author | Anthony G. Basile <blueness@gentoo.org> | 2014-06-11 10:09:16 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2014-06-11 10:09:16 -0400 |
commit | 0d0804c87cf0f56708fa7422f8a8b57dda821ac3 (patch) | |
tree | 3b1e5813357cce147d4624366d00ab1f0187875e | |
parent | Grsec/PaX: 3.0-3.2.59-201406052202 (diff) | |
Grsec/PaX: 3.0-{3.2.60,3.14.6}-20140610141120140610
-rw-r--r-- | 3.14.6/0000_README (renamed from 3.14.5/0000_README) | 2 | ||||
-rw-r--r-- | 3.14.6/4420_grsecurity-3.0-3.14.6-201406101411.patch (renamed from 3.14.5/4420_grsecurity-3.0-3.14.5-201406051310.patch) | 1293 | ||||
-rw-r--r-- | 3.14.6/4425_grsec_remove_EI_PAX.patch (renamed from 3.14.5/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.14.6/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.14.5/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.14.6/4430_grsec-remove-localversion-grsec.patch (renamed from 3.14.5/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.14.6/4435_grsec-mute-warnings.patch (renamed from 3.14.5/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.14.6/4440_grsec-remove-protected-paths.patch (renamed from 3.14.5/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.14.6/4450_grsec-kconfig-default-gids.patch (renamed from 3.14.5/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.14.6/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.14.5/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.14.6/4470_disable-compat_vdso.patch (renamed from 3.14.5/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.14.6/4475_emutramp_default_on.patch (renamed from 3.14.5/4475_emutramp_default_on.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/0000_README (renamed from 3.2.59/0000_README) | 6 | ||||
-rw-r--r-- | 3.2.60/1021_linux-3.2.22.patch (renamed from 3.2.59/1021_linux-3.2.22.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1022_linux-3.2.23.patch (renamed from 3.2.59/1022_linux-3.2.23.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1023_linux-3.2.24.patch (renamed from 3.2.59/1023_linux-3.2.24.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1024_linux-3.2.25.patch (renamed from 3.2.59/1024_linux-3.2.25.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1025_linux-3.2.26.patch (renamed from 3.2.59/1025_linux-3.2.26.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1026_linux-3.2.27.patch (renamed from 3.2.59/1026_linux-3.2.27.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1027_linux-3.2.28.patch (renamed from 3.2.59/1027_linux-3.2.28.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1028_linux-3.2.29.patch (renamed from 3.2.59/1028_linux-3.2.29.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1029_linux-3.2.30.patch (renamed from 3.2.59/1029_linux-3.2.30.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1030_linux-3.2.31.patch (renamed from 3.2.59/1030_linux-3.2.31.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1031_linux-3.2.32.patch (renamed from 3.2.59/1031_linux-3.2.32.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1032_linux-3.2.33.patch (renamed from 3.2.59/1032_linux-3.2.33.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1033_linux-3.2.34.patch (renamed from 3.2.59/1033_linux-3.2.34.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1034_linux-3.2.35.patch (renamed from 3.2.59/1034_linux-3.2.35.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1035_linux-3.2.36.patch (renamed from 3.2.59/1035_linux-3.2.36.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1036_linux-3.2.37.patch (renamed from 3.2.59/1036_linux-3.2.37.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1037_linux-3.2.38.patch (renamed from 3.2.59/1037_linux-3.2.38.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1038_linux-3.2.39.patch (renamed from 3.2.59/1038_linux-3.2.39.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1039_linux-3.2.40.patch (renamed from 3.2.59/1039_linux-3.2.40.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1040_linux-3.2.41.patch (renamed from 3.2.59/1040_linux-3.2.41.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1041_linux-3.2.42.patch (renamed from 3.2.59/1041_linux-3.2.42.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1042_linux-3.2.43.patch (renamed from 3.2.59/1042_linux-3.2.43.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1043_linux-3.2.44.patch (renamed from 3.2.59/1043_linux-3.2.44.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1044_linux-3.2.45.patch (renamed from 3.2.59/1044_linux-3.2.45.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1045_linux-3.2.46.patch (renamed from 3.2.59/1045_linux-3.2.46.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1046_linux-3.2.47.patch (renamed from 3.2.59/1046_linux-3.2.47.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1047_linux-3.2.48.patch (renamed from 3.2.59/1047_linux-3.2.48.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1048_linux-3.2.49.patch (renamed from 3.2.59/1048_linux-3.2.49.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1049_linux-3.2.50.patch (renamed from 3.2.59/1049_linux-3.2.50.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1050_linux-3.2.51.patch (renamed from 3.2.59/1050_linux-3.2.51.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1051_linux-3.2.52.patch (renamed from 3.2.59/1051_linux-3.2.52.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1052_linux-3.2.53.patch (renamed from 3.2.59/1052_linux-3.2.53.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1053_linux-3.2.54.patch (renamed from 3.2.59/1053_linux-3.2.54.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1054_linux-3.2.55.patch (renamed from 3.2.59/1054_linux-3.2.55.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1055_linux-3.2.56.patch (renamed from 3.2.59/1055_linux-3.2.56.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1056_linux-3.2.57.patch (renamed from 3.2.59/1056_linux-3.2.57.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1057_linux-3.2.58.patch (renamed from 3.2.59/1057_linux-3.2.58.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1058_linux-3.2.59.patch (renamed from 3.2.59/1058_linux-3.2.59.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/1059_linux-3.2.60.patch | 2964 | ||||
-rw-r--r-- | 3.2.60/4420_grsecurity-3.0-3.2.60-201406101410.patch (renamed from 3.2.59/4420_grsecurity-3.0-3.2.59-201406052202.patch) | 914 | ||||
-rw-r--r-- | 3.2.60/4425_grsec_remove_EI_PAX.patch (renamed from 3.2.59/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.2.59/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/4430_grsec-remove-localversion-grsec.patch (renamed from 3.2.59/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/4435_grsec-mute-warnings.patch (renamed from 3.2.59/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/4440_grsec-remove-protected-paths.patch (renamed from 3.2.59/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/4450_grsec-kconfig-default-gids.patch (renamed from 3.2.59/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.2.59/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/4470_disable-compat_vdso.patch (renamed from 3.2.59/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/4475_emutramp_default_on.patch (renamed from 3.2.59/4475_emutramp_default_on.patch) | 0 |
61 files changed, 3756 insertions, 1423 deletions
diff --git a/3.14.5/0000_README b/3.14.6/0000_README index d423279..982ffca 100644 --- a/3.14.5/0000_README +++ b/3.14.6/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.14.5-201406051310.patch +Patch: 4420_grsecurity-3.0-3.14.6-201406101411.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.5/4420_grsecurity-3.0-3.14.5-201406051310.patch b/3.14.6/4420_grsecurity-3.0-3.14.6-201406101411.patch index 311f637..274a809 100644 --- a/3.14.5/4420_grsecurity-3.0-3.14.5-201406051310.patch +++ b/3.14.6/4420_grsecurity-3.0-3.14.6-201406101411.patch @@ -287,7 +287,7 @@ index 7116fda..d8ed6e8 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index fa77b0b..dadf5fd 100644 +index 0d499e6..2318683 100644 --- a/Makefile +++ b/Makefile @@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -457,15 +457,16 @@ index fa77b0b..dadf5fd 100644 # clean - Delete most, but leave enough to build external modules # -@@ -1112,6 +1189,7 @@ distclean: mrproper +@@ -1111,7 +1188,7 @@ distclean: mrproper + @find $(srctree) $(RCS_FIND_IGNORE) \ \( -name '*.orig' -o -name '*.rej' -o -name '*~' \ -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \ - -o -name '.*.rej' \ +- -o -name '.*.rej' \ + -o -name '.*.rej' -o -name '*.so' \ -o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \ -type f -print | xargs rm -f -@@ -1273,6 +1351,8 @@ PHONY += $(module-dirs) modules +@@ -1273,6 +1350,8 @@ PHONY += $(module-dirs) modules $(module-dirs): crmodverdir $(objtree)/Module.symvers $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@) 
@@ -474,7 +475,7 @@ index fa77b0b..dadf5fd 100644 modules: $(module-dirs) @$(kecho) ' Building modules, stage 2.'; $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost -@@ -1412,17 +1492,21 @@ else +@@ -1412,17 +1491,21 @@ else target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@)) endif @@ -500,7 +501,7 @@ index fa77b0b..dadf5fd 100644 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) %.symtypes: %.c prepare scripts FORCE $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) -@@ -1432,11 +1516,15 @@ endif +@@ -1432,11 +1515,15 @@ endif $(cmd_crmodverdir) $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ $(build)=$(build-dir) @@ -1524,6 +1525,19 @@ index 62d2cb5..09d45e3 100644 #define atomic64_dec_return(v) atomic64_sub_return(1LL, (v)) #define atomic64_dec_and_test(v) (atomic64_dec_return((v)) == 0) #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1LL, 0LL) +diff --git a/arch/arm/include/asm/barrier.h b/arch/arm/include/asm/barrier.h +index 2f59f74..1594659 100644 +--- a/arch/arm/include/asm/barrier.h ++++ b/arch/arm/include/asm/barrier.h +@@ -63,7 +63,7 @@ + do { \ + compiletime_assert_atomic_type(*p); \ + smp_mb(); \ +- ACCESS_ONCE(*p) = (v); \ ++ ACCESS_ONCE_RW(*p) = (v); \ + } while (0) + + #define smp_load_acquire(p) \ diff --git a/arch/arm/include/asm/cache.h b/arch/arm/include/asm/cache.h index 75fe66b..ba3dee4 100644 --- a/arch/arm/include/asm/cache.h @@ -4716,6 +4730,19 @@ index ce6d763..cfea917 100644 extern void *samsung_dmadev_get_ops(void); extern void *s3c_dma_get_ops(void); +diff --git a/arch/arm64/include/asm/barrier.h b/arch/arm64/include/asm/barrier.h +index 409ca37..10c87ad 100644 +--- a/arch/arm64/include/asm/barrier.h ++++ b/arch/arm64/include/asm/barrier.h +@@ -40,7 +40,7 @@ + do { \ + compiletime_assert_atomic_type(*p); \ + smp_mb(); \ +- ACCESS_ONCE(*p) = (v); \ ++ ACCESS_ONCE_RW(*p) = (v); \ + } while (0) + + #define smp_load_acquire(p) \ 
diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 6c0f684..5faea9d 100644 --- a/arch/arm64/include/asm/uaccess.h @@ -5010,6 +5037,19 @@ index 6e6fe18..a6ae668 100644 /* Atomic operations are already serializing */ #define smp_mb__before_atomic_dec() barrier() #define smp_mb__after_atomic_dec() barrier() +diff --git a/arch/ia64/include/asm/barrier.h b/arch/ia64/include/asm/barrier.h +index d0a69aa..142f878 100644 +--- a/arch/ia64/include/asm/barrier.h ++++ b/arch/ia64/include/asm/barrier.h +@@ -64,7 +64,7 @@ + do { \ + compiletime_assert_atomic_type(*p); \ + barrier(); \ +- ACCESS_ONCE(*p) = (v); \ ++ ACCESS_ONCE_RW(*p) = (v); \ + } while (0) + + #define smp_load_acquire(p) \ diff --git a/arch/ia64/include/asm/cache.h b/arch/ia64/include/asm/cache.h index 988254a..e1ee885 100644 --- a/arch/ia64/include/asm/cache.h @@ -5497,6 +5537,19 @@ index 0395c51..5f26031 100644 #define ARCH_DMA_MINALIGN L1_CACHE_BYTES +diff --git a/arch/metag/include/asm/barrier.h b/arch/metag/include/asm/barrier.h +index 2d6f0de..de5f5ac 100644 +--- a/arch/metag/include/asm/barrier.h ++++ b/arch/metag/include/asm/barrier.h +@@ -89,7 +89,7 @@ static inline void fence(void) + do { \ + compiletime_assert_atomic_type(*p); \ + smp_mb(); \ +- ACCESS_ONCE(*p) = (v); \ ++ ACCESS_ONCE_RW(*p) = (v); \ + } while (0) + + #define smp_load_acquire(p) \ diff --git a/arch/metag/mm/hugetlbpage.c b/arch/metag/mm/hugetlbpage.c index 0424315..defcca9 100644 --- a/arch/metag/mm/hugetlbpage.c @@ -6459,6 +6512,19 @@ index 7eed2f2..c4e385d 100644 /* * atomic64_add_negative - add and test if negative +diff --git a/arch/mips/include/asm/barrier.h b/arch/mips/include/asm/barrier.h +index e1aa4e4..670b68b 100644 +--- a/arch/mips/include/asm/barrier.h ++++ b/arch/mips/include/asm/barrier.h +@@ -184,7 +184,7 @@ + do { \ + compiletime_assert_atomic_type(*p); \ + smp_mb(); \ +- ACCESS_ONCE(*p) = (v); \ ++ ACCESS_ONCE_RW(*p) = (v); \ + } while (0) + + #define smp_load_acquire(p) \ 
diff --git a/arch/mips/include/asm/cache.h b/arch/mips/include/asm/cache.h index b4db69f..8f3b093 100644 --- a/arch/mips/include/asm/cache.h @@ -7684,10 +7750,10 @@ index 31ffa9b..588a798 100644 mm->mmap_base = mm->mmap_legacy_base; mm->get_unmapped_area = arch_get_unmapped_area; diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c -index 1cd1d0c..44ec918 100644 +index 47ee620..1107387 100644 --- a/arch/parisc/kernel/traps.c +++ b/arch/parisc/kernel/traps.c -@@ -722,9 +722,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs) +@@ -726,9 +726,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs) down_read(¤t->mm->mmap_sem); vma = find_vma(current->mm,regs->iaoq[0]); @@ -7699,7 +7765,7 @@ index 1cd1d0c..44ec918 100644 fault_space = regs->iasq[0]; diff --git a/arch/parisc/mm/fault.c b/arch/parisc/mm/fault.c -index 9d08c71..e2b4d20 100644 +index d72197f..c017c84 100644 --- a/arch/parisc/mm/fault.c +++ b/arch/parisc/mm/fault.c @@ -15,6 +15,7 @@ @@ -7710,7 +7776,7 @@ index 9d08c71..e2b4d20 100644 #include <asm/uaccess.h> #include <asm/traps.h> -@@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, exception_data); +@@ -50,7 +51,7 @@ int show_unhandled_signals = 1; static unsigned long parisc_acctyp(unsigned long code, unsigned int inst) { @@ -7719,7 +7785,7 @@ index 9d08c71..e2b4d20 100644 return VM_EXEC; switch (inst & 0xf0000000) { -@@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsigned int inst) +@@ -136,6 +137,116 @@ parisc_acctyp(unsigned long code, unsigned int inst) } #endif @@ -7836,7 +7902,7 @@ index 9d08c71..e2b4d20 100644 int fixup_exception(struct pt_regs *regs) { const struct exception_table_entry *fix; -@@ -210,8 +321,33 @@ retry: +@@ -234,8 +345,33 @@ retry: good_area: 
@@ -7904,6 +7970,19 @@ index e3b1d41..8e81edf 100644 #endif /* __powerpc64__ */ #endif /* __KERNEL__ */ +diff --git a/arch/powerpc/include/asm/barrier.h b/arch/powerpc/include/asm/barrier.h +index f89da80..7f5b05a 100644 +--- a/arch/powerpc/include/asm/barrier.h ++++ b/arch/powerpc/include/asm/barrier.h +@@ -73,7 +73,7 @@ + do { \ + compiletime_assert_atomic_type(*p); \ + __lwsync(); \ +- ACCESS_ONCE(*p) = (v); \ ++ ACCESS_ONCE_RW(*p) = (v); \ + } while (0) + + #define smp_load_acquire(p) \ diff --git a/arch/powerpc/include/asm/cache.h b/arch/powerpc/include/asm/cache.h index ed0afc1..0332825 100644 --- a/arch/powerpc/include/asm/cache.h @@ -9020,6 +9099,19 @@ index 1d47061..0714963 100644 #define smp_mb__before_atomic_dec() smp_mb() #define smp_mb__after_atomic_dec() smp_mb() #define smp_mb__before_atomic_inc() smp_mb() +diff --git a/arch/s390/include/asm/barrier.h b/arch/s390/include/asm/barrier.h +index 578680f..0eb3b11 100644 +--- a/arch/s390/include/asm/barrier.h ++++ b/arch/s390/include/asm/barrier.h +@@ -36,7 +36,7 @@ + do { \ + compiletime_assert_atomic_type(*p); \ + barrier(); \ +- ACCESS_ONCE(*p) = (v); \ ++ ACCESS_ONCE_RW(*p) = (v); \ + } while (0) + + #define smp_load_acquire(p) \ diff --git a/arch/s390/include/asm/cache.h b/arch/s390/include/asm/cache.h index 4d7ccac..d03d0ad 100644 --- a/arch/s390/include/asm/cache.h @@ -9623,6 +9715,19 @@ index be56a24..443328f 100644 } #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0) +diff --git a/arch/sparc/include/asm/barrier_64.h b/arch/sparc/include/asm/barrier_64.h +index b5aad96..99d7465 100644 +--- a/arch/sparc/include/asm/barrier_64.h ++++ b/arch/sparc/include/asm/barrier_64.h +@@ -57,7 +57,7 @@ do { __asm__ __volatile__("ba,pt %%xcc, 1f\n\t" \ + do { \ + compiletime_assert_atomic_type(*p); \ + barrier(); \ +- ACCESS_ONCE(*p) = (v); \ ++ ACCESS_ONCE_RW(*p) = (v); \ + } while (0) + + #define smp_load_acquire(p) \ 
diff --git a/arch/sparc/include/asm/cache.h b/arch/sparc/include/asm/cache.h index 5bb6991..5c2132e 100644 --- a/arch/sparc/include/asm/cache.h @@ -15986,6 +16091,28 @@ index 46e9052..ae45136 100644 } #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0) +diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h +index 69bbb48..32517fe 100644 +--- a/arch/x86/include/asm/barrier.h ++++ b/arch/x86/include/asm/barrier.h +@@ -107,7 +107,7 @@ + do { \ + compiletime_assert_atomic_type(*p); \ + smp_mb(); \ +- ACCESS_ONCE(*p) = (v); \ ++ ACCESS_ONCE_RW(*p) = (v); \ + } while (0) + + #define smp_load_acquire(p) \ +@@ -124,7 +124,7 @@ do { \ + do { \ + compiletime_assert_atomic_type(*p); \ + barrier(); \ +- ACCESS_ONCE(*p) = (v); \ ++ ACCESS_ONCE_RW(*p) = (v); \ + } while (0) + + #define smp_load_acquire(p) \ diff --git a/arch/x86/include/asm/bitops.h b/arch/x86/include/asm/bitops.h index 9fc1af7..fc71228 100644 --- a/arch/x86/include/asm/bitops.h @@ -16958,18 +17085,6 @@ index b4c1f54..e290c08 100644 pagefault_enable(); -diff --git a/arch/x86/include/asm/hugetlb.h b/arch/x86/include/asm/hugetlb.h -index a809121..68c0539 100644 ---- a/arch/x86/include/asm/hugetlb.h -+++ b/arch/x86/include/asm/hugetlb.h -@@ -52,6 +52,7 @@ static inline pte_t huge_ptep_get_and_clear(struct mm_struct *mm, - static inline void huge_ptep_clear_flush(struct vm_area_struct *vma, - unsigned long addr, pte_t *ptep) - { -+ ptep_clear_flush(vma, addr, ptep); - } - - static inline int huge_pte_none(pte_t pte) diff --git a/arch/x86/include/asm/hw_irq.h b/arch/x86/include/asm/hw_irq.h index 67d69b8..50e4b77 100644 --- a/arch/x86/include/asm/hw_irq.h 
@@ -17593,6 +17708,19 @@ index 0f1ddee..e2fc3d1 100644 { unsigned long y = x - __START_KERNEL_map; +diff --git a/arch/x86/include/asm/page_64_types.h b/arch/x86/include/asm/page_64_types.h +index 8de6d9c..6782051 100644 +--- a/arch/x86/include/asm/page_64_types.h ++++ b/arch/x86/include/asm/page_64_types.h +@@ -1,7 +1,7 @@ + #ifndef _ASM_X86_PAGE_64_DEFS_H + #define _ASM_X86_PAGE_64_DEFS_H + +-#define THREAD_SIZE_ORDER 1 ++#define THREAD_SIZE_ORDER 2 + #define THREAD_SIZE (PAGE_SIZE << THREAD_SIZE_ORDER) + #define CURRENT_MASK (~(THREAD_SIZE - 1)) + diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h index cd6e1610..70f4418 100644 --- a/arch/x86/include/asm/paravirt.h @@ -25823,19 +25951,10 @@ index c2bedae..25e7ab6 100644 .name = "data", .mode = S_IRUGO, diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c -index af1d14a..81ae763 100644 +index dcbbaa1..81ae763 100644 --- a/arch/x86/kernel/ldt.c +++ b/arch/x86/kernel/ldt.c -@@ -20,6 +20,8 @@ - #include <asm/mmu_context.h> - #include <asm/syscalls.h> - -+int sysctl_ldt16 = 0; -+ - #ifdef CONFIG_SMP - static void flush_ldt(void *current_mm) - { -@@ -66,13 +68,13 @@ static int alloc_ldt(mm_context_t *pc, int mincount, int reload) +@@ -68,13 +68,13 @@ static int alloc_ldt(mm_context_t *pc, int mincount, int reload) if (reload) { #ifdef CONFIG_SMP preempt_disable(); @@ -25851,7 +25970,7 @@ index af1d14a..81ae763 100644 #endif } if (oldsize) { -@@ -94,7 +96,7 @@ static inline int copy_ldt(mm_context_t *new, mm_context_t *old) +@@ -96,7 +96,7 @@ static inline int copy_ldt(mm_context_t *new, mm_context_t *old) return err; for (i = 0; i < old->size; i++) @@ -25860,7 +25979,7 @@ index af1d14a..81ae763 100644 return 0; } -@@ -115,6 +117,24 @@ int init_new_context(struct task_struct *tsk, struct mm_struct *mm) +@@ -117,6 +117,24 @@ int init_new_context(struct task_struct *tsk, struct mm_struct *mm) retval = copy_ldt(&mm->context, &old_mm->context); mutex_unlock(&old_mm->context.lock); } 
@@ -25885,7 +26004,7 @@ index af1d14a..81ae763 100644 return retval; } -@@ -229,12 +249,19 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode) +@@ -231,6 +249,13 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode) } } @@ -25899,13 +26018,6 @@ index af1d14a..81ae763 100644 /* * On x86-64 we do not support 16-bit segments due to * IRET leaking the high bits of the kernel stack address. - */ - #ifdef CONFIG_X86_64 -- if (!ldt_info.seg_32bit) { -+ if (!ldt_info.seg_32bit && !sysctl_ldt16) { - error = -EINVAL; - goto out_unlock; - } diff --git a/arch/x86/kernel/machine_kexec_32.c b/arch/x86/kernel/machine_kexec_32.c index 1667b1d..16492c5 100644 --- a/arch/x86/kernel/machine_kexec_32.c @@ -27275,35 +27387,32 @@ index 7c3a5a6..f0a8961 100644 .smp_prepare_cpus = native_smp_prepare_cpus, .smp_cpus_done = native_smp_cpus_done, diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c -index a32da80..30c97f1 100644 +index a32da80..041a4ff 100644 --- a/arch/x86/kernel/smpboot.c 
+++ b/arch/x86/kernel/smpboot.c -@@ -229,14 +229,18 @@ static void notrace start_secondary(void *unused) +@@ -229,14 +229,17 @@ static void notrace start_secondary(void *unused) enable_start_cpu0 = 0; -#ifdef CONFIG_X86_32 -- /* switch away from the initial page table */ -- load_cr3(swapper_pg_dir); -- __flush_tlb_all(); --#endif -- - /* otherwise gcc will move up smp_processor_id before the cpu_init */ - barrier(); ++ /* otherwise gcc will move up smp_processor_id before the cpu_init */ ++ barrier(); + -+ /* switch away from the initial page table */ + /* switch away from the initial page table */ +#ifdef CONFIG_PAX_PER_CPU_PGD + load_cr3(get_cpu_pgd(smp_processor_id(), kernel)); -+ __flush_tlb_all(); -+#elif defined(CONFIG_X86_32) -+ load_cr3(swapper_pg_dir); -+ __flush_tlb_all(); ++#else + load_cr3(swapper_pg_dir); +#endif -+ + __flush_tlb_all(); +-#endif + +- /* otherwise gcc will move up smp_processor_id before the cpu_init */ +- barrier(); /* * Check TSC synchronization with the BP: */ -@@ -749,8 +753,9 @@ static int do_boot_cpu(int apicid, int cpu, struct task_struct *idle) +@@ -749,8 +752,9 @@ static int do_boot_cpu(int apicid, int cpu, struct task_struct *idle) alternatives_enable_smp(); idle->thread.sp = (unsigned long) (((struct pt_regs *) @@ -27314,7 +27423,7 @@ index a32da80..30c97f1 100644 #ifdef CONFIG_X86_32 /* Stack for startup_32 can be just as for start_secondary onwards */ -@@ -758,11 +763,13 @@ static int do_boot_cpu(int apicid, int cpu, struct task_struct *idle) +@@ -758,11 +762,13 @@ static int do_boot_cpu(int apicid, int cpu, struct task_struct *idle) #else clear_tsk_thread_flag(idle, TIF_FORK); initial_gs = per_cpu_offset(cpu); 
@@ -27331,7 +27440,7 @@ index a32da80..30c97f1 100644 initial_code = (unsigned long)start_secondary; stack_start = idle->thread.sp; -@@ -911,6 +918,15 @@ int native_cpu_up(unsigned int cpu, struct task_struct *tidle) +@@ -911,6 +917,15 @@ int native_cpu_up(unsigned int cpu, struct task_struct *tidle) /* the FPU context is blank, nobody can own it */ __cpu_disable_lazy_restore(cpu); @@ -35630,7 +35739,7 @@ index fd14be1..e3c79c0 100644 # diff --git a/arch/x86/vdso/vdso32-setup.c b/arch/x86/vdso/vdso32-setup.c -index d6bfb87..a75c5f7 100644 +index f1d633a..a75c5f7 100644 --- a/arch/x86/vdso/vdso32-setup.c +++ b/arch/x86/vdso/vdso32-setup.c @@ -25,6 +25,7 @@ @@ -35641,15 +35750,7 @@ index d6bfb87..a75c5f7 100644 enum { VDSO_DISABLED = 0, -@@ -41,6 +42,7 @@ enum { - #ifdef CONFIG_X86_64 - #define vdso_enabled sysctl_vsyscall32 - #define arch_setup_additional_pages syscall32_setup_pages -+extern int sysctl_ldt16; - #endif - - /* -@@ -226,7 +228,7 @@ static inline void map_compat_vdso(int map) +@@ -227,7 +228,7 @@ static inline void map_compat_vdso(int map) void enable_sep_cpu(void) { int cpu = get_cpu(); @@ -35658,7 +35759,7 @@ index d6bfb87..a75c5f7 100644 if (!boot_cpu_has(X86_FEATURE_SEP)) { put_cpu(); -@@ -249,7 +251,7 @@ static int __init gate_vma_init(void) +@@ -250,7 +251,7 @@ static int __init gate_vma_init(void) gate_vma.vm_start = FIXADDR_USER_START; gate_vma.vm_end = FIXADDR_USER_END; gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC; @@ -35667,7 +35768,7 @@ index d6bfb87..a75c5f7 100644 return 0; } -@@ -330,14 +332,14 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) +@@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) if (compat) addr = VDSO_HIGH_BASE; else { 
@@ -35684,7 +35785,7 @@ index d6bfb87..a75c5f7 100644 if (compat_uses_vma || !compat) { /* -@@ -353,11 +355,11 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) +@@ -354,11 +355,11 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) } current_thread_info()->sysenter_return = @@ -35698,21 +35799,7 @@ index d6bfb87..a75c5f7 100644 up_write(&mm->mmap_sem); -@@ -380,6 +382,13 @@ static struct ctl_table abi_table2[] = { - .mode = 0644, - .proc_handler = proc_dointvec - }, -+ { -+ .procname = "ldt16", -+ .data = &sysctl_ldt16, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec -+ }, - {} - }; - -@@ -404,8 +413,14 @@ __initcall(ia32_binfmt_init); +@@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init); const char *arch_vma_name(struct vm_area_struct *vma) { @@ -35728,7 +35815,7 @@ index d6bfb87..a75c5f7 100644 return NULL; } -@@ -415,7 +430,7 @@ struct vm_area_struct *get_gate_vma(struct mm_struct *mm) +@@ -423,7 +430,7 @@ struct vm_area_struct *get_gate_vma(struct mm_struct *mm) * Check to see if the corresponding task was created in compat vdso * mode. */ @@ -36531,7 +36618,7 @@ index a83e3c6..c3d617f 100644 bgrt_kobj = kobject_create_and_add("bgrt", acpi_kobj); if (!bgrt_kobj) diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c -index afec452..c5d8b96 100644 +index 3d8413d..95f638c 100644 --- a/drivers/acpi/blacklist.c +++ b/drivers/acpi/blacklist.c @@ -51,7 +51,7 @@ struct acpi_blacklist_item { @@ -36612,7 +36699,7 @@ index 36605ab..6ef6d4b 100644 unsigned long timeout_msec) { diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c -index 0a79c54..c1b92ed 100644 +index bb26636..09cbdb4 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -98,7 +98,7 @@ static unsigned int ata_dev_set_xfermode(struct ata_device *dev); @@ -38757,10 +38844,10 @@ index ec4e10f..f2a763b 100644 intf->proc_dir = NULL; 
diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c -index 03f4189..e79f5e0 100644 +index 8b4fa2c..5f81848 100644 --- a/drivers/char/ipmi/ipmi_si_intf.c +++ b/drivers/char/ipmi/ipmi_si_intf.c -@@ -280,7 +280,7 @@ struct smi_info { +@@ -283,7 +283,7 @@ struct smi_info { unsigned char slave_addr; /* Counters and things for the proc filesystem. */ @@ -38769,7 +38856,7 @@ index 03f4189..e79f5e0 100644 struct task_struct *thread; -@@ -289,9 +289,9 @@ struct smi_info { +@@ -292,9 +292,9 @@ struct smi_info { }; #define smi_inc_stat(smi, stat) \ @@ -38781,7 +38868,7 @@ index 03f4189..e79f5e0 100644 #define SI_MAX_PARMS 4 -@@ -3339,7 +3339,7 @@ static int try_smi_init(struct smi_info *new_smi) +@@ -3349,7 +3349,7 @@ static int try_smi_init(struct smi_info *new_smi) atomic_set(&new_smi->req_events, 0); new_smi->run_to_completion = 0; for (i = 0; i < SI_NUM_STATS; i++) @@ -39505,10 +39592,10 @@ index 18d4091..434be15 100644 } EXPORT_SYMBOL_GPL(od_unregister_powersave_bias_handler); diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c -index 2cd36b9..8f07fae 100644 +index 9ac3783..652b033 100644 --- a/drivers/cpufreq/intel_pstate.c +++ b/drivers/cpufreq/intel_pstate.c -@@ -124,10 +124,10 @@ struct pstate_funcs { +@@ -126,10 +126,10 @@ struct pstate_funcs { struct cpu_defaults { struct pstate_adjust_policy pid_policy; struct pstate_funcs funcs; @@ -39521,7 +39608,7 @@ index 2cd36b9..8f07fae 100644 struct perf_limits { int no_turbo; -@@ -518,7 +518,7 @@ static void intel_pstate_set_pstate(struct cpudata *cpu, int pstate) +@@ -527,7 +527,7 @@ static void intel_pstate_set_pstate(struct cpudata *cpu, int pstate) cpu->pstate.current_pstate = pstate; 
@@ -39530,7 +39617,7 @@ index 2cd36b9..8f07fae 100644 } static inline void intel_pstate_pstate_increase(struct cpudata *cpu, int steps) -@@ -540,12 +540,12 @@ static void intel_pstate_get_cpu_pstates(struct cpudata *cpu) +@@ -549,12 +549,12 @@ static void intel_pstate_get_cpu_pstates(struct cpudata *cpu) { sprintf(cpu->name, "Intel 2nd generation core"); @@ -39545,10 +39632,10 @@ index 2cd36b9..8f07fae 100644 - pstate_funcs.get_vid(cpu); + if (pstate_funcs->get_vid) + pstate_funcs->get_vid(cpu); + intel_pstate_set_pstate(cpu, cpu->pstate.min_pstate); + } - /* - * goto max pstate so we don't slow up boot if we are built-in if we are -@@ -832,9 +832,9 @@ static int intel_pstate_msrs_not_valid(void) +@@ -830,9 +830,9 @@ static int intel_pstate_msrs_not_valid(void) rdmsrl(MSR_IA32_APERF, aperf); rdmsrl(MSR_IA32_MPERF, mperf); @@ -39561,7 +39648,7 @@ index 2cd36b9..8f07fae 100644 return -ENODEV; rdmsrl(MSR_IA32_APERF, tmp); -@@ -848,7 +848,7 @@ static int intel_pstate_msrs_not_valid(void) +@@ -846,7 +846,7 @@ static int intel_pstate_msrs_not_valid(void) return 0; } @@ -39570,7 +39657,7 @@ index 2cd36b9..8f07fae 100644 { pid_params.sample_rate_ms = policy->sample_rate_ms; pid_params.p_gain_pct = policy->p_gain_pct; -@@ -860,11 +860,7 @@ static void copy_pid_params(struct pstate_adjust_policy *policy) +@@ -858,11 +858,7 @@ static void copy_pid_params(struct pstate_adjust_policy *policy) static void copy_cpu_funcs(struct pstate_funcs *funcs) { @@ -40657,10 +40744,10 @@ index 3c59584..500f2e9 100644 return ret; diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c -index d554169..f4426bb 100644 +index 4050450..f67c5c1 100644 --- a/drivers/gpu/drm/i915/i915_irq.c +++ b/drivers/gpu/drm/i915/i915_irq.c -@@ -1438,7 +1438,7 @@ static irqreturn_t valleyview_irq_handler(int irq, void *arg) +@@ -1448,7 +1448,7 @@ static irqreturn_t valleyview_irq_handler(int irq, void *arg) int pipe; u32 pipe_stats[I915_MAX_PIPES]; 
@@ -40669,7 +40756,7 @@ index d554169..f4426bb 100644 while (true) { iir = I915_READ(VLV_IIR); -@@ -1751,7 +1751,7 @@ static irqreturn_t ironlake_irq_handler(int irq, void *arg) +@@ -1761,7 +1761,7 @@ static irqreturn_t ironlake_irq_handler(int irq, void *arg) u32 de_iir, gt_iir, de_ier, sde_ier = 0; irqreturn_t ret = IRQ_NONE; @@ -40678,7 +40765,7 @@ index d554169..f4426bb 100644 /* We get interrupts on unclaimed registers, so check for this before we * do any I915_{READ,WRITE}. */ -@@ -1821,7 +1821,7 @@ static irqreturn_t gen8_irq_handler(int irq, void *arg) +@@ -1831,7 +1831,7 @@ static irqreturn_t gen8_irq_handler(int irq, void *arg) uint32_t tmp = 0; enum pipe pipe; @@ -40687,7 +40774,7 @@ index d554169..f4426bb 100644 master_ctl = I915_READ(GEN8_MASTER_IRQ); master_ctl &= ~GEN8_MASTER_IRQ_CONTROL; -@@ -2645,7 +2645,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev) +@@ -2655,7 +2655,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev) { drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; @@ -40696,7 +40783,7 @@ index d554169..f4426bb 100644 I915_WRITE(HWSTAM, 0xeffe); -@@ -2663,7 +2663,7 @@ static void valleyview_irq_preinstall(struct drm_device *dev) +@@ -2673,7 +2673,7 @@ static void valleyview_irq_preinstall(struct drm_device *dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -40705,7 +40792,7 @@ index d554169..f4426bb 100644 /* VLV magic */ I915_WRITE(VLV_IMR, 0); -@@ -2694,7 +2694,7 @@ static void gen8_irq_preinstall(struct drm_device *dev) +@@ -2704,7 +2704,7 @@ static void gen8_irq_preinstall(struct drm_device *dev) struct drm_i915_private *dev_priv = dev->dev_private; int pipe; 
@@ -40714,7 +40801,7 @@ index d554169..f4426bb 100644 I915_WRITE(GEN8_MASTER_IRQ, 0); POSTING_READ(GEN8_MASTER_IRQ); -@@ -3018,7 +3018,7 @@ static void gen8_irq_uninstall(struct drm_device *dev) +@@ -3028,7 +3028,7 @@ static void gen8_irq_uninstall(struct drm_device *dev) if (!dev_priv) return; @@ -40723,7 +40810,7 @@ index d554169..f4426bb 100644 I915_WRITE(GEN8_MASTER_IRQ, 0); -@@ -3112,7 +3112,7 @@ static void i8xx_irq_preinstall(struct drm_device * dev) +@@ -3122,7 +3122,7 @@ static void i8xx_irq_preinstall(struct drm_device * dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -40732,7 +40819,7 @@ index d554169..f4426bb 100644 for_each_pipe(pipe) I915_WRITE(PIPESTAT(pipe), 0); -@@ -3198,7 +3198,7 @@ static irqreturn_t i8xx_irq_handler(int irq, void *arg) +@@ -3208,7 +3208,7 @@ static irqreturn_t i8xx_irq_handler(int irq, void *arg) I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT | I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT; @@ -40741,7 +40828,7 @@ index d554169..f4426bb 100644 iir = I915_READ16(IIR); if (iir == 0) -@@ -3277,7 +3277,7 @@ static void i915_irq_preinstall(struct drm_device * dev) +@@ -3287,7 +3287,7 @@ static void i915_irq_preinstall(struct drm_device * dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -40750,7 +40837,7 @@ index d554169..f4426bb 100644 if (I915_HAS_HOTPLUG(dev)) { I915_WRITE(PORT_HOTPLUG_EN, 0); -@@ -3384,7 +3384,7 @@ static irqreturn_t i915_irq_handler(int irq, void *arg) +@@ -3394,7 +3394,7 @@ static irqreturn_t i915_irq_handler(int irq, void *arg) I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT; int pipe, ret = IRQ_NONE; @@ -40759,7 +40846,7 @@ index d554169..f4426bb 100644 iir = I915_READ(IIR); do { -@@ -3511,7 +3511,7 @@ static void i965_irq_preinstall(struct drm_device * dev) +@@ -3521,7 +3521,7 @@ static void i965_irq_preinstall(struct drm_device * dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; 
@@ -40768,7 +40855,7 @@ index d554169..f4426bb 100644 I915_WRITE(PORT_HOTPLUG_EN, 0); I915_WRITE(PORT_HOTPLUG_STAT, I915_READ(PORT_HOTPLUG_STAT)); -@@ -3627,7 +3627,7 @@ static irqreturn_t i965_irq_handler(int irq, void *arg) +@@ -3637,7 +3637,7 @@ static irqreturn_t i965_irq_handler(int irq, void *arg) I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT | I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT; @@ -40778,10 +40865,10 @@ index d554169..f4426bb 100644 iir = I915_READ(IIR); diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index 963639d..ea0c0cb 100644 +index 9d4d837..6836e22 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c -@@ -10787,13 +10787,13 @@ struct intel_quirk { +@@ -10798,13 +10798,13 @@ struct intel_quirk { int subsystem_vendor; int subsystem_device; void (*hook)(struct drm_device *dev); @@ -40797,7 +40884,7 @@ index 963639d..ea0c0cb 100644 static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) { -@@ -10801,18 +10801,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) +@@ -10812,18 +10812,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) return 1; } @@ -41375,10 +41462,10 @@ index 4a85bb6..aaea819 100644 if (regcomp (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) { diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c -index 044bc98..50ced9b 100644 +index 7f370b3..4e92ca6 100644 --- a/drivers/gpu/drm/radeon/radeon_device.c +++ b/drivers/gpu/drm/radeon/radeon_device.c -@@ -1125,7 +1125,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev) +@@ -1128,7 +1128,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev) bool can_switch; spin_lock(&dev->count_lock); @@ -42152,7 +42239,7 @@ index ae208f6..48b6c5b 100644 { sysfs_attr_init(&attr->attr); 
diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c -index bbb0b0d..9fe1332 100644 +index 1599310..cd9525c 100644 --- a/drivers/hwmon/coretemp.c +++ b/drivers/hwmon/coretemp.c @@ -823,7 +823,7 @@ static int coretemp_cpu_callback(struct notifier_block *nfb, @@ -43438,10 +43525,10 @@ index b604564..3f14ae4 100644 return count; diff --git a/drivers/input/serio/serio.c b/drivers/input/serio/serio.c -index 8f4c4ab..5fc8a45 100644 +index b29134d..394deb0 100644 --- a/drivers/input/serio/serio.c +++ b/drivers/input/serio/serio.c -@@ -505,7 +505,7 @@ static void serio_release_port(struct device *dev) +@@ -514,7 +514,7 @@ static void serio_release_port(struct device *dev) */ static void serio_init_port(struct serio *serio) { @@ -43450,7 +43537,7 @@ index 8f4c4ab..5fc8a45 100644 __module_get(THIS_MODULE); -@@ -516,7 +516,7 @@ static void serio_init_port(struct serio *serio) +@@ -525,7 +525,7 @@ static void serio_init_port(struct serio *serio) mutex_init(&serio->drv_mutex); device_initialize(&serio->dev); dev_set_name(&serio->dev, "serio%ld", @@ -43525,7 +43612,7 @@ index 228632c9..edfe331 100644 bool setup_remapped_irq(int irq, struct irq_cfg *cfg, struct irq_chip *chip) diff --git a/drivers/irqchip/irq-gic.c b/drivers/irqchip/irq-gic.c -index 341c601..e5f407e 100644 +index ac2d41b..c657aa4 100644 --- a/drivers/irqchip/irq-gic.c +++ b/drivers/irqchip/irq-gic.c @@ -84,7 +84,7 @@ static u8 gic_cpu_map[NR_GIC_CPU_IF] __read_mostly; @@ -43537,7 +43624,7 @@ index 341c601..e5f407e 100644 .irq_eoi = NULL, .irq_mask = NULL, .irq_unmask = NULL, -@@ -332,7 +332,7 @@ static void gic_handle_cascade_irq(unsigned int irq, struct irq_desc *desc) +@@ -336,7 +336,7 @@ static void gic_handle_cascade_irq(unsigned int irq, struct irq_desc *desc) chained_irq_exit(chip, desc); } @@ -44429,7 +44516,7 @@ index 8c53b09..f1fb2b0 100644 void dm_uevent_add(struct mapped_device *md, struct list_head *elist) 
diff --git a/drivers/md/md.c b/drivers/md/md.c -index 4ad5cc4..0f19664 100644 +index 51c431c..be0fbd6 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -194,10 +194,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev); @@ -44623,10 +44710,10 @@ index 56e24c0..e1c8e1f 100644 "md/raid1:%s: read error corrected " "(%d sectors at %llu on %s)\n", diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index 33fc408..fc61709 100644 +index cb882aa..9bd076e 100644 --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c -@@ -1948,7 +1948,7 @@ static void end_sync_read(struct bio *bio, int error) +@@ -1949,7 +1949,7 @@ static void end_sync_read(struct bio *bio, int error) /* The write handler will notice the lack of * R10BIO_Uptodate and record any errors etc */ @@ -44635,7 +44722,7 @@ index 33fc408..fc61709 100644 &conf->mirrors[d].rdev->corrected_errors); /* for reconstruct, we always reschedule after a read. -@@ -2306,7 +2306,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) +@@ -2307,7 +2307,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) { struct timespec cur_time_mon; unsigned long hours_since_last; @@ -44644,7 +44731,7 @@ index 33fc408..fc61709 100644 ktime_get_ts(&cur_time_mon); -@@ -2328,9 +2328,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) +@@ -2329,9 +2329,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) * overflowing the shift of read_errors by hours_since_last. */ if (hours_since_last >= 8 * sizeof(read_errors)) @@ -44656,7 +44743,7 @@ index 33fc408..fc61709 100644 } static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector, -@@ -2384,8 +2384,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 +@@ -2385,8 +2385,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 return; check_decay_read_errors(mddev, rdev); 
@@ -44667,7 +44754,7 @@ index 33fc408..fc61709 100644 char b[BDEVNAME_SIZE]; bdevname(rdev->bdev, b); -@@ -2393,7 +2393,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 +@@ -2394,7 +2394,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 "md/raid10:%s: %s: Raid device exceeded " "read_error threshold [cur %d:max %d]\n", mdname(mddev), b, @@ -44676,7 +44763,7 @@ index 33fc408..fc61709 100644 printk(KERN_NOTICE "md/raid10:%s: %s: Failing raid device\n", mdname(mddev), b); -@@ -2548,7 +2548,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 +@@ -2549,7 +2549,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 sect + choose_data_offset(r10_bio, rdev)), bdevname(rdev->bdev, b)); @@ -44750,18 +44837,6 @@ index 9b6c3bb..baeb5c7 100644 #if IS_ENABLED(CONFIG_DVB_DIB3000MB) extern struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config, -diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c -index d5a7a13..703560f 100644 ---- a/drivers/media/media-device.c -+++ b/drivers/media/media-device.c -@@ -93,6 +93,7 @@ static long media_device_enum_entities(struct media_device *mdev, - struct media_entity *ent; - struct media_entity_desc u_ent; - -+ memset(&u_ent, 0, sizeof(u_ent)); - if (copy_from_user(&u_ent.id, &uent->id, sizeof(u_ent.id))) - return -EFAULT; - diff --git a/drivers/media/pci/cx88/cx88-video.c b/drivers/media/pci/cx88/cx88-video.c index ed8cb90..5ef7f79 100644 --- a/drivers/media/pci/cx88/cx88-video.c @@ -45096,10 +45171,10 @@ index ae0f56a..ec71784 100644 /* debug */ static int dvb_usb_dw2102_debug; diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c -index b63a5e5..b16a062 100644 +index fca336b..fb70ab7 100644 --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c 
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c -@@ -326,7 +326,7 @@ struct v4l2_buffer32 { +@@ -328,7 +328,7 @@ struct v4l2_buffer32 { __u32 reserved; }; @@ -45108,7 +45183,7 @@ index b63a5e5..b16a062 100644 enum v4l2_memory memory) { void __user *up_pln; -@@ -355,7 +355,7 @@ static int get_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32, +@@ -357,7 +357,7 @@ static int get_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32, return 0; } @@ -45117,7 +45192,7 @@ index b63a5e5..b16a062 100644 enum v4l2_memory memory) { if (copy_in_user(up32, up, 2 * sizeof(__u32)) || -@@ -425,7 +425,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user +@@ -427,7 +427,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user * by passing a very big num_planes value */ uplane = compat_alloc_user_space(num_planes * sizeof(struct v4l2_plane)); @@ -45126,7 +45201,7 @@ index b63a5e5..b16a062 100644 while (--num_planes >= 0) { ret = get_v4l2_plane32(uplane, uplane32, kp->memory); -@@ -496,7 +496,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user +@@ -498,7 +498,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user if (num_planes == 0) return 0; @@ -45135,7 +45210,7 @@ index b63a5e5..b16a062 100644 if (get_user(p, &up->m.planes)) return -EFAULT; uplane32 = compat_ptr(p); -@@ -550,7 +550,7 @@ static int get_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_frame +@@ -552,7 +552,7 @@ static int get_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_frame get_user(kp->capability, &up->capability) || get_user(kp->flags, &up->flags)) return -EFAULT; 
@@ -45144,7 +45219,7 @@ index b63a5e5..b16a062 100644 get_v4l2_pix_format(&kp->fmt, &up->fmt); return 0; } -@@ -656,7 +656,7 @@ static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext +@@ -658,7 +658,7 @@ static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext n * sizeof(struct v4l2_ext_control32))) return -EFAULT; kcontrols = compat_alloc_user_space(n * sizeof(struct v4l2_ext_control)); @@ -45153,7 +45228,7 @@ index b63a5e5..b16a062 100644 while (--n >= 0) { if (copy_in_user(kcontrols, ucontrols, sizeof(*ucontrols))) return -EFAULT; -@@ -678,7 +678,7 @@ static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext +@@ -680,7 +680,7 @@ static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext static int put_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext_controls32 __user *up) { struct v4l2_ext_control32 __user *ucontrols; @@ -45162,7 +45237,7 @@ index b63a5e5..b16a062 100644 int n = kp->count; compat_caddr_t p; -@@ -772,7 +772,7 @@ static int put_v4l2_subdev_edid32(struct v4l2_subdev_edid *kp, struct v4l2_subde +@@ -774,7 +774,7 @@ static int put_v4l2_subdev_edid32(struct v4l2_subdev_edid *kp, struct v4l2_subde put_user(kp->start_block, &up->start_block) || put_user(kp->blocks, &up->blocks) || put_user(tmp, &up->edid) || @@ -45576,18 +45651,6 @@ index d1a22aa..d0f7bf7 100644 static char **event_name; static u8 avg_sample = SAMPLE_16; -diff --git a/drivers/mfd/janz-cmodio.c b/drivers/mfd/janz-cmodio.c -index 81b7d88..95ae998 100644 ---- a/drivers/mfd/janz-cmodio.c -+++ b/drivers/mfd/janz-cmodio.c -@@ -13,6 +13,7 @@ - - #include <linux/kernel.h> - #include <linux/module.h> -+#include <linux/slab.h> - #include <linux/init.h> - #include <linux/pci.h> - #include <linux/interrupt.h> diff --git a/drivers/mfd/max8925-i2c.c b/drivers/mfd/max8925-i2c.c index a83eed5..62a58a9 100644 --- a/drivers/mfd/max8925-i2c.c 
@@ -47611,7 +47674,7 @@ index ea7e70c..bc0c45f 100644 data->sku_cap_band_24GHz_enable ? "" : "NOT", "enabled", data->sku_cap_band_52GHz_enable ? "" : "NOT", "enabled", diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c -index f950780..be9df93 100644 +index 8d42fd9..d923d65 100644 --- a/drivers/net/wireless/iwlwifi/pcie/trans.c +++ b/drivers/net/wireless/iwlwifi/pcie/trans.c @@ -1365,7 +1365,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file, @@ -50169,10 +50232,10 @@ index df5e961..df6b97f 100644 return blk_trace_startstop(sdp->device->request_queue, 1); case BLKTRACESTOP: diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c -index d0b28bb..a263613 100644 +index fbf3b22..f5c8b60 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c -@@ -1971,7 +1971,7 @@ int spi_bus_unlock(struct spi_master *master) +@@ -1980,7 +1980,7 @@ int spi_bus_unlock(struct spi_master *master) EXPORT_SYMBOL_GPL(spi_bus_unlock); /* portable code must never pass more than 32 bytes */ @@ -50734,10 +50797,10 @@ index 24884ca..26c8220 100644 login->tgt_agt = sbp_target_agent_register(login); if (IS_ERR(login->tgt_agt)) { diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c -index 65001e1..2ebfbb9 100644 +index 26416c1..e796a3d 100644 --- a/drivers/target/target_core_device.c +++ b/drivers/target/target_core_device.c -@@ -1520,7 +1520,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name) +@@ -1524,7 +1524,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name) spin_lock_init(&dev->se_tmr_lock); spin_lock_init(&dev->qf_cmd_lock); sema_init(&dev->caw_sem, 1); @@ -50747,10 +50810,10 @@ index 65001e1..2ebfbb9 100644 spin_lock_init(&dev->t10_wwn.t10_vpd_lock); INIT_LIST_HEAD(&dev->t10_pr.registration_list); diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c -index 2956250..b10f722 100644 +index 98b48d4..f4297e5 100644 
--- a/drivers/target/target_core_transport.c +++ b/drivers/target/target_core_transport.c -@@ -1136,7 +1136,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd) +@@ -1137,7 +1137,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd) * Used to determine when ORDERED commands should go from * Dormant to Active status. */ @@ -56373,19 +56436,6 @@ index 370b24c..ff0be7b 100644 ---help--- A.out (Assembler.OUTput) is a set of formats for libraries and executables used in the earliest versions of UNIX. Linux used -diff --git a/fs/affs/super.c b/fs/affs/super.c -index d098731..9a5b19d 100644 ---- a/fs/affs/super.c -+++ b/fs/affs/super.c -@@ -336,8 +336,6 @@ static int affs_fill_super(struct super_block *sb, void *data, int silent) - &blocksize,&sbi->s_prefix, - sbi->s_volume, &mount_flags)) { - printk(KERN_ERR "AFFS: Error parsing options\n"); -- kfree(sbi->s_prefix); -- kfree(sbi); - return -EINVAL; - } - /* N.B. after this point s_prefix must be released */ diff --git a/fs/afs/inode.c b/fs/afs/inode.c index ce25d75..dc09eeb 100644 --- a/fs/afs/inode.c @@ -56409,7 +56459,7 @@ index ce25d75..dc09eeb 100644 &data); if (!inode) { diff --git a/fs/aio.c b/fs/aio.c -index 12a3de0e..25949c1 100644 +index 04cd768..25949c1 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -375,7 +375,7 @@ static int aio_setup_ring(struct kioctx *ctx) @@ -56421,19 +56471,6 @@ index 12a3de0e..25949c1 100644 return -EINVAL; file = aio_private_file(ctx, nr_pages); -@@ -1299,10 +1299,8 @@ rw_common: - &iovec, compat) - : aio_setup_single_vector(req, rw, buf, &nr_segs, - iovec); -- if (ret) -- return ret; -- -- ret = rw_verify_area(rw, file, &req->ki_pos, req->ki_nbytes); -+ if (!ret) -+ ret = rw_verify_area(rw, file, &req->ki_pos, req->ki_nbytes); - if (ret < 0) { - if (iovec != &inline_vec) - kfree(iovec); diff --git a/fs/attr.c b/fs/attr.c index 5d4e59d..fd02418 100644 --- a/fs/attr.c @@ -57905,7 +57942,7 @@ index ebaff36..7e3ea26 100644 kunmap(page); file_end_write(file); 
diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c -index 45eda6d..9126f7f 100644 +index 5e0982a..b7e82bc 100644 --- a/fs/ceph/dir.c +++ b/fs/ceph/dir.c @@ -248,7 +248,7 @@ static int ceph_readdir(struct file *file, struct dir_context *ctx) @@ -58639,27 +58676,10 @@ index e081acb..911df21 100644 /* * We'll have a dentry and an inode for diff --git a/fs/coredump.c b/fs/coredump.c -index e3ad709..836c55f 100644 +index 0b2528f..836c55f 100644 --- a/fs/coredump.c +++ b/fs/coredump.c -@@ -73,10 +73,15 @@ static int expand_corename(struct core_name *cn, int size) - static int cn_vprintf(struct core_name *cn, const char *fmt, va_list arg) - { - int free, need; -+ va_list arg_copy; - - again: - free = cn->size - cn->used; -- need = vsnprintf(cn->corename + cn->used, free, fmt, arg); -+ -+ va_copy(arg_copy, arg); -+ need = vsnprintf(cn->corename + cn->used, free, fmt, arg_copy); -+ va_end(arg_copy); -+ - if (need < free) { - cn->used += need; - return 0; -@@ -437,8 +442,8 @@ static void wait_for_dump_helpers(struct file *file) +@@ -442,8 +442,8 @@ static void wait_for_dump_helpers(struct file *file) struct pipe_inode_info *pipe = file->private_data; pipe_lock(pipe); @@ -58670,7 +58690,7 @@ index e3ad709..836c55f 100644 wake_up_interruptible_sync(&pipe->wait); kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN); pipe_unlock(pipe); -@@ -447,11 +452,11 @@ static void wait_for_dump_helpers(struct file *file) +@@ -452,11 +452,11 @@ static void wait_for_dump_helpers(struct file *file) * We actually want wait_event_freezable() but then we need * to clear TIF_SIGPENDING and improve dump_interrupted(). */ @@ -58685,7 +58705,7 @@ index e3ad709..836c55f 100644 pipe_unlock(pipe); } -@@ -498,7 +503,9 @@ void do_coredump(const siginfo_t *siginfo) +@@ -503,7 +503,9 @@ void do_coredump(const siginfo_t *siginfo) struct files_struct *displaced; bool need_nonrelative = false; bool core_dumped = false; 
@@ -58696,7 +58716,7 @@ index e3ad709..836c55f 100644 struct coredump_params cprm = { .siginfo = siginfo, .regs = signal_pt_regs(), -@@ -511,12 +518,17 @@ void do_coredump(const siginfo_t *siginfo) +@@ -516,12 +518,17 @@ void do_coredump(const siginfo_t *siginfo) .mm_flags = mm->flags, }; @@ -58716,7 +58736,7 @@ index e3ad709..836c55f 100644 goto fail; cred = prepare_creds(); -@@ -535,7 +547,7 @@ void do_coredump(const siginfo_t *siginfo) +@@ -540,7 +547,7 @@ void do_coredump(const siginfo_t *siginfo) need_nonrelative = true; } @@ -58725,7 +58745,7 @@ index e3ad709..836c55f 100644 if (retval < 0) goto fail_creds; -@@ -578,7 +590,7 @@ void do_coredump(const siginfo_t *siginfo) +@@ -583,7 +590,7 @@ void do_coredump(const siginfo_t *siginfo) } cprm.limit = RLIM_INFINITY; @@ -58734,7 +58754,7 @@ index e3ad709..836c55f 100644 if (core_pipe_limit && (core_pipe_limit < dump_count)) { printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", task_tgid_vnr(current), current->comm); -@@ -610,6 +622,8 @@ void do_coredump(const siginfo_t *siginfo) +@@ -615,6 +622,8 @@ void do_coredump(const siginfo_t *siginfo) } else { struct inode *inode; @@ -58743,7 +58763,7 @@ index e3ad709..836c55f 100644 if (cprm.limit < binfmt->min_coredump) goto fail_unlock; -@@ -668,7 +682,7 @@ close_fail: +@@ -673,7 +682,7 @@ close_fail: filp_close(cprm.file, NULL); fail_dropcount: if (ispipe) @@ -58752,7 +58772,7 @@ index e3ad709..836c55f 100644 fail_unlock: kfree(cn.corename); coredump_finish(mm, core_dumped); -@@ -689,6 +703,8 @@ int dump_emit(struct coredump_params *cprm, const void *addr, int nr) +@@ -694,6 +703,8 @@ int dump_emit(struct coredump_params *cprm, const void *addr, int nr) struct file *file = cprm->file; loff_t pos = file->f_pos; ssize_t n; @@ -58762,7 +58782,7 @@ index e3ad709..836c55f 100644 return 0; while (nr) { diff --git a/fs/dcache.c b/fs/dcache.c -index ca02c13..7e2b581 100644 +index 7f3b400..9c911f2 100644 --- a/fs/dcache.c +++ b/fs/dcache.c 
@@ -1495,7 +1495,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) @@ -58774,7 +58794,7 @@ index ca02c13..7e2b581 100644 if (!dname) { kmem_cache_free(dentry_cache, dentry); return NULL; -@@ -3431,7 +3431,8 @@ void __init vfs_caches_init(unsigned long mempages) +@@ -3430,7 +3430,8 @@ void __init vfs_caches_init(unsigned long mempages) mempages -= reserve; names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0, @@ -58827,7 +58847,7 @@ index e4141f2..d8263e8 100644 i += packet_length_size; if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)) diff --git a/fs/exec.c b/fs/exec.c -index 3d78fcc..6b2fd70 100644 +index 31e46b1..f5c70a3 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,8 +55,20 @@ @@ -59318,7 +59338,7 @@ index 3d78fcc..6b2fd70 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1626,3 +1801,311 @@ asmlinkage long compat_sys_execve(const char __user * filename, +@@ -1626,3 +1801,312 @@ asmlinkage long compat_sys_execve(const char __user * filename, return compat_do_execve(getname(filename), argv, envp); } #endif @@ -59574,8 +59594,9 @@ index 3d78fcc..6b2fd70 100644 + +#ifndef CONFIG_STACK_GROWSUP + unsigned long stackstart = (unsigned long)task_stack_page(current); -+ if (unlikely(current_stack_pointer < stackstart + 512 || -+ current_stack_pointer >= stackstart + THREAD_SIZE)) ++ unsigned long currentsp = (unsigned long)&stackstart; ++ if (unlikely(currentsp < stackstart + 512 || ++ currentsp >= stackstart + THREAD_SIZE)) + BUG(); +#endif + @@ -61703,7 +61724,7 @@ index 39c0143..d54fad4 100644 unsigned long hash = init_name_hash(); unsigned int len = strlen(name); diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c -index dbf397b..d624b48 100644 +index d29640b..32d2b6b 100644 --- a/fs/kernfs/file.c +++ b/fs/kernfs/file.c @@ -33,7 +33,7 @@ static DEFINE_MUTEX(kernfs_open_file_mutex); 
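Review bot: The stack-bounds check in the fs/exec.c addition now takes its stack pointer from the address of a local, `unsigned long currentsp = (unsigned long)&stackstart;`, and nothing in the hunk says why `current_stack_pointer` was dropped or what the 512-byte margin represents. Under `#ifndef CONFIG_STACK_GROWSUP` the real stack pointer sits at or below that address, so the lower-bound test `currentsp < stackstart + 512` is slightly optimistic. I would put a comment above the declaration, for example `/* &stackstart approximates sp: it lies in this frame, at or above the live stack pointer */`, and name the 512 as a guard margin. The enclosing function starts and ends outside this hunk.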
@@ -61740,7 +61761,7 @@ index dbf397b..d624b48 100644 if (!of->vm_ops) return -EINVAL; -@@ -557,7 +557,7 @@ static int kernfs_get_open_node(struct kernfs_node *kn, +@@ -559,7 +559,7 @@ static int kernfs_get_open_node(struct kernfs_node *kn, return -ENOMEM; atomic_set(&new_on->refcnt, 0); @@ -61749,7 +61770,7 @@ index dbf397b..d624b48 100644 init_waitqueue_head(&new_on->poll); INIT_LIST_HEAD(&new_on->files); goto retry; -@@ -754,7 +754,7 @@ static unsigned int kernfs_fop_poll(struct file *filp, poll_table *wait) +@@ -756,7 +756,7 @@ static unsigned int kernfs_fop_poll(struct file *filp, poll_table *wait) kernfs_put_active(kn); @@ -61758,7 +61779,7 @@ index dbf397b..d624b48 100644 goto trigger; return DEFAULT_POLLMASK; -@@ -779,7 +779,7 @@ void kernfs_notify(struct kernfs_node *kn) +@@ -781,7 +781,7 @@ void kernfs_notify(struct kernfs_node *kn) if (!WARN_ON(kernfs_type(kn) != KERNFS_FILE)) { on = kn->attr.open; if (on) { @@ -61883,7 +61904,7 @@ index b29e42f..5ea7fdf 100644 #define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */ diff --git a/fs/namei.c b/fs/namei.c -index 4b491b4..a0166f9 100644 +index 4a3c105..0d718f4 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -330,16 +330,32 @@ int generic_permission(struct inode *inode, int mask) @@ -63333,7 +63354,7 @@ index 78fd0d0..f71fc09 100644 ret = -ERESTARTSYS; goto err; diff --git a/fs/posix_acl.c b/fs/posix_acl.c -index 9e363e4..d936d15 100644 +index 0855f77..6787d50 100644 --- a/fs/posix_acl.c +++ b/fs/posix_acl.c @@ -20,6 +20,7 @@ @@ -63344,7 +63365,7 @@ index 9e363e4..d936d15 100644 struct posix_acl **acl_by_type(struct inode *inode, int type) { -@@ -271,7 +272,7 @@ posix_acl_equiv_mode(const struct posix_acl *acl, umode_t *mode_p) +@@ -277,7 +278,7 @@ posix_acl_equiv_mode(const struct posix_acl *acl, umode_t *mode_p) } } if (mode_p) 
@@ -63353,7 +63374,7 @@ index 9e363e4..d936d15 100644 return not_equiv; } EXPORT_SYMBOL(posix_acl_equiv_mode); -@@ -421,7 +422,7 @@ static int posix_acl_create_masq(struct posix_acl *acl, umode_t *mode_p) +@@ -427,7 +428,7 @@ static int posix_acl_create_masq(struct posix_acl *acl, umode_t *mode_p) mode &= (group_obj->e_perm << 3) | ~S_IRWXG; } @@ -63362,7 +63383,7 @@ index 9e363e4..d936d15 100644 return not_equiv; } -@@ -479,6 +480,8 @@ __posix_acl_create(struct posix_acl **acl, gfp_t gfp, umode_t *mode_p) +@@ -485,6 +486,8 @@ __posix_acl_create(struct posix_acl **acl, gfp_t gfp, umode_t *mode_p) struct posix_acl *clone = posix_acl_clone(*acl, gfp); int err = -ENOMEM; if (clone) { @@ -63371,7 +63392,7 @@ index 9e363e4..d936d15 100644 err = posix_acl_create_masq(clone, mode_p); if (err < 0) { posix_acl_release(clone); -@@ -653,11 +656,12 @@ struct posix_acl * +@@ -659,11 +662,12 @@ struct posix_acl * posix_acl_from_xattr(struct user_namespace *user_ns, const void *value, size_t size) { @@ -63386,7 +63407,7 @@ index 9e363e4..d936d15 100644 if (!value) return NULL; -@@ -683,12 +687,18 @@ posix_acl_from_xattr(struct user_namespace *user_ns, +@@ -689,12 +693,18 @@ posix_acl_from_xattr(struct user_namespace *user_ns, switch(acl_e->e_tag) { case ACL_USER_OBJ: @@ -63405,7 +63426,7 @@ index 9e363e4..d936d15 100644 acl_e->e_uid = make_kuid(user_ns, le32_to_cpu(entry->e_id)); -@@ -696,6 +706,7 @@ posix_acl_from_xattr(struct user_namespace *user_ns, +@@ -702,6 +712,7 @@ posix_acl_from_xattr(struct user_namespace *user_ns, goto fail; break; case ACL_GROUP: 
@@ -65674,25 +65695,6 @@ index ee0d761..b346c58 100644 return PTR_ERR(kn); } -diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c -index 810cf6e..5fd2bf1 100644 ---- a/fs/sysfs/file.c -+++ b/fs/sysfs/file.c -@@ -47,12 +47,13 @@ static int sysfs_kf_seq_show(struct seq_file *sf, void *v) - ssize_t count; - char *buf; - -- /* acquire buffer and ensure that it's >= PAGE_SIZE */ -+ /* acquire buffer and ensure that it's >= PAGE_SIZE and clear */ - count = seq_get_buf(sf, &buf); - if (count < PAGE_SIZE) { - seq_commit(sf, -1); - return 0; - } -+ memset(buf, 0, PAGE_SIZE); - - /* - * Invoke show(). Control may reach here via seq file lseek even diff --git a/fs/sysv/sysv.h b/fs/sysv/sysv.h index 69d4889..a810bd4 100644 --- a/fs/sysv/sysv.h @@ -77326,6 +77328,19 @@ index b18ce4f..2ee2843 100644 +#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n)) + #endif /* _ASM_GENERIC_ATOMIC64_H */ +diff --git a/include/asm-generic/barrier.h b/include/asm-generic/barrier.h +index 6f692f8..2ad9dd2 100644 +--- a/include/asm-generic/barrier.h ++++ b/include/asm-generic/barrier.h +@@ -66,7 +66,7 @@ + do { \ + compiletime_assert_atomic_type(*p); \ + smp_mb(); \ +- ACCESS_ONCE(*p) = (v); \ ++ ACCESS_ONCE_RW(*p) = (v); \ + } while (0) + + #define smp_load_acquire(p) \ diff --git a/include/asm-generic/bitops/__fls.h b/include/asm-generic/bitops/__fls.h index a60a7cc..0fe12f2 100644 --- a/include/asm-generic/bitops/__fls.h @@ -78460,10 +78475,10 @@ index fd4aee2..1f28db9 100644 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1)) diff --git a/include/linux/dmaengine.h b/include/linux/dmaengine.h -index c5c92d5..6a5c2b2 100644 +index 0a5f552..6661a5a 100644 --- a/include/linux/dmaengine.h +++ b/include/linux/dmaengine.h -@@ -1150,9 +1150,9 @@ struct dma_pinned_list { +@@ -1151,9 +1151,9 @@ struct dma_pinned_list { struct dma_pinned_list *dma_pin_iovec_pages(struct iovec *iov, size_t len); void dma_unpin_iovec_pages(struct dma_pinned_list* pinned_list); 
@@ -80289,10 +80304,10 @@ index 6df7f9f..d0bf699 100644 .files = &init_files, \ .signal = &init_signals, \ diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h -index a2678d3..e411b1b 100644 +index 203c43d..605836b 100644 --- a/include/linux/interrupt.h +++ b/include/linux/interrupt.h -@@ -373,8 +373,8 @@ extern const char * const softirq_to_name[NR_SOFTIRQS]; +@@ -411,8 +411,8 @@ extern const char * const softirq_to_name[NR_SOFTIRQS]; struct softirq_action { @@ -80303,7 +80318,7 @@ index a2678d3..e411b1b 100644 asmlinkage void do_softirq(void); asmlinkage void __do_softirq(void); -@@ -388,7 +388,7 @@ static inline void do_softirq_own_stack(void) +@@ -426,7 +426,7 @@ static inline void do_softirq_own_stack(void) } #endif @@ -80352,7 +80367,7 @@ index 35e7eca..6afb7ad 100644 extern struct ipc_namespace init_ipc_ns; extern atomic_t nr_ipc_ns; diff --git a/include/linux/irq.h b/include/linux/irq.h -index 7dc1003..407327b 100644 +index ef1ac9f..e1db06c 100644 --- a/include/linux/irq.h +++ b/include/linux/irq.h @@ -338,7 +338,8 @@ struct irq_chip { @@ -83711,7 +83726,7 @@ index c55aeed..b3393f4 100644 /** inet_connection_sock - INET connection oriented sock * diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h -index 6efe73c..fa94270 100644 +index 6efe73c..1a44af7 100644 --- a/include/net/inetpeer.h +++ b/include/net/inetpeer.h @@ -47,8 +47,8 @@ struct inet_peer { @@ -83725,12 +83740,11 @@ index 6efe73c..fa94270 100644 }; struct rcu_head rcu; struct inet_peer *gc_next; -@@ -177,16 +177,13 @@ static inline void inet_peer_refcheck(const struct inet_peer *p) +@@ -177,16 +177,9 @@ static inline void inet_peer_refcheck(const struct inet_peer *p) /* can be called with or without local BH being disabled */ static inline int inet_getid(struct inet_peer *p, int more) { - int old, new; -+ int id; more++; inet_peer_refcheck(p); - do { 
@@ -83740,10 +83754,7 @@ index 6efe73c..fa94270 100644 - new = 1; - } while (atomic_cmpxchg(&p->ip_id_count, old, new) != old); - return new; -+ id = atomic_add_return_unchecked(more, &p->ip_id_count); -+ if (!id) -+ id = atomic_inc_return_unchecked(&p->ip_id_count); -+ return id; ++ return atomic_add_return_unchecked(more, &p->ip_id_count) - more; } #endif /* _NET_INETPEER_H */ @@ -85741,10 +85752,68 @@ index d5f31c1..06646e1 100644 s.version = AUDIT_VERSION_LATEST; s.backlog_wait_time = audit_backlog_wait_time; diff --git a/kernel/auditsc.c b/kernel/auditsc.c -index 3b29605..f6c85d0 100644 +index 3b29605..3604797 100644 --- a/kernel/auditsc.c 
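Review bot: `inet_getid()` now ends in `return atomic_add_return_unchecked(more, &p->ip_id_count) - more;`, which returns the counter value from before the add and no longer skips zero. The previous revision's replacement carried `if (!id) id = atomic_inc_return_unchecked(&p->ip_id_count);`, and the removed cmpxchg loop has a `new = 1` fallback, so both avoided handing out 0. If callers outside this hunk still expect a non-zero id, the zero check should stay. If 0 is acceptable, a one-line comment such as `/* returns the first id of the reserved block; 0 is a valid result */` would record that the change is deliberate. The start of the function body is in the preceding hunk.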
+++ b/kernel/auditsc.c -@@ -1945,7 +1945,7 @@ int auditsc_get_stamp(struct audit_context *ctx, +@@ -720,6 +720,22 @@ static enum audit_state audit_filter_task(struct task_struct *tsk, char **key) + return AUDIT_BUILD_CONTEXT; + } + ++static int audit_in_mask(const struct audit_krule *rule, unsigned long val) ++{ ++ int word, bit; ++ ++ if (val > 0xffffffff) ++ return false; ++ ++ word = AUDIT_WORD(val); ++ if (word >= AUDIT_BITMASK_SIZE) ++ return false; ++ ++ bit = AUDIT_BIT(val); ++ ++ return rule->mask[word] & bit; ++} ++ + /* At syscall entry and exit time, this filter is called if the + * audit_state is not low enough that auditing cannot take place, but is + * also not high enough that we already know we have to write an audit +@@ -737,11 +753,8 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk, + + rcu_read_lock(); + if (!list_empty(list)) { +- int word = AUDIT_WORD(ctx->major); +- int bit = AUDIT_BIT(ctx->major); +- + list_for_each_entry_rcu(e, list, list) { +- if ((e->rule.mask[word] & bit) == bit && ++ if (audit_in_mask(&e->rule, ctx->major) && + audit_filter_rules(tsk, &e->rule, ctx, NULL, + &state, false)) { + rcu_read_unlock(); +@@ -761,20 +774,16 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk, + static int audit_filter_inode_name(struct task_struct *tsk, + struct audit_names *n, + struct audit_context *ctx) { +- int word, bit; + int h = audit_hash_ino((u32)n->ino); + struct list_head *list = &audit_inode_hash[h]; + struct audit_entry *e; + enum audit_state state; + +- word = AUDIT_WORD(ctx->major); +- bit = AUDIT_BIT(ctx->major); +- + if (list_empty(list)) + return 0; + + list_for_each_entry_rcu(e, list, list) { +- if ((e->rule.mask[word] & bit) == bit && ++ if (audit_in_mask(&e->rule, ctx->major) && + audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) { + ctx->current_state = state; + return 1; +@@ -1945,7 +1954,7 @@ int auditsc_get_stamp(struct audit_context *ctx, } /* global counter which is 
incremented every time something logs in */ @@ -85753,7 +85822,7 @@ index 3b29605..f6c85d0 100644 static int audit_set_loginuid_perm(kuid_t loginuid) { -@@ -2014,7 +2014,7 @@ int audit_set_loginuid(kuid_t loginuid) +@@ -2014,7 +2023,7 @@ int audit_set_loginuid(kuid_t loginuid) /* are we setting or clearing? */ if (uid_valid(loginuid)) @@ -86897,7 +86966,7 @@ index a17621c..d9e4b37 100644 else new_fs = fs; diff --git a/kernel/futex.c b/kernel/futex.c -index 6801b37..c0f67cf 100644 +index e3087af..8e3b90f 100644 --- a/kernel/futex.c +++ b/kernel/futex.c @@ -54,6 +54,7 @@ 
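Review bot: `audit_in_mask()` is the only place that keeps `rule->mask[word]` inside the bitmask, through `val > 0xffffffff` and `word >= AUDIT_BITMASK_SIZE`, but it has no comment saying so. A later cleanup could fold the checks away without noticing that both `audit_filter_syscall()` and `audit_filter_inode_name()` rely on them. I would add `/* true if syscall number val is set in rule->mask; numbers outside the bitmask are rejected, never used as an index */` above it. The helper is also declared `static int` while returning `false` and a raw masked word; `static bool audit_in_mask(...)` with `return (rule->mask[word] & bit) != 0;` states the contract and avoids relying on the truncation of a `mask & bit` result into `int`. Presumably `ctx->major` is a signed syscall number, which is what makes the upper-bound test necessary, but its declaration is outside this hunk.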
@@ -86947,326 +87016,7 @@ index 6801b37..c0f67cf 100644 pagefault_disable(); ret = __copy_from_user_inatomic(dest, from, sizeof(u32)); -@@ -729,6 +735,55 @@ void exit_pi_state_list(struct task_struct *curr) - raw_spin_unlock_irq(&curr->pi_lock); - } - -+/* -+ * We need to check the following states: -+ * -+ * Waiter | pi_state | pi->owner | uTID | uODIED | ? -+ * -+ * [1] NULL | --- | --- | 0 | 0/1 | Valid -+ * [2] NULL | --- | --- | >0 | 0/1 | Valid -+ * -+ * [3] Found | NULL | -- | Any | 0/1 | Invalid -+ * -+ * [4] Found | Found | NULL | 0 | 1 | Valid -+ * [5] Found | Found | NULL | >0 | 1 | Invalid -+ * -+ * [6] Found | Found | task | 0 | 1 | Valid -+ * -+ * [7] Found | Found | NULL | Any | 0 | Invalid -+ * -+ * [8] Found | Found | task | ==taskTID | 0/1 | Valid -+ * [9] Found | Found | task | 0 | 0 | Invalid -+ * [10] Found | Found | task | !=taskTID | 0/1 | Invalid -+ * -+ * [1] Indicates that the kernel can acquire the futex atomically. We -+ * came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit. -+ * -+ * [2] Valid, if TID does not belong to a kernel thread. If no matching -+ * thread is found then it indicates that the owner TID has died. -+ * -+ * [3] Invalid. The waiter is queued on a non PI futex -+ * -+ * [4] Valid state after exit_robust_list(), which sets the user space -+ * value to FUTEX_WAITERS | FUTEX_OWNER_DIED. -+ * -+ * [5] The user space value got manipulated between exit_robust_list() -+ * and exit_pi_state_list() -+ * -+ * [6] Valid state after exit_pi_state_list() which sets the new owner in -+ * the pi_state but cannot access the user space value. -+ * -+ * [7] pi_state->owner can only be NULL when the OWNER_DIED bit is set. -+ * -+ * [8] Owner and user space value match -+ * -+ * [9] There is no transient state which sets the user space TID to 0 -+ * except exit_robust_list(), but this is indicated by the -+ * FUTEX_OWNER_DIED bit. 
See [4] -+ * -+ * [10] There is no transient state which leaves owner and user space -+ * TID out of sync. -+ */ - static int - lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, - union futex_key *key, struct futex_pi_state **ps) -@@ -741,12 +796,13 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, - plist_for_each_entry_safe(this, next, &hb->chain, list) { - if (match_futex(&this->key, key)) { - /* -- * Another waiter already exists - bump up -- * the refcount and return its pi_state: -+ * Sanity check the waiter before increasing -+ * the refcount and attaching to it. - */ - pi_state = this->pi_state; - /* -- * Userspace might have messed up non-PI and PI futexes -+ * Userspace might have messed up non-PI and -+ * PI futexes [3] - */ - if (unlikely(!pi_state)) - return -EINVAL; -@@ -754,34 +810,70 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, - WARN_ON(!atomic_read(&pi_state->refcount)); - - /* -- * When pi_state->owner is NULL then the owner died -- * and another waiter is on the fly. pi_state->owner -- * is fixed up by the task which acquires -- * pi_state->rt_mutex. -- * -- * We do not check for pid == 0 which can happen when -- * the owner died and robust_list_exit() cleared the -- * TID. -+ * Handle the owner died case: - */ -- if (pid && pi_state->owner) { -+ if (uval & FUTEX_OWNER_DIED) { - /* -- * Bail out if user space manipulated the -- * futex value. -+ * exit_pi_state_list sets owner to NULL and -+ * wakes the topmost waiter. The task which -+ * acquires the pi_state->rt_mutex will fixup -+ * owner. - */ -- if (pid != task_pid_vnr(pi_state->owner)) -+ if (!pi_state->owner) { -+ /* -+ * No pi state owner, but the user -+ * space TID is not 0. Inconsistent -+ * state. [5] -+ */ -+ if (pid) -+ return -EINVAL; -+ /* -+ * Take a ref on the state and -+ * return. 
[4] -+ */ -+ goto out_state; -+ } -+ -+ /* -+ * If TID is 0, then either the dying owner -+ * has not yet executed exit_pi_state_list() -+ * or some waiter acquired the rtmutex in the -+ * pi state, but did not yet fixup the TID in -+ * user space. -+ * -+ * Take a ref on the state and return. [6] -+ */ -+ if (!pid) -+ goto out_state; -+ } else { -+ /* -+ * If the owner died bit is not set, -+ * then the pi_state must have an -+ * owner. [7] -+ */ -+ if (!pi_state->owner) - return -EINVAL; - } - -+ /* -+ * Bail out if user space manipulated the -+ * futex value. If pi state exists then the -+ * owner TID must be the same as the user -+ * space TID. [9/10] -+ */ -+ if (pid != task_pid_vnr(pi_state->owner)) -+ return -EINVAL; -+ -+ out_state: - atomic_inc(&pi_state->refcount); - *ps = pi_state; -- - return 0; - } - } - - /* - * We are the first waiter - try to look up the real owner and attach -- * the new pi_state to it, but bail out when TID = 0 -+ * the new pi_state to it, but bail out when TID = 0 [1] - */ - if (!pid) - return -ESRCH; -@@ -789,6 +881,11 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, - if (!p) - return -ESRCH; - -+ if (!p->mm) { -+ put_task_struct(p); -+ return -EPERM; -+ } -+ - /* - * We need to look at the task state flags to figure out, - * whether the task is exiting. To protect against the do_exit -@@ -809,6 +906,9 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, - return ret; - } - -+ /* -+ * No existing pi state. First waiter. [2] -+ */ - pi_state = alloc_pi_state(); - - /* -@@ -880,10 +980,18 @@ retry: - return -EDEADLK; - - /* -- * Surprise - we got the lock. Just return to userspace: -+ * Surprise - we got the lock, but we do not trust user space at all. - */ -- if (unlikely(!curval)) -- return 1; -+ if (unlikely(!curval)) { -+ /* -+ * We verify whether there is kernel state for this -+ * futex. If not, we can safely assume, that the 0 -> -+ * TID transition is correct. 
If state exists, we do -+ * not bother to fixup the user space state as it was -+ * corrupted already. -+ */ -+ return futex_top_waiter(hb, key) ? -EINVAL : 1; -+ } - - uval = curval; - -@@ -1014,6 +1122,7 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this) - struct task_struct *new_owner; - struct futex_pi_state *pi_state = this->pi_state; - u32 uninitialized_var(curval), newval; -+ int ret = 0; - - if (!pi_state) - return -EINVAL; -@@ -1037,23 +1146,19 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this) - new_owner = this->task; - - /* -- * We pass it to the next owner. (The WAITERS bit is always -- * kept enabled while there is PI state around. We must also -- * preserve the owner died bit.) -+ * We pass it to the next owner. The WAITERS bit is always -+ * kept enabled while there is PI state around. We cleanup the -+ * owner died bit, because we are the owner. - */ -- if (!(uval & FUTEX_OWNER_DIED)) { -- int ret = 0; -+ newval = FUTEX_WAITERS | task_pid_vnr(new_owner); - -- newval = FUTEX_WAITERS | task_pid_vnr(new_owner); -- -- if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) -- ret = -EFAULT; -- else if (curval != uval) -- ret = -EINVAL; -- if (ret) { -- raw_spin_unlock(&pi_state->pi_mutex.wait_lock); -- return ret; -- } -+ if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) -+ ret = -EFAULT; -+ else if (curval != uval) -+ ret = -EINVAL; -+ if (ret) { -+ raw_spin_unlock(&pi_state->pi_mutex.wait_lock); -+ return ret; - } - - raw_spin_lock_irq(&pi_state->owner->pi_lock); -@@ -1411,6 +1516,13 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags, - - if (requeue_pi) { - /* -+ * Requeue PI only works on two distinct uaddrs. This -+ * check is only valid for private futexes. See below. -+ */ -+ if (uaddr1 == uaddr2) -+ return -EINVAL; -+ -+ /* - * requeue_pi requires a pi_state, try to allocate it now - * without any locks in case it fails. 
- */ -@@ -1448,6 +1560,15 @@ retry: - if (unlikely(ret != 0)) - goto out_put_key1; - -+ /* -+ * The check above which compares uaddrs is not sufficient for -+ * shared futexes. We need to compare the keys: -+ */ -+ if (requeue_pi && match_futex(&key1, &key2)) { -+ ret = -EINVAL; -+ goto out_put_keys; -+ } -+ - hb1 = hash_futex(&key1); - hb2 = hash_futex(&key2); - -@@ -2287,9 +2408,10 @@ retry: - /* - * To avoid races, try to do the TID -> 0 atomic transition - * again. If it succeeds then we can return without waking -- * anyone else up: -+ * anyone else up. We only try this if neither the waiters nor -+ * the owner died bit are set. - */ -- if (!(uval & FUTEX_OWNER_DIED) && -+ if (!(uval & ~FUTEX_TID_MASK) && - cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0)) - goto pi_faulted; - /* -@@ -2319,11 +2441,9 @@ retry: - /* - * No waiters - kernel unlocks the futex: - */ -- if (!(uval & FUTEX_OWNER_DIED)) { -- ret = unlock_futex_pi(uaddr, uval); -- if (ret == -EFAULT) -- goto pi_faulted; -- } -+ ret = unlock_futex_pi(uaddr, uval); -+ if (ret == -EFAULT) -+ goto pi_faulted; - - out_unlock: - spin_unlock(&hb->lock); -@@ -2485,6 +2605,15 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags, - if (ret) - goto out_key2; - -+ /* -+ * The check above which compares uaddrs is not sufficient for -+ * shared futexes. We need to compare the keys: -+ */ -+ if (match_futex(&q.key, &key2)) { -+ ret = -EINVAL; -+ goto out_put_keys; -+ } -+ - /* Queue the futex_q, drop the hb lock, wait for wakeup. */ - futex_wait_queue_me(hb, &q, to); - -@@ -2886,6 +3015,7 @@ static void __init futex_detect_cmpxchg(void) +@@ -3019,6 +3025,7 @@ static void __init futex_detect_cmpxchg(void) { #ifndef CONFIG_HAVE_FUTEX_CMPXCHG u32 curval; 
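Review bot: The kernel/futex.c section of the 3.14.6 patch drops its PI-state checks in this hunk (the `lookup_pi_state()` state validation, the `uaddr1 == uaddr2` and `match_futex(&key1, &key2)` requeue guards, and the `futex_top_waiter(hb, key) ? -EINVAL : 1` return), and the commit record does not say why. Presumably the 3.14.6 base already carries them, which the changed pre-image blob id on the `index` line (`6801b37` to `e3087af`) is consistent with, but that is inferred rather than shown here. I would state it in the commit description, for example `futex PI checks dropped from 4420: already in the 3.14.6 base`, and confirm that kernel/futex.c in the patched tree still contains `if (requeue_pi && match_futex(&key1, &key2))`. The same applies to the mm/memory.c hunk further down that removes the `if (!(vm_flags & vma->vm_flags)) return -EFAULT;` check in `fixup_user_fault()` from the patch; there the post-image blob id stays `90d7ec5`, which suggests the patched file is unchanged.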
@@ -87274,7 +87024,7 @@ index 6801b37..c0f67cf 100644 /* * This will fail and we want it. Some arch implementations do -@@ -2897,8 +3027,11 @@ static void __init futex_detect_cmpxchg(void) +@@ -3030,8 +3037,11 @@ static void __init futex_detect_cmpxchg(void) * implementation, the non-functional ones will return * -ENOSYS. */ @@ -87325,10 +87075,10 @@ index f45b75b..bfac6d5 100644 if (gcov_events_enabled) gcov_event(GCOV_REMOVE, info); diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c -index 0909436..6037d22 100644 +index 04d0374..e7c3725 100644 --- a/kernel/hrtimer.c +++ b/kernel/hrtimer.c -@@ -1439,7 +1439,7 @@ void hrtimer_peek_ahead_timers(void) +@@ -1461,7 +1461,7 @@ void hrtimer_peek_ahead_timers(void) local_irq_restore(flags); } @@ -87523,7 +87273,7 @@ index e30ac0f..3528cac 100644 /* diff --git a/kernel/kexec.c b/kernel/kexec.c -index 60bafbe..a120f4f 100644 +index 18ff0b9..40b0eab 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -1045,7 +1045,8 @@ asmlinkage long compat_sys_kexec_load(unsigned long entry, @@ -88077,7 +87827,7 @@ index 1d96dd0..994ff19 100644 default: diff --git a/kernel/module.c b/kernel/module.c -index d24fcf2..2af3fd9 100644 +index 6716a1f..9ddc1e1 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -61,6 +61,7 @@ @@ -88125,7 +87875,7 @@ index d24fcf2..2af3fd9 100644 pr_warn("%s: per-cpu alignment %li > %li\n", mod->name, align, PAGE_SIZE); align = PAGE_SIZE; -@@ -1062,7 +1064,7 @@ struct module_attribute module_uevent = +@@ -1059,7 +1061,7 @@ struct module_attribute module_uevent = static ssize_t show_coresize(struct module_attribute *mattr, struct module_kobject *mk, char *buffer) { @@ -88134,7 +87884,7 @@ index d24fcf2..2af3fd9 100644 } static struct module_attribute modinfo_coresize = -@@ -1071,7 +1073,7 @@ static struct module_attribute modinfo_coresize = +@@ -1068,7 +1070,7 @@ static struct module_attribute modinfo_coresize = static ssize_t show_initsize(struct module_attribute *mattr, struct module_kobject *mk, char *buffer) { 
@@ -88143,7 +87893,7 @@ index d24fcf2..2af3fd9 100644 } static struct module_attribute modinfo_initsize = -@@ -1163,12 +1165,29 @@ static int check_version(Elf_Shdr *sechdrs, +@@ -1160,12 +1162,29 @@ static int check_version(Elf_Shdr *sechdrs, goto bad_version; } @@ -88173,7 +87923,7 @@ index d24fcf2..2af3fd9 100644 return 0; } -@@ -1284,7 +1303,7 @@ resolve_symbol_wait(struct module *mod, +@@ -1281,7 +1300,7 @@ resolve_symbol_wait(struct module *mod, */ #ifdef CONFIG_SYSFS @@ -88182,7 +87932,7 @@ index d24fcf2..2af3fd9 100644 static inline bool sect_empty(const Elf_Shdr *sect) { return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0; -@@ -1424,7 +1443,7 @@ static void add_notes_attrs(struct module *mod, const struct load_info *info) +@@ -1421,7 +1440,7 @@ static void add_notes_attrs(struct module *mod, const struct load_info *info) { unsigned int notes, loaded, i; struct module_notes_attrs *notes_attrs; @@ -88191,7 +87941,7 @@ index d24fcf2..2af3fd9 100644 /* failed to create section attributes, so can't create notes */ if (!mod->sect_attrs) -@@ -1536,7 +1555,7 @@ static void del_usage_links(struct module *mod) +@@ -1533,7 +1552,7 @@ static void del_usage_links(struct module *mod) static int module_add_modinfo_attrs(struct module *mod) { struct module_attribute *attr; @@ -88200,7 +87950,7 @@ index d24fcf2..2af3fd9 100644 int error = 0; int i; -@@ -1757,21 +1776,21 @@ static void set_section_ro_nx(void *base, +@@ -1754,21 +1773,21 @@ static void set_section_ro_nx(void *base, static void unset_module_core_ro_nx(struct module *mod) { @@ -88230,7 +87980,7 @@ index d24fcf2..2af3fd9 100644 set_memory_rw); } -@@ -1784,14 +1803,14 @@ void set_all_modules_text_rw(void) +@@ -1781,14 +1800,14 @@ void set_all_modules_text_rw(void) list_for_each_entry_rcu(mod, &modules, list) { if (mod->state == MODULE_STATE_UNFORMED) continue; 
@@ -88251,7 +88001,7 @@ index d24fcf2..2af3fd9 100644 set_memory_rw); } } -@@ -1807,14 +1826,14 @@ void set_all_modules_text_ro(void) +@@ -1804,14 +1823,14 @@ void set_all_modules_text_ro(void) list_for_each_entry_rcu(mod, &modules, list) { if (mod->state == MODULE_STATE_UNFORMED) continue; @@ -88272,7 +88022,7 @@ index d24fcf2..2af3fd9 100644 set_memory_ro); } } -@@ -1865,16 +1884,19 @@ static void free_module(struct module *mod) +@@ -1862,16 +1881,19 @@ static void free_module(struct module *mod) /* This may be NULL, but that's OK */ unset_module_init_ro_nx(mod); @@ -88295,7 +88045,7 @@ index d24fcf2..2af3fd9 100644 #ifdef CONFIG_MPU update_protections(current->mm); -@@ -1943,9 +1965,31 @@ static int simplify_symbols(struct module *mod, const struct load_info *info) +@@ -1940,9 +1962,31 @@ static int simplify_symbols(struct module *mod, const struct load_info *info) int ret = 0; const struct kernel_symbol *ksym; @@ -88327,7 +88077,7 @@ index d24fcf2..2af3fd9 100644 switch (sym[i].st_shndx) { case SHN_COMMON: /* We compiled with -fno-common. These are not -@@ -1966,7 +2010,9 @@ static int simplify_symbols(struct module *mod, const struct load_info *info) +@@ -1963,7 +2007,9 @@ static int simplify_symbols(struct module *mod, const struct load_info *info) ksym = resolve_symbol_wait(mod, info, name); /* Ok if resolved. */ if (ksym && !IS_ERR(ksym)) { @@ -88337,7 +88087,7 @@ index d24fcf2..2af3fd9 100644 break; } -@@ -1985,11 +2031,20 @@ static int simplify_symbols(struct module *mod, const struct load_info *info) +@@ -1982,11 +2028,20 @@ static int simplify_symbols(struct module *mod, const struct load_info *info) secbase = (unsigned long)mod_percpu(mod); else secbase = info->sechdrs[sym[i].st_shndx].sh_addr; 
@@ -88358,7 +88108,7 @@ index d24fcf2..2af3fd9 100644 return ret; } -@@ -2073,22 +2128,12 @@ static void layout_sections(struct module *mod, struct load_info *info) +@@ -2070,22 +2125,12 @@ static void layout_sections(struct module *mod, struct load_info *info) || s->sh_entsize != ~0UL || strstarts(sname, ".init")) continue; @@ -88385,7 +88135,7 @@ index d24fcf2..2af3fd9 100644 } pr_debug("Init section allocation order:\n"); -@@ -2102,23 +2147,13 @@ static void layout_sections(struct module *mod, struct load_info *info) +@@ -2099,23 +2144,13 @@ static void layout_sections(struct module *mod, struct load_info *info) || s->sh_entsize != ~0UL || !strstarts(sname, ".init")) continue; @@ -88414,7 +88164,7 @@ index d24fcf2..2af3fd9 100644 } } -@@ -2291,7 +2326,7 @@ static void layout_symtab(struct module *mod, struct load_info *info) +@@ -2288,7 +2323,7 @@ static void layout_symtab(struct module *mod, struct load_info *info) /* Put symbol section at end of init part of module. */ symsect->sh_flags |= SHF_ALLOC; @@ -88423,7 +88173,7 @@ index d24fcf2..2af3fd9 100644 info->index.sym) | INIT_OFFSET_MASK; pr_debug("\t%s\n", info->secstrings + symsect->sh_name); -@@ -2308,13 +2343,13 @@ static void layout_symtab(struct module *mod, struct load_info *info) +@@ -2305,13 +2340,13 @@ static void layout_symtab(struct module *mod, struct load_info *info) } /* Append room for core symbols at end of core part. */ @@ -88441,7 +88191,7 @@ index d24fcf2..2af3fd9 100644 info->index.str) | INIT_OFFSET_MASK; pr_debug("\t%s\n", info->secstrings + strsect->sh_name); } -@@ -2332,12 +2367,14 @@ static void add_kallsyms(struct module *mod, const struct load_info *info) +@@ -2329,12 +2364,14 @@ static void add_kallsyms(struct module *mod, const struct load_info *info) /* Make sure we get permanent strtab: don't use info->strtab. */ mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr; 
@@ -88458,7 +88208,7 @@ index d24fcf2..2af3fd9 100644 src = mod->symtab; for (ndst = i = 0; i < mod->num_symtab; i++) { if (i == 0 || -@@ -2349,6 +2386,8 @@ static void add_kallsyms(struct module *mod, const struct load_info *info) +@@ -2346,6 +2383,8 @@ static void add_kallsyms(struct module *mod, const struct load_info *info) } } mod->core_num_syms = ndst; @@ -88467,7 +88217,7 @@ index d24fcf2..2af3fd9 100644 } #else static inline void layout_symtab(struct module *mod, struct load_info *info) -@@ -2382,17 +2421,33 @@ void * __weak module_alloc(unsigned long size) +@@ -2379,17 +2418,33 @@ void * __weak module_alloc(unsigned long size) return vmalloc_exec(size); } @@ -88506,7 +88256,7 @@ index d24fcf2..2af3fd9 100644 mutex_unlock(&module_mutex); } return ret; -@@ -2649,7 +2704,15 @@ static struct module *setup_load_info(struct load_info *info, int flags) +@@ -2646,7 +2701,15 @@ static struct module *setup_load_info(struct load_info *info, int flags) mod = (void *)info->sechdrs[info->index.mod].sh_addr; if (info->index.sym == 0) { @@ -88522,7 +88272,7 @@ index d24fcf2..2af3fd9 100644 return ERR_PTR(-ENOEXEC); } -@@ -2665,8 +2728,14 @@ static struct module *setup_load_info(struct load_info *info, int flags) +@@ -2662,8 +2725,14 @@ static struct module *setup_load_info(struct load_info *info, int flags) static int check_modinfo(struct module *mod, struct load_info *info, int flags) { const char *modmagic = get_modinfo(info, "vermagic"); @@ -88537,7 +88287,7 @@ index d24fcf2..2af3fd9 100644 if (flags & MODULE_INIT_IGNORE_VERMAGIC) modmagic = NULL; -@@ -2691,7 +2760,7 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags) +@@ -2688,7 +2757,7 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags) } /* Set up license info based on the info section */ 
@@ -88546,7 +88296,7 @@ index d24fcf2..2af3fd9 100644 return 0; } -@@ -2785,7 +2854,7 @@ static int move_module(struct module *mod, struct load_info *info) +@@ -2782,7 +2851,7 @@ static int move_module(struct module *mod, struct load_info *info) void *ptr; /* Do the allocs. */ @@ -88555,7 +88305,7 @@ index d24fcf2..2af3fd9 100644 /* * The pointer to this block is stored in the module structure * which is inside the block. Just mark it as not being a -@@ -2795,11 +2864,11 @@ static int move_module(struct module *mod, struct load_info *info) +@@ -2792,11 +2861,11 @@ static int move_module(struct module *mod, struct load_info *info) if (!ptr) return -ENOMEM; @@ -88571,7 +88321,7 @@ index d24fcf2..2af3fd9 100644 /* * The pointer to this block is stored in the module structure * which is inside the block. This block doesn't need to be -@@ -2808,13 +2877,45 @@ static int move_module(struct module *mod, struct load_info *info) +@@ -2805,13 +2874,45 @@ static int move_module(struct module *mod, struct load_info *info) */ kmemleak_ignore(ptr); if (!ptr) { @@ -88621,7 +88371,7 @@ index d24fcf2..2af3fd9 100644 /* Transfer each section which specifies SHF_ALLOC */ pr_debug("final section addresses:\n"); -@@ -2825,16 +2926,45 @@ static int move_module(struct module *mod, struct load_info *info) +@@ -2822,16 +2923,45 @@ static int move_module(struct module *mod, struct load_info *info) if (!(shdr->sh_flags & SHF_ALLOC)) continue; @@ -88674,7 +88424,7 @@ index d24fcf2..2af3fd9 100644 pr_debug("\t0x%lx %s\n", (long)shdr->sh_addr, info->secstrings + shdr->sh_name); } -@@ -2891,12 +3021,12 @@ static void flush_module_icache(const struct module *mod) +@@ -2888,12 +3018,12 @@ static void flush_module_icache(const struct module *mod) * Do it before processing of module parameters, so the module * can provide parameter accessor functions of its own. */ 
@@ -88693,7 +88443,7 @@ index d24fcf2..2af3fd9 100644 set_fs(old_fs); } -@@ -2953,8 +3083,10 @@ static struct module *layout_and_allocate(struct load_info *info, int flags) +@@ -2950,8 +3080,10 @@ static struct module *layout_and_allocate(struct load_info *info, int flags) static void module_deallocate(struct module *mod, struct load_info *info) { percpu_modfree(mod); @@ -88706,7 +88456,7 @@ index d24fcf2..2af3fd9 100644 } int __weak module_finalize(const Elf_Ehdr *hdr, -@@ -2967,7 +3099,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr, +@@ -2964,7 +3096,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr, static int post_relocation(struct module *mod, const struct load_info *info) { /* Sort exception table now relocations are done. */ @@ -88716,7 +88466,7 @@ index d24fcf2..2af3fd9 100644 /* Copy relocated percpu area over. */ percpu_modcopy(mod, (void *)info->sechdrs[info->index.pcpu].sh_addr, -@@ -3021,16 +3155,16 @@ static int do_init_module(struct module *mod) +@@ -3018,16 +3152,16 @@ static int do_init_module(struct module *mod) MODULE_STATE_COMING, mod); /* Set RO and NX regions for core */ @@ -88741,7 +88491,7 @@ index d24fcf2..2af3fd9 100644 do_mod_ctors(mod); /* Start the module */ -@@ -3091,11 +3225,12 @@ static int do_init_module(struct module *mod) +@@ -3088,11 +3222,12 @@ static int do_init_module(struct module *mod) mod->strtab = mod->core_strtab; #endif unset_module_init_ro_nx(mod); @@ -88759,7 +88509,7 @@ index d24fcf2..2af3fd9 100644 mutex_unlock(&module_mutex); wake_up_all(&module_wq); -@@ -3238,9 +3373,38 @@ static int load_module(struct load_info *info, const char __user *uargs, +@@ -3235,9 +3370,38 @@ static int load_module(struct load_info *info, const char __user *uargs, if (err) goto free_unload; 
@@ -88798,7 +88548,7 @@ index d24fcf2..2af3fd9 100644 /* Fix up syms, so that st_value is a pointer to location. */ err = simplify_symbols(mod, info); if (err < 0) -@@ -3256,13 +3420,6 @@ static int load_module(struct load_info *info, const char __user *uargs, +@@ -3253,13 +3417,6 @@ static int load_module(struct load_info *info, const char __user *uargs, flush_module_icache(mod); @@ -88811,7 +88561,7 @@ index d24fcf2..2af3fd9 100644 - dynamic_debug_setup(info->debug, info->num_debug); - /* Finally it's fully formed, ready to start executing. */ + /* Ftrace init must be called in the MODULE_STATE_UNFORMED state */ @@ -3297,11 +3454,10 @@ static int load_module(struct load_info *info, const char __user *uargs, ddebug_cleanup: dynamic_debug_remove(info->debug); @@ -91331,7 +91081,7 @@ index 1fb08f2..ca4bb1e 100644 return -ENOMEM; return 0; diff --git a/kernel/timer.c b/kernel/timer.c -index accfd24..e00f0c0 100644 +index 38f0d40..96b2ebf 100644 --- a/kernel/timer.c +++ b/kernel/timer.c @@ -1366,7 +1366,7 @@ void update_process_times(int user_tick) @@ -91384,7 +91134,7 @@ index 4f3a3c03..04b7886 100644 ret = -EIO; diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c -index cd7f76d..553c805 100644 +index 868633e..921dc41 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -1965,12 +1965,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec) @@ -91418,7 +91168,7 @@ index cd7f76d..553c805 100644 start_pg = ftrace_allocate_pages(count); if (!start_pg) -@@ -4909,8 +4916,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write, +@@ -4890,8 +4897,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write, #ifdef CONFIG_FUNCTION_GRAPH_TRACER static int ftrace_graph_active; 
@@ -91427,7 +91177,7 @@ index cd7f76d..553c805 100644 int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace) { return 0; -@@ -5086,6 +5091,10 @@ static void update_function_graph_func(void) +@@ -5067,6 +5072,10 @@ static void update_function_graph_func(void) ftrace_graph_entry = ftrace_graph_entry_test; } @@ -91438,7 +91188,7 @@ index cd7f76d..553c805 100644 int register_ftrace_graph(trace_func_graph_ret_t retfunc, trace_func_graph_ent_t entryfunc) { -@@ -5099,7 +5108,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc, +@@ -5080,7 +5089,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc, goto out; } @@ -91931,10 +91681,10 @@ index 4431610..4265616 100644 .thread_should_run = watchdog_should_run, .thread_fn = watchdog, diff --git a/kernel/workqueue.c b/kernel/workqueue.c -index 193e977..26dd63f 100644 +index b6a3941..b68f191 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c -@@ -4678,7 +4678,7 @@ static void rebind_workers(struct worker_pool *pool) +@@ -4702,7 +4702,7 @@ static void rebind_workers(struct worker_pool *pool) WARN_ON_ONCE(!(worker_flags & WORKER_UNBOUND)); worker_flags |= WORKER_REBOUND; worker_flags &= ~WORKER_UNBOUND; @@ -93155,7 +92905,7 @@ index 539eeb9..e24a987 100644 if (end == start) return error; diff --git a/mm/memory-failure.c b/mm/memory-failure.c -index 90002ea..db1452d 100644 +index 66586bb..73ab487 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -61,7 +61,7 @@ int sysctl_memory_failure_early_kill __read_mostly = 0; 
@@ -93194,16 +92944,16 @@ index 90002ea..db1452d 100644 /* * We need/can do nothing about count=0 pages. -@@ -1092,7 +1092,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags) - if (!PageHWPoison(hpage) - || (hwpoison_filter(p) && TestClearPageHWPoison(p)) - || (p != hpage && TestSetPageHWPoison(hpage))) { -- atomic_long_sub(nr_pages, &num_poisoned_pages); -+ atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages); - return 0; - } - set_page_hwpoison_huge_page(hpage); -@@ -1161,7 +1161,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags) +@@ -1091,7 +1091,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags) + if (PageHWPoison(hpage)) { + if ((hwpoison_filter(p) && TestClearPageHWPoison(p)) + || (p != hpage && TestSetPageHWPoison(hpage))) { +- atomic_long_sub(nr_pages, &num_poisoned_pages); ++ atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages); + unlock_page(hpage); + return 0; + } +@@ -1162,7 +1162,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags) } if (hwpoison_filter(p)) { if (TestClearPageHWPoison(p)) @@ -93212,7 +92962,7 @@ index 90002ea..db1452d 100644 unlock_page(hpage); put_page(hpage); return 0; -@@ -1383,7 +1383,7 @@ int unpoison_memory(unsigned long pfn) +@@ -1384,7 +1384,7 @@ int unpoison_memory(unsigned long pfn) return 0; } if (TestClearPageHWPoison(p)) @@ -93221,7 +92971,7 @@ index 90002ea..db1452d 100644 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn); return 0; } -@@ -1397,7 +1397,7 @@ int unpoison_memory(unsigned long pfn) +@@ -1398,7 +1398,7 @@ int unpoison_memory(unsigned long pfn) */ if (TestClearPageHWPoison(page)) { pr_info("MCE: Software-unpoisoned page %#lx\n", pfn); 
@@ -93230,7 +92980,7 @@ index 90002ea..db1452d 100644 freeit = 1; if (PageHuge(page)) clear_page_hwpoison_huge_page(page); -@@ -1522,11 +1522,11 @@ static int soft_offline_huge_page(struct page *page, int flags) +@@ -1523,11 +1523,11 @@ static int soft_offline_huge_page(struct page *page, int flags) if (PageHuge(page)) { set_page_hwpoison_huge_page(hpage); dequeue_hwpoisoned_huge_page(hpage); @@ -93244,7 +92994,7 @@ index 90002ea..db1452d 100644 } } return ret; -@@ -1565,7 +1565,7 @@ static int __soft_offline_page(struct page *page, int flags) +@@ -1566,7 +1566,7 @@ static int __soft_offline_page(struct page *page, int flags) put_page(page); pr_info("soft_offline: %#lx: invalidated\n", pfn); SetPageHWPoison(page); @@ -93253,7 +93003,7 @@ index 90002ea..db1452d 100644 return 0; } -@@ -1616,7 +1616,7 @@ static int __soft_offline_page(struct page *page, int flags) +@@ -1617,7 +1617,7 @@ static int __soft_offline_page(struct page *page, int flags) if (!is_free_buddy_page(page)) pr_info("soft offline: %#lx: page leaked\n", pfn); @@ -93262,7 +93012,7 @@ index 90002ea..db1452d 100644 } } else { pr_info("soft offline: %#lx: isolation failed: %d, page count %d, type %lx\n", -@@ -1690,11 +1690,11 @@ int soft_offline_page(struct page *page, int flags) +@@ -1691,11 +1691,11 @@ int soft_offline_page(struct page *page, int flags) if (PageHuge(page)) { set_page_hwpoison_huge_page(hpage); dequeue_hwpoisoned_huge_page(hpage); @@ -93277,7 +93027,7 @@ index 90002ea..db1452d 100644 } unset_migratetype_isolate(page, MIGRATE_MOVABLE); diff --git a/mm/memory.c b/mm/memory.c -index 22dfa61..90d7ec5 100644 +index 49e930f..90d7ec5 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -403,6 +403,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, 
@@ -93370,25 +93120,7 @@ index 22dfa61..90d7ec5 100644 return i; } EXPORT_SYMBOL(__get_user_pages); -@@ -1929,12 +1924,17 @@ int fixup_user_fault(struct task_struct *tsk, struct mm_struct *mm, - unsigned long address, unsigned int fault_flags) - { - struct vm_area_struct *vma; -+ vm_flags_t vm_flags; - int ret; - - vma = find_extend_vma(mm, address); - if (!vma || address < vma->vm_start) - return -EFAULT; - -+ vm_flags = (fault_flags & FAULT_FLAG_WRITE) ? VM_WRITE : VM_READ; -+ if (!(vm_flags & vma->vm_flags)) -+ return -EFAULT; -+ - ret = handle_mm_fault(mm, vma, address, fault_flags); - if (ret & VM_FAULT_ERROR) { - if (ret & VM_FAULT_OOM) -@@ -2100,6 +2100,10 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr, +@@ -2105,6 +2100,10 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr, page_add_file_rmap(page); set_pte_at(mm, addr, pte, mk_pte(page, prot)); @@ -93399,7 +93131,7 @@ index 22dfa61..90d7ec5 100644 retval = 0; pte_unmap_unlock(pte, ptl); return retval; -@@ -2144,9 +2148,21 @@ int vm_insert_page(struct vm_area_struct *vma, unsigned long addr, +@@ -2149,9 +2148,21 @@ int vm_insert_page(struct vm_area_struct *vma, unsigned long addr, if (!page_count(page)) return -EINVAL; if (!(vma->vm_flags & VM_MIXEDMAP)) { @@ -93421,7 +93153,7 @@ index 22dfa61..90d7ec5 100644 } return insert_page(vma, addr, page, vma->vm_page_prot); } -@@ -2229,6 +2245,7 @@ int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr, +@@ -2234,6 +2245,7 @@ int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr, unsigned long pfn) { BUG_ON(!(vma->vm_flags & VM_MIXEDMAP)); @@ -93429,7 +93161,7 @@ index 22dfa61..90d7ec5 100644 if (addr < vma->vm_start || addr >= vma->vm_end) return -EFAULT; -@@ -2476,7 +2493,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud, +@@ -2481,7 +2493,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud, BUG_ON(pud_huge(*pud)); 
@@ -93440,7 +93172,7 @@ index 22dfa61..90d7ec5 100644 if (!pmd) return -ENOMEM; do { -@@ -2496,7 +2515,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd, +@@ -2501,7 +2515,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd, unsigned long next; int err; @@ -93451,7 +93183,7 @@ index 22dfa61..90d7ec5 100644 if (!pud) return -ENOMEM; do { -@@ -2586,6 +2607,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo +@@ -2591,6 +2607,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo copy_user_highpage(dst, src, va, vma); } @@ -93638,7 +93370,7 @@ index 22dfa61..90d7ec5 100644 /* * This routine handles present pages, when users try to write * to a shared page. It is done by copying the page to a new address -@@ -2810,6 +3011,12 @@ gotten: +@@ -2815,6 +3011,12 @@ gotten: */ page_table = pte_offset_map_lock(mm, pmd, address, &ptl); if (likely(pte_same(*page_table, orig_pte))) { @@ -93651,7 +93383,7 @@ index 22dfa61..90d7ec5 100644 if (old_page) { if (!PageAnon(old_page)) { dec_mm_counter_fast(mm, MM_FILEPAGES); -@@ -2861,6 +3068,10 @@ gotten: +@@ -2866,6 +3068,10 @@ gotten: page_remove_rmap(old_page); } @@ -93662,7 +93394,7 @@ index 22dfa61..90d7ec5 100644 /* Free the old page.. */ new_page = old_page; ret |= VM_FAULT_WRITE; -@@ -3138,6 +3349,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3143,6 +3349,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, swap_free(entry); if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page)) try_to_free_swap(page); 
@@ -93674,7 +93406,7 @@ index 22dfa61..90d7ec5 100644 unlock_page(page); if (page != swapcache) { /* -@@ -3161,6 +3377,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3166,6 +3377,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, /* No need to invalidate - it was non-present before */ update_mmu_cache(vma, address, page_table); @@ -93686,7 +93418,7 @@ index 22dfa61..90d7ec5 100644 unlock: pte_unmap_unlock(page_table, ptl); out: -@@ -3180,40 +3401,6 @@ out_release: +@@ -3185,40 +3401,6 @@ out_release: } /* @@ -93727,7 +93459,7 @@ index 22dfa61..90d7ec5 100644 * We enter with non-exclusive mmap_sem (to exclude vma changes, * but allow concurrent faults), and pte mapped but not yet locked. * We return with mmap_sem still held, but pte unmapped and unlocked. -@@ -3222,27 +3409,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3227,27 +3409,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long address, pte_t *page_table, pmd_t *pmd, unsigned int flags) { @@ -93760,7 +93492,7 @@ index 22dfa61..90d7ec5 100644 if (unlikely(anon_vma_prepare(vma))) goto oom; page = alloc_zeroed_user_highpage_movable(vma, address); -@@ -3266,6 +3449,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3271,6 +3449,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, if (!pte_none(*page_table)) goto release; @@ -93772,7 +93504,7 @@ index 22dfa61..90d7ec5 100644 inc_mm_counter_fast(mm, MM_ANONPAGES); page_add_new_anon_rmap(page, vma, address); setpte: -@@ -3273,6 +3461,12 @@ setpte: +@@ -3278,6 +3461,12 @@ setpte: /* No need to invalidate - it was non-present before */ update_mmu_cache(vma, address, page_table); 
@@ -93785,7 +93517,7 @@ index 22dfa61..90d7ec5 100644 unlock: pte_unmap_unlock(page_table, ptl); return 0; -@@ -3417,6 +3611,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3422,6 +3611,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, */ /* Only go through if we didn't race with anybody else... */ if (likely(pte_same(*page_table, orig_pte))) { @@ -93798,7 +93530,7 @@ index 22dfa61..90d7ec5 100644 flush_icache_page(vma, page); entry = mk_pte(page, vma->vm_page_prot); if (flags & FAULT_FLAG_WRITE) -@@ -3438,6 +3638,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3443,6 +3638,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, /* no need to invalidate: a not-present page won't be cached */ update_mmu_cache(vma, address, page_table); @@ -93813,7 +93545,7 @@ index 22dfa61..90d7ec5 100644 } else { if (cow_page) mem_cgroup_uncharge_page(cow_page); -@@ -3685,6 +3893,12 @@ static int handle_pte_fault(struct mm_struct *mm, +@@ -3690,6 +3893,12 @@ static int handle_pte_fault(struct mm_struct *mm, if (flags & FAULT_FLAG_WRITE) flush_tlb_fix_spurious_fault(vma, address); } @@ -93826,7 +93558,7 @@ index 22dfa61..90d7ec5 100644 unlock: pte_unmap_unlock(pte, ptl); return 0; -@@ -3701,9 +3915,41 @@ static int __handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3706,9 +3915,41 @@ static int __handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, pmd_t *pmd; pte_t *pte; @@ -93868,7 +93600,7 @@ index 22dfa61..90d7ec5 100644 pgd = pgd_offset(mm, address); pud = pud_alloc(mm, pgd, address); if (!pud) -@@ -3834,6 +4080,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) +@@ -3839,6 +4080,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) spin_unlock(&mm->page_table_lock); return 0; } 
@@ -93892,7 +93624,7 @@ index 22dfa61..90d7ec5 100644 #endif /* __PAGETABLE_PUD_FOLDED */ #ifndef __PAGETABLE_PMD_FOLDED -@@ -3864,6 +4127,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) +@@ -3869,6 +4127,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) spin_unlock(&mm->page_table_lock); return 0; } @@ -93923,7 +93655,7 @@ index 22dfa61..90d7ec5 100644 #endif /* __PAGETABLE_PMD_FOLDED */ #if !defined(__HAVE_ARCH_GATE_AREA) -@@ -3877,7 +4164,7 @@ static int __init gate_vma_init(void) +@@ -3882,7 +4164,7 @@ static int __init gate_vma_init(void) gate_vma.vm_start = FIXADDR_USER_START; gate_vma.vm_end = FIXADDR_USER_END; gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC; @@ -93932,7 +93664,7 @@ index 22dfa61..90d7ec5 100644 return 0; } -@@ -4011,8 +4298,8 @@ out: +@@ -4016,8 +4298,8 @@ out: return ret; } @@ -93943,7 +93675,7 @@ index 22dfa61..90d7ec5 100644 { resource_size_t phys_addr; unsigned long prot = 0; -@@ -4038,8 +4325,8 @@ EXPORT_SYMBOL_GPL(generic_access_phys); +@@ -4043,8 +4325,8 @@ EXPORT_SYMBOL_GPL(generic_access_phys); * Access another process' address space as given in mm. If non-NULL, use the * given task for page fault accounting. */ @@ -93954,7 +93686,7 @@ index 22dfa61..90d7ec5 100644 { struct vm_area_struct *vma; void *old_buf = buf; -@@ -4047,7 +4334,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, +@@ -4052,7 +4334,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, down_read(&mm->mmap_sem); /* ignore errors, just check how much was successfully transferred */ while (len) { @@ -93963,7 +93695,7 @@ index 22dfa61..90d7ec5 100644 void *maddr; struct page *page = NULL; -@@ -4106,8 +4393,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, +@@ -4111,8 +4393,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, * * The caller must hold a reference on @mm. */ 
@@ -93974,7 +93706,7 @@ index 22dfa61..90d7ec5 100644 { return __access_remote_vm(NULL, mm, addr, buf, len, write); } -@@ -4117,11 +4404,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr, +@@ -4122,11 +4404,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr, * Source/target buffer must be kernel space, * Do not walk the page table directly, use get_user_pages */ @@ -95634,7 +95366,7 @@ index 769a67a..414d24f 100644 if (nstart < prev->vm_end) diff --git a/mm/mremap.c b/mm/mremap.c -index 0843feb..c3cde48 100644 +index 05f1180..c3cde48 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -144,6 +144,12 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd, @@ -95650,26 +95382,7 @@ index 0843feb..c3cde48 100644 pte = move_soft_dirty_pte(pte); set_pte_at(mm, new_addr, new_pte, pte); } -@@ -194,10 +200,17 @@ unsigned long move_page_tables(struct vm_area_struct *vma, - break; - if (pmd_trans_huge(*old_pmd)) { - int err = 0; -- if (extent == HPAGE_PMD_SIZE) -+ if (extent == HPAGE_PMD_SIZE) { -+ VM_BUG_ON(vma->vm_file || !vma->anon_vma); -+ /* See comment in move_ptes() */ -+ if (need_rmap_locks) -+ anon_vma_lock_write(vma->anon_vma); - err = move_huge_pmd(vma, new_vma, old_addr, - new_addr, old_end, - old_pmd, new_pmd); -+ if (need_rmap_locks) -+ anon_vma_unlock_write(vma->anon_vma); -+ } - if (err > 0) { - need_flush = true; - continue; -@@ -337,6 +350,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr, +@@ -344,6 +350,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr, if (is_vm_hugetlb_page(vma)) goto Einval; 
@@ -95681,7 +95394,7 @@ index 0843feb..c3cde48 100644 /* We can't remap across vm area boundaries */ if (old_len > vma->vm_end - addr) goto Efault; -@@ -392,20 +410,25 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len, +@@ -399,20 +410,25 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len, unsigned long ret = -EINVAL; unsigned long charged = 0; unsigned long map_flags; @@ -95712,7 +95425,7 @@ index 0843feb..c3cde48 100644 goto out; ret = do_munmap(mm, new_addr, new_len); -@@ -474,6 +497,7 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len, +@@ -481,6 +497,7 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len, unsigned long ret = -EINVAL; unsigned long charged = 0; bool locked = false; @@ -95720,7 +95433,7 @@ index 0843feb..c3cde48 100644 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE)) return ret; -@@ -495,6 +519,17 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len, +@@ -502,6 +519,17 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len, if (!new_len) return ret; @@ -95738,7 +95451,7 @@ index 0843feb..c3cde48 100644 down_write(¤t->mm->mmap_sem); if (flags & MREMAP_FIXED) { -@@ -545,6 +580,7 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len, +@@ -552,6 +580,7 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len, new_addr = addr; } ret = addr; @@ -95746,7 +95459,7 @@ index 0843feb..c3cde48 100644 goto out; } } -@@ -568,7 +604,12 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len, +@@ -575,7 +604,12 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len, goto out; } @@ -95827,10 +95540,10 @@ index 8740213..f87e25b 100644 struct mm_struct *mm; diff --git a/mm/page-writeback.c b/mm/page-writeback.c -index 7106cb1..0805f48 100644 +index 8f6daa6..1f8587c 100644 --- a/mm/page-writeback.c 
+++ b/mm/page-writeback.c -@@ -685,7 +685,7 @@ static inline long long pos_ratio_polynom(unsigned long setpoint, +@@ -685,7 +685,7 @@ static long long pos_ratio_polynom(unsigned long setpoint, * card's bdi_dirty may rush to many times higher than bdi_setpoint. * - the bdi dirty thresh drops quickly due to change of JBOD workload */ @@ -95965,7 +95678,7 @@ index 7c59ef6..1358905 100644 }; diff --git a/mm/percpu.c b/mm/percpu.c -index 036cfe0..980d0fa 100644 +index a2a54a8..43ecb68 100644 --- a/mm/percpu.c +++ b/mm/percpu.c @@ -122,7 +122,7 @@ static unsigned int pcpu_low_unit_cpu __read_mostly; @@ -96029,7 +95742,7 @@ index fd26d04..0cea1b0 100644 if (!mm || IS_ERR(mm)) { rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH; diff --git a/mm/rmap.c b/mm/rmap.c -index d3cbac5..0788da4 100644 +index d3cbac5..3784601 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -163,6 +163,10 @@ int anon_vma_prepare(struct vm_area_struct *vma) @@ -96131,6 +95844,18 @@ index d3cbac5..0788da4 100644 } /* +@@ -1554,10 +1590,9 @@ void __put_anon_vma(struct anon_vma *anon_vma) + { + struct anon_vma *root = anon_vma->root; + ++ anon_vma_free(anon_vma); + if (root != anon_vma && atomic_dec_and_test(&root->refcount)) + anon_vma_free(root); +- +- anon_vma_free(anon_vma); + } + + static struct anon_vma *rmap_walk_anon_lock(struct page *page, diff --git a/mm/shmem.c b/mm/shmem.c index 1f18c9d..3e03d33 100644 --- a/mm/shmem.c @@ -98274,7 +97999,7 @@ index b543470..d2ddae2 100644 if (!can_dir) { printk(KERN_INFO "can: failed to create /proc/net/can . " diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c -index 30efc5c..cfa1bbc 100644 +index 988721a..947846d 100644 --- a/net/ceph/messenger.c +++ b/net/ceph/messenger.c @@ -187,7 +187,7 @@ static void con_fault(struct ceph_connection *con); @@ -100787,7 +100512,7 @@ index 767ab8d..c5ec70a 100644 return -ENOMEM; } diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c -index 827f795..7e28e82 100644 +index 827f795..bdff9eb 100644 --- a/net/ipv6/output_core.c 
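Review bot: The reordering in `__put_anon_vma()` (mm/rmap.c, inner hunk `@@ -1554,10 +1590,9 @@`) has no comment explaining why the child must be freed before the root, so a later cleanup could swap the two calls back. `anon_vma_free()` itself is not visible here; if it still reads `anon_vma->root` while freeing, as the new order suggests, the root has to outlive the child. I would add above the first call: `/* Free the child first: anon_vma_free() may still touch anon_vma->root. */`.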
+++ b/net/ipv6/output_core.c @@ -9,8 +9,8 @@ @@ -100801,7 +100526,7 @@ index 827f795..7e28e82 100644 #if IS_ENABLED(CONFIG_IPV6) if (rt && !(rt->dst.flags & DST_NOPEER)) { -@@ -26,13 +26,10 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) +@@ -26,13 +26,8 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) } } #endif @@ -100813,8 +100538,6 @@ index 827f795..7e28e82 100644 - } while (atomic_cmpxchg(&ipv6_fragmentation_id, old, new) != old); - fhdr->identification = htonl(new); + id = atomic_inc_return_unchecked(&ipv6_fragmentation_id); -+ if (!id) -+ id = atomic_inc_return_unchecked(&ipv6_fragmentation_id); + fhdr->identification = htonl(id); } EXPORT_SYMBOL(ipv6_select_ident); @@ -101484,7 +101207,7 @@ index 453e974..b3a43a5 100644 if (local->use_chanctx) *chandef = local->monitor_chandef; diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h -index 6bd4984..d8805c5 100644 +index b127902..9dc4947 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -28,6 +28,7 @@ @@ -101495,7 +101218,7 @@ index 6bd4984..d8805c5 100644 #include "key.h" #include "sta_info.h" #include "debug.h" -@@ -994,7 +995,7 @@ struct ieee80211_local { +@@ -995,7 +996,7 @@ struct ieee80211_local { /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */ spinlock_t queue_stop_reason_lock; @@ -101651,7 +101374,7 @@ index 6ff1346..936ca9a 100644 return p; diff --git a/net/mac80211/util.c b/net/mac80211/util.c -index b8700d4..89086d5 100644 +index 6427625..afa5a5a 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -1483,7 +1483,7 @@ int ieee80211_reconfig(struct ieee80211_local *local) @@ -104691,10 +104414,10 @@ index 8fac3fd..32ff38d 100644 unsigned int secindex_strings; diff --git a/security/Kconfig b/security/Kconfig -index beb86b5..1ea5a01 100644 +index beb86b5..1776e5eb7 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,960 @@ +@@ -4,6 +4,957 @@ menu "Security options" 
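Review bot: In `ipv6_select_ident()` the fallback path now stores whatever `atomic_inc_return_unchecked(&ipv6_fragmentation_id)` returns, so a fragment identification of 0 goes out each time the counter wraps. The previous revision of this patch retried on zero (`if (!id) id = atomic_inc_return_unchecked(...)`), and this update drops that retry without explanation. If zero is now acceptable, a one-line comment saying so would settle it; otherwise restore `if (!id) id = atomic_inc_return_unchecked(&ipv6_fragmentation_id);` before the `htonl()`. The start of the function lies outside these hunks.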
@@ -105353,8 +105076,7 @@ index beb86b5..1ea5a01 100644 + guess them in most cases. Any failed guess will most likely crash + the attacked program which allows the kernel to detect such attempts + and react on them. PaX itself provides no reaction mechanisms, -+ instead it is strongly encouraged that you make use of Nergal's -+ segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's ++ instead it is strongly encouraged that you make use of grsecurity's + (http://www.grsecurity.net/) built-in crash detection features or + develop one yourself. + 
@@ -105388,30 +105110,28 @@ index beb86b5..1ea5a01 100644 + configuration, this feature cannot be disabled on a per file basis. + +config PAX_RANDUSTACK -+ bool "Randomize user stack base" ++ bool ++ ++config PAX_RANDMMAP ++ bool "Randomize user stack and mmap() bases" + default y if GRKERNSEC_CONFIG_AUTO + depends on PAX_ASLR ++ select PAX_RANDUSTACK + help + By saying Y here the kernel will randomize every task's userland -+ stack. The randomization is done in two steps where the second ++ stack and use a randomized base address for mmap() requests that ++ do not specify one themselves. ++ ++ The stack randomization is done in two steps where the second + one may apply a big amount of shift to the top of the stack and + cause problems for programs that want to use lots of memory (more + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is). -+ For this reason the second step can be controlled by 'chpax' or -+ 'paxctl' on a per file basis. + -+config PAX_RANDMMAP -+ bool "Randomize mmap() base" -+ default y if GRKERNSEC_CONFIG_AUTO -+ depends on PAX_ASLR -+ help -+ By saying Y here the kernel will use a randomized base address for -+ mmap() requests that do not specify one themselves. As a result -+ all dynamically loaded libraries will appear at random addresses -+ and therefore be harder to exploit by a technique where an attacker -+ attempts to execute library code for his purposes (e.g. spawn a -+ shell from an exploited program that is running at an elevated -+ privilege level). ++ As a result of mmap randomization all dynamically loaded libraries ++ will appear at random addresses and therefore be harder to exploit ++ by a technique where an attacker attempts to execute library code ++ for his purposes (e.g. spawn a shell from an exploited program that ++ is running at an elevated privilege level). + + Furthermore, if a program is relinked as a dynamic ELF file, its + base address will be randomized as well, completing the full 
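Review bot: `PAX_RANDUSTACK` becomes a promptless `bool` that is only enabled through `select PAX_RANDUSTACK` under `PAX_RANDMMAP`, so an existing configuration with stack randomization on and mmap randomization off loses stack randomization after `oldconfig`, with no prompt. The merged help text also drops the sentence about per-file control through 'chpax' or 'paxctl', while keeping the warning about programs that need more than 2.5 GB. I would state the coupling in the help, e.g. `Disabling this option also disables userland stack randomization.`, and name the per-file switch if one still exists. The help text continues past the end of this hunk.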
@@ -105655,7 +105375,7 @@ index beb86b5..1ea5a01 100644 source security/keys/Kconfig config SECURITY_DMESG_RESTRICT -@@ -103,7 +1057,7 @@ config INTEL_TXT +@@ -103,7 +1054,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX @@ -114785,10 +114505,10 @@ index 0000000..4378111 +} diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data new file mode 100644 -index 0000000..72e9c0e +index 0000000..8972f81 --- /dev/null +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data -@@ -0,0 +1,5986 @@ +@@ -0,0 +1,5988 @@ +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL +ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL @@ -114886,6 +114606,7 @@ index 0000000..72e9c0e +lov_ost_pool_init_1215 lov_ost_pool_init 2 1215 NULL +fsync_buffers_list_1219 fsync_buffers_list 0 1219 NULL +kernfs_file_direct_read_1238 kernfs_file_direct_read 3 1238 NULL ++acpi_battery_write_alarm_1240 acpi_battery_write_alarm 3 1240 NULL +ocfs2_extend_file_1266 ocfs2_extend_file 3 1266 NULL +qla4xxx_change_queue_depth_1268 qla4xxx_change_queue_depth 2 1268 NULL +ioctl_private_iw_point_1273 ioctl_private_iw_point 7 1273 NULL @@ -117169,6 +116890,7 @@ index 0000000..72e9c0e +keyctl_update_key_26061 keyctl_update_key 3 26061 NULL +btrfs_wait_ordered_range_26086 btrfs_wait_ordered_range 0 26086 NULL +rx_rx_wa_density_dropped_frame_read_26095 rx_rx_wa_density_dropped_frame_read 3 26095 NULL ++i8042_pnp_id_to_string_26108 i8042_pnp_id_to_string 3 26108 NULL +read_sb_page_26119 read_sb_page 5 26119 NULL +ath9k_hw_name_26146 ath9k_hw_name 3 26146 NULL +copy_oldmem_page_26164 copy_oldmem_page 3 26164 NULL 
@@ -122212,6 +121934,19 @@ index 6789d788..4afd019e 100644 + .endm + #endif +diff --git a/tools/virtio/linux/uaccess.h b/tools/virtio/linux/uaccess.h +index 0a578fe..b81f62d 100644 +--- a/tools/virtio/linux/uaccess.h ++++ b/tools/virtio/linux/uaccess.h +@@ -13,7 +13,7 @@ static inline void __chk_user_ptr(const volatile void *p, size_t size) + ({ \ + typeof(ptr) __pu_ptr = (ptr); \ + __chk_user_ptr(__pu_ptr, sizeof(*__pu_ptr)); \ +- ACCESS_ONCE(*(__pu_ptr)) = x; \ ++ ACCESS_ONCE_RW(*(__pu_ptr)) = x; \ + 0; \ + }) + diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 03a0381..8b31923 100644 --- a/virt/kvm/kvm_main.c diff --git a/3.14.5/4425_grsec_remove_EI_PAX.patch b/3.14.6/4425_grsec_remove_EI_PAX.patch index fc51f79..fc51f79 100644 --- a/3.14.5/4425_grsec_remove_EI_PAX.patch +++ b/3.14.6/4425_grsec_remove_EI_PAX.patch diff --git a/3.14.5/4427_force_XATTR_PAX_tmpfs.patch b/3.14.6/4427_force_XATTR_PAX_tmpfs.patch index bbcef41..bbcef41 100644 --- a/3.14.5/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.14.6/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.14.5/4430_grsec-remove-localversion-grsec.patch b/3.14.6/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.14.5/4430_grsec-remove-localversion-grsec.patch +++ b/3.14.6/4430_grsec-remove-localversion-grsec.patch diff --git a/3.14.5/4435_grsec-mute-warnings.patch b/3.14.6/4435_grsec-mute-warnings.patch index 392cefb..392cefb 100644 --- a/3.14.5/4435_grsec-mute-warnings.patch +++ b/3.14.6/4435_grsec-mute-warnings.patch diff --git a/3.14.5/4440_grsec-remove-protected-paths.patch b/3.14.6/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/3.14.5/4440_grsec-remove-protected-paths.patch +++ b/3.14.6/4440_grsec-remove-protected-paths.patch diff --git a/3.14.5/4450_grsec-kconfig-default-gids.patch b/3.14.6/4450_grsec-kconfig-default-gids.patch index 19a4285..19a4285 100644 --- a/3.14.5/4450_grsec-kconfig-default-gids.patch 
+++ b/3.14.6/4450_grsec-kconfig-default-gids.patch diff --git a/3.14.5/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.6/4465_selinux-avc_audit-log-curr_ip.patch index 2765cdc..2765cdc 100644 --- a/3.14.5/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.14.6/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.14.5/4470_disable-compat_vdso.patch b/3.14.6/4470_disable-compat_vdso.patch index 677174c..677174c 100644 --- a/3.14.5/4470_disable-compat_vdso.patch +++ b/3.14.6/4470_disable-compat_vdso.patch diff --git a/3.14.5/4475_emutramp_default_on.patch b/3.14.6/4475_emutramp_default_on.patch index a453a5b..a453a5b 100644 --- a/3.14.5/4475_emutramp_default_on.patch +++ b/3.14.6/4475_emutramp_default_on.patch diff --git a/3.2.59/0000_README b/3.2.60/0000_README index 53759a1..daa1871 100644 --- a/3.2.59/0000_README +++ b/3.2.60/0000_README @@ -154,7 +154,11 @@ Patch: 1058_linux-3.2.59.patch From: http://www.kernel.org Desc: Linux 3.2.59 -Patch: 4420_grsecurity-3.0-3.2.59-201406052202.patch +Patch: 1059_linux-3.2.60.patch +From: http://www.kernel.org +Desc: Linux 3.2.60 + +Patch: 4420_grsecurity-3.0-3.2.60-201406101410.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.59/1021_linux-3.2.22.patch b/3.2.60/1021_linux-3.2.22.patch index e6ad93a..e6ad93a 100644 --- a/3.2.59/1021_linux-3.2.22.patch +++ b/3.2.60/1021_linux-3.2.22.patch diff --git a/3.2.59/1022_linux-3.2.23.patch b/3.2.60/1022_linux-3.2.23.patch index 3d796d0..3d796d0 100644 --- a/3.2.59/1022_linux-3.2.23.patch +++ b/3.2.60/1022_linux-3.2.23.patch diff --git a/3.2.59/1023_linux-3.2.24.patch b/3.2.60/1023_linux-3.2.24.patch index 4692eb4..4692eb4 100644 --- a/3.2.59/1023_linux-3.2.24.patch +++ b/3.2.60/1023_linux-3.2.24.patch diff --git a/3.2.59/1024_linux-3.2.25.patch b/3.2.60/1024_linux-3.2.25.patch index e95c213..e95c213 100644 --- a/3.2.59/1024_linux-3.2.25.patch +++ b/3.2.60/1024_linux-3.2.25.patch 
diff --git a/3.2.59/1025_linux-3.2.26.patch b/3.2.60/1025_linux-3.2.26.patch
index 44065b9..44065b9 100644
--- a/3.2.59/1025_linux-3.2.26.patch
+++ b/3.2.60/1025_linux-3.2.26.patch
diff --git a/3.2.59/1026_linux-3.2.27.patch b/3.2.60/1026_linux-3.2.27.patch
index 5878eb4..5878eb4 100644
--- a/3.2.59/1026_linux-3.2.27.patch
+++ b/3.2.60/1026_linux-3.2.27.patch
diff --git a/3.2.59/1027_linux-3.2.28.patch b/3.2.60/1027_linux-3.2.28.patch
index 4dbba4b..4dbba4b 100644
--- a/3.2.59/1027_linux-3.2.28.patch
+++ b/3.2.60/1027_linux-3.2.28.patch
diff --git a/3.2.59/1028_linux-3.2.29.patch b/3.2.60/1028_linux-3.2.29.patch
index 3c65179..3c65179 100644
--- a/3.2.59/1028_linux-3.2.29.patch
+++ b/3.2.60/1028_linux-3.2.29.patch
diff --git a/3.2.59/1029_linux-3.2.30.patch b/3.2.60/1029_linux-3.2.30.patch
index 86aea4b..86aea4b 100644
--- a/3.2.59/1029_linux-3.2.30.patch
+++ b/3.2.60/1029_linux-3.2.30.patch
diff --git a/3.2.59/1030_linux-3.2.31.patch b/3.2.60/1030_linux-3.2.31.patch
index c6accf5..c6accf5 100644
--- a/3.2.59/1030_linux-3.2.31.patch
+++ b/3.2.60/1030_linux-3.2.31.patch
diff --git a/3.2.59/1031_linux-3.2.32.patch b/3.2.60/1031_linux-3.2.32.patch
index 247fc0b..247fc0b 100644
--- a/3.2.59/1031_linux-3.2.32.patch
+++ b/3.2.60/1031_linux-3.2.32.patch
diff --git a/3.2.59/1032_linux-3.2.33.patch b/3.2.60/1032_linux-3.2.33.patch
index c32fb75..c32fb75 100644
--- a/3.2.59/1032_linux-3.2.33.patch
+++ b/3.2.60/1032_linux-3.2.33.patch
diff --git a/3.2.59/1033_linux-3.2.34.patch b/3.2.60/1033_linux-3.2.34.patch
index d647b38..d647b38 100644
--- a/3.2.59/1033_linux-3.2.34.patch
+++ b/3.2.60/1033_linux-3.2.34.patch
diff --git a/3.2.59/1034_linux-3.2.35.patch b/3.2.60/1034_linux-3.2.35.patch
index 76a9c19..76a9c19 100644
--- a/3.2.59/1034_linux-3.2.35.patch
+++ b/3.2.60/1034_linux-3.2.35.patch
diff --git a/3.2.59/1035_linux-3.2.36.patch b/3.2.60/1035_linux-3.2.36.patch
index 5d192a3..5d192a3 100644
--- a/3.2.59/1035_linux-3.2.36.patch
+++ b/3.2.60/1035_linux-3.2.36.patch
diff --git a/3.2.59/1036_linux-3.2.37.patch b/3.2.60/1036_linux-3.2.37.patch
index ad13251..ad13251 100644
--- a/3.2.59/1036_linux-3.2.37.patch
+++ b/3.2.60/1036_linux-3.2.37.patch
diff --git a/3.2.59/1037_linux-3.2.38.patch b/3.2.60/1037_linux-3.2.38.patch
index a3c106f..a3c106f 100644
--- a/3.2.59/1037_linux-3.2.38.patch
+++ b/3.2.60/1037_linux-3.2.38.patch
diff --git a/3.2.59/1038_linux-3.2.39.patch b/3.2.60/1038_linux-3.2.39.patch
index 5639e92..5639e92 100644
--- a/3.2.59/1038_linux-3.2.39.patch
+++ b/3.2.60/1038_linux-3.2.39.patch
diff --git a/3.2.59/1039_linux-3.2.40.patch b/3.2.60/1039_linux-3.2.40.patch
index f26b39c..f26b39c 100644
--- a/3.2.59/1039_linux-3.2.40.patch
+++ b/3.2.60/1039_linux-3.2.40.patch
diff --git a/3.2.59/1040_linux-3.2.41.patch b/3.2.60/1040_linux-3.2.41.patch
index 0d27fcb..0d27fcb 100644
--- a/3.2.59/1040_linux-3.2.41.patch
+++ b/3.2.60/1040_linux-3.2.41.patch
diff --git a/3.2.59/1041_linux-3.2.42.patch b/3.2.60/1041_linux-3.2.42.patch
index 77a08ed..77a08ed 100644
--- a/3.2.59/1041_linux-3.2.42.patch
+++ b/3.2.60/1041_linux-3.2.42.patch
diff --git a/3.2.59/1042_linux-3.2.43.patch b/3.2.60/1042_linux-3.2.43.patch
index a3f878b..a3f878b 100644
--- a/3.2.59/1042_linux-3.2.43.patch
+++ b/3.2.60/1042_linux-3.2.43.patch
diff --git a/3.2.59/1043_linux-3.2.44.patch b/3.2.60/1043_linux-3.2.44.patch
index 3d5e6ff..3d5e6ff 100644
--- a/3.2.59/1043_linux-3.2.44.patch
+++ b/3.2.60/1043_linux-3.2.44.patch
diff --git a/3.2.59/1044_linux-3.2.45.patch b/3.2.60/1044_linux-3.2.45.patch
index 44e1767..44e1767 100644
--- a/3.2.59/1044_linux-3.2.45.patch
+++ b/3.2.60/1044_linux-3.2.45.patch
diff --git a/3.2.59/1045_linux-3.2.46.patch b/3.2.60/1045_linux-3.2.46.patch
index bc10efd..bc10efd 100644
--- a/3.2.59/1045_linux-3.2.46.patch
+++ b/3.2.60/1045_linux-3.2.46.patch
diff --git a/3.2.59/1046_linux-3.2.47.patch b/3.2.60/1046_linux-3.2.47.patch
index b74563c..b74563c 100644
--- a/3.2.59/1046_linux-3.2.47.patch
+++ b/3.2.60/1046_linux-3.2.47.patch
diff --git a/3.2.59/1047_linux-3.2.48.patch b/3.2.60/1047_linux-3.2.48.patch
index 6d55b1f..6d55b1f 100644
--- a/3.2.59/1047_linux-3.2.48.patch
+++ b/3.2.60/1047_linux-3.2.48.patch
diff --git a/3.2.59/1048_linux-3.2.49.patch b/3.2.60/1048_linux-3.2.49.patch
index 2dab0cf..2dab0cf 100644
--- a/3.2.59/1048_linux-3.2.49.patch
+++ b/3.2.60/1048_linux-3.2.49.patch
diff --git a/3.2.59/1049_linux-3.2.50.patch b/3.2.60/1049_linux-3.2.50.patch
index 20b3015..20b3015 100644
--- a/3.2.59/1049_linux-3.2.50.patch
+++ b/3.2.60/1049_linux-3.2.50.patch
diff --git a/3.2.59/1050_linux-3.2.51.patch b/3.2.60/1050_linux-3.2.51.patch
index 5d5832b..5d5832b 100644
--- a/3.2.59/1050_linux-3.2.51.patch
+++ b/3.2.60/1050_linux-3.2.51.patch
diff --git a/3.2.59/1051_linux-3.2.52.patch b/3.2.60/1051_linux-3.2.52.patch
index 94b9359..94b9359 100644
--- a/3.2.59/1051_linux-3.2.52.patch
+++ b/3.2.60/1051_linux-3.2.52.patch
diff --git a/3.2.59/1052_linux-3.2.53.patch b/3.2.60/1052_linux-3.2.53.patch
index 986d714..986d714 100644
--- a/3.2.59/1052_linux-3.2.53.patch
+++ b/3.2.60/1052_linux-3.2.53.patch
diff --git a/3.2.59/1053_linux-3.2.54.patch b/3.2.60/1053_linux-3.2.54.patch
index a907496..a907496 100644
--- a/3.2.59/1053_linux-3.2.54.patch
+++ b/3.2.60/1053_linux-3.2.54.patch
diff --git a/3.2.59/1054_linux-3.2.55.patch b/3.2.60/1054_linux-3.2.55.patch
index 6071ff5..6071ff5 100644
--- a/3.2.59/1054_linux-3.2.55.patch
+++ b/3.2.60/1054_linux-3.2.55.patch
diff --git a/3.2.59/1055_linux-3.2.56.patch b/3.2.60/1055_linux-3.2.56.patch
index 2e8239c..2e8239c 100644
--- a/3.2.59/1055_linux-3.2.56.patch
+++ b/3.2.60/1055_linux-3.2.56.patch
diff --git a/3.2.59/1056_linux-3.2.57.patch b/3.2.60/1056_linux-3.2.57.patch
index 7b8f174..7b8f174 100644
--- a/3.2.59/1056_linux-3.2.57.patch
+++ b/3.2.60/1056_linux-3.2.57.patch
diff --git a/3.2.59/1057_linux-3.2.58.patch b/3.2.60/1057_linux-3.2.58.patch
index db5723a..db5723a 100644
--- a/3.2.59/1057_linux-3.2.58.patch
+++ b/3.2.60/1057_linux-3.2.58.patch
diff --git a/3.2.59/1058_linux-3.2.59.patch b/3.2.60/1058_linux-3.2.59.patch index cd59fe9..cd59fe9 100644 --- a/3.2.59/1058_linux-3.2.59.patch +++ b/3.2.60/1058_linux-3.2.59.patch diff --git a/3.2.60/1059_linux-3.2.60.patch b/3.2.60/1059_linux-3.2.60.patch new file mode 100644 index 0000000..c5a9389 --- /dev/null +++ b/3.2.60/1059_linux-3.2.60.patch 
@@ -0,0 +1,2964 @@ +diff --git a/Documentation/input/elantech.txt b/Documentation/input/elantech.txt +index 5602eb7..e1ae127 100644 +--- a/Documentation/input/elantech.txt ++++ b/Documentation/input/elantech.txt +@@ -504,9 +504,12 @@ byte 5: + * reg_10 + + bit 7 6 5 4 3 2 1 0 +- 0 0 0 0 0 0 0 A ++ 0 0 0 0 R F T A + + A: 1 = enable absolute tracking ++ T: 1 = enable two finger mode auto correct ++ F: 1 = disable ABS Position Filter ++ R: 1 = enable real hardware resolution + + 6.2 Native absolute mode 6 byte packet format + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +diff --git a/Makefile b/Makefile +index 1be3414..317d5ea 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 2 +-SUBLEVEL = 59 ++SUBLEVEL = 60 + EXTRAVERSION = + NAME = Saber-toothed Squirrel + +diff --git a/arch/powerpc/lib/crtsavres.S b/arch/powerpc/lib/crtsavres.S +index 1c893f0..21ecdf5 100644 +--- a/arch/powerpc/lib/crtsavres.S ++++ b/arch/powerpc/lib/crtsavres.S +@@ -230,6 +230,87 @@ _GLOBAL(_rest32gpr_31_x) + mr 1,11 + blr + ++#ifdef CONFIG_ALTIVEC ++/* Called with r0 pointing just beyond the end of the vector save area. 
*/ ++ ++_GLOBAL(_savevr_20) ++ li r11,-192 ++ stvx vr20,r11,r0 ++_GLOBAL(_savevr_21) ++ li r11,-176 ++ stvx vr21,r11,r0 ++_GLOBAL(_savevr_22) ++ li r11,-160 ++ stvx vr22,r11,r0 ++_GLOBAL(_savevr_23) ++ li r11,-144 ++ stvx vr23,r11,r0 ++_GLOBAL(_savevr_24) ++ li r11,-128 ++ stvx vr24,r11,r0 ++_GLOBAL(_savevr_25) ++ li r11,-112 ++ stvx vr25,r11,r0 ++_GLOBAL(_savevr_26) ++ li r11,-96 ++ stvx vr26,r11,r0 ++_GLOBAL(_savevr_27) ++ li r11,-80 ++ stvx vr27,r11,r0 ++_GLOBAL(_savevr_28) ++ li r11,-64 ++ stvx vr28,r11,r0 ++_GLOBAL(_savevr_29) ++ li r11,-48 ++ stvx vr29,r11,r0 ++_GLOBAL(_savevr_30) ++ li r11,-32 ++ stvx vr30,r11,r0 ++_GLOBAL(_savevr_31) ++ li r11,-16 ++ stvx vr31,r11,r0 ++ blr ++ ++_GLOBAL(_restvr_20) ++ li r11,-192 ++ lvx vr20,r11,r0 ++_GLOBAL(_restvr_21) ++ li r11,-176 ++ lvx vr21,r11,r0 ++_GLOBAL(_restvr_22) ++ li r11,-160 ++ lvx vr22,r11,r0 ++_GLOBAL(_restvr_23) ++ li r11,-144 ++ lvx vr23,r11,r0 ++_GLOBAL(_restvr_24) ++ li r11,-128 ++ lvx vr24,r11,r0 ++_GLOBAL(_restvr_25) ++ li r11,-112 ++ lvx vr25,r11,r0 ++_GLOBAL(_restvr_26) ++ li r11,-96 ++ lvx vr26,r11,r0 ++_GLOBAL(_restvr_27) ++ li r11,-80 ++ lvx vr27,r11,r0 ++_GLOBAL(_restvr_28) ++ li r11,-64 ++ lvx vr28,r11,r0 ++_GLOBAL(_restvr_29) ++ li r11,-48 ++ lvx vr29,r11,r0 ++_GLOBAL(_restvr_30) ++ li r11,-32 ++ lvx vr30,r11,r0 ++_GLOBAL(_restvr_31) ++ li r11,-16 ++ lvx vr31,r11,r0 ++ blr ++ ++#endif /* CONFIG_ALTIVEC */ ++ + #else /* CONFIG_PPC64 */ + + .globl _savegpr0_14 +@@ -353,6 +434,111 @@ _restgpr0_31: + mtlr r0 + blr + ++#ifdef CONFIG_ALTIVEC ++/* Called with r0 pointing just beyond the end of the vector save area. 
*/ ++ ++.globl _savevr_20 ++_savevr_20: ++ li r12,-192 ++ stvx vr20,r12,r0 ++.globl _savevr_21 ++_savevr_21: ++ li r12,-176 ++ stvx vr21,r12,r0 ++.globl _savevr_22 ++_savevr_22: ++ li r12,-160 ++ stvx vr22,r12,r0 ++.globl _savevr_23 ++_savevr_23: ++ li r12,-144 ++ stvx vr23,r12,r0 ++.globl _savevr_24 ++_savevr_24: ++ li r12,-128 ++ stvx vr24,r12,r0 ++.globl _savevr_25 ++_savevr_25: ++ li r12,-112 ++ stvx vr25,r12,r0 ++.globl _savevr_26 ++_savevr_26: ++ li r12,-96 ++ stvx vr26,r12,r0 ++.globl _savevr_27 ++_savevr_27: ++ li r12,-80 ++ stvx vr27,r12,r0 ++.globl _savevr_28 ++_savevr_28: ++ li r12,-64 ++ stvx vr28,r12,r0 ++.globl _savevr_29 ++_savevr_29: ++ li r12,-48 ++ stvx vr29,r12,r0 ++.globl _savevr_30 ++_savevr_30: ++ li r12,-32 ++ stvx vr30,r12,r0 ++.globl _savevr_31 ++_savevr_31: ++ li r12,-16 ++ stvx vr31,r12,r0 ++ blr ++ ++.globl _restvr_20 ++_restvr_20: ++ li r12,-192 ++ lvx vr20,r12,r0 ++.globl _restvr_21 ++_restvr_21: ++ li r12,-176 ++ lvx vr21,r12,r0 ++.globl _restvr_22 ++_restvr_22: ++ li r12,-160 ++ lvx vr22,r12,r0 ++.globl _restvr_23 ++_restvr_23: ++ li r12,-144 ++ lvx vr23,r12,r0 ++.globl _restvr_24 ++_restvr_24: ++ li r12,-128 ++ lvx vr24,r12,r0 ++.globl _restvr_25 ++_restvr_25: ++ li r12,-112 ++ lvx vr25,r12,r0 ++.globl _restvr_26 ++_restvr_26: ++ li r12,-96 ++ lvx vr26,r12,r0 ++.globl _restvr_27 ++_restvr_27: ++ li r12,-80 ++ lvx vr27,r12,r0 ++.globl _restvr_28 ++_restvr_28: ++ li r12,-64 ++ lvx vr28,r12,r0 ++.globl _restvr_29 ++_restvr_29: ++ li r12,-48 ++ lvx vr29,r12,r0 ++.globl _restvr_30 ++_restvr_30: ++ li r12,-32 ++ lvx vr30,r12,r0 ++.globl _restvr_31 ++_restvr_31: ++ li r12,-16 ++ lvx vr31,r12,r0 ++ blr ++ ++#endif /* CONFIG_ALTIVEC */ ++ + #endif /* CONFIG_PPC64 */ + + #endif +diff --git a/arch/x86/include/asm/hugetlb.h b/arch/x86/include/asm/hugetlb.h +index 439a9ac..48fa391 100644 +--- a/arch/x86/include/asm/hugetlb.h ++++ b/arch/x86/include/asm/hugetlb.h +@@ -51,6 +51,7 @@ static inline pte_t huge_ptep_get_and_clear(struct mm_struct *mm, 
+ static inline void huge_ptep_clear_flush(struct vm_area_struct *vma, + unsigned long addr, pte_t *ptep) + { ++ ptep_clear_flush(vma, addr, ptep); + } + + static inline int huge_pte_none(pte_t pte) +diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c +index 4ac4531..3e0ccbf 100644 +--- a/arch/x86/kernel/ldt.c ++++ b/arch/x86/kernel/ldt.c +@@ -21,6 +21,8 @@ + #include <asm/mmu_context.h> + #include <asm/syscalls.h> + ++int sysctl_ldt16 = 0; ++ + #ifdef CONFIG_SMP + static void flush_ldt(void *current_mm) + { +@@ -235,7 +237,7 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode) + * IRET leaking the high bits of the kernel stack address. + */ + #ifdef CONFIG_X86_64 +- if (!ldt_info.seg_32bit) { ++ if (!ldt_info.seg_32bit && !sysctl_ldt16) { + error = -EINVAL; + goto out_unlock; + } +diff --git a/arch/x86/vdso/vdso32-setup.c b/arch/x86/vdso/vdso32-setup.c +index 468d591..51bdc05 100644 +--- a/arch/x86/vdso/vdso32-setup.c ++++ b/arch/x86/vdso/vdso32-setup.c +@@ -41,6 +41,7 @@ enum { + #ifdef CONFIG_X86_64 + #define vdso_enabled sysctl_vsyscall32 + #define arch_setup_additional_pages syscall32_setup_pages ++extern int sysctl_ldt16; + #endif + + /* +@@ -388,6 +389,13 @@ static ctl_table abi_table2[] = { + .mode = 0644, + .proc_handler = proc_dointvec + }, ++ { ++ .procname = "ldt16", ++ .data = &sysctl_ldt16, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec ++ }, + {} + }; + +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index 8176b82..3923064 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -70,6 +70,8 @@ enum ec_command { + #define ACPI_EC_DELAY 500 /* Wait 500ms max. during EC ops */ + #define ACPI_EC_UDELAY_GLK 1000 /* Wait 1ms max. 
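Review bot: The new `ldt16` entry in `abi_table2` (arch/x86/vdso/vdso32-setup.c) is registered with `.mode = 0644` and plain `proc_dointvec`, and neither it nor `int sysctl_ldt16 = 0;` in arch/x86/kernel/ldt.c carries a comment saying what enabling it gives up. Per the context comment in `write_ldt()` (whose body extends outside the hunk), the `!ldt_info.seg_32bit` rejection exists because of IRET leaking the high bits of the kernel stack address, so any non-zero write restores that exposure on 64-bit kernels. I would state that on the definition, e.g. `/* non-zero re-allows 16-bit LDT segments on x86-64 and with them the IRET kernel stack address leak; keep 0 unless 16-bit code must run */`. The bare `extern int sysctl_ldt16;` inside the .c file would also be better placed in a shared header so the two declarations cannot drift apart.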
to get global lock */ + #define ACPI_EC_MSI_UDELAY 550 /* Wait 550us for MSI EC */ ++#define ACPI_EC_CLEAR_MAX 100 /* Maximum number of events to query ++ * when trying to clear the EC */ + + enum { + EC_FLAGS_QUERY_PENDING, /* Query is pending */ +@@ -123,6 +125,7 @@ EXPORT_SYMBOL(first_ec); + static int EC_FLAGS_MSI; /* Out-of-spec MSI controller */ + static int EC_FLAGS_VALIDATE_ECDT; /* ASUStec ECDTs need to be validated */ + static int EC_FLAGS_SKIP_DSDT_SCAN; /* Not all BIOS survive early DSDT scan */ ++static int EC_FLAGS_CLEAR_ON_RESUME; /* Needs acpi_ec_clear() on boot/resume */ + + /* -------------------------------------------------------------------------- + Transaction Management +@@ -203,13 +206,13 @@ unlock: + spin_unlock_irqrestore(&ec->curr_lock, flags); + } + +-static int acpi_ec_sync_query(struct acpi_ec *ec); ++static int acpi_ec_sync_query(struct acpi_ec *ec, u8 *data); + + static int ec_check_sci_sync(struct acpi_ec *ec, u8 state) + { + if (state & ACPI_EC_FLAG_SCI) { + if (!test_and_set_bit(EC_FLAGS_QUERY_PENDING, &ec->flags)) +- return acpi_ec_sync_query(ec); ++ return acpi_ec_sync_query(ec, NULL); + } + return 0; + } +@@ -449,6 +452,27 @@ int ec_transaction(u8 command, + + EXPORT_SYMBOL(ec_transaction); + ++/* ++ * Process _Q events that might have accumulated in the EC. ++ * Run with locked ec mutex. 
++ */ ++static void acpi_ec_clear(struct acpi_ec *ec) ++{ ++ int i, status; ++ u8 value = 0; ++ ++ for (i = 0; i < ACPI_EC_CLEAR_MAX; i++) { ++ status = acpi_ec_sync_query(ec, &value); ++ if (status || !value) ++ break; ++ } ++ ++ if (unlikely(i == ACPI_EC_CLEAR_MAX)) ++ pr_warn("Warning: Maximum of %d stale EC events cleared\n", i); ++ else ++ pr_info("%d stale EC events cleared\n", i); ++} ++ + void acpi_ec_block_transactions(void) + { + struct acpi_ec *ec = first_ec; +@@ -472,6 +496,10 @@ void acpi_ec_unblock_transactions(void) + mutex_lock(&ec->lock); + /* Allow transactions to be carried out again */ + clear_bit(EC_FLAGS_BLOCKED, &ec->flags); ++ ++ if (EC_FLAGS_CLEAR_ON_RESUME) ++ acpi_ec_clear(ec); ++ + mutex_unlock(&ec->lock); + } + +@@ -561,13 +589,18 @@ static void acpi_ec_run(void *cxt) + kfree(handler); + } + +-static int acpi_ec_sync_query(struct acpi_ec *ec) ++static int acpi_ec_sync_query(struct acpi_ec *ec, u8 *data) + { + u8 value = 0; + int status; + struct acpi_ec_query_handler *handler, *copy; +- if ((status = acpi_ec_query_unlocked(ec, &value))) ++ ++ status = acpi_ec_query_unlocked(ec, &value); ++ if (data) ++ *data = value; ++ if (status) + return status; ++ + list_for_each_entry(handler, &ec->list, node) { + if (value == handler->query_bit) { + /* have custom handler for this bit */ +@@ -590,7 +623,7 @@ static void acpi_ec_gpe_query(void *ec_cxt) + if (!ec) + return; + mutex_lock(&ec->lock); +- acpi_ec_sync_query(ec); ++ acpi_ec_sync_query(ec, NULL); + mutex_unlock(&ec->lock); + } + +@@ -828,6 +861,13 @@ static int acpi_ec_add(struct acpi_device *device) + + /* EC is fully operational, allow queries */ + clear_bit(EC_FLAGS_QUERY_PENDING, &ec->flags); ++ ++ /* Clear stale _Q events if hardware might require that */ ++ if (EC_FLAGS_CLEAR_ON_RESUME) { ++ mutex_lock(&ec->lock); ++ acpi_ec_clear(ec); ++ mutex_unlock(&ec->lock); ++ } + return ret; + } + +@@ -929,6 +969,30 @@ static int ec_enlarge_storm_threshold(const struct dmi_system_id *id) + 
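Review bot: In `acpi_ec_clear()` the loop exits on `status || !value`, but the message printed afterwards is the same whether the EC ran out of events or `acpi_ec_sync_query()` returned an error, so a failed query is reported as `%d stale EC events cleared`. Logging the failure separately, e.g. `if (status) pr_warn("EC query failed (%d) after %d events\n", status, i);`, would keep a misbehaving EC from looking like a clean drain. The header comment could also say that the drain is bounded by `ACPI_EC_CLEAR_MAX` and, as far as these hunks show, is reached from `acpi_ec_add()` and `acpi_ec_unblock_transactions()` only when `EC_FLAGS_CLEAR_ON_RESUME` is set.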
return 0; + } + ++/* ++ * On some hardware it is necessary to clear events accumulated by the EC during ++ * sleep. These ECs stop reporting GPEs until they are manually polled, if too ++ * many events are accumulated. (e.g. Samsung Series 5/9 notebooks) ++ * ++ * https://bugzilla.kernel.org/show_bug.cgi?id=44161 ++ * ++ * Ideally, the EC should also be instructed NOT to accumulate events during ++ * sleep (which Windows seems to do somehow), but the interface to control this ++ * behaviour is not known at this time. ++ * ++ * Models known to be affected are Samsung 530Uxx/535Uxx/540Uxx/550Pxx/900Xxx, ++ * however it is very likely that other Samsung models are affected. ++ * ++ * On systems which don't accumulate _Q events during sleep, this extra check ++ * should be harmless. ++ */ ++static int ec_clear_on_resume(const struct dmi_system_id *id) ++{ ++ pr_debug("Detected system needing EC poll on resume.\n"); ++ EC_FLAGS_CLEAR_ON_RESUME = 1; ++ return 0; ++} ++ + static struct dmi_system_id __initdata ec_dmi_table[] = { + { + ec_skip_dsdt_scan, "Compal JFL92", { +@@ -968,6 +1032,9 @@ static struct dmi_system_id __initdata ec_dmi_table[] = { + ec_validate_ecdt, "ASUS hardware", { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTek Computer Inc."), + DMI_MATCH(DMI_PRODUCT_NAME, "L4R"),}, NULL}, ++ { ++ ec_clear_on_resume, "Samsung hardware", { ++ DMI_MATCH(DMI_SYS_VENDOR, "SAMSUNG ELECTRONICS CO., LTD.")}, NULL}, + {}, + }; + +diff --git a/drivers/atm/ambassador.c b/drivers/atm/ambassador.c +index f8f41e0..89b30f3 100644 +--- a/drivers/atm/ambassador.c ++++ b/drivers/atm/ambassador.c +@@ -802,7 +802,7 @@ static void fill_rx_pool (amb_dev * dev, unsigned char pool, + } + // cast needed as there is no %? 
for pointer differences + PRINTD (DBG_SKB, "allocated skb at %p, head %p, area %li", +- skb, skb->head, (long) (skb_end_pointer(skb) - skb->head)); ++ skb, skb->head, (long) skb_end_offset(skb)); + rx.handle = virt_to_bus (skb); + rx.host_address = cpu_to_be32 (virt_to_bus (skb->data)); + if (rx_give (dev, &rx, pool)) +diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c +index b0e75ce..81845fa 100644 +--- a/drivers/atm/idt77252.c ++++ b/drivers/atm/idt77252.c +@@ -1258,7 +1258,7 @@ idt77252_rx_raw(struct idt77252_dev *card) + tail = readl(SAR_REG_RAWCT); + + pci_dma_sync_single_for_cpu(card->pcidev, IDT77252_PRV_PADDR(queue), +- skb_end_pointer(queue) - queue->head - 16, ++ skb_end_offset(queue) - 16, + PCI_DMA_FROMDEVICE); + + while (head != tail) { +diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c +index 3539f9b..6fe003a 100644 +--- a/drivers/bluetooth/ath3k.c ++++ b/drivers/bluetooth/ath3k.c +@@ -81,6 +81,7 @@ static struct usb_device_id ath3k_table[] = { + { USB_DEVICE(0x04CA, 0x3004) }, + { USB_DEVICE(0x04CA, 0x3005) }, + { USB_DEVICE(0x04CA, 0x3006) }, ++ { USB_DEVICE(0x04CA, 0x3007) }, + { USB_DEVICE(0x04CA, 0x3008) }, + { USB_DEVICE(0x13d3, 0x3362) }, + { USB_DEVICE(0x0CF3, 0xE004) }, +@@ -123,6 +124,7 @@ static struct usb_device_id ath3k_blist_tbl[] = { + { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 }, +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index f18b5a2..dddcb1d 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -152,6 +152,7 @@ static struct usb_device_id blacklist_table[] = { + { 
USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 }, +diff --git a/drivers/crypto/caam/error.c b/drivers/crypto/caam/error.c +index 7e2d54b..9b8d231 100644 +--- a/drivers/crypto/caam/error.c ++++ b/drivers/crypto/caam/error.c +@@ -16,9 +16,13 @@ + char *tmp; \ + \ + tmp = kmalloc(sizeof(format) + max_alloc, GFP_ATOMIC); \ +- sprintf(tmp, format, param); \ +- strcat(str, tmp); \ +- kfree(tmp); \ ++ if (likely(tmp)) { \ ++ sprintf(tmp, format, param); \ ++ strcat(str, tmp); \ ++ kfree(tmp); \ ++ } else { \ ++ strcat(str, "kmalloc failure in SPRINTFCAT"); \ ++ } \ + } + + static void report_jump_idx(u32 status, char *outstr) +diff --git a/drivers/dma/mv_xor.c b/drivers/dma/mv_xor.c +index 9a353c2..9b01145 100644 +--- a/drivers/dma/mv_xor.c ++++ b/drivers/dma/mv_xor.c +@@ -218,12 +218,10 @@ static void mv_set_mode(struct mv_xor_chan *chan, + + static void mv_chan_activate(struct mv_xor_chan *chan) + { +- u32 activation; +- + dev_dbg(chan->device->common.dev, " activate chan.\n"); +- activation = __raw_readl(XOR_ACTIVATION(chan)); +- activation |= 0x1; +- __raw_writel(activation, XOR_ACTIVATION(chan)); ++ ++ /* writel ensures all descriptors are flushed before activation */ ++ writel(BIT(0), XOR_ACTIVATION(chan)); + } + + static char mv_chan_is_busy(struct mv_xor_chan *chan) +diff --git a/drivers/gpu/drm/nouveau/nouveau_acpi.c b/drivers/gpu/drm/nouveau/nouveau_acpi.c +index 3df56c7..5ee8cca 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_acpi.c ++++ b/drivers/gpu/drm/nouveau/nouveau_acpi.c +@@ -332,9 +332,6 @@ bool nouveau_acpi_rom_supported(struct pci_dev *pdev) + acpi_status status; + 
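Review bot: The new `else` branch of `SPRINTFCAT` in drivers/crypto/caam/error.c appends `"kmalloc failure in SPRINTFCAT"` to `str` with `strcat()`, and like the `sprintf()`/`strcat()` pair beside it, it places no bound on the destination. The size of the buffer behind `str` is not visible in this hunk (the macro header and its callers are outside it), so whether the fixed-length fallback always fits cannot be confirmed from here. At minimum the macro deserves a comment stating what callers must reserve, e.g. `/* str must have room for the formatted field or the fallback text; no bounds check is done here */`. A bounded append would need the buffer length passed into the macro.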
acpi_handle dhandle, rom_handle; + +- if (!nouveau_dsm_priv.dsm_detected && !nouveau_dsm_priv.optimus_detected) +- return false; +- + dhandle = DEVICE_ACPI_HANDLE(&pdev->dev); + if (!dhandle) + return false; +diff --git a/drivers/gpu/drm/radeon/radeon_bios.c b/drivers/gpu/drm/radeon/radeon_bios.c +index d306cc8..ccf324b 100644 +--- a/drivers/gpu/drm/radeon/radeon_bios.c ++++ b/drivers/gpu/drm/radeon/radeon_bios.c +@@ -173,6 +173,20 @@ static bool radeon_atrm_get_bios(struct radeon_device *rdev) + } + } + ++ if (!found) { ++ while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_OTHER << 8, pdev)) != NULL) { ++ dhandle = DEVICE_ACPI_HANDLE(&pdev->dev); ++ if (!dhandle) ++ continue; ++ ++ status = acpi_get_handle(dhandle, "ATRM", &atrm_handle); ++ if (!ACPI_FAILURE(status)) { ++ found = true; ++ break; ++ } ++ } ++ } ++ + if (!found) + return false; + +diff --git a/drivers/gpu/drm/radeon/radeon_object.c b/drivers/gpu/drm/radeon/radeon_object.c +index f3ae607..3e35bbe 100644 +--- a/drivers/gpu/drm/radeon/radeon_object.c ++++ b/drivers/gpu/drm/radeon/radeon_object.c +@@ -513,22 +513,30 @@ int radeon_bo_fault_reserve_notify(struct ttm_buffer_object *bo) + rbo = container_of(bo, struct radeon_bo, tbo); + radeon_bo_check_tiling(rbo, 0, 0); + rdev = rbo->rdev; +- if (bo->mem.mem_type == TTM_PL_VRAM) { +- size = bo->mem.num_pages << PAGE_SHIFT; +- offset = bo->mem.start << PAGE_SHIFT; +- if ((offset + size) > rdev->mc.visible_vram_size) { +- /* hurrah the memory is not visible ! 
*/ +- radeon_ttm_placement_from_domain(rbo, RADEON_GEM_DOMAIN_VRAM); +- rbo->placement.lpfn = rdev->mc.visible_vram_size >> PAGE_SHIFT; +- r = ttm_bo_validate(bo, &rbo->placement, false, true, false); +- if (unlikely(r != 0)) +- return r; +- offset = bo->mem.start << PAGE_SHIFT; +- /* this should not happen */ +- if ((offset + size) > rdev->mc.visible_vram_size) +- return -EINVAL; +- } ++ if (bo->mem.mem_type != TTM_PL_VRAM) ++ return 0; ++ ++ size = bo->mem.num_pages << PAGE_SHIFT; ++ offset = bo->mem.start << PAGE_SHIFT; ++ if ((offset + size) <= rdev->mc.visible_vram_size) ++ return 0; ++ ++ /* hurrah the memory is not visible ! */ ++ radeon_ttm_placement_from_domain(rbo, RADEON_GEM_DOMAIN_VRAM); ++ rbo->placement.lpfn = rdev->mc.visible_vram_size >> PAGE_SHIFT; ++ r = ttm_bo_validate(bo, &rbo->placement, false, true, false); ++ if (unlikely(r == -ENOMEM)) { ++ radeon_ttm_placement_from_domain(rbo, RADEON_GEM_DOMAIN_GTT); ++ return ttm_bo_validate(bo, &rbo->placement, false, true, false); ++ } else if (unlikely(r != 0)) { ++ return r; + } ++ ++ offset = bo->mem.start << PAGE_SHIFT; ++ /* this should never happen */ ++ if ((offset + size) > rdev->mc.visible_vram_size) ++ return -EINVAL; ++ + return 0; + } + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +index 40932fb..84ba033 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -558,14 +558,36 @@ static int vmw_cmd_dma(struct vmw_private *dev_priv, + } *cmd; + int ret; + struct vmw_resource *res; ++ SVGA3dCmdSurfaceDMASuffix *suffix; ++ uint32_t bo_size; + + cmd = container_of(header, struct vmw_dma_cmd, header); ++ suffix = (SVGA3dCmdSurfaceDMASuffix *)((unsigned long) &cmd->dma + ++ header->size - sizeof(*suffix)); ++ ++ /* Make sure device and verifier stays in sync. 
*/ ++ if (unlikely(suffix->suffixSize != sizeof(*suffix))) { ++ DRM_ERROR("Invalid DMA suffix size.\n"); ++ return -EINVAL; ++ } ++ + ret = vmw_translate_guest_ptr(dev_priv, sw_context, + &cmd->dma.guest.ptr, + &vmw_bo); + if (unlikely(ret != 0)) + return ret; + ++ /* Make sure DMA doesn't cross BO boundaries. */ ++ bo_size = vmw_bo->base.num_pages * PAGE_SIZE; ++ if (unlikely(cmd->dma.guest.ptr.offset > bo_size)) { ++ DRM_ERROR("Invalid DMA offset.\n"); ++ return -EINVAL; ++ } ++ ++ bo_size -= cmd->dma.guest.ptr.offset; ++ if (unlikely(suffix->maximumOffset > bo_size)) ++ suffix->maximumOffset = bo_size; ++ + bo = &vmw_bo->base; + ret = vmw_user_surface_lookup_handle(dev_priv, sw_context->tfile, + cmd->dma.host.sid, &srf); +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index ca2b3e6..ccc89b0 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -678,6 +678,13 @@ + #define USB_DEVICE_ID_SYMBOL_SCANNER_1 0x0800 + #define USB_DEVICE_ID_SYMBOL_SCANNER_2 0x1300 + ++#define USB_VENDOR_ID_SYNAPTICS 0x06cb ++#define USB_DEVICE_ID_SYNAPTICS_LTS1 0x0af8 ++#define USB_DEVICE_ID_SYNAPTICS_LTS2 0x1d10 ++#define USB_DEVICE_ID_SYNAPTICS_HD 0x0ac3 ++#define USB_DEVICE_ID_SYNAPTICS_QUAD_HD 0x1ac3 ++#define USB_DEVICE_ID_SYNAPTICS_TP_V103 0x5710 ++ + #define USB_VENDOR_ID_THRUSTMASTER 0x044f + + #define USB_VENDOR_ID_TOPSEED 0x0766 +diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c +index f98fbad..71c2582 100644 +--- a/drivers/hid/usbhid/hid-quirks.c ++++ b/drivers/hid/usbhid/hid-quirks.c +@@ -100,6 +100,11 @@ static const struct hid_blacklist { + { USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_WIRELESS, HID_QUIRK_MULTI_INPUT }, + { USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD, HID_QUIRK_NO_INIT_REPORTS }, + { USB_VENDOR_ID_NTRIG, USB_DEVICE_ID_NTRIG_DUOSENSE, HID_QUIRK_NO_INIT_REPORTS }, ++ { USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_LTS1, HID_QUIRK_NO_INIT_REPORTS }, ++ { USB_VENDOR_ID_SYNAPTICS, 
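Review bot: In `vmw_cmd_dma()` the `suffix` pointer is computed as `&cmd->dma + header->size - sizeof(*suffix)` and dereferenced for `suffix->suffixSize` before anything in this hunk checks that `header->size` is large enough to hold the fixed DMA body plus the suffix. If the caller does not already enforce a minimum size (not visible here; the function starts and ends outside the hunk), a small `header->size` would place `suffix` inside or before the command. A guard ahead of the dereference, something like `if (unlikely(header->size < sizeof(cmd->dma) + sizeof(*suffix))) return -EINVAL;`, would make the verifier self-contained. Separately, `bo_size` is a `uint32_t` holding `num_pages * PAGE_SIZE`; a comment on the assumed maximum buffer-object size, or a wider type, would rule out truncation.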
USB_DEVICE_ID_SYNAPTICS_LTS2, HID_QUIRK_NO_INIT_REPORTS }, ++ { USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_HD, HID_QUIRK_NO_INIT_REPORTS }, ++ { USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_QUAD_HD, HID_QUIRK_NO_INIT_REPORTS }, ++ { USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_TP_V103, HID_QUIRK_NO_INIT_REPORTS }, + + { 0, 0 } + }; +diff --git a/drivers/hwmon/emc1403.c b/drivers/hwmon/emc1403.c +index cd2a6e4..7da08ac 100644 +--- a/drivers/hwmon/emc1403.c ++++ b/drivers/hwmon/emc1403.c +@@ -159,7 +159,7 @@ static ssize_t store_hyst(struct device *dev, + if (retval < 0) + goto fail; + +- hyst = val - retval * 1000; ++ hyst = retval * 1000 - val; + hyst = DIV_ROUND_CLOSEST(hyst, 1000); + if (hyst < 0 || hyst > 255) { + retval = -ERANGE; +@@ -290,7 +290,7 @@ static int emc1403_detect(struct i2c_client *client, + } + + id = i2c_smbus_read_byte_data(client, THERMAL_REVISION_REG); +- if (id != 0x01) ++ if (id < 0x01 || id > 0x04) + return -ENODEV; + + return 0; +diff --git a/drivers/i2c/busses/i2c-designware-core.c b/drivers/i2c/busses/i2c-designware-core.c +index 3c2812f..aadb398 100644 +--- a/drivers/i2c/busses/i2c-designware-core.c ++++ b/drivers/i2c/busses/i2c-designware-core.c +@@ -346,6 +346,9 @@ static void i2c_dw_xfer_init(struct dw_i2c_dev *dev) + ic_con &= ~DW_IC_CON_10BITADDR_MASTER; + dw_writel(dev, ic_con, DW_IC_CON); + ++ /* enforce disabled interrupts (due to HW issues) */ ++ i2c_dw_disable_int(dev); ++ + /* Enable the adapter */ + dw_writel(dev, 1, DW_IC_ENABLE); + +diff --git a/drivers/i2c/busses/i2c-s3c2410.c b/drivers/i2c/busses/i2c-s3c2410.c +index 4c17180..7d6d2b7 100644 +--- a/drivers/i2c/busses/i2c-s3c2410.c ++++ b/drivers/i2c/busses/i2c-s3c2410.c +@@ -1082,10 +1082,10 @@ static int s3c24xx_i2c_resume(struct device *dev) + struct platform_device *pdev = to_platform_device(dev); + struct s3c24xx_i2c *i2c = platform_get_drvdata(pdev); + +- i2c->suspended = 0; + clk_enable(i2c->clk); + s3c24xx_i2c_init(i2c); + clk_disable(i2c->clk); ++ 
i2c->suspended = 0; + + return 0; + } +diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c +index e2a9867..342a059 100644 +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -11,6 +11,7 @@ + */ + + #include <linux/delay.h> ++#include <linux/dmi.h> + #include <linux/slab.h> + #include <linux/module.h> + #include <linux/input.h> +@@ -783,7 +784,11 @@ static int elantech_set_absolute_mode(struct psmouse *psmouse) + break; + + case 3: +- etd->reg_10 = 0x0b; ++ if (etd->set_hw_resolution) ++ etd->reg_10 = 0x0b; ++ else ++ etd->reg_10 = 0x03; ++ + if (elantech_write_reg(psmouse, 0x10, etd->reg_10)) + rc = -1; + +@@ -1206,6 +1211,22 @@ static int elantech_reconnect(struct psmouse *psmouse) + } + + /* ++ * Some hw_version 3 models go into error state when we try to set bit 3 of r10 ++ */ ++static const struct dmi_system_id no_hw_res_dmi_table[] = { ++#if defined(CONFIG_DMI) && defined(CONFIG_X86) ++ { ++ /* Gigabyte U2442 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "U2442"), ++ }, ++ }, ++#endif ++ { } ++}; ++ ++/* + * determine hardware version and set some properties according to it. + */ + static int elantech_set_properties(struct elantech_data *etd) +@@ -1254,6 +1275,9 @@ static int elantech_set_properties(struct elantech_data *etd) + etd->reports_pressure = true; + } + ++ /* Enable real hardware resolution on hw_version 3 ? 
*/ ++ etd->set_hw_resolution = !dmi_check_system(no_hw_res_dmi_table); ++ + return 0; + } + +diff --git a/drivers/input/mouse/elantech.h b/drivers/input/mouse/elantech.h +index 9e5f1aa..3569bed 100644 +--- a/drivers/input/mouse/elantech.h ++++ b/drivers/input/mouse/elantech.h +@@ -128,6 +128,7 @@ struct elantech_data { + bool paritycheck; + bool jumpy_cursor; + bool reports_pressure; ++ bool set_hw_resolution; + unsigned char hw_version; + unsigned int fw_version; + unsigned int single_finger_reports; +diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c +index 886c191..8a39807 100644 +--- a/drivers/input/mouse/synaptics.c ++++ b/drivers/input/mouse/synaptics.c +@@ -1394,6 +1394,14 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = { + .driver_data = (int []){1232, 5710, 1156, 4696}, + }, + { ++ /* Lenovo ThinkPad Edge E431 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad Edge E431"), ++ }, ++ .driver_data = (int []){1024, 5022, 2508, 4832}, ++ }, ++ { + /* Lenovo ThinkPad T431s */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 2d0544c..db4b4a8 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -8122,7 +8122,8 @@ static int md_notify_reboot(struct notifier_block *this, + if (mddev_trylock(mddev)) { + if (mddev->pers) + __md_stop_writes(mddev); +- mddev->safemode = 2; ++ if (mddev->persistent) ++ mddev->safemode = 2; + mddev_unlock(mddev); + } + need_delay = 1; +diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c +index 6edc9ba..298703f 100644 +--- a/drivers/media/media-device.c ++++ b/drivers/media/media-device.c +@@ -90,6 +90,7 @@ static long media_device_enum_entities(struct media_device *mdev, + struct media_entity *ent; + struct media_entity_desc u_ent; + ++ memset(&u_ent, 0, sizeof(u_ent)); + if (copy_from_user(&u_ent.id, &uent->id, sizeof(u_ent.id))) + return -EFAULT; + 
+diff --git a/drivers/media/video/ov7670.c b/drivers/media/video/ov7670.c +index 8aa0585..17125d9 100644 +--- a/drivers/media/video/ov7670.c ++++ b/drivers/media/video/ov7670.c +@@ -937,7 +937,7 @@ static int ov7670_enum_framesizes(struct v4l2_subdev *sd, + * windows that fall outside that. + */ + for (i = 0; i < N_WIN_SIZES; i++) { +- struct ov7670_win_size *win = &ov7670_win_sizes[index]; ++ struct ov7670_win_size *win = &ov7670_win_sizes[i]; + if (info->min_width && win->width < info->min_width) + continue; + if (info->min_height && win->height < info->min_height) +diff --git a/drivers/media/video/v4l2-compat-ioctl32.c b/drivers/media/video/v4l2-compat-ioctl32.c +index c68531b..2671959 100644 +--- a/drivers/media/video/v4l2-compat-ioctl32.c ++++ b/drivers/media/video/v4l2-compat-ioctl32.c +@@ -178,6 +178,9 @@ struct v4l2_create_buffers32 { + + static int __get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) + { ++ if (get_user(kp->type, &up->type)) ++ return -EFAULT; ++ + switch (kp->type) { + case V4L2_BUF_TYPE_VIDEO_CAPTURE: + case V4L2_BUF_TYPE_VIDEO_OUTPUT: +@@ -208,17 +211,16 @@ static int __get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __us + + static int get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) + { +- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_format32)) || +- get_user(kp->type, &up->type)) +- return -EFAULT; ++ if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_format32))) ++ return -EFAULT; + return __get_v4l2_format32(kp, up); + } + + static int get_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up) + { + if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_create_buffers32)) || +- copy_from_user(kp, up, offsetof(struct v4l2_create_buffers32, format.fmt))) +- return -EFAULT; ++ copy_from_user(kp, up, offsetof(struct v4l2_create_buffers32, format))) ++ return -EFAULT; + return __get_v4l2_format32(&kp->format, &up->format); + } + +diff 
--git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 1bf36ac..5af2a8f 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -4914,6 +4914,7 @@ static int __init bonding_init(void) + out: + return res; + err: ++ bond_destroy_debugfs(); + rtnl_link_unregister(&bond_link_ops); + err_link: + unregister_pernet_subsys(&bond_net_ops); +diff --git a/drivers/net/can/sja1000/peak_pci.c b/drivers/net/can/sja1000/peak_pci.c +index 2c7f503..5192f86 100644 +--- a/drivers/net/can/sja1000/peak_pci.c ++++ b/drivers/net/can/sja1000/peak_pci.c +@@ -39,9 +39,9 @@ MODULE_LICENSE("GPL v2"); + #define DRV_NAME "peak_pci" + + struct peak_pci_chan { +- void __iomem *cfg_base; /* Common for all channels */ +- struct net_device *next_dev; /* Chain of network devices */ +- u16 icr_mask; /* Interrupt mask for fast ack */ ++ void __iomem *cfg_base; /* Common for all channels */ ++ struct net_device *prev_dev; /* Chain of network devices */ ++ u16 icr_mask; /* Interrupt mask for fast ack */ + }; + + #define PEAK_PCI_CAN_CLOCK (16000000 / 2) +@@ -98,7 +98,7 @@ static int __devinit peak_pci_probe(struct pci_dev *pdev, + { + struct sja1000_priv *priv; + struct peak_pci_chan *chan; +- struct net_device *dev, *dev0 = NULL; ++ struct net_device *dev, *prev_dev; + void __iomem *cfg_base, *reg_base; + u16 sub_sys_id, icr; + int i, err, channels; +@@ -196,18 +196,14 @@ static int __devinit peak_pci_probe(struct pci_dev *pdev, + } + + /* Create chain of SJA1000 devices */ +- if (i == 0) +- dev0 = dev; +- else +- chan->next_dev = dev; ++ chan->prev_dev = pci_get_drvdata(pdev); ++ pci_set_drvdata(pdev, dev); + + dev_info(&pdev->dev, + "%s at reg_base=0x%p cfg_base=0x%p irq=%d\n", + dev->name, priv->reg_base, chan->cfg_base, dev->irq); + } + +- pci_set_drvdata(pdev, dev0); +- + /* Enable interrupts */ + writew(icr, cfg_base + PITA_ICR + 2); + +@@ -217,12 +213,13 @@ failure_remove_channels: + /* Disable interrupts */ + writew(0x0, cfg_base + 
PITA_ICR + 2); + +- for (dev = dev0; dev; dev = chan->next_dev) { +- unregister_sja1000dev(dev); +- free_sja1000dev(dev); ++ for (dev = pci_get_drvdata(pdev); dev; dev = prev_dev) { + priv = netdev_priv(dev); + chan = priv->priv; +- dev = chan->next_dev; ++ prev_dev = chan->prev_dev; ++ ++ unregister_sja1000dev(dev); ++ free_sja1000dev(dev); + } + + pci_iounmap(pdev, reg_base); +@@ -241,7 +238,7 @@ failure_disable_pci: + + static void __devexit peak_pci_remove(struct pci_dev *pdev) + { +- struct net_device *dev = pci_get_drvdata(pdev); /* First device */ ++ struct net_device *dev = pci_get_drvdata(pdev); /* Last device */ + struct sja1000_priv *priv = netdev_priv(dev); + struct peak_pci_chan *chan = priv->priv; + void __iomem *cfg_base = chan->cfg_base; +@@ -252,10 +249,12 @@ static void __devexit peak_pci_remove(struct pci_dev *pdev) + + /* Loop over all registered devices */ + while (1) { ++ struct net_device *prev_dev = chan->prev_dev; ++ + dev_info(&pdev->dev, "removing device %s\n", dev->name); + unregister_sja1000dev(dev); + free_sja1000dev(dev); +- dev = chan->next_dev; ++ dev = prev_dev; + if (!dev) + break; + priv = netdev_priv(dev); +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index c77c462..2615433 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -10656,7 +10656,9 @@ static int tg3_set_ringparam(struct net_device *dev, struct ethtool_ringparam *e + if (tg3_flag(tp, MAX_RXPEND_64) && + tp->rx_pending > 63) + tp->rx_pending = 63; +- tp->rx_jumbo_pending = ering->rx_jumbo_pending; ++ ++ if (tg3_flag(tp, JUMBO_RING_ENABLE)) ++ tp->rx_jumbo_pending = ering->rx_jumbo_pending; + + for (i = 0; i < tp->irq_max; i++) + tp->napi[i].tx_pending = ering->tx_pending; +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 301b39e..b74cdf6 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -236,11 +236,9 @@ static int macvlan_queue_xmit(struct sk_buff 
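Review bot: The rewritten device chain in `peak_pci_probe()` starts from `chan->prev_dev = pci_get_drvdata(pdev);`, so it depends on the driver data being NULL when probe begins, and nothing in these hunks sets it. An explicit `pci_set_drvdata(pdev, NULL);` before the channel loop would state that assumption in the code. The same applies after `failure_remove_channels`: the loop frees every device but, as far as the hunk shows, leaves the driver data pointing at the last freed `net_device`, and clearing it there would avoid a stale pointer if anything reads it later. The function continues past the hunk, so a reset further down may already exist.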
*skb, struct net_device *dev) + const struct macvlan_dev *vlan = netdev_priv(dev); + const struct macvlan_port *port = vlan->port; + const struct macvlan_dev *dest; +- __u8 ip_summed = skb->ip_summed; + + if (vlan->mode == MACVLAN_MODE_BRIDGE) { + const struct ethhdr *eth = (void *)skb->data; +- skb->ip_summed = CHECKSUM_UNNECESSARY; + + /* send to other bridge ports directly */ + if (is_multicast_ether_addr(eth->h_dest)) { +@@ -258,7 +256,6 @@ static int macvlan_queue_xmit(struct sk_buff *skb, struct net_device *dev) + } + + xmit_world: +- skb->ip_summed = ip_summed; + skb->dev = vlan->lowerdev; + return dev_queue_xmit(skb); + } +@@ -394,8 +391,10 @@ static void macvlan_change_rx_flags(struct net_device *dev, int change) + struct macvlan_dev *vlan = netdev_priv(dev); + struct net_device *lowerdev = vlan->lowerdev; + +- if (change & IFF_ALLMULTI) +- dev_set_allmulti(lowerdev, dev->flags & IFF_ALLMULTI ? 1 : -1); ++ if (dev->flags & IFF_UP) { ++ if (change & IFF_ALLMULTI) ++ dev_set_allmulti(lowerdev, dev->flags & IFF_ALLMULTI ? 
1 : -1); ++ } + } + + static void macvlan_set_multicast_list(struct net_device *dev) +diff --git a/drivers/net/wimax/i2400m/usb-rx.c b/drivers/net/wimax/i2400m/usb-rx.c +index e325768..b78ee67 100644 +--- a/drivers/net/wimax/i2400m/usb-rx.c ++++ b/drivers/net/wimax/i2400m/usb-rx.c +@@ -277,7 +277,7 @@ retry: + d_printf(1, dev, "RX: size changed to %d, received %d, " + "copied %d, capacity %ld\n", + rx_size, read_size, rx_skb->len, +- (long) (skb_end_pointer(new_skb) - new_skb->head)); ++ (long) skb_end_offset(new_skb)); + goto retry; + } + /* In most cases, it happens due to the hardware scheduling a +diff --git a/drivers/net/wireless/rt2x00/rt2x00mac.c b/drivers/net/wireless/rt2x00/rt2x00mac.c +index 5c38281..1d4c579 100644 +--- a/drivers/net/wireless/rt2x00/rt2x00mac.c ++++ b/drivers/net/wireless/rt2x00/rt2x00mac.c +@@ -651,20 +651,18 @@ void rt2x00mac_bss_info_changed(struct ieee80211_hw *hw, + bss_conf->bssid); + + /* +- * Update the beacon. This is only required on USB devices. PCI +- * devices fetch beacons periodically. +- */ +- if (changes & BSS_CHANGED_BEACON && rt2x00_is_usb(rt2x00dev)) +- rt2x00queue_update_beacon(rt2x00dev, vif); +- +- /* + * Start/stop beaconing. + */ + if (changes & BSS_CHANGED_BEACON_ENABLED) { + if (!bss_conf->enable_beacon && intf->enable_beacon) { +- rt2x00queue_clear_beacon(rt2x00dev, vif); + rt2x00dev->intf_beaconing--; + intf->enable_beacon = false; ++ /* ++ * Clear beacon in the H/W for this vif. This is needed ++ * to disable beaconing on this particular interface ++ * and keep it running on other interfaces. 
++ */ ++ rt2x00queue_clear_beacon(rt2x00dev, vif); + + if (rt2x00dev->intf_beaconing == 0) { + /* +@@ -675,11 +673,15 @@ void rt2x00mac_bss_info_changed(struct ieee80211_hw *hw, + rt2x00queue_stop_queue(rt2x00dev->bcn); + mutex_unlock(&intf->beacon_skb_mutex); + } +- +- + } else if (bss_conf->enable_beacon && !intf->enable_beacon) { + rt2x00dev->intf_beaconing++; + intf->enable_beacon = true; ++ /* ++ * Upload beacon to the H/W. This is only required on ++ * USB devices. PCI devices fetch beacons periodically. ++ */ ++ if (rt2x00_is_usb(rt2x00dev)) ++ rt2x00queue_update_beacon(rt2x00dev, vif); + + if (rt2x00dev->intf_beaconing == 1) { + /* +diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c b/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c +index d3920da..79fc4b7 100644 +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c +@@ -1158,12 +1158,23 @@ int rtl92cu_hw_init(struct ieee80211_hw *hw) + struct rtl_ps_ctl *ppsc = rtl_psc(rtl_priv(hw)); + int err = 0; + static bool iqk_initialized; ++ unsigned long flags; ++ ++ /* As this function can take a very long time (up to 350 ms) ++ * and can be called with irqs disabled, reenable the irqs ++ * to let the other devices continue being serviced. ++ * ++ * It is safe doing so since our own interrupts will only be enabled ++ * in a subsequent step. ++ */ ++ local_save_flags(flags); ++ local_irq_enable(); + + rtlhal->hw_type = HARDWARE_TYPE_RTL8192CU; + err = _rtl92cu_init_mac(hw); + if (err) { + RT_TRACE(rtlpriv, COMP_ERR, DBG_EMERG, ("init mac failed!\n")); +- return err; ++ goto exit; + } + err = rtl92c_download_fw(hw); + if (err) { +@@ -1171,7 +1182,7 @@ int rtl92cu_hw_init(struct ieee80211_hw *hw) + ("Failed to download FW. 
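Review bot: rtl92cu_hw_init now calls `local_irq_enable()` unconditionally even though its own comment says the function can be entered with interrupts disabled. If a caller disabled them by taking a lock with spin_lock_irqsave, running with interrupts on while that lock is held can deadlock against any handler that takes the same lock. The callers are not visible here, so this needs confirming against them, and the comment should name the calling context that makes it safe. Separately, every exit has to pass through the new `exit:` label for `local_irq_restore(flags)` to run; the hunks convert two `return err;` statements, but the body between them lies outside the hunks and should be checked for others.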
Init HW without FW now..\n")); + err = 1; + rtlhal->fw_ready = false; +- return err; ++ goto exit; + } else { + rtlhal->fw_ready = true; + } +@@ -1212,6 +1223,8 @@ int rtl92cu_hw_init(struct ieee80211_hw *hw) + _update_mac_setting(hw); + rtl92c_dm_init(hw); + _dump_registers(hw); ++exit: ++ local_irq_restore(flags); + return err; + } + +diff --git a/drivers/pci/hotplug/shpchp_ctrl.c b/drivers/pci/hotplug/shpchp_ctrl.c +index 3ffc1b2..b888675 100644 +--- a/drivers/pci/hotplug/shpchp_ctrl.c ++++ b/drivers/pci/hotplug/shpchp_ctrl.c +@@ -285,8 +285,8 @@ static int board_added(struct slot *p_slot) + return WRONG_BUS_FREQUENCY; + } + +- bsp = ctrl->pci_dev->bus->cur_bus_speed; +- msp = ctrl->pci_dev->bus->max_bus_speed; ++ bsp = ctrl->pci_dev->subordinate->cur_bus_speed; ++ msp = ctrl->pci_dev->subordinate->max_bus_speed; + + /* Check if there are other slots or devices on the same bus */ + if (!list_empty(&ctrl->pci_dev->subordinate->devices)) +diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c +index 8e6c4fa..2a8d6aa 100644 +--- a/drivers/platform/x86/thinkpad_acpi.c ++++ b/drivers/platform/x86/thinkpad_acpi.c +@@ -3405,7 +3405,7 @@ static int __init hotkey_init(struct ibm_init_struct *iibm) + /* Do not issue duplicate brightness change events to + * userspace. 
tpacpi_detect_brightness_capabilities() must have + * been called before this point */ +- if (tp_features.bright_acpimode && acpi_video_backlight_support()) { ++ if (acpi_video_backlight_support()) { + pr_info("This ThinkPad has standard ACPI backlight " + "brightness control, supported by the ACPI " + "video driver\n"); +diff --git a/drivers/scsi/mpt2sas/mpt2sas_scsih.c b/drivers/scsi/mpt2sas/mpt2sas_scsih.c +index 987c6d6..01780a9 100644 +--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c ++++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c +@@ -8166,7 +8166,6 @@ _scsih_suspend(struct pci_dev *pdev, pm_message_t state) + + mpt2sas_base_free_resources(ioc); + pci_save_state(pdev); +- pci_disable_device(pdev); + pci_set_power_state(pdev, device_state); + return 0; + } +diff --git a/drivers/staging/octeon/ethernet-tx.c b/drivers/staging/octeon/ethernet-tx.c +index 2542c37..c5da0d2 100644 +--- a/drivers/staging/octeon/ethernet-tx.c ++++ b/drivers/staging/octeon/ethernet-tx.c +@@ -344,7 +344,7 @@ int cvm_oct_xmit(struct sk_buff *skb, struct net_device *dev) + } + if (unlikely + (skb->truesize != +- sizeof(*skb) + skb_end_pointer(skb) - skb->head)) { ++ sizeof(*skb) + skb_end_offset(skb))) { + /* + printk("TX buffer truesize has been changed\n"); + */ +diff --git a/drivers/tty/hvc/hvc_console.c b/drivers/tty/hvc/hvc_console.c +index 7b97e7e..443547b 100644 +--- a/drivers/tty/hvc/hvc_console.c ++++ b/drivers/tty/hvc/hvc_console.c +@@ -190,7 +190,7 @@ static struct tty_driver *hvc_console_device(struct console *c, int *index) + return hvc_driver; + } + +-static int __init hvc_console_setup(struct console *co, char *options) ++static int hvc_console_setup(struct console *co, char *options) + { + if (co->index < 0 || co->index >= MAX_NR_HVC_CONSOLES) + return -ENODEV; +diff --git a/drivers/usb/storage/shuttle_usbat.c b/drivers/usb/storage/shuttle_usbat.c +index 0b00091..ff8aeee 100644 +--- a/drivers/usb/storage/shuttle_usbat.c ++++ b/drivers/usb/storage/shuttle_usbat.c +@@ -1846,7 +1846,7 
@@ static int usbat_probe(struct usb_interface *intf, + us->transport_name = "Shuttle USBAT"; + us->transport = usbat_flash_transport; + us->transport_reset = usb_stor_CB_reset; +- us->max_lun = 1; ++ us->max_lun = 0; + + result = usb_stor_probe2(us); + return result; +diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h +index 08711bc..49d222d 100644 +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -226,6 +226,20 @@ UNUSUAL_DEV( 0x0421, 0x0495, 0x0370, 0x0370, + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_MAX_SECTORS_64 ), + ++/* Reported by Daniele Forsi <dforsi@gmail.com> */ ++UNUSUAL_DEV( 0x0421, 0x04b9, 0x0350, 0x0350, ++ "Nokia", ++ "5300", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_MAX_SECTORS_64 ), ++ ++/* Patch submitted by Victor A. Santos <victoraur.santos@gmail.com> */ ++UNUSUAL_DEV( 0x0421, 0x05af, 0x0742, 0x0742, ++ "Nokia", ++ "305", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_MAX_SECTORS_64), ++ + /* Patch submitted by Mikhail Zolotaryov <lebon@lebon.org.ua> */ + UNUSUAL_DEV( 0x0421, 0x06aa, 0x1110, 0x1110, + "Nokia", +diff --git a/drivers/video/tgafb.c b/drivers/video/tgafb.c +index ac2cf6d..3b15bca 100644 +--- a/drivers/video/tgafb.c ++++ b/drivers/video/tgafb.c +@@ -192,6 +192,8 @@ tgafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) + + if (var->xres_virtual != var->xres || var->yres_virtual != var->yres) + return -EINVAL; ++ if (var->xres * var->yres * (var->bits_per_pixel >> 3) > info->fix.smem_len) ++ return -EINVAL; + if (var->nonstd) + return -EINVAL; + if (1000000000 / var->pixclock > TGA_PLL_MAX_FREQ) +@@ -272,6 +274,7 @@ tgafb_set_par(struct fb_info *info) + par->yres = info->var.yres; + par->pll_freq = pll_freq = 1000000000 / info->var.pixclock; + par->bits_per_pixel = info->var.bits_per_pixel; ++ info->fix.line_length = par->xres * (par->bits_per_pixel >> 3); + + tga_type = par->tga_type; + +@@ -1318,6 +1321,7 @@ tgafb_init_fix(struct 
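Review bot: The new bound in tgafb_check_var multiplies three caller-supplied 32-bit fields, so `var->xres * var->yres * (var->bits_per_pixel >> 3)` can wrap and compare as small against `info->fix.smem_len`. Unless checks outside this hunk already limit xres, yres and bits_per_pixel, the comparison should be done without 32-bit wraparound. Assuming bits_per_pixel has been validated earlier, one form is `if ((u64)var->xres * var->yres * (var->bits_per_pixel >> 3) > info->fix.smem_len)`. The function starts and ends outside the hunk, so the earlier range checks cannot be confirmed from here.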
fb_info *info) + int tga_bus_tc = TGA_BUS_TC(par->dev); + u8 tga_type = par->tga_type; + const char *tga_type_name = NULL; ++ unsigned memory_size; + + switch (tga_type) { + case TGA_TYPE_8PLANE: +@@ -1325,21 +1329,25 @@ tgafb_init_fix(struct fb_info *info) + tga_type_name = "Digital ZLXp-E1"; + if (tga_bus_tc) + tga_type_name = "Digital ZLX-E1"; ++ memory_size = 2097152; + break; + case TGA_TYPE_24PLANE: + if (tga_bus_pci) + tga_type_name = "Digital ZLXp-E2"; + if (tga_bus_tc) + tga_type_name = "Digital ZLX-E2"; ++ memory_size = 8388608; + break; + case TGA_TYPE_24PLUSZ: + if (tga_bus_pci) + tga_type_name = "Digital ZLXp-E3"; + if (tga_bus_tc) + tga_type_name = "Digital ZLX-E3"; ++ memory_size = 16777216; + break; + default: + tga_type_name = "Unknown"; ++ memory_size = 16777216; + break; + } + +@@ -1351,9 +1359,8 @@ tgafb_init_fix(struct fb_info *info) + ? FB_VISUAL_PSEUDOCOLOR + : FB_VISUAL_DIRECTCOLOR); + +- info->fix.line_length = par->xres * (par->bits_per_pixel >> 3); + info->fix.smem_start = (size_t) par->tga_fb_base; +- info->fix.smem_len = info->fix.line_length * par->yres; ++ info->fix.smem_len = memory_size; + info->fix.mmio_start = (size_t) par->tga_regs_base; + info->fix.mmio_len = 512; + +@@ -1478,6 +1485,9 @@ tgafb_register(struct device *dev) + modedb_tga = &modedb_tc; + modedbsize_tga = 1; + } ++ ++ tgafb_init_fix(info); ++ + ret = fb_find_mode(&info->var, info, + mode_option ? mode_option : mode_option_tga, + modedb_tga, modedbsize_tga, NULL, +@@ -1495,7 +1505,6 @@ tgafb_register(struct device *dev) + } + + tgafb_set_par(info); +- tgafb_init_fix(info); + + if (register_framebuffer(info) < 0) { + printk(KERN_ERR "tgafb: Could not register framebuffer\n"); +diff --git a/fs/nfsd/nfs4acl.c b/fs/nfsd/nfs4acl.c +index 9c51aff..435a9be1 100644 +--- a/fs/nfsd/nfs4acl.c ++++ b/fs/nfsd/nfs4acl.c +@@ -373,8 +373,10 @@ sort_pacl(struct posix_acl *pacl) + * by uid/gid. 
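Review bot: In tgafb_init_fix the `default:` arm assigns `memory_size = 16777216;`, the largest of the three sizes, to a board whose type was not recognised. Because `info->fix.smem_len` is the limit that the new check in tgafb_check_var compares against, an unknown board gets the most permissive bound. If its real aperture is not known, the smallest value (`memory_size = 2097152;`) is the conservative fallback. The three sizes would also read better as `2 << 20`, `8 << 20` and `16 << 20`, or as named constants. The switch opens in the preceding hunk.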
*/ + int i, j; + +- if (pacl->a_count <= 4) +- return; /* no users or groups */ ++ /* no users or groups */ ++ if (!pacl || pacl->a_count <= 4) ++ return; ++ + i = 1; + while (pacl->a_entries[i].e_tag == ACL_USER) + i++; +@@ -498,13 +500,12 @@ posix_state_to_acl(struct posix_acl_state *state, unsigned int flags) + + /* + * ACLs with no ACEs are treated differently in the inheritable +- * and effective cases: when there are no inheritable ACEs, we +- * set a zero-length default posix acl: ++ * and effective cases: when there are no inheritable ACEs, ++ * calls ->set_acl with a NULL ACL structure. + */ +- if (state->empty && (flags & NFS4_ACL_TYPE_DEFAULT)) { +- pacl = posix_acl_alloc(0, GFP_KERNEL); +- return pacl ? pacl : ERR_PTR(-ENOMEM); +- } ++ if (state->empty && (flags & NFS4_ACL_TYPE_DEFAULT)) ++ return NULL; ++ + /* + * When there are no effective ACEs, the following will end + * up setting a 3-element effective posix ACL with all +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index 4cef99f..b2e0a55 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -986,6 +986,18 @@ static struct nfs4_client *alloc_client(struct xdr_netobj name) + } + memcpy(clp->cl_name.data, name.data, name.len); + clp->cl_name.len = name.len; ++ INIT_LIST_HEAD(&clp->cl_sessions); ++ idr_init(&clp->cl_stateids); ++ atomic_set(&clp->cl_refcount, 0); ++ clp->cl_cb_state = NFSD4_CB_UNKNOWN; ++ INIT_LIST_HEAD(&clp->cl_idhash); ++ INIT_LIST_HEAD(&clp->cl_strhash); ++ INIT_LIST_HEAD(&clp->cl_openowners); ++ INIT_LIST_HEAD(&clp->cl_delegations); ++ INIT_LIST_HEAD(&clp->cl_lru); ++ INIT_LIST_HEAD(&clp->cl_callbacks); ++ spin_lock_init(&clp->cl_lock); ++ rpc_init_wait_queue(&clp->cl_cb_waitq, "Backchannel slot table"); + return clp; + } + +@@ -999,6 +1011,7 @@ free_client(struct nfs4_client *clp) + list_del(&ses->se_perclnt); + nfsd4_put_session(ses); + } ++ rpc_destroy_wait_queue(&clp->cl_cb_waitq); + if (clp->cl_cred.cr_group_info) + 
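Review bot: posix_state_to_acl now returns NULL for an empty default ACL where it used to return an allocated zero-length ACL or `ERR_PTR(-ENOMEM)`, so every consumer of the result has to accept NULL as a valid, non-error value. This patch adds `!pacl` and `!acl` guards to sort_pacl and posix_acl_equiv_mode, but the remaining callers are outside the visible hunks and should be checked for a dereference that follows only an `IS_ERR()` test. The rewritten comment would be clearer as `when there are no inheritable ACEs, return NULL so the caller removes the default ACL`, assuming that is the intended effect. The function continues outside the hunk.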
put_group_info(clp->cl_cred.cr_group_info); + kfree(clp->cl_principal); +@@ -1163,7 +1176,6 @@ static struct nfs4_client *create_client(struct xdr_netobj name, char *recdir, + if (clp == NULL) + return NULL; + +- INIT_LIST_HEAD(&clp->cl_sessions); + + princ = svc_gss_principal(rqstp); + if (princ) { +@@ -1174,21 +1186,10 @@ static struct nfs4_client *create_client(struct xdr_netobj name, char *recdir, + } + } + +- idr_init(&clp->cl_stateids); + memcpy(clp->cl_recdir, recdir, HEXDIR_LEN); +- atomic_set(&clp->cl_refcount, 0); +- clp->cl_cb_state = NFSD4_CB_UNKNOWN; +- INIT_LIST_HEAD(&clp->cl_idhash); +- INIT_LIST_HEAD(&clp->cl_strhash); +- INIT_LIST_HEAD(&clp->cl_openowners); +- INIT_LIST_HEAD(&clp->cl_delegations); +- INIT_LIST_HEAD(&clp->cl_lru); +- INIT_LIST_HEAD(&clp->cl_callbacks); +- spin_lock_init(&clp->cl_lock); + INIT_WORK(&clp->cl_cb_null.cb_work, nfsd4_do_callback_rpc); + clp->cl_time = get_seconds(); + clear_bit(0, &clp->cl_cb_slot_busy); +- rpc_init_wait_queue(&clp->cl_cb_waitq, "Backchannel slot table"); + copy_verf(clp, verf); + rpc_copy_addr((struct sockaddr *) &clp->cl_addr, sa); + clp->cl_flavor = rqstp->rq_flavor; +@@ -3375,9 +3376,16 @@ out: + static __be32 + nfsd4_free_lock_stateid(struct nfs4_ol_stateid *stp) + { +- if (check_for_locks(stp->st_file, lockowner(stp->st_stateowner))) ++ struct nfs4_lockowner *lo = lockowner(stp->st_stateowner); ++ ++ if (check_for_locks(stp->st_file, lo)) + return nfserr_locks_held; +- release_lock_stateid(stp); ++ /* ++ * Currently there's a 1-1 lock stateid<->lockowner ++ * correspondance, and we have to delete the lockowner when we ++ * delete the lock stateid: ++ */ ++ unhash_lockowner(lo); + return nfs_ok; + } + +@@ -3812,6 +3820,10 @@ static bool same_lockowner_ino(struct nfs4_lockowner *lo, struct inode *inode, c + + if (!same_owner_str(&lo->lo_owner, owner, clid)) + return false; ++ if (list_empty(&lo->lo_owner.so_stateids)) { ++ WARN_ON_ONCE(1); ++ return false; ++ } + lst = 
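Review bot: nfsd4_free_lock_stateid replaces `release_lock_stateid(stp);` with `unhash_lockowner(lo);`, and going by the name that call only unlinks the lockowner rather than freeing it. If nothing after the unhash frees `lo`, each successful FREE_STATEID on a lock stateid leaks the lockowner structure, which a client can repeat. Confirm against the definition of unhash_lockowner, which is outside this hunk, whether the releasing counterpart (`release_lockowner(lo);` in this file, if present in this tree) is what should be called here. The added comment also misspells "correspondence".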
list_first_entry(&lo->lo_owner.so_stateids, + struct nfs4_ol_stateid, st_perstateowner); + return lst->st_file->fi_inode == inode; +diff --git a/fs/posix_acl.c b/fs/posix_acl.c +index cea4623..6c70ab2 100644 +--- a/fs/posix_acl.c ++++ b/fs/posix_acl.c +@@ -155,6 +155,12 @@ posix_acl_equiv_mode(const struct posix_acl *acl, umode_t *mode_p) + umode_t mode = 0; + int not_equiv = 0; + ++ /* ++ * A null ACL can always be presented as mode bits. ++ */ ++ if (!acl) ++ return 0; ++ + FOREACH_ACL_ENTRY(pa, acl, pe) { + switch (pa->e_tag) { + case ACL_USER_OBJ: +diff --git a/include/linux/ftrace.h b/include/linux/ftrace.h +index 26eafce..a3ebb09 100644 +--- a/include/linux/ftrace.h ++++ b/include/linux/ftrace.h +@@ -260,6 +260,7 @@ extern int ftrace_make_call(struct dyn_ftrace *rec, unsigned long addr); + extern int ftrace_arch_read_dyn_info(char *buf, int size); + + extern int skip_trace(unsigned long ip); ++extern void ftrace_module_init(struct module *mod); + + extern void ftrace_disable_daemon(void); + extern void ftrace_enable_daemon(void); +@@ -272,6 +273,7 @@ static inline void ftrace_set_filter(unsigned char *buf, int len, int reset) + static inline void ftrace_disable_daemon(void) { } + static inline void ftrace_enable_daemon(void) { } + static inline void ftrace_release_mod(struct module *mod) {} ++static inline void ftrace_module_init(struct module *mod) {} + static inline int register_ftrace_command(struct ftrace_func_command *cmd) + { + return -EINVAL; +diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h +index e6796c1..f93d8c1 100644 +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -95,7 +95,6 @@ struct kvm_async_pf { + unsigned long addr; + struct kvm_arch_async_pf arch; + struct page *page; +- bool done; + }; + + void kvm_clear_async_pf_completion_queue(struct kvm_vcpu *vcpu); +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index 13bd6d0..c445e52 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h 
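Review bot: The empty-list guard added to same_lockowner_ino spells the warning as a separate `WARN_ON_ONCE(1);` inside the `if`. The usual kernel form folds the test into the macro, `if (WARN_ON_ONCE(list_empty(&lo->lo_owner.so_stateids))) return false;`, which is shorter and keeps the tested condition on the line the warning reports. A one-line comment stating that a lockowner without stateids is not expected at this point would explain why this warns instead of returning silently. The function starts outside the hunk.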
+@@ -617,11 +617,21 @@ static inline unsigned char *skb_end_pointer(const struct sk_buff *skb) + { + return skb->head + skb->end; + } ++ ++static inline unsigned int skb_end_offset(const struct sk_buff *skb) ++{ ++ return skb->end; ++} + #else + static inline unsigned char *skb_end_pointer(const struct sk_buff *skb) + { + return skb->end; + } ++ ++static inline unsigned int skb_end_offset(const struct sk_buff *skb) ++{ ++ return skb->end - skb->head; ++} + #endif + + /* Internal */ +@@ -2549,7 +2559,7 @@ static inline bool skb_is_recycleable(const struct sk_buff *skb, int skb_size) + return false; + + skb_size = SKB_DATA_ALIGN(skb_size + NET_SKB_PAD); +- if (skb_end_pointer(skb) - skb->head < skb_size) ++ if (skb_end_offset(skb) < skb_size) + return false; + + if (skb_shared(skb) || skb_cloned(skb)) +diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h +index 5e91b72..4913dac 100644 +--- a/include/net/ip6_route.h ++++ b/include/net/ip6_route.h +@@ -34,6 +34,11 @@ struct route_info { + #define RT6_LOOKUP_F_SRCPREF_PUBLIC 0x00000010 + #define RT6_LOOKUP_F_SRCPREF_COA 0x00000020 + ++/* We do not (yet ?) 
support IPv6 jumbograms (RFC 2675) ++ * Unlike IPv4, hdr->seg_len doesn't include the IPv6 header ++ */ ++#define IP6_MAX_MTU (0xFFFF + sizeof(struct ipv6hdr)) ++ + /* + * rt6_srcprefs2flags() and rt6_flags2srcprefs() translate + * between IPV6_ADDR_PREFERENCES socket option values +diff --git a/include/trace/events/module.h b/include/trace/events/module.h +index 1619327..ca298c7 100644 +--- a/include/trace/events/module.h ++++ b/include/trace/events/module.h +@@ -78,7 +78,7 @@ DECLARE_EVENT_CLASS(module_refcnt, + + TP_fast_assign( + __entry->ip = ip; +- __entry->refcnt = __this_cpu_read(mod->refptr->incs) + __this_cpu_read(mod->refptr->decs); ++ __entry->refcnt = __this_cpu_read(mod->refptr->incs) - __this_cpu_read(mod->refptr->decs); + __assign_str(name, mod->name); + ), + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index b15b4f7..1d1edcb 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -4899,6 +4899,9 @@ struct swevent_htable { + + /* Recursion avoidance in each contexts */ + int recursion[PERF_NR_CONTEXTS]; ++ ++ /* Keeps track of cpu being initialized/exited */ ++ bool online; + }; + + static DEFINE_PER_CPU(struct swevent_htable, swevent_htable); +@@ -5141,8 +5144,14 @@ static int perf_swevent_add(struct perf_event *event, int flags) + hwc->state = !(flags & PERF_EF_START); + + head = find_swevent_head(swhash, event); +- if (WARN_ON_ONCE(!head)) ++ if (!head) { ++ /* ++ * We can race with cpu hotplug code. Do not ++ * WARN if the cpu just got unplugged. 
++ */ ++ WARN_ON_ONCE(swhash->online); + return -EINVAL; ++ } + + hlist_add_head_rcu(&event->hlist_entry, head); + +@@ -6301,6 +6310,9 @@ SYSCALL_DEFINE5(perf_event_open, + if (attr.freq) { + if (attr.sample_freq > sysctl_perf_event_sample_rate) + return -EINVAL; ++ } else { ++ if (attr.sample_period & (1ULL << 63)) ++ return -EINVAL; + } + + /* +@@ -7078,6 +7090,7 @@ static void __cpuinit perf_event_init_cpu(int cpu) + struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu); + + mutex_lock(&swhash->hlist_mutex); ++ swhash->online = true; + if (swhash->hlist_refcount > 0) { + struct swevent_hlist *hlist; + +@@ -7135,6 +7148,7 @@ static void perf_event_exit_cpu(int cpu) + perf_event_exit_cpu_context(cpu); + + mutex_lock(&swhash->hlist_mutex); ++ swhash->online = false; + swevent_hlist_release(swhash); + mutex_unlock(&swhash->hlist_mutex); + } +diff --git a/kernel/futex.c b/kernel/futex.c +index 8888815..1bb37d0 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -588,6 +588,55 @@ void exit_pi_state_list(struct task_struct *curr) + raw_spin_unlock_irq(&curr->pi_lock); + } + ++/* ++ * We need to check the following states: ++ * ++ * Waiter | pi_state | pi->owner | uTID | uODIED | ? ++ * ++ * [1] NULL | --- | --- | 0 | 0/1 | Valid ++ * [2] NULL | --- | --- | >0 | 0/1 | Valid ++ * ++ * [3] Found | NULL | -- | Any | 0/1 | Invalid ++ * ++ * [4] Found | Found | NULL | 0 | 1 | Valid ++ * [5] Found | Found | NULL | >0 | 1 | Invalid ++ * ++ * [6] Found | Found | task | 0 | 1 | Valid ++ * ++ * [7] Found | Found | NULL | Any | 0 | Invalid ++ * ++ * [8] Found | Found | task | ==taskTID | 0/1 | Valid ++ * [9] Found | Found | task | 0 | 0 | Invalid ++ * [10] Found | Found | task | !=taskTID | 0/1 | Invalid ++ * ++ * [1] Indicates that the kernel can acquire the futex atomically. We ++ * came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit. ++ * ++ * [2] Valid, if TID does not belong to a kernel thread. 
If no matching ++ * thread is found then it indicates that the owner TID has died. ++ * ++ * [3] Invalid. The waiter is queued on a non PI futex ++ * ++ * [4] Valid state after exit_robust_list(), which sets the user space ++ * value to FUTEX_WAITERS | FUTEX_OWNER_DIED. ++ * ++ * [5] The user space value got manipulated between exit_robust_list() ++ * and exit_pi_state_list() ++ * ++ * [6] Valid state after exit_pi_state_list() which sets the new owner in ++ * the pi_state but cannot access the user space value. ++ * ++ * [7] pi_state->owner can only be NULL when the OWNER_DIED bit is set. ++ * ++ * [8] Owner and user space value match ++ * ++ * [9] There is no transient state which sets the user space TID to 0 ++ * except exit_robust_list(), but this is indicated by the ++ * FUTEX_OWNER_DIED bit. See [4] ++ * ++ * [10] There is no transient state which leaves owner and user space ++ * TID out of sync. ++ */ + static int + lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, + union futex_key *key, struct futex_pi_state **ps) +@@ -603,12 +652,13 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, + plist_for_each_entry_safe(this, next, head, list) { + if (match_futex(&this->key, key)) { + /* +- * Another waiter already exists - bump up +- * the refcount and return its pi_state: ++ * Sanity check the waiter before increasing ++ * the refcount and attaching to it. + */ + pi_state = this->pi_state; + /* +- * Userspace might have messed up non-PI and PI futexes ++ * Userspace might have messed up non-PI and ++ * PI futexes [3] + */ + if (unlikely(!pi_state)) + return -EINVAL; +@@ -616,34 +666,70 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, + WARN_ON(!atomic_read(&pi_state->refcount)); + + /* +- * When pi_state->owner is NULL then the owner died +- * and another waiter is on the fly. pi_state->owner +- * is fixed up by the task which acquires +- * pi_state->rt_mutex. 
+- * +- * We do not check for pid == 0 which can happen when +- * the owner died and robust_list_exit() cleared the +- * TID. ++ * Handle the owner died case: + */ +- if (pid && pi_state->owner) { ++ if (uval & FUTEX_OWNER_DIED) { ++ /* ++ * exit_pi_state_list sets owner to NULL and ++ * wakes the topmost waiter. The task which ++ * acquires the pi_state->rt_mutex will fixup ++ * owner. ++ */ ++ if (!pi_state->owner) { ++ /* ++ * No pi state owner, but the user ++ * space TID is not 0. Inconsistent ++ * state. [5] ++ */ ++ if (pid) ++ return -EINVAL; ++ /* ++ * Take a ref on the state and ++ * return. [4] ++ */ ++ goto out_state; ++ } ++ + /* +- * Bail out if user space manipulated the +- * futex value. ++ * If TID is 0, then either the dying owner ++ * has not yet executed exit_pi_state_list() ++ * or some waiter acquired the rtmutex in the ++ * pi state, but did not yet fixup the TID in ++ * user space. ++ * ++ * Take a ref on the state and return. [6] + */ +- if (pid != task_pid_vnr(pi_state->owner)) ++ if (!pid) ++ goto out_state; ++ } else { ++ /* ++ * If the owner died bit is not set, ++ * then the pi_state must have an ++ * owner. [7] ++ */ ++ if (!pi_state->owner) + return -EINVAL; + } + ++ /* ++ * Bail out if user space manipulated the ++ * futex value. If pi state exists then the ++ * owner TID must be the same as the user ++ * space TID. 
[9/10] ++ */ ++ if (pid != task_pid_vnr(pi_state->owner)) ++ return -EINVAL; ++ ++ out_state: + atomic_inc(&pi_state->refcount); + *ps = pi_state; +- + return 0; + } + } + + /* + * We are the first waiter - try to look up the real owner and attach +- * the new pi_state to it, but bail out when TID = 0 ++ * the new pi_state to it, but bail out when TID = 0 [1] + */ + if (!pid) + return -ESRCH; +@@ -651,6 +737,11 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, + if (!p) + return -ESRCH; + ++ if (!p->mm) { ++ put_task_struct(p); ++ return -EPERM; ++ } ++ + /* + * We need to look at the task state flags to figure out, + * whether the task is exiting. To protect against the do_exit +@@ -671,6 +762,9 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, + return ret; + } + ++ /* ++ * No existing pi state. First waiter. [2] ++ */ + pi_state = alloc_pi_state(); + + /* +@@ -742,10 +836,18 @@ retry: + return -EDEADLK; + + /* +- * Surprise - we got the lock. Just return to userspace: ++ * Surprise - we got the lock, but we do not trust user space at all. + */ +- if (unlikely(!curval)) +- return 1; ++ if (unlikely(!curval)) { ++ /* ++ * We verify whether there is kernel state for this ++ * futex. If not, we can safely assume, that the 0 -> ++ * TID transition is correct. If state exists, we do ++ * not bother to fixup the user space state as it was ++ * corrupted already. ++ */ ++ return futex_top_waiter(hb, key) ? -EINVAL : 1; ++ } + + uval = curval; + +@@ -875,6 +977,7 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this) + struct task_struct *new_owner; + struct futex_pi_state *pi_state = this->pi_state; + u32 uninitialized_var(curval), newval; ++ int ret = 0; + + if (!pi_state) + return -EINVAL; +@@ -898,23 +1001,19 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this) + new_owner = this->task; + + /* +- * We pass it to the next owner. 
(The WAITERS bit is always +- * kept enabled while there is PI state around. We must also +- * preserve the owner died bit.) ++ * We pass it to the next owner. The WAITERS bit is always ++ * kept enabled while there is PI state around. We cleanup the ++ * owner died bit, because we are the owner. + */ +- if (!(uval & FUTEX_OWNER_DIED)) { +- int ret = 0; ++ newval = FUTEX_WAITERS | task_pid_vnr(new_owner); + +- newval = FUTEX_WAITERS | task_pid_vnr(new_owner); +- +- if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) +- ret = -EFAULT; +- else if (curval != uval) +- ret = -EINVAL; +- if (ret) { +- raw_spin_unlock(&pi_state->pi_mutex.wait_lock); +- return ret; +- } ++ if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) ++ ret = -EFAULT; ++ else if (curval != uval) ++ ret = -EINVAL; ++ if (ret) { ++ raw_spin_unlock(&pi_state->pi_mutex.wait_lock); ++ return ret; + } + + raw_spin_lock_irq(&pi_state->owner->pi_lock); +@@ -1193,7 +1292,7 @@ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key, + * + * Returns: + * 0 - failed to acquire the lock atomicly +- * 1 - acquired the lock ++ * >0 - acquired the lock, return value is vpid of the top_waiter + * <0 - error + */ + static int futex_proxy_trylock_atomic(u32 __user *pifutex, +@@ -1204,7 +1303,7 @@ static int futex_proxy_trylock_atomic(u32 __user *pifutex, + { + struct futex_q *top_waiter = NULL; + u32 curval; +- int ret; ++ int ret, vpid; + + if (get_futex_value_locked(&curval, pifutex)) + return -EFAULT; +@@ -1232,11 +1331,13 @@ static int futex_proxy_trylock_atomic(u32 __user *pifutex, + * the contended case or if set_waiters is 1. The pi_state is returned + * in ps in contended cases. 
+ */ ++ vpid = task_pid_vnr(top_waiter->task); + ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task, + set_waiters); +- if (ret == 1) ++ if (ret == 1) { + requeue_pi_wake_futex(top_waiter, key2, hb2); +- ++ return vpid; ++ } + return ret; + } + +@@ -1268,10 +1369,16 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags, + struct futex_hash_bucket *hb1, *hb2; + struct plist_head *head1; + struct futex_q *this, *next; +- u32 curval2; + + if (requeue_pi) { + /* ++ * Requeue PI only works on two distinct uaddrs. This ++ * check is only valid for private futexes. See below. ++ */ ++ if (uaddr1 == uaddr2) ++ return -EINVAL; ++ ++ /* + * requeue_pi requires a pi_state, try to allocate it now + * without any locks in case it fails. + */ +@@ -1309,6 +1416,15 @@ retry: + if (unlikely(ret != 0)) + goto out_put_key1; + ++ /* ++ * The check above which compares uaddrs is not sufficient for ++ * shared futexes. We need to compare the keys: ++ */ ++ if (requeue_pi && match_futex(&key1, &key2)) { ++ ret = -EINVAL; ++ goto out_put_keys; ++ } ++ + hb1 = hash_futex(&key1); + hb2 = hash_futex(&key2); + +@@ -1354,16 +1470,25 @@ retry_private: + * At this point the top_waiter has either taken uaddr2 or is + * waiting on it. If the former, then the pi_state will not + * exist yet, look it up one more time to ensure we have a +- * reference to it. ++ * reference to it. If the lock was taken, ret contains the ++ * vpid of the top waiter task. + */ +- if (ret == 1) { ++ if (ret > 0) { + WARN_ON(pi_state); + drop_count++; + task_count++; +- ret = get_futex_value_locked(&curval2, uaddr2); +- if (!ret) +- ret = lookup_pi_state(curval2, hb2, &key2, +- &pi_state); ++ /* ++ * If we acquired the lock, then the user ++ * space value of uaddr2 should be vpid. It ++ * cannot be changed by the top waiter as it ++ * is blocked on hb2 lock if it tries to do ++ * so. If something fiddled with it behind our ++ * back the pi state lookup might unearth ++ * it. 
So we rather use the known value than ++ * rereading and handing potential crap to ++ * lookup_pi_state. ++ */ ++ ret = lookup_pi_state(ret, hb2, &key2, &pi_state); + } + + switch (ret) { +@@ -2133,9 +2258,10 @@ retry: + /* + * To avoid races, try to do the TID -> 0 atomic transition + * again. If it succeeds then we can return without waking +- * anyone else up: ++ * anyone else up. We only try this if neither the waiters nor ++ * the owner died bit are set. + */ +- if (!(uval & FUTEX_OWNER_DIED) && ++ if (!(uval & ~FUTEX_TID_MASK) && + cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0)) + goto pi_faulted; + /* +@@ -2167,11 +2293,9 @@ retry: + /* + * No waiters - kernel unlocks the futex: + */ +- if (!(uval & FUTEX_OWNER_DIED)) { +- ret = unlock_futex_pi(uaddr, uval); +- if (ret == -EFAULT) +- goto pi_faulted; +- } ++ ret = unlock_futex_pi(uaddr, uval); ++ if (ret == -EFAULT) ++ goto pi_faulted; + + out_unlock: + spin_unlock(&hb->lock); +@@ -2331,6 +2455,15 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags, + if (ret) + goto out_key2; + ++ /* ++ * The check above which compares uaddrs is not sufficient for ++ * shared futexes. We need to compare the keys: ++ */ ++ if (match_futex(&q.key, &key2)) { ++ ret = -EINVAL; ++ goto out_put_keys; ++ } ++ + /* Queue the futex_q, drop the hb lock, wait for wakeup. 
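Review bot: In futex_requeue, `ret` now serves both as the status code and, when positive, as the TID passed to lookup_pi_state as its `uval` argument in `ret = lookup_pi_state(ret, hb2, &key2, &pi_state);`. Copying it into a local declared at the top of the `if (ret > 0)` block, `u32 vpid = ret;`, and calling `ret = lookup_pi_state(vpid, hb2, &key2, &pi_state);` makes the int-to-u32 conversion explicit. It also keeps the `switch (ret)` that follows reading as pure status handling. The function starts and ends outside the hunk.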
*/ + futex_wait_queue_me(hb, &q, to); + +diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c +index 60f7e32..20e88af 100644 +--- a/kernel/hrtimer.c ++++ b/kernel/hrtimer.c +@@ -232,6 +232,11 @@ again: + goto again; + } + timer->base = new_base; ++ } else { ++ if (cpu != this_cpu && hrtimer_check_target(timer, new_base)) { ++ cpu = this_cpu; ++ goto again; ++ } + } + return new_base; + } +@@ -567,6 +572,23 @@ hrtimer_force_reprogram(struct hrtimer_cpu_base *cpu_base, int skip_equal) + + cpu_base->expires_next.tv64 = expires_next.tv64; + ++ /* ++ * If a hang was detected in the last timer interrupt then we ++ * leave the hang delay active in the hardware. We want the ++ * system to make progress. That also prevents the following ++ * scenario: ++ * T1 expires 50ms from now ++ * T2 expires 5s from now ++ * ++ * T1 is removed, so this code is called and would reprogram ++ * the hardware to 5s from now. Any hrtimer_start after that ++ * will not reprogram the hardware due to hang_detected being ++ * set. So we'd effectivly block all timers until the T2 event ++ * fires. 
++ */ ++ if (cpu_base->hang_detected) ++ return; ++ + if (cpu_base->expires_next.tv64 != KTIME_MAX) + tick_program_event(cpu_base->expires_next, 1); + } +@@ -958,11 +980,8 @@ int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, + /* Remove an active timer from the queue: */ + ret = remove_hrtimer(timer, base); + +- /* Switch the timer base, if necessary: */ +- new_base = switch_hrtimer_base(timer, base, mode & HRTIMER_MODE_PINNED); +- + if (mode & HRTIMER_MODE_REL) { +- tim = ktime_add_safe(tim, new_base->get_time()); ++ tim = ktime_add_safe(tim, base->get_time()); + /* + * CONFIG_TIME_LOW_RES is a temporary way for architectures + * to signal that they simply return xtime in +@@ -977,6 +996,9 @@ int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, + + hrtimer_set_expires_range_ns(timer, tim, delta_ns); + ++ /* Switch the timer base, if necessary: */ ++ new_base = switch_hrtimer_base(timer, base, mode & HRTIMER_MODE_PINNED); ++ + timer_stats_hrtimer_set_start_info(timer); + + leftmost = enqueue_hrtimer(timer, new_base); +diff --git a/kernel/module.c b/kernel/module.c +index 65362d9..95ecd9f 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -2888,6 +2888,9 @@ static struct module *load_module(void __user *umod, + /* This has to be done once we're sure module name is unique. 
*/ + dynamic_debug_setup(info.debug, info.num_debug); + ++ /* Ftrace init must be called in the MODULE_STATE_UNFORMED state */ ++ ftrace_module_init(mod); ++ + /* Find duplicate symbols */ + err = verify_export_symbols(mod); + if (err < 0) +diff --git a/kernel/sched_cpupri.c b/kernel/sched_cpupri.c +index a86cf9d..1f4afdd 100644 +--- a/kernel/sched_cpupri.c ++++ b/kernel/sched_cpupri.c +@@ -68,8 +68,7 @@ int cpupri_find(struct cpupri *cp, struct task_struct *p, + int idx = 0; + int task_pri = convert_prio(p->prio); + +- if (task_pri >= MAX_RT_PRIO) +- return 0; ++ BUG_ON(task_pri >= CPUPRI_NR_PRIORITIES); + + for (idx = 0; idx < task_pri; idx++) { + struct cpupri_vec *vec = &cp->pri_to_cpu[idx]; +diff --git a/kernel/timer.c b/kernel/timer.c +index f8b05a4..349953e 100644 +--- a/kernel/timer.c ++++ b/kernel/timer.c +@@ -769,7 +769,7 @@ unsigned long apply_slack(struct timer_list *timer, unsigned long expires) + + bit = find_last_bit(&mask, BITS_PER_LONG); + +- mask = (1 << bit) - 1; ++ mask = (1UL << bit) - 1; + + expires_limit = expires_limit & ~(mask); + +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index a65fa36..dcbafed 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -3542,16 +3542,11 @@ static void ftrace_init_module(struct module *mod, + ftrace_process_locs(mod, start, end); + } + +-static int ftrace_module_notify_enter(struct notifier_block *self, +- unsigned long val, void *data) ++void ftrace_module_init(struct module *mod) + { +- struct module *mod = data; +- +- if (val == MODULE_STATE_COMING) +- ftrace_init_module(mod, mod->ftrace_callsites, +- mod->ftrace_callsites + +- mod->num_ftrace_callsites); +- return 0; ++ ftrace_init_module(mod, mod->ftrace_callsites, ++ mod->ftrace_callsites + ++ mod->num_ftrace_callsites); + } + + static int ftrace_module_notify_exit(struct notifier_block *self, +@@ -3565,11 +3560,6 @@ static int ftrace_module_notify_exit(struct notifier_block *self, + return 0; + } + #else +-static int 
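Review bot: Nothing in this hunk shows how the records set up by `ftrace_module_init(mod)` are released if load_module() fails after the call, starting with the `verify_export_symbols()` error branch directly below it. The only module notifier left in kernel/trace/ftrace.c is the exit one, and it is not clear from here that it runs for a module that never leaves MODULE_STATE_UNFORMED. The error labels of load_module() are outside the hunk, so please confirm they reach the ftrace release path (presumably `ftrace_release_mod(mod)`). The added comment should also say so, e.g. `/* Ftrace init must be called in the MODULE_STATE_UNFORMED state; undone on the error path below */`.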
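Review bot: The `BUG_ON(task_pri >= CPUPRI_NR_PRIORITIES)` at the top of cpupri_find() turns an out-of-range priority into a full kernel stop, where the removed lines simply returned 0. The bound does need checking, since the loop below indexes `cp->pri_to_cpu[idx]` for every `idx < task_pri`, but a scheduler path can report the problem and carry on. I would use `if (WARN_ON_ONCE(task_pri >= CPUPRI_NR_PRIORITIES)) return 0;`, which keeps the array access safe and still leaves a trace. The rest of cpupri_find() is outside the hunk.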
ftrace_module_notify_enter(struct notifier_block *self, +- unsigned long val, void *data) +-{ +- return 0; +-} + static int ftrace_module_notify_exit(struct notifier_block *self, + unsigned long val, void *data) + { +@@ -3577,11 +3567,6 @@ static int ftrace_module_notify_exit(struct notifier_block *self, + } + #endif /* CONFIG_MODULES */ + +-struct notifier_block ftrace_module_enter_nb = { +- .notifier_call = ftrace_module_notify_enter, +- .priority = INT_MAX, /* Run before anything that can use kprobes */ +-}; +- + struct notifier_block ftrace_module_exit_nb = { + .notifier_call = ftrace_module_notify_exit, + .priority = INT_MIN, /* Run after anything that can remove kprobes */ +@@ -3618,10 +3603,6 @@ void __init ftrace_init(void) + __start_mcount_loc, + __stop_mcount_loc); + +- ret = register_module_notifier(&ftrace_module_enter_nb); +- if (ret) +- pr_warning("Failed to register trace ftrace module enter notifier\n"); +- + ret = register_module_notifier(&ftrace_module_exit_nb); + if (ret) + pr_warning("Failed to register trace ftrace module exit notifier\n"); +diff --git a/kernel/tracepoint.c b/kernel/tracepoint.c +index 41b25a0..088fbc5 100644 +--- a/kernel/tracepoint.c ++++ b/kernel/tracepoint.c +@@ -638,6 +638,9 @@ static int tracepoint_module_coming(struct module *mod) + struct tp_module *tp_mod, *iter; + int ret = 0; + ++ if (!mod->num_tracepoints) ++ return 0; ++ + /* + * We skip modules that taint the kernel, especially those with different + * module headers (for forced load), to make sure we don't cause a crash. 
+@@ -681,6 +684,9 @@ static int tracepoint_module_going(struct module *mod) + { + struct tp_module *pos; + ++ if (!mod->num_tracepoints) ++ return 0; ++ + mutex_lock(&tracepoints_mutex); + tracepoint_update_probe_range(mod->tracepoints_ptrs, + mod->tracepoints_ptrs + mod->num_tracepoints); +diff --git a/mm/memory-failure.c b/mm/memory-failure.c +index 96c4bcf..51901b1 100644 +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -1033,15 +1033,16 @@ int __memory_failure(unsigned long pfn, int trapno, int flags) + return 0; + } else if (PageHuge(hpage)) { + /* +- * Check "just unpoisoned", "filter hit", and +- * "race with other subpage." ++ * Check "filter hit" and "race with other subpage." + */ + lock_page(hpage); +- if (!PageHWPoison(hpage) +- || (hwpoison_filter(p) && TestClearPageHWPoison(p)) +- || (p != hpage && TestSetPageHWPoison(hpage))) { +- atomic_long_sub(nr_pages, &mce_bad_pages); +- return 0; ++ if (PageHWPoison(hpage)) { ++ if ((hwpoison_filter(p) && TestClearPageHWPoison(p)) ++ || (p != hpage && TestSetPageHWPoison(hpage))) { ++ atomic_long_sub(nr_pages, &mce_bad_pages); ++ unlock_page(hpage); ++ return 0; ++ } + } + set_page_hwpoison_huge_page(hpage); + res = dequeue_hwpoisoned_huge_page(hpage); +@@ -1093,6 +1094,8 @@ int __memory_failure(unsigned long pfn, int trapno, int flags) + */ + if (!PageHWPoison(p)) { + printk(KERN_ERR "MCE %#lx: just unpoisoned\n", pfn); ++ atomic_long_sub(nr_pages, &mce_bad_pages); ++ put_page(hpage); + res = 0; + goto out; + } +diff --git a/mm/page-writeback.c b/mm/page-writeback.c +index b5cd796..d2ac057 100644 +--- a/mm/page-writeback.c ++++ b/mm/page-writeback.c +@@ -559,7 +559,7 @@ static unsigned long bdi_position_ratio(struct backing_dev_info *bdi, + * => fast response on large errors; small oscillation near setpoint + */ + setpoint = (freerun + limit) / 2; +- x = div_s64((setpoint - dirty) << RATELIMIT_CALC_SHIFT, ++ x = div64_s64(((s64)setpoint - (s64)dirty) << RATELIMIT_CALC_SHIFT, + limit - setpoint + 1); + 
pos_ratio = x; + pos_ratio = pos_ratio * x >> RATELIMIT_CALC_SHIFT; +@@ -625,7 +625,7 @@ static unsigned long bdi_position_ratio(struct backing_dev_info *bdi, + x_intercept = bdi_setpoint + span; + + if (bdi_dirty < x_intercept - span / 4) { +- pos_ratio = div_u64(pos_ratio * (x_intercept - bdi_dirty), ++ pos_ratio = div64_u64(pos_ratio * (x_intercept - bdi_dirty), + x_intercept - bdi_setpoint + 1); + } else + pos_ratio /= 4; +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index aa12649..4d99d42 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -610,14 +610,17 @@ static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type) + if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->pend)) { + struct hci_cp_auth_requested cp; + +- /* encrypt must be pending if auth is also pending */ +- set_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend); +- + cp.handle = cpu_to_le16(conn->handle); + hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED, + sizeof(cp), &cp); ++ ++ /* If we're already encrypted set the REAUTH_PEND flag, ++ * otherwise set the ENCRYPT_PEND. 
++ */ + if (conn->key_type != 0xff) + set_bit(HCI_CONN_REAUTH_PEND, &conn->pend); ++ else ++ set_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend); + } + + return 0; +diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c +index cbf9ccd..99a48a3 100644 +--- a/net/bridge/br_netlink.c ++++ b/net/bridge/br_netlink.c +@@ -211,11 +211,26 @@ static int br_validate(struct nlattr *tb[], struct nlattr *data[]) + return 0; + } + ++static int br_dev_newlink(struct net *src_net, struct net_device *dev, ++ struct nlattr *tb[], struct nlattr *data[]) ++{ ++ struct net_bridge *br = netdev_priv(dev); ++ ++ if (tb[IFLA_ADDRESS]) { ++ spin_lock_bh(&br->lock); ++ br_stp_change_bridge_id(br, nla_data(tb[IFLA_ADDRESS])); ++ spin_unlock_bh(&br->lock); ++ } ++ ++ return register_netdevice(dev); ++} ++ + struct rtnl_link_ops br_link_ops __read_mostly = { + .kind = "bridge", + .priv_size = sizeof(struct net_bridge), + .setup = br_dev_setup, + .validate = br_validate, ++ .newlink = br_dev_newlink, + .dellink = br_dev_delete, + }; + +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index 5864cc4..45f93f8 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1044,10 +1044,9 @@ static int do_replace_finish(struct net *net, struct ebt_replace *repl, + if (repl->num_counters && + copy_to_user(repl->counters, counterstmp, + repl->num_counters * sizeof(struct ebt_counter))) { +- ret = -EFAULT; ++ /* Silent error, can't fail, new table is already in place */ ++ net_warn_ratelimited("ebtables: counters copy to user failed while replacing table\n"); + } +- else +- ret = 0; + + /* decrease module count and free resources */ + EBT_ENTRY_ITERATE(table->entries, table->entries_size, +diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c +index ad5b708..20ba2d5 100644 +--- a/net/ceph/messenger.c ++++ b/net/ceph/messenger.c +@@ -284,6 +284,37 @@ static int ceph_tcp_sendmsg(struct socket *sock, struct kvec *iov, + return r; + } + ++static 
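Review bot: `br_dev_newlink()` passes `nla_data(tb[IFLA_ADDRESS])` to `br_stp_change_bridge_id()` without checking the attribute length, so it relies entirely on `br_validate()` having rejected a short or invalid address beforehand. Only the tail of `br_validate()` appears as context in this hunk, so that cannot be confirmed from here. A comment above the `if` would make the dependency explicit for the next reader: `/* IFLA_ADDRESS length and validity were already checked in br_validate() */`.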
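Review bot: The comment added in the `copy_to_user()` failure branch says "Silent error" although the next line logs a warning, and it does not say what the caller now gets back. With the `else ret = 0;` arm removed, `ret` is no longer assigned anywhere in this hunk, so the returned value presumably comes from the checks earlier in do_replace_finish(), which are outside the hunk. I would reword it to `/* Not fatal: the new table is already live, so warn and leave ret unchanged; userspace sees success with an unfilled counters buffer */`. The same comment is repeated in the __do_replace() hunks of arp_tables.c, ip_tables.c and ip6_tables.c.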
int __ceph_tcp_sendpage(struct socket *sock, struct page *page, ++ int offset, size_t size, bool more) ++{ ++ int flags = MSG_DONTWAIT | MSG_NOSIGNAL | (more ? MSG_MORE : MSG_EOR); ++ int ret; ++ ++ ret = kernel_sendpage(sock, page, offset, size, flags); ++ if (ret == -EAGAIN) ++ ret = 0; ++ ++ return ret; ++} ++ ++static int ceph_tcp_sendpage(struct socket *sock, struct page *page, ++ int offset, size_t size, bool more) ++{ ++ int ret; ++ struct kvec iov; ++ ++ /* sendpage cannot properly handle pages with page_count == 0, ++ * we need to fallback to sendmsg if that's the case */ ++ if (page_count(page) >= 1) ++ return __ceph_tcp_sendpage(sock, page, offset, size, more); ++ ++ iov.iov_base = kmap(page) + offset; ++ iov.iov_len = size; ++ ret = ceph_tcp_sendmsg(sock, &iov, 1, size, more); ++ kunmap(page); ++ ++ return ret; ++} + + /* + * Shutdown/close the socket for the given connection. +@@ -851,18 +882,14 @@ static int write_partial_msg_pages(struct ceph_connection *con) + cpu_to_le32(crc32c(tmpcrc, base, len)); + con->out_msg_pos.did_page_crc = 1; + } +- ret = kernel_sendpage(con->sock, page, ++ ret = ceph_tcp_sendpage(con->sock, page, + con->out_msg_pos.page_pos + page_shift, +- len, +- MSG_DONTWAIT | MSG_NOSIGNAL | +- MSG_MORE); ++ len, 1); + + if (crc && + (msg->pages || msg->pagelist || msg->bio || in_trail)) + kunmap(page); + +- if (ret == -EAGAIN) +- ret = 0; + if (ret <= 0) + goto out; + +diff --git a/net/core/dev.c b/net/core/dev.c +index 7bcf37d..854da15 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3648,6 +3648,7 @@ static void napi_reuse_skb(struct napi_struct *napi, struct sk_buff *skb) + skb->vlan_tci = 0; + skb->dev = napi->dev; + skb->skb_iif = 0; ++ skb->truesize = SKB_TRUESIZE(skb_end_offset(skb)); + + napi->skb = skb; + } +diff --git a/net/core/filter.c b/net/core/filter.c +index 5dea452..9c88080 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -320,6 +320,8 @@ load_b: + + if (skb_is_nonlinear(skb)) + return 0; ++ if 
(skb->len < sizeof(struct nlattr)) ++ return 0; + if (A > skb->len - sizeof(struct nlattr)) + return 0; + +@@ -336,11 +338,13 @@ load_b: + + if (skb_is_nonlinear(skb)) + return 0; ++ if (skb->len < sizeof(struct nlattr)) ++ return 0; + if (A > skb->len - sizeof(struct nlattr)) + return 0; + + nla = (struct nlattr *)&skb->data[A]; +- if (nla->nla_len > A - skb->len) ++ if (nla->nla_len > skb->len - A) + return 0; + + nla = nla_find_nested(nla, X); +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 5b7d5f2..7beaf10 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -744,7 +744,8 @@ static inline int rtnl_vfinfo_size(const struct net_device *dev, + return 0; + } + +-static size_t rtnl_port_size(const struct net_device *dev) ++static size_t rtnl_port_size(const struct net_device *dev, ++ u32 ext_filter_mask) + { + size_t port_size = nla_total_size(4) /* PORT_VF */ + + nla_total_size(PORT_PROFILE_MAX) /* PORT_PROFILE */ +@@ -760,7 +761,8 @@ static size_t rtnl_port_size(const struct net_device *dev) + size_t port_self_size = nla_total_size(sizeof(struct nlattr)) + + port_size; + +- if (!dev->netdev_ops->ndo_get_vf_port || !dev->dev.parent) ++ if (!dev->netdev_ops->ndo_get_vf_port || !dev->dev.parent || ++ !(ext_filter_mask & RTEXT_FILTER_VF)) + return 0; + if (dev_num_vf(dev->dev.parent)) + return port_self_size + vf_ports_size + +@@ -791,7 +793,7 @@ static noinline size_t if_nlmsg_size(const struct net_device *dev, + + nla_total_size(ext_filter_mask + & RTEXT_FILTER_VF ? 
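Review bot: The new `if (skb->len < sizeof(struct nlattr)) return 0;` guard has no comment explaining that it exists only to stop the unsigned subtraction on the following line from wrapping on a short packet. The same applies to the identical guard in the next hunk (`@@ -336`), where the corrected `nla->nla_len > skb->len - A` test depends in turn on the `A > skb->len - sizeof(struct nlattr)` check before it. I would add `/* skb->len is unsigned: reject short packets before the subtraction below can wrap */` above both guards. Since the two-line check is now duplicated, a small static helper taking `skb` and `A` would keep the two cases from drifting apart. Both cases sit inside a function that starts and ends outside these hunks.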
4 : 0) /* IFLA_NUM_VF */ + + rtnl_vfinfo_size(dev, ext_filter_mask) /* IFLA_VFINFO_LIST */ +- + rtnl_port_size(dev) /* IFLA_VF_PORTS + IFLA_PORT_SELF */ ++ + rtnl_port_size(dev, ext_filter_mask) /* IFLA_VF_PORTS + IFLA_PORT_SELF */ + + rtnl_link_get_size(dev) /* IFLA_LINKINFO */ + + rtnl_link_get_af_size(dev); /* IFLA_AF_SPEC */ + } +@@ -851,11 +853,13 @@ static int rtnl_port_self_fill(struct sk_buff *skb, struct net_device *dev) + return 0; + } + +-static int rtnl_port_fill(struct sk_buff *skb, struct net_device *dev) ++static int rtnl_port_fill(struct sk_buff *skb, struct net_device *dev, ++ u32 ext_filter_mask) + { + int err; + +- if (!dev->netdev_ops->ndo_get_vf_port || !dev->dev.parent) ++ if (!dev->netdev_ops->ndo_get_vf_port || !dev->dev.parent || ++ !(ext_filter_mask & RTEXT_FILTER_VF)) + return 0; + + err = rtnl_port_self_fill(skb, dev); +@@ -1002,7 +1006,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev, + nla_nest_end(skb, vfinfo); + } + +- if (rtnl_port_fill(skb, dev)) ++ if (rtnl_port_fill(skb, dev, ext_filter_mask)) + goto nla_put_failure; + + if (dev->rtnl_link_ops) { +@@ -1057,6 +1061,7 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb) + struct hlist_node *node; + struct nlattr *tb[IFLA_MAX+1]; + u32 ext_filter_mask = 0; ++ int err; + + s_h = cb->args[0]; + s_idx = cb->args[1]; +@@ -1077,11 +1082,17 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb) + hlist_for_each_entry_rcu(dev, node, head, index_hlist) { + if (idx < s_idx) + goto cont; +- if (rtnl_fill_ifinfo(skb, dev, RTM_NEWLINK, +- NETLINK_CB(cb->skb).pid, +- cb->nlh->nlmsg_seq, 0, +- NLM_F_MULTI, +- ext_filter_mask) <= 0) ++ err = rtnl_fill_ifinfo(skb, dev, RTM_NEWLINK, ++ NETLINK_CB(cb->skb).pid, ++ cb->nlh->nlmsg_seq, 0, ++ NLM_F_MULTI, ++ ext_filter_mask); ++ /* If we ran out of room on the first message, ++ * we're in trouble ++ */ ++ WARN_ON((err == -EMSGSIZE) && (skb->len == 0)); ++ ++ if (err <= 0) 
+ goto out; + + nl_dump_check_consistent(cb, nlmsg_hdr(skb)); +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 8ac4a0f..9204d9b 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -743,7 +743,7 @@ static void copy_skb_header(struct sk_buff *new, const struct sk_buff *old) + struct sk_buff *skb_copy(const struct sk_buff *skb, gfp_t gfp_mask) + { + int headerlen = skb_headroom(skb); +- unsigned int size = (skb_end_pointer(skb) - skb->head) + skb->data_len; ++ unsigned int size = skb_end_offset(skb) + skb->data_len; + struct sk_buff *n = alloc_skb(size, gfp_mask); + + if (!n) +@@ -843,7 +843,7 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail, + { + int i; + u8 *data; +- int size = nhead + (skb_end_pointer(skb) - skb->head) + ntail; ++ int size = nhead + skb_end_offset(skb) + ntail; + long off; + bool fastpath; + +@@ -2642,14 +2642,13 @@ struct sk_buff *skb_segment(struct sk_buff *skb, u32 features) + if (unlikely(!nskb)) + goto err; + +- hsize = skb_end_pointer(nskb) - nskb->head; ++ hsize = skb_end_offset(nskb); + if (skb_cow_head(nskb, doffset + headroom)) { + kfree_skb(nskb); + goto err; + } + +- nskb->truesize += skb_end_pointer(nskb) - nskb->head - +- hsize; ++ nskb->truesize += skb_end_offset(nskb) - hsize; + skb_release_head_state(nskb); + __skb_push(nskb, doffset); + } else { +@@ -3197,12 +3196,14 @@ EXPORT_SYMBOL(__skb_warn_lro_forwarding); + unsigned int skb_gso_transport_seglen(const struct sk_buff *skb) + { + const struct skb_shared_info *shinfo = skb_shinfo(skb); +- unsigned int hdr_len; + + if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))) +- hdr_len = tcp_hdrlen(skb); +- else +- hdr_len = sizeof(struct udphdr); +- return hdr_len + shinfo->gso_size; ++ return tcp_hdrlen(skb) + shinfo->gso_size; ++ ++ /* UFO sets gso_size to the size of the fragmentation ++ * payload, i.e. the size of the L4 (UDP) header is already ++ * accounted for. 
++ */ ++ return shinfo->gso_size; + } + EXPORT_SYMBOL_GPL(skb_gso_transport_seglen); +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index d01f9c6..76da979 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -752,13 +752,13 @@ struct fib_info *fib_create_info(struct fib_config *cfg) + fi = kzalloc(sizeof(*fi)+nhs*sizeof(struct fib_nh), GFP_KERNEL); + if (fi == NULL) + goto failure; ++ fib_info_cnt++; + if (cfg->fc_mx) { + fi->fib_metrics = kzalloc(sizeof(u32) * RTAX_MAX, GFP_KERNEL); + if (!fi->fib_metrics) + goto failure; + } else + fi->fib_metrics = (u32 *) dst_default_metrics; +- fib_info_cnt++; + + fi->fib_net = hold_net(net); + fi->fib_protocol = cfg->fc_protocol; +diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c +index e0d9f02..7593f3a 100644 +--- a/net/ipv4/ip_forward.c ++++ b/net/ipv4/ip_forward.c +@@ -42,12 +42,12 @@ + static bool ip_may_fragment(const struct sk_buff *skb) + { + return unlikely((ip_hdr(skb)->frag_off & htons(IP_DF)) == 0) || +- !skb->local_df; ++ skb->local_df; + } + + static bool ip_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu) + { +- if (skb->len <= mtu || skb->local_df) ++ if (skb->len <= mtu) + return false; + + if (skb_is_gso(skb) && skb_gso_network_seglen(skb) <= mtu) +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index fd7a3f6..bcb6e61 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -1039,8 +1039,10 @@ static int __do_replace(struct net *net, const char *name, + + xt_free_table_info(oldinfo); + if (copy_to_user(counters_ptr, counters, +- sizeof(struct xt_counters) * num_counters) != 0) +- ret = -EFAULT; ++ sizeof(struct xt_counters) * num_counters) != 0) { ++ /* Silent error, can't fail, new table is already in place */ ++ net_warn_ratelimited("arptables: counters copy to user failed while replacing table\n"); ++ } + vfree(counters); + xt_table_unlock(t); + return ret; +diff --git 
a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index 24e556e..f98a1cf 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1227,8 +1227,10 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks, + + xt_free_table_info(oldinfo); + if (copy_to_user(counters_ptr, counters, +- sizeof(struct xt_counters) * num_counters) != 0) +- ret = -EFAULT; ++ sizeof(struct xt_counters) * num_counters) != 0) { ++ /* Silent error, can't fail, new table is already in place */ ++ net_warn_ratelimited("iptables: counters copy to user failed while replacing table\n"); ++ } + vfree(counters); + xt_table_unlock(t); + return ret; +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index 00975b6..d495d4b 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -203,26 +203,33 @@ static int ping_init_sock(struct sock *sk) + struct net *net = sock_net(sk); + gid_t group = current_egid(); + gid_t range[2]; +- struct group_info *group_info = get_current_groups(); +- int i, j, count = group_info->ngroups; ++ struct group_info *group_info; ++ int i, j, count; ++ int ret = 0; + + inet_get_ping_group_range_net(net, range, range+1); + if (range[0] <= group && group <= range[1]) + return 0; + ++ group_info = get_current_groups(); ++ count = group_info->ngroups; + for (i = 0; i < group_info->nblocks; i++) { + int cp_count = min_t(int, NGROUPS_PER_BLOCK, count); + + for (j = 0; j < cp_count; j++) { + group = group_info->blocks[i][j]; + if (range[0] <= group && group <= range[1]) +- return 0; ++ goto out_release_group; + } + + count -= cp_count; + } + +- return -EACCES; ++ ret = -EACCES; ++ ++out_release_group: ++ put_group_info(group_info); ++ return ret; + } + + static void ping_close(struct sock *sk, long timeout) +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 6768ce2..6526110 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2142,7 +2142,7 @@ static int __mkroute_input(struct sk_buff *skb, + struct in_device 
*out_dev; + unsigned int flags = 0; + __be32 spec_dst; +- u32 itag; ++ u32 itag = 0; + + /* get a working reference to the output device */ + out_dev = __in_dev_get_rcu(FIB_RES_DEV(*res)); +diff --git a/net/ipv4/tcp_cubic.c b/net/ipv4/tcp_cubic.c +index b78eac2..ed3d6d4 100644 +--- a/net/ipv4/tcp_cubic.c ++++ b/net/ipv4/tcp_cubic.c +@@ -406,7 +406,7 @@ static void bictcp_acked(struct sock *sk, u32 cnt, s32 rtt_us) + ratio -= ca->delayed_ack >> ACK_RATIO_SHIFT; + ratio += cnt; + +- ca->delayed_ack = min(ratio, ACK_RATIO_LIMIT); ++ ca->delayed_ack = clamp(ratio, 1U, ACK_RATIO_LIMIT); + } + + /* Some calls are for duplicates without timetamps */ +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index 94874b0..2e752b2 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1249,8 +1249,10 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks, + + xt_free_table_info(oldinfo); + if (copy_to_user(counters_ptr, counters, +- sizeof(struct xt_counters) * num_counters) != 0) +- ret = -EFAULT; ++ sizeof(struct xt_counters) * num_counters) != 0) { ++ /* Silent error, can't fail, new table is already in place */ ++ net_warn_ratelimited("ip6tables: counters copy to user failed while replacing table\n"); ++ } + vfree(counters); + xt_table_unlock(t); + return ret; +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 39e11f9..782f67a 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -1056,7 +1056,7 @@ static unsigned int ip6_mtu(const struct dst_entry *dst) + unsigned int mtu = dst_metric_raw(dst, RTAX_MTU); + + if (mtu) +- return mtu; ++ goto out; + + mtu = IPV6_MIN_MTU; + +@@ -1066,7 +1066,8 @@ static unsigned int ip6_mtu(const struct dst_entry *dst) + mtu = idev->cnf.mtu6; + rcu_read_unlock(); + +- return mtu; ++out: ++ return min_t(unsigned int, mtu, IP6_MAX_MTU); + } + + static struct dst_entry *icmp6_dst_gc_list; +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c +index 
969cd3e..e0f0934 100644 +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -772,9 +772,9 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr, + session->deref = pppol2tp_session_sock_put; + + /* If PMTU discovery was enabled, use the MTU that was discovered */ +- dst = sk_dst_get(sk); ++ dst = sk_dst_get(tunnel->sock); + if (dst != NULL) { +- u32 pmtu = dst_mtu(__sk_dst_get(sk)); ++ u32 pmtu = dst_mtu(__sk_dst_get(tunnel->sock)); + if (pmtu != 0) + session->mtu = session->mru = pmtu - + PPPOL2TP_HEADER_OVERHEAD; +diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c +index e051398..d067ed1 100644 +--- a/net/sched/act_mirred.c ++++ b/net/sched/act_mirred.c +@@ -201,13 +201,12 @@ static int tcf_mirred(struct sk_buff *skb, const struct tc_action *a, + out: + if (err) { + m->tcf_qstats.overlimits++; +- /* should we be asking for packet to be dropped? +- * may make sense for redirect case only +- */ +- retval = TC_ACT_SHOT; +- } else { ++ if (m->tcfm_eaction != TCA_EGRESS_MIRROR) ++ retval = TC_ACT_SHOT; ++ else ++ retval = m->tcf_action; ++ } else + retval = m->tcf_action; +- } + spin_unlock(&m->tcf_lock); + + return retval; +diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c +index 6f6ad86..de35e01 100644 +--- a/net/sctp/protocol.c ++++ b/net/sctp/protocol.c +@@ -528,8 +528,13 @@ static void sctp_v4_get_dst(struct sctp_transport *t, union sctp_addr *saddr, + continue; + if ((laddr->state == SCTP_ADDR_SRC) && + (AF_INET == laddr->a.sa.sa_family)) { +- fl4->saddr = laddr->a.v4.sin_addr.s_addr; + fl4->fl4_sport = laddr->a.v4.sin_port; ++ flowi4_update_output(fl4, ++ asoc->base.sk->sk_bound_dev_if, ++ RT_CONN_FLAGS(asoc->base.sk), ++ daddr->v4.sin_addr.s_addr, ++ laddr->a.v4.sin_addr.s_addr); ++ + rt = ip_route_output_key(&init_net, fl4); + if (!IS_ERR(rt)) { + dst = &rt->dst; +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index 619228d..dc5748f 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ 
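Review bot: `retval = m->tcf_action;` now appears twice in the `out:` block of tcf_mirred(), and the outer `else` lost its braces while the `if (err)` arm keeps them. Leaving only `m->tcf_qstats.overlimits++;` under `if (err)` and deciding the verdict once reads more clearly: `if (err && m->tcfm_eaction != TCA_EGRESS_MIRROR) retval = TC_ACT_SHOT;` followed by `else retval = m->tcf_action;`. The removed comment was the only explanation of the verdict, so one line saying that a failed mirror must not drop the original packet would help. The start of tcf_mirred() is outside the hunk.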
-569,12 +569,16 @@ static int ignore_undef_symbol(struct elf_info *info, const char *symname) + if (strncmp(symname, "_restgpr_", sizeof("_restgpr_") - 1) == 0 || + strncmp(symname, "_savegpr_", sizeof("_savegpr_") - 1) == 0 || + strncmp(symname, "_rest32gpr_", sizeof("_rest32gpr_") - 1) == 0 || +- strncmp(symname, "_save32gpr_", sizeof("_save32gpr_") - 1) == 0) ++ strncmp(symname, "_save32gpr_", sizeof("_save32gpr_") - 1) == 0 || ++ strncmp(symname, "_restvr_", sizeof("_restvr_") - 1) == 0 || ++ strncmp(symname, "_savevr_", sizeof("_savevr_") - 1) == 0) + return 1; + if (info->hdr->e_machine == EM_PPC64) + /* Special register function linked on all modules during final link of .ko */ + if (strncmp(symname, "_restgpr0_", sizeof("_restgpr0_") - 1) == 0 || +- strncmp(symname, "_savegpr0_", sizeof("_savegpr0_") - 1) == 0) ++ strncmp(symname, "_savegpr0_", sizeof("_savegpr0_") - 1) == 0 || ++ strncmp(symname, "_restvr_", sizeof("_restvr_") - 1) == 0 || ++ strncmp(symname, "_savevr_", sizeof("_savevr_") - 1) == 0) + return 1; + /* Do not ignore this symbol */ + return 0; +diff --git a/virt/kvm/async_pf.c b/virt/kvm/async_pf.c +index 74268b4..bdd2c0d 100644 +--- a/virt/kvm/async_pf.c ++++ b/virt/kvm/async_pf.c +@@ -75,7 +75,6 @@ static void async_pf_execute(struct work_struct *work) + spin_lock(&vcpu->async_pf.lock); + list_add_tail(&apf->link, &vcpu->async_pf.done); + apf->page = page; +- apf->done = true; + spin_unlock(&vcpu->async_pf.lock); + + /* +@@ -88,7 +87,7 @@ static void async_pf_execute(struct work_struct *work) + if (waitqueue_active(&vcpu->wq)) + wake_up_interruptible(&vcpu->wq); + +- mmdrop(mm); ++ mmput(mm); + kvm_put_kvm(vcpu->kvm); + } + +@@ -99,10 +98,12 @@ void kvm_clear_async_pf_completion_queue(struct kvm_vcpu *vcpu) + struct kvm_async_pf *work = + list_entry(vcpu->async_pf.queue.next, + typeof(*work), queue); +- cancel_work_sync(&work->work); + list_del(&work->queue); +- if (!work->done) /* work was canceled */ ++ if (cancel_work_sync(&work->work)) 
{ ++ mmput(work->mm); ++ kvm_put_kvm(vcpu->kvm); /* == work->vcpu->kvm */ + kmem_cache_free(async_pf_cache, work); ++ } + } + + spin_lock(&vcpu->async_pf.lock); +@@ -163,13 +164,12 @@ int kvm_setup_async_pf(struct kvm_vcpu *vcpu, gva_t gva, gfn_t gfn, + return 0; + + work->page = NULL; +- work->done = false; + work->vcpu = vcpu; + work->gva = gva; + work->addr = gfn_to_hva(vcpu->kvm, gfn); + work->arch = *arch; + work->mm = current->mm; +- atomic_inc(&work->mm->mm_count); ++ atomic_inc(&work->mm->mm_users); + kvm_get_kvm(work->vcpu->kvm); + + /* this can't really happen otherwise gfn_to_pfn_async +@@ -187,7 +187,7 @@ int kvm_setup_async_pf(struct kvm_vcpu *vcpu, gva_t gva, gfn_t gfn, + return 1; + retry_sync: + kvm_put_kvm(work->vcpu->kvm); +- mmdrop(work->mm); ++ mmput(work->mm); + kmem_cache_free(async_pf_cache, work); + return 0; + } diff --git a/3.2.59/4420_grsecurity-3.0-3.2.59-201406052202.patch b/3.2.60/4420_grsecurity-3.0-3.2.60-201406101410.patch index bcb5cf5..c00f5cd 100644 --- a/3.2.59/4420_grsecurity-3.0-3.2.59-201406052202.patch +++ b/3.2.60/4420_grsecurity-3.0-3.2.60-201406101410.patch @@ -273,7 +273,7 @@ index 88fd7f5..b318a78 100644 ============================================================== diff --git a/Makefile b/Makefile -index 1be3414..0f629f5 100644 +index 317d5ea..1f4b27b 100644 --- a/Makefile +++ b/Makefile @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ 
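Review bot: The new `if (cancel_work_sync(&work->work))` branch in kvm_clear_async_pf_completion_queue() encodes an ownership rule that is not written down anywhere in the hunk. A true return means async_pf_execute() never ran for this item, so this path must drop the mm and kvm references that function would otherwise have put. A comment above the branch would say so: `/* true: async_pf_execute() never ran, so drop the mm and kvm references it would have put */`. An item whose cancel returns false is not freed here; presumably it is picked up from `vcpu->async_pf.done` in the loop that follows, whose body is outside the hunk.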
@@ -466,15 +466,16 @@ index 1be3414..0f629f5 100644 Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS # clean - Delete most, but leave enough to build external modules -@@ -1201,6 +1284,7 @@ distclean: mrproper +@@ -1200,7 +1283,7 @@ distclean: mrproper + @find $(srctree) $(RCS_FIND_IGNORE) \ \( -name '*.orig' -o -name '*.rej' -o -name '*~' \ -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \ - -o -name '.*.rej' \ +- -o -name '.*.rej' \ + -o -name '.*.rej' -o -name '*.so' \ -o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \ -type f -print | xargs rm -f -@@ -1361,6 +1445,8 @@ PHONY += $(module-dirs) modules +@@ -1361,6 +1444,8 @@ PHONY += $(module-dirs) modules $(module-dirs): crmodverdir $(objtree)/Module.symvers $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@) @@ -483,7 +484,7 @@ index 1be3414..0f629f5 100644 modules: $(module-dirs) @$(kecho) ' Building modules, stage 2.'; $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost -@@ -1487,17 +1573,21 @@ else +@@ -1487,17 +1572,21 @@ else target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@)) endif @@ -509,7 +510,7 @@ index 1be3414..0f629f5 100644 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) %.symtypes: %.c prepare scripts FORCE $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) -@@ -1507,11 +1597,15 @@ endif +@@ -1507,11 +1596,15 @@ endif $(cmd_crmodverdir) $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ $(build)=$(build-dir) 
@@ -13571,18 +13572,6 @@ index d09bb03..0a3629b 100644 : "i" (-EFAULT), "r" (newval), "1" (oldval) : "memory" ); -diff --git a/arch/x86/include/asm/hugetlb.h b/arch/x86/include/asm/hugetlb.h -index 439a9ac..48fa391 100644 ---- a/arch/x86/include/asm/hugetlb.h -+++ b/arch/x86/include/asm/hugetlb.h -@@ -51,6 +51,7 @@ static inline pte_t huge_ptep_get_and_clear(struct mm_struct *mm, - static inline void huge_ptep_clear_flush(struct vm_area_struct *vma, - unsigned long addr, pte_t *ptep) - { -+ ptep_clear_flush(vma, addr, ptep); - } - - static inline int huge_pte_none(pte_t pte) diff --git a/arch/x86/include/asm/hw_irq.h b/arch/x86/include/asm/hw_irq.h index eb92a6e..b98b2f4 100644 --- a/arch/x86/include/asm/hw_irq.h @@ -14252,9 +14241,18 @@ index 9eae775..c914fea 100644 + #endif /* _ASM_X86_MODULE_H */ diff --git a/arch/x86/include/asm/page_64_types.h b/arch/x86/include/asm/page_64_types.h -index 7639dbf..e08a58c 100644 +index 7639dbf..9dc5a94 100644 --- a/arch/x86/include/asm/page_64_types.h +++ b/arch/x86/include/asm/page_64_types.h +@@ -1,7 +1,7 @@ + #ifndef _ASM_X86_PAGE_64_DEFS_H + #define _ASM_X86_PAGE_64_DEFS_H + +-#define THREAD_ORDER 1 ++#define THREAD_ORDER 2 + #define THREAD_SIZE (PAGE_SIZE << THREAD_ORDER) + #define CURRENT_MASK (~(THREAD_SIZE - 1)) + @@ -56,7 +56,7 @@ void copy_page(void *to, void *from); /* duplicated to the one in bootmem.h */ @@ -21746,19 +21744,10 @@ index a9c2116..94c1e1a 100644 }; #endif diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c -index 4ac4531..d655d56 100644 +index 3e0ccbf..d655d56 100644 --- a/arch/x86/kernel/ldt.c 
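Review bot: Nothing in the added `arch/x86/include/asm/page_64_types.h` hunk records why `THREAD_ORDER` goes from 1 to 2, a one-line change that doubles `THREAD_SIZE` and so the kernel stack of every task on x86-64. `CURRENT_MASK` is derived from the define, and the `stackstart + THREAD_SIZE` bound in this patch's fs/exec.c stack check follows it too, so the effect is wider than the one line suggests. A comment above the define would help the next rebase, e.g. `/* order-2 (4-page) kernel stacks; reason for the bump: confirm against the grsecurity changelog */`. Order-2 allocations are presumably more likely to fail under memory fragmentation than order-1 ones, which is worth a line in the release notes.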
+++ b/arch/x86/kernel/ldt.c -@@ -21,6 +21,8 @@ - #include <asm/mmu_context.h> - #include <asm/syscalls.h> - -+int sysctl_ldt16 = 0; -+ - #ifdef CONFIG_SMP - static void flush_ldt(void *current_mm) - { -@@ -67,13 +69,13 @@ static int alloc_ldt(mm_context_t *pc, int mincount, int reload) +@@ -69,13 +69,13 @@ static int alloc_ldt(mm_context_t *pc, int mincount, int reload) if (reload) { #ifdef CONFIG_SMP preempt_disable(); @@ -21774,7 +21763,7 @@ index 4ac4531..d655d56 100644 #endif } if (oldsize) { -@@ -95,7 +97,7 @@ static inline int copy_ldt(mm_context_t *new, mm_context_t *old) +@@ -97,7 +97,7 @@ static inline int copy_ldt(mm_context_t *new, mm_context_t *old) return err; for (i = 0; i < old->size; i++) @@ -21783,7 +21772,7 @@ index 4ac4531..d655d56 100644 return 0; } -@@ -116,6 +118,24 @@ int init_new_context(struct task_struct *tsk, struct mm_struct *mm) +@@ -118,6 +118,24 @@ int init_new_context(struct task_struct *tsk, struct mm_struct *mm) retval = copy_ldt(&mm->context, &old_mm->context); mutex_unlock(&old_mm->context.lock); } @@ -21808,7 +21797,7 @@ index 4ac4531..d655d56 100644 return retval; } -@@ -230,12 +250,19 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode) +@@ -232,6 +250,13 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode) } } @@ -21822,13 +21811,6 @@ index 4ac4531..d655d56 100644 /* * On x86-64 we do not support 16-bit segments due to * IRET leaking the high bits of the kernel stack address. - */ - #ifdef CONFIG_X86_64 -- if (!ldt_info.seg_32bit) { -+ if (!ldt_info.seg_32bit && !sysctl_ldt16) { - error = -EINVAL; - goto out_unlock; - } diff --git a/arch/x86/kernel/machine_kexec_32.c b/arch/x86/kernel/machine_kexec_32.c index a3fa43b..8966f4c 100644 --- a/arch/x86/kernel/machine_kexec_32.c @@ -31511,7 +31493,7 @@ index 5d17950..2253fc9 100644 # diff --git a/arch/x86/vdso/vdso32-setup.c b/arch/x86/vdso/vdso32-setup.c -index 468d591..8be5888 100644 +index 51bdc05..8be5888 100644 
--- a/arch/x86/vdso/vdso32-setup.c +++ b/arch/x86/vdso/vdso32-setup.c @@ -25,6 +25,7 @@ @@ -31522,15 +31504,7 @@ index 468d591..8be5888 100644 enum { VDSO_DISABLED = 0, -@@ -41,6 +42,7 @@ enum { - #ifdef CONFIG_X86_64 - #define vdso_enabled sysctl_vsyscall32 - #define arch_setup_additional_pages syscall32_setup_pages -+extern int sysctl_ldt16; - #endif - - /* -@@ -226,7 +228,7 @@ static inline void map_compat_vdso(int map) +@@ -227,7 +228,7 @@ static inline void map_compat_vdso(int map) void enable_sep_cpu(void) { int cpu = get_cpu(); @@ -31539,7 +31513,7 @@ index 468d591..8be5888 100644 if (!boot_cpu_has(X86_FEATURE_SEP)) { put_cpu(); -@@ -249,7 +251,7 @@ static int __init gate_vma_init(void) +@@ -250,7 +251,7 @@ static int __init gate_vma_init(void) gate_vma.vm_start = FIXADDR_USER_START; gate_vma.vm_end = FIXADDR_USER_END; gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC; @@ -31548,7 +31522,7 @@ index 468d591..8be5888 100644 /* * Make sure the vDSO gets into every core dump. * Dumping its contents makes post-mortem fully interpretable later -@@ -331,14 +333,14 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) +@@ -332,14 +333,14 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) if (compat) addr = VDSO_HIGH_BASE; else { @@ -31565,7 +31539,7 @@ index 468d591..8be5888 100644 if (compat_uses_vma || !compat) { /* -@@ -361,11 +363,11 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) +@@ -362,11 +363,11 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) } current_thread_info()->sysenter_return = 
@@ -31579,21 +31553,7 @@ index 468d591..8be5888 100644 up_write(&mm->mmap_sem); -@@ -388,6 +390,13 @@ static ctl_table abi_table2[] = { - .mode = 0644, - .proc_handler = proc_dointvec - }, -+ { -+ .procname = "ldt16", -+ .data = &sysctl_ldt16, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec -+ }, - {} - }; - -@@ -412,8 +421,14 @@ __initcall(ia32_binfmt_init); +@@ -420,8 +421,14 @@ __initcall(ia32_binfmt_init); const char *arch_vma_name(struct vm_area_struct *vma) { @@ -31609,7 +31569,7 @@ index 468d591..8be5888 100644 return NULL; } -@@ -423,7 +438,7 @@ struct vm_area_struct *get_gate_vma(struct mm_struct *mm) +@@ -431,7 +438,7 @@ struct vm_area_struct *get_gate_vma(struct mm_struct *mm) * Check to see if the corresponding task was created in compat vdso * mode. */ @@ -32639,7 +32599,7 @@ index f9b983a..887b9d8 100644 return 0; } diff --git a/drivers/atm/ambassador.c b/drivers/atm/ambassador.c -index f8f41e0..1f987dd 100644 +index 89b30f3..7964211d4 100644 --- a/drivers/atm/ambassador.c +++ b/drivers/atm/ambassador.c @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev, tx_out * tx) { @@ -32994,7 +32954,7 @@ index b812103..e391a49 100644 // free the skb hrz_kfree_skb (skb); diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c -index b0e75ce..035bf7e 100644 +index 81845fa..a4367d7 100644 --- a/drivers/atm/idt77252.c +++ b/drivers/atm/idt77252.c @@ -812,7 +812,7 @@ drain_scq(struct idt77252_dev *card, struct vc_map *vc) @@ -41956,7 +41916,7 @@ index 7ead065..832d24d 100644 void dm_uevent_add(struct mapped_device *md, struct list_head *elist) diff --git a/drivers/md/md.c b/drivers/md/md.c -index 2d0544c..bc3c200 100644 +index db4b4a8..779e19b 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -278,10 +278,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio); 
@@ -42340,18 +42300,6 @@ index 0564192..75b16f5 100644 NGENE_ID(0x18c3, 0xabc3, ngene_info_cineS2), NGENE_ID(0x18c3, 0xabc4, ngene_info_cineS2), NGENE_ID(0x18c3, 0xdb01, ngene_info_satixS2), -diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c -index 6edc9ba..298703f 100644 ---- a/drivers/media/media-device.c -+++ b/drivers/media/media-device.c -@@ -90,6 +90,7 @@ static long media_device_enum_entities(struct media_device *mdev, - struct media_entity *ent; - struct media_entity_desc u_ent; - -+ memset(&u_ent, 0, sizeof(u_ent)); - if (copy_from_user(&u_ent.id, &uent->id, sizeof(u_ent.id))) - return -EFAULT; - diff --git a/drivers/media/radio/radio-cadet.c b/drivers/media/radio/radio-cadet.c index 16a089f..1661b11 100644 --- a/drivers/media/radio/radio-cadet.c @@ -42511,10 +42459,10 @@ index a0895bf..b451f5b 100644 .open = timblogiw_open, .release = timblogiw_close, diff --git a/drivers/media/video/v4l2-compat-ioctl32.c b/drivers/media/video/v4l2-compat-ioctl32.c -index c68531b..5b2fb1d 100644 +index 2671959..fc2af92 100644 --- a/drivers/media/video/v4l2-compat-ioctl32.c +++ b/drivers/media/video/v4l2-compat-ioctl32.c -@@ -332,7 +332,7 @@ struct v4l2_buffer32 { +@@ -334,7 +334,7 @@ struct v4l2_buffer32 { __u32 reserved; }; @@ -42523,7 +42471,7 @@ index c68531b..5b2fb1d 100644 enum v4l2_memory memory) { void __user *up_pln; -@@ -358,7 +358,7 @@ static int get_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32, +@@ -360,7 +360,7 @@ static int get_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32, return 0; } 
@@ -42532,7 +42480,7 @@ index c68531b..5b2fb1d 100644 enum v4l2_memory memory) { if (copy_in_user(up32, up, 2 * sizeof(__u32)) || -@@ -424,7 +424,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user +@@ -426,7 +426,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user * by passing a very big num_planes value */ uplane = compat_alloc_user_space(num_planes * sizeof(struct v4l2_plane)); @@ -42541,7 +42489,7 @@ index c68531b..5b2fb1d 100644 while (--num_planes >= 0) { ret = get_v4l2_plane32(uplane, uplane32, kp->memory); -@@ -491,7 +491,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user +@@ -493,7 +493,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user if (num_planes == 0) return 0; @@ -42550,7 +42498,7 @@ index c68531b..5b2fb1d 100644 if (get_user(p, &up->m.planes)) return -EFAULT; uplane32 = compat_ptr(p); -@@ -541,7 +541,7 @@ static int get_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_frame +@@ -543,7 +543,7 @@ static int get_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_frame get_user(kp->capability, &up->capability) || get_user(kp->flags, &up->flags)) return -EFAULT; @@ -42559,7 +42507,7 @@ index c68531b..5b2fb1d 100644 get_v4l2_pix_format(&kp->fmt, &up->fmt); return 0; } -@@ -647,7 +647,7 @@ static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext +@@ -649,7 +649,7 @@ static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext n * sizeof(struct v4l2_ext_control32))) return -EFAULT; kcontrols = compat_alloc_user_space(n * sizeof(struct v4l2_ext_control)); 
@@ -42568,7 +42516,7 @@ index c68531b..5b2fb1d 100644 while (--n >= 0) { if (copy_in_user(kcontrols, ucontrols, sizeof(*ucontrols))) return -EFAULT; -@@ -669,7 +669,7 @@ static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext +@@ -671,7 +671,7 @@ static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext static int put_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext_controls32 __user *up) { struct v4l2_ext_control32 __user *ucontrols; @@ -42964,18 +42912,6 @@ index 4eec7b7..f468a4e 100644 if (err) goto exit_no_irq; -diff --git a/drivers/mfd/janz-cmodio.c b/drivers/mfd/janz-cmodio.c -index 5c2a06a..8fa077c 100644 ---- a/drivers/mfd/janz-cmodio.c -+++ b/drivers/mfd/janz-cmodio.c -@@ -13,6 +13,7 @@ - - #include <linux/kernel.h> - #include <linux/module.h> -+#include <linux/slab.h> - #include <linux/init.h> - #include <linux/pci.h> - #include <linux/interrupt.h> diff --git a/drivers/mfd/max8925-i2c.c b/drivers/mfd/max8925-i2c.c index 90b450c..7a52413 100644 --- a/drivers/mfd/max8925-i2c.c @@ -43600,7 +43536,7 @@ index a9ff89ff..461d313 100644 struct sm_sysfs_attribute *vendor_attribute; diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c -index 1bf36ac..55c534e 100644 +index 5af2a8f..9b833b4 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -4803,7 +4803,7 @@ static int bond_get_tx_queues(struct net *net, struct nlattr *tb[], @@ -43612,7 +43548,7 @@ index 1bf36ac..55c534e 100644 .kind = "bond", .priv_size = sizeof(struct bonding), .setup = bond_setup, -@@ -4928,8 +4928,8 @@ static void __exit bonding_exit(void) +@@ -4929,8 +4929,8 @@ static void __exit bonding_exit(void) bond_destroy_debugfs(); @@ -44278,10 +44214,10 @@ index d0893e4..14b0d44 100644 .init = loopback_net_init, }; diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c -index 301b39e..345c414 100644 +index b74cdf6..bed3bf3 100644 --- a/drivers/net/macvlan.c 
+++ b/drivers/net/macvlan.c -@@ -790,13 +790,15 @@ static const struct nla_policy macvlan_policy[IFLA_MACVLAN_MAX + 1] = { +@@ -789,13 +789,15 @@ static const struct nla_policy macvlan_policy[IFLA_MACVLAN_MAX + 1] = { int macvlan_link_register(struct rtnl_link_ops *ops) { /* common fields */ @@ -44304,7 +44240,7 @@ index 301b39e..345c414 100644 return rtnl_link_register(ops); }; -@@ -852,7 +854,7 @@ static int macvlan_device_event(struct notifier_block *unused, +@@ -851,7 +853,7 @@ static int macvlan_device_event(struct notifier_block *unused, return NOTIFY_DONE; } @@ -46026,7 +45962,7 @@ index b96766b..909c5a0 100644 ktime_t cur; acpi_status status; diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c -index 8e6c4fa..a7539b3 100644 +index 2a8d6aa..29b1bcb 100644 --- a/drivers/platform/x86/thinkpad_acpi.c +++ b/drivers/platform/x86/thinkpad_acpi.c @@ -2094,7 +2094,7 @@ static int hotkey_mask_get(void) @@ -47224,7 +47160,7 @@ index 2e1e54e..1af0a0d 100644 /** diff --git a/drivers/scsi/mpt2sas/mpt2sas_scsih.c b/drivers/scsi/mpt2sas/mpt2sas_scsih.c -index 987c6d6..575985c 100644 +index 01780a9..e756c24 100644 --- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c +++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c @@ -1532,7 +1532,7 @@ _scsih_get_resync(struct device *dev) @@ -56723,7 +56659,7 @@ index 451b9b8..12e5a03 100644 out_free_fd: diff --git a/fs/exec.c b/fs/exec.c -index 78199eb..38c4c00 100644 +index 78199eb..8958766 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,12 +55,35 @@ @@ -57344,7 +57280,7 @@ index 78199eb..38c4c00 100644 cn->corename = kmalloc(cn->size, GFP_KERNEL); cn->used = 0; -@@ -1833,6 +2017,308 @@ out: +@@ -1833,6 +2017,309 @@ out: return ispipe; } 
@@ -57593,8 +57529,9 @@ index 78199eb..38c4c00 100644 + +#ifndef CONFIG_STACK_GROWSUP + unsigned long stackstart = (unsigned long)task_stack_page(current); -+ if (unlikely(current_stack_pointer < stackstart + 512 || -+ current_stack_pointer >= stackstart + THREAD_SIZE)) ++ unsigned long currentsp = (unsigned long)&stackstart; ++ if (unlikely(currentsp < stackstart + 512 || ++ currentsp >= stackstart + THREAD_SIZE)) + BUG(); +#endif + @@ -57653,7 +57590,7 @@ index 78199eb..38c4c00 100644 static int zap_process(struct task_struct *start, int exit_code) { struct task_struct *t; -@@ -2006,17 +2492,17 @@ static void coredump_finish(struct mm_struct *mm) +@@ -2006,17 +2493,17 @@ static void coredump_finish(struct mm_struct *mm) void set_dumpable(struct mm_struct *mm, int value) { switch (value) { @@ -57674,7 +57611,7 @@ index 78199eb..38c4c00 100644 set_bit(MMF_DUMP_SECURELY, &mm->flags); smp_wmb(); set_bit(MMF_DUMPABLE, &mm->flags); -@@ -2029,7 +2515,7 @@ static int __get_dumpable(unsigned long mm_flags) +@@ -2029,7 +2516,7 @@ static int __get_dumpable(unsigned long mm_flags) int ret; ret = mm_flags & MMF_DUMPABLE_MASK; @@ -57683,7 +57620,7 @@ index 78199eb..38c4c00 100644 } /* -@@ -2050,17 +2536,17 @@ static void wait_for_dump_helpers(struct file *file) +@@ -2050,17 +2537,17 @@ static void wait_for_dump_helpers(struct file *file) pipe = file->f_path.dentry->d_inode->i_pipe; pipe_lock(pipe); @@ -57706,7 +57643,7 @@ index 78199eb..38c4c00 100644 pipe_unlock(pipe); } -@@ -2121,7 +2607,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2121,7 +2608,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) int retval = 0; int flag = 0; int ispipe; 
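Review bot: `currentsp` in the fs/exec.c stack check is the address of the local `stackstart`, not the value `current_stack_pointer` supplied before, and the code does not say so. On a downward-growing stack (the case the `#ifndef CONFIG_STACK_GROWSUP` guard selects) the address of a local is never below the real stack pointer, so `currentsp < stackstart + 512` sees slightly more headroom than actually remains. That is probably acceptable for a 512-byte guard, but it should be stated, e.g. `/* approximate the stack pointer with the address of a local; it is never below the real SP */` above the assignment. The enclosing function begins and ends outside this hunk.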
@@ -57716,7 +57653,7 @@ index 78199eb..38c4c00 100644 struct coredump_params cprm = { .signr = signr, .regs = regs, -@@ -2136,6 +2623,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2136,6 +2624,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) audit_core_dumps(signr); @@ -57726,7 +57663,7 @@ index 78199eb..38c4c00 100644 binfmt = mm->binfmt; if (!binfmt || !binfmt->core_dump) goto fail; -@@ -2146,14 +2636,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2146,14 +2637,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) if (!cred) goto fail; /* @@ -57747,7 +57684,7 @@ index 78199eb..38c4c00 100644 } retval = coredump_wait(exit_code, &core_state); -@@ -2203,7 +2695,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2203,7 +2696,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) } cprm.limit = RLIM_INFINITY; @@ -57756,7 +57693,7 @@ index 78199eb..38c4c00 100644 if (core_pipe_limit && (core_pipe_limit < dump_count)) { printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", task_tgid_vnr(current), current->comm); -@@ -2230,9 +2722,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2230,9 +2723,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) } else { struct inode *inode; @@ -57776,7 +57713,7 @@ index 78199eb..38c4c00 100644 cprm.file = filp_open(cn.corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, 0600); -@@ -2273,7 +2775,7 @@ close_fail: +@@ -2273,7 +2776,7 @@ close_fail: filp_close(cprm.file, NULL); fail_dropcount: if (ispipe) @@ -57785,7 +57722,7 @@ index 78199eb..38c4c00 100644 fail_unlock: kfree(cn.corename); fail_corename: -@@ -2292,7 +2794,7 @@ fail: +@@ -2292,7 +2795,7 @@ fail: */ int dump_write(struct file *file, const void *addr, int nr) { @@ -61915,7 +61852,7 @@ index 8ca88fc..d1f8b8a 100644 /* 
diff --git a/fs/posix_acl.c b/fs/posix_acl.c -index cea4623..c19c78b 100644 +index 6c70ab2..54c5656 100644 --- a/fs/posix_acl.c +++ b/fs/posix_acl.c @@ -19,6 +19,7 @@ @@ -61926,7 +61863,7 @@ index cea4623..c19c78b 100644 #include <linux/errno.h> -@@ -180,7 +181,7 @@ posix_acl_equiv_mode(const struct posix_acl *acl, umode_t *mode_p) +@@ -186,7 +187,7 @@ posix_acl_equiv_mode(const struct posix_acl *acl, umode_t *mode_p) } } if (mode_p) @@ -61935,7 +61872,7 @@ index cea4623..c19c78b 100644 return not_equiv; } -@@ -331,7 +332,7 @@ static int posix_acl_create_masq(struct posix_acl *acl, umode_t *mode_p) +@@ -337,7 +338,7 @@ static int posix_acl_create_masq(struct posix_acl *acl, umode_t *mode_p) mode &= (group_obj->e_perm << 3) | ~S_IRWXG; } @@ -61944,7 +61881,7 @@ index cea4623..c19c78b 100644 return not_equiv; } -@@ -389,6 +390,8 @@ posix_acl_create(struct posix_acl **acl, gfp_t gfp, umode_t *mode_p) +@@ -395,6 +396,8 @@ posix_acl_create(struct posix_acl **acl, gfp_t gfp, umode_t *mode_p) struct posix_acl *clone = posix_acl_clone(*acl, gfp); int err = -ENOMEM; if (clone) { @@ -79862,10 +79799,10 @@ index f66b065..c2c29b4 100644 int kobj_ns_type_register(const struct kobj_ns_type_operations *ops); int kobj_ns_type_registered(enum kobj_ns_type type); diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h -index e6796c1..350d338 100644 +index f93d8c1..71244f6 100644 --- a/include/linux/kvm_host.h +++ b/include/linux/kvm_host.h -@@ -308,7 +308,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vcpu); +@@ -307,7 +307,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vcpu); void vcpu_load(struct kvm_vcpu *vcpu); void vcpu_put(struct kvm_vcpu *vcpu); 
@@ -79874,7 +79811,7 @@ index e6796c1..350d338 100644 struct module *module); void kvm_exit(void); -@@ -454,7 +454,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(struct kvm_vcpu *vcpu, +@@ -453,7 +453,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(struct kvm_vcpu *vcpu, struct kvm_guest_debug *dbg); int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run); @@ -82099,7 +82036,7 @@ index 92808b8..c28cac4 100644 /* shm_mode upper byte flags */ diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h -index 13bd6d0..fbdc193 100644 +index c445e52..4271349 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -538,7 +538,7 @@ extern void consume_skb(struct sk_buff *skb); @@ -82111,7 +82048,7 @@ index 13bd6d0..fbdc193 100644 gfp_t priority) { return __alloc_skb(size, priority, 0, NUMA_NO_NODE); -@@ -640,7 +640,7 @@ static inline struct skb_shared_hwtstamps *skb_hwtstamps(struct sk_buff *skb) +@@ -650,7 +650,7 @@ static inline struct skb_shared_hwtstamps *skb_hwtstamps(struct sk_buff *skb) */ static inline int skb_queue_empty(const struct sk_buff_head *list) { @@ -82120,7 +82057,7 @@ index 13bd6d0..fbdc193 100644 } /** -@@ -653,7 +653,7 @@ static inline int skb_queue_empty(const struct sk_buff_head *list) +@@ -663,7 +663,7 @@ static inline int skb_queue_empty(const struct sk_buff_head *list) static inline bool skb_queue_is_last(const struct sk_buff_head *list, const struct sk_buff *skb) { @@ -82129,7 +82066,7 @@ index 13bd6d0..fbdc193 100644 } /** -@@ -666,7 +666,7 @@ static inline bool skb_queue_is_last(const struct sk_buff_head *list, +@@ -676,7 +676,7 @@ static inline bool skb_queue_is_last(const struct sk_buff_head *list, static inline bool skb_queue_is_first(const struct sk_buff_head *list, const struct sk_buff *skb) { 
@@ -82138,7 +82075,7 @@ index 13bd6d0..fbdc193 100644 } /** -@@ -1506,7 +1506,7 @@ static inline u32 skb_network_header_len(const struct sk_buff *skb) +@@ -1516,7 +1516,7 @@ static inline u32 skb_network_header_len(const struct sk_buff *skb) return skb->transport_header - skb->network_header; } @@ -82147,7 +82084,7 @@ index 13bd6d0..fbdc193 100644 { return skb_network_header(skb) - skb->data; } -@@ -1561,7 +1561,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len) +@@ -1571,7 +1571,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len) * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8) */ #ifndef NET_SKB_PAD @@ -82156,7 +82093,7 @@ index 13bd6d0..fbdc193 100644 #endif extern int ___pskb_trim(struct sk_buff *skb, unsigned int len); -@@ -2100,7 +2100,7 @@ extern struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags, +@@ -2110,7 +2110,7 @@ extern struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags, int noblock, int *err); extern unsigned int datagram_poll(struct file *file, struct socket *sock, struct poll_table_struct *wait); @@ -82165,7 +82102,7 @@ index 13bd6d0..fbdc193 100644 int offset, struct iovec *to, int size); extern int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb, -@@ -2382,6 +2382,9 @@ static inline void nf_reset(struct sk_buff *skb) +@@ -2392,6 +2392,9 @@ static inline void nf_reset(struct sk_buff *skb) nf_bridge_put(skb->nf_bridge); skb->nf_bridge = NULL; #endif @@ -85538,7 +85475,7 @@ index e14bc74..bdf7f6c 100644 if (!ab) return; diff --git a/kernel/auditsc.c b/kernel/auditsc.c -index aeac7cc..9fafcac 100644 +index aeac7cc..08ff2b8 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -67,6 +67,7 @@ 
@@ -85549,7 +85486,61 @@ index aeac7cc..9fafcac 100644 #include "audit.h" -@@ -1166,8 +1167,8 @@ static void audit_log_execve_info(struct audit_context *context, +@@ -688,6 +689,22 @@ static enum audit_state audit_filter_task(struct task_struct *tsk, char **key) + return AUDIT_BUILD_CONTEXT; + } + ++static int audit_in_mask(const struct audit_krule *rule, unsigned long val) ++{ ++ int word, bit; ++ ++ if (val > 0xffffffff) ++ return false; ++ ++ word = AUDIT_WORD(val); ++ if (word >= AUDIT_BITMASK_SIZE) ++ return false; ++ ++ bit = AUDIT_BIT(val); ++ ++ return rule->mask[word] & bit; ++} ++ + /* At syscall entry and exit time, this filter is called if the + * audit_state is not low enough that auditing cannot take place, but is + * also not high enough that we already know we have to write an audit +@@ -705,11 +722,8 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk, + + rcu_read_lock(); + if (!list_empty(list)) { +- int word = AUDIT_WORD(ctx->major); +- int bit = AUDIT_BIT(ctx->major); +- + list_for_each_entry_rcu(e, list, list) { +- if ((e->rule.mask[word] & bit) == bit && ++ if (audit_in_mask(&e->rule, ctx->major) && + audit_filter_rules(tsk, &e->rule, ctx, NULL, + &state, false)) { + rcu_read_unlock(); +@@ -738,8 +752,6 @@ void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx) + + rcu_read_lock(); + for (i = 0; i < ctx->name_count; i++) { +- int word = AUDIT_WORD(ctx->major); +- int bit = AUDIT_BIT(ctx->major); + struct audit_names *n = &ctx->names[i]; + int h = audit_hash_ino((u32)n->ino); + struct list_head *list = &audit_inode_hash[h]; +@@ -748,7 +760,7 @@ void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx) + continue; + + list_for_each_entry_rcu(e, list, list) { +- if ((e->rule.mask[word] & bit) == bit && ++ if (audit_in_mask(&e->rule, ctx->major) && + audit_filter_rules(tsk, &e->rule, ctx, n, + &state, false)) { + rcu_read_unlock(); +@@ -1166,8 +1178,8 @@ static void 
audit_log_execve_info(struct audit_context *context, struct audit_buffer **ab, struct audit_aux_data_execve *axi) { @@ -85560,7 +85551,7 @@ index aeac7cc..9fafcac 100644 const char __user *p; char *buf; -@@ -2118,7 +2119,7 @@ int auditsc_get_stamp(struct audit_context *ctx, +@@ -2118,7 +2130,7 @@ int auditsc_get_stamp(struct audit_context *ctx, } /* global counter which is incremented every time something logs in */ @@ -85569,7 +85560,7 @@ index aeac7cc..9fafcac 100644 /** * audit_set_loginuid - set a task's audit_context loginuid -@@ -2129,9 +2130,9 @@ static atomic_t session_id = ATOMIC_INIT(0); +@@ -2129,9 +2141,9 @@ static atomic_t session_id = ATOMIC_INIT(0); * * Called (set) from fs/proc/base.c::proc_loginuid_write(). */ @@ -85581,7 +85572,7 @@ index aeac7cc..9fafcac 100644 struct audit_context *context = task->audit_context; if (context && context->in_syscall) { -@@ -2499,46 +2500,59 @@ void __audit_mmap_fd(int fd, int flags) +@@ -2499,46 +2511,59 @@ void __audit_mmap_fd(int fd, int flags) context->type = AUDIT_MMAP; } @@ -86164,7 +86155,7 @@ index 63786e7..0780cac 100644 #ifdef CONFIG_MODULE_UNLOAD { diff --git a/kernel/events/core.c b/kernel/events/core.c -index b15b4f7..dc15ea9 100644 +index 1d1edcb..1820ae1 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -145,8 +145,15 @@ static struct srcu_struct pmus_srcu; @@ -86256,7 +86247,7 @@ index b15b4f7..dc15ea9 100644 if (IS_ERR(name)) { name = strncpy(tmp, "//toolong", sizeof(tmp)); goto got_name; -@@ -6043,7 +6050,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, +@@ -6052,7 +6059,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, event->parent = parent_event; event->ns = get_pid_ns(current->nsproxy->pid_ns); @@ -86265,7 +86256,7 @@ index b15b4f7..dc15ea9 100644 event->state = PERF_EVENT_STATE_INACTIVE; -@@ -6289,6 +6296,11 @@ SYSCALL_DEFINE5(perf_event_open, +@@ -6298,6 +6305,11 @@ SYSCALL_DEFINE5(perf_event_open, if (flags & ~PERF_FLAG_ALL) return -EINVAL; 
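Review bot: `audit_in_mask()` in the kernel/auditsc.c hunk is a predicate declared `int` that returns `false` on the rejected paths and the raw `rule->mask[word] & bit` otherwise; declaring it `static bool audit_in_mask(...)` would make the returns consistent. The helper also lacks a comment on why the range checks exist: both callers used to compute `AUDIT_WORD(ctx->major)` and index `mask[]` with no bound, and the new `word >= AUDIT_BITMASK_SIZE` test is what keeps that index inside the array. A line such as `/* out-of-range val never matches, so mask[] is not read past AUDIT_BITMASK_SIZE */` above the checks would record that. The replaced test was `(e->rule.mask[word] & bit) == bit`; the new truthiness test is equivalent only while `AUDIT_BIT()` yields a single bit, which appears to be the case.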
@@ -86277,7 +86268,7 @@ index b15b4f7..dc15ea9 100644 err = perf_copy_attr(attr_uptr, &attr); if (err) return err; -@@ -6584,10 +6596,10 @@ static void sync_child_event(struct perf_event *child_event, +@@ -6596,10 +6608,10 @@ static void sync_child_event(struct perf_event *child_event, /* * Add back the child's count to the parent's count: */ @@ -86889,7 +86880,7 @@ index ce0c182..b8e5b18 100644 else new_fs = fs; diff --git a/kernel/futex.c b/kernel/futex.c -index 8888815..36459d8 100644 +index 1bb37d0..14278a3 100644 --- a/kernel/futex.c +++ b/kernel/futex.c @@ -54,6 +54,7 @@ 
@@ -86939,326 +86930,7 @@ index 8888815..36459d8 100644 pagefault_disable(); ret = __copy_from_user_inatomic(dest, from, sizeof(u32)); -@@ -588,6 +594,55 @@ void exit_pi_state_list(struct task_struct *curr) - raw_spin_unlock_irq(&curr->pi_lock); - } - -+/* -+ * We need to check the following states: -+ * -+ * Waiter | pi_state | pi->owner | uTID | uODIED | ? -+ * -+ * [1] NULL | --- | --- | 0 | 0/1 | Valid -+ * [2] NULL | --- | --- | >0 | 0/1 | Valid -+ * -+ * [3] Found | NULL | -- | Any | 0/1 | Invalid -+ * -+ * [4] Found | Found | NULL | 0 | 1 | Valid -+ * [5] Found | Found | NULL | >0 | 1 | Invalid -+ * -+ * [6] Found | Found | task | 0 | 1 | Valid -+ * -+ * [7] Found | Found | NULL | Any | 0 | Invalid -+ * -+ * [8] Found | Found | task | ==taskTID | 0/1 | Valid -+ * [9] Found | Found | task | 0 | 0 | Invalid -+ * [10] Found | Found | task | !=taskTID | 0/1 | Invalid -+ * -+ * [1] Indicates that the kernel can acquire the futex atomically. We -+ * came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit. -+ * -+ * [2] Valid, if TID does not belong to a kernel thread. If no matching -+ * thread is found then it indicates that the owner TID has died. -+ * -+ * [3] Invalid. The waiter is queued on a non PI futex -+ * -+ * [4] Valid state after exit_robust_list(), which sets the user space -+ * value to FUTEX_WAITERS | FUTEX_OWNER_DIED. -+ * -+ * [5] The user space value got manipulated between exit_robust_list() -+ * and exit_pi_state_list() -+ * -+ * [6] Valid state after exit_pi_state_list() which sets the new owner in -+ * the pi_state but cannot access the user space value. -+ * -+ * [7] pi_state->owner can only be NULL when the OWNER_DIED bit is set. -+ * -+ * [8] Owner and user space value match -+ * -+ * [9] There is no transient state which sets the user space TID to 0 -+ * except exit_robust_list(), but this is indicated by the -+ * FUTEX_OWNER_DIED bit. 
See [4] -+ * -+ * [10] There is no transient state which leaves owner and user space -+ * TID out of sync. -+ */ - static int - lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, - union futex_key *key, struct futex_pi_state **ps) -@@ -603,12 +658,13 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, - plist_for_each_entry_safe(this, next, head, list) { - if (match_futex(&this->key, key)) { - /* -- * Another waiter already exists - bump up -- * the refcount and return its pi_state: -+ * Sanity check the waiter before increasing -+ * the refcount and attaching to it. - */ - pi_state = this->pi_state; - /* -- * Userspace might have messed up non-PI and PI futexes -+ * Userspace might have messed up non-PI and -+ * PI futexes [3] - */ - if (unlikely(!pi_state)) - return -EINVAL; -@@ -616,34 +672,70 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, - WARN_ON(!atomic_read(&pi_state->refcount)); - - /* -- * When pi_state->owner is NULL then the owner died -- * and another waiter is on the fly. pi_state->owner -- * is fixed up by the task which acquires -- * pi_state->rt_mutex. -- * -- * We do not check for pid == 0 which can happen when -- * the owner died and robust_list_exit() cleared the -- * TID. -+ * Handle the owner died case: - */ -- if (pid && pi_state->owner) { -+ if (uval & FUTEX_OWNER_DIED) { - /* -- * Bail out if user space manipulated the -- * futex value. -+ * exit_pi_state_list sets owner to NULL and -+ * wakes the topmost waiter. The task which -+ * acquires the pi_state->rt_mutex will fixup -+ * owner. - */ -- if (pid != task_pid_vnr(pi_state->owner)) -+ if (!pi_state->owner) { -+ /* -+ * No pi state owner, but the user -+ * space TID is not 0. Inconsistent -+ * state. [5] -+ */ -+ if (pid) -+ return -EINVAL; -+ /* -+ * Take a ref on the state and -+ * return. 
[4] -+ */ -+ goto out_state; -+ } -+ -+ /* -+ * If TID is 0, then either the dying owner -+ * has not yet executed exit_pi_state_list() -+ * or some waiter acquired the rtmutex in the -+ * pi state, but did not yet fixup the TID in -+ * user space. -+ * -+ * Take a ref on the state and return. [6] -+ */ -+ if (!pid) -+ goto out_state; -+ } else { -+ /* -+ * If the owner died bit is not set, -+ * then the pi_state must have an -+ * owner. [7] -+ */ -+ if (!pi_state->owner) - return -EINVAL; - } - -+ /* -+ * Bail out if user space manipulated the -+ * futex value. If pi state exists then the -+ * owner TID must be the same as the user -+ * space TID. [9/10] -+ */ -+ if (pid != task_pid_vnr(pi_state->owner)) -+ return -EINVAL; -+ -+ out_state: - atomic_inc(&pi_state->refcount); - *ps = pi_state; -- - return 0; - } - } - - /* - * We are the first waiter - try to look up the real owner and attach -- * the new pi_state to it, but bail out when TID = 0 -+ * the new pi_state to it, but bail out when TID = 0 [1] - */ - if (!pid) - return -ESRCH; -@@ -651,6 +743,11 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, - if (!p) - return -ESRCH; - -+ if (!p->mm) { -+ put_task_struct(p); -+ return -EPERM; -+ } -+ - /* - * We need to look at the task state flags to figure out, - * whether the task is exiting. To protect against the do_exit -@@ -671,6 +768,9 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, - return ret; - } - -+ /* -+ * No existing pi state. First waiter. [2] -+ */ - pi_state = alloc_pi_state(); - - /* -@@ -742,10 +842,18 @@ retry: - return -EDEADLK; - - /* -- * Surprise - we got the lock. Just return to userspace: -+ * Surprise - we got the lock, but we do not trust user space at all. - */ -- if (unlikely(!curval)) -- return 1; -+ if (unlikely(!curval)) { -+ /* -+ * We verify whether there is kernel state for this -+ * futex. If not, we can safely assume, that the 0 -> -+ * TID transition is correct. 
If state exists, we do -+ * not bother to fixup the user space state as it was -+ * corrupted already. -+ */ -+ return futex_top_waiter(hb, key) ? -EINVAL : 1; -+ } - - uval = curval; - -@@ -875,6 +983,7 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this) - struct task_struct *new_owner; - struct futex_pi_state *pi_state = this->pi_state; - u32 uninitialized_var(curval), newval; -+ int ret = 0; - - if (!pi_state) - return -EINVAL; -@@ -898,23 +1007,19 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this) - new_owner = this->task; - - /* -- * We pass it to the next owner. (The WAITERS bit is always -- * kept enabled while there is PI state around. We must also -- * preserve the owner died bit.) -+ * We pass it to the next owner. The WAITERS bit is always -+ * kept enabled while there is PI state around. We cleanup the -+ * owner died bit, because we are the owner. - */ -- if (!(uval & FUTEX_OWNER_DIED)) { -- int ret = 0; -+ newval = FUTEX_WAITERS | task_pid_vnr(new_owner); - -- newval = FUTEX_WAITERS | task_pid_vnr(new_owner); -- -- if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) -- ret = -EFAULT; -- else if (curval != uval) -- ret = -EINVAL; -- if (ret) { -- raw_spin_unlock(&pi_state->pi_mutex.wait_lock); -- return ret; -- } -+ if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) -+ ret = -EFAULT; -+ else if (curval != uval) -+ ret = -EINVAL; -+ if (ret) { -+ raw_spin_unlock(&pi_state->pi_mutex.wait_lock); -+ return ret; - } - - raw_spin_lock_irq(&pi_state->owner->pi_lock); -@@ -1272,6 +1377,13 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags, - - if (requeue_pi) { - /* -+ * Requeue PI only works on two distinct uaddrs. This -+ * check is only valid for private futexes. See below. -+ */ -+ if (uaddr1 == uaddr2) -+ return -EINVAL; -+ -+ /* - * requeue_pi requires a pi_state, try to allocate it now - * without any locks in case it fails. 
- */ -@@ -1309,6 +1421,15 @@ retry: - if (unlikely(ret != 0)) - goto out_put_key1; - -+ /* -+ * The check above which compares uaddrs is not sufficient for -+ * shared futexes. We need to compare the keys: -+ */ -+ if (requeue_pi && match_futex(&key1, &key2)) { -+ ret = -EINVAL; -+ goto out_put_keys; -+ } -+ - hb1 = hash_futex(&key1); - hb2 = hash_futex(&key2); - -@@ -2133,9 +2254,10 @@ retry: - /* - * To avoid races, try to do the TID -> 0 atomic transition - * again. If it succeeds then we can return without waking -- * anyone else up: -+ * anyone else up. We only try this if neither the waiters nor -+ * the owner died bit are set. - */ -- if (!(uval & FUTEX_OWNER_DIED) && -+ if (!(uval & ~FUTEX_TID_MASK) && - cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0)) - goto pi_faulted; - /* -@@ -2167,11 +2289,9 @@ retry: - /* - * No waiters - kernel unlocks the futex: - */ -- if (!(uval & FUTEX_OWNER_DIED)) { -- ret = unlock_futex_pi(uaddr, uval); -- if (ret == -EFAULT) -- goto pi_faulted; -- } -+ ret = unlock_futex_pi(uaddr, uval); -+ if (ret == -EFAULT) -+ goto pi_faulted; - - out_unlock: - spin_unlock(&hb->lock); -@@ -2331,6 +2451,15 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags, - if (ret) - goto out_key2; - -+ /* -+ * The check above which compares uaddrs is not sufficient for -+ * shared futexes. We need to compare the keys: -+ */ -+ if (match_futex(&q.key, &key2)) { -+ ret = -EINVAL; -+ goto out_put_keys; -+ } -+ - /* Queue the futex_q, drop the hb lock, wait for wakeup. */ - futex_wait_queue_me(hb, &q, to); - -@@ -2744,6 +2873,7 @@ static int __init futex_init(void) +@@ -2877,6 +2883,7 @@ static int __init futex_init(void) { u32 curval; int i; 
@@ -87266,7 +86938,7 @@ index 8888815..36459d8 100644 /* * This will fail and we want it. Some arch implementations do -@@ -2755,8 +2885,11 @@ static int __init futex_init(void) +@@ -2888,8 +2895,11 @@ static int __init futex_init(void) * implementation, the non-functional ones will return * -ENOSYS. */ @@ -87317,10 +86989,10 @@ index 9b22d03..6295b62 100644 prev->next = info->next; else diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c -index 60f7e32..d703ad4 100644 +index 20e88af..ec1b0d2 100644 --- a/kernel/hrtimer.c +++ b/kernel/hrtimer.c -@@ -1414,7 +1414,7 @@ void hrtimer_peek_ahead_timers(void) +@@ -1436,7 +1436,7 @@ void hrtimer_peek_ahead_timers(void) local_irq_restore(flags); } @@ -87329,7 +87001,7 @@ index 60f7e32..d703ad4 100644 { struct hrtimer_cpu_base *cpu_base = &__get_cpu_var(hrtimer_bases); -@@ -1756,7 +1756,7 @@ static int __cpuinit hrtimer_cpu_notify(struct notifier_block *self, +@@ -1778,7 +1778,7 @@ static int __cpuinit hrtimer_cpu_notify(struct notifier_block *self, return NOTIFY_OK; } @@ -87914,7 +87586,7 @@ index 91c32a0..7b88d63 100644 seq_printf(m, "%40s %14lu %29s %pS\n", name, stats->contending_point[i], diff --git a/kernel/module.c b/kernel/module.c -index 65362d9..4226e37 100644 +index 95ecd9f..dfa3a9b 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -58,6 +58,7 @@ @@ -88584,7 +88256,7 @@ index 65362d9..4226e37 100644 /* Mark state as coming so strong_try_module_get() ignores us. */ mod->state = MODULE_STATE_COMING; -@@ -2926,11 +3072,10 @@ static struct module *load_module(void __user *umod, +@@ -2929,11 +3075,10 @@ static struct module *load_module(void __user *umod, unlock: mutex_unlock(&module_mutex); synchronize_sched(); 
@@ -88597,7 +88269,7 @@ index 65362d9..4226e37 100644 free_unload: module_unload_free(mod); free_module: -@@ -2971,16 +3116,16 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, +@@ -2974,16 +3119,16 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, MODULE_STATE_COMING, mod); /* Set RO and NX regions for core */ @@ -88622,7 +88294,7 @@ index 65362d9..4226e37 100644 do_mod_ctors(mod); /* Start the module */ -@@ -3026,11 +3171,12 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, +@@ -3029,11 +3174,12 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, mod->strtab = mod->core_strtab; #endif unset_module_init_ro_nx(mod); @@ -88640,7 +88312,7 @@ index 65362d9..4226e37 100644 mutex_unlock(&module_mutex); return 0; -@@ -3061,10 +3207,16 @@ static const char *get_ksymbol(struct module *mod, +@@ -3064,10 +3210,16 @@ static const char *get_ksymbol(struct module *mod, unsigned long nextval; /* At worse, next value is at end of module */ @@ -88660,7 +88332,7 @@ index 65362d9..4226e37 100644 /* Scan for closest preceding symbol, and next symbol. (ELF starts real symbols at 1). */ -@@ -3312,7 +3464,7 @@ static int m_show(struct seq_file *m, void *p) +@@ -3315,7 +3467,7 @@ static int m_show(struct seq_file *m, void *p) char buf[8]; seq_printf(m, "%s %u", @@ -88669,7 +88341,7 @@ index 65362d9..4226e37 100644 print_unload_info(m, mod); /* Informative for users. */ -@@ -3321,7 +3473,7 @@ static int m_show(struct seq_file *m, void *p) +@@ -3324,7 +3476,7 @@ static int m_show(struct seq_file *m, void *p) mod->state == MODULE_STATE_COMING ? "Loading": "Live"); /* Used by oprofile and other similar tools. */ @@ -88678,7 +88350,7 @@ index 65362d9..4226e37 100644 /* Taints info */ if (mod->taints) -@@ -3357,7 +3509,17 @@ static const struct file_operations proc_modules_operations = { +@@ -3360,7 +3512,17 @@ static const struct file_operations proc_modules_operations = { static int __init proc_modules_init(void) { 
@@ -88696,7 +88368,7 @@ index 65362d9..4226e37 100644 return 0; } module_init(proc_modules_init); -@@ -3416,12 +3578,12 @@ struct module *__module_address(unsigned long addr) +@@ -3419,12 +3581,12 @@ struct module *__module_address(unsigned long addr) { struct module *mod; @@ -88712,7 +88384,7 @@ index 65362d9..4226e37 100644 return mod; return NULL; } -@@ -3455,11 +3617,20 @@ bool is_module_text_address(unsigned long addr) +@@ -3458,11 +3620,20 @@ bool is_module_text_address(unsigned long addr) */ struct module *__module_text_address(unsigned long addr) { @@ -91855,7 +91527,7 @@ index 0b537f2..40d6c20 100644 return -ENOMEM; return 0; diff --git a/kernel/timer.c b/kernel/timer.c -index f8b05a4..ece06b3 100644 +index 349953e..6262b04 100644 --- a/kernel/timer.c +++ b/kernel/timer.c @@ -1308,7 +1308,7 @@ void update_process_times(int user_tick) @@ -91917,7 +91589,7 @@ index 92cac05..89f0de9 100644 ret = -EIO; bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt, diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c -index a65fa36..ca1b827 100644 +index dcbafed..9feb3de 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -1610,12 +1610,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec) @@ -91949,7 +91621,7 @@ index a65fa36..ca1b827 100644 { struct ftrace_func_probe *entry; struct ftrace_page *pg; -@@ -4064,8 +4069,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write, +@@ -4045,8 +4050,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write, #ifdef CONFIG_FUNCTION_GRAPH_TRACER static int ftrace_graph_active; @@ -91958,7 +91630,7 @@ index a65fa36..ca1b827 100644 int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace) { return 0; -@@ -4210,6 +4213,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state, +@@ -4191,6 +4194,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state, return NOTIFY_DONE; } 
@@ -91969,7 +91641,7 @@ index a65fa36..ca1b827 100644 /* Just a place holder for function graph */ static struct ftrace_ops fgraph_ops __read_mostly = { .func = ftrace_stub, -@@ -4253,7 +4260,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc, +@@ -4234,7 +4241,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc, goto out; } @@ -94203,7 +93875,7 @@ index 23d3a6b..e10d35a 100644 if (end == start) goto out; diff --git a/mm/memory-failure.c b/mm/memory-failure.c -index 96c4bcf..436254e 100644 +index 51901b1..79af2f4 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -61,7 +61,7 @@ int sysctl_memory_failure_early_kill __read_mostly = 0; @@ -94242,16 +93914,24 @@ index 96c4bcf..436254e 100644 /* * We need/can do nothing about count=0 pages. -@@ -1040,7 +1040,7 @@ int __memory_failure(unsigned long pfn, int trapno, int flags) - if (!PageHWPoison(hpage) - || (hwpoison_filter(p) && TestClearPageHWPoison(p)) - || (p != hpage && TestSetPageHWPoison(hpage))) { -- atomic_long_sub(nr_pages, &mce_bad_pages); -+ atomic_long_sub_unchecked(nr_pages, &mce_bad_pages); - return 0; - } - set_page_hwpoison_huge_page(hpage); -@@ -1098,7 +1098,7 @@ int __memory_failure(unsigned long pfn, int trapno, int flags) +@@ -1039,7 +1039,7 @@ int __memory_failure(unsigned long pfn, int trapno, int flags) + if (PageHWPoison(hpage)) { + if ((hwpoison_filter(p) && TestClearPageHWPoison(p)) + || (p != hpage && TestSetPageHWPoison(hpage))) { +- atomic_long_sub(nr_pages, &mce_bad_pages); ++ atomic_long_sub_unchecked(nr_pages, &mce_bad_pages); + unlock_page(hpage); + return 0; + } +@@ -1094,14 +1094,14 @@ int __memory_failure(unsigned long pfn, int trapno, int flags) + */ + if (!PageHWPoison(p)) { + printk(KERN_ERR "MCE %#lx: just unpoisoned\n", pfn); +- atomic_long_sub(nr_pages, &mce_bad_pages); ++ atomic_long_sub_unchecked(nr_pages, &mce_bad_pages); + put_page(hpage); + res = 0; + goto out; } if (hwpoison_filter(p)) { if (TestClearPageHWPoison(p)) 
@@ -94260,7 +93940,7 @@ index 96c4bcf..436254e 100644 unlock_page(hpage); put_page(hpage); return 0; -@@ -1315,7 +1315,7 @@ int unpoison_memory(unsigned long pfn) +@@ -1318,7 +1318,7 @@ int unpoison_memory(unsigned long pfn) return 0; } if (TestClearPageHWPoison(p)) @@ -94269,7 +93949,7 @@ index 96c4bcf..436254e 100644 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn); return 0; } -@@ -1329,7 +1329,7 @@ int unpoison_memory(unsigned long pfn) +@@ -1332,7 +1332,7 @@ int unpoison_memory(unsigned long pfn) */ if (TestClearPageHWPoison(page)) { pr_info("MCE: Software-unpoisoned page %#lx\n", pfn); @@ -94278,7 +93958,7 @@ index 96c4bcf..436254e 100644 freeit = 1; if (PageHuge(page)) clear_page_hwpoison_huge_page(page); -@@ -1444,13 +1444,13 @@ done: +@@ -1447,13 +1447,13 @@ done: /* overcommit hugetlb page will be freed to buddy */ if (PageHuge(hpage)) { if (!PageHWPoison(hpage)) @@ -94294,7 +93974,7 @@ index 96c4bcf..436254e 100644 } /* keep elevated page count for bad page */ -@@ -1589,7 +1589,7 @@ int soft_offline_page(struct page *page, int flags) +@@ -1592,7 +1592,7 @@ int soft_offline_page(struct page *page, int flags) return ret; done: @@ -97156,7 +96836,7 @@ index 1db7971..5dba7b6 100644 struct mm_struct *mm; diff --git a/mm/page-writeback.c b/mm/page-writeback.c -index b5cd796..9e4ec7c 100644 +index d2ac057..aa60e8c 100644 --- a/mm/page-writeback.c +++ b/mm/page-writeback.c @@ -522,7 +522,7 @@ unsigned long bdi_dirty_limit(struct backing_dev_info *bdi, unsigned long dirty) @@ -97374,7 +97054,7 @@ index cbcbb02..dfdc1de 100644 pgoff_t offset, unsigned long max) { diff --git a/mm/rmap.c b/mm/rmap.c -index 9ac405b..921d11e 100644 +index 9ac405b..66771e2 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -153,6 +153,10 @@ int anon_vma_prepare(struct vm_area_struct *vma) 
@@ -97479,6 +97159,18 @@ index 9ac405b..921d11e 100644 } /* +@@ -1669,10 +1708,9 @@ void __put_anon_vma(struct anon_vma *anon_vma) + { + struct anon_vma *root = anon_vma->root; + ++ anon_vma_free(anon_vma); + if (root != anon_vma && atomic_dec_and_test(&root->refcount)) + anon_vma_free(root); +- +- anon_vma_free(anon_vma); + } + + #ifdef CONFIG_MIGRATION diff --git a/mm/shmem.c b/mm/shmem.c index a78acf0..a31df98 100644 --- a/mm/shmem.c @@ -99444,7 +99136,7 @@ index 9b67f3d..f6d7e5c 100644 +bluetooth-$(CONFIG_BT_L2CAP) += l2cap_core.o l2cap_sock.o bluetooth-$(CONFIG_BT_SCO) += sco.o diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c -index aa12649..a22d595 100644 +index 4d99d42..cabd9b1a 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -235,7 +235,7 @@ void hci_le_ltk_reply(struct hci_conn *conn, u8 ltk[16]) @@ -99630,10 +99322,10 @@ index 5449294..c1d8d99 100644 if (skb_copy_bits(skb, -ETH_HLEN, pm->data, copy_len) < 0) BUG(); diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c -index 5864cc4..6ddb362 100644 +index 45f93f8..550f429 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c -@@ -1513,7 +1513,7 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) +@@ -1512,7 +1512,7 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) tmp.valid_hooks = t->table->valid_hooks; } mutex_unlock(&ebt_mutex); @@ -99642,7 +99334,7 @@ index 5864cc4..6ddb362 100644 BUGPRINT("c2u Didn't work\n"); ret = -EFAULT; break; -@@ -2323,7 +2323,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd, +@@ -2322,7 +2322,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd, goto out; tmp.valid_hooks = t->valid_hooks; 
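Review bot: In the new `__put_anon_vma` hunk for mm/rmap.c, `anon_vma_free(anon_vma)` is moved ahead of the root refcount drop with no comment explaining why the order matters. Presumably the child's free path still dereferences `anon_vma->root`, which the old order could release first through `anon_vma_free(root)`; `anon_vma_free` itself is not visible in this hunk, so that should be confirmed against the full file. Without a comment, a later cleanup could move the call back to the end of the function and reintroduce the problem. I would add `/* Free the child first: its teardown may still look at root, which the dec-and-test below can release. */` directly above the moved call.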
@@ -99651,7 +99343,7 @@ index 5864cc4..6ddb362 100644 ret = -EFAULT; break; } -@@ -2334,7 +2334,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd, +@@ -2333,7 +2333,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd, tmp.entries_size = t->table->entries_size; tmp.valid_hooks = t->table->valid_hooks; @@ -100149,7 +99841,7 @@ index 68bbf9f..5ef0d12 100644 return err; diff --git a/net/core/dev.c b/net/core/dev.c -index 7bcf37d..3bb8e78 100644 +index 854da15..19d9b66 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -1142,10 +1142,14 @@ void dev_load(struct net *net, const char *name) @@ -100221,7 +99913,7 @@ index 7bcf37d..3bb8e78 100644 kfree_skb(skb); /* Jamal, now you will not able to escape explaining * me how you were going to use this. :-) -@@ -3907,7 +3911,7 @@ void netif_napi_del(struct napi_struct *napi) +@@ -3908,7 +3912,7 @@ void netif_napi_del(struct napi_struct *napi) } EXPORT_SYMBOL(netif_napi_del); @@ -100230,7 +99922,7 @@ index 7bcf37d..3bb8e78 100644 { struct softnet_data *sd = &__get_cpu_var(softnet_data); unsigned long time_limit = jiffies + 2; -@@ -4185,7 +4189,13 @@ static void dev_seq_printf_stats(struct seq_file *seq, struct net_device *dev) +@@ -4186,7 +4190,13 @@ static void dev_seq_printf_stats(struct seq_file *seq, struct net_device *dev) struct rtnl_link_stats64 temp; const struct rtnl_link_stats64 *stats = dev_get_stats(dev, &temp); @@ -100245,7 +99937,7 @@ index 7bcf37d..3bb8e78 100644 "%8llu %7llu %4llu %4llu %4llu %5llu %7llu %10llu\n", dev->name, stats->rx_bytes, stats->rx_packets, stats->rx_errors, -@@ -4260,7 +4270,7 @@ static int softnet_seq_show(struct seq_file *seq, void *v) +@@ -4261,7 +4271,7 @@ static int softnet_seq_show(struct seq_file *seq, void *v) return 0; } 
@@ -100254,7 +99946,7 @@ index 7bcf37d..3bb8e78 100644 .start = dev_seq_start, .next = dev_seq_next, .stop = dev_seq_stop, -@@ -4290,7 +4300,7 @@ static const struct seq_operations softnet_seq_ops = { +@@ -4291,7 +4301,7 @@ static const struct seq_operations softnet_seq_ops = { static int softnet_seq_open(struct inode *inode, struct file *file) { @@ -100263,7 +99955,7 @@ index 7bcf37d..3bb8e78 100644 } static const struct file_operations softnet_seq_fops = { -@@ -4377,8 +4387,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v) +@@ -4378,8 +4388,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v) else seq_printf(seq, "%04x", ntohs(pt->type)); @@ -100277,7 +99969,7 @@ index 7bcf37d..3bb8e78 100644 } return 0; -@@ -4440,7 +4455,7 @@ static void __net_exit dev_proc_net_exit(struct net *net) +@@ -4441,7 +4456,7 @@ static void __net_exit dev_proc_net_exit(struct net *net) proc_net_remove(net, "dev"); } @@ -100286,7 +99978,7 @@ index 7bcf37d..3bb8e78 100644 .init = dev_proc_net_init, .exit = dev_proc_net_exit, }; -@@ -5935,7 +5950,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, +@@ -5936,7 +5951,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, } else { netdev_stats_to_stats64(storage, &dev->stats); } @@ -100295,7 +99987,7 @@ index 7bcf37d..3bb8e78 100644 return storage; } EXPORT_SYMBOL(dev_get_stats); -@@ -6514,7 +6529,7 @@ static void __net_exit netdev_exit(struct net *net) +@@ -6515,7 +6530,7 @@ static void __net_exit netdev_exit(struct net *net) kfree(net->dev_index_head); } @@ -100304,7 +99996,7 @@ index 7bcf37d..3bb8e78 100644 .init = netdev_init, .exit = netdev_exit, }; -@@ -6576,7 +6591,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list) +@@ -6577,7 +6592,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list) rtnl_unlock(); } @@ -100369,7 +100061,7 @@ index 2367246..4a0a677 100644 ret = -EFAULT; goto out; 
diff --git a/net/core/filter.c b/net/core/filter.c -index 5dea452..b247b98 100644 +index 9c88080..403ac26c 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -39,6 +39,7 @@ @@ -100415,35 +100107,7 @@ index 5dea452..b247b98 100644 continue; case BPF_S_ANC_PROTOCOL: A = ntohs(skb->protocol); -@@ -320,6 +321,10 @@ load_b: - - if (skb_is_nonlinear(skb)) - return 0; -+ -+ if (skb->len < sizeof(struct nlattr)) -+ return 0; -+ - if (A > skb->len - sizeof(struct nlattr)) - return 0; - -@@ -336,11 +341,15 @@ load_b: - - if (skb_is_nonlinear(skb)) - return 0; -+ -+ if (skb->len < sizeof(struct nlattr)) -+ return 0; -+ - if (A > skb->len - sizeof(struct nlattr)) - return 0; - - nla = (struct nlattr *)&skb->data[A]; -- if (nla->nla_len > A - skb->len) -+ if (nla->nla_len > skb->len - A) - return 0; - - nla = nla_find_nested(nla, X); -@@ -350,10 +359,16 @@ load_b: +@@ -354,10 +355,16 @@ load_b: A = 0; continue; } @@ -100461,7 +100125,7 @@ index 5dea452..b247b98 100644 return 0; } } -@@ -376,7 +391,7 @@ static int check_load_and_stores(struct sock_filter *filter, int flen) +@@ -380,7 +387,7 @@ static int check_load_and_stores(struct sock_filter *filter, int flen) u16 *masks, memvalid = 0; /* one bit per cell, 16 cells */ int pc, ret = 0; @@ -100470,7 +100134,7 @@ index 5dea452..b247b98 100644 masks = kmalloc(flen * sizeof(*masks), GFP_KERNEL); if (!masks) return -ENOMEM; -@@ -490,6 +505,7 @@ int sk_chk_filter(struct sock_filter *filter, unsigned int flen) +@@ -494,6 +501,7 @@ int sk_chk_filter(struct sock_filter *filter, unsigned int flen) [BPF_JMP|BPF_JSET|BPF_X] = BPF_S_JMP_JSET_X, }; int pc; @@ -100478,7 +100142,7 @@ index 5dea452..b247b98 100644 if (flen == 0 || flen > BPF_MAXINSNS) return -EINVAL; -@@ -545,8 +561,10 @@ int sk_chk_filter(struct sock_filter *filter, unsigned int flen) +@@ -549,8 +557,10 @@ int sk_chk_filter(struct sock_filter *filter, unsigned int flen) case BPF_S_LD_W_ABS: case BPF_S_LD_H_ABS: case BPF_S_LD_B_ABS: 
@@ -100489,7 +100153,7 @@ index 5dea452..b247b98 100644 break switch (ftest->k) { ANCILLARY(PROTOCOL); -@@ -560,6 +578,10 @@ int sk_chk_filter(struct sock_filter *filter, unsigned int flen) +@@ -564,6 +574,10 @@ int sk_chk_filter(struct sock_filter *filter, unsigned int flen) ANCILLARY(RXHASH); ANCILLARY(CPU); } @@ -100650,7 +100314,7 @@ index 80aeac9..b08d0a8 100644 return -ENODEV; diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c -index 5b7d5f2..ecb9676 100644 +index 7beaf10..3c8226d 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -57,7 +57,7 @@ struct rtnl_link { @@ -100747,10 +100411,10 @@ index 925991a..209a505 100644 #ifdef CONFIG_INET static u32 seq_scale(u32 seq) diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index 8ac4a0f..4ca060b 100644 +index 9204d9b..e6427c1 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c -@@ -2874,13 +2874,15 @@ void __init skb_init(void) +@@ -2873,13 +2873,15 @@ void __init skb_init(void) skbuff_head_cache = kmem_cache_create("skbuff_head_cache", sizeof(struct sk_buff), 0, @@ -101245,7 +100909,7 @@ index 92fc5f6..b790d91 100644 break; case NETDEV_DOWN: diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c -index d01f9c6..284c56c 100644 +index 76da979..0e9428c 100644 --- a/net/ipv4/fib_semantics.c +++ b/net/ipv4/fib_semantics.c @@ -699,7 +699,7 @@ __be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh) @@ -101542,7 +101206,7 @@ index 140d377..69801fa 100644 ret = 0; if (sk == rtnl_dereference(mrt->mroute_sk)) { diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c -index fd7a3f6..21e76da 100644 +index bcb6e61..5c995cd 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c @@ -880,14 +880,14 @@ static int compat_table_info(const struct xt_table_info *info, 
@@ -101572,7 +101236,7 @@ index fd7a3f6..21e76da 100644 ret = -EFAULT; else ret = 0; -@@ -1683,7 +1683,7 @@ static int compat_do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, +@@ -1685,7 +1685,7 @@ static int compat_do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, switch (cmd) { case ARPT_SO_GET_INFO: @@ -101581,7 +101245,7 @@ index fd7a3f6..21e76da 100644 break; case ARPT_SO_GET_ENTRIES: ret = compat_get_entries(sock_net(sk), user, len); -@@ -1728,7 +1728,7 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len +@@ -1730,7 +1730,7 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len switch (cmd) { case ARPT_SO_GET_INFO: @@ -101591,7 +101255,7 @@ index fd7a3f6..21e76da 100644 case ARPT_SO_GET_ENTRIES: diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c -index 24e556e..f6918b4 100644 +index f98a1cf..b05baff 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -1069,14 +1069,14 @@ static int compat_table_info(const struct xt_table_info *info, @@ -101621,7 +101285,7 @@ index 24e556e..f6918b4 100644 ret = -EFAULT; else ret = 0; -@@ -1967,7 +1967,7 @@ compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) +@@ -1969,7 +1969,7 @@ compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) switch (cmd) { case IPT_SO_GET_INFO: @@ -101630,7 +101294,7 @@ index 24e556e..f6918b4 100644 break; case IPT_SO_GET_ENTRIES: ret = compat_get_entries(sock_net(sk), user, len); -@@ -2014,7 +2014,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) +@@ -2016,7 +2016,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) switch (cmd) { case IPT_SO_GET_INFO: @@ -101688,43 +101352,10 @@ index b550815..c3b44d5 100644 /* copy_len <= skb->len, so can't fail. */ if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0) 
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index 00975b6..ebd3af9 100644 +index d495d4b..c95851f 100644 --- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c -@@ -205,10 +205,11 @@ static int ping_init_sock(struct sock *sk) - gid_t range[2]; - struct group_info *group_info = get_current_groups(); - int i, j, count = group_info->ngroups; -+ int ret = 0; - - inet_get_ping_group_range_net(net, range, range+1); - if (range[0] <= group && group <= range[1]) -- return 0; -+ goto out_release_group; - - for (i = 0; i < group_info->nblocks; i++) { - int cp_count = min_t(int, NGROUPS_PER_BLOCK, count); -@@ -216,13 +217,17 @@ static int ping_init_sock(struct sock *sk) - for (j = 0; j < cp_count; j++) { - group = group_info->blocks[i][j]; - if (range[0] <= group && group <= range[1]) -- return 0; -+ goto out_release_group; - } - - count -= cp_count; - } - -- return -EACCES; -+ ret = -EACCES; -+ -+out_release_group: -+ put_group_info(group_info); -+ return ret; - } - - static void ping_close(struct sock *sk, long timeout) -@@ -835,7 +840,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f, +@@ -842,7 +842,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f, sk_rmem_alloc_get(sp), 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp), atomic_read(&sp->sk_refcnt), sp, @@ -101817,7 +101448,7 @@ index cfded93..7b72cc0 100644 .exit = raw_exit_net, }; diff --git a/net/ipv4/route.c b/net/ipv4/route.c -index 6768ce2..843be03 100644 +index 6526110b..e060b32 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -313,7 +313,7 @@ static inline unsigned int rt_hash(__be32 daddr, __be32 saddr, int idx, @@ -102714,7 +102345,7 @@ index b204df8..8f274f4 100644 msg.msg_flags = flags; diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c -index 94874b0..a47969c 100644 +index 2e752b2..3d54ac42 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c 
@@ -1091,14 +1091,14 @@ static int compat_table_info(const struct xt_table_info *info, @@ -102744,7 +102375,7 @@ index 94874b0..a47969c 100644 ret = -EFAULT; else ret = 0; -@@ -1989,7 +1989,7 @@ compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) +@@ -1991,7 +1991,7 @@ compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) switch (cmd) { case IP6T_SO_GET_INFO: @@ -102753,7 +102384,7 @@ index 94874b0..a47969c 100644 break; case IP6T_SO_GET_ENTRIES: ret = compat_get_entries(sock_net(sk), user, len); -@@ -2036,7 +2036,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) +@@ -2038,7 +2038,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) switch (cmd) { case IP6T_SO_GET_INFO: @@ -102916,10 +102547,10 @@ index eba5deb..61e026f 100644 return -ENOMEM; } diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index 39e11f9..d6b0d59 100644 +index 782f67a..9b969f2 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c -@@ -2808,7 +2808,7 @@ ctl_table ipv6_route_table_template[] = { +@@ -2809,7 +2809,7 @@ ctl_table ipv6_route_table_template[] = { struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net) { @@ -105173,7 +104804,7 @@ index 1e2eee8..ce3967e 100644 assoc->assoc_id, assoc->sndbuf_used, diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c -index 6f6ad86..a10ccad 100644 +index de35e01..ef925b0 100644 --- a/net/sctp/protocol.c +++ b/net/sctp/protocol.c @@ -109,7 +109,7 @@ static __init int sctp_proc_init(void) @@ -105185,7 +104816,7 @@ index 6f6ad86..a10ccad 100644 if (!proc_net_sctp) goto out_free_percpu; } -@@ -862,8 +862,10 @@ int sctp_register_af(struct sctp_af *af) +@@ -867,8 +867,10 @@ int sctp_register_af(struct sctp_af *af) return 0; } 
@@ -105197,7 +104828,7 @@ index 6f6ad86..a10ccad 100644 return 1; } -@@ -994,7 +996,7 @@ static inline int sctp_v4_xmit(struct sk_buff *skb, +@@ -999,7 +1001,7 @@ static inline int sctp_v4_xmit(struct sk_buff *skb, static struct sctp_af sctp_af_inet; @@ -105206,7 +104837,7 @@ index 6f6ad86..a10ccad 100644 .event_msgname = sctp_inet_event_msgname, .skb_msgname = sctp_inet_skb_msgname, .af_supported = sctp_inet_af_supported, -@@ -1064,7 +1066,7 @@ static const struct net_protocol sctp_protocol = { +@@ -1069,7 +1071,7 @@ static const struct net_protocol sctp_protocol = { }; /* IPv4 address related functions. */ @@ -105215,7 +104846,7 @@ index 6f6ad86..a10ccad 100644 .sa_family = AF_INET, .sctp_xmit = sctp_v4_xmit, .setsockopt = ip_setsockopt, -@@ -1149,7 +1151,7 @@ static void sctp_v4_pf_init(void) +@@ -1154,7 +1156,7 @@ static void sctp_v4_pf_init(void) static void sctp_v4_pf_exit(void) { @@ -107266,10 +106897,10 @@ index 98ff331..9a48619 100644 sprintf(alias, "dmi*"); diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c -index 619228d..bf61bbb 100644 +index dc5748f..193bd1d 100644 --- a/scripts/mod/modpost.c +++ b/scripts/mod/modpost.c -@@ -922,6 +922,7 @@ enum mismatch { +@@ -926,6 +926,7 @@ enum mismatch { ANY_INIT_TO_ANY_EXIT, ANY_EXIT_TO_ANY_INIT, EXPORT_TO_INIT_EXIT, @@ -107277,7 +106908,7 @@ index 619228d..bf61bbb 100644 }; struct sectioncheck { -@@ -1030,6 +1031,12 @@ const struct sectioncheck sectioncheck[] = { +@@ -1034,6 +1035,12 @@ const struct sectioncheck sectioncheck[] = { .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL }, .mismatch = EXPORT_TO_INIT_EXIT, .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL }, @@ -107290,7 +106921,7 @@ index 619228d..bf61bbb 100644 } }; -@@ -1152,10 +1159,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr, +@@ -1156,10 +1163,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr, continue; if (ELF_ST_TYPE(sym->st_info) == STT_SECTION) continue; 
@@ -107303,7 +106934,7 @@ index 619228d..bf61bbb 100644 if (d < 0) d = addr - sym->st_value; if (d < distance) { -@@ -1434,6 +1441,14 @@ static void report_sec_mismatch(const char *modname, +@@ -1438,6 +1445,14 @@ static void report_sec_mismatch(const char *modname, tosym, prl_to, prl_to, tosym); free(prl_to); break; @@ -107318,7 +106949,7 @@ index 619228d..bf61bbb 100644 } fprintf(stderr, "\n"); } -@@ -1659,7 +1674,7 @@ static void section_rel(const char *modname, struct elf_info *elf, +@@ -1663,7 +1678,7 @@ static void section_rel(const char *modname, struct elf_info *elf, static void check_sec_ref(struct module *mod, const char *modname, struct elf_info *elf) { @@ -107327,7 +106958,7 @@ index 619228d..bf61bbb 100644 Elf_Shdr *sechdrs = elf->sechdrs; /* Walk through all sections */ -@@ -1757,7 +1772,7 @@ void __attribute__((format(printf, 2, 3))) buf_printf(struct buffer *buf, +@@ -1761,7 +1776,7 @@ void __attribute__((format(printf, 2, 3))) buf_printf(struct buffer *buf, va_end(ap); } @@ -107336,7 +106967,7 @@ index 619228d..bf61bbb 100644 { if (buf->size - buf->pos < len) { buf->size += len + SZ; -@@ -1975,7 +1990,7 @@ static void write_if_changed(struct buffer *b, const char *fname) +@@ -1979,7 +1994,7 @@ static void write_if_changed(struct buffer *b, const char *fname) if (fstat(fileno(file), &st) < 0) goto close_write; @@ -107452,10 +107083,10 @@ index 38f6617..e70b72b 100755 exuberant() diff --git a/security/Kconfig b/security/Kconfig -index 51bd5a0..d4191c5 100644 +index 51bd5a0..dfb6314 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,955 @@ +@@ -4,6 +4,952 @@ menu "Security options" 
@@ -108113,8 +107744,7 @@ index 51bd5a0..d4191c5 100644 + guess them in most cases. Any failed guess will most likely crash + the attacked program which allows the kernel to detect such attempts + and react on them. PaX itself provides no reaction mechanisms, -+ instead it is strongly encouraged that you make use of Nergal's -+ segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's ++ instead it is strongly encouraged that you make use of grsecurity's + (http://www.grsecurity.net/) built-in crash detection features or + develop one yourself. + 
@@ -108148,30 +107778,28 @@ index 51bd5a0..d4191c5 100644
 + configuration, this feature cannot be disabled on a per file basis.
 +
 +config PAX_RANDUSTACK
-+ bool "Randomize user stack base"
++ bool
++
++config PAX_RANDMMAP
++ bool "Randomize user stack and mmap() bases"
 + default y if GRKERNSEC_CONFIG_AUTO
 + depends on PAX_ASLR
++ select PAX_RANDUSTACK
 + help
 + By saying Y here the kernel will randomize every task's userland
-+ stack. The randomization is done in two steps where the second
++ stack and use a randomized base address for mmap() requests that
++ do not specify one themselves.
++
++ The stack randomization is done in two steps where the second
 + one may apply a big amount of shift to the top of the stack and
 + cause problems for programs that want to use lots of memory (more
 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
-+ For this reason the second step can be controlled by 'chpax' or
-+ 'paxctl' on a per file basis.
 +
-+config PAX_RANDMMAP
-+ bool "Randomize mmap() base"
-+ default y if GRKERNSEC_CONFIG_AUTO
-+ depends on PAX_ASLR
-+ help
-+ By saying Y here the kernel will use a randomized base address for
-+ mmap() requests that do not specify one themselves. As a result
-+ all dynamically loaded libraries will appear at random addresses
-+ and therefore be harder to exploit by a technique where an attacker
-+ attempts to execute library code for his purposes (e.g. spawn a
-+ shell from an exploited program that is running at an elevated
-+ privilege level).
++ As a result of mmap randomization all dynamically loaded libraries
++ will appear at random addresses and therefore be harder to exploit
++ by a technique where an attacker attempts to execute library code
++ for his purposes (e.g. spawn a shell from an exploited program that
++ is running at an elevated privilege level).
 +
 + Furthermore, if a program is relinked as a dynamic ELF file, its
 + base address will be randomized as well, completing the full
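Review bot: `PAX_RANDUSTACK` becomes a promptless `bool` that is only set through `select PAX_RANDUSTACK` under `PAX_RANDMMAP`, so a kernel configuration that had stack randomization on and mmap randomization off will end up with both off once the config is regenerated, and the new help text does not mention that coupling. I would add a sentence to the `PAX_RANDMMAP` help such as `Saying N here also disables userland stack randomization.` so the loss is visible to anyone carrying an older config forward. The rewritten help also drops the sentence about controlling the second stack-randomization step per file with 'chpax' or 'paxctl' without saying whether that control still applies; if it does, the sentence is worth keeping. The `PAX_RANDMMAP` entry continues past the end of this hunk.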
@@ -108411,7 +108039,7 @@ index 51bd5a0..d4191c5 100644
 config KEYS
 bool "Enable access key retention support"
 help
-@@ -169,7 +1118,7 @@ config INTEL_TXT
+@@ -169,7 +1115,7 @@ config INTEL_TXT
 config LSM_MMAP_MIN_ADDR
 int "Low address space for LSM to protect from user allocation"
 depends on SECURITY && SECURITY_SELINUX
@@ -118560,10 +118188,10 @@ index 0000000..4378111
 +}
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
 new file mode 100644
-index 0000000..a75d300
+index 0000000..9eca4c1
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
-@@ -0,0 +1,5106 @@
+@@ -0,0 +1,5108 @@
 +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL
 +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL
 +compat_sock_setsockopt_23 compat_sock_setsockopt 5 23 NULL
@@ -121626,6 +121254,7 @@ index 0000000..a75d300
 +ieee80211_if_fmt_dot11MeshHWMPmaxPREQretries_39499 ieee80211_if_fmt_dot11MeshHWMPmaxPREQretries 3 39499 NULL
 +int_proc_write_39542 int_proc_write 3 39542 NULL nohasharray
 +wm8350_i2c_read_device_39542 wm8350_i2c_read_device 3 39542 &int_proc_write_39542
++rtnl_port_size_39551 rtnl_port_size 0 39551 NULL
 +pp_write_39554 pp_write 3 39554 NULL
 +ol_dqblk_block_39558 ol_dqblk_block 0-2-3 39558 NULL
 +datablob_format_39571 datablob_format 2 39571 NULL nohasharray
@@ -121742,6 +121371,7 @@ index 0000000..a75d300
 +iterate_extent_inodes_40923 iterate_extent_inodes 0 40923 NULL
 +btrfs_setsize_40931 btrfs_setsize 2 40931 NULL
 +snd_vx_create_40948 snd_vx_create 4 40948 NULL
++skb_end_offset_40949 skb_end_offset 0 40949 NULL
 +tcp_skb_mss_40964 tcp_skb_mss 0 40964 NULL
 +rds_sendmsg_40976 rds_sendmsg 4 40976 NULL
 +mac80211_format_buffer_41010 mac80211_format_buffer 2 41010 NULL
diff --git a/3.2.59/4425_grsec_remove_EI_PAX.patch b/3.2.60/4425_grsec_remove_EI_PAX.patch
index cf65d90..cf65d90 100644
--- a/3.2.59/4425_grsec_remove_EI_PAX.patch
+++ b/3.2.60/4425_grsec_remove_EI_PAX.patch
diff --git a/3.2.59/4427_force_XATTR_PAX_tmpfs.patch b/3.2.60/4427_force_XATTR_PAX_tmpfs.patch
index 8c7a533..8c7a533 100644
--- a/3.2.59/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.2.60/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.2.59/4430_grsec-remove-localversion-grsec.patch b/3.2.60/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.2.59/4430_grsec-remove-localversion-grsec.patch
+++ b/3.2.60/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.2.59/4435_grsec-mute-warnings.patch b/3.2.60/4435_grsec-mute-warnings.patch
index da01ac7..da01ac7 100644
--- a/3.2.59/4435_grsec-mute-warnings.patch
+++ b/3.2.60/4435_grsec-mute-warnings.patch
diff --git a/3.2.59/4440_grsec-remove-protected-paths.patch b/3.2.60/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/3.2.59/4440_grsec-remove-protected-paths.patch
+++ b/3.2.60/4440_grsec-remove-protected-paths.patch
diff --git a/3.2.59/4450_grsec-kconfig-default-gids.patch b/3.2.60/4450_grsec-kconfig-default-gids.patch
index f3f6f14..f3f6f14 100644
--- a/3.2.59/4450_grsec-kconfig-default-gids.patch
+++ b/3.2.60/4450_grsec-kconfig-default-gids.patch
diff --git a/3.2.59/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.60/4465_selinux-avc_audit-log-curr_ip.patch
index e10ec6d..e10ec6d 100644
--- a/3.2.59/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.2.60/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.2.59/4470_disable-compat_vdso.patch b/3.2.60/4470_disable-compat_vdso.patch
index f6eb9f7..f6eb9f7 100644
--- a/3.2.59/4470_disable-compat_vdso.patch
+++ b/3.2.60/4470_disable-compat_vdso.patch
diff --git a/3.2.59/4475_emutramp_default_on.patch b/3.2.60/4475_emutramp_default_on.patch
index 10a2580..10a2580 100644
--- a/3.2.59/4475_emutramp_default_on.patch
+++ b/3.2.60/4475_emutramp_default_on.patch |