diff options
-rw-r--r-- | 3.14.37/0000_README (renamed from 3.14.36/0000_README) | 6 | ||||
-rw-r--r-- | 3.14.37/1036_linux-3.14.37.patch | 2861 | ||||
-rw-r--r-- | 3.14.37/4420_grsecurity-3.1-3.14.37-201503270048.patch (renamed from 3.14.36/4420_grsecurity-3.1-3.14.36-201503251807.patch) | 345 | ||||
-rw-r--r-- | 3.14.37/4425_grsec_remove_EI_PAX.patch (renamed from 3.14.36/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.14.37/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.14.36/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.14.37/4430_grsec-remove-localversion-grsec.patch (renamed from 3.14.36/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.14.37/4435_grsec-mute-warnings.patch (renamed from 3.14.36/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.14.37/4440_grsec-remove-protected-paths.patch (renamed from 3.14.36/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.14.37/4450_grsec-kconfig-default-gids.patch (renamed from 3.14.36/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.14.37/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.14.36/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.14.37/4470_disable-compat_vdso.patch (renamed from 3.14.36/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.14.37/4475_emutramp_default_on.patch (renamed from 3.14.36/4475_emutramp_default_on.patch) | 0 | ||||
-rw-r--r-- | 3.19.3/0000_README (renamed from 3.19.2/0000_README) | 6 | ||||
-rw-r--r-- | 3.19.3/1002_linux-3.19.3.patch | 4081 | ||||
-rw-r--r-- | 3.19.3/4420_grsecurity-3.1-3.19.3-201503270049.patch (renamed from 3.19.2/4420_grsecurity-3.1-3.19.2-201503251807.patch) | 460 | ||||
-rw-r--r-- | 3.19.3/4425_grsec_remove_EI_PAX.patch (renamed from 3.19.2/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.19.3/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.19.2/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.19.3/4430_grsec-remove-localversion-grsec.patch (renamed from 3.19.2/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.19.3/4435_grsec-mute-warnings.patch (renamed from 3.19.2/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.19.3/4440_grsec-remove-protected-paths.patch (renamed from 3.19.2/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.19.3/4450_grsec-kconfig-default-gids.patch (renamed from 3.19.2/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.19.3/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.19.2/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.19.3/4470_disable-compat_vdso.patch (renamed from 3.19.2/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.19.3/4475_emutramp_default_on.patch (renamed from 3.19.2/4475_emutramp_default_on.patch) | 0 |
24 files changed, 7170 insertions, 589 deletions
diff --git a/3.14.36/0000_README b/3.14.37/0000_README index 8f98f5b..6e499e4 100644 --- a/3.14.36/0000_README +++ b/3.14.37/0000_README @@ -2,7 +2,11 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.1-3.14.36-201503251807.patch +Patch: 1036_linux-3.14.37.patch +From: http://www.kernel.org +Desc: Linux 3.14.37 + +Patch: 4420_grsecurity-3.1-3.14.37-201503270048.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.37/1036_linux-3.14.37.patch b/3.14.37/1036_linux-3.14.37.patch new file mode 100644 index 0000000..b25a2ef --- /dev/null +++ b/3.14.37/1036_linux-3.14.37.patch @@ -0,0 +1,2861 @@ +diff --git a/Makefile b/Makefile +index 4e6537b..c24acc0 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 14 +-SUBLEVEL = 36 ++SUBLEVEL = 37 + EXTRAVERSION = + NAME = Remembering Coco + +diff --git a/arch/arm/boot/dts/dra7xx-clocks.dtsi b/arch/arm/boot/dts/dra7xx-clocks.dtsi +index e96da9a..f2512e1 100644 +--- a/arch/arm/boot/dts/dra7xx-clocks.dtsi ++++ b/arch/arm/boot/dts/dra7xx-clocks.dtsi +@@ -243,10 +243,18 @@ + ti,invert-autoidle-bit; + }; + ++ dpll_core_byp_mux: dpll_core_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ ti,bit-shift = <23>; ++ reg = <0x012c>; ++ }; ++ + dpll_core_ck: dpll_core_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-core-clock"; +- clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ clocks = <&sys_clkin1>, <&dpll_core_byp_mux>; + reg = <0x0120>, <0x0124>, <0x012c>, <0x0128>; + }; + +@@ -309,10 +317,18 @@ + clock-div = <1>; + }; + ++ dpll_dsp_byp_mux: dpll_dsp_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&dsp_dpll_hs_clk_div>; ++ ti,bit-shift = <23>; ++ reg = <0x0240>; ++ }; ++ + dpll_dsp_ck: dpll_dsp_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&dsp_dpll_hs_clk_div>; ++ clocks = <&sys_clkin1>, <&dpll_dsp_byp_mux>; + reg = <0x0234>, <0x0238>, <0x0240>, <0x023c>; + }; + +@@ -335,10 +351,18 @@ + clock-div = <1>; + }; + ++ dpll_iva_byp_mux: dpll_iva_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&iva_dpll_hs_clk_div>; ++ ti,bit-shift = <23>; ++ reg = <0x01ac>; ++ }; ++ + dpll_iva_ck: dpll_iva_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&iva_dpll_hs_clk_div>; ++ clocks = <&sys_clkin1>, <&dpll_iva_byp_mux>; + reg = <0x01a0>, <0x01a4>, <0x01ac>, <0x01a8>; + }; + +@@ -361,10 +385,18 @@ + clock-div = <1>; + }; + ++ dpll_gpu_byp_mux: dpll_gpu_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ ti,bit-shift = <23>; ++ reg = <0x02e4>; ++ }; ++ + dpll_gpu_ck: dpll_gpu_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ clocks = <&sys_clkin1>, <&dpll_gpu_byp_mux>; + reg = <0x02d8>, <0x02dc>, <0x02e4>, <0x02e0>; + }; + +@@ -398,10 +430,18 @@ + clock-div = <1>; + }; + ++ dpll_ddr_byp_mux: dpll_ddr_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ ti,bit-shift = <23>; ++ reg = <0x021c>; ++ }; ++ + dpll_ddr_ck: dpll_ddr_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ clocks = <&sys_clkin1>, <&dpll_ddr_byp_mux>; + reg = <0x0210>, <0x0214>, <0x021c>, <0x0218>; + }; + +@@ -416,10 +456,18 @@ + ti,invert-autoidle-bit; + }; + ++ dpll_gmac_byp_mux: dpll_gmac_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ ti,bit-shift = <23>; ++ reg = <0x02b4>; ++ }; ++ + dpll_gmac_ck: dpll_gmac_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ clocks = <&sys_clkin1>, <&dpll_gmac_byp_mux>; + reg = <0x02a8>, <0x02ac>, <0x02b4>, <0x02b0>; + }; + +@@ -482,10 +530,18 @@ + clock-div = <1>; + }; + ++ dpll_eve_byp_mux: dpll_eve_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&eve_dpll_hs_clk_div>; ++ ti,bit-shift = <23>; ++ reg = <0x0290>; ++ }; ++ + dpll_eve_ck: dpll_eve_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&eve_dpll_hs_clk_div>; ++ clocks = <&sys_clkin1>, <&dpll_eve_byp_mux>; + reg = <0x0284>, <0x0288>, <0x0290>, <0x028c>; + }; + +@@ -1214,10 +1270,18 @@ + clock-div = <1>; + }; + ++ dpll_per_byp_mux: dpll_per_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&per_dpll_hs_clk_div>; ++ ti,bit-shift = <23>; ++ reg = <0x014c>; ++ }; ++ + dpll_per_ck: dpll_per_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&per_dpll_hs_clk_div>; ++ clocks = <&sys_clkin1>, <&dpll_per_byp_mux>; + reg = <0x0140>, <0x0144>, <0x014c>, <0x0148>; + }; + +@@ -1240,10 +1304,18 @@ + clock-div = <1>; + }; + ++ dpll_usb_byp_mux: dpll_usb_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&usb_dpll_hs_clk_div>; ++ ti,bit-shift = <23>; ++ reg = <0x018c>; ++ }; ++ + dpll_usb_ck: dpll_usb_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-j-type-clock"; +- clocks = <&sys_clkin1>, <&usb_dpll_hs_clk_div>; ++ clocks = <&sys_clkin1>, <&dpll_usb_byp_mux>; + reg = <0x0180>, <0x0184>, <0x018c>, <0x0188>; + }; + +diff --git a/arch/arm/crypto/aesbs-core.S_shipped b/arch/arm/crypto/aesbs-core.S_shipped +index 71e5fc7..1d1800f 100644 +--- a/arch/arm/crypto/aesbs-core.S_shipped ++++ b/arch/arm/crypto/aesbs-core.S_shipped +@@ -58,14 +58,18 @@ + # define VFP_ABI_FRAME 0 + # define BSAES_ASM_EXTENDED_KEY + # define XTS_CHAIN_TWEAK +-# define __ARM_ARCH__ 7 ++# define __ARM_ARCH__ __LINUX_ARM_ARCH__ ++# define __ARM_MAX_ARCH__ 7 + #endif + + #ifdef __thumb__ + # define adrl adr + #endif + +-#if __ARM_ARCH__>=7 ++#if __ARM_MAX_ARCH__>=7 ++.arch armv7-a ++.fpu neon ++ + .text + .syntax unified @ ARMv7-capable assembler is expected to handle this + #ifdef __thumb2__ +@@ -74,8 +78,6 @@ + .code 32 + #endif + +-.fpu neon +- + .type _bsaes_decrypt8,%function + .align 4 + _bsaes_decrypt8: +@@ -2095,9 +2097,11 @@ bsaes_xts_decrypt: + vld1.8 {q8}, [r0] @ initial tweak + adr r2, .Lxts_magic + ++#ifndef XTS_CHAIN_TWEAK + tst r9, #0xf @ if not multiple of 16 + it ne @ Thumb2 thing, sanity check in ARM + subne r9, #0x10 @ subtract another 16 bytes ++#endif + subs r9, #0x80 + + blo .Lxts_dec_short +diff --git a/arch/arm/crypto/bsaes-armv7.pl b/arch/arm/crypto/bsaes-armv7.pl +index be068db..a4d3856 100644 +--- a/arch/arm/crypto/bsaes-armv7.pl ++++ b/arch/arm/crypto/bsaes-armv7.pl +@@ -701,14 +701,18 @@ $code.=<<___; + # define VFP_ABI_FRAME 0 + # define BSAES_ASM_EXTENDED_KEY + # define XTS_CHAIN_TWEAK +-# define __ARM_ARCH__ 7 ++# define __ARM_ARCH__ __LINUX_ARM_ARCH__ ++# define __ARM_MAX_ARCH__ 7 + #endif + + #ifdef __thumb__ + # define adrl adr + #endif + +-#if __ARM_ARCH__>=7 ++#if __ARM_MAX_ARCH__>=7 ++.arch armv7-a ++.fpu neon ++ + .text + .syntax unified @ ARMv7-capable assembler is expected to handle this + #ifdef __thumb2__ +@@ -717,8 +721,6 @@ $code.=<<___; + .code 32 + #endif + +-.fpu neon +- + .type _bsaes_decrypt8,%function + .align 4 + _bsaes_decrypt8: +@@ -2076,9 +2078,11 @@ bsaes_xts_decrypt: + vld1.8 {@XMM[8]}, [r0] @ initial tweak + adr $magic, .Lxts_magic + ++#ifndef XTS_CHAIN_TWEAK + tst $len, #0xf @ if not multiple of 16 + it ne @ Thumb2 thing, sanity check in ARM + subne $len, #0x10 @ subtract another 16 bytes ++#endif + subs $len, #0x80 + + blo .Lxts_dec_short +diff --git a/arch/arm/mach-at91/pm.h b/arch/arm/mach-at91/pm.h +index c5101dc..1d4df3b 100644 +--- a/arch/arm/mach-at91/pm.h ++++ b/arch/arm/mach-at91/pm.h +@@ -45,7 +45,7 @@ static inline void at91rm9200_standby(void) + " mcr p15, 0, %0, c7, c0, 4\n\t" + " str %5, [%1, %2]" + : +- : "r" (0), "r" (AT91_BASE_SYS), "r" (AT91RM9200_SDRAMC_LPR), ++ : "r" (0), "r" (at91_ramc_base[0]), "r" (AT91RM9200_SDRAMC_LPR), + "r" (1), "r" (AT91RM9200_SDRAMC_SRR), + "r" (lpr)); + } +diff --git a/arch/arm64/mm/dma-mapping.c b/arch/arm64/mm/dma-mapping.c +index fbd7678..3974881 100644 +--- a/arch/arm64/mm/dma-mapping.c ++++ b/arch/arm64/mm/dma-mapping.c +@@ -44,6 +44,7 @@ static void *arm64_swiotlb_alloc_coherent(struct device *dev, size_t size, + flags |= GFP_DMA32; + if (IS_ENABLED(CONFIG_DMA_CMA)) { + struct page *page; ++ void *addr; + + size = PAGE_ALIGN(size); + page = dma_alloc_from_contiguous(dev, size >> PAGE_SHIFT, +@@ -52,7 +53,10 @@ static void *arm64_swiotlb_alloc_coherent(struct device *dev, size_t size, + return NULL; + + *dma_handle = phys_to_dma(dev, page_to_phys(page)); +- return page_address(page); ++ addr = page_address(page); ++ if (flags & __GFP_ZERO) ++ memset(addr, 0, size); ++ return addr; + } else { + return swiotlb_alloc_coherent(dev, size, dma_handle, flags); + } +diff --git a/arch/sparc/kernel/perf_event.c b/arch/sparc/kernel/perf_event.c +index 617b9fe..3ccb677 100644 +--- a/arch/sparc/kernel/perf_event.c ++++ b/arch/sparc/kernel/perf_event.c +@@ -960,6 +960,8 @@ out: + cpuc->pcr[0] |= cpuc->event[0]->hw.config_base; + } + ++static void sparc_pmu_start(struct perf_event *event, int flags); ++ + /* On this PMU each PIC has it's own PCR control register. */ + static void calculate_multiple_pcrs(struct cpu_hw_events *cpuc) + { +@@ -972,20 +974,13 @@ static void calculate_multiple_pcrs(struct cpu_hw_events *cpuc) + struct perf_event *cp = cpuc->event[i]; + struct hw_perf_event *hwc = &cp->hw; + int idx = hwc->idx; +- u64 enc; + + if (cpuc->current_idx[i] != PIC_NO_INDEX) + continue; + +- sparc_perf_event_set_period(cp, hwc, idx); + cpuc->current_idx[i] = idx; + +- enc = perf_event_get_enc(cpuc->events[i]); +- cpuc->pcr[idx] &= ~mask_for_index(idx); +- if (hwc->state & PERF_HES_STOPPED) +- cpuc->pcr[idx] |= nop_for_index(idx); +- else +- cpuc->pcr[idx] |= event_encoding(enc, idx); ++ sparc_pmu_start(cp, PERF_EF_RELOAD); + } + out: + for (i = 0; i < cpuc->n_events; i++) { +@@ -1101,7 +1096,6 @@ static void sparc_pmu_del(struct perf_event *event, int _flags) + int i; + + local_irq_save(flags); +- perf_pmu_disable(event->pmu); + + for (i = 0; i < cpuc->n_events; i++) { + if (event == cpuc->event[i]) { +@@ -1127,7 +1121,6 @@ static void sparc_pmu_del(struct perf_event *event, int _flags) + } + } + +- perf_pmu_enable(event->pmu); + local_irq_restore(flags); + } + +@@ -1361,7 +1354,6 @@ static int sparc_pmu_add(struct perf_event *event, int ef_flags) + unsigned long flags; + + local_irq_save(flags); +- perf_pmu_disable(event->pmu); + + n0 = cpuc->n_events; + if (n0 >= sparc_pmu->max_hw_events) +@@ -1394,7 +1386,6 @@ nocheck: + + ret = 0; + out: +- perf_pmu_enable(event->pmu); + local_irq_restore(flags); + return ret; + } +diff --git a/arch/sparc/kernel/process_64.c b/arch/sparc/kernel/process_64.c +index c6f7113..1a79d68 100644 +--- a/arch/sparc/kernel/process_64.c ++++ b/arch/sparc/kernel/process_64.c +@@ -281,6 +281,8 @@ void arch_trigger_all_cpu_backtrace(void) + printk(" TPC[%lx] O7[%lx] I7[%lx] RPC[%lx]\n", + gp->tpc, gp->o7, gp->i7, gp->rpc); + } ++ ++ touch_nmi_watchdog(); + } + + memset(global_cpu_snapshot, 0, sizeof(global_cpu_snapshot)); +@@ -356,6 +358,8 @@ static void pmu_snapshot_all_cpus(void) + (cpu == this_cpu ? '*' : ' '), cpu, + pp->pcr[0], pp->pcr[1], pp->pcr[2], pp->pcr[3], + pp->pic[0], pp->pic[1], pp->pic[2], pp->pic[3]); ++ ++ touch_nmi_watchdog(); + } + + memset(global_cpu_snapshot, 0, sizeof(global_cpu_snapshot)); +diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c +index beb0b5a..25db14a 100644 +--- a/arch/sparc/kernel/sys_sparc_64.c ++++ b/arch/sparc/kernel/sys_sparc_64.c +@@ -332,7 +332,7 @@ SYSCALL_DEFINE6(sparc_ipc, unsigned int, call, int, first, unsigned long, second + long err; + + /* No need for backward compatibility. We can start fresh... */ +- if (call <= SEMCTL) { ++ if (call <= SEMTIMEDOP) { + switch (call) { + case SEMOP: + err = sys_semtimedop(first, ptr, +diff --git a/arch/sparc/lib/memmove.S b/arch/sparc/lib/memmove.S +index b7f6334..857ad4f 100644 +--- a/arch/sparc/lib/memmove.S ++++ b/arch/sparc/lib/memmove.S +@@ -8,9 +8,11 @@ + + .text + ENTRY(memmove) /* o0=dst o1=src o2=len */ +- mov %o0, %g1 ++ brz,pn %o2, 99f ++ mov %o0, %g1 ++ + cmp %o0, %o1 +- bleu,pt %xcc, memcpy ++ bleu,pt %xcc, 2f + add %o1, %o2, %g7 + cmp %g7, %o0 + bleu,pt %xcc, memcpy +@@ -24,7 +26,34 @@ ENTRY(memmove) /* o0=dst o1=src o2=len */ + stb %g7, [%o0] + bne,pt %icc, 1b + sub %o0, 1, %o0 +- ++99: + retl + mov %g1, %o0 ++ ++ /* We can't just call memcpy for these memmove cases. On some ++ * chips the memcpy uses cache initializing stores and when dst ++ * and src are close enough, those can clobber the source data ++ * before we've loaded it in. ++ */ ++2: or %o0, %o1, %g7 ++ or %o2, %g7, %g7 ++ andcc %g7, 0x7, %g0 ++ bne,pn %xcc, 4f ++ nop ++ ++3: ldx [%o1], %g7 ++ add %o1, 8, %o1 ++ subcc %o2, 8, %o2 ++ add %o0, 8, %o0 ++ bne,pt %icc, 3b ++ stx %g7, [%o0 - 0x8] ++ ba,a,pt %xcc, 99b ++ ++4: ldub [%o1], %g7 ++ add %o1, 1, %o1 ++ subcc %o2, 1, %o2 ++ add %o0, 1, %o0 ++ bne,pt %icc, 4b ++ stb %g7, [%o0 - 0x1] ++ ba,a,pt %xcc, 99b + ENDPROC(memmove) +diff --git a/arch/sparc/mm/srmmu.c b/arch/sparc/mm/srmmu.c +index cfbe53c..09daebd 100644 +--- a/arch/sparc/mm/srmmu.c ++++ b/arch/sparc/mm/srmmu.c +@@ -460,10 +460,12 @@ static void __init sparc_context_init(int numctx) + void switch_mm(struct mm_struct *old_mm, struct mm_struct *mm, + struct task_struct *tsk) + { ++ unsigned long flags; ++ + if (mm->context == NO_CONTEXT) { +- spin_lock(&srmmu_context_spinlock); ++ spin_lock_irqsave(&srmmu_context_spinlock, flags); + alloc_context(old_mm, mm); +- spin_unlock(&srmmu_context_spinlock); ++ spin_unlock_irqrestore(&srmmu_context_spinlock, flags); + srmmu_ctxd_set(&srmmu_context_table[mm->context], mm->pgd); + } + +@@ -988,14 +990,15 @@ int init_new_context(struct task_struct *tsk, struct mm_struct *mm) + + void destroy_context(struct mm_struct *mm) + { ++ unsigned long flags; + + if (mm->context != NO_CONTEXT) { + flush_cache_mm(mm); + srmmu_ctxd_set(&srmmu_context_table[mm->context], srmmu_swapper_pg_dir); + flush_tlb_mm(mm); +- spin_lock(&srmmu_context_spinlock); ++ spin_lock_irqsave(&srmmu_context_spinlock, flags); + free_context(mm->context); +- spin_unlock(&srmmu_context_spinlock); ++ spin_unlock_irqrestore(&srmmu_context_spinlock, flags); + mm->context = NO_CONTEXT; + } + } +diff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c +index 6dfb7d0..6d4faba 100644 +--- a/arch/x86/crypto/aesni-intel_glue.c ++++ b/arch/x86/crypto/aesni-intel_glue.c +@@ -1109,7 +1109,7 @@ static int __driver_rfc4106_decrypt(struct aead_request *req) + src = kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC); + if (!src) + return -ENOMEM; +- assoc = (src + req->cryptlen + auth_tag_len); ++ assoc = (src + req->cryptlen); + scatterwalk_map_and_copy(src, req->src, 0, req->cryptlen, 0); + scatterwalk_map_and_copy(assoc, req->assoc, 0, + req->assoclen, 0); +@@ -1134,7 +1134,7 @@ static int __driver_rfc4106_decrypt(struct aead_request *req) + scatterwalk_done(&src_sg_walk, 0, 0); + scatterwalk_done(&assoc_sg_walk, 0, 0); + } else { +- scatterwalk_map_and_copy(dst, req->dst, 0, req->cryptlen, 1); ++ scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1); + kfree(src); + } + return retval; +diff --git a/arch/x86/include/asm/fpu-internal.h b/arch/x86/include/asm/fpu-internal.h +index cea1c76..1ac1c00 100644 +--- a/arch/x86/include/asm/fpu-internal.h ++++ b/arch/x86/include/asm/fpu-internal.h +@@ -368,7 +368,7 @@ static inline void drop_fpu(struct task_struct *tsk) + preempt_disable(); + tsk->thread.fpu_counter = 0; + __drop_fpu(tsk); +- clear_used_math(); ++ clear_stopped_child_used_math(tsk); + preempt_enable(); + } + +diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c +index dd50e26..7a09aca 100644 +--- a/arch/x86/kernel/xsave.c ++++ b/arch/x86/kernel/xsave.c +@@ -375,7 +375,7 @@ int __restore_xstate_sig(void __user *buf, void __user *buf_fx, int size) + * thread's fpu state, reconstruct fxstate from the fsave + * header. Sanitize the copied state etc. + */ +- struct xsave_struct *xsave = &tsk->thread.fpu.state->xsave; ++ struct fpu *fpu = &tsk->thread.fpu; + struct user_i387_ia32_struct env; + int err = 0; + +@@ -389,14 +389,15 @@ int __restore_xstate_sig(void __user *buf, void __user *buf_fx, int size) + */ + drop_fpu(tsk); + +- if (__copy_from_user(xsave, buf_fx, state_size) || ++ if (__copy_from_user(&fpu->state->xsave, buf_fx, state_size) || + __copy_from_user(&env, buf, sizeof(env))) { ++ fpu_finit(fpu); + err = -1; + } else { + sanitize_restored_xstate(tsk, &env, xstate_bv, fx_only); +- set_used_math(); + } + ++ set_used_math(); + if (use_eager_fpu()) { + preempt_disable(); + math_state_restore(); +diff --git a/arch/x86/vdso/vdso32/sigreturn.S b/arch/x86/vdso/vdso32/sigreturn.S +index 31776d0..d7ec4e2 100644 +--- a/arch/x86/vdso/vdso32/sigreturn.S ++++ b/arch/x86/vdso/vdso32/sigreturn.S +@@ -17,6 +17,7 @@ + .text + .globl __kernel_sigreturn + .type __kernel_sigreturn,@function ++ nop /* this guy is needed for .LSTARTFDEDLSI1 below (watch for HACK) */ + ALIGN + __kernel_sigreturn: + .LSTART_sigreturn: +diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c +index eff9d58..102463ba 100644 +--- a/drivers/char/tpm/tpm_ibmvtpm.c ++++ b/drivers/char/tpm/tpm_ibmvtpm.c +@@ -124,7 +124,7 @@ static int tpm_ibmvtpm_send(struct tpm_chip *chip, u8 *buf, size_t count) + { + struct ibmvtpm_dev *ibmvtpm; + struct ibmvtpm_crq crq; +- u64 *word = (u64 *) &crq; ++ __be64 *word = (__be64 *)&crq; + int rc; + + ibmvtpm = (struct ibmvtpm_dev *)TPM_VPRIV(chip); +@@ -145,11 +145,11 @@ static int tpm_ibmvtpm_send(struct tpm_chip *chip, u8 *buf, size_t count) + memcpy((void *)ibmvtpm->rtce_buf, (void *)buf, count); + crq.valid = (u8)IBMVTPM_VALID_CMD; + crq.msg = (u8)VTPM_TPM_COMMAND; +- crq.len = (u16)count; +- crq.data = ibmvtpm->rtce_dma_handle; ++ crq.len = cpu_to_be16(count); ++ crq.data = cpu_to_be32(ibmvtpm->rtce_dma_handle); + +- rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(word[0]), +- cpu_to_be64(word[1])); ++ rc = ibmvtpm_send_crq(ibmvtpm->vdev, be64_to_cpu(word[0]), ++ be64_to_cpu(word[1])); + if (rc != H_SUCCESS) { + dev_err(ibmvtpm->dev, "tpm_ibmvtpm_send failed rc=%d\n", rc); + rc = 0; +diff --git a/drivers/char/tpm/tpm_ibmvtpm.h b/drivers/char/tpm/tpm_ibmvtpm.h +index bd82a79..b2c231b 100644 +--- a/drivers/char/tpm/tpm_ibmvtpm.h ++++ b/drivers/char/tpm/tpm_ibmvtpm.h +@@ -22,9 +22,9 @@ + struct ibmvtpm_crq { + u8 valid; + u8 msg; +- u16 len; +- u32 data; +- u64 reserved; ++ __be16 len; ++ __be32 data; ++ __be64 reserved; + } __attribute__((packed, aligned(8))); + + struct ibmvtpm_crq_queue { +diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c +index 6928d09..b08eadb 100644 +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -142,6 +142,7 @@ struct ports_device { + * notification + */ + struct work_struct control_work; ++ struct work_struct config_work; + + struct list_head ports; + +@@ -1832,10 +1833,21 @@ static void config_intr(struct virtio_device *vdev) + + portdev = vdev->priv; + ++ if (!use_multiport(portdev)) ++ schedule_work(&portdev->config_work); ++} ++ ++static void config_work_handler(struct work_struct *work) ++{ ++ struct ports_device *portdev; ++ ++ portdev = container_of(work, struct ports_device, control_work); + if (!use_multiport(portdev)) { ++ struct virtio_device *vdev; + struct port *port; + u16 rows, cols; + ++ vdev = portdev->vdev; + virtio_cread(vdev, struct virtio_console_config, cols, &cols); + virtio_cread(vdev, struct virtio_console_config, rows, &rows); + +@@ -2024,12 +2036,14 @@ static int virtcons_probe(struct virtio_device *vdev) + spin_lock_init(&portdev->ports_lock); + INIT_LIST_HEAD(&portdev->ports); + ++ INIT_WORK(&portdev->config_work, &config_work_handler); ++ INIT_WORK(&portdev->control_work, &control_work_handler); ++ + if (multiport) { + unsigned int nr_added_bufs; + + spin_lock_init(&portdev->c_ivq_lock); + spin_lock_init(&portdev->c_ovq_lock); +- INIT_WORK(&portdev->control_work, &control_work_handler); + + nr_added_bufs = fill_queue(portdev->c_ivq, + &portdev->c_ivq_lock); +@@ -2097,6 +2111,8 @@ static void virtcons_remove(struct virtio_device *vdev) + /* Finish up work that's lined up */ + if (use_multiport(portdev)) + cancel_work_sync(&portdev->control_work); ++ else ++ cancel_work_sync(&portdev->config_work); + + list_for_each_entry_safe(port, port2, &portdev->ports, list) + unplug_port(port); +@@ -2148,6 +2164,7 @@ static int virtcons_freeze(struct virtio_device *vdev) + + virtqueue_disable_cb(portdev->c_ivq); + cancel_work_sync(&portdev->control_work); ++ cancel_work_sync(&portdev->config_work); + /* + * Once more: if control_work_handler() was running, it would + * enable the cb as the last step. +diff --git a/drivers/gpu/drm/radeon/atombios_crtc.c b/drivers/gpu/drm/radeon/atombios_crtc.c +index 0cca5f2..663394f 100644 +--- a/drivers/gpu/drm/radeon/atombios_crtc.c ++++ b/drivers/gpu/drm/radeon/atombios_crtc.c +@@ -1306,6 +1306,9 @@ static int dce4_crtc_do_set_base(struct drm_crtc *crtc, + (x << 16) | y); + viewport_w = crtc->mode.hdisplay; + viewport_h = (crtc->mode.vdisplay + 1) & ~1; ++ if ((rdev->family >= CHIP_BONAIRE) && ++ (crtc->mode.flags & DRM_MODE_FLAG_INTERLACE)) ++ viewport_h *= 2; + WREG32(EVERGREEN_VIEWPORT_SIZE + radeon_crtc->crtc_offset, + (viewport_w << 16) | viewport_h); + +diff --git a/drivers/gpu/drm/radeon/cik.c b/drivers/gpu/drm/radeon/cik.c +index f0ed0ba..c3664bc 100644 +--- a/drivers/gpu/drm/radeon/cik.c ++++ b/drivers/gpu/drm/radeon/cik.c +@@ -7069,6 +7069,9 @@ int cik_irq_set(struct radeon_device *rdev) + WREG32(DC_HPD5_INT_CONTROL, hpd5); + WREG32(DC_HPD6_INT_CONTROL, hpd6); + ++ /* posting read */ ++ RREG32(SRBM_STATUS); ++ + return 0; + } + +diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c +index 7138f3e..ee9f0b4 100644 +--- a/drivers/gpu/drm/radeon/evergreen.c ++++ b/drivers/gpu/drm/radeon/evergreen.c +@@ -4596,6 +4596,9 @@ int evergreen_irq_set(struct radeon_device *rdev) + WREG32(AFMT_AUDIO_PACKET_CONTROL + EVERGREEN_CRTC4_REGISTER_OFFSET, afmt5); + WREG32(AFMT_AUDIO_PACKET_CONTROL + EVERGREEN_CRTC5_REGISTER_OFFSET, afmt6); + ++ /* posting read */ ++ RREG32(SRBM_STATUS); ++ + return 0; + } + +diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c +index 07620e1..e28de20 100644 +--- a/drivers/gpu/drm/radeon/r100.c ++++ b/drivers/gpu/drm/radeon/r100.c +@@ -742,6 +742,10 @@ int r100_irq_set(struct radeon_device *rdev) + tmp |= RADEON_FP2_DETECT_MASK; + } + WREG32(RADEON_GEN_INT_CNTL, tmp); ++ ++ /* read back to post the write */ ++ RREG32(RADEON_GEN_INT_CNTL); ++ + return 0; + } + +diff --git a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c +index 788f602..74a8a38 100644 +--- a/drivers/gpu/drm/radeon/r600.c ++++ b/drivers/gpu/drm/radeon/r600.c +@@ -3647,6 +3647,9 @@ int r600_irq_set(struct radeon_device *rdev) + WREG32(RV770_CG_THERMAL_INT, thermal_int); + } + ++ /* posting read */ ++ RREG32(R_000E50_SRBM_STATUS); ++ + return 0; + } + +diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c +index 7f2d6c0..2f2d2ce 100644 +--- a/drivers/gpu/drm/radeon/radeon_cs.c ++++ b/drivers/gpu/drm/radeon/radeon_cs.c +@@ -179,11 +179,13 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data) + u32 ring = RADEON_CS_RING_GFX; + s32 priority = 0; + ++ INIT_LIST_HEAD(&p->validated); ++ + if (!cs->num_chunks) { + return 0; + } ++ + /* get chunks */ +- INIT_LIST_HEAD(&p->validated); + p->idx = 0; + p->ib.sa_bo = NULL; + p->ib.semaphore = NULL; +diff --git a/drivers/gpu/drm/radeon/rs600.c b/drivers/gpu/drm/radeon/rs600.c +index e5619d5..4261b38 100644 +--- a/drivers/gpu/drm/radeon/rs600.c ++++ b/drivers/gpu/drm/radeon/rs600.c +@@ -700,6 +700,10 @@ int rs600_irq_set(struct radeon_device *rdev) + WREG32(R_007D18_DC_HOT_PLUG_DETECT2_INT_CONTROL, hpd2); + if (ASIC_IS_DCE2(rdev)) + WREG32(R_007408_HDMI0_AUDIO_PACKET_CONTROL, hdmi0); ++ ++ /* posting read */ ++ RREG32(R_000040_GEN_INT_CNTL); ++ + return 0; + } + +diff --git a/drivers/gpu/drm/radeon/si.c b/drivers/gpu/drm/radeon/si.c +index 52b64ad..2f2decc 100644 +--- a/drivers/gpu/drm/radeon/si.c ++++ b/drivers/gpu/drm/radeon/si.c +@@ -5958,6 +5958,9 @@ int si_irq_set(struct radeon_device *rdev) + + WREG32(CG_THERMAL_INT, thermal_int); + ++ /* posting read */ ++ RREG32(SRBM_STATUS); ++ + return 0; + } + +@@ -6875,8 +6878,7 @@ int si_set_uvd_clocks(struct radeon_device *rdev, u32 vclk, u32 dclk) + WREG32_P(CG_UPLL_FUNC_CNTL, UPLL_BYPASS_EN_MASK, ~UPLL_BYPASS_EN_MASK); + + if (!vclk || !dclk) { +- /* keep the Bypass mode, put PLL to sleep */ +- WREG32_P(CG_UPLL_FUNC_CNTL, UPLL_SLEEP_MASK, ~UPLL_SLEEP_MASK); ++ /* keep the Bypass mode */ + return 0; + } + +@@ -6892,8 +6894,7 @@ int si_set_uvd_clocks(struct radeon_device *rdev, u32 vclk, u32 dclk) + /* set VCO_MODE to 1 */ + WREG32_P(CG_UPLL_FUNC_CNTL, UPLL_VCO_MODE_MASK, ~UPLL_VCO_MODE_MASK); + +- /* toggle UPLL_SLEEP to 1 then back to 0 */ +- WREG32_P(CG_UPLL_FUNC_CNTL, UPLL_SLEEP_MASK, ~UPLL_SLEEP_MASK); ++ /* disable sleep mode */ + WREG32_P(CG_UPLL_FUNC_CNTL, 0, ~UPLL_SLEEP_MASK); + + /* deassert UPLL_RESET */ +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +index fb7c36e..0771dcb 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +@@ -733,32 +733,6 @@ static int vmw_driver_load(struct drm_device *dev, unsigned long chipset) + goto out_err1; + } + +- ret = ttm_bo_init_mm(&dev_priv->bdev, TTM_PL_VRAM, +- (dev_priv->vram_size >> PAGE_SHIFT)); +- if (unlikely(ret != 0)) { +- DRM_ERROR("Failed initializing memory manager for VRAM.\n"); +- goto out_err2; +- } +- +- dev_priv->has_gmr = true; +- if (((dev_priv->capabilities & (SVGA_CAP_GMR | SVGA_CAP_GMR2)) == 0) || +- refuse_dma || ttm_bo_init_mm(&dev_priv->bdev, VMW_PL_GMR, +- VMW_PL_GMR) != 0) { +- DRM_INFO("No GMR memory available. " +- "Graphics memory resources are very limited.\n"); +- dev_priv->has_gmr = false; +- } +- +- if (dev_priv->capabilities & SVGA_CAP_GBOBJECTS) { +- dev_priv->has_mob = true; +- if (ttm_bo_init_mm(&dev_priv->bdev, VMW_PL_MOB, +- VMW_PL_MOB) != 0) { +- DRM_INFO("No MOB memory available. " +- "3D will be disabled.\n"); +- dev_priv->has_mob = false; +- } +- } +- + dev_priv->mmio_mtrr = arch_phys_wc_add(dev_priv->mmio_start, + dev_priv->mmio_size); + +@@ -821,6 +795,33 @@ static int vmw_driver_load(struct drm_device *dev, unsigned long chipset) + goto out_no_fman; + } + ++ ++ ret = ttm_bo_init_mm(&dev_priv->bdev, TTM_PL_VRAM, ++ (dev_priv->vram_size >> PAGE_SHIFT)); ++ if (unlikely(ret != 0)) { ++ DRM_ERROR("Failed initializing memory manager for VRAM.\n"); ++ goto out_no_vram; ++ } ++ ++ dev_priv->has_gmr = true; ++ if (((dev_priv->capabilities & (SVGA_CAP_GMR | SVGA_CAP_GMR2)) == 0) || ++ refuse_dma || ttm_bo_init_mm(&dev_priv->bdev, VMW_PL_GMR, ++ VMW_PL_GMR) != 0) { ++ DRM_INFO("No GMR memory available. " ++ "Graphics memory resources are very limited.\n"); ++ dev_priv->has_gmr = false; ++ } ++ ++ if (dev_priv->capabilities & SVGA_CAP_GBOBJECTS) { ++ dev_priv->has_mob = true; ++ if (ttm_bo_init_mm(&dev_priv->bdev, VMW_PL_MOB, ++ VMW_PL_MOB) != 0) { ++ DRM_INFO("No MOB memory available. " ++ "3D will be disabled.\n"); ++ dev_priv->has_mob = false; ++ } ++ } ++ + vmw_kms_save_vga(dev_priv); + + /* Start kms and overlay systems, needs fifo. */ +@@ -846,6 +847,12 @@ out_no_fifo: + vmw_kms_close(dev_priv); + out_no_kms: + vmw_kms_restore_vga(dev_priv); ++ if (dev_priv->has_mob) ++ (void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_MOB); ++ if (dev_priv->has_gmr) ++ (void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR); ++ (void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM); ++out_no_vram: + vmw_fence_manager_takedown(dev_priv->fman); + out_no_fman: + if (dev_priv->capabilities & SVGA_CAP_IRQMASK) +@@ -861,12 +868,6 @@ out_err4: + iounmap(dev_priv->mmio_virt); + out_err3: + arch_phys_wc_del(dev_priv->mmio_mtrr); +- if (dev_priv->has_mob) +- (void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_MOB); +- if (dev_priv->has_gmr) +- (void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR); +- (void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM); +-out_err2: + (void)ttm_bo_device_release(&dev_priv->bdev); + out_err1: + vmw_ttm_global_release(dev_priv); +@@ -896,6 +897,13 @@ static int vmw_driver_unload(struct drm_device *dev) + } + vmw_kms_close(dev_priv); + vmw_overlay_close(dev_priv); ++ ++ if (dev_priv->has_mob) ++ (void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_MOB); ++ if (dev_priv->has_gmr) ++ (void)ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR); ++ (void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM); ++ + vmw_fence_manager_takedown(dev_priv->fman); + if (dev_priv->capabilities & SVGA_CAP_IRQMASK) + drm_irq_uninstall(dev_priv->dev); +@@ -907,11 +915,6 @@ static int vmw_driver_unload(struct drm_device *dev) + ttm_object_device_release(&dev_priv->tdev); + iounmap(dev_priv->mmio_virt); + arch_phys_wc_del(dev_priv->mmio_mtrr); +- if (dev_priv->has_mob) +- (void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_MOB); +- if (dev_priv->has_gmr) +- (void)ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR); +- (void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM); + (void)ttm_bo_device_release(&dev_priv->bdev); + vmw_ttm_global_release(dev_priv); + +diff --git a/drivers/mtd/nand/pxa3xx_nand.c b/drivers/mtd/nand/pxa3xx_nand.c +index 51e15fd..d058b00 100644 +--- a/drivers/mtd/nand/pxa3xx_nand.c ++++ b/drivers/mtd/nand/pxa3xx_nand.c +@@ -481,6 +481,42 @@ static void disable_int(struct pxa3xx_nand_info *info, uint32_t int_mask) + nand_writel(info, NDCR, ndcr | int_mask); + } + ++static void drain_fifo(struct pxa3xx_nand_info *info, void *data, int len) ++{ ++ if (info->ecc_bch) { ++ int timeout; ++ ++ /* ++ * According to the datasheet, when reading from NDDB ++ * with BCH enabled, after each 32 bytes reads, we ++ * have to make sure that the NDSR.RDDREQ bit is set. ++ * ++ * Drain the FIFO 8 32 bits reads at a time, and skip ++ * the polling on the last read. ++ */ ++ while (len > 8) { ++ __raw_readsl(info->mmio_base + NDDB, data, 8); ++ ++ for (timeout = 0; ++ !(nand_readl(info, NDSR) & NDSR_RDDREQ); ++ timeout++) { ++ if (timeout >= 5) { ++ dev_err(&info->pdev->dev, ++ "Timeout on RDDREQ while draining the FIFO\n"); ++ return; ++ } ++ ++ mdelay(1); ++ } ++ ++ data += 32; ++ len -= 8; ++ } ++ } ++ ++ __raw_readsl(info->mmio_base + NDDB, data, len); ++} ++ + static void handle_data_pio(struct pxa3xx_nand_info *info) + { + unsigned int do_bytes = min(info->data_size, info->chunk_size); +@@ -497,14 +533,14 @@ static void handle_data_pio(struct pxa3xx_nand_info *info) + DIV_ROUND_UP(info->oob_size, 4)); + break; + case STATE_PIO_READING: +- __raw_readsl(info->mmio_base + NDDB, +- info->data_buff + info->data_buff_pos, +- DIV_ROUND_UP(do_bytes, 4)); ++ drain_fifo(info, ++ info->data_buff + info->data_buff_pos, ++ DIV_ROUND_UP(do_bytes, 4)); + + if (info->oob_size > 0) +- __raw_readsl(info->mmio_base + NDDB, +- info->oob_buff + info->oob_buff_pos, +- DIV_ROUND_UP(info->oob_size, 4)); ++ drain_fifo(info, ++ info->oob_buff + info->oob_buff_pos, ++ DIV_ROUND_UP(info->oob_size, 4)); + break; + default: + dev_err(&info->pdev->dev, "%s: invalid state %d\n", __func__, +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index 1468c46..84ad2b4 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -502,6 +502,14 @@ struct sk_buff *alloc_can_skb(struct net_device *dev, struct can_frame **cf) + skb->pkt_type = PACKET_BROADCAST; + skb->ip_summed = CHECKSUM_UNNECESSARY; + ++ skb_reset_mac_header(skb); ++ skb_reset_network_header(skb); ++ skb_reset_transport_header(skb); ++ ++ skb_reset_mac_header(skb); ++ skb_reset_network_header(skb); ++ skb_reset_transport_header(skb); ++ + can_skb_reserve(skb); + can_skb_prv(skb)->ifindex = dev->ifindex; + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +index 7d43822..2428740 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +@@ -12395,6 +12395,9 @@ static int bnx2x_init_dev(struct bnx2x *bp, struct pci_dev *pdev, + pci_write_config_dword(bp->pdev, PCICFG_GRC_ADDRESS, + PCICFG_VENDOR_ID_OFFSET); + ++ /* Set PCIe reset type to fundamental for EEH recovery */ ++ pdev->needs_freset = 1; ++ + /* AER (Advanced Error reporting) configuration */ + rc = pci_enable_pcie_error_reporting(pdev); + if (!rc) +diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/usb/cx82310_eth.c +index 3eed708..fe48f4c 100644 +--- a/drivers/net/usb/cx82310_eth.c ++++ b/drivers/net/usb/cx82310_eth.c +@@ -300,9 +300,18 @@ static const struct driver_info cx82310_info = { + .tx_fixup = cx82310_tx_fixup, + }; + ++#define USB_DEVICE_CLASS(vend, prod, cl, sc, pr) \ ++ .match_flags = USB_DEVICE_ID_MATCH_DEVICE | \ ++ USB_DEVICE_ID_MATCH_DEV_INFO, \ ++ .idVendor = (vend), \ ++ .idProduct = (prod), \ ++ .bDeviceClass = (cl), \ ++ .bDeviceSubClass = (sc), \ ++ .bDeviceProtocol = (pr) ++ + static const struct usb_device_id products[] = { + { +- USB_DEVICE_AND_INTERFACE_INFO(0x0572, 0xcb01, 0xff, 0, 0), ++ USB_DEVICE_CLASS(0x0572, 0xcb01, 0xff, 0, 0), + .driver_info = (unsigned long) &cx82310_info + }, + { }, +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index b798404..5d8d2dc 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -1764,10 +1764,12 @@ static int _regulator_do_enable(struct regulator_dev *rdev) + trace_regulator_enable(rdev_get_name(rdev)); + + if (rdev->ena_pin) { +- ret = regulator_ena_gpio_ctrl(rdev, true); +- if (ret < 0) +- return ret; +- rdev->ena_gpio_state = 1; ++ if (!rdev->ena_gpio_state) { ++ ret = regulator_ena_gpio_ctrl(rdev, true); ++ if (ret < 0) ++ return ret; ++ rdev->ena_gpio_state = 1; ++ } + } else if (rdev->desc->ops->enable) { + ret = rdev->desc->ops->enable(rdev); + if (ret < 0) +@@ -1897,10 +1899,12 @@ static int _regulator_do_disable(struct regulator_dev *rdev) + trace_regulator_disable(rdev_get_name(rdev)); + + if (rdev->ena_pin) { +- ret = regulator_ena_gpio_ctrl(rdev, false); +- if (ret < 0) +- return ret; +- rdev->ena_gpio_state = 0; ++ if (rdev->ena_gpio_state) { ++ ret = regulator_ena_gpio_ctrl(rdev, false); ++ if (ret < 0) ++ return ret; ++ rdev->ena_gpio_state = 0; ++ } + + } else if (rdev->desc->ops->disable) { + ret = rdev->desc->ops->disable(rdev); +@@ -3454,12 +3458,6 @@ regulator_register(const struct regulator_desc *regulator_desc, + config->ena_gpio, ret); + goto wash; + } +- +- if (config->ena_gpio_flags & GPIOF_OUT_INIT_HIGH) +- rdev->ena_gpio_state = 1; +- +- if (config->ena_gpio_invert) +- rdev->ena_gpio_state = !rdev->ena_gpio_state; + } + + /* set regulator constraints */ +@@ -3631,9 +3629,11 @@ int regulator_suspend_finish(void) + list_for_each_entry(rdev, ®ulator_list, list) { + mutex_lock(&rdev->mutex); + if (rdev->use_count > 0 || rdev->constraints->always_on) { +- error = _regulator_do_enable(rdev); +- if (error) +- ret = error; ++ if (!