diff options
| author |   Anthony G. Basile <blueness@gentoo.org> | 2013-02-08 16:10:48 -0500 |
|---|---|---|
| committer | Anthony G. Basile <blueness@gentoo.org> | 2013-02-08 16:10:48 -0500 |
| commit | 7c1ba4e71ddae00d7e4e5fff094de7b04dffe284 (patch) | |
| tree | 574622bc041daf6b19119a2459b9744e26c14c18 | |
| parent | Grsec/PaX: 2.9.1-{2.6.32.60,3.2.37,3.7.5}-201301311811 (diff) | |
| download | hardened-patchset-7c1ba4e71ddae00d7e4e5fff094de7b04dffe284.tar.gz hardened-patchset-7c1ba4e71ddae00d7e4e5fff094de7b04dffe284.tar.bz2 hardened-patchset-7c1ba4e71ddae00d7e4e5fff094de7b04dffe284.zip | |
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.38,3.7.6}-20130207193820130207
| -rw-r--r-- | 2.6.32/0000_README | 2 | ||||
| -rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201302071937.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301311809.patch) | 94 | ||||
| -rw-r--r-- | 3.2.38/0000_README (renamed from 3.2.37/0000_README) | 6 | ||||
| -rw-r--r-- | 3.2.38/1021_linux-3.2.22.patch (renamed from 3.2.37/1021_linux-3.2.22.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/1022_linux-3.2.23.patch (renamed from 3.2.37/1022_linux-3.2.23.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/1023_linux-3.2.24.patch (renamed from 3.2.37/1023_linux-3.2.24.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/1024_linux-3.2.25.patch (renamed from 3.2.37/1024_linux-3.2.25.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/1025_linux-3.2.26.patch (renamed from 3.2.37/1025_linux-3.2.26.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/1026_linux-3.2.27.patch (renamed from 3.2.37/1026_linux-3.2.27.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/1027_linux-3.2.28.patch (renamed from 3.2.37/1027_linux-3.2.28.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/1028_linux-3.2.29.patch (renamed from 3.2.37/1028_linux-3.2.29.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/1029_linux-3.2.30.patch (renamed from 3.2.37/1029_linux-3.2.30.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/1030_linux-3.2.31.patch (renamed from 3.2.37/1030_linux-3.2.31.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/1031_linux-3.2.32.patch (renamed from 3.2.37/1031_linux-3.2.32.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/1032_linux-3.2.33.patch (renamed from 3.2.37/1032_linux-3.2.33.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/1033_linux-3.2.34.patch (renamed from 3.2.37/1033_linux-3.2.34.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/1034_linux-3.2.35.patch (renamed from 3.2.37/1034_linux-3.2.35.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/1035_linux-3.2.36.patch (renamed from 3.2.37/1035_linux-3.2.36.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/1036_linux-3.2.37.patch (renamed from 3.2.37/1036_linux-3.2.37.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/1037_linux-3.2.38.patch | 4587 | ||||
| -rw-r--r-- | 3.2.38/4420_grsecurity-2.9.1-3.2.38-201302071937.patch (renamed from 3.2.37/4420_grsecurity-2.9.1-3.2.37-201301311810.patch) | 237 | ||||
| -rw-r--r-- | 3.2.38/4425_grsec_remove_EI_PAX.patch (renamed from 3.2.37/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/4430_grsec-remove-localversion-grsec.patch (renamed from 3.2.37/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/4435_grsec-mute-warnings.patch (renamed from 3.2.37/4435_grsec-mute-warnings.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/4440_grsec-remove-protected-paths.patch (renamed from 3.2.37/4440_grsec-remove-protected-paths.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/4450_grsec-kconfig-default-gids.patch (renamed from 3.2.37/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.2.37/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
| -rw-r--r-- | 3.2.38/4470_disable-compat_vdso.patch (renamed from 3.2.37/4470_disable-compat_vdso.patch) | 0 | ||||
| -rw-r--r-- | 3.7.6/0000_README (renamed from 3.7.5/0000_README) | 2 | ||||
| -rw-r--r-- | 3.7.6/4420_grsecurity-2.9.1-3.7.6-201302071938.patch (renamed from 3.7.5/4420_grsecurity-2.9.1-3.7.5-201301311811.patch) | 1335 | ||||
| -rw-r--r-- | 3.7.6/4425_grsec_remove_EI_PAX.patch (renamed from 3.7.5/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
| -rw-r--r-- | 3.7.6/4430_grsec-remove-localversion-grsec.patch (renamed from 3.7.5/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
| -rw-r--r-- | 3.7.6/4435_grsec-mute-warnings.patch (renamed from 3.7.5/4435_grsec-mute-warnings.patch) | 0 | ||||
| -rw-r--r-- | 3.7.6/4440_grsec-remove-protected-paths.patch (renamed from 3.7.5/4440_grsec-remove-protected-paths.patch) | 0 | ||||
| -rw-r--r-- | 3.7.6/4450_grsec-kconfig-default-gids.patch (renamed from 3.7.5/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
| -rw-r--r-- | 3.7.6/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.7.5/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
| -rw-r--r-- | 3.7.6/4470_disable-compat_vdso.patch (renamed from 3.7.5/4470_disable-compat_vdso.patch) | 4 |
37 files changed, 5614 insertions, 653 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index ff482d8..b9830e4 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch From: http://www.kernel.org Desc: Linux 2.6.32.59 -Patch: 4420_grsecurity-2.9.1-2.6.32.60-201301311809.patch +Patch: 4420_grsecurity-2.9.1-2.6.32.60-201302071937.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301311809.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201302071937.patch index c356f5e..ffae5a9 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301311809.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201302071937.patch @@ -1417,7 +1417,7 @@ index ba8ccfe..2dc34dc 100644 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7} #else /* ! __ARMEB__ */ diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c -index 61f90d3..771ab27 100644 +index 61f90d3..b1b8ab9 100644 --- a/arch/arm/kernel/process.c +++ b/arch/arm/kernel/process.c @@ -83,7 +83,7 @@ static int __init hlt_setup(char *__unused) @@ -1454,6 +1454,17 @@ index 61f90d3..771ab27 100644 } void machine_restart(char *cmd) +@@ -218,8 +220,8 @@ void __show_regs(struct pt_regs *regs) + smp_processor_id(), print_tainted(), init_utsname()->release, + (int)strcspn(init_utsname()->version, " "), + init_utsname()->version); +- print_symbol("PC is at %s\n", instruction_pointer(regs)); +- print_symbol("LR is at %s\n", regs->ARM_lr); ++ printk("PC is at %pA\n", instruction_pointer(regs)); ++ printk("LR is at %pA\n", regs->ARM_lr); + printk("pc : [<%08lx>] lr : [<%08lx>] psr: %08lx\n" + "sp : %08lx ip : %08lx fp : %08lx\n", + regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr, diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c index a2ea385..4783488 100644 --- a/arch/arm/kernel/ptrace.c @@ -1504,10 +1515,22 @@ index c6c57b6..8ec5c3f 100644 struct stack { diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c -index 3f361a7..6e806e1 100644 +index 3f361a7..aa0d108 100644 --- a/arch/arm/kernel/traps.c +++ b/arch/arm/kernel/traps.c -@@ -247,6 +247,8 @@ static void __die(const char *str, int err, struct thread_info *thread, struct p +@@ -50,10 +50,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long); + void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame) + { + #ifdef CONFIG_KALLSYMS +- char sym1[KSYM_SYMBOL_LEN], sym2[KSYM_SYMBOL_LEN]; +- sprint_symbol(sym1, where); +- sprint_symbol(sym2, from); +- printk("[<%08lx>] (%s) from [<%08lx>] (%s)\n", where, sym1, from, sym2); ++ printk("[<%08lx>] (%pA) from [<%08lx>] (%pA)\n", where, (void *)where, from, (void *)from); + #else + printk("Function entered at [<%08lx>] from [<%08lx>]\n", where, from); + #endif +@@ -247,6 +244,8 @@ static void __die(const char *str, int err, struct thread_info *thread, struct p DEFINE_SPINLOCK(die_lock); @@ -1516,7 +1539,7 @@ index 3f361a7..6e806e1 100644 /* * This function is protected against re-entrancy. */ -@@ -271,6 +273,8 @@ NORET_TYPE void die(const char *str, struct pt_regs *regs, int err) +@@ -271,6 +270,8 @@ NORET_TYPE void die(const char *str, struct pt_regs *regs, int err) if (panic_on_oops) panic("Fatal exception"); @@ -26634,7 +26657,7 @@ index 61b41ca..5fef66a 100644 extern u32 pnp_bios_is_utter_crap; pnp_bios_is_utter_crap = 1; diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c -index 249ad57..bbe82fd 100644 +index 249ad57..8d4b579 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c @@ -11,10 +11,19 @@ @@ -26876,10 +26899,12 @@ index 249ad57..bbe82fd 100644 /* User mode accesses just cause a SIGSEGV */ if (error_code & PF_USER) { /* -@@ -720,6 +827,21 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, +@@ -720,12 +827,30 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, if (is_errata100(regs, address)) return; +- if (unlikely(show_unhandled_signals)) +- show_signal_msg(regs, error_code, address, tsk); +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) + if (pax_is_fetch_fault(regs, error_code, address)) { + @@ -26894,11 +26919,21 @@ index 249ad57..bbe82fd 100644 + do_group_exit(SIGKILL); + } +#endif + + /* Kernel addresses are always protection faults: */ ++ if (address >= TASK_SIZE) ++ error_code |= PF_PROT; ++ ++ if (show_unhandled_signals) ++ show_signal_msg(regs, error_code, address, tsk); + - if (unlikely(show_unhandled_signals)) - show_signal_msg(regs, error_code, address, tsk); + tsk->thread.cr2 = address; +- tsk->thread.error_code = error_code | (address >= TASK_SIZE); ++ tsk->thread.error_code = error_code; + tsk->thread.trap_no = 14; -@@ -816,7 +938,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address, + force_sig_info_fault(SIGSEGV, si_code, address, tsk); +@@ -816,7 +941,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address, if (fault & VM_FAULT_HWPOISON) { printk(KERN_ERR "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n", @@ -26907,7 +26942,7 @@ index 249ad57..bbe82fd 100644 code = BUS_MCEERR_AR; } #endif -@@ -855,6 +977,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte) +@@ -855,6 +980,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte) return 1; } @@ -27007,7 +27042,7 @@ index 249ad57..bbe82fd 100644 /* * Handle a spurious fault caused by a stale TLB entry. * -@@ -921,6 +1136,9 @@ int show_unhandled_signals = 1; +@@ -921,6 +1139,9 @@ int show_unhandled_signals = 1; static inline int access_error(unsigned long error_code, int write, struct vm_area_struct *vma) { @@ -27017,7 +27052,7 @@ index 249ad57..bbe82fd 100644 if (write) { /* write, present and write, not present: */ if (unlikely(!(vma->vm_flags & VM_WRITE))) -@@ -954,16 +1172,30 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) +@@ -954,16 +1175,30 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) { struct vm_area_struct *vma; struct task_struct *tsk; @@ -27053,7 +27088,7 @@ index 249ad57..bbe82fd 100644 /* * Detect and handle instructions that would cause a page fault for -@@ -1024,7 +1256,7 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) +@@ -1024,7 +1259,7 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) * User-mode registers count as a user access even for any * potential system fault or CPU buglet: */ @@ -27062,7 +27097,7 @@ index 249ad57..bbe82fd 100644 local_irq_enable(); error_code |= PF_USER; } else { -@@ -1078,6 +1310,11 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) +@@ -1078,6 +1313,11 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) might_sleep(); } @@ -27074,7 +27109,7 @@ index 249ad57..bbe82fd 100644 vma = find_vma(mm, address); if (unlikely(!vma)) { bad_area(regs, error_code, address); -@@ -1089,18 +1326,24 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) +@@ -1089,18 +1329,24 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) bad_area(regs, error_code, address); return; } @@ -27110,7 +27145,7 @@ index 249ad57..bbe82fd 100644 if (unlikely(expand_stack(vma, address))) { bad_area(regs, error_code, address); return; -@@ -1144,3 +1387,292 @@ good_area: +@@ -1144,3 +1390,292 @@ good_area: up_read(&mm->mmap_sem); } @@ -91633,10 +91668,10 @@ index 0000000..bc0be01 +} diff --git a/grsecurity/grsec_chroot.c b/grsecurity/grsec_chroot.c new file mode 100644 -index 0000000..197bdd5 +index 0000000..80a3a4b --- /dev/null +++ b/grsecurity/grsec_chroot.c -@@ -0,0 +1,386 @@ +@@ -0,0 +1,375 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -91725,17 +91760,6 @@ index 0000000..197bdd5 +} + +int -+gr_handle_chroot_rawio(const struct inode *inode) -+{ -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS -+ if (grsec_enable_chroot_caps && proc_is_chrooted(current) && -+ inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO)) -+ return 1; -+#endif -+ return 0; -+} -+ -+int +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK @@ -118094,10 +118118,10 @@ index d52f7a0..b66cdd9 100755 rm -f tags xtags ctags diff --git a/security/Kconfig b/security/Kconfig -index fb363cd..4cf6d28 100644 +index fb363cd..9fc4cfa 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,890 @@ +@@ -4,6 +4,896 @@ menu "Security options" @@ -118940,6 +118964,12 @@ index fb363cd..4cf6d28 100644 + Since this has a negligible performance impact, you should enable + this feature. + ++ ++config PAX_USERCOPY_DEBUG ++ bool ++ depends on X86 && PAX_USERCOPY ++ default n ++ +config PAX_SIZE_OVERFLOW + bool "Prevent various integer overflows in function size parameters" + default y if GRKERNSEC_CONFIG_AUTO @@ -118988,7 +119018,7 @@ index fb363cd..4cf6d28 100644 config KEYS bool "Enable access key retention support" help -@@ -146,7 +1030,7 @@ config INTEL_TXT +@@ -146,7 +1036,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX diff --git a/3.2.37/0000_README b/3.2.38/0000_README index 4390092..9a7d72b 100644 --- a/3.2.37/0000_README +++ b/3.2.38/0000_README @@ -66,7 +66,11 @@ Patch: 1036_linux-3.2.37.patch From: http://www.kernel.org Desc: Linux 3.2.37 -Patch: 4420_grsecurity-2.9.1-3.2.37-201301311810.patch +Patch: 1037_linux-3.2.38.patch +From: http://www.kernel.org +Desc: Linux 3.2.38 + +Patch: 4420_grsecurity-2.9.1-3.2.38-201302071937.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.37/1021_linux-3.2.22.patch b/3.2.38/1021_linux-3.2.22.patch index e6ad93a..e6ad93a 100644 --- a/3.2.37/1021_linux-3.2.22.patch +++ b/3.2.38/1021_linux-3.2.22.patch diff --git a/3.2.37/1022_linux-3.2.23.patch b/3.2.38/1022_linux-3.2.23.patch index 3d796d0..3d796d0 100644 --- a/3.2.37/1022_linux-3.2.23.patch +++ b/3.2.38/1022_linux-3.2.23.patch diff --git a/3.2.37/1023_linux-3.2.24.patch b/3.2.38/1023_linux-3.2.24.patch index 4692eb4..4692eb4 100644 --- a/3.2.37/1023_linux-3.2.24.patch +++ b/3.2.38/1023_linux-3.2.24.patch diff --git a/3.2.37/1024_linux-3.2.25.patch b/3.2.38/1024_linux-3.2.25.patch index e95c213..e95c213 100644 --- a/3.2.37/1024_linux-3.2.25.patch +++ b/3.2.38/1024_linux-3.2.25.patch diff --git a/3.2.37/1025_linux-3.2.26.patch b/3.2.38/1025_linux-3.2.26.patch index 44065b9..44065b9 100644 --- a/3.2.37/1025_linux-3.2.26.patch +++ b/3.2.38/1025_linux-3.2.26.patch diff --git a/3.2.37/1026_linux-3.2.27.patch b/3.2.38/1026_linux-3.2.27.patch index 5878eb4..5878eb4 100644 --- a/3.2.37/1026_linux-3.2.27.patch +++ b/3.2.38/1026_linux-3.2.27.patch diff --git a/3.2.37/1027_linux-3.2.28.patch b/3.2.38/1027_linux-3.2.28.patch index 4dbba4b..4dbba4b 100644 --- a/3.2.37/1027_linux-3.2.28.patch +++ b/3.2.38/1027_linux-3.2.28.patch diff --git a/3.2.37/1028_linux-3.2.29.patch b/3.2.38/1028_linux-3.2.29.patch index 3c65179..3c65179 100644 --- a/3.2.37/1028_linux-3.2.29.patch +++ b/3.2.38/1028_linux-3.2.29.patch diff --git a/3.2.37/1029_linux-3.2.30.patch b/3.2.38/1029_linux-3.2.30.patch index 86aea4b..86aea4b 100644 --- a/3.2.37/1029_linux-3.2.30.patch +++ b/3.2.38/1029_linux-3.2.30.patch diff --git a/3.2.37/1030_linux-3.2.31.patch b/3.2.38/1030_linux-3.2.31.patch index c6accf5..c6accf5 100644 --- a/3.2.37/1030_linux-3.2.31.patch +++ b/3.2.38/1030_linux-3.2.31.patch diff --git a/3.2.37/1031_linux-3.2.32.patch b/3.2.38/1031_linux-3.2.32.patch index 247fc0b..247fc0b 100644 --- a/3.2.37/1031_linux-3.2.32.patch +++ b/3.2.38/1031_linux-3.2.32.patch diff --git a/3.2.37/1032_linux-3.2.33.patch b/3.2.38/1032_linux-3.2.33.patch index c32fb75..c32fb75 100644 --- a/3.2.37/1032_linux-3.2.33.patch +++ b/3.2.38/1032_linux-3.2.33.patch diff --git a/3.2.37/1033_linux-3.2.34.patch b/3.2.38/1033_linux-3.2.34.patch index d647b38..d647b38 100644 --- a/3.2.37/1033_linux-3.2.34.patch +++ b/3.2.38/1033_linux-3.2.34.patch diff --git a/3.2.37/1034_linux-3.2.35.patch b/3.2.38/1034_linux-3.2.35.patch index 76a9c19..76a9c19 100644 --- a/3.2.37/1034_linux-3.2.35.patch +++ b/3.2.38/1034_linux-3.2.35.patch diff --git a/3.2.37/1035_linux-3.2.36.patch b/3.2.38/1035_linux-3.2.36.patch index 5d192a3..5d192a3 100644 --- a/3.2.37/1035_linux-3.2.36.patch +++ b/3.2.38/1035_linux-3.2.36.patch diff --git a/3.2.37/1036_linux-3.2.37.patch b/3.2.38/1036_linux-3.2.37.patch index ad13251..ad13251 100644 --- a/3.2.37/1036_linux-3.2.37.patch +++ b/3.2.38/1036_linux-3.2.37.patch diff --git a/3.2.38/1037_linux-3.2.38.patch b/3.2.38/1037_linux-3.2.38.patch new file mode 100644 index 0000000..a3c106f --- /dev/null +++ b/3.2.38/1037_linux-3.2.38.patch @@ -0,0 +1,4587 @@ +diff --git a/Makefile b/Makefile +index 21c77e2..c8c9d02 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 2 +-SUBLEVEL = 37 ++SUBLEVEL = 38 + EXTRAVERSION = + NAME = Saber-toothed Squirrel + +diff --git a/arch/arm/kernel/head.S b/arch/arm/kernel/head.S +index 08c82fd..3606e85 100644 +--- a/arch/arm/kernel/head.S ++++ b/arch/arm/kernel/head.S +@@ -221,6 +221,7 @@ __create_page_tables: + /* + * Then map boot params address in r2 or + * the first 1MB of ram if boot params address is not specified. ++ * We map 2 sections in case the ATAGs/DTB crosses a section boundary. + */ + mov r0, r2, lsr #SECTION_SHIFT + movs r0, r0, lsl #SECTION_SHIFT +@@ -229,6 +230,8 @@ __create_page_tables: + add r3, r3, #PAGE_OFFSET + add r3, r4, r3, lsr #(SECTION_SHIFT - PMD_ORDER) + orr r6, r7, r0 ++ str r6, [r3], #1 << PMD_ORDER ++ add r6, r6, #1 << SECTION_SHIFT + str r6, [r3] + + #ifdef CONFIG_DEBUG_LL +diff --git a/arch/arm/mach-pxa/include/mach/mfp-pxa27x.h b/arch/arm/mach-pxa/include/mach/mfp-pxa27x.h +index ec0f0b0..18c083e 100644 +--- a/arch/arm/mach-pxa/include/mach/mfp-pxa27x.h ++++ b/arch/arm/mach-pxa/include/mach/mfp-pxa27x.h +@@ -460,6 +460,9 @@ + GPIO76_LCD_PCLK, \ + GPIO77_LCD_BIAS + ++/* these enable a work-around for a hw bug in pxa27x during ac97 warm reset */ ++#define GPIO113_AC97_nRESET_GPIO_HIGH MFP_CFG_OUT(GPIO113, AF0, DEFAULT) ++#define GPIO95_AC97_nRESET_GPIO_HIGH MFP_CFG_OUT(GPIO95, AF0, DEFAULT) + + extern int keypad_set_wake(unsigned int on); + #endif /* __ASM_ARCH_MFP_PXA27X_H */ +diff --git a/arch/arm/mach-pxa/pxa27x.c b/arch/arm/mach-pxa/pxa27x.c +index bc5a98e..a9447f9 100644 +--- a/arch/arm/mach-pxa/pxa27x.c ++++ b/arch/arm/mach-pxa/pxa27x.c +@@ -47,9 +47,9 @@ void pxa27x_clear_otgph(void) + EXPORT_SYMBOL(pxa27x_clear_otgph); + + static unsigned long ac97_reset_config[] = { +- GPIO113_GPIO, ++ GPIO113_AC97_nRESET_GPIO_HIGH, + GPIO113_AC97_nRESET, +- GPIO95_GPIO, ++ GPIO95_AC97_nRESET_GPIO_HIGH, + GPIO95_AC97_nRESET, + }; + +diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c +index 1aa664a..e1dd92c 100644 +--- a/arch/arm/mm/dma-mapping.c ++++ b/arch/arm/mm/dma-mapping.c +@@ -500,25 +500,27 @@ static void dma_cache_maint_page(struct page *page, unsigned long offset, + size_t size, enum dma_data_direction dir, + void (*op)(const void *, size_t, int)) + { ++ unsigned long pfn; ++ size_t left = size; ++ ++ pfn = page_to_pfn(page) + offset / PAGE_SIZE; ++ offset %= PAGE_SIZE; ++ + /* + * A single sg entry may refer to multiple physically contiguous + * pages. But we still need to process highmem pages individually. + * If highmem is not configured then the bulk of this loop gets + * optimized out. + */ +- size_t left = size; + do { + size_t len = left; + void *vaddr; + ++ page = pfn_to_page(pfn); ++ + if (PageHighMem(page)) { +- if (len + offset > PAGE_SIZE) { +- if (offset >= PAGE_SIZE) { +- page += offset / PAGE_SIZE; +- offset %= PAGE_SIZE; +- } ++ if (len + offset > PAGE_SIZE) + len = PAGE_SIZE - offset; +- } + vaddr = kmap_high_get(page); + if (vaddr) { + vaddr += offset; +@@ -535,7 +537,7 @@ static void dma_cache_maint_page(struct page *page, unsigned long offset, + op(vaddr, len, dir); + } + offset = 0; +- page++; ++ pfn++; + left -= len; + } while (left); + } +diff --git a/arch/arm/vfp/entry.S b/arch/arm/vfp/entry.S +index cc926c9..323ce1a 100644 +--- a/arch/arm/vfp/entry.S ++++ b/arch/arm/vfp/entry.S +@@ -22,7 +22,7 @@ + @ IRQs disabled. + @ + ENTRY(do_vfp) +-#ifdef CONFIG_PREEMPT ++#ifdef CONFIG_PREEMPT_COUNT + ldr r4, [r10, #TI_PREEMPT] @ get preempt count + add r11, r4, #1 @ increment it + str r11, [r10, #TI_PREEMPT] +@@ -35,7 +35,7 @@ ENTRY(do_vfp) + ENDPROC(do_vfp) + + ENTRY(vfp_null_entry) +-#ifdef CONFIG_PREEMPT ++#ifdef CONFIG_PREEMPT_COUNT + get_thread_info r10 + ldr r4, [r10, #TI_PREEMPT] @ get preempt count + sub r11, r4, #1 @ decrement it +@@ -53,7 +53,7 @@ ENDPROC(vfp_null_entry) + + __INIT + ENTRY(vfp_testing_entry) +-#ifdef CONFIG_PREEMPT ++#ifdef CONFIG_PREEMPT_COUNT + get_thread_info r10 + ldr r4, [r10, #TI_PREEMPT] @ get preempt count + sub r11, r4, #1 @ decrement it +diff --git a/arch/arm/vfp/vfphw.S b/arch/arm/vfp/vfphw.S +index 3a0efaa..6ff903e 100644 +--- a/arch/arm/vfp/vfphw.S ++++ b/arch/arm/vfp/vfphw.S +@@ -167,7 +167,7 @@ vfp_hw_state_valid: + @ else it's one 32-bit instruction, so + @ always subtract 4 from the following + @ instruction address. +-#ifdef CONFIG_PREEMPT ++#ifdef CONFIG_PREEMPT_COUNT + get_thread_info r10 + ldr r4, [r10, #TI_PREEMPT] @ get preempt count + sub r11, r4, #1 @ decrement it +@@ -191,7 +191,7 @@ look_for_VFP_exceptions: + @ not recognised by VFP + + DBGSTR "not VFP" +-#ifdef CONFIG_PREEMPT ++#ifdef CONFIG_PREEMPT_COUNT + get_thread_info r10 + ldr r4, [r10, #TI_PREEMPT] @ get preempt count + sub r11, r4, #1 @ decrement it +diff --git a/arch/powerpc/kvm/emulate.c b/arch/powerpc/kvm/emulate.c +index 141dce3..2a73d82 100644 +--- a/arch/powerpc/kvm/emulate.c ++++ b/arch/powerpc/kvm/emulate.c +@@ -35,6 +35,7 @@ + #define OP_TRAP_64 2 + + #define OP_31_XOP_LWZX 23 ++#define OP_31_XOP_DCBF 86 + #define OP_31_XOP_LBZX 87 + #define OP_31_XOP_STWX 151 + #define OP_31_XOP_STBX 215 +@@ -370,6 +371,7 @@ int kvmppc_emulate_instruction(struct kvm_run *run, struct kvm_vcpu *vcpu) + kvmppc_set_exit_type(vcpu, EMULATED_MTSPR_EXITS); + break; + ++ case OP_31_XOP_DCBF: + case OP_31_XOP_DCBI: + /* Do nothing. The guest is performing dcbi because + * hardware DMA is not snooped by the dcache, but +diff --git a/arch/s390/include/asm/timex.h b/arch/s390/include/asm/timex.h +index c447a27..945b7cd 100644 +--- a/arch/s390/include/asm/timex.h ++++ b/arch/s390/include/asm/timex.h +@@ -137,4 +137,32 @@ static inline unsigned long long get_clock_monotonic(void) + return get_clock_xt() - sched_clock_base_cc; + } + ++/** ++ * tod_to_ns - convert a TOD format value to nanoseconds ++ * @todval: to be converted TOD format value ++ * Returns: number of nanoseconds that correspond to the TOD format value ++ * ++ * Converting a 64 Bit TOD format value to nanoseconds means that the value ++ * must be divided by 4.096. In order to achieve that we multiply with 125 ++ * and divide by 512: ++ * ++ * ns = (todval * 125) >> 9; ++ * ++ * In order to avoid an overflow with the multiplication we can rewrite this. ++ * With a split todval == 2^32 * th + tl (th upper 32 bits, tl lower 32 bits) ++ * we end up with ++ * ++ * ns = ((2^32 * th + tl) * 125 ) >> 9; ++ * -> ns = (2^23 * th * 125) + ((tl * 125) >> 9); ++ * ++ */ ++static inline unsigned long long tod_to_ns(unsigned long long todval) ++{ ++ unsigned long long ns; ++ ++ ns = ((todval >> 32) << 23) * 125; ++ ns += ((todval & 0xffffffff) * 125) >> 9; ++ return ns; ++} ++ + #endif +diff --git a/arch/s390/kernel/time.c b/arch/s390/kernel/time.c +index e03c555..8644366 100644 +--- a/arch/s390/kernel/time.c ++++ b/arch/s390/kernel/time.c +@@ -64,7 +64,7 @@ static DEFINE_PER_CPU(struct clock_event_device, comparators); + */ + unsigned long long notrace __kprobes sched_clock(void) + { +- return (get_clock_monotonic() * 125) >> 9; ++ return tod_to_ns(get_clock_monotonic()); + } + + /* +diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c +index 278ee00..5482d1e 100644 +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -391,7 +391,7 @@ int kvm_s390_handle_wait(struct kvm_vcpu *vcpu) + return 0; + } + +- sltime = ((vcpu->arch.sie_block->ckc - now)*125)>>9; ++ sltime = tod_to_ns(vcpu->arch.sie_block->ckc - now); + + hrtimer_start(&vcpu->arch.ckc_timer, ktime_set (0, sltime) , HRTIMER_MODE_REL); + VCPU_EVENT(vcpu, 5, "enabled wait via clock comparator: %llx ns", sltime); +diff --git a/arch/sh/include/asm/elf.h b/arch/sh/include/asm/elf.h +index f38112b..978b7fd 100644 +--- a/arch/sh/include/asm/elf.h ++++ b/arch/sh/include/asm/elf.h +@@ -202,9 +202,9 @@ extern void __kernel_vsyscall; + if (vdso_enabled) \ + NEW_AUX_ENT(AT_SYSINFO_EHDR, VDSO_BASE); \ + else \ +- NEW_AUX_ENT(AT_IGNORE, 0); ++ NEW_AUX_ENT(AT_IGNORE, 0) + #else +-#define VSYSCALL_AUX_ENT ++#define VSYSCALL_AUX_ENT NEW_AUX_ENT(AT_IGNORE, 0) + #endif /* CONFIG_VSYSCALL */ + + #ifdef CONFIG_SH_FPU +diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h +index 7093e4a..035cd81 100644 +--- a/arch/x86/include/asm/efi.h ++++ b/arch/x86/include/asm/efi.h +@@ -90,6 +90,7 @@ extern void __iomem *efi_ioremap(unsigned long addr, unsigned long size, + #endif /* CONFIG_X86_32 */ + + extern int add_efi_memmap; ++extern unsigned long x86_efi_facility; + extern void efi_set_executable(efi_memory_desc_t *md, bool executable); + extern void efi_memblock_x86_reserve_range(void); + extern void efi_call_phys_prelog(void); +diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h +index 0012d09..88eae2a 100644 +--- a/arch/x86/include/asm/traps.h ++++ b/arch/x86/include/asm/traps.h +@@ -89,4 +89,29 @@ asmlinkage void smp_thermal_interrupt(void); + asmlinkage void mce_threshold_interrupt(void); + #endif + ++/* Interrupts/Exceptions */ ++enum { ++ X86_TRAP_DE = 0, /* 0, Divide-by-zero */ ++ X86_TRAP_DB, /* 1, Debug */ ++ X86_TRAP_NMI, /* 2, Non-maskable Interrupt */ ++ X86_TRAP_BP, /* 3, Breakpoint */ ++ X86_TRAP_OF, /* 4, Overflow */ ++ X86_TRAP_BR, /* 5, Bound Range Exceeded */ ++ X86_TRAP_UD, /* 6, Invalid Opcode */ ++ X86_TRAP_NM, /* 7, Device Not Available */ ++ X86_TRAP_DF, /* 8, Double Fault */ ++ X86_TRAP_OLD_MF, /* 9, Coprocessor Segment Overrun */ ++ X86_TRAP_TS, /* 10, Invalid TSS */ ++ X86_TRAP_NP, /* 11, Segment Not Present */ ++ X86_TRAP_SS, /* 12, Stack Segment Fault */ ++ X86_TRAP_GP, /* 13, General Protection Fault */ ++ X86_TRAP_PF, /* 14, Page Fault */ ++ X86_TRAP_SPURIOUS, /* 15, Spurious Interrupt */ ++ X86_TRAP_MF, /* 16, x87 Floating-Point Exception */ ++ X86_TRAP_AC, /* 17, Alignment Check */ ++ X86_TRAP_MC, /* 18, Machine Check */ ++ X86_TRAP_XF, /* 19, SIMD Floating-Point Exception */ ++ X86_TRAP_IRET = 32, /* 32, IRET Exception */ ++}; ++ + #endif /* _ASM_X86_TRAPS_H */ +diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S +index 4893d58..d2d488b8 100644 +--- a/arch/x86/kernel/entry_32.S ++++ b/arch/x86/kernel/entry_32.S +@@ -1074,7 +1074,6 @@ ENTRY(xen_failsafe_callback) + lea 16(%esp),%esp + CFI_ADJUST_CFA_OFFSET -16 + jz 5f +- addl $16,%esp + jmp iret_exc + 5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */ + SAVE_ALL +diff --git a/arch/x86/kernel/irqinit.c b/arch/x86/kernel/irqinit.c +index b3300e6..e328f69 100644 +--- a/arch/x86/kernel/irqinit.c ++++ b/arch/x86/kernel/irqinit.c +@@ -61,7 +61,7 @@ static irqreturn_t math_error_irq(int cpl, void *dev_id) + outb(0, 0xF0); + if (ignore_fpu_irq || !boot_cpu_data.hard_math) + return IRQ_NONE; +- math_error(get_irq_regs(), 0, 16); ++ math_error(get_irq_regs(), 0, X86_TRAP_MF); + return IRQ_HANDLED; + } + +diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c +index 12fcbe2..f7d1a64 100644 +--- a/arch/x86/kernel/msr.c ++++ b/arch/x86/kernel/msr.c +@@ -175,6 +175,9 @@ static int msr_open(struct inode *inode, struct file *file) + unsigned int cpu; + struct cpuinfo_x86 *c; + ++ if (!capable(CAP_SYS_RAWIO)) ++ return -EPERM; ++ + cpu = iminor(file->f_path.dentry->d_inode); + if (cpu >= nr_cpu_ids || !cpu_online(cpu)) + return -ENXIO; /* No such CPU */ +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c +index e61f79c..47f4e5f 100644 +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -603,7 +603,7 @@ static void native_machine_emergency_restart(void) + break; + + case BOOT_EFI: +- if (efi_enabled) ++ if (efi_enabled(EFI_RUNTIME_SERVICES)) + efi.reset_system(reboot_mode ? + EFI_RESET_WARM : + EFI_RESET_COLD, +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index 0d403aa..b506f41 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -631,6 +631,83 @@ static __init void reserve_ibft_region(void) + + static unsigned reserve_low = CONFIG_X86_RESERVE_LOW << 10; + ++static bool __init snb_gfx_workaround_needed(void) ++{ ++#ifdef CONFIG_PCI ++ int i; ++ u16 vendor, devid; ++ static const __initconst u16 snb_ids[] = { ++ 0x0102, ++ 0x0112, ++ 0x0122, ++ 0x0106, ++ 0x0116, ++ 0x0126, ++ 0x010a, ++ }; ++ ++ /* Assume no if something weird is going on with PCI */ ++ if (!early_pci_allowed()) ++ return false; ++ ++ vendor = read_pci_config_16(0, 2, 0, PCI_VENDOR_ID); ++ if (vendor != 0x8086) ++ return false; ++ ++ devid = read_pci_config_16(0, 2, 0, PCI_DEVICE_ID); ++ for (i = 0; i < ARRAY_SIZE(snb_ids); i++) ++ if (devid == snb_ids[i]) ++ return true; ++#endif ++ ++ return false; ++} ++ ++/* ++ * Sandy Bridge graphics has trouble with certain ranges, exclude ++ * them from allocation. ++ */ ++static void __init trim_snb_memory(void) ++{ ++ static const __initconst unsigned long bad_pages[] = { ++ 0x20050000, ++ 0x20110000, ++ 0x20130000, ++ 0x20138000, ++ 0x40004000, ++ }; ++ int i; ++ ++ if (!snb_gfx_workaround_needed()) ++ return; ++ ++ printk(KERN_DEBUG "reserving inaccessible SNB gfx pages\n"); ++ ++ /* ++ * Reserve all memory below the 1 MB mark that has not ++ * already been reserved. ++ */ ++ memblock_reserve(0, 1<<20); ++ ++ for (i = 0; i < ARRAY_SIZE(bad_pages); i++) { ++ if (memblock_reserve(bad_pages[i], PAGE_SIZE)) ++ printk(KERN_WARNING "failed to reserve 0x%08lx\n", ++ bad_pages[i]); ++ } ++} ++ ++/* ++ * Here we put platform-specific memory range workarounds, i.e. ++ * memory known to be corrupt or otherwise in need to be reserved on ++ * specific platforms. ++ * ++ * If this gets used more widely it could use a real dispatch mechanism. ++ */ ++static void __init trim_platform_memory_ranges(void) ++{ ++ trim_snb_memory(); ++} ++ + static void __init trim_bios_range(void) + { + /* +@@ -651,6 +728,7 @@ static void __init trim_bios_range(void) + * take them out. + */ + e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1); ++ + sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map); + } + +@@ -750,15 +828,16 @@ void __init setup_arch(char **cmdline_p) + #endif + #ifdef CONFIG_EFI + if (!strncmp((char *)&boot_params.efi_info.efi_loader_signature, +-#ifdef CONFIG_X86_32 +- "EL32", +-#else +- "EL64", +-#endif +- 4)) { +- efi_enabled = 1; +- efi_memblock_x86_reserve_range(); ++ "EL32", 4)) { ++ set_bit(EFI_BOOT, &x86_efi_facility); ++ } else if (!strncmp((char *)&boot_params.efi_info.efi_loader_signature, ++ "EL64", 4)) { ++ set_bit(EFI_BOOT, &x86_efi_facility); ++ set_bit(EFI_64BIT, &x86_efi_facility); + } ++ ++ if (efi_enabled(EFI_BOOT)) ++ efi_memblock_x86_reserve_range(); + #endif + + x86_init.oem.arch_setup(); +@@ -831,7 +910,7 @@ void __init setup_arch(char **cmdline_p) + + finish_e820_parsing(); + +- if (efi_enabled) ++ if (efi_enabled(EFI_BOOT)) + efi_init(); + + dmi_scan_machine(); +@@ -914,7 +993,7 @@ void __init setup_arch(char **cmdline_p) + * The EFI specification says that boot service code won't be called + * after ExitBootServices(). This is, in fact, a lie. + */ +- if (efi_enabled) ++ if (efi_enabled(EFI_MEMMAP)) + efi_reserve_boot_services(); + + /* preallocate 4k for mptable mpc */ +@@ -929,6 +1008,8 @@ void __init setup_arch(char **cmdline_p) + + setup_trampolines(); + ++ trim_platform_memory_ranges(); ++ + init_gbpages(); + + /* max_pfn_mapped is updated here */ +@@ -1048,7 +1129,7 @@ void __init setup_arch(char **cmdline_p) + + #ifdef CONFIG_VT + #if defined(CONFIG_VGA_CONSOLE) +- if (!efi_enabled || (efi_mem_type(0xa0000) != EFI_CONVENTIONAL_MEMORY)) ++ if (!efi_enabled(EFI_BOOT) || (efi_mem_type(0xa0000) != EFI_CONVENTIONAL_MEMORY)) + conswitchp = &vga_con; + #elif defined(CONFIG_DUMMY_CONSOLE) + conswitchp = &dummy_con; +diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c +index 31d9d0f..e6fbb94 100644 +--- a/arch/x86/kernel/traps.c ++++ b/arch/x86/kernel/traps.c +@@ -119,7 +119,7 @@ do_trap(int trapnr, int signr, char *str, struct pt_regs *regs, + * traps 0, 1, 3, 4, and 5 should be forwarded to vm86. + * On nmi (interrupt 2), do_trap should not be called. + */ +- if (trapnr < 6) ++ if (trapnr < X86_TRAP_UD) + goto vm86_trap; + goto trap_signal; + } +@@ -203,27 +203,31 @@ dotraplinkage void do_##name(struct pt_regs *regs, long error_code) \ + do_trap(trapnr, signr, str, regs, error_code, &info); \ + } + +-DO_ERROR_INFO(0, SIGFPE, "divide error", divide_error, FPE_INTDIV, regs->ip) +-DO_ERROR(4, SIGSEGV, "overflow", overflow) +-DO_ERROR(5, SIGSEGV, "bounds", bounds) +-DO_ERROR_INFO(6, SIGILL, "invalid opcode", invalid_op, ILL_ILLOPN, regs->ip) +-DO_ERROR(9, SIGFPE, "coprocessor segment overrun", coprocessor_segment_overrun) +-DO_ERROR(10, SIGSEGV, "invalid TSS", invalid_TSS) +-DO_ERROR(11, SIGBUS, "segment not present", segment_not_present) ++DO_ERROR_INFO(X86_TRAP_DE, SIGFPE, "divide error", divide_error, FPE_INTDIV, ++ regs->ip) ++DO_ERROR(X86_TRAP_OF, SIGSEGV, "overflow", overflow) ++DO_ERROR(X86_TRAP_BR, SIGSEGV, "bounds", bounds) ++DO_ERROR_INFO(X86_TRAP_UD, SIGILL, "invalid opcode", invalid_op, ILL_ILLOPN, ++ regs->ip) ++DO_ERROR(X86_TRAP_OLD_MF, SIGFPE, "coprocessor segment overrun", ++ coprocessor_segment_overrun) ++DO_ERROR(X86_TRAP_TS, SIGSEGV, "invalid TSS", invalid_TSS) ++DO_ERROR(X86_TRAP_NP, SIGBUS, "segment not present", segment_not_present) + #ifdef CONFIG_X86_32 +-DO_ERROR(12, SIGBUS, "stack segment", stack_segment) ++DO_ERROR(X86_TRAP_SS, SIGBUS, "stack segment", stack_segment) + #endif +-DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, 0) ++DO_ERROR_INFO(X86_TRAP_AC, SIGBUS, "alignment check", alignment_check, ++ BUS_ADRALN, 0) + + #ifdef CONFIG_X86_64 + /* Runs on IST stack */ + dotraplinkage void do_stack_segment(struct pt_regs *regs, long error_code) + { + if (notify_die(DIE_TRAP, "stack segment", regs, error_code, +- 12, SIGBUS) == NOTIFY_STOP) ++ X86_TRAP_SS, SIGBUS) == NOTIFY_STOP) + return; + preempt_conditional_sti(regs); +- do_trap(12, SIGBUS, "stack segment", regs, error_code, NULL); ++ do_trap(X86_TRAP_SS, SIGBUS, "stack segment", regs, error_code, NULL); + preempt_conditional_cli(regs); + } + +@@ -233,10 +237,10 @@ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code) + struct task_struct *tsk = current; + + /* Return not checked because double check cannot be ignored */ +- notify_die(DIE_TRAP, str, regs, error_code, 8, SIGSEGV); ++ notify_die(DIE_TRAP, str, regs, error_code, X86_TRAP_DF, SIGSEGV); + + tsk->thread.error_code = error_code; +- tsk->thread.trap_no = 8; ++ tsk->thread.trap_no = X86_TRAP_DF; + + /* + * This is always a kernel trap and never fixable (and thus must +@@ -264,7 +268,7 @@ do_general_protection(struct pt_regs *regs, long error_code) + goto gp_in_kernel; + + tsk->thread.error_code = error_code; +- tsk->thread.trap_no = 13; ++ tsk->thread.trap_no = X86_TRAP_GP; + + if (show_unhandled_signals && unhandled_signal(tsk, SIGSEGV) && + printk_ratelimit()) { +@@ -291,9 +295,9 @@ gp_in_kernel: + return; + + tsk->thread.error_code = error_code; +- tsk->thread.trap_no = 13; +- if (notify_die(DIE_GPF, "general protection fault", regs, +- error_code, 13, SIGSEGV) == NOTIFY_STOP) ++ tsk->thread.trap_no = X86_TRAP_GP; ++ if (notify_die(DIE_GPF, "general protection fault", regs, error_code, ++ X86_TRAP_GP, SIGSEGV) == NOTIFY_STOP) + return; + die("general protection fault", regs, error_code); + } +@@ -302,13 +306,14 @@ gp_in_kernel: + dotraplinkage void __kprobes do_int3(struct pt_regs *regs, long error_code) + { + #ifdef CONFIG_KGDB_LOW_LEVEL_TRAP +- if (kgdb_ll_trap(DIE_INT3, "int3", regs, error_code, 3, SIGTRAP) +- == NOTIFY_STOP) ++ if (kgdb_ll_trap(DIE_INT3, "int3", regs, error_code, X86_TRAP_BP, ++ SIGTRAP) == NOTIFY_STOP) + return; + #endif /* CONFIG_KGDB_LOW_LEVEL_TRAP */ + #ifdef CONFIG_KPROBES +- if (notify_die(DIE_INT3, "int3", regs, error_code, 3, SIGTRAP) +- == NOTIFY_STOP) ++ ++ if (notify_die(DIE_INT3, "int3", regs, error_code, X86_TRAP_BP, ++ SIGTRAP) == NOTIFY_STOP) + return; + #else + if (notify_die(DIE_TRAP, "int3", regs, error_code, 3, SIGTRAP) +@@ -317,7 +322,7 @@ dotraplinkage void __kprobes do_int3(struct pt_regs *regs, long error_code) + #endif + + preempt_conditional_sti(regs); +- do_trap(3, SIGTRAP, "int3", regs, error_code, NULL); ++ do_trap(X86_TRAP_BP, SIGTRAP, "int3", regs, error_code, NULL); + preempt_conditional_cli(regs); + } + +@@ -415,8 +420,8 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) + preempt_conditional_sti(regs); + + if (regs->flags & X86_VM_MASK) { +- handle_vm86_trap((struct kernel_vm86_regs *) regs, +- error_code, 1); ++ handle_vm86_trap((struct kernel_vm86_regs *) regs, error_code, ++ X86_TRAP_DB); + preempt_conditional_cli(regs); + return; + } +@@ -451,7 +456,8 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr) + struct task_struct *task = current; + siginfo_t info; + unsigned short err; +- char *str = (trapnr == 16) ? "fpu exception" : "simd exception"; ++ char *str = (trapnr == X86_TRAP_MF) ? "fpu exception" : ++ "simd exception"; + + if (notify_die(DIE_TRAP, str, regs, error_code, trapnr, SIGFPE) == NOTIFY_STOP) + return; +@@ -476,7 +482,7 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr) + info.si_signo = SIGFPE; + info.si_errno = 0; + info.si_addr = (void __user *)regs->ip; +- if (trapnr == 16) { ++ if (trapnr == X86_TRAP_MF) { + unsigned short cwd, swd; + /* + * (~cwd & swd) will mask out exceptions that are not set to unmasked +@@ -520,10 +526,11 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr) + info.si_code = FPE_FLTRES; + } else { + /* +- * If we're using IRQ 13, or supposedly even some trap 16 +- * implementations, it's possible we get a spurious trap... ++ * If we're using IRQ 13, or supposedly even some trap ++ * X86_TRAP_MF implementations, it's possible ++ * we get a spurious trap, which is not an error. + */ +- return; /* Spurious trap, no error */ ++ return; + } + force_sig_info(SIGFPE, &info, task); + } +@@ -534,13 +541,13 @@ dotraplinkage void do_coprocessor_error(struct pt_regs *regs, long error_code) + ignore_fpu_irq = 1; + #endif + +- math_error(regs, error_code, 16); ++ math_error(regs, error_code, X86_TRAP_MF); + } + + dotraplinkage void + do_simd_coprocessor_error(struct pt_regs *regs, long error_code) + { +- math_error(regs, error_code, 19); ++ math_error(regs, error_code, X86_TRAP_XF); + } + + dotraplinkage void +@@ -658,20 +665,21 @@ dotraplinkage void do_iret_error(struct pt_regs *regs, long error_code) + info.si_errno = 0; + info.si_code = ILL_BADSTK; + info.si_addr = NULL; +- if (notify_die(DIE_TRAP, "iret exception", +- regs, error_code, 32, SIGILL) == NOTIFY_STOP) ++ if (notify_die(DIE_TRAP, "iret exception", regs, error_code, ++ X86_TRAP_IRET, SIGILL) == NOTIFY_STOP) + return; +- do_trap(32, SIGILL, "iret exception", regs, error_code, &info); ++ do_trap(X86_TRAP_IRET, SIGILL, "iret exception", regs, error_code, ++ &info); + } + #endif + + /* Set of traps needed for early debugging. */ + void __init early_trap_init(void) + { +- set_intr_gate_ist(1, &debug, DEBUG_STACK); ++ set_intr_gate_ist(X86_TRAP_DB, &debug, DEBUG_STACK); + /* int3 can be called from all */ +- set_system_intr_gate_ist(3, &int3, DEBUG_STACK); +- set_intr_gate(14, &page_fault); ++ set_system_intr_gate_ist(X86_TRAP_BP, &int3, DEBUG_STACK); ++ set_intr_gate(X86_TRAP_PF, &page_fault); + load_idt(&idt_descr); + } + +@@ -687,30 +695,30 @@ void __init trap_init(void) + early_iounmap(p, 4); + #endif + +- set_intr_gate(0, ÷_error); +- set_intr_gate_ist(2, &nmi, NMI_STACK); ++ set_intr_gate(X86_TRAP_DE, ÷_error); ++ set_intr_gate_ist(X86_TRAP_NMI, &nmi, NMI_STACK); + /* int4 can be called from all */ +- set_system_intr_gate(4, &overflow); +- set_intr_gate(5, &bounds); +- set_intr_gate(6, &invalid_op); +- set_intr_gate(7, &device_not_available); ++ set_system_intr_gate(X86_TRAP_OF, &overflow); ++ set_intr_gate(X86_TRAP_BR, &bounds); ++ set_intr_gate(X86_TRAP_UD, &invalid_op); ++ set_intr_gate(X86_TRAP_NM, &device_not_available); + #ifdef CONFIG_X86_32 +- set_task_gate(8, GDT_ENTRY_DOUBLEFAULT_TSS); ++ set_task_gate(X86_TRAP_DF, GDT_ENTRY_DOUBLEFAULT_TSS); + #else +- set_intr_gate_ist(8, &double_fault, DOUBLEFAULT_STACK); ++ set_intr_gate_ist(X86_TRAP_DF, &double_fault, DOUBLEFAULT_STACK); + #endif +- set_intr_gate(9, &coprocessor_segment_overrun); +- set_intr_gate(10, &invalid_TSS); +- set_intr_gate(11, &segment_not_present); +- set_intr_gate_ist(12, &stack_segment, STACKFAULT_STACK); +- set_intr_gate(13, &general_protection); +- set_intr_gate(15, &spurious_interrupt_bug); +- set_intr_gate(16, &coprocessor_error); +- set_intr_gate(17, &alignment_check); ++ set_intr_gate(X86_TRAP_OLD_MF, &coprocessor_segment_overrun); ++ set_intr_gate(X86_TRAP_TS, &invalid_TSS); ++ set_intr_gate(X86_TRAP_NP, &segment_not_present); ++ set_intr_gate_ist(X86_TRAP_SS, &stack_segment, STACKFAULT_STACK); ++ set_intr_gate(X86_TRAP_GP, &general_protection); ++ set_intr_gate(X86_TRAP_SPURIOUS, &spurious_interrupt_bug); ++ set_intr_gate(X86_TRAP_MF, &coprocessor_error); ++ set_intr_gate(X86_TRAP_AC, &alignment_check); + #ifdef CONFIG_X86_MCE +- set_intr_gate_ist(18, &machine_check, MCE_STACK); ++ set_intr_gate_ist(X86_TRAP_MC, &machine_check, MCE_STACK); + #endif +- set_intr_gate(19, &simd_coprocessor_error); ++ set_intr_gate(X86_TRAP_XF, &simd_coprocessor_error); + + /* Reserve all the builtin and the syscall vector: */ + for (i = 0; i < FIRST_EXTERNAL_VECTOR; i++) +diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c +index 4d320b2..bef9991 100644 +--- a/arch/x86/platform/efi/efi.c ++++ b/arch/x86/platform/efi/efi.c +@@ -49,9 +49,6 @@ + #define EFI_DEBUG 1 + #define PFX "EFI: " + +-int efi_enabled; +-EXPORT_SYMBOL(efi_enabled); +- + struct efi __read_mostly efi = { + .mps = EFI_INVALID_TABLE_ADDR, + .acpi = EFI_INVALID_TABLE_ADDR, +@@ -70,9 +67,25 @@ struct efi_memory_map memmap; + static struct efi efi_phys __initdata; + static efi_system_table_t efi_systab __initdata; + ++static inline bool efi_is_native(void) ++{ ++ return IS_ENABLED(CONFIG_X86_64) == efi_enabled(EFI_64BIT); ++} ++ ++unsigned long x86_efi_facility; ++ ++/* ++ * Returns 1 if 'facility' is enabled, 0 otherwise. ++ */ ++int efi_enabled(int facility) ++{ ++ return test_bit(facility, &x86_efi_facility) != 0; ++} ++EXPORT_SYMBOL(efi_enabled); ++ + static int __init setup_noefi(char *arg) + { +- efi_enabled = 0; ++ clear_bit(EFI_BOOT, &x86_efi_facility); + return 0; + } + early_param("noefi", setup_noefi); +@@ -440,6 +453,9 @@ void __init efi_init(void) + int i = 0; + void *tmp; + ++ if (!efi_is_native()) ++ return; ++ + #ifdef CONFIG_X86_32 + efi_phys.systab = (efi_system_table_t *)boot_params.efi_info.efi_systab; + #else +@@ -467,6 +483,8 @@ void __init efi_init(void) + efi.systab->hdr.revision >> 16, + efi.systab->hdr.revision & 0xffff); + ++ set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility); ++ + /* + * Show what we know for posterity + */ +@@ -529,6 +547,8 @@ void __init efi_init(void) + early_iounmap(config_tables, + efi.systab->nr_tables * sizeof(efi_config_table_t)); + ++ set_bit(EFI_CONFIG_TABLES, &x86_efi_facility); ++ + /* + * Check out the runtime services table. We need to map + * the runtime services table so that we can grab the physical +@@ -552,6 +572,8 @@ void __init efi_init(void) + * virtual mode. + */ + efi.get_time = phys_efi_get_time; ++ ++ set_bit(EFI_RUNTIME_SERVICES, &x86_efi_facility); + } else + printk(KERN_ERR "Could not map the EFI runtime service " + "table!\n"); +@@ -571,6 +593,8 @@ void __init efi_init(void) + if (add_efi_memmap) + do_add_efi_memmap(); + ++ set_bit(EFI_MEMMAP, &x86_efi_facility); ++ + #ifdef CONFIG_X86_32 + x86_platform.get_wallclock = efi_get_time; + x86_platform.set_wallclock = efi_set_rtc_mmss; +@@ -731,7 +755,7 @@ void __init efi_enter_virtual_mode(void) + * + * Call EFI services through wrapper functions. + */ +- efi.runtime_version = efi_systab.fw_revision; ++ efi.runtime_version = efi_systab.hdr.revision; + efi.get_time = virt_efi_get_time; + efi.set_time = virt_efi_set_time; + efi.get_wakeup_time = virt_efi_get_wakeup_time; +@@ -747,6 +771,7 @@ void __init efi_enter_virtual_mode(void) + efi.query_capsule_caps = virt_efi_query_capsule_caps; + if (__supported_pte_mask & _PAGE_NX) + runtime_code_page_mkexec(); ++ clear_bit(EFI_MEMMAP, &x86_efi_facility); + early_iounmap(memmap.map, memmap.nr_map * memmap.desc_size); + memmap.map = NULL; + kfree(new_memmap); +@@ -760,6 +785,9 @@ u32 efi_mem_type(unsigned long phys_addr) + efi_memory_desc_t *md; + void *p; + ++ if (!efi_enabled(EFI_MEMMAP)) ++ return 0; ++ + for (p = memmap.map; p < memmap.map_end; p += memmap.desc_size) { + md = p; + if ((md->phys_addr <= phys_addr) && +diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c +index ac3aa54..0fba86d 100644 +--- a/arch/x86/platform/efi/efi_64.c ++++ b/arch/x86/platform/efi/efi_64.c +@@ -38,7 +38,7 @@ + #include <asm/cacheflush.h> + #include <asm/fixmap.h> + +-static pgd_t save_pgd __initdata; ++static pgd_t *save_pgd __initdata; + static unsigned long efi_flags __initdata; + + static void __init early_code_mapping_set_exec(int executable) +@@ -61,12 +61,20 @@ static void __init early_code_mapping_set_exec(int executable) + void __init efi_call_phys_prelog(void) + { + unsigned long vaddress; ++ int pgd; ++ int n_pgds; + + early_code_mapping_set_exec(1); + local_irq_save(efi_flags); +- vaddress = (unsigned long)__va(0x0UL); +- save_pgd = *pgd_offset_k(0x0UL); +- set_pgd(pgd_offset_k(0x0UL), *pgd_offset_k(vaddress)); ++ ++ n_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT), PGDIR_SIZE); ++ save_pgd = kmalloc(n_pgds * sizeof(pgd_t), GFP_KERNEL); ++ ++ for (pgd = 0; pgd < n_pgds; pgd++) { ++ save_pgd[pgd] = *pgd_offset_k(pgd * PGDIR_SIZE); ++ vaddress = (unsigned long)__va(pgd * PGDIR_SIZE); ++ set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), *pgd_offset_k(vaddress)); ++ } + __flush_tlb_all(); + } + +@@ -75,7 +83,11 @@ void __init efi_call_phys_epilog(void) + /* + * After the lock is released, the original page table is restored. + */ +- set_pgd(pgd_offset_k(0x0UL), save_pgd); ++ int pgd; ++ int n_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT) , PGDIR_SIZE); ++ for (pgd = 0; pgd < n_pgds; pgd++) ++ set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), save_pgd[pgd]); ++ kfree(save_pgd); + __flush_tlb_all(); + local_irq_restore(efi_flags); + early_code_mapping_set_exec(0); +diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c +index f31c5c5..a6664d2 100644 +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -255,7 +255,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) + return acpi_rsdp; + #endif + +- if (efi_enabled) { ++ if (efi_enabled(EFI_CONFIG_TABLES)) { + if (efi.acpi20 != EFI_INVALID_TABLE_ADDR) + return efi.acpi20; + else if (efi.acpi != EFI_INVALID_TABLE_ADDR) +diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c +index 0e8e2de..de0791c 100644 +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -989,6 +989,9 @@ static int acpi_processor_setup_cpuidle_cx(struct acpi_processor *pr) + return -EINVAL; + } + ++ if (!dev) ++ return -EINVAL; ++ + dev->cpu = pr->id; + + if (max_cstate == 0) +@@ -1175,6 +1178,7 @@ int acpi_processor_cst_has_changed(struct acpi_processor *pr) + } + + /* Populate Updated C-state information */ ++ acpi_processor_get_power_info(pr); + acpi_processor_setup_cpuidle_states(pr); + + /* Enable all cpuidle devices */ +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 608257a..b07edc4 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -395,7 +395,10 @@ static const struct pci_device_id ahci_pci_tbl[] = { + { PCI_VDEVICE(PROMISE, 0x3f20), board_ahci }, /* PDC42819 */ + + /* Asmedia */ +- { PCI_VDEVICE(ASMEDIA, 0x0612), board_ahci }, /* ASM1061 */ ++ { PCI_VDEVICE(ASMEDIA, 0x0601), board_ahci }, /* ASM1060 */ ++ { PCI_VDEVICE(ASMEDIA, 0x0602), board_ahci }, /* ASM1060 */ ++ { PCI_VDEVICE(ASMEDIA, 0x0611), board_ahci }, /* ASM1061 */ ++ { PCI_VDEVICE(ASMEDIA, 0x0612), board_ahci }, /* ASM1062 */ + + /* Generic, PCI class code for AHCI */ + { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, +diff --git a/drivers/block/drbd/drbd_req.c b/drivers/block/drbd/drbd_req.c +index 4a0f314..be984e0 100644 +--- a/drivers/block/drbd/drbd_req.c ++++ b/drivers/block/drbd/drbd_req.c +@@ -37,6 +37,7 @@ static void _drbd_start_io_acct(struct drbd_conf *mdev, struct drbd_request *req + const int rw = bio_data_dir(bio); + int cpu; + cpu = part_stat_lock(); ++ part_round_stats(cpu, &mdev->vdisk->part0); + part_stat_inc(cpu, &mdev->vdisk->part0, ios[rw]); + part_stat_add(cpu, &mdev->vdisk->part0, sectors[rw], bio_sectors(bio)); + part_inc_in_flight(&mdev->vdisk->part0, rw); +diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c +index de9c800..166cb36 100644 +--- a/drivers/block/virtio_blk.c ++++ b/drivers/block/virtio_blk.c +@@ -546,6 +546,7 @@ static void __devexit virtblk_remove(struct virtio_device *vdev) + { + struct virtio_blk *vblk = vdev->priv; + int index = vblk->index; ++ int refc; + + /* Prevent config work handler from accessing the device. */ + mutex_lock(&vblk->config_lock); +@@ -560,11 +561,15 @@ static void __devexit virtblk_remove(struct virtio_device *vdev) + + flush_work(&vblk->config_work); + ++ refc = atomic_read(&disk_to_dev(vblk->disk)->kobj.kref.refcount); + put_disk(vblk->disk); + mempool_destroy(vblk->pool); + vdev->config->del_vqs(vdev); + kfree(vblk); +- ida_simple_remove(&vd_index_ida, index); ++ ++ /* Only free device id if we don't have any users */ ++ if (refc == 1) ++ ida_simple_remove(&vd_index_ida, index); + } + + static const struct virtio_device_id id_table[] = { +diff --git a/drivers/dma/ioat/dma_v3.c b/drivers/dma/ioat/dma_v3.c +index 2dbf32b..714560f 100644 +--- a/drivers/dma/ioat/dma_v3.c ++++ b/drivers/dma/ioat/dma_v3.c +@@ -949,7 +949,7 @@ static int __devinit ioat_xor_val_self_test(struct ioatdma_device *device) + goto free_resources; + } + } +- dma_sync_single_for_device(dev, dest_dma, PAGE_SIZE, DMA_TO_DEVICE); ++ dma_sync_single_for_device(dev, dest_dma, PAGE_SIZE, DMA_FROM_DEVICE); + + /* skip validate if the capability is not present */ + if (!dma_has_cap(DMA_XOR_VAL, dma_chan->device->cap_mask)) +diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c +index 495198a..8cc8676 100644 +--- a/drivers/edac/edac_pci_sysfs.c ++++ b/drivers/edac/edac_pci_sysfs.c +@@ -257,7 +257,7 @@ static ssize_t edac_pci_dev_store(struct kobject *kobj, + struct edac_pci_dev_attribute *edac_pci_dev; + edac_pci_dev = (struct edac_pci_dev_attribute *)attr; + +- if (edac_pci_dev->show) ++ if (edac_pci_dev->store) + return edac_pci_dev->store(edac_pci_dev->value, buffer, count); + return -EIO; + } +diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c +index b298158..982f1f5 100644 +--- a/drivers/firmware/dmi_scan.c ++++ b/drivers/firmware/dmi_scan.c +@@ -16,6 +16,7 @@ + */ + static char dmi_empty_string[] = " "; + ++static u16 __initdata dmi_ver; + /* + * Catch too early calls to dmi_check_system(): + */ +@@ -118,12 +119,12 @@ static int __init dmi_walk_early(void (*decode)(const struct dmi_header *, + return 0; + } + +-static int __init dmi_checksum(const u8 *buf) ++static int __init dmi_checksum(const u8 *buf, u8 len) + { + u8 sum = 0; + int a; + +- for (a = 0; a < 15; a++) ++ for (a = 0; a < len; a++) + sum += buf[a]; + + return sum == 0; +@@ -161,8 +162,10 @@ static void __init dmi_save_uuid(const struct dmi_header *dm, int slot, int inde + return; + + for (i = 0; i < 16 && (is_ff || is_00); i++) { +- if(d[i] != 0x00) is_ff = 0; +- if(d[i] != 0xFF) is_00 = 0; ++ if (d[i] != 0x00) ++ is_00 = 0; ++ if (d[i] != 0xFF) ++ is_ff = 0; + } + + if (is_ff || is_00) +@@ -172,7 +175,15 @@ static void __init dmi_save_uuid(const struct dmi_header *dm, int slot, int inde + if (!s) + return; + +- sprintf(s, "%pUB", d); ++ /* ++ * As of version 2.6 of the SMBIOS specification, the first 3 fields of ++ * the UUID are supposed to be little-endian encoded. The specification ++ * says that this is the defacto standard. ++ */ ++ if (dmi_ver >= 0x0206) ++ sprintf(s, "%pUL", d); ++ else ++ sprintf(s, "%pUB", d); + + dmi_ident[slot] = s; + } +@@ -404,35 +415,63 @@ static int __init dmi_present(const char __iomem *p) + u8 buf[15]; + + memcpy_fromio(buf, p, 15); +- if ((memcmp(buf, "_DMI_", 5) == 0) && dmi_checksum(buf)) { ++ if (dmi_checksum(buf, 15)) { + dmi_num = (buf[13] << 8) | buf[12]; + dmi_len = (buf[7] << 8) | buf[6]; + dmi_base = (buf[11] << 24) | (buf[10] << 16) | + (buf[9] << 8) | buf[8]; + +- /* +- * DMI version 0.0 means that the real version is taken from +- * the SMBIOS version, which we don't know at this point. +- */ +- if (buf[14] != 0) +- printk(KERN_INFO "DMI %d.%d present.\n", +- buf[14] >> 4, buf[14] & 0xF); +- else +- printk(KERN_INFO "DMI present.\n"); + if (dmi_walk_early(dmi_decode) == 0) { ++ if (dmi_ver) ++ pr_info("SMBIOS %d.%d present.\n", ++ dmi_ver >> 8, dmi_ver & 0xFF); ++ else { ++ dmi_ver = (buf[14] & 0xF0) << 4 | ++ (buf[14] & 0x0F); ++ pr_info("Legacy DMI %d.%d present.\n", ++ dmi_ver >> 8, dmi_ver & 0xFF); ++ } + dmi_dump_ids(); + return 0; + } + } ++ dmi_ver = 0; + return 1; + } + ++static int __init smbios_present(const char __iomem *p) ++{ ++ u8 buf[32]; ++ int offset = 0; ++ ++ memcpy_fromio(buf, p, 32); ++ if ((buf[5] < 32) && dmi_checksum(buf, buf[5])) { ++ dmi_ver = (buf[6] << 8) + buf[7]; ++ ++ /* Some BIOS report weird SMBIOS version, fix that up */ ++ switch (dmi_ver) { ++ case 0x021F: ++ case 0x0221: ++ pr_debug("SMBIOS version fixup(2.%d->2.%d)\n", ++ dmi_ver & 0xFF, 3); ++ dmi_ver = 0x0203; ++ break; ++ case 0x0233: ++ pr_debug("SMBIOS version fixup(2.%d->2.%d)\n", 51, 6); ++ dmi_ver = 0x0206; ++ break; ++ } ++ offset = 16; ++ } ++ return dmi_present(buf + offset); ++} ++ + void __init dmi_scan_machine(void) + { + char __iomem *p, *q; + int rc; + +- if (efi_enabled) { ++ if (efi_enabled(EFI_CONFIG_TABLES)) { + if (efi.smbios == EFI_INVALID_TABLE_ADDR) + goto error; + +@@ -444,7 +483,7 @@ void __init dmi_scan_machine(void) + if (p == NULL) + goto error; + +- rc = dmi_present(p + 0x10); /* offset of _DMI_ string */ ++ rc = smbios_present(p); + dmi_iounmap(p, 32); + if (!rc) { + dmi_available = 1; +@@ -462,7 +501,12 @@ void __init dmi_scan_machine(void) + goto error; + + for (q = p; q < p + 0x10000; q += 16) { +- rc = dmi_present(q); ++ if (memcmp(q, "_SM_", 4) == 0 && q - p <= 0xFFE0) ++ rc = smbios_present(q); ++ else if (memcmp(q, "_DMI_", 5) == 0) ++ rc = dmi_present(q); ++ else ++ continue; + if (!rc) { + dmi_available = 1; + dmi_iounmap(p, 0x10000); +diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c +index 3e60e8d..5d5a868 100644 +--- a/drivers/firmware/efivars.c ++++ b/drivers/firmware/efivars.c +@@ -1222,7 +1222,7 @@ efivars_init(void) + printk(KERN_INFO "EFI Variables Facility v%s %s\n", EFIVARS_VERSION, + EFIVARS_DATE); + +- if (!efi_enabled) ++ if (!efi_enabled(EFI_RUNTIME_SERVICES)) + return 0; + + /* For now we'll register the efi directory at /sys/firmware/efi */ +@@ -1260,7 +1260,7 @@ err_put: + static void __exit + efivars_exit(void) + { +- if (efi_enabled) { ++ if (efi_enabled(EFI_RUNTIME_SERVICES)) { + unregister_efivars(&__efivars); + kobject_put(efi_kobj); + } +diff --git a/drivers/firmware/iscsi_ibft_find.c b/drivers/firmware/iscsi_ibft_find.c +index 4da4eb9..2224f1d 100644 +--- a/drivers/firmware/iscsi_ibft_find.c ++++ b/drivers/firmware/iscsi_ibft_find.c +@@ -99,7 +99,7 @@ unsigned long __init find_ibft_region(unsigned long *sizep) + /* iBFT 1.03 section 1.4.3.1 mandates that UEFI machines will + * only use ACPI for this */ + +- if (!efi_enabled) ++ if (!efi_enabled(EFI_BOOT)) + find_ibft_in_mem(); + + if (ibft_addr) { +diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c +index d00f905..10fe480 100644 +--- a/drivers/gpu/drm/i915/i915_debugfs.c ++++ b/drivers/gpu/drm/i915/i915_debugfs.c +@@ -30,6 +30,7 @@ + #include <linux/debugfs.h> + #include <linux/slab.h> + #include <linux/export.h> ++#include <generated/utsrelease.h> + #include "drmP.h" + #include "drm.h" + #include "intel_drv.h" +@@ -755,6 +756,7 @@ static int i915_error_state(struct seq_file *m, void *unused) + + seq_printf(m, "Time: %ld s %ld us\n", error->time.tv_sec, + error->time.tv_usec); ++ seq_printf(m, "Kernel: " UTS_RELEASE); + seq_printf(m, "PCI ID: 0x%04x\n", dev->pci_device); + seq_printf(m, "EIR: 0x%08x\n", error->eir); + seq_printf(m, "PGTBL_ER: 0x%08x\n", error->pgtbl_er); +diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c +index 5950ba3..b0186b8 100644 +--- a/drivers/gpu/drm/i915/i915_gem.c ++++ b/drivers/gpu/drm/i915/i915_gem.c +@@ -3456,14 +3456,15 @@ i915_gem_pin_ioctl(struct drm_device *dev, void *data, + goto out; + } + +- obj->user_pin_count++; +- obj->pin_filp = file; +- if (obj->user_pin_count == 1) { ++ if (obj->user_pin_count == 0) { + ret = i915_gem_object_pin(obj, args->alignment, true); + if (ret) + goto out; + } + ++ obj->user_pin_count++; ++ obj->pin_filp = file; ++ + /* XXX - flush the CPU caches for pinned objects + * as the X server doesn't manage domains yet + */ +diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c +index 1202198..878b989 100644 +--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c ++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c +@@ -657,6 +657,8 @@ i915_gem_execbuffer_relocate_slow(struct drm_device *dev, + total = 0; + for (i = 0; i < count; i++) { + struct drm_i915_gem_relocation_entry __user *user_relocs; ++ u64 invalid_offset = (u64)-1; ++ int j; + + user_relocs = (void __user *)(uintptr_t)exec[i].relocs_ptr; + +@@ -667,6 +669,25 @@ i915_gem_execbuffer_relocate_slow(struct drm_device *dev, + goto err; + } + ++ /* As we do not update the known relocation offsets after ++ * relocating (due to the complexities in lock handling), ++ * we need to mark them as invalid now so that we force the ++ * relocation processing next time. Just in case the target ++ * object is evicted and then rebound into its old ++ * presumed_offset before the next execbuffer - if that ++ * happened we would make the mistake of assuming that the ++ * relocations were valid. ++ */ ++ for (j = 0; j < exec[i].relocation_count; j++) { ++ if (copy_to_user(&user_relocs[j].presumed_offset, ++ &invalid_offset, ++ sizeof(invalid_offset))) { ++ ret = -EFAULT; ++ mutex_lock(&dev->struct_mutex); ++ goto err; ++ } ++ } ++ + reloc_offset[i] = total; + total += exec[i].relocation_count; + } +diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h +index 7a10f5f..124dd87 100644 +--- a/drivers/gpu/drm/i915/i915_reg.h ++++ b/drivers/gpu/drm/i915/i915_reg.h +@@ -27,6 +27,8 @@ + + #define _PIPE(pipe, a, b) ((a) + (pipe)*((b)-(a))) + ++#define _MASKED_BIT_ENABLE(a) (((a) << 16) | (a)) ++ + /* + * The Bridge device's PCI config space has information about the + * fb aperture size and the amount of pre-reserved memory. +@@ -389,6 +391,7 @@ + * the enables for writing to the corresponding low bit. + */ + #define _3D_CHICKEN 0x02084 ++#define _3D_CHICKEN_HIZ_PLANE_DISABLE_MSAA_4X_SNB (1 << 10) + #define _3D_CHICKEN2 0x0208c + /* Disables pipelining of read flushes past the SF-WIZ interface. + * Required on all Ironlake steppings according to the B-Spec, but the +@@ -399,7 +402,8 @@ + + #define MI_MODE 0x0209c + # define VS_TIMER_DISPATCH (1 << 6) +-# define MI_FLUSH_ENABLE (1 << 11) ++# define MI_FLUSH_ENABLE (1 << 12) ++# define ASYNC_FLIP_PERF_DISABLE (1 << 14) + + #define GEN6_GT_MODE 0x20d0 + #define GEN6_GT_MODE_HI (1 << 9) +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index fa9639b..c05e825 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -8279,6 +8279,10 @@ static void gen6_init_clock_gating(struct drm_device *dev) + I915_READ(ILK_DISPLAY_CHICKEN2) | + ILK_ELPIN_409_SELECT); + ++ /* WaDisableHiZPlanesWhenMSAAEnabled */ ++ I915_WRITE(_3D_CHICKEN, ++ _MASKED_BIT_ENABLE(_3D_CHICKEN_HIZ_PLANE_DISABLE_MSAA_4X_SNB)); ++ + I915_WRITE(WM3_LP_ILK, 0); + I915_WRITE(WM2_LP_ILK, 0); + I915_WRITE(WM1_LP_ILK, 0); +diff --git a/drivers/gpu/drm/i915/intel_lvds.c b/drivers/gpu/drm/i915/intel_lvds.c +index c6d0966..6601d21 100644 +--- a/drivers/gpu/drm/i915/intel_lvds.c ++++ b/drivers/gpu/drm/i915/intel_lvds.c +@@ -774,14 +774,6 @@ static const struct dmi_system_id intel_no_lvds[] = { + }, + { + .callback = intel_no_lvds_dmi_callback, +- .ident = "ZOTAC ZBOXSD-ID12/ID13", +- .matches = { +- DMI_MATCH(DMI_BOARD_VENDOR, "ZOTAC"), +- DMI_MATCH(DMI_BOARD_NAME, "ZBOXSD-ID12/ID13"), +- }, +- }, +- { +- .callback = intel_no_lvds_dmi_callback, + .ident = "Gigabyte GA-D525TUD", + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "Gigabyte Technology Co., Ltd."), +diff --git a/drivers/gpu/drm/i915/intel_ringbuffer.c b/drivers/gpu/drm/i915/intel_ringbuffer.c +index 19085c0..4fddd21 100644 +--- a/drivers/gpu/drm/i915/intel_ringbuffer.c ++++ b/drivers/gpu/drm/i915/intel_ringbuffer.c +@@ -398,15 +398,26 @@ static int init_render_ring(struct intel_ring_buffer *ring) + + if (INTEL_INFO(dev)->gen > 3) { + int mode = VS_TIMER_DISPATCH << 16 | VS_TIMER_DISPATCH; +- if (IS_GEN6(dev) || IS_GEN7(dev)) +- mode |= MI_FLUSH_ENABLE << 16 | MI_FLUSH_ENABLE; + I915_WRITE(MI_MODE, mode); +- if (IS_GEN7(dev)) +- I915_WRITE(GFX_MODE_GEN7, +- GFX_MODE_DISABLE(GFX_TLB_INVALIDATE_ALWAYS) | +- GFX_MODE_ENABLE(GFX_REPLAY_MODE)); + } + ++ /* We need to disable the AsyncFlip performance optimisations in order ++ * to use MI_WAIT_FOR_EVENT within the CS. It should already be ++ * programmed to '1' on all products. ++ */ ++ if (INTEL_INFO(dev)->gen >= 6) ++ I915_WRITE(MI_MODE, GFX_MODE_ENABLE(ASYNC_FLIP_PERF_DISABLE)); ++ ++ /* Required for the hardware to program scanline values for waiting */ ++ if (INTEL_INFO(dev)->gen == 6) ++ I915_WRITE(GFX_MODE, ++ GFX_MODE_ENABLE(GFX_TLB_INVALIDATE_ALWAYS)); ++ ++ if (IS_GEN7(dev)) ++ I915_WRITE(GFX_MODE_GEN7, ++ GFX_MODE_DISABLE(GFX_TLB_INVALIDATE_ALWAYS) | ++ GFX_MODE_ENABLE(GFX_REPLAY_MODE)); ++ + if (INTEL_INFO(dev)->gen >= 5) { + ret = init_pipe_control(ring); + if (ret) +diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c +index 29afd71..1f32557 100644 +--- a/drivers/gpu/drm/radeon/radeon_cs.c ++++ b/drivers/gpu/drm/radeon/radeon_cs.c +@@ -168,6 +168,8 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data) + if (p->chunks[i].kpage[0] == NULL || p->chunks[i].kpage[1] == NULL) { + kfree(p->chunks[i].kpage[0]); + kfree(p->chunks[i].kpage[1]); ++ p->chunks[i].kpage[0] = NULL; ++ p->chunks[i].kpage[1] = NULL; + return -ENOMEM; + } + p->chunks[i].kpage_idx[0] = -1; +diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c +index c5762e3..bd959c1 100644 +--- a/drivers/gpu/drm/radeon/radeon_device.c ++++ b/drivers/gpu/drm/radeon/radeon_device.c +@@ -354,7 +354,8 @@ bool radeon_card_posted(struct radeon_device *rdev) + { + uint32_t reg; + +- if (efi_enabled && rdev->pdev->subsystem_vendor == PCI_VENDOR_ID_APPLE) ++ if (efi_enabled(EFI_BOOT) && ++ rdev->pdev->subsystem_vendor == PCI_VENDOR_ID_APPLE) + return false; + + /* first check CRTCs */ +diff --git a/drivers/gpu/drm/radeon/radeon_legacy_encoders.c b/drivers/gpu/drm/radeon/radeon_legacy_encoders.c +index 8165953..a906803 100644 +--- a/drivers/gpu/drm/radeon/radeon_legacy_encoders.c ++++ b/drivers/gpu/drm/radeon/radeon_legacy_encoders.c +@@ -617,6 +617,14 @@ static enum drm_connector_status radeon_legacy_primary_dac_detect(struct drm_enc + enum drm_connector_status found = connector_status_disconnected; + bool color = true; + ++ /* just don't bother on RN50 those chip are often connected to remoting ++ * console hw and often we get failure to load detect those. So to make ++ * everyone happy report the encoder as always connected. ++ */ ++ if (ASIC_IS_RN50(rdev)) { ++ return connector_status_connected; ++ } ++ + /* save the regs we need */ + vclk_ecp_cntl = RREG32_PLL(RADEON_VCLK_ECP_CNTL); + crtc_ext_cntl = RREG32(RADEON_CRTC_EXT_CNTL); +diff --git a/drivers/idle/intel_idle.c b/drivers/idle/intel_idle.c +index 3f28290..4fa2b11 100644 +--- a/drivers/idle/intel_idle.c ++++ b/drivers/idle/intel_idle.c +@@ -431,10 +431,8 @@ static int intel_idle_probe(void) + + if (boot_cpu_has(X86_FEATURE_ARAT)) /* Always Reliable APIC Timer */ + lapic_timer_reliable_states = LAPIC_TIMER_ALWAYS_RELIABLE; +- else { ++ else + on_each_cpu(__setup_broadcast_timer, (void *)true, 1); +- register_cpu_notifier(&setup_broadcast_notifier); +- } + + pr_debug(PREFIX "v" INTEL_IDLE_VERSION + " model 0x%X\n", boot_cpu_data.x86_model); +@@ -597,6 +595,9 @@ static int __init intel_idle_init(void) + return retval; + } + ++ if (lapic_timer_reliable_states != LAPIC_TIMER_ALWAYS_RELIABLE) ++ register_cpu_notifier(&setup_broadcast_notifier); ++ + return 0; + } + +diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c +index ef2d493..62a4d5c 100644 +--- a/drivers/iommu/amd_iommu_init.c ++++ b/drivers/iommu/amd_iommu_init.c +@@ -916,6 +916,38 @@ static void __init free_iommu_all(void) + } + + /* ++ * Family15h Model 10h-1fh erratum 746 (IOMMU Logging May Stall Translations) ++ * Workaround: ++ * BIOS should disable L2B micellaneous clock gating by setting ++ * L2_L2B_CK_GATE_CONTROL[CKGateL2BMiscDisable](D0F2xF4_x90[2]) = 1b ++ */ ++static void __init amd_iommu_erratum_746_workaround(struct amd_iommu *iommu) ++{ ++ u32 value; ++ ++ if ((boot_cpu_data.x86 != 0x15) || ++ (boot_cpu_data.x86_model < 0x10) || ++ (boot_cpu_data.x86_model > 0x1f)) ++ return; ++ ++ pci_write_config_dword(iommu->dev, 0xf0, 0x90); ++ pci_read_config_dword(iommu->dev, 0xf4, &value); ++ ++ if (value & BIT(2)) ++ return; ++ ++ /* Select NB indirect register 0x90 and enable writing */ ++ pci_write_config_dword(iommu->dev, 0xf0, 0x90 | (1 << 8)); ++ ++ pci_write_config_dword(iommu->dev, 0xf4, value | 0x4); ++ pr_info("AMD-Vi: Applying erratum 746 workaround for IOMMU at %s\n", ++ dev_name(&iommu->dev->dev)); ++ ++ /* Clear the enable writing bit */ ++ pci_write_config_dword(iommu->dev, 0xf0, 0x90); ++} ++ ++/* + * This function clues the initialization function for one IOMMU + * together and also allocates the command buffer and programs the + * hardware. It does NOT enable the IOMMU. This is done afterwards. +@@ -970,6 +1002,8 @@ static int __init init_iommu_one(struct amd_iommu *iommu, struct ivhd_header *h) + if (iommu->cap & (1UL << IOMMU_CAP_NPCACHE)) + amd_iommu_np_cache = true; + ++ amd_iommu_erratum_746_workaround(iommu); ++ + return pci_enable_device(iommu->dev); + } + +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c +index 9a6cc92..dffdca8 100644 +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -2302,8 +2302,39 @@ static int domain_add_dev_info(struct dmar_domain *domain, + return 0; + } + ++static bool device_has_rmrr(struct pci_dev *dev) ++{ ++ struct dmar_rmrr_unit *rmrr; ++ int i; ++ ++ for_each_rmrr_units(rmrr) { ++ for (i = 0; i < rmrr->devices_cnt; i++) { ++ /* ++ * Return TRUE if this RMRR contains the device that ++ * is passed in. ++ */ ++ if (rmrr->devices[i] == dev) ++ return true; ++ } ++ } ++ return false; ++} ++ + static int iommu_should_identity_map(struct pci_dev *pdev, int startup) + { ++ ++ /* ++ * We want to prevent any device associated with an RMRR from ++ * getting placed into the SI Domain. This is done because ++ * problems exist when devices are moved in and out of domains ++ * and their respective RMRR info is lost. We exempt USB devices ++ * from this process due to their usage of RMRRs that are known ++ * to not be needed after BIOS hand-off to OS. ++ */ ++ if (device_has_rmrr(pdev) && ++ (pdev->class >> 8) != PCI_CLASS_SERIAL_USB) ++ return 0; ++ + if ((iommu_identity_mapping & IDENTMAP_AZALIA) && IS_AZALIA(pdev)) + return 1; + +@@ -4090,6 +4121,21 @@ static struct iommu_ops intel_iommu_ops = { + .domain_has_cap = intel_iommu_domain_has_cap, + }; + ++static void quirk_iommu_g4x_gfx(struct pci_dev *dev) ++{ ++ /* G4x/GM45 integrated gfx dmar support is totally busted. */ ++ printk(KERN_INFO "DMAR: Disabling IOMMU for graphics on this chipset\n"); ++ dmar_map_gfx = 0; ++} ++ ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2a40, quirk_iommu_g4x_gfx); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e00, quirk_iommu_g4x_gfx); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e10, quirk_iommu_g4x_gfx); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e20, quirk_iommu_g4x_gfx); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e30, quirk_iommu_g4x_gfx); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e40, quirk_iommu_g4x_gfx); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e90, quirk_iommu_g4x_gfx); ++ + static void __devinit quirk_iommu_rwbf(struct pci_dev *dev) + { + /* +@@ -4098,12 +4144,6 @@ static void __devinit quirk_iommu_rwbf(struct pci_dev *dev) + */ + printk(KERN_INFO "DMAR: Forcing write-buffer flush capability\n"); + rwbf_quirk = 1; +- +- /* https://bugzilla.redhat.com/show_bug.cgi?id=538163 */ +- if (dev->revision == 0x07) { +- printk(KERN_INFO "DMAR: Disabling IOMMU for graphics on this chipset\n"); +- dmar_map_gfx = 0; +- } + } + + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2a40, quirk_iommu_rwbf); +diff --git a/drivers/net/can/c_can/c_can.c b/drivers/net/can/c_can/c_can.c +index 86cd532..21a3d77 100644 +--- a/drivers/net/can/c_can/c_can.c ++++ b/drivers/net/can/c_can/c_can.c +@@ -914,7 +914,7 @@ static int c_can_handle_bus_err(struct net_device *dev, + break; + case LEC_ACK_ERROR: + netdev_dbg(dev, "ack error\n"); +- cf->data[2] |= (CAN_ERR_PROT_LOC_ACK | ++ cf->data[3] |= (CAN_ERR_PROT_LOC_ACK | + CAN_ERR_PROT_LOC_ACK_DEL); + break; + case LEC_BIT1_ERROR: +@@ -927,7 +927,7 @@ static int c_can_handle_bus_err(struct net_device *dev, + break; + case LEC_CRC_ERROR: + netdev_dbg(dev, "CRC error\n"); +- cf->data[2] |= (CAN_ERR_PROT_LOC_CRC_SEQ | ++ cf->data[3] |= (CAN_ERR_PROT_LOC_CRC_SEQ | + CAN_ERR_PROT_LOC_CRC_DEL); + break; + default: +diff --git a/drivers/net/can/pch_can.c b/drivers/net/can/pch_can.c +index d11fbb2..b508a63 100644 +--- a/drivers/net/can/pch_can.c ++++ b/drivers/net/can/pch_can.c +@@ -559,7 +559,7 @@ static void pch_can_error(struct net_device *ndev, u32 status) + stats->rx_errors++; + break; + case PCH_CRC_ERR: +- cf->data[2] |= CAN_ERR_PROT_LOC_CRC_SEQ | ++ cf->data[3] |= CAN_ERR_PROT_LOC_CRC_SEQ | + CAN_ERR_PROT_LOC_CRC_DEL; + priv->can.can_stats.bus_error++; + stats->rx_errors++; +diff --git a/drivers/net/can/ti_hecc.c b/drivers/net/can/ti_hecc.c +index 79c70ae..1ef9df8 100644 +--- a/drivers/net/can/ti_hecc.c ++++ b/drivers/net/can/ti_hecc.c +@@ -735,12 +735,12 @@ static int ti_hecc_error(struct net_device *ndev, int int_status, + } + if (err_status & HECC_CANES_CRCE) { + hecc_set_bit(priv, HECC_CANES, HECC_CANES_CRCE); +- cf->data[2] |= CAN_ERR_PROT_LOC_CRC_SEQ | ++ cf->data[3] |= CAN_ERR_PROT_LOC_CRC_SEQ | + CAN_ERR_PROT_LOC_CRC_DEL; + } + if (err_status & HECC_CANES_ACKE) { + hecc_set_bit(priv, HECC_CANES, HECC_CANES_ACKE); +- cf->data[2] |= CAN_ERR_PROT_LOC_ACK | ++ cf->data[3] |= CAN_ERR_PROT_LOC_ACK | + CAN_ERR_PROT_LOC_ACK_DEL; + } + } +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 222954d..cf177b8 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -939,17 +939,18 @@ static int igb_request_msix(struct igb_adapter *adapter) + { + struct net_device *netdev = adapter->netdev; + struct e1000_hw *hw = &adapter->hw; +- int i, err = 0, vector = 0; ++ int i, err = 0, vector = 0, free_vector = 0; + + err = request_irq(adapter->msix_entries[vector].vector, + igb_msix_other, 0, netdev->name, adapter); + if (err) +- goto out; +- vector++; ++ goto err_out; + + for (i = 0; i < adapter->num_q_vectors; i++) { + struct igb_q_vector *q_vector = adapter->q_vector[i]; + ++ vector++; ++ + q_vector->itr_register = hw->hw_addr + E1000_EITR(vector); + + if (q_vector->rx.ring && q_vector->tx.ring) +@@ -968,13 +969,22 @@ static int igb_request_msix(struct igb_adapter *adapter) + igb_msix_ring, 0, q_vector->name, + q_vector); + if (err) +- goto out; +- vector++; ++ goto err_free; + } + + igb_configure_msix(adapter); + return 0; +-out: ++ ++err_free: ++ /* free already assigned IRQs */ ++ free_irq(adapter->msix_entries[free_vector++].vector, adapter); ++ ++ vector--; ++ for (i = 0; i < vector; i++) { ++ free_irq(adapter->msix_entries[free_vector++].vector, ++ adapter->q_vector[i]); ++ } ++err_out: + return err; + } + +diff --git a/drivers/net/wireless/ath/ath9k/ar9003_calib.c b/drivers/net/wireless/ath/ath9k/ar9003_calib.c +index 12a730d..ae750f9 100644 +--- a/drivers/net/wireless/ath/ath9k/ar9003_calib.c ++++ b/drivers/net/wireless/ath/ath9k/ar9003_calib.c +@@ -946,6 +946,8 @@ static bool ar9003_hw_init_cal(struct ath_hw *ah, + AR_PHY_CL_TAB_1, + AR_PHY_CL_TAB_2 }; + ++ ar9003_hw_set_chain_masks(ah, ah->caps.rx_chainmask, ah->caps.tx_chainmask); ++ + if (rtt) { + if (!ar9003_hw_rtt_restore(ah, chan)) + run_rtt_cal = true; +diff --git a/drivers/net/wireless/ath/ath9k/ar9003_phy.c b/drivers/net/wireless/ath/ath9k/ar9003_phy.c +index 2330e7e..73be7ff 100644 +--- a/drivers/net/wireless/ath/ath9k/ar9003_phy.c ++++ b/drivers/net/wireless/ath/ath9k/ar9003_phy.c +@@ -541,35 +541,22 @@ static void ar9003_hw_init_bb(struct ath_hw *ah, + udelay(synthDelay + BASE_ACTIVATE_DELAY); + } + +-static void ar9003_hw_set_chain_masks(struct ath_hw *ah, u8 rx, u8 tx) ++void ar9003_hw_set_chain_masks(struct ath_hw *ah, u8 rx, u8 tx) + { +- switch (rx) { +- case 0x5: ++ if (ah->caps.tx_chainmask == 5 || ah->caps.rx_chainmask == 5) + REG_SET_BIT(ah, AR_PHY_ANALOG_SWAP, + AR_PHY_SWAP_ALT_CHAIN); +- case 0x3: +- case 0x1: +- case 0x2: +- case 0x7: +- REG_WRITE(ah, AR_PHY_RX_CHAINMASK, rx); +- REG_WRITE(ah, AR_PHY_CAL_CHAINMASK, rx); +- break; +- default: +- break; +- } ++ ++ REG_WRITE(ah, AR_PHY_RX_CHAINMASK, rx); ++ REG_WRITE(ah, AR_PHY_CAL_CHAINMASK, rx); + + if ((ah->caps.hw_caps & ATH9K_HW_CAP_APM) && (tx == 0x7)) +- REG_WRITE(ah, AR_SELFGEN_MASK, 0x3); ++ tx = 3; + else if (AR_SREV_9462(ah)) + /* xxx only when MCI support is enabled */ +- REG_WRITE(ah, AR_SELFGEN_MASK, 0x3); +- else +- REG_WRITE(ah, AR_SELFGEN_MASK, tx); ++ tx = 3; + +- if (tx == 0x5) { +- REG_SET_BIT(ah, AR_PHY_ANALOG_SWAP, +- AR_PHY_SWAP_ALT_CHAIN); +- } ++ REG_WRITE(ah, AR_SELFGEN_MASK, tx); + } + + /* +diff --git a/drivers/net/wireless/ath/ath9k/beacon.c b/drivers/net/wireless/ath/ath9k/beacon.c +index a13cabb..2bbc83e 100644 +--- a/drivers/net/wireless/ath/ath9k/beacon.c ++++ b/drivers/net/wireless/ath/ath9k/beacon.c +@@ -155,6 +155,7 @@ static struct ath_buf *ath_beacon_generate(struct ieee80211_hw *hw, + skb->len, DMA_TO_DEVICE); + dev_kfree_skb_any(skb); + bf->bf_buf_addr = 0; ++ bf->bf_mpdu = NULL; + } + + /* Get a new beacon from mac80211 */ +diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c +index 1b90ed8..4f7843a 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c +@@ -342,6 +342,8 @@ void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle, + endpoint->ep_callbacks.tx(endpoint->ep_callbacks.priv, + skb, htc_hdr->endpoint_id, + txok); ++ } else { ++ kfree_skb(skb); + } + } + +diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h +index a5c4ba8..0c65a09 100644 +--- a/drivers/net/wireless/ath/ath9k/hw.h ++++ b/drivers/net/wireless/ath/ath9k/hw.h +@@ -1016,6 +1016,7 @@ int ar9003_paprd_setup_gain_table(struct ath_hw *ah, int chain); + int ar9003_paprd_init_table(struct ath_hw *ah); + bool ar9003_paprd_is_done(struct ath_hw *ah); + void ar9003_hw_set_paprd_txdesc(struct ath_hw *ah, void *ds, u8 chains); ++void ar9003_hw_set_chain_masks(struct ath_hw *ah, u8 rx, u8 tx); + + /* Hardware family op attach helpers */ + void ar5008_hw_attach_phy_ops(struct ath_hw *ah); +diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c +index b4cbc82..d171a72 100644 +--- a/drivers/net/wireless/ath/ath9k/recv.c ++++ b/drivers/net/wireless/ath/ath9k/recv.c +@@ -786,6 +786,7 @@ static struct ath_buf *ath_get_next_rx_buf(struct ath_softc *sc, + return NULL; + } + ++ list_del(&bf->list); + if (!bf->bf_mpdu) + return bf; + +@@ -1966,14 +1967,15 @@ requeue_drop_frag: + sc->rx.frag = NULL; + } + requeue: ++ list_add_tail(&bf->list, &sc->rx.rxbuf); ++ if (flush) ++ continue; ++ + if (edma) { +- list_add_tail(&bf->list, &sc->rx.rxbuf); + ath_rx_edma_buf_link(sc, qtype); + } else { +- list_move_tail(&bf->list, &sc->rx.rxbuf); + ath_rx_buf_link(sc, bf); +- if (!flush) +- ath9k_hw_rxena(ah); ++ ath9k_hw_rxena(ah); + } + } while (1); + +diff --git a/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c +index 0d8a9cd..78c16eb 100644 +--- a/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c ++++ b/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c +@@ -1484,9 +1484,10 @@ void brcms_add_timer(struct brcms_timer *t, uint ms, int periodic) + #endif + t->ms = ms; + t->periodic = (bool) periodic; +- t->set = true; +- +- atomic_inc(&t->wl->callbacks); ++ if (!t->set) { ++ t->set = true; ++ atomic_inc(&t->wl->callbacks); ++ } + + ieee80211_queue_delayed_work(hw, &t->dly_wrk, msecs_to_jiffies(ms)); + } +diff --git a/drivers/net/wireless/mwifiex/pcie.c b/drivers/net/wireless/mwifiex/pcie.c +index d34acf0..de94244 100644 +--- a/drivers/net/wireless/mwifiex/pcie.c ++++ b/drivers/net/wireless/mwifiex/pcie.c +@@ -160,7 +160,7 @@ static int mwifiex_pcie_suspend(struct pci_dev *pdev, pm_message_t state) + + if (pdev) { + card = (struct pcie_service_card *) pci_get_drvdata(pdev); +- if (!card || card->adapter) { ++ if (!card || !card->adapter) { + pr_err("Card or adapter structure is not valid\n"); + return 0; + } +diff --git a/drivers/net/wireless/mwifiex/sta_ioctl.c b/drivers/net/wireless/mwifiex/sta_ioctl.c +index 1679c25..56e1c4a 100644 +--- a/drivers/net/wireless/mwifiex/sta_ioctl.c ++++ b/drivers/net/wireless/mwifiex/sta_ioctl.c +@@ -53,8 +53,7 @@ int mwifiex_copy_mcast_addr(struct mwifiex_multicast_list *mlist, + */ + int mwifiex_wait_queue_complete(struct mwifiex_adapter *adapter) + { +- bool cancel_flag = false; +- int status = adapter->cmd_wait_q.status; ++ int status; + struct cmd_ctrl_node *cmd_queued; + + if (!adapter->cmd_queued) +@@ -70,15 +69,14 @@ int mwifiex_wait_queue_complete(struct mwifiex_adapter *adapter) + queue_work(adapter->workqueue, &adapter->main_work); + + /* Wait for completion */ +- wait_event_interruptible(adapter->cmd_wait_q.wait, +- *(cmd_queued->condition)); +- if (!