diff options
| -rw-r--r-- | 3.14.41/0000_README | 2 | ||||
| -rw-r--r-- | 3.14.41/4420_grsecurity-3.1-3.14.41-201505101121.patch (renamed from 3.14.41/4420_grsecurity-3.1-3.14.41-201505091723.patch) | 39 | ||||
| -rw-r--r-- | 3.2.69/0000_README (renamed from 3.2.68/0000_README) | 6 | ||||
| -rw-r--r-- | 3.2.69/1021_linux-3.2.22.patch (renamed from 3.2.68/1021_linux-3.2.22.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1022_linux-3.2.23.patch (renamed from 3.2.68/1022_linux-3.2.23.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1023_linux-3.2.24.patch (renamed from 3.2.68/1023_linux-3.2.24.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1024_linux-3.2.25.patch (renamed from 3.2.68/1024_linux-3.2.25.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1025_linux-3.2.26.patch (renamed from 3.2.68/1025_linux-3.2.26.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1026_linux-3.2.27.patch (renamed from 3.2.68/1026_linux-3.2.27.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1027_linux-3.2.28.patch (renamed from 3.2.68/1027_linux-3.2.28.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1028_linux-3.2.29.patch (renamed from 3.2.68/1028_linux-3.2.29.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1029_linux-3.2.30.patch (renamed from 3.2.68/1029_linux-3.2.30.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1030_linux-3.2.31.patch (renamed from 3.2.68/1030_linux-3.2.31.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1031_linux-3.2.32.patch (renamed from 3.2.68/1031_linux-3.2.32.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1032_linux-3.2.33.patch (renamed from 3.2.68/1032_linux-3.2.33.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1033_linux-3.2.34.patch (renamed from 3.2.68/1033_linux-3.2.34.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1034_linux-3.2.35.patch (renamed from 3.2.68/1034_linux-3.2.35.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1035_linux-3.2.36.patch (renamed from 3.2.68/1035_linux-3.2.36.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1036_linux-3.2.37.patch (renamed from 3.2.68/1036_linux-3.2.37.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1037_linux-3.2.38.patch (renamed from 3.2.68/1037_linux-3.2.38.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1038_linux-3.2.39.patch (renamed from 3.2.68/1038_linux-3.2.39.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1039_linux-3.2.40.patch (renamed from 3.2.68/1039_linux-3.2.40.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1040_linux-3.2.41.patch (renamed from 3.2.68/1040_linux-3.2.41.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1041_linux-3.2.42.patch (renamed from 3.2.68/1041_linux-3.2.42.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1042_linux-3.2.43.patch (renamed from 3.2.68/1042_linux-3.2.43.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1043_linux-3.2.44.patch (renamed from 3.2.68/1043_linux-3.2.44.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1044_linux-3.2.45.patch (renamed from 3.2.68/1044_linux-3.2.45.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1045_linux-3.2.46.patch (renamed from 3.2.68/1045_linux-3.2.46.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1046_linux-3.2.47.patch (renamed from 3.2.68/1046_linux-3.2.47.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1047_linux-3.2.48.patch (renamed from 3.2.68/1047_linux-3.2.48.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1048_linux-3.2.49.patch (renamed from 3.2.68/1048_linux-3.2.49.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1049_linux-3.2.50.patch (renamed from 3.2.68/1049_linux-3.2.50.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1050_linux-3.2.51.patch (renamed from 3.2.68/1050_linux-3.2.51.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1051_linux-3.2.52.patch (renamed from 3.2.68/1051_linux-3.2.52.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1052_linux-3.2.53.patch (renamed from 3.2.68/1052_linux-3.2.53.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1053_linux-3.2.54.patch (renamed from 3.2.68/1053_linux-3.2.54.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1054_linux-3.2.55.patch (renamed from 3.2.68/1054_linux-3.2.55.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1055_linux-3.2.56.patch (renamed from 3.2.68/1055_linux-3.2.56.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1056_linux-3.2.57.patch (renamed from 3.2.68/1056_linux-3.2.57.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1057_linux-3.2.58.patch (renamed from 3.2.68/1057_linux-3.2.58.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1058_linux-3.2.59.patch (renamed from 3.2.68/1058_linux-3.2.59.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1059_linux-3.2.60.patch (renamed from 3.2.68/1059_linux-3.2.60.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1060_linux-3.2.61.patch (renamed from 3.2.68/1060_linux-3.2.61.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1061_linux-3.2.62.patch (renamed from 3.2.68/1061_linux-3.2.62.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1062_linux-3.2.63.patch (renamed from 3.2.68/1062_linux-3.2.63.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1063_linux-3.2.64.patch (renamed from 3.2.68/1063_linux-3.2.64.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1064_linux-3.2.65.patch (renamed from 3.2.68/1064_linux-3.2.65.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1065_linux-3.2.66.patch (renamed from 3.2.68/1065_linux-3.2.66.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1066_linux-3.2.67.patch (renamed from 3.2.68/1066_linux-3.2.67.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1067_linux-3.2.68.patch (renamed from 3.2.68/1067_linux-3.2.68.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/1068_linux-3.2.69.patch | 6606 | ||||
| -rw-r--r-- | 3.2.69/4420_grsecurity-3.1-3.2.69-201505101117.patch (renamed from 3.2.68/4420_grsecurity-3.1-3.2.68-201505091720.patch) | 1642 | ||||
| -rw-r--r-- | 3.2.69/4425_grsec_remove_EI_PAX.patch (renamed from 3.2.68/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.2.68/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/4430_grsec-remove-localversion-grsec.patch (renamed from 3.2.68/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/4435_grsec-mute-warnings.patch (renamed from 3.2.68/4435_grsec-mute-warnings.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/4440_grsec-remove-protected-paths.patch (renamed from 3.2.68/4440_grsec-remove-protected-paths.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/4450_grsec-kconfig-default-gids.patch (renamed from 3.2.68/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.2.68/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/4470_disable-compat_vdso.patch (renamed from 3.2.68/4470_disable-compat_vdso.patch) | 0 | ||||
| -rw-r--r-- | 3.2.69/4475_emutramp_default_on.patch (renamed from 3.2.68/4475_emutramp_default_on.patch) | 0 | ||||
| -rw-r--r-- | 4.0.2/0000_README | 2 | ||||
| -rw-r--r-- | 4.0.2/4420_grsecurity-3.1-4.0.2-201505101122.patch (renamed from 4.0.2/4420_grsecurity-3.1-4.0.2-201505091724.patch) | 39 |
63 files changed, 7087 insertions, 1249 deletions
diff --git a/3.14.41/0000_README b/3.14.41/0000_README index 77861d5..74f54d4 100644 --- a/3.14.41/0000_README +++ b/3.14.41/0000_README @@ -6,7 +6,7 @@ Patch: 1040_linux-3.14.41.patch From: http://www.kernel.org Desc: Linux 3.14.41 -Patch: 4420_grsecurity-3.1-3.14.41-201505091723.patch +Patch: 4420_grsecurity-3.1-3.14.41-201505101121.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.41/4420_grsecurity-3.1-3.14.41-201505091723.patch b/3.14.41/4420_grsecurity-3.1-3.14.41-201505101121.patch index 9842fc2..4c28919 100644 --- a/3.14.41/4420_grsecurity-3.1-3.14.41-201505091723.patch +++ b/3.14.41/4420_grsecurity-3.1-3.14.41-201505101121.patch @@ -49025,6 +49025,28 @@ index a2515887..6d13233 100644 dev->net->dev_addr[ETH_ALEN-1] = ifacenum; /* we will have to manufacture ethernet headers, prepare template */ +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index f9e96c4..6b1faeb 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1262,7 +1262,7 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb, + struct net_device *net) + { + struct usbnet *dev = netdev_priv(net); +- int length; ++ unsigned int length; + struct urb *urb = NULL; + struct skb_data *entry; + struct driver_info *info = dev->driver_info; +@@ -1378,7 +1378,7 @@ not_drop: + } + } else + netif_dbg(dev, tx_queued, dev->net, +- "> tx, len %d, type 0x%x\n", length, skb->protocol); ++ "> tx, len %u, type 0x%x\n", length, skb->protocol); + #ifdef CONFIG_PM + deferred: + #endif diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index 841b608..198a8b7 100644 --- a/drivers/net/virtio_net.c @@ -65590,7 +65612,7 @@ index ccb8000..ac58c5a 100644 out: return len; diff --git a/fs/namespace.c b/fs/namespace.c -index 039f380..4239636 100644 +index 039f380..66bad91 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1373,6 +1373,9 @@ static int do_umount(struct mount *mnt, int flags) @@ -65708,7 +65730,20 @@ index 039f380..4239636 100644 get_fs_root(current->fs, &root); old_mp = lock_mount(&old); error = PTR_ERR(old_mp); -@@ -3076,7 +3100,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns) +@@ -3025,6 +3049,12 @@ bool fs_fully_visible(struct file_system_type *type) + if (mnt->mnt.mnt_sb->s_type != type) + continue; + ++ /* This mount is not fully visible if it's root directory ++ * is not the root directory of the filesystem. ++ */ ++ if (mnt->mnt.mnt_root != mnt->mnt.mnt_sb->s_root) ++ continue; ++ + /* This mount is not fully visible if there are any child mounts + * that cover anything except for empty directories. + */ +@@ -3076,7 +3106,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns) !ns_capable(current_user_ns(), CAP_SYS_ADMIN)) return -EPERM; diff --git a/3.2.68/0000_README b/3.2.69/0000_README index fb78cb8..7967083 100644 --- a/3.2.68/0000_README +++ b/3.2.69/0000_README @@ -190,7 +190,11 @@ Patch: 1067_linux-3.2.68.patch From: http://www.kernel.org Desc: Linux 3.2.68 -Patch: 4420_grsecurity-3.1-3.2.68-201505091720.patch +Patch: 1068_linux-3.2.69.patch +From: http://www.kernel.org +Desc: Linux 3.2.69 + +Patch: 4420_grsecurity-3.1-3.2.69-201505101117.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.68/1021_linux-3.2.22.patch b/3.2.69/1021_linux-3.2.22.patch index e6ad93a..e6ad93a 100644 --- a/3.2.68/1021_linux-3.2.22.patch +++ b/3.2.69/1021_linux-3.2.22.patch diff --git a/3.2.68/1022_linux-3.2.23.patch b/3.2.69/1022_linux-3.2.23.patch index 3d796d0..3d796d0 100644 --- a/3.2.68/1022_linux-3.2.23.patch +++ b/3.2.69/1022_linux-3.2.23.patch diff --git a/3.2.68/1023_linux-3.2.24.patch b/3.2.69/1023_linux-3.2.24.patch index 4692eb4..4692eb4 100644 --- a/3.2.68/1023_linux-3.2.24.patch +++ b/3.2.69/1023_linux-3.2.24.patch diff --git a/3.2.68/1024_linux-3.2.25.patch b/3.2.69/1024_linux-3.2.25.patch index e95c213..e95c213 100644 --- a/3.2.68/1024_linux-3.2.25.patch +++ b/3.2.69/1024_linux-3.2.25.patch diff --git a/3.2.68/1025_linux-3.2.26.patch b/3.2.69/1025_linux-3.2.26.patch index 44065b9..44065b9 100644 --- a/3.2.68/1025_linux-3.2.26.patch +++ b/3.2.69/1025_linux-3.2.26.patch diff --git a/3.2.68/1026_linux-3.2.27.patch b/3.2.69/1026_linux-3.2.27.patch index 5878eb4..5878eb4 100644 --- a/3.2.68/1026_linux-3.2.27.patch +++ b/3.2.69/1026_linux-3.2.27.patch diff --git a/3.2.68/1027_linux-3.2.28.patch b/3.2.69/1027_linux-3.2.28.patch index 4dbba4b..4dbba4b 100644 --- a/3.2.68/1027_linux-3.2.28.patch +++ b/3.2.69/1027_linux-3.2.28.patch diff --git a/3.2.68/1028_linux-3.2.29.patch b/3.2.69/1028_linux-3.2.29.patch index 3c65179..3c65179 100644 --- a/3.2.68/1028_linux-3.2.29.patch +++ b/3.2.69/1028_linux-3.2.29.patch diff --git a/3.2.68/1029_linux-3.2.30.patch b/3.2.69/1029_linux-3.2.30.patch index 86aea4b..86aea4b 100644 --- a/3.2.68/1029_linux-3.2.30.patch +++ b/3.2.69/1029_linux-3.2.30.patch diff --git a/3.2.68/1030_linux-3.2.31.patch b/3.2.69/1030_linux-3.2.31.patch index c6accf5..c6accf5 100644 --- a/3.2.68/1030_linux-3.2.31.patch +++ b/3.2.69/1030_linux-3.2.31.patch diff --git a/3.2.68/1031_linux-3.2.32.patch b/3.2.69/1031_linux-3.2.32.patch index 247fc0b..247fc0b 100644 --- a/3.2.68/1031_linux-3.2.32.patch +++ b/3.2.69/1031_linux-3.2.32.patch diff --git a/3.2.68/1032_linux-3.2.33.patch b/3.2.69/1032_linux-3.2.33.patch index c32fb75..c32fb75 100644 --- a/3.2.68/1032_linux-3.2.33.patch +++ b/3.2.69/1032_linux-3.2.33.patch diff --git a/3.2.68/1033_linux-3.2.34.patch b/3.2.69/1033_linux-3.2.34.patch index d647b38..d647b38 100644 --- a/3.2.68/1033_linux-3.2.34.patch +++ b/3.2.69/1033_linux-3.2.34.patch diff --git a/3.2.68/1034_linux-3.2.35.patch b/3.2.69/1034_linux-3.2.35.patch index 76a9c19..76a9c19 100644 --- a/3.2.68/1034_linux-3.2.35.patch +++ b/3.2.69/1034_linux-3.2.35.patch diff --git a/3.2.68/1035_linux-3.2.36.patch b/3.2.69/1035_linux-3.2.36.patch index 5d192a3..5d192a3 100644 --- a/3.2.68/1035_linux-3.2.36.patch +++ b/3.2.69/1035_linux-3.2.36.patch diff --git a/3.2.68/1036_linux-3.2.37.patch b/3.2.69/1036_linux-3.2.37.patch index ad13251..ad13251 100644 --- a/3.2.68/1036_linux-3.2.37.patch +++ b/3.2.69/1036_linux-3.2.37.patch diff --git a/3.2.68/1037_linux-3.2.38.patch b/3.2.69/1037_linux-3.2.38.patch index a3c106f..a3c106f 100644 --- a/3.2.68/1037_linux-3.2.38.patch +++ b/3.2.69/1037_linux-3.2.38.patch diff --git a/3.2.68/1038_linux-3.2.39.patch b/3.2.69/1038_linux-3.2.39.patch index 5639e92..5639e92 100644 --- a/3.2.68/1038_linux-3.2.39.patch +++ b/3.2.69/1038_linux-3.2.39.patch diff --git a/3.2.68/1039_linux-3.2.40.patch b/3.2.69/1039_linux-3.2.40.patch index f26b39c..f26b39c 100644 --- a/3.2.68/1039_linux-3.2.40.patch +++ b/3.2.69/1039_linux-3.2.40.patch diff --git a/3.2.68/1040_linux-3.2.41.patch b/3.2.69/1040_linux-3.2.41.patch index 0d27fcb..0d27fcb 100644 --- a/3.2.68/1040_linux-3.2.41.patch +++ b/3.2.69/1040_linux-3.2.41.patch diff --git a/3.2.68/1041_linux-3.2.42.patch b/3.2.69/1041_linux-3.2.42.patch index 77a08ed..77a08ed 100644 --- a/3.2.68/1041_linux-3.2.42.patch +++ b/3.2.69/1041_linux-3.2.42.patch diff --git a/3.2.68/1042_linux-3.2.43.patch b/3.2.69/1042_linux-3.2.43.patch index a3f878b..a3f878b 100644 --- a/3.2.68/1042_linux-3.2.43.patch +++ b/3.2.69/1042_linux-3.2.43.patch diff --git a/3.2.68/1043_linux-3.2.44.patch b/3.2.69/1043_linux-3.2.44.patch index 3d5e6ff..3d5e6ff 100644 --- a/3.2.68/1043_linux-3.2.44.patch +++ b/3.2.69/1043_linux-3.2.44.patch diff --git a/3.2.68/1044_linux-3.2.45.patch b/3.2.69/1044_linux-3.2.45.patch index 44e1767..44e1767 100644 --- a/3.2.68/1044_linux-3.2.45.patch +++ b/3.2.69/1044_linux-3.2.45.patch diff --git a/3.2.68/1045_linux-3.2.46.patch b/3.2.69/1045_linux-3.2.46.patch index bc10efd..bc10efd 100644 --- a/3.2.68/1045_linux-3.2.46.patch +++ b/3.2.69/1045_linux-3.2.46.patch diff --git a/3.2.68/1046_linux-3.2.47.patch b/3.2.69/1046_linux-3.2.47.patch index b74563c..b74563c 100644 --- a/3.2.68/1046_linux-3.2.47.patch +++ b/3.2.69/1046_linux-3.2.47.patch diff --git a/3.2.68/1047_linux-3.2.48.patch b/3.2.69/1047_linux-3.2.48.patch index 6d55b1f..6d55b1f 100644 --- a/3.2.68/1047_linux-3.2.48.patch +++ b/3.2.69/1047_linux-3.2.48.patch diff --git a/3.2.68/1048_linux-3.2.49.patch b/3.2.69/1048_linux-3.2.49.patch index 2dab0cf..2dab0cf 100644 --- a/3.2.68/1048_linux-3.2.49.patch +++ b/3.2.69/1048_linux-3.2.49.patch diff --git a/3.2.68/1049_linux-3.2.50.patch b/3.2.69/1049_linux-3.2.50.patch index 20b3015..20b3015 100644 --- a/3.2.68/1049_linux-3.2.50.patch +++ b/3.2.69/1049_linux-3.2.50.patch diff --git a/3.2.68/1050_linux-3.2.51.patch b/3.2.69/1050_linux-3.2.51.patch index 5d5832b..5d5832b 100644 --- a/3.2.68/1050_linux-3.2.51.patch +++ b/3.2.69/1050_linux-3.2.51.patch diff --git a/3.2.68/1051_linux-3.2.52.patch b/3.2.69/1051_linux-3.2.52.patch index 94b9359..94b9359 100644 --- a/3.2.68/1051_linux-3.2.52.patch +++ b/3.2.69/1051_linux-3.2.52.patch diff --git a/3.2.68/1052_linux-3.2.53.patch b/3.2.69/1052_linux-3.2.53.patch index 986d714..986d714 100644 --- a/3.2.68/1052_linux-3.2.53.patch +++ b/3.2.69/1052_linux-3.2.53.patch diff --git a/3.2.68/1053_linux-3.2.54.patch b/3.2.69/1053_linux-3.2.54.patch index a907496..a907496 100644 --- a/3.2.68/1053_linux-3.2.54.patch +++ b/3.2.69/1053_linux-3.2.54.patch diff --git a/3.2.68/1054_linux-3.2.55.patch b/3.2.69/1054_linux-3.2.55.patch index 6071ff5..6071ff5 100644 --- a/3.2.68/1054_linux-3.2.55.patch +++ b/3.2.69/1054_linux-3.2.55.patch diff --git a/3.2.68/1055_linux-3.2.56.patch b/3.2.69/1055_linux-3.2.56.patch index 2e8239c..2e8239c 100644 --- a/3.2.68/1055_linux-3.2.56.patch +++ b/3.2.69/1055_linux-3.2.56.patch diff --git a/3.2.68/1056_linux-3.2.57.patch b/3.2.69/1056_linux-3.2.57.patch index 7b8f174..7b8f174 100644 --- a/3.2.68/1056_linux-3.2.57.patch +++ b/3.2.69/1056_linux-3.2.57.patch diff --git a/3.2.68/1057_linux-3.2.58.patch b/3.2.69/1057_linux-3.2.58.patch index db5723a..db5723a 100644 --- a/3.2.68/1057_linux-3.2.58.patch +++ b/3.2.69/1057_linux-3.2.58.patch diff --git a/3.2.68/1058_linux-3.2.59.patch b/3.2.69/1058_linux-3.2.59.patch index cd59fe9..cd59fe9 100644 --- a/3.2.68/1058_linux-3.2.59.patch +++ b/3.2.69/1058_linux-3.2.59.patch diff --git a/3.2.68/1059_linux-3.2.60.patch b/3.2.69/1059_linux-3.2.60.patch index c5a9389..c5a9389 100644 --- a/3.2.68/1059_linux-3.2.60.patch +++ b/3.2.69/1059_linux-3.2.60.patch diff --git a/3.2.68/1060_linux-3.2.61.patch b/3.2.69/1060_linux-3.2.61.patch index a1bf580..a1bf580 100644 --- a/3.2.68/1060_linux-3.2.61.patch +++ b/3.2.69/1060_linux-3.2.61.patch diff --git a/3.2.68/1061_linux-3.2.62.patch b/3.2.69/1061_linux-3.2.62.patch index 34217f0..34217f0 100644 --- a/3.2.68/1061_linux-3.2.62.patch +++ b/3.2.69/1061_linux-3.2.62.patch diff --git a/3.2.68/1062_linux-3.2.63.patch b/3.2.69/1062_linux-3.2.63.patch index f7c7415..f7c7415 100644 --- a/3.2.68/1062_linux-3.2.63.patch +++ b/3.2.69/1062_linux-3.2.63.patch diff --git a/3.2.68/1063_linux-3.2.64.patch b/3.2.69/1063_linux-3.2.64.patch index 862b4f0..862b4f0 100644 --- a/3.2.68/1063_linux-3.2.64.patch +++ b/3.2.69/1063_linux-3.2.64.patch diff --git a/3.2.68/1064_linux-3.2.65.patch b/3.2.69/1064_linux-3.2.65.patch index c3ae4fa..c3ae4fa 100644 --- a/3.2.68/1064_linux-3.2.65.patch +++ b/3.2.69/1064_linux-3.2.65.patch diff --git a/3.2.68/1065_linux-3.2.66.patch b/3.2.69/1065_linux-3.2.66.patch index 73fa646..73fa646 100644 --- a/3.2.68/1065_linux-3.2.66.patch +++ b/3.2.69/1065_linux-3.2.66.patch diff --git a/3.2.68/1066_linux-3.2.67.patch b/3.2.69/1066_linux-3.2.67.patch index c0a9278..c0a9278 100644 --- a/3.2.68/1066_linux-3.2.67.patch +++ b/3.2.69/1066_linux-3.2.67.patch diff --git a/3.2.68/1067_linux-3.2.68.patch b/3.2.69/1067_linux-3.2.68.patch index 200e8b8..200e8b8 100644 --- a/3.2.68/1067_linux-3.2.68.patch +++ b/3.2.69/1067_linux-3.2.68.patch diff --git a/3.2.69/1068_linux-3.2.69.patch b/3.2.69/1068_linux-3.2.69.patch new file mode 100644 index 0000000..8848e8e --- /dev/null +++ b/3.2.69/1068_linux-3.2.69.patch @@ -0,0 +1,6606 @@ +diff --git a/Documentation/usb/usb-serial.txt b/Documentation/usb/usb-serial.txt +index 5bd7926..947fa62 100644 +--- a/Documentation/usb/usb-serial.txt ++++ b/Documentation/usb/usb-serial.txt +@@ -145,7 +145,7 @@ Keyspan PDA Serial Adapter + Single port DB-9 serial adapter, pushed as a PDA adapter for iMacs (mostly + sold in Macintosh catalogs, comes in a translucent white/green dongle). + Fairly simple device. Firmware is homebrew. +- This driver also works for the Xircom/Entrgra single port serial adapter. ++ This driver also works for the Xircom/Entrega single port serial adapter. + + Current status: + Things that work: +diff --git a/Makefile b/Makefile +index 2e7cbda..8071888 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 2 +-SUBLEVEL = 68 ++SUBLEVEL = 69 + EXTRAVERSION = + NAME = Saber-toothed Squirrel + +diff --git a/arch/arm/mach-pxa/corgi.c b/arch/arm/mach-pxa/corgi.c +index 549468d..e1715af 100644 +--- a/arch/arm/mach-pxa/corgi.c ++++ b/arch/arm/mach-pxa/corgi.c +@@ -26,6 +26,7 @@ + #include <linux/i2c.h> + #include <linux/i2c/pxa-i2c.h> + #include <linux/io.h> ++#include <linux/regulator/machine.h> + #include <linux/spi/spi.h> + #include <linux/spi/ads7846.h> + #include <linux/spi/corgi_lcd.h> +@@ -704,6 +705,8 @@ static void __init corgi_init(void) + sharpsl_nand_partitions[1].size = 53 * 1024 * 1024; + + platform_add_devices(devices, ARRAY_SIZE(devices)); ++ ++ regulator_has_full_constraints(); + } + + static void __init fixup_corgi(struct tag *tags, char **cmdline, +diff --git a/arch/arm/mach-pxa/hx4700.c b/arch/arm/mach-pxa/hx4700.c +index 6f6368e..a7be979 100644 +--- a/arch/arm/mach-pxa/hx4700.c ++++ b/arch/arm/mach-pxa/hx4700.c +@@ -835,6 +835,8 @@ static void __init hx4700_init(void) + mdelay(10); + gpio_set_value(GPIO71_HX4700_ASIC3_nRESET, 1); + mdelay(10); ++ ++ regulator_has_full_constraints(); + } + + MACHINE_START(H4700, "HP iPAQ HX4700") +diff --git a/arch/arm/mach-pxa/poodle.c b/arch/arm/mach-pxa/poodle.c +index 50c8331..fb645f4 100644 +--- a/arch/arm/mach-pxa/poodle.c ++++ b/arch/arm/mach-pxa/poodle.c +@@ -25,6 +25,7 @@ + #include <linux/gpio.h> + #include <linux/i2c.h> + #include <linux/i2c/pxa-i2c.h> ++#include <linux/regulator/machine.h> + #include <linux/spi/spi.h> + #include <linux/spi/ads7846.h> + #include <linux/spi/pxa2xx_spi.h> +@@ -453,6 +454,7 @@ static void __init poodle_init(void) + pxa_set_i2c_info(NULL); + i2c_register_board_info(0, ARRAY_AND_SIZE(poodle_i2c_devices)); + poodle_init_spi(); ++ regulator_has_full_constraints(); + } + + static void __init fixup_poodle(struct tag *tags, char **cmdline, +diff --git a/arch/arm/mach-pxa/spitz.c b/arch/arm/mach-pxa/spitz.c +index 953a919..0451bbd 100644 +--- a/arch/arm/mach-pxa/spitz.c ++++ b/arch/arm/mach-pxa/spitz.c +@@ -969,6 +969,8 @@ static void __init spitz_init(void) + spitz_nor_init(); + spitz_nand_init(); + spitz_i2c_init(); ++ ++ regulator_has_full_constraints(); + } + + static void __init spitz_fixup(struct tag *tags, char **cmdline, +diff --git a/arch/arm/mach-sa1100/pm.c b/arch/arm/mach-sa1100/pm.c +index bf85b8b..66c4845 100644 +--- a/arch/arm/mach-sa1100/pm.c ++++ b/arch/arm/mach-sa1100/pm.c +@@ -81,6 +81,7 @@ static int sa11x0_pm_enter(suspend_state_t state) + /* + * Ensure not to come back here if it wasn't intended + */ ++ RCSR = RCSR_SMR; + PSPR = 0; + + /* +diff --git a/arch/powerpc/sysdev/axonram.c b/arch/powerpc/sysdev/axonram.c +index ba42719..9befade 100644 +--- a/arch/powerpc/sysdev/axonram.c ++++ b/arch/powerpc/sysdev/axonram.c +@@ -156,7 +156,7 @@ axon_ram_direct_access(struct block_device *device, sector_t sector, + } + + *kaddr = (void *)(bank->ph_addr + offset); +- *pfn = virt_to_phys(kaddr) >> PAGE_SHIFT; ++ *pfn = virt_to_phys(*kaddr) >> PAGE_SHIFT; + + return 0; + } +diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c +index bc486d0..a5f6eff 100644 +--- a/arch/s390/kvm/intercept.c ++++ b/arch/s390/kvm/intercept.c +@@ -58,7 +58,6 @@ static int handle_lctlg(struct kvm_vcpu *vcpu) + break; + reg = (reg + 1) % 16; + } while (1); +- kvm_make_request(KVM_REQ_TLB_FLUSH, vcpu); + return 0; + } + +@@ -98,7 +97,6 @@ static int handle_lctl(struct kvm_vcpu *vcpu) + break; + reg = (reg + 1) % 16; + } while (1); +- kvm_make_request(KVM_REQ_TLB_FLUSH, vcpu); + return 0; + } + +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index f6f41dd..b96b4de 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -311,7 +311,7 @@ int kvm_arch_vcpu_setup(struct kvm_vcpu *vcpu) + vcpu->arch.sie_block->ecb = 6; + vcpu->arch.sie_block->eca = 0xC1002001U; + vcpu->arch.sie_block->fac = (int) (long) facilities; +- hrtimer_init(&vcpu->arch.ckc_timer, CLOCK_REALTIME, HRTIMER_MODE_ABS); ++ hrtimer_init(&vcpu->arch.ckc_timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL); + tasklet_init(&vcpu->arch.tasklet, kvm_s390_tasklet, + (unsigned long) vcpu); + vcpu->arch.ckc_timer.function = kvm_s390_idle_wakeup; +diff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c +index 16acf68..3b3a62f 100644 +--- a/arch/x86/crypto/aesni-intel_glue.c ++++ b/arch/x86/crypto/aesni-intel_glue.c +@@ -1202,7 +1202,7 @@ static int __driver_rfc4106_decrypt(struct aead_request *req) + src = kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC); + if (!src) + return -ENOMEM; +- assoc = (src + req->cryptlen + auth_tag_len); ++ assoc = (src + req->cryptlen); + scatterwalk_map_and_copy(src, req->src, 0, req->cryptlen, 0); + scatterwalk_map_and_copy(assoc, req->assoc, 0, + req->assoclen, 0); +@@ -1227,7 +1227,7 @@ static int __driver_rfc4106_decrypt(struct aead_request *req) + scatterwalk_done(&src_sg_walk, 0, 0); + scatterwalk_done(&assoc_sg_walk, 0, 0); + } else { +- scatterwalk_map_and_copy(dst, req->dst, 0, req->cryptlen, 1); ++ scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1); + kfree(src); + } + return retval; +diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S +index 9d28dba..8d15c69 100644 +--- a/arch/x86/kernel/entry_64.S ++++ b/arch/x86/kernel/entry_64.S +@@ -414,11 +414,14 @@ ENTRY(ret_from_fork) + testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread? + je int_ret_from_sys_call + +- testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET +- jnz int_ret_from_sys_call +- +- RESTORE_TOP_OF_STACK %rdi, -ARGOFFSET +- jmp ret_from_sys_call # go to the SYSRET fastpath ++ /* ++ * By the time we get here, we have no idea whether our pt_regs, ++ * ti flags, and ti status came from the 64-bit SYSCALL fast path, ++ * the slow path, or one of the ia32entry paths. ++ * Use int_ret_from_sys_call to return, since it can safely handle ++ * all of the above. ++ */ ++ jmp int_ret_from_sys_call + + CFI_ENDPROC + END(ret_from_fork) +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c +index f411aca..41b2f57 100644 +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -279,14 +279,6 @@ static struct dmi_system_id __initdata reboot_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "VGN-Z540N"), + }, + }, +- { /* Handle problems with rebooting on CompuLab SBC-FITPC2 */ +- .callback = set_bios_reboot, +- .ident = "CompuLab SBC-FITPC2", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "CompuLab"), +- DMI_MATCH(DMI_PRODUCT_NAME, "SBC-FITPC2"), +- }, +- }, + { /* Handle problems with rebooting on ASUS P4S800 */ + .callback = set_bios_reboot, + .ident = "ASUS P4S800", +@@ -295,14 +287,6 @@ static struct dmi_system_id __initdata reboot_dmi_table[] = { + DMI_MATCH(DMI_BOARD_NAME, "P4S800"), + }, + }, +- { /* Handle problems with rebooting on VersaLogic Menlow boards */ +- .callback = set_bios_reboot, +- .ident = "VersaLogic Menlow based board", +- .matches = { +- DMI_MATCH(DMI_BOARD_VENDOR, "VersaLogic Corporation"), +- DMI_MATCH(DMI_BOARD_NAME, "VersaLogic Menlow board"), +- }, +- }, + { /* Handle reboot issue on Acer Aspire one */ + .callback = set_kbd_reboot, + .ident = "Acer Aspire One A110", +@@ -428,6 +412,24 @@ static struct dmi_system_id __initdata pci_reboot_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "iMac9,1"), + }, + }, ++ /* ASRock */ ++ { /* Handle problems with rebooting on ASRock Q1900DC-ITX */ ++ .callback = set_pci_reboot, ++ .ident = "ASRock Q1900DC-ITX", ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASRock"), ++ DMI_MATCH(DMI_BOARD_NAME, "Q1900DC-ITX"), ++ }, ++ }, ++ /* Certec */ ++ { /* Handle problems with rebooting on Certec BPC600 */ ++ .callback = set_pci_reboot, ++ .ident = "Certec BPC600", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Certec"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "BPC600"), ++ }, ++ }, + { /* Handle problems with rebooting on the Latitude E6320. */ + .callback = set_pci_reboot, + .ident = "Dell Latitude E6320", +@@ -436,6 +438,14 @@ static struct dmi_system_id __initdata pci_reboot_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "Latitude E6320"), + }, + }, ++ { /* Handle problems with rebooting on the Latitude E5410. */ ++ .callback = set_pci_reboot, ++ .ident = "Dell Latitude E5410", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude E5410"), ++ }, ++ }, + { /* Handle problems with rebooting on the Latitude E5420. */ + .callback = set_pci_reboot, + .ident = "Dell Latitude E5420", +@@ -462,6 +472,22 @@ static struct dmi_system_id __initdata pci_reboot_dmi_table[] = { + }, + { /* Handle problems with rebooting on the Precision M6600. */ + .callback = set_pci_reboot, ++ .ident = "Dell Precision M6600", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Precision M6600"), ++ }, ++ }, ++ { /* Handle problems with rebooting on the Dell PowerEdge C6100. */ ++ .callback = set_pci_reboot, ++ .ident = "Dell PowerEdge C6100", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "C6100"), ++ }, ++ }, ++ { /* Handle problems with rebooting on the Precision M6600. */ ++ .callback = set_pci_reboot, + .ident = "Dell OptiPlex 990", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c +index 2aff347..edbd30a 100644 +--- a/arch/x86/kernel/traps.c ++++ b/arch/x86/kernel/traps.c +@@ -435,7 +435,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) + * then it's very likely the result of an icebp/int01 trap. + * User wants a sigtrap for that. + */ +- if (!dr6 && user_mode(regs)) ++ if (!dr6 && user_mode_vm(regs)) + user_icebp = 1; + + /* Catch kmemcheck conditions first of all! */ +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index bdad489..9af0b82 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -4014,7 +4014,8 @@ int x86_emulate_insn(struct x86_emulate_ctxt *ctxt) + if (rc != X86EMUL_CONTINUE) + goto done; + } +- ctxt->dst.orig_val = ctxt->dst.val; ++ /* Copy full 64-bit value for CMPXCHG8B. */ ++ ctxt->dst.orig_val64 = ctxt->dst.val64; + + special_insn: + +diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c +index 5c1ae28..75f9e5d 100644 +--- a/arch/x86/mm/mmap.c ++++ b/arch/x86/mm/mmap.c +@@ -35,12 +35,12 @@ struct __read_mostly va_alignment va_align = { + .flags = -1, + }; + +-static unsigned int stack_maxrandom_size(void) ++static unsigned long stack_maxrandom_size(void) + { +- unsigned int max = 0; ++ unsigned long max = 0; + if ((current->flags & PF_RANDOMIZE) && + !(current->personality & ADDR_NO_RANDOMIZE)) { +- max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT; ++ max = ((-1UL) & STACK_RND_MASK) << PAGE_SHIFT; + } + + return max; +diff --git a/arch/x86/vdso/vdso32/sigreturn.S b/arch/x86/vdso/vdso32/sigreturn.S +index 31776d0..d7ec4e2 100644 +--- a/arch/x86/vdso/vdso32/sigreturn.S ++++ b/arch/x86/vdso/vdso32/sigreturn.S +@@ -17,6 +17,7 @@ + .text + .globl __kernel_sigreturn + .type __kernel_sigreturn,@function ++ nop /* this guy is needed for .LSTARTFDEDLSI1 below (watch for HACK) */ + ALIGN + __kernel_sigreturn: + .LSTART_sigreturn: +diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c +index 2ebfdd2..cb842a8 100644 +--- a/drivers/acpi/video.c ++++ b/drivers/acpi/video.c +@@ -1854,6 +1854,17 @@ EXPORT_SYMBOL(acpi_video_unregister); + + static int __init acpi_video_init(void) + { ++ /* ++ * Let the module load even if ACPI is disabled (e.g. due to ++ * a broken BIOS) so that i915.ko can still be loaded on such ++ * old systems without an AcpiOpRegion. ++ * ++ * acpi_video_register() will report -ENODEV later as well due ++ * to acpi_disabled when i915.ko tries to register itself afterwards. ++ */ ++ if (acpi_disabled) ++ return 0; ++ + dmi_check_system(video_dmi_table); + + if (intel_opregion_present()) +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 5fb6885..788581e 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -773,10 +773,6 @@ static int __init nbd_init(void) + return -EINVAL; + } + +- nbd_dev = kcalloc(nbds_max, sizeof(*nbd_dev), GFP_KERNEL); +- if (!nbd_dev) +- return -ENOMEM; +- + part_shift = 0; + if (max_part > 0) { + part_shift = fls(max_part); +@@ -798,6 +794,10 @@ static int __init nbd_init(void) + if (nbds_max > 1UL << (MINORBITS - part_shift)) + return -EINVAL; + ++ nbd_dev = kcalloc(nbds_max, sizeof(*nbd_dev), GFP_KERNEL); ++ if (!nbd_dev) ++ return -ENOMEM; ++ + for (i = 0; i < nbds_max; i++) { + struct gendisk *disk = alloc_disk(1 << part_shift); + if (!disk) +diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c +index 22775ae..3eb6ad2 100644 +--- a/drivers/bluetooth/ath3k.c ++++ b/drivers/bluetooth/ath3k.c +@@ -106,6 +106,7 @@ static struct usb_device_id ath3k_table[] = { + { USB_DEVICE(0x13d3, 0x3393) }, + { USB_DEVICE(0x13d3, 0x3402) }, + { USB_DEVICE(0x13d3, 0x3408) }, ++ { USB_DEVICE(0x13d3, 0x3423) }, + { USB_DEVICE(0x13d3, 0x3432) }, + + /* Atheros AR5BBU12 with sflash firmware */ +@@ -160,6 +161,7 @@ static struct usb_device_id ath3k_blist_tbl[] = { + { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 }, + + /* Atheros AR5BBU22 with sflash firmware */ +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 2b479d6..5c385e5 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -191,6 +191,7 @@ static struct usb_device_id blacklist_table[] = { + { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 }, + + /* Atheros AR5BBU12 with sflash firmware */ +diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c +index c234b9e..f7395c4 100644 +--- a/drivers/char/tpm/tpm.c ++++ b/drivers/char/tpm/tpm.c +@@ -1341,7 +1341,7 @@ struct tpm_chip *tpm_register_hardware(struct device *dev, + + /* Make chip available */ + spin_lock(&driver_lock); +- list_add_rcu(&chip->list, &tpm_chip_list); ++ list_add_tail_rcu(&chip->list, &tpm_chip_list); + spin_unlock(&driver_lock); + + return chip; +diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c +index c68b8ad..e9d18aa 100644 +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -124,6 +124,7 @@ struct ports_device { + * notification + */ + struct work_struct control_work; ++ struct work_struct config_work; + + struct list_head ports; + +@@ -1556,10 +1557,21 @@ static void config_intr(struct virtio_device *vdev) + + portdev = vdev->priv; + ++ if (!use_multiport(portdev)) ++ schedule_work(&portdev->config_work); ++} ++ ++static void config_work_handler(struct work_struct *work) ++{ ++ struct ports_device *portdev; ++ ++ portdev = container_of(work, struct ports_device, control_work); + if (!use_multiport(portdev)) { ++ struct virtio_device *vdev; + struct port *port; + u16 rows, cols; + ++ vdev = portdev->vdev; + vdev->config->get(vdev, + offsetof(struct virtio_console_config, cols), + &cols, sizeof(u16)); +@@ -1731,6 +1743,8 @@ static int __devinit virtcons_probe(struct virtio_device *vdev) + spin_lock_init(&portdev->ports_lock); + INIT_LIST_HEAD(&portdev->ports); + ++ INIT_WORK(&portdev->config_work, &config_work_handler); ++ + if (multiport) { + unsigned int nr_added_bufs; + +@@ -1806,6 +1820,8 @@ static void virtcons_remove(struct virtio_device *vdev) + /* Finish up work that's lined up */ + if (use_multiport(portdev)) + cancel_work_sync(&portdev->control_work); ++ else ++ cancel_work_sync(&portdev->config_work); + + list_for_each_entry_safe(port, port2, &portdev->ports, list) + unplug_port(port); +diff --git a/drivers/cpufreq/speedstep-lib.c b/drivers/cpufreq/speedstep-lib.c +index 8af2d2f..2c0345a 100644 +--- a/drivers/cpufreq/speedstep-lib.c ++++ b/drivers/cpufreq/speedstep-lib.c +@@ -399,6 +399,7 @@ unsigned int speedstep_get_freqs(enum speedstep_processor processor, + + pr_debug("previous speed is %u\n", prev_speed); + ++ preempt_disable(); + local_irq_save(flags); + + /* switch to low state */ +@@ -463,6 +464,8 @@ unsigned int speedstep_get_freqs(enum speedstep_processor processor, + + out: + local_irq_restore(flags); ++ preempt_enable(); ++ + return ret; + } + EXPORT_SYMBOL_GPL(speedstep_get_freqs); +diff --git a/drivers/cpufreq/speedstep-smi.c b/drivers/cpufreq/speedstep-smi.c +index c76ead3..8a97f94 100644 +--- a/drivers/cpufreq/speedstep-smi.c ++++ b/drivers/cpufreq/speedstep-smi.c +@@ -187,6 +187,7 @@ static void speedstep_set_state(unsigned int state) + return; + + /* Disable IRQs */ ++ preempt_disable(); + local_irq_save(flags); + + command = (smi_sig & 0xffffff00) | (smi_cmd & 0xff); +@@ -197,9 +198,19 @@ static void speedstep_set_state(unsigned int state) + + do { + if (retry) { ++ /* ++ * We need to enable interrupts, otherwise the blockage ++ * won't resolve. ++ * ++ * We disable preemption so that other processes don't ++ * run. If other processes were running, they could ++ * submit more DMA requests, making the blockage worse. ++ */ + pr_debug("retry %u, previous result %u, waiting...\n", + retry, result); ++ local_irq_enable(); + mdelay(retry * 50); ++ local_irq_disable(); + } + retry++; + __asm__ __volatile__( +@@ -216,6 +227,7 @@ static void speedstep_set_state(unsigned int state) + + /* enable IRQs */ + local_irq_restore(flags); ++ preempt_enable(); + + if (new_state == state) + pr_debug("change to %u MHz succeeded after %u tries " +diff --git a/drivers/gpio/gpio-tps65912.c b/drivers/gpio/gpio-tps65912.c +index 79e66c0..2712680 100644 +--- a/drivers/gpio/gpio-tps65912.c ++++ b/drivers/gpio/gpio-tps65912.c +@@ -26,9 +26,12 @@ struct tps65912_gpio_data { + struct gpio_chip gpio_chip; + }; + ++#define to_tgd(gc) container_of(gc, struct tps65912_gpio_data, gpio_chip) ++ + static int tps65912_gpio_get(struct gpio_chip *gc, unsigned offset) + { +- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); ++ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); ++ struct tps65912 *tps65912 = tps65912_gpio->tps65912; + int val; + + val = tps65912_reg_read(tps65912, TPS65912_GPIO1 + offset); +@@ -42,7 +45,8 @@ static int tps65912_gpio_get(struct gpio_chip *gc, unsigned offset) + static void tps65912_gpio_set(struct gpio_chip *gc, unsigned offset, + int value) + { +- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); ++ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); ++ struct tps65912 *tps65912 = tps65912_gpio->tps65912; + + if (value) + tps65912_set_bits(tps65912, TPS65912_GPIO1 + offset, +@@ -55,7 +59,8 @@ static void tps65912_gpio_set(struct gpio_chip *gc, unsigned offset, + static int tps65912_gpio_output(struct gpio_chip *gc, unsigned offset, + int value) + { +- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); ++ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); ++ struct tps65912 *tps65912 = tps65912_gpio->tps65912; + + /* Set the initial value */ + tps65912_gpio_set(gc, offset, value); +@@ -66,7 +71,8 @@ static int tps65912_gpio_output(struct gpio_chip *gc, unsigned offset, + + static int tps65912_gpio_input(struct gpio_chip *gc, unsigned offset) + { +- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); ++ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); ++ struct tps65912 *tps65912 = tps65912_gpio->tps65912; + + return tps65912_clear_bits(tps65912, TPS65912_GPIO1 + offset, + GPIO_CFG_MASK); +diff --git a/drivers/gpu/drm/radeon/atombios_dp.c b/drivers/gpu/drm/radeon/atombios_dp.c +index e8a3c31..3e34f1e 100644 +--- a/drivers/gpu/drm/radeon/atombios_dp.c ++++ b/drivers/gpu/drm/radeon/atombios_dp.c +@@ -739,10 +739,8 @@ static int radeon_dp_link_train_init(struct radeon_dp_link_train_info *dp_info) + radeon_write_dpcd_reg(dp_info->radeon_connector, + DP_DOWNSPREAD_CTRL, 0); + +- if ((dp_info->connector->connector_type == DRM_MODE_CONNECTOR_eDP) && +- (dig->panel_mode == DP_PANEL_MODE_INTERNAL_DP2_MODE)) { ++ if (dig->panel_mode == DP_PANEL_MODE_INTERNAL_DP2_MODE) + radeon_write_dpcd_reg(dp_info->radeon_connector, DP_EDP_CONFIGURATION_SET, 1); +- } + + /* set the lane count on the sink */ + tmp = dp_info->dp_lane_count; +diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c +index 9b3f787..5d78973 100644 +--- a/drivers/gpu/drm/radeon/evergreen.c ++++ b/drivers/gpu/drm/radeon/evergreen.c +@@ -2631,6 +2631,9 @@ int evergreen_irq_set(struct radeon_device *rdev) + WREG32(DC_HPD5_INT_CONTROL, hpd5); + WREG32(DC_HPD6_INT_CONTROL, hpd6); + ++ /* posting read */ ++ RREG32(SRBM_STATUS); ++ + return 0; + } + +diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c +index 76c1290..dfd1267 100644 +--- a/drivers/gpu/drm/radeon/r100.c ++++ b/drivers/gpu/drm/radeon/r100.c +@@ -688,6 +688,10 @@ int r100_irq_set(struct radeon_device *rdev) + tmp |= RADEON_FP2_DETECT_MASK; + } + WREG32(RADEON_GEN_INT_CNTL, tmp); ++ ++ /* read back to post the write */ ++ RREG32(RADEON_GEN_INT_CNTL); ++ + return 0; + } + +diff --git a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c +index ab46a99..e5299a0 100644 +--- a/drivers/gpu/drm/radeon/r600.c ++++ b/drivers/gpu/drm/radeon/r600.c +@@ -3156,6 +3156,9 @@ int r600_irq_set(struct radeon_device *rdev) + WREG32(DC_HOT_PLUG_DETECT3_INT_CONTROL, hpd3); + } + ++ /* posting read */ ++ RREG32(R_000E50_SRBM_STATUS); ++ + return 0; + } + +diff --git a/drivers/gpu/drm/radeon/radeon_bios.c b/drivers/gpu/drm/radeon/radeon_bios.c +index ccf324b..6e98703 100644 +--- a/drivers/gpu/drm/radeon/radeon_bios.c ++++ b/drivers/gpu/drm/radeon/radeon_bios.c +@@ -76,7 +76,7 @@ static bool igp_read_bios_from_vram(struct radeon_device *rdev) + + static bool radeon_read_bios(struct radeon_device *rdev) + { +- uint8_t __iomem *bios; ++ uint8_t __iomem *bios, val1, val2; + size_t size; + + rdev->bios = NULL; +@@ -86,15 +86,19 @@ static bool radeon_read_bios(struct radeon_device *rdev) + return false; + } + +- if (size == 0 || bios[0] != 0x55 || bios[1] != 0xaa) { ++ val1 = readb(&bios[0]); ++ val2 = readb(&bios[1]); ++ ++ if (size == 0 || val1 != 0x55 || val2 != 0xaa) { + pci_unmap_rom(rdev->pdev, bios); + return false; + } +- rdev->bios = kmemdup(bios, size, GFP_KERNEL); ++ rdev->bios = kzalloc(size, GFP_KERNEL); + if (rdev->bios == NULL) { + pci_unmap_rom(rdev->pdev, bios); + return false; + } ++ memcpy_fromio(rdev->bios, bios, size); + pci_unmap_rom(rdev->pdev, bios); + return true; + } +diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c +index 1f32557..0ddc08c 100644 +--- a/drivers/gpu/drm/radeon/radeon_cs.c ++++ b/drivers/gpu/drm/radeon/radeon_cs.c +@@ -95,11 +95,13 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data) + uint64_t *chunk_array_ptr; + unsigned size, i, flags = 0; + ++ INIT_LIST_HEAD(&p->validated); ++ + if (!cs->num_chunks) { + return 0; + } ++ + /* get chunks */ +- INIT_LIST_HEAD(&p->validated); + p->idx = 0; + p->chunk_ib_idx = -1; + p->chunk_relocs_idx = -1; +diff --git a/drivers/gpu/drm/radeon/rs600.c b/drivers/gpu/drm/radeon/rs600.c +index dc00155..fc37558 100644 +--- a/drivers/gpu/drm/radeon/rs600.c ++++ b/drivers/gpu/drm/radeon/rs600.c +@@ -576,6 +576,10 @@ int rs600_irq_set(struct radeon_device *rdev) + WREG32(R_006540_DxMODE_INT_MASK, mode_int); + WREG32(R_007D08_DC_HOT_PLUG_DETECT1_INT_CONTROL, hpd1); + WREG32(R_007D18_DC_HOT_PLUG_DETECT2_INT_CONTROL, hpd2); ++ ++ /* posting read */ ++ RREG32(R_000040_GEN_INT_CNTL); ++ + return 0; + } + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +index b639536..f739fcf 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +@@ -503,21 +503,6 @@ static int vmw_driver_load(struct drm_device *dev, unsigned long chipset) + goto out_err1; + } + +- ret = ttm_bo_init_mm(&dev_priv->bdev, TTM_PL_VRAM, +- (dev_priv->vram_size >> PAGE_SHIFT)); +- if (unlikely(ret != 0)) { +- DRM_ERROR("Failed initializing memory manager for VRAM.\n"); +- goto out_err2; +- } +- +- dev_priv->has_gmr = true; +- if (ttm_bo_init_mm(&dev_priv->bdev, VMW_PL_GMR, +- dev_priv->max_gmr_ids) != 0) { +- DRM_INFO("No GMR memory available. " +- "Graphics memory resources are very limited.\n"); +- dev_priv->has_gmr = false; +- } +- + dev_priv->mmio_mtrr = drm_mtrr_add(dev_priv->mmio_start, + dev_priv->mmio_size, DRM_MTRR_WC); + +@@ -570,6 +555,22 @@ static int vmw_driver_load(struct drm_device *dev, unsigned long chipset) + if (unlikely(dev_priv->fman == NULL)) + goto out_no_fman; + ++ ++ ret = ttm_bo_init_mm(&dev_priv->bdev, TTM_PL_VRAM, ++ (dev_priv->vram_size >> PAGE_SHIFT)); ++ if (unlikely(ret != 0)) { ++ DRM_ERROR("Failed initializing memory manager for VRAM.\n"); ++ goto out_no_vram; ++ } ++ ++ dev_priv->has_gmr = true; ++ if (ttm_bo_init_mm(&dev_priv->bdev, VMW_PL_GMR, ++ dev_priv->max_gmr_ids) != 0) { ++ DRM_INFO("No GMR memory available. " ++ "Graphics memory resources are very limited.