_regulator_is_enabled(rdev)) { ++ error = _regulator_do_enable(rdev); ++ if (error) ++ ret = error; ++ } + } else { + if (!have_full_constraints()) + goto unlock; +diff --git a/drivers/scsi/libsas/sas_discover.c b/drivers/scsi/libsas/sas_discover.c +index 62b58d3..60de662 100644 +--- a/drivers/scsi/libsas/sas_discover.c ++++ b/drivers/scsi/libsas/sas_discover.c +@@ -500,6 +500,7 @@ static void sas_revalidate_domain(struct work_struct *work) + struct sas_discovery_event *ev = to_sas_discovery_event(work); + struct asd_sas_port *port = ev->port; + struct sas_ha_struct *ha = port->ha; ++ struct domain_device *ddev = port->port_dev; + + /* prevent revalidation from finding sata links in recovery */ + mutex_lock(&ha->disco_mutex); +@@ -514,8 +515,9 @@ static void sas_revalidate_domain(struct work_struct *work) + SAS_DPRINTK("REVALIDATING DOMAIN on port %d, pid:%d\n", port->id, + task_pid_nr(current)); + +- if (port->port_dev) +- res = sas_ex_revalidate_domain(port->port_dev); ++ if (ddev && (ddev->dev_type == SAS_FANOUT_EXPANDER_DEVICE || ++ ddev->dev_type == SAS_EDGE_EXPANDER_DEVICE)) ++ res = sas_ex_revalidate_domain(ddev); + + SAS_DPRINTK("done REVALIDATING DOMAIN on port %d, pid:%d, res 0x%x\n", + port->id, task_pid_nr(current), res); +diff --git a/drivers/spi/spi-atmel.c b/drivers/spi/spi-atmel.c +index 5d7b07f..5f8c6d2 100644 +--- a/drivers/spi/spi-atmel.c ++++ b/drivers/spi/spi-atmel.c +@@ -781,17 +781,17 @@ static void atmel_spi_pdc_next_xfer(struct spi_master *master, + (unsigned long long)xfer->rx_dma); + } + +- /* REVISIT: We're waiting for ENDRX before we start the next ++ /* REVISIT: We're waiting for RXBUFF before we start the next + * transfer because we need to handle some difficult timing +- * issues otherwise. If we wait for ENDTX in one transfer and +- * then starts waiting for ENDRX in the next, it's difficult +- * to tell the difference between the ENDRX interrupt we're +- * actually waiting for and the ENDRX interrupt of the ++ * issues otherwise. If we wait for TXBUFE in one transfer and ++ * then starts waiting for RXBUFF in the next, it's difficult ++ * to tell the difference between the RXBUFF interrupt we're ++ * actually waiting for and the RXBUFF interrupt of the + * previous transfer. + * + * It should be doable, though. Just not now... + */ +- spi_writel(as, IER, SPI_BIT(ENDRX) | SPI_BIT(OVRES)); ++ spi_writel(as, IER, SPI_BIT(RXBUFF) | SPI_BIT(OVRES)); + spi_writel(as, PTCR, SPI_BIT(TXTEN) | SPI_BIT(RXTEN)); + } + +diff --git a/drivers/spi/spi-pl022.c b/drivers/spi/spi-pl022.c +index 971855e..fe091a8 100644 +--- a/drivers/spi/spi-pl022.c ++++ b/drivers/spi/spi-pl022.c +@@ -503,12 +503,12 @@ static void giveback(struct pl022 *pl022) + pl022->cur_msg = NULL; + pl022->cur_transfer = NULL; + pl022->cur_chip = NULL; +- spi_finalize_current_message(pl022->master); + + /* disable the SPI/SSP operation */ + writew((readw(SSP_CR1(pl022->virtbase)) & + (~SSP_CR1_MASK_SSE)), SSP_CR1(pl022->virtbase)); + ++ spi_finalize_current_message(pl022->master); + } + + /** +diff --git a/drivers/staging/iio/adc/mxs-lradc.c b/drivers/staging/iio/adc/mxs-lradc.c +index be89260..27e1a6e 100644 +--- a/drivers/staging/iio/adc/mxs-lradc.c ++++ b/drivers/staging/iio/adc/mxs-lradc.c +@@ -1159,7 +1159,6 @@ static irqreturn_t mxs_lradc_handle_irq(int irq, void *data) + LRADC_CTRL1_LRADC_IRQ(TOUCHSCREEN_VCHANNEL2)); + } + +- if (iio_buffer_enabled(iio)) + if (iio_buffer_enabled(iio)) { + if (reg & lradc->buffer_vchans) + iio_trigger_poll(iio->trig, iio_get_time_ns()); +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c +index 104f29e..e168a63 100644 +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -4196,11 +4196,17 @@ int iscsit_close_connection( + pr_debug("Closing iSCSI connection CID %hu on SID:" + " %u\n", conn->cid, sess->sid); + /* +- * Always up conn_logout_comp just in case the RX Thread is sleeping +- * and the logout response never got sent because the connection +- * failed. ++ * Always up conn_logout_comp for the traditional TCP case just in case ++ * the RX Thread in iscsi_target_rx_opcode() is sleeping and the logout ++ * response never got sent because the connection failed. ++ * ++ * However for iser-target, isert_wait4logout() is using conn_logout_comp ++ * to signal logout response TX interrupt completion. Go ahead and skip ++ * this for iser since isert_rx_opcode() does not wait on logout failure, ++ * and to avoid iscsi_conn pointer dereference in iser-target code. + */ +- complete(&conn->conn_logout_comp); ++ if (conn->conn_transport->transport_type == ISCSI_TCP) ++ complete(&conn->conn_logout_comp); + + iscsi_release_thread_set(conn); + +diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c +index 26ae688..093b8cb 100644 +--- a/drivers/target/target_core_device.c ++++ b/drivers/target/target_core_device.c +@@ -1591,8 +1591,6 @@ int target_configure_device(struct se_device *dev) + ret = dev->transport->configure_device(dev); + if (ret) + goto out; +- dev->dev_flags |= DF_CONFIGURED; +- + /* + * XXX: there is not much point to have two different values here.. + */ +@@ -1654,6 +1652,8 @@ int target_configure_device(struct se_device *dev) + list_add_tail(&dev->g_dev_node, &g_device_list); + mutex_unlock(&g_device_mutex); + ++ dev->dev_flags |= DF_CONFIGURED; ++ + return 0; + + out_free_alua: +diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c +index 0fccdcf..70cb375 100644 +--- a/drivers/target/target_core_pr.c ++++ b/drivers/target/target_core_pr.c +@@ -76,7 +76,7 @@ enum preempt_type { + }; + + static void __core_scsi3_complete_pro_release(struct se_device *, struct se_node_acl *, +- struct t10_pr_registration *, int); ++ struct t10_pr_registration *, int, int); + + static sense_reason_t + target_scsi2_reservation_check(struct se_cmd *cmd) +@@ -528,6 +528,18 @@ static int core_scsi3_pr_seq_non_holder( + + return 0; + } ++ } else if (we && registered_nexus) { ++ /* ++ * Reads are allowed for Write Exclusive locks ++ * from all registrants. ++ */ ++ if (cmd->data_direction == DMA_FROM_DEVICE) { ++ pr_debug("Allowing READ CDB: 0x%02x for %s" ++ " reservation\n", cdb[0], ++ core_scsi3_pr_dump_type(pr_reg_type)); ++ ++ return 0; ++ } + } + pr_debug("%s Conflict for %sregistered nexus %s CDB: 0x%2x" + " for %s reservation\n", transport_dump_cmd_direction(cmd), +@@ -1186,7 +1198,7 @@ static int core_scsi3_check_implicit_release( + * service action with the SERVICE ACTION RESERVATION KEY + * field set to zero (see 5.7.11.3). + */ +- __core_scsi3_complete_pro_release(dev, nacl, pr_reg, 0); ++ __core_scsi3_complete_pro_release(dev, nacl, pr_reg, 0, 1); + ret = 1; + /* + * For 'All Registrants' reservation types, all existing +@@ -1228,7 +1240,8 @@ static void __core_scsi3_free_registration( + + pr_reg->pr_reg_deve->def_pr_registered = 0; + pr_reg->pr_reg_deve->pr_res_key = 0; +- list_del(&pr_reg->pr_reg_list); ++ if (!list_empty(&pr_reg->pr_reg_list)) ++ list_del(&pr_reg->pr_reg_list); + /* + * Caller accessing *pr_reg using core_scsi3_locate_pr_reg(), + * so call core_scsi3_put_pr_reg() to decrement our reference. +@@ -1280,6 +1293,7 @@ void core_scsi3_free_pr_reg_from_nacl( + { + struct t10_reservation *pr_tmpl = &dev->t10_pr; + struct t10_pr_registration *pr_reg, *pr_reg_tmp, *pr_res_holder; ++ bool free_reg = false; + /* + * If the passed se_node_acl matches the reservation holder, + * release the reservation. +@@ -1287,13 +1301,18 @@ void core_scsi3_free_pr_reg_from_nacl( + spin_lock(&dev->dev_reservation_lock); + pr_res_holder = dev->dev_pr_res_holder; + if ((pr_res_holder != NULL) && +- (pr_res_holder->pr_reg_nacl == nacl)) +- __core_scsi3_complete_pro_release(dev, nacl, pr_res_holder, 0); ++ (pr_res_holder->pr_reg_nacl == nacl)) { ++ __core_scsi3_complete_pro_release(dev, nacl, pr_res_holder, 0, 1); ++ free_reg = true; ++ } + spin_unlock(&dev->dev_reservation_lock); + /* + * Release any registration associated with the struct se_node_acl. + */ + spin_lock(&pr_tmpl->registration_lock); ++ if (pr_res_holder && free_reg) ++ __core_scsi3_free_registration(dev, pr_res_holder, NULL, 0); ++ + list_for_each_entry_safe(pr_reg, pr_reg_tmp, + &pr_tmpl->registration_list, pr_reg_list) { + +@@ -1316,7 +1335,7 @@ void core_scsi3_free_all_registrations( + if (pr_res_holder != NULL) { + struct se_node_acl *pr_res_nacl = pr_res_holder->pr_reg_nacl; + __core_scsi3_complete_pro_release(dev, pr_res_nacl, +- pr_res_holder, 0); ++ pr_res_holder, 0, 0); + } + spin_unlock(&dev->dev_reservation_lock); + +@@ -2126,13 +2145,13 @@ core_scsi3_emulate_pro_register(struct se_cmd *cmd, u64 res_key, u64 sa_res_key, + /* + * sa_res_key=0 Unregister Reservation Key for registered I_T Nexus. + */ +- pr_holder = core_scsi3_check_implicit_release( +- cmd->se_dev, pr_reg); ++ type = pr_reg->pr_res_type; ++ pr_holder = core_scsi3_check_implicit_release(cmd->se_dev, ++ pr_reg); + if (pr_holder < 0) { + ret = TCM_RESERVATION_CONFLICT; + goto out; + } +- type = pr_reg->pr_res_type; + + spin_lock(&pr_tmpl->registration_lock); + /* +@@ -2290,6 +2309,7 @@ core_scsi3_pro_reserve(struct se_cmd *cmd, int type, int scope, u64 res_key) + spin_lock(&dev->dev_reservation_lock); + pr_res_holder = dev->dev_pr_res_holder; + if (pr_res_holder) { ++ int pr_res_type = pr_res_holder->pr_res_type; + /* + * From spc4r17 Section 5.7.9: Reserving: + * +@@ -2300,7 +2320,9 @@ core_scsi3_pro_reserve(struct se_cmd *cmd, int type, int scope, u64 res_key) + * the logical unit, then the command shall be completed with + * RESERVATION CONFLICT status. + */ +- if (pr_res_holder != pr_reg) { ++ if ((pr_res_holder != pr_reg) && ++ (pr_res_type != PR_TYPE_WRITE_EXCLUSIVE_ALLREG) && ++ (pr_res_type != PR_TYPE_EXCLUSIVE_ACCESS_ALLREG)) { + struct se_node_acl *pr_res_nacl = pr_res_holder->pr_reg_nacl; + pr_err("SPC-3 PR: Attempted RESERVE from" + " [%s]: %s while reservation already held by" +@@ -2406,23 +2428,59 @@ static void __core_scsi3_complete_pro_release( + struct se_device *dev, + struct se_node_acl *se_nacl, + struct t10_pr_registration *pr_reg, +- int explicit) ++ int explicit, ++ int unreg) + { + struct target_core_fabric_ops *tfo = se_nacl->se_tpg->se_tpg_tfo; + char i_buf[PR_REG_ISID_ID_LEN]; ++ int pr_res_type = 0, pr_res_scope = 0; + + memset(i_buf, 0, PR_REG_ISID_ID_LEN); + core_pr_dump_initiator_port(pr_reg, i_buf, PR_REG_ISID_ID_LEN); + /* + * Go ahead and release the current PR reservation holder. ++ * If an All Registrants reservation is currently active and ++ * a unregister operation is requested, replace the current ++ * dev_pr_res_holder with another active registration. + */ +- dev->dev_pr_res_holder = NULL; ++ if (dev->dev_pr_res_holder) { ++ pr_res_type = dev->dev_pr_res_holder->pr_res_type; ++ pr_res_scope = dev->dev_pr_res_holder->pr_res_scope; ++ dev->dev_pr_res_holder->pr_res_type = 0; ++ dev->dev_pr_res_holder->pr_res_scope = 0; ++ dev->dev_pr_res_holder->pr_res_holder = 0; ++ dev->dev_pr_res_holder = NULL; ++ } ++ if (!unreg) ++ goto out; + +- pr_debug("SPC-3 PR [%s] Service Action: %s RELEASE cleared" +- " reservation holder TYPE: %s ALL_TG_PT: %d\n", +- tfo->get_fabric_name(), (explicit) ? "explicit" : "implicit", +- core_scsi3_pr_dump_type(pr_reg->pr_res_type), +- (pr_reg->pr_reg_all_tg_pt) ? 1 : 0); ++ spin_lock(&dev->t10_pr.registration_lock); ++ list_del_init(&pr_reg->pr_reg_list); ++ /* ++ * If the I_T nexus is a reservation holder, the persistent reservation ++ * is of an all registrants type, and the I_T nexus is the last remaining ++ * registered I_T nexus, then the device server shall also release the ++ * persistent reservation. ++ */ ++ if (!list_empty(&dev->t10_pr.registration_list) && ++ ((pr_res_type == PR_TYPE_WRITE_EXCLUSIVE_ALLREG) || ++ (pr_res_type == PR_TYPE_EXCLUSIVE_ACCESS_ALLREG))) { ++ dev->dev_pr_res_holder = ++ list_entry(dev->t10_pr.registration_list.next, ++ struct t10_pr_registration, pr_reg_list); ++ dev->dev_pr_res_holder->pr_res_type = pr_res_type; ++ dev->dev_pr_res_holder->pr_res_scope = pr_res_scope; ++ dev->dev_pr_res_holder->pr_res_holder = 1; ++ } ++ spin_unlock(&dev->t10_pr.registration_lock); ++out: ++ if (!dev->dev_pr_res_holder) { ++ pr_debug("SPC-3 PR [%s] Service Action: %s RELEASE cleared" ++ " reservation holder TYPE: %s ALL_TG_PT: %d\n", ++ tfo->get_fabric_name(), (explicit) ? "explicit" : ++ "implicit", core_scsi3_pr_dump_type(pr_res_type), ++ (pr_reg->pr_reg_all_tg_pt) ? 1 : 0); ++ } + pr_debug("SPC-3 PR [%s] RELEASE Node: %s%s\n", + tfo->get_fabric_name(), se_nacl->initiatorname, + i_buf); +@@ -2553,7 +2611,7 @@ core_scsi3_emulate_pro_release(struct se_cmd *cmd, int type, int scope, + * server shall not establish a unit attention condition. + */ + __core_scsi3_complete_pro_release(dev, se_sess->se_node_acl, +- pr_reg, 1); ++ pr_reg, 1, 0); + + spin_unlock(&dev->dev_reservation_lock); + +@@ -2641,7 +2699,7 @@ core_scsi3_emulate_pro_clear(struct se_cmd *cmd, u64 res_key) + if (pr_res_holder) { + struct se_node_acl *pr_res_nacl = pr_res_holder->pr_reg_nacl; + __core_scsi3_complete_pro_release(dev, pr_res_nacl, +- pr_res_holder, 0); ++ pr_res_holder, 0, 0); + } + spin_unlock(&dev->dev_reservation_lock); + /* +@@ -2700,7 +2758,7 @@ static void __core_scsi3_complete_pro_preempt( + */ + if (dev->dev_pr_res_holder) + __core_scsi3_complete_pro_release(dev, nacl, +- dev->dev_pr_res_holder, 0); ++ dev->dev_pr_res_holder, 0, 0); + + dev->dev_pr_res_holder = pr_reg; + pr_reg->pr_res_holder = 1; +@@ -2944,8 +3002,8 @@ core_scsi3_pro_preempt(struct se_cmd *cmd, int type, int scope, u64 res_key, + */ + if (pr_reg_n != pr_res_holder) + __core_scsi3_complete_pro_release(dev, +- pr_res_holder->pr_reg_nacl, +- dev->dev_pr_res_holder, 0); ++ pr_res_holder->pr_reg_nacl, ++ dev->dev_pr_res_holder, 0, 0); + /* + * b) Remove the registrations for all I_T nexuses identified + * by the SERVICE ACTION RESERVATION KEY field, except the +@@ -3415,7 +3473,7 @@ after_iport_check: + * holder (i.e., the I_T nexus on which the + */ + __core_scsi3_complete_pro_release(dev, pr_res_nacl, +- dev->dev_pr_res_holder, 0); ++ dev->dev_pr_res_holder, 0, 0); + /* + * g) Move the persistent reservation to the specified I_T nexus using + * the same scope and type as the persistent reservation released in +@@ -3855,7 +3913,8 @@ core_scsi3_pri_read_full_status(struct se_cmd *cmd) + unsigned char *buf; + u32 add_desc_len = 0, add_len = 0, desc_len, exp_desc_len; + u32 off = 8; /* off into first Full Status descriptor */ +- int format_code = 0; ++ int format_code = 0, pr_res_type = 0, pr_res_scope = 0; ++ bool all_reg = false; + + if (cmd->data_length < 8) { + pr_err("PRIN SA READ_FULL_STATUS SCSI Data Length: %u" +@@ -3872,6 +3931,19 @@ core_scsi3_pri_read_full_status(struct se_cmd *cmd) + buf[2] = ((dev->t10_pr.pr_generation >> 8) & 0xff); + buf[3] = (dev->t10_pr.pr_generation & 0xff); + ++ spin_lock(&dev->dev_reservation_lock); ++ if (dev->dev_pr_res_holder) { ++ struct t10_pr_registration *pr_holder = dev->dev_pr_res_holder; ++ ++ if (pr_holder->pr_res_type == PR_TYPE_WRITE_EXCLUSIVE_ALLREG || ++ pr_holder->pr_res_type == PR_TYPE_EXCLUSIVE_ACCESS_ALLREG) { ++ all_reg = true; ++ pr_res_type = pr_holder->pr_res_type; ++ pr_res_scope = pr_holder->pr_res_scope; ++ } ++ } ++ spin_unlock(&dev->dev_reservation_lock); ++ + spin_lock(&pr_tmpl->registration_lock); + list_for_each_entry_safe(pr_reg, pr_reg_tmp, + &pr_tmpl->registration_list, pr_reg_list) { +@@ -3921,14 +3993,20 @@ core_scsi3_pri_read_full_status(struct se_cmd *cmd) + * reservation holder for PR_HOLDER bit. + * + * Also, if this registration is the reservation +- * holder, fill in SCOPE and TYPE in the next byte. ++ * holder or there is an All Registrants reservation ++ * active, fill in SCOPE and TYPE in the next byte. + */ + if (pr_reg->pr_res_holder) { + buf[off++] |= 0x01; + buf[off++] = (pr_reg->pr_res_scope & 0xf0) | + (pr_reg->pr_res_type & 0x0f); +- } else ++ } else if (all_reg) { ++ buf[off++] |= 0x01; ++ buf[off++] = (pr_res_scope & 0xf0) | ++ (pr_res_type & 0x0f); ++ } else { + off += 2; ++ } + + off += 4; /* Skip over reserved area */ + /* +diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c +index 0f199f6..29f2880 100644 +--- a/drivers/target/target_core_pscsi.c ++++ b/drivers/target/target_core_pscsi.c +@@ -1111,7 +1111,7 @@ static u32 pscsi_get_device_type(struct se_device *dev) + struct pscsi_dev_virt *pdv = PSCSI_DEV(dev); + struct scsi_device *sd = pdv->pdv_sd; + +- return sd->type; ++ return (sd) ? sd->type : TYPE_NO_LUN; + } + + static sector_t pscsi_get_blocks(struct se_device *dev) +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index e6463ef..9e54c0f 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -2327,6 +2327,10 @@ int target_get_sess_cmd(struct se_session *se_sess, struct se_cmd *se_cmd, + list_add_tail(&se_cmd->se_cmd_list, &se_sess->sess_cmd_list); + out: + spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags); ++ ++ if (ret && ack_kref) ++ target_put_sess_cmd(se_sess, se_cmd); ++ + return ret; + } + EXPORT_SYMBOL(target_get_sess_cmd); +diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c +index feda344..5892eab 100644 +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -66,7 +66,7 @@ static void moan_device(const char *str, struct pci_dev *dev) + "Please send the output of lspci -vv, this\n" + "message (0x%04x,0x%04x,0x%04x,0x%04x), the\n" + "manufacturer and name of serial board or\n" +- "modem board to rmk+serial@arm.linux.org.uk.\n", ++ "modem board to <linux-serial@vger.kernel.org>.\n", + pci_name(dev), str, dev->vendor, dev->device, + dev->subsystem_vendor, dev->subsystem_device); + } +diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c +index f4a9e33..c8860a8 100644 +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -547,20 +547,26 @@ static unsigned int __startup_pirq(unsigned int irq) + pirq_query_unmask(irq); + + rc = set_evtchn_to_irq(evtchn, irq); +- if (rc != 0) { +- pr_err("irq%d: Failed to set port to irq mapping (%d)\n", +- irq, rc); +- xen_evtchn_close(evtchn); +- return 0; +- } ++ if (rc) ++ goto err; ++ + bind_evtchn_to_cpu(evtchn, 0); + info->evtchn = evtchn; + ++ rc = xen_evtchn_port_setup(info); ++ if (rc) ++ goto err; ++ + out: + unmask_evtchn(evtchn); + eoi_pirq(irq_get_irq_data(irq)); + + return 0; ++ ++err: ++ pr_err("irq%d: Failed to set port to irq mapping (%d)\n", irq, rc); ++ xen_evtchn_close(evtchn); ++ return 0; + } + + static unsigned int startup_pirq(struct irq_data *data) +diff --git a/drivers/xen/xen-pciback/conf_space.c b/drivers/xen/xen-pciback/conf_space.c +index 46ae0f9..75fe3d4 100644 +--- a/drivers/xen/xen-pciback/conf_space.c ++++ b/drivers/xen/xen-pciback/conf_space.c +@@ -16,7 +16,7 @@ + #include "conf_space.h" + #include "conf_space_quirks.h" + +-static bool permissive; ++bool permissive; + module_param(permissive, bool, 0644); + + /* This is where xen_pcibk_read_config_byte, xen_pcibk_read_config_word, +diff --git a/drivers/xen/xen-pciback/conf_space.h b/drivers/xen/xen-pciback/conf_space.h +index e56c934..2e1d73d 100644 +--- a/drivers/xen/xen-pciback/conf_space.h ++++ b/drivers/xen/xen-pciback/conf_space.h +@@ -64,6 +64,8 @@ struct config_field_entry { + void *data; + }; + ++extern bool permissive; ++ + #define OFFSET(cfg_entry) ((cfg_entry)->base_offset+(cfg_entry)->field->offset) + + /* Add fields to a device - the add_fields macro expects to get a pointer to +diff --git a/drivers/xen/xen-pciback/conf_space_header.c b/drivers/xen/xen-pciback/conf_space_header.c +index c5ee825..2d73693 100644 +--- a/drivers/xen/xen-pciback/conf_space_header.c ++++ b/drivers/xen/xen-pciback/conf_space_header.c +@@ -11,6 +11,10 @@ + #include "pciback.h" + #include "conf_space.h" + ++struct pci_cmd_info { ++ u16 val; ++}; ++ + struct pci_bar_info { + u32 val; + u32 len_val; +@@ -20,22 +24,36 @@ struct pci_bar_info { + #define is_enable_cmd(value) ((value)&(PCI_COMMAND_MEMORY|PCI_COMMAND_IO)) + #define is_master_cmd(value) ((value)&PCI_COMMAND_MASTER) + +-static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data) ++/* Bits guests are allowed to control in permissive mode. */ ++#define PCI_COMMAND_GUEST (PCI_COMMAND_MASTER|PCI_COMMAND_SPECIAL| \ ++ PCI_COMMAND_INVALIDATE|PCI_COMMAND_VGA_PALETTE| \ ++ PCI_COMMAND_WAIT|PCI_COMMAND_FAST_BACK) ++ ++static void *command_init(struct pci_dev *dev, int offset) + { +- int i; +- int ret; +- +- ret = xen_pcibk_read_config_word(dev, offset, value, data); +- if (!pci_is_enabled(dev)) +- return ret; +- +- for (i = 0; i < PCI_ROM_RESOURCE; i++) { +- if (dev->resource[i].flags & IORESOURCE_IO) +- *value |= PCI_COMMAND_IO; +- if (dev->resource[i].flags & IORESOURCE_MEM) +- *value |= PCI_COMMAND_MEMORY; ++ struct pci_cmd_info *cmd = kmalloc(sizeof(*cmd), GFP_KERNEL); ++ int err; ++ ++ if (!cmd) ++ return ERR_PTR(-ENOMEM); ++ ++ err = pci_read_config_word(dev, PCI_COMMAND, &cmd->val); ++ if (err) { ++ kfree(cmd); ++ return ERR_PTR(err); + } + ++ return cmd; ++} ++ ++static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data) ++{ ++ int ret = pci_read_config_word(dev, offset, value); ++ const struct pci_cmd_info *cmd = data; ++ ++ *value &= PCI_COMMAND_GUEST; ++ *value |= cmd->val & ~PCI_COMMAND_GUEST; ++ + return ret; + } + +@@ -43,6 +61,8 @@ static int command_write(struct pci_dev *dev, int offset, u16 value, void *data) + { + struct xen_pcibk_dev_data *dev_data; + int err; ++ u16 val; ++ struct pci_cmd_info *cmd = data; + + dev_data = pci_get_drvdata(dev); + if (!pci_is_enabled(dev) && is_enable_cmd(value)) { +@@ -83,6 +103,19 @@ static int command_write(struct pci_dev *dev, int offset, u16 value, void *data) + } + } + ++ cmd->val = value; ++ ++ if (!permissive && (!dev_data || !dev_data->permissive)) ++ return 0; ++ ++ /* Only allow the guest to control certain bits. */ ++ err = pci_read_config_word(dev, offset, &val); ++ if (err || val == value) ++ return err; ++ ++ value &= PCI_COMMAND_GUEST; ++ value |= val & ~PCI_COMMAND_GUEST; ++ + return pci_write_config_word(dev, offset, value); + } + +@@ -282,6 +315,8 @@ static const struct config_field header_common[] = { + { + .offset = PCI_COMMAND, + .size = 2, ++ .init = command_init, ++ .release = bar_release, + .u.w.read = command_read, + .u.w.write = command_write, + }, +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c +index 6eb13c6..499155c 100644 +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -819,8 +819,8 @@ static int fuse_try_move_page(struct fuse_copy_state *cs, struct page **pagep) + + newpage = buf->page; + +- if (WARN_ON(!PageUptodate(newpage))) +- return -EIO; ++ if (!PageUptodate(newpage)) ++ SetPageUptodate(newpage); + + ClearPageMappedToDisk(newpage); + +@@ -1726,6 +1726,9 @@ copy_finish: + static int fuse_notify(struct fuse_conn *fc, enum fuse_notify_code code, + unsigned int size, struct fuse_copy_state *cs) + { ++ /* Don't try to move pages (yet) */ ++ cs->move_pages = 0; ++ + switch (code) { + case FUSE_NOTIFY_POLL: + return fuse_notify_poll(fc, size, cs); +diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c +index 5bee816..14538a8 100644 +--- a/fs/nilfs2/segment.c ++++ b/fs/nilfs2/segment.c +@@ -1906,6 +1906,7 @@ static void nilfs_segctor_drop_written_files(struct nilfs_sc_info *sci, + struct the_nilfs *nilfs) + { + struct nilfs_inode_info *ii, *n; ++ int during_mount = !(sci->sc_super->s_flags & MS_ACTIVE); + int defer_iput = false; + + spin_lock(&nilfs->ns_inode_lock); +@@ -1918,10 +1919,10 @@ static void nilfs_segctor_drop_written_files(struct nilfs_sc_info *sci, + brelse(ii->i_bh); + ii->i_bh = NULL; + list_del_init(&ii->i_dirty); +- if (!ii->vfs_inode.i_nlink) { ++ if (!ii->vfs_inode.i_nlink || during_mount) { + /* +- * Defer calling iput() to avoid a deadlock +- * over I_SYNC flag for inodes with i_nlink == 0 ++ * Defer calling iput() to avoid deadlocks if ++ * i_nlink == 0 or mount is not yet finished. + */ + list_add_tail(&ii->i_dirty, &sci->sc_iput_queue); + defer_iput = true; +diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c +index c4b2646..c254671 100644 +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -1227,6 +1227,9 @@ out: + + static int pagemap_open(struct inode *inode, struct file *file) + { ++ /* do not disclose physical addresses: attack vector */ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; + pr_warn_once("Bits 55-60 of /proc/PID/pagemap entries are about " + "to stop being page-shift some time soon. See the " + "linux/Documentation/vm/pagemap.txt for details.\n"); +diff --git a/include/linux/workqueue.h b/include/linux/workqueue.h +index 6c62cfa..bc9d2c2 100644 +--- a/include/linux/workqueue.h ++++ b/include/linux/workqueue.h +@@ -71,7 +71,8 @@ enum { + /* data contains off-queue information when !WORK_STRUCT_PWQ */ + WORK_OFFQ_FLAG_BASE = WORK_STRUCT_COLOR_SHIFT, + +- WORK_OFFQ_CANCELING = (1 << WORK_OFFQ_FLAG_BASE), ++ __WORK_OFFQ_CANCELING = WORK_OFFQ_FLAG_BASE, ++ WORK_OFFQ_CANCELING = (1 << __WORK_OFFQ_CANCELING), + + /* + * When a work item is off queue, its high bits point to the last +diff --git a/kernel/cpuset.c b/kernel/cpuset.c +index 2fb2877..7b4530b 100644 +--- a/kernel/cpuset.c ++++ b/kernel/cpuset.c +@@ -503,9 +503,6 @@ static void update_domain_attr_tree(struct sched_domain_attr *dattr, + + rcu_read_lock(); + cpuset_for_each_descendant_pre(cp, pos_css, root_cs) { +- if (cp == root_cs) +- continue; +- + /* skip the whole subtree if @cp doesn't have any CPU */ + if (cpumask_empty(cp->cpus_allowed)) { + pos_css = css_rightmost_descendant(pos_css); +diff --git a/kernel/printk/console_cmdline.h b/kernel/printk/console_cmdline.h +index cbd69d8..2ca4a8b 100644 +--- a/kernel/printk/console_cmdline.h ++++ b/kernel/printk/console_cmdline.h +@@ -3,7 +3,7 @@ + + struct console_cmdline + { +- char name[8]; /* Name of the driver */ ++ char name[16]; /* Name of the driver */ + int index; /* Minor dev. to use */ + char *options; /* Options for the driver */ + #ifdef CONFIG_A11Y_BRAILLE_CONSOLE +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c +index 8c086e6..a755ad7 100644 +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -2280,6 +2280,7 @@ void register_console(struct console *newcon) + for (i = 0, c = console_cmdline; + i < MAX_CMDLINECONSOLES && c->name[0]; + i++, c++) { ++ BUILD_BUG_ON(sizeof(c->name) != sizeof(newcon->name)); + if (strcmp(c->name, newcon->name) != 0) + continue; + if (newcon->index >= 0 && +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index f6f31d8..423c9e3 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -2893,19 +2893,57 @@ bool flush_work(struct work_struct *work) + } + EXPORT_SYMBOL_GPL(flush_work); + ++struct cwt_wait { ++ wait_queue_t wait; ++ struct work_struct *work; ++}; ++ ++static int cwt_wakefn(wait_queue_t *wait, unsigned mode, int sync, void *key) ++{ ++ struct cwt_wait *cwait = container_of(wait, struct cwt_wait, wait); ++ ++ if (cwait->work != key) ++ return 0; ++ return autoremove_wake_function(wait, mode, sync, key); ++} ++ + static bool __cancel_work_timer(struct work_struct *work, bool is_dwork) + { ++ static DECLARE_WAIT_QUEUE_HEAD(cancel_waitq); + unsigned long flags; + int ret; + + do { + ret = try_to_grab_pending(work, is_dwork, &flags); + /* +- * If someone else is canceling, wait for the same event it +- * would be waiting for before retrying. ++ * If someone else is already canceling, wait for it to ++ * finish. flush_work() doesn't work for PREEMPT_NONE ++ * because we may get scheduled between @work's completion ++ * and the other canceling task resuming and clearing ++ * CANCELING - flush_work() will return false immediately ++ * as @work is no longer busy, try_to_grab_pending() will ++ * return -ENOENT as @work is still being canceled and the ++ * other canceling task won't be able to clear CANCELING as ++ * we're hogging the CPU. ++ * ++ * Let's wait for completion using a waitqueue. As this ++ * may lead to the thundering herd problem, use a custom ++ * wake function which matches @work along with exclusive ++ * wait and wakeup. + */ +- if (unlikely(ret == -ENOENT)) +- flush_work(work); ++ if (unlikely(ret == -ENOENT)) { ++ struct cwt_wait cwait; ++ ++ init_wait(&cwait.wait); ++ cwait.wait.func = cwt_wakefn; ++ cwait.work = work; ++ ++ prepare_to_wait_exclusive(&cancel_waitq, &cwait.wait, ++ TASK_UNINTERRUPTIBLE); ++ if (work_is_canceling(work)) ++ schedule(); ++ finish_wait(&cancel_waitq, &cwait.wait); ++ } + } while (unlikely(ret < 0)); + + /* tell other tasks trying to grab @work to back off */ +@@ -2914,6 +2952,16 @@ static bool __cancel_work_timer(struct work_struct *work, bool is_dwork) + + flush_work(work); + clear_work_data(work); ++ ++ /* ++ * Paired with prepare_to_wait() above so that either ++ * waitqueue_active() is visible here or !work_is_canceling() is ++ * visible there. ++ */ ++ smp_mb(); ++ if (waitqueue_active(&cancel_waitq)) ++ __wake_up(&cancel_waitq, TASK_NORMAL, 1, work); ++ + return ret; + } + +diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c +index 7a85967..f0f5c5c 100644 +--- a/lib/lz4/lz4_decompress.c ++++ b/lib/lz4/lz4_decompress.c +@@ -139,6 +139,9 @@ static int lz4_uncompress(const char *source, char *dest, int osize) + /* Error: request to write beyond destination buffer */ + if (cpy > oend) + goto _output_error; ++ if ((ref + COPYLENGTH) > oend || ++ (op + COPYLENGTH) > oend) ++ goto _output_error; + LZ4_SECURECOPY(ref, op, (oend - COPYLENGTH)); + while (op < cpy) + *op++ = *ref++; +diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c +index d6be3ed..526bf56 100644 +--- a/net/caif/caif_socket.c ++++ b/net/caif/caif_socket.c +@@ -283,7 +283,7 @@ static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock, + int copylen; + + ret = -EOPNOTSUPP; +- if (m->msg_flags&MSG_OOB) ++ if (flags & MSG_OOB) + goto read_error; + + skb = skb_recv_datagram(sk, flags, 0 , &ret); +diff --git a/net/can/af_can.c b/net/can/af_can.c +index a27f8aa..5e9a227 100644 +--- a/net/can/af_can.c ++++ b/net/can/af_can.c +@@ -262,6 +262,9 @@ int can_send(struct sk_buff *skb, int loop) + goto inval_skb; + } + ++ skb->ip_summed = CHECKSUM_UNNECESSARY; ++ ++ skb_reset_mac_header(skb); + skb_reset_network_header(skb); + skb_reset_transport_header(skb); + +diff --git a/net/compat.c b/net/compat.c +index 275af79..d125290 100644 +--- a/net/compat.c ++++ b/net/compat.c +@@ -71,6 +71,13 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) + __get_user(kmsg->msg_controllen, &umsg->msg_controllen) || + __get_user(kmsg->msg_flags, &umsg->msg_flags)) + return -EFAULT; ++ ++ if (!tmp1) ++ kmsg->msg_namelen = 0; ++ ++ if (kmsg->msg_namelen < 0) ++ return -EINVAL; ++ + if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) + kmsg->msg_namelen = sizeof(struct sockaddr_storage); + kmsg->msg_name = compat_ptr(tmp1); +diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c +index cf9cd13..e731c96 100644 +--- a/net/core/sysctl_net_core.c ++++ b/net/core/sysctl_net_core.c +@@ -25,6 +25,8 @@ + static int zero = 0; + static int one = 1; + static int ushort_max = USHRT_MAX; ++static int min_sndbuf = SOCK_MIN_SNDBUF; ++static int min_rcvbuf = SOCK_MIN_RCVBUF; + + #ifdef CONFIG_RPS + static int rps_sock_flow_sysctl(struct ctl_table *table, int write, +@@ -223,7 +225,7 @@ static struct ctl_table net_core_table[] = { + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_sndbuf, + }, + { + .procname = "rmem_max", +@@ -231,7 +233,7 @@ static struct ctl_table net_core_table[] = { + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_rcvbuf, + }, + { + .procname = "wmem_default", +@@ -239,7 +241,7 @@ static struct ctl_table net_core_table[] = { + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_sndbuf, + }, + { + .procname = "rmem_default", +@@ -247,7 +249,7 @@ static struct ctl_table net_core_table[] = { + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_rcvbuf, + }, + { + .procname = "dev_weight", +diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c +index e34dccb..4eeba4e 100644 +--- a/net/ipv4/inet_diag.c ++++ b/net/ipv4/inet_diag.c +@@ -71,6 +71,20 @@ static inline void inet_diag_unlock_handler( + mutex_unlock(&inet_diag_table_mutex); + } + ++static size_t inet_sk_attr_size(void) ++{ ++ return nla_total_size(sizeof(struct tcp_info)) ++ + nla_total_size(1) /* INET_DIAG_SHUTDOWN */ ++ + nla_total_size(1) /* INET_DIAG_TOS */ ++ + nla_total_size(1) /* INET_DIAG_TCLASS */ ++ + nla_total_size(sizeof(struct inet_diag_meminfo)) ++ + nla_total_size(sizeof(struct inet_diag_msg)) ++ + nla_total_size(SK_MEMINFO_VARS * sizeof(u32)) ++ + nla_total_size(TCP_CA_NAME_MAX) ++ + nla_total_size(sizeof(struct tcpvegas_info)) ++ + 64; ++} ++ + int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk, + struct sk_buff *skb, struct inet_diag_req_v2 *req, + struct user_namespace *user_ns, +@@ -324,9 +338,7 @@ int inet_diag_dump_one_icsk(struct inet_hashinfo *hashinfo, struct sk_buff *in_s + if (err) + goto out; + +- rep = nlmsg_new(sizeof(struct inet_diag_msg) + +- sizeof(struct inet_diag_meminfo) + +- sizeof(struct tcp_info) + 64, GFP_KERNEL); ++ rep = nlmsg_new(inet_sk_attr_size(), GFP_KERNEL); + if (!rep) { + err = -ENOMEM; + goto out; +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 7efa26b..d0c3108 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2617,15 +2617,11 @@ void tcp_send_fin(struct sock *sk) + } else { + /* Socket is locked, keep trying until memory is available. */ + for (;;) { +- skb = alloc_skb_fclone(MAX_TCP_HEADER, +- sk->sk_allocation); ++ skb = sk_stream_alloc_skb(sk, 0, sk->sk_allocation); + if (skb) + break; + yield(); + } +- +- /* Reserve space for headers and prepare control bits. */ +- skb_reserve(skb, MAX_TCP_HEADER); + /* FIN eats a sequence byte, write_seq advanced by tcp_queue_skb(). */ + tcp_init_nondata_skb(skb, tp->write_seq, + TCPHDR_ACK | TCPHDR_FIN); +@@ -2899,9 +2895,9 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn) + { + struct tcp_sock *tp = tcp_sk(sk); + struct tcp_fastopen_request *fo = tp->fastopen_req; +- int syn_loss = 0, space, i, err = 0, iovlen = fo->data->msg_iovlen; +- struct sk_buff *syn_data = NULL, *data; ++ int syn_loss = 0, space, err = 0; + unsigned long last_syn_loss = 0; ++ struct sk_buff *syn_data; + + tp->rx_opt.mss_clamp = tp->advmss; /* If MSS is not cached */ + tcp_fastopen_cache_get(sk, &tp->rx_opt.mss_clamp, &fo->cookie, +@@ -2932,42 +2928,38 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn) + /* limit to order-0 allocations */ + space = min_t(size_t, space, SKB_MAX_HEAD(MAX_TCP_HEADER)); + +- syn_data = skb_copy_expand(syn, MAX_TCP_HEADER, space, +- sk->sk_allocation); +- if (syn_data == NULL) ++ syn_data = sk_stream_alloc_skb(sk, space, sk->sk_allocation); ++ if (!syn_data) + goto fallback; ++ syn_data->ip_summed = CHECKSUM_PARTIAL; ++ memcpy(syn_data->cb, syn->cb, sizeof(syn->cb)); ++ if (unlikely(memcpy_fromiovecend(skb_put(syn_data, space), ++ fo->data->msg_iov, 0, space))) { ++ kfree_skb(syn_data); ++ goto fallback; ++ } + +- for (i = 0; i < iovlen && syn_data->len < space; ++i) { +- struct iovec *iov = &fo->data->msg_iov[i]; +- unsigned char __user *from = iov->iov_base; +- int len = iov->iov_len; +- +- if (syn_data->len + len > space) +- len = space - syn_data->len; +- else if (i + 1 == iovlen) +- /* No more data pending in inet_wait_for_connect() */ +- fo->data = NULL; ++ /* No more data pending in inet_wait_for_connect() */ ++ if (space == fo->size) ++ fo->data = NULL; ++ fo->copied = space; + +- if (skb_add_data(syn_data, from, len)) +- goto fallback; +- } ++ tcp_connect_queue_skb(sk, syn_data); + +- /* Queue a data-only packet after the regular SYN for retransmission */ +- data = pskb_copy(syn_data, sk->sk_allocation); +- if (data == NULL) +- goto fallback; +- TCP_SKB_CB(data)->seq++; +- TCP_SKB_CB(data)->tcp_flags &= ~TCPHDR_SYN; +- TCP_SKB_CB(data)->tcp_flags = (TCPHDR_ACK|TCPHDR_PSH); +- tcp_connect_queue_skb(sk, data); +- fo->copied = data->len; ++ err = tcp_transmit_skb(sk, syn_data, 1, sk->sk_allocation); + +- if (tcp_transmit_skb(sk, syn_data, 0, sk->sk_allocation) == 0) { ++ /* Now full SYN+DATA was cloned and sent (or not), ++ * remove the SYN from the original skb (syn_data) ++ * we keep in write queue in case of a retransmit, as we ++ * also have the SYN packet (with no data) in the same queue. ++ */ ++ TCP_SKB_CB(syn_data)->seq++; ++ TCP_SKB_CB(syn_data)->tcp_flags = TCPHDR_ACK | TCPHDR_PSH; ++ if (!err) { + tp->syn_data = (fo->copied > 0); + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPFASTOPENACTIVE); + goto done; + } +- syn_data = NULL; + + fallback: + /* Send a regular SYN with Fast Open cookie request option */ +@@ -2976,7 +2968,6 @@ fallback: + err = tcp_transmit_skb(sk, syn, 1, sk->sk_allocation); + if (err) + tp->syn_fastopen = 0; +- kfree_skb(syn_data); + done: + fo->cookie.len = -1; /* Exclude Fast Open option for SYN retries */ + return err; +@@ -2996,13 +2987,10 @@ int tcp_connect(struct sock *sk) + return 0; + } + +- buff = alloc_skb_fclone(MAX_TCP_HEADER + 15, sk->sk_allocation); +- if (unlikely(buff == NULL)) ++ buff = sk_stream_alloc_skb(sk, 0, sk->sk_allocation); ++ if (unlikely(!buff)) + return -ENOBUFS; + +- /* Reserve space for headers. */ +- skb_reserve(buff, MAX_TCP_HEADER); +- + tcp_init_nondata_skb(buff, tp->write_seq++, TCPHDR_SYN); + tp->retrans_stamp = TCP_SKB_CB(buff)->when = tcp_time_stamp; + tcp_connect_queue_skb(sk, buff); +diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c +index b4d5e1d..27ca796 100644 +--- a/net/ipv6/fib6_rules.c ++++ b/net/ipv6/fib6_rules.c +@@ -104,6 +104,7 @@ static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp, + goto again; + flp6->saddr = saddr; + } ++ err = rt->dst.error; + goto out; + } + again: +diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c +index 27d3f40..847d2a2 100644 +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -658,16 +658,24 @@ static inline int ip_vs_gather_frags(struct sk_buff *skb, u_int32_t user) + return err; + } + +-static int ip_vs_route_me_harder(int af, struct sk_buff *skb) ++static int ip_vs_route_me_harder(int af, struct sk_buff *skb, ++ unsigned int hooknum) + { ++ if (!sysctl_snat_reroute(skb)) ++ return 0; ++ /* Reroute replies only to remote clients (FORWARD and LOCAL_OUT) */ ++ if (NF_INET_LOCAL_IN == hooknum) ++ return 0; + #ifdef CONFIG_IP_VS_IPV6 + if (af == AF_INET6) { +- if (sysctl_snat_reroute(skb) && ip6_route_me_harder(skb) != 0) ++ struct dst_entry *dst = skb_dst(skb); ++ ++ if (dst->dev && !