diff options
| author |   Anthony G. Basile <blueness@gentoo.org> | 2016-02-02 01:45:53 -0500 |
|---|---|---|
| committer | Anthony G. Basile <blueness@gentoo.org> | 2016-02-02 01:45:53 -0500 |
| commit | 82e4e2c3535f481b3bd0ddfc1d6669ca2e0e8909 (patch) | |
| tree | d4b14a9077b35687470531e406cd8a96bf2a5e25 | |
| parent | grsecurity-3.1-4.3.4-201601292206 (diff) | |
| download | hardened-patchset-82e4e2c3535f481b3bd0ddfc1d6669ca2e0e8909.tar.gz hardened-patchset-82e4e2c3535f481b3bd0ddfc1d6669ca2e0e8909.tar.bz2 hardened-patchset-82e4e2c3535f481b3bd0ddfc1d6669ca2e0e8909.zip | |
grsecurity-3.1-4.3.5-20160131161120160131
| -rw-r--r-- | 4.3.4/1003_linux-4.3.4.patch | 1863 | ||||
| -rw-r--r-- | 4.3.5/0000_README (renamed from 4.3.4/0000_README) | 6 | ||||
| -rw-r--r-- | 4.3.5/4420_grsecurity-3.1-4.3.5-201601311611.patch (renamed from 4.3.4/4420_grsecurity-3.1-4.3.4-201601292206.patch) | 1419 | ||||
| -rw-r--r-- | 4.3.5/4425_grsec_remove_EI_PAX.patch (renamed from 4.3.4/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
| -rw-r--r-- | 4.3.5/4427_force_XATTR_PAX_tmpfs.patch (renamed from 4.3.4/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
| -rw-r--r-- | 4.3.5/4430_grsec-remove-localversion-grsec.patch (renamed from 4.3.4/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
| -rw-r--r-- | 4.3.5/4435_grsec-mute-warnings.patch (renamed from 4.3.4/4435_grsec-mute-warnings.patch) | 0 | ||||
| -rw-r--r-- | 4.3.5/4440_grsec-remove-protected-paths.patch (renamed from 4.3.4/4440_grsec-remove-protected-paths.patch) | 0 | ||||
| -rw-r--r-- | 4.3.5/4450_grsec-kconfig-default-gids.patch (renamed from 4.3.4/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
| -rw-r--r-- | 4.3.5/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 4.3.4/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
| -rw-r--r-- | 4.3.5/4470_disable-compat_vdso.patch (renamed from 4.3.4/4470_disable-compat_vdso.patch) | 0 | ||||
| -rw-r--r-- | 4.3.5/4475_emutramp_default_on.patch (renamed from 4.3.4/4475_emutramp_default_on.patch) | 0 |
12 files changed, 309 insertions, 2979 deletions
diff --git a/4.3.4/1003_linux-4.3.4.patch b/4.3.4/1003_linux-4.3.4.patch deleted file mode 100644 index 0e103a4..0000000 --- a/4.3.4/1003_linux-4.3.4.patch +++ /dev/null @@ -1,1863 +0,0 @@ -diff --git a/Makefile b/Makefile -index 2070d16..69430ed 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 4 - PATCHLEVEL = 3 --SUBLEVEL = 3 -+SUBLEVEL = 4 - EXTRAVERSION = - NAME = Blurry Fish Butt - -diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index 739a4a6..2f6e3c6 100644 ---- a/drivers/acpi/osl.c -+++ b/drivers/acpi/osl.c -@@ -81,6 +81,7 @@ static struct workqueue_struct *kacpid_wq; - static struct workqueue_struct *kacpi_notify_wq; - static struct workqueue_struct *kacpi_hotplug_wq; - static bool acpi_os_initialized; -+unsigned int acpi_sci_irq = INVALID_ACPI_IRQ; - - /* - * This list of permanent mappings is for memory that may be accessed from -@@ -856,17 +857,19 @@ acpi_os_install_interrupt_handler(u32 gsi, acpi_osd_handler handler, - acpi_irq_handler = NULL; - return AE_NOT_ACQUIRED; - } -+ acpi_sci_irq = irq; - - return AE_OK; - } - --acpi_status acpi_os_remove_interrupt_handler(u32 irq, acpi_osd_handler handler) -+acpi_status acpi_os_remove_interrupt_handler(u32 gsi, acpi_osd_handler handler) - { -- if (irq != acpi_gbl_FADT.sci_interrupt) -+ if (gsi != acpi_gbl_FADT.sci_interrupt || !acpi_sci_irq_valid()) - return AE_BAD_PARAMETER; - -- free_irq(irq, acpi_irq); -+ free_irq(acpi_sci_irq, acpi_irq); - acpi_irq_handler = NULL; -+ acpi_sci_irq = INVALID_ACPI_IRQ; - - return AE_OK; - } -@@ -1180,8 +1183,8 @@ void acpi_os_wait_events_complete(void) - * Make sure the GPE handler or the fixed event handler is not used - * on another CPU after removal. - */ -- if (acpi_irq_handler) -- synchronize_hardirq(acpi_gbl_FADT.sci_interrupt); -+ if (acpi_sci_irq_valid()) -+ synchronize_hardirq(acpi_sci_irq); - flush_workqueue(kacpid_wq); - flush_workqueue(kacpi_notify_wq); - } -diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c -index 2f0d4db..3fe1fbe 100644 ---- a/drivers/acpi/sleep.c -+++ b/drivers/acpi/sleep.c -@@ -632,14 +632,16 @@ static int acpi_freeze_prepare(void) - acpi_enable_wakeup_devices(ACPI_STATE_S0); - acpi_enable_all_wakeup_gpes(); - acpi_os_wait_events_complete(); -- enable_irq_wake(acpi_gbl_FADT.sci_interrupt); -+ if (acpi_sci_irq_valid()) -+ enable_irq_wake(acpi_sci_irq); - return 0; - } - - static void acpi_freeze_restore(void) - { - acpi_disable_wakeup_devices(ACPI_STATE_S0); -- disable_irq_wake(acpi_gbl_FADT.sci_interrupt); -+ if (acpi_sci_irq_valid()) -+ disable_irq_wake(acpi_sci_irq); - acpi_enable_all_runtime_gpes(); - } - -diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h -index f8319a0..39be5ac 100644 ---- a/drivers/char/tpm/tpm.h -+++ b/drivers/char/tpm/tpm.h -@@ -115,6 +115,13 @@ enum tpm2_startup_types { - TPM2_SU_STATE = 0x0001, - }; - -+enum tpm2_start_method { -+ TPM2_START_ACPI = 2, -+ TPM2_START_FIFO = 6, -+ TPM2_START_CRB = 7, -+ TPM2_START_CRB_WITH_ACPI = 8, -+}; -+ - struct tpm_chip; - - struct tpm_vendor_specific { -diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c -index 1267322..2b971b3 100644 ---- a/drivers/char/tpm/tpm_crb.c -+++ b/drivers/char/tpm/tpm_crb.c -@@ -34,12 +34,6 @@ enum crb_defaults { - CRB_ACPI_START_INDEX = 1, - }; - --enum crb_start_method { -- CRB_SM_ACPI_START = 2, -- CRB_SM_CRB = 7, -- CRB_SM_CRB_WITH_ACPI_START = 8, --}; -- - struct acpi_tpm2 { - struct acpi_table_header hdr; - u16 platform_class; -@@ -220,12 +214,6 @@ static int crb_acpi_add(struct acpi_device *device) - u64 pa; - int rc; - -- chip = tpmm_chip_alloc(dev, &tpm_crb); -- if (IS_ERR(chip)) -- return PTR_ERR(chip); -- -- chip->flags = TPM_CHIP_FLAG_TPM2; -- - status = acpi_get_table(ACPI_SIG_TPM2, 1, - (struct acpi_table_header **) &buf); - if (ACPI_FAILURE(status)) { -@@ -233,13 +221,15 @@ static int crb_acpi_add(struct acpi_device *device) - return -ENODEV; - } - -- /* At least some versions of AMI BIOS have a bug that TPM2 table has -- * zero address for the control area and therefore we must fail. -- */ -- if (!buf->control_area_pa) { -- dev_err(dev, "TPM2 ACPI table has a zero address for the control area\n"); -- return -EINVAL; -- } -+ /* Should the FIFO driver handle this? */ -+ if (buf->start_method == TPM2_START_FIFO) -+ return -ENODEV; -+ -+ chip = tpmm_chip_alloc(dev, &tpm_crb); -+ if (IS_ERR(chip)) -+ return PTR_ERR(chip); -+ -+ chip->flags = TPM_CHIP_FLAG_TPM2; - - if (buf->hdr.length < sizeof(struct acpi_tpm2)) { - dev_err(dev, "TPM2 ACPI table has wrong size"); -@@ -259,11 +249,11 @@ static int crb_acpi_add(struct acpi_device *device) - * report only ACPI start but in practice seems to require both - * ACPI start and CRB start. - */ -- if (sm == CRB_SM_CRB || sm == CRB_SM_CRB_WITH_ACPI_START || -+ if (sm == TPM2_START_CRB || sm == TPM2_START_FIFO || - !strcmp(acpi_device_hid(device), "MSFT0101")) - priv->flags |= CRB_FL_CRB_START; - -- if (sm == CRB_SM_ACPI_START || sm == CRB_SM_CRB_WITH_ACPI_START) -+ if (sm == TPM2_START_ACPI || sm == TPM2_START_CRB_WITH_ACPI) - priv->flags |= CRB_FL_ACPI_START; - - priv->cca = (struct crb_control_area __iomem *) -diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c -index f2dffa7..696ef1d 100644 ---- a/drivers/char/tpm/tpm_tis.c -+++ b/drivers/char/tpm/tpm_tis.c -@@ -1,6 +1,6 @@ - /* - * Copyright (C) 2005, 2006 IBM Corporation -- * Copyright (C) 2014 Intel Corporation -+ * Copyright (C) 2014, 2015 Intel Corporation - * - * Authors: - * Leendert van Doorn <leendert@watson.ibm.com> -@@ -28,6 +28,7 @@ - #include <linux/wait.h> - #include <linux/acpi.h> - #include <linux/freezer.h> -+#include <acpi/actbl2.h> - #include "tpm.h" - - enum tis_access { -@@ -65,6 +66,17 @@ enum tis_defaults { - TIS_LONG_TIMEOUT = 2000, /* 2 sec */ - }; - -+struct tpm_info { -+ unsigned long start; -+ unsigned long len; -+ unsigned int irq; -+}; -+ -+static struct tpm_info tis_default_info = { -+ .start = TIS_MEM_BASE, -+ .len = TIS_MEM_LEN, -+ .irq = 0, -+}; - - /* Some timeout values are needed before it is known whether the chip is - * TPM 1.0 or TPM 2.0. -@@ -91,26 +103,54 @@ struct priv_data { - }; - - #if defined(CONFIG_PNP) && defined(CONFIG_ACPI) --static int is_itpm(struct pnp_dev *dev) -+static int has_hid(struct acpi_device *dev, const char *hid) - { -- struct acpi_device *acpi = pnp_acpi_device(dev); - struct acpi_hardware_id *id; - -- if (!acpi) -- return 0; -- -- list_for_each_entry(id, &acpi->pnp.ids, list) { -- if (!strcmp("INTC0102", id->id)) -+ list_for_each_entry(id, &dev->pnp.ids, list) -+ if (!strcmp(hid, id->id)) - return 1; -- } - - return 0; - } -+ -+static inline int is_itpm(struct acpi_device *dev) -+{ -+ return has_hid(dev, "INTC0102"); -+} -+ -+static inline int is_fifo(struct acpi_device *dev) -+{ -+ struct acpi_table_tpm2 *tbl; -+ acpi_status st; -+ -+ /* TPM 1.2 FIFO */ -+ if (!has_hid(dev, "MSFT0101")) -+ return 1; -+ -+ st = acpi_get_table(ACPI_SIG_TPM2, 1, -+ (struct acpi_table_header **) &tbl); -+ if (ACPI_FAILURE(st)) { -+ dev_err(&dev->dev, "failed to get TPM2 ACPI table\n"); -+ return 0; -+ } -+ -+ if (le32_to_cpu(tbl->start_method) != TPM2_START_FIFO) -+ return 0; -+ -+ /* TPM 2.0 FIFO */ -+ return 1; -+} - #else --static inline int is_itpm(struct pnp_dev *dev) -+static inline int is_itpm(struct acpi_device *dev) - { - return 0; - } -+ -+static inline int is_fifo(struct acpi_device *dev) -+{ -+ return 1; -+} - #endif - - /* Before we attempt to access the TPM we must see that the valid bit is set. -@@ -600,9 +640,8 @@ static void tpm_tis_remove(struct tpm_chip *chip) - release_locality(chip, chip->vendor.locality, 1); - } - --static int tpm_tis_init(struct device *dev, acpi_handle acpi_dev_handle, -- resource_size_t start, resource_size_t len, -- unsigned int irq) -+static int tpm_tis_init(struct device *dev, struct tpm_info *tpm_info, -+ acpi_handle acpi_dev_handle) - { - u32 vendor, intfcaps, intmask; - int rc, i, irq_s, irq_e, probe; -@@ -622,7 +661,7 @@ static int tpm_tis_init(struct device *dev, acpi_handle acpi_dev_handle, - chip->acpi_dev_handle = acpi_dev_handle; - #endif - -- chip->vendor.iobase = devm_ioremap(dev, start, len); -+ chip->vendor.iobase = devm_ioremap(dev, tpm_info->start, tpm_info->len); - if (!chip->vendor.iobase) - return -EIO; - -@@ -707,7 +746,7 @@ static int tpm_tis_init(struct device *dev, acpi_handle acpi_dev_handle, - chip->vendor.iobase + - TPM_INT_ENABLE(chip->vendor.locality)); - if (interrupts) -- chip->vendor.irq = irq; -+ chip->vendor.irq = tpm_info->irq; - if (interrupts && !chip->vendor.irq) { - irq_s = - ioread8(chip->vendor.iobase + -@@ -890,27 +929,27 @@ static SIMPLE_DEV_PM_OPS(tpm_tis_pm, tpm_pm_suspend, tpm_tis_resume); - static int tpm_tis_pnp_init(struct pnp_dev *pnp_dev, - const struct pnp_device_id *pnp_id) - { -- resource_size_t start, len; -- unsigned int irq = 0; -+ struct tpm_info tpm_info = tis_default_info; - acpi_handle acpi_dev_handle = NULL; - -- start = pnp_mem_start(pnp_dev, 0); -- len = pnp_mem_len(pnp_dev, 0); -+ tpm_info.start = pnp_mem_start(pnp_dev, 0); -+ tpm_info.len = pnp_mem_len(pnp_dev, 0); - - if (pnp_irq_valid(pnp_dev, 0)) -- irq = pnp_irq(pnp_dev, 0); -+ tpm_info.irq = pnp_irq(pnp_dev, 0); - else - interrupts = false; - -- if (is_itpm(pnp_dev)) -- itpm = true; -- - #ifdef CONFIG_ACPI -- if (pnp_acpi_device(pnp_dev)) -+ if (pnp_acpi_device(pnp_dev)) { -+ if (is_itpm(pnp_acpi_device(pnp_dev))) -+ itpm = true; -+ - acpi_dev_handle = pnp_acpi_device(pnp_dev)->handle; -+ } - #endif - -- return tpm_tis_init(&pnp_dev->dev, acpi_dev_handle, start, len, irq); -+ return tpm_tis_init(&pnp_dev->dev, &tpm_info, acpi_dev_handle); - } - - static struct pnp_device_id tpm_pnp_tbl[] = { -@@ -930,6 +969,7 @@ MODULE_DEVICE_TABLE(pnp, tpm_pnp_tbl); - static void tpm_tis_pnp_remove(struct pnp_dev *dev) - { - struct tpm_chip *chip = pnp_get_drvdata(dev); -+ - tpm_chip_unregister(chip); - tpm_tis_remove(chip); - } -@@ -950,6 +990,79 @@ module_param_string(hid, tpm_pnp_tbl[TIS_HID_USR_IDX].id, - MODULE_PARM_DESC(hid, "Set additional specific HID for this driver to probe"); - #endif - -+#ifdef CONFIG_ACPI -+static int tpm_check_resource(struct acpi_resource *ares, void *data) -+{ -+ struct tpm_info *tpm_info = (struct tpm_info *) data; -+ struct resource res; -+ -+ if (acpi_dev_resource_interrupt(ares, 0, &res)) { -+ tpm_info->irq = res.start; -+ } else if (acpi_dev_resource_memory(ares, &res)) { -+ tpm_info->start = res.start; -+ tpm_info->len = resource_size(&res); -+ } -+ -+ return 1; -+} -+ -+static int tpm_tis_acpi_init(struct acpi_device *acpi_dev) -+{ -+ struct list_head resources; -+ struct tpm_info tpm_info = tis_default_info; -+ int ret; -+ -+ if (!is_fifo(acpi_dev)) -+ return -ENODEV; -+ -+ INIT_LIST_HEAD(&resources); -+ ret = acpi_dev_get_resources(acpi_dev, &resources, tpm_check_resource, -+ &tpm_info); -+ if (ret < 0) -+ return ret; -+ -+ acpi_dev_free_resource_list(&resources); -+ -+ if (!tpm_info.irq) -+ interrupts = false; -+ -+ if (is_itpm(acpi_dev)) -+ itpm = true; -+ -+ return tpm_tis_init(&acpi_dev->dev, &tpm_info, acpi_dev->handle); -+} -+ -+static int tpm_tis_acpi_remove(struct acpi_device *dev) -+{ -+ struct tpm_chip *chip = dev_get_drvdata(&dev->dev); -+ -+ tpm_chip_unregister(chip); -+ tpm_tis_remove(chip); -+ -+ return 0; -+} -+ -+static struct acpi_device_id tpm_acpi_tbl[] = { -+ {"MSFT0101", 0}, /* TPM 2.0 */ -+ /* Add new here */ -+ {"", 0}, /* User Specified */ -+ {"", 0} /* Terminator */ -+}; -+MODULE_DEVICE_TABLE(acpi, tpm_acpi_tbl); -+ -+static struct acpi_driver tis_acpi_driver = { -+ .name = "tpm_tis", -+ .ids = tpm_acpi_tbl, -+ .ops = { -+ .add = tpm_tis_acpi_init, -+ .remove = tpm_tis_acpi_remove, -+ }, -+ .drv = { -+ .pm = &tpm_tis_pm, -+ }, -+}; -+#endif -+ - static struct