*(cmd_queued->condition)) +- cancel_flag = true; +- +- if (cancel_flag) { +- mwifiex_cancel_pending_ioctl(adapter); +- dev_dbg(adapter->dev, "cmd cancel\n"); ++ status = wait_event_interruptible(adapter->cmd_wait_q.wait, ++ *(cmd_queued->condition)); ++ if (status) { ++ dev_err(adapter->dev, "cmd_wait_q terminated: %d\n", status); ++ return status; + } ++ ++ status = adapter->cmd_wait_q.status; + adapter->cmd_wait_q.status = 0; + + return status; +@@ -240,6 +238,8 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss, + + if (!netif_queue_stopped(priv->netdev)) + netif_stop_queue(priv->netdev); ++ if (netif_carrier_ok(priv->netdev)) ++ netif_carrier_off(priv->netdev); + + /* Clear any past association response stored for + * application retrieval */ +@@ -271,6 +271,8 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss, + + if (!netif_queue_stopped(priv->netdev)) + netif_stop_queue(priv->netdev); ++ if (netif_carrier_ok(priv->netdev)) ++ netif_carrier_off(priv->netdev); + + if (!ret) { + dev_dbg(adapter->dev, "info: network found in scan" +@@ -421,8 +423,11 @@ int mwifiex_enable_hs(struct mwifiex_adapter *adapter) + return false; + } + +- wait_event_interruptible(adapter->hs_activate_wait_q, +- adapter->hs_activate_wait_q_woken); ++ if (wait_event_interruptible(adapter->hs_activate_wait_q, ++ adapter->hs_activate_wait_q_woken)) { ++ dev_err(adapter->dev, "hs_activate_wait_q terminated\n"); ++ return false; ++ } + + return true; + } +diff --git a/drivers/pci/hotplug/pciehp.h b/drivers/pci/hotplug/pciehp.h +index 838f571..4fff912 100644 +--- a/drivers/pci/hotplug/pciehp.h ++++ b/drivers/pci/hotplug/pciehp.h +@@ -44,8 +44,6 @@ extern int pciehp_poll_mode; + extern int pciehp_poll_time; + extern int pciehp_debug; + extern int pciehp_force; +-extern struct workqueue_struct *pciehp_wq; +-extern struct workqueue_struct *pciehp_ordered_wq; + + #define dbg(format, arg...) \ + do { \ +@@ -79,6 +77,7 @@ struct slot { + struct hotplug_slot *hotplug_slot; + struct delayed_work work; /* work for button event */ + struct mutex lock; ++ struct workqueue_struct *wq; + }; + + struct event_info { +diff --git a/drivers/pci/hotplug/pciehp_core.c b/drivers/pci/hotplug/pciehp_core.c +index 7ac8358..9350af9 100644 +--- a/drivers/pci/hotplug/pciehp_core.c ++++ b/drivers/pci/hotplug/pciehp_core.c +@@ -42,8 +42,6 @@ int pciehp_debug; + int pciehp_poll_mode; + int pciehp_poll_time; + int pciehp_force; +-struct workqueue_struct *pciehp_wq; +-struct workqueue_struct *pciehp_ordered_wq; + + #define DRIVER_VERSION "0.4" + #define DRIVER_AUTHOR "Dan Zink <dan.zink@compaq.com>, Greg Kroah-Hartman <greg@kroah.com>, Dely Sy <dely.l.sy@intel.com>" +@@ -341,33 +339,19 @@ static int __init pcied_init(void) + { + int retval = 0; + +- pciehp_wq = alloc_workqueue("pciehp", 0, 0); +- if (!pciehp_wq) +- return -ENOMEM; +- +- pciehp_ordered_wq = alloc_ordered_workqueue("pciehp_ordered", 0); +- if (!pciehp_ordered_wq) { +- destroy_workqueue(pciehp_wq); +- return -ENOMEM; +- } +- + pciehp_firmware_init(); + retval = pcie_port_service_register(&hpdriver_portdrv); + dbg("pcie_port_service_register = %d\n", retval); + info(DRIVER_DESC " version: " DRIVER_VERSION "\n"); +- if (retval) { +- destroy_workqueue(pciehp_ordered_wq); +- destroy_workqueue(pciehp_wq); ++ if (retval) + dbg("Failure to register service\n"); +- } ++ + return retval; + } + + static void __exit pcied_cleanup(void) + { + dbg("unload_pciehpd()\n"); +- destroy_workqueue(pciehp_ordered_wq); +- destroy_workqueue(pciehp_wq); + pcie_port_service_unregister(&hpdriver_portdrv); + info(DRIVER_DESC " version: " DRIVER_VERSION " unloaded\n"); + } +diff --git a/drivers/pci/hotplug/pciehp_ctrl.c b/drivers/pci/hotplug/pciehp_ctrl.c +index 085dbb5..38f0186 100644 +--- a/drivers/pci/hotplug/pciehp_ctrl.c ++++ b/drivers/pci/hotplug/pciehp_ctrl.c +@@ -49,7 +49,7 @@ static int queue_interrupt_event(struct slot *p_slot, u32 event_type) + info->p_slot = p_slot; + INIT_WORK(&info->work, interrupt_event_handler); + +- queue_work(pciehp_wq, &info->work); ++ queue_work(p_slot->wq, &info->work); + + return 0; + } +@@ -344,7 +344,7 @@ void pciehp_queue_pushbutton_work(struct work_struct *work) + kfree(info); + goto out; + } +- queue_work(pciehp_ordered_wq, &info->work); ++ queue_work(p_slot->wq, &info->work); + out: + mutex_unlock(&p_slot->lock); + } +@@ -377,7 +377,7 @@ static void handle_button_press_event(struct slot *p_slot) + if (ATTN_LED(ctrl)) + pciehp_set_attention_status(p_slot, 0); + +- queue_delayed_work(pciehp_wq, &p_slot->work, 5*HZ); ++ queue_delayed_work(p_slot->wq, &p_slot->work, 5*HZ); + break; + case BLINKINGOFF_STATE: + case BLINKINGON_STATE: +@@ -439,7 +439,7 @@ static void handle_surprise_event(struct slot *p_slot) + else + p_slot->state = POWERON_STATE; + +- queue_work(pciehp_ordered_wq, &info->work); ++ queue_work(p_slot->wq, &info->work); + } + + static void interrupt_event_handler(struct work_struct *work) +diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c +index 7b14148..fef1748 100644 +--- a/drivers/pci/hotplug/pciehp_hpc.c ++++ b/drivers/pci/hotplug/pciehp_hpc.c +@@ -789,24 +789,32 @@ static void pcie_shutdown_notification(struct controller *ctrl) + static int pcie_init_slot(struct controller *ctrl) + { + struct slot *slot; ++ char name[32]; + + slot = kzalloc(sizeof(*slot), GFP_KERNEL); + if (!slot) + return -ENOMEM; + ++ snprintf(name, sizeof(name), "pciehp-%u", PSN(ctrl)); ++ slot->wq = alloc_workqueue(name, 0, 0); ++ if (!slot->wq) ++ goto abort; ++ + slot->ctrl = ctrl; + mutex_init(&slot->lock); + INIT_DELAYED_WORK(&slot->work, pciehp_queue_pushbutton_work); + ctrl->slot = slot; + return 0; ++abort: ++ kfree(slot); ++ return -ENOMEM; + } + + static void pcie_cleanup_slot(struct controller *ctrl) + { + struct slot *slot = ctrl->slot; + cancel_delayed_work(&slot->work); +- flush_workqueue(pciehp_wq); +- flush_workqueue(pciehp_ordered_wq); ++ destroy_workqueue(slot->wq); + kfree(slot); + } + +diff --git a/drivers/pci/hotplug/shpchp.h b/drivers/pci/hotplug/shpchp.h +index e0c90e6..2c2ac80 100644 +--- a/drivers/pci/hotplug/shpchp.h ++++ b/drivers/pci/hotplug/shpchp.h +@@ -46,8 +46,6 @@ + extern int shpchp_poll_mode; + extern int shpchp_poll_time; + extern int shpchp_debug; +-extern struct workqueue_struct *shpchp_wq; +-extern struct workqueue_struct *shpchp_ordered_wq; + + #define dbg(format, arg...) \ + do { \ +@@ -91,6 +89,7 @@ struct slot { + struct list_head slot_list; + struct delayed_work work; /* work for button event */ + struct mutex lock; ++ struct workqueue_struct *wq; + u8 hp_slot; + }; + +diff --git a/drivers/pci/hotplug/shpchp_core.c b/drivers/pci/hotplug/shpchp_core.c +index dd7e0c5..754a7cd 100644 +--- a/drivers/pci/hotplug/shpchp_core.c ++++ b/drivers/pci/hotplug/shpchp_core.c +@@ -39,8 +39,6 @@ + int shpchp_debug; + int shpchp_poll_mode; + int shpchp_poll_time; +-struct workqueue_struct *shpchp_wq; +-struct workqueue_struct *shpchp_ordered_wq; + + #define DRIVER_VERSION "0.4" + #define DRIVER_AUTHOR "Dan Zink <dan.zink@compaq.com>, Greg Kroah-Hartman <greg@kroah.com>, Dely Sy <dely.l.sy@intel.com>" +@@ -123,6 +121,14 @@ static int init_slots(struct controller *ctrl) + slot->device = ctrl->slot_device_offset + i; + slot->hpc_ops = ctrl->hpc_ops; + slot->number = ctrl->first_slot + (ctrl->slot_num_inc * i); ++ ++ snprintf(name, sizeof(name), "shpchp-%d", slot->number); ++ slot->wq = alloc_workqueue(name, 0, 0); ++ if (!slot->wq) { ++ retval = -ENOMEM; ++ goto error_info; ++ } ++ + mutex_init(&slot->lock); + INIT_DELAYED_WORK(&slot->work, shpchp_queue_pushbutton_work); + +@@ -142,7 +148,7 @@ static int init_slots(struct controller *ctrl) + if (retval) { + ctrl_err(ctrl, "pci_hp_register failed with error %d\n", + retval); +- goto error_info; ++ goto error_slotwq; + } + + get_power_status(hotplug_slot, &info->power_status); +@@ -154,6 +160,8 @@ static int init_slots(struct controller *ctrl) + } + + return 0; ++error_slotwq: ++ destroy_workqueue(slot->wq); + error_info: + kfree(info); + error_hpslot: +@@ -174,8 +182,7 @@ void cleanup_slots(struct controller *ctrl) + slot = list_entry(tmp, struct slot, slot_list); + list_del(&slot->slot_list); + cancel_delayed_work(&slot->work); +- flush_workqueue(shpchp_wq); +- flush_workqueue(shpchp_ordered_wq); ++ destroy_workqueue(slot->wq); + pci_hp_deregister(slot->hotplug_slot); + } + } +@@ -358,25 +365,12 @@ static struct pci_driver shpc_driver = { + + static int __init shpcd_init(void) + { +- int retval = 0; +- +- shpchp_wq = alloc_ordered_workqueue("shpchp", 0); +- if (!shpchp_wq) +- return -ENOMEM; +- +- shpchp_ordered_wq = alloc_ordered_workqueue("shpchp_ordered", 0); +- if (!shpchp_ordered_wq) { +- destroy_workqueue(shpchp_wq); +- return -ENOMEM; +- } ++ int retval; + + retval = pci_register_driver(&shpc_driver); + dbg("%s: pci_register_driver = %d\n", __func__, retval); + info(DRIVER_DESC " version: " DRIVER_VERSION "\n"); +- if (retval) { +- destroy_workqueue(shpchp_ordered_wq); +- destroy_workqueue(shpchp_wq); +- } ++ + return retval; + } + +@@ -384,8 +378,6 @@ static void __exit shpcd_cleanup(void) + { + dbg("unload_shpchpd()\n"); + pci_unregister_driver(&shpc_driver); +- destroy_workqueue(shpchp_ordered_wq); +- destroy_workqueue(shpchp_wq); + info(DRIVER_DESC " version: " DRIVER_VERSION " unloaded\n"); + } + +diff --git a/drivers/pci/hotplug/shpchp_ctrl.c b/drivers/pci/hotplug/shpchp_ctrl.c +index b00b09b..3ffc1b2 100644 +--- a/drivers/pci/hotplug/shpchp_ctrl.c ++++ b/drivers/pci/hotplug/shpchp_ctrl.c +@@ -51,7 +51,7 @@ static int queue_interrupt_event(struct slot *p_slot, u32 event_type) + info->p_slot = p_slot; + INIT_WORK(&info->work, interrupt_event_handler); + +- queue_work(shpchp_wq, &info->work); ++ queue_work(p_slot->wq, &info->work); + + return 0; + } +@@ -456,7 +456,7 @@ void shpchp_queue_pushbutton_work(struct work_struct *work) + kfree(info); + goto out; + } +- queue_work(shpchp_ordered_wq, &info->work); ++ queue_work(p_slot->wq, &info->work); + out: + mutex_unlock(&p_slot->lock); + } +@@ -504,7 +504,7 @@ static void handle_button_press_event(struct slot *p_slot) + p_slot->hpc_ops->green_led_blink(p_slot); + p_slot->hpc_ops->set_attention_status(p_slot, 0); + +- queue_delayed_work(shpchp_wq, &p_slot->work, 5*HZ); ++ queue_delayed_work(p_slot->wq, &p_slot->work, 5*HZ); + break; + case BLINKINGOFF_STATE: + case BLINKINGON_STATE: +diff --git a/drivers/pci/pcie/aer/aerdrv_core.c b/drivers/pci/pcie/aer/aerdrv_core.c +index 9674e9f..ee82c55 100644 +--- a/drivers/pci/pcie/aer/aerdrv_core.c ++++ b/drivers/pci/pcie/aer/aerdrv_core.c +@@ -637,6 +637,7 @@ static void aer_recover_work_func(struct work_struct *work) + continue; + } + do_recovery(pdev, entry.severity); ++ pci_dev_put(pdev); + } + } + #endif +diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c +index 2275162..c73ed00 100644 +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -790,6 +790,9 @@ void pcie_clear_aspm(struct pci_bus *bus) + { + struct pci_dev *child; + ++ if (aspm_force) ++ return; ++ + /* + * Clear any ASPM setup that the firmware has carried out on this bus + */ +diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c +index 811d436..2704386 100644 +--- a/drivers/platform/x86/ibm_rtl.c ++++ b/drivers/platform/x86/ibm_rtl.c +@@ -255,7 +255,7 @@ static int __init ibm_rtl_init(void) { + if (force) + pr_warn("module loaded by force\n"); + /* first ensure that we are running on IBM HW */ +- else if (efi_enabled || !dmi_check_system(ibm_rtl_dmi_table)) ++ else if (efi_enabled(EFI_BOOT) || !dmi_check_system(ibm_rtl_dmi_table)) + return -ENODEV; + + /* Get the address for the Extended BIOS Data Area */ +diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c +index 21bc1a7..64e1f2d 100644 +--- a/drivers/platform/x86/samsung-laptop.c ++++ b/drivers/platform/x86/samsung-laptop.c +@@ -22,6 +22,7 @@ + #include <linux/platform_device.h> + #include <linux/rfkill.h> + #include <linux/acpi.h> ++#include <linux/efi.h> + + /* + * This driver is needed because a number of Samsung laptops do not hook +@@ -603,6 +604,9 @@ static int __init samsung_init(void) + int loca; + int retval; + ++ if (efi_enabled(EFI_BOOT)) ++ return -ENODEV; ++ + mutex_init(&sabi_mutex); + handle_backlight = true; + +diff --git a/drivers/regulator/max8997.c b/drivers/regulator/max8997.c +index 8cba82d..32445a7 100644 +--- a/drivers/regulator/max8997.c ++++ b/drivers/regulator/max8997.c +@@ -71,26 +71,26 @@ struct voltage_map_desc { + unsigned int n_bits; + }; + +-/* Voltage maps in mV */ ++/* Voltage maps in uV */ + static const struct voltage_map_desc ldo_voltage_map_desc = { +- .min = 800, .max = 3950, .step = 50, .n_bits = 6, ++ .min = 800000, .max = 3950000, .step = 50000, .n_bits = 6, + }; /* LDO1 ~ 18, 21 all */ + + static const struct voltage_map_desc buck1245_voltage_map_desc = { +- .min = 650, .max = 2225, .step = 25, .n_bits = 6, ++ .min = 650000, .max = 2225000, .step = 25000, .n_bits = 6, + }; /* Buck1, 2, 4, 5 */ + + static const struct voltage_map_desc buck37_voltage_map_desc = { +- .min = 750, .max = 3900, .step = 50, .n_bits = 6, ++ .min = 750000, .max = 3900000, .step = 50000, .n_bits = 6, + }; /* Buck3, 7 */ + +-/* current map in mA */ ++/* current map in uA */ + static const struct voltage_map_desc charger_current_map_desc = { +- .min = 200, .max = 950, .step = 50, .n_bits = 4, ++ .min = 200000, .max = 950000, .step = 50000, .n_bits = 4, + }; + + static const struct voltage_map_desc topoff_current_map_desc = { +- .min = 50, .max = 200, .step = 10, .n_bits = 4, ++ .min = 50000, .max = 200000, .step = 10000, .n_bits = 4, + }; + + static const struct voltage_map_desc *reg_voltage_map[] = { +@@ -199,7 +199,7 @@ static int max8997_list_voltage(struct regulator_dev *rdev, + if (val > desc->max) + return -EINVAL; + +- return val * 1000; ++ return val; + } + + static int max8997_get_enable_register(struct regulator_dev *rdev, +@@ -501,7 +501,6 @@ static int max8997_set_voltage_ldobuck(struct regulator_dev *rdev, + { + struct max8997_data *max8997 = rdev_get_drvdata(rdev); + struct i2c_client *i2c = max8997->iodev->i2c; +- int min_vol = min_uV / 1000, max_vol = max_uV / 1000; + const struct voltage_map_desc *desc; + int rid = max8997_get_rid(rdev); + int reg, shift = 0, mask, ret; +@@ -527,7 +526,7 @@ static int max8997_set_voltage_ldobuck(struct regulator_dev *rdev, + + desc = reg_voltage_map[rid]; + +- i = max8997_get_voltage_proper_val(desc, min_vol, max_vol); ++ i = max8997_get_voltage_proper_val(desc, min_uV, max_uV); + if (i < 0) + return i; + +@@ -546,7 +545,7 @@ static int max8997_set_voltage_ldobuck(struct regulator_dev *rdev, + /* If the voltage is increasing */ + if (org < i) + udelay(DIV_ROUND_UP(desc->step * (i - org), +- max8997->ramp_delay)); ++ max8997->ramp_delay * 1000)); + } + + return ret; +@@ -645,7 +644,6 @@ static int max8997_set_voltage_buck(struct regulator_dev *rdev, + const struct voltage_map_desc *desc; + int new_val, new_idx, damage, tmp_val, tmp_idx, tmp_dmg; + bool gpio_dvs_mode = false; +- int min_vol = min_uV / 1000, max_vol = max_uV / 1000; + + if (rid < MAX8997_BUCK1 || rid > MAX8997_BUCK7) + return -EINVAL; +@@ -670,7 +668,7 @@ static int max8997_set_voltage_buck(struct regulator_dev *rdev, + selector); + + desc = reg_voltage_map[rid]; +- new_val = max8997_get_voltage_proper_val(desc, min_vol, max_vol); ++ new_val = max8997_get_voltage_proper_val(desc, min_uV, max_uV); + if (new_val < 0) + return new_val; + +@@ -1002,8 +1000,8 @@ static __devinit int max8997_pmic_probe(struct platform_device *pdev) + max8997->buck1_vol[i] = ret = + max8997_get_voltage_proper_val( + &buck1245_voltage_map_desc, +- pdata->buck1_voltage[i] / 1000, +- pdata->buck1_voltage[i] / 1000 + ++ pdata->buck1_voltage[i], ++ pdata->buck1_voltage[i] + + buck1245_voltage_map_desc.step); + if (ret < 0) + goto err_alloc; +@@ -1011,8 +1009,8 @@ static __devinit int max8997_pmic_probe(struct platform_device *pdev) + max8997->buck2_vol[i] = ret = + max8997_get_voltage_proper_val( + &buck1245_voltage_map_desc, +- pdata->buck2_voltage[i] / 1000, +- pdata->buck2_voltage[i] / 1000 + ++ pdata->buck2_voltage[i], ++ pdata->buck2_voltage[i] + + buck1245_voltage_map_desc.step); + if (ret < 0) + goto err_alloc; +@@ -1020,8 +1018,8 @@ static __devinit int max8997_pmic_probe(struct platform_device *pdev) + max8997->buck5_vol[i] = ret = + max8997_get_voltage_proper_val( + &buck1245_voltage_map_desc, +- pdata->buck5_voltage[i] / 1000, +- pdata->buck5_voltage[i] / 1000 + ++ pdata->buck5_voltage[i], ++ pdata->buck5_voltage[i] + + buck1245_voltage_map_desc.step); + if (ret < 0) + goto err_alloc; +diff --git a/drivers/regulator/max8998.c b/drivers/regulator/max8998.c +index 41a1495..27fe1c6 100644 +--- a/drivers/regulator/max8998.c ++++ b/drivers/regulator/max8998.c +@@ -497,7 +497,7 @@ buck2_exit: + + difference = desc->min + desc->step*i - previous_vol/1000; + if (difference > 0) +- udelay(difference / ((val & 0x0f) + 1)); ++ udelay(DIV_ROUND_UP(difference, (val & 0x0f) + 1)); + + return ret; + } +diff --git a/drivers/scsi/isci/init.c b/drivers/scsi/isci/init.c +index 5c8b0dc..3784388 100644 +--- a/drivers/scsi/isci/init.c ++++ b/drivers/scsi/isci/init.c +@@ -459,7 +459,7 @@ static int __devinit isci_pci_probe(struct pci_dev *pdev, const struct pci_devic + return -ENOMEM; + pci_set_drvdata(pdev, pci_info); + +- if (efi_enabled) ++ if (efi_enabled(EFI_RUNTIME_SERVICES)) + orom = isci_get_efi_var(pdev); + + if (!orom) +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index 4b63c73..f44d633 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -2825,10 +2825,6 @@ static int __init init_sd(void) + if (err) + goto err_out; + +- err = scsi_register_driver(&sd_template.gendrv); +- if (err) +- goto err_out_class; +- + sd_cdb_cache = kmem_cache_create("sd_ext_cdb", SD_EXT_CDB_SIZE, + 0, 0, NULL); + if (!sd_cdb_cache) { +@@ -2842,8 +2838,15 @@ static int __init init_sd(void) + goto err_out_cache; + } + ++ err = scsi_register_driver(&sd_template.gendrv); ++ if (err) ++ goto err_out_driver; ++ + return 0; + ++err_out_driver: ++ mempool_destroy(sd_cdb_pool); ++ + err_out_cache: + kmem_cache_destroy(sd_cdb_cache); + +@@ -2866,10 +2869,10 @@ static void __exit exit_sd(void) + + SCSI_LOG_HLQUEUE(3, printk("exit_sd: exiting sd driver\n")); + ++ scsi_unregister_driver(&sd_template.gendrv); + mempool_destroy(sd_cdb_pool); + kmem_cache_destroy(sd_cdb_cache); + +- scsi_unregister_driver(&sd_template.gendrv); + class_unregister(&sd_disk_class); + + for (i = 0; i < SD_MAJORS; i++) +diff --git a/drivers/staging/comedi/Kconfig b/drivers/staging/comedi/Kconfig +index 4c77e50..da26630 100644 +--- a/drivers/staging/comedi/Kconfig ++++ b/drivers/staging/comedi/Kconfig +@@ -424,6 +424,7 @@ config COMEDI_ADQ12B + + config COMEDI_NI_AT_A2150 + tristate "NI AT-A2150 ISA card support" ++ select COMEDI_FC + depends on COMEDI_NI_COMMON + depends on VIRT_TO_BUS + default N +diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c +index 9465bce..ab9f5ed 100644 +--- a/drivers/staging/comedi/comedi_fops.c ++++ b/drivers/staging/comedi/comedi_fops.c +@@ -2207,6 +2207,7 @@ int comedi_alloc_board_minor(struct device *hardware_device) + kfree(info); + return -ENOMEM; + } ++ info->hardware_device = hardware_device; + comedi_device_init(info->device); + spin_lock_irqsave(&comedi_file_info_table_lock, flags); + for (i = 0; i < COMEDI_NUM_BOARD_MINORS; ++i) { +@@ -2295,6 +2296,23 @@ void comedi_free_board_minor(unsigned minor) + } + } + ++int comedi_find_board_minor(struct device *hardware_device) ++{ ++ int minor; ++ struct comedi_device_file_info *info; ++ ++ for (minor = 0; minor < COMEDI_NUM_BOARD_MINORS; minor++) { ++ spin_lock(&comedi_file_info_table_lock); ++ info = comedi_file_info_table[minor]; ++ if (info && info->hardware_device == hardware_device) { ++ spin_unlock(&comedi_file_info_table_lock); ++ return minor; ++ } ++ spin_unlock(&comedi_file_info_table_lock); ++ } ++ return -ENODEV; ++} ++ + int comedi_alloc_subdevice_minor(struct comedi_device *dev, + struct comedi_subdevice *s) + { +diff --git a/drivers/staging/comedi/comedidev.h b/drivers/staging/comedi/comedidev.h +index 7a0d4bc..00d3c65 100644 +--- a/drivers/staging/comedi/comedidev.h ++++ b/drivers/staging/comedi/comedidev.h +@@ -234,6 +234,7 @@ struct comedi_device_file_info { + struct comedi_device *device; + struct comedi_subdevice *read_subdevice; + struct comedi_subdevice *write_subdevice; ++ struct device *hardware_device; + }; + + #ifdef CONFIG_COMEDI_DEBUG +diff --git a/drivers/staging/comedi/drivers.c b/drivers/staging/comedi/drivers.c +index db1fd63..538b568 100644 +--- a/drivers/staging/comedi/drivers.c ++++ b/drivers/staging/comedi/drivers.c +@@ -823,25 +823,14 @@ static int comedi_auto_config(struct device *hardware_device, + int minor; + struct comedi_device_file_info *dev_file_info; + int retval; +- unsigned *private_data = NULL; + +- if (!comedi_autoconfig) { +- dev_set_drvdata(hardware_device, NULL); ++ if (!comedi_autoconfig) + return 0; +- } + + minor = comedi_alloc_board_minor(hardware_device); + if (minor < 0) + return minor; + +- private_data = kmalloc(sizeof(unsigned), GFP_KERNEL); +- if (private_data == NULL) { +- retval = -ENOMEM; +- goto cleanup; +- } +- *private_data = minor; +- dev_set_drvdata(hardware_device, private_data); +- + dev_file_info = comedi_get_device_file_info(minor); + + memset(&it, 0, sizeof(it)); +@@ -854,25 +843,22 @@ static int comedi_auto_config(struct device *hardware_device, + retval = comedi_device_attach(dev_file_info->device, &it); + mutex_unlock(&dev_file_info->device->mutex); + +-cleanup: +- if (retval < 0) { +- kfree(private_data); ++ if (retval < 0) + comedi_free_board_minor(minor); +- } + return retval; + } + + static void comedi_auto_unconfig(struct device *hardware_device) + { +- unsigned *minor = (unsigned *)dev_get_drvdata(hardware_device); +- if (minor == NULL) +- return; +- +- BUG_ON(*minor >= COMEDI_NUM_BOARD_MINORS); ++ int minor; + +- comedi_free_board_minor(*minor); +- dev_set_drvdata(hardware_device, NULL); +- kfree(minor); ++ if (hardware_device == NULL) ++ return; ++ minor = comedi_find_board_minor(hardware_device); ++ if (minor < 0) ++ return; ++ BUG_ON(minor >= COMEDI_NUM_BOARD_MINORS); ++ comedi_free_board_minor(minor); + } + + int comedi_pci_auto_config(struct pci_dev *pcidev, const char *board_name) +diff --git a/drivers/staging/comedi/drivers/comedi_test.c b/drivers/staging/comedi/drivers/comedi_test.c +index a804742..2567f9a 100644 +--- a/drivers/staging/comedi/drivers/comedi_test.c ++++ b/drivers/staging/comedi/drivers/comedi_test.c +@@ -461,7 +461,7 @@ static int waveform_ai_cancel(struct comedi_device *dev, + struct comedi_subdevice *s) + { + devpriv->timer_running = 0; +- del_timer(&devpriv->timer); ++ del_timer_sync(&devpriv->timer); + return 0; + } + +diff --git a/drivers/staging/comedi/drivers/ni_pcimio.c b/drivers/staging/comedi/drivers/ni_pcimio.c +index 9148abd..9fee2f2 100644 +--- a/drivers/staging/comedi/drivers/ni_pcimio.c ++++ b/drivers/staging/comedi/drivers/ni_pcimio.c +@@ -1021,7 +1021,7 @@ static const struct ni_board_struct ni_boards[] = { + .ao_range_table = &range_ni_M_625x_ao, + .reg_type = ni_reg_625x, + .ao_unipolar = 0, +- .ao_speed = 357, ++ .ao_speed = 350, + .num_p0_dio_channels = 8, + .caldac = {caldac_none}, + .has_8255 = 0, +@@ -1040,7 +1040,7 @@ static const struct ni_board_struct ni_boards[] = { + .ao_range_table = &range_ni_M_625x_ao, + .reg_type = ni_reg_625x, + .ao_unipolar = 0, +- .ao_speed = 357, ++ .ao_speed = 350, + .num_p0_dio_channels = 8, + .caldac = {caldac_none}, + .has_8255 = 0, +@@ -1076,7 +1076,7 @@ static const struct ni_board_struct ni_boards[] = { + .ao_range_table = &range_ni_M_625x_ao, + .reg_type = ni_reg_625x, + .ao_unipolar = 0, +- .ao_speed = 357, ++ .ao_speed = 350, + .num_p0_dio_channels = 32, + .caldac = {caldac_none}, + .has_8255 = 0, +@@ -1095,7 +1095,7 @@ static const struct ni_board_struct ni_boards[] = { + .ao_range_table = &range_ni_M_625x_ao, + .reg_type = ni_reg_625x, + .ao_unipolar = 0, +- .ao_speed = 357, ++ .ao_speed = 350, + .num_p0_dio_channels = 32, + .caldac = {caldac_none}, + .has_8255 = 0, +@@ -1131,7 +1131,7 @@ static const struct ni_board_struct ni_boards[] = { + .ao_range_table = &range_ni_M_628x_ao, + .reg_type = ni_reg_628x, + .ao_unipolar = 1, +- .ao_speed = 357, ++ .ao_speed = 350, + .num_p0_dio_channels = 8, + .caldac = {caldac_none}, + .has_8255 = 0, +@@ -1150,7 +1150,7 @@ static const struct ni_board_struct ni_boards[] = { + .ao_range_table = &range_ni_M_628x_ao, + .reg_type = ni_reg_628x, + .ao_unipolar = 1, +- .ao_speed = 357, ++ .ao_speed = 350, + .num_p0_dio_channels = 8, + .caldac = {caldac_none}, + .has_8255 = 0, +@@ -1186,7 +1186,7 @@ static const struct ni_board_struct ni_boards[] = { + .ao_range_table = &range_ni_M_628x_ao, + .reg_type = ni_reg_628x, + .ao_unipolar = 1, +- .ao_speed = 357, ++ .ao_speed = 350, + .num_p0_dio_channels = 32, + .caldac = {caldac_none}, + .has_8255 = 0, +diff --git a/drivers/staging/comedi/internal.h b/drivers/staging/comedi/internal.h +index 434ce34..4208fb4 100644 +--- a/drivers/staging/comedi/internal.h ++++ b/drivers/staging/comedi/internal.h +@@ -7,6 +7,7 @@ int insn_inval(struct comedi_device *dev, struct comedi_subdevice *s, + struct comedi_insn *insn, unsigned int *data); + int comedi_alloc_board_minor(struct device *hardware_device); + void comedi_free_board_minor(unsigned minor); ++int comedi_find_board_minor(struct device *hardware_device); + void comedi_reset_async_buf(struct comedi_async *async); + int comedi_buf_alloc(struct comedi_device *dev, struct comedi_subdevice *s, + unsigned long new_size); +diff --git a/drivers/staging/rtl8712/usb_intf.c b/drivers/staging/rtl8712/usb_intf.c +index f4b738f..88d1d35 100644 +--- a/drivers/staging/rtl8712/usb_intf.c ++++ b/drivers/staging/rtl8712/usb_intf.c +@@ -66,6 +66,8 @@ static struct usb_device_id rtl871x_usb_id_tbl[] = { + {USB_DEVICE(0x0B05, 0x1791)}, /* 11n mode disable */ + /* Belkin */ + {USB_DEVICE(0x050D, 0x945A)}, ++ /* ISY IWL - Belkin clone */ ++ {USB_DEVICE(0x050D, 0x11F1)}, + /* Corega */ + {USB_DEVICE(0x07AA, 0x0047)}, + /* D-Link */ +diff --git a/drivers/staging/speakup/synth.c b/drivers/staging/speakup/synth.c +index c241074..7843111 100644 +--- a/drivers/staging/speakup/synth.c ++++ b/drivers/staging/speakup/synth.c +@@ -342,7 +342,7 @@ int synth_init(char *synth_name) + + mutex_lock(&spk_mutex); + /* First, check if we already have it loaded. */ +- for (i = 0; synths[i] != NULL && i < MAXSYNTHS; i++) ++ for (i = 0; i < MAXSYNTHS && synths[i] != NULL; i++) + if (strcmp(synths[i]->name, synth_name) == 0) + synth = synths[i]; + +@@ -423,7 +423,7 @@ int synth_add(struct spk_synth *in_synth) + int i; + int status = 0; + mutex_lock(&spk_mutex); +- for (i = 0; synths[i] != NULL && i < MAXSYNTHS; i++) ++ for (i = 0; i < MAXSYNTHS && synths[i] != NULL; i++) + /* synth_remove() is responsible for rotating the array down */ + if (in_synth == synths[i]) { + mutex_unlock(&spk_mutex); +diff --git a/drivers/staging/usbip/usbip_common.c b/drivers/staging/usbip/usbip_common.c +index 3b7a847..194e974 100644 +--- a/drivers/staging/usbip/usbip_common.c ++++ b/drivers/staging/usbip/usbip_common.c +@@ -761,26 +761,25 @@ EXPORT_SYMBOL_GPL(usbip_recv_iso); + * buffer and iso packets need to be stored and be in propeper endian in urb + * before calling this function + */ +-int usbip_pad_iso(struct usbip_device *ud, struct urb *urb) ++void usbip_pad_iso(struct usbip_device *ud, struct urb *urb) + { + int np = urb->number_of_packets; + int i; +- int ret; + int actualoffset = urb->actual_length; + + if (!usb_pipeisoc(urb->pipe)) +- return 0; ++ return; + + /* if no packets or length of data is 0, then nothing to unpack */ + if (np == 0 || urb->actual_length == 0) +- return 0; ++ return; + + /* + * if actual_length is transfer_buffer_length then no padding is + * present. + */ + if (urb->actual_length == urb->transfer_buffer_length) +- return 0; ++ return; + + /* + * loop over all packets from last to first (to prevent overwritting +@@ -792,8 +791,6 @@ int usbip_pad_iso(struct usbip_device *ud, struct urb *urb) + urb->transfer_buffer + actualoffset, + urb->iso_frame_desc[i].actual_length); + } +- +- return ret; + } + EXPORT_SYMBOL_GPL(usbip_pad_iso); + +diff --git a/drivers/staging/usbip/usbip_common.h b/drivers/staging/usbip/usbip_common.h +index be21617..e547dba 100644 +--- a/drivers/staging/usbip/usbip_common.h ++++ b/drivers/staging/usbip/usbip_common.h +@@ -316,7 +316,7 @@ void usbip_header_correct_endian(struct usbip_header *pdu, int send); + void *usbip_alloc_iso_desc_pdu(struct urb *urb, ssize_t *bufflen); + /* some members of urb must be substituted before. */ + int usbip_recv_iso(struct usbip_device *ud, struct urb *urb); +-int usbip_pad_iso(struct usbip_device *ud, struct urb *urb); ++void usbip_pad_iso(struct usbip_device *ud, struct urb *urb); + int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb); + + /* usbip_event.c */ +diff --git a/drivers/staging/usbip/vhci_rx.c b/drivers/staging/usbip/vhci_rx.c +index 3872b8c..1a7afaa 100644 +--- a/drivers/staging/usbip/vhci_rx.c ++++ b/drivers/staging/usbip/vhci_rx.c +@@ -94,8 +94,7 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev, + return; + + /* restore the padding in iso packets */ +- if (usbip_pad_iso(ud, urb) < 0) +- return; ++ usbip_pad_iso(ud, urb); + + if (usbip_dbg_flag_vhci_rx) + usbip_dump_urb(urb); +diff --git a/drivers/staging/vt6656/bssdb.h b/drivers/staging/vt6656/bssdb.h +index a8f97eb..991ce3e 100644 +--- a/drivers/staging/vt6656/bssdb.h ++++ b/drivers/staging/vt6656/bssdb.h +@@ -92,7 +92,6 @@ typedef struct tagSRSNCapObject { + } SRSNCapObject, *PSRSNCapObject; + + // BSS info(AP) +-#pragma pack(1) + typedef struct tagKnownBSS { + // BSS info + BOOL bActive; +diff --git a/drivers/staging/vt6656/int.h b/drivers/staging/vt6656/int.h +index 3176c8d..c731b12 100644 +--- a/drivers/staging/vt6656/int.h ++++ b/drivers/staging/vt6656/int.h +@@ -34,7 +34,6 @@ + #include "device.h" + + /*--------------------- Export Definitions -------------------------*/ +-#pragma pack(1) + typedef struct tagSINTData { + BYTE byTSR0; + BYTE byPkt0; +diff --git a/drivers/staging/vt6656/iocmd.h b/drivers/staging/vt6656/iocmd.h +index 22710ce..ae6e2d2 100644 +--- a/drivers/staging/vt6656/iocmd.h ++++ b/drivers/staging/vt6656/iocmd.h +@@ -95,13 +95,12 @@ typedef enum tagWZONETYPE { + // Ioctl interface structure + // Command structure + // +-#pragma pack(1) + typedef struct tagSCmdRequest { + u8 name[16]; + void *data; + u16 wResult; + u16 wCmdCode; +-} SCmdRequest, *PSCmdRequest; ++} __packed SCmdRequest, *PSCmdRequest; + + // + // Scan +@@ -111,7 +110,7 @@ typedef struct tagSCmdScan { + + u8 ssid[SSID_MAXLEN + 2]; + +-} SCmdScan, *PSCmdScan; ++} __packed SCmdScan, *PSCmdScan; + + // + // BSS Join +@@ -126,7 +125,7 @@ typedef struct tagSCmdBSSJoin { + BOOL bPSEnable; + BOOL bShareKeyAuth; + +-} SCmdBSSJoin, *PSCmdBSSJoin; ++} __packed SCmdBSSJoin, *PSCmdBSSJoin; + + // + // Zonetype Setting +@@ -137,7 +136,7 @@ typedef struct tagSCmdZoneTypeSet { + BOOL bWrite; + WZONETYPE ZoneType; + +-} SCmdZoneTypeSet, *PSCmdZoneTypeSet; ++} __packed SCmdZoneTypeSet, *PSCmdZoneTypeSet; + + typedef struct tagSWPAResult { + char ifname[100]; +@@ -145,7 +144,7 @@ typedef struct tagSWPAResult { + u8 key_mgmt; + u8 eap_type; + BOOL authenticated; +-} SWPAResult, *PSWPAResult; ++} __packed SWPAResult, *PSWPAResult; + + typedef struct tagSCmdStartAP { + +@@ -157,7 +156,7 @@ typedef struct tagSCmdStartAP { + BOOL bShareKeyAuth; + u8 byBasicRate; + +-} SCmdStartAP, *PSCmdStartAP; ++} __packed