\n"); ++ dev_priv->has_gmr = false; ++ } ++ + /* Need to start the fifo to check if we can do screen objects */ + ret = vmw_3d_resource_inc(dev_priv, true); + if (unlikely(ret != 0)) +@@ -620,6 +621,10 @@ out_no_kms: + vmw_3d_resource_dec(dev_priv, false); + } + out_no_fifo: ++ if (dev_priv->has_gmr) ++ (void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR); ++ (void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM); ++out_no_vram: + vmw_fence_manager_takedown(dev_priv->fman); + out_no_fman: + if (dev_priv->stealth) +@@ -633,10 +638,6 @@ out_err4: + out_err3: + drm_mtrr_del(dev_priv->mmio_mtrr, dev_priv->mmio_start, + dev_priv->mmio_size, DRM_MTRR_WC); +- if (dev_priv->has_gmr) +- (void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR); +- (void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM); +-out_err2: + (void)ttm_bo_device_release(&dev_priv->bdev); + out_err1: + vmw_ttm_global_release(dev_priv); +@@ -665,6 +666,11 @@ static int vmw_driver_unload(struct drm_device *dev) + } + vmw_kms_close(dev_priv); + vmw_overlay_close(dev_priv); ++ ++ if (dev_priv->has_gmr) ++ (void)ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR); ++ (void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM); ++ + vmw_fence_manager_takedown(dev_priv->fman); + if (dev_priv->stealth) + pci_release_region(dev->pdev, 2); +@@ -675,9 +681,6 @@ static int vmw_driver_unload(struct drm_device *dev) + iounmap(dev_priv->mmio_virt); + drm_mtrr_del(dev_priv->mmio_mtrr, dev_priv->mmio_start, + dev_priv->mmio_size, DRM_MTRR_WC); +- if (dev_priv->has_gmr) +- (void)ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR); +- (void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM); + (void)ttm_bo_device_release(&dev_priv->bdev); + vmw_ttm_global_release(dev_priv); + idr_destroy(&dev_priv->surface_idr); +diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c +index a841123..055ebeb 100644 +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -94,6 +94,14 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr, + if (dmasync) + dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs); + ++ /* ++ * If the combination of the addr and size requested for this memory ++ * region causes an integer overflow, return error. ++ */ ++ if ((PAGE_ALIGN(addr + size) <= size) || ++ (PAGE_ALIGN(addr + size) <= addr)) ++ return ERR_PTR(-EINVAL); ++ + if (!can_do_mlock()) + return ERR_PTR(-EPERM); + +diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c +index 8796367..9379b97 100644 +--- a/drivers/infiniband/core/uverbs_main.c ++++ b/drivers/infiniband/core/uverbs_main.c +@@ -451,6 +451,7 @@ static void ib_uverbs_async_handler(struct ib_uverbs_file *file, + + entry->desc.async.element = element; + entry->desc.async.event_type = event; ++ entry->desc.async.reserved = 0; + entry->counter = counter; + + list_add_tail(&entry->list, &file->async_file->event_list); +diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c +index 77702c0..46b291e 100644 +--- a/drivers/infiniband/hw/mlx4/mad.c ++++ b/drivers/infiniband/hw/mlx4/mad.c +@@ -44,6 +44,14 @@ enum { + MLX4_IB_VENDOR_CLASS2 = 0xa + }; + ++/* Counters should be saturate once they reach their maximum value */ ++#define ASSIGN_32BIT_COUNTER(counter, value) do {\ ++ if ((value) > (u32)~0U) \ ++ counter = cpu_to_be32((u32)~0U); \ ++ else \ ++ counter = cpu_to_be32(value); \ ++} while (0) ++ + int mlx4_MAD_IFC(struct mlx4_ib_dev *dev, int ignore_mkey, int ignore_bkey, + int port, struct ib_wc *in_wc, struct ib_grh *in_grh, + void *in_mad, void *response_mad) +@@ -303,10 +311,14 @@ static int ib_process_mad(struct ib_device *ibdev, int mad_flags, u8 port_num, + static void edit_counter(struct mlx4_counter *cnt, + struct ib_pma_portcounters *pma_cnt) + { +- pma_cnt->port_xmit_data = cpu_to_be32((be64_to_cpu(cnt->tx_bytes)>>2)); +- pma_cnt->port_rcv_data = cpu_to_be32((be64_to_cpu(cnt->rx_bytes)>>2)); +- pma_cnt->port_xmit_packets = cpu_to_be32(be64_to_cpu(cnt->tx_frames)); +- pma_cnt->port_rcv_packets = cpu_to_be32(be64_to_cpu(cnt->rx_frames)); ++ ASSIGN_32BIT_COUNTER(pma_cnt->port_xmit_data, ++ (be64_to_cpu(cnt->tx_bytes) >> 2)); ++ ASSIGN_32BIT_COUNTER(pma_cnt->port_rcv_data, ++ (be64_to_cpu(cnt->rx_bytes) >> 2)); ++ ASSIGN_32BIT_COUNTER(pma_cnt->port_xmit_packets, ++ be64_to_cpu(cnt->tx_frames)); ++ ASSIGN_32BIT_COUNTER(pma_cnt->port_rcv_packets, ++ be64_to_cpu(cnt->rx_frames)); + } + + static int iboe_process_mad(struct ib_device *ibdev, int mad_flags, u8 port_num, +diff --git a/drivers/infiniband/hw/qib/qib.h b/drivers/infiniband/hw/qib/qib.h +index b881bdc..4c2b079 100644 +--- a/drivers/infiniband/hw/qib/qib.h ++++ b/drivers/infiniband/hw/qib/qib.h +@@ -1005,12 +1005,6 @@ struct qib_devdata { + /* control high-level access to EEPROM */ + struct mutex eep_lock; + uint64_t traffic_wds; +- /* active time is kept in seconds, but logged in hours */ +- atomic_t active_time; +- /* Below are nominal shadow of EEPROM, new since last EEPROM update */ +- uint8_t eep_st_errs[QIB_EEP_LOG_CNT]; +- uint8_t eep_st_new_errs[QIB_EEP_LOG_CNT]; +- uint16_t eep_hrs; + /* + * masks for which bits of errs, hwerrs that cause + * each of the counters to increment. +@@ -1227,8 +1221,7 @@ int qib_twsi_blk_rd(struct qib_devdata *dd, int dev, int addr, void *buffer, + int qib_twsi_blk_wr(struct qib_devdata *dd, int dev, int addr, + const void *buffer, int len); + void qib_get_eeprom_info(struct qib_devdata *); +-int qib_update_eeprom_log(struct qib_devdata *dd); +-void qib_inc_eeprom_err(struct qib_devdata *dd, u32 eidx, u32 incr); ++#define qib_inc_eeprom_err(dd, eidx, incr) + void qib_dump_lookup_output_queue(struct qib_devdata *); + void qib_force_pio_avail_update(struct qib_devdata *); + void qib_clear_symerror_on_linkup(unsigned long opaque); +diff --git a/drivers/infiniband/hw/qib/qib_eeprom.c b/drivers/infiniband/hw/qib/qib_eeprom.c +index 92d9cfe..6359c2f 100644 +--- a/drivers/infiniband/hw/qib/qib_eeprom.c ++++ b/drivers/infiniband/hw/qib/qib_eeprom.c +@@ -263,189 +263,9 @@ void qib_get_eeprom_info(struct qib_devdata *dd) + qib_dev_err(dd, "Board SN %s did not pass functional " + "test: %s\n", dd->serial, ifp->if_comment); + +- memcpy(&dd->eep_st_errs, &ifp->if_errcntp, QIB_EEP_LOG_CNT); +- /* +- * Power-on (actually "active") hours are kept as little-endian value +- * in EEPROM, but as seconds in a (possibly as small as 24-bit) +- * atomic_t while running. +- */ +- atomic_set(&dd->active_time, 0); +- dd->eep_hrs = ifp->if_powerhour[0] | (ifp->if_powerhour[1] << 8); +- + done: + vfree(buf); + + bail:; + } + +-/** +- * qib_update_eeprom_log - copy active-time and error counters to eeprom +- * @dd: the qlogic_ib device +- * +- * Although the time is kept as seconds in the qib_devdata struct, it is +- * rounded to hours for re-write, as we have only 16 bits in EEPROM. +- * First-cut code reads whole (expected) struct qib_flash, modifies, +- * re-writes. Future direction: read/write only what we need, assuming +- * that the EEPROM had to have been "good enough" for driver init, and +- * if not, we aren't making it worse. +- * +- */ +-int qib_update_eeprom_log(struct qib_devdata *dd) +-{ +- void *buf; +- struct qib_flash *ifp; +- int len, hi_water; +- uint32_t new_time, new_hrs; +- u8 csum; +- int ret, idx; +- unsigned long flags; +- +- /* first, check if we actually need to do anything. */ +- ret = 0; +- for (idx = 0; idx < QIB_EEP_LOG_CNT; ++idx) { +- if (dd->eep_st_new_errs[idx]) { +- ret = 1; +- break; +- } +- } +- new_time = atomic_read(&dd->active_time); +- +- if (ret == 0 && new_time < 3600) +- goto bail; +- +- /* +- * The quick-check above determined that there is something worthy +- * of logging, so get current contents and do a more detailed idea. +- * read full flash, not just currently used part, since it may have +- * been written with a newer definition +- */ +- len = sizeof(struct qib_flash); +- buf = vmalloc(len); +- ret = 1; +- if (!buf) { +- qib_dev_err(dd, "Couldn't allocate memory to read %u " +- "bytes from eeprom for logging\n", len); +- goto bail; +- } +- +- /* Grab semaphore and read current EEPROM. If we get an +- * error, let go, but if not, keep it until we finish write. +- */ +- ret = mutex_lock_interruptible(&dd->eep_lock); +- if (ret) { +- qib_dev_err(dd, "Unable to acquire EEPROM for logging\n"); +- goto free_bail; +- } +- ret = qib_twsi_blk_rd(dd, dd->twsi_eeprom_dev, 0, buf, len); +- if (ret) { +- mutex_unlock(&dd->eep_lock); +- qib_dev_err(dd, "Unable read EEPROM for logging\n"); +- goto free_bail; +- } +- ifp = (struct qib_flash *)buf; +- +- csum = flash_csum(ifp, 0); +- if (csum != ifp->if_csum) { +- mutex_unlock(&dd->eep_lock); +- qib_dev_err(dd, "EEPROM cks err (0x%02X, S/B 0x%02X)\n", +- csum, ifp->if_csum); +- ret = 1; +- goto free_bail; +- } +- hi_water = 0; +- spin_lock_irqsave(&dd->eep_st_lock, flags); +- for (idx = 0; idx < QIB_EEP_LOG_CNT; ++idx) { +- int new_val = dd->eep_st_new_errs[idx]; +- if (new_val) { +- /* +- * If we have seen any errors, add to EEPROM values +- * We need to saturate at 0xFF (255) and we also +- * would need to adjust the checksum if we were +- * trying to minimize EEPROM traffic +- * Note that we add to actual current count in EEPROM, +- * in case it was altered while we were running. +- */ +- new_val += ifp->if_errcntp[idx]; +- if (new_val > 0xFF) +- new_val = 0xFF; +- if (ifp->if_errcntp[idx] != new_val) { +- ifp->if_errcntp[idx] = new_val; +- hi_water = offsetof(struct qib_flash, +- if_errcntp) + idx; +- } +- /* +- * update our shadow (used to minimize EEPROM +- * traffic), to match what we are about to write. +- */ +- dd->eep_st_errs[idx] = new_val; +- dd->eep_st_new_errs[idx] = 0; +- } +- } +- /* +- * Now update active-time. We would like to round to the nearest hour +- * but unless atomic_t are sure to be proper signed ints we cannot, +- * because we need to account for what we "transfer" to EEPROM and +- * if we log an hour at 31 minutes, then we would need to set +- * active_time to -29 to accurately count the _next_ hour. +- */ +- if (new_time >= 3600) { +- new_hrs = new_time / 3600; +- atomic_sub((new_hrs * 3600), &dd->active_time); +- new_hrs += dd->eep_hrs; +- if (new_hrs > 0xFFFF) +- new_hrs = 0xFFFF; +- dd->eep_hrs = new_hrs; +- if ((new_hrs & 0xFF) != ifp->if_powerhour[0]) { +- ifp->if_powerhour[0] = new_hrs & 0xFF; +- hi_water = offsetof(struct qib_flash, if_powerhour); +- } +- if ((new_hrs >> 8) != ifp->if_powerhour[1]) { +- ifp->if_powerhour[1] = new_hrs >> 8; +- hi_water = offsetof(struct qib_flash, if_powerhour) + 1; +- } +- } +- /* +- * There is a tiny possibility that we could somehow fail to write +- * the EEPROM after updating our shadows, but problems from holding +- * the spinlock too long are a much bigger issue. +- */ +- spin_unlock_irqrestore(&dd->eep_st_lock, flags); +- if (hi_water) { +- /* we made some change to the data, uopdate cksum and write */ +- csum = flash_csum(ifp, 1); +- ret = eeprom_write_with_enable(dd, 0, buf, hi_water + 1); +- } +- mutex_unlock(&dd->eep_lock); +- if (ret) +- qib_dev_err(dd, "Failed updating EEPROM\n"); +- +-free_bail: +- vfree(buf); +-bail: +- return ret; +-} +- +-/** +- * qib_inc_eeprom_err - increment one of the four error counters +- * that are logged to EEPROM. +- * @dd: the qlogic_ib device +- * @eidx: 0..3, the counter to increment +- * @incr: how much to add +- * +- * Each counter is 8-bits, and saturates at 255 (0xFF). They +- * are copied to the EEPROM (aka flash) whenever qib_update_eeprom_log() +- * is called, but it can only be called in a context that allows sleep. +- * This function can be called even at interrupt level. +- */ +-void qib_inc_eeprom_err(struct qib_devdata *dd, u32 eidx, u32 incr) +-{ +- uint new_val; +- unsigned long flags; +- +- spin_lock_irqsave(&dd->eep_st_lock, flags); +- new_val = dd->eep_st_new_errs[eidx] + incr; +- if (new_val > 255) +- new_val = 255; +- dd->eep_st_new_errs[eidx] = new_val; +- spin_unlock_irqrestore(&dd->eep_st_lock, flags); +-} +diff --git a/drivers/infiniband/hw/qib/qib_iba6120.c b/drivers/infiniband/hw/qib/qib_iba6120.c +index 4f18e2d..2a0f7de 100644 +--- a/drivers/infiniband/hw/qib/qib_iba6120.c ++++ b/drivers/infiniband/hw/qib/qib_iba6120.c +@@ -2674,8 +2674,6 @@ static void qib_get_6120_faststats(unsigned long opaque) + spin_lock_irqsave(&dd->eep_st_lock, flags); + traffic_wds -= dd->traffic_wds; + dd->traffic_wds += traffic_wds; +- if (traffic_wds >= QIB_TRAFFIC_ACTIVE_THRESHOLD) +- atomic_add(5, &dd->active_time); /* S/B #define */ + spin_unlock_irqrestore(&dd->eep_st_lock, flags); + + qib_chk_6120_errormask(dd); +diff --git a/drivers/infiniband/hw/qib/qib_iba7220.c b/drivers/infiniband/hw/qib/qib_iba7220.c +index 7ec4048..4dc04e3 100644 +--- a/drivers/infiniband/hw/qib/qib_iba7220.c ++++ b/drivers/infiniband/hw/qib/qib_iba7220.c +@@ -3292,8 +3292,6 @@ static void qib_get_7220_faststats(unsigned long opaque) + spin_lock_irqsave(&dd->eep_st_lock, flags); + traffic_wds -= dd->traffic_wds; + dd->traffic_wds += traffic_wds; +- if (traffic_wds >= QIB_TRAFFIC_ACTIVE_THRESHOLD) +- atomic_add(5, &dd->active_time); /* S/B #define */ + spin_unlock_irqrestore(&dd->eep_st_lock, flags); + done: + mod_timer(&dd->stats_timer, jiffies + HZ * ACTIVITY_TIMER); +diff --git a/drivers/infiniband/hw/qib/qib_iba7322.c b/drivers/infiniband/hw/qib/qib_iba7322.c +index d8517fc..44180c6 100644 +--- a/drivers/infiniband/hw/qib/qib_iba7322.c ++++ b/drivers/infiniband/hw/qib/qib_iba7322.c +@@ -4793,8 +4793,6 @@ static void qib_get_7322_faststats(unsigned long opaque) + spin_lock_irqsave(&ppd->dd->eep_st_lock, flags); + traffic_wds -= ppd->dd->traffic_wds; + ppd->dd->traffic_wds += traffic_wds; +- if (traffic_wds >= QIB_TRAFFIC_ACTIVE_THRESHOLD) +- atomic_add(ACTIVITY_TIMER, &ppd->dd->active_time); + spin_unlock_irqrestore(&ppd->dd->eep_st_lock, flags); + if (ppd->cpspec->qdr_dfe_on && (ppd->link_speed_active & + QIB_IB_QDR) && +diff --git a/drivers/infiniband/hw/qib/qib_init.c b/drivers/infiniband/hw/qib/qib_init.c +index 58b0f8a..9966ec2 100644 +--- a/drivers/infiniband/hw/qib/qib_init.c ++++ b/drivers/infiniband/hw/qib/qib_init.c +@@ -765,7 +765,6 @@ static void qib_shutdown_device(struct qib_devdata *dd) + dd->f_quiet_serdes(ppd); + } + +- qib_update_eeprom_log(dd); + } + + /** +diff --git a/drivers/infiniband/hw/qib/qib_sysfs.c b/drivers/infiniband/hw/qib/qib_sysfs.c +index 78fbd56..c97224a 100644 +--- a/drivers/infiniband/hw/qib/qib_sysfs.c ++++ b/drivers/infiniband/hw/qib/qib_sysfs.c +@@ -550,28 +550,6 @@ bail: + return ret < 0 ? ret : count; + } + +-static ssize_t show_logged_errs(struct device *device, +- struct device_attribute *attr, char *buf) +-{ +- struct qib_ibdev *dev = +- container_of(device, struct qib_ibdev, ibdev.dev); +- struct qib_devdata *dd = dd_from_dev(dev); +- int idx, count; +- +- /* force consistency with actual EEPROM */ +- if (qib_update_eeprom_log(dd) != 0) +- return -ENXIO; +- +- count = 0; +- for (idx = 0; idx < QIB_EEP_LOG_CNT; ++idx) { +- count += scnprintf(buf + count, PAGE_SIZE - count, "%d%c", +- dd->eep_st_errs[idx], +- idx == (QIB_EEP_LOG_CNT - 1) ? '\n' : ' '); +- } +- +- return count; +-} +- + /* + * Dump tempsense regs. in decimal, to ease shell-scripts. + */ +@@ -618,7 +596,6 @@ static DEVICE_ATTR(nctxts, S_IRUGO, show_nctxts, NULL); + static DEVICE_ATTR(nfreectxts, S_IRUGO, show_nfreectxts, NULL); + static DEVICE_ATTR(serial, S_IRUGO, show_serial, NULL); + static DEVICE_ATTR(boardversion, S_IRUGO, show_boardversion, NULL); +-static DEVICE_ATTR(logged_errors, S_IRUGO, show_logged_errs, NULL); + static DEVICE_ATTR(tempsense, S_IRUGO, show_tempsense, NULL); + static DEVICE_ATTR(localbus_info, S_IRUGO, show_localbus_info, NULL); + static DEVICE_ATTR(chip_reset, S_IWUSR, NULL, store_chip_reset); +@@ -632,7 +609,6 @@ static struct device_attribute *qib_attributes[] = { + &dev_attr_nfreectxts, + &dev_attr_serial, + &dev_attr_boardversion, +- &dev_attr_logged_errors, + &dev_attr_tempsense, + &dev_attr_localbus_info, + &dev_attr_chip_reset, +diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c +index bb41f94..91e94ad 100644 +--- a/drivers/input/mouse/synaptics.c ++++ b/drivers/input/mouse/synaptics.c +@@ -274,8 +274,14 @@ static int synaptics_resolution(struct psmouse *psmouse) + } + } + +- if (SYN_EXT_CAP_REQUESTS(priv->capabilities) >= 7 && +- SYN_CAP_MIN_DIMENSIONS(priv->ext_cap_0c)) { ++ if (SYN_CAP_MIN_DIMENSIONS(priv->ext_cap_0c) && ++ (SYN_EXT_CAP_REQUESTS(priv->capabilities) >= 7 || ++ /* ++ * Firmware v8.1 does not report proper number of extended ++ * capabilities, but has been proven to report correct min ++ * coordinates. ++ */ ++ SYN_ID_FULL(priv->identity) == 0x801)) { + if (synaptics_send_cmd(psmouse, SYN_QUE_EXT_MIN_COORDS, resp)) { + psmouse_warn(psmouse, + "device claims to have min coordinates query, but I'm not able to read it.\n"); +@@ -495,6 +501,18 @@ static void synaptics_parse_agm(const unsigned char buf[], + priv->agm_pending = true; + } + ++static void synaptics_parse_ext_buttons(const unsigned char buf[], ++ struct synaptics_data *priv, ++ struct synaptics_hw_state *hw) ++{ ++ unsigned int ext_bits = ++ (SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap) + 1) >> 1; ++ unsigned int ext_mask = (1U << ext_bits) - 1; ++ ++ hw->ext_buttons = buf[4] & ext_mask; ++ hw->ext_buttons |= (buf[5] & ext_mask) << ext_bits; ++} ++ + static bool is_forcepad; + + static int synaptics_parse_hw_state(const unsigned char buf[], +@@ -581,28 +599,9 @@ static int synaptics_parse_hw_state(const unsigned char buf[], + hw->down = ((buf[0] ^ buf[3]) & 0x02) ? 1 : 0; + } + +- if (SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap) && ++ if (SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap) > 0 && + ((buf[0] ^ buf[3]) & 0x02)) { +- switch (SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap) & ~0x01) { +- default: +- /* +- * if nExtBtn is greater than 8 it should be +- * considered invalid and treated as 0 +- */ +- break; +- case 8: +- hw->ext_buttons |= ((buf[5] & 0x08)) ? 0x80 : 0; +- hw->ext_buttons |= ((buf[4] & 0x08)) ? 0x40 : 0; +- case 6: +- hw->ext_buttons |= ((buf[5] & 0x04)) ? 0x20 : 0; +- hw->ext_buttons |= ((buf[4] & 0x04)) ? 0x10 : 0; +- case 4: +- hw->ext_buttons |= ((buf[5] & 0x02)) ? 0x08 : 0; +- hw->ext_buttons |= ((buf[4] & 0x02)) ? 0x04 : 0; +- case 2: +- hw->ext_buttons |= ((buf[5] & 0x01)) ? 0x02 : 0; +- hw->ext_buttons |= ((buf[4] & 0x01)) ? 0x01 : 0; +- } ++ synaptics_parse_ext_buttons(buf, priv, hw); + } + } else { + hw->x = (((buf[1] & 0x1f) << 8) | buf[2]); +@@ -664,12 +663,35 @@ static void synaptics_report_semi_mt_data(struct input_dev *dev, + } + } + ++static void synaptics_report_ext_buttons(struct psmouse *psmouse, ++ const struct synaptics_hw_state *hw) ++{ ++ struct input_dev *dev = psmouse->dev; ++ struct synaptics_data *priv = psmouse->private; ++ int ext_bits = (SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap) + 1) >> 1; ++ int i; ++ ++ if (!SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap)) ++ return; ++ ++ /* Bug in FW 8.1, buttons are reported only when ExtBit is 1 */ ++ if (SYN_ID_FULL(priv->identity) == 0x801 && ++ !((psmouse->packet[0] ^ psmouse->packet[3]) & 0x02)) ++ return; ++ ++ for (i = 0; i < ext_bits; i++) { ++ input_report_key(dev, BTN_0 + 2 * i, ++ hw->ext_buttons & (1 << i)); ++ input_report_key(dev, BTN_1 + 2 * i, ++ hw->ext_buttons & (1 << (i + ext_bits))); ++ } ++} ++ + static void synaptics_report_buttons(struct psmouse *psmouse, + const struct synaptics_hw_state *hw) + { + struct input_dev *dev = psmouse->dev; + struct synaptics_data *priv = psmouse->private; +- int i; + + input_report_key(dev, BTN_LEFT, hw->left); + input_report_key(dev, BTN_RIGHT, hw->right); +@@ -682,8 +704,7 @@ static void synaptics_report_buttons(struct psmouse *psmouse, + input_report_key(dev, BTN_BACK, hw->down); + } + +- for (i = 0; i < SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap); i++) +- input_report_key(dev, BTN_0 + i, hw->ext_buttons & (1 << i)); ++ synaptics_report_ext_buttons(psmouse, hw); + } + + static void synaptics_report_slot(struct input_dev *dev, int slot, +diff --git a/drivers/md/dm-io.c b/drivers/md/dm-io.c +index 39a08be..b8ed01b 100644 +--- a/drivers/md/dm-io.c ++++ b/drivers/md/dm-io.c +@@ -299,6 +299,16 @@ static void do_region(int rw, unsigned region, struct dm_io_region *where, + sector_t remaining = where->count; + struct request_queue *q = bdev_get_queue(where->bdev); + sector_t discard_sectors; ++ unsigned int uninitialized_var(special_cmd_max_sectors); ++ ++ /* Reject unsupported discard requests */ ++ if (rw & REQ_DISCARD) { ++ special_cmd_max_sectors = q->limits.max_discard_sectors; ++ if (special_cmd_max_sectors == 0) { ++ dec_count(io, region, -EOPNOTSUPP); ++ return; ++ } ++ } + + /* + * where->count may be zero if rw holds a flush and we need to +@@ -322,7 +332,7 @@ static void do_region(int rw, unsigned region, struct dm_io_region *where, + store_io_and_region_in_bio(bio, io, region); + + if (rw & REQ_DISCARD) { +- discard_sectors = min_t(sector_t, q->limits.max_discard_sectors, remaining); ++ discard_sectors = min_t(sector_t, special_cmd_max_sectors, remaining); + bio->bi_size = discard_sectors << SECTOR_SHIFT; + remaining -= discard_sectors; + } else while (remaining) { +diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c +index b7b649d..b4361eb 100644 +--- a/drivers/md/dm-raid1.c ++++ b/drivers/md/dm-raid1.c +@@ -603,6 +603,15 @@ static void write_callback(unsigned long error, void *context) + return; + } + ++ /* ++ * If the bio is discard, return an error, but do not ++ * degrade the array. ++ */ ++ if (bio->bi_rw & REQ_DISCARD) { ++ bio_endio(bio, -EOPNOTSUPP); ++ return; ++ } ++ + for (i = 0; i < ms->nr_mirrors; i++) + if (test_bit(i, &error)) + fail_mirror(ms->mirror + i, DM_RAID1_WRITE_ERROR); +diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c +index fec79e7..6b94c3c 100644 +--- a/drivers/md/dm-snap.c ++++ b/drivers/md/dm-snap.c +@@ -1444,8 +1444,6 @@ out: + full_bio->bi_end_io = pe->full_bio_end_io; + full_bio->bi_private = pe->full_bio_private; + } +- free_pending_exception(pe); +- + increment_pending_exceptions_done_count(); + + up_write(&s->lock); +@@ -1462,6 +1460,8 @@ out: + } + + retry_origin_bios(s, origin_bios); ++ ++ free_pending_exception(pe); + } + + static void commit_callback(void *context, int success) +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index 7ead065..c00bcdc 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -2232,7 +2232,7 @@ int dm_setup_md_queue(struct mapped_device *md) + return 0; + } + +-static struct mapped_device *dm_find_md(dev_t dev) ++struct mapped_device *dm_get_md(dev_t dev) + { + struct mapped_device *md; + unsigned minor = MINOR(dev); +@@ -2243,12 +2243,15 @@ static struct mapped_device *dm_find_md(dev_t dev) + spin_lock(&_minor_lock); + + md = idr_find(&_minor_idr, minor); +- if (md && (md == MINOR_ALLOCED || +- (MINOR(disk_devt(dm_disk(md))) != minor) || +- dm_deleting_md(md) || +- test_bit(DMF_FREEING, &md->flags))) { +- md = NULL; +- goto out; ++ if (md) { ++ if ((md == MINOR_ALLOCED || ++ (MINOR(disk_devt(dm_disk(md))) != minor) || ++ dm_deleting_md(md) || ++ test_bit(DMF_FREEING, &md->flags))) { ++ md = NULL; ++ goto out; ++ } ++ dm_get(md); + } + + out: +@@ -2256,16 +2259,6 @@ out: + + return md; + } +- +-struct mapped_device *dm_get_md(dev_t dev) +-{ +- struct mapped_device *md = dm_find_md(dev); +- +- if (md) +- dm_get(md); +- +- return md; +-} + EXPORT_SYMBOL_GPL(dm_get_md); + + void *dm_get_mdptr(struct mapped_device *md) +@@ -2302,10 +2295,16 @@ static void __dm_destroy(struct mapped_device *md, bool wait) + set_bit(DMF_FREEING, &md->flags); + spin_unlock(&_minor_lock); + ++ /* ++ * Take suspend_lock so that presuspend and postsuspend methods ++ * do not race with internal suspend. ++ */ ++ mutex_lock(&md->suspend_lock); + if (!dm_suspended_md(md)) { + dm_table_presuspend_targets(map); + dm_table_postsuspend_targets(map); + } ++ mutex_unlock(&md->suspend_lock); + + /* + * Rare, but there may be I/O requests still going to complete, +diff --git a/drivers/media/dvb/dvb-usb/lmedm04.c b/drivers/media/dvb/dvb-usb/lmedm04.c +index b922824..c7ad854 100644 +--- a/drivers/media/dvb/dvb-usb/lmedm04.c ++++ b/drivers/media/dvb/dvb-usb/lmedm04.c +@@ -326,7 +326,9 @@ static void lme2510_int_response(struct urb *lme_urb) + + static int lme2510_int_read(struct dvb_usb_adapter *adap) + { ++ struct dvb_usb_device *d = adap->dev; + struct lme2510_state *lme_int = adap->dev->priv; ++ struct usb_host_endpoint *ep; + + lme_int->lme_urb = usb_alloc_urb(0, GFP_ATOMIC); + +@@ -348,6 +350,12 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap) + adap, + 8); + ++ /* Quirk of pipe reporting PIPE_BULK but behaves as interrupt */ ++ ep = usb_pipe_endpoint(d->udev, lme_int->lme_urb->pipe); ++ ++ if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK) ++ lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa), ++ + lme_int->lme_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; + + usb_submit_urb(lme_int->lme_urb, GFP_ATOMIC); +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index a25442e..db9100f 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -468,6 +468,11 @@ struct sk_buff *alloc_can_skb(struct net_device *dev, struct can_frame **cf) + skb->protocol = htons(ETH_P_CAN); + skb->pkt_type = PACKET_BROADCAST; + skb->ip_summed = CHECKSUM_UNNECESSARY; ++ ++ skb_reset_mac_header(skb); ++ skb_reset_network_header(skb); ++ skb_reset_transport_header(skb); ++ + *cf = (struct can_frame *)skb_put(skb, sizeof(struct can_frame)); + memset(*cf, 0, sizeof(struct can_frame)); + +diff --git a/drivers/net/ethernet/amd/pcnet32.c b/drivers/net/ethernet/amd/pcnet32.c +index f92bc6e..c664abb 100644 +--- a/drivers/net/ethernet/amd/pcnet32.c ++++ b/drivers/net/ethernet/amd/pcnet32.c +@@ -1524,7 +1524,7 @@ pcnet32_probe1(unsigned long ioaddr, int shared, struct pci_dev *pdev) + { + struct pcnet32_private *lp; + int i, media; +- int fdx, mii, fset, dxsuflo; ++ int fdx, mii, fset, dxsuflo, sram; + int chip_version; + char *chipname; + struct net_device *dev; +@@ -1561,7 +1561,7 @@ pcnet32_probe1(unsigned long ioaddr, int shared, struct pci_dev *pdev) + } + + /* initialize variables */ +- fdx = mii = fset = dxsuflo = 0; ++ fdx = mii = fset = dxsuflo = sram = 0; + chip_version = (chip_version >> 12) & 0xffff; + + switch (chip_version) { +@@ -1594,6 +1594,7 @@ pcnet32_probe1(unsigned long ioaddr, int shared, struct pci_dev *pdev) + chipname = "PCnet/FAST III 79C973"; /* PCI */ + fdx = 1; + mii = 1; ++ sram = 1; + break; + case 0x2626: + chipname = "PCnet/Home 79C978"; /* PCI */ +@@ -1617,6 +1618,7 @@ pcnet32_probe1(unsigned long ioaddr, int shared, struct pci_dev *pdev) + chipname = "PCnet/FAST III 79C975"; /* PCI */ + fdx = 1; + mii = 1; ++ sram = 1; + break; + case 0x2628: + chipname = "PCnet/PRO 79C976"; +@@ -1645,6 +1647,31 @@ pcnet32_probe1(unsigned long ioaddr, int shared, struct pci_dev *pdev) + dxsuflo = 1; + } + ++ /* ++ * The Am79C973/Am79C975 controllers come with 12K of SRAM ++ * which we can use for the Tx/Rx buffers but most importantly, ++ * the use of SRAM allow us to use the BCR18:NOUFLO bit to avoid ++ * Tx fifo underflows. ++ */ ++ if (sram) { ++ /* ++ * The SRAM is being configured in two steps. First we ++ * set the SRAM size in the BCR25:SRAM_SIZE bits. According ++ * to the datasheet, each bit corresponds to a 512-byte ++ * page so we can have at most 24 pages. The SRAM_SIZE ++ * holds the value of the upper 8 bits of the 16-bit SRAM size. ++ * The low 8-bits start at 0x00 and end at 0xff. So the ++ * address range is from 0x0000 up to 0x17ff. Therefore, ++ * the SRAM_SIZE is set to 0x17. The next step is to set ++ * the BCR26:SRAM_BND midway through so the Tx and Rx ++ * buffers can share the SRAM equally. ++ */ ++ a->write_bcr(ioaddr, 25, 0x17); ++ a->write_bcr(ioaddr, 26, 0xc); ++ /* And finally enable the NOUFLO bit */ ++ a->write_bcr(ioaddr, 18, a->read_bcr(ioaddr, 18) | (1 << 11)); ++ } ++ + dev = alloc_etherdev(sizeof(*lp)); + if (!dev) { + if (pcnet32_debug & NETIF_MSG_PROBE) +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +index 2f6361e..1042935 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +@@ -10325,6 +10325,10 @@ static int __devinit bnx2x_init_dev(struct pci_dev *pdev, + /* clean indirect addresses */ + pci_write_config_dword(bp->pdev, PCICFG_GRC_ADDRESS, + PCICFG_VENDOR_ID_OFFSET); ++ ++ /* Set PCIe reset type to fundamental for EEH recovery */ ++ pdev->needs_freset = 1; ++ + /* + * Clean the following indirect addresses for all functions since it + * is not used by the driver. +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index 2ec19e7..d0ebf9c 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -5412,7 +5412,7 @@ static void tg3_tx(struct tg3_napi *tnapi) + sw_idx = NEXT_TX(sw_idx); + } + +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + + if (unlikely(tx_bug)) { + tg3_tx_recover(tp); +@@ -5702,7 +5702,7 @@ static int tg3_rx(struct tg3_napi *tnapi, int budget) + + if (len > (tp->dev->mtu + ETH_HLEN) && + skb->protocol != htons(ETH_P_8021Q)) { +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + goto drop_it_no_recycle; + } + +@@ -6609,7 +6609,7 @@ static int tigon3_dma_hwbug_workaround(struct tg3_napi *tnapi, + PCI_DMA_TODEVICE); + /* Make sure the mapping succeeded */ + if (pci_dma_mapping_error(tp->pdev, new_addr)) { +- dev_kfree_skb(new_skb); ++ dev_kfree_skb_any(new_skb); + ret = -1; + } else { + u32 save_entry = *entry; +@@ -6624,13 +6624,13 @@ static int tigon3_dma_hwbug_workaround(struct tg3_napi *tnapi, + new_skb->len, base_flags, + mss, vlan)) { + tg3_tx_skb_unmap(tnapi, save_entry, -1); +- dev_kfree_skb(new_skb); ++ dev_kfree_skb_any(new_skb); + ret = -1; + } + } + } + +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + *pskb = new_skb; + return ret; + } +@@ -6673,7 +6673,7 @@ static int tg3_tso_bug(struct tg3 *tp, struct sk_buff *skb) + } while (segs); + + tg3_tso_bug_end: +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + + return NETDEV_TX_OK; + } +@@ -6888,7 +6888,7 @@ dma_error: + tg3_tx_skb_unmap(tnapi, tnapi->tx_prod, --i); + tnapi->tx_buffers[tnapi->tx_prod].skb = NULL; + drop: +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + drop_nofree: + tp->tx_dropped++; + return NETDEV_TX_OK; +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index 36c7c4e..10c9acf 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -1434,7 +1434,7 @@ static u16 be_tx_compl_process(struct be_adapter *adapter, + queue_tail_inc(txq); + } while (cur_index != last_index); + +- kfree_skb(sent_skb); ++ dev_kfree_skb_any(sent_skb); + return num_wrbs; + } + +diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c +index fb9e7d3..b167e38 100644 +--- a/drivers/net/ethernet/freescale/gianfar.c ++++ b/drivers/net/ethernet/freescale/gianfar.c +@@ -2092,10 +2092,10 @@ static int gfar_start_xmit(struct sk_buff *skb, struct net_device *dev) + skb_new = skb_realloc_headroom(skb, GMAC_FCB_LEN); + if (!skb_new) { + dev->stats.tx_errors++; +- kfree_skb(skb); ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } +- kfree_skb(skb); ++ dev_kfree_skb_any(skb); + skb = skb_new; + } + +diff --git a/drivers/net/ethernet/intel/ixgb/ixgb_main.c b/drivers/net/ethernet/intel/ixgb/ixgb_main.c +index e21148f..e17cfca 100644 +--- a/drivers/net/ethernet/intel/ixgb/ixgb_main.c ++++ b/drivers/net/ethernet/intel/ixgb/ixgb_main.c +@@ -1539,12 +1539,12 @@ ixgb_xmit_frame(struct sk_buff *skb, struct net_device *netdev) + int tso; + + if (test_bit(__IXGB_DOWN, &adapter->flags)) { +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + + if (skb->len <= 0) { +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + +@@ -1561,7 +1561,7 @@ ixgb_xmit_frame(struct sk_buff *skb, struct net_device *netdev) + + tso = ixgb_tso(adapter, skb); + if (tso < 0) { +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + +diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c +index 4a238a4..8737e0d 100644 +--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c ++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c +@@ -2277,7 +2277,10 @@ static int netxen_nic_poll(struct napi_struct *napi, int budget) + + work_done = netxen_process_rcv_ring(sds_ring, budget); + +- if ((work_done < budget) && tx_complete) { ++ if (!tx_complete) ++ work_done = budget; ++ ++ if (work_done < budget) { + napi_complete(&sds_ring->napi); + if (test_bit(__NX_DEV_UP, &adapter->state)) + netxen_nic_enable_int(sds_ring); +diff --git a/drivers/net/ethernet/realtek/8139cp.c b/drivers/net/ethernet/realtek/8139cp.c +index 4aa830f..ab5c276 100644 +--- a/drivers/net/ethernet/realtek/8139cp.c ++++ b/drivers/net/ethernet/realtek/8139cp.c +@@ -886,7 +886,7 @@ out_unlock: + + return NETDEV_TX_OK; + out_dma_error: +- kfree_skb(skb); ++ dev_kfree_skb_any(skb); + cp->dev->stats.tx_dropped++; + goto out_unlock; + } +diff --git a/drivers/net/ethernet/realtek/8139too.c b/drivers/net/ethernet/realtek/8139too.c +index 4d6b254..728805f 100644 +--- a/drivers/net/ethernet/realtek/8139too.c ++++ b/drivers/net/ethernet/realtek/8139too.c +@@ -1703,9 +1703,9 @@ static netdev_tx_t rtl8139_start_xmit (struct sk_buff *skb, + if (len < ETH_ZLEN) + memset(tp->tx_buf[entry], 0, ETH_ZLEN); + skb_copy_and_csum_dev(skb, tp->tx_buf[entry]); +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + } else { +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + dev->stats.tx_dropped++; + return NETDEV_TX_OK; + } +diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c +index a3bd0ba..0c26787 100644 +--- a/drivers/net/ethernet/realtek/r8169.c ++++ b/drivers/net/ethernet/realtek/r8169.c +@@ -5372,7 +5372,7 @@ static void rtl8169_tx_clear_range(struct rtl8169_private *tp, u32 start, + tp->TxDescArray + entry); + if (skb) { + tp->dev->stats.tx_dropped++; +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + tx_skb->skb = NULL; + } + } +@@ -5651,7 +5651,7 @@ static netdev_tx_t rtl8169_start_xmit(struct sk_buff *skb, + err_dma_1: + rtl8169_unmap_tx_skb(d, tp->tx_skb + entry, txd); + err_dma_0: +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + err_update_stats: + dev->stats.tx_dropped++; + return NETDEV_TX_OK; +@@ -5734,7 +5734,7 @@ static void rtl8169_tx_interrupt(struct net_device *dev, + if (status & LastFrag) { + dev->stats.tx_packets++; + dev->stats.tx_bytes += tx_skb->skb->len; +- dev_kfree_skb(tx_skb->skb); ++ dev_kfree_skb_any(tx_skb->skb); + tx_skb->skb = NULL; + } + dirty_tx++; +diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c +index 0e6e57e..7300447 100644 +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -667,11 +667,15 @@ static unsigned long iov_pages(const struct iovec *iv, int offset, + return pages; + } + ++/* Neighbour code has some assumptions on HH_DATA_MOD alignment */ ++#define MACVTAP_RESERVE HH_DATA_OFF(ETH_HLEN) ++ + /* Get packet from user space buffer */ + static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, + const struct iovec *iv, unsigned long total_len, + size_t count, int noblock) + { ++ int good_linear = SKB_MAX_HEAD(MACVTAP_RESERVE); + struct sk_buff *skb; + struct macvlan_dev *vlan; + unsigned long len = total_len; +@@ -714,6 +718,8 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, + + if (m && m->msg_control && sock_flag(&q->sk, SOCK_ZEROCOPY)) { + copylen = vnet_hdr.hdr_len ? vnet_hdr.hdr_len : GOODCOPY_LEN; ++ if (copylen > good_linear) ++ copylen = good_linear; + linear = copylen; + if (iov_pages(iv, vnet_hdr_len + copylen, count) + <= MAX_SKB_FRAGS) +@@ -722,10 +728,13 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, + + if (!zerocopy) { + copylen = len; +- linear = vnet_hdr.hdr_len; ++ if (vnet_hdr.hdr_len > good_linear) ++ linear = good_linear; ++ else ++ linear = vnet_hdr.hdr_len; + } + +- skb = macvtap_alloc_skb(&q->sk, NET_IP_ALIGN, copylen, ++ skb = macvtap_alloc_skb(&q->sk, MACVTAP_RESERVE, copylen, + linear, noblock, &err); + if (!skb) + goto err; +diff --git a/drivers/net/ppp/ppp_deflate.c b/drivers/net/ppp/ppp_deflate.c +index 1dbdf82..43764cc 100644 +--- a/drivers/net/ppp/ppp_deflate.c ++++ b/drivers/net/ppp/ppp_deflate.c +@@ -268,7 +268,7 @@ static int z_compress(void *arg, unsigned char *rptr, unsigned char *obuf, + /* + * See if we managed to reduce the size of the packet. + */ +- if (olen < isize) { ++ if (olen < isize && olen <= osize) { + state->stats.comp_bytes += olen; + state->stats.comp_packets++; + } else { +diff --git a/drivers/net/usb/plusb.c b/drivers/net/usb/plusb.c +index 217aec8..4a09110 100644 +--- a/drivers/net/usb/plusb.c ++++ b/drivers/net/usb/plusb.c +@@ -139,6 +139,11 @@ static const struct usb_device_id products [] = { + }, { + USB_DEVICE(0x050d, 0x258a), /* Belkin F5U258/F5U279 (PL-25A1) */ + .driver_info = (unsigned long) &prolific_info, ++}, { ++ USB_DEVICE(0x3923, 0x7825), /* National Instruments USB ++ * Host-to-Host Cable ++ */ ++ .driver_info = (unsigned long) &prolific_info, + }, + + { }, // END +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index 0d9914b..c64a60e 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -1053,8 +1053,7 @@ err: + + static int xennet_change_mtu(struct net_device *dev, int mtu) + { +- int max = xennet_can_sg(dev) ? +- XEN_NETIF_MAX_TX_SIZE - MAX_TCP_HEADER : ETH_DATA_LEN; ++ int max = xennet_can_sg(dev) ? XEN_NETIF_MAX_TX_SIZE : ETH_DATA_LEN; + + if (mtu > max) + return -EINVAL; +@@ -1329,8 +1328,6 @@ static struct net_device * __devinit xennet_create_dev(struct xenbus_device *dev + SET_ETHTOOL_OPS(netdev, &xennet_ethtool_ops); + SET_NETDEV_DEV(netdev, &dev->dev); + +- netif_set_gso_max_size(netdev, XEN_NETIF_MAX_TX_SIZE - MAX_TCP_HEADER); +- + np->netdev = netdev; + + netif_carrier_off(netdev); +diff --git a/drivers/pci/hotplug.c b/drivers/pci/hotplug.c +index 2b5352a..3b70f5c 100644 +--- a/drivers/pci/hotplug.c ++++ b/drivers/pci/hotplug.c +@@ -27,7 +27,7 @@ int pci_uevent(struct device *dev, struct kobj_uevent_env *env) + if (add_uevent_var(env, "PCI_SLOT_NAME=%s", pci_name(pdev))) + return -ENOMEM; + +- if (add_uevent_var(env, "MODALIAS=pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02x", ++ if (add_uevent_var(env, "MODALIAS=pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02X", + pdev->vendor, pdev->device, + pdev->subsystem_vendor, pdev->subsystem_device, + (u8)(pdev->class >> 16), (u8)(pdev->class >> 8), +diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c +index 48ebdb2..e31659c 100644 +--- a/drivers/pci/rom.c ++++ b/drivers/pci/rom.c +@@ -69,6 +69,7 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size) + { + void __iomem *image; + int last_image; ++ unsigned length; + + image = rom; + do { +@@ -91,9 +92,9 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size) + if (readb(pds + 3) != 'R') + break; + last_image = readb(pds + 21) & 0x80; +- /* this length is reliable */ +- image += readw(pds + 16) * 512; +- } while (!last_image); ++ length = readw(pds + 16); ++ image += length * 512; ++ } while (length && !last_image); + + /* never return a size larger than the PCI resource window */ + /* there are known ROMs that get the size wrong */ +diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c +index 379c696..b9ee9f3 100644 +--- a/drivers/scsi/be2iscsi/be_main.c ++++ b/drivers/scsi/be2iscsi/be_main.c +@@ -424,7 +424,6 @@ static struct beiscsi_hba *beiscsi_hba_alloc(struct pci_dev *pcidev) + "iscsi_host_alloc failed\n"); + return NULL; + } +- shost->dma_boundary = pcidev->dma_mask; + shost->max_id = BE2_MAX_SESSIONS; + shost->max_channel = 0; + shost->max_cmd_len = BEISCSI_MAX_CMD_LEN; +@@ -4398,9 +4397,9 @@ free_port: + hba_free: + if (phba->msix_enabled) + pci_disable_msix(phba->pcidev); +- iscsi_host_remove(phba->shost); + pci_dev_put(phba->pcidev); + iscsi_host_free(phba->shost); ++ pci_set_drvdata(pcidev, NULL); + disable_pci: + pci_disable_device(pcidev); + return ret; +diff --git a/drivers/scsi/libsas/sas_discover.c b/drivers/scsi/libsas/sas_discover.c +index 54a5199..676e169 100644 +--- a/drivers/scsi/libsas/sas_discover.c ++++ b/drivers/scsi/libsas/sas_discover.c +@@ -336,14 +336,16 @@ static void sas_revalidate_domain(struct work_struct *work) + struct sas_discovery_event *ev = + container_of(work, struct sas_discovery_event, work); + struct asd_sas_port *port = ev->port; ++ struct domain_device *ddev = port->port_dev; + + sas_begin_event(DISCE_REVALIDATE_DOMAIN, &port->disc.disc_event_lock, + &port->disc.pending); + + SAS_DPRINTK("REVALIDATING DOMAIN on port %d, pid:%d\n", port->id, + task_pid_nr(current)); +- if (port->port_dev) +- res = sas_ex_revalidate_domain(port->port_dev); ++ if (ddev && (ddev->dev_type == FANOUT_DEV || ++ ddev->dev_type == EDGE_DEV)) ++ res = sas_ex_revalidate_domain(ddev); + + SAS_DPRINTK("done REVALIDATING DOMAIN on port %d, pid:%d, res 0x%x\n", + port->id, task_pid_nr(current), res); +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index 0bdc4a7..f6a464a 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -1206,9 +1206,11 @@ int scsi_prep_state_check(struct scsi_device *sdev, struct request *req) + "rejecting I/O to dead device\n"); + ret = BLKPREP_KILL; + break; +- case SDEV_QUIESCE: + case SDEV_BLOCK: + case SDEV_CREATED_BLOCK: ++ ret = BLKPREP_DEFER; ++ break; ++ case SDEV_QUIESCE: + /* + * If the devices is blocked we defer normal commands. + */ +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index 441a1c5..2d25616 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -498,7 +498,7 @@ static ssize_t + sg_new_read(Sg_fd * sfp, char __user *buf, size_t count, Sg_request * srp) + { + sg_io_hdr_t *hp = &srp->header; +- int err = 0; ++ int err = 0, err2; + int len; + + if (count < SZ_SG_IO_HDR) { +@@ -527,8 +527,8 @@ sg_new_read(Sg_fd * sfp, char __user *buf, size_t count, Sg_request * srp) + goto err_out; + } + err_out: +- err = sg_finish_rem_req(srp); +- return (0 == err) ? count : err; ++ err2 = sg_finish_rem_req(srp); ++ return err ? : err2 ? : count; + } + + static ssize_t +diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c +index bbdf0cf..9fc34e6 100644 +--- a/drivers/spi/spi-dw.c ++++ b/drivers/spi/spi-dw.c +@@ -786,13 +786,13 @@ static void spi_hw_init(struct dw_spi *dws) + */ + if (!dws->fifo_len) { + u32 fifo; +- for (fifo = 2; fifo <= 256; fifo++) { ++ for (fifo = 1; fifo < 256; fifo++) { + dw_writew(dws, DW_SPI_TXFLTR, fifo); + if (fifo != dw_readw(dws, DW_SPI_TXFLTR)) + break; + } + +- dws->fifo_len = (fifo == 2) ? 0 : fifo - 1; ++ dws->fifo_len = (fifo == 1) ? 0 : fifo; + dw_writew(dws, DW_SPI_TXFLTR, 0); + } + } +diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c +index 830adbe..1556db9 100644 +--- a/drivers/spi/spidev.c ++++ b/drivers/spi/spidev.c +@@ -241,7 +241,10 @@ static int spidev_message(struct spidev_data *spidev, + k_tmp->len = u_tmp->len; + + total += k_tmp->len; +- if (total > bufsiz) { ++ /* Check total length of transfers. Also check each ++ * transfer length to avoid arithmetic overflow. ++ */ ++ if (total > bufsiz || k_tmp->len > bufsiz) { + status = -EMSGSIZE; + goto done; + } +diff --git a/drivers/staging/comedi/comedi_compat32.c b/drivers/staging/comedi/comedi_compat32.c +index 41a7a62..a8a0c0f 100644 +--- a/drivers/staging/comedi/comedi_compat32.c ++++ b/drivers/staging/comedi/comedi_compat32.c +@@ -271,7 +271,7 @@ static int compat_cmd(struct file *file, unsigned long arg) + { + struct comedi_cmd __user *cmd; + struct comedi32_cmd_struct __user *cmd32; +- int rc; ++ int rc, err; + + cmd32 = compat_ptr(arg); + cmd = compat_alloc_user_space(sizeof(*cmd)); +@@ -280,7 +280,15 @@ static int compat_cmd(struct file *file, unsigned long arg) + if (rc) + return rc; + +- return translated_ioctl(file, COMEDI_CMD, (unsigned long)cmd); ++ rc = translated_ioctl(file, COMEDI_CMD, (unsigned long)cmd); ++ if (rc == -EAGAIN) { ++ /* Special case: copy cmd back to user. */ ++ err = put_compat_cmd(cmd32, cmd); ++ if (err) ++ rc = err; ++ } ++ ++ return rc; + } + + /* Handle 32-bit COMEDI_CMDTEST ioctl. */ +diff --git a/drivers/staging/iio/imu/adis16400_core.c b/drivers/staging/iio/imu/adis16400_core.c +index d082a37..57cb92f 100644 +--- a/drivers/staging/iio/imu/adis16400_core.c ++++ b/drivers/staging/iio/imu/adis16400_core.c +@@ -25,6 +25,7 @@ + #include <linux/sysfs.h> + #include <linux/list.h> + #include <linux/module.h> ++#include <linux/bitops.h> + + #include "../iio.h" + #include "../sysfs.h" +@@ -541,7 +542,7 @@ static int adis16400_read_raw(struct iio_dev *indio_dev, + mutex_unlock(&indio_dev->mlock); + if (ret) + return ret; +- val16 = ((val16 & 0xFFF) << 4) >> 4; ++ val16 = sign_extend32(val16, 11); + *val = val16; + return IIO_VAL_INT; + case (1 << IIO_CHAN_INFO_OFFSET_SEPARATE): +diff --git a/drivers/staging/iio/industrialio-core.c b/drivers/staging/iio/industrialio-core.c +index aec9311..f0abf29 100644 +--- a/drivers/staging/iio/industrialio-core.c ++++ b/drivers/staging/iio/industrialio-core.c +@@ -711,6 +711,7 @@ static void iio_device_unregister_sysfs(struct iio_dev *indio_dev) + iio_device_remove_and_free_read_attr(indio_dev, p); + } + kfree(indio_dev->chan_attr_group.attrs); ++ indio_dev->chan_attr_group.attrs = NULL; + } + + static const char * const iio_ev_type_text[] = { +@@ -986,6 +987,7 @@ static int iio_device_register_eventset(struct iio_dev *indio_dev) + error_free_setup_event_lines: + __iio_remove_event_config_attrs(indio_dev); + kfree(indio_dev->event_interface); ++ indio_dev->event_interface = NULL; + error_ret: + + return ret; +diff --git a/drivers/staging/vt6655/rf.c b/drivers/staging/vt6655/rf.c +index b8ec783..3003363 100644 +--- a/drivers/staging/vt6655/rf.c ++++ b/drivers/staging/vt6655/rf.c +@@ -1029,6 +1029,7 @@ unsigned char byPwrdBm = 0; + break; + case RATE_6M: + case RATE_9M: ++ case RATE_12M: + case RATE_18M: + byPwr = pDevice->abyOFDMPwrTbl[uCH]; + if (pDevice->byRFType == RF_UW2452) { +diff --git a/drivers/target/iscsi/iscsi_target_tq.c b/drivers/target/iscsi/iscsi_target_tq.c +index 0baac5b..3f59a80 100644 +--- a/drivers/target/iscsi/iscsi_target_tq.c ++++ b/drivers/target/iscsi/iscsi_target_tq.c +@@ -26,36 +26,22 @@ + #include "iscsi_target_tq.h" + #include "iscsi_target.h" + +-static LIST_HEAD(active_ts_list); + static LIST_HEAD(inactive_ts_list); +-static DEFINE_SPINLOCK(active_ts_lock); + static DEFINE_SPINLOCK(inactive_ts_lock); + static DEFINE_SPINLOCK(ts_bitmap_lock); + +-static void iscsi_add_ts_to_active_list(struct iscsi_thread_set *ts) +-{ +- spin_lock(&active_ts_lock); +- list_add_tail(&ts->ts_list, &active_ts_list); +- iscsit_global->active_ts++; +- spin_unlock(&active_ts_lock); +-} +- + extern void iscsi_add_ts_to_inactive_list(struct iscsi_thread_set *ts) + { ++ if (!list_empty(&ts->ts_list)) { ++ WARN_ON(1); ++ return; ++ } + spin_lock(&inactive_ts_lock); + list_add_tail(&ts->ts_list, &inactive_ts_list); + iscsit_global->inactive_ts++; + spin_unlock(&inactive_ts_lock); + } + +-static void iscsi_del_ts_from_active_list(struct iscsi_thread_set *ts) +-{ +- spin_lock(&active_ts_lock); +- list_del(&ts->ts_list); +- iscsit_global->active_ts--; +- spin_unlock(&active_ts_lock); +-} +- + static struct iscsi_thread_set *iscsi_get_ts_from_inactive_list(void) + { + struct iscsi_thread_set *ts; +@@ -69,7 +55,7 @@ static struct iscsi_thread_set *iscsi_get_ts_from_inactive_list(void) + list_for_each_entry(ts, &inactive_ts_list, ts_list) + break; + +- list_del(&ts->ts_list); ++ list_del_init(&ts->ts_list); + iscsit_global->inactive_ts--; + spin_unlock(&inactive_ts_lock); + +@@ -220,8 +206,6 @@ static void iscsi_deallocate_extra_thread_sets(void) + + void iscsi_activate_thread_set(struct iscsi_conn *conn, struct iscsi_thread_set *ts) + { +- iscsi_add_ts_to_active_list(ts); +- + spin_lock_bh(&ts->ts_state_lock); + conn->thread_set = ts; + ts->conn = conn; +@@ -424,7 +408,6 @@ struct iscsi_conn *iscsi_rx_thread_pre_handler(struct iscsi_thread_set *ts) + + if (ts->delay_inactive && (--ts->thread_count == 0)) { + spin_unlock_bh(&ts->ts_state_lock); +- iscsi_del_ts_from_active_list(ts); + + if (!iscsit_global->in_shutdown) + iscsi_deallocate_extra_thread_sets(); +@@ -477,7 +460,6 @@ struct iscsi_conn *iscsi_tx_thread_pre_handler(struct iscsi_thread_set *ts) + + if (ts->delay_inactive && (--ts->thread_count == 0)) { + spin_unlock_bh(&ts->ts_state_lock); +- iscsi_del_ts_from_active_list(ts); + + if (!iscsit_global->in_shutdown) + iscsi_deallocate_extra_thread_sets(); +@@ -536,10 +518,8 @@ int iscsi_thread_set_init(void) + return -ENOMEM; + } + +- spin_lock_init(&active_ts_lock); + spin_lock_init(&inactive_ts_lock); + spin_lock_init(&ts_bitmap_lock); +- INIT_LIST_HEAD(&active_ts_list); + INIT_LIST_HEAD(&inactive_ts_list); + + return 0; +diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c +index e813227..ebf9b60 100644 +--- a/drivers/target/target_core_pscsi.c ++++ b/drivers/target/target_core_pscsi.c +@@ -1168,7 +1168,7 @@ static u32 pscsi_get_device_type(struct se_device *dev) + struct pscsi_dev_virt *pdv = dev->dev_ptr; + struct scsi_device *sd = pdv->pdv_sd; + +- return sd->type; ++ return (sd) ? sd->type : TYPE_NO_LUN; + } + + static sector_t pscsi_get_blocks(struct se_device *dev) +diff --git a/drivers/target/tcm_fc/tfc_io.c b/drivers/target/tcm_fc/tfc_io.c +index ada131c..cebd235 100644 +--- a/drivers/target/tcm_fc/tfc_io.c ++++ b/drivers/target/tcm_fc/tfc_io.c +@@ -335,7 +335,7 @@ void ft_invl_hw_context(struct ft_cmd *cmd) + ep = fc_seq_exch(seq); + if (ep) { + lport = ep->lp; +- if (lport && (ep->xid <= lport->lro_xid)) ++ if (lport && (ep->xid <= lport->lro_xid)) { + /* + * "ddp_done" trigger invalidation of HW + * specific DDP context +@@ -350,6 +350,7 @@ void ft_invl_hw_context(struct ft_cmd *cmd) + * identified using ep->xid) + */ + cmd->was_ddp_setup = 0; ++ } + } + } + } +diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c +index 4735928..e753be2 100644 +--- a/drivers/tty/pty.c ++++ b/drivers/tty/pty.c +@@ -175,6 +175,9 @@ static int pty_signal(struct tty_struct *tty, int sig) + unsigned long flags; + struct pid *pgrp; + ++ if (sig != SIGINT && sig != SIGQUIT && sig != SIGTSTP) ++ return -EINVAL; ++ + if (tty->link) { + spin_lock_irqsave(&tty->link->ctrl_lock, flags); + pgrp = get_pid(tty->link->pgrp); +diff --git a/drivers/tty/serial/8250_pci.c b/drivers/tty/serial/8250_pci.c +index ef24e96..c1c1e52 100644 +--- a/drivers/tty/serial/8250_pci.c ++++ b/drivers/tty/serial/8250_pci.c +@@ -67,7 +67,7 @@ static void moan_device(const char *str, struct pci_dev *dev) + "Please send the output of lspci -vv, this\n" + "message (0x%04x,0x%04x,0x%04x,0x%04x), the\n" + "manufacturer and name of serial board or\n" +- "modem board to rmk+serial@arm.linux.org.uk.