(dst->dev->flags & IFF_LOOPBACK) && ++ ip6_route_me_harder(skb) != 0) + return 1; + } else + #endif +- if ((sysctl_snat_reroute(skb) || +- skb_rtable(skb)->rt_flags & RTCF_LOCAL) && ++ if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) && + ip_route_me_harder(skb, RTN_LOCAL) != 0) + return 1; + +@@ -790,7 +798,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb, + union nf_inet_addr *snet, + __u8 protocol, struct ip_vs_conn *cp, + struct ip_vs_protocol *pp, +- unsigned int offset, unsigned int ihl) ++ unsigned int offset, unsigned int ihl, ++ unsigned int hooknum) + { + unsigned int verdict = NF_DROP; + +@@ -820,7 +829,7 @@ static int handle_response_icmp(int af, struct sk_buff *skb, + #endif + ip_vs_nat_icmp(skb, pp, cp, 1); + +- if (ip_vs_route_me_harder(af, skb)) ++ if (ip_vs_route_me_harder(af, skb, hooknum)) + goto out; + + /* do the statistics and put it back */ +@@ -915,7 +924,7 @@ static int ip_vs_out_icmp(struct sk_buff *skb, int *related, + + snet.ip = iph->saddr; + return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp, +- pp, ciph.len, ihl); ++ pp, ciph.len, ihl, hooknum); + } + + #ifdef CONFIG_IP_VS_IPV6 +@@ -980,7 +989,8 @@ static int ip_vs_out_icmp_v6(struct sk_buff *skb, int *related, + snet.in6 = ciph.saddr.in6; + writable = ciph.len; + return handle_response_icmp(AF_INET6, skb, &snet, ciph.protocol, cp, +- pp, writable, sizeof(struct ipv6hdr)); ++ pp, writable, sizeof(struct ipv6hdr), ++ hooknum); + } + #endif + +@@ -1039,7 +1049,8 @@ static inline bool is_new_conn(const struct sk_buff *skb, + */ + static unsigned int + handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd, +- struct ip_vs_conn *cp, struct ip_vs_iphdr *iph) ++ struct ip_vs_conn *cp, struct ip_vs_iphdr *iph, ++ unsigned int hooknum) + { + struct ip_vs_protocol *pp = pd->pp; + +@@ -1077,7 +1088,7 @@ handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd, + * if it came from this machine itself. So re-compute + * the routing information. + */ +- if (ip_vs_route_me_harder(af, skb)) ++ if (ip_vs_route_me_harder(af, skb, hooknum)) + goto drop; + + IP_VS_DBG_PKT(10, af, pp, skb, 0, "After SNAT"); +@@ -1180,7 +1191,7 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af) + cp = pp->conn_out_get(af, skb, &iph, 0); + + if (likely(cp)) +- return handle_response(af, skb, pd, cp, &iph); ++ return handle_response(af, skb, pd, cp, &iph, hooknum); + if (sysctl_nat_icmp_send(net) && + (pp->protocol == IPPROTO_TCP || + pp->protocol == IPPROTO_UDP || +diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c +index db80126..a8027e7 100644 +--- a/net/netfilter/ipvs/ip_vs_sync.c ++++ b/net/netfilter/ipvs/ip_vs_sync.c +@@ -891,6 +891,8 @@ static void ip_vs_proc_conn(struct net *net, struct ip_vs_conn_param *param, + IP_VS_DBG(2, "BACKUP, add new conn. failed\n"); + return; + } ++ if (!(flags & IP_VS_CONN_F_TEMPLATE)) ++ kfree(param->pe_data); + } + + if (opt) +@@ -1164,6 +1166,7 @@ static inline int ip_vs_proc_sync_conn(struct net *net, __u8 *p, __u8 *msg_end) + (opt_flags & IPVS_OPT_F_SEQ_DATA ? &opt : NULL) + ); + #endif ++ ip_vs_pe_put(param.pe); + return 0; + /* Error exit */ + out: +diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c +index ad97961..7350723 100644 +--- a/net/netfilter/nft_compat.c ++++ b/net/netfilter/nft_compat.c +@@ -611,8 +611,12 @@ nft_match_select_ops(const struct nft_ctx *ctx, + struct xt_match *match = nft_match->ops.data; + + if (strcmp(match->name, mt_name) == 0 && +- match->revision == rev && match->family == family) ++ match->revision == rev && match->family == family) { ++ if (!try_module_get(match->me)) ++ return ERR_PTR(-ENOENT); ++ + return &nft_match->ops; ++ } + } + + match = xt_request_find_match(family, mt_name, rev); +@@ -682,8 +686,12 @@ nft_target_select_ops(const struct nft_ctx *ctx, + struct xt_target *target = nft_target->ops.data; + + if (strcmp(target->name, tg_name) == 0 && +- target->revision == rev && target->family == family) ++ target->revision == rev && target->family == family) { ++ if (!try_module_get(target->me)) ++ return ERR_PTR(-ENOENT); ++ + return &nft_target->ops; ++ } + } + + target = xt_request_find_target(family, tg_name, rev); +diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c +index 1ba6793..13332db 100644 +--- a/net/netfilter/xt_socket.c ++++ b/net/netfilter/xt_socket.c +@@ -243,12 +243,13 @@ static int + extract_icmp6_fields(const struct sk_buff *skb, + unsigned int outside_hdrlen, + int *protocol, +- struct in6_addr **raddr, +- struct in6_addr **laddr, ++ const struct in6_addr **raddr, ++ const struct in6_addr **laddr, + __be16 *rport, +- __be16 *lport) ++ __be16 *lport, ++ struct ipv6hdr *ipv6_var) + { +- struct ipv6hdr *inside_iph, _inside_iph; ++ const struct ipv6hdr *inside_iph; + struct icmp6hdr *icmph, _icmph; + __be16 *ports, _ports[2]; + u8 inside_nexthdr; +@@ -263,12 +264,14 @@ extract_icmp6_fields(const struct sk_buff *skb, + if (icmph->icmp6_type & ICMPV6_INFOMSG_MASK) + return 1; + +- inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph), sizeof(_inside_iph), &_inside_iph); ++ inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph), ++ sizeof(*ipv6_var), ipv6_var); + if (inside_iph == NULL) + return 1; + inside_nexthdr = inside_iph->nexthdr; + +- inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) + sizeof(_inside_iph), ++ inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) + ++ sizeof(*ipv6_var), + &inside_nexthdr, &inside_fragoff); + if (inside_hdrlen < 0) + return 1; /* hjm: Packet has no/incomplete transport layer headers. */ +@@ -315,10 +318,10 @@ xt_socket_get_sock_v6(struct net *net, const u8 protocol, + static bool + socket_mt6_v1_v2(const struct sk_buff *skb, struct xt_action_param *par) + { +- struct ipv6hdr *iph = ipv6_hdr(skb); ++ struct ipv6hdr ipv6_var, *iph = ipv6_hdr(skb); + struct udphdr _hdr, *hp = NULL; + struct sock *sk = skb->sk; +- struct in6_addr *daddr = NULL, *saddr = NULL; ++ const struct in6_addr *daddr = NULL, *saddr = NULL; + __be16 uninitialized_var(dport), uninitialized_var(sport); + int thoff = 0, uninitialized_var(tproto); + const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo; +@@ -342,7 +345,7 @@ socket_mt6_v1_v2(const struct sk_buff *skb, struct xt_action_param *par) + + } else if (tproto == IPPROTO_ICMPV6) { + if (extract_icmp6_fields(skb, thoff, &tproto, &saddr, &daddr, +- &sport, &dport)) ++ &sport, &dport, &ipv6_var)) + return false; + } else { + return false; +diff --git a/net/rds/iw_rdma.c b/net/rds/iw_rdma.c +index a817705..dba8d08 100644 +--- a/net/rds/iw_rdma.c ++++ b/net/rds/iw_rdma.c +@@ -88,7 +88,9 @@ static unsigned int rds_iw_unmap_fastreg_list(struct rds_iw_mr_pool *pool, + int *unpinned); + static void rds_iw_destroy_fastreg(struct rds_iw_mr_pool *pool, struct rds_iw_mr *ibmr); + +-static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwdev, struct rdma_cm_id **cm_id) ++static int rds_iw_get_device(struct sockaddr_in *src, struct sockaddr_in *dst, ++ struct rds_iw_device **rds_iwdev, ++ struct rdma_cm_id **cm_id) + { + struct rds_iw_device *iwdev; + struct rds_iw_cm_id *i_cm_id; +@@ -112,15 +114,15 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd + src_addr->sin_port, + dst_addr->sin_addr.s_addr, + dst_addr->sin_port, +- rs->rs_bound_addr, +- rs->rs_bound_port, +- rs->rs_conn_addr, +- rs->rs_conn_port); ++ src->sin_addr.s_addr, ++ src->sin_port, ++ dst->sin_addr.s_addr, ++ dst->sin_port); + #ifdef WORKING_TUPLE_DETECTION +- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr && +- src_addr->sin_port == rs->rs_bound_port && +- dst_addr->sin_addr.s_addr == rs->rs_conn_addr && +- dst_addr->sin_port == rs->rs_conn_port) { ++ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr && ++ src_addr->sin_port == src->sin_port && ++ dst_addr->sin_addr.s_addr == dst->sin_addr.s_addr && ++ dst_addr->sin_port == dst->sin_port) { + #else + /* FIXME - needs to compare the local and remote + * ipaddr/port tuple, but the ipaddr is the only +@@ -128,7 +130,7 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd + * zero'ed. It doesn't appear to be properly populated + * during connection setup... + */ +- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr) { ++ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr) { + #endif + spin_unlock_irq(&iwdev->spinlock); + *rds_iwdev = iwdev; +@@ -180,19 +182,13 @@ int rds_iw_update_cm_id(struct rds_iw_device *rds_iwdev, struct rdma_cm_id *cm_i + { + struct sockaddr_in *src_addr, *dst_addr; + struct rds_iw_device *rds_iwdev_old; +- struct rds_sock rs; + struct rdma_cm_id *pcm_id; + int rc; + + src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr; + dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr; + +- rs.rs_bound_addr = src_addr->sin_addr.s_addr; +- rs.rs_bound_port = src_addr->sin_port; +- rs.rs_conn_addr = dst_addr->sin_addr.s_addr; +- rs.rs_conn_port = dst_addr->sin_port; +- +- rc = rds_iw_get_device(&rs, &rds_iwdev_old, &pcm_id); ++ rc = rds_iw_get_device(src_addr, dst_addr, &rds_iwdev_old, &pcm_id); + if (rc) + rds_iw_remove_cm_id(rds_iwdev, cm_id); + +@@ -598,9 +594,17 @@ void *rds_iw_get_mr(struct scatterlist *sg, unsigned long nents, + struct rds_iw_device *rds_iwdev; + struct rds_iw_mr *ibmr = NULL; + struct rdma_cm_id *cm_id; ++ struct sockaddr_in src = { ++ .sin_addr.s_addr = rs->rs_bound_addr, ++ .sin_port = rs->rs_bound_port, ++ }; ++ struct sockaddr_in dst = { ++ .sin_addr.s_addr = rs->rs_conn_addr, ++ .sin_port = rs->rs_conn_port, ++ }; + int ret; + +- ret = rds_iw_get_device(rs, &rds_iwdev, &cm_id); ++ ret = rds_iw_get_device(&src, &dst, &rds_iwdev, &cm_id); + if (ret || !cm_id) { + ret = -ENODEV; + goto out; +diff --git a/net/rxrpc/ar-recvmsg.c b/net/rxrpc/ar-recvmsg.c +index 34b5490..4949f75 100644 +--- a/net/rxrpc/ar-recvmsg.c ++++ b/net/rxrpc/ar-recvmsg.c +@@ -87,7 +87,7 @@ int rxrpc_recvmsg(struct kiocb *iocb, struct socket *sock, + if (!skb) { + /* nothing remains on the queue */ + if (copied && +- (msg->msg_flags & MSG_PEEK || timeo == 0)) ++ (flags & MSG_PEEK || timeo == 0)) + goto out; + + /* wait for a message to turn up */ +diff --git a/sound/core/control.c b/sound/core/control.c +index 98a29b2..f2082a3 100644 +--- a/sound/core/control.c ++++ b/sound/core/control.c +@@ -1168,6 +1168,10 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file, + + if (info->count < 1) + return -EINVAL; ++ if (!*info->id.name) ++ return -EINVAL; ++ if (strnlen(info->id.name, sizeof(info->id.name)) >= sizeof(info->id.name)) ++ return -EINVAL; + access = info->access == 0 ? SNDRV_CTL_ELEM_ACCESS_READWRITE : + (info->access & (SNDRV_CTL_ELEM_ACCESS_READWRITE| + SNDRV_CTL_ELEM_ACCESS_INACTIVE| +diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c +index d9a09bd..9a23bde 100644 +--- a/sound/pci/hda/hda_generic.c ++++ b/sound/pci/hda/hda_generic.c +@@ -653,12 +653,45 @@ static int get_amp_val_to_activate(struct hda_codec *codec, hda_nid_t nid, + return val; + } + ++/* is this a stereo widget or a stereo-to-mono mix? */ ++static bool is_stereo_amps(struct hda_codec *codec, hda_nid_t nid, int dir) ++{ ++ unsigned int wcaps = get_wcaps(codec, nid); ++ hda_nid_t conn; ++ ++ if (wcaps & AC_WCAP_STEREO) ++ return true; ++ if (dir != HDA_INPUT || get_wcaps_type(wcaps) != AC_WID_AUD_MIX) ++ return false; ++ if (snd_hda_get_num_conns(codec, nid) != 1) ++ return false; ++ if (snd_hda_get_connections(codec, nid, &conn, 1) < 0) ++ return false; ++ return !!(get_wcaps(codec, conn) & AC_WCAP_STEREO); ++} ++ + /* initialize the amp value (only at the first time) */ + static void init_amp(struct hda_codec *codec, hda_nid_t nid, int dir, int idx) + { + unsigned int caps = query_amp_caps(codec, nid, dir); + int val = get_amp_val_to_activate(codec, nid, dir, caps, false); +- snd_hda_codec_amp_init_stereo(codec, nid, dir, idx, 0xff, val); ++ ++ if (is_stereo_amps(codec, nid, dir)) ++ snd_hda_codec_amp_init_stereo(codec, nid, dir, idx, 0xff, val); ++ else ++ snd_hda_codec_amp_init(codec, nid, 0, dir, idx, 0xff, val); ++} ++ ++/* update the amp, doing in stereo or mono depending on NID */ ++static int update_amp(struct hda_codec *codec, hda_nid_t nid, int dir, int idx, ++ unsigned int mask, unsigned int val) ++{ ++ if (is_stereo_amps(codec, nid, dir)) ++ return snd_hda_codec_amp_stereo(codec, nid, dir, idx, ++ mask, val); ++ else ++ return snd_hda_codec_amp_update(codec, nid, 0, dir, idx, ++ mask, val); + } + + /* calculate amp value mask we can modify; +@@ -698,7 +731,7 @@ static void activate_amp(struct hda_codec *codec, hda_nid_t nid, int dir, + return; + + val &= mask; +- snd_hda_codec_amp_stereo(codec, nid, dir, idx, mask, val); ++ update_amp(codec, nid, dir, idx, mask, val); + } + + static void activate_amp_out(struct hda_codec *codec, struct nid_path *path, +@@ -4337,13 +4370,11 @@ static void mute_all_mixer_nid(struct hda_codec *codec, hda_nid_t mix) + has_amp = nid_has_mute(codec, mix, HDA_INPUT); + for (i = 0; i < nums; i++) { + if (has_amp) +- snd_hda_codec_amp_stereo(codec, mix, +- HDA_INPUT, i, +- 0xff, HDA_AMP_MUTE); ++ update_amp(codec, mix, HDA_INPUT, i, ++ 0xff, HDA_AMP_MUTE); + else if (nid_has_volume(codec, conn[i], HDA_OUTPUT)) +- snd_hda_codec_amp_stereo(codec, conn[i], +- HDA_OUTPUT, 0, +- 0xff, HDA_AMP_MUTE); ++ update_amp(codec, conn[i], HDA_OUTPUT, 0, ++ 0xff, HDA_AMP_MUTE); + } + } + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 2f3059b..84e8879 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -959,7 +959,7 @@ static unsigned int azx_rirb_get_response(struct hda_bus *bus, + } + } + +- if (!bus->no_response_fallback) ++ if (bus->no_response_fallback) + return -1; + + if (!chip->polling_mode && chip->poll_count < 2) { +diff --git a/sound/pci/hda/hda_proc.c b/sound/pci/hda/hda_proc.c +index ce5a6da..05e19f7 100644 +--- a/sound/pci/hda/hda_proc.c ++++ b/sound/pci/hda/hda_proc.c +@@ -134,13 +134,38 @@ static void print_amp_caps(struct snd_info_buffer *buffer, + (caps & AC_AMPCAP_MUTE) >> AC_AMPCAP_MUTE_SHIFT); + } + ++/* is this a stereo widget or a stereo-to-mono mix? */ ++static bool is_stereo_amps(struct hda_codec *codec, hda_nid_t nid, ++ int dir, unsigned int wcaps, int indices) ++{ ++ hda_nid_t conn; ++ ++ if (wcaps & AC_WCAP_STEREO) ++ return true; ++ /* check for a stereo-to-mono mix; it must be: ++ * only a single connection, only for input, and only a mixer widget ++ */ ++ if (indices != 1 || dir != HDA_INPUT || ++ get_wcaps_type(wcaps) != AC_WID_AUD_MIX) ++ return false; ++ ++ if (snd_hda_get_raw_connections(codec, nid, &conn, 1) < 0) ++ return false; ++ /* the connection source is a stereo? */ ++ wcaps = snd_hda_param_read(codec, conn, AC_PAR_AUDIO_WIDGET_CAP); ++ return !!(wcaps & AC_WCAP_STEREO); ++} ++ + static void print_amp_vals(struct snd_info_buffer *buffer, + struct hda_codec *codec, hda_nid_t nid, +- int dir, int stereo, int indices) ++ int dir, unsigned int wcaps, int indices) + { + unsigned int val; ++ bool stereo; + int i; + ++ stereo = is_stereo_amps(codec, nid, dir, wcaps, indices); ++ + dir = dir == HDA_OUTPUT ? AC_AMP_GET_OUTPUT : AC_AMP_GET_INPUT; + for (i = 0; i < indices; i++) { + snd_iprintf(buffer, " ["); +@@ -757,12 +782,10 @@ static void print_codec_info(struct snd_info_entry *entry, + (codec->single_adc_amp && + wid_type == AC_WID_AUD_IN)) + print_amp_vals(buffer, codec, nid, HDA_INPUT, +- wid_caps & AC_WCAP_STEREO, +- 1); ++ wid_caps, 1); + else + print_amp_vals(buffer, codec, nid, HDA_INPUT, +- wid_caps & AC_WCAP_STEREO, +- conn_len); ++ wid_caps, conn_len); + } + if (wid_caps & AC_WCAP_OUT_AMP) { + snd_iprintf(buffer, " Amp-Out caps: "); +@@ -771,11 +794,10 @@ static void print_codec_info(struct snd_info_entry *entry, + if (wid_type == AC_WID_PIN && + codec->pin_amp_workaround) + print_amp_vals(buffer, codec, nid, HDA_OUTPUT, +- wid_caps & AC_WCAP_STEREO, +- conn_len); ++ wid_caps, conn_len); + else + print_amp_vals(buffer, codec, nid, HDA_OUTPUT, +- wid_caps & AC_WCAP_STEREO, 1); ++ wid_caps, 1); + } + + switch (wid_type) { +diff --git a/sound/pci/hda/patch_cirrus.c b/sound/pci/hda/patch_cirrus.c +index fc492ac..51e2080 100644 +--- a/sound/pci/hda/patch_cirrus.c ++++ b/sound/pci/hda/patch_cirrus.c +@@ -396,6 +396,7 @@ static const struct snd_pci_quirk cs420x_fixup_tbl[] = { + SND_PCI_QUIRK(0x106b, 0x1c00, "MacBookPro 8,1", CS420X_MBP81), + SND_PCI_QUIRK(0x106b, 0x2000, "iMac 12,2", CS420X_IMAC27_122), + SND_PCI_QUIRK(0x106b, 0x2800, "MacBookPro 10,1", CS420X_MBP101), ++ SND_PCI_QUIRK(0x106b, 0x5600, "MacBookAir 5,2", CS420X_MBP81), + SND_PCI_QUIRK(0x106b, 0x5b00, "MacBookAir 4,2", CS420X_MBA42), + SND_PCI_QUIRK_VENDOR(0x106b, "Apple", CS420X_APPLE), + {} /* terminator */ +@@ -587,6 +588,7 @@ static int patch_cs420x(struct hda_codec *codec) + return -ENOMEM; + + spec->gen.automute_hook = cs_automute; ++ codec->single_adc_amp = 1; + + snd_hda_pick_fixup(codec, cs420x_models, cs420x_fixup_tbl, + cs420x_fixups); +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index ffc1946..976493c 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -3232,6 +3232,7 @@ enum { + CXT_PINCFG_LENOVO_TP410, + CXT_PINCFG_LEMOTE_A1004, + CXT_PINCFG_LEMOTE_A1205, ++ CXT_PINCFG_COMPAQ_CQ60, + CXT_FIXUP_STEREO_DMIC, + CXT_FIXUP_INC_MIC_BOOST, + CXT_FIXUP_HEADPHONE_MIC_PIN, +@@ -3368,6 +3369,15 @@ static const struct hda_fixup cxt_fixups[] = { + .type = HDA_FIXUP_PINS, + .v.pins = cxt_pincfg_lemote, + }, ++ [CXT_PINCFG_COMPAQ_CQ60] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ /* 0x17 was falsely set up as a mic, it should 0x1d */ ++ { 0x17, 0x400001f0 }, ++ { 0x1d, 0x97a70120 }, ++ { } ++ } ++ }, + [CXT_FIXUP_STEREO_DMIC] = { + .type = HDA_FIXUP_FUNC, + .v.func = cxt_fixup_stereo_dmic, +@@ -3411,6 +3421,7 @@ static const struct hda_fixup cxt_fixups[] = { + }; + + static const struct snd_pci_quirk cxt5051_fixups[] = { ++ SND_PCI_QUIRK(0x103c, 0x360b, "Compaq CQ60", CXT_PINCFG_COMPAQ_CQ60), + SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo X200", CXT_PINCFG_LENOVO_X200), + {} + }; +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h +index 83bddbd..5293b5a 100644 +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -1773,6 +1773,36 @@ YAMAHA_DEVICE(0x7010, "UB99"), + } + } + }, ++{ ++ USB_DEVICE(0x0582, 0x0159), ++ .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) { ++ /* .vendor_name = "Roland", */ ++ /* .product_name = "UA-22", */ ++ .ifnum = QUIRK_ANY_INTERFACE, ++ .type = QUIRK_COMPOSITE, ++ .data = (const struct snd_usb_audio_quirk[]) { ++ { ++ .ifnum = 0, ++ .type = QUIRK_AUDIO_STANDARD_INTERFACE ++ }, ++ { ++ .ifnum = 1, ++ .type = QUIRK_AUDIO_STANDARD_INTERFACE ++ }, ++ { ++ .ifnum = 2, ++ .type = QUIRK_MIDI_FIXED_ENDPOINT, ++ .data = & (const struct snd_usb_midi_endpoint_info) { ++ .out_cables = 0x0001, ++ .in_cables = 0x0001 ++ } ++ }, ++ { ++ .ifnum = -1 ++ } ++ } ++ } ++}, + /* this catches most recent vendor-specific Roland devices */ + { + .match_flags = USB_DEVICE_ID_MATCH_VENDOR | diff --git a/3.14.36/4420_grsecurity-3.1-3.14.36-201503251807.patch b/3.14.37/4420_grsecurity-3.1-3.14.37-201503270048.patch index 90768c5..e462e33 100644 --- a/3.14.36/4420_grsecurity-3.1-3.14.36-201503251807.patch +++ b/3.14.37/4420_grsecurity-3.1-3.14.37-201503270048.patch @@ -292,7 +292,7 @@ index 5d91ba1..935a4e7 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 4e6537b..ce0ac5f 100644 +index c24acc0..eab5b13 100644 --- a/Makefile +++ b/Makefile @@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -10309,7 +10309,7 @@ index 510baec..9ff2607 100644 } while (++count < 16); printk("\n"); diff --git a/arch/sparc/kernel/process_64.c b/arch/sparc/kernel/process_64.c -index c6f7113..9299700 100644 +index 1a79d68..84423a6 100644 --- a/arch/sparc/kernel/process_64.c +++ b/arch/sparc/kernel/process_64.c @@ -161,7 +161,7 @@ static void show_regwindow(struct pt_regs *regs) @@ -10465,7 +10465,7 @@ index 3a8d184..49498a8 100644 info.flags = 0; info.length = len; diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c -index beb0b5a..5a153f7 100644 +index 25db14a..70162eb 100644 --- a/arch/sparc/kernel/sys_sparc_64.c +++ b/arch/sparc/kernel/sys_sparc_64.c @@ -88,13 +88,14 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi @@ -16770,7 +16770,7 @@ index d3d7469..677ef72 100644 }; diff --git a/arch/x86/include/asm/fpu-internal.h b/arch/x86/include/asm/fpu-internal.h -index cea1c76..6c0d79b 100644 +index 1ac1c00..58f8e36 100644 --- a/arch/x86/include/asm/fpu-internal.h +++ b/arch/x86/include/asm/fpu-internal.h @@ -124,8 +124,11 @@ static inline void sanitize_i387_state(struct task_struct *tsk) @@ -28601,7 +28601,7 @@ index e48b674..a451dd9 100644 .read = native_io_apic_read, .write = native_io_apic_write, diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c -index dd50e26..6e07dc3 100644 +index 7a09aca..cc2e713 100644 --- a/arch/x86/kernel/xsave.c +++ b/arch/x86/kernel/xsave.c @@ -164,18 +164,18 @@ static inline int save_xstate_epilog(void __user *buf, int ia32_frame) @@ -33739,7 +33739,7 @@ index fed892d..e380153 100644 static int diff --git a/arch/x86/mm/pat.c b/arch/x86/mm/pat.c -index 6574388..87e9bef 100644 +index 65743885..87e9bef 100644 --- a/arch/x86/mm/pat.c +++ b/arch/x86/mm/pat.c @@ -376,7 +376,7 @@ int free_memtype(u64 start, u64 end) @@ -39840,10 +39840,10 @@ index 59f7cb2..bac8b6d 100644 return 0; } diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c -index 6928d09..ff6abe8 100644 +index b08eadb..2de41c5 100644 --- a/drivers/char/virtio_console.c +++ b/drivers/char/virtio_console.c -@@ -684,7 +684,7 @@ static ssize_t fill_readbuf(struct port *port, char *out_buf, size_t out_count, +@@ -685,7 +685,7 @@ static ssize_t fill_readbuf(struct port *port, char *out_buf, size_t out_count, if (to_user) { ssize_t ret; @@ -39852,7 +39852,7 @@ index 6928d09..ff6abe8 100644 if (ret) return -EFAULT; } else { -@@ -787,7 +787,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf, +@@ -788,7 +788,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf, if (!port_has_data(port) && !port->host_connected) return 0; @@ -47801,10 +47801,10 @@ index 9e7d95d..d447b88 100644 Say Y here if you want to support for Freescale FlexCAN. diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c -index 1468c46..1f8e748 100644 +index 84ad2b4..23cb983 100644 --- a/drivers/net/can/dev.c +++ b/drivers/net/can/dev.c -@@ -760,7 +760,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev, +@@ -768,7 +768,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev, return -EOPNOTSUPP; } @@ -50639,10 +50639,10 @@ index 84419af..268ede8 100644 &dev_attr_energy_uj.attr; } diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c -index b798404..cd11618 100644 +index 5d8d2dc..99fd3db 100644 --- a/drivers/regulator/core.c +++ b/drivers/regulator/core.c -@@ -3368,7 +3368,7 @@ regulator_register(const struct regulator_desc *regulator_desc, +@@ -3372,7 +3372,7 @@ regulator_register(const struct regulator_desc *regulator_desc, { const struct regulation_constraints *constraints = NULL; const struct regulator_init_data *init_data; @@ -50651,7 +50651,7 @@ index b798404..cd11618 100644 struct regulator_dev *rdev; struct device *dev; int ret, i; -@@ -3438,7 +3438,7 @@ regulator_register(const struct regulator_desc *regulator_desc, +@@ -3442,7 +3442,7 @@ regulator_register(const struct regulator_desc *regulator_desc, rdev->dev.of_node = config->of_node; rdev->dev.parent = dev; dev_set_name(&rdev->dev, "regulator.%d", @@ -52804,7 +52804,7 @@ index 24884ca..26c8220 100644 login->tgt_agt = sbp_target_agent_register(login); if (IS_ERR(login->tgt_agt)) { diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c -index 26ae688..ca12181 100644 +index 093b8cb..9f07935 100644 --- a/drivers/target/target_core_device.c +++ b/drivers/target/target_core_device.c @@ -1526,7 +1526,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name) @@ -52817,7 +52817,7 @@ index 26ae688..ca12181 100644 spin_lock_init(&dev->t10_wwn.t10_vpd_lock); INIT_LIST_HEAD(&dev->t10_pr.registration_list); diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c -index e6463ef..357ef0a 100644 +index 9e54c0f..9c8d784 100644 --- a/drivers/target/target_core_transport.c +++ b/drivers/target/target_core_transport.c @@ -1154,7 +1154,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd) @@ -64016,7 +64016,7 @@ index b96a49b..9bfdc47 100644 cuse_class = class_create(THIS_MODULE, "cuse"); if (IS_ERR(cuse_class)) diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c -index 6eb13c6..4389620 100644 +index 499155c..3eee098 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -1323,7 +1323,7 @@ static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos, @@ -67455,7 +67455,7 @@ index dbd0272..3cd5915 100644 seq_printf(p, "softirq %llu", (unsigned long long)sum_softirq); diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index c4b2646..84f0d7b 100644 +index c254671..c09368e 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -13,12 +13,19 @@ @@ -67622,7 +67622,7 @@ index c4b2646..84f0d7b 100644 mss.resident >> 10, (unsigned long)(mss.pss >> (10 + PSS_SHIFT)), mss.shared_clean >> 10, -@@ -1388,6 +1439,13 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid) +@@ -1391,6 +1442,13 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid) char buffer[64]; int nid; @@ -67636,7 +67636,7 @@ index c4b2646..84f0d7b 100644 if (!mm) return 0; -@@ -1405,11 +1463,15 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid) +@@ -1408,11 +1466,15 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid) mpol_to_str(buffer, sizeof(buffer), pol); mpol_cond_put(pol); @@ -91230,7 +91230,7 @@ index 18ff0b9..40b0eab 100644 /* Don't allow clients that don't understand the native diff --git a/kernel/kmod.c b/kernel/kmod.c -index 6b375af..eaff670 100644 +index 6b375af..c1c119c 100644 --- a/kernel/kmod.c +++ b/kernel/kmod.c @@ -75,7 +75,7 @@ static void free_modprobe_argv(struct subprocess_info *info) @@ -91358,7 +91358,7 @@ index 6b375af..eaff670 100644 EXPORT_SYMBOL(__request_module); #endif /* CONFIG_MODULES */ -@@ -218,6 +271,20 @@ static int ____call_usermodehelper(void *data) +@@ -218,6 +271,21 @@ static int ____call_usermodehelper(void *data) */ set_user_nice(current, 0); @@ -91369,6 +91369,7 @@ index 6b375af..eaff670 100644 + */ + if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) && + strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) && ++ strncmp(sub_info->path, "/usr/libexec/", 13) && + strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) { + printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of /sbin and system library paths\n", sub_info->path); + retval = -EPERM; @@ -91379,7 +91380,7 @@ index 6b375af..eaff670 100644 retval = -ENOMEM; new = prepare_kernel_cred(current); if (!new) -@@ -240,8 +307,8 @@ static int ____call_usermodehelper(void *data) +@@ -240,8 +308,8 @@ static int ____call_usermodehelper(void *data) commit_creds(new); retval = do_execve(getname_kernel(sub_info->path), @@ -91390,7 +91391,7 @@ index 6b375af..eaff670 100644 if (!retval) return 0; -@@ -260,6 +327,10 @@ static int call_helper(void *data) +@@ -260,6 +328,10 @@ static int call_helper(void *data) static void call_usermodehelper_freeinfo(struct subprocess_info *info) { @@ -91401,7 +91402,7 @@ index 6b375af..eaff670 100644 if (info->cleanup) (*info->cleanup)(info); kfree(info); -@@ -303,7 +374,7 @@ static int wait_for_helper(void *data) +@@ -303,7 +375,7 @@ static int wait_for_helper(void *data) * * Thus the __user pointer cast is valid here. */ @@ -91410,7 +91411,7 @@ index 6b375af..eaff670 100644 /* * If ret is 0, either ____call_usermodehelper failed and the -@@ -542,7 +613,12 @@ struct subprocess_info *call_usermodehelper_setup(char *path, char **argv, +@@ -542,7 +614,12 @@ struct subprocess_info *call_usermodehelper_setup(char *path, char **argv, goto out; INIT_WORK(&sub_info->work, __call_usermodehelper); @@ -91423,7 +91424,7 @@ index 6b375af..eaff670 100644 sub_info->argv = argv; sub_info->envp = envp; -@@ -650,7 +726,7 @@ EXPORT_SYMBOL(call_usermodehelper); +@@ -650,7 +727,7 @@ EXPORT_SYMBOL(call_usermodehelper); static int proc_cap_handler(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -92988,21 +92989,8 @@ index f1fe7ec..7d4e641 100644 break; if (pm_wakeup_pending()) { -diff --git a/kernel/printk/console_cmdline.h b/kernel/printk/console_cmdline.h -index cbd69d8..2ca4a8b 100644 ---- a/kernel/printk/console_cmdline.h -+++ b/kernel/printk/console_cmdline.h -@@ -3,7 +3,7 @@ - - struct console_cmdline - { -- char name[8]; /* Name of the driver */ -+ char name[16]; /* Name of the driver */ - int index; /* Minor dev. to use */ - char *options; /* Options for the driver */ - #ifdef CONFIG_A11Y_BRAILLE_CONSOLE diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c -index 8c086e6..bf7e534 100644 +index a755ad7..bf7e534 100644 --- a/kernel/printk/printk.c +++ b/kernel/printk/printk.c @@ -385,6 +385,11 @@ static int check_syslog_permissions(int type, bool from_file) @@ -93017,14 +93005,6 @@ index 8c086e6..bf7e534 100644 if (syslog_action_restricted(type)) { if (capable(CAP_SYSLOG)) return 0; -@@ -2280,6 +2285,7 @@ void register_console(struct console *newcon) - for (i = 0, c = console_cmdline; - i < MAX_CMDLINECONSOLES && c->name[0]; - i++, c++) { -+ BUILD_BUG_ON(sizeof(c->name) != sizeof(newcon->name)); - if (strcmp(c->name, newcon->name) != 0) - continue; - if (newcon->index >= 0 && diff --git a/kernel/profile.c b/kernel/profile.c index ebdd9c1..612ee05 100644 --- a/kernel/profile.c @@ -95767,10 +95747,10 @@ index c9b6f01..37781d9 100644 .thread_should_run = watchdog_should_run, .thread_fn = watchdog, diff --git a/kernel/workqueue.c b/kernel/workqueue.c -index f6f31d8..bbe30db 100644 +index 423c9e3..67fa411 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c -@@ -4687,7 +4687,7 @@ static void rebind_workers(struct worker_pool *pool) +@@ -4735,7 +4735,7 @@ static void rebind_workers(struct worker_pool *pool) WARN_ON_ONCE(!(worker_flags & WORKER_UNBOUND)); worker_flags |= WORKER_REBOUND; worker_flags &= ~WORKER_UNBOUND; @@ -96717,6 +96697,18 @@ index 0862816..2e3a043 100644 select PROC_PAGE_MONITOR config NOMMU_INITIAL_TRIM_EXCESS +diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug +index 4b24432..63a3e5e 100644 +--- a/mm/Kconfig.debug ++++ b/mm/Kconfig.debug +@@ -1,6 +1,7 @@ + config DEBUG_PAGEALLOC + bool "Debug page memory allocations" + depends on DEBUG_KERNEL ++ depends on !PAX_MEMORY_SANITIZE + depends on !HIBERNATION || ARCH_SUPPORTS_DEBUG_PAGEALLOC && !PPC && !SPARC + depends on !KMEMCHECK + select PAGE_POISONING if !ARCH_SUPPORTS_DEBUG_PAGEALLOC diff --git a/mm/backing-dev.c b/mm/backing-dev.c index 09d9591..165bb75 100644 --- a/mm/backing-dev.c @@ -102481,10 +102473,10 @@ index 4589ff67..46d6b8f 100644 .priv_size = sizeof(struct chnl_net), .setup = ipcaif_net_setup, diff --git a/net/can/af_can.c b/net/can/af_can.c -index a27f8aa..67174a3 100644 +index 5e9a227..92270b3 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c -@@ -863,7 +863,7 @@ static const struct net_proto_family can_family_ops = { +@@ -866,7 +866,7 @@ static const struct net_proto_family can_family_ops = { }; /* notifier block for netdevice event */ @@ -102573,11 +102565,11 @@ index 2e87eec..6301eb0 100644 switch (ss->ss_family) { diff --git a/net/compat.c b/net/compat.c -index 275af79..859a46f 100644 +index d125290..e86e034 100644 --- a/net/compat.c +++ b/net/compat.c -@@ -73,9 +73,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) - return -EFAULT; +@@ -80,9 +80,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) + if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) kmsg->msg_namelen = sizeof(struct sockaddr_storage); - kmsg->msg_name = compat_ptr(tmp1); @@ -102589,7 +102581,7 @@ index 275af79..859a46f 100644 return 0; } -@@ -87,7 +87,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, +@@ -94,7 +94,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, if (kern_msg->msg_name && kern_msg->msg_namelen) { if (mode == VERIFY_READ) { @@ -102598,7 +102590,7 @@ index 275af79..859a46f 100644 kern_msg->msg_namelen, kern_address); if (err < 0) -@@ -100,7 +100,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, +@@ -107,7 +107,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, } tot_len = iov_from_user_compat_to_kern(kern_iov, @@ -102607,7 +102599,7 @@ index 275af79..859a46f 100644 kern_msg->msg_iovlen); if (tot_len >= 0) kern_msg->msg_iov = kern_iov; -@@ -120,20 +120,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, +@@ -127,20 +127,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, #define CMSG_COMPAT_FIRSTHDR(msg) \ (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \ @@ -102631,7 +102623,7 @@ index 275af79..859a46f 100644 msg->msg_controllen) return NULL; return (struct compat_cmsghdr __user *)ptr; -@@ -223,7 +223,7 @@ Efault: +@@ -230,7 +230,7 @@ Efault: int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *data) { @@ -102640,7 +102632,7 @@ index 275af79..859a46f 100644 struct compat_cmsghdr cmhdr; struct compat_timeval ctv; struct compat_timespec cts[3]; -@@ -279,7 +279,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat +@@ -286,7 +286,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm) { @@ -102649,7 +102641,7 @@ index 275af79..859a46f 100644 int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int); int fdnum = scm->fp->count; struct file **fp = scm->fp->fp; -@@ -367,7 +367,7 @@ static int do_set_sock_timeout(struct socket *sock, int level, +@@ -374,7 +374,7 @@ static int do_set_sock_timeout(struct socket *sock, int level, return -EFAULT; old_fs = get_fs(); set_fs(KERNEL_DS); @@ -102658,7 +102650,7 @@ index 275af79..859a46f 100644 set_fs(old_fs); return err; -@@ -428,7 +428,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname, +@@ -435,7 +435,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname, len = sizeof(ktime); old_fs = get_fs(); set_fs(KERNEL_DS); @@ -102667,7 +102659,7 @@ index 275af79..859a46f 100644 set_fs(old_fs); if (!err) { -@@ -571,7 +571,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, +@@ -578,7 +578,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, case MCAST_JOIN_GROUP: case MCAST_LEAVE_GROUP: { @@ -102676,7 +102668,7 @@ index 275af79..859a46f 100644 struct group_req __user *kgr = compat_alloc_user_space(sizeof(struct group_req)); u32 interface; -@@ -592,7 +592,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, +@@ -599,7 +599,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, case MCAST_BLOCK_SOURCE: case MCAST_UNBLOCK_SOURCE: { @@ -102685,7 +102677,7 @@ index 275af79..859a46f 100644 struct group_source_req __user *kgsr = compat_alloc_user_space( sizeof(struct group_source_req)); u32 interface; -@@ -613,7 +613,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, +@@ -620,7 +620,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, } case MCAST_MSFILTER: { @@ -102694,7 +102686,7 @@ index 275af79..859a46f 100644 struct group_filter __user *kgf; u32 interface, fmode, numsrc; -@@ -651,7 +651,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname, +@@ -658,7 +658,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname, char __user *optval, int __user *optlen, int (*getsockopt)(struct sock *, int, int, char __user *, int __user *)) { @@ -102703,7 +102695,7 @@ index 275af79..859a46f 100644 struct group_filter __user *kgf; int __user *koptlen; u32 interface, fmode, numsrc; -@@ -795,7 +795,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) +@@ -802,7 +802,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) if (call < SYS_SOCKET || call > SYS_SENDMMSG) return -EINVAL; @@ -103506,19 +103498,10 @@ index c38e7a2..773e3d7 100644 } EXPORT_SYMBOL_GPL(sock_diag_unregister); diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c -index cf9cd13..26d07e0 100644 +index e731c96..26d07e0 100644 --- a/net/core/sysctl_net_core.c +++ b/net/core/sysctl_net_core.c -@@ -25,6 +25,8 @@ - static int zero = 0; - static int one = 1; - static int ushort_max = USHRT_MAX; -+static int min_sndbuf = SOCK_MIN_SNDBUF; -+static int min_rcvbuf = SOCK_MIN_RCVBUF; - - #ifdef CONFIG_RPS - static int rps_sock_flow_sysctl(struct ctl_table *table, int write, -@@ -32,7 +34,7 @@ static int rps_sock_flow_sysctl(struct ctl_table *table, int write, +@@ -34,7 +34,7 @@ static int rps_sock_flow_sysctl(struct ctl_table *table, int write, { unsigned int orig_size, size; int ret, i; @@ -103527,7 +103510,7 @@ index cf9cd13..26d07e0 100644 .data = &size, .maxlen = sizeof(size), .mode = table->mode -@@ -200,7 +202,7 @@ static int set_default_qdisc(struct ctl_table *table, int write, +@@ -202,7 +202,7 @@ static int set_default_qdisc(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { char id[IFNAMSIZ]; @@ -103536,43 +103519,7 @@ index cf9cd13..26d07e0 100644 .data = id, .maxlen = IFNAMSIZ, }; -@@ -223,7 +225,7 @@ static struct ctl_table net_core_table[] = { - .maxlen = sizeof(int), - .mode = 0644, - .proc_handler = proc_dointvec_minmax, -- .extra1 = &one, -+ .extra1 = &min_sndbuf, - }, - { - .procname = "rmem_max", -@@ -231,7 +233,7 @@ static struct ctl_table net_core_table[] = { - .maxlen = sizeof(int), - .mode = 0644, - .proc_handler = proc_dointvec_minmax, -- .extra1 = &one, -+ .extra1 = &min_rcvbuf, - }, - { - .procname = "wmem_default", -@@ -239,7 +241,7 @@ static struct ctl_table net_core_table[] = { - .maxlen = sizeof(int), - .mode = 0644, - .proc_handler = proc_dointvec_minmax, -- .extra1 = &one, -+ .extra1 = &min_sndbuf, - }, - { - .procname = "rmem_default", -@@ -247,7 +249,7 @@ static struct ctl_table net_core_table[] = { - .maxlen = sizeof(int), - .mode = 0644, - .proc_handler = proc_dointvec_minmax, -- .extra1 = &one, -+ .extra1 = &min_rcvbuf, - }, - { - .procname = "dev_weight", -@@ -379,13 +381,12 @@ static struct ctl_table netns_core_table[] = { +@@ -381,13 +381,12 @@ static struct ctl_table netns_core_table[] = { static __net_init int sysctl_core_net_init(struct net *net) { @@ -103588,7 +103535,7 @@ index cf9cd13..26d07e0 100644 if (tbl == NULL) goto err_dup; -@@ -395,17 +396,16 @@ static __net_init int sysctl_core_net_init(struct net *net) +@@ -397,17 +396,16 @@ static __net_init int sysctl_core_net_init(struct net *net) if (net->user_ns != &init_user_ns) { tbl[0].procname = NULL; } @@ -103610,7 +103557,7 @@ index cf9cd13..26d07e0 100644 err_dup: return -ENOMEM; } -@@ -420,7 +420,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net) +@@ -422,7 +420,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net) kfree(tbl); } @@ -103903,42 +103850,6 @@ index 0d1e2cb..4501a2c 100644 EXPORT_SYMBOL(sysctl_local_reserved_ports); void inet_get_local_port_range(struct net *net, int *low, int *high) -diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c -index e34dccb..4eeba4e 100644 ---- a/net/ipv4/inet_diag.c -+++ b/net/ipv4/inet_diag.c -@@ -71,6 +71,20 @@ static inline void inet_diag_unlock_handler( - mutex_unlock(&inet_diag_table_mutex); - } - -+static size_t inet_sk_attr_size(void) -+{ -+ return nla_total_size(sizeof(struct tcp_info)) -+ + nla_total_size(1) /* INET_DIAG_SHUTDOWN */ -+ + nla_total_size(1) /* INET_DIAG_TOS */ -+ + nla_total_size(1) /* INET_DIAG_TCLASS */ -+ + nla_total_size(sizeof(struct inet_diag_meminfo)) -+ + nla_total_size(sizeof(struct inet_diag_msg)) -+ + nla_total_size(SK_MEMINFO_VARS * sizeof(u32)) -+ + nla_total_size(TCP_CA_NAME_MAX) -+ + nla_total_size(sizeof(struct tcpvegas_info)) -+ + 64; -+} -+ - int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk, - struct sk_buff *skb, struct inet_diag_req_v2 *req, - struct user_namespace *user_ns, -@@ -324,9 +338,7 @@ int inet_diag_dump_one_icsk(struct inet_hashinfo *hashinfo, struct sk_buff *in_s - if (err) - goto out; - -- rep = nlmsg_new(sizeof(struct inet_diag_msg) + -- sizeof(struct inet_diag_meminfo) + -- sizeof(struct tcp_info) + 64, GFP_KERNEL); -+ rep = nlmsg_new(inet_sk_attr_size(), GFP_KERNEL); - if (!rep) { - err = -ENOMEM; - goto out; diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c index 8b9cf27..9c17cab 100644 --- a/net/ipv4/inet_hashtables.c @@ -106471,7 +106382,7 @@ index 610e19c..08d0c3f 100644 if (!todrop_rate[i]) return 0; diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c -index 27d3f40..f95d8d0 100644 +index 847d2a2..4dc8ae3 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c @@ -567,7 +567,7 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb, @@ -106483,7 +106394,7 @@ index 27d3f40..f95d8d0 100644 ip_vs_conn_put(cp); return ret; } -@@ -1711,7 +1711,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af) +@@ -1722,7 +1722,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af) if (cp->flags & IP_VS_CONN_F_ONE_PACKET) pkts = sysctl_sync_threshold(ipvs); else @@ -106595,7 +106506,7 @@ index 3f21a2f..a112e85 100644 .procname = "lblcr_expiration", .data = NULL, diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c -index db80126..ef7110e 100644 +index a8027e7..f5521e7 100644 --- a/net/netfilter/ipvs/ip_vs_sync.c +++ b/net/netfilter/ipvs/ip_vs_sync.c @@ -609,7 +609,7 @@ static void ip_vs_sync_conn_v0(struct net *net, struct ip_vs_conn *cp, @@ -106616,7 +106527,7 @@ index db80126..ef7110e 100644 else pkts = sysctl_sync_threshold(ipvs); goto sloop; -@@ -895,7 +895,7 @@ static void ip_vs_proc_conn(struct net *net, struct ip_vs_conn_param *param, +@@ -897,7 +897,7 @@ static void ip_vs_proc_conn(struct net *net, struct ip_vs_conn_param *param, if (opt) memcpy(&cp->in_seq, opt, sizeof(*opt)); @@ -106857,7 +106768,7 @@ index 6ff12a1..d1815b6 100644 if (data_len) { diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c -index ad97961..a312654 100644 +index 7350723..c58f861 100644 --- a/net/netfilter/nft_compat.c +++ b/net/netfilter/nft_compat.c @@ -216,7 +216,7 @@ target_dump_info(struct sk_buff *skb, const struct xt_target *t, const void *in) @@ -107236,94 +107147,6 @@ index a91e1db..cf3053f 100644 #else ic->i_ack_next = 0; #endif -diff --git a/net/rds/iw_rdma.c b/net/rds/iw_rdma.c -index a817705..dba8d08 100644 ---- a/net/rds/iw_rdma.c -+++ b/net/rds/iw_rdma.c -@@ -88,7 +88,9 @@ static unsigned int rds_iw_unmap_fastreg_list(struct rds_iw_mr_pool *pool, - int *unpinned); - static void rds_iw_destroy_fastreg(struct rds_iw_mr_pool *pool, struct rds_iw_mr *ibmr); - --static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwdev, struct rdma_cm_id **cm_id) -+static int rds_iw_get_device(struct sockaddr_in *src, struct sockaddr_in *dst, -+ struct rds_iw_device **rds_iwdev, -+ struct rdma_cm_id **cm_id) - { - struct rds_iw_device *iwdev; - struct rds_iw_cm_id *i_cm_id; -@@ -112,15 +114,15 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd - src_addr->sin_port, - dst_addr->sin_addr.s_addr, - dst_addr->sin_port, -- rs->rs_bound_addr, -- rs->rs_bound_port, -- rs->rs_conn_addr, -- rs->rs_conn_port); -+ src->sin_addr.s_addr, -+ src->sin_port, -+ dst->sin_addr.s_addr, -+ dst->sin_port); - #ifdef WORKING_TUPLE_DETECTION -- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr && -- src_addr->sin_port == rs->rs_bound_port && -- dst_addr->sin_addr.s_addr == rs->rs_conn_addr && -- dst_addr->sin_port == rs->rs_conn_port) { -+ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr && -+ src_addr->sin_port == src->sin_port && -+ dst_addr->sin_addr.s_addr == dst->sin_addr.s_addr && -+ dst_addr->sin_port == dst->sin_port) { - #else - /* FIXME - needs to compare the local and remote - * ipaddr/port tuple, but the ipaddr is the only -@@ -128,7 +130,7 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd - * zero'ed. It doesn't appear to be properly populated - * during connection setup... - */ -- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr) { -+ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr) { - #endif - spin_unlock_irq(&iwdev->spinlock); - *rds_iwdev = iwdev; -@@ -180,19 +182,13 @@ int rds_iw_update_cm_id(struct rds_iw_device *rds_iwdev, struct rdma_cm_id *cm_i - { - struct sockaddr_in *src_addr, *dst_addr; - struct rds_iw_device *rds_iwdev_old; -- struct rds_sock rs; - struct rdma_cm_id *pcm_id; - int rc; - - src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr; - dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr; - -- rs.rs_bound_addr = src_addr->sin_addr.s_addr; -- rs.rs_bound_port = src_addr->sin_port; -- rs.rs_conn_addr = dst_addr->sin_addr.s_addr; -- rs.rs_conn_port = dst_addr->sin_port; -- -- rc = rds_iw_get_device(&rs, &rds_iwdev_old, &pcm_id); -+ rc = rds_iw_get_device(src_addr, dst_addr, &rds_iwdev_old, &pcm_id); - if (rc) - rds_iw_remove_cm_id(rds_iwdev, cm_id); - -@@ -598,9 +594,17 @@ void *rds_iw_get_mr(struct scatterlist *sg, unsigned long nents, - struct rds_iw_device *rds_iwdev; - struct rds_iw_mr *ibmr = NULL; - struct rdma_cm_id *cm_id; -+ struct sockaddr_in src = { -+ .sin_addr.s_addr = rs->rs_bound_addr, -+ .sin_port = rs->rs_bound_port, -+ }; -+ struct sockaddr_in dst = { -+ .sin_addr.s_addr = rs->rs_conn_addr, -+ .sin_port = rs->rs_conn_port, -+ }; - int ret; - -- ret = rds_iw_get_device(rs, &rds_iwdev, &cm_id); -+ ret = rds_iw_get_device(&src, &dst, &rds_iwdev, &cm_id); - if (ret || !cm_id) { - ret = -ENODEV; - goto out; diff --git a/net/rds/iw_recv.c b/net/rds/iw_recv.c index 4503335..db566b4 100644 --- a/net/rds/iw_recv.c @@ -119978,10 +119801,10 @@ index 0000000..4378111 +} diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data new file mode 100644 -index 0000000..f084dc7 +index 0000000..f48651d --- /dev/null +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data -@@ -0,0 +1,6045 @@ +@@ -0,0 +1,6057 @@ +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL +ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL @@ -120192,6 +120015,7 @@ index 0000000..f084dc7 +xfs_buf_map_from_irec_2368 xfs_buf_map_from_irec 5-0 2368 NULL nohasharray +rose_recvmsg_2368 rose_recvmsg 4 2368 &xfs_buf_map_from_irec_2368 +il_dbgfs_sensitivity_read_2370 il_dbgfs_sensitivity_read 3 2370 NULL ++rts51x_read_ppbuf_2389 rts51x_read_ppbuf 3 2389 NULL +rxpipe_rx_prep_beacon_drop_read_2403 rxpipe_rx_prep_beacon_drop_read 3 2403 NULL +isdn_v110_open_2418 isdn_v110_open 3 2418 NULL +raid1_size_2419 raid1_size 0-2 2419 NULL @@ -120555,7 +120379,8 @@ index 0000000..f084dc7 +mpeg_read_6708 mpeg_read 3 6708 NULL +ibmpex_query_sensor_count_6709 ibmpex_query_sensor_count 0 6709 NULL +video_proc_write_6724 video_proc_write 3 6724 NULL -+posix_acl_xattr_count_6725 posix_acl_xattr_count 0-1 6725 NULL ++posix_acl_xattr_count_6725 posix_acl_xattr_count 0-1 6725 NULL nohasharray ++rts51x_transfer_data_rcc_6725 rts51x_transfer_data_rcc 4 6725 &posix_acl_xattr_count_6725 +kobject_add_varg_6781 kobject_add_varg 0 6781 NULL +iwl_dbgfs_channels_read_6784 iwl_dbgfs_channels_read 3 6784 NULL +ieee80211_if_read_6785 ieee80211_if_read 3 6785 NULL @@ -120658,6 +120483,7 @@ index 0000000..f084dc7 +config_desc_7878 config_desc 0 7878 NULL +gfs2_permission_7884 gfs2_permission 0 7884 NULL +dvb_dmxdev_read_sec_7892 dvb_dmxdev_read_sec 4 7892 NULL ++xd_read_data_from_ppb_7897 xd_read_data_from_ppb 4 7897 NULL +xfs_trans_get_efi_7898 xfs_trans_get_efi 2 7898 NULL +libfc_host_alloc_7917 libfc_host_alloc 2 7917 NULL +f_hidg_write_7932 f_hidg_write 3 7932 NULL @@ -121026,7 +120852,8 @@ index 0000000..f084dc7 +xfs_rtcheck_alloc_range_11553 xfs_rtcheck_alloc_range 0 11553 NULL +radix_tree_extend_11555 radix_tree_extend 0 11555 NULL +skb_cow_data_11565 skb_cow_data 0 11565 NULL -+lpfc_idiag_ctlacc_write_11576 lpfc_idiag_ctlacc_write 3 11576 NULL ++lpfc_idiag_ctlacc_write_11576 lpfc_idiag_ctlacc_write 3 11576 NULL nohasharray ++rts51x_write_ppbuf_11576 rts51x_write_ppbuf 3 11576 &lpfc_idiag_ctlacc_write_11576 +oprofilefs_ulong_to_user_11582 oprofilefs_ulong_to_user 3 11582 NULL +batadv_iv_ogm_orig_add_if_11586 batadv_iv_ogm_orig_add_if 2 11586 NULL +snd_pcm_action_11589 snd_pcm_action 0 11589 NULL @@ -121706,6 +121533,7 @@ index 0000000..f084dc7 +SyS_lsetxattr_18776 SyS_lsetxattr 4 18776 NULL +alloc_fcdev_18780 alloc_fcdev 1 18780 NULL +prealloc_18800 prealloc 0 18800 NULL ++sd_write_data_18803 sd_write_data 9 18803 NULL +dm_stats_print_18815 dm_stats_print 7 18815 NULL +sys_modify_ldt_18824 sys_modify_ldt 3 18824 NULL +mtf_test_write_18844 mtf_test_write 3 18844 NULL @@ -122458,6 +122286,7 @@ index 0000000..f084dc7 +tipc_conn_sendmsg_26867 tipc_conn_sendmsg 5 26867 NULL +ath6kl_create_qos_write_26879 ath6kl_create_qos_write 3 26879 NULL +svc_print_xprts_26881 svc_print_xprts 0 26881 NULL ++ms_read_bytes_26894 ms_read_bytes 6 26894 NULL +skb_zerocopy_headlen_26910 skb_zerocopy_headlen 0 26910 NULL +hhf_zalloc_26912 hhf_zalloc 1 26912 NULL +cfg80211_process_auth_26916 cfg80211_process_auth 3 26916 NULL @@ -123289,7 +123118,7 @@ index 0000000..f084dc7 +sctp_tsnmap_mark_35929 sctp_tsnmap_mark 2 35929 NULL +rx_defrag_init_called_read_35935 rx_defrag_init_called_read 3 35935 NULL +put_cmsg_compat_35937 put_cmsg_compat 4 35937 NULL -+ext_rts51x_sd_execute_write_data_35971 ext_rts51x_sd_execute_write_data 9 35971 NULL ++ext_rts51x_sd_execute_write_data_35971 ext_rts51x_sd_execute_write_data 9-11 35971 NULL +ceph_buffer_new_35974 ceph_buffer_new 1 35974 NULL nohasharray +generic_ocp_read_35974 generic_ocp_read 3 35974 &ceph_buffer_new_35974 +acl_alloc_35979 acl_alloc 1 35979 NULL @@ -124851,6 +124680,7 @@ index 0000000..f084dc7 +nvme_queue_extra_52661 nvme_queue_extra 0-1 52661 NULL +SYSC_gethostname_52677 SYSC_gethostname 2 52677 NULL +nvd0_disp_pioc_create__52693 nvd0_disp_pioc_create_ 5 52693 NULL ++ms_transfer_data_52705 ms_transfer_data 9 52705 NULL +nouveau_client_create__52715 nouveau_client_create_ 5 52715 NULL +__dm_stat_bio_52722 __dm_stat_bio 3 52722 NULL +cx25840_ir_rx_read_52724 cx25840_ir_rx_read 3 52724 NULL @@ -124977,6 +124807,7 @@ index 0000000..f084dc7 +memcpy_toiovec_54166 memcpy_toiovec 3 54166 NULL +nouveau_falcon_create__54169 nouveau_falcon_create_ 8 54169 NULL +p9_client_prepare_req_54175 p9_client_prepare_req 3 54175 NULL ++sd_read_data_54207 sd_read_data 9 54207 NULL +do_sys_poll_54221 do_sys_poll 2 54221 NULL +__register_chrdev_54223 __register_chrdev 2-3 54223 NULL +pi_read_regr_54231 pi_read_regr 0 54231 NULL @@ -125015,6 +124846,7 @@ index 0000000..f084dc7 +setsockopt_54539 setsockopt 5 54539 NULL +lbs_lowsnr_write_54549 lbs_lowsnr_write 3 54549 NULL +SYSC_setsockopt_54561 SYSC_setsockopt 5 54561 NULL ++rts51x_seq_read_register_54567 rts51x_seq_read_register 3 54567 NULL +nfsd_vfs_write_54577 nfsd_vfs_write 6 54577 NULL +fw_iso_buffer_init_54582 fw_iso_buffer_init 3 54582 NULL +nvme_npages_54601 nvme_npages 0-1 54601 NULL @@ -125091,7 +124923,8 @@ index 0000000..f084dc7 +memcpy_fromiovec_55247 memcpy_fromiovec 3 55247 NULL +lbs_failcount_write_55276 lbs_failcount_write 3 55276 NULL +persistent_ram_new_55286 persistent_ram_new 2-1 55286 NULL -+rx_streaming_interval_read_55291 rx_streaming_interval_read 3 55291 NULL ++rx_streaming_interval_read_55291 rx_streaming_interval_read 3 55291 NULL nohasharray ++xd_read_cis_55291 xd_read_cis 4 55291 &rx_streaming_interval_read_55291 +lov_get_stripecnt_55297 lov_get_stripecnt 0-3 55297 NULL +gsm_control_modem_55303 gsm_control_modem 3 55303 NULL +wimax_msg_len_55304 wimax_msg_len 0 55304 NULL @@ -125101,6 +124934,7 @@ index 0000000..f084dc7 +vme_user_read_55338 vme_user_read 3 55338 NULL +__wa_xfer_setup_sizes_55342 __wa_xfer_setup_sizes 0 55342 NULL nohasharray +sctp_datamsg_from_user_55342 sctp_datamsg_from_user 4 55342 &__wa_xfer_setup_sizes_55342 ++rts51x_seq_write_register_55345 rts51x_seq_write_register 3 55345 NULL +tipc_send2name_55373 tipc_send2name 5 55373 NULL +cw1200_sdio_align_size_55391 cw1200_sdio_align_size 2 55391 NULL +iwl_dbgfs_plcp_delta_read_55407 iwl_dbgfs_plcp_delta_read 3 55407 NULL @@ -125765,7 +125599,7 @@ index 0000000..f084dc7 +set_ssp_62411 set_ssp 4 62411 NULL +udf_expand_file_adinicb_62470 udf_expand_file_adinicb 0 62470 NULL +persistent_ram_new_62493 persistent_ram_new 1-2 62493 NULL -+ext_rts51x_sd_execute_read_data_62501 ext_rts51x_sd_execute_read_data 9 62501 NULL ++ext_rts51x_sd_execute_read_data_62501 ext_rts51x_sd_execute_read_data 9-11 62501 NULL +pep_sendmsg_62524 pep_sendmsg 4 62524 NULL +test_iso_queue_62534 test_iso_queue 5 62534 NULL +debugfs_read_62535 debugfs_read 3 62535 NULL @@ -126008,6 +125842,7 @@ index 0000000..f084dc7 +get_var_len_65304 get_var_len 0 65304 NULL +unpack_array_65318 unpack_array 0 65318 NULL +pci_vpd_find_tag_65325 pci_vpd_find_tag 0-2 65325 NULL ++rts51x_get_rsp_65334 rts51x_get_rsp 2 65334 NULL +dccp_setsockopt_service_65336 dccp_setsockopt_service 4 65336 NULL +dma_rx_requested_read_65354 dma_rx_requested_read 3 65354 NULL +alloc_cpu_rmap_65363 alloc_cpu_rmap 1 65363 NULL diff --git a/3.14.36/4425_grsec_remove_EI_PAX.patch b/3.14.37/4425_grsec_remove_EI_PAX.patch index 86e242a..86e242a 100644 --- a/3.14.36/4425_grsec_remove_EI_PAX.patch +++ b/3.14.37/4425_grsec_remove_EI_PAX.patch diff --git a/3.14.36/4427_force_XATTR_PAX_tmpfs.patch b/3.14.37/4427_force_XATTR_PAX_tmpfs.patch index 4c236cc..4c236cc 100644 --- a/3.14.36/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.14.37/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.14.36/4430_grsec-remove-localversion-grsec.patch b/3.14.37/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.14.36/4430_grsec-remove-localversion-grsec.patch +++ b/3.14.37/4430_grsec-remove-localversion-grsec.patch diff --git a/3.14.36/4435_grsec-mute-warnings.patch b/3.14.37/4435_grsec-mute-warnings.patch index 392cefb..392cefb 100644 --- a/3.14.36/4435_grsec-mute-warnings.patch +++ b/3.14.37/4435_grsec-mute-warnings.patch diff --git a/3.14.36/4440_grsec-remove-protected-paths.patch b/3.14.37/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/3.14.36/4440_grsec-remove-protected-paths.patch +++ b/3.14.37/4440_grsec-remove-protected-paths.patch diff --git a/3.14.36/4450_grsec-kconfig-default-gids.patch b/3.14.37/4450_grsec-kconfig-default-gids.patch index 8c878fc..8c878fc 100644 --- a/3.14.36/4450_grsec-kconfig-default-gids.patch +++ b/3.14.37/4450_grsec-kconfig-default-gids.patch diff --git a/3.14.36/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.37/4465_selinux-avc_audit-log-curr_ip.patch index bba906e..bba906e 100644 --- a/3.14.36/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.14.37/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.14.36/4470_disable-compat_vdso.patch b/3.14.37/4470_disable-compat_vdso.patch index 3b3953b..3b3953b 100644 --- a/3.14.36/4470_disable-compat_vdso.patch +++ b/3.14.37/4470_disable-compat_vdso.patch diff --git a/3.14.36/4475_emutramp_default_on.patch b/3.14.37/4475_emutramp_default_on.patch index ad4967a..ad4967a 100644 --- a/3.14.36/4475_emutramp_default_on.patch +++ b/3.14.37/4475_emutramp_default_on.patch diff --git a/3.19.2/0000_README b/3.19.3/0000_README index 6d7f956..4d5e072 100644 --- a/3.19.2/0000_README +++ b/3.19.3/0000_README @@ -2,7 +2,11 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.1-3.19.2-201503251807.patch +Patch: 1002_linux-3.19.3.patch +From: http://www.kernel.org +Desc: Linux 3.19.3 + +Patch: 4420_grsecurity-3.1-3.19.3-201503270049.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.19.3/1002_linux-3.19.3.patch b/3.19.3/1002_linux-3.19.3.patch new file mode 100644 index 0000000..a17587c --- /dev/null +++ b/3.19.3/1002_linux-3.19.3.patch @@ -0,0 +1,4081 @@ +diff --git a/Makefile b/Makefile +index e49665a..713bf26 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 19 +-SUBLEVEL = 2 ++SUBLEVEL = 3 + EXTRAVERSION = + NAME = Diseased Newt + +diff --git a/arch/arm/boot/dts/am33xx-clocks.dtsi b/arch/arm/boot/dts/am33xx-clocks.dtsi +index 712edce..071b56a 100644 +--- a/arch/arm/boot/dts/am33xx-clocks.dtsi ++++ b/arch/arm/boot/dts/am33xx-clocks.dtsi +@@ -99,7 +99,7 @@ + ehrpwm0_tbclk: ehrpwm0_tbclk@44e10664 { + #clock-cells = <0>; + compatible = "ti,gate-clock"; +- clocks = <&dpll_per_m2_ck>; ++ clocks = <&l4ls_gclk>; + ti,bit-shift = <0>; + reg = <0x0664>; + }; +@@ -107,7 +107,7 @@ + ehrpwm1_tbclk: ehrpwm1_tbclk@44e10664 { + #clock-cells = <0>; + compatible = "ti,gate-clock"; +- clocks = <&dpll_per_m2_ck>; ++ clocks = <&l4ls_gclk>; + ti,bit-shift = <1>; + reg = <0x0664>; + }; +@@ -115,7 +115,7 @@ + ehrpwm2_tbclk: ehrpwm2_tbclk@44e10664 { + #clock-cells = <0>; + compatible = "ti,gate-clock"; +- clocks = <&dpll_per_m2_ck>; ++ clocks = <&l4ls_gclk>; + ti,bit-shift = <2>; + reg = <0x0664>; + }; +diff --git a/arch/arm/boot/dts/am43xx-clocks.dtsi b/arch/arm/boot/dts/am43xx-clocks.dtsi +index c7dc9da..cfb4968 100644 +--- a/arch/arm/boot/dts/am43xx-clocks.dtsi ++++ b/arch/arm/boot/dts/am43xx-clocks.dtsi +@@ -107,7 +107,7 @@ + ehrpwm0_tbclk: ehrpwm0_tbclk { + #clock-cells = <0>; + compatible = "ti,gate-clock"; +- clocks = <&dpll_per_m2_ck>; ++ clocks = <&l4ls_gclk>; + ti,bit-shift = <0>; + reg = <0x0664>; + }; +@@ -115,7 +115,7 @@ + ehrpwm1_tbclk: ehrpwm1_tbclk { + #clock-cells = <0>; + compatible = "ti,gate-clock"; +- clocks = <&dpll_per_m2_ck>; ++ clocks = <&l4ls_gclk>; + ti,bit-shift = <1>; + reg = <0x0664>; + }; +@@ -123,7 +123,7 @@ + ehrpwm2_tbclk: ehrpwm2_tbclk { + #clock-cells = <0>; + compatible = "ti,gate-clock"; +- clocks = <&dpll_per_m2_ck>; ++ clocks = <&l4ls_gclk>; + ti,bit-shift = <2>; + reg = <0x0664>; + }; +@@ -131,7 +131,7 @@ + ehrpwm3_tbclk: ehrpwm3_tbclk { + #clock-cells = <0>; + compatible = "ti,gate-clock"; +- clocks = <&dpll_per_m2_ck>; ++ clocks = <&l4ls_gclk>; + ti,bit-shift = <4>; + reg = <0x0664>; + }; +@@ -139,7 +139,7 @@ + ehrpwm4_tbclk: ehrpwm4_tbclk { + #clock-cells = <0>; + compatible = "ti,gate-clock"; +- clocks = <&dpll_per_m2_ck>; ++ clocks = <&l4ls_gclk>; + ti,bit-shift = <5>; + reg = <0x0664>; + }; +@@ -147,7 +147,7 @@ + ehrpwm5_tbclk: ehrpwm5_tbclk { + #clock-cells = <0>; + compatible = "ti,gate-clock"; +- clocks = <&dpll_per_m2_ck>; ++ clocks = <&l4ls_gclk>; + ti,bit-shift = <6>; + reg = <0x0664>; + }; +diff --git a/arch/arm/boot/dts/dra7xx-clocks.dtsi b/arch/arm/boot/dts/dra7xx-clocks.dtsi +index 4bdcbd6..99b09a4 100644 +--- a/arch/arm/boot/dts/dra7xx-clocks.dtsi ++++ b/arch/arm/boot/dts/dra7xx-clocks.dtsi +@@ -243,10 +243,18 @@ + ti,invert-autoidle-bit; + }; + ++ dpll_core_byp_mux: dpll_core_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ ti,bit-shift = <23>; ++ reg = <0x012c>; ++ }; ++ + dpll_core_ck: dpll_core_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-core-clock"; +- clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ clocks = <&sys_clkin1>, <&dpll_core_byp_mux>; + reg = <0x0120>, <0x0124>, <0x012c>, <0x0128>; + }; + +@@ -309,10 +317,18 @@ + clock-div = <1>; + }; + ++ dpll_dsp_byp_mux: dpll_dsp_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&dsp_dpll_hs_clk_div>; ++ ti,bit-shift = <23>; ++ reg = <0x0240>; ++ }; ++ + dpll_dsp_ck: dpll_dsp_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&dsp_dpll_hs_clk_div>; ++ clocks = <&sys_clkin1>, <&dpll_dsp_byp_mux>; + reg = <0x0234>, <0x0238>, <0x0240>, <0x023c>; + }; + +@@ -335,10 +351,18 @@ + clock-div = <1>; + }; + ++ dpll_iva_byp_mux: dpll_iva_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&iva_dpll_hs_clk_div>; ++ ti,bit-shift = <23>; ++ reg = <0x01ac>; ++ }; ++ + dpll_iva_ck: dpll_iva_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&iva_dpll_hs_clk_div>; ++ clocks = <&sys_clkin1>, <&dpll_iva_byp_mux>; + reg = <0x01a0>, <0x01a4>, <0x01ac>, <0x01a8>; + }; + +@@ -361,10 +385,18 @@ + clock-div = <1>; + }; + ++ dpll_gpu_byp_mux: dpll_gpu_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ ti,bit-shift = <23>; ++ reg = <0x02e4>; ++ }; ++ + dpll_gpu_ck: dpll_gpu_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ clocks = <&sys_clkin1>, <&dpll_gpu_byp_mux>; + reg = <0x02d8>, <0x02dc>, <0x02e4>, <0x02e0>; + }; + +@@ -398,10 +430,18 @@ + clock-div = <1>; + }; + ++ dpll_ddr_byp_mux: dpll_ddr_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ ti,bit-shift = <23>; ++ reg = <0x021c>; ++ }; ++ + dpll_ddr_ck: dpll_ddr_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ clocks = <&sys_clkin1>, <&dpll_ddr_byp_mux>; + reg = <0x0210>, <0x0214>, <0x021c>, <0x0218>; + }; + +@@ -416,10 +456,18 @@ + ti,invert-autoidle-bit; + }; + ++ dpll_gmac_byp_mux: dpll_gmac_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ ti,bit-shift = <23>; ++ reg = <0x02b4>; ++ }; ++ + dpll_gmac_ck: dpll_gmac_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ clocks = <&sys_clkin1>, <&dpll_gmac_byp_mux>; + reg = <0x02a8>, <0x02ac>, <0x02b4>, <0x02b0>; + }; + +@@ -482,10 +530,18 @@ + clock-div = <1>; + }; + ++ dpll_eve_byp_mux: dpll_eve_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&eve_dpll_hs_clk_div>; ++ ti,bit-shift = <23>; ++ reg = <0x0290>; ++ }; ++ + dpll_eve_ck: dpll_eve_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&eve_dpll_hs_clk_div>; ++ clocks = <&sys_clkin1>, <&dpll_eve_byp_mux>; + reg = <0x0284>, <0x0288>, <0x0290>, <0x028c>; + }; + +@@ -1249,10 +1305,18 @@ + clock-div = <1>; + }; + ++ dpll_per_byp_mux: dpll_per_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&per_dpll_hs_clk_div>; ++ ti,bit-shift = <23>; ++ reg = <0x014c>; ++ }; ++ + dpll_per_ck: dpll_per_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&per_dpll_hs_clk_div>; ++ clocks = <&sys_clkin1>, <&dpll_per_byp_mux>; + reg = <0x0140>, <0x0144>, <0x014c>, <0x0148>; + }; + +@@ -1275,10 +1339,18 @@ + clock-div = <1>; + }; + ++ dpll_usb_byp_mux: dpll_usb_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&usb_dpll_hs_clk_div>; ++ ti,bit-shift = <23>; ++ reg = <0x018c>; ++ }; ++ + dpll_usb_ck: dpll_usb_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-j-type-clock"; +- clocks = <&sys_clkin1>, <&usb_dpll_hs_clk_div>; ++ clocks = <&sys_clkin1>, <&dpll_usb_byp_mux>; + reg = <0x0180>, <0x0184>, <0x018c>, <0x0188>; + }; + +diff --git a/arch/arm/boot/dts/imx6qdl-sabresd.dtsi b/arch/arm/boot/dts/imx6qdl-sabresd.dtsi +index f1cd214..a626e6d 100644 +--- a/arch/arm/boot/dts/imx6qdl-sabresd.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-sabresd.dtsi +@@ -35,6 +35,7 @@ + regulator-max-microvolt = <5000000>; + gpio = <&gpio3 22 0>; + enable-active-high; ++ vin-supply = <&swbst_reg>; + }; + + reg_usb_h1_vbus: regulator@1 { +@@ -45,6 +46,7 @@ + regulator-max-microvolt = <5000000>; + gpio = <&gpio1 29 0>; + enable-active-high; ++ vin-supply = <&swbst_reg>; + }; + + reg_audio: regulator@2 { +diff --git a/arch/arm/boot/dts/imx6sl-evk.dts b/arch/arm/boot/dts/imx6sl-evk.dts +index fda4932..945887d 100644 +--- a/arch/arm/boot/dts/imx6sl-evk.dts ++++ b/arch/arm/boot/dts/imx6sl-evk.dts +@@ -52,6 +52,7 @@ + regulator-max-microvolt = <5000000>; + gpio = <&gpio4 0 0>; + enable-active-high; ++ vin-supply = <&swbst_reg>; + }; + + reg_usb_otg2_vbus: regulator@1 { +@@ -62,6 +63,7 @@ + regulator-max-microvolt = <5000000>; + gpio = <&gpio4 2 0>; + enable-active-high; ++ vin-supply = <&swbst_reg>; + }; + + reg_aud3v: regulator@2 { +diff --git a/arch/arm/crypto/aesbs-core.S_shipped b/arch/arm/crypto/aesbs-core.S_shipped +index 71e5fc7..1d1800f 100644 +--- a/arch/arm/crypto/aesbs-core.S_shipped ++++ b/arch/arm/crypto/aesbs-core.S_shipped +@@ -58,14 +58,18 @@ + # define VFP_ABI_FRAME 0 + # define BSAES_ASM_EXTENDED_KEY + # define XTS_CHAIN_TWEAK +-# define __ARM_ARCH__ 7 ++# define __ARM_ARCH__ __LINUX_ARM_ARCH__ ++# define __ARM_MAX_ARCH__ 7 + #endif + + #ifdef __thumb__ + # define adrl adr + #endif + +-#if __ARM_ARCH__>=7 ++#if __ARM_MAX_ARCH__>=7 ++.arch armv7-a ++.fpu neon ++ + .text + .syntax unified @ ARMv7-capable assembler is expected to handle this + #ifdef __thumb2__ +@@ -74,8 +78,6 @@ + .code 32 + #endif + +-.fpu neon +- + .type _bsaes_decrypt8,%function + .align 4 + _bsaes_decrypt8: +@@ -2095,9 +2097,11 @@ bsaes_xts_decrypt: + vld1.8 {q8}, [r0] @ initial tweak + adr r2, .Lxts_magic + ++#ifndef XTS_CHAIN_TWEAK + tst r9, #0xf @ if not multiple of 16 + it ne @ Thumb2 thing, sanity check in ARM + subne r9, #0x10 @ subtract another 16 bytes ++#endif + subs r9, #0x80 + + blo .Lxts_dec_short +diff --git a/arch/arm/crypto/bsaes-armv7.pl b/arch/arm/crypto/bsaes-armv7.pl +index be068db..a4d3856 100644 +--- a/arch/arm/crypto/bsaes-armv7.pl ++++ b/arch/arm/crypto/bsaes-armv7.pl +@@ -701,14 +701,18 @@ $code.=<<___; + # define VFP_ABI_FRAME 0 + # define BSAES_ASM_EXTENDED_KEY + # define XTS_CHAIN_TWEAK +-# define __ARM_ARCH__ 7 ++# define __ARM_ARCH__ __LINUX_ARM_ARCH__ ++# define __ARM_MAX_ARCH__ 7 + #endif + + #ifdef __thumb__ + # define adrl adr + #endif + +-#if __ARM_ARCH__>=7 ++#if __ARM_MAX_ARCH__>=7 ++.arch armv7-a ++.fpu neon ++ + .text + .syntax unified @ ARMv7-capable assembler is expected to handle this + #ifdef __thumb2__ +@@ -717,8 +721,6 @@ $code.=<<___; + .code 32 + #endif + +-.fpu neon +- + .type _bsaes_decrypt8,%function + .align 4 + _bsaes_decrypt8: +@@ -2076,9 +2078,11 @@ bsaes_xts_decrypt: + vld1.8 {@XMM[8]}, [r0] @ initial tweak + adr $magic, .Lxts_magic + ++#ifndef XTS_CHAIN_TWEAK + tst $len, #0xf @ if not multiple of 16 + it ne @ Thumb2 thing, sanity check in ARM + subne $len, #0x10 @ subtract another 16 bytes ++#endif + subs $len, #0x80 + + blo .Lxts_dec_short +diff --git a/arch/arm/mach-at91/pm.h b/arch/arm/mach-at91/pm.h +index d2c8996..86c0aa8 100644 +--- a/arch/arm/mach-at91/pm.h ++++ b/arch/arm/mach-at91/pm.h +@@ -44,7 +44,7 @@ static inline void at91rm9200_standby(void) + " mcr p15, 0, %0, c7, c0, 4\n\t" + " str %5, [%1, %2]" + : +- : "r" (0), "r" (AT91_BASE_SYS), "r" (AT91RM9200_SDRAMC_LPR), ++ : "r" (0), "r" (at91_ramc_base[0]), "r" (AT91RM9200_SDRAMC_LPR), + "r" (1), "r" (AT91RM9200_SDRAMC_SRR), + "r" (lpr)); + } +diff --git a/arch/arm/mach-exynos/platsmp.c b/arch/arm/mach-exynos/platsmp.c +index 7a1ebfe..0abb7df 100644 +--- a/arch/arm/mach-exynos/platsmp.c ++++ b/arch/arm/mach-exynos/platsmp.c +@@ -126,8 +126,7 @@ static inline void platform_do_lowpower(unsigned int cpu, int *spurious) + */ + void exynos_cpu_power_down(int cpu) + { +- if (cpu == 0 && (of_machine_is_compatible("samsung,exynos5420") || +- of_machine_is_compatible("samsung,exynos5800"))) { ++ if (cpu == 0 && (soc_is_exynos5420() || soc_is_exynos5800())) { + /* + * Bypass power down for CPU0 during suspend. Check for + * the SYS_PWR_REG value to decide if we are suspending +diff --git a/arch/arm64/include/asm/tlb.h b/arch/arm64/include/asm/tlb.h +index c028fe3..53d9c35 100644 +--- a/arch/arm64/include/asm/tlb.h ++++ b/arch/arm64/include/asm/tlb.h +@@ -48,6 +48,7 @@ static inline void tlb_flush(struct mmu_gather *tlb) + static inline void __pte_free_tlb(struct mmu_gather *tlb, pgtable_t pte, + unsigned long addr) + { ++ __flush_tlb_pgtable(tlb->mm, addr); + pgtable_page_dtor(pte); + tlb_remove_entry(tlb, pte); + } +@@ -56,6 +57,7 @@ static inline void __pte_free_tlb(struct mmu_gather *tlb, pgtable_t pte, + static inline void __pmd_free_tlb(struct mmu_gather *tlb, pmd_t *pmdp, + unsigned long addr) + { ++ __flush_tlb_pgtable(tlb->mm, addr); + tlb_remove_entry(tlb, virt_to_page(pmdp)); + } + #endif +@@ -64,6 +66,7 @@ static inline void __pmd_free_tlb(struct mmu_gather *tlb, pmd_t *pmdp, + static inline void __pud_free_tlb(struct mmu_gather *tlb, pud_t *pudp, + unsigned long addr) + { ++ __flush_tlb_pgtable(tlb->mm, addr); + tlb_remove_entry(tlb, virt_to_page(pudp)); + } + #endif +diff --git a/arch/arm64/include/asm/tlbflush.h b/arch/arm64/include/asm/tlbflush.h +index 73f0ce5..8b8d8cb 100644 +--- a/arch/arm64/include/asm/tlbflush.h ++++ b/arch/arm64/include/asm/tlbflush.h +@@ -149,6 +149,19 @@ static inline void flush_tlb_kernel_range(unsigned long start, unsigned long end + } + + /* ++ * Used to invalidate the TLB (walk caches) corresponding to intermediate page ++ * table levels (pgd/pud/pmd). ++ */ ++static inline void __flush_tlb_pgtable(struct mm_struct *mm, ++ unsigned long uaddr) ++{ ++ unsigned long addr = uaddr >> 12 | ((unsigned long)ASID(mm) << 48); ++ ++ dsb(ishst); ++ asm("tlbi vae1is, %0" : : "r" (addr)); ++ dsb(ish); ++} ++/* + * On AArch64, the cache coherency is handled via the set_pte_at() function. + */ + static inline void update_mmu_cache(struct vm_area_struct *vma, +diff --git a/arch/arm64/mm/dma-mapping.c b/arch/arm64/mm/dma-mapping.c +index d920942..df34a70 100644 +--- a/arch/arm64/mm/dma-mapping.c ++++ b/arch/arm64/mm/dma-mapping.c +@@ -51,7 +51,7 @@ static int __init early_coherent_pool(char *p) + } + early_param("coherent_pool", early_coherent_pool); + +-static void *__alloc_from_pool(size_t size, struct page **ret_page) ++static void *__alloc_from_pool(size_t size, struct page **ret_page, gfp_t flags) + { + unsigned long val; + void *ptr = NULL; +@@ -67,6 +67,8 @@ static void *__alloc_from_pool(size_t size, struct page **ret_page) + + *ret_page = phys_to_page(phys); + ptr = (void *)val; ++ if (flags & __GFP_ZERO) ++ memset(ptr, 0, size); + } + + return ptr; +@@ -101,6 +103,7 @@ static void *__dma_alloc_coherent(struct device *dev, size_t size, + flags |= GFP_DMA; + if (IS_ENABLED(CONFIG_DMA_CMA) && (flags & __GFP_WAIT)) { + struct page *page; ++ void *addr; + + size = PAGE_ALIGN(size); + page = dma_alloc_from_contiguous(dev, size >> PAGE_SHIFT, +@@ -109,7 +112,10 @@ static void *__dma_alloc_coherent(struct device *dev, size_t size, + return NULL; + + *dma_handle = phys_to_dma(dev, page_to_phys(page)); +- return page_address(page); ++ addr = page_address(page); ++ if (flags & __GFP_ZERO) ++ memset(addr, 0, size); ++ return addr; + } else { + return swiotlb_alloc_coherent(dev, size, dma_handle, flags); + } +@@ -145,7 +151,7 @@ static void *__dma_alloc_noncoherent(struct device *dev, size_t size, + + if (!