platform_driver tis_drv = { - .driver = { - .name = "tpm_tis", -@@ -966,9 +1079,25 @@ static int __init init_tis(void) - { - int rc; - #ifdef CONFIG_PNP -- if (!force) -- return pnp_register_driver(&tis_pnp_driver); -+ if (!force) { -+ rc = pnp_register_driver(&tis_pnp_driver); -+ if (rc) -+ return rc; -+ } -+#endif -+#ifdef CONFIG_ACPI -+ if (!force) { -+ rc = acpi_bus_register_driver(&tis_acpi_driver); -+ if (rc) { -+#ifdef CONFIG_PNP -+ pnp_unregister_driver(&tis_pnp_driver); - #endif -+ return rc; -+ } -+ } -+#endif -+ if (!force) -+ return 0; - - rc = platform_driver_register(&tis_drv); - if (rc < 0) -@@ -978,7 +1107,7 @@ static int __init init_tis(void) - rc = PTR_ERR(pdev); - goto err_dev; - } -- rc = tpm_tis_init(&pdev->dev, NULL, TIS_MEM_BASE, TIS_MEM_LEN, 0); -+ rc = tpm_tis_init(&pdev->dev, &tis_default_info, NULL); - if (rc) - goto err_init; - return 0; -@@ -992,9 +1121,14 @@ err_dev: - static void __exit cleanup_tis(void) - { - struct tpm_chip *chip; --#ifdef CONFIG_PNP -+#if defined(CONFIG_PNP) || defined(CONFIG_ACPI) - if (!force) { -+#ifdef CONFIG_ACPI -+ acpi_bus_unregister_driver(&tis_acpi_driver); -+#endif -+#ifdef CONFIG_PNP - pnp_unregister_driver(&tis_pnp_driver); -+#endif - return; - } - #endif -diff --git a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c -index 2795d6d..8b5988e 100644 ---- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c -+++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c -@@ -1016,13 +1016,12 @@ static int atl1c_setup_ring_resources(struct atl1c_adapter *adapter) - sizeof(struct atl1c_recv_ret_status) * rx_desc_count + - 8 * 4; - -- ring_header->desc = pci_alloc_consistent(pdev, ring_header->size, -- &ring_header->dma); -+ ring_header->desc = dma_zalloc_coherent(&pdev->dev, ring_header->size, -+ &ring_header->dma, GFP_KERNEL); - if (unlikely(!ring_header->desc)) { -- dev_err(&pdev->dev, "pci_alloc_consistend failed\n"); -+ dev_err(&pdev->dev, "could not get memory for DMA buffer\n"); - goto err_nomem; - } -- memset(ring_header->desc, 0, ring_header->size); - /* init TPD ring */ - - tpd_ring[0].dma = roundup(ring_header->dma, 8); -diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c -index ce38d26..bcb933e 100644 ---- a/drivers/net/ethernet/freescale/gianfar.c -+++ b/drivers/net/ethernet/freescale/gianfar.c -@@ -894,7 +894,8 @@ static int gfar_of_init(struct platform_device *ofdev, struct net_device **pdev) - FSL_GIANFAR_DEV_HAS_VLAN | - FSL_GIANFAR_DEV_HAS_MAGIC_PACKET | - FSL_GIANFAR_DEV_HAS_EXTENDED_HASH | -- FSL_GIANFAR_DEV_HAS_TIMER; -+ FSL_GIANFAR_DEV_HAS_TIMER | -+ FSL_GIANFAR_DEV_HAS_RX_FILER; - - err = of_property_read_string(np, "phy-connection-type", &ctype); - -@@ -1393,8 +1394,9 @@ static int gfar_probe(struct platform_device *ofdev) - priv->rx_queue[i]->rxic = DEFAULT_RXIC; - } - -- /* always enable rx filer */ -- priv->rx_filer_enable = 1; -+ /* Always enable rx filer if available */ -+ priv->rx_filer_enable = -+ (priv->device_flags & FSL_GIANFAR_DEV_HAS_RX_FILER) ? 1 : 0; - /* Enable most messages by default */ - priv->msg_enable = (NETIF_MSG_IFUP << 1 ) - 1; - /* use pritority h/w tx queue scheduling for single queue devices */ -diff --git a/drivers/net/ethernet/freescale/gianfar.h b/drivers/net/ethernet/freescale/gianfar.h -index 8c19948..3755372 100644 ---- a/drivers/net/ethernet/freescale/gianfar.h -+++ b/drivers/net/ethernet/freescale/gianfar.h -@@ -917,6 +917,7 @@ struct gfar { - #define FSL_GIANFAR_DEV_HAS_BD_STASHING 0x00000200 - #define FSL_GIANFAR_DEV_HAS_BUF_STASHING 0x00000400 - #define FSL_GIANFAR_DEV_HAS_TIMER 0x00000800 -+#define FSL_GIANFAR_DEV_HAS_RX_FILER 0x00002000 - - #if (MAXGROUPS == 2) - #define DEFAULT_MAPPING 0xAA -diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c -index 2f87909..60ccc29 100644 ---- a/drivers/net/ethernet/qualcomm/qca_spi.c -+++ b/drivers/net/ethernet/qualcomm/qca_spi.c -@@ -736,9 +736,8 @@ qcaspi_netdev_tx_timeout(struct net_device *dev) - netdev_info(qca->net_dev, "Transmit timeout at %ld, latency %ld\n", - jiffies, jiffies - dev->trans_start); - qca->net_dev->stats.tx_errors++; -- /* wake the queue if there is room */ -- if (qcaspi_tx_ring_has_space(&qca->txr)) -- netif_wake_queue(dev); -+ /* Trigger tx queue flush and QCA7000 reset */ -+ qca->sync = QCASPI_SYNC_UNKNOWN; - } - - static int -diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c -index a484d8b..f3cbf90c 100644 ---- a/drivers/net/ethernet/renesas/sh_eth.c -+++ b/drivers/net/ethernet/renesas/sh_eth.c -@@ -1481,6 +1481,7 @@ static int sh_eth_rx(struct net_device *ndev, u32 intr_status, int *quota) - if (mdp->cd->shift_rd0) - desc_status >>= 16; - -+ skb = mdp->rx_skbuff[entry]; - if (desc_status & (RD_RFS1 | RD_RFS2 | RD_RFS3 | RD_RFS4 | - RD_RFS5 | RD_RFS6 | RD_RFS10)) { - ndev->stats.rx_errors++; -@@ -1496,12 +1497,11 @@ static int sh_eth_rx(struct net_device *ndev, u32 intr_status, int *quota) - ndev->stats.rx_missed_errors++; - if (desc_status & RD_RFS10) - ndev->stats.rx_over_errors++; -- } else { -+ } else if (skb) { - if (!mdp->cd->hw_swap) - sh_eth_soft_swap( - phys_to_virt(ALIGN(rxdesc->addr, 4)), - pkt_len + 2); -- skb = mdp->rx_skbuff[entry]; - mdp->rx_skbuff[entry] = NULL; - if (mdp->cd->rpadir) - skb_reserve(skb, NET_IP_ALIGN); -diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c -index cf6312f..e13ad6c 100644 ---- a/drivers/net/phy/micrel.c -+++ b/drivers/net/phy/micrel.c -@@ -339,9 +339,18 @@ static int ksz9021_config_init(struct phy_device *phydev) - { - const struct device *dev = &phydev->dev; - const struct device_node *of_node = dev->of_node; -+ const struct device *dev_walker; - -- if (!of_node && dev->parent->of_node) -- of_node = dev->parent->of_node; -+ /* The Micrel driver has a deprecated option to place phy OF -+ * properties in the MAC node. Walk up the tree of devices to -+ * find a device with an OF node. -+ */ -+ dev_walker = &phydev->dev; -+ do { -+ of_node = dev_walker->of_node; -+ dev_walker = dev_walker->parent; -+ -+ } while (!of_node && dev_walker); - - if (of_node) { - ksz9021_load_values_from_of(phydev, of_node, -diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c -index 5e0b432..0a37f84 100644 ---- a/drivers/net/ppp/pppoe.c -+++ b/drivers/net/ppp/pppoe.c -@@ -568,6 +568,9 @@ static int pppoe_create(struct net *net, struct socket *sock, int kern) - sk->sk_family = PF_PPPOX; - sk->sk_protocol = PX_PROTO_OE; - -+ INIT_WORK(&pppox_sk(sk)->proto.pppoe.padt_work, -+ pppoe_unbind_sock_work); -+ - return 0; - } - -@@ -632,8 +635,6 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr, - - lock_sock(sk); - -- INIT_WORK(&po->proto.pppoe.padt_work, pppoe_unbind_sock_work); -- - error = -EINVAL; - if (sp->sa_protocol != PX_PROTO_OE) - goto end; -@@ -663,8 +664,13 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr, - po->pppoe_dev = NULL; - } - -- memset(sk_pppox(po) + 1, 0, -- sizeof(struct pppox_sock) - sizeof(struct