\n", ++ "modem board to <linux-serial@vger.kernel.org>.\n", + pci_name(dev), str, dev->vendor, dev->device, + dev->subsystem_vendor, dev->subsystem_device); + } +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index 613f06a..fa59fbe 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -943,8 +943,8 @@ EXPORT_SYMBOL(start_tty); + /* We limit tty time update visibility to every 8 seconds or so. */ + static void tty_update_time(struct timespec *time) + { +- unsigned long sec = get_seconds() & ~7; +- if ((long)(sec - time->tv_sec) > 0) ++ unsigned long sec = get_seconds(); ++ if (abs(sec - time->tv_sec) & ~7) + time->tv_sec = sec; + } + +diff --git a/drivers/tty/tty_ioctl.c b/drivers/tty/tty_ioctl.c +index 937f927..1740117 100644 +--- a/drivers/tty/tty_ioctl.c ++++ b/drivers/tty/tty_ioctl.c +@@ -154,11 +154,17 @@ void tty_wait_until_sent(struct tty_struct *tty, long timeout) + #endif + if (!timeout) + timeout = MAX_SCHEDULE_TIMEOUT; ++ + if (wait_event_interruptible_timeout(tty->write_wait, +- !tty_chars_in_buffer(tty), timeout) >= 0) { +- if (tty->ops->wait_until_sent) +- tty->ops->wait_until_sent(tty, timeout); ++ !tty_chars_in_buffer(tty), timeout) < 0) { ++ return; + } ++ ++ if (timeout == MAX_SCHEDULE_TIMEOUT) ++ timeout = 0; ++ ++ if (tty->ops->wait_until_sent) ++ tty->ops->wait_until_sent(tty, timeout); + } + EXPORT_SYMBOL(tty_wait_until_sent); + +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c +index 632df54f..c51803f 100644 +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -499,6 +499,7 @@ void invert_screen(struct vc_data *vc, int offset, int count, int viewed) + #endif + if (DO_UPDATE(vc)) + do_update_region(vc, (unsigned long) p, count); ++ notify_update(vc); + } + + /* used by selection: complement pointer position */ +@@ -515,6 +516,7 @@ void complement_pos(struct vc_data *vc, int offset) + scr_writew(old, screenpos(vc, old_offset, 1)); + if (DO_UPDATE(vc)) + vc->vc_sw->con_putc(vc, old, oldy, oldx); ++ notify_update(vc); + } + + old_offset = offset; +@@ -532,8 +534,8 @@ void complement_pos(struct vc_data *vc, int offset) + oldy = (offset >> 1) / vc->vc_cols; + vc->vc_sw->con_putc(vc, new, oldy, oldx); + } ++ notify_update(vc); + } +- + } + + static void insert_char(struct vc_data *vc, unsigned int nr) +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index d38d88e..360ddb5 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -911,6 +911,7 @@ static int acm_probe(struct usb_interface *intf, + unsigned long quirks; + int num_rx_buf; + int i; ++ unsigned int elength = 0; + int combined_interfaces = 0; + + /* normal quirks */ +@@ -950,9 +951,12 @@ static int acm_probe(struct usb_interface *intf, + dev_err(&intf->dev, "skipping garbage\n"); + goto next_desc; + } ++ elength = buffer[0]; + + switch (buffer[2]) { + case USB_CDC_UNION_TYPE: /* we've found it */ ++ if (elength < sizeof(struct usb_cdc_union_desc)) ++ goto next_desc; + if (union_header) { + dev_err(&intf->dev, "More than one " + "union descriptor, skipping ...\n"); +@@ -961,31 +965,38 @@ static int acm_probe(struct usb_interface *intf, + union_header = (struct usb_cdc_union_desc *)buffer; + break; + case USB_CDC_COUNTRY_TYPE: /* export through sysfs*/ ++ if (elength < sizeof(struct usb_cdc_country_functional_desc)) ++ goto next_desc; + cfd = (struct usb_cdc_country_functional_desc *)buffer; + break; + case USB_CDC_HEADER_TYPE: /* maybe check version */ + break; /* for now we ignore it */ + case USB_CDC_ACM_TYPE: ++ if (elength < 4) ++ goto next_desc; + ac_management_function = buffer[3]; + break; + case USB_CDC_CALL_MANAGEMENT_TYPE: ++ if (elength < 5) ++ goto next_desc; + call_management_function = buffer[3]; + call_interface_num = buffer[4]; + if ( (quirks & NOT_A_MODEM) == 0 && (call_management_function & 3) != 3) + dev_err(&intf->dev, "This device cannot do calls on its own. It is not a modem.\n"); + break; + default: +- /* there are LOTS more CDC descriptors that ++ /* ++ * there are LOTS more CDC descriptors that + * could legitimately be found here. + */ + dev_dbg(&intf->dev, "Ignoring descriptor: " +- "type %02x, length %d\n", +- buffer[2], buffer[0]); ++ "type %02x, length %ud\n", ++ buffer[2], elength); + break; + } + next_desc: +- buflen -= buffer[0]; +- buffer += buffer[0]; ++ buflen -= elength; ++ buffer += elength; + } + + if (!union_header) { +diff --git a/drivers/usb/core/buffer.c b/drivers/usb/core/buffer.c +index b0585e6..19fa68a 100644 +--- a/drivers/usb/core/buffer.c ++++ b/drivers/usb/core/buffer.c +@@ -22,17 +22,25 @@ + */ + + /* FIXME tune these based on pool statistics ... */ +-static const size_t pool_max[HCD_BUFFER_POOLS] = { +- /* platforms without dma-friendly caches might need to +- * prevent cacheline sharing... +- */ +- 32, +- 128, +- 512, +- PAGE_SIZE / 2 +- /* bigger --> allocate pages */ ++static size_t pool_max[HCD_BUFFER_POOLS] = { ++ 32, 128, 512, 2048, + }; + ++void __init usb_init_pool_max(void) ++{ ++ /* ++ * The pool_max values must never be smaller than ++ * ARCH_KMALLOC_MINALIGN. ++ */ ++ if (ARCH_KMALLOC_MINALIGN <= 32) ++ ; /* Original value is okay */ ++ else if (ARCH_KMALLOC_MINALIGN <= 64) ++ pool_max[0] = 64; ++ else if (ARCH_KMALLOC_MINALIGN <= 128) ++ pool_max[0] = 0; /* Don't use this pool */ ++ else ++ BUILD_BUG(); /* We don't allow this */ ++} + + /* SETUP primitives */ + +diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c +index 49257b3..64340f3 100644 +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -406,6 +406,7 @@ static void async_completed(struct urb *urb) + as->status = urb->status; + signr = as->signr; + if (signr) { ++ memset(&sinfo, 0, sizeof(sinfo)); + sinfo.si_signo = as->signr; + sinfo.si_errno = as->status; + sinfo.si_code = SI_ASYNCIO; +@@ -2031,6 +2032,7 @@ static void usbdev_remove(struct usb_device *udev) + wake_up_all(&ps->wait); + list_del_init(&ps->list); + if (ps->discsignr) { ++ memset(&sinfo, 0, sizeof(sinfo)); + sinfo.si_signo = ps->discsignr; + sinfo.si_errno = EPIPE; + sinfo.si_code = SI_ASYNCIO; +diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c +index cc13abf..c105ba3 100644 +--- a/drivers/usb/core/driver.c ++++ b/drivers/usb/core/driver.c +@@ -1664,6 +1664,18 @@ static int autosuspend_check(struct usb_device *udev) + dev_dbg(&udev->dev, "remote wakeup needed for autosuspend\n"); + return -EOPNOTSUPP; + } ++ ++ /* ++ * If the device is a direct child of the root hub and the HCD ++ * doesn't handle wakeup requests, don't allow autosuspend when ++ * wakeup is needed. ++ */ ++ if (w && udev->parent == udev->bus->root_hub && ++ bus_to_hcd(udev->bus)->cant_recv_wakeups) { ++ dev_dbg(&udev->dev, "HCD doesn't handle wakeup requests\n"); ++ return -EOPNOTSUPP; ++ } ++ + udev->do_remote_wakeup = w; + return 0; + } +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c +index c0ee52a..eb2c3bd 100644 +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -1542,6 +1542,7 @@ static int unlink1(struct usb_hcd *hcd, struct urb *urb, int status) + int usb_hcd_unlink_urb (struct urb *urb, int status) + { + struct usb_hcd *hcd; ++ struct usb_device *udev = urb->dev; + int retval = -EIDRM; + unsigned long flags; + +@@ -1553,20 +1554,19 @@ int usb_hcd_unlink_urb (struct urb *urb, int status) + spin_lock_irqsave(&hcd_urb_unlink_lock, flags); + if (atomic_read(&urb->use_count) > 0) { + retval = 0; +- usb_get_dev(urb->dev); ++ usb_get_dev(udev); + } + spin_unlock_irqrestore(&hcd_urb_unlink_lock, flags); + if (retval == 0) { + hcd = bus_to_hcd(urb->dev->bus); + retval = unlink1(hcd, urb, status); +- usb_put_dev(urb->dev); ++ if (retval == 0) ++ retval = -EINPROGRESS; ++ else if (retval != -EIDRM && retval != -EBUSY) ++ dev_dbg(&udev->dev, "hcd_unlink_urb %p fail %d\n", ++ urb, retval); ++ usb_put_dev(udev); + } +- +- if (retval == 0) +- retval = -EINPROGRESS; +- else if (retval != -EIDRM && retval != -EBUSY) +- dev_dbg(&urb->dev->dev, "hcd_unlink_urb %p fail %d\n", +- urb, retval); + return retval; + } + +diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c +index 73cd900..9044ef6 100644 +--- a/drivers/usb/core/usb.c ++++ b/drivers/usb/core/usb.c +@@ -1010,6 +1010,7 @@ static int __init usb_init(void) + pr_info("%s: USB support disabled\n", usbcore_name); + return 0; + } ++ usb_init_pool_max(); + + retval = usb_debugfs_init(); + if (retval) +diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c +index 7138540..ce7253b 100644 +--- a/drivers/usb/gadget/inode.c ++++ b/drivers/usb/gadget/inode.c +@@ -570,6 +570,7 @@ static ssize_t ep_aio_read_retry(struct kiocb *iocb) + break; + } + kfree(priv->buf); ++ kfree(priv->iv); + kfree(priv); + return len; + } +@@ -591,6 +592,7 @@ static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req) + */ + if (priv->iv == NULL || unlikely(req->actual == 0)) { + kfree(req->buf); ++ kfree(priv->iv); + kfree(priv); + iocb->private = NULL; + /* aio_complete() reports bytes-transferred _and_ faults */ +@@ -626,7 +628,7 @@ ep_aio_rwtail( + struct usb_request *req; + ssize_t value; + +- priv = kmalloc(sizeof *priv, GFP_KERNEL); ++ priv = kzalloc(sizeof *priv, GFP_KERNEL); + if (!priv) { + value = -ENOMEM; + fail: +@@ -634,11 +636,19 @@ fail: + return value; + } + iocb->private = priv; +- priv->iv = iv; ++ if (iv) { ++ priv->iv = kmemdup(iv, nr_segs * sizeof(struct iovec), ++ GFP_KERNEL); ++ if (!priv->iv) { ++ kfree(priv); ++ goto fail; ++ } ++ } + priv->nr_segs = nr_segs; + + value = get_ready_ep(iocb->ki_filp->f_flags, epdata); + if (unlikely(value < 0)) { ++ kfree(priv->iv); + kfree(priv); + goto fail; + } +@@ -672,6 +682,7 @@ fail: + mutex_unlock(&epdata->lock); + + if (unlikely(value)) { ++ kfree(priv->iv); + kfree(priv); + put_ep(epdata); + } else +diff --git a/drivers/usb/host/isp1760-hcd.c b/drivers/usb/host/isp1760-hcd.c +index 27dfab8..a4c2369 100644 +--- a/drivers/usb/host/isp1760-hcd.c ++++ b/drivers/usb/host/isp1760-hcd.c +@@ -2254,6 +2254,9 @@ struct usb_hcd *isp1760_register(phys_addr_t res_start, resource_size_t res_len, + hcd->rsrc_start = res_start; + hcd->rsrc_len = res_len; + ++ /* This driver doesn't support wakeup requests */ ++ hcd->cant_recv_wakeups = 1; ++ + ret = usb_add_hcd(hcd, irq, irqflags); + if (ret) + goto err_unmap; +diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c +index a8bbeed..c1fa92e 100644 +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -385,6 +385,10 @@ static void xhci_clear_port_change_bit(struct xhci_hcd *xhci, u16 wValue, + status = PORT_PLC; + port_change_bit = "link state"; + break; ++ case USB_PORT_FEAT_C_PORT_CONFIG_ERROR: ++ status = PORT_CEC; ++ port_change_bit = "config error"; ++ break; + default: + /* Should never happen */ + return; +@@ -592,6 +596,8 @@ int xhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, + status |= USB_PORT_STAT_C_LINK_STATE << 16; + if ((temp & PORT_WRC)) + status |= USB_PORT_STAT_C_BH_RESET << 16; ++ if ((temp & PORT_CEC)) ++ status |= USB_PORT_STAT_C_CONFIG_ERROR << 16; + } + + if (hcd->speed != HCD_USB3) { +@@ -868,6 +874,7 @@ int xhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, + case USB_PORT_FEAT_C_OVER_CURRENT: + case USB_PORT_FEAT_C_ENABLE: + case USB_PORT_FEAT_C_PORT_LINK_STATE: ++ case USB_PORT_FEAT_C_PORT_CONFIG_ERROR: + xhci_clear_port_change_bit(xhci, wValue, wIndex, + port_array[wIndex], temp); + break; +@@ -916,7 +923,7 @@ int xhci_hub_status_data(struct usb_hcd *hcd, char *buf) + memset(buf, 0, retval); + status = 0; + +- mask = PORT_CSC | PORT_PEC | PORT_OCC | PORT_PLC | PORT_WRC; ++ mask = PORT_CSC | PORT_PEC | PORT_OCC | PORT_PLC | PORT_WRC | PORT_CEC; + + spin_lock_irqsave(&xhci->lock, flags); + /* For each port, did anything change? If so, set that bit in buf. */ +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c +index a464dbc..a30f9e5 100644 +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -36,6 +36,9 @@ + + #define PCI_DEVICE_ID_INTEL_LYNXPOINT_XHCI 0x8c31 + #define PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI 0x9c31 ++#define PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI 0x22b5 ++#define PCI_DEVICE_ID_INTEL_SUNRISEPOINT_H_XHCI 0xa12f ++#define PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI 0x9d2f + + static const char hcd_name[] = "xhci_hcd"; + +@@ -102,6 +105,8 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + if (pdev->vendor == PCI_VENDOR_ID_AMD) + xhci->quirks |= XHCI_TRUST_TX_LENGTH; + ++ if (pdev->vendor == PCI_VENDOR_ID_INTEL) ++ xhci->quirks |= XHCI_AVOID_BEI; + if (pdev->vendor == PCI_VENDOR_ID_INTEL && + pdev->device == PCI_DEVICE_ID_INTEL_PANTHERPOINT_XHCI) { + xhci->quirks |= XHCI_EP_LIMIT_QUIRK; +@@ -116,7 +121,12 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + * PPT chipsets. + */ + xhci->quirks |= XHCI_SPURIOUS_REBOOT; +- xhci->quirks |= XHCI_AVOID_BEI; ++ } ++ if (pdev->vendor == PCI_VENDOR_ID_INTEL && ++ (pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI || ++ pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_H_XHCI || ++ pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI)) { ++ xhci->quirks |= XHCI_PME_STUCK_QUIRK; + } + if (pdev->vendor == PCI_VENDOR_ID_ETRON && + pdev->device == PCI_DEVICE_ID_ASROCK_P67) { +@@ -128,6 +138,21 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + xhci->quirks |= XHCI_RESET_ON_RESUME; + } + ++/* ++ * Make sure PME works on some Intel xHCI controllers by writing 1 to clear ++ * the Internal PME flag bit in vendor specific PMCTRL register at offset 0x80a4 ++ */ ++static void xhci_pme_quirk(struct xhci_hcd *xhci) ++{ ++ u32 val; ++ void __iomem *reg; ++ ++ reg = (void __iomem *) xhci->cap_regs + 0x80a4; ++ val = readl(reg); ++ writel(val | BIT(28), reg); ++ readl(reg); ++} ++ + /* called during probe() after chip reset completes */ + static int xhci_pci_setup(struct usb_hcd *hcd) + { +@@ -235,6 +260,9 @@ static int xhci_pci_suspend(struct usb_hcd *hcd, bool do_wakeup) + xhci->shared_hcd->state != HC_STATE_SUSPENDED) + return -EINVAL; + ++ if (xhci->quirks & XHCI_PME_STUCK_QUIRK) ++ xhci_pme_quirk(xhci); ++ + retval = xhci_suspend(xhci, do_wakeup); + + return retval; +@@ -265,6 +293,9 @@ static int xhci_pci_resume(struct usb_hcd *hcd, bool hibernated) + if (usb_is_intel_switchable_xhci(pdev)) + usb_enable_xhci_ports(pdev); + ++ if (xhci->quirks & XHCI_PME_STUCK_QUIRK) ++ xhci_pme_quirk(xhci); ++ + retval = xhci_resume(xhci, hibernated); + return retval; + } +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 3755274..25e9eb4 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -1980,7 +1980,7 @@ static int process_ctrl_td(struct xhci_hcd *xhci, struct xhci_td *td, + if (event_trb != ep_ring->dequeue) { + /* The event was for the status stage */ + if (event_trb == td->last_trb) { +- if (td->urb->actual_length != 0) { ++ if (td->urb_length_set) { + /* Don't overwrite a previously set error code + */ + if ((*status == -EINPROGRESS || *status == 0) && +@@ -1994,7 +1994,13 @@ static int process_ctrl_td(struct xhci_hcd *xhci, struct xhci_td *td, + td->urb->transfer_buffer_length; + } + } else { +- /* Maybe the event was for the data stage? */ ++ /* ++ * Maybe the event was for the data stage? If so, update ++ * already the actual_length of the URB and flag it as ++ * set, so that it is not overwritten in the event for ++ * the last TRB. ++ */ ++ td->urb_length_set = true; + td->urb->actual_length = + td->urb->transfer_buffer_length - + EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)); +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index 2090a03..efbdf83 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1,3 +1,4 @@ ++ + /* + * xHCI host controller driver + * +@@ -88,9 +89,10 @@ struct xhci_cap_regs { + #define HCS_IST(p) (((p) >> 0) & 0xf) + /* bits 4:7, max number of Event Ring segments */ + #define HCS_ERST_MAX(p) (((p) >> 4) & 0xf) ++/* bits 21:25 Hi 5 bits of Scratchpad buffers SW must allocate for the HW */ + /* bit 26 Scratchpad restore - for save/restore HW state - not used yet */ +-/* bits 27:31 number of Scratchpad buffers SW must allocate for the HW */ +-#define HCS_MAX_SCRATCHPAD(p) (((p) >> 27) & 0x1f) ++/* bits 27:31 Lo 5 bits of Scratchpad buffers SW must allocate for the HW */ ++#define HCS_MAX_SCRATCHPAD(p) ((((p) >> 16) & 0x3e0) | (((p) >> 27) & 0x1f)) + + /* HCSPARAMS3 - hcs_params3 - bitmasks */ + /* bits 0:7, Max U1 to U0 latency for the roothub ports */ +@@ -1255,6 +1257,8 @@ struct xhci_td { + struct xhci_segment *start_seg; + union xhci_trb *first_trb; + union xhci_trb *last_trb; ++ /* actual_length of the URB has already been set */ ++ bool urb_length_set; + }; + + /* xHCI command default timeout value */ +@@ -1493,6 +1497,7 @@ struct xhci_hcd { + #define XHCI_AVOID_BEI (1 << 15) + #define XHCI_SLOW_SUSPEND (1 << 17) + #define XHCI_SPURIOUS_WAKEUP (1 << 18) ++#define XHCI_PME_STUCK_QUIRK (1 << 20) + unsigned int num_active_eps; + unsigned int limit_active_eps; + /* There are two roothubs to keep track of bus suspend info for */ +diff --git a/drivers/usb/serial/Kconfig b/drivers/usb/serial/Kconfig +index 677f577..1888da7c 100644 +--- a/drivers/usb/serial/Kconfig ++++ b/drivers/usb/serial/Kconfig +@@ -578,10 +578,10 @@ config USB_SERIAL_CYBERJACK + If unsure, say N. + + config USB_SERIAL_XIRCOM +- tristate "USB Xircom / Entregra Single Port Serial Driver" ++ tristate "USB Xircom / Entrega Single Port Serial Driver" + select USB_EZUSB + help +- Say Y here if you want to use a Xircom or Entregra single port USB to ++ Say Y here if you want to use a Xircom or Entrega single port USB to + serial converter device. This driver makes use of firmware + developed from scratch by Brian Warner. + +diff --git a/drivers/usb/serial/bus.c b/drivers/usb/serial/bus.c +index 7f547dc..a8dc799 100644 +--- a/drivers/usb/serial/bus.c ++++ b/drivers/usb/serial/bus.c +@@ -52,6 +52,7 @@ static int usb_serial_device_probe(struct device *dev) + { + struct usb_serial_driver *driver; + struct usb_serial_port *port; ++ struct device *tty_dev; + int retval = 0; + int minor; + +@@ -73,12 +74,20 @@ static int usb_serial_device_probe(struct device *dev) + retval = device_create_file(dev, &dev_attr_port_number); + if (retval) { + if (driver->port_remove) +- retval = driver->port_remove(port); ++ driver->port_remove(port); + goto exit; + } + + minor = port->number; +- tty_register_device(usb_serial_tty_driver, minor, dev); ++ tty_dev = tty_register_device(usb_serial_tty_driver, minor, dev); ++ if (IS_ERR(tty_dev)) { ++ retval = PTR_ERR(tty_dev); ++ device_remove_file(dev, &dev_attr_port_number); ++ if (driver->port_remove) ++ driver->port_remove(port); ++ goto exit; ++ } ++ + dev_info(&port->serial->dev->dev, + "%s converter now attached to ttyUSB%d\n", + driver->description, minor); +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index e795a4c..7f32c74 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -63,6 +63,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x0846, 0x1100) }, /* NetGear Managed Switch M4100 series, M5300 series, M7100 series */ + { USB_DEVICE(0x08e6, 0x5501) }, /* Gemalto Prox-PU/CU contactless smartcard reader */ + { USB_DEVICE(0x08FD, 0x000A) }, /* Digianswer A/S , ZigBee/802.15.4 MAC Device */ ++ { USB_DEVICE(0x0908, 0x01FF) }, /* Siemens RUGGEDCOM USB Serial Console */ + { USB_DEVICE(0x0BED, 0x1100) }, /* MEI (TM) Cashflow-SC Bill/Voucher Acceptor */ + { USB_DEVICE(0x0BED, 0x1101) }, /* MEI series 2000 Combo Acceptor */ + { USB_DEVICE(0x0FCF, 0x1003) }, /* Dynastream ANT development board */ +@@ -152,6 +153,8 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x166A, 0x0305) }, /* Clipsal C-5000CT2 C-Bus Spectrum Colour Touchscreen */ + { USB_DEVICE(0x166A, 0x0401) }, /* Clipsal L51xx C-Bus Architectural Dimmer */ + { USB_DEVICE(0x166A, 0x0101) }, /* Clipsal 5560884 C-Bus Multi-room Audio Matrix Switcher */ ++ { USB_DEVICE(0x16C0, 0x09B0) }, /* Lunatico Seletek */ ++ { USB_DEVICE(0x16C0, 0x09B1) }, /* Lunatico Seletek */ + { USB_DEVICE(0x16D6, 0x0001) }, /* Jablotron serial interface */ + { USB_DEVICE(0x16DC, 0x0010) }, /* W-IE-NE-R Plein & Baus GmbH PL512 Power Supply */ + { USB_DEVICE(0x16DC, 0x0011) }, /* W-IE-NE-R Plein & Baus GmbH RCM Remote Control for MARATON Power Supply */ +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index f6a6205..e13ebb0 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -628,6 +628,7 @@ static struct usb_device_id id_table_combined [] = { + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLXM_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE(FTDI_VID, FTDI_SYNAPSE_SS200_PID) }, + /* + * ELV devices: + */ +@@ -823,6 +824,8 @@ static struct usb_device_id id_table_combined [] = { + { USB_DEVICE(FTDI_VID, FTDI_ELSTER_UNICOM_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_PROPOX_JTAGCABLEII_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_PROPOX_ISPCABLEIII_PID) }, ++ { USB_DEVICE(FTDI_VID, CYBER_CORTEX_AV_PID), ++ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(OLIMEX_VID, OLIMEX_ARM_USB_OCD_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(OLIMEX_VID, OLIMEX_ARM_USB_OCD_H_PID), +@@ -1000,6 +1003,23 @@ static struct usb_device_id id_table_combined [] = { + { USB_DEVICE(FTDI_VID, FTDI_EKEY_CONV_USB_PID) }, + /* GE Healthcare devices */ + { USB_DEVICE(GE_HEALTHCARE_VID, GE_HEALTHCARE_NEMO_TRACKER_PID) }, ++ /* Active Research (Actisense) devices */ ++ { USB_DEVICE(FTDI_VID, ACTISENSE_NDC_PID) }, ++ { USB_DEVICE(FTDI_VID, ACTISENSE_USG_PID) }, ++ { USB_DEVICE(FTDI_VID, ACTISENSE_NGT_PID) }, ++ { USB_DEVICE(FTDI_VID, ACTISENSE_NGW_PID) }, ++ { USB_DEVICE(FTDI_VID, ACTISENSE_D9AC_PID) }, ++ { USB_DEVICE(FTDI_VID, ACTISENSE_D9AD_PID) }, ++ { USB_DEVICE(FTDI_VID, ACTISENSE_D9AE_PID) }, ++ { USB_DEVICE(FTDI_VID, ACTISENSE_D9AF_PID) }, ++ { USB_DEVICE(FTDI_VID, CHETCO_SEAGAUGE_PID) }, ++ { USB_DEVICE(FTDI_VID, CHETCO_SEASWITCH_PID) }, ++ { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_NMEA2000_PID) }, ++ { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ETHERNET_PID) }, ++ { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_WIFI_PID) }, ++ { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_DISPLAY_PID) }, ++ { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_LITE_PID) }, ++ { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ANALOG_PID) }, + { }, /* Optional parameter entry */ + { } /* Terminating entry */ + }; +@@ -1927,8 +1947,12 @@ static int ftdi_8u2232c_probe(struct usb_serial *serial) + + dbg("%s", __func__); + +- if ((udev->manufacturer && !strcmp(udev->manufacturer, "CALAO Systems")) || +- (udev->product && !strcmp(udev->product, "BeagleBone/XDS100V2"))) ++ if (udev->manufacturer && !strcmp(udev->manufacturer, "CALAO Systems")) ++ return ftdi_jtag_probe(serial); ++ ++ if (udev->product && ++ (!strcmp(udev->product, "BeagleBone/XDS100V2") || ++ !strcmp(udev->product, "SNAP Connect E10"))) + return ftdi_jtag_probe(serial); + + return 0; +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index 5735fb7..361192c 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -38,6 +38,9 @@ + + #define FTDI_LUMEL_PD12_PID 0x6002 + ++/* Cyber Cortex AV by Fabulous Silicon (http://fabuloussilicon.com) */ ++#define CYBER_CORTEX_AV_PID 0x8698 ++ + /* + * Marvell OpenRD Base, Client + * http://www.open-rd.org +@@ -558,6 +561,12 @@ + */ + #define FTDI_NT_ORIONLXM_PID 0x7c90 /* OrionLXm Substation Automation Platform */ + ++/* ++ * Synapse Wireless product ids (FTDI_VID) ++ * http://www.synapse-wireless.com ++ */ ++#define FTDI_SYNAPSE_SS200_PID 0x9090 /* SS200 - SNAP Stick 200 */ ++ + + /********************************/ + /** third-party VID/PID combos **/ +@@ -1432,3 +1441,23 @@ + */ + #define GE_HEALTHCARE_VID 0x1901 + #define GE_HEALTHCARE_NEMO_TRACKER_PID 0x0015 ++ ++/* ++ * Active Research (Actisense) devices ++ */ ++#define ACTISENSE_NDC_PID 0xD9A8 /* NDC USB Serial Adapter */ ++#define ACTISENSE_USG_PID 0xD9A9 /* USG USB Serial Adapter */ ++#define ACTISENSE_NGT_PID 0xD9AA /* NGT NMEA2000 Interface */ ++#define ACTISENSE_NGW_PID 0xD9AB /* NGW NMEA2000 Gateway */ ++#define ACTISENSE_D9AC_PID 0xD9AC /* Actisense Reserved */ ++#define ACTISENSE_D9AD_PID 0xD9AD /* Actisense Reserved */ ++#define ACTISENSE_D9AE_PID 0xD9AE /* Actisense Reserved */ ++#define ACTISENSE_D9AF_PID 0xD9AF /* Actisense Reserved */ ++#define CHETCO_SEAGAUGE_PID 0xA548 /* SeaGauge USB Adapter */ ++#define CHETCO_SEASWITCH_PID 0xA549 /* SeaSwitch USB Adapter */ ++#define CHETCO_SEASMART_NMEA2000_PID 0xA54A /* SeaSmart NMEA2000 Gateway */ ++#define CHETCO_SEASMART_ETHERNET_PID 0xA54B /* SeaSmart Ethernet Gateway */ ++#define CHETCO_SEASMART_WIFI_PID 0xA5AC /* SeaSmart Wifi Gateway */ ++#define CHETCO_SEASMART_DISPLAY_PID 0xA5AD /* SeaSmart NMEA2000 Display */ ++#define CHETCO_SEASMART_LITE_PID 0xA5AE /* SeaSmart Lite USB Adapter */ ++#define CHETCO_SEASMART_ANALOG_PID 0xA5AF /* SeaSmart Analog Adapter */ +diff --git a/drivers/usb/serial/keyspan_pda.c b/drivers/usb/serial/keyspan_pda.c +index d5c0c6a..661a1a2 100644 +--- a/drivers/usb/serial/keyspan_pda.c ++++ b/drivers/usb/serial/keyspan_pda.c +@@ -1,5 +1,5 @@ + /* +- * USB Keyspan PDA / Xircom / Entregra Converter driver ++ * USB Keyspan PDA / Xircom / Entrega Converter driver + * + * Copyright (C) 1999 - 2001 Greg Kroah-Hartman <greg@kroah.com> + * Copyright (C) 1999, 2000 Brian Warner <warner@lothar.com> +@@ -119,11 +119,12 @@ struct keyspan_pda_private { + #define KEYSPAN_PDA_FAKE_ID 0x0103 + #define KEYSPAN_PDA_ID 0x0104 /* no clue */ + +-/* For Xircom PGSDB9 and older Entregra version of the same device */ ++/* For Xircom PGSDB9 and older Entrega version of the same device */ + #define XIRCOM_VENDOR_ID 0x085a + #define XIRCOM_FAKE_ID 0x8027 +-#define ENTREGRA_VENDOR_ID 0x1645 +-#define ENTREGRA_FAKE_ID 0x8093 ++#define XIRCOM_FAKE_ID_2 0x8025 /* "PGMFHUB" serial */ ++#define ENTREGA_VENDOR_ID 0x1645 ++#define ENTREGA_FAKE_ID 0x8093 + + static const struct usb_device_id id_table_combined[] = { + #ifdef KEYSPAN +@@ -131,7 +132,8 @@ static const struct usb_device_id id_table_combined[] = { + #endif + #ifdef XIRCOM + { USB_DEVICE(XIRCOM_VENDOR_ID, XIRCOM_FAKE_ID) }, +- { USB_DEVICE(ENTREGRA_VENDOR_ID, ENTREGRA_FAKE_ID) }, ++ { USB_DEVICE(XIRCOM_VENDOR_ID, XIRCOM_FAKE_ID_2) }, ++ { USB_DEVICE(ENTREGA_VENDOR_ID, ENTREGA_FAKE_ID) }, + #endif + { USB_DEVICE(KEYSPAN_VENDOR_ID, KEYSPAN_PDA_ID) }, + { } /* Terminating entry */ +@@ -162,7 +164,8 @@ static const struct usb_device_id id_table_fake[] = { + #ifdef XIRCOM + static const struct usb_device_id id_table_fake_xircom[] = { + { USB_DEVICE(XIRCOM_VENDOR_ID, XIRCOM_FAKE_ID) }, +- { USB_DEVICE(ENTREGRA_VENDOR_ID, ENTREGRA_FAKE_ID) }, ++ { USB_DEVICE(XIRCOM_VENDOR_ID, XIRCOM_FAKE_ID_2) }, ++ { USB_DEVICE(ENTREGA_VENDOR_ID, ENTREGA_FAKE_ID) }, + { } + }; + #endif +@@ -757,7 +760,7 @@ static int keyspan_pda_fake_startup(struct usb_serial *serial) + #endif + #ifdef XIRCOM + else if ((le16_to_cpu(serial->dev->descriptor.idVendor) == XIRCOM_VENDOR_ID) || +- (le16_to_cpu(serial->dev->descriptor.idVendor) == ENTREGRA_VENDOR_ID)) ++ (le16_to_cpu(serial->dev->descriptor.idVendor) == ENTREGA_VENDOR_ID)) + fw_name = "keyspan_pda/xircom_pgs.fw"; + #endif + else { +@@ -848,7 +851,7 @@ static struct usb_serial_driver xircom_pgs_fake_device = { + .owner = THIS_MODULE, + .name = "xircom_no_firm", + }, +- .description = "Xircom / Entregra PGS - (prerenumeration)", ++ .description = "Xircom / Entrega PGS - (prerenumeration)", + .usb_driver = &keyspan_pda_driver, + .id_table = id_table_fake_xircom, + .num_ports = 1, +diff --git a/drivers/xen/manage.c b/drivers/xen/manage.c +index 6548417..caa3969 100644 +--- a/drivers/xen/manage.c ++++ b/drivers/xen/manage.c +@@ -110,10 +110,16 @@ static void do_suspend(void) + + err = freeze_processes(); + if (err) { +- printk(KERN_ERR "xen suspend: freeze failed %d\n", err); ++ pr_err("%s: freeze processes failed %d\n", __func__, err); + goto out; + } + ++ err = freeze_kernel_threads(); ++ if (err) { ++ pr_err("%s: freeze kernel threads failed %d\n", __func__, err); ++ goto out_thaw; ++ } ++ + err = dpm_suspend_start(PMSG_FREEZE); + if (err) { + printk(KERN_ERR "xen suspend: dpm_suspend_start %d\n", err); +diff --git a/drivers/xen/xen-pciback/conf_space.c b/drivers/xen/xen-pciback/conf_space.c +index 52fed16..82ab1c3 100644 +--- a/drivers/xen/xen-pciback/conf_space.c ++++ b/drivers/xen/xen-pciback/conf_space.c +@@ -16,7 +16,7 @@ + #include "conf_space.h" + #include "conf_space_quirks.h" + +-static int permissive; ++bool permissive; + module_param(permissive, bool, 0644); + + /* This is where xen_pcibk_read_config_byte, xen_pcibk_read_config_word, +diff --git a/drivers/xen/xen-pciback/conf_space.h b/drivers/xen/xen-pciback/conf_space.h +index e56c934..2e1d73d 100644 +--- a/drivers/xen/xen-pciback/conf_space.h ++++ b/drivers/xen/xen-pciback/conf_space.h +@@ -64,6 +64,8 @@ struct config_field_entry { + void *data; + }; + ++extern bool permissive; ++ + #define OFFSET(cfg_entry) ((cfg_entry)->base_offset+(cfg_entry)->field->offset) + + /* Add fields to a device - the add_fields macro expects to get a pointer to +diff --git a/drivers/xen/xen-pciback/conf_space_header.c b/drivers/xen/xen-pciback/conf_space_header.c +index 3daf862..a5bb81a 100644 +--- a/drivers/xen/xen-pciback/conf_space_header.c ++++ b/drivers/xen/xen-pciback/conf_space_header.c +@@ -9,6 +9,10 @@ + #include "pciback.h" + #include "conf_space.h" + ++struct pci_cmd_info { ++ u16 val; ++}; ++ + struct pci_bar_info { + u32 val; + u32 len_val; +@@ -18,22 +22,36 @@ struct pci_bar_info { + #define is_enable_cmd(value) ((value)&(PCI_COMMAND_MEMORY|PCI_COMMAND_IO)) + #define is_master_cmd(value) ((value)&PCI_COMMAND_MASTER) + +-static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data) ++/* Bits guests are allowed to control in permissive mode. */ ++#define PCI_COMMAND_GUEST (PCI_COMMAND_MASTER|PCI_COMMAND_SPECIAL| \ ++ PCI_COMMAND_INVALIDATE|PCI_COMMAND_VGA_PALETTE| \ ++ PCI_COMMAND_WAIT|PCI_COMMAND_FAST_BACK) ++ ++static void *command_init(struct pci_dev *dev, int offset) + { +- int i; +- int ret; +- +- ret = xen_pcibk_read_config_word(dev, offset, value, data); +- if (!pci_is_enabled(dev)) +- return ret; +- +- for (i = 0; i < PCI_ROM_RESOURCE; i++) { +- if (dev->resource[i].flags & IORESOURCE_IO) +- *value |= PCI_COMMAND_IO; +- if (dev->resource[i].flags & IORESOURCE_MEM) +- *value |= PCI_COMMAND_MEMORY; ++ struct pci_cmd_info *cmd = kmalloc(sizeof(*cmd), GFP_KERNEL); ++ int err; ++ ++ if (!cmd) ++ return ERR_PTR(-ENOMEM); ++ ++ err = pci_read_config_word(dev, PCI_COMMAND, &cmd->val); ++ if (err) { ++ kfree(cmd); ++ return ERR_PTR(err); + } + ++ return cmd; ++} ++ ++static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data) ++{ ++ int ret = pci_read_config_word(dev, offset, value); ++ const struct pci_cmd_info *cmd = data; ++ ++ *value &= PCI_COMMAND_GUEST; ++ *value |= cmd->val & ~PCI_COMMAND_GUEST; ++ + return ret; + } + +@@ -41,6 +59,8 @@ static int command_write(struct pci_dev *dev, int offset, u16 value, void *data) + { + struct xen_pcibk_dev_data *dev_data; + int err; ++ u16 val; ++ struct pci_cmd_info *cmd = data; + + dev_data = pci_get_drvdata(dev); + if (!pci_is_enabled(dev) && is_enable_cmd(value)) { +@@ -83,6 +103,19 @@ static int command_write(struct pci_dev *dev, int offset, u16 value, void *data) + } + } + ++ cmd->val = value; ++ ++ if (!permissive && (!dev_data || !dev_data->permissive)) ++ return 0; ++ ++ /* Only allow the guest to control certain bits. */ ++ err = pci_read_config_word(dev, offset, &val); ++ if (err || val == value) ++ return err; ++ ++ value &= PCI_COMMAND_GUEST; ++ value |= val & ~PCI_COMMAND_GUEST; ++ + return pci_write_config_word(dev, offset, value); + } + +@@ -282,6 +315,8 @@ static const struct config_field header_common[] = { + { + .offset = PCI_COMMAND, + .size = 2, ++ .init = command_init, ++ .release = bar_release, + .u.w.read = command_read, + .u.w.write = command_write, + }, +diff --git a/fs/autofs4/dev-ioctl.c b/fs/autofs4/dev-ioctl.c +index de54271..62d7a6d 100644 +--- a/fs/autofs4/dev-ioctl.c ++++ b/fs/autofs4/dev-ioctl.c +@@ -95,7 +95,7 @@ static int check_dev_ioctl_version(int cmd, struct autofs_dev_ioctl *param) + */ + static struct autofs_dev_ioctl *copy_dev_ioctl(struct autofs_dev_ioctl __user *in) + { +- struct autofs_dev_ioctl tmp; ++ struct autofs_dev_ioctl tmp, *res; + + if (copy_from_user(&tmp, in, sizeof(tmp))) + return ERR_PTR(-EFAULT); +@@ -103,7 +103,14 @@ static struct autofs_dev_ioctl *copy_dev_ioctl(struct autofs_dev_ioctl __user *i + if (tmp.size < sizeof(tmp)) + return ERR_PTR(-EINVAL); + +- return memdup_user(in, tmp.size); ++ if (tmp.size > (PATH_MAX + sizeof(tmp))) ++ return ERR_PTR(-ENAMETOOLONG); ++ ++ res = memdup_user(in, tmp.size); ++ if (!IS_ERR(res)) ++ res->size = tmp.size; ++ ++ return res; + } + + static inline void free_dev_ioctl(struct autofs_dev_ioctl *param) +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index 8dd615c..2aed667 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -542,11 +542,12 @@ out: + + static unsigned long randomize_stack_top(unsigned long stack_top) + { +- unsigned int random_variable = 0; ++ unsigned long random_variable = 0; + + if ((current->flags & PF_RANDOMIZE) && + !(current->personality & ADDR_NO_RANDOMIZE)) { +- random_variable = get_random_int() & STACK_RND_MASK; ++ random_variable = (unsigned long) get_random_int(); ++ random_variable &= STACK_RND_MASK; + random_variable <<= PAGE_SHIFT; + } + #ifdef CONFIG_STACK_GROWSUP +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index aa05d5e..f9d2863 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -1608,6 +1608,7 @@ refind_writable: + cifsFileInfo_put(inv_file); + spin_lock(&cifs_file_list_lock); + ++refind; ++ inv_file = NULL; + goto refind_writable; + } + } +diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c +index 6ac0893..a15f1e2 100644 +--- a/fs/debugfs/inode.c ++++ b/fs/debugfs/inode.c +@@ -125,11 +125,30 @@ static inline int debugfs_positive(struct dentry *dentry) + return dentry->d_inode && !d_unhashed(dentry); + } + ++static void debugfs_evict_inode(struct inode *inode) ++{ ++ truncate_inode_pages(&inode->i_data, 0); ++ end_writeback(inode); ++ if (S_ISLNK(inode->i_mode)) ++ kfree(inode->i_private); ++} ++ ++static const struct super_operations debugfs_super_operations = { ++ .evict_inode = debugfs_evict_inode, ++}; ++ + static int debug_fill_super(struct super_block *sb, void *data, int silent) + { + static struct tree_descr debug_files[] = {{""}}; ++ int err; + +- return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files); ++ err = simple_fill_super(sb, DEBUGFS_MAGIC, debug_files); ++ if (err) ++ return err; ++ ++ sb->s_op = &debugfs_super_operations; ++ ++ return 0; + } + + static struct dentry *debug_mount(struct file_system_type *fs_type, +@@ -312,23 +331,14 @@ static int __debugfs_remove(struct dentry *dentry, struct dentry *parent) + int ret = 0; + + if (debugfs_positive(dentry)) { +- if (dentry->d_inode) { +- dget(dentry); +- switch (dentry->d_inode->i_mode & S_IFMT) { +- case S_IFDIR: +- ret = simple_rmdir(parent->d_inode, dentry); +- break; +- case S_IFLNK: +- kfree(dentry->d_inode->i_private); +- /* fall through */ +- default: +- simple_unlink(parent->d_inode, dentry); +- break; +- } +- if (!ret) +- d_delete(dentry); +- dput(dentry); +- } ++ dget(dentry); ++ if (S_ISDIR(dentry->d_inode->i_mode)) ++ ret = simple_rmdir(parent->d_inode, dentry); ++ else ++ simple_unlink(parent->d_inode, dentry); ++ if (!ret) ++ d_delete(dentry); ++ dput(dentry); + } + return ret; + } +diff --git a/fs/ecryptfs/file.c b/fs/ecryptfs/file.c +index 80fc876..464fe1f 100644 +--- a/fs/ecryptfs/file.c ++++ b/fs/ecryptfs/file.c +@@ -307,9 +307,23 @@ ecryptfs_unlocked_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + + if (ecryptfs_file_to_private(file)) + lower_file = ecryptfs_file_to_lower(file); +- if (lower_file && lower_file->f_op && lower_file->f_op->unlocked_ioctl) ++ if (!(lower_file && lower_file->f_op && lower_file->f_op->unlocked_ioctl)) ++ return rc; ++ ++ switch (cmd) { ++ case FITRIM: ++ case FS_IOC_GETFLAGS: ++ case FS_IOC_SETFLAGS: ++ case FS_IOC_GETVERSION: ++ case FS_IOC_SETVERSION: + rc = lower_file->f_op->unlocked_ioctl(lower_file, cmd, arg); +- return rc; ++ fsstack_copy_attr_all(file->f_path.dentry->d_inode, ++ lower_file->f_path.dentry->d_inode); ++ ++ return rc; ++ default: ++ return rc; ++ } + } + + #ifdef CONFIG_COMPAT +@@ -321,9 +335,23 @@ ecryptfs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + + if (ecryptfs_file_to_private(file)) + lower_file = ecryptfs_file_to_lower(file); +- if (lower_file && lower_file->f_op && lower_file->f_op->compat_ioctl) ++ if (!(lower_file && lower_file->f_op && lower_file->f_op->compat_ioctl)) ++ return rc; ++ ++ switch (cmd) { ++ case FITRIM: ++ case FS_IOC32_GETFLAGS: ++ case FS_IOC32_SETFLAGS: ++ case FS_IOC32_GETVERSION: ++ case FS_IOC32_SETVERSION: + rc = lower_file->f_op->compat_ioctl(lower_file, cmd, arg); +- return rc; ++ fsstack_copy_attr_all(file->f_path.dentry->d_inode, ++ lower_file->f_path.dentry->d_inode); ++ ++ return rc; ++ default: ++ return rc; ++ } + } + #endif + +diff --git a/fs/exec.c b/fs/exec.c +index 78199eb..7adb43f 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -1282,6 +1282,45 @@ int check_unsafe_exec(struct linux_binprm *bprm) + return res; + } + ++static void bprm_fill_uid(struct linux_binprm *bprm) ++{ ++ struct inode *inode; ++ unsigned int mode; ++ uid_t uid; ++ gid_t gid; ++ ++ /* clear any previous set[ug]id data from a previous binary */ ++ bprm->cred->euid = current_euid(); ++ bprm->cred->egid = current_egid(); ++ ++ if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ++ return; ++ ++ inode = bprm->file->f_path.dentry->d_inode; ++ mode = ACCESS_ONCE(inode->i_mode); ++ if (!(mode & (S_ISUID|S_ISGID))) ++ return; ++ ++ /* Be careful if suid/sgid is set */ ++ mutex_lock(&inode->i_mutex); ++ ++ /* reload atomically mode/uid/gid now that lock held */ ++ mode = inode->i_mode; ++ uid = inode->i_uid; ++ gid = inode->i_gid; ++ mutex_unlock(&inode->i_mutex); ++ ++ if (mode & S_ISUID) { ++ bprm->per_clear |= PER_CLEAR_ON_SETID; ++ bprm->cred->euid = uid; ++ } ++ ++ if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { ++ bprm->per_clear |= PER_CLEAR_ON_SETID; ++ bprm->cred->egid = gid; ++ } ++} ++ + /* + * Fill the binprm structure from the inode. + * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes +@@ -1290,36 +1329,12 @@ int check_unsafe_exec(struct linux_binprm *bprm) + */ + int prepare_binprm(struct linux_binprm *bprm) + { +- umode_t mode; +- struct inode * inode = bprm->file->f_path.dentry->d_inode; + int retval; + +- mode = inode->i_mode; + if (bprm->file->f_op == NULL) + return -EACCES; + +- /* clear any previous set[ug]id data from a previous binary */ +- bprm->cred->euid = current_euid(); +- bprm->cred->egid = current_egid(); +- +- if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) { +- /* Set-uid? */ +- if (mode & S_ISUID) { +- bprm->per_clear |= PER_CLEAR_ON_SETID; +- bprm->cred->euid = inode->i_uid; +- } +- +- /* Set-gid? */ +- /* +- * If setgid is set but no group execute bit then this +- * is a candidate for mandatory locking, not a setgid +- * executable. +- */ +- if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { +- bprm->per_clear |= PER_CLEAR_ON_SETID; +- bprm->cred->egid = inode->i_gid; +- } +- } ++ bprm_fill_uid(bprm); + + /* fill in binprm security blob */ + retval = security_bprm_set_creds(bprm); +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c +index cf0098d..81970d7 100644 +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -717,8 +717,8 @@ static int fuse_try_move_page(struct fuse_copy_state *cs, struct page **pagep) + + newpage = buf->page; + +- if (WARN_ON(!PageUptodate(newpage))) +- return -EIO; ++ if (!PageUptodate(newpage)) ++ SetPageUptodate(newpage); + + ClearPageMappedToDisk(newpage); + +@@ -1570,6 +1570,9 @@ copy_finish: + static int fuse_notify(struct fuse_conn *fc, enum fuse_notify_code code, + unsigned int size, struct fuse_copy_state *cs) + { ++ /* Don't try to move pages (yet) */ ++ cs->move_pages = 0; ++ + switch (code) { + case FUSE_NOTIFY_POLL: + return fuse_notify_poll(fc, size, cs); +diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c +index 2a734cf..7429c40 100644 +--- a/fs/hfsplus/brec.c ++++ b/fs/hfsplus/brec.c +@@ -130,13 +130,16 @@ skip: + hfs_bnode_write(node, entry, data_off + key_len, entry_len); + hfs_bnode_dump(node); + +- if (new_node) { +- /* update parent key if we inserted a key +- * at the start of the first node +- */ +- if (!rec && new_node != node) +- hfs_brec_update_parent(fd); ++ /* ++ * update parent key if we inserted a key ++ * at the start of the node and it is not the new node ++ */ ++ if (!rec && new_node != node) { ++ hfs_bnode_read_key(node, fd->search_key, data_off + size); ++ hfs_brec_update_parent(fd); ++ } + ++ if (new_node) { + hfs_bnode_put(fd->bnode); + if (!new_node->parent) { + hfs_btree_inc_height(tree); +@@ -166,9 +169,6 @@ skip: + goto again; + } + +- if (!rec) +- hfs_brec_update_parent(fd); +- + return 0; + } + +@@ -368,6 +368,8 @@ again: + if (IS_ERR(parent)) + return PTR_ERR(parent); + __hfs_brec_find(parent, fd); ++ if (fd->record < 0) ++ return -ENOENT; + hfs_bnode_dump(parent); + rec = fd->record; + +diff --git a/fs/jffs2/scan.c b/fs/jffs2/scan.c +index 28107ca..327cc17 100644 +--- a/fs/jffs2/scan.c ++++ b/fs/jffs2/scan.c +@@ -503,6 +503,10 @@ static int jffs2_scan_eraseblock (struct jffs2_sb_info *c, struct jffs2_eraseblo + sumlen = c->sector_size - je32_to_cpu(sm->offset); + sumptr = buf + buf_size - sumlen; + ++ /* sm->offset maybe wrong but MAGIC maybe right */ ++ if (sumlen > c->sector_size) ++ goto full_scan; ++ + /* Now, make sure the summary itself is available */ + if (sumlen > buf_size) { + /* Need to kmalloc for this. */ +@@ -537,6 +541,7 @@ static int jffs2_scan_eraseblock (struct jffs2_sb_info *c, struct jffs2_eraseblo + } + } + ++full_scan: + buf_ofs = jeb->offset; + + if (!buf_size) { +diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c +index 9f7c758..f6f32fa 100644 +--- a/fs/jfs/jfs_dtree.c ++++ b/fs/jfs/jfs_dtree.c +@@ -3103,7 +3103,7 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir) + * self "." + */ + filp->f_pos = 1; +- if (filldir(dirent, ".", 1, 0, ip->i_ino, ++ if (filldir(dirent, ".", 1, 1, ip->i_ino, + DT_DIR)) + return 0; + } +@@ -3111,7 +3111,7 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir) + * parent ".." + */ + filp->f_pos = 2; +- if (filldir(dirent, "..", 2, 1, PARENT(ip), DT_DIR)) ++ if (filldir(dirent, "..", 2, 2, PARENT(ip), DT_DIR)) + return 0; + + /* +diff --git a/fs/nfs/callback.c b/fs/nfs/callback.c +index 516f337..3172b51 100644 +--- a/fs/nfs/callback.c ++++ b/fs/nfs/callback.c +@@ -149,22 +149,24 @@ nfs41_callback_svc(void *vrqstp) + set_freezable(); + + while (!kthread_should_stop()) { +- prepare_to_wait(&serv->sv_cb_waitq, &wq, TASK_INTERRUPTIBLE); ++ prepare_to_wait(&serv->sv_cb_waitq, &wq, TASK_UNINTERRUPTIBLE); + spin_lock_bh(&serv->sv_cb_lock); + if (!list_empty(&serv->sv_cb_list)) { + req = list_first_entry(&serv->sv_cb_list, + struct rpc_rqst, rq_bc_list); + list_del(&req->rq_bc_list); + spin_unlock_bh(&serv->sv_cb_lock); ++ finish_wait(&serv->sv_cb_waitq, &wq); + dprintk("Invoking bc_svc_process()\n"); + error = bc_svc_process(serv, req, rqstp); + dprintk("bc_svc_process() returned w/ error code= %d\n", + error); + } else { + spin_unlock_bh(&serv->sv_cb_lock); +- schedule(); ++ /* schedule_timeout to game the hung task watchdog */ ++ schedule_timeout(60 * HZ); ++ finish_wait(&serv->sv_cb_waitq, &wq); + } +- finish_wait(&serv->sv_cb_waitq, &wq); + } + return 0; + } +diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c +index 3fde055..6d22d35 100644 +--- a/fs/nfs/callback_xdr.c ++++ b/fs/nfs/callback_xdr.c +@@ -459,8 +459,10 @@ static __be32 decode_cb_sequence_args(struct svc_rqst *rqstp, + + for (i = 0; i < args->csa_nrclists; i++) { + status = decode_rc_list(xdr, &args->csa_rclists[i]); +- if (status) ++ if (status) { ++ args->csa_nrclists = i; + goto out_free; ++ } + } + } + status = 0; +diff --git a/fs/nfs/delegation.c b/fs/nfs/delegation.c +index ac889af..92cf07d 100644 +--- a/fs/nfs/delegation.c ++++ b/fs/nfs/delegation.c +@@ -149,8 +149,8 @@ void nfs_inode_reclaim_delegation(struct inode *inode, struct rpc_cred *cred, + &delegation->flags); + NFS_I(inode)->delegation_state = delegation->type; + spin_unlock(&delegation->lock); +- put_rpccred(oldcred); + rcu_read_unlock(); ++ put_rpccred(oldcred); + } else { + /* We appear to have raced with a delegation return. */ + spin_unlock(&delegation->lock); +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 351989e..e83786f 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -267,7 +267,7 @@ static int nfs4_handle_exception(struct nfs_server *server, int errorcode, struc + case 0: + return 0; + case -NFS4ERR_OPENMODE: +- if (nfs_have_delegation(inode, FMODE_READ)) { ++ if (inode && nfs_have_delegation(inode, FMODE_READ)) { + nfs_inode_return_delegation(inode); + exception->retry = 1; + return 0; +@@ -279,10 +279,9 @@ static int nfs4_handle_exception(struct nfs_server *server, int errorcode, struc + case -NFS4ERR_DELEG_REVOKED: + case -NFS4ERR_ADMIN_REVOKED: + case -NFS4ERR_BAD_STATEID: +- if (state != NULL) +- nfs_remove_bad_delegation(state->inode); + if (state == NULL) + break; ++ nfs_remove_bad_delegation(state->inode); + nfs4_schedule_stateid_recovery(server, state); + goto wait_on_recovery; + case -NFS4ERR_EXPIRED: +@@ -3746,8 +3745,9 @@ nfs4_async_handle_error(struct rpc_task *task, const struct nfs_server *server, + case -NFS4ERR_DELEG_REVOKED: + case -NFS4ERR_ADMIN_REVOKED: + case -NFS4ERR_BAD_STATEID: +- if (state != NULL) +- nfs_remove_bad_delegation(state->inode); ++ if (state == NULL) ++ break; ++ nfs_remove_bad_delegation(state->inode); + case -NFS4ERR_OPENMODE: + if (state == NULL) + break; +diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c +index b2e3ff3..ecdbae1 100644 +--- a/fs/nilfs2/btree.c ++++ b/fs/nilfs2/btree.c +@@ -31,6 +31,8 @@ + #include "alloc.h" + #include "dat.h" + ++static void __nilfs_btree_init(struct nilfs_bmap *bmap); ++ + static struct nilfs_btree_path *nilfs_btree_alloc_path(void) + { + struct nilfs_btree_path *path; +@@ -368,6 +370,34 @@ static int nilfs_btree_node_broken(const struct nilfs_btree_node *node, + return ret; + } + ++/** ++ * nilfs_btree_root_broken - verify consistency of btree root node ++ * @node: btree root node to be examined ++ * @ino: inode number ++ * ++ * Return Value: If node is broken, 1 is returned. Otherwise, 0 is returned. ++ */ ++static int nilfs_btree_root_broken(const struct nilfs_btree_node *node, ++ unsigned long ino) ++{ ++ int level, flags, nchildren; ++ int ret = 0; ++ ++ level = nilfs_btree_node_get_level(node); ++ flags = nilfs_btree_node_get_flags(node); ++ nchildren = nilfs_btree_node_get_nchildren(node); ++ ++ if (unlikely(level < NILFS_BTREE_LEVEL_NODE_MIN || ++ level > NILFS_BTREE_LEVEL_MAX || ++ nchildren < 0 || ++ nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX)) { ++ pr_crit("NILFS: bad btree root (inode number=%lu): level = %d, flags = 0x%x, nchildren = %d\n", ++ ino, level, flags, nchildren); ++ ret = 1; ++ } ++ return ret; ++} ++ + int nilfs_btree_broken_node_block(struct buffer_head *bh) + { + int ret; +@@ -1713,7 +1743,7 @@ nilfs_btree_commit_convert_and_insert(struct nilfs_bmap *btree, + + /* convert and insert */ + dat = NILFS_BMAP_USE_VBN(btree) ? nilfs_bmap_get_dat(btree) : NULL; +- nilfs_btree_init(btree); ++ __nilfs_btree_init(btree); + if (nreq != NULL) { + nilfs_bmap_commit_alloc_ptr(btree, dreq, dat); + nilfs_bmap_commit_alloc_ptr(btree, nreq, dat); +@@ -2294,12 +2324,23 @@ static const struct nilfs_bmap_operations nilfs_btree_ops_gc = { + .bop_gather_data = NULL, + }; + +-int nilfs_btree_init(struct nilfs_bmap *bmap) ++static void __nilfs_btree_init(struct nilfs_bmap *bmap) + { + bmap->b_ops = &nilfs_btree_ops; + bmap->b_nchildren_per_block = + NILFS_BTREE_NODE_NCHILDREN_MAX(nilfs_btree_node_size(bmap)); +- return 0; ++} ++ ++int nilfs_btree_init(struct nilfs_bmap *bmap) ++{ ++ int ret = 0; ++ ++ __nilfs_btree_init(bmap); ++ ++ if (nilfs_btree_root_broken(nilfs_btree_get_root(bmap), ++ bmap->b_inode->i_ino)) ++ ret = -EIO; ++ return ret; + } + + void nilfs_btree_init_gc(struct nilfs_bmap *bmap) +diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c +index eb7f6a6..6bba106 100644 +--- a/fs/nilfs2/segment.c ++++ b/fs/nilfs2/segment.c +@@ -1903,6 +1903,7 @@ static void nilfs_segctor_drop_written_files(struct nilfs_sc_info *sci, + struct the_nilfs *nilfs) + { + struct nilfs_inode_info *ii, *n; ++ int during_mount = !