(flags & __GFP_WAIT)) { + struct page *page = NULL; +- void *addr = __alloc_from_pool(size, &page); ++ void *addr = __alloc_from_pool(size, &page, flags); + + if (addr) + *dma_handle = phys_to_dma(dev, page_to_phys(page)); +diff --git a/arch/powerpc/include/asm/iommu.h b/arch/powerpc/include/asm/iommu.h +index 9cfa370..f1ea597 100644 +--- a/arch/powerpc/include/asm/iommu.h ++++ b/arch/powerpc/include/asm/iommu.h +@@ -113,6 +113,7 @@ extern void iommu_register_group(struct iommu_table *tbl, + int pci_domain_number, unsigned long pe_num); + extern int iommu_add_device(struct device *dev); + extern void iommu_del_device(struct device *dev); ++extern int __init tce_iommu_bus_notifier_init(void); + #else + static inline void iommu_register_group(struct iommu_table *tbl, + int pci_domain_number, +@@ -128,6 +129,11 @@ static inline int iommu_add_device(struct device *dev) + static inline void iommu_del_device(struct device *dev) + { + } ++ ++static inline int __init tce_iommu_bus_notifier_init(void) ++{ ++ return 0; ++} + #endif /* !CONFIG_IOMMU_API */ + + static inline void set_iommu_table_base_and_group(struct device *dev, +diff --git a/arch/powerpc/kernel/iommu.c b/arch/powerpc/kernel/iommu.c +index 5d3968c..b054f33 100644 +--- a/arch/powerpc/kernel/iommu.c ++++ b/arch/powerpc/kernel/iommu.c +@@ -1175,4 +1175,30 @@ void iommu_del_device(struct device *dev) + } + EXPORT_SYMBOL_GPL(iommu_del_device); + ++static int tce_iommu_bus_notifier(struct notifier_block *nb, ++ unsigned long action, void *data) ++{ ++ struct device *dev = data; ++ ++ switch (action) { ++ case BUS_NOTIFY_ADD_DEVICE: ++ return iommu_add_device(dev); ++ case BUS_NOTIFY_DEL_DEVICE: ++ if (dev->iommu_group) ++ iommu_del_device(dev); ++ return 0; ++ default: ++ return 0; ++ } ++} ++ ++static struct notifier_block tce_iommu_bus_nb = { ++ .notifier_call = tce_iommu_bus_notifier, ++}; ++ ++int __init tce_iommu_bus_notifier_init(void) ++{ ++ bus_register_notifier(&pci_bus_type, &tce_iommu_bus_nb); ++ return 0; ++} + #endif /* CONFIG_IOMMU_API */ +diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c +index 8b2d2dc..c68cc9d 100644 +--- a/arch/powerpc/kernel/smp.c ++++ b/arch/powerpc/kernel/smp.c +@@ -555,8 +555,8 @@ int __cpu_up(unsigned int cpu, struct task_struct *tidle) + if (smp_ops->give_timebase) + smp_ops->give_timebase(); + +- /* Wait until cpu puts itself in the online map */ +- while (!cpu_online(cpu)) ++ /* Wait until cpu puts itself in the online & active maps */ ++ while (!cpu_online(cpu) || !cpu_active(cpu)) + cpu_relax(); + + return 0; +diff --git a/arch/powerpc/platforms/powernv/pci.c b/arch/powerpc/platforms/powernv/pci.c +index 4945e87..3948b8a 100644 +--- a/arch/powerpc/platforms/powernv/pci.c ++++ b/arch/powerpc/platforms/powernv/pci.c +@@ -866,30 +866,4 @@ void __init pnv_pci_init(void) + #endif + } + +-static int tce_iommu_bus_notifier(struct notifier_block *nb, +- unsigned long action, void *data) +-{ +- struct device *dev = data; +- +- switch (action) { +- case BUS_NOTIFY_ADD_DEVICE: +- return iommu_add_device(dev); +- case BUS_NOTIFY_DEL_DEVICE: +- if (dev->iommu_group) +- iommu_del_device(dev); +- return 0; +- default: +- return 0; +- } +-} +- +-static struct notifier_block tce_iommu_bus_nb = { +- .notifier_call = tce_iommu_bus_notifier, +-}; +- +-static int __init tce_iommu_bus_notifier_init(void) +-{ +- bus_register_notifier(&pci_bus_type, &tce_iommu_bus_nb); +- return 0; +-} + machine_subsys_initcall_sync(powernv, tce_iommu_bus_notifier_init); +diff --git a/arch/powerpc/platforms/pseries/iommu.c b/arch/powerpc/platforms/pseries/iommu.c +index 1d3d52d..7803a19 100644 +--- a/arch/powerpc/platforms/pseries/iommu.c ++++ b/arch/powerpc/platforms/pseries/iommu.c +@@ -1340,3 +1340,5 @@ static int __init disable_multitce(char *str) + } + + __setup("multitce=", disable_multitce); ++ ++machine_subsys_initcall_sync(pseries, tce_iommu_bus_notifier_init); +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index 9af01dc..e3bab3a 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -159,7 +159,6 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext) + case KVM_CAP_ONE_REG: + case KVM_CAP_ENABLE_CAP: + case KVM_CAP_S390_CSS_SUPPORT: +- case KVM_CAP_IRQFD: + case KVM_CAP_IOEVENTFD: + case KVM_CAP_DEVICE_CTRL: + case KVM_CAP_ENABLE_CAP_VM: +diff --git a/arch/s390/pci/pci_mmio.c b/arch/s390/pci/pci_mmio.c +index 62c5ea6..ec86d4f 100644 +--- a/arch/s390/pci/pci_mmio.c ++++ b/arch/s390/pci/pci_mmio.c +@@ -64,8 +64,7 @@ SYSCALL_DEFINE3(s390_pci_mmio_write, unsigned long, mmio_addr, + if (copy_from_user(buf, user_buffer, length)) + goto out; + +- memcpy_toio(io_addr, buf, length); +- ret = 0; ++ ret = zpci_memcpy_toio(io_addr, buf, length); + out: + if (buf != local_buf) + kfree(buf); +@@ -98,16 +97,16 @@ SYSCALL_DEFINE3(s390_pci_mmio_read, unsigned long, mmio_addr, + goto out; + io_addr = (void *)((pfn << PAGE_SHIFT) | (mmio_addr & ~PAGE_MASK)); + +- ret = -EFAULT; +- if ((unsigned long) io_addr < ZPCI_IOMAP_ADDR_BASE) ++ if ((unsigned long) io_addr < ZPCI_IOMAP_ADDR_BASE) { ++ ret = -EFAULT; + goto out; +- +- memcpy_fromio(buf, io_addr, length); +- +- if (copy_to_user(user_buffer, buf, length)) ++ } ++ ret = zpci_memcpy_fromio(buf, io_addr, length); ++ if (ret) + goto out; ++ if (copy_to_user(user_buffer, buf, length)) ++ ret = -EFAULT; + +- ret = 0; + out: + if (buf != local_buf) + kfree(buf); +diff --git a/arch/sparc/kernel/perf_event.c b/arch/sparc/kernel/perf_event.c +index 46a5e45..af53c25 100644 +--- a/arch/sparc/kernel/perf_event.c ++++ b/arch/sparc/kernel/perf_event.c +@@ -960,6 +960,8 @@ out: + cpuc->pcr[0] |= cpuc->event[0]->hw.config_base; + } + ++static void sparc_pmu_start(struct perf_event *event, int flags); ++ + /* On this PMU each PIC has it's own PCR control register. */ + static void calculate_multiple_pcrs(struct cpu_hw_events *cpuc) + { +@@ -972,20 +974,13 @@ static void calculate_multiple_pcrs(struct cpu_hw_events *cpuc) + struct perf_event *cp = cpuc->event[i]; + struct hw_perf_event *hwc = &cp->hw; + int idx = hwc->idx; +- u64 enc; + + if (cpuc->current_idx[i] != PIC_NO_INDEX) + continue; + +- sparc_perf_event_set_period(cp, hwc, idx); + cpuc->current_idx[i] = idx; + +- enc = perf_event_get_enc(cpuc->events[i]); +- cpuc->pcr[idx] &= ~mask_for_index(idx); +- if (hwc->state & PERF_HES_STOPPED) +- cpuc->pcr[idx] |= nop_for_index(idx); +- else +- cpuc->pcr[idx] |= event_encoding(enc, idx); ++ sparc_pmu_start(cp, PERF_EF_RELOAD); + } + out: + for (i = 0; i < cpuc->n_events; i++) { +@@ -1101,7 +1096,6 @@ static void sparc_pmu_del(struct perf_event *event, int _flags) + int i; + + local_irq_save(flags); +- perf_pmu_disable(event->pmu); + + for (i = 0; i < cpuc->n_events; i++) { + if (event == cpuc->event[i]) { +@@ -1127,7 +1121,6 @@ static void sparc_pmu_del(struct perf_event *event, int _flags) + } + } + +- perf_pmu_enable(event->pmu); + local_irq_restore(flags); + } + +@@ -1361,7 +1354,6 @@ static int sparc_pmu_add(struct perf_event *event, int ef_flags) + unsigned long flags; + + local_irq_save(flags); +- perf_pmu_disable(event->pmu); + + n0 = cpuc->n_events; + if (n0 >= sparc_pmu->max_hw_events) +@@ -1394,7 +1386,6 @@ nocheck: + + ret = 0; + out: +- perf_pmu_enable(event->pmu); + local_irq_restore(flags); + return ret; + } +diff --git a/arch/sparc/kernel/process_64.c b/arch/sparc/kernel/process_64.c +index 0be7bf9..46a5964 100644 +--- a/arch/sparc/kernel/process_64.c ++++ b/arch/sparc/kernel/process_64.c +@@ -287,6 +287,8 @@ void arch_trigger_all_cpu_backtrace(bool include_self) + printk(" TPC[%lx] O7[%lx] I7[%lx] RPC[%lx]\n", + gp->tpc, gp->o7, gp->i7, gp->rpc); + } ++ ++ touch_nmi_watchdog(); + } + + memset(global_cpu_snapshot, 0, sizeof(global_cpu_snapshot)); +@@ -362,6 +364,8 @@ static void pmu_snapshot_all_cpus(void) + (cpu == this_cpu ? '*' : ' '), cpu, + pp->pcr[0], pp->pcr[1], pp->pcr[2], pp->pcr[3], + pp->pic[0], pp->pic[1], pp->pic[2], pp->pic[3]); ++ ++ touch_nmi_watchdog(); + } + + memset(global_cpu_snapshot, 0, sizeof(global_cpu_snapshot)); +diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c +index c85403d..30e7ddb 100644 +--- a/arch/sparc/kernel/sys_sparc_64.c ++++ b/arch/sparc/kernel/sys_sparc_64.c +@@ -333,7 +333,7 @@ SYSCALL_DEFINE6(sparc_ipc, unsigned int, call, int, first, unsigned long, second + long err; + + /* No need for backward compatibility. We can start fresh... */ +- if (call <= SEMCTL) { ++ if (call <= SEMTIMEDOP) { + switch (call) { + case SEMOP: + err = sys_semtimedop(first, ptr, +diff --git a/arch/sparc/lib/memmove.S b/arch/sparc/lib/memmove.S +index b7f6334..857ad4f 100644 +--- a/arch/sparc/lib/memmove.S ++++ b/arch/sparc/lib/memmove.S +@@ -8,9 +8,11 @@ + + .text + ENTRY(memmove) /* o0=dst o1=src o2=len */ +- mov %o0, %g1 ++ brz,pn %o2, 99f ++ mov %o0, %g1 ++ + cmp %o0, %o1 +- bleu,pt %xcc, memcpy ++ bleu,pt %xcc, 2f + add %o1, %o2, %g7 + cmp %g7, %o0 + bleu,pt %xcc, memcpy +@@ -24,7 +26,34 @@ ENTRY(memmove) /* o0=dst o1=src o2=len */ + stb %g7, [%o0] + bne,pt %icc, 1b + sub %o0, 1, %o0 +- ++99: + retl + mov %g1, %o0 ++ ++ /* We can't just call memcpy for these memmove cases. On some ++ * chips the memcpy uses cache initializing stores and when dst ++ * and src are close enough, those can clobber the source data ++ * before we've loaded it in. ++ */ ++2: or %o0, %o1, %g7 ++ or %o2, %g7, %g7 ++ andcc %g7, 0x7, %g0 ++ bne,pn %xcc, 4f ++ nop ++ ++3: ldx [%o1], %g7 ++ add %o1, 8, %o1 ++ subcc %o2, 8, %o2 ++ add %o0, 8, %o0 ++ bne,pt %icc, 3b ++ stx %g7, [%o0 - 0x8] ++ ba,a,pt %xcc, 99b ++ ++4: ldub [%o1], %g7 ++ add %o1, 1, %o1 ++ subcc %o2, 1, %o2 ++ add %o0, 1, %o0 ++ bne,pt %icc, 4b ++ stb %g7, [%o0 - 0x1] ++ ba,a,pt %xcc, 99b + ENDPROC(memmove) +diff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c +index ae855f4..95ad7ad 100644 +--- a/arch/x86/crypto/aesni-intel_glue.c ++++ b/arch/x86/crypto/aesni-intel_glue.c +@@ -1133,7 +1133,7 @@ static int __driver_rfc4106_decrypt(struct aead_request *req) + src = kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC); + if (!src) + return -ENOMEM; +- assoc = (src + req->cryptlen + auth_tag_len); ++ assoc = (src + req->cryptlen); + scatterwalk_map_and_copy(src, req->src, 0, req->cryptlen, 0); + scatterwalk_map_and_copy(assoc, req->assoc, 0, + req->assoclen, 0); +@@ -1158,7 +1158,7 @@ static int __driver_rfc4106_decrypt(struct aead_request *req) + scatterwalk_done(&src_sg_walk, 0, 0); + scatterwalk_done(&assoc_sg_walk, 0, 0); + } else { +- scatterwalk_map_and_copy(dst, req->dst, 0, req->cryptlen, 1); ++ scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1); + kfree(src); + } + return retval; +diff --git a/arch/x86/include/asm/fpu-internal.h b/arch/x86/include/asm/fpu-internal.h +index e97622f..f895358 100644 +--- a/arch/x86/include/asm/fpu-internal.h ++++ b/arch/x86/include/asm/fpu-internal.h +@@ -368,7 +368,7 @@ static inline void drop_fpu(struct task_struct *tsk) + preempt_disable(); + tsk->thread.fpu_counter = 0; + __drop_fpu(tsk); +- clear_used_math(); ++ clear_stopped_child_used_math(tsk); + preempt_enable(); + } + +diff --git a/arch/x86/kernel/apic/apic_numachip.c b/arch/x86/kernel/apic/apic_numachip.c +index c2fd21f..017149c 100644 +--- a/arch/x86/kernel/apic/apic_numachip.c ++++ b/arch/x86/kernel/apic/apic_numachip.c +@@ -37,10 +37,12 @@ static const struct apic apic_numachip; + static unsigned int get_apic_id(unsigned long x) + { + unsigned long value; +- unsigned int id; ++ unsigned int id = (x >> 24) & 0xff; + +- rdmsrl(MSR_FAM10H_NODE_ID, value); +- id = ((x >> 24) & 0xffU) | ((value << 2) & 0xff00U); ++ if (static_cpu_has_safe(X86_FEATURE_NODEID_MSR)) { ++ rdmsrl(MSR_FAM10H_NODE_ID, value); ++ id |= (value << 2) & 0xff00; ++ } + + return id; + } +@@ -155,10 +157,18 @@ static int __init numachip_probe(void) + + static void fixup_cpu_id(struct cpuinfo_x86 *c, int node) + { +- if (c->phys_proc_id != node) { +- c->phys_proc_id = node; +- per_cpu(cpu_llc_id, smp_processor_id()) = node; ++ u64 val; ++ u32 nodes = 1; ++ ++ this_cpu_write(cpu_llc_id, node); ++ ++ /* Account for nodes per socket in multi-core-module processors */ ++ if (static_cpu_has_safe(X86_FEATURE_NODEID_MSR)) { ++ rdmsrl(MSR_FAM10H_NODE_ID, val); ++ nodes = ((val >> 3) & 7) + 1; + } ++ ++ c->phys_proc_id = node / nodes; + } + + static int __init numachip_system_init(void) +diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c +index 88900e2..89f4e64 100644 +--- a/arch/x86/kernel/traps.c ++++ b/arch/x86/kernel/traps.c +@@ -300,7 +300,7 @@ dotraplinkage void do_bounds(struct pt_regs *regs, long error_code) + goto exit; + conditional_sti(regs); + +- if (!user_mode(regs)) ++ if (!user_mode_vm(regs)) + die("bounds", regs, error_code); + + if (!cpu_feature_enabled(X86_FEATURE_MPX)) { +@@ -566,7 +566,7 @@ dotraplinkage void do_debug(struct pt_regs *regs, long error_code) + * then it's very likely the result of an icebp/int01 trap. + * User wants a sigtrap for that. + */ +- if (!dr6 && user_mode(regs)) ++ if (!dr6 && user_mode_vm(regs)) + user_icebp = 1; + + /* Catch kmemcheck conditions first of all! */ +diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c +index 0de1fae..8be1e17 100644 +--- a/arch/x86/kernel/xsave.c ++++ b/arch/x86/kernel/xsave.c +@@ -378,7 +378,7 @@ int __restore_xstate_sig(void __user *buf, void __user *buf_fx, int size) + * thread's fpu state, reconstruct fxstate from the fsave + * header. Sanitize the copied state etc. + */ +- struct xsave_struct *xsave = &tsk->thread.fpu.state->xsave; ++ struct fpu *fpu = &tsk->thread.fpu; + struct user_i387_ia32_struct env; + int err = 0; + +@@ -392,14 +392,15 @@ int __restore_xstate_sig(void __user *buf, void __user *buf_fx, int size) + */ + drop_fpu(tsk); + +- if (__copy_from_user(xsave, buf_fx, state_size) || ++ if (__copy_from_user(&fpu->state->xsave, buf_fx, state_size) || + __copy_from_user(&env, buf, sizeof(env))) { ++ fpu_finit(fpu); + err = -1; + } else { + sanitize_restored_xstate(tsk, &env, xstate_bv, fx_only); +- set_used_math(); + } + ++ set_used_math(); + if (use_eager_fpu()) { + preempt_disable(); + math_state_restore(); +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index c259814..64d76c1 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -2716,7 +2716,6 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext) + case KVM_CAP_USER_NMI: + case KVM_CAP_REINJECT_CONTROL: + case KVM_CAP_IRQ_INJECT_STATUS: +- case KVM_CAP_IRQFD: + case KVM_CAP_IOEVENTFD: + case KVM_CAP_IOEVENTFD_NO_LENGTH: + case KVM_CAP_PIT2: +diff --git a/arch/x86/vdso/vdso32/sigreturn.S b/arch/x86/vdso/vdso32/sigreturn.S +index 31776d0..d7ec4e2 100644 +--- a/arch/x86/vdso/vdso32/sigreturn.S ++++ b/arch/x86/vdso/vdso32/sigreturn.S +@@ -17,6 +17,7 @@ + .text + .globl __kernel_sigreturn + .type __kernel_sigreturn,@function ++ nop /* this guy is needed for .LSTARTFDEDLSI1 below (watch for HACK) */ + ALIGN + __kernel_sigreturn: + .LSTART_sigreturn: +diff --git a/arch/x86/xen/p2m.c b/arch/x86/xen/p2m.c +index 376a0a9..cc45a9f 100644 +--- a/arch/x86/xen/p2m.c ++++ b/arch/x86/xen/p2m.c +@@ -567,7 +567,7 @@ static bool alloc_p2m(unsigned long pfn) + if (p2m_pfn == PFN_DOWN(__pa(p2m_missing))) + p2m_init(p2m); + else +- p2m_init_identity(p2m, pfn); ++ p2m_init_identity(p2m, pfn & ~(P2M_PER_PAGE - 1)); + + spin_lock_irqsave(&p2m_update_lock, flags); + +diff --git a/drivers/char/tpm/tpm_i2c_stm_st33.c b/drivers/char/tpm/tpm_i2c_stm_st33.c +index 7d1c540..3f187a5 100644 +--- a/drivers/char/tpm/tpm_i2c_stm_st33.c ++++ b/drivers/char/tpm/tpm_i2c_stm_st33.c +@@ -397,7 +397,7 @@ static int wait_for_stat(struct tpm_chip *chip, u8 mask, unsigned long timeout, + */ + static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count) + { +- int size = 0, burstcnt, len; ++ int size = 0, burstcnt, len, ret; + struct i2c_client *client; + + client = (struct i2c_client *)TPM_VPRIV(chip); +@@ -406,13 +406,15 @@ static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count) + wait_for_stat(chip, + TPM_STS_DATA_AVAIL | TPM_STS_VALID, + chip->vendor.timeout_c, +- &chip->vendor.read_queue) +- == 0) { ++ &chip->vendor.read_queue) == 0) { + burstcnt = get_burstcount(chip); + if (burstcnt < 0) + return burstcnt; + len = min_t(int, burstcnt, count - size); +- I2C_READ_DATA(client, TPM_DATA_FIFO, buf + size, len); ++ ret = I2C_READ_DATA(client, TPM_DATA_FIFO, buf + size, len); ++ if (ret < 0) ++ return ret; ++ + size += len; + } + return size; +diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c +index eff9d58..102463ba 100644 +--- a/drivers/char/tpm/tpm_ibmvtpm.c ++++ b/drivers/char/tpm/tpm_ibmvtpm.c +@@ -124,7 +124,7 @@ static int tpm_ibmvtpm_send(struct tpm_chip *chip, u8 *buf, size_t count) + { + struct ibmvtpm_dev *ibmvtpm; + struct ibmvtpm_crq crq; +- u64 *word = (u64 *) &crq; ++ __be64 *word = (__be64 *)&crq; + int rc; + + ibmvtpm = (struct ibmvtpm_dev *)TPM_VPRIV(chip); +@@ -145,11 +145,11 @@ static int tpm_ibmvtpm_send(struct tpm_chip *chip, u8 *buf, size_t count) + memcpy((void *)ibmvtpm->rtce_buf, (void *)buf, count); + crq.valid = (u8)IBMVTPM_VALID_CMD; + crq.msg = (u8)VTPM_TPM_COMMAND; +- crq.len = (u16)count; +- crq.data = ibmvtpm->rtce_dma_handle; ++ crq.len = cpu_to_be16(count); ++ crq.data = cpu_to_be32(ibmvtpm->rtce_dma_handle); + +- rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(word[0]), +- cpu_to_be64(word[1])); ++ rc = ibmvtpm_send_crq(ibmvtpm->vdev, be64_to_cpu(word[0]), ++ be64_to_cpu(word[1])); + if (rc != H_SUCCESS) { + dev_err(ibmvtpm->dev, "tpm_ibmvtpm_send failed rc=%d\n", rc); + rc = 0; +diff --git a/drivers/char/tpm/tpm_ibmvtpm.h b/drivers/char/tpm/tpm_ibmvtpm.h +index bd82a79..b2c231b 100644 +--- a/drivers/char/tpm/tpm_ibmvtpm.h ++++ b/drivers/char/tpm/tpm_ibmvtpm.h +@@ -22,9 +22,9 @@ + struct ibmvtpm_crq { + u8 valid; + u8 msg; +- u16 len; +- u32 data; +- u64 reserved; ++ __be16 len; ++ __be32 data; ++ __be64 reserved; + } __attribute__((packed, aligned(8))); + + struct ibmvtpm_crq_queue { +diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c +index de03df9..c3aac4c 100644 +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -142,6 +142,7 @@ struct ports_device { + * notification + */ + struct work_struct control_work; ++ struct work_struct config_work; + + struct list_head ports; + +@@ -1837,10 +1838,21 @@ static void config_intr(struct virtio_device *vdev) + + portdev = vdev->priv; + ++ if (!use_multiport(portdev)) ++ schedule_work(&portdev->config_work); ++} ++ ++static void config_work_handler(struct work_struct *work) ++{ ++ struct ports_device *portdev; ++ ++ portdev = container_of(work, struct ports_device, control_work); + if (!use_multiport(portdev)) { ++ struct virtio_device *vdev; + struct port *port; + u16 rows, cols; + ++ vdev = portdev->vdev; + virtio_cread(vdev, struct virtio_console_config, cols, &cols); + virtio_cread(vdev, struct virtio_console_config, rows, &rows); + +@@ -2031,12 +2043,14 @@ static int virtcons_probe(struct virtio_device *vdev) + + virtio_device_ready(portdev->vdev); + ++ INIT_WORK(&portdev->config_work, &config_work_handler); ++ INIT_WORK(&portdev->control_work, &control_work_handler); ++ + if (multiport) { + unsigned int nr_added_bufs; + + spin_lock_init(&portdev->c_ivq_lock); + spin_lock_init(&portdev->c_ovq_lock); +- INIT_WORK(&portdev->control_work, &control_work_handler); + + nr_added_bufs = fill_queue(portdev->c_ivq, + &portdev->c_ivq_lock); +@@ -2104,6 +2118,8 @@ static void virtcons_remove(struct virtio_device *vdev) + /* Finish up work that's lined up */ + if (use_multiport(portdev)) + cancel_work_sync(&portdev->control_work); ++ else ++ cancel_work_sync(&portdev->config_work); + + list_for_each_entry_safe(port, port2, &portdev->ports, list) + unplug_port(port); +@@ -2155,6 +2171,7 @@ static int virtcons_freeze(struct virtio_device *vdev) + + virtqueue_disable_cb(portdev->c_ivq); + cancel_work_sync(&portdev->control_work); ++ cancel_work_sync(&portdev->config_work); + /* + * Once more: if control_work_handler() was running, it would + * enable the cb as the last step. +diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c +index 5213da4..29168fa 100644 +--- a/drivers/gpu/drm/drm_crtc.c ++++ b/drivers/gpu/drm/drm_crtc.c +@@ -42,9 +42,10 @@ + #include "drm_crtc_internal.h" + #include "drm_internal.h" + +-static struct drm_framebuffer *add_framebuffer_internal(struct drm_device *dev, +- struct drm_mode_fb_cmd2 *r, +- struct drm_file *file_priv); ++static struct drm_framebuffer * ++internal_framebuffer_create(struct drm_device *dev, ++ struct drm_mode_fb_cmd2 *r, ++ struct drm_file *file_priv); + + /* Avoid boilerplate. I'm tired of typing. */ + #define DRM_ENUM_NAME_FN(fnname, list) \ +@@ -2817,13 +2818,11 @@ static int drm_mode_cursor_universal(struct drm_crtc *crtc, + */ + if (req->flags & DRM_MODE_CURSOR_BO) { + if (req->handle) { +- fb = add_framebuffer_internal(dev, &fbreq, file_priv); ++ fb = internal_framebuffer_create(dev, &fbreq, file_priv); + if (IS_ERR(fb)) { + DRM_DEBUG_KMS("failed to wrap cursor buffer in drm framebuffer\n"); + return PTR_ERR(fb); + } +- +- drm_framebuffer_reference(fb); + } else { + fb = NULL; + } +@@ -3175,9 +3174,10 @@ static int framebuffer_check(const struct drm_mode_fb_cmd2 *r) + return 0; + } + +-static struct drm_framebuffer *add_framebuffer_internal(struct drm_device *dev, +- struct drm_mode_fb_cmd2 *r, +- struct drm_file *file_priv) ++static struct drm_framebuffer * ++internal_framebuffer_create(struct drm_device *dev, ++ struct drm_mode_fb_cmd2 *r, ++ struct drm_file *file_priv) + { + struct drm_mode_config *config = &dev->mode_config; + struct drm_framebuffer *fb; +@@ -3209,12 +3209,6 @@ static struct drm_framebuffer *add_framebuffer_internal(struct drm_device *dev, + return fb; + } + +- mutex_lock(&file_priv->fbs_lock); +- r->fb_id = fb->base.id; +- list_add(&fb->filp_head, &file_priv->fbs); +- DRM_DEBUG_KMS("[FB:%d]\n", fb->base.id); +- mutex_unlock(&file_priv->fbs_lock); +- + return fb; + } + +@@ -3236,15 +3230,24 @@ static struct drm_framebuffer *add_framebuffer_internal(struct drm_device *dev, + int drm_mode_addfb2(struct drm_device *dev, + void *data, struct drm_file *file_priv) + { ++ struct drm_mode_fb_cmd2 *r = data; + struct drm_framebuffer *fb; + + if (!drm_core_check_feature(dev, DRIVER_MODESET)) + return -EINVAL; + +- fb = add_framebuffer_internal(dev, data, file_priv); ++ fb = internal_framebuffer_create(dev, r, file_priv); + if (IS_ERR(fb)) + return PTR_ERR(fb); + ++ /* Transfer ownership to the filp for reaping on close */ ++ ++ DRM_DEBUG_KMS("[FB:%d]\n", fb->base.id); ++ mutex_lock(&file_priv->fbs_lock); ++ r->fb_id = fb->base.id; ++ list_add(&fb->filp_head, &file_priv->fbs); ++ mutex_unlock(&file_priv->fbs_lock); ++ + return 0; + } + +diff --git a/drivers/gpu/drm/i915/i915_drv.c b/drivers/gpu/drm/i915/i915_drv.c +index 7643300..4e6405e 100644 +--- a/drivers/gpu/drm/i915/i915_drv.c ++++ b/drivers/gpu/drm/i915/i915_drv.c +@@ -622,7 +622,7 @@ static int i915_drm_suspend(struct drm_device *dev) + return 0; + } + +-static int i915_drm_suspend_late(struct drm_device *drm_dev) ++static int i915_drm_suspend_late(struct drm_device *drm_dev, bool hibernation) + { + struct drm_i915_private *dev_priv = drm_dev->dev_private; + int ret; +@@ -636,7 +636,17 @@ static int i915_drm_suspend_late(struct drm_device *drm_dev) + } + + pci_disable_device(drm_dev->pdev); +- pci_set_power_state(drm_dev->pdev, PCI_D3hot); ++ /* ++ * During hibernation on some GEN4 platforms the BIOS may try to access ++ * the device even though it's already in D3 and hang the machine. So ++ * leave the device in D0 on those platforms and hope the BIOS will ++ * power down the device properly. Platforms where this was seen: ++ * Lenovo Thinkpad X301, X61s ++ */ ++ if (!(hibernation && ++ drm_dev->pdev->subsystem_vendor == PCI_VENDOR_ID_LENOVO && ++ INTEL_INFO(dev_priv)->gen == 4)) ++ pci_set_power_state(drm_dev->pdev, PCI_D3hot); + + return 0; + } +@@ -662,7 +672,7 @@ int i915_suspend_legacy(struct drm_device *dev, pm_message_t state) + if (error) + return error; + +- return i915_drm_suspend_late(dev); ++ return i915_drm_suspend_late(dev, false); + } + + static int i915_drm_resume(struct drm_device *dev) +@@ -934,8 +944,7 @@ static int i915_pm_suspend(struct device *dev) + + static int i915_pm_suspend_late(struct device *dev) + { +- struct pci_dev *pdev = to_pci_dev(dev); +- struct drm_device *drm_dev = pci_get_drvdata(pdev); ++ struct drm_device *drm_dev = dev_to_i915(dev)->dev; + + /* + * We have a suspedn ordering issue with the snd-hda driver also +@@ -949,13 +958,22 @@ static int i915_pm_suspend_late(struct device *dev) + if (drm_dev->switch_power_state == DRM_SWITCH_POWER_OFF) + return 0; + +- return i915_drm_suspend_late(drm_dev); ++ return i915_drm_suspend_late(drm_dev, false); ++} ++ ++static int i915_pm_poweroff_late(struct device *dev) ++{ ++ struct drm_device *drm_dev = dev_to_i915(dev)->dev; ++ ++ if (drm_dev->switch_power_state == DRM_SWITCH_POWER_OFF) ++ return 0; ++ ++ return i915_drm_suspend_late(drm_dev, true); + } + + static int i915_pm_resume_early(struct device *dev) + { +- struct pci_dev *pdev = to_pci_dev(dev); +- struct drm_device *drm_dev = pci_get_drvdata(pdev); ++ struct drm_device *drm_dev = dev_to_i915(dev)->dev; + + if (drm_dev->switch_power_state == DRM_SWITCH_POWER_OFF) + return 0; +@@ -965,8 +983,7 @@ static int i915_pm_resume_early(struct device *dev) + + static int i915_pm_resume(struct device *dev) + { +- struct pci_dev *pdev = to_pci_dev(dev); +- struct drm_device *drm_dev = pci_get_drvdata(pdev); ++ struct drm_device *drm_dev = dev_to_i915(dev)->dev; + + if (drm_dev->switch_power_state == DRM_SWITCH_POWER_OFF) + return 0; +@@ -1517,7 +1534,7 @@ static const struct dev_pm_ops i915_pm_ops = { + .thaw_early = i915_pm_resume_early, + .thaw = i915_pm_resume, + .poweroff = i915_pm_suspend, +- .poweroff_late = i915_pm_suspend_late, ++ .poweroff_late = i915_pm_poweroff_late, + .restore_early = i915_pm_resume_early, + .restore = i915_pm_resume, + +diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h +index 0936b0f..ddd005c 100644 +--- a/drivers/gpu/drm/i915/i915_drv.h ++++ b/drivers/gpu/drm/i915/i915_drv.h +@@ -1781,6 +1781,11 @@ static inline struct drm_i915_private *to_i915(const struct drm_device *dev) + return dev->dev_private; + } + ++static inline struct drm_i915_private *dev_to_i915(struct device *dev) ++{ ++ return to_i915(dev_get_drvdata(dev)); ++} ++ + /* Iterate over initialised rings */ + #define for_each_ring(ring__, dev_priv__, i__) \ + for ((i__) = 0; (i__) < I915_NUM_RINGS; (i__)++) \ +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index 30d4eb3..c10b52e 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -9702,7 +9702,7 @@ void intel_check_page_flip(struct drm_device *dev, int pipe) + struct drm_crtc *crtc = dev_priv->pipe_to_crtc_mapping[pipe]; + struct intel_crtc *intel_crtc = to_intel_crtc(crtc); + +- WARN_ON(!in_irq()); ++ WARN_ON(!in_interrupt()); + + if (crtc == NULL) + return; +diff --git a/drivers/gpu/drm/radeon/atombios_crtc.c b/drivers/gpu/drm/radeon/atombios_crtc.c +index ed644a4..86807ee 100644 +--- a/drivers/gpu/drm/radeon/atombios_crtc.c ++++ b/drivers/gpu/drm/radeon/atombios_crtc.c +@@ -1405,6 +1405,9 @@ static int dce4_crtc_do_set_base(struct drm_crtc *crtc, + (x << 16) | y); + viewport_w = crtc->mode.hdisplay; + viewport_h = (crtc->mode.vdisplay + 1) & ~1; ++ if ((rdev->family >= CHIP_BONAIRE) && ++ (crtc->mode.flags & DRM_MODE_FLAG_INTERLACE)) ++ viewport_h *= 2; + WREG32(EVERGREEN_VIEWPORT_SIZE + radeon_crtc->crtc_offset, + (viewport_w << 16) | viewport_h); + +diff --git a/drivers/gpu/drm/radeon/cik.c b/drivers/gpu/drm/radeon/cik.c +index de9a562..53b9ac3 100644 +--- a/drivers/gpu/drm/radeon/cik.c ++++ b/drivers/gpu/drm/radeon/cik.c +@@ -7526,6 +7526,9 @@ int cik_irq_set(struct radeon_device *rdev) + WREG32(DC_HPD5_INT_CONTROL, hpd5); + WREG32(DC_HPD6_INT_CONTROL, hpd6); + ++ /* posting read */ ++ RREG32(SRBM_STATUS); ++ + return 0; + } + +diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c +index 85995b4..c674f63 100644 +--- a/drivers/gpu/drm/radeon/evergreen.c ++++ b/drivers/gpu/drm/radeon/evergreen.c +@@ -4589,6 +4589,9 @@ int evergreen_irq_set(struct radeon_device *rdev) + WREG32(AFMT_AUDIO_PACKET_CONTROL + EVERGREEN_CRTC4_REGISTER_OFFSET, afmt5); + WREG32(AFMT_AUDIO_PACKET_CONTROL + EVERGREEN_CRTC5_REGISTER_OFFSET, afmt6); + ++ /* posting read */ ++ RREG32(SRBM_STATUS); ++ + return 0; + } + +diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c +index 279801c..04f2514 100644 +--- a/drivers/gpu/drm/radeon/r100.c ++++ b/drivers/gpu/drm/radeon/r100.c +@@ -728,6 +728,10 @@ int r100_irq_set(struct radeon_device *rdev) + tmp |= RADEON_FP2_DETECT_MASK; + } + WREG32(RADEON_GEN_INT_CNTL, tmp); ++ ++ /* read back to post the write */ ++ RREG32(RADEON_GEN_INT_CNTL); ++ + return 0; + } + +diff --git a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c +index ef5d606..0e2cf2a 100644 +--- a/drivers/gpu/drm/radeon/r600.c ++++ b/drivers/gpu/drm/radeon/r600.c +@@ -3783,6 +3783,9 @@ int r600_irq_set(struct radeon_device *rdev) + WREG32(RV770_CG_THERMAL_INT, thermal_int); + } + ++ /* posting read */ ++ RREG32(R_000E50_SRBM_STATUS); ++ + return 0; + } + +diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c +index c830863..26e7d28 100644 +--- a/drivers/gpu/drm/radeon/radeon_cs.c ++++ b/drivers/gpu/drm/radeon/radeon_cs.c +@@ -256,11 +256,13 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data) + u32 ring = RADEON_CS_RING_GFX; + s32 priority = 0; + ++ INIT_LIST_HEAD(&p->validated); ++ + if (!cs->num_chunks) { + return 0; + } ++ + /* get chunks */ +- INIT_LIST_HEAD(&p->validated); + p->idx = 0; + p->ib.sa_bo = NULL; + p->const_ib.sa_bo = NULL; +diff --git a/drivers/gpu/drm/radeon/radeon_fence.c b/drivers/gpu/drm/radeon/radeon_fence.c +index d13d1b5..df09ca7 100644 +--- a/drivers/gpu/drm/radeon/radeon_fence.c ++++ b/drivers/gpu/drm/radeon/radeon_fence.c +@@ -1030,37 +1030,59 @@ static inline bool radeon_test_signaled(struct radeon_fence *fence) + return test_bit(FENCE_FLAG_SIGNALED_BIT, &fence->base.flags); + } + ++struct radeon_wait_cb { ++ struct fence_cb base; ++ struct task_struct *task; ++}; ++ ++static void ++radeon_fence_wait_cb(struct fence *fence, struct fence_cb *cb) ++{ ++ struct radeon_wait_cb *wait = ++ container_of(cb, struct radeon_wait_cb, base); ++ ++ wake_up_process(wait->task); ++} ++ + static signed long radeon_fence_default_wait(struct fence *f, bool intr, + signed long t) + { + struct radeon_fence *fence = to_radeon_fence(f); + struct radeon_device *rdev = fence->rdev; +- bool signaled; ++ struct radeon_wait_cb cb; + +- fence_enable_sw_signaling(&fence->base); ++ cb.task = current; + +- /* +- * This function has to return -EDEADLK, but cannot hold +- * exclusive_lock during the wait because some callers +- * may already hold it. This means checking needs_reset without +- * lock, and not fiddling with any gpu internals. +- * +- * The callback installed with fence_enable_sw_signaling will +- * run before our wait_event_*timeout call, so we will see +- * both the signaled fence and the changes to needs_reset. +- */ ++ if (fence_add_callback(f, &cb.base, radeon_fence_wait_cb)) ++ return t; ++ ++ while (t > 0) { ++ if (intr) ++ set_current_state(TASK_INTERRUPTIBLE); ++ else ++ set_current_state(TASK_UNINTERRUPTIBLE); ++ ++ /* ++ * radeon_test_signaled must be called after ++ * set_current_state to prevent a race with wake_up_process ++ */ ++ if (radeon_test_signaled(fence)) ++ break; ++ ++ if (rdev->needs_reset) { ++ t = -EDEADLK; ++ break; ++ } ++ ++ t = schedule_timeout(t); ++ ++ if (t > 0 && intr && signal_pending(current)) ++ t = -ERESTARTSYS; ++ } ++ ++ __set_current_state(TASK_RUNNING); ++ fence_remove_callback(f, &cb.base); + +- if (intr) +- t = wait_event_interruptible_timeout(rdev->fence_queue, +- ((signaled = radeon_test_signaled(fence)) || +- rdev->needs_reset), t); +- else +- t = wait_event_timeout(rdev->fence_queue, +- ((signaled = radeon_test_signaled(fence)) || +- rdev->needs_reset), t); +- +- if (t > 0 && !signaled) +- return -EDEADLK; + return t; + } + +diff --git a/drivers/gpu/drm/radeon/radeon_kfd.c b/drivers/gpu/drm/radeon/radeon_kfd.c +index bef9a09..2151cec 100644 +--- a/drivers/gpu/drm/radeon/radeon_kfd.c ++++ b/drivers/gpu/drm/radeon/radeon_kfd.c +@@ -152,7 +152,7 @@ void radeon_kfd_device_init(struct radeon_device *rdev) + .compute_vmid_bitmap = 0xFF00, + + .first_compute_pipe = 1, +- .compute_pipe_count = 8 - 1, ++ .compute_pipe_count = 4 - 1, + }; + + radeon_doorbell_get_kfd_info(rdev, +diff --git a/drivers/gpu/drm/radeon/radeon_object.c b/drivers/gpu/drm/radeon/radeon_object.c +index 040d284..24f7d30 100644 +--- a/drivers/gpu/drm/radeon/radeon_object.c ++++ b/drivers/gpu/drm/radeon/radeon_object.c +@@ -173,17 +173,6 @@ void radeon_ttm_placement_from_domain(struct radeon_bo *rbo, u32 domain) + else + rbo->placements[i].lpfn = 0; + } +- +- /* +- * Use two-ended allocation depending on the buffer size to +- * improve fragmentation quality. +- * 512kb was measured as the most optimal number. +- */ +- if (rbo->tbo.mem.size > 512 * 1024) { +- for (i = 0; i < c; i++) { +- rbo->placements[i].flags |= TTM_PL_FLAG_TOPDOWN; +- } +- } + } + + int radeon_bo_create(struct radeon_device *rdev, +diff --git a/drivers/gpu/drm/radeon/rs600.c b/drivers/gpu/drm/radeon/rs600.c +index 74bce91..0396606 100644 +--- a/drivers/gpu/drm/radeon/rs600.c ++++ b/drivers/gpu/drm/radeon/rs600.c +@@ -693,6 +693,10 @@ int rs600_irq_set(struct radeon_device *rdev) + WREG32(R_007D18_DC_HOT_PLUG_DETECT2_INT_CONTROL, hpd2); + if (ASIC_IS_DCE2(rdev)) + WREG32(R_007408_HDMI0_AUDIO_PACKET_CONTROL, hdmi0); ++ ++ /* posting read */ ++ RREG32(R_000040_GEN_INT_CNTL); ++ + return 0; + } + +diff --git a/drivers/gpu/drm/radeon/si.c b/drivers/gpu/drm/radeon/si.c +index 5d89b87..eed21db 100644 +--- a/drivers/gpu/drm/radeon/si.c ++++ b/drivers/gpu/drm/radeon/si.c +@@ -6198,6 +6198,9 @@ int si_irq_set(struct radeon_device *rdev) + + WREG32(CG_THERMAL_INT, thermal_int); + ++ /* posting read */ ++ RREG32(SRBM_STATUS); ++ + return 0; + } + +@@ -7118,8 +7121,7 @@ int si_set_uvd_clocks(struct radeon_device *rdev, u32 vclk, u32 dclk) + WREG32_P(CG_UPLL_FUNC_CNTL, UPLL_BYPASS_EN_MASK, ~UPLL_BYPASS_EN_MASK); + + if (!vclk || !dclk) { +- /* keep the Bypass mode, put PLL to sleep */ +- WREG32_P(CG_UPLL_FUNC_CNTL, UPLL_SLEEP_MASK, ~UPLL_SLEEP_MASK); ++ /* keep the Bypass mode */ + return 0; + } + +@@ -7135,8 +7137,7 @@ int si_set_uvd_clocks(struct radeon_device *rdev, u32 vclk, u32 dclk) + /* set VCO_MODE to 1 */ + WREG32_P(CG_UPLL_FUNC_CNTL, UPLL_VCO_MODE_MASK, ~UPLL_VCO_MODE_MASK); + +- /* toggle UPLL_SLEEP to 1 then back to 0 */ +- WREG32_P(CG_UPLL_FUNC_CNTL, UPLL_SLEEP_MASK, ~UPLL_SLEEP_MASK); ++ /* disable sleep mode */ + WREG32_P(CG_UPLL_FUNC_CNTL, 0, ~UPLL_SLEEP_MASK); + + /* deassert UPLL_RESET */ +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +index 6c6b655..74a2e23 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +@@ -725,32 +725,6 @@ static int vmw_driver_load(struct drm_device *dev, unsigned long chipset) + goto out_err1; + } + +- ret = ttm_bo_init_mm(&dev_priv->bdev, TTM_PL_VRAM, +- (dev_priv->vram_size >> PAGE_SHIFT)); +- if (unlikely(ret != 0)) { +- DRM_ERROR("Failed initializing memory manager for VRAM.\n"); +- goto out_err2; +- } +- +- dev_priv->has_gmr = true; +- if (((dev_priv->capabilities & (SVGA_CAP_GMR | SVGA_CAP_GMR2)) == 0) || +- refuse_dma || ttm_bo_init_mm(&dev_priv->bdev, VMW_PL_GMR, +- VMW_PL_GMR) != 0) { +- DRM_INFO("No GMR memory available. " +- "Graphics memory resources are very limited.\n"); +- dev_priv->has_gmr = false; +- } +- +- if (dev_priv->capabilities & SVGA_CAP_GBOBJECTS) { +- dev_priv->has_mob = true; +- if (ttm_bo_init_mm(&dev_priv->bdev, VMW_PL_MOB, +- VMW_PL_MOB) != 0) { +- DRM_INFO("No MOB memory available. " +- "3D will be disabled.\n"); +- dev_priv->has_mob = false; +- } +- } +- + dev_priv->mmio_mtrr = arch_phys_wc_add(dev_priv->mmio_start, + dev_priv->mmio_size); + +@@ -813,6 +787,33 @@ static int vmw_driver_load(struct drm_device *dev, unsigned long chipset) + goto out_no_fman; + } + ++ ++ ret = ttm_bo_init_mm(&dev_priv->bdev, TTM_PL_VRAM, ++ (dev_priv->vram_size >> PAGE_SHIFT)); ++ if (unlikely(ret != 0)) { ++ DRM_ERROR("Failed initializing memory manager for VRAM.\n"); ++ goto out_no_vram; ++ } ++ ++ dev_priv->has_gmr = true; ++ if (((dev_priv->capabilities & (SVGA_CAP_GMR | SVGA_CAP_GMR2)) == 0) || ++ refuse_dma || ttm_bo_init_mm(&dev_priv->bdev, VMW_PL_GMR, ++ VMW_PL_GMR) != 0) { ++ DRM_INFO("No GMR memory available. " ++ "Graphics memory resources are very limited.\n"); ++ dev_priv->has_gmr = false; ++ } ++ ++ if (dev_priv->capabilities & SVGA_CAP_GBOBJECTS) { ++ dev_priv->has_mob = true; ++ if (ttm_bo_init_mm(&dev_priv->bdev, VMW_PL_MOB, ++ VMW_PL_MOB) != 0) { ++ DRM_INFO("No MOB memory available. " ++ "3D will be disabled.\n"); ++ dev_priv->has_mob = false; ++ } ++ } ++ + vmw_kms_save_vga(dev_priv); + + /* Start kms and overlay systems, needs fifo. */ +@@ -838,6 +839,12 @@ out_no_fifo: + vmw_kms_close(dev_priv); + out_no_kms: + vmw_kms_restore_vga(dev_priv); ++ if (dev_priv->has_mob) ++ (void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_MOB); ++ if (dev_priv->has_gmr) ++ (void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR); ++ (void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM); ++out_no_vram: + vmw_fence_manager_takedown(dev_priv->fman); + out_no_fman: + if (dev_priv->capabilities & SVGA_CAP_IRQMASK) +@@ -853,12 +860,6 @@ out_err4: + iounmap(dev_priv->mmio_virt); + out_err3: + arch_phys_wc_del(dev_priv->mmio_mtrr); +- if (dev_priv->has_mob) +- (void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_MOB); +- if (dev_priv->has_gmr) +- (void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR); +- (void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM); +-out_err2: + (void)ttm_bo_device_release(&dev_priv->bdev); + out_err1: + vmw_ttm_global_release(dev_priv); +@@ -887,6 +888,13 @@ static int vmw_driver_unload(struct drm_device *dev) + } + vmw_kms_close(dev_priv); + vmw_overlay_close(dev_priv); ++ ++ if (dev_priv->has_mob) ++ (void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_MOB); ++ if (dev_priv->has_gmr) ++ (void)ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR); ++ (void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM); ++ + vmw_fence_manager_takedown(dev_priv->fman); + if (dev_priv->capabilities & SVGA_CAP_IRQMASK) + drm_irq_uninstall(dev_priv->dev); +@@ -898,11 +906,6 @@ static int vmw_driver_unload(struct drm_device *dev) + ttm_object_device_release(&dev_priv->tdev); + iounmap(dev_priv->mmio_virt); + arch_phys_wc_del(dev_priv->mmio_mtrr); +- if (dev_priv->has_mob) +- (void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_MOB); +- if (dev_priv->has_gmr) +- (void)ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR); +- (void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM); + (void)ttm_bo_device_release(&dev_priv->bdev); + vmw_ttm_global_release(dev_priv); + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +index 33176d0..1e11489 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -2780,13 +2780,11 @@ int vmw_execbuf_ioctl(struct drm_device *dev, void *data, + NULL, arg->command_size, arg->throttle_us, + (void __user *)(unsigned long)arg->fence_rep, + NULL); +- ++ ttm_read_unlock(&dev_priv->reservation_sem); + if (unlikely(ret != 0)) +- goto out_unlock; ++ return ret; + + vmw_kms_cursor_post_execbuf(dev_priv); + +-out_unlock: +- ttm_read_unlock(&dev_priv->reservation_sem); +- return ret; ++ return 0; + } +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +index 8725b79..07cda8c 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -2033,23 +2033,17 @@ int vmw_kms_update_layout_ioctl(struct drm_device *dev, void *data, + int i; + struct drm_mode_config *mode_config = &dev->mode_config; + +- ret = ttm_read_lock(&dev_priv->reservation_sem, true); +- if (unlikely(ret != 0)) +- return ret; +- + if (!arg->num_outputs) { + struct drm_vmw_rect def_rect = {0, 0, 800, 600}; + vmw_du_update_layout(dev_priv, 1, &def_rect); +- goto out_unlock; ++ return 0; + } + + rects_size = arg->num_outputs * sizeof(struct drm_vmw_rect); + rects = kcalloc(arg->num_outputs, sizeof(struct drm_vmw_rect), + GFP_KERNEL); +- if (unlikely(!rects)) { +- ret = -ENOMEM; +- goto out_unlock; +- } ++ if (unlikely(!rects)) ++ return -ENOMEM; + + user_rects = (void __user *)(unsigned long)arg->rects; + ret = copy_from_user(rects, user_rects, rects_size); +@@ -2074,7 +2068,5 @@ int vmw_kms_update_layout_ioctl(struct drm_device *dev, void *data, + + out_free: + kfree(rects); +-out_unlock: +- ttm_read_unlock(&dev_priv->reservation_sem); + return ret; + } +diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c +index e9eae57..6366333 100644 +--- a/drivers/i2c/i2c-core.c ++++ b/drivers/i2c/i2c-core.c +@@ -679,9 +679,6 @@ static int i2c_device_remove(struct device *dev) + status = driver->remove(client); + } + +- if (dev->of_node) +- irq_dispose_mapping(client->irq); +- + dev_pm_domain_detach(&client->dev, true); + return status; + } +diff --git a/drivers/irqchip/irq-armada-370-xp.c b/drivers/irqchip/irq-armada-370-xp.c +index 463c235..4387dae 100644 +--- a/drivers/irqchip/irq-armada-370-xp.c ++++ b/drivers/irqchip/irq-armada-370-xp.c +@@ -69,6 +69,7 @@ static void __iomem *per_cpu_int_base; + static void __iomem *main_int_base; + static struct irq_domain *armada_370_xp_mpic_domain; + static u32 doorbell_mask_reg; ++static int parent_irq; + #ifdef CONFIG_PCI_MSI + static struct irq_domain *armada_370_xp_msi_domain; + static DECLARE_BITMAP(msi_used, PCI_MSI_DOORBELL_NR); +@@ -356,6 +357,7 @@ static int armada_xp_mpic_secondary_init(struct notifier_block *nfb, + { + if (action == CPU_STARTING || action == CPU_STARTING_FROZEN) + armada_xp_mpic_smp_cpu_init(); ++ + return NOTIFY_OK; + } + +@@ -364,6 +366,20 @@ static struct notifier_block armada_370_xp_mpic_cpu_notifier = { + .priority = 100, + }; + ++static int mpic_cascaded_secondary_init(struct notifier_block *nfb, ++ unsigned long action, void *hcpu) ++{ ++ if (action == CPU_STARTING || action == CPU_STARTING_FROZEN) ++ enable_percpu_irq(parent_irq, IRQ_TYPE_NONE); ++ ++ return NOTIFY_OK; ++} ++ ++static struct notifier_block mpic_cascaded_cpu_notifier = { ++ .notifier_call = mpic_cascaded_secondary_init, ++ .priority = 100, ++}; ++ + #endif /* CONFIG_SMP */ + + static struct irq_domain_ops armada_370_xp_mpic_irq_ops = { +@@ -539,7 +555,7 @@ static int __init armada_370_xp_mpic_of_init(struct device_node *node, + struct device_node *parent) + { + struct resource main_int_res, per_cpu_int_res; +- int parent_irq, nr_irqs, i; ++ int nr_irqs, i; + u32 control; + + BUG_ON(of_address_to_resource(node, 0, &main_int_res)); +@@ -587,6 +603,9 @@ static int __init armada_370_xp_mpic_of_init(struct device_node *node, + register_cpu_notifier(&armada_370_xp_mpic_cpu_notifier); + #endif + } else { ++#ifdef CONFIG_SMP ++ register_cpu_notifier(&mpic_cascaded_cpu_notifier); ++#endif + irq_set_chained_handler(parent_irq, + armada_370_xp_mpic_handle_cascade_irq); + } +diff --git a/drivers/mtd/nand/pxa3xx_nand.c b/drivers/mtd/nand/pxa3xx_nand.c +index 96b0b1d..bc67736 100644 +--- a/drivers/mtd/nand/pxa3xx_nand.c ++++ b/drivers/mtd/nand/pxa3xx_nand.c +@@ -480,6 +480,42 @@ static void disable_int(struct pxa3xx_nand_info *info, uint32_t int_mask) + nand_writel(info, NDCR, ndcr | int_mask); + } + ++static void drain_fifo(struct pxa3xx_nand_info *info, void *data, int len) ++{ ++ if (info->ecc_bch) { ++ int timeout; ++ ++ /* ++ * According to the datasheet, when reading from NDDB ++ * with BCH enabled, after each 32 bytes reads, we ++ * have to make sure that the NDSR.RDDREQ bit is set. ++ * ++ * Drain the FIFO 8 32 bits reads at a time, and skip ++ * the polling on the last read. ++ */ ++ while (len > 8) { ++ __raw_readsl(info->mmio_base + NDDB, data, 8); ++ ++ for (timeout = 0; ++ !