sock)); -+ po->pppoe_ifindex = 0; -+ memset(&po->pppoe_pa, 0, sizeof(po->pppoe_pa)); -+ memset(&po->pppoe_relay, 0, sizeof(po->pppoe_relay)); -+ memset(&po->chan, 0, sizeof(po->chan)); -+ po->next = NULL; -+ po->num = 0; -+ - sk->sk_state = PPPOX_NONE; - } - -diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c -index 686f37d..b910cae 100644 ---- a/drivers/net/ppp/pptp.c -+++ b/drivers/net/ppp/pptp.c -@@ -418,6 +418,9 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr, - struct pptp_opt *opt = &po->proto.pptp; - int error = 0; - -+ if (sockaddr_len < sizeof(struct sockaddr_pppox)) -+ return -EINVAL; -+ - lock_sock(sk); - - opt->src_addr = sp->sa_addr.pptp; -@@ -439,6 +442,9 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr, - struct flowi4 fl4; - int error = 0; - -+ if (sockaddr_len < sizeof(struct sockaddr_pppox)) -+ return -EINVAL; -+ - if (sp->sa_protocol != PX_PROTO_PPTP) - return -EINVAL; - -diff --git a/drivers/net/usb/cdc_mbim.c b/drivers/net/usb/cdc_mbim.c -index efc18e0..b6ea6ff 100644 ---- a/drivers/net/usb/cdc_mbim.c -+++ b/drivers/net/usb/cdc_mbim.c -@@ -158,7 +158,7 @@ static int cdc_mbim_bind(struct usbnet *dev, struct usb_interface *intf) - if (!cdc_ncm_comm_intf_is_mbim(intf->cur_altsetting)) - goto err; - -- ret = cdc_ncm_bind_common(dev, intf, data_altsetting, 0); -+ ret = cdc_ncm_bind_common(dev, intf, data_altsetting, dev->driver_info->data); - if (ret) - goto err; - -@@ -582,6 +582,26 @@ static const struct driver_info cdc_mbim_info_zlp = { - .tx_fixup = cdc_mbim_tx_fixup, - }; - -+/* The spefication explicitly allows NDPs to be placed anywhere in the -+ * frame, but some devices fail unless the NDP is placed after the IP -+ * packets. Using the CDC_NCM_FLAG_NDP_TO_END flags to force this -+ * behaviour. -+ * -+ * Note: The current implementation of this feature restricts each NTB -+ * to a single NDP, implying that multiplexed sessions cannot share an -+ * NTB. This might affect performace for multiplexed sessions. -+ */ -+static const struct driver_info cdc_mbim_info_ndp_to_end = { -+ .description = "CDC MBIM", -+ .flags = FLAG_NO_SETINT | FLAG_MULTI_PACKET | FLAG_WWAN, -+ .bind = cdc_mbim_bind, -+ .unbind = cdc_mbim_unbind, -+ .manage_power = cdc_mbim_manage_power, -+ .rx_fixup = cdc_mbim_rx_fixup, -+ .tx_fixup = cdc_mbim_tx_fixup, -+ .data = CDC_NCM_FLAG_NDP_TO_END, -+}; -+ - static const struct usb_device_id mbim_devs[] = { - /* This duplicate NCM entry is intentional. MBIM devices can - * be disguised as NCM by default, and this is necessary to -@@ -597,6 +617,10 @@ static const struct usb_device_id mbim_devs[] = { - { USB_VENDOR_AND_INTERFACE_INFO(0x0bdb, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), - .driver_info = (unsigned long)&cdc_mbim_info, - }, -+ /* Huawei E3372 fails unless NDP comes after the IP packets */ -+ { USB_DEVICE_AND_INTERFACE_INFO(0x12d1, 0x157d, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), -+ .driver_info = (unsigned long)&cdc_mbim_info_ndp_to_end, -+ }, - /* default entry */ - { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), - .driver_info = (unsigned long)&cdc_mbim_info_zlp, -diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c -index db40175..fa41a6d 100644 ---- a/drivers/net/usb/cdc_ncm.c -+++ b/drivers/net/usb/cdc_ncm.c -@@ -1006,10 +1006,18 @@ static struct usb_cdc_ncm_ndp16 *cdc_ncm_ndp(struct cdc_ncm_ctx *ctx, struct sk_ - * NTH16 header as we would normally do. NDP isn't written to the SKB yet, and - * the wNdpIndex field in the header is actually not consistent with reality. It will be later. - */ -- if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) -+ if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) { - if (ctx->delayed_ndp16->dwSignature == sign) - return ctx->delayed_ndp16; - -+ /* We can only push a single NDP to the end. Return -+ * NULL to send what we've already got and queue this -+ * skb for later. -+ */ -+ else if (ctx->delayed_ndp16->dwSignature) -+ return NULL; -+ } -+ - /* follow the chain of NDPs, looking for a match */ - while (ndpoffset) { - ndp16 = (struct usb_cdc_ncm_ndp16 *)(skb->data + ndpoffset); -diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c -index d9427ca..2e32c41 100644 ---- a/drivers/net/usb/r8152.c -+++ b/drivers/net/usb/r8152.c -@@ -3067,17 +3067,6 @@ static int rtl8152_open(struct net_device *netdev) - - mutex_lock(&tp->control); - -- /* The WORK_ENABLE may be set when autoresume occurs */ -- if (test_bit(WORK_ENABLE, &tp->flags)) { -- clear_bit(WORK_ENABLE, &tp->flags); -- usb_kill_urb(tp->intr_urb); -- cancel_delayed_work_sync(&tp->schedule); -- -- /* disable the tx/rx, if the workqueue has enabled them. */ -- if (netif_carrier_ok(netdev)) -- tp->rtl_ops.disable(tp); -- } -- - tp->rtl_ops.up(tp); - - rtl8152_set_speed(tp, AUTONEG_ENABLE, -@@ -3124,12 +3113,6 @@ static int rtl8152_close(struct net_device *netdev) - } else { - mutex_lock(&tp->control); - -- /* The autosuspend may have been enabled and wouldn't -- * be disable when autoresume occurs, because the -- * netif_running() would be false. -- */ -- rtl_runtime_suspend_enable(tp, false); -- - tp->rtl_ops.down(tp); - - mutex_unlock(&tp->control); -@@ -3512,7 +3495,7 @@ static int rtl8152_resume(struct usb_interface *intf) - netif_device_attach(tp->netdev); - } - -- if (netif_running(tp->netdev)) { -+ if (netif_running(tp->netdev) && tp->netdev->flags & IFF_UP) { - if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) { - rtl_runtime_suspend_enable(tp, false); - clear_bit(SELECTIVE_SUSPEND, &tp->flags); -@@ -3532,6 +3515,8 @@ static int rtl8152_resume(struct usb_interface *intf) - } - usb_submit_urb(tp->intr_urb, GFP_KERNEL); - } else if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) { -+ if (tp->netdev->flags & IFF_UP) -+ rtl_runtime_suspend_enable(tp, false); - clear_bit(SELECTIVE_SUSPEND, &tp->flags); - } - -diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c -index c9e309c..374feba 100644 ---- a/drivers/net/vrf.c -+++ b/drivers/net/vrf.c -@@ -581,6 +581,7 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev, - { - struct net_vrf *vrf = netdev_priv(dev); - struct net_vrf_dev *vrf_ptr; -+ int err; - - if (!data || !data[IFLA_VRF_TABLE]) - return -EINVAL; -@@ -589,16 +590,25 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev, - - dev->priv_flags |= IFF_VRF_MASTER; - -+ err = -ENOMEM; - vrf_ptr = kmalloc(sizeof(*dev->vrf_ptr), GFP_KERNEL); - if (!vrf_ptr) -- return -ENOMEM; -+ goto out_fail; - - vrf_ptr->ifindex = dev->ifindex; - vrf_ptr->tb_id = vrf->tb_id; - -+ err = register_netdevice(dev); -+ if (err < 0) -+ goto out_fail; -+ - rcu_assign_pointer(dev->vrf_ptr, vrf_ptr); - -- return register_netdev(dev); -+ return 0; -+ -+out_fail: -+ kfree(vrf_ptr); -+ return err; - } - - static size_t vrf_nl_getsize(const struct net_device *dev) -diff --git a/drivers/platform/x86/toshiba_acpi.c b/drivers/platform/x86/toshiba_acpi.c -index