SCmdStartAP, *PSCmdStartAP; + + typedef struct tagSCmdSetWEP { + +@@ -167,7 +166,7 @@ typedef struct tagSCmdSetWEP { + BOOL bWepKeyAvailable[WEP_NKEYS]; + u32 auWepKeyLength[WEP_NKEYS]; + +-} SCmdSetWEP, *PSCmdSetWEP; ++} __packed SCmdSetWEP, *PSCmdSetWEP; + + typedef struct tagSBSSIDItem { + +@@ -180,14 +179,14 @@ typedef struct tagSBSSIDItem { + BOOL bWEPOn; + u32 uRSSI; + +-} SBSSIDItem; ++} __packed SBSSIDItem; + + + typedef struct tagSBSSIDList { + + u32 uItem; + SBSSIDItem sBSSIDList[0]; +-} SBSSIDList, *PSBSSIDList; ++} __packed SBSSIDList, *PSBSSIDList; + + + typedef struct tagSNodeItem { +@@ -208,7 +207,7 @@ typedef struct tagSNodeItem { + u32 uTxAttempts; + u16 wFailureRatio; + +-} SNodeItem; ++} __packed SNodeItem; + + + typedef struct tagSNodeList { +@@ -216,7 +215,7 @@ typedef struct tagSNodeList { + u32 uItem; + SNodeItem sNodeList[0]; + +-} SNodeList, *PSNodeList; ++} __packed SNodeList, *PSNodeList; + + + typedef struct tagSCmdLinkStatus { +@@ -229,7 +228,7 @@ typedef struct tagSCmdLinkStatus { + u32 uChannel; + u32 uLinkRate; + +-} SCmdLinkStatus, *PSCmdLinkStatus; ++} __packed SCmdLinkStatus, *PSCmdLinkStatus; + + // + // 802.11 counter +@@ -247,7 +246,7 @@ typedef struct tagSDot11MIBCount { + u32 ReceivedFragmentCount; + u32 MulticastReceivedFrameCount; + u32 FCSErrorCount; +-} SDot11MIBCount, *PSDot11MIBCount; ++} __packed SDot11MIBCount, *PSDot11MIBCount; + + + +@@ -355,13 +354,13 @@ typedef struct tagSStatMIBCount { + u32 ullTxBroadcastBytes[2]; + u32 ullTxMulticastBytes[2]; + u32 ullTxDirectedBytes[2]; +-} SStatMIBCount, *PSStatMIBCount; ++} __packed SStatMIBCount, *PSStatMIBCount; + + typedef struct tagSCmdValue { + + u32 dwValue; + +-} SCmdValue, *PSCmdValue; ++} __packed SCmdValue, *PSCmdValue; + + // + // hostapd & viawget ioctl related +@@ -431,7 +430,7 @@ struct viawget_hostapd_param { + u8 ssid[32]; + } scan_req; + } u; +-}; ++} __packed; + + /*--------------------- Export Classes ----------------------------*/ + +diff --git a/drivers/staging/vt6656/iowpa.h b/drivers/staging/vt6656/iowpa.h +index 959c886..2522dde 100644 +--- a/drivers/staging/vt6656/iowpa.h ++++ b/drivers/staging/vt6656/iowpa.h +@@ -67,12 +67,11 @@ enum { + + + +-#pragma pack(1) + typedef struct viawget_wpa_header { + u8 type; + u16 req_ie_len; + u16 resp_ie_len; +-} viawget_wpa_header; ++} __packed viawget_wpa_header; + + struct viawget_wpa_param { + u32 cmd; +@@ -113,9 +112,8 @@ struct viawget_wpa_param { + u8 *buf; + } scan_results; + } u; +-}; ++} __packed; + +-#pragma pack(1) + struct viawget_scan_result { + u8 bssid[6]; + u8 ssid[32]; +@@ -130,7 +128,7 @@ struct viawget_scan_result { + int noise; + int level; + int maxrate; +-}; ++} __packed; + + /*--------------------- Export Classes ----------------------------*/ + +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index 34d114a..9176b2e 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -4539,7 +4539,7 @@ int transport_send_check_condition_and_sense( + /* ILLEGAL REQUEST */ + buffer[offset+SPC_SENSE_KEY_OFFSET] = ILLEGAL_REQUEST; + /* LOGICAL UNIT COMMUNICATION FAILURE */ +- buffer[offset+SPC_ASC_KEY_OFFSET] = 0x80; ++ buffer[offset+SPC_ASC_KEY_OFFSET] = 0x08; + break; + } + /* +diff --git a/drivers/target/tcm_fc/tfc_sess.c b/drivers/target/tcm_fc/tfc_sess.c +index 3f28fdb..ab0a3fa 100644 +--- a/drivers/target/tcm_fc/tfc_sess.c ++++ b/drivers/target/tcm_fc/tfc_sess.c +@@ -390,11 +390,11 @@ static int ft_prli_locked(struct fc_rport_priv *rdata, u32 spp_len, + + tport = ft_tport_create(rdata->local_port); + if (!tport) +- return 0; /* not a target for this local port */ ++ goto not_target; /* not a target for this local port */ + + acl = ft_acl_get(tport->tpg, rdata); + if (!acl) +- return 0; ++ goto not_target; /* no target for this remote */ + + if (!rspp) + goto fill; +@@ -431,12 +431,18 @@ static int ft_prli_locked(struct fc_rport_priv *rdata, u32 spp_len, + + /* + * OR in our service parameters with other provider (initiator), if any. +- * TBD XXX - indicate RETRY capability? + */ + fill: + fcp_parm = ntohl(spp->spp_params); ++ fcp_parm &= ~FCP_SPPF_RETRY; + spp->spp_params = htonl(fcp_parm | FCP_SPPF_TARG_FCN); + return FC_SPP_RESP_ACK; ++ ++not_target: ++ fcp_parm = ntohl(spp->spp_params); ++ fcp_parm &= ~FCP_SPPF_TARG_FCN; ++ spp->spp_params = htonl(fcp_parm); ++ return 0; + } + + /** +diff --git a/drivers/tty/serial/8250.c b/drivers/tty/serial/8250.c +index 70585b6..90dad17 100644 +--- a/drivers/tty/serial/8250.c ++++ b/drivers/tty/serial/8250.c +@@ -316,6 +316,12 @@ static const struct serial8250_config uart_config[] = { + .fcr = UART_FCR_ENABLE_FIFO | UART_FCR_R_TRIG_10, + .flags = UART_CAP_FIFO | UART_CAP_AFE | UART_CAP_EFR, + }, ++ [PORT_BRCM_TRUMANAGE] = { ++ .name = "TruManage", ++ .fifo_size = 1, ++ .tx_loadsz = 1024, ++ .flags = UART_CAP_HFIFO, ++ }, + }; + + #if defined(CONFIG_MIPS_ALCHEMY) +@@ -1511,6 +1517,11 @@ static void transmit_chars(struct uart_8250_port *up) + up->port.icount.tx++; + if (uart_circ_empty(xmit)) + break; ++ if (up->capabilities & UART_CAP_HFIFO) { ++ if ((serial_in(up, UART_LSR) & BOTH_EMPTY) != ++ BOTH_EMPTY) ++ break; ++ } + } while (--count > 0); + + if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS) +diff --git a/drivers/tty/serial/8250.h b/drivers/tty/serial/8250.h +index 6edf4a6..902adcd 100644 +--- a/drivers/tty/serial/8250.h ++++ b/drivers/tty/serial/8250.h +@@ -43,6 +43,7 @@ struct serial8250_config { + #define UART_CAP_AFE (1 << 11) /* MCR-based hw flow control */ + #define UART_CAP_UUE (1 << 12) /* UART needs IER bit 6 set (Xscale) */ + #define UART_CAP_RTOIE (1 << 13) /* UART needs IER bit 4 set (Xscale, Tegra) */ ++#define UART_CAP_HFIFO (1 << 14) /* UART has a "hidden" FIFO */ + + #define UART_BUG_QUOT (1 << 0) /* UART has buggy quot LSB */ + #define UART_BUG_TXEN (1 << 1) /* UART has buggy TX IIR status */ +diff --git a/drivers/tty/serial/8250_dw.c b/drivers/tty/serial/8250_dw.c +index bf1fba6..b6278c1 100644 +--- a/drivers/tty/serial/8250_dw.c ++++ b/drivers/tty/serial/8250_dw.c +@@ -79,7 +79,7 @@ static int dw8250_handle_irq(struct uart_port *p) + } else if ((iir & UART_IIR_BUSY) == UART_IIR_BUSY) { + /* Clear the USR and write the LCR again. */ + (void)p->serial_in(p, UART_USR); +- p->serial_out(p, d->last_lcr, UART_LCR); ++ p->serial_out(p, UART_LCR, d->last_lcr); + + return 1; + } +diff --git a/drivers/tty/serial/8250_pci.c b/drivers/tty/serial/8250_pci.c +index e7d82c1..a753956 100644 +--- a/drivers/tty/serial/8250_pci.c ++++ b/drivers/tty/serial/8250_pci.c +@@ -1077,6 +1077,18 @@ pci_omegapci_setup(struct serial_private *priv, + return setup_port(priv, port, 2, idx * 8, 0); + } + ++static int ++pci_brcm_trumanage_setup(struct serial_private *priv, ++ const struct pciserial_board *board, ++ struct uart_port *port, int idx) ++{ ++ int ret = pci_default_setup(priv, board, port, idx); ++ ++ port->type = PORT_BRCM_TRUMANAGE; ++ port->flags = (port->flags | UPF_FIXED_PORT | UPF_FIXED_TYPE); ++ return ret; ++} ++ + static int skip_tx_en_setup(struct serial_private *priv, + const struct pciserial_board *board, + struct uart_port *port, int idx) +@@ -1138,6 +1150,7 @@ pci_xr17c154_setup(struct serial_private *priv, + #define PCI_DEVICE_ID_OXSEMI_16PCI958 0x9538 + #define PCIE_DEVICE_ID_NEO_2_OX_IBM 0x00F6 + #define PCI_DEVICE_ID_PLX_CRONYX_OMEGA 0xc001 ++#define PCI_DEVICE_ID_BROADCOM_TRUMANAGE 0x160a + + /* Unknown vendors/cards - this should not be in linux/pci_ids.h */ + #define PCI_SUBDEVICE_ID_UNKNOWN_0x1584 0x1584 +@@ -1672,6 +1685,17 @@ static struct pci_serial_quirk pci_serial_quirks[] __refdata = { + .setup = pci_omegapci_setup, + }, + /* ++ * Broadcom TruManage (NetXtreme) ++ */ ++ { ++ .vendor = PCI_VENDOR_ID_BROADCOM, ++ .device = PCI_DEVICE_ID_BROADCOM_TRUMANAGE, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .setup = pci_brcm_trumanage_setup, ++ }, ++ ++ /* + * Default "match everything" terminator entry + */ + { +@@ -1860,6 +1884,7 @@ enum pci_board_num_t { + pbn_ce4100_1_115200, + pbn_omegapci, + pbn_NETMOS9900_2s_115200, ++ pbn_brcm_trumanage, + }; + + /* +@@ -2566,6 +2591,12 @@ static struct pciserial_board pci_boards[] __devinitdata = { + .num_ports = 2, + .base_baud = 115200, + }, ++ [pbn_brcm_trumanage] = { ++ .flags = FL_BASE0, ++ .num_ports = 1, ++ .reg_shift = 2, ++ .base_baud = 115200, ++ }, + }; + + static const struct pci_device_id softmodem_blacklist[] = { +@@ -4108,6 +4139,13 @@ static struct pci_device_id serial_pci_tbl[] = { + pbn_omegapci }, + + /* ++ * Broadcom TruManage ++ */ ++ { PCI_VENDOR_ID_BROADCOM, PCI_DEVICE_ID_BROADCOM_TRUMANAGE, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_brcm_trumanage }, ++ ++ /* + * These entries match devices with class COMMUNICATION_SERIAL, + * COMMUNICATION_MODEM or COMMUNICATION_MULTISERIAL + */ +diff --git a/drivers/tty/serial/ifx6x60.c b/drivers/tty/serial/ifx6x60.c +index 426434e..a6a6777 100644 +--- a/drivers/tty/serial/ifx6x60.c ++++ b/drivers/tty/serial/ifx6x60.c +@@ -552,6 +552,7 @@ static void ifx_port_shutdown(struct tty_port *port) + container_of(port, struct ifx_spi_device, tty_port); + + mrdy_set_low(ifx_dev); ++ del_timer(&ifx_dev->spi_timer); + clear_bit(IFX_SPI_STATE_TIMER_PENDING, &ifx_dev->flags); + tasklet_kill(&ifx_dev->io_work_tasklet); + } +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index df7f15d..0cdff38 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1509,6 +1509,9 @@ static const struct usb_device_id acm_ids[] = { + { USB_DEVICE(0x0572, 0x1340), /* Conexant CX93010-2x UCMxx */ + .driver_info = NO_UNION_NORMAL, + }, ++ { USB_DEVICE(0x05f9, 0x4002), /* PSC Scanning, Magellan 800i */ ++ .driver_info = NO_UNION_NORMAL, ++ }, + { USB_DEVICE(0x1bbb, 0x0003), /* Alcatel OT-I650 */ + .driver_info = NO_UNION_NORMAL, /* reports zero length descriptor */ + }, +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index a9a74d2..0ff8e9a 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -619,6 +619,60 @@ static int hub_hub_status(struct usb_hub *hub, + return ret; + } + ++static int hub_set_port_link_state(struct usb_hub *hub, int port1, ++ unsigned int link_status) ++{ ++ return set_port_feature(hub->hdev, ++ port1 | (link_status << 3), ++ USB_PORT_FEAT_LINK_STATE); ++} ++ ++/* ++ * If USB 3.0 ports are placed into the Disabled state, they will no longer ++ * detect any device connects or disconnects. This is generally not what the ++ * USB core wants, since it expects a disabled port to produce a port status ++ * change event when a new device connects. ++ * ++ * Instead, set the link state to Disabled, wait for the link to settle into ++ * that state, clear any change bits, and then put the port into the RxDetect ++ * state. ++ */ ++static int hub_usb3_port_disable(struct usb_hub *hub, int port1) ++{ ++ int ret; ++ int total_time; ++ u16 portchange, portstatus; ++ ++ if (!hub_is_superspeed(hub->hdev)) ++ return -EINVAL; ++ ++ ret = hub_set_port_link_state(hub, port1, USB_SS_PORT_LS_SS_DISABLED); ++ if (ret) { ++ dev_err(hub->intfdev, "cannot disable port %d (err = %d)\n", ++ port1, ret); ++ return ret; ++ } ++ ++ /* Wait for the link to enter the disabled state. */ ++ for (total_time = 0; ; total_time += HUB_DEBOUNCE_STEP) { ++ ret = hub_port_status(hub, port1, &portstatus, &portchange); ++ if (ret < 0) ++ return ret; ++ ++ if ((portstatus & USB_PORT_STAT_LINK_STATE) == ++ USB_SS_PORT_LS_SS_DISABLED) ++ break; ++ if (total_time >= HUB_DEBOUNCE_TIMEOUT) ++ break; ++ msleep(HUB_DEBOUNCE_STEP); ++ } ++ if (total_time >= HUB_DEBOUNCE_TIMEOUT) ++ dev_warn(hub->intfdev, "Could not disable port %d after %d ms\n", ++ port1, total_time); ++ ++ return hub_set_port_link_state(hub, port1, USB_SS_PORT_LS_RX_DETECT); ++} ++ + static int hub_port_disable(struct usb_hub *hub, int port1, int set_state) + { + struct usb_device *hdev = hub->hdev; +@@ -627,8 +681,13 @@ static int hub_port_disable(struct usb_hub *hub, int port1, int set_state) + if (hdev->children[port1-1] && set_state) + usb_set_device_state(hdev->children[port1-1], + USB_STATE_NOTATTACHED); +- if (!hub->error && !hub_is_superspeed(hub->hdev)) +- ret = clear_port_feature(hdev, port1, USB_PORT_FEAT_ENABLE); ++ if (!hub->error) { ++ if (hub_is_superspeed(hub->hdev)) ++ ret = hub_usb3_port_disable(hub, port1); ++ else ++ ret = clear_port_feature(hdev, port1, ++ USB_PORT_FEAT_ENABLE); ++ } + if (ret) + dev_err(hub->intfdev, "cannot disable port %d (err = %d)\n", + port1, ret); +@@ -2046,7 +2105,7 @@ static unsigned hub_is_wusb(struct usb_hub *hub) + #define HUB_SHORT_RESET_TIME 10 + #define HUB_BH_RESET_TIME 50 + #define HUB_LONG_RESET_TIME 200 +-#define HUB_RESET_TIMEOUT 500 ++#define HUB_RESET_TIMEOUT 800 + + static int hub_port_reset(struct usb_hub *hub, int port1, + struct usb_device *udev, unsigned int delay, bool warm); +@@ -2081,6 +2140,10 @@ static int hub_port_wait_reset(struct usb_hub *hub, int port1, + if (ret < 0) + return ret; + ++ /* The port state is unknown until the reset completes. */ ++ if ((portstatus & USB_PORT_STAT_RESET)) ++ goto delay; ++ + /* + * Some buggy devices require a warm reset to be issued even + * when the port appears not to be connected. +@@ -2126,11 +2189,7 @@ static int hub_port_wait_reset(struct usb_hub *hub, int port1, + if ((portchange & USB_PORT_STAT_C_CONNECTION)) + return -ENOTCONN; + +- /* if we`ve finished resetting, then break out of +- * the loop +- */ +- if (!(portstatus & USB_PORT_STAT_RESET) && +- (portstatus & USB_PORT_STAT_ENABLE)) { ++ if ((portstatus & USB_PORT_STAT_ENABLE)) { + if (hub_is_wusb(hub)) + udev->speed = USB_SPEED_WIRELESS; + else if (hub_is_superspeed(hub->hdev)) +@@ -2144,10 +2203,15 @@ static int hub_port_wait_reset(struct usb_hub *hub, int port1, + return 0; + } + } else { +- if (portchange & USB_PORT_STAT_C_BH_RESET) +- return 0; ++ if (!(portstatus & USB_PORT_STAT_CONNECTION) || ++ hub_port_warm_reset_required(hub, ++ portstatus)) ++ return -ENOTCONN; ++ ++ return 0; + } + ++delay: + /* switch to the long delay after two short delay failures */ + if (delay_time >= 2 * HUB_SHORT_RESET_TIME) + delay = HUB_LONG_RESET_TIME; +@@ -2171,14 +2235,11 @@ static void hub_port_finish_reset(struct usb_hub *hub, int port1, + msleep(10 + 40); + update_devnum(udev, 0); + hcd = bus_to_hcd(udev->bus); +- if (hcd->driver->reset_device) { +- *status = hcd->driver->reset_device(hcd, udev); +- if (*status < 0) { +- dev_err(&udev->dev, "Cannot reset " +- "HCD device state\n"); +- break; +- } +- } ++ /* The xHC may think the device is already reset, ++ * so ignore the status. ++ */ ++ if (hcd->driver->reset_device) ++ hcd->driver->reset_device(hcd, udev); + } + /* FALL THROUGH */ + case -ENOTCONN: +@@ -2186,16 +2247,16 @@ static void hub_port_finish_reset(struct usb_hub *hub, int port1, + clear_port_feature(hub->hdev, + port1, USB_PORT_FEAT_C_RESET); + /* FIXME need disconnect() for NOTATTACHED device */ +- if (warm) { ++ if (hub_is_superspeed(hub->hdev)) { + clear_port_feature(hub->hdev, port1, + USB_PORT_FEAT_C_BH_PORT_RESET); + clear_port_feature(hub->hdev, port1, + USB_PORT_FEAT_C_PORT_LINK_STATE); +- } else { ++ } ++ if (!warm) + usb_set_device_state(udev, *status + ? USB_STATE_NOTATTACHED + : USB_STATE_DEFAULT); +- } + break; + } + } +@@ -2469,7 +2530,7 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg) + static int finish_port_resume(struct usb_device *udev) + { + int status = 0; +- u16 devstatus; ++ u16 devstatus = 0; + + /* caller owns the udev device lock */ + dev_dbg(&udev->dev, "%s\n", +@@ -2514,7 +2575,13 @@ static int finish_port_resume(struct usb_device *udev) + if (status) { + dev_dbg(&udev->dev, "gone after usb resume? status %d\n", + status); +- } else if (udev->actconfig) { ++ /* ++ * There are a few quirky devices which violate the standard ++ * by claiming to have remote wakeup enabled after a reset, ++ * which crash if the feature is cleared, hence check for ++ * udev->reset_resume ++ */ ++ } else if (udev->actconfig && !udev->reset_resume) { + le16_to_cpus(&devstatus); + if (devstatus & (1 << USB_DEVICE_REMOTE_WAKEUP)) { + status = usb_control_msg(udev, +@@ -3663,9 +3730,14 @@ static void hub_events(void) + * SS.Inactive state. + */ + if (hub_port_warm_reset_required(hub, portstatus)) { ++ int status; ++ + dev_dbg(hub_dev, "warm reset port %d\n", i); +- hub_port_reset(hub, i, NULL, ++ status = hub_port_reset(hub, i, NULL, + HUB_BH_RESET_TIME, true); ++ if (status < 0) ++ hub_port_disable(hub, i, 1); ++ connect_change = 0; + } + + if (connect_change) +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 8b2a9d8..3f08c09 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -38,6 +38,9 @@ static const struct usb_device_id usb_quirk_list[] = { + /* Creative SB Audigy 2 NX */ + { USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME }, + ++ /* Microsoft LifeCam-VX700 v2.0 */ ++ { USB_DEVICE(0x045e, 0x0770), .driver_info = USB_QUIRK_RESET_RESUME }, ++ + /* Logitech Webcam C200 */ + { USB_DEVICE(0x046d, 0x0802), .driver_info = USB_QUIRK_RESET_RESUME }, + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 3700aa6..e9637f9 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1277,6 +1277,7 @@ static int __devinit dwc3_gadget_init_endpoints(struct dwc3 *dwc) + + if (epnum == 0 || epnum == 1) { + dep->endpoint.maxpacket = 512; ++ dep->endpoint.maxburst = 1; + dep->endpoint.ops = &dwc3_gadget_ep0_ops; + if (!epnum) + dwc->gadget.ep0 = &dep->endpoint; +diff --git a/drivers/usb/gadget/dummy_hcd.c b/drivers/usb/gadget/dummy_hcd.c +index d584eaf..c7423a7 100644 +--- a/drivers/usb/gadget/dummy_hcd.c ++++ b/drivers/usb/gadget/dummy_hcd.c +@@ -126,10 +126,7 @@ static const char ep0name [] = "ep0"; + static const char *const ep_name [] = { + ep0name, /* everyone has ep0 */ + +- /* act like a net2280: high speed, six configurable endpoints */ +- "ep-a", "ep-b", "ep-c", "ep-d", "ep-e", "ep-f", +- +- /* or like pxa250: fifteen fixed function endpoints */ ++ /* act like a pxa250: fifteen fixed function endpoints */ + "ep1in-bulk", "ep2out-bulk", "ep3in-iso", "ep4out-iso", "ep5in-int", + "ep6in-bulk", "ep7out-bulk", "ep8in-iso", "ep9out-iso", "ep10in-int", + "ep11in-bulk", "ep12out-bulk", "ep13in-iso", "ep14out-iso", +@@ -137,6 +134,10 @@ static const char *const ep_name [] = { + + /* or like sa1100: two fixed function endpoints */ + "ep1out-bulk", "ep2in-bulk", ++ ++ /* and now some generic EPs so we have enough in multi config */ ++ "ep3out", "ep4in", "ep5out", "ep6out", "ep7in", "ep8out", "ep9in", ++ "ep10out", "ep11out", "ep12in", "ep13out", "ep14in", "ep15out", + }; + #define DUMMY_ENDPOINTS ARRAY_SIZE(ep_name) + +diff --git a/drivers/usb/host/uhci-hcd.c b/drivers/usb/host/uhci-hcd.c +index c8ae199..b6989e4 100644 +--- a/drivers/usb/host/uhci-hcd.c ++++ b/drivers/usb/host/uhci-hcd.c +@@ -448,6 +448,10 @@ static irqreturn_t uhci_irq(struct usb_hcd *hcd) + return IRQ_NONE; + uhci_writew(uhci, status, USBSTS); /* Clear it */ + ++ spin_lock(&uhci->lock); ++ if (unlikely(!uhci->is_initialized)) /* not yet configured */ ++ goto done; ++ + if (status & ~(USBSTS_USBINT | USBSTS_ERROR | USBSTS_RD)) { + if (status & USBSTS_HSE) + dev_err(uhci_dev(uhci), "host system error, " +@@ -456,7 +460,6 @@ static irqreturn_t uhci_irq(struct usb_hcd *hcd) + dev_err(uhci_dev(uhci), "host controller process " + "error, something bad happened!\n"); + if (status & USBSTS_HCH) { +- spin_lock(&uhci->lock); + if (uhci->rh_state >= UHCI_RH_RUNNING) { + dev_err(uhci_dev(uhci), + "host controller halted, " +@@ -474,15 +477,15 @@ static irqreturn_t uhci_irq(struct usb_hcd *hcd) + * pending unlinks */ + mod_timer(&hcd->rh_timer, jiffies); + } +- spin_unlock(&uhci->lock); + } + } + +- if (status & USBSTS_RD) ++ if (status & USBSTS_RD) { ++ spin_unlock(&uhci->lock); + usb_hcd_poll_rh_status(hcd); +- else { +- spin_lock(&uhci->lock); ++ } else { + uhci_scan_schedule(uhci); ++ done: + spin_unlock(&uhci->lock); + } + +@@ -660,9 +663,9 @@ static int uhci_start(struct usb_hcd *hcd) + */ + mb(); + ++ spin_lock_irq(&uhci->lock); + configure_hc(uhci); + uhci->is_initialized = 1; +- spin_lock_irq(&uhci->lock); + start_rh(uhci); + spin_unlock_irq(&uhci->lock); + return 0; +diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c +index 978860b..24107a7 100644 +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -725,12 +725,39 @@ int xhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, + break; + case USB_PORT_FEAT_LINK_STATE: + temp = xhci_readl(xhci, port_array[wIndex]); ++ ++ /* Disable port */ ++ if (link_state == USB_SS_PORT_LS_SS_DISABLED) { ++ xhci_dbg(xhci, "Disable port %d\n", wIndex); ++ temp = xhci_port_state_to_neutral(temp); ++ /* ++ * Clear all change bits, so that we get a new ++ * connection event. ++ */ ++ temp |= PORT_CSC | PORT_PEC | PORT_WRC | ++ PORT_OCC | PORT_RC | PORT_PLC | ++ PORT_CEC; ++ xhci_writel(xhci, temp | PORT_PE, ++ port_array[wIndex]); ++ temp = xhci_readl(xhci, port_array[wIndex]); ++ break; ++ } ++ ++ /* Put link in RxDetect (enable port) */ ++ if (link_state == USB_SS_PORT_LS_RX_DETECT) { ++ xhci_dbg(xhci, "Enable port %d\n", wIndex); ++ xhci_set_link_state(xhci, port_array, wIndex, ++ link_state); ++ temp = xhci_readl(xhci, port_array[wIndex]); ++ break; ++ } ++ + /* Software should not attempt to set +- * port link state above '5' (Rx.Detect) and the port ++ * port link state above '3' (U3) and the port + * must be enabled. + */ + if ((temp & PORT_PE) == 0 || +- (link_state > USB_SS_PORT_LS_RX_DETECT)) { ++ (link_state > USB_SS_PORT_LS_U3)) { + xhci_warn(xhci, "Cannot set link state.\n"); + goto error; + } +@@ -877,6 +904,7 @@ int xhci_hub_status_data(struct usb_hcd *hcd, char *buf) + int max_ports; + __le32 __iomem **port_array; + struct xhci_bus_state *bus_state; ++ bool reset_change = false; + + max_ports = xhci_get_ports(hcd, &port_array); + bus_state = &xhci->bus_state[hcd_index(hcd)]; +@@ -903,6 +931,12 @@ int xhci_hub_status_data(struct usb_hcd *hcd, char *buf) + buf[(i + 1) / 8] |= 1 << (i + 1) % 8; + status = 1; + } ++ if ((temp & PORT_RC)) ++ reset_change = true; ++ } ++ if (!status && !reset_change) { ++ xhci_dbg(xhci, "%s: stopping port polling.\n", __func__); ++ clear_bit(HCD_FLAG_POLL_RH, &hcd->flags); + } + spin_unlock_irqrestore(&xhci->lock, flags); + return status ? retval : 0; +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index 5719c4d..ee5ec11 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -1152,6 +1152,8 @@ static unsigned int xhci_microframes_to_exponent(struct usb_device *udev, + static unsigned int xhci_parse_microframe_interval(struct usb_device *udev, + struct usb_host_endpoint *ep) + { ++ if (ep->desc.bInterval == 0) ++ return 0; + return xhci_microframes_to_exponent(udev, ep, + ep->desc.bInterval, 0, 15); + } +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 1ba98f5..2ed591d 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -1661,6 +1661,15 @@ cleanup: + if (bogus_port_status) + return; + ++ /* ++ * xHCI port-status-change events occur when the "or" of all the ++ * status-change bits in the portsc register changes from 0 to 1. ++ * New status changes won't cause an event if any other change ++ * bits are still set. When an event occurs, switch over to ++ * polling to avoid losing status changes. ++ */ ++ xhci_dbg(xhci, "%s: starting port polling.\n", __func__); ++ set_bit(HCD_FLAG_POLL_RH, &hcd->flags); + spin_unlock(&xhci->lock); + /* Pass this up to the core */ + usb_hcd_poll_rh_status(hcd); +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 9dc5870..53c8be1 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -871,6 +871,11 @@ int xhci_suspend(struct xhci_hcd *xhci) + struct usb_hcd *hcd = xhci_to_hcd(xhci); + u32 command; + ++ /* Don't poll the roothubs on bus suspend. */ ++ xhci_dbg(xhci, "%s: stopping port polling.\n", __func__); ++ clear_bit(HCD_FLAG_POLL_RH, &hcd->flags); ++ del_timer_sync(&hcd->rh_timer); ++ + spin_lock_irq(&xhci->lock); + clear_bit(HCD_FLAG_HW_ACCESSIBLE, &hcd->flags); + clear_bit(HCD_FLAG_HW_ACCESSIBLE, &xhci->shared_hcd->flags); +@@ -1055,6 +1060,11 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated) + if (xhci->quirks & XHCI_COMP_MODE_QUIRK) + compliance_mode_recovery_timer_init(xhci); + ++ /* Re-enable port polling. */ ++ xhci_dbg(xhci, "%s: starting port polling.\n", __func__); ++ set_bit(HCD_FLAG_POLL_RH, &hcd->flags); ++ usb_hcd_poll_rh_status(hcd); ++ + return retval; + } + #endif /* CONFIG_PM */ +diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c +index 920f04e..641caf8 100644 +--- a/drivers/usb/musb/musb_core.c ++++ b/drivers/usb/musb/musb_core.c +@@ -2372,10 +2372,7 @@ static int __init musb_init(void) + if (usb_disabled()) + return 0; + +- pr_info("%s: version " MUSB_VERSION ", " +- "?dma?" +- ", " +- "otg (peripheral+host)", ++ pr_info("%s: version " MUSB_VERSION ", ?dma?, otg (peripheral+host)\n", + musb_driver_name); + return platform_driver_probe(&musb_driver, musb_probe); + } +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 3f989d6..2cc7c18 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -881,6 +881,8 @@ static struct usb_device_id id_table_combined [] = { + { USB_DEVICE(FTDI_VID, FTDI_DISTORTEC_JTAG_LOCK_PICK_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(FTDI_VID, FTDI_LUMEL_PD12_PID) }, ++ /* Crucible Devices */ ++ { USB_DEVICE(FTDI_VID, FTDI_CT_COMET_PID) }, + { }, /* Optional parameter entry */ + { } /* Terminating entry */ + }; +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index aedf65f..dd6edf8 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -1259,3 +1259,9 @@ + * ATI command output: Cinterion MC55i + */ + #define FTDI_CINTERION_MC55I_PID 0xA951 ++ ++/* ++ * Product: Comet Caller ID decoder ++ * Manufacturer: Crucible Technologies ++ */ ++#define FTDI_CT_COMET_PID 0x8e08 +diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c +index 8a90d58..3de751d 100644 +--- a/drivers/usb/serial/io_ti.c ++++ b/drivers/usb/serial/io_ti.c +@@ -558,6 +558,9 @@ static void chase_port(struct edgeport_port *port, unsigned long timeout, + wait_queue_t wait; + unsigned long flags; + ++ if (!tty) ++ return; ++ + if (!timeout) + timeout = (HZ * EDGE_CLOSING_WAIT)/100; + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 872807b..9db3e23 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -288,6 +288,7 @@ static void option_instat_callback(struct urb *urb); + #define ALCATEL_VENDOR_ID 0x1bbb + #define ALCATEL_PRODUCT_X060S_X200 0x0000 + #define ALCATEL_PRODUCT_X220_X500D 0x0017 ++#define ALCATEL_PRODUCT_L100V 0x011e + + #define PIRELLI_VENDOR_ID 0x1266 + #define PIRELLI_PRODUCT_C100_1 0x1002 +@@ -429,9 +430,12 @@ static void option_instat_callback(struct urb *urb); + #define MEDIATEK_VENDOR_ID 0x0e8d + #define MEDIATEK_PRODUCT_DC_1COM 0x00a0 + #define MEDIATEK_PRODUCT_DC_4COM 0x00a5 ++#define MEDIATEK_PRODUCT_DC_4COM2 0x00a7 + #define MEDIATEK_PRODUCT_DC_5COM 0x00a4 + #define MEDIATEK_PRODUCT_7208_1COM 0x7101 + #define MEDIATEK_PRODUCT_7208_2COM 0x7102 ++#define MEDIATEK_PRODUCT_7103_2COM 0x7103 ++#define MEDIATEK_PRODUCT_7106_2COM 0x7106 + #define MEDIATEK_PRODUCT_FP_1COM 0x0003 + #define MEDIATEK_PRODUCT_FP_2COM 0x0023 + #define MEDIATEK_PRODUCT_FPDC_1COM 0x0043 +@@ -441,6 +445,14 @@ static void option_instat_callback(struct urb *urb); + #define CELLIENT_VENDOR_ID 0x2692 + #define CELLIENT_PRODUCT_MEN200 0x9005 + ++/* Hyundai Petatel Inc. products */ ++#define PETATEL_VENDOR_ID 0x1ff4 ++#define PETATEL_PRODUCT_NP10T 0x600e ++ ++/* TP-LINK Incorporated products */ ++#define TPLINK_VENDOR_ID 0x2357 ++#define TPLINK_PRODUCT_MA180 0x0201 ++ + /* some devices interfaces need special handling due to a number of reasons */ + enum option_blacklist_reason { + OPTION_BLACKLIST_NONE = 0, +@@ -922,8 +934,10 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0254, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0257, 0xff, 0xff, 0xff), /* ZTE MF821 */ + .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, +- { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0265, 0xff, 0xff, 0xff) }, +- { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0284, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0265, 0xff, 0xff, 0xff), /* ONDA MT8205 */ ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0284, 0xff, 0xff, 0xff), /* ZTE MF880 */ ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0317, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0326, 0xff, 0xff, 0xff), + .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, +@@ -1190,6 +1204,8 @@ static const struct usb_device_id option_ids[] = { + .driver_info = (kernel_ulong_t)&alcatel_x200_blacklist + }, + { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X220_X500D) }, ++ { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_L100V), ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, + { USB_DEVICE(AIRPLUS_VENDOR_ID, AIRPLUS_PRODUCT_MCD650) }, + { USB_DEVICE(TLAYTECH_VENDOR_ID, TLAYTECH_PRODUCT_TEU800) }, + { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W14), +@@ -1294,7 +1310,14 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_FP_2COM, 0x0a, 0x00, 0x00) }, + { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_FPDC_1COM, 0x0a, 0x00, 0x00) }, + { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_FPDC_2COM, 0x0a, 0x00, 0x00) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_7103_2COM, 0xff, 0x00, 0x00) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_7106_2COM, 0x02, 0x02, 0x01) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_DC_4COM2, 0xff, 0x02, 0x01) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_DC_4COM2, 0xff, 0x00, 0x00) }, + { USB_DEVICE(CELLIENT_VENDOR_ID, CELLIENT_PRODUCT_MEN200) }, ++ { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T) }, ++ { USB_DEVICE(TPLINK_VENDOR_ID, TPLINK_PRODUCT_MA180), ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, + { } /* Terminating entry */ + }; + MODULE_DEVICE_TABLE(usb, option_ids); +diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c +index 6873bb6..2263144 100644 +--- a/fs/cifs/cifs_dfs_ref.c ++++ b/fs/cifs/cifs_dfs_ref.c +@@ -226,6 +226,8 @@ compose_mount_options_out: + compose_mount_options_err: + kfree(mountdata); + mountdata = ERR_PTR(rc); ++ kfree(*devname); ++ *devname = NULL; + goto compose_mount_options_out; + } + +diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c +index a86873e..31df53e 100644 +--- a/fs/nfs/namespace.c ++++ b/fs/nfs/namespace.c +@@ -289,11 +289,31 @@ out_nofree: + return mnt; + } + ++static int ++nfs_namespace_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) ++{ ++ if (NFS_FH(dentry->d_inode)->size != 0) ++ return nfs_getattr(mnt, dentry, stat); ++ generic_fillattr(dentry->d_inode, stat); ++ return 0; ++} ++ ++static int ++nfs_namespace_setattr(struct dentry *dentry, struct iattr *attr) ++{ ++ if (NFS_FH(dentry->d_inode)->size != 0) ++ return nfs_setattr(dentry, attr); ++ return -EACCES; ++} ++ + const struct inode_operations nfs_mountpoint_inode_operations = { + .getattr = nfs_getattr, ++ .setattr = nfs_setattr, + }; + + const struct inode_operations nfs_referral_inode_operations = { ++ .getattr = nfs_namespace_getattr, ++ .setattr = nfs_namespace_setattr, + }; + + static void nfs_expire_automounts(struct work_struct *work) +diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c +index 07354b7..b2e1136 100644 +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -1583,8 +1583,18 @@ static int nfs4_reset_session(struct nfs_client *clp) + + nfs4_begin_drain_session(clp); + status = nfs4_proc_destroy_session(clp->cl_session); +- if (status && status != -NFS4ERR_BADSESSION && +- status != -NFS4ERR_DEADSESSION) { ++ switch (status) { ++ case 0: ++ case -NFS4ERR_BADSESSION: ++ case -NFS4ERR_DEADSESSION: ++ break; ++ case -NFS4ERR_BACK_CHAN_BUSY: ++ case -NFS4ERR_DELAY: ++ set_bit(NFS4CLNT_SESSION_RESET, &clp->cl_state); ++ status = 0; ++ ssleep(1); ++ goto out; ++ default: + status = nfs4_recovery_handle_error(clp, status); + goto out; + } +diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c +index 574d4ee..b367581 100644 +--- a/fs/xfs/xfs_aops.c ++++ b/fs/xfs/xfs_aops.c +@@ -88,11 +88,11 @@ xfs_destroy_ioend( + } + + if (ioend->io_iocb) { ++ inode_dio_done(ioend->io_inode); + if (ioend->io_isasync) { + aio_complete(ioend->io_iocb, ioend->io_error ? + ioend->io_error : ioend->io_result, 0); + } +- inode_dio_done(ioend->io_inode); + } + + mempool_free(ioend, xfs_ioend_pool); +diff --git a/include/linux/efi.h b/include/linux/efi.h +index 1328d8c..1721c41 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -364,17 +364,30 @@ extern int __init efi_setup_pcdp_console(char *); + #endif + + /* +- * We play games with efi_enabled so that the compiler will, if possible, remove +- * EFI-related code altogether. ++ * We play games with efi_enabled so that the compiler will, if ++ * possible, remove EFI-related code altogether. + */ ++#define EFI_BOOT 0 /* Were we booted from EFI? */ ++#define EFI_SYSTEM_TABLES 1 /* Can we use EFI system tables? */ ++#define EFI_CONFIG_TABLES 2 /* Can we use EFI config tables? */ ++#define EFI_RUNTIME_SERVICES 3 /* Can we use runtime services? */ ++#define EFI_MEMMAP 4 /* Can we use EFI memory map? */ ++#define EFI_64BIT 5 /* Is the firmware 64-bit? */ ++ + #ifdef CONFIG_EFI + # ifdef CONFIG_X86 +- extern int efi_enabled; ++extern int efi_enabled(int facility); + # else +-# define efi_enabled 1 ++static inline int efi_enabled(int facility) ++{ ++ return 1; ++} + # endif + #else +-# define efi_enabled 0 ++static inline int efi_enabled(int facility) ++{ ++ return 0; ++} + #endif + + /* +diff --git a/include/linux/serial_core.h b/include/linux/serial_core.h +index eadf33d..8bec265 100644 +--- a/include/linux/serial_core.h ++++ b/include/linux/serial_core.h +@@ -47,7 +47,8 @@ + #define PORT_U6_16550A 19 /* ST-Ericsson U6xxx internal UART */ + #define PORT_TEGRA 20 /* NVIDIA Tegra internal UART */ + #define PORT_XR17D15X 21 /* Exar XR17D15x UART */ +-#define PORT_MAX_8250 21 /* max port ID */ ++#define PORT_BRCM_TRUMANAGE 22 ++#define PORT_MAX_8250 22 /* max port ID */ + + /* + * ARM specific type numbers. These are not currently guaranteed +diff --git a/include/linux/syslog.h b/include/linux/syslog.h +index 3891139..ce4c665 100644 +--- a/include/linux/syslog.h ++++ b/include/linux/syslog.h +@@ -47,6 +47,12 @@ + #define SYSLOG_FROM_CALL 0 + #define SYSLOG_FROM_FILE 1 + ++/* ++ * Syslog priority (PRI) maximum length in char : '<[0-9]{1,3}>' ++ * See RFC5424 for details ++*/ ++#define SYSLOG_PRI_MAX_LENGTH 5 ++ + int do_syslog(int type, char __user *buf, int count, bool from_file); + + #endif /* _LINUX_SYSLOG_H */ +diff --git a/init/main.c b/init/main.c +index cb08fea2..5d0eb1d 100644 +--- a/init/main.c ++++ b/init/main.c +@@ -606,7 +606,7 @@ asmlinkage void __init start_kernel(void) + pidmap_init(); + anon_vma_init(); + #ifdef CONFIG_X86 +- if (efi_enabled) ++ if (efi_enabled(EFI_RUNTIME_SERVICES)) + efi_enter_virtual_mode(); + #endif + thread_info_cache_init(); +diff --git a/kernel/printk.c b/kernel/printk.c +index 7982a0a..c0d12ea 100644 +--- a/kernel/printk.c ++++ b/kernel/printk.c +@@ -633,8 +633,19 @@ static void call_console_drivers(unsigned start, unsigned end) + start_print = start; + while (cur_index != end) { + if (msg_level < 0 && ((end - cur_index) > 2)) { ++ /* ++ * prepare buf_prefix, as a contiguous array, ++ * to be processed by log_prefix function ++ */ ++ char buf_prefix[SYSLOG_PRI_MAX_LENGTH+1]; ++ unsigned i; ++ for (i = 0; i < ((end - cur_index)) && (i < SYSLOG_PRI_MAX_LENGTH); i++) { ++ buf_prefix[i] = LOG_BUF(cur_index + i); ++ } ++ buf_prefix[i] = '\0'; /* force '\0' as last string character */ ++ + /* strip log prefix */ +- cur_index += log_prefix(&LOG_BUF(cur_index), &msg_level, NULL); ++ cur_index += log_prefix((const char *)&buf_prefix, &msg_level, NULL); + start_print = cur_index; + } + while (cur_index != end) { +diff --git a/kernel/smp.c b/kernel/smp.c +index db197d6..9e800b2 100644 +--- a/kernel/smp.c ++++ b/kernel/smp.c +@@ -31,6 +31,7 @@ struct call_function_data { + struct call_single_data csd; + atomic_t refs; + cpumask_var_t cpumask; ++ cpumask_var_t cpumask_ipi; + }; + + static DEFINE_PER_CPU_SHARED_ALIGNED(struct call_function_data, cfd_data); +@@ -54,6 +55,9 @@ hotplug_cfd(struct notifier_block *nfb, unsigned long action, void *hcpu) + if (!zalloc_cpumask_var_node(&cfd->cpumask, GFP_KERNEL, + cpu_to_node(cpu))) + return notifier_from_errno(-ENOMEM); ++ if (!zalloc_cpumask_var_node(&cfd->cpumask_ipi, GFP_KERNEL, ++ cpu_to_node(cpu))) ++ return notifier_from_errno(-ENOMEM); + break; + + #ifdef CONFIG_HOTPLUG_CPU +@@ -63,6 +67,7 @@ hotplug_cfd(struct notifier_block *nfb, unsigned long action, void *hcpu) + case CPU_DEAD: + case CPU_DEAD_FROZEN: + free_cpumask_var(cfd->cpumask); ++ free_cpumask_var(cfd->cpumask_ipi); + break; + #endif + }; +@@ -524,6 +529,12 @@ void smp_call_function_many(const struct cpumask *mask, + return; + } + ++ /* ++ * After we put an entry into the list, data->cpumask ++ * may be cleared again when another CPU sends another IPI for ++ * a SMP function call, so data->cpumask will be zero. ++ */ ++ cpumask_copy(data->cpumask_ipi, data->cpumask); + raw_spin_lock_irqsave(&call_function.lock, flags); + /* + * Place entry at the _HEAD_ of the list, so that any cpu still +@@ -547,7 +558,7 @@ void smp_call_function_many(const struct cpumask *mask, + smp_mb(); + + /* Send a message to all CPUs in the map */ +- arch_send_call_function_ipi_mask(data->cpumask); ++ arch_send_call_function_ipi_mask(data->cpumask_ipi); + + /* Optionally wait for the CPUs to complete */ + if (wait) +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index 54dba59..4b1a96b 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -3482,7 +3482,7 @@ static int ftrace_module_notify(struct notifier_block *self, + + struct notifier_block ftrace_module_nb = { + .notifier_call = ftrace_module_notify, +- .priority = 0, ++ .priority = INT_MAX, /* Run before anything that can use kprobes */ + }; + + extern unsigned long __start_mcount_loc[]; +diff --git a/mm/compaction.c b/mm/compaction.c +index 46973fb..5f8ec82 100644 +--- a/mm/compaction.c ++++ b/mm/compaction.c +@@ -714,14 +714,12 @@ static int compact_node(int nid) + } + + /* Compact all nodes in the system */ +-static int compact_nodes(void) ++static void compact_nodes(void) + { + int nid; + + for_each_online_node(nid) + compact_node(nid); +- +- return COMPACT_COMPLETE; + } + + /* The written value is actually unused, all memory is compacted */ +@@ -732,7 +730,7 @@ int sysctl_compaction_handler(struct ctl_table *table, int write, + void __user *buffer, size_t *length, loff_t *ppos) + { + if (write) +- return compact_nodes(); ++ compact_nodes(); + + return 0; + } +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index a88dded..4d3a697 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -5532,7 +5532,7 @@ static inline int pfn_to_bitidx(struct zone *zone, unsigned long pfn) + pfn &= (PAGES_PER_SECTION-1); + return (pfn >> pageblock_order) * NR_PAGEBLOCK_BITS; + #else +- pfn = pfn - zone->zone_start_pfn; ++ pfn = pfn - round_down(zone->zone_start_pfn, pageblock_nr_pages); + return (pfn >> pageblock_order) * NR_PAGEBLOCK_BITS; + #endif /* CONFIG_SPARSEMEM */ + } +diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c +index 075a3e9..0274157 100644 +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -945,7 +945,7 @@ static int hidp_setup_hid(struct hidp_session *session, + hid->version = req->version; + hid->country = req->country; + +- strncpy(hid->name, req->name, 128); ++ strncpy(hid->name, req->name, sizeof(req->name) - 1); + strncpy(hid->phys, batostr(&bt_sk(session->ctrl_sock->sk)->src), 64); + strncpy(hid->uniq, batostr(&bt_sk(session->ctrl_sock->sk)->dst), 64); + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index 1c775f0..488600c 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1021,7 +1021,7 @@ void sta_info_init(struct ieee80211_local *local) + + void sta_info_stop(struct ieee80211_local *local) + { +- del_timer(&local->sta_cleanup); ++ del_timer_sync(&local->sta_cleanup); + sta_info_flush(local, NULL); + } + +diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c +index 56c3f85..18c5a50 100644 +--- a/net/sunrpc/sched.c ++++ b/net/sunrpc/sched.c +@@ -918,8 +918,7 @@ static void rpc_async_release(struct work_struct *work) + + static void rpc_release_resources_task(struct rpc_task *task) + { +- if (task->tk_rqstp) +- xprt_release(task); ++ xprt_release(task); + if (task->tk_msg.rpc_cred) { + put_rpccred(task->tk_msg.rpc_cred); + task->tk_msg.rpc_cred = NULL; +diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c +index ffba207..6c91208 100644 +--- a/net/sunrpc/xprt.c ++++ b/net/sunrpc/xprt.c +@@ -1132,10 +1132,18 @@ static void xprt_request_init(struct rpc_task *task, struct rpc_xprt *xprt) + void xprt_release(struct rpc_task *task) + { + struct rpc_xprt *xprt; +- struct rpc_rqst *req; ++ struct rpc_rqst *req = task->tk_rqstp; + +- if (!