(nand_readl(info, NDSR) & NDSR_RDDREQ); ++ timeout++) { ++ if (timeout >= 5) { ++ dev_err(&info->pdev->dev, ++ "Timeout on RDDREQ while draining the FIFO\n"); ++ return; ++ } ++ ++ mdelay(1); ++ } ++ ++ data += 32; ++ len -= 8; ++ } ++ } ++ ++ __raw_readsl(info->mmio_base + NDDB, data, len); ++} ++ + static void handle_data_pio(struct pxa3xx_nand_info *info) + { + unsigned int do_bytes = min(info->data_size, info->chunk_size); +@@ -496,14 +532,14 @@ static void handle_data_pio(struct pxa3xx_nand_info *info) + DIV_ROUND_UP(info->oob_size, 4)); + break; + case STATE_PIO_READING: +- __raw_readsl(info->mmio_base + NDDB, +- info->data_buff + info->data_buff_pos, +- DIV_ROUND_UP(do_bytes, 4)); ++ drain_fifo(info, ++ info->data_buff + info->data_buff_pos, ++ DIV_ROUND_UP(do_bytes, 4)); + + if (info->oob_size > 0) +- __raw_readsl(info->mmio_base + NDDB, +- info->oob_buff + info->oob_buff_pos, +- DIV_ROUND_UP(info->oob_size, 4)); ++ drain_fifo(info, ++ info->oob_buff + info->oob_buff_pos, ++ DIV_ROUND_UP(info->oob_size, 4)); + break; + default: + dev_err(&info->pdev->dev, "%s: invalid state %d\n", __func__, +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index 847c1f8..62ca0e8 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -578,6 +578,10 @@ struct sk_buff *alloc_can_skb(struct net_device *dev, struct can_frame **cf) + skb->pkt_type = PACKET_BROADCAST; + skb->ip_summed = CHECKSUM_UNNECESSARY; + ++ skb_reset_mac_header(skb); ++ skb_reset_network_header(skb); ++ skb_reset_transport_header(skb); ++ + can_skb_reserve(skb); + can_skb_prv(skb)->ifindex = dev->ifindex; + +@@ -602,6 +606,10 @@ struct sk_buff *alloc_canfd_skb(struct net_device *dev, + skb->pkt_type = PACKET_BROADCAST; + skb->ip_summed = CHECKSUM_UNNECESSARY; + ++ skb_reset_mac_header(skb); ++ skb_reset_network_header(skb); ++ skb_reset_transport_header(skb); ++ + can_skb_reserve(skb); + can_skb_prv(skb)->ifindex = dev->ifindex; + +diff --git a/drivers/net/can/usb/kvaser_usb.c b/drivers/net/can/usb/kvaser_usb.c +index 7af379c..913a2bc 100644 +--- a/drivers/net/can/usb/kvaser_usb.c ++++ b/drivers/net/can/usb/kvaser_usb.c +@@ -12,6 +12,7 @@ + * Copyright (C) 2012 Olivier Sobrie <olivier@sobrie.be> + */ + ++#include <linux/kernel.h> + #include <linux/completion.h> + #include <linux/module.h> + #include <linux/netdevice.h> +@@ -403,8 +404,15 @@ static int kvaser_usb_wait_msg(const struct kvaser_usb *dev, u8 id, + while (pos <= actual_len - MSG_HEADER_LEN) { + tmp = buf + pos; + +- if (!tmp->len) +- break; ++ /* Handle messages crossing the USB endpoint max packet ++ * size boundary. Check kvaser_usb_read_bulk_callback() ++ * for further details. ++ */ ++ if (tmp->len == 0) { ++ pos = round_up(pos, ++ dev->bulk_in->wMaxPacketSize); ++ continue; ++ } + + if (pos + tmp->len > actual_len) { + dev_err(dev->udev->dev.parent, +@@ -980,8 +988,19 @@ static void kvaser_usb_read_bulk_callback(struct urb *urb) + while (pos <= urb->actual_length - MSG_HEADER_LEN) { + msg = urb->transfer_buffer + pos; + +- if (!msg->len) +- break; ++ /* The Kvaser firmware can only read and write messages that ++ * does not cross the USB's endpoint wMaxPacketSize boundary. ++ * If a follow-up command crosses such boundary, firmware puts ++ * a placeholder zero-length command in its place then aligns ++ * the real command to the next max packet size. ++ * ++ * Handle such cases or we're going to miss a significant ++ * number of events in case of a heavy rx load on the bus. ++ */ ++ if (msg->len == 0) { ++ pos = round_up(pos, dev->bulk_in->wMaxPacketSize); ++ continue; ++ } + + if (pos + msg->len > urb->actual_length) { + dev_err(dev->udev->dev.parent, "Format error\n"); +@@ -989,7 +1008,6 @@ static void kvaser_usb_read_bulk_callback(struct urb *urb) + } + + kvaser_usb_handle_message(dev, msg); +- + pos += msg->len; + } + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +index 72eef9f..ac6a0ef 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +@@ -12722,6 +12722,9 @@ static int bnx2x_init_dev(struct bnx2x *bp, struct pci_dev *pdev, + pci_write_config_dword(bp->pdev, PCICFG_GRC_ADDRESS, + PCICFG_VENDOR_ID_OFFSET); + ++ /* Set PCIe reset type to fundamental for EEH recovery */ ++ pdev->needs_freset = 1; ++ + /* AER (Advanced Error reporting) configuration */ + rc = pci_enable_pcie_error_reporting(pdev); + if (!rc) +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index bba8777..fba3c98 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -1448,8 +1448,7 @@ fec_enet_rx_queue(struct net_device *ndev, int budget, u16 queue_id) + + vlan_packet_rcvd = true; + +- skb_copy_to_linear_data_offset(skb, VLAN_HLEN, +- data, (2 * ETH_ALEN)); ++ memmove(skb->data + VLAN_HLEN, data, ETH_ALEN * 2); + skb_pull(skb, VLAN_HLEN); + } + +@@ -1566,7 +1565,7 @@ fec_enet_interrupt(int irq, void *dev_id) + writel(int_events, fep->hwp + FEC_IEVENT); + fec_enet_collect_events(fep, int_events); + +- if (fep->work_tx || fep->work_rx) { ++ if ((fep->work_tx || fep->work_rx) && fep->link) { + ret = IRQ_HANDLED; + + if (napi_schedule_prep(&fep->napi)) { +diff --git a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h +index 944a112..8805ef1 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h ++++ b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h +@@ -451,7 +451,7 @@ struct mlx4_en_port_stats { + unsigned long rx_chksum_none; + unsigned long rx_chksum_complete; + unsigned long tx_chksum_offload; +-#define NUM_PORT_STATS 9 ++#define NUM_PORT_STATS 10 + }; + + struct mlx4_en_perf_stats { +diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/usb/cx82310_eth.c +index 3eed708..fe48f4c 100644 +--- a/drivers/net/usb/cx82310_eth.c ++++ b/drivers/net/usb/cx82310_eth.c +@@ -300,9 +300,18 @@ static const struct driver_info cx82310_info = { + .tx_fixup = cx82310_tx_fixup, + }; + ++#define USB_DEVICE_CLASS(vend, prod, cl, sc, pr) \ ++ .match_flags = USB_DEVICE_ID_MATCH_DEVICE | \ ++ USB_DEVICE_ID_MATCH_DEV_INFO, \ ++ .idVendor = (vend), \ ++ .idProduct = (prod), \ ++ .bDeviceClass = (cl), \ ++ .bDeviceSubClass = (sc), \ ++ .bDeviceProtocol = (pr) ++ + static const struct usb_device_id products[] = { + { +- USB_DEVICE_AND_INTERFACE_INFO(0x0572, 0xcb01, 0xff, 0, 0), ++ USB_DEVICE_CLASS(0x0572, 0xcb01, 0xff, 0, 0), + .driver_info = (unsigned long) &cx82310_info + }, + { }, +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 059fdf1..0ad6c0c 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1444,8 +1444,10 @@ static void virtnet_free_queues(struct virtnet_info *vi) + { + int i; + +- for (i = 0; i < vi->max_queue_pairs; i++) ++ for (i = 0; i < vi->max_queue_pairs; i++) { ++ napi_hash_del(&vi->rq[i].napi); + netif_napi_del(&vi->rq[i].napi); ++ } + + kfree(vi->rq); + kfree(vi->sq); +@@ -1936,11 +1938,8 @@ static int virtnet_freeze(struct virtio_device *vdev) + cancel_delayed_work_sync(&vi->refill); + + if (netif_running(vi->dev)) { +- for (i = 0; i < vi->max_queue_pairs; i++) { ++ for (i = 0; i < vi->max_queue_pairs; i++) + napi_disable(&vi->rq[i].napi); +- napi_hash_del(&vi->rq[i].napi); +- netif_napi_del(&vi->rq[i].napi); +- } + } + + remove_vq_common(vi); +diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c +index 47731cb..2fa0dbb 100644 +--- a/drivers/net/wireless/b43/main.c ++++ b/drivers/net/wireless/b43/main.c +@@ -5322,6 +5322,7 @@ static void b43_supported_bands(struct b43_wldev *dev, bool *have_2ghz_phy, + case 0x432a: /* BCM4321 */ + case 0x432d: /* BCM4322 */ + case 0x4352: /* BCM43222 */ ++ case 0x435a: /* BCM43228 */ + case 0x4333: /* BCM4331 */ + case 0x43a2: /* BCM4360 */ + case 0x43b3: /* BCM4352 */ +diff --git a/drivers/of/base.c b/drivers/of/base.c +index 36536b6..65a47f4 100644 +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -714,16 +714,12 @@ static struct device_node *__of_find_node_by_path(struct device_node *parent, + const char *path) + { + struct device_node *child; +- int len = strchrnul(path, '/') - path; +- int term; ++ int len; + ++ len = strcspn(path, "/:"); + if (!len) + return NULL; + +- term = strchrnul(path, ':') - path; +- if (term < len) +- len = term; +- + __for_each_child_of_node(parent, child) { + const char *name = strrchr(child->full_name, '/'); + if (WARN(!name, "malformed device_node %s\n", child->full_name)) +@@ -768,8 +764,12 @@ struct device_node *of_find_node_opts_by_path(const char *path, const char **opt + + /* The path could begin with an alias */ + if (*path != '/') { +- char *p = strchrnul(path, '/'); +- int len = separator ? separator - path : p - path; ++ int len; ++ const char *p = separator; ++ ++ if (!p) ++ p = strchrnul(path, '/'); ++ len = p - path; + + /* of_aliases must not be NULL */ + if (!of_aliases) +@@ -794,6 +794,8 @@ struct device_node *of_find_node_opts_by_path(const char *path, const char **opt + path++; /* Increment past '/' delimiter */ + np = __of_find_node_by_path(np, path); + path = strchrnul(path, '/'); ++ if (separator && separator < path) ++ break; + } + raw_spin_unlock_irqrestore(&devtree_lock, flags); + return np; +diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c +index aa012fb..312f23a 100644 +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -521,7 +521,8 @@ static ssize_t driver_override_store(struct device *dev, + struct pci_dev *pdev = to_pci_dev(dev); + char *driver_override, *old = pdev->driver_override, *cp; + +- if (count > PATH_MAX) ++ /* We need to keep extra room for a newline */ ++ if (count >= (PAGE_SIZE - 1)) + return -EINVAL; + + driver_override = kstrndup(buf, count, GFP_KERNEL); +@@ -549,7 +550,7 @@ static ssize_t driver_override_show(struct device *dev, + { + struct pci_dev *pdev = to_pci_dev(dev); + +- return sprintf(buf, "%s\n", pdev->driver_override); ++ return snprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override); + } + static DEVICE_ATTR_RW(driver_override); + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 9c48fb3..a5761d0 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -1843,10 +1843,12 @@ static int _regulator_do_enable(struct regulator_dev *rdev) + } + + if (rdev->ena_pin) { +- ret = regulator_ena_gpio_ctrl(rdev, true); +- if (ret < 0) +- return ret; +- rdev->ena_gpio_state = 1; ++ if (!rdev->ena_gpio_state) { ++ ret = regulator_ena_gpio_ctrl(rdev, true); ++ if (ret < 0) ++ return ret; ++ rdev->ena_gpio_state = 1; ++ } + } else if (rdev->desc->ops->enable) { + ret = rdev->desc->ops->enable(rdev); + if (ret < 0) +@@ -1943,10 +1945,12 @@ static int _regulator_do_disable(struct regulator_dev *rdev) + trace_regulator_disable(rdev_get_name(rdev)); + + if (rdev->ena_pin) { +- ret = regulator_ena_gpio_ctrl(rdev, false); +- if (ret < 0) +- return ret; +- rdev->ena_gpio_state = 0; ++ if (rdev->ena_gpio_state) { ++ ret = regulator_ena_gpio_ctrl(rdev, false); ++ if (ret < 0) ++ return ret; ++ rdev->ena_gpio_state = 0; ++ } + + } else if (rdev->desc->ops->disable) { + ret = rdev->desc->ops->disable(rdev); +@@ -3678,12 +3682,6 @@ regulator_register(const struct regulator_desc *regulator_desc, + config->ena_gpio, ret); + goto wash; + } +- +- if (config->ena_gpio_flags & GPIOF_OUT_INIT_HIGH) +- rdev->ena_gpio_state = 1; +- +- if (config->ena_gpio_invert) +- rdev->ena_gpio_state = !rdev->ena_gpio_state; + } + + /* set regulator constraints */ +@@ -3856,9 +3854,11 @@ int regulator_suspend_finish(void) + list_for_each_entry(rdev, ®ulator_list, list) { + mutex_lock(&rdev->mutex); + if (rdev->use_count > 0 || rdev->constraints->always_on) { +- error = _regulator_do_enable(rdev); +- if (error) +- ret = error; ++ if (!_regulator_is_enabled(rdev)) { ++ error = _regulator_do_enable(rdev); ++ if (error) ++ ret = error; ++ } + } else { + if (!have_full_constraints()) + goto unlock; +diff --git a/drivers/regulator/rk808-regulator.c b/drivers/regulator/rk808-regulator.c +index c94a3e0..3f67228 100644 +--- a/drivers/regulator/rk808-regulator.c ++++ b/drivers/regulator/rk808-regulator.c +@@ -235,6 +235,7 @@ static const struct regulator_desc rk808_reg[] = { + .vsel_mask = RK808_LDO_VSEL_MASK, + .enable_reg = RK808_LDO_EN_REG, + .enable_mask = BIT(0), ++ .enable_time = 400, + .owner = THIS_MODULE, + }, { + .name = "LDO_REG2", +@@ -249,6 +250,7 @@ static const struct regulator_desc rk808_reg[] = { + .vsel_mask = RK808_LDO_VSEL_MASK, + .enable_reg = RK808_LDO_EN_REG, + .enable_mask = BIT(1), ++ .enable_time = 400, + .owner = THIS_MODULE, + }, { + .name = "LDO_REG3", +@@ -263,6 +265,7 @@ static const struct regulator_desc rk808_reg[] = { + .vsel_mask = RK808_BUCK4_VSEL_MASK, + .enable_reg = RK808_LDO_EN_REG, + .enable_mask = BIT(2), ++ .enable_time = 400, + .owner = THIS_MODULE, + }, { + .name = "LDO_REG4", +@@ -277,6 +280,7 @@ static const struct regulator_desc rk808_reg[] = { + .vsel_mask = RK808_LDO_VSEL_MASK, + .enable_reg = RK808_LDO_EN_REG, + .enable_mask = BIT(3), ++ .enable_time = 400, + .owner = THIS_MODULE, + }, { + .name = "LDO_REG5", +@@ -291,6 +295,7 @@ static const struct regulator_desc rk808_reg[] = { + .vsel_mask = RK808_LDO_VSEL_MASK, + .enable_reg = RK808_LDO_EN_REG, + .enable_mask = BIT(4), ++ .enable_time = 400, + .owner = THIS_MODULE, + }, { + .name = "LDO_REG6", +@@ -305,6 +310,7 @@ static const struct regulator_desc rk808_reg[] = { + .vsel_mask = RK808_LDO_VSEL_MASK, + .enable_reg = RK808_LDO_EN_REG, + .enable_mask = BIT(5), ++ .enable_time = 400, + .owner = THIS_MODULE, + }, { + .name = "LDO_REG7", +@@ -319,6 +325,7 @@ static const struct regulator_desc rk808_reg[] = { + .vsel_mask = RK808_LDO_VSEL_MASK, + .enable_reg = RK808_LDO_EN_REG, + .enable_mask = BIT(6), ++ .enable_time = 400, + .owner = THIS_MODULE, + }, { + .name = "LDO_REG8", +@@ -333,6 +340,7 @@ static const struct regulator_desc rk808_reg[] = { + .vsel_mask = RK808_LDO_VSEL_MASK, + .enable_reg = RK808_LDO_EN_REG, + .enable_mask = BIT(7), ++ .enable_time = 400, + .owner = THIS_MODULE, + }, { + .name = "SWITCH_REG1", +diff --git a/drivers/rtc/rtc-s3c.c b/drivers/rtc/rtc-s3c.c +index 4241eea..f4cf685 100644 +--- a/drivers/rtc/rtc-s3c.c ++++ b/drivers/rtc/rtc-s3c.c +@@ -849,6 +849,7 @@ static struct s3c_rtc_data const s3c2443_rtc_data = { + + static struct s3c_rtc_data const s3c6410_rtc_data = { + .max_user_freq = 32768, ++ .needs_src_clk = true, + .irq_handler = s3c6410_rtc_irq, + .set_freq = s3c6410_rtc_setfreq, + .enable_tick = s3c6410_rtc_enable_tick, +diff --git a/drivers/scsi/libsas/sas_discover.c b/drivers/scsi/libsas/sas_discover.c +index 62b58d3..60de662 100644 +--- a/drivers/scsi/libsas/sas_discover.c ++++ b/drivers/scsi/libsas/sas_discover.c +@@ -500,6 +500,7 @@ static void sas_revalidate_domain(struct work_struct *work) + struct sas_discovery_event *ev = to_sas_discovery_event(work); + struct asd_sas_port *port = ev->port; + struct sas_ha_struct *ha = port->ha; ++ struct domain_device *ddev = port->port_dev; + + /* prevent revalidation from finding sata links in recovery */ + mutex_lock(&ha->disco_mutex); +@@ -514,8 +515,9 @@ static void sas_revalidate_domain(struct work_struct *work) + SAS_DPRINTK("REVALIDATING DOMAIN on port %d, pid:%d\n", port->id, + task_pid_nr(current)); + +- if (port->port_dev) +- res = sas_ex_revalidate_domain(port->port_dev); ++ if (ddev && (ddev->dev_type == SAS_FANOUT_EXPANDER_DEVICE || ++ ddev->dev_type == SAS_EDGE_EXPANDER_DEVICE)) ++ res = sas_ex_revalidate_domain(ddev); + + SAS_DPRINTK("done REVALIDATING DOMAIN on port %d, pid:%d, res 0x%x\n", + port->id, task_pid_nr(current), res); +diff --git a/drivers/spi/spi-atmel.c b/drivers/spi/spi-atmel.c +index 23d8f5f5..df93c97 100644 +--- a/drivers/spi/spi-atmel.c ++++ b/drivers/spi/spi-atmel.c +@@ -764,17 +764,17 @@ static void atmel_spi_pdc_next_xfer(struct spi_master *master, + (unsigned long long)xfer->rx_dma); + } + +- /* REVISIT: We're waiting for ENDRX before we start the next ++ /* REVISIT: We're waiting for RXBUFF before we start the next + * transfer because we need to handle some difficult timing +- * issues otherwise. If we wait for ENDTX in one transfer and +- * then starts waiting for ENDRX in the next, it's difficult +- * to tell the difference between the ENDRX interrupt we're +- * actually waiting for and the ENDRX interrupt of the ++ * issues otherwise. If we wait for TXBUFE in one transfer and ++ * then starts waiting for RXBUFF in the next, it's difficult ++ * to tell the difference between the RXBUFF interrupt we're ++ * actually waiting for and the RXBUFF interrupt of the + * previous transfer. + * + * It should be doable, though. Just not now... + */ +- spi_writel(as, IER, SPI_BIT(ENDRX) | SPI_BIT(OVRES)); ++ spi_writel(as, IER, SPI_BIT(RXBUFF) | SPI_BIT(OVRES)); + spi_writel(as, PTCR, SPI_BIT(TXTEN) | SPI_BIT(RXTEN)); + } + +diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c +index a67d37c..22ca08a 100644 +--- a/drivers/spi/spi-dw-mid.c ++++ b/drivers/spi/spi-dw-mid.c +@@ -139,6 +139,9 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_tx(struct dw_spi *dws) + 1, + DMA_MEM_TO_DEV, + DMA_PREP_INTERRUPT | DMA_CTRL_ACK); ++ if (!txdesc) ++ return NULL; ++ + txdesc->callback = dw_spi_dma_tx_done; + txdesc->callback_param = dws; + +@@ -184,6 +187,9 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_rx(struct dw_spi *dws) + 1, + DMA_DEV_TO_MEM, + DMA_PREP_INTERRUPT | DMA_CTRL_ACK); ++ if (!rxdesc) ++ return NULL; ++ + rxdesc->callback = dw_spi_dma_rx_done; + rxdesc->callback_param = dws; + +diff --git a/drivers/spi/spi-pl022.c b/drivers/spi/spi-pl022.c +index 89ca162..ee513a8 100644 +--- a/drivers/spi/spi-pl022.c ++++ b/drivers/spi/spi-pl022.c +@@ -534,12 +534,12 @@ static void giveback(struct pl022 *pl022) + pl022->cur_msg = NULL; + pl022->cur_transfer = NULL; + pl022->cur_chip = NULL; +- spi_finalize_current_message(pl022->master); + + /* disable the SPI/SSP operation */ + writew((readw(SSP_CR1(pl022->virtbase)) & + (~SSP_CR1_MASK_SSE)), SSP_CR1(pl022->virtbase)); + ++ spi_finalize_current_message(pl022->master); + } + + /** +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c +index aebde32..8d27db47 100644 +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -4221,11 +4221,17 @@ int iscsit_close_connection( + pr_debug("Closing iSCSI connection CID %hu on SID:" + " %u\n", conn->cid, sess->sid); + /* +- * Always up conn_logout_comp just in case the RX Thread is sleeping +- * and the logout response never got sent because the connection +- * failed. ++ * Always up conn_logout_comp for the traditional TCP case just in case ++ * the RX Thread in iscsi_target_rx_opcode() is sleeping and the logout ++ * response never got sent because the connection failed. ++ * ++ * However for iser-target, isert_wait4logout() is using conn_logout_comp ++ * to signal logout response TX interrupt completion. Go ahead and skip ++ * this for iser since isert_rx_opcode() does not wait on logout failure, ++ * and to avoid iscsi_conn pointer dereference in iser-target code. + */ +- complete(&conn->conn_logout_comp); ++ if (conn->conn_transport->transport_type == ISCSI_TCP) ++ complete(&conn->conn_logout_comp); + + iscsi_release_thread_set(conn); + +diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c +index 58f49ff..54da2a4 100644 +--- a/drivers/target/target_core_device.c ++++ b/drivers/target/target_core_device.c +@@ -1534,8 +1534,6 @@ int target_configure_device(struct se_device *dev) + ret = dev->transport->configure_device(dev); + if (ret) + goto out; +- dev->dev_flags |= DF_CONFIGURED; +- + /* + * XXX: there is not much point to have two different values here.. + */ +@@ -1597,6 +1595,8 @@ int target_configure_device(struct se_device *dev) + list_add_tail(&dev->g_dev_node, &g_device_list); + mutex_unlock(&g_device_mutex); + ++ dev->dev_flags |= DF_CONFIGURED; ++ + return 0; + + out_free_alua: +diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c +index 1045dcd..f6c954c 100644 +--- a/drivers/target/target_core_pscsi.c ++++ b/drivers/target/target_core_pscsi.c +@@ -1121,7 +1121,7 @@ static u32 pscsi_get_device_type(struct se_device *dev) + struct pscsi_dev_virt *pdv = PSCSI_DEV(dev); + struct scsi_device *sd = pdv->pdv_sd; + +- return sd->type; ++ return (sd) ? sd->type : TYPE_NO_LUN; + } + + static sector_t pscsi_get_blocks(struct se_device *dev) +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index 0adc0f6..ac3cbab 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -2389,6 +2389,10 @@ int target_get_sess_cmd(struct se_session *se_sess, struct se_cmd *se_cmd, + list_add_tail(&se_cmd->se_cmd_list, &se_sess->sess_cmd_list); + out: + spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags); ++ ++ if (ret && ack_kref) ++ target_put_sess_cmd(se_sess, se_cmd); ++ + return ret; + } + EXPORT_SYMBOL(target_get_sess_cmd); +diff --git a/drivers/tty/serial/8250/8250_dw.c b/drivers/tty/serial/8250/8250_dw.c +index 555de07..7d89da3 100644 +--- a/drivers/tty/serial/8250/8250_dw.c ++++ b/drivers/tty/serial/8250/8250_dw.c +@@ -111,7 +111,10 @@ static void dw8250_serial_out(struct uart_port *p, int offset, int value) + dw8250_force_idle(p); + writeb(value, p->membase + (UART_LCR << p->regshift)); + } +- dev_err(p->dev, "Couldn't set LCR to %d\n", value); ++ /* ++ * FIXME: this deadlocks if port->lock is already held ++ * dev_err(p->dev, "Couldn't set LCR to %d\n", value); ++ */ + } + } + +@@ -155,7 +158,10 @@ static void dw8250_serial_outq(struct uart_port *p, int offset, int value) + __raw_writeq(value & 0xff, + p->membase + (UART_LCR << p->regshift)); + } +- dev_err(p->dev, "Couldn't set LCR to %d\n", value); ++ /* ++ * FIXME: this deadlocks if port->lock is already held ++ * dev_err(p->dev, "Couldn't set LCR to %d\n", value); ++ */ + } + } + #endif /* CONFIG_64BIT */ +@@ -179,7 +185,10 @@ static void dw8250_serial_out32(struct uart_port *p, int offset, int value) + dw8250_force_idle(p); + writel(value, p->membase + (UART_LCR << p->regshift)); + } +- dev_err(p->dev, "Couldn't set LCR to %d\n", value); ++ /* ++ * FIXME: this deadlocks if port->lock is already held ++ * dev_err(p->dev, "Couldn't set LCR to %d\n", value); ++ */ + } + } + +diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c +index d1f8dc6..1442956 100644 +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -69,7 +69,7 @@ static void moan_device(const char *str, struct pci_dev *dev) + "Please send the output of lspci -vv, this\n" + "message (0x%04x,0x%04x,0x%04x,0x%04x), the\n" + "manufacturer and name of serial board or\n" +- "modem board to rmk+serial@arm.linux.org.uk.\n", ++ "modem board to <linux-serial@vger.kernel.org>.\n", + pci_name(dev), str, dev->vendor, dev->device, + dev->subsystem_vendor, dev->subsystem_device); + } +diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c +index db49ec4..9fbbaa0 100644 +--- a/drivers/usb/gadget/legacy/inode.c ++++ b/drivers/usb/gadget/legacy/inode.c +@@ -566,7 +566,6 @@ static ssize_t ep_copy_to_user(struct kiocb_priv *priv) + if (total == 0) + break; + } +- + return len; + } + +@@ -585,6 +584,7 @@ static void ep_user_copy_worker(struct work_struct *work) + aio_complete(iocb, ret, ret); + + kfree(priv->buf); ++ kfree(priv->iv); + kfree(priv); + } + +@@ -605,6 +605,7 @@ static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req) + */ + if (priv->iv == NULL || unlikely(req->actual == 0)) { + kfree(req->buf); ++ kfree(priv->iv); + kfree(priv); + iocb->private = NULL; + /* aio_complete() reports bytes-transferred _and_ faults */ +@@ -640,7 +641,7 @@ ep_aio_rwtail( + struct usb_request *req; + ssize_t value; + +- priv = kmalloc(sizeof *priv, GFP_KERNEL); ++ priv = kzalloc(sizeof *priv, GFP_KERNEL); + if (!priv) { + value = -ENOMEM; + fail: +@@ -649,7 +650,14 @@ fail: + } + iocb->private = priv; + priv->iocb = iocb; +- priv->iv = iv; ++ if (iv) { ++ priv->iv = kmemdup(iv, nr_segs * sizeof(struct iovec), ++ GFP_KERNEL); ++ if (!priv->iv) { ++ kfree(priv); ++ goto fail; ++ } ++ } + priv->nr_segs = nr_segs; + INIT_WORK(&priv->work, ep_user_copy_worker); + +@@ -689,6 +697,7 @@ fail: + mutex_unlock(&epdata->lock); + + if (unlikely(value)) { ++ kfree(priv->iv); + kfree(priv); + put_ep(epdata); + } else +diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c +index b4bca2d..70fba97 100644 +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -526,20 +526,26 @@ static unsigned int __startup_pirq(unsigned int irq) + pirq_query_unmask(irq); + + rc = set_evtchn_to_irq(evtchn, irq); +- if (rc != 0) { +- pr_err("irq%d: Failed to set port to irq mapping (%d)\n", +- irq, rc); +- xen_evtchn_close(evtchn); +- return 0; +- } ++ if (rc) ++ goto err; ++ + bind_evtchn_to_cpu(evtchn, 0); + info->evtchn = evtchn; + ++ rc = xen_evtchn_port_setup(info); ++ if (rc) ++ goto err; ++ + out: + unmask_evtchn(evtchn); + eoi_pirq(irq_get_irq_data(irq)); + + return 0; ++ ++err: ++ pr_err("irq%d: Failed to set port to irq mapping (%d)\n", irq, rc); ++ xen_evtchn_close(evtchn); ++ return 0; + } + + static unsigned int startup_pirq(struct irq_data *data) +diff --git a/drivers/xen/xen-pciback/conf_space.c b/drivers/xen/xen-pciback/conf_space.c +index 46ae0f9..75fe3d4 100644 +--- a/drivers/xen/xen-pciback/conf_space.c ++++ b/drivers/xen/xen-pciback/conf_space.c +@@ -16,7 +16,7 @@ + #include "conf_space.h" + #include "conf_space_quirks.h" + +-static bool permissive; ++bool permissive; + module_param(permissive, bool, 0644); + + /* This is where xen_pcibk_read_config_byte, xen_pcibk_read_config_word, +diff --git a/drivers/xen/xen-pciback/conf_space.h b/drivers/xen/xen-pciback/conf_space.h +index e56c934..2e1d73d 100644 +--- a/drivers/xen/xen-pciback/conf_space.h ++++ b/drivers/xen/xen-pciback/conf_space.h +@@ -64,6 +64,8 @@ struct config_field_entry { + void *data; + }; + ++extern bool permissive; ++ + #define OFFSET(cfg_entry) ((cfg_entry)->base_offset+(cfg_entry)->field->offset) + + /* Add fields to a device - the add_fields macro expects to get a pointer to +diff --git a/drivers/xen/xen-pciback/conf_space_header.c b/drivers/xen/xen-pciback/conf_space_header.c +index c5ee825..2d73693 100644 +--- a/drivers/xen/xen-pciback/conf_space_header.c ++++ b/drivers/xen/xen-pciback/conf_space_header.c +@@ -11,6 +11,10 @@ + #include "pciback.h" + #include "conf_space.h" + ++struct pci_cmd_info { ++ u16 val; ++}; ++ + struct pci_bar_info { + u32 val; + u32 len_val; +@@ -20,22 +24,36 @@ struct pci_bar_info { + #define is_enable_cmd(value) ((value)&(PCI_COMMAND_MEMORY|PCI_COMMAND_IO)) + #define is_master_cmd(value) ((value)&PCI_COMMAND_MASTER) + +-static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data) ++/* Bits guests are allowed to control in permissive mode. */ ++#define PCI_COMMAND_GUEST (PCI_COMMAND_MASTER|PCI_COMMAND_SPECIAL| \ ++ PCI_COMMAND_INVALIDATE|PCI_COMMAND_VGA_PALETTE| \ ++ PCI_COMMAND_WAIT|PCI_COMMAND_FAST_BACK) ++ ++static void *command_init(struct pci_dev *dev, int offset) + { +- int i; +- int ret; +- +- ret = xen_pcibk_read_config_word(dev, offset, value, data); +- if (!pci_is_enabled(dev)) +- return ret; +- +- for (i = 0; i < PCI_ROM_RESOURCE; i++) { +- if (dev->resource[i].flags & IORESOURCE_IO) +- *value |= PCI_COMMAND_IO; +- if (dev->resource[i].flags & IORESOURCE_MEM) +- *value |= PCI_COMMAND_MEMORY; ++ struct pci_cmd_info *cmd = kmalloc(sizeof(*cmd), GFP_KERNEL); ++ int err; ++ ++ if (!cmd) ++ return ERR_PTR(-ENOMEM); ++ ++ err = pci_read_config_word(dev, PCI_COMMAND, &cmd->val); ++ if (err) { ++ kfree(cmd); ++ return ERR_PTR(err); + } + ++ return cmd; ++} ++ ++static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data) ++{ ++ int ret = pci_read_config_word(dev, offset, value); ++ const struct pci_cmd_info *cmd = data; ++ ++ *value &= PCI_COMMAND_GUEST; ++ *value |= cmd->val & ~PCI_COMMAND_GUEST; ++ + return ret; + } + +@@ -43,6 +61,8 @@ static int command_write(struct pci_dev *dev, int offset, u16 value, void *data) + { + struct xen_pcibk_dev_data *dev_data; + int err; ++ u16 val; ++ struct pci_cmd_info *cmd = data; + + dev_data = pci_get_drvdata(dev); + if (!pci_is_enabled(dev) && is_enable_cmd(value)) { +@@ -83,6 +103,19 @@ static int command_write(struct pci_dev *dev, int offset, u16 value, void *data) + } + } + ++ cmd->val = value; ++ ++ if (!permissive && (!dev_data || !dev_data->permissive)) ++ return 0; ++ ++ /* Only allow the guest to control certain bits. */ ++ err = pci_read_config_word(dev, offset, &val); ++ if (err || val == value) ++ return err; ++ ++ value &= PCI_COMMAND_GUEST; ++ value |= val & ~PCI_COMMAND_GUEST; ++ + return pci_write_config_word(dev, offset, value); + } + +@@ -282,6 +315,8 @@ static const struct config_field header_common[] = { + { + .offset = PCI_COMMAND, + .size = 2, ++ .init = command_init, ++ .release = bar_release, + .u.w.read = command_read, + .u.w.write = command_write, + }, +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c +index ed19a7d..71c4619 100644 +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -890,8 +890,8 @@ static int fuse_try_move_page(struct fuse_copy_state *cs, struct page **pagep) + + newpage = buf->page; + +- if (WARN_ON(!PageUptodate(newpage))) +- return -EIO; ++ if (!PageUptodate(newpage)) ++ SetPageUptodate(newpage); + + ClearPageMappedToDisk(newpage); + +@@ -1797,6 +1797,9 @@ copy_finish: + static int fuse_notify(struct fuse_conn *fc, enum fuse_notify_code code, + unsigned int size, struct fuse_copy_state *cs) + { ++ /* Don't try to move pages (yet) */ ++ cs->move_pages = 0; ++ + switch (code) { + case FUSE_NOTIFY_POLL: + return fuse_notify_poll(fc, size, cs); +diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c +index 469086b..0c3f303 100644 +--- a/fs/nilfs2/segment.c ++++ b/fs/nilfs2/segment.c +@@ -1907,6 +1907,7 @@ static void nilfs_segctor_drop_written_files(struct nilfs_sc_info *sci, + struct the_nilfs *nilfs) + { + struct nilfs_inode_info *ii, *n; ++ int during_mount = !(sci->sc_super->s_flags & MS_ACTIVE); + int defer_iput = false; + + spin_lock(&nilfs->ns_inode_lock); +@@ -1919,10 +1920,10 @@ static void nilfs_segctor_drop_written_files(struct nilfs_sc_info *sci, + brelse(ii->i_bh); + ii->i_bh = NULL; + list_del_init(&ii->i_dirty); +- if (!ii->vfs_inode.i_nlink) { ++ if (!ii->vfs_inode.i_nlink || during_mount) { + /* +- * Defer calling iput() to avoid a deadlock +- * over I_SYNC flag for inodes with i_nlink == 0 ++ * Defer calling iput() to avoid deadlocks if ++ * i_nlink == 0 or mount is not yet finished. + */ + list_add_tail(&ii->i_dirty, &sci->sc_iput_queue); + defer_iput = true; +diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c +index 88f9b83..f86e549 100644 +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -1326,6 +1326,9 @@ out: + + static int pagemap_open(struct inode *inode, struct file *file) + { ++ /* do not disclose physical addresses: attack vector */ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; + pr_warn_once("Bits 55-60 of /proc/PID/pagemap entries are about " + "to stop being page-shift some time soon. See the " + "linux/Documentation/vm/pagemap.txt for details.\n"); +diff --git a/include/linux/serial_core.h b/include/linux/serial_core.h +index 057038c..b405a62 100644 +--- a/include/linux/serial_core.h ++++ b/include/linux/serial_core.h +@@ -146,9 +146,9 @@ struct uart_port { + #define UPIO_HUB6 (1) /* Hub6 ISA card */ + #define UPIO_MEM (2) /* 8b MMIO access */ + #define UPIO_MEM32 (3) /* 32b little endian */ +-#define UPIO_MEM32BE (4) /* 32b big endian */ +-#define UPIO_AU (5) /* Au1x00 and RT288x type IO */ +-#define UPIO_TSI (6) /* Tsi108/109 type IO */ ++#define UPIO_AU (4) /* Au1x00 and RT288x type IO */ ++#define UPIO_TSI (5) /* Tsi108/109 type IO */ ++#define UPIO_MEM32BE (6) /* 32b big endian */ + + unsigned int read_status_mask; /* driver specific */ + unsigned int ignore_status_mask; /* driver specific */ +diff --git a/include/linux/workqueue.h b/include/linux/workqueue.h +index b996e6cd..9eb54f4 100644 +--- a/include/linux/workqueue.h ++++ b/include/linux/workqueue.h +@@ -70,7 +70,8 @@ enum { + /* data contains off-queue information when !WORK_STRUCT_PWQ */ + WORK_OFFQ_FLAG_BASE = WORK_STRUCT_COLOR_SHIFT, + +- WORK_OFFQ_CANCELING = (1 << WORK_OFFQ_FLAG_BASE), ++ __WORK_OFFQ_CANCELING = WORK_OFFQ_FLAG_BASE, ++ WORK_OFFQ_CANCELING = (1 << __WORK_OFFQ_CANCELING), + + /* + * When a work item is off queue, its high bits point to the last +diff --git a/kernel/cpuset.c b/kernel/cpuset.c +index 64b257f..9e25599 100644 +--- a/kernel/cpuset.c ++++ b/kernel/cpuset.c +@@ -548,9 +548,6 @@ static void update_domain_attr_tree(struct sched_domain_attr *dattr, + + rcu_read_lock(); + cpuset_for_each_descendant_pre(cp, pos_css, root_cs) { +- if (cp == root_cs) +- continue; +- + /* skip the whole subtree if @cp doesn't have any CPU */ + if (cpumask_empty(cp->cpus_allowed)) { + pos_css = css_rightmost_descendant(pos_css); +@@ -873,7 +870,7 @@ static void update_cpumasks_hier(struct cpuset *cs, struct cpumask *new_cpus) + * If it becomes empty, inherit the effective mask of the + * parent, which is guaranteed to have some CPUs. + */ +- if (cpumask_empty(new_cpus)) ++ if (cgroup_on_dfl(cp->css.cgroup) && cpumask_empty(new_cpus)) + cpumask_copy(new_cpus, parent->effective_cpus); + + /* Skip the whole subtree if the cpumask remains the same. */ +@@ -1129,7 +1126,7 @@ static void update_nodemasks_hier(struct cpuset *cs, nodemask_t *new_mems) + * If it becomes empty, inherit the effective mask of the + * parent, which is guaranteed to have some MEMs. + */ +- if (nodes_empty(*new_mems)) ++ if (cgroup_on_dfl(cp->css.cgroup) && nodes_empty(*new_mems)) + *new_mems = parent->effective_mems; + + /* Skip the whole subtree if the nodemask remains the same. */ +@@ -1992,7 +1989,9 @@ static int cpuset_css_online(struct cgroup_subsys_state *css) + + spin_lock_irq(&callback_lock); + cs->mems_allowed = parent->mems_allowed; ++ cs->effective_mems = parent->mems_allowed; + cpumask_copy(cs->cpus_allowed, parent->cpus_allowed); ++ cpumask_copy(cs->effective_cpus, parent->cpus_allowed); + spin_unlock_irq(&callback_lock); + out_unlock: + mutex_unlock(&cpuset_mutex); +diff --git a/kernel/printk/console_cmdline.h b/kernel/printk/console_cmdline.h +index cbd69d8..2ca4a8b 100644 +--- a/kernel/printk/console_cmdline.h ++++ b/kernel/printk/console_cmdline.h +@@ -3,7 +3,7 @@ + + struct console_cmdline + { +- char name[8]; /* Name of the driver */ ++ char name[16]; /* Name of the driver */ + int index; /* Minor dev. to use */ + char *options; /* Options for the driver */ + #ifdef CONFIG_A11Y_BRAILLE_CONSOLE +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c +index fae29e3..2cdd353 100644 +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -2464,6 +2464,7 @@ void register_console(struct console *newcon) + for (i = 0, c = console_cmdline; + i < MAX_CMDLINECONSOLES && c->name[0]; + i++, c++) { ++ BUILD_BUG_ON(sizeof(c->name) != sizeof(newcon->name)); + if (strcmp(c->name, newcon->name) != 0) + continue; + if (newcon->index >= 0 && +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index 224e768..af5bffd 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -1059,6 +1059,12 @@ static __init void ftrace_profile_debugfs(struct dentry *d_tracer) + + static struct pid * const ftrace_swapper_pid = &init_struct_pid; + ++#ifdef CONFIG_FUNCTION_GRAPH_TRACER ++static int ftrace_graph_active; ++#else ++# define ftrace_graph_active 0 ++#endif ++ + #ifdef CONFIG_DYNAMIC_FTRACE + + static struct ftrace_ops *removed_ops; +@@ -2041,8 +2047,12 @@ static int ftrace_check_record(struct dyn_ftrace *rec, int enable, int update) + if (!ftrace_rec_count(rec)) + rec->flags = 0; + else +- /* Just disable the record (keep REGS state) */ +- rec->flags &= ~FTRACE_FL_ENABLED; ++ /* ++ * Just disable the record, but keep the ops TRAMP ++ * and REGS states. The _EN flags must be disabled though. ++ */ ++ rec->flags &= ~(FTRACE_FL_ENABLED | FTRACE_FL_TRAMP_EN | ++ FTRACE_FL_REGS_EN); + } + + return FTRACE_UPDATE_MAKE_NOP; +@@ -2688,24 +2698,36 @@ static int ftrace_shutdown(struct ftrace_ops *ops, int command) + + static void ftrace_startup_sysctl(void) + { ++ int command; ++ + if (unlikely(ftrace_disabled)) + return; + + /* Force update next time */ + saved_ftrace_func = NULL; + /* ftrace_start_up is true if we want ftrace running */ +- if (ftrace_start_up) +- ftrace_run_update_code(FTRACE_UPDATE_CALLS); ++ if (ftrace_start_up) { ++ command = FTRACE_UPDATE_CALLS; ++ if (ftrace_graph_active) ++ command |= FTRACE_START_FUNC_RET; ++ ftrace_startup_enable(command); ++ } + } + + static void ftrace_shutdown_sysctl(void) + { ++ int command; ++ + if (unlikely(ftrace_disabled)) + return; + + /* ftrace_start_up is true if ftrace is running */ +- if (ftrace_start_up) +- ftrace_run_update_code(FTRACE_DISABLE_CALLS); ++ if (ftrace_start_up) { ++ command = FTRACE_DISABLE_CALLS; ++ if (ftrace_graph_active) ++ command |= FTRACE_STOP_FUNC_RET; ++ ftrace_run_update_code(command); ++ } + } + + static cycle_t ftrace_update_time; +@@ -5558,12 +5580,12 @@ ftrace_enable_sysctl(struct ctl_table *table, int write, + + if (ftrace_enabled) { + +- ftrace_startup_sysctl(); +- + /* we are starting ftrace again */ + if (ftrace_ops_list != &ftrace_list_end) + update_ftrace_function(); + ++ ftrace_startup_sysctl(); ++ + } else { + /* stopping ftrace calls (just send to ftrace_stub) */ + ftrace_trace_function = ftrace_stub; +@@ -5590,8 +5612,6 @@ static struct ftrace_ops graph_ops = { + ASSIGN_OPS_HASH(graph_ops, &global_ops.local_hash) + }; + +-static int ftrace_graph_active; +- + int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace) + { + return 0; +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index beeeac9..82d0c8d 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -2728,19 +2728,57 @@ bool flush_work(struct work_struct *work) + } + EXPORT_SYMBOL_GPL(flush_work); + ++struct cwt_wait { ++ wait_queue_t wait; ++ struct work_struct *work; ++}; ++ ++static int cwt_wakefn(wait_queue_t *wait, unsigned mode, int sync, void *key) ++{ ++ struct cwt_wait *cwait = container_of(wait, struct cwt_wait, wait); ++ ++ if (cwait->work != key) ++ return 0; ++ return autoremove_wake_function(wait, mode, sync, key); ++} ++ + static bool __cancel_work_timer(struct work_struct *work, bool is_dwork) + { ++ static DECLARE_WAIT_QUEUE_HEAD(cancel_waitq); + unsigned long flags; + int ret; + + do { + ret = try_to_grab_pending(work, is_dwork, &flags); + /* +- * If someone else is canceling, wait for the same event it +- * would be waiting for before retrying. ++ * If someone else is already canceling, wait for it to ++ * finish. flush_work() doesn't work for PREEMPT_NONE ++ * because we may get scheduled between @work's completion ++ * and the other canceling task resuming and clearing ++ * CANCELING - flush_work() will return false immediately ++ * as @work is no longer busy, try_to_grab_pending() will ++ * return -ENOENT as @work is still being canceled and the ++ * other canceling task won't be able to clear CANCELING as ++ * we're hogging the CPU. ++ * ++ * Let's wait for completion using a waitqueue. As this ++ * may lead to the thundering herd problem, use a custom ++ * wake function which matches @work along with exclusive ++ * wait and wakeup. + */ +- if (unlikely(ret == -ENOENT)) +- flush_work(work); ++ if (unlikely(ret == -ENOENT)) { ++ struct cwt_wait cwait; ++ ++ init_wait(&cwait.wait); ++ cwait.wait.func = cwt_wakefn; ++ cwait.work = work; ++ ++ prepare_to_wait_exclusive(&cancel_waitq, &cwait.wait, ++ TASK_UNINTERRUPTIBLE); ++ if (work_is_canceling(work)) ++ schedule(); ++ finish_wait(&cancel_waitq, &cwait.wait); ++ } + } while (unlikely(ret < 0)); + + /* tell other tasks trying to grab @work to back off */ +@@ -2749,6 +2787,16 @@ static bool __cancel_work_timer(struct work_struct *work, bool is_dwork) + + flush_work(work); + clear_work_data(work); ++ ++ /* ++ * Paired with prepare_to_wait() above so that either ++ * waitqueue_active() is visible here or !work_is_canceling() is ++ * visible there. ++ */ ++ smp_mb(); ++ if (waitqueue_active(&cancel_waitq)) ++ __wake_up(&cancel_waitq, TASK_NORMAL, 1, work); ++ + return ret; + } + +diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c +index 7a85967..f0f5c5c 100644 +--- a/lib/lz4/lz4_decompress.c ++++ b/lib/lz4/lz4_decompress.c +@@ -139,6 +139,9 @@ static int lz4_uncompress(const char *source, char *dest, int osize) + /* Error: request to write beyond destination buffer */ + if (cpy > oend) + goto _output_error; ++ if ((ref + COPYLENGTH) > oend || ++ (op + COPYLENGTH) > oend) ++ goto _output_error; + LZ4_SECURECOPY(ref, op, (oend - COPYLENGTH)); + while (op < cpy) + *op++ = *ref++; +diff --git a/lib/seq_buf.c b/lib/seq_buf.c +index 4eedfed..f25c33b 100644 +--- a/lib/seq_buf.c ++++ b/lib/seq_buf.c +@@ -61,7 +61,7 @@ int seq_buf_vprintf(struct seq_buf *s, const char *fmt, va_list args) + + if (s->len < s->size) { + len = vsnprintf(s->buffer + s->len, s->size - s->len, fmt, args); +- if (seq_buf_can_fit(s, len)) { ++ if (s->len + len < s->size) { + s->len += len; + return 0; + } +@@ -154,7 +154,7 @@ int seq_buf_bprintf(struct seq_buf *s, const char *fmt, const u32 *binary) + + if (s->len < s->size) { + ret = bstr_printf(s->buffer + s->len, len, fmt, binary); +- if (seq_buf_can_fit(s, ret)) { ++ if (s->len + ret < s->size) { + s->len += ret; + return 0; + } +diff --git a/mm/cma.c b/mm/cma.c +index a85ae28..f1bbcb6 100644 +--- a/mm/cma.c ++++ b/mm/cma.c +@@ -64,15 +64,17 @@ static unsigned long cma_bitmap_aligned_mask(struct cma *cma, int align_order) + return (1UL << (align_order - cma->order_per_bit)) - 1; + } + ++/* ++ * Find a PFN aligned to the specified order and return an offset represented in ++ * order_per_bits. ++ */ + static unsigned long cma_bitmap_aligned_offset(struct cma *cma, int align_order) + { +- unsigned int alignment; +- + if (align_order <= cma->order_per_bit) + return 0; +- alignment = 1UL << (align_order - cma->order_per_bit); +- return ALIGN(cma->base_pfn, alignment) - +- (cma->base_pfn >> cma->order_per_bit); ++ ++ return (ALIGN(cma->base_pfn, (1UL << align_order)) ++ - cma->base_pfn) >> cma->order_per_bit; + } + + static unsigned long cma_bitmap_maxno(struct cma *cma) +diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c +index 769b185..a6e2da0 100644 +--- a/net/caif/caif_socket.c ++++ b/net/caif/caif_socket.c +@@ -281,7 +281,7 @@ static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock, + int copylen; + + ret = -EOPNOTSUPP; +- if (m->msg_flags&MSG_OOB) ++ if (flags & MSG_OOB) + goto read_error; + + skb = skb_recv_datagram(sk, flags, 0 , &ret); +diff --git a/net/can/af_can.c b/net/can/af_can.c +index 66e0804..32d710e 100644 +--- a/net/can/af_can.c ++++ b/net/can/af_can.c +@@ -259,6 +259,9 @@ int can_send(struct sk_buff *skb, int loop) + goto inval_skb; + } + ++ skb->ip_summed = CHECKSUM_UNNECESSARY; ++ ++ skb_reset_mac_header(skb); + skb_reset_network_header(skb); + skb_reset_transport_header(skb); + +diff --git a/net/compat.c b/net/compat.c +index 94d3d5e..f7bd286 100644 +--- a/net/compat.c ++++ b/net/compat.c +@@ -49,6 +49,13 @@ ssize_t get_compat_msghdr(struct msghdr *kmsg, + __get_user(kmsg->msg_controllen, &umsg->msg_controllen) || + __get_user(kmsg->msg_flags, &umsg->msg_flags)) + return -EFAULT; ++ ++ if (!uaddr) ++ kmsg->msg_namelen = 0; ++ ++ if (kmsg->msg_namelen < 0) ++ return -EINVAL; ++ + if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) + kmsg->msg_namelen = sizeof(struct sockaddr_storage); + kmsg->msg_control = compat_ptr(tmp3); +diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c +index 31baba2..bbb1d5a 100644 +--- a/net/core/sysctl_net_core.c ++++ b/net/core/sysctl_net_core.c +@@ -25,6 +25,8 @@ + static int zero = 0; + static int one = 1; + static int ushort_max = USHRT_MAX; ++static int min_sndbuf = SOCK_MIN_SNDBUF; ++static int min_rcvbuf = SOCK_MIN_RCVBUF; + + static int net_msg_warn; /* Unused, but still a sysctl */ + +@@ -237,7 +239,7 @@ static struct ctl_table net_core_table[] = { + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_sndbuf, + }, + { + .procname = "rmem_max", +@@ -245,7 +247,7 @@ static struct ctl_table net_core_table[] = { + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_rcvbuf, + }, + { + .procname = "wmem_default", +@@ -253,7 +255,7 @@ static struct ctl_table net_core_table[] = { + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_sndbuf, + }, + { + .procname = "rmem_default", +@@ -261,7 +263,7 @@ static struct ctl_table net_core_table[] = { + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, ++ .extra1 = &min_rcvbuf, + }, + { + .procname = "dev_weight", +diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c +index e34dccb..4eeba4e 100644 +--- a/net/ipv4/inet_diag.c ++++ b/net/ipv4/inet_diag.c +@@ -71,6 +71,20 @@ static inline void inet_diag_unlock_handler( + mutex_unlock(&inet_diag_table_mutex); + } + ++static size_t inet_sk_attr_size(void) ++{ ++ return nla_total_size(sizeof(struct tcp_info)) ++ + nla_total_size(1) /* INET_DIAG_SHUTDOWN */ ++ + nla_total_size(1) /* INET_DIAG_TOS */ ++ + nla_total_size(1) /* INET_DIAG_TCLASS */ ++ + nla_total_size(sizeof(struct inet_diag_meminfo)) ++ + nla_total_size(sizeof(struct inet_diag_msg)) ++ + nla_total_size(SK_MEMINFO_VARS * sizeof(u32)) ++ + nla_total_size(TCP_CA_NAME_MAX) ++ + nla_total_size(sizeof(struct tcpvegas_info)) ++ + 64; ++} ++ + int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk, + struct sk_buff *skb, struct inet_diag_req_v2 *req, + struct user_namespace *user_ns, +@@ -324,9 +338,7 @@ int inet_diag_dump_one_icsk(struct inet_hashinfo *hashinfo, struct sk_buff *in_s + if (err) + goto out; + +- rep = nlmsg_new(sizeof(struct inet_diag_msg) + +- sizeof(struct inet_diag_meminfo) + +- sizeof(struct tcp_info) + 64, GFP_KERNEL); ++ rep = nlmsg_new(inet_sk_attr_size(), GFP_KERNEL); + if (!rep) { + err = -ENOMEM; + goto out; +diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c +index 8670e68..f2d4097 100644 +--- a/net/ipv4/tcp_cong.c ++++ b/net/ipv4/tcp_cong.c +@@ -309,6 +309,12 @@ EXPORT_SYMBOL_GPL(tcp_slow_start); + */ + void tcp_cong_avoid_ai(struct tcp_sock *tp, u32 w, u32 acked) + { ++ /* If credits accumulated at a higher w, apply them gently now. */ ++ if (tp->snd_cwnd_cnt >= w) { ++ tp->snd_cwnd_cnt = 0; ++ tp->snd_cwnd++; ++ } ++ + tp->snd_cwnd_cnt += acked; + if (tp->snd_cwnd_cnt >= w) { + u32 delta = tp->snd_cwnd_cnt / w; +diff --git a/net/ipv4/tcp_cubic.c b/net/ipv4/tcp_cubic.c +index 4b276d1..06d3d66 100644 +--- a/net/ipv4/tcp_cubic.c ++++ b/net/ipv4/tcp_cubic.c +@@ -306,8 +306,10 @@ tcp_friendliness: + } + } + +- if (ca->cnt == 0) /* cannot be zero */ +- ca->cnt = 1; ++ /* The maximum rate of cwnd increase CUBIC allows is 1 packet per ++ * 2 packets ACKed, meaning cwnd grows at 1.5x per RTT. ++ */ ++ ca->cnt = max(ca->cnt, 2U); + } + + static void bictcp_cong_avoid(struct sock *sk, u32 ack, u32 acked) +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 65caf8b..9790f39 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2775,15 +2775,11 @@ void tcp_send_fin(struct sock *sk) + } else { + /* Socket is locked, keep trying until memory is available. */ + for (;;) { +- skb = alloc_skb_fclone(MAX_TCP_HEADER, +- sk->sk_allocation); ++ skb = sk_stream_alloc_skb(sk, 0, sk->sk_allocation); + if (skb) + break; + yield(); + } +- +- /* Reserve space for headers and prepare control bits. */ +- skb_reserve(skb, MAX_TCP_HEADER); + /* FIN eats a sequence byte, write_seq advanced by tcp_queue_skb(). */ + tcp_init_nondata_skb(skb, tp->write_seq, + TCPHDR_ACK | TCPHDR_FIN); +diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c +index b4d5e1d..27ca796 100644 +--- a/net/ipv6/fib6_rules.c ++++ b/net/ipv6/fib6_rules.c +@@ -104,6 +104,7 @@ static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp, + goto again; + flp6->saddr = saddr; + } ++ err = rt->dst.error; + goto out; + } + again: +diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c +index a562769..4b869d3 100644 +--- a/net/ipv6/udp_offload.c ++++ b/net/ipv6/udp_offload.c +@@ -112,11 +112,9 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, + fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen); + fptr->nexthdr = nexthdr; + fptr->reserved = 0; +- if (skb_shinfo(skb)->ip6_frag_id) +- fptr->identification = skb_shinfo(skb)->ip6_frag_id; +- else +- ipv6_select_ident(fptr, +- (struct rt6_info *)skb_dst(skb)); ++ if (!skb_shinfo(skb)->ip6_frag_id) ++ ipv6_proxy_select_ident(skb); ++ fptr->identification = skb_shinfo(skb)->ip6_frag_id; + + /* Fragment the skb. ipv6 header and the remaining fields of the + * fragment header are updated in ipv6_gso_segment() +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index b8295a4..fdcda8b 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -3399,7 +3399,7 @@ static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info) + if (udest.af == 0) + udest.af = svc->af; + +- if (udest.af != svc->af) { ++ if (udest.af != svc->af && cmd != IPVS_CMD_DEL_DEST) { + /* The synchronization protocol is incompatible + * with mixed family services + */ +diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c +index c47ffd7..d93ceeb 100644 +--- a/net/netfilter/ipvs/ip_vs_sync.c ++++ b/net/netfilter/ipvs/ip_vs_sync.c +@@ -896,6 +896,8 @@ static void ip_vs_proc_conn(struct net *net, struct ip_vs_conn_param *param, + IP_VS_DBG(2, "BACKUP, add new conn. failed\n"); + return; + } ++ if (!(flags & IP_VS_CONN_F_TEMPLATE)) ++ kfree(param->pe_data); + } + + if (opt) +@@ -1169,6 +1171,7 @@ static inline int ip_vs_proc_sync_conn(struct net *net, __u8 *p, __u8 *msg_end) + (opt_flags & IPVS_OPT_F_SEQ_DATA ? &opt : NULL) + ); + #endif ++ ip_vs_pe_put(param.pe); + return 0; + /* Error exit */ + out: +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 1ff04bc..f77f4cc 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -227,7 +227,7 @@ nft_rule_deactivate_next(struct net *net, struct nft_rule *rule) + + static inline void nft_rule_clear(struct net *net, struct nft_rule *rule) + { +- rule->genmask = 0; ++ rule->genmask &= ~(1 << gencursor_next(net)); + } + + static int +@@ -3606,12 +3606,11 @@ static int nf_tables_commit(struct sk_buff *skb) + &te->elem, + NFT_MSG_DELSETELEM, 0); + te->set->ops->get(te->set, &te->elem); +- te->set->ops->remove(te->set, &te->elem); + nft_data_uninit(&te->elem.key, NFT_DATA_VALUE); +- if (te->elem.flags & NFT_SET_MAP) { +- nft_data_uninit(&te->elem.data, +- te->set->dtype); +- } ++ if (te->set->flags & NFT_SET_MAP && ++ !(te->elem.flags & NFT_SET_ELEM_INTERVAL_END)) ++ nft_data_uninit(&te->elem.data, te->set->dtype); ++ te->set->ops->remove(te->set, &te->elem); + nft_trans_destroy(trans); + break; + } +@@ -3652,7 +3651,7 @@ static int nf_tables_abort(struct sk_buff *skb) + { + struct net *net = sock_net(skb->sk); + struct nft_trans *trans, *next; +- struct nft_set *set; ++ struct nft_trans_elem *te; + + list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { + switch (trans->msg_type) { +@@ -3713,9 +3712,13 @@ static int nf_tables_abort(struct sk_buff *skb) + break; + case NFT_MSG_NEWSETELEM: + nft_trans_elem_set(trans)->nelems--; +- set = nft_trans_elem_set(trans); +- set->ops->get(set, &nft_trans_elem(trans)); +- set->ops->remove(set, &nft_trans_elem(trans)); ++ te = (struct nft_trans_elem *)trans->data; ++ te->set->ops->get(te->set, &te->elem); ++ nft_data_uninit(&te->elem.key, NFT_DATA_VALUE); ++ if (te->set->flags & NFT_SET_MAP && ++ !(te->elem.flags & NFT_SET_ELEM_INTERVAL_END)) ++ nft_data_uninit(&te->elem.data, te->set->dtype); ++ te->set->ops->remove(te->set, &te->elem); + nft_trans_destroy(trans); + break; + case NFT_MSG_DELSETELEM: +diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c +index 265e190..b636486 100644 +--- a/net/netfilter/nft_compat.c ++++ b/net/netfilter/nft_compat.c +@@ -578,8 +578,12 @@ nft_match_select_ops(const struct nft_ctx *ctx, + struct xt_match *match = nft_match->ops.data; + + if (strcmp(match->name, mt_name) == 0 && +- match->revision == rev && match->family == family) ++ match->revision == rev && match->family == family) { ++ if (!try_module_get(match->me)) ++ return ERR_PTR(-ENOENT); ++ + return &nft_match->ops; ++ } + } + + match = xt_request_find_match(family, mt_name, rev); +@@ -648,8 +652,12 @@ nft_target_select_ops(const struct nft_ctx *ctx, + struct xt_target *target = nft_target->ops.data; + + if (strcmp(target->name, tg_name) == 0 && +- target->revision == rev && target->family == family) ++ target->revision == rev && target->family == family) { ++ if (!try_module_get(target->me)) ++ return ERR_PTR(-ENOENT); ++ + return &nft_target->ops; ++ } + } + + target = xt_request_find_target(family, tg_name, rev); +diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c +index 1ba6793..13332db 100644 +--- a/net/netfilter/xt_socket.c ++++ b/net/netfilter/xt_socket.c +@@ -243,12 +243,13 @@ static int + extract_icmp6_fields(const struct sk_buff *skb, + unsigned int outside_hdrlen, + int *protocol, +- struct in6_addr **raddr, +- struct in6_addr **laddr, ++ const struct in6_addr **raddr, ++ const struct in6_addr **laddr, + __be16 *rport, +- __be16 *lport) ++ __be16 *lport, ++ struct ipv6hdr *ipv6_var) + { +- struct ipv6hdr *inside_iph, _inside_iph; ++ const struct ipv6hdr *inside_iph; + struct icmp6hdr *icmph, _icmph; + __be16 *ports, _ports[2]; + u8 inside_nexthdr; +@@ -263,12 +264,14 @@ extract_icmp6_fields(const struct sk_buff *skb, + if (icmph->icmp6_type & ICMPV6_INFOMSG_MASK) + return 1; + +- inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph), sizeof(_inside_iph), &_inside_iph); ++ inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph), ++ sizeof(*ipv6_var), ipv6_var); + if (inside_iph == NULL) + return 1; + inside_nexthdr = inside_iph->nexthdr; + +- inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) + sizeof(_inside_iph), ++ inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) + ++ sizeof(*ipv6_var), + &inside_nexthdr, &inside_fragoff); + if (inside_hdrlen < 0) + return 1; /* hjm: Packet has no/incomplete transport layer headers. */ +@@ -315,10 +318,10 @@ xt_socket_get_sock_v6(struct net *net, const u8 protocol, + static bool + socket_mt6_v1_v2(const struct sk_buff *skb, struct xt_action_param *par) + { +- struct ipv6hdr *iph = ipv6_hdr(skb); ++ struct ipv6hdr ipv6_var, *iph = ipv6_hdr(skb); + struct udphdr _hdr, *hp = NULL; + struct sock *sk = skb->sk; +- struct in6_addr *daddr = NULL, *saddr = NULL; ++ const struct in6_addr *daddr = NULL, *saddr = NULL; + __be16 uninitialized_var(dport), uninitialized_var(sport); + int thoff = 0, uninitialized_var(tproto); + const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo; +@@ -342,7 +345,7 @@ socket_mt6_v1_v2(const struct sk_buff *skb, struct xt_action_param *par) + + } else if (tproto == IPPROTO_ICMPV6) { + if (extract_icmp6_fields(skb, thoff, &tproto, &saddr, &daddr, +- &sport, &dport)) ++ &sport, &dport, &ipv6_var)) + return false; + } else { + return false; +diff --git a/net/rds/iw_rdma.c b/net/rds/iw_rdma.c +index a817705..dba8d08 100644 +--- a/net/rds/iw_rdma.c ++++ b/net/rds/iw_rdma.c +@@ -88,7 +88,9 @@ static unsigned int rds_iw_unmap_fastreg_list(struct rds_iw_mr_pool *pool, + int *unpinned); + static void rds_iw_destroy_fastreg(struct rds_iw_mr_pool *pool, struct rds_iw_mr *ibmr); + +-static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwdev, struct rdma_cm_id **cm_id) ++static int rds_iw_get_device(struct sockaddr_in *src, struct sockaddr_in *dst, ++ struct rds_iw_device **rds_iwdev, ++ struct rdma_cm_id **cm_id) + { + struct rds_iw_device *iwdev; + struct rds_iw_cm_id *i_cm_id; +@@ -112,15 +114,15 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd + src_addr->sin_port, + dst_addr->sin_addr.s_addr, + dst_addr->sin_port, +- rs->rs_bound_addr, +- rs->rs_bound_port, +- rs->rs_conn_addr, +- rs->rs_conn_port); ++ src->sin_addr.s_addr, ++ src->sin_port, ++ dst->sin_addr.s_addr, ++ dst->sin_port); + #ifdef WORKING_TUPLE_DETECTION +- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr && +- src_addr->sin_port == rs->rs_bound_port && +- dst_addr->sin_addr.s_addr == rs->rs_conn_addr && +- dst_addr->sin_port == rs->rs_conn_port) { ++ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr && ++ src_addr->sin_port == src->sin_port && ++ dst_addr->sin_addr.s_addr == dst->sin_addr.s_addr && ++ dst_addr->sin_port == dst->sin_port) { + #else + /* FIXME - needs to compare the local and remote + * ipaddr/port tuple, but the ipaddr is the only +@@ -128,7 +130,7 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd + * zero'ed. It doesn't appear to be properly populated + * during connection setup... + */ +- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr) { ++ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr) { + #endif + spin_unlock_irq(&iwdev->spinlock); + *rds_iwdev = iwdev; +@@ -180,19 +182,13 @@ int rds_iw_update_cm_id(struct rds_iw_device *rds_iwdev, struct rdma_cm_id *cm_i + { + struct sockaddr_in *src_addr, *dst_addr; + struct rds_iw_device *rds_iwdev_old; +- struct rds_sock rs; + struct rdma_cm_id *pcm_id; + int rc; + + src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr; + dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr; + +- rs.rs_bound_addr = src_addr->sin_addr.s_addr; +- rs.rs_bound_port = src_addr->sin_port; +- rs.rs_conn_addr = dst_addr->sin_addr.s_addr; +- rs.rs_conn_port = dst_addr->sin_port; +- +- rc = rds_iw_get_device(&rs, &rds_iwdev_old, &pcm_id); ++ rc = rds_iw_get_device(src_addr, dst_addr, &rds_iwdev_old, &pcm_id); + if (rc) + rds_iw_remove_cm_id(rds_iwdev, cm_id); + +@@ -598,9 +594,17 @@ void *rds_iw_get_mr(struct scatterlist *sg, unsigned long nents, + struct rds_iw_device *rds_iwdev; + struct rds_iw_mr *ibmr = NULL; + struct rdma_cm_id *cm_id; ++ struct sockaddr_in src = { ++ .sin_addr.s_addr = rs->rs_bound_addr, ++ .sin_port = rs->rs_bound_port, ++ }; ++ struct sockaddr_in dst = { ++ .sin_addr.s_addr = rs->rs_conn_addr, ++ .sin_port = rs->rs_conn_port, ++ }; + int ret; + +- ret = rds_iw_get_device(rs, &rds_iwdev, &cm_id); ++ ret = rds_iw_get_device(&src, &dst, &rds_iwdev, &cm_id); + if (ret || !cm_id) { + ret = -ENODEV; + goto out; +diff --git a/net/rxrpc/ar-recvmsg.c b/net/rxrpc/ar-recvmsg.c +index 4575485..19a5606 100644 +--- a/net/rxrpc/ar-recvmsg.c ++++ b/net/rxrpc/ar-recvmsg.c +@@ -87,7 +87,7 @@ int rxrpc_recvmsg(struct kiocb *iocb, struct socket *sock, + if (!skb) { + /* nothing remains on the queue */ + if (copied && +- (msg->msg_flags & MSG_PEEK || timeo == 0)) ++ (flags & MSG_PEEK || timeo == 0)) + goto out; + + /* wait for a message to turn up */ +diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c +index 09487af..95fdf4e 100644 +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -78,8 +78,11 @@ struct tc_u_hnode { + struct tc_u_common *tp_c; + int refcnt; + unsigned int divisor; +- struct tc_u_knode __rcu *ht[1]; + struct rcu_head rcu; ++ /* The 'ht' field MUST be the last field in structure to allow for ++ * more entries allocated at end of structure. ++ */ ++ struct tc_u_knode __rcu *ht[1]; + }; + + struct tc_u_common { +diff --git a/net/socket.c b/net/socket.c +index 418795c..d50e7ca 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -1765,6 +1765,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len, + + if (len > INT_MAX) + len = INT_MAX; ++ if (unlikely(!access_ok(VERIFY_READ, buff, len))) ++ return -EFAULT; + sock = sockfd_lookup_light(fd, &err, &fput_needed); + if (!sock) + goto out; +@@ -1823,6 +1825,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, + + if (size > INT_MAX) + size = INT_MAX; ++ if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size))) ++ return -EFAULT; + sock = sockfd_lookup_light(fd, &err, &fput_needed); + if (!sock) + goto out; +diff --git a/sound/core/control.c b/sound/core/control.c +index bb96a46..23b018b 100644 +--- a/sound/core/control.c ++++ b/sound/core/control.c +@@ -1168,6 +1168,10 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file, + + if (info->count < 1) + return -EINVAL; ++ if (!*info->id.name) ++ return -EINVAL; ++ if (strnlen(info->id.name, sizeof(info->id.name)) >= sizeof(info->id.name)) ++ return -EINVAL; + access = info->access == 0 ? SNDRV_CTL_ELEM_ACCESS_READWRITE : + (info->access & (SNDRV_CTL_ELEM_ACCESS_READWRITE| + SNDRV_CTL_ELEM_ACCESS_INACTIVE| +diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c +index c2aa3cd..a9536bb 100644 +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -1160,7 +1160,7 @@ static unsigned int azx_rirb_get_response(struct hda_bus *bus, + } + } + +- if (!bus->no_response_fallback) ++ if (bus->no_response_fallback) + return -1; + + if (!chip->polling_mode && chip->poll_count < 2) { +diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c +index b680b4e..8ec5289 100644 +--- a/sound/pci/hda/hda_generic.c ++++ b/sound/pci/hda/hda_generic.c +@@ -687,12 +687,45 @@ static int get_amp_val_to_activate(struct hda_codec *codec, hda_nid_t nid, + return val; + } + ++/* is this a stereo widget or a stereo-to-mono mix? */ ++static bool is_stereo_amps(struct hda_codec *codec, hda_nid_t nid, int dir) ++{ ++ unsigned int wcaps = get_wcaps(codec, nid); ++ hda_nid_t conn; ++ ++ if (wcaps & AC_WCAP_STEREO) ++ return true; ++ if (dir != HDA_INPUT || get_wcaps_type(wcaps) != AC_WID_AUD_MIX) ++ return false; ++ if (snd_hda_get_num_conns(codec, nid) != 1) ++ return false; ++ if (snd_hda_get_connections(codec, nid, &conn, 1) < 0) ++ return false; ++ return !!(get_wcaps(codec, conn) & AC_WCAP_STEREO); ++} ++ + /* initialize the amp value (only at the first time) */ + static void init_amp(struct hda_codec *codec, hda_nid_t nid, int dir, int idx) + { + unsigned int caps = query_amp_caps(codec, nid, dir); + int val = get_amp_val_to_activate(codec, nid, dir, caps, false); +- snd_hda_codec_amp_init_stereo(codec, nid, dir, idx, 0xff, val); ++ ++ if (is_stereo_amps(codec, nid, dir)) ++ snd_hda_codec_amp_init_stereo(codec, nid, dir, idx, 0xff, val); ++ else ++ snd_hda_codec_amp_init(codec, nid, 0, dir, idx, 0xff, val); ++} ++ ++/* update the amp, doing in stereo or mono depending on NID */ ++static int update_amp(struct hda_codec *codec, hda_nid_t nid, int dir, int idx, ++ unsigned int mask, unsigned int val) ++{ ++ if (is_stereo_amps(codec, nid, dir)) ++ return snd_hda_codec_amp_stereo(codec, nid, dir, idx, ++ mask, val); ++ else ++ return snd_hda_codec_amp_update(codec, nid, 0, dir, idx, ++ mask, val); + } + + /* calculate amp value mask we can modify; +@@ -732,7 +765,7 @@ static void activate_amp(struct hda_codec *codec, hda_nid_t nid, int dir, + return; + + val &= mask; +- snd_hda_codec_amp_stereo(codec, nid, dir, idx, mask, val); ++ update_amp(codec, nid, dir, idx, mask, val); + } + + static void activate_amp_out(struct hda_codec *codec, struct nid_path *path, +@@ -4424,13 +4457,11 @@ static void mute_all_mixer_nid(struct hda_codec *codec, hda_nid_t mix) + has_amp = nid_has_mute(codec, mix, HDA_INPUT); + for (i = 0; i < nums; i++) { + if (has_amp) +- snd_hda_codec_amp_stereo(codec, mix, +- HDA_INPUT, i, +- 0xff, HDA_AMP_MUTE); ++ update_amp(codec, mix, HDA_INPUT, i, ++ 0xff, HDA_AMP_MUTE); + else if (nid_has_volume(codec, conn[i], HDA_OUTPUT)) +- snd_hda_codec_amp_stereo(codec, conn[i], +- HDA_OUTPUT, 0, +- 0xff, HDA_AMP_MUTE); ++ update_amp(codec, conn[i], HDA_OUTPUT, 0, ++ 0xff, HDA_AMP_MUTE); + } + } + +diff --git a/sound/pci/hda/hda_proc.c b/sound/pci/hda/hda_proc.c +index ce5a6da..05e19f7 100644 +--- a/sound/pci/hda/hda_proc.c ++++ b/sound/pci/hda/hda_proc.c +@@ -134,13 +134,38 @@ static void print_amp_caps(struct snd_info_buffer *buffer, + (caps & AC_AMPCAP_MUTE) >> AC_AMPCAP_MUTE_SHIFT); + } + ++/* is this a stereo widget or a stereo-to-mono mix? */ ++static bool is_stereo_amps(struct hda_codec *codec, hda_nid_t nid, ++ int dir, unsigned int wcaps, int indices) ++{ ++ hda_nid_t conn; ++ ++ if (wcaps & AC_WCAP_STEREO) ++ return true; ++ /* check for a stereo-to-mono mix; it must be: ++ * only a single connection, only for input, and only a mixer widget ++ */ ++ if (indices != 1 || dir != HDA_INPUT || ++ get_wcaps_type(wcaps) != AC_WID_AUD_MIX) ++ return false; ++ ++ if (snd_hda_get_raw_connections(codec, nid, &conn, 1) < 0) ++ return false; ++ /* the connection source is a stereo? */ ++ wcaps = snd_hda_param_read(codec, conn, AC_PAR_AUDIO_WIDGET_CAP); ++ return !!(wcaps & AC_WCAP_STEREO); ++} ++ + static void print_amp_vals(struct snd_info_buffer *buffer, + struct hda_codec *codec, hda_nid_t nid, +- int dir, int stereo, int indices) ++ int dir, unsigned int wcaps, int indices) + { + unsigned int val; ++ bool stereo; + int i; + ++ stereo = is_stereo_amps(codec, nid, dir, wcaps, indices); ++ + dir = dir == HDA_OUTPUT ? AC_AMP_GET_OUTPUT : AC_AMP_GET_INPUT; + for (i = 0; i < indices; i++) { + snd_iprintf(buffer, " ["); +@@ -757,12 +782,10 @@ static void print_codec_info(struct snd_info_entry *entry, + (codec->single_adc_amp && + wid_type == AC_WID_AUD_IN)) + print_amp_vals(buffer, codec, nid, HDA_INPUT, +- wid_caps & AC_WCAP_STEREO, +- 1); ++ wid_caps, 1); + else + print_amp_vals(buffer, codec, nid, HDA_INPUT, +- wid_caps & AC_WCAP_STEREO, +- conn_len); ++ wid_caps, conn_len); + } + if (wid_caps & AC_WCAP_OUT_AMP) { + snd_iprintf(buffer, " Amp-Out caps: "); +@@ -771,11 +794,10 @@ static void print_codec_info(struct snd_info_entry *entry, + if (wid_type == AC_WID_PIN && + codec->pin_amp_workaround) + print_amp_vals(buffer, codec, nid, HDA_OUTPUT, +- wid_caps & AC_WCAP_STEREO, +- conn_len); ++ wid_caps, conn_len); + else + print_amp_vals(buffer, codec, nid, HDA_OUTPUT, +- wid_caps & AC_WCAP_STEREO, 1); ++ wid_caps, 1); + } + + switch (wid_type) { +diff --git a/sound/pci/hda/patch_cirrus.c b/sound/pci/hda/patch_cirrus.c +index 1589c9b..dd2b3d9 100644 +--- a/sound/pci/hda/patch_cirrus.c ++++ b/sound/pci/hda/patch_cirrus.c +@@ -393,6 +393,7 @@ static const struct snd_pci_quirk cs420x_fixup_tbl[] = { + SND_PCI_QUIRK(0x106b, 0x1c00, "MacBookPro 8,1", CS420X_MBP81), + SND_PCI_QUIRK(0x106b, 0x2000, "iMac 12,2", CS420X_IMAC27_122), + SND_PCI_QUIRK(0x106b, 0x2800, "MacBookPro 10,1", CS420X_MBP101), ++ SND_PCI_QUIRK(0x106b, 0x5600, "MacBookAir 5,2", CS420X_MBP81), + SND_PCI_QUIRK(0x106b, 0x5b00, "MacBookAir 4,2", CS420X_MBA42), + SND_PCI_QUIRK_VENDOR(0x106b, "Apple", CS420X_APPLE), + {} /* terminator */ +@@ -584,6 +585,7 @@ static int patch_cs420x(struct hda_codec *codec) + return -ENOMEM; + + spec->gen.automute_hook = cs_automute; ++ codec->single_adc_amp = 1; + + snd_hda_pick_fixup(codec, cs420x_models, cs420x_fixup_tbl, + cs420x_fixups); +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index fd3ed18..da67ea8 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -223,6 +223,7 @@ enum { + CXT_PINCFG_LENOVO_TP410, + CXT_PINCFG_LEMOTE_A1004, + CXT_PINCFG_LEMOTE_A1205, ++ CXT_PINCFG_COMPAQ_CQ60, + CXT_FIXUP_STEREO_DMIC, + CXT_FIXUP_INC_MIC_BOOST, + CXT_FIXUP_HEADPHONE_MIC_PIN, +@@ -660,6 +661,15 @@ static const struct hda_fixup cxt_fixups[] = { + .type = HDA_FIXUP_PINS, + .v.pins = cxt_pincfg_lemote, + }, ++ [CXT_PINCFG_COMPAQ_CQ60] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ /* 0x17 was falsely set up as a mic, it should 0x1d */ ++ { 0x17, 0x400001f0 }, ++ { 0x1d, 0x97a70120 }, ++ { } ++ } ++ }, + [CXT_FIXUP_STEREO_DMIC] = { + .type = HDA_FIXUP_FUNC, + .v.func = cxt_fixup_stereo_dmic, +@@ -769,6 +779,7 @@ static const struct hda_model_fixup cxt5047_fixup_models[] = { + }; + + static const struct snd_pci_quirk cxt5051_fixups[] = { ++ SND_PCI_QUIRK(0x103c, 0x360b, "Compaq CQ60", CXT_PINCFG_COMPAQ_CQ60), + SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo X200", CXT_PINCFG_LENOVO_X200), + {} + }; +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h +index 0a598af..e61c167 100644 +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -1773,6 +1773,36 @@ YAMAHA_DEVICE(0x7010, "UB99"), + } + } + }, ++{ ++ USB_DEVICE(0x0582, 0x0159), ++ .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) { ++ /* .vendor_name = "Roland", */ ++ /* .product_name = "UA-22", */ ++ .ifnum = QUIRK_ANY_INTERFACE, ++ .type = QUIRK_COMPOSITE, ++ .data = (const struct snd_usb_audio_quirk[]) { ++ { ++ .ifnum = 0, ++ .type = QUIRK_AUDIO_STANDARD_INTERFACE ++ }, ++ { ++ .ifnum = 1, ++ .type = QUIRK_AUDIO_STANDARD_INTERFACE ++ }, ++ { ++ .ifnum = 2, ++ .type = QUIRK_MIDI_FIXED_ENDPOINT, ++ .data = & (const struct snd_usb_midi_endpoint_info) { ++ .out_cables = 0x0001, ++ .in_cables = 0x0001 ++ } ++ }, ++ { ++ .ifnum = -1 ++ } ++ } ++ } ++}, + /* this catches most recent vendor-specific Roland devices */ + { + .match_flags = USB_DEVICE_ID_MATCH_VENDOR | +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index 1cc6e2e..ec83b11 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2416,6 +2416,7 @@ static long kvm_vm_ioctl_check_extension_generic(struct kvm *kvm, long arg) + case KVM_CAP_SIGNAL_MSI: + #endif + #ifdef CONFIG_HAVE_KVM_IRQFD ++ case KVM_CAP_IRQFD: + case KVM_CAP_IRQFD_RESAMPLE: + #endif + case KVM_CAP_CHECK_EXTENSION_VM: diff --git a/3.19.2/4420_grsecurity-3.1-3.19.2-201503251807.patch b/3.19.3/4420_grsecurity-3.1-3.19.3-201503270049.patch index e0eac06..237bab8 100644 --- a/3.19.2/4420_grsecurity-3.1-3.19.2-201503251807.patch +++ b/3.19.3/4420_grsecurity-3.1-3.19.3-201503270049.patch @@ -370,7 +370,7 @@ index 176d4fe..17ceefa 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index e49665a..7c65470 100644 +index 713bf26..9ceae96 100644 --- a/Makefile +++ b/Makefile @@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -10563,7 +10563,7 @@ index 50e7b62..79fae35 100644 } while (++count < 16); printk("\n"); diff --git a/arch/sparc/kernel/process_64.c b/arch/sparc/kernel/process_64.c -index 0be7bf9..2b1cba8 100644 +index 46a5964..a35c62c 100644 --- a/arch/sparc/kernel/process_64.c +++ b/arch/sparc/kernel/process_64.c @@ -161,7 +161,7 @@ static void show_regwindow(struct pt_regs *regs) @@ -10708,7 +10708,7 @@ index 646988d..b88905f 100644 info.flags = 0; info.length = len; diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c -index c85403d..6af95c9 100644 +index 30e7ddb..266a3b0 100644 --- a/arch/sparc/kernel/sys_sparc_64.c +++ b/arch/sparc/kernel/sys_sparc_64.c @@ -89,13 +89,14 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi @@ -16906,7 +16906,7 @@ index 1c7eefe..d0e4702 100644 }; diff --git a/arch/x86/include/asm/fpu-internal.h b/arch/x86/include/asm/fpu-internal.h -index e97622f..d0ba77a 100644 +index f895358..800c60d 100644 --- a/arch/x86/include/asm/fpu-internal.h +++ b/arch/x86/include/asm/fpu-internal.h @@ -124,8 +124,11 @@ static inline void sanitize_i387_state(struct task_struct *tsk) @@ -27881,7 +27881,7 @@ index 1c113db..287b42e 100644 static int trace_irq_vector_refcount; static DEFINE_MUTEX(irq_vector_mutex); diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c -index 88900e2..aa4149d 100644 +index 89f4e64..aa4149d 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -68,7 +68,7 @@ @@ -27972,6 +27972,15 @@ index 88900e2..aa4149d 100644 #ifdef CONFIG_DOUBLEFAULT df_debug(regs, error_code); #endif +@@ -300,7 +317,7 @@ dotraplinkage void do_bounds(struct pt_regs *regs, long error_code) + goto exit; + conditional_sti(regs); + +- if (!user_mode_vm(regs)) ++ if (!user_mode(regs)) + die("bounds", regs, error_code); + + if (!cpu_feature_enabled(X86_FEATURE_MPX)) { @@ -379,7 +396,7 @@ do_general_protection(struct pt_regs *regs, long error_code) conditional_sti(regs); @@ -28044,6 +28053,15 @@ index 88900e2..aa4149d 100644 return new_stack; } NOKPROBE_SYMBOL(fixup_bad_iret); +@@ -566,7 +610,7 @@ dotraplinkage void do_debug(struct pt_regs *regs, long error_code) + * then it's very likely the result of an icebp/int01 trap. + * User wants a sigtrap for that. + */ +- if (!dr6 && user_mode_vm(regs)) ++ if (!dr6 && user_mode(regs)) + user_icebp = 1; + + /* Catch kmemcheck conditions first of all! */ @@ -602,7 +646,7 @@ dotraplinkage void do_debug(struct pt_regs *regs, long error_code) /* It's safe to allow irq's after DR6 has been saved */ preempt_conditional_sti(regs); @@ -28557,7 +28575,7 @@ index 234b072..b7ab191 100644 .read = native_io_apic_read, .write = native_io_apic_write, diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c -index 0de1fae..298d037 100644 +index 8be1e17..07dd990 100644 --- a/arch/x86/kernel/xsave.c +++ b/arch/x86/kernel/xsave.c @@ -167,18 +167,18 @@ static inline int save_xstate_epilog(void __user *buf, int ia32_frame) @@ -28659,7 +28677,7 @@ index 8a80737..bac4961 100644 out: diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index b24c2d8..e1e4e25 100644 +index b24c2d8..e1e4e259 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -3503,7 +3503,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) @@ -28891,7 +28909,7 @@ index d4c58d8..eaf2568 100644 vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index c259814..9a0345b 100644 +index 64d76c1..e20a4c1 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -1882,8 +1882,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) @@ -28905,7 +28923,7 @@ index c259814..9a0345b 100644 u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64 : kvm->arch.xen_hvm_config.blob_size_32; u32 page_num = data & ~PAGE_MASK; -@@ -2810,6 +2810,8 @@ long kvm_arch_dev_ioctl(struct file *filp, +@@ -2809,6 +2809,8 @@ long kvm_arch_dev_ioctl(struct file *filp, if (n < msr_list.nmsrs) goto out; r = -EFAULT; @@ -28914,7 +28932,7 @@ index c259814..9a0345b 100644 if (copy_to_user(user_msr_list->indices, &msrs_to_save, num_msrs_to_save * sizeof(u32))) goto out; -@@ -5746,7 +5748,7 @@ static struct notifier_block pvclock_gtod_notifier = { +@@ -5745,7 +5747,7 @@ static struct notifier_block pvclock_gtod_notifier = { }; #endif @@ -39068,10 +39086,10 @@ index 3a56a13..f8cbd25 100644 return 0; } diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c -index de03df9..0a309a9 100644 +index c3aac4c..88de09f9 100644 --- a/drivers/char/virtio_console.c +++ b/drivers/char/virtio_console.c -@@ -684,7 +684,7 @@ static ssize_t fill_readbuf(struct port *port, char __user *out_buf, +@@ -685,7 +685,7 @@ static ssize_t fill_readbuf(struct port *port, char __user *out_buf, if (to_user) { ssize_t ret; @@ -39080,7 +39098,7 @@ index de03df9..0a309a9 100644 if (ret) return -EFAULT; } else { -@@ -788,7 +788,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf, +@@ -789,7 +789,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf, if (!port_has_data(port) && !port->host_connected) return 0; @@ -40204,10 +40222,10 @@ index 568aa2b..d1204d8 100644 /* * Prepare the mapping since the irqchip shall be orthogonal to diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c -index 5213da4..7ef736e 100644 +index 29168fa..c9baec6 100644 --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c -@@ -3961,7 +3961,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev, +@@ -3964,7 +3964,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev, goto done; } @@ -40522,7 +40540,7 @@ index 176de63..1ef9ac7 100644 return ret; diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index 30d4eb3..92f2dc8 100644 +index c10b52e..e5e27ff 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c @@ -12935,13 +12935,13 @@ struct intel_quirk { @@ -46945,32 +46963,10 @@ index 98d73aa..63ef9da 100644 Say Y here if you want to support for Freescale FlexCAN. diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c -index 847c1f8..3bed607 100644 +index 62ca0e8..3bed607 100644 --- a/drivers/net/can/dev.c +++ b/drivers/net/can/dev.c -@@ -578,6 +578,10 @@ struct sk_buff *alloc_can_skb(struct net_device *dev, struct can_frame **cf) - skb->pkt_type = PACKET_BROADCAST; - skb->ip_summed = CHECKSUM_UNNECESSARY; - -+ skb_reset_mac_header(skb); -+ skb_reset_network_header(skb); -+ skb_reset_transport_header(skb); -+ - can_skb_reserve(skb); - can_skb_prv(skb)->ifindex = dev->ifindex; - -@@ -602,6 +606,10 @@ struct sk_buff *alloc_canfd_skb(struct net_device *dev, - skb->pkt_type = PACKET_BROADCAST; - skb->ip_summed = CHECKSUM_UNNECESSARY; - -+ skb_reset_mac_header(skb); -+ skb_reset_network_header(skb); -+ skb_reset_transport_header(skb); -+ - can_skb_reserve(skb); - can_skb_prv(skb)->ifindex = dev->ifindex; - -@@ -950,7 +958,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev, +@@ -958,7 +958,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev, return -EOPNOTSUPP; } @@ -48472,7 +48468,7 @@ index a2515887..6d13233 100644 /* we will have to manufacture ethernet headers, prepare template */ diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c -index 059fdf1..7543217 100644 +index 0ad6c0c..4013638 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -48,7 +48,7 @@ module_param(gso, bool, 0444); @@ -49766,10 +49762,10 @@ index fd60806..ab6c565 100644 kfree(msi_dev_attr); ++count; diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index aa012fb..63fac5d 100644 +index 312f23a..d21181c 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c -@@ -1139,7 +1139,7 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine) +@@ -1140,7 +1140,7 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine) { /* allocate attribute structure, piggyback attribute name */ int name_len = write_combine ? 