (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR);
+ 	if ((vcpu->guest_debug &
+ 	     (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) ==
+ 	    (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP))
 @@ -1705,7 +1705,11 @@ static void reload_tss(void)
  	struct desc_struct *descs;
  
@@ -30017,7 +30115,17 @@ index aa9e8229..ab09cc4 100644
  
  	rdmsr(MSR_IA32_SYSENTER_CS, low32, high32);
  	vmcs_write32(HOST_IA32_SYSENTER_CS, low32);
-@@ -6097,11 +6108,17 @@ static __init int hardware_setup(void)
+@@ -5118,6 +5129,9 @@ static int handle_exception(struct kvm_vcpu *vcpu)
+ 		return handle_rmode_exception(vcpu, ex_no, error_code);
+ 
+ 	switch (ex_no) {
++	case AC_VECTOR:
++		kvm_queue_exception_e(vcpu, AC_VECTOR, error_code);
++		return 1;
+ 	case DB_VECTOR:
+ 		dr6 = vmcs_readl(EXIT_QUALIFICATION);
+ 		if (!(vcpu->guest_debug &
+@@ -6097,11 +6111,17 @@ static __init int hardware_setup(void)
  	 * page upon invalidation.  No need to do anything if not
  	 * using the APIC_ACCESS_ADDR VMCS field.
  	 */
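Review bot: The new `case AC_VECTOR` in `handle_exception()` forwards the `error_code` local, while the SVM handler added in the same patch queues a literal `0`; the two back ends should agree, and a one-line comment should say which value is intended. If `error_code` is only filled in when the exit reports one (its assignment is outside this hunk), the VMX path may forward a default rather than a reported value, and `kvm_queue_exception_e(vcpu, AC_VECTOR, 0);` would match SVM. handle_exception's body starts and ends outside the hunk.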
@@ -30039,7 +30147,7 @@ index aa9e8229..ab09cc4 100644
  
  	if (enable_ept && !cpu_has_vmx_ept_2m_page())
  		kvm_disable_largepages();
-@@ -6112,14 +6129,16 @@ static __init int hardware_setup(void)
+@@ -6112,14 +6132,16 @@ static __init int hardware_setup(void)
  	if (!cpu_has_vmx_apicv())
  		enable_apicv = 0;
  
@@ -30061,7 +30169,7 @@ index aa9e8229..ab09cc4 100644
  
  	vmx_disable_intercept_for_msr(MSR_FS_BASE, false);
  	vmx_disable_intercept_for_msr(MSR_GS_BASE, false);
-@@ -6174,10 +6193,12 @@ static __init int hardware_setup(void)
+@@ -6174,10 +6196,12 @@ static __init int hardware_setup(void)
  		enable_pml = 0;
  
  	if (!enable_pml) {
@@ -30078,7 +30186,7 @@ index aa9e8229..ab09cc4 100644
  	}
  
  	return alloc_kvm_area();
-@@ -8380,6 +8401,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8380,6 +8404,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
  		"jmp 2f \n\t"
  		"1: " __ex(ASM_VMX_VMRESUME) "\n\t"
  		"2: "
@@ -30091,7 +30199,7 @@ index aa9e8229..ab09cc4 100644
  		/* Save guest registers, load host registers, keep flags */
  		"mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
  		"pop %0 \n\t"
-@@ -8432,6 +8459,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8432,6 +8462,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
  #endif
  		[cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
  		[wordsize]"i"(sizeof(ulong))
@@ -30103,7 +30211,7 @@ index aa9e8229..ab09cc4 100644
  	      : "cc", "memory"
  #ifdef CONFIG_X86_64
  		, "rax", "rbx", "rdi", "rsi"
-@@ -8445,7 +8477,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8445,7 +8480,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
  	if (debugctlmsr)
  		update_debugctlmsr(debugctlmsr);
  
@@ -30112,7 +30220,7 @@ index aa9e8229..ab09cc4 100644
  	/*
  	 * The sysexit path does not restore ds/es, so we must set them to
  	 * a reasonable value ourselves.
-@@ -8454,8 +8486,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8454,8 +8489,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
  	 * may be executed in interrupt context, which saves and restore segments
  	 * around it, nullifying its effect.
  	 */
@@ -51133,7 +51241,7 @@ index 332bb8a..e6adcd1 100644
  	u32 entry_offset, dump, no_entries, buf_offset = 0;
  	int i, k, ops_cnt, ops_index, dump_size = 0;
 diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
-index f790f61..f1faafe 100644
+index f790f61..cb663ef8 100644
 --- a/drivers/net/ethernet/realtek/r8169.c
 +++ b/drivers/net/ethernet/realtek/r8169.c
 @@ -788,22 +788,22 @@ struct rtl8169_private {
@@ -51163,6 +51271,16 @@ index f790f61..f1faafe 100644
  
  	int (*set_speed)(struct net_device *, u8 aneg, u16 sp, u8 dpx, u32 adv);
  	int (*get_settings)(struct net_device *, struct ethtool_cmd *);
+@@ -7361,6 +7361,9 @@ process_pkt:
+ 
+ 			rtl8169_rx_vlan_tag(desc, skb);
+ 
++			if (skb->pkt_type == PACKET_MULTICAST)
++				dev->stats.multicast++;
++
+ 			napi_gro_receive(&tp->napi, skb);
+ 
+ 			u64_stats_update_begin(&tp->rx_stats.syncp);
 diff --git a/drivers/net/ethernet/sfc/ptp.c b/drivers/net/ethernet/sfc/ptp.c
 index ad62615..a4c124d 100644
 --- a/drivers/net/ethernet/sfc/ptp.c
@@ -74473,7 +74591,7 @@ index 4c55668..eeae150 100644
  				fd_offset + ex.a_text);
  		if (error != N_DATADDR(ex))
 diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 6b65996..17bd3c4 100644
+index 6b65996..be797cf 100644
 --- a/fs/binfmt_elf.c
 +++ b/fs/binfmt_elf.c
 @@ -35,6 +35,7 @@
@@ -75007,6 +75125,32 @@ index 6b65996..17bd3c4 100644
  
  	loc = kmalloc(sizeof(*loc), GFP_KERNEL);
  	if (!loc) {
+@@ -759,16 +1127,16 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ 			 */
+ 			would_dump(bprm, interpreter);
+ 
+-			retval = kernel_read(interpreter, 0, bprm->buf,
+-					     BINPRM_BUF_SIZE);
+-			if (retval != BINPRM_BUF_SIZE) {
+-				if (retval >= 0)
+-					retval = -EIO;
+-				goto out_free_dentry;
+-			}
+-
+ 			/* Get the exec headers */
+-			loc->interp_elf_ex = *((struct elfhdr *)bprm->buf);
++			retval = kernel_read(interpreter, 0,
++					     (void *)&loc->interp_elf_ex,
++					     sizeof(loc->interp_elf_ex));
++			if (retval != sizeof(loc->interp_elf_ex)) {
++				if (retval >= 0)
++					retval = -EIO;
++				goto out_free_dentry;
++			}
++
+ 			break;
+ 		}
+ 		elf_ppnt++;
 @@ -840,6 +1208,77 @@ static int load_elf_binary(struct linux_binprm *bprm)
  	/* Do this immediately, since STACK_TOP as used in setup_arg_pages
  	   may depend on the personality.  */
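Review bot: The rewritten read in `load_elf_binary()` fills `loc->interp_elf_ex` directly, but the surviving comment `/* Get the exec headers */` does not say why `bprm->buf` is no longer the staging buffer. Going by the removed lines, the old code overwrote `bprm->buf` with the interpreter's first bytes, so presumably the intent is to leave the main executable's header there; I would record that, e.g. `/* Read the interpreter's ELF header straight into loc; bprm->buf must keep the main executable's header. */`. The `(void *)` cast on `&loc->interp_elf_ex` also hides the destination type from the compiler, and a cast to the exact parameter type of `kernel_read()` would be more precise. The function extends beyond the hunk on both sides.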
@@ -75549,50 +75693,6 @@ index b823fac..c5155de 100644
  			if (ret) {
  				btrfs_end_transaction(trans, root);
  				goto out;
-diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
-index b54e630..a1c76da 100644
---- a/fs/btrfs/inode.c
-+++ b/fs/btrfs/inode.c
-@@ -5632,6 +5632,7 @@ static int btrfs_real_readdir(struct file *file, struct dir_context *ctx)
- 	char *name_ptr;
- 	int name_len;
- 	int is_curr = 0;	/* ctx->pos points to the current index? */
-+	bool emitted;
- 
- 	/* FIXME, use a real flag for deciding about the key type */
- 	if (root->fs_info->tree_root == root)
-@@ -5660,6 +5661,7 @@ static int btrfs_real_readdir(struct file *file, struct dir_context *ctx)
- 	if (ret < 0)
- 		goto err;
- 
-+	emitted = false;
- 	while (1) {
- 		leaf = path->nodes[0];
- 		slot = path->slots[0];
-@@ -5739,6 +5741,7 @@ skip:
- 
- 			if (over)
- 				goto nopos;
-+			emitted = true;
- 			di_len = btrfs_dir_name_len(leaf, di) +
- 				 btrfs_dir_data_len(leaf, di) + sizeof(*di);
- 			di_cur += di_len;
-@@ -5756,6 +5759,15 @@ next:
- 			goto nopos;
- 	}
- 
-+	/*
-+	 * If we haven't emitted any dir entry, we must not touch ctx->pos as
-+	 * it was was set to the termination value in previous call. We assume
-+	 * that "." and ".." were emitted if we reach this point and set the
-+	 * termination value as well for an empty directory.
-+	 */
-+	if (ctx->pos > 2 && !emitted)
-+		goto nopos;
-+
- 	/* Reached end of directory/root. Bump pos past the last item. */
- 	ctx->pos++;
- 
 diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
 index cd7ef34..1e31ae3 100644
 --- a/fs/btrfs/super.c
@@ -76886,10 +76986,24 @@ index e3b44ca..e0d94f1 100644
  	dcache_init();
  	inode_init();
 diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
-index c711be8..23b8df9 100644
+index c711be8..79cf56b 100644
 --- a/fs/debugfs/inode.c
 +++ b/fs/debugfs/inode.c
-@@ -402,6 +402,10 @@ EXPORT_SYMBOL_GPL(debugfs_create_file_size);
+@@ -271,8 +271,12 @@ static struct dentry *start_creating(const char *name, struct dentry *parent)
+ 		dput(dentry);
+ 		dentry = ERR_PTR(-EEXIST);
+ 	}
+-	if (IS_ERR(dentry))
++
++	if (IS_ERR(dentry)) {
+ 		mutex_unlock(&d_inode(parent)->i_mutex);
++		simple_release_fs(&debugfs_mount, &debugfs_mount_count);
++	}
++
+ 	return dentry;
+ }
+ 
+@@ -402,6 +406,10 @@ EXPORT_SYMBOL_GPL(debugfs_create_file_size);
   * If debugfs is not enabled in the kernel, the value -%ENODEV will be
   * returned.
   */
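Review bot: The error path at the end of `start_creating()` now drops the filesystem pin as well as the parent's `i_mutex`, but nothing in the shown lines says which acquisition it balances; the top of the function is outside this hunk. A short comment such as `/* undo the pin taken at the start of this function; callers return early on IS_ERR() */` would make the pairing reviewable. It is also worth confirming that no caller passes an `IS_ERR` dentry on to `failed_creating()`, since a second release there would drop the mount count twice.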
@@ -76900,7 +77014,7 @@ index c711be8..23b8df9 100644
  struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
  {
  	struct dentry *dentry = start_creating(name, parent);
-@@ -414,7 +418,12 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
+@@ -414,7 +422,12 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
  	if (unlikely(!inode))
  		return failed_creating(dentry);
  
@@ -120073,6 +120187,19 @@ index 45cb16a..cef4ecd 100644
  	if (!cn->procdir) {
  		pr_err("Unable to proc dir entry\n");
  		return -ENOMEM;
+diff --git a/net/ipv4/netfilter/nf_nat_pptp.c b/net/ipv4/netfilter/nf_nat_pptp.c
+index 657d230..b3ca21b 100644
+--- a/net/ipv4/netfilter/nf_nat_pptp.c
++++ b/net/ipv4/netfilter/nf_nat_pptp.c
+@@ -45,7 +45,7 @@ static void pptp_nat_expected(struct nf_conn *ct,
+ 	struct net *net = nf_ct_net(ct);
+ 	const struct nf_conn *master = ct->master;
+ 	struct nf_conntrack_expect *other_exp;
+-	struct nf_conntrack_tuple t;
++	struct nf_conntrack_tuple t = {};
+ 	const struct nf_ct_pptp_master *ct_pptp_info;
+ 	const struct nf_nat_pptp *nat_pptp_info;
+ 	struct nf_nat_range range;
 diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
 index 05ff44b..da00000 100644
 --- a/net/ipv4/ping.c
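Review bot: `struct nf_conntrack_tuple t = {};` in `pptp_nat_expected()` zeroes the named members, but an empty-brace initializer is a GNU extension in C11 and is not guaranteed to clear padding bytes. If `t` is later hashed or compared as raw memory (its uses are outside this hunk), `memset(&t, 0, sizeof(t));` after the declarations is the unambiguous form. Either way, a brief comment that the tuple must not carry stale stack bytes into whatever lookup consumes it would record why the initializer is there.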
@@ -124844,7 +124971,7 @@ index b304068..462d24e 100644
  	if (*p != INT_CONF) {
  		fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianness? %#x\n",
 diff --git a/scripts/dtc/checks.c b/scripts/dtc/checks.c
-index e81a8c7..a615ad7 100644
+index e81a8c74..a615ad7 100644
 --- a/scripts/dtc/checks.c
 +++ b/scripts/dtc/checks.c
 @@ -277,7 +277,7 @@ NODE_ERROR(duplicate_property_names, NULL);



* [gentoo-commits] proj/hardened-patchset:master commit in: 4.2.6/
@ 2015-11-15 16:26 Anthony G. Basile
From: Anthony G. Basile @ 2015-11-15 16:26 UTC (permalink / raw
  To: gentoo-commits

commit:     abddbbc666308272b2792e65f7c9e208e9bfddbb
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Nov 15 16:32:15 2015 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Nov 15 16:32:15 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=abddbbc6

grsecurity-3.1-4.2.6-201511141543

 4.2.6/0000_README                                  |   2 +-
 ...> 4420_grsecurity-3.1-4.2.6-201511141543.patch} | 356 +++++++++++++++------
 2 files changed, 268 insertions(+), 90 deletions(-)

diff --git a/4.2.6/0000_README b/4.2.6/0000_README
index 9993992..7ec57e5 100644
--- a/4.2.6/0000_README
+++ b/4.2.6/0000_README
@@ -6,7 +6,7 @@ Patch:	1005_linux-4.2.6.patch
 From:	http://www.kernel.org
 Desc:	Linux 4.2.6
 
-Patch:	4420_grsecurity-3.1-4.2.6-201511122040.patch
+Patch:	4420_grsecurity-3.1-4.2.6-201511141543.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/4.2.6/4420_grsecurity-3.1-4.2.6-201511122040.patch b/4.2.6/4420_grsecurity-3.1-4.2.6-201511141543.patch
similarity index 99%
rename from 4.2.6/4420_grsecurity-3.1-4.2.6-201511122040.patch
rename to 4.2.6/4420_grsecurity-3.1-4.2.6-201511141543.patch
index 2f80639..27bda59 100644
--- a/4.2.6/4420_grsecurity-3.1-4.2.6-201511122040.patch
+++ b/4.2.6/4420_grsecurity-3.1-4.2.6-201511141543.patch
@@ -75612,7 +75612,7 @@ index 54114b4..580cfc9 100644
  
  		WARN_ON(trans->transid != btrfs_header_generation(parent));
 diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
-index a2ae427..53c2e98 100644
+index a2ae427..d028233 100644
 --- a/fs/btrfs/delayed-inode.c
 +++ b/fs/btrfs/delayed-inode.c
 @@ -462,7 +462,7 @@ static int __btrfs_add_delayed_deletion_item(struct btrfs_delayed_node *node,
@@ -75642,8 +75642,25 @@ index a2ae427..53c2e98 100644
  
  		ret = btrfs_wq_run_delayed_node(delayed_root, fs_info, 0);
  		if (ret)
+@@ -1690,7 +1690,7 @@ int btrfs_should_delete_dir_index(struct list_head *del_list,
+  *
+  */
+ int btrfs_readdir_delayed_dir_index(struct dir_context *ctx,
+-				    struct list_head *ins_list)
++				    struct list_head *ins_list, bool *emitted)
+ {
+ 	struct btrfs_dir_item *di;
+ 	struct btrfs_delayed_item *curr, *next;
+@@ -1734,6 +1734,7 @@ int btrfs_readdir_delayed_dir_index(struct dir_context *ctx,
+ 
+ 		if (over)
+ 			return 1;
++		*emitted = true;
+ 	}
+ 	return 0;
+ }
 diff --git a/fs/btrfs/delayed-inode.h b/fs/btrfs/delayed-inode.h
-index f70119f..ab5894d 100644
+index f70119f..b7d2bb4 100644
 --- a/fs/btrfs/delayed-inode.h
 +++ b/fs/btrfs/delayed-inode.h
 @@ -43,7 +43,7 @@ struct btrfs_delayed_root {
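Review bot: `btrfs_readdir_delayed_dir_index()` gains an `emitted` out-parameter that is dereferenced unconditionally at `*emitted = true;`, and the comment block that closes just above the signature is not extended to describe it. I would document the contract there, e.g. `@emitted: set to true after an entry has been emitted; never cleared here, must be non-NULL`. The function body between the signature and the `if (over)` check is outside the hunk.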
@@ -75664,6 +75681,15 @@ index f70119f..ab5894d 100644
  	delayed_root->nodes = 0;
  	spin_lock_init(&delayed_root->lock);
  	init_waitqueue_head(&delayed_root->wait);
+@@ -144,7 +144,7 @@ void btrfs_put_delayed_items(struct list_head *ins_list,
+ int btrfs_should_delete_dir_index(struct list_head *del_list,
+ 				  u64 index);
+ int btrfs_readdir_delayed_dir_index(struct dir_context *ctx,
+-				    struct list_head *ins_list);
++				    struct list_head *ins_list, bool *emitted);
+ 
+ /* for init */
+ int __init btrfs_delayed_inode_init(void);
 diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
 index b823fac..c5155de 100644
 --- a/fs/btrfs/file.c
@@ -75693,6 +75719,56 @@ index b823fac..c5155de 100644
  			if (ret) {
  				btrfs_end_transaction(trans, root);
  				goto out;
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index b54e630..6ecf999 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -5632,6 +5632,7 @@ static int btrfs_real_readdir(struct file *file, struct dir_context *ctx)
+ 	char *name_ptr;
+ 	int name_len;
+ 	int is_curr = 0;	/* ctx->pos points to the current index? */
++	bool emitted;
+ 
+ 	/* FIXME, use a real flag for deciding about the key type */
+ 	if (root->fs_info->tree_root == root)
+@@ -5660,6 +5661,7 @@ static int btrfs_real_readdir(struct file *file, struct dir_context *ctx)
+ 	if (ret < 0)
+ 		goto err;
+ 
++	emitted = false;
+ 	while (1) {
+ 		leaf = path->nodes[0];
+ 		slot = path->slots[0];
+@@ -5739,6 +5741,7 @@ skip:
+ 
+ 			if (over)
+ 				goto nopos;
++			emitted = true;
+ 			di_len = btrfs_dir_name_len(leaf, di) +
+ 				 btrfs_dir_data_len(leaf, di) + sizeof(*di);
+ 			di_cur += di_len;
+@@ -5751,11 +5754,20 @@ next:
+ 	if (key_type == BTRFS_DIR_INDEX_KEY) {
+ 		if (is_curr)
+ 			ctx->pos++;
+-		ret = btrfs_readdir_delayed_dir_index(ctx, &ins_list);
++		ret = btrfs_readdir_delayed_dir_index(ctx, &ins_list, &emitted);
+ 		if (ret)
+ 			goto nopos;
+ 	}
+ 
++	/*
++	 * If we haven't emitted any dir entry, we must not touch ctx->pos as
++	 * it was was set to the termination value in previous call. We assume
++	 * that "." and ".." were emitted if we reach this point and set the
++	 * termination value as well for an empty directory.
++	 */
++	if (ctx->pos > 2 && !emitted)
++		goto nopos;
++
+ 	/* Reached end of directory/root. Bump pos past the last item. */
+ 	ctx->pos++;
+ 
 diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
 index cd7ef34..1e31ae3 100644
 --- a/fs/btrfs/super.c
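Review bot: `bool emitted;` is declared without a value and only assigned `false` just before the `while (1)` loop, so the `ctx->pos > 2 && !emitted` test is correct only if no jump reaches it from before that assignment; initialising at the declaration, `bool emitted = false;`, removes the dependency. The new comment also has a doubled word (`it was was set`). btrfs_real_readdir starts and ends outside the shown lines, so the jump targets cannot be checked from here.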
@@ -125501,14 +125577,14 @@ index 99ca6e7..3a1a1a1 100644
  	rm -f $(objtree)/.scmversion
  	$(CONFIG_SHELL) $(srctree)/scripts/mkversion > $(objtree)/.tmp_version
 diff --git a/scripts/package/builddeb b/scripts/package/builddeb
-index 88dbf23..d1b4291 100755
+index 88dbf23..c8c6e81 100755
 --- a/scripts/package/builddeb
 +++ b/scripts/package/builddeb
 @@ -304,6 +304,7 @@ fi
  (cd $srctree; find arch/$SRCARCH -name module.lds -o -name Kbuild.platforms -o -name Platform) >> "$objtree/debian/hdrsrcfiles"
  (cd $srctree; find $(find arch/$SRCARCH -name include -o -name scripts -type d) -type f) >> "$objtree/debian/hdrsrcfiles"
  (cd $objtree; find arch/$SRCARCH/include Module.symvers include scripts -type f) >> "$objtree/debian/hdrobjfiles"
-+(cd $objtree; find tools/gcc -name \*.so >> "$objtree/debian/hdrobjfiles")
++(cd $objtree; find tools/gcc -name \*.so -o -name gcc-common.h >> "$objtree/debian/hdrobjfiles")
  destdir=$kernel_headers_dir/usr/src/linux-headers-$version
  mkdir -p "$destdir"
  (cd $srctree; tar -c -f - -T -) < "$objtree/debian/hdrsrcfiles" | (cd $destdir; tar -xf -)
@@ -125645,7 +125721,7 @@ index c0a932d..817c587 100755
  # Find all available archs
  find_all_archs()
 diff --git a/security/Kconfig b/security/Kconfig
-index bf4ec46..d32a3b8 100644
+index bf4ec46..faa8418 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
 @@ -4,6 +4,985 @@
@@ -126596,7 +126672,7 @@ index bf4ec46..d32a3b8 100644
 +
 +config PAX_SIZE_OVERFLOW_DISABLE_KILL
 +	bool "Do not kill process on overflow detection"
-+	default y
++	default n
 +	depends on PAX_SIZE_OVERFLOW
 +
 +config PAX_LATENT_ENTROPY
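Review bot: `PAX_SIZE_OVERFLOW_DISABLE_KILL` flips from `default y` to `default n`, but the entry as shown has no `help` text, so anyone answering the prompt gets no description of what the choice changes. Going by the prompt string, an unset option now means the process is killed when an overflow is detected. A short `help` block stating that, and that `y` lets the process continue after detection, would make the trade-off explicit for people carrying an older config forward.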
@@ -129633,10 +129709,10 @@ index 0000000..7514850
 +fi
 diff --git a/tools/gcc/initify_plugin.c b/tools/gcc/initify_plugin.c
 new file mode 100644
-index 0000000..294ac43
+index 0000000..2abfe4b
 --- /dev/null
 +++ b/tools/gcc/initify_plugin.c
-@@ -0,0 +1,450 @@
+@@ -0,0 +1,552 @@
 +/*
 + * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com>
 + * Licensed under the GPL v2, or (at your option) v3
@@ -129656,13 +129732,16 @@ index 0000000..294ac43
 +
 +int plugin_is_GPL_compatible;
 +
-+static bool verbose = false;
-+
 +static struct plugin_info initify_plugin_info = {
-+	.version	= "20150524a",
++	.version	= "20151113",
 +	.help		= "initify_plugin\n",
 +};
 +
++/* nocapture attribute:
++ *  * to mark nocapture function arguments. If used on a vararg argument it applies to all of them
++ *    that have no other uses.
++ *  * attribute value 0 is ignored to allow reusing print attribute arguments
++ */
 +static tree handle_nocapture_attribute(tree *node, tree __unused name, tree args, int __unused flags, bool *no_add_attrs)
 +{
 +	tree orig_attr, arg;
@@ -129673,7 +129752,6 @@ index 0000000..294ac43
 +	case FUNCTION_TYPE:
 +	case METHOD_TYPE:
 +		break;
-+
 +	case TYPE_DECL: {
 +		const_tree fntype = TREE_TYPE(*node);
 +
@@ -129683,10 +129761,9 @@ index 0000000..294ac43
 +			break;
 +		// FALLTHROUGH
 +	}
-+
 +	default:
-+		error("%s: %qE attribute only applies to functions", __func__, name);
 +		debug_tree(*node);
++		error("%s: %qE attribute only applies to functions", __func__, name);
 +		return NULL_TREE;
 +	}
 +
@@ -129694,8 +129771,12 @@ index 0000000..294ac43
 +		tree position = TREE_VALUE(arg);
 +
 +		if (TREE_CODE(position) != INTEGER_CST) {
-+			error("%s: parameter isn't an integer", __func__);
-+			debug_tree(arg);
++			error("%qE parameter of the %qE attribute isn't an integer (fn: %qE)", position, name, *node);
++			return NULL_TREE;
++		}
++
++		if (tree_int_cst_lt(position, integer_minus_one_node)) {
++			error("%qE parameter of the %qE attribute less than 0 (fn: %qE)", position, name, *node);
 +			return NULL_TREE;
 +		}
 +	}
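Review bot: The new range check `tree_int_cst_lt(position, integer_minus_one_node)` rejects values below -1, yet its message says `less than 0`, and the header comment added for the attribute documents the value 0 but not -1. Since `is_nocapture_param()` elsewhere in this file treats -1 as matching every argument, the message should read `less than -1` and the comment should list -1 as an accepted value. handle_nocapture_attribute continues outside this hunk.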
@@ -129742,7 +129823,6 @@ index 0000000..294ac43
 +
 +		if (!strncmp(str, ".init.", 6))
 +			return str;
-+
 +		if (!strncmp(str, ".exit.", 6))
 +			return str;
 +	}
@@ -129770,11 +129850,9 @@ index 0000000..294ac43
 +		}
 +		break;
 +	}
-+
 +	default:
 +		break;
 +	}
-+
 +	return NULL_TREE;
 +}
 +
@@ -129795,6 +129873,164 @@ index 0000000..294ac43
 +	return true;
 +}
 +
++static bool is_syscall(const_tree fn)
++{
++	if (!strncmp(DECL_NAME_POINTER(fn), "sys_", 4))
++		return true;
++
++	if (!strncmp(DECL_NAME_POINTER(fn), "sys32_", 6))
++		return true;
++
++	if (!strncmp(DECL_NAME_POINTER(fn), "compat_sys_", 11))
++		return true;
++
++	return false;
++}
++
++static bool is_nocapture_param(const gcall *stmt, int fn_arg_count)
++{
++	const_tree attr, attr_val;
++	int fntype_arg_len;
++	const_tree fndecl = gimple_call_fndecl(stmt);
++
++	gcc_assert(DECL_ABSTRACT_ORIGIN(fndecl) == NULL_TREE);
++
++	if (is_syscall(fndecl))
++		return true;
++
++	fntype_arg_len = type_num_arguments(TREE_TYPE(fndecl));
++	attr = lookup_attribute("nocapture", DECL_ATTRIBUTES(fndecl));
++	if (attr == NULL_TREE)
++		return false;
++
++	for (attr_val = TREE_VALUE(attr); attr_val; attr_val = TREE_CHAIN(attr_val)) {
++		int attr_arg_val = (int)tree_to_shwi(TREE_VALUE(attr_val));
++
++		if (attr_arg_val == -1)
++			return true;
++		if (attr_arg_val == fn_arg_count)
++			return true;
++		if (attr_arg_val > fntype_arg_len && fn_arg_count >= attr_arg_val)
++			return true;
++	}
++
++	return false;
++}
++
++static bool compare_vardecls(const_tree vardecl, tree op)
++{
++	tree decl, offset;
++	HOST_WIDE_INT bitsize, bitpos;
++	enum machine_mode mode;
++	int unsignedp, volatilep;
++	enum tree_code code = TREE_CODE(op);
++
++	if (TREE_CODE_CLASS(code) == tcc_exceptional && code != SSA_NAME)
++		return false;
++
++	if (code == ADDR_EXPR)
++		op = TREE_OPERAND(op, 0);
++
++	if (TREE_CODE(op) == COMPONENT_REF)
++		return false;
++
++	decl = get_inner_reference(op, &bitsize, &bitpos, &offset, &mode, &unsignedp, &volatilep, true);
++
++	switch (TREE_CODE_CLASS(TREE_CODE(decl))) {
++	case tcc_constant:
++	case tcc_statement:
++		return false;
++	default:
++		break;
++	}
++
++	switch (TREE_CODE(decl)) {
++#if BUILDING_GCC_VERSION >= 4006
++	case MEM_REF:
++#endif
++	case TARGET_MEM_REF:
++		decl = TREE_OPERAND(decl, 0);
++		break;
++	default:
++		break;
++	}
++
++	if (TREE_CODE(decl) == ADDR_EXPR)
++		decl = TREE_OPERAND(decl, 0);
++	if (TREE_CODE(decl) == SSA_NAME)
++		decl = SSA_NAME_VAR(decl);
++	if (decl == NULL_TREE)
++		return false;
++
++	if (!DECL_P(decl)) {
++		debug_tree(op);
++		debug_tree(decl);
++		gcc_unreachable();
++	}
++
++	if (!VAR_P(decl))
++		return false;
++	if (!DECL_NAME(decl))
++		return false;
++
++	if (decl != vardecl && strcmp(DECL_NAME_POINTER(decl), DECL_NAME_POINTER(vardecl)))
++		return false;
++
++	gcc_assert(TREE_CODE(op) != SSA_NAME);
++	return true;
++}
++
++static bool search_capture_use(const_tree vardecl, gimple stmt)
++{
++	unsigned int i;
++
++	for (i = 0; i < gimple_num_ops(stmt); i++) {
++		unsigned int arg_count;
++		const_tree fndecl;
++		tree op = *(gimple_op_ptr(stmt, i));
++
++		if (op == NULL_TREE)
++			continue;
++		if (is_gimple_constant(op))
++			continue;
++
++		if (!compare_vardecls(vardecl, op))
++			continue;
++
++		if (!is_gimple_call(stmt))
++			return true;
++
++		// return, fndecl
++		gcc_assert(i >= 3);
++		arg_count = i - 2;
++		if (is_nocapture_param(as_a_const_gcall(stmt), (int)arg_count))
++			continue;
++
++		fndecl = gimple_call_fndecl(stmt);
++		gcc_assert(fndecl != NULL_TREE);
++//		inform(gimple_location(stmt), "nocapture attribute is missing (fn: %E, arg: %u)\n", fndecl, arg_count);
++		return true;
++
++	}
++	return false;
++}
++
++static bool has_capture_use_local_var(const_tree vardecl)
++{
++	basic_block bb;
++
++	FOR_ALL_BB_FN(bb, cfun) {
++		gimple_stmt_iterator gsi;
++
++		for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
++			if (search_capture_use(vardecl, gsi_stmt(gsi)))
++				return true;
++		}
++	}
++
++	return false;
++}
++
 +static void search_local_strs(bool initexit)
 +{
 +	unsigned int i;
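Review bot: In `search_capture_use()` the `gcc_assert(fndecl != NULL_TREE)` comes after `is_nocapture_param()` has already called `gimple_call_fndecl()` and evaluated `DECL_ABSTRACT_ORIGIN(fndecl)`, so the assert cannot protect that dereference. `gimple_call_fndecl()` returns `NULL_TREE` for a call made through a pointer, and the conservative answer there is that the variable is captured; I would fetch the decl first and bail out, `fndecl = gimple_call_fndecl(stmt);` `if (fndecl == NULL_TREE)` `return true;`, before the `is_nocapture_param()` call. The `// return, fndecl` comment above `gcc_assert(i >= 3)` names two operands while the assert skips three, so it should name all of the leading operand slots.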
@@ -129803,16 +130039,21 @@ index 0000000..294ac43
 +	FOR_EACH_LOCAL_DECL(cfun, i, var) {
 +		tree str, init_val = DECL_INITIAL(var);
 +
-+		if (init_val == NULL_TREE)
++		if (init_val == NULL_TREE || init_val == error_mark_node)
 +			continue;
++		// !!! str local vars
 +		if (strcmp(DECL_NAME_POINTER(var), "__func__"))
 +			continue;
 +
++		if (has_capture_use_local_var(var))
++			continue;
++
 +		str = get_string_cst(init_val);
 +		gcc_assert(str);
 +
-+		if (set_init_exit_section(var, initexit) && verbose)
-+			inform(DECL_SOURCE_LOCATION(var), "initified local var: %s: %s", DECL_NAME_POINTER(current_function_decl), TREE_STRING_POINTER(str));
++		if (set_init_exit_section(var, initexit)) {
++//			inform(DECL_SOURCE_LOCATION(var), "initified local var: %s: %s", DECL_NAME_POINTER(current_function_decl), TREE_STRING_POINTER(str));
++		}
 +	}
 +}
 +
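Review bot: With the `verbose` flag removed, `if (set_init_exit_section(var, initexit)) { ... }` in `search_local_strs()` now wraps only a commented-out `inform()`, leaving an empty body that exists solely for the call's side effect; the same shape appears in `search_str_param()` further down. I would call the function as a plain statement, `(void)set_init_exit_section(var, initexit);`, and either delete the dead diagnostic or restore it behind a plugin argument. The `// !!! str local vars` marker added above the `__func__` check should also say what remains to be done.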
@@ -129853,70 +130094,6 @@ index 0000000..294ac43
 +	return TREE_OPERAND(decl, 0);
 +}
 +
-+static bool is_syscall(const_tree fn)
-+{
-+	if (!strncmp(DECL_NAME_POINTER(fn), "sys_", 4))
-+		return true;
-+
-+	if (!strncmp(DECL_NAME_POINTER(fn), "sys32_", 6))
-+		return true;
-+
-+	if (!strncmp(DECL_NAME_POINTER(fn), "compat_sys_", 11))
-+		return true;
-+
-+	return false;
-+}
-+
-+static bool is_vararg(const_tree fn)
-+{
-+	tree arg_list;
-+
-+	arg_list = TYPE_ARG_TYPES(TREE_TYPE(fn));
-+	if (arg_list == NULL_TREE)
-+		return false;
-+
-+	return tree_last(arg_list) != void_list_node;
-+}
-+
-+// __printf(1, 0), 0: turn off the varargs checking
-+static bool check_varargs(const_tree attr)
-+{
-+	const_tree attr_val;
-+
-+	for (attr_val = TREE_VALUE(attr); attr_val; attr_val = TREE_CHAIN(attr_val)) {
-+		if (TREE_VALUE(attr_val) == integer_zero_node)
-+			return false;
-+	}
-+	return true;
-+}
-+
-+static bool is_nocapture_param(const_gimple stmt, unsigned int num)
-+{
-+	unsigned int attr_arg_val = 0;
-+	tree attr_val;
-+	const_tree attr;
-+	const_tree fndecl = gimple_call_fndecl(stmt);
-+
-+	gcc_assert(DECL_ABSTRACT_ORIGIN(fndecl) == NULL_TREE);
-+
-+	if (is_syscall(fndecl))
-+		return true;
-+
-+	attr = lookup_attribute("nocapture", DECL_ATTRIBUTES(fndecl));
-+	for (attr_val = TREE_VALUE(attr); attr_val; attr_val = TREE_CHAIN(attr_val)) {
-+		attr_arg_val = (unsigned int)tree_to_uhwi(TREE_VALUE(attr_val));
-+
-+		if (attr_arg_val == num + 1)
-+			return true;
-+	}
-+
-+	if (!is_vararg(fndecl))
-+		return false;
-+	if (!check_varargs(attr))
-+		return false;
-+	return attr_arg_val < num + 1;
-+}
-+
 +static void search_str_param(gcall *stmt, bool initexit)
 +{
 +	unsigned int num;
@@ -129928,12 +130105,13 @@ index 0000000..294ac43
 +		if (str == NULL_TREE)
 +			continue;
 +
-+		if (!is_nocapture_param(stmt, num))
++		if (!is_nocapture_param(stmt, num + 1))
 +			continue;
 +
 +		var = create_tmp_assign(stmt, num);
-+		if (set_init_exit_section(var, initexit) && verbose)
-+			inform(gimple_location(stmt), "initified function arg: %s: [%s]", DECL_NAME_POINTER(current_function_decl), TREE_STRING_POINTER(str));
++		if (set_init_exit_section(var, initexit)) {
++//			inform(gimple_location(stmt), "initified function arg: %E: [%E]", current_function_decl, str);
++		}
 +	}
 +}
 +
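Review bot: Nothing at the `is_nocapture_param(stmt, num + 1)` call in search_str_param documents that the index passed is now 1-based. The helper's new definition is not in this hunk, and the function itself begins above it, so the convention can only be inferred from the removed `attr_arg_val == num + 1` comparison. This check gates whether a string argument is moved into an init/exit section, so an off-by-one would presumably let a string the callee retains land in memory that is later discarded. A comment above the call would pin this down: `/* is_nocapture_param() takes the 1-based position used by the nocapture attribute */`. Separately, the `if (set_init_exit_section(var, initexit)) {` body now holds only a commented-out inform(), as does the local-variable path a few lines earlier; either keep the `&& verbose` guard with the diagnostic or drop the empty branch.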



* [gentoo-commits] proj/hardened-patchset:master commit in: 4.2.6/
@ 2015-11-18  9:47 Anthony G. Basile
  0 siblings, 0 replies; 8+ messages in thread
From: Anthony G. Basile @ 2015-11-18  9:47 UTC (permalink / raw
  To: gentoo-commits


commit:     eaaa44972b7ad8d289587ded544c4513f4b40732
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Wed Nov 18 09:53:20 2015 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Wed Nov 18 09:53:20 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=eaaa4497

grsecurity-3.1-4.2.6-201511172005

 4.2.6/0000_README                                  |    6 +-
 4.2.6/1005_linux-4.2.6.patch                       | 3380 --------------------
 ...> 4420_grsecurity-3.1-4.2.6-201511172005.patch} |  251 +-
 3 files changed, 226 insertions(+), 3411 deletions(-)

diff --git a/4.2.6/0000_README b/4.2.6/0000_README
index 7ec57e5..730b6c8 100644
--- a/4.2.6/0000_README
+++ b/4.2.6/0000_README
@@ -2,11 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	1005_linux-4.2.6.patch
-From:	http://www.kernel.org
-Desc:	Linux 4.2.6
-
-Patch:	4420_grsecurity-3.1-4.2.6-201511141543.patch
+Patch:	4420_grsecurity-3.1-4.2.6-201511172005.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/4.2.6/1005_linux-4.2.6.patch b/4.2.6/1005_linux-4.2.6.patch
deleted file mode 100644
index 8a09a7b..0000000
--- a/4.2.6/1005_linux-4.2.6.patch
+++ /dev/null
@@ -1,3380 +0,0 @@
-diff --git a/Makefile b/Makefile
-index 96076dc..9ef3739 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 4
- PATCHLEVEL = 2
--SUBLEVEL = 5
-+SUBLEVEL = 6
- EXTRAVERSION =
- NAME = Hurr durr I'ma sheep
- 
-diff --git a/arch/arm/boot/dts/am57xx-beagle-x15.dts b/arch/arm/boot/dts/am57xx-beagle-x15.dts
-index a63bf78..03385fa 100644
---- a/arch/arm/boot/dts/am57xx-beagle-x15.dts
-+++ b/arch/arm/boot/dts/am57xx-beagle-x15.dts
-@@ -415,11 +415,12 @@
- 				/* SMPS9 unused */
- 
- 				ldo1_reg: ldo1 {
--					/* VDD_SD  */
-+					/* VDD_SD / VDDSHV8  */
- 					regulator-name = "ldo1";
- 					regulator-min-microvolt = <1800000>;
- 					regulator-max-microvolt = <3300000>;
- 					regulator-boot-on;
-+					regulator-always-on;
- 				};
- 
- 				ldo2_reg: ldo2 {
-diff --git a/arch/arm/boot/dts/armada-385-db-ap.dts b/arch/arm/boot/dts/armada-385-db-ap.dts
-index 89f5a95..4047621 100644
---- a/arch/arm/boot/dts/armada-385-db-ap.dts
-+++ b/arch/arm/boot/dts/armada-385-db-ap.dts
-@@ -46,7 +46,7 @@
- 
- / {
- 	model = "Marvell Armada 385 Access Point Development Board";
--	compatible = "marvell,a385-db-ap", "marvell,armada385", "marvell,armada38x";
-+	compatible = "marvell,a385-db-ap", "marvell,armada385", "marvell,armada380";
- 
- 	chosen {
- 		stdout-path = "serial1:115200n8";
-diff --git a/arch/arm/boot/dts/berlin2q.dtsi b/arch/arm/boot/dts/berlin2q.dtsi
-index 63a4849..d4dbd28 100644
---- a/arch/arm/boot/dts/berlin2q.dtsi
-+++ b/arch/arm/boot/dts/berlin2q.dtsi
-@@ -152,7 +152,7 @@
- 		};
- 
- 		usb_phy2: phy@a2f400 {
--			compatible = "marvell,berlin2-usb-phy";
-+			compatible = "marvell,berlin2cd-usb-phy";
- 			reg = <0xa2f400 0x128>;
- 			#phy-cells = <0>;
- 			resets = <&chip_rst 0x104 14>;
-@@ -170,7 +170,7 @@
- 		};
- 
- 		usb_phy0: phy@b74000 {
--			compatible = "marvell,berlin2-usb-phy";
-+			compatible = "marvell,berlin2cd-usb-phy";
- 			reg = <0xb74000 0x128>;
- 			#phy-cells = <0>;
- 			resets = <&chip_rst 0x104 12>;
-@@ -178,7 +178,7 @@
- 		};
- 
- 		usb_phy1: phy@b78000 {
--			compatible = "marvell,berlin2-usb-phy";
-+			compatible = "marvell,berlin2cd-usb-phy";
- 			reg = <0xb78000 0x128>;
- 			#phy-cells = <0>;
- 			resets = <&chip_rst 0x104 13>;
-diff --git a/arch/arm/boot/dts/exynos5420-peach-pit.dts b/arch/arm/boot/dts/exynos5420-peach-pit.dts
-index 8f4d76c..1b95da7 100644
---- a/arch/arm/boot/dts/exynos5420-peach-pit.dts
-+++ b/arch/arm/boot/dts/exynos5420-peach-pit.dts
-@@ -915,6 +915,11 @@
- 	};
- };
- 
-+&pmu_system_controller {
-+	assigned-clocks = <&pmu_system_controller 0>;
-+	assigned-clock-parents = <&clock CLK_FIN_PLL>;
-+};
-+
- &rtc {
- 	status = "okay";
- 	clocks = <&clock CLK_RTC>, <&max77802 MAX77802_CLK_32K_AP>;
-diff --git a/arch/arm/boot/dts/exynos5800-peach-pi.dts b/arch/arm/boot/dts/exynos5800-peach-pi.dts
-index 7d5b386..8f40c7e 100644
---- a/arch/arm/boot/dts/exynos5800-peach-pi.dts
-+++ b/arch/arm/boot/dts/exynos5800-peach-pi.dts
-@@ -878,6 +878,11 @@
- 	};
- };
- 
-+&pmu_system_controller {
-+	assigned-clocks = <&pmu_system_controller 0>;
-+	assigned-clock-parents = <&clock CLK_FIN_PLL>;
-+};
-+
- &rtc {
- 	status = "okay";
- 	clocks = <&clock CLK_RTC>, <&max77802 MAX77802_CLK_32K_AP>;
-diff --git a/arch/arm/boot/dts/imx7d.dtsi b/arch/arm/boot/dts/imx7d.dtsi
-index c42cf8d..9accbae 100644
---- a/arch/arm/boot/dts/imx7d.dtsi
-+++ b/arch/arm/boot/dts/imx7d.dtsi
-@@ -340,10 +340,10 @@
- 				status = "disabled";
- 			};
- 
--			uart2: serial@30870000 {
-+			uart2: serial@30890000 {
- 				compatible = "fsl,imx7d-uart",
- 					     "fsl,imx6q-uart";
--				reg = <0x30870000 0x10000>;
-+				reg = <0x30890000 0x10000>;
- 				interrupts = <GIC_SPI 27 IRQ_TYPE_LEVEL_HIGH>;
- 				clocks = <&clks IMX7D_UART2_ROOT_CLK>,
- 					<&clks IMX7D_UART2_ROOT_CLK>;
-diff --git a/arch/arm/boot/dts/ste-hrefv60plus.dtsi b/arch/arm/boot/dts/ste-hrefv60plus.dtsi
-index 810cda7..9c2387b 100644
---- a/arch/arm/boot/dts/ste-hrefv60plus.dtsi
-+++ b/arch/arm/boot/dts/ste-hrefv60plus.dtsi
-@@ -56,7 +56,7 @@
- 					/* VMMCI level-shifter enable */
- 					default_hrefv60_cfg2 {
- 						pins = "GPIO169_D22";
--						ste,config = <&gpio_out_lo>;
-+						ste,config = <&gpio_out_hi>;
- 					};
- 					/* VMMCI level-shifter voltage select */
- 					default_hrefv60_cfg3 {
-diff --git a/arch/arm/kvm/Kconfig b/arch/arm/kvm/Kconfig
-index bfb915d..dd5fc1e 100644
---- a/arch/arm/kvm/Kconfig
-+++ b/arch/arm/kvm/Kconfig
-@@ -21,6 +21,7 @@ config KVM
- 	depends on MMU && OF
- 	select PREEMPT_NOTIFIERS
- 	select ANON_INODES
-+	select ARM_GIC
- 	select HAVE_KVM_CPU_RELAX_INTERCEPT
- 	select HAVE_KVM_ARCH_TLB_FLUSH_ALL
- 	select KVM_MMIO
-diff --git a/arch/arm/mach-exynos/pm_domains.c b/arch/arm/mach-exynos/pm_domains.c
-index 4a87e86..7c21760 100644
---- a/arch/arm/mach-exynos/pm_domains.c
-+++ b/arch/arm/mach-exynos/pm_domains.c
-@@ -200,15 +200,15 @@ no_clk:
- 		args.args_count = 0;
- 		child_domain = of_genpd_get_from_provider(&args);
- 		if (IS_ERR(child_domain))
--			goto next_pd;
-+			continue;
- 
- 		if (of_parse_phandle_with_args(np, "power-domains",
- 					 "#power-domain-cells", 0, &args) != 0)
--			goto next_pd;
-+			continue;
- 
- 		parent_domain = of_genpd_get_from_provider(&args);
- 		if (IS_ERR(parent_domain))
--			goto next_pd;
-+			continue;
- 
- 		if (pm_genpd_add_subdomain(parent_domain, child_domain))
- 			pr_warn("%s failed to add subdomain: %s\n",
-@@ -216,8 +216,6 @@ no_clk:
- 		else
- 			pr_info("%s has as child subdomain: %s.\n",
- 				parent_domain->name, child_domain->name);
--next_pd:
--		of_node_put(np);
- 	}
- 
- 	return 0;
-diff --git a/arch/arm/plat-orion/common.c b/arch/arm/plat-orion/common.c
-index 2235081..8861c36 100644
---- a/arch/arm/plat-orion/common.c
-+++ b/arch/arm/plat-orion/common.c
-@@ -495,7 +495,7 @@ void __init orion_ge00_switch_init(struct dsa_platform_data *d, int irq)
- 
- 	d->netdev = &orion_ge00.dev;
- 	for (i = 0; i < d->nr_chips; i++)
--		d->chip[i].host_dev = &orion_ge00_shared.dev;
-+		d->chip[i].host_dev = &orion_ge_mvmdio.dev;
- 	orion_switch_device.dev.platform_data = d;
- 
- 	platform_device_register(&orion_switch_device);
-diff --git a/arch/arm/vdso/vdsomunge.c b/arch/arm/vdso/vdsomunge.c
-index aedec81..f645527 100644
---- a/arch/arm/vdso/vdsomunge.c
-+++ b/arch/arm/vdso/vdsomunge.c
-@@ -45,7 +45,6 @@
-  * it does.
-  */
- 
--#include <byteswap.h>
- #include <elf.h>
- #include <errno.h>
- #include <fcntl.h>
-@@ -59,6 +58,16 @@
- #include <sys/types.h>
- #include <unistd.h>
- 
-+#define swab16(x) \
-+	((((x) & 0x00ff) << 8) | \
-+	 (((x) & 0xff00) >> 8))
-+
-+#define swab32(x) \
-+	((((x) & 0x000000ff) << 24) | \
-+	 (((x) & 0x0000ff00) <<  8) | \
-+	 (((x) & 0x00ff0000) >>  8) | \
-+	 (((x) & 0xff000000) >> 24))
-+
- #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
- #define HOST_ORDER ELFDATA2LSB
- #elif __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
-@@ -104,17 +113,17 @@ static void cleanup(void)
- 
- static Elf32_Word read_elf_word(Elf32_Word word, bool swap)
- {
--	return swap ? bswap_32(word) : word;
-+	return swap ? swab32(word) : word;
- }
- 
- static Elf32_Half read_elf_half(Elf32_Half half, bool swap)
- {
--	return swap ? bswap_16(half) : half;
-+	return swap ? swab16(half) : half;
- }
- 
- static void write_elf_word(Elf32_Word val, Elf32_Word *dst, bool swap)
- {
--	*dst = swap ? bswap_32(val) : val;
-+	*dst = swap ? swab32(val) : val;
- }
- 
- int main(int argc, char **argv)
-diff --git a/arch/arm64/kernel/armv8_deprecated.c b/arch/arm64/kernel/armv8_deprecated.c
-index 7922c2e..7ac3920 100644
---- a/arch/arm64/kernel/armv8_deprecated.c
-+++ b/arch/arm64/kernel/armv8_deprecated.c
-@@ -279,22 +279,24 @@ static void register_insn_emulation_sysctl(struct ctl_table *table)
-  */
- #define __user_swpX_asm(data, addr, res, temp, B)		\
- 	__asm__ __volatile__(					\
--	"	mov		%w2, %w1\n"			\
--	"0:	ldxr"B"		%w1, [%3]\n"			\
--	"1:	stxr"B"		%w0, %w2, [%3]\n"		\
-+	"0:	ldxr"B"		%w2, [%3]\n"			\
-+	"1:	stxr"B"		%w0, %w1, [%3]\n"		\
- 	"	cbz		%w0, 2f\n"			\
- 	"	mov		%w0, %w4\n"			\
-+	"	b		3f\n"				\
- 	"2:\n"							\
-+	"	mov		%w1, %w2\n"			\
-+	"3:\n"							\
- 	"	.pushsection	 .fixup,\"ax\"\n"		\
- 	"	.align		2\n"				\
--	"3:	mov		%w0, %w5\n"			\
--	"	b		2b\n"				\
-+	"4:	mov		%w0, %w5\n"			\
-+	"	b		3b\n"				\
- 	"	.popsection"					\
- 	"	.pushsection	 __ex_table,\"a\"\n"		\
- 	"	.align		3\n"				\
--	"	.quad		0b, 3b\n"			\
--	"	.quad		1b, 3b\n"			\
--	"	.popsection"					\
-+	"	.quad		0b, 4b\n"			\
-+	"	.quad		1b, 4b\n"			\
-+	"	.popsection\n"					\
- 	: "=&r" (res), "+r" (data), "=&r" (temp)		\
- 	: "r" (addr), "i" (-EAGAIN), "i" (-EFAULT)		\
- 	: "memory")
-diff --git a/arch/arm64/kernel/stacktrace.c b/arch/arm64/kernel/stacktrace.c
-index 407991b..ccb6078 100644
---- a/arch/arm64/kernel/stacktrace.c
-+++ b/arch/arm64/kernel/stacktrace.c
-@@ -48,11 +48,7 @@ int notrace unwind_frame(struct stackframe *frame)
- 
- 	frame->sp = fp + 0x10;
- 	frame->fp = *(unsigned long *)(fp);
--	/*
--	 * -4 here because we care about the PC at time of bl,
--	 * not where the return will go.
--	 */
--	frame->pc = *(unsigned long *)(fp + 8) - 4;
-+	frame->pc = *(unsigned long *)(fp + 8);
- 
- 	return 0;
- }
-diff --git a/arch/arm64/kernel/suspend.c b/arch/arm64/kernel/suspend.c
-index 8297d50..44ca414 100644
---- a/arch/arm64/kernel/suspend.c
-+++ b/arch/arm64/kernel/suspend.c
-@@ -80,17 +80,21 @@ int cpu_suspend(unsigned long arg, int (*fn)(unsigned long))
- 	if (ret == 0) {
- 		/*
- 		 * We are resuming from reset with TTBR0_EL1 set to the
--		 * idmap to enable the MMU; restore the active_mm mappings in
--		 * TTBR0_EL1 unless the active_mm == &init_mm, in which case
--		 * the thread entered cpu_suspend with TTBR0_EL1 set to
--		 * reserved TTBR0 page tables and should be restored as such.
-+		 * idmap to enable the MMU; set the TTBR0 to the reserved
-+		 * page tables to prevent speculative TLB allocations, flush
-+		 * the local tlb and set the default tcr_el1.t0sz so that
-+		 * the TTBR0 address space set-up is properly restored.
-+		 * If the current active_mm != &init_mm we entered cpu_suspend
-+		 * with mappings in TTBR0 that must be restored, so we switch
-+		 * them back to complete the address space configuration
-+		 * restoration before returning.
- 		 */
--		if (mm == &init_mm)
--			cpu_set_reserved_ttbr0();
--		else
--			cpu_switch_mm(mm->pgd, mm);
--
-+		cpu_set_reserved_ttbr0();
- 		flush_tlb_all();
-+		cpu_set_default_tcr_t0sz();
-+
-+		if (mm != &init_mm)
-+			cpu_switch_mm(mm->pgd, mm);
- 
- 		/*
- 		 * Restore per-cpu offset before any kernel
-diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
-index caffb10..5607693 100644
---- a/arch/powerpc/kernel/rtas.c
-+++ b/arch/powerpc/kernel/rtas.c
-@@ -1041,6 +1041,9 @@ asmlinkage int ppc_rtas(struct rtas_args __user *uargs)
- 	if (!capable(CAP_SYS_ADMIN))
- 		return -EPERM;
- 
-+	if (!rtas.entry)
-+		return -EINVAL;
-+
- 	if (copy_from_user(&args, uargs, 3 * sizeof(u32)) != 0)
- 		return -EFAULT;
- 
-diff --git a/arch/um/kernel/trap.c b/arch/um/kernel/trap.c
-index 557232f..5610b18 100644
---- a/arch/um/kernel/trap.c
-+++ b/arch/um/kernel/trap.c
-@@ -220,7 +220,7 @@ unsigned long segv(struct faultinfo fi, unsigned long ip, int is_user,
- 		show_regs(container_of(regs, struct pt_regs, regs));
- 		panic("Segfault with no mm");
- 	}
--	else if (!is_user && address < TASK_SIZE) {
-+	else if (!is_user && address > PAGE_SIZE && address < TASK_SIZE) {
- 		show_regs(container_of(regs, struct pt_regs, regs));
- 		panic("Kernel tried to access user memory at addr 0x%lx, ip 0x%lx",
- 		       address, ip);
-diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 7d69afd..16edc0f 100644
---- a/arch/x86/boot/compressed/eboot.c
-+++ b/arch/x86/boot/compressed/eboot.c
-@@ -667,6 +667,7 @@ setup_gop32(struct screen_info *si, efi_guid_t *proto,
- 		bool conout_found = false;
- 		void *dummy = NULL;
- 		u32 h = handles[i];
-+		u32 current_fb_base;
- 
- 		status = efi_call_early(handle_protocol, h,
- 					proto, (void **)&gop32);
-@@ -678,7 +679,7 @@ setup_gop32(struct screen_info *si, efi_guid_t *proto,
- 		if (status == EFI_SUCCESS)
- 			conout_found = true;
- 
--		status = __gop_query32(gop32, &info, &size, &fb_base);
-+		status = __gop_query32(gop32, &info, &size, &current_fb_base);
- 		if (status == EFI_SUCCESS && (!first_gop || conout_found)) {
- 			/*
- 			 * Systems that use the UEFI Console Splitter may
-@@ -692,6 +693,7 @@ setup_gop32(struct screen_info *si, efi_guid_t *proto,
- 			pixel_format = info->pixel_format;
- 			pixel_info = info->pixel_information;
- 			pixels_per_scan_line = info->pixels_per_scan_line;
-+			fb_base = current_fb_base;
- 
- 			/*
- 			 * Once we've found a GOP supporting ConOut,
-@@ -770,6 +772,7 @@ setup_gop64(struct screen_info *si, efi_guid_t *proto,
- 		bool conout_found = false;
- 		void *dummy = NULL;
- 		u64 h = handles[i];
-+		u32 current_fb_base;
- 
- 		status = efi_call_early(handle_protocol, h,
- 					proto, (void **)&gop64);
-@@ -781,7 +784,7 @@ setup_gop64(struct screen_info *si, efi_guid_t *proto,
- 		if (status == EFI_SUCCESS)
- 			conout_found = true;
- 
--		status = __gop_query64(gop64, &info, &size, &fb_base);
-+		status = __gop_query64(gop64, &info, &size, &current_fb_base);
- 		if (status == EFI_SUCCESS && (!first_gop || conout_found)) {
- 			/*
- 			 * Systems that use the UEFI Console Splitter may
-@@ -795,6 +798,7 @@ setup_gop64(struct screen_info *si, efi_guid_t *proto,
- 			pixel_format = info->pixel_format;
- 			pixel_info = info->pixel_information;
- 			pixels_per_scan_line = info->pixels_per_scan_line;
-+			fb_base = current_fb_base;
- 
- 			/*
- 			 * Once we've found a GOP supporting ConOut,
-diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c
-index 5880b48..11b46d9 100644
---- a/arch/x86/kernel/apic/io_apic.c
-+++ b/arch/x86/kernel/apic/io_apic.c
-@@ -2547,7 +2547,9 @@ void __init setup_ioapic_dest(void)
- 			mask = apic->target_cpus();
- 
- 		chip = irq_data_get_irq_chip(idata);
--		chip->irq_set_affinity(idata, mask, false);
-+		/* Might be lapic_chip for irq 0 */
-+		if (chip->irq_set_affinity)
-+			chip->irq_set_affinity(idata, mask, false);
- 	}
- }
- #endif
-diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index 777ad2f..3cebc65 100644
---- a/arch/x86/xen/enlighten.c
-+++ b/arch/x86/xen/enlighten.c
-@@ -33,7 +33,7 @@
- #include <linux/memblock.h>
- #include <linux/edd.h>
- 
--#ifdef CONFIG_KEXEC_CORE
-+#ifdef CONFIG_KEXEC
- #include <linux/kexec.h>
- #endif
- 
-@@ -1804,7 +1804,7 @@ static struct notifier_block xen_hvm_cpu_notifier = {
- 	.notifier_call	= xen_hvm_cpu_notify,
- };
- 
--#ifdef CONFIG_KEXEC_CORE
-+#ifdef CONFIG_KEXEC
- static void xen_hvm_shutdown(void)
- {
- 	native_machine_shutdown();
-@@ -1838,7 +1838,7 @@ static void __init xen_hvm_guest_init(void)
- 	x86_init.irqs.intr_init = xen_init_IRQ;
- 	xen_hvm_init_time_ops();
- 	xen_hvm_init_mmu_ops();
--#ifdef CONFIG_KEXEC_CORE
-+#ifdef CONFIG_KEXEC
- 	machine_ops.shutdown = xen_hvm_shutdown;
- 	machine_ops.crash_shutdown = xen_hvm_crash_shutdown;
- #endif
-diff --git a/block/blk-core.c b/block/blk-core.c
-index 627ed0c..1955ed3 100644
---- a/block/blk-core.c
-+++ b/block/blk-core.c
-@@ -578,7 +578,7 @@ void blk_cleanup_queue(struct request_queue *q)
- 		q->queue_lock = &q->__queue_lock;
- 	spin_unlock_irq(lock);
- 
--	bdi_destroy(&q->backing_dev_info);
-+	bdi_unregister(&q->backing_dev_info);
- 
- 	/* @q is and will stay empty, shutdown and put */
- 	blk_put_queue(q);
-diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c
-index 9115c6d..2735198 100644
---- a/block/blk-mq-tag.c
-+++ b/block/blk-mq-tag.c
-@@ -628,6 +628,7 @@ void blk_mq_free_tags(struct blk_mq_tags *tags)
- {
- 	bt_free(&tags->bitmap_tags);
- 	bt_free(&tags->breserved_tags);
-+	free_cpumask_var(tags->cpumask);
- 	kfree(tags);
- }
- 
-diff --git a/block/blk-mq.c b/block/blk-mq.c
-index c699026..4d6ff52 100644
---- a/block/blk-mq.c
-+++ b/block/blk-mq.c
-@@ -2263,10 +2263,8 @@ void blk_mq_free_tag_set(struct blk_mq_tag_set *set)
- 	int i;
- 
- 	for (i = 0; i < set->nr_hw_queues; i++) {
--		if (set->tags[i]) {
-+		if (set->tags[i])
- 			blk_mq_free_rq_map(set, set->tags[i], i);
--			free_cpumask_var(set->tags[i]->cpumask);
--		}
- 	}
- 
- 	kfree(set->tags);
-diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
-index 6264b38..145ddb6 100644
---- a/block/blk-sysfs.c
-+++ b/block/blk-sysfs.c
-@@ -502,6 +502,7 @@ static void blk_release_queue(struct kobject *kobj)
- 	struct request_queue *q =
- 		container_of(kobj, struct request_queue, kobj);
- 
-+	bdi_exit(&q->backing_dev_info);
- 	blkcg_exit_queue(q);
- 
- 	if (q->elevator) {
-diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c
-index b788f16..b4ffc5b 100644
---- a/crypto/ablkcipher.c
-+++ b/crypto/ablkcipher.c
-@@ -706,7 +706,7 @@ struct crypto_ablkcipher *crypto_alloc_ablkcipher(const char *alg_name,
- err:
- 		if (err != -EAGAIN)
- 			break;
--		if (signal_pending(current)) {
-+		if (fatal_signal_pending(current)) {
- 			err = -EINTR;
- 			break;
- 		}
-diff --git a/crypto/algapi.c b/crypto/algapi.c
-index 3c079b7..b603b34 100644
---- a/crypto/algapi.c
-+++ b/crypto/algapi.c
-@@ -335,7 +335,7 @@ static void crypto_wait_for_test(struct crypto_larval *larval)
- 		crypto_alg_tested(larval->alg.cra_driver_name, 0);
- 	}
- 
--	err = wait_for_completion_interruptible(&larval->completion);
-+	err = wait_for_completion_killable(&larval->completion);
- 	WARN_ON(err);
- 
- out:
-diff --git a/crypto/api.c b/crypto/api.c
-index afe4610..bbc147c 100644
---- a/crypto/api.c
-+++ b/crypto/api.c
-@@ -172,7 +172,7 @@ static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg)
- 	struct crypto_larval *larval = (void *)alg;
- 	long timeout;
- 
--	timeout = wait_for_completion_interruptible_timeout(
-+	timeout = wait_for_completion_killable_timeout(
- 		&larval->completion, 60 * HZ);
- 
- 	alg = larval->adult;
-@@ -445,7 +445,7 @@ struct crypto_tfm *crypto_alloc_base(const char *alg_name, u32 type, u32 mask)
- err:
- 		if (err != -EAGAIN)
- 			break;
--		if (signal_pending(current)) {
-+		if (fatal_signal_pending(current)) {
- 			err = -EINTR;
- 			break;
- 		}
-@@ -562,7 +562,7 @@ void *crypto_alloc_tfm(const char *alg_name,
- err:
- 		if (err != -EAGAIN)
- 			break;
--		if (signal_pending(current)) {
-+		if (fatal_signal_pending(current)) {
- 			err = -EINTR;
- 			break;
- 		}
-diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
-index 08ea286..d59fb4e 100644
---- a/crypto/crypto_user.c
-+++ b/crypto/crypto_user.c
-@@ -376,7 +376,7 @@ static struct crypto_alg *crypto_user_skcipher_alg(const char *name, u32 type,
- 		err = PTR_ERR(alg);
- 		if (err != -EAGAIN)
- 			break;
--		if (signal_pending(current)) {
-+		if (fatal_signal_pending(current)) {
- 			err = -EINTR;
- 			break;
- 		}
-diff --git a/drivers/block/nvme-core.c b/drivers/block/nvme-core.c
-index 7920c27..cf91c11 100644
---- a/drivers/block/nvme-core.c
-+++ b/drivers/block/nvme-core.c
-@@ -597,6 +597,7 @@ static void req_completion(struct nvme_queue *nvmeq, void *ctx,
- 	struct nvme_iod *iod = ctx;
- 	struct request *req = iod_get_private(iod);
- 	struct nvme_cmd_info *cmd_rq = blk_mq_rq_to_pdu(req);
-+	bool requeue = false;
- 
- 	u16 status = le16_to_cpup(&cqe->status) >> 1;
- 
-@@ -605,12 +606,13 @@ static void req_completion(struct nvme_queue *nvmeq, void *ctx,
- 		    && (jiffies - req->start_time) < req->timeout) {
- 			unsigned long flags;
- 
-+			requeue = true;
- 			blk_mq_requeue_request(req);
- 			spin_lock_irqsave(req->q->queue_lock, flags);
- 			if (!blk_queue_stopped(req->q))
- 				blk_mq_kick_requeue_list(req->q);
- 			spin_unlock_irqrestore(req->q->queue_lock, flags);
--			return;
-+			goto release_iod;
- 		}
- 		if (req->cmd_type == REQ_TYPE_DRV_PRIV) {
- 			if (cmd_rq->ctx == CMD_CTX_CANCELLED)
-@@ -631,7 +633,7 @@ static void req_completion(struct nvme_queue *nvmeq, void *ctx,
- 		dev_warn(nvmeq->dev->dev,
- 			"completing aborted command with status:%04x\n",
- 			status);
--
-+ release_iod:
- 	if (iod->nents) {
- 		dma_unmap_sg(nvmeq->dev->dev, iod->sg, iod->nents,
- 			rq_data_dir(req) ? DMA_TO_DEVICE : DMA_FROM_DEVICE);
-@@ -644,7 +646,8 @@ static void req_completion(struct nvme_queue *nvmeq, void *ctx,
- 	}
- 	nvme_free_iod(nvmeq->dev, iod);
- 
--	blk_mq_complete_request(req);
-+	if (likely(!requeue))
-+		blk_mq_complete_request(req);
- }
- 
- /* length is in bytes.  gfp flags indicates whether we may sleep. */
-@@ -1764,7 +1767,7 @@ static int nvme_submit_io(struct nvme_ns *ns, struct nvme_user_io __user *uio)
- 
- 	length = (io.nblocks + 1) << ns->lba_shift;
- 	meta_len = (io.nblocks + 1) * ns->ms;
--	metadata = (void __user *)(unsigned long)io.metadata;
-+	metadata = (void __user *)(uintptr_t)io.metadata;
- 	write = io.opcode & 1;
- 
- 	if (ns->ext) {
-@@ -1804,7 +1807,7 @@ static int nvme_submit_io(struct nvme_ns *ns, struct nvme_user_io __user *uio)
- 	c.rw.metadata = cpu_to_le64(meta_dma);
- 
- 	status = __nvme_submit_sync_cmd(ns->queue, &c, NULL,
--			(void __user *)io.addr, length, NULL, 0);
-+			(void __user *)(uintptr_t)io.addr, length, NULL, 0);
-  unmap:
- 	if (meta) {
- 		if (status == NVME_SC_SUCCESS && !write) {
-@@ -1846,7 +1849,7 @@ static int nvme_user_cmd(struct nvme_dev *dev, struct nvme_ns *ns,
- 		timeout = msecs_to_jiffies(cmd.timeout_ms);
- 
- 	status = __nvme_submit_sync_cmd(ns ? ns->queue : dev->admin_q, &c,
--			NULL, (void __user *)cmd.addr, cmd.data_len,
-+			NULL, (void __user *)(uintptr_t)cmd.addr, cmd.data_len,
- 			&cmd.result, timeout);
- 	if (status >= 0) {
- 		if (put_user(cmd.result, &ucmd->result))
-diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
-index 324bf35..017b7d5 100644
---- a/drivers/block/rbd.c
-+++ b/drivers/block/rbd.c
-@@ -96,6 +96,8 @@ static int atomic_dec_return_safe(atomic_t *v)
- #define RBD_MINORS_PER_MAJOR		256
- #define RBD_SINGLE_MAJOR_PART_SHIFT	4
- 
-+#define RBD_MAX_PARENT_CHAIN_LEN	16
-+
- #define RBD_SNAP_DEV_NAME_PREFIX	"snap_"
- #define RBD_MAX_SNAP_NAME_LEN	\
- 			(NAME_MAX - (sizeof (RBD_SNAP_DEV_NAME_PREFIX) - 1))
-@@ -426,7 +428,7 @@ static ssize_t rbd_add_single_major(struct bus_type *bus, const char *buf,
- 				    size_t count);
- static ssize_t rbd_remove_single_major(struct bus_type *bus, const char *buf,
- 				       size_t count);
--static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping);
-+static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth);
- static void rbd_spec_put(struct rbd_spec *spec);
- 
- static int rbd_dev_id_to_minor(int dev_id)
-@@ -3819,6 +3821,9 @@ static int rbd_init_disk(struct rbd_device *rbd_dev)
- 	q->limits.discard_zeroes_data = 1;
- 
- 	blk_queue_merge_bvec(q, rbd_merge_bvec);
-+	if (!ceph_test_opt(rbd_dev->rbd_client->client, NOCRC))
-+		q->backing_dev_info.capabilities |= BDI_CAP_STABLE_WRITES;
-+
- 	disk->queue = q;
- 
- 	q->queuedata = rbd_dev;
-@@ -5169,44 +5174,51 @@ out_err:
- 	return ret;
- }
- 
--static int rbd_dev_probe_parent(struct rbd_device *rbd_dev)
-+/*
-+ * @depth is rbd_dev_image_probe() -> rbd_dev_probe_parent() ->
-+ * rbd_dev_image_probe() recursion depth, which means it's also the
-+ * length of the already discovered part of the parent chain.
-+ */
-+static int rbd_dev_probe_parent(struct rbd_device *rbd_dev, int depth)
- {
- 	struct rbd_device *parent = NULL;
--	struct rbd_spec *parent_spec;
--	struct rbd_client *rbdc;
- 	int ret;
- 
- 	if (!rbd_dev->parent_spec)
- 		return 0;
--	/*
--	 * We need to pass a reference to the client and the parent
--	 * spec when creating the parent rbd_dev.  Images related by
--	 * parent/child relationships always share both.
--	 */
--	parent_spec = rbd_spec_get(rbd_dev->parent_spec);
--	rbdc = __rbd_get_client(rbd_dev->rbd_client);
- 
--	ret = -ENOMEM;
--	parent = rbd_dev_create(rbdc, parent_spec, NULL);
--	if (!parent)
-+	if (++depth > RBD_MAX_PARENT_CHAIN_LEN) {
-+		pr_info("parent chain is too long (%d)\n", depth);
-+		ret = -EINVAL;
- 		goto out_err;
-+	}
- 
--	ret = rbd_dev_image_probe(parent, false);
-+	parent = rbd_dev_create(rbd_dev->rbd_client, rbd_dev->parent_spec,
-+				NULL);
-+	if (!parent) {
-+		ret = -ENOMEM;
-+		goto out_err;
-+	}
-+
-+	/*
-+	 * Images related by parent/child relationships always share
-+	 * rbd_client and spec/parent_spec, so bump their refcounts.
-+	 */
-+	__rbd_get_client(rbd_dev->rbd_client);
-+	rbd_spec_get(rbd_dev->parent_spec);
-+
-+	ret = rbd_dev_image_probe(parent, depth);
- 	if (ret < 0)
- 		goto out_err;
-+
- 	rbd_dev->parent = parent;
- 	atomic_set(&rbd_dev->parent_ref, 1);
--
- 	return 0;
-+
- out_err:
--	if (parent) {
--		rbd_dev_unparent(rbd_dev);
-+	rbd_dev_unparent(rbd_dev);
-+	if (parent)
- 		rbd_dev_destroy(parent);
--	} else {
--		rbd_put_client(rbdc);
--		rbd_spec_put(parent_spec);
--	}
--
- 	return ret;
- }
- 
-@@ -5324,7 +5336,7 @@ static void rbd_dev_image_release(struct rbd_device *rbd_dev)
-  * parent), initiate a watch on its header object before using that
-  * object to get detailed information about the rbd image.
-  */
--static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping)
-+static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth)
- {
- 	int ret;
- 
-@@ -5342,7 +5354,7 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping)
- 	if (ret)
- 		goto err_out_format;
- 
--	if (mapping) {
-+	if (!depth) {
- 		ret = rbd_dev_header_watch_sync(rbd_dev);
- 		if (ret) {
- 			if (ret == -ENOENT)
-@@ -5363,7 +5375,7 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping)
- 	 * Otherwise this is a parent image, identified by pool, image
- 	 * and snap ids - need to fill in names for those ids.
- 	 */
--	if (mapping)
-+	if (!depth)
- 		ret = rbd_spec_fill_snap_id(rbd_dev);
- 	else
- 		ret = rbd_spec_fill_names(rbd_dev);
-@@ -5385,12 +5397,12 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping)
- 		 * Need to warn users if this image is the one being
- 		 * mapped and has a parent.
- 		 */
--		if (mapping && rbd_dev->parent_spec)
-+		if (!depth && rbd_dev->parent_spec)
- 			rbd_warn(rbd_dev,
- 				 "WARNING: kernel layering is EXPERIMENTAL!");
- 	}
- 
--	ret = rbd_dev_probe_parent(rbd_dev);
-+	ret = rbd_dev_probe_parent(rbd_dev, depth);
- 	if (ret)
- 		goto err_out_probe;
- 
-@@ -5401,7 +5413,7 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping)
- err_out_probe:
- 	rbd_dev_unprobe(rbd_dev);
- err_out_watch:
--	if (mapping)
-+	if (!depth)
- 		rbd_dev_header_unwatch_sync(rbd_dev);
- out_header_name:
- 	kfree(rbd_dev->header_name);
-@@ -5464,7 +5476,7 @@ static ssize_t do_rbd_add(struct bus_type *bus,
- 	spec = NULL;		/* rbd_dev now owns this */
- 	rbd_opts = NULL;	/* rbd_dev now owns this */
- 
--	rc = rbd_dev_image_probe(rbd_dev, true);
-+	rc = rbd_dev_image_probe(rbd_dev, 0);
- 	if (rc < 0)
- 		goto err_out_rbd_dev;
- 
-diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c
-index 7a8a73f..d68b08a 100644
---- a/drivers/block/xen-blkfront.c
-+++ b/drivers/block/xen-blkfront.c
-@@ -1984,7 +1984,8 @@ static void blkback_changed(struct xenbus_device *dev,
- 			break;
- 		/* Missed the backend's Closing state -- fallthrough */
- 	case XenbusStateClosing:
--		blkfront_closing(info);
-+		if (info)
-+			blkfront_closing(info);
- 		break;
- 	}
- }
-diff --git a/drivers/bus/arm-ccn.c b/drivers/bus/arm-ccn.c
-index 7d9879e..395cb7f 100644
---- a/drivers/bus/arm-ccn.c
-+++ b/drivers/bus/arm-ccn.c
-@@ -1188,7 +1188,8 @@ static int arm_ccn_pmu_cpu_notifier(struct notifier_block *nb,
- 			break;
- 		perf_pmu_migrate_context(&dt->pmu, cpu, target);
- 		cpumask_set_cpu(target, &dt->cpu);
--		WARN_ON(irq_set_affinity(ccn->irq, &dt->cpu) != 0);
-+		if (ccn->irq)
-+			WARN_ON(irq_set_affinity(ccn->irq, &dt->cpu) != 0);
- 	default:
- 		break;
- 	}
-diff --git a/drivers/clk/clkdev.c b/drivers/clk/clkdev.c
-index c0eaf09..779b6ff 100644
---- a/drivers/clk/clkdev.c
-+++ b/drivers/clk/clkdev.c
-@@ -333,7 +333,8 @@ int clk_add_alias(const char *alias, const char *alias_dev_name,
- 	if (IS_ERR(r))
- 		return PTR_ERR(r);
- 
--	l = clkdev_create(r, alias, "%s", alias_dev_name);
-+	l = clkdev_create(r, alias, alias_dev_name ? "%s" : NULL,
-+			  alias_dev_name);
- 	clk_put(r);
- 
- 	return l ? 0 : -ENODEV;
-diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
-index fcb929e..aba2117 100644
---- a/drivers/cpufreq/intel_pstate.c
-+++ b/drivers/cpufreq/intel_pstate.c
-@@ -766,6 +766,11 @@ static inline void intel_pstate_sample(struct cpudata *cpu)
- 	local_irq_save(flags);
- 	rdmsrl(MSR_IA32_APERF, aperf);
- 	rdmsrl(MSR_IA32_MPERF, mperf);
-+	if (cpu->prev_mperf == mperf) {
-+		local_irq_restore(flags);
-+		return;
-+	}
-+
- 	tsc = native_read_tsc();
- 	local_irq_restore(flags);
- 
-diff --git a/drivers/edac/sb_edac.c b/drivers/edac/sb_edac.c
-index ca78311..91cf710 100644
---- a/drivers/edac/sb_edac.c
-+++ b/drivers/edac/sb_edac.c
-@@ -1648,6 +1648,7 @@ static int sbridge_mci_bind_devs(struct mem_ctl_info *mci,
- {
- 	struct sbridge_pvt *pvt = mci->pvt_info;
- 	struct pci_dev *pdev;
-+	u8 saw_chan_mask = 0;
- 	int i;
- 
- 	for (i = 0; i < sbridge_dev->n_devs; i++) {
-@@ -1681,6 +1682,7 @@ static int sbridge_mci_bind_devs(struct mem_ctl_info *mci,
- 		{
- 			int id = pdev->device - PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_TAD0;
- 			pvt->pci_tad[id] = pdev;
-+			saw_chan_mask |= 1 << id;
- 		}
- 			break;
- 		case PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_DDRIO:
-@@ -1701,10 +1703,8 @@ static int sbridge_mci_bind_devs(struct mem_ctl_info *mci,
- 	    !pvt-> pci_tad || !pvt->pci_ras  || !pvt->pci_ta)
- 		goto enodev;
- 
--	for (i = 0; i < NUM_CHANNELS; i++) {
--		if (!pvt->pci_tad[i])
--			goto enodev;
--	}
-+	if (saw_chan_mask != 0x0f)
-+		goto enodev;
- 	return 0;
- 
- enodev:
-diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu.h b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
-index f7b49d5c..e3305a5 100644
---- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h
-+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
-@@ -1583,6 +1583,7 @@ struct amdgpu_pm {
- 	u8                      fan_max_rpm;
- 	/* dpm */
- 	bool                    dpm_enabled;
-+	bool                    sysfs_initialized;
- 	struct amdgpu_dpm       dpm;
- 	const struct firmware	*fw;	/* SMC firmware */
- 	uint32_t                fw_version;
-diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
-index ed13baa..91c7556 100644
---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
-+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
-@@ -693,6 +693,9 @@ int amdgpu_pm_sysfs_init(struct amdgpu_device *adev)
- {
- 	int ret;
- 
-+	if (adev->pm.sysfs_initialized)
-+		return 0;
-+
- 	if (adev->pm.funcs->get_temperature == NULL)
- 		return 0;
- 	adev->pm.int_hwmon_dev = hwmon_device_register_with_groups(adev->dev,
-@@ -721,6 +724,8 @@ int amdgpu_pm_sysfs_init(struct amdgpu_device *adev)
- 		return ret;
- 	}
- 
-+	adev->pm.sysfs_initialized = true;
-+
- 	return 0;
- }
- 
-diff --git a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c
-index 9745ed3..7e9154c 100644
---- a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c
-+++ b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c
-@@ -2997,6 +2997,9 @@ static int kv_dpm_late_init(void *handle)
- 	struct amdgpu_device *adev = (struct amdgpu_device *)handle;
- 	int ret;
- 
-+	if (!amdgpu_dpm)
-+		return 0;
-+
- 	/* init the sysfs and debugfs files late */
- 	ret = amdgpu_pm_sysfs_init(adev);
- 	if (ret)
-diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
-index fed7483..4e8d72d 100644
---- a/drivers/gpu/drm/drm_crtc.c
-+++ b/drivers/gpu/drm/drm_crtc.c
-@@ -4221,7 +4221,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
- 	struct drm_property_blob *blob;
- 	int ret;
- 
--	if (!length)
-+	if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
- 		return ERR_PTR(-EINVAL);
- 
- 	blob = kzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
-@@ -4573,7 +4573,7 @@ int drm_mode_createblob_ioctl(struct drm_device *dev,
- 	 * not associated with any file_priv. */
- 	mutex_lock(&dev->mode_config.blob_lock);
- 	out_resp->blob_id = blob->base.id;
--	list_add_tail(&file_priv->blobs, &blob->head_file);
-+	list_add_tail(&blob->head_file, &file_priv->blobs);
- 	mutex_unlock(&dev->mode_config.blob_lock);
- 
- 	return 0;
-diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
-index 27a2426..1f94219 100644
---- a/drivers/gpu/drm/drm_dp_mst_topology.c
-+++ b/drivers/gpu/drm/drm_dp_mst_topology.c
-@@ -1193,17 +1193,18 @@ static struct drm_dp_mst_branch *drm_dp_get_mst_branch_device(struct drm_dp_mst_
- 
- 		list_for_each_entry(port, &mstb->ports, next) {
- 			if (port->port_num == port_num) {
--				if (!port->mstb) {
-+				mstb = port->mstb;
-+				if (!mstb) {
- 					DRM_ERROR("failed to lookup MSTB with lct %d, rad %02x\n", lct, rad[0]);
--					return NULL;
-+					goto out;
- 				}
- 
--				mstb = port->mstb;
- 				break;
- 			}
- 		}
- 	}
- 	kref_get(&mstb->kref);
-+out:
- 	mutex_unlock(&mgr->lock);
- 	return mstb;
- }
-diff --git a/drivers/gpu/drm/i915/i915_gem_userptr.c b/drivers/gpu/drm/i915/i915_gem_userptr.c
-index 8fd431b..a96b900 100644
---- a/drivers/gpu/drm/i915/i915_gem_userptr.c
-+++ b/drivers/gpu/drm/i915/i915_gem_userptr.c
-@@ -804,7 +804,10 @@ static const struct drm_i915_gem_object_ops i915_gem_userptr_ops = {
-  * Also note, that the object created here is not currently a "first class"
-  * object, in that several ioctls are banned. These are the CPU access
-  * ioctls: mmap(), pwrite and pread. In practice, you are expected to use
-- * direct access via your pointer rather than use those ioctls.
-+ * direct access via your pointer rather than use those ioctls. Another
-+ * restriction is that we do not allow userptr surfaces to be pinned to the
-+ * hardware and so we reject any attempt to create a framebuffer out of a
-+ * userptr.
-  *
-  * If you think this is a good interface to use to pass GPU memory between
-  * drivers, please use dma-buf instead. In fact, wherever possible use
-diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index 107c6c0..10b1b65 100644
---- a/drivers/gpu/drm/i915/intel_display.c
-+++ b/drivers/gpu/drm/i915/intel_display.c
-@@ -1729,6 +1729,8 @@ static void i9xx_enable_pll(struct intel_crtc *crtc)
- 			   I915_READ(DPLL(!crtc->pipe)) | DPLL_DVO_2X_MODE);
- 	}
- 
-+	I915_WRITE(reg, dpll);
-+
- 	/* Wait for the clocks to stabilize. */
- 	POSTING_READ(reg);
- 	udelay(150);
-@@ -14070,6 +14072,11 @@ static int intel_user_framebuffer_create_handle(struct drm_framebuffer *fb,
- 	struct intel_framebuffer *intel_fb = to_intel_framebuffer(fb);
- 	struct drm_i915_gem_object *obj = intel_fb->obj;
- 
-+	if (obj->userptr.mm) {
-+		DRM_DEBUG("attempting to use a userptr for a framebuffer, denied\n");
-+		return -EINVAL;
-+	}
-+
- 	return drm_gem_handle_create(file, &obj->base, handle);
- }
- 
-diff --git a/drivers/gpu/drm/i915/intel_lrc.c b/drivers/gpu/drm/i915/intel_lrc.c
-index 7f2161a..504728b 100644
---- a/drivers/gpu/drm/i915/intel_lrc.c
-+++ b/drivers/gpu/drm/i915/intel_lrc.c
-@@ -1250,6 +1250,7 @@ static int gen8_emit_flush_render(struct intel_ringbuffer *ringbuf,
- 	if (flush_domains) {
- 		flags |= PIPE_CONTROL_RENDER_TARGET_CACHE_FLUSH;
- 		flags |= PIPE_CONTROL_DEPTH_CACHE_FLUSH;
-+		flags |= PIPE_CONTROL_FLUSH_ENABLE;
- 	}
- 
- 	if (invalidate_domains) {
-diff --git a/drivers/gpu/drm/i915/intel_ringbuffer.c b/drivers/gpu/drm/i915/intel_ringbuffer.c
-index 3817a6f..ba672aa 100644
---- a/drivers/gpu/drm/i915/intel_ringbuffer.c
-+++ b/drivers/gpu/drm/i915/intel_ringbuffer.c
-@@ -342,6 +342,7 @@ gen7_render_ring_flush(struct intel_engine_cs *ring,
- 	if (flush_domains) {
- 		flags |= PIPE_CONTROL_RENDER_TARGET_CACHE_FLUSH;
- 		flags |= PIPE_CONTROL_DEPTH_CACHE_FLUSH;
-+		flags |= PIPE_CONTROL_FLUSH_ENABLE;
- 	}
- 	if (invalidate_domains) {
- 		flags |= PIPE_CONTROL_TLB_INVALIDATE;
-@@ -412,6 +413,7 @@ gen8_render_ring_flush(struct intel_engine_cs *ring,
- 	if (flush_domains) {
- 		flags |= PIPE_CONTROL_RENDER_TARGET_CACHE_FLUSH;
- 		flags |= PIPE_CONTROL_DEPTH_CACHE_FLUSH;
-+		flags |= PIPE_CONTROL_FLUSH_ENABLE;
- 	}
- 	if (invalidate_domains) {
- 		flags |= PIPE_CONTROL_TLB_INVALIDATE;
-diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
-index af1ee51..0b22394 100644
---- a/drivers/gpu/drm/nouveau/nouveau_gem.c
-+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
-@@ -227,11 +227,12 @@ nouveau_gem_info(struct drm_file *file_priv, struct drm_gem_object *gem,
- 	struct nouveau_bo *nvbo = nouveau_gem_object(gem);
- 	struct nvkm_vma *vma;
- 
--	if (nvbo->bo.mem.mem_type == TTM_PL_TT)
-+	if (is_power_of_2(nvbo->valid_domains))
-+		rep->domain = nvbo->valid_domains;
-+	else if (nvbo->bo.mem.mem_type == TTM_PL_TT)
- 		rep->domain = NOUVEAU_GEM_DOMAIN_GART;
- 	else
- 		rep->domain = NOUVEAU_GEM_DOMAIN_VRAM;
--
- 	rep->offset = nvbo->bo.offset;
- 	if (cli->vm) {
- 		vma = nouveau_bo_vma_find(nvbo, cli->vm);
-diff --git a/drivers/gpu/drm/radeon/atombios_encoders.c b/drivers/gpu/drm/radeon/atombios_encoders.c
-index 65adb9c..bb29214 100644
---- a/drivers/gpu/drm/radeon/atombios_encoders.c
-+++ b/drivers/gpu/drm/radeon/atombios_encoders.c
-@@ -237,6 +237,7 @@ void radeon_atom_backlight_init(struct radeon_encoder *radeon_encoder,
- 	backlight_update_status(bd);
- 
- 	DRM_INFO("radeon atom DIG backlight initialized\n");
-+	rdev->mode_info.bl_encoder = radeon_encoder;
- 
- 	return;
- 
-@@ -1624,9 +1625,14 @@ radeon_atom_encoder_dpms_avivo(struct drm_encoder *encoder, int mode)
- 		} else
- 			atom_execute_table(rdev->mode_info.atom_context, index, (uint32_t *)&args);
- 		if (radeon_encoder->devices & (ATOM_DEVICE_LCD_SUPPORT)) {
--			struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv;
-+			if (rdev->mode_info.bl_encoder) {
-+				struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv;
- 
--			atombios_set_backlight_level(radeon_encoder, dig->backlight_level);
-+				atombios_set_backlight_level(radeon_encoder, dig->backlight_level);
-+			} else {
-+				args.ucAction = ATOM_LCD_BLON;
-+				atom_execute_table(rdev->mode_info.atom_context, index, (uint32_t *)&args);
-+			}
- 		}
- 		break;
- 	case DRM_MODE_DPMS_STANDBY:
-@@ -1706,8 +1712,13 @@ radeon_atom_encoder_dpms_dig(struct drm_encoder *encoder, int mode)
- 			if (ASIC_IS_DCE4(rdev))
- 				atombios_dig_encoder_setup(encoder, ATOM_ENCODER_CMD_DP_VIDEO_ON, 0);
- 		}
--		if (radeon_encoder->devices & (ATOM_DEVICE_LCD_SUPPORT))
--			atombios_set_backlight_level(radeon_encoder, dig->backlight_level);
-+		if (radeon_encoder->devices & (ATOM_DEVICE_LCD_SUPPORT)) {
-+			if (rdev->mode_info.bl_encoder)
-+				atombios_set_backlight_level(radeon_encoder, dig->backlight_level);
-+			else
-+				atombios_dig_transmitter_setup(encoder,
-+							       ATOM_TRANSMITTER_ACTION_LCD_BLON, 0, 0);
-+		}
- 		if (ext_encoder)
- 			atombios_external_encoder_setup(encoder, ext_encoder, ATOM_ENABLE);
- 		break;
-diff --git a/drivers/gpu/drm/radeon/radeon.h b/drivers/gpu/drm/radeon/radeon.h
-index f03b7eb..b6cbd81 100644
---- a/drivers/gpu/drm/radeon/radeon.h
-+++ b/drivers/gpu/drm/radeon/radeon.h
-@@ -1658,6 +1658,7 @@ struct radeon_pm {
- 	u8                      fan_max_rpm;
- 	/* dpm */
- 	bool                    dpm_enabled;
-+	bool                    sysfs_initialized;
- 	struct radeon_dpm       dpm;
- };
- 
-diff --git a/drivers/gpu/drm/radeon/radeon_encoders.c b/drivers/gpu/drm/radeon/radeon_encoders.c
-index ef99917..c6ee802 100644
---- a/drivers/gpu/drm/radeon/radeon_encoders.c
-+++ b/drivers/gpu/drm/radeon/radeon_encoders.c
-@@ -194,7 +194,6 @@ static void radeon_encoder_add_backlight(struct radeon_encoder *radeon_encoder,
- 			radeon_atom_backlight_init(radeon_encoder, connector);
- 		else
- 			radeon_legacy_backlight_init(radeon_encoder, connector);
--		rdev->mode_info.bl_encoder = radeon_encoder;
- 	}
- }
- 
-diff --git a/drivers/gpu/drm/radeon/radeon_legacy_encoders.c b/drivers/gpu/drm/radeon/radeon_legacy_encoders.c
-index 4571530..30de433 100644
---- a/drivers/gpu/drm/radeon/radeon_legacy_encoders.c
-+++ b/drivers/gpu/drm/radeon/radeon_legacy_encoders.c
-@@ -441,6 +441,7 @@ void radeon_legacy_backlight_init(struct radeon_encoder *radeon_encoder,
- 	backlight_update_status(bd);
- 
- 	DRM_INFO("radeon legacy LVDS backlight initialized\n");
-+	rdev->mode_info.bl_encoder = radeon_encoder;
- 
- 	return;
- 
-diff --git a/drivers/gpu/drm/radeon/radeon_pm.c b/drivers/gpu/drm/radeon/radeon_pm.c
-index 948c331..9176432 100644
---- a/drivers/gpu/drm/radeon/radeon_pm.c
-+++ b/drivers/gpu/drm/radeon/radeon_pm.c
-@@ -720,10 +720,14 @@ static umode_t hwmon_attributes_visible(struct kobject *kobj,
- 	struct radeon_device *rdev = dev_get_drvdata(dev);
- 	umode_t effective_mode = attr->mode;
- 
--	/* Skip limit attributes if DPM is not enabled */
-+	/* Skip attributes if DPM is not enabled */
- 	if (rdev->pm.pm_method != PM_METHOD_DPM &&
- 	    (attr == &sensor_dev_attr_temp1_crit.dev_attr.attr ||
--	     attr == &sensor_dev_attr_temp1_crit_hyst.dev_attr.attr))
-+	     attr == &sensor_dev_attr_temp1_crit_hyst.dev_attr.attr ||
-+	     attr == &sensor_dev_attr_pwm1.dev_attr.attr ||
-+	     attr == &sensor_dev_attr_pwm1_enable.dev_attr.attr ||
-+	     attr == &sensor_dev_attr_pwm1_max.dev_attr.attr ||
-+	     attr == &sensor_dev_attr_pwm1_min.dev_attr.attr))
- 		return 0;
- 
- 	/* Skip fan attributes if fan is not present */
-@@ -1529,19 +1533,23 @@ int radeon_pm_late_init(struct radeon_device *rdev)
- 
- 	if (rdev->pm.pm_method == PM_METHOD_DPM) {
- 		if (rdev->pm.dpm_enabled) {
--			ret = device_create_file(rdev->dev, &dev_attr_power_dpm_state);
--			if (ret)
--				DRM_ERROR("failed to create device file for dpm state\n");
--			ret = device_create_file(rdev->dev, &dev_attr_power_dpm_force_performance_level);
--			if (ret)
--				DRM_ERROR("failed to create device file for dpm state\n");
--			/* XXX: these are noops for dpm but are here for backwards compat */
--			ret = device_create_file(rdev->dev, &dev_attr_power_profile);
--			if (ret)
--				DRM_ERROR("failed to create device file for power profile\n");
--			ret = device_create_file(rdev->dev, &dev_attr_power_method);
--			if (ret)
--				DRM_ERROR("failed to create device file for power method\n");
-+			if (!rdev->pm.sysfs_initialized) {
-+				ret = device_create_file(rdev->dev, &dev_attr_power_dpm_state);
-+				if (ret)
-+					DRM_ERROR("failed to create device file for dpm state\n");
-+				ret = device_create_file(rdev->dev, &dev_attr_power_dpm_force_performance_level);
-+				if (ret)
-+					DRM_ERROR("failed to create device file for dpm state\n");
-+				/* XXX: these are noops for dpm but are here for backwards compat */
-+				ret = device_create_file(rdev->dev, &dev_attr_power_profile);
-+				if (ret)
-+					DRM_ERROR("failed to create device file for power profile\n");
-+				ret = device_create_file(rdev->dev, &dev_attr_power_method);
-+				if (ret)
-+					DRM_ERROR("failed to create device file for power method\n");
-+				if (!ret)
-+					rdev->pm.sysfs_initialized = true;
-+			}
- 
- 			mutex_lock(&rdev->pm.mutex);
- 			ret = radeon_dpm_late_enable(rdev);
-@@ -1557,7 +1565,8 @@ int radeon_pm_late_init(struct radeon_device *rdev)
- 			}
- 		}
- 	} else {
--		if (rdev->pm.num_power_states > 1) {
-+		if ((rdev->pm.num_power_states > 1) &&
-+		    (!rdev->pm.sysfs_initialized)) {
- 			/* where's the best place to put these? */
- 			ret = device_create_file(rdev->dev, &dev_attr_power_profile);
- 			if (ret)
-@@ -1565,6 +1574,8 @@ int radeon_pm_late_init(struct radeon_device *rdev)
- 			ret = device_create_file(rdev->dev, &dev_attr_power_method);
- 			if (ret)
- 				DRM_ERROR("failed to create device file for power method\n");
-+			if (!ret)
-+				rdev->pm.sysfs_initialized = true;
- 		}
- 	}
- 	return ret;
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
-index 620bb5c..15a8d77 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
-@@ -1458,6 +1458,9 @@ static void __exit vmwgfx_exit(void)
- 	drm_pci_exit(&driver, &vmw_pci_driver);
- }
- 
-+MODULE_INFO(vmw_patch, "ed7d78b2");
-+MODULE_INFO(vmw_patch, "54c12bc3");
-+
- module_init(vmwgfx_init);
- module_exit(vmwgfx_exit);
- 
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
-index d26a6da..d8896ed 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
-@@ -636,7 +636,8 @@ extern int vmw_user_dmabuf_alloc(struct vmw_private *dev_priv,
- 				 uint32_t size,
- 				 bool shareable,
- 				 uint32_t *handle,
--				 struct vmw_dma_buffer **p_dma_buf);
-+				 struct vmw_dma_buffer **p_dma_buf,
-+				 struct ttm_base_object **p_base);
- extern int vmw_user_dmabuf_reference(struct ttm_object_file *tfile,
- 				     struct vmw_dma_buffer *dma_buf,
- 				     uint32_t *handle);
-@@ -650,7 +651,8 @@ extern uint32_t vmw_dmabuf_validate_node(struct ttm_buffer_object *bo,
- 					 uint32_t cur_validate_node);
- extern void vmw_dmabuf_validate_clear(struct ttm_buffer_object *bo);
- extern int vmw_user_dmabuf_lookup(struct ttm_object_file *tfile,
--				  uint32_t id, struct vmw_dma_buffer **out);
-+				  uint32_t id, struct vmw_dma_buffer **out,
-+				  struct ttm_base_object **base);
- extern int vmw_stream_claim_ioctl(struct drm_device *dev, void *data,
- 				  struct drm_file *file_priv);
- extern int vmw_stream_unref_ioctl(struct drm_device *dev, void *data,
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
-index 97ad3bc..aee1c6c 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
-@@ -887,7 +887,8 @@ static int vmw_translate_mob_ptr(struct vmw_private *dev_priv,
- 	struct vmw_relocation *reloc;
- 	int ret;
- 
--	ret = vmw_user_dmabuf_lookup(sw_context->fp->tfile, handle, &vmw_bo);
-+	ret = vmw_user_dmabuf_lookup(sw_context->fp->tfile, handle, &vmw_bo,
-+				     NULL);
- 	if (unlikely(ret != 0)) {
- 		DRM_ERROR("Could not find or use MOB buffer.\n");
- 		ret = -EINVAL;
-@@ -949,7 +950,8 @@ static int vmw_translate_guest_ptr(struct vmw_private *dev_priv,
- 	struct vmw_relocation *reloc;
- 	int ret;
- 
--	ret = vmw_user_dmabuf_lookup(sw_context->fp->tfile, handle, &vmw_bo);
-+	ret = vmw_user_dmabuf_lookup(sw_context->fp->tfile, handle, &vmw_bo,
-+				     NULL);
- 	if (unlikely(ret != 0)) {
- 		DRM_ERROR("Could not find or use GMR region.\n");
- 		ret = -EINVAL;
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c b/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c
-index 87e39f6..e189898 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c
-@@ -484,7 +484,7 @@ int vmw_overlay_ioctl(struct drm_device *dev, void *data,
- 		goto out_unlock;
- 	}
- 
--	ret = vmw_user_dmabuf_lookup(tfile, arg->handle, &buf);
-+	ret = vmw_user_dmabuf_lookup(tfile, arg->handle, &buf, NULL);
- 	if (ret)
- 		goto out_unlock;
- 
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
-index 210ef15..c5b4c47 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
-@@ -356,7 +356,7 @@ int vmw_user_lookup_handle(struct vmw_private *dev_priv,
- 	}
- 
- 	*out_surf = NULL;
--	ret = vmw_user_dmabuf_lookup(tfile, handle, out_buf);
-+	ret = vmw_user_dmabuf_lookup(tfile, handle, out_buf, NULL);
- 	return ret;
- }
- 
-@@ -483,7 +483,8 @@ int vmw_user_dmabuf_alloc(struct vmw_private *dev_priv,
- 			  uint32_t size,
- 			  bool shareable,
- 			  uint32_t *handle,
--			  struct vmw_dma_buffer **p_dma_buf)
-+			  struct vmw_dma_buffer **p_dma_buf,
-+			  struct ttm_base_object **p_base)
- {
- 	struct vmw_user_dma_buffer *user_bo;
- 	struct ttm_buffer_object *tmp;
-@@ -517,6 +518,10 @@ int vmw_user_dmabuf_alloc(struct vmw_private *dev_priv,
- 	}
- 
- 	*p_dma_buf = &user_bo->dma;
-+	if (p_base) {
-+		*p_base = &user_bo->prime.base;
-+		kref_get(&(*p_base)->refcount);
-+	}
- 	*handle = user_bo->prime.base.hash.key;
- 
- out_no_base_object:
-@@ -633,6 +638,7 @@ int vmw_user_dmabuf_synccpu_ioctl(struct drm_device *dev, void *data,
- 	struct vmw_dma_buffer *dma_buf;
- 	struct vmw_user_dma_buffer *user_bo;
- 	struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile;
-+	struct ttm_base_object *buffer_base;
- 	int ret;
- 
- 	if ((arg->flags & (drm_vmw_synccpu_read | drm_vmw_synccpu_write)) == 0
-@@ -645,7 +651,8 @@ int vmw_user_dmabuf_synccpu_ioctl(struct drm_device *dev, void *data,
- 
- 	switch (arg->op) {
- 	case drm_vmw_synccpu_grab:
--		ret = vmw_user_dmabuf_lookup(tfile, arg->handle, &dma_buf);
-+		ret = vmw_user_dmabuf_lookup(tfile, arg->handle, &dma_buf,
-+					     &buffer_base);
- 		if (unlikely(ret != 0))
- 			return ret;
- 
-@@ -653,6 +660,7 @@ int vmw_user_dmabuf_synccpu_ioctl(struct drm_device *dev, void *data,
- 				       dma);
- 		ret = vmw_user_dmabuf_synccpu_grab(user_bo, tfile, arg->flags);
- 		vmw_dmabuf_unreference(&dma_buf);
-+		ttm_base_object_unref(&buffer_base);
- 		if (unlikely(ret != 0 && ret != -ERESTARTSYS &&
- 			     ret != -EBUSY)) {
- 			DRM_ERROR("Failed synccpu grab on handle 0x%08x.\n",
-@@ -694,7 +702,8 @@ int vmw_dmabuf_alloc_ioctl(struct drm_device *dev, void *data,
- 		return ret;
- 
- 	ret = vmw_user_dmabuf_alloc(dev_priv, vmw_fpriv(file_priv)->tfile,
--				    req->size, false, &handle, &dma_buf);
-+				    req->size, false, &handle, &dma_buf,
-+				    NULL);
- 	if (unlikely(ret != 0))
- 		goto out_no_dmabuf;
- 
-@@ -723,7 +732,8 @@ int vmw_dmabuf_unref_ioctl(struct drm_device *dev, void *data,
- }
- 
- int vmw_user_dmabuf_lookup(struct ttm_object_file *tfile,
--			   uint32_t handle, struct vmw_dma_buffer **out)
-+			   uint32_t handle, struct vmw_dma_buffer **out,
-+			   struct ttm_base_object **p_base)
- {
- 	struct vmw_user_dma_buffer *vmw_user_bo;
- 	struct ttm_base_object *base;
-@@ -745,7 +755,10 @@ int vmw_user_dmabuf_lookup(struct ttm_object_file *tfile,
- 	vmw_user_bo = container_of(base, struct vmw_user_dma_buffer,
- 				   prime.base);
- 	(void)ttm_bo_reference(&vmw_user_bo->dma.base);
--	ttm_base_object_unref(&base);
-+	if (p_base)
-+		*p_base = base;
-+	else
-+		ttm_base_object_unref(&base);
- 	*out = &vmw_user_bo->dma;
- 
- 	return 0;
-@@ -1006,7 +1019,7 @@ int vmw_dumb_create(struct drm_file *file_priv,
- 
- 	ret = vmw_user_dmabuf_alloc(dev_priv, vmw_fpriv(file_priv)->tfile,
- 				    args->size, false, &args->handle,
--				    &dma_buf);
-+				    &dma_buf, NULL);
- 	if (unlikely(ret != 0))
- 		goto out_no_dmabuf;
- 
-@@ -1034,7 +1047,7 @@ int vmw_dumb_map_offset(struct drm_file *file_priv,
- 	struct vmw_dma_buffer *out_buf;
- 	int ret;
- 
--	ret = vmw_user_dmabuf_lookup(tfile, handle, &out_buf);
-+	ret = vmw_user_dmabuf_lookup(tfile, handle, &out_buf, NULL);
- 	if (ret != 0)
- 		return -EINVAL;
- 
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c b/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c
-index 6a4584a..d2751ad 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c
-@@ -470,7 +470,7 @@ int vmw_shader_define_ioctl(struct drm_device *dev, void *data,
- 
- 	if (arg->buffer_handle != SVGA3D_INVALID_ID) {
- 		ret = vmw_user_dmabuf_lookup(tfile, arg->buffer_handle,
--					     &buffer);
-+					     &buffer, NULL);
- 		if (unlikely(ret != 0)) {
- 			DRM_ERROR("Could not find buffer for shader "
- 				  "creation.\n");
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-index 4ecdbf3..17a4107 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-@@ -43,6 +43,7 @@ struct vmw_user_surface {
- 	struct vmw_surface srf;
- 	uint32_t size;
- 	struct drm_master *master;
-+	struct ttm_base_object *backup_base;
- };
- 
- /**
-@@ -652,6 +653,8 @@ static void vmw_user_surface_base_release(struct ttm_base_object **p_base)
- 	struct vmw_resource *res = &user_srf->srf.res;
- 
- 	*p_base = NULL;
-+	if (user_srf->backup_base)
-+		ttm_base_object_unref(&user_srf->backup_base);
- 	vmw_resource_unreference(&res);
- }
- 
-@@ -846,7 +849,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
- 					    res->backup_size,
- 					    true,
- 					    &backup_handle,
--					    &res->backup);
-+					    &res->backup,
-+					    &user_srf->backup_base);
- 		if (unlikely(ret != 0)) {
- 			vmw_resource_unreference(&res);
- 			goto out_unlock;
-@@ -1309,7 +1313,8 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
- 
- 	if (req->buffer_handle != SVGA3D_INVALID_ID) {
- 		ret = vmw_user_dmabuf_lookup(tfile, req->buffer_handle,
--					     &res->backup);
-+					     &res->backup,
-+					     &user_srf->backup_base);
- 	} else if (req->drm_surface_flags &
- 		   drm_vmw_surface_flag_create_buffer)
- 		ret = vmw_user_dmabuf_alloc(dev_priv, tfile,
-@@ -1317,7 +1322,8 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
- 					    req->drm_surface_flags &
- 					    drm_vmw_surface_flag_shareable,
- 					    &backup_handle,
--					    &res->backup);
-+					    &res->backup,
-+					    &user_srf->backup_base);
- 
- 	if (unlikely(ret != 0)) {
- 		vmw_resource_unreference(&res);
-diff --git a/drivers/i2c/busses/i2c-mv64xxx.c b/drivers/i2c/busses/i2c-mv64xxx.c
-index 30059c1..5801227 100644
---- a/drivers/i2c/busses/i2c-mv64xxx.c
-+++ b/drivers/i2c/busses/i2c-mv64xxx.c
-@@ -669,8 +669,6 @@ mv64xxx_i2c_can_offload(struct mv64xxx_i2c_data *drv_data)
- 	struct i2c_msg *msgs = drv_data->msgs;
- 	int num = drv_data->num_msgs;
- 
--	return false;
--
- 	if (!drv_data->offload_enabled)
- 		return false;
- 
-diff --git a/drivers/iio/accel/st_accel_core.c b/drivers/iio/accel/st_accel_core.c
-index 4002e64..c472477 100644
---- a/drivers/iio/accel/st_accel_core.c
-+++ b/drivers/iio/accel/st_accel_core.c
-@@ -149,8 +149,6 @@
- #define ST_ACCEL_4_BDU_MASK			0x40
- #define ST_ACCEL_4_DRDY_IRQ_ADDR		0x21
- #define ST_ACCEL_4_DRDY_IRQ_INT1_MASK		0x04
--#define ST_ACCEL_4_IG1_EN_ADDR			0x21
--#define ST_ACCEL_4_IG1_EN_MASK			0x08
- #define ST_ACCEL_4_MULTIREAD_BIT		true
- 
- /* CUSTOM VALUES FOR SENSOR 5 */
-@@ -484,10 +482,6 @@ static const struct st_sensor_settings st_accel_sensors_settings[] = {
- 		.drdy_irq = {
- 			.addr = ST_ACCEL_4_DRDY_IRQ_ADDR,
- 			.mask_int1 = ST_ACCEL_4_DRDY_IRQ_INT1_MASK,
--			.ig1 = {
--				.en_addr = ST_ACCEL_4_IG1_EN_ADDR,
--				.en_mask = ST_ACCEL_4_IG1_EN_MASK,
--			},
- 		},
- 		.multi_read_bit = ST_ACCEL_4_MULTIREAD_BIT,
- 		.bootime = 2, /* guess */
-diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
-index 3a972eb..8be7352 100644
---- a/drivers/infiniband/core/cm.c
-+++ b/drivers/infiniband/core/cm.c
-@@ -873,6 +873,11 @@ retest:
- 	case IB_CM_SIDR_REQ_RCVD:
- 		spin_unlock_irq(&cm_id_priv->lock);
- 		cm_reject_sidr_req(cm_id_priv, IB_SIDR_REJECT);
-+		spin_lock_irq(&cm.lock);
-+		if (!RB_EMPTY_NODE(&cm_id_priv->sidr_id_node))
-+			rb_erase(&cm_id_priv->sidr_id_node,
-+				 &cm.remote_sidr_table);
-+		spin_unlock_irq(&cm.lock);
- 		break;
- 	case IB_CM_REQ_SENT:
- 	case IB_CM_MRA_REQ_RCVD:
-@@ -3112,7 +3117,10 @@ int ib_send_cm_sidr_rep(struct ib_cm_id *cm_id,
- 	spin_unlock_irqrestore(&cm_id_priv->lock, flags);
- 
- 	spin_lock_irqsave(&cm.lock, flags);
--	rb_erase(&cm_id_priv->sidr_id_node, &cm.remote_sidr_table);
-+	if (!RB_EMPTY_NODE(&cm_id_priv->sidr_id_node)) {
-+		rb_erase(&cm_id_priv->sidr_id_node, &cm.remote_sidr_table);
-+		RB_CLEAR_NODE(&cm_id_priv->sidr_id_node);
-+	}
- 	spin_unlock_irqrestore(&cm.lock, flags);
- 	return 0;
- 
-diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
-index 4d24686..41e6cb5 100644
---- a/drivers/input/mouse/alps.c
-+++ b/drivers/input/mouse/alps.c
-@@ -100,7 +100,7 @@ static const struct alps_nibble_commands alps_v6_nibble_commands[] = {
- #define ALPS_FOUR_BUTTONS	0x40	/* 4 direction button present */
- #define ALPS_PS2_INTERLEAVED	0x80	/* 3-byte PS/2 packet interleaved with
- 					   6-byte ALPS packet */
--#define ALPS_DELL		0x100	/* device is a Dell laptop */
-+#define ALPS_STICK_BITS		0x100	/* separate stick button bits */
- #define ALPS_BUTTONPAD		0x200	/* device is a clickpad */
- 
- static const struct alps_model_info alps_model_data[] = {
-@@ -159,6 +159,43 @@ static const struct alps_protocol_info alps_v8_protocol_data = {
- 	ALPS_PROTO_V8, 0x18, 0x18, 0
- };
- 
-+/*
-+ * Some v2 models report the stick buttons in separate bits
-+ */
-+static const struct dmi_system_id alps_dmi_has_separate_stick_buttons[] = {
-+#if defined(CONFIG_DMI) && defined(CONFIG_X86)
-+	{
-+		/* Extrapolated from other entries */
-+		.matches = {
-+			DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
-+			DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D420"),
-+		},
-+	},
-+	{
-+		/* Reported-by: Hans de Bruin <jmdebruin@xmsnet.nl> */
-+		.matches = {
-+			DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
-+			DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D430"),
-+		},
-+	},
-+	{
-+		/* Reported-by: Hans de Goede <hdegoede@redhat.com> */
-+		.matches = {
-+			DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
-+			DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D620"),
-+		},
-+	},
-+	{
-+		/* Extrapolated from other entries */
-+		.matches = {
-+			DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
-+			DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D630"),
-+		},
-+	},
-+#endif
-+	{ }
-+};
-+
- static void alps_set_abs_params_st(struct alps_data *priv,
- 				   struct input_dev *dev1);
- static void alps_set_abs_params_semi_mt(struct alps_data *priv,
-@@ -253,9 +290,8 @@ static void alps_process_packet_v1_v2(struct psmouse *psmouse)
- 		return;
- 	}
- 
--	/* Dell non interleaved V2 dualpoint has separate stick button bits */
--	if (priv->proto_version == ALPS_PROTO_V2 &&
--	    priv->flags == (ALPS_DELL | ALPS_PASS | ALPS_DUALPOINT)) {
-+	/* Some models have separate stick button bits */
-+	if (priv->flags & ALPS_STICK_BITS) {
- 		left |= packet[0] & 1;
- 		right |= packet[0] & 2;
- 		middle |= packet[0] & 4;
-@@ -2552,8 +2588,6 @@ static int alps_set_protocol(struct psmouse *psmouse,
- 	priv->byte0 = protocol->byte0;
- 	priv->mask0 = protocol->mask0;
- 	priv->flags = protocol->flags;
--	if (dmi_name_in_vendors("Dell"))
--		priv->flags |= ALPS_DELL;
- 
- 	priv->x_max = 2000;
- 	priv->y_max = 1400;
-@@ -2568,6 +2602,8 @@ static int alps_set_protocol(struct psmouse *psmouse,
- 		priv->set_abs_params = alps_set_abs_params_st;
- 		priv->x_max = 1023;
- 		priv->y_max = 767;
-+		if (dmi_check_system(alps_dmi_has_separate_stick_buttons))
-+			priv->flags |= ALPS_STICK_BITS;
- 		break;
- 
- 	case ALPS_PROTO_V3:
-diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
-index 658ee39..1b10e5fd 100644
---- a/drivers/iommu/amd_iommu.c
-+++ b/drivers/iommu/amd_iommu.c
-@@ -1974,8 +1974,8 @@ static void set_dte_entry(u16 devid, struct protection_domain *domain, bool ats)
- static void clear_dte_entry(u16 devid)
- {
- 	/* remove entry from the device table seen by the hardware */
--	amd_iommu_dev_table[devid].data[0] = IOMMU_PTE_P | IOMMU_PTE_TV;
--	amd_iommu_dev_table[devid].data[1] = 0;
-+	amd_iommu_dev_table[devid].data[0]  = IOMMU_PTE_P | IOMMU_PTE_TV;
-+	amd_iommu_dev_table[devid].data[1] &= DTE_FLAG_MASK;
- 
- 	amd_iommu_apply_erratum_63(devid);
- }
-diff --git a/drivers/iommu/amd_iommu_types.h b/drivers/iommu/amd_iommu_types.h
-index f659088..c9b6472 100644
---- a/drivers/iommu/amd_iommu_types.h
-+++ b/drivers/iommu/amd_iommu_types.h
-@@ -295,6 +295,7 @@
- #define IOMMU_PTE_IR (1ULL << 61)
- #define IOMMU_PTE_IW (1ULL << 62)
- 
-+#define DTE_FLAG_MASK	(0x3ffULL << 32)
- #define DTE_FLAG_IOTLB	(0x01UL << 32)
- #define DTE_FLAG_GV	(0x01ULL << 55)
- #define DTE_GLX_SHIFT	(56)
-diff --git a/drivers/iommu/amd_iommu_v2.c b/drivers/iommu/amd_iommu_v2.c
-index f7b875b..c3b8a5b 100644
---- a/drivers/iommu/amd_iommu_v2.c
-+++ b/drivers/iommu/amd_iommu_v2.c
-@@ -516,6 +516,13 @@ static void do_fault(struct work_struct *work)
- 		goto out;
- 	}
- 
-+	if (!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE))) {
-+		/* handle_mm_fault would BUG_ON() */
-+		up_read(&mm->mmap_sem);
-+		handle_fault_error(fault);
-+		goto out;
-+	}
-+
- 	ret = handle_mm_fault(mm, vma, address, write);
- 	if (ret & VM_FAULT_ERROR) {
- 		/* failed to service fault */
-diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
-index 7553cb9..bd1b8ad 100644
---- a/drivers/iommu/intel-iommu.c
-+++ b/drivers/iommu/intel-iommu.c
-@@ -2109,15 +2109,19 @@ static int __domain_mapping(struct dmar_domain *domain, unsigned long iov_pfn,
- 				return -ENOMEM;
- 			/* It is large page*/
- 			if (largepage_lvl > 1) {
-+				unsigned long nr_superpages, end_pfn;
-+
- 				pteval |= DMA_PTE_LARGE_PAGE;
- 				lvl_pages = lvl_to_nr_pages(largepage_lvl);
-+
-+				nr_superpages = sg_res / lvl_pages;
-+				end_pfn = iov_pfn + nr_superpages * lvl_pages - 1;
-+
- 				/*
- 				 * Ensure that old small page tables are
--				 * removed to make room for superpage,
--				 * if they exist.
-+				 * removed to make room for superpage(s).
- 				 */
--				dma_pte_free_pagetable(domain, iov_pfn,
--						       iov_pfn + lvl_pages - 1);
-+				dma_pte_free_pagetable(domain, iov_pfn, end_pfn);
- 			} else {
- 				pteval &= ~(uint64_t)DMA_PTE_LARGE_PAGE;
- 			}
-diff --git a/drivers/irqchip/irq-tegra.c b/drivers/irqchip/irq-tegra.c
-index f67bbd8..ab5353a 100644
---- a/drivers/irqchip/irq-tegra.c
-+++ b/drivers/irqchip/irq-tegra.c
-@@ -215,6 +215,7 @@ static struct irq_chip tegra_ictlr_chip = {
- 	.irq_unmask		= tegra_unmask,
- 	.irq_retrigger		= tegra_retrigger,
- 	.irq_set_wake		= tegra_set_wake,
-+	.irq_set_type		= irq_chip_set_type_parent,
- 	.flags			= IRQCHIP_MASK_ON_SUSPEND,
- #ifdef CONFIG_SMP
- 	.irq_set_affinity	= irq_chip_set_affinity_parent,
-diff --git a/drivers/md/dm-cache-metadata.c b/drivers/md/dm-cache-metadata.c
-index 20cc36b..0a17d1b 100644
---- a/drivers/md/dm-cache-metadata.c
-+++ b/drivers/md/dm-cache-metadata.c
-@@ -634,10 +634,10 @@ static int __commit_transaction(struct dm_cache_metadata *cmd,
- 
- 	disk_super = dm_block_data(sblock);
- 
-+	disk_super->flags = cpu_to_le32(cmd->flags);
- 	if (mutator)
- 		update_flags(disk_super, mutator);
- 
--	disk_super->flags = cpu_to_le32(cmd->flags);
- 	disk_super->mapping_root = cpu_to_le64(cmd->root);
- 	disk_super->hint_root = cpu_to_le64(cmd->hint_root);
- 	disk_super->discard_root = cpu_to_le64(cmd->discard_root);
-diff --git a/drivers/md/md.c b/drivers/md/md.c
-index e25f00f..95e7b72 100644
---- a/drivers/md/md.c
-+++ b/drivers/md/md.c
-@@ -8030,8 +8030,7 @@ static int remove_and_add_spares(struct mddev *mddev,
- 		       !test_bit(Bitmap_sync, &rdev->flags)))
- 			continue;
- 
--		if (rdev->saved_raid_disk < 0)
--			rdev->recovery_offset = 0;
-+		rdev->recovery_offset = 0;
- 		if (mddev->pers->
- 		    hot_add_disk(mddev, rdev) == 0) {
- 			if (sysfs_link_rdev(mddev, rdev))
-diff --git a/drivers/md/persistent-data/dm-btree-remove.c b/drivers/md/persistent-data/dm-btree-remove.c
-index 4222f77..1dac15d 100644
---- a/drivers/md/persistent-data/dm-btree-remove.c
-+++ b/drivers/md/persistent-data/dm-btree-remove.c
-@@ -301,11 +301,16 @@ static void redistribute3(struct dm_btree_info *info, struct btree_node *parent,
- {
- 	int s;
- 	uint32_t max_entries = le32_to_cpu(left->header.max_entries);
--	unsigned target = (nr_left + nr_center + nr_right) / 3;
--	BUG_ON(target > max_entries);
-+	unsigned total = nr_left + nr_center + nr_right;
-+	unsigned target_right = total / 3;
-+	unsigned remainder = (target_right * 3) != total;
-+	unsigned target_left = target_right + remainder;
-+
-+	BUG_ON(target_left > max_entries);
-+	BUG_ON(target_right > max_entries);
- 
- 	if (nr_left < nr_right) {
--		s = nr_left - target;
-+		s = nr_left - target_left;
- 
- 		if (s < 0 && nr_center < -s) {
- 			/* not enough in central node */
-@@ -316,10 +321,10 @@ static void redistribute3(struct dm_btree_info *info, struct btree_node *parent,
- 		} else
- 			shift(left, center, s);
- 
--		shift(center, right, target - nr_right);
-+		shift(center, right, target_right - nr_right);
- 
- 	} else {
--		s = target - nr_right;
-+		s = target_right - nr_right;
- 		if (s > 0 && nr_center < s) {
- 			/* not enough in central node */
- 			shift(center, right, nr_center);
-@@ -329,7 +334,7 @@ static void redistribute3(struct dm_btree_info *info, struct btree_node *parent,
- 		} else
- 			shift(center, right, s);
- 
--		shift(left, center, nr_left - target);
-+		shift(left, center, nr_left - target_left);
- 	}
- 
- 	*key_ptr(parent, c->index) = center->keys[0];
-diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c
-index c7726ce..d6e4703 100644
---- a/drivers/md/persistent-data/dm-btree.c
-+++ b/drivers/md/persistent-data/dm-btree.c
-@@ -523,7 +523,7 @@ static int btree_split_beneath(struct shadow_spine *s, uint64_t key)
- 
- 	r = new_block(s->info, &right);
- 	if (r < 0) {
--		/* FIXME: put left */
-+		unlock_block(s->info, left);
- 		return r;
- 	}
- 
-diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
-index 967a4ed..d10d300 100644
---- a/drivers/md/raid1.c
-+++ b/drivers/md/raid1.c
-@@ -2249,7 +2249,7 @@ static int narrow_write_error(struct r1bio *r1_bio, int i)
- 		bio_trim(wbio, sector - r1_bio->sector, sectors);
- 		wbio->bi_iter.bi_sector += rdev->data_offset;
- 		wbio->bi_bdev = rdev->bdev;
--		if (submit_bio_wait(WRITE, wbio) == 0)
-+		if (submit_bio_wait(WRITE, wbio) < 0)
- 			/* failure! */
- 			ok = rdev_set_badblocks(rdev, sector,
- 						sectors, 0)
-diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
-index 38c58e1..d4b70d9 100644
---- a/drivers/md/raid10.c
-+++ b/drivers/md/raid10.c
-@@ -2580,7 +2580,7 @@ static int narrow_write_error(struct r10bio *r10_bio, int i)
- 				   choose_data_offset(r10_bio, rdev) +
- 				   (sector - r10_bio->sector));
- 		wbio->bi_bdev = rdev->bdev;
--		if (submit_bio_wait(WRITE, wbio) == 0)
-+		if (submit_bio_wait(WRITE, wbio) < 0)
- 			/* Failure! */
- 			ok = rdev_set_badblocks(rdev, sector,
- 						sectors, 0)
-diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
-index f757023..0d4f7b1 100644
---- a/drivers/md/raid5.c
-+++ b/drivers/md/raid5.c
-@@ -3505,6 +3505,7 @@ returnbi:
- 		}
- 	if (!discard_pending &&
- 	    test_bit(R5_Discard, &sh->dev[sh->pd_idx].flags)) {
-+		int hash;
- 		clear_bit(R5_Discard, &sh->dev[sh->pd_idx].flags);
- 		clear_bit(R5_UPTODATE, &sh->dev[sh->pd_idx].flags);
- 		if (sh->qd_idx >= 0) {
-@@ -3518,16 +3519,17 @@ returnbi:
- 		 * no updated data, so remove it from hash list and the stripe
- 		 * will be reinitialized
- 		 */
--		spin_lock_irq(&conf->device_lock);
- unhash:
-+		hash = sh->hash_lock_index;
-+		spin_lock_irq(conf->hash_locks + hash);
- 		remove_hash(sh);
-+		spin_unlock_irq(conf->hash_locks + hash);
- 		if (head_sh->batch_head) {
- 			sh = list_first_entry(&sh->batch_list,
- 					      struct stripe_head, batch_list);
- 			if (sh != head_sh)
- 					goto unhash;
- 		}
--		spin_unlock_irq(&conf->device_lock);
- 		sh = head_sh;
- 
- 		if (test_bit(STRIPE_SYNC_REQUESTED, &sh->state))
-diff --git a/drivers/media/dvb-frontends/m88ds3103.c b/drivers/media/dvb-frontends/m88ds3103.c
-index e9b2d2b..377fb69 100644
---- a/drivers/media/dvb-frontends/m88ds3103.c
-+++ b/drivers/media/dvb-frontends/m88ds3103.c
-@@ -18,6 +18,27 @@
- 
- static struct dvb_frontend_ops m88ds3103_ops;
- 
-+/* write single register with mask */
-+static int m88ds3103_update_bits(struct m88ds3103_dev *dev,
-+				u8 reg, u8 mask, u8 val)
-+{
-+	int ret;
-+	u8 tmp;
-+
-+	/* no need for read if whole reg is written */
-+	if (mask != 0xff) {
-+		ret = regmap_bulk_read(dev->regmap, reg, &tmp, 1);
-+		if (ret)
-+			return ret;
-+
-+		val &= mask;
-+		tmp &= ~mask;
-+		val |= tmp;
-+	}
-+
-+	return regmap_bulk_write(dev->regmap, reg, &val, 1);
-+}
-+
- /* write reg val table using reg addr auto increment */
- static int m88ds3103_wr_reg_val_tab(struct m88ds3103_dev *dev,
- 		const struct m88ds3103_reg_val *tab, int tab_len)
-@@ -394,10 +415,10 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe)
- 			u8tmp2 = 0x00; /* 0b00 */
- 			break;
- 		}
--		ret = regmap_update_bits(dev->regmap, 0x22, 0xc0, u8tmp1 << 6);
-+		ret = m88ds3103_update_bits(dev, 0x22, 0xc0, u8tmp1 << 6);
- 		if (ret)
- 			goto err;
--		ret = regmap_update_bits(dev->regmap, 0x24, 0xc0, u8tmp2 << 6);
-+		ret = m88ds3103_update_bits(dev, 0x24, 0xc0, u8tmp2 << 6);
- 		if (ret)
- 			goto err;
- 	}
-@@ -455,13 +476,13 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe)
- 			if (ret)
- 				goto err;
- 		}
--		ret = regmap_update_bits(dev->regmap, 0x9d, 0x08, 0x08);
-+		ret = m88ds3103_update_bits(dev, 0x9d, 0x08, 0x08);
- 		if (ret)
- 			goto err;
- 		ret = regmap_write(dev->regmap, 0xf1, 0x01);
- 		if (ret)
- 			goto err;
--		ret = regmap_update_bits(dev->regmap, 0x30, 0x80, 0x80);
-+		ret = m88ds3103_update_bits(dev, 0x30, 0x80, 0x80);
- 		if (ret)
- 			goto err;
- 	}
-@@ -498,7 +519,7 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe)
- 	switch (dev->cfg->ts_mode) {
- 	case M88DS3103_TS_SERIAL:
- 	case M88DS3103_TS_SERIAL_D7:
--		ret = regmap_update_bits(dev->regmap, 0x29, 0x20, u8tmp1);
-+		ret = m88ds3103_update_bits(dev, 0x29, 0x20, u8tmp1);
- 		if (ret)
- 			goto err;
- 		u8tmp1 = 0;
-@@ -567,11 +588,11 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe)
- 	if (ret)
- 		goto err;
- 
--	ret = regmap_update_bits(dev->regmap, 0x4d, 0x02, dev->cfg->spec_inv << 1);
-+	ret = m88ds3103_update_bits(dev, 0x4d, 0x02, dev->cfg->spec_inv << 1);
- 	if (ret)
- 		goto err;
- 
--	ret = regmap_update_bits(dev->regmap, 0x30, 0x10, dev->cfg->agc_inv << 4);
-+	ret = m88ds3103_update_bits(dev, 0x30, 0x10, dev->cfg->agc_inv << 4);
- 	if (ret)
- 		goto err;
- 
-@@ -625,13 +646,13 @@ static int m88ds3103_init(struct dvb_frontend *fe)
- 	dev->warm = false;
- 
- 	/* wake up device from sleep */
--	ret = regmap_update_bits(dev->regmap, 0x08, 0x01, 0x01);
-+	ret = m88ds3103_update_bits(dev, 0x08, 0x01, 0x01);
- 	if (ret)
- 		goto err;
--	ret = regmap_update_bits(dev->regmap, 0x04, 0x01, 0x00);
-+	ret = m88ds3103_update_bits(dev, 0x04, 0x01, 0x00);
- 	if (ret)
- 		goto err;
--	ret = regmap_update_bits(dev->regmap, 0x23, 0x10, 0x00);
-+	ret = m88ds3103_update_bits(dev, 0x23, 0x10, 0x00);
- 	if (ret)
- 		goto err;
- 
-@@ -749,18 +770,18 @@ static int m88ds3103_sleep(struct dvb_frontend *fe)
- 		utmp = 0x29;
- 	else
- 		utmp = 0x27;
--	ret = regmap_update_bits(dev->regmap, utmp, 0x01, 0x00);
-+	ret = m88ds3103_update_bits(dev, utmp, 0x01, 0x00);
- 	if (ret)
- 		goto err;
- 
- 	/* sleep */
--	ret = regmap_update_bits(dev->regmap, 0x08, 0x01, 0x00);
-+	ret = m88ds3103_update_bits(dev, 0x08, 0x01, 0x00);
- 	if (ret)
- 		goto err;
--	ret = regmap_update_bits(dev->regmap, 0x04, 0x01, 0x01);
-+	ret = m88ds3103_update_bits(dev, 0x04, 0x01, 0x01);
- 	if (ret)
- 		goto err;
--	ret = regmap_update_bits(dev->regmap, 0x23, 0x10, 0x10);
-+	ret = m88ds3103_update_bits(dev, 0x23, 0x10, 0x10);
- 	if (ret)
- 		goto err;
- 
-@@ -992,12 +1013,12 @@ static int m88ds3103_set_tone(struct dvb_frontend *fe,
- 	}
- 
- 	utmp = tone << 7 | dev->cfg->envelope_mode << 5;
--	ret = regmap_update_bits(dev->regmap, 0xa2, 0xe0, utmp);
-+	ret = m88ds3103_update_bits(dev, 0xa2, 0xe0, utmp);
- 	if (ret)
- 		goto err;
- 
- 	utmp = 1 << 2;
--	ret = regmap_update_bits(dev->regmap, 0xa1, reg_a1_mask, utmp);
-+	ret = m88ds3103_update_bits(dev, 0xa1, reg_a1_mask, utmp);
- 	if (ret)
- 		goto err;
- 
-@@ -1047,7 +1068,7 @@ static int m88ds3103_set_voltage(struct dvb_frontend *fe,
- 	voltage_dis ^= dev->cfg->lnb_en_pol;
- 
- 	utmp = voltage_dis << 1 | voltage_sel << 0;
--	ret = regmap_update_bits(dev->regmap, 0xa2, 0x03, utmp);
-+	ret = m88ds3103_update_bits(dev, 0xa2, 0x03, utmp);
- 	if (ret)
- 		goto err;
- 
-@@ -1080,7 +1101,7 @@ static int m88ds3103_diseqc_send_master_cmd(struct dvb_frontend *fe,
- 	}
- 
- 	utmp = dev->cfg->envelope_mode << 5;
--	ret = regmap_update_bits(dev->regmap, 0xa2, 0xe0, utmp);
-+	ret = m88ds3103_update_bits(dev, 0xa2, 0xe0, utmp);
- 	if (ret)
- 		goto err;
- 
-@@ -1115,12 +1136,12 @@ static int m88ds3103_diseqc_send_master_cmd(struct dvb_frontend *fe,
- 	} else {
- 		dev_dbg(&client->dev, "diseqc tx timeout\n");
- 
--		ret = regmap_update_bits(dev->regmap, 0xa1, 0xc0, 0x40);
-+		ret = m88ds3103_update_bits(dev, 0xa1, 0xc0, 0x40);
- 		if (ret)
- 			goto err;
- 	}
- 
--	ret = regmap_update_bits(dev->regmap, 0xa2, 0xc0, 0x80);
-+	ret = m88ds3103_update_bits(dev, 0xa2, 0xc0, 0x80);
- 	if (ret)
- 		goto err;
- 
-@@ -1152,7 +1173,7 @@ static int m88ds3103_diseqc_send_burst(struct dvb_frontend *fe,
- 	}
- 
- 	utmp = dev->cfg->envelope_mode << 5;
--	ret = regmap_update_bits(dev->regmap, 0xa2, 0xe0, utmp);
-+	ret = m88ds3103_update_bits(dev, 0xa2, 0xe0, utmp);
- 	if (ret)
- 		goto err;
- 
-@@ -1194,12 +1215,12 @@ static int m88ds3103_diseqc_send_burst(struct dvb_frontend *fe,
- 	} else {
- 		dev_dbg(&client->dev, "diseqc tx timeout\n");
- 
--		ret = regmap_update_bits(dev->regmap, 0xa1, 0xc0, 0x40);
-+		ret = m88ds3103_update_bits(dev, 0xa1, 0xc0, 0x40);
- 		if (ret)
- 			goto err;
- 	}
- 
--	ret = regmap_update_bits(dev->regmap, 0xa2, 0xc0, 0x80);
-+	ret = m88ds3103_update_bits(dev, 0xa2, 0xc0, 0x80);
- 	if (ret)
- 		goto err;
- 
-@@ -1435,13 +1456,13 @@ static int m88ds3103_probe(struct i2c_client *client,
- 		goto err_kfree;
- 
- 	/* sleep */
--	ret = regmap_update_bits(dev->regmap, 0x08, 0x01, 0x00);
-+	ret = m88ds3103_update_bits(dev, 0x08, 0x01, 0x00);
- 	if (ret)
- 		goto err_kfree;
--	ret = regmap_update_bits(dev->regmap, 0x04, 0x01, 0x01);
-+	ret = m88ds3103_update_bits(dev, 0x04, 0x01, 0x01);
- 	if (ret)
- 		goto err_kfree;
--	ret = regmap_update_bits(dev->regmap, 0x23, 0x10, 0x10);
-+	ret = m88ds3103_update_bits(dev, 0x23, 0x10, 0x10);
- 	if (ret)
- 		goto err_kfree;
- 
-diff --git a/drivers/media/dvb-frontends/si2168.c b/drivers/media/dvb-frontends/si2168.c
-index 25e238c..cb6a49b 100644
---- a/drivers/media/dvb-frontends/si2168.c
-+++ b/drivers/media/dvb-frontends/si2168.c
-@@ -502,6 +502,10 @@ static int si2168_init(struct dvb_frontend *fe)
- 		/* firmware is in the new format */
- 		for (remaining = fw->size; remaining > 0; remaining -= 17) {
- 			len = fw->data[fw->size - remaining];
-+			if (len > SI2168_ARGLEN) {
-+				ret = -EINVAL;
-+				break;
-+			}
- 			memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len);
- 			cmd.wlen = len;
- 			cmd.rlen = 1;
-diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c
-index a6245ef..416c865 100644
---- a/drivers/media/tuners/si2157.c
-+++ b/drivers/media/tuners/si2157.c
-@@ -166,6 +166,10 @@ static int si2157_init(struct dvb_frontend *fe)
- 
- 	for (remaining = fw->size; remaining > 0; remaining -= 17) {
- 		len = fw->data[fw->size - remaining];
-+		if (len > SI2157_ARGLEN) {
-+			dev_err(&client->dev, "Bad firmware length\n");
-+			goto err_release_firmware;
-+		}
- 		memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len);
- 		cmd.wlen = len;
- 		cmd.rlen = 1;
-diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
-index c3cac4c..197a4f2 100644
---- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
-+++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
-@@ -34,6 +34,14 @@ static int rtl28xxu_ctrl_msg(struct dvb_usb_device *d, struct rtl28xxu_req *req)
- 	unsigned int pipe;
- 	u8 requesttype;
- 
-+	mutex_lock(&d->usb_mutex);
-+
-+	if (req->size > sizeof(dev->buf)) {
-+		dev_err(&d->intf->dev, "too large message %u\n", req->size);
-+		ret = -EINVAL;
-+		goto err_mutex_unlock;
-+	}
-+
- 	if (req->index & CMD_WR_FLAG) {
- 		/* write */
- 		memcpy(dev->buf, req->data, req->size);
-@@ -50,14 +58,17 @@ static int rtl28xxu_ctrl_msg(struct dvb_usb_device *d, struct rtl28xxu_req *req)
- 	dvb_usb_dbg_usb_control_msg(d->udev, 0, requesttype, req->value,
- 			req->index, dev->buf, req->size);
- 	if (ret < 0)
--		goto err;
-+		goto err_mutex_unlock;
- 
- 	/* read request, copy returned data to return buf */
- 	if (requesttype == (USB_TYPE_VENDOR | USB_DIR_IN))
- 		memcpy(req->data, dev->buf, req->size);
- 
-+	mutex_unlock(&d->usb_mutex);
-+
- 	return 0;
--err:
-+err_mutex_unlock:
-+	mutex_unlock(&d->usb_mutex);
- 	dev_dbg(&d->intf->dev, "failed=%d\n", ret);
- 	return ret;
- }
-diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.h b/drivers/media/usb/dvb-usb-v2/rtl28xxu.h
-index 9f6115a..1380629 100644
---- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.h
-+++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.h
-@@ -71,7 +71,7 @@
- 
- 
- struct rtl28xxu_dev {
--	u8 buf[28];
-+	u8 buf[128];
- 	u8 chip_id;
- 	u8 tuner;
- 	char *tuner_name;
-diff --git a/drivers/mmc/card/mmc_test.c b/drivers/mmc/card/mmc_test.c
-index b78cf5d..7fc9174 100644
---- a/drivers/mmc/card/mmc_test.c
-+++ b/drivers/mmc/card/mmc_test.c
-@@ -2263,15 +2263,12 @@ static int mmc_test_profile_sglen_r_nonblock_perf(struct mmc_test_card *test)
- /*
-  * eMMC hardware reset.
-  */
--static int mmc_test_hw_reset(struct mmc_test_card *test)
-+static int mmc_test_reset(struct mmc_test_card *test)
- {
- 	struct mmc_card *card = test->card;
- 	struct mmc_host *host = card->host;
- 	int err;
- 
--	if (!mmc_card_mmc(card) || !mmc_can_reset(card))
--		return RESULT_UNSUP_CARD;
--
- 	err = mmc_hw_reset(host);
- 	if (!err)
- 		return RESULT_OK;
-@@ -2605,8 +2602,8 @@ static const struct mmc_test_case mmc_test_cases[] = {
- 	},
- 
- 	{
--		.name = "eMMC hardware reset",
--		.run = mmc_test_hw_reset,
-+		.name = "Reset test",
-+		.run = mmc_test_reset,
- 	},
- };
- 
-diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c
-index e726903..f6cd995 100644
---- a/drivers/mmc/core/mmc.c
-+++ b/drivers/mmc/core/mmc.c
-@@ -1924,7 +1924,6 @@ EXPORT_SYMBOL(mmc_can_reset);
- static int mmc_reset(struct mmc_host *host)
- {
- 	struct mmc_card *card = host->card;
--	u32 status;
- 
- 	if (!(host->caps & MMC_CAP_HW_RESET) || !host->ops->hw_reset)
- 		return -EOPNOTSUPP;
-@@ -1937,12 +1936,6 @@ static int mmc_reset(struct mmc_host *host)
- 
- 	host->ops->hw_reset(host);
- 
--	/* If the reset has happened, then a status command will fail */
--	if (!mmc_send_status(card, &status)) {
--		mmc_host_clk_release(host);
--		return -ENOSYS;
--	}
--
- 	/* Set initial state and call mmc_set_ios */
- 	mmc_set_initial_state(host);
- 	mmc_host_clk_release(host);
-diff --git a/drivers/net/wireless/ath/ath9k/init.c b/drivers/net/wireless/ath/ath9k/init.c
-index eff0e53..bfddc9e 100644
---- a/drivers/net/wireless/ath/ath9k/init.c
-+++ b/drivers/net/wireless/ath/ath9k/init.c
-@@ -874,6 +874,7 @@ static void ath9k_set_hw_capab(struct ath_softc *sc, struct ieee80211_hw *hw)
- 	hw->max_rate_tries = 10;
- 	hw->sta_data_size = sizeof(struct ath_node);
- 	hw->vif_data_size = sizeof(struct ath_vif);
-+	hw->extra_tx_headroom = 4;
- 
- 	hw->wiphy->available_antennas_rx = BIT(ah->caps.max_rxchains) - 1;
- 	hw->wiphy->available_antennas_tx = BIT(ah->caps.max_txchains) - 1;
-diff --git a/drivers/net/wireless/iwlwifi/dvm/lib.c b/drivers/net/wireless/iwlwifi/dvm/lib.c
-index 1d2223d..e7d3566 100644
---- a/drivers/net/wireless/iwlwifi/dvm/lib.c
-+++ b/drivers/net/wireless/iwlwifi/dvm/lib.c
-@@ -1022,7 +1022,7 @@ static void iwlagn_wowlan_program_keys(struct ieee80211_hw *hw,
- 			u8 *pn = seq.ccmp.pn;
- 
- 			ieee80211_get_key_rx_seq(key, i, &seq);
--			aes_sc->pn = cpu_to_le64(
-+			aes_sc[i].pn = cpu_to_le64(
- 					(u64)pn[5] |
- 					((u64)pn[4] << 8) |
- 					((u64)pn[3] << 16) |
-diff --git a/drivers/net/wireless/iwlwifi/iwl-7000.c b/drivers/net/wireless/iwlwifi/iwl-7000.c
-index cc35f79..d7acbd1 100644
---- a/drivers/net/wireless/iwlwifi/iwl-7000.c
-+++ b/drivers/net/wireless/iwlwifi/iwl-7000.c
-@@ -348,6 +348,6 @@ const struct iwl_cfg iwl7265d_n_cfg = {
- };
- 
- MODULE_FIRMWARE(IWL7260_MODULE_FIRMWARE(IWL7260_UCODE_API_OK));
--MODULE_FIRMWARE(IWL3160_MODULE_FIRMWARE(IWL3160_UCODE_API_OK));
-+MODULE_FIRMWARE(IWL3160_MODULE_FIRMWARE(IWL7260_UCODE_API_OK));
- MODULE_FIRMWARE(IWL7265_MODULE_FIRMWARE(IWL7260_UCODE_API_OK));
- MODULE_FIRMWARE(IWL7265D_MODULE_FIRMWARE(IWL7260_UCODE_API_OK));
-diff --git a/drivers/net/wireless/iwlwifi/mvm/d3.c b/drivers/net/wireless/iwlwifi/mvm/d3.c
-index 4165d10..f60b89b 100644
---- a/drivers/net/wireless/iwlwifi/mvm/d3.c
-+++ b/drivers/net/wireless/iwlwifi/mvm/d3.c
-@@ -274,18 +274,13 @@ static void iwl_mvm_wowlan_program_keys(struct ieee80211_hw *hw,
- 		break;
- 	case WLAN_CIPHER_SUITE_CCMP:
- 		if (sta) {
--			u8 *pn = seq.ccmp.pn;
-+			u64 pn64;
- 
- 			aes_sc = data->rsc_tsc->all_tsc_rsc.aes.unicast_rsc;
- 			aes_tx_sc = &data->rsc_tsc->all_tsc_rsc.aes.tsc;
- 
--			ieee80211_get_key_tx_seq(key, &seq);
--			aes_tx_sc->pn = cpu_to_le64((u64)pn[5] |
--						    ((u64)pn[4] << 8) |
--						    ((u64)pn[3] << 16) |
--						    ((u64)pn[2] << 24) |
--						    ((u64)pn[1] << 32) |
--						    ((u64)pn[0] << 40));
-+			pn64 = atomic64_read(&key->tx_pn);
-+			aes_tx_sc->pn = cpu_to_le64(pn64);
- 		} else {
- 			aes_sc = data->rsc_tsc->all_tsc_rsc.aes.multicast_rsc;
- 		}
-@@ -298,12 +293,12 @@ static void iwl_mvm_wowlan_program_keys(struct ieee80211_hw *hw,
- 			u8 *pn = seq.ccmp.pn;
- 
- 			ieee80211_get_key_rx_seq(key, i, &seq);
--			aes_sc->pn = cpu_to_le64((u64)pn[5] |
--						 ((u64)pn[4] << 8) |
--						 ((u64)pn[3] << 16) |
--						 ((u64)pn[2] << 24) |
--						 ((u64)pn[1] << 32) |
--						 ((u64)pn[0] << 40));
-+			aes_sc[i].pn = cpu_to_le64((u64)pn[5] |
-+						   ((u64)pn[4] << 8) |
-+						   ((u64)pn[3] << 16) |
-+						   ((u64)pn[2] << 24) |
-+						   ((u64)pn[1] << 32) |
-+						   ((u64)pn[0] << 40));
- 		}
- 		data->use_rsc_tsc = true;
- 		break;
-@@ -1446,15 +1441,15 @@ static void iwl_mvm_d3_update_gtks(struct ieee80211_hw *hw,
- 
- 		switch (key->cipher) {
- 		case WLAN_CIPHER_SUITE_CCMP:
--			iwl_mvm_aes_sc_to_seq(&sc->aes.tsc, &seq);
- 			iwl_mvm_set_aes_rx_seq(sc->aes.unicast_rsc, key);
-+			atomic64_set(&key->tx_pn, le64_to_cpu(sc->aes.tsc.pn));
- 			break;
- 		case WLAN_CIPHER_SUITE_TKIP:
- 			iwl_mvm_tkip_sc_to_seq(&sc->tkip.tsc, &seq);
- 			iwl_mvm_set_tkip_rx_seq(sc->tkip.unicast_rsc, key);
-+			ieee80211_set_key_tx_seq(key, &seq);
- 			break;
- 		}
--		ieee80211_set_key_tx_seq(key, &seq);
- 
- 		/* that's it for this key */
- 		return;
-diff --git a/drivers/net/wireless/iwlwifi/mvm/fw.c b/drivers/net/wireless/iwlwifi/mvm/fw.c
-index eb10c5e..b49367e 100644
---- a/drivers/net/wireless/iwlwifi/mvm/fw.c
-+++ b/drivers/net/wireless/iwlwifi/mvm/fw.c
-@@ -364,7 +364,7 @@ int iwl_run_init_mvm_ucode(struct iwl_mvm *mvm, bool read_nvm)
- 	 * abort after reading the nvm in case RF Kill is on, we will complete
- 	 * the init seq later when RF kill will switch to off
- 	 */
--	if (iwl_mvm_is_radio_killed(mvm)) {
-+	if (iwl_mvm_is_radio_hw_killed(mvm)) {
- 		IWL_DEBUG_RF_KILL(mvm,
- 				  "jump over all phy activities due to RF kill\n");
- 		iwl_remove_notification(&mvm->notif_wait, &calib_wait);
-@@ -397,7 +397,7 @@ int iwl_run_init_mvm_ucode(struct iwl_mvm *mvm, bool read_nvm)
- 	ret = iwl_wait_notification(&mvm->notif_wait, &calib_wait,
- 			MVM_UCODE_CALIB_TIMEOUT);
- 
--	if (ret && iwl_mvm_is_radio_killed(mvm)) {
-+	if (ret && iwl_mvm_is_radio_hw_killed(mvm)) {
- 		IWL_DEBUG_RF_KILL(mvm, "RFKILL while calibrating.\n");
- 		ret = 1;
- 	}
-diff --git a/drivers/net/wireless/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/iwlwifi/mvm/mac80211.c
-index dfdab38..f82019c 100644
---- a/drivers/net/wireless/iwlwifi/mvm/mac80211.c
-+++ b/drivers/net/wireless/iwlwifi/mvm/mac80211.c
-@@ -2373,6 +2373,7 @@ static void iwl_mvm_stop_ap_ibss(struct ieee80211_hw *hw,
- 		iwl_mvm_remove_time_event(mvm, mvmvif,
- 					  &mvmvif->time_event_data);
- 		RCU_INIT_POINTER(mvm->csa_vif, NULL);
-+		mvmvif->csa_countdown = false;
- 	}
- 
- 	if (rcu_access_pointer(mvm->csa_tx_blocked_vif) == vif) {
-diff --git a/drivers/net/wireless/iwlwifi/mvm/mvm.h b/drivers/net/wireless/iwlwifi/mvm/mvm.h
-index 2d4bad5..4a6f162 100644
---- a/drivers/net/wireless/iwlwifi/mvm/mvm.h
-+++ b/drivers/net/wireless/iwlwifi/mvm/mvm.h
-@@ -848,6 +848,11 @@ static inline bool iwl_mvm_is_radio_killed(struct iwl_mvm *mvm)
- 	       test_bit(IWL_MVM_STATUS_HW_CTKILL, &mvm->status);
- }
- 
-+static inline bool iwl_mvm_is_radio_hw_killed(struct iwl_mvm *mvm)
-+{
-+	return test_bit(IWL_MVM_STATUS_HW_RFKILL, &mvm->status);
-+}
-+
- /* Must be called with rcu_read_lock() held and it can only be
-  * released when mvmsta is not needed anymore.
-  */
-diff --git a/drivers/net/wireless/iwlwifi/mvm/ops.c b/drivers/net/wireless/iwlwifi/mvm/ops.c
-index e4fa500..61c2b0a 100644
---- a/drivers/net/wireless/iwlwifi/mvm/ops.c
-+++ b/drivers/net/wireless/iwlwifi/mvm/ops.c
-@@ -582,6 +582,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
- 	ieee80211_unregister_hw(mvm->hw);
- 	iwl_mvm_leds_exit(mvm);
-  out_free:
-+	flush_delayed_work(&mvm->fw_dump_wk);
- 	iwl_phy_db_free(mvm->phy_db);
- 	kfree(mvm->scan_cmd);
- 	if (!cfg->no_power_up_nic_in_init || !mvm->nvm_file_name)
-diff --git a/drivers/net/wireless/iwlwifi/pcie/drv.c b/drivers/net/wireless/iwlwifi/pcie/drv.c
-index 9f65c1c..865d578d 100644
---- a/drivers/net/wireless/iwlwifi/pcie/drv.c
-+++ b/drivers/net/wireless/iwlwifi/pcie/drv.c
-@@ -414,6 +414,11 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
- 	{IWL_PCI_DEVICE(0x095A, 0x5590, iwl7265_2ac_cfg)},
- 	{IWL_PCI_DEVICE(0x095B, 0x5290, iwl7265_2ac_cfg)},
- 	{IWL_PCI_DEVICE(0x095A, 0x5490, iwl7265_2ac_cfg)},
-+	{IWL_PCI_DEVICE(0x095A, 0x5F10, iwl7265_2ac_cfg)},
-+	{IWL_PCI_DEVICE(0x095B, 0x5212, iwl7265_2ac_cfg)},
-+	{IWL_PCI_DEVICE(0x095B, 0x520A, iwl7265_2ac_cfg)},
-+	{IWL_PCI_DEVICE(0x095A, 0x9000, iwl7265_2ac_cfg)},
-+	{IWL_PCI_DEVICE(0x095A, 0x9400, iwl7265_2ac_cfg)},
- 
- /* 8000 Series */
- 	{IWL_PCI_DEVICE(0x24F3, 0x0010, iwl8260_2ac_cfg)},
-diff --git a/drivers/net/wireless/rtlwifi/pci.h b/drivers/net/wireless/rtlwifi/pci.h
-index d4567d1..5da6703 100644
---- a/drivers/net/wireless/rtlwifi/pci.h
-+++ b/drivers/net/wireless/rtlwifi/pci.h
-@@ -247,6 +247,8 @@ struct rtl_pci {
- 	/* MSI support */
- 	bool msi_support;
- 	bool using_msi;
-+	/* interrupt clear before set */
-+	bool int_clear;
- };
- 
- struct mp_adapter {
-diff --git a/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c b/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c
-index b7f18e21..6e9418e 100644
---- a/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c
-+++ b/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c
-@@ -2253,11 +2253,28 @@ void rtl8821ae_set_qos(struct ieee80211_hw *hw, int aci)
- 	}
- }
- 
-+static void rtl8821ae_clear_interrupt(struct ieee80211_hw *hw)
-+{
-+	struct rtl_priv *rtlpriv = rtl_priv(hw);
-+	u32 tmp = rtl_read_dword(rtlpriv, REG_HISR);
-+
-+	rtl_write_dword(rtlpriv, REG_HISR, tmp);
-+
-+	tmp = rtl_read_dword(rtlpriv, REG_HISRE);
-+	rtl_write_dword(rtlpriv, REG_HISRE, tmp);
-+
-+	tmp = rtl_read_dword(rtlpriv, REG_HSISR);
-+	rtl_write_dword(rtlpriv, REG_HSISR, tmp);
-+}
-+
- void rtl8821ae_enable_interrupt(struct ieee80211_hw *hw)
- {
- 	struct rtl_priv *rtlpriv = rtl_priv(hw);
- 	struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw));
- 
-+	if (!rtlpci->int_clear)
-+		rtl8821ae_clear_interrupt(hw);/*clear it here first*/
-+
- 	rtl_write_dword(rtlpriv, REG_HIMR, rtlpci->irq_mask[0] & 0xFFFFFFFF);
- 	rtl_write_dword(rtlpriv, REG_HIMRE, rtlpci->irq_mask[1] & 0xFFFFFFFF);
- 	rtlpci->irq_enabled = true;
-diff --git a/drivers/net/wireless/rtlwifi/rtl8821ae/sw.c b/drivers/net/wireless/rtlwifi/rtl8821ae/sw.c
-index a4988121..8ee141a 100644
---- a/drivers/net/wireless/rtlwifi/rtl8821ae/sw.c
-+++ b/drivers/net/wireless/rtlwifi/rtl8821ae/sw.c
-@@ -96,6 +96,7 @@ int rtl8821ae_init_sw_vars(struct ieee80211_hw *hw)
- 
- 	rtl8821ae_bt_reg_init(hw);
- 	rtlpci->msi_support = rtlpriv->cfg->mod_params->msi_support;
-+	rtlpci->int_clear = rtlpriv->cfg->mod_params->int_clear;
- 	rtlpriv->btcoexist.btc_ops = rtl_btc_get_ops_pointer();
- 
- 	rtlpriv->dm.dm_initialgain_enable = 1;
-@@ -167,6 +168,7 @@ int rtl8821ae_init_sw_vars(struct ieee80211_hw *hw)
- 	rtlpriv->psc.swctrl_lps = rtlpriv->cfg->mod_params->swctrl_lps;
- 	rtlpriv->psc.fwctrl_lps = rtlpriv->cfg->mod_params->fwctrl_lps;
- 	rtlpci->msi_support = rtlpriv->cfg->mod_params->msi_support;
-+	rtlpci->msi_support = rtlpriv->cfg->mod_params->int_clear;
- 	if (rtlpriv->cfg->mod_params->disable_watchdog)
- 		pr_info("watchdog disabled\n");
- 	rtlpriv->psc.reg_fwctrl_lps = 3;
-@@ -308,6 +310,7 @@ static struct rtl_mod_params rtl8821ae_mod_params = {
- 	.swctrl_lps = false,
- 	.fwctrl_lps = true,
- 	.msi_support = true,
-+	.int_clear = true,
- 	.debug = DBG_EMERG,
- 	.disable_watchdog = 0,
- };
-@@ -437,6 +440,7 @@ module_param_named(fwlps, rtl8821ae_mod_params.fwctrl_lps, bool, 0444);
- module_param_named(msi, rtl8821ae_mod_params.msi_support, bool, 0444);
- module_param_named(disable_watchdog, rtl8821ae_mod_params.disable_watchdog,
- 		   bool, 0444);
-+module_param_named(int_clear, rtl8821ae_mod_params.int_clear, bool, 0444);
- MODULE_PARM_DESC(swenc, "Set to 1 for software crypto (default 0)\n");
- MODULE_PARM_DESC(ips, "Set to 0 to not use link power save (default 1)\n");
- MODULE_PARM_DESC(swlps, "Set to 1 to use SW control power save (default 0)\n");
-@@ -444,6 +448,7 @@ MODULE_PARM_DESC(fwlps, "Set to 1 to use FW control power save (default 1)\n");
- MODULE_PARM_DESC(msi, "Set to 1 to use MSI interrupts mode (default 1)\n");
- MODULE_PARM_DESC(debug, "Set debug level (0-5) (default 0)");
- MODULE_PARM_DESC(disable_watchdog, "Set to 1 to disable the watchdog (default 0)\n");
-+MODULE_PARM_DESC(int_clear, "Set to 1 to disable interrupt clear before set (default 0)\n");
- 
- static SIMPLE_DEV_PM_OPS(rtlwifi_pm_ops, rtl_pci_suspend, rtl_pci_resume);
- 
-diff --git a/drivers/net/wireless/rtlwifi/wifi.h b/drivers/net/wireless/rtlwifi/wifi.h
-index 2b770b5..0a3570a 100644
---- a/drivers/net/wireless/rtlwifi/wifi.h
-+++ b/drivers/net/wireless/rtlwifi/wifi.h
-@@ -2234,6 +2234,9 @@ struct rtl_mod_params {
- 
- 	/* default 0: 1 means disable */
- 	bool disable_watchdog;
-+
-+	/* default 0: 1 means do not disable interrupts */
-+	bool int_clear;
- };
- 
- struct rtl_hal_usbint_cfg {
-diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index 312f23a..9261868 100644
---- a/drivers/pci/pci-sysfs.c
-+++ b/drivers/pci/pci-sysfs.c
-@@ -216,7 +216,7 @@ static ssize_t numa_node_store(struct device *dev,
- 	if (ret)
- 		return ret;
- 
--	if (!node_online(node))
-+	if (node >= MAX_NUMNODES || !node_online(node))
- 		return -EINVAL;
- 
- 	add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK);
-diff --git a/drivers/pinctrl/intel/pinctrl-baytrail.c b/drivers/pinctrl/intel/pinctrl-baytrail.c
-index 2062c22..b260221 100644
---- a/drivers/pinctrl/intel/pinctrl-baytrail.c
-+++ b/drivers/pinctrl/intel/pinctrl-baytrail.c
-@@ -146,7 +146,7 @@ struct byt_gpio_pin_context {
- struct byt_gpio {
- 	struct gpio_chip		chip;
- 	struct platform_device		*pdev;
--	spinlock_t			lock;
-+	raw_spinlock_t			lock;
- 	void __iomem			*reg_base;
- 	struct pinctrl_gpio_range	*range;
- 	struct byt_gpio_pin_context	*saved_context;
-@@ -174,11 +174,11 @@ static void byt_gpio_clear_triggering(struct byt_gpio *vg, unsigned offset)
- 	unsigned long flags;
- 	u32 value;
- 
--	spin_lock_irqsave(&vg->lock, flags);
-+	raw_spin_lock_irqsave(&vg->lock, flags);
- 	value = readl(reg);
- 	value &= ~(BYT_TRIG_POS | BYT_TRIG_NEG | BYT_TRIG_LVL);
- 	writel(value, reg);
--	spin_unlock_irqrestore(&vg->lock, flags);
-+	raw_spin_unlock_irqrestore(&vg->lock, flags);
- }
- 
- static u32 byt_get_gpio_mux(struct byt_gpio *vg, unsigned offset)
-@@ -201,6 +201,9 @@ static int byt_gpio_request(struct gpio_chip *chip, unsigned offset)
- 	struct byt_gpio *vg = to_byt_gpio(chip);
- 	void __iomem *reg = byt_gpio_reg(chip, offset, BYT_CONF0_REG);
- 	u32 value, gpio_mux;
-+	unsigned long flags;
-+
-+	raw_spin_lock_irqsave(&vg->lock, flags);
- 
- 	/*
- 	 * In most cases, func pin mux 000 means GPIO function.
-@@ -214,18 +217,16 @@ static int byt_gpio_request(struct gpio_chip *chip, unsigned offset)
- 	value = readl(reg) & BYT_PIN_MUX;
- 	gpio_mux = byt_get_gpio_mux(vg, offset);
- 	if (WARN_ON(gpio_mux != value)) {
--		unsigned long flags;
--
--		spin_lock_irqsave(&vg->lock, flags);
- 		value = readl(reg) & ~BYT_PIN_MUX;
- 		value |= gpio_mux;
- 		writel(value, reg);
--		spin_unlock_irqrestore(&vg->lock, flags);
- 
- 		dev_warn(&vg->pdev->dev,
- 			 "pin %u forcibly re-configured as GPIO\n", offset);
- 	}
- 
-+	raw_spin_unlock_irqrestore(&vg->lock, flags);
-+
- 	pm_runtime_get(&vg->pdev->dev);
- 
- 	return 0;
-@@ -250,7 +251,7 @@ static int byt_irq_type(struct irq_data *d, unsigned type)
- 	if (offset >= vg->chip.ngpio)
- 		return -EINVAL;
- 
--	spin_lock_irqsave(&vg->lock, flags);
-+	raw_spin_lock_irqsave(&vg->lock, flags);
- 	value = readl(reg);
- 
- 	WARN(value & BYT_DIRECT_IRQ_EN,
-@@ -269,7 +270,7 @@ static int byt_irq_type(struct irq_data *d, unsigned type)
- 	else if (type & IRQ_TYPE_LEVEL_MASK)
- 		__irq_set_handler_locked(d->irq, handle_level_irq);
- 
--	spin_unlock_irqrestore(&vg->lock, flags);
-+	raw_spin_unlock_irqrestore(&vg->lock, flags);
- 
- 	return 0;
- }
-@@ -277,7 +278,15 @@ static int byt_irq_type(struct irq_data *d, unsigned type)
- static int byt_gpio_get(struct gpio_chip *chip, unsigned offset)
- {
- 	void __iomem *reg = byt_gpio_reg(chip, offset, BYT_VAL_REG);
--	return readl(reg) & BYT_LEVEL;
-+	struct byt_gpio *vg = to_byt_gpio(chip);
-+	unsigned long flags;
-+	u32 val;
-+
-+	raw_spin_lock_irqsave(&vg->lock, flags);
-+	val = readl(reg);
-+	raw_spin_unlock_irqrestore(&vg->lock, flags);
-+
-+	return val & BYT_LEVEL;
- }
- 
- static void byt_gpio_set(struct gpio_chip *chip, unsigned offset, int value)
-@@ -287,7 +296,7 @@ static void byt_gpio_set(struct gpio_chip *chip, unsigned offset, int value)
- 	unsigned long flags;
- 	u32 old_val;
- 
--	spin_lock_irqsave(&vg->lock, flags);
-+	raw_spin_lock_irqsave(&vg->lock, flags);
- 
- 	old_val = readl(reg);
- 
-@@ -296,7 +305,7 @@ static void byt_gpio_set(struct gpio_chip *chip, unsigned offset, int value)
- 	else
- 		writel(old_val & ~BYT_LEVEL, reg);
- 
--	spin_unlock_irqrestore(&vg->lock, flags);
-+	raw_spin_unlock_irqrestore(&vg->lock, flags);
- }
- 
- static int byt_gpio_direction_input(struct gpio_chip *chip, unsigned offset)
-@@ -306,13 +315,13 @@ static int byt_gpio_direction_input(struct gpio_chip *chip, unsigned offset)
- 	unsigned long flags;
- 	u32 value;
- 
--	spin_lock_irqsave(&vg->lock, flags);
-+	raw_spin_lock_irqsave(&vg->lock, flags);
- 
- 	value = readl(reg) | BYT_DIR_MASK;
- 	value &= ~BYT_INPUT_EN;		/* active low */
- 	writel(value, reg);
- 
--	spin_unlock_irqrestore(&vg->lock, flags);
-+	raw_spin_unlock_irqrestore(&vg->lock, flags);
- 
- 	return 0;
- }
-@@ -326,7 +335,7 @@ static int byt_gpio_direction_output(struct gpio_chip *chip,
- 	unsigned long flags;
- 	u32 reg_val;
- 
--	spin_lock_irqsave(&vg->lock, flags);
-+	raw_spin_lock_irqsave(&vg->lock, flags);
- 
- 	/*
- 	 * Before making any direction modifications, do a check if gpio
-@@ -345,7 +354,7 @@ static int byt_gpio_direction_output(struct gpio_chip *chip,
- 	else
- 		writel(reg_val & ~BYT_LEVEL, reg);
- 
--	spin_unlock_irqrestore(&vg->lock, flags);
-+	raw_spin_unlock_irqrestore(&vg->lock, flags);
- 
- 	return 0;
- }
-@@ -354,18 +363,19 @@ static void byt_gpio_dbg_show(struct seq_file *s, struct gpio_chip *chip)
- {
- 	struct byt_gpio *vg = to_byt_gpio(chip);
- 	int i;
--	unsigned long flags;
- 	u32 conf0, val, offs;
- 
--	spin_lock_irqsave(&vg->lock, flags);
--
- 	for (i = 0; i < vg->chip.ngpio; i++) {
- 		const char *pull_str = NULL;
- 		const char *pull = NULL;
-+		unsigned long flags;
- 		const char *label;
- 		offs = vg->range->pins[i] * 16;
-+
-+		raw_spin_lock_irqsave(&vg->lock, flags);
- 		conf0 = readl(vg->reg_base + offs + BYT_CONF0_REG);
- 		val = readl(vg->reg_base + offs + BYT_VAL_REG);
-+		raw_spin_unlock_irqrestore(&vg->lock, flags);
- 
- 		label = gpiochip_is_requested(chip, i);
- 		if (!label)
-@@ -418,7 +428,6 @@ static void byt_gpio_dbg_show(struct seq_file *s, struct gpio_chip *chip)
- 
- 		seq_puts(s, "\n");
- 	}
--	spin_unlock_irqrestore(&vg->lock, flags);
- }
- 
- static void byt_gpio_irq_handler(unsigned irq, struct irq_desc *desc)
-@@ -450,8 +459,10 @@ static void byt_irq_ack(struct irq_data *d)
- 	unsigned offset = irqd_to_hwirq(d);
- 	void __iomem *reg;
- 
-+	raw_spin_lock(&vg->lock);
- 	reg = byt_gpio_reg(&vg->chip, offset, BYT_INT_STAT_REG);
- 	writel(BIT(offset % 32), reg);
-+	raw_spin_unlock(&vg->lock);
- }
- 
- static void byt_irq_unmask(struct irq_data *d)
-@@ -463,9 +474,9 @@ static void byt_irq_unmask(struct irq_data *d)
- 	void __iomem *reg;
- 	u32 value;
- 
--	spin_lock_irqsave(&vg->lock, flags);
--
- 	reg = byt_gpio_reg(&vg->chip, offset, BYT_CONF0_REG);
-+
-+	raw_spin_lock_irqsave(&vg->lock, flags);
- 	value = readl(reg);
- 
- 	switch (irqd_get_trigger_type(d)) {
-@@ -486,7 +497,7 @@ static void byt_irq_unmask(struct irq_data *d)
- 
- 	writel(value, reg);
- 
--	spin_unlock_irqrestore(&vg->lock, flags);
-+	raw_spin_unlock_irqrestore(&vg->lock, flags);
- }
- 
- static void byt_irq_mask(struct irq_data *d)
-@@ -578,7 +589,7 @@ static int byt_gpio_probe(struct platform_device *pdev)
- 	if (IS_ERR(vg->reg_base))
- 		return PTR_ERR(vg->reg_base);
- 
--	spin_lock_init(&vg->lock);
-+	raw_spin_lock_init(&vg->lock);
- 
- 	gc = &vg->chip;
- 	gc->label = dev_name(&pdev->dev);
-diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c
-index 454536c..9c78074 100644
---- a/drivers/scsi/mvsas/mv_sas.c
-+++ b/drivers/scsi/mvsas/mv_sas.c
-@@ -887,6 +887,8 @@ static void mvs_slot_free(struct mvs_info *mvi, u32 rx_desc)
- static void mvs_slot_task_free(struct mvs_info *mvi, struct sas_task *task,
- 			  struct mvs_slot_info *slot, u32 slot_idx)
- {
-+	if (!slot)
-+		return;
- 	if (!slot->task)
- 		return;
- 	if (!sas_protocol_ata(task->task_proto))
-diff --git a/drivers/staging/iio/accel/sca3000_ring.c b/drivers/staging/iio/accel/sca3000_ring.c
-index 23685e7..bd2c69f 100644
---- a/drivers/staging/iio/accel/sca3000_ring.c
-+++ b/drivers/staging/iio/accel/sca3000_ring.c
-@@ -116,7 +116,7 @@ static int sca3000_read_first_n_hw_rb(struct iio_buffer *r,
- 	if (ret)
- 		goto error_ret;
- 
--	for (i = 0; i < num_read; i++)
-+	for (i = 0; i < num_read / sizeof(u16); i++)
- 		*(((u16 *)rx) + i) = be16_to_cpup((__be16 *)rx + i);
- 
- 	if (copy_to_user(buf, rx, num_read))
-diff --git a/drivers/staging/iio/adc/mxs-lradc.c b/drivers/staging/iio/adc/mxs-lradc.c
-index d7c5223..2931ea9 100644
---- a/drivers/staging/iio/adc/mxs-lradc.c
-+++ b/drivers/staging/iio/adc/mxs-lradc.c
-@@ -919,11 +919,12 @@ static int mxs_lradc_read_raw(struct iio_dev *iio_dev,
- 	case IIO_CHAN_INFO_OFFSET:
- 		if (chan->type == IIO_TEMP) {
- 			/* The calculated value from the ADC is in Kelvin, we
--			 * want Celsius for hwmon so the offset is
--			 * -272.15 * scale
-+			 * want Celsius for hwmon so the offset is -273.15
-+			 * The offset is applied before scaling so it is
-+			 * actually -213.15 * 4 / 1.012 = -1079.644268
- 			 */
--			*val = -1075;
--			*val2 = 691699;
-+			*val = -1079;
-+			*val2 = 644268;
- 
- 			return IIO_VAL_INT_PLUS_MICRO;
- 		}
-diff --git a/drivers/thermal/samsung/exynos_tmu.c b/drivers/thermal/samsung/exynos_tmu.c
-index c96ff10..af68d06 100644
---- a/drivers/thermal/samsung/exynos_tmu.c
-+++ b/drivers/thermal/samsung/exynos_tmu.c
-@@ -933,7 +933,7 @@ static void exynos4412_tmu_set_emulation(struct exynos_tmu_data *data,
- 
- 	if (data->soc == SOC_ARCH_EXYNOS5260)
- 		emul_con = EXYNOS5260_EMUL_CON;
--	if (data->soc == SOC_ARCH_EXYNOS5433)
-+	else if (data->soc == SOC_ARCH_EXYNOS5433)
- 		emul_con = EXYNOS5433_TMU_EMUL_CON;
- 	else if (data->soc == SOC_ARCH_EXYNOS7)
- 		emul_con = EXYNOS7_TMU_REG_EMUL_CON;
-diff --git a/drivers/tty/serial/8250/8250_dma.c b/drivers/tty/serial/8250/8250_dma.c
-index 21d01a4..e508939 100644
---- a/drivers/tty/serial/8250/8250_dma.c
-+++ b/drivers/tty/serial/8250/8250_dma.c
-@@ -80,10 +80,6 @@ int serial8250_tx_dma(struct uart_8250_port *p)
- 		return 0;
- 
- 	dma->tx_size = CIRC_CNT_TO_END(xmit->head, xmit->tail, UART_XMIT_SIZE);
--	if (dma->tx_size < p->port.fifosize) {
--		ret = -EINVAL;
--		goto err;
--	}
- 
- 	desc = dmaengine_prep_slave_single(dma->txchan,
- 					   dma->tx_addr + xmit->tail,
-diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
-index c79d336..c47d3e4 100644
---- a/drivers/usb/host/xhci-pci.c
-+++ b/drivers/usb/host/xhci-pci.c
-@@ -147,6 +147,7 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
- 	if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
- 		pdev->device == PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI) {
- 		xhci->quirks |= XHCI_SPURIOUS_REBOOT;
-+		xhci->quirks |= XHCI_SPURIOUS_WAKEUP;
- 	}
- 	if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
- 		(pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI ||
-diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
-index 8aadf3d..63041c1 100644
---- a/drivers/usb/host/xhci-ring.c
-+++ b/drivers/usb/host/xhci-ring.c
-@@ -2239,6 +2239,7 @@ static int handle_tx_event(struct xhci_hcd *xhci,
- 	u32 trb_comp_code;
- 	int ret = 0;
- 	int td_num = 0;
-+	bool handling_skipped_tds = false;
- 
- 	slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags));
- 	xdev = xhci->devs[slot_id];
-@@ -2372,6 +2373,10 @@ static int handle_tx_event(struct xhci_hcd *xhci,
- 		ep->skip = true;
- 		xhci_dbg(xhci, "Miss service interval error, set skip flag\n");
- 		goto cleanup;
-+	case COMP_PING_ERR:
-+		ep->skip = true;
-+		xhci_dbg(xhci, "No Ping response error, Skip one Isoc TD\n");
-+		goto cleanup;
- 	default:
- 		if (xhci_is_vendor_info_code(xhci, trb_comp_code)) {
- 			status = 0;
-@@ -2508,13 +2513,18 @@ static int handle_tx_event(struct xhci_hcd *xhci,
- 						 ep, &status);
- 
- cleanup:
-+
-+
-+		handling_skipped_tds = ep->skip &&
-+			trb_comp_code != COMP_MISSED_INT &&
-+			trb_comp_code != COMP_PING_ERR;
-+
- 		/*
--		 * Do not update event ring dequeue pointer if ep->skip is set.
--		 * Will roll back to continue process missed tds.
-+		 * Do not update event ring dequeue pointer if we're in a loop
-+		 * processing missed tds.
- 		 */
--		if (trb_comp_code == COMP_MISSED_INT || !ep->skip) {
-+		if (!handling_skipped_tds)
- 			inc_deq(xhci, xhci->event_ring);
--		}
- 
- 		if (ret) {
- 			urb = td->urb;
-@@ -2549,7 +2559,7 @@ cleanup:
- 	 * Process them as short transfer until reach the td pointed by
- 	 * the event.
- 	 */
--	} while (ep->skip && trb_comp_code != COMP_MISSED_INT);
-+	} while (handling_skipped_tds);
- 
- 	return 0;
- }
-diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
-index ebcec8c..f49d262 100644
---- a/drivers/usb/serial/qcserial.c
-+++ b/drivers/usb/serial/qcserial.c
-@@ -153,6 +153,8 @@ static const struct usb_device_id id_table[] = {
- 	{DEVICE_SWI(0x1199, 0x9056)},	/* Sierra Wireless Modem */
- 	{DEVICE_SWI(0x1199, 0x9060)},	/* Sierra Wireless Modem */
- 	{DEVICE_SWI(0x1199, 0x9061)},	/* Sierra Wireless Modem */
-+	{DEVICE_SWI(0x1199, 0x9070)},	/* Sierra Wireless MC74xx/EM74xx */
-+	{DEVICE_SWI(0x1199, 0x9071)},	/* Sierra Wireless MC74xx/EM74xx */
- 	{DEVICE_SWI(0x413c, 0x81a2)},	/* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */
- 	{DEVICE_SWI(0x413c, 0x81a3)},	/* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */
- 	{DEVICE_SWI(0x413c, 0x81a4)},	/* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
-diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c
-index 1aaf893..92f3949 100644
---- a/drivers/video/console/fbcon.c
-+++ b/drivers/video/console/fbcon.c
-@@ -1093,6 +1093,7 @@ static void fbcon_init(struct vc_data *vc, int init)
- 		con_copy_unimap(vc, svc);
- 
- 	ops = info->fbcon_par;
-+	ops->cur_blink_jiffies = msecs_to_jiffies(vc->vc_cur_blink_ms);
- 	p->con_rotate = initial_rotation;
- 	set_blitting_type(vc, info);
- 
-diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
-index f490b61..641d3dc 100644
---- a/fs/btrfs/ioctl.c
-+++ b/fs/btrfs/ioctl.c
-@@ -4649,7 +4649,7 @@ locked:
- 
- 	if (bctl->flags & ~(BTRFS_BALANCE_ARGS_MASK | BTRFS_BALANCE_TYPE_MASK)) {
- 		ret = -EINVAL;
--		goto out_bargs;
-+		goto out_bctl;
- 	}
- 
- do_balance:
-@@ -4663,12 +4663,15 @@ do_balance:
- 	need_unlock = false;
- 
- 	ret = btrfs_balance(bctl, bargs);
-+	bctl = NULL;
- 
- 	if (arg) {
- 		if (copy_to_user(arg, bargs, sizeof(*bargs)))
- 			ret = -EFAULT;
- 	}
- 
-+out_bctl:
-+	kfree(bctl);
- out_bargs:
- 	kfree(bargs);
- out_unlock:
-diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
-index 84d693d..871fcb6 100644
---- a/fs/overlayfs/copy_up.c
-+++ b/fs/overlayfs/copy_up.c
-@@ -81,11 +81,11 @@ static int ovl_copy_up_data(struct path *old, struct path *new, loff_t len)
- 	if (len == 0)
- 		return 0;
- 
--	old_file = ovl_path_open(old, O_RDONLY);
-+	old_file = ovl_path_open(old, O_LARGEFILE | O_RDONLY);
- 	if (IS_ERR(old_file))
- 		return PTR_ERR(old_file);
- 
--	new_file = ovl_path_open(new, O_WRONLY);
-+	new_file = ovl_path_open(new, O_LARGEFILE | O_WRONLY);
- 	if (IS_ERR(new_file)) {
- 		error = PTR_ERR(new_file);
- 		goto out_fput;
-@@ -267,7 +267,7 @@ out:
- 
- out_cleanup:
- 	ovl_cleanup(wdir, newdentry);
--	goto out;
-+	goto out2;
- }
- 
- /*
-diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
-index d9da5a4..ec0c2a0 100644
---- a/fs/overlayfs/inode.c
-+++ b/fs/overlayfs/inode.c
-@@ -363,6 +363,9 @@ struct inode *ovl_d_select_inode(struct dentry *dentry, unsigned file_flags)
- 		ovl_path_upper(dentry, &realpath);
- 	}
- 
-+	if (realpath.dentry->d_flags & DCACHE_OP_SELECT_INODE)
-+		return realpath.dentry->d_op->d_select_inode(realpath.dentry, file_flags);
-+
- 	return d_backing_inode(realpath.dentry);
- }
- 
-diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
-index 79073d6..e38ee0f 100644
---- a/fs/overlayfs/super.c
-+++ b/fs/overlayfs/super.c
-@@ -544,6 +544,7 @@ static void ovl_put_super(struct super_block *sb)
- 	mntput(ufs->upper_mnt);
- 	for (i = 0; i < ufs->numlower; i++)
- 		mntput(ufs->lower_mnt[i]);
-+	kfree(ufs->lower_mnt);
- 
- 	kfree(ufs->config.lowerdir);
- 	kfree(ufs->config.upperdir);
-@@ -1048,6 +1049,7 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
- 		oe->lowerstack[i].dentry = stack[i].dentry;
- 		oe->lowerstack[i].mnt = ufs->lower_mnt[i];
- 	}
-+	kfree(stack);
- 
- 	root_dentry->d_fsdata = oe;
- 
-diff --git a/include/linux/backing-dev.h b/include/linux/backing-dev.h
-index 0fe9df9..fe0ab98 100644
---- a/include/linux/backing-dev.h
-+++ b/include/linux/backing-dev.h
-@@ -18,13 +18,17 @@
- #include <linux/slab.h>
- 
- int __must_check bdi_init(struct backing_dev_info *bdi);
--void bdi_destroy(struct backing_dev_info *bdi);
-+void bdi_exit(struct backing_dev_info *bdi);
- 
- __printf(3, 4)
- int bdi_register(struct backing_dev_info *bdi, struct device *parent,
- 		const char *fmt, ...);
- int bdi_register_dev(struct backing_dev_info *bdi, dev_t dev);
-+void bdi_unregister(struct backing_dev_info *bdi);
-+
- int __must_check bdi_setup_and_register(struct backing_dev_info *, char *);
-+void bdi_destroy(struct backing_dev_info *bdi);
-+
- void wb_start_writeback(struct bdi_writeback *wb, long nr_pages,
- 			bool range_cyclic, enum wb_reason reason);
- void wb_start_background_writeback(struct bdi_writeback *wb);
-diff --git a/include/linux/omap-dma.h b/include/linux/omap-dma.h
-index e5a7013..88fa8af 100644
---- a/include/linux/omap-dma.h
-+++ b/include/linux/omap-dma.h
-@@ -17,7 +17,7 @@
- 
- #include <linux/platform_device.h>
- 
--#define INT_DMA_LCD			25
-+#define INT_DMA_LCD			(NR_IRQS_LEGACY + 25)
- 
- #define OMAP1_DMA_TOUT_IRQ		(1 << 0)
- #define OMAP_DMA_DROP_IRQ		(1 << 1)
-diff --git a/include/sound/soc.h b/include/sound/soc.h
-index 93df8bf..334d0d2 100644
---- a/include/sound/soc.h
-+++ b/include/sound/soc.h
-@@ -86,7 +86,7 @@
- 	.access = SNDRV_CTL_ELEM_ACCESS_TLV_READ | \
- 	SNDRV_CTL_ELEM_ACCESS_READWRITE, \
- 	.tlv.p  = (tlv_array),\
--	.info = snd_soc_info_volsw, \
-+	.info = snd_soc_info_volsw_sx, \
- 	.get = snd_soc_get_volsw_sx,\
- 	.put = snd_soc_put_volsw_sx, \
- 	.private_value = (unsigned long)&(struct soc_mixer_control) \
-@@ -156,7 +156,7 @@
- 	.access = SNDRV_CTL_ELEM_ACCESS_TLV_READ | \
- 	SNDRV_CTL_ELEM_ACCESS_READWRITE, \
- 	.tlv.p  = (tlv_array), \
--	.info = snd_soc_info_volsw, \
-+	.info = snd_soc_info_volsw_sx, \
- 	.get = snd_soc_get_volsw_sx, \
- 	.put = snd_soc_put_volsw_sx, \
- 	.private_value = (unsigned long)&(struct soc_mixer_control) \
-@@ -573,6 +573,8 @@ int snd_soc_put_enum_double(struct snd_kcontrol *kcontrol,
- 	struct snd_ctl_elem_value *ucontrol);
- int snd_soc_info_volsw(struct snd_kcontrol *kcontrol,
- 	struct snd_ctl_elem_info *uinfo);
-+int snd_soc_info_volsw_sx(struct snd_kcontrol *kcontrol,
-+			  struct snd_ctl_elem_info *uinfo);
- #define snd_soc_info_bool_ext		snd_ctl_boolean_mono_info
- int snd_soc_get_volsw(struct snd_kcontrol *kcontrol,
- 	struct snd_ctl_elem_value *ucontrol);
-diff --git a/include/sound/wm8904.h b/include/sound/wm8904.h
-index 898be3a..6d8f8fb 100644
---- a/include/sound/wm8904.h
-+++ b/include/sound/wm8904.h
-@@ -119,7 +119,7 @@
- #define WM8904_MIC_REGS  2
- #define WM8904_GPIO_REGS 4
- #define WM8904_DRC_REGS  4
--#define WM8904_EQ_REGS   25
-+#define WM8904_EQ_REGS   24
- 
- /**
-  * DRC configurations are specified with a label and a set of register
-diff --git a/kernel/module.c b/kernel/module.c
-index b86b7bf..8f051a1 100644
---- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -1063,11 +1063,15 @@ void symbol_put_addr(void *addr)
- 	if (core_kernel_text(a))
- 		return;
- 
--	/* module_text_address is safe here: we're supposed to have reference
--	 * to module from symbol_get, so it can't go away. */
-+	/*
-+	 * Even though we hold a reference on the module; we still need to
-+	 * disable preemption in order to safely traverse the data structure.
-+	 */
-+	preempt_disable();
- 	modaddr = __module_text_address(a);
- 	BUG_ON(!modaddr);
- 	module_put(modaddr);
-+	preempt_enable();
- }
- EXPORT_SYMBOL_GPL(symbol_put_addr);
- 
-diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
-index 0a17af35..da7f826 100644
---- a/kernel/sched/deadline.c
-+++ b/kernel/sched/deadline.c
-@@ -1066,8 +1066,9 @@ select_task_rq_dl(struct task_struct *p, int cpu, int sd_flag, int flags)
- 		int target = find_later_rq(p);
- 
- 		if (target != -1 &&
--				dl_time_before(p->dl.deadline,
--					cpu_rq(target)->dl.earliest_dl.curr))
-+				(dl_time_before(p->dl.deadline,
-+					cpu_rq(target)->dl.earliest_dl.curr) ||
-+				(cpu_rq(target)->dl.dl_nr_running == 0)))
- 			cpu = target;
- 	}
- 	rcu_read_unlock();
-@@ -1417,7 +1418,8 @@ static struct rq *find_lock_later_rq(struct task_struct *task, struct rq *rq)
- 
- 		later_rq = cpu_rq(cpu);
- 
--		if (!dl_time_before(task->dl.deadline,
-+		if (later_rq->dl.dl_nr_running &&
-+		    !dl_time_before(task->dl.deadline,
- 					later_rq->dl.earliest_dl.curr)) {
- 			/*
- 			 * Target rq has tasks of equal or earlier deadline,
-diff --git a/kernel/trace/trace_stack.c b/kernel/trace/trace_stack.c
-index 3f34496..9696901 100644
---- a/kernel/trace/trace_stack.c
-+++ b/kernel/trace/trace_stack.c
-@@ -94,6 +94,12 @@ check_stack(unsigned long ip, unsigned long *stack)
- 	local_irq_save(flags);
- 	arch_spin_lock(&max_stack_lock);
- 
-+	/*
-+	 * RCU may not be watching, make it see us.
-+	 * The stack trace code uses rcu_sched.
-+	 */
-+	rcu_irq_enter();
-+
- 	/* In case another CPU set the tracer_frame on us */
- 	if (unlikely(!frame_size))
- 		this_size -= tracer_frame;
-@@ -174,6 +180,7 @@ check_stack(unsigned long ip, unsigned long *stack)
- 	}
- 
-  out:
-+	rcu_irq_exit();
- 	arch_spin_unlock(&max_stack_lock);
- 	local_irq_restore(flags);
- }
-diff --git a/lib/fault-inject.c b/lib/fault-inject.c
-index f1cdeb0..6a823a5 100644
---- a/lib/fault-inject.c
-+++ b/lib/fault-inject.c
-@@ -44,7 +44,7 @@ static void fail_dump(struct fault_attr *attr)
- 		printk(KERN_NOTICE "FAULT_INJECTION: forcing a failure.\n"
- 		       "name %pd, interval %lu, probability %lu, "
- 		       "space %d, times %d\n", attr->dname,
--		       attr->probability, attr->interval,
-+		       attr->interval, attr->probability,
- 		       atomic_read(&attr->space),
- 		       atomic_read(&attr->times));
- 		if (attr->verbose > 1)
-diff --git a/mm/backing-dev.c b/mm/backing-dev.c
-index dac5bf5..dc07d88 100644
---- a/mm/backing-dev.c
-+++ b/mm/backing-dev.c
-@@ -823,7 +823,7 @@ static void bdi_remove_from_list(struct backing_dev_info *bdi)
- 	synchronize_rcu_expedited();
- }
- 
--void bdi_destroy(struct backing_dev_info *bdi)
-+void bdi_unregister(struct backing_dev_info *bdi)
- {
- 	/* make sure nobody finds us on the bdi_list anymore */
- 	bdi_remove_from_list(bdi);
-@@ -835,9 +835,19 @@ void bdi_destroy(struct backing_dev_info *bdi)
- 		device_unregister(bdi->dev);
- 		bdi->dev = NULL;
- 	}
-+}
- 
-+void bdi_exit(struct backing_dev_info *bdi)
-+{
-+	WARN_ON_ONCE(bdi->dev);
- 	wb_exit(&bdi->wb);
- }
-+
-+void bdi_destroy(struct backing_dev_info *bdi)
-+{
-+	bdi_unregister(bdi);
-+	bdi_exit(bdi);
-+}
- EXPORT_SYMBOL(bdi_destroy);
- 
- /*
-diff --git a/mm/filemap.c b/mm/filemap.c
-index 1283fc8..3fd68ee 100644
---- a/mm/filemap.c
-+++ b/mm/filemap.c
-@@ -2488,6 +2488,11 @@ again:
- 			break;
- 		}
- 
-+		if (fatal_signal_pending(current)) {
-+			status = -EINTR;
-+			break;
-+		}
-+
- 		status = a_ops->write_begin(file, mapping, pos, bytes, flags,
- 						&page, &fsdata);
- 		if (unlikely(status < 0))
-@@ -2525,10 +2530,6 @@ again:
- 		written += copied;
- 
- 		balance_dirty_pages_ratelimited(mapping);
--		if (fatal_signal_pending(current)) {
--			status = -EINTR;
--			break;
--		}
- 	} while (iov_iter_count(i));
- 
- 	return written ? written : status;
-diff --git a/mm/huge_memory.c b/mm/huge_memory.c
-index 097c7a4..da0ac6a 100644
---- a/mm/huge_memory.c
-+++ b/mm/huge_memory.c
-@@ -2132,7 +2132,8 @@ static int __collapse_huge_page_isolate(struct vm_area_struct *vma,
- 	for (_pte = pte; _pte < pte+HPAGE_PMD_NR;
- 	     _pte++, address += PAGE_SIZE) {
- 		pte_t pteval = *_pte;
--		if (pte_none(pteval) || is_zero_pfn(pte_pfn(pteval))) {
-+		if (pte_none(pteval) || (pte_present(pteval) &&
-+			is_zero_pfn(pte_pfn(pteval)))) {
- 			if (++none_or_zero <= khugepaged_max_ptes_none)
- 				continue;
- 			else
-diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c
-index 3ea8b7d..58d9a81 100644
---- a/net/mac80211/debugfs.c
-+++ b/net/mac80211/debugfs.c
-@@ -148,7 +148,7 @@ static ssize_t hwflags_read(struct file *file, char __user *user_buf,
- 
- 	for (i = 0; i < NUM_IEEE80211_HW_FLAGS; i++) {
- 		if (test_bit(i, local->hw.flags))
--			pos += scnprintf(pos, end - pos, "%s",
-+			pos += scnprintf(pos, end - pos, "%s\n",
- 					 hw_flag_names[i]);
- 	}
- 
-diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
-index a1fe537..5a30ce6 100644
---- a/net/netfilter/ipset/ip_set_list_set.c
-+++ b/net/netfilter/ipset/ip_set_list_set.c
-@@ -297,7 +297,7 @@ list_set_uadd(struct ip_set *set, void *value, const struct ip_set_ext *ext,
- 	      ip_set_timeout_expired(ext_timeout(n, set))))
- 		n =  NULL;
- 
--	e = kzalloc(set->dsize, GFP_KERNEL);
-+	e = kzalloc(set->dsize, GFP_ATOMIC);
- 	if (!e)
- 		return -ENOMEM;
- 	e->id = d->id;
-diff --git a/sound/hda/ext/hdac_ext_bus.c b/sound/hda/ext/hdac_ext_bus.c
-index 0aa5d9e..d85aa1a 100644
---- a/sound/hda/ext/hdac_ext_bus.c
-+++ b/sound/hda/ext/hdac_ext_bus.c
-@@ -19,6 +19,7 @@
- 
- #include <linux/module.h>
- #include <linux/slab.h>
-+#include <linux/io.h>
- #include <sound/hdaudio_ext.h>
- 
- MODULE_DESCRIPTION("HDA extended core");
-diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
-index d1a2cb6..ca37446 100644
---- a/sound/pci/hda/hda_codec.c
-+++ b/sound/pci/hda/hda_codec.c
-@@ -3438,10 +3438,8 @@ int snd_hda_codec_build_pcms(struct hda_codec *codec)
- 	int dev, err;
- 
- 	err = snd_hda_codec_parse_pcms(codec);
--	if (err < 0) {
--		snd_hda_codec_reset(codec);
-+	if (err < 0)
- 		return err;
--	}
- 
- 	/* attach a new PCM streams */
- 	list_for_each_entry(cpcm, &codec->pcm_list_head, list) {
-diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
-index ca03c40..2f0ec7c 100644
---- a/sound/pci/hda/patch_conexant.c
-+++ b/sound/pci/hda/patch_conexant.c
-@@ -819,6 +819,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
- 	SND_PCI_QUIRK(0x17aa, 0x21da, "Lenovo X220", CXT_PINCFG_LENOVO_TP410),
- 	SND_PCI_QUIRK(0x17aa, 0x21db, "Lenovo X220-tablet", CXT_PINCFG_LENOVO_TP410),
- 	SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo IdeaPad Z560", CXT_FIXUP_MUTE_LED_EAPD),
-+	SND_PCI_QUIRK(0x17aa, 0x390b, "Lenovo G50-80", CXT_FIXUP_STEREO_DMIC),
- 	SND_PCI_QUIRK(0x17aa, 0x3975, "Lenovo U300s", CXT_FIXUP_STEREO_DMIC),
- 	SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_FIXUP_STEREO_DMIC),
- 	SND_PCI_QUIRK(0x17aa, 0x397b, "Lenovo S205", CXT_FIXUP_STEREO_DMIC),
-diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
-index 100d92b..05977ae 100644
---- a/sound/soc/soc-ops.c
-+++ b/sound/soc/soc-ops.c
-@@ -207,6 +207,34 @@ int snd_soc_info_volsw(struct snd_kcontrol *kcontrol,
- EXPORT_SYMBOL_GPL(snd_soc_info_volsw);
- 
- /**
-+ * snd_soc_info_volsw_sx - Mixer info callback for SX TLV controls
-+ * @kcontrol: mixer control
-+ * @uinfo: control element information
-+ *
-+ * Callback to provide information about a single mixer control, or a double
-+ * mixer control that spans 2 registers of the SX TLV type. SX TLV controls
-+ * have a range that represents both positive and negative values either side
-+ * of zero but without a sign bit.
-+ *
-+ * Returns 0 for success.
-+ */
-+int snd_soc_info_volsw_sx(struct snd_kcontrol *kcontrol,
-+			  struct snd_ctl_elem_info *uinfo)
-+{
-+	struct soc_mixer_control *mc =
-+		(struct soc_mixer_control *)kcontrol->private_value;
-+
-+	snd_soc_info_volsw(kcontrol, uinfo);
-+	/* Max represents the number of levels in an SX control not the
-+	 * maximum value, so add the minimum value back on
-+	 */
-+	uinfo->value.integer.max += mc->min;
-+
-+	return 0;
-+}
-+EXPORT_SYMBOL_GPL(snd_soc_info_volsw_sx);
-+
-+/**
-  * snd_soc_get_volsw - single mixer get callback
-  * @kcontrol: mixer control
-  * @ucontrol: control element information
-diff --git a/virt/kvm/irqchip.c b/virt/kvm/irqchip.c
-index 21c1424..d7ea8e2 100644
---- a/virt/kvm/irqchip.c
-+++ b/virt/kvm/irqchip.c
-@@ -213,11 +213,15 @@ int kvm_set_irq_routing(struct kvm *kvm,
- 			goto out;
- 
- 		r = -EINVAL;
--		if (ue->flags)
-+		if (ue->flags) {
-+			kfree(e);
- 			goto out;
-+		}
- 		r = setup_routing_entry(new, e, ue);
--		if (r)
-+		if (r) {
-+			kfree(e);
- 			goto out;
-+		}
- 		++ue;
- 	}
- 

diff --git a/4.2.6/4420_grsecurity-3.1-4.2.6-201511141543.patch b/4.2.6/4420_grsecurity-3.1-4.2.6-201511172005.patch
similarity index 99%
rename from 4.2.6/4420_grsecurity-3.1-4.2.6-201511141543.patch
rename to 4.2.6/4420_grsecurity-3.1-4.2.6-201511172005.patch
index 27bda59..3806d62 100644
--- a/4.2.6/4420_grsecurity-3.1-4.2.6-201511141543.patch
+++ b/4.2.6/4420_grsecurity-3.1-4.2.6-201511172005.patch
@@ -26061,7 +26061,7 @@ index 0e2d96f..5889003 100644
 +	.fill PAGE_SIZE_asm - GDT_SIZE,1,0
 +	.endr
 diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
-index 1d40ca8..4d38dbd 100644
+index 1d40ca8..2dbedb3 100644
 --- a/arch/x86/kernel/head_64.S
 +++ b/arch/x86/kernel/head_64.S
 @@ -20,6 +20,8 @@
@@ -26086,7 +26086,17 @@ index 1d40ca8..4d38dbd 100644
  
  	.text
  	__HEAD
-@@ -89,11 +97,33 @@ startup_64:
+@@ -65,6 +73,9 @@ startup_64:
+ 	 * tables and then reload them.
+ 	 */
+ 
++	/* Sanitize CPU configuration */
++	call verify_cpu
++
+ 	/*
+ 	 * Compute the delta between the address I am compiled to run at and the
+ 	 * address I am actually running at.
+@@ -89,11 +100,33 @@ startup_64:
  	 * Fixup the physical addresses in the page table
  	 */
  	addq	%rbp, early_level4_pgt + (L4_START_KERNEL*8)(%rip)
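Review bot: The `call verify_cpu` added to startup_64 discards the status that verify_cpu.S documents as returned in %eax (0 success, 1 failure), and nothing in the hunk says this is intended; the same applies to the call added to secondary_startup_64 in the next hunk that touches head_64.S. If the call is made only for its configuration side effects, the comment should say so, e.g. `/* Sanitize CPU configuration; the status in %eax is deliberately ignored */`. The lines shown also do not establish %rsp before the call, so the return address and the routine's pushf/popf use whatever stack the loader left behind. Presumably that stack is valid on every entry path, but it is worth confirming, or loading a known-good stack first. startup_64 continues outside the hunk.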
@@ -26122,11 +26132,15 @@ index 1d40ca8..4d38dbd 100644
  
  	/*
  	 * Set up the identity mapping for the switchover.  These
-@@ -174,11 +204,12 @@ ENTRY(secondary_startup_64)
+@@ -174,11 +207,16 @@ ENTRY(secondary_startup_64)
  	 * after the boot processor executes this code.
  	 */
  
++	/* Sanitize CPU configuration */
++	call verify_cpu
++
 +	orq	$-1, %rbp
++
  	movq	$(init_level4_pgt - __START_KERNEL_map), %rax
  1:
  
@@ -26137,7 +26151,7 @@ index 1d40ca8..4d38dbd 100644
  	movq	%rcx, %cr4
  
  	/* Setup early boot stage 4 level pagetables. */
-@@ -199,10 +230,21 @@ ENTRY(secondary_startup_64)
+@@ -199,10 +237,21 @@ ENTRY(secondary_startup_64)
  	movl	$MSR_EFER, %ecx
  	rdmsr
  	btsl	$_EFER_SCE, %eax	/* Enable System Call */
@@ -26160,7 +26174,7 @@ index 1d40ca8..4d38dbd 100644
  1:	wrmsr				/* Make changes effective */
  
  	/* Setup cr0 */
-@@ -282,6 +324,7 @@ ENTRY(secondary_startup_64)
+@@ -282,12 +331,15 @@ ENTRY(secondary_startup_64)
  	 *	REX.W + FF /5 JMP m16:64 Jump far, absolute indirect,
  	 *		address given in m16:64.
  	 */
@@ -26168,7 +26182,15 @@ index 1d40ca8..4d38dbd 100644
  	movq	initial_code(%rip),%rax
  	pushq	$0		# fake return address to stop unwinder
  	pushq	$__KERNEL_CS	# set correct cs
-@@ -313,7 +356,7 @@ ENDPROC(start_cpu0)
+ 	pushq	%rax		# target address in negative space
+ 	lretq
+ 
++#include "verify_cpu.S"
++
+ #ifdef CONFIG_HOTPLUG_CPU
+ /*
+  * Boot CPU0 entry point. It's called from play_dead(). Everything has been set
+@@ -313,7 +365,7 @@ ENDPROC(start_cpu0)
  	.quad	INIT_PER_CPU_VAR(irq_stack_union)
  
  	GLOBAL(stack_start)
@@ -26177,7 +26199,7 @@ index 1d40ca8..4d38dbd 100644
  	.word  0
  	__FINITDATA
  
-@@ -393,7 +436,7 @@ early_idt_handler_common:
+@@ -393,7 +445,7 @@ early_idt_handler_common:
  	call dump_stack
  #ifdef CONFIG_KALLSYMS	
  	leaq early_idt_ripmsg(%rip),%rdi
@@ -26186,7 +26208,7 @@ index 1d40ca8..4d38dbd 100644
  	call __print_symbol
  #endif
  #endif /* EARLY_PRINTK */
-@@ -422,6 +465,7 @@ ENDPROC(early_idt_handler_common)
+@@ -422,6 +474,7 @@ ENDPROC(early_idt_handler_common)
  early_recursion_flag:
  	.long 0
  
@@ -26194,7 +26216,7 @@ index 1d40ca8..4d38dbd 100644
  #ifdef CONFIG_EARLY_PRINTK
  early_idt_msg:
  	.asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
-@@ -444,40 +488,67 @@ GLOBAL(name)
+@@ -444,40 +497,67 @@ GLOBAL(name)
  	__INITDATA
  NEXT_PAGE(early_level4_pgt)
  	.fill	511,8,0
@@ -26274,7 +26296,7 @@ index 1d40ca8..4d38dbd 100644
  
  NEXT_PAGE(level2_kernel_pgt)
  	/*
-@@ -494,31 +565,79 @@ NEXT_PAGE(level2_kernel_pgt)
+@@ -494,31 +574,79 @@ NEXT_PAGE(level2_kernel_pgt)
  		KERNEL_IMAGE_SIZE/PMD_SIZE)
  
  NEXT_PAGE(level2_fixmap_pgt)
@@ -29417,7 +29439,7 @@ index 6647624..2056791 100644
  		force_sig_info(SIGSEGV, SEND_SIG_FORCED, current);
  	}
 diff --git a/arch/x86/kernel/verify_cpu.S b/arch/x86/kernel/verify_cpu.S
-index b9242ba..50c5edd 100644
+index b9242ba..ae8c9cf 100644
 --- a/arch/x86/kernel/verify_cpu.S
 +++ b/arch/x86/kernel/verify_cpu.S
 @@ -20,6 +20,7 @@
@@ -29428,6 +29450,42 @@ index b9242ba..50c5edd 100644
   *
   *	verify_cpu, returns the status of longmode and SSE in register %eax.
   *		0: Success    1: Failure
+@@ -34,10 +35,11 @@
+ #include <asm/msr-index.h>
+ 
+ verify_cpu:
+-	pushfl				# Save caller passed flags
+-	pushl	$0			# Kill any dangerous flags
+-	popfl
++	pushf				# Save caller passed flags
++	push	$0			# Kill any dangerous flags
++	popf
+ 
++#ifndef __x86_64__
+ 	pushfl				# standard way to check for cpuid
+ 	popl	%eax
+ 	movl	%eax,%ebx
+@@ -48,6 +50,7 @@ verify_cpu:
+ 	popl	%eax
+ 	cmpl	%eax,%ebx
+ 	jz	verify_cpu_no_longmode	# cpu has no cpuid
++#endif
+ 
+ 	movl	$0x0,%eax		# See if cpuid 1 is implemented
+ 	cpuid
+@@ -130,10 +133,10 @@ verify_cpu_sse_test:
+ 	jmp	verify_cpu_sse_test	# try again
+ 
+ verify_cpu_no_longmode:
+-	popfl				# Restore caller passed flags
++	popf				# Restore caller passed flags
+ 	movl $1,%eax
+ 	ret
+ verify_cpu_sse_ok:
+-	popfl				# Restore caller passed flags
++	popf				# Restore caller passed flags
+ 	xorl %eax, %eax
+ 	ret
 diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c
 index fc9db6e..2c5865d 100644
 --- a/arch/x86/kernel/vm86_32.c
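Review bot: With verify_cpu now assembled into the 64-bit entry code, its header comment still documents only the %eax result and not which registers the routine clobbers; the body visibly overwrites %eax and %ebx and executes cpuid, so callers holding live values in %rax–%rdx need to know. I would extend the header with something like `clobbers %eax, %ebx, %ecx, %edx; callers must not keep live values there`, after checking the rest of the file for further registers. A short comment on the new guard, `#ifndef __x86_64__	/* CPUID is always available in 64-bit mode */`, would also explain why the EFLAGS.ID probe is skipped there. The body of verify_cpu extends beyond the lines shown.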
@@ -34763,7 +34821,7 @@ index 844b06d..f363c86 100644
  
  const char *arch_vma_name(struct vm_area_struct *vma)
 diff --git a/arch/x86/mm/mmio-mod.c b/arch/x86/mm/mmio-mod.c
-index 0057a7a..95c7edd 100644
+index 0057a7acc..95c7edd 100644
 --- a/arch/x86/mm/mmio-mod.c
 +++ b/arch/x86/mm/mmio-mod.c
 @@ -194,7 +194,7 @@ static void pre(struct kmmio_probe *p, struct pt_regs *regs,
@@ -86026,11 +86084,11 @@ index 0000000..31f8fe4
 +endmenu
 diff --git a/grsecurity/Makefile b/grsecurity/Makefile
 new file mode 100644
-index 0000000..30ababb
+index 0000000..6fb2175
 --- /dev/null
 +++ b/grsecurity/Makefile
 @@ -0,0 +1,54 @@
-+# grsecurity – access control and security hardening for Linux
++# grsecurity - access control and security hardening for Linux
 +# All code in this directory and various hooks located throughout the Linux kernel are
 +# Copyright (C) 2001-2014 Bradley Spengler, Open Source Security, Inc.
 +# http://www.grsecurity.net spender@grsecurity.net
@@ -103454,6 +103512,24 @@ index d5fe9f2..8da10ed 100644
  void __ip_select_ident(struct net *net, struct iphdr *iph, int segs);
  
  static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb,
+diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h
+index b8529aa..b0f7445 100644
+--- a/include/net/ip6_tunnel.h
++++ b/include/net/ip6_tunnel.h
+@@ -83,11 +83,12 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb,
+ 	err = ip6_local_out_sk(sk, skb);
+ 
+ 	if (net_xmit_eval(err) == 0) {
+-		struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
++		struct pcpu_sw_netstats *tstats = get_cpu_ptr(dev->tstats);
+ 		u64_stats_update_begin(&tstats->syncp);
+ 		tstats->tx_bytes += pkt_len;
+ 		tstats->tx_packets++;
+ 		u64_stats_update_end(&tstats->syncp);
++		put_cpu_ptr(tstats);
+ 	} else {
+ 		stats->tx_errors++;
+ 		stats->tx_aborted_errors++;
 diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
 index 5fa643b..d871e20 100644
 --- a/include/net/ip_fib.h
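Review bot: The switch from this_cpu_ptr() to get_cpu_ptr()/put_cpu_ptr() in ip6tunnel_xmit() carries no comment saying why preemption has to be off around the counter update, and the same change to iptunnel_xmit_stats() in the following hunk has the same gap. If the reason is that these helpers can be reached with preemption enabled, a line above the lookup such as `/* callers may be preemptible: stay on one CPU for the per-cpu u64_stats update */` would keep a later cleanup from reverting it. The error branch still increments `stats->tx_errors` and `stats->tx_aborted_errors` with no such protection; whether that matters depends on how callers serialise, which is not visible here. ip6tunnel_xmit() begins outside the hunk.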
@@ -103467,6 +103543,25 @@ index 5fa643b..d871e20 100644
  	 FIB_RES_NH(res).nh_saddr :			\
  	 fib_info_update_nh_saddr((net), &FIB_RES_NH(res)))
  #define FIB_RES_GW(res)			(FIB_RES_NH(res).nh_gw)
+diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
+index d8214cb..9c2897e 100644
+--- a/include/net/ip_tunnels.h
++++ b/include/net/ip_tunnels.h
+@@ -207,12 +207,13 @@ static inline void iptunnel_xmit_stats(int err,
+ 				       struct pcpu_sw_netstats __percpu *stats)
+ {
+ 	if (err > 0) {
+-		struct pcpu_sw_netstats *tstats = this_cpu_ptr(stats);
++		struct pcpu_sw_netstats *tstats = get_cpu_ptr(stats);
+ 
+ 		u64_stats_update_begin(&tstats->syncp);
+ 		tstats->tx_bytes += err;
+ 		tstats->tx_packets++;
+ 		u64_stats_update_end(&tstats->syncp);
++		put_cpu_ptr(tstats);
+ 	} else if (err < 0) {
+ 		err_stats->tx_errors++;
+ 		err_stats->tx_aborted_errors++;
 diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
 index 4e3731e..a242e28 100644
 --- a/include/net/ip_vs.h
@@ -108825,10 +108920,20 @@ index 564f786..361a18e 100644
  
  		if (pm_wakeup_pending()) {
 diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
-index cf8c242..84e7843 100644
+index cf8c242..16bca7e 100644
 --- a/kernel/printk/printk.c
 +++ b/kernel/printk/printk.c
-@@ -475,7 +475,7 @@ static int log_store(int facility, int level,
+@@ -269,6 +269,9 @@ static u32 clear_idx;
+ #define PREFIX_MAX		32
+ #define LOG_LINE_MAX		(1024 - PREFIX_MAX)
+ 
++#define LOG_LEVEL(v)		((v) & 0x07)
++#define LOG_FACILITY(v)		((v) >> 3 & 0xff)
++
+ /* record buffer */
+ #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
+ #define LOG_ALIGN 4
+@@ -475,7 +478,7 @@ static int log_store(int facility, int level,
  	return msg->text_len;
  }
  
@@ -108837,7 +108942,7 @@ index cf8c242..84e7843 100644
  
  static int syslog_action_restricted(int type)
  {
-@@ -498,6 +498,11 @@ int check_syslog_permissions(int type, int source)
+@@ -498,6 +501,11 @@ int check_syslog_permissions(int type, int source)
  	if (source == SYSLOG_FROM_PROC && type != SYSLOG_ACTION_OPEN)
  		goto ok;
  
@@ -108849,6 +108954,32 @@ index cf8c242..84e7843 100644
  	if (syslog_action_restricted(type)) {
  		if (capable(CAP_SYSLOG))
  			goto ok;
+@@ -611,7 +619,6 @@ struct devkmsg_user {
+ static ssize_t devkmsg_write(struct kiocb *iocb, struct iov_iter *from)
+ {
+ 	char *buf, *line;
+-	int i;
+ 	int level = default_message_loglevel;
+ 	int facility = 1;	/* LOG_USER */
+ 	size_t len = iov_iter_count(from);
+@@ -641,12 +648,13 @@ static ssize_t devkmsg_write(struct kiocb *iocb, struct iov_iter *from)
+ 	line = buf;
+ 	if (line[0] == '<') {
+ 		char *endp = NULL;
++		unsigned int u;
+ 
+-		i = simple_strtoul(line+1, &endp, 10);
++		u = simple_strtoul(line + 1, &endp, 10);
+ 		if (endp && endp[0] == '>') {
+-			level = i & 7;
+-			if (i >> 3)
+-				facility = i >> 3;
++			level = LOG_LEVEL(u);
++			if (LOG_FACILITY(u) != 0)
++				facility = LOG_FACILITY(u);
+ 			endp++;
+ 			len -= endp - line;
+ 			line = endp;
 diff --git a/kernel/profile.c b/kernel/profile.c
 index a7bcd28..5b368fa 100644
 --- a/kernel/profile.c
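Review bot: In `devkmsg_write()` the `unsigned long` result of `simple_strtoul()` is narrowed into `unsigned int u`, and `simple_strtoul()` does no overflow checking, so an oversized `<N>` prefix wraps silently and is still accepted as a prefix. `LOG_FACILITY()` already bounds the facility to 8 bits, so what remains is that a malformed prefix is treated as valid. Keeping the full width and rejecting anything beyond the 11 bits the two macros decode would make the intent explicit, e.g. `unsigned long u;` with `if (endp && endp[0] == '>' && u <= 0x7ff) {`. The `LOG_FACILITY(u) != 0` test also deserves a comment such as `/* facility 0 is the kernel's; keep the LOG_USER default */`, which is what the `facility = 1; /* LOG_USER */` default suggests. The function body continues outside the hunk.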
@@ -122752,13 +122883,13 @@ index 9c8fab0..5080c7c 100644
  static const struct nla_policy nft_match_policy[NFTA_MATCH_MAX + 1] = {
 diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c
 new file mode 100644
-index 0000000..c566332
+index 0000000..a7cb915
 --- /dev/null
 +++ b/net/netfilter/xt_gradm.c
 @@ -0,0 +1,51 @@
 +/*
 + *	gradm match for netfilter
-+ *	Copyright © Zbigniew Krzystolik, 2010
++ *	Copyright (c) Zbigniew Krzystolik, 2010
 + *
 + *	This program is free software; you can redistribute it and/or modify
 + *	it under the terms of the GNU General Public License; either version
@@ -124396,10 +124527,18 @@ index 350cca3..a108fc5 100644
  	sub->evt.event = htohl(event, sub->swap);
  	sub->evt.found_lower = htohl(found_lower, sub->swap);
 diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 94f6582..b71ef93 100644
+index 94f6582..2272bfc 100644
 --- a/net/unix/af_unix.c
 +++ b/net/unix/af_unix.c
-@@ -802,6 +802,12 @@ static struct sock *unix_find_other(struct net *net,
+@@ -440,6 +440,7 @@ static void unix_release_sock(struct sock *sk, int embrion)
+ 		if (state == TCP_LISTEN)
+ 			unix_release_sock(skb->sk, 1);
+ 		/* passed fds are erased in the kfree_skb hook	      */
++		UNIXCB(skb).consumed = skb->len;
+ 		kfree_skb(skb);
+ 	}
+ 
+@@ -802,6 +803,12 @@ static struct sock *unix_find_other(struct net *net,
  		err = -ECONNREFUSED;
  		if (!S_ISSOCK(inode->i_mode))
  			goto put_fail;
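Review bot: The added `UNIXCB(skb).consumed = skb->len;` in the receive-queue drain loop of `unix_release_sock()` sits directly under a comment about passed fds and has no explanation of its own. It presumably marks the skb as fully consumed so that a reader still holding a reference sees nothing left. The `drop_skb = !unix_skb_len(skb)` test added to `unix_stream_read_generic()` further down this file appears to depend on that, but `unix_skb_len()` is not shown, so this is an inference. A comment such as `/* mark fully consumed for concurrent readers that still hold a reference */` would record the coupling. The function starts and ends outside the hunk.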
@@ -124412,7 +124551,7 @@ index 94f6582..b71ef93 100644
  		u = unix_find_socket_byinode(inode);
  		if (!u)
  			goto put_fail;
-@@ -822,6 +828,13 @@ static struct sock *unix_find_other(struct net *net,
+@@ -822,6 +829,13 @@ static struct sock *unix_find_other(struct net *net,
  		if (u) {
  			struct dentry *dentry;
  			dentry = unix_sk(u)->path.dentry;
@@ -124426,7 +124565,7 @@ index 94f6582..b71ef93 100644
  			if (dentry)
  				touch_atime(&unix_sk(u)->path);
  		} else
-@@ -855,12 +868,18 @@ static int unix_mknod(const char *sun_path, umode_t mode, struct path *res)
+@@ -855,12 +869,18 @@ static int unix_mknod(const char *sun_path, umode_t mode, struct path *res)
  	 */
  	err = security_path_mknod(&path, dentry, mode, 0);
  	if (!err) {
@@ -124445,7 +124584,67 @@ index 94f6582..b71ef93 100644
  	done_path_create(&path, dentry);
  	return err;
  }
-@@ -2455,11 +2474,14 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock,
+@@ -1798,6 +1818,7 @@ alloc_skb:
+ 		 * this - does no harm
+ 		 */
+ 		consume_skb(newskb);
++		newskb = NULL;
+ 	}
+ 
+ 	if (skb_append_pagefrags(skb, page, offset, size)) {
+@@ -1810,8 +1831,11 @@ alloc_skb:
+ 	skb->truesize += size;
+ 	atomic_add(size, &sk->sk_wmem_alloc);
+ 
+-	if (newskb)
++	if (newskb) {
++		spin_lock(&other->sk_receive_queue.lock);
+ 		__skb_queue_tail(&other->sk_receive_queue, newskb);
++		spin_unlock(&other->sk_receive_queue.lock);
++	}
+ 
+ 	unix_state_unlock(other);
+ 	mutex_unlock(&unix_sk(other)->readlock);
+@@ -2071,6 +2095,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state)
+ 
+ 	do {
+ 		int chunk;
++		bool drop_skb;
+ 		struct sk_buff *skb, *last;
+ 
+ 		unix_state_lock(sk);
+@@ -2151,7 +2176,11 @@ unlock:
+ 		}
+ 
+ 		chunk = min_t(unsigned int, unix_skb_len(skb) - skip, size);
++		skb_get(skb);
+ 		chunk = state->recv_actor(skb, skip, chunk, state);
++		drop_skb = !unix_skb_len(skb);
++		/* skb is only safe to use if !drop_skb */
++		consume_skb(skb);
+ 		if (chunk < 0) {
+ 			if (copied == 0)
+ 				copied = -EFAULT;
+@@ -2160,6 +2189,18 @@ unlock:
+ 		copied += chunk;
+ 		size -= chunk;
+ 
++		if (drop_skb) {
++			/* the skb was touched by a concurrent reader;
++			 * we should not expect anything from this skb
++			 * anymore and assume it invalid - we can be
++			 * sure it was dropped from the socket queue
++			 *
++			 * let's report a short read
++			 */
++			err = 0;
++			break;
++		}
++
+ 		/* Mark read part of skb as used */
+ 		if (!(flags & MSG_PEEK)) {
+ 			UNIXCB(skb).consumed += chunk;
+@@ -2455,11 +2496,14 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock,
  	writable = unix_writable(sk);
  	other = unix_peer_get(sk);
  	if (other) {
@@ -124462,7 +124661,7 @@ index 94f6582..b71ef93 100644
  		sock_put(other);
  	}
  
-@@ -2556,9 +2578,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+@@ -2556,9 +2600,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
  		seq_puts(seq, "Num       RefCount Protocol Flags    Type St "
  			 "Inode Path\n");
  	else {
@@ -124477,7 +124676,7 @@ index 94f6582..b71ef93 100644
  
  		seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu",
  			s,
-@@ -2583,10 +2609,29 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+@@ -2583,10 +2631,29 @@ static int unix_seq_show(struct seq_file *seq, void *v)
  				seq_putc(seq, '@');
  				i++;
  			}



* [gentoo-commits] proj/hardened-patchset:master commit in: 4.2.6/
@ 2015-11-19 20:10 Anthony G. Basile
  0 siblings, 0 replies; 8+ messages in thread
From: Anthony G. Basile @ 2015-11-19 20:10 UTC (permalink / raw
  To: gentoo-commits

commit:     8dd436b8f0b7757796302b67f683cdddd359824d
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Nov 19 20:16:53 2015 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Nov 19 20:16:53 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=8dd436b8

grsecurity-3.1-4.2.6-201511182042

 4.2.6/0000_README                                  |  2 +-
 ...> 4420_grsecurity-3.1-4.2.6-201511182042.patch} | 55 ++++++++++++++++++++--
 2 files changed, 51 insertions(+), 6 deletions(-)

diff --git a/4.2.6/0000_README b/4.2.6/0000_README
index 730b6c8..9ebf533 100644
--- a/4.2.6/0000_README
+++ b/4.2.6/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-3.1-4.2.6-201511172005.patch
+Patch:	4420_grsecurity-3.1-4.2.6-201511182042.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/4.2.6/4420_grsecurity-3.1-4.2.6-201511172005.patch b/4.2.6/4420_grsecurity-3.1-4.2.6-201511182042.patch
similarity index 99%
rename from 4.2.6/4420_grsecurity-3.1-4.2.6-201511172005.patch
rename to 4.2.6/4420_grsecurity-3.1-4.2.6-201511182042.patch
index 3806d62..ec705cc 100644
--- a/4.2.6/4420_grsecurity-3.1-4.2.6-201511172005.patch
+++ b/4.2.6/4420_grsecurity-3.1-4.2.6-201511182042.patch
@@ -17126,7 +17126,7 @@ index e970320..c006fea 100644
  GCOV_PROFILE := n
  
 diff --git a/arch/x86/entry/vdso/vdso2c.h b/arch/x86/entry/vdso/vdso2c.h
-index 0224987..8deb742 100644
+index 0224987..0359810 100644
 --- a/arch/x86/entry/vdso/vdso2c.h
 +++ b/arch/x86/entry/vdso/vdso2c.h
 @@ -12,7 +12,7 @@ static void BITSFUNC(go)(void *raw_addr, size_t raw_len,
@@ -17147,6 +17147,24 @@ index 0224987..8deb742 100644
  		ELF(Sym) *sym = raw_addr + GET_LE(&symtab_hdr->sh_offset) +
  			GET_LE(&symtab_hdr->sh_entsize) * i;
  		const char *name = raw_addr + GET_LE(&strtab_hdr->sh_offset) +
+@@ -140,7 +140,7 @@ static void BITSFUNC(go)(void *raw_addr, size_t raw_len,
+ 	fprintf(outfile, "#include <asm/vdso.h>\n");
+ 	fprintf(outfile, "\n");
+ 	fprintf(outfile,
+-		"static unsigned char raw_data[%lu] __page_aligned_data = {",
++		"static unsigned char raw_data[%lu] __page_aligned_rodata = {",
+ 		mapping_size);
+ 	for (j = 0; j < stripped_len; j++) {
+ 		if (j % 10 == 0)
+@@ -150,7 +150,7 @@ static void BITSFUNC(go)(void *raw_addr, size_t raw_len,
+ 	}
+ 	fprintf(outfile, "\n};\n\n");
+ 
+-	fprintf(outfile, "static struct page *pages[%lu];\n\n",
++	fprintf(outfile, "static struct page *pages[%lu] __read_only;\n\n",
+ 		mapping_size / 4096);
+ 
+ 	fprintf(outfile, "const struct vdso_image %s = {\n", name);
 diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
 index 1c9f750..cfddb1a 100644
 --- a/arch/x86/entry/vdso/vma.c
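Review bot: The generated `static struct page *pages[%lu] __read_only;` has no initializer, so some code outside this hunk has to fill it at run time, and nothing here says when that happens. If that writer can run after read-only data has been write-protected the store would fault. The generator should carry a comment stating the constraint, for example `/* pages[] is filled once during init, before __read_only data is protected */`. The same question applies to `raw_data` moving to `__page_aligned_rodata` if anything modifies the image in place. `BITSFUNC(go)` starts and ends outside the hunk.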
@@ -17314,6 +17332,19 @@ index 2dcc6ff..082dc7a 100644
  
  	BUILD_BUG_ON((unsigned long)__fix_to_virt(VSYSCALL_PAGE) !=
  		     (unsigned long)VSYSCALL_ADDR);
+diff --git a/arch/x86/entry/vsyscall/vsyscall_emu_64.S b/arch/x86/entry/vsyscall/vsyscall_emu_64.S
+index c9596a9..805b68d 100644
+--- a/arch/x86/entry/vsyscall/vsyscall_emu_64.S
++++ b/arch/x86/entry/vsyscall/vsyscall_emu_64.S
+@@ -12,7 +12,7 @@
+ #include <asm/page_types.h>
+ #include <asm/unistd_64.h>
+ 
+-__PAGE_ALIGNED_DATA
++.section ".data..read_only", "a"
+ 	.globl __vsyscall_page
+ 	.balign PAGE_SIZE, 0xcc
+ 	.type __vsyscall_page, @object
 diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c
 index ae6aad1..719d6d9 100644
 --- a/arch/x86/ia32/ia32_aout.c
@@ -34620,7 +34651,7 @@ index 9c0ff04..9020d5f 100644
  
  	return (void *)vaddr;
 diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
-index b9c78f3..9ca7e24 100644
+index b9c78f3..c757af4 100644
 --- a/arch/x86/mm/ioremap.c
 +++ b/arch/x86/mm/ioremap.c
 @@ -59,8 +59,8 @@ static int __ioremap_check_ram(unsigned long start_pfn, unsigned long nr_pages,
@@ -34691,7 +34722,7 @@ index b9c78f3..9ca7e24 100644
  }
  
 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
-+static pte_t __bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
++static pte_t __bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_rodata;
 +static pte_t *bm_pte __read_only = __bm_pte;
  
  static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
@@ -82421,7 +82452,7 @@ index ce065cf..8974fed 100644
  static struct pid *
  get_children_pid(struct inode *inode, struct pid *pid_prev, loff_t pos)
 diff --git a/fs/proc/base.c b/fs/proc/base.c
-index aa50d1a..7a62b7a 100644
+index aa50d1a..c202cde 100644
 --- a/fs/proc/base.c
 +++ b/fs/proc/base.c
 @@ -113,6 +113,14 @@ struct pid_entry {
@@ -82553,7 +82584,7 @@ index aa50d1a..7a62b7a 100644
 +	rcu_read_unlock();
 +
 +	if (!pid->hide_pid)
-+		return false;
++		return ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT);
 +#endif
 +
  	if (pid->hide_pid < hide_pid_min)
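Review bot: The `!pid->hide_pid` branch now returns `ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT)` instead of `false`, and nothing in the hunk explains why an unset `hide_pid` should fall back to a ptrace-read check. A short comment above the test would make the policy reviewable, for example `/* hide_pid unset: still allow tasks the caller could ptrace-read */`. The call is made after `rcu_read_unlock()`, so it relies on the caller keeping `task` alive. That cannot be confirmed from here because the function starts outside the hunk.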
@@ -112919,6 +112950,20 @@ index dc07d88..3929c29 100644
  	if (err) {
  		bdi_destroy(bdi);
  		return err;
+diff --git a/mm/debug.c b/mm/debug.c
+index 76089dd..dd37b9b 100644
+--- a/mm/debug.c
++++ b/mm/debug.c
+@@ -127,6 +127,9 @@ static const struct trace_print_flags vmaflags_names[] = {
+ 	{VM_RAND_READ,			"randread"	},
+ 	{VM_DONTCOPY,			"dontcopy"	},
+ 	{VM_DONTEXPAND,			"dontexpand"	},
++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
++	{VM_PAGEEXEC,			"pageexec"	},
++#endif
+ 	{VM_ACCOUNT,			"account"	},
+ 	{VM_NORESERVE,			"noreserve"	},
+ 	{VM_HUGETLB,			"hugetlb"	},
 diff --git a/mm/dmapool.c b/mm/dmapool.c
 index fd5fe43..39ea317 100644
 --- a/mm/dmapool.c



* [gentoo-commits] proj/hardened-patchset:master commit in: 4.2.6/
@ 2015-11-24  8:47 Anthony G. Basile
  0 siblings, 0 replies; 8+ messages in thread
From: Anthony G. Basile @ 2015-11-24  8:47 UTC (permalink / raw
  To: gentoo-commits

commit:     9417a236d9dfc4d648ce711a2fac162a6fe2a353
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 24 08:54:22 2015 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Tue Nov 24 08:54:22 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=9417a236

grsecurity-3.1-4.2.6-201511211841

 4.2.6/0000_README                                  |   2 +-
 ...> 4420_grsecurity-3.1-4.2.6-201511211841.patch} | 338 ++++++++++++++-------
 2 files changed, 229 insertions(+), 111 deletions(-)

diff --git a/4.2.6/0000_README b/4.2.6/0000_README
index 9ebf533..454ccd7 100644
--- a/4.2.6/0000_README
+++ b/4.2.6/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-3.1-4.2.6-201511182042.patch
+Patch:	4420_grsecurity-3.1-4.2.6-201511211841.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/4.2.6/4420_grsecurity-3.1-4.2.6-201511182042.patch b/4.2.6/4420_grsecurity-3.1-4.2.6-201511211841.patch
similarity index 99%
rename from 4.2.6/4420_grsecurity-3.1-4.2.6-201511182042.patch
rename to 4.2.6/4420_grsecurity-3.1-4.2.6-201511211841.patch
index ec705cc..30663c2 100644
--- a/4.2.6/4420_grsecurity-3.1-4.2.6-201511182042.patch
+++ b/4.2.6/4420_grsecurity-3.1-4.2.6-201511211841.patch
@@ -77233,7 +77233,7 @@ index e4141f2..d8263e8 100644
  		i += packet_length_size;
  		if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
 diff --git a/fs/exec.c b/fs/exec.c
-index 1977c2a..b6b953a 100644
+index 1977c2a..53bf9a0 100644
 --- a/fs/exec.c
 +++ b/fs/exec.c
 @@ -56,8 +56,20 @@
@@ -77729,7 +77729,7 @@ index 1977c2a..b6b953a 100644
  out:
  	if (bprm->mm) {
  		acct_arg_size(bprm, 0);
-@@ -1743,3 +1918,324 @@ COMPAT_SYSCALL_DEFINE5(execveat, int, fd,
+@@ -1743,3 +1918,313 @@ COMPAT_SYSCALL_DEFINE5(execveat, int, fd,
  				  argv, envp, flags);
  }
  #endif
@@ -78035,22 +78035,11 @@ index 1977c2a..b6b953a 100644
 +
 +#ifdef CONFIG_PAX_SIZE_OVERFLOW
 +
-+#ifdef CONFIG_PAX_SIZE_OVERFLOW_DISABLE_KILL
-+static DEFINE_RATELIMIT_STATE(size_overflow_ratelimit, 15 * HZ, 3);
-+#endif
-+
 +void __nocapture(1, 3, 4) __used report_size_overflow(const char *file, unsigned int line, const char *func, const char *ssa_name)
 +{
-+#ifdef CONFIG_PAX_SIZE_OVERFLOW_DISABLE_KILL
-+	if (__ratelimit(&size_overflow_ratelimit)) {
-+		printk(KERN_EMERG "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
-+		dump_stack();
-+	}
-+#else
 +	printk(KERN_EMERG "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
 +	dump_stack();
 +	do_group_exit(SIGKILL);
-+#endif
 +}
 +EXPORT_SYMBOL(report_size_overflow);
 +#endif
@@ -97435,7 +97424,7 @@ index dfaa7b3..58cebfb 100644
   * Mark a position in code as unreachable.  This can be used to
   * suppress control flow warnings after asm blocks that transfer
 diff --git a/include/linux/compiler.h b/include/linux/compiler.h
-index e08a6ae..2e5e776 100644
+index e08a6ae..8d965c5 100644
 --- a/include/linux/compiler.h
 +++ b/include/linux/compiler.h
 @@ -5,11 +5,14 @@
@@ -97507,46 +97496,63 @@ index e08a6ae..2e5e776 100644
  #endif
  
  /* Indirect macros required for expanded argument pasting, eg. __LINE__. */
-@@ -201,27 +225,27 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
- static __always_inline void __read_once_size(const volatile void *p, void *res, int size)
- {
- 	switch (size) {
+@@ -198,34 +222,6 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+ 
+ #include <uapi/linux/types.h>
+ 
+-static __always_inline void __read_once_size(const volatile void *p, void *res, int size)
+-{
+-	switch (size) {
 -	case 1: *(__u8 *)res = *(volatile __u8 *)p; break;
 -	case 2: *(__u16 *)res = *(volatile __u16 *)p; break;
 -	case 4: *(__u32 *)res = *(volatile __u32 *)p; break;
 -	case 8: *(__u64 *)res = *(volatile __u64 *)p; break;
-+	case 1: *(__u8 *)res = *(const volatile __u8 *)p; break;
-+	case 2: *(__u16 *)res = *(const volatile __u16 *)p; break;
-+	case 4: *(__u32 *)res = *(const volatile __u32 *)p; break;
-+	case 8: *(__u64 *)res = *(const volatile __u64 *)p; break;
- 	default:
- 		barrier();
+-	default:
+-		barrier();
 -		__builtin_memcpy((void *)res, (const void *)p, size);
-+		__builtin_memcpy(res, (const void *)p, size);
- 		barrier();
- 	}
- }
- 
+-		barrier();
+-	}
+-}
+-
 -static __always_inline void __write_once_size(volatile void *p, void *res, int size)
-+static __always_inline void __write_once_size(volatile void *p, const void *res, int size)
- {
- 	switch (size) {
+-{
+-	switch (size) {
 -	case 1: *(volatile __u8 *)p = *(__u8 *)res; break;
 -	case 2: *(volatile __u16 *)p = *(__u16 *)res; break;
 -	case 4: *(volatile __u32 *)p = *(__u32 *)res; break;
 -	case 8: *(volatile __u64 *)p = *(__u64 *)res; break;
-+	case 1: *(volatile __u8 *)p = *(const __u8 *)res; break;
-+	case 2: *(volatile __u16 *)p = *(const __u16 *)res; break;
-+	case 4: *(volatile __u32 *)p = *(const __u32 *)res; break;
-+	case 8: *(volatile __u64 *)p = *(const __u64 *)res; break;
- 	default:
- 		barrier();
+-	default:
+-		barrier();
 -		__builtin_memcpy((void *)p, (const void *)res, size);
-+		__builtin_memcpy((void *)p, res, size);
- 		barrier();
- 	}
- }
-@@ -370,6 +394,38 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
+-		barrier();
+-	}
+-}
+-
+ /*
+  * Prevent the compiler from merging or refetching reads or writes. The
+  * compiler is also forbidden from reordering successive instances of
+@@ -248,11 +244,16 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
+  * required ordering.
+  */
+ 
+-#define READ_ONCE(x) \
+-	({ union { typeof(x) __val; char __c[1]; } __u; __read_once_size(&(x), __u.__c, sizeof(x)); __u.__val; })
++#define READ_ONCE(x) ({					\
++	typeof(x) __val = *(volatile typeof(x) *)&(x);	\
++	__val;						\
++})
+ 
+-#define WRITE_ONCE(x, val) \
+-	({ union { typeof(x) __val; char __c[1]; } __u = { .__val = (val) }; __write_once_size(&(x), __u.__c, sizeof(x)); __u.__val; })
++#define WRITE_ONCE(x, val) ({				\
++	typeof(x) __val = (val);			\
++	(x) = *(volatile typeof(x) *)&__val;		\
++	__val;						\
++})
+ 
+ /**
+  * READ_ONCE_CTRL - Read a value heading a control dependency
+@@ -370,6 +371,38 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
  # define __attribute_const__	/* unimplemented */
  #endif
  
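Review bot: In the new `WRITE_ONCE()` the `volatile` cast is applied to the local temporary, `(x) = *(volatile typeof(x) *)&__val;`, so the store to `x` itself is a plain assignment that the compiler remains free to split, merge or repeat. The qualifier belongs on the destination: `*(volatile typeof(x) *)&(x) = __val;`. Separately, the removed `__read_once_size()`/`__write_once_size()` helpers handled objects that are not 1, 2, 4 or 8 bytes with `barrier()` around `__builtin_memcpy()`. The new macros use one volatile access for every type, so callers passing aggregates lose that fallback. A compile-time check built on the existing `__native_word()` or a comment stating the restriction would cover it.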
@@ -97585,7 +97591,7 @@ index e08a6ae..2e5e776 100644
  /*
   * Tell gcc if a function is cold. The compiler will assume any path
   * directly leading to the call is unlikely.
-@@ -379,6 +435,22 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
+@@ -379,6 +412,22 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
  #define __cold
  #endif
  
@@ -97608,7 +97614,7 @@ index e08a6ae..2e5e776 100644
  /* Simple shorthand for a section definition */
  #ifndef __section
  # define __section(S) __attribute__ ((__section__(#S)))
-@@ -393,6 +465,8 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
+@@ -393,6 +442,8 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
  # define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b))
  #endif
  
@@ -97617,7 +97623,7 @@ index e08a6ae..2e5e776 100644
  /* Is this type a native word size -- useful for atomic operations */
  #ifndef __native_word
  # define __native_word(t) (sizeof(t) == sizeof(char) || sizeof(t) == sizeof(short) || sizeof(t) == sizeof(int) || sizeof(t) == sizeof(long))
-@@ -472,8 +546,9 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
+@@ -472,8 +523,9 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
   */
  #define __ACCESS_ONCE(x) ({ \
  	 __maybe_unused typeof(x) __var = (__force typeof(x)) 0; \
@@ -103391,7 +103397,7 @@ index 5122b5e..598b440 100644
  void v9fs_register_trans(struct p9_trans_module *m);
  void v9fs_unregister_trans(struct p9_trans_module *m);
 diff --git a/include/net/af_unix.h b/include/net/af_unix.h
-index cb1b9bb..56b3ee0 100644
+index cb1b9bb..deaf939 100644
 --- a/include/net/af_unix.h
 +++ b/include/net/af_unix.h
 @@ -36,7 +36,7 @@ struct unix_skb_parms {
@@ -103403,6 +103409,14 @@ index cb1b9bb..56b3ee0 100644
  
  #define UNIXCB(skb) 	(*(struct unix_skb_parms *)&((skb)->cb))
  
+@@ -62,6 +62,7 @@ struct unix_sock {
+ #define UNIX_GC_CANDIDATE	0
+ #define UNIX_GC_MAYBE_CYCLE	1
+ 	struct socket_wq	peer_wq;
++	wait_queue_t		wait;
+ };
+ 
+ static inline struct unix_sock *unix_sk(struct sock *sk)
 diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
 index 2239a37..a83461f 100644
 --- a/include/net/bluetooth/l2cap.h
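Review bot: The new `wait_queue_t wait;` member of `struct unix_sock` is undocumented, and its name is easy to confuse with the neighbouring `peer_wq` and the `peer_wait` queue used in the af_unix.c hunks. Judging by those hunks it is the entry this socket queues on its peer's `peer_wait`, with `peer_wake()` as the callback. A comment such as `/* our entry on the peer's peer_wait queue, see peer_wake() */` would make that clear. The struct starts outside the hunk.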
@@ -124572,10 +124586,19 @@ index 350cca3..a108fc5 100644
  	sub->evt.event = htohl(event, sub->swap);
  	sub->evt.found_lower = htohl(found_lower, sub->swap);
 diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 94f6582..2272bfc 100644
+index 94f6582..0883e68 100644
 --- a/net/unix/af_unix.c
 +++ b/net/unix/af_unix.c
-@@ -440,6 +440,7 @@ static void unix_release_sock(struct sock *sk, int embrion)
+@@ -420,6 +420,8 @@ static void unix_release_sock(struct sock *sk, int embrion)
+ 	skpair = unix_peer(sk);
+ 
+ 	if (skpair != NULL) {
++		if (sk->sk_type != SOCK_STREAM)
++			remove_wait_queue(&unix_sk(skpair)->peer_wait, &u->wait);
+ 		if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) {
+ 			unix_state_lock(skpair);
+ 			/* No more writes */
+@@ -440,6 +442,7 @@ static void unix_release_sock(struct sock *sk, int embrion)
  		if (state == TCP_LISTEN)
  			unix_release_sock(skb->sk, 1);
  		/* passed fds are erased in the kfree_skb hook	      */
@@ -124583,7 +124606,32 @@ index 94f6582..2272bfc 100644
  		kfree_skb(skb);
  	}
  
-@@ -802,6 +803,12 @@ static struct sock *unix_find_other(struct net *net,
+@@ -636,6 +639,16 @@ static struct proto unix_proto = {
+  */
+ static struct lock_class_key af_unix_sk_receive_queue_lock_key;
+ 
++static int peer_wake(wait_queue_t *wait, unsigned mode, int sync, void *key)
++{
++	struct unix_sock *u;
++
++	u = container_of(wait, struct unix_sock, wait);
++	wake_up_interruptible_sync_poll(sk_sleep(&u->sk), key);
++
++	return 0;
++}
++
+ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern)
+ {
+ 	struct sock *sk = NULL;
+@@ -664,6 +677,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern)
+ 	INIT_LIST_HEAD(&u->link);
+ 	mutex_init(&u->readlock); /* single task reading lock */
+ 	init_waitqueue_head(&u->peer_wait);
++	init_waitqueue_func_entry(&u->wait, peer_wake);
+ 	unix_insert_socket(unix_sockets_unbound(sk), sk);
+ out:
+ 	if (sk == NULL)
+@@ -802,6 +816,12 @@ static struct sock *unix_find_other(struct net *net,
  		err = -ECONNREFUSED;
  		if (!S_ISSOCK(inode->i_mode))
  			goto put_fail;
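Review bot: `peer_wake()` is added without a header comment, although it is the callback that ties one socket's wait-queue entry to another socket's `peer_wait`. Something like `/* Relay a wake-up on the peer's peer_wait queue to sleepers and pollers on this socket. */` above it would do. It is also worth noting there that it is installed once per socket by `init_waitqueue_func_entry(&u->wait, peer_wake)` in `unix_create1()`, and that queueing and dequeueing happen in the connect and release paths.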
@@ -124596,7 +124644,7 @@ index 94f6582..2272bfc 100644
  		u = unix_find_socket_byinode(inode);
  		if (!u)
  			goto put_fail;
-@@ -822,6 +829,13 @@ static struct sock *unix_find_other(struct net *net,
+@@ -822,6 +842,13 @@ static struct sock *unix_find_other(struct net *net,
  		if (u) {
  			struct dentry *dentry;
  			dentry = unix_sk(u)->path.dentry;
@@ -124610,7 +124658,7 @@ index 94f6582..2272bfc 100644
  			if (dentry)
  				touch_atime(&unix_sk(u)->path);
  		} else
-@@ -855,12 +869,18 @@ static int unix_mknod(const char *sun_path, umode_t mode, struct path *res)
+@@ -855,12 +882,18 @@ static int unix_mknod(const char *sun_path, umode_t mode, struct path *res)
  	 */
  	err = security_path_mknod(&path, dentry, mode, 0);
  	if (!err) {
@@ -124629,7 +124677,68 @@ index 94f6582..2272bfc 100644
  	done_path_create(&path, dentry);
  	return err;
  }
-@@ -1798,6 +1818,7 @@ alloc_skb:
+@@ -1030,7 +1063,10 @@ restart:
+ 	 */
+ 	if (unix_peer(sk)) {
+ 		struct sock *old_peer = unix_peer(sk);
++
++		remove_wait_queue(&unix_sk(old_peer)->peer_wait, &unix_sk(sk)->wait);
+ 		unix_peer(sk) = other;
++		add_wait_queue(&unix_sk(other)->peer_wait, &unix_sk(sk)->wait);
+ 		unix_state_double_unlock(sk, other);
+ 
+ 		if (other != old_peer)
+@@ -1038,8 +1074,12 @@ restart:
+ 		sock_put(old_peer);
+ 	} else {
+ 		unix_peer(sk) = other;
++		add_wait_queue(&unix_sk(other)->peer_wait, &unix_sk(sk)->wait);
+ 		unix_state_double_unlock(sk, other);
+ 	}
++	/* New remote may have created write space for us */
++	wake_up_interruptible_sync_poll(sk_sleep(sk),
++					POLLOUT | POLLWRNORM | POLLWRBAND);
+ 	return 0;
+ 
+ out_unlock:
+@@ -1194,6 +1234,8 @@ restart:
+ 
+ 	sock_hold(sk);
+ 	unix_peer(newsk)	= sk;
++	if (sk->sk_type == SOCK_SEQPACKET)
++		add_wait_queue(&unix_sk(sk)->peer_wait, &unix_sk(newsk)->wait);
+ 	newsk->sk_state		= TCP_ESTABLISHED;
+ 	newsk->sk_type		= sk->sk_type;
+ 	init_peercred(newsk);
+@@ -1220,6 +1262,8 @@ restart:
+ 
+ 	smp_mb__after_atomic();	/* sock_hold() does an atomic_inc() */
+ 	unix_peer(sk)	= newsk;
++	if (sk->sk_type == SOCK_SEQPACKET)
++		add_wait_queue(&unix_sk(newsk)->peer_wait, &unix_sk(sk)->wait);
+ 
+ 	unix_state_unlock(sk);
+ 
+@@ -1254,6 +1298,10 @@ static int unix_socketpair(struct socket *socka, struct socket *sockb)
+ 	sock_hold(skb);
+ 	unix_peer(ska) = skb;
+ 	unix_peer(skb) = ska;
++	if (ska->sk_type != SOCK_STREAM) {
++		add_wait_queue(&unix_sk(ska)->peer_wait, &unix_sk(skb)->wait);
++		add_wait_queue(&unix_sk(skb)->peer_wait, &unix_sk(ska)->wait);
++	}
+ 	init_peercred(ska);
+ 	init_peercred(skb);
+ 
+@@ -1565,6 +1613,7 @@ restart:
+ 		unix_state_lock(sk);
+ 		if (unix_peer(sk) == other) {
+ 			unix_peer(sk) = NULL;
++			remove_wait_queue(&unix_sk(other)->peer_wait, &u->wait);
+ 			unix_state_unlock(sk);
+ 
+ 			unix_dgram_disconnected(sk, other);
+@@ -1798,6 +1847,7 @@ alloc_skb:
  		 * this - does no harm
  		 */
  		consume_skb(newskb);
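Review bot: Both new `add_wait_queue(&unix_sk(other)->peer_wait, &unix_sk(sk)->wait);` calls after `unix_peer(sk) = other;` assume `other` is non-NULL. If this is the datagram connect path, `other` is NULL when the caller disconnects with an `AF_UNSPEC` address, and the call would then operate on an offset from a NULL pointer; that branch lies outside the hunk, so this needs confirming. Guarding both sites with `if (other) add_wait_queue(&unix_sk(other)->peer_wait, &unix_sk(sk)->wait);` keeps the disconnect case working. The other registrations in the hunk are conditional on `SOCK_SEQPACKET` or `!= SOCK_STREAM`, so the matching `remove_wait_queue()` in `unix_release_sock()` should be checked against each of them.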
@@ -124637,7 +124746,7 @@ index 94f6582..2272bfc 100644
  	}
  
  	if (skb_append_pagefrags(skb, page, offset, size)) {
-@@ -1810,8 +1831,11 @@ alloc_skb:
+@@ -1810,8 +1860,11 @@ alloc_skb:
  	skb->truesize += size;
  	atomic_add(size, &sk->sk_wmem_alloc);
  
@@ -124650,7 +124759,7 @@ index 94f6582..2272bfc 100644
  
  	unix_state_unlock(other);
  	mutex_unlock(&unix_sk(other)->readlock);
-@@ -2071,6 +2095,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state)
+@@ -2071,6 +2124,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state)
  
  	do {
  		int chunk;
@@ -124658,7 +124767,7 @@ index 94f6582..2272bfc 100644
  		struct sk_buff *skb, *last;
  
  		unix_state_lock(sk);
-@@ -2151,7 +2176,11 @@ unlock:
+@@ -2151,7 +2205,11 @@ unlock:
  		}
  
  		chunk = min_t(unsigned int, unix_skb_len(skb) - skip, size);
@@ -124670,7 +124779,7 @@ index 94f6582..2272bfc 100644
  		if (chunk < 0) {
  			if (copied == 0)
  				copied = -EFAULT;
-@@ -2160,6 +2189,18 @@ unlock:
+@@ -2160,6 +2218,18 @@ unlock:
  		copied += chunk;
  		size -= chunk;
  
@@ -124689,24 +124798,15 @@ index 94f6582..2272bfc 100644
  		/* Mark read part of skb as used */
  		if (!(flags & MSG_PEEK)) {
  			UNIXCB(skb).consumed += chunk;
-@@ -2455,11 +2496,14 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock,
- 	writable = unix_writable(sk);
+@@ -2456,7 +2526,6 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock,
  	other = unix_peer_get(sk);
  	if (other) {
--		if (unix_peer(other) != sk) {
-+		unix_state_lock(other);
-+		if (!sock_flag(other, SOCK_DEAD) && unix_peer(other) != sk) {
-+			unix_state_unlock(other);
- 			sock_poll_wait(file, &unix_sk(other)->peer_wait, wait);
+ 		if (unix_peer(other) != sk) {
+-			sock_poll_wait(file, &unix_sk(other)->peer_wait, wait);
  			if (unix_recvq_full(other))
  				writable = 0;
--		}
-+		} else
-+			unix_state_unlock(other);
- 		sock_put(other);
- 	}
- 
-@@ -2556,9 +2600,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+ 		}
+@@ -2556,9 +2625,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
  		seq_puts(seq, "Num       RefCount Protocol Flags    Type St "
  			 "Inode Path\n");
  	else {
@@ -124721,7 +124821,7 @@ index 94f6582..2272bfc 100644
  
  		seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu",
  			s,
-@@ -2583,10 +2631,29 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+@@ -2583,10 +2656,29 @@ static int unix_seq_show(struct seq_file *seq, void *v)
  				seq_putc(seq, '@');
  				i++;
  			}
@@ -125965,10 +126065,10 @@ index c0a932d..817c587 100755
  # Find all available archs
  find_all_archs()
 diff --git a/security/Kconfig b/security/Kconfig
-index bf4ec46..faa8418 100644
+index bf4ec46..6748ce1 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
-@@ -4,6 +4,985 @@
+@@ -4,6 +4,980 @@
  
  menu "Security options"
  
@@ -126914,11 +127014,6 @@ index bf4ec46..faa8418 100644
 +	  i.e., gcc 4.5 or newer.  You may need to install the supporting
 +	  headers explicitly in addition to the normal gcc package.
 +
-+config PAX_SIZE_OVERFLOW_DISABLE_KILL
-+	bool "Do not kill process on overflow detection"
-+	default n
-+	depends on PAX_SIZE_OVERFLOW
-+
 +config PAX_LATENT_ENTROPY
 +	bool "Generate some entropy during boot and runtime"
 +	default y if GRKERNSEC_CONFIG_AUTO
@@ -126954,7 +127049,7 @@ index bf4ec46..faa8418 100644
  source security/keys/Kconfig
  
  config SECURITY_DMESG_RESTRICT
-@@ -104,7 +1083,7 @@ config INTEL_TXT
+@@ -104,7 +1078,7 @@ config INTEL_TXT
  config LSM_MMAP_MIN_ADDR
  	int "Low address space for LSM to protect from user allocation"
  	depends on SECURITY && SECURITY_SELINUX
@@ -129143,15 +129238,19 @@ index 0000000..b884a56
 +}
 diff --git a/tools/gcc/gcc-common.h b/tools/gcc/gcc-common.h
 new file mode 100644
-index 0000000..9660b09
+index 0000000..5f73f93
 --- /dev/null
 +++ b/tools/gcc/gcc-common.h
-@@ -0,0 +1,790 @@
+@@ -0,0 +1,813 @@
 +#ifndef GCC_COMMON_H_INCLUDED
 +#define GCC_COMMON_H_INCLUDED
 +
-+#include "plugin.h"
 +#include "bversion.h"
++#if BUILDING_GCC_VERSION >= 6000
++#include "gcc-plugin.h"
++#else
++#include "plugin.h"
++#endif
 +#include "plugin-version.h"
 +#include "config.h"
 +#include "system.h"
@@ -129749,6 +129848,21 @@ index 0000000..9660b09
 +#define NODE_IMPLICIT_ALIAS(node) (node)->cpp_implicit_alias
 +#endif
 +
++#if BUILDING_GCC_VERSION < 6000
++#define get_inner_reference(exp, pbitsize, pbitpos, poffset, pmode, punsignedp, preversep, pvolatilep, keep_aligning) get_inner_reference(exp, pbitsize, pbitpos, poffset, pmode, punsignedp, pvolatilep, keep_aligning)
++#define gen_rtx_set(ARG0, ARG1) gen_rtx_SET(VOIDmode, (ARG0), (ARG1))
++#endif
++
++#if BUILDING_GCC_VERSION == 5000
++// gimple related
++template <>
++template <>
++inline bool is_a_helper<const gassign *>::test(const_gimple gs)
++{
++	return gs->code == GIMPLE_ASSIGN;
++}
++#endif
++
 +#if BUILDING_GCC_VERSION >= 5000
 +#define TODO_verify_ssa TODO_verify_il
 +#define TODO_verify_flow TODO_verify_il
@@ -129851,6 +129965,13 @@ index 0000000..9660b09
 +	symtab->remove_cgraph_duplication_hook(entry);
 +}
 +
++
++#if BUILDING_GCC_VERSION >= 6000
++typedef gimple *gimple_ptr;
++typedef const gimple *const_gimple;
++#define gimple gimple_ptr
++#endif
++
 +// gimple related
 +static inline gimple gimple_build_assign_with_ops(enum tree_code subcode, tree lhs, tree op1, tree op2 MEM_STAT_DECL)
 +{
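Review bot: `#define gimple gimple_ptr` in the new `BUILDING_GCC_VERSION >= 6000` block of tools/gcc/gcc-common.h rewrites every later occurrence of the token `gimple`, not only the plugins' own declarations. The two typedefs have to come before the macro for that reason, and any GCC header included after this point would see the pointer typedef where it expects the type name. Nothing in the block says so; I would add a comment such as `/* keep after all GCC includes: from here on 'gimple' means 'gimple *' */`. Whether further includes follow in the header cannot be seen from this hunk.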
@@ -129859,13 +129980,6 @@ index 0000000..9660b09
 +
 +template <>
 +template <>
-+inline bool is_a_helper<const gassign *>::test(const_gimple gs)
-+{
-+	return gs->code == GIMPLE_ASSIGN;
-+}
-+
-+template <>
-+template <>
 +inline bool is_a_helper<const greturn *>::test(const_gimple gs)
 +{
 +	return gs->code == GIMPLE_RETURN;
@@ -129936,6 +130050,10 @@ index 0000000..9660b09
 +}
 +#endif
 +
++#if BUILDING_GCC_VERSION >= 6000
++#define gen_rtx_set(ARG0, ARG1) gen_rtx_SET((ARG0), (ARG1))
++#endif
++
 +#endif
 diff --git a/tools/gcc/gen-random-seed.sh b/tools/gcc/gen-random-seed.sh
 new file mode 100644
@@ -129953,7 +130071,7 @@ index 0000000..7514850
 +fi
 diff --git a/tools/gcc/initify_plugin.c b/tools/gcc/initify_plugin.c
 new file mode 100644
-index 0000000..2abfe4b
+index 0000000..b5684e8
 --- /dev/null
 +++ b/tools/gcc/initify_plugin.c
 @@ -0,0 +1,552 @@
@@ -130166,7 +130284,7 @@ index 0000000..2abfe4b
 +	tree decl, offset;
 +	HOST_WIDE_INT bitsize, bitpos;
 +	enum machine_mode mode;
-+	int unsignedp, volatilep;
++	int unsignedp, reversep, volatilep;
 +	enum tree_code code = TREE_CODE(op);
 +
 +	if (TREE_CODE_CLASS(code) == tcc_exceptional && code != SSA_NAME)
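Review bot: `reversep` is only ever written when the plugin is built against GCC 6 or later. For older compilers the `get_inner_reference` wrapper macro that this same commit adds to gcc-common.h drops the `preversep` argument, so the call in the next hunk leaves the variable untouched. Any later read of it would then be of an indeterminate value, and the now-unreferenced local may trip an unused-variable warning; the rest of the function is outside both hunks, so I cannot tell whether it is read. I would declare it as `int unsignedp, reversep = 0, volatilep;` and, if the plugin build treats warnings as errors, add `(void)reversep;` after the call.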
@@ -130178,7 +130296,7 @@ index 0000000..2abfe4b
 +	if (TREE_CODE(op) == COMPONENT_REF)
 +		return false;
 +
-+	decl = get_inner_reference(op, &bitsize, &bitpos, &offset, &mode, &unsignedp, &volatilep, true);
++	decl = get_inner_reference(op, &bitsize, &bitpos, &offset, &mode, &unsignedp, &reversep, &volatilep, true);
 +
 +	switch (TREE_CODE_CLASS(TREE_CODE(decl))) {
 +	case tcc_constant:
@@ -132715,10 +132833,10 @@ index 0000000..4c7f7c6
 +targets += size_overflow_hash.h size_overflow_hash_aux.h disable_size_overflow_hash.h
 diff --git a/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data b/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data
 new file mode 100644
-index 0000000..0adc842
+index 0000000..b0e0cdf
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data
-@@ -0,0 +1,12414 @@
+@@ -0,0 +1,12419 @@
 +disable_so_interrupt_pnode_gru_message_queue_desc_4 interrupt_pnode gru_message_queue_desc 0 4 NULL
 +disable_so_bch_btree_insert_fndecl_12 bch_btree_insert fndecl 0 12 NULL
 +disable_so_macvlan_sync_address_fndecl_22 macvlan_sync_address fndecl 0 22 NULL nohasharray
@@ -144419,7 +144537,8 @@ index 0000000..0adc842
 +disable_so_freq_offset_khz_uhf_dib0090_config_61716 freq_offset_khz_uhf dib0090_config 0 61716 NULL
 +disable_so_sha1_generic_block_fn_fndecl_61724 sha1_generic_block_fn fndecl 3 61724 NULL
 +disable_so_xc4000_get_signal_fndecl_61727 xc4000_get_signal fndecl 0 61727 NULL
-+disable_so_vf_addr_hi_bnx2x_vf_mbx_61734 vf_addr_hi bnx2x_vf_mbx 0 61734 NULL
++disable_so_vf_addr_hi_bnx2x_vf_mbx_61734 vf_addr_hi bnx2x_vf_mbx 0 61734 NULL nohasharray
++enable_so_exit_info_2_vmcb_control_area_61734 exit_info_2 vmcb_control_area 0 61734 &disable_so_vf_addr_hi_bnx2x_vf_mbx_61734
 +disable_so_pcxhr_update_timer_pos_fndecl_61736 pcxhr_update_timer_pos fndecl 3 61736 NULL nohasharray
 +disable_so_adis16480_set_filter_freq_fndecl_61736 adis16480_set_filter_freq fndecl 0 61736 &disable_so_pcxhr_update_timer_pos_fndecl_61736 nohasharray
 +disable_so_xfs_daddr_to_agbno_fndecl_61736 xfs_daddr_to_agbno fndecl 0-2 61736 &disable_so_adis16480_set_filter_freq_fndecl_61736
@@ -145133,6 +145252,10 @@ index 0000000..0adc842
 +enable_so_read_fw_status_reg_megasas_instance_template_13572 read_fw_status_reg megasas_instance_template 0 13572 NULL
 +enable_so_eip_x86_emulate_ctxt_12354 eip x86_emulate_ctxt 0 12354 NULL
 +enable_so_next_rip_x86_instruction_info_56868 next_rip x86_instruction_info 0 56868 NULL
++enable_so_exit_int_info_vmcb_control_area_18357 exit_int_info vmcb_control_area 0 18357 NULL
++enable_so_exit_info_1_vmcb_control_area_20200 exit_info_1 vmcb_control_area 0 20200 NULL
++enable_so_event_inj_vmcb_control_area_23434 event_inj vmcb_control_area 0 23434 NULL
++enable_so_iopm_base_pa_vmcb_control_area_57998 iopm_base_pa vmcb_control_area 0 57998 NULL
 diff --git a/tools/gcc/size_overflow_plugin/generate_size_overflow_hash.sh b/tools/gcc/size_overflow_plugin/generate_size_overflow_hash.sh
 new file mode 100644
 index 0000000..be9724d
@@ -145666,7 +145789,7 @@ index 0000000..37e2e91
 +#endif
 diff --git a/tools/gcc/size_overflow_plugin/intentional_overflow.c b/tools/gcc/size_overflow_plugin/intentional_overflow.c
 new file mode 100644
-index 0000000..62eb578
+index 0000000..a662b4b
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/intentional_overflow.c
 @@ -0,0 +1,947 @@
@@ -145908,10 +146031,10 @@ index 0000000..62eb578
 +		break;
 +	}
 +	case FIELD_DECL:
-+	case VAR_DECL:
 +		// !!! temporarily ignore bitfield types
 +		if (DECL_BIT_FIELD_TYPE(node))
 +			return MARK_YES;
++	case VAR_DECL:
 +		if (is_end_intentional_intentional_attr(node))
 +			return MARK_END_INTENTIONAL;
 +		if (is_turn_off_intentional_attr(node))
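Review bot: Moving `case VAR_DECL:` below the bitfield test in tools/gcc/size_overflow_plugin/intentional_overflow.c makes `FIELD_DECL` fall through into the `VAR_DECL` body, and that fall-through is unmarked. It looks intentional, since the matching hunks in size_overflow_transform.c also restrict `DECL_BIT_FIELD_TYPE` to `FIELD_DECL` nodes. A reader of the switch cannot tell that from the code, though, and a later edit could insert a `break` or a new case between the two labels. I would put `/* fall through: only FIELD_DECL may be tested with DECL_BIT_FIELD_TYPE */` on the line before `case VAR_DECL:`. The enclosing switch starts and ends outside this hunk.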
@@ -147290,10 +147413,10 @@ index 0000000..ab2d25a
 +}
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
 new file mode 100644
-index 0000000..a883e73
+index 0000000..b683d96
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
-@@ -0,0 +1,20743 @@
+@@ -0,0 +1,20738 @@
 +enable_so_recv_ctrl_pipe_us_data_0 recv_ctrl_pipe us_data 0 0 NULL
 +enable_so___earlyonly_bootmem_alloc_fndecl_3 __earlyonly_bootmem_alloc fndecl 2-3-4 3 NULL
 +enable_so_size_ttm_mem_reg_8 size ttm_mem_reg 0 8 NULL
@@ -153024,8 +153147,7 @@ index 0000000..a883e73
 +enable_so_rfcomm_send_frame_fndecl_18352 rfcomm_send_frame fndecl 3 18352 NULL
 +enable_so_mgsl_load_tx_dma_buffer_fndecl_18355 mgsl_load_tx_dma_buffer fndecl 3 18355 NULL
 +enable_so_vm_pgoff_vm_area_struct_18357 vm_pgoff vm_area_struct 0 18357 NULL nohasharray
-+enable_so_exit_int_info_vmcb_control_area_18357 exit_int_info vmcb_control_area 0 18357 &enable_so_vm_pgoff_vm_area_struct_18357 nohasharray
-+enable_so_elfnotes_sz_vardecl_vmcore_c_18357 elfnotes_sz vardecl_vmcore.c 0 18357 &enable_so_exit_int_info_vmcb_control_area_18357
++enable_so_elfnotes_sz_vardecl_vmcore_c_18357 elfnotes_sz vardecl_vmcore.c 0 18357 &enable_so_vm_pgoff_vm_area_struct_18357
 +enable_so_lbs_rdrf_write_fndecl_18361 lbs_rdrf_write fndecl 3 18361 NULL
 +enable_so_ascii2desc_fndecl_18370 ascii2desc fndecl 0-3 18370 NULL
 +enable_so_ecryptfs_write_lower_fndecl_18373 ecryptfs_write_lower fndecl 4 18373 NULL
@@ -153596,7 +153718,6 @@ index 0000000..a883e73
 +enable_so_iram_base_intel_sst_drv_20196 iram_base intel_sst_drv 0 20196 &enable_so_agp_memory_reserved_vardecl_20196
 +enable_so_qxl_gem_object_create_with_handle_fndecl_20198 qxl_gem_object_create_with_handle fndecl 4 20198 NULL
 +enable_so_fpage_size_genwqe_sgl_20199 fpage_size genwqe_sgl 0 20199 NULL
-+enable_so_exit_info_1_vmcb_control_area_20200 exit_info_1 vmcb_control_area 0 20200 NULL
 +enable_so_sectors_per_block_bits_dm_bufio_client_20202 sectors_per_block_bits dm_bufio_client 0 20202 NULL
 +enable_so_max_frame_size__mgslpc_info_20204 max_frame_size _mgslpc_info 0 20204 NULL
 +enable_so_sbq_len_rx_ring_20205 sbq_len rx_ring 0 20205 NULL
@@ -154632,8 +154753,7 @@ index 0000000..a883e73
 +enable_so_max_snd_interval_23422 max snd_interval 0 23422 NULL
 +enable_so_configfs_read_file_fndecl_23424 configfs_read_file fndecl 3 23424 NULL
 +enable_so___qib_get_user_pages_fndecl_23426 __qib_get_user_pages fndecl 1 23426 NULL
-+enable_so_event_inj_vmcb_control_area_23434 event_inj vmcb_control_area 0 23434 NULL nohasharray
-+enable_so_nilfs_attach_snapshot_fndecl_23434 nilfs_attach_snapshot fndecl 2 23434 &enable_so_event_inj_vmcb_control_area_23434
++enable_so_nilfs_attach_snapshot_fndecl_23434 nilfs_attach_snapshot fndecl 2 23434 NULL
 +enable_so_ftdi_instances_vardecl_ftdi_elan_c_23438 ftdi_instances vardecl_ftdi-elan.c 0 23438 NULL
 +enable_so_set_xfer_rate_fndecl_23440 set_xfer_rate fndecl 2 23440 NULL
 +enable_so_mei_cl_recv_fndecl_23442 mei_cl_recv fndecl 0-3 23442 NULL
@@ -165673,7 +165793,6 @@ index 0000000..a883e73
 +enable_so_faultin_page_fndecl_57994 faultin_page fndecl 3 57994 NULL
 +enable_so_perf_sample_ustack_size_fndecl_57995 perf_sample_ustack_size fndecl 0-2-1 57995 NULL
 +enable_so_max_idx_node_sz_ubifs_info_57997 max_idx_node_sz ubifs_info 0 57997 NULL
-+enable_so_iopm_base_pa_vmcb_control_area_57998 iopm_base_pa vmcb_control_area 0 57998 NULL
 +enable_so_SSIDlen_StatusRid_58002 SSIDlen StatusRid 0 58002 NULL nohasharray
 +enable_so_di_size_dinode_58002 di_size dinode 0 58002 &enable_so_SSIDlen_StatusRid_58002
 +enable_so_set_alt_usb_function_58003 set_alt usb_function 0 58003 NULL
@@ -166843,7 +166962,6 @@ index 0000000..a883e73
 +enable_so_do_lfb_size_fndecl_61720 do_lfb_size fndecl 0 61720 NULL
 +enable_so_dm_bufio_new_fndecl_61727 dm_bufio_new fndecl 2 61727 NULL
 +enable_so_btrfs_prev_leaf_fndecl_61728 btrfs_prev_leaf fndecl 0 61728 NULL
-+enable_so_exit_info_2_vmcb_control_area_61734 exit_info_2 vmcb_control_area 0 61734 NULL
 +enable_so_n_patterns_cfg80211_wowlan_61737 n_patterns cfg80211_wowlan 0 61737 NULL
 +enable_so_pci_msix_vec_count_fndecl_61742 pci_msix_vec_count fndecl 0 61742 NULL
 +enable_so_count_nfs_pgio_args_61745 count nfs_pgio_args 0 61745 NULL nohasharray
@@ -170562,7 +170680,7 @@ index 0000000..317cd6c
 +
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_transform.c b/tools/gcc/size_overflow_plugin/size_overflow_transform.c
 new file mode 100644
-index 0000000..78e16db
+index 0000000..a974b2d
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_transform.c
 @@ -0,0 +1,746 @@
@@ -170752,7 +170870,7 @@ index 0000000..78e16db
 +	if (skip_types(orig_node))
 +		return head;
 +	// !!! temporarily ignore bitfield types
-+	if (DECL_BIT_FIELD_TYPE(orig_node))
++	if (orig_code == FIELD_DECL && DECL_BIT_FIELD_TYPE(orig_node))
 +		return head;
 +
 +	// find a defining marked caller argument or struct field for arg
@@ -171110,7 +171228,7 @@ index 0000000..78e16db
 +		return head;
 +
 +	// !!! temporarily ignore bitfield types
-+	if (DECL_BIT_FIELD_TYPE(decl))
++	if (TREE_CODE(decl) == FIELD_DECL && DECL_BIT_FIELD_TYPE(decl))
 +		return head;
 +
 +	next_node = get_interesting_function_next_node(decl, 0);



* [gentoo-commits] proj/hardened-patchset:master commit in: 4.2.6/
@ 2015-11-24  8:58 Anthony G. Basile
From: Anthony G. Basile @ 2015-11-24  8:58 UTC (permalink / raw
  To: gentoo-commits

commit:     38964b55adf113b8b1ccdf56092263b4ef9a7578
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 24 09:05:09 2015 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Tue Nov 24 09:05:09 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=38964b55

grsecurity-3.1-4.2.6-201511232037

 4.2.6/0000_README                                  |   2 +-
 ...> 4420_grsecurity-3.1-4.2.6-201511232037.patch} | 175 ++++++++++++++++++---
 2 files changed, 150 insertions(+), 27 deletions(-)

diff --git a/4.2.6/0000_README b/4.2.6/0000_README
index 454ccd7..91bcf5d 100644
--- a/4.2.6/0000_README
+++ b/4.2.6/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-3.1-4.2.6-201511211841.patch
+Patch:	4420_grsecurity-3.1-4.2.6-201511232037.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/4.2.6/4420_grsecurity-3.1-4.2.6-201511211841.patch b/4.2.6/4420_grsecurity-3.1-4.2.6-201511232037.patch
similarity index 99%
rename from 4.2.6/4420_grsecurity-3.1-4.2.6-201511211841.patch
rename to 4.2.6/4420_grsecurity-3.1-4.2.6-201511232037.patch
index 30663c2..32f511d 100644
--- a/4.2.6/4420_grsecurity-3.1-4.2.6-201511211841.patch
+++ b/4.2.6/4420_grsecurity-3.1-4.2.6-201511232037.patch
@@ -23775,7 +23775,7 @@ index 04f0fe5..3c0598c 100644
  
  	/*
 diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index cb9e5df..0d25636 100644
+index cb9e5df..0849dd8 100644
 --- a/arch/x86/kernel/cpu/common.c
 +++ b/arch/x86/kernel/cpu/common.c
 @@ -91,60 +91,6 @@ static const struct cpu_dev default_cpu = {
@@ -23839,7 +23839,19 @@ index cb9e5df..0d25636 100644
  static int __init x86_mpx_setup(char *s)
  {
  	/* require an exact match without trailing characters */
-@@ -287,6 +233,109 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
+@@ -272,10 +218,9 @@ __setup("nosmap", setup_disable_smap);
+ 
+ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
+ {
+-	unsigned long eflags;
++	unsigned long eflags = native_save_fl();
+ 
+ 	/* This should have been cleared long ago */
+-	raw_local_save_flags(eflags);
+ 	BUG_ON(eflags & X86_EFLAGS_AC);
+ 
+ 	if (cpu_has(c, X86_FEATURE_SMAP)) {
+@@ -287,6 +232,109 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
  	}
  }
  
@@ -23949,7 +23961,7 @@ index cb9e5df..0d25636 100644
  /*
   * Some CPU features depend on higher CPUID levels, which may not always
   * be available due to CPUID level capping or broken virtualization
-@@ -387,7 +436,7 @@ void switch_to_new_gdt(int cpu)
+@@ -387,7 +435,7 @@ void switch_to_new_gdt(int cpu)
  {
  	struct desc_ptr gdt_descr;
  
@@ -23958,7 +23970,7 @@ index cb9e5df..0d25636 100644
  	gdt_descr.size = GDT_SIZE - 1;
  	load_gdt(&gdt_descr);
  	/* Reload the per-cpu base */
-@@ -918,6 +967,20 @@ static void identify_cpu(struct cpuinfo_x86 *c)
+@@ -918,6 +966,20 @@ static void identify_cpu(struct cpuinfo_x86 *c)
  	setup_smep(c);
  	setup_smap(c);
  
@@ -23979,7 +23991,7 @@ index cb9e5df..0d25636 100644
  	/*
  	 * The vendor-specific functions might have changed features.
  	 * Now we do "generic changes."
-@@ -992,7 +1055,7 @@ void enable_sep_cpu(void)
+@@ -992,7 +1054,7 @@ void enable_sep_cpu(void)
  	int cpu;
  
  	cpu = get_cpu();
@@ -23988,7 +24000,7 @@ index cb9e5df..0d25636 100644
  
  	if (!boot_cpu_has(X86_FEATURE_SEP))
  		goto out;
-@@ -1138,10 +1201,12 @@ static __init int setup_disablecpuid(char *arg)
+@@ -1138,10 +1200,12 @@ static __init int setup_disablecpuid(char *arg)
  }
  __setup("clearcpuid=", setup_disablecpuid);
  
@@ -24004,7 +24016,7 @@ index cb9e5df..0d25636 100644
  
  DEFINE_PER_CPU_FIRST(union irq_stack_union,
  		     irq_stack_union) __aligned(PAGE_SIZE) __visible;
-@@ -1253,21 +1318,21 @@ EXPORT_PER_CPU_SYMBOL(current_task);
+@@ -1253,21 +1317,21 @@ EXPORT_PER_CPU_SYMBOL(current_task);
  DEFINE_PER_CPU(int, __preempt_count) = INIT_PREEMPT_COUNT;
  EXPORT_PER_CPU_SYMBOL(__preempt_count);
  
@@ -24033,7 +24045,7 @@ index cb9e5df..0d25636 100644
  /*
   * Clear all 6 debug registers:
   */
-@@ -1343,7 +1408,7 @@ void cpu_init(void)
+@@ -1343,7 +1407,7 @@ void cpu_init(void)
  	 */
  	load_ucode_ap();
  
@@ -24042,7 +24054,7 @@ index cb9e5df..0d25636 100644
  	oist = &per_cpu(orig_ist, cpu);
  
  #ifdef CONFIG_NUMA
-@@ -1375,7 +1440,6 @@ void cpu_init(void)
+@@ -1375,7 +1439,6 @@ void cpu_init(void)
  	wrmsrl(MSR_KERNEL_GS_BASE, 0);
  	barrier();
  
@@ -24050,7 +24062,7 @@ index cb9e5df..0d25636 100644
  	x2apic_setup();
  
  	/*
-@@ -1427,7 +1491,7 @@ void cpu_init(void)
+@@ -1427,7 +1490,7 @@ void cpu_init(void)
  {
  	int cpu = smp_processor_id();
  	struct task_struct *curr = current;
@@ -25391,7 +25403,7 @@ index dc60810..6c8a1fa 100644
  }
  
 diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
-index 50ec9af..bb871ca 100644
+index 50ec9af..32d7f10 100644
 --- a/arch/x86/kernel/fpu/signal.c
 +++ b/arch/x86/kernel/fpu/signal.c
 @@ -54,7 +54,7 @@ static inline int check_for_xstate(struct fxregs_state __user *buf,
@@ -25480,8 +25492,34 @@ index 50ec9af..bb871ca 100644
  			err = -1;
  		} else {
  			sanitize_restored_xstate(tsk, &env, xfeatures, fx_only);
+@@ -385,20 +387,19 @@ fpu__alloc_mathframe(unsigned long sp, int ia32_frame,
+  */
+ void fpu__init_prepare_fx_sw_frame(void)
+ {
+-	int fsave_header_size = sizeof(struct fregs_state);
+ 	int size = xstate_size + FP_XSTATE_MAGIC2_SIZE;
+ 
+-	if (config_enabled(CONFIG_X86_32))
+-		size += fsave_header_size;
+-
+ 	fx_sw_reserved.magic1 = FP_XSTATE_MAGIC1;
+ 	fx_sw_reserved.extended_size = size;
+ 	fx_sw_reserved.xfeatures = xfeatures_mask;
+ 	fx_sw_reserved.xstate_size = xstate_size;
+ 
+-	if (config_enabled(CONFIG_IA32_EMULATION)) {
++	if (config_enabled(CONFIG_IA32_EMULATION) ||
++	    config_enabled(CONFIG_X86_32)) {
++		int fsave_header_size = sizeof(struct fregs_state);
++
+ 		fx_sw_reserved_ia32 = fx_sw_reserved;
+-		fx_sw_reserved_ia32.extended_size += fsave_header_size;
++		fx_sw_reserved_ia32.extended_size = size + fsave_header_size;
+ 	}
+ }
+ 
 diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
-index 62fc001..5ce38be 100644
+index 62fc001..099cbd7 100644
 --- a/arch/x86/kernel/fpu/xstate.c
 +++ b/arch/x86/kernel/fpu/xstate.c
 @@ -93,14 +93,14 @@ EXPORT_SYMBOL_GPL(cpu_has_xfeatures);
@@ -25501,16 +25539,15 @@ index 62fc001..5ce38be 100644
  
  	/*
  	 * None of the feature bits are in init state. So nothing else
-@@ -402,7 +402,7 @@ void *get_xsave_addr(struct xregs_state *xsave, int xstate_feature)
+@@ -402,7 +402,6 @@ void *get_xsave_addr(struct xregs_state *xsave, int xstate_feature)
  	if (!boot_cpu_has(X86_FEATURE_XSAVE))
  		return NULL;
  
 -	xsave = &current->thread.fpu.state.xsave;
-+	xsave = &current->thread.fpu.state->xsave;
  	/*
  	 * We should not ever be requesting features that we
  	 * have not enabled.  Remember that pcntxt_mask is
-@@ -457,5 +457,5 @@ const void *get_xsave_field_ptr(int xsave_state)
+@@ -457,5 +456,5 @@ const void *get_xsave_field_ptr(int xsave_state)
  	 */
  	fpu__save(fpu);
  
@@ -34900,6 +34937,78 @@ index 0057a7acc..95c7edd 100644
  {
  	might_sleep();
  	if (is_enabled()) /* recheck and proper locking in *_core() */
+diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c
+index db1b0bc..c28f618 100644
+--- a/arch/x86/mm/mpx.c
++++ b/arch/x86/mm/mpx.c
+@@ -622,6 +622,29 @@ static unsigned long mpx_bd_entry_to_bt_addr(struct mm_struct *mm,
+ }
+ 
+ /*
++ * We only want to do a 4-byte get_user() on 32-bit.  Otherwise,
++ * we might run off the end of the bounds table if we are on
++ * a 64-bit kernel and try to get 8 bytes.
++ */
++int get_user_bd_entry(struct mm_struct *mm, unsigned long *bd_entry_ret,
++		long __user *bd_entry_ptr)
++{
++	u32 bd_entry_32;
++	int ret;
++
++	if (is_64bit_mm(mm))
++		return get_user(*bd_entry_ret, bd_entry_ptr);
++
++	/*
++	 * Note that get_user() uses the type of the *pointer* to
++	 * establish the size of the get, not the destination.
++	 */
++	ret = get_user(bd_entry_32, (u32 __user *)bd_entry_ptr);
++	*bd_entry_ret = bd_entry_32;
++	return ret;
++}
++
++/*
+  * Get the base of bounds tables pointed by specific bounds
+  * directory entry.
+  */
+@@ -641,7 +664,7 @@ static int get_bt_addr(struct mm_struct *mm,
+ 		int need_write = 0;
+ 
+ 		pagefault_disable();
+-		ret = get_user(bd_entry, bd_entry_ptr);
++		ret = get_user_bd_entry(mm, &bd_entry, bd_entry_ptr);
+ 		pagefault_enable();
+ 		if (!ret)
+ 			break;
+@@ -736,11 +759,23 @@ static unsigned long mpx_get_bt_entry_offset_bytes(struct mm_struct *mm,
+  */
+ static inline unsigned long bd_entry_virt_space(struct mm_struct *mm)
+ {
+-	unsigned long long virt_space = (1ULL << boot_cpu_data.x86_virt_bits);
+-	if (is_64bit_mm(mm))
+-		return virt_space / MPX_BD_NR_ENTRIES_64;
+-	else
+-		return virt_space / MPX_BD_NR_ENTRIES_32;
++	unsigned long long virt_space;
++	unsigned long long GB = (1ULL << 30);
++
++	/*
++	 * This covers 32-bit emulation as well as 32-bit kernels
++	 * running on 64-bit harware.
++	 */
++	if (!is_64bit_mm(mm))
++		return (4ULL * GB) / MPX_BD_NR_ENTRIES_32;
++
++	/*
++	 * 'x86_virt_bits' returns what the hardware is capable
++	 * of, and returns the full >32-bit adddress space when
++	 * running 32-bit kernels on 64-bit hardware.
++	 */
++	virt_space = (1ULL << boot_cpu_data.x86_virt_bits);
++	return virt_space / MPX_BD_NR_ENTRIES_64;
+ }
+ 
+ /*
 diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c
 index 4053bb5..b1ad3dc 100644
 --- a/arch/x86/mm/numa.c
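Review bot: The new `get_user_bd_entry()` in arch/x86/mm/mpx.c is defined with external linkage, while the helpers around it (`mpx_bd_entry_to_bt_addr`, `get_bt_addr`) are `static` and its only visible caller is `get_bt_addr()` in the same file. Unless another translation unit uses it, which these hunks do not show, I would write `static int get_user_bd_entry(struct mm_struct *mm, unsigned long *bd_entry_ret,` so that the user-memory accessor is not exported kernel-wide without a prototype. On the 32-bit path `*bd_entry_ret` is also assigned when `get_user()` fails; a one-line comment that callers must check the return value before using the entry would make that contract explicit. The two added comments in `bd_entry_virt_space()` contain the typos "harware" and "adddress".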
@@ -52060,10 +52169,10 @@ index dab2513..4c4b65d 100644
  	return msecs_to_jiffies((s->poll_timeout[2] << 16)
  				| (s->poll_timeout[1] << 8)
 diff --git a/drivers/net/wireless/ath/ath10k/ce.c b/drivers/net/wireless/ath/ath10k/ce.c
-index e508c65..fb0dbae 100644
+index e508c65..3fd90eb 100644
 --- a/drivers/net/wireless/ath/ath10k/ce.c
 +++ b/drivers/net/wireless/ath/ath10k/ce.c
-@@ -896,7 +896,7 @@ static int ath10k_ce_init_dest_ring(struct ath10k *ar,
+@@ -896,12 +896,12 @@ static int ath10k_ce_init_dest_ring(struct ath10k *ar,
  	return 0;
  }
  
@@ -52072,6 +52181,21 @@ index e508c65..fb0dbae 100644
  ath10k_ce_alloc_src_ring(struct ath10k *ar, unsigned int ce_id,
  			 const struct ce_attr *attr)
  {
+ 	struct ath10k_ce_ring *src_ring;
+-	u32 nentries = attr->src_nentries;
++	unsigned long nentries = attr->src_nentries;
+ 	dma_addr_t base_addr;
+ 
+ 	nentries = roundup_pow_of_two(nentries);
+@@ -968,7 +968,7 @@ ath10k_ce_alloc_dest_ring(struct ath10k *ar, unsigned int ce_id,
+ 			  const struct ce_attr *attr)
+ {
+ 	struct ath10k_ce_ring *dest_ring;
+-	u32 nentries;
++	unsigned long nentries;
+ 	dma_addr_t base_addr;
+ 
+ 	nentries = roundup_pow_of_two(attr->dest_nentries);
 diff --git a/drivers/net/wireless/ath/ath10k/htc.c b/drivers/net/wireless/ath/ath10k/htc.c
 index 32d9ff1..0952b33 100644
 --- a/drivers/net/wireless/ath/ath10k/htc.c
@@ -129238,10 +129362,10 @@ index 0000000..b884a56
 +}
 diff --git a/tools/gcc/gcc-common.h b/tools/gcc/gcc-common.h
 new file mode 100644
-index 0000000..5f73f93
+index 0000000..2ec0551
 --- /dev/null
 +++ b/tools/gcc/gcc-common.h
-@@ -0,0 +1,813 @@
+@@ -0,0 +1,812 @@
 +#ifndef GCC_COMMON_H_INCLUDED
 +#define GCC_COMMON_H_INCLUDED
 +
@@ -129848,12 +129972,7 @@ index 0000000..5f73f93
 +#define NODE_IMPLICIT_ALIAS(node) (node)->cpp_implicit_alias
 +#endif
 +
-+#if BUILDING_GCC_VERSION < 6000
-+#define get_inner_reference(exp, pbitsize, pbitpos, poffset, pmode, punsignedp, preversep, pvolatilep, keep_aligning) get_inner_reference(exp, pbitsize, pbitpos, poffset, pmode, punsignedp, pvolatilep, keep_aligning)
-+#define gen_rtx_set(ARG0, ARG1) gen_rtx_SET(VOIDmode, (ARG0), (ARG1))
-+#endif
-+
-+#if BUILDING_GCC_VERSION == 5000
++#if BUILDING_GCC_VERSION >= 5000 && BUILDING_GCC_VERSION < 6000
 +// gimple related
 +template <>
 +template <>
@@ -129965,7 +130084,6 @@ index 0000000..5f73f93
 +	symtab->remove_cgraph_duplication_hook(entry);
 +}
 +
-+
 +#if BUILDING_GCC_VERSION >= 6000
 +typedef gimple *gimple_ptr;
 +typedef const gimple *const_gimple;
@@ -130050,6 +130168,11 @@ index 0000000..5f73f93
 +}
 +#endif
 +
++#if BUILDING_GCC_VERSION < 6000
++#define get_inner_reference(exp, pbitsize, pbitpos, poffset, pmode, punsignedp, preversep, pvolatilep, keep_aligning) get_inner_reference(exp, pbitsize, pbitpos, poffset, pmode, punsignedp, pvolatilep, keep_aligning)
++#define gen_rtx_set(ARG0, ARG1) gen_rtx_SET(VOIDmode, (ARG0), (ARG1))
++#endif
++
 +#if BUILDING_GCC_VERSION >= 6000
 +#define gen_rtx_set(ARG0, ARG1) gen_rtx_SET((ARG0), (ARG1))
 +#endif
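Review bot: With the `< 6000` compatibility macros moved next to the `>= 6000` definition of `gen_rtx_set`, the two adjacent blocks test complementary conditions and can be written as one conditional. Replacing the `#endif`, blank line and `#if BUILDING_GCC_VERSION >= 6000` between them with a single `#else` keeps both `gen_rtx_set` variants visibly paired and removes the chance of the two version bounds drifting apart. A short comment on the `get_inner_reference` wrapper, e.g. `/* GCC < 6 has no preversep out-parameter; the argument is discarded */`, would also tell plugin authors that the variable they pass is not written on older compilers.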



* [gentoo-commits] proj/hardened-patchset:master commit in: 4.2.6/
@ 2015-11-29 23:57 Anthony G. Basile
From: Anthony G. Basile @ 2015-11-29 23:57 UTC (permalink / raw
  To: gentoo-commits

commit:     3db7f02c577b8b6e79b5f0926beed52f7ec501e8
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Mon Nov 30 00:03:26 2015 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Mon Nov 30 00:03:26 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=3db7f02c

grsecurity-3.1-4.2.6-201511282239

 4.2.6/0000_README                                  |   2 +-
 ...> 4420_grsecurity-3.1-4.2.6-201511282239.patch} | 699 +++++++++++++++------
 2 files changed, 500 insertions(+), 201 deletions(-)

diff --git a/4.2.6/0000_README b/4.2.6/0000_README
index 91bcf5d..ef0e3e5 100644
--- a/4.2.6/0000_README
+++ b/4.2.6/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-3.1-4.2.6-201511232037.patch
+Patch:	4420_grsecurity-3.1-4.2.6-201511282239.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/4.2.6/4420_grsecurity-3.1-4.2.6-201511232037.patch b/4.2.6/4420_grsecurity-3.1-4.2.6-201511282239.patch
similarity index 99%
rename from 4.2.6/4420_grsecurity-3.1-4.2.6-201511232037.patch
rename to 4.2.6/4420_grsecurity-3.1-4.2.6-201511282239.patch
index 32f511d..3903e3d 100644
--- a/4.2.6/4420_grsecurity-3.1-4.2.6-201511232037.patch
+++ b/4.2.6/4420_grsecurity-3.1-4.2.6-201511282239.patch
@@ -3356,7 +3356,7 @@ index 8b60fde..8d986dd 100644
  # ifdef CONFIG_ARM_KERNMEM_PERMS
  	. = ALIGN(1<<SECTION_SHIFT);
 diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
-index f9c341c..7430436 100644
+index f9c341c..c9cead1 100644
 --- a/arch/arm/kvm/arm.c
 +++ b/arch/arm/kvm/arm.c
 @@ -57,7 +57,7 @@ static unsigned long hyp_default_vectors;
@@ -3395,15 +3395,6 @@ index f9c341c..7430436 100644
  	kvm->arch.vmid = kvm_next_vmid;
  	kvm_next_vmid++;
  
-@@ -1110,7 +1110,7 @@ struct kvm_vcpu *kvm_mpidr_to_vcpu(struct kvm *kvm, unsigned long mpidr)
- /**
-  * Initialize Hyp-mode and memory mappings on all CPUs.
-  */
--int kvm_arch_init(void *opaque)
-+int kvm_arch_init(const void *opaque)
- {
- 	int err;
- 	int ret, cpu;
 diff --git a/arch/arm/lib/clear_user.S b/arch/arm/lib/clear_user.S
 index 1710fd7..ec3e014 100644
 --- a/arch/arm/lib/clear_user.S
@@ -7113,19 +7104,6 @@ index 8ea28e6..c8873d5 100644
  
  	info.si_code = FPE_INTOVF;
  	info.si_signo = SIGFPE;
-diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c
-index cd4c129..290c518 100644
---- a/arch/mips/kvm/mips.c
-+++ b/arch/mips/kvm/mips.c
-@@ -1016,7 +1016,7 @@ long kvm_arch_vm_ioctl(struct file *filp, unsigned int ioctl, unsigned long arg)
- 	return r;
- }
- 
--int kvm_arch_init(void *opaque)
-+int kvm_arch_init(const void *opaque)
- {
- 	if (kvm_mips_callbacks) {
- 		kvm_err("kvm: module already exists\n");
 diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c
 index 852a41c..75b9d38 100644
 --- a/arch/mips/mm/fault.c
@@ -9391,19 +9369,6 @@ index b457bfa..9018cde 100644
  	if (IS_ERR_VALUE(vdso_base)) {
  		rc = vdso_base;
  		goto fail_mmapsem;
-diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c
-index e5dde32..557af3d 100644
---- a/arch/powerpc/kvm/powerpc.c
-+++ b/arch/powerpc/kvm/powerpc.c
-@@ -1404,7 +1404,7 @@ void kvmppc_init_lpid(unsigned long nr_lpids_param)
- }
- EXPORT_SYMBOL_GPL(kvmppc_init_lpid);
- 
--int kvm_arch_init(void *opaque)
-+int kvm_arch_init(const void *opaque)
- {
- 	return 0;
- }
 diff --git a/arch/powerpc/lib/usercopy_64.c b/arch/powerpc/lib/usercopy_64.c
 index 5eea6f3..5d10396 100644
 --- a/arch/powerpc/lib/usercopy_64.c
@@ -22069,7 +22034,7 @@ index cd79194..6a9956f 100644
  }
  
 diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
-index a8df874..ef0e34f 100644
+index a8df874..43b72d3 100644
 --- a/arch/x86/include/asm/uaccess.h
 +++ b/arch/x86/include/asm/uaccess.h
 @@ -7,6 +7,7 @@
@@ -22117,7 +22082,7 @@ index a8df874..ef0e34f 100644
 +					_cond_resched();		\
 +				if (__get_user(__c_ao, (char __user *)__addr))	\
 +					break;				\
-+				if (type != VERIFY_WRITE) {		\
++				if ((type) != VERIFY_WRITE) {		\
 +					__addr = __addr_ao;		\
 +					continue;			\
 +				}					\
@@ -30058,7 +30023,7 @@ index 0f67d7e..4b9fa11 100644
  			goto error;
  		walker->ptep_user[walker->level - 1] = ptep_user;
 diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 2d32b67..06cac10 100644
+index 2d32b67..976f46e 100644
 --- a/arch/x86/kvm/svm.c
 +++ b/arch/x86/kvm/svm.c
 @@ -1106,6 +1106,8 @@ static void init_vmcb(struct vcpu_svm *svm, bool init_event)
@@ -30152,6 +30117,15 @@ index 2d32b67..06cac10 100644
  	reload_tss(vcpu);
  
  	local_irq_disable();
+@@ -4355,7 +4363,7 @@ static void svm_sched_in(struct kvm_vcpu *vcpu, int cpu)
+ {
+ }
+ 
+-static struct kvm_x86_ops svm_x86_ops = {
++static struct kvm_x86_ops svm_x86_ops __read_only = {
+ 	.cpu_has_kvm_support = has_svm,
+ 	.disabled_by_bios = is_disabled,
+ 	.hardware_setup = svm_hardware_setup,
 @@ -4374,7 +4382,7 @@ static struct kvm_x86_ops svm_x86_ops = {
  	.vcpu_load = svm_vcpu_load,
  	.vcpu_put = svm_vcpu_put,
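Review bot: `svm_x86_ops` (and `vmx_x86_ops` in the vmx.c hunk further down) is now tagged `__read_only` with no comment stating the rule for writing to it. In the same commit the vmx.c hunks drop the `*(void **)&` casts, so an assignment to a `kvm_x86_ops` member now compiles anywhere. Judging by the `pax_open_kernel()`/`pax_close_kernel()` pairs kept around each such write in `hardware_setup()`, a write outside such a window would presumably only fail at run time. I would add a comment above each definition, e.g. `/* __read_only: members may only be changed between pax_open_kernel() and pax_close_kernel() */`. Whether svm.c itself writes to the table after initialisation is not visible in this hunk.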
@@ -30162,7 +30136,7 @@ index 2d32b67..06cac10 100644
  	.set_msr = svm_set_msr,
  	.get_segment_base = svm_get_segment_base,
 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index aa9e8229..6223041 100644
+index aa9e8229..5f643bf 100644
 --- a/arch/x86/kvm/vmx.c
 +++ b/arch/x86/kvm/vmx.c
 @@ -1440,12 +1440,12 @@ static void vmcs_write64(unsigned long field, u64 value)
@@ -30256,40 +30230,32 @@ index aa9e8229..6223041 100644
  	 * using the APIC_ACCESS_ADDR VMCS field.
  	 */
 -	if (!flexpriority_enabled)
--		kvm_x86_ops->set_apic_access_page_addr = NULL;
 +	if (!flexpriority_enabled) {
 +		pax_open_kernel();
-+		*(void **)&kvm_x86_ops->set_apic_access_page_addr = NULL;
+ 		kvm_x86_ops->set_apic_access_page_addr = NULL;
 +		pax_close_kernel();
 +	}
  
 -	if (!cpu_has_vmx_tpr_shadow())
--		kvm_x86_ops->update_cr8_intercept = NULL;
 +	if (!cpu_has_vmx_tpr_shadow()) {
 +		pax_open_kernel();
-+		*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
+ 		kvm_x86_ops->update_cr8_intercept = NULL;
 +		pax_close_kernel();
 +	}
  
  	if (enable_ept && !cpu_has_vmx_ept_2m_page())
  		kvm_disable_largepages();
-@@ -6112,14 +6132,16 @@ static __init int hardware_setup(void)
+@@ -6112,6 +6132,7 @@ static __init int hardware_setup(void)
  	if (!cpu_has_vmx_apicv())
  		enable_apicv = 0;
  
 +	pax_open_kernel();
  	if (enable_apicv)
--		kvm_x86_ops->update_cr8_intercept = NULL;
-+		*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
+ 		kvm_x86_ops->update_cr8_intercept = NULL;
  	else {
--		kvm_x86_ops->hwapic_irr_update = NULL;
--		kvm_x86_ops->hwapic_isr_update = NULL;
--		kvm_x86_ops->deliver_posted_interrupt = NULL;
--		kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy;
-+		*(void **)&kvm_x86_ops->hwapic_irr_update = NULL;
-+		*(void **)&kvm_x86_ops->hwapic_isr_update = NULL;
-+		*(void **)&kvm_x86_ops->deliver_posted_interrupt = NULL;
-+		*(void **)&kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy;
+@@ -6120,6 +6141,7 @@ static __init int hardware_setup(void)
+ 		kvm_x86_ops->deliver_posted_interrupt = NULL;
+ 		kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy;
  	}
 +	pax_close_kernel();
  
@@ -30299,15 +30265,11 @@ index aa9e8229..6223041 100644
  		enable_pml = 0;
  
  	if (!enable_pml) {
--		kvm_x86_ops->slot_enable_log_dirty = NULL;
--		kvm_x86_ops->slot_disable_log_dirty = NULL;
--		kvm_x86_ops->flush_log_dirty = NULL;
--		kvm_x86_ops->enable_log_dirty_pt_masked = NULL;
 +		pax_open_kernel();
-+		*(void **)&kvm_x86_ops->slot_enable_log_dirty = NULL;
-+		*(void **)&kvm_x86_ops->slot_disable_log_dirty = NULL;
-+		*(void **)&kvm_x86_ops->flush_log_dirty = NULL;
-+		*(void **)&kvm_x86_ops->enable_log_dirty_pt_masked = NULL;
+ 		kvm_x86_ops->slot_enable_log_dirty = NULL;
+ 		kvm_x86_ops->slot_disable_log_dirty = NULL;
+ 		kvm_x86_ops->flush_log_dirty = NULL;
+ 		kvm_x86_ops->enable_log_dirty_pt_masked = NULL;
 +		pax_close_kernel();
  	}
  
@@ -30367,8 +30329,17 @@ index aa9e8229..6223041 100644
  #endif
  
  	vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
+@@ -10309,7 +10354,7 @@ static void vmx_enable_log_dirty_pt_masked(struct kvm *kvm,
+ 	kvm_mmu_clear_dirty_pt_masked(kvm, memslot, offset, mask);
+ }
+ 
+-static struct kvm_x86_ops vmx_x86_ops = {
++static struct kvm_x86_ops vmx_x86_ops __read_only = {
+ 	.cpu_has_kvm_support = cpu_has_kvm_support,
+ 	.disabled_by_bios = vmx_disabled_by_bios,
+ 	.hardware_setup = hardware_setup,
 diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 373328b7..ebd267f 100644
+index 373328b7..310cf2f 100644
 --- a/arch/x86/kvm/x86.c
 +++ b/arch/x86/kvm/x86.c
 @@ -1842,8 +1842,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
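Review bot: The `__read_only` added to `vmx_x86_ops` has no comment saying that every later store to the table must sit between `pax_open_kernel()` and `pax_close_kernel()`, which is the rule the `hardware_setup()` hunks earlier in this file now rely on. The old side wrote through `*(void **)&kvm_x86_ops->...` casts, which suggests the table was const-qualified before, so a stray writer failed at compile time. With a section attribute, a missed writer would presumably only surface as a fault at run time. A comment above the definition such as `/* __read_only: write only inside pax_open_kernel()/pax_close_kernel() */` would record that. The initializer continues outside the hunk.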
@@ -30427,15 +30398,6 @@ index 373328b7..ebd267f 100644
  			guest_xsave->region, sizeof(struct fxregs_state));
  	}
  	return 0;
-@@ -5788,7 +5790,7 @@ static struct notifier_block pvclock_gtod_notifier = {
- };
- #endif
- 
--int kvm_arch_init(void *opaque)
-+int kvm_arch_init(const void *opaque)
- {
- 	int r;
- 	struct kvm_x86_ops *ops = opaque;
 @@ -7217,7 +7219,7 @@ int kvm_arch_vcpu_ioctl_translate(struct kvm_vcpu *vcpu,
  int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
  {
@@ -37754,7 +37716,7 @@ index ea5815c..5880da6 100644
  
  	scatterwalk_start(&walk, sg);
 diff --git a/crypto/zlib.c b/crypto/zlib.c
-index d51a30a..fb1f8af 100644
+index d51a30a..b6891a3 100644
 --- a/crypto/zlib.c
 +++ b/crypto/zlib.c
 @@ -95,10 +95,10 @@ static int zlib_compress_setup(struct crypto_pcomp *tfm, const void *params,
@@ -37770,6 +37732,34 @@ index d51a30a..fb1f8af 100644
  					: DEF_MEM_LEVEL;
  
  	workspacesize = zlib_deflate_workspacesize(window_bits, mem_level);
+@@ -108,15 +108,15 @@ static int zlib_compress_setup(struct crypto_pcomp *tfm, const void *params,
+ 
+ 	ret = zlib_deflateInit2(stream,
+ 				tb[ZLIB_COMP_LEVEL]
+-					? nla_get_u32(tb[ZLIB_COMP_LEVEL])
++					? nla_get_s32(tb[ZLIB_COMP_LEVEL])
+ 					: Z_DEFAULT_COMPRESSION,
+ 				tb[ZLIB_COMP_METHOD]
+-					? nla_get_u32(tb[ZLIB_COMP_METHOD])
++					? nla_get_s32(tb[ZLIB_COMP_METHOD])
+ 					: Z_DEFLATED,
+ 				window_bits,
+ 				mem_level,
+ 				tb[ZLIB_COMP_STRATEGY]
+-					? nla_get_u32(tb[ZLIB_COMP_STRATEGY])
++					? nla_get_s32(tb[ZLIB_COMP_STRATEGY])
+ 					: Z_DEFAULT_STRATEGY);
+ 	if (ret != Z_OK) {
+ 		vfree(stream->workspace);
+@@ -224,7 +224,7 @@ static int zlib_decompress_setup(struct crypto_pcomp *tfm, const void *params,
+ 	zlib_decomp_exit(ctx);
+ 
+ 	ctx->decomp_windowBits = tb[ZLIB_DECOMP_WINDOWBITS]
+-				 ? nla_get_u32(tb[ZLIB_DECOMP_WINDOWBITS])
++				 ? nla_get_s32(tb[ZLIB_DECOMP_WINDOWBITS])
+ 				 : DEF_WBITS;
+ 
+ 	stream->workspace = vzalloc(zlib_inflate_workspacesize());
 diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c
 index 8c2fe2f..fc47c12 100644
 --- a/drivers/acpi/acpi_video.c
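Review bot: The switch from `nla_get_u32()` to `nla_get_s32()` for `ZLIB_COMP_LEVEL`, `ZLIB_COMP_METHOD`, `ZLIB_COMP_STRATEGY` and `ZLIB_DECOMP_WINDOWBITS` is unexplained, and the visible lines still pass these netlink values to `zlib_deflateInit2()` and `ctx->decomp_windowBits` with no range check. Presumably the signed getter is used because zlib parameters can legitimately be negative (the fallback in the same expression is `Z_DEFAULT_COMPRESSION`). A comment like `/* zlib parameters are signed; out-of-range values are rejected by zlib_deflateInit2() */` would tell a reader where validation is expected to happen, once that has been confirmed. Whether the attribute policy for these fields matches a signed 32-bit read is not visible here. Both setup functions continue outside the hunk.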
@@ -47136,6 +47126,74 @@ index 4d9b195..455075c 100644
  				return -EFAULT;
  		} else {
  			memcpy(buf, dp, left);
+diff --git a/drivers/isdn/hisax/config.c b/drivers/isdn/hisax/config.c
+index b33f53b..bf04d2a 100644
+--- a/drivers/isdn/hisax/config.c
++++ b/drivers/isdn/hisax/config.c
+@@ -1896,7 +1896,7 @@ static void EChannel_proc_rcv(struct hisax_d_if *d_if)
+ 				ptr--;
+ 				*ptr++ = '\n';
+ 				*ptr = 0;
+-				HiSax_putstatus(cs, NULL, "%s", cs->dlog);
++				HiSax_putstatus(cs, NULL, cs->dlog);
+ 			} else
+ 				HiSax_putstatus(cs, "LogEcho: ",
+ 						"warning Frame too big (%d)",
+diff --git a/drivers/isdn/hisax/hfc_pci.c b/drivers/isdn/hisax/hfc_pci.c
+index 4a48255..90449e1 100644
+--- a/drivers/isdn/hisax/hfc_pci.c
++++ b/drivers/isdn/hisax/hfc_pci.c
+@@ -901,7 +901,7 @@ Begin:
+ 					ptr--;
+ 					*ptr++ = '\n';
+ 					*ptr = 0;
+-					HiSax_putstatus(cs, NULL, "%s", cs->dlog);
++					HiSax_putstatus(cs, NULL, cs->dlog);
+ 				} else
+ 					HiSax_putstatus(cs, "LogEcho: ", "warning Frame too big (%d)", total - 3);
+ 			}
+diff --git a/drivers/isdn/hisax/hfc_sx.c b/drivers/isdn/hisax/hfc_sx.c
+index b1fad81..13b2151 100644
+--- a/drivers/isdn/hisax/hfc_sx.c
++++ b/drivers/isdn/hisax/hfc_sx.c
+@@ -674,7 +674,7 @@ receive_emsg(struct IsdnCardState *cs)
+ 					ptr--;
+ 					*ptr++ = '\n';
+ 					*ptr = 0;
+-					HiSax_putstatus(cs, NULL, "%s", cs->dlog);
++					HiSax_putstatus(cs, NULL, cs->dlog);
+ 				} else
+ 					HiSax_putstatus(cs, "LogEcho: ", "warning Frame too big (%d)", skb->len);
+ 			}
+diff --git a/drivers/isdn/hisax/q931.c b/drivers/isdn/hisax/q931.c
+index b420f8b..ba4beb2 100644
+--- a/drivers/isdn/hisax/q931.c
++++ b/drivers/isdn/hisax/q931.c
+@@ -1179,7 +1179,7 @@ LogFrame(struct IsdnCardState *cs, u_char *buf, int size)
+ 		dp--;
+ 		*dp++ = '\n';
+ 		*dp = 0;
+-		HiSax_putstatus(cs, NULL, "%s", cs->dlog);
++		HiSax_putstatus(cs, NULL, cs->dlog);
+ 	} else
+ 		HiSax_putstatus(cs, "LogFrame: ", "warning Frame too big (%d)", size);
+ }
+@@ -1246,7 +1246,7 @@ dlogframe(struct IsdnCardState *cs, struct sk_buff *skb, int dir)
+ 	}
+ 	if (finish) {
+ 		*dp = 0;
+-		HiSax_putstatus(cs, NULL, "%s", cs->dlog);
++		HiSax_putstatus(cs, NULL, cs->dlog);
+ 		return;
+ 	}
+ 	if ((0xfe & buf[0]) == PROTO_DIS_N0) {	/* 1TR6 */
+@@ -1509,5 +1509,5 @@ dlogframe(struct IsdnCardState *cs, struct sk_buff *skb, int dir)
+ 		dp += sprintf(dp, "Unknown protocol %x!", buf[0]);
+ 	}
+ 	*dp = 0;
+-	HiSax_putstatus(cs, NULL, "%s", cs->dlog);
++	HiSax_putstatus(cs, NULL, cs->dlog);
+ }
 diff --git a/drivers/isdn/i4l/isdn_common.c b/drivers/isdn/i4l/isdn_common.c
 index 9b856e1..fa03c92 100644
 --- a/drivers/isdn/i4l/isdn_common.c
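Review bot: `HiSax_putstatus(cs, NULL, cs->dlog)` now passes the frame log buffer in the position that previously held the `"%s"` format, and nothing at the call sites in config.c, hfc_pci.c, hfc_sx.c or q931.c says why that is safe. It is only safe if `HiSax_putstatus()` copies its third argument verbatim when `head` is NULL instead of running it through a printf-style formatter. That function is not part of this hunk, so the assumption should be confirmed and written down. A one-line comment at each call, for example `/* head == NULL: dlog is emitted as-is, not parsed as a format string */`, would stop a later cleanup from reintroducing `"%s"` or from passing a non-NULL head with the same argument.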
@@ -47925,9 +47983,18 @@ index d10d300..6169233 100644
  					       "md/raid1:%s: read error corrected "
  					       "(%d sectors at %llu on %s)\n",
 diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
-index d4b70d9..3e3bbb8 100644
+index d4b70d9..54d3a62 100644
 --- a/drivers/md/raid10.c
 +++ b/drivers/md/raid10.c
+@@ -1157,7 +1157,7 @@ static void __make_request(struct mddev *mddev, struct bio *bio)
+ 	struct md_rdev *blocked_rdev;
+ 	struct blk_plug_cb *cb;
+ 	struct raid10_plug_cb *plug = NULL;
+-	int sectors_handled;
++	sector_t sectors_handled;
+ 	int max_sectors;
+ 	int sectors;
+ 
 @@ -1934,7 +1934,7 @@ static void end_sync_read(struct bio *bio, int error)
  		/* The write handler will notice the lack of
  		 * R10BIO_Uptodate and record any errors etc
@@ -75933,10 +76000,113 @@ index b823fac..c5155de 100644
  				btrfs_end_transaction(trans, root);
  				goto out;
 diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
-index b54e630..6ecf999 100644
+index b54e630..48bd25c 100644
 --- a/fs/btrfs/inode.c
 +++ b/fs/btrfs/inode.c
-@@ -5632,6 +5632,7 @@ static int btrfs_real_readdir(struct file *file, struct dir_context *ctx)
+@@ -4184,6 +4184,47 @@ static int truncate_space_check(struct btrfs_trans_handle *trans,
+ 
+ }
+ 
++static int truncate_inline_extent(struct inode *inode,
++				  struct btrfs_path *path,
++				  struct btrfs_key *found_key,
++				  const u64 item_end,
++				  const u64 new_size)
++{
++	struct extent_buffer *leaf = path->nodes[0];
++	int slot = path->slots[0];
++	struct btrfs_file_extent_item *fi;
++	u32 size = (u32)(new_size - found_key->offset);
++	struct btrfs_root *root = BTRFS_I(inode)->root;
++
++	fi = btrfs_item_ptr(leaf, slot, struct btrfs_file_extent_item);
++
++	if (btrfs_file_extent_compression(leaf, fi) != BTRFS_COMPRESS_NONE) {
++		loff_t offset = new_size;
++		loff_t page_end = ALIGN(offset, PAGE_CACHE_SIZE);
++
++		/*
++		 * Zero out the remaining of the last page of our inline extent,
++		 * instead of directly truncating our inline extent here - that
++		 * would be much more complex (decompressing all the data, then
++		 * compressing the truncated data, which might be bigger than
++		 * the size of the inline extent, resize the extent, etc).
++		 * We release the path because to get the page we might need to
++		 * read the extent item from disk (data not in the page cache).
++		 */
++		btrfs_release_path(path);
++		return btrfs_truncate_page(inode, offset, page_end - offset, 0);
++	}
++
++	btrfs_set_file_extent_ram_bytes(leaf, fi, size);
++	size = btrfs_file_extent_calc_inline_size(size);
++	btrfs_truncate_item(root, path, size, 1);
++
++	if (test_bit(BTRFS_ROOT_REF_COWS, &root->state))
++		inode_sub_bytes(inode, item_end + 1 - new_size);
++
++	return 0;
++}
++
+ /*
+  * this can truncate away extent items, csum items and directory items.
+  * It starts at a high offset and removes keys until it can't find
+@@ -4378,27 +4419,40 @@ search_again:
+ 			 * special encodings
+ 			 */
+ 			if (!del_item &&
+-			    btrfs_file_extent_compression(leaf, fi) == 0 &&
+ 			    btrfs_file_extent_encryption(leaf, fi) == 0 &&
+ 			    btrfs_file_extent_other_encoding(leaf, fi) == 0) {
+-				u32 size = new_size - found_key.offset;
+-
+-				if (test_bit(BTRFS_ROOT_REF_COWS, &root->state))
+-					inode_sub_bytes(inode, item_end + 1 -
+-							new_size);
+ 
+ 				/*
+-				 * update the ram bytes to properly reflect
+-				 * the new size of our item
++				 * Need to release path in order to truncate a
++				 * compressed extent. So delete any accumulated
++				 * extent items so far.
+ 				 */
+-				btrfs_set_file_extent_ram_bytes(leaf, fi, size);
+-				size =
+-				    btrfs_file_extent_calc_inline_size(size);
+-				btrfs_truncate_item(root, path, size, 1);
++				if (btrfs_file_extent_compression(leaf, fi) !=
++				    BTRFS_COMPRESS_NONE && pending_del_nr) {
++					err = btrfs_del_items(trans, root, path,
++							      pending_del_slot,
++							      pending_del_nr);
++					if (err) {
++						btrfs_abort_transaction(trans,
++									root,
++									err);
++						goto error;
++					}
++					pending_del_nr = 0;
++				}
++
++				err = truncate_inline_extent(inode, path,
++							     &found_key,
++							     item_end,
++							     new_size);
++				if (err) {
++					btrfs_abort_transaction(trans,
++								root, err);
++					goto error;
++				}
+ 			} else if (test_bit(BTRFS_ROOT_REF_COWS,
+ 					    &root->state)) {
+-				inode_sub_bytes(inode, item_end + 1 -
+-						found_key.offset);
++				inode_sub_bytes(inode, item_end + 1 - new_size);
+ 			}
+ 		}
+ delete:
+@@ -5632,6 +5686,7 @@ static int btrfs_real_readdir(struct file *file, struct dir_context *ctx)
  	char *name_ptr;
  	int name_len;
  	int is_curr = 0;	/* ctx->pos points to the current index? */
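Review bot: `truncate_inline_extent()` has no header comment, and its compressed branch calls `btrfs_release_path(path)` before returning, so the caller's `leaf`, `fi` and slot are stale after the call in that case. The caller at `search_again:` flushes `pending_del_nr` first for that reason, but the contract is written down only in the caller's comment. I would add a short comment above the helper covering three things: it may release `path`; `found_key` and `item_end` matter only for the uncompressed case; and `new_size` must not be below `found_key->offset`, because the difference is narrowed with `(u32)`. That last condition is assumed from the caller and is not checked in the helper. The surrounding truncate loop starts and ends outside the hunk.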
@@ -75944,7 +76114,7 @@ index b54e630..6ecf999 100644
  
  	/* FIXME, use a real flag for deciding about the key type */
  	if (root->fs_info->tree_root == root)
-@@ -5660,6 +5661,7 @@ static int btrfs_real_readdir(struct file *file, struct dir_context *ctx)
+@@ -5660,6 +5715,7 @@ static int btrfs_real_readdir(struct file *file, struct dir_context *ctx)
  	if (ret < 0)
  		goto err;
  
@@ -75952,7 +76122,7 @@ index b54e630..6ecf999 100644
  	while (1) {
  		leaf = path->nodes[0];
  		slot = path->slots[0];
-@@ -5739,6 +5741,7 @@ skip:
+@@ -5739,6 +5795,7 @@ skip:
  
  			if (over)
  				goto nopos;
@@ -75960,7 +76130,7 @@ index b54e630..6ecf999 100644
  			di_len = btrfs_dir_name_len(leaf, di) +
  				 btrfs_dir_data_len(leaf, di) + sizeof(*di);
  			di_cur += di_len;
-@@ -5751,11 +5754,20 @@ next:
+@@ -5751,11 +5808,20 @@ next:
  	if (key_type == BTRFS_DIR_INDEX_KEY) {
  		if (is_curr)
  			ctx->pos++;
@@ -84430,7 +84600,7 @@ index ce9e39f..5c5a436 100644
  {
  	const struct seq_operations *op = ((struct seq_file *)file->private_data)->op;
 diff --git a/fs/splice.c b/fs/splice.c
-index 5fc1e50..6ae8957 100644
+index 5fc1e50..fcc355d 100644
 --- a/fs/splice.c
 +++ b/fs/splice.c
 @@ -192,7 +192,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
@@ -84499,9 +84669,17 @@ index 5fc1e50..6ae8957 100644
  				sd->need_wakeup = true;
  		}
  
-@@ -810,10 +810,10 @@ static int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_des
+@@ -809,11 +809,18 @@ static int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_des
+  */
  static int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
  {
++	/*
++	 * Check for signal early to make process killable when there are
++	 * always buffers available
++	 */
++	if (signal_pending(current))
++		return -ERESTARTSYS;
++
  	while (!pipe->nrbufs) {
 -		if (!pipe->writers)
 +		if (!atomic_read(&pipe->writers))
@@ -84512,7 +84690,15 @@ index 5fc1e50..6ae8957 100644
  			return 0;
  
  		if (sd->flags & SPLICE_F_NONBLOCK)
-@@ -1028,7 +1028,7 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
+@@ -884,6 +891,7 @@ ssize_t __splice_from_pipe(struct pipe_inode_info *pipe, struct splice_desc *sd,
+ 
+ 	splice_from_pipe_begin(sd);
+ 	do {
++		cond_resched();
+ 		ret = splice_from_pipe_next(pipe, sd);
+ 		if (ret > 0)
+ 			ret = splice_from_pipe_feed(pipe, sd, actor);
+@@ -1028,7 +1036,7 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
  				ops->release(pipe, buf);
  				pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
  				pipe->nrbufs--;
@@ -84521,7 +84707,7 @@ index 5fc1e50..6ae8957 100644
  					sd.need_wakeup = true;
  			} else {
  				buf->offset += ret;
-@@ -1188,7 +1188,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
+@@ -1188,7 +1196,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
  		 * out of the pipe right after the splice_to_pipe(). So set
  		 * PIPE_READERS appropriately.
  		 */
@@ -84530,7 +84716,7 @@ index 5fc1e50..6ae8957 100644
  
  		current->splice_pipe = pipe;
  	}
-@@ -1495,6 +1495,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
+@@ -1495,6 +1503,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
  
  			partial[buffers].offset = off;
  			partial[buffers].len = plen;
@@ -84538,7 +84724,7 @@ index 5fc1e50..6ae8957 100644
  
  			off = 0;
  			len -= plen;
-@@ -1726,9 +1727,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1726,9 +1735,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
  			ret = -ERESTARTSYS;
  			break;
  		}
@@ -84550,7 +84736,7 @@ index 5fc1e50..6ae8957 100644
  			if (flags & SPLICE_F_NONBLOCK) {
  				ret = -EAGAIN;
  				break;
-@@ -1760,7 +1761,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1760,7 +1769,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
  	pipe_lock(pipe);
  
  	while (pipe->nrbufs >= pipe->buffers) {
@@ -84559,7 +84745,7 @@ index 5fc1e50..6ae8957 100644
  			send_sig(SIGPIPE, current, 0);
  			ret = -EPIPE;
  			break;
-@@ -1773,9 +1774,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1773,9 +1782,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
  			ret = -ERESTARTSYS;
  			break;
  		}
@@ -84571,7 +84757,7 @@ index 5fc1e50..6ae8957 100644
  	}
  
  	pipe_unlock(pipe);
-@@ -1811,14 +1812,14 @@ retry:
+@@ -1811,14 +1820,14 @@ retry:
  	pipe_double_lock(ipipe, opipe);
  
  	do {
@@ -84588,7 +84774,7 @@ index 5fc1e50..6ae8957 100644
  			break;
  
  		/*
-@@ -1915,7 +1916,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
+@@ -1915,7 +1924,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
  	pipe_double_lock(ipipe, opipe);
  
  	do {
@@ -84597,7 +84783,7 @@ index 5fc1e50..6ae8957 100644
  			send_sig(SIGPIPE, current, 0);
  			if (!ret)
  				ret = -EPIPE;
-@@ -1960,7 +1961,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
+@@ -1960,7 +1969,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
  	 * return EAGAIN if we have the potential of some data in the
  	 * future, otherwise just return 0
  	 */
@@ -84752,6 +84938,28 @@ index 94374e4..b5da3a1 100644
  		return PTR_ERR(kn);
  	}
  
+diff --git a/fs/sysv/inode.c b/fs/sysv/inode.c
+index 590ad92..02fa1dc 100644
+--- a/fs/sysv/inode.c
++++ b/fs/sysv/inode.c
+@@ -162,15 +162,8 @@ void sysv_set_inode(struct inode *inode, dev_t rdev)
+ 		inode->i_fop = &sysv_dir_operations;
+ 		inode->i_mapping->a_ops = &sysv_aops;
+ 	} else if (S_ISLNK(inode->i_mode)) {
+-		if (inode->i_blocks) {
+-			inode->i_op = &sysv_symlink_inode_operations;
+-			inode->i_mapping->a_ops = &sysv_aops;
+-		} else {
+-			inode->i_op = &simple_symlink_inode_operations;
+-			inode->i_link = (char *)SYSV_I(inode)->i_data;
+-			nd_terminate_link(inode->i_link, inode->i_size,
+-				sizeof(SYSV_I(inode)->i_data) - 1);
+-		}
++		inode->i_op = &sysv_symlink_inode_operations;
++		inode->i_mapping->a_ops = &sysv_aops;
+ 	} else
+ 		init_special_inode(inode, inode->i_mode, rdev);
+ }
 diff --git a/fs/sysv/sysv.h b/fs/sysv/sysv.h
 index 6c21228..9afd5fe 100644
 --- a/fs/sysv/sysv.h
@@ -100227,28 +100435,6 @@ index 484604d..0f6c5b6 100644
  
  	if (atomic_sub_and_test((int) count, &kref->refcount)) {
  		release(kref);
-diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
-index 05e99b8..484b1f97 100644
---- a/include/linux/kvm_host.h
-+++ b/include/linux/kvm_host.h
-@@ -468,7 +468,7 @@ static inline void kvm_irqfd_exit(void)
- {
- }
- #endif
--int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
-+int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
- 		  struct module *module);
- void kvm_exit(void);
- 
-@@ -678,7 +678,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(struct kvm_vcpu *vcpu,
- 					struct kvm_guest_debug *dbg);
- int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
- 
--int kvm_arch_init(void *opaque);
-+int kvm_arch_init(const void *opaque);
- void kvm_arch_exit(void);
- 
- int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
 diff --git a/include/linux/libata.h b/include/linux/libata.h
 index c9cfbcd..46986db 100644
 --- a/include/linux/libata.h
@@ -108964,7 +109150,7 @@ index 04e91ff..2419384 100644
  }
  EXPORT_SYMBOL(__stack_chk_fail);
 diff --git a/kernel/pid.c b/kernel/pid.c
-index 4fd07d5..02bce4f 100644
+index 4fd07d5..856f804 100644
 --- a/kernel/pid.c
 +++ b/kernel/pid.c
 @@ -33,6 +33,7 @@
@@ -109004,7 +109190,7 @@ index 4fd07d5..02bce4f 100644
  }
  
  struct task_struct *find_task_by_vpid(pid_t vnr)
-@@ -462,6 +471,14 @@ struct task_struct *find_task_by_vpid(pid_t vnr)
+@@ -462,13 +471,21 @@ struct task_struct *find_task_by_vpid(pid_t vnr)
  	return find_task_by_pid_ns(vnr, task_active_pid_ns(current));
  }
  
@@ -109019,6 +109205,23 @@ index 4fd07d5..02bce4f 100644
  struct pid *get_task_pid(struct task_struct *task, enum pid_type type)
  {
  	struct pid *pid;
+ 	rcu_read_lock();
+ 	if (type != PIDTYPE_PID)
+ 		task = task->group_leader;
+-	pid = get_pid(task->pids[type].pid);
++	pid = get_pid(rcu_dereference(task->pids[type].pid));
+ 	rcu_read_unlock();
+ 	return pid;
+ }
+@@ -529,7 +546,7 @@ pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type,
+ 	if (likely(pid_alive(task))) {
+ 		if (type != PIDTYPE_PID)
+ 			task = task->group_leader;
+-		nr = pid_nr_ns(task->pids[type].pid, ns);
++		nr = pid_nr_ns(rcu_dereference(task->pids[type].pid), ns);
+ 	}
+ 	rcu_read_unlock();
+ 
 diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
 index a65ba13..f600dbb 100644
 --- a/kernel/pid_namespace.c
@@ -112151,6 +112354,19 @@ index e2894b2..23751b3 100644
  	help
  	  If you want to debug problems which hang or crash the kernel early
  	  on boot and the crashing machine has a FireWire port, you can use
+diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan
+index 39f24d6..cf80221 100644
+--- a/lib/Kconfig.kasan
++++ b/lib/Kconfig.kasan
+@@ -5,7 +5,7 @@ if HAVE_ARCH_KASAN
+ 
+ config KASAN
+ 	bool "KASan: runtime memory debugger"
+-	depends on SLUB_DEBUG
++	depends on SLUB_DEBUG && !GRKERNSEC_KSTACKOVERFLOW
+ 	select CONSTRUCTORS
+ 	help
+ 	  Enables kernel address sanitizer - runtime memory debugger,
 diff --git a/lib/Makefile b/lib/Makefile
 index 6897b52..466bda9 100644
 --- a/lib/Makefile
@@ -117868,7 +118084,7 @@ index 68ff8a5..40c7a70 100644
  
  	if (len > buflen)
 diff --git a/mm/vmalloc.c b/mm/vmalloc.c
-index 2faaa29..7ac7a6d 100644
+index 2faaa29..b4893f8 100644
 --- a/mm/vmalloc.c
 +++ b/mm/vmalloc.c
 @@ -40,20 +40,65 @@ struct vfree_deferred {
@@ -118099,7 +118315,17 @@ index 2faaa29..7ac7a6d 100644
  	if (flags & VM_IOREMAP)
  		align = 1ul << clamp_t(int, fls_long(size),
  				       PAGE_SHIFT, IOREMAP_MAX_ORDER);
-@@ -1531,13 +1638,36 @@ EXPORT_SYMBOL(vfree);
+@@ -1345,7 +1452,9 @@ static struct vm_struct *__get_vm_area_node(unsigned long size,
+ 	if (unlikely(!area))
+ 		return NULL;
+ 
++#ifndef CONFIG_GRKERNSEC_KSTACKOVERFLOW
+ 	if (!(flags & VM_NO_GUARD))
++#endif
+ 		size += PAGE_SIZE;
+ 
+ 	va = alloc_vmap_area(size, align, start, end, node, gfp_mask);
+@@ -1531,13 +1640,36 @@ EXPORT_SYMBOL(vfree);
   */
  void vunmap(const void *addr)
  {
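Review bot: Wrapping only the `if (!(flags & VM_NO_GUARD))` line in `#ifndef CONFIG_GRKERNSEC_KSTACKOVERFLOW` makes `size += PAGE_SIZE;` a conditional body in one configuration and an unconditional statement in the other, which is easy to misread and easy to break on a later edit. With the option enabled every area gets the guard page and `VM_NO_GUARD` is ignored. That looks deliberate, and it is presumably why `KASAN` gains `!GRKERNSEC_KSTACKOVERFLOW` in lib/Kconfig.kasan, but neither place says so. A comment here such as `/* KSTACKOVERFLOW: always keep the guard page, VM_NO_GUARD is ignored */` would make the intent explicit. `__get_vm_area_node()` continues outside the hunk.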
@@ -118139,7 +118365,7 @@ index 2faaa29..7ac7a6d 100644
  /**
   *	vmap  -  map an array of pages into virtually contiguous space
   *	@pages:		array of page pointers
-@@ -1558,6 +1688,11 @@ void *vmap(struct page **pages, unsigned int count,
+@@ -1558,6 +1690,11 @@ void *vmap(struct page **pages, unsigned int count,
  	if (count > totalram_pages)
  		return NULL;
  
@@ -118151,7 +118377,7 @@ index 2faaa29..7ac7a6d 100644
  	area = get_vm_area_caller((count << PAGE_SHIFT), flags,
  					__builtin_return_address(0));
  	if (!area)
-@@ -1662,6 +1797,14 @@ void *__vmalloc_node_range(unsigned long size, unsigned long align,
+@@ -1662,6 +1799,14 @@ void *__vmalloc_node_range(unsigned long size, unsigned long align,
  	if (!size || (size >> PAGE_SHIFT) > totalram_pages)
  		goto fail;
  
@@ -118166,7 +118392,7 @@ index 2faaa29..7ac7a6d 100644
  	area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNINITIALIZED |
  				vm_flags, start, end, node, gfp_mask, caller);
  	if (!area)
-@@ -1715,6 +1858,14 @@ static void *__vmalloc_node(unsigned long size, unsigned long align,
+@@ -1715,6 +1860,14 @@ static void *__vmalloc_node(unsigned long size, unsigned long align,
  				gfp_mask, prot, 0, node, caller);
  }
  
@@ -118181,7 +118407,7 @@ index 2faaa29..7ac7a6d 100644
  void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
  {
  	return __vmalloc_node(size, 1, gfp_mask, prot, NUMA_NO_NODE,
-@@ -1838,10 +1989,9 @@ EXPORT_SYMBOL(vzalloc_node);
+@@ -1838,10 +1991,9 @@ EXPORT_SYMBOL(vzalloc_node);
   *	For tight control over page level allocator and protection flags
   *	use __vmalloc() instead.
   */
@@ -118193,7 +118419,7 @@ index 2faaa29..7ac7a6d 100644
  			      NUMA_NO_NODE, __builtin_return_address(0));
  }
  
-@@ -2148,6 +2298,8 @@ int remap_vmalloc_range_partial(struct vm_area_struct *vma, unsigned long uaddr,
+@@ -2148,6 +2300,8 @@ int remap_vmalloc_range_partial(struct vm_area_struct *vma, unsigned long uaddr,
  {
  	struct vm_struct *area;
  
@@ -118202,7 +118428,7 @@ index 2faaa29..7ac7a6d 100644
  	size = PAGE_ALIGN(size);
  
  	if (!PAGE_ALIGNED(uaddr) || !PAGE_ALIGNED(kaddr))
-@@ -2630,7 +2782,11 @@ static int s_show(struct seq_file *m, void *p)
+@@ -2630,7 +2784,11 @@ static int s_show(struct seq_file *m, void *p)
  		v->addr, v->addr + v->size, v->size);
  
  	if (v->caller)
@@ -118214,7 +118440,7 @@ index 2faaa29..7ac7a6d 100644
  
  	if (v->nr_pages)
  		seq_printf(m, " pages=%d", v->nr_pages);
-@@ -2688,52 +2844,5 @@ static int __init proc_vmalloc_init(void)
+@@ -2688,52 +2846,5 @@ static int __init proc_vmalloc_init(void)
  }
  module_init(proc_vmalloc_init);
  
@@ -125374,10 +125600,10 @@ index 55c96cb..e4e88ab 100644
  __clean-files   := $(filter-out $(no-clean-files), $(__clean-files))
  
 diff --git a/scripts/Makefile.host b/scripts/Makefile.host
-index 133edfa..c9aa07f 100644
+index 133edfa..4d180d9 100644
 --- a/scripts/Makefile.host
 +++ b/scripts/Makefile.host
-@@ -20,7 +20,19 @@
+@@ -20,7 +20,25 @@
  # Will compile qconf as a C++ program, and menu as a C program.
  # They are linked as C++ code to the executable qconf
  
@@ -125391,13 +125617,19 @@ index 133edfa..c9aa07f 100644
 +# libkconfig.so as the executable conf.
 +# Note: Shared libraries consisting of C++ files are not supported
 +
++# hostcc-option
++# Usage: cflags-y += $(call hostcc-option,-march=winchip-c6,-march=i586)
++
++hostcc-option = $(call try-run,\
++	$(HOSTCC) $(HOSTCFLAGS) $(HOST_EXTRACFLAGS) $(1) -c -x c /dev/null -o "$$TMP",$(1),$(2))
++
  __hostprogs := $(sort $(hostprogs-y) $(hostprogs-m))
 +__hostlibs := $(sort $(hostlibs-y) $(hostlibs-m))
 +__hostcxxlibs := $(sort $(hostcxxlibs-y) $(hostcxxlibs-m))
  
  # C code
  # Executables compiled from a single .c file
-@@ -42,6 +54,19 @@ host-cxxmulti	:= $(foreach m,$(__hostprogs),$(if $($(m)-cxxobjs),$(m)))
+@@ -42,6 +60,19 @@ host-cxxmulti	:= $(foreach m,$(__hostprogs),$(if $($(m)-cxxobjs),$(m)))
  # C++ Object (.o) files compiled from .cc files
  host-cxxobjs	:= $(sort $(foreach m,$(host-cxxmulti),$($(m)-cxxobjs)))
  
@@ -125417,7 +125649,7 @@ index 133edfa..c9aa07f 100644
  # output directory for programs/.o files
  # hostprogs-y := tools/build may have been specified.
  # Retrieve also directory of .o files from prog-objs or prog-cxxobjs notation
-@@ -56,6 +81,10 @@ host-cmulti	:= $(addprefix $(obj)/,$(host-cmulti))
+@@ -56,6 +87,10 @@ host-cmulti	:= $(addprefix $(obj)/,$(host-cmulti))
  host-cobjs	:= $(addprefix $(obj)/,$(host-cobjs))
  host-cxxmulti	:= $(addprefix $(obj)/,$(host-cxxmulti))
  host-cxxobjs	:= $(addprefix $(obj)/,$(host-cxxobjs))
@@ -125428,7 +125660,7 @@ index 133edfa..c9aa07f 100644
  host-objdirs    := $(addprefix $(obj)/,$(host-objdirs))
  
  obj-dirs += $(host-objdirs)
-@@ -124,5 +153,37 @@ quiet_cmd_host-cxxobjs	= HOSTCXX $@
+@@ -124,5 +159,37 @@ quiet_cmd_host-cxxobjs	= HOSTCXX $@
  $(host-cxxobjs): $(obj)/%.o: $(src)/%.cc FORCE
  	$(call if_changed_dep,host-cxxobjs)
  
@@ -128792,10 +129024,10 @@ index 0000000..0c96d8a
 +}
 diff --git a/tools/gcc/constify_plugin.c b/tools/gcc/constify_plugin.c
 new file mode 100644
-index 0000000..b884a56
+index 0000000..0b98f34
 --- /dev/null
 +++ b/tools/gcc/constify_plugin.c
-@@ -0,0 +1,564 @@
+@@ -0,0 +1,571 @@
 +/*
 + * Copyright 2011 by Emese Revfy <re.emese@gmail.com>
 + * Copyright 2011-2015 by PaX Team <pageexec@freemail.hu>
@@ -128813,13 +129045,15 @@ index 0000000..b884a56
 +
 +#include "gcc-common.h"
 +
-+// unused C type flag in all versions 4.5-5.0
++// unused C type flag in all versions 4.5-6
 +#define TYPE_CONSTIFY_VISITED(TYPE) TYPE_LANG_FLAG_4(TYPE)
 +
 +int plugin_is_GPL_compatible;
 +
++static bool constify = true;
++
 +static struct plugin_info const_plugin_info = {
-+	.version	= "201401270210",
++	.version	= "201511290250",
 +	.help		= "no-constify\tturn off constification\n",
 +};
 +
@@ -128868,17 +129102,15 @@ index 0000000..b884a56
 +
 +		if (is_fptr(field))
 +			cinfo->has_fptr_field = true;
-+		else if (!TREE_READONLY(field))
-+			cinfo->has_writable_field = true;
-+
-+		if (code == RECORD_TYPE || code == UNION_TYPE) {
++		else if (code == RECORD_TYPE || code == UNION_TYPE) {
 +			if (lookup_attribute("do_const", TYPE_ATTRIBUTES(type)))
 +				cinfo->has_do_const_field = true;
 +			else if (lookup_attribute("no_const", TYPE_ATTRIBUTES(type)))
 +				cinfo->has_no_const_field = true;
 +			else
 +				constifiable(type, cinfo);
-+		}
++		} else if (!TREE_READONLY(field))
++			cinfo->has_writable_field = true;
 +	}
 +}
 +
@@ -128904,7 +129136,7 @@ index 0000000..b884a56
 +	}
 +
 +	constifiable(node, &cinfo);
-+	if ((!cinfo.has_fptr_field || cinfo.has_writable_field) && !cinfo.has_do_const_field)
++	if ((!cinfo.has_fptr_field || cinfo.has_writable_field || cinfo.has_no_const_field) && !cinfo.has_do_const_field)
 +		return false;
 +
 +	return TYPE_READONLY(node);
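Review bot: The test for "has function pointers, no writable field, no `no_const` member" is now spelled out by hand wherever it is needed: negated here in the `if` before `return TYPE_READONLY(node)`, and again in the three later constify_plugin.c hunks that add `!cinfo.has_no_const_field` to the same condition. Each copy had to be edited for this change, so a missed copy would leave the attribute handlers and this predicate disagreeing about which types are constified. A small `static bool` helper taking a pointer to `cinfo` and returning `has_fptr_field && !has_writable_field && !has_no_const_field` would keep them in step. The enclosing function starts outside the hunk.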
@@ -129028,13 +129260,21 @@ index 0000000..b884a56
 +	}
 +
 +	constifiable(type, &cinfo);
-+	if ((cinfo.has_fptr_field && !cinfo.has_writable_field) || lookup_attribute("do_const", TYPE_ATTRIBUTES(type))) {
-+		deconstify_tree(*node);
-+		TYPE_CONSTIFY_VISITED(TREE_TYPE(*node)) = 1;
++	if ((cinfo.has_fptr_field && !cinfo.has_writable_field && !cinfo.has_no_const_field) || lookup_attribute("do_const", TYPE_ATTRIBUTES(type))) {
++		if (constify) {
++			if TYPE_P(*node)
++				deconstify_type(*node);
++			else
++				deconstify_tree(*node);
++		}
++		if (TYPE_P(*node))
++			TYPE_CONSTIFY_VISITED(*node) = 1;
++		else
++			TYPE_CONSTIFY_VISITED(TREE_TYPE(*node)) = 1;
 +		return NULL_TREE;
 +	}
 +
-+	if (TYPE_FIELDS(type))
++	if (constify && TYPE_FIELDS(type))
 +		error("%qE attribute used on type %qT that is not constified", name, type);
 +	return NULL_TREE;
 +}
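Review bot: `if TYPE_P(*node)` inside the new `if (constify)` block has no parentheses of its own and compiles only because the `TYPE_P` macro happens to expand to a parenthesised expression. The test a few lines below is written `if (TYPE_P(*node))`. Write both the same way, `if (TYPE_P(*node))`, so the code does not depend on how the macro expands. The handler starts outside the hunk.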
@@ -129131,7 +129371,7 @@ index 0000000..b884a56
 +	constifiable(type, &cinfo);
 +
 +	if (lookup_attribute("no_const", TYPE_ATTRIBUTES(type))) {
-+		if ((cinfo.has_fptr_field && !cinfo.has_writable_field) || cinfo.has_do_const_field) {
++		if ((cinfo.has_fptr_field && !cinfo.has_writable_field && !cinfo.has_no_const_field) || cinfo.has_do_const_field) {
 +			deconstify_type(type);
 +			TYPE_CONSTIFY_VISITED(type) = 1;
 +		} else
@@ -129140,7 +129380,7 @@ index 0000000..b884a56
 +	}
 +
 +	if (lookup_attribute("do_const", TYPE_ATTRIBUTES(type))) {
-+		if (!cinfo.has_writable_field) {
++		if (!cinfo.has_writable_field && !cinfo.has_no_const_field) {
 +			error("'do_const' attribute used on type %qT that is%sconstified", type, cinfo.has_fptr_field ? " " : " not ");
 +			return;
 +		}
@@ -129148,7 +129388,7 @@ index 0000000..b884a56
 +		return;
 +	}
 +
-+	if (cinfo.has_fptr_field && !cinfo.has_writable_field) {
++	if (cinfo.has_fptr_field && !cinfo.has_writable_field && !cinfo.has_no_const_field) {
 +		if (lookup_attribute("do_const", TYPE_ATTRIBUTES(type))) {
 +			error("'do_const' attribute used on type %qT that is constified", type);
 +			return;
@@ -129322,7 +129562,6 @@ index 0000000..b884a56
 +	const int argc = plugin_info->argc;
 +	const struct plugin_argument * const argv = plugin_info->argv;
 +	int i;
-+	bool constify = true;
 +
 +	struct register_pass_info check_local_variables_pass_info;
 +
@@ -130194,7 +130433,7 @@ index 0000000..7514850
 +fi
 diff --git a/tools/gcc/initify_plugin.c b/tools/gcc/initify_plugin.c
 new file mode 100644
-index 0000000..b5684e8
+index 0000000..39c0731
 --- /dev/null
 +++ b/tools/gcc/initify_plugin.c
 @@ -0,0 +1,552 @@
@@ -130218,7 +130457,7 @@ index 0000000..b5684e8
 +int plugin_is_GPL_compatible;
 +
 +static struct plugin_info initify_plugin_info = {
-+	.version	= "20151113",
++	.version	= "20151128",
 +	.help		= "initify_plugin\n",
 +};
 +
@@ -130504,7 +130743,7 @@ index 0000000..b5684e8
 +{
 +	basic_block bb;
 +
-+	FOR_ALL_BB_FN(bb, cfun) {
++	FOR_EACH_BB_FN(bb, cfun) {
 +		gimple_stmt_iterator gsi;
 +
 +		for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
@@ -130618,7 +130857,7 @@ index 0000000..b5684e8
 +{
 +	basic_block bb;
 +
-+	FOR_ALL_BB_FN(bb, cfun) {
++	FOR_EACH_BB_FN(bb, cfun) {
 +		gimple_stmt_iterator gsi;
 +
 +		for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
@@ -130946,10 +131185,10 @@ index 0000000..457d54e
 +}
 diff --git a/tools/gcc/kernexec_plugin.c b/tools/gcc/kernexec_plugin.c
 new file mode 100644
-index 0000000..4838c8a
+index 0000000..6b8ef9a
 --- /dev/null
 +++ b/tools/gcc/kernexec_plugin.c
-@@ -0,0 +1,551 @@
+@@ -0,0 +1,549 @@
 +/*
 + * Copyright 2011-2015 by the PaX Team <pageexec@freemail.hu>
 + * Licensed under the GPL v2
@@ -131150,6 +131389,8 @@ index 0000000..4838c8a
 +				continue;
 +			call_stmt = as_a_gcall(stmt);
 +			fn = gimple_call_fn(call_stmt);
++			if (!fn)
++				continue;
 +			if (TREE_CODE(fn) == ADDR_EXPR)
 +				continue;
 +			if (TREE_CODE(fn) != SSA_NAME)
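Review bot: The added `if (!fn) continue;` guard in the kernexec call-scanning loop has no comment saying when `gimple_call_fn()` yields a null tree, so a later cleanup could drop it as dead code. Presumably it covers calls that carry no callee expression (GCC internal-function calls); if so, say it next to the check: `/* internal calls have no fn tree and are never indirect */`. The same guard is added in size_overflow_transform.c as `if (fnptr == NULL_TREE) return NULL_TREE;`, and the two spellings could be made consistent. The enclosing function starts and ends outside the hunk.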
@@ -131185,14 +131426,12 @@ index 0000000..4838c8a
 +{
 +	rtx btsq;
 +	rtvec argvec, constraintvec, labelvec;
-+	int line;
 +
 +	// create asm volatile("btsq $63,(%%rsp)":::)
 +	argvec = rtvec_alloc(0);
 +	constraintvec = rtvec_alloc(0);
 +	labelvec = rtvec_alloc(0);
-+	line = expand_location(RTL_LOCATION(insn)).line;
-+	btsq = gen_rtx_ASM_OPERANDS(VOIDmode, "btsq $63,(%%rsp)", empty_string, 0, argvec, constraintvec, labelvec, line);
++	btsq = gen_rtx_ASM_OPERANDS(VOIDmode, "btsq $63,(%%rsp)", empty_string, 0, argvec, constraintvec, labelvec, RTL_LOCATION(insn));
 +	MEM_VOLATILE_P(btsq) = 1;
 +//	RTX_FRAME_RELATED_P(btsq) = 1; // not for ASM_OPERANDS
 +	emit_insn_before(btsq, insn);
@@ -131203,14 +131442,12 @@ index 0000000..4838c8a
 +{
 +	rtx orq;
 +	rtvec argvec, constraintvec, labelvec;
-+	int line;
 +
 +	// create asm volatile("orq %%r12,(%%rsp)":::)
 +	argvec = rtvec_alloc(0);
 +	constraintvec = rtvec_alloc(0);
 +	labelvec = rtvec_alloc(0);
-+	line = expand_location(RTL_LOCATION(insn)).line;
-+	orq = gen_rtx_ASM_OPERANDS(VOIDmode, "orq %%r12,(%%rsp)", empty_string, 0, argvec, constraintvec, labelvec, line);
++	orq = gen_rtx_ASM_OPERANDS(VOIDmode, "orq %%r12,(%%rsp)", empty_string, 0, argvec, constraintvec, labelvec, RTL_LOCATION(insn));
 +	MEM_VOLATILE_P(orq) = 1;
 +//	RTX_FRAME_RELATED_P(orq) = 1; // not for ASM_OPERANDS
 +	emit_insn_before(orq, insn);
@@ -131979,7 +132216,7 @@ index 0000000..f76c1c6
 +}
 diff --git a/tools/gcc/randomize_layout_plugin.c b/tools/gcc/randomize_layout_plugin.c
 new file mode 100644
-index 0000000..06a039c
+index 0000000..444b8bd
 --- /dev/null
 +++ b/tools/gcc/randomize_layout_plugin.c
 @@ -0,0 +1,930 @@
@@ -132694,7 +132931,7 @@ index 0000000..06a039c
 +
 +	handle_local_var_initializers();
 +
-+	FOR_ALL_BB_FN(bb, cfun) {
++	FOR_EACH_BB_FN(bb, cfun) {
 +		gimple_stmt_iterator gsi;
 +
 +		for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
@@ -132924,10 +133161,12 @@ index 0000000..c4b24b9
 +size_overflow_hash_aux.h
 diff --git a/tools/gcc/size_overflow_plugin/Makefile b/tools/gcc/size_overflow_plugin/Makefile
 new file mode 100644
-index 0000000..4c7f7c6
+index 0000000..f74d85a
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/Makefile
-@@ -0,0 +1,26 @@
+@@ -0,0 +1,28 @@
++HOST_EXTRACXXFLAGS += $(call hostcc-option, -fno-ipa-icf)
++
 +$(HOSTLIBS)-$(CONFIG_PAX_SIZE_OVERFLOW) += size_overflow_plugin.so
 +always := $($(HOSTLIBS)-y)
 +
@@ -132956,10 +133195,10 @@ index 0000000..4c7f7c6
 +targets += size_overflow_hash.h size_overflow_hash_aux.h disable_size_overflow_hash.h
 diff --git a/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data b/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data
 new file mode 100644
-index 0000000..b0e0cdf
+index 0000000..8ce9ec1
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data
-@@ -0,0 +1,12419 @@
+@@ -0,0 +1,12422 @@
 +disable_so_interrupt_pnode_gru_message_queue_desc_4 interrupt_pnode gru_message_queue_desc 0 4 NULL
 +disable_so_bch_btree_insert_fndecl_12 bch_btree_insert fndecl 0 12 NULL
 +disable_so_macvlan_sync_address_fndecl_22 macvlan_sync_address fndecl 0 22 NULL nohasharray
@@ -145379,6 +145618,9 @@ index 0000000..b0e0cdf
 +enable_so_exit_info_1_vmcb_control_area_20200 exit_info_1 vmcb_control_area 0 20200 NULL
 +enable_so_event_inj_vmcb_control_area_23434 event_inj vmcb_control_area 0 23434 NULL
 +enable_so_iopm_base_pa_vmcb_control_area_57998 iopm_base_pa vmcb_control_area 0 57998 NULL
++enable_so_i_size_lo_ext4_inode_40153 i_size_lo ext4_inode 0 40153 NULL
++enable_so_i_size_high_ext4_inode_18545 i_size_high ext4_inode 0 18545 NULL
++enable_so_nr_kvm_queued_interrupt_34927 nr kvm_queued_interrupt 0 34927 NULL
 diff --git a/tools/gcc/size_overflow_plugin/generate_size_overflow_hash.sh b/tools/gcc/size_overflow_plugin/generate_size_overflow_hash.sh
 new file mode 100644
 index 0000000..be9724d
@@ -145490,7 +145732,7 @@ index 0000000..be9724d
 +exit 0
 diff --git a/tools/gcc/size_overflow_plugin/insert_size_overflow_asm.c b/tools/gcc/size_overflow_plugin/insert_size_overflow_asm.c
 new file mode 100644
-index 0000000..37e2e91
+index 0000000..cc20d48
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/insert_size_overflow_asm.c
 @@ -0,0 +1,416 @@
@@ -145834,7 +146076,7 @@ index 0000000..37e2e91
 +{
 +	basic_block bb;
 +
-+	FOR_ALL_BB_FN(bb, cfun) {
++	FOR_EACH_BB_FN(bb, cfun) {
 +		gimple_stmt_iterator gsi;
 +
 +		for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
@@ -145912,10 +146154,10 @@ index 0000000..37e2e91
 +#endif
 diff --git a/tools/gcc/size_overflow_plugin/intentional_overflow.c b/tools/gcc/size_overflow_plugin/intentional_overflow.c
 new file mode 100644
-index 0000000..a662b4b
+index 0000000..3bf5a4e
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/intentional_overflow.c
-@@ -0,0 +1,947 @@
+@@ -0,0 +1,1010 @@
 +/*
 + * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com>
 + * Licensed under the GPL v2, or (at your option) v3
@@ -146291,6 +146533,9 @@ index 0000000..a662b4b
 +	// handle MARK_TURN_OFF early on the caller
 +	if (is_turn_off_intentional_attr(orig_cur_fndecl))
 +		return MARK_TURN_OFF;
++	// handle MARK_END_INTENTIONAL on the caller
++	if (is_end_intentional_intentional_attr(orig_cur_fndecl))
++		return MARK_END_INTENTIONAL;
 +
 +	switch (gimple_code(stmt)) {
 +	case GIMPLE_RETURN:
@@ -146863,6 +147108,66 @@ index 0000000..a662b4b
 +	so_stmt = get_dup_stmt(visited, stmt);
 +	create_up_and_down_cast(visited, so_stmt, lhs_type, gimple_assign_rhs1(so_stmt));
 +}
++
++/* gcc intentional overflow
++ * e.g., skb_set_network_header(), skb_set_mac_header()
++ * -, int offset + u16 network_header
++ * offset = -x->props.header_len
++ * skb->network_header += offset;
++ *
++ * SSA
++ * _141 = -_140;
++ * _154 = (short unsigned int) _141;
++ * _155 = (size_overflow_type_SI) _154;
++ * _156 = _154 + _155;
++ * _157 = (short unsigned int) _156;
++ */
++static bool is_short_cast_neg(const_tree rhs)
++{
++	const_tree cast_rhs;
++	const_gimple neg_stmt;
++	gimple neg_cast_stmt, cast_stmt = get_def_stmt(rhs);
++
++	if (!cast_stmt || !gimple_assign_cast_p(cast_stmt))
++		return false;
++
++	cast_rhs = gimple_assign_rhs1(cast_stmt);
++	if (GET_MODE_BITSIZE(TYPE_MODE(TREE_TYPE(cast_rhs))) >= GET_MODE_BITSIZE(TYPE_MODE(TREE_TYPE(rhs))))
++		return false;
++
++	neg_cast_stmt = get_def_stmt(cast_rhs);
++	if (!neg_cast_stmt || !gimple_assign_cast_p(neg_cast_stmt))
++		return false;
++
++	neg_stmt = get_def_stmt(gimple_assign_rhs1(neg_cast_stmt));
++	if (!neg_stmt || !is_gimple_assign(neg_stmt))
++		return false;
++	return gimple_assign_rhs_code(neg_stmt) == NEGATE_EXPR;
++}
++
++bool neg_short_add_intentional_overflow(gassign *unary_stmt)
++{
++	const_tree rhs1, add_rhs1, add_rhs2, cast_rhs;
++	const_gimple add_stmt;
++	gimple cast_stmt;
++
++	rhs1 = gimple_assign_rhs1(unary_stmt);
++
++	cast_stmt = get_def_stmt(rhs1);
++	if (!cast_stmt || !gimple_assign_cast_p(cast_stmt))
++		return false;
++	cast_rhs = gimple_assign_rhs1(cast_stmt);
++	if (GET_MODE_BITSIZE(TYPE_MODE(TREE_TYPE(cast_rhs))) <= GET_MODE_BITSIZE(TYPE_MODE(TREE_TYPE(rhs1))))
++		return false;
++
++	add_stmt = get_def_stmt(cast_rhs);
++	if (!add_stmt || !is_gimple_assign(add_stmt) || gimple_assign_rhs_code(add_stmt) != PLUS_EXPR)
++		return false;
++
++	add_rhs1 = gimple_assign_rhs1(add_stmt);
++	add_rhs2 = gimple_assign_rhs2(add_stmt);
++	return is_short_cast_neg(add_rhs1) || is_short_cast_neg(add_rhs2);
++}
 diff --git a/tools/gcc/size_overflow_plugin/remove_unnecessary_dup.c b/tools/gcc/size_overflow_plugin/remove_unnecessary_dup.c
 new file mode 100644
 index 0000000..5622b51
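Review bot: `neg_short_add_intentional_overflow()` and `is_short_cast_neg()` match on relative widths only, so the exemption is wider than the `u16 network_header` case the header comment describes. Any narrowing cast of a PLUS_EXPR whose operand is a widening cast of a cast of a negation is treated as intentional, and the call site added in size_overflow_transform_core.c then skips the overflow check for it. Nothing tests that the narrow type is 16 bits wide, and the second cast in `is_short_cast_neg()` (`neg_cast_stmt`) has no width test at all. Either tighten the match or state the intended scope in the comment, e.g. `/* matches any type narrower than the addition, not only short */`. The SSA example line `_156 = _154 + _155;` also looks mistyped, since its two operands have different types.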
@@ -147008,10 +147313,10 @@ index 0000000..5622b51
 +
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow.h b/tools/gcc/size_overflow_plugin/size_overflow.h
 new file mode 100644
-index 0000000..2d733e1
+index 0000000..5fd6c28
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow.h
-@@ -0,0 +1,322 @@
+@@ -0,0 +1,323 @@
 +#ifndef SIZE_OVERFLOW_H
 +#define SIZE_OVERFLOW_H
 +
@@ -147215,6 +147520,7 @@ index 0000000..2d733e1
 +extern bool is_a_neg_overflow(const gassign *stmt, const_tree rhs);
 +extern enum intentional_overflow_type add_mul_intentional_overflow(const gassign *stmt);
 +extern void unsigned_signed_cast_intentional_overflow(struct visited *visited, gassign *stmt);
++extern bool neg_short_add_intentional_overflow(gassign *stmt);
 +
 +
 +// insert_size_overflow_asm.c
@@ -147336,7 +147642,7 @@ index 0000000..2d733e1
 +#endif
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_debug.c b/tools/gcc/size_overflow_plugin/size_overflow_debug.c
 new file mode 100644
-index 0000000..ab2d25a
+index 0000000..fc58e16
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_debug.c
 @@ -0,0 +1,194 @@
@@ -147387,7 +147693,7 @@ index 0000000..ab2d25a
 +	fprintf(file, "dump_function function_name: %s\n", cgraph_node_name(node));
 +
 +	fprintf(file, "\nstmts:\n");
-+	FOR_ALL_BB_FN(bb, DECL_STRUCT_FUNCTION(NODE_DECL(node))) {
++	FOR_EACH_BB_FN(bb, DECL_STRUCT_FUNCTION(NODE_DECL(node))) {
 +		gimple_stmt_iterator si;
 +
 +		fprintf(file, "<bb %u>:\n", bb->index);
@@ -147536,10 +147842,10 @@ index 0000000..ab2d25a
 +}
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
 new file mode 100644
-index 0000000..b683d96
+index 0000000..2d4a6ed
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
-@@ -0,0 +1,20738 @@
+@@ -0,0 +1,20735 @@
 +enable_so_recv_ctrl_pipe_us_data_0 recv_ctrl_pipe us_data 0 0 NULL
 +enable_so___earlyonly_bootmem_alloc_fndecl_3 __earlyonly_bootmem_alloc fndecl 2-3-4 3 NULL
 +enable_so_size_ttm_mem_reg_8 size ttm_mem_reg 0 8 NULL
@@ -153319,7 +153625,6 @@ index 0000000..b683d96
 +enable_so_tomoyo_update_domain_fndecl_18537 tomoyo_update_domain fndecl 2 18537 NULL
 +enable_so_progress_kcopyd_job_18540 progress kcopyd_job 0 18540 NULL
 +enable_so_sect_floppy_struct_18543 sect floppy_struct 0 18543 NULL
-+enable_so_i_size_high_ext4_inode_18545 i_size_high ext4_inode 0 18545 NULL
 +enable_so_ubi_leb_write_fndecl_18549 ubi_leb_write fndecl 5-4 18549 NULL
 +enable_so_xfs_efi_init_fndecl_18551 xfs_efi_init fndecl 2 18551 NULL
 +enable_so_inodes_squashfs_sb_info_18553 inodes squashfs_sb_info 0 18553 NULL nohasharray
@@ -158580,7 +158885,6 @@ index 0000000..b683d96
 +enable_so_consume_size_vmci_qp_alloc_info_34922 consume_size vmci_qp_alloc_info 0 34922 NULL
 +enable_so_rcc__DMABUFFERENTRY_34925 rcc _DMABUFFERENTRY 0 34925 NULL
 +enable_so_shared_secret_len_net_conf_34926 shared_secret_len net_conf 0 34926 NULL
-+enable_so_nr_kvm_queued_interrupt_34927 nr kvm_queued_interrupt 0 34927 NULL
 +enable_so_port_fops_write_fndecl_34928 port_fops_write fndecl 3 34928 NULL
 +enable_so_len_wil6210_mbox_hdr_34930 len wil6210_mbox_hdr 0 34930 NULL
 +enable_so_swiotlb_init_with_tbl_fndecl_34935 swiotlb_init_with_tbl fndecl 2 34935 NULL
@@ -160293,7 +160597,6 @@ index 0000000..b683d96
 +enable_so_port_fops_read_fndecl_40137 port_fops_read fndecl 3 40137 &enable_so_num_jumbo_rxd_netxen_adapter_40137
 +enable_so_off_fuse_notify_inval_inode_out_40142 off fuse_notify_inval_inode_out 0 40142 NULL
 +enable_so_isr_wakeups_read_fndecl_40148 isr_wakeups_read fndecl 3 40148 NULL
-+enable_so_i_size_lo_ext4_inode_40153 i_size_lo ext4_inode 0 40153 NULL
 +enable_so_ftdi_elan_edset_single_fndecl_40157 ftdi_elan_edset_single fndecl 0 40157 NULL
 +enable_so_xfs_ialloc_get_rec_fndecl_40163 xfs_ialloc_get_rec fndecl 2 40163 NULL
 +enable_so_at24_bin_read_fndecl_40165 at24_bin_read fndecl 6 40165 NULL nohasharray
@@ -168378,7 +168681,7 @@ index 0000000..17bc0d8
 +enable_so_zpios_read_fndecl_64734 zpios_read fndecl 3 64734 NULL
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_ipa.c b/tools/gcc/size_overflow_plugin/size_overflow_ipa.c
 new file mode 100644
-index 0000000..c8ebf92
+index 0000000..d972178
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_ipa.c
 @@ -0,0 +1,1226 @@
@@ -169092,7 +169395,7 @@ index 0000000..c8ebf92
 +
 +	set_current_function_decl(cur_fndecl);
 +
-+	FOR_ALL_BB_FN(bb, cfun) {
++	FOR_EACH_BB_FN(bb, cfun) {
 +		gimple_stmt_iterator gsi;
 +
 +		for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
@@ -170121,7 +170424,7 @@ index 0000000..6075e8f
 +
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin/size_overflow_plugin.c
 new file mode 100644
-index 0000000..a82cc026
+index 0000000..29a5c26
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_plugin.c
 @@ -0,0 +1,318 @@
@@ -170156,7 +170459,7 @@ index 0000000..a82cc026
 +tree size_overflow_type_TI;
 +
 +static struct plugin_info size_overflow_plugin_info = {
-+	.version	= "20151029",
++	.version	= "20151128",
 +	.help		= "no-size-overflow\tturn off size overflow checking\n",
 +};
 +
@@ -170803,10 +171106,10 @@ index 0000000..317cd6c
 +
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_transform.c b/tools/gcc/size_overflow_plugin/size_overflow_transform.c
 new file mode 100644
-index 0000000..a974b2d
+index 0000000..8f42c7e
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_transform.c
-@@ -0,0 +1,746 @@
+@@ -0,0 +1,749 @@
 +/*
 + * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com>
 + * Licensed under the GPL v2, or (at your option) v3
@@ -171291,6 +171594,9 @@ index 0000000..a974b2d
 +		return decl;
 +
 +	fnptr = gimple_call_fn(call_stmt);
++	if (fnptr == NULL_TREE)
++		return NULL_TREE;
++
 +	// !!! assertot kell irni 0-ra, mert csak az lehet ott
 +	if (is_gimple_constant(fnptr))
 +		return NULL_TREE;
@@ -171408,7 +171714,7 @@ index 0000000..a974b2d
 +
 +	next_node_ret = get_interesting_function_next_node(current_function_decl, 0);
 +
-+	FOR_ALL_BB_FN(bb, cfun) {
++	FOR_EACH_BB_FN(bb, cfun) {
 +		gimple_stmt_iterator gsi;
 +
 +		for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
@@ -171517,7 +171823,7 @@ index 0000000..a974b2d
 +{
 +	basic_block bb;
 +
-+	FOR_ALL_BB_FN(bb, cfun) {
++	FOR_EACH_BB_FN(bb, cfun) {
 +		gimple_stmt_iterator si;
 +
 +		for (si = gsi_start_bb(bb); !gsi_end_p(si); gsi_next(&si))
@@ -171555,10 +171861,10 @@ index 0000000..a974b2d
 +}
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_transform_core.c b/tools/gcc/size_overflow_plugin/size_overflow_transform_core.c
 new file mode 100644
-index 0000000..460c047
+index 0000000..8a30b3b
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_transform_core.c
-@@ -0,0 +1,1008 @@
+@@ -0,0 +1,1010 @@
 +/*
 + * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com>
 + * Licensed under the GPL v2, or (at your option) v3
@@ -172113,6 +172419,8 @@ index 0000000..460c047
 +
 +	if (is_const_plus_unsigned_signed_truncation(rhs))
 +		return;
++	if (is_gimple_assign(stmt) && neg_short_add_intentional_overflow(as_a_gassign(stmt)))
++		return;
 +
 +	type_max = cast_a_tree(size_overflow_type, TYPE_MAX_VALUE(rhs_type));
 +	// typemax (-1) < typemin (0)
@@ -173011,7 +173319,7 @@ index 0000000..155e2c5
 +}
 diff --git a/tools/gcc/structleak_plugin.c b/tools/gcc/structleak_plugin.c
 new file mode 100644
-index 0000000..e9dbd4b
+index 0000000..debe0cc
 --- /dev/null
 +++ b/tools/gcc/structleak_plugin.c
 @@ -0,0 +1,287 @@
@@ -173043,7 +173351,7 @@ index 0000000..e9dbd4b
 +
 +#include "gcc-common.h"
 +
-+// unused C type flag in all versions 4.5-5.0
++// unused C type flag in all versions 4.5-6
 +#define TYPE_USERSPACE(TYPE) TYPE_LANG_FLAG_5(TYPE)
 +
 +int plugin_is_GPL_compatible;
@@ -173360,7 +173668,7 @@ index 0a578fe..b81f62d 100644
  })
  
 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 5a2a78a..4f322d3 100644
+index 5a2a78a..890e7fb 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
 @@ -81,12 +81,17 @@ LIST_HEAD(vm_list);
@@ -173461,15 +173769,6 @@ index 5a2a78a..4f322d3 100644
  			hardware_disable_all_nolock();
  			r = -EBUSY;
  		}
-@@ -3436,7 +3449,7 @@ static void kvm_sched_out(struct preempt_notifier *pn,
- 	kvm_arch_vcpu_put(vcpu);
- }
- 
--int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
-+int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
- 		  struct module *module)
- {
- 	int r;
 @@ -3483,7 +3496,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
  	if (!vcpu_align)
  		vcpu_align = __alignof__(struct kvm_vcpu);



* [gentoo-commits] proj/hardened-patchset:master commit in: 4.2.6/
@ 2015-12-06  9:08 Anthony G. Basile
From: Anthony G. Basile @ 2015-12-06  9:08 UTC (permalink / raw
  To: gentoo-commits

commit:     00011c59dc27a3b5c8a147cd36b11aa969f76b42
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Dec  6 09:14:58 2015 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Dec  6 09:14:58 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=00011c59

grsecurity-3.1-4.2.6-201512051918

 4.2.6/0000_README                                  |   2 +-
 ...> 4420_grsecurity-3.1-4.2.6-201512051918.patch} | 750 +++++++++++++++++++--
 2 files changed, 689 insertions(+), 63 deletions(-)

diff --git a/4.2.6/0000_README b/4.2.6/0000_README
index ef0e3e5..ec4db38 100644
--- a/4.2.6/0000_README
+++ b/4.2.6/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-3.1-4.2.6-201511282239.patch
+Patch:	4420_grsecurity-3.1-4.2.6-201512051918.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/4.2.6/4420_grsecurity-3.1-4.2.6-201511282239.patch b/4.2.6/4420_grsecurity-3.1-4.2.6-201512051918.patch
similarity index 99%
rename from 4.2.6/4420_grsecurity-3.1-4.2.6-201511282239.patch
rename to 4.2.6/4420_grsecurity-3.1-4.2.6-201512051918.patch
index 3903e3d..9b88420 100644
--- a/4.2.6/4420_grsecurity-3.1-4.2.6-201511282239.patch
+++ b/4.2.6/4420_grsecurity-3.1-4.2.6-201512051918.patch
@@ -406,7 +406,7 @@ index 6fccb69..60c7c7a 100644
  
  A toggle value indicating if modules are allowed to be loaded
 diff --git a/Makefile b/Makefile
-index 9ef3739..20b7716 100644
+index 9ef3739..df5234b 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -431,7 +431,7 @@ index 9ef3739..20b7716 100644
  	$(Q)$(MAKE) $(build)=scripts/basic
  	$(Q)rm -f .tmp_quiet_recordmcount
  
-@@ -615,6 +617,74 @@ endif
+@@ -615,6 +617,79 @@ endif
  # Tell gcc to never replace conditional load with a non-conditional one
  KBUILD_CFLAGS	+= $(call cc-option,--param=allow-store-data-races=0)
  
@@ -496,6 +496,11 @@ index 9ef3739..20b7716 100644
 +gcc-plugins:
 +ifeq ($(call cc-ifversion, -ge, 0405, y), y)
 +	$(error Your gcc installation does not support plugins.  If the necessary headers for plugin support are missing, they should be installed.  On Debian, apt-get install gcc-<ver>-plugin-dev.  If you choose to ignore this error and lessen the improvements provided by this patch, re-run make with the DISABLE_PAX_PLUGINS=y argument.))
++ifeq ($(call cc-ifversion, -ge, 0408, y), y)
++	$(CONFIG_SHELL) -x $(srctree)/scripts/gcc-plugin.sh "$(HOSTCXX)" "$(HOSTCXX)" "$(CC)"
++else
++	$(CONFIG_SHELL) -x $(srctree)/scripts/gcc-plugin.sh "$(HOSTCC)" "$(HOSTCXX)" "$(CC)"
++endif
 +else
 +	$(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least"
 +endif
@@ -506,7 +511,7 @@ index 9ef3739..20b7716 100644
  ifdef CONFIG_READABLE_ASM
  # Disable optimizations that make assembler listings hard to read.
  # reorder blocks reorders the control in the function
-@@ -714,7 +784,7 @@ KBUILD_CFLAGS   += $(call cc-option, -gsplit-dwarf, -g)
+@@ -714,7 +789,7 @@ KBUILD_CFLAGS   += $(call cc-option, -gsplit-dwarf, -g)
  else
  KBUILD_CFLAGS	+= -g
  endif
@@ -515,7 +520,7 @@ index 9ef3739..20b7716 100644
  endif
  ifdef CONFIG_DEBUG_INFO_DWARF4
  KBUILD_CFLAGS	+= $(call cc-option, -gdwarf-4,)
-@@ -886,7 +956,7 @@ export mod_sign_cmd
+@@ -886,7 +961,7 @@ export mod_sign_cmd
  
  
  ifeq ($(KBUILD_EXTMOD),)
@@ -524,7 +529,7 @@ index 9ef3739..20b7716 100644
  
  vmlinux-dirs	:= $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
  		     $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
-@@ -936,6 +1006,8 @@ endif
+@@ -936,6 +1011,8 @@ endif
  
  # The actual objects are generated when descending,
  # make sure no implicit rule kicks in
@@ -533,7 +538,7 @@ index 9ef3739..20b7716 100644
  $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
  
  # Handle descending into subdirectories listed in $(vmlinux-dirs)
-@@ -945,7 +1017,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
+@@ -945,7 +1022,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
  # Error messages still appears in the original language
  
  PHONY += $(vmlinux-dirs)
@@ -542,7 +547,7 @@ index 9ef3739..20b7716 100644
  	$(Q)$(MAKE) $(build)=$@
  
  define filechk_kernel.release
-@@ -988,10 +1060,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \
+@@ -988,10 +1065,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \
  
  archprepare: archheaders archscripts prepare1 scripts_basic
  
@@ -556,7 +561,7 @@ index 9ef3739..20b7716 100644
  prepare: prepare0
  
  # Generate some files
-@@ -1099,6 +1174,8 @@ all: modules
+@@ -1099,6 +1179,8 @@ all: modules
  # using awk while concatenating to the final file.
  
  PHONY += modules
@@ -565,7 +570,7 @@ index 9ef3739..20b7716 100644
  modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin
  	$(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
  	@$(kecho) '  Building modules, stage 2.';
-@@ -1114,7 +1191,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
+@@ -1114,7 +1196,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
  
  # Target to prepare building external modules
  PHONY += modules_prepare
@@ -574,7 +579,7 @@ index 9ef3739..20b7716 100644
  
  # Target to install modules
  PHONY += modules_install
-@@ -1180,7 +1257,10 @@ MRPROPER_FILES += .config .config.old .version .old_version \
+@@ -1180,7 +1262,10 @@ MRPROPER_FILES += .config .config.old .version .old_version \
  		  Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
  		  signing_key.priv signing_key.x509 x509.genkey		\
  		  extra_certificates signing_key.x509.keyid		\
@@ -586,7 +591,7 @@ index 9ef3739..20b7716 100644
  
  # clean - Delete most, but leave enough to build external modules
  #
-@@ -1219,7 +1299,7 @@ distclean: mrproper
+@@ -1219,7 +1304,7 @@ distclean: mrproper
  	@find $(srctree) $(RCS_FIND_IGNORE) \
  		\( -name '*.orig' -o -name '*.rej' -o -name '*~' \
  		-o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
@@ -595,7 +600,7 @@ index 9ef3739..20b7716 100644
  		-type f -print | xargs rm -f
  
  
-@@ -1385,6 +1465,8 @@ PHONY += $(module-dirs) modules
+@@ -1385,6 +1470,8 @@ PHONY += $(module-dirs) modules
  $(module-dirs): crmodverdir $(objtree)/Module.symvers
  	$(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
  
@@ -604,7 +609,7 @@ index 9ef3739..20b7716 100644
  modules: $(module-dirs)
  	@$(kecho) '  Building modules, stage 2.';
  	$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
-@@ -1525,17 +1607,21 @@ else
+@@ -1525,17 +1612,21 @@ else
          target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
  endif
  
@@ -630,7 +635,7 @@ index 9ef3739..20b7716 100644
  	$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
  %.symtypes: %.c prepare scripts FORCE
  	$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
-@@ -1547,11 +1633,15 @@ endif
+@@ -1547,11 +1638,15 @@ endif
  	$(build)=$(build-dir)
  # Make sure the latest headers are built for Documentation
  Documentation/: headers_install
@@ -22034,7 +22039,7 @@ index cd79194..6a9956f 100644
  }
  
 diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
-index a8df874..43b72d3 100644
+index a8df874..3dcbd7c 100644
 --- a/arch/x86/include/asm/uaccess.h
 +++ b/arch/x86/include/asm/uaccess.h
 @@ -7,6 +7,7 @@
@@ -22215,9 +22220,12 @@ index a8df874..43b72d3 100644
  		     "2:\n"						\
  		     _ASM_EXTABLE_EX(1b, 2b)				\
  		     : ltype(x) : "m" (__m(addr)))
-@@ -409,13 +461,24 @@ do {									\
+@@ -407,15 +459,26 @@ do {									\
+ #define __get_user_nocheck(x, ptr, size)				\
+ ({									\
  	int __gu_err;							\
- 	unsigned long __gu_val;						\
+-	unsigned long __gu_val;						\
++	__inttype(*(ptr)) __gu_val;					\
  	__get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT);	\
 -	(x) = (__force __typeof__(*(ptr)))__gu_val;			\
 +	(x) = (__typeof__(*(ptr)))__gu_val;				\
@@ -41354,6 +41362,47 @@ index 8d2a772..33826c9 100644
  
  	err = pci_request_regions(pdev, name);
  	if (err)
+diff --git a/drivers/crypto/nx/nx-aes-ccm.c b/drivers/crypto/nx/nx-aes-ccm.c
+index e4311ce..a1d0848 100644
+--- a/drivers/crypto/nx/nx-aes-ccm.c
++++ b/drivers/crypto/nx/nx-aes-ccm.c
+@@ -412,7 +412,7 @@ static int ccm_nx_decrypt(struct aead_request   *req,
+ 		processed += to_process;
+ 	} while (processed < nbytes);
+ 
+-	rc = memcmp(csbcpb->cpb.aes_ccm.out_pat_or_mac, priv->oauth_tag,
++	rc = crypto_memneq(csbcpb->cpb.aes_ccm.out_pat_or_mac, priv->oauth_tag,
+ 		    authsize) ? -EBADMSG : 0;
+ out:
+ 	spin_unlock_irqrestore(&nx_ctx->lock, irq_flags);
+diff --git a/drivers/crypto/nx/nx-aes-gcm.c b/drivers/crypto/nx/nx-aes-gcm.c
+index 92c993f..1c478bc 100644
+--- a/drivers/crypto/nx/nx-aes-gcm.c
++++ b/drivers/crypto/nx/nx-aes-gcm.c
+@@ -414,7 +414,7 @@ mac:
+ 			itag, req->src, req->assoclen + nbytes,
+ 			crypto_aead_authsize(crypto_aead_reqtfm(req)),
+ 			SCATTERWALK_FROM_SG);
+-		rc = memcmp(itag, otag,
++		rc = crypto_memneq(itag, otag,
+ 			    crypto_aead_authsize(crypto_aead_reqtfm(req))) ?
+ 		     -EBADMSG : 0;
+ 	}
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
+index 83aca95..4e6d4ea 100644
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -1025,8 +1025,8 @@ static void ipsec_esp_decrypt_swauth_done(struct device *dev,
+ 			icvdata = &edesc->link_tbl[0];
+ 
+ 		sg = sg_last(req->dst, edesc->dst_nents ? : 1);
+-		err = memcmp(icvdata, (char *)sg_virt(sg) + sg->length -
+-			     ctx->authsize, ctx->authsize) ? -EBADMSG : 0;
++		err = crypto_memneq(icvdata, (char *)sg_virt(sg) + sg->length -
++				    ctx->authsize, ctx->authsize) ? -EBADMSG : 0;
+ 	}
+ 
+ 	kfree(edesc);
 diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
 index ca1b362..01cae6a 100644
 --- a/drivers/devfreq/devfreq.c
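Review bot: The three tag comparisons switched to `crypto_memneq()` (ccm_nx_decrypt, the `mac:` path in nx-aes-gcm.c, ipsec_esp_decrypt_swauth_done) have no comment recording that the comparison must be constant-time. A later refactor could put `memcmp()` back and reintroduce the timing side channel unnoticed. A one-line comment at each site would do, e.g. `/* constant-time: must not reveal where the tag first differs */`. None of the hunks touches the include list, so confirm that each file already reaches the `crypto_memneq()` declaration. All three enclosing functions start and end outside the hunks.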
@@ -47789,7 +47838,7 @@ index 3e32f4e..01e0a7f 100644
  
  void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
 diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 95e7b72..11002b9 100644
+index 95e7b72..3d67ca6 100644
 --- a/drivers/md/md.c
 +++ b/drivers/md/md.c
 @@ -197,10 +197,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev);
@@ -47861,7 +47910,20 @@ index 95e7b72..11002b9 100644
  
  	INIT_LIST_HEAD(&rdev->same_set);
  	init_waitqueue_head(&rdev->blocked_wait);
-@@ -7256,7 +7256,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
+@@ -5723,9 +5723,10 @@ static int get_array_info(struct mddev *mddev, void __user *arg)
+ 	info.patch_version = MD_PATCHLEVEL_VERSION;
+ 	info.ctime         = mddev->ctime;
+ 	info.level         = mddev->level;
+-	info.size          = mddev->dev_sectors / 2;
+-	if (info.size != mddev->dev_sectors / 2) /* overflow */
++	if (2 * (sector_t)INT_MAX < mddev->dev_sectors) /* overflow */
+ 		info.size = -1;
++	else
++		info.size = mddev->dev_sectors / 2;
+ 	info.nr_disks      = nr;
+ 	info.raid_disks    = mddev->raid_disks;
+ 	info.md_minor      = mddev->md_minor;
+@@ -7256,7 +7257,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
  
  		spin_unlock(&pers_lock);
  		seq_printf(seq, "\n");
@@ -47870,7 +47932,7 @@ index 95e7b72..11002b9 100644
  		return 0;
  	}
  	if (v == (void*)2) {
-@@ -7359,7 +7359,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
+@@ -7359,7 +7360,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
  		return error;
  
  	seq = file->private_data;
@@ -47879,7 +47941,7 @@ index 95e7b72..11002b9 100644
  	return error;
  }
  
-@@ -7376,7 +7376,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
+@@ -7376,7 +7377,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
  	/* always allow read */
  	mask = POLLIN | POLLRDNORM;
  
@@ -47888,7 +47950,7 @@ index 95e7b72..11002b9 100644
  		mask |= POLLERR | POLLPRI;
  	return mask;
  }
-@@ -7472,7 +7472,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
+@@ -7472,7 +7473,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
  		struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
  		curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
  			      (int)part_stat_read(&disk->part0, sectors[1]) -
@@ -47961,9 +48023,18 @@ index 3e6d115..ffecdeb 100644
  /*----------------------------------------------------------------*/
  
 diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
-index d10d300..6169233 100644
+index d10d300..dbdcf89 100644
 --- a/drivers/md/raid1.c
 +++ b/drivers/md/raid1.c
+@@ -1095,7 +1095,7 @@ static void make_request(struct mddev *mddev, struct bio * bio)
+ 	struct blk_plug_cb *cb;
+ 	struct raid1_plug_cb *plug = NULL;
+ 	int first_clone;
+-	int sectors_handled;
++	sector_t sectors_handled;
+ 	int max_sectors;
+ 	sector_t start_next_window;
+ 
 @@ -1937,7 +1937,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
  			if (r1_sync_page_io(rdev, sect, s,
  					    bio->bi_io_vec[idx].bv_page,
@@ -51790,6 +51861,45 @@ index 487be20..f4c87bc 100644
  			break;
  		err = 0;
  		break;
+diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
+index 2ed7506..cf82b13 100644
+--- a/drivers/net/ppp/pppoe.c
++++ b/drivers/net/ppp/pppoe.c
+@@ -568,6 +568,9 @@ static int pppoe_create(struct net *net, struct socket *sock, int kern)
+ 	sk->sk_family		= PF_PPPOX;
+ 	sk->sk_protocol		= PX_PROTO_OE;
+ 
++	INIT_WORK(&pppox_sk(sk)->proto.pppoe.padt_work,
++		  pppoe_unbind_sock_work);
++
+ 	return 0;
+ }
+ 
+@@ -632,8 +635,6 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr,
+ 
+ 	lock_sock(sk);
+ 
+-	INIT_WORK(&po->proto.pppoe.padt_work, pppoe_unbind_sock_work);
+-
+ 	error = -EINVAL;
+ 	if (sp->sa_protocol != PX_PROTO_OE)
+ 		goto end;
+@@ -663,8 +664,13 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr,
+ 			po->pppoe_dev = NULL;
+ 		}
+ 
+-		memset(sk_pppox(po) + 1, 0,
+-		       sizeof(struct pppox_sock) - sizeof(struct sock));
++		po->pppoe_ifindex = 0;
++		memset(&po->pppoe_pa, 0, sizeof(po->pppoe_pa));
++		memset(&po->pppoe_relay, 0, sizeof(po->pppoe_relay));
++		memset(&po->chan, 0, sizeof(po->chan));
++		po->next = NULL;
++		po->num = 0;
++
+ 		sk->sk_state = PPPOX_NONE;
+ 	}
+ 
 diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
 index 079f7ad..7e59810 100644
 --- a/drivers/net/slip/slhc.c
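Review bot: The field-by-field reset that replaces the `memset()` in pppoe_connect() will silently miss any member added to `struct pppox_sock` later, leaving stale state across a reconnect. Presumably the list exists so that `proto.pppoe.padt_work`, now initialised once in pppoe_create(), is not wiped while it may still be queued. The code should say so: `/* do not memset the whole pppox_sock: padt_work must survive a reconnect */`. The struct definition is outside the hunk, so whether the six resets cover every other member cannot be confirmed here.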
@@ -52144,6 +52254,28 @@ index 5920c99..ff2e4a5 100644
  };
  
  static void
+diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c
+index 5c47b01..cd39025 100644
+--- a/drivers/net/wan/x25_asy.c
++++ b/drivers/net/wan/x25_asy.c
+@@ -549,16 +549,12 @@ static void x25_asy_receive_buf(struct tty_struct *tty,
+ 
+ static int x25_asy_open_tty(struct tty_struct *tty)
+ {
+-	struct x25_asy *sl = tty->disc_data;
++	struct x25_asy *sl;
+ 	int err;
+ 
+ 	if (tty->ops->write == NULL)
+ 		return -EOPNOTSUPP;
+ 
+-	/* First make sure we're not already connected. */
+-	if (sl && sl->magic == X25_ASY_MAGIC)
+-		return -EEXIST;
+-
+ 	/* OK.  Find a free X.25 channel to use. */
+ 	sl = x25_asy_alloc();
+ 	if (sl == NULL)
 diff --git a/drivers/net/wan/z85230.c b/drivers/net/wan/z85230.c
 index 2f0bd69..e46ed7b 100644
 --- a/drivers/net/wan/z85230.c
@@ -56230,8 +56362,68 @@ index 8f1cd19..ba7a8f1 100644
  	INIT_LIST_HEAD(&dev->t10_wwn.t10_vpd_list);
  	spin_lock_init(&dev->t10_wwn.t10_vpd_lock);
  	INIT_LIST_HEAD(&dev->t10_pr.registration_list);
+diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
+index e318ddb..9444c7b 100644
+--- a/drivers/target/target_core_sbc.c
++++ b/drivers/target/target_core_sbc.c
+@@ -339,7 +339,8 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o
+ 	return 0;
+ }
+ 
+-static sense_reason_t xdreadwrite_callback(struct se_cmd *cmd, bool success)
++static sense_reason_t xdreadwrite_callback(struct se_cmd *cmd, bool success,
++					   int *post_ret)
+ {
+ 	unsigned char *buf, *addr;
+ 	struct scatterlist *sg;
+@@ -405,7 +406,8 @@ sbc_execute_rw(struct se_cmd *cmd)
+ 			       cmd->data_direction);
+ }
+ 
+-static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success)
++static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success,
++					     int *post_ret)
+ {
+ 	struct se_device *dev = cmd->se_dev;
+ 
+@@ -415,8 +417,10 @@ static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success)
+ 	 * sent to the backend driver.
+ 	 */
+ 	spin_lock_irq(&cmd->t_state_lock);
+-	if ((cmd->transport_state & CMD_T_SENT) && !cmd->scsi_status)
++	if ((cmd->transport_state & CMD_T_SENT) && !cmd->scsi_status) {
+ 		cmd->se_cmd_flags |= SCF_COMPARE_AND_WRITE_POST;
++		*post_ret = 1;
++	}
+ 	spin_unlock_irq(&cmd->t_state_lock);
+ 
+ 	/*
+@@ -428,7 +432,8 @@ static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success)
+ 	return TCM_NO_SENSE;
+ }
+ 
+-static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool success)
++static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool success,
++						 int *post_ret)
+ {
+ 	struct se_device *dev = cmd->se_dev;
+ 	struct scatterlist *write_sg = NULL, *sg;
+@@ -524,11 +529,11 @@ static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool succes
+ 
+ 		if (block_size < PAGE_SIZE) {
+ 			sg_set_page(&write_sg[i], m.page, block_size,
+-				    block_size);
++				    m.piter.sg->offset + block_size);
+ 		} else {
+ 			sg_miter_next(&m);
+ 			sg_set_page(&write_sg[i], m.page, block_size,
+-				    0);
++				    m.piter.sg->offset);
+ 		}
+ 		len -= block_size;
+ 		i++;
 diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
-index ce8574b..98d6199 100644
+index ce8574b..0634ccb 100644
 --- a/drivers/target/target_core_transport.c
 +++ b/drivers/target/target_core_transport.c
 @@ -1181,7 +1181,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd)
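Review bot: The new `post_ret` out-parameter is dereferenced unconditionally in `compare_and_write_post` (`*post_ret = 1;`) and is left unnamed in the `transport_complete_callback` prototype in target_core_base.h, so its contract is undocumented. The two callers visible in target_core_transport.c pass the address of a local, but the callback type lives in a shared header, so a comment on the member would help: `/* third arg: set to 1 when SCF_COMPARE_AND_WRITE_POST was raised; must not be NULL */`. `xdreadwrite_callback` and `compare_and_write_callback` accept the parameter without using it in the lines shown; their bodies continue outside the hunk.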
@@ -56243,6 +56435,42 @@ index ce8574b..98d6199 100644
  	pr_debug("Allocated se_ordered_id: %u for Task Attr: 0x%02x on %s\n",
  			cmd->se_ordered_id, cmd->sam_task_attr,
  			dev->transport->name);
+@@ -1610,7 +1610,7 @@ bool target_stop_cmd(struct se_cmd *cmd, unsigned long *flags)
+ void transport_generic_request_failure(struct se_cmd *cmd,
+ 		sense_reason_t sense_reason)
+ {
+-	int ret = 0;
++	int ret = 0, post_ret = 0;
+ 
+ 	pr_debug("-----[ Storage Engine Exception for cmd: %p ITT: 0x%08llx"
+ 		" CDB: 0x%02x\n", cmd, cmd->tag, cmd->t_task_cdb[0]);
+@@ -1632,7 +1632,7 @@ void transport_generic_request_failure(struct se_cmd *cmd,
+ 	 */
+ 	if ((cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) &&
+ 	     cmd->transport_complete_callback)
+-		cmd->transport_complete_callback(cmd, false);
++		cmd->transport_complete_callback(cmd, false, &post_ret);
+ 
+ 	switch (sense_reason) {
+ 	case TCM_NON_EXISTENT_LUN:
+@@ -2027,11 +2027,13 @@ static void target_complete_ok_work(struct work_struct *work)
+ 	 */
+ 	if (cmd->transport_complete_callback) {
+ 		sense_reason_t rc;
++		bool caw = (cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE);
++		bool zero_dl = !(cmd->data_length);
++		int post_ret = 0;
+ 
+-		rc = cmd->transport_complete_callback(cmd, true);
+-		if (!rc && !(cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE_POST)) {
+-			if ((cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) &&
+-			    !cmd->data_length)
++		rc = cmd->transport_complete_callback(cmd, true, &post_ret);
++		if (!rc && !post_ret) {
++			if (caw && zero_dl)
+ 				goto queue_rsp;
+ 
+ 			return;
 diff --git a/drivers/thermal/cpu_cooling.c b/drivers/thermal/cpu_cooling.c
 index 42c6f71..1c64309 100644
 --- a/drivers/thermal/cpu_cooling.c
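Review bot: In `target_complete_ok_work` the flags are now sampled into `caw` and `zero_dl` before the callback runs, and the old test of `SCF_COMPARE_AND_WRITE_POST` on `cmd` is replaced by the local `post_ret`, but no comment says why `cmd` is not re-read afterwards. If the intent is that `cmd` may no longer be safe to touch once the callback has returned (inferred from the shape of the change), that belongs in a comment at the declarations, e.g. `/* sampled before the callback; do not dereference cmd on the early-return path */`. In `transport_generic_request_failure` the new `post_ret` is written by the callback and never read, which deserves a `/* result unused on the failure path */` remark. Both functions extend beyond the hunk.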
@@ -83985,7 +84213,7 @@ index 510413eb..34d9a8c 100644
  	seq_printf(p, "softirq %llu", (unsigned long long)sum_softirq);
  
 diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
-index ca1e091..a048795 100644
+index ca1e091..12dd9f1 100644
 --- a/fs/proc/task_mmu.c
 +++ b/fs/proc/task_mmu.c
 @@ -13,12 +13,19 @@
@@ -84110,7 +84338,17 @@ index ca1e091..a048795 100644
  	show_map_vma(m, v, is_pid);
  	m_cache_vma(m, v);
  	return 0;
-@@ -620,9 +655,18 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
+@@ -585,6 +620,9 @@ static void show_smap_vma_flags(struct seq_file *m, struct vm_area_struct *vma)
+ 		[ilog2(VM_RAND_READ)]	= "rr",
+ 		[ilog2(VM_DONTCOPY)]	= "dc",
+ 		[ilog2(VM_DONTEXPAND)]	= "de",
++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
++		[ilog2(VM_PAGEEXEC)]	= "px",
++#endif
+ 		[ilog2(VM_ACCOUNT)]	= "ac",
+ 		[ilog2(VM_NORESERVE)]	= "nr",
+ 		[ilog2(VM_HUGETLB)]	= "ht",
+@@ -620,9 +658,18 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
  		.private = &mss,
  	};
  
@@ -84131,7 +84369,7 @@ index ca1e091..a048795 100644
  
  	show_map_vma(m, vma, is_pid);
  
-@@ -641,7 +685,11 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
+@@ -641,7 +688,11 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
  		   "KernelPageSize: %8lu kB\n"
  		   "MMUPageSize:    %8lu kB\n"
  		   "Locked:         %8lu kB\n",
@@ -84143,7 +84381,7 @@ index ca1e091..a048795 100644
  		   mss.resident >> 10,
  		   (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
  		   mss.shared_clean  >> 10,
-@@ -1491,6 +1539,13 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
+@@ -1491,6 +1542,13 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
  	char buffer[64];
  	int nid;
  
@@ -84157,7 +84395,7 @@ index ca1e091..a048795 100644
  	if (!mm)
  		return 0;
  
-@@ -1505,11 +1560,15 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
+@@ -1505,11 +1563,15 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
  		mpol_to_str(buffer, sizeof(buffer), proc_priv->task_mempolicy);
  	}
  
@@ -104300,6 +104538,20 @@ index 343d922..7959cde 100644
  
  int __rtnl_link_register(struct rtnl_link_ops *ops);
  void __rtnl_link_unregister(struct rtnl_link_ops *ops);
+diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
+index 2738f6f..49dda38 100644
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -61,6 +61,9 @@ struct Qdisc {
+ 				      */
+ #define TCQ_F_WARN_NONWC	(1 << 16)
+ #define TCQ_F_CPUSTATS		0x20 /* run using percpu statistics */
++#define TCQ_F_NOPARENT		0x40 /* root of its hierarchy :
++				      * qdisc_tree_decrease_qlen() should stop.
++				      */
+ 	u32			limit;
+ 	const struct Qdisc_ops	*ops;
+ 	struct qdisc_size_table	__rcu *stab;
 diff --git a/include/net/sctp/checksum.h b/include/net/sctp/checksum.h
 index 4a5b9a3..ca27d73 100644
 --- a/include/net/sctp/checksum.h
@@ -104643,9 +104895,18 @@ index 334d0d2..a4327ba 100644
  struct snd_soc_dai_link_component {
  	const char *name;
 diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
-index 17ae2d6..2c06382 100644
+index 17ae2d6..24974e9 100644
 --- a/include/target/target_core_base.h
 +++ b/include/target/target_core_base.h
+@@ -480,7 +480,7 @@ struct se_cmd {
+ 	struct kref		cmd_kref;
+ 	const struct target_core_fabric_ops *se_tfo;
+ 	sense_reason_t		(*execute_cmd)(struct se_cmd *);
+-	sense_reason_t (*transport_complete_callback)(struct se_cmd *, bool);
++	sense_reason_t (*transport_complete_callback)(struct se_cmd *, bool, int *);
+ 	void			*protocol_data;
+ 
+ 	unsigned char		*t_task_cdb;
 @@ -751,7 +751,7 @@ struct se_device {
  	atomic_long_t		write_bytes;
  	/* Active commands on this virtual SE device */
@@ -121145,7 +121406,7 @@ index 0330ab2..4745d2c 100644
  		goto err_reg;
  
 diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index 728f5b3..dc51cbe 100644
+index 728f5b3..ab3c61c 100644
 --- a/net/ipv4/tcp_input.c
 +++ b/net/ipv4/tcp_input.c
 @@ -767,7 +767,7 @@ static void tcp_update_pacing_rate(struct sock *sk)
@@ -121174,7 +121435,15 @@ index 728f5b3..dc51cbe 100644
  	if (th->syn) {
  		/* We see SYN without ACK. It is attempt of
  		 * simultaneous connect with crossed SYNs.
-@@ -5653,6 +5654,7 @@ discard:
+@@ -5620,6 +5621,7 @@ discard:
+ 		}
+ 
+ 		tp->rcv_nxt = TCP_SKB_CB(skb)->seq + 1;
++		tp->copied_seq = tp->rcv_nxt;
+ 		tp->rcv_wup = TCP_SKB_CB(skb)->seq + 1;
+ 
+ 		/* RFC1323: The window in SYN & SYN/ACK segments is
+@@ -5653,6 +5655,7 @@ discard:
  		goto discard;
  #endif
  	}
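Review bot: The added `tp->copied_seq = tp->rcv_nxt;` in the crossed-SYN branch has no comment, and its relation to the neighbouring `rcv_nxt` and `rcv_wup` assignments is visible only from position. A brief comment such as `/* nothing has been copied to user space yet: copied_seq starts at rcv_nxt */` would record the invariant for anyone touching this path later. The enclosing function starts and ends outside the hunk.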
@@ -121182,7 +121451,7 @@ index 728f5b3..dc51cbe 100644
  	/* "fifth, if neither of the SYN or RST bits is set then
  	 * drop the segment and return."
  	 */
-@@ -5699,7 +5701,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+@@ -5699,7 +5702,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
  			goto discard;
  
  		if (th->syn) {
@@ -121191,7 +121460,7 @@ index 728f5b3..dc51cbe 100644
  				goto discard;
  			if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
  				return 1;
-@@ -6026,7 +6028,7 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops,
+@@ -6026,7 +6029,7 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops,
  
  		kmemcheck_annotate_bitfield(ireq, flags);
  		ireq->opt = NULL;
@@ -124037,8 +124306,92 @@ index f226709..0e735a8 100644
  	_proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
  
  	ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index f06aa01..1a0aa2a 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -253,7 +253,8 @@ int qdisc_set_default(const char *name)
+ }
+ 
+ /* We know handle. Find qdisc among all qdisc's attached to device
+-   (root qdisc, all its children, children of children etc.)
++ * (root qdisc, all its children, children of children etc.)
++ * Note: caller either uses rtnl or rcu_read_lock()
+  */
+ 
+ static struct Qdisc *qdisc_match_from_root(struct Qdisc *root, u32 handle)
+@@ -264,7 +265,7 @@ static struct Qdisc *qdisc_match_from_root(struct Qdisc *root, u32 handle)
+ 	    root->handle == handle)
+ 		return root;
+ 
+-	list_for_each_entry(q, &root->list, list) {
++	list_for_each_entry_rcu(q, &root->list, list) {
+ 		if (q->handle == handle)
+ 			return q;
+ 	}
+@@ -277,15 +278,18 @@ void qdisc_list_add(struct Qdisc *q)
+ 		struct Qdisc *root = qdisc_dev(q)->qdisc;
+ 
+ 		WARN_ON_ONCE(root == &noop_qdisc);
+-		list_add_tail(&q->list, &root->list);
++		ASSERT_RTNL();
++		list_add_tail_rcu(&q->list, &root->list);
+ 	}
+ }
+ EXPORT_SYMBOL(qdisc_list_add);
+ 
+ void qdisc_list_del(struct Qdisc *q)
+ {
+-	if ((q->parent != TC_H_ROOT) && !(q->flags & TCQ_F_INGRESS))
+-		list_del(&q->list);
++	if ((q->parent != TC_H_ROOT) && !(q->flags & TCQ_F_INGRESS)) {
++		ASSERT_RTNL();
++		list_del_rcu(&q->list);
++	}
+ }
+ EXPORT_SYMBOL(qdisc_list_del);
+ 
+@@ -750,14 +754,18 @@ void qdisc_tree_decrease_qlen(struct Qdisc *sch, unsigned int n)
+ 	if (n == 0)
+ 		return;
+ 	drops = max_t(int, n, 0);
++	rcu_read_lock();
+ 	while ((parentid = sch->parent)) {
+ 		if (TC_H_MAJ(parentid) == TC_H_MAJ(TC_H_INGRESS))
+-			return;
++			break;
+ 
++		if (sch->flags & TCQ_F_NOPARENT)
++			break;
++		/* TODO: perform the search on a per txq basis */
+ 		sch = qdisc_lookup(qdisc_dev(sch), TC_H_MAJ(parentid));
+ 		if (sch == NULL) {
+-			WARN_ON(parentid != TC_H_ROOT);
+-			return;
++			WARN_ON_ONCE(parentid != TC_H_ROOT);
++			break;
+ 		}
+ 		cops = sch->ops->cl_ops;
+ 		if (cops->qlen_notify) {
+@@ -768,6 +776,7 @@ void qdisc_tree_decrease_qlen(struct Qdisc *sch, unsigned int n)
+ 		sch->q.qlen -= n;
+ 		__qdisc_qstats_drop(sch, drops);
+ 	}
++	rcu_read_unlock();
+ }
+ EXPORT_SYMBOL(qdisc_tree_decrease_qlen);
+ 
+@@ -941,7 +950,7 @@ qdisc_create(struct net_device *dev, struct netdev_queue *dev_queue,
+ 		}
+ 		lockdep_set_class(qdisc_lock(sch), &qdisc_tx_lock);
+ 		if (!netif_is_multiqueue(dev))
+-			sch->flags |= TCQ_F_ONETXQUEUE;
++			sch->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
+ 	}
+ 
+ 	sch->handle = handle;
 diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
-index 6efca30..1259f82 100644
+index 6efca30..166495a 100644
 --- a/net/sched/sch_generic.c
 +++ b/net/sched/sch_generic.c
 @@ -349,7 +349,7 @@ void netif_carrier_on(struct net_device *dev)
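Review bot: `qdisc_list_del` now unlinks with `list_del_rcu` while `qdisc_tree_decrease_qlen` reaches the list under `rcu_read_lock()` only, so the qdisc memory has to stay valid until a grace period has passed after the unlink. The free path is not part of this hunk; it should be confirmed that it defers the free, and the requirement recorded next to the unlink, e.g. `/* readers may still see q under rcu_read_lock(); free only after a grace period */`. The reader side also calls `cops->qlen_notify` and updates `sch->q.qlen` inside the RCU section, so those callbacks must not sleep.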
@@ -124059,6 +124412,59 @@ index 6efca30..1259f82 100644
  		linkwatch_fire_event(dev);
  	}
  }
+@@ -743,7 +743,7 @@ static void attach_one_default_qdisc(struct net_device *dev,
+ 			return;
+ 		}
+ 		if (!netif_is_multiqueue(dev))
+-			qdisc->flags |= TCQ_F_ONETXQUEUE;
++			qdisc->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
+ 	}
+ 	dev_queue->qdisc_sleeping = qdisc;
+ }
+diff --git a/net/sched/sch_mq.c b/net/sched/sch_mq.c
+index f3cbaec..3e82f04 100644
+--- a/net/sched/sch_mq.c
++++ b/net/sched/sch_mq.c
+@@ -63,7 +63,7 @@ static int mq_init(struct Qdisc *sch, struct nlattr *opt)
+ 		if (qdisc == NULL)
+ 			goto err;
+ 		priv->qdiscs[ntx] = qdisc;
+-		qdisc->flags |= TCQ_F_ONETXQUEUE;
++		qdisc->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
+ 	}
+ 
+ 	sch->flags |= TCQ_F_MQROOT;
+@@ -156,7 +156,7 @@ static int mq_graft(struct Qdisc *sch, unsigned long cl, struct Qdisc *new,
+ 
+ 	*old = dev_graft_qdisc(dev_queue, new);
+ 	if (new)
+-		new->flags |= TCQ_F_ONETXQUEUE;
++		new->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
+ 	if (dev->flags & IFF_UP)
+ 		dev_activate(dev);
+ 	return 0;
+diff --git a/net/sched/sch_mqprio.c b/net/sched/sch_mqprio.c
+index 3811a74..ad70ecf 100644
+--- a/net/sched/sch_mqprio.c
++++ b/net/sched/sch_mqprio.c
+@@ -132,7 +132,7 @@ static int mqprio_init(struct Qdisc *sch, struct nlattr *opt)
+ 			goto err;
+ 		}
+ 		priv->qdiscs[i] = qdisc;
+-		qdisc->flags |= TCQ_F_ONETXQUEUE;
++		qdisc->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
+ 	}
+ 
+ 	/* If the mqprio options indicate that hardware should own
+@@ -209,7 +209,7 @@ static int mqprio_graft(struct Qdisc *sch, unsigned long cl, struct Qdisc *new,
+ 	*old = dev_graft_qdisc(dev_queue, new);
+ 
+ 	if (new)
+-		new->flags |= TCQ_F_ONETXQUEUE;
++		new->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
+ 
+ 	if (dev->flags & IFF_UP)
+ 		dev_activate(dev);
 diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
 index e917d27..13e2a4c 100644
 --- a/net/sctp/ipv6.c
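Review bot: `TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT` is spelled out at five sites in this hunk (`attach_one_default_qdisc`, `mq_init`, `mq_graft`, `mqprio_init`, `mqprio_graft`) and again in `qdisc_create` in sch_api.c, so a future site that sets only `TCQ_F_ONETXQUEUE` would quietly fall back to the parent walk in `qdisc_tree_decrease_qlen`. A single named combination next to the flag definitions would keep the two together, e.g. `#define TCQ_F_TXQ_ROOT (TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT)`. `TCQ_F_TXQ_ROOT` is a name proposed here, not one the patch defines.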
@@ -124147,9 +124553,18 @@ index 85e6f03..d41c1ad 100644
  	sctp_generate_t1_cookie_event,
  	sctp_generate_t1_init_event,
 diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 17bef01..46f1473 100644
+index 17bef01..eaadf73 100644
 --- a/net/sctp/socket.c
 +++ b/net/sctp/socket.c
+@@ -972,7 +972,7 @@ static int sctp_setsockopt_bindx(struct sock *sk,
+ 		return -EFAULT;
+ 
+ 	/* Alloc space for the address array in kernel memory.  */
+-	kaddrs = kmalloc(addrs_size, GFP_KERNEL);
++	kaddrs = kmalloc(addrs_size, GFP_USER | __GFP_NOWARN);
+ 	if (unlikely(!kaddrs))
+ 		return -ENOMEM;
+ 
 @@ -2194,11 +2194,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
  {
  	struct sctp_association *asoc;
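Review bot: `addrs_size` reaches `kmalloc()` in `sctp_setsockopt_bindx` with no upper bound visible in the hunk, and switching to `GFP_USER | __GFP_NOWARN` only silences the allocation-failure warning; it does not limit what a caller can request. The same pattern appears in the later hunk for `sctp_getsockopt_local_addrs`, where `space_left` is `len - offsetof(struct sctp_getaddrs, addrs)`, and the check that `len` is at least that offset is not in view and should be confirmed. If neither function caps the size earlier, a bound before the allocation would be the fix, e.g. `if (addrs_size > BINDX_MAX_BYTES_PLACEHOLDER) return -EINVAL;` with the limit chosen and documented by the maintainers. Both function bodies start outside their hunks.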
@@ -124228,6 +124643,38 @@ index 17bef01..46f1473 100644
  		if (copy_to_user(to, &temp, addrlen))
  			return -EFAULT;
  		to += addrlen;
+@@ -4928,7 +4941,7 @@ static int sctp_getsockopt_local_addrs(struct sock *sk, int len,
+ 	to = optval + offsetof(struct sctp_getaddrs, addrs);
+ 	space_left = len - offsetof(struct sctp_getaddrs, addrs);
+ 
+-	addrs = kmalloc(space_left, GFP_KERNEL);
++	addrs = kmalloc(space_left, GFP_USER | __GFP_NOWARN);
+ 	if (!addrs)
+ 		return -ENOMEM;
+ 
+@@ -7375,6 +7388,13 @@ struct proto sctp_prot = {
+ 
+ #if IS_ENABLED(CONFIG_IPV6)
+ 
++#include <net/transp_v6.h>
++static void sctp_v6_destroy_sock(struct sock *sk)
++{
++	sctp_destroy_sock(sk);
++	inet6_destroy_sock(sk);
++}
++
+ struct proto sctpv6_prot = {
+ 	.name		= "SCTPv6",
+ 	.owner		= THIS_MODULE,
+@@ -7384,7 +7404,7 @@ struct proto sctpv6_prot = {
+ 	.accept		= sctp_accept,
+ 	.ioctl		= sctp_ioctl,
+ 	.init		= sctp_init_sock,
+-	.destroy	= sctp_destroy_sock,
++	.destroy	= sctp_v6_destroy_sock,
+ 	.shutdown	= sctp_shutdown,
+ 	.setsockopt	= sctp_setsockopt,
+ 	.getsockopt	= sctp_getsockopt,
 diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c
 index 26d50c5..dfae665 100644
 --- a/net/sctp/sysctl.c
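Review bot: `#include <net/transp_v6.h>` is added in the middle of socket.c, inside the `#if IS_ENABLED(CONFIG_IPV6)` block directly above `sctp_v6_destroy_sock`; headers are easier to audit when they sit with the file's other includes at the top. `sctp_v6_destroy_sock` also has no comment saying why both destructors are called or why in that order; something like `/* SCTP teardown first, then release the IPv6 socket state */` would do. The kmalloc change in `sctp_getsockopt_local_addrs` is covered by the note on the `sctp_setsockopt_bindx` hunk.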
@@ -124936,7 +125383,7 @@ index 350cca3..a108fc5 100644
  	sub->evt.event = htohl(event, sub->swap);
  	sub->evt.found_lower = htohl(found_lower, sub->swap);
 diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 94f6582..0883e68 100644
+index 94f6582..5c2e78b 100644
 --- a/net/unix/af_unix.c
 +++ b/net/unix/af_unix.c
 @@ -420,6 +420,8 @@ static void unix_release_sock(struct sock *sk, int embrion)
@@ -125080,7 +125527,67 @@ index 94f6582..0883e68 100644
  	init_peercred(ska);
  	init_peercred(skb);
  
-@@ -1565,6 +1613,7 @@ restart:
+@@ -1432,6 +1480,14 @@ static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb, bool sen
+ 	return err;
+ }
+ 
++static bool unix_passcred_enabled(const struct socket *sock,
++				  const struct sock *other)
++{
++	return test_bit(SOCK_PASSCRED, &sock->flags) ||
++	       !other->sk_socket ||
++	       test_bit(SOCK_PASSCRED, &other->sk_socket->flags);
++}
++
+ /*
+  * Some apps rely on write() giving SCM_CREDENTIALS
+  * We include credentials if source or destination socket
+@@ -1442,14 +1498,41 @@ static void maybe_add_creds(struct sk_buff *skb, const struct socket *sock,
+ {
+ 	if (UNIXCB(skb).pid)
+ 		return;
+-	if (test_bit(SOCK_PASSCRED, &sock->flags) ||
+-	    !other->sk_socket ||
+-	    test_bit(SOCK_PASSCRED, &other->sk_socket->flags)) {
++	if (unix_passcred_enabled(sock, other)) {
+ 		UNIXCB(skb).pid  = get_pid(task_tgid(current));
+ 		current_uid_gid(&UNIXCB(skb).uid, &UNIXCB(skb).gid);
+ 	}
+ }
+ 
++static int maybe_init_creds(struct scm_cookie *scm,
++			    struct socket *socket,
++			    const struct sock *other)
++{
++	int err;
++	struct msghdr msg = { .msg_controllen = 0 };
++
++	err = scm_send(socket, &msg, scm, false);
++	if (err)
++		return err;
++
++	if (unix_passcred_enabled(socket, other)) {
++		scm->pid = get_pid(task_tgid(current));
++		current_uid_gid(&scm->creds.uid, &scm->creds.gid);
++	}
++	return err;
++}
++
++static bool unix_skb_scm_eq(struct sk_buff *skb,
++			    struct scm_cookie *scm)
++{
++	const struct unix_skb_parms *u = &UNIXCB(skb);
++
++	return u->pid == scm->pid &&
++	       uid_eq(u->uid, scm->creds.uid) &&
++	       gid_eq(u->gid, scm->creds.gid) &&
++	       unix_secdata_eq(scm, skb);
++}
++
+ /*
+  *	Send AF_UNIX data.
+  */
+@@ -1565,6 +1648,7 @@ restart:
  		unix_state_lock(sk);
  		if (unix_peer(sk) == other) {
  			unix_peer(sk) = NULL;
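Review bot: `maybe_init_creds` takes a pid reference with `get_pid()` and stores it in `scm->pid`, but nothing at the definition says that the caller then owns the cookie and has to release it. A header comment would close that gap, e.g. `/* On success the caller must call scm_destroy(scm); on error scm must not be touched again. */`, which matches how `unix_stream_sendpage` uses it in the following hunks. `unix_skb_scm_eq` compares `u->pid` and `scm->pid` as pointers, so a NULL pid on both sides satisfies the first test; a one-line remark on that would help readers of the credential-gluing logic.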
@@ -125088,7 +125595,73 @@ index 94f6582..0883e68 100644
  			unix_state_unlock(sk);
  
  			unix_dgram_disconnected(sk, other);
-@@ -1798,6 +1847,7 @@ alloc_skb:
+@@ -1739,8 +1823,10 @@ out_err:
+ static ssize_t unix_stream_sendpage(struct socket *socket, struct page *page,
+ 				    int offset, size_t size, int flags)
+ {
+-	int err = 0;
+-	bool send_sigpipe = true;
++	int err;
++	bool send_sigpipe = false;
++	bool init_scm = true;
++	struct scm_cookie scm;
+ 	struct sock *other, *sk = socket->sk;
+ 	struct sk_buff *skb, *newskb = NULL, *tail = NULL;
+ 
+@@ -1758,7 +1844,7 @@ alloc_skb:
+ 		newskb = sock_alloc_send_pskb(sk, 0, 0, flags & MSG_DONTWAIT,
+ 					      &err, 0);
+ 		if (!newskb)
+-			return err;
++			goto err;
+ 	}
+ 
+ 	/* we must acquire readlock as we modify already present
+@@ -1767,12 +1853,12 @@ alloc_skb:
+ 	err = mutex_lock_interruptible(&unix_sk(other)->readlock);
+ 	if (err) {
+ 		err = flags & MSG_DONTWAIT ? -EAGAIN : -ERESTARTSYS;
+-		send_sigpipe = false;
+ 		goto err;
+ 	}
+ 
+ 	if (sk->sk_shutdown & SEND_SHUTDOWN) {
+ 		err = -EPIPE;
++		send_sigpipe = true;
+ 		goto err_unlock;
+ 	}
+ 
+@@ -1781,23 +1867,34 @@ alloc_skb:
+ 	if (sock_flag(other, SOCK_DEAD) ||
+ 	    other->sk_shutdown & RCV_SHUTDOWN) {
+ 		err = -EPIPE;
++		send_sigpipe = true;
+ 		goto err_state_unlock;
+ 	}
+ 
++	if (init_scm) {
++		err = maybe_init_creds(&scm, socket, other);
++		if (err)
++			goto err_state_unlock;
++		init_scm = false;
++	}
++
+ 	skb = skb_peek_tail(&other->sk_receive_queue);
+ 	if (tail && tail == skb) {
+ 		skb = newskb;
+-	} else if (!skb) {
+-		if (newskb)
++	} else if (!skb || !unix_skb_scm_eq(skb, &scm)) {
++		if (newskb) {
+ 			skb = newskb;
+-		else
++		} else {
++			tail = skb;
+ 			goto alloc_skb;
++		}
+ 	} else if (newskb) {
+ 		/* this is fast path, we don't necessarily need to
+ 		 * call to kfree_skb even though with newskb == NULL
  		 * this - does no harm
  		 */
  		consume_skb(newskb);
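Review bot: `struct scm_cookie scm` in `unix_stream_sendpage` stays uninitialised until `maybe_init_creds()` succeeds, and the only thing guarding the `scm_destroy(&scm)` on the error path is the `init_scm` flag tested in a later hunk. That coupling is easy to break when a new `goto err` is added, so a comment at the declarations such as `/* scm is valid only once init_scm is false */` would make it explicit. `err` also lost its initialiser, which means every jump to the error labels must assign it first; the jumps shown here do, but the function extends outside the hunk.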
@@ -125096,12 +125669,15 @@ index 94f6582..0883e68 100644
  	}
  
  	if (skb_append_pagefrags(skb, page, offset, size)) {
-@@ -1810,8 +1860,11 @@ alloc_skb:
+@@ -1810,14 +1907,20 @@ alloc_skb:
  	skb->truesize += size;
  	atomic_add(size, &sk->sk_wmem_alloc);
  
 -	if (newskb)
 +	if (newskb) {
++		err = unix_scm_to_skb(&scm, skb, false);
++		if (err)
++			goto err_state_unlock;
 +		spin_lock(&other->sk_receive_queue.lock);
  		__skb_queue_tail(&other->sk_receive_queue, newskb);
 +		spin_unlock(&other->sk_receive_queue.lock);
@@ -125109,7 +125685,23 @@ index 94f6582..0883e68 100644
  
  	unix_state_unlock(other);
  	mutex_unlock(&unix_sk(other)->readlock);
-@@ -2071,6 +2124,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state)
+ 
+ 	other->sk_data_ready(other);
+-
++	scm_destroy(&scm);
+ 	return size;
+ 
+ err_state_unlock:
+@@ -1828,6 +1931,8 @@ err:
+ 	kfree_skb(newskb);
+ 	if (send_sigpipe && !(flags & MSG_NOSIGNAL))
+ 		send_sig(SIGPIPE, current, 0);
++	if (!init_scm)
++		scm_destroy(&scm);
+ 	return err;
+ }
+ 
+@@ -2071,6 +2176,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state)
  
  	do {
  		int chunk;
@@ -125117,7 +125709,19 @@ index 94f6582..0883e68 100644
  		struct sk_buff *skb, *last;
  
  		unix_state_lock(sk);
-@@ -2151,7 +2205,11 @@ unlock:
+@@ -2130,10 +2236,7 @@ unlock:
+ 
+ 		if (check_creds) {
+ 			/* Never glue messages from different writers */
+-			if ((UNIXCB(skb).pid  != scm.pid) ||
+-			    !uid_eq(UNIXCB(skb).uid, scm.creds.uid) ||
+-			    !gid_eq(UNIXCB(skb).gid, scm.creds.gid) ||
+-			    !unix_secdata_eq(&scm, skb))
++			if (!unix_skb_scm_eq(skb, &scm))
+ 				break;
+ 		} else if (test_bit(SOCK_PASSCRED, &sock->flags)) {
+ 			/* Copy credentials */
+@@ -2151,7 +2254,11 @@ unlock:
  		}
  
  		chunk = min_t(unsigned int, unix_skb_len(skb) - skip, size);
@@ -125129,7 +125733,7 @@ index 94f6582..0883e68 100644
  		if (chunk < 0) {
  			if (copied == 0)
  				copied = -EFAULT;
-@@ -2160,6 +2218,18 @@ unlock:
+@@ -2160,6 +2267,18 @@ unlock:
  		copied += chunk;
  		size -= chunk;
  
@@ -125148,7 +125752,7 @@ index 94f6582..0883e68 100644
  		/* Mark read part of skb as used */
  		if (!(flags & MSG_PEEK)) {
  			UNIXCB(skb).consumed += chunk;
-@@ -2456,7 +2526,6 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock,
+@@ -2456,7 +2575,6 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock,
  	other = unix_peer_get(sk);
  	if (other) {
  		if (unix_peer(other) != sk) {
@@ -125156,7 +125760,7 @@ index 94f6582..0883e68 100644
  			if (unix_recvq_full(other))
  				writable = 0;
  		}
-@@ -2556,9 +2625,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+@@ -2556,9 +2674,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
  		seq_puts(seq, "Num       RefCount Protocol Flags    Type St "
  			 "Inode Path\n");
  	else {
@@ -125171,7 +125775,7 @@ index 94f6582..0883e68 100644
  
  		seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu",
  			s,
-@@ -2583,10 +2656,29 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+@@ -2583,10 +2705,29 @@ static int unix_seq_show(struct seq_file *seq, void *v)
  				seq_putc(seq, '@');
  				i++;
  			}
@@ -133195,10 +133799,10 @@ index 0000000..f74d85a
 +targets += size_overflow_hash.h size_overflow_hash_aux.h disable_size_overflow_hash.h
 diff --git a/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data b/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data
 new file mode 100644
-index 0000000..8ce9ec1
+index 0000000..07f2628
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data
-@@ -0,0 +1,12422 @@
+@@ -0,0 +1,12424 @@
 +disable_so_interrupt_pnode_gru_message_queue_desc_4 interrupt_pnode gru_message_queue_desc 0 4 NULL
 +disable_so_bch_btree_insert_fndecl_12 bch_btree_insert fndecl 0 12 NULL
 +disable_so_macvlan_sync_address_fndecl_22 macvlan_sync_address fndecl 0 22 NULL nohasharray
@@ -136504,7 +137108,8 @@ index 0000000..8ce9ec1
 +disable_so_cir_addr_nvt_dev_17619 cir_addr nvt_dev 0 17619 NULL
 +disable_so_plink_timeout_mesh_config_17621 plink_timeout mesh_config 0 17621 NULL
 +disable_so_numaddr_mwl8k_cmd_mac_multicast_adr_17633 numaddr mwl8k_cmd_mac_multicast_adr 0 17633 NULL
-+disable_so_addr_nvbios_extdev_func_17635 addr nvbios_extdev_func 0 17635 NULL nohasharray
++enable_so_last_used_idx_vringh_17635 last_used_idx vringh 0 17635 NULL nohasharray
++disable_so_addr_nvbios_extdev_func_17635 addr nvbios_extdev_func 0 17635 &enable_so_last_used_idx_vringh_17635 nohasharray
 +disable_so_xfs_btree_set_numrecs_fndecl_17635 xfs_btree_set_numrecs fndecl 2 17635 &disable_so_addr_nvbios_extdev_func_17635
 +disable_so_pll_clkdiv_adau1701_17652 pll_clkdiv adau1701 0 17652 NULL
 +disable_so_btree_insert_raw_fndecl_17655 btree_insert_raw fndecl 0-2 17655 NULL
@@ -145621,6 +146226,7 @@ index 0000000..8ce9ec1
 +enable_so_i_size_lo_ext4_inode_40153 i_size_lo ext4_inode 0 40153 NULL
 +enable_so_i_size_high_ext4_inode_18545 i_size_high ext4_inode 0 18545 NULL
 +enable_so_nr_kvm_queued_interrupt_34927 nr kvm_queued_interrupt 0 34927 NULL
++enable_so_last_used_idx_vhost_virtqueue_40059 last_used_idx vhost_virtqueue 0 40059 NULL
 diff --git a/tools/gcc/size_overflow_plugin/generate_size_overflow_hash.sh b/tools/gcc/size_overflow_plugin/generate_size_overflow_hash.sh
 new file mode 100644
 index 0000000..be9724d
@@ -146154,10 +146760,10 @@ index 0000000..cc20d48
 +#endif
 diff --git a/tools/gcc/size_overflow_plugin/intentional_overflow.c b/tools/gcc/size_overflow_plugin/intentional_overflow.c
 new file mode 100644
-index 0000000..3bf5a4e
+index 0000000..7d9135d
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/intentional_overflow.c
-@@ -0,0 +1,1010 @@
+@@ -0,0 +1,1032 @@
 +/*
 + * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com>
 + * Licensed under the GPL v2, or (at your option) v3
@@ -147119,7 +147725,7 @@ index 0000000..3bf5a4e
 + * _141 = -_140;
 + * _154 = (short unsigned int) _141;
 + * _155 = (size_overflow_type_SI) _154;
-+ * _156 = _154 + _155;
++ * _156 = _154 + _155; // 2x
 + * _157 = (short unsigned int) _156;
 + */
 +static bool is_short_cast_neg(const_tree rhs)
@@ -147145,11 +147751,28 @@ index 0000000..3bf5a4e
 +	return gimple_assign_rhs_code(neg_stmt) == NEGATE_EXPR;
 +}
 +
++static bool check_add_stmt(const_tree node)
++{
++	const_gimple add_stmt;
++	const_tree add_rhs1, add_rhs2;
++
++	if (node == NULL_TREE)
++		return false;
++
++	add_stmt = get_def_stmt(node);
++	if (!add_stmt || !is_gimple_assign(add_stmt) || gimple_assign_rhs_code(add_stmt) != PLUS_EXPR)
++		return false;
++
++	add_rhs1 = gimple_assign_rhs1(add_stmt);
++	add_rhs2 = gimple_assign_rhs2(add_stmt);
++	return is_short_cast_neg(add_rhs1) || is_short_cast_neg(add_rhs2);
++}
++
 +bool neg_short_add_intentional_overflow(gassign *unary_stmt)
 +{
 +	const_tree rhs1, add_rhs1, add_rhs2, cast_rhs;
-+	const_gimple add_stmt;
 +	gimple cast_stmt;
++	const_gimple add_stmt;
 +
 +	rhs1 = gimple_assign_rhs1(unary_stmt);
 +
@@ -147160,13 +147783,18 @@ index 0000000..3bf5a4e
 +	if (GET_MODE_BITSIZE(TYPE_MODE(TREE_TYPE(cast_rhs))) <= GET_MODE_BITSIZE(TYPE_MODE(TREE_TYPE(rhs1))))
 +		return false;
 +
++	// one or two plus expressions
++	if (check_add_stmt(cast_rhs))
++		return true;
++
 +	add_stmt = get_def_stmt(cast_rhs);
-+	if (!add_stmt || !is_gimple_assign(add_stmt) || gimple_assign_rhs_code(add_stmt) != PLUS_EXPR)
++	if (!add_stmt || !is_gimple_assign(add_stmt))
 +		return false;
-+
 +	add_rhs1 = gimple_assign_rhs1(add_stmt);
++	if (check_add_stmt(add_rhs1))
++		return true;
 +	add_rhs2 = gimple_assign_rhs2(add_stmt);
-+	return is_short_cast_neg(add_rhs1) || is_short_cast_neg(add_rhs2);
++	return check_add_stmt(add_rhs2);
 +}
 diff --git a/tools/gcc/size_overflow_plugin/remove_unnecessary_dup.c b/tools/gcc/size_overflow_plugin/remove_unnecessary_dup.c
 new file mode 100644
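Review bot: The second lookup in `neg_short_add_intentional_overflow` dropped the `PLUS_EXPR` test: once `check_add_stmt(cast_rhs)` has failed, `add_stmt` is accepted if it is any gimple assignment, and its operands are then handed to `check_add_stmt`. The inline comment says "one or two plus expressions", so if only a chain of two additions is meant, the outer statement should still be checked, `if (!add_stmt || !is_gimple_assign(add_stmt) || gimple_assign_rhs_code(add_stmt) != PLUS_EXPR) return false;`. Otherwise the intentional-overflow classification covers more statement kinds than the comment describes. The function begins in the preceding hunk.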
@@ -147842,10 +148470,10 @@ index 0000000..fc58e16
 +}
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
 new file mode 100644
-index 0000000..2d4a6ed
+index 0000000..a907202
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
-@@ -0,0 +1,20735 @@
+@@ -0,0 +1,20733 @@
 +enable_so_recv_ctrl_pipe_us_data_0 recv_ctrl_pipe us_data 0 0 NULL
 +enable_so___earlyonly_bootmem_alloc_fndecl_3 __earlyonly_bootmem_alloc fndecl 2-3-4 3 NULL
 +enable_so_size_ttm_mem_reg_8 size ttm_mem_reg 0 8 NULL
@@ -153340,7 +153968,6 @@ index 0000000..2d4a6ed
 +enable_so_min_alloc_order_gen_pool_17628 min_alloc_order gen_pool 0 17628 NULL
 +enable_so_num_peri_pl330_config_17630 num_peri pl330_config 0 17630 NULL
 +enable_so_ctxts_extrabuf_qib_devdata_17634 ctxts_extrabuf qib_devdata 0 17634 NULL
-+enable_so_last_used_idx_vringh_17635 last_used_idx vringh 0 17635 NULL
 +enable_so_video_linelength_sis_video_info_17642 video_linelength sis_video_info 0 17642 NULL
 +enable_so_wl12xx_sdio_raw_read_fndecl_17648 wl12xx_sdio_raw_read fndecl 4 17648 NULL
 +enable_so_buf_len_ceph_none_authorizer_17652 buf_len ceph_none_authorizer 0 17652 NULL nohasharray
@@ -160564,7 +161191,6 @@ index 0000000..2d4a6ed
 +enable_so_memdiff_vardecl_tridentfb_c_40043 memdiff vardecl_tridentfb.c 0 40043 NULL nohasharray
 +enable_so_read_partial_fndecl_40043 read_partial fndecl 2 40043 &enable_so_memdiff_vardecl_tridentfb_c_40043
 +enable_so_add_nested_action_start_fndecl_40044 add_nested_action_start fndecl 0 40044 NULL
-+enable_so_last_used_idx_vhost_virtqueue_40059 last_used_idx vhost_virtqueue 0 40059 NULL
 +enable_so_SyS_listxattr_fndecl_40060 SyS_listxattr fndecl 3 40060 NULL
 +enable_so_smp_execute_task_fndecl_40062 smp_execute_task fndecl 3-5-0 40062 NULL nohasharray
 +enable_so_iwl_dbgfs_disable_power_off_read_fndecl_40062 iwl_dbgfs_disable_power_off_read fndecl 3 40062 &enable_so_smp_execute_task_fndecl_40062
@@ -170424,7 +171050,7 @@ index 0000000..6075e8f
 +
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin/size_overflow_plugin.c
 new file mode 100644
-index 0000000..29a5c26
+index 0000000..f1cc040
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_plugin.c
 @@ -0,0 +1,318 @@
@@ -170459,7 +171085,7 @@ index 0000000..29a5c26
 +tree size_overflow_type_TI;
 +
 +static struct plugin_info size_overflow_plugin_info = {
-+	.version	= "20151128",
++	.version	= "20151201",
 +	.help		= "no-size-overflow\tturn off size overflow checking\n",
 +};
 +