(req = task->tk_rqstp)) ++ if (req == NULL) { ++ if (task->tk_client) { ++ rcu_read_lock(); ++ xprt = rcu_dereference(task->tk_client->cl_xprt); ++ if (xprt->snd_task == task) ++ xprt_release_write(xprt, task); ++ rcu_read_unlock(); ++ } + return; ++ } + + xprt = req->rq_xprt; + rpc_count_iostats(task); +diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c +index 8738def..e76a470 100644 +--- a/security/integrity/evm/evm_crypto.c ++++ b/security/integrity/evm/evm_crypto.c +@@ -175,9 +175,9 @@ int evm_update_evmxattr(struct dentry *dentry, const char *xattr_name, + rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_EVM, + &xattr_data, + sizeof(xattr_data), 0); +- } +- else if (rc == -ENODATA) ++ } else if (rc == -ENODATA && inode->i_op->removexattr) { + rc = inode->i_op->removexattr(dentry, XATTR_NAME_EVM); ++ } + return rc; + } + +diff --git a/sound/arm/pxa2xx-ac97-lib.c b/sound/arm/pxa2xx-ac97-lib.c +index d1aa421..52a4318 100644 +--- a/sound/arm/pxa2xx-ac97-lib.c ++++ b/sound/arm/pxa2xx-ac97-lib.c +@@ -17,6 +17,7 @@ + #include <linux/clk.h> + #include <linux/delay.h> + #include <linux/module.h> ++#include <linux/gpio.h> + + #include <sound/ac97_codec.h> + #include <sound/pxa2xx-lib.h> +@@ -147,6 +148,8 @@ static inline void pxa_ac97_warm_pxa27x(void) + + static inline void pxa_ac97_cold_pxa27x(void) + { ++ unsigned int timeout; ++ + GCR &= GCR_COLD_RST; /* clear everything but nCRST */ + GCR &= ~GCR_COLD_RST; /* then assert nCRST */ + +@@ -156,8 +159,10 @@ static inline void pxa_ac97_cold_pxa27x(void) + clk_enable(ac97conf_clk); + udelay(5); + clk_disable(ac97conf_clk); +- GCR = GCR_COLD_RST; +- udelay(50); ++ GCR = GCR_COLD_RST | GCR_WARM_RST; ++ timeout = 100; /* wait for the codec-ready bit to be set */ ++ while (!((GSR | gsr_bits) & (GSR_PCR | GSR_SCR)) && timeout--) ++ mdelay(1); + } + #endif + +@@ -339,8 +344,21 @@ int __devinit pxa2xx_ac97_hw_probe(struct platform_device *dev) + } + + if (cpu_is_pxa27x()) { +- /* Use GPIO 113 as AC97 Reset on Bulverde */ ++ /* ++ * This gpio is needed for a work-around to a bug in the ac97 ++ * controller during warm reset. The direction and level is set ++ * here so that it is an output driven high when switching from ++ * AC97_nRESET alt function to generic gpio. ++ */ ++ ret = gpio_request_one(reset_gpio, GPIOF_OUT_INIT_HIGH, ++ "pxa27x ac97 reset"); ++ if (ret < 0) { ++ pr_err("%s: gpio_request_one() failed: %d\n", ++ __func__, ret); ++ goto err_conf; ++ } + pxa27x_assert_ac97reset(reset_gpio, 0); ++ + ac97conf_clk = clk_get(&dev->dev, "AC97CONFCLK"); + if (IS_ERR(ac97conf_clk)) { + ret = PTR_ERR(ac97conf_clk); +@@ -383,6 +401,8 @@ EXPORT_SYMBOL_GPL(pxa2xx_ac97_hw_probe); + + void pxa2xx_ac97_hw_remove(struct platform_device *dev) + { ++ if (cpu_is_pxa27x()) ++ gpio_free(reset_gpio); + GCR |= GCR_ACLINK_OFF; + free_irq(IRQ_AC97, NULL); + if (ac97conf_clk) { +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index a1e312f..a166a85 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -569,29 +569,43 @@ static char *driver_short_names[] __devinitdata = { + #define get_azx_dev(substream) (substream->runtime->private_data) + + #ifdef CONFIG_X86 +-static void __mark_pages_wc(struct azx *chip, void *addr, size_t size, bool on) ++static void __mark_pages_wc(struct azx *chip, struct snd_dma_buffer *dmab, bool on) + { ++ int pages; ++ + if (azx_snoop(chip)) + return; +- if (addr && size) { +- int pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT; ++ if (!dmab || !dmab->area || !dmab->bytes) ++ return; ++ ++#ifdef CONFIG_SND_DMA_SGBUF ++ if (dmab->dev.type == SNDRV_DMA_TYPE_DEV_SG) { ++ struct snd_sg_buf *sgbuf = dmab->private_data; + if (on) +- set_memory_wc((unsigned long)addr, pages); ++ set_pages_array_wc(sgbuf->page_table, sgbuf->pages); + else +- set_memory_wb((unsigned long)addr, pages); ++ set_pages_array_wb(sgbuf->page_table, sgbuf->pages); ++ return; + } ++#endif ++ ++ pages = (dmab->bytes + PAGE_SIZE - 1) >> PAGE_SHIFT; ++ if (on) ++ set_memory_wc((unsigned long)dmab->area, pages); ++ else ++ set_memory_wb((unsigned long)dmab->area, pages); + } + + static inline void mark_pages_wc(struct azx *chip, struct snd_dma_buffer *buf, + bool on) + { +- __mark_pages_wc(chip, buf->area, buf->bytes, on); ++ __mark_pages_wc(chip, buf, on); + } + static inline void mark_runtime_wc(struct azx *chip, struct azx_dev *azx_dev, +- struct snd_pcm_runtime *runtime, bool on) ++ struct snd_pcm_substream *substream, bool on) + { + if (azx_dev->wc_marked != on) { +- __mark_pages_wc(chip, runtime->dma_area, runtime->dma_bytes, on); ++ __mark_pages_wc(chip, substream->runtime->dma_buffer_p, on); + azx_dev->wc_marked = on; + } + } +@@ -602,7 +616,7 @@ static inline void mark_pages_wc(struct azx *chip, struct snd_dma_buffer *buf, + { + } + static inline void mark_runtime_wc(struct azx *chip, struct azx_dev *azx_dev, +- struct snd_pcm_runtime *runtime, bool on) ++ struct snd_pcm_substream *substream, bool on) + { + } + #endif +@@ -1776,11 +1790,10 @@ static int azx_pcm_hw_params(struct snd_pcm_substream *substream, + { + struct azx_pcm *apcm = snd_pcm_substream_chip(substream); + struct azx *chip = apcm->chip; +- struct snd_pcm_runtime *runtime = substream->runtime; + struct azx_dev *azx_dev = get_azx_dev(substream); + int ret; + +- mark_runtime_wc(chip, azx_dev, runtime, false); ++ mark_runtime_wc(chip, azx_dev, substream, false); + azx_dev->bufsize = 0; + azx_dev->period_bytes = 0; + azx_dev->format_val = 0; +@@ -1788,7 +1801,7 @@ static int azx_pcm_hw_params(struct snd_pcm_substream *substream, + params_buffer_bytes(hw_params)); + if (ret < 0) + return ret; +- mark_runtime_wc(chip, azx_dev, runtime, true); ++ mark_runtime_wc(chip, azx_dev, substream, true); + return ret; + } + +@@ -1797,7 +1810,6 @@ static int azx_pcm_hw_free(struct snd_pcm_substream *substream) + struct azx_pcm *apcm = snd_pcm_substream_chip(substream); + struct azx_dev *azx_dev = get_azx_dev(substream); + struct azx *chip = apcm->chip; +- struct snd_pcm_runtime *runtime = substream->runtime; + struct hda_pcm_stream *hinfo = apcm->hinfo[substream->stream]; + + /* reset BDL address */ +@@ -1810,7 +1822,7 @@ static int azx_pcm_hw_free(struct snd_pcm_substream *substream) + + snd_hda_codec_cleanup(apcm->codec, hinfo, substream); + +- mark_runtime_wc(chip, azx_dev, runtime, false); ++ mark_runtime_wc(chip, azx_dev, substream, false); + return snd_pcm_lib_free_pages(substream); + } + +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index 498b62e..c9269ce 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -592,24 +592,12 @@ static int conexant_build_controls(struct hda_codec *codec) + return 0; + } + +-#ifdef CONFIG_SND_HDA_POWER_SAVE +-static int conexant_suspend(struct hda_codec *codec, pm_message_t state) +-{ +- snd_hda_shutup_pins(codec); +- return 0; +-} +-#endif +- + static const struct hda_codec_ops conexant_patch_ops = { + .build_controls = conexant_build_controls, + .build_pcms = conexant_build_pcms, + .init = conexant_init, + .free = conexant_free, + .set_power_state = conexant_set_power, +-#ifdef CONFIG_SND_HDA_POWER_SAVE +- .suspend = conexant_suspend, +-#endif +- .reboot_notify = snd_hda_shutup_pins, + }; + + #ifdef CONFIG_SND_HDA_INPUT_BEEP +@@ -4429,10 +4417,6 @@ static const struct hda_codec_ops cx_auto_patch_ops = { + .init = cx_auto_init, + .free = conexant_free, + .unsol_event = cx_auto_unsol_event, +-#ifdef CONFIG_SND_HDA_POWER_SAVE +- .suspend = conexant_suspend, +-#endif +- .reboot_notify = snd_hda_shutup_pins, + }; + + /* +@@ -4614,6 +4598,18 @@ static const struct hda_codec_preset snd_hda_preset_conexant[] = { + .patch = patch_conexant_auto }, + { .id = 0x14f150b9, .name = "CX20665", + .patch = patch_conexant_auto }, ++ { .id = 0x14f1510f, .name = "CX20751/2", ++ .patch = patch_conexant_auto }, ++ { .id = 0x14f15110, .name = "CX20751/2", ++ .patch = patch_conexant_auto }, ++ { .id = 0x14f15111, .name = "CX20753/4", ++ .patch = patch_conexant_auto }, ++ { .id = 0x14f15113, .name = "CX20755", ++ .patch = patch_conexant_auto }, ++ { .id = 0x14f15114, .name = "CX20756", ++ .patch = patch_conexant_auto }, ++ { .id = 0x14f15115, .name = "CX20757", ++ .patch = patch_conexant_auto }, + {} /* terminator */ + }; + +@@ -4634,6 +4630,12 @@ MODULE_ALIAS("snd-hda-codec-id:14f150ab"); + MODULE_ALIAS("snd-hda-codec-id:14f150ac"); + MODULE_ALIAS("snd-hda-codec-id:14f150b8"); + MODULE_ALIAS("snd-hda-codec-id:14f150b9"); ++MODULE_ALIAS("snd-hda-codec-id:14f1510f"); ++MODULE_ALIAS("snd-hda-codec-id:14f15110"); ++MODULE_ALIAS("snd-hda-codec-id:14f15111"); ++MODULE_ALIAS("snd-hda-codec-id:14f15113"); ++MODULE_ALIAS("snd-hda-codec-id:14f15114"); ++MODULE_ALIAS("snd-hda-codec-id:14f15115"); + + MODULE_LICENSE("GPL"); + MODULE_DESCRIPTION("Conexant HD-audio codec"); +diff --git a/sound/soc/codecs/wm2000.c b/sound/soc/codecs/wm2000.c +index a3b9cbb..ba03dc2 100644 +--- a/sound/soc/codecs/wm2000.c ++++ b/sound/soc/codecs/wm2000.c +@@ -224,9 +224,9 @@ static int wm2000_power_up(struct i2c_client *i2c, int analogue) + + ret = wm2000_read(i2c, WM2000_REG_SPEECH_CLARITY); + if (wm2000->speech_clarity) +- ret &= ~WM2000_SPEECH_CLARITY; +- else + ret |= WM2000_SPEECH_CLARITY; ++ else ++ ret &= ~WM2000_SPEECH_CLARITY; + wm2000_write(i2c, WM2000_REG_SPEECH_CLARITY, ret); + + wm2000_write(i2c, WM2000_REG_SYS_START0, 0x33); +diff --git a/sound/soc/codecs/wm5100.c b/sound/soc/codecs/wm5100.c +index 42d9039..a0cda1b 100644 +--- a/sound/soc/codecs/wm5100.c ++++ b/sound/soc/codecs/wm5100.c +@@ -1446,15 +1446,9 @@ static int wm5100_set_fmt(struct snd_soc_dai *dai, unsigned int fmt) + case SND_SOC_DAIFMT_DSP_A: + mask = 0; + break; +- case SND_SOC_DAIFMT_DSP_B: +- mask = 1; +- break; + case SND_SOC_DAIFMT_I2S: + mask = 2; + break; +- case SND_SOC_DAIFMT_LEFT_J: +- mask = 3; +- break; + default: + dev_err(codec->dev, "Unsupported DAI format %d\n", + fmt & SND_SOC_DAIFMT_FORMAT_MASK); +diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c +index 24c5114..9ab2b3e 100644 +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -148,10 +148,8 @@ void snd_usb_release_substream_urbs(struct snd_usb_substream *subs, int force) + int i; + + /* stop urbs (to be sure) */ +- if (!subs->stream->chip->shutdown) { +- deactivate_urbs(subs, force, 1); +- wait_clear_urbs(subs); +- } ++ deactivate_urbs(subs, force, 1); ++ wait_clear_urbs(subs); + + for (i = 0; i < MAX_URBS; i++) + release_urb_ctx(&subs->dataurb[i]); +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index 6730a33..9121dee 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1239,16 +1239,23 @@ static int parse_audio_feature_unit(struct mixer_build *state, int unitid, void + } + channels = (hdr->bLength - 7) / csize - 1; + bmaControls = hdr->bmaControls; ++ if (hdr->bLength < 7 + csize) { ++ snd_printk(KERN_ERR "usbaudio: unit %u: " ++ "invalid UAC_FEATURE_UNIT descriptor\n", ++ unitid); ++ return -EINVAL; ++ } + } else { + struct uac2_feature_unit_descriptor *ftr = _ftr; + csize = 4; + channels = (hdr->bLength - 6) / 4 - 1; + bmaControls = ftr->bmaControls; +- } +- +- if (hdr->bLength < 7 || !csize || hdr->bLength < 7 + csize) { +- snd_printk(KERN_ERR "usbaudio: unit %u: invalid UAC_FEATURE_UNIT descriptor\n", unitid); +- return -EINVAL; ++ if (hdr->bLength < 6 + csize) { ++ snd_printk(KERN_ERR "usbaudio: unit %u: " ++ "invalid UAC_FEATURE_UNIT descriptor\n", ++ unitid); ++ return -EINVAL; ++ } + } + + /* parse the source unit */ +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index a3ddac0..1b275f0 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -383,11 +383,13 @@ static int snd_usb_fasttrackpro_boot_quirk(struct usb_device *dev) + * rules + */ + err = usb_driver_set_configuration(dev, 2); +- if (err < 0) { ++ if (err < 0) + snd_printdd("error usb_driver_set_configuration: %d\n", + err); +- return -ENODEV; +- } ++ /* Always return an error, so that we stop creating a device ++ that will just be destroyed and recreated with a new ++ configuration */ ++ return -ENODEV; + } else + snd_printk(KERN_INFO "usb-audio: Fast Track Pro config OK\n"); + diff --git a/3.2.37/4420_grsecurity-2.9.1-3.2.37-201301311810.patch b/3.2.38/4420_grsecurity-2.9.1-3.2.38-201302071937.patch index aba5725..d72bd5d 100644 --- a/3.2.37/4420_grsecurity-2.9.1-3.2.37-201301311810.patch +++ b/3.2.38/4420_grsecurity-2.9.1-3.2.38-201302071937.patch @@ -255,7 +255,7 @@ index 88fd7f5..b318a78 100644 ============================================================== diff --git a/Makefile b/Makefile -index 21c77e2..30aaeef 100644 +index c8c9d02..7e79e3e 100644 --- a/Makefile +++ b/Makefile @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -1687,7 +1687,7 @@ index b2a27b6..520889c 100644 cmp scno, #NR_syscalls @ check upper syscall limit diff --git a/arch/arm/kernel/head.S b/arch/arm/kernel/head.S -index 08c82fd..647a3c7 100644 +index 3606e85..44ba19d 100644 --- a/arch/arm/kernel/head.S +++ b/arch/arm/kernel/head.S @@ -46,7 +46,9 @@ @@ -1702,7 +1702,7 @@ index 08c82fd..647a3c7 100644 #ifdef CONFIG_XIP_KERNEL diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c -index e68d251..b70de67 100644 +index e68d251..c950684 100644 --- a/arch/arm/kernel/process.c +++ b/arch/arm/kernel/process.c @@ -28,7 +28,6 @@ @@ -1739,6 +1739,17 @@ index e68d251..b70de67 100644 } void machine_restart(char *cmd) +@@ -268,8 +268,8 @@ void __show_regs(struct pt_regs *regs) + init_utsname()->release, + (int)strcspn(init_utsname()->version, " "), + init_utsname()->version); +- print_symbol("PC is at %s\n", instruction_pointer(regs)); +- print_symbol("LR is at %s\n", regs->ARM_lr); ++ printk("PC is at %pA\n", instruction_pointer(regs)); ++ printk("LR is at %pA\n", regs->ARM_lr); + printk("pc : [<%08lx>] lr : [<%08lx>] psr: %08lx\n" + "sp : %08lx ip : %08lx fp : %08lx\n", + regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr, @@ -486,12 +486,6 @@ unsigned long get_wchan(struct task_struct *p) return 0; } @@ -1777,9 +1788,18 @@ index 90fa8b3..a3a2212 100644 return scno; if (!(current->ptrace & PT_PTRACED)) diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c -index 7ac5dfd..cbbbd34 100644 +index 7ac5dfd..0ce09c2 100644 --- a/arch/arm/kernel/traps.c +++ b/arch/arm/kernel/traps.c +@@ -57,7 +57,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long); + void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame) + { + #ifdef CONFIG_KALLSYMS +- printk("[<%08lx>] (%pS) from [<%08lx>] (%pS)\n", where, (void *)where, from, (void *)from); ++ printk("[<%08lx>] (%pA) from [<%08lx>] (%pA)\n", where, (void *)where, from, (void *)from); + #else + printk("Function entered at [<%08lx>] from [<%08lx>]\n", where, from); + #endif @@ -259,6 +259,8 @@ static int __die(const char *str, int err, struct thread_info *thread, struct pt static DEFINE_RAW_SPINLOCK(die_lock); @@ -15327,7 +15347,7 @@ index cd28a35..c72ed9a 100644 #include <asm/processor.h> #include <asm/fcntl.h> diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S -index 4893d58..0152a42 100644 +index d2d488b8..a4f589f 100644 --- a/arch/x86/kernel/entry_32.S +++ b/arch/x86/kernel/entry_32.S @@ -180,13 +180,153 @@ @@ -16010,7 +16030,7 @@ index 4893d58..0152a42 100644 /* * End of kprobes section */ -@@ -1114,7 +1379,7 @@ BUILD_INTERRUPT3(xen_hvm_callback_vector, XEN_HVM_EVTCHN_CALLBACK, +@@ -1113,7 +1378,7 @@ BUILD_INTERRUPT3(xen_hvm_callback_vector, XEN_HVM_EVTCHN_CALLBACK, ENTRY(mcount) ret @@ -16019,7 +16039,7 @@ index 4893d58..0152a42 100644 ENTRY(ftrace_caller) cmpl $0, function_trace_stop -@@ -1143,7 +1408,7 @@ ftrace_graph_call: +@@ -1142,7 +1407,7 @@ ftrace_graph_call: .globl ftrace_stub ftrace_stub: ret @@ -16028,7 +16048,7 @@ index 4893d58..0152a42 100644 #else /* ! CONFIG_DYNAMIC_FTRACE */ -@@ -1179,7 +1444,7 @@ trace: +@@ -1178,7 +1443,7 @@ trace: popl %ecx popl %eax jmp ftrace_stub @@ -16037,7 +16057,7 @@ index 4893d58..0152a42 100644 #endif /* CONFIG_DYNAMIC_FTRACE */ #endif /* CONFIG_FUNCTION_TRACER */ -@@ -1200,7 +1465,7 @@ ENTRY(ftrace_graph_caller) +@@ -1199,7 +1464,7 @@ ENTRY(ftrace_graph_caller) popl %ecx popl %eax ret @@ -16046,7 +16066,7 @@ index 4893d58..0152a42 100644 .globl return_to_handler return_to_handler: -@@ -1214,7 +1479,6 @@ return_to_handler: +@@ -1213,7 +1478,6 @@ return_to_handler: jmp *%ecx #endif @@ -16054,7 +16074,7 @@ index 4893d58..0152a42 100644 #include "syscall_table_32.S" syscall_table_size=(.-sys_call_table) -@@ -1260,15 +1524,18 @@ error_code: +@@ -1259,15 +1523,18 @@ error_code: movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart REG_TO_PTGS %ecx SET_KERNEL_GS %ecx @@ -16075,7 +16095,7 @@ index 4893d58..0152a42 100644 /* * Debug traps and NMI can happen at the one SYSENTER instruction -@@ -1310,7 +1577,7 @@ debug_stack_correct: +@@ -1309,7 +1576,7 @@ debug_stack_correct: call do_debug jmp ret_from_exception CFI_ENDPROC @@ -16084,7 +16104,7 @@ index 4893d58..0152a42 100644 /* * NMI is doubly nasty. It can happen _while_ we're handling -@@ -1347,6 +1614,9 @@ nmi_stack_correct: +@@ -1346,6 +1613,9 @@ nmi_stack_correct: xorl %edx,%edx # zero error code movl %esp,%eax # pt_regs pointer call do_nmi @@ -16094,7 +16114,7 @@ index 4893d58..0152a42 100644 jmp restore_all_notrace CFI_ENDPROC -@@ -1383,12 +1653,15 @@ nmi_espfix_stack: +@@ -1382,12 +1652,15 @@ nmi_espfix_stack: FIXUP_ESPFIX_STACK # %eax == %esp xorl %edx,%edx # zero error code call do_nmi @@ -16111,7 +16131,7 @@ index 4893d58..0152a42 100644 ENTRY(int3) RING0_INT_FRAME -@@ -1400,14 +1673,14 @@ ENTRY(int3) +@@ -1399,14 +1672,14 @@ ENTRY(int3) call do_int3 jmp ret_from_exception CFI_ENDPROC @@ -16128,7 +16148,7 @@ index 4893d58..0152a42 100644 #ifdef CONFIG_KVM_GUEST ENTRY(async_page_fault) -@@ -1415,7 +1688,7 @@ ENTRY(async_page_fault) +@@ -1414,7 +1687,7 @@ ENTRY(async_page_fault) pushl_cfi $do_async_page_fault jmp error_code CFI_ENDPROC @@ -18884,20 +18904,6 @@ index 925179f..59bfaa1 100644 #if 0 if ((s64)val != *(s32 *)loc) goto overflow; -diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c -index 12fcbe2..f7d1a64 100644 ---- a/arch/x86/kernel/msr.c -+++ b/arch/x86/kernel/msr.c -@@ -175,6 +175,9 @@ static int msr_open(struct inode *inode, struct file *file) - unsigned int cpu; - struct cpuinfo_x86 *c; - -+ if (!capable(CAP_SYS_RAWIO)) -+ return -EPERM; -+ - cpu = iminor(file->f_path.dentry->d_inode); - if (cpu >= nr_cpu_ids || !cpu_online(cpu)) - return -ENXIO; /* No such CPU */ diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c index e88f37b..1353db6 100644 --- a/arch/x86/kernel/nmi.c @@ -19543,7 +19549,7 @@ index 42eb330..139955c 100644 return ret; diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c -index e61f79c..0f9624f 100644 +index 47f4e5f..f8abbbc 100644 --- a/arch/x86/kernel/reboot.c +++ b/arch/x86/kernel/reboot.c @@ -35,7 +35,7 @@ void (*pm_power_off)(void); @@ -19708,7 +19714,7 @@ index 7a6f3b3..bed145d7 100644 1: diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 0d403aa..42a31fa 100644 +index b506f41..b17974e 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -447,7 +447,7 @@ static void __init parse_setup_data(void) @@ -19720,16 +19726,17 @@ index 0d403aa..42a31fa 100644 break; case SETUP_DTB: add_dtb(pa_data); -@@ -650,7 +650,7 @@ static void __init trim_bios_range(void) +@@ -727,8 +727,7 @@ static void __init trim_bios_range(void) * area (640->1Mb) as ram even though it is not. * take them out. */ - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1); +- + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1); sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map); } -@@ -773,14 +773,14 @@ void __init setup_arch(char **cmdline_p) +@@ -852,14 +851,14 @@ void __init setup_arch(char **cmdline_p) if (!boot_params.hdr.root_flags) root_mountflags &= ~MS_RDONLY; @@ -20531,7 +20538,7 @@ index 09ff517..df19fbff 100644 .short 0 .quad 0x00cf9b000000ffff # __KERNEL32_CS diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c -index 31d9d0f..817ef73 100644 +index e6fbb94..877c934 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -70,12 +70,6 @@ asmlinkage int system_call(void); @@ -20602,7 +20609,7 @@ index 31d9d0f..817ef73 100644 return; #ifdef CONFIG_X86_32 -@@ -255,14 +261,30 @@ do_general_protection(struct pt_regs *regs, long error_code) +@@ -259,14 +265,30 @@ do_general_protection(struct pt_regs *regs, long error_code) conditional_sti(regs); #ifdef CONFIG_X86_32 @@ -20633,11 +20640,11 @@ index 31d9d0f..817ef73 100644 +#endif + tsk->thread.error_code = error_code; - tsk->thread.trap_no = 13; + tsk->thread.trap_no = X86_TRAP_GP; -@@ -295,6 +317,13 @@ gp_in_kernel: - if (notify_die(DIE_GPF, "general protection fault", regs, - error_code, 13, SIGSEGV) == NOTIFY_STOP) +@@ -299,6 +321,13 @@ gp_in_kernel: + if (notify_die(DIE_GPF, "general protection fault", regs, error_code, + X86_TRAP_GP, SIGSEGV) == NOTIFY_STOP) return; + +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) @@ -20649,16 +20656,20 @@ index 31d9d0f..817ef73 100644 die("general protection fault", regs, error_code); } -@@ -414,7 +443,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) +@@ -419,9 +448,9 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) /* It's safe to allow irq's after DR6 has been saved */ preempt_conditional_sti(regs); - if (regs->flags & X86_VM_MASK) { +- handle_vm86_trap((struct kernel_vm86_regs *) regs, error_code, +- X86_TRAP_DB); + if (v8086_mode(regs)) { - handle_vm86_trap((struct kernel_vm86_regs *) regs, - error_code, 1); ++ handle_vm86_trap((struct kernel_vm86_regs *) regs, ++ error_code, X86_TRAP_DB); preempt_conditional_cli(regs); -@@ -428,7 +457,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) + return; + } +@@ -433,7 +462,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) * We already checked v86 mode above, so we can check for kernel mode * by just checking the CPL of CS. */ @@ -20667,7 +20678,7 @@ index 31d9d0f..817ef73 100644 tsk->thread.debugreg6 &= ~DR_STEP; set_tsk_thread_flag(tsk, TIF_SINGLESTEP); regs->flags &= ~X86_EFLAGS_TF; -@@ -457,7 +486,7 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr) +@@ -463,7 +492,7 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr) return; conditional_sti(regs); @@ -20676,7 +20687,7 @@ index 31d9d0f..817ef73 100644 { if (!fixup_exception(regs)) { task->thread.error_code = error_code; -@@ -569,8 +598,8 @@ asmlinkage void __attribute__((weak)) smp_threshold_interrupt(void) +@@ -576,8 +605,8 @@ asmlinkage void __attribute__((weak)) smp_threshold_interrupt(void) void __math_state_restore(struct task_struct *tsk) { /* We need a safe address that is cheap to find and that is already @@ -24542,7 +24553,7 @@ index d0474ad..36e9257 100644 extern u32 pnp_bios_is_utter_crap; pnp_bios_is_utter_crap = 1; diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c -index 5db0490..2ddce45 100644 +index 5db0490..ec12014 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c @@ -13,11 +13,18 @@ @@ -24744,10 +24755,12 @@ index 5db0490..2ddce45 100644 printk(KERN_ALERT "BUG: unable to handle kernel "); if (address < PAGE_SIZE) printk(KERN_CONT "NULL pointer dereference"); -@@ -739,6 +820,21 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, +@@ -739,12 +820,30 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, } #endif +- if (unlikely(show_unhandled_signals)) +- show_signal_msg(regs, error_code, address, tsk); +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) + if (pax_is_fetch_fault(regs, error_code, address)) { + @@ -24762,11 +24775,21 @@ index 5db0490..2ddce45 100644 + do_group_exit(SIGKILL); + } +#endif + + /* Kernel addresses are always protection faults: */ ++ if (address >= TASK_SIZE) ++ error_code |= PF_PROT; ++ ++ if (show_unhandled_signals) ++ show_signal_msg(regs, error_code, address, tsk); + - if (unlikely(show_unhandled_signals)) - show_signal_msg(regs, error_code, address, tsk); + tsk->thread.cr2 = address; +- tsk->thread.error_code = error_code | (address >= TASK_SIZE); ++ tsk->thread.error_code = error_code; + tsk->thread.trap_no = 14; -@@ -835,7 +931,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address, + force_sig_info_fault(SIGSEGV, si_code, address, tsk, 0); +@@ -835,7 +934,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address, if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) { printk(KERN_ERR "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n", @@ -24775,7 +24798,7 @@ index 5db0490..2ddce45 100644 code = BUS_MCEERR_AR; } #endif -@@ -890,6 +986,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte) +@@ -890,6 +989,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte) return 1; } @@ -24875,7 +24898,7 @@ index 5db0490..2ddce45 100644 /* * Handle a spurious fault caused by a stale TLB entry. * -@@ -962,6 +1151,9 @@ int show_unhandled_signals = 1; +@@ -962,6 +1154,9 @@ int show_unhandled_signals = 1; static inline int access_error(unsigned long error_code, struct vm_area_struct *vma) { @@ -24885,7 +24908,7 @@ index 5db0490..2ddce45 100644 if (error_code & PF_WRITE) { /* write, present and write, not present: */ if (unlikely(!(vma->vm_flags & VM_WRITE))) -@@ -995,18 +1187,32 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) +@@ -995,18 +1190,32 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) { struct vm_area_struct *vma; struct task_struct *tsk; @@ -24923,7 +24946,7 @@ index 5db0490..2ddce45 100644 /* * Detect and handle instructions that would cause a page fault for -@@ -1067,7 +1273,7 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) +@@ -1067,7 +1276,7 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) * User-mode registers count as a user access even for any * potential system fault or CPU buglet: */ @@ -24932,7 +24955,7 @@ index 5db0490..2ddce45 100644 local_irq_enable(); error_code |= PF_USER; } else { -@@ -1122,6 +1328,11 @@ retry: +@@ -1122,6 +1331,11 @@ retry: might_sleep(); } @@ -24944,7 +24967,7 @@ index 5db0490..2ddce45 100644 vma = find_vma(mm, address); if (unlikely(!vma)) { bad_area(regs, error_code, address); -@@ -1133,18 +1344,24 @@ retry: +@@ -1133,18 +1347,24 @@ retry: bad_area(regs, error_code, address); return; } @@ -24980,7 +25003,7 @@ index 5db0490..2ddce45 100644 if (unlikely(expand_stack(vma, address))) { bad_area(regs, error_code, address); return; -@@ -1199,3 +1416,292 @@ good_area: +@@ -1199,3 +1419,292 @@ good_area: up_read(&mm->mmap_sem); } @@ -27693,11 +27716,11 @@ index 4c262f6..01f170b 100644 xen_setup_acpi_sci(); __acpi_register_gsi = acpi_register_gsi_xen; diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c -index 4d320b2..e9cf650 100644 +index bef9991..ca3dab1 100644 --- a/arch/x86/platform/efi/efi.c +++ b/arch/x86/platform/efi/efi.c -@@ -572,8 +572,8 @@ void __init efi_init(void) - do_add_efi_memmap(); +@@ -596,8 +596,8 @@ void __init efi_init(void) + set_bit(EFI_MEMMAP, &x86_efi_facility); #ifdef CONFIG_X86_32 - x86_platform.get_wallclock = efi_get_time; @@ -29949,7 +29972,7 @@ index 3d0c2b0..45441fa 100644 vcc->tx_quota = vcc->tx_quota * 3 / 4; printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota ); diff --git a/drivers/atm/lanai.c b/drivers/atm/lanai.c -index f556969..0da15eb 100644 +index f5569699..0da15eb 100644 --- a/drivers/atm/lanai.c +++ b/drivers/atm/lanai.c @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct lanai_dev *lanai, @@ -31615,7 +31638,7 @@ index 6ffb6d2..383d8d7 100644 PCI_VEND_DEV(INTEL, 7205_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0, E7205}, diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c -index 495198a..ac08c85 100644 +index 8cc8676..f46ebc8 100644 --- a/drivers/edac/edac_pci_sysfs.c +++ b/drivers/edac/edac_pci_sysfs.c @@ -26,8 +26,8 @@ static int edac_pci_log_pe = 1; /* log PCI parity errors */ @@ -31948,10 +31971,10 @@ index b45be57..5fad18b 100644 void fw_card_initialize(struct fw_card *card, const struct fw_card_driver *driver, struct device *device); diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c -index b298158..7ed8432 100644 +index 982f1f5..d21e5da 100644 --- a/drivers/firmware/dmi_scan.c +++ b/drivers/firmware/dmi_scan.c -@@ -452,11 +452,6 @@ void __init dmi_scan_machine(void) +@@ -491,11 +491,6 @@ void __init dmi_scan_machine(void) } } else { @@ -31963,7 +31986,7 @@ index b298158..7ed8432 100644 p = dmi_ioremap(0xF0000, 0x10000); if (p == NULL) goto error; -@@ -726,7 +721,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *), +@@ -770,7 +765,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *), if (buf == NULL) return -1; @@ -31973,7 +31996,7 @@ index b298158..7ed8432 100644 iounmap(buf); return 0; diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c -index 3e60e8d..2a9e727 100644 +index 5d5a868..4c9ec84 100644 --- a/drivers/firmware/efivars.c +++ b/drivers/firmware/efivars.c @@ -1232,9 +1232,9 @@ efivars_init(void) @@ -32394,10 +32417,10 @@ index c9339f4..f5e1b9d 100644 int front_offset; } drm_i810_private_t; diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c -index d00f905..c84a0d8 100644 +index 10fe480..4659c41 100644 --- a/drivers/gpu/drm/i915/i915_debugfs.c +++ b/drivers/gpu/drm/i915/i915_debugfs.c -@@ -499,7 +499,7 @@ static int i915_interrupt_info(struct seq_file *m, void *data) +@@ -500,7 +500,7 @@ static int i915_interrupt_info(struct seq_file *m, void *data) I915_READ(GTIMR)); } seq_printf(m, "Interrupts received: %d\n", @@ -32406,7 +32429,7 @@ index d00f905..c84a0d8 100644 for (i = 0; i < I915_NUM_RINGS; i++) { if (IS_GEN6(dev) || IS_GEN7(dev)) { seq_printf(m, "Graphics Interrupt mask (%s): %08x\n", -@@ -1232,7 +1232,7 @@ static int i915_opregion(struct seq_file *m, void *unused) +@@ -1234,7 +1234,7 @@ static int i915_opregion(struct seq_file *m, void *unused) return ret; if (opregion->header) @@ -32460,7 +32483,7 @@ index 012a9d2..3b2267c 100644 return container_of(adapter, struct intel_gmbus, adapter)->force_bit; } diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c -index 1202198..6487397 100644 +index 878b989..ea158f5 100644 --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c @@ -189,7 +189,7 @@ i915_gem_object_set_to_gpu_domain(struct drm_i915_gem_object *obj, @@ -32472,7 +32495,7 @@ index 1202198..6487397 100644 /* The actual obj->write_domain will be updated with * pending_write_domain after we emit the accumulated flush for all -@@ -883,9 +883,9 @@ i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec) +@@ -904,9 +904,9 @@ i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec) static int validate_exec_list(struct drm_i915_gem_exec_object2 *exec, @@ -32534,7 +32557,7 @@ index 93e74fb..4a1182d 100644 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func); INIT_WORK(&dev_priv->error_work, i915_error_work_func); diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index fa9639b..2180f44 100644 +index c05e825..b086c8c 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c @@ -2214,7 +2214,7 @@ intel_finish_fb(struct drm_framebuffer *old_fb) @@ -33059,10 +33082,10 @@ index a2e1eae..8e4a0ec 100644 return 0; diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c -index c5762e3..987ff1d 100644 +index bd959c1..46dba3b 100644 --- a/drivers/gpu/drm/radeon/radeon_device.c +++ b/drivers/gpu/drm/radeon/radeon_device.c -@@ -687,7 +687,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev) +@@ -688,7 +688,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev) bool can_switch; spin_lock(&dev->count_lock); @@ -34967,10 +34990,10 @@ index ba70058..571d25d 100644 serio->dev.release = serio_release_port; serio->dev.groups = serio_device_attr_groups; diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c -index ef2d493..bf04ef6 100644 +index 62a4d5c..84c482a 100644 --- a/drivers/iommu/amd_iommu_init.c +++ b/drivers/iommu/amd_iommu_init.c -@@ -1468,7 +1468,7 @@ static int __init amd_iommu_init(void) +@@ -1502,7 +1502,7 @@ static int __init amd_iommu_init(void) register_syscore_ops(&amd_iommu_syscore_ops); @@ -34979,7 +35002,7 @@ index ef2d493..bf04ef6 100644 if (iommu_pass_through) goto out; -@@ -1538,7 +1538,7 @@ int __init amd_iommu_detect(void) +@@ -1572,7 +1572,7 @@ int __init amd_iommu_detect(void) if (acpi_table_parse("IVRS", early_amd_iommu_detect) == 0) { iommu_detected = 1; amd_iommu_detected = 1; @@ -37963,7 +37986,7 @@ index f5ae3c6..7936af3 100644 static u16 ar9003_calc_ptr_chksum(struct ar9003_txc *ads) diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h -index a5c4ba8..1aff36c 100644 +index 0c65a09..313fb6d 100644 --- a/drivers/net/wireless/ath/ath9k/hw.h +++ b/drivers/net/wireless/ath/ath9k/hw.h @@ -606,7 +606,7 @@ struct ath_hw_private_ops { @@ -38492,7 +38515,7 @@ index 76ba8a1..20ca857 100644 /* initialize our int15 lock */ diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c -index 2275162..95f1a92 100644 +index c73ed00..cc3edec 100644 --- a/drivers/pci/pcie/aspm.c +++ b/drivers/pci/pcie/aspm.c @@ -27,9 +27,9 @@ @@ -40012,7 +40035,7 @@ index 2ee97e2..0420b86 100644 hcd->power_budget = 0; /* no limit */ diff --git a/drivers/staging/usbip/vhci_rx.c