13 : 10; @@ -49778,7 +49774,7 @@ index aa012fb..63fac5d 100644 int retval; res_attr = kzalloc(sizeof(*res_attr) + name_len, GFP_ATOMIC); -@@ -1316,7 +1316,7 @@ static struct device_attribute reset_attr = __ATTR(reset, 0200, NULL, reset_stor +@@ -1317,7 +1317,7 @@ static struct device_attribute reset_attr = __ATTR(reset, 0200, NULL, reset_stor static int pci_create_capabilities_sysfs(struct pci_dev *dev) { int retval; @@ -49787,7 +49783,7 @@ index aa012fb..63fac5d 100644 /* If the device has VPD, try to expose it in sysfs. */ if (dev->vpd) { -@@ -1363,7 +1363,7 @@ int __must_check pci_create_sysfs_dev_files(struct pci_dev *pdev) +@@ -1364,7 +1364,7 @@ int __must_check pci_create_sysfs_dev_files(struct pci_dev *pdev) { int retval; int rom_size = 0; @@ -50422,10 +50418,10 @@ index 302e626..12579af 100644 da->attr.name = info->pin_config[i].name; da->attr.mode = 0644; diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c -index 9c48fb3..5b494fa 100644 +index a5761d0..a2a4540 100644 --- a/drivers/regulator/core.c +++ b/drivers/regulator/core.c -@@ -3587,7 +3587,7 @@ regulator_register(const struct regulator_desc *regulator_desc, +@@ -3591,7 +3591,7 @@ regulator_register(const struct regulator_desc *regulator_desc, { const struct regulation_constraints *constraints = NULL; const struct regulator_init_data *init_data; @@ -50434,7 +50430,7 @@ index 9c48fb3..5b494fa 100644 struct regulator_dev *rdev; struct device *dev; int ret, i; -@@ -3661,7 +3661,7 @@ regulator_register(const struct regulator_desc *regulator_desc, +@@ -3665,7 +3665,7 @@ regulator_register(const struct regulator_desc *regulator_desc, rdev->dev.class = ®ulator_class; rdev->dev.parent = dev; dev_set_name(&rdev->dev, "regulator.%d", @@ -52271,7 +52267,7 @@ index 9512af6..045bf5a 100644 login->tgt_agt = sbp_target_agent_register(login); if (IS_ERR(login->tgt_agt)) { diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c -index 58f49ff..2669604 100644 +index 54da2a4..3dd6f57 100644 --- a/drivers/target/target_core_device.c +++ b/drivers/target/target_core_device.c @@ -1469,7 +1469,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name) @@ -52284,7 +52280,7 @@ index 58f49ff..2669604 100644 spin_lock_init(&dev->t10_wwn.t10_vpd_lock); INIT_LIST_HEAD(&dev->t10_pr.registration_list); diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c -index 0adc0f6..7757bfe 100644 +index ac3cbab..f0d1dd2 100644 --- a/drivers/target/target_core_transport.c +++ b/drivers/target/target_core_transport.c @@ -1168,7 +1168,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd) @@ -63367,7 +63363,7 @@ index 28d0c7a..04816b7 100644 cuse_class = class_create(THIS_MODULE, "cuse"); if (IS_ERR(cuse_class)) diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c -index ed19a7d..91e9a4c 100644 +index 71c4619..6a9f6d4 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -1394,7 +1394,7 @@ static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos, @@ -66729,7 +66725,7 @@ index 510413eb..34d9a8c 100644 seq_printf(p, "softirq %llu", (unsigned long long)sum_softirq); diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index 88f9b83..314064c 100644 +index f86e549..3a88fcd 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -13,12 +13,19 @@ @@ -66895,7 +66891,7 @@ index 88f9b83..314064c 100644 mss.resident >> 10, (unsigned long)(mss.pss >> (10 + PSS_SHIFT)), mss.shared_clean >> 10, -@@ -1486,6 +1536,13 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid) +@@ -1489,6 +1539,13 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid) char buffer[64]; int nid; @@ -66909,7 +66905,7 @@ index 88f9b83..314064c 100644 if (!mm) return 0; -@@ -1507,11 +1564,15 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid) +@@ -1510,11 +1567,15 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid) mpol_to_str(buffer, sizeof(buffer), proc_priv->task_mempolicy); } @@ -89592,7 +89588,7 @@ index 9a8a01a..3c35dd6 100644 /* Don't allow clients that don't understand the native diff --git a/kernel/kmod.c b/kernel/kmod.c -index 2777f40..6cf5e70 100644 +index 2777f40..a26e825 100644 --- a/kernel/kmod.c +++ b/kernel/kmod.c @@ -68,7 +68,7 @@ static void free_modprobe_argv(struct subprocess_info *info) @@ -89729,7 +89725,7 @@ index 2777f40..6cf5e70 100644 if (info->cleanup) (*info->cleanup)(info); kfree(info); -@@ -232,6 +289,20 @@ static int ____call_usermodehelper(void *data) +@@ -232,6 +289,21 @@ static int ____call_usermodehelper(void *data) */ set_user_nice(current, 0); @@ -89740,6 +89736,7 @@ index 2777f40..6cf5e70 100644 + */ + if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) && + strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) && ++ strncmp(sub_info->path, "/usr/libexec/", 13) && + strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) { + printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of /sbin and system library paths\n", sub_info->path); + retval = -EPERM; @@ -89750,7 +89747,7 @@ index 2777f40..6cf5e70 100644 retval = -ENOMEM; new = prepare_kernel_cred(current); if (!new) -@@ -254,8 +325,8 @@ static int ____call_usermodehelper(void *data) +@@ -254,8 +326,8 @@ static int ____call_usermodehelper(void *data) commit_creds(new); retval = do_execve(getname_kernel(sub_info->path), @@ -89761,7 +89758,7 @@ index 2777f40..6cf5e70 100644 out: sub_info->retval = retval; /* wait_for_helper() will call umh_complete if UHM_WAIT_PROC. */ -@@ -288,7 +359,7 @@ static int wait_for_helper(void *data) +@@ -288,7 +360,7 @@ static int wait_for_helper(void *data) * * Thus the __user pointer cast is valid here. */ @@ -89770,7 +89767,7 @@ index 2777f40..6cf5e70 100644 /* * If ret is 0, either ____call_usermodehelper failed and the -@@ -510,7 +581,12 @@ struct subprocess_info *call_usermodehelper_setup(char *path, char **argv, +@@ -510,7 +582,12 @@ struct subprocess_info *call_usermodehelper_setup(char *path, char **argv, goto out; INIT_WORK(&sub_info->work, __call_usermodehelper); @@ -89783,7 +89780,7 @@ index 2777f40..6cf5e70 100644 sub_info->argv = argv; sub_info->envp = envp; -@@ -612,7 +688,7 @@ EXPORT_SYMBOL(call_usermodehelper); +@@ -612,7 +689,7 @@ EXPORT_SYMBOL(call_usermodehelper); static int proc_cap_handler(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -91280,21 +91277,8 @@ index 5a6ec86..3a8c884 100644 break; if (pm_wakeup_pending()) { -diff --git a/kernel/printk/console_cmdline.h b/kernel/printk/console_cmdline.h -index cbd69d8..2ca4a8b 100644 ---- a/kernel/printk/console_cmdline.h -+++ b/kernel/printk/console_cmdline.h -@@ -3,7 +3,7 @@ - - struct console_cmdline - { -- char name[8]; /* Name of the driver */ -+ char name[16]; /* Name of the driver */ - int index; /* Minor dev. to use */ - char *options; /* Options for the driver */ - #ifdef CONFIG_A11Y_BRAILLE_CONSOLE diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c -index fae29e3..7df1786 100644 +index 2cdd353..7df1786 100644 --- a/kernel/printk/printk.c +++ b/kernel/printk/printk.c @@ -486,6 +486,11 @@ int check_syslog_permissions(int type, bool from_file) @@ -91309,14 +91293,6 @@ index fae29e3..7df1786 100644 if (syslog_action_restricted(type)) { if (capable(CAP_SYSLOG)) return 0; -@@ -2464,6 +2469,7 @@ void register_console(struct console *newcon) - for (i = 0, c = console_cmdline; - i < MAX_CMDLINECONSOLES && c->name[0]; - i++, c++) { -+ BUILD_BUG_ON(sizeof(c->name) != sizeof(newcon->name)); - if (strcmp(c->name, newcon->name) != 0) - continue; - if (newcon->index >= 0 && diff --git a/kernel/profile.c b/kernel/profile.c index 54bf5ba..df6e0a2 100644 --- a/kernel/profile.c @@ -93815,10 +93791,10 @@ index 483cecf..ac46091 100644 ret = -EIO; diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c -index 224e768..8303c84 100644 +index af5bffd..57664b8 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c -@@ -2372,12 +2372,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec) +@@ -2382,12 +2382,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec) if (unlikely(ftrace_disabled)) return 0; @@ -93838,7 +93814,7 @@ index 224e768..8303c84 100644 } /* -@@ -4754,8 +4759,10 @@ static int ftrace_process_locs(struct module *mod, +@@ -4776,8 +4781,10 @@ static int ftrace_process_locs(struct module *mod, if (!count) return 0; @@ -93849,7 +93825,7 @@ index 224e768..8303c84 100644 start_pg = ftrace_allocate_pages(count); if (!start_pg) -@@ -5633,7 +5640,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list) +@@ -5653,7 +5660,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list) if (t->ret_stack == NULL) { atomic_set(&t->tracing_graph_pause, 0); @@ -93858,7 +93834,7 @@ index 224e768..8303c84 100644 t->curr_ret_stack = -1; /* Make sure the tasks see the -1 first: */ smp_wmb(); -@@ -5856,7 +5863,7 @@ static void +@@ -5876,7 +5883,7 @@ static void graph_init_task(struct task_struct *t, struct ftrace_ret_stack *ret_stack) { atomic_set(&t->tracing_graph_pause, 0); @@ -94418,10 +94394,10 @@ index 70bf118..4be3c37 100644 .thread_should_run = watchdog_should_run, .thread_fn = watchdog, diff --git a/kernel/workqueue.c b/kernel/workqueue.c -index beeeac9..65cbfb3 100644 +index 82d0c8d..37f4222 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c -@@ -4517,7 +4517,7 @@ static void rebind_workers(struct worker_pool *pool) +@@ -4565,7 +4565,7 @@ static void rebind_workers(struct worker_pool *pool) WARN_ON_ONCE(!(worker_flags & WORKER_UNBOUND)); worker_flags |= WORKER_REBOUND; worker_flags &= ~WORKER_UNBOUND; @@ -95305,6 +95281,18 @@ index 1d1ae6b..0f05885 100644 select PROC_PAGE_MONITOR config NOMMU_INITIAL_TRIM_EXCESS +diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug +index 957d3da..1d34e20 100644 +--- a/mm/Kconfig.debug ++++ b/mm/Kconfig.debug +@@ -10,6 +10,7 @@ config PAGE_EXTENSION + config DEBUG_PAGEALLOC + bool "Debug page memory allocations" + depends on DEBUG_KERNEL ++ depends on !PAX_MEMORY_SANITIZE + depends on !HIBERNATION || ARCH_SUPPORTS_DEBUG_PAGEALLOC && !PPC && !SPARC + depends on !KMEMCHECK + select PAGE_EXTENSION diff --git a/mm/backing-dev.c b/mm/backing-dev.c index 0ae0df5..82ac56b 100644 --- a/mm/backing-dev.c @@ -101088,20 +101076,10 @@ index 67a4a36..8d28068 100644 .priv_size = sizeof(struct chnl_net), .setup = ipcaif_net_setup, diff --git a/net/can/af_can.c b/net/can/af_can.c -index 66e0804..93bcf05 100644 +index 32d710e..93bcf05 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c -@@ -259,6 +259,9 @@ int can_send(struct sk_buff *skb, int loop) - goto inval_skb; - } - -+ skb->ip_summed = CHECKSUM_UNNECESSARY; -+ -+ skb_reset_mac_header(skb); - skb_reset_network_header(skb); - skb_reset_transport_header(skb); - -@@ -881,7 +884,7 @@ static const struct net_proto_family can_family_ops = { +@@ -884,7 +884,7 @@ static const struct net_proto_family can_family_ops = { }; /* notifier block for netdevice event */ @@ -101190,10 +101168,10 @@ index 33a2f20..371bd09 100644 switch (ss->ss_family) { diff --git a/net/compat.c b/net/compat.c -index 94d3d5e..2bd2649 100644 +index f7bd286..76ea56a 100644 --- a/net/compat.c +++ b/net/compat.c -@@ -93,20 +93,20 @@ ssize_t get_compat_msghdr(struct msghdr *kmsg, +@@ -100,20 +100,20 @@ ssize_t get_compat_msghdr(struct msghdr *kmsg, #define CMSG_COMPAT_FIRSTHDR(msg) \ (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \ @@ -101217,7 +101195,7 @@ index 94d3d5e..2bd2649 100644 msg->msg_controllen) return NULL; return (struct compat_cmsghdr __user *)ptr; -@@ -196,7 +196,7 @@ Efault: +@@ -203,7 +203,7 @@ Efault: int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *data) { @@ -101226,7 +101204,7 @@ index 94d3d5e..2bd2649 100644 struct compat_cmsghdr cmhdr; struct compat_timeval ctv; struct compat_timespec cts[3]; -@@ -252,7 +252,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat +@@ -259,7 +259,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm) { @@ -101235,7 +101213,7 @@ index 94d3d5e..2bd2649 100644 int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int); int fdnum = scm->fp->count; struct file **fp = scm->fp->fp; -@@ -340,7 +340,7 @@ static int do_set_sock_timeout(struct socket *sock, int level, +@@ -347,7 +347,7 @@ static int do_set_sock_timeout(struct socket *sock, int level, return -EFAULT; old_fs = get_fs(); set_fs(KERNEL_DS); @@ -101244,7 +101222,7 @@ index 94d3d5e..2bd2649 100644 set_fs(old_fs); return err; -@@ -401,7 +401,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname, +@@ -408,7 +408,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname, len = sizeof(ktime); old_fs = get_fs(); set_fs(KERNEL_DS); @@ -101253,7 +101231,7 @@ index 94d3d5e..2bd2649 100644 set_fs(old_fs); if (!err) { -@@ -544,7 +544,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, +@@ -551,7 +551,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, case MCAST_JOIN_GROUP: case MCAST_LEAVE_GROUP: { @@ -101262,7 +101240,7 @@ index 94d3d5e..2bd2649 100644 struct group_req __user *kgr = compat_alloc_user_space(sizeof(struct group_req)); u32 interface; -@@ -565,7 +565,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, +@@ -572,7 +572,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, case MCAST_BLOCK_SOURCE: case MCAST_UNBLOCK_SOURCE: { @@ -101271,7 +101249,7 @@ index 94d3d5e..2bd2649 100644 struct group_source_req __user *kgsr = compat_alloc_user_space( sizeof(struct group_source_req)); u32 interface; -@@ -586,7 +586,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, +@@ -593,7 +593,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, } case MCAST_MSFILTER: { @@ -101280,7 +101258,7 @@ index 94d3d5e..2bd2649 100644 struct group_filter __user *kgf; u32 interface, fmode, numsrc; -@@ -624,7 +624,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname, +@@ -631,7 +631,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname, char __user *optval, int __user *optlen, int (*getsockopt)(struct sock *, int, int, char __user *, int __user *)) { @@ -101289,7 +101267,7 @@ index 94d3d5e..2bd2649 100644 struct group_filter __user *kgf; int __user *koptlen; u32 interface, fmode, numsrc; -@@ -768,7 +768,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args) +@@ -775,7 +775,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args) if (call < SYS_SOCKET || call > SYS_SENDMMSG) return -EINVAL; @@ -101958,19 +101936,10 @@ index ad704c7..ca48aff 100644 } EXPORT_SYMBOL_GPL(sock_diag_unregister); diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c -index 31baba2..754e2e5 100644 +index bbb1d5a..754e2e5 100644 --- a/net/core/sysctl_net_core.c +++ b/net/core/sysctl_net_core.c -@@ -25,6 +25,8 @@ - static int zero = 0; - static int one = 1; - static int ushort_max = USHRT_MAX; -+static int min_sndbuf = SOCK_MIN_SNDBUF; -+static int min_rcvbuf = SOCK_MIN_RCVBUF; - - static int net_msg_warn; /* Unused, but still a sysctl */ - -@@ -34,7 +36,7 @@ static int rps_sock_flow_sysctl(struct ctl_table *table, int write, +@@ -36,7 +36,7 @@ static int rps_sock_flow_sysctl(struct ctl_table *table, int write, { unsigned int orig_size, size; int ret, i; @@ -101979,7 +101948,7 @@ index 31baba2..754e2e5 100644 .data = &size, .maxlen = sizeof(size), .mode = table->mode -@@ -202,7 +204,7 @@ static int set_default_qdisc(struct ctl_table *table, int write, +@@ -204,7 +204,7 @@ static int set_default_qdisc(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { char id[IFNAMSIZ]; @@ -101988,7 +101957,7 @@ index 31baba2..754e2e5 100644 .data = id, .maxlen = IFNAMSIZ, }; -@@ -220,7 +222,7 @@ static int set_default_qdisc(struct ctl_table *table, int write, +@@ -222,7 +222,7 @@ static int set_default_qdisc(struct ctl_table *table, int write, static int proc_do_rss_key(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -101997,43 +101966,7 @@ index 31baba2..754e2e5 100644 char buf[NETDEV_RSS_KEY_LEN * 3]; snprintf(buf, sizeof(buf), "%*phC", NETDEV_RSS_KEY_LEN, netdev_rss_key); -@@ -237,7 +239,7 @@ static struct ctl_table net_core_table[] = { - .maxlen = sizeof(int), - .mode = 0644, - .proc_handler = proc_dointvec_minmax, -- .extra1 = &one, -+ .extra1 = &min_sndbuf, - }, - { - .procname = "rmem_max", -@@ -245,7 +247,7 @@ static struct ctl_table net_core_table[] = { - .maxlen = sizeof(int), - .mode = 0644, - .proc_handler = proc_dointvec_minmax, -- .extra1 = &one, -+ .extra1 = &min_rcvbuf, - }, - { - .procname = "wmem_default", -@@ -253,7 +255,7 @@ static struct ctl_table net_core_table[] = { - .maxlen = sizeof(int), - .mode = 0644, - .proc_handler = proc_dointvec_minmax, -- .extra1 = &one, -+ .extra1 = &min_sndbuf, - }, - { - .procname = "rmem_default", -@@ -261,7 +263,7 @@ static struct ctl_table net_core_table[] = { - .maxlen = sizeof(int), - .mode = 0644, - .proc_handler = proc_dointvec_minmax, -- .extra1 = &one, -+ .extra1 = &min_rcvbuf, - }, - { - .procname = "dev_weight", -@@ -284,7 +286,7 @@ static struct ctl_table net_core_table[] = { +@@ -286,7 +286,7 @@ static struct ctl_table net_core_table[] = { .mode = 0444, .proc_handler = proc_do_rss_key, }, @@ -102042,7 +101975,7 @@ index 31baba2..754e2e5 100644 { .procname = "bpf_jit_enable", .data = &bpf_jit_enable, -@@ -400,13 +402,12 @@ static struct ctl_table netns_core_table[] = { +@@ -402,13 +402,12 @@ static struct ctl_table netns_core_table[] = { static __net_init int sysctl_core_net_init(struct net *net) { @@ -102058,7 +101991,7 @@ index 31baba2..754e2e5 100644 if (tbl == NULL) goto err_dup; -@@ -416,17 +417,16 @@ static __net_init int sysctl_core_net_init(struct net *net) +@@ -418,17 +417,16 @@ static __net_init int sysctl_core_net_init(struct net *net) if (net->user_ns != &init_user_ns) { tbl[0].procname = NULL; } @@ -102080,7 +102013,7 @@ index 31baba2..754e2e5 100644 err_dup: return -ENOMEM; } -@@ -441,7 +441,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net) +@@ -443,7 +441,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net) kfree(tbl); } @@ -102351,42 +102284,6 @@ index f99f41b..1879da9 100644 return nh->nh_saddr; } -diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c -index e34dccb..4eeba4e 100644 ---- a/net/ipv4/inet_diag.c -+++ b/net/ipv4/inet_diag.c -@@ -71,6 +71,20 @@ static inline void inet_diag_unlock_handler( - mutex_unlock(&inet_diag_table_mutex); - } - -+static size_t inet_sk_attr_size(void) -+{ -+ return nla_total_size(sizeof(struct tcp_info)) -+ + nla_total_size(1) /* INET_DIAG_SHUTDOWN */ -+ + nla_total_size(1) /* INET_DIAG_TOS */ -+ + nla_total_size(1) /* INET_DIAG_TCLASS */ -+ + nla_total_size(sizeof(struct inet_diag_meminfo)) -+ + nla_total_size(sizeof(struct inet_diag_msg)) -+ + nla_total_size(SK_MEMINFO_VARS * sizeof(u32)) -+ + nla_total_size(TCP_CA_NAME_MAX) -+ + nla_total_size(sizeof(struct tcpvegas_info)) -+ + 64; -+} -+ - int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk, - struct sk_buff *skb, struct inet_diag_req_v2 *req, - struct user_namespace *user_ns, -@@ -324,9 +338,7 @@ int inet_diag_dump_one_icsk(struct inet_hashinfo *hashinfo, struct sk_buff *in_s - if (err) - goto out; - -- rep = nlmsg_new(sizeof(struct inet_diag_msg) + -- sizeof(struct inet_diag_meminfo) + -- sizeof(struct tcp_info) + 64, GFP_KERNEL); -+ rep = nlmsg_new(inet_sk_attr_size(), GFP_KERNEL); - if (!rep) { - err = -ENOMEM; - goto out; diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c index 9111a4e..3576905 100644 --- a/net/ipv4/inet_hashtables.c @@ -104707,7 +104604,7 @@ index b87ca32..76c7799 100644 if (ipvs->sync_state & IP_VS_STATE_MASTER) ip_vs_sync_conn(net, cp, pkts); diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c -index b8295a4..17ff579 100644 +index fdcda8b..dbc1979 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c @@ -799,7 +799,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest, @@ -104800,7 +104697,7 @@ index 2229d2d..b32b785 100644 .procname = "lblcr_expiration", .data = NULL, diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c -index c47ffd7..d233a81 100644 +index d93ceeb..4556144 100644 --- a/net/netfilter/ipvs/ip_vs_sync.c +++ b/net/netfilter/ipvs/ip_vs_sync.c @@ -609,7 +609,7 @@ static void ip_vs_sync_conn_v0(struct net *net, struct ip_vs_conn *cp, @@ -104821,7 +104718,7 @@ index c47ffd7..d233a81 100644 else pkts = sysctl_sync_threshold(ipvs); goto sloop; -@@ -900,7 +900,7 @@ static void ip_vs_proc_conn(struct net *net, struct ip_vs_conn_param *param, +@@ -902,7 +902,7 @@ static void ip_vs_proc_conn(struct net *net, struct ip_vs_conn_param *param, if (opt) memcpy(&cp->in_seq, opt, sizeof(*opt)); @@ -105463,94 +105360,6 @@ index a91e1db..cf3053f 100644 #else ic->i_ack_next = 0; #endif -diff --git a/net/rds/iw_rdma.c b/net/rds/iw_rdma.c -index a817705..dba8d08 100644 ---- a/net/rds/iw_rdma.c -+++ b/net/rds/iw_rdma.c -@@ -88,7 +88,9 @@ static unsigned int rds_iw_unmap_fastreg_list(struct rds_iw_mr_pool *pool, - int *unpinned); - static void rds_iw_destroy_fastreg(struct rds_iw_mr_pool *pool, struct rds_iw_mr *ibmr); - --static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwdev, struct rdma_cm_id **cm_id) -+static int rds_iw_get_device(struct sockaddr_in *src, struct sockaddr_in *dst, -+ struct rds_iw_device **rds_iwdev, -+ struct rdma_cm_id **cm_id) - { - struct rds_iw_device *iwdev; - struct rds_iw_cm_id *i_cm_id; -@@ -112,15 +114,15 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd - src_addr->sin_port, - dst_addr->sin_addr.s_addr, - dst_addr->sin_port, -- rs->rs_bound_addr, -- rs->rs_bound_port, -- rs->rs_conn_addr, -- rs->rs_conn_port); -+ src->sin_addr.s_addr, -+ src->sin_port, -+ dst->sin_addr.s_addr, -+ dst->sin_port); - #ifdef WORKING_TUPLE_DETECTION -- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr && -- src_addr->sin_port == rs->rs_bound_port && -- dst_addr->sin_addr.s_addr == rs->rs_conn_addr && -- dst_addr->sin_port == rs->rs_conn_port) { -+ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr && -+ src_addr->sin_port == src->sin_port && -+ dst_addr->sin_addr.s_addr == dst->sin_addr.s_addr && -+ dst_addr->sin_port == dst->sin_port) { - #else - /* FIXME - needs to compare the local and remote - * ipaddr/port tuple, but the ipaddr is the only -@@ -128,7 +130,7 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd - * zero'ed. It doesn't appear to be properly populated - * during connection setup... - */ -- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr) { -+ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr) { - #endif - spin_unlock_irq(&iwdev->spinlock); - *rds_iwdev = iwdev; -@@ -180,19 +182,13 @@ int rds_iw_update_cm_id(struct rds_iw_device *rds_iwdev, struct rdma_cm_id *cm_i - { - struct sockaddr_in *src_addr, *dst_addr; - struct rds_iw_device *rds_iwdev_old; -- struct rds_sock rs; - struct rdma_cm_id *pcm_id; - int rc; - - src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr; - dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr; - -- rs.rs_bound_addr = src_addr->sin_addr.s_addr; -- rs.rs_bound_port = src_addr->sin_port; -- rs.rs_conn_addr = dst_addr->sin_addr.s_addr; -- rs.rs_conn_port = dst_addr->sin_port; -- -- rc = rds_iw_get_device(&rs, &rds_iwdev_old, &pcm_id); -+ rc = rds_iw_get_device(src_addr, dst_addr, &rds_iwdev_old, &pcm_id); - if (rc) - rds_iw_remove_cm_id(rds_iwdev, cm_id); - -@@ -598,9 +594,17 @@ void *rds_iw_get_mr(struct scatterlist *sg, unsigned long nents, - struct rds_iw_device *rds_iwdev; - struct rds_iw_mr *ibmr = NULL; - struct rdma_cm_id *cm_id; -+ struct sockaddr_in src = { -+ .sin_addr.s_addr = rs->rs_bound_addr, -+ .sin_port = rs->rs_bound_port, -+ }; -+ struct sockaddr_in dst = { -+ .sin_addr.s_addr = rs->rs_conn_addr, -+ .sin_port = rs->rs_conn_port, -+ }; - int ret; - -- ret = rds_iw_get_device(rs, &rds_iwdev, &cm_id); -+ ret = rds_iw_get_device(&src, &dst, &rds_iwdev, &cm_id); - if (ret || !cm_id) { - ret = -ENODEV; - goto out; diff --git a/net/rds/iw_recv.c b/net/rds/iw_recv.c index a66d179..cf1e258 100644 --- a/net/rds/iw_recv.c @@ -106118,7 +105927,7 @@ index 2e9ada1..40f425d 100644 table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL); diff --git a/net/socket.c b/net/socket.c -index 418795c..c33fa46 100644 +index d50e7ca..c33fa46 100644 --- a/net/socket.c +++ b/net/socket.c @@ -89,6 +89,7 @@ @@ -106292,16 +106101,7 @@ index 418795c..c33fa46 100644 SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len, unsigned int, flags, struct sockaddr __user *, addr, int, addr_len) -@@ -1765,6 +1830,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len, - - if (len > INT_MAX) - len = INT_MAX; -+ if (unlikely(!access_ok(VERIFY_READ, buff, len))) -+ return -EFAULT; - sock = sockfd_lookup_light(fd, &err, &fput_needed); - if (!sock) - goto out; -@@ -1817,12 +1884,14 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, +@@ -1819,7 +1884,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, struct socket *sock; struct iovec iov; struct msghdr msg; @@ -106310,14 +106110,7 @@ index 418795c..c33fa46 100644 int err, err2; int fput_needed; - if (size > INT_MAX) - size = INT_MAX; -+ if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size))) -+ return -EFAULT; - sock = sockfd_lookup_light(fd, &err, &fput_needed); - if (!sock) - goto out; -@@ -2065,7 +2134,7 @@ static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg, +@@ -2069,7 +2134,7 @@ static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg, * checking falls down on this. */ if (copy_from_user(ctl_buf, @@ -106326,7 +106119,7 @@ index 418795c..c33fa46 100644 ctl_len)) goto out_freectl; msg_sys->msg_control = ctl_buf; -@@ -2216,7 +2285,7 @@ static int ___sys_recvmsg(struct socket *sock, struct user_msghdr __user *msg, +@@ -2220,7 +2285,7 @@ static int ___sys_recvmsg(struct socket *sock, struct user_msghdr __user *msg, ssize_t err; /* kernel mode address */ @@ -106335,7 +106128,7 @@ index 418795c..c33fa46 100644 /* user mode address pointers */ struct sockaddr __user *uaddr; -@@ -2862,7 +2931,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) +@@ -2866,7 +2931,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) ifr = compat_alloc_user_space(buf_size); rxnfc = (void __user *)ifr + ALIGN(sizeof(struct ifreq), 8); @@ -106344,7 +106137,7 @@ index 418795c..c33fa46 100644 return -EFAULT; if (put_user(convert_in ? rxnfc : compat_ptr(data), -@@ -2973,7 +3042,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, +@@ -2977,7 +3042,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); err = dev_ioctl(net, cmd, @@ -106353,7 +106146,7 @@ index 418795c..c33fa46 100644 set_fs(old_fs); return err; -@@ -3066,7 +3135,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, +@@ -3070,7 +3135,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); @@ -106362,7 +106155,7 @@ index 418795c..c33fa46 100644 set_fs(old_fs); if (cmd == SIOCGIFMAP && !err) { -@@ -3150,7 +3219,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, +@@ -3154,7 +3219,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, ret |= get_user(rtdev, &(ur4->rt_dev)); if (rtdev) { ret |= copy_from_user(devname, compat_ptr(rtdev), 15); @@ -106371,7 +106164,7 @@ index 418795c..c33fa46 100644 devname[15] = 0; } else r4.rt_dev = NULL; -@@ -3377,8 +3446,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, +@@ -3381,8 +3446,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, int __user *uoptlen; int err; @@ -106382,7 +106175,7 @@ index 418795c..c33fa46 100644 set_fs(KERNEL_DS); if (level == SOL_SOCKET) -@@ -3398,7 +3467,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, +@@ -3402,7 +3467,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, char __user *uoptval; int err; @@ -116129,10 +115922,10 @@ index 0000000..b8e7188 +} diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data new file mode 100644 -index 0000000..d9762e1 +index 0000000..b125100 --- /dev/null +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data -@@ -0,0 +1,27710 @@ +@@ -0,0 +1,27713 @@ +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL nohasharray +iwl_set_tx_power_1 iwl_set_tx_power 0 1 &intel_fake_agp_alloc_by_type_1 +ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL @@ -117464,7 +117257,8 @@ index 0000000..d9762e1 +patch_via_hdmi_3183 patch_via_hdmi 0 3183 NULL +compat_do_ip6t_set_ctl_3184 compat_do_ip6t_set_ctl 4 3184 NULL +mempool_create_node_3191 mempool_create_node 1 3191 NULL -+alloc_context_3194 alloc_context 1 3194 NULL ++alloc_context_3194 alloc_context 1 3194 NULL nohasharray ++ep_aio_read_3194 ep_aio_read 3 3194 &alloc_context_3194 +dma_init_coherent_memory_3197 dma_init_coherent_memory 1-3 3197 NULL +shmem_pread_slow_3198 shmem_pread_slow 2-3 3198 NULL nohasharray +udp_sendpage_3198 udp_sendpage 4 3198 &shmem_pread_slow_3198 @@ -122227,6 +122021,7 @@ index 0000000..d9762e1 +sbp_tpg_show_enable_14341 sbp_tpg_show_enable 0 14341 NULL +reset_protection_store_14344 reset_protection_store 0-4 14344 NULL +p9_client_zc_rpc_14345 p9_client_zc_rpc 7 14345 NULL ++ep_aio_rwtail_14347 ep_aio_rwtail 6 14347 NULL +writepages_14348 writepages 0 14348 NULL +bnx2_request_uncached_firmware_14349 bnx2_request_uncached_firmware 0 14349 NULL nohasharray +alloc_tx_struct_14349 alloc_tx_struct 1 14349 &bnx2_request_uncached_firmware_14349 @@ -126893,7 +126688,7 @@ index 0000000..d9762e1 +viafb_check_var_25297 viafb_check_var 0 25297 NULL +patch_generic_hdmi_25299 patch_generic_hdmi 0 25299 NULL +usb6fire_pcm_stream_start_25305 usb6fire_pcm_stream_start 0 25305 NULL -+read8_reg_25307 read8_reg 4 25307 NULL ++read8_reg_25307 read8_reg 4-0 25307 NULL +firm_open_25313 firm_open 0 25313 NULL +cx25821_write_frame_25315 cx25821_write_frame 3-0 25315 NULL nohasharray +rtl8139_get_regs_len_25315 rtl8139_get_regs_len 0 25315 &cx25821_write_frame_25315 nohasharray @@ -128827,7 +128622,8 @@ index 0000000..d9762e1 +__dev_pm_qos_update_request_29863 __dev_pm_qos_update_request 0 29863 &set_eeprom1_29863 +acpi_device_modalias_show_29864 acpi_device_modalias_show 0 29864 NULL +xfs_rtfind_forw_29866 xfs_rtfind_forw 0 29866 NULL -+write_file_bool_bmps_29870 write_file_bool_bmps 3-0 29870 NULL ++write_file_bool_bmps_29870 write_file_bool_bmps 3-0 29870 NULL nohasharray ++extract_icmp6_fields_29870 extract_icmp6_fields 2 29870 &write_file_bool_bmps_29870 +ipv6_setsockopt_29871 ipv6_setsockopt 5-0 29871 NULL nohasharray +itd_submit_29871 itd_submit 0 29871 &ipv6_setsockopt_29871 +dma_map_xdr_29874 dma_map_xdr 0-3 29874 NULL @@ -147580,7 +147376,7 @@ index 0a578fe..b81f62d 100644 }) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index 1cc6e2e..85d2e86 100644 +index ec83b11..3941e06 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -78,12 +78,17 @@ LIST_HEAD(vm_list); @@ -147641,7 +147437,7 @@ index 1cc6e2e..85d2e86 100644 .release = kvm_vcpu_release, .unlocked_ioctl = kvm_vcpu_ioctl, #ifdef CONFIG_COMPAT -@@ -2647,7 +2660,7 @@ out: +@@ -2648,7 +2661,7 @@ out: } #endif @@ -147650,7 +147446,7 @@ index 1cc6e2e..85d2e86 100644 .release = kvm_vm_release, .unlocked_ioctl = kvm_vm_ioctl, #ifdef CONFIG_COMPAT -@@ -2718,7 +2731,7 @@ out: +@@ -2719,7 +2732,7 @@ out: return r; } @@ -147659,7 +147455,7 @@ index 1cc6e2e..85d2e86 100644 .unlocked_ioctl = kvm_dev_ioctl, .compat_ioctl = kvm_dev_ioctl, .llseek = noop_llseek, -@@ -2744,7 +2757,7 @@ static void hardware_enable_nolock(void *junk) +@@ -2745,7 +2758,7 @@ static void hardware_enable_nolock(void *junk) if (r) { cpumask_clear_cpu(cpu, cpus_hardware_enabled); @@ -147668,7 +147464,7 @@ index 1cc6e2e..85d2e86 100644 printk(KERN_INFO "kvm: enabling virtualization on " "CPU%d failed\n", cpu); } -@@ -2800,10 +2813,10 @@ static int hardware_enable_all(void) +@@ -2801,10 +2814,10 @@ static int hardware_enable_all(void) kvm_usage_count++; if (kvm_usage_count == 1) { @@ -147681,7 +147477,7 @@ index 1cc6e2e..85d2e86 100644 hardware_disable_all_nolock(); r = -EBUSY; } -@@ -3210,7 +3223,7 @@ static void kvm_sched_out(struct preempt_notifier *pn, +@@ -3211,7 +3224,7 @@ static void kvm_sched_out(struct preempt_notifier *pn, kvm_arch_vcpu_put(vcpu); } @@ -147690,7 +147486,7 @@ index 1cc6e2e..85d2e86 100644 struct module *module) { int r; -@@ -3257,7 +3270,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -3258,7 +3271,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, if (!vcpu_align) vcpu_align = __alignof__(struct kvm_vcpu); kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align, @@ -147699,7 +147495,7 @@ index 1cc6e2e..85d2e86 100644 if (!kvm_vcpu_cache) { r = -ENOMEM; goto out_free_3; -@@ -3267,9 +3280,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -3268,9 +3281,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, if (r) goto out_free; @@ -147711,7 +147507,7 @@ index 1cc6e2e..85d2e86 100644 r = misc_register(&kvm_dev); if (r) { -@@ -3279,9 +3294,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -3280,9 +3295,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, register_syscore_ops(&kvm_syscore_ops); diff --git a/3.19.2/4425_grsec_remove_EI_PAX.patch b/3.19.3/4425_grsec_remove_EI_PAX.patch index 86e242a..86e242a 100644 --- a/3.19.2/4425_grsec_remove_EI_PAX.patch +++ b/3.19.3/4425_grsec_remove_EI_PAX.patch diff --git a/3.19.2/4427_force_XATTR_PAX_tmpfs.patch b/3.19.3/4427_force_XATTR_PAX_tmpfs.patch index 22c9273..22c9273 100644 --- a/3.19.2/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.19.3/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.19.2/4430_grsec-remove-localversion-grsec.patch b/3.19.3/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.19.2/4430_grsec-remove-localversion-grsec.patch +++ b/3.19.3/4430_grsec-remove-localversion-grsec.patch diff --git a/3.19.2/4435_grsec-mute-warnings.patch b/3.19.3/4435_grsec-mute-warnings.patch index 0585e08..0585e08 100644 --- a/3.19.2/4435_grsec-mute-warnings.patch +++ b/3.19.3/4435_grsec-mute-warnings.patch diff --git a/3.19.2/4440_grsec-remove-protected-paths.patch b/3.19.3/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/3.19.2/4440_grsec-remove-protected-paths.patch +++ b/3.19.3/4440_grsec-remove-protected-paths.patch diff --git a/3.19.2/4450_grsec-kconfig-default-gids.patch b/3.19.3/4450_grsec-kconfig-default-gids.patch index 5c025da..5c025da 100644 --- a/3.19.2/4450_grsec-kconfig-default-gids.patch +++ b/3.19.3/4450_grsec-kconfig-default-gids.patch diff --git a/3.19.2/4465_selinux-avc_audit-log-curr_ip.patch b/3.19.3/4465_selinux-avc_audit-log-curr_ip.patch index ba89596..ba89596 100644 --- a/3.19.2/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.19.3/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.19.2/4470_disable-compat_vdso.patch b/3.19.3/4470_disable-compat_vdso.patch index 2192180..2192180 100644 --- a/3.19.2/4470_disable-compat_vdso.patch +++ b/3.19.3/4470_disable-compat_vdso.patch diff --git a/3.19.2/4475_emutramp_default_on.patch b/3.19.3/4475_emutramp_default_on.patch index ad4967a..ad4967a 100644 --- a/3.19.2/4475_emutramp_default_on.patch +++ b/3.19.3/4475_emutramp_default_on.patch |