(sci->sc_super->s_flags & MS_ACTIVE); + int defer_iput = false; + + spin_lock(&nilfs->ns_inode_lock); +@@ -1915,10 +1916,10 @@ static void nilfs_segctor_drop_written_files(struct nilfs_sc_info *sci, + brelse(ii->i_bh); + ii->i_bh = NULL; + list_del_init(&ii->i_dirty); +- if (!ii->vfs_inode.i_nlink) { ++ if (!ii->vfs_inode.i_nlink || during_mount) { + /* +- * Defer calling iput() to avoid a deadlock +- * over I_SYNC flag for inodes with i_nlink == 0 ++ * Defer calling iput() to avoid deadlocks if ++ * i_nlink == 0 or mount is not yet finished. + */ + list_add_tail(&ii->i_dirty, &sci->sc_iput_queue); + defer_iput = true; +diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c +index 0de24a2..6a7a3d9 100644 +--- a/fs/ocfs2/file.c ++++ b/fs/ocfs2/file.c +@@ -2387,10 +2387,14 @@ out_dio: + /* buffered aio wouldn't have proper lock coverage today */ + BUG_ON(ret == -EIOCBQUEUED && !(file->f_flags & O_DIRECT)); + ++ if (unlikely(written <= 0)) ++ goto no_sync; ++ + if (((file->f_flags & O_DSYNC) && !direct_io) || IS_SYNC(inode) || + ((file->f_flags & O_DIRECT) && !direct_io)) { +- ret = filemap_fdatawrite_range(file->f_mapping, *ppos, +- *ppos + count - 1); ++ ret = filemap_fdatawrite_range(file->f_mapping, ++ iocb->ki_pos - written, ++ iocb->ki_pos - 1); + if (ret < 0) + written = ret; + +@@ -2403,10 +2407,12 @@ out_dio: + } + + if (!ret) +- ret = filemap_fdatawait_range(file->f_mapping, *ppos, +- *ppos + count - 1); ++ ret = filemap_fdatawait_range(file->f_mapping, ++ iocb->ki_pos - written, ++ iocb->ki_pos - 1); + } + ++no_sync: + /* + * deep in g_f_a_w_n()->ocfs2_direct_IO we pass in a ocfs2_dio_end_io + * function pointer which is called when o_direct io completes so that +diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c +index ef1740d..d1bd6a9 100644 +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -864,9 +864,19 @@ out: + return ret; + } + ++static int pagemap_open(struct inode *inode, struct file *file) ++{ ++ /* do not disclose physical addresses to unprivileged ++ userspace (closes a rowhammer attack vector) */ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ return 0; ++} ++ + const struct file_operations proc_pagemap_operations = { + .llseek = mem_lseek, /* borrow this */ + .read = pagemap_read, ++ .open = pagemap_open, + }; + #endif /* CONFIG_PROC_PAGE_MONITOR */ + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index 2a706bb..e081440 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -1271,6 +1271,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) + struct udf_sb_info *sbi = UDF_SB(inode->i_sb); + struct udf_inode_info *iinfo = UDF_I(inode); + unsigned int link_count; ++ int bs = inode->i_sb->s_blocksize; + + fe = (struct fileEntry *)bh->b_data; + efe = (struct extendedFileEntry *)bh->b_data; +@@ -1291,41 +1292,38 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) + if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_EFE)) { + iinfo->i_efe = 1; + iinfo->i_use = 0; +- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize - ++ if (udf_alloc_i_data(inode, bs - + sizeof(struct extendedFileEntry))) { + make_bad_inode(inode); + return; + } + memcpy(iinfo->i_ext.i_data, + bh->b_data + sizeof(struct extendedFileEntry), +- inode->i_sb->s_blocksize - +- sizeof(struct extendedFileEntry)); ++ bs - sizeof(struct extendedFileEntry)); + } else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) { + iinfo->i_efe = 0; + iinfo->i_use = 0; +- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize - +- sizeof(struct fileEntry))) { ++ if (udf_alloc_i_data(inode, bs - sizeof(struct fileEntry))) { + make_bad_inode(inode); + return; + } + memcpy(iinfo->i_ext.i_data, + bh->b_data + sizeof(struct fileEntry), +- inode->i_sb->s_blocksize - sizeof(struct fileEntry)); ++ bs - sizeof(struct fileEntry)); + } else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_USE)) { + iinfo->i_efe = 0; + iinfo->i_use = 1; + iinfo->i_lenAlloc = le32_to_cpu( + ((struct unallocSpaceEntry *)bh->b_data)-> + lengthAllocDescs); +- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize - ++ if (udf_alloc_i_data(inode, bs - + sizeof(struct unallocSpaceEntry))) { + make_bad_inode(inode); + return; + } + memcpy(iinfo->i_ext.i_data, + bh->b_data + sizeof(struct unallocSpaceEntry), +- inode->i_sb->s_blocksize - +- sizeof(struct unallocSpaceEntry)); ++ bs - sizeof(struct unallocSpaceEntry)); + return; + } + +@@ -1403,6 +1401,19 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) + iinfo->i_lenEAttr; + } + ++ /* ++ * Sanity check length of allocation descriptors and extended attrs to ++ * avoid integer overflows ++ */ ++ if (iinfo->i_lenEAttr > bs || iinfo->i_lenAlloc > bs) { ++ make_bad_inode(inode); ++ return; ++ } ++ /* Now do exact checks */ ++ if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > bs) { ++ make_bad_inode(inode); ++ return; ++ } + /* Sanity checks for files in ICB so that we don't get confused later */ + if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { + /* +@@ -1414,8 +1425,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) + return; + } + /* File in ICB has to fit in there... */ +- if (inode->i_size > inode->i_sb->s_blocksize - +- udf_file_entry_alloc_offset(inode)) { ++ if (inode->i_size > bs - udf_file_entry_alloc_offset(inode)) { + make_bad_inode(inode); + return; + } +diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c +index 753ed9b..8ae937a 100644 +--- a/fs/xfs/xfs_file.c ++++ b/fs/xfs/xfs_file.c +@@ -516,7 +516,8 @@ STATIC int /* error (positive) */ + xfs_zero_last_block( + xfs_inode_t *ip, + xfs_fsize_t offset, +- xfs_fsize_t isize) ++ xfs_fsize_t isize, ++ bool *did_zeroing) + { + xfs_fileoff_t last_fsb; + xfs_mount_t *mp = ip->i_mount; +@@ -560,6 +561,7 @@ xfs_zero_last_block( + zero_len = mp->m_sb.sb_blocksize - zero_offset; + if (isize + zero_len > offset) + zero_len = offset - isize; ++ *did_zeroing = true; + error = xfs_iozero(ip, isize, zero_len); + + xfs_ilock(ip, XFS_ILOCK_EXCL); +@@ -582,7 +584,8 @@ int /* error (positive) */ + xfs_zero_eof( + xfs_inode_t *ip, + xfs_off_t offset, /* starting I/O offset */ +- xfs_fsize_t isize) /* current inode size */ ++ xfs_fsize_t isize, /* current inode size */ ++ bool *did_zeroing) + { + xfs_mount_t *mp = ip->i_mount; + xfs_fileoff_t start_zero_fsb; +@@ -602,7 +605,7 @@ xfs_zero_eof( + * First handle zeroing the block on which isize resides. + * We only zero a part of that block so it is handled specially. + */ +- error = xfs_zero_last_block(ip, offset, isize); ++ error = xfs_zero_last_block(ip, offset, isize, did_zeroing); + if (error) { + ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL|XFS_IOLOCK_EXCL)); + return error; +@@ -672,6 +675,7 @@ xfs_zero_eof( + goto out_lock; + } + ++ *did_zeroing = true; + start_zero_fsb = imap.br_startoff + imap.br_blockcount; + ASSERT(start_zero_fsb <= (end_zero_fsb + 1)); + +@@ -729,13 +733,15 @@ restart: + */ + if ((ip->i_new_size && *pos > ip->i_new_size) || + (!ip->i_new_size && *pos > ip->i_size)) { ++ bool zero = false; ++ + if (*iolock == XFS_IOLOCK_SHARED) { + xfs_rw_iunlock(ip, XFS_ILOCK_EXCL | *iolock); + *iolock = XFS_IOLOCK_EXCL; + xfs_rw_ilock(ip, XFS_ILOCK_EXCL | *iolock); + goto restart; + } +- error = -xfs_zero_eof(ip, *pos, ip->i_size); ++ error = -xfs_zero_eof(ip, *pos, ip->i_size, &zero); + } + + /* +diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c +index bd2fb43..1c01f04 100644 +--- a/fs/xfs/xfs_iops.c ++++ b/fs/xfs/xfs_iops.c +@@ -766,6 +766,7 @@ xfs_setattr_size( + int error; + uint lock_flags; + uint commit_flags = 0; ++ bool did_zeroing = false; + + trace_xfs_setattr(ip); + +@@ -812,20 +813,16 @@ xfs_setattr_size( + goto out_unlock; + + /* +- * Now we can make the changes. Before we join the inode to the +- * transaction, take care of the part of the truncation that must be +- * done without the inode lock. This needs to be done before joining +- * the inode to the transaction, because the inode cannot be unlocked +- * once it is a part of the transaction. ++ * File data changes must be complete before we start the transaction to ++ * modify the inode. This needs to be done before joining the inode to ++ * the transaction because the inode cannot be unlocked once it is a ++ * part of the transaction. ++ * ++ * Start with zeroing any data block beyond EOF that we may expose on ++ * file extension. + */ + if (iattr->ia_size > ip->i_size) { +- /* +- * Do the first part of growing a file: zero any data in the +- * last block that is beyond the old EOF. We need to do this +- * before the inode is joined to the transaction to modify +- * i_size. +- */ +- error = xfs_zero_eof(ip, iattr->ia_size, ip->i_size); ++ error = xfs_zero_eof(ip, iattr->ia_size, ip->i_size, &did_zeroing); + if (error) + goto out_unlock; + } +@@ -837,23 +834,18 @@ xfs_setattr_size( + * any previous writes that are beyond the on disk EOF and the new + * EOF that have not been written out need to be written here. If we + * do not write the data out, we expose ourselves to the null files +- * problem. +- * +- * Only flush from the on disk size to the smaller of the in memory +- * file size or the new size as that's the range we really care about +- * here and prevents waiting for other data not within the range we +- * care about here. ++ * problem. Note that this includes any block zeroing we did above; ++ * otherwise those blocks may not be zeroed after a crash. + */ +- if (ip->i_size != ip->i_d.di_size && iattr->ia_size > ip->i_d.di_size) { ++ if (iattr->ia_size > ip->i_d.di_size && ++ (ip->i_size != ip->i_d.di_size || did_zeroing)) { + error = xfs_flush_pages(ip, ip->i_d.di_size, iattr->ia_size, 0, + FI_NONE); + if (error) + goto out_unlock; + } + +- /* +- * Wait for all direct I/O to complete. +- */ ++ /* Now wait for all direct I/O to complete. */ + inode_dio_wait(inode); + + error = -block_truncate_page(inode->i_mapping, iattr->ia_size, +diff --git a/fs/xfs/xfs_vnodeops.h b/fs/xfs/xfs_vnodeops.h +index 35d3d51..c0f7714 100644 +--- a/fs/xfs/xfs_vnodeops.h ++++ b/fs/xfs/xfs_vnodeops.h +@@ -59,6 +59,7 @@ int xfs_flush_pages(struct xfs_inode *ip, xfs_off_t first, + xfs_off_t last, uint64_t flags, int fiopt); + int xfs_wait_on_pages(struct xfs_inode *ip, xfs_off_t first, xfs_off_t last); + +-int xfs_zero_eof(struct xfs_inode *, xfs_off_t, xfs_fsize_t); ++int xfs_zero_eof(struct xfs_inode *ip, xfs_off_t offset, ++ xfs_fsize_t isize, bool *did_zeroing); + + #endif /* _XFS_VNODEOPS_H */ +diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h +index 4053cbd..ddce23d 100644 +--- a/include/linux/blk_types.h ++++ b/include/linux/blk_types.h +@@ -144,7 +144,9 @@ enum rq_flag_bits { + __REQ_ELVPRIV, /* elevator private data attached */ + __REQ_FAILED, /* set if the request failed */ + __REQ_QUIET, /* don't worry about errors */ +- __REQ_PREEMPT, /* set for "ide_preempt" requests */ ++ __REQ_PREEMPT, /* set for "ide_preempt" requests and also ++ for requests for which the SCSI "quiesce" ++ state must be ignored. */ + __REQ_ALLOCED, /* request came from our alloc pool */ + __REQ_COPY_USER, /* contains copies of user pages */ + __REQ_FLUSH_SEQ, /* request for flush sequence */ +diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h +index e2a360a..59a7e4c 100644 +--- a/include/linux/compiler-gcc4.h ++++ b/include/linux/compiler-gcc4.h +@@ -29,6 +29,8 @@ + the kernel context */ + #define __cold __attribute__((__cold__)) + ++#define __linktime_error(message) __attribute__((__error__(message))) ++ + /* + * GCC 'asm goto' miscompiles certain code sequences: + * +diff --git a/include/linux/compiler.h b/include/linux/compiler.h +index 7c7546b..65c8b78 100644 +--- a/include/linux/compiler.h ++++ b/include/linux/compiler.h +@@ -297,7 +297,9 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); + #ifndef __compiletime_error + # define __compiletime_error(message) + #endif +- ++#ifndef __linktime_error ++# define __linktime_error(message) ++#endif + /* + * Prevent the compiler from merging or refetching accesses. The compiler + * is also forbidden from reordering successive instances of ACCESS_ONCE(), +diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h +index 2a53f10..dad4f61 100644 +--- a/include/linux/fsnotify.h ++++ b/include/linux/fsnotify.h +@@ -100,8 +100,10 @@ static inline void fsnotify_move(struct inode *old_dir, struct inode *new_dir, + new_dir_mask |= FS_ISDIR; + } + +- fsnotify(old_dir, old_dir_mask, old_dir, FSNOTIFY_EVENT_INODE, old_name, fs_cookie); +- fsnotify(new_dir, new_dir_mask, new_dir, FSNOTIFY_EVENT_INODE, new_name, fs_cookie); ++ fsnotify(old_dir, old_dir_mask, source, FSNOTIFY_EVENT_INODE, old_name, ++ fs_cookie); ++ fsnotify(new_dir, new_dir_mask, source, FSNOTIFY_EVENT_INODE, new_name, ++ fs_cookie); + + if (target) + fsnotify_link_count(target); +diff --git a/include/linux/kernel.h b/include/linux/kernel.h +index 0b8ca35..dcf6a8b 100644 +--- a/include/linux/kernel.h ++++ b/include/linux/kernel.h +@@ -679,6 +679,7 @@ static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { } + #define BUILD_BUG_ON_ZERO(e) (0) + #define BUILD_BUG_ON_NULL(e) ((void*)0) + #define BUILD_BUG_ON(condition) ++#define BUILD_BUG() (0) + #else /* __CHECKER__ */ + + /* Force a compilation error if a constant expression is not a power of 2 */ +@@ -717,6 +718,21 @@ extern int __build_bug_on_failed; + if (condition) __build_bug_on_failed = 1; \ + } while(0) + #endif ++ ++/** ++ * BUILD_BUG - break compile if used. ++ * ++ * If you have some code that you expect the compiler to eliminate at ++ * build time, you should use BUILD_BUG to detect if it is ++ * unexpectedly used. ++ */ ++#define BUILD_BUG() \ ++ do { \ ++ extern void __build_bug_failed(void) \ ++ __linktime_error("BUILD_BUG failed"); \ ++ __build_bug_failed(); \ ++ } while (0) ++ + #endif /* __CHECKER__ */ + + /* Trap pasters of __FUNCTION__ at compile-time */ +diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h +index 0daa46b..4fc3e5d 100644 +--- a/include/linux/usb/hcd.h ++++ b/include/linux/usb/hcd.h +@@ -128,6 +128,8 @@ struct usb_hcd { + unsigned wireless:1; /* Wireless USB HCD */ + unsigned authorized_default:1; + unsigned has_tt:1; /* Integrated TT in root hub */ ++ unsigned cant_recv_wakeups:1; ++ /* wakeup requests from downstream aren't received */ + + int irq; /* irq allocated */ + void __iomem *regs; /* device memory/io */ +@@ -401,6 +403,7 @@ extern const struct dev_pm_ops usb_hcd_pci_pm_ops; + #endif /* CONFIG_PCI */ + + /* pci-ish (pdev null is ok) buffer alloc/mapping support */ ++void usb_init_pool_max(void); + int hcd_buffer_create(struct usb_hcd *hcd); + void hcd_buffer_destroy(struct usb_hcd *hcd); + +diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h +index 2dcf317..d918074 100644 +--- a/include/net/netfilter/nf_conntrack_extend.h ++++ b/include/net/netfilter/nf_conntrack_extend.h +@@ -33,8 +33,8 @@ enum nf_ct_ext_id { + /* Extensions: optional stuff which isn't permanently in struct. */ + struct nf_ct_ext { + struct rcu_head rcu; +- u8 offset[NF_CT_EXT_NUM]; +- u8 len; ++ u16 offset[NF_CT_EXT_NUM]; ++ u16 len; + char data[0]; + }; + +diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c +index 63786e7..f56af55 100644 +--- a/kernel/debug/kdb/kdb_main.c ++++ b/kernel/debug/kdb/kdb_main.c +@@ -2595,7 +2595,7 @@ static int kdb_summary(int argc, const char **argv) + #define K(x) ((x) << (PAGE_SHIFT - 10)) + kdb_printf("\nMemTotal: %8lu kB\nMemFree: %8lu kB\n" + "Buffers: %8lu kB\n", +- val.totalram, val.freeram, val.bufferram); ++ K(val.totalram), K(val.freeram), K(val.bufferram)); + return 0; + } + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 2a4bf43..4277095 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -3956,6 +3956,13 @@ static void perf_pending_event(struct irq_work *entry) + { + struct perf_event *event = container_of(entry, + struct perf_event, pending); ++ int rctx; ++ ++ rctx = perf_swevent_get_recursion_context(); ++ /* ++ * If we 'fail' here, that's OK, it means recursion is already disabled ++ * and we won't recurse 'further'. ++ */ + + if (event->pending_disable) { + event->pending_disable = 0; +@@ -3966,6 +3973,9 @@ static void perf_pending_event(struct irq_work *entry) + event->pending_wakeup = 0; + perf_event_wakeup(event); + } ++ ++ if (rctx >= 0) ++ perf_swevent_put_recursion_context(rctx); + } + + /* +diff --git a/kernel/printk.c b/kernel/printk.c +index 8fac434..c073f43 100644 +--- a/kernel/printk.c ++++ b/kernel/printk.c +@@ -123,7 +123,7 @@ static struct console *exclusive_console; + */ + struct console_cmdline + { +- char name[8]; /* Name of the driver */ ++ char name[16]; /* Name of the driver */ + int index; /* Minor dev. to use */ + char *options; /* Options for the driver */ + #ifdef CONFIG_A11Y_BRAILLE_CONSOLE +@@ -1477,6 +1477,7 @@ void register_console(struct console *newcon) + */ + for (i = 0; i < MAX_CMDLINECONSOLES && console_cmdline[i].name[0]; + i++) { ++ BUILD_BUG_ON(sizeof(console_cmdline[i].name) != sizeof(newcon->name)); + if (strcmp(console_cmdline[i].name, newcon->name) != 0) + continue; + if (newcon->index >= 0 && +diff --git a/kernel/sched.c b/kernel/sched.c +index ea85b0d..fe33d0f 100644 +--- a/kernel/sched.c ++++ b/kernel/sched.c +@@ -5224,8 +5224,11 @@ void rt_mutex_setprio(struct task_struct *p, int prio) + + if (rt_prio(prio)) + p->sched_class = &rt_sched_class; +- else ++ else { ++ if (rt_prio(oldprio)) ++ p->rt.timeout = 0; + p->sched_class = &fair_sched_class; ++ } + + p->prio = prio; + +@@ -9104,6 +9107,12 @@ static inline int tg_has_rt_tasks(struct task_group *tg) + { + struct task_struct *g, *p; + ++ /* ++ * Autogroups do not have RT tasks; see autogroup_create(). ++ */ ++ if (task_group_is_autogroup(tg)) ++ return 0; ++ + do_each_thread(g, p) { + if (rt_task(p) && rt_rq_of_se(&p->rt)->tg == tg) + return 1; +diff --git a/kernel/sched_autogroup.c b/kernel/sched_autogroup.c +index f280df1..cb0a950 100644 +--- a/kernel/sched_autogroup.c ++++ b/kernel/sched_autogroup.c +@@ -86,8 +86,7 @@ static inline struct autogroup *autogroup_create(void) + * so we don't have to move tasks around upon policy change, + * or flail around trying to allocate bandwidth on the fly. + * A bandwidth exception in __sched_setscheduler() allows +- * the policy change to proceed. Thereafter, task_group() +- * returns &root_task_group, so zero bandwidth is required. ++ * the policy change to proceed. + */ + free_rt_sched_group(tg); + tg->rt_se = root_task_group.rt_se; +@@ -114,9 +113,6 @@ task_wants_autogroup(struct task_struct *p, struct task_group *tg) + if (tg != &root_task_group) + return false; + +- if (p->sched_class != &fair_sched_class) +- return false; +- + /* + * We can only assume the task group can't go away on us if + * autogroup_move_group() can see us on ->thread_group list. +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index dcbafed..08e043b 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -935,6 +935,12 @@ static __init void ftrace_profile_debugfs(struct dentry *d_tracer) + + static struct pid * const ftrace_swapper_pid = &init_struct_pid; + ++#ifdef CONFIG_FUNCTION_GRAPH_TRACER ++static int ftrace_graph_active; ++#else ++# define ftrace_graph_active 0 ++#endif ++ + static loff_t + ftrace_filter_lseek(struct file *file, loff_t offset, int whence) + { +@@ -1810,24 +1816,36 @@ static int ftrace_shutdown(struct ftrace_ops *ops, int command) + + static void ftrace_startup_sysctl(void) + { ++ int command; ++ + if (unlikely(ftrace_disabled)) + return; + + /* Force update next time */ + saved_ftrace_func = NULL; + /* ftrace_start_up is true if we want ftrace running */ +- if (ftrace_start_up) +- ftrace_run_update_code(FTRACE_UPDATE_CALLS); ++ if (ftrace_start_up) { ++ command = FTRACE_UPDATE_CALLS; ++ if (ftrace_graph_active) ++ command |= FTRACE_START_FUNC_RET; ++ ftrace_startup_enable(command); ++ } + } + + static void ftrace_shutdown_sysctl(void) + { ++ int command; ++ + if (unlikely(ftrace_disabled)) + return; + + /* ftrace_start_up is true if ftrace is running */ +- if (ftrace_start_up) +- ftrace_run_update_code(FTRACE_DISABLE_CALLS); ++ if (ftrace_start_up) { ++ command = FTRACE_DISABLE_CALLS; ++ if (ftrace_graph_active) ++ command |= FTRACE_STOP_FUNC_RET; ++ ftrace_run_update_code(command); ++ } + } + + static cycle_t ftrace_update_time; +@@ -4024,12 +4042,12 @@ ftrace_enable_sysctl(struct ctl_table *table, int write, + + if (ftrace_enabled) { + +- ftrace_startup_sysctl(); +- + /* we are starting ftrace again */ + if (ftrace_ops_list != &ftrace_list_end) + update_ftrace_function(); + ++ ftrace_startup_sysctl(); ++ + } else { + /* stopping ftrace calls (just send to ftrace_stub) */ + ftrace_trace_function = ftrace_stub; +@@ -4044,7 +4062,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write, + + #ifdef CONFIG_FUNCTION_GRAPH_TRACER + +-static int ftrace_graph_active; + static struct notifier_block ftrace_suspend_notifier; + + int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace) +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index d2c43a2..26922da 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -2418,9 +2418,10 @@ void __unmap_hugepage_range(struct vm_area_struct *vma, unsigned long start, + continue; + + /* +- * HWPoisoned hugepage is already unmapped and dropped reference ++ * Migrating hugepage or HWPoisoned hugepage is already ++ * unmapped and its refcount is dropped + */ +- if (unlikely(is_hugetlb_entry_hwpoisoned(pte))) ++ if (unlikely(!pte_present(pte))) + continue; + + page = pte_page(pte); +@@ -2798,6 +2799,7 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, + struct page *pagecache_page = NULL; + static DEFINE_MUTEX(hugetlb_instantiation_mutex); + struct hstate *h = hstate_vma(vma); ++ int need_wait_lock = 0; + + ptep = huge_pte_offset(mm, address); + if (ptep) { +@@ -2829,6 +2831,16 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, + ret = 0; + + /* ++ * entry could be a migration/hwpoison entry at this point, so this ++ * check prevents the kernel from going below assuming that we have ++ * a active hugepage in pagecache. This goto expects the 2nd page fault, ++ * and is_hugetlb_entry_(migration|hwpoisoned) check will properly ++ * handle it. ++ */ ++ if (!pte_present(entry)) ++ goto out_mutex; ++ ++ /* + * If we are going to COW the mapping later, we examine the pending + * reservations for this page now. This will ensure that any + * allocations necessary to record that reservation occur outside the +@@ -2847,29 +2859,30 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, + vma, address); + } + ++ spin_lock(&mm->page_table_lock); ++ /* Check for a racing update before calling hugetlb_cow */ ++ if (unlikely(!pte_same(entry, huge_ptep_get(ptep)))) ++ goto out_page_table_lock; ++ + /* + * hugetlb_cow() requires page locks of pte_page(entry) and + * pagecache_page, so here we need take the former one + * when page != pagecache_page or !pagecache_page. +- * Note that locking order is always pagecache_page -> page, +- * so no worry about deadlock. + */ + page = pte_page(entry); +- get_page(page); + if (page != pagecache_page) +- lock_page(page); +- +- spin_lock(&mm->page_table_lock); +- /* Check for a racing update before calling hugetlb_cow */ +- if (unlikely(!pte_same(entry, huge_ptep_get(ptep)))) +- goto out_page_table_lock; ++ if (!trylock_page(page)) { ++ need_wait_lock = 1; ++ goto out_page_table_lock; ++ } + ++ get_page(page); + + if (flags & FAULT_FLAG_WRITE) { + if (!pte_write(entry)) { + ret = hugetlb_cow(mm, vma, address, ptep, entry, + pagecache_page); +- goto out_page_table_lock; ++ goto out_put_page; + } + entry = pte_mkdirty(entry); + } +@@ -2877,7 +2890,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, + if (huge_ptep_set_access_flags(vma, address, ptep, entry, + flags & FAULT_FLAG_WRITE)) + update_mmu_cache(vma, address, ptep); +- ++out_put_page: ++ if (page != pagecache_page) ++ unlock_page(page); ++ put_page(page); + out_page_table_lock: + spin_unlock(&mm->page_table_lock); + +@@ -2885,13 +2901,18 @@ out_page_table_lock: + unlock_page(pagecache_page); + put_page(pagecache_page); + } +- if (page != pagecache_page) +- unlock_page(page); +- put_page(page); +- + out_mutex: + mutex_unlock(&hugetlb_instantiation_mutex); + ++ /* ++ * Generally it's safe to hold refcount during waiting page lock. But ++ * here we just wait to defer the next page fault to avoid busy loop and ++ * the page is not used after unlocked before returning from the current ++ * page fault. So we are safe from accessing freed page, even if we wait ++ * here without taking refcount. ++ */ ++ if (need_wait_lock) ++ wait_on_page_locked(page); + return ret; + } + +@@ -3017,7 +3038,22 @@ void hugetlb_change_protection(struct vm_area_struct *vma, + continue; + if (huge_pmd_unshare(mm, &address, ptep)) + continue; +- if (!huge_pte_none(huge_ptep_get(ptep))) { ++ pte = huge_ptep_get(ptep); ++ if (unlikely(is_hugetlb_entry_hwpoisoned(pte))) ++ continue; ++ if (unlikely(is_hugetlb_entry_migration(pte))) { ++ swp_entry_t entry = pte_to_swp_entry(pte); ++ ++ if (is_write_migration_entry(entry)) { ++ pte_t newpte; ++ ++ make_migration_entry_read(&entry); ++ newpte = swp_entry_to_pte(entry); ++ set_huge_pte_at(mm, address, ptep, newpte); ++ } ++ continue; ++ } ++ if (!huge_pte_none(pte)) { + pte = huge_ptep_get_and_clear(mm, address, ptep); + pte = pte_mkhuge(pte_modify(pte, newprot)); + set_huge_pte_at(mm, address, ptep, pte); +diff --git a/mm/memory.c b/mm/memory.c +index 0a7bb38..452b8ba 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -3831,7 +3831,7 @@ int generic_access_phys(struct vm_area_struct *vma, unsigned long addr, + if (follow_phys(vma, addr, write, &prot, &phys_addr)) + return -EINVAL; + +- maddr = ioremap_prot(phys_addr, PAGE_SIZE, prot); ++ maddr = ioremap_prot(phys_addr, PAGE_ALIGN(len + offset), prot); + if (write) + memcpy_toio(maddr + offset, buf, len); + else +diff --git a/mm/mmap.c b/mm/mmap.c +index 13b5685..94f4e34 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -111,7 +111,7 @@ struct percpu_counter vm_committed_as ____cacheline_aligned_in_smp; + */ + int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin) + { +- unsigned long free, allowed; ++ long free, allowed; + + vm_acct_memory(pages); + +@@ -541,10 +541,8 @@ again: remove_next = 1 + (end > next->vm_end); + + importer->anon_vma = exporter->anon_vma; + error = anon_vma_clone(importer, exporter); +- if (error) { +- importer->anon_vma = NULL; ++ if (error) + return error; +- } + } + } + +diff --git a/mm/nommu.c b/mm/nommu.c +index 1db7971..d0cb11f 100644 +--- a/mm/nommu.c ++++ b/mm/nommu.c +@@ -1885,7 +1885,7 @@ EXPORT_SYMBOL(unmap_mapping_range); + */ + int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin) + { +- unsigned long free, allowed; ++ long free, allowed; + + vm_acct_memory(pages); + +diff --git a/mm/page-writeback.c b/mm/page-writeback.c +index aad22aa..1bf1f74 100644 +--- a/mm/page-writeback.c ++++ b/mm/page-writeback.c +@@ -661,8 +661,11 @@ static void bdi_update_write_bandwidth(struct backing_dev_info *bdi, + * bw * elapsed + write_bandwidth * (period - elapsed) + * write_bandwidth = --------------------------------------------------- + * period ++ * ++ * @written may have decreased due to account_page_redirty(). ++ * Avoid underflowing @bw calculation. + */ +- bw = written - bdi->written_stamp; ++ bw = written - min(written, bdi->written_stamp); + bw *= HZ; + if (unlikely(elapsed > period)) { + do_div(bw, elapsed); +@@ -726,7 +729,7 @@ static void global_update_bandwidth(unsigned long thresh, + unsigned long now) + { + static DEFINE_SPINLOCK(dirty_lock); +- static unsigned long update_time; ++ static unsigned long update_time = INITIAL_JIFFIES; + + /* + * check locklessly first to optimize away locking for the most time +diff --git a/mm/rmap.c b/mm/rmap.c +index 2c4ee3e..98f0bf7f 100644 +--- a/mm/rmap.c ++++ b/mm/rmap.c +@@ -295,6 +295,13 @@ int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src) + return 0; + + enomem_failure: ++ /* ++ * dst->anon_vma is dropped here otherwise its degree can be incorrectly ++ * decremented in unlink_anon_vmas(). ++ * We can safely do this because callers of anon_vma_clone() don't care ++ * about dst->anon_vma if anon_vma_clone() failed. ++ */ ++ dst->anon_vma = NULL; + unlink_anon_vmas(dst); + return -ENOMEM; + } +diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c +index 7fac75f..7eed9eb 100644 +--- a/net/caif/caif_socket.c ++++ b/net/caif/caif_socket.c +@@ -317,7 +317,7 @@ static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock, + int copylen; + + ret = -EOPNOTSUPP; +- if (m->msg_flags&MSG_OOB) ++ if (flags & MSG_OOB) + goto read_error; + + skb = skb_recv_datagram(sk, flags, 0 , &ret); +diff --git a/net/can/af_can.c b/net/can/af_can.c +index 0ce2ad0..7d9dff222 100644 +--- a/net/can/af_can.c ++++ b/net/can/af_can.c +@@ -244,6 +244,9 @@ int can_send(struct sk_buff *skb, int loop) + } + + skb->protocol = htons(ETH_P_CAN); ++ skb->ip_summed = CHECKSUM_UNNECESSARY; ++ ++ skb_reset_mac_header(skb); + skb_reset_network_header(skb); + skb_reset_transport_header(skb); + +diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c +index a70f426..2df98a6 100644 +--- a/net/ceph/osd_client.c ++++ b/net/ceph/osd_client.c +@@ -678,12 +678,22 @@ static void put_osd(struct ceph_osd *osd) + */ + static void __remove_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd) + { +- dout("__remove_osd %p\n", osd); ++ dout("%s %p osd%d\n", __func__, osd, osd->o_osd); + BUG_ON(!list_empty(&osd->o_requests)); +- rb_erase(&osd->o_node, &osdc->osds); + list_del_init(&osd->o_osd_lru); +- ceph_con_close(&osd->o_con); +- put_osd(osd); ++ rb_erase(&osd->o_node, &osdc->osds); ++ RB_CLEAR_NODE(&osd->o_node); ++} ++ ++static void remove_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd) ++{ ++ dout("%s %p osd%d\n", __func__, osd, osd->o_osd); ++ ++ if (!RB_EMPTY_NODE(&osd->o_node)) { ++ ceph_con_close(&osd->o_con); ++ __remove_osd(osdc, osd); ++ put_osd(osd); ++ } + } + + static void remove_all_osds(struct ceph_osd_client *osdc) +@@ -693,7 +703,7 @@ static void remove_all_osds(struct ceph_osd_client *osdc) + while (!RB_EMPTY_ROOT(&osdc->osds)) { + struct ceph_osd *osd = rb_entry(rb_first(&osdc->osds), + struct ceph_osd, o_node); +- __remove_osd(osdc, osd); ++ remove_osd(osdc, osd); + } + mutex_unlock(&osdc->request_mutex); + } +@@ -723,7 +733,7 @@ static void remove_old_osds(struct ceph_osd_client *osdc) + list_for_each_entry_safe(osd, nosd, &osdc->osd_lru, o_osd_lru) { + if (time_before(jiffies, osd->lru_ttl)) + break; +- __remove_osd(osdc, osd); ++ remove_osd(osdc, osd); + } + mutex_unlock(&osdc->request_mutex); + } +@@ -739,7 +749,7 @@ static int __reset_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd) + dout("__reset_osd %p osd%d\n", osd, osd->o_osd); + if (list_empty(&osd->o_requests) && + list_empty(&osd->o_linger_requests)) { +- __remove_osd(osdc, osd); ++ remove_osd(osdc, osd); + } else if (memcmp(&osdc->osdmap->osd_addr[osd->o_osd], + &osd->o_con.peer_addr, + sizeof(osd->o_con.peer_addr)) == 0 && +@@ -1271,6 +1281,7 @@ static void reset_changed_osds(struct ceph_osd_client *osdc) + { + struct rb_node *p, *n; + ++ dout("%s %p\n", __func__, osdc); + for (p = rb_first(&osdc->osds); p; p = n) { + struct ceph_osd *osd = rb_entry(p, struct ceph_osd, o_node); + +diff --git a/net/compat.c b/net/compat.c +index 759e542..f06994d 100644 +--- a/net/compat.c ++++ b/net/compat.c +@@ -71,6 +71,13 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) + __get_user(kmsg->msg_controllen, &umsg->msg_controllen) || + __get_user(kmsg->msg_flags, &umsg->msg_flags)) + return -EFAULT; ++ ++ if (!tmp1) ++ kmsg->msg_namelen = 0; ++ ++ if (kmsg->msg_namelen < 0) ++ return -EINVAL; ++ + if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) + kmsg->msg_namelen = sizeof(struct sockaddr_storage); + kmsg->msg_name = compat_ptr(tmp1); +@@ -737,24 +744,18 @@ static unsigned char nas[21] = { + + asmlinkage long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned flags) + { +- if (flags & MSG_CMSG_COMPAT) +- return -EINVAL; + return __sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); + } + + asmlinkage long compat_sys_sendmmsg(int fd, struct compat_mmsghdr __user *mmsg, + unsigned vlen, unsigned int flags) + { +- if (flags & MSG_CMSG_COMPAT) +- return -EINVAL; + return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT); + } + + asmlinkage long compat_sys_recvmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags) + { +- if (flags & MSG_CMSG_COMPAT) +- return -EINVAL; + return __sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); + } + +@@ -777,9 +778,6 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, + int datagrams; + struct timespec ktspec; + +- if (flags & MSG_CMSG_COMPAT) +- return -EINVAL; +- + if (timeout == NULL) + return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, NULL); +diff --git a/net/core/dev.c b/net/core/dev.c +index fcb5133..1c0d862 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -859,7 +859,7 @@ int dev_valid_name(const char *name) + return 0; + + while (*name) { +- if (*name == '/' || isspace(*name)) ++ if (*name == '/' || *name == ':' || isspace(*name)) + return 0; + name++; + } +@@ -6338,10 +6338,20 @@ static int dev_cpu_callback(struct notifier_block *nfb, + oldsd->output_queue = NULL; + oldsd->output_queue_tailp = &oldsd->output_queue; + } +- /* Append NAPI poll list from offline CPU. */ +- if (!list_empty(&oldsd->poll_list)) { +- list_splice_init(&oldsd->poll_list, &sd->poll_list); +- raise_softirq_irqoff(NET_RX_SOFTIRQ); ++ /* Append NAPI poll list from offline CPU, with one exception : ++ * process_backlog() must be called by cpu owning percpu backlog. ++ * We properly handle process_queue & input_pkt_queue later. ++ */ ++ while (!list_empty(&oldsd->poll_list)) { ++ struct napi_struct *napi = list_first_entry(&oldsd->poll_list, ++ struct napi_struct, ++ poll_list); ++ ++ list_del_init(&napi->poll_list); ++ if (napi->poll == process_backlog) ++ napi->state = 0; ++ else ++ ____napi_schedule(sd, napi); + } + + raise_softirq_irqoff(NET_TX_SOFTIRQ); +@@ -6352,7 +6362,7 @@ static int dev_cpu_callback(struct notifier_block *nfb, + netif_rx(skb); + input_queue_head_incr(oldsd); + } +- while ((skb = __skb_dequeue(&oldsd->input_pkt_queue))) { ++ while ((skb = skb_dequeue(&oldsd->input_pkt_queue))) { + netif_rx(skb); + input_queue_head_incr(oldsd); + } +diff --git a/net/core/gen_stats.c b/net/core/gen_stats.c +index 0452eb2..91080c1 100644 +--- a/net/core/gen_stats.c ++++ b/net/core/gen_stats.c +@@ -31,6 +31,9 @@ gnet_stats_copy(struct gnet_dump *d, int type, void *buf, int size) + return 0; + + nla_put_failure: ++ kfree(d->xstats); ++ d->xstats = NULL; ++ d->xstats_len = 0; + spin_unlock_bh(d->lock); + return -1; + } +@@ -204,7 +207,9 @@ int + gnet_stats_copy_app(struct gnet_dump *d, void *st, int len) + { + if (d->compat_xstats) { +- d->xstats = st; ++ d->xstats = kmemdup(st, len, GFP_ATOMIC); ++ if (!d->xstats) ++ goto err_out; + d->xstats_len = len; + } + +@@ -212,6 +217,11 @@ gnet_stats_copy_app(struct gnet_dump *d, void *st, int len) + return gnet_stats_copy(d, TCA_STATS_APP, st, len); + + return 0; ++ ++err_out: ++ d->xstats_len = 0; ++ spin_unlock_bh(d->lock); ++ return -1; + } + EXPORT_SYMBOL(gnet_stats_copy_app); + +@@ -244,6 +254,9 @@ gnet_stats_finish_copy(struct gnet_dump *d) + return -1; + } + ++ kfree(d->xstats); ++ d->xstats = NULL; ++ d->xstats_len = 0; + spin_unlock_bh(d->lock); + return 0; + } +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 0900a17..5b412f0 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1152,14 +1152,10 @@ static const struct nla_policy ifla_vfinfo_policy[IFLA_VF_INFO_MAX+1] = { + }; + + static const struct nla_policy ifla_vf_policy[IFLA_VF_MAX+1] = { +- [IFLA_VF_MAC] = { .type = NLA_BINARY, +- .len = sizeof(struct ifla_vf_mac) }, +- [IFLA_VF_VLAN] = { .type = NLA_BINARY, +- .len = sizeof(struct ifla_vf_vlan) }, +- [IFLA_VF_TX_RATE] = { .type = NLA_BINARY, +- .len = sizeof(struct ifla_vf_tx_rate) }, +- [IFLA_VF_SPOOFCHK] = { .type = NLA_BINARY, +- .len = sizeof(struct ifla_vf_spoofchk) }, ++ [IFLA_VF_MAC] = { .len = sizeof(struct ifla_vf_mac) }, ++ [IFLA_VF_VLAN] = { .len = sizeof(struct ifla_vf_vlan) }, ++ [IFLA_VF_TX_RATE] = { .len = sizeof(struct ifla_vf_tx_rate) }, ++ [IFLA_VF_SPOOFCHK] = { .len = sizeof(struct ifla_vf_spoofchk) }, + }; + + static const struct nla_policy ifla_port_policy[IFLA_PORT_MAX+1] = { +@@ -1705,10 +1701,10 @@ static int rtnl_group_changelink(struct net *net, int group, + struct ifinfomsg *ifm, + struct nlattr **tb) + { +- struct net_device *dev; ++ struct net_device *dev, *aux; + int err; + +- for_each_netdev(net, dev) { ++ for_each_netdev_safe(net, dev, aux) { + if (dev->group == group) { + err = do_setlink(dev, ifm, tb, NULL, 0); + if (err < 0) +@@ -1864,8 +1860,16 @@ replay: + goto out; + + err = rtnl_configure_link(dev, ifm); +- if (err < 0) +- unregister_netdevice(dev); ++ if (err < 0) { ++ if (ops->newlink) { ++ LIST_HEAD(list_kill); ++ ++ ops->dellink(dev, &list_kill); ++ unregister_netdevice_many(&list_kill); ++ } else { ++ unregister_netdevice(dev); ++ } ++ } + out: + put_net(dest_net); + return err; +diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c +index f0bdd36..f9496c4 100644 +--- a/net/core/sysctl_net_core.c ++++ b/net/core/sysctl_net_core.c +@@ -21,6 +21,8 @@ + + static int zero = 0; + static int ushort_max = USHRT_MAX; ++static int min_sndbuf = SOCK_MIN_SNDBUF; ++static int min_rcvbuf = SOCK_MIN_RCVBUF; + + #ifdef CONFIG_RPS + static int rps_sock_flow_sysctl(ctl_table *table, int write, +@@ -89,28 +91,32 @@ static struct ctl_table net_core_table[] = { + .data = &sysctl_wmem_max, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &min_sndbuf, + }, + { + .procname = "rmem_max", + .data = &sysctl_rmem_max, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &min_rcvbuf, + }, + { + .procname = "wmem_default", + .data = &sysctl_wmem_default, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &min_sndbuf, + }, + { + .procname = "rmem_default", + .data = &sysctl_rmem_default, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &min_rcvbuf, + }, + { + .procname = "dev_weight", +diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c +index 29a07b6..bcd78a3 100644 +--- a/net/ipv4/ip_forward.c ++++ b/net/ipv4/ip_forward.c +@@ -57,6 +57,9 @@ int ip_forward(struct sk_buff *skb) + struct rtable *rt; /* Route we use */ + struct ip_options * opt = &(IPCB(skb)->opt); + ++ if (unlikely(skb->sk)) ++ goto drop; ++ + if (skb_warn_if_lro(skb)) + goto drop; + +diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c +index 8f441b2..16e25a4 100644 +--- a/net/ipv4/ip_fragment.c ++++ b/net/ipv4/ip_fragment.c +@@ -692,27 +692,30 @@ EXPORT_SYMBOL(ip_defrag); + struct sk_buff *ip_check_defrag(struct sk_buff *skb, u32 user) + { + struct iphdr iph; ++ int netoff; + u32 len; + + if (skb->protocol != htons(ETH_P_IP)) + return skb; + +- if (!skb_copy_bits(skb, 0, &iph, sizeof(iph))) ++ netoff = skb_network_offset(skb); ++ ++ if (skb_copy_bits(skb, netoff, &iph, sizeof(iph)) < 0) + return skb; + + if (iph.ihl < 5 || iph.version != 4) + return skb; + + len = ntohs(iph.tot_len); +- if (skb->len < len || len < (iph.ihl * 4)) ++ if (skb->len < netoff + len || len < (iph.ihl * 4)) + return skb; + + if (ip_is_fragment(&iph)) { + skb = skb_share_check(skb, GFP_ATOMIC); + if (skb) { +- if (!pskb_may_pull(skb, iph.ihl*4)) ++ if (!pskb_may_pull(skb, netoff + iph.ihl * 4)) + return skb; +- if (pskb_trim_rcsum(skb, len)) ++ if (pskb_trim_rcsum(skb, netoff + len)) + return skb; + memset(IPCB(skb), 0, sizeof(struct inet_skb_parm)); + if (ip_defrag(skb, user)) +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index bf2e54b..013f59b 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -834,7 +834,8 @@ static int __ip_append_data(struct sock *sk, + cork->length += length; + if (((length > mtu) || (skb && skb_has_frags(skb))) && + (sk->sk_protocol == IPPROTO_UDP) && +- (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len) { ++ (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len && ++ (sk->sk_type == SOCK_DGRAM)) { + err = ip_ufo_append_data(sk, queue, getfrag, from, length, + hh_len, fragheaderlen, transhdrlen, + maxfraglen, flags); +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c +index 542a9c1..043d882 100644 +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -416,15 +416,11 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + + memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); + sin = &errhdr.offender; +- sin->sin_family = AF_UNSPEC; ++ memset(sin, 0, sizeof(*sin)); + if (serr->ee.ee_origin == SO_EE_ORIGIN_ICMP) { +- struct inet_sock *inet = inet_sk(sk); +- + sin->sin_family = AF_INET; + sin->sin_addr.s_addr = ip_hdr(skb)->saddr; +- sin->sin_port = 0; +- memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); +- if (inet->cmsg_flags) ++ if (inet_sk(sk)->cmsg_flags) + ip_cmsg_recv(msg, skb); + } + +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index d495d4b..7aa6225 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -139,6 +139,7 @@ static void ping_v4_unhash(struct sock *sk) + if (sk_hashed(sk)) { + write_lock_bh(&ping_table.lock); + hlist_nulls_del(&sk->sk_nulls_node); ++ sk_nulls_node_init(&sk->sk_nulls_node); + sock_put(sk); + isk->inet_num = isk->inet_sport = 0; + sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1); +@@ -257,6 +258,11 @@ static int ping_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) + if (addr_len < sizeof(struct sockaddr_in)) + return -EINVAL; + ++ if (addr->sin_family != AF_INET && ++ !