b/drivers/staging/usbip/vhci_rx.c -index 3872b8c..fe6d2f4 100644 +index 1a7afaa..e7dafbb 100644 --- a/drivers/staging/usbip/vhci_rx.c +++ b/drivers/staging/usbip/vhci_rx.c @@ -77,7 +77,7 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev, @@ -40171,7 +40194,7 @@ index 6845228..df77141 100644 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count); diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c -index 34d114a..0e95a43 100644 +index 9176b2e..0859fe0 100644 --- a/drivers/target/target_core_transport.c +++ b/drivers/target/target_core_transport.c @@ -1343,7 +1343,7 @@ struct se_device *transport_add_device_to_core_hba( @@ -59804,10 +59827,10 @@ index 0000000..bc0be01 +} diff --git a/grsecurity/grsec_chroot.c b/grsecurity/grsec_chroot.c new file mode 100644 -index 0000000..a2dc675 +index 0000000..9ab3ba3 --- /dev/null +++ b/grsecurity/grsec_chroot.c -@@ -0,0 +1,351 @@ +@@ -0,0 +1,340 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -59895,17 +59918,6 @@ index 0000000..a2dc675 +} + +int -+gr_handle_chroot_rawio(const struct inode *inode) -+{ -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS -+ if (grsec_enable_chroot_caps && proc_is_chrooted(current) && -+ inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO)) -+ return 1; -+#endif -+ return 0; -+} -+ -+int +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK @@ -68744,7 +68756,7 @@ index 2531811..040d4d4 100644 next_state = Reset; return 0; diff --git a/init/main.c b/init/main.c -index cb08fea2..b5f96d5 100644 +index 5d0eb1d..7b1084c 100644 --- a/init/main.c +++ b/init/main.c @@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void) { } @@ -71927,7 +71939,7 @@ index 3d4b954..11af930 100644 if (pm_wakeup_pending()) { diff --git a/kernel/printk.c b/kernel/printk.c -index 7982a0a..2095fdc 100644 +index c0d12ea..5ac488d 100644 --- a/kernel/printk.c +++ b/kernel/printk.c @@ -313,6 +313,11 @@ static int check_syslog_permissions(int type, bool from_file) @@ -72983,10 +72995,10 @@ index 08e0b97..e3ad9b7 100644 error = check_kill_permission(sig, info, p); /* diff --git a/kernel/smp.c b/kernel/smp.c -index db197d6..17aef0b 100644 +index 9e800b2..451c00b 100644 --- a/kernel/smp.c +++ b/kernel/smp.c -@@ -580,22 +580,22 @@ int smp_call_function(smp_call_func_t func, void *info, int wait) +@@ -591,22 +591,22 @@ int smp_call_function(smp_call_func_t func, void *info, int wait) } EXPORT_SYMBOL(smp_call_function); @@ -73845,7 +73857,7 @@ index 16fc34a..efd8bb8 100644 ret = -EIO; bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt, diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c -index 54dba59..1690055 100644 +index 4b1a96b..1690055 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -1587,12 +1587,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec) @@ -73877,15 +73889,6 @@ index 54dba59..1690055 100644 { struct ftrace_func_probe *entry; struct ftrace_page *pg; -@@ -3482,7 +3487,7 @@ static int ftrace_module_notify(struct notifier_block *self, - - struct notifier_block ftrace_module_nb = { - .notifier_call = ftrace_module_notify, -- .priority = 0, -+ .priority = INT_MAX, /* Run before anything that can use kprobes */ - }; - - extern unsigned long __start_mcount_loc[]; @@ -3968,8 +3973,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write, #ifdef CONFIG_FUNCTION_GRAPH_TRACER @@ -78030,7 +78033,7 @@ index f59e170..34e2a2b 100644 new->vm_region = region; diff --git a/mm/page_alloc.c b/mm/page_alloc.c -index a88dded..f9a07d2 100644 +index 4d3a697..29ecee3 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -341,7 +341,7 @@ out: @@ -83642,7 +83645,7 @@ index 68879db..ed22cd4 100644 set_fs(KERNEL_DS); if (level == SOL_SOCKET) diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c -index 56c3f85..434bb1f 100644 +index 18c5a50..775f9f9 100644 --- a/net/sunrpc/sched.c +++ b/net/sunrpc/sched.c @@ -238,9 +238,9 @@ static int rpc_wait_bit_killable(void *word) @@ -84604,10 +84607,10 @@ index 38f6617..e70b72b 100755 exuberant() diff --git a/security/Kconfig b/security/Kconfig -index 51bd5a0..6a9a9a2 100644 +index 51bd5a0..740de0b 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,896 @@ +@@ -4,6 +4,902 @@ menu "Security options" @@ -85456,6 +85459,12 @@ index 51bd5a0..6a9a9a2 100644 + Since this has a negligible performance impact, you should enable + this feature. + ++ ++config PAX_USERCOPY_DEBUG ++ bool ++ depends on X86 && PAX_USERCOPY ++ default n ++ +config PAX_SIZE_OVERFLOW + bool "Prevent various integer overflows in function size parameters" + default y if GRKERNSEC_CONFIG_AUTO @@ -85504,7 +85513,7 @@ index 51bd5a0..6a9a9a2 100644 config KEYS bool "Enable access key retention support" help -@@ -169,7 +1059,7 @@ config INTEL_TXT +@@ -169,7 +1065,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX diff --git a/3.2.37/4425_grsec_remove_EI_PAX.patch b/3.2.38/4425_grsec_remove_EI_PAX.patch index 97e6951..97e6951 100644 --- a/3.2.37/4425_grsec_remove_EI_PAX.patch +++ b/3.2.38/4425_grsec_remove_EI_PAX.patch diff --git a/3.2.37/4430_grsec-remove-localversion-grsec.patch b/3.2.38/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.2.37/4430_grsec-remove-localversion-grsec.patch +++ b/3.2.38/4430_grsec-remove-localversion-grsec.patch diff --git a/3.2.37/4435_grsec-mute-warnings.patch b/3.2.38/4435_grsec-mute-warnings.patch index e85abd6..e85abd6 100644 --- a/3.2.37/4435_grsec-mute-warnings.patch +++ b/3.2.38/4435_grsec-mute-warnings.patch diff --git a/3.2.37/4440_grsec-remove-protected-paths.patch b/3.2.38/4440_grsec-remove-protected-paths.patch index 637934a..637934a 100644 --- a/3.2.37/4440_grsec-remove-protected-paths.patch +++ b/3.2.38/4440_grsec-remove-protected-paths.patch diff --git a/3.2.37/4450_grsec-kconfig-default-gids.patch b/3.2.38/4450_grsec-kconfig-default-gids.patch index 3dfdc8f..3dfdc8f 100644 --- a/3.2.37/4450_grsec-kconfig-default-gids.patch +++ b/3.2.38/4450_grsec-kconfig-default-gids.patch diff --git a/3.2.37/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.38/4465_selinux-avc_audit-log-curr_ip.patch index a7cc9cd..a7cc9cd 100644 --- a/3.2.37/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.2.38/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.2.37/4470_disable-compat_vdso.patch b/3.2.38/4470_disable-compat_vdso.patch index 4742d01..4742d01 100644 --- a/3.2.37/4470_disable-compat_vdso.patch +++ b/3.2.38/4470_disable-compat_vdso.patch diff --git a/3.7.5/0000_README b/3.7.6/0000_README index cecc634..b0c037f 100644 --- a/3.7.5/0000_README +++ b/3.7.6/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.9.1-3.7.5-201301311811.patch +Patch: 4420_grsecurity-2.9.1-3.7.6-201302071938.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.7.5/4420_grsecurity-2.9.1-3.7.5-201301311811.patch b/3.7.6/4420_grsecurity-2.9.1-3.7.6-201302071938.patch index 1a84583..9602583 100644 --- a/3.7.5/4420_grsecurity-2.9.1-3.7.5-201301311811.patch +++ b/3.7.6/4420_grsecurity-2.9.1-3.7.6-201302071938.patch @@ -251,7 +251,7 @@ index 9776f06..18b1856 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index ecf87b1..f0c8483 100644 +index b6de2ea..5ba90ee 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -1537,6 +1537,19 @@ index 83eb2f7..ed77159 100644 +#define KM_TYPE_NR 17 #endif +diff --git a/arch/arm/include/asm/mach/dma.h b/arch/arm/include/asm/mach/dma.h +index 9e614a1..3302cca 100644 +--- a/arch/arm/include/asm/mach/dma.h ++++ b/arch/arm/include/asm/mach/dma.h +@@ -22,7 +22,7 @@ struct dma_ops { + int (*residue)(unsigned int, dma_t *); /* optional */ + int (*setspeed)(unsigned int, dma_t *, int); /* optional */ + const char *type; +-}; ++} __do_const; + + struct dma_struct { + void *addr; /* single DMA address */ diff --git a/arch/arm/include/asm/mach/map.h b/arch/arm/include/asm/mach/map.h index 195ac2f..2272f0d 100644 --- a/arch/arm/include/asm/mach/map.h @@ -1578,19 +1591,18 @@ index 812a494..71fc0b6 100644 #ifdef MULTI_USER extern struct cpu_user_fns cpu_user; diff --git a/arch/arm/include/asm/pgalloc.h b/arch/arm/include/asm/pgalloc.h -index 943504f..1ad2de8 100644 +index 943504f..84d0f84 100644 --- a/arch/arm/include/asm/pgalloc.h +++ b/arch/arm/include/asm/pgalloc.h -@@ -22,7 +22,7 @@ - - #ifdef CONFIG_MMU +@@ -17,6 +17,7 @@ + #include <asm/processor.h> + #include <asm/cacheflush.h> + #include <asm/tlbflush.h> ++#include <asm/system_info.h> --#define _PAGE_USER_TABLE (PMD_TYPE_TABLE | PMD_BIT4 | PMD_DOMAIN(DOMAIN_USER)) -+#define _PAGE_USER_TABLE (PMD_TYPE_TABLE | PMD_PXNTABLE | PMD_BIT4 | PMD_DOMAIN(DOMAIN_USER)) - #define _PAGE_KERNEL_TABLE (PMD_TYPE_TABLE | PMD_BIT4 | PMD_DOMAIN(DOMAIN_KERNEL)) + #define check_pgt_cache() do { } while (0) - #ifdef CONFIG_ARM_LPAE -@@ -43,6 +43,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd) +@@ -43,6 +44,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd) set_pud(pud, __pud(__pa(pmd) | PMD_TYPE_TABLE)); } @@ -1602,7 +1614,7 @@ index 943504f..1ad2de8 100644 #else /* !CONFIG_ARM_LPAE */ /* -@@ -51,6 +56,7 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd) +@@ -51,6 +57,7 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd) #define pmd_alloc_one(mm,addr) ({ BUG(); ((pmd_t *)2); }) #define pmd_free(mm, pmd) do { } while (0) #define pud_populate(mm,pmd,pte) BUG() @@ -1610,7 +1622,7 @@ index 943504f..1ad2de8 100644 #endif /* CONFIG_ARM_LPAE */ -@@ -126,6 +132,16 @@ static inline void pte_free(struct mm_struct *mm, pgtable_t pte) +@@ -126,6 +133,16 @@ static inline void pte_free(struct mm_struct *mm, pgtable_t pte) __free_page(pte); } @@ -1627,6 +1639,15 @@ index 943504f..1ad2de8 100644 static inline void __pmd_populate(pmd_t *pmdp, phys_addr_t pte, pmdval_t prot) { +@@ -155,7 +172,7 @@ pmd_populate_kernel(struct mm_struct *mm, pmd_t *pmdp, pte_t *ptep) + static inline void + pmd_populate(struct mm_struct *mm, pmd_t *pmdp, pgtable_t ptep) + { +- __pmd_populate(pmdp, page_to_phys(ptep), _PAGE_USER_TABLE); ++ __pmd_populate(pmdp, page_to_phys(ptep), _PAGE_USER_TABLE | __supported_pmd_mask); + } + #define pmd_pgtable(pmd) pmd_page(pmd) + diff --git a/arch/arm/include/asm/pgtable-2level-hwdef.h b/arch/arm/include/asm/pgtable-2level-hwdef.h index 5cfba15..d437dc2 100644 --- a/arch/arm/include/asm/pgtable-2level-hwdef.h @@ -1655,6 +1676,18 @@ index 5cfba15..d437dc2 100644 #define PMD_SECT_UNCACHED (_AT(pmdval_t, 0)) #define PMD_SECT_BUFFERED (PMD_SECT_BUFFERABLE) +diff --git a/arch/arm/include/asm/pgtable-2level.h b/arch/arm/include/asm/pgtable-2level.h +index 2317a71..1897391 100644 +--- a/arch/arm/include/asm/pgtable-2level.h ++++ b/arch/arm/include/asm/pgtable-2level.h +@@ -123,6 +123,7 @@ + #define L_PTE_USER (_AT(pteval_t, 1) << 8) + #define L_PTE_XN (_AT(pteval_t, 1) << 9) + #define L_PTE_SHARED (_AT(pteval_t, 1) << 10) /* shared(v6), coherent(xsc3) */ ++#define L_PTE_PXN (_AT(pteval_t, 1) << 11) /* v7*/ + + /* + * These are the memory types, defined to be compatible with diff --git a/arch/arm/include/asm/pgtable-3level-hwdef.h b/arch/arm/include/asm/pgtable-3level-hwdef.h index d795282..d82ff13 100644 --- a/arch/arm/include/asm/pgtable-3level-hwdef.h @@ -1708,7 +1741,7 @@ index b249035..4ab204b 100644 #define L_PTE_DIRTY_HIGH (1 << (55 - 32)) diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h -index 08c1231..6a2d6b0 100644 +index 08c1231..1031bb4 100644 --- a/arch/arm/include/asm/pgtable.h +++ b/arch/arm/include/asm/pgtable.h @@ -30,6 +30,9 @@ @@ -1721,7 +1754,17 @@ index 08c1231..6a2d6b0 100644 /* * Just any arbitrary offset to the start of the vmalloc VM area: the * current 8MB value just means that there will be a 8MB "hole" after the -@@ -53,6 +56,17 @@ extern void __pgd_error(const char *file, int line, pgd_t); +@@ -45,6 +48,9 @@ + #define LIBRARY_TEXT_START 0x0c000000 + + #ifndef __ASSEMBLY__ ++extern pteval_t __supported_pte_mask; ++extern pmdval_t __supported_pmd_mask; ++ + extern void __pte_error(const char *file, int line, pte_t); + extern void __pmd_error(const char *file, int line, pmd_t); + extern void __pgd_error(const char *file, int line, pgd_t); +@@ -53,6 +59,17 @@ extern void __pgd_error(const char *file, int line, pgd_t); #define pmd_ERROR(pmd) __pmd_error(__FILE__, __LINE__, pmd) #define pgd_ERROR(pgd) __pgd_error(__FILE__, __LINE__, pgd) @@ -1739,50 +1782,23 @@ index 08c1231..6a2d6b0 100644 /* * This is the lowest virtual address we can permit any user space * mapping to be mapped at. This is particularly important for -@@ -73,23 +87,23 @@ extern pgprot_t pgprot_kernel; - - #define _MOD_PROT(p, b) __pgprot(pgprot_val(p) | (b)) - --#define PAGE_NONE _MOD_PROT(pgprot_user, L_PTE_XN | L_PTE_RDONLY) --#define PAGE_SHARED _MOD_PROT(pgprot_user, L_PTE_USER | L_PTE_XN) --#define PAGE_SHARED_EXEC _MOD_PROT(pgprot_user, L_PTE_USER) --#define PAGE_COPY _MOD_PROT(pgprot_user, L_PTE_USER | L_PTE_RDONLY | L_PTE_XN) --#define PAGE_COPY_EXEC _MOD_PROT(pgprot_user, L_PTE_USER | L_PTE_RDONLY) --#define PAGE_READONLY _MOD_PROT(pgprot_user, L_PTE_USER | L_PTE_RDONLY | L_PTE_XN) --#define PAGE_READONLY_EXEC _MOD_PROT(pgprot_user, L_PTE_USER | L_PTE_RDONLY) -+#define PAGE_NONE _MOD_PROT(pgprot_user, L_PTE_XN | L_PTE_PXN | L_PTE_RDONLY) -+#define PAGE_SHARED _MOD_PROT(pgprot_user, L_PTE_USER | L_PTE_XN | L_PTE_PXN) -+#define PAGE_SHARED_EXEC _MOD_PROT(pgprot_user, L_PTE_USER | L_PTE_PXN) -+#define PAGE_COPY _MOD_PROT(pgprot_user, L_PTE_USER | L_PTE_RDONLY | L_PTE_XN | L_PTE_PXN) -+#define PAGE_COPY_EXEC _MOD_PROT(pgprot_user, L_PTE_USER | L_PTE_RDONLY | L_PTE_PXN) -+#define PAGE_READONLY _MOD_PROT(pgprot_user, L_PTE_USER | L_PTE_RDONLY | L_PTE_XN | L_PTE_PXN) -+#define PAGE_READONLY_EXEC _MOD_PROT(pgprot_user, L_PTE_USER | L_PTE_RDONLY | L_PTE_PXN) - #define PAGE_KERNEL _MOD_PROT(pgprot_kernel, L_PTE_XN) - #define PAGE_KERNEL_EXEC pgprot_kernel - --#define __PAGE_NONE __pgprot(_L_PTE_DEFAULT | L_PTE_RDONLY | L_PTE_XN) --#define __PAGE_SHARED __pgprot(_L_PTE_DEFAULT | L_PTE_USER | L_PTE_XN) --#define __PAGE_SHARED_EXEC __pgprot(_L_PTE_DEFAULT | L_PTE_USER) --#define __PAGE_COPY __pgprot(_L_PTE_DEFAULT | L_PTE_USER | L_PTE_RDONLY | L_PTE_XN) --#define __PAGE_COPY_EXEC __pgprot(_L_PTE_DEFAULT | L_PTE_USER | L_PTE_RDONLY) --#define __PAGE_READONLY __pgprot(_L_PTE_DEFAULT | L_PTE_USER | L_PTE_RDONLY | L_PTE_XN) --#define __PAGE_READONLY_EXEC __pgprot(_L_PTE_DEFAULT | L_PTE_USER | L_PTE_RDONLY) -+#define __PAGE_NONE __pgprot(_L_PTE_DEFAULT | L_PTE_RDONLY | L_PTE_XN | L_PTE_PXN) -+#define __PAGE_SHARED __pgprot(_L_PTE_DEFAULT | L_PTE_USER | L_PTE_XN | L_PTE_PXN) -+#define __PAGE_SHARED_EXEC __pgprot(_L_PTE_DEFAULT | L_PTE_USER | L_PTE_PXN) -+#define __PAGE_COPY __pgprot(_L_PTE_DEFAULT | L_PTE_USER | L_PTE_RDONLY | L_PTE_XN | L_PTE_PXN) -+#define __PAGE_COPY_EXEC __pgprot(_L_PTE_DEFAULT | L_PTE_USER | L_PTE_RDONLY | L_PTE_PXN) -+#define __PAGE_READONLY __pgprot(_L_PTE_DEFAULT | L_PTE_USER | L_PTE_RDONLY | L_PTE_XN | L_PTE_PXN) -+#define __PAGE_READONLY_EXEC __pgprot(_L_PTE_DEFAULT | L_PTE_USER | L_PTE_RDONLY | L_PTE_PXN) - - #define __pgprot_modify(prot,mask,bits) \ - __pgprot((pgprot_val(prot) & ~(mask)) | (bits)) -@@ -242,7 +256,7 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; } +@@ -63,8 +80,8 @@ extern void __pgd_error(const char *file, int line, pgd_t); + /* + * The pgprot_* and protection_map entries will be fixed up in runtime + * to include the cachable and bufferable bits based on memory policy, +- * as well as any architecture dependent bits like global/ASID and SMP +- * shared mapping bits. ++ * as well as any architecture dependent bits like global/ASID, PXN, ++ * and SMP shared mapping bits. + */ + #define _L_PTE_DEFAULT L_PTE_PRESENT | L_PTE_YOUNG + +@@ -242,7 +259,7 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; } static inline pte_t pte_modify(pte_t pte, pgprot_t newprot) { - const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER; -+ const pteval_t mask = L_PTE_XN | L_PTE_PXN | L_PTE_RDONLY | L_PTE_USER; ++ const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER | __supported_pte_mask; pte_val(pte) = (pte_val(pte) & ~mask) | (pgprot_val(newprot) & mask); return pte; } @@ -1843,19 +1859,10 @@ index 8477b4c..801a6a9 100644 /* * Change these and you break ASM code in entry-common.S diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h -index 7e1f760..1af891c 100644 +index 7e1f760..f2c37b1 100644 --- a/arch/arm/include/asm/uaccess.h +++ b/arch/arm/include/asm/uaccess.h -@@ -22,6 +22,8 @@ - #define VERIFY_READ 0 - #define VERIFY_WRITE 1 - -+extern void check_object_size(const void *ptr, unsigned long n, bool to); -+ - /* - * The exception table consists of pairs of addresses: the first is the - * address of an instruction that is allowed to fault, and the second is -@@ -418,8 +420,23 @@ do { \ +@@ -418,8 +418,23 @@ do { \ #ifdef CONFIG_MMU @@ -1866,22 +1873,22 @@ index 7e1f760..1af891c 100644 + +static inline unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n) +{ -+ if (!__builtin_constant_p(n)) -+ check_object_size(to, n, false); ++ check_object_size(to, n, false); ++ + return ___copy_from_user(to, from, n); +} + +static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n) +{ -+ if (!__builtin_constant_p(n)) -+ check_object_size(from, n, true); ++ check_object_size(from, n, true); ++ + return ___copy_to_user(to, from, n); +} + extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n); extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n); extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n); -@@ -431,6 +448,9 @@ extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned l +@@ -431,6 +446,9 @@ extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned l static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n) { @@ -1891,7 +1898,7 @@ index 7e1f760..1af891c 100644 if (access_ok(VERIFY_READ, from, n)) n = __copy_from_user(to, from, n); else /* security hole - plug it */ -@@ -440,6 +460,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u +@@ -440,6 +458,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n) { @@ -1930,7 +1937,7 @@ index 60d3b73..9168db0 100644 EXPORT_SYMBOL(__get_user_1); diff --git a/arch/arm/kernel/head.S b/arch/arm/kernel/head.S -index 4eee351..e247728 100644 +index 486a15a..d95523a 100644 --- a/arch/arm/kernel/head.S +++ b/arch/arm/kernel/head.S @@ -52,7 +52,9 @@ @@ -1945,16 +1952,18 @@ index 4eee351..e247728 100644 /* diff --git a/arch/arm/kernel/module.c b/arch/arm/kernel/module.c -index 1e9be5d..b9a75e1 100644 +index 1e9be5d..ef22b26 100644 --- a/arch/arm/kernel/module.c +++ b/arch/arm/kernel/module.c -@@ -37,12 +37,35 @@ +@@ -37,12 +37,37 @@ #endif #ifdef CONFIG_MMU -void *module_alloc(unsigned long size) +static inline void *__module_alloc(unsigned long size, pgprot_t prot) { ++ if (!size || PAGE_ALIGN(size) > (MODULES_END - MODULES_VADDR)) ++ return NULL; return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END, - GFP_KERNEL, PAGE_KERNEL_EXEC, -1, + GFP_KERNEL, prot, -1, @@ -1987,7 +1996,7 @@ index 1e9be5d..b9a75e1 100644 int diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c -index 90084a6..bf4bcfb 100644 +index 90084a6..a8b26bc 100644 --- a/arch/arm/kernel/process.c +++ b/arch/arm/kernel/process.c @@ -28,7 +28,6 @@ @@ -2010,6 +2019,17 @@ index 90084a6..bf4bcfb 100644 { machine_shutdown(); +@@ -283,8 +283,8 @@ void __show_regs(struct pt_regs *regs) + init_utsname()->release, + (int)strcspn(init_utsname()->version, " "), + init_utsname()->version); +- print_symbol("PC is at %s\n", instruction_pointer(regs)); +- print_symbol("LR is at %s\n", regs->ARM_lr); ++ printk("PC is at %pA\n", instruction_pointer(regs)); ++ printk("LR is at %pA\n", regs->ARM_lr); + printk("pc : [<%08lx>] lr : [<%08lx>] psr: %08lx\n" + "sp : %08lx ip : %08lx fp : %08lx\n", + regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr, @@ -451,12 +451,6 @@ unsigned long get_wchan(struct task_struct *p) return 0; } @@ -2051,11 +2071,15 @@ index 739db3a..7f4a272 100644 return scno; diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c -index da1d1aa..5aaf182 100644 +index da1d1aa..ef9bc58 100644 --- a/arch/arm/kernel/setup.c +++ b/arch/arm/kernel/setup.c -@@ -99,19 +99,19 @@ EXPORT_SYMBOL(elf_hwcap); +@@ -97,21 +97,23 @@ EXPORT_SYMBOL(system_serial_high); + unsigned int elf_hwcap __read_mostly; + EXPORT_SYMBOL(elf_hwcap); ++pteval_t __supported_pte_mask __read_only; ++pmdval_t __supported_pmd_mask __read_only; #ifdef MULTI_CPU -struct processor processor __read_mostly; @@ -2079,7 +2103,23 @@ index da1d1aa..5aaf182 100644 EXPORT_SYMBOL(outer_cache); #endif -@@ -455,7 +455,7 @@ static void __init setup_processor(void) +@@ -236,9 +238,13 @@ static int __get_cpu_architecture(void) + asm("mrc p15, 0, %0, c0, c1, 4" + : "=r" (mmfr0)); + if ((mmfr0 & 0x0000000f) >= 0x00000003 || +- (mmfr0 & 0x000000f0) >= 0x00000030) ++ (mmfr0 & 0x000000f0) >= 0x00000030) { + cpu_arch = CPU_ARCH_ARMv7; +- else if ((mmfr0 & 0x0000000f) == 0x00000002 || ++ if ((mmfr0 & 0x0000000f) == 0x00000005 || (mmfr0 & 0x0000000f) == 0x00000004) { ++ __supported_pte_mask |= L_PTE_PXN; ++ __supported_pmd_mask |= PMD_PXNTABLE; ++ } ++ } else if ((mmfr0 & 0x0000000f) == 0x00000002 || + (mmfr0 & 0x000000f0) == 0x00000020) + cpu_arch = CPU_ARCH_ARMv6; + else +@@ -455,7 +461,7 @@ static void __init setup_processor(void) __cpu_architecture = __get_cpu_architecture(); #ifdef MULTI_CPU @@ -2102,9 +2142,18 @@ index fbc8b26..000ded0 100644 void __init smp_set_ops(struct smp_operations *ops) { diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c -index b0179b8..b54c6c1 100644 +index b0179b8..7713948 100644 --- a/arch/arm/kernel/traps.c +++ b/arch/arm/kernel/traps.c +@@ -57,7 +57,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long); + void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame) + { + #ifdef CONFIG_KALLSYMS +- printk("[<%08lx>] (%pS) from [<%08lx>] (%pS)\n", where, (void *)where, from, (void *)from); ++ printk("[<%08lx>] (%pA) from [<%08lx>] (%pA)\n", where, (void *)where, from, (void *)from); + #else + printk("Function entered at [<%08lx>] from [<%08lx>]\n", where, from); + #endif @@ -266,6 +266,8 @@ static arch_spinlock_t die_lock = __ARCH_SPIN_LOCK_UNLOCKED; static int die_owner = -1; static unsigned int die_nest_count; @@ -2562,7 +2611,7 @@ index ad722f1..46b670e 100644 totalram_pages += free_area(__phys_to_pfn(__pa(&__tcm_start)), __phys_to_pfn(__pa(&__tcm_end)), diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c -index ce8cb19..b9fe4d7 100644 +index ce8cb19..061aa14 100644 --- a/arch/arm/mm/mmap.c +++ b/arch/arm/mm/mmap.c @@ -72,6 +72,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, @@ -2694,7 +2743,18 @@ index ce8cb19..b9fe4d7 100644 bottomup: /* -@@ -266,10 +272,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm) +@@ -259,6 +265,10 @@ void arch_pick_mmap_layout(struct mm_struct *mm) + { + unsigned long random_factor = 0UL; + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + /* 8 bits of randomness in 20 address space bits */ + if ((current->flags & PF_RANDOMIZE) && + !(current->personality & ADDR_NO_RANDOMIZE)) +@@ -266,10 +276,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm) if (mmap_is_legacy()) { mm->mmap_base = TASK_UNMAPPED_BASE + random_factor; @@ -2718,7 +2778,7 @@ index ce8cb19..b9fe4d7 100644 mm->unmap_area = arch_unmap_area_topdown; } diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c -index 99b47b9..ede7824 100644 +index 99b47b9..579b667 100644 --- a/arch/arm/mm/mmu.c +++ b/arch/arm/mm/mmu.c @@ -227,16 +227,16 @@ static struct mem_type mem_types[] = { @@ -2800,7 +2860,16 @@ index 99b47b9..ede7824 100644 mem_types[MT_MEMORY_DMA_READY].prot_pte |= L_PTE_SHARED; mem_types[MT_MEMORY_NONCACHED].prot_sect |= PMD_SECT_S; mem_types[MT_MEMORY_NONCACHED].prot_pte |= L_PTE_SHARED; -@@ -503,6 +529,12 @@ static void __init build_mem_type_table(void) +@@ -487,6 +513,8 @@ static void __init build_mem_type_table(void) + vecs_pgprot |= PTE_EXT_AF; + #endif + ++ user_pgprot |= __supported_pte_mask; ++ + for (i = 0; i < 16; i++) { + pteval_t v = pgprot_val(protection_map[i]); + protection_map[i] = __pgprot(v | user_pgprot); +@@ -503,6 +531,12 @@ static void __init build_mem_type_table(void) mem_types[MT_HIGH_VECTORS].prot_l1 |= ecc_mask; mem_types[MT_MEMORY].prot_sect |= ecc_mask | cp->pmd; mem_types[MT_MEMORY].prot_pte |= kern_pgprot; @@ -2813,12 +2882,12 @@ index 99b47b9..ede7824 100644 mem_types[MT_MEMORY_DMA_READY].prot_pte |= kern_pgprot; mem_types[MT_MEMORY_NONCACHED].prot_sect |= ecc_mask; mem_types[MT_ROM].prot_sect |= cp->pmd; -@@ -1198,8 +1230,37 @@ static void __init map_lowmem(void) +@@ -1198,7 +1232,41 @@ static void __init map_lowmem(void) map.pfn = __phys_to_pfn(start); map.virtual = __phys_to_virt(start); map.length = end - start; -- map.type = MT_MEMORY; - ++ ++#ifdef CONFIG_PAX_KERNEXEC + if (map.virtual <= (unsigned long)_stext && ((unsigned long)_end < (map.virtual + map.length))) { + struct map_desc kernel; + struct map_desc initmap; @@ -2849,9 +2918,12 @@ index 99b47b9..ede7824 100644 + } + + map.type = MT_MEMORY_RW; ++#else + map.type = MT_MEMORY; ++#endif + create_mapping(&map); } - } diff --git a/arch/arm/plat-orion/include/plat/addr-map.h b/arch/arm/plat-orion/include/plat/addr-map.h index ec63e4a..62aa5f1d 100644 --- a/arch/arm/plat-orion/include/plat/addr-map.h @@ -3988,7 +4060,7 @@ index ddcec1e..c7f983e 100644 * This routine handles page faults. It determines the address, * and the problem, and then passes it off to one of the appropriate diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c -index 302d779..573314a 100644 +index 302d779..6459dc0 100644 --- a/arch/mips/mm/mmap.c +++ b/arch/mips/mm/mmap.c @@ -71,6 +71,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, @@ -4073,7 +4145,38 @@ index 302d779..573314a 100644 bottomup: /* -@@ -242,30 +245,3 @@ void arch_pick_mmap_layout(struct mm_struct *mm) +@@ -223,6 +226,10 @@ void arch_pick_mmap_layout(struct mm_struct *mm) + { + unsigned long random_factor = 0UL; + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + if (current->flags & PF_RANDOMIZE) { + random_factor = get_random_int(); + random_factor = random_factor << PAGE_SHIFT; +@@ -234,38 +241,23 @@ void arch_pick_mmap_layout(struct mm_struct *mm) + + if (mmap_is_legacy()) { + mm->mmap_base = TASK_UNMAPPED_BASE + random_factor; ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ mm->mmap_base += mm->delta_mmap; ++#endif ++ + mm->get_unmapped_area = arch_get_unmapped_area; + mm->unmap_area = arch_unmap_area; + } else { + mm->mmap_base = mmap_base(random_factor); ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack; ++#endif ++ + mm->get_unmapped_area = arch_get_unmapped_area_topdown; mm->unmap_area = arch_unmap_area_topdown; } } @@ -5526,10 +5629,21 @@ index 0a6b283..7674925 100644 return 0; } diff --git a/arch/powerpc/mm/mmap_64.c b/arch/powerpc/mm/mmap_64.c -index 67a42ed..1c7210c 100644 +index 67a42ed..c16ef80 100644 --- a/arch/powerpc/mm/mmap_64.c +++ b/arch/powerpc/mm/mmap_64.c -@@ -91,10 +91,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm) +@@ -57,6 +57,10 @@ static unsigned long mmap_rnd(void) + { + unsigned long rnd = 0; + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + if (current->flags & PF_RANDOMIZE) { + /* 8MB for 32bit, 1GB for 64bit */ + if (is_32bit_task()) +@@ -91,10 +95,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm) */ if (mmap_is_legacy()) { mm->mmap_base = TASK_UNMAPPED_BASE; @@ -6817,7 +6931,7 @@ index 0c9b31b..55a8ba6 100644 addr = vmm->vm_end; if (flags & MAP_SHARED) diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c -index 878ef3d..609e41f 100644 +index 878ef3d..f100719 100644 --- a/arch/sparc/kernel/sys_sparc_64.c +++ b/arch/sparc/kernel/sys_sparc_64.c @@ -102,12 +102,13 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi @@ -6955,7 +7069,18 @@ index 878ef3d..609e41f 100644 bottomup: /* -@@ -373,6 +375,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) +@@ -348,6 +350,10 @@ static unsigned long mmap_rnd(void) + { + unsigned long rnd = 0UL; + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + if (current->flags & PF_RANDOMIZE) { + unsigned long val = get_random_int(); + if (test_thread_flag(TIF_32BIT)) +@@ -373,6 +379,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) gap == RLIM_INFINITY || sysctl_legacy_va_layout) { mm->mmap_base = TASK_UNMAPPED_BASE + random_factor; @@ -6968,7 +7093,7 @@ index 878ef3d..609e41f 100644 mm->get_unmapped_area = arch_get_unmapped_area; mm->unmap_area = arch_unmap_area; } else { -@@ -385,6 +393,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) +@@ -385,6 +397,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) gap = (task_size / 6 * 5); mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor); @@ -8568,7 +8693,7 @@ index ad8f795..2c7eec6 100644 /* * Memory returned by kmalloc() may be used for DMA, so we must make diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 46c3bff..da289d1 100644 +index 46c3bff..b82f26b 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -241,7 +241,7 @@ config X86_HT @@ -8647,7 +8772,7 @@ index 46c3bff..da289d1 100644 + def_bool n prompt "Compat VDSO support" depends on X86_32 || IA32_EMULATION -+ depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF ++ depends on !PAX_PAGEEXEC && !PAX_SEGMEXEC && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF ---help--- Map the 32-bit VDSO to the predictable old-style address too. @@ -8811,7 +8936,7 @@ index 8a84501..b2d165f 100644 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__ GCOV_PROFILE := n diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index e87b0ca..2bce457 100644 +index ccae7e2..8ac70be 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -144,7 +144,6 @@ again: @@ -8831,10 +8956,10 @@ index e87b0ca..2bce457 100644 fail: return status; diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S -index aa4aaf1..6656f2f 100644 +index ccb2f4a..e49b20e 100644 --- a/arch/x86/boot/compressed/head_32.S +++ b/arch/x86/boot/compressed/head_32.S -@@ -116,7 +116,7 @@ preferred_addr: +@@ -118,7 +118,7 @@ preferred_addr: notl %eax andl %eax, %ebx #else @@ -8843,7 +8968,7 @@ index aa4aaf1..6656f2f 100644 #endif /* Target address to relocate to for decompression */ -@@ -202,7 +202,7 @@ relocated: +@@ -204,7 +204,7 @@ relocated: * and where it was actually loaded. */ movl %ebp, %ebx @@ -8852,7 +8977,7 @@ index aa4aaf1..6656f2f 100644 jz 2f /* Nothing to be done if loaded at compiled addr. */ /* * Process relocations. -@@ -210,8 +210,7 @@ relocated: +@@ -212,8 +212,7 @@ relocated: 1: subl $4, %edi movl (%edi), %ecx @@ -9582,7 +9707,7 @@ index 49d6987..df66bd4 100644 .size \name, .-\name diff --git a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S -index 1585abb..4a9af16 100644 +index 1585abb..1ff9d9b 100644 --- a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S +++ b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S @@ -23,6 +23,8 @@ @@ -9598,14 +9723,14 @@ index 1585abb..4a9af16 100644 outunpack_blocks(%r11, RC1, RD1, RA1, RB1, RK1, RX0, RY0, RK2); outunpack_blocks(%rax, RC2, RD2, RA2, RB2, RK1, RX0, RY0, RK2); -+ pax_force_retaddr ++ pax_force_retaddr 0, 1 ret; __enc_xor8: outunpack_xor_blocks(%r11, RC1, RD1, RA1, RB1, RK1, RX0, RY0, RK2); outunpack_xor_blocks(%rax, RC2, RD2, RA2, RB2, RK1, RX0, RY0, RK2); -+ pax_force_retaddr ++ pax_force_retaddr 0, 1 ret; .align 8 @@ -9613,7 +9738,7 @@ index 1585abb..4a9af16 100644 outunpack_blocks(%r11, RA1, RB1, RC1, RD1, RK1, RX0, RY0, RK2); outunpack_blocks(%rax, RA2, RB2, RC2, RD2, RK1, RX0, RY0, RK2); -+ pax_force_retaddr ++ pax_force_retaddr 0, 1 ret; diff --git a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S index 5b012a2..36d5364 100644 @@ -12514,7 +12639,7 @@ index 4cc9f2b..5fd9226 100644 /* diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h -index a1f780d..5f38ced4 100644 +index a1f780d..a3eb32f 100644 --- a/arch/x86/include/asm/pgtable.h +++ b/arch/x86/include/asm/pgtable.h @@ -44,6 +44,7 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page); @@ -12544,7 +12669,7 @@ index a1f780d..5f38ced4 100644 + preempt_disable(); + barrier(); + cr0 = read_cr0() ^ X86_CR0_WP; -+ BUG_ON(unlikely(cr0 & X86_CR0_WP)); ++ BUG_ON(cr0 & X86_CR0_WP); + write_cr0(cr0); + return cr0 ^ X86_CR0_WP; +} @@ -12554,7 +12679,7 @@ index a1f780d..5f38ced4 100644 + unsigned long cr0; + + cr0 = read_cr0() ^ X86_CR0_WP; -+ BUG_ON(unlikely(!(cr0 & X86_CR0_WP))); ++ BUG_ON(!(cr0 & X86_CR0_WP)); + write_cr0(cr0); + barrier(); + preempt_enable_no_resched(); @@ -13778,7 +13903,7 @@ index 2d946e6..e453ec4 100644 #endif #endif /* _ASM_X86_THREAD_INFO_H */ diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h -index 7ccf8d1..7cdca12 100644 +index 7ccf8d1..9a18110 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -7,6 +7,7 @@ @@ -13789,16 +13914,7 @@ index 7ccf8d1..7cdca12 100644 #include <asm/asm.h> #include <asm/page.h> #include <asm/smap.h> -@@ -14,6 +15,8 @@ - #define VERIFY_READ 0 - #define VERIFY_WRITE 1 - -+extern void check_object_size(const void *ptr, unsigned long n, bool to); -+ - /* - * The fs value determines whether argument validity checking should be - * performed or not. If get_fs() == USER_DS, checking is performed, with -@@ -29,7 +32,12 @@ +@@ -29,7 +30,12 @@ #define get_ds() (KERNEL_DS) #define get_fs() (current_thread_info()->addr_limit) @@ -13811,7 +13927,7 @@ index 7ccf8d1..7cdca12 100644 #define segment_eq(a, b) ((a).seg == (b).seg) -@@ -77,8 +85,33 @@ +@@ -77,8 +83,33 @@ * checks that the pointer is in the user space range - after calling * this function, memory access functions may still return -EFAULT. */ @@ -13847,7 +13963,7 @@ index 7ccf8d1..7cdca12 100644 /* * The exception table consists of pairs of addresses relative to the -@@ -189,13 +222,21 @@ extern int __get_user_bad(void); +@@ -189,13 +220,21 @@ extern int __get_user_bad(void); asm volatile("call __put_user_" #size : "=a" (__ret_pu) \ : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx") @@ -13872,7 +13988,7 @@ index 7ccf8d1..7cdca12 100644 "3: " ASM_CLAC "\n" \ ".section .fixup,\"ax\"\n" \ "4: movl %3,%0\n" \ -@@ -208,8 +249,8 @@ extern int __get_user_bad(void); +@@ -208,8 +247,8 @@ extern int __get_user_bad(void); #define __put_user_asm_ex_u64(x, addr) \ asm volatile(ASM_STAC "\n" \ @@ -13883,7 +13999,7 @@ index 7ccf8d1..7cdca12 100644 "3: " ASM_CLAC "\n" \ _ASM_EXTABLE_EX(1b, 2b) \ _ASM_EXTABLE_EX(2b, 3b) \ -@@ -261,7 +302,7 @@ extern void __put_user_8(void); +@@ -261,7 +300,7 @@ extern void __put_user_8(void); __typeof__(*(ptr)) __pu_val; \ __chk_user_ptr(ptr); \ might_fault(); \ @@ -13892,7 +14008,7 @@ index 7ccf8d1..7cdca12 100644 switch (sizeof(*(ptr))) { \ case 1: \ __put_user_x(1, __pu_val, ptr, __ret_pu); \ -@@ -383,7 +424,7 @@ do { \ +@@ -383,7 +422,7 @@ do { \ #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \ asm volatile(ASM_STAC "\n" \ @@ -13901,7 +14017,7 @@ index 7ccf8d1..7cdca12 100644 "2: " ASM_CLAC "\n" \ ".section .fixup,\"ax\"\n" \ "3: mov %3,%0\n" \ -@@ -391,7 +432,7 @@ do { \ +@@ -391,7 +430,7 @@ do { \ " jmp 2b\n" \ ".previous\n" \ _ASM_EXTABLE(1b, 3b) \ @@ -13910,7 +14026,7 @@ index 7ccf8d1..7cdca12 100644 : "m" (__m(addr)), "i" (errret), "0" (err)) #define __get_user_size_ex(x, ptr, size) \ -@@ -416,7 +457,7 @@ do { \ +@@ -416,7 +455,7 @@ do { \ } while (0) #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \ @@ -13919,7 +14035,7 @@ index 7ccf8d1..7cdca12 100644 "2:\n" \ _ASM_EXTABLE_EX(1b, 2b) \ : ltype(x) : "m" (__m(addr))) -@@ -433,13 +474,24 @@ do { \ +@@ -433,13 +472,24 @@ do { \ int __gu_err; \ unsigned long __gu_val; \ __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \ @@ -13946,7 +14062,7 @@ index 7ccf8d1..7cdca12 100644 /* * Tell gcc we read from memory instead of writing: this is because -@@ -448,7 +500,7 @@ struct __large_struct { unsigned long buf[100]; }; +@@ -448,7 +498,7 @@ struct __large_struct { unsigned long buf[100]; }; */ #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \ asm volatile(ASM_STAC "\n" \ @@ -13955,7 +14071,7 @@ index 7ccf8d1..7cdca12 100644 "2: " ASM_CLAC "\n" \ ".section .fixup,\"ax\"\n" \ "3: mov %3,%0\n" \ -@@ -456,10 +508,10 @@ struct __large_struct { unsigned long buf[100]; }; +@@ -456,10 +506,10 @@ struct __large_struct { unsigned long buf[100]; }; ".previous\n" \ _ASM_EXTABLE(1b, 3b) \ : "=r"(err) \ @@ -13968,7 +14084,7 @@ index 7ccf8d1..7cdca12 100644 "2:\n" \ _ASM_EXTABLE_EX(1b, 2b) \ : : ltype(x), "m" (__m(addr))) -@@ -498,8 +550,12 @@ struct __large_struct { unsigned long buf[100]; }; +@@ -498,8 +548,12 @@ struct __large_struct { unsigned long buf[100]; }; * On error, the variable @x is set to zero. */ @@ -13981,7 +14097,7 @@ index 7ccf8d1..7cdca12 100644 /** * __put_user: - Write a simple value into user space, with less checking. -@@ -521,8 +577,12 @@ struct __large_struct { unsigned long buf[100]; }; +@@ -521,8 +575,12 @@ struct __large_struct { unsigned long buf[100]; }; * Returns zero on success, or -EFAULT on error. */ @@ -13994,7 +14110,7 @@ index 7ccf8d1..7cdca12 100644 #define __get_user_unaligned __get_user #define __put_user_unaligned __put_user -@@ -540,7 +600,7 @@ struct __large_struct { unsigned long buf[100]; }; +@@ -540,7 +598,7 @@ struct __large_struct { unsigned long buf[100]; }; #define get_user_ex(x, ptr) do { \ unsigned long __gue_val; \ __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \ @@ -14003,7 +14119,7 @@ index 7ccf8d1..7cdca12 100644 } while (0) #ifdef CONFIG_X86_WP_WORKS_OK -@@ -574,8 +634,8 @@ strncpy_from_user(char *dst, const char __user *src, long count); +@@ -574,8 +632,8 @@ strncpy_from_user(char *dst, const char __user *src, long count); extern __must_check long strlen_user(const char __user *str); extern __must_check long strnlen_user(const char __user *str, long n); @@ -14015,7 +14131,7 @@ index 7ccf8d1..7cdca12 100644 /* * movsl can be slow when source and dest are not both 8-byte aligned diff --git a/arch/x86/include/asm/uaccess_32.h b/arch/x86/include/asm/uaccess_32.h -index 7f760a9..00f93c0 100644 +index 7f760a9..04b1c65 100644 --- a/arch/x86/include/asm/uaccess_32.h +++ b/arch/x86/include/asm/uaccess_32.h @@ -11,15 +11,15 @@ @@ -14039,25 +14155,18 @@ index 7f760a9..00f93c0 100644 /** * __copy_to_user_inatomic: - Copy a block of data into user space, with less checking. -@@ -43,6 +43,9 @@ unsigned long __must_check __copy_from_user_ll_nocache_nozero +@@ -43,6 +43,11 @@ unsigned long __must_check __copy_from_user_ll_nocache_nozero static __always_inline unsigned long __must_check __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n) { + if ((long)n < 0) + return n; + ++ check_object_size(from, n, true); ++ if (__builtin_constant_p(n)) { unsigned long ret; -@@ -61,6 +64,8 @@ __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n) - return ret; - } - } -+ if (!