author | Anthony G. Basile <blueness@gentoo.org> | 2014-11-08 10:35:52 -0500 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2014-11-08 10:35:52 -0500 |
commit | 13dee1876996ccf19092607a8e95928bd7548a3d (patch) | |
tree | 4ec142c0e4d230d3e7a196d542fc07364f18a967 | |
parent | Grsec/PaX: 3.0-3.2.63-201411020808 (diff) | |
download | hardened-patchset-20141106.tar.gz hardened-patchset-20141106.tar.bz2 hardened-patchset-20141106.zip |
Grsec/PaX: 3.0-{3.2.64,3.14.23,3.17.2}-20141106203420141106
-rw-r--r-- | 3.14.23/0000_README | 6 | ||||
-rw-r--r-- | 3.14.23/1022_linux-3.14.23.patch | 5877 | ||||
-rw-r--r-- | 3.14.23/4420_grsecurity-3.0-3.14.23-201411062033.patch (renamed from 3.14.23/4420_grsecurity-3.0-3.14.23-201410312212.patch) | 91 | ||||
-rw-r--r-- | 3.17.2/0000_README | 2 | ||||
-rw-r--r-- | 3.17.2/4420_grsecurity-3.0-3.17.2-201411062034.patch (renamed from 3.17.2/4420_grsecurity-3.0-3.17.2-201410312213.patch) | 151 | ||||
-rw-r--r-- | 3.2.64/0000_README (renamed from 3.2.63/0000_README) | 6 | ||||
-rw-r--r-- | 3.2.64/1021_linux-3.2.22.patch (renamed from 3.2.63/1021_linux-3.2.22.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1022_linux-3.2.23.patch (renamed from 3.2.63/1022_linux-3.2.23.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1023_linux-3.2.24.patch (renamed from 3.2.63/1023_linux-3.2.24.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1024_linux-3.2.25.patch (renamed from 3.2.63/1024_linux-3.2.25.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1025_linux-3.2.26.patch (renamed from 3.2.63/1025_linux-3.2.26.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1026_linux-3.2.27.patch (renamed from 3.2.63/1026_linux-3.2.27.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1027_linux-3.2.28.patch (renamed from 3.2.63/1027_linux-3.2.28.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1028_linux-3.2.29.patch (renamed from 3.2.63/1028_linux-3.2.29.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1029_linux-3.2.30.patch (renamed from 3.2.63/1029_linux-3.2.30.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1030_linux-3.2.31.patch (renamed from 3.2.63/1030_linux-3.2.31.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1031_linux-3.2.32.patch (renamed from 3.2.63/1031_linux-3.2.32.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1032_linux-3.2.33.patch (renamed from 3.2.63/1032_linux-3.2.33.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1033_linux-3.2.34.patch (renamed from 3.2.63/1033_linux-3.2.34.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1034_linux-3.2.35.patch (renamed from 3.2.63/1034_linux-3.2.35.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1035_linux-3.2.36.patch (renamed from 3.2.63/1035_linux-3.2.36.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1036_linux-3.2.37.patch (renamed from 3.2.63/1036_linux-3.2.37.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1037_linux-3.2.38.patch (renamed from 3.2.63/1037_linux-3.2.38.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1038_linux-3.2.39.patch (renamed from 3.2.63/1038_linux-3.2.39.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1039_linux-3.2.40.patch (renamed from 3.2.63/1039_linux-3.2.40.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1040_linux-3.2.41.patch (renamed from 3.2.63/1040_linux-3.2.41.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1041_linux-3.2.42.patch (renamed from 3.2.63/1041_linux-3.2.42.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1042_linux-3.2.43.patch (renamed from 3.2.63/1042_linux-3.2.43.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1043_linux-3.2.44.patch (renamed from 3.2.63/1043_linux-3.2.44.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1044_linux-3.2.45.patch (renamed from 3.2.63/1044_linux-3.2.45.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1045_linux-3.2.46.patch (renamed from 3.2.63/1045_linux-3.2.46.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1046_linux-3.2.47.patch (renamed from 3.2.63/1046_linux-3.2.47.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1047_linux-3.2.48.patch (renamed from 3.2.63/1047_linux-3.2.48.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1048_linux-3.2.49.patch (renamed from 3.2.63/1048_linux-3.2.49.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1049_linux-3.2.50.patch (renamed from 3.2.63/1049_linux-3.2.50.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1050_linux-3.2.51.patch (renamed from 3.2.63/1050_linux-3.2.51.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1051_linux-3.2.52.patch (renamed from 3.2.63/1051_linux-3.2.52.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1052_linux-3.2.53.patch (renamed from 3.2.63/1052_linux-3.2.53.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1053_linux-3.2.54.patch (renamed from 3.2.63/1053_linux-3.2.54.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1054_linux-3.2.55.patch (renamed from 3.2.63/1054_linux-3.2.55.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1055_linux-3.2.56.patch (renamed from 3.2.63/1055_linux-3.2.56.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1056_linux-3.2.57.patch (renamed from 3.2.63/1056_linux-3.2.57.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1057_linux-3.2.58.patch (renamed from 3.2.63/1057_linux-3.2.58.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1058_linux-3.2.59.patch (renamed from 3.2.63/1058_linux-3.2.59.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1059_linux-3.2.60.patch (renamed from 3.2.63/1059_linux-3.2.60.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1060_linux-3.2.61.patch (renamed from 3.2.63/1060_linux-3.2.61.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1061_linux-3.2.62.patch (renamed from 3.2.63/1061_linux-3.2.62.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1062_linux-3.2.63.patch (renamed from 3.2.63/1062_linux-3.2.63.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/1063_linux-3.2.64.patch | 3821 | ||||
-rw-r--r-- | 3.2.64/4420_grsecurity-3.0-3.2.64-201411062032.patch (renamed from 3.2.63/4420_grsecurity-3.0-3.2.63-201411020808.patch) | 926 | ||||
-rw-r--r-- | 3.2.64/4425_grsec_remove_EI_PAX.patch (renamed from 3.2.63/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.2.63/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/4430_grsec-remove-localversion-grsec.patch (renamed from 3.2.63/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/4435_grsec-mute-warnings.patch (renamed from 3.2.63/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/4440_grsec-remove-protected-paths.patch (renamed from 3.2.63/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/4450_grsec-kconfig-default-gids.patch (renamed from 3.2.63/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.2.63/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/4470_disable-compat_vdso.patch (renamed from 3.2.63/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.2.64/4475_emutramp_default_on.patch (renamed from 3.2.63/4475_emutramp_default_on.patch) | 0 |
59 files changed, 4267 insertions, 6613 deletions
diff --git a/3.14.23/0000_README b/3.14.23/0000_README
index ceedf6a..3f5888e 100644
--- a/3.14.23/0000_README
+++ b/3.14.23/0000_README
@@ -2,11 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 1022_linux-3.14.23.patch
-From: http://www.kernel.org
-Desc: Linux 3.14.23
-
-Patch: 4420_grsecurity-3.0-3.14.23-201410312212.patch
+Patch: 4420_grsecurity-3.0-3.14.23-201411062033.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.14.23/1022_linux-3.14.23.patch b/3.14.23/1022_linux-3.14.23.patch
deleted file mode 100644
index d74580b..0000000
--- a/3.14.23/1022_linux-3.14.23.patch
+++ /dev/null
@@ -1,5877 +0,0 @@ -diff --git a/Documentation/lzo.txt b/Documentation/lzo.txt -new file mode 100644 -index 0000000..ea45dd3 ---- /dev/null -+++ b/Documentation/lzo.txt -@@ -0,0 +1,164 @@ -+ -+LZO stream format as understood by Linux's LZO decompressor -+=========================================================== -+ -+Introduction -+ -+ This is not a specification. No specification seems to be publicly available -+ for the LZO stream format. This document describes what input format the LZO -+ decompressor as implemented in the Linux kernel understands. The file subject -+ of this analysis is lib/lzo/lzo1x_decompress_safe.c. No analysis was made on -+ the compressor nor on any other implementations though it seems likely that -+ the format matches the standard one. The purpose of this document is to -+ better understand what the code does in order to propose more efficient fixes -+ for future bug reports. -+ -+Description -+ -+ The stream is composed of a series of instructions, operands, and data. The -+ instructions consist in a few bits representing an opcode, and bits forming -+ the operands for the instruction, whose size and position depend on the -+ opcode and on the number of literals copied by previous instruction. The -+ operands are used to indicate : -+ -+ - a distance when copying data from the dictionary (past output buffer) -+ - a length (number of bytes to copy from dictionary) -+ - the number of literals to copy, which is retained in variable "state" -+ as a piece of information for next instructions. -+ -+ Optionally depending on the opcode and operands, extra data may follow. These -+ extra data can be a complement for the operand (eg: a length or a distance -+ encoded on larger values), or a literal to be copied to the output buffer. -+ -+ The first byte of the block follows a different encoding from other bytes, it -+ seems to be optimized for literal use only, since there is no dictionary yet -+ prior to that byte. 
-+ -+ Lengths are always encoded on a variable size starting with a small number -+ of bits in the operand. If the number of bits isn't enough to represent the -+ length, up to 255 may be added in increments by consuming more bytes with a -+ rate of at most 255 per extra byte (thus the compression ratio cannot exceed -+ around 255:1). The variable length encoding using #bits is always the same : -+ -+ length = byte & ((1 << #bits) - 1) -+ if (!length) { -+ length = ((1 << #bits) - 1) -+ length += 255*(number of zero bytes) -+ length += first-non-zero-byte -+ } -+ length += constant (generally 2 or 3) -+ -+ For references to the dictionary, distances are relative to the output -+ pointer. Distances are encoded using very few bits belonging to certain -+ ranges, resulting in multiple copy instructions using different encodings. -+ Certain encodings involve one extra byte, others involve two extra bytes -+ forming a little-endian 16-bit quantity (marked LE16 below). -+ -+ After any instruction except the large literal copy, 0, 1, 2 or 3 literals -+ are copied before starting the next instruction. The number of literals that -+ were copied may change the meaning and behaviour of the next instruction. In -+ practice, only one instruction needs to know whether 0, less than 4, or more -+ literals were copied. This is the information stored in the <state> variable -+ in this implementation. This number of immediate literals to be copied is -+ generally encoded in the last two bits of the instruction but may also be -+ taken from the last two bits of an extra operand (eg: distance). -+ -+ End of stream is declared when a block copy of distance 0 is seen. Only one -+ instruction may encode this distance (0001HLLL), it takes one LE16 operand -+ for the distance, thus requiring 3 bytes. 
-+ -+ IMPORTANT NOTE : in the code some length checks are missing because certain -+ instructions are called under the assumption that a certain number of bytes -+ follow because it has already been garanteed before parsing the instructions. -+ They just have to "refill" this credit if they consume extra bytes. This is -+ an implementation design choice independant on the algorithm or encoding. -+ -+Byte sequences -+ -+ First byte encoding : -+ -+ 0..17 : follow regular instruction encoding, see below. It is worth -+ noting that codes 16 and 17 will represent a block copy from -+ the dictionary which is empty, and that they will always be -+ invalid at this place. -+ -+ 18..21 : copy 0..3 literals -+ state = (byte - 17) = 0..3 [ copy <state> literals ] -+ skip byte -+ -+ 22..255 : copy literal string -+ length = (byte - 17) = 4..238 -+ state = 4 [ don't copy extra literals ] -+ skip byte -+ -+ Instruction encoding : -+ -+ 0 0 0 0 X X X X (0..15) -+ Depends on the number of literals copied by the last instruction. -+ If last instruction did not copy any literal (state == 0), this -+ encoding will be a copy of 4 or more literal, and must be interpreted -+ like this : -+ -+ 0 0 0 0 L L L L (0..15) : copy long literal string -+ length = 3 + (L ?: 15 + (zero_bytes * 255) + non_zero_byte) -+ state = 4 (no extra literals are copied) -+ -+ If last instruction used to copy between 1 to 3 literals (encoded in -+ the instruction's opcode or distance), the instruction is a copy of a -+ 2-byte block from the dictionary within a 1kB distance. It is worth -+ noting that this instruction provides little savings since it uses 2 -+ bytes to encode a copy of 2 other bytes but it encodes the number of -+ following literals for free. 
It must be interpreted like this : -+ -+ 0 0 0 0 D D S S (0..15) : copy 2 bytes from <= 1kB distance -+ length = 2 -+ state = S (copy S literals after this block) -+ Always followed by exactly one byte : H H H H H H H H -+ distance = (H << 2) + D + 1 -+ -+ If last instruction used to copy 4 or more literals (as detected by -+ state == 4), the instruction becomes a copy of a 3-byte block from the -+ dictionary from a 2..3kB distance, and must be interpreted like this : -+ -+ 0 0 0 0 D D S S (0..15) : copy 3 bytes from 2..3 kB distance -+ length = 3 -+ state = S (copy S literals after this block) -+ Always followed by exactly one byte : H H H H H H H H -+ distance = (H << 2) + D + 2049 -+ -+ 0 0 0 1 H L L L (16..31) -+ Copy of a block within 16..48kB distance (preferably less than 10B) -+ length = 2 + (L ?: 7 + (zero_bytes * 255) + non_zero_byte) -+ Always followed by exactly one LE16 : D D D D D D D D : D D D D D D S S -+ distance = 16384 + (H << 14) + D -+ state = S (copy S literals after this block) -+ End of stream is reached if distance == 16384 -+ -+ 0 0 1 L L L L L (32..63) -+ Copy of small block within 16kB distance (preferably less than 34B) -+ length = 2 + (L ?: 31 + (zero_bytes * 255) + non_zero_byte) -+ Always followed by exactly one LE16 : D D D D D D D D : D D D D D D S S -+ distance = D + 1 -+ state = S (copy S literals after this block) -+ -+ 0 1 L D D D S S (64..127) -+ Copy 3-4 bytes from block within 2kB distance -+ state = S (copy S literals after this block) -+ length = 3 + L -+ Always followed by exactly one byte : H H H H H H H H -+ distance = (H << 3) + D + 1 -+ -+ 1 L L D D D S S (128..255) -+ Copy 5-8 bytes from block within 2kB distance -+ state = S (copy S literals after this block) -+ length = 5 + L -+ Always followed by exactly one byte : H H H H H H H H -+ distance = (H << 3) + D + 1 -+ -+Authors -+ -+ This document was written by Willy Tarreau <w@1wt.eu> on 2014/07/19 during an -+ analysis of the decompression code available in Linux 
3.16-rc5. The code is -+ tricky, it is possible that this document contains mistakes or that a few -+ corner cases were overlooked. In any case, please report any doubt, fix, or -+ proposed updates to the author(s) so that the document can be updated. -diff --git a/Documentation/virtual/kvm/mmu.txt b/Documentation/virtual/kvm/mmu.txt -index 2908941..53838d9 100644 ---- a/Documentation/virtual/kvm/mmu.txt -+++ b/Documentation/virtual/kvm/mmu.txt -@@ -425,6 +425,20 @@ fault through the slow path. - Since only 19 bits are used to store generation-number on mmio spte, all - pages are zapped when there is an overflow. - -+Unfortunately, a single memory access might access kvm_memslots(kvm) multiple -+times, the last one happening when the generation number is retrieved and -+stored into the MMIO spte. Thus, the MMIO spte might be created based on -+out-of-date information, but with an up-to-date generation number. -+ -+To avoid this, the generation number is incremented again after synchronize_srcu -+returns; thus, the low bit of kvm_memslots(kvm)->generation is only 1 during a -+memslot update, while some SRCU readers might be using the old copy. We do not -+want to use an MMIO sptes created with an odd generation number, and we can do -+this without losing a bit in the MMIO spte. The low bit of the generation -+is not stored in MMIO spte, and presumed zero when it is extracted out of the -+spte. If KVM is unlucky and creates an MMIO spte while the low bit is 1, -+the next access to the spte will always be a cache miss. 
-+ - - Further reading - =============== -diff --git a/Makefile b/Makefile -index a59980e..135a04a 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 14 --SUBLEVEL = 22 -+SUBLEVEL = 23 - EXTRAVERSION = - NAME = Remembering Coco - -diff --git a/arch/arm/boot/dts/armada-370-netgear-rn102.dts b/arch/arm/boot/dts/armada-370-netgear-rn102.dts -index 651aeb5..f3188e9 100644 ---- a/arch/arm/boot/dts/armada-370-netgear-rn102.dts -+++ b/arch/arm/boot/dts/armada-370-netgear-rn102.dts -@@ -144,6 +144,10 @@ - marvell,nand-enable-arbiter; - nand-on-flash-bbt; - -+ /* Use Hardware BCH ECC */ -+ nand-ecc-strength = <4>; -+ nand-ecc-step-size = <512>; -+ - partition@0 { - label = "u-boot"; - reg = <0x0000000 0x180000>; /* 1.5MB */ -diff --git a/arch/arm/boot/dts/armada-370-netgear-rn104.dts b/arch/arm/boot/dts/armada-370-netgear-rn104.dts -index 4e27587..da406c1 100644 ---- a/arch/arm/boot/dts/armada-370-netgear-rn104.dts -+++ b/arch/arm/boot/dts/armada-370-netgear-rn104.dts -@@ -146,6 +146,10 @@ - marvell,nand-enable-arbiter; - nand-on-flash-bbt; - -+ /* Use Hardware BCH ECC */ -+ nand-ecc-strength = <4>; -+ nand-ecc-step-size = <512>; -+ - partition@0 { - label = "u-boot"; - reg = <0x0000000 0x180000>; /* 1.5MB */ -diff --git a/arch/arm/boot/dts/armada-xp-netgear-rn2120.dts b/arch/arm/boot/dts/armada-xp-netgear-rn2120.dts -index ff049ee..b4aba09 100644 ---- a/arch/arm/boot/dts/armada-xp-netgear-rn2120.dts -+++ b/arch/arm/boot/dts/armada-xp-netgear-rn2120.dts -@@ -224,6 +224,10 @@ - marvell,nand-enable-arbiter; - nand-on-flash-bbt; - -+ /* Use Hardware BCH ECC */ -+ nand-ecc-strength = <4>; -+ nand-ecc-step-size = <512>; -+ - partition@0 { - label = "u-boot"; - reg = <0x0000000 0x180000>; /* 1.5MB */ -diff --git a/arch/arm/boot/dts/at91sam9263.dtsi b/arch/arm/boot/dts/at91sam9263.dtsi -index fece866..b8f234b 100644 ---- a/arch/arm/boot/dts/at91sam9263.dtsi -+++ b/arch/arm/boot/dts/at91sam9263.dtsi -@@ -535,6 +535,7 @@ - compatible = 
"atmel,hsmci"; - reg = <0xfff80000 0x600>; - interrupts = <10 IRQ_TYPE_LEVEL_HIGH 0>; -+ pinctrl-names = "default"; - #address-cells = <1>; - #size-cells = <0>; - status = "disabled"; -@@ -544,6 +545,7 @@ - compatible = "atmel,hsmci"; - reg = <0xfff84000 0x600>; - interrupts = <11 IRQ_TYPE_LEVEL_HIGH 0>; -+ pinctrl-names = "default"; - #address-cells = <1>; - #size-cells = <0>; - status = "disabled"; -diff --git a/arch/arm/boot/dts/sama5d3_can.dtsi b/arch/arm/boot/dts/sama5d3_can.dtsi -index a077585..eaf4145 100644 ---- a/arch/arm/boot/dts/sama5d3_can.dtsi -+++ b/arch/arm/boot/dts/sama5d3_can.dtsi -@@ -40,7 +40,7 @@ - atmel,clk-output-range = <0 66000000>; - }; - -- can1_clk: can0_clk { -+ can1_clk: can1_clk { - #clock-cells = <0>; - reg = <41>; - atmel,clk-output-range = <0 66000000>; -diff --git a/arch/arm/mach-at91/clock.c b/arch/arm/mach-at91/clock.c -index 034529d..d66f102 100644 ---- a/arch/arm/mach-at91/clock.c -+++ b/arch/arm/mach-at91/clock.c -@@ -962,6 +962,7 @@ static int __init at91_clock_reset(void) - } - - at91_pmc_write(AT91_PMC_SCDR, scdr); -+ at91_pmc_write(AT91_PMC_PCDR, pcdr); - if (cpu_is_sama5d3()) - at91_pmc_write(AT91_PMC_PCDR1, pcdr1); - -diff --git a/arch/arm64/include/asm/compat.h b/arch/arm64/include/asm/compat.h -index fda2704..e72289a 100644 ---- a/arch/arm64/include/asm/compat.h -+++ b/arch/arm64/include/asm/compat.h -@@ -37,8 +37,8 @@ typedef s32 compat_ssize_t; - typedef s32 compat_time_t; - typedef s32 compat_clock_t; - typedef s32 compat_pid_t; --typedef u32 __compat_uid_t; --typedef u32 __compat_gid_t; -+typedef u16 __compat_uid_t; -+typedef u16 __compat_gid_t; - typedef u16 __compat_uid16_t; - typedef u16 __compat_gid16_t; - typedef u32 __compat_uid32_t; -diff --git a/arch/m68k/mm/hwtest.c b/arch/m68k/mm/hwtest.c -index 2c7dde3..2a5259f 100644 ---- a/arch/m68k/mm/hwtest.c -+++ b/arch/m68k/mm/hwtest.c -@@ -28,9 +28,11 @@ - int hwreg_present( volatile void *regp ) - { - int ret = 0; -+ unsigned long flags; - long save_sp, save_vbr; 
- long tmp_vectors[3]; - -+ local_irq_save(flags); - __asm__ __volatile__ - ( "movec %/vbr,%2\n\t" - "movel #Lberr1,%4@(8)\n\t" -@@ -46,6 +48,7 @@ int hwreg_present( volatile void *regp ) - : "=&d" (ret), "=&r" (save_sp), "=&r" (save_vbr) - : "a" (regp), "a" (tmp_vectors) - ); -+ local_irq_restore(flags); - - return( ret ); - } -@@ -58,9 +61,11 @@ EXPORT_SYMBOL(hwreg_present); - int hwreg_write( volatile void *regp, unsigned short val ) - { - int ret; -+ unsigned long flags; - long save_sp, save_vbr; - long tmp_vectors[3]; - -+ local_irq_save(flags); - __asm__ __volatile__ - ( "movec %/vbr,%2\n\t" - "movel #Lberr2,%4@(8)\n\t" -@@ -78,6 +83,7 @@ int hwreg_write( volatile void *regp, unsigned short val ) - : "=&d" (ret), "=&r" (save_sp), "=&r" (save_vbr) - : "a" (regp), "a" (tmp_vectors), "g" (val) - ); -+ local_irq_restore(flags); - - return( ret ); - } -diff --git a/arch/powerpc/platforms/pseries/iommu.c b/arch/powerpc/platforms/pseries/iommu.c -index 4642d6a..de1ec54 100644 ---- a/arch/powerpc/platforms/pseries/iommu.c -+++ b/arch/powerpc/platforms/pseries/iommu.c -@@ -329,16 +329,16 @@ struct direct_window { - - /* Dynamic DMA Window support */ - struct ddw_query_response { -- __be32 windows_available; -- __be32 largest_available_block; -- __be32 page_size; -- __be32 migration_capable; -+ u32 windows_available; -+ u32 largest_available_block; -+ u32 page_size; -+ u32 migration_capable; - }; - - struct ddw_create_response { -- __be32 liobn; -- __be32 addr_hi; -- __be32 addr_lo; -+ u32 liobn; -+ u32 addr_hi; -+ u32 addr_lo; - }; - - static LIST_HEAD(direct_window_list); -@@ -725,16 +725,18 @@ static void remove_ddw(struct device_node *np, bool remove_prop) - { - struct dynamic_dma_window_prop *dwp; - struct property *win64; -- const u32 *ddw_avail; -+ u32 ddw_avail[3]; - u64 liobn; -- int len, ret = 0; -+ int ret = 0; -+ -+ ret = of_property_read_u32_array(np, "ibm,ddw-applicable", -+ &ddw_avail[0], 3); - -- ddw_avail = of_get_property(np, "ibm,ddw-applicable", 
&len); - win64 = of_find_property(np, DIRECT64_PROPNAME, NULL); - if (!win64) - return; - -- if (!ddw_avail || len < 3 * sizeof(u32) || win64->length < sizeof(*dwp)) -+ if (ret || win64->length < sizeof(*dwp)) - goto delprop; - - dwp = win64->value; -@@ -872,8 +874,9 @@ static int create_ddw(struct pci_dev *dev, const u32 *ddw_avail, - - do { - /* extra outputs are LIOBN and dma-addr (hi, lo) */ -- ret = rtas_call(ddw_avail[1], 5, 4, (u32 *)create, cfg_addr, -- BUID_HI(buid), BUID_LO(buid), page_shift, window_shift); -+ ret = rtas_call(ddw_avail[1], 5, 4, (u32 *)create, -+ cfg_addr, BUID_HI(buid), BUID_LO(buid), -+ page_shift, window_shift); - } while (rtas_busy_delay(ret)); - dev_info(&dev->dev, - "ibm,create-pe-dma-window(%x) %x %x %x %x %x returned %d " -@@ -910,7 +913,7 @@ static u64 enable_ddw(struct pci_dev *dev, struct device_node *pdn) - int page_shift; - u64 dma_addr, max_addr; - struct device_node *dn; -- const u32 *uninitialized_var(ddw_avail); -+ u32 ddw_avail[3]; - struct direct_window *window; - struct property *win64; - struct dynamic_dma_window_prop *ddwprop; -@@ -942,8 +945,9 @@ static u64 enable_ddw(struct pci_dev *dev, struct device_node *pdn) - * for the given node in that order. 
- * the property is actually in the parent, not the PE - */ -- ddw_avail = of_get_property(pdn, "ibm,ddw-applicable", &len); -- if (!ddw_avail || len < 3 * sizeof(u32)) -+ ret = of_property_read_u32_array(pdn, "ibm,ddw-applicable", -+ &ddw_avail[0], 3); -+ if (ret) - goto out_failed; - - /* -@@ -966,11 +970,11 @@ static u64 enable_ddw(struct pci_dev *dev, struct device_node *pdn) - dev_dbg(&dev->dev, "no free dynamic windows"); - goto out_failed; - } -- if (be32_to_cpu(query.page_size) & 4) { -+ if (query.page_size & 4) { - page_shift = 24; /* 16MB */ -- } else if (be32_to_cpu(query.page_size) & 2) { -+ } else if (query.page_size & 2) { - page_shift = 16; /* 64kB */ -- } else if (be32_to_cpu(query.page_size) & 1) { -+ } else if (query.page_size & 1) { - page_shift = 12; /* 4kB */ - } else { - dev_dbg(&dev->dev, "no supported direct page size in mask %x", -@@ -980,7 +984,7 @@ static u64 enable_ddw(struct pci_dev *dev, struct device_node *pdn) - /* verify the window * number of ptes will map the partition */ - /* check largest block * page size > max memory hotplug addr */ - max_addr = memory_hotplug_max(); -- if (be32_to_cpu(query.largest_available_block) < (max_addr >> page_shift)) { -+ if (query.largest_available_block < (max_addr >> page_shift)) { - dev_dbg(&dev->dev, "can't map partiton max 0x%llx with %u " - "%llu-sized pages\n", max_addr, query.largest_available_block, - 1ULL << page_shift); -@@ -1006,8 +1010,9 @@ static u64 enable_ddw(struct pci_dev *dev, struct device_node *pdn) - if (ret != 0) - goto out_free_prop; - -- ddwprop->liobn = create.liobn; -- ddwprop->dma_base = cpu_to_be64(of_read_number(&create.addr_hi, 2)); -+ ddwprop->liobn = cpu_to_be32(create.liobn); -+ ddwprop->dma_base = cpu_to_be64(((u64)create.addr_hi << 32) | -+ create.addr_lo); - ddwprop->tce_shift = cpu_to_be32(page_shift); - ddwprop->window_shift = cpu_to_be32(len); - -@@ -1039,7 +1044,7 @@ static u64 enable_ddw(struct pci_dev *dev, struct device_node *pdn) - list_add(&window->list, 
&direct_window_list); - spin_unlock(&direct_window_list_lock); - -- dma_addr = of_read_number(&create.addr_hi, 2); -+ dma_addr = be64_to_cpu(ddwprop->dma_base); - goto out_unlock; - - out_free_window: -diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c -index 5f79d2d..f1ba119 100644 ---- a/arch/s390/kvm/interrupt.c -+++ b/arch/s390/kvm/interrupt.c -@@ -71,6 +71,7 @@ static int __interrupt_is_deliverable(struct kvm_vcpu *vcpu, - return 0; - if (vcpu->arch.sie_block->gcr[0] & 0x2000ul) - return 1; -+ return 0; - case KVM_S390_INT_EMERGENCY: - if (psw_extint_disabled(vcpu)) - return 0; -diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig -index b398c68..a38513c 100644 ---- a/arch/sparc/Kconfig -+++ b/arch/sparc/Kconfig -@@ -67,6 +67,7 @@ config SPARC64 - select HAVE_SYSCALL_TRACEPOINTS - select HAVE_CONTEXT_TRACKING - select HAVE_DEBUG_KMEMLEAK -+ select SPARSE_IRQ - select RTC_DRV_CMOS - select RTC_DRV_BQ4802 - select RTC_DRV_SUN4V -diff --git a/arch/sparc/include/asm/hypervisor.h b/arch/sparc/include/asm/hypervisor.h -index ca121f0..17be9d6 100644 ---- a/arch/sparc/include/asm/hypervisor.h -+++ b/arch/sparc/include/asm/hypervisor.h -@@ -2944,6 +2944,16 @@ extern unsigned long sun4v_vt_set_perfreg(unsigned long reg_num, - unsigned long reg_val); - #endif - -+#define HV_FAST_T5_GET_PERFREG 0x1a8 -+#define HV_FAST_T5_SET_PERFREG 0x1a9 -+ -+#ifndef __ASSEMBLY__ -+unsigned long sun4v_t5_get_perfreg(unsigned long reg_num, -+ unsigned long *reg_val); -+unsigned long sun4v_t5_set_perfreg(unsigned long reg_num, -+ unsigned long reg_val); -+#endif -+ - /* Function numbers for HV_CORE_TRAP. 
*/ - #define HV_CORE_SET_VER 0x00 - #define HV_CORE_PUTCHAR 0x01 -@@ -2975,6 +2985,7 @@ extern unsigned long sun4v_vt_set_perfreg(unsigned long reg_num, - #define HV_GRP_VF_CPU 0x0205 - #define HV_GRP_KT_CPU 0x0209 - #define HV_GRP_VT_CPU 0x020c -+#define HV_GRP_T5_CPU 0x0211 - #define HV_GRP_DIAG 0x0300 - - #ifndef __ASSEMBLY__ -diff --git a/arch/sparc/include/asm/irq_64.h b/arch/sparc/include/asm/irq_64.h -index abf6afe..3deb07f 100644 ---- a/arch/sparc/include/asm/irq_64.h -+++ b/arch/sparc/include/asm/irq_64.h -@@ -37,7 +37,7 @@ - * - * ino_bucket->irq allocation is made during {sun4v_,}build_irq(). - */ --#define NR_IRQS 255 -+#define NR_IRQS (2048) - - extern void irq_install_pre_handler(int irq, - void (*func)(unsigned int, void *, void *), -@@ -57,11 +57,8 @@ extern unsigned int sun4u_build_msi(u32 portid, unsigned int *irq_p, - unsigned long iclr_base); - extern void sun4u_destroy_msi(unsigned int irq); - --extern unsigned char irq_alloc(unsigned int dev_handle, -- unsigned int dev_ino); --#ifdef CONFIG_PCI_MSI --extern void irq_free(unsigned int irq); --#endif -+unsigned int irq_alloc(unsigned int dev_handle, unsigned int dev_ino); -+void irq_free(unsigned int irq); - - extern void __init init_IRQ(void); - extern void fixup_irqs(void); -diff --git a/arch/sparc/include/asm/ldc.h b/arch/sparc/include/asm/ldc.h -index bdb524a..8732ed3 100644 ---- a/arch/sparc/include/asm/ldc.h -+++ b/arch/sparc/include/asm/ldc.h -@@ -53,13 +53,14 @@ struct ldc_channel; - /* Allocate state for a channel. */ - extern struct ldc_channel *ldc_alloc(unsigned long id, - const struct ldc_channel_config *cfgp, -- void *event_arg); -+ void *event_arg, -+ const char *name); - - /* Shut down and free state for a channel. */ - extern void ldc_free(struct ldc_channel *lp); - - /* Register TX and RX queues of the link with the hypervisor. 
*/ --extern int ldc_bind(struct ldc_channel *lp, const char *name); -+extern int ldc_bind(struct ldc_channel *lp); - - /* For non-RAW protocols we need to complete a handshake before - * communication can proceed. ldc_connect() does that, if the -diff --git a/arch/sparc/include/asm/oplib_64.h b/arch/sparc/include/asm/oplib_64.h -index a12dbe3..e48fdf4 100644 ---- a/arch/sparc/include/asm/oplib_64.h -+++ b/arch/sparc/include/asm/oplib_64.h -@@ -62,7 +62,8 @@ struct linux_mem_p1275 { - /* You must call prom_init() before using any of the library services, - * preferably as early as possible. Pass it the romvec pointer. - */ --extern void prom_init(void *cif_handler, void *cif_stack); -+extern void prom_init(void *cif_handler); -+extern void prom_init_report(void); - - /* Boot argument acquisition, returns the boot command line string. */ - extern char *prom_getbootargs(void); -diff --git a/arch/sparc/include/asm/page_64.h b/arch/sparc/include/asm/page_64.h -index aac53fc..b18e602 100644 ---- a/arch/sparc/include/asm/page_64.h -+++ b/arch/sparc/include/asm/page_64.h -@@ -57,18 +57,21 @@ extern void copy_user_page(void *to, void *from, unsigned long vaddr, struct pag - typedef struct { unsigned long pte; } pte_t; - typedef struct { unsigned long iopte; } iopte_t; - typedef struct { unsigned long pmd; } pmd_t; -+typedef struct { unsigned long pud; } pud_t; - typedef struct { unsigned long pgd; } pgd_t; - typedef struct { unsigned long pgprot; } pgprot_t; - - #define pte_val(x) ((x).pte) - #define iopte_val(x) ((x).iopte) - #define pmd_val(x) ((x).pmd) -+#define pud_val(x) ((x).pud) - #define pgd_val(x) ((x).pgd) - #define pgprot_val(x) ((x).pgprot) - - #define __pte(x) ((pte_t) { (x) } ) - #define __iopte(x) ((iopte_t) { (x) } ) - #define __pmd(x) ((pmd_t) { (x) } ) -+#define __pud(x) ((pud_t) { (x) } ) - #define __pgd(x) ((pgd_t) { (x) } ) - #define __pgprot(x) ((pgprot_t) { (x) } ) - -@@ -77,18 +80,21 @@ typedef struct { unsigned long pgprot; } pgprot_t; - typedef 
unsigned long pte_t; - typedef unsigned long iopte_t; - typedef unsigned long pmd_t; -+typedef unsigned long pud_t; - typedef unsigned long pgd_t; - typedef unsigned long pgprot_t; - - #define pte_val(x) (x) - #define iopte_val(x) (x) - #define pmd_val(x) (x) -+#define pud_val(x) (x) - #define pgd_val(x) (x) - #define pgprot_val(x) (x) - - #define __pte(x) (x) - #define __iopte(x) (x) - #define __pmd(x) (x) -+#define __pud(x) (x) - #define __pgd(x) (x) - #define __pgprot(x) (x) - -@@ -96,21 +102,14 @@ typedef unsigned long pgprot_t; - - typedef pte_t *pgtable_t; - --/* These two values define the virtual address space range in which we -- * must forbid 64-bit user processes from making mappings. It used to -- * represent precisely the virtual address space hole present in most -- * early sparc64 chips including UltraSPARC-I. But now it also is -- * further constrained by the limits of our page tables, which is -- * 43-bits of virtual address. -- */ --#define SPARC64_VA_HOLE_TOP _AC(0xfffffc0000000000,UL) --#define SPARC64_VA_HOLE_BOTTOM _AC(0x0000040000000000,UL) -+extern unsigned long sparc64_va_hole_top; -+extern unsigned long sparc64_va_hole_bottom; - - /* The next two defines specify the actual exclusion region we - * enforce, wherein we use a 4GB red zone on each side of the VA hole. - */ --#define VA_EXCLUDE_START (SPARC64_VA_HOLE_BOTTOM - (1UL << 32UL)) --#define VA_EXCLUDE_END (SPARC64_VA_HOLE_TOP + (1UL << 32UL)) -+#define VA_EXCLUDE_START (sparc64_va_hole_bottom - (1UL << 32UL)) -+#define VA_EXCLUDE_END (sparc64_va_hole_top + (1UL << 32UL)) - - #define TASK_UNMAPPED_BASE (test_thread_flag(TIF_32BIT) ? 
\ - _AC(0x0000000070000000,UL) : \ -@@ -118,20 +117,16 @@ typedef pte_t *pgtable_t; - - #include <asm-generic/memory_model.h> - --#define PAGE_OFFSET_BY_BITS(X) (-(_AC(1,UL) << (X))) - extern unsigned long PAGE_OFFSET; - - #endif /* !(__ASSEMBLY__) */ - --/* The maximum number of physical memory address bits we support, this -- * is used to size various tables used to manage kernel TLB misses and -- * also the sparsemem code. -+/* The maximum number of physical memory address bits we support. The -+ * largest value we can support is whatever "KPGD_SHIFT + KPTE_BITS" -+ * evaluates to. - */ --#define MAX_PHYS_ADDRESS_BITS 47 -+#define MAX_PHYS_ADDRESS_BITS 53 - --/* These two shift counts are used when indexing sparc64_valid_addr_bitmap -- * and kpte_linear_bitmap. -- */ - #define ILOG2_4MB 22 - #define ILOG2_256MB 28 - -diff --git a/arch/sparc/include/asm/pgalloc_64.h b/arch/sparc/include/asm/pgalloc_64.h -index bcfe063..2c8d41f 100644 ---- a/arch/sparc/include/asm/pgalloc_64.h -+++ b/arch/sparc/include/asm/pgalloc_64.h -@@ -15,6 +15,13 @@ - - extern struct kmem_cache *pgtable_cache; - -+static inline void __pgd_populate(pgd_t *pgd, pud_t *pud) -+{ -+ pgd_set(pgd, pud); -+} -+ -+#define pgd_populate(MM, PGD, PUD) __pgd_populate(PGD, PUD) -+ - static inline pgd_t *pgd_alloc(struct mm_struct *mm) - { - return kmem_cache_alloc(pgtable_cache, GFP_KERNEL); -@@ -25,7 +32,23 @@ static inline void pgd_free(struct mm_struct *mm, pgd_t *pgd) - kmem_cache_free(pgtable_cache, pgd); - } - --#define pud_populate(MM, PUD, PMD) pud_set(PUD, PMD) -+static inline void __pud_populate(pud_t *pud, pmd_t *pmd) -+{ -+ pud_set(pud, pmd); -+} -+ -+#define pud_populate(MM, PUD, PMD) __pud_populate(PUD, PMD) -+ -+static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr) -+{ -+ return kmem_cache_alloc(pgtable_cache, -+ GFP_KERNEL|__GFP_REPEAT); -+} -+ -+static inline void pud_free(struct mm_struct *mm, pud_t *pud) -+{ -+ kmem_cache_free(pgtable_cache, pud); -+} - - static 
inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long addr) - { -@@ -91,4 +114,7 @@ static inline void __pte_free_tlb(struct mmu_gather *tlb, pte_t *pte, - #define __pmd_free_tlb(tlb, pmd, addr) \ - pgtable_free_tlb(tlb, pmd, false) - -+#define __pud_free_tlb(tlb, pud, addr) \ -+ pgtable_free_tlb(tlb, pud, false) -+ - #endif /* _SPARC64_PGALLOC_H */ -diff --git a/arch/sparc/include/asm/pgtable_64.h b/arch/sparc/include/asm/pgtable_64.h -index 1a49ffd..e8dfabf 100644 ---- a/arch/sparc/include/asm/pgtable_64.h -+++ b/arch/sparc/include/asm/pgtable_64.h -@@ -20,8 +20,6 @@ - #include <asm/page.h> - #include <asm/processor.h> - --#include <asm-generic/pgtable-nopud.h> -- - /* The kernel image occupies 0x4000000 to 0x6000000 (4MB --> 96MB). - * The page copy blockops can use 0x6000000 to 0x8000000. - * The 8K TSB is mapped in the 0x8000000 to 0x8400000 range. -@@ -42,10 +40,7 @@ - #define LOW_OBP_ADDRESS _AC(0x00000000f0000000,UL) - #define HI_OBP_ADDRESS _AC(0x0000000100000000,UL) - #define VMALLOC_START _AC(0x0000000100000000,UL) --#define VMALLOC_END _AC(0x0000010000000000,UL) --#define VMEMMAP_BASE _AC(0x0000010000000000,UL) -- --#define vmemmap ((struct page *)VMEMMAP_BASE) -+#define VMEMMAP_BASE VMALLOC_END - - /* PMD_SHIFT determines the size of the area a second-level page - * table can map -@@ -55,13 +50,25 @@ - #define PMD_MASK (~(PMD_SIZE-1)) - #define PMD_BITS (PAGE_SHIFT - 3) - --/* PGDIR_SHIFT determines what a third-level page table entry can map */ --#define PGDIR_SHIFT (PAGE_SHIFT + (PAGE_SHIFT-3) + PMD_BITS) -+/* PUD_SHIFT determines the size of the area a third-level page -+ * table can map -+ */ -+#define PUD_SHIFT (PMD_SHIFT + PMD_BITS) -+#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT) -+#define PUD_MASK (~(PUD_SIZE-1)) -+#define PUD_BITS (PAGE_SHIFT - 3) -+ -+/* PGDIR_SHIFT determines what a fourth-level page table entry can map */ -+#define PGDIR_SHIFT (PUD_SHIFT + PUD_BITS) - #define PGDIR_SIZE (_AC(1,UL) << PGDIR_SHIFT) - #define PGDIR_MASK 
(~(PGDIR_SIZE-1)) - #define PGDIR_BITS (PAGE_SHIFT - 3) - --#if (PGDIR_SHIFT + PGDIR_BITS) != 43 -+#if (MAX_PHYS_ADDRESS_BITS > PGDIR_SHIFT + PGDIR_BITS) -+#error MAX_PHYS_ADDRESS_BITS exceeds what kernel page tables can support -+#endif -+ -+#if (PGDIR_SHIFT + PGDIR_BITS) != 53 - #error Page table parameters do not cover virtual address space properly. - #endif - -@@ -71,28 +78,18 @@ - - #ifndef __ASSEMBLY__ - --#include <linux/sched.h> -- --extern unsigned long sparc64_valid_addr_bitmap[]; -+extern unsigned long VMALLOC_END; - --/* Needs to be defined here and not in linux/mm.h, as it is arch dependent */ --static inline bool __kern_addr_valid(unsigned long paddr) --{ -- if ((paddr >> MAX_PHYS_ADDRESS_BITS) != 0UL) -- return false; -- return test_bit(paddr >> ILOG2_4MB, sparc64_valid_addr_bitmap); --} -+#define vmemmap ((struct page *)VMEMMAP_BASE) - --static inline bool kern_addr_valid(unsigned long addr) --{ -- unsigned long paddr = __pa(addr); -+#include <linux/sched.h> - -- return __kern_addr_valid(paddr); --} -+bool kern_addr_valid(unsigned long addr); - - /* Entries per page directory level. */ - #define PTRS_PER_PTE (1UL << (PAGE_SHIFT-3)) - #define PTRS_PER_PMD (1UL << PMD_BITS) -+#define PTRS_PER_PUD (1UL << PUD_BITS) - #define PTRS_PER_PGD (1UL << PGDIR_BITS) - - /* Kernel has a separate 44bit address space. 
*/ -@@ -101,6 +98,9 @@ static inline bool kern_addr_valid(unsigned long addr) - #define pmd_ERROR(e) \ - pr_err("%s:%d: bad pmd %p(%016lx) seen at (%pS)\n", \ - __FILE__, __LINE__, &(e), pmd_val(e), __builtin_return_address(0)) -+#define pud_ERROR(e) \ -+ pr_err("%s:%d: bad pud %p(%016lx) seen at (%pS)\n", \ -+ __FILE__, __LINE__, &(e), pud_val(e), __builtin_return_address(0)) - #define pgd_ERROR(e) \ - pr_err("%s:%d: bad pgd %p(%016lx) seen at (%pS)\n", \ - __FILE__, __LINE__, &(e), pgd_val(e), __builtin_return_address(0)) -@@ -112,6 +112,7 @@ static inline bool kern_addr_valid(unsigned long addr) - #define _PAGE_R _AC(0x8000000000000000,UL) /* Keep ref bit uptodate*/ - #define _PAGE_SPECIAL _AC(0x0200000000000000,UL) /* Special page */ - #define _PAGE_PMD_HUGE _AC(0x0100000000000000,UL) /* Huge page */ -+#define _PAGE_PUD_HUGE _PAGE_PMD_HUGE - - /* Advertise support for _PAGE_SPECIAL */ - #define __HAVE_ARCH_PTE_SPECIAL -@@ -658,26 +659,26 @@ static inline unsigned long pmd_large(pmd_t pmd) - return pte_val(pte) & _PAGE_PMD_HUGE; - } - --#ifdef CONFIG_TRANSPARENT_HUGEPAGE --static inline unsigned long pmd_young(pmd_t pmd) -+static inline unsigned long pmd_pfn(pmd_t pmd) - { - pte_t pte = __pte(pmd_val(pmd)); - -- return pte_young(pte); -+ return pte_pfn(pte); - } - --static inline unsigned long pmd_write(pmd_t pmd) -+#ifdef CONFIG_TRANSPARENT_HUGEPAGE -+static inline unsigned long pmd_young(pmd_t pmd) - { - pte_t pte = __pte(pmd_val(pmd)); - -- return pte_write(pte); -+ return pte_young(pte); - } - --static inline unsigned long pmd_pfn(pmd_t pmd) -+static inline unsigned long pmd_write(pmd_t pmd) - { - pte_t pte = __pte(pmd_val(pmd)); - -- return pte_pfn(pte); -+ return pte_write(pte); - } - - static inline unsigned long pmd_trans_huge(pmd_t pmd) -@@ -771,13 +772,15 @@ static inline int pmd_present(pmd_t pmd) - * the top bits outside of the range of any physical address size we - * support are clear as well. We also validate the physical itself. 
- */ --#define pmd_bad(pmd) ((pmd_val(pmd) & ~PAGE_MASK) || \ -- !__kern_addr_valid(pmd_val(pmd))) -+#define pmd_bad(pmd) (pmd_val(pmd) & ~PAGE_MASK) - - #define pud_none(pud) (!pud_val(pud)) - --#define pud_bad(pud) ((pud_val(pud) & ~PAGE_MASK) || \ -- !__kern_addr_valid(pud_val(pud))) -+#define pud_bad(pud) (pud_val(pud) & ~PAGE_MASK) -+ -+#define pgd_none(pgd) (!pgd_val(pgd)) -+ -+#define pgd_bad(pgd) (pgd_val(pgd) & ~PAGE_MASK) - - #ifdef CONFIG_TRANSPARENT_HUGEPAGE - extern void set_pmd_at(struct mm_struct *mm, unsigned long addr, -@@ -815,10 +818,31 @@ static inline unsigned long __pmd_page(pmd_t pmd) - #define pmd_clear(pmdp) (pmd_val(*(pmdp)) = 0UL) - #define pud_present(pud) (pud_val(pud) != 0U) - #define pud_clear(pudp) (pud_val(*(pudp)) = 0UL) -+#define pgd_page_vaddr(pgd) \ -+ ((unsigned long) __va(pgd_val(pgd))) -+#define pgd_present(pgd) (pgd_val(pgd) != 0U) -+#define pgd_clear(pgdp) (pgd_val(*(pgd)) = 0UL) -+ -+static inline unsigned long pud_large(pud_t pud) -+{ -+ pte_t pte = __pte(pud_val(pud)); -+ -+ return pte_val(pte) & _PAGE_PMD_HUGE; -+} -+ -+static inline unsigned long pud_pfn(pud_t pud) -+{ -+ pte_t pte = __pte(pud_val(pud)); -+ -+ return pte_pfn(pte); -+} - - /* Same in both SUN4V and SUN4U. */ - #define pte_none(pte) (!pte_val(pte)) - -+#define pgd_set(pgdp, pudp) \ -+ (pgd_val(*(pgdp)) = (__pa((unsigned long) (pudp)))) -+ - /* to find an entry in a page-table-directory. */ - #define pgd_index(address) (((address) >> PGDIR_SHIFT) & (PTRS_PER_PGD - 1)) - #define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address)) -@@ -826,6 +850,11 @@ static inline unsigned long __pmd_page(pmd_t pmd) - /* to find an entry in a kernel page-table-directory */ - #define pgd_offset_k(address) pgd_offset(&init_mm, address) - -+/* Find an entry in the third-level page table.. 
*/ -+#define pud_index(address) (((address) >> PUD_SHIFT) & (PTRS_PER_PUD - 1)) -+#define pud_offset(pgdp, address) \ -+ ((pud_t *) pgd_page_vaddr(*(pgdp)) + pud_index(address)) -+ - /* Find an entry in the second-level page table.. */ - #define pmd_offset(pudp, address) \ - ((pmd_t *) pud_page_vaddr(*(pudp)) + \ -@@ -898,7 +927,6 @@ static inline void __set_pte_at(struct mm_struct *mm, unsigned long addr, - #endif - - extern pgd_t swapper_pg_dir[PTRS_PER_PGD]; --extern pmd_t swapper_low_pmd_dir[PTRS_PER_PMD]; - - extern void paging_init(void); - extern unsigned long find_ecache_flush_span(unsigned long size); -diff --git a/arch/sparc/include/asm/setup.h b/arch/sparc/include/asm/setup.h -index 5e35e05..acd6146 100644 ---- a/arch/sparc/include/asm/setup.h -+++ b/arch/sparc/include/asm/setup.h -@@ -24,6 +24,10 @@ static inline int con_is_present(void) - } - #endif - -+#ifdef CONFIG_SPARC64 -+extern void __init start_early_boot(void); -+#endif -+ - extern void sun_do_break(void); - extern int stop_a_enabled; - extern int scons_pwroff; -diff --git a/arch/sparc/include/asm/spitfire.h b/arch/sparc/include/asm/spitfire.h -index 6b67e50..69424d4 100644 ---- a/arch/sparc/include/asm/spitfire.h -+++ b/arch/sparc/include/asm/spitfire.h -@@ -45,6 +45,8 @@ - #define SUN4V_CHIP_NIAGARA3 0x03 - #define SUN4V_CHIP_NIAGARA4 0x04 - #define SUN4V_CHIP_NIAGARA5 0x05 -+#define SUN4V_CHIP_SPARC_M6 0x06 -+#define SUN4V_CHIP_SPARC_M7 0x07 - #define SUN4V_CHIP_SPARC64X 0x8a - #define SUN4V_CHIP_UNKNOWN 0xff - -diff --git a/arch/sparc/include/asm/thread_info_64.h b/arch/sparc/include/asm/thread_info_64.h -index a5f01ac..cc6275c 100644 ---- a/arch/sparc/include/asm/thread_info_64.h -+++ b/arch/sparc/include/asm/thread_info_64.h -@@ -63,7 +63,8 @@ struct thread_info { - struct pt_regs *kern_una_regs; - unsigned int kern_una_insn; - -- unsigned long fpregs[0] __attribute__ ((aligned(64))); -+ unsigned long fpregs[(7 * 256) / sizeof(unsigned long)] -+ __attribute__ ((aligned(64))); - }; - - 
#endif /* !(__ASSEMBLY__) */ -@@ -102,6 +103,7 @@ struct thread_info { - #define FAULT_CODE_ITLB 0x04 /* Miss happened in I-TLB */ - #define FAULT_CODE_WINFIXUP 0x08 /* Miss happened during spill/fill */ - #define FAULT_CODE_BLKCOMMIT 0x10 /* Use blk-commit ASI in copy_page */ -+#define FAULT_CODE_BAD_RA 0x20 /* Bad RA for sun4v */ - - #if PAGE_SHIFT == 13 - #define THREAD_SIZE (2*PAGE_SIZE) -diff --git a/arch/sparc/include/asm/tsb.h b/arch/sparc/include/asm/tsb.h -index 90916f9..ecb49cf 100644 ---- a/arch/sparc/include/asm/tsb.h -+++ b/arch/sparc/include/asm/tsb.h -@@ -133,9 +133,24 @@ extern struct tsb_phys_patch_entry __tsb_phys_patch, __tsb_phys_patch_end; - sub TSB, 0x8, TSB; \ - TSB_STORE(TSB, TAG); - -- /* Do a kernel page table walk. Leaves physical PTE pointer in -- * REG1. Jumps to FAIL_LABEL on early page table walk termination. -- * VADDR will not be clobbered, but REG2 will. -+ /* Do a kernel page table walk. Leaves valid PTE value in -+ * REG1. Jumps to FAIL_LABEL on early page table walk -+ * termination. VADDR will not be clobbered, but REG2 will. -+ * -+ * There are two masks we must apply to propagate bits from -+ * the virtual address into the PTE physical address field -+ * when dealing with huge pages. This is because the page -+ * table boundaries do not match the huge page size(s) the -+ * hardware supports. -+ * -+ * In these cases we propagate the bits that are below the -+ * page table level where we saw the huge page mapping, but -+ * are still within the relevant physical bits for the huge -+ * page size in question. So for PMD mappings (which fall on -+ * bit 23, for 8MB per PMD) we must propagate bit 22 for a -+ * 4MB huge page. For huge PUDs (which fall on bit 33, for -+ * 8GB per PUD), we have to accomodate 256MB and 2GB huge -+ * pages. So for those we propagate bits 32 to 28. 
- */ - #define KERN_PGTABLE_WALK(VADDR, REG1, REG2, FAIL_LABEL) \ - sethi %hi(swapper_pg_dir), REG1; \ -@@ -145,15 +160,40 @@ extern struct tsb_phys_patch_entry __tsb_phys_patch, __tsb_phys_patch_end; - andn REG2, 0x7, REG2; \ - ldx [REG1 + REG2], REG1; \ - brz,pn REG1, FAIL_LABEL; \ -- sllx VADDR, 64 - (PMD_SHIFT + PMD_BITS), REG2; \ -+ sllx VADDR, 64 - (PUD_SHIFT + PUD_BITS), REG2; \ - srlx REG2, 64 - PAGE_SHIFT, REG2; \ - andn REG2, 0x7, REG2; \ - ldxa [REG1 + REG2] ASI_PHYS_USE_EC, REG1; \ - brz,pn REG1, FAIL_LABEL; \ -- sllx VADDR, 64 - PMD_SHIFT, REG2; \ -+ sethi %uhi(_PAGE_PUD_HUGE), REG2; \ -+ brz,pn REG1, FAIL_LABEL; \ -+ sllx REG2, 32, REG2; \ -+ andcc REG1, REG2, %g0; \ -+ sethi %hi(0xf8000000), REG2; \ -+ bne,pt %xcc, 697f; \ -+ sllx REG2, 1, REG2; \ -+ sllx VADDR, 64 - (PMD_SHIFT + PMD_BITS), REG2; \ - srlx REG2, 64 - PAGE_SHIFT, REG2; \ - andn REG2, 0x7, REG2; \ -- add REG1, REG2, REG1; -+ ldxa [REG1 + REG2] ASI_PHYS_USE_EC, REG1; \ -+ sethi %uhi(_PAGE_PMD_HUGE), REG2; \ -+ brz,pn REG1, FAIL_LABEL; \ -+ sllx REG2, 32, REG2; \ -+ andcc REG1, REG2, %g0; \ -+ be,pn %xcc, 698f; \ -+ sethi %hi(0x400000), REG2; \ -+697: brgez,pn REG1, FAIL_LABEL; \ -+ andn REG1, REG2, REG1; \ -+ and VADDR, REG2, REG2; \ -+ ba,pt %xcc, 699f; \ -+ or REG1, REG2, REG1; \ -+698: sllx VADDR, 64 - PMD_SHIFT, REG2; \ -+ srlx REG2, 64 - PAGE_SHIFT, REG2; \ -+ andn REG2, 0x7, REG2; \ -+ ldxa [REG1 + REG2] ASI_PHYS_USE_EC, REG1; \ -+ brgez,pn REG1, FAIL_LABEL; \ -+ nop; \ -+699: - - /* PMD has been loaded into REG1, interpret the value, seeing - * if it is a HUGE PMD or a normal one. 
If it is not valid -@@ -198,6 +238,11 @@ extern struct tsb_phys_patch_entry __tsb_phys_patch, __tsb_phys_patch_end; - andn REG2, 0x7, REG2; \ - ldxa [PHYS_PGD + REG2] ASI_PHYS_USE_EC, REG1; \ - brz,pn REG1, FAIL_LABEL; \ -+ sllx VADDR, 64 - (PUD_SHIFT + PUD_BITS), REG2; \ -+ srlx REG2, 64 - PAGE_SHIFT, REG2; \ -+ andn REG2, 0x7, REG2; \ -+ ldxa [REG1 + REG2] ASI_PHYS_USE_EC, REG1; \ -+ brz,pn REG1, FAIL_LABEL; \ - sllx VADDR, 64 - (PMD_SHIFT + PMD_BITS), REG2; \ - srlx REG2, 64 - PAGE_SHIFT, REG2; \ - andn REG2, 0x7, REG2; \ -@@ -246,8 +291,6 @@ extern struct tsb_phys_patch_entry __tsb_phys_patch, __tsb_phys_patch_end; - (KERNEL_TSB_SIZE_BYTES / 16) - #define KERNEL_TSB4M_NENTRIES 4096 - --#define KTSB_PHYS_SHIFT 15 -- - /* Do a kernel TSB lookup at tl>0 on VADDR+TAG, branch to OK_LABEL - * on TSB hit. REG1, REG2, REG3, and REG4 are used as temporaries - * and the found TTE will be left in REG1. REG3 and REG4 must -@@ -256,17 +299,15 @@ extern struct tsb_phys_patch_entry __tsb_phys_patch, __tsb_phys_patch_end; - * VADDR and TAG will be preserved and not clobbered by this macro. - */ - #define KERN_TSB_LOOKUP_TL1(VADDR, TAG, REG1, REG2, REG3, REG4, OK_LABEL) \ --661: sethi %hi(swapper_tsb), REG1; \ -- or REG1, %lo(swapper_tsb), REG1; \ -+661: sethi %uhi(swapper_tsb), REG1; \ -+ sethi %hi(swapper_tsb), REG2; \ -+ or REG1, %ulo(swapper_tsb), REG1; \ -+ or REG2, %lo(swapper_tsb), REG2; \ - .section .swapper_tsb_phys_patch, "ax"; \ - .word 661b; \ - .previous; \ --661: nop; \ -- .section .tsb_ldquad_phys_patch, "ax"; \ -- .word 661b; \ -- sllx REG1, KTSB_PHYS_SHIFT, REG1; \ -- sllx REG1, KTSB_PHYS_SHIFT, REG1; \ -- .previous; \ -+ sllx REG1, 32, REG1; \ -+ or REG1, REG2, REG1; \ - srlx VADDR, PAGE_SHIFT, REG2; \ - and REG2, (KERNEL_TSB_NENTRIES - 1), REG2; \ - sllx REG2, 4, REG2; \ -@@ -281,17 +322,15 @@ extern struct tsb_phys_patch_entry __tsb_phys_patch, __tsb_phys_patch_end; - * we can make use of that for the index computation. 
- */ - #define KERN_TSB4M_LOOKUP_TL1(TAG, REG1, REG2, REG3, REG4, OK_LABEL) \ --661: sethi %hi(swapper_4m_tsb), REG1; \ -- or REG1, %lo(swapper_4m_tsb), REG1; \ -+661: sethi %uhi(swapper_4m_tsb), REG1; \ -+ sethi %hi(swapper_4m_tsb), REG2; \ -+ or REG1, %ulo(swapper_4m_tsb), REG1; \ -+ or REG2, %lo(swapper_4m_tsb), REG2; \ - .section .swapper_4m_tsb_phys_patch, "ax"; \ - .word 661b; \ - .previous; \ --661: nop; \ -- .section .tsb_ldquad_phys_patch, "ax"; \ -- .word 661b; \ -- sllx REG1, KTSB_PHYS_SHIFT, REG1; \ -- sllx REG1, KTSB_PHYS_SHIFT, REG1; \ -- .previous; \ -+ sllx REG1, 32, REG1; \ -+ or REG1, REG2, REG1; \ - and TAG, (KERNEL_TSB4M_NENTRIES - 1), REG2; \ - sllx REG2, 4, REG2; \ - add REG1, REG2, REG2; \ -diff --git a/arch/sparc/include/asm/visasm.h b/arch/sparc/include/asm/visasm.h -index 39ca301..11fdf0e 100644 ---- a/arch/sparc/include/asm/visasm.h -+++ b/arch/sparc/include/asm/visasm.h -@@ -39,6 +39,14 @@ - 297: wr %o5, FPRS_FEF, %fprs; \ - 298: - -+#define VISEntryHalfFast(fail_label) \ -+ rd %fprs, %o5; \ -+ andcc %o5, FPRS_FEF, %g0; \ -+ be,pt %icc, 297f; \ -+ nop; \ -+ ba,a,pt %xcc, fail_label; \ -+297: wr %o5, FPRS_FEF, %fprs; -+ - #define VISExitHalf \ - wr %o5, 0, %fprs; - -diff --git a/arch/sparc/kernel/cpu.c b/arch/sparc/kernel/cpu.c -index 5c51258..52e10de 100644 ---- a/arch/sparc/kernel/cpu.c -+++ b/arch/sparc/kernel/cpu.c -@@ -493,6 +493,18 @@ static void __init sun4v_cpu_probe(void) - sparc_pmu_type = "niagara5"; - break; - -+ case SUN4V_CHIP_SPARC_M6: -+ sparc_cpu_type = "SPARC-M6"; -+ sparc_fpu_type = "SPARC-M6 integrated FPU"; -+ sparc_pmu_type = "sparc-m6"; -+ break; -+ -+ case SUN4V_CHIP_SPARC_M7: -+ sparc_cpu_type = "SPARC-M7"; -+ sparc_fpu_type = "SPARC-M7 integrated FPU"; -+ sparc_pmu_type = "sparc-m7"; -+ break; -+ - case SUN4V_CHIP_SPARC64X: - sparc_cpu_type = "SPARC64-X"; - sparc_fpu_type = "SPARC64-X integrated FPU"; -diff --git a/arch/sparc/kernel/cpumap.c b/arch/sparc/kernel/cpumap.c -index de1c844..e69ec0e 100644 ---- 
a/arch/sparc/kernel/cpumap.c
-+++ b/arch/sparc/kernel/cpumap.c
-@@ -326,6 +326,8 @@ static int iterate_cpu(struct cpuinfo_tree *t, unsigned int root_index)
- case SUN4V_CHIP_NIAGARA3:
- case SUN4V_CHIP_NIAGARA4:
- case SUN4V_CHIP_NIAGARA5:
-+ case SUN4V_CHIP_SPARC_M6:
-+ case SUN4V_CHIP_SPARC_M7:
- case SUN4V_CHIP_SPARC64X:
- rover_inc_table = niagara_iterate_method;
- break;
-diff --git a/arch/sparc/kernel/ds.c b/arch/sparc/kernel/ds.c
-index dff60ab..f87a55d 100644
---- a/arch/sparc/kernel/ds.c
-+++ b/arch/sparc/kernel/ds.c
-@@ -1200,14 +1200,14 @@ static int ds_probe(struct vio_dev *vdev, const struct vio_device_id *id)
- ds_cfg.tx_irq = vdev->tx_irq;
- ds_cfg.rx_irq = vdev->rx_irq;
- 
-- lp = ldc_alloc(vdev->channel_id, &ds_cfg, dp);
-+ lp = ldc_alloc(vdev->channel_id, &ds_cfg, dp, "DS");
- if (IS_ERR(lp)) {
- err = PTR_ERR(lp);
- goto out_free_ds_states;
- }
- dp->lp = lp;
- 
-- err = ldc_bind(lp, "DS");
-+ err = ldc_bind(lp);
- if (err)
- goto out_free_ldc;
- 
-diff --git a/arch/sparc/kernel/dtlb_prot.S b/arch/sparc/kernel/dtlb_prot.S
-index b2c2c5b..d668ca14 100644
---- a/arch/sparc/kernel/dtlb_prot.S
-+++ b/arch/sparc/kernel/dtlb_prot.S
-@@ -24,11 +24,11 @@
- mov TLB_TAG_ACCESS, %g4 ! For reload of vaddr
- 
- /* PROT ** ICACHE line 2: More real fault processing */
-+ ldxa [%g4] ASI_DMMU, %g5 ! Put tagaccess in %g5
- bgu,pn %xcc, winfix_trampoline ! Yes, perform winfixup
-- ldxa [%g4] ASI_DMMU, %g5 ! Put tagaccess in %g5
-- ba,pt %xcc, sparc64_realfault_common ! Nope, normal fault
- mov FAULT_CODE_DTLB | FAULT_CODE_WRITE, %g4
-- nop
-+ ba,pt %xcc, sparc64_realfault_common !
Nope, normal fault
-+ nop
- nop
- nop
- nop
-diff --git a/arch/sparc/kernel/entry.h b/arch/sparc/kernel/entry.h
-index 140966f..c88ffb9 100644
---- a/arch/sparc/kernel/entry.h
-+++ b/arch/sparc/kernel/entry.h
-@@ -66,13 +66,10 @@ struct pause_patch_entry {
- extern struct pause_patch_entry __pause_3insn_patch,
- __pause_3insn_patch_end;
- 
--extern void __init per_cpu_patch(void);
- extern void sun4v_patch_1insn_range(struct sun4v_1insn_patch_entry *,
- struct sun4v_1insn_patch_entry *);
- extern void sun4v_patch_2insn_range(struct sun4v_2insn_patch_entry *,
- struct sun4v_2insn_patch_entry *);
--extern void __init sun4v_patch(void);
--extern void __init boot_cpu_id_too_large(int cpu);
- extern unsigned int dcache_parity_tl1_occurred;
- extern unsigned int icache_parity_tl1_occurred;
- 
-diff --git a/arch/sparc/kernel/head_64.S b/arch/sparc/kernel/head_64.S
-index 452f04f..3d61fca 100644
---- a/arch/sparc/kernel/head_64.S
-+++ b/arch/sparc/kernel/head_64.S
-@@ -427,6 +427,12 @@ sun4v_chip_type:
- cmp %g2, '5'
- be,pt %xcc, 5f
- mov SUN4V_CHIP_NIAGARA5, %g4
-+ cmp %g2, '6'
-+ be,pt %xcc, 5f
-+ mov SUN4V_CHIP_SPARC_M6, %g4
-+ cmp %g2, '7'
-+ be,pt %xcc, 5f
-+ mov SUN4V_CHIP_SPARC_M7, %g4
- ba,pt %xcc, 49f
- nop
- 
-@@ -585,6 +591,12 @@ niagara_tlb_fixup:
- cmp %g1, SUN4V_CHIP_NIAGARA5
- be,pt %xcc, niagara4_patch
- nop
-+ cmp %g1, SUN4V_CHIP_SPARC_M6
-+ be,pt %xcc, niagara4_patch
-+ nop
-+ cmp %g1, SUN4V_CHIP_SPARC_M7
-+ be,pt %xcc, niagara4_patch
-+ nop
- 
- call generic_patch_copyops
- nop
-@@ -660,14 +672,12 @@ tlb_fixup_done:
- sethi %hi(init_thread_union), %g6
- or %g6, %lo(init_thread_union), %g6
- ldx [%g6 + TI_TASK], %g4
-- mov %sp, %l6
- 
- wr %g0, ASI_P, %asi
- mov 1, %g1
- sllx %g1, THREAD_SHIFT, %g1
- sub %g1, (STACKFRAME_SZ + STACK_BIAS), %g1
- add %g6, %g1, %sp
-- mov 0, %fp
- 
- /* Set per-cpu pointer initially to zero, this makes
- * the boot-cpu use the in-kernel-image per-cpu areas
-@@ -694,44 +704,14 @@ tlb_fixup_done:
- nop
- #endif
- 
-- mov %l6, %o1 !
OpenPROM stack
- call prom_init
- mov %l7, %o0 ! OpenPROM cif handler
- 
-- /* Initialize current_thread_info()->cpu as early as possible.
-- * In order to do that accurately we have to patch up the get_cpuid()
-- * assembler sequences. And that, in turn, requires that we know
-- * if we are on a Starfire box or not. While we're here, patch up
-- * the sun4v sequences as well.
-+ /* To create a one-register-window buffer between the kernel's
-+ * initial stack and the last stack frame we use from the firmware,
-+ * do the rest of the boot from a C helper function.
- */
-- call check_if_starfire
-- nop
-- call per_cpu_patch
-- nop
-- call sun4v_patch
-- nop
--
--#ifdef CONFIG_SMP
-- call hard_smp_processor_id
-- nop
-- cmp %o0, NR_CPUS
-- blu,pt %xcc, 1f
-- nop
-- call boot_cpu_id_too_large
-- nop
-- /* Not reached... */
--
--1:
--#else
-- mov 0, %o0
--#endif
-- sth %o0, [%g6 + TI_CPU]
--
-- call prom_init_report
-- nop
--
-- /* Off we go.... */
-- call start_kernel
-+ call start_early_boot
- nop
- /* Not reached...
*/
-diff --git a/arch/sparc/kernel/hvapi.c b/arch/sparc/kernel/hvapi.c
-index c0a2de0..5c55145 100644
---- a/arch/sparc/kernel/hvapi.c
-+++ b/arch/sparc/kernel/hvapi.c
-@@ -46,6 +46,7 @@ static struct api_info api_table[] = {
- { .group = HV_GRP_VF_CPU, },
- { .group = HV_GRP_KT_CPU, },
- { .group = HV_GRP_VT_CPU, },
-+ { .group = HV_GRP_T5_CPU, },
- { .group = HV_GRP_DIAG, .flags = FLAG_PRE_API },
- };
- 
-diff --git a/arch/sparc/kernel/hvcalls.S b/arch/sparc/kernel/hvcalls.S
-index f3ab509..caedf83 100644
---- a/arch/sparc/kernel/hvcalls.S
-+++ b/arch/sparc/kernel/hvcalls.S
-@@ -821,3 +821,19 @@ ENTRY(sun4v_vt_set_perfreg)
- retl
- nop
- ENDPROC(sun4v_vt_set_perfreg)
-+
-+ENTRY(sun4v_t5_get_perfreg)
-+ mov %o1, %o4
-+ mov HV_FAST_T5_GET_PERFREG, %o5
-+ ta HV_FAST_TRAP
-+ stx %o1, [%o4]
-+ retl
-+ nop
-+ENDPROC(sun4v_t5_get_perfreg)
-+
-+ENTRY(sun4v_t5_set_perfreg)
-+ mov HV_FAST_T5_SET_PERFREG, %o5
-+ ta HV_FAST_TRAP
-+ retl
-+ nop
-+ENDPROC(sun4v_t5_set_perfreg)
-diff --git a/arch/sparc/kernel/hvtramp.S b/arch/sparc/kernel/hvtramp.S
-index b7ddcdd..cdbfec2 100644
---- a/arch/sparc/kernel/hvtramp.S
-+++ b/arch/sparc/kernel/hvtramp.S
-@@ -109,7 +109,6 @@ hv_cpu_startup:
- sllx %g5, THREAD_SHIFT, %g5
- sub %g5, (STACKFRAME_SZ + STACK_BIAS), %g5
- add %g6, %g5, %sp
-- mov 0, %fp
- 
- call init_irqwork_curcpu
- nop
-diff --git a/arch/sparc/kernel/ioport.c b/arch/sparc/kernel/ioport.c
-index e7e215d..c2d81ad 100644
---- a/arch/sparc/kernel/ioport.c
-+++ b/arch/sparc/kernel/ioport.c
-@@ -278,7 +278,8 @@ static void *sbus_alloc_coherent(struct device *dev, size_t len,
- }
- 
- order = get_order(len_total);
-- if ((va = __get_free_pages(GFP_KERNEL|__GFP_COMP, order)) == 0)
-+ va = __get_free_pages(gfp, order);
-+ if (va == 0)
- goto err_nopages;
- 
- if ((res = kzalloc(sizeof(struct resource), GFP_KERNEL)) == NULL)
-@@ -443,7 +444,7 @@ static void *pci32_alloc_coherent(struct device *dev, size_t len,
- }
- 
- order = get_order(len_total);
-- va = (void *)
__get_free_pages(GFP_KERNEL, order); -+ va = (void *) __get_free_pages(gfp, order); - if (va == NULL) { - printk("pci_alloc_consistent: no %ld pages\n", len_total>>PAGE_SHIFT); - goto err_nopages; -diff --git a/arch/sparc/kernel/irq_64.c b/arch/sparc/kernel/irq_64.c -index 666193f..4033c23 100644 ---- a/arch/sparc/kernel/irq_64.c -+++ b/arch/sparc/kernel/irq_64.c -@@ -47,8 +47,6 @@ - #include "cpumap.h" - #include "kstack.h" - --#define NUM_IVECS (IMAP_INR + 1) -- - struct ino_bucket *ivector_table; - unsigned long ivector_table_pa; - -@@ -107,55 +105,196 @@ static void bucket_set_irq(unsigned long bucket_pa, unsigned int irq) - - #define irq_work_pa(__cpu) &(trap_block[(__cpu)].irq_worklist_pa) - --static struct { -- unsigned int dev_handle; -- unsigned int dev_ino; -- unsigned int in_use; --} irq_table[NR_IRQS]; --static DEFINE_SPINLOCK(irq_alloc_lock); -+static unsigned long hvirq_major __initdata; -+static int __init early_hvirq_major(char *p) -+{ -+ int rc = kstrtoul(p, 10, &hvirq_major); -+ -+ return rc; -+} -+early_param("hvirq", early_hvirq_major); -+ -+static int hv_irq_version; -+ -+/* Major version 2.0 of HV_GRP_INTR added support for the VIRQ cookie -+ * based interfaces, but: -+ * -+ * 1) Several OSs, Solaris and Linux included, use them even when only -+ * negotiating version 1.0 (or failing to negotiate at all). So the -+ * hypervisor has a workaround that provides the VIRQ interfaces even -+ * when only verion 1.0 of the API is in use. -+ * -+ * 2) Second, and more importantly, with major version 2.0 these VIRQ -+ * interfaces only were actually hooked up for LDC interrupts, even -+ * though the Hypervisor specification clearly stated: -+ * -+ * The new interrupt API functions will be available to a guest -+ * when it negotiates version 2.0 in the interrupt API group 0x2. 
When -+ * a guest negotiates version 2.0, all interrupt sources will only -+ * support using the cookie interface, and any attempt to use the -+ * version 1.0 interrupt APIs numbered 0xa0 to 0xa6 will result in the -+ * ENOTSUPPORTED error being returned. -+ * -+ * with an emphasis on "all interrupt sources". -+ * -+ * To correct this, major version 3.0 was created which does actually -+ * support VIRQs for all interrupt sources (not just LDC devices). So -+ * if we want to move completely over the cookie based VIRQs we must -+ * negotiate major version 3.0 or later of HV_GRP_INTR. -+ */ -+static bool sun4v_cookie_only_virqs(void) -+{ -+ if (hv_irq_version >= 3) -+ return true; -+ return false; -+} - --unsigned char irq_alloc(unsigned int dev_handle, unsigned int dev_ino) -+static void __init irq_init_hv(void) - { -- unsigned long flags; -- unsigned char ent; -+ unsigned long hv_error, major, minor = 0; -+ -+ if (tlb_type != hypervisor) -+ return; - -- BUILD_BUG_ON(NR_IRQS >= 256); -+ if (hvirq_major) -+ major = hvirq_major; -+ else -+ major = 3; - -- spin_lock_irqsave(&irq_alloc_lock, flags); -+ hv_error = sun4v_hvapi_register(HV_GRP_INTR, major, &minor); -+ if (!hv_error) -+ hv_irq_version = major; -+ else -+ hv_irq_version = 1; - -- for (ent = 1; ent < NR_IRQS; ent++) { -- if (!irq_table[ent].in_use) -+ pr_info("SUN4V: Using IRQ API major %d, cookie only virqs %s\n", -+ hv_irq_version, -+ sun4v_cookie_only_virqs() ? 
"enabled" : "disabled"); -+} -+ -+/* This function is for the timer interrupt.*/ -+int __init arch_probe_nr_irqs(void) -+{ -+ return 1; -+} -+ -+#define DEFAULT_NUM_IVECS (0xfffU) -+static unsigned int nr_ivec = DEFAULT_NUM_IVECS; -+#define NUM_IVECS (nr_ivec) -+ -+static unsigned int __init size_nr_ivec(void) -+{ -+ if (tlb_type == hypervisor) { -+ switch (sun4v_chip_type) { -+ /* Athena's devhandle|devino is large.*/ -+ case SUN4V_CHIP_SPARC64X: -+ nr_ivec = 0xffff; - break; -+ } - } -- if (ent >= NR_IRQS) { -- printk(KERN_ERR "IRQ: Out of virtual IRQs.\n"); -- ent = 0; -- } else { -- irq_table[ent].dev_handle = dev_handle; -- irq_table[ent].dev_ino = dev_ino; -- irq_table[ent].in_use = 1; -- } -+ return nr_ivec; -+} -+ -+struct irq_handler_data { -+ union { -+ struct { -+ unsigned int dev_handle; -+ unsigned int dev_ino; -+ }; -+ unsigned long sysino; -+ }; -+ struct ino_bucket bucket; -+ unsigned long iclr; -+ unsigned long imap; -+}; -+ -+static inline unsigned int irq_data_to_handle(struct irq_data *data) -+{ -+ struct irq_handler_data *ihd = data->handler_data; -+ -+ return ihd->dev_handle; -+} -+ -+static inline unsigned int irq_data_to_ino(struct irq_data *data) -+{ -+ struct irq_handler_data *ihd = data->handler_data; - -- spin_unlock_irqrestore(&irq_alloc_lock, flags); -+ return ihd->dev_ino; -+} -+ -+static inline unsigned long irq_data_to_sysino(struct irq_data *data) -+{ -+ struct irq_handler_data *ihd = data->handler_data; - -- return ent; -+ return ihd->sysino; - } - --#ifdef CONFIG_PCI_MSI - void irq_free(unsigned int irq) - { -- unsigned long flags; -+ void *data = irq_get_handler_data(irq); - -- if (irq >= NR_IRQS) -- return; -+ kfree(data); -+ irq_set_handler_data(irq, NULL); -+ irq_free_descs(irq, 1); -+} - -- spin_lock_irqsave(&irq_alloc_lock, flags); -+unsigned int irq_alloc(unsigned int dev_handle, unsigned int dev_ino) -+{ -+ int irq; - -- irq_table[irq].in_use = 0; -+ irq = __irq_alloc_descs(-1, 1, 1, numa_node_id(), NULL); -+ if (irq <= 
0)
-+ goto out;
- 
-- spin_unlock_irqrestore(&irq_alloc_lock, flags);
-+ return irq;
-+out:
-+ return 0;
-+}
-+
-+static unsigned int cookie_exists(u32 devhandle, unsigned int devino)
-+{
-+ unsigned long hv_err, cookie;
-+ struct ino_bucket *bucket;
-+ unsigned int irq = 0U;
-+
-+ hv_err = sun4v_vintr_get_cookie(devhandle, devino, &cookie);
-+ if (hv_err) {
-+ pr_err("HV get cookie failed hv_err = %ld\n", hv_err);
-+ goto out;
-+ }
-+
-+ if (cookie & ((1UL << 63UL))) {
-+ cookie = ~cookie;
-+ bucket = (struct ino_bucket *) __va(cookie);
-+ irq = bucket->__irq;
-+ }
-+out:
-+ return irq;
-+}
-+
-+static unsigned int sysino_exists(u32 devhandle, unsigned int devino)
-+{
-+ unsigned long sysino = sun4v_devino_to_sysino(devhandle, devino);
-+ struct ino_bucket *bucket;
-+ unsigned int irq;
-+
-+ bucket = &ivector_table[sysino];
-+ irq = bucket_get_irq(__pa(bucket));
-+
-+ return irq;
-+}
-+
-+void ack_bad_irq(unsigned int irq)
-+{
-+ pr_crit("BAD IRQ ack %d\n", irq);
-+}
-+
-+void irq_install_pre_handler(int irq,
-+ void (*func)(unsigned int, void *, void *),
-+ void *arg1, void *arg2)
-+{
-+ pr_warn("IRQ pre handler NOT supported.\n");
- }
--#endif
- 
- /*
- * /proc/interrupts printing:
-@@ -206,15 +345,6 @@ static unsigned int sun4u_compute_tid(unsigned long imap, unsigned long cpuid)
- return tid;
- }
- 
--struct irq_handler_data {
-- unsigned long iclr;
-- unsigned long imap;
--
-- void (*pre_handler)(unsigned int, void *, void *);
-- void *arg1;
-- void *arg2;
--};
--
- #ifdef CONFIG_SMP
- static int irq_choose_cpu(unsigned int irq, const struct cpumask *affinity)
- {
-@@ -316,8 +446,8 @@ static void sun4u_irq_eoi(struct irq_data *data)
- 
- static void sun4v_irq_enable(struct irq_data *data)
- {
-- unsigned int ino = irq_table[data->irq].dev_ino;
- unsigned long cpuid = irq_choose_cpu(data->irq, data->affinity);
-+ unsigned int ino = irq_data_to_sysino(data);
- int err;
- 
- err = sun4v_intr_settarget(ino, cpuid);
-@@ -337,8 +467,8 @@ static void 
sun4v_irq_enable(struct irq_data *data)
- static int sun4v_set_affinity(struct irq_data *data,
- const struct cpumask *mask, bool force)
- {
-- unsigned int ino = irq_table[data->irq].dev_ino;
- unsigned long cpuid = irq_choose_cpu(data->irq, mask);
-+ unsigned int ino = irq_data_to_sysino(data);
- int err;
- 
- err = sun4v_intr_settarget(ino, cpuid);
-@@ -351,7 +481,7 @@ static int sun4v_set_affinity(struct irq_data *data,
- 
- static void sun4v_irq_disable(struct irq_data *data)
- {
-- unsigned int ino = irq_table[data->irq].dev_ino;
-+ unsigned int ino = irq_data_to_sysino(data);
- int err;
- 
- err = sun4v_intr_setenabled(ino, HV_INTR_DISABLED);
-@@ -362,7 +492,7 @@ static void sun4v_irq_disable(struct irq_data *data)
- 
- static void sun4v_irq_eoi(struct irq_data *data)
- {
-- unsigned int ino = irq_table[data->irq].dev_ino;
-+ unsigned int ino = irq_data_to_sysino(data);
- int err;
- 
- err = sun4v_intr_setstate(ino, HV_INTR_STATE_IDLE);
-@@ -373,14 +503,13 @@ static void sun4v_irq_eoi(struct irq_data *data)
- 
- static void sun4v_virq_enable(struct irq_data *data)
- {
-- unsigned long cpuid, dev_handle, dev_ino;
-+ unsigned long dev_handle = irq_data_to_handle(data);
-+ unsigned long dev_ino = irq_data_to_ino(data);
-+ unsigned long cpuid;
- int err;
- 
- cpuid = irq_choose_cpu(data->irq, data->affinity);
- 
-- dev_handle = irq_table[data->irq].dev_handle;
-- dev_ino = irq_table[data->irq].dev_ino;
--
- err = sun4v_vintr_set_target(dev_handle, dev_ino, cpuid);
- if (err != HV_EOK)
- printk(KERN_ERR "sun4v_vintr_set_target(%lx,%lx,%lu): "
-@@ -403,14 +532,13 @@ static void sun4v_virq_enable(struct irq_data *data)
- static int sun4v_virt_set_affinity(struct irq_data *data,
- const struct cpumask *mask, bool force)
- {
-- unsigned long cpuid, dev_handle, dev_ino;
-+ unsigned long dev_handle = irq_data_to_handle(data);
-+ unsigned long dev_ino = irq_data_to_ino(data);
-+ unsigned long cpuid;
- int err;
- 
- cpuid = irq_choose_cpu(data->irq, mask);
- 
-- dev_handle = 
irq_table[data->irq].dev_handle;
-- dev_ino = irq_table[data->irq].dev_ino;
--
- err = sun4v_vintr_set_target(dev_handle, dev_ino, cpuid);
- if (err != HV_EOK)
- printk(KERN_ERR "sun4v_vintr_set_target(%lx,%lx,%lu): "
-@@ -422,11 +550,10 @@ static int sun4v_virt_set_affinity(struct irq_data *data,
- 
- static void sun4v_virq_disable(struct irq_data *data)
- {
-- unsigned long dev_handle, dev_ino;
-+ unsigned long dev_handle = irq_data_to_handle(data);
-+ unsigned long dev_ino = irq_data_to_ino(data);
- int err;
- 
-- dev_handle = irq_table[data->irq].dev_handle;
-- dev_ino = irq_table[data->irq].dev_ino;
- 
- err = sun4v_vintr_set_valid(dev_handle, dev_ino,
- HV_INTR_DISABLED);
-@@ -438,12 +565,10 @@ static void sun4v_virq_disable(struct irq_data *data)
- 
- static void sun4v_virq_eoi(struct irq_data *data)
- {
-- unsigned long dev_handle, dev_ino;
-+ unsigned long dev_handle = irq_data_to_handle(data);
-+ unsigned long dev_ino = irq_data_to_ino(data);
- int err;
- 
-- dev_handle = irq_table[data->irq].dev_handle;
-- dev_ino = irq_table[data->irq].dev_ino;
--
- err = sun4v_vintr_set_state(dev_handle, dev_ino,
- HV_INTR_STATE_IDLE);
- if (err != HV_EOK)
-@@ -479,31 +604,10 @@ static struct irq_chip sun4v_virq = {
- .flags = IRQCHIP_EOI_IF_HANDLED,
- };
- 
--static void pre_flow_handler(struct irq_data *d)
--{
-- struct irq_handler_data *handler_data = irq_data_get_irq_handler_data(d);
-- unsigned int ino = irq_table[d->irq].dev_ino;
--
-- handler_data->pre_handler(ino, handler_data->arg1, handler_data->arg2);
--}
--
--void irq_install_pre_handler(int irq,
-- void (*func)(unsigned int, void *, void *),
-- void *arg1, void *arg2)
--{
-- struct irq_handler_data *handler_data = irq_get_handler_data(irq);
--
-- handler_data->pre_handler = func;
-- handler_data->arg1 = arg1;
-- handler_data->arg2 = arg2;
--
-- __irq_set_preflow_handler(irq, pre_flow_handler);
--}
--
- unsigned int build_irq(int inofixup, unsigned long iclr, unsigned long imap)
- {
-- struct ino_bucket *bucket;
- struct irq_handler_data *handler_data;
-+ struct ino_bucket *bucket;
- unsigned int irq;
- int ino;
- 
-@@ -537,119 +641,166 @@ out:
- return irq;
- }
- 
--static unsigned int sun4v_build_common(unsigned long sysino,
-- struct irq_chip *chip)
-+static unsigned int sun4v_build_common(u32 devhandle, unsigned int devino,
-+ void (*handler_data_init)(struct irq_handler_data *data,
-+ u32 devhandle, unsigned int devino),
-+ struct irq_chip *chip)
- {
-- struct ino_bucket *bucket;
-- struct irq_handler_data *handler_data;
-+ struct irq_handler_data *data;
- unsigned int irq;
- 
-- BUG_ON(tlb_type != hypervisor);
-+ irq = irq_alloc(devhandle, devino);
-+ if (!irq)
-+ goto out;
- 
-- bucket = &ivector_table[sysino];
-- irq = bucket_get_irq(__pa(bucket));
-- if (!irq) {
-- irq = irq_alloc(0, sysino);
-- bucket_set_irq(__pa(bucket), irq);
-- irq_set_chip_and_handler_name(irq, chip, handle_fasteoi_irq,
-- "IVEC");
-+ data = kzalloc(sizeof(struct irq_handler_data), GFP_ATOMIC);
-+ if (unlikely(!data)) {
-+ pr_err("IRQ handler data allocation failed.\n");
-+ irq_free(irq);
-+ irq = 0;
-+ goto out;
- }
- 
-- handler_data = irq_get_handler_data(irq);
-- if (unlikely(handler_data))
-- goto out;
-+ irq_set_handler_data(irq, data);
-+ handler_data_init(data, devhandle, devino);
-+ irq_set_chip_and_handler_name(irq, chip, handle_fasteoi_irq, "IVEC");
-+ data->imap = ~0UL;
-+ data->iclr = ~0UL;
-+out:
-+ return irq;
-+}
- 
-- handler_data = kzalloc(sizeof(struct irq_handler_data), GFP_ATOMIC);
-- if (unlikely(!handler_data)) {
-- prom_printf("IRQ: kzalloc(irq_handler_data) failed.\n");
-- prom_halt();
-- }
-- irq_set_handler_data(irq, handler_data);
-+static unsigned long cookie_assign(unsigned int irq, u32 devhandle,
-+ unsigned int devino)
-+{
-+ struct irq_handler_data *ihd = irq_get_handler_data(irq);
-+ unsigned long hv_error, cookie;
- 
-- /* Catch accidental accesses to these things. 
IMAP/ICLR handling
-- * is done by hypervisor calls on sun4v platforms, not by direct
-- * register accesses.
-+ /* handler_irq needs to find the irq. cookie is seen signed in
-+ * sun4v_dev_mondo and treated as a non ivector_table delivery.
- */
-- handler_data->imap = ~0UL;
-- handler_data->iclr = ~0UL;
-+ ihd->bucket.__irq = irq;
-+ cookie = ~__pa(&ihd->bucket);
- 
--out:
-- return irq;
-+ hv_error = sun4v_vintr_set_cookie(devhandle, devino, cookie);
-+ if (hv_error)
-+ pr_err("HV vintr set cookie failed = %ld\n", hv_error);
-+
-+ return hv_error;
- }
- 
--unsigned int sun4v_build_irq(u32 devhandle, unsigned int devino)
-+static void cookie_handler_data(struct irq_handler_data *data,
-+ u32 devhandle, unsigned int devino)
- {
-- unsigned long sysino = sun4v_devino_to_sysino(devhandle, devino);
-+ data->dev_handle = devhandle;
-+ data->dev_ino = devino;
-+}
- 
-- return sun4v_build_common(sysino, &sun4v_irq);
-+static unsigned int cookie_build_irq(u32 devhandle, unsigned int devino,
-+ struct irq_chip *chip)
-+{
-+ unsigned long hv_error;
-+ unsigned int irq;
-+
-+ irq = sun4v_build_common(devhandle, devino, cookie_handler_data, chip);
-+
-+ hv_error = cookie_assign(irq, devhandle, devino);
-+ if (hv_error) {
-+ irq_free(irq);
-+ irq = 0;
-+ }
-+
-+ return irq;
- }
- 
--unsigned int sun4v_build_virq(u32 devhandle, unsigned int devino)
-+static unsigned int sun4v_build_cookie(u32 devhandle, unsigned int devino)
- {
-- struct irq_handler_data *handler_data;
-- unsigned long hv_err, cookie;
-- struct ino_bucket *bucket;
- unsigned int irq;
- 
-- bucket = kzalloc(sizeof(struct ino_bucket), GFP_ATOMIC);
-- if (unlikely(!bucket))
-- return 0;
-+ irq = cookie_exists(devhandle, devino);
-+ if (irq)
-+ goto out;
- 
-- /* The only reference we store to the IRQ bucket is
-- * by physical address which kmemleak can't see, tell
-- * it that this object explicitly is not a leak and
-- * should be scanned. 
-- */
-- kmemleak_not_leak(bucket);
-+ irq = cookie_build_irq(devhandle, devino, &sun4v_virq);
- 
-- __flush_dcache_range((unsigned long) bucket,
-- ((unsigned long) bucket +
-- sizeof(struct ino_bucket)));
-+out:
-+ return irq;
-+}
- 
-- irq = irq_alloc(devhandle, devino);
-+static void sysino_set_bucket(unsigned int irq)
-+{
-+ struct irq_handler_data *ihd = irq_get_handler_data(irq);
-+ struct ino_bucket *bucket;
-+ unsigned long sysino;
-+
-+ sysino = sun4v_devino_to_sysino(ihd->dev_handle, ihd->dev_ino);
-+ BUG_ON(sysino >= nr_ivec);
-+ bucket = &ivector_table[sysino];
- bucket_set_irq(__pa(bucket), irq);
-+}
- 
-- irq_set_chip_and_handler_name(irq, &sun4v_virq, handle_fasteoi_irq,
-- "IVEC");
-+static void sysino_handler_data(struct irq_handler_data *data,
-+ u32 devhandle, unsigned int devino)
-+{
-+ unsigned long sysino;
- 
-- handler_data = kzalloc(sizeof(struct irq_handler_data), GFP_ATOMIC);
-- if (unlikely(!handler_data))
-- return 0;
-+ sysino = sun4v_devino_to_sysino(devhandle, devino);
-+ data->sysino = sysino;
-+}
- 
-- /* In order to make the LDC channel startup sequence easier,
-- * especially wrt. locking, we do not let request_irq() enable
-- * the interrupt.
-- */
-- irq_set_status_flags(irq, IRQ_NOAUTOEN);
-- irq_set_handler_data(irq, handler_data);
-+static unsigned int sysino_build_irq(u32 devhandle, unsigned int devino,
-+ struct irq_chip *chip)
-+{
-+ unsigned int irq;
- 
-- /* Catch accidental accesses to these things. IMAP/ICLR handling
-- * is done by hypervisor calls on sun4v platforms, not by direct
-- * register accesses. 
-- */
-- handler_data->imap = ~0UL;
-- handler_data->iclr = ~0UL;
-+ irq = sun4v_build_common(devhandle, devino, sysino_handler_data, chip);
-+ if (!irq)
-+ goto out;
- 
-- cookie = ~__pa(bucket);
-- hv_err = sun4v_vintr_set_cookie(devhandle, devino, cookie);
-- if (hv_err) {
-- prom_printf("IRQ: Fatal, cannot set cookie for [%x:%x] "
-- "err=%lu\n", devhandle, devino, hv_err);
-- prom_halt();
-- }
-+ sysino_set_bucket(irq);
-+out:
-+ return irq;
-+}
- 
-+static int sun4v_build_sysino(u32 devhandle, unsigned int devino)
-+{
-+ int irq;
-+
-+ irq = sysino_exists(devhandle, devino);
-+ if (irq)
-+ goto out;
-+
-+ irq = sysino_build_irq(devhandle, devino, &sun4v_irq);
-+out:
- return irq;
- }
- 
--void ack_bad_irq(unsigned int irq)
-+unsigned int sun4v_build_irq(u32 devhandle, unsigned int devino)
- {
-- unsigned int ino = irq_table[irq].dev_ino;
-+ unsigned int irq;
- 
-- if (!ino)
-- ino = 0xdeadbeef;
-+ if (sun4v_cookie_only_virqs())
-+ irq = sun4v_build_cookie(devhandle, devino);
-+ else
-+ irq = sun4v_build_sysino(devhandle, devino);
- 
-- printk(KERN_CRIT "Unexpected IRQ from ino[%x] irq[%u]\n",
-- ino, irq);
-+ return irq;
-+}
-+
-+unsigned int sun4v_build_virq(u32 devhandle, unsigned int devino)
-+{
-+ int irq;
-+
-+ irq = cookie_build_irq(devhandle, devino, &sun4v_virq);
-+ if (!irq)
-+ goto out;
-+
-+ /* This is borrowed from the original function. 
-+ */
-+ irq_set_status_flags(irq, IRQ_NOAUTOEN);
-+
-+out:
-+ return irq;
- }
- 
- void *hardirq_stack[NR_CPUS];
-@@ -720,9 +871,12 @@ void fixup_irqs(void)
- 
- for (irq = 0; irq < NR_IRQS; irq++) {
- struct irq_desc *desc = irq_to_desc(irq);
-- struct irq_data *data = irq_desc_get_irq_data(desc);
-+ struct irq_data *data;
- unsigned long flags;
- 
-+ if (!desc)
-+ continue;
-+ data = irq_desc_get_irq_data(desc);
- raw_spin_lock_irqsave(&desc->lock, flags);
- if (desc->action && !irqd_is_per_cpu(data)) {
- if (data->chip->irq_set_affinity)
-@@ -922,16 +1076,22 @@ static struct irqaction timer_irq_action = {
- .name = "timer",
- };
- 
--/* Only invoked on boot processor. */
--void __init init_IRQ(void)
-+static void __init irq_ivector_init(void)
- {
-- unsigned long size;
-+ unsigned long size, order;
-+ unsigned int ivecs;
- 
-- map_prom_timers();
-- kill_prom_timer();
-+ /* If we are doing cookie only VIRQs then we do not need the ivector
-+ * table to process interrupts.
-+ */
-+ if (sun4v_cookie_only_virqs())
-+ return;
- 
-- size = sizeof(struct ino_bucket) * NUM_IVECS;
-- ivector_table = kzalloc(size, GFP_KERNEL);
-+ ivecs = size_nr_ivec();
-+ size = sizeof(struct ino_bucket) * ivecs;
-+ order = get_order(size);
-+ ivector_table = (struct ino_bucket *)
-+ __get_free_pages(GFP_KERNEL | __GFP_ZERO, order);
- if (!ivector_table) {
- prom_printf("Fatal error, cannot allocate ivector_table\n");
- prom_halt();
-@@ -940,6 +1100,15 @@ void __init init_IRQ(void)
- ((unsigned long) ivector_table) + size);
- 
- ivector_table_pa = __pa(ivector_table);
-+}
-+
-+/* Only invoked on boot processor.*/
-+void __init init_IRQ(void)
-+{
-+ irq_init_hv();
-+ irq_ivector_init();
-+ map_prom_timers();
-+ kill_prom_timer();
- 
- if (tlb_type == hypervisor)
- sun4v_init_mondo_queues();
-diff --git a/arch/sparc/kernel/ktlb.S b/arch/sparc/kernel/ktlb.S
-index 605d492..ef0d8e9 100644
---- a/arch/sparc/kernel/ktlb.S
-+++ b/arch/sparc/kernel/ktlb.S
-@@ -47,14 +47,6 @@ kvmap_itlb_vmalloc_addr:
- 
KERN_PGTABLE_WALK(%g4, %g5, %g2, kvmap_itlb_longpath)
- 
- TSB_LOCK_TAG(%g1, %g2, %g7)
--
-- /* Load and check PTE. */
-- ldxa [%g5] ASI_PHYS_USE_EC, %g5
-- mov 1, %g7
-- sllx %g7, TSB_TAG_INVALID_BIT, %g7
-- brgez,a,pn %g5, kvmap_itlb_longpath
-- TSB_STORE(%g1, %g7)
--
- TSB_WRITE(%g1, %g5, %g6)
- 
- /* fallthrough to TLB load */
-@@ -118,6 +110,12 @@ kvmap_dtlb_obp:
- ba,pt %xcc, kvmap_dtlb_load
- nop
- 
-+kvmap_linear_early:
-+ sethi %hi(kern_linear_pte_xor), %g7
-+ ldx [%g7 + %lo(kern_linear_pte_xor)], %g2
-+ ba,pt %xcc, kvmap_dtlb_tsb4m_load
-+ xor %g2, %g4, %g5
-+
- .align 32
- kvmap_dtlb_tsb4m_load:
- TSB_LOCK_TAG(%g1, %g2, %g7)
-@@ -146,105 +144,17 @@ kvmap_dtlb_4v:
- /* Correct TAG_TARGET is already in %g6, check 4mb TSB. */
- KERN_TSB4M_LOOKUP_TL1(%g6, %g5, %g1, %g2, %g3, kvmap_dtlb_load)
- #endif
-- /* TSB entry address left in %g1, lookup linear PTE.
-- * Must preserve %g1 and %g6 (TAG).
-- */
--kvmap_dtlb_tsb4m_miss:
-- /* Clear the PAGE_OFFSET top virtual bits, shift
-- * down to get PFN, and make sure PFN is in range.
-- */
--661: sllx %g4, 0, %g5
-- .section .page_offset_shift_patch, "ax"
-- .word 661b
-- .previous
--
-- /* Check to see if we know about valid memory at the 4MB
-- * chunk this physical address will reside within.
-+ /* Linear mapping TSB lookup failed. Fallthrough to kernel
-+ * page table based lookup.
- */
--661: srlx %g5, MAX_PHYS_ADDRESS_BITS, %g2
-- .section .page_offset_shift_patch, "ax"
-- .word 661b
-- .previous
--
-- brnz,pn %g2, kvmap_dtlb_longpath
-- nop
--
-- /* This unconditional branch and delay-slot nop gets patched
-- * by the sethi sequence once the bitmap is properly setup. 
-- */
-- .globl valid_addr_bitmap_insn
--valid_addr_bitmap_insn:
-- ba,pt %xcc, 2f
-- nop
-- .subsection 2
-- .globl valid_addr_bitmap_patch
--valid_addr_bitmap_patch:
-- sethi %hi(sparc64_valid_addr_bitmap), %g7
-- or %g7, %lo(sparc64_valid_addr_bitmap), %g7
-- .previous
--
--661: srlx %g5, ILOG2_4MB, %g2
-- .section .page_offset_shift_patch, "ax"
-- .word 661b
-- .previous
--
-- srlx %g2, 6, %g5
-- and %g2, 63, %g2
-- sllx %g5, 3, %g5
-- ldx [%g7 + %g5], %g5
-- mov 1, %g7
-- sllx %g7, %g2, %g7
-- andcc %g5, %g7, %g0
-- be,pn %xcc, kvmap_dtlb_longpath
--
--2: sethi %hi(kpte_linear_bitmap), %g2
--
-- /* Get the 256MB physical address index. */
--661: sllx %g4, 0, %g5
-- .section .page_offset_shift_patch, "ax"
-- .word 661b
-- .previous
--
-- or %g2, %lo(kpte_linear_bitmap), %g2
--
--661: srlx %g5, ILOG2_256MB, %g5
-- .section .page_offset_shift_patch, "ax"
-- .word 661b
-- .previous
--
-- and %g5, (32 - 1), %g7
--
-- /* Divide by 32 to get the offset into the bitmask. */
-- srlx %g5, 5, %g5
-- add %g7, %g7, %g7
-- sllx %g5, 3, %g5
--
-- /* kern_linear_pte_xor[(mask >> shift) & 3)] */
-- ldx [%g2 + %g5], %g2
-- srlx %g2, %g7, %g7
-- sethi %hi(kern_linear_pte_xor), %g5
-- and %g7, 3, %g7
-- or %g5, %lo(kern_linear_pte_xor), %g5
-- sllx %g7, 3, %g7
-- ldx [%g5 + %g7], %g2
--
- .globl kvmap_linear_patch
- kvmap_linear_patch:
-- ba,pt %xcc, kvmap_dtlb_tsb4m_load
-- xor %g2, %g4, %g5
-+ ba,a,pt %xcc, kvmap_linear_early
- 
- kvmap_dtlb_vmalloc_addr:
- KERN_PGTABLE_WALK(%g4, %g5, %g2, kvmap_dtlb_longpath)
- 
- TSB_LOCK_TAG(%g1, %g2, %g7)
--
-- /* Load and check PTE. 
*/
-- ldxa [%g5] ASI_PHYS_USE_EC, %g5
-- mov 1, %g7
-- sllx %g7, TSB_TAG_INVALID_BIT, %g7
-- brgez,a,pn %g5, kvmap_dtlb_longpath
-- TSB_STORE(%g1, %g7)
--
- TSB_WRITE(%g1, %g5, %g6)
- 
- /* fallthrough to TLB load */
-@@ -276,13 +186,8 @@ kvmap_dtlb_load:
- 
- #ifdef CONFIG_SPARSEMEM_VMEMMAP
- kvmap_vmemmap:
-- sub %g4, %g5, %g5
-- srlx %g5, ILOG2_4MB, %g5
-- sethi %hi(vmemmap_table), %g1
-- sllx %g5, 3, %g5
-- or %g1, %lo(vmemmap_table), %g1
-- ba,pt %xcc, kvmap_dtlb_load
-- ldx [%g1 + %g5], %g5
-+ KERN_PGTABLE_WALK(%g4, %g5, %g2, kvmap_dtlb_longpath)
-+ ba,a,pt %xcc, kvmap_dtlb_load
- #endif
- 
- kvmap_dtlb_nonlinear:
-@@ -294,8 +199,8 @@ kvmap_dtlb_nonlinear:
- 
- #ifdef CONFIG_SPARSEMEM_VMEMMAP
- /* Do not use the TSB for vmemmap. */
-- mov (VMEMMAP_BASE >> 40), %g5
-- sllx %g5, 40, %g5
-+ sethi %hi(VMEMMAP_BASE), %g5
-+ ldx [%g5 + %lo(VMEMMAP_BASE)], %g5
- cmp %g4,%g5
- bgeu,pn %xcc, kvmap_vmemmap
- nop
-@@ -307,8 +212,8 @@ kvmap_dtlb_tsbmiss:
- sethi %hi(MODULES_VADDR), %g5
- cmp %g4, %g5
- blu,pn %xcc, kvmap_dtlb_longpath
-- mov (VMALLOC_END >> 40), %g5
-- sllx %g5, 40, %g5
-+ sethi %hi(VMALLOC_END), %g5
-+ ldx [%g5 + %lo(VMALLOC_END)], %g5
- cmp %g4, %g5
- bgeu,pn %xcc, kvmap_dtlb_longpath
- nop
-diff --git a/arch/sparc/kernel/ldc.c b/arch/sparc/kernel/ldc.c
-index 66dacd5..27bb554 100644
---- a/arch/sparc/kernel/ldc.c
-+++ b/arch/sparc/kernel/ldc.c
-@@ -1078,7 +1078,8 @@ static void ldc_iommu_release(struct ldc_channel *lp)
- 
- struct ldc_channel *ldc_alloc(unsigned long id,
- const struct ldc_channel_config *cfgp,
-- void *event_arg)
-+ void *event_arg,
-+ const char *name)
- {
- struct ldc_channel *lp;
- const struct ldc_mode_ops *mops;
-@@ -1093,6 +1094,8 @@ struct ldc_channel *ldc_alloc(unsigned long id,
- err = -EINVAL;
- if (!cfgp)
- goto out_err;
-+ if (!name)
-+ goto out_err;
- 
- switch (cfgp->mode) {
- case LDC_MODE_RAW:
-@@ -1185,6 +1188,21 @@ struct ldc_channel *ldc_alloc(unsigned long id,
- 
- INIT_HLIST_HEAD(&lp->mh_list);
- 
-+ 
snprintf(lp->rx_irq_name, LDC_IRQ_NAME_MAX, "%s RX", name);
-+ snprintf(lp->tx_irq_name, LDC_IRQ_NAME_MAX, "%s TX", name);
-+
-+ err = request_irq(lp->cfg.rx_irq, ldc_rx, 0,
-+ lp->rx_irq_name, lp);
-+ if (err)
-+ goto out_free_txq;
-+
-+ err = request_irq(lp->cfg.tx_irq, ldc_tx, 0,
-+ lp->tx_irq_name, lp);
-+ if (err) {
-+ free_irq(lp->cfg.rx_irq, lp);
-+ goto out_free_txq;
-+ }
-+
- return lp;
- 
- out_free_txq:
-@@ -1237,31 +1255,14 @@ EXPORT_SYMBOL(ldc_free);
- * state. This does not initiate a handshake, ldc_connect() does
- * that.
- */
--int ldc_bind(struct ldc_channel *lp, const char *name)
-+int ldc_bind(struct ldc_channel *lp)
- {
- unsigned long hv_err, flags;
- int err = -EINVAL;
- 
-- if (!name ||
-- (lp->state != LDC_STATE_INIT))
-+ if (lp->state != LDC_STATE_INIT)
- return -EINVAL;
- 
-- snprintf(lp->rx_irq_name, LDC_IRQ_NAME_MAX, "%s RX", name);
-- snprintf(lp->tx_irq_name, LDC_IRQ_NAME_MAX, "%s TX", name);
--
-- err = request_irq(lp->cfg.rx_irq, ldc_rx, 0,
-- lp->rx_irq_name, lp);
-- if (err)
-- return err;
--
-- err = request_irq(lp->cfg.tx_irq, ldc_tx, 0,
-- lp->tx_irq_name, lp);
-- if (err) {
-- free_irq(lp->cfg.rx_irq, lp);
-- return err;
-- }
--
--
- spin_lock_irqsave(&lp->lock, flags);
- 
- enable_irq(lp->cfg.rx_irq);
-diff --git a/arch/sparc/kernel/nmi.c b/arch/sparc/kernel/nmi.c
-index 6479256..fce8ab1 100644
---- a/arch/sparc/kernel/nmi.c
-+++ b/arch/sparc/kernel/nmi.c
-@@ -141,7 +141,6 @@ static inline unsigned int get_nmi_count(int cpu)
- 
- static __init void nmi_cpu_busy(void *data)
- {
-- local_irq_enable_in_hardirq();
- while (endflag == 0)
- mb();
- }
-diff --git a/arch/sparc/kernel/pcr.c b/arch/sparc/kernel/pcr.c
-index 269af58..7e967c8 100644
---- a/arch/sparc/kernel/pcr.c
-+++ b/arch/sparc/kernel/pcr.c
-@@ -191,12 +191,41 @@ static const struct pcr_ops n4_pcr_ops = {
- .pcr_nmi_disable = PCR_N4_PICNPT,
- };
- 
-+static u64 n5_pcr_read(unsigned long reg_num)
-+{
-+ unsigned long val;
-+
-+ (void) sun4v_t5_get_perfreg(reg_num, &val);
-+ 
-+ return val;
-+}
-+
-+static void n5_pcr_write(unsigned long reg_num, u64 val)
-+{
-+ (void) sun4v_t5_set_perfreg(reg_num, val);
-+}
-+
-+static const struct pcr_ops n5_pcr_ops = {
-+ .read_pcr = n5_pcr_read,
-+ .write_pcr = n5_pcr_write,
-+ .read_pic = n4_pic_read,
-+ .write_pic = n4_pic_write,
-+ .nmi_picl_value = n4_picl_value,
-+ .pcr_nmi_enable = (PCR_N4_PICNPT | PCR_N4_STRACE |
-+ PCR_N4_UTRACE | PCR_N4_TOE |
-+ (26 << PCR_N4_SL_SHIFT)),
-+ .pcr_nmi_disable = PCR_N4_PICNPT,
-+};
-+
-+
- static unsigned long perf_hsvc_group;
- static unsigned long perf_hsvc_major;
- static unsigned long perf_hsvc_minor;
- 
- static int __init register_perf_hsvc(void)
- {
-+ unsigned long hverror;
-+
- if (tlb_type == hypervisor) {
- switch (sun4v_chip_type) {
- case SUN4V_CHIP_NIAGARA1:
-@@ -215,6 +244,10 @@ static int __init register_perf_hsvc(void)
- perf_hsvc_group = HV_GRP_VT_CPU;
- break;
- 
-+ case SUN4V_CHIP_NIAGARA5:
-+ perf_hsvc_group = HV_GRP_T5_CPU;
-+ break;
-+
- default:
- return -ENODEV;
- }
-@@ -222,10 +255,12 @@ static int __init register_perf_hsvc(void)
- 
- perf_hsvc_major = 1;
- perf_hsvc_minor = 0;
-- if (sun4v_hvapi_register(perf_hsvc_group,
-- perf_hsvc_major,
-- &perf_hsvc_minor)) {
-- printk("perfmon: Could not register hvapi.\n");
-+ hverror = sun4v_hvapi_register(perf_hsvc_group,
-+ perf_hsvc_major,
-+ &perf_hsvc_minor);
-+ if (hverror) {
-+ pr_err("perfmon: Could not register hvapi(0x%lx).\n",
-+ hverror);
- return -ENODEV;
- }
- }
-@@ -254,6 +289,10 @@ static int __init setup_sun4v_pcr_ops(void)
- pcr_ops = &n4_pcr_ops;
- break;
- 
-+ case SUN4V_CHIP_NIAGARA5:
-+ pcr_ops = &n5_pcr_ops;
-+ break;
-+
- default:
- ret = -ENODEV;
- break;
-diff --git a/arch/sparc/kernel/perf_event.c b/arch/sparc/kernel/perf_event.c
-index b5c38fa..617b9fe 100644
---- a/arch/sparc/kernel/perf_event.c
-+++ b/arch/sparc/kernel/perf_event.c
-@@ -1662,7 +1662,8 @@ static bool __init supported_pmu(void)
- sparc_pmu = &niagara2_pmu;
- return true;
- }
-- if 
(!strcmp(sparc_pmu_type, "niagara4")) {
-+ if (!strcmp(sparc_pmu_type, "niagara4") ||
-+ !strcmp(sparc_pmu_type, "niagara5")) {
- sparc_pmu = &niagara4_pmu;
- return true;
- }
-@@ -1671,9 +1672,12 @@ static bool __init supported_pmu(void)
- 
- int __init init_hw_perf_events(void)
- {
-+ int err;
-+
- pr_info("Performance events: ");
- 
-- if (!supported_pmu()) {
-+ err = pcr_arch_init();
-+ if (err || !supported_pmu()) {
- pr_cont("No support for PMU type '%s'\n", sparc_pmu_type);
- return 0;
- }
-@@ -1685,7 +1689,7 @@ int __init init_hw_perf_events(void)
- 
- return 0;
- }
--early_initcall(init_hw_perf_events);
-+pure_initcall(init_hw_perf_events);
- 
- void perf_callchain_kernel(struct perf_callchain_entry *entry,
- struct pt_regs *regs)
-diff --git a/arch/sparc/kernel/process_64.c b/arch/sparc/kernel/process_64.c
-index d7b4967..c6f7113 100644
---- a/arch/sparc/kernel/process_64.c
-+++ b/arch/sparc/kernel/process_64.c
-@@ -306,6 +306,9 @@ static void __global_pmu_self(int this_cpu)
- struct global_pmu_snapshot *pp;
- int i, num;
- 
-+ if (!pcr_ops)
-+ return;
-+
- pp = &global_cpu_snapshot[this_cpu].pmu;
- 
- num = 1;
-diff --git a/arch/sparc/kernel/setup_64.c b/arch/sparc/kernel/setup_64.c
-index 3fdb455..61a5198 100644
---- a/arch/sparc/kernel/setup_64.c
-+++ b/arch/sparc/kernel/setup_64.c
-@@ -30,6 +30,7 @@
- #include <linux/cpu.h>
- #include <linux/initrd.h>
- #include <linux/module.h>
-+#include <linux/start_kernel.h>
- 
- #include <asm/io.h>
- #include <asm/processor.h>
-@@ -174,7 +175,7 @@ char reboot_command[COMMAND_LINE_SIZE];
- 
- static struct pt_regs fake_swapper_regs = { { 0, }, 0, 0, 0, 0 };
- 
--void __init per_cpu_patch(void)
-+static void __init per_cpu_patch(void)
- {
- struct cpuid_patch_entry *p;
- unsigned long ver;
-@@ -266,7 +267,7 @@ void sun4v_patch_2insn_range(struct sun4v_2insn_patch_entry *start,
- }
- }
- 
--void __init sun4v_patch(void)
-+static void __init sun4v_patch(void)
- {
- extern void sun4v_hvapi_init(void);
- 
-@@ -335,14 +336,25 @@ 
static void __init pause_patch(void)
- }
- }
-
--#ifdef CONFIG_SMP
--void __init boot_cpu_id_too_large(int cpu)
-+void __init start_early_boot(void)
- {
-- prom_printf("Serious problem, boot cpu id (%d) >= NR_CPUS (%d)\n",
-- cpu, NR_CPUS);
-- prom_halt();
-+ int cpu;
-+
-+ check_if_starfire();
-+ per_cpu_patch();
-+ sun4v_patch();
-+
-+ cpu = hard_smp_processor_id();
-+ if (cpu >= NR_CPUS) {
-+ prom_printf("Serious problem, boot cpu id (%d) >= NR_CPUS (%d)\n",
-+ cpu, NR_CPUS);
-+ prom_halt();
-+ }
-+ current_thread_info()->cpu = cpu;
-+
-+ prom_init_report();
-+ start_kernel();
- }
--#endif
-
- /* On Ultra, we support all of the v8 capabilities. */
- unsigned long sparc64_elf_hwcap = (HWCAP_SPARC_FLUSH | HWCAP_SPARC_STBAR |
-@@ -500,12 +512,16 @@ static void __init init_sparc64_elf_hwcap(void)
- sun4v_chip_type == SUN4V_CHIP_NIAGARA3 ||
- sun4v_chip_type == SUN4V_CHIP_NIAGARA4 ||
- sun4v_chip_type == SUN4V_CHIP_NIAGARA5 ||
-+ sun4v_chip_type == SUN4V_CHIP_SPARC_M6 ||
-+ sun4v_chip_type == SUN4V_CHIP_SPARC_M7 ||
- sun4v_chip_type == SUN4V_CHIP_SPARC64X)
- cap |= HWCAP_SPARC_BLKINIT;
- if (sun4v_chip_type == SUN4V_CHIP_NIAGARA2 ||
- sun4v_chip_type == SUN4V_CHIP_NIAGARA3 ||
- sun4v_chip_type == SUN4V_CHIP_NIAGARA4 ||
- sun4v_chip_type == SUN4V_CHIP_NIAGARA5 ||
-+ sun4v_chip_type == SUN4V_CHIP_SPARC_M6 ||
-+ sun4v_chip_type == SUN4V_CHIP_SPARC_M7 ||
- sun4v_chip_type == SUN4V_CHIP_SPARC64X)
- cap |= HWCAP_SPARC_N2;
- }
-@@ -533,6 +549,8 @@ static void __init init_sparc64_elf_hwcap(void)
- sun4v_chip_type == SUN4V_CHIP_NIAGARA3 ||
- sun4v_chip_type == SUN4V_CHIP_NIAGARA4 ||
- sun4v_chip_type == SUN4V_CHIP_NIAGARA5 ||
-+ sun4v_chip_type == SUN4V_CHIP_SPARC_M6 ||
-+ sun4v_chip_type == SUN4V_CHIP_SPARC_M7 ||
- sun4v_chip_type == SUN4V_CHIP_SPARC64X)
- cap |= (AV_SPARC_VIS | AV_SPARC_VIS2 |
- AV_SPARC_ASI_BLK_INIT |
-@@ -540,6 +558,8 @@ static void __init init_sparc64_elf_hwcap(void)
- if (sun4v_chip_type == SUN4V_CHIP_NIAGARA3 ||
- sun4v_chip_type == SUN4V_CHIP_NIAGARA4
||
- sun4v_chip_type == SUN4V_CHIP_NIAGARA5 ||
-+ sun4v_chip_type == SUN4V_CHIP_SPARC_M6 ||
-+ sun4v_chip_type == SUN4V_CHIP_SPARC_M7 ||
- sun4v_chip_type == SUN4V_CHIP_SPARC64X)
- cap |= (AV_SPARC_VIS3 | AV_SPARC_HPC |
- AV_SPARC_FMAF);
-diff --git a/arch/sparc/kernel/smp_64.c b/arch/sparc/kernel/smp_64.c
-index 8416d7f..50c3dd03 100644
---- a/arch/sparc/kernel/smp_64.c
-+++ b/arch/sparc/kernel/smp_64.c
-@@ -1395,7 +1395,6 @@ void __cpu_die(unsigned int cpu)
-
- void __init smp_cpus_done(unsigned int max_cpus)
- {
-- pcr_arch_init();
- }
-
- void smp_send_reschedule(int cpu)
-@@ -1480,6 +1479,13 @@ static void __init pcpu_populate_pte(unsigned long addr)
- pud_t *pud;
- pmd_t *pmd;
-
-+ if (pgd_none(*pgd)) {
-+ pud_t *new;
-+
-+ new = __alloc_bootmem(PAGE_SIZE, PAGE_SIZE, PAGE_SIZE);
-+ pgd_populate(&init_mm, pgd, new);
-+ }
-+
- pud = pud_offset(pgd, addr);
- if (pud_none(*pud)) {
- pmd_t *new;
-diff --git a/arch/sparc/kernel/sun4v_tlb_miss.S b/arch/sparc/kernel/sun4v_tlb_miss.S
-index e0c09bf8..6179e19 100644
---- a/arch/sparc/kernel/sun4v_tlb_miss.S
-+++ b/arch/sparc/kernel/sun4v_tlb_miss.S
-@@ -195,6 +195,11 @@ sun4v_tsb_miss_common:
- ldx [%g2 + TRAP_PER_CPU_PGD_PADDR], %g7
-
- sun4v_itlb_error:
-+ rdpr %tl, %g1
-+ cmp %g1, 1
-+ ble,pt %icc, sun4v_bad_ra
-+ or %g0, FAULT_CODE_BAD_RA | FAULT_CODE_ITLB, %g1
-+
- sethi %hi(sun4v_err_itlb_vaddr), %g1
- stx %g4, [%g1 + %lo(sun4v_err_itlb_vaddr)]
- sethi %hi(sun4v_err_itlb_ctx), %g1
-@@ -206,15 +211,10 @@ sun4v_itlb_error:
- sethi %hi(sun4v_err_itlb_error), %g1
- stx %o0, [%g1 + %lo(sun4v_err_itlb_error)]
-
-+ sethi %hi(1f), %g7
- rdpr %tl, %g4
-- cmp %g4, 1
-- ble,pt %icc, 1f
-- sethi %hi(2f), %g7
- ba,pt %xcc, etraptl1
-- or %g7, %lo(2f), %g7
--
--1: ba,pt %xcc, etrap
--2: or %g7, %lo(2b), %g7
-+1: or %g7, %lo(1f), %g7
- mov %l4, %o1
- call sun4v_itlb_error_report
- add %sp, PTREGS_OFF, %o0
-@@ -222,6 +222,11 @@ sun4v_itlb_error:
- /* NOTREACHED */
-
- sun4v_dtlb_error:
-+ rdpr %tl, %g1
-+ cmp %g1, 1
-+ ble,pt
%icc, sun4v_bad_ra
-+ or %g0, FAULT_CODE_BAD_RA | FAULT_CODE_DTLB, %g1
-+
- sethi %hi(sun4v_err_dtlb_vaddr), %g1
- stx %g4, [%g1 + %lo(sun4v_err_dtlb_vaddr)]
- sethi %hi(sun4v_err_dtlb_ctx), %g1
-@@ -233,21 +238,23 @@ sun4v_dtlb_error:
- sethi %hi(sun4v_err_dtlb_error), %g1
- stx %o0, [%g1 + %lo(sun4v_err_dtlb_error)]
-
-+ sethi %hi(1f), %g7
- rdpr %tl, %g4
-- cmp %g4, 1
-- ble,pt %icc, 1f
-- sethi %hi(2f), %g7
- ba,pt %xcc, etraptl1
-- or %g7, %lo(2f), %g7
--
--1: ba,pt %xcc, etrap
--2: or %g7, %lo(2b), %g7
-+1: or %g7, %lo(1f), %g7
- mov %l4, %o1
- call sun4v_dtlb_error_report
- add %sp, PTREGS_OFF, %o0
-
- /* NOTREACHED */
-
-+sun4v_bad_ra:
-+ or %g0, %g4, %g5
-+ ba,pt %xcc, sparc64_realfault_common
-+ or %g1, %g0, %g4
-+
-+ /* NOTREACHED */
-+
- /* Instruction Access Exception, tl0. */
- sun4v_iacc:
- ldxa [%g0] ASI_SCRATCHPAD, %g2
-diff --git a/arch/sparc/kernel/trampoline_64.S b/arch/sparc/kernel/trampoline_64.S
-index 737f8cb..88ede1d 100644
---- a/arch/sparc/kernel/trampoline_64.S
-+++ b/arch/sparc/kernel/trampoline_64.S
-@@ -109,10 +109,13 @@ startup_continue:
- brnz,pn %g1, 1b
- nop
-
-- sethi %hi(p1275buf), %g2
-- or %g2, %lo(p1275buf), %g2
-- ldx [%g2 + 0x10], %l2
-- add %l2, -(192 + 128), %sp
-+ /* Get onto temporary stack which will be in the locked
-+ * kernel image.
-+ */
-+ sethi %hi(tramp_stack), %g1
-+ or %g1, %lo(tramp_stack), %g1
-+ add %g1, TRAMP_STACK_SIZE, %g1
-+ sub %g1, STACKFRAME_SZ + STACK_BIAS + 256, %sp
- flushw
-
- /* Setup the loop variables:
-@@ -394,7 +397,6 @@ after_lock_tlb:
- sllx %g5, THREAD_SHIFT, %g5
- sub %g5, (STACKFRAME_SZ + STACK_BIAS), %g5
- add %g6, %g5, %sp
-- mov 0, %fp
-
- rdpr %pstate, %o1
- or %o1, PSTATE_IE, %o1
-diff --git a/arch/sparc/kernel/traps_64.c b/arch/sparc/kernel/traps_64.c
-index 4ced92f..25d0c7e 100644
---- a/arch/sparc/kernel/traps_64.c
-+++ b/arch/sparc/kernel/traps_64.c
-@@ -2102,6 +2102,11 @@ void sun4v_nonresum_overflow(struct pt_regs *regs)
- atomic_inc(&sun4v_nonresum_oflow_cnt);
- }
-
-+static void sun4v_tlb_error(struct pt_regs *regs)
-+{
-+ die_if_kernel("TLB/TSB error", regs);
-+}
-+
- unsigned long sun4v_err_itlb_vaddr;
- unsigned long sun4v_err_itlb_ctx;
- unsigned long sun4v_err_itlb_pte;
-@@ -2109,8 +2114,7 @@ unsigned long sun4v_err_itlb_error;
-
- void sun4v_itlb_error_report(struct pt_regs *regs, int tl)
- {
-- if (tl > 1)
-- dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
-+ dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
-
- printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
- regs->tpc, tl);
-@@ -2123,7 +2127,7 @@ void sun4v_itlb_error_report(struct pt_regs *regs, int tl)
- sun4v_err_itlb_vaddr, sun4v_err_itlb_ctx,
- sun4v_err_itlb_pte, sun4v_err_itlb_error);
-
-- prom_halt();
-+ sun4v_tlb_error(regs);
- }
-
- unsigned long sun4v_err_dtlb_vaddr;
-@@ -2133,8 +2137,7 @@ unsigned long sun4v_err_dtlb_error;
-
- void sun4v_dtlb_error_report(struct pt_regs *regs, int tl)
- {
-- if (tl > 1)
-- dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
-+ dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
-
- printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
- regs->tpc, tl);
-@@ -2147,7 +2150,7 @@ void sun4v_dtlb_error_report(struct pt_regs *regs, int tl)
- sun4v_err_dtlb_vaddr, sun4v_err_dtlb_ctx,
- sun4v_err_dtlb_pte, sun4v_err_dtlb_error);
-
-- prom_halt();
-+ sun4v_tlb_error(regs);
- }
-
- void hypervisor_tlbop_error(unsigned long err, unsigned long op)
-diff --git a/arch/sparc/kernel/tsb.S b/arch/sparc/kernel/tsb.S
-index 14158d4..be98685 100644
---- a/arch/sparc/kernel/tsb.S
-+++ b/arch/sparc/kernel/tsb.S
-@@ -162,10 +162,10 @@ tsb_miss_page_table_walk_sun4v_fastpath:
- nop
- .previous
-
-- rdpr %tl, %g3
-- cmp %g3, 1
-+ rdpr %tl, %g7
-+ cmp %g7, 1
- bne,pn %xcc, winfix_trampoline
-- nop
-+ mov %g3, %g4
- ba,pt %xcc, etrap
- rd %pc, %g7
- call hugetlb_setup
-diff --git a/arch/sparc/kernel/viohs.c b/arch/sparc/kernel/viohs.c
-index f8e7dd5..9c5fbd0 100644
---- a/arch/sparc/kernel/viohs.c
-+++ b/arch/sparc/kernel/viohs.c
-@@ -714,7 +714,7 @@ int vio_ldc_alloc(struct vio_driver_state *vio,
- cfg.tx_irq = vio->vdev->tx_irq;
- cfg.rx_irq = vio->vdev->rx_irq;
-
-- lp = ldc_alloc(vio->vdev->channel_id, &cfg, event_arg);
-+ lp = ldc_alloc(vio->vdev->channel_id, &cfg, event_arg, vio->name);
- if (IS_ERR(lp))
- return PTR_ERR(lp);
-
-@@ -746,7 +746,7 @@ void vio_port_up(struct vio_driver_state *vio)
-
- err = 0;
- if (state == LDC_STATE_INIT) {
-- err = ldc_bind(vio->lp, vio->name);
-+ err = ldc_bind(vio->lp);
- if (err)
- printk(KERN_WARNING "%s: Port %lu bind failed, "
- "err=%d\n",
-diff --git a/arch/sparc/kernel/vmlinux.lds.S b/arch/sparc/kernel/vmlinux.lds.S
-index 932ff90..0924305 100644
---- a/arch/sparc/kernel/vmlinux.lds.S
-+++ b/arch/sparc/kernel/vmlinux.lds.S
-@@ -35,8 +35,9 @@ jiffies = jiffies_64;
-
- SECTIONS
- {
-- /* swapper_low_pmd_dir is sparc64 only */
-- swapper_low_pmd_dir = 0x0000000000402000;
-+#ifdef CONFIG_SPARC64
-+ swapper_pg_dir = 0x0000000000402000;
-+#endif
- .
= INITIAL_ADDRESS;
- .text TEXTSTART :
- {
-@@ -122,11 +123,6 @@ SECTIONS
- *(.swapper_4m_tsb_phys_patch)
- __swapper_4m_tsb_phys_patch_end = .;
- }
-- .page_offset_shift_patch : {
-- __page_offset_shift_patch = .;
-- *(.page_offset_shift_patch)
-- __page_offset_shift_patch_end = .;
-- }
- .popc_3insn_patch : {
- __popc_3insn_patch = .;
- *(.popc_3insn_patch)
-diff --git a/arch/sparc/lib/NG4memcpy.S b/arch/sparc/lib/NG4memcpy.S
-index 9cf2ee0..140527a 100644
---- a/arch/sparc/lib/NG4memcpy.S
-+++ b/arch/sparc/lib/NG4memcpy.S
-@@ -41,6 +41,10 @@
- #endif
- #endif
-
-+#if !defined(EX_LD) && !defined(EX_ST)
-+#define NON_USER_COPY
-+#endif
-+
- #ifndef EX_LD
- #define EX_LD(x) x
- #endif
-@@ -197,9 +201,13 @@ FUNC_NAME: /* %o0=dst, %o1=src, %o2=len */
- mov EX_RETVAL(%o3), %o0
-
- .Llarge_src_unaligned:
-+#ifdef NON_USER_COPY
-+ VISEntryHalfFast(.Lmedium_vis_entry_fail)
-+#else
-+ VISEntryHalf
-+#endif
- andn %o2, 0x3f, %o4
- sub %o2, %o4, %o2
-- VISEntryHalf
- alignaddr %o1, %g0, %g1
- add %o1, %o4, %o1
- EX_LD(LOAD(ldd, %g1 + 0x00, %f0))
-@@ -240,6 +248,10 @@ FUNC_NAME: /* %o0=dst, %o1=src, %o2=len */
- nop
- ba,a,pt %icc, .Lmedium_unaligned
-
-+#ifdef NON_USER_COPY
-+.Lmedium_vis_entry_fail:
-+ or %o0, %o1, %g2
-+#endif
- .Lmedium:
- LOAD(prefetch, %o1 + 0x40, #n_reads_strong)
- andcc %g2, 0x7, %g0
-diff --git a/arch/sparc/lib/memset.S b/arch/sparc/lib/memset.S
-index 99c017b..f75e690 100644
---- a/arch/sparc/lib/memset.S
-+++ b/arch/sparc/lib/memset.S
-@@ -3,8 +3,9 @@
- * Copyright (C) 1996,1997 Jakub Jelinek (jj@sunsite.mff.cuni.cz)
- * Copyright (C) 1996 David S. Miller (davem@caip.rutgers.edu)
- *
-- * Returns 0, if ok, and number of bytes not yet set if exception
-- * occurs and we were called as clear_user.
-+ * Calls to memset returns initial %o0. Calls to bzero returns 0, if ok, and
-+ * number of bytes not yet set if exception occurs and we were called as
-+ * clear_user.
- */
-
- #include <asm/ptrace.h>
-@@ -65,6 +66,8 @@ __bzero_begin:
- .globl __memset_start, __memset_end
- __memset_start:
- memset:
-+ mov %o0, %g1
-+ mov 1, %g4
- and %o1, 0xff, %g3
- sll %g3, 8, %g2
- or %g3, %g2, %g3
-@@ -89,6 +92,7 @@ memset:
- sub %o0, %o2, %o0
-
- __bzero:
-+ clr %g4
- mov %g0, %g3
- 1:
- cmp %o1, 7
-@@ -151,8 +155,8 @@ __bzero:
- bne,a 8f
- EX(stb %g3, [%o0], and %o1, 1)
- 8:
-- retl
-- clr %o0
-+ b 0f
-+ nop
- 7:
- be 13b
- orcc %o1, 0, %g0
-@@ -164,6 +168,12 @@ __bzero:
- bne 8b
- EX(stb %g3, [%o0 - 1], add %o1, 1)
- 0:
-+ andcc %g4, 1, %g0
-+ be 5f
-+ nop
-+ retl
-+ mov %g1, %o0
-+5:
- retl
- clr %o0
- __memset_end:
-diff --git a/arch/sparc/mm/fault_64.c b/arch/sparc/mm/fault_64.c
-index 4ced3fc..45a413e 100644
---- a/arch/sparc/mm/fault_64.c
-+++ b/arch/sparc/mm/fault_64.c
-@@ -348,6 +348,9 @@ retry:
- down_read(&mm->mmap_sem);
- }
-
-+ if (fault_code & FAULT_CODE_BAD_RA)
-+ goto do_sigbus;
-+
- vma = find_vma(mm, address);
- if (!vma)
- goto bad_area;
-diff --git a/arch/sparc/mm/gup.c b/arch/sparc/mm/gup.c
-index 1aed043..ae6ce38 100644
---- a/arch/sparc/mm/gup.c
-+++ b/arch/sparc/mm/gup.c
-@@ -160,6 +160,36 @@ static int gup_pud_range(pgd_t pgd, unsigned long addr, unsigned long end,
- return 1;
- }
-
-+int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
-+ struct page **pages)
-+{
-+ struct mm_struct *mm = current->mm;
-+ unsigned long addr, len, end;
-+ unsigned long next, flags;
-+ pgd_t *pgdp;
-+ int nr = 0;
-+
-+ start &= PAGE_MASK;
-+ addr = start;
-+ len = (unsigned long) nr_pages << PAGE_SHIFT;
-+ end = start + len;
-+
-+ local_irq_save(flags);
-+ pgdp = pgd_offset(mm, addr);
-+ do {
-+ pgd_t pgd = *pgdp;
-+
-+ next = pgd_addr_end(addr, end);
-+ if (pgd_none(pgd))
-+ break;
-+ if (!gup_pud_range(pgd, addr, next, write, pages, &nr))
-+ break;
-+ } while (pgdp++, addr = next, addr != end);
-+ local_irq_restore(flags);
-+
-+ return nr;
-+}
-+
- int get_user_pages_fast(unsigned long start, int nr_pages, int
write,
- struct page **pages)
- {
-diff --git a/arch/sparc/mm/init_64.c b/arch/sparc/mm/init_64.c
-index 9686224..34506f2 100644
---- a/arch/sparc/mm/init_64.c
-+++ b/arch/sparc/mm/init_64.c
-@@ -73,7 +73,6 @@ unsigned long kern_linear_pte_xor[4] __read_mostly;
- * 'cpu' properties, but we need to have this table setup before the
- * MDESC is initialized.
- */
--unsigned long kpte_linear_bitmap[KPTE_BITMAP_BYTES / sizeof(unsigned long)];
-
- #ifndef CONFIG_DEBUG_PAGEALLOC
- /* A special kernel TSB for 4MB, 256MB, 2GB and 16GB linear mappings.
-@@ -82,10 +81,11 @@ unsigned long kpte_linear_bitmap[KPTE_BITMAP_BYTES / sizeof(unsigned long)];
- */
- extern struct tsb swapper_4m_tsb[KERNEL_TSB4M_NENTRIES];
- #endif
-+extern struct tsb swapper_tsb[KERNEL_TSB_NENTRIES];
-
- static unsigned long cpu_pgsz_mask;
-
--#define MAX_BANKS 32
-+#define MAX_BANKS 1024
-
- static struct linux_prom64_registers pavail[MAX_BANKS];
- static int pavail_ents;
-@@ -163,10 +163,6 @@ static void __init read_obp_memory(const char *property,
- cmp_p64, NULL);
- }
-
--unsigned long sparc64_valid_addr_bitmap[VALID_ADDR_BITMAP_BYTES /
-- sizeof(unsigned long)];
--EXPORT_SYMBOL(sparc64_valid_addr_bitmap);
--
- /* Kernel physical address base and size in bytes. */
- unsigned long kern_base __read_mostly;
- unsigned long kern_size __read_mostly;
-@@ -838,7 +834,10 @@ static int find_node(unsigned long addr)
- if ((addr & p->mask) == p->val)
- return i;
- }
-- return -1;
-+ /* The following condition has been observed on LDOM guests.*/
-+ WARN_ONCE(1, "find_node: A physical address doesn't match a NUMA node"
-+ " rule.
Some physical memory will be owned by node 0."); -+ return 0; - } - - static u64 memblock_nid_range(u64 start, u64 end, int *nid) -@@ -1360,9 +1359,144 @@ static unsigned long __init bootmem_init(unsigned long phys_base) - static struct linux_prom64_registers pall[MAX_BANKS] __initdata; - static int pall_ents __initdata; - --#ifdef CONFIG_DEBUG_PAGEALLOC -+static unsigned long max_phys_bits = 40; -+ -+bool kern_addr_valid(unsigned long addr) -+{ -+ pgd_t *pgd; -+ pud_t *pud; -+ pmd_t *pmd; -+ pte_t *pte; -+ -+ if ((long)addr < 0L) { -+ unsigned long pa = __pa(addr); -+ -+ if ((addr >> max_phys_bits) != 0UL) -+ return false; -+ -+ return pfn_valid(pa >> PAGE_SHIFT); -+ } -+ -+ if (addr >= (unsigned long) KERNBASE && -+ addr < (unsigned long)&_end) -+ return true; -+ -+ pgd = pgd_offset_k(addr); -+ if (pgd_none(*pgd)) -+ return 0; -+ -+ pud = pud_offset(pgd, addr); -+ if (pud_none(*pud)) -+ return 0; -+ -+ if (pud_large(*pud)) -+ return pfn_valid(pud_pfn(*pud)); -+ -+ pmd = pmd_offset(pud, addr); -+ if (pmd_none(*pmd)) -+ return 0; -+ -+ if (pmd_large(*pmd)) -+ return pfn_valid(pmd_pfn(*pmd)); -+ -+ pte = pte_offset_kernel(pmd, addr); -+ if (pte_none(*pte)) -+ return 0; -+ -+ return pfn_valid(pte_pfn(*pte)); -+} -+EXPORT_SYMBOL(kern_addr_valid); -+ -+static unsigned long __ref kernel_map_hugepud(unsigned long vstart, -+ unsigned long vend, -+ pud_t *pud) -+{ -+ const unsigned long mask16gb = (1UL << 34) - 1UL; -+ u64 pte_val = vstart; -+ -+ /* Each PUD is 8GB */ -+ if ((vstart & mask16gb) || -+ (vend - vstart <= mask16gb)) { -+ pte_val ^= kern_linear_pte_xor[2]; -+ pud_val(*pud) = pte_val | _PAGE_PUD_HUGE; -+ -+ return vstart + PUD_SIZE; -+ } -+ -+ pte_val ^= kern_linear_pte_xor[3]; -+ pte_val |= _PAGE_PUD_HUGE; -+ -+ vend = vstart + mask16gb + 1UL; -+ while (vstart < vend) { -+ pud_val(*pud) = pte_val; -+ -+ pte_val += PUD_SIZE; -+ vstart += PUD_SIZE; -+ pud++; -+ } -+ return vstart; -+} -+ -+static bool kernel_can_map_hugepud(unsigned long vstart, unsigned long 
vend, -+ bool guard) -+{ -+ if (guard && !(vstart & ~PUD_MASK) && (vend - vstart) >= PUD_SIZE) -+ return true; -+ -+ return false; -+} -+ -+static unsigned long __ref kernel_map_hugepmd(unsigned long vstart, -+ unsigned long vend, -+ pmd_t *pmd) -+{ -+ const unsigned long mask256mb = (1UL << 28) - 1UL; -+ const unsigned long mask2gb = (1UL << 31) - 1UL; -+ u64 pte_val = vstart; -+ -+ /* Each PMD is 8MB */ -+ if ((vstart & mask256mb) || -+ (vend - vstart <= mask256mb)) { -+ pte_val ^= kern_linear_pte_xor[0]; -+ pmd_val(*pmd) = pte_val | _PAGE_PMD_HUGE; -+ -+ return vstart + PMD_SIZE; -+ } -+ -+ if ((vstart & mask2gb) || -+ (vend - vstart <= mask2gb)) { -+ pte_val ^= kern_linear_pte_xor[1]; -+ pte_val |= _PAGE_PMD_HUGE; -+ vend = vstart + mask256mb + 1UL; -+ } else { -+ pte_val ^= kern_linear_pte_xor[2]; -+ pte_val |= _PAGE_PMD_HUGE; -+ vend = vstart + mask2gb + 1UL; -+ } -+ -+ while (vstart < vend) { -+ pmd_val(*pmd) = pte_val; -+ -+ pte_val += PMD_SIZE; -+ vstart += PMD_SIZE; -+ pmd++; -+ } -+ -+ return vstart; -+} -+ -+static bool kernel_can_map_hugepmd(unsigned long vstart, unsigned long vend, -+ bool guard) -+{ -+ if (guard && !(vstart & ~PMD_MASK) && (vend - vstart) >= PMD_SIZE) -+ return true; -+ -+ return false; -+} -+ - static unsigned long __ref kernel_map_range(unsigned long pstart, -- unsigned long pend, pgprot_t prot) -+ unsigned long pend, pgprot_t prot, -+ bool use_huge) - { - unsigned long vstart = PAGE_OFFSET + pstart; - unsigned long vend = PAGE_OFFSET + pend; -@@ -1381,19 +1515,34 @@ static unsigned long __ref kernel_map_range(unsigned long pstart, - pmd_t *pmd; - pte_t *pte; - -+ if (pgd_none(*pgd)) { -+ pud_t *new; -+ -+ new = __alloc_bootmem(PAGE_SIZE, PAGE_SIZE, PAGE_SIZE); -+ alloc_bytes += PAGE_SIZE; -+ pgd_populate(&init_mm, pgd, new); -+ } - pud = pud_offset(pgd, vstart); - if (pud_none(*pud)) { - pmd_t *new; - -+ if (kernel_can_map_hugepud(vstart, vend, use_huge)) { -+ vstart = kernel_map_hugepud(vstart, vend, pud); -+ continue; -+ } - new 
= __alloc_bootmem(PAGE_SIZE, PAGE_SIZE, PAGE_SIZE); - alloc_bytes += PAGE_SIZE; - pud_populate(&init_mm, pud, new); - } - - pmd = pmd_offset(pud, vstart); -- if (!pmd_present(*pmd)) { -+ if (pmd_none(*pmd)) { - pte_t *new; - -+ if (kernel_can_map_hugepmd(vstart, vend, use_huge)) { -+ vstart = kernel_map_hugepmd(vstart, vend, pmd); -+ continue; -+ } - new = __alloc_bootmem(PAGE_SIZE, PAGE_SIZE, PAGE_SIZE); - alloc_bytes += PAGE_SIZE; - pmd_populate_kernel(&init_mm, pmd, new); -@@ -1416,100 +1565,34 @@ static unsigned long __ref kernel_map_range(unsigned long pstart, - return alloc_bytes; - } - --extern unsigned int kvmap_linear_patch[1]; --#endif /* CONFIG_DEBUG_PAGEALLOC */ -- --static void __init kpte_set_val(unsigned long index, unsigned long val) -+static void __init flush_all_kernel_tsbs(void) - { -- unsigned long *ptr = kpte_linear_bitmap; -- -- val <<= ((index % (BITS_PER_LONG / 2)) * 2); -- ptr += (index / (BITS_PER_LONG / 2)); -- -- *ptr |= val; --} -- --static const unsigned long kpte_shift_min = 28; /* 256MB */ --static const unsigned long kpte_shift_max = 34; /* 16GB */ --static const unsigned long kpte_shift_incr = 3; -- --static unsigned long kpte_mark_using_shift(unsigned long start, unsigned long end, -- unsigned long shift) --{ -- unsigned long size = (1UL << shift); -- unsigned long mask = (size - 1UL); -- unsigned long remains = end - start; -- unsigned long val; -- -- if (remains < size || (start & mask)) -- return start; -- -- /* VAL maps: -- * -- * shift 28 --> kern_linear_pte_xor index 1 -- * shift 31 --> kern_linear_pte_xor index 2 -- * shift 34 --> kern_linear_pte_xor index 3 -- */ -- val = ((shift - kpte_shift_min) / kpte_shift_incr) + 1; -- -- remains &= ~mask; -- if (shift != kpte_shift_max) -- remains = size; -- -- while (remains) { -- unsigned long index = start >> kpte_shift_min; -+ int i; - -- kpte_set_val(index, val); -+ for (i = 0; i < KERNEL_TSB_NENTRIES; i++) { -+ struct tsb *ent = &swapper_tsb[i]; - -- start += 1UL << 
kpte_shift_min; -- remains -= 1UL << kpte_shift_min; -+ ent->tag = (1UL << TSB_TAG_INVALID_BIT); - } -+#ifndef CONFIG_DEBUG_PAGEALLOC -+ for (i = 0; i < KERNEL_TSB4M_NENTRIES; i++) { -+ struct tsb *ent = &swapper_4m_tsb[i]; - -- return start; --} -- --static void __init mark_kpte_bitmap(unsigned long start, unsigned long end) --{ -- unsigned long smallest_size, smallest_mask; -- unsigned long s; -- -- smallest_size = (1UL << kpte_shift_min); -- smallest_mask = (smallest_size - 1UL); -- -- while (start < end) { -- unsigned long orig_start = start; -- -- for (s = kpte_shift_max; s >= kpte_shift_min; s -= kpte_shift_incr) { -- start = kpte_mark_using_shift(start, end, s); -- -- if (start != orig_start) -- break; -- } -- -- if (start == orig_start) -- start = (start + smallest_size) & ~smallest_mask; -+ ent->tag = (1UL << TSB_TAG_INVALID_BIT); - } -+#endif - } - --static void __init init_kpte_bitmap(void) --{ -- unsigned long i; -- -- for (i = 0; i < pall_ents; i++) { -- unsigned long phys_start, phys_end; -- -- phys_start = pall[i].phys_addr; -- phys_end = phys_start + pall[i].reg_size; -- -- mark_kpte_bitmap(phys_start, phys_end); -- } --} -+extern unsigned int kvmap_linear_patch[1]; - - static void __init kernel_physical_mapping_init(void) - { --#ifdef CONFIG_DEBUG_PAGEALLOC - unsigned long i, mem_alloced = 0UL; -+ bool use_huge = true; - -+#ifdef CONFIG_DEBUG_PAGEALLOC -+ use_huge = false; -+#endif - for (i = 0; i < pall_ents; i++) { - unsigned long phys_start, phys_end; - -@@ -1517,7 +1600,7 @@ static void __init kernel_physical_mapping_init(void) - phys_end = phys_start + pall[i].reg_size; - - mem_alloced += kernel_map_range(phys_start, phys_end, -- PAGE_KERNEL); -+ PAGE_KERNEL, use_huge); - } - - printk("Allocated %ld bytes for kernel page tables.\n", -@@ -1526,8 +1609,9 @@ static void __init kernel_physical_mapping_init(void) - kvmap_linear_patch[0] = 0x01000000; /* nop */ - flushi(&kvmap_linear_patch[0]); - -+ flush_all_kernel_tsbs(); -+ - __flush_tlb_all(); 
--#endif - } - - #ifdef CONFIG_DEBUG_PAGEALLOC -@@ -1537,7 +1621,7 @@ void kernel_map_pages(struct page *page, int numpages, int enable) - unsigned long phys_end = phys_start + (numpages * PAGE_SIZE); - - kernel_map_range(phys_start, phys_end, -- (enable ? PAGE_KERNEL : __pgprot(0))); -+ (enable ? PAGE_KERNEL : __pgprot(0)), false); - - flush_tsb_kernel_range(PAGE_OFFSET + phys_start, - PAGE_OFFSET + phys_end); -@@ -1565,76 +1649,56 @@ unsigned long __init find_ecache_flush_span(unsigned long size) - unsigned long PAGE_OFFSET; - EXPORT_SYMBOL(PAGE_OFFSET); - --static void __init page_offset_shift_patch_one(unsigned int *insn, unsigned long phys_bits) --{ -- unsigned long final_shift; -- unsigned int val = *insn; -- unsigned int cnt; -- -- /* We are patching in ilog2(max_supported_phys_address), and -- * we are doing so in a manner similar to a relocation addend. -- * That is, we are adding the shift value to whatever value -- * is in the shift instruction count field already. -- */ -- cnt = (val & 0x3f); -- val &= ~0x3f; -- -- /* If we are trying to shift >= 64 bits, clear the destination -- * register. This can happen when phys_bits ends up being equal -- * to MAX_PHYS_ADDRESS_BITS. 
-- */ -- final_shift = (cnt + (64 - phys_bits)); -- if (final_shift >= 64) { -- unsigned int rd = (val >> 25) & 0x1f; -- -- val = 0x80100000 | (rd << 25); -- } else { -- val |= final_shift; -- } -- *insn = val; -- -- __asm__ __volatile__("flush %0" -- : /* no outputs */ -- : "r" (insn)); --} -- --static void __init page_offset_shift_patch(unsigned long phys_bits) --{ -- extern unsigned int __page_offset_shift_patch; -- extern unsigned int __page_offset_shift_patch_end; -- unsigned int *p; -- -- p = &__page_offset_shift_patch; -- while (p < &__page_offset_shift_patch_end) { -- unsigned int *insn = (unsigned int *)(unsigned long)*p; -+unsigned long VMALLOC_END = 0x0000010000000000UL; -+EXPORT_SYMBOL(VMALLOC_END); - -- page_offset_shift_patch_one(insn, phys_bits); -- -- p++; -- } --} -+unsigned long sparc64_va_hole_top = 0xfffff80000000000UL; -+unsigned long sparc64_va_hole_bottom = 0x0000080000000000UL; - - static void __init setup_page_offset(void) - { -- unsigned long max_phys_bits = 40; -- - if (tlb_type == cheetah || tlb_type == cheetah_plus) { -+ /* Cheetah/Panther support a full 64-bit virtual -+ * address, so we can use all that our page tables -+ * support. -+ */ -+ sparc64_va_hole_top = 0xfff0000000000000UL; -+ sparc64_va_hole_bottom = 0x0010000000000000UL; -+ - max_phys_bits = 42; - } else if (tlb_type == hypervisor) { - switch (sun4v_chip_type) { - case SUN4V_CHIP_NIAGARA1: - case SUN4V_CHIP_NIAGARA2: -+ /* T1 and T2 support 48-bit virtual addresses. */ -+ sparc64_va_hole_top = 0xffff800000000000UL; -+ sparc64_va_hole_bottom = 0x0000800000000000UL; -+ - max_phys_bits = 39; - break; - case SUN4V_CHIP_NIAGARA3: -+ /* T3 supports 48-bit virtual addresses. 
*/ -+ sparc64_va_hole_top = 0xffff800000000000UL; -+ sparc64_va_hole_bottom = 0x0000800000000000UL; -+ - max_phys_bits = 43; - break; - case SUN4V_CHIP_NIAGARA4: - case SUN4V_CHIP_NIAGARA5: - case SUN4V_CHIP_SPARC64X: -- default: -+ case SUN4V_CHIP_SPARC_M6: -+ /* T4 and later support 52-bit virtual addresses. */ -+ sparc64_va_hole_top = 0xfff8000000000000UL; -+ sparc64_va_hole_bottom = 0x0008000000000000UL; - max_phys_bits = 47; - break; -+ case SUN4V_CHIP_SPARC_M7: -+ default: -+ /* M7 and later support 52-bit virtual addresses. */ -+ sparc64_va_hole_top = 0xfff8000000000000UL; -+ sparc64_va_hole_bottom = 0x0008000000000000UL; -+ max_phys_bits = 49; -+ break; - } - } - -@@ -1644,12 +1708,16 @@ static void __init setup_page_offset(void) - prom_halt(); - } - -- PAGE_OFFSET = PAGE_OFFSET_BY_BITS(max_phys_bits); -+ PAGE_OFFSET = sparc64_va_hole_top; -+ VMALLOC_END = ((sparc64_va_hole_bottom >> 1) + -+ (sparc64_va_hole_bottom >> 2)); - -- pr_info("PAGE_OFFSET is 0x%016lx (max_phys_bits == %lu)\n", -+ pr_info("MM: PAGE_OFFSET is 0x%016lx (max_phys_bits == %lu)\n", - PAGE_OFFSET, max_phys_bits); -- -- page_offset_shift_patch(max_phys_bits); -+ pr_info("MM: VMALLOC [0x%016lx --> 0x%016lx]\n", -+ VMALLOC_START, VMALLOC_END); -+ pr_info("MM: VMEMMAP [0x%016lx --> 0x%016lx]\n", -+ VMEMMAP_BASE, VMEMMAP_BASE << 1); - } - - static void __init tsb_phys_patch(void) -@@ -1694,21 +1762,42 @@ static void __init tsb_phys_patch(void) - #define NUM_KTSB_DESCR 1 - #endif - static struct hv_tsb_descr ktsb_descr[NUM_KTSB_DESCR]; --extern struct tsb swapper_tsb[KERNEL_TSB_NENTRIES]; -+ -+/* The swapper TSBs are loaded with a base sequence of: -+ * -+ * sethi %uhi(SYMBOL), REG1 -+ * sethi %hi(SYMBOL), REG2 -+ * or REG1, %ulo(SYMBOL), REG1 -+ * or REG2, %lo(SYMBOL), REG2 -+ * sllx REG1, 32, REG1 -+ * or REG1, REG2, REG1 -+ * -+ * When we use physical addressing for the TSB accesses, we patch the -+ * first four instructions in the above sequence. 
-+ */ - - static void patch_one_ktsb_phys(unsigned int *start, unsigned int *end, unsigned long pa) - { -- pa >>= KTSB_PHYS_SHIFT; -+ unsigned long high_bits, low_bits; -+ -+ high_bits = (pa >> 32) & 0xffffffff; -+ low_bits = (pa >> 0) & 0xffffffff; - - while (start < end) { - unsigned int *ia = (unsigned int *)(unsigned long)*start; - -- ia[0] = (ia[0] & ~0x3fffff) | (pa >> 10); -+ ia[0] = (ia[0] & ~0x3fffff) | (high_bits >> 10); - __asm__ __volatile__("flush %0" : : "r" (ia)); - -- ia[1] = (ia[1] & ~0x3ff) | (pa & 0x3ff); -+ ia[1] = (ia[1] & ~0x3fffff) | (low_bits >> 10); - __asm__ __volatile__("flush %0" : : "r" (ia + 1)); - -+ ia[2] = (ia[2] & ~0x1fff) | (high_bits & 0x3ff); -+ __asm__ __volatile__("flush %0" : : "r" (ia + 2)); -+ -+ ia[3] = (ia[3] & ~0x1fff) | (low_bits & 0x3ff); -+ __asm__ __volatile__("flush %0" : : "r" (ia + 3)); -+ - start++; - } - } -@@ -1847,7 +1936,6 @@ static void __init sun4v_linear_pte_xor_finalize(void) - /* paging_init() sets up the page tables */ - - static unsigned long last_valid_pfn; --pgd_t swapper_pg_dir[PTRS_PER_PGD]; - - static void sun4u_pgprot_init(void); - static void sun4v_pgprot_init(void); -@@ -1950,16 +2038,10 @@ void __init paging_init(void) - */ - init_mm.pgd += ((shift) / (sizeof(pgd_t))); - -- memset(swapper_low_pmd_dir, 0, sizeof(swapper_low_pmd_dir)); -+ memset(swapper_pg_dir, 0, sizeof(swapper_pg_dir)); - -- /* Now can init the kernel/bad page tables. */ -- pud_set(pud_offset(&swapper_pg_dir[0], 0), -- swapper_low_pmd_dir + (shift / sizeof(pgd_t))); -- - inherit_prom_mappings(); - -- init_kpte_bitmap(); -- - /* Ok, we can use our TLB miss and window trap handlers safely. */ - setup_tba(); - -@@ -2066,70 +2148,6 @@ int page_in_phys_avail(unsigned long paddr) - return 0; - } - --static struct linux_prom64_registers pavail_rescan[MAX_BANKS] __initdata; --static int pavail_rescan_ents __initdata; -- --/* Certain OBP calls, such as fetching "available" properties, can -- * claim physical memory. 
So, along with initializing the valid -- * address bitmap, what we do here is refetch the physical available -- * memory list again, and make sure it provides at least as much -- * memory as 'pavail' does. -- */ --static void __init setup_valid_addr_bitmap_from_pavail(unsigned long *bitmap) --{ -- int i; -- -- read_obp_memory("available", &pavail_rescan[0], &pavail_rescan_ents); -- -- for (i = 0; i < pavail_ents; i++) { -- unsigned long old_start, old_end; -- -- old_start = pavail[i].phys_addr; -- old_end = old_start + pavail[i].reg_size; -- while (old_start < old_end) { -- int n; -- -- for (n = 0; n < pavail_rescan_ents; n++) { -- unsigned long new_start, new_end; -- -- new_start = pavail_rescan[n].phys_addr; -- new_end = new_start + -- pavail_rescan[n].reg_size; -- -- if (new_start <= old_start && -- new_end >= (old_start + PAGE_SIZE)) { -- set_bit(old_start >> ILOG2_4MB, bitmap); -- goto do_next_page; -- } -- } -- -- prom_printf("mem_init: Lost memory in pavail\n"); -- prom_printf("mem_init: OLD start[%lx] size[%lx]\n", -- pavail[i].phys_addr, -- pavail[i].reg_size); -- prom_printf("mem_init: NEW start[%lx] size[%lx]\n", -- pavail_rescan[i].phys_addr, -- pavail_rescan[i].reg_size); -- prom_printf("mem_init: Cannot continue, aborting.\n"); -- prom_halt(); -- -- do_next_page: -- old_start += PAGE_SIZE; -- } -- } --} -- --static void __init patch_tlb_miss_handler_bitmap(void) --{ -- extern unsigned int valid_addr_bitmap_insn[]; -- extern unsigned int valid_addr_bitmap_patch[]; -- -- valid_addr_bitmap_insn[1] = valid_addr_bitmap_patch[1]; -- mb(); -- valid_addr_bitmap_insn[0] = valid_addr_bitmap_patch[0]; -- flushi(&valid_addr_bitmap_insn[0]); --} -- - static void __init register_page_bootmem_info(void) - { - #ifdef CONFIG_NEED_MULTIPLE_NODES -@@ -2142,18 +2160,6 @@ static void __init register_page_bootmem_info(void) - } - void __init mem_init(void) - { -- unsigned long addr, last; -- -- addr = PAGE_OFFSET + kern_base; -- last = PAGE_ALIGN(kern_size) + addr; -- 
while (addr < last) { -- set_bit(__pa(addr) >> ILOG2_4MB, sparc64_valid_addr_bitmap); -- addr += PAGE_SIZE; -- } -- -- setup_valid_addr_bitmap_from_pavail(sparc64_valid_addr_bitmap); -- patch_tlb_miss_handler_bitmap(); -- - high_memory = __va(last_valid_pfn << PAGE_SHIFT); - - register_page_bootmem_info(); -@@ -2243,18 +2249,9 @@ unsigned long _PAGE_CACHE __read_mostly; - EXPORT_SYMBOL(_PAGE_CACHE); - - #ifdef CONFIG_SPARSEMEM_VMEMMAP --unsigned long vmemmap_table[VMEMMAP_SIZE]; -- --static long __meminitdata addr_start, addr_end; --static int __meminitdata node_start; -- - int __meminit vmemmap_populate(unsigned long vstart, unsigned long vend, - int node) - { -- unsigned long phys_start = (vstart - VMEMMAP_BASE); -- unsigned long phys_end = (vend - VMEMMAP_BASE); -- unsigned long addr = phys_start & VMEMMAP_CHUNK_MASK; -- unsigned long end = VMEMMAP_ALIGN(phys_end); - unsigned long pte_base; - - pte_base = (_PAGE_VALID | _PAGE_SZ4MB_4U | -@@ -2265,47 +2262,52 @@ int __meminit vmemmap_populate(unsigned long vstart, unsigned long vend, - _PAGE_CP_4V | _PAGE_CV_4V | - _PAGE_P_4V | _PAGE_W_4V); - -- for (; addr < end; addr += VMEMMAP_CHUNK) { -- unsigned long *vmem_pp = -- vmemmap_table + (addr >> VMEMMAP_CHUNK_SHIFT); -- void *block; -+ pte_base |= _PAGE_PMD_HUGE; - -- if (!(*vmem_pp & _PAGE_VALID)) { -- block = vmemmap_alloc_block(1UL << ILOG2_4MB, node); -- if (!block) -+ vstart = vstart & PMD_MASK; -+ vend = ALIGN(vend, PMD_SIZE); -+ for (; vstart < vend; vstart += PMD_SIZE) { -+ pgd_t *pgd = pgd_offset_k(vstart); -+ unsigned long pte; -+ pud_t *pud; -+ pmd_t *pmd; -+ -+ if (pgd_none(*pgd)) { -+ pud_t *new = vmemmap_alloc_block(PAGE_SIZE, node); -+ -+ if (!new) - return -ENOMEM; -+ pgd_populate(&init_mm, pgd, new); -+ } - -- *vmem_pp = pte_base | __pa(block); -+ pud = pud_offset(pgd, vstart); -+ if (pud_none(*pud)) { -+ pmd_t *new = vmemmap_alloc_block(PAGE_SIZE, node); - -- /* check to see if we have contiguous blocks */ -- if (addr_end != addr || node_start != 
node) {
-- if (addr_start)
-- printk(KERN_DEBUG " [%lx-%lx] on node %d\n",
-- addr_start, addr_end-1, node_start);
-- addr_start = addr;
-- node_start = node;
-- }
-- addr_end = addr + VMEMMAP_CHUNK;
-+ if (!new)
-+ return -ENOMEM;
-+ pud_populate(&init_mm, pud, new);
- }
-- }
-- return 0;
--}
-
--void __meminit vmemmap_populate_print_last(void)
--{
-- if (addr_start) {
-- printk(KERN_DEBUG " [%lx-%lx] on node %d\n",
-- addr_start, addr_end-1, node_start);
-- addr_start = 0;
-- addr_end = 0;
-- node_start = 0;
-+ pmd = pmd_offset(pud, vstart);
-+
-+ pte = pmd_val(*pmd);
-+ if (!(pte & _PAGE_VALID)) {
-+ void *block = vmemmap_alloc_block(PMD_SIZE, node);
-+
-+ if (!block)
-+ return -ENOMEM;
-+
-+ pmd_val(*pmd) = pte_base | __pa(block);
-+ }
- }
-+
-+ return 0;
- }
-
- void vmemmap_free(unsigned long start, unsigned long end)
- {
- }
--
- #endif /* CONFIG_SPARSEMEM_VMEMMAP */
-
- static void prot_init_common(unsigned long page_none,
-@@ -2717,8 +2719,8 @@ void flush_tlb_kernel_range(unsigned long start, unsigned long end)
- do_flush_tlb_kernel_range(start, LOW_OBP_ADDRESS);
- }
- if (end > HI_OBP_ADDRESS) {
-- flush_tsb_kernel_range(end, HI_OBP_ADDRESS);
-- do_flush_tlb_kernel_range(end, HI_OBP_ADDRESS);
-+ flush_tsb_kernel_range(HI_OBP_ADDRESS, end);
-+ do_flush_tlb_kernel_range(HI_OBP_ADDRESS, end);
- }
- } else {
- flush_tsb_kernel_range(start, end);
-diff --git a/arch/sparc/mm/init_64.h b/arch/sparc/mm/init_64.h
-index 5d3782de..ac49119 100644
---- a/arch/sparc/mm/init_64.h
-+++ b/arch/sparc/mm/init_64.h
-@@ -8,15 +8,8 @@
- */
-
- #define MAX_PHYS_ADDRESS (1UL << MAX_PHYS_ADDRESS_BITS)
--#define KPTE_BITMAP_CHUNK_SZ (256UL * 1024UL * 1024UL)
--#define KPTE_BITMAP_BYTES \
-- ((MAX_PHYS_ADDRESS / KPTE_BITMAP_CHUNK_SZ) / 4)
--#define VALID_ADDR_BITMAP_CHUNK_SZ (4UL * 1024UL * 1024UL)
--#define VALID_ADDR_BITMAP_BYTES \
-- ((MAX_PHYS_ADDRESS / VALID_ADDR_BITMAP_CHUNK_SZ) / 8)
-
- extern unsigned long kern_linear_pte_xor[4];
--extern unsigned long
kpte_linear_bitmap[KPTE_BITMAP_BYTES / sizeof(unsigned long)];
- extern unsigned int sparc64_highest_unlocked_tlb_ent;
- extern unsigned long sparc64_kern_pri_context;
- extern unsigned long sparc64_kern_pri_nuc_bits;
-@@ -38,15 +31,4 @@ extern unsigned long kern_locked_tte_data;
-
- extern void prom_world(int enter);
-
--#ifdef CONFIG_SPARSEMEM_VMEMMAP
--#define VMEMMAP_CHUNK_SHIFT 22
--#define VMEMMAP_CHUNK (1UL << VMEMMAP_CHUNK_SHIFT)
--#define VMEMMAP_CHUNK_MASK ~(VMEMMAP_CHUNK - 1UL)
--#define VMEMMAP_ALIGN(x) (((x)+VMEMMAP_CHUNK-1UL)&VMEMMAP_CHUNK_MASK)
--
--#define VMEMMAP_SIZE ((((1UL << MAX_PHYSADDR_BITS) >> PAGE_SHIFT) * \
-- sizeof(struct page)) >> VMEMMAP_CHUNK_SHIFT)
--extern unsigned long vmemmap_table[VMEMMAP_SIZE];
--#endif
--
- #endif /* _SPARC64_MM_INIT_H */
-diff --git a/arch/sparc/power/hibernate_asm.S b/arch/sparc/power/hibernate_asm.S
-index 7994216..d7d9017 100644
---- a/arch/sparc/power/hibernate_asm.S
-+++ b/arch/sparc/power/hibernate_asm.S
-@@ -54,8 +54,8 @@ ENTRY(swsusp_arch_resume)
- nop
-
- /* Write PAGE_OFFSET to %g7 */
-- sethi %uhi(PAGE_OFFSET), %g7
-- sllx %g7, 32, %g7
-+ sethi %hi(PAGE_OFFSET), %g7
-+ ldx [%g7 + %lo(PAGE_OFFSET)], %g7
-
- setuw (PAGE_SIZE-8), %g3
-
-diff --git a/arch/sparc/prom/bootstr_64.c b/arch/sparc/prom/bootstr_64.c
-index ab9ccc6..7149e77 100644
---- a/arch/sparc/prom/bootstr_64.c
-+++ b/arch/sparc/prom/bootstr_64.c
-@@ -14,7 +14,10 @@
- * the .bss section or it will break things.
- */
-
--#define BARG_LEN 256
-+/* We limit BARG_LEN to 1024 because this is the size of the
-+ * 'barg_out' command line buffer in the SILO bootloader.
-+ */
-+#define BARG_LEN 1024
- struct {
- int bootstr_len;
- int bootstr_valid;
-diff --git a/arch/sparc/prom/cif.S b/arch/sparc/prom/cif.S
-index 9c86b4b..8050f38 100644
---- a/arch/sparc/prom/cif.S
-+++ b/arch/sparc/prom/cif.S
-@@ -11,11 +11,10 @@
- .text
- .globl prom_cif_direct
- prom_cif_direct:
-+ save %sp, -192, %sp
- sethi %hi(p1275buf), %o1
- or %o1, %lo(p1275buf), %o1
-- ldx [%o1 + 0x0010], %o2 ! prom_cif_stack
-- save %o2, -192, %sp
-- ldx [%i1 + 0x0008], %l2 ! prom_cif_handler
-+ ldx [%o1 + 0x0008], %l2 ! prom_cif_handler
- mov %g4, %l0
- mov %g5, %l1
- mov %g6, %l3
-diff --git a/arch/sparc/prom/init_64.c b/arch/sparc/prom/init_64.c
-index d95db75..110b0d7 100644
---- a/arch/sparc/prom/init_64.c
-+++ b/arch/sparc/prom/init_64.c
-@@ -26,13 +26,13 @@ phandle prom_chosen_node;
- * It gets passed the pointer to the PROM vector.
- */
-
--extern void prom_cif_init(void *, void *);
-+extern void prom_cif_init(void *);
-
--void __init prom_init(void *cif_handler, void *cif_stack)
-+void __init prom_init(void *cif_handler)
- {
- phandle node;
-
-- prom_cif_init(cif_handler, cif_stack);
-+ prom_cif_init(cif_handler);
-
- prom_chosen_node = prom_finddevice(prom_chosen_path);
- if (!prom_chosen_node || (s32)prom_chosen_node == -1)
-diff --git a/arch/sparc/prom/p1275.c b/arch/sparc/prom/p1275.c
-index e58b817..545d8bb 100644
---- a/arch/sparc/prom/p1275.c
-+++ b/arch/sparc/prom/p1275.c
-@@ -9,6 +9,7 @@
- #include <linux/smp.h>
- #include <linux/string.h>
- #include <linux/spinlock.h>
-+#include <linux/irqflags.h>
-
- #include <asm/openprom.h>
- #include <asm/oplib.h>
-@@ -19,7 +20,6 @@
- struct {
- long prom_callback; /* 0x00 */
- void (*prom_cif_handler)(long *); /* 0x08 */
-- unsigned long prom_cif_stack; /* 0x10 */
- } p1275buf;
-
- extern void prom_world(int);
-@@ -36,8 +36,8 @@ void p1275_cmd_direct(unsigned long *args)
- {
- unsigned long flags;
-
-- raw_local_save_flags(flags);
-- raw_local_irq_restore((unsigned long)PIL_NMI);
-+ local_save_flags(flags);
-+
local_irq_restore((unsigned long)PIL_NMI);
- raw_spin_lock(&prom_entry_lock);
-
- prom_world(1);
-@@ -45,11 +45,10 @@ void p1275_cmd_direct(unsigned long *args)
- prom_world(0);
-
- raw_spin_unlock(&prom_entry_lock);
-- raw_local_irq_restore(flags);
-+ local_irq_restore(flags);
- }
-
- void prom_cif_init(void *cif_handler, void *cif_stack)
- {
- p1275buf.prom_cif_handler = (void (*)(long *))cif_handler;
-- p1275buf.prom_cif_stack = (unsigned long)cif_stack;
- }
-diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
-index d71d5ac..ac63ea4 100644
---- a/arch/x86/include/asm/kvm_host.h
-+++ b/arch/x86/include/asm/kvm_host.h
-@@ -480,6 +480,7 @@ struct kvm_vcpu_arch {
- u64 mmio_gva;
- unsigned access;
- gfn_t mmio_gfn;
-+ u64 mmio_gen;
-
- struct kvm_pmu pmu;
-
-diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
-index 5cd9bfa..c1a07d3 100644
---- a/arch/x86/kernel/cpu/intel.c
-+++ b/arch/x86/kernel/cpu/intel.c
-@@ -153,6 +153,21 @@ static void early_init_intel(struct cpuinfo_x86 *c)
- setup_clear_cpu_cap(X86_FEATURE_ERMS);
- }
- }
-+
-+ /*
-+ * Intel Quark Core DevMan_001.pdf section 6.4.11
-+ * "The operating system also is required to invalidate (i.e., flush)
-+ * the TLB when any changes are made to any of the page table entries.
-+ * The operating system must reload CR3 to cause the TLB to be flushed"
-+ *
-+ * As a result cpu_has_pge() in arch/x86/include/asm/tlbflush.h should
-+ * be false so that __flush_tlb_all() causes CR3 insted of CR4.PGE
-+ * to be modified
-+ */
-+ if (c->x86 == 5 && c->x86_model == 9) {
-+ pr_info("Disabling PGE capability bit\n");
-+ setup_clear_cpu_cap(X86_FEATURE_PGE);
-+ }
- }
-
- #ifdef CONFIG_X86_32
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index 9b53135..49088b8 100644
---- a/arch/x86/kvm/mmu.c
-+++ b/arch/x86/kvm/mmu.c
-@@ -198,16 +198,20 @@ void kvm_mmu_set_mmio_spte_mask(u64 mmio_mask)
- EXPORT_SYMBOL_GPL(kvm_mmu_set_mmio_spte_mask);
-
- /*
-- * spte bits of bit 3 ~ bit 11 are used as low 9 bits of generation number,
-- * the bits of bits 52 ~ bit 61 are used as high 10 bits of generation
-- * number.
-+ * the low bit of the generation number is always presumed to be zero.
-+ * This disables mmio caching during memslot updates. The concept is
-+ * similar to a seqcount but instead of retrying the access we just punt
-+ * and ignore the cache.
-+ *
-+ * spte bits 3-11 are used as bits 1-9 of the generation number,
-+ * the bits 52-61 are used as bits 10-19 of the generation number.
- */
--#define MMIO_SPTE_GEN_LOW_SHIFT 3
-+#define MMIO_SPTE_GEN_LOW_SHIFT 2
- #define MMIO_SPTE_GEN_HIGH_SHIFT 52
-
--#define MMIO_GEN_SHIFT 19
--#define MMIO_GEN_LOW_SHIFT 9
--#define MMIO_GEN_LOW_MASK ((1 << MMIO_GEN_LOW_SHIFT) - 1)
-+#define MMIO_GEN_SHIFT 20
-+#define MMIO_GEN_LOW_SHIFT 10
-+#define MMIO_GEN_LOW_MASK ((1 << MMIO_GEN_LOW_SHIFT) - 2)
- #define MMIO_GEN_MASK ((1 << MMIO_GEN_SHIFT) - 1)
- #define MMIO_MAX_GEN ((1 << MMIO_GEN_SHIFT) - 1)
-
-@@ -3157,7 +3161,7 @@ static void mmu_sync_roots(struct kvm_vcpu *vcpu)
- if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
- return;
-
-- vcpu_clear_mmio_info(vcpu, ~0ul);
-+ vcpu_clear_mmio_info(vcpu, MMIO_GVA_ANY);
- kvm_mmu_audit(vcpu, AUDIT_PRE_SYNC);
- if (vcpu->arch.mmu.root_level == PT64_ROOT_LEVEL) {
- hpa_t root = vcpu->arch.mmu.root_hpa;
-@@ -4379,7 +4383,7 @@ void kvm_mmu_invalidate_mmio_sptes(struct kvm *kvm)
- * The very rare case: if the generation-number is round,
- * zap all shadow pages.
- */
-- if (unlikely(kvm_current_mmio_generation(kvm) >= MMIO_MAX_GEN)) {
-+ if (unlikely(kvm_current_mmio_generation(kvm) == 0)) {
- printk_ratelimited(KERN_INFO "kvm: zapping shadow pages for mmio generation wraparound\n");
- kvm_mmu_invalidate_zap_all_pages(kvm);
- }
-diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
-index 8da5823..21ea4fc 100644
---- a/arch/x86/kvm/x86.h
-+++ b/arch/x86/kvm/x86.h
-@@ -78,15 +78,23 @@ static inline void vcpu_cache_mmio_info(struct kvm_vcpu *vcpu,
- vcpu->arch.mmio_gva = gva & PAGE_MASK;
- vcpu->arch.access = access;
- vcpu->arch.mmio_gfn = gfn;
-+ vcpu->arch.mmio_gen = kvm_memslots(vcpu->kvm)->generation;
-+}
-+
-+static inline bool vcpu_match_mmio_gen(struct kvm_vcpu *vcpu)
-+{
-+ return vcpu->arch.mmio_gen == kvm_memslots(vcpu->kvm)->generation;
- }
-
- /*
-- * Clear the mmio cache info for the given gva,
-- * specially, if gva is ~0ul, we clear all mmio cache info.
-+ * Clear the mmio cache info for the given gva. If gva is MMIO_GVA_ANY, we
-+ * clear all mmio cache info.
- */
-+#define MMIO_GVA_ANY (~(gva_t)0)
-+
- static inline void vcpu_clear_mmio_info(struct kvm_vcpu *vcpu, gva_t gva)
- {
-- if (gva != (~0ul) && vcpu->arch.mmio_gva != (gva & PAGE_MASK))
-+ if (gva != MMIO_GVA_ANY && vcpu->arch.mmio_gva != (gva & PAGE_MASK))
- return;
-
- vcpu->arch.mmio_gva = 0;
-@@ -94,7 +102,8 @@ static inline void vcpu_clear_mmio_info(struct kvm_vcpu *vcpu, gva_t gva)
-
- static inline bool vcpu_match_mmio_gva(struct kvm_vcpu *vcpu, unsigned long gva)
- {
-- if (vcpu->arch.mmio_gva && vcpu->arch.mmio_gva == (gva & PAGE_MASK))
-+ if (vcpu_match_mmio_gen(vcpu) && vcpu->arch.mmio_gva &&
-+ vcpu->arch.mmio_gva == (gva & PAGE_MASK))
- return true;
-
- return false;
-@@ -102,7 +111,8 @@ static inline bool vcpu_match_mmio_gva(struct kvm_vcpu *vcpu, unsigned long gva)
-
- static inline bool vcpu_match_mmio_gpa(struct kvm_vcpu *vcpu, gpa_t gpa)
- {
-- if (vcpu->arch.mmio_gfn && vcpu->arch.mmio_gfn == gpa >> PAGE_SHIFT)
-+ if (vcpu_match_mmio_gen(vcpu) && vcpu->arch.mmio_gfn &&
-+ vcpu->arch.mmio_gfn == gpa >> PAGE_SHIFT)
- return true;
-
- return false;
-diff --git a/crypto/async_tx/async_xor.c b/crypto/async_tx/async_xor.c
-index 3c562f5..e1bce26 100644
---- a/crypto/async_tx/async_xor.c
-+++ b/crypto/async_tx/async_xor.c
-@@ -78,8 +78,6 @@ do_async_xor(struct dma_chan *chan, struct dmaengine_unmap_data *unmap,
- tx = dma->device_prep_dma_xor(chan, dma_dest, src_list,
- xor_src_cnt, unmap->len,
- dma_flags);
-- src_list[0] = tmp;
--
-
- if (unlikely(!tx))
- async_tx_quiesce(&submit->depend_tx);
-@@ -92,6 +90,7 @@ do_async_xor(struct dma_chan *chan, struct dmaengine_unmap_data *unmap,
- xor_src_cnt, unmap->len,
- dma_flags);
- }
-+ src_list[0] = tmp;
-
- dma_set_unmap(tx, unmap);
- async_tx_submit(chan, tx, submit);
-diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
-index c30df50e..2495ee5 100644
---- a/drivers/base/firmware_class.c
-+++ b/drivers/base/firmware_class.c
-@@ -1081,6 +1081,9 @@ _request_firmware(const struct
firmware **firmware_p, const char *name,
- if (!firmware_p)
- return -EINVAL;
-
-+ if (!name || name[0] == '\0')
-+ return -EINVAL;
-+
- ret = _request_firmware_prepare(&fw, name, device);
- if (ret <= 0) /* error or already assigned */
- goto out;
-diff --git a/drivers/base/regmap/regmap-debugfs.c b/drivers/base/regmap/regmap-debugfs.c
-index c5471cd..d39fd61 100644
---- a/drivers/base/regmap/regmap-debugfs.c
-+++ b/drivers/base/regmap/regmap-debugfs.c
-@@ -473,6 +473,7 @@ void regmap_debugfs_init(struct regmap *map, const char *name)
- {
- struct rb_node *next;
- struct regmap_range_node *range_node;
-+ const char *devname = "dummy";
-
- /* If we don't have the debugfs root yet, postpone init */
- if (!regmap_debugfs_root) {
-@@ -491,12 +492,15 @@ void regmap_debugfs_init(struct regmap *map, const char *name)
- INIT_LIST_HEAD(&map->debugfs_off_cache);
- mutex_init(&map->cache_lock);
-
-+ if (map->dev)
-+ devname = dev_name(map->dev);
-+
- if (name) {
- map->debugfs_name = kasprintf(GFP_KERNEL, "%s-%s",
-- dev_name(map->dev), name);
-+ devname, name);
- name = map->debugfs_name;
- } else {
-- name = dev_name(map->dev);
-+ name = devname;
- }
-
- map->debugfs = debugfs_create_dir(name, regmap_debugfs_root);
-diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
-index 2ea056c..f6cff3b 100644
---- a/drivers/base/regmap/regmap.c
-+++ b/drivers/base/regmap/regmap.c
-@@ -1308,7 +1308,7 @@ int _regmap_write(struct regmap *map, unsigned int reg,
- }
-
- #ifdef LOG_DEVICE
-- if (strcmp(dev_name(map->dev), LOG_DEVICE) == 0)
-+ if (map->dev && strcmp(dev_name(map->dev), LOG_DEVICE) == 0)
- dev_info(map->dev, "%x <= %x\n", reg, val);
- #endif
-
-@@ -1557,6 +1557,9 @@ int regmap_bulk_write(struct regmap *map, unsigned int reg, const void *val,
- } else {
- void *wval;
-
-+ if (!val_count)
-+ return -EINVAL;
-+
- wval = kmemdup(val, val_count * val_bytes, GFP_KERNEL);
- if (!wval) {
- ret = -ENOMEM;
-@@ -1739,7 +1742,7 @@ static int _regmap_read(struct
regmap *map, unsigned int reg,
- ret = map->reg_read(context, reg, val);
- if (ret == 0) {
- #ifdef LOG_DEVICE
-- if (strcmp(dev_name(map->dev), LOG_DEVICE) == 0)
-+ if (map->dev && strcmp(dev_name(map->dev), LOG_DEVICE) == 0)
- dev_info(map->dev, "%x => %x\n", reg, *val);
- #endif
-
-diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
-index 1c7b504..e00c3f8 100644
---- a/drivers/bluetooth/btusb.c
-+++ b/drivers/bluetooth/btusb.c
-@@ -309,6 +309,9 @@ static void btusb_intr_complete(struct urb *urb)
- BT_ERR("%s corrupted event packet", hdev->name);
- hdev->stat.err_rx++;
- }
-+ } else if (urb->status == -ENOENT) {
-+ /* Avoid suspend failed when usb_kill_urb */
-+ return;
- }
-
- if (!test_bit(BTUSB_INTR_RUNNING, &data->flags))
-@@ -397,6 +400,9 @@ static void btusb_bulk_complete(struct urb *urb)
- BT_ERR("%s corrupted ACL packet", hdev->name);
- hdev->stat.err_rx++;
- }
-+ } else if (urb->status == -ENOENT) {
-+ /* Avoid suspend failed when usb_kill_urb */
-+ return;
- }
-
- if (!test_bit(BTUSB_BULK_RUNNING, &data->flags))
-@@ -491,6 +497,9 @@ static void btusb_isoc_complete(struct urb *urb)
- hdev->stat.err_rx++;
- }
- }
-+ } else if (urb->status == -ENOENT) {
-+ /* Avoid suspend failed when usb_kill_urb */
-+ return;
- }
-
- if (!test_bit(BTUSB_ISOC_RUNNING, &data->flags))
-diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c
-index e36a024..5651992 100644
---- a/drivers/bluetooth/hci_h5.c
-+++ b/drivers/bluetooth/hci_h5.c
-@@ -237,7 +237,7 @@ static void h5_pkt_cull(struct h5 *h5)
- break;
-
- to_remove--;
-- seq = (seq - 1) % 8;
-+ seq = (seq - 1) & 0x07;
- }
-
- if (seq != h5->rx_ack)
-diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
-index 69ea36f..e99e71a 100644
---- a/drivers/hv/channel.c
-+++ b/drivers/hv/channel.c
-@@ -164,8 +164,10 @@ int vmbus_open(struct vmbus_channel *newchannel, u32 send_ringbuffer_size,
- ret = vmbus_post_msg(open_msg,
- sizeof(struct vmbus_channel_open_channel));
-
-- if (ret != 0)
-+ if
(ret != 0) {
-+ err = ret;
- goto error1;
-+ }
-
- t = wait_for_completion_timeout(&open_info->waitevent, 5*HZ);
- if (t == 0) {
-@@ -362,7 +364,6 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
- u32 next_gpadl_handle;
- unsigned long flags;
- int ret = 0;
-- int t;
-
- next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle);
- atomic_inc(&vmbus_connection.next_gpadl_handle);
-@@ -409,9 +410,7 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
-
- }
- }
-- t = wait_for_completion_timeout(&msginfo->waitevent, 5*HZ);
-- BUG_ON(t == 0);
--
-+ wait_for_completion(&msginfo->waitevent);
-
- /* At this point, we received the gpadl created msg */
- *gpadl_handle = gpadlmsg->gpadl;
-@@ -434,7 +433,7 @@ int vmbus_teardown_gpadl(struct vmbus_channel *channel, u32 gpadl_handle)
- struct vmbus_channel_gpadl_teardown *msg;
- struct vmbus_channel_msginfo *info;
- unsigned long flags;
-- int ret, t;
-+ int ret;
-
- info = kmalloc(sizeof(*info) +
- sizeof(struct vmbus_channel_gpadl_teardown), GFP_KERNEL);
-@@ -456,11 +455,12 @@ int vmbus_teardown_gpadl(struct vmbus_channel *channel, u32 gpadl_handle)
- ret = vmbus_post_msg(msg,
- sizeof(struct vmbus_channel_gpadl_teardown));
-
-- BUG_ON(ret != 0);
-- t = wait_for_completion_timeout(&info->waitevent, 5*HZ);
-- BUG_ON(t == 0);
-+ if (ret)
-+ goto post_msg_err;
-+
-+ wait_for_completion(&info->waitevent);
-
-- /* Received a torndown response */
-+post_msg_err:
- spin_lock_irqsave(&vmbus_connection.channelmsg_lock, flags);
- list_del(&info->msglistentry);
- spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags);
-@@ -470,7 +470,7 @@ int vmbus_teardown_gpadl(struct vmbus_channel *channel, u32 gpadl_handle)
- }
- EXPORT_SYMBOL_GPL(vmbus_teardown_gpadl);
-
--static void vmbus_close_internal(struct vmbus_channel *channel)
-+static int vmbus_close_internal(struct vmbus_channel *channel)
- {
- struct vmbus_channel_close_channel *msg;
- int ret;
-@@ -492,11 +492,28 @@
static void vmbus_close_internal(struct vmbus_channel *channel)
-
- ret = vmbus_post_msg(msg, sizeof(struct vmbus_channel_close_channel));
-
-- BUG_ON(ret != 0);
-+ if (ret) {
-+ pr_err("Close failed: close post msg return is %d\n", ret);
-+ /*
-+ * If we failed to post the close msg,
-+ * it is perhaps better to leak memory.
-+ */
-+ return ret;
-+ }
-+
- /* Tear down the gpadl for the channel's ring buffer */
-- if (channel->ringbuffer_gpadlhandle)
-- vmbus_teardown_gpadl(channel,
-- channel->ringbuffer_gpadlhandle);
-+ if (channel->ringbuffer_gpadlhandle) {
-+ ret = vmbus_teardown_gpadl(channel,
-+ channel->ringbuffer_gpadlhandle);
-+ if (ret) {
-+ pr_err("Close failed: teardown gpadl return %d\n", ret);
-+ /*
-+ * If we failed to teardown gpadl,
-+ * it is perhaps better to leak memory.
-+ */
-+ return ret;
-+ }
-+ }
-
- /* Cleanup the ring buffers for this channel */
- hv_ringbuffer_cleanup(&channel->outbound);
-@@ -505,7 +522,7 @@ static void vmbus_close_internal(struct vmbus_channel *channel)
- free_pages((unsigned long)channel->ringbuffer_pages,
- get_order(channel->ringbuffer_pagecount * PAGE_SIZE));
-
--
-+ return ret;
- }
-
- /*
-diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c
-index ce5a9f2..d8fd95c 100644
---- a/drivers/hv/connection.c
-+++ b/drivers/hv/connection.c
-@@ -408,10 +408,21 @@ int vmbus_post_msg(void *buffer, size_t buflen)
- * insufficient resources. Retry the operation a couple of
- * times before giving up.
- */
-- while (retries < 3) {
-- ret = hv_post_message(conn_id, 1, buffer, buflen);
-- if (ret != HV_STATUS_INSUFFICIENT_BUFFERS)
-+ while (retries < 10) {
-+ ret = hv_post_message(conn_id, 1, buffer, buflen);
-+
-+ switch (ret) {
-+ case HV_STATUS_INSUFFICIENT_BUFFERS:
-+ ret = -ENOMEM;
-+ case -ENOMEM:
-+ break;
-+ case HV_STATUS_SUCCESS:
- return ret;
-+ default:
-+ pr_err("hv_post_msg() failed; error code:%d\n", ret);
-+ return -EINVAL;
-+ }
-+
- retries++;
- msleep(100);
- }
-diff --git a/drivers/message/fusion/mptspi.c b/drivers/message/fusion/mptspi.c
-index 5653e50..424f51d 100644
---- a/drivers/message/fusion/mptspi.c
-+++ b/drivers/message/fusion/mptspi.c
-@@ -1422,6 +1422,11 @@ mptspi_probe(struct pci_dev *pdev, const struct pci_device_id *id)
- goto out_mptspi_probe;
- }
-
-+ /* VMWare emulation doesn't properly implement WRITE_SAME
-+ */
-+ if (pdev->subsystem_vendor == 0x15AD)
-+ sh->no_write_same = 1;
-+
- spin_lock_irqsave(&ioc->FreeQlock, flags);
-
- /* Attach the SCSI Host to the IOC structure
-diff --git a/drivers/misc/mei/bus.c b/drivers/misc/mei/bus.c
-index 4bc7d62..9a07bba 100644
---- a/drivers/misc/mei/bus.c
-+++ b/drivers/misc/mei/bus.c
-@@ -71,7 +71,7 @@ static int mei_cl_device_probe(struct device *dev)
-
- dev_dbg(dev, "Device probe\n");
-
-- strncpy(id.name, dev_name(dev), sizeof(id.name));
-+ strlcpy(id.name, dev_name(dev), sizeof(id.name));
-
- return driver->probe(device, &id);
- }
-diff --git a/drivers/net/wireless/iwlwifi/pcie/drv.c b/drivers/net/wireless/iwlwifi/pcie/drv.c
-index df1f5e7..1ac33d9 100644
---- a/drivers/net/wireless/iwlwifi/pcie/drv.c
-+++ b/drivers/net/wireless/iwlwifi/pcie/drv.c
-@@ -272,6 +272,8 @@ static DEFINE_PCI_DEVICE_TABLE(iwl_hw_card_ids) = {
- {IWL_PCI_DEVICE(0x08B1, 0x4070, iwl7260_2ac_cfg)},
- {IWL_PCI_DEVICE(0x08B1, 0x4072, iwl7260_2ac_cfg)},
- {IWL_PCI_DEVICE(0x08B1, 0x4170, iwl7260_2ac_cfg)},
-+ {IWL_PCI_DEVICE(0x08B1, 0x4C60, iwl7260_2ac_cfg)},
-+ {IWL_PCI_DEVICE(0x08B1, 0x4C70, iwl7260_2ac_cfg)},
-
{IWL_PCI_DEVICE(0x08B1, 0x4060, iwl7260_2n_cfg)},
- {IWL_PCI_DEVICE(0x08B1, 0x406A, iwl7260_2n_cfg)},
- {IWL_PCI_DEVICE(0x08B1, 0x4160, iwl7260_2n_cfg)},
-@@ -315,6 +317,8 @@ static DEFINE_PCI_DEVICE_TABLE(iwl_hw_card_ids) = {
- {IWL_PCI_DEVICE(0x08B1, 0xC770, iwl7260_2ac_cfg)},
- {IWL_PCI_DEVICE(0x08B1, 0xC760, iwl7260_2n_cfg)},
- {IWL_PCI_DEVICE(0x08B2, 0xC270, iwl7260_2ac_cfg)},
-+ {IWL_PCI_DEVICE(0x08B1, 0xCC70, iwl7260_2ac_cfg)},
-+ {IWL_PCI_DEVICE(0x08B1, 0xCC60, iwl7260_2ac_cfg)},
- {IWL_PCI_DEVICE(0x08B2, 0xC272, iwl7260_2ac_cfg)},
- {IWL_PCI_DEVICE(0x08B2, 0xC260, iwl7260_2n_cfg)},
- {IWL_PCI_DEVICE(0x08B2, 0xC26A, iwl7260_n_cfg)},
-diff --git a/drivers/net/wireless/rt2x00/rt2800.h b/drivers/net/wireless/rt2x00/rt2800.h
-index a394a9a..7cf6081 100644
---- a/drivers/net/wireless/rt2x00/rt2800.h
-+++ b/drivers/net/wireless/rt2x00/rt2800.h
-@@ -2039,7 +2039,7 @@ struct mac_iveiv_entry {
- * 2 - drop tx power by 12dBm,
- * 3 - increase tx power by 6dBm
- */
--#define BBP1_TX_POWER_CTRL FIELD8(0x07)
-+#define BBP1_TX_POWER_CTRL FIELD8(0x03)
- #define BBP1_TX_ANTENNA FIELD8(0x18)
-
- /*
-diff --git a/drivers/pci/host/pci-mvebu.c b/drivers/pci/host/pci-mvebu.c
-index 483d9ad..9773667 100644
---- a/drivers/pci/host/pci-mvebu.c
-+++ b/drivers/pci/host/pci-mvebu.c
-@@ -855,7 +855,7 @@ static int mvebu_get_tgt_attr(struct device_node *np, int devfn,
- rangesz = pna + na + ns;
- nranges = rlen / sizeof(__be32) / rangesz;
-
-- for (i = 0; i < nranges; i++) {
-+ for (i = 0; i < nranges; i++, range += rangesz) {
- u32 flags = of_read_number(range, 1);
- u32 slot = of_read_number(range + 1, 1);
- u64 cpuaddr = of_read_number(range + na, pna);
-@@ -865,14 +865,14 @@ static int mvebu_get_tgt_attr(struct device_node *np, int devfn,
- rtype = IORESOURCE_IO;
- else if (DT_FLAGS_TO_TYPE(flags) == DT_TYPE_MEM32)
- rtype = IORESOURCE_MEM;
-+ else
-+ continue;
-
- if (slot == PCI_SLOT(devfn) && type == rtype) {
- *tgt = DT_CPUADDR_TO_TARGET(cpuaddr);
- *attr =
DT_CPUADDR_TO_ATTR(cpuaddr);
- return 0;
- }
--
-- range += rangesz;
- }
-
- return -ENOENT;
-diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index 276ef9c..39a207a 100644
---- a/drivers/pci/pci-sysfs.c
-+++ b/drivers/pci/pci-sysfs.c
-@@ -178,7 +178,7 @@ static ssize_t modalias_show(struct device *dev, struct device_attribute *attr,
- {
- struct pci_dev *pci_dev = to_pci_dev(dev);
-
-- return sprintf(buf, "pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02x\n",
-+ return sprintf(buf, "pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02X\n",
- pci_dev->vendor, pci_dev->device,
- pci_dev->subsystem_vendor, pci_dev->subsystem_device,
- (u8)(pci_dev->class >> 16), (u8)(pci_dev->class >> 8),
-diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
-index 813f437..6e8776b 100644
---- a/drivers/pci/quirks.c
-+++ b/drivers/pci/quirks.c
-@@ -24,6 +24,7 @@
- #include <linux/ioport.h>
- #include <linux/sched.h>
- #include <linux/ktime.h>
-+#include <linux/mm.h>
- #include <asm/dma.h> /* isa_dma_bridge_buggy */
- #include "pci.h"
-
-@@ -287,6 +288,25 @@ static void quirk_citrine(struct pci_dev *dev)
- }
- DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_IBM, PCI_DEVICE_ID_IBM_CITRINE, quirk_citrine);
-
-+/* On IBM Crocodile ipr SAS adapters, expand BAR to system page size */
-+static void quirk_extend_bar_to_page(struct pci_dev *dev)
-+{
-+ int i;
-+
-+ for (i = 0; i < PCI_STD_RESOURCE_END; i++) {
-+ struct resource *r = &dev->resource[i];
-+
-+ if (r->flags & IORESOURCE_MEM && resource_size(r) < PAGE_SIZE) {
-+ r->end = PAGE_SIZE - 1;
-+ r->start = 0;
-+ r->flags |= IORESOURCE_UNSET;
-+ dev_info(&dev->dev, "expanded BAR %d to page size: %pR\n",
-+ i, r);
-+ }
-+ }
-+}
-+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_IBM, 0x034a, quirk_extend_bar_to_page);
-+
- /*
- * S3 868 and 968 chips report region size equal to 32M, but they decode 64M.
- * If it's needed, re-allocate the region.
-diff --git a/drivers/scsi/be2iscsi/be_mgmt.c b/drivers/scsi/be2iscsi/be_mgmt.c
-index b2fcac7..5bb9406 100644
---- a/drivers/scsi/be2iscsi/be_mgmt.c
-+++ b/drivers/scsi/be2iscsi/be_mgmt.c
-@@ -897,17 +897,20 @@ mgmt_static_ip_modify(struct beiscsi_hba *phba,
-
- if (ip_action == IP_ACTION_ADD) {
- memcpy(req->ip_params.ip_record.ip_addr.addr, ip_param->value,
-- ip_param->len);
-+ sizeof(req->ip_params.ip_record.ip_addr.addr));
-
- if (subnet_param)
- memcpy(req->ip_params.ip_record.ip_addr.subnet_mask,
-- subnet_param->value, subnet_param->len);
-+ subnet_param->value,
-+ sizeof(req->ip_params.ip_record.ip_addr.subnet_mask));
- } else {
- memcpy(req->ip_params.ip_record.ip_addr.addr,
-- if_info->ip_addr.addr, ip_param->len);
-+ if_info->ip_addr.addr,
-+ sizeof(req->ip_params.ip_record.ip_addr.addr));
-
- memcpy(req->ip_params.ip_record.ip_addr.subnet_mask,
-- if_info->ip_addr.subnet_mask, ip_param->len);
-+ if_info->ip_addr.subnet_mask,
-+ sizeof(req->ip_params.ip_record.ip_addr.subnet_mask));
- }
-
- rc = mgmt_exec_nonemb_cmd(phba, &nonemb_cmd, NULL, 0);
-@@ -935,7 +938,7 @@ static int mgmt_modify_gateway(struct beiscsi_hba *phba, uint8_t *gt_addr,
- req->action = gtway_action;
- req->ip_addr.ip_type = BE2_IPV4;
-
-- memcpy(req->ip_addr.addr, gt_addr, param_len);
-+ memcpy(req->ip_addr.addr, gt_addr, sizeof(req->ip_addr.addr));
-
- return mgmt_exec_nonemb_cmd(phba, &nonemb_cmd, NULL, 0);
- }
-diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
-index 83cb612..23c1b0c 100644
---- a/drivers/scsi/qla2xxx/qla_os.c
-+++ b/drivers/scsi/qla2xxx/qla_os.c
-@@ -3039,10 +3039,8 @@ qla2x00_unmap_iobases(struct qla_hw_data *ha)
- }
-
- static void
--qla2x00_clear_drv_active(scsi_qla_host_t *vha)
-+qla2x00_clear_drv_active(struct qla_hw_data *ha)
- {
-- struct qla_hw_data *ha = vha->hw;
--
- if (IS_QLA8044(ha)) {
- qla8044_idc_lock(ha);
- qla8044_clear_drv_active(ha);
-@@ -3111,7 +3109,7 @@ qla2x00_remove_one(struct pci_dev *pdev)
-
-
scsi_host_put(base_vha->host);
-
-- qla2x00_clear_drv_active(base_vha);
-+ qla2x00_clear_drv_active(ha);
-
- qla2x00_unmap_iobases(ha);
-
-diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
-index 0cb7307..2f264ac 100644
---- a/drivers/scsi/qla2xxx/qla_target.c
-+++ b/drivers/scsi/qla2xxx/qla_target.c
-@@ -1382,12 +1382,10 @@ static inline void qlt_unmap_sg(struct scsi_qla_host *vha,
- static int qlt_check_reserve_free_req(struct scsi_qla_host *vha,
- uint32_t req_cnt)
- {
-- struct qla_hw_data *ha = vha->hw;
-- device_reg_t __iomem *reg = ha->iobase;
- uint32_t cnt;
-
- if (vha->req->cnt < (req_cnt + 2)) {
-- cnt = (uint16_t)RD_REG_DWORD(®->isp24.req_q_out);
-+ cnt = (uint16_t)RD_REG_DWORD(vha->req->req_q_out);
-
- ql_dbg(ql_dbg_tgt, vha, 0xe00a,
- "Request ring circled: cnt=%d, vha->->ring_index=%d, "
-diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c
-index 6d207af..a4c45ea 100644
---- a/drivers/spi/spi-dw-mid.c
-+++ b/drivers/spi/spi-dw-mid.c
-@@ -89,7 +89,13 @@ err_exit:
-
- static void mid_spi_dma_exit(struct dw_spi *dws)
- {
-+ if (!dws->dma_inited)
-+ return;
-+
-+ dmaengine_terminate_all(dws->txchan);
- dma_release_channel(dws->txchan);
-+
-+ dmaengine_terminate_all(dws->rxchan);
- dma_release_channel(dws->rxchan);
- }
-
-@@ -136,7 +142,7 @@ static int mid_spi_dma_transfer(struct dw_spi *dws, int cs_change)
- txconf.dst_addr = dws->dma_addr;
- txconf.dst_maxburst = LNW_DMA_MSIZE_16;
- txconf.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
-- txconf.dst_addr_width = DMA_SLAVE_BUSWIDTH_2_BYTES;
-+ txconf.dst_addr_width = dws->dma_width;
- txconf.device_fc = false;
-
- txchan->device->device_control(txchan, DMA_SLAVE_CONFIG,
-@@ -159,7 +165,7 @@ static int mid_spi_dma_transfer(struct dw_spi *dws, int cs_change)
- rxconf.src_addr = dws->dma_addr;
- rxconf.src_maxburst = LNW_DMA_MSIZE_16;
- rxconf.dst_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
-- rxconf.src_addr_width = DMA_SLAVE_BUSWIDTH_2_BYTES;
-+
rxconf.src_addr_width = dws->dma_width;
- rxconf.device_fc = false;
-
- rxchan->device->device_control(rxchan, DMA_SLAVE_CONFIG,
-diff --git a/drivers/tty/serial/omap-serial.c b/drivers/tty/serial/omap-serial.c
-index db8434d..f4e68b3 100644
---- a/drivers/tty/serial/omap-serial.c
-+++ b/drivers/tty/serial/omap-serial.c
-@@ -260,8 +260,16 @@ serial_omap_baud_is_mode16(struct uart_port *port, unsigned int baud)
- {
- unsigned int n13 = port->uartclk / (13 * baud);
- unsigned int n16 = port->uartclk / (16 * baud);
-- int baudAbsDiff13 = baud - (port->uartclk / (13 * n13));
-- int baudAbsDiff16 = baud - (port->uartclk / (16 * n16));
-+ int baudAbsDiff13;
-+ int baudAbsDiff16;
-+
-+ if (n13 == 0)
-+ n13 = 1;
-+ if (n16 == 0)
-+ n16 = 1;
-+
-+ baudAbsDiff13 = baud - (port->uartclk / (13 * n13));
-+ baudAbsDiff16 = baud - (port->uartclk / (16 * n16));
- if (baudAbsDiff13 < 0)
- baudAbsDiff13 = -baudAbsDiff13;
- if (baudAbsDiff16 < 0)
-diff --git a/drivers/usb/gadget/Kconfig b/drivers/usb/gadget/Kconfig
-index 8154165..fd13ef0 100644
---- a/drivers/usb/gadget/Kconfig
-+++ b/drivers/usb/gadget/Kconfig
-@@ -445,7 +445,7 @@ config USB_GOKU
- gadget drivers to also be dynamically linked.
-
- config USB_EG20T
-- tristate "Intel EG20T PCH/LAPIS Semiconductor IOH(ML7213/ML7831) UDC"
-+ tristate "Intel QUARK X1000/EG20T PCH/LAPIS Semiconductor IOH(ML7213/ML7831) UDC"
- depends on PCI
- help
- This is a USB device driver for EG20T PCH.
-@@ -466,6 +466,7 @@ config USB_EG20T
- ML7213/ML7831 is companion chip for Intel Atom E6xx series.
- ML7213/ML7831 is completely compatible for Intel EG20T PCH.
-
-+ This driver can be used with Intel's Quark X1000 SOC platform
- #
- # LAST -- dummy/emulated controller
- #
-diff --git a/drivers/usb/gadget/pch_udc.c b/drivers/usb/gadget/pch_udc.c
-index eb8c3be..460d953 100644
---- a/drivers/usb/gadget/pch_udc.c
-+++ b/drivers/usb/gadget/pch_udc.c
-@@ -343,6 +343,7 @@ struct pch_vbus_gpio_data {
- * @setup_data: Received setup data
- * @phys_addr: of device memory
- * @base_addr: for mapped device memory
-+ * @bar: Indicates which PCI BAR for USB regs
- * @irq: IRQ line for the device
- * @cfg_data: current cfg, intf, and alt in use
- * @vbus_gpio: GPIO informaton for detecting VBUS
-@@ -370,14 +371,17 @@ struct pch_udc_dev {
- struct usb_ctrlrequest setup_data;
- unsigned long phys_addr;
- void __iomem *base_addr;
-+ unsigned bar;
- unsigned irq;
- struct pch_udc_cfg_data cfg_data;
- struct pch_vbus_gpio_data vbus_gpio;
- };
- #define to_pch_udc(g) (container_of((g), struct pch_udc_dev, gadget))
-
-+#define PCH_UDC_PCI_BAR_QUARK_X1000 0
- #define PCH_UDC_PCI_BAR 1
- #define PCI_DEVICE_ID_INTEL_EG20T_UDC 0x8808
-+#define PCI_DEVICE_ID_INTEL_QUARK_X1000_UDC 0x0939
- #define PCI_VENDOR_ID_ROHM 0x10DB
- #define PCI_DEVICE_ID_ML7213_IOH_UDC 0x801D
- #define PCI_DEVICE_ID_ML7831_IOH_UDC 0x8808
-@@ -3076,7 +3080,7 @@ static void pch_udc_remove(struct pci_dev *pdev)
- iounmap(dev->base_addr);
- if (dev->mem_region)
- release_mem_region(dev->phys_addr,
-- pci_resource_len(pdev, PCH_UDC_PCI_BAR));
-+ pci_resource_len(pdev, dev->bar));
- if (dev->active)
- pci_disable_device(pdev);
- kfree(dev);
-@@ -3144,9 +3148,15 @@ static int pch_udc_probe(struct pci_dev *pdev,
- dev->active = 1;
- pci_set_drvdata(pdev, dev);
-
-+ /* Determine BAR based on PCI ID */
-+ if (id->device == PCI_DEVICE_ID_INTEL_QUARK_X1000_UDC)
-+ dev->bar = PCH_UDC_PCI_BAR_QUARK_X1000;
-+ else
-+ dev->bar = PCH_UDC_PCI_BAR;
-+
- /* PCI resource allocation */
-- resource = pci_resource_start(pdev, 1);
-- len = pci_resource_len(pdev, 1);
-+ resource =
pci_resource_start(pdev, dev->bar); -+ len = pci_resource_len(pdev, dev->bar); - - if (!request_mem_region(resource, len, KBUILD_MODNAME)) { - dev_err(&pdev->dev, "%s: pci device used already\n", __func__); -@@ -3212,6 +3222,12 @@ finished: - - static const struct pci_device_id pch_udc_pcidev_id[] = { - { -+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, -+ PCI_DEVICE_ID_INTEL_QUARK_X1000_UDC), -+ .class = (PCI_CLASS_SERIAL_USB << 8) | 0xfe, -+ .class_mask = 0xffffffff, -+ }, -+ { - PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_EG20T_UDC), - .class = (PCI_CLASS_SERIAL_USB << 8) | 0xfe, - .class_mask = 0xffffffff, -diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c -index 0165b86..a9a881e 100644 ---- a/fs/btrfs/file.c -+++ b/fs/btrfs/file.c -@@ -2510,23 +2510,28 @@ static int find_desired_extent(struct inode *inode, loff_t *offset, int whence) - struct btrfs_root *root = BTRFS_I(inode)->root; - struct extent_map *em = NULL; - struct extent_state *cached_state = NULL; -- u64 lockstart = *offset; -- u64 lockend = i_size_read(inode); -- u64 start = *offset; -- u64 len = i_size_read(inode); -+ u64 lockstart; -+ u64 lockend; -+ u64 start; -+ u64 len; - int ret = 0; - -- lockend = max_t(u64, root->sectorsize, lockend); -+ if (inode->i_size == 0) -+ return -ENXIO; -+ -+ /* -+ * *offset can be negative, in this case we start finding DATA/HOLE from -+ * the very start of the file. 
-+ */ -+ start = max_t(loff_t, 0, *offset); -+ -+ lockstart = round_down(start, root->sectorsize); -+ lockend = round_up(i_size_read(inode), root->sectorsize); - if (lockend <= lockstart) - lockend = lockstart + root->sectorsize; -- - lockend--; - len = lockend - lockstart + 1; - -- len = max_t(u64, len, root->sectorsize); -- if (inode->i_size == 0) -- return -ENXIO; -- - lock_extent_bits(&BTRFS_I(inode)->io_tree, lockstart, lockend, 0, - &cached_state); - -diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c -index c69c763..d68a725 100644 ---- a/fs/btrfs/inode.c -+++ b/fs/btrfs/inode.c -@@ -3596,7 +3596,8 @@ noinline int btrfs_update_inode(struct btrfs_trans_handle *trans, - * without delay - */ - if (!btrfs_is_free_space_inode(inode) -- && root->root_key.objectid != BTRFS_DATA_RELOC_TREE_OBJECTID) { -+ && root->root_key.objectid != BTRFS_DATA_RELOC_TREE_OBJECTID -+ && !root->fs_info->log_root_recovering) { - btrfs_update_root_times(trans, root); - - ret = btrfs_delayed_update_inode(trans, root, inode); -diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c -index a6d8efa..0b72006 100644 ---- a/fs/btrfs/ioctl.c -+++ b/fs/btrfs/ioctl.c -@@ -302,6 +302,9 @@ static int btrfs_ioctl_setflags(struct file *file, void __user *arg) - goto out_drop; - - } else { -+ ret = btrfs_set_prop(inode, "btrfs.compression", NULL, 0, 0); -+ if (ret && ret != -ENODATA) -+ goto out_drop; - ip->flags &= ~(BTRFS_INODE_COMPRESS | BTRFS_INODE_NOCOMPRESS); - } - -@@ -4750,6 +4753,12 @@ long btrfs_ioctl(struct file *file, unsigned int - if (ret) - return ret; - ret = btrfs_sync_fs(file->f_dentry->d_sb, 1); -+ /* -+ * The transaction thread may want to do more work, -+ * namely it pokes the cleaner ktread that will start -+ * processing uncleaned subvols. 
-+ */ -+ wake_up_process(root->fs_info->transaction_kthread); - return ret; - } - case BTRFS_IOC_START_SYNC: -diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c -index 07b3b36..01f977e 100644 ---- a/fs/btrfs/relocation.c -+++ b/fs/btrfs/relocation.c -@@ -736,7 +736,8 @@ again: - err = ret; - goto out; - } -- BUG_ON(!ret || !path1->slots[0]); -+ ASSERT(ret); -+ ASSERT(path1->slots[0]); - - path1->slots[0]--; - -@@ -746,10 +747,10 @@ again: - * the backref was added previously when processing - * backref of type BTRFS_TREE_BLOCK_REF_KEY - */ -- BUG_ON(!list_is_singular(&cur->upper)); -+ ASSERT(list_is_singular(&cur->upper)); - edge = list_entry(cur->upper.next, struct backref_edge, - list[LOWER]); -- BUG_ON(!list_empty(&edge->list[UPPER])); -+ ASSERT(list_empty(&edge->list[UPPER])); - exist = edge->node[UPPER]; - /* - * add the upper level block to pending list if we need -@@ -831,7 +832,7 @@ again: - cur->cowonly = 1; - } - #else -- BUG_ON(key.type == BTRFS_EXTENT_REF_V0_KEY); -+ ASSERT(key.type != BTRFS_EXTENT_REF_V0_KEY); - if (key.type == BTRFS_SHARED_BLOCK_REF_KEY) { - #endif - if (key.objectid == key.offset) { -@@ -840,7 +841,7 @@ again: - * backref of this type. 
- */ - root = find_reloc_root(rc, cur->bytenr); -- BUG_ON(!root); -+ ASSERT(root); - cur->root = root; - break; - } -@@ -868,7 +869,7 @@ again: - } else { - upper = rb_entry(rb_node, struct backref_node, - rb_node); -- BUG_ON(!upper->checked); -+ ASSERT(upper->checked); - INIT_LIST_HEAD(&edge->list[UPPER]); - } - list_add_tail(&edge->list[LOWER], &cur->upper); -@@ -892,7 +893,7 @@ again: - - if (btrfs_root_level(&root->root_item) == cur->level) { - /* tree root */ -- BUG_ON(btrfs_root_bytenr(&root->root_item) != -+ ASSERT(btrfs_root_bytenr(&root->root_item) == - cur->bytenr); - if (should_ignore_root(root)) - list_add(&cur->list, &useless); -@@ -927,7 +928,7 @@ again: - need_check = true; - for (; level < BTRFS_MAX_LEVEL; level++) { - if (!path2->nodes[level]) { -- BUG_ON(btrfs_root_bytenr(&root->root_item) != -+ ASSERT(btrfs_root_bytenr(&root->root_item) == - lower->bytenr); - if (should_ignore_root(root)) - list_add(&lower->list, &useless); -@@ -976,12 +977,15 @@ again: - need_check = false; - list_add_tail(&edge->list[UPPER], - &list); -- } else -+ } else { -+ if (upper->checked) -+ need_check = true; - INIT_LIST_HEAD(&edge->list[UPPER]); -+ } - } else { - upper = rb_entry(rb_node, struct backref_node, - rb_node); -- BUG_ON(!upper->checked); -+ ASSERT(upper->checked); - INIT_LIST_HEAD(&edge->list[UPPER]); - if (!upper->owner) - upper->owner = btrfs_header_owner(eb); -@@ -1025,7 +1029,7 @@ next: - * everything goes well, connect backref nodes and insert backref nodes - * into the cache. - */ -- BUG_ON(!node->checked); -+ ASSERT(node->checked); - cowonly = node->cowonly; - if (!cowonly) { - rb_node = tree_insert(&cache->rb_root, node->bytenr, -@@ -1061,8 +1065,21 @@ next: - continue; - } - -- BUG_ON(!upper->checked); -- BUG_ON(cowonly != upper->cowonly); -+ if (!upper->checked) { -+ /* -+ * Still want to blow up for developers since this is a -+ * logic bug. 
-+ */ -+ ASSERT(0); -+ err = -EINVAL; -+ goto out; -+ } -+ if (cowonly != upper->cowonly) { -+ ASSERT(0); -+ err = -EINVAL; -+ goto out; -+ } -+ - if (!cowonly) { - rb_node = tree_insert(&cache->rb_root, upper->bytenr, - &upper->rb_node); -@@ -1085,7 +1102,7 @@ next: - while (!list_empty(&useless)) { - upper = list_entry(useless.next, struct backref_node, list); - list_del_init(&upper->list); -- BUG_ON(!list_empty(&upper->upper)); -+ ASSERT(list_empty(&upper->upper)); - if (upper == node) - node = NULL; - if (upper->lowest) { -@@ -1118,29 +1135,45 @@ out: - if (err) { - while (!list_empty(&useless)) { - lower = list_entry(useless.next, -- struct backref_node, upper); -- list_del_init(&lower->upper); -+ struct backref_node, list); -+ list_del_init(&lower->list); - } -- upper = node; -- INIT_LIST_HEAD(&list); -- while (upper) { -- if (RB_EMPTY_NODE(&upper->rb_node)) { -- list_splice_tail(&upper->upper, &list); -- free_backref_node(cache, upper); -- } -- -- if (list_empty(&list)) -- break; -- -- edge = list_entry(list.next, struct backref_edge, -- list[LOWER]); -+ while (!list_empty(&list)) { -+ edge = list_first_entry(&list, struct backref_edge, -+ list[UPPER]); -+ list_del(&edge->list[UPPER]); - list_del(&edge->list[LOWER]); -+ lower = edge->node[LOWER]; - upper = edge->node[UPPER]; - free_backref_edge(cache, edge); -+ -+ /* -+ * Lower is no longer linked to any upper backref nodes -+ * and isn't in the cache, we can free it ourselves. 
-+ */ -+ if (list_empty(&lower->upper) && -+ RB_EMPTY_NODE(&lower->rb_node)) -+ list_add(&lower->list, &useless); -+ -+ if (!RB_EMPTY_NODE(&upper->rb_node)) -+ continue; -+ -+ /* Add this guy's upper edges to the list to proces */ -+ list_for_each_entry(edge, &upper->upper, list[LOWER]) -+ list_add_tail(&edge->list[UPPER], &list); -+ if (list_empty(&upper->upper)) -+ list_add(&upper->list, &useless); -+ } -+ -+ while (!list_empty(&useless)) { -+ lower = list_entry(useless.next, -+ struct backref_node, list); -+ list_del_init(&lower->list); -+ free_backref_node(cache, lower); - } - return ERR_PTR(err); - } -- BUG_ON(node && node->detached); -+ ASSERT(!node || !node->detached); - return node; - } - -diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c -index a65ed4c..20d7935 100644 ---- a/fs/btrfs/send.c -+++ b/fs/btrfs/send.c -@@ -4728,7 +4728,9 @@ static int finish_inode_if_needed(struct send_ctx *sctx, int at_end) - - if (S_ISREG(sctx->cur_inode_mode)) { - if (need_send_hole(sctx)) { -- if (sctx->cur_inode_last_extent == (u64)-1) { -+ if (sctx->cur_inode_last_extent == (u64)-1 || -+ sctx->cur_inode_last_extent < -+ sctx->cur_inode_size) { - ret = get_last_extent(sctx, (u64)-1); - if (ret) - goto out; -diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c -index b05bf58..a0b65a0 100644 ---- a/fs/btrfs/transaction.c -+++ b/fs/btrfs/transaction.c -@@ -592,7 +592,6 @@ int btrfs_wait_for_commit(struct btrfs_root *root, u64 transid) - if (transid <= root->fs_info->last_trans_committed) - goto out; - -- ret = -EINVAL; - /* find specified transaction */ - spin_lock(&root->fs_info->trans_lock); - list_for_each_entry(t, &root->fs_info->trans_list, list) { -@@ -608,9 +607,16 @@ int btrfs_wait_for_commit(struct btrfs_root *root, u64 transid) - } - } - spin_unlock(&root->fs_info->trans_lock); -- /* The specified transaction doesn't exist */ -- if (!cur_trans) -+ -+ /* -+ * The specified transaction doesn't exist, or we -+ * raced with btrfs_commit_transaction -+ */ -+ if 
(!cur_trans) { -+ if (transid > root->fs_info->last_trans_committed) -+ ret = -EINVAL; - goto out; -+ } - } else { - /* find newest transaction that is committing | committed */ - spin_lock(&root->fs_info->trans_lock); -diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c -index b167ca4..a85ceb7 100644 ---- a/fs/ecryptfs/inode.c -+++ b/fs/ecryptfs/inode.c -@@ -1039,7 +1039,7 @@ ecryptfs_setxattr(struct dentry *dentry, const char *name, const void *value, - } - - rc = vfs_setxattr(lower_dentry, name, value, size, flags); -- if (!rc) -+ if (!rc && dentry->d_inode) - fsstack_copy_attr_all(dentry->d_inode, lower_dentry->d_inode); - out: - return rc; -diff --git a/fs/namespace.c b/fs/namespace.c -index 75536db..c7d4a0a 100644 ---- a/fs/namespace.c -+++ b/fs/namespace.c -@@ -1365,6 +1365,8 @@ static int do_umount(struct mount *mnt, int flags) - * Special case for "unmounting" root ... - * we just try to remount it readonly. - */ -+ if (!capable(CAP_SYS_ADMIN)) -+ return -EPERM; - down_write(&sb->s_umount); - if (!(sb->s_flags & MS_RDONLY)) - retval = do_remount_sb(sb, MS_RDONLY, NULL, 0); -diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c -index 2e9662e..da657b7 100644 ---- a/fs/nfs/nfs4proc.c -+++ b/fs/nfs/nfs4proc.c -@@ -7242,7 +7242,7 @@ static int nfs41_proc_async_sequence(struct nfs_client *clp, struct rpc_cred *cr - int ret = 0; - - if ((renew_flags & NFS4_RENEW_TIMEOUT) == 0) -- return 0; -+ return -EAGAIN; - task = _nfs41_proc_sequence(clp, cred, false); - if (IS_ERR(task)) - ret = PTR_ERR(task); -diff --git a/fs/nfs/nfs4renewd.c b/fs/nfs/nfs4renewd.c -index 1720d32..e1ba58c 100644 ---- a/fs/nfs/nfs4renewd.c -+++ b/fs/nfs/nfs4renewd.c -@@ -88,10 +88,18 @@ nfs4_renew_state(struct work_struct *work) - } - nfs_expire_all_delegations(clp); - } else { -+ int ret; -+ - /* Queue an asynchronous RENEW. 
*/ -- ops->sched_state_renewal(clp, cred, renew_flags); -+ ret = ops->sched_state_renewal(clp, cred, renew_flags); - put_rpccred(cred); -- goto out_exp; -+ switch (ret) { -+ default: -+ goto out_exp; -+ case -EAGAIN: -+ case -ENOMEM: -+ break; -+ } - } - } else { - dprintk("%s: failed to call renewd. Reason: lease not expired \n", -diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c -index 27f5f85..b4f177f 100644 ---- a/fs/nfs/nfs4state.c -+++ b/fs/nfs/nfs4state.c -@@ -1732,7 +1732,8 @@ restart: - if (status < 0) { - set_bit(ops->owner_flag_bit, &sp->so_flags); - nfs4_put_state_owner(sp); -- return nfs4_recovery_handle_error(clp, status); -+ status = nfs4_recovery_handle_error(clp, status); -+ return (status != 0) ? status : -EAGAIN; - } - - nfs4_put_state_owner(sp); -@@ -1741,7 +1742,7 @@ restart: - spin_unlock(&clp->cl_lock); - } - rcu_read_unlock(); -- return status; -+ return 0; - } - - static int nfs4_check_lease(struct nfs_client *clp) -@@ -1788,7 +1789,6 @@ static int nfs4_handle_reclaim_lease_error(struct nfs_client *clp, int status) - break; - case -NFS4ERR_STALE_CLIENTID: - clear_bit(NFS4CLNT_LEASE_CONFIRM, &clp->cl_state); -- nfs4_state_clear_reclaim_reboot(clp); - nfs4_state_start_reclaim_reboot(clp); - break; - case -NFS4ERR_CLID_INUSE: -@@ -2370,6 +2370,7 @@ static void nfs4_state_manager(struct nfs_client *clp) - status = nfs4_check_lease(clp); - if (status < 0) - goto out_error; -+ continue; - } - - if (test_and_clear_bit(NFS4CLNT_MOVED, &clp->cl_state)) { -@@ -2391,14 +2392,11 @@ static void nfs4_state_manager(struct nfs_client *clp) - section = "reclaim reboot"; - status = nfs4_do_reclaim(clp, - clp->cl_mvops->reboot_recovery_ops); -- if (test_bit(NFS4CLNT_LEASE_EXPIRED, &clp->cl_state) || -- test_bit(NFS4CLNT_SESSION_RESET, &clp->cl_state)) -- continue; -- nfs4_state_end_reclaim_reboot(clp); -- if (test_bit(NFS4CLNT_RECLAIM_NOGRACE, &clp->cl_state)) -+ if (status == -EAGAIN) - continue; - if (status < 0) - goto out_error; -+ 
nfs4_state_end_reclaim_reboot(clp); - } - - /* Now recover expired state... */ -@@ -2406,9 +2404,7 @@ static void nfs4_state_manager(struct nfs_client *clp) - section = "reclaim nograce"; - status = nfs4_do_reclaim(clp, - clp->cl_mvops->nograce_recovery_ops); -- if (test_bit(NFS4CLNT_LEASE_EXPIRED, &clp->cl_state) || -- test_bit(NFS4CLNT_SESSION_RESET, &clp->cl_state) || -- test_bit(NFS4CLNT_RECLAIM_REBOOT, &clp->cl_state)) -+ if (status == -EAGAIN) - continue; - if (status < 0) - goto out_error; -diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c -index 287a22c..de6323e 100644 ---- a/fs/notify/fanotify/fanotify_user.c -+++ b/fs/notify/fanotify/fanotify_user.c -@@ -71,7 +71,7 @@ static int create_fd(struct fsnotify_group *group, - - pr_debug("%s: group=%p event=%p\n", __func__, group, event); - -- client_fd = get_unused_fd(); -+ client_fd = get_unused_fd_flags(group->fanotify_data.f_flags); - if (client_fd < 0) - return client_fd; - -diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c -index 5d2518b..0461fbe 100644 ---- a/fs/xfs/xfs_aops.c -+++ b/fs/xfs/xfs_aops.c -@@ -434,10 +434,22 @@ xfs_start_page_writeback( - { - ASSERT(PageLocked(page)); - ASSERT(!PageWriteback(page)); -- if (clear_dirty) -+ -+ /* -+ * if the page was not fully cleaned, we need to ensure that the higher -+ * layers come back to it correctly. That means we need to keep the page -+ * dirty, and for WB_SYNC_ALL writeback we need to ensure the -+ * PAGECACHE_TAG_TOWRITE index mark is not removed so another attempt to -+ * write this page in this writeback sweep will be made. 
-+ */ -+ if (clear_dirty) { - clear_page_dirty_for_io(page); -- set_page_writeback(page); -+ set_page_writeback(page); -+ } else -+ set_page_writeback_keepwrite(page); -+ - unlock_page(page); -+ - /* If no buffers on the page are to be written, finish it here */ - if (!buffers) - end_page_writeback(page); -diff --git a/include/linux/compiler-gcc5.h b/include/linux/compiler-gcc5.h -new file mode 100644 -index 0000000..cdd1cc2 ---- /dev/null -+++ b/include/linux/compiler-gcc5.h -@@ -0,0 +1,66 @@ -+#ifndef __LINUX_COMPILER_H -+#error "Please don't include <linux/compiler-gcc5.h> directly, include <linux/compiler.h> instead." -+#endif -+ -+#define __used __attribute__((__used__)) -+#define __must_check __attribute__((warn_unused_result)) -+#define __compiler_offsetof(a, b) __builtin_offsetof(a, b) -+ -+/* Mark functions as cold. gcc will assume any path leading to a call -+ to them will be unlikely. This means a lot of manual unlikely()s -+ are unnecessary now for any paths leading to the usual suspects -+ like BUG(), printk(), panic() etc. [but let's keep them for now for -+ older compilers] -+ -+ Early snapshots of gcc 4.3 don't support this and we can't detect this -+ in the preprocessor, but we can live with this because they're unreleased. -+ Maketime probing would be overkill here. -+ -+ gcc also has a __attribute__((__hot__)) to move hot functions into -+ a special section, but I don't see any sense in this right now in -+ the kernel context */ -+#define __cold __attribute__((__cold__)) -+ -+#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) -+ -+#ifndef __CHECKER__ -+# define __compiletime_warning(message) __attribute__((warning(message))) -+# define __compiletime_error(message) __attribute__((error(message))) -+#endif /* __CHECKER__ */ -+ -+/* -+ * Mark a position in code as unreachable. This can be used to -+ * suppress control flow warnings after asm blocks that transfer -+ * control elsewhere. 
-+ * -+ * Early snapshots of gcc 4.5 don't support this and we can't detect -+ * this in the preprocessor, but we can live with this because they're -+ * unreleased. Really, we need to have autoconf for the kernel. -+ */ -+#define unreachable() __builtin_unreachable() -+ -+/* Mark a function definition as prohibited from being cloned. */ -+#define __noclone __attribute__((__noclone__)) -+ -+/* -+ * Tell the optimizer that something else uses this function or variable. -+ */ -+#define __visible __attribute__((externally_visible)) -+ -+/* -+ * GCC 'asm goto' miscompiles certain code sequences: -+ * -+ * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 -+ * -+ * Work it around via a compiler barrier quirk suggested by Jakub Jelinek. -+ * Fixed in GCC 4.8.2 and later versions. -+ * -+ * (asm goto is automatically volatile - the naming reflects this.) -+ */ -+#define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0) -+ -+#ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP -+#define __HAVE_BUILTIN_BSWAP32__ -+#define __HAVE_BUILTIN_BSWAP64__ -+#define __HAVE_BUILTIN_BSWAP16__ -+#endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP */ -diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h -index 97fbecd..057c1d8 100644 ---- a/include/linux/pci_ids.h -+++ b/include/linux/pci_ids.h -@@ -2551,6 +2551,7 @@ - #define PCI_DEVICE_ID_INTEL_MFD_EMMC0 0x0823 - #define PCI_DEVICE_ID_INTEL_MFD_EMMC1 0x0824 - #define PCI_DEVICE_ID_INTEL_MRST_SD2 0x084F -+#define PCI_DEVICE_ID_INTEL_QUARK_X1000_ILB 0x095E - #define PCI_DEVICE_ID_INTEL_I960 0x0960 - #define PCI_DEVICE_ID_INTEL_I960RM 0x0962 - #define PCI_DEVICE_ID_INTEL_CENTERTON_ILB 0x0c60 -diff --git a/include/linux/sched.h b/include/linux/sched.h -index d7ca410..218b058 100644 ---- a/include/linux/sched.h -+++ b/include/linux/sched.h -@@ -1876,11 +1876,13 @@ extern void thread_group_cputime_adjusted(struct task_struct *p, cputime_t *ut, - #define tsk_used_math(p) ((p)->flags & PF_USED_MATH) - #define used_math() tsk_used_math(current) - 
--/* __GFP_IO isn't allowed if PF_MEMALLOC_NOIO is set in current->flags */ -+/* __GFP_IO isn't allowed if PF_MEMALLOC_NOIO is set in current->flags -+ * __GFP_FS is also cleared as it implies __GFP_IO. -+ */ - static inline gfp_t memalloc_noio_flags(gfp_t flags) - { - if (unlikely(current->flags & PF_MEMALLOC_NOIO)) -- flags &= ~__GFP_IO; -+ flags &= ~(__GFP_IO | __GFP_FS); - return flags; - } - -diff --git a/kernel/futex.c b/kernel/futex.c -index 0b0dc02..fda2950 100644 ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -329,6 +329,8 @@ static void get_futex_key_refs(union futex_key *key) - case FUT_OFF_MMSHARED: - futex_get_mm(key); /* implies MB (B) */ - break; -+ default: -+ smp_mb(); /* explicit MB (B) */ - } - } - -diff --git a/lib/lzo/lzo1x_decompress_safe.c b/lib/lzo/lzo1x_decompress_safe.c -index 8563081..a1c387f 100644 ---- a/lib/lzo/lzo1x_decompress_safe.c -+++ b/lib/lzo/lzo1x_decompress_safe.c -@@ -19,31 +19,21 @@ - #include <linux/lzo.h> - #include "lzodefs.h" - --#define HAVE_IP(t, x) \ -- (((size_t)(ip_end - ip) >= (size_t)(t + x)) && \ -- (((t + x) >= t) && ((t + x) >= x))) -+#define HAVE_IP(x) ((size_t)(ip_end - ip) >= (size_t)(x)) -+#define HAVE_OP(x) ((size_t)(op_end - op) >= (size_t)(x)) -+#define NEED_IP(x) if (!HAVE_IP(x)) goto input_overrun -+#define NEED_OP(x) if (!HAVE_OP(x)) goto output_overrun -+#define TEST_LB(m_pos) if ((m_pos) < out) goto lookbehind_overrun - --#define HAVE_OP(t, x) \ -- (((size_t)(op_end - op) >= (size_t)(t + x)) && \ -- (((t + x) >= t) && ((t + x) >= x))) -- --#define NEED_IP(t, x) \ -- do { \ -- if (!HAVE_IP(t, x)) \ -- goto input_overrun; \ -- } while (0) -- --#define NEED_OP(t, x) \ -- do { \ -- if (!HAVE_OP(t, x)) \ -- goto output_overrun; \ -- } while (0) -- --#define TEST_LB(m_pos) \ -- do { \ -- if ((m_pos) < out) \ -- goto lookbehind_overrun; \ -- } while (0) -+/* This MAX_255_COUNT is the maximum number of times we can add 255 to a base -+ * count without overflowing an integer. 
The multiply will overflow when -+ * multiplying 255 by more than MAXINT/255. The sum will overflow earlier -+ * depending on the base count. Since the base count is taken from a u8 -+ * and a few bits, it is safe to assume that it will always be lower than -+ * or equal to 2*255, thus we can always prevent any overflow by accepting -+ * two less 255 steps. See Documentation/lzo.txt for more information. -+ */ -+#define MAX_255_COUNT ((((size_t)~0) / 255) - 2) - - int lzo1x_decompress_safe(const unsigned char *in, size_t in_len, - unsigned char *out, size_t *out_len) -@@ -75,17 +65,24 @@ int lzo1x_decompress_safe(const unsigned char *in, size_t in_len, - if (t < 16) { - if (likely(state == 0)) { - if (unlikely(t == 0)) { -+ size_t offset; -+ const unsigned char *ip_last = ip; -+ - while (unlikely(*ip == 0)) { -- t += 255; - ip++; -- NEED_IP(1, 0); -+ NEED_IP(1); - } -- t += 15 + *ip++; -+ offset = ip - ip_last; -+ if (unlikely(offset > MAX_255_COUNT)) -+ return LZO_E_ERROR; -+ -+ offset = (offset << 8) - offset; -+ t += offset + 15 + *ip++; - } - t += 3; - copy_literal_run: - #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) -- if (likely(HAVE_IP(t, 15) && HAVE_OP(t, 15))) { -+ if (likely(HAVE_IP(t + 15) && HAVE_OP(t + 15))) { - const unsigned char *ie = ip + t; - unsigned char *oe = op + t; - do { -@@ -101,8 +98,8 @@ copy_literal_run: - } else - #endif - { -- NEED_OP(t, 0); -- NEED_IP(t, 3); -+ NEED_OP(t); -+ NEED_IP(t + 3); - do { - *op++ = *ip++; - } while (--t > 0); -@@ -115,7 +112,7 @@ copy_literal_run: - m_pos -= t >> 2; - m_pos -= *ip++ << 2; - TEST_LB(m_pos); -- NEED_OP(2, 0); -+ NEED_OP(2); - op[0] = m_pos[0]; - op[1] = m_pos[1]; - op += 2; -@@ -136,13 +133,20 @@ copy_literal_run: - } else if (t >= 32) { - t = (t & 31) + (3 - 1); - if (unlikely(t == 2)) { -+ size_t offset; -+ const unsigned char *ip_last = ip; -+ - while (unlikely(*ip == 0)) { -- t += 255; - ip++; -- NEED_IP(1, 0); -+ NEED_IP(1); - } -- t += 31 + *ip++; -- NEED_IP(2, 0); -+ offset = ip - 
ip_last; -+ if (unlikely(offset > MAX_255_COUNT)) -+ return LZO_E_ERROR; -+ -+ offset = (offset << 8) - offset; -+ t += offset + 31 + *ip++; -+ NEED_IP(2); - } - m_pos = op - 1; - next = get_unaligned_le16(ip); -@@ -154,13 +158,20 @@ copy_literal_run: - m_pos -= (t & 8) << 11; - t = (t & 7) + (3 - 1); - if (unlikely(t == 2)) { -+ size_t offset; -+ const unsigned char *ip_last = ip; -+ - while (unlikely(*ip == 0)) { -- t += 255; - ip++; -- NEED_IP(1, 0); -+ NEED_IP(1); - } -- t += 7 + *ip++; -- NEED_IP(2, 0); -+ offset = ip - ip_last; -+ if (unlikely(offset > MAX_255_COUNT)) -+ return LZO_E_ERROR; -+ -+ offset = (offset << 8) - offset; -+ t += offset + 7 + *ip++; -+ NEED_IP(2); - } - next = get_unaligned_le16(ip); - ip += 2; -@@ -174,7 +185,7 @@ copy_literal_run: - #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) - if (op - m_pos >= 8) { - unsigned char *oe = op + t; -- if (likely(HAVE_OP(t, 15))) { -+ if (likely(HAVE_OP(t + 15))) { - do { - COPY8(op, m_pos); - op += 8; -@@ -184,7 +195,7 @@ copy_literal_run: - m_pos += 8; - } while (op < oe); - op = oe; -- if (HAVE_IP(6, 0)) { -+ if (HAVE_IP(6)) { - state = next; - COPY4(op, ip); - op += next; -@@ -192,7 +203,7 @@ copy_literal_run: - continue; - } - } else { -- NEED_OP(t, 0); -+ NEED_OP(t); - do { - *op++ = *m_pos++; - } while (op < oe); -@@ -201,7 +212,7 @@ copy_literal_run: - #endif - { - unsigned char *oe = op + t; -- NEED_OP(t, 0); -+ NEED_OP(t); - op[0] = m_pos[0]; - op[1] = m_pos[1]; - op += 2; -@@ -214,15 +225,15 @@ match_next: - state = next; - t = next; - #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) -- if (likely(HAVE_IP(6, 0) && HAVE_OP(4, 0))) { -+ if (likely(HAVE_IP(6) && HAVE_OP(4))) { - COPY4(op, ip); - op += t; - ip += t; - } else - #endif - { -- NEED_IP(t, 3); -- NEED_OP(t, 0); -+ NEED_IP(t + 3); -+ NEED_OP(t); - while (t > 0) { - *op++ = *ip++; - t--; -diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c -index 6afa3b4..0007c9e 100644 ---- a/net/bluetooth/l2cap_core.c -+++ 
b/net/bluetooth/l2cap_core.c -@@ -2608,12 +2608,8 @@ static int l2cap_segment_le_sdu(struct l2cap_chan *chan, - - BT_DBG("chan %p, msg %p, len %zu", chan, msg, len); - -- pdu_len = chan->conn->mtu - L2CAP_HDR_SIZE; -- -- pdu_len = min_t(size_t, pdu_len, chan->remote_mps); -- - sdu_len = len; -- pdu_len -= L2CAP_SDULEN_SIZE; -+ pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE; - - while (len > 0) { - if (len <= pdu_len) -diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c -index 734e946..6df1b25 100644 ---- a/security/integrity/ima/ima_appraise.c -+++ b/security/integrity/ima/ima_appraise.c -@@ -194,8 +194,11 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, - goto out; - - cause = "missing-hash"; -- status = -- (inode->i_size == 0) ? INTEGRITY_PASS : INTEGRITY_NOLABEL; -+ status = INTEGRITY_NOLABEL; -+ if (inode->i_size == 0) { -+ iint->flags |= IMA_NEW_FILE; -+ status = INTEGRITY_PASS; -+ } - goto out; - } - -diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c -index 76d8aad..9f70efd 100644 ---- a/security/integrity/ima/ima_main.c -+++ b/security/integrity/ima/ima_main.c -@@ -131,11 +131,13 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint, - return; - - mutex_lock(&inode->i_mutex); -- if (atomic_read(&inode->i_writecount) == 1 && -- iint->version != inode->i_version) { -- iint->flags &= ~IMA_DONE_MASK; -- if (iint->flags & IMA_APPRAISE) -- ima_update_xattr(iint, file); -+ if (atomic_read(&inode->i_writecount) == 1) { -+ if ((iint->version != inode->i_version) || -+ (iint->flags & IMA_NEW_FILE)) { -+ iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE); -+ if (iint->flags & IMA_APPRAISE) -+ ima_update_xattr(iint, file); -+ } - } - mutex_unlock(&inode->i_mutex); - } -diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h -index 33c0a70..2f8715d 100644 ---- a/security/integrity/integrity.h -+++ b/security/integrity/integrity.h -@@ -31,6 
+31,7 @@ - #define IMA_DIGSIG 0x01000000 - #define IMA_DIGSIG_REQUIRED 0x02000000 - #define IMA_PERMIT_DIRECTIO 0x04000000 -+#define IMA_NEW_FILE 0x08000000 - - #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ - IMA_APPRAISE_SUBMASK) -diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c -index 01a5e05..566b0f6 100644 ---- a/sound/core/pcm_native.c -+++ b/sound/core/pcm_native.c -@@ -3189,7 +3189,7 @@ static const struct vm_operations_struct snd_pcm_vm_ops_data_fault = { - - #ifndef ARCH_HAS_DMA_MMAP_COHERENT - /* This should be defined / handled globally! */ --#ifdef CONFIG_ARM -+#if defined(CONFIG_ARM) || defined(CONFIG_ARM64) - #define ARCH_HAS_DMA_MMAP_COHERENT - #endif - #endif -diff --git a/sound/pci/emu10k1/emu10k1_callback.c b/sound/pci/emu10k1/emu10k1_callback.c -index cae3659..0a34b5f 100644 ---- a/sound/pci/emu10k1/emu10k1_callback.c -+++ b/sound/pci/emu10k1/emu10k1_callback.c -@@ -85,6 +85,8 @@ snd_emu10k1_ops_setup(struct snd_emux *emux) - * get more voice for pcm - * - * terminate most inactive voice and give it as a pcm voice. -+ * -+ * voice_lock is already held. 
- */ - int - snd_emu10k1_synth_get_voice(struct snd_emu10k1 *hw) -@@ -92,12 +94,10 @@ snd_emu10k1_synth_get_voice(struct snd_emu10k1 *hw) - struct snd_emux *emu; - struct snd_emux_voice *vp; - struct best_voice best[V_END]; -- unsigned long flags; - int i; - - emu = hw->synth; - -- spin_lock_irqsave(&emu->voice_lock, flags); - lookup_voices(emu, hw, best, 1); /* no OFF voices */ - for (i = 0; i < V_END; i++) { - if (best[i].voice >= 0) { -@@ -113,11 +113,9 @@ snd_emu10k1_synth_get_voice(struct snd_emu10k1 *hw) - vp->emu->num_voices--; - vp->ch = -1; - vp->state = SNDRV_EMUX_ST_OFF; -- spin_unlock_irqrestore(&emu->voice_lock, flags); - return ch; - } - } -- spin_unlock_irqrestore(&emu->voice_lock, flags); - - /* not found */ - return -ENOMEM; -diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c -index d135c90..8253b48 100644 ---- a/sound/pci/hda/patch_hdmi.c -+++ b/sound/pci/hda/patch_hdmi.c -@@ -1557,19 +1557,22 @@ static bool hdmi_present_sense(struct hdmi_spec_per_pin *per_pin, int repoll) - } - } - -- if (pin_eld->eld_valid && !eld->eld_valid) { -- update_eld = true; -+ if (pin_eld->eld_valid != eld->eld_valid) - eld_changed = true; -- } -+ -+ if (pin_eld->eld_valid && !eld->eld_valid) -+ update_eld = true; -+ - if (update_eld) { - bool old_eld_valid = pin_eld->eld_valid; - pin_eld->eld_valid = eld->eld_valid; -- eld_changed = pin_eld->eld_size != eld->eld_size || -+ if (pin_eld->eld_size != eld->eld_size || - memcmp(pin_eld->eld_buffer, eld->eld_buffer, -- eld->eld_size) != 0; -- if (eld_changed) -+ eld->eld_size) != 0) { - memcpy(pin_eld->eld_buffer, eld->eld_buffer, - eld->eld_size); -+ eld_changed = true; -+ } - pin_eld->eld_size = eld->eld_size; - pin_eld->info = eld->info; - -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index 5d0058b..4c826a4 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -2926,6 +2926,9 @@ static void alc283_shutup(struct hda_codec *codec) - - 
alc_write_coef_idx(codec, 0x43, 0x9004); - -+ /*depop hp during suspend*/ -+ alc_write_coef_idx(codec, 0x06, 0x2100); -+ - snd_hda_codec_write(codec, hp_pin, 0, - AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE); - -diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h -index 223c47b..c657752 100644 ---- a/sound/usb/quirks-table.h -+++ b/sound/usb/quirks-table.h -@@ -385,6 +385,36 @@ YAMAHA_DEVICE(0x105d, NULL), - } - }, - { -+ USB_DEVICE(0x0499, 0x1509), -+ .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) { -+ /* .vendor_name = "Yamaha", */ -+ /* .product_name = "Steinberg UR22", */ -+ .ifnum = QUIRK_ANY_INTERFACE, -+ .type = QUIRK_COMPOSITE, -+ .data = (const struct snd_usb_audio_quirk[]) { -+ { -+ .ifnum = 1, -+ .type = QUIRK_AUDIO_STANDARD_INTERFACE -+ }, -+ { -+ .ifnum = 2, -+ .type = QUIRK_AUDIO_STANDARD_INTERFACE -+ }, -+ { -+ .ifnum = 3, -+ .type = QUIRK_MIDI_YAMAHA -+ }, -+ { -+ .ifnum = 4, -+ .type = QUIRK_IGNORE_INTERFACE -+ }, -+ { -+ .ifnum = -1 -+ } -+ } -+ } -+}, -+{ - USB_DEVICE(0x0499, 0x150a), - .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) { - /* .vendor_name = "Yamaha", */ -diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index 03a0381..6611253 100644 ---- a/virt/kvm/kvm_main.c -+++ b/virt/kvm/kvm_main.c -@@ -52,6 +52,7 @@ - - #include <asm/processor.h> - #include <asm/io.h> -+#include <asm/ioctl.h> - #include <asm/uaccess.h> - #include <asm/pgtable.h> - -@@ -95,8 +96,6 @@ static int hardware_enable_all(void); - static void hardware_disable_all(void); - - static void kvm_io_bus_destroy(struct kvm_io_bus *bus); --static void update_memslots(struct kvm_memslots *slots, -- struct kvm_memory_slot *new, u64 last_generation); - - static void kvm_release_pfn_dirty(pfn_t pfn); - static void mark_page_dirty_in_slot(struct kvm *kvm, -@@ -682,8 +681,7 @@ static void sort_memslots(struct kvm_memslots *slots) - } - - static void update_memslots(struct kvm_memslots *slots, -- struct kvm_memory_slot *new, -- 
u64 last_generation) -+ struct kvm_memory_slot *new) - { - if (new) { - int id = new->id; -@@ -694,8 +692,6 @@ static void update_memslots(struct kvm_memslots *slots, - if (new->npages != npages) - sort_memslots(slots); - } -- -- slots->generation = last_generation + 1; - } - - static int check_memory_region_flags(struct kvm_userspace_memory_region *mem) -@@ -717,10 +713,24 @@ static struct kvm_memslots *install_new_memslots(struct kvm *kvm, - { - struct kvm_memslots *old_memslots = kvm->memslots; - -- update_memslots(slots, new, kvm->memslots->generation); -+ /* -+ * Set the low bit in the generation, which disables SPTE caching -+ * until the end of synchronize_srcu_expedited. -+ */ -+ WARN_ON(old_memslots->generation & 1); -+ slots->generation = old_memslots->generation + 1; -+ -+ update_memslots(slots, new); - rcu_assign_pointer(kvm->memslots, slots); - synchronize_srcu_expedited(&kvm->srcu); - -+ /* -+ * Increment the new memslot generation a second time. This prevents -+ * vm exits that race with memslot updates from caching a memslot -+ * generation that will (potentially) be valid forever. -+ */ -+ slots->generation++; -+ - kvm_arch_memslots_updated(kvm); - - return old_memslots; -@@ -1970,6 +1980,9 @@ static long kvm_vcpu_ioctl(struct file *filp, - if (vcpu->kvm->mm != current->mm) - return -EIO; - -+ if (unlikely(_IOC_TYPE(ioctl) != KVMIO)) -+ return -EINVAL; -+ - #if defined(CONFIG_S390) || defined(CONFIG_PPC) || defined(CONFIG_MIPS) - /* - * Special cases: vcpu ioctls that are asynchronous to vcpu execution, diff --git a/3.14.23/4420_grsecurity-3.0-3.14.23-201410312212.patch b/3.14.23/4420_grsecurity-3.0-3.14.23-201411062033.patch index 2b0f9bd..399d2be 100644 --- a/3.14.23/4420_grsecurity-3.0-3.14.23-201410312212.patch +++ b/3.14.23/4420_grsecurity-3.0-3.14.23-201411062033.patch 
@@ -93492,6 +93492,82 @@ index e6be585..d73ae5e 100644 return; local_irq_save(flags); +diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c +index 759d5e0..5156a5fe 100644 +--- a/kernel/trace/trace_syscalls.c ++++ b/kernel/trace/trace_syscalls.c +@@ -313,7 +313,7 @@ static void ftrace_syscall_enter(void *data, struct pt_regs *regs, long id) + int size; + + syscall_nr = trace_get_syscall_nr(current, regs); +- if (syscall_nr < 0) ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) + return; + + /* Here we're inside tp handler's rcu_read_lock_sched (__DO_TRACE) */ +@@ -360,7 +360,7 @@ static void ftrace_syscall_exit(void *data, struct pt_regs *regs, long ret) + int syscall_nr; + + syscall_nr = trace_get_syscall_nr(current, regs); +- if (syscall_nr < 0) ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) + return; + + /* Here we're inside tp handler's rcu_read_lock_sched (__DO_TRACE()) */ +@@ -567,7 +567,7 @@ static void perf_syscall_enter(void *ignore, struct pt_regs *regs, long id) + int size; + + syscall_nr = trace_get_syscall_nr(current, regs); +- if (syscall_nr < 0) ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) + return; + if (!test_bit(syscall_nr, enabled_perf_enter_syscalls)) + return; +@@ -602,6 +602,8 @@ static int perf_sysenter_enable(struct ftrace_event_call *call) + int num; + + num = ((struct syscall_metadata *)call->data)->syscall_nr; ++ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls)) ++ return -EINVAL; + + mutex_lock(&syscall_trace_lock); + if (!sys_perf_refcount_enter) +@@ -622,6 +624,8 @@ static void perf_sysenter_disable(struct ftrace_event_call *call) + int num; + + num = ((struct syscall_metadata *)call->data)->syscall_nr; ++ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls)) ++ return; + + mutex_lock(&syscall_trace_lock); + sys_perf_refcount_enter--; +@@ -641,7 +645,7 @@ static void perf_syscall_exit(void *ignore, struct pt_regs *regs, long ret) + int size; + + syscall_nr = trace_get_syscall_nr(current, regs); +- if 
(syscall_nr < 0) ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) + return; + if (!test_bit(syscall_nr, enabled_perf_exit_syscalls)) + return; +@@ -674,6 +678,8 @@ static int perf_sysexit_enable(struct ftrace_event_call *call) + int num; + + num = ((struct syscall_metadata *)call->data)->syscall_nr; ++ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls)) ++ return -EINVAL; + + mutex_lock(&syscall_trace_lock); + if (!sys_perf_refcount_exit) +@@ -694,6 +700,8 @@ static void perf_sysexit_disable(struct ftrace_event_call *call) + int num; + + num = ((struct syscall_metadata *)call->data)->syscall_nr; ++ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls)) ++ return; + + mutex_lock(&syscall_trace_lock); + sys_perf_refcount_exit--; diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c index 80a57af..7f5a7ff 100644 --- a/kernel/user_namespace.c @@ -100239,7 +100315,7 @@ index b543470..d2ddae2 100644 if (!can_dir) { printk(KERN_INFO "can: failed to create /proc/net/can . " diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c -index 0a31298..241da43 100644 +index 0a31298..6301eb0 100644 --- a/net/ceph/messenger.c +++ b/net/ceph/messenger.c @@ -187,7 +187,7 @@ static void con_fault(struct ceph_connection *con); @@ -100260,6 +100336,19 @@ index 0a31298..241da43 100644 s = addr_str[i]; switch (ss->ss_family) { +@@ -291,7 +291,11 @@ int ceph_msgr_init(void) + if (ceph_msgr_slab_init()) + return -ENOMEM; + +- ceph_msgr_wq = alloc_workqueue("ceph-msgr", 0, 0); ++ /* ++ * The number of active work items is limited by the number of ++ * connections, so leave @max_active at default. ++ */ ++ ceph_msgr_wq = alloc_workqueue("ceph-msgr", WQ_MEM_RECLAIM, 0); + if (ceph_msgr_wq) + return 0; + diff --git a/net/compat.c b/net/compat.c index cbc1a2a..ab7644e 100644 --- a/net/compat.c diff --git a/3.17.2/0000_README b/3.17.2/0000_README index c71a071..08a13b9 100644 --- a/3.17.2/0000_README +++ b/3.17.2/0000_README 
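Review bot: The range test `syscall_nr < 0 || syscall_nr >= NR_syscalls` is now written out eight times in kernel/trace/trace_syscalls.c, across the four tracepoint handlers and the four perf enable/disable functions, so any later change to the valid range has to be repeated in every copy. A small helper such as `static inline bool syscall_nr_valid(int nr) { return nr >= 0 && nr < NR_syscalls; }` would keep them in step. The new upper bound also deserves a one-line comment, because in the perf handlers the value goes straight into `test_bit(syscall_nr, enabled_perf_enter_syscalls)`, and that bitmap is presumably sized by NR_syscalls. Every function touched here starts and ends outside its hunk. The identical section added to the 3.17.2 grsecurity patch further down carries the same point.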
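Review bot: The comment added above `alloc_workqueue("ceph-msgr", WQ_MEM_RECLAIM, 0)` in ceph_msgr_init explains only the unchanged `max_active` argument and says nothing about the flag this change introduces. A reader cannot tell from it why the queue needs the flag; presumably messenger work must still make progress while memory is being reclaimed, but that should be confirmed and stated. I would extend the comment with a line such as `* WQ_MEM_RECLAIM: messenger work may be needed for reclaim to make progress.` once the reason is confirmed. The same hunk is added to the 3.17.2 grsecurity patch further down.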
@@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.17.2-201410312213.patch +Patch: 4420_grsecurity-3.0-3.17.2-201411062034.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.17.2/4420_grsecurity-3.0-3.17.2-201410312213.patch b/3.17.2/4420_grsecurity-3.0-3.17.2-201411062034.patch index 942b997..2da5648 100644 --- a/3.17.2/4420_grsecurity-3.0-3.17.2-201410312213.patch +++ b/3.17.2/4420_grsecurity-3.0-3.17.2-201411062034.patch @@ -29335,7 +29335,7 @@ index 38a0afe..94421a9 100644 out: diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index 03954f7..48daa1a 100644 +index 03954f7..0f4ad73 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -504,11 +504,6 @@ static void rsp_increment(struct x86_emulate_ctxt *ctxt, int inc) @@ -29350,7 +29350,7 @@ index 03954f7..48daa1a 100644 static u32 desc_limit_scaled(struct desc_struct *desc) { u32 limit = get_desc_limit(desc); -@@ -568,6 +563,38 @@ static int emulate_nm(struct x86_emulate_ctxt *ctxt) +@@ -568,6 +563,40 @@ static int emulate_nm(struct x86_emulate_ctxt *ctxt) return emulate_exception(ctxt, NM_VECTOR, 0, false); } @@ -29364,12 +29364,14 @@ index 03954f7..48daa1a 100644 + case 4: + ctxt->_eip = (u32)dst; + break; ++#ifdef CONFIG_X86_64 + case 8: + if ((cs_l && is_noncanonical_address(dst)) || -+ (!cs_l && (dst & ~(u32)-1))) ++ (!cs_l && (dst >> 32) != 0)) + return emulate_gp(ctxt, 0); + ctxt->_eip = dst; + break; ++#endif + default: + WARN(1, "unsupported eip assignment size\n"); + } 
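Review bot: With `case 8` now inside `#ifdef CONFIG_X86_64` in assign_eip_far, an 8-byte operand size on a 32-bit build lands in `default:`, which only calls `WARN(1, "unsupported eip assignment size\n")` and leaves `ctxt->_eip` unassigned. The statement after the switch is outside this hunk; in the 3.2.64 backport of the same function later on this page it is `return X86EMUL_CONTINUE;`, so the caller would be told the assignment succeeded. That size should not be reachable on such a build, but if the same return applies here the default arm would be safer failing closed, e.g. `return X86EMUL_UNHANDLEABLE;` directly after the WARN.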
@@ -29389,7 +29391,7 @@ index 03954f7..48daa1a 100644 static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg) { u16 selector; -@@ -750,8 +777,10 @@ static int __do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt, int op_size) +@@ -750,8 +779,10 @@ static int __do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt, int op_size) static __always_inline int do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt, unsigned size) { @@ -29402,7 +29404,7 @@ index 03954f7..48daa1a 100644 else return X86EMUL_CONTINUE; } -@@ -1415,7 +1444,9 @@ static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt, +@@ -1415,7 +1446,9 @@ static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt, /* Does not support long mode */ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, @@ -29413,7 +29415,7 @@ index 03954f7..48daa1a 100644 { struct desc_struct seg_desc, old_desc; u8 dpl, rpl; -@@ -1547,6 +1578,8 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, +@@ -1547,6 +1580,8 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, } load: ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg); @@ -29422,7 +29424,7 @@ index 03954f7..48daa1a 100644 return X86EMUL_CONTINUE; exception: emulate_exception(ctxt, err_vec, err_code, true); -@@ -1557,7 +1590,7 @@ static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt, +@@ -1557,7 +1592,7 @@ static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt, u16 selector, int seg) { u8 cpl = ctxt->ops->cpl(ctxt); @@ -29431,7 +29433,7 @@ index 03954f7..48daa1a 100644 } static void write_register_operand(struct operand *op) -@@ -1951,17 +1984,31 @@ static int em_iret(struct x86_emulate_ctxt *ctxt) +@@ -1951,17 +1986,31 @@ static int em_iret(struct x86_emulate_ctxt *ctxt) static int em_jmp_far(struct x86_emulate_ctxt *ctxt) { int rc; 
@@ -29459,7 +29461,7 @@ index 03954f7..48daa1a 100644 - return X86EMUL_CONTINUE; + rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l); + if (rc != X86EMUL_CONTINUE) { -+ WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64); ++ WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64); + /* assigning eip failed; restore the old cs */ + ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS); + return rc; @@ -29468,7 +29470,7 @@ index 03954f7..48daa1a 100644 } static int em_grp45(struct x86_emulate_ctxt *ctxt) -@@ -1972,13 +2019,15 @@ static int em_grp45(struct x86_emulate_ctxt *ctxt) +@@ -1972,13 +2021,15 @@ static int em_grp45(struct x86_emulate_ctxt *ctxt) case 2: /* call near abs */ { long int old_eip; old_eip = ctxt->_eip; @@ -29486,7 +29488,7 @@ index 03954f7..48daa1a 100644 break; case 5: /* jmp far */ rc = em_jmp_far(ctxt); -@@ -2013,30 +2062,47 @@ static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt) +@@ -2013,30 +2064,47 @@ static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt) static int em_ret(struct x86_emulate_ctxt *ctxt) { @@ -29537,13 +29539,13 @@ index 03954f7..48daa1a 100644 + return rc; + rc = assign_eip_far(ctxt, eip, new_desc.l); + if (rc != X86EMUL_CONTINUE) { -+ WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64); ++ WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64); + ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS); + } return rc; } -@@ -2297,7 +2363,7 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) +@@ -2297,7 +2365,7 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) { const struct x86_emulate_ops *ops = ctxt->ops; struct desc_struct cs, ss; @@ -29552,7 +29554,7 @@ index 03954f7..48daa1a 100644 int usermode; u16 cs_sel = 0, ss_sel = 0; -@@ -2313,6 +2379,9 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) +@@ -2313,6 +2381,9 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) else usermode = X86EMUL_MODE_PROT32; 
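Review bot: The corrected `WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64)` still falls through to `ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS)` when it fires. In the 3.2.64 backport of em_jmp_far later on this page, `old_sel` and `old_desc` are filled by `get_segment` only when the mode is X86EMUL_MODE_PROT64; that part of this function is outside the hunk, but if it matches, the warning path would load CS from uninitialised stack data. Using the macro's return value avoids this: `if (WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64)) return rc;` placed before the restore. The second WARN_ON hunk on this line, which restores `old_cs` and `old_desc`, has the same shape and would take the same guard.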
@@ -29562,7 +29564,7 @@ index 03954f7..48daa1a 100644 cs.dpl = 3; ss.dpl = 3; ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data); -@@ -2330,6 +2399,9 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) +@@ -2330,6 +2401,9 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) ss_sel = cs_sel + 8; cs.d = 0; cs.l = 1; @@ -29572,7 +29574,7 @@ index 03954f7..48daa1a 100644 break; } cs_sel |= SELECTOR_RPL_MASK; -@@ -2338,8 +2410,8 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) +@@ -2338,8 +2412,8 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS); ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS); @@ -29583,7 +29585,7 @@ index 03954f7..48daa1a 100644 return X86EMUL_CONTINUE; } -@@ -2457,19 +2529,24 @@ static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt, +@@ -2457,19 +2531,24 @@ static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt, * Now load segment descriptors. If fault happens at this stage * it is handled in a context of new task */ @@ -29613,7 +29615,7 @@ index 03954f7..48daa1a 100644 if (ret != X86EMUL_CONTINUE) return ret; -@@ -2594,25 +2671,32 @@ static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt, +@@ -2594,25 +2673,32 @@ static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt, * Now load segment descriptors. If fault happenes at this stage * it is handled in a context of new task */ @@ -29653,7 +29655,7 @@ index 03954f7..48daa1a 100644 if (ret != X86EMUL_CONTINUE) return ret; -@@ -2880,10 +2964,13 @@ static int em_aad(struct x86_emulate_ctxt *ctxt) +@@ -2880,10 +2966,13 @@ static int em_aad(struct x86_emulate_ctxt *ctxt) static int em_call(struct x86_emulate_ctxt *ctxt) { @@ -29668,7 +29670,7 @@ index 03954f7..48daa1a 100644 return em_push(ctxt); } -@@ -2892,34 +2979,50 @@ static int em_call_far(struct x86_emulate_ctxt *ctxt) +@@ -2892,34 +2981,50 @@ static int em_call_far(struct x86_emulate_ctxt *ctxt) u16 sel, old_cs; ulong old_eip; int rc; 
@@ -29729,7 +29731,7 @@ index 03954f7..48daa1a 100644 if (rc != X86EMUL_CONTINUE) return rc; rsp_increment(ctxt, ctxt->src.val); -@@ -3250,20 +3353,24 @@ static int em_lmsw(struct x86_emulate_ctxt *ctxt) +@@ -3250,20 +3355,24 @@ static int em_lmsw(struct x86_emulate_ctxt *ctxt) static int em_loop(struct x86_emulate_ctxt *ctxt) { @@ -29758,7 +29760,7 @@ index 03954f7..48daa1a 100644 } static int em_in(struct x86_emulate_ctxt *ctxt) -@@ -3351,6 +3458,12 @@ static int em_bswap(struct x86_emulate_ctxt *ctxt) +@@ -3351,6 +3460,12 @@ static int em_bswap(struct x86_emulate_ctxt *ctxt) return X86EMUL_CONTINUE; } @@ -29771,7 +29773,7 @@ index 03954f7..48daa1a 100644 static bool valid_cr(int nr) { switch (nr) { -@@ -3683,6 +3796,16 @@ static const struct opcode group11[] = { +@@ -3683,6 +3798,16 @@ static const struct opcode group11[] = { X7(D(Undefined)), }; @@ -29788,7 +29790,7 @@ index 03954f7..48daa1a 100644 static const struct gprefix pfx_0f_6f_0f_7f = { I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov), }; -@@ -3887,10 +4010,11 @@ static const struct opcode twobyte_table[256] = { +@@ -3887,10 +4012,11 @@ static const struct opcode twobyte_table[256] = { N, I(ImplicitOps | EmulateOnUD, em_syscall), II(ImplicitOps | Priv, em_clts, clts), N, DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N, @@ -29802,7 +29804,7 @@ index 03954f7..48daa1a 100644 /* 0x20 - 0x2F */ DIP(ModRM | DstMem | Priv | Op3264 | NoMod, cr_read, check_cr_read), DIP(ModRM | DstMem | Priv | Op3264 | NoMod, dr_read, check_dr_read), -@@ -3942,7 +4066,7 @@ static const struct opcode twobyte_table[256] = { +@@ -3942,7 +4068,7 @@ static const struct opcode twobyte_table[256] = { F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts), F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd), F(DstMem | SrcReg | Src2CL | ModRM, em_shrd), 
@@ -29811,7 +29813,7 @@ index 03954f7..48daa1a 100644 /* 0xB0 - 0xB7 */ I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_cmpxchg), I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg), -@@ -4458,10 +4582,10 @@ done_prefixes: +@@ -4458,10 +4584,10 @@ done_prefixes: /* Decode and fetch the destination operand: register or memory. */ rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask); @@ -29823,7 +29825,7 @@ index 03954f7..48daa1a 100644 return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK; } -@@ -4711,7 +4835,7 @@ special_insn: +@@ -4711,7 +4837,7 @@ special_insn: break; case 0x70 ... 0x7f: /* jcc (short) */ if (test_cc(ctxt->b, ctxt->eflags)) @@ -29832,7 +29834,7 @@ index 03954f7..48daa1a 100644 break; case 0x8d: /* lea r16/r32, m */ ctxt->dst.val = ctxt->src.addr.mem.ea; -@@ -4741,7 +4865,7 @@ special_insn: +@@ -4741,7 +4867,7 @@ special_insn: break; case 0xe9: /* jmp rel */ case 0xeb: /* jmp rel short */ @@ -29841,7 +29843,7 @@ index 03954f7..48daa1a 100644 ctxt->dst.type = OP_NONE; /* Disable writeback. */ break; case 0xf4: /* hlt */ -@@ -4864,13 +4988,11 @@ twobyte_insn: +@@ -4864,13 +4990,11 @@ twobyte_insn: break; case 0x80 ... 0x8f: /* jnz rel, etc*/ if (test_cc(ctxt->b, ctxt->eflags)) 
@@ -95262,6 +95264,82 @@ index 8a4e5cb..64f270d 100644 return; local_irq_save(flags); +diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c +index 759d5e0..5156a5fe 100644 +--- a/kernel/trace/trace_syscalls.c ++++ b/kernel/trace/trace_syscalls.c +@@ -313,7 +313,7 @@ static void ftrace_syscall_enter(void *data, struct pt_regs *regs, long id) + int size; + + syscall_nr = trace_get_syscall_nr(current, regs); +- if (syscall_nr < 0) ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) + return; + + /* Here we're inside tp handler's rcu_read_lock_sched (__DO_TRACE) */ +@@ -360,7 +360,7 @@ static void ftrace_syscall_exit(void *data, struct pt_regs *regs, long ret) + int syscall_nr; + + syscall_nr = trace_get_syscall_nr(current, regs); +- if (syscall_nr < 0) ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) + return; + + /* Here we're inside tp handler's rcu_read_lock_sched (__DO_TRACE()) */ +@@ -567,7 +567,7 @@ static void perf_syscall_enter(void *ignore, struct pt_regs *regs, long id) + int size; + + syscall_nr = trace_get_syscall_nr(current, regs); +- if (syscall_nr < 0) ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) + return; + if (!test_bit(syscall_nr, enabled_perf_enter_syscalls)) + return; +@@ -602,6 +602,8 @@ static int perf_sysenter_enable(struct ftrace_event_call *call) + int num; + + num = ((struct syscall_metadata *)call->data)->syscall_nr; ++ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls)) ++ return -EINVAL; + + mutex_lock(&syscall_trace_lock); + if (!sys_perf_refcount_enter) +@@ -622,6 +624,8 @@ static void perf_sysenter_disable(struct ftrace_event_call *call) + int num; + + num = ((struct syscall_metadata *)call->data)->syscall_nr; ++ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls)) ++ return; + + mutex_lock(&syscall_trace_lock); + sys_perf_refcount_enter--; +@@ -641,7 +645,7 @@ static void perf_syscall_exit(void *ignore, struct pt_regs *regs, long ret) + int size; + + syscall_nr = trace_get_syscall_nr(current, regs); +- if 
(syscall_nr < 0) ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) + return; + if (!test_bit(syscall_nr, enabled_perf_exit_syscalls)) + return; +@@ -674,6 +678,8 @@ static int perf_sysexit_enable(struct ftrace_event_call *call) + int num; + + num = ((struct syscall_metadata *)call->data)->syscall_nr; ++ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls)) ++ return -EINVAL; + + mutex_lock(&syscall_trace_lock); + if (!sys_perf_refcount_exit) +@@ -694,6 +700,8 @@ static void perf_sysexit_disable(struct ftrace_event_call *call) + int num; + + num = ((struct syscall_metadata *)call->data)->syscall_nr; ++ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls)) ++ return; + + mutex_lock(&syscall_trace_lock); + sys_perf_refcount_exit--; diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c index aa312b0..395f343 100644 --- a/kernel/user_namespace.c @@ -101964,7 +102042,7 @@ index 1a19b98..df2b4ec 100644 if (!can_dir) { printk(KERN_INFO "can: failed to create /proc/net/can . " diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c -index b2f571d..b584643 100644 +index b2f571d..e6160e9 100644 --- a/net/ceph/messenger.c +++ b/net/ceph/messenger.c @@ -188,7 +188,7 @@ static void con_fault(struct ceph_connection *con); @@ -101985,6 +102063,19 @@ index b2f571d..b584643 100644 s = addr_str[i]; switch (ss->ss_family) { +@@ -292,7 +292,11 @@ int ceph_msgr_init(void) + if (ceph_msgr_slab_init()) + return -ENOMEM; + +- ceph_msgr_wq = alloc_workqueue("ceph-msgr", 0, 0); ++ /* ++ * The number of active work items is limited by the number of ++ * connections, so leave @max_active at default. ++ */ ++ ceph_msgr_wq = alloc_workqueue("ceph-msgr", WQ_MEM_RECLAIM, 0); + if (ceph_msgr_wq) + return 0; + diff --git a/net/compat.c b/net/compat.c index bc8aeef..f9c070c 100644 --- a/net/compat.c diff --git a/3.2.63/0000_README b/3.2.64/0000_README index dc58512..4dc0dd8 100644 --- a/3.2.63/0000_README +++ b/3.2.64/0000_README @@ -170,7 +170,11 @@ Patch: 1062_linux-3.2.63.patch 
From: http://www.kernel.org Desc: Linux 3.2.63 -Patch: 4420_grsecurity-3.0-3.2.63-201411020808.patch +Patch: 1063_linux-3.2.64.patch +From: http://www.kernel.org +Desc: Linux 3.2.64 + +Patch: 4420_grsecurity-3.0-3.2.64-201411062032.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.63/1021_linux-3.2.22.patch b/3.2.64/1021_linux-3.2.22.patch index e6ad93a..e6ad93a 100644 --- a/3.2.63/1021_linux-3.2.22.patch +++ b/3.2.64/1021_linux-3.2.22.patch diff --git a/3.2.63/1022_linux-3.2.23.patch b/3.2.64/1022_linux-3.2.23.patch index 3d796d0..3d796d0 100644 --- a/3.2.63/1022_linux-3.2.23.patch +++ b/3.2.64/1022_linux-3.2.23.patch diff --git a/3.2.63/1023_linux-3.2.24.patch b/3.2.64/1023_linux-3.2.24.patch index 4692eb4..4692eb4 100644 --- a/3.2.63/1023_linux-3.2.24.patch +++ b/3.2.64/1023_linux-3.2.24.patch diff --git a/3.2.63/1024_linux-3.2.25.patch b/3.2.64/1024_linux-3.2.25.patch index e95c213..e95c213 100644 --- a/3.2.63/1024_linux-3.2.25.patch +++ b/3.2.64/1024_linux-3.2.25.patch diff --git a/3.2.63/1025_linux-3.2.26.patch b/3.2.64/1025_linux-3.2.26.patch index 44065b9..44065b9 100644 --- a/3.2.63/1025_linux-3.2.26.patch +++ b/3.2.64/1025_linux-3.2.26.patch diff --git a/3.2.63/1026_linux-3.2.27.patch b/3.2.64/1026_linux-3.2.27.patch index 5878eb4..5878eb4 100644 --- a/3.2.63/1026_linux-3.2.27.patch +++ b/3.2.64/1026_linux-3.2.27.patch diff --git a/3.2.63/1027_linux-3.2.28.patch b/3.2.64/1027_linux-3.2.28.patch index 4dbba4b..4dbba4b 100644 --- a/3.2.63/1027_linux-3.2.28.patch +++ b/3.2.64/1027_linux-3.2.28.patch diff --git a/3.2.63/1028_linux-3.2.29.patch b/3.2.64/1028_linux-3.2.29.patch index 3c65179..3c65179 100644 --- a/3.2.63/1028_linux-3.2.29.patch +++ b/3.2.64/1028_linux-3.2.29.patch diff --git a/3.2.63/1029_linux-3.2.30.patch b/3.2.64/1029_linux-3.2.30.patch index 86aea4b..86aea4b 100644 --- a/3.2.63/1029_linux-3.2.30.patch +++ b/3.2.64/1029_linux-3.2.30.patch 
diff --git a/3.2.63/1030_linux-3.2.31.patch b/3.2.64/1030_linux-3.2.31.patch
index c6accf5..c6accf5 100644
--- a/3.2.63/1030_linux-3.2.31.patch
+++ b/3.2.64/1030_linux-3.2.31.patch
diff --git a/3.2.63/1031_linux-3.2.32.patch b/3.2.64/1031_linux-3.2.32.patch
index 247fc0b..247fc0b 100644
--- a/3.2.63/1031_linux-3.2.32.patch
+++ b/3.2.64/1031_linux-3.2.32.patch
diff --git a/3.2.63/1032_linux-3.2.33.patch b/3.2.64/1032_linux-3.2.33.patch
index c32fb75..c32fb75 100644
--- a/3.2.63/1032_linux-3.2.33.patch
+++ b/3.2.64/1032_linux-3.2.33.patch
diff --git a/3.2.63/1033_linux-3.2.34.patch b/3.2.64/1033_linux-3.2.34.patch
index d647b38..d647b38 100644
--- a/3.2.63/1033_linux-3.2.34.patch
+++ b/3.2.64/1033_linux-3.2.34.patch
diff --git a/3.2.63/1034_linux-3.2.35.patch b/3.2.64/1034_linux-3.2.35.patch
index 76a9c19..76a9c19 100644
--- a/3.2.63/1034_linux-3.2.35.patch
+++ b/3.2.64/1034_linux-3.2.35.patch
diff --git a/3.2.63/1035_linux-3.2.36.patch b/3.2.64/1035_linux-3.2.36.patch
index 5d192a3..5d192a3 100644
--- a/3.2.63/1035_linux-3.2.36.patch
+++ b/3.2.64/1035_linux-3.2.36.patch
diff --git a/3.2.63/1036_linux-3.2.37.patch b/3.2.64/1036_linux-3.2.37.patch
index ad13251..ad13251 100644
--- a/3.2.63/1036_linux-3.2.37.patch
+++ b/3.2.64/1036_linux-3.2.37.patch
diff --git a/3.2.63/1037_linux-3.2.38.patch b/3.2.64/1037_linux-3.2.38.patch
index a3c106f..a3c106f 100644
--- a/3.2.63/1037_linux-3.2.38.patch
+++ b/3.2.64/1037_linux-3.2.38.patch
diff --git a/3.2.63/1038_linux-3.2.39.patch b/3.2.64/1038_linux-3.2.39.patch
index 5639e92..5639e92 100644
--- a/3.2.63/1038_linux-3.2.39.patch
+++ b/3.2.64/1038_linux-3.2.39.patch
diff --git a/3.2.63/1039_linux-3.2.40.patch b/3.2.64/1039_linux-3.2.40.patch
index f26b39c..f26b39c 100644
--- a/3.2.63/1039_linux-3.2.40.patch
+++ b/3.2.64/1039_linux-3.2.40.patch
diff --git a/3.2.63/1040_linux-3.2.41.patch b/3.2.64/1040_linux-3.2.41.patch
index 0d27fcb..0d27fcb 100644
--- a/3.2.63/1040_linux-3.2.41.patch
+++ b/3.2.64/1040_linux-3.2.41.patch
diff --git a/3.2.63/1041_linux-3.2.42.patch b/3.2.64/1041_linux-3.2.42.patch
index 77a08ed..77a08ed 100644
--- a/3.2.63/1041_linux-3.2.42.patch
+++ b/3.2.64/1041_linux-3.2.42.patch
diff --git a/3.2.63/1042_linux-3.2.43.patch b/3.2.64/1042_linux-3.2.43.patch
index a3f878b..a3f878b 100644
--- a/3.2.63/1042_linux-3.2.43.patch
+++ b/3.2.64/1042_linux-3.2.43.patch
diff --git a/3.2.63/1043_linux-3.2.44.patch b/3.2.64/1043_linux-3.2.44.patch
index 3d5e6ff..3d5e6ff 100644
--- a/3.2.63/1043_linux-3.2.44.patch
+++ b/3.2.64/1043_linux-3.2.44.patch
diff --git a/3.2.63/1044_linux-3.2.45.patch b/3.2.64/1044_linux-3.2.45.patch
index 44e1767..44e1767 100644
--- a/3.2.63/1044_linux-3.2.45.patch
+++ b/3.2.64/1044_linux-3.2.45.patch
diff --git a/3.2.63/1045_linux-3.2.46.patch b/3.2.64/1045_linux-3.2.46.patch
index bc10efd..bc10efd 100644
--- a/3.2.63/1045_linux-3.2.46.patch
+++ b/3.2.64/1045_linux-3.2.46.patch
diff --git a/3.2.63/1046_linux-3.2.47.patch b/3.2.64/1046_linux-3.2.47.patch
index b74563c..b74563c 100644
--- a/3.2.63/1046_linux-3.2.47.patch
+++ b/3.2.64/1046_linux-3.2.47.patch
diff --git a/3.2.63/1047_linux-3.2.48.patch b/3.2.64/1047_linux-3.2.48.patch
index 6d55b1f..6d55b1f 100644
--- a/3.2.63/1047_linux-3.2.48.patch
+++ b/3.2.64/1047_linux-3.2.48.patch
diff --git a/3.2.63/1048_linux-3.2.49.patch b/3.2.64/1048_linux-3.2.49.patch
index 2dab0cf..2dab0cf 100644
--- a/3.2.63/1048_linux-3.2.49.patch
+++ b/3.2.64/1048_linux-3.2.49.patch
diff --git a/3.2.63/1049_linux-3.2.50.patch b/3.2.64/1049_linux-3.2.50.patch
index 20b3015..20b3015 100644
--- a/3.2.63/1049_linux-3.2.50.patch
+++ b/3.2.64/1049_linux-3.2.50.patch
diff --git a/3.2.63/1050_linux-3.2.51.patch b/3.2.64/1050_linux-3.2.51.patch
index 5d5832b..5d5832b 100644
--- a/3.2.63/1050_linux-3.2.51.patch
+++ b/3.2.64/1050_linux-3.2.51.patch
diff --git a/3.2.63/1051_linux-3.2.52.patch b/3.2.64/1051_linux-3.2.52.patch
index 94b9359..94b9359 100644
--- a/3.2.63/1051_linux-3.2.52.patch
+++ b/3.2.64/1051_linux-3.2.52.patch
diff --git a/3.2.63/1052_linux-3.2.53.patch b/3.2.64/1052_linux-3.2.53.patch
index 986d714..986d714 100644
--- a/3.2.63/1052_linux-3.2.53.patch
+++ b/3.2.64/1052_linux-3.2.53.patch
diff --git a/3.2.63/1053_linux-3.2.54.patch b/3.2.64/1053_linux-3.2.54.patch
index a907496..a907496 100644
--- a/3.2.63/1053_linux-3.2.54.patch
+++ b/3.2.64/1053_linux-3.2.54.patch
diff --git a/3.2.63/1054_linux-3.2.55.patch b/3.2.64/1054_linux-3.2.55.patch
index 6071ff5..6071ff5 100644
--- a/3.2.63/1054_linux-3.2.55.patch
+++ b/3.2.64/1054_linux-3.2.55.patch
diff --git a/3.2.63/1055_linux-3.2.56.patch b/3.2.64/1055_linux-3.2.56.patch
index 2e8239c..2e8239c 100644
--- a/3.2.63/1055_linux-3.2.56.patch
+++ b/3.2.64/1055_linux-3.2.56.patch
diff --git a/3.2.63/1056_linux-3.2.57.patch b/3.2.64/1056_linux-3.2.57.patch
index 7b8f174..7b8f174 100644
--- a/3.2.63/1056_linux-3.2.57.patch
+++ b/3.2.64/1056_linux-3.2.57.patch
diff --git a/3.2.63/1057_linux-3.2.58.patch b/3.2.64/1057_linux-3.2.58.patch
index db5723a..db5723a 100644
--- a/3.2.63/1057_linux-3.2.58.patch
+++ b/3.2.64/1057_linux-3.2.58.patch
diff --git a/3.2.63/1058_linux-3.2.59.patch b/3.2.64/1058_linux-3.2.59.patch
index cd59fe9..cd59fe9 100644
--- a/3.2.63/1058_linux-3.2.59.patch
+++ b/3.2.64/1058_linux-3.2.59.patch
diff --git a/3.2.63/1059_linux-3.2.60.patch b/3.2.64/1059_linux-3.2.60.patch
index c5a9389..c5a9389 100644
--- a/3.2.63/1059_linux-3.2.60.patch
+++ b/3.2.64/1059_linux-3.2.60.patch
diff --git a/3.2.63/1060_linux-3.2.61.patch b/3.2.64/1060_linux-3.2.61.patch
index a1bf580..a1bf580 100644
--- a/3.2.63/1060_linux-3.2.61.patch
+++ b/3.2.64/1060_linux-3.2.61.patch
diff --git a/3.2.63/1061_linux-3.2.62.patch b/3.2.64/1061_linux-3.2.62.patch
index 34217f0..34217f0 100644
--- a/3.2.63/1061_linux-3.2.62.patch
+++ b/3.2.64/1061_linux-3.2.62.patch
diff --git a/3.2.63/1062_linux-3.2.63.patch b/3.2.64/1062_linux-3.2.63.patch
index f7c7415..f7c7415 100644
--- a/3.2.63/1062_linux-3.2.63.patch
+++ b/3.2.64/1062_linux-3.2.63.patch
diff --git a/3.2.64/1063_linux-3.2.64.patch b/3.2.64/1063_linux-3.2.64.patch new file mode 100644 index 0000000..862b4f0 --- /dev/null +++ b/3.2.64/1063_linux-3.2.64.patch 
@@ -0,0 +1,3821 @@ +diff --git a/Makefile b/Makefile +index 6d3f2d4..2b58ffc 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 2 +-SUBLEVEL = 63 ++SUBLEVEL = 64 + EXTRAVERSION = + NAME = Saber-toothed Squirrel + +diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c +index a125c4b..6e39bf1 100644 +--- a/arch/arm/mm/alignment.c ++++ b/arch/arm/mm/alignment.c +@@ -38,6 +38,7 @@ + * This code is not portable to processors with late data abort handling. + */ + #define CODING_BITS(i) (i & 0x0e000000) ++#define COND_BITS(i) (i & 0xf0000000) + + #define LDST_I_BIT(i) (i & (1 << 26)) /* Immediate constant */ + #define LDST_P_BIT(i) (i & (1 << 24)) /* Preindex */ +@@ -812,6 +813,8 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs) + break; + + case 0x04000000: /* ldr or str immediate */ ++ if (COND_BITS(instr) == 0xf0000000) /* NEON VLDn, VSTn */ ++ goto bad; + offset.un = OFFSET_BITS(instr); + handler = do_alignment_ldrstr; + break; +diff --git a/arch/mips/boot/compressed/decompress.c b/arch/mips/boot/compressed/decompress.c +index 5cad0fa..ca51d69 100644 +--- a/arch/mips/boot/compressed/decompress.c ++++ b/arch/mips/boot/compressed/decompress.c +@@ -13,6 +13,7 @@ + + #include <linux/types.h> + #include <linux/kernel.h> ++#include <linux/string.h> + + #include <asm/addrspace.h> + +diff --git a/arch/mips/kernel/mcount.S b/arch/mips/kernel/mcount.S +index 4c968e7..55eca41 100644 +--- a/arch/mips/kernel/mcount.S ++++ b/arch/mips/kernel/mcount.S +@@ -119,7 +119,11 @@ NESTED(_mcount, PT_SIZE, ra) + nop + #endif + b ftrace_stub ++#ifdef CONFIG_32BIT ++ addiu sp, sp, 8 ++#else + nop ++#endif + + static_trace: + MCOUNT_SAVE_REGS +@@ -129,6 +133,9 @@ static_trace: + move a1, AT /* arg2: parent's return address */ + + MCOUNT_RESTORE_REGS ++#ifdef CONFIG_32BIT ++ addiu sp, sp, 8 ++#endif + .globl ftrace_stub + ftrace_stub: + RETURN_BACK +@@ -177,6 +184,11 @@ NESTED(ftrace_graph_caller, PT_SIZE, ra) + jal 
prepare_ftrace_return + nop + MCOUNT_RESTORE_REGS ++#ifndef CONFIG_DYNAMIC_FTRACE ++#ifdef CONFIG_32BIT ++ addiu sp, sp, 8 ++#endif ++#endif + RETURN_BACK + END(ftrace_graph_caller) + +diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c +index fe425bb..228a205 100644 +--- a/arch/mips/mm/c-r4k.c ++++ b/arch/mips/mm/c-r4k.c +@@ -606,6 +606,7 @@ static void r4k_dma_cache_wback_inv(unsigned long addr, unsigned long size) + r4k_blast_scache(); + else + blast_scache_range(addr, addr + size); ++ preempt_enable(); + __sync(); + return; + } +@@ -647,6 +648,7 @@ static void r4k_dma_cache_inv(unsigned long addr, unsigned long size) + */ + blast_inv_scache_range(addr, addr + size); + } ++ preempt_enable(); + __sync(); + return; + } +diff --git a/arch/parisc/Makefile b/arch/parisc/Makefile +index 55cca1d..75947e0 100644 +--- a/arch/parisc/Makefile ++++ b/arch/parisc/Makefile +@@ -47,7 +47,12 @@ cflags-y := -pipe + + # These flags should be implied by an hppa-linux configuration, but they + # are not in gcc 3.2. +-cflags-y += -mno-space-regs -mfast-indirect-calls ++cflags-y += -mno-space-regs ++ ++# -mfast-indirect-calls is only relevant for 32-bit kernels. ++ifndef CONFIG_64BIT ++cflags-y += -mfast-indirect-calls ++endif + + # Currently we save and restore fpregs on all kernel entry/interruption paths. 
+ # If that gets optimized, we might need to disable the use of fpregs in the +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index dd072b1..f6f41dd 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -516,16 +516,6 @@ rerun_vcpu: + + BUG_ON(vcpu->kvm->arch.float_int.local_int[vcpu->vcpu_id] == NULL); + +- switch (kvm_run->exit_reason) { +- case KVM_EXIT_S390_SIEIC: +- case KVM_EXIT_UNKNOWN: +- case KVM_EXIT_INTR: +- case KVM_EXIT_S390_RESET: +- break; +- default: +- BUG(); +- } +- + vcpu->arch.sie_block->gpsw.mask = kvm_run->psw_mask; + vcpu->arch.sie_block->gpsw.addr = kvm_run->psw_addr; + +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h +index b3eb9a7..15d24cb 100644 +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -821,6 +821,20 @@ static inline void kvm_inject_gp(struct kvm_vcpu *vcpu, u32 error_code) + kvm_queue_exception_e(vcpu, GP_VECTOR, error_code); + } + ++static inline u64 get_canonical(u64 la) ++{ ++ return ((int64_t)la << 16) >> 16; ++} ++ ++static inline bool is_noncanonical_address(u64 la) ++{ ++#ifdef CONFIG_X86_64 ++ return get_canonical(la) != la; ++#else ++ return false; ++#endif ++} ++ + #define TSS_IOPB_BASE_OFFSET 0x66 + #define TSS_BASE_SIZE 0x68 + #define TSS_IOPB_SIZE (65536 / 8) +diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h +index 31f180c..36cbe2a 100644 +--- a/arch/x86/include/asm/vmx.h ++++ b/arch/x86/include/asm/vmx.h +@@ -279,6 +279,8 @@ enum vmcs_field { + #define EXIT_REASON_APIC_ACCESS 44 + #define EXIT_REASON_EPT_VIOLATION 48 + #define EXIT_REASON_EPT_MISCONFIG 49 ++#define EXIT_REASON_INVEPT 50 ++#define EXIT_REASON_INVVPID 53 + #define EXIT_REASON_WBINVD 54 + #define EXIT_REASON_XSETBV 55 + +diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c +index 6e68bd9..bb28f2ca 100644 +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -1252,6 +1252,9 @@ static void 
remove_siblinginfo(int cpu) + + for_each_cpu(sibling, cpu_sibling_mask(cpu)) + cpumask_clear_cpu(cpu, cpu_sibling_mask(sibling)); ++ for_each_cpu(sibling, cpu_llc_shared_mask(cpu)) ++ cpumask_clear_cpu(cpu, cpu_llc_shared_mask(sibling)); ++ cpumask_clear(cpu_llc_shared_mask(cpu)); + cpumask_clear(cpu_sibling_mask(cpu)); + cpumask_clear(cpu_core_mask(cpu)); + c->phys_proc_id = 0; +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index 638cab5..f0ac042 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -456,11 +456,6 @@ register_address_increment(struct x86_emulate_ctxt *ctxt, unsigned long *reg, in + *reg = (*reg & ~ad_mask(ctxt)) | ((*reg + inc) & ad_mask(ctxt)); + } + +-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel) +-{ +- register_address_increment(ctxt, &ctxt->_eip, rel); +-} +- + static u32 desc_limit_scaled(struct desc_struct *desc) + { + u32 limit = get_desc_limit(desc); +@@ -534,6 +529,40 @@ static int emulate_nm(struct x86_emulate_ctxt *ctxt) + return emulate_exception(ctxt, NM_VECTOR, 0, false); + } + ++static inline int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst, ++ int cs_l) ++{ ++ switch (ctxt->op_bytes) { ++ case 2: ++ ctxt->_eip = (u16)dst; ++ break; ++ case 4: ++ ctxt->_eip = (u32)dst; ++ break; ++#ifdef CONFIG_X86_64 ++ case 8: ++ if ((cs_l && is_noncanonical_address(dst)) || ++ (!cs_l && (dst >> 32) != 0)) ++ return emulate_gp(ctxt, 0); ++ ctxt->_eip = dst; ++ break; ++#endif ++ default: ++ WARN(1, "unsupported eip assignment size\n"); ++ } ++ return X86EMUL_CONTINUE; ++} ++ ++static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst) ++{ ++ return assign_eip_far(ctxt, dst, ctxt->mode == X86EMUL_MODE_PROT64); ++} ++ ++static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel) ++{ ++ return assign_eip_near(ctxt, ctxt->_eip + rel); ++} ++ + static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg) + { + u16 selector; +@@ -1206,11 +1235,12 @@ 
static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt, + } + + /* Does not support long mode */ +-static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt, +- u16 selector, int seg) ++static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, ++ u16 selector, int seg, u8 cpl, ++ struct desc_struct *desc) + { + struct desc_struct seg_desc; +- u8 dpl, rpl, cpl; ++ u8 dpl, rpl; + unsigned err_vec = GP_VECTOR; + u32 err_code = 0; + bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */ +@@ -1259,7 +1289,6 @@ static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt, + + rpl = selector & 3; + dpl = seg_desc.dpl; +- cpl = ctxt->ops->cpl(ctxt); + + switch (seg) { + case VCPU_SREG_SS: +@@ -1316,12 +1345,21 @@ static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt, + } + load: + ctxt->ops->set_segment(ctxt, selector, &seg_desc, 0, seg); ++ if (desc) ++ *desc = seg_desc; + return X86EMUL_CONTINUE; + exception: + emulate_exception(ctxt, err_vec, err_code, true); + return X86EMUL_PROPAGATE_FAULT; + } + ++static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt, ++ u16 selector, int seg) ++{ ++ u8 cpl = ctxt->ops->cpl(ctxt); ++ return __load_segment_descriptor(ctxt, selector, seg, cpl, NULL); ++} ++ + static void write_register_operand(struct operand *op) + { + /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. 
*/ +@@ -1661,17 +1699,31 @@ static int em_iret(struct x86_emulate_ctxt *ctxt) + static int em_jmp_far(struct x86_emulate_ctxt *ctxt) + { + int rc; +- unsigned short sel; ++ unsigned short sel, old_sel; ++ struct desc_struct old_desc, new_desc; ++ const struct x86_emulate_ops *ops = ctxt->ops; ++ u8 cpl = ctxt->ops->cpl(ctxt); ++ ++ /* Assignment of RIP may only fail in 64-bit mode */ ++ if (ctxt->mode == X86EMUL_MODE_PROT64) ++ ops->get_segment(ctxt, &old_sel, &old_desc, NULL, ++ VCPU_SREG_CS); + + memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2); + +- rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS); ++ rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl, ++ &new_desc); + if (rc != X86EMUL_CONTINUE) + return rc; + +- ctxt->_eip = 0; +- memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes); +- return X86EMUL_CONTINUE; ++ rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l); ++ if (rc != X86EMUL_CONTINUE) { ++ WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64); ++ /* assigning eip failed; restore the old cs */ ++ ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS); ++ return rc; ++ } ++ return rc; + } + + static int em_grp1a(struct x86_emulate_ctxt *ctxt) +@@ -1770,13 +1822,15 @@ static int em_grp45(struct x86_emulate_ctxt *ctxt) + case 2: /* call near abs */ { + long int old_eip; + old_eip = ctxt->_eip; +- ctxt->_eip = ctxt->src.val; ++ rc = assign_eip_near(ctxt, ctxt->src.val); ++ if (rc != X86EMUL_CONTINUE) ++ break; + ctxt->src.val = old_eip; + rc = em_push(ctxt); + break; + } + case 4: /* jmp abs */ +- ctxt->_eip = ctxt->src.val; ++ rc = assign_eip_near(ctxt, ctxt->src.val); + break; + case 5: /* jmp far */ + rc = em_jmp_far(ctxt); +@@ -1808,30 +1862,47 @@ static int em_grp9(struct x86_emulate_ctxt *ctxt) + + static int em_ret(struct x86_emulate_ctxt *ctxt) + { +- ctxt->dst.type = OP_REG; +- ctxt->dst.addr.reg = &ctxt->_eip; +- ctxt->dst.bytes = ctxt->op_bytes; +- return em_pop(ctxt); ++ int rc; ++ unsigned long eip; ++ ++ rc = emulate_pop(ctxt, 
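Review bot: In em_jmp_far, `old_sel` and `old_desc` are filled only when `ctxt->mode == X86EMUL_MODE_PROT64`, but the failure path calls `ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);` in every mode. The `WARN_ON` records that the path is not expected outside 64-bit mode, yet if it is ever reached there, the guest's CS is reloaded from uninitialised stack data. Either read the old CS unconditionally, as em_call_far does in its own hunk, or guard the restore with the same mode test, `if (ctxt->mode == X86EMUL_MODE_PROT64) ops->set_segment(...)`. em_ret_far in the `@@ -1808,30 +1862,47 @@` hunk has the same pattern with `old_cs`/`old_desc`.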
&eip, ctxt->op_bytes); ++ if (rc != X86EMUL_CONTINUE) ++ return rc; ++ ++ return assign_eip_near(ctxt, eip); + } + + static int em_ret_far(struct x86_emulate_ctxt *ctxt) + { + int rc; +- unsigned long cs; ++ unsigned long eip, cs; ++ u16 old_cs; + int cpl = ctxt->ops->cpl(ctxt); ++ struct desc_struct old_desc, new_desc; ++ const struct x86_emulate_ops *ops = ctxt->ops; + +- rc = emulate_pop(ctxt, &ctxt->_eip, ctxt->op_bytes); ++ if (ctxt->mode == X86EMUL_MODE_PROT64) ++ ops->get_segment(ctxt, &old_cs, &old_desc, NULL, ++ VCPU_SREG_CS); ++ ++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes); + if (rc != X86EMUL_CONTINUE) + return rc; +- if (ctxt->op_bytes == 4) +- ctxt->_eip = (u32)ctxt->_eip; + rc = emulate_pop(ctxt, &cs, ctxt->op_bytes); + if (rc != X86EMUL_CONTINUE) + return rc; + /* Outer-privilege level return is not implemented */ + if (ctxt->mode >= X86EMUL_MODE_PROT16 && (cs & 3) > cpl) + return X86EMUL_UNHANDLEABLE; +- rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS); ++ rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, 0, ++ &new_desc); ++ if (rc != X86EMUL_CONTINUE) ++ return rc; ++ rc = assign_eip_far(ctxt, eip, new_desc.l); ++ if (rc != X86EMUL_CONTINUE) { ++ WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64); ++ ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS); ++ } + return rc; + } + +@@ -2043,7 +2114,7 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) + { + struct x86_emulate_ops *ops = ctxt->ops; + struct desc_struct cs, ss; +- u64 msr_data; ++ u64 msr_data, rcx, rdx; + int usermode; + u16 cs_sel = 0, ss_sel = 0; + +@@ -2059,6 +2130,9 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) + else + usermode = X86EMUL_MODE_PROT32; + ++ rcx = ctxt->regs[VCPU_REGS_RCX]; ++ rdx = ctxt->regs[VCPU_REGS_RDX]; ++ + cs.dpl = 3; + ss.dpl = 3; + ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data); +@@ -2076,6 +2150,9 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) + ss_sel = cs_sel + 8; + cs.d = 0; + cs.l = 1; ++ if 
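Review bot: em_ret_far passes a literal `0` as the `cpl` argument of `__load_segment_descriptor()`, although the function already holds `cpl = ctxt->ops->cpl(ctxt)` and uses it for the outer-privilege test a few lines earlier. The helper's body is only partly visible here, but its privilege checks take that argument, so a far return emulated for less privileged guest code would be checked as if it ran at ring 0. em_jmp_far and em_call_far pass the real value. Suggested: `rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, cpl, &new_desc);`; if `0` is intended, a comment should say why.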
(is_noncanonical_address(rcx) || ++ is_noncanonical_address(rdx)) ++ return emulate_gp(ctxt, 0); + break; + } + cs_sel |= SELECTOR_RPL_MASK; +@@ -2084,8 +2161,8 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt) + ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS); + ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS); + +- ctxt->_eip = ctxt->regs[VCPU_REGS_RDX]; +- ctxt->regs[VCPU_REGS_RSP] = ctxt->regs[VCPU_REGS_RCX]; ++ ctxt->_eip = rdx; ++ ctxt->regs[VCPU_REGS_RSP] = rcx; + + return X86EMUL_CONTINUE; + } +@@ -2174,6 +2251,7 @@ static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt, + struct tss_segment_16 *tss) + { + int ret; ++ u8 cpl; + + ctxt->_eip = tss->ip; + ctxt->eflags = tss->flag | 2; +@@ -2196,23 +2274,30 @@ static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt, + set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS); + set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS); + ++ cpl = tss->cs & 3; ++ + /* + * Now load segment descriptors. If fault happenes at this stage + * it is handled in a context of new task + */ +- ret = load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR); ++ ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl, ++ NULL); + if (ret != X86EMUL_CONTINUE) + return ret; +- ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES); ++ ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl, ++ NULL); + if (ret != X86EMUL_CONTINUE) + return ret; +- ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS); ++ ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl, ++ NULL); + if (ret != X86EMUL_CONTINUE) + return ret; +- ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS); ++ ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl, ++ NULL); + if (ret != X86EMUL_CONTINUE) + return ret; +- ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS); ++ ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl, ++ NULL); + if (ret != X86EMUL_CONTINUE) + return 
ret; + +@@ -2291,6 +2376,7 @@ static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt, + struct tss_segment_32 *tss) + { + int ret; ++ u8 cpl; + + if (ctxt->ops->set_cr(ctxt, 3, tss->cr3)) + return emulate_gp(ctxt, 0); +@@ -2307,7 +2393,8 @@ static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt, + + /* + * SDM says that segment selectors are loaded before segment +- * descriptors ++ * descriptors. This is important because CPL checks will ++ * use CS.RPL. + */ + set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR); + set_segment_selector(ctxt, tss->es, VCPU_SREG_ES); +@@ -2317,29 +2404,38 @@ static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt, + set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS); + set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS); + ++ cpl = tss->cs & 3; ++ + /* + * Now load segment descriptors. If fault happenes at this stage + * it is handled in a context of new task + */ +- ret = load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR); ++ ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR, ++ cpl, NULL); + if (ret != X86EMUL_CONTINUE) + return ret; +- ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES); ++ ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl, ++ NULL); + if (ret != X86EMUL_CONTINUE) + return ret; +- ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS); ++ ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl, ++ NULL); + if (ret != X86EMUL_CONTINUE) + return ret; +- ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS); ++ ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl, ++ NULL); + if (ret != X86EMUL_CONTINUE) + return ret; +- ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS); ++ ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl, ++ NULL); + if (ret != X86EMUL_CONTINUE) + return ret; +- ret = load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS); ++ ret = 
__load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl, ++ NULL); + if (ret != X86EMUL_CONTINUE) + return ret; +- ret = load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS); ++ ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl, ++ NULL); + if (ret != X86EMUL_CONTINUE) + return ret; + +@@ -2536,39 +2632,67 @@ static int em_das(struct x86_emulate_ctxt *ctxt) + return X86EMUL_CONTINUE; + } + ++static int em_call(struct x86_emulate_ctxt *ctxt) ++{ ++ int rc; ++ long rel = ctxt->src.val; ++ ++ ctxt->src.val = (unsigned long)ctxt->_eip; ++ rc = jmp_rel(ctxt, rel); ++ if (rc != X86EMUL_CONTINUE) ++ return rc; ++ return em_push(ctxt); ++} ++ + static int em_call_far(struct x86_emulate_ctxt *ctxt) + { + u16 sel, old_cs; + ulong old_eip; + int rc; ++ struct desc_struct old_desc, new_desc; ++ const struct x86_emulate_ops *ops = ctxt->ops; ++ int cpl = ctxt->ops->cpl(ctxt); + +- old_cs = get_segment_selector(ctxt, VCPU_SREG_CS); + old_eip = ctxt->_eip; ++ ops->get_segment(ctxt, &old_cs, &old_desc, NULL, VCPU_SREG_CS); + + memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2); +- if (load_segment_descriptor(ctxt, sel, VCPU_SREG_CS)) ++ rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl, ++ &new_desc); ++ if (rc != X86EMUL_CONTINUE) + return X86EMUL_CONTINUE; + +- ctxt->_eip = 0; +- memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes); ++ rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l); ++ if (rc != X86EMUL_CONTINUE) ++ goto fail; + + ctxt->src.val = old_cs; + rc = em_push(ctxt); + if (rc != X86EMUL_CONTINUE) +- return rc; ++ goto fail; + + ctxt->src.val = old_eip; +- return em_push(ctxt); ++ rc = em_push(ctxt); ++ /* If we failed, we tainted the memory, but the very least we should ++ restore cs */ ++ if (rc != X86EMUL_CONTINUE) ++ goto fail; ++ return rc; ++fail: ++ ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS); ++ return rc; ++ + } + + static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt) + { + int rc; ++ unsigned long eip; + +- 
ctxt->dst.type = OP_REG; +- ctxt->dst.addr.reg = &ctxt->_eip; +- ctxt->dst.bytes = ctxt->op_bytes; +- rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes); ++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes); ++ if (rc != X86EMUL_CONTINUE) ++ return rc; ++ rc = assign_eip_near(ctxt, eip); + if (rc != X86EMUL_CONTINUE) + return rc; + register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP], ctxt->src.val); +@@ -2814,20 +2938,24 @@ static int em_lmsw(struct x86_emulate_ctxt *ctxt) + + static int em_loop(struct x86_emulate_ctxt *ctxt) + { ++ int rc = X86EMUL_CONTINUE; ++ + register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RCX], -1); + if ((address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) != 0) && + (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags))) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + +- return X86EMUL_CONTINUE; ++ return rc; + } + + static int em_jcxz(struct x86_emulate_ctxt *ctxt) + { ++ int rc = X86EMUL_CONTINUE; ++ + if (address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) == 0) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + +- return X86EMUL_CONTINUE; ++ return rc; + } + + static int em_cli(struct x86_emulate_ctxt *ctxt) +@@ -3271,7 +3399,7 @@ static struct opcode opcode_table[256] = { + D2bvIP(SrcImmUByte | DstAcc, in, check_perm_in), + D2bvIP(SrcAcc | DstImmUByte, out, check_perm_out), + /* 0xE8 - 0xEF */ +- D(SrcImm | Stack), D(SrcImm | ImplicitOps), ++ I(SrcImm | Stack, em_call), D(SrcImm | ImplicitOps), + I(SrcImmFAddr | No64, em_jmp_far), D(SrcImmByte | ImplicitOps), + D2bvIP(SrcDX | DstAcc, in, check_perm_in), + D2bvIP(SrcAcc | DstDX, out, check_perm_out), +@@ -3920,7 +4048,7 @@ special_insn: + break; + case 0x70 ... 
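Review bot: In em_call_far a failed `__load_segment_descriptor()` still ends in `return X86EMUL_CONTINUE;`, so the fault code held in `rc` is discarded and the caller is told the far call succeeded. em_jmp_far in the same patch returns `rc` for the same condition. The old code behaved the same way, so this is carried over rather than introduced, but the rewritten check is the place to fix it: `if (rc != X86EMUL_CONTINUE) return rc;`. Separately, the comment before the final `goto fail` would read better as a normal block comment stating that only CS is restored and the stack writes are not undone.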
0x7f: /* jcc (short) */ + if (test_cc(ctxt->b, ctxt->eflags)) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + break; + case 0x8d: /* lea r16/r32, m */ + ctxt->dst.val = ctxt->src.addr.mem.ea; +@@ -3966,16 +4094,9 @@ special_insn: + case 0xe6: /* outb */ + case 0xe7: /* out */ + goto do_io_out; +- case 0xe8: /* call (near) */ { +- long int rel = ctxt->src.val; +- ctxt->src.val = (unsigned long) ctxt->_eip; +- jmp_rel(ctxt, rel); +- rc = em_push(ctxt); +- break; +- } + case 0xe9: /* jmp rel */ + case 0xeb: /* jmp rel short */ +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + ctxt->dst.type = OP_NONE; /* Disable writeback. */ + break; + case 0xec: /* in al,dx */ +@@ -4141,7 +4262,7 @@ twobyte_insn: + break; + case 0x80 ... 0x8f: /* jnz rel, etc*/ + if (test_cc(ctxt->b, ctxt->eflags)) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + break; + case 0x90 ... 0x9f: /* setcc r/m8 */ + ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags); +diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c +index 139415e..cced57f 100644 +--- a/arch/x86/kvm/i8254.c ++++ b/arch/x86/kvm/i8254.c +@@ -264,8 +264,10 @@ void __kvm_migrate_pit_timer(struct kvm_vcpu *vcpu) + return; + + timer = &pit->pit_state.pit_timer.timer; ++ mutex_lock(&pit->pit_state.lock); + if (hrtimer_cancel(timer)) + hrtimer_start_expires(timer, HRTIMER_MODE_ABS); ++ mutex_unlock(&pit->pit_state.lock); + } + + static void destroy_pit_timer(struct kvm_pit *pit) +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 2102a17..82f97a5 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3109,7 +3109,7 @@ static int wrmsr_interception(struct vcpu_svm *svm) + + + svm->next_rip = kvm_rip_read(&svm->vcpu) + 2; +- if (svm_set_msr(&svm->vcpu, ecx, data)) { ++ if (kvm_set_msr(&svm->vcpu, ecx, data)) { + trace_kvm_msr_write_ex(ecx, data); + kvm_inject_gp(&svm->vcpu, 0); + } else { +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 
a4f6bda..578b1c6 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -390,6 +390,7 @@ struct vcpu_vmx { + u16 fs_sel, gs_sel, ldt_sel; + int gs_ldt_reload_needed; + int fs_reload_needed; ++ unsigned long vmcs_host_cr4; /* May not match real cr4 */ + } host_state; + struct { + int vm86_active; +@@ -3629,16 +3630,21 @@ static void vmx_disable_intercept_for_msr(u32 msr, bool longmode_only) + * Note that host-state that does change is set elsewhere. E.g., host-state + * that is set differently for each CPU is set in vmx_vcpu_load(), not here. + */ +-static void vmx_set_constant_host_state(void) ++static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) + { + u32 low32, high32; + unsigned long tmpl; + struct desc_ptr dt; ++ unsigned long cr4; + + vmcs_writel(HOST_CR0, read_cr0() | X86_CR0_TS); /* 22.2.3 */ +- vmcs_writel(HOST_CR4, read_cr4()); /* 22.2.3, 22.2.5 */ + vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */ + ++ /* Save the most likely value for this task's CR4 in the VMCS. 
*/ ++ cr4 = read_cr4(); ++ vmcs_writel(HOST_CR4, cr4); /* 22.2.3, 22.2.5 */ ++ vmx->host_state.vmcs_host_cr4 = cr4; ++ + vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS); /* 22.2.4 */ + vmcs_write16(HOST_DS_SELECTOR, __KERNEL_DS); /* 22.2.4 */ + vmcs_write16(HOST_ES_SELECTOR, __KERNEL_DS); /* 22.2.4 */ +@@ -3760,7 +3766,7 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx) + + vmcs_write16(HOST_FS_SELECTOR, 0); /* 22.2.4 */ + vmcs_write16(HOST_GS_SELECTOR, 0); /* 22.2.4 */ +- vmx_set_constant_host_state(); ++ vmx_set_constant_host_state(vmx); + #ifdef CONFIG_X86_64 + rdmsrl(MSR_FS_BASE, a); + vmcs_writel(HOST_FS_BASE, a); /* 22.2.4 */ +@@ -4544,7 +4550,7 @@ static int handle_wrmsr(struct kvm_vcpu *vcpu) + u64 data = (vcpu->arch.regs[VCPU_REGS_RAX] & -1u) + | ((u64)(vcpu->arch.regs[VCPU_REGS_RDX] & -1u) << 32); + +- if (vmx_set_msr(vcpu, ecx, data) != 0) { ++ if (kvm_set_msr(vcpu, ecx, data) != 0) { + trace_kvm_msr_write_ex(ecx, data); + kvm_inject_gp(vcpu, 0); + return 1; +@@ -5550,6 +5556,18 @@ static int handle_vmptrst(struct kvm_vcpu *vcpu) + return 1; + } + ++static int handle_invept(struct kvm_vcpu *vcpu) ++{ ++ kvm_queue_exception(vcpu, UD_VECTOR); ++ return 1; ++} ++ ++static int handle_invvpid(struct kvm_vcpu *vcpu) ++{ ++ kvm_queue_exception(vcpu, UD_VECTOR); ++ return 1; ++} ++ + /* + * The exit handlers return 1 if the exit was handled fully and guest execution + * may resume. 
Otherwise they set the kvm_run parameter to indicate what needs +@@ -5591,6 +5609,8 @@ static int (*kvm_vmx_exit_handlers[])(struct kvm_vcpu *vcpu) = { + [EXIT_REASON_PAUSE_INSTRUCTION] = handle_pause, + [EXIT_REASON_MWAIT_INSTRUCTION] = handle_invalid_op, + [EXIT_REASON_MONITOR_INSTRUCTION] = handle_invalid_op, ++ [EXIT_REASON_INVEPT] = handle_invept, ++ [EXIT_REASON_INVVPID] = handle_invvpid, + }; + + static const int kvm_vmx_max_exit_handlers = +@@ -5775,6 +5795,7 @@ static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu) + case EXIT_REASON_VMPTRST: case EXIT_REASON_VMREAD: + case EXIT_REASON_VMRESUME: case EXIT_REASON_VMWRITE: + case EXIT_REASON_VMOFF: case EXIT_REASON_VMON: ++ case EXIT_REASON_INVEPT: case EXIT_REASON_INVVPID: + /* + * VMX instructions trap unconditionally. This allows L1 to + * emulate them for its L2 guest, i.e., allows 3-level nesting! +@@ -6093,6 +6114,7 @@ static void atomic_switch_perf_msrs(struct vcpu_vmx *vmx) + static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) + { + struct vcpu_vmx *vmx = to_vmx(vcpu); ++ unsigned long cr4; + + if (is_guest_mode(vcpu) && !vmx->nested.nested_run_pending) { + struct vmcs12 *vmcs12 = get_vmcs12(vcpu); +@@ -6123,6 +6145,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) + if (test_bit(VCPU_REGS_RIP, (unsigned long *)&vcpu->arch.regs_dirty)) + vmcs_writel(GUEST_RIP, vcpu->arch.regs[VCPU_REGS_RIP]); + ++ cr4 = read_cr4(); ++ if (unlikely(cr4 != vmx->host_state.vmcs_host_cr4)) { ++ vmcs_writel(HOST_CR4, cr4); ++ vmx->host_state.vmcs_host_cr4 = cr4; ++ } ++ + /* When single-stepping over STI and MOV SS, we must clear the + * corresponding interruptibility bits in the guest state. Otherwise + * vmentry fails as it then expects bit 14 (BS) in pending debug +@@ -6581,7 +6609,7 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12) + * Other fields are different per CPU, and will be set later when + * vmx_vcpu_load() is called, and when vmx_save_host_state() is called. 
+ */ +- vmx_set_constant_host_state(); ++ vmx_set_constant_host_state(vmx); + + /* + * HOST_RSP is normally set correctly in vmx_vcpu_run() just before +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index b9fefaf..2d7d0df 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -893,7 +893,6 @@ void kvm_enable_efer_bits(u64 mask) + } + EXPORT_SYMBOL_GPL(kvm_enable_efer_bits); + +- + /* + * Writes msr value into into the appropriate "register". + * Returns 0 on success, non-0 otherwise. +@@ -901,8 +900,34 @@ EXPORT_SYMBOL_GPL(kvm_enable_efer_bits); + */ + int kvm_set_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data) + { ++ switch (msr_index) { ++ case MSR_FS_BASE: ++ case MSR_GS_BASE: ++ case MSR_KERNEL_GS_BASE: ++ case MSR_CSTAR: ++ case MSR_LSTAR: ++ if (is_noncanonical_address(data)) ++ return 1; ++ break; ++ case MSR_IA32_SYSENTER_EIP: ++ case MSR_IA32_SYSENTER_ESP: ++ /* ++ * IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if ++ * non-canonical address is written on Intel but not on ++ * AMD (which ignores the top 32-bits, because it does ++ * not implement 64-bit SYSENTER). ++ * ++ * 64-bit code should hence be able to write a non-canonical ++ * value on AMD. Making the address canonical ensures that ++ * vmentry does not fail on Intel after writing a non-canonical ++ * value, and that something deterministic happens if the guest ++ * invokes 64-bit SYSENTER. ++ */ ++ data = get_canonical(data); ++ } + return kvm_x86_ops->set_msr(vcpu, msr_index, data); + } ++EXPORT_SYMBOL_GPL(kvm_set_msr); + + /* + * Adapt set_msr() to msr_io()'s calling convention +diff --git a/block/genhd.c b/block/genhd.c +index 8bd4ef2..41b0435 100644 +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -28,10 +28,10 @@ struct kobject *block_depr; + /* for extended dynamic devt allocation, currently only one major is used */ + #define NR_EXT_DEVT (1 << MINORBITS) + +-/* For extended devt allocation. ext_devt_mutex prevents look up ++/* For extended devt allocation. 
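Review bot: The header comment of kvm_set_msr still describes a plain pass-through, but after this hunk the function rejects non-canonical values for five MSRs and silently rewrites the value for `MSR_IA32_SYSENTER_EIP`/`MSR_IA32_SYSENTER_ESP`. The comment should say both, for example `Non-canonical values for the FS/GS/KERNEL_GS base and LSTAR/CSTAR MSRs are rejected; SYSENTER_EIP/ESP values are made canonical before being written.` The last case group also leaves the `switch` without a `break;` and there is no `default:`; adding `break;` after `data = get_canonical(data);` keeps a later added case from falling into unintended behaviour.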
ext_devt_lock prevents look up + * results from going away underneath its user. + */ +-static DEFINE_MUTEX(ext_devt_mutex); ++static DEFINE_SPINLOCK(ext_devt_lock); + static DEFINE_IDR(ext_devt_idr); + + static struct device_type disk_type; +@@ -421,13 +421,13 @@ int blk_alloc_devt(struct hd_struct *part, dev_t *devt) + do { + if (!idr_pre_get(&ext_devt_idr, GFP_KERNEL)) + return -ENOMEM; +- mutex_lock(&ext_devt_mutex); ++ spin_lock(&ext_devt_lock); + rc = idr_get_new(&ext_devt_idr, part, &idx); + if (!rc && idx >= NR_EXT_DEVT) { + idr_remove(&ext_devt_idr, idx); + rc = -EBUSY; + } +- mutex_unlock(&ext_devt_mutex); ++ spin_unlock(&ext_devt_lock); + } while (rc == -EAGAIN); + + if (rc) +@@ -448,15 +448,13 @@ int blk_alloc_devt(struct hd_struct *part, dev_t *devt) + */ + void blk_free_devt(dev_t devt) + { +- might_sleep(); +- + if (devt == MKDEV(0, 0)) + return; + + if (MAJOR(devt) == BLOCK_EXT_MAJOR) { +- mutex_lock(&ext_devt_mutex); ++ spin_lock(&ext_devt_lock); + idr_remove(&ext_devt_idr, blk_mangle_minor(MINOR(devt))); +- mutex_unlock(&ext_devt_mutex); ++ spin_unlock(&ext_devt_lock); + } + } + +@@ -663,7 +661,6 @@ void del_gendisk(struct gendisk *disk) + if (!sysfs_deprecated) + sysfs_remove_link(block_depr, dev_name(disk_to_dev(disk))); + device_del(disk_to_dev(disk)); +- blk_free_devt(disk_to_dev(disk)->devt); + } + EXPORT_SYMBOL(del_gendisk); + +@@ -688,13 +685,13 @@ struct gendisk *get_gendisk(dev_t devt, int *partno) + } else { + struct hd_struct *part; + +- mutex_lock(&ext_devt_mutex); ++ spin_lock(&ext_devt_lock); + part = idr_find(&ext_devt_idr, blk_mangle_minor(MINOR(devt))); + if (part && get_disk(part_to_disk(part))) { + *partno = part->partno; + disk = part_to_disk(part); + } +- mutex_unlock(&ext_devt_mutex); ++ spin_unlock(&ext_devt_lock); + } + + return disk; +@@ -1102,6 +1099,7 @@ static void disk_release(struct device *dev) + { + struct gendisk *disk = dev_to_disk(dev); + ++ blk_free_devt(dev->devt); + disk_release_events(disk); + 
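Review bot: `ext_devt_lock` is taken with plain `spin_lock()` everywhere, while this patch removes `might_sleep()` from blk_free_devt and moves its call into `disk_release()` (last genhd.c hunk), so the lock is now taken from whatever context drops the final device reference. Whether that release can run from softirq context is not visible in this patch and should be confirmed; if it can, a softirq interrupting a holder in blk_alloc_devt or get_gendisk on the same CPU would deadlock. Using `spin_lock_bh(&ext_devt_lock);` / `spin_unlock_bh(&ext_devt_lock);` at the four lock sites would cover that case. The comment above `DEFINE_SPINLOCK(ext_devt_lock)` should also state which contexts may take the lock, since that is what motivated the change from a mutex.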
kfree(disk->random); + disk_replace_part_tbl(disk, NULL); +diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c +index de0791c..388ba10 100644 +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -1165,9 +1165,9 @@ int acpi_processor_cst_has_changed(struct acpi_processor *pr) + if (smp_processor_id() == 0 && + cpuidle_get_driver() == &acpi_idle_driver) { + +- cpuidle_pause_and_lock(); + /* Protect against cpu-hotplug */ + get_online_cpus(); ++ cpuidle_pause_and_lock(); + + /* Disable all cpuidle devices */ + for_each_online_cpu(cpu) { +@@ -1192,8 +1192,8 @@ int acpi_processor_cst_has_changed(struct acpi_processor *pr) + cpuidle_enable_device(&_pr->power.dev); + } + } +- put_online_cpus(); + cpuidle_resume_and_unlock(); ++ put_online_cpus(); + } + + return 0; +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 43b0acf..4007f62 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -315,6 +315,14 @@ static const struct pci_device_id ahci_pci_tbl[] = { + { PCI_VDEVICE(INTEL, 0x9c85), board_ahci }, /* Wildcat Point-LP RAID */ + { PCI_VDEVICE(INTEL, 0x9c87), board_ahci }, /* Wildcat Point-LP RAID */ + { PCI_VDEVICE(INTEL, 0x9c8f), board_ahci }, /* Wildcat Point-LP RAID */ ++ { PCI_VDEVICE(INTEL, 0x8c82), board_ahci }, /* 9 Series AHCI */ ++ { PCI_VDEVICE(INTEL, 0x8c83), board_ahci }, /* 9 Series AHCI */ ++ { PCI_VDEVICE(INTEL, 0x8c84), board_ahci }, /* 9 Series RAID */ ++ { PCI_VDEVICE(INTEL, 0x8c85), board_ahci }, /* 9 Series RAID */ ++ { PCI_VDEVICE(INTEL, 0x8c86), board_ahci }, /* 9 Series RAID */ ++ { PCI_VDEVICE(INTEL, 0x8c87), board_ahci }, /* 9 Series RAID */ ++ { PCI_VDEVICE(INTEL, 0x8c8e), board_ahci }, /* 9 Series RAID */ ++ { PCI_VDEVICE(INTEL, 0x8c8f), board_ahci }, /* 9 Series RAID */ + + /* JMicron 360/1/3/5/6, match class to avoid IDE function */ + { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, +@@ -449,6 +457,8 @@ static const struct pci_device_id ahci_pci_tbl[] = { + { 
PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x917a), + .driver_data = board_ahci_yes_fbs }, /* 88se9172 */ + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9172), ++ .driver_data = board_ahci_yes_fbs }, /* 88se9182 */ ++ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9182), + .driver_data = board_ahci_yes_fbs }, /* 88se9172 */ + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9192), + .driver_data = board_ahci_yes_fbs }, /* 88se9172 on some Gigabyte */ +diff --git a/drivers/ata/ata_piix.c b/drivers/ata/ata_piix.c +index 5b0b5f7..b1e8e11 100644 +--- a/drivers/ata/ata_piix.c ++++ b/drivers/ata/ata_piix.c +@@ -362,6 +362,14 @@ static const struct pci_device_id piix_pci_tbl[] = { + { 0x8086, 0x0F21, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata_byt }, + /* SATA Controller IDE (Coleto Creek) */ + { 0x8086, 0x23a6, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata }, ++ /* SATA Controller IDE (9 Series) */ ++ { 0x8086, 0x8c88, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata_snb }, ++ /* SATA Controller IDE (9 Series) */ ++ { 0x8086, 0x8c89, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata_snb }, ++ /* SATA Controller IDE (9 Series) */ ++ { 0x8086, 0x8c80, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb }, ++ /* SATA Controller IDE (9 Series) */ ++ { 0x8086, 0x8c81, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb }, + + { } /* terminate list */ + }; +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index bf441db..ea78bc46 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -36,6 +36,9 @@ bool regmap_readable(struct regmap *map, unsigned int reg) + if (map->max_register && reg > map->max_register) + return false; + ++ if (map->format.format_write) ++ return false; ++ + if (map->readable_reg) + return map->readable_reg(map->dev, reg); + +@@ -44,7 +47,7 @@ bool regmap_readable(struct regmap *map, unsigned int reg) + + bool regmap_volatile(struct regmap *map, unsigned int reg) + { +- if (map->max_register && reg > map->max_register) ++ if 
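Review bot: After the Marvell hunk in ahci_pci_tbl the trailing comments no longer match their device IDs: the `0x9172` entry now ends with `/* 88se9182 */` and the new `0x9182` entry ends with `/* 88se9172 */`. The two added lines were placed between the existing entry's `PCI_DEVICE(...)` line and its `.driver_data` line, which swapped the labels. The table still matches the right devices, but the comments should be corrected so that `0x9172` keeps `/* 88se9172 */` and `0x9182` carries `/* 88se9182 */`.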
(!map->format.format_write && !regmap_readable(map, reg)) + return false; + + if (map->volatile_reg) +@@ -55,7 +58,7 @@ bool regmap_volatile(struct regmap *map, unsigned int reg) + + bool regmap_precious(struct regmap *map, unsigned int reg) + { +- if (map->max_register && reg > map->max_register) ++ if (!regmap_readable(map, reg)) + return false; + + if (map->precious_reg) +diff --git a/drivers/gpu/drm/i915/intel_bios.c b/drivers/gpu/drm/i915/intel_bios.c +index 0016fee..96d5cfc 100644 +--- a/drivers/gpu/drm/i915/intel_bios.c ++++ b/drivers/gpu/drm/i915/intel_bios.c +@@ -651,7 +651,7 @@ init_vbt_defaults(struct drm_i915_private *dev_priv) + DRM_DEBUG_KMS("Set default to SSC at %dMHz\n", dev_priv->lvds_ssc_freq); + } + +-static int __init intel_no_opregion_vbt_callback(const struct dmi_system_id *id) ++static int intel_no_opregion_vbt_callback(const struct dmi_system_id *id) + { + DRM_DEBUG_KMS("Falling back to manually reading VBT from " + "VBIOS ROM for %s\n", +diff --git a/drivers/gpu/drm/i915/intel_lvds.c b/drivers/gpu/drm/i915/intel_lvds.c +index 74d312f..fadd021 100644 +--- a/drivers/gpu/drm/i915/intel_lvds.c ++++ b/drivers/gpu/drm/i915/intel_lvds.c +@@ -613,7 +613,7 @@ static const struct drm_encoder_funcs intel_lvds_enc_funcs = { + .destroy = intel_encoder_destroy, + }; + +-static int __init intel_no_lvds_dmi_callback(const struct dmi_system_id *id) ++static int intel_no_lvds_dmi_callback(const struct dmi_system_id *id) + { + DRM_DEBUG_KMS("Skipping LVDS initialization for %s\n", id->ident); + return 1; +diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c +index 6d9c32b..24e9756 100644 +--- a/drivers/gpu/drm/radeon/radeon_atombios.c ++++ b/drivers/gpu/drm/radeon/radeon_atombios.c +@@ -457,6 +457,13 @@ static bool radeon_atom_apply_quirks(struct drm_device *dev, + } + } + ++ /* Fujitsu D3003-S2 board lists DVI-I as DVI-I and VGA */ ++ if ((dev->pdev->device == 0x9805) && ++ (dev->pdev->subsystem_vendor == 0x1734) 
&& ++ (dev->pdev->subsystem_device == 0x11bd)) { ++ if (*connector_type == DRM_MODE_CONNECTOR_VGA) ++ return false; ++ } + + return true; + } +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c +index a0c2f12..decca82 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c +@@ -163,8 +163,9 @@ void vmw_fifo_release(struct vmw_private *dev_priv, struct vmw_fifo_state *fifo) + + mutex_lock(&dev_priv->hw_mutex); + ++ vmw_write(dev_priv, SVGA_REG_SYNC, SVGA_SYNC_GENERIC); + while (vmw_read(dev_priv, SVGA_REG_BUSY) != 0) +- vmw_write(dev_priv, SVGA_REG_SYNC, SVGA_SYNC_GENERIC); ++ ; + + dev_priv->last_read_seqno = ioread32(fifo_mem + SVGA_FIFO_FENCE); + +diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c +index 70423dc..2d5bb5b 100644 +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -1130,6 +1130,13 @@ static bool elantech_is_signature_valid(const unsigned char *param) + if (param[1] == 0) + return true; + ++ /* ++ * Some models have a revision higher then 20. Meaning param[2] may ++ * be 10 or 20, skip the rates check for these. 
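Review bot: The rewritten wait in vmw_fifo_release, `while (vmw_read(dev_priv, SVGA_REG_BUSY) != 0) ;`, spins with `hw_mutex` held and has neither a bound nor a `cpu_relax()`. If the device never clears `SVGA_REG_BUSY`, the caller hangs and every other user of the mutex blocks behind it. At minimum the empty body should become `cpu_relax();`, and a short comment should say why a single `SVGA_REG_SYNC` write before the loop is sufficient. The function continues outside the hunk, so a timeout would have to fit whatever error handling the rest of it has.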
++ */ ++ if (param[0] == 0x46 && (param[1] & 0xef) == 0x0f && param[2] < 40) ++ return true; ++ + for (i = 0; i < ARRAY_SIZE(rates); i++) + if (param[2] == rates[i]) + return false; +diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c +index df8b72b..a50e121 100644 +--- a/drivers/input/mouse/synaptics.c ++++ b/drivers/input/mouse/synaptics.c +@@ -506,10 +506,61 @@ static int synaptics_parse_hw_state(const unsigned char buf[], + ((buf[0] & 0x04) >> 1) | + ((buf[3] & 0x04) >> 2)); + ++ if ((SYN_CAP_ADV_GESTURE(priv->ext_cap_0c) || ++ SYN_CAP_IMAGE_SENSOR(priv->ext_cap_0c)) && ++ hw->w == 2) { ++ synaptics_parse_agm(buf, priv, hw); ++ return 1; ++ } ++ ++ hw->x = (((buf[3] & 0x10) << 8) | ++ ((buf[1] & 0x0f) << 8) | ++ buf[4]); ++ hw->y = (((buf[3] & 0x20) << 7) | ++ ((buf[1] & 0xf0) << 4) | ++ buf[5]); ++ hw->z = buf[2]; ++ + hw->left = (buf[0] & 0x01) ? 1 : 0; + hw->right = (buf[0] & 0x02) ? 1 : 0; + +- if (SYN_CAP_CLICKPAD(priv->ext_cap_0c)) { ++ if (SYN_CAP_FORCEPAD(priv->ext_cap_0c)) { ++ /* ++ * ForcePads, like Clickpads, use middle button ++ * bits to report primary button clicks. ++ * Unfortunately they report primary button not ++ * only when user presses on the pad above certain ++ * threshold, but also when there are more than one ++ * finger on the touchpad, which interferes with ++ * out multi-finger gestures. ++ */ ++ if (hw->z == 0) { ++ /* No contacts */ ++ priv->press = priv->report_press = false; ++ } else if (hw->w >= 4 && ((buf[0] ^ buf[3]) & 0x01)) { ++ /* ++ * Single-finger touch with pressure above ++ * the threshold. If pressure stays long ++ * enough, we'll start reporting primary ++ * button. We rely on the device continuing ++ * sending data even if finger does not ++ * move. 
++ */ ++ if (!priv->press) { ++ priv->press_start = jiffies; ++ priv->press = true; ++ } else if (time_after(jiffies, ++ priv->press_start + ++ msecs_to_jiffies(50))) { ++ priv->report_press = true; ++ } ++ } else { ++ priv->press = false; ++ } ++ ++ hw->left = priv->report_press; ++ ++ } else if (SYN_CAP_CLICKPAD(priv->ext_cap_0c)) { + /* + * Clickpad's button is transmitted as middle button, + * however, since it is primary button, we will report +@@ -528,21 +579,6 @@ static int synaptics_parse_hw_state(const unsigned char buf[], + hw->down = ((buf[0] ^ buf[3]) & 0x02) ? 1 : 0; + } + +- if ((SYN_CAP_ADV_GESTURE(priv->ext_cap_0c) || +- SYN_CAP_IMAGE_SENSOR(priv->ext_cap_0c)) && +- hw->w == 2) { +- synaptics_parse_agm(buf, priv, hw); +- return 1; +- } +- +- hw->x = (((buf[3] & 0x10) << 8) | +- ((buf[1] & 0x0f) << 8) | +- buf[4]); +- hw->y = (((buf[3] & 0x20) << 7) | +- ((buf[1] & 0xf0) << 4) | +- buf[5]); +- hw->z = buf[2]; +- + if (SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap) && + ((buf[0] ^ buf[3]) & 0x02)) { + switch (SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap) & ~0x01) { +diff --git a/drivers/input/mouse/synaptics.h b/drivers/input/mouse/synaptics.h +index 622aea8..908d167 100644 +--- a/drivers/input/mouse/synaptics.h ++++ b/drivers/input/mouse/synaptics.h +@@ -77,6 +77,11 @@ + * 2 0x08 image sensor image sensor tracks 5 fingers, but only + * reports 2. + * 2 0x20 report min query 0x0f gives min coord reported ++ * 2 0x80 forcepad forcepad is a variant of clickpad that ++ * does not have physical buttons but rather ++ * uses pressure above certain threshold to ++ * report primary clicks. Forcepads also have ++ * clickpad bit set. 
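Review bot: The ForcePad branch added to synaptics_parse_hw_state hard-codes its press delay as `msecs_to_jiffies(50)`; a named constant with a comment on how 50 ms was chosen would be easier to find and tune. In the final `else` arm only `priv->press` is cleared, so `priv->report_press`, and with it `hw->left`, stays set until `hw->z == 0`. If that latch is intentional, a one-line comment should say so, because it reads like an omission. The block comment also has "out multi-finger gestures" for "our". The function starts and ends outside the hunk.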
+ */ + #define SYN_CAP_CLICKPAD(ex0c) ((ex0c) & 0x100000) /* 1-button ClickPad */ + #define SYN_CAP_CLICKPAD2BTN(ex0c) ((ex0c) & 0x000100) /* 2-button ClickPad */ +@@ -85,6 +90,7 @@ + #define SYN_CAP_ADV_GESTURE(ex0c) ((ex0c) & 0x080000) + #define SYN_CAP_REDUCED_FILTERING(ex0c) ((ex0c) & 0x000400) + #define SYN_CAP_IMAGE_SENSOR(ex0c) ((ex0c) & 0x000800) ++#define SYN_CAP_FORCEPAD(ex0c) ((ex0c) & 0x008000) + + /* synaptics modes query bits */ + #define SYN_MODE_ABSOLUTE(m) ((m) & (1 << 7)) +@@ -170,6 +176,11 @@ struct synaptics_data { + */ + struct synaptics_hw_state agm; + bool agm_pending; /* new AGM packet received */ ++ ++ /* ForcePad handling */ ++ unsigned long press_start; ++ bool press; ++ bool report_press; + }; + + void synaptics_module_init(void); +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index 031270c..bab8238 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -458,6 +458,13 @@ static const struct dmi_system_id __initconst i8042_dmi_nomux_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion dv4 Notebook PC"), + }, + }, ++ { ++ /* Avatar AVIU-145A6 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Intel"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "IC4I"), ++ }, ++ }, + { } + }; + +@@ -594,6 +601,14 @@ static const struct dmi_system_id __initconst i8042_dmi_notimeout_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion dv4 Notebook PC"), + }, + }, ++ { ++ /* Fujitsu U574 laptop */ ++ /* https://bugzilla.kernel.org/show_bug.cgi?id=69731 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U574"), ++ }, ++ }, + { } + }; + +diff --git a/drivers/input/serio/serport.c b/drivers/input/serio/serport.c +index 8755f5f..e4ecf3b 100644 +--- a/drivers/input/serio/serport.c ++++ b/drivers/input/serio/serport.c +@@ -21,6 +21,7 @@ + #include <linux/init.h> + #include <linux/serio.h> + #include <linux/tty.h> ++#include 
<linux/compat.h> + + MODULE_AUTHOR("Vojtech Pavlik <vojtech@ucw.cz>"); + MODULE_DESCRIPTION("Input device TTY line discipline"); +@@ -196,28 +197,55 @@ static ssize_t serport_ldisc_read(struct tty_struct * tty, struct file * file, u + return 0; + } + ++static void serport_set_type(struct tty_struct *tty, unsigned long type) ++{ ++ struct serport *serport = tty->disc_data; ++ ++ serport->id.proto = type & 0x000000ff; ++ serport->id.id = (type & 0x0000ff00) >> 8; ++ serport->id.extra = (type & 0x00ff0000) >> 16; ++} ++ + /* + * serport_ldisc_ioctl() allows to set the port protocol, and device ID + */ + +-static int serport_ldisc_ioctl(struct tty_struct * tty, struct file * file, unsigned int cmd, unsigned long arg) ++static int serport_ldisc_ioctl(struct tty_struct *tty, struct file *file, ++ unsigned int cmd, unsigned long arg) + { +- struct serport *serport = (struct serport*) tty->disc_data; +- unsigned long type; +- + if (cmd == SPIOCSTYPE) { ++ unsigned long type; ++ + if (get_user(type, (unsigned long __user *) arg)) + return -EFAULT; + +- serport->id.proto = type & 0x000000ff; +- serport->id.id = (type & 0x0000ff00) >> 8; +- serport->id.extra = (type & 0x00ff0000) >> 16; ++ serport_set_type(tty, type); ++ return 0; ++ } ++ ++ return -EINVAL; ++} ++ ++#ifdef CONFIG_COMPAT ++#define COMPAT_SPIOCSTYPE _IOW('q', 0x01, compat_ulong_t) ++static long serport_ldisc_compat_ioctl(struct tty_struct *tty, ++ struct file *file, ++ unsigned int cmd, unsigned long arg) ++{ ++ if (cmd == COMPAT_SPIOCSTYPE) { ++ void __user *uarg = compat_ptr(arg); ++ compat_ulong_t compat_type; ++ ++ if (get_user(compat_type, (compat_ulong_t __user *)uarg)) ++ return -EFAULT; + ++ serport_set_type(tty, compat_type); + return 0; + } + + return -EINVAL; + } ++#endif + + static void serport_ldisc_write_wakeup(struct tty_struct * tty) + { +@@ -241,6 +269,9 @@ static struct tty_ldisc_ops serport_ldisc = { + .close = serport_ldisc_close, + .read = serport_ldisc_read, + .ioctl = serport_ldisc_ioctl, 
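Review bot: `COMPAT_SPIOCSTYPE` is spelled out by hand as `_IOW('q', 0x01, compat_ulong_t)` next to serport_ldisc_compat_ioctl, and nothing in the hunk ties it to the native `SPIOCSTYPE` encoding it presumably mirrors. A comment such as `/* must match SPIOCSTYPE except for the argument size */` would keep the two from drifting apart. serport_set_type would also benefit from a short comment stating that only the low three bytes of the user-supplied value are used and the rest is ignored.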
++#ifdef CONFIG_COMPAT ++ .compat_ioctl = serport_ldisc_compat_ioctl, ++#endif + .receive_buf = serport_ldisc_receive, + .write_wakeup = serport_ldisc_write_wakeup + }; +diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c +index aa142f9..4878d91 100644 +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -1565,6 +1565,7 @@ static int crypt_ctr(struct dm_target *ti, unsigned int argc, char **argv) + unsigned int key_size, opt_params; + unsigned long long tmpll; + int ret; ++ size_t iv_size_padding; + struct dm_arg_set as; + const char *opt_string; + +@@ -1600,12 +1601,23 @@ static int crypt_ctr(struct dm_target *ti, unsigned int argc, char **argv) + + cc->dmreq_start = sizeof(struct ablkcipher_request); + cc->dmreq_start += crypto_ablkcipher_reqsize(any_tfm(cc)); +- cc->dmreq_start = ALIGN(cc->dmreq_start, crypto_tfm_ctx_alignment()); +- cc->dmreq_start += crypto_ablkcipher_alignmask(any_tfm(cc)) & +- ~(crypto_tfm_ctx_alignment() - 1); ++ cc->dmreq_start = ALIGN(cc->dmreq_start, __alignof__(struct dm_crypt_request)); ++ ++ if (crypto_ablkcipher_alignmask(any_tfm(cc)) < CRYPTO_MINALIGN) { ++ /* Allocate the padding exactly */ ++ iv_size_padding = -(cc->dmreq_start + sizeof(struct dm_crypt_request)) ++ & crypto_ablkcipher_alignmask(any_tfm(cc)); ++ } else { ++ /* ++ * If the cipher requires greater alignment than kmalloc ++ * alignment, we don't know the exact position of the ++ * initialization vector. We must assume worst case. 
++ */ ++ iv_size_padding = crypto_ablkcipher_alignmask(any_tfm(cc)); ++ } + + cc->req_pool = mempool_create_kmalloc_pool(MIN_IOS, cc->dmreq_start + +- sizeof(struct dm_crypt_request) + cc->iv_size); ++ sizeof(struct dm_crypt_request) + iv_size_padding + cc->iv_size); + if (!cc->req_pool) { + ti->error = "Cannot allocate crypt request mempool"; + goto bad; +diff --git a/drivers/net/can/at91_can.c b/drivers/net/can/at91_can.c +index 044ea06..ab411c3 100644 +--- a/drivers/net/can/at91_can.c ++++ b/drivers/net/can/at91_can.c +@@ -1115,7 +1115,9 @@ static int at91_open(struct net_device *dev) + struct at91_priv *priv = netdev_priv(dev); + int err; + +- clk_enable(priv->clk); ++ err = clk_prepare_enable(priv->clk); ++ if (err) ++ return err; + + /* check or determine and set bittime */ + err = open_candev(dev); +@@ -1139,7 +1141,7 @@ static int at91_open(struct net_device *dev) + out_close: + close_candev(dev); + out: +- clk_disable(priv->clk); ++ clk_disable_unprepare(priv->clk); + + return err; + } +@@ -1156,7 +1158,7 @@ static int at91_close(struct net_device *dev) + at91_chip_stop(dev, CAN_STATE_STOPPED); + + free_irq(dev->irq, dev); +- clk_disable(priv->clk); ++ clk_disable_unprepare(priv->clk); + + close_candev(dev); + +diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c +index 7c6bb5a..b1f354f 100644 +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -120,7 +120,9 @@ + (FLEXCAN_ESR_ERR_BUS | FLEXCAN_ESR_ERR_STATE) + + /* FLEXCAN interrupt flag register (IFLAG) bits */ +-#define FLEXCAN_TX_BUF_ID 8 ++/* Errata ERR005829 step7: Reserve first valid MB */ ++#define FLEXCAN_TX_BUF_RESERVED 8 ++#define FLEXCAN_TX_BUF_ID 9 + #define FLEXCAN_IFLAG_BUF(x) BIT(x) + #define FLEXCAN_IFLAG_RX_FIFO_OVERFLOW BIT(7) + #define FLEXCAN_IFLAG_RX_FIFO_WARN BIT(6) +@@ -131,6 +133,17 @@ + + /* FLEXCAN message buffers */ + #define FLEXCAN_MB_CNT_CODE(x) (((x) & 0xf) << 24) ++#define FLEXCAN_MB_CODE_RX_INACTIVE (0x0 << 24) ++#define 
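Review bot: The exact-padding branch in crypt_ctr computes `-(cc->dmreq_start + sizeof(struct dm_crypt_request)) & crypto_ablkcipher_alignmask(any_tfm(cc))`, which relies on unsigned wraparound and on unary minus binding tighter than `&`, and the comment "Allocate the padding exactly" does not explain either. I would add something like `/* bytes needed to round the end of dm_crypt_request up to the cipher's alignment */`. The new mempool element size is only correct if the code that locates the IV inside a request applies the same alignment rule. That code is outside this hunk, so a comment cross-referencing the two places would guard against them diverging. crypt_ctr starts and ends outside the hunk.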
FLEXCAN_MB_CODE_RX_EMPTY (0x4 << 24) ++#define FLEXCAN_MB_CODE_RX_FULL (0x2 << 24) ++#define FLEXCAN_MB_CODE_RX_OVERRRUN (0x6 << 24) ++#define FLEXCAN_MB_CODE_RX_RANSWER (0xa << 24) ++ ++#define FLEXCAN_MB_CODE_TX_INACTIVE (0x8 << 24) ++#define FLEXCAN_MB_CODE_TX_ABORT (0x9 << 24) ++#define FLEXCAN_MB_CODE_TX_DATA (0xc << 24) ++#define FLEXCAN_MB_CODE_TX_TANSWER (0xe << 24) ++ + #define FLEXCAN_MB_CNT_SRR BIT(22) + #define FLEXCAN_MB_CNT_IDE BIT(21) + #define FLEXCAN_MB_CNT_RTR BIT(20) +@@ -302,6 +315,14 @@ static int flexcan_start_xmit(struct sk_buff *skb, struct net_device *dev) + flexcan_write(can_id, ®s->cantxfg[FLEXCAN_TX_BUF_ID].can_id); + flexcan_write(ctrl, ®s->cantxfg[FLEXCAN_TX_BUF_ID].can_ctrl); + ++ /* Errata ERR005829 step8: ++ * Write twice INACTIVE(0x8) code to first MB. ++ */ ++ flexcan_write(FLEXCAN_MB_CODE_TX_INACTIVE, ++ ®s->cantxfg[FLEXCAN_TX_BUF_RESERVED].can_ctrl); ++ flexcan_write(FLEXCAN_MB_CODE_TX_INACTIVE, ++ ®s->cantxfg[FLEXCAN_TX_BUF_RESERVED].can_ctrl); ++ + kfree_skb(skb); + + /* tx_packets is incremented in flexcan_irq */ +@@ -611,6 +632,9 @@ static irqreturn_t flexcan_irq(int irq, void *dev_id) + if (reg_iflag1 & (1 << FLEXCAN_TX_BUF_ID)) { + /* tx_bytes is incremented in flexcan_start_xmit */ + stats->tx_packets++; ++ /* after sending a RTR frame mailbox is in RX mode */ ++ flexcan_write(FLEXCAN_MB_CODE_TX_INACTIVE, ++ ®s->cantxfg[FLEXCAN_TX_BUF_ID].can_ctrl); + flexcan_write((1 << FLEXCAN_TX_BUF_ID), ®s->iflag1); + netif_wake_queue(dev); + } +@@ -668,6 +692,7 @@ static int flexcan_chip_start(struct net_device *dev) + struct flexcan_regs __iomem *regs = priv->base; + int err; + u32 reg_mcr, reg_ctrl; ++ int i; + + /* enable module */ + flexcan_chip_enable(priv); +@@ -733,8 +758,18 @@ static int flexcan_chip_start(struct net_device *dev) + dev_dbg(dev->dev.parent, "%s: writing ctrl=0x%08x", __func__, reg_ctrl); + flexcan_write(reg_ctrl, ®s->ctrl); + +- /* Abort any pending TX, mark Mailbox as INACTIVE */ +- 
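Review bot: The new mailbox code `FLEXCAN_MB_CODE_RX_OVERRRUN` is misspelled with three R's and should be `FLEXCAN_MB_CODE_RX_OVERRUN`. None of the visible hunks reference it yet, so the rename costs nothing now and avoids the typo spreading once callers appear. `FLEXCAN_MB_CODE_RX_RANSWER` and `FLEXCAN_MB_CODE_TX_TANSWER` would also read better with a short trailing comment stating what each code means.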
flexcan_write(FLEXCAN_MB_CNT_CODE(0x4), ++ /* clear and invalidate all mailboxes first */ ++ for (i = FLEXCAN_TX_BUF_ID; i < ARRAY_SIZE(regs->cantxfg); i++) { ++ flexcan_write(FLEXCAN_MB_CODE_RX_INACTIVE, ++ ®s->cantxfg[i].can_ctrl); ++ } ++ ++ /* Errata ERR005829: mark first TX mailbox as INACTIVE */ ++ flexcan_write(FLEXCAN_MB_CODE_TX_INACTIVE, ++ ®s->cantxfg[FLEXCAN_TX_BUF_RESERVED].can_ctrl); ++ ++ /* mark TX mailbox as INACTIVE */ ++ flexcan_write(FLEXCAN_MB_CODE_TX_INACTIVE, + ®s->cantxfg[FLEXCAN_TX_BUF_ID].can_ctrl); + + /* acceptance mask/acceptance code (accept everything) */ +diff --git a/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c b/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c +index d696536..d552fa3 100644 +--- a/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c ++++ b/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c +@@ -440,6 +440,14 @@ int iwlagn_commit_rxon(struct iwl_priv *priv, struct iwl_rxon_context *ctx) + /* always get timestamp with Rx frame */ + ctx->staging.flags |= RXON_FLG_TSF2HOST_MSK; + ++ /* ++ * force CTS-to-self frames protection if RTS-CTS is not preferred ++ * one aggregation protection method ++ */ ++ if (!(priv->cfg->ht_params && ++ priv->cfg->ht_params->use_rts_for_aggregation)) ++ ctx->staging.flags |= RXON_FLG_SELF_CTS_EN; ++ + if ((ctx->vif && ctx->vif->bss_conf.use_short_slot) || + !(ctx->staging.flags & RXON_FLG_BAND_24G_MSK)) + ctx->staging.flags |= RXON_FLG_SHORT_SLOT_MSK; +@@ -872,6 +880,11 @@ void iwlagn_bss_info_changed(struct ieee80211_hw *hw, + else + ctx->staging.flags &= ~RXON_FLG_TGG_PROTECT_MSK; + ++ if (bss_conf->use_cts_prot) ++ ctx->staging.flags |= RXON_FLG_SELF_CTS_EN; ++ else ++ ctx->staging.flags &= ~RXON_FLG_SELF_CTS_EN; ++ + memcpy(ctx->staging.bssid_addr, bss_conf->bssid, ETH_ALEN); + + if (vif->type == NL80211_IFTYPE_AP || +diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c +index c184253..1644b1f 100644 +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c ++++ 
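Review bot: The comment `/* clear and invalidate all mailboxes first */` in flexcan_chip_start does not match the loop under it, which starts at `FLEXCAN_TX_BUF_ID` and so leaves every lower-indexed `cantxfg` entry untouched. If the lower entries are skipped on purpose, the comment should say so, for example `/* clear and invalidate mailboxes from FLEXCAN_TX_BUF_ID upwards */` plus the reason. The loop also writes `FLEXCAN_MB_CODE_RX_INACTIVE` to the TX mailbox, which is overwritten with `FLEXCAN_MB_CODE_TX_INACTIVE` a few lines later. That is harmless but worth noting so nobody "fixes" the ordering. The function starts and ends outside the hunk.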
b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c +@@ -316,6 +316,7 @@ static struct usb_device_id rtl8192c_usb_ids[] = { + {RTL_USB_DEVICE(0x0bda, 0x5088, rtl92cu_hal_cfg)}, /*Thinkware-CC&C*/ + {RTL_USB_DEVICE(0x0df6, 0x0052, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/ + {RTL_USB_DEVICE(0x0df6, 0x005c, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/ ++ {RTL_USB_DEVICE(0x0df6, 0x0070, rtl92cu_hal_cfg)}, /*Sitecom - 150N */ + {RTL_USB_DEVICE(0x0df6, 0x0077, rtl92cu_hal_cfg)}, /*Sitecom-WLA2100V2*/ + {RTL_USB_DEVICE(0x0eb0, 0x9071, rtl92cu_hal_cfg)}, /*NO Brand - Etop*/ + {RTL_USB_DEVICE(0x4856, 0x0091, rtl92cu_hal_cfg)}, /*NetweeN - Feixun*/ +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c +index 143bbe4..2794a30 100644 +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -718,11 +718,21 @@ __iscsi_conn_send_pdu(struct iscsi_conn *conn, struct iscsi_hdr *hdr, + return NULL; + } + ++ if (data_size > ISCSI_DEF_MAX_RECV_SEG_LEN) { ++ iscsi_conn_printk(KERN_ERR, conn, "Invalid buffer len of %u for login task. 
Max len is %u\n", data_size, ISCSI_DEF_MAX_RECV_SEG_LEN); ++ return NULL; ++ } ++ + task = conn->login_task; + } else { + if (session->state != ISCSI_STATE_LOGGED_IN) + return NULL; + ++ if (data_size != 0) { ++ iscsi_conn_printk(KERN_ERR, conn, "Can not send data buffer of len %u for op 0x%x\n", data_size, opcode); ++ return NULL; ++ } ++ + BUG_ON(conn->c_stage == ISCSI_CONN_INITIAL_STAGE); + BUG_ON(conn->c_stage == ISCSI_CONN_STOPPED); + +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c +index ab5dd16..ae4e7da 100644 +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -4306,6 +4306,7 @@ static void iscsit_logout_post_handler_diffcid( + { + struct iscsi_conn *l_conn; + struct iscsi_session *sess = conn->sess; ++ bool conn_found = false; + + if (!sess) + return; +@@ -4314,12 +4315,13 @@ static void iscsit_logout_post_handler_diffcid( + list_for_each_entry(l_conn, &sess->sess_conn_list, conn_list) { + if (l_conn->cid == cid) { + iscsit_inc_conn_usage_count(l_conn); ++ conn_found = true; + break; + } + } + spin_unlock_bh(&sess->conn_lock); + +- if (!l_conn) ++ if (!conn_found) + return; + + if (l_conn->sock) +diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c +index db313ba..e5f5bff 100644 +--- a/drivers/target/iscsi/iscsi_target_parameters.c ++++ b/drivers/target/iscsi/iscsi_target_parameters.c +@@ -552,7 +552,7 @@ int iscsi_copy_param_list( + param_list = kzalloc(sizeof(struct iscsi_param_list), GFP_KERNEL); + if (!param_list) { + pr_err("Unable to allocate memory for struct iscsi_param_list.\n"); +- goto err_out; ++ return -1; + } + INIT_LIST_HEAD(¶m_list->param_list); + INIT_LIST_HEAD(¶m_list->extra_response_list); +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index f08732b..10aec1a 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -3651,9 +3651,10 @@ static void hub_events(void) + + hub = 
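Review bot: The login-path check in __iscsi_conn_send_pdu bounds `data_size` by `ISCSI_DEF_MAX_RECV_SEG_LEN`, but the size the login task's data buffer is actually allocated with is not visible in this hunk, so the guard is only as good as that pairing. A comment naming the allocation site and stating that the buffer is `ISCSI_DEF_MAX_RECV_SEG_LEN` bytes (once confirmed) would keep the bound and the allocation from diverging. Both new `iscsi_conn_printk(KERN_ERR, ...)` calls fire on a caller-supplied length. If this path can be driven repeatedly from outside the kernel, the messages should be rate-limited so they cannot flood the log. The function starts and ends outside the hunk.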
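Review bot: The allocation-failure path in iscsi_copy_param_list now returns a bare `-1`; `return -ENOMEM;` would tell callers what actually failed and follows the usual kernel convention. That change is only safe if callers test for a negative value rather than comparing against -1, which cannot be confirmed from this hunk. The function body continues outside the hunk.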
list_entry(tmp, struct usb_hub, event_list); + kref_get(&hub->kref); ++ hdev = hub->hdev; ++ usb_get_dev(hdev); + spin_unlock_irq(&hub_event_lock); + +- hdev = hub->hdev; + hub_dev = hub->intfdev; + intf = to_usb_interface(hub_dev); + dev_dbg(hub_dev, "state %d ports %d chg %04x evt %04x\n", +@@ -3888,6 +3889,7 @@ static void hub_events(void) + usb_autopm_put_interface(intf); + loop_disconnected: + usb_unlock_device(hdev); ++ usb_put_dev(hdev); + kref_put(&hub->kref, hub_release); + + } /* end while (1) */ +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index 600d823..3d9b57e 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -427,9 +427,6 @@ static int __devexit dwc3_remove(struct platform_device *pdev) + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + +- pm_runtime_put(&pdev->dev); +- pm_runtime_disable(&pdev->dev); +- + dwc3_debugfs_exit(dwc); + + if (features & DWC3_HAS_PERIPHERAL) +@@ -440,6 +437,9 @@ static int __devexit dwc3_remove(struct platform_device *pdev) + iounmap(dwc->regs); + kfree(dwc->mem); + ++ pm_runtime_put_sync(&pdev->dev); ++ pm_runtime_disable(&pdev->dev); ++ + return 0; + } + +diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c +index 517cadb..a3b569f 100644 +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -440,7 +440,8 @@ void xhci_test_and_clear_bit(struct xhci_hcd *xhci, __le32 __iomem **port_array, + } + + /* Updates Link Status for super Speed port */ +-static void xhci_hub_report_link_state(u32 *status, u32 status_reg) ++static void xhci_hub_report_link_state(struct xhci_hcd *xhci, ++ u32 *status, u32 status_reg) + { + u32 pls = status_reg & PORT_PLS_MASK; + +@@ -479,7 +480,8 @@ static void xhci_hub_report_link_state(u32 *status, u32 status_reg) + * in which sometimes the port enters compliance mode + * caused by a delay on the host-device negotiation. 
+ */ +- if (pls == USB_SS_PORT_LS_COMP_MOD) ++ if ((xhci->quirks & XHCI_COMP_MODE_QUIRK) && ++ (pls == USB_SS_PORT_LS_COMP_MOD)) + pls |= USB_PORT_STAT_CONNECTION; + } + +@@ -655,7 +657,7 @@ int xhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, + } + /* Update Port Link State for super speed ports*/ + if (hcd->speed == HCD_USB3) { +- xhci_hub_report_link_state(&status, temp); ++ xhci_hub_report_link_state(xhci, &status, temp); + /* + * Verify if all USB3 Ports Have entered U0 already. + * Delete Compliance Mode Timer if so. +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index 74922b9..0f4a41d 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -1723,7 +1723,7 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci) + } + + num_ports = HCS_MAX_PORTS(xhci->hcs_params1); +- for (i = 0; i < num_ports; i++) { ++ for (i = 0; i < num_ports && xhci->rh_bw; i++) { + struct xhci_interval_bw_table *bwt = &xhci->rh_bw[i].bw_table; + for (j = 0; j < XHCI_MAX_INTERVAL; j++) { + struct list_head *ep = &bwt->interval_bw[j].endpoints; +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 0d34f85..8fe5c13 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -752,6 +752,7 @@ static struct usb_device_id id_table_combined [] = { + { USB_DEVICE(FTDI_VID, FTDI_NDI_AURORA_SCU_PID), + .driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk }, + { USB_DEVICE(TELLDUS_VID, TELLDUS_TELLSTICK_PID) }, ++ { USB_DEVICE(NOVITUS_VID, NOVITUS_BONO_E_PID) }, + { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_S03_PID) }, + { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_59_PID) }, + { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_57A_PID) }, +@@ -961,6 +962,8 @@ static struct usb_device_id id_table_combined [] = { + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_842_4_PID) }, + /* ekey Devices */ + { USB_DEVICE(FTDI_VID, FTDI_EKEY_CONV_USB_PID) }, ++ /* GE Healthcare devices */ ++ { 
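Review bot: In xhci_mem_cleanup the NULL test on `xhci->rh_bw` has been folded into the loop condition, `i < num_ports && xhci->rh_bw`, so it is re-evaluated for every port even though nothing visible in the loop changes it. Guarding the whole loop with a single `if (xhci->rh_bw)` before the `for` states the intent more clearly and makes it obvious the loop is skipped entirely when the table was never allocated. The loop body continues outside the hunk, so this assumes it does not reassign `rh_bw`.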
USB_DEVICE(GE_HEALTHCARE_VID, GE_HEALTHCARE_NEMO_TRACKER_PID) }, + { }, /* Optional parameter entry */ + { } /* Terminating entry */ + }; +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index cbcb1e6..bd509de 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -831,6 +831,12 @@ + #define TELLDUS_TELLSTICK_PID 0x0C30 /* RF control dongle 433 MHz using FT232RL */ + + /* ++ * NOVITUS printers ++ */ ++#define NOVITUS_VID 0x1a28 ++#define NOVITUS_BONO_E_PID 0x6010 ++ ++/* + * RT Systems programming cables for various ham radios + */ + #define RTSYSTEMS_VID 0x2100 /* Vendor ID */ +@@ -1379,3 +1385,9 @@ + * ekey biometric systems GmbH (http://ekey.net/) + */ + #define FTDI_EKEY_CONV_USB_PID 0xCB08 /* Converter USB */ ++ ++/* ++ * GE Healthcare devices ++ */ ++#define GE_HEALTHCARE_VID 0x1901 ++#define GE_HEALTHCARE_NEMO_TRACKER_PID 0x0015 +diff --git a/drivers/usb/serial/sierra.c b/drivers/usb/serial/sierra.c +index 0d26ab6..db9e54a 100644 +--- a/drivers/usb/serial/sierra.c ++++ b/drivers/usb/serial/sierra.c +@@ -296,14 +296,19 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x1199, 0x68A2), /* Sierra Wireless MC77xx in QMI mode */ + .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist + }, +- { USB_DEVICE(0x1199, 0x68A3), /* Sierra Wireless Direct IP modems */ ++ /* Sierra Wireless Direct IP modems */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x1199, 0x68A3, 0xFF, 0xFF, 0xFF), ++ .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist ++ }, ++ { USB_DEVICE_AND_INTERFACE_INFO(0x1199, 0x68AA, 0xFF, 0xFF, 0xFF), + .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist + }, + /* AT&T Direct IP LTE modems */ + { USB_DEVICE_AND_INTERFACE_INFO(0x0F3D, 0x68AA, 0xFF, 0xFF, 0xFF), + .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist + }, +- { USB_DEVICE(0x0f3d, 0x68A3), /* Airprime/Sierra Wireless Direct IP modems */ ++ /* Airprime/Sierra Wireless Direct IP 
modems */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x0F3D, 0x68A3, 0xFF, 0xFF, 0xFF), + .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist + }, + +diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h +index e588a11..a6c4c7d 100644 +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -93,6 +93,12 @@ UNUSUAL_DEV( 0x03f0, 0x4002, 0x0001, 0x0001, + "PhotoSmart R707", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, US_FL_FIX_CAPACITY), + ++UNUSUAL_DEV( 0x03f3, 0x0001, 0x0000, 0x9999, ++ "Adaptec", ++ "USBConnect 2000", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init, ++ US_FL_SCM_MULT_TARG ), ++ + /* Reported by Sebastian Kapfer <sebastian_kapfer@gmx.net> + * and Olaf Hering <olh@suse.de> (different bcd's, same vendor/product) + * for USB floppies that need the SINGLE_LUN enforcement. +@@ -733,6 +739,12 @@ UNUSUAL_DEV( 0x059b, 0x0001, 0x0100, 0x0100, + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_SINGLE_LUN ), + ++UNUSUAL_DEV( 0x059b, 0x0040, 0x0100, 0x0100, ++ "Iomega", ++ "Jaz USB Adapter", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_SINGLE_LUN ), ++ + /* Reported by <Hendryk.Pfeiffer@gmx.de> */ + UNUSUAL_DEV( 0x059f, 0x0643, 0x0000, 0x0000, + "LaCie", +@@ -1105,6 +1117,18 @@ UNUSUAL_DEV( 0x0851, 0x1543, 0x0200, 0x0200, + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_NOT_LOCKABLE), + ++UNUSUAL_DEV( 0x085a, 0x0026, 0x0100, 0x0133, ++ "Xircom", ++ "PortGear USB-SCSI (Mac USB Dock)", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init, ++ US_FL_SCM_MULT_TARG ), ++ ++UNUSUAL_DEV( 0x085a, 0x0028, 0x0100, 0x0133, ++ "Xircom", ++ "PortGear USB to SCSI Converter", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init, ++ US_FL_SCM_MULT_TARG ), ++ + /* Submitted by Jan De Luyck <lkml@kcore.org> */ + UNUSUAL_DEV( 0x08bd, 0x1100, 0x0000, 0x0000, + "CITIZEN", +@@ -1932,6 +1956,14 @@ UNUSUAL_DEV( 0x152d, 0x2329, 0x0100, 0x0100, + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_IGNORE_RESIDUE | US_FL_SANE_SENSE ), + 
++/* Entrega Technologies U1-SC25 (later Xircom PortGear PGSCSI) ++ * and Mac USB Dock USB-SCSI */ ++UNUSUAL_DEV( 0x1645, 0x0007, 0x0100, 0x0133, ++ "Entrega Technologies", ++ "USB to SCSI Converter", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init, ++ US_FL_SCM_MULT_TARG ), ++ + /* Reported by Robert Schedel <r.schedel@yahoo.de> + * Note: this is a 'super top' device like the above 14cd/6600 device */ + UNUSUAL_DEV( 0x1652, 0x6600, 0x0201, 0x0201, +@@ -1947,6 +1979,12 @@ UNUSUAL_DEV( 0x177f, 0x0400, 0x0000, 0x0000, + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_BULK_IGNORE_TAG | US_FL_MAX_SECTORS_64 ), + ++UNUSUAL_DEV( 0x1822, 0x0001, 0x0000, 0x9999, ++ "Ariston Technologies", ++ "iConnect USB to SCSI adapter", ++ USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init, ++ US_FL_SCM_MULT_TARG ), ++ + /* Reported by Hans de Goede <hdegoede@redhat.com> + * These Appotech controllers are found in Picture Frames, they provide a + * (buggy) emulation of a cdrom drive which contains the windows software +diff --git a/drivers/uwb/lc-dev.c b/drivers/uwb/lc-dev.c +index 5241f1d..3c9e929 100644 +--- a/drivers/uwb/lc-dev.c ++++ b/drivers/uwb/lc-dev.c +@@ -441,16 +441,19 @@ void uwbd_dev_onair(struct uwb_rc *rc, struct uwb_beca_e *bce) + uwb_dev->mac_addr = *bce->mac_addr; + uwb_dev->dev_addr = bce->dev_addr; + dev_set_name(&uwb_dev->dev, macbuf); ++ ++ /* plug the beacon cache */ ++ bce->uwb_dev = uwb_dev; ++ uwb_dev->bce = bce; ++ uwb_bce_get(bce); /* released in uwb_dev_sys_release() */ ++ + result = uwb_dev_add(uwb_dev, &rc->uwb_dev.dev, rc); + if (result < 0) { + dev_err(dev, "new device %s: cannot instantiate device\n", + macbuf); + goto error_dev_add; + } +- /* plug the beacon cache */ +- bce->uwb_dev = uwb_dev; +- uwb_dev->bce = bce; +- uwb_bce_get(bce); /* released in uwb_dev_sys_release() */ ++ + dev_info(dev, "uwb device (mac %s dev %s) connected to %s %s\n", + macbuf, devbuf, rc->uwb_dev.dev.parent->bus->name, + dev_name(rc->uwb_dev.dev.parent)); +@@ -458,6 +461,8 
@@ void uwbd_dev_onair(struct uwb_rc *rc, struct uwb_beca_e *bce)
+ return;
+
+ error_dev_add:
++ bce->uwb_dev = NULL;
++ uwb_bce_put(bce);
+ kfree(uwb_dev);
+ return;
+ }
+diff --git a/drivers/xen/manage.c b/drivers/xen/manage.c
+index c8af7e5..6548417 100644
+--- a/drivers/xen/manage.c
++++ b/drivers/xen/manage.c
+@@ -108,16 +108,11 @@ static void do_suspend(void)
+
+ shutting_down = SHUTDOWN_SUSPEND;
+
+-#ifdef CONFIG_PREEMPT
+- /* If the kernel is preemptible, we need to freeze all the processes
+- to prevent them from being in the middle of a pagetable update
+- during suspend. */
+ err = freeze_processes();
+ if (err) {
+ printk(KERN_ERR "xen suspend: freeze failed %d\n", err);
+ goto out;
+ }
+-#endif
+
+ err = dpm_suspend_start(PMSG_FREEZE);
+ if (err) {
+@@ -172,10 +167,8 @@ out_resume:
+ clock_was_set();
+
+ out_thaw:
+-#ifdef CONFIG_PREEMPT
+ thaw_processes();
+ out:
+-#endif
+ shutting_down = SHUTDOWN_INVALID;
+ }
+ #endif /* CONFIG_HIBERNATE_CALLBACKS */
+diff --git a/fs/aio.c b/fs/aio.c
+index 8cdd8ea..9acfd07 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1102,6 +1102,13 @@ static int aio_read_evt(struct kioctx *ioctx, struct io_event *ent)
+ head = ring->head % info->nr;
+ if (head != ring->tail) {
+ struct io_event *evp = aio_ring_event(info, head, KM_USER1);
++
++ /*
++ * Ensure that once we've read the current tail pointer, that
++ * we also see the events that were stored up to the tail.
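Review bot: The comment kept on `uwb_bce_get(bce)` in uwbd_dev_onair() (drivers/uwb/lc-dev.c) still says the reference is released in uwb_dev_sys_release(), but the new error_dev_add path now drops it with `uwb_bce_put(bce)` as well. I would reword it to `/* released in uwb_dev_sys_release(), or at error_dev_add if uwb_dev_add() fails */` so both release sites are documented together. Whether uwb_dev_sys_release() can also run after a failed uwb_dev_add() is not visible here; if it can, the explicit put followed by `kfree(uwb_dev)` needs rechecking against a double release. The function body starts outside both hunks.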
++ */
++ smp_rmb();
++
+ *ent = *evp;
+ head = (head + 1) % info->nr;
+ smp_mb(); /* finish reading the event before updatng the head */
+diff --git a/fs/buffer.c b/fs/buffer.c
+index 5f4bde2..59496e7 100644
+--- a/fs/buffer.c
++++ b/fs/buffer.c
+@@ -1021,7 +1021,8 @@ grow_dev_page(struct block_device *bdev, sector_t block,
+ bh = page_buffers(page);
+ if (bh->b_size == size) {
+ end_block = init_page_buffers(page, bdev,
+- index << sizebits, size);
++ (sector_t)index << sizebits,
++ size);
+ goto done;
+ }
+ if (!try_to_free_buffers(page))
+@@ -1042,7 +1043,8 @@ grow_dev_page(struct block_device *bdev, sector_t block,
+ */
+ spin_lock(&inode->i_mapping->private_lock);
+ link_dev_buffers(page, bh);
+- end_block = init_page_buffers(page, bdev, index << sizebits, size);
++ end_block = init_page_buffers(page, bdev, (sector_t)index << sizebits,
++ size);
+ spin_unlock(&inode->i_mapping->private_lock);
+ done:
+ ret = (block < end_block) ? 1 : -ENXIO;
+diff --git a/fs/ext2/inode.c b/fs/ext2/inode.c
+index 91a6945..5a45b8f 100644
+--- a/fs/ext2/inode.c
++++ b/fs/ext2/inode.c
+@@ -619,6 +619,8 @@ static int ext2_get_blocks(struct inode *inode,
+ int count = 0;
+ ext2_fsblk_t first_block = 0;
+
++ BUG_ON(maxblocks == 0);
++
+ depth = ext2_block_to_path(inode,iblock,offsets,&blocks_to_boundary);
+
+ if (depth == 0)
+diff --git a/fs/ext2/xip.c b/fs/ext2/xip.c
+index 322a56b..af014bb 100644
+--- a/fs/ext2/xip.c
++++ b/fs/ext2/xip.c
+@@ -37,6 +37,7 @@ __ext2_get_block(struct inode *inode, pgoff_t pgoff, int create,
+ int rc;
+
+ memset(&tmp, 0, sizeof(struct buffer_head));
++ tmp.b_size = 1 << inode->i_blkbits;
+ rc = ext2_get_block(inode, pgoff, &tmp, create);
+ *result = tmp.b_blocknr;
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index 818b43e..5baa7ba 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -1312,6 +1312,8 @@ static void mb_free_blocks(struct inode *inode, struct ext4_buddy *e4b,
+ void *buddy2;
+ struct super_block *sb = e4b->bd_sb;
+
++ if
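Review bot: `BUG_ON(maxblocks == 0)` in ext2_get_blocks() (fs/ext2/inode.c) turns a zero-length request from any caller into a kernel halt, while the fs/ext4/mballoc.c hunk in this same patch handles the equivalent condition in mb_free_blocks() with `if (WARN_ON(count == 0)) return;`. Since ext2_get_blocks() returns int, a recoverable form such as `if (WARN_ON_ONCE(maxblocks == 0)) return -EINVAL;` would keep the diagnostic without taking the machine down; the right error value depends on the callers, which are outside the hunk. The fs/ext2/xip.c hunk sets `tmp.b_size` before calling ext2_get_block(), presumably so the block count derived from it is non-zero, which suggests the remaining callers are worth auditing for the same zero size.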
(WARN_ON(count == 0))
++ return;
+ BUG_ON(first + count > (sb->s_blocksize << 3));
+ assert_spin_locked(ext4_group_lock_ptr(sb, e4b->bd_group));
+ mb_check_buddy(e4b);
+@@ -3132,6 +3134,8 @@ static void ext4_discard_allocated_blocks(struct ext4_allocation_context *ac)
+ int err;
+
+ if (pa == NULL) {
++ if (ac->ac_f_ex.fe_len == 0)
++ return;
+ err = ext4_mb_load_buddy(ac->ac_sb, ac->ac_f_ex.fe_group, &e4b);
+ if (err) {
+ /*
+@@ -3146,6 +3150,7 @@ static void ext4_discard_allocated_blocks(struct ext4_allocation_context *ac)
+ mb_free_blocks(ac->ac_inode, &e4b, ac->ac_f_ex.fe_start,
+ ac->ac_f_ex.fe_len);
+ ext4_unlock_group(ac->ac_sb, ac->ac_f_ex.fe_group);
++ ext4_mb_unload_buddy(&e4b);
+ return;
+ }
+ if (pa->pa_type == MB_INODE_PA)
+diff --git a/fs/namei.c b/fs/namei.c
+index 9680cef..dea2dab 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -554,24 +554,22 @@ static int complete_walk(struct nameidata *nd)
+
+ static __always_inline void set_root(struct nameidata *nd)
+ {
+- if (!nd->root.mnt)
+- get_fs_root(current->fs, &nd->root);
++ get_fs_root(current->fs, &nd->root);
+ }
+
+ static int link_path_walk(const char *, struct nameidata *);
+
+-static __always_inline void set_root_rcu(struct nameidata *nd)
++static __always_inline unsigned set_root_rcu(struct nameidata *nd)
+ {
+- if (!nd->root.mnt) {
+- struct fs_struct *fs = current->fs;
+- unsigned seq;
++ struct fs_struct *fs = current->fs;
++ unsigned seq, res;
+
+- do {
+- seq = read_seqcount_begin(&fs->seq);
+- nd->root = fs->root;
+- nd->seq = __read_seqcount_begin(&nd->root.dentry->d_seq);
+- } while (read_seqcount_retry(&fs->seq, seq));
+- }
++ do {
++ seq = read_seqcount_begin(&fs->seq);
++ nd->root = fs->root;
++ res = __read_seqcount_begin(&nd->root.dentry->d_seq);
++ } while (read_seqcount_retry(&fs->seq, seq));
++ return res;
+ }
+
+ static __always_inline int __vfs_follow_link(struct nameidata *nd, const char *link)
+@@ -582,7 +580,8 @@ static __always_inline int __vfs_follow_link(struct nameidata
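Review bot: set_root() and set_root_rcu() in fs/namei.c no longer test `nd->root.mnt` themselves, so every caller now has to, and nothing on the helpers says so. A one-line comment above each, e.g. `/* caller must check !nd->root.mnt first unless nd->root is meant to be overwritten */`, would make the new contract explicit. set_root_rcu() also now returns the d_seq snapshot instead of storing it in nd->seq; the follow_dotdot_rcu() hunk calls it and discards the result, which looks intentional (presumably nd->seq there tracks the current path dentry rather than the root) but deserves a short comment at that call.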
*nd, const char *l
+ goto fail;
+
+ if (*link == '/') {
+- set_root(nd);
++ if (!nd->root.mnt)
++ set_root(nd);
+ path_put(&nd->path);
+ nd->path = nd->root;
+ path_get(&nd->root);
+@@ -912,22 +911,11 @@ static bool __follow_mount_rcu(struct nameidata *nd, struct path *path,
+ return true;
+ }
+
+-static void follow_mount_rcu(struct nameidata *nd)
+-{
+- while (d_mountpoint(nd->path.dentry)) {
+- struct vfsmount *mounted;
+- mounted = __lookup_mnt(nd->path.mnt, nd->path.dentry, 1);
+- if (!mounted)
+- break;
+- nd->path.mnt = mounted;
+- nd->path.dentry = mounted->mnt_root;
+- nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq);
+- }
+-}
+-
+ static int follow_dotdot_rcu(struct nameidata *nd)
+ {
+- set_root_rcu(nd);
++ struct inode *inode = nd->inode;
++ if (!nd->root.mnt)
++ set_root_rcu(nd);
+
+ while (1) {
+ if (nd->path.dentry == nd->root.dentry &&
+@@ -939,6 +927,7 @@ static int follow_dotdot_rcu(struct nameidata *nd)
+ struct dentry *parent = old->d_parent;
+ unsigned seq;
+
++ inode = parent->d_inode;
+ seq = read_seqcount_begin(&parent->d_seq);
+ if (read_seqcount_retry(&old->d_seq, nd->seq))
+ goto failed;
+@@ -948,10 +937,20 @@ static int follow_dotdot_rcu(struct nameidata *nd)
+ }
+ if (!follow_up_rcu(&nd->path))
+ break;
++ inode = nd->path.dentry->d_inode;
+ nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq);
+ }
+- follow_mount_rcu(nd);
+- nd->inode = nd->path.dentry->d_inode;
++ while (d_mountpoint(nd->path.dentry)) {
++ struct vfsmount *mounted;
++ mounted = __lookup_mnt(nd->path.mnt, nd->path.dentry, 1);
++ if (!mounted)
++ break;
++ nd->path.mnt = mounted;
++ nd->path.dentry = mounted->mnt_root;
++ inode = nd->path.dentry->d_inode;
++ nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq);
++ }
++ nd->inode = inode;
+ return 0;
+
+ failed:
+@@ -1030,7 +1029,8 @@ static void follow_mount(struct path *path)
+
+ static void follow_dotdot(struct nameidata *nd)
+ {
+- set_root(nd);
++ if (!nd->root.mnt)
++ set_root(nd);
+
+ while(1) {
+ struct
dentry *old = nd->path.dentry;
+@@ -1504,7 +1504,7 @@ static int path_init(int dfd, const char *name, unsigned int flags,
+ if (flags & LOOKUP_RCU) {
+ br_read_lock(vfsmount_lock);
+ rcu_read_lock();
+- set_root_rcu(nd);
++ nd->seq = set_root_rcu(nd);
+ } else {
+ set_root(nd);
+ path_get(&nd->root);
+@@ -1560,7 +1560,14 @@ static int path_init(int dfd, const char *name, unsigned int flags,
+ }
+
+ nd->inode = nd->path.dentry->d_inode;
+- return 0;
++ if (!(flags & LOOKUP_RCU))
++ return 0;
++ if (likely(!read_seqcount_retry(&nd->path.dentry->d_seq, nd->seq)))
++ return 0;
++ if (!(nd->flags & LOOKUP_ROOT))
++ nd->root.mnt = NULL;
++ rcu_read_unlock();
++ return -ECHILD;
+
+ fput_fail:
+ fput_light(file, fput_needed);
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index c4a2a68..61a1303 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -2015,23 +2015,23 @@ static void nfs4_close_prepare(struct rpc_task *task, void *data)
+ is_rdwr = test_bit(NFS_O_RDWR_STATE, &state->flags);
+ is_rdonly = test_bit(NFS_O_RDONLY_STATE, &state->flags);
+ is_wronly = test_bit(NFS_O_WRONLY_STATE, &state->flags);
+- /* Calculate the current open share mode */
+- calldata->arg.fmode = 0;
+- if (is_rdonly || is_rdwr)
+- calldata->arg.fmode |= FMODE_READ;
+- if (is_wronly || is_rdwr)
+- calldata->arg.fmode |= FMODE_WRITE;
+ /* Calculate the change in open mode */
++ calldata->arg.fmode = 0;
+ if (state->n_rdwr == 0) {
+- if (state->n_rdonly == 0) {
+- call_close |= is_rdonly || is_rdwr;
+- calldata->arg.fmode &= ~FMODE_READ;
+- }
+- if (state->n_wronly == 0) {
+- call_close |= is_wronly || is_rdwr;
+- calldata->arg.fmode &= ~FMODE_WRITE;
+- }
+- }
++ if (state->n_rdonly == 0)
++ call_close |= is_rdonly;
++ else if (is_rdonly)
++ calldata->arg.fmode |= FMODE_READ;
++ if (state->n_wronly == 0)
++ call_close |= is_wronly;
++ else if (is_wronly)
++ calldata->arg.fmode |= FMODE_WRITE;
++ } else if (is_rdwr)
++ calldata->arg.fmode |= FMODE_READ|FMODE_WRITE;
++
++ if
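Review bot: The new `-ECHILD` exit at the end of path_init() (fs/namei.c) calls only `rcu_read_unlock()`, while the LOOKUP_RCU branch shown in the preceding path_init hunk enters with `br_read_lock(vfsmount_lock); rcu_read_lock();`. If the other LOOKUP_RCU branches, which lie between the two hunks and are not shown, take the same pair and the caller does not unlock on error, this return leaves vfsmount_lock read-held. Adding `br_read_unlock(vfsmount_lock);` directly after the `rcu_read_unlock();` would balance it; this should be confirmed against the full function in this kernel series before the backport is relied on.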
(calldata->arg.fmode == 0)
++ call_close |= is_rdwr;
++
+ spin_unlock(&state->owner->so_lock);
+
+ if (!call_close) {
+diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
+index 11e1888..e2e7914 100644
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -508,6 +508,9 @@ set_nfsv4_acl_one(struct dentry *dentry, struct posix_acl *pacl, char *key)
+ char *buf = NULL;
+ int error = 0;
+
++ if (!pacl)
++ return vfs_setxattr(dentry, key, NULL, 0, 0);
++
+ buflen = posix_acl_xattr_size(pacl->a_count);
+ buf = kmalloc(buflen, GFP_KERNEL);
+ error = -ENOMEM;
+diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c
+index edeb239..b2d8a96 100644
+--- a/fs/nilfs2/inode.c
++++ b/fs/nilfs2/inode.c
+@@ -24,6 +24,7 @@
+ #include <linux/buffer_head.h>
+ #include <linux/gfp.h>
+ #include <linux/mpage.h>
++#include <linux/pagemap.h>
+ #include <linux/writeback.h>
+ #include <linux/uio.h>
+ #include "nilfs.h"
+@@ -195,10 +196,10 @@ static int nilfs_writepage(struct page *page, struct writeback_control *wbc)
+
+ static int nilfs_set_page_dirty(struct page *page)
+ {
++ struct inode *inode = page->mapping->host;
+ int ret = __set_page_dirty_nobuffers(page);
+
+ if (page_has_buffers(page)) {
+- struct inode *inode = page->mapping->host;
+ unsigned nr_dirty = 0;
+ struct buffer_head *bh, *head;
+
+@@ -221,6 +222,10 @@ static int nilfs_set_page_dirty(struct page *page)
+
+ if (nr_dirty)
+ nilfs_set_file_dirty(inode, nr_dirty);
++ } else if (ret) {
++ unsigned nr_dirty = 1 << (PAGE_CACHE_SHIFT - inode->i_blkbits);
++
++ nilfs_set_file_dirty(inode, nr_dirty);
+ }
+ return ret;
+ }
+diff --git a/fs/ocfs2/dlm/dlmmaster.c b/fs/ocfs2/dlm/dlmmaster.c
+index 005261c..dbc372e 100644
+--- a/fs/ocfs2/dlm/dlmmaster.c
++++ b/fs/ocfs2/dlm/dlmmaster.c
+@@ -653,12 +653,9 @@ void dlm_lockres_clear_refmap_bit(struct dlm_ctxt *dlm,
+ clear_bit(bit, res->refmap);
+ }
+
+-
+-void dlm_lockres_grab_inflight_ref(struct dlm_ctxt *dlm,
++static void __dlm_lockres_grab_inflight_ref(struct dlm_ctxt *dlm,
+ struct dlm_lock_resource
*res)
+ {
+- assert_spin_locked(&res->spinlock);
+-
+ res->inflight_locks++;
+
+ mlog(0, "%s: res %.*s, inflight++: now %u, %ps()\n", dlm->name,
+@@ -666,6 +663,13 @@ void dlm_lockres_grab_inflight_ref(struct dlm_ctxt *dlm,
+ __builtin_return_address(0));
+ }
+
++void dlm_lockres_grab_inflight_ref(struct dlm_ctxt *dlm,
++ struct dlm_lock_resource *res)
++{
++ assert_spin_locked(&res->spinlock);
++ __dlm_lockres_grab_inflight_ref(dlm, res);
++}
++
+ void dlm_lockres_drop_inflight_ref(struct dlm_ctxt *dlm,
+ struct dlm_lock_resource *res)
+ {
+@@ -855,10 +859,8 @@ lookup:
+ /* finally add the lockres to its hash bucket */
+ __dlm_insert_lockres(dlm, res);
+
+- /* Grab inflight ref to pin the resource */
+- spin_lock(&res->spinlock);
+- dlm_lockres_grab_inflight_ref(dlm, res);
+- spin_unlock(&res->spinlock);
++ /* since this lockres is new it doesn't not require the spinlock */
++ __dlm_lockres_grab_inflight_ref(dlm, res);
+
+ /* get an extra ref on the mle in case this is a BLOCK
+ * if so, the creator of the BLOCK may try to put the last
+diff --git a/fs/partitions/check.c b/fs/partitions/check.c
+index 1ef15cc..18c58e5 100644
+--- a/fs/partitions/check.c
++++ b/fs/partitions/check.c
+@@ -361,6 +361,7 @@ static const struct attribute_group *part_attr_groups[] = {
+ static void part_release(struct device *dev)
+ {
+ struct hd_struct *p = dev_to_part(dev);
++ blk_free_devt(dev->devt);
+ free_part_stats(p);
+ free_part_info(p);
+ kfree(p);
+@@ -403,7 +404,6 @@ void delete_partition(struct gendisk *disk, int partno)
+ rcu_assign_pointer(ptbl->last_lookup, NULL);
+ kobject_put(part->holder_dir);
+ device_del(part_to_dev(part));
+- blk_free_devt(part_devt(part));
+
+ hd_struct_put(part);
+ }
+diff --git a/include/linux/alarmtimer.h b/include/linux/alarmtimer.h
+index 975009e..9a9838a 100644
+--- a/include/linux/alarmtimer.h
++++ b/include/linux/alarmtimer.h
+@@ -48,6 +48,7 @@ int alarm_try_to_cancel(struct alarm *alarm);
+ int alarm_cancel(struct alarm *alarm);
+
+ u64
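Review bot: The comment added in the `lookup:` hunk of fs/ocfs2/dlm/dlmmaster.c reads `doesn't not require the spinlock`, a double negative that states the opposite of what is meant. It also justifies skipping `res->spinlock` by the lockres being new, yet the line just above has already inserted it into the hash with `__dlm_insert_lockres()`, so the comment should name the lock that keeps other users away at this point; that lock is not visible in the hunk. Suggested wording: `/* res is new and still covered by <outer lock held here>, so res->spinlock is not needed */`, with the placeholder replaced by the lock actually held. Dropping `assert_spin_locked()` from the `__` helper is only safe while this stays its sole unlocked caller.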
alarm_forward(struct alarm *alarm, ktime_t now, ktime_t interval);
++ktime_t alarm_expires_remaining(const struct alarm *alarm);
+
+ /*
+ * A alarmtimer is active, when it is enqueued into timerqueue or the
+diff --git a/include/linux/ceph/messenger.h b/include/linux/ceph/messenger.h
+index ffbeb2c..5b6efef 100644
+--- a/include/linux/ceph/messenger.h
++++ b/include/linux/ceph/messenger.h
+@@ -92,7 +92,7 @@ struct ceph_msg {
+ bool front_is_vmalloc;
+ bool more_to_follow;
+ bool needs_out_seq;
+- int front_max;
++ int front_alloc_len;
+ unsigned long ack_stamp; /* tx: when we were acked */
+
+ struct ceph_msgpool *pool;
+diff --git a/include/linux/jiffies.h b/include/linux/jiffies.h
+index f5df3dc..f4e8578 100644
+--- a/include/linux/jiffies.h
++++ b/include/linux/jiffies.h
+@@ -259,23 +259,11 @@ extern unsigned long preset_lpj;
+ #define SEC_JIFFIE_SC (32 - SHIFT_HZ)
+ #endif
+ #define NSEC_JIFFIE_SC (SEC_JIFFIE_SC + 29)
+-#define USEC_JIFFIE_SC (SEC_JIFFIE_SC + 19)
+ #define SEC_CONVERSION ((unsigned long)((((u64)NSEC_PER_SEC << SEC_JIFFIE_SC) +\
+ TICK_NSEC -1) / (u64)TICK_NSEC))
+
+ #define NSEC_CONVERSION ((unsigned long)((((u64)1 << NSEC_JIFFIE_SC) +\
+ TICK_NSEC -1) / (u64)TICK_NSEC))
+-#define USEC_CONVERSION \
+- ((unsigned long)((((u64)NSEC_PER_USEC << USEC_JIFFIE_SC) +\
+- TICK_NSEC -1) / (u64)TICK_NSEC))
+-/*
+- * USEC_ROUND is used in the timeval to jiffie conversion. See there
+- * for more details. It is the scaled resolution rounding value. Note
+- * that it is a 64-bit value. Since, when it is applied, we are already
+- * in jiffies (albit scaled), it is nothing but the bits we will shift
+- * off.
+- */
+-#define USEC_ROUND (u64)(((u64)1 << USEC_JIFFIE_SC) - 1)
+ /*
+ * The maximum jiffie value is (MAX_INT >> 1). Here we translate that
+ * into seconds.
The 64-bit case will overflow if we are not careful,
+diff --git a/include/net/regulatory.h b/include/net/regulatory.h
+index eb7d3c2..c3c22e0 100644
+--- a/include/net/regulatory.h
++++ b/include/net/regulatory.h
+@@ -92,7 +92,7 @@ struct ieee80211_reg_rule {
+
+ struct ieee80211_regdomain {
+ u32 n_reg_rules;
+- char alpha2[2];
++ char alpha2[3];
+ struct ieee80211_reg_rule reg_rules[];
+ };
+
+diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
+index ad03988..e0f1c91 100644
+--- a/include/net/sctp/sctp.h
++++ b/include/net/sctp/sctp.h
+@@ -523,6 +523,11 @@ static inline void sctp_assoc_pending_pmtu(struct sctp_association *asoc)
+ asoc->pmtu_pending = 0;
+ }
+
++static inline bool sctp_chunk_pending(const struct sctp_chunk *chunk)
++{
++ return !list_empty(&chunk->list);
++}
++
+ /* Walk through a list of TLV parameters. Don't trust the
+ * individual parameter lengths and instead depend on
+ * the chunk length to indicate when to stop. Make sure
+diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
+index 9148632..4d1be75 100644
+--- a/include/net/sctp/sm.h
++++ b/include/net/sctp/sm.h
+@@ -251,9 +251,9 @@ struct sctp_chunk *sctp_make_asconf_update_ip(struct sctp_association *,
+ int, __be16);
+ struct sctp_chunk *sctp_make_asconf_set_prim(struct sctp_association *asoc,
+ union sctp_addr *addr);
+-int sctp_verify_asconf(const struct sctp_association *asoc,
+- struct sctp_paramhdr *param_hdr, void *chunk_end,
+- struct sctp_paramhdr **errp);
++bool sctp_verify_asconf(const struct sctp_association *asoc,
++ struct sctp_chunk *chunk, bool addr_param_needed,
++ struct sctp_paramhdr **errp);
+ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
+ struct sctp_chunk *asconf);
+ int sctp_process_asconf_ack(struct sctp_association *asoc,
+diff --git a/init/Kconfig b/init/Kconfig
+index 43298f9..b8dc1de 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -555,6 +555,7 @@ config LOG_BUF_SHIFT
+ int "Kernel log buffer size (16 => 64KB, 17
=> 128KB)"
+ range 12 21
+ default 17
++ depends on PRINTK
+ help
+ Select kernel log buffer size as a power of 2.
+ Examples:
+diff --git a/kernel/cgroup.c b/kernel/cgroup.c
+index 93fc15e..ffcf896 100644
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -3871,6 +3871,11 @@ static int cgroup_mkdir(struct inode *dir, struct dentry *dentry, int mode)
+ {
+ struct cgroup *c_parent = dentry->d_parent->d_fsdata;
+
++ /* Do not accept '\n' to prevent making /proc/<pid>/cgroup unparsable.
++ */
++ if (strchr(dentry->d_name.name, '\n'))
++ return -EINVAL;
++
+ /* the vfs holds inode->i_mutex already */
+ return cgroup_create(c_parent, dentry, mode | S_IFDIR);
+ }
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 14c111c..4a14895 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -1683,6 +1683,16 @@ retry:
+ */
+ if (ctx->is_active) {
+ raw_spin_unlock_irq(&ctx->lock);
++ /*
++ * Reload the task pointer, it might have been changed by
++ * a concurrent perf_event_context_sched_out().
++ */
++ task = ctx->task;
++ /*
++ * Reload the task pointer, it might have been changed by
++ * a concurrent perf_event_context_sched_out().
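Review bot: The newline check is added to cgroup_mkdir() (kernel/cgroup.c) only, so it covers a name at creation time and nothing later. If this tree lets a cgroup directory be renamed, that handler is outside the hunk and would need the same `strchr(..., '\n')` test, otherwise /proc/<pid>/cgroup can still carry an embedded newline and mislead tools that parse it line by line. The two-line comment could also be closed on one line as `/* Reject '\n' so /proc/<pid>/cgroup stays parsable. */`.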
++ */
++ task = ctx->task;
+ goto retry;
+ }
+
+@@ -7071,8 +7081,10 @@ int perf_event_init_task(struct task_struct *child)
+
+ for_each_task_context_nr(ctxn) {
+ ret = perf_event_init_context(child, ctxn);
+- if (ret)
++ if (ret) {
++ perf_event_free_task(child);
+ return ret;
++ }
+ }
+
+ return 0;
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 13bba30..29b4604 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1221,7 +1221,7 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+ goto bad_fork_cleanup_policy;
+ retval = audit_alloc(p);
+ if (retval)
+- goto bad_fork_cleanup_policy;
++ goto bad_fork_cleanup_perf;
+ /* copy all the process information */
+ retval = copy_semundo(clone_flags, p);
+ if (retval)
+@@ -1406,8 +1406,9 @@ bad_fork_cleanup_semundo:
+ exit_sem(p);
+ bad_fork_cleanup_audit:
+ audit_free(p);
+-bad_fork_cleanup_policy:
++bad_fork_cleanup_perf:
+ perf_event_free_task(p);
++bad_fork_cleanup_policy:
+ #ifdef CONFIG_NUMA
+ mpol_put(p->mempolicy);
+ bad_fork_cleanup_cgroup:
+diff --git a/kernel/futex.c b/kernel/futex.c
+index 1bb37d0..f31f190 100644
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -2460,6 +2460,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
+ * shared futexes. We need to compare the keys:
+ */
+ if (match_futex(&q.key, &key2)) {
++ queue_unlock(&q, hb);
+ ret = -EINVAL;
+ goto out_put_keys;
+ }
+diff --git a/kernel/time.c b/kernel/time.c
+index 73e416d..060f961 100644
+--- a/kernel/time.c
++++ b/kernel/time.c
+@@ -493,17 +493,20 @@ EXPORT_SYMBOL(usecs_to_jiffies);
+ * that a remainder subtract here would not do the right thing as the
+ * resolution values don't fall on second boundries. I.e. the line:
+ * nsec -= nsec % TICK_NSEC; is NOT a correct resolution rounding.
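Review bot: The `retry:` hunk in kernel/events/core.c adds the same four-line comment and the same `task = ctx->task;` reload twice in a row; this matches the ten added lines in the hunk header, so it is in the patch itself and looks like one fix applied twice. The second copy is redundant and should be dropped so the block reads once: a single `/* Reload the task pointer ... */` comment followed by one `task = ctx->task;` before `goto retry;`. The enclosing function starts outside the hunk.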
++ * Note that due to the small error in the multiplier here, this
++ * rounding is incorrect for sufficiently large values of tv_nsec, but
++ * well formed timespecs should have tv_nsec < NSEC_PER_SEC, so we're
++ * OK.
+ *
+ * Rather, we just shift the bits off the right.
+ *
+ * The >> (NSEC_JIFFIE_SC - SEC_JIFFIE_SC) converts the scaled nsec
+ * value to a scaled second value.
+ */
+-unsigned long
+-timespec_to_jiffies(const struct timespec *value)
++static unsigned long
++__timespec_to_jiffies(unsigned long sec, long nsec)
+ {
+- unsigned long sec = value->tv_sec;
+- long nsec = value->tv_nsec + TICK_NSEC - 1;
++ nsec = nsec + TICK_NSEC - 1;
+
+ if (sec >= MAX_SEC_IN_JIFFIES){
+ sec = MAX_SEC_IN_JIFFIES;
+@@ -514,6 +517,13 @@ timespec_to_jiffies(const struct timespec *value)
+ (NSEC_JIFFIE_SC - SEC_JIFFIE_SC))) >> SEC_JIFFIE_SC;
+
+ }
++
++unsigned long
++timespec_to_jiffies(const struct timespec *value)
++{
++ return __timespec_to_jiffies(value->tv_sec, value->tv_nsec);
++}
++
+ EXPORT_SYMBOL(timespec_to_jiffies);
+
+ void
+@@ -530,31 +540,27 @@ jiffies_to_timespec(const unsigned long jiffies, struct timespec *value)
+ }
+ EXPORT_SYMBOL(jiffies_to_timespec);
+
+-/* Same for "timeval"
++/*
++ * We could use a similar algorithm to timespec_to_jiffies (with a
++ * different multiplier for usec instead of nsec). But this has a
++ * problem with rounding: we can't exactly add TICK_NSEC - 1 to the
++ * usec value, since it's not necessarily integral.
+ *
+- * Well, almost. The problem here is that the real system resolution is
+- * in nanoseconds and the value being converted is in micro seconds.
+- * Also for some machines (those that use HZ = 1024, in-particular),
+- * there is a LARGE error in the tick size in microseconds.
+-
+- * The solution we use is to do the rounding AFTER we convert the
+- * microsecond part. Thus the USEC_ROUND, the bits to be shifted off.
+- * Instruction wise, this should cost only an additional add with carry
+- * instruction above the way it was done above.
++ * We could instead round in the intermediate scaled representation
++ * (i.e. in units of 1/2^(large scale) jiffies) but that's also
++ * perilous: the scaling introduces a small positive error, which
++ * combined with a division-rounding-upward (i.e. adding 2^(scale) - 1
++ * units to the intermediate before shifting) leads to accidental
++ * overflow and overestimates.
++ *
++ * At the cost of one additional multiplication by a constant, just
++ * use the timespec implementation.
+ */
+ unsigned long
+ timeval_to_jiffies(const struct timeval *value)
+ {
+- unsigned long sec = value->tv_sec;
+- long usec = value->tv_usec;
+-
+- if (sec >= MAX_SEC_IN_JIFFIES){
+- sec = MAX_SEC_IN_JIFFIES;
+- usec = 0;
+- }
+- return (((u64)sec * SEC_CONVERSION) +
+- (((u64)usec * USEC_CONVERSION + USEC_ROUND) >>
+- (USEC_JIFFIE_SC - SEC_JIFFIE_SC))) >> SEC_JIFFIE_SC;
++ return __timespec_to_jiffies(value->tv_sec,
++ value->tv_usec * NSEC_PER_USEC);
+ }
+ EXPORT_SYMBOL(timeval_to_jiffies);
+
+diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c
+index eb198a3..7eaf162 100644
+--- a/kernel/time/alarmtimer.c
++++ b/kernel/time/alarmtimer.c
+@@ -226,6 +226,12 @@ static enum hrtimer_restart alarmtimer_fired(struct hrtimer *timer)
+
+ }
+
++ktime_t alarm_expires_remaining(const struct alarm *alarm)
++{
++ struct alarm_base *base = &alarm_bases[alarm->type];
++ return ktime_sub(alarm->node.expires, base->gettime());
++}
++
+ #ifdef CONFIG_RTC_CLASS
+ /**
+ * alarmtimer_suspend - Suspend time callback
+@@ -442,18 +448,26 @@ static enum alarmtimer_type clock2alarm(clockid_t clockid)
+ static enum alarmtimer_restart alarm_handle_timer(struct alarm *alarm,
+ ktime_t now)
+ {
++ unsigned long flags;
+ struct k_itimer *ptr = container_of(alarm, struct k_itimer,
+ it.alarm.alarmtimer);
+- if (posix_timer_event(ptr, 0) != 0)
+- ptr->it_overrun++;
++ enum
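Review bot: `value->tv_usec * NSEC_PER_USEC` in the rewritten timeval_to_jiffies() (kernel/time.c) is a plain integer multiply whose result is passed as the `long nsec` parameter, whereas the removed code widened first with `(u64)usec`. For an out-of-range tv_usec the product can therefore overflow where long is 32 bits, which is signed overflow and gives an unpredictable timeout. The comment added to __timespec_to_jiffies() already states that the rounding relies on well-formed input; the same precondition should be written here, e.g. `/* callers must pass 0 <= tv_usec < USEC_PER_SEC */`, or the value range-checked before the multiply. Which callers validate user-supplied timevals is outside the hunk.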
alarmtimer_restart result = ALARMTIMER_NORESTART;
++
++ spin_lock_irqsave(&ptr->it_lock, flags);
++ if ((ptr->it_sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE) {
++ if (posix_timer_event(ptr, 0) != 0)
++ ptr->it_overrun++;
++ }
+
+ /* Re-add periodic timers */
+ if (ptr->it.alarm.interval.tv64) {
+ ptr->it_overrun += alarm_forward(alarm, now,
+ ptr->it.alarm.interval);
+- return ALARMTIMER_RESTART;
++ result = ALARMTIMER_RESTART;
+ }
+- return ALARMTIMER_NORESTART;
++ spin_unlock_irqrestore(&ptr->it_lock, flags);
++
++ return result;
+ }
+
+ /**
+@@ -519,18 +533,22 @@ static int alarm_timer_create(struct k_itimer *new_timer)
+ * @new_timer: k_itimer pointer
+ * @cur_setting: itimerspec data to fill
+ *
+- * Copies the itimerspec data out from the k_itimer
++ * Copies out the current itimerspec data
+ */
+ static void alarm_timer_get(struct k_itimer *timr,
+ struct itimerspec *cur_setting)
+ {
+- memset(cur_setting, 0, sizeof(struct itimerspec));
++ ktime_t relative_expiry_time =
++ alarm_expires_remaining(&(timr->it.alarm.alarmtimer));
++
++ if (ktime_to_ns(relative_expiry_time) > 0) {
++ cur_setting->it_value = ktime_to_timespec(relative_expiry_time);
++ } else {
++ cur_setting->it_value.tv_sec = 0;
++ cur_setting->it_value.tv_nsec = 0;
++ }
+
+- cur_setting->it_interval =
+- ktime_to_timespec(timr->it.alarm.interval);
+- cur_setting->it_value =
+- ktime_to_timespec(timr->it.alarm.alarmtimer.node.expires);
+- return;
++ cur_setting->it_interval = ktime_to_timespec(timr->it.alarm.interval);
+ }
+
+ /**
+diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
+index 4babd77..b252661 100644
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -2847,7 +2847,7 @@ static void rb_iter_reset(struct ring_buffer_iter *iter)
+ iter->head = cpu_buffer->reader_page->read;
+
+ iter->cache_reader_page = iter->head_page;
+- iter->cache_read = iter->head;
++ iter->cache_read = cpu_buffer->read;
+
+ if (iter->head)
+ iter->read_stamp =
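Review bot: alarm_timer_get() (kernel/time/alarmtimer.c) no longer clears `cur_setting` with memset() and relies on assigning it_value and it_interval individually. Both members are written on every path, so this matters only if struct itimerspec has padding on some ABI and the caller, which is outside the hunk, copies the whole structure to user space from an uninitialised buffer. Keeping `memset(cur_setting, 0, sizeof(*cur_setting));` as the first statement costs little and removes that dependency. Separately, the kerneldoc this hunk edits still documents `@new_timer` while the parameter is named `timr`.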
cpu_buffer->read_stamp;
+diff --git a/mm/migrate.c b/mm/migrate.c
+index 09d6a9d..7d26ea5 100644
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -141,8 +141,11 @@ static int remove_migration_pte(struct page *new, struct vm_area_struct *vma,
+
+ get_page(new);
+ pte = pte_mkold(mk_pte(new, vma->vm_page_prot));
++
++ /* Recheck VMA as permissions can change since migration started */
+ if (is_write_migration_entry(entry))
+- pte = pte_mkwrite(pte);
++ pte = maybe_mkwrite(pte, vma);
++
+ #ifdef CONFIG_HUGETLB_PAGE
+ if (PageHuge(new))
+ pte = pte_mkhuge(pte);
+diff --git a/mm/percpu-vm.c b/mm/percpu-vm.c
+index 12a48a88..0539f6a 100644
+--- a/mm/percpu-vm.c
++++ b/mm/percpu-vm.c
+@@ -108,7 +108,7 @@ static int pcpu_alloc_pages(struct pcpu_chunk *chunk,
+ int page_start, int page_end)
+ {
+ const gfp_t gfp = GFP_KERNEL | __GFP_HIGHMEM | __GFP_COLD;
+- unsigned int cpu;
++ unsigned int cpu, tcpu;
+ int i;
+
+ for_each_possible_cpu(cpu) {
+@@ -116,14 +116,23 @@ static int pcpu_alloc_pages(struct pcpu_chunk *chunk,
+ struct page **pagep = &pages[pcpu_page_idx(cpu, i)];
+
+ *pagep = alloc_pages_node(cpu_to_node(cpu), gfp, 0);
+- if (!*pagep) {
+- pcpu_free_pages(chunk, pages, populated,
+- page_start, page_end);
+- return -ENOMEM;
+- }
++ if (!*pagep)
++ goto err;
+ }
+ }
+ return 0;
++
++err:
++ while (--i >= page_start)
++ __free_page(pages[pcpu_page_idx(cpu, i)]);
++
++ for_each_possible_cpu(tcpu) {
++ if (tcpu == cpu)
++ break;
++ for (i = page_start; i < page_end; i++)
++ __free_page(pages[pcpu_page_idx(tcpu, i)]);
++ }
++ return -ENOMEM;
+ }
+
+ /**
+@@ -264,6 +273,7 @@ err:
+ __pcpu_unmap_pages(pcpu_chunk_addr(chunk, tcpu, page_start),
+ page_end - page_start);
+ }
++ pcpu_post_unmap_tlb_flush(chunk, page_start, page_end);
+ return err;
+ }
+
+diff --git a/mm/percpu.c b/mm/percpu.c
+index 5c29750..e29a1c4 100644
+--- a/mm/percpu.c
++++ b/mm/percpu.c
+@@ -1895,6 +1895,8 @@ void __init setup_per_cpu_areas(void)
+
+ if (pcpu_setup_first_chunk(ai, fc) < 0)
+ panic("Failed
to initialize percpu areas.");
++
++ pcpu_free_alloc_info(ai);
+ }
+
+ #endif /* CONFIG_SMP */
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 1371021..83efac6 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -1719,8 +1719,10 @@ static int shmem_rename(struct inode *old_dir, struct dentry *old_dentry, struct
+
+ if (new_dentry->d_inode) {
+ (void) shmem_unlink(new_dir, new_dentry);
+- if (they_are_dirs)
++ if (they_are_dirs) {
++ drop_nlink(new_dentry->d_inode);
+ drop_nlink(old_dir);
++ }
+ } else if (they_are_dirs) {
+ drop_nlink(old_dir);
+ inc_nlink(new_dir);
+diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c
+index 1587dc6..9898d1f 100644
+--- a/net/ceph/auth_x.c
++++ b/net/ceph/auth_x.c
+@@ -13,8 +13,6 @@
+ #include "auth_x.h"
+ #include "auth_x_protocol.h"
+
+-#define TEMP_TICKET_BUF_LEN 256
+-
+ static void ceph_x_validate_tickets(struct ceph_auth_client *ac, int *pneed);
+
+ static int ceph_x_is_authenticated(struct ceph_auth_client *ac)
+@@ -64,7 +62,7 @@ static int ceph_x_encrypt(struct ceph_crypto_key *secret,
+ }
+
+ static int ceph_x_decrypt(struct ceph_crypto_key *secret,
+- void **p, void *end, void *obuf, size_t olen)
++ void **p, void *end, void **obuf, size_t olen)
+ {
+ struct ceph_x_encrypt_header head;
+ size_t head_len = sizeof(head);
+@@ -75,8 +73,14 @@ static int ceph_x_decrypt(struct ceph_crypto_key *secret,
+ return -EINVAL;
+
+ dout("ceph_x_decrypt len %d\n", len);
+- ret = ceph_decrypt2(secret, &head, &head_len, obuf, &olen,
+- *p, len);
++ if (*obuf == NULL) {
++ *obuf = kmalloc(len, GFP_NOFS);
++ if (!*obuf)
++ return -ENOMEM;
++ olen = len;
++ }
++
++ ret = ceph_decrypt2(secret, &head, &head_len, *obuf, &olen, *p, len);
+ if (ret)
+ return ret;
+ if (head.struct_v != 1 || le64_to_cpu(head.magic) != CEPHX_ENC_MAGIC)
+@@ -129,139 +133,120 @@ static void remove_ticket_handler(struct ceph_auth_client *ac,
+ kfree(th);
+ }
+
+-static int ceph_x_proc_ticket_reply(struct ceph_auth_client *ac,
+- struct ceph_crypto_key *secret,
+- void *buf,
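Review bot: ceph_x_decrypt() (net/ceph/auth_x.c) now allocates `*obuf` itself when the caller passes a NULL buffer, yet the `if (ret) return ret;` that follows leaves the buffer allocated, so ownership passes to the caller on the error paths too and nothing documents that. A comment above the function such as `/* If *obuf is NULL, a buffer of the ciphertext length is allocated; the caller must kfree(*obuf) even when an error is returned. */` would keep new callers from leaking it. The size `len` appears to be decoded from the message being parsed; the check that ends in `return -EINVAL` just above the hunk should be confirmed to bound it against `end` before it reaches kmalloc(). The function body starts and ends outside the hunk.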
void *end) ++static int process_one_ticket(struct ceph_auth_client *ac, ++ struct ceph_crypto_key *secret, ++ void **p, void *end) + { + struct ceph_x_info *xi = ac->private; +- int num; +- void *p = buf; ++ int type; ++ u8 tkt_struct_v, blob_struct_v; ++ struct ceph_x_ticket_handler *th; ++ void *dbuf = NULL; ++ void *dp, *dend; ++ int dlen; ++ char is_enc; ++ struct timespec validity; ++ struct ceph_crypto_key old_key; ++ void *ticket_buf = NULL; ++ void *tp, *tpend; ++ struct ceph_timespec new_validity; ++ struct ceph_crypto_key new_session_key; ++ struct ceph_buffer *new_ticket_blob; ++ unsigned long new_expires, new_renew_after; ++ u64 new_secret_id; + int ret; +- char *dbuf; +- char *ticket_buf; +- u8 reply_struct_v; + +- dbuf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS); +- if (!dbuf) +- return -ENOMEM; ++ ceph_decode_need(p, end, sizeof(u32) + 1, bad); + +- ret = -ENOMEM; +- ticket_buf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS); +- if (!ticket_buf) +- goto out_dbuf; ++ type = ceph_decode_32(p); ++ dout(" ticket type %d %s\n", type, ceph_entity_type_name(type)); + +- ceph_decode_need(&p, end, 1 + sizeof(u32), bad); +- reply_struct_v = ceph_decode_8(&p); +- if (reply_struct_v != 1) ++ tkt_struct_v = ceph_decode_8(p); ++ if (tkt_struct_v != 1) + goto bad; +- num = ceph_decode_32(&p); +- dout("%d tickets\n", num); +- while (num--) { +- int type; +- u8 tkt_struct_v, blob_struct_v; +- struct ceph_x_ticket_handler *th; +- void *dp, *dend; +- int dlen; +- char is_enc; +- struct timespec validity; +- struct ceph_crypto_key old_key; +- void *tp, *tpend; +- struct ceph_timespec new_validity; +- struct ceph_crypto_key new_session_key; +- struct ceph_buffer *new_ticket_blob; +- unsigned long new_expires, new_renew_after; +- u64 new_secret_id; +- +- ceph_decode_need(&p, end, sizeof(u32) + 1, bad); +- +- type = ceph_decode_32(&p); +- dout(" ticket type %d %s\n", type, ceph_entity_type_name(type)); +- +- tkt_struct_v = ceph_decode_8(&p); +- if (tkt_struct_v != 1) +- goto bad; +- 
+- th = get_ticket_handler(ac, type); +- if (IS_ERR(th)) { +- ret = PTR_ERR(th); +- goto out; +- } + +- /* blob for me */ +- dlen = ceph_x_decrypt(secret, &p, end, dbuf, +- TEMP_TICKET_BUF_LEN); +- if (dlen <= 0) { +- ret = dlen; +- goto out; +- } +- dout(" decrypted %d bytes\n", dlen); +- dend = dbuf + dlen; +- dp = dbuf; ++ th = get_ticket_handler(ac, type); ++ if (IS_ERR(th)) { ++ ret = PTR_ERR(th); ++ goto out; ++ } + +- tkt_struct_v = ceph_decode_8(&dp); +- if (tkt_struct_v != 1) +- goto bad; ++ /* blob for me */ ++ dlen = ceph_x_decrypt(secret, p, end, &dbuf, 0); ++ if (dlen <= 0) { ++ ret = dlen; ++ goto out; ++ } ++ dout(" decrypted %d bytes\n", dlen); ++ dp = dbuf; ++ dend = dp + dlen; + +- memcpy(&old_key, &th->session_key, sizeof(old_key)); +- ret = ceph_crypto_key_decode(&new_session_key, &dp, dend); +- if (ret) +- goto out; ++ tkt_struct_v = ceph_decode_8(&dp); ++ if (tkt_struct_v != 1) ++ goto bad; + +- ceph_decode_copy(&dp, &new_validity, sizeof(new_validity)); +- ceph_decode_timespec(&validity, &new_validity); +- new_expires = get_seconds() + validity.tv_sec; +- new_renew_after = new_expires - (validity.tv_sec / 4); +- dout(" expires=%lu renew_after=%lu\n", new_expires, +- new_renew_after); ++ memcpy(&old_key, &th->session_key, sizeof(old_key)); ++ ret = ceph_crypto_key_decode(&new_session_key, &dp, dend); ++ if (ret) ++ goto out; + +- /* ticket blob for service */ +- ceph_decode_8_safe(&p, end, is_enc, bad); +- tp = ticket_buf; +- if (is_enc) { +- /* encrypted */ +- dout(" encrypted ticket\n"); +- dlen = ceph_x_decrypt(&old_key, &p, end, ticket_buf, +- TEMP_TICKET_BUF_LEN); +- if (dlen < 0) { +- ret = dlen; +- goto out; +- } +- dlen = ceph_decode_32(&tp); +- } else { +- /* unencrypted */ +- ceph_decode_32_safe(&p, end, dlen, bad); +- ceph_decode_need(&p, end, dlen, bad); +- ceph_decode_copy(&p, ticket_buf, dlen); ++ ceph_decode_copy(&dp, &new_validity, sizeof(new_validity)); ++ ceph_decode_timespec(&validity, &new_validity); ++ new_expires = 
get_seconds() + validity.tv_sec; ++ new_renew_after = new_expires - (validity.tv_sec / 4); ++ dout(" expires=%lu renew_after=%lu\n", new_expires, ++ new_renew_after); ++ ++ /* ticket blob for service */ ++ ceph_decode_8_safe(p, end, is_enc, bad); ++ if (is_enc) { ++ /* encrypted */ ++ dout(" encrypted ticket\n"); ++ dlen = ceph_x_decrypt(&old_key, p, end, &ticket_buf, 0); ++ if (dlen < 0) { ++ ret = dlen; ++ goto out; + } +- tpend = tp + dlen; +- dout(" ticket blob is %d bytes\n", dlen); +- ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad); +- blob_struct_v = ceph_decode_8(&tp); +- new_secret_id = ceph_decode_64(&tp); +- ret = ceph_decode_buffer(&new_ticket_blob, &tp, tpend); +- if (ret) ++ tp = ticket_buf; ++ dlen = ceph_decode_32(&tp); ++ } else { ++ /* unencrypted */ ++ ceph_decode_32_safe(p, end, dlen, bad); ++ ticket_buf = kmalloc(dlen, GFP_NOFS); ++ if (!ticket_buf) { ++ ret = -ENOMEM; + goto out; +- +- /* all is well, update our ticket */ +- ceph_crypto_key_destroy(&th->session_key); +- if (th->ticket_blob) +- ceph_buffer_put(th->ticket_blob); +- th->session_key = new_session_key; +- th->ticket_blob = new_ticket_blob; +- th->validity = new_validity; +- th->secret_id = new_secret_id; +- th->expires = new_expires; +- th->renew_after = new_renew_after; +- dout(" got ticket service %d (%s) secret_id %lld len %d\n", +- type, ceph_entity_type_name(type), th->secret_id, +- (int)th->ticket_blob->vec.iov_len); +- xi->have_keys |= th->service; ++ } ++ tp = ticket_buf; ++ ceph_decode_need(p, end, dlen, bad); ++ ceph_decode_copy(p, ticket_buf, dlen); + } ++ tpend = tp + dlen; ++ dout(" ticket blob is %d bytes\n", dlen); ++ ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad); ++ blob_struct_v = ceph_decode_8(&tp); ++ new_secret_id = ceph_decode_64(&tp); ++ ret = ceph_decode_buffer(&new_ticket_blob, &tp, tpend); ++ if (ret) ++ goto out; ++ ++ /* all is well, update our ticket */ ++ ceph_crypto_key_destroy(&th->session_key); ++ if (th->ticket_blob) ++ 
ceph_buffer_put(th->ticket_blob); ++ th->session_key = new_session_key; ++ th->ticket_blob = new_ticket_blob; ++ th->validity = new_validity; ++ th->secret_id = new_secret_id; ++ th->expires = new_expires; ++ th->renew_after = new_renew_after; ++ dout(" got ticket service %d (%s) secret_id %lld len %d\n", ++ type, ceph_entity_type_name(type), th->secret_id, ++ (int)th->ticket_blob->vec.iov_len); ++ xi->have_keys |= th->service; + +- ret = 0; + out: + kfree(ticket_buf); +-out_dbuf: + kfree(dbuf); + return ret; + +@@ -270,6 +255,34 @@ bad: + goto out; + } + ++static int ceph_x_proc_ticket_reply(struct ceph_auth_client *ac, ++ struct ceph_crypto_key *secret, ++ void *buf, void *end) ++{ ++ void *p = buf; ++ u8 reply_struct_v; ++ u32 num; ++ int ret; ++ ++ ceph_decode_8_safe(&p, end, reply_struct_v, bad); ++ if (reply_struct_v != 1) ++ return -EINVAL; ++ ++ ceph_decode_32_safe(&p, end, num, bad); ++ dout("%d tickets\n", num); ++ ++ while (num--) { ++ ret = process_one_ticket(ac, secret, &p, end); ++ if (ret) ++ return ret; ++ } ++ ++ return 0; ++ ++bad: ++ return -EINVAL; ++} ++ + static int ceph_x_build_authorizer(struct ceph_auth_client *ac, + struct ceph_x_ticket_handler *th, + struct ceph_x_authorizer *au) +@@ -563,13 +576,14 @@ static int ceph_x_verify_authorizer_reply(struct ceph_auth_client *ac, + struct ceph_x_ticket_handler *th; + int ret = 0; + struct ceph_x_authorize_reply reply; ++ void *preply = &reply; + void *p = au->reply_buf; + void *end = p + sizeof(au->reply_buf); + + th = get_ticket_handler(ac, au->service); + if (IS_ERR(th)) + return PTR_ERR(th); +- ret = ceph_x_decrypt(&th->session_key, &p, end, &reply, sizeof(reply)); ++ ret = ceph_x_decrypt(&th->session_key, &p, end, &preply, sizeof(reply)); + if (ret < 0) + return ret; + if (ret != sizeof(reply)) +diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c +index 20ba2d5..7a239f0 100644 +--- a/net/ceph/messenger.c ++++ b/net/ceph/messenger.c +@@ -2423,7 +2423,7 @@ struct ceph_msg *ceph_msg_new(int 
type, int front_len, gfp_t flags, + m->footer.middle_crc = 0; + m->footer.data_crc = 0; + m->footer.flags = 0; +- m->front_max = front_len; ++ m->front_alloc_len = front_len; + m->front_is_vmalloc = false; + m->more_to_follow = false; + m->ack_stamp = 0; +@@ -2594,8 +2594,8 @@ EXPORT_SYMBOL(ceph_msg_last_put); + + void ceph_msg_dump(struct ceph_msg *msg) + { +- pr_debug("msg_dump %p (front_max %d nr_pages %d)\n", msg, +- msg->front_max, msg->nr_pages); ++ pr_debug("msg_dump %p (front_alloc_len %d nr_pages %d)\n", msg, ++ msg->front_alloc_len, msg->nr_pages); + print_hex_dump(KERN_DEBUG, "header: ", + DUMP_PREFIX_OFFSET, 16, 1, + &msg->hdr, sizeof(msg->hdr), true); +diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c +index 0b62dea..0c0859b 100644 +--- a/net/ceph/mon_client.c ++++ b/net/ceph/mon_client.c +@@ -150,7 +150,7 @@ static int __open_session(struct ceph_mon_client *monc) + /* initiatiate authentication handshake */ + ret = ceph_auth_build_hello(monc->auth, + monc->m_auth->front.iov_base, +- monc->m_auth->front_max); ++ monc->m_auth->front_alloc_len); + __send_prepared_auth_request(monc, ret); + } else { + dout("open_session mon%d already open\n", monc->cur_mon); +@@ -194,7 +194,7 @@ static void __send_subscribe(struct ceph_mon_client *monc) + int num; + + p = msg->front.iov_base; +- end = p + msg->front_max; ++ end = p + msg->front_alloc_len; + + num = 1 + !!monc->want_next_osdmap + !!monc->want_mdsmap; + ceph_encode_32(&p, num); +@@ -860,7 +860,7 @@ static void handle_auth_reply(struct ceph_mon_client *monc, + ret = ceph_handle_auth_reply(monc->auth, msg->front.iov_base, + msg->front.iov_len, + monc->m_auth->front.iov_base, +- monc->m_auth->front_max); ++ monc->m_auth->front_alloc_len); + if (ret < 0) { + monc->client->auth_err = ret; + wake_up_all(&monc->client->auth_wq); +@@ -887,7 +887,7 @@ static int __validate_auth(struct ceph_mon_client *monc) + return 0; + + ret = ceph_build_auth(monc->auth, monc->m_auth->front.iov_base, +- 
monc->m_auth->front_max); ++ monc->m_auth->front_alloc_len); + if (ret <= 0) + return ret; /* either an error, or no need to authenticate */ + __send_prepared_auth_request(monc, ret); +@@ -987,7 +987,15 @@ static struct ceph_msg *mon_alloc_msg(struct ceph_connection *con, + if (!m) { + pr_info("alloc_msg unknown type %d\n", type); + *skip = 1; ++ } else if (front_len > m->front_alloc_len) { ++ pr_warning("mon_alloc_msg front %d > prealloc %d (%u#%llu)\n", ++ front_len, m->front_alloc_len, ++ (unsigned int)con->peer_name.type, ++ le64_to_cpu(con->peer_name.num)); ++ ceph_msg_put(m); ++ m = ceph_msg_new(type, front_len, GFP_NOFS, false); + } ++ + return m; + } + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index d361dc0..8e79a9e 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -151,6 +151,9 @@ static void ipv4_link_failure(struct sk_buff *skb); + static void ip_rt_update_pmtu(struct dst_entry *dst, u32 mtu); + static int rt_garbage_collect(struct dst_ops *ops); + ++static void __rt_garbage_collect(struct work_struct *w); ++static DECLARE_WORK(rt_gc_worker, __rt_garbage_collect); ++ + static void ipv4_dst_ifdown(struct dst_entry *dst, struct net_device *dev, + int how) + { +@@ -979,12 +982,13 @@ static void rt_emergency_hash_rebuild(struct net *net) + and when load increases it reduces to limit cache size. + */ + +-static int rt_garbage_collect(struct dst_ops *ops) ++static void __do_rt_garbage_collect(int elasticity, int min_interval) + { + static unsigned long expire = RT_GC_TIMEOUT; + static unsigned long last_gc; + static int rover; + static int equilibrium; ++ static DEFINE_SPINLOCK(rt_gc_lock); + struct rtable *rth; + struct rtable __rcu **rthp; + unsigned long now = jiffies; +@@ -996,9 +1000,11 @@ static int rt_garbage_collect(struct dst_ops *ops) + * do not make it too frequently. 
+ */ + ++ spin_lock_bh(&rt_gc_lock); ++ + RT_CACHE_STAT_INC(gc_total); + +- if (now - last_gc < ip_rt_gc_min_interval && ++ if (now - last_gc < min_interval && + entries < ip_rt_max_size) { + RT_CACHE_STAT_INC(gc_ignored); + goto out; +@@ -1006,7 +1012,7 @@ static int rt_garbage_collect(struct dst_ops *ops) + + entries = dst_entries_get_slow(&ipv4_dst_ops); + /* Calculate number of entries, which we want to expire now. */ +- goal = entries - (ip_rt_gc_elasticity << rt_hash_log); ++ goal = entries - (elasticity << rt_hash_log); + if (goal <= 0) { + if (equilibrium < ipv4_dst_ops.gc_thresh) + equilibrium = ipv4_dst_ops.gc_thresh; +@@ -1023,7 +1029,7 @@ static int rt_garbage_collect(struct dst_ops *ops) + equilibrium = entries - goal; + } + +- if (now - last_gc >= ip_rt_gc_min_interval) ++ if (now - last_gc >= min_interval) + last_gc = now; + + if (goal <= 0) { +@@ -1088,15 +1094,34 @@ static int rt_garbage_collect(struct dst_ops *ops) + if (net_ratelimit()) + printk(KERN_WARNING "dst cache overflow\n"); + RT_CACHE_STAT_INC(gc_dst_overflow); +- return 1; ++ goto out; + + work_done: +- expire += ip_rt_gc_min_interval; ++ expire += min_interval; + if (expire > ip_rt_gc_timeout || + dst_entries_get_fast(&ipv4_dst_ops) < ipv4_dst_ops.gc_thresh || + dst_entries_get_slow(&ipv4_dst_ops) < ipv4_dst_ops.gc_thresh) + expire = ip_rt_gc_timeout; +-out: return 0; ++out: ++ spin_unlock_bh(&rt_gc_lock); ++} ++ ++static void __rt_garbage_collect(struct work_struct *w) ++{ ++ __do_rt_garbage_collect(ip_rt_gc_elasticity, ip_rt_gc_min_interval); ++} ++ ++static int rt_garbage_collect(struct dst_ops *ops) ++{ ++ if (!work_pending(&rt_gc_worker)) ++ schedule_work(&rt_gc_worker); ++ ++ if (dst_entries_get_fast(&ipv4_dst_ops) >= ip_rt_max_size || ++ dst_entries_get_slow(&ipv4_dst_ops) >= ip_rt_max_size) { ++ RT_CACHE_STAT_INC(gc_dst_overflow); ++ return 1; ++ } ++ return 0; + } + + /* +@@ -1153,7 +1178,7 @@ static struct rtable *rt_intern_hash(unsigned hash, struct rtable *rt, + unsigned 
long now; + u32 min_score; + int chain_length; +- int attempts = !in_softirq(); ++ int attempts = 1; + + restart: + chain_length = 0; +@@ -1290,14 +1315,15 @@ restart: + can be released. Try to shrink route cache, + it is most likely it holds some neighbour records. + */ +- if (attempts-- > 0) { +- int saved_elasticity = ip_rt_gc_elasticity; +- int saved_int = ip_rt_gc_min_interval; +- ip_rt_gc_elasticity = 1; +- ip_rt_gc_min_interval = 0; +- rt_garbage_collect(&ipv4_dst_ops); +- ip_rt_gc_min_interval = saved_int; +- ip_rt_gc_elasticity = saved_elasticity; ++ if (!in_softirq() && attempts-- > 0) { ++ static DEFINE_SPINLOCK(lock); ++ ++ if (spin_trylock(&lock)) { ++ __do_rt_garbage_collect(1, 0); ++ spin_unlock(&lock); ++ } else { ++ spin_unlock_wait(&lock); ++ } + goto restart; + } + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index b9edff0..3afdd78 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -2443,8 +2443,18 @@ static void init_loopback(struct net_device *dev) + if (sp_ifa->flags & (IFA_F_DADFAILED | IFA_F_TENTATIVE)) + continue; + +- if (sp_ifa->rt) +- continue; ++ if (sp_ifa->rt) { ++ /* This dst has been added to garbage list when ++ * lo device down, release this obsolete dst and ++ * reallocate a new router for ifa. ++ */ ++ if (sp_ifa->rt->dst.obsolete > 0) { ++ dst_release(&sp_ifa->rt->dst); ++ sp_ifa->rt = NULL; ++ } else { ++ continue; ++ } ++ } + + sp_rt = addrconf_dst_alloc(idev, &sp_ifa->addr, 0); + +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index f8bec1e..d131a95 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1362,7 +1362,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features) + fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen); + fptr->nexthdr = nexthdr; + fptr->reserved = 0; +- ipv6_select_ident(fptr, (struct rt6_info *)skb_dst(skb)); ++ fptr->identification = skb_shinfo(skb)->ip6_frag_id; + + /* Fragment the skb. 
ipv6 header and the remaining fields of the + * fragment header are updated in ipv6_gso_segment() +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c +index 437fb59..767bf4a 100644 +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -774,7 +774,8 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr, + /* If PMTU discovery was enabled, use the MTU that was discovered */ + dst = sk_dst_get(tunnel->sock); + if (dst != NULL) { +- u32 pmtu = dst_mtu(__sk_dst_get(tunnel->sock)); ++ u32 pmtu = dst_mtu(dst); ++ + if (pmtu != 0) + session->mtu = session->mru = pmtu - + PPPOL2TP_HEADER_OVERHEAD; +diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c +index 29fa5ba..6422845 100644 +--- a/net/netfilter/ipvs/ip_vs_conn.c ++++ b/net/netfilter/ipvs/ip_vs_conn.c +@@ -777,7 +777,6 @@ static void ip_vs_conn_expire(unsigned long data) + ip_vs_control_del(cp); + + if (cp->flags & IP_VS_CONN_F_NFCT) { +- ip_vs_conn_drop_conntrack(cp); + /* Do not access conntracks during subsys cleanup + * because nf_conntrack_find_get can not be used after + * conntrack cleanup for the net. +diff --git a/net/sctp/associola.c b/net/sctp/associola.c +index da54d29..5b2d8e6 100644 +--- a/net/sctp/associola.c ++++ b/net/sctp/associola.c +@@ -1638,6 +1638,8 @@ struct sctp_chunk *sctp_assoc_lookup_asconf_ack( + * ack chunk whose serial number matches that of the request. + */ + list_for_each_entry(ack, &asoc->asconf_ack_list, transmitted_list) { ++ if (sctp_chunk_pending(ack)) ++ continue; + if (ack->subh.addip_hdr->serial == serial) { + sctp_chunk_hold(ack); + return ack; +diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c +index 397296f..32421ae 100644 +--- a/net/sctp/inqueue.c ++++ b/net/sctp/inqueue.c +@@ -152,18 +152,9 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue) + } else { + /* Nothing to do. Next chunk in the packet, please. */ + ch = (sctp_chunkhdr_t *) chunk->chunk_end; +- + /* Force chunk->skb->data to chunk->chunk_end. 
*/ +- skb_pull(chunk->skb, +- chunk->chunk_end - chunk->skb->data); +- +- /* Verify that we have at least chunk headers +- * worth of buffer left. +- */ +- if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) { +- sctp_chunk_free(chunk); +- chunk = queue->in_progress = NULL; +- } ++ skb_pull(chunk->skb, chunk->chunk_end - chunk->skb->data); ++ /* We are guaranteed to pull a SCTP header. */ + } + } + +@@ -199,24 +190,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue) + skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t)); + chunk->subh.v = NULL; /* Subheader is no longer valid. */ + +- if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) { ++ if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) < ++ skb_tail_pointer(chunk->skb)) { + /* This is not a singleton */ + chunk->singleton = 0; + } else if (chunk->chunk_end > skb_tail_pointer(chunk->skb)) { +- /* RFC 2960, Section 6.10 Bundling +- * +- * Partial chunks MUST NOT be placed in an SCTP packet. +- * If the receiver detects a partial chunk, it MUST drop +- * the chunk. +- * +- * Since the end of the chunk is past the end of our buffer +- * (which contains the whole packet, we can freely discard +- * the whole packet. +- */ +- sctp_chunk_free(chunk); +- chunk = queue->in_progress = NULL; +- +- return NULL; ++ /* Discard inside state machine. */ ++ chunk->pdiscard = 1; ++ chunk->chunk_end = skb_tail_pointer(chunk->skb); + } else { + /* We are at the end of the packet, so mark the chunk + * in case we need to send a SACK. +diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c +index c95a3f2..d8d4704 100644 +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -3068,50 +3068,63 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc, + return SCTP_ERROR_NO_ERROR; + } + +-/* Verify the ASCONF packet before we process it. 
*/ +-int sctp_verify_asconf(const struct sctp_association *asoc, +- struct sctp_paramhdr *param_hdr, void *chunk_end, +- struct sctp_paramhdr **errp) { +- sctp_addip_param_t *asconf_param; ++/* Verify the ASCONF packet before we process it. */ ++bool sctp_verify_asconf(const struct sctp_association *asoc, ++ struct sctp_chunk *chunk, bool addr_param_needed, ++ struct sctp_paramhdr **errp) ++{ ++ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) chunk->chunk_hdr; + union sctp_params param; +- int length, plen; +- +- param.v = (sctp_paramhdr_t *) param_hdr; +- while (param.v <= chunk_end - sizeof(sctp_paramhdr_t)) { +- length = ntohs(param.p->length); +- *errp = param.p; ++ bool addr_param_seen = false; + +- if (param.v > chunk_end - length || +- length < sizeof(sctp_paramhdr_t)) +- return 0; ++ sctp_walk_params(param, addip, addip_hdr.params) { ++ size_t length = ntohs(param.p->length); + ++ *errp = param.p; + switch (param.p->type) { ++ case SCTP_PARAM_ERR_CAUSE: ++ break; ++ case SCTP_PARAM_IPV4_ADDRESS: ++ if (length != sizeof(sctp_ipv4addr_param_t)) ++ return false; ++ addr_param_seen = true; ++ break; ++ case SCTP_PARAM_IPV6_ADDRESS: ++ if (length != sizeof(sctp_ipv6addr_param_t)) ++ return false; ++ addr_param_seen = true; ++ break; + case SCTP_PARAM_ADD_IP: + case SCTP_PARAM_DEL_IP: + case SCTP_PARAM_SET_PRIMARY: +- asconf_param = (sctp_addip_param_t *)param.v; +- plen = ntohs(asconf_param->param_hdr.length); +- if (plen < sizeof(sctp_addip_param_t) + +- sizeof(sctp_paramhdr_t)) +- return 0; ++ /* In ASCONF chunks, these need to be first. 
*/ ++ if (addr_param_needed && !addr_param_seen) ++ return false; ++ length = ntohs(param.addip->param_hdr.length); ++ if (length < sizeof(sctp_addip_param_t) + ++ sizeof(sctp_paramhdr_t)) ++ return false; + break; + case SCTP_PARAM_SUCCESS_REPORT: + case SCTP_PARAM_ADAPTATION_LAYER_IND: + if (length != sizeof(sctp_addip_param_t)) +- return 0; +- ++ return false; + break; + default: +- break; ++ /* This is unkown to us, reject! */ ++ return false; + } +- +- param.v += WORD_ROUND(length); + } + +- if (param.v != chunk_end) +- return 0; ++ /* Remaining sanity checks. */ ++ if (addr_param_needed && !addr_param_seen) ++ return false; ++ if (!addr_param_needed && addr_param_seen) ++ return false; ++ if (param.v != chunk->chunk_end) ++ return false; + +- return 1; ++ return true; + } + + /* Process an incoming ASCONF chunk with the next expected serial no. and +@@ -3120,16 +3133,17 @@ int sctp_verify_asconf(const struct sctp_association *asoc, + struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, + struct sctp_chunk *asconf) + { ++ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) asconf->chunk_hdr; ++ bool all_param_pass = true; ++ union sctp_params param; + sctp_addiphdr_t *hdr; + union sctp_addr_param *addr_param; + sctp_addip_param_t *asconf_param; + struct sctp_chunk *asconf_ack; +- + __be16 err_code; + int length = 0; + int chunk_len; + __u32 serial; +- int all_param_pass = 1; + + chunk_len = ntohs(asconf->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); + hdr = (sctp_addiphdr_t *)asconf->skb->data; +@@ -3157,9 +3171,14 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, + goto done; + + /* Process the TLVs contained within the ASCONF chunk. */ +- while (chunk_len > 0) { ++ sctp_walk_params(param, addip, addip_hdr.params) { ++ /* Skip preceeding address parameters. 
*/ ++ if (param.p->type == SCTP_PARAM_IPV4_ADDRESS || ++ param.p->type == SCTP_PARAM_IPV6_ADDRESS) ++ continue; ++ + err_code = sctp_process_asconf_param(asoc, asconf, +- asconf_param); ++ param.addip); + /* ADDIP 4.1 A7) + * If an error response is received for a TLV parameter, + * all TLVs with no response before the failed TLV are +@@ -3167,28 +3186,20 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, + * the failed response are considered unsuccessful unless + * a specific success indication is present for the parameter. + */ +- if (SCTP_ERROR_NO_ERROR != err_code) +- all_param_pass = 0; +- ++ if (err_code != SCTP_ERROR_NO_ERROR) ++ all_param_pass = false; + if (!all_param_pass) +- sctp_add_asconf_response(asconf_ack, +- asconf_param->crr_id, err_code, +- asconf_param); ++ sctp_add_asconf_response(asconf_ack, param.addip->crr_id, ++ err_code, param.addip); + + /* ADDIP 4.3 D11) When an endpoint receiving an ASCONF to add + * an IP address sends an 'Out of Resource' in its response, it + * MUST also fail any subsequent add or delete requests bundled + * in the ASCONF. + */ +- if (SCTP_ERROR_RSRC_LOW == err_code) ++ if (err_code == SCTP_ERROR_RSRC_LOW) + goto done; +- +- /* Move to the next ASCONF param. */ +- length = ntohs(asconf_param->param_hdr.length); +- asconf_param = (void *)asconf_param + length; +- chunk_len -= length; + } +- + done: + asoc->peer.addip_serial++; + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index 5ac33b6..d02dd3c 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -163,6 +163,9 @@ sctp_chunk_length_valid(struct sctp_chunk *chunk, + { + __u16 chunk_length = ntohs(chunk->chunk_hdr->length); + ++ /* Previously already marked? 
*/ ++ if (unlikely(chunk->pdiscard)) ++ return 0; + if (unlikely(chunk_length < required_length)) + return 0; + +@@ -3516,9 +3519,7 @@ sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep, + struct sctp_chunk *asconf_ack = NULL; + struct sctp_paramhdr *err_param = NULL; + sctp_addiphdr_t *hdr; +- union sctp_addr_param *addr_param; + __u32 serial; +- int length; + + if (!sctp_vtag_verify(chunk, asoc)) { + sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, +@@ -3543,17 +3544,8 @@ sctp_disposition_t sctp_sf_do_asconf(const struct sctp_endpoint *ep, + hdr = (sctp_addiphdr_t *)chunk->skb->data; + serial = ntohl(hdr->serial); + +- addr_param = (union sctp_addr_param *)hdr->params; +- length = ntohs(addr_param->p.length); +- if (length < sizeof(sctp_paramhdr_t)) +- return sctp_sf_violation_paramlen(ep, asoc, type, arg, +- (void *)addr_param, commands); +- + /* Verify the ASCONF chunk before processing it. */ +- if (!sctp_verify_asconf(asoc, +- (sctp_paramhdr_t *)((void *)addr_param + length), +- (void *)chunk->chunk_end, +- &err_param)) ++ if (!sctp_verify_asconf(asoc, chunk, true, &err_param)) + return sctp_sf_violation_paramlen(ep, asoc, type, arg, + (void *)err_param, commands); + +@@ -3670,10 +3662,7 @@ sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep, + rcvd_serial = ntohl(addip_hdr->serial); + + /* Verify the ASCONF-ACK chunk before processing it. 
*/ +- if (!sctp_verify_asconf(asoc, +- (sctp_paramhdr_t *)addip_hdr->params, +- (void *)asconf_ack->chunk_end, +- &err_param)) ++ if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param)) + return sctp_sf_violation_paramlen(ep, asoc, type, arg, + (void *)err_param, commands); + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 6d4d263..cdf77a2 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -4804,6 +4804,9 @@ int cfg80211_testmode_reply(struct sk_buff *skb) + void *hdr = ((void **)skb->cb)[1]; + struct nlattr *data = ((void **)skb->cb)[2]; + ++ /* clear CB data for netlink core to own from now on */ ++ memset(skb->cb, 0, sizeof(skb->cb)); ++ + if (WARN_ON(!rdev->testmode_info)) { + kfree_skb(skb); + return -EINVAL; +@@ -4830,6 +4833,9 @@ void cfg80211_testmode_event(struct sk_buff *skb, gfp_t gfp) + void *hdr = ((void **)skb->cb)[1]; + struct nlattr *data = ((void **)skb->cb)[2]; + ++ /* clear CB data for netlink core to own from now on */ ++ memset(skb->cb, 0, sizeof(skb->cb)); ++ + nla_nest_end(skb, data); + genlmsg_end(skb, hdr); + genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), skb, 0, +diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c +index cf0d46e..7f00d34 100644 +--- a/sound/core/pcm_lib.c ++++ b/sound/core/pcm_lib.c +@@ -1692,14 +1692,16 @@ static int snd_pcm_lib_ioctl_fifo_size(struct snd_pcm_substream *substream, + { + struct snd_pcm_hw_params *params = arg; + snd_pcm_format_t format; +- int channels, width; ++ int channels; ++ ssize_t frame_size; + + params->fifo_size = substream->runtime->hw.fifo_size; + if (!(substream->runtime->hw.info & SNDRV_PCM_INFO_FIFO_IN_FRAMES)) { + format = params_format(params); + channels = params_channels(params); +- width = snd_pcm_format_physical_width(format); +- params->fifo_size /= width * channels; ++ frame_size = snd_pcm_format_size(format, channels); ++ if (frame_size > 0) ++ params->fifo_size /= (unsigned)frame_size; + } + return 0; + } +diff --git 
a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 491cdf0..d10a6ef 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -789,6 +789,7 @@ static void alc_auto_init_amp(struct hda_codec *codec, int type) + case 0x10ec0885: + case 0x10ec0887: + /*case 0x10ec0889:*/ /* this causes an SPDIF problem */ ++ case 0x10ec0900: + alc889_coef_init(codec); + break; + case 0x10ec0888: +@@ -4343,6 +4344,7 @@ static int patch_alc882(struct hda_codec *codec) + switch (codec->vendor_id) { + case 0x10ec0882: + case 0x10ec0885: ++ case 0x10ec0900: + break; + default: + /* ALC883 and variants */ diff --git a/3.2.63/4420_grsecurity-3.0-3.2.63-201411020808.patch b/3.2.64/4420_grsecurity-3.0-3.2.64-201411062032.patch index ab7ff79..7cb2c8e 100644 --- a/3.2.63/4420_grsecurity-3.0-3.2.63-201411020808.patch +++ b/3.2.64/4420_grsecurity-3.0-3.2.64-201411062032.patch @@ -278,7 +278,7 @@ index 88fd7f5..b318a78 100644 ============================================================== diff --git a/Makefile b/Makefile -index 6d3f2d4..8bd5807 100644 +index 2b58ffc..895bdb8 100644 --- a/Makefile +++ b/Makefile @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -14092,7 +14092,7 @@ index 5478825..839e88c 100644 #define flush_insn_slot(p) do { } while (0) diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h -index b3eb9a7..7c34d91 100644 +index 15d24cb..ee4dcd1 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -459,7 +459,7 @@ struct kvm_arch { @@ -23595,7 +23595,7 @@ index 16204dc..0e7d4b7 100644 .smp_prepare_cpus = native_smp_prepare_cpus, .smp_cpus_done = native_smp_cpus_done, diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c -index 6e68bd9..facb68a 100644 +index bb28f2ca..e377b54 100644 --- a/arch/x86/kernel/smpboot.c +++ b/arch/x86/kernel/smpboot.c @@ -252,11 +252,13 @@ notrace static void __cpuinit start_secondary(void *unused) 
@@ -24907,7 +24907,7 @@ index 7110911..069da9c 100644 /* * Encountered an error while doing the restore from the diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index 638cab5..0a38f1e 100644 +index f0ac042..f6e5b65 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -249,6 +249,7 @@ struct gprefix { @@ -25003,7 +25003,7 @@ index 9299410..ade2f9b 100644 spin_unlock(&vcpu->kvm->mmu_lock); diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c -index 2102a17..16e1531 100644 +index 82f97a5..159a0df 100644 --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c @@ -3403,7 +3403,11 @@ static void reload_tss(struct kvm_vcpu *vcpu) @@ -25030,10 +25030,10 @@ index 2102a17..16e1531 100644 local_irq_disable(); diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index a4f6bda..40eb721 100644 +index 578b1c6..5a7039c 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c -@@ -1099,12 +1099,12 @@ static void vmcs_write64(unsigned long field, u64 value) +@@ -1100,12 +1100,12 @@ static void vmcs_write64(unsigned long field, u64 value) #endif } @@ -25048,7 +25048,7 @@ index a4f6bda..40eb721 100644 { vmcs_writel(field, vmcs_readl(field) | mask); } -@@ -1305,7 +1305,11 @@ static void reload_tss(void) +@@ -1306,7 +1306,11 @@ static void reload_tss(void) struct desc_struct *descs; descs = (void *)gdt->address; @@ -25060,7 +25060,7 @@ index a4f6bda..40eb721 100644 load_TR_desc(); } -@@ -1504,6 +1508,10 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu) +@@ -1505,6 +1509,10 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu) vmcs_writel(HOST_TR_BASE, kvm_read_tr_base()); /* 22.2.4 */ vmcs_writel(HOST_GDTR_BASE, gdt->address); /* 22.2.4 */ 
@@ -25071,7 +25071,7 @@ index a4f6bda..40eb721 100644 rdmsrl(MSR_IA32_SYSENTER_ESP, sysenter_esp); vmcs_writel(HOST_IA32_SYSENTER_ESP, sysenter_esp); /* 22.2.3 */ vmx->loaded_vmcs->cpu = cpu; -@@ -2634,8 +2642,11 @@ static __init int hardware_setup(void) +@@ -2635,8 +2643,11 @@ static __init int hardware_setup(void) if (!cpu_has_vmx_flexpriority()) flexpriority_enabled = 0; @@ -25085,18 +25085,18 @@ index a4f6bda..40eb721 100644 if (enable_ept && !cpu_has_vmx_ept_2m_page()) kvm_disable_largepages(); -@@ -3637,7 +3648,10 @@ static void vmx_set_constant_host_state(void) +@@ -3638,7 +3649,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) + unsigned long cr4; vmcs_writel(HOST_CR0, read_cr0() | X86_CR0_TS); /* 22.2.3 */ - vmcs_writel(HOST_CR4, read_cr4()); /* 22.2.3, 22.2.5 */ + +#ifndef CONFIG_PAX_PER_CPU_PGD vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */ +#endif - vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS); /* 22.2.4 */ - vmcs_write16(HOST_DS_SELECTOR, __KERNEL_DS); /* 22.2.4 */ -@@ -3649,7 +3663,7 @@ static void vmx_set_constant_host_state(void) + /* Save the most likely value for this task's CR4 in the VMCS. */ + cr4 = read_cr4(); +@@ -3655,7 +3669,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */ asm("mov $.Lkvm_vmx_return, %0" : "=r"(tmpl)); @@ -25105,7 +25105,7 @@ index a4f6bda..40eb721 100644 rdmsr(MSR_IA32_SYSENTER_CS, low32, high32); vmcs_write32(HOST_IA32_SYSENTER_CS, low32); -@@ -6178,6 +6192,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -6206,6 +6220,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) "jmp .Lkvm_vmx_return \n\t" ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t" ".Lkvm_vmx_return: " 
@@ -25118,7 +25118,7 @@ index a4f6bda..40eb721 100644 /* Save guest registers, load host registers, keep flags */ "mov %0, %c[wordsize](%%"R"sp) \n\t" "pop %0 \n\t" -@@ -6226,6 +6246,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -6254,6 +6274,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) #endif [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)), [wordsize]"i"(sizeof(ulong)) @@ -25130,7 +25130,7 @@ index a4f6bda..40eb721 100644 : "cc", "memory" , R"ax", R"bx", R"di", R"si" #ifdef CONFIG_X86_64 -@@ -6254,7 +6279,16 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -6282,7 +6307,16 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) } } @@ -25149,10 +25149,10 @@ index a4f6bda..40eb721 100644 vmx->exit_reason = vmcs_read32(VM_EXIT_REASON); diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index b9fefaf..32b0407 100644 +index 2d7d0df..4476198 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c -@@ -1344,8 +1344,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) +@@ -1369,8 +1369,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) { struct kvm *kvm = vcpu->kvm; int lm = is_long_mode(vcpu); @@ -25163,7 +25163,7 @@ index b9fefaf..32b0407 100644 u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64 : kvm->arch.xen_hvm_config.blob_size_32; u32 page_num = data & ~PAGE_MASK; -@@ -2162,6 +2162,8 @@ long kvm_arch_dev_ioctl(struct file *filp, +@@ -2187,6 +2187,8 @@ long kvm_arch_dev_ioctl(struct file *filp, if (n < msr_list.nmsrs) goto out; r = -EFAULT; @@ -25172,7 +25172,7 @@ index b9fefaf..32b0407 100644 if (copy_to_user(user_msr_list->indices, &msrs_to_save, num_msrs_to_save * sizeof(u32))) goto out; -@@ -2337,15 +2339,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu, +@@ -2362,15 +2364,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu, struct kvm_cpuid2 *cpuid, struct kvm_cpuid_entry2 __user *entries) { 
@@ -25196,7 +25196,7 @@ index b9fefaf..32b0407 100644 vcpu->arch.cpuid_nent = cpuid->nent; kvm_apic_set_version(vcpu); kvm_x86_ops->cpuid_update(vcpu); -@@ -2360,15 +2367,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu, +@@ -2385,15 +2392,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu, struct kvm_cpuid2 *cpuid, struct kvm_cpuid_entry2 __user *entries) { @@ -25219,7 +25219,7 @@ index b9fefaf..32b0407 100644 return 0; out: -@@ -2743,7 +2754,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu, +@@ -2768,7 +2779,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu, static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu, struct kvm_interrupt *irq) { @@ -25228,7 +25228,7 @@ index b9fefaf..32b0407 100644 return -EINVAL; if (irqchip_in_kernel(vcpu->kvm)) return -ENXIO; -@@ -5184,7 +5195,7 @@ static void kvm_set_mmio_spte_mask(void) +@@ -5209,7 +5220,7 @@ static void kvm_set_mmio_spte_mask(void) kvm_mmu_set_mmio_spte_mask(mask); } @@ -32597,10 +32597,10 @@ index 7b72502..3d7b647 100644 err = -EFAULT; goto out; diff --git a/block/genhd.c b/block/genhd.c -index 8bd4ef2..078f68b9 100644 +index 41b0435..09f9f28 100644 --- a/block/genhd.c +++ b/block/genhd.c -@@ -474,21 +474,24 @@ static char *bdevt_str(dev_t devt, char *buf) +@@ -472,21 +472,24 @@ static char *bdevt_str(dev_t devt, char *buf) /* * Register device numbers dev..(dev+range-1) @@ -32978,7 +32978,7 @@ index ac28db3..0848b37 100644 /* * Buggy BIOS check diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c -index de0791c..d6d4ea3 100644 +index 388ba10..d509dbb 100644 --- a/drivers/acpi/processor_idle.c +++ b/drivers/acpi/processor_idle.c @@ -1036,7 +1036,7 @@ static int acpi_processor_setup_cpuidle_states(struct acpi_processor *pr) @@ -39557,7 +39557,7 @@ index 0e3fa7d..35f9ed6 100644 wait_queue_head_t fifo_queue; int fence_queue_waiters; /* Protected by hw_mutex */ 
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c -index a0c2f12..68ae6cb 100644 +index decca82..7968bc5 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c @@ -137,7 +137,7 @@ int vmw_fifo_init(struct vmw_private *dev_priv, struct vmw_fifo_state *fifo) @@ -39569,7 +39569,7 @@ index a0c2f12..68ae6cb 100644 iowrite32(dev_priv->last_read_seqno, fifo_mem + SVGA_FIFO_FENCE); vmw_marker_queue_init(&fifo->marker_queue); return vmw_fifo_send_fence(dev_priv, &dummy); -@@ -355,7 +355,7 @@ void *vmw_fifo_reserve(struct vmw_private *dev_priv, uint32_t bytes) +@@ -356,7 +356,7 @@ void *vmw_fifo_reserve(struct vmw_private *dev_priv, uint32_t bytes) if (reserveable) iowrite32(bytes, fifo_mem + SVGA_FIFO_RESERVED); @@ -39578,7 +39578,7 @@ index a0c2f12..68ae6cb 100644 } else { need_bounce = true; } -@@ -475,7 +475,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno) +@@ -476,7 +476,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno) fm = vmw_fifo_reserve(dev_priv, bytes); if (unlikely(fm == NULL)) { @@ -39587,7 +39587,7 @@ index a0c2f12..68ae6cb 100644 ret = -ENOMEM; (void)vmw_fallback_wait(dev_priv, false, true, *seqno, false, 3*HZ); -@@ -483,7 +483,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno) +@@ -484,7 +484,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno) } do { 
@@ -48153,32 +48153,6 @@ index 9de9db2..1e09660 100644 fc_frame_free(fp); } -diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c -index 143bbe4..2794a30 100644 ---- a/drivers/scsi/libiscsi.c -+++ b/drivers/scsi/libiscsi.c -@@ -718,11 +718,21 @@ __iscsi_conn_send_pdu(struct iscsi_conn *conn, struct iscsi_hdr *hdr, - return NULL; - } - -+ if (data_size > ISCSI_DEF_MAX_RECV_SEG_LEN) { -+ iscsi_conn_printk(KERN_ERR, conn, "Invalid buffer len of %u for login task. Max len is %u\n", data_size, ISCSI_DEF_MAX_RECV_SEG_LEN); -+ return NULL; -+ } -+ - task = conn->login_task; - } else { - if (session->state != ISCSI_STATE_LOGGED_IN) - return NULL; - -+ if (data_size != 0) { -+ iscsi_conn_printk(KERN_ERR, conn, "Can not send data buffer of len %u for op 0x%x\n", data_size, opcode); -+ return NULL; -+ } -+ - BUG_ON(conn->c_stage == ISCSI_CONN_INITIAL_STAGE); - BUG_ON(conn->c_stage == ISCSI_CONN_STOPPED); - diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c index 5e170e3..1e87efc 100644 --- a/drivers/scsi/libsas/sas_ata.c @@ -50164,7 +50138,7 @@ index ed147c4..94fc3c6 100644 /* core tmem accessor functions */ diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c -index ab5dd16..17f7bd2 100644 +index ae4e7da..46264ce 100644 --- a/drivers/target/iscsi/iscsi_target.c +++ b/drivers/target/iscsi/iscsi_target.c @@ -1357,7 +1357,7 @@ static int iscsit_handle_data_out(struct iscsi_conn *conn, unsigned char *buf) @@ -51322,7 +51296,7 @@ index 032e5a6..bc422e4 100644 wake_up(&usb_kill_urb_queue); usb_put_urb(urb); diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index f08732b..6338872 100644 +index 10aec1a..387cff3 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -25,6 +25,7 @@ @@ -55416,7 +55390,7 @@ index 356dcf0..c0046cd 100644 static const struct super_operations afs_super_ops = { .statfs = afs_statfs, 
diff --git a/fs/aio.c b/fs/aio.c -index 8cdd8ea..64197b4 100644 +index 9acfd07..ad962e7 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -119,7 +119,7 @@ static int aio_setup_ring(struct kioctx *ctx) @@ -55428,7 +55402,7 @@ index 8cdd8ea..64197b4 100644 return -EINVAL; nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event); -@@ -1461,18 +1461,19 @@ static ssize_t aio_fsync(struct kiocb *iocb) +@@ -1468,18 +1468,19 @@ static ssize_t aio_fsync(struct kiocb *iocb) static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat) { ssize_t ret; @@ -55450,7 +55424,7 @@ index 8cdd8ea..64197b4 100644 &kiocb->ki_iovec, 1); if (ret < 0) goto out; -@@ -1481,6 +1482,10 @@ static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat) +@@ -1488,6 +1489,10 @@ static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat) if (ret < 0) goto out; @@ -56882,30 +56856,10 @@ index 200f63b..490b833 100644 /* * used by btrfsctl to scan devices when no FS is mounted diff --git a/fs/buffer.c b/fs/buffer.c -index 5f4bde2..5df71b8 100644 +index 59496e7..5df71b8 100644 --- a/fs/buffer.c 
+++ b/fs/buffer.c -@@ -1021,7 +1021,8 @@ grow_dev_page(struct block_device *bdev, sector_t block, - bh = page_buffers(page); - if (bh->b_size == size) { - end_block = init_page_buffers(page, bdev, -- index << sizebits, size); -+ (sector_t)index << sizebits, -+ size); - goto done; - } - if (!try_to_free_buffers(page)) -@@ -1042,7 +1043,8 @@ grow_dev_page(struct block_device *bdev, sector_t block, - */ - spin_lock(&inode->i_mapping->private_lock); - link_dev_buffers(page, bh); -- end_block = init_page_buffers(page, bdev, index << sizebits, size); -+ end_block = init_page_buffers(page, bdev, (sector_t)index << sizebits, -+ size); - spin_unlock(&inode->i_mapping->private_lock); - done: - ret = (block < end_block) ? 1 : -ENXIO; -@@ -2256,6 +2258,11 @@ static int cont_expand_zero(struct file *file, struct address_space *mapping, +@@ -2258,6 +2258,11 @@ static int cont_expand_zero(struct file *file, struct address_space *mapping, err = 0; balance_dirty_pages_ratelimited(mapping); @@ -56917,7 +56871,7 @@ index 5f4bde2..5df71b8 100644 } /* page covers the boundary, find the boundary offset */ -@@ -3316,7 +3323,7 @@ void __init buffer_init(void) +@@ -3318,7 +3323,7 @@ void __init buffer_init(void) bh_cachep = kmem_cache_create("buffer_head", sizeof(struct buffer_head), 0, (SLAB_RECLAIM_ACCOUNT|SLAB_PANIC| @@ -59189,10 +59143,10 @@ index 40f4d06..7f3507d 100644 /* locality groups */ diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c -index 818b43e..9a76283 100644 +index 5baa7ba..917bb08 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c -@@ -1794,7 +1794,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac, +@@ -1796,7 +1796,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac, BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len); if (EXT4_SB(sb)->s_mb_stats) 
@@ -59201,7 +59155,7 @@ index 818b43e..9a76283 100644 break; } -@@ -2092,7 +2092,7 @@ repeat: +@@ -2094,7 +2094,7 @@ repeat: ac->ac_status = AC_STATUS_CONTINUE; ac->ac_flags |= EXT4_MB_HINT_FIRST; cr = 3; @@ -59210,7 +59164,7 @@ index 818b43e..9a76283 100644 goto repeat; } } -@@ -2599,25 +2599,25 @@ int ext4_mb_release(struct super_block *sb) +@@ -2601,25 +2601,25 @@ int ext4_mb_release(struct super_block *sb) if (sbi->s_mb_stats) { ext4_msg(sb, KERN_INFO, "mballoc: %u blocks %u reqs (%u success)", @@ -59246,7 +59200,7 @@ index 818b43e..9a76283 100644 } free_percpu(sbi->s_locality_groups); -@@ -3101,16 +3101,16 @@ static void ext4_mb_collect_stats(struct ext4_allocation_context *ac) +@@ -3103,16 +3103,16 @@ static void ext4_mb_collect_stats(struct ext4_allocation_context *ac) struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb); if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) { @@ -59269,7 +59223,7 @@ index 818b43e..9a76283 100644 } if (ac->ac_op == EXT4_MB_HISTORY_ALLOC) -@@ -3534,7 +3534,7 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac) +@@ -3539,7 +3539,7 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac) trace_ext4_mb_new_inode_pa(ac, pa); ext4_mb_use_inode_pa(ac, pa); @@ -59278,7 +59232,7 @@ index 818b43e..9a76283 100644 ei = EXT4_I(ac->ac_inode); grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group); -@@ -3594,7 +3594,7 @@ ext4_mb_new_group_pa(struct ext4_allocation_context *ac) +@@ -3599,7 +3599,7 @@ ext4_mb_new_group_pa(struct ext4_allocation_context *ac) trace_ext4_mb_new_group_pa(ac, pa); ext4_mb_use_group_pa(ac, pa); @@ -59287,7 +59241,7 @@ index 818b43e..9a76283 100644 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group); lg = ac->ac_lg; -@@ -3683,7 +3683,7 @@ ext4_mb_release_inode_pa(struct ext4_buddy *e4b, struct buffer_head *bitmap_bh, +@@ -3688,7 +3688,7 @@ ext4_mb_release_inode_pa(struct ext4_buddy *e4b, struct buffer_head *bitmap_bh, * from the bitmap and continue. */ } 
@@ -59296,7 +59250,7 @@ index 818b43e..9a76283 100644 return err; } -@@ -3701,7 +3701,7 @@ ext4_mb_release_group_pa(struct ext4_buddy *e4b, +@@ -3706,7 +3706,7 @@ ext4_mb_release_group_pa(struct ext4_buddy *e4b, ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit); BUG_ON(group != e4b->bd_group && pa->pa_len != 0); mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len); @@ -61558,7 +61512,7 @@ index 4d46a6a..dee1cdf 100644 static int __init init_minix_fs(void) { diff --git a/fs/namei.c b/fs/namei.c -index 9680cef..36c9152 100644 +index dea2dab..6452ab2 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -279,16 +279,32 @@ int generic_permission(struct inode *inode, int mask) @@ -61612,7 +61566,7 @@ index 9680cef..36c9152 100644 return -EACCES; } -@@ -653,11 +661,19 @@ follow_link(struct path *link, struct nameidata *nd, void **p) +@@ -652,11 +660,19 @@ follow_link(struct path *link, struct nameidata *nd, void **p) return error; } @@ -61642,7 +61596,7 @@ index 9680cef..36c9152 100644 put_link(nd, &link, cookie); } while (res > 0); -@@ -1617,6 +1635,8 @@ static int path_lookupat(int dfd, const char *name, +@@ -1624,6 +1642,8 @@ static int path_lookupat(int dfd, const char *name, err = follow_link(&link, nd, &cookie); if (!err) err = lookup_last(nd, &path); @@ -61651,7 +61605,7 @@ index 9680cef..36c9152 100644 put_link(nd, &link, cookie); } } -@@ -1624,6 +1644,13 @@ static int path_lookupat(int dfd, const char *name, +@@ -1631,6 +1651,13 @@ static int path_lookupat(int dfd, const char *name, if (!err) err = complete_walk(nd); @@ -61665,7 +61619,7 @@ index 9680cef..36c9152 100644 if (!err && nd->flags & LOOKUP_DIRECTORY) { if (!nd->inode->i_op->lookup) { path_put(&nd->path); -@@ -1655,6 +1682,12 @@ static int do_path_lookup(int dfd, const char *name, +@@ -1662,6 +1689,12 @@ static int do_path_lookup(int dfd, const char *name, if (nd->path.dentry && nd->inode) audit_inode(name, nd->path.dentry); } 
@@ -61678,7 +61632,7 @@ index 9680cef..36c9152 100644 } return retval; } -@@ -1784,7 +1817,13 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len) +@@ -1791,7 +1824,13 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len) if (!len) return ERR_PTR(-EACCES); @@ -61692,7 +61646,7 @@ index 9680cef..36c9152 100644 while (len--) { c = *(const unsigned char *)name++; if (c == '/' || c == '\0') -@@ -2048,6 +2087,13 @@ static int may_open(struct path *path, int acc_mode, int flag) +@@ -2055,6 +2094,13 @@ static int may_open(struct path *path, int acc_mode, int flag) if (flag & O_NOATIME && !inode_owner_or_capable(inode)) return -EPERM; @@ -61706,7 +61660,7 @@ index 9680cef..36c9152 100644 return 0; } -@@ -2083,7 +2129,7 @@ static inline int open_to_namei_flags(int flag) +@@ -2090,7 +2136,7 @@ static inline int open_to_namei_flags(int flag) /* * Handle the last step of open() */ @@ -61715,7 +61669,7 @@ index 9680cef..36c9152 100644 const struct open_flags *op, const char *pathname) { struct dentry *dir = nd->path.dentry; -@@ -2109,16 +2155,32 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2116,16 +2162,32 @@ static struct file *do_last(struct nameidata *nd, struct path *path, error = complete_walk(nd); if (error) return ERR_PTR(error); @@ -61748,7 +61702,7 @@ index 9680cef..36c9152 100644 audit_inode(pathname, dir); goto ok; } -@@ -2134,18 +2196,31 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2141,18 +2203,31 @@ static struct file *do_last(struct nameidata *nd, struct path *path, !symlink_ok); if (error < 0) return ERR_PTR(error); 
@@ -61781,7 +61735,7 @@ index 9680cef..36c9152 100644 audit_inode(pathname, nd->path.dentry); goto ok; } -@@ -2180,6 +2255,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2187,6 +2262,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path, /* Negative dentry, just create the file */ if (!dentry->d_inode) { int mode = op->mode; @@ -61799,7 +61753,7 @@ index 9680cef..36c9152 100644 if (!IS_POSIXACL(dir->d_inode)) mode &= ~current_umask(); /* -@@ -2203,6 +2289,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2210,6 +2296,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path, error = vfs_create(dir->d_inode, dentry, mode, nd); if (error) goto exit_mutex_unlock; @@ -61808,7 +61762,7 @@ index 9680cef..36c9152 100644 mutex_unlock(&dir->d_inode->i_mutex); dput(nd->path.dentry); nd->path.dentry = dentry; -@@ -2212,6 +2300,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2219,6 +2307,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path, /* * It already exists. */ @@ -61828,7 +61782,7 @@ index 9680cef..36c9152 100644 mutex_unlock(&dir->d_inode->i_mutex); audit_inode(pathname, path->dentry); -@@ -2230,11 +2331,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2237,11 +2338,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path, if (!path->dentry->d_inode) goto exit_dput; @@ -61847,7 +61801,7 @@ index 9680cef..36c9152 100644 /* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */ error = complete_walk(nd); if (error) -@@ -2242,6 +2349,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2249,6 +2356,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path, error = -EISDIR; if (S_ISDIR(nd->inode->i_mode)) goto exit; 
@@ -61860,7 +61814,7 @@ index 9680cef..36c9152 100644 ok: if (!S_ISREG(nd->inode->i_mode)) will_truncate = 0; -@@ -2314,7 +2427,7 @@ static struct file *path_openat(int dfd, const char *pathname, +@@ -2321,7 +2434,7 @@ static struct file *path_openat(int dfd, const char *pathname, if (unlikely(error)) goto out_filp; @@ -61869,7 +61823,7 @@ index 9680cef..36c9152 100644 while (unlikely(!filp)) { /* trailing symlink */ struct path link = path; void *cookie; -@@ -2329,8 +2442,9 @@ static struct file *path_openat(int dfd, const char *pathname, +@@ -2336,8 +2449,9 @@ static struct file *path_openat(int dfd, const char *pathname, error = follow_link(&link, nd, &cookie); if (unlikely(error)) filp = ERR_PTR(error); @@ -61881,7 +61835,7 @@ index 9680cef..36c9152 100644 put_link(nd, &link, cookie); } out: -@@ -2424,6 +2538,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path +@@ -2431,6 +2545,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path *path = nd.path; return dentry; eexist: @@ -61893,7 +61847,7 @@ index 9680cef..36c9152 100644 dput(dentry); dentry = ERR_PTR(-EEXIST); fail: -@@ -2446,6 +2565,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat +@@ -2453,6 +2572,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat } EXPORT_SYMBOL(user_path_create); @@ -61914,7 +61868,7 @@ index 9680cef..36c9152 100644 int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) { int error = may_create(dir, dentry); -@@ -2513,6 +2646,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, +@@ -2520,6 +2653,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, error = mnt_want_write(path.mnt); if (error) goto out_dput; 
@@ -61932,7 +61886,7 @@ index 9680cef..36c9152 100644 error = security_path_mknod(&path, dentry, mode, dev); if (error) goto out_drop_write; -@@ -2530,6 +2674,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, +@@ -2537,6 +2681,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, } out_drop_write: mnt_drop_write(path.mnt); @@ -61942,7 +61896,7 @@ index 9680cef..36c9152 100644 out_dput: dput(dentry); mutex_unlock(&path.dentry->d_inode->i_mutex); -@@ -2579,12 +2726,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) +@@ -2586,12 +2733,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) error = mnt_want_write(path.mnt); if (error) goto out_dput; @@ -61964,7 +61918,7 @@ index 9680cef..36c9152 100644 out_dput: dput(dentry); mutex_unlock(&path.dentry->d_inode->i_mutex); -@@ -2664,6 +2820,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2671,6 +2827,8 @@ static long do_rmdir(int dfd, const char __user *pathname) char * name; struct dentry *dentry; struct nameidata nd; @@ -61973,7 +61927,7 @@ index 9680cef..36c9152 100644 error = user_path_parent(dfd, pathname, &nd, &name); if (error) -@@ -2692,6 +2850,15 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2699,6 +2857,15 @@ static long do_rmdir(int dfd, const char __user *pathname) error = -ENOENT; goto exit3; } @@ -61989,7 +61943,7 @@ index 9680cef..36c9152 100644 error = mnt_want_write(nd.path.mnt); if (error) goto exit3; -@@ -2699,6 +2866,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2706,6 +2873,8 @@ static long do_rmdir(int dfd, const char __user *pathname) if (error) goto exit4; error = vfs_rmdir(nd.path.dentry->d_inode, dentry); 
@@ -61998,7 +61952,7 @@ index 9680cef..36c9152 100644 exit4: mnt_drop_write(nd.path.mnt); exit3: -@@ -2761,6 +2930,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2768,6 +2937,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) struct dentry *dentry; struct nameidata nd; struct inode *inode = NULL; @@ -62007,7 +61961,7 @@ index 9680cef..36c9152 100644 error = user_path_parent(dfd, pathname, &nd, &name); if (error) -@@ -2783,6 +2954,16 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2790,6 +2961,16 @@ static long do_unlinkat(int dfd, const char __user *pathname) if (!inode) goto slashes; ihold(inode); @@ -62024,7 +61978,7 @@ index 9680cef..36c9152 100644 error = mnt_want_write(nd.path.mnt); if (error) goto exit2; -@@ -2790,6 +2971,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2797,6 +2978,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) if (error) goto exit3; error = vfs_unlink(nd.path.dentry->d_inode, dentry); @@ -62033,7 +61987,7 @@ index 9680cef..36c9152 100644 exit3: mnt_drop_write(nd.path.mnt); exit2: -@@ -2865,10 +3048,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, +@@ -2872,10 +3055,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, error = mnt_want_write(path.mnt); if (error) goto out_dput; @@ -62052,7 +62006,7 @@ index 9680cef..36c9152 100644 out_drop_write: mnt_drop_write(path.mnt); out_dput: -@@ -2940,6 +3131,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -2947,6 +3138,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, { struct dentry *new_dentry; struct path old_path, new_path; @@ -62060,7 +62014,7 @@ index 9680cef..36c9152 100644 int how = 0; int error; -@@ -2963,7 +3155,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -2970,7 +3162,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, if (error) return error; 
@@ -62069,7 +62023,7 @@ index 9680cef..36c9152 100644 error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) goto out; -@@ -2974,13 +3166,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -2981,13 +3173,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, error = mnt_want_write(new_path.mnt); if (error) goto out_dput; @@ -62100,7 +62054,7 @@ index 9680cef..36c9152 100644 dput(new_dentry); mutex_unlock(&new_path.dentry->d_inode->i_mutex); path_put(&new_path); -@@ -3208,6 +3417,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, +@@ -3215,6 +3424,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, if (new_dentry == trap) goto exit5; @@ -62113,7 +62067,7 @@ index 9680cef..36c9152 100644 error = mnt_want_write(oldnd.path.mnt); if (error) goto exit5; -@@ -3217,6 +3432,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, +@@ -3224,6 +3439,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, goto exit6; error = vfs_rename(old_dir->d_inode, old_dentry, new_dir->d_inode, new_dentry); @@ -62123,7 +62077,7 @@ index 9680cef..36c9152 100644 exit6: mnt_drop_write(oldnd.path.mnt); exit5: -@@ -3242,6 +3460,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna +@@ -3249,6 +3467,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link) { @@ -62132,7 +62086,7 @@ index 9680cef..36c9152 100644 int len; len = PTR_ERR(link); -@@ -3251,7 +3471,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c +@@ -3258,7 +3478,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c len = strlen(link); if (len > (unsigned) buflen) len = buflen; @@ -62355,7 +62309,7 @@ index b78b5b6..c64d84f 100644 void nfs_fattr_init(struct nfs_fattr *fattr) 
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c -index c4a2a68..ec7ff6e 100644 +index 61a1303..3e0034a 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -1037,7 +1037,7 @@ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata) @@ -62476,10 +62430,10 @@ index c45a2ea..1a6bd66 100644 #ifdef CONFIG_PROC_FS static int create_proc_exports_entry(void) diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c -index 11e1888..216bf2f 100644 +index e2e7914..f057f88 100644 --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c -@@ -957,7 +957,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file, +@@ -960,7 +960,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file, } else { oldfs = get_fs(); set_fs(KERNEL_DS); @@ -62488,7 +62442,7 @@ index 11e1888..216bf2f 100644 set_fs(oldfs); } -@@ -1061,7 +1061,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file, +@@ -1064,7 +1064,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file, /* Write the data. */ oldfs = get_fs(); set_fs(KERNEL_DS); @@ -62497,7 +62451,7 @@ index 11e1888..216bf2f 100644 set_fs(oldfs); if (host_err < 0) goto out_nfserr; -@@ -1602,7 +1602,7 @@ nfsd_readlink(struct svc_rqst *rqstp, struct svc_fh *fhp, char *buf, int *lenp) +@@ -1605,7 +1605,7 @@ nfsd_readlink(struct svc_rqst *rqstp, struct svc_fh *fhp, char *buf, int *lenp) */ oldfs = get_fs(); set_fs(KERNEL_DS); @@ -78989,7 +78943,7 @@ index 7408af8..8d6f9dd 100644 #ifdef CONFIG_CPU_IDLE diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h -index 4f7a632..b9e6f95 100644 +index 4f7a6323..b9e6f95 100644 --- a/include/linux/cpumask.h +++ b/include/linux/cpumask.h @@ -117,17 +117,17 @@ static inline unsigned int cpumask_first(const struct cpumask *srcp) @@ -81204,10 +81158,10 @@ index e2e1ab5..1e1e417 100644 irq_flow_handler_t handle_irq; #ifdef CONFIG_IRQ_PREFLOW_FASTEOI 
diff --git a/include/linux/jiffies.h b/include/linux/jiffies.h -index f5df3dc..116cbeb 100644 +index f4e8578..cbfc9fc 100644 --- a/include/linux/jiffies.h +++ b/include/linux/jiffies.h -@@ -295,9 +295,9 @@ extern unsigned long preset_lpj; +@@ -283,9 +283,9 @@ extern unsigned long preset_lpj; */ extern unsigned int jiffies_to_msecs(const unsigned long j); extern unsigned int jiffies_to_usecs(const unsigned long j); @@ -85502,7 +85456,7 @@ index 3702939..cf9e78e 100644 extern int __rtnl_link_register(struct rtnl_link_ops *ops); extern void __rtnl_link_unregister(struct rtnl_link_ops *ops); diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h -index ad03988..0c5a964 100644 +index e0f1c91..c73f85c 100644 --- a/include/net/sctp/sctp.h +++ b/include/net/sctp/sctp.h @@ -318,9 +318,9 @@ do { \ @@ -85519,7 +85473,7 @@ index ad03988..0c5a964 100644 #define SCTP_DISABLE_DEBUG #define SCTP_ASSERT(expr, str, func) diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h -index 9148632..be3c5ac 100644 +index 4d1be75..a54d29e 100644 --- a/include/net/sctp/sm.h +++ b/include/net/sctp/sm.h @@ -86,7 +86,7 @@ typedef void (sctp_timer_event_t) (unsigned long); @@ -86297,10 +86251,10 @@ index 0993a22..32ba2fe 100644 void *pmi_pal; u8 *vbe_state_orig; /* diff --git a/init/Kconfig b/init/Kconfig -index 43298f9..7e4816c 100644 +index b8dc1de..e4ce6c6 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -1214,7 +1214,7 @@ config SLUB_DEBUG +@@ -1215,7 +1215,7 @@ config SLUB_DEBUG config COMPAT_BRK bool "Disable heap randomization" @@ -86309,7 +86263,7 @@ index 43298f9..7e4816c 100644 help Randomizing heap placement makes heap exploits harder, but it also breaks ancient binaries (including anything libc5 based). -@@ -1397,7 +1397,7 @@ config INIT_ALL_POSSIBLE +@@ -1398,7 +1398,7 @@ config INIT_ALL_POSSIBLE config STOP_MACHINE bool default y 
@@ -87325,10 +87279,10 @@ index b463871..59495fd 100644 * nsown_capable - Check superior capability to one's own user_ns * @cap: The capability in question diff --git a/kernel/cgroup.c b/kernel/cgroup.c -index 93fc15e..94e383a 100644 +index ffcf896..a88b61f 100644 --- a/kernel/cgroup.c +++ b/kernel/cgroup.c -@@ -4750,6 +4750,14 @@ static void cgroup_release_agent(struct work_struct *work) +@@ -4755,6 +4755,14 @@ static void cgroup_release_agent(struct work_struct *work) release_list); list_del_init(&cgrp->release_list); raw_spin_unlock(&release_list_lock); @@ -87343,7 +87297,7 @@ index 93fc15e..94e383a 100644 pathbuf = kmalloc(PAGE_SIZE, GFP_KERNEL); if (!pathbuf) goto continue_free; -@@ -5169,7 +5177,7 @@ static int cgroup_css_links_read(struct cgroup *cont, +@@ -5174,7 +5182,7 @@ static int cgroup_css_links_read(struct cgroup *cont, struct css_set *cg = link->cg; struct task_struct *task; int count = 0; @@ -87767,7 +87721,7 @@ index 63786e7..0780cac 100644 #ifdef CONFIG_MODULE_UNLOAD { diff --git a/kernel/events/core.c b/kernel/events/core.c -index 14c111c..98d977c 100644 +index 4a14895..e44008c 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -145,8 +145,15 @@ static struct srcu_struct pmus_srcu; @@ -87796,7 +87750,7 @@ index 14c111c..98d977c 100644 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx, enum event_type_t event_type); -@@ -2589,7 +2596,7 @@ static void __perf_event_read(void *info) +@@ -2599,7 +2606,7 @@ static void __perf_event_read(void *info) static inline u64 perf_event_count(struct perf_event *event) { @@ -87805,7 +87759,7 @@ index 14c111c..98d977c 100644 } static u64 perf_event_read(struct perf_event *event) -@@ -3132,9 +3139,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running) +@@ -3142,9 +3149,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running) mutex_lock(&event->child_mutex); total += perf_event_read(event); *enabled += event->total_time_enabled + 
@@ -87817,7 +87771,7 @@ index 14c111c..98d977c 100644 list_for_each_entry(child, &event->child_list, child_list) { total += perf_event_read(child); -@@ -3526,10 +3533,10 @@ void perf_event_update_userpage(struct perf_event *event) +@@ -3536,10 +3543,10 @@ void perf_event_update_userpage(struct perf_event *event) userpg->offset -= local64_read(&event->hw.prev_count); userpg->time_enabled = enabled + @@ -87830,7 +87784,7 @@ index 14c111c..98d977c 100644 barrier(); ++userpg->lock; -@@ -4037,11 +4044,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, +@@ -4047,11 +4054,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, values[n++] = perf_event_count(event); if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) { values[n++] = enabled + @@ -87844,7 +87798,7 @@ index 14c111c..98d977c 100644 } if (read_format & PERF_FORMAT_ID) values[n++] = primary_event_id(event); -@@ -4692,12 +4699,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) +@@ -4702,12 +4709,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) * need to add enough zero bytes after the string to handle * the 64bit alignment we do later. */ @@ -87859,7 +87813,7 @@ index 14c111c..98d977c 100644 if (IS_ERR(name)) { name = strncpy(tmp, "//toolong", sizeof(tmp)); goto got_name; -@@ -6063,7 +6070,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, +@@ -6073,7 +6080,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, event->parent = parent_event; event->ns = get_pid_ns(current->nsproxy->pid_ns); @@ -87868,7 +87822,7 @@ index 14c111c..98d977c 100644 event->state = PERF_EVENT_STATE_INACTIVE; -@@ -6309,6 +6316,11 @@ SYSCALL_DEFINE5(perf_event_open, +@@ -6319,6 +6326,11 @@ SYSCALL_DEFINE5(perf_event_open, if (flags & ~PERF_FLAG_ALL) return -EINVAL; 
@@ -87880,7 +87834,7 @@ index 14c111c..98d977c 100644 err = perf_copy_attr(attr_uptr, &attr); if (err) return err; -@@ -6607,10 +6619,10 @@ static void sync_child_event(struct perf_event *child_event, +@@ -6617,10 +6629,10 @@ static void sync_child_event(struct perf_event *child_event, /* * Add back the child's count to the parent's count: */ @@ -87894,18 +87848,6 @@ index 14c111c..98d977c 100644 &parent_event->child_total_time_running); /* -@@ -7071,8 +7083,10 @@ int perf_event_init_task(struct task_struct *child) - - for_each_task_context_nr(ctxn) { - ret = perf_event_init_context(child, ctxn); -- if (ret) -+ if (ret) { -+ perf_event_free_task(child); - return ret; -+ } - } - - return 0; diff --git a/kernel/events/internal.h b/kernel/events/internal.h index a2101bb..f2e0354 100644 --- a/kernel/events/internal.h @@ -88037,7 +87979,7 @@ index fde15f9..99f1b97 100644 { struct signal_struct *sig = current->signal; diff --git a/kernel/fork.c b/kernel/fork.c -index 13bba30..ee14dbd 100644 +index 29b4604..ee14dbd 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -34,6 +34,7 @@ @@ -88479,15 +88421,6 @@ index 13bba30..ee14dbd 100644 goto bad_fork_free; } current->flags &= ~PF_NPROC_EXCEEDED; -@@ -1221,7 +1345,7 @@ static struct task_struct *copy_process(unsigned long clone_flags, - goto bad_fork_cleanup_policy; - retval = audit_alloc(p); - if (retval) -- goto bad_fork_cleanup_policy; -+ goto bad_fork_cleanup_perf; - /* copy all the process information */ - retval = copy_semundo(clone_flags, p); - if (retval) @@ -1341,6 +1465,11 @@ static struct task_struct *copy_process(unsigned long clone_flags, goto bad_fork_free_pid; } 
@@ -88500,18 +88433,7 @@ index 13bba30..ee14dbd 100644 if (clone_flags & CLONE_THREAD) { current->signal->nr_threads++; atomic_inc(¤t->signal->live); -@@ -1406,8 +1535,9 @@ bad_fork_cleanup_semundo: - exit_sem(p); - bad_fork_cleanup_audit: - audit_free(p); --bad_fork_cleanup_policy: -+bad_fork_cleanup_perf: - perf_event_free_task(p); -+bad_fork_cleanup_policy: - #ifdef CONFIG_NUMA - mpol_put(p->mempolicy); - bad_fork_cleanup_cgroup: -@@ -1423,6 +1553,8 @@ bad_fork_cleanup_count: +@@ -1424,6 +1553,8 @@ bad_fork_cleanup_count: bad_fork_free: free_task(p); fork_out: @@ -88520,7 +88442,7 @@ index 13bba30..ee14dbd 100644 return ERR_PTR(retval); } -@@ -1509,6 +1641,7 @@ long do_fork(unsigned long clone_flags, +@@ -1510,6 +1641,7 @@ long do_fork(unsigned long clone_flags, p = copy_process(clone_flags, stack_start, regs, stack_size, child_tidptr, NULL, trace); @@ -88528,7 +88450,7 @@ index 13bba30..ee14dbd 100644 /* * Do this prior waking up the new thread - the thread pointer * might get invalid after that point, if the thread exits quickly. -@@ -1525,6 +1658,8 @@ long do_fork(unsigned long clone_flags, +@@ -1526,6 +1658,8 @@ long do_fork(unsigned long clone_flags, if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, parent_tidptr); @@ -88537,7 +88459,7 @@ index 13bba30..ee14dbd 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done = &vfork; init_completion(&vfork); -@@ -1597,7 +1732,7 @@ void __init proc_caches_init(void) +@@ -1598,7 +1732,7 @@ void __init proc_caches_init(void) mm_cachep = kmem_cache_create("mm_struct", sizeof(struct mm_struct), ARCH_MIN_MMSTRUCT_ALIGN, SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_NOTRACK, NULL); 
@@ -88546,7 +88468,7 @@ index 13bba30..ee14dbd 100644 mmap_init(); nsproxy_cache_init(); } -@@ -1636,7 +1771,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) +@@ -1637,7 +1771,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) return 0; /* don't need lock here; in the worst case we'll do useless copy */ @@ -88555,7 +88477,7 @@ index 13bba30..ee14dbd 100644 return 0; *new_fsp = copy_fs_struct(fs); -@@ -1725,7 +1860,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -1726,7 +1860,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) fs = current->fs; spin_lock(&fs->lock); current->fs = new_fs; @@ -88566,7 +88488,7 @@ index 13bba30..ee14dbd 100644 else new_fs = fs; diff --git a/kernel/futex.c b/kernel/futex.c -index 1bb37d0..8d00f9b 100644 +index f31f190..8d00f9b 100644 --- a/kernel/futex.c +++ b/kernel/futex.c @@ -54,6 +54,7 @@ @@ -88625,15 +88547,7 @@ index 1bb37d0..8d00f9b 100644 pagefault_disable(); ret = __copy_from_user_inatomic(dest, from, sizeof(u32)); -@@ -2460,6 +2468,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags, - * shared futexes. We need to compare the keys: - */ - if (match_futex(&q.key, &key2)) { -+ queue_unlock(&q, hb); - ret = -EINVAL; - goto out_put_keys; - } -@@ -2877,6 +2886,7 @@ static int __init futex_init(void) +@@ -2878,6 +2886,7 @@ static int __init futex_init(void) { u32 curval; int i; @@ -88641,7 +88555,7 @@ index 1bb37d0..8d00f9b 100644 /* * This will fail and we want it. Some arch implementations do -@@ -2888,8 +2898,11 @@ static int __init futex_init(void) +@@ -2889,8 +2898,11 @@ static int __init futex_init(void) * implementation, the non-functional ones will return * -ENOSYS. */ @@ -93069,7 +92983,7 @@ index e660464..c8b9e67 100644 return cmd_attr_register_cpumask(info); else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK]) 
diff --git a/kernel/time.c b/kernel/time.c -index 73e416d..cfc6f69 100644 +index 060f961..fe7a19e 100644 --- a/kernel/time.c +++ b/kernel/time.c @@ -163,6 +163,11 @@ int do_sys_settimeofday(const struct timespec *tv, const struct timezone *tz) @@ -93085,82 +92999,10 @@ index 73e416d..cfc6f69 100644 sys_tz = *tz; update_vsyscall_tz(); diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c -index eb198a3..42f27b5 100644 +index 7eaf162..e2615e7 100644 --- a/kernel/time/alarmtimer.c 
+++ b/kernel/time/alarmtimer.c -@@ -442,18 +442,26 @@ static enum alarmtimer_type clock2alarm(clockid_t clockid) - static enum alarmtimer_restart alarm_handle_timer(struct alarm *alarm, - ktime_t now) - { -+ unsigned long flags; - struct k_itimer *ptr = container_of(alarm, struct k_itimer, - it.alarm.alarmtimer); -- if (posix_timer_event(ptr, 0) != 0) -- ptr->it_overrun++; -+ enum alarmtimer_restart result = ALARMTIMER_NORESTART; -+ -+ spin_lock_irqsave(&ptr->it_lock, flags); -+ if ((ptr->it_sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE) { -+ if (posix_timer_event(ptr, 0) != 0) -+ ptr->it_overrun++; -+ } - - /* Re-add periodic timers */ - if (ptr->it.alarm.interval.tv64) { - ptr->it_overrun += alarm_forward(alarm, now, - ptr->it.alarm.interval); -- return ALARMTIMER_RESTART; -+ result = ALARMTIMER_RESTART; - } -- return ALARMTIMER_NORESTART; -+ spin_unlock_irqrestore(&ptr->it_lock, flags); -+ -+ return result; - } - - /** -@@ -514,23 +522,33 @@ static int alarm_timer_create(struct k_itimer *new_timer) - return 0; - } - -+static ktime_t alarm_expires_remaining(const struct alarm *alarm) -+{ -+ struct alarm_base *base = &alarm_bases[alarm->type]; -+ return ktime_sub(alarm->node.expires, base->gettime()); -+} -+ - /** - * alarm_timer_get - posix timer_get interface - * @new_timer: k_itimer pointer - * @cur_setting: itimerspec data to fill - * -- * Copies the itimerspec data out from the k_itimer -+ * Copies out the current itimerspec data - */ - static void alarm_timer_get(struct k_itimer *timr, - struct itimerspec *cur_setting) - { -- memset(cur_setting, 0, sizeof(struct itimerspec)); -+ ktime_t relative_expiry_time = -+ alarm_expires_remaining(&(timr->it.alarm.alarmtimer)); - -- cur_setting->it_interval = -- ktime_to_timespec(timr->it.alarm.interval); -- cur_setting->it_value = -- ktime_to_timespec(timr->it.alarm.alarmtimer.node.expires); -- return; -+ if (ktime_to_ns(relative_expiry_time) > 0) { -+ cur_setting->it_value = ktime_to_timespec(relative_expiry_time); 
-+ } else { -+ cur_setting->it_value.tv_sec = 0; -+ cur_setting->it_value.tv_nsec = 0; -+ } -+ -+ cur_setting->it_interval = ktime_to_timespec(timr->it.alarm.interval); - } - - /** -@@ -789,7 +807,7 @@ static int __init alarmtimer_init(void) +@@ -807,7 +807,7 @@ static int __init alarmtimer_init(void) struct platform_device *pdev; int error = 0; int i; @@ -93445,7 +93287,7 @@ index dcbafed..9feb3de 100644 ftrace_graph_active++; diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c -index 4babd77..3e869fd 100644 +index b252661..45b218f 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -376,9 +376,9 @@ struct buffer_data_page { 
@@ -93963,6 +93805,82 @@ index c5b20a3..6b38c73 100644 return; local_irq_save(flags); +diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c +index 7c75bbb..f32b331 100644 +--- a/kernel/trace/trace_syscalls.c ++++ b/kernel/trace/trace_syscalls.c +@@ -309,7 +309,7 @@ void ftrace_syscall_enter(void *ignore, struct pt_regs *regs, long id) + int syscall_nr; + + syscall_nr = syscall_get_nr(current, regs); +- if (syscall_nr < 0) ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) + return; + if (!test_bit(syscall_nr, enabled_enter_syscalls)) + return; +@@ -349,7 +349,7 @@ void ftrace_syscall_exit(void *ignore, struct pt_regs *regs, long ret) + int syscall_nr; + + syscall_nr = syscall_get_nr(current, regs); +- if (syscall_nr < 0) ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) + return; + if (!test_bit(syscall_nr, enabled_exit_syscalls)) + return; +@@ -519,6 +519,8 @@ static void perf_syscall_enter(void *ignore, struct pt_regs *regs, long id) + int size; + + syscall_nr = syscall_get_nr(current, regs); ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) ++ return; + if (!test_bit(syscall_nr, enabled_perf_enter_syscalls)) + return; + +@@ -554,6 +556,8 @@ int perf_sysenter_enable(struct ftrace_event_call *call) + int num; + + num = ((struct syscall_metadata *)call->data)->syscall_nr; ++ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls)) ++ return -EINVAL; + + mutex_lock(&syscall_trace_lock); + if (!sys_perf_refcount_enter) +@@ -574,6 +578,8 @@ void perf_sysenter_disable(struct ftrace_event_call *call) + int num; + + num = ((struct syscall_metadata *)call->data)->syscall_nr; ++ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls)) ++ return; + + mutex_lock(&syscall_trace_lock); + sys_perf_refcount_enter--; +@@ -593,6 +599,8 @@ static void perf_syscall_exit(void *ignore, struct pt_regs *regs, long ret) + int size; + + syscall_nr = syscall_get_nr(current, regs); ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) ++ return; + if (!test_bit(syscall_nr, 
enabled_perf_exit_syscalls)) + return; + +@@ -630,6 +638,8 @@ int perf_sysexit_enable(struct ftrace_event_call *call) + int num; + + num = ((struct syscall_metadata *)call->data)->syscall_nr; ++ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls)) ++ return -EINVAL; + + mutex_lock(&syscall_trace_lock); + if (!sys_perf_refcount_exit) +@@ -650,6 +660,8 @@ void perf_sysexit_disable(struct ftrace_event_call *call) + int num; + + num = ((struct syscall_metadata *)call->data)->syscall_nr; ++ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls)) ++ return; + + mutex_lock(&syscall_trace_lock); + sys_perf_refcount_exit--; diff --git a/kernel/trace/trace_workqueue.c b/kernel/trace/trace_workqueue.c index 209b379..7f76423 100644 --- a/kernel/trace/trace_workqueue.c @@ -96613,23 +96531,10 @@ index a72fa33..0b12a09 100644 err = -EPERM; goto out; diff --git a/mm/migrate.c b/mm/migrate.c -index 09d6a9d..e2941874 100644 +index 7d26ea5..e2941874 100644 --- a/mm/migrate.c +++ b/mm/migrate.c -@@ -141,8 +141,11 @@ static int remove_migration_pte(struct page *new, struct vm_area_struct *vma, - - get_page(new); - pte = pte_mkold(mk_pte(new, vma->vm_page_prot)); -+ -+ /* Recheck VMA as permissions can change since migration started */ - if (is_write_migration_entry(entry)) -- pte = pte_mkwrite(pte); -+ pte = maybe_mkwrite(pte, vma); -+ - #ifdef CONFIG_HUGETLB_PAGE - if (PageHuge(new)) - pte = pte_mkhuge(pte); -@@ -1389,6 +1392,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages, +@@ -1392,6 +1392,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages, if (!mm) return -EINVAL; 
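Review bot: The range checks added to kernel/trace/trace_syscalls.c carry no comment saying what they protect, and `syscall_nr >= NR_syscalls` alone does not explain it. In ftrace_syscall_enter/exit and perf_syscall_enter/exit the value returned by `syscall_get_nr()` is used on the very next line as the bit index for `test_bit()` on the `enabled_*_syscalls` bitmaps, so the bound is what keeps that index inside the bitmap (presumably sized by NR_syscalls; the declarations are outside the hunk). I would put `/* syscall_nr indexes the enabled_*_syscalls bitmaps; reject anything outside [0, NR_syscalls) */` above the first check. The `WARN_ON_ONCE` variants in perf_sys{enter,exit}_{enable,disable} differ because `num` is read from `call->data` metadata rather than from the traced task, which deserves a one-line comment as well. All eight function bodies continue outside the quoted hunks.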
@@ -96644,7 +96549,7 @@ index 09d6a9d..e2941874 100644 /* * Check if this process has the right to modify the specified * process. The right exists if the process has administrative -@@ -1398,8 +1409,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages, +@@ -1401,8 +1409,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages, rcu_read_lock(); tcred = __task_cred(task); if (cred->euid != tcred->suid && cred->euid != tcred->uid && @@ -98835,7 +98740,7 @@ index 62a7fa23..aaa6823 100644 if (order && (gfp_flags & __GFP_COMP)) prep_compound_page(page, order); diff --git a/mm/percpu.c b/mm/percpu.c -index 5c29750..99f6386 100644 +index e29a1c4..e7f90f0 100644 --- a/mm/percpu.c +++ b/mm/percpu.c @@ -121,7 +121,7 @@ static unsigned int pcpu_low_unit_cpu __read_mostly; @@ -99040,7 +98945,7 @@ index f3f6fd3..0d91a63 100644 /* diff --git a/mm/shmem.c b/mm/shmem.c -index 1371021..7104960 100644 +index 83efac6..7104960 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -31,7 +31,7 @@ @@ -99061,19 +98966,7 @@ index 1371021..7104960 100644 /* * vmtruncate_range() communicates with shmem_fault via -@@ -1719,8 +1719,10 @@ static int shmem_rename(struct inode *old_dir, struct dentry *old_dentry, struct - - if (new_dentry->d_inode) { - (void) shmem_unlink(new_dir, new_dentry); -- if (they_are_dirs) -+ if (they_are_dirs) { -+ drop_nlink(new_dentry->d_inode); - drop_nlink(old_dir); -+ } - } else if (they_are_dirs) { - drop_nlink(old_dir); - inc_nlink(new_dir); -@@ -1924,6 +1926,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = { +@@ -1926,6 +1926,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = { static int shmem_xattr_validate(const char *name) { struct { const char *prefix; size_t len; } arr[] = { 
@@ -99085,7 +98978,7 @@ index 1371021..7104960 100644 { XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN }, { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN } }; -@@ -1977,6 +1984,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name, +@@ -1979,6 +1984,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name, if (err) return err; @@ -99101,7 +98994,7 @@ index 1371021..7104960 100644 if (size == 0) value = ""; /* empty EA, do not remove */ -@@ -2310,8 +2326,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) +@@ -2312,8 +2326,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) int err = -ENOMEM; /* Round up to L1_CACHE_BYTES to resist false sharing */ 
@@ -101690,360 +101583,6 @@ index ba873c3..3b00036 100644 if (!can_dir) { printk(KERN_INFO "can: failed to create /proc/net/can . " -diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c -index 1587dc6..9898d1f 100644 ---- a/net/ceph/auth_x.c -+++ b/net/ceph/auth_x.c -@@ -13,8 +13,6 @@ - #include "auth_x.h" - #include "auth_x_protocol.h" - --#define TEMP_TICKET_BUF_LEN 256 -- - static void ceph_x_validate_tickets(struct ceph_auth_client *ac, int *pneed); - - static int ceph_x_is_authenticated(struct ceph_auth_client *ac) -@@ -64,7 +62,7 @@ static int ceph_x_encrypt(struct ceph_crypto_key *secret, - } - - static int ceph_x_decrypt(struct ceph_crypto_key *secret, -- void **p, void *end, void *obuf, size_t olen) -+ void **p, void *end, void **obuf, size_t olen) - { - struct ceph_x_encrypt_header head; - size_t head_len = sizeof(head); -@@ -75,8 +73,14 @@ static int ceph_x_decrypt(struct ceph_crypto_key *secret, - return -EINVAL; - - dout("ceph_x_decrypt len %d\n", len); -- ret = ceph_decrypt2(secret, &head, &head_len, obuf, &olen, -- *p, len); -+ if (*obuf == NULL) { -+ *obuf = kmalloc(len, GFP_NOFS); -+ if (!*obuf) -+ return -ENOMEM; -+ olen = len; -+ } -+ -+ ret = ceph_decrypt2(secret, &head, &head_len, *obuf, &olen, *p, len); - if (ret) - return ret; - if (head.struct_v != 1 || le64_to_cpu(head.magic) != CEPHX_ENC_MAGIC) -@@ -129,145 +133,154 @@ static void remove_ticket_handler(struct ceph_auth_client *ac, - kfree(th); - } - -+static int process_one_ticket(struct ceph_auth_client *ac, -+ struct ceph_crypto_key *secret, -+ void **p, void *end) -+{ -+ struct ceph_x_info *xi = ac->private; -+ int type; -+ u8 tkt_struct_v, blob_struct_v; -+ struct ceph_x_ticket_handler *th; -+ void *dbuf = NULL; -+ void *dp, *dend; -+ int dlen; -+ char is_enc; -+ struct timespec validity; -+ struct ceph_crypto_key old_key; -+ void *ticket_buf = NULL; -+ void *tp, *tpend; -+ struct ceph_timespec new_validity; -+ struct ceph_crypto_key new_session_key; -+ struct ceph_buffer 
*new_ticket_blob; -+ unsigned long new_expires, new_renew_after; -+ u64 new_secret_id; -+ int ret; -+ -+ ceph_decode_need(p, end, sizeof(u32) + 1, bad); -+ -+ type = ceph_decode_32(p); -+ dout(" ticket type %d %s\n", type, ceph_entity_type_name(type)); -+ -+ tkt_struct_v = ceph_decode_8(p); -+ if (tkt_struct_v != 1) -+ goto bad; -+ -+ th = get_ticket_handler(ac, type); -+ if (IS_ERR(th)) { -+ ret = PTR_ERR(th); -+ goto out; -+ } -+ -+ /* blob for me */ -+ dlen = ceph_x_decrypt(secret, p, end, &dbuf, 0); -+ if (dlen <= 0) { -+ ret = dlen; -+ goto out; -+ } -+ dout(" decrypted %d bytes\n", dlen); -+ dp = dbuf; -+ dend = dp + dlen; -+ -+ tkt_struct_v = ceph_decode_8(&dp); -+ if (tkt_struct_v != 1) -+ goto bad; -+ -+ memcpy(&old_key, &th->session_key, sizeof(old_key)); -+ ret = ceph_crypto_key_decode(&new_session_key, &dp, dend); -+ if (ret) -+ goto out; -+ -+ ceph_decode_copy(&dp, &new_validity, sizeof(new_validity)); -+ ceph_decode_timespec(&validity, &new_validity); -+ new_expires = get_seconds() + validity.tv_sec; -+ new_renew_after = new_expires - (validity.tv_sec / 4); -+ dout(" expires=%lu renew_after=%lu\n", new_expires, -+ new_renew_after); -+ -+ /* ticket blob for service */ -+ ceph_decode_8_safe(p, end, is_enc, bad); -+ if (is_enc) { -+ /* encrypted */ -+ dout(" encrypted ticket\n"); -+ dlen = ceph_x_decrypt(&old_key, p, end, &ticket_buf, 0); -+ if (dlen < 0) { -+ ret = dlen; -+ goto out; -+ } -+ tp = ticket_buf; -+ dlen = ceph_decode_32(&tp); -+ } else { -+ /* unencrypted */ -+ ceph_decode_32_safe(p, end, dlen, bad); -+ ticket_buf = kmalloc(dlen, GFP_NOFS); -+ if (!ticket_buf) { -+ ret = -ENOMEM; -+ goto out; -+ } -+ tp = ticket_buf; -+ ceph_decode_need(p, end, dlen, bad); -+ ceph_decode_copy(p, ticket_buf, dlen); -+ } -+ tpend = tp + dlen; -+ dout(" ticket blob is %d bytes\n", dlen); -+ ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad); -+ blob_struct_v = ceph_decode_8(&tp); -+ new_secret_id = ceph_decode_64(&tp); -+ ret = 
ceph_decode_buffer(&new_ticket_blob, &tp, tpend); -+ if (ret) -+ goto out; -+ -+ /* all is well, update our ticket */ -+ ceph_crypto_key_destroy(&th->session_key); -+ if (th->ticket_blob) -+ ceph_buffer_put(th->ticket_blob); -+ th->session_key = new_session_key; -+ th->ticket_blob = new_ticket_blob; -+ th->validity = new_validity; -+ th->secret_id = new_secret_id; -+ th->expires = new_expires; -+ th->renew_after = new_renew_after; -+ dout(" got ticket service %d (%s) secret_id %lld len %d\n", -+ type, ceph_entity_type_name(type), th->secret_id, -+ (int)th->ticket_blob->vec.iov_len); -+ xi->have_keys |= th->service; -+ -+out: -+ kfree(ticket_buf); -+ kfree(dbuf); -+ return ret; -+ -+bad: -+ ret = -EINVAL; -+ goto out; -+} -+ - static int ceph_x_proc_ticket_reply(struct ceph_auth_client *ac, - struct ceph_crypto_key *secret, - void *buf, void *end) - { -- struct ceph_x_info *xi = ac->private; -- int num; - void *p = buf; -- int ret; -- char *dbuf; -- char *ticket_buf; - u8 reply_struct_v; -+ u32 num; -+ int ret; - -- dbuf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS); -- if (!dbuf) -- return -ENOMEM; -- -- ret = -ENOMEM; -- ticket_buf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS); -- if (!ticket_buf) -- goto out_dbuf; -- -- ceph_decode_need(&p, end, 1 + sizeof(u32), bad); -- reply_struct_v = ceph_decode_8(&p); -+ ceph_decode_8_safe(&p, end, reply_struct_v, bad); - if (reply_struct_v != 1) -- goto bad; -- num = ceph_decode_32(&p); -+ return -EINVAL; -+ -+ ceph_decode_32_safe(&p, end, num, bad); - dout("%d tickets\n", num); -+ - while (num--) { -- int type; -- u8 tkt_struct_v, blob_struct_v; -- struct ceph_x_ticket_handler *th; -- void *dp, *dend; -- int dlen; -- char is_enc; -- struct timespec validity; -- struct ceph_crypto_key old_key; -- void *tp, *tpend; -- struct ceph_timespec new_validity; -- struct ceph_crypto_key new_session_key; -- struct ceph_buffer *new_ticket_blob; -- unsigned long new_expires, new_renew_after; -- u64 new_secret_id; -- -- ceph_decode_need(&p, end, 
sizeof(u32) + 1, bad); -- -- type = ceph_decode_32(&p); -- dout(" ticket type %d %s\n", type, ceph_entity_type_name(type)); -- -- tkt_struct_v = ceph_decode_8(&p); -- if (tkt_struct_v != 1) -- goto bad; -- -- th = get_ticket_handler(ac, type); -- if (IS_ERR(th)) { -- ret = PTR_ERR(th); -- goto out; -- } -- -- /* blob for me */ -- dlen = ceph_x_decrypt(secret, &p, end, dbuf, -- TEMP_TICKET_BUF_LEN); -- if (dlen <= 0) { -- ret = dlen; -- goto out; -- } -- dout(" decrypted %d bytes\n", dlen); -- dend = dbuf + dlen; -- dp = dbuf; -- -- tkt_struct_v = ceph_decode_8(&dp); -- if (tkt_struct_v != 1) -- goto bad; -- -- memcpy(&old_key, &th->session_key, sizeof(old_key)); -- ret = ceph_crypto_key_decode(&new_session_key, &dp, dend); -+ ret = process_one_ticket(ac, secret, &p, end); - if (ret) -- goto out; -- -- ceph_decode_copy(&dp, &new_validity, sizeof(new_validity)); -- ceph_decode_timespec(&validity, &new_validity); -- new_expires = get_seconds() + validity.tv_sec; -- new_renew_after = new_expires - (validity.tv_sec / 4); -- dout(" expires=%lu renew_after=%lu\n", new_expires, -- new_renew_after); -- -- /* ticket blob for service */ -- ceph_decode_8_safe(&p, end, is_enc, bad); -- tp = ticket_buf; -- if (is_enc) { -- /* encrypted */ -- dout(" encrypted ticket\n"); -- dlen = ceph_x_decrypt(&old_key, &p, end, ticket_buf, -- TEMP_TICKET_BUF_LEN); -- if (dlen < 0) { -- ret = dlen; -- goto out; -- } -- dlen = ceph_decode_32(&tp); -- } else { -- /* unencrypted */ -- ceph_decode_32_safe(&p, end, dlen, bad); -- ceph_decode_need(&p, end, dlen, bad); -- ceph_decode_copy(&p, ticket_buf, dlen); -- } -- tpend = tp + dlen; -- dout(" ticket blob is %d bytes\n", dlen); -- ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad); -- blob_struct_v = ceph_decode_8(&tp); -- new_secret_id = ceph_decode_64(&tp); -- ret = ceph_decode_buffer(&new_ticket_blob, &tp, tpend); -- if (ret) -- goto out; -- -- /* all is well, update our ticket */ -- ceph_crypto_key_destroy(&th->session_key); -- if 
(th->ticket_blob) -- ceph_buffer_put(th->ticket_blob); -- th->session_key = new_session_key; -- th->ticket_blob = new_ticket_blob; -- th->validity = new_validity; -- th->secret_id = new_secret_id; -- th->expires = new_expires; -- th->renew_after = new_renew_after; -- dout(" got ticket service %d (%s) secret_id %lld len %d\n", -- type, ceph_entity_type_name(type), th->secret_id, -- (int)th->ticket_blob->vec.iov_len); -- xi->have_keys |= th->service; -+ return ret; - } - -- ret = 0; --out: -- kfree(ticket_buf); --out_dbuf: -- kfree(dbuf); -- return ret; -+ return 0; - - bad: -- ret = -EINVAL; -- goto out; -+ return -EINVAL; - } - - static int ceph_x_build_authorizer(struct ceph_auth_client *ac, -@@ -563,13 +576,14 @@ static int ceph_x_verify_authorizer_reply(struct ceph_auth_client *ac, - struct ceph_x_ticket_handler *th; - int ret = 0; - struct ceph_x_authorize_reply reply; -+ void *preply = &reply; - void *p = au->reply_buf; - void *end = p + sizeof(au->reply_buf); - - th = get_ticket_handler(ac, au->service); - if (IS_ERR(th)) - return PTR_ERR(th); -- ret = ceph_x_decrypt(&th->session_key, &p, end, &reply, sizeof(reply)); -+ ret = ceph_x_decrypt(&th->session_key, &p, end, &preply, sizeof(reply)); - if (ret < 0) - return ret; - if (ret != sizeof(reply)) -diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c -index 0b62dea..c2b8d20 100644 ---- a/net/ceph/mon_client.c -+++ b/net/ceph/mon_client.c -@@ -987,7 +987,15 @@ static struct ceph_msg *mon_alloc_msg(struct ceph_connection *con, - if (!m) { - pr_info("alloc_msg unknown type %d\n", type); - *skip = 1; -+ } else if (front_len > m->front_max) { -+ pr_warning("mon_alloc_msg front %d > prealloc %d (%u#%llu)\n", -+ front_len, m->front_max, -+ (unsigned int)con->peer_name.type, -+ le64_to_cpu(con->peer_name.num)); -+ ceph_msg_put(m); -+ m = ceph_msg_new(type, front_len, GFP_NOFS, false); - } -+ - return m; - } - diff --git a/net/compat.c b/net/compat.c index 759e542..7cf6606 100644 --- a/net/compat.c 
@@ -103817,10 +103356,10 @@ index 75fea1f..a26be5a 100644 .exit = raw_exit_net, }; diff --git a/net/ipv4/route.c b/net/ipv4/route.c -index d361dc0..a814666 100644 +index 8e79a9e..3767dfd 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c -@@ -313,7 +313,7 @@ static inline unsigned int rt_hash(__be32 daddr, __be32 saddr, int idx, +@@ -316,7 +316,7 @@ static inline unsigned int rt_hash(__be32 daddr, __be32 saddr, int idx, static inline int rt_genid(struct net *net) { @@ -103829,7 +103368,7 @@ index d361dc0..a814666 100644 } #ifdef CONFIG_PROC_FS -@@ -551,7 +551,7 @@ static const struct seq_operations rt_cpu_seq_ops = { +@@ -554,7 +554,7 @@ static const struct seq_operations rt_cpu_seq_ops = { static int rt_cpu_seq_open(struct inode *inode, struct file *file) { @@ -103838,7 +103377,7 @@ index d361dc0..a814666 100644 } static const struct file_operations rt_cpu_seq_fops = { -@@ -589,7 +589,7 @@ static int rt_acct_proc_show(struct seq_file *m, void *v) +@@ -592,7 +592,7 @@ static int rt_acct_proc_show(struct seq_file *m, void *v) static int rt_acct_proc_open(struct inode *inode, struct file *file) { @@ -103847,7 +103386,7 @@ index d361dc0..a814666 100644 } static const struct file_operations rt_acct_proc_fops = { -@@ -641,7 +641,7 @@ static void __net_exit ip_rt_do_proc_exit(struct net *net) +@@ -644,7 +644,7 @@ static void __net_exit ip_rt_do_proc_exit(struct net *net) #endif } @@ -103856,7 +103395,7 @@ index d361dc0..a814666 100644 .init = ip_rt_do_proc_init, .exit = ip_rt_do_proc_exit, }; -@@ -937,7 +937,7 @@ static void rt_cache_invalidate(struct net *net) +@@ -940,7 +940,7 @@ static void rt_cache_invalidate(struct net *net) unsigned char shuffle; get_random_bytes(&shuffle, sizeof(shuffle)); 
@@ -103865,7 +103404,7 @@ index d361dc0..a814666 100644 redirect_genid++; inetpeer_invalidate_tree(AF_INET); } -@@ -1346,11 +1346,11 @@ void rt_bind_peer(struct rtable *rt, __be32 daddr, int create) +@@ -1372,11 +1372,11 @@ void rt_bind_peer(struct rtable *rt, __be32 daddr, int create) #define IP_IDENTS_SZ 2048u struct ip_ident_bucket { @@ -103879,7 +103418,7 @@ index d361dc0..a814666 100644 /* In order to protect privacy, we add a perturbation to identifiers * if one generator is seldom used. This makes hard for an attacker -@@ -1370,7 +1370,7 @@ u32 ip_idents_reserve(u32 hash, int segs) +@@ -1396,7 +1396,7 @@ u32 ip_idents_reserve(u32 hash, int segs) delta = (u32)(x >> 32); } @@ -103888,7 +103427,7 @@ index d361dc0..a814666 100644 } EXPORT_SYMBOL(ip_idents_reserve); -@@ -3228,7 +3228,7 @@ static int ipv4_sysctl_rtcache_flush(ctl_table *__ctl, int write, +@@ -3254,7 +3254,7 @@ static int ipv4_sysctl_rtcache_flush(ctl_table *__ctl, int write, { if (write) { int flush_delay; @@ -103897,7 +103436,7 @@ index d361dc0..a814666 100644 struct net *net; memcpy(&ctl, __ctl, sizeof(ctl)); -@@ -3377,6 +3377,7 @@ static struct ctl_table ipv4_route_flush_table[] = { +@@ -3403,6 +3403,7 @@ static struct ctl_table ipv4_route_flush_table[] = { .maxlen = sizeof(int), .mode = 0200, .proc_handler = ipv4_sysctl_rtcache_flush, @@ -103905,7 +103444,7 @@ index d361dc0..a814666 100644 }, { }, }; -@@ -3390,25 +3391,23 @@ static __net_initdata struct ctl_path ipv4_route_path[] = { +@@ -3416,25 +3417,23 @@ static __net_initdata struct ctl_path ipv4_route_path[] = { static __net_init int sysctl_route_net_init(struct net *net) { @@ -103938,7 +103477,7 @@ index d361dc0..a814666 100644 err_dup: return -ENOMEM; } -@@ -3423,7 +3422,7 @@ static __net_exit void sysctl_route_net_exit(struct net *net) +@@ -3449,7 +3448,7 @@ static __net_exit void sysctl_route_net_exit(struct net *net) kfree(tbl); } 
@@ -103947,7 +103486,7 @@ index d361dc0..a814666 100644 .init = sysctl_route_net_init, .exit = sysctl_route_net_exit, }; -@@ -3438,7 +3437,7 @@ static __net_init int rt_genid_init(struct net *net) +@@ -3464,7 +3463,7 @@ static __net_init int rt_genid_init(struct net *net) return 0; } @@ -103956,7 +103495,7 @@ index d361dc0..a814666 100644 .init = rt_genid_init, }; -@@ -3461,11 +3460,7 @@ int __init ip_rt_init(void) +@@ -3487,11 +3486,7 @@ int __init ip_rt_init(void) { int rc = 0; @@ -104613,7 +104152,7 @@ index a0b4c5d..a5818a1 100644 } diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index b9edff0..63ad6cf 100644 +index 3afdd78..cf4a70f 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -2160,7 +2160,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg) @@ -104625,7 +104164,7 @@ index b9edff0..63ad6cf 100644 if (ops->ndo_do_ioctl) { mm_segment_t oldfs = get_fs(); -@@ -3227,16 +3227,23 @@ static const struct file_operations if6_fops = { +@@ -3237,16 +3237,23 @@ static const struct file_operations if6_fops = { .release = seq_release_net, }; @@ -105155,7 +104694,7 @@ index c69358c..d1e5855 100644 static int tcp6_seq_show(struct seq_file *seq, void *v) diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index f8bec1e..e2c60f8 100644 +index d131a95..e2c60f8 100644 --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -50,6 +50,10 @@ @@ -105206,15 +104745,6 @@ index f8bec1e..e2c60f8 100644 bh_unlock_sock(sk); sock_put(sk); goto discard; -@@ -1362,7 +1369,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features) - fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen); - fptr->nexthdr = nexthdr; - fptr->reserved = 0; -- ipv6_select_ident(fptr, (struct rt6_info *)skb_dst(skb)); -+ fptr->identification = skb_shinfo(skb)->ip6_frag_id; - - /* Fragment the skb. ipv6 header and the remaining fields of the - * fragment header are updated in ipv6_gso_segment() 
@@ -1409,8 +1416,13 @@ static void udp6_sock_seq_show(struct seq_file *seq, struct sock *sp, int bucket 0, 0L, 0, sock_i_uid(sp), 0, @@ -105831,7 +105361,7 @@ index e13095d..6617217 100644 [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c -index 29fa5ba..8debc79 100644 +index 6422845..2c19968 100644 --- a/net/netfilter/ipvs/ip_vs_conn.c +++ b/net/netfilter/ipvs/ip_vs_conn.c @@ -556,7 +556,7 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, struct ip_vs_dest *dest) @@ -105843,7 +105373,7 @@ index 29fa5ba..8debc79 100644 if (cp->protocol != IPPROTO_UDP) conn_flags &= ~IP_VS_CONN_F_ONE_PACKET; /* Bind with the destination and its corresponding transmitter */ -@@ -869,7 +869,7 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p, +@@ -868,7 +868,7 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p, atomic_set(&cp->refcnt, 1); atomic_set(&cp->n_control, 0); @@ -105852,7 +105382,7 @@ index 29fa5ba..8debc79 100644 atomic_inc(&ipvs->conn_count); if (flags & IP_VS_CONN_F_NO_CPORT) -@@ -1149,7 +1149,7 @@ static inline int todrop_entry(struct ip_vs_conn *cp) +@@ -1148,7 +1148,7 @@ static inline int todrop_entry(struct ip_vs_conn *cp) /* Don't drop the entry if its number of incoming packets is not located in [0, 8] */ diff --git a/3.2.63/4425_grsec_remove_EI_PAX.patch b/3.2.64/4425_grsec_remove_EI_PAX.patch index cf65d90..cf65d90 100644 --- a/3.2.63/4425_grsec_remove_EI_PAX.patch +++ b/3.2.64/4425_grsec_remove_EI_PAX.patch diff --git a/3.2.63/4427_force_XATTR_PAX_tmpfs.patch b/3.2.64/4427_force_XATTR_PAX_tmpfs.patch index caaeed1..caaeed1 100644 --- a/3.2.63/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.2.64/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.2.63/4430_grsec-remove-localversion-grsec.patch b/3.2.64/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.2.63/4430_grsec-remove-localversion-grsec.patch 
+++ b/3.2.64/4430_grsec-remove-localversion-grsec.patch diff --git a/3.2.63/4435_grsec-mute-warnings.patch b/3.2.64/4435_grsec-mute-warnings.patch index da01ac7..da01ac7 100644 --- a/3.2.63/4435_grsec-mute-warnings.patch +++ b/3.2.64/4435_grsec-mute-warnings.patch diff --git a/3.2.63/4440_grsec-remove-protected-paths.patch b/3.2.64/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/3.2.63/4440_grsec-remove-protected-paths.patch +++ b/3.2.64/4440_grsec-remove-protected-paths.patch diff --git a/3.2.63/4450_grsec-kconfig-default-gids.patch b/3.2.64/4450_grsec-kconfig-default-gids.patch index b4a0e64..b4a0e64 100644 --- a/3.2.63/4450_grsec-kconfig-default-gids.patch +++ b/3.2.64/4450_grsec-kconfig-default-gids.patch diff --git a/3.2.63/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.64/4465_selinux-avc_audit-log-curr_ip.patch index ed1cb9b..ed1cb9b 100644 --- a/3.2.63/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.2.64/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.2.63/4470_disable-compat_vdso.patch b/3.2.64/4470_disable-compat_vdso.patch index 42bc94d..42bc94d 100644 --- a/3.2.63/4470_disable-compat_vdso.patch +++ b/3.2.64/4470_disable-compat_vdso.patch diff --git a/3.2.63/4475_emutramp_default_on.patch b/3.2.64/4475_emutramp_default_on.patch index 941870b..941870b 100644 --- a/3.2.63/4475_emutramp_default_on.patch +++ b/3.2.64/4475_emutramp_default_on.patch |