(addr->sin_family == AF_UNSPEC && ++ addr->sin_addr.s_addr == htonl(INADDR_ANY))) ++ return -EAFNOSUPPORT; ++ + pr_debug("ping_v4_bind(sk=%p,sa_addr=%08x,sa_port=%d)\n", + sk, addr->sin_addr.s_addr, ntohs(addr->sin_port)); + +@@ -504,7 +510,7 @@ static int ping_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + if (msg->msg_namelen < sizeof(*usin)) + return -EINVAL; + if (usin->sin_family != AF_INET) +- return -EINVAL; ++ return -EAFNOSUPPORT; + daddr = usin->sin_addr.s_addr; + /* no remote port */ + } else { +@@ -716,8 +722,11 @@ void ping_rcv(struct sk_buff *skb) + sk = ping_v4_lookup(net, saddr, daddr, ntohs(icmph->un.echo.id), + skb->dev->ifindex); + if (sk != NULL) { ++ struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC); ++ + pr_debug("rcv on socket %p\n", sk); +- ping_queue_rcv_skb(sk, skb_get(skb)); ++ if (skb2) ++ ping_queue_rcv_skb(sk, skb2); + sock_put(sk); + return; + } +diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c +index 739b073..253dd80 100644 +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -24,7 +24,7 @@ + #include <net/inet_frag.h> + #include <net/ping.h> + +-static int zero; ++static int one = 1; + static int tcp_retr1_max = 255; + static int ip_local_port_range_min[] = { 1, 1 }; + static int ip_local_port_range_max[] = { 65535, 65535 }; +@@ -448,14 +448,16 @@ static struct ctl_table ipv4_table[] = { + .data = &sysctl_tcp_wmem, + .maxlen = sizeof(sysctl_tcp_wmem), + .mode = 0644, +- .proc_handler = proc_dointvec ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &one, + }, + { + .procname = "tcp_rmem", + .data = &sysctl_tcp_rmem, + .maxlen = sizeof(sysctl_tcp_rmem), + .mode = 0644, +- .proc_handler = proc_dointvec ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &one, + }, + { + .procname = "tcp_app_win", +@@ -662,7 +664,7 @@ static struct ctl_table ipv4_table[] = { + .maxlen = sizeof(sysctl_udp_rmem_min), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &zero ++ .extra1 = &one + }, + { + .procname = "udp_wmem_min", +@@ -670,7 +672,7 @@ static struct ctl_table ipv4_table[] = { + .maxlen = sizeof(sysctl_udp_wmem_min), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &zero ++ .extra1 = &one + }, + { } + }; +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 3a37f54..e614810 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2320,33 +2320,40 @@ begin_fwd: + } + } + +-/* Send a fin. The caller locks the socket for us. This cannot be +- * allowed to fail queueing a FIN frame under any circumstances. ++/* Send a FIN. The caller locks the socket for us. ++ * We should try to send a FIN packet really hard, but eventually give up. + */ + void tcp_send_fin(struct sock *sk) + { ++ struct sk_buff *skb, *tskb = tcp_write_queue_tail(sk); + struct tcp_sock *tp = tcp_sk(sk); +- struct sk_buff *skb = tcp_write_queue_tail(sk); +- int mss_now; + +- /* Optimization, tack on the FIN if we have a queue of +- * unsent frames. But be careful about outgoing SACKS +- * and IP options. ++ /* Optimization, tack on the FIN if we have one skb in write queue and ++ * this skb was not yet sent, or we are under memory pressure. ++ * Note: in the latter case, FIN packet will be sent after a timeout, ++ * as TCP stack thinks it has already been transmitted. + */ +- mss_now = tcp_current_mss(sk); +- +- if (tcp_send_head(sk) != NULL) { +- TCP_SKB_CB(skb)->tcp_flags |= TCPHDR_FIN; +- TCP_SKB_CB(skb)->end_seq++; ++ if (tskb && (tcp_send_head(sk) || tcp_memory_pressure)) { ++coalesce: ++ TCP_SKB_CB(tskb)->tcp_flags |= TCPHDR_FIN; ++ TCP_SKB_CB(tskb)->end_seq++; + tp->write_seq++; ++ if (!tcp_send_head(sk)) { ++ /* This means tskb was already sent. ++ * Pretend we included the FIN on previous transmit. ++ * We need to set tp->snd_nxt to the value it would have ++ * if FIN had been sent. This is because retransmit path ++ * does not change tp->snd_nxt. ++ */ ++ tp->snd_nxt++; ++ return; ++ } + } else { +- /* Socket is locked, keep trying until memory is available. */ +- for (;;) { +- skb = alloc_skb_fclone(MAX_TCP_HEADER, +- sk->sk_allocation); +- if (skb) +- break; +- yield(); ++ skb = alloc_skb_fclone(MAX_TCP_HEADER, sk->sk_allocation); ++ if (unlikely(!skb)) { ++ if (tskb) ++ goto coalesce; ++ return; + } + + /* Reserve space for headers and prepare control bits. */ +@@ -2356,7 +2363,7 @@ void tcp_send_fin(struct sock *sk) + TCPHDR_ACK | TCPHDR_FIN); + tcp_queue_skb(sk, skb); + } +- __tcp_push_pending_frames(sk, mss_now, TCP_NAGLE_OFF); ++ __tcp_push_pending_frames(sk, tcp_current_mss(sk), TCP_NAGLE_OFF); + } + + /* We get here when a process closes a file descriptor (either due to +@@ -2632,13 +2639,10 @@ int tcp_connect(struct sock *sk) + + tcp_connect_init(sk); + +- buff = alloc_skb_fclone(MAX_TCP_HEADER + 15, sk->sk_allocation); +- if (unlikely(buff == NULL)) ++ buff = sk_stream_alloc_skb(sk, 0, sk->sk_allocation); ++ if (unlikely(!buff)) + return -ENOBUFS; + +- /* Reserve space for headers. */ +- skb_reserve(buff, MAX_TCP_HEADER); +- + tp->snd_nxt = tp->write_seq; + tcp_init_nondata_skb(buff, tp->write_seq++, TCPHDR_SYN); + TCP_ECN_send_syn(sk, buff); +diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c +index 3c7c948..33719b7 100644 +--- a/net/ipv6/datagram.c ++++ b/net/ipv6/datagram.c +@@ -371,12 +371,10 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + + memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); + sin = &errhdr.offender; +- sin->sin6_family = AF_UNSPEC; ++ memset(sin, 0, sizeof(*sin)); ++ + if (serr->ee.ee_origin != SO_EE_ORIGIN_LOCAL) { + sin->sin6_family = AF_INET6; +- sin->sin6_flowinfo = 0; +- sin->sin6_port = 0; +- sin->sin6_scope_id = 0; + if (skb->protocol == htons(ETH_P_IPV6)) { + ipv6_addr_copy(&sin->sin6_addr, &ipv6_hdr(skb)->saddr); + if (np->rxopt.all) +@@ -384,11 +382,9 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + if (ipv6_addr_type(&sin->sin6_addr) & IPV6_ADDR_LINKLOCAL) + sin->sin6_scope_id = IP6CB(skb)->iif; + } else { +- struct inet_sock *inet = inet_sk(sk); +- + ipv6_addr_set_v4mapped(ip_hdr(skb)->saddr, + &sin->sin6_addr); +- if (inet->cmsg_flags) ++ if (inet_sk(sk)->cmsg_flags) + ip_cmsg_recv(msg, skb); + } + } +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 2215d6b..6b3edff 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1339,7 +1339,8 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, + if (((length > mtu) || + (skb && skb_has_frags(skb))) && + (sk->sk_protocol == IPPROTO_UDP) && +- (rt->dst.dev->features & NETIF_F_UFO)) { ++ (rt->dst.dev->features & NETIF_F_UFO) && ++ (sk->sk_type == SOCK_DGRAM)) { + err = ip6_ufo_append_data(sk, getfrag, from, length, + hh_len, fragheaderlen, + transhdrlen, mtu, flags, rt); +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c +index 62096d8..884d45f 100644 +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -1277,7 +1277,14 @@ static void ndisc_router_discovery(struct sk_buff *skb) + rt->rt6i_expires = jiffies + (HZ * lifetime); + + if (ra_msg->icmph.icmp6_hop_limit) { +- in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit; ++ /* Only set hop_limit on the interface if it is higher than ++ * the current hop_limit. ++ */ ++ if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) { ++ in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit; ++ } else { ++ ND_PRINTK2(KERN_WARNING "RA: Got route advertisement with lower hop_limit than current\n"); ++ } + if (rt) + dst_metric_set(&rt->dst, RTAX_HOPLIMIT, + ra_msg->icmph.icmp6_hop_limit); +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 782f67a..d89d1a6 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -106,7 +106,7 @@ static u32 *ipv6_cow_metrics(struct dst_entry *dst, unsigned long old) + u32 *p = NULL; + + if (!(rt->dst.flags & DST_HOST)) +- return NULL; ++ return dst_cow_metrics_generic(dst, old); + + if (!rt->rt6i_peer) + rt6_bind_peer(rt, 1); +@@ -1018,12 +1018,9 @@ static void ip6_rt_update_pmtu(struct dst_entry *dst, u32 mtu) + + if (mtu < dst_mtu(dst) && rt6->rt6i_dst.plen == 128) { + rt6->rt6i_flags |= RTF_MODIFIED; +- if (mtu < IPV6_MIN_MTU) { +- u32 features = dst_metric(dst, RTAX_FEATURES); ++ if (mtu < IPV6_MIN_MTU) + mtu = IPV6_MIN_MTU; +- features |= RTAX_FEATURE_ALLFRAG; +- dst_metric_set(dst, RTAX_FEATURES, features); +- } ++ + dst_metric_set(dst, RTAX_MTU, mtu); + } + } +diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c +index 253695d..cf368dd 100644 +--- a/net/irda/ircomm/ircomm_tty.c ++++ b/net/irda/ircomm/ircomm_tty.c +@@ -848,7 +848,9 @@ static void ircomm_tty_wait_until_sent(struct tty_struct *tty, int timeout) + orig_jiffies = jiffies; + + /* Set poll time to 200 ms */ +- poll_time = IRDA_MIN(timeout, msecs_to_jiffies(200)); ++ poll_time = msecs_to_jiffies(200); ++ if (timeout) ++ poll_time = min_t(unsigned long, timeout, poll_time); + + spin_lock_irqsave(&self->spinlock, flags); + while (self->tx_skb && self->tx_skb->len) { +diff --git a/net/llc/sysctl_net_llc.c b/net/llc/sysctl_net_llc.c +index e2ebe35..be078ec 100644 +--- a/net/llc/sysctl_net_llc.c ++++ b/net/llc/sysctl_net_llc.c +@@ -17,28 +17,28 @@ static struct ctl_table llc2_timeout_table[] = { + { + .procname = "ack", + .data = &sysctl_llc2_ack_timeout, +- .maxlen = sizeof(long), ++ .maxlen = sizeof(sysctl_llc2_ack_timeout), + .mode = 0644, + .proc_handler = proc_dointvec_jiffies, + }, + { + .procname = "busy", + .data = &sysctl_llc2_busy_timeout, +- .maxlen = sizeof(long), ++ .maxlen = sizeof(sysctl_llc2_busy_timeout), + .mode = 0644, + .proc_handler = proc_dointvec_jiffies, + }, + { + .procname = "p", + .data = &sysctl_llc2_p_timeout, +- .maxlen = sizeof(long), ++ .maxlen = sizeof(sysctl_llc2_p_timeout), + .mode = 0644, + .proc_handler = proc_dointvec_jiffies, + }, + { + .procname = "rej", + .data = &sysctl_llc2_rej_timeout, +- .maxlen = sizeof(long), ++ .maxlen = sizeof(sysctl_llc2_rej_timeout), + .mode = 0644, + .proc_handler = proc_dointvec_jiffies, + }, +diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c +index aea1559..6174785 100644 +--- a/net/mac80211/agg-rx.c ++++ b/net/mac80211/agg-rx.c +@@ -49,8 +49,6 @@ static void ieee80211_free_tid_rx(struct rcu_head *h) + container_of(h, struct tid_ampdu_rx, rcu_head); + int i; + +- del_timer_sync(&tid_rx->reorder_timer); +- + for (i = 0; i < tid_rx->buf_size; i++) + dev_kfree_skb(tid_rx->reorder_buf[i]); + kfree(tid_rx->reorder_buf); +@@ -91,6 +89,12 @@ void ___ieee80211_stop_rx_ba_session(struct sta_info *sta, u16 tid, + + del_timer_sync(&tid_rx->session_timer); + ++ /* make sure ieee80211_sta_reorder_release() doesn't re-arm the timer */ ++ spin_lock_bh(&tid_rx->reorder_lock); ++ tid_rx->removed = true; ++ spin_unlock_bh(&tid_rx->reorder_lock); ++ del_timer_sync(&tid_rx->reorder_timer); ++ + call_rcu(&tid_rx->rcu_head, ieee80211_free_tid_rx); + } + +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index a9cf593..8da371c5 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -53,11 +53,25 @@ struct ieee80211_local; + + #define TU_TO_EXP_TIME(x) (jiffies + usecs_to_jiffies((x) * 1024)) + +-#define IEEE80211_DEFAULT_UAPSD_QUEUES \ +- (IEEE80211_WMM_IE_STA_QOSINFO_AC_BK | \ +- IEEE80211_WMM_IE_STA_QOSINFO_AC_BE | \ +- IEEE80211_WMM_IE_STA_QOSINFO_AC_VI | \ +- IEEE80211_WMM_IE_STA_QOSINFO_AC_VO) ++/* ++ * Some APs experience problems when working with U-APSD. Decreasing the ++ * probability of that happening by using legacy mode for all ACs but VO isn't ++ * enough. ++ * ++ * Cisco 4410N originally forced us to enable VO by default only because it ++ * treated non-VO ACs as legacy. ++ * ++ * However some APs (notably Netgear R7000) silently reclassify packets to ++ * different ACs. Since u-APSD ACs require trigger frames for frame retrieval ++ * clients would never see some frames (e.g. ARP responses) or would fetch them ++ * accidentally after a long time. ++ * ++ * It makes little sense to enable u-APSD queues by default because it needs ++ * userspace applications to be aware of it to actually take advantage of the ++ * possible additional powersavings. Implicitly depending on driver autotrigger ++ * frame support doesn't make much sense. ++ */ ++#define IEEE80211_DEFAULT_UAPSD_QUEUES 0 + + #define IEEE80211_DEFAULT_MAX_SP_LEN \ + IEEE80211_WMM_IE_STA_QOSINFO_SP_ALL +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index c0444a0..7c53eff 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -670,9 +670,10 @@ static void ieee80211_sta_reorder_release(struct ieee80211_hw *hw, + + set_release_timer: + +- mod_timer(&tid_agg_rx->reorder_timer, +- tid_agg_rx->reorder_time[j] + 1 + +- HT_RX_REORDER_BUF_TIMEOUT); ++ if (!tid_agg_rx->removed) ++ mod_timer(&tid_agg_rx->reorder_timer, ++ tid_agg_rx->reorder_time[j] + 1 + ++ HT_RX_REORDER_BUF_TIMEOUT); + } else { + del_timer(&tid_agg_rx->reorder_timer); + } +@@ -1921,6 +1922,9 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx) + hdr = (struct ieee80211_hdr *) skb->data; + mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen); + ++ if (ieee80211_drop_unencrypted(rx, hdr->frame_control)) ++ return RX_DROP_MONITOR; ++ + /* frame is in RMC, don't forward */ + if (ieee80211_is_data(hdr->frame_control) && + is_multicast_ether_addr(hdr->addr1) && +diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h +index a68155f..556fbcc 100644 +--- a/net/mac80211/sta_info.h ++++ b/net/mac80211/sta_info.h +@@ -138,6 +138,7 @@ struct tid_ampdu_tx { + * @dialog_token: dialog token for aggregation session + * @rcu_head: RCU head used for freeing this struct + * @reorder_lock: serializes access to reorder buffer, see below. ++ * @removed: this session is removed (but might have been found due to RCU) + * + * This structure's lifetime is managed by RCU, assignments to + * the array holding it must hold the aggregation mutex. +@@ -160,6 +161,7 @@ struct tid_ampdu_rx { + u16 buf_size; + u16 timeout; + u8 dialog_token; ++ bool removed; + }; + + /** +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 25bbb2e..65df296 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -537,9 +537,11 @@ ieee80211_tx_h_check_control_port_protocol(struct ieee80211_tx_data *tx) + { + struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb); + +- if (unlikely(tx->sdata->control_port_protocol == tx->skb->protocol && +- tx->sdata->control_port_no_encrypt)) +- info->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT; ++ if (unlikely(tx->sdata->control_port_protocol == tx->skb->protocol)) { ++ if (tx->sdata->control_port_no_encrypt) ++ info->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT; ++ info->flags |= IEEE80211_TX_CTL_USE_MINRATE; ++ } + + return TX_CONTINUE; + } +diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c +index 6dc7d7d..d864aaf 100644 +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -662,16 +662,24 @@ static inline int ip_vs_gather_frags_v6(struct sk_buff *skb, u_int32_t user) + } + #endif + +-static int ip_vs_route_me_harder(int af, struct sk_buff *skb) ++static int ip_vs_route_me_harder(int af, struct sk_buff *skb, ++ unsigned int hooknum) + { ++ if (!sysctl_snat_reroute(skb)) ++ return 0; ++ /* Reroute replies only to remote clients (FORWARD and LOCAL_OUT) */ ++ if (NF_INET_LOCAL_IN == hooknum) ++ return 0; + #ifdef CONFIG_IP_VS_IPV6 + if (af == AF_INET6) { +- if (sysctl_snat_reroute(skb) && ip6_route_me_harder(skb) != 0) ++ struct dst_entry *dst = skb_dst(skb); ++ ++ if (dst->dev && !(dst->dev->flags & IFF_LOOPBACK) && ++ ip6_route_me_harder(skb) != 0) + return 1; + } else + #endif +- if ((sysctl_snat_reroute(skb) || +- skb_rtable(skb)->rt_flags & RTCF_LOCAL) && ++ if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) && + ip_route_me_harder(skb, RTN_LOCAL) != 0) + return 1; + +@@ -782,7 +790,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb, + union nf_inet_addr *snet, + __u8 protocol, struct ip_vs_conn *cp, + struct ip_vs_protocol *pp, +- unsigned int offset, unsigned int ihl) ++ unsigned int offset, unsigned int ihl, ++ unsigned int hooknum) + { + unsigned int verdict = NF_DROP; + +@@ -812,7 +821,7 @@ static int handle_response_icmp(int af, struct sk_buff *skb, + #endif + ip_vs_nat_icmp(skb, pp, cp, 1); + +- if (ip_vs_route_me_harder(af, skb)) ++ if (ip_vs_route_me_harder(af, skb, hooknum)) + goto out; + + /* do the statistics and put it back */ +@@ -908,7 +917,7 @@ static int ip_vs_out_icmp(struct sk_buff *skb, int *related, + + snet.ip = iph->saddr; + return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp, +- pp, offset, ihl); ++ pp, offset, ihl, hooknum); + } + + #ifdef CONFIG_IP_VS_IPV6 +@@ -985,7 +994,8 @@ static int ip_vs_out_icmp_v6(struct sk_buff *skb, int *related, + + ipv6_addr_copy(&snet.in6, &iph->saddr); + return handle_response_icmp(AF_INET6, skb, &snet, cih->nexthdr, cp, +- pp, offset, sizeof(struct ipv6hdr)); ++ pp, offset, sizeof(struct ipv6hdr), ++ hooknum); + } + #endif + +@@ -1018,7 +1028,7 @@ static inline int is_tcp_reset(const struct sk_buff *skb, int nh_len) + */ + static unsigned int + handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd, +- struct ip_vs_conn *cp, int ihl) ++ struct ip_vs_conn *cp, int ihl, unsigned int hooknum) + { + struct ip_vs_protocol *pp = pd->pp; + +@@ -1056,7 +1066,7 @@ handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd, + * if it came from this machine itself. So re-compute + * the routing information. + */ +- if (ip_vs_route_me_harder(af, skb)) ++ if (ip_vs_route_me_harder(af, skb, hooknum)) + goto drop; + + IP_VS_DBG_PKT(10, af, pp, skb, 0, "After SNAT"); +@@ -1169,7 +1179,7 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af) + cp = pp->conn_out_get(af, skb, &iph, iph.len, 0); + + if (likely(cp)) +- return handle_response(af, skb, pd, cp, iph.len); ++ return handle_response(af, skb, pd, cp, iph.len, hooknum); + if (sysctl_nat_icmp_send(net) && + (pp->protocol == IPPROTO_TCP || + pp->protocol == IPPROTO_UDP || +diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c +index 538d74e..365163f 100644 +--- a/net/netfilter/ipvs/ip_vs_ftp.c ++++ b/net/netfilter/ipvs/ip_vs_ftp.c +@@ -183,6 +183,8 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp, + struct nf_conn *ct; + struct net *net; + ++ *diff = 0; ++ + #ifdef CONFIG_IP_VS_IPV6 + /* This application helper doesn't work with IPv6 yet, + * so turn this into a no-op for IPv6 packets +@@ -191,8 +193,6 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp, + return 1; + #endif + +- *diff = 0; +- + /* Only useful for established sessions */ + if (cp->state != IP_VS_TCP_S_ESTABLISHED) + return 1; +@@ -318,6 +318,9 @@ static int ip_vs_ftp_in(struct ip_vs_app *app, struct ip_vs_conn *cp, + struct ip_vs_conn *n_cp; + struct net *net; + ++ /* no diff required for incoming packets */ ++ *diff = 0; ++ + #ifdef CONFIG_IP_VS_IPV6 + /* This application helper doesn't work with IPv6 yet, + * so turn this into a no-op for IPv6 packets +@@ -326,9 +329,6 @@ static int ip_vs_ftp_in(struct ip_vs_app *app, struct ip_vs_conn *cp, + return 1; + #endif + +- /* no diff required for incoming packets */ +- *diff = 0; +- + /* Only useful for established sessions */ + if (cp->state != IP_VS_TCP_S_ESTABLISHED) + return 1; +diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c +index 2b6678c0..2cbcc83 100644 +--- a/net/netfilter/ipvs/ip_vs_sync.c ++++ b/net/netfilter/ipvs/ip_vs_sync.c +@@ -763,6 +763,8 @@ static void ip_vs_proc_conn(struct net *net, struct ip_vs_conn_param *param, + IP_VS_DBG(2, "BACKUP, add new conn. failed\n"); + return; + } ++ if (!(flags & IP_VS_CONN_F_TEMPLATE)) ++ kfree(param->pe_data); + } else if (!cp->dest) { + dest = ip_vs_try_bind_dest(cp); + if (dest) +@@ -1064,6 +1066,7 @@ static inline int ip_vs_proc_sync_conn(struct net *net, __u8 *p, __u8 *msg_end) + (opt_flags & IPVS_OPT_F_SEQ_DATA ? &opt : NULL) + ); + #endif ++ ip_vs_pe_put(param.pe); + return 0; + /* Error exit */ + out: +diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c +index b3a7db6..6d70533 100644 +--- a/net/netfilter/nf_queue.c ++++ b/net/netfilter/nf_queue.c +@@ -233,7 +233,7 @@ int nf_queue(struct sk_buff *skb, + * returned by nf_queue. For instance, callers rely on -ECANCELED to mean + * 'ignore this hook'. + */ +- if (IS_ERR(segs)) ++ if (IS_ERR_OR_NULL(segs)) + return -EINVAL; + + queued = 0; +diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c +index fe39f7e..c4706be 100644 +--- a/net/netfilter/xt_socket.c ++++ b/net/netfilter/xt_socket.c +@@ -205,12 +205,13 @@ static int + extract_icmp6_fields(const struct sk_buff *skb, + unsigned int outside_hdrlen, + int *protocol, +- struct in6_addr **raddr, +- struct in6_addr **laddr, ++ const struct in6_addr **raddr, ++ const struct in6_addr **laddr, + __be16 *rport, +- __be16 *lport) ++ __be16 *lport, ++ struct ipv6hdr *ipv6_var) + { +- struct ipv6hdr *inside_iph, _inside_iph; ++ const struct ipv6hdr *inside_iph; + struct icmp6hdr *icmph, _icmph; + __be16 *ports, _ports[2]; + u8 inside_nexthdr; +@@ -224,12 +225,15 @@ extract_icmp6_fields(const struct sk_buff *skb, + if (icmph->icmp6_type & ICMPV6_INFOMSG_MASK) + return 1; + +- inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph), sizeof(_inside_iph), &_inside_iph); ++ inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph), ++ sizeof(*ipv6_var), ipv6_var); + if (inside_iph == NULL) + return 1; + inside_nexthdr = inside_iph->nexthdr; + +- inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) + sizeof(_inside_iph), &inside_nexthdr); ++ inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) + ++ sizeof(*ipv6_var), ++ &inside_nexthdr); + if (inside_hdrlen < 0) + return 1; /* hjm: Packet has no/incomplete transport layer headers. */ + +@@ -256,10 +260,10 @@ extract_icmp6_fields(const struct sk_buff *skb, + static bool + socket_mt6_v1(const struct sk_buff *skb, struct xt_action_param *par) + { +- struct ipv6hdr *iph = ipv6_hdr(skb); ++ struct ipv6hdr ipv6_var, *iph = ipv6_hdr(skb); + struct udphdr _hdr, *hp = NULL; + struct sock *sk; +- struct in6_addr *daddr, *saddr; ++ const struct in6_addr *daddr, *saddr; + __be16 dport, sport; + int thoff, tproto; + const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo; +@@ -283,7 +287,7 @@ socket_mt6_v1(const struct sk_buff *skb, struct xt_action_param *par) + + } else if (tproto == IPPROTO_ICMPV6) { + if (extract_icmp6_fields(skb, thoff, &tproto, &saddr, &daddr, +- &sport, &dport)) ++ &sport, &dport, &ipv6_var)) + return false; + } else { + return false; +diff --git a/net/rds/iw_rdma.c b/net/rds/iw_rdma.c +index 4e1de17..83725f3 100644 +--- a/net/rds/iw_rdma.c ++++ b/net/rds/iw_rdma.c +@@ -88,7 +88,9 @@ static unsigned int rds_iw_unmap_fastreg_list(struct rds_iw_mr_pool *pool, + int *unpinned); + static void rds_iw_destroy_fastreg(struct rds_iw_mr_pool *pool, struct rds_iw_mr *ibmr); + +-static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwdev, struct rdma_cm_id **cm_id) ++static int rds_iw_get_device(struct sockaddr_in *src, struct sockaddr_in *dst, ++ struct rds_iw_device **rds_iwdev, ++ struct rdma_cm_id **cm_id) + { + struct rds_iw_device *iwdev; + struct rds_iw_cm_id *i_cm_id; +@@ -112,15 +114,15 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd + src_addr->sin_port, + dst_addr->sin_addr.s_addr, + dst_addr->sin_port, +- rs->rs_bound_addr, +- rs->rs_bound_port, +- rs->rs_conn_addr, +- rs->rs_conn_port); ++ src->sin_addr.s_addr, ++ src->sin_port, ++ dst->sin_addr.s_addr, ++ dst->sin_port); + #ifdef WORKING_TUPLE_DETECTION +- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr && +- src_addr->sin_port == rs->rs_bound_port && +- dst_addr->sin_addr.s_addr == rs->rs_conn_addr && +- dst_addr->sin_port == rs->rs_conn_port) { ++ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr && ++ src_addr->sin_port == src->sin_port && ++ dst_addr->sin_addr.s_addr == dst->sin_addr.s_addr && ++ dst_addr->sin_port == dst->sin_port) { + #else + /* FIXME - needs to compare the local and remote + * ipaddr/port tuple, but the ipaddr is the only +@@ -128,7 +130,7 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd + * zero'ed. It doesn't appear to be properly populated + * during connection setup... + */ +- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr) { ++ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr) { + #endif + spin_unlock_irq(&iwdev->spinlock); + *rds_iwdev = iwdev; +@@ -180,19 +182,13 @@ int rds_iw_update_cm_id(struct rds_iw_device *rds_iwdev, struct rdma_cm_id *cm_i + { + struct sockaddr_in *src_addr, *dst_addr; + struct rds_iw_device *rds_iwdev_old; +- struct rds_sock rs; + struct rdma_cm_id *pcm_id; + int rc; + + src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr; + dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr; + +- rs.rs_bound_addr = src_addr->sin_addr.s_addr; +- rs.rs_bound_port = src_addr->sin_port; +- rs.rs_conn_addr = dst_addr->sin_addr.s_addr; +- rs.rs_conn_port = dst_addr->sin_port; +- +- rc = rds_iw_get_device(&rs, &rds_iwdev_old, &pcm_id); ++ rc = rds_iw_get_device(src_addr, dst_addr, &rds_iwdev_old, &pcm_id); + if (rc) + rds_iw_remove_cm_id(rds_iwdev, cm_id); + +@@ -611,9 +607,17 @@ void *rds_iw_get_mr(struct scatterlist *sg, unsigned long nents, + struct rds_iw_device *rds_iwdev; + struct rds_iw_mr *ibmr = NULL; + struct rdma_cm_id *cm_id; ++ struct sockaddr_in src = { ++ .sin_addr.s_addr = rs->rs_bound_addr, ++ .sin_port = rs->rs_bound_port, ++ }; ++ struct sockaddr_in dst = { ++ .sin_addr.s_addr = rs->rs_conn_addr, ++ .sin_port = rs->rs_conn_port, ++ }; + int ret; + +- ret = rds_iw_get_device(rs, &rds_iwdev, &cm_id); ++ ret = rds_iw_get_device(&src, &dst, &rds_iwdev, &cm_id); + if (ret || !cm_id) { + ret = -ENODEV; + goto out; +diff --git a/net/rds/sysctl.c b/net/rds/sysctl.c +index 25ad0c7..065026f 100644 +--- a/net/rds/sysctl.c ++++ b/net/rds/sysctl.c +@@ -71,14 +71,14 @@ static ctl_table rds_sysctl_rds_table[] = { + { + .procname = "max_unacked_packets", + .data = &rds_sysctl_max_unacked_packets, +- .maxlen = sizeof(unsigned long), ++ .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec, + }, + { + .procname = "max_unacked_bytes", + .data = &rds_sysctl_max_unacked_bytes, +- .maxlen = sizeof(unsigned long), ++ .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec, + }, +diff --git a/net/rxrpc/ar-recvmsg.c b/net/rxrpc/ar-recvmsg.c +index 898492a..5cc2da5 100644 +--- a/net/rxrpc/ar-recvmsg.c ++++ b/net/rxrpc/ar-recvmsg.c +@@ -87,7 +87,7 @@ int rxrpc_recvmsg(struct kiocb *iocb, struct socket *sock, + if (!skb) { + /* nothing remains on the queue */ + if (copied && +- (msg->msg_flags & MSG_PEEK || timeo == 0)) ++ (flags & MSG_PEEK || timeo == 0)) + goto out; + + /* wait for a message to turn up */ +diff --git a/net/sched/ematch.c b/net/sched/ematch.c +index 88d93eb..088342f 100644 +--- a/net/sched/ematch.c ++++ b/net/sched/ematch.c +@@ -227,6 +227,7 @@ static int tcf_em_validate(struct tcf_proto *tp, + * to replay the request. + */ + module_put(em->ops->owner); ++ em->ops = NULL; + err = -EAGAIN; + } + #endif +diff --git a/net/socket.c b/net/socket.c +index 3faa358..116cf9d 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -1885,6 +1885,9 @@ static int copy_msghdr_from_user(struct msghdr *kmsg, + if (copy_from_user(kmsg, umsg, sizeof(struct msghdr))) + return -EFAULT; + ++ if (kmsg->msg_name == NULL) ++ kmsg->msg_namelen = 0; ++ + if (kmsg->msg_namelen < 0) + return -EINVAL; + +diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c +index 237a2ee..7de935a 100644 +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -909,7 +909,7 @@ static unsigned int cache_poll(struct file *filp, poll_table *wait, + poll_wait(filp, &queue_wait, wait); + + /* alway allow write */ +- mask = POLL_OUT | POLLWRNORM; ++ mask = POLLOUT | POLLWRNORM; + + if (!rp) + return mask; +diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c +index 28236ba..37e4484 100644 +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -485,7 +485,7 @@ rpcrdma_ia_open(struct rpcrdma_xprt *xprt, struct sockaddr *addr, int memreg) + if (rc) { + dprintk("RPC: %s: ib_query_device failed %d\n", + __func__, rc); +- goto out2; ++ goto out3; + } + + if (devattr.device_cap_flags & IB_DEVICE_LOCAL_DMA_LKEY) { +@@ -587,7 +587,7 @@ rpcrdma_ia_open(struct rpcrdma_xprt *xprt, struct sockaddr *addr, int memreg) + printk(KERN_ERR "%s: invalid memory registration mode %d\n", + __func__, memreg); + rc = -EINVAL; +- goto out2; ++ goto out3; + } + dprintk("RPC: %s: memory registration strategy is %d\n", + __func__, memreg); +@@ -596,6 +596,10 @@ rpcrdma_ia_open(struct rpcrdma_xprt *xprt, struct sockaddr *addr, int memreg) + ia->ri_memreg_strategy = memreg; + + return 0; ++ ++out3: ++ ib_dealloc_pd(ia->ri_pd); ++ ia->ri_pd = NULL; + out2: + rdma_destroy_id(ia->ri_id); + ia->ri_id = NULL; +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index cb4168e..e1f73b6 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -2650,6 +2650,14 @@ static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info) + if (parse_station_flags(info, ¶ms)) + return -EINVAL; + ++ /* HT requires QoS, but if we don't have that just ignore HT/VHT ++ * as userspace might just pass through the capabilities from the IEs ++ * directly, rather than enforcing this restriction and returning an ++ * error in this case. ++ */ ++ if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) ++ params.ht_capa = NULL; ++ + /* parse WME attributes if sta is WME capable */ + if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) && + (params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)) && +diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c +index 47bacd8..e49d5f4 100644 +--- a/net/xfrm/xfrm_output.c ++++ b/net/xfrm/xfrm_output.c +@@ -151,6 +151,8 @@ static int xfrm_output_gso(struct sk_buff *skb) + kfree_skb(skb); + if (IS_ERR(segs)) + return PTR_ERR(segs); ++ if (segs == NULL) ++ return -EINVAL; + + do { + struct sk_buff *nskb = segs->next; +diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c +index 4dd8dcf..bac8928 100644 +--- a/security/selinux/selinuxfs.c ++++ b/security/selinux/selinuxfs.c +@@ -150,7 +150,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf, + goto out; + + /* No partial writes. */ +- length = EINVAL; ++ length = -EINVAL; + if (*ppos != 0) + goto out; + +diff --git a/security/smack/smack.h b/security/smack/smack.h +index 2ad0065..bd88b73 100644 +--- a/security/smack/smack.h ++++ b/security/smack/smack.h +@@ -272,6 +272,16 @@ static inline char *smk_of_task(const struct task_smack *tsp) + return tsp->smk_task; + } + ++static inline char *smk_of_task_struct(const struct task_struct *t) ++{ ++ char *skp; ++ ++ rcu_read_lock(); ++ skp = smk_of_task(__task_cred(t)->security); ++ rcu_read_unlock(); ++ return skp; ++} ++ + /* + * Present a pointer to the forked smack label in an task blob. + */ +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index e3adb49..774c159 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -38,8 +38,6 @@ + #include <linux/personality.h> + #include "smack.h" + +-#define task_security(task) (task_cred_xxx((task), security)) +- + #define TRANS_TRUE "TRUE" + #define TRANS_TRUE_SIZE 4 + +@@ -161,7 +159,7 @@ static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) + if (rc != 0) + return rc; + +- tsp = smk_of_task(task_security(ctp)); ++ tsp = smk_of_task_struct(ctp); + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); + smk_ad_setfield_u_tsk(&ad, ctp); + +@@ -187,7 +185,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp) + if (rc != 0) + return rc; + +- tsp = smk_of_task(task_security(ptp)); ++ tsp = smk_of_task_struct(ptp); + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); + smk_ad_setfield_u_tsk(&ad, ptp); + +@@ -1515,7 +1513,7 @@ static int smk_curacc_on_task(struct task_struct *p, int access, + + smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); + smk_ad_setfield_u_tsk(&ad, p); +- return smk_curacc(smk_of_task(task_security(p)), access, &ad); ++ return smk_curacc(smk_of_task_struct(p), access, &ad); + } + + /** +@@ -1561,7 +1559,7 @@ static int smack_task_getsid(struct task_struct *p) + */ + static void smack_task_getsecid(struct task_struct *p, u32 *secid) + { +- *secid = smack_to_secid(smk_of_task(task_security(p))); ++ *secid = smack_to_secid(smk_of_task_struct(p)); + } + + /** +@@ -1673,7 +1671,7 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info, + * can write the receiver. + */ + if (secid == 0) +- return smk_curacc(smk_of_task(task_security(p)), MAY_WRITE, ++ return smk_curacc(smk_of_task_struct(p), MAY_WRITE, + &ad); + /* + * If the secid isn't 0 we're dealing with some USB IO +@@ -1681,7 +1679,7 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info, + * we can't take privilege into account. + */ + return smk_access(smack_from_secid(secid), +- smk_of_task(task_security(p)), MAY_WRITE, &ad); ++ smk_of_task_struct(p), MAY_WRITE, &ad); + } + + /** +@@ -1694,9 +1692,13 @@ static int smack_task_wait(struct task_struct *p) + { + struct smk_audit_info ad; + char *sp = smk_of_current(); +- char *tsp = smk_of_forked(task_security(p)); ++ char *tsp; + int rc; + ++ rcu_read_lock(); ++ tsp = smk_of_forked(__task_cred(p)->security); ++ rcu_read_unlock(); ++ + /* we don't log here, we can be overriden */ + rc = smk_access(tsp, sp, MAY_WRITE, NULL); + if (rc == 0) +@@ -1733,7 +1735,7 @@ static int smack_task_wait(struct task_struct *p) + static void smack_task_to_inode(struct task_struct *p, struct inode *inode) + { + struct inode_smack *isp = inode->i_security; +- isp->smk_inode = smk_of_task(task_security(p)); ++ isp->smk_inode = smk_of_task_struct(p); + } + + /* +@@ -2714,7 +2716,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value) + if (strcmp(name, "current") != 0) + return -EINVAL; + +- cp = kstrdup(smk_of_task(task_security(p)), GFP_KERNEL); ++ cp = kstrdup(smk_of_task_struct(p), GFP_KERNEL); + if (cp == NULL) + return -ENOMEM; + +diff --git a/sound/core/control.c b/sound/core/control.c +index 9210594..1ba5d33 100644 +--- a/sound/core/control.c ++++ b/sound/core/control.c +@@ -1164,6 +1164,10 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file, + + if (info->count < 1) + return -EINVAL; ++ if (!*info->id.name) ++ return -EINVAL; ++ if (strnlen(info->id.name, sizeof(info->id.name)) >= sizeof(info->id.name)) ++ return -EINVAL; + access = info->access == 0 ? SNDRV_CTL_ELEM_ACCESS_READWRITE : + (info->access & (SNDRV_CTL_ELEM_ACCESS_READWRITE| + SNDRV_CTL_ELEM_ACCESS_INACTIVE| +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index 638600b..8a00555 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -1382,6 +1382,8 @@ static int snd_pcm_do_drain_init(struct snd_pcm_substream *substream, int state) + if (! snd_pcm_playback_empty(substream)) { + snd_pcm_do_start(substream, SNDRV_PCM_STATE_DRAINING); + snd_pcm_post_start(substream, SNDRV_PCM_STATE_DRAINING); ++ } else { ++ runtime->status->state = SNDRV_PCM_STATE_SETUP; + } + break; + case SNDRV_PCM_STATE_RUNNING: +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index d10a6ef..6d19f99 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -737,7 +737,7 @@ static void alc_auto_setup_eapd(struct hda_codec *codec, bool on) + { + /* We currently only handle front, HP */ + static hda_nid_t pins[] = { +- 0x0f, 0x10, 0x14, 0x15, 0 ++ 0x0f, 0x10, 0x14, 0x15, 0x17, 0 + }; + hda_nid_t *p; + for (p = pins; *p; p++) +diff --git a/sound/pci/riptide/riptide.c b/sound/pci/riptide/riptide.c +index dcbedd3..c86044f 100644 +--- a/sound/pci/riptide/riptide.c ++++ b/sound/pci/riptide/riptide.c +@@ -2026,32 +2026,43 @@ snd_riptide_joystick_probe(struct pci_dev *pci, const struct pci_device_id *id) + { + static int dev; + struct gameport *gameport; ++ int ret; + + if (dev >= SNDRV_CARDS) + return -ENODEV; ++ + if (!enable[dev]) { +- dev++; +- return -ENOENT; ++ ret = -ENOENT; ++ goto inc_dev; + } + +- if (!joystick_port[dev++]) +- return 0; ++ if (!joystick_port[dev]) { ++ ret = 0; ++ goto inc_dev; ++ } + + gameport = gameport_allocate_port(); +- if (!gameport) +- return -ENOMEM; ++ if (!gameport) { ++ ret = -ENOMEM; ++ goto inc_dev; ++ } + if (!request_region(joystick_port[dev], 8, "Riptide gameport")) { + snd_printk(KERN_WARNING + "Riptide: cannot grab gameport 0x%x\n", + joystick_port[dev]); + gameport_free_port(gameport); +- return -EBUSY; ++ ret = -EBUSY; ++ goto inc_dev; + } + + gameport->io = joystick_port[dev]; + gameport_register_port(gameport); + pci_set_drvdata(pci, gameport); +- return 0; ++ ++ ret = 0; ++inc_dev: ++ dev++; ++ return ret; + } + + static void __devexit snd_riptide_joystick_remove(struct pci_dev *pci) +diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c +index 19ee220..71a3d52 100644 +--- a/sound/pci/rme9652/hdspm.c ++++ b/sound/pci/rme9652/hdspm.c +@@ -5966,6 +5966,9 @@ static int snd_hdspm_playback_open(struct snd_pcm_substream *substream) + snd_pcm_hw_constraint_minmax(runtime, + SNDRV_PCM_HW_PARAM_PERIOD_SIZE, + 64, 8192); ++ snd_pcm_hw_constraint_minmax(runtime, ++ SNDRV_PCM_HW_PARAM_PERIODS, ++ 2, 2); + break; + } + +@@ -6040,6 +6043,9 @@ static int snd_hdspm_capture_open(struct snd_pcm_substream *substream) + snd_pcm_hw_constraint_minmax(runtime, + SNDRV_PCM_HW_PARAM_PERIOD_SIZE, + 64, 8192); ++ snd_pcm_hw_constraint_minmax(runtime, ++ SNDRV_PCM_HW_PARAM_PERIODS, ++ 2, 2); + break; + } + +diff --git a/sound/soc/codecs/adav80x.c b/sound/soc/codecs/adav80x.c +index f9f0894..b23d979 100644 +--- a/sound/soc/codecs/adav80x.c ++++ b/sound/soc/codecs/adav80x.c +@@ -307,7 +307,7 @@ static int adav80x_put_deemph(struct snd_kcontrol *kcontrol, + { + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct adav80x *adav80x = snd_soc_codec_get_drvdata(codec); +- unsigned int deemph = ucontrol->value.enumerated.item[0]; ++ unsigned int deemph = ucontrol->value.integer.value[0]; + + if (deemph > 1) + return -EINVAL; +@@ -323,7 +323,7 @@ static int adav80x_get_deemph(struct snd_kcontrol *kcontrol, + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct adav80x *adav80x = snd_soc_codec_get_drvdata(codec); + +- ucontrol->value.enumerated.item[0] = adav80x->deemph; ++ ucontrol->value.integer.value[0] = adav80x->deemph; + return 0; + }; + +diff --git a/sound/soc/codecs/ak4641.c b/sound/soc/codecs/ak4641.c +index 7783858..60891f6 100644 +--- a/sound/soc/codecs/ak4641.c ++++ b/sound/soc/codecs/ak4641.c +@@ -75,7 +75,7 @@ static int ak4641_put_deemph(struct snd_kcontrol *kcontrol, + { + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct ak4641_priv *ak4641 = snd_soc_codec_get_drvdata(codec); +- int deemph = ucontrol->value.enumerated.item[0]; ++ int deemph = ucontrol->value.integer.value[0]; + + if (deemph > 1) + return -EINVAL; +@@ -91,7 +91,7 @@ static int ak4641_get_deemph(struct snd_kcontrol *kcontrol, + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct ak4641_priv *ak4641 = snd_soc_codec_get_drvdata(codec); + +- ucontrol->value.enumerated.item[0] = ak4641->deemph; ++ ucontrol->value.integer.value[0] = ak4641->deemph; + return 0; + }; + +diff --git a/sound/soc/codecs/cs4271.c b/sound/soc/codecs/cs4271.c +index 69fde15..561d5e0 100644 +--- a/sound/soc/codecs/cs4271.c ++++ b/sound/soc/codecs/cs4271.c +@@ -261,7 +261,7 @@ static int cs4271_get_deemph(struct snd_kcontrol *kcontrol, + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct cs4271_private *cs4271 = snd_soc_codec_get_drvdata(codec); + +- ucontrol->value.enumerated.item[0] = cs4271->deemph; ++ ucontrol->value.integer.value[0] = cs4271->deemph; + return 0; + } + +@@ -271,7 +271,7 @@ static int cs4271_put_deemph(struct snd_kcontrol *kcontrol, + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct cs4271_private *cs4271 = snd_soc_codec_get_drvdata(codec); + +- cs4271->deemph = ucontrol->value.enumerated.item[0]; ++ cs4271->deemph = ucontrol->value.integer.value[0]; + return cs4271_set_deemph(codec); + } + +diff --git a/sound/soc/codecs/sgtl5000.c b/sound/soc/codecs/sgtl5000.c +index c8cdf91..ed07d83 100644 +--- a/sound/soc/codecs/sgtl5000.c ++++ b/sound/soc/codecs/sgtl5000.c +@@ -1098,13 +1098,7 @@ static int sgtl5000_set_power_regs(struct snd_soc_codec *codec) + /* Enable VDDC charge pump */ + ana_pwr |= SGTL5000_VDDC_CHRGPMP_POWERUP; + } else if (vddio >= 3100 && vdda >= 3100) { +- /* +- * if vddio and vddd > 3.1v, +- * charge pump should be clean before set ana_pwr +- */ +- snd_soc_update_bits(codec, SGTL5000_CHIP_ANA_POWER, +- SGTL5000_VDDC_CHRGPMP_POWERUP, 0); +- ++ ana_pwr &= ~SGTL5000_VDDC_CHRGPMP_POWERUP; + /* VDDC use VDDIO rail */ + lreg_ctrl |= SGTL5000_VDDC_ASSN_OVRD; + lreg_ctrl |= SGTL5000_VDDC_MAN_ASSN_VDDIO << +diff --git a/sound/soc/codecs/wm2000.c b/sound/soc/codecs/wm2000.c +index ba03dc2..d421140 100644 +--- a/sound/soc/codecs/wm2000.c ++++ b/sound/soc/codecs/wm2000.c +@@ -614,7 +614,7 @@ static int wm2000_anc_mode_get(struct snd_kcontrol *kcontrol, + { + struct wm2000_priv *wm2000 = dev_get_drvdata(&wm2000_i2c->dev); + +- ucontrol->value.enumerated.item[0] = wm2000->anc_active; ++ ucontrol->value.integer.value[0] = wm2000->anc_active; + + return 0; + } +@@ -623,7 +623,7 @@ static int wm2000_anc_mode_put(struct snd_kcontrol *kcontrol, + struct snd_ctl_elem_value *ucontrol) + { + struct wm2000_priv *wm2000 = dev_get_drvdata(&wm2000_i2c->dev); +- int anc_active = ucontrol->value.enumerated.item[0]; ++ int anc_active = ucontrol->value.integer.value[0]; + + if (anc_active > 1) + return -EINVAL; +@@ -638,7 +638,7 @@ static int wm2000_speaker_get(struct snd_kcontrol *kcontrol, + { + struct wm2000_priv *wm2000 = dev_get_drvdata(&wm2000_i2c->dev); + +- ucontrol->value.enumerated.item[0] = wm2000->spk_ena; ++ ucontrol->value.integer.value[0] = wm2000->spk_ena; + + return 0; + } +@@ -647,7 +647,7 @@ static int wm2000_speaker_put(struct snd_kcontrol *kcontrol, + struct snd_ctl_elem_value *ucontrol) + { + struct wm2000_priv *wm2000 = dev_get_drvdata(&wm2000_i2c->dev); +- int val = ucontrol->value.enumerated.item[0]; ++ int val = ucontrol->value.integer.value[0]; + + if (val > 1) + return -EINVAL; +diff --git a/sound/soc/codecs/wm8731.c b/sound/soc/codecs/wm8731.c +index 6cfd4f7..dffede1 100644 +--- a/sound/soc/codecs/wm8731.c ++++ b/sound/soc/codecs/wm8731.c +@@ -106,7 +106,7 @@ static int wm8731_get_deemph(struct snd_kcontrol *kcontrol, + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct wm8731_priv *wm8731 = snd_soc_codec_get_drvdata(codec); + +- ucontrol->value.enumerated.item[0] = wm8731->deemph; ++ ucontrol->value.integer.value[0] = wm8731->deemph; + + return 0; + } +@@ -116,7 +116,7 @@ static int wm8731_put_deemph(struct snd_kcontrol *kcontrol, + { + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct wm8731_priv *wm8731 = snd_soc_codec_get_drvdata(codec); +- int deemph = ucontrol->value.enumerated.item[0]; ++ int deemph = ucontrol->value.integer.value[0]; + int ret = 0; + + if (deemph > 1) +diff --git a/sound/soc/codecs/wm8903.c b/sound/soc/codecs/wm8903.c +index 4352ffb..16c0ec5 100644 +--- a/sound/soc/codecs/wm8903.c ++++ b/sound/soc/codecs/wm8903.c +@@ -464,7 +464,7 @@ static int wm8903_get_deemph(struct snd_kcontrol *kcontrol, + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct wm8903_priv *wm8903 = snd_soc_codec_get_drvdata(codec); + +- ucontrol->value.enumerated.item[0] = wm8903->deemph; ++ ucontrol->value.integer.value[0] = wm8903->deemph; + + return 0; + } +@@ -474,7 +474,7 @@ static int wm8903_put_deemph(struct snd_kcontrol *kcontrol, + { + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct wm8903_priv *wm8903 = snd_soc_codec_get_drvdata(codec); +- int deemph = ucontrol->value.enumerated.item[0]; ++ int deemph = ucontrol->value.integer.value[0]; + int ret = 0; + + if (deemph > 1) +diff --git a/sound/soc/codecs/wm8904.c b/sound/soc/codecs/wm8904.c +index fafb76f..79bfa52 100644 +--- a/sound/soc/codecs/wm8904.c ++++ b/sound/soc/codecs/wm8904.c +@@ -814,7 +814,7 @@ static int wm8904_get_deemph(struct snd_kcontrol *kcontrol, + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct wm8904_priv *wm8904 = snd_soc_codec_get_drvdata(codec); + +- ucontrol->value.enumerated.item[0] = wm8904->deemph; ++ ucontrol->value.integer.value[0] = wm8904->deemph; + return 0; + } + +@@ -823,7 +823,7 @@ static int wm8904_put_deemph(struct snd_kcontrol *kcontrol, + { + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct wm8904_priv *wm8904 = snd_soc_codec_get_drvdata(codec); +- int deemph = ucontrol->value.enumerated.item[0]; ++ int deemph = ucontrol->value.integer.value[0]; + + if (deemph > 1) + return -EINVAL; +diff --git a/sound/soc/codecs/wm8955.c b/sound/soc/codecs/wm8955.c +index 3c71987..77ff1d7 100644 +--- a/sound/soc/codecs/wm8955.c ++++ b/sound/soc/codecs/wm8955.c +@@ -377,7 +377,7 @@ static int wm8955_get_deemph(struct snd_kcontrol *kcontrol, + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct wm8955_priv *wm8955 = snd_soc_codec_get_drvdata(codec); + +- ucontrol->value.enumerated.item[0] = wm8955->deemph; ++ ucontrol->value.integer.value[0] = wm8955->deemph; + return 0; + } + +@@ -386,7 +386,7 @@ static int wm8955_put_deemph(struct snd_kcontrol *kcontrol, + { + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct wm8955_priv *wm8955 = snd_soc_codec_get_drvdata(codec); +- int deemph = ucontrol->value.enumerated.item[0]; ++ int deemph = ucontrol->value.integer.value[0]; + + if (deemph > 1) + return -EINVAL; +diff --git a/sound/soc/codecs/wm8960.c b/sound/soc/codecs/wm8960.c +index 3551705..b2abe93 100644 +--- a/sound/soc/codecs/wm8960.c ++++ b/sound/soc/codecs/wm8960.c +@@ -135,7 +135,7 @@ static int wm8960_get_deemph(struct snd_kcontrol *kcontrol, + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct wm8960_priv *wm8960 = snd_soc_codec_get_drvdata(codec); + +- ucontrol->value.enumerated.item[0] = wm8960->deemph; ++ ucontrol->value.integer.value[0] = wm8960->deemph; + return 0; + } + +@@ -144,7 +144,7 @@ static int wm8960_put_deemph(struct snd_kcontrol *kcontrol, + { + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct wm8960_priv *wm8960 = snd_soc_codec_get_drvdata(codec); +- int deemph = ucontrol->value.enumerated.item[0]; ++ int deemph = ucontrol->value.integer.value[0]; + + if (deemph > 1) + return -EINVAL; +diff --git a/sound/soc/omap/omap-pcm.c b/sound/soc/omap/omap-pcm.c +index 6ede7dc..9563728 100644 +--- a/sound/soc/omap/omap-pcm.c ++++ b/sound/soc/omap/omap-pcm.c +@@ -333,7 +333,7 @@ static struct snd_pcm_ops omap_pcm_ops = { + .mmap = omap_pcm_mmap, + }; + +-static u64 omap_pcm_dmamask = DMA_BIT_MASK(64); ++static u64 omap_pcm_dmamask = DMA_BIT_MASK(32); + + static int omap_pcm_preallocate_dma_buffer(struct snd_pcm *pcm, + int stream) +@@ -385,7 +385,7 @@ static int omap_pcm_new(struct snd_soc_pcm_runtime *rtd) + if (!card->dev->dma_mask) + card->dev->dma_mask = &omap_pcm_dmamask; + if (!card->dev->coherent_dma_mask) +- card->dev->coherent_dma_mask = DMA_BIT_MASK(64); ++ card->dev->coherent_dma_mask = DMA_BIT_MASK(32); + + if (dai->driver->playback.channels_min) { + ret = omap_pcm_preallocate_dma_buffer(pcm, +diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c +index fb95069..040d101 100644 +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -64,6 +64,7 @@ static const struct rc_config { + { USB_ID(0x041e, 0x3040), 2, 2, 6, 6, 2, 0x6e91 }, /* Live! 24-bit */ + { USB_ID(0x041e, 0x3042), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 */ + { USB_ID(0x041e, 0x30df), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */ ++ { USB_ID(0x041e, 0x3237), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */ + { USB_ID(0x041e, 0x3048), 2, 2, 6, 6, 2, 0x6e91 }, /* Toshiba SB0500 */ + }; + +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h +index 2aacb96..b38dde0 100644 +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -1803,6 +1803,36 @@ YAMAHA_DEVICE(0x7010, "UB99"), + } + } + }, ++{ ++ USB_DEVICE(0x0582, 0x0159), ++ .