__builtin_constant_p(n)) -+ check_object_size(from, n, true); - return __copy_to_user_ll(to, from, n); - } - @@ -82,12 +87,16 @@ static __always_inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n) { @@ -14075,7 +14184,7 @@ index 7f760a9..00f93c0 100644 /* Avoid zeroing the tail if the copy fails.. * If 'n' is constant and 1, 2, or 4, we do still zero on a failure, * but as the zeroing behaviour is only significant when n is not -@@ -137,6 +146,10 @@ static __always_inline unsigned long +@@ -137,6 +146,12 @@ static __always_inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n) { might_fault(); @@ -14083,18 +14192,11 @@ index 7f760a9..00f93c0 100644 + if ((long)n < 0) + return n; + ++ check_object_size(to, n, false); ++ if (__builtin_constant_p(n)) { unsigned long ret; -@@ -152,6 +165,8 @@ __copy_from_user(void *to, const void __user *from, unsigned long n) - return ret; - } - } -+ if (!__builtin_constant_p(n)) -+ check_object_size(to, n, false); - return __copy_from_user_ll(to, from, n); - } - @@ -159,6 +174,10 @@ static __always_inline unsigned long __copy_from_user_nocache(void *to, const void __user *from, unsigned long n) { @@ -14133,7 +14235,7 @@ index 7f760a9..00f93c0 100644 extern void copy_from_user_overflow(void) #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS -@@ -199,17 +222,61 @@ extern void copy_from_user_overflow(void) +@@ -199,17 +222,60 @@ extern void copy_from_user_overflow(void) #endif ; @@ -14190,21 +14292,20 @@ index 7f760a9..00f93c0 100644 +{ + size_t sz = __compiletime_object_size(to); + ++ check_object_size(to, n, false); ++ + if (unlikely(sz != (size_t)-1 && sz < n)) copy_from_user_overflow(); - + else if (access_ok(VERIFY_READ, from, n)) + n = __copy_from_user(to, from, n); -+ else if ((long)n > 0) { -+ if (!__builtin_constant_p(n)) -+ check_object_size(to, n, false); ++ else if ((long)n > 0) + memset(to, 0, n); -+ } return n; } diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h -index 142810c..4389299 100644 +index 142810c..4b68a3e 100644 --- a/arch/x86/include/asm/uaccess_64.h +++ b/arch/x86/include/asm/uaccess_64.h @@ -10,6 +10,9 @@ @@ -14235,7 +14336,7 @@ index 142810c..4389299 100644 copy_user_generic(void *to, const void *from, unsigned len) { unsigned ret; -@@ -41,142 +44,205 @@ copy_user_generic(void *to, const void *from, unsigned len) +@@ -41,142 +44,203 @@ copy_user_generic(void *to, const void *from, unsigned len) ASM_OUTPUT2("=a" (ret), "=D" (to), "=S" (from), "=d" (len)), "1" (to), "2" (from), "3" (len) @@ -14286,13 +14387,11 @@ index 142810c..4389299 100644 - WARN(1, "Buffer overflow detected!\n"); -#endif + ++ check_object_size(to, n, false); + if (access_ok(VERIFY_READ, from, n)) + n = __copy_from_user(to, from, n); -+ else if (n < INT_MAX) { -+ if (!__builtin_constant_p(n)) -+ check_object_size(to, n, false); ++ else if (n < INT_MAX) + memset(to, 0, n); -+ } return n; } @@ -14317,12 +14416,12 @@ index 142810c..4389299 100644 + unsigned ret = 0; might_fault(); -- if (!__builtin_constant_p(size)) -- return copy_user_generic(dst, (__force void *)src, size); + + if (size > INT_MAX) + return size; + ++ check_object_size(dst, size, false); ++ +#ifdef CONFIG_PAX_MEMORY_UDEREF + if (!__access_ok(VERIFY_READ, src, size)) + return size; @@ -14333,10 +14432,9 @@ index 142810c..4389299 100644 + return size; + } + -+ if (!__builtin_constant_p(size)) { -+ check_object_size(dst, size, false); + if (!__builtin_constant_p(size)) +- return copy_user_generic(dst, (__force void *)src, size); + return copy_user_generic(dst, (__force_kernel const void *)____m(src), size); -+ } switch (size) { - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src, + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src, @@ -14391,12 +14489,12 @@ index 142810c..4389299 100644 + unsigned ret = 0; might_fault(); -- if (!__builtin_constant_p(size)) -- return copy_user_generic((__force void *)dst, src, size); + + if (size > INT_MAX) + return size; + ++ check_object_size(src, size, true); ++ +#ifdef CONFIG_PAX_MEMORY_UDEREF + if (!__access_ok(VERIFY_WRITE, dst, size)) + return size; @@ -14407,10 +14505,9 @@ index 142810c..4389299 100644 + return size; + } + -+ if (!__builtin_constant_p(size)) { -+ check_object_size(src, size, true); + if (!__builtin_constant_p(size)) +- return copy_user_generic((__force void *)dst, src, size); + return copy_user_generic((__force_kernel void *)____m(dst), src, size); -+ } switch (size) { - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst, + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst, @@ -14488,7 +14585,7 @@ index 142810c..4389299 100644 ret, "b", "b", "=q", 1); if (likely(!ret)) __put_user_asm(tmp, (u8 __user *)dst, -@@ -185,7 +251,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) +@@ -185,7 +249,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) } case 2: { u16 tmp; @@ -14497,7 +14594,7 @@ index 142810c..4389299 100644 ret, "w", "w", "=r", 2); if (likely(!ret)) __put_user_asm(tmp, (u16 __user *)dst, -@@ -195,7 +261,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) +@@ -195,7 +259,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) case 4: { u32 tmp; @@ -14506,7 +14603,7 @@ index 142810c..4389299 100644 ret, "l", "k", "=r", 4); if (likely(!ret)) __put_user_asm(tmp, (u32 __user *)dst, -@@ -204,7 +270,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) +@@ -204,7 +268,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) } case 8: { u64 tmp; @@ -14515,7 +14612,7 @@ index 142810c..4389299 100644 ret, "q", "", "=r", 8); if (likely(!ret)) __put_user_asm(tmp, (u64 __user *)dst, -@@ -212,41 +278,72 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) +@@ -212,41 +276,72 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) return ret; } default: @@ -16107,7 +16204,7 @@ index 9b9f18b..9fcaa04 100644 #include <asm/processor.h> #include <asm/fcntl.h> diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S -index cf8639b..98fcee6 100644 +index cf8639b..6c6a674 100644 --- a/arch/x86/kernel/entry_32.S +++ b/arch/x86/kernel/entry_32.S @@ -177,13 +177,153 @@ @@ -16581,44 +16678,7 @@ index cf8639b..98fcee6 100644 CFI_ENDPROC /* * End of kprobes section -@@ -763,6 +995,36 @@ ENTRY(ptregs_clone) - CFI_ENDPROC - ENDPROC(ptregs_clone) - -+ ALIGN; -+ENTRY(kernel_execve) -+ CFI_STARTPROC -+ pushl_cfi %ebp -+ sub $PT_OLDSS+4,%esp -+ pushl_cfi %edi -+ pushl_cfi %ecx -+ pushl_cfi %eax -+ lea 3*4(%esp),%edi -+ mov $PT_OLDSS/4+1,%ecx -+ xorl %eax,%eax -+ rep stosl -+ popl_cfi %eax -+ popl_cfi %ecx -+ popl_cfi %edi -+ movl $X86_EFLAGS_IF,PT_EFLAGS(%esp) -+ pushl_cfi %esp -+ call sys_execve -+ add $4,%esp -+ CFI_ADJUST_CFA_OFFSET -4 -+ GET_THREAD_INFO(%ebp) -+ test %eax,%eax -+ jz syscall_exit -+ add $PT_OLDSS+4,%esp -+ CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4 -+ popl_cfi %ebp -+ ret -+ CFI_ENDPROC -+ENDPROC(kernel_execve) -+ - .macro FIXUP_ESPFIX_STACK - /* - * Switch back for ESPFIX stack to the normal zerobased stack -@@ -772,8 +1034,15 @@ ENDPROC(ptregs_clone) +@@ -772,8 +1004,15 @@ ENDPROC(ptregs_clone) * normal stack and adjusts ESP with the matching offset. */ /* fixup the stack */ @@ -16636,7 +16696,7 @@ index cf8639b..98fcee6 100644 shl $16, %eax addl %esp, %eax /* the adjusted stack pointer */ pushl_cfi $__KERNEL_DS -@@ -826,7 +1095,7 @@ vector=vector+1 +@@ -826,7 +1065,7 @@ vector=vector+1 .endr 2: jmp common_interrupt .endr @@ -16645,7 +16705,7 @@ index cf8639b..98fcee6 100644 .previous END(interrupt) -@@ -877,7 +1146,7 @@ ENTRY(coprocessor_error) +@@ -877,7 +1116,7 @@ ENTRY(coprocessor_error) pushl_cfi $do_coprocessor_error jmp error_code CFI_ENDPROC @@ -16654,7 +16714,7 @@ index cf8639b..98fcee6 100644 ENTRY(simd_coprocessor_error) RING0_INT_FRAME -@@ -899,7 +1168,7 @@ ENTRY(simd_coprocessor_error) +@@ -899,7 +1138,7 @@ ENTRY(simd_coprocessor_error) #endif jmp error_code CFI_ENDPROC @@ -16663,7 +16723,7 @@ index cf8639b..98fcee6 100644 ENTRY(device_not_available) RING0_INT_FRAME -@@ -908,18 +1177,18 @@ ENTRY(device_not_available) +@@ -908,18 +1147,18 @@ ENTRY(device_not_available) pushl_cfi $do_device_not_available jmp error_code CFI_ENDPROC @@ -16685,7 +16745,7 @@ index cf8639b..98fcee6 100644 #endif ENTRY(overflow) -@@ -929,7 +1198,7 @@ ENTRY(overflow) +@@ -929,7 +1168,7 @@ ENTRY(overflow) pushl_cfi $do_overflow jmp error_code CFI_ENDPROC @@ -16694,7 +16754,7 @@ index cf8639b..98fcee6 100644 ENTRY(bounds) RING0_INT_FRAME -@@ -938,7 +1207,7 @@ ENTRY(bounds) +@@ -938,7 +1177,7 @@ ENTRY(bounds) pushl_cfi $do_bounds jmp error_code CFI_ENDPROC @@ -16703,7 +16763,7 @@ index cf8639b..98fcee6 100644 ENTRY(invalid_op) RING0_INT_FRAME -@@ -947,7 +1216,7 @@ ENTRY(invalid_op) +@@ -947,7 +1186,7 @@ ENTRY(invalid_op) pushl_cfi $do_invalid_op jmp error_code CFI_ENDPROC @@ -16712,7 +16772,7 @@ index cf8639b..98fcee6 100644 ENTRY(coprocessor_segment_overrun) RING0_INT_FRAME -@@ -956,7 +1225,7 @@ ENTRY(coprocessor_segment_overrun) +@@ -956,7 +1195,7 @@ ENTRY(coprocessor_segment_overrun) pushl_cfi $do_coprocessor_segment_overrun jmp error_code CFI_ENDPROC @@ -16721,7 +16781,7 @@ index cf8639b..98fcee6 100644 ENTRY(invalid_TSS) RING0_EC_FRAME -@@ -964,7 +1233,7 @@ ENTRY(invalid_TSS) +@@ -964,7 +1203,7 @@ ENTRY(invalid_TSS) pushl_cfi $do_invalid_TSS jmp error_code CFI_ENDPROC @@ -16730,7 +16790,7 @@ index cf8639b..98fcee6 100644 ENTRY(segment_not_present) RING0_EC_FRAME -@@ -972,7 +1241,7 @@ ENTRY(segment_not_present) +@@ -972,7 +1211,7 @@ ENTRY(segment_not_present) pushl_cfi $do_segment_not_present jmp error_code CFI_ENDPROC @@ -16739,7 +16799,7 @@ index cf8639b..98fcee6 100644 ENTRY(stack_segment) RING0_EC_FRAME -@@ -980,7 +1249,7 @@ ENTRY(stack_segment) +@@ -980,7 +1219,7 @@ ENTRY(stack_segment) pushl_cfi $do_stack_segment jmp error_code CFI_ENDPROC @@ -16748,7 +16808,7 @@ index cf8639b..98fcee6 100644 ENTRY(alignment_check) RING0_EC_FRAME -@@ -988,7 +1257,7 @@ ENTRY(alignment_check) +@@ -988,7 +1227,7 @@ ENTRY(alignment_check) pushl_cfi $do_alignment_check jmp error_code CFI_ENDPROC @@ -16757,7 +16817,7 @@ index cf8639b..98fcee6 100644 ENTRY(divide_error) RING0_INT_FRAME -@@ -997,7 +1266,7 @@ ENTRY(divide_error) +@@ -997,7 +1236,7 @@ ENTRY(divide_error) pushl_cfi $do_divide_error jmp error_code CFI_ENDPROC @@ -16766,7 +16826,7 @@ index cf8639b..98fcee6 100644 #ifdef CONFIG_X86_MCE ENTRY(machine_check) -@@ -1007,7 +1276,7 @@ ENTRY(machine_check) +@@ -1007,7 +1246,7 @@ ENTRY(machine_check) pushl_cfi machine_check_vector jmp error_code CFI_ENDPROC @@ -16775,7 +16835,7 @@ index cf8639b..98fcee6 100644 #endif ENTRY(spurious_interrupt_bug) -@@ -1017,7 +1286,7 @@ ENTRY(spurious_interrupt_bug) +@@ -1017,7 +1256,7 @@ ENTRY(spurious_interrupt_bug) pushl_cfi $do_spurious_interrupt_bug jmp error_code CFI_ENDPROC @@ -16784,7 +16844,7 @@ index cf8639b..98fcee6 100644 /* * End of kprobes section */ -@@ -1120,7 +1389,7 @@ BUILD_INTERRUPT3(xen_hvm_callback_vector, XEN_HVM_EVTCHN_CALLBACK, +@@ -1120,7 +1359,7 @@ BUILD_INTERRUPT3(xen_hvm_callback_vector, XEN_HVM_EVTCHN_CALLBACK, ENTRY(mcount) ret @@ -16793,7 +16853,7 @@ index cf8639b..98fcee6 100644 ENTRY(ftrace_caller) cmpl $0, function_trace_stop -@@ -1153,7 +1422,7 @@ ftrace_graph_call: +@@ -1153,7 +1392,7 @@ ftrace_graph_call: .globl ftrace_stub ftrace_stub: ret @@ -16802,7 +16862,7 @@ index cf8639b..98fcee6 100644 ENTRY(ftrace_regs_caller) pushf /* push flags before compare (in cs location) */ -@@ -1254,7 +1523,7 @@ trace: +@@ -1254,7 +1493,7 @@ trace: popl %ecx popl %eax jmp ftrace_stub @@ -16811,7 +16871,7 @@ index cf8639b..98fcee6 100644 #endif /* CONFIG_DYNAMIC_FTRACE */ #endif /* CONFIG_FUNCTION_TRACER */ -@@ -1272,7 +1541,7 @@ ENTRY(ftrace_graph_caller) +@@ -1272,7 +1511,7 @@ ENTRY(ftrace_graph_caller) popl %ecx popl %eax ret @@ -16820,7 +16880,7 @@ index cf8639b..98fcee6 100644 .globl return_to_handler return_to_handler: -@@ -1328,15 +1597,18 @@ error_code: +@@ -1328,15 +1567,18 @@ error_code: movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart REG_TO_PTGS %ecx SET_KERNEL_GS %ecx @@ -16841,7 +16901,7 @@ index cf8639b..98fcee6 100644 /* * Debug traps and NMI can happen at the one SYSENTER instruction -@@ -1379,7 +1651,7 @@ debug_stack_correct: +@@ -1379,7 +1621,7 @@ debug_stack_correct: call do_debug jmp ret_from_exception CFI_ENDPROC @@ -16850,7 +16910,7 @@ index cf8639b..98fcee6 100644 /* * NMI is doubly nasty. It can happen _while_ we're handling -@@ -1417,6 +1689,9 @@ nmi_stack_correct: +@@ -1417,6 +1659,9 @@ nmi_stack_correct: xorl %edx,%edx # zero error code movl %esp,%eax # pt_regs pointer call do_nmi @@ -16860,7 +16920,7 @@ index cf8639b..98fcee6 100644 jmp restore_all_notrace CFI_ENDPROC -@@ -1453,12 +1728,15 @@ nmi_espfix_stack: +@@ -1453,12 +1698,15 @@ nmi_espfix_stack: FIXUP_ESPFIX_STACK # %eax == %esp xorl %edx,%edx # zero error code call do_nmi @@ -16877,7 +16937,7 @@ index cf8639b..98fcee6 100644 ENTRY(int3) RING0_INT_FRAME -@@ -1471,14 +1749,14 @@ ENTRY(int3) +@@ -1471,14 +1719,14 @@ ENTRY(int3) call do_int3 jmp ret_from_exception CFI_ENDPROC @@ -16894,7 +16954,7 @@ index cf8639b..98fcee6 100644 #ifdef CONFIG_KVM_GUEST ENTRY(async_page_fault) -@@ -1487,7 +1765,7 @@ ENTRY(async_page_fault) +@@ -1487,7 +1735,7 @@ ENTRY(async_page_fault) pushl_cfi $do_async_page_fault jmp error_code CFI_ENDPROC @@ -19610,20 +19670,6 @@ index 216a4d7..b328f09 100644 #if 0 if ((s64)val != *(s32 *)loc) goto overflow; -diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c -index a7c5661..4929502 100644 ---- a/arch/x86/kernel/msr.c -+++ b/arch/x86/kernel/msr.c -@@ -174,6 +174,9 @@ static int msr_open(struct inode *inode, struct file *file) - unsigned int cpu; - struct cpuinfo_x86 *c; - -+ if (!capable(CAP_SYS_RAWIO)) -+ return -EPERM; -+ - cpu = iminor(file->f_path.dentry->d_inode); - if (cpu >= nr_cpu_ids || !cpu_online(cpu)) - return -ENXIO; /* No such CPU */ diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c index f84f5c5..e27e54b 100644 --- a/arch/x86/kernel/nmi.c @@ -20241,7 +20287,7 @@ index 42eb330..139955c 100644 return ret; diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c -index 4e8ba39..e0186b3 100644 +index 76fa1e9..a93c759 100644 --- a/arch/x86/kernel/reboot.c +++ b/arch/x86/kernel/reboot.c @@ -36,7 +36,7 @@ void (*pm_power_off)(void); @@ -20376,7 +20422,7 @@ index 7a6f3b3..bed145d7 100644 1: diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 86c524c..bae70c5 100644 +index aeacb0e..f9d4c02 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -441,7 +441,7 @@ static void __init parse_setup_data(void) @@ -20388,7 +20434,7 @@ index 86c524c..bae70c5 100644 break; case SETUP_DTB: add_dtb(pa_data); -@@ -708,7 +708,7 @@ static void __init trim_bios_range(void) +@@ -710,7 +710,7 @@ static void __init trim_bios_range(void) * area (640->1Mb) as ram even though it is not. * take them out. */ @@ -20397,7 +20443,7 @@ index 86c524c..bae70c5 100644 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map); } -@@ -832,14 +832,14 @@ void __init setup_arch(char **cmdline_p) +@@ -834,14 +834,14 @@ void __init setup_arch(char **cmdline_p) if (!boot_params.hdr.root_flags) root_mountflags &= ~MS_RDONLY; @@ -25075,7 +25121,7 @@ index 903ec1e..c4166b2 100644 } diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c -index 8e13ecb..831f2d0 100644 +index 8e13ecb..60bf506 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c @@ -13,12 +13,19 @@ @@ -25249,7 +25295,7 @@ index 8e13ecb..831f2d0 100644 static void show_fault_oops(struct pt_regs *regs, unsigned long error_code, -@@ -577,15 +647,26 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code, +@@ -577,15 +647,27 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code, if (!oops_may_print()) return; @@ -25268,20 +25314,23 @@ index 8e13ecb..831f2d0 100644 + if (init_mm.start_code <= address && address < init_mm.end_code) { + if (current->signal->curr_ip) + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", -+ ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid()); ++ ¤t->signal->curr_ip, current->comm, task_pid_nr(current), ++ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid())); + else -+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", -+ current->comm, task_pid_nr(current), current_uid(), current_euid()); ++ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", current->comm, task_pid_nr(current), ++ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid())); + } +#endif + printk(KERN_ALERT "BUG: unable to handle kernel "); if (address < PAGE_SIZE) printk(KERN_CONT "NULL pointer dereference"); -@@ -749,6 +830,21 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, +@@ -749,12 +831,30 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, } #endif +- if (unlikely(show_unhandled_signals)) +- show_signal_msg(regs, error_code, address, tsk); +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) + if (pax_is_fetch_fault(regs, error_code, address)) { + @@ -25296,11 +25345,21 @@ index 8e13ecb..831f2d0 100644 + do_group_exit(SIGKILL); + } +#endif + + /* Kernel addresses are always protection faults: */ ++ if (address >= TASK_SIZE) ++ error_code |= PF_PROT; + - if (unlikely(show_unhandled_signals)) - show_signal_msg(regs, error_code, address, tsk); ++ if (show_unhandled_signals) ++ show_signal_msg(regs, error_code, address, tsk); ++ + tsk->thread.cr2 = address; +- tsk->thread.error_code = error_code | (address >= TASK_SIZE); ++ tsk->thread.error_code = error_code; + tsk->thread.trap_nr = X86_TRAP_PF; -@@ -845,7 +941,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address, + force_sig_info_fault(SIGSEGV, si_code, address, tsk, 0); +@@ -845,7 +945,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address, if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) { printk(KERN_ERR "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n", @@ -25309,7 +25368,7 @@ index 8e13ecb..831f2d0 100644 code = BUS_MCEERR_AR; } #endif -@@ -901,6 +997,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte) +@@ -901,6 +1001,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte) return 1; } @@ -25409,7 +25468,7 @@ index 8e13ecb..831f2d0 100644 /* * Handle a spurious fault caused by a stale TLB entry. * -@@ -973,6 +1162,9 @@ int show_unhandled_signals = 1; +@@ -973,6 +1166,9 @@ int show_unhandled_signals = 1; static inline int access_error(unsigned long error_code, struct vm_area_struct *vma) { @@ -25419,7 +25478,7 @@ index 8e13ecb..831f2d0 100644 if (error_code & PF_WRITE) { /* write, present and write, not present: */ if (unlikely(!(vma->vm_flags & VM_WRITE))) -@@ -1001,7 +1193,7 @@ static inline bool smap_violation(int error_code, struct pt_regs *regs) +@@ -1001,7 +1197,7 @@ static inline bool smap_violation(int error_code, struct pt_regs *regs) if (error_code & PF_USER) return false; @@ -25428,7 +25487,7 @@ index 8e13ecb..831f2d0 100644 return false; return true; -@@ -1017,18 +1209,33 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code) +@@ -1017,18 +1213,33 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code) { struct vm_area_struct *vma; struct task_struct *tsk; @@ -25467,7 +25526,7 @@ index 8e13ecb..831f2d0 100644 /* * Detect and handle instructions that would cause a page fault for -@@ -1089,7 +1296,7 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code) +@@ -1089,7 +1300,7 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code) * User-mode registers count as a user access even for any * potential system fault or CPU buglet: */ @@ -25476,7 +25535,7 @@ index 8e13ecb..831f2d0 100644 local_irq_enable(); error_code |= PF_USER; } else { -@@ -1151,6 +1358,11 @@ retry: +@@ -1151,6 +1362,11 @@ retry: might_sleep(); } @@ -25488,7 +25547,7 @@ index 8e13ecb..831f2d0 100644 vma = find_vma(mm, address); if (unlikely(!vma)) { bad_area(regs, error_code, address); -@@ -1162,18 +1374,24 @@ retry: +@@ -1162,18 +1378,24 @@ retry: bad_area(regs, error_code, address); return; } @@ -25524,7 +25583,7 @@ index 8e13ecb..831f2d0 100644 if (unlikely(expand_stack(vma, address))) { bad_area(regs, error_code, address); return; -@@ -1237,3 +1455,292 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) +@@ -1237,3 +1459,292 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) __do_page_fault(regs, error_code); exception_exit(regs); } @@ -25847,7 +25906,7 @@ index 6f31ee5..8ee4164 100644 return (void *)vaddr; diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c -index 937bff5..a354c44 100644 +index 937bff5..dce75ff 100644 --- a/arch/x86/mm/hugetlbpage.c +++ b/arch/x86/mm/hugetlbpage.c @@ -276,13 +276,21 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file, @@ -26034,7 +26093,14 @@ index 937bff5..a354c44 100644 return -ENOMEM; if (flags & MAP_FIXED) { -@@ -420,8 +444,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, +@@ -417,11 +441,14 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, + return addr; + } + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ if (addr) { addr = ALIGN(addr, huge_page_size(h)); vma = find_vma(mm, addr); @@ -28258,11 +28324,11 @@ index 56ab749..3cb792a 100644 xen_setup_acpi_sci(); __acpi_register_gsi = acpi_register_gsi_xen; diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c -index ad44391..acef4b5 100644 +index 77cf009..7fe44c8 100644 --- a/arch/x86/platform/efi/efi.c +++ b/arch/x86/platform/efi/efi.c -@@ -738,8 +738,8 @@ void __init efi_init(void) - } +@@ -746,8 +746,8 @@ void __init efi_init(void) + #ifdef CONFIG_X86_32 if (efi_is_native()) { - x86_platform.get_wallclock = efi_get_time; @@ -29962,43 +30028,30 @@ index 7586544..636a2f0 100644 if (err) return err; diff --git a/drivers/acpi/proc.c b/drivers/acpi/proc.c -index 27adb09..1ed412d 100644 +index 27adb09..ef98796b 100644 --- a/drivers/acpi/proc.c +++ b/drivers/acpi/proc.c -@@ -360,19 +360,13 @@ acpi_system_write_wakeup_device(struct file *file, - size_t count, loff_t * ppos) - { +@@ -362,16 +362,13 @@ acpi_system_write_wakeup_device(struct file *file, struct list_head *node, *next; -- char strbuf[5]; -- char str[5] = ""; + char strbuf[5]; + char str[5] = ""; - unsigned int len = count; -+ char strbuf[5] = {0}; - if (len > 4) - len = 4; - if (len < 0) +- return -EFAULT; + if (count > 4) + count = 4; + +- if (copy_from_user(strbuf, buffer, len)) + if (copy_from_user(strbuf, buffer, count)) return -EFAULT; -- -- if (copy_from_user(strbuf, buffer, len)) -- return -EFAULT; - strbuf[len] = '\0'; -- sscanf(strbuf, "%s", str); + strbuf[count] = '\0'; + sscanf(strbuf, "%s", str); mutex_lock(&acpi_device_lock); - list_for_each_safe(node, next, &acpi_wakeup_device_list) { -@@ -381,7 +375,7 @@ acpi_system_write_wakeup_device(struct file *file, - if (!dev->wakeup.flags.valid) - continue; - -- if (!strncmp(dev->pnp.bus_id, str, 4)) { -+ if (!strncmp(dev->pnp.bus_id, strbuf, 4)) { - if (device_can_wakeup(&dev->dev)) { - bool enable = !device_may_wakeup(&dev->dev); - device_set_wakeup_enable(&dev->dev, enable); diff --git a/drivers/acpi/processor_driver.c b/drivers/acpi/processor_driver.c index bd4e5dc..0497b66 100644 --- a/drivers/acpi/processor_driver.c @@ -32278,8 +32331,39 @@ index 8ab9c3d..c3e65d3 100644 } static int wait_port_writable(struct port *port, bool nonblock) +diff --git a/drivers/edac/edac_mc.c b/drivers/edac/edac_mc.c +index 75c0a1a..96ba8f6 100644 +--- a/drivers/edac/edac_mc.c ++++ b/drivers/edac/edac_mc.c +@@ -340,7 +340,7 @@ struct mem_ctl_info *edac_mc_alloc(unsigned mc_num, + /* + * Alocate and fill the csrow/channels structs + */ +- mci->csrows = kcalloc(sizeof(*mci->csrows), tot_csrows, GFP_KERNEL); ++ mci->csrows = kcalloc(tot_csrows, sizeof(*mci->csrows), GFP_KERNEL); + if (!mci->csrows) + goto error; + for (row = 0; row < tot_csrows; row++) { +@@ -351,7 +351,7 @@ struct mem_ctl_info *edac_mc_alloc(unsigned mc_num, + csr->csrow_idx = row; + csr->mci = mci; + csr->nr_channels = tot_channels; +- csr->channels = kcalloc(sizeof(*csr->channels), tot_channels, ++ csr->channels = kcalloc(tot_channels, sizeof(*csr->channels), + GFP_KERNEL); + if (!csr->channels) + goto error; +@@ -369,7 +369,7 @@ struct mem_ctl_info *edac_mc_alloc(unsigned mc_num, + /* + * Allocate and fill the dimm structs + */ +- mci->dimms = kcalloc(sizeof(*mci->dimms), tot_dimms, GFP_KERNEL); ++ mci->dimms = kcalloc(tot_dimms, sizeof(*mci->dimms), GFP_KERNEL); + if (!mci->dimms) + goto error; + diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c -index e164c55..3aabb50 100644 +index 1bfb207..0d059c2 100644 --- a/drivers/edac/edac_pci_sysfs.c +++ b/drivers/edac/edac_pci_sysfs.c @@ -26,8 +26,8 @@ static int edac_pci_log_pe = 1; /* log PCI parity errors */ @@ -32430,7 +32514,7 @@ index 515a42c..5ecf3ba 100644 void fw_card_initialize(struct fw_card *card, const struct fw_card_driver *driver, struct device *device); diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c -index fd3ae62..669efe3 100644 +index 982f1f5..d21e5da 100644 --- a/drivers/firmware/dmi_scan.c +++ b/drivers/firmware/dmi_scan.c @@ -491,11 +491,6 @@ void __init dmi_scan_machine(void) @@ -32455,7 +32539,7 @@ index fd3ae62..669efe3 100644 iounmap(buf); return 0; diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c -index d10c987..ebe5400 100644 +index bfd8f43..133189c 100644 --- a/drivers/firmware/efivars.c +++ b/drivers/firmware/efivars.c @@ -1234,9 +1234,9 @@ efivars_init(void) @@ -32809,10 +32893,10 @@ index 6e0acad..93c8289 100644 int front_offset; } drm_i810_private_t; diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c -index da21b11..14c8749 100644 +index 3a1a495..995c093 100644 --- a/drivers/gpu/drm/i915/i915_debugfs.c +++ b/drivers/gpu/drm/i915/i915_debugfs.c -@@ -495,7 +495,7 @@ static int i915_interrupt_info(struct seq_file *m, void *data) +@@ -496,7 +496,7 @@ static int i915_interrupt_info(struct seq_file *m, void *data) I915_READ(GTIMR)); } seq_printf(m, "Interrupts received: %d\n", @@ -33293,10 +33377,10 @@ index 5a82b6b..9e69c73 100644 if (regcomp (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) { diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c -index ad4c973..aa27bcb 100644 +index 008d645..de03849 100644 --- a/drivers/gpu/drm/radeon/radeon_device.c +++ b/drivers/gpu/drm/radeon/radeon_device.c -@@ -940,7 +940,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev) +@@ -941,7 +941,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev) bool can_switch; spin_lock(&dev->count_lock); @@ -34636,10 +34720,10 @@ index d0f7533..fb8215b 100644 serio->dev.release = serio_release_port; serio->dev.groups = serio_device_attr_groups; diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c -index 81837b0..d7470e8 100644 +index faf10ba..7cfaba9 100644 --- a/drivers/iommu/amd_iommu_init.c +++ b/drivers/iommu/amd_iommu_init.c -@@ -1888,7 +1888,7 @@ static int __init state_next(void) +@@ -1922,7 +1922,7 @@ static int __init state_next(void) case IOMMU_ACPI_FINISHED: early_enable_iommus(); register_syscore_ops(&amd_iommu_syscore_ops); @@ -34648,7 +34732,7 @@ index 81837b0..d7470e8 100644 init_state = IOMMU_ENABLED; break; case IOMMU_ENABLED: -@@ -2030,7 +2030,7 @@ int __init amd_iommu_detect(void) +@@ -2064,7 +2064,7 @@ int __init amd_iommu_detect(void) amd_iommu_detected = true; iommu_detected = 1; @@ -35589,6 +35673,158 @@ index a3b1a34..71ce0e3 100644 spin_lock_init(&vout->vbq_lock); videobuf_queue_dma_contig_init(q, &video_vbq_ops, q->dev, +diff --git a/drivers/media/platform/s5p-tv/mixer.h b/drivers/media/platform/s5p-tv/mixer.h +index ddb422e..8cf008e 100644 +--- a/drivers/media/platform/s5p-tv/mixer.h ++++ b/drivers/media/platform/s5p-tv/mixer.h +@@ -155,7 +155,7 @@ struct mxr_layer { + /** layer index (unique identifier) */ + int idx; + /** callbacks for layer methods */ +- struct mxr_layer_ops ops; ++ struct mxr_layer_ops *ops; + /** format array */ + const struct mxr_format **fmt_array; + /** size of format array */ +diff --git a/drivers/media/platform/s5p-tv/mixer_grp_layer.c b/drivers/media/platform/s5p-tv/mixer_grp_layer.c +index b93a21f..2535195 100644 +--- a/drivers/media/platform/s5p-tv/mixer_grp_layer.c ++++ b/drivers/media/platform/s5p-tv/mixer_grp_layer.c +@@ -235,7 +235,7 @@ struct mxr_layer *mxr_graph_layer_create(struct mxr_device *mdev, int idx) + { + struct mxr_layer *layer; + int ret; +- struct mxr_layer_ops ops = { ++ static struct mxr_layer_ops ops = { + .release = mxr_graph_layer_release, + .buffer_set = mxr_graph_buffer_set, + .stream_set = mxr_graph_stream_set, +diff --git a/drivers/media/platform/s5p-tv/mixer_reg.c b/drivers/media/platform/s5p-tv/mixer_reg.c +index 3b1670a..595c939 100644 +--- a/drivers/media/platform/s5p-tv/mixer_reg.c ++++ b/drivers/media/platform/s5p-tv/mixer_reg.c +@@ -276,7 +276,7 @@ static void mxr_irq_layer_handle(struct mxr_layer *layer) + layer->update_buf = next; + } + +- layer->ops.buffer_set(layer, layer->update_buf); ++ layer->ops->buffer_set(layer, layer->update_buf); + + if (done && done != layer->shadow_buf) + vb2_buffer_done(&done->vb, VB2_BUF_STATE_DONE); +diff --git a/drivers/media/platform/s5p-tv/mixer_video.c b/drivers/media/platform/s5p-tv/mixer_video.c +index 0c1cd89..6574647 100644 +--- a/drivers/media/platform/s5p-tv/mixer_video.c ++++ b/drivers/media/platform/s5p-tv/mixer_video.c +@@ -209,7 +209,7 @@ static void mxr_layer_default_geo(struct mxr_layer *layer) + layer->geo.src.height = layer->geo.src.full_height; + + mxr_geometry_dump(mdev, &layer->geo); +- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SINK, 0); ++ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SINK, 0); + mxr_geometry_dump(mdev, &layer->geo); + } + +@@ -227,7 +227,7 @@ static void mxr_layer_update_output(struct mxr_layer *layer) + layer->geo.dst.full_width = mbus_fmt.width; + layer->geo.dst.full_height = mbus_fmt.height; + layer->geo.dst.field = mbus_fmt.field; +- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SINK, 0); ++ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SINK, 0); + + mxr_geometry_dump(mdev, &layer->geo); + } +@@ -333,7 +333,7 @@ static int mxr_s_fmt(struct file *file, void *priv, + /* set source size to highest accepted value */ + geo->src.full_width = max(geo->dst.full_width, pix->width); + geo->src.full_height = max(geo->dst.full_height, pix->height); +- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0); ++ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0); + mxr_geometry_dump(mdev, &layer->geo); + /* set cropping to total visible screen */ + geo->src.width = pix->width; +@@ -341,12 +341,12 @@ static int mxr_s_fmt(struct file *file, void *priv, + geo->src.x_offset = 0; + geo->src.y_offset = 0; + /* assure consistency of geometry */ +- layer->ops.fix_geometry(layer, MXR_GEOMETRY_CROP, MXR_NO_OFFSET); ++ layer->ops->fix_geometry(layer, MXR_GEOMETRY_CROP, MXR_NO_OFFSET); + mxr_geometry_dump(mdev, &layer->geo); + /* set full size to lowest possible value */ + geo->src.full_width = 0; + geo->src.full_height = 0; +- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0); ++ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0); + mxr_geometry_dump(mdev, &layer->geo); + + /* returning results */ +@@ -473,7 +473,7 @@ static int mxr_s_selection(struct file *file, void *fh, + target->width = s->r.width; + target->height = s->r.height; + +- layer->ops.fix_geometry(layer, stage, s->flags); ++ layer->ops->fix_geometry(layer, stage, s->flags); + + /* retrieve update selection rectangle */ + res.left = target->x_offset; +@@ -928,13 +928,13 @@ static int start_streaming(struct vb2_queue *vq, unsigned int count) + mxr_output_get(mdev); + + mxr_layer_update_output(layer); +- layer->ops.format_set(layer); ++ layer->ops->format_set(layer); + /* enabling layer in hardware */ + spin_lock_irqsave(&layer->enq_slock, flags); + layer->state = MXR_LAYER_STREAMING; + spin_unlock_irqrestore(&layer->enq_slock, flags); + +- layer->ops.stream_set(layer, MXR_ENABLE); ++ layer->ops->stream_set(layer, MXR_ENABLE); + mxr_streamer_get(mdev); + + return 0; +@@ -1004,7 +1004,7 @@ static int stop_streaming(struct vb2_queue *vq) + spin_unlock_irqrestore(&layer->enq_slock, flags); + + /* disabling layer in hardware */ +- layer->ops.stream_set(layer, MXR_DISABLE); ++ layer->ops->stream_set(layer, MXR_DISABLE); + /* remove one streamer */ + mxr_streamer_put(mdev); + /* allow changes in output configuration */ +@@ -1043,8 +1043,8 @@ void mxr_base_layer_unregister(struct mxr_layer *layer) + + void mxr_layer_release(struct mxr_layer *layer) + { +- if (layer->ops.release) +- layer->ops.release(layer); ++ if (layer->ops->release) ++ layer->ops->release(layer); + } + + void mxr_base_layer_release(struct mxr_layer *layer) +@@ -1070,7 +1070,7 @@ struct mxr_layer *mxr_base_layer_create(struct mxr_device *mdev, + + layer->mdev = mdev; + layer->idx = idx; +- layer->ops = *ops; ++ layer->ops = ops; + + spin_lock_init(&layer->enq_slock); + INIT_LIST_HEAD(&layer->enq_list); +diff --git a/drivers/media/platform/s5p-tv/mixer_vp_layer.c b/drivers/media/platform/s5p-tv/mixer_vp_layer.c +index 3d13a63..da31bf1 100644 +--- a/drivers/media/platform/s5p-tv/mixer_vp_layer.c ++++ b/drivers/media/platform/s5p-tv/mixer_vp_layer.c +@@ -206,7 +206,7 @@ struct mxr_layer *mxr_vp_layer_create(struct mxr_device *mdev, int idx) + { + struct mxr_layer *layer; + int ret; +- struct mxr_layer_ops ops = { ++ static struct mxr_layer_ops ops = { + .release = mxr_vp_layer_release, + .buffer_set = mxr_vp_buffer_set, + .stream_set = mxr_vp_stream_set, diff --git a/drivers/media/platform/timblogiw.c b/drivers/media/platform/timblogiw.c index 02194c0..36d69c1 100644 --- a/drivers/media/platform/timblogiw.c @@ -36307,6 +36543,25 @@ index 53b8fd9..615b462 100644 -}; +} __do_const; #endif /* _DW_MMC_H_ */ +diff --git a/drivers/mmc/host/sdhci-s3c.c b/drivers/mmc/host/sdhci-s3c.c +index c9ec725..178e79a 100644 +--- a/drivers/mmc/host/sdhci-s3c.c ++++ b/drivers/mmc/host/sdhci-s3c.c +@@ -719,9 +719,11 @@ static int __devinit sdhci_s3c_probe(struct platform_device *pdev) + * we can use overriding functions instead of default. + */ + if (host->quirks & SDHCI_QUIRK_NONSTANDARD_CLOCK) { +- sdhci_s3c_ops.set_clock = sdhci_cmu_set_clock; +- sdhci_s3c_ops.get_min_clock = sdhci_cmu_get_min_clock; +- sdhci_s3c_ops.get_max_clock = sdhci_cmu_get_max_clock; ++ pax_open_kernel(); ++ *(void **)&sdhci_s3c_ops.set_clock = sdhci_cmu_set_clock; ++ *(void **)&sdhci_s3c_ops.get_min_clock = sdhci_cmu_get_min_clock; ++ *(void **)&sdhci_s3c_ops.get_max_clock = sdhci_cmu_get_max_clock; ++ pax_close_kernel(); + } + + /* It supports additional host capabilities if needed */ diff --git a/drivers/mtd/devices/doc2000.c b/drivers/mtd/devices/doc2000.c index a4eb8b5..8c0628f 100644 --- a/drivers/mtd/devices/doc2000.c @@ -46438,7 +46693,7 @@ index b2a34a1..162fa69 100644 return rc; } diff --git a/fs/exec.c b/fs/exec.c -index c6e6de4..fb98879 100644 +index c6e6de4..45e71ad 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,6 +55,17 @@ @@ -47027,9 +47282,8 @@ index c6e6de4..fb98879 100644 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset); + else + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset); -+ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, " -+ "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk), -+ task_uid(tsk), task_euid(tsk), pc, sp); ++ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk), ++ from_kuid(&init_user_ns, task_uid(tsk)), from_kuid(&init_user_ns, task_euid(tsk)), pc, sp); + free_page((unsigned long)buffer_exec); + free_page((unsigned long)buffer_fault); + pax_report_insns(regs, pc, sp); @@ -47047,10 +47301,11 @@ index c6e6de4..fb98879 100644 +{ + if (current->signal->curr_ip) + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", -+ ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid()); ++ ¤t->signal->curr_ip, current->comm, task_pid_nr(current), ++ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid())); + else -+ printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", -+ current->comm, task_pid_nr(current), current_uid(), current_euid()); ++ printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", current->comm, task_pid_nr(current), ++ from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_euid())); + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs)); + show_regs(regs); + force_sig_info(SIGKILL, SEND_SIG_FORCED, current); @@ -47119,7 +47374,7 @@ index c6e6de4..fb98879 100644 +} +#endif + -+void check_object_size(const void *ptr, unsigned long n, bool to) ++void __check_object_size(const void *ptr, unsigned long n, bool to) +{ + +#ifdef CONFIG_PAX_USERCOPY @@ -47139,7 +47394,7 @@ index c6e6de4..fb98879 100644 +#endif + +} -+EXPORT_SYMBOL(check_object_size); ++EXPORT_SYMBOL(__check_object_size); + +#ifdef CONFIG_PAX_MEMORY_STACKLEAK +void pax_track_stack(void) @@ -49019,10 +49274,54 @@ index 381893c..3793318 100644 kfree(s); } diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c -index c5bc355..5a513bb 100644 +index c5bc355..f94f2d7 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c -@@ -923,7 +923,7 @@ static struct file_system_type hugetlbfs_fs_type = { +@@ -165,18 +165,21 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, + return addr; + } + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + if (addr) { + addr = ALIGN(addr, huge_page_size(h)); + vma = find_vma(mm, addr); +- if (TASK_SIZE - len >= addr && +- (!vma || addr + len <= vma->vm_start)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len)) + return addr; + } + + if (len > mm->cached_hole_size) + start_addr = mm->free_area_cache; + else { +- start_addr = TASK_UNMAPPED_BASE; ++ start_addr = mm->mmap_base; + mm->cached_hole_size = 0; + } + +@@ -190,15 +193,15 @@ full_search: + * Start a new search - just in case we missed + * some holes. + */ +- if (start_addr != TASK_UNMAPPED_BASE) { +- start_addr = TASK_UNMAPPED_BASE; ++ if (start_addr != mm->mmap_base) { ++ start_addr = mm->mmap_base; + mm->cached_hole_size = 0; + goto full_search; + } + return -ENOMEM; + } + +- if (!vma || addr + len <= vma->vm_start) { ++ if (check_heap_stack_gap(vma, addr, len)) { + mm->free_area_cache = addr + len; + return addr; + } +@@ -923,7 +926,7 @@ static struct file_system_type hugetlbfs_fs_type = { .kill_sb = kill_litter_super, }; @@ -53316,10 +53615,10 @@ index 0000000..1b9afa9 +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..78353bd +index 0000000..960766a --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,4039 @@ +@@ -0,0 +1,4003 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -53383,11 +53682,6 @@ index 0000000..78353bd +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum); +extern void gr_clear_learn_entries(void); + -+#ifdef CONFIG_GRKERNSEC_RESLOG -+extern void gr_log_resource(const struct task_struct *task, -+ const int res, const unsigned long wanted, const int gt); -+#endif -+ +unsigned char *gr_system_salt; +unsigned char *gr_system_sum; + @@ -56784,6 +57078,26 @@ index 0000000..78353bd + return 0; +} + ++#if defined(CONFIG_GRKERNSEC_RESLOG) || !defined(CONFIG_GRKERNSEC_NO_RBAC) ++static const unsigned long res_learn_bumps[GR_NLIMITS] = { ++ [RLIMIT_CPU] = GR_RLIM_CPU_BUMP, ++ [RLIMIT_FSIZE] = GR_RLIM_FSIZE_BUMP, ++ [RLIMIT_DATA] = GR_RLIM_DATA_BUMP, ++ [RLIMIT_STACK] = GR_RLIM_STACK_BUMP, ++ [RLIMIT_CORE] = GR_RLIM_CORE_BUMP, ++ [RLIMIT_RSS] = GR_RLIM_RSS_BUMP, ++ [RLIMIT_NPROC] = GR_RLIM_NPROC_BUMP, ++ [RLIMIT_NOFILE] = GR_RLIM_NOFILE_BUMP, ++ [RLIMIT_MEMLOCK] = GR_RLIM_MEMLOCK_BUMP, ++ [RLIMIT_AS] = GR_RLIM_AS_BUMP, ++ [RLIMIT_LOCKS] = GR_RLIM_LOCKS_BUMP, ++ [RLIMIT_SIGPENDING] = GR_RLIM_SIGPENDING_BUMP, ++ [RLIMIT_MSGQUEUE] = GR_RLIM_MSGQUEUE_BUMP, ++ [RLIMIT_NICE] = GR_RLIM_NICE_BUMP, ++ [RLIMIT_RTPRIO] = GR_RLIM_RTPRIO_BUMP, ++ [RLIMIT_RTTIME] = GR_RLIM_RTTIME_BUMP ++}; ++ +void +gr_learn_resource(const struct task_struct *task, + const int res, const unsigned long wanted, const int gt) @@ -56795,10 +57109,8 @@ index 0000000..78353bd + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) + goto skip_reslog; + -+#ifdef CONFIG_GRKERNSEC_RESLOG + gr_log_resource(task, res, wanted, gt); -+#endif -+ skip_reslog: ++skip_reslog: + + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS)) + return; @@ -56812,57 +57124,7 @@ index 0000000..78353bd + if (wanted >= acl->res[res].rlim_cur) { + unsigned long res_add; + -+ res_add = wanted; -+ switch (res) { -+ case RLIMIT_CPU: -+ res_add += GR_RLIM_CPU_BUMP; -+ break; -+ case RLIMIT_FSIZE: -+ res_add += GR_RLIM_FSIZE_BUMP; -+ break; -+ case RLIMIT_DATA: -+ res_add += GR_RLIM_DATA_BUMP; -+ break; -+ case RLIMIT_STACK: -+ res_add += GR_RLIM_STACK_BUMP; -+ break; -+ case RLIMIT_CORE: -+ res_add += GR_RLIM_CORE_BUMP; -+ break; -+ case RLIMIT_RSS: -+ res_add += GR_RLIM_RSS_BUMP; -+ break; -+ case RLIMIT_NPROC: -+ res_add += GR_RLIM_NPROC_BUMP; -+ break; -+ case RLIMIT_NOFILE: -+ res_add += GR_RLIM_NOFILE_BUMP; -+ break; -+ case RLIMIT_MEMLOCK: -+ res_add += GR_RLIM_MEMLOCK_BUMP; -+ break; -+ case RLIMIT_AS: -+ res_add += GR_RLIM_AS_BUMP; -+ break; -+ case RLIMIT_LOCKS: -+ res_add += GR_RLIM_LOCKS_BUMP; -+ break; -+ case RLIMIT_SIGPENDING: -+ res_add += GR_RLIM_SIGPENDING_BUMP; -+ break; -+ case RLIMIT_MSGQUEUE: -+ res_add += GR_RLIM_MSGQUEUE_BUMP; -+ break; -+ case RLIMIT_NICE: -+ res_add += GR_RLIM_NICE_BUMP; -+ break; -+ case RLIMIT_RTPRIO: -+ res_add += GR_RLIM_RTPRIO_BUMP; -+ break; -+ case RLIMIT_RTTIME: -+ res_add += GR_RLIM_RTTIME_BUMP; -+ break; -+ } ++ res_add = wanted + res_learn_bumps[res]; + + acl->res[res].rlim_cur = res_add; + @@ -56882,6 +57144,8 @@ index 0000000..78353bd + + return; +} ++EXPORT_SYMBOL(gr_learn_resource); ++#endif + +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)) +void @@ -57352,7 +57616,6 @@ index 0000000..78353bd +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE +EXPORT_SYMBOL(gr_acl_is_enabled); +#endif -+EXPORT_SYMBOL(gr_learn_resource); +EXPORT_SYMBOL(gr_set_kernel_label); +#ifdef CONFIG_SECURITY +EXPORT_SYMBOL(gr_check_user_change); @@ -59078,10 +59341,10 @@ index 0000000..bc0be01 +} diff --git a/grsecurity/grsec_chroot.c b/grsecurity/grsec_chroot.c new file mode 100644 -index 0000000..9807ee2 +index 0000000..70fe0ae --- /dev/null +++ b/grsecurity/grsec_chroot.c -@@ -0,0 +1,368 @@ +@@ -0,0 +1,357 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -59169,17 +59432,6 @@ index 0000000..9807ee2 +} + +int -+gr_handle_chroot_rawio(const struct inode *inode) -+{ -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS -+ if (grsec_enable_chroot_caps && proc_is_chrooted(current) && -+ inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO)) -+ return 1; -+#endif -+ return 0; -+} -+ -+int +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK @@ -59452,10 +59704,10 @@ index 0000000..9807ee2 +} diff --git a/grsecurity/grsec_disabled.c b/grsecurity/grsec_disabled.c new file mode 100644 -index 0000000..7de2055 +index 0000000..e6796b3 --- /dev/null +++ b/grsecurity/grsec_disabled.c -@@ -0,0 +1,442 @@ +@@ -0,0 +1,434 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -59527,13 +59779,6 @@ index 0000000..7de2055 + return 0; +} + -+void -+gr_learn_resource(const struct task_struct *task, -+ const int res, const unsigned long wanted, const int gt) -+{ -+ return; -+} -+ +int +gr_set_acls(const int type) +{ @@ -59892,7 +60137,6 @@ index 0000000..7de2055 + return; +} + -+EXPORT_SYMBOL(gr_learn_resource); +EXPORT_SYMBOL(gr_set_kernel_label); +#ifdef CONFIG_SECURITY +EXPORT_SYMBOL(gr_check_user_change); @@ -60492,10 +60736,10 @@ index 0000000..6095407 +} diff --git a/grsecurity/grsec_log.c b/grsecurity/grsec_log.c new file mode 100644 -index 0000000..a45d2e9 +index 0000000..7bd6c2b --- /dev/null +++ b/grsecurity/grsec_log.c -@@ -0,0 +1,322 @@ +@@ -0,0 +1,329 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/file.h> @@ -60511,6 +60755,9 @@ index 0000000..a45d2e9 +#define ENABLE_PREEMPT() +#endif + ++#define GR_GLOBAL_UID(x) from_kuid_munged(&init_user_ns, (x)) ++#define GR_GLOBAL_GID(x) from_kgid_munged(&init_user_ns, (x)) ++ +#define BEGIN_LOCKS(x) \ + DISABLE_PREEMPT(); \ + rcu_read_lock(); \ @@ -60620,10 +60867,14 @@ index 0000000..a45d2e9 +static void gr_log_end(int audit, int append_default) +{ + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf; -+ + if (append_default) { ++ struct task_struct *task = current; ++ struct task_struct *parent = task->real_parent; ++ const struct cred *cred = __task_cred(task); ++ const struct cred *pcred = __task_cred(parent); + unsigned int len = strlen(buf); -+ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent))); ++ ++ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid)); + } + + printk("%s\n", buf); @@ -60656,7 +60907,7 @@ index 0000000..a45d2e9 + switch (argtypes) { + case GR_TTYSNIFF: + task = va_arg(ap, struct task_struct *); -+ gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid); ++ gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task_pid_nr(task), gr_parent_task_fullpath0(task), task->real_parent->comm, task_pid_nr(task->real_parent)); + break; + case GR_SYSCTL_HIDDEN: + str1 = va_arg(ap, char *); @@ -60734,7 +60985,7 @@ index 0000000..a45d2e9 + break; + case GR_PTRACE: + task = va_arg(ap, struct task_struct *); -+ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid); ++ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task_pid_nr(task)); + break; + case GR_RESOURCE: + task = va_arg(ap, struct task_struct *); @@ -60743,14 +60994,14 @@ index 0000000..a45d2e9 + ulong1 = va_arg(ap, unsigned long); + str1 = va_arg(ap, char *); + ulong2 = va_arg(ap, unsigned long); -+ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid); ++ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid)); + break; + case GR_CAP: + task = va_arg(ap, struct task_struct *); + cred = __task_cred(task); + pcred = __task_cred(task->real_parent); + str1 = va_arg(ap, char *); -+ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid); ++ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid)); + break; + case GR_SIG: + str1 = va_arg(ap, char *); @@ -60762,21 +61013,21 @@ index 0000000..a45d2e9 + cred = __task_cred(task); + pcred = __task_cred(task->real_parent); + num1 = va_arg(ap, int); -+ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid); ++ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath0(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid)); + break; + case GR_CRASH1: + task = va_arg(ap, struct task_struct *); + cred = __task_cred(task); + pcred = __task_cred(task->real_parent); + ulong1 = va_arg(ap, unsigned long); -+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1); ++ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid), GR_GLOBAL_UID(cred->uid), ulong1); + break; + case GR_CRASH2: + task = va_arg(ap, struct task_struct *); + cred = __task_cred(task); + pcred = __task_cred(task->real_parent); + ulong1 = va_arg(ap, unsigned long); -+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1); ++ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid), ulong1); + break; + case GR_RWXMAP: + file = va_arg(ap, struct file *); @@ -60804,7 +61055,7 @@ index 0000000..a45d2e9 + cred = __task_cred(task); + pcred = __task_cred(task->real_parent); + -+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid); ++ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task_pid_nr(task), &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid)); + } + break; + default: @@ -63899,10 +64150,10 @@ index 0000000..be66033 +#endif diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h new file mode 100644 -index 0000000..c9292f7 +index 0000000..baa6e96 --- /dev/null +++ b/include/linux/grinternal.h -@@ -0,0 +1,223 @@ +@@ -0,0 +1,215 @@ +#ifndef __GRINTERNAL_H +#define __GRINTERNAL_H + @@ -64016,14 +64267,6 @@ index 0000000..c9292f7 + +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry) + -+#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \ -+ (task)->pid, (cred)->uid, \ -+ (cred)->euid, (cred)->gid, (cred)->egid, \ -+ gr_parent_task_fullpath(task), \ -+ (task)->real_parent->comm, (task)->real_parent->pid, \ -+ (pcred)->uid, (pcred)->euid, \ -+ (pcred)->gid, (pcred)->egid -+ +#define GR_CHROOT_CAPS {{ \ + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \ + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \ @@ -64245,10 +64488,10 @@ index 0000000..2bd4c8d +#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for " diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h new file mode 100644 -index 0000000..f2f5d5b +index 0000000..c5e5913 --- /dev/null +++ b/include/linux/grsecurity.h -@@ -0,0 +1,239 @@ +@@ -0,0 +1,257 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> @@ -64363,8 +64606,6 @@ index 0000000..f2f5d5b +int gr_task_is_capable(const struct task_struct *task, const struct cred *cred, const int cap); +int gr_task_is_capable_nolog(const struct task_struct *task, const int cap); + -+void gr_learn_resource(const struct task_struct *task, const int limit, -+ const unsigned long wanted, const int gt); +void gr_copy_label(struct task_struct *tsk); +void gr_handle_crash(struct task_struct *task, const int sig); +int gr_handle_signal(const struct task_struct *p, const int sig); @@ -64465,6 +64706,26 @@ index 0000000..f2f5d5b + +int gr_ptrace_readexec(struct file *file, int unsafe_flags); + ++#if defined(CONFIG_GRKERNSEC) && (defined(CONFIG_GRKERNSEC_RESLOG) || !defined(CONFIG_GRKERNSEC_NO_RBAC)) ++extern void gr_learn_resource(const struct task_struct *task, const int res, ++ const unsigned long wanted, const int gt); ++#else ++static inline void gr_learn_resource(const struct task_struct *task, const int res, ++ const unsigned long wanted, const int gt) ++{ ++} ++#endif ++ ++#ifdef CONFIG_GRKERNSEC_RESLOG ++extern void gr_log_resource(const struct task_struct *task, const int res, ++ const unsigned long wanted, const int gt); ++#else ++static inline void gr_log_resource(const struct task_struct *task, const int res, ++ const unsigned long wanted, const int gt) ++{ ++} ++#endif ++ +#ifdef CONFIG_GRKERNSEC +void task_grsec_rbac(struct seq_file *m, struct task_struct *p); +void gr_handle_vm86(void); @@ -65681,7 +65942,7 @@ index bfe1f47..6a33ee3 100644 static inline void anon_vma_merge(struct vm_area_struct *vma, struct vm_area_struct *next) diff --git a/include/linux/sched.h b/include/linux/sched.h -index 3e63925..1d69dff 100644 +index 3e63925..6c93b17 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -61,6 +61,7 @@ struct bio_list; @@ -65802,7 +66063,7 @@ index 3e63925..1d69dff 100644 #ifdef CONFIG_FUTEX struct robust_list_head __user *robust_list; #ifdef CONFIG_COMPAT -@@ -1548,8 +1585,75 @@ struct task_struct { +@@ -1548,8 +1585,74 @@ struct task_struct { #ifdef CONFIG_UPROBES struct uprobe_task *utask; #endif @@ -65873,12 +66134,11 @@ index 3e63925..1d69dff 100644 +extern void pax_report_fault(struct pt_regs *regs, void *pc, void *sp); +extern void pax_report_insns(struct pt_regs *regs, void *pc, void *sp); +extern void pax_report_refcount_overflow(struct pt_regs *regs); -+extern void check_object_size(const void *ptr, unsigned long n, bool to); + /* Future-safe accessor for struct task_struct's cpus_allowed. */ #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed) -@@ -2092,7 +2196,9 @@ void yield(void); +@@ -2092,7 +2195,9 @@ void yield(void); extern struct exec_domain default_exec_domain; union thread_union { @@ -65888,7 +66148,7 @@ index 3e63925..1d69dff 100644 unsigned long stack[THREAD_SIZE/sizeof(long)]; }; -@@ -2125,6 +2231,7 @@ extern struct pid_namespace init_pid_ns; +@@ -2125,6 +2230,7 @@ extern struct pid_namespace init_pid_ns; */ extern struct task_struct *find_task_by_vpid(pid_t nr); @@ -65896,7 +66156,7 @@ index 3e63925..1d69dff 100644 extern struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns); -@@ -2281,7 +2388,7 @@ extern void __cleanup_sighand(struct sighand_struct *); +@@ -2281,7 +2387,7 @@ extern void __cleanup_sighand(struct sighand_struct *); extern void exit_itimers(struct signal_struct *); extern void flush_itimer_signals(void); @@ -65905,7 +66165,7 @@ index 3e63925..1d69dff 100644 extern void daemonize(const char *, ...); extern int allow_signal(int); -@@ -2485,9 +2592,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) +@@ -2485,9 +2591,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) #endif @@ -66025,7 +66285,7 @@ index 6a2c34e..a1f320f 100644 int size); extern int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb, diff --git a/include/linux/slab.h b/include/linux/slab.h -index 83d1a14..209e1a6 100644 +index 83d1a14..e23d723 100644 --- a/include/linux/slab.h +++ b/include/linux/slab.h @@ -11,12 +11,20 @@ @@ -66084,7 +66344,26 @@ index 83d1a14..209e1a6 100644 /* * Allocator specific definitions. These are mainly used to establish optimized -@@ -323,7 +336,7 @@ static inline void *kmem_cache_alloc_node(struct kmem_cache *cachep, +@@ -264,8 +277,18 @@ size_t ksize(const void *); + * for general use, and so are not documented here. For a full list of + * potential flags, always refer to linux/gfp.h. + */ ++ ++extern void kmalloc_array_error(void) ++#if defined(CONFIG_GCOV_KERNEL) && defined(CONFIG_PAX_SIZE_OVERFLOW) ++__compiletime_warning("kmalloc_array called with swapped arguments?"); ++#else ++__compiletime_error("kmalloc_array called with swapped arguments?"); ++#endif ++ + static inline void *kmalloc_array(size_t n, size_t size, gfp_t flags) + { ++ if (__builtin_constant_p(n) && !__builtin_constant_p(size)) ++ kmalloc_array_error(); + if (size != 0 && n > SIZE_MAX / size) + return NULL; + return __kmalloc(n * size, flags); +@@ -323,7 +346,7 @@ static inline void *kmem_cache_alloc_node(struct kmem_cache *cachep, #if defined(CONFIG_DEBUG_SLAB) || defined(CONFIG_SLUB) || \ (defined(CONFIG_SLAB) && defined(CONFIG_TRACING)) || \ (defined(CONFIG_SLOB) && defined(CONFIG_TRACING)) @@ -66093,7 +66372,7 @@ index 83d1a14..209e1a6 100644 #define kmalloc_track_caller(size, flags) \ __kmalloc_track_caller(size, flags, _RET_IP_) #else -@@ -343,7 +356,7 @@ extern void *__kmalloc_track_caller(size_t, gfp_t, unsigned long); +@@ -343,7 +366,7 @@ extern void *__kmalloc_track_caller(size_t, gfp_t, unsigned long); #if defined(CONFIG_DEBUG_SLAB) || defined(CONFIG_SLUB) || \ (defined(CONFIG_SLAB) && defined(CONFIG_TRACING)) || \ (defined(CONFIG_SLOB) && defined(CONFIG_TRACING)) @@ -66358,6 +66637,26 @@ index 7faf933..eb6f5e3 100644 #ifdef CONFIG_MAGIC_SYSRQ +diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h +index ccc1899..b1aaceb 100644 +--- a/include/linux/thread_info.h ++++ b/include/linux/thread_info.h +@@ -146,6 +146,15 @@ static inline bool test_and_clear_restore_sigmask(void) + #error "no set_restore_sigmask() provided and default one won't work" + #endif + ++extern void __check_object_size(const void *ptr, unsigned long n, bool to); ++static inline void check_object_size(const void *ptr, unsigned long n, bool to) ++{ ++#ifndef CONFIG_PAX_USERCOPY_DEBUG ++ if (!__builtin_constant_p(n)) ++#endif ++ __check_object_size(ptr, n, to); ++} ++ + #endif /* __KERNEL__ */ + + #endif /* _LINUX_THREAD_INFO_H */ diff --git a/include/linux/tty.h b/include/linux/tty.h index f0b4eb4..1c4854e 100644 --- a/include/linux/tty.h @@ -66731,7 +67030,7 @@ index 628e11b..4c475df 100644 #endif diff --git a/include/net/gro_cells.h b/include/net/gro_cells.h -index e5062c9..e709988 100644 +index e5062c9..48a9a4b 100644 --- a/include/net/gro_cells.h +++ b/include/net/gro_cells.h @@ -29,7 +29,7 @@ static inline void gro_cells_receive(struct gro_cells *gcells, struct sk_buff *s @@ -66743,6 +67042,17 @@ index e5062c9..e709988 100644 kfree_skb(skb); return; } +@@ -73,8 +73,8 @@ static inline int gro_cells_init(struct gro_cells *gcells, struct net_device *de + int i; + + gcells->gro_cells_mask = roundup_pow_of_two(netif_get_num_default_rss_queues()) - 1; +- gcells->cells = kcalloc(sizeof(struct gro_cell), +- gcells->gro_cells_mask + 1, ++ gcells->cells = kcalloc(gcells->gro_cells_mask + 1, ++ sizeof(struct gro_cell), + GFP_KERNEL); + if (!gcells->cells) + return -ENOMEM; diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h index 1832927..ce39aea 100644 --- a/include/net/inet_connection_sock.h @@ -67470,19 +67780,6 @@ index 26607bd..588b65f 100644 +#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX #endif /* _UAPI_LINUX_XATTR_H */ -diff --git a/include/video/omapdss.h b/include/video/omapdss.h -index 3729173..7b2df7e 100644 ---- a/include/video/omapdss.h -+++ b/include/video/omapdss.h -@@ -323,7 +323,7 @@ struct omap_dss_board_info { - int (*dsi_enable_pads)(int dsi_id, unsigned lane_mask); - void (*dsi_disable_pads)(int dsi_id, unsigned lane_mask); - int (*set_min_bus_tput)(struct device *dev, unsigned long r); --}; -+} __do_const; - - /* Init with the board info */ - extern int omap_display_init(struct omap_dss_board_info *board_data); diff --git a/include/video/udlfb.h b/include/video/udlfb.h index f9466fa..f4e2b81 100644 --- a/include/video/udlfb.h @@ -67874,7 +68171,7 @@ index 84c6bf1..8899338 100644 next_state = Reset; return 0; diff --git a/init/main.c b/init/main.c -index cd147a9..12ce8c2 100644 +index 857166f..9df1d8e 100644 --- a/init/main.c +++ b/init/main.c @@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void) { } @@ -69837,7 +70134,7 @@ index 91c32a0..7b88d63 100644 seq_printf(m, "%40s %14lu %29s %pS\n", name, stats->contending_point[i], diff --git a/kernel/module.c b/kernel/module.c -index 3e544f4..096cb73 100644 +index 3e544f4..34c3008 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -59,6 +59,7 @@ @@ -70251,7 +70548,7 @@ index 3e544f4..096cb73 100644 /* * The pointer to this block is stored in the module structure * which is inside the block. Just mark it as not being a -@@ -2758,23 +2802,50 @@ static int move_module(struct module *mod, struct load_info *info) +@@ -2758,10 +2802,10 @@ static int move_module(struct module *mod, struct load_info *info) if (!ptr) return -ENOMEM; @@ -70265,13 +70562,12 @@ index 3e544f4..096cb73 100644 /* * The pointer to this block is stored in the module structure * which is inside the block. This block doesn't need to be - * scanned as it contains data and code that will be freed +@@ -2769,12 +2813,39 @@ static int move_module(struct module *mod, struct load_info *info) * after the module is initialized. */ -- kmemleak_ignore(ptr); + kmemleak_ignore(ptr); - if (!ptr && mod->init_size) { - module_free(mod, mod->module_core); -+ kmemleak_not_leak(ptr); + if (!ptr && mod->init_size_rw) { + module_free(mod, mod->module_core_rw); return -ENOMEM; @@ -70295,7 +70591,7 @@ index 3e544f4..096cb73 100644 + mod->module_core_rx = ptr; + + ptr = module_alloc_update_bounds_rx(mod->init_size_rx); -+ kmemleak_not_leak(ptr); ++ kmemleak_ignore(ptr); + if (!ptr && mod->init_size_rx) { + module_free_exec(mod, mod->module_core_rx); + module_free(mod, mod->module_init_rw); @@ -73863,7 +74159,7 @@ index 40f17c3..c1cc011 100644 /* if an huge pmd materialized from under us just retry later */ if (unlikely(pmd_trans_huge(*pmd))) diff --git a/mm/hugetlb.c b/mm/hugetlb.c -index f198aca..a19a5a5 100644 +index f198aca..10e3e37 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -2509,6 +2509,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, @@ -73955,6 +74251,14 @@ index f198aca..a19a5a5 100644 ptep = huge_pte_alloc(mm, address, huge_page_size(h)); if (!ptep) return VM_FAULT_OOM; +@@ -3028,6 +3082,7 @@ void hugetlb_change_protection(struct vm_area_struct *vma, + if (!huge_pte_none(huge_ptep_get(ptep))) { + pte = huge_ptep_get_and_clear(mm, address, ptep); + pte = pte_mkhuge(pte_modify(pte, newprot)); ++ pte = arch_make_huge_pte(pte, vma, NULL, 0); + set_huge_pte_at(mm, address, ptep, pte); + } + } diff --git a/mm/internal.h b/mm/internal.h index 3c5197d..08d0065 100644 --- a/mm/internal.h @@ -74908,10 +75212,22 @@ index 002c281..9429765 100644 capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE); diff --git a/mm/migrate.c b/mm/migrate.c -index 77ed2d7..317d528 100644 +index 77ed2d7..d7adff2 100644 --- a/mm/migrate.c +++ b/mm/migrate.c -@@ -1350,8 +1350,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages, +@@ -143,8 +143,10 @@ static int remove_migration_pte(struct page *new, struct vm_area_struct *vma, + if (is_write_migration_entry(entry)) + pte = pte_mkwrite(pte); + #ifdef CONFIG_HUGETLB_PAGE +- if (PageHuge(new)) ++ if (PageHuge(new)) { + pte = pte_mkhuge(pte); ++ pte = arch_make_huge_pte(pte, vma, new, 0); ++ } + #endif + flush_cache_page(vma, addr, pte_pfn(pte)); + set_pte_at(mm, addr, ptep, pte); +@@ -1350,8 +1352,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages, */ tcred = __task_cred(task); if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) && @@ -76919,7 +77235,7 @@ index 50c5b8f..0bc87f7 100644 return -ENOMEM; diff --git a/mm/slab.c b/mm/slab.c -index 33d3363..93c6810 100644 +index 33d3363..3851c61 100644 --- a/mm/slab.c +++ b/mm/slab.c @@ -164,7 +164,7 @@ static bool pfmemalloc_active __read_mostly; @@ -77036,7 +77352,7 @@ index 33d3363..93c6810 100644 + +#ifdef CONFIG_PAX_USERCOPY_SLABS + sizes->cs_usercopycachep = kmem_cache_zalloc(kmem_cache, GFP_NOWAIT); -+ sizes->cs_usercopycachep->name = names->name_dma; ++ sizes->cs_usercopycachep->name = names->name_usercopy; + sizes->cs_usercopycachep->size = sizes->cs_size; + sizes->cs_usercopycachep->object_size = sizes->cs_size; + sizes->cs_usercopycachep->align = ARCH_KMALLOC_MINALIGN; @@ -77514,7 +77830,7 @@ index 1e921c5..1ce12c2 100644 EXPORT_SYMBOL(kmem_cache_free); diff --git a/mm/slub.c b/mm/slub.c -index a0d6984..e280e5d 100644 +index 321afab..9595170 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -201,7 +201,7 @@ struct track { @@ -77564,7 +77880,16 @@ index a0d6984..e280e5d 100644 static int __init setup_slub_min_order(char *str) { get_option(&str, &slub_min_order); -@@ -3342,6 +3348,13 @@ static struct kmem_cache *get_slab(size_t size, gfp_t flags) +@@ -3279,7 +3285,7 @@ static struct kmem_cache *__init create_kmalloc_cache(const char *name, + if (kmem_cache_open(s, flags)) + goto panic; + +- s->refcount = 1; ++ atomic_set(&s->refcount, 1); + list_add(&s->list, &slab_caches); + return s; + +@@ -3343,6 +3349,13 @@ static struct kmem_cache *get_slab(size_t size, gfp_t flags) return kmalloc_dma_caches[index]; #endif @@ -77578,7 +77903,7 @@ index a0d6984..e280e5d 100644 return kmalloc_caches[index]; } -@@ -3410,6 +3423,59 @@ void *__kmalloc_node(size_t size, gfp_t flags, int node) +@@ -3411,6 +3424,59 @@ void *__kmalloc_node(size_t size, gfp_t flags, int node) EXPORT_SYMBOL(__kmalloc_node); #endif @@ -77638,7 +77963,7 @@ index a0d6984..e280e5d 100644 size_t ksize(const void *object) { struct page *page; -@@ -3684,7 +3750,7 @@ static void __init kmem_cache_bootstrap_fixup(struct kmem_cache *s) +@@ -3685,7 +3751,7 @@ static void __init kmem_cache_bootstrap_fixup(struct kmem_cache *s) int node; list_add(&s->list, &slab_caches); @@ -77647,7 +77972,7 @@ index a0d6984..e280e5d 100644 for_each_node_state(node, N_NORMAL_MEMORY) { struct kmem_cache_node *n = get_node(s, node); -@@ -3807,17 +3873,17 @@ void __init kmem_cache_init(void) +@@ -3808,17 +3874,17 @@ void __init kmem_cache_init(void) /* Caches that are not of the two-to-the-power-of size */ if (KMALLOC_MIN_SIZE <= 32) { @@ -77668,7 +77993,7 @@ index a0d6984..e280e5d 100644 caches++; } -@@ -3859,6 +3925,22 @@ void __init kmem_cache_init(void) +@@ -3860,6 +3926,22 @@ void __init kmem_cache_init(void) } } #endif @@ -77691,7 +78016,7 @@ index a0d6984..e280e5d 100644 printk(KERN_INFO "SLUB: Genslabs=%d, HWalign=%d, Order=%d-%d, MinObjects=%d," " CPUs=%d, Nodes=%d\n", -@@ -3885,7 +3967,7 @@ static int slab_unmergeable(struct kmem_cache *s) +@@ -3886,7 +3968,7 @@ static int slab_unmergeable(struct kmem_cache *s) /* * We may have set a slab to be unmergeable during bootstrap. */ @@ -77700,7 +78025,7 @@ index a0d6984..e280e5d 100644 return 1; return 0; -@@ -3939,7 +4021,7 @@ struct kmem_cache *__kmem_cache_alias(const char *name, size_t size, +@@ -3940,7 +4022,7 @@ struct kmem_cache *__kmem_cache_alias(const char *name, size_t size, s = find_mergeable(size, align, flags, name, ctor); if (s) { @@ -77709,7 +78034,7 @@ index a0d6984..e280e5d 100644 /* * Adjust the object sizes so that we clear * the complete object on kzalloc. -@@ -3948,7 +4030,7 @@ struct kmem_cache *__kmem_cache_alias(const char *name, size_t size, +@@ -3949,7 +4031,7 @@ struct kmem_cache *__kmem_cache_alias(const char *name, size_t size, s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *))); if (sysfs_slab_alias(s, name)) { @@ -77718,7 +78043,7 @@ index a0d6984..e280e5d 100644 s = NULL; } } -@@ -4063,7 +4145,7 @@ void *__kmalloc_node_track_caller(size_t size, gfp_t gfpflags, +@@ -4064,7 +4146,7 @@ void *__kmalloc_node_track_caller(size_t size, gfp_t gfpflags, } #endif @@ -77727,7 +78052,7 @@ index a0d6984..e280e5d 100644 static int count_inuse(struct page *page) { return page->inuse; -@@ -4450,12 +4532,12 @@ static void resiliency_test(void) +@@ -4451,12 +4533,12 @@ static void resiliency_test(void) validate_slab_cache(kmalloc_caches[9]); } #else @@ -77742,7 +78067,7 @@ index a0d6984..e280e5d 100644 enum slab_stat_type { SL_ALL, /* All slabs */ SL_PARTIAL, /* Only partially allocated slabs */ -@@ -4699,7 +4781,7 @@ SLAB_ATTR_RO(ctor); +@@ -4700,7 +4782,7 @@ SLAB_ATTR_RO(ctor); static ssize_t aliases_show(struct kmem_cache *s, char *buf) { @@ -77751,7 +78076,7 @@ index a0d6984..e280e5d 100644 } SLAB_ATTR_RO(aliases); -@@ -5261,6 +5343,7 @@ static char *create_unique_id(struct kmem_cache *s) +@@ -5262,6 +5344,7 @@ static char *create_unique_id(struct kmem_cache *s) return name; } @@ -77759,7 +78084,7 @@ index a0d6984..e280e5d 100644 static int sysfs_slab_add(struct kmem_cache *s) { int err; -@@ -5323,6 +5406,7 @@ static void sysfs_slab_remove(struct kmem_cache *s) +@@ -5324,6 +5407,7 @@ static void sysfs_slab_remove(struct kmem_cache *s) kobject_del(&s->kobj); kobject_put(&s->kobj); } @@ -77767,7 +78092,7 @@ index a0d6984..e280e5d 100644 /* * Need to buffer aliases during bootup until sysfs becomes -@@ -5336,6 +5420,7 @@ struct saved_alias { +@@ -5337,6 +5421,7 @@ struct saved_alias { static struct saved_alias *alias_list; @@ -77775,7 +78100,7 @@ index a0d6984..e280e5d 100644 static int sysfs_slab_alias(struct kmem_cache *s, const char *name) { struct saved_alias *al; -@@ -5358,6 +5443,7 @@ static int sysfs_slab_alias(struct kmem_cache *s, const char *name) +@@ -5359,6 +5444,7 @@ static int sysfs_slab_alias(struct kmem_cache *s, const char *name) alias_list = al; return 0; } @@ -80290,10 +80615,10 @@ index 08897a3..0b812ab 100644 return res; } diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c -index 7371f67..9897314 100644 +index 494da7f..6ce2ffd 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c -@@ -2594,7 +2594,7 @@ static void ieee80211_mgmt_frame_register(struct wiphy *wiphy, +@@ -2604,7 +2604,7 @@ static void ieee80211_mgmt_frame_register(struct wiphy *wiphy, else local->probe_req_reg--; @@ -80303,7 +80628,7 @@ index 7371f67..9897314 100644 ieee80211_queue_work(&local->hw, &local->reconfig_filter); diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h -index 3da215c..497a6e3 100644 +index 493e2e8..be76574 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -28,6 +28,7 @@ @@ -80474,10 +80799,10 @@ index 0151ae3..26709d3 100644 /* diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig -index fefa514..0755f23 100644 +index 49e96df..63a51c3 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig -@@ -929,6 +929,16 @@ config NETFILTER_XT_MATCH_ESP +@@ -936,6 +936,16 @@ config NETFILTER_XT_MATCH_ESP To compile it as a module, choose M here. If unsure, say N. @@ -80662,10 +80987,10 @@ index cc4c809..50f8fe5 100644 } diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c -index 0f241be..2c9be6d 100644 +index ec02168..f0caab6 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c -@@ -1532,6 +1532,10 @@ err_extend: +@@ -1533,6 +1533,10 @@ err_extend: #define UNCONFIRMED_NULLS_VAL ((1<<30)+0) #define DYING_NULLS_VAL ((1<<30)+1) @@ -80676,7 +81001,7 @@ index 0f241be..2c9be6d 100644 static int nf_conntrack_init_net(struct net *net) { int ret; -@@ -1545,7 +1549,11 @@ static int nf_conntrack_init_net(struct net *net) +@@ -1546,7 +1550,11 @@ static int nf_conntrack_init_net(struct net *net) goto err_stat; } @@ -80689,10 +81014,10 @@ index 0f241be..2c9be6d 100644 ret = -ENOMEM; goto err_slabname; diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c -index 9f199f2..719ad23 100644 +index 92fd8ec..3f6ea4b 100644 --- a/net/netfilter/nfnetlink_log.c +++ b/net/netfilter/nfnetlink_log.c -@@ -71,7 +71,7 @@ struct nfulnl_instance { +@@ -72,7 +72,7 @@ struct nfulnl_instance { }; static DEFINE_SPINLOCK(instances_lock); @@ -80701,7 +81026,7 @@ index 9f199f2..719ad23 100644 #define INSTANCE_BUCKETS 16 static struct hlist_head instance_table[INSTANCE_BUCKETS]; -@@ -527,7 +527,7 @@ __build_packet_message(struct nfulnl_instance *inst, +@@ -537,7 +537,7 @@ __build_packet_message(struct nfulnl_instance *inst, /* global sequence number */ if ((inst->flags & NFULNL_CFG_F_SEQ_GLOBAL) && nla_put_be32(inst->skb, NFULA_SEQ_GLOBAL, @@ -82572,10 +82897,10 @@ index 5c11312..72742b5 100644 write_hex_cnt = 0; for (i = 0; i < logo_clutsize; i++) { diff --git a/security/Kconfig b/security/Kconfig -index e9c6ac7..a9bcf23 100644 +index e9c6ac7..01c698c 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,896 @@ +@@ -4,6 +4,902 @@ menu "Security options" @@ -83424,6 +83749,12 @@ index e9c6ac7..a9bcf23 100644 + Since this has a negligible performance impact, you should enable + this feature. + ++ ++config PAX_USERCOPY_DEBUG ++ bool ++ depends on X86 && PAX_USERCOPY ++ default n ++ +config PAX_SIZE_OVERFLOW + bool "Prevent various integer overflows in function size parameters" + default y if GRKERNSEC_CONFIG_AUTO @@ -83472,7 +83803,7 @@ index e9c6ac7..a9bcf23 100644 source security/keys/Kconfig config SECURITY_DMESG_RESTRICT -@@ -103,7 +993,7 @@ config INTEL_TXT +@@ -103,7 +999,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX diff --git a/3.7.5/4425_grsec_remove_EI_PAX.patch b/3.7.6/4425_grsec_remove_EI_PAX.patch index 97e6951..97e6951 100644 --- a/3.7.5/4425_grsec_remove_EI_PAX.patch +++ b/3.7.6/4425_grsec_remove_EI_PAX.patch diff --git a/3.7.5/4430_grsec-remove-localversion-grsec.patch b/3.7.6/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.7.5/4430_grsec-remove-localversion-grsec.patch +++ b/3.7.6/4430_grsec-remove-localversion-grsec.patch diff --git a/3.7.5/4435_grsec-mute-warnings.patch b/3.7.6/4435_grsec-mute-warnings.patch index e1a7a3c..e1a7a3c 100644 --- a/3.7.5/4435_grsec-mute-warnings.patch +++ b/3.7.6/4435_grsec-mute-warnings.patch diff --git a/3.7.5/4440_grsec-remove-protected-paths.patch b/3.7.6/4440_grsec-remove-protected-paths.patch index 637934a..637934a 100644 --- a/3.7.5/4440_grsec-remove-protected-paths.patch +++ b/3.7.6/4440_grsec-remove-protected-paths.patch diff --git a/3.7.5/4450_grsec-kconfig-default-gids.patch b/3.7.6/4450_grsec-kconfig-default-gids.patch index 3dfdc8f..3dfdc8f 100644 --- a/3.7.5/4450_grsec-kconfig-default-gids.patch +++ b/3.7.6/4450_grsec-kconfig-default-gids.patch diff --git a/3.7.5/4465_selinux-avc_audit-log-curr_ip.patch b/3.7.6/4465_selinux-avc_audit-log-curr_ip.patch index 5b614b1..5b614b1 100644 --- a/3.7.5/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.7.6/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.7.5/4470_disable-compat_vdso.patch b/3.7.6/4470_disable-compat_vdso.patch index d32044a..1037ba9 100644 --- a/3.7.5/4470_disable-compat_vdso.patch +++ b/3.7.6/4470_disable-compat_vdso.patch @@ -26,13 +26,13 @@ Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138 diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig --- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100 +++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100 -@@ -1703,17 +1703,8 @@ +@@ -1704,17 +1704,8 @@ config COMPAT_VDSO def_bool n - prompt "Compat VDSO support" depends on X86_32 || IA32_EMULATION - depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF + depends on !PAX_PAGEEXEC && !PAX_SEGMEXEC && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF - ---help--- - Map the 32-bit VDSO to the predictable old-style address too. - |