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) { ++ /* .vendor_name = "Roland", */ ++ /* .product_name = "UA-22", */ ++ .ifnum = QUIRK_ANY_INTERFACE, ++ .type = QUIRK_COMPOSITE, ++ .data = (const struct snd_usb_audio_quirk[]) { ++ { ++ .ifnum = 0, ++ .type = QUIRK_AUDIO_STANDARD_INTERFACE ++ }, ++ { ++ .ifnum = 1, ++ .type = QUIRK_AUDIO_STANDARD_INTERFACE ++ }, ++ { ++ .ifnum = 2, ++ .type = QUIRK_MIDI_FIXED_ENDPOINT, ++ .data = & (const struct snd_usb_midi_endpoint_info) { ++ .out_cables = 0x0001, ++ .in_cables = 0x0001 ++ } ++ }, ++ { ++ .ifnum = -1 ++ } ++ } ++ } ++}, + + /* Guillemot devices */ + { diff --git a/3.2.68/4420_grsecurity-3.1-3.2.68-201505091720.patch b/3.2.69/4420_grsecurity-3.1-3.2.69-201505101117.patch index eaddb1d..c3a359c 100644 --- a/3.2.68/4420_grsecurity-3.1-3.2.68-201505091720.patch +++ b/3.2.69/4420_grsecurity-3.1-3.2.69-201505101117.patch @@ -282,7 +282,7 @@ index 88fd7f5..b318a78 100644 ============================================================== diff --git a/Makefile b/Makefile -index 2e7cbda..ed00cfe 100644 +index 8071888..3889f72 100644 --- a/Makefile +++ b/Makefile @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -11408,28 +11408,6 @@ index 3470624..9b476a3 100644 ret +ENDPROC(aesni_ctr_enc) #endif -diff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c -index 16acf68..3b3a62f 100644 ---- a/arch/x86/crypto/aesni-intel_glue.c -+++ b/arch/x86/crypto/aesni-intel_glue.c -@@ -1202,7 +1202,7 @@ static int __driver_rfc4106_decrypt(struct aead_request *req) - src = kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC); - if (!src) - return -ENOMEM; -- assoc = (src + req->cryptlen + auth_tag_len); -+ assoc = (src + req->cryptlen); - scatterwalk_map_and_copy(src, req->src, 0, req->cryptlen, 0); - scatterwalk_map_and_copy(assoc, req->assoc, 0, - req->assoclen, 0); -@@ -1227,7 +1227,7 @@ static int __driver_rfc4106_decrypt(struct aead_request *req) - scatterwalk_done(&src_sg_walk, 0, 0); - scatterwalk_done(&assoc_sg_walk, 0, 0); - } else { -- scatterwalk_map_and_copy(dst, req->dst, 0, req->cryptlen, 1); -+ scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1); - kfree(src); - } - return retval; diff --git a/arch/x86/crypto/blowfish-x86_64-asm_64.S b/arch/x86/crypto/blowfish-x86_64-asm_64.S index 391d245..c73d634 100644 --- a/arch/x86/crypto/blowfish-x86_64-asm_64.S @@ -19838,7 +19816,7 @@ index 0fa4f89..dbbfa58 100644 /* diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index 9d28dbac..30e8c80 100644 +index 8d15c69..30e8c80 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -56,6 +56,8 @@ @@ -20321,7 +20299,7 @@ index 9d28dbac..30e8c80 100644 /* * A newly forked process directly context switches into this address. -@@ -411,17 +726,20 @@ ENTRY(ret_from_fork) +@@ -411,7 +726,7 @@ ENTRY(ret_from_fork) RESTORE_REST @@ -20329,19 +20307,9 @@ index 9d28dbac..30e8c80 100644 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread? je int_ret_from_sys_call -- testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET -- jnz int_ret_from_sys_call -- -- RESTORE_TOP_OF_STACK %rdi, -ARGOFFSET -- jmp ret_from_sys_call # go to the SYSRET fastpath -+ /* -+ * By the time we get here, we have no idea whether our pt_regs, -+ * ti flags, and ti status came from the 64-bit SYSCALL fast path, -+ * the slow path, or one of the ia32entry paths. -+ * Use int_ret_from_sys_call to return, since it can safely handle -+ * all of the above. -+ */ -+ jmp int_ret_from_sys_call + /* +@@ -424,7 +739,7 @@ ENTRY(ret_from_fork) + jmp int_ret_from_sys_call CFI_ENDPROC -END(ret_from_fork) @@ -20349,7 +20317,7 @@ index 9d28dbac..30e8c80 100644 /* * System call entry. Up to 6 arguments in registers are supported. -@@ -457,7 +775,7 @@ END(ret_from_fork) +@@ -460,7 +775,7 @@ END(ret_from_fork) ENTRY(system_call) CFI_STARTPROC simple CFI_SIGNAL_FRAME @@ -20358,7 +20326,7 @@ index 9d28dbac..30e8c80 100644 CFI_REGISTER rip,rcx /*CFI_REGISTER rflags,r11*/ SWAPGS_UNSAFE_STACK -@@ -470,12 +788,18 @@ ENTRY(system_call_after_swapgs) +@@ -473,12 +788,18 @@ ENTRY(system_call_after_swapgs) movq %rsp,PER_CPU_VAR(old_rsp) movq PER_CPU_VAR(kernel_stack),%rsp @@ -20378,7 +20346,7 @@ index 9d28dbac..30e8c80 100644 movq %rax,ORIG_RAX-ARGOFFSET(%rsp) movq %rcx,RIP-ARGOFFSET(%rsp) CFI_REL_OFFSET rip,RIP-ARGOFFSET -@@ -504,6 +828,8 @@ sysret_check: +@@ -507,6 +828,8 @@ sysret_check: andl %edi,%edx jnz sysret_careful CFI_REMEMBER_STATE @@ -20387,7 +20355,7 @@ index 9d28dbac..30e8c80 100644 /* * sysretq will re-enable interrupts: */ -@@ -562,6 +888,9 @@ auditsys: +@@ -565,6 +888,9 @@ auditsys: movq %rax,%rsi /* 2nd arg: syscall number */ movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */ call audit_syscall_entry @@ -20397,7 +20365,7 @@ index 9d28dbac..30e8c80 100644 LOAD_ARGS 0 /* reload call-clobbered registers */ jmp system_call_fastpath -@@ -592,12 +921,15 @@ tracesys: +@@ -595,12 +921,15 @@ tracesys: FIXUP_TOP_OF_STACK %rdi movq %rsp,%rdi call syscall_trace_enter @@ -20414,7 +20382,7 @@ index 9d28dbac..30e8c80 100644 RESTORE_REST cmpq $__NR_syscall_max,%rax ja int_ret_from_sys_call /* RAX(%rsp) set to -ENOSYS above */ -@@ -613,7 +945,7 @@ tracesys: +@@ -616,7 +945,7 @@ tracesys: GLOBAL(int_ret_from_sys_call) DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF @@ -20423,7 +20391,7 @@ index 9d28dbac..30e8c80 100644 je retint_restore_args movl $_TIF_ALLWORK_MASK,%edi /* edi: mask to check */ -@@ -624,7 +956,9 @@ GLOBAL(int_with_check) +@@ -627,7 +956,9 @@ GLOBAL(int_with_check) andl %edi,%edx jnz int_careful andl $~TS_COMPAT,TI_status(%rcx) @@ -20434,7 +20402,7 @@ index 9d28dbac..30e8c80 100644 /* Either reschedule or signal or syscall exit tracking needed. */ /* First do a reschedule test. */ -@@ -670,7 +1004,7 @@ int_restore_rest: +@@ -673,7 +1004,7 @@ int_restore_rest: TRACE_IRQS_OFF jmp int_with_check CFI_ENDPROC @@ -20443,7 +20411,7 @@ index 9d28dbac..30e8c80 100644 /* * Certain special system calls that need to save a complete full stack frame. -@@ -678,15 +1012,13 @@ END(system_call) +@@ -681,15 +1012,13 @@ END(system_call) .macro PTREGSCALL label,func,arg ENTRY(\label) PARTIAL_FRAME 1 8 /* offset 8: return address */ @@ -20460,7 +20428,7 @@ index 9d28dbac..30e8c80 100644 .endm PTREGSCALL stub_clone, sys_clone, %r8 -@@ -701,12 +1033,17 @@ ENTRY(ptregscall_common) +@@ -704,12 +1033,17 @@ ENTRY(ptregscall_common) movq_cfi_restore R15+8, r15 movq_cfi_restore R14+8, r14 movq_cfi_restore R13+8, r13 @@ -20480,7 +20448,7 @@ index 9d28dbac..30e8c80 100644 ENTRY(stub_execve) CFI_STARTPROC -@@ -721,7 +1058,7 @@ ENTRY(stub_execve) +@@ -724,7 +1058,7 @@ ENTRY(stub_execve) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -20489,7 +20457,7 @@ index 9d28dbac..30e8c80 100644 /* * sigreturn is special because it needs to restore all registers on return. -@@ -739,7 +1076,7 @@ ENTRY(stub_rt_sigreturn) +@@ -742,7 +1076,7 @@ ENTRY(stub_rt_sigreturn) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -20498,7 +20466,7 @@ index 9d28dbac..30e8c80 100644 /* * Build the entry stubs and pointer table with some assembler magic. -@@ -774,7 +1111,7 @@ vector=vector+1 +@@ -777,7 +1111,7 @@ vector=vector+1 2: jmp common_interrupt .endr CFI_ENDPROC @@ -20507,7 +20475,7 @@ index 9d28dbac..30e8c80 100644 .previous END(interrupt) -@@ -791,8 +1128,8 @@ END(interrupt) +@@ -794,8 +1128,8 @@ END(interrupt) /* 0(%rsp): ~(interrupt number) */ .macro interrupt func /* reserve pt_regs for scratch regs and rbp */ @@ -20518,7 +20486,7 @@ index 9d28dbac..30e8c80 100644 SAVE_ARGS_IRQ call \func .endm -@@ -819,13 +1156,13 @@ ret_from_intr: +@@ -822,13 +1156,13 @@ ret_from_intr: /* Restore saved previous stack */ popq %rsi CFI_DEF_CFA_REGISTER rsi @@ -20535,7 +20503,7 @@ index 9d28dbac..30e8c80 100644 je retint_kernel /* Interrupt came from user space */ -@@ -847,12 +1184,16 @@ retint_swapgs: /* return to user-space */ +@@ -850,12 +1184,16 @@ retint_swapgs: /* return to user-space */ * The iretq could re-enable interrupts: */ DISABLE_INTERRUPTS(CLBR_ANY) @@ -20552,7 +20520,7 @@ index 9d28dbac..30e8c80 100644 /* * The iretq could re-enable interrupts: */ -@@ -890,15 +1231,15 @@ native_irq_return_ldt: +@@ -893,15 +1231,15 @@ native_irq_return_ldt: SWAPGS movq PER_CPU_VAR(espfix_waddr),%rdi movq %rax,(0*8)(%rdi) /* RAX */ @@ -20573,7 +20541,7 @@ index 9d28dbac..30e8c80 100644 movq %rax,(4*8)(%rdi) andl $0xffff0000,%eax popq_cfi %rdi -@@ -954,7 +1295,7 @@ ENTRY(retint_kernel) +@@ -957,7 +1295,7 @@ ENTRY(retint_kernel) jmp exit_intr #endif CFI_ENDPROC @@ -20582,7 +20550,7 @@ index 9d28dbac..30e8c80 100644 /* * End of kprobes section -@@ -971,7 +1312,7 @@ ENTRY(\sym) +@@ -974,7 +1312,7 @@ ENTRY(\sym) interrupt \do_sym jmp ret_from_intr CFI_ENDPROC @@ -20591,7 +20559,7 @@ index 9d28dbac..30e8c80 100644 .endm #ifdef CONFIG_SMP -@@ -1041,7 +1382,7 @@ ENTRY(\sym) +@@ -1044,7 +1382,7 @@ ENTRY(\sym) call \do_sym jmp error_exit /* %ebx: no swapgs flag */ CFI_ENDPROC @@ -20600,7 +20568,7 @@ index 9d28dbac..30e8c80 100644 .endm .macro paranoidzeroentry sym do_sym -@@ -1058,10 +1399,10 @@ ENTRY(\sym) +@@ -1061,10 +1399,10 @@ ENTRY(\sym) call \do_sym jmp paranoid_exit /* %ebx: no swapgs flag */ CFI_ENDPROC @@ -20613,7 +20581,7 @@ index 9d28dbac..30e8c80 100644 .macro paranoidzeroentry_ist sym do_sym ist ENTRY(\sym) INTR_FRAME -@@ -1073,12 +1414,18 @@ ENTRY(\sym) +@@ -1076,12 +1414,18 @@ ENTRY(\sym) TRACE_IRQS_OFF movq %rsp,%rdi /* pt_regs pointer */ xorl %esi,%esi /* no error code */ @@ -20633,7 +20601,7 @@ index 9d28dbac..30e8c80 100644 .endm .macro errorentry sym do_sym -@@ -1095,7 +1442,7 @@ ENTRY(\sym) +@@ -1098,7 +1442,7 @@ ENTRY(\sym) call \do_sym jmp error_exit /* %ebx: no swapgs flag */ CFI_ENDPROC @@ -20642,7 +20610,7 @@ index 9d28dbac..30e8c80 100644 .endm /* error code is on the stack already */ -@@ -1114,7 +1461,7 @@ ENTRY(\sym) +@@ -1117,7 +1461,7 @@ ENTRY(\sym) call \do_sym jmp paranoid_exit /* %ebx: no swapgs flag */ CFI_ENDPROC @@ -20651,7 +20619,7 @@ index 9d28dbac..30e8c80 100644 .endm zeroentry divide_error do_divide_error -@@ -1144,9 +1491,10 @@ gs_change: +@@ -1147,9 +1491,10 @@ gs_change: 2: mfence /* workaround */ SWAPGS popfq_cfi @@ -20663,7 +20631,7 @@ index 9d28dbac..30e8c80 100644 .section __ex_table,"a" .align 8 -@@ -1168,13 +1516,14 @@ ENTRY(kernel_thread_helper) +@@ -1171,13 +1516,14 @@ ENTRY(kernel_thread_helper) * Here we are in the child and the registers are set as they were * at kernel_thread() invocation in the parent. */ @@ -20679,7 +20647,7 @@ index 9d28dbac..30e8c80 100644 /* * execve(). This function needs to use IRET, not SYSRET, to set up all state properly. -@@ -1201,11 +1550,11 @@ ENTRY(kernel_execve) +@@ -1204,11 +1550,11 @@ ENTRY(kernel_execve) RESTORE_REST testq %rax,%rax je int_ret_from_sys_call @@ -20693,7 +20661,7 @@ index 9d28dbac..30e8c80 100644 /* Call softirq on interrupt stack. Interrupts are off. */ ENTRY(call_softirq) -@@ -1223,9 +1572,10 @@ ENTRY(call_softirq) +@@ -1226,9 +1572,10 @@ ENTRY(call_softirq) CFI_DEF_CFA_REGISTER rsp CFI_ADJUST_CFA_OFFSET -8 decl PER_CPU_VAR(irq_count) @@ -20705,7 +20673,7 @@ index 9d28dbac..30e8c80 100644 #ifdef CONFIG_XEN zeroentry xen_hypervisor_callback xen_do_hypervisor_callback -@@ -1263,7 +1613,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) +@@ -1266,7 +1613,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) decl PER_CPU_VAR(irq_count) jmp error_exit CFI_ENDPROC @@ -20714,7 +20682,7 @@ index 9d28dbac..30e8c80 100644 /* * Hypervisor uses this for application faults while it executes. -@@ -1322,7 +1672,7 @@ ENTRY(xen_failsafe_callback) +@@ -1325,7 +1672,7 @@ ENTRY(xen_failsafe_callback) SAVE_ALL jmp error_exit CFI_ENDPROC @@ -20723,7 +20691,7 @@ index 9d28dbac..30e8c80 100644 apicinterrupt XEN_HVM_EVTCHN_CALLBACK \ xen_hvm_callback_vector xen_evtchn_do_upcall -@@ -1371,16 +1721,31 @@ ENTRY(paranoid_exit) +@@ -1374,16 +1721,31 @@ ENTRY(paranoid_exit) TRACE_IRQS_OFF testl %ebx,%ebx /* swapgs needed? */ jnz paranoid_restore @@ -20756,7 +20724,7 @@ index 9d28dbac..30e8c80 100644 jmp irq_return paranoid_userspace: GET_THREAD_INFO(%rcx) -@@ -1409,7 +1774,7 @@ paranoid_schedule: +@@ -1412,7 +1774,7 @@ paranoid_schedule: TRACE_IRQS_OFF jmp paranoid_userspace CFI_ENDPROC @@ -20765,7 +20733,7 @@ index 9d28dbac..30e8c80 100644 /* * Exception entry point. This expects an error code/orig_rax on the stack. -@@ -1436,12 +1801,23 @@ ENTRY(error_entry) +@@ -1439,12 +1801,23 @@ ENTRY(error_entry) movq_cfi r14, R14+8 movq_cfi r15, R15+8 xorl %ebx,%ebx @@ -20790,7 +20758,7 @@ index 9d28dbac..30e8c80 100644 ret /* -@@ -1475,7 +1851,7 @@ error_bad_iret: +@@ -1478,7 +1851,7 @@ error_bad_iret: decl %ebx /* Return to usergs */ jmp error_sti CFI_ENDPROC @@ -20799,7 +20767,7 @@ index 9d28dbac..30e8c80 100644 /* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */ -@@ -1495,7 +1871,7 @@ ENTRY(error_exit) +@@ -1498,7 +1871,7 @@ ENTRY(error_exit) jnz retint_careful jmp retint_swapgs CFI_ENDPROC @@ -20808,7 +20776,7 @@ index 9d28dbac..30e8c80 100644 /* runs on exception stack */ -@@ -1507,6 +1883,7 @@ ENTRY(nmi) +@@ -1510,6 +1883,7 @@ ENTRY(nmi) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call save_paranoid DEFAULT_FRAME 0 @@ -20816,7 +20784,7 @@ index 9d28dbac..30e8c80 100644 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */ movq %rsp,%rdi movq $-1,%rsi -@@ -1517,12 +1894,28 @@ ENTRY(nmi) +@@ -1520,12 +1894,28 @@ ENTRY(nmi) DISABLE_INTERRUPTS(CLBR_NONE) testl %ebx,%ebx /* swapgs needed? */ jnz nmi_restore @@ -20846,7 +20814,7 @@ index 9d28dbac..30e8c80 100644 jmp irq_return nmi_userspace: GET_THREAD_INFO(%rcx) -@@ -1551,14 +1944,14 @@ nmi_schedule: +@@ -1554,14 +1944,14 @@ nmi_schedule: jmp paranoid_exit CFI_ENDPROC #endif @@ -23514,7 +23482,7 @@ index 42eb330..139955c 100644 return ret; diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c -index f411aca..e436e0a 100644 +index 41b2f57..9dd7145 100644 --- a/arch/x86/kernel/reboot.c +++ b/arch/x86/kernel/reboot.c @@ -35,7 +35,7 @@ void (*pm_power_off)(void); @@ -23535,7 +23503,7 @@ index f411aca..e436e0a 100644 { /* Handle problems with rebooting on Dell E520's */ .callback = set_bios_reboot, .ident = "Dell E520", -@@ -324,13 +324,17 @@ core_initcall(reboot_init); +@@ -308,13 +308,17 @@ core_initcall(reboot_init); extern const unsigned char machine_real_restart_asm[]; extern const u64 machine_real_restart_gdt[3]; @@ -23555,7 +23523,7 @@ index f411aca..e436e0a 100644 local_irq_disable(); /* Write zero to CMOS register number 0x0f, which the BIOS POST -@@ -356,14 +360,14 @@ void machine_real_restart(unsigned int type) +@@ -340,14 +344,14 @@ void machine_real_restart(unsigned int type) boot)". This seems like a fairly standard thing that gets set by REBOOT.COM programs, and the previous reset routine did this too. */ @@ -23572,7 +23540,7 @@ index f411aca..e436e0a 100644 /* GDT[0]: GDT self-pointer */ lowmem_gdt[0] = -@@ -374,7 +378,35 @@ void machine_real_restart(unsigned int type) +@@ -358,7 +362,35 @@ void machine_real_restart(unsigned int type) GDT_ENTRY(0x009b, restart_pa, 0xffff); /* Jump to the identity-mapped low memory code */ @@ -23608,7 +23576,7 @@ index f411aca..e436e0a 100644 } #ifdef CONFIG_APM_MODULE EXPORT_SYMBOL(machine_real_restart); -@@ -564,7 +596,7 @@ void __attribute__((weak)) mach_reboot_fixups(void) +@@ -590,7 +622,7 @@ void __attribute__((weak)) mach_reboot_fixups(void) * try to force a triple fault and then cycle between hitting the keyboard * controller and doing that */ @@ -23617,7 +23585,7 @@ index f411aca..e436e0a 100644 { int i; int attempt = 0; -@@ -691,13 +723,13 @@ void native_machine_shutdown(void) +@@ -717,13 +749,13 @@ void native_machine_shutdown(void) #endif } @@ -23633,7 +23601,7 @@ index f411aca..e436e0a 100644 { printk("machine restart\n"); -@@ -706,7 +738,7 @@ static void native_machine_restart(char *__unused) +@@ -732,7 +764,7 @@ static void native_machine_restart(char *__unused) __machine_emergency_restart(0); } @@ -23642,7 +23610,7 @@ index f411aca..e436e0a 100644 { /* stop other cpus and apics */ machine_shutdown(); -@@ -717,7 +749,7 @@ static void native_machine_halt(void) +@@ -743,7 +775,7 @@ static void native_machine_halt(void) stop_this_cpu(NULL); } @@ -23651,7 +23619,7 @@ index f411aca..e436e0a 100644 { if (pm_power_off) { if (!reboot_force) -@@ -726,9 +758,10 @@ static void native_machine_power_off(void) +@@ -752,9 +784,10 @@ static void native_machine_power_off(void) } /* a fallback in case there is no PM info available */ tboot_shutdown(TB_SHUTDOWN_HALT); @@ -24603,7 +24571,7 @@ index 09ff517..df19fbff 100644 .short 0 .quad 0x00cf9b000000ffff # __KERNEL32_CS diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c -index 2aff347..d83c9a9 100644 +index edbd30a..d83c9a9 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -70,12 +70,6 @@ asmlinkage int system_call(void); @@ -24751,6 +24719,15 @@ index 2aff347..d83c9a9 100644 return new_stack; } #endif +@@ -435,7 +472,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) + * then it's very likely the result of an icebp/int01 trap. + * User wants a sigtrap for that. + */ +- if (!dr6 && user_mode_vm(regs)) ++ if (!dr6 && user_mode(regs)) + user_icebp = 1; + + /* Catch kmemcheck conditions first of all! */ @@ -460,7 +497,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) /* It's safe to allow irq's after DR6 has been saved */ preempt_conditional_sti(regs); @@ -25262,7 +25239,7 @@ index 7110911..069da9c 100644 /* * Encountered an error while doing the restore from the diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index bdad489..43849f4 100644 +index 9af0b82..086874c 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -249,6 +249,7 @@ struct gprefix { @@ -30161,10 +30138,10 @@ index d87dd6d..bf3fa66 100644 pte = kmemcheck_pte_lookup(address); diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c -index 5c1ae28..45f4ac9 100644 +index 75f9e5d..77b1e62 100644 --- a/arch/x86/mm/mmap.c +++ b/arch/x86/mm/mmap.c -@@ -52,7 +52,7 @@ static unsigned int stack_maxrandom_size(void) +@@ -52,7 +52,7 @@ static unsigned long stack_maxrandom_size(void) * Leave an at least ~128 MB hole with possible stack randomization. */ #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size()) @@ -33547,7 +33524,7 @@ index 48fbc64..d0a31d4 100644 * Award BIOS on this AOpen makes thermal control almost worthless. * http://bugzilla.kernel.org/show_bug.cgi?id=8842 diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c -index 2ebfdd2..fa1ce82 100644 +index cb842a8..6688e24 100644 --- a/drivers/acpi/video.c +++ b/drivers/acpi/video.c @@ -395,7 +395,7 @@ static int video_ignore_initial_backlight(const struct dmi_system_id *d) @@ -37501,7 +37478,7 @@ index 1ee8ce7..586718d 100644 .ident = "Sony Vaio", .matches = { diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c -index c234b9e..34c325d 100644 +index f7395c4..93bcc43 100644 --- a/drivers/char/tpm/tpm.c +++ b/drivers/char/tpm/tpm.c @@ -414,7 +414,7 @@ static ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf, @@ -37561,10 +37538,10 @@ index 0636520..169c1d0 100644 acpi_os_unmap_memory(virt, len); return 0; diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c -index c68b8ad..ef7a702 100644 +index e9d18aa..d0369bc 100644 --- a/drivers/char/virtio_console.c +++ b/drivers/char/virtio_console.c -@@ -570,7 +570,7 @@ static ssize_t fill_readbuf(struct port *port, char *out_buf, size_t out_count, +@@ -571,7 +571,7 @@ static ssize_t fill_readbuf(struct port *port, char *out_buf, size_t out_count, if (to_user) { ssize_t ret; @@ -37573,7 +37550,7 @@ index c68b8ad..ef7a702 100644 if (ret) return -EFAULT; } else { -@@ -673,7 +673,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf, +@@ -674,7 +674,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf, if (!port_has_data(port) && !port->host_connected) return 0; @@ -39543,10 +39520,10 @@ index a9e33ce..09edd4b 100644 #endif diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c -index 9b3f787..e9ad3ce 100644 +index 5d78973..2c1fe27 100644 --- a/drivers/gpu/drm/radeon/evergreen.c +++ b/drivers/gpu/drm/radeon/evergreen.c -@@ -3095,7 +3095,9 @@ static int evergreen_startup(struct radeon_device *rdev) +@@ -3098,7 +3098,9 @@ static int evergreen_startup(struct radeon_device *rdev) r = evergreen_blit_init(rdev); if (r) { r600_blit_fini(rdev); @@ -39594,7 +39571,7 @@ index 77e6fb1..43e5aae 100644 } diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c -index 76c1290..865d31e 100644 +index dfd1267..e7251ec 100644 --- a/drivers/gpu/drm/radeon/r100.c +++ b/drivers/gpu/drm/radeon/r100.c @@ -592,8 +592,10 @@ int r100_pci_gart_init(struct radeon_device *rdev) @@ -39628,7 +39605,7 @@ index 441570b..8896094 100644 } diff --git a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c -index ab46a99..5d73299 100644 +index e5299a0..eb205af 100644 --- a/drivers/gpu/drm/radeon/r600.c +++ b/drivers/gpu/drm/radeon/r600.c @@ -2442,7 +2442,9 @@ int r600_startup(struct radeon_device *rdev) @@ -41482,25 +41459,6 @@ index 176c8f9..2627b62 100644 wake_up_process(pool->thread); } } -diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c -index a841123..055ebeb 100644 ---- a/drivers/infiniband/core/umem.c -+++ b/drivers/infiniband/core/umem.c -@@ -94,6 +94,14 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr, - if (dmasync) - dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs); - -+ /* -+ * If the combination of the addr and size requested for this memory -+ * region causes an integer overflow, return error. -+ */ -+ if ((PAGE_ALIGN(addr + size) <= size) || -+ (PAGE_ALIGN(addr + size) <= addr)) -+ return ERR_PTR(-EINVAL); -+ - if (!can_do_mlock()) - return ERR_PTR(-EPERM); - diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c index a8445b8..e43f9b9 100644 --- a/drivers/infiniband/core/uverbs_cmd.c @@ -42188,7 +42146,7 @@ index 330eb6e..a4bc52b 100644 /* Blow away the connection if it exists. */ diff --git a/drivers/infiniband/hw/qib/qib.h b/drivers/infiniband/hw/qib/qib.h -index b881bdc..c2e360c 100644 +index 4c2b079..76a0feb 100644 --- a/drivers/infiniband/hw/qib/qib.h +++ b/drivers/infiniband/hw/qib/qib.h @@ -51,6 +51,7 @@ @@ -43091,7 +43049,7 @@ index e5bd3ef..c69d0b7 100644 spin_lock(&receiving_list_lock); diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c -index b7b649d..fcf5ef7 100644 +index b4361eb..4ad13a0 100644 --- a/drivers/md/dm-raid1.c +++ b/drivers/md/dm-raid1.c @@ -40,7 +40,7 @@ enum dm_raid1_error { @@ -43148,7 +43106,7 @@ index b7b649d..fcf5ef7 100644 m = NULL; if (likely(m)) -@@ -937,7 +937,7 @@ static int get_mirror(struct mirror_set *ms, struct dm_target *ti, +@@ -946,7 +946,7 @@ static int get_mirror(struct mirror_set *ms, struct dm_target *ti, } ms->mirror[mirror].ms = ms; @@ -43157,7 +43115,7 @@ index b7b649d..fcf5ef7 100644 ms->mirror[mirror].error_type = 0; ms->mirror[mirror].offset = offset; -@@ -1348,7 +1348,7 @@ static void mirror_resume(struct dm_target *ti) +@@ -1357,7 +1357,7 @@ static void mirror_resume(struct dm_target *ti) */ static char device_status_char(struct mirror *m) { @@ -43253,7 +43211,7 @@ index 237571a..fb6d19b 100644 pmd->bl_info.value_type.inc = data_block_inc; pmd->bl_info.value_type.dec = data_block_dec; diff --git a/drivers/md/dm.c b/drivers/md/dm.c -index 7ead065..832d24d 100644 +index c00bcdc..bb5792b 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -177,9 +177,9 @@ struct mapped_device { @@ -43288,7 +43246,7 @@ index 7ead065..832d24d 100644 wake_up(&md->eventq); } -@@ -2649,18 +2649,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, +@@ -2648,18 +2648,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, uint32_t dm_next_uevent_seq(struct mapped_device *md) { @@ -45518,10 +45476,10 @@ index cf95bd8d..f61f675 100644 /* check to see if we are clearing active */ if (!strlen(ifname) || buf[0] == '\n') { diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c -index a25442e..d1235bc 100644 +index db9100f..612019d 100644 --- a/drivers/net/can/dev.c +++ b/drivers/net/can/dev.c -@@ -725,7 +725,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev, +@@ -730,7 +730,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev, return -EOPNOTSUPP; } @@ -45783,7 +45741,7 @@ index dcd7f7a..ecb7fb3 100644 {"D-Link DFE-550FX 100Mbps Fiber-optics Adapter"}, {"D-Link DFE-580TX 4 port Server Adapter"}, diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c -index 36c7c4e..7de1382 100644 +index 10c9acf..d1a0b0f 100644 --- a/drivers/net/ethernet/emulex/benet/be_main.c +++ b/drivers/net/ethernet/emulex/benet/be_main.c @@ -397,7 +397,7 @@ static void accumulate_16bit_val(u32 *acc, u16 val) @@ -46153,7 +46111,7 @@ index 49b549f..13d648c 100644 mac->phydev = phydev; diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c -index a3bd0ba..8a34a90 100644 +index 0c26787..f847e66 100644 --- a/drivers/net/ethernet/realtek/r8169.c +++ b/drivers/net/ethernet/realtek/r8169.c @@ -704,17 +704,17 @@ struct rtl8169_private { @@ -46315,7 +46273,7 @@ index fed39de..8adf3152 100644 }; diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c -index 0e6e57e..060e208 100644 +index 7300447..fa23d39 100644 --- a/drivers/net/macvtap.c +++ b/drivers/net/macvtap.c @@ -351,7 +351,7 @@ static void macvtap_setup(struct net_device *dev) @@ -46327,7 +46285,7 @@ index 0e6e57e..060e208 100644 .kind = "macvtap", .setup = macvtap_setup, .newlink = macvtap_newlink, -@@ -927,7 +927,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd, +@@ -936,7 +936,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd, return -ENOLINK; ret = 0; @@ -46336,7 +46294,7 @@ index 0e6e57e..060e208 100644 put_user(q->flags, &ifr->ifr_flags)) ret = -EFAULT; dev_put(vlan->dev); -@@ -1088,7 +1088,7 @@ static int macvtap_device_event(struct notifier_block *unused, +@@ -1097,7 +1097,7 @@ static int macvtap_device_event(struct notifier_block *unused, return NOTIFY_DONE; } @@ -46367,19 +46325,6 @@ index 83a5a5a..9a9d0ae 100644 int r; r = get_phy_id(bus, addr, &phy_id); -diff --git a/drivers/net/ppp/ppp_deflate.c b/drivers/net/ppp/ppp_deflate.c -index 1dbdf82..43764cc 100644 ---- a/drivers/net/ppp/ppp_deflate.c -+++ b/drivers/net/ppp/ppp_deflate.c -@@ -268,7 +268,7 @@ static int z_compress(void *arg, unsigned char *rptr, unsigned char *obuf, - /* - * See if we managed to reduce the size of the packet. - */ -- if (olen < isize) { -+ if (olen < isize && olen <= osize) { - state->stats.comp_bytes += olen; - state->stats.comp_packets++; - } else { diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index 4782d79..359f1b9 100644 --- a/drivers/net/ppp/ppp_generic.c @@ -46746,7 +46691,7 @@ index e773250..9ee61ab 100644 /* we will have to manufacture ethernet headers, prepare template */ diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c -index 3d21742..ddf9899 100644 +index 3d21742..b8e03e7 100644 --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -344,6 +344,12 @@ static int rx_submit (struct usbnet *dev, struct urb *urb, gfp_t flags) @@ -46792,6 +46737,24 @@ index 3d21742..ddf9899 100644 // delay posting reads until we're fully open tasklet_schedule (&dev->bh); if (info->manage_power) { +@@ -1078,7 +1100,7 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb, + struct net_device *net) + { + struct usbnet *dev = netdev_priv(net); +- int length; ++ unsigned int length; + struct urb *urb = NULL; + struct skb_data *entry; + struct driver_info *info = dev->driver_info; +@@ -1187,7 +1209,7 @@ not_drop: + usb_free_urb (urb); + } else + netif_dbg(dev, tx_queued, dev->net, +- "> tx, len %d, type 0x%x\n", length, skb->protocol); ++ "> tx, len %u, type 0x%x\n", length, skb->protocol); + #ifdef CONFIG_PM + deferred: + #endif @@ -1222,6 +1244,9 @@ static void usbnet_bh (unsigned long param) } } @@ -49684,10 +49647,10 @@ index 831db24..aef1598 100644 /* check if the device is still usable */ if (unlikely(cmd->device->sdev_state == SDEV_DEL)) { diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c -index 0bdc4a7..89011d6 100644 +index f6a464a..797b84d 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c -@@ -1435,7 +1435,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q) +@@ -1437,7 +1437,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q) shost = sdev->host; scsi_init_cmd_errh(cmd); cmd->result = DID_NO_CONNECT << 16; @@ -49696,7 +49659,7 @@ index 0bdc4a7..89011d6 100644 /* * SCSI request completion path will do scsi_device_unbusy(), -@@ -1461,9 +1461,9 @@ static void scsi_softirq_done(struct request *rq) +@@ -1463,9 +1463,9 @@ static void scsi_softirq_done(struct request *rq) INIT_LIST_HEAD(&cmd->eh_entry); @@ -49850,7 +49813,7 @@ index 5c6b5f5..475317d 100644 if (device_add(&sdkp->dev)) goto out_free_index; diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index 441a1c5..07cece7 100644 +index 2d25616..7502cde 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1077,7 +1077,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) @@ -50895,7 +50858,7 @@ index 72d0f3f..ba3ff3c 100644 if (!channels) return -ENOMEM; diff --git a/drivers/staging/iio/industrialio-core.c b/drivers/staging/iio/industrialio-core.c -index aec9311..ddc3103 100644 +index f0abf29..7f8ccd26 100644 --- a/drivers/staging/iio/industrialio-core.c +++ b/drivers/staging/iio/industrialio-core.c @@ -398,7 +398,7 @@ static ssize_t iio_write_channel_info(struct device *dev, @@ -51988,10 +51951,10 @@ index bac83d8..0b87bf6 100644 } EXPORT_SYMBOL_GPL(n_tty_inherit_ops); diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c -index 4735928..e80860a 100644 +index e753be2..9a8de18 100644 --- a/drivers/tty/pty.c +++ b/drivers/tty/pty.c -@@ -775,8 +775,10 @@ static void __init unix98_pty_init(void) +@@ -778,8 +778,10 @@ static void __init unix98_pty_init(void) register_sysctl_table(pty_root_table); /* Now create the /dev/ptmx special device */ @@ -52204,20 +52167,9 @@ index 43db715..82134aa 100644 if (get_user(c, buf)) diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c -index 613f06a..751b0f8 100644 +index fa59fbe..751b0f8 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c -@@ -943,8 +943,8 @@ EXPORT_SYMBOL(start_tty); - /* We limit tty time update visibility to every 8 seconds or so. */ - static void tty_update_time(struct timespec *time) - { -- unsigned long sec = get_seconds() & ~7; -- if ((long)(sec - time->tv_sec) > 0) -+ unsigned long sec = get_seconds(); -+ if (abs(sec - time->tv_sec) & ~7) - time->tv_sec = sec; - } - @@ -1089,7 +1089,7 @@ static inline ssize_t do_tty_write( cond_resched(); } @@ -52236,31 +52188,6 @@ index 613f06a..751b0f8 100644 } /* -diff --git a/drivers/tty/tty_ioctl.c b/drivers/tty/tty_ioctl.c -index 937f927..1740117 100644 ---- a/drivers/tty/tty_ioctl.c -+++ b/drivers/tty/tty_ioctl.c -@@ -154,11 +154,17 @@ void tty_wait_until_sent(struct tty_struct *tty, long timeout) - #endif - if (!timeout) - timeout = MAX_SCHEDULE_TIMEOUT; -+ - if (wait_event_interruptible_timeout(tty->write_wait, -- !tty_chars_in_buffer(tty), timeout) >= 0) { -- if (tty->ops->wait_until_sent) -- tty->ops->wait_until_sent(tty, timeout); -+ !tty_chars_in_buffer(tty), timeout) < 0) { -+ return; - } -+ -+ if (timeout == MAX_SCHEDULE_TIMEOUT) -+ timeout = 0; -+ -+ if (tty->ops->wait_until_sent) -+ tty->ops->wait_until_sent(tty, timeout); - } - EXPORT_SYMBOL(tty_wait_until_sent); - diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c index 8e0924f..4204eb4 100644 --- a/drivers/tty/tty_ldisc.c @@ -52622,7 +52549,7 @@ index 3440812..2a4ef1f 100644 file->f_version = event_count; return POLLIN | POLLRDNORM; diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c -index 49257b3..13133cd 100644 +index 64340f3..88c4041 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -147,7 +147,7 @@ static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes, @@ -52662,7 +52589,7 @@ index 49257b3..13133cd 100644 dev->rawdescriptors[i] + (*ppos - pos), min(len, alloclen))) { diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c -index c0ee52a..145ce87 100644 +index eb2c3bd..5236c12 100644 --- a/drivers/usb/core/hcd.c +++ b/drivers/usb/core/hcd.c @@ -1475,7 +1475,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags) @@ -52750,7 +52677,7 @@ index 662c0cf..6880fbb 100644 static DEVICE_ATTR(urbnum, S_IRUGO, show_urbnum, NULL); diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c -index 73cd900..40502a4 100644 +index 9044ef6..dcda063 100644 --- a/drivers/usb/core/usb.c +++ b/drivers/usb/core/usb.c @@ -396,7 +396,7 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent, @@ -52847,10 +52774,10 @@ index db2d607..3a25028 100644 /* Find out how many LUNs there should be */ i = mod_data.nluns; diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c -index 7138540..2370195 100644 +index ce7253b..754242d 100644 --- a/drivers/usb/gadget/inode.c +++ b/drivers/usb/gadget/inode.c -@@ -2121,6 +2121,7 @@ static struct file_system_type gadgetfs_type = { +@@ -2132,6 +2132,7 @@ static struct file_system_type gadgetfs_type = { .mount = gadgetfs_mount, .kill_sb = gadgetfs_kill_sb, }; @@ -56866,35 +56793,6 @@ index b8f55c4..4c2b80c 100644 if (limit != RLIM_INFINITY && offset > limit) goto out_sig; if (offset > inode->i_sb->s_maxbytes) -diff --git a/fs/autofs4/dev-ioctl.c b/fs/autofs4/dev-ioctl.c -index de54271..62d7a6d 100644 ---- a/fs/autofs4/dev-ioctl.c -+++ b/fs/autofs4/dev-ioctl.c -@@ -95,7 +95,7 @@ static int check_dev_ioctl_version(int cmd, struct autofs_dev_ioctl *param) - */ - static struct autofs_dev_ioctl *copy_dev_ioctl(struct autofs_dev_ioctl __user *in) - { -- struct autofs_dev_ioctl tmp; -+ struct autofs_dev_ioctl tmp, *res; - - if (copy_from_user(&tmp, in, sizeof(tmp))) - return ERR_PTR(-EFAULT); -@@ -103,7 +103,14 @@ static struct autofs_dev_ioctl *copy_dev_ioctl(struct autofs_dev_ioctl __user *i - if (tmp.size < sizeof(tmp)) - return ERR_PTR(-EINVAL); - -- return memdup_user(in, tmp.size); -+ if (tmp.size > (PATH_MAX + sizeof(tmp))) -+ return ERR_PTR(-ENAMETOOLONG); -+ -+ res = memdup_user(in, tmp.size); -+ if (!IS_ERR(res)) -+ res->size = tmp.size; -+ -+ return res; - } - - static inline void free_dev_ioctl(struct autofs_dev_ioctl *param) diff --git a/fs/autofs4/init.c b/fs/autofs4/init.c index c038727..4ba2927 100644 --- a/fs/autofs4/init.c @@ -57104,7 +57002,7 @@ index a6395bd..f1e376a 100644 (unsigned long) create_aout_tables((char __user *) bprm->p, bprm); #ifdef __alpha__ diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index 8dd615c..3ecdf113 100644 +index 2aed667..52b96fd 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -32,6 +32,7 @@ @@ -57625,7 +57523,7 @@ index 8dd615c..3ecdf113 100644 * libraries. There is no binary dependent code anywhere else. @@ -544,6 +905,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top) { - unsigned int random_variable = 0; + unsigned long random_variable = 0; +#ifdef CONFIG_PAX_RANDUSTACK + if (current->mm->pax_flags & MF_PAX_RANDMMAP) @@ -57634,8 +57532,8 @@ index 8dd615c..3ecdf113 100644 + if ((current->flags & PF_RANDOMIZE) && !(current->personality & ADDR_NO_RANDOMIZE)) { - random_variable = get_random_int() & STACK_RND_MASK; -@@ -562,7 +928,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) + random_variable = (unsigned long) get_random_int(); +@@ -563,7 +929,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) unsigned long load_addr = 0, load_bias = 0; int load_addr_set = 0; char * elf_interpreter = NULL; @@ -57644,7 +57542,7 @@ index 8dd615c..3ecdf113 100644 struct elf_phdr *elf_ppnt, *elf_phdata; unsigned long elf_bss, elf_brk; int retval, i; -@@ -572,11 +938,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -573,11 +939,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) unsigned long start_code, end_code, start_data, end_data; unsigned long reloc_func_desc __maybe_unused = 0; int executable_stack = EXSTACK_DEFAULT; @@ -57657,7 +57555,7 @@ index 8dd615c..3ecdf113 100644 loc = kmalloc(sizeof(*loc), GFP_KERNEL); if (!loc) { -@@ -713,11 +1079,82 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -714,11 +1080,82 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) /* OK, This is the point of no return */ current->flags &= ~PF_FORKNOEXEC; @@ -57741,7 +57639,7 @@ index 8dd615c..3ecdf113 100644 if (elf_read_implies_exec(loc->elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC; -@@ -808,6 +1245,20 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -809,6 +1246,20 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) #else load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr); #endif @@ -57762,7 +57660,7 @@ index 8dd615c..3ecdf113 100644 } error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, -@@ -840,9 +1291,9 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -841,9 +1292,9 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) * allowed task size. Note that p_filesz must always be * <= p_memsz so it is only necessary to check p_memsz. */ @@ -57775,7 +57673,7 @@ index 8dd615c..3ecdf113 100644 /* set_brk can never work. Avoid overflows. */ send_sig(SIGKILL, current, 0); retval = -EINVAL; -@@ -881,17 +1332,44 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -882,17 +1333,44 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) goto out_free_dentry; } if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) { @@ -57826,7 +57724,7 @@ index 8dd615c..3ecdf113 100644 load_bias); if (!IS_ERR((void *)elf_entry)) { /* -@@ -1098,7 +1576,7 @@ out: +@@ -1099,7 +1577,7 @@ out: * Decide what to dump of a segment, part, all or none. */ static unsigned long vma_dump_size(struct vm_area_struct *vma, @@ -57835,7 +57733,7 @@ index 8dd615c..3ecdf113 100644 { #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type)) -@@ -1132,7 +1610,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, +@@ -1133,7 +1611,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, if (vma->vm_file == NULL) return 0; @@ -57844,7 +57742,7 @@ index 8dd615c..3ecdf113 100644 goto whole; /* -@@ -1354,9 +1832,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) +@@ -1355,9 +1833,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) { elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv; int i = 0; @@ -57856,7 +57754,7 @@ index 8dd615c..3ecdf113 100644 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv); } -@@ -1851,14 +2329,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, +@@ -1852,14 +2330,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, } static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma, @@ -57873,7 +57771,7 @@ index 8dd615c..3ecdf113 100644 return size; } -@@ -1952,7 +2430,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -1953,7 +2431,7 @@ static int elf_core_dump(struct coredump_params *cprm) dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE); @@ -57882,7 +57780,7 @@ index 8dd615c..3ecdf113 100644 offset += elf_core_extra_data_size(); e_shoff = offset; -@@ -1966,10 +2444,12 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -1967,10 +2445,12 @@ static int elf_core_dump(struct coredump_params *cprm) offset = dataoff; size += sizeof(*elf); @@ -57895,7 +57793,7 @@ index 8dd615c..3ecdf113 100644 if (size > cprm->limit || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note))) goto end_coredump; -@@ -1983,7 +2463,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -1984,7 +2464,7 @@ static int elf_core_dump(struct coredump_params *cprm) phdr.p_offset = offset; phdr.p_vaddr = vma->vm_start; phdr.p_paddr = 0; @@ -57904,7 +57802,7 @@ index 8dd615c..3ecdf113 100644 phdr.p_memsz = vma->vm_end - vma->vm_start; offset += phdr.p_filesz; phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0; -@@ -1994,6 +2474,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -1995,6 +2475,7 @@ static int elf_core_dump(struct coredump_params *cprm) phdr.p_align = ELF_EXEC_PAGESIZE; size += sizeof(phdr); @@ -57912,7 +57810,7 @@ index 8dd615c..3ecdf113 100644 if (size > cprm->limit || !dump_write(cprm->file, &phdr, sizeof(phdr))) goto end_coredump; -@@ -2018,7 +2499,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2019,7 +2500,7 @@ static int elf_core_dump(struct coredump_params *cprm) unsigned long addr; unsigned long end; @@ -57921,7 +57819,7 @@ index 8dd615c..3ecdf113 100644 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) { struct page *page; -@@ -2027,6 +2508,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2028,6 +2509,7 @@ static int elf_core_dump(struct coredump_params *cprm) page = get_dump_page(addr); if (page) { void *kaddr = kmap(page); @@ -57929,7 +57827,7 @@ index 8dd615c..3ecdf113 100644 stop = ((size += PAGE_SIZE) > cprm->limit) || !dump_write(cprm->file, kaddr, PAGE_SIZE); -@@ -2044,6 +2526,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2045,6 +2527,7 @@ static int elf_core_dump(struct coredump_params *cprm) if (e_phnum == PN_XNUM) { size += sizeof(*shdr4extnum); @@ -57937,7 +57835,7 @@ index 8dd615c..3ecdf113 100644 if (size > cprm->limit || !dump_write(cprm->file, shdr4extnum, sizeof(*shdr4extnum))) -@@ -2064,6 +2547,167 @@ out: +@@ -2065,6 +2548,167 @@ out: #endif /* CONFIG_ELF_CORE */ @@ -58751,10 +58649,10 @@ index 7b68088..17a275b 100644 GLOBAL_EXTERN atomic_t smBufAllocCount; GLOBAL_EXTERN atomic_t midCount; diff --git a/fs/cifs/file.c b/fs/cifs/file.c -index aa05d5e..4c7ee5d 100644 +index f9d2863..12e111d 100644 --- a/fs/cifs/file.c +++ b/fs/cifs/file.c -@@ -1690,10 +1690,14 @@ static int cifs_writepages(struct address_space *mapping, +@@ -1691,10 +1691,14 @@ static int cifs_writepages(struct address_space *mapping, index = mapping->writeback_index; /* Start from prev offset */ end = -1; } else { @@ -59192,10 +59090,10 @@ index 8bc98af..a49e6f0 100644 dcache_init(); inode_init(); diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c -index 6ac0893..6edd689 100644 +index a15f1e2..3077628 100644 --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c -@@ -145,6 +145,7 @@ static struct file_system_type debug_fs_type = { +@@ -164,6 +164,7 @@ static struct file_system_type debug_fs_type = { .mount = debug_mount, .kill_sb = kill_litter_super, }; @@ -59203,7 +59101,7 @@ index 6ac0893..6edd689 100644 static int debugfs_create_by_name(const char *name, mode_t mode, struct dentry *parent, -@@ -258,11 +259,20 @@ EXPORT_SYMBOL_GPL(debugfs_create_file); +@@ -277,11 +278,20 @@ EXPORT_SYMBOL_GPL(debugfs_create_file); * If debugfs is not enabled in the kernel, the value -%ENODEV will be * returned. */ @@ -59355,7 +59253,7 @@ index 451b9b8..12e5a03 100644 out_free_fd: diff --git a/fs/exec.c b/fs/exec.c -index 78199eb..ffeac65 100644 +index 7adb43f..9b2005c 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,12 +55,35 @@ @@ -59797,99 +59695,28 @@ index 78199eb..ffeac65 100644 bprm->unsafe |= LSM_UNSAFE_SHARE; } else { res = -EAGAIN; -@@ -1282,45 +1373,60 @@ int check_unsafe_exec(struct linux_binprm *bprm) - return res; - } - --/* -- * Fill the binprm structure from the inode. -- * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes -- * -- * This may be called multiple times for binary chains (scripts for example). -- */ --int prepare_binprm(struct linux_binprm *bprm) -+static void bprm_fill_uid(struct linux_binprm *bprm) - { -- umode_t mode; -- struct inode * inode = bprm->file->f_path.dentry->d_inode; -- int retval; -- -- mode = inode->i_mode; -- if (bprm->file->f_op == NULL) -- return -EACCES; -+ struct inode *inode; -+ unsigned int mode; -+ uid_t uid; -+ gid_t gid; - - /* clear any previous set[ug]id data from a previous binary */ - bprm->cred->euid = current_euid(); - bprm->cred->egid = current_egid(); +@@ -1296,6 +1387,9 @@ static void bprm_fill_uid(struct linux_binprm *bprm) + if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) + return; -- if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) { -- /* Set-uid? */ -- if (mode & S_ISUID) { -- bprm->per_clear |= PER_CLEAR_ON_SETID; -- bprm->cred->euid = inode->i_uid; -- } -- -- /* Set-gid? */ -- /* -- * If setgid is set but no group execute bit then this -- * is a candidate for mandatory locking, not a setgid -- * executable. -- */ -- if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { -- bprm->per_clear |= PER_CLEAR_ON_SETID; -- bprm->cred->egid = inode->i_gid; -- } -+ if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) -+ return; -+ + if (current->no_new_privs) + return; + -+ inode = bprm->file->f_path.dentry->d_inode; -+ mode = ACCESS_ONCE(inode->i_mode); -+ if (!(mode & (S_ISUID|S_ISGID))) -+ return; -+ -+ /* Be careful if suid/sgid is set */ -+ mutex_lock(&inode->i_mutex); -+ -+ /* reload atomically mode/uid/gid now that lock held */ -+ mode = inode->i_mode; -+ uid = inode->i_uid; -+ gid = inode->i_gid; -+ mutex_unlock(&inode->i_mutex); -+ -+ if (mode & S_ISUID) { -+ bprm->per_clear |= PER_CLEAR_ON_SETID; -+ bprm->cred->euid = uid; + inode = bprm->file->f_path.dentry->d_inode; + mode = ACCESS_ONCE(inode->i_mode); + if (!(mode & (S_ISUID|S_ISGID))) +@@ -1321,8 +1415,8 @@ static void bprm_fill_uid(struct linux_binprm *bprm) } + } -+ if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { -+ bprm->per_clear |= PER_CLEAR_ON_SETID; -+ bprm->cred->egid = gid; -+ } -+} -+ +-/* +- * Fill the binprm structure from the inode. +/* + * Fill the binprm structure from the inode. -+ * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes -+ * -+ * This may be called multiple times for binary chains (scripts for example). -+ */ -+int prepare_binprm(struct linux_binprm *bprm) -+{ -+ int retval; -+ -+ bprm_fill_uid(bprm); -+ - /* fill in binprm security blob */ - retval = security_bprm_set_creds(bprm); - if (retval) -@@ -1463,6 +1569,31 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) + * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes + * + * This may be called multiple times for binary chains (scripts for example). +@@ -1478,6 +1572,31 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) EXPORT_SYMBOL(search_binary_handler); @@ -59921,7 +59748,7 @@ index 78199eb..ffeac65 100644 /* * sys_execve() executes a new program. */ -@@ -1471,6 +1602,11 @@ static int do_execve_common(const char *filename, +@@ -1486,6 +1605,11 @@ static int do_execve_common(const char *filename, struct user_arg_ptr envp, struct pt_regs *regs) { @@ -59933,7 +59760,7 @@ index 78199eb..ffeac65 100644 struct linux_binprm *bprm; struct file *file; struct files_struct *displaced; -@@ -1478,6 +1614,8 @@ static int do_execve_common(const char *filename, +@@ -1493,6 +1617,8 @@ static int do_execve_common(const char *filename, int retval; const struct cred *cred = current_cred(); @@ -59942,7 +59769,7 @@ index 78199eb..ffeac65 100644 /* * We move the actual failure in case of RLIMIT_NPROC excess from * set*uid() to execve() because too many poorly written programs -@@ -1518,12 +1656,22 @@ static int do_execve_common(const char *filename, +@@ -1533,12 +1659,22 @@ static int do_execve_common(const char *filename, if (IS_ERR(file)) goto out_unmark; @@ -59965,7 +59792,7 @@ index 78199eb..ffeac65 100644 retval = bprm_mm_init(bprm); if (retval) goto out_file; -@@ -1540,24 +1688,70 @@ static int do_execve_common(const char *filename, +@@ -1555,24 +1691,70 @@ static int do_execve_common(const char *filename, if (retval < 0) goto out; @@ -60040,7 +59867,7 @@ index 78199eb..ffeac65 100644 current->fs->in_exec = 0; current->in_execve = 0; acct_update_integrals(current); -@@ -1566,6 +1760,14 @@ static int do_execve_common(const char *filename, +@@ -1581,6 +1763,14 @@ static int do_execve_common(const char *filename, put_files_struct(displaced); return retval; @@ -60055,7 +59882,7 @@ index 78199eb..ffeac65 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1639,7 +1841,7 @@ static int expand_corename(struct core_name *cn) +@@ -1654,7 +1844,7 @@ static int expand_corename(struct core_name *cn) { char *old_corename = cn->corename; @@ -60064,7 +59891,7 @@ index 78199eb..ffeac65 100644 cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL); if (!cn->corename) { -@@ -1736,7 +1938,7 @@ static int format_corename(struct core_name *cn, long signr) +@@ -1751,7 +1941,7 @@ static int format_corename(struct core_name *cn, long signr) int pid_in_pattern = 0; int err = 0; @@ -60073,7 +59900,7 @@ index 78199eb..ffeac65 100644 cn->corename = kmalloc(cn->size, GFP_KERNEL); cn->used = 0; -@@ -1833,6 +2035,309 @@ out: +@@ -1848,6 +2038,309 @@ out: return ispipe; } @@ -60383,7 +60210,7 @@ index 78199eb..ffeac65 100644 static int zap_process(struct task_struct *start, int exit_code) { struct task_struct *t; -@@ -2006,17 +2511,17 @@ static void coredump_finish(struct mm_struct *mm) +@@ -2021,17 +2514,17 @@ static void coredump_finish(struct mm_struct *mm) void set_dumpable(struct mm_struct *mm, int value) { switch (value) { @@ -60404,7 +60231,7 @@ index 78199eb..ffeac65 100644 set_bit(MMF_DUMP_SECURELY, &mm->flags); smp_wmb(); set_bit(MMF_DUMPABLE, &mm->flags); -@@ -2029,7 +2534,7 @@ static int __get_dumpable(unsigned long mm_flags) +@@ -2044,7 +2537,7 @@ static int __get_dumpable(unsigned long mm_flags) int ret; ret = mm_flags & MMF_DUMPABLE_MASK; @@ -60413,7 +60240,7 @@ index 78199eb..ffeac65 100644 } /* -@@ -2050,17 +2555,17 @@ static void wait_for_dump_helpers(struct file *file) +@@ -2065,17 +2558,17 @@ static void wait_for_dump_helpers(struct file *file) pipe = file->f_path.dentry->d_inode->i_pipe; pipe_lock(pipe); @@ -60436,7 +60263,7 @@ index 78199eb..ffeac65 100644 pipe_unlock(pipe); } -@@ -2121,7 +2626,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2136,7 +2629,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) int retval = 0; int flag = 0; int ispipe; @@ -60446,7 +60273,7 @@ index 78199eb..ffeac65 100644 struct coredump_params cprm = { .signr = signr, .regs = regs, -@@ -2136,6 +2642,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2151,6 +2645,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) audit_core_dumps(signr); @@ -60456,7 +60283,7 @@ index 78199eb..ffeac65 100644 binfmt = mm->binfmt; if (!binfmt || !binfmt->core_dump) goto fail; -@@ -2146,14 +2655,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2161,14 +2658,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) if (!cred) goto fail; /* @@ -60477,7 +60304,7 @@ index 78199eb..ffeac65 100644 } retval = coredump_wait(exit_code, &core_state); -@@ -2203,7 +2714,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2218,7 +2717,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) } cprm.limit = RLIM_INFINITY; @@ -60486,7 +60313,7 @@ index 78199eb..ffeac65 100644 if (core_pipe_limit && (core_pipe_limit < dump_count)) { printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", task_tgid_vnr(current), current->comm); -@@ -2230,9 +2741,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2245,9 +2744,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) } else { struct inode *inode; @@ -60506,7 +60333,7 @@ index 78199eb..ffeac65 100644 cprm.file = filp_open(cn.corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, 0600); -@@ -2273,7 +2794,7 @@ close_fail: +@@ -2288,7 +2797,7 @@ close_fail: filp_close(cprm.file, NULL); fail_dropcount: if (ispipe) @@ -60515,7 +60342,7 @@ index 78199eb..ffeac65 100644 fail_unlock: kfree(cn.corename); fail_corename: -@@ -2292,7 +2813,7 @@ fail: +@@ -2307,7 +2816,7 @@ fail: */ int dump_write(struct file *file, const void *addr, int nr) { @@ -62694,7 +62521,7 @@ index 3426521..3b75162 100644 cuse_class = class_create(THIS_MODULE, "cuse"); if (IS_ERR(cuse_class)) diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c -index cf0098d..a849907 100644 +index 81970d7..594b748 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -1226,7 +1226,7 @@ static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos, @@ -63854,10 +63681,10 @@ index cbd1a61..b43f68b 100644 static int __init init_ncp_fs(void) { diff --git a/fs/nfs/callback.c b/fs/nfs/callback.c -index 516f337..82a82df 100644 +index 3172b51..98740f4 100644 --- a/fs/nfs/callback.c +++ b/fs/nfs/callback.c -@@ -250,7 +250,6 @@ int nfs_callback_up(u32 minorversion, struct rpc_xprt *xprt) +@@ -252,7 +252,6 @@ int nfs_callback_up(u32 minorversion, struct rpc_xprt *xprt) struct svc_rqst *rqstp; int (*callback_svc)(void *vrqstp); struct nfs_callback_data *cb_info = &nfs_callback_info[minorversion]; @@ -63865,7 +63692,7 @@ index 516f337..82a82df 100644 int ret = 0; int minorversion_setup; -@@ -280,10 +279,9 @@ int nfs_callback_up(u32 minorversion, struct rpc_xprt *xprt) +@@ -282,10 +281,9 @@ int nfs_callback_up(u32 minorversion, struct rpc_xprt *xprt) svc_sock_update_bufs(serv); @@ -63878,7 +63705,7 @@ index 516f337..82a82df 100644 ret = PTR_ERR(cb_info->task); svc_exit_thread(cb_info->rqst); diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c -index 3fde055..de27202 100644 +index 6d22d35..548abd8 100644 --- a/fs/nfs/callback_xdr.c +++ b/fs/nfs/callback_xdr.c @@ -50,7 +50,7 @@ struct callback_op { @@ -63947,10 +63774,10 @@ index b78b5b6..c64d84f 100644 void nfs_fattr_init(struct nfs_fattr *fattr) diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c -index 351989e..8b551bb 100644 +index e83786f..c6f7fd6 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c -@@ -1037,7 +1037,7 @@ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata) +@@ -1036,7 +1036,7 @@ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata) struct nfs4_state *state = opendata->state; struct nfs_inode *nfsi = NFS_I(state->inode); struct nfs_delegation *delegation; @@ -66283,7 +66110,7 @@ index 81a48d1..b2275ba 100644 "cpu%d %llu %llu %llu %llu %llu %llu %llu %llu %llu " "%llu\n", diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index ef1740d..9a18b87 100644 +index d1bd6a9..872017c 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -11,12 +11,19 @@ @@ -66468,7 +66295,7 @@ index ef1740d..9a18b87 100644 ret = PTR_ERR(mm); if (!mm || IS_ERR(mm)) goto out_free; -@@ -1024,6 +1075,13 @@ static int show_numa_map(struct seq_file *m, void *v) +@@ -1034,6 +1085,13 @@ static int show_numa_map(struct seq_file *m, void *v) int n; char buffer[50]; @@ -66482,7 +66309,7 @@ index ef1740d..9a18b87 100644 if (!mm) return 0; -@@ -1041,11 +1099,15 @@ static int show_numa_map(struct seq_file *m, void *v) +@@ -1051,11 +1109,15 @@ static int show_numa_map(struct seq_file *m, void *v) mpol_to_str(buffer, sizeof(buffer), pol, 0); mpol_cond_put(pol); @@ -67496,296 +67323,6 @@ index 201bcfc..cee4d16 100644 /* * Inode slab cache constructor. -diff --git a/fs/udf/inode.c b/fs/udf/inode.c -index 2a706bb..f1e984a 100644 ---- a/fs/udf/inode.c -+++ b/fs/udf/inode.c -@@ -50,7 +50,6 @@ MODULE_LICENSE("GPL"); - - static mode_t udf_convert_permissions(struct fileEntry *); - static int udf_update_inode(struct inode *, int); --static void udf_fill_inode(struct inode *, struct buffer_head *); - static int udf_sync_inode(struct inode *inode); - static int udf_alloc_i_data(struct inode *inode, size_t size); - static struct buffer_head *inode_getblk(struct inode *, sector_t, int *, -@@ -1183,15 +1182,28 @@ update_time: - */ - #define UDF_MAX_ICB_NESTING 1024 - --static void __udf_read_inode(struct inode *inode) -+static int udf_read_inode(struct inode *inode) - { - struct buffer_head *bh = NULL; - struct fileEntry *fe; -+ struct extendedFileEntry *efe; - uint16_t ident; - struct udf_inode_info *iinfo = UDF_I(inode); -+ struct udf_sb_info *sbi = UDF_SB(inode->i_sb); -+ struct kernel_lb_addr *iloc = &iinfo->i_location; -+ unsigned int link_count; -+ - unsigned int indirections = 0; -+ int ret = -EIO; - - reread: -+ if (iloc->logicalBlockNum >= -+ sbi->s_partmaps[iloc->partitionReferenceNum].s_partition_len) { -+ udf_debug("block=%d, partition=%d out of range\n", -+ iloc->logicalBlockNum, iloc->partitionReferenceNum); -+ return -EIO; -+ } -+ - /* - * Set defaults, but the inode is still incomplete! - * Note: get_new_inode() sets the following on a new inode: -@@ -1204,29 +1216,26 @@ reread: - * i_nlink = 1 - * i_op = NULL; - */ -- bh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 0, &ident); -+ bh = udf_read_ptagged(inode->i_sb, iloc, 0, &ident); - if (!bh) { - udf_err(inode->i_sb, "(ino %ld) failed !bh\n", inode->i_ino); -- make_bad_inode(inode); -- return; -+ return -EIO; - } - - if (ident != TAG_IDENT_FE && ident != TAG_IDENT_EFE && - ident != TAG_IDENT_USE) { - udf_err(inode->i_sb, "(ino %ld) failed ident=%d\n", - inode->i_ino, ident); -- brelse(bh); -- make_bad_inode(inode); -- return; -+ goto out; - } - - fe = (struct fileEntry *)bh->b_data; -+ efe = (struct extendedFileEntry *)bh->b_data; - - if (fe->icbTag.strategyType == cpu_to_le16(4096)) { - struct buffer_head *ibh; - -- ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1, -- &ident); -+ ibh = udf_read_ptagged(inode->i_sb, iloc, 1, &ident); - if (ident == TAG_IDENT_IE && ibh) { - struct kernel_lb_addr loc; - struct indirectEntry *ie; -@@ -1235,7 +1244,6 @@ reread: - loc = lelb_to_cpu(ie->indirectICB.extLocation); - - if (ie->indirectICB.extLength) { -- brelse(bh); - brelse(ibh); - memcpy(&iinfo->i_location, &loc, - sizeof(struct kernel_lb_addr)); -@@ -1244,9 +1252,9 @@ reread: - "too many ICBs in ICB hierarchy" - " (max %d supported)\n", - UDF_MAX_ICB_NESTING); -- make_bad_inode(inode); -- return; -+ goto out; - } -+ brelse(bh); - goto reread; - } - } -@@ -1254,27 +1262,8 @@ reread: - } else if (fe->icbTag.strategyType != cpu_to_le16(4)) { - udf_err(inode->i_sb, "unsupported strategy type: %d\n", - le16_to_cpu(fe->icbTag.strategyType)); -- brelse(bh); -- make_bad_inode(inode); -- return; -+ goto out; - } -- udf_fill_inode(inode, bh); -- -- brelse(bh); --} -- --static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) --{ -- struct fileEntry *fe; -- struct extendedFileEntry *efe; -- int offset; -- struct udf_sb_info *sbi = UDF_SB(inode->i_sb); -- struct udf_inode_info *iinfo = UDF_I(inode); -- unsigned int link_count; -- -- fe = (struct fileEntry *)bh->b_data; -- efe = (struct extendedFileEntry *)bh->b_data; -- - if (fe->icbTag.strategyType == cpu_to_le16(4)) - iinfo->i_strat4096 = 0; - else /* if (fe->icbTag.strategyType == cpu_to_le16(4096)) */ -@@ -1291,11 +1280,10 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) - if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_EFE)) { - iinfo->i_efe = 1; - iinfo->i_use = 0; -- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize - -- sizeof(struct extendedFileEntry))) { -- make_bad_inode(inode); -- return; -- } -+ ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize - -+ sizeof(struct extendedFileEntry)); -+ if (ret) -+ goto out; - memcpy(iinfo->i_ext.i_data, - bh->b_data + sizeof(struct extendedFileEntry), - inode->i_sb->s_blocksize - -@@ -1303,11 +1291,10 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) - } else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) { - iinfo->i_efe = 0; - iinfo->i_use = 0; -- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize - -- sizeof(struct fileEntry))) { -- make_bad_inode(inode); -- return; -- } -+ ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize - -+ sizeof(struct fileEntry)); -+ if (ret) -+ goto out; - memcpy(iinfo->i_ext.i_data, - bh->b_data + sizeof(struct fileEntry), - inode->i_sb->s_blocksize - sizeof(struct fileEntry)); -@@ -1317,18 +1304,18 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) - iinfo->i_lenAlloc = le32_to_cpu( - ((struct unallocSpaceEntry *)bh->b_data)-> - lengthAllocDescs); -- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize - -- sizeof(struct unallocSpaceEntry))) { -- make_bad_inode(inode); -- return; -- } -+ ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize - -+ sizeof(struct unallocSpaceEntry)); -+ if (ret) -+ goto out; - memcpy(iinfo->i_ext.i_data, - bh->b_data + sizeof(struct unallocSpaceEntry), - inode->i_sb->s_blocksize - - sizeof(struct unallocSpaceEntry)); -- return; -+ return 0; - } - -+ ret = -EIO; - read_lock(&sbi->s_cred_lock); - inode->i_uid = le32_to_cpu(fe->uid); - if (inode->i_uid == -1 || -@@ -1378,7 +1365,6 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) - iinfo->i_unique = le64_to_cpu(fe->uniqueID); - iinfo->i_lenEAttr = le32_to_cpu(fe->lengthExtendedAttr); - iinfo->i_lenAlloc = le32_to_cpu(fe->lengthAllocDescs); -- offset = sizeof(struct fileEntry) + iinfo->i_lenEAttr; - } else { - inode->i_blocks = le64_to_cpu(efe->logicalBlocksRecorded) << - (inode->i_sb->s_blocksize_bits - 9); -@@ -1399,8 +1385,20 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) - iinfo->i_unique = le64_to_cpu(efe->uniqueID); - iinfo->i_lenEAttr = le32_to_cpu(efe->lengthExtendedAttr); - iinfo->i_lenAlloc = le32_to_cpu(efe->lengthAllocDescs); -- offset = sizeof(struct extendedFileEntry) + -- iinfo->i_lenEAttr; -+ } -+ -+ /* Sanity checks for files in ICB so that we don't get confused later */ -+ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { -+ /* -+ * For file in ICB data is stored in allocation descriptor -+ * so sizes should match -+ */ -+ if (iinfo->i_lenAlloc != inode->i_size) -+ goto out; -+ /* File in ICB has to fit in there... */ -+ if (inode->i_size > inode->i_sb->s_blocksize - -+ udf_file_entry_alloc_offset(inode)) -+ goto out; - } - - /* Sanity checks for files in ICB so that we don't get confused later */ -@@ -1469,8 +1467,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) - default: - udf_err(inode->i_sb, "(ino %ld) failed unknown file type=%d\n", - inode->i_ino, fe->icbTag.fileType); -- make_bad_inode(inode); -- return; -+ goto out; - } - if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode)) { - struct deviceSpec *dsea = -@@ -1481,8 +1478,12 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) - le32_to_cpu(dsea->minorDeviceIdent))); - /* Developer ID ??? */ - } else -- make_bad_inode(inode); -+ goto out; - } -+ ret = 0; -+out: -+ brelse(bh); -+ return ret; - } - - static int udf_alloc_i_data(struct inode *inode, size_t size) -@@ -1595,7 +1596,7 @@ static int udf_update_inode(struct inode *inode, int do_sync) - FE_PERM_U_DELETE | FE_PERM_U_CHATTR)); - fe->permissions = cpu_to_le32(udfperms); - -- if (S_ISDIR(inode->i_mode)) -+ if (S_ISDIR(inode->i_mode) && inode->i_nlink > 0) - fe->fileLinkCount = cpu_to_le16(inode->i_nlink - 1); - else - fe->fileLinkCount = cpu_to_le16(inode->i_nlink); -@@ -1756,32 +1757,23 @@ struct inode *udf_iget(struct super_block *sb, struct kernel_lb_addr *ino) - { - unsigned long block = udf_get_lb_pblock(sb, ino, 0); - struct inode *inode = iget_locked(sb, block); -+ int err; - - if (!inode) -- return NULL; -+ return ERR_PTR(-ENOMEM); - -- if (inode->i_state & I_NEW) { -- memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr)); -- __udf_read_inode(inode); -- unlock_new_inode(inode); -- } -- -- if (is_bad_inode(inode)) -- goto out_iput; -+ if (!(inode->i_state & I_NEW)) -+ return inode; - -- if (ino->logicalBlockNum >= UDF_SB(sb)-> -- s_partmaps[ino->partitionReferenceNum].s_partition_len) { -- udf_debug("block=%d, partition=%d out of range\n", -- ino->logicalBlockNum, ino->partitionReferenceNum); -- make_bad_inode(inode); -- goto out_iput; -+ memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr)); -+ err = udf_read_inode(inode); -+ if (err < 0) { -+ iget_failed(inode); -+ return ERR_PTR(err); - } -+ unlock_new_inode(inode); - - return inode; -- -- out_iput: -- iput(inode); -- return NULL; - } - - int udf_add_aext(struct inode *inode, struct extent_position *epos, diff --git a/fs/udf/misc.c b/fs/udf/misc.c index c175b4d..8f36a16 100644 --- a/fs/udf/misc.c @@ -68375,7 +67912,7 @@ index eb519de..a7569b5 100644 goto out_put; diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c -index bd2fb43..86fd3e8d 100644 +index 1c01f04..28fd95b 100644 --- a/fs/xfs/xfs_iops.c +++ b/fs/xfs/xfs_iops.c @@ -447,7 +447,7 @@ xfs_vn_put_link( @@ -80926,10 +80463,10 @@ index d42bd48..a20850d 100644 /* * epoll (fs/eventpoll.c) compat bits follow ... diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h -index e2a360a..1d61efb 100644 +index 59a7e4c..8feb590 100644 --- a/include/linux/compiler-gcc4.h +++ b/include/linux/compiler-gcc4.h -@@ -42,6 +42,26 @@ +@@ -44,6 +44,26 @@ #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0) #if __GNUC_MINOR__ >= 5 @@ -80956,7 +80493,7 @@ index e2a360a..1d61efb 100644 /* * Mark a position in code as unreachable. This can be used to * suppress control flow warnings after asm blocks that transfer -@@ -57,6 +77,11 @@ +@@ -59,6 +79,11 @@ #define __noclone __attribute__((__noclone__)) #endif @@ -81008,7 +80545,7 @@ index cdd1cc2..2401b2e 100644 * (asm goto is automatically volatile - the naming reflects this.) */ diff --git a/include/linux/compiler.h b/include/linux/compiler.h -index 7c7546b..588d7d2 100644 +index 65c8b78..5d8ba14 100644 --- a/include/linux/compiler.h +++ b/include/linux/compiler.h @@ -5,31 +5,51 @@ @@ -81138,7 +80675,7 @@ index 7c7546b..588d7d2 100644 /* Compile time object size, -1 for unknown */ #ifndef __compiletime_object_size # define __compiletime_object_size(obj) -1 -@@ -296,6 +360,18 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); +@@ -296,10 +360,24 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); #endif #ifndef __compiletime_error # define __compiletime_error(message) @@ -81146,7 +80683,11 @@ index 7c7546b..588d7d2 100644 + do { ((void)sizeof(char[1 - 2*!!(condition)])); } while (0) +#else +# define __compiletime_error_fallback(condition) do { } while (0) -+#endif + #endif ++ + #ifndef __linktime_error + # define __linktime_error(message) + #endif + +#ifndef __size_overflow +# define __size_overflow(...) @@ -81154,10 +80695,12 @@ index 7c7546b..588d7d2 100644 + +#ifndef __intentional_overflow +# define __intentional_overflow(...) - #endif - ++#endif ++ /* -@@ -310,6 +386,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); + * Prevent the compiler from merging or refetching accesses. The compiler + * is also forbidden from reordering successive instances of ACCESS_ONCE(), +@@ -312,6 +390,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); * use is to mediate communication between process-level code and irq/NMI * handlers, all running on the same CPU. */ @@ -81825,10 +81368,10 @@ index 9ec20de..8007b8a 100644 /* * fscache cached network filesystem type diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h -index 2a53f10..e3cd3e0 100644 +index dad4f61..ce486de 100644 --- a/include/linux/fsnotify.h +++ b/include/linux/fsnotify.h -@@ -194,6 +194,9 @@ static inline void fsnotify_access(struct file *file) +@@ -196,6 +196,9 @@ static inline void fsnotify_access(struct file *file) struct inode *inode = path->dentry->d_inode; __u32 mask = FS_ACCESS; @@ -81838,7 +81381,7 @@ index 2a53f10..e3cd3e0 100644 if (S_ISDIR(inode->i_mode)) mask |= FS_ISDIR; -@@ -212,6 +215,9 @@ static inline void fsnotify_modify(struct file *file) +@@ -214,6 +217,9 @@ static inline void fsnotify_modify(struct file *file) struct inode *inode = path->dentry->d_inode; __u32 mask = FS_MODIFY; @@ -81848,7 +81391,7 @@ index 2a53f10..e3cd3e0 100644 if (S_ISDIR(inode->i_mode)) mask |= FS_ISDIR; -@@ -314,7 +320,7 @@ static inline void fsnotify_change(struct dentry *dentry, unsigned int ia_valid) +@@ -316,7 +322,7 @@ static inline void fsnotify_change(struct dentry *dentry, unsigned int ia_valid) */ static inline const unsigned char *fsnotify_oldname_init(const unsigned char *name) { @@ -83557,10 +83100,10 @@ index 3875719..4663bc3 100644 /* This macro allows us to keep printk typechecking */ static __printf(1, 2) diff --git a/include/linux/kernel.h b/include/linux/kernel.h -index 0b8ca35..bf1dd28 100644 +index dcf6a8b..e1f7aa5 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h -@@ -697,24 +697,30 @@ static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { } +@@ -698,24 +698,30 @@ static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { } * @condition: the condition which the compiler should know is false. * * If you have some code which relies on certain constants being equal, or @@ -83602,7 +83145,7 @@ index 0b8ca35..bf1dd28 100644 + __compiletime_error_fallback(__cond); \ } while(0) #endif - #endif /* __CHECKER__ */ + diff --git a/include/linux/key-type.h b/include/linux/key-type.h index 9efd081..19f989c 100644 --- a/include/linux/key-type.h @@ -87774,21 +87317,6 @@ index 8ba8ce2..99b7fff 100644 struct sk_buff *skb, int offset, struct iovec *to, size_t len, struct dma_pinned_list *pinned_list); -diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h -index 2dcf317..d918074 100644 ---- a/include/net/netfilter/nf_conntrack_extend.h -+++ b/include/net/netfilter/nf_conntrack_extend.h -@@ -33,8 +33,8 @@ enum nf_ct_ext_id { - /* Extensions: optional stuff which isn't permanently in struct. */ - struct nf_ct_ext { - struct rcu_head rcu; -- u8 offset[NF_CT_EXT_NUM]; -- u8 len; -+ u16 offset[NF_CT_EXT_NUM]; -+ u16 len; - char data[0]; - }; - diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h index 252fd10..aa1421f 100644 --- a/include/net/netfilter/nf_queue.h @@ -90174,7 +89702,7 @@ index 7fda904..59f620c 100644 } EXPORT_SYMBOL_GPL(kgdb_schedule_breakpoint); diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c -index 63786e7..0780cac 100644 +index f56af55..657c675 100644 --- a/kernel/debug/kdb/kdb_main.c +++ b/kernel/debug/kdb/kdb_main.c @@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const char **argv) @@ -90196,7 +89724,7 @@ index 63786e7..0780cac 100644 #ifdef CONFIG_MODULE_UNLOAD { diff --git a/kernel/events/core.c b/kernel/events/core.c -index 2a4bf43..9f6ecac 100644 +index 4277095..836fd7d 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -146,8 +146,15 @@ static struct srcu_struct pmus_srcu; @@ -90259,7 +89787,7 @@ index 2a4bf43..9f6ecac 100644 barrier(); ++userpg->lock; -@@ -4067,11 +4074,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, +@@ -4077,11 +4084,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, values[n++] = perf_event_count(event); if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) { values[n++] = enabled + @@ -90273,7 +89801,7 @@ index 2a4bf43..9f6ecac 100644 } if (read_format & PERF_FORMAT_ID) values[n++] = primary_event_id(event); -@@ -4722,12 +4729,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) +@@ -4732,12 +4739,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) * need to add enough zero bytes after the string to handle * the 64bit alignment we do later. */ @@ -90288,7 +89816,7 @@ index 2a4bf43..9f6ecac 100644 if (IS_ERR(name)) { name = strncpy(tmp, "//toolong", sizeof(tmp)); goto got_name; -@@ -6093,7 +6100,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, +@@ -6103,7 +6110,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, event->parent = parent_event; event->ns = get_pid_ns(current->nsproxy->pid_ns); @@ -90297,7 +89825,7 @@ index 2a4bf43..9f6ecac 100644 event->state = PERF_EVENT_STATE_INACTIVE; -@@ -6339,6 +6346,11 @@ SYSCALL_DEFINE5(perf_event_open, +@@ -6349,6 +6356,11 @@ SYSCALL_DEFINE5(perf_event_open, if (flags & ~PERF_FLAG_ALL) return -EINVAL; @@ -90309,7 +89837,7 @@ index 2a4bf43..9f6ecac 100644 err = perf_copy_attr(attr_uptr, &attr); if (err) return err; -@@ -6637,10 +6649,10 @@ static void sync_child_event(struct perf_event *child_event, +@@ -6647,10 +6659,10 @@ static void sync_child_event(struct perf_event *child_event, /* * Add back the child's count to the parent's count: */ @@ -93015,18 +92543,9 @@ index 3d4b954..11af930 100644 if (pm_wakeup_pending()) { diff --git a/kernel/printk.c b/kernel/printk.c -index 8fac434..ced569b 100644 +index c073f43..ced569b 100644 --- a/kernel/printk.c +++ b/kernel/printk.c -@@ -123,7 +123,7 @@ static struct console *exclusive_console; - */ - struct console_cmdline - { -- char name[8]; /* Name of the driver */ -+ char name[16]; /* Name of the driver */ - int index; /* Minor dev. to use */ - char *options; /* Options for the driver */ - #ifdef CONFIG_A11Y_BRAILLE_CONSOLE @@ -313,6 +313,11 @@ static int check_syslog_permissions(int type, bool from_file) if (from_file && type != SYSLOG_ACTION_OPEN) return 0; @@ -93039,14 +92558,6 @@ index 8fac434..ced569b 100644 if (syslog_action_restricted(type)) { if (capable(CAP_SYSLOG)) return 0; -@@ -1477,6 +1482,7 @@ void register_console(struct console *newcon) - */ - for (i = 0; i < MAX_CMDLINECONSOLES && console_cmdline[i].name[0]; - i++) { -+ BUILD_BUG_ON(sizeof(console_cmdline[i].name) != sizeof(newcon->name)); - if (strcmp(console_cmdline[i].name, newcon->name) != 0) - continue; - if (newcon->index >= 0 && diff --git a/kernel/profile.c b/kernel/profile.c index 76b8e77..a2930e8 100644 --- a/kernel/profile.c @@ -93788,7 +93299,7 @@ index 3d9f31c..7fefc9e 100644 default: diff --git a/kernel/sched.c b/kernel/sched.c -index ea85b0d..633af22 100644 +index fe33d0f..b5d0b8a 100644 --- a/kernel/sched.c +++ b/kernel/sched.c @@ -3307,8 +3307,10 @@ context_switch(struct rq *rq, struct task_struct *prev, @@ -93830,7 +93341,7 @@ index ea85b0d..633af22 100644 wait_for_completion_killable_timeout(struct completion *x, unsigned long timeout) { -@@ -5297,6 +5299,8 @@ int can_nice(const struct task_struct *p, const int nice) +@@ -5300,6 +5302,8 @@ int can_nice(const struct task_struct *p, const int nice) /* convert nice value [19,-20] to rlimit style value [1,40] */ int nice_rlim = 20 - nice; @@ -93839,7 +93350,7 @@ index ea85b0d..633af22 100644 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) || capable(CAP_SYS_NICE)); } -@@ -5330,7 +5334,8 @@ SYSCALL_DEFINE1(nice, int, increment) +@@ -5333,7 +5337,8 @@ SYSCALL_DEFINE1(nice, int, increment) if (nice > 19) nice = 19; @@ -93849,7 +93360,7 @@ index ea85b0d..633af22 100644 return -EPERM; retval = security_task_setnice(current, nice); -@@ -5487,6 +5492,7 @@ recheck: +@@ -5490,6 +5495,7 @@ recheck: unsigned long rlim_rtprio = task_rlimit(p, RLIMIT_RTPRIO); @@ -93857,7 +93368,7 @@ index ea85b0d..633af22 100644 /* can't set/change the rt policy */ if (policy != p->policy && !rlim_rtprio) return -EPERM; -@@ -6521,8 +6527,10 @@ void idle_task_exit(void) +@@ -6524,8 +6530,10 @@ void idle_task_exit(void) BUG_ON(cpu_online(smp_processor_id())); @@ -93869,7 +93380,7 @@ index ea85b0d..633af22 100644 mmdrop(mm); } -@@ -6629,7 +6637,7 @@ static void unthrottle_offline_cfs_rqs(struct rq *rq) {} +@@ -6632,7 +6640,7 @@ static void unthrottle_offline_cfs_rqs(struct rq *rq) {} #if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_SYSCTL) @@ -93878,7 +93389,7 @@ index ea85b0d..633af22 100644 { .procname = "sched_domain", .mode = 0555, -@@ -6646,17 +6654,17 @@ static struct ctl_table sd_ctl_root[] = { +@@ -6649,17 +6657,17 @@ static struct ctl_table sd_ctl_root[] = { {} }; @@ -93900,7 +93411,7 @@ index ea85b0d..633af22 100644 /* * In the intermediate directories, both the child directory and -@@ -6664,22 +6672,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep) +@@ -6667,22 +6675,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep) * will always be set. In the lowest directory the names are * static strings and all have proc handlers. */ @@ -93932,7 +93443,7 @@ index ea85b0d..633af22 100644 const char *procname, void *data, int maxlen, mode_t mode, proc_handler *proc_handler, bool load_idx) -@@ -6699,7 +6710,7 @@ set_table_entry(struct ctl_table *entry, +@@ -6702,7 +6713,7 @@ set_table_entry(struct ctl_table *entry, static struct ctl_table * sd_alloc_ctl_domain_table(struct sched_domain *sd) { @@ -93941,7 +93452,7 @@ index ea85b0d..633af22 100644 if (table == NULL) return NULL; -@@ -6734,9 +6745,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd) +@@ -6737,9 +6748,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd) return table; } @@ -93953,7 +93464,7 @@ index ea85b0d..633af22 100644 struct sched_domain *sd; int domain_num = 0, i; char buf[32]; -@@ -6763,11 +6774,13 @@ static struct ctl_table_header *sd_sysctl_header; +@@ -6766,11 +6777,13 @@ static struct ctl_table_header *sd_sysctl_header; static void register_sched_domain_sysctl(void) { int i, cpu_num = num_possible_cpus(); @@ -93968,7 +93479,7 @@ index ea85b0d..633af22 100644 if (entry == NULL) return; -@@ -6790,8 +6803,12 @@ static void unregister_sched_domain_sysctl(void) +@@ -6793,8 +6806,12 @@ static void unregister_sched_domain_sysctl(void) if (sd_sysctl_header) unregister_sysctl_table(sd_sysctl_header); sd_sysctl_header = NULL; @@ -93983,7 +93494,7 @@ index ea85b0d..633af22 100644 } #else static void register_sched_domain_sysctl(void) -@@ -6889,7 +6906,7 @@ migration_call(struct notifier_block *nfb, unsigned long action, void *hcpu) +@@ -6892,7 +6909,7 @@ migration_call(struct notifier_block *nfb, unsigned long action, void *hcpu) * happens before everything else. This has to be lower priority than * the notifier in the perf_event subsystem, though. */ @@ -93993,7 +93504,7 @@ index ea85b0d..633af22 100644 .priority = CPU_PRI_MIGRATION, }; diff --git a/kernel/sched_autogroup.c b/kernel/sched_autogroup.c -index f280df1..da1281d 100644 +index cb0a950..47dfae9 100644 --- a/kernel/sched_autogroup.c +++ b/kernel/sched_autogroup.c @@ -7,7 +7,7 @@ @@ -95741,10 +95252,10 @@ index 92cac05..89f0de9 100644 ret = -EIO; bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt, diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c -index dcbafed..bba19b9 100644 +index 08e043b..a000091 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c -@@ -1610,12 +1610,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec) +@@ -1616,12 +1616,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec) if (unlikely(ftrace_disabled)) return 0; @@ -95764,7 +95275,7 @@ index dcbafed..bba19b9 100644 } /* -@@ -2695,7 +2700,7 @@ static void ftrace_free_entry_rcu(struct rcu_head *rhp) +@@ -2713,7 +2718,7 @@ static void ftrace_free_entry_rcu(struct rcu_head *rhp) int register_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops, @@ -95773,16 +95284,16 @@ index dcbafed..bba19b9 100644 { struct ftrace_func_probe *entry; struct ftrace_page *pg; -@@ -4045,8 +4050,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write, +@@ -4062,8 +4067,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write, + #ifdef CONFIG_FUNCTION_GRAPH_TRACER - static int ftrace_graph_active; -static struct notifier_block ftrace_suspend_notifier; - int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace) { return 0; -@@ -4088,7 +4091,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list) +@@ -4105,7 +4108,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list) if (t->ret_stack == NULL) { atomic_set(&t->tracing_graph_pause, 0); @@ -95791,7 +95302,7 @@ index dcbafed..bba19b9 100644 t->curr_ret_stack = -1; /* Make sure the tasks see the -1 first: */ smp_wmb(); -@@ -4191,6 +4194,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state, +@@ -4208,6 +4211,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state, return NOTIFY_DONE; } @@ -95802,7 +95313,7 @@ index dcbafed..bba19b9 100644 /* Just a place holder for function graph */ static struct ftrace_ops fgraph_ops __read_mostly = { .func = ftrace_stub, -@@ -4234,7 +4241,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc, +@@ -4251,7 +4258,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc, goto out; } @@ -95810,7 +95321,7 @@ index dcbafed..bba19b9 100644 register_pm_notifier(&ftrace_suspend_notifier); ftrace_graph_active++; -@@ -4288,7 +4294,7 @@ static void +@@ -4305,7 +4311,7 @@ static void graph_init_task(struct task_struct *t, struct ftrace_ret_stack *ret_stack) { atomic_set(&t->tracing_graph_pause, 0); @@ -97934,7 +97445,7 @@ index 79166c2..7ce048f 100644 entry = maybe_mkwrite(pte_mkdirty(entry), vma); if (!pmd_write(*pmd)) diff --git a/mm/hugetlb.c b/mm/hugetlb.c -index d2c43a2..2213df3 100644 +index 26922da..73f8544 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -2009,15 +2009,17 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy, @@ -97979,7 +97490,7 @@ index d2c43a2..2213df3 100644 if (ret) goto out; -@@ -2517,6 +2521,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2518,6 +2522,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, return 1; } @@ -98007,7 +97518,7 @@ index d2c43a2..2213df3 100644 /* * Hugetlb_cow() should be called with page lock of the original hugepage held. */ -@@ -2619,6 +2644,11 @@ retry_avoidcopy: +@@ -2620,6 +2645,11 @@ retry_avoidcopy: make_huge_pte(vma, new_page, 1)); page_remove_rmap(old_page); hugepage_add_new_anon_rmap(new_page, vma, address); @@ -98019,7 +97530,7 @@ index d2c43a2..2213df3 100644 /* Make the old page be freed below */ new_page = old_page; mmu_notifier_invalidate_range_end(mm, -@@ -2770,6 +2800,10 @@ retry: +@@ -2771,6 +2801,10 @@ retry: && (vma->vm_flags & VM_SHARED))); set_huge_pte_at(mm, address, ptep, new_pte); @@ -98030,9 +97541,9 @@ index d2c43a2..2213df3 100644 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) { /* Optimization, do the COW without a second fault */ ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page); -@@ -2799,6 +2833,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, - static DEFINE_MUTEX(hugetlb_instantiation_mutex); +@@ -2801,6 +2835,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, struct hstate *h = hstate_vma(vma); + int need_wait_lock = 0; +#ifdef CONFIG_PAX_SEGMEXEC + struct vm_area_struct *vma_m; @@ -98041,7 +97552,7 @@ index d2c43a2..2213df3 100644 ptep = huge_pte_offset(mm, address); if (ptep) { entry = huge_ptep_get(ptep); -@@ -2810,6 +2848,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2812,6 +2850,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, VM_FAULT_SET_HINDEX(h - hstates); } @@ -98314,7 +97825,7 @@ index 51901b1..79af2f4 100644 /* keep elevated page count for bad page */ return ret; diff --git a/mm/memory.c b/mm/memory.c -index 0a7bb38..4efd48c 100644 +index 452b8ba..d322be8 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -462,8 +462,12 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, @@ -99256,7 +98767,7 @@ index 1ffd97a..ed75674 100644 int mminit_loglevel; diff --git a/mm/mmap.c b/mm/mmap.c -index 13b5685..39383bb 100644 +index 94f4e34..294492d 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -30,6 +30,7 @@ @@ -99341,7 +98852,7 @@ index 13b5685..39383bb 100644 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) + (mm->end_data - mm->start_data) > rlim) goto out; -@@ -694,6 +722,12 @@ static int +@@ -692,6 +720,12 @@ static int can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags, struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff) { @@ -99354,7 +98865,7 @@ index 13b5685..39383bb 100644 if (is_mergeable_vma(vma, file, vm_flags) && is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) { if (vma->vm_pgoff == vm_pgoff) -@@ -713,6 +747,12 @@ static int +@@ -711,6 +745,12 @@ static int can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags, struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff) { @@ -99367,7 +98878,7 @@ index 13b5685..39383bb 100644 if (is_mergeable_vma(vma, file, vm_flags) && is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) { pgoff_t vm_pglen; -@@ -755,13 +795,20 @@ can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags, +@@ -753,13 +793,20 @@ can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags, struct vm_area_struct *vma_merge(struct mm_struct *mm, struct vm_area_struct *prev, unsigned long addr, unsigned long end, unsigned long vm_flags, @@ -99389,7 +98900,7 @@ index 13b5685..39383bb 100644 /* * We later require that vma->vm_flags == vm_flags, * so this tests vma->vm_flags & VM_SPECIAL, too. -@@ -777,6 +824,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, +@@ -775,6 +822,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, if (next && next->vm_end == end) /* cases 6, 7, 8 */ next = next->vm_next; @@ -99405,7 +98916,7 @@ index 13b5685..39383bb 100644 /* * Can it merge with the predecessor? */ -@@ -796,9 +852,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, +@@ -794,9 +850,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, /* cases 1, 6 */ err = vma_adjust(prev, prev->vm_start, next->vm_end, prev->vm_pgoff, NULL); @@ -99431,7 +98942,7 @@ index 13b5685..39383bb 100644 if (err) return NULL; khugepaged_enter_vma_merge(prev, vm_flags); -@@ -812,12 +883,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, +@@ -810,12 +881,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, mpol_equal(policy, vma_policy(next)) && can_vma_merge_before(next, vm_flags, anon_vma, file, pgoff+pglen)) { @@ -99461,7 +98972,7 @@ index 13b5685..39383bb 100644 if (err) return NULL; khugepaged_enter_vma_merge(area, vm_flags); -@@ -926,15 +1012,22 @@ none: +@@ -924,15 +1010,22 @@ none: void vm_stat_account(struct mm_struct *mm, unsigned long flags, struct file *file, long pages) { @@ -99487,7 +98998,7 @@ index 13b5685..39383bb 100644 if (flags & (VM_RESERVED|VM_IO)) mm->reserved_vm += pages; } -@@ -960,7 +1053,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -958,7 +1051,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, * (the exception is when the underlying filesystem is noexec * mounted, in which case we dont add PROT_EXEC.) */ @@ -99496,7 +99007,7 @@ index 13b5685..39383bb 100644 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC))) prot |= PROT_EXEC; -@@ -986,7 +1079,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -984,7 +1077,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, /* Obtain the address to map to. we verify (or select) it and ensure * that it represents a valid section of the address space. */ @@ -99505,7 +99016,7 @@ index 13b5685..39383bb 100644 if (addr & ~PAGE_MASK) return addr; -@@ -997,6 +1090,43 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -995,6 +1088,43 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; @@ -99549,7 +99060,7 @@ index 13b5685..39383bb 100644 if (flags & MAP_LOCKED) if (!can_do_mlock()) return -EPERM; -@@ -1008,6 +1138,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -1006,6 +1136,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; @@ -99557,7 +99068,7 @@ index 13b5685..39383bb 100644 if (locked > lock_limit && !capable(CAP_IPC_LOCK)) return -EAGAIN; } -@@ -1078,6 +1209,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -1076,6 +1207,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, if (error) return error; @@ -99567,7 +99078,7 @@ index 13b5685..39383bb 100644 return mmap_region(file, addr, len, flags, vm_flags, pgoff); } EXPORT_SYMBOL(do_mmap_pgoff); -@@ -1158,7 +1292,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma) +@@ -1156,7 +1290,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma) vm_flags_t vm_flags = vma->vm_flags; /* If it was private or non-writable, the write bit is already clear */ @@ -99576,7 +99087,7 @@ index 13b5685..39383bb 100644 return 0; /* The backer wishes to know when pages are first written to? */ -@@ -1207,17 +1341,32 @@ unsigned long mmap_region(struct file *file, unsigned long addr, +@@ -1205,17 +1339,32 @@ unsigned long mmap_region(struct file *file, unsigned long addr, unsigned long charged = 0; struct inode *inode = file ? file->f_path.dentry->d_inode : NULL; @@ -99611,7 +99122,7 @@ index 13b5685..39383bb 100644 if (!may_expand_vm(mm, len >> PAGE_SHIFT)) return -ENOMEM; -@@ -1263,6 +1412,16 @@ munmap_back: +@@ -1261,6 +1410,16 @@ munmap_back: goto unacct_error; } @@ -99628,7 +99139,7 @@ index 13b5685..39383bb 100644 vma->vm_mm = mm; vma->vm_start = addr; vma->vm_end = addr + len; -@@ -1271,8 +1430,9 @@ munmap_back: +@@ -1269,8 +1428,9 @@ munmap_back: vma->vm_pgoff = pgoff; INIT_LIST_HEAD(&vma->anon_vma_chain); @@ -99639,7 +99150,7 @@ index 13b5685..39383bb 100644 if (vm_flags & (VM_GROWSDOWN|VM_GROWSUP)) goto free_vma; if (vm_flags & VM_DENYWRITE) { -@@ -1286,6 +1446,19 @@ munmap_back: +@@ -1284,6 +1444,19 @@ munmap_back: error = file->f_op->mmap(file, vma); if (error) goto unmap_and_free_vma; @@ -99659,7 +99170,7 @@ index 13b5685..39383bb 100644 if (vm_flags & VM_EXECUTABLE) added_exe_file_vma(mm); -@@ -1298,6 +1471,8 @@ munmap_back: +@@ -1296,6 +1469,8 @@ munmap_back: pgoff = vma->vm_pgoff; vm_flags = vma->vm_flags; } else if (vm_flags & VM_SHARED) { @@ -99668,7 +99179,7 @@ index 13b5685..39383bb 100644 error = shmem_zero_setup(vma); if (error) goto free_vma; -@@ -1321,14 +1496,19 @@ munmap_back: +@@ -1319,14 +1494,19 @@ munmap_back: vma_link(mm, vma, prev, rb_link, rb_parent); file = vma->vm_file; @@ -99689,7 +99200,7 @@ index 13b5685..39383bb 100644 if (vm_flags & VM_LOCKED) { if (!mlock_vma_pages_range(vma, addr, addr + len)) mm->locked_vm += (len >> PAGE_SHIFT); -@@ -1346,6 +1526,12 @@ unmap_and_free_vma: +@@ -1344,6 +1524,12 @@ unmap_and_free_vma: unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); charged = 0; free_vma: @@ -99702,7 +99213,7 @@ index 13b5685..39383bb 100644 kmem_cache_free(vm_area_cachep, vma); unacct_error: if (charged) -@@ -1353,6 +1539,73 @@ unacct_error: +@@ -1351,6 +1537,73 @@ unacct_error: return error; } @@ -99776,7 +99287,7 @@ index 13b5685..39383bb 100644 /* Get an address range which is currently unmapped. * For shmat() with addr=0. * -@@ -1372,6 +1625,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1370,6 +1623,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, struct mm_struct *mm = current->mm; struct vm_area_struct *vma; unsigned long start_addr; @@ -99784,7 +99295,7 @@ index 13b5685..39383bb 100644 if (len > TASK_SIZE - mmap_min_addr) return -ENOMEM; -@@ -1379,18 +1633,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1377,18 +1631,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, if (flags & MAP_FIXED) return addr; @@ -99815,7 +99326,7 @@ index 13b5685..39383bb 100644 } full_search: -@@ -1401,34 +1660,40 @@ full_search: +@@ -1399,34 +1658,40 @@ full_search: * Start a new search - just in case we missed * some holes. */ @@ -99867,7 +99378,7 @@ index 13b5685..39383bb 100644 mm->free_area_cache = addr; mm->cached_hole_size = ~0UL; } -@@ -1446,7 +1711,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1444,7 +1709,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, { struct vm_area_struct *vma; struct mm_struct *mm = current->mm; @@ -99877,7 +99388,7 @@ index 13b5685..39383bb 100644 unsigned long low_limit = max(PAGE_SIZE, mmap_min_addr); /* requested length too big for entire address space */ -@@ -1456,13 +1722,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1454,13 +1720,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (flags & MAP_FIXED) return addr; @@ -99900,7 +99411,7 @@ index 13b5685..39383bb 100644 } /* check if free_area_cache is useful for us */ -@@ -1476,10 +1747,11 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1474,10 +1745,11 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* make sure it can fit in the remaining address space */ if (addr >= low_limit + len) { @@ -99915,7 +99426,7 @@ index 13b5685..39383bb 100644 } if (mm->mmap_base < low_limit + len) -@@ -1494,7 +1766,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1492,7 +1764,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, * return with success: */ vma = find_vma(mm, addr); @@ -99924,7 +99435,7 @@ index 13b5685..39383bb 100644 /* remember the address as a hint for next time */ return (mm->free_area_cache = addr); -@@ -1503,8 +1775,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1501,8 +1773,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ @@ -99935,7 +99446,7 @@ index 13b5685..39383bb 100644 bottomup: /* -@@ -1513,13 +1785,21 @@ bottomup: +@@ -1511,13 +1783,21 @@ bottomup: * can happen with large stack limits and large mmap() * allocations. */ @@ -99959,7 +99470,7 @@ index 13b5685..39383bb 100644 mm->cached_hole_size = ~0UL; return addr; -@@ -1528,6 +1808,12 @@ bottomup: +@@ -1526,6 +1806,12 @@ bottomup: void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) { @@ -99972,7 +99483,7 @@ index 13b5685..39383bb 100644 /* * Is this a new hole at the highest possible address? */ -@@ -1535,8 +1821,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) +@@ -1533,8 +1819,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) mm->free_area_cache = addr; /* dont allow allocations above current base */ @@ -99984,7 +99495,7 @@ index 13b5685..39383bb 100644 } unsigned long -@@ -1609,40 +1897,50 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr) +@@ -1607,40 +1895,50 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr) EXPORT_SYMBOL(find_vma); @@ -100060,7 +99571,7 @@ index 13b5685..39383bb 100644 /* * Verify that the stack growth is acceptable and -@@ -1653,17 +1951,15 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1651,17 +1949,15 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns { struct mm_struct *mm = vma->vm_mm; struct rlimit *rlim = current->signal->rlim; @@ -100081,7 +99592,7 @@ index 13b5685..39383bb 100644 return -ENOMEM; /* mlock limit tests */ -@@ -1673,6 +1969,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1671,6 +1967,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns locked = mm->locked_vm + grow; limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur); limit >>= PAGE_SHIFT; @@ -100089,7 +99600,7 @@ index 13b5685..39383bb 100644 if (locked > limit && !capable(CAP_IPC_LOCK)) return -ENOMEM; } -@@ -1691,7 +1988,6 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1689,7 +1986,6 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns return -ENOMEM; /* Ok, everything looks good - let it rip */ @@ -100097,7 +99608,7 @@ index 13b5685..39383bb 100644 if (vma->vm_flags & VM_LOCKED) mm->locked_vm += grow; vm_stat_account(mm, vma->vm_flags, vma->vm_file, grow); -@@ -1703,37 +1999,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1701,37 +1997,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns * PA-RISC uses this for its stack; IA64 for its Register Backing Store. * vma is the last one with address > vma->vm_end. Have to extend vma. */ @@ -100155,7 +99666,7 @@ index 13b5685..39383bb 100644 unsigned long size, grow; size = address - vma->vm_start; -@@ -1748,6 +2055,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) +@@ -1746,6 +2053,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) } } } @@ -100164,7 +99675,7 @@ index 13b5685..39383bb 100644 vma_unlock_anon_vma(vma); khugepaged_enter_vma_merge(vma, vma->vm_flags); return error; -@@ -1761,6 +2070,8 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -1759,6 +2068,8 @@ int expand_downwards(struct vm_area_struct *vma, unsigned long address) { int error; @@ -100173,7 +99684,7 @@ index 13b5685..39383bb 100644 /* * We must make sure the anon_vma is allocated -@@ -1774,6 +2085,15 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -1772,6 +2083,15 @@ int expand_downwards(struct vm_area_struct *vma, if (error) return error; @@ -100189,7 +99700,7 @@ index 13b5685..39383bb 100644 vma_lock_anon_vma(vma); /* -@@ -1783,9 +2103,17 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -1781,9 +2101,17 @@ int expand_downwards(struct vm_area_struct *vma, */ /* Somebody else might have raced and expanded it already */ @@ -100208,7 +99719,7 @@ index 13b5685..39383bb 100644 size = vma->vm_end - address; grow = (vma->vm_start - address) >> PAGE_SHIFT; -@@ -1795,18 +2123,48 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -1793,18 +2121,48 @@ int expand_downwards(struct vm_area_struct *vma, if (!error) { vma->vm_start = address; vma->vm_pgoff -= grow; @@ -100257,7 +99768,7 @@ index 13b5685..39383bb 100644 return expand_upwards(vma, address); } -@@ -1829,6 +2187,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr) +@@ -1827,6 +2185,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr) #else int expand_stack(struct vm_area_struct *vma, unsigned long address) { @@ -100272,7 +99783,7 @@ index 13b5685..39383bb 100644 return expand_downwards(vma, address); } -@@ -1869,7 +2235,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -1867,7 +2233,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) do { long nrpages = vma_pages(vma); @@ -100287,7 +99798,7 @@ index 13b5685..39383bb 100644 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); vma = remove_vma(vma); } while (vma); -@@ -1914,6 +2286,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -1912,6 +2284,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, insertion_point = (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev = NULL; do { @@ -100304,7 +99815,7 @@ index 13b5685..39383bb 100644 rb_erase(&vma->vm_rb, &mm->mm_rb); mm->map_count--; tail_vma = vma; -@@ -1942,14 +2324,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1940,14 +2322,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, struct vm_area_struct *new; int err = -ENOMEM; @@ -100338,7 +99849,7 @@ index 13b5685..39383bb 100644 /* most fields are the same, copy all, and then fixup */ *new = *vma; -@@ -1962,6 +2363,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1960,6 +2361,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); } @@ -100361,7 +99872,7 @@ index 13b5685..39383bb 100644 pol = mpol_dup(vma_policy(vma)); if (IS_ERR(pol)) { err = PTR_ERR(pol); -@@ -1987,6 +2404,42 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1985,6 +2402,42 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, else err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); @@ -100404,7 +99915,7 @@ index 13b5685..39383bb 100644 /* Success. */ if (!err) return 0; -@@ -1999,10 +2452,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1997,10 +2450,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, removed_exe_file_vma(mm); fput(new->vm_file); } @@ -100424,7 +99935,7 @@ index 13b5685..39383bb 100644 kmem_cache_free(vm_area_cachep, new); out_err: return err; -@@ -2015,6 +2476,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2013,6 +2474,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, int new_below) { @@ -100440,7 +99951,7 @@ index 13b5685..39383bb 100644 if (mm->map_count >= sysctl_max_map_count) return -ENOMEM; -@@ -2026,11 +2496,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2024,11 +2494,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, * work. This now handles partial unmappings. * Jeremy Fitzhardinge <jeremy@goop.org> */ @@ -100471,7 +99982,7 @@ index 13b5685..39383bb 100644 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) return -EINVAL; -@@ -2105,6 +2594,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) +@@ -2103,6 +2592,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) /* Fix up all other VM information */ remove_vma_list(mm, vma); @@ -100480,7 +99991,7 @@ index 13b5685..39383bb 100644 return 0; } -@@ -2117,22 +2608,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) +@@ -2115,22 +2606,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) profile_munmap(addr); @@ -100509,7 +100020,7 @@ index 13b5685..39383bb 100644 /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -2146,6 +2633,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2144,6 +2631,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) struct rb_node ** rb_link, * rb_parent; pgoff_t pgoff = addr >> PAGE_SHIFT; int error; @@ -100517,7 +100028,7 @@ index 13b5685..39383bb 100644 len = PAGE_ALIGN(len); if (!len) -@@ -2157,16 +2645,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2155,16 +2643,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len) flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; @@ -100549,7 +100060,7 @@ index 13b5685..39383bb 100644 locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; -@@ -2183,22 +2685,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2181,22 +2683,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len) /* * Clear old maps. this also does some error checking for us */ @@ -100576,7 +100087,7 @@ index 13b5685..39383bb 100644 return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ -@@ -2212,7 +2714,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2210,7 +2712,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) */ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -100585,7 +100096,7 @@ index 13b5685..39383bb 100644 return -ENOMEM; } -@@ -2226,11 +2728,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2224,11 +2726,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len) vma_link(mm, vma, prev, rb_link, rb_parent); out: perf_event_mmap(vma); @@ -100600,7 +100111,7 @@ index 13b5685..39383bb 100644 return addr; } -@@ -2277,8 +2780,10 @@ void exit_mmap(struct mm_struct *mm) +@@ -2275,8 +2778,10 @@ void exit_mmap(struct mm_struct *mm) * Walk the list again, actually closing and freeing it, * with preemption enabled, without holding any MM locks. */ @@ -100612,7 +100123,7 @@ index 13b5685..39383bb 100644 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT); } -@@ -2292,6 +2797,13 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) +@@ -2290,6 +2795,13 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) struct vm_area_struct * __vma, * prev; struct rb_node ** rb_link, * rb_parent; @@ -100626,7 +100137,7 @@ index 13b5685..39383bb 100644 /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2314,7 +2826,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) +@@ -2312,7 +2824,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) if ((vma->vm_flags & VM_ACCOUNT) && security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; @@ -100649,7 +100160,7 @@ index 13b5685..39383bb 100644 return 0; } -@@ -2332,6 +2859,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2330,6 +2857,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, struct rb_node **rb_link, *rb_parent; struct mempolicy *pol; @@ -100658,7 +100169,7 @@ index 13b5685..39383bb 100644 /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2382,6 +2911,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2380,6 +2909,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return NULL; } @@ -100698,7 +100209,7 @@ index 13b5685..39383bb 100644 /* * Return true if the calling process may expand its vm space by the passed * number of pages -@@ -2393,6 +2955,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) +@@ -2391,6 +2953,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT; @@ -100706,7 +100217,7 @@ index 13b5685..39383bb 100644 if (cur + npages > lim) return 0; return 1; -@@ -2463,6 +3026,22 @@ int install_special_mapping(struct mm_struct *mm, +@@ -2461,6 +3024,22 @@ int install_special_mapping(struct mm_struct *mm, vma->vm_start = addr; vma->vm_end = addr + len; @@ -101133,7 +100644,7 @@ index 07c08c4..8d4ad26 100644 return count; } diff --git a/mm/nommu.c b/mm/nommu.c -index 1db7971..5dba7b6 100644 +index d0cb11f..e0a7fea 100644 --- a/mm/nommu.c +++ b/mm/nommu.c @@ -62,7 +62,6 @@ int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */ @@ -101200,7 +100711,7 @@ index 1db7971..5dba7b6 100644 struct mm_struct *mm; diff --git a/mm/page-writeback.c b/mm/page-writeback.c -index aad22aa..ad60f09 100644 +index 1bf1f74..5e27559 100644 --- a/mm/page-writeback.c +++ b/mm/page-writeback.c @@ -522,7 +522,7 @@ unsigned long bdi_dirty_limit(struct backing_dev_info *bdi, unsigned long dirty) @@ -101212,7 +100723,7 @@ index aad22aa..ad60f09 100644 unsigned long thresh, unsigned long bg_thresh, unsigned long dirty, -@@ -1370,7 +1370,7 @@ ratelimit_handler(struct notifier_block *self, unsigned long u, void *v) +@@ -1373,7 +1373,7 @@ ratelimit_handler(struct notifier_block *self, unsigned long u, void *v) return NOTIFY_DONE; } @@ -101418,7 +100929,7 @@ index cbcbb02..dfdc1de 100644 pgoff_t offset, unsigned long max) { diff --git a/mm/rmap.c b/mm/rmap.c -index 2c4ee3e..8eebe1d 100644 +index 98f0bf7f..b7d8cdc 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -156,6 +156,10 @@ int anon_vma_prepare(struct vm_area_struct *vma) @@ -101501,7 +101012,7 @@ index 2c4ee3e..8eebe1d 100644 { struct anon_vma_chain *avc, *pavc; struct anon_vma *root = NULL; -@@ -304,7 +341,7 @@ int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src) +@@ -311,7 +348,7 @@ int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src) * the corresponding VMA in the parent process is attached to. * Returns 0 on success, non-zero on failure. */ @@ -101510,7 +101021,7 @@ index 2c4ee3e..8eebe1d 100644 { struct anon_vma_chain *avc; struct anon_vma *anon_vma; -@@ -422,8 +459,10 @@ static void anon_vma_ctor(void *data) +@@ -429,8 +466,10 @@ static void anon_vma_ctor(void *data) void __init anon_vma_init(void) { anon_vma_cachep = kmem_cache_create("anon_vma", sizeof(struct anon_vma), @@ -103882,7 +103393,7 @@ index 45f93f8..550f429 100644 break; } diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c -index 7fac75f..5d8351b 100644 +index 7eed9eb..fd7291e 100644 --- a/net/caif/caif_socket.c +++ b/net/caif/caif_socket.c @@ -48,19 +48,20 @@ static struct dentry *debugfsdir; @@ -104141,10 +103652,10 @@ index b525aec..9659b25 100644 .priv_size = sizeof(struct chnl_net), .setup = ipcaif_net_setup, diff --git a/net/can/af_can.c b/net/can/af_can.c -index 0ce2ad0..cb92a90 100644 +index 7d9dff222..a1e901b 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c -@@ -818,7 +818,7 @@ static const struct net_proto_family can_family_ops = { +@@ -821,7 +821,7 @@ static const struct net_proto_family can_family_ops = { }; /* notifier block for netdevice event */ @@ -104211,11 +103722,11 @@ index ba873c3..3b00036 100644 if (!can_dir) { printk(KERN_INFO "can: failed to create /proc/net/can . " diff --git a/net/compat.c b/net/compat.c -index 759e542..7cf6606 100644 +index f06994d..b7fd27f 100644 --- a/net/compat.c +++ b/net/compat.c -@@ -73,9 +73,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) - return -EFAULT; +@@ -80,9 +80,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) + if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) kmsg->msg_namelen = sizeof(struct sockaddr_storage); - kmsg->msg_name = compat_ptr(tmp1); @@ -104227,7 +103738,7 @@ index 759e542..7cf6606 100644 return 0; } -@@ -87,7 +87,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, +@@ -94,7 +94,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, if (kern_msg->msg_name && kern_msg->msg_namelen) { if (mode == VERIFY_READ) { @@ -104236,7 +103747,7 @@ index 759e542..7cf6606 100644 kern_msg->msg_namelen, kern_address); if (err < 0) -@@ -100,7 +100,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, +@@ -107,7 +107,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, } tot_len = iov_from_user_compat_to_kern(kern_iov, @@ -104245,7 +103756,7 @@ index 759e542..7cf6606 100644 kern_msg->msg_iovlen); if (tot_len >= 0) kern_msg->msg_iov = kern_iov; -@@ -120,20 +120,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, +@@ -127,20 +127,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, #define CMSG_COMPAT_FIRSTHDR(msg) \ (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \ @@ -104269,7 +103780,7 @@ index 759e542..7cf6606 100644 msg->msg_controllen) return NULL; return (struct compat_cmsghdr __user *)ptr; -@@ -225,7 +225,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat +@@ -232,7 +232,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat { struct compat_timeval ctv; struct compat_timespec cts[3]; @@ -104278,7 +103789,7 @@ index 759e542..7cf6606 100644 struct compat_cmsghdr cmhdr; int cmlen; -@@ -277,7 +277,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat +@@ -284,7 +284,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm) { @@ -104287,7 +103798,7 @@ index 759e542..7cf6606 100644 int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int); int fdnum = scm->fp->count; struct file **fp = scm->fp->fp; -@@ -330,14 +330,6 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm) +@@ -337,14 +337,6 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm) __scm_destroy(scm); } @@ -104302,7 +103813,7 @@ index 759e542..7cf6606 100644 static int do_set_attach_filter(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen) { -@@ -374,7 +366,7 @@ static int do_set_sock_timeout(struct socket *sock, int level, +@@ -381,7 +373,7 @@ static int do_set_sock_timeout(struct socket *sock, int level, return -EFAULT; old_fs = get_fs(); set_fs(KERNEL_DS); @@ -104311,7 +103822,7 @@ index 759e542..7cf6606 100644 set_fs(old_fs); return err; -@@ -435,7 +427,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname, +@@ -442,7 +434,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname, len = sizeof(ktime); old_fs = get_fs(); set_fs(KERNEL_DS); @@ -104320,7 +103831,7 @@ index 759e542..7cf6606 100644 set_fs(old_fs); if (!err) { -@@ -570,7 +562,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, +@@ -577,7 +569,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, case MCAST_JOIN_GROUP: case MCAST_LEAVE_GROUP: { @@ -104329,7 +103840,7 @@ index 759e542..7cf6606 100644 struct group_req __user *kgr = compat_alloc_user_space(sizeof(struct group_req)); u32 interface; -@@ -591,7 +583,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, +@@ -598,7 +590,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, case MCAST_BLOCK_SOURCE: case MCAST_UNBLOCK_SOURCE: { @@ -104338,7 +103849,7 @@ index 759e542..7cf6606 100644 struct group_source_req __user *kgsr = compat_alloc_user_space( sizeof(struct group_source_req)); u32 interface; -@@ -612,7 +604,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, +@@ -619,7 +611,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, } case MCAST_MSFILTER: { @@ -104347,7 +103858,7 @@ index 759e542..7cf6606 100644 struct group_filter __user *kgf; u32 interface, fmode, numsrc; -@@ -650,7 +642,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname, +@@ -657,7 +649,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname, char __user *optval, int __user *optlen, int (*getsockopt)(struct sock *, int, int, char __user *, int __user *)) { @@ -104356,7 +103867,7 @@ index 759e542..7cf6606 100644 struct group_filter __user *kgf; int __user *koptlen; u32 interface, fmode, numsrc; -@@ -803,7 +795,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) +@@ -801,7 +793,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) if (call < SYS_SOCKET || call > SYS_SENDMMSG) return -EINVAL; @@ -104379,7 +103890,7 @@ index 68bbf9f..5ef0d12 100644 return err; diff --git a/net/core/dev.c b/net/core/dev.c -index fcb5133..5d5223c 100644 +index 1c0d862..6117f53 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -1142,10 +1142,14 @@ void dev_load(struct net *net, const char *name) @@ -104525,7 +104036,7 @@ index fcb5133..5d5223c 100644 return storage; } EXPORT_SYMBOL(dev_get_stats); -@@ -6518,7 +6533,7 @@ static void __net_exit netdev_exit(struct net *net) +@@ -6528,7 +6543,7 @@ static void __net_exit netdev_exit(struct net *net) kfree(net->dev_index_head); } @@ -104534,7 +104045,7 @@ index fcb5133..5d5223c 100644 .init = netdev_init, .exit = netdev_exit, }; -@@ -6580,7 +6595,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list) +@@ -6590,7 +6605,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list) rtnl_unlock(); } @@ -104852,7 +104363,7 @@ index 80aeac9..b08d0a8 100644 return -ENODEV; diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c -index 0900a17..f3fb6aa 100644 +index 5b412f0..e251eea 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -57,7 +57,7 @@ struct rtnl_link { @@ -105112,19 +104623,10 @@ index e093528..3966d08 100644 .exit = proto_exit_net, }; diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c -index f0bdd36..5345e58 100644 +index f9496c4..5345e58 100644 --- a/net/core/sysctl_net_core.c +++ b/net/core/sysctl_net_core.c -@@ -21,6 +21,8 @@ - - static int zero = 0; - static int ushort_max = USHRT_MAX; -+static int min_sndbuf = SOCK_MIN_SNDBUF; -+static int min_rcvbuf = SOCK_MIN_RCVBUF; - - #ifdef CONFIG_RPS - static int rps_sock_flow_sysctl(ctl_table *table, int write, -@@ -28,7 +30,7 @@ static int rps_sock_flow_sysctl(ctl_table *table, int write, +@@ -30,7 +30,7 @@ static int rps_sock_flow_sysctl(ctl_table *table, int write, { unsigned int orig_size, size; int ret, i; @@ -105133,44 +104635,7 @@ index f0bdd36..5345e58 100644 .data = &size, .maxlen = sizeof(size), .mode = table->mode -@@ -89,28 +91,32 @@ static struct ctl_table net_core_table[] = { - .data = &sysctl_wmem_max, - .maxlen = sizeof(int), - .mode = 0644, -- .proc_handler = proc_dointvec -+ .proc_handler = proc_dointvec_minmax, -+ .extra1 = &min_sndbuf, - }, - { - .procname = "rmem_max", - .data = &sysctl_rmem_max, - .maxlen = sizeof(int), - .mode = 0644, -- .proc_handler = proc_dointvec -+ .proc_handler = proc_dointvec_minmax, -+ .extra1 = &min_rcvbuf, - }, - { - .procname = "wmem_default", - .data = &sysctl_wmem_default, - .maxlen = sizeof(int), - .mode = 0644, -- .proc_handler = proc_dointvec -+ .proc_handler = proc_dointvec_minmax, -+ .extra1 = &min_sndbuf, - }, - { - .procname = "rmem_default", - .data = &sysctl_rmem_default, - .maxlen = sizeof(int), - .mode = 0644, -- .proc_handler = proc_dointvec -+ .proc_handler = proc_dointvec_minmax, -+ .extra1 = &min_rcvbuf, - }, - { - .procname = "dev_weight", -@@ -210,29 +216,27 @@ __net_initdata struct ctl_path net_core_path[] = { +@@ -216,29 +216,27 @@ __net_initdata struct ctl_path net_core_path[] = { static __net_init int sysctl_core_net_init(struct net *net) { @@ -105206,7 +104671,7 @@ index f0bdd36..5345e58 100644 err_dup: return -ENOMEM; } -@@ -247,7 +251,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net) +@@ -253,7 +251,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net) kfree(tbl); } @@ -105703,7 +105168,7 @@ index 9d74cc7..5a73694 100644 p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW; p->rate_tokens = 0; diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c -index 8f441b2..a56d38e 100644 +index 16e25a4..cbb0cd5 100644 --- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c @@ -315,7 +315,7 @@ static inline int ip_frag_too_far(struct ipq *qp) @@ -105715,7 +105180,7 @@ index 8f441b2..a56d38e 100644 qp->rid = end; rc = qp->q.fragments && (end - start) > max; -@@ -773,21 +773,21 @@ static struct ctl_table ip4_frags_ctl_table[] = { +@@ -776,21 +776,21 @@ static struct ctl_table ip4_frags_ctl_table[] = { static int __net_init ip4_frags_ns_ctl_register(struct net *net) { @@ -105742,7 +105207,7 @@ index 8f441b2..a56d38e 100644 if (hdr == NULL) goto err_reg; -@@ -795,8 +795,7 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net) +@@ -798,8 +798,7 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net) return 0; err_reg: @@ -105809,29 +105274,10 @@ index 073a9b0..8c29a4f 100644 ICMP_PROT_UNREACH, 0); } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c -index 542a9c1..9f73775 100644 +index 043d882..d938245 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c -@@ -416,15 +416,12 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) - - memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); - sin = &errhdr.offender; -- sin->sin_family = AF_UNSPEC; -+ memset(sin, 0, sizeof(*sin)); -+ - if (serr->ee.ee_origin == SO_EE_ORIGIN_ICMP) { -- struct inet_sock *inet = inet_sk(sk); -- - sin->sin_family = AF_INET; - sin->sin_addr.s_addr = ip_hdr(skb)->saddr; -- sin->sin_port = 0; -- memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); -- if (inet->cmsg_flags) -+ if (inet_sk(sk)->cmsg_flags) - ip_cmsg_recv(msg, skb); - } - -@@ -1121,7 +1118,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, +@@ -1117,7 +1117,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, len = min_t(unsigned int, len, opt->optlen); if (put_user(len, optlen)) return -EFAULT; @@ -105841,7 +105287,7 @@ index 542a9c1..9f73775 100644 return -EFAULT; return 0; } -@@ -1249,7 +1247,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, +@@ -1245,7 +1246,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, if (sk->sk_type != SOCK_STREAM) return -ENOPROTOOPT; @@ -106008,52 +105454,10 @@ index a639967..8f44480 100644 pr_err("Unable to proc dir entry\n"); ret = -ENOMEM; diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index d495d4b..31e741e 100644 +index 7aa6225..31e741e 100644 --- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c -@@ -139,6 +139,7 @@ static void ping_v4_unhash(struct sock *sk) - if (sk_hashed(sk)) { - write_lock_bh(&ping_table.lock); - hlist_nulls_del(&sk->sk_nulls_node); -+ sk_nulls_node_init(&sk->sk_nulls_node); - sock_put(sk); - isk->inet_num = isk->inet_sport = 0; - sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1); -@@ -257,6 +258,11 @@ static int ping_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) - if (addr_len < sizeof(struct sockaddr_in)) - return -EINVAL; - -+ if (addr->sin_family != AF_INET && -+ !(addr->sin_family == AF_UNSPEC && -+ addr->sin_addr.s_addr == htonl(INADDR_ANY))) -+ return -EAFNOSUPPORT; -+ - pr_debug("ping_v4_bind(sk=%p,sa_addr=%08x,sa_port=%d)\n", - sk, addr->sin_addr.s_addr, ntohs(addr->sin_port)); - -@@ -504,7 +510,7 @@ static int ping_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - if (msg->msg_namelen < sizeof(*usin)) - return -EINVAL; - if (usin->sin_family != AF_INET) -- return -EINVAL; -+ return -EAFNOSUPPORT; - daddr = usin->sin_addr.s_addr; - /* no remote port */ - } else { -@@ -716,8 +722,11 @@ void ping_rcv(struct sk_buff *skb) - sk = ping_v4_lookup(net, saddr, daddr, ntohs(icmph->un.echo.id), - skb->dev->ifindex); - if (sk != NULL) { -+ struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC); -+ - pr_debug("rcv on socket %p\n", sk); -- ping_queue_rcv_skb(sk, skb_get(skb)); -+ if (skb2) -+ ping_queue_rcv_skb(sk, skb2); - sock_put(sk); - return; - } -@@ -842,7 +851,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f, +@@ -851,7 +851,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f, sk_rmem_alloc_get(sp), 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp), atomic_read(&sp->sk_refcnt), sp, @@ -106415,7 +105819,7 @@ index 8a1bed2..d41ac11 100644 return mssind < ARRAY_SIZE(msstab) ? msstab[mssind] : 0; } diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c -index 739b073..7ac6591 100644 +index 253dd80..ceba12a 100644 --- a/net/ipv4/sysctl_net_ipv4.c +++ b/net/ipv4/sysctl_net_ipv4.c @@ -53,7 +53,7 @@ static int ipv4_local_port_range(ctl_table *table, int write, @@ -106472,7 +105876,7 @@ index 739b073..7ac6591 100644 .maxlen = 65536, .mode = 0644, .proc_handler = proc_do_large_bitmap, -@@ -744,11 +744,10 @@ EXPORT_SYMBOL_GPL(net_ipv4_ctl_path); +@@ -746,11 +746,10 @@ EXPORT_SYMBOL_GPL(net_ipv4_ctl_path); static __net_init int ipv4_sysctl_init_net(struct net *net) { @@ -106486,7 +105890,7 @@ index 739b073..7ac6591 100644 if (table == NULL) goto err_alloc; -@@ -780,16 +779,17 @@ static __net_init int ipv4_sysctl_init_net(struct net *net) +@@ -782,16 +781,17 @@ static __net_init int ipv4_sysctl_init_net(struct net *net) net->ipv4.sysctl_rt_cache_rebuild_count = 4; @@ -106508,7 +105912,7 @@ index 739b073..7ac6591 100644 err_alloc: return -ENOMEM; } -@@ -803,7 +803,7 @@ static __net_exit void ipv4_sysctl_exit_net(struct net *net) +@@ -805,7 +805,7 @@ static __net_exit void ipv4_sysctl_exit_net(struct net *net) kfree(table); } @@ -106517,7 +105921,7 @@ index 739b073..7ac6591 100644 .init = ipv4_sysctl_init_net, .exit = ipv4_sysctl_exit_net, }; -@@ -811,16 +811,6 @@ static __net_initdata struct pernet_operations ipv4_sysctl_ops = { +@@ -813,16 +813,6 @@ static __net_initdata struct pernet_operations ipv4_sysctl_ops = { static __init int sysctl_ipv4_init(void) { struct ctl_table_header *hdr; @@ -106753,7 +106157,7 @@ index 00e1530..47b4f16 100644 req->rsk_ops->send_reset(sk, skb); diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index 3a37f54..109c484 100644 +index e614810..c4f2ee7 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -1319,7 +1319,7 @@ static void tcp_cwnd_validate(struct sock *sk) @@ -106998,38 +106402,6 @@ index 3afdd78..2f630fb 100644 } static struct pernet_operations if6_proc_net_ops = { -diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c -index 3c7c948..33719b7 100644 ---- a/net/ipv6/datagram.c -+++ b/net/ipv6/datagram.c -@@ -371,12 +371,10 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) - - memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); - sin = &errhdr.offender; -- sin->sin6_family = AF_UNSPEC; -+ memset(sin, 0, sizeof(*sin)); -+ - if (serr->ee.ee_origin != SO_EE_ORIGIN_LOCAL) { - sin->sin6_family = AF_INET6; -- sin->sin6_flowinfo = 0; -- sin->sin6_port = 0; -- sin->sin6_scope_id = 0; - if (skb->protocol == htons(ETH_P_IPV6)) { - ipv6_addr_copy(&sin->sin6_addr, &ipv6_hdr(skb)->saddr); - if (np->rxopt.all) -@@ -384,11 +382,9 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) - if (ipv6_addr_type(&sin->sin6_addr) & IPV6_ADDR_LINKLOCAL) - sin->sin6_scope_id = IP6CB(skb)->iif; - } else { -- struct inet_sock *inet = inet_sk(sk); -- - ipv6_addr_set_v4mapped(ip_hdr(skb)->saddr, - &sin->sin6_addr); -- if (inet->cmsg_flags) -+ if (inet_sk(sk)->cmsg_flags) - ip_cmsg_recv(msg, skb); - } - } diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 65dd543..e6c6e6d 100644 --- a/net/ipv6/esp6.c @@ -107315,25 +106687,10 @@ index eba5deb..61e026f 100644 return -ENOMEM; } diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index 782f67a..2dc56bf 100644 +index d89d1a6..61d0fe9 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c -@@ -1018,12 +1018,9 @@ static void ip6_rt_update_pmtu(struct dst_entry *dst, u32 mtu) - - if (mtu < dst_mtu(dst) && rt6->rt6i_dst.plen == 128) { - rt6->rt6i_flags |= RTF_MODIFIED; -- if (mtu < IPV6_MIN_MTU) { -- u32 features = dst_metric(dst, RTAX_FEATURES); -+ if (mtu < IPV6_MIN_MTU) - mtu = IPV6_MIN_MTU; -- features |= RTAX_FEATURE_ALLFRAG; -- dst_metric_set(dst, RTAX_FEATURES, features); -- } -+ - dst_metric_set(dst, RTAX_MTU, mtu); - } - } -@@ -2809,7 +2806,7 @@ ctl_table ipv6_route_table_template[] = { +@@ -2806,7 +2806,7 @@ ctl_table ipv6_route_table_template[] = { struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net) { @@ -107693,7 +107050,7 @@ index f8ba30d..927a4aa 100644 if (!ipx_proc_dir) goto out; diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c -index 253695d..9481ce8 100644 +index cf368dd..d507600 100644 --- a/net/irda/ircomm/ircomm_tty.c +++ b/net/irda/ircomm/ircomm_tty.c @@ -282,16 +282,16 @@ static int ircomm_tty_block_til_ready(struct ircomm_tty_cb *self, @@ -107800,7 +107157,7 @@ index 253695d..9481ce8 100644 if (self->close_delay) schedule_timeout_interruptible(self->close_delay); wake_up_interruptible(&self->open_wait); -@@ -1013,7 +1013,7 @@ static void ircomm_tty_hangup(struct tty_struct *tty) +@@ -1015,7 +1015,7 @@ static void ircomm_tty_hangup(struct tty_struct *tty) spin_lock_irqsave(&self->spinlock, flags); self->flags &= ~ASYNC_NORMAL_ACTIVE; self->tty = NULL; @@ -107809,7 +107166,7 @@ index 253695d..9481ce8 100644 spin_unlock_irqrestore(&self->spinlock, flags); wake_up_interruptible(&self->open_wait); -@@ -1360,7 +1360,7 @@ static void ircomm_tty_line_info(struct ircomm_tty_cb *self, struct seq_file *m) +@@ -1362,7 +1362,7 @@ static void ircomm_tty_line_info(struct ircomm_tty_cb *self, struct seq_file *m) seq_putc(m, '\n'); seq_printf(m, "Role: %s\n", self->client ? "client" : "server"); @@ -108004,45 +107361,8 @@ index a1839c0..4e06b9b 100644 if (!llc_proc_dir) goto out; -diff --git a/net/llc/sysctl_net_llc.c b/net/llc/sysctl_net_llc.c -index e2ebe35..be078ec 100644 ---- a/net/llc/sysctl_net_llc.c -+++ b/net/llc/sysctl_net_llc.c -@@ -17,28 +17,28 @@ static struct ctl_table llc2_timeout_table[] = { - { - .procname = "ack", - .data = &sysctl_llc2_ack_timeout, -- .maxlen = sizeof(long), -+ .maxlen = sizeof(sysctl_llc2_ack_timeout), - .mode = 0644, - .proc_handler = proc_dointvec_jiffies, - }, - { - .procname = "busy", - .data = &sysctl_llc2_busy_timeout, -- .maxlen = sizeof(long), -+ .maxlen = sizeof(sysctl_llc2_busy_timeout), - .mode = 0644, - .proc_handler = proc_dointvec_jiffies, - }, - { - .procname = "p", - .data = &sysctl_llc2_p_timeout, -- .maxlen = sizeof(long), -+ .maxlen = sizeof(sysctl_llc2_p_timeout), - .mode = 0644, - .proc_handler = proc_dointvec_jiffies, - }, - { - .procname = "rej", - .data = &sysctl_llc2_rej_timeout, -- .maxlen = sizeof(long), -+ .maxlen = sizeof(sysctl_llc2_rej_timeout), - .mode = 0644, - .proc_handler = proc_dointvec_jiffies, - }, diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h -index a9cf593..b04a2d5 100644 +index 8da371c5..bd541cf 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -27,6 +27,7 @@ @@ -108053,7 +107373,7 @@ index a9cf593..b04a2d5 100644 #include "key.h" #include "sta_info.h" -@@ -767,7 +768,7 @@ struct ieee80211_local { +@@ -781,7 +782,7 @@ struct ieee80211_local { /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */ spinlock_t queue_stop_reason_lock; @@ -108307,7 +107627,7 @@ index 6422845..2c19968 100644 if (!todrop_rate[i]) return 0; diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c -index 6dc7d7d..e45913a 100644 +index d864aaf..d6afbda 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c @@ -562,7 +562,7 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb, @@ -108319,7 +107639,7 @@ index 6dc7d7d..e45913a 100644 ip_vs_conn_put(cp); return ret; } -@@ -1611,7 +1611,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af) +@@ -1621,7 +1621,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af) if (cp->flags & IP_VS_CONN_F_ONE_PACKET) pkts = sysctl_sync_threshold(ipvs); else @@ -108429,7 +107749,7 @@ index eec797f..6f3ec56 100644 .procname = "lblcr_expiration", .data = NULL, diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c -index 2b6678c0..aaa41fc 100644 +index 2cbcc83..2efc3e8 100644 --- a/net/netfilter/ipvs/ip_vs_sync.c +++ b/net/netfilter/ipvs/ip_vs_sync.c @@ -649,7 +649,7 @@ control: @@ -108441,7 +107761,7 @@ index 2b6678c0..aaa41fc 100644 if (pkts % sysctl_sync_period(ipvs) != 1) return; -@@ -795,7 +795,7 @@ static void ip_vs_proc_conn(struct net *net, struct ip_vs_conn_param *param, +@@ -797,7 +797,7 @@ static void ip_vs_proc_conn(struct net *net, struct ip_vs_conn_param *param, if (opt) memcpy(&cp->in_seq, opt, sizeof(*opt)); @@ -108658,19 +107978,6 @@ index 957374a..dcbce7a 100644 mutex_unlock(&nf_log_mutex); } -diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c -index b3a7db6..6d70533 100644 ---- a/net/netfilter/nf_queue.c -+++ b/net/netfilter/nf_queue.c -@@ -233,7 +233,7 @@ int nf_queue(struct sk_buff *skb, - * returned by nf_queue. For instance, callers rely on -ECANCELED to mean - * 'ignore this hook'. - */ -- if (IS_ERR(segs)) -+ if (IS_ERR_OR_NULL(segs)) - return -EINVAL; - - queued = 0; diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c index f042ae5..30ea486 100644 --- a/net/netfilter/nf_sockopt.c @@ -109367,94 +108674,6 @@ index 9556d28..f046d0e 100644 #else ic->i_ack_next = 0; #endif -diff --git a/net/rds/iw_rdma.c b/net/rds/iw_rdma.c -index 4e1de17..83725f3 100644 ---- a/net/rds/iw_rdma.c -+++ b/net/rds/iw_rdma.c -@@ -88,7 +88,9 @@ static unsigned int rds_iw_unmap_fastreg_list(struct rds_iw_mr_pool *pool, - int *unpinned); - static void rds_iw_destroy_fastreg(struct rds_iw_mr_pool *pool, struct rds_iw_mr *ibmr); - --static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwdev, struct rdma_cm_id **cm_id) -+static int rds_iw_get_device(struct sockaddr_in *src, struct sockaddr_in *dst, -+ struct rds_iw_device **rds_iwdev, -+ struct rdma_cm_id **cm_id) - { - struct rds_iw_device *iwdev; - struct rds_iw_cm_id *i_cm_id; -@@ -112,15 +114,15 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd - src_addr->sin_port, - dst_addr->sin_addr.s_addr, - dst_addr->sin_port, -- rs->rs_bound_addr, -- rs->rs_bound_port, -- rs->rs_conn_addr, -- rs->rs_conn_port); -+ src->sin_addr.s_addr, -+ src->sin_port, -+ dst->sin_addr.s_addr, -+ dst->sin_port); - #ifdef WORKING_TUPLE_DETECTION -- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr && -- src_addr->sin_port == rs->rs_bound_port && -- dst_addr->sin_addr.s_addr == rs->rs_conn_addr && -- dst_addr->sin_port == rs->rs_conn_port) { -+ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr && -+ src_addr->sin_port == src->sin_port && -+ dst_addr->sin_addr.s_addr == dst->sin_addr.s_addr && -+ dst_addr->sin_port == dst->sin_port) { - #else - /* FIXME - needs to compare the local and remote - * ipaddr/port tuple, but the ipaddr is the only -@@ -128,7 +130,7 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd - * zero'ed. It doesn't appear to be properly populated - * during connection setup... - */ -- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr) { -+ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr) { - #endif - spin_unlock_irq(&iwdev->spinlock); - *rds_iwdev = iwdev; -@@ -180,19 +182,13 @@ int rds_iw_update_cm_id(struct rds_iw_device *rds_iwdev, struct rdma_cm_id *cm_i - { - struct sockaddr_in *src_addr, *dst_addr; - struct rds_iw_device *rds_iwdev_old; -- struct rds_sock rs; - struct rdma_cm_id *pcm_id; - int rc; - - src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr; - dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr; - -- rs.rs_bound_addr = src_addr->sin_addr.s_addr; -- rs.rs_bound_port = src_addr->sin_port; -- rs.rs_conn_addr = dst_addr->sin_addr.s_addr; -- rs.rs_conn_port = dst_addr->sin_port; -- -- rc = rds_iw_get_device(&rs, &rds_iwdev_old, &pcm_id); -+ rc = rds_iw_get_device(src_addr, dst_addr, &rds_iwdev_old, &pcm_id); - if (rc) - rds_iw_remove_cm_id(rds_iwdev, cm_id); - -@@ -611,9 +607,17 @@ void *rds_iw_get_mr(struct scatterlist *sg, unsigned long nents, - struct rds_iw_device *rds_iwdev; - struct rds_iw_mr *ibmr = NULL; - struct rdma_cm_id *cm_id; -+ struct sockaddr_in src = { -+ .sin_addr.s_addr = rs->rs_bound_addr, -+ .sin_port = rs->rs_bound_port, -+ }; -+ struct sockaddr_in dst = { -+ .sin_addr.s_addr = rs->rs_conn_addr, -+ .sin_port = rs->rs_conn_port, -+ }; - int ret; - -- ret = rds_iw_get_device(rs, &rds_iwdev, &cm_id); -+ ret = rds_iw_get_device(&src, &dst, &rds_iwdev, &cm_id); - if (ret || !cm_id) { - ret = -ENODEV; - goto out; diff --git a/net/rds/iw_recv.c b/net/rds/iw_recv.c index 5e57347..3916042 100644 --- a/net/rds/iw_recv.c @@ -109646,27 +108865,6 @@ index 88eace5..f33ba5d 100644 continue; } list_del_init(&rm->m_conn_item); -diff --git a/net/rds/sysctl.c b/net/rds/sysctl.c -index 25ad0c7..065026f 100644 ---- a/net/rds/sysctl.c -+++ b/net/rds/sysctl.c -@@ -71,14 +71,14 @@ static ctl_table rds_sysctl_rds_table[] = { - { - .procname = "max_unacked_packets", - .data = &rds_sysctl_max_unacked_packets, -- .maxlen = sizeof(unsigned long), -+ .maxlen = sizeof(int), - .mode = 0644, - .proc_handler = proc_dointvec, - }, - { - .procname = "max_unacked_bytes", - .data = &rds_sysctl_max_unacked_bytes, -- .maxlen = sizeof(unsigned long), -+ .maxlen = sizeof(int), - .mode = 0644, - .proc_handler = proc_dointvec, - }, diff --git a/net/rds/tcp.c b/net/rds/tcp.c index edac9ef..16bcb98 100644 --- a/net/rds/tcp.c @@ -110234,7 +109432,7 @@ index 8da4481..d02565e 100644 + (rtt >> sctp_rto_alpha); } else { diff --git a/net/socket.c b/net/socket.c -index 3faa358..a13ae17 100644 +index 116cf9d..a13ae17 100644 --- a/net/socket.c +++ b/net/socket.c @@ -88,6 +88,7 @@ @@ -110418,17 +109616,7 @@ index 3faa358..a13ae17 100644 int err, err2; int fput_needed; -@@ -1885,6 +1951,9 @@ static int copy_msghdr_from_user(struct msghdr *kmsg, - if (copy_from_user(kmsg, umsg, sizeof(struct msghdr))) - return -EFAULT; - -+ if (kmsg->msg_name == NULL) -+ kmsg->msg_namelen = 0; -+ - if (kmsg->msg_namelen < 0) - return -EINVAL; - -@@ -1970,7 +2039,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg, +@@ -1973,7 +2039,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg, * checking falls down on this. */ if (copy_from_user(ctl_buf, @@ -110437,7 +109625,7 @@ index 3faa358..a13ae17 100644 ctl_len)) goto out_freectl; msg_sys->msg_control = ctl_buf; -@@ -2121,7 +2190,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, +@@ -2124,7 +2190,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, int err, iov_size, total_len, len; /* kernel mode address */ @@ -110446,7 +109634,7 @@ index 3faa358..a13ae17 100644 /* user mode address pointers */ struct sockaddr __user *uaddr; -@@ -2152,7 +2221,8 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, +@@ -2155,7 +2221,8 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, /* Save the user-mode address (verify_iovec will change the * kernel msghdr to use the kernel address space) */ @@ -110456,7 +109644,7 @@ index 3faa358..a13ae17 100644 uaddr_len = COMPAT_NAMELEN(msg); if (MSG_CMSG_COMPAT & flags) err = verify_compat_iovec(msg_sys, iov, -@@ -2796,9 +2866,9 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) +@@ -2799,9 +2866,9 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) } ifr = compat_alloc_user_space(buf_size); @@ -110468,7 +109656,7 @@ index 3faa358..a13ae17 100644 return -EFAULT; if (put_user(convert_in ? rxnfc : compat_ptr(data), -@@ -2820,12 +2890,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) +@@ -2823,12 +2890,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) offsetof(struct ethtool_rxnfc, fs.ring_cookie)); if (copy_in_user(rxnfc, compat_rxnfc, @@ -110485,7 +109673,7 @@ index 3faa358..a13ae17 100644 copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt, sizeof(rxnfc->rule_cnt))) return -EFAULT; -@@ -2837,12 +2907,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) +@@ -2840,12 +2907,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) if (convert_out) { if (copy_in_user(compat_rxnfc, rxnfc, @@ -110502,7 +109690,7 @@ index 3faa358..a13ae17 100644 copy_in_user(&compat_rxnfc->rule_cnt, &rxnfc->rule_cnt, sizeof(rxnfc->rule_cnt))) return -EFAULT; -@@ -2912,14 +2982,14 @@ static int bond_ioctl(struct net *net, unsigned int cmd, +@@ -2915,14 +2982,14 @@ static int bond_ioctl(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); err = dev_ioctl(net, cmd, @@ -110519,7 +109707,7 @@ index 3faa358..a13ae17 100644 return -EFAULT; if (get_user(data, &ifr32->ifr_ifru.ifru_data)) -@@ -3021,7 +3091,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, +@@ -3024,7 +3091,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); @@ -110528,7 +109716,7 @@ index 3faa358..a13ae17 100644 set_fs(old_fs); if (cmd == SIOCGIFMAP && !err) { -@@ -3126,7 +3196,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, +@@ -3129,7 +3196,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, ret |= __get_user(rtdev, &(ur4->rt_dev)); if (rtdev) { ret |= copy_from_user(devname, compat_ptr(rtdev), 15); @@ -110537,7 +109725,7 @@ index 3faa358..a13ae17 100644 devname[15] = 0; } else r4.rt_dev = NULL; -@@ -3366,8 +3436,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, +@@ -3369,8 +3436,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, int __user *uoptlen; int err; @@ -110548,7 +109736,7 @@ index 3faa358..a13ae17 100644 set_fs(KERNEL_DS); if (level == SOL_SOCKET) -@@ -3387,7 +3457,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, +@@ -3390,7 +3457,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, char __user *uoptval; int err; @@ -110558,18 +109746,9 @@ index 3faa358..a13ae17 100644 set_fs(KERNEL_DS); if (level == SOL_SOCKET) diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c -index 237a2ee..9e69f3e 100644 +index 7de935a..9e69f3e 100644 --- a/net/sunrpc/cache.c +++ b/net/sunrpc/cache.c -@@ -909,7 +909,7 @@ static unsigned int cache_poll(struct file *filp, poll_table *wait, - poll_wait(filp, &queue_wait, wait); - - /* alway allow write */ -- mask = POLL_OUT | POLLWRNORM; -+ mask = POLLOUT | POLLWRNORM; - - if (!rp) - return mask; @@ -1587,7 +1587,7 @@ static int create_cache_proc_entries(struct cache_detail *cd, struct net *net) struct sunrpc_net *sn; @@ -111602,19 +110781,6 @@ index 2ffde46..76f0432 100644 if (!x25_proc_dir) goto out; -diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c -index 47bacd8..e49d5f4 100644 ---- a/net/xfrm/xfrm_output.c -+++ b/net/xfrm/xfrm_output.c -@@ -151,6 +151,8 @@ static int xfrm_output_gso(struct sk_buff *skb) - kfree_skb(skb); - if (IS_ERR(segs)) - return PTR_ERR(segs); -+ if (segs == NULL) -+ return -EINVAL; - - do { - struct sk_buff *nskb = segs->next; diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 113d20e..2bb5a4e 100644 --- a/net/xfrm/xfrm_policy.c @@ -115105,24 +114271,11 @@ index b43813c..74be837 100644 } #else static inline int selinux_xfrm_enabled(void) -diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c -index 4dd8dcf..bac8928 100644 ---- a/security/selinux/selinuxfs.c -+++ b/security/selinux/selinuxfs.c -@@ -150,7 +150,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf, - goto out; - - /* No partial writes. */ -- length = EINVAL; -+ length = -EINVAL; - if (*ppos != 0) - goto out; - diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index e3adb49..9798c61 100644 +index 774c159..801c50d 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c -@@ -3481,7 +3481,7 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) +@@ -3483,7 +3483,7 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) return 0; } @@ -115422,10 +114575,10 @@ index 4dbb66e..eda2998 100644 if (err < 0) return err; diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c -index 638600b..2e6b1fd 100644 +index 8a00555..48f07fe 100644 --- a/sound/core/pcm_native.c +++ b/sound/core/pcm_native.c -@@ -2788,11 +2788,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_substream *substream, +@@ -2790,11 +2790,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_substream *substream, switch (substream->stream) { case SNDRV_PCM_STREAM_PLAYBACK: result = snd_pcm_playback_ioctl1(NULL, substream, cmd, @@ -124162,10 +123315,10 @@ index 0000000..4378111 +} diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data new file mode 100644 -index 0000000..6e35346 +index 0000000..cd3c18f --- /dev/null +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data -@@ -0,0 +1,5133 @@ +@@ -0,0 +1,5138 @@ +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL +compat_sock_setsockopt_23 compat_sock_setsockopt 5 23 NULL @@ -124402,7 +123555,8 @@ index 0000000..6e35346 +encrypted_instantiate_3168 encrypted_instantiate 3 3168 NULL +uv_num_possible_blades_3177 uv_num_possible_blades 0 3177 NULL +compat_do_ip6t_set_ctl_3184 compat_do_ip6t_set_ctl 4 3184 NULL -+alloc_context_3194 alloc_context 1 3194 NULL ++alloc_context_3194 alloc_context 1 3194 NULL nohasharray ++ep_aio_read_3194 ep_aio_read 3 3194 &alloc_context_3194 +codec_reg_write_file_3204 codec_reg_write_file 3 3204 NULL +ath6kl_mgmt_tx_3230 ath6kl_mgmt_tx 9 3230 NULL +btrfs_next_leaf_3232 btrfs_next_leaf 0 3232 NULL @@ -125314,6 +124468,7 @@ index 0000000..6e35346 +oo_objects_14319 oo_objects 0 14319 NULL +iwl_legacy_dbgfs_interrupt_read_14324 iwl_legacy_dbgfs_interrupt_read 3 14324 NULL +p9_client_zc_rpc_14345 p9_client_zc_rpc 7 14345 NULL ++ep_aio_rwtail_14347 ep_aio_rwtail 6 14347 NULL +snd_pcm_lib_readv_14363 snd_pcm_lib_readv 3-0 14363 NULL +ath6kl_regdump_read_14393 ath6kl_regdump_read 3 14393 NULL +smk_write_onlycap_14400 smk_write_onlycap 3 14400 NULL @@ -126509,6 +125664,7 @@ index 0000000..6e35346 +tcp_sendpage_29829 tcp_sendpage 4-3 29829 NULL +__probe_kernel_write_29842 __probe_kernel_write 3 29842 NULL +count_partial_29850 count_partial 0 29850 NULL ++extract_icmp6_fields_29870 extract_icmp6_fields 2 29870 NULL +ipv6_setsockopt_29871 ipv6_setsockopt 5 29871 NULL +scsi_end_request_29876 scsi_end_request 3 29876 NULL +crypto_aead_alignmask_29885 crypto_aead_alignmask 0 29885 NULL @@ -127737,6 +126893,7 @@ index 0000000..6e35346 +unix_dgram_sendmsg_45699 unix_dgram_sendmsg 4 45699 &bscnl_emit_45699 +sg_proc_write_adio_45704 sg_proc_write_adio 3 45704 NULL +dvb_ca_en50221_init_45718 dvb_ca_en50221_init 4 45718 NULL ++handle_response_icmp_45733 handle_response_icmp 7 45733 NULL +snd_cs46xx_io_read_45734 snd_cs46xx_io_read 5 45734 NULL +v4l2_ctrl_new_std_45748 v4l2_ctrl_new_std 5 45748 NULL +lkdtm_debugfs_read_45752 lkdtm_debugfs_read 3 45752 NULL @@ -128013,6 +127170,7 @@ index 0000000..6e35346 +root_nfs_cat_49192 root_nfs_cat 3 49192 NULL +iwl_dbgfs_ucode_general_stats_read_49199 iwl_dbgfs_ucode_general_stats_read 3 49199 NULL +do_jffs2_getxattr_49210 do_jffs2_getxattr 0 49210 NULL ++handle_response_49269 handle_response 5 49269 NULL +osd_req_add_get_attr_list_49278 osd_req_add_get_attr_list 3 49278 NULL +__ext4_ext_dirty_49284 __ext4_ext_dirty 0 49284 NULL +viafb_dfph_proc_write_49288 viafb_dfph_proc_write 3 49288 NULL diff --git a/3.2.68/4425_grsec_remove_EI_PAX.patch b/3.2.69/4425_grsec_remove_EI_PAX.patch index ba92792..ba92792 100644 --- a/3.2.68/4425_grsec_remove_EI_PAX.patch +++ b/3.2.69/4425_grsec_remove_EI_PAX.patch diff --git a/3.2.68/4427_force_XATTR_PAX_tmpfs.patch b/3.2.69/4427_force_XATTR_PAX_tmpfs.patch index caaeed1..caaeed1 100644 --- a/3.2.68/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.2.69/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.2.68/4430_grsec-remove-localversion-grsec.patch b/3.2.69/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.2.68/4430_grsec-remove-localversion-grsec.patch +++ b/3.2.69/4430_grsec-remove-localversion-grsec.patch diff --git a/3.2.68/4435_grsec-mute-warnings.patch b/3.2.69/4435_grsec-mute-warnings.patch index da01ac7..da01ac7 100644 --- a/3.2.68/4435_grsec-mute-warnings.patch +++ b/3.2.69/4435_grsec-mute-warnings.patch diff --git a/3.2.68/4440_grsec-remove-protected-paths.patch b/3.2.69/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/3.2.68/4440_grsec-remove-protected-paths.patch +++ b/3.2.69/4440_grsec-remove-protected-paths.patch diff --git a/3.2.68/4450_grsec-kconfig-default-gids.patch b/3.2.69/4450_grsec-kconfig-default-gids.patch index 5e1cb04..5e1cb04 100644 --- a/3.2.68/4450_grsec-kconfig-default-gids.patch +++ b/3.2.69/4450_grsec-kconfig-default-gids.patch diff --git a/3.2.68/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.69/4465_selinux-avc_audit-log-curr_ip.patch index f73d198..f73d198 100644 --- a/3.2.68/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.2.69/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.2.68/4470_disable-compat_vdso.patch b/3.2.69/4470_disable-compat_vdso.patch index 34d46de..34d46de 100644 --- a/3.2.68/4470_disable-compat_vdso.patch +++ b/3.2.69/4470_disable-compat_vdso.patch diff --git a/3.2.68/4475_emutramp_default_on.patch b/3.2.69/4475_emutramp_default_on.patch index 2db58ab..2db58ab 100644 --- a/3.2.68/4475_emutramp_default_on.patch +++ b/3.2.69/4475_emutramp_default_on.patch diff --git a/4.0.2/0000_README b/4.0.2/0000_README index f34197d..2d4e7a4 100644 --- a/4.0.2/0000_README +++ b/4.0.2/0000_README @@ -6,7 +6,7 @@ Patch: 1002_linux-4.0.2.patch From: http://www.kernel.org Desc: Linux 4.0.2 -Patch: 4420_grsecurity-3.1-4.0.2-201505091724.patch +Patch: 4420_grsecurity-3.1-4.0.2-201505101122.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.0.2/4420_grsecurity-3.1-4.0.2-201505091724.patch b/4.0.2/4420_grsecurity-3.1-4.0.2-201505101122.patch index 86c9e65..334f5da 100644 --- a/4.0.2/4420_grsecurity-3.1-4.0.2-201505091724.patch +++ b/4.0.2/4420_grsecurity-3.1-4.0.2-201505101122.patch @@ -49152,6 +49152,28 @@ index a2515887..6d13233 100644 dev->net->dev_addr[ETH_ALEN-1] = ifacenum; /* we will have to manufacture ethernet headers, prepare template */ +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index 777757a..395a767 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1285,7 +1285,7 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb, + struct net_device *net) + { + struct usbnet *dev = netdev_priv(net); +- int length; ++ unsigned int length; + struct urb *urb = NULL; + struct skb_data *entry; + struct driver_info *info = dev->driver_info; +@@ -1413,7 +1413,7 @@ not_drop: + } + } else + netif_dbg(dev, tx_queued, dev->net, +- "> tx, len %d, type 0x%x\n", length, skb->protocol); ++ "> tx, len %u, type 0x%x\n", length, skb->protocol); + #ifdef CONFIG_PM + deferred: + #endif diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index 59b0e97..a6ed579 100644 --- a/drivers/net/virtio_net.c @@ -65536,7 +65558,7 @@ index caa38a2..44c470a 100644 out: return len; diff --git a/fs/namespace.c b/fs/namespace.c -index 4622ee3..2db42e3 100644 +index 4622ee3..8500e56 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1480,6 +1480,9 @@ static int do_umount(struct mount *mnt, int flags) @@ -65655,7 +65677,20 @@ index 4622ee3..2db42e3 100644 get_fs_root(current->fs, &root); old_mp = lock_mount(&old); error = PTR_ERR(old_mp); -@@ -3229,7 +3253,7 @@ static int mntns_install(struct nsproxy *nsproxy, struct ns_common *ns) +@@ -3178,6 +3202,12 @@ bool fs_fully_visible(struct file_system_type *type) + if (mnt->mnt.mnt_sb->s_type != type) + continue; + ++ /* This mount is not fully visible if it's root directory ++ * is not the root directory of the filesystem. ++ */ ++ if (mnt->mnt.mnt_root != mnt->mnt.mnt_sb->s_root) ++ continue; ++ + /* This mount is not fully visible if there are any child mounts + * that cover anything except for empty directories. + */ +@@ -3229,7 +3259,7 @@ static int mntns_install(struct nsproxy *nsproxy, struct ns_common *ns) !ns_capable(current_user_ns(), CAP_SYS_ADMIN)) return -EPERM; |