f2372f4..d2de91c 100644 ---- a/drivers/platform/x86/toshiba_acpi.c -+++ b/drivers/platform/x86/toshiba_acpi.c -@@ -2676,6 +2676,7 @@ static int toshiba_acpi_add(struct acpi_device *acpi_dev) - ret = toshiba_function_keys_get(dev, &special_functions); - dev->kbd_function_keys_supported = !ret; - -+ dev->hotkey_event_type = 0; - if (toshiba_acpi_setup_keyboard(dev)) - pr_info("Unable to activate hotkeys\n"); - -diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c -index b30e742..26ca4f9 100644 ---- a/drivers/usb/class/cdc-acm.c -+++ b/drivers/usb/class/cdc-acm.c -@@ -1838,6 +1838,11 @@ static const struct usb_device_id acm_ids[] = { - }, - #endif - -+ /* Exclude Infineon Flash Loader utility */ -+ { USB_DEVICE(0x058b, 0x0041), -+ .driver_info = IGNORE_DEVICE, -+ }, -+ - /* control interfaces without any protocol set */ - { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM, - USB_CDC_PROTO_NONE) }, -diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c -index b9ddf0c..894894f 100644 ---- a/drivers/usb/core/config.c -+++ b/drivers/usb/core/config.c -@@ -115,7 +115,8 @@ static void usb_parse_ss_endpoint_companion(struct device *ddev, int cfgno, - USB_SS_MULT(desc->bmAttributes) > 3) { - dev_warn(ddev, "Isoc endpoint has Mult of %d in " - "config %d interface %d altsetting %d ep %d: " -- "setting to 3\n", desc->bmAttributes + 1, -+ "setting to 3\n", -+ USB_SS_MULT(desc->bmAttributes), - cfgno, inum, asnum, ep->desc.bEndpointAddress); - ep->ss_ep_comp.bmAttributes = 2; - } -diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 431839b..522f766 100644 ---- a/drivers/usb/core/hub.c -+++ b/drivers/usb/core/hub.c -@@ -124,6 +124,10 @@ struct usb_hub *usb_hub_to_struct_hub(struct usb_device *hdev) - - int usb_device_supports_lpm(struct usb_device *udev) - { -+ /* Some devices have trouble with LPM */ -+ if (udev->quirks & USB_QUIRK_NO_LPM) -+ return 0; -+ - /* USB 2.1 (and greater) devices indicate LPM support through - * their USB 2.0 Extended Capabilities BOS descriptor. - */ -@@ -4503,6 +4507,8 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1, - goto fail; - } - -+ usb_detect_quirks(udev); -+ - if (udev->wusb == 0 && le16_to_cpu(udev->descriptor.bcdUSB) >= 0x0201) { - retval = usb_get_bos_descriptor(udev); - if (!retval) { -@@ -4701,7 +4707,6 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus, - if (status < 0) - goto loop; - -- usb_detect_quirks(udev); - if (udev->quirks & USB_QUIRK_DELAY_INIT) - msleep(1000); - -@@ -5317,9 +5322,6 @@ static int usb_reset_and_verify_device(struct usb_device *udev) - if (udev->usb2_hw_lpm_enabled == 1) - usb_set_usb2_hardware_lpm(udev, 0); - -- bos = udev->bos; -- udev->bos = NULL; -- - /* Disable LPM and LTM while we reset the device and reinstall the alt - * settings. Device-initiated LPM settings, and system exit latency - * settings are cleared when the device is reset, so we have to set -@@ -5328,15 +5330,18 @@ static int usb_reset_and_verify_device(struct usb_device *udev) - ret = usb_unlocked_disable_lpm(udev); - if (ret) { - dev_err(&udev->dev, "%s Failed to disable LPM\n.", __func__); -- goto re_enumerate; -+ goto re_enumerate_no_bos; - } - ret = usb_disable_ltm(udev); - if (ret) { - dev_err(&udev->dev, "%s Failed to disable LTM\n.", - __func__); -- goto re_enumerate; -+ goto re_enumerate_no_bos; - } - -+ bos = udev->bos; -+ udev->bos = NULL; -+ - for (i = 0; i < SET_CONFIG_TRIES; ++i) { - - /* ep0 maxpacket size may change; let the HCD know about it. -@@ -5433,10 +5438,11 @@ done: - return 0; - - re_enumerate: -- /* LPM state doesn't matter when we're about to destroy the device. */ -- hub_port_logical_disconnect(parent_hub, port1); - usb_release_bos_descriptor(udev); - udev->bos = bos; -+re_enumerate_no_bos: -+ /* LPM state doesn't matter when we're about to destroy the device. */ -+ hub_port_logical_disconnect(parent_hub, port1); - return -ENODEV; - } - -diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c -index f5a3819..017c1de 100644 ---- a/drivers/usb/core/quirks.c -+++ b/drivers/usb/core/quirks.c -@@ -199,6 +199,12 @@ static const struct usb_device_id usb_quirk_list[] = { - { USB_DEVICE(0x1a0a, 0x0200), .driver_info = - USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL }, - -+ /* Blackmagic Design Intensity Shuttle */ -+ { USB_DEVICE(0x1edb, 0xbd3b), .driver_info = USB_QUIRK_NO_LPM }, -+ -+ /* Blackmagic Design UltraStudio SDI */ -+ { USB_DEVICE(0x1edb, 0xbd4f), .driver_info = USB_QUIRK_NO_LPM }, -+ - { } /* terminating entry must be last */ - }; - -diff --git a/drivers/usb/gadget/udc/pxa27x_udc.c b/drivers/usb/gadget/udc/pxa27x_udc.c -index 670ac0b..001a3b7 100644 ---- a/drivers/usb/gadget/udc/pxa27x_udc.c -+++ b/drivers/usb/gadget/udc/pxa27x_udc.c -@@ -2536,6 +2536,9 @@ static int pxa_udc_suspend(struct platform_device *_dev, pm_message_t state) - udc->pullup_resume = udc->pullup_on; - dplus_pullup(udc, 0); - -+ if (udc->driver) -+ udc->driver->disconnect(&udc->gadget); -+ - return 0; - } - -diff --git a/drivers/usb/host/ohci-at91.c b/drivers/usb/host/ohci-at91.c -index 342ffd1..8c6e15b 100644 ---- a/drivers/usb/host/ohci-at91.c -+++ b/drivers/usb/host/ohci-at91.c -@@ -473,6 +473,8 @@ static int ohci_hcd_at91_drv_probe(struct platform_device *pdev) - if (!pdata) - return -ENOMEM; - -+ pdev->dev.platform_data = pdata; -+ - if (!of_property_read_u32(np, "num-ports", &ports)) - pdata->ports = ports; - -@@ -483,6 +485,7 @@ static int ohci_hcd_at91_drv_probe(struct platform_device *pdev) - */ - if (i >= pdata->ports) { - pdata->vbus_pin[i] = -EINVAL; -+ pdata->overcurrent_pin[i] = -EINVAL; - continue; - } - -@@ -513,10 +516,8 @@ static int ohci_hcd_at91_drv_probe(struct platform_device *pdev) - } - - at91_for_each_port(i) { -- if (i >= pdata->ports) { -- pdata->overcurrent_pin[i] = -EINVAL; -- continue; -- } -+ if (i >= pdata->ports) -+ break; - - pdata->overcurrent_pin[i] = - of_get_named_gpio_flags(np, "atmel,oc-gpio", i, &flags); -@@ -552,8 +553,6 @@ static int ohci_hcd_at91_drv_probe(struct platform_device *pdev) - } - } - -- pdev->dev.platform_data = pdata; -- - device_init_wakeup(&pdev->dev, 1); - return usb_hcd_at91_probe(&ohci_at91_hc_driver, pdev); - } -diff --git a/drivers/usb/host/whci/qset.c b/drivers/usb/host/whci/qset.c -index dc31c42..9f1c053 100644 ---- a/drivers/usb/host/whci/qset.c -+++ b/drivers/usb/host/whci/qset.c -@@ -377,6 +377,10 @@ static int qset_fill_page_list(struct whc *whc, struct whc_std *std, gfp_t mem_f - if (std->pl_virt == NULL) - return -ENOMEM; - std->dma_addr = dma_map_single(whc->wusbhc.dev, std->pl_virt, pl_len, DMA_TO_DEVICE); -+ if (dma_mapping_error(whc->wusbhc.dev, std->dma_addr)) { -+ kfree(std->pl_virt); -+ return -EFAULT; -+ } - - for (p = 0; p < std->num_pointers; p++) { - std->pl_virt[p].buf_ptr = cpu_to_le64(dma_addr); -diff --git a/drivers/usb/musb/Kconfig b/drivers/usb/musb/Kconfig -index 1f2037b..45c83ba 100644 ---- a/drivers/usb/musb/Kconfig -+++ b/drivers/usb/musb/Kconfig -@@ -159,7 +159,7 @@ config USB_TI_CPPI_DMA - - config USB_TI_CPPI41_DMA - bool 'TI CPPI 4.1 (AM335x)' -- depends on ARCH_OMAP -+ depends on ARCH_OMAP && DMADEVICES - select TI_CPPI41 - - config USB_TUSB_OMAP_DMA -diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c -index eac7cca..7d4f51a 100644 ---- a/drivers/usb/serial/cp210x.c -+++ b/drivers/usb/serial/cp210x.c -@@ -132,7 +132,6 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */ - { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */ - { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */ -- { USB_DEVICE(0x10C4, 0xEA80) }, /* Silicon Labs factory default */ - { USB_DEVICE(0x10C4, 0xEA71) }, /* Infinity GPS-MIC-1 Radio Monophone */ - { USB_DEVICE(0x10C4, 0xF001) }, /* Elan Digital Systems USBscope50 */ - { USB_DEVICE(0x10C4, 0xF002) }, /* Elan Digital Systems USBwave12 */ -diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c -index 3658662..a204782 100644 ---- a/drivers/usb/serial/usb-serial-simple.c -+++ b/drivers/usb/serial/usb-serial-simple.c -@@ -53,6 +53,7 @@ DEVICE(funsoft, FUNSOFT_IDS); - - /* Infineon Flashloader driver */ - #define FLASHLOADER_IDS() \ -+ { USB_DEVICE_INTERFACE_CLASS(0x058b, 0x0041, USB_CLASS_CDC_DATA) }, \ - { USB_DEVICE(0x8087, 0x0716) } - DEVICE(flashloader, FLASHLOADER_IDS); - -diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c -index f689219..43b1caf 100644 ---- a/drivers/usb/storage/uas.c -+++ b/drivers/usb/storage/uas.c -@@ -796,6 +796,10 @@ static int uas_slave_configure(struct scsi_device *sdev) - if (devinfo->flags & US_FL_NO_REPORT_OPCODES) - sdev->no_report_opcodes = 1; - -+ /* A few buggy USB-ATA bridges don't understand FUA */ -+ if (devinfo->flags & US_FL_BROKEN_FUA) -+ sdev->broken_fua = 1; -+ - scsi_change_queue_depth(sdev, devinfo->qdepth - 2); - return 0; - } -diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h -index 6b24791..7ffe420 100644 ---- a/drivers/usb/storage/unusual_devs.h -+++ b/drivers/usb/storage/unusual_devs.h -@@ -1987,7 +1987,7 @@ UNUSUAL_DEV( 0x14cd, 0x6600, 0x0201, 0x0201, - US_FL_IGNORE_RESIDUE ), - - /* Reported by Michael Büsch <m@bues.ch> */ --UNUSUAL_DEV( 0x152d, 0x0567, 0x0114, 0x0114, -+UNUSUAL_DEV( 0x152d, 0x0567, 0x0114, 0x0116, - "JMicron", - "USB to ATA/ATAPI Bridge", - USB_SC_DEVICE, USB_PR_DEVICE, NULL, -diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h -index c85ea53..ccc113e 100644 ---- a/drivers/usb/storage/unusual_uas.h -+++ b/drivers/usb/storage/unusual_uas.h -@@ -132,7 +132,7 @@ UNUSUAL_DEV(0x152d, 0x0567, 0x0000, 0x9999, - "JMicron", - "JMS567", - USB_SC_DEVICE, USB_PR_DEVICE, NULL, -- US_FL_NO_REPORT_OPCODES), -+ US_FL_BROKEN_FUA | US_FL_NO_REPORT_OPCODES), - - /* Reported-by: Hans de Goede <hdegoede@redhat.com> */ - UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999, -diff --git a/include/linux/acpi.h b/include/linux/acpi.h -index 43856d1..1ae6ba0 100644 ---- a/include/linux/acpi.h -+++ b/include/linux/acpi.h -@@ -193,6 +193,12 @@ int acpi_ioapic_registered(acpi_handle handle, u32 gsi_base); - void acpi_irq_stats_init(void); - extern u32 acpi_irq_handled; - extern u32 acpi_irq_not_handled; -+extern unsigned int acpi_sci_irq; -+#define INVALID_ACPI_IRQ ((unsigned)-1) -+static inline bool acpi_sci_irq_valid(void) -+{ -+ return acpi_sci_irq != INVALID_ACPI_IRQ; -+} - - extern int sbf_port; - extern unsigned long acpi_realmode_flags; -diff --git a/include/linux/usb/quirks.h b/include/linux/usb/quirks.h -index 9948c87..1d0043d 100644 ---- a/include/linux/usb/quirks.h -+++ b/include/linux/usb/quirks.h -@@ -47,4 +47,7 @@ - /* device generates spurious wakeup, ignore remote wakeup capability */ - #define USB_QUIRK_IGNORE_REMOTE_WAKEUP BIT(9) - -+/* device can't handle Link Power Management */ -+#define USB_QUIRK_NO_LPM BIT(10) -+ - #endif /* __LINUX_USB_QUIRKS_H */ -diff --git a/include/net/dst.h b/include/net/dst.h -index 9261d92..e7fa2e2 100644 ---- a/include/net/dst.h -+++ b/include/net/dst.h -@@ -322,6 +322,39 @@ static inline void skb_dst_force(struct sk_buff *skb) - } - } - -+/** -+ * dst_hold_safe - Take a reference on a dst if possible -+ * @dst: pointer to dst entry -+ * -+ * This helper returns false if it could not safely -+ * take a reference on a dst. -+ */ -+static inline bool dst_hold_safe(struct dst_entry *dst) -+{ -+ if (dst->flags & DST_NOCACHE) -+ return atomic_inc_not_zero(&dst->__refcnt); -+ dst_hold(dst); -+ return true; -+} -+ -+/** -+ * skb_dst_force_safe - makes sure skb dst is refcounted -+ * @skb: buffer -+ * -+ * If dst is not yet refcounted and not destroyed, grab a ref on it. -+ */ -+static inline void skb_dst_force_safe(struct sk_buff *skb) -+{ -+ if (skb_dst_is_noref(skb)) { -+ struct dst_entry *dst = skb_dst(skb); -+ -+ if (!dst_hold_safe(dst)) -+ dst = NULL; -+ -+ skb->_skb_refdst = (unsigned long)dst; -+ } -+} -+ - - /** - * __skb_tunnel_rx - prepare skb for rx reinsert -diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h -index 4a6009d..235c781 100644 ---- a/include/net/inetpeer.h -+++ b/include/net/inetpeer.h -@@ -78,6 +78,7 @@ void inet_initpeers(void) __init; - static inline void inetpeer_set_addr_v4(struct inetpeer_addr *iaddr, __be32 ip) - { - iaddr->a4.addr = ip; -+ iaddr->a4.vif = 0; - iaddr->family = AF_INET; - } - -diff --git a/include/net/sock.h b/include/net/sock.h -index e237170..bca709a 100644 ---- a/include/net/sock.h -+++ b/include/net/sock.h -@@ -387,6 +387,7 @@ struct sock { - sk_no_check_rx : 1, - sk_userlocks : 4, - sk_protocol : 8, -+#define SK_PROTOCOL_MAX U8_MAX - sk_type : 16; - kmemcheck_bitfield_end(flags); - int sk_wmem_queued; -@@ -724,6 +725,8 @@ enum sock_flags { - SOCK_SELECT_ERR_QUEUE, /* Wake select on error queue */ - }; - -+#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE)) -+ - static inline void sock_copy_flags(struct sock *nsk, struct sock *osk) - { - nsk->sk_flags = osk->sk_flags; -@@ -798,7 +801,7 @@ void sk_stream_write_space(struct sock *sk); - static inline void __sk_add_backlog(struct sock *sk, struct sk_buff *skb) - { - /* dont let skb dst not refcounted, we are going to leave rcu lock */ -- skb_dst_force(skb); -+ skb_dst_force_safe(skb); - - if (!sk->sk_backlog.tail) - sk->sk_backlog.head = skb; -diff --git a/include/net/vxlan.h b/include/net/vxlan.h -index 480a319..f4a4972 100644 ---- a/include/net/vxlan.h -+++ b/include/net/vxlan.h -@@ -79,7 +79,7 @@ struct vxlanhdr { - }; - - /* VXLAN header flags. */ --#define VXLAN_HF_RCO BIT(24) -+#define VXLAN_HF_RCO BIT(21) - #define VXLAN_HF_VNI BIT(27) - #define VXLAN_HF_GBP BIT(31) - -diff --git a/include/uapi/linux/Kbuild b/include/uapi/linux/Kbuild -index f7b2db4..7fc5733 100644 ---- a/include/uapi/linux/Kbuild -+++ b/include/uapi/linux/Kbuild -@@ -186,6 +186,7 @@ header-y += if_tunnel.h - header-y += if_vlan.h - header-y += if_x25.h - header-y += igmp.h -+header-y += ila.h - header-y += in6.h - header-y += inet_diag.h - header-y += in.h -diff --git a/lib/rhashtable.c b/lib/rhashtable.c -index a54ff89..aa388a7 100644 ---- a/lib/rhashtable.c -+++ b/lib/rhashtable.c -@@ -503,10 +503,11 @@ int rhashtable_walk_init(struct rhashtable *ht, struct rhashtable_iter *iter) - if (!iter->walker) - return -ENOMEM; - -- mutex_lock(&ht->mutex); -- iter->walker->tbl = rht_dereference(ht->tbl, ht); -+ spin_lock(&ht->lock); -+ iter->walker->tbl = -+ rcu_dereference_protected(ht->tbl, lockdep_is_held(&ht->lock)); - list_add(&iter->walker->list, &iter->walker->tbl->walkers); -- mutex_unlock(&ht->mutex); -+ spin_unlock(&ht->lock); - - return 0; - } -@@ -520,10 +521,10 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_init); - */ - void rhashtable_walk_exit(struct rhashtable_iter *iter) - { -- mutex_lock(&iter->ht->mutex); -+ spin_lock(&iter->ht->lock); - if (iter->walker->tbl) - list_del(&iter->walker->list); -- mutex_unlock(&iter->ht->mutex); -+ spin_unlock(&iter->ht->lock); - kfree(iter->walker); - } - EXPORT_SYMBOL_GPL(rhashtable_walk_exit); -@@ -547,14 +548,12 @@ int rhashtable_walk_start(struct rhashtable_iter *iter) - { - struct rhashtable *ht = iter->ht; - -- mutex_lock(&ht->mutex); -+ rcu_read_lock(); - -+ spin_lock(&ht->lock); - if (iter->walker->tbl) - list_del(&iter->walker->list); -- -- rcu_read_lock(); -- -- mutex_unlock(&ht->mutex); -+ spin_unlock(&ht->lock); - - if (!iter->walker->tbl) { - iter->walker->tbl = rht_dereference_rcu(ht->tbl, ht); -@@ -723,9 +722,6 @@ int rhashtable_init(struct rhashtable *ht, - if (params->nulls_base && params->nulls_base < (1U << RHT_BASE_SHIFT)) - return -EINVAL; - -- if (params->nelem_hint) -- size = rounded_hashtable_size(params); -- - memset(ht, 0, sizeof(*ht)); - mutex_init(&ht->mutex); - spin_lock_init(&ht->lock); -@@ -745,6 +741,9 @@ int rhashtable_init(struct rhashtable *ht, - - ht->p.min_size = max(ht->p.min_size, HASH_MIN_SIZE); - -+ if (params->nelem_hint) -+ size = rounded_hashtable_size(&ht->p); -+ - /* The maximum (not average) chain length grows with the - * size of the hash table, at a rate of (log N)/(log log N). - * The value of 16 is selected so that even if the hash -diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c -index ae3a47f..fbd0acf 100644 ---- a/net/ax25/af_ax25.c -+++ b/net/ax25/af_ax25.c -@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol, - struct sock *sk; - ax25_cb *ax25; - -+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) -+ return -EINVAL; -+ - if (!net_eq(net, &init_net)) - return -EAFNOSUPPORT; - -diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c -index f315c8d..15cb6c5 100644 ---- a/net/bluetooth/sco.c -+++ b/net/bluetooth/sco.c -@@ -519,6 +519,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_le - if (!addr || addr->sa_family != AF_BLUETOOTH) - return -EINVAL; - -+ if (addr_len < sizeof(struct sockaddr_sco)) -+ return -EINVAL; -+ - lock_sock(sk); - - if (sk->sk_state != BT_OPEN) { -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index fab4599..1c1f87c 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -3643,7 +3643,8 @@ static void __skb_complete_tx_timestamp(struct sk_buff *skb, - serr->ee.ee_info = tstype; - if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) { - serr->ee.ee_data = skb_shinfo(skb)->tskey; -- if (sk->sk_protocol == IPPROTO_TCP) -+ if (sk->sk_protocol == IPPROTO_TCP && -+ sk->sk_type == SOCK_STREAM) - serr->ee.ee_data -= sk->sk_tskey; - } - -@@ -4268,7 +4269,8 @@ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) - return NULL; - } - -- memmove(skb->data - ETH_HLEN, skb->data - VLAN_ETH_HLEN, 2 * ETH_ALEN); -+ memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN, -+ 2 * ETH_ALEN); - skb->mac_header += VLAN_HLEN; - return skb; - } -diff --git a/net/core/sock.c b/net/core/sock.c -index 3307c02..dbbda99 100644 ---- a/net/core/sock.c -+++ b/net/core/sock.c -@@ -422,8 +422,6 @@ static void sock_warn_obsolete_bsdism(const char *name) - } - } - --#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE)) -- - static void sock_disable_timestamp(struct sock *sk, unsigned long flags) - { - if (sk->sk_flags & flags) { -@@ -862,7 +860,8 @@ set_rcvbuf: - - if (val & SOF_TIMESTAMPING_OPT_ID && - !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) { -- if (sk->sk_protocol == IPPROTO_TCP) { -+ if (sk->sk_protocol == IPPROTO_TCP && -+ sk->sk_type == SOCK_STREAM) { - if (sk->sk_state != TCP_ESTABLISHED) { - ret = -EINVAL; - break; -diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c -index 675cf94..6feddca 100644 ---- a/net/decnet/af_decnet.c -+++ b/net/decnet/af_decnet.c -@@ -678,6 +678,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol, - { - struct sock *sk; - -+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) -+ return -EINVAL; -+ - if (!net_eq(net, &init_net)) - return -EAFNOSUPPORT; - -diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c -index 1d0c3ad..4b16cf3 100644 ---- a/net/ipv4/af_inet.c -+++ b/net/ipv4/af_inet.c -@@ -261,6 +261,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol, - int try_loading_module = 0; - int err; - -+ if (protocol < 0 || protocol >= IPPROTO_MAX) -+ return -EINVAL; -+ - sock->state = SS_UNCONNECTED; - - /* Look for the requested type/protocol pair. */ -diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c -index e0fcbbb..bd903fe 100644 ---- a/net/ipv4/fou.c -+++ b/net/ipv4/fou.c -@@ -24,6 +24,7 @@ struct fou { - u16 type; - struct udp_offload udp_offloads; - struct list_head list; -+ struct rcu_head rcu; - }; - - #define FOU_F_REMCSUM_NOPARTIAL BIT(0) -@@ -417,7 +418,7 @@ static void fou_release(struct fou *fou) - list_del(&fou->list); - udp_tunnel_sock_release(sock); - -- kfree(fou); -+ kfree_rcu(fou, rcu); - } - - static int fou_encap_init(struct sock *sk, struct fou *fou, struct fou_cfg *cfg) -diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index a7739c8..d77be28 100644 ---- a/net/ipv4/tcp_ipv4.c -+++ b/net/ipv4/tcp_ipv4.c -@@ -1509,7 +1509,7 @@ bool tcp_prequeue(struct sock *sk, struct sk_buff *skb) - if (likely(sk->sk_rx_dst)) - skb_dst_drop(skb); - else -- skb_dst_force(skb); -+ skb_dst_force_safe(skb); - - __skb_queue_tail(&tp->ucopy.prequeue, skb); - tp->ucopy.memory += skb->truesize; -@@ -1710,8 +1710,7 @@ void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) - { - struct dst_entry *dst = skb_dst(skb); - -- if (dst) { -- dst_hold(dst); -+ if (dst && dst_hold_safe(dst)) { - sk->sk_rx_dst = dst; - inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; - } -diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index 3dbee0d..c958596 100644 ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -3147,7 +3147,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn) - { - struct tcp_sock *tp = tcp_sk(sk); - struct tcp_fastopen_request *fo = tp->fastopen_req; -- int syn_loss = 0, space, err = 0, copied; -+ int syn_loss = 0, space, err = 0; - unsigned long last_syn_loss = 0; - struct sk_buff *syn_data; - -@@ -3185,17 +3185,18 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn) - goto fallback; - syn_data->ip_summed = CHECKSUM_PARTIAL; - memcpy(syn_data->cb, syn->cb, sizeof(syn->cb)); -- copied = copy_from_iter(skb_put(syn_data, space), space, -- &fo->data->msg_iter); -- if (unlikely(!copied)) { -- kfree_skb(syn_data); -- goto fallback; -- } -- if (copied != space) { -- skb_trim(syn_data, copied); -- space = copied; -+ if (space) { -+ int copied = copy_from_iter(skb_put(syn_data, space), space, -+ &fo->data->msg_iter); -+ if (unlikely(!copied)) { -+ kfree_skb(syn_data); -+ goto fallback; -+ } -+ if (copied != space) { -+ skb_trim(syn_data, copied); -+ space = copied; -+ } - } -- - /* No more data pending in inet_wait_for_connect() */ - if (space == fo->size) - fo->data = NULL; -diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index 3939dd2..ddd3511 100644 ---- a/net/ipv6/addrconf.c -+++ b/net/ipv6/addrconf.c -@@ -349,6 +349,12 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev) - setup_timer(&ndev->rs_timer, addrconf_rs_timer, - (unsigned long)ndev); - memcpy(&ndev->cnf, dev_net(dev)->ipv6.devconf_dflt, sizeof(ndev->cnf)); -+ -+ if (ndev->cnf.stable_secret.initialized) -+ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY; -+ else -+ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_EUI64; -+ - ndev->cnf.mtu6 = dev->mtu; - ndev->cnf.sysctl = NULL; - ndev->nd_parms = neigh_parms_alloc(dev, &nd_tbl); -@@ -2453,7 +2459,7 @@ ok: - #ifdef CONFIG_IPV6_OPTIMISTIC_DAD - if (in6_dev->cnf.optimistic_dad && - !net->ipv6.devconf_all->forwarding && sllao) -- addr_flags = IFA_F_OPTIMISTIC; -+ addr_flags |= IFA_F_OPTIMISTIC; - #endif - - /* Do not allow to create too much of autoconfigured -diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c -index 38d66dd..df095ee 100644 ---- a/net/ipv6/af_inet6.c -+++ b/net/ipv6/af_inet6.c -@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol, - int try_loading_module = 0; - int err; - -+ if (protocol < 0 || protocol >= IPPROTO_MAX) -+ return -EINVAL; -+ - /* Look for the requested type/protocol pair. */ - lookup_protocol: - err = -ESOCKTNOSUPPORT; -diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c -index 3c7b931..e5ea177 100644 ---- a/net/ipv6/ip6_gre.c -+++ b/net/ipv6/ip6_gre.c -@@ -1571,13 +1571,11 @@ static int ip6gre_changelink(struct net_device *dev, struct nlattr *tb[], - return -EEXIST; - } else { - t = nt; -- -- ip6gre_tunnel_unlink(ign, t); -- ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]); -- ip6gre_tunnel_link(ign, t); -- netdev_state_change(dev); - } - -+ ip6gre_tunnel_unlink(ign, t); -+ ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]); -+ ip6gre_tunnel_link(ign, t); - return 0; - } - -diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index 9e9b77b..8935dc1 100644 ---- a/net/ipv6/tcp_ipv6.c -+++ b/net/ipv6/tcp_ipv6.c -@@ -93,10 +93,9 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) - { - struct dst_entry *dst = skb_dst(skb); - -- if (dst) { -+ if (dst && dst_hold_safe(dst)) { - const struct rt6_info *rt = (const struct rt6_info *)dst; - -- dst_hold(dst); - sk->sk_rx_dst = dst; - inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; - inet6_sk(sk)->rx_dst_cookie = rt6_get_cookie(rt); -diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c -index fae6822..25f63a8 100644 ---- a/net/irda/af_irda.c -+++ b/net/irda/af_irda.c -@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol, - struct sock *sk; - struct irda_sock *self; - -+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) -+ return -EINVAL; -+ - if (net != &init_net) - return -EAFNOSUPPORT; - -diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c -index 5009582..cad8c4b 100644 ---- a/net/openvswitch/conntrack.c -+++ b/net/openvswitch/conntrack.c -@@ -53,6 +53,8 @@ struct ovs_conntrack_info { - struct md_labels labels; - }; - -+static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info); -+ - static u16 key_to_nfproto(const struct sw_flow_key *key) - { - switch (ntohs(key->eth.type)) { -@@ -141,6 +143,7 @@ static void __ovs_ct_update_key(struct sw_flow_key *key, u8 state, - * previously sent the packet to conntrack via the ct action. - */ - static void ovs_ct_update_key(const struct sk_buff *skb, -+ const struct ovs_conntrack_info *info, - struct sw_flow_key *key, bool post_ct) - { - const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt; -@@ -158,13 +161,15 @@ static void ovs_ct_update_key(const struct sk_buff *skb, - zone = nf_ct_zone(ct); - } else if (post_ct) { - state = OVS_CS_F_TRACKED | OVS_CS_F_INVALID; -+ if (info) -+ zone = &info->zone; - } - __ovs_ct_update_key(key, state, zone, ct); - } - - void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key) - { -- ovs_ct_update_key(skb, key, false); -+ ovs_ct_update_key(skb, NULL, key, false); - } - - int ovs_ct_put_key(const struct sw_flow_key *key, struct sk_buff *skb) -@@ -418,7 +423,7 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, - } - } - -- ovs_ct_update_key(skb, key, true); -+ ovs_ct_update_key(skb, info, key, true); - - return 0; - } -@@ -708,7 +713,7 @@ int ovs_ct_copy_action(struct net *net, const struct nlattr *attr, - nf_conntrack_get(&ct_info.ct->ct_general); - return 0; - err_free_ct: -- nf_conntrack_free(ct_info.ct); -+ __ovs_ct_free_action(&ct_info); - return err; - } - -@@ -750,6 +755,11 @@ void ovs_ct_free_action(const struct nlattr *a) - { - struct ovs_conntrack_info *ct_info = nla_data(a); - -+ __ovs_ct_free_action(ct_info); -+} -+ -+static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info) -+{ - if (ct_info->helper) - module_put(ct_info->helper->me); - if (ct_info->ct) -diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c -index 7ec667d..b5c2cf2 100644 ---- a/net/sched/sch_api.c -+++ b/net/sched/sch_api.c -@@ -950,7 +950,7 @@ qdisc_create(struct net_device *dev, struct netdev_queue *dev_queue, - } - lockdep_set_class(qdisc_lock(sch), &qdisc_tx_lock); - if (!netif_is_multiqueue(dev)) -- sch->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; -+ sch->flags |= TCQ_F_ONETXQUEUE; - } - - sch->handle = handle; -diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c -index e917d27..40677cf 100644 ---- a/net/sctp/ipv6.c -+++ b/net/sctp/ipv6.c -@@ -635,6 +635,7 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk, - struct sock *newsk; - struct ipv6_pinfo *newnp, *np = inet6_sk(sk); - struct sctp6_sock *newsctp6sk; -+ struct ipv6_txoptions *opt; - - newsk = sk_alloc(sock_net(sk), PF_INET6, GFP_KERNEL, sk->sk_prot, 0); - if (!newsk) -@@ -654,6 +655,13 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk, - - memcpy(newnp, np, sizeof(struct ipv6_pinfo)); - -+ rcu_read_lock(); -+ opt = rcu_dereference(np->opt); -+ if (opt) -+ opt = ipv6_dup_options(newsk, opt); -+ RCU_INIT_POINTER(newnp->opt, opt); -+ rcu_read_unlock(); -+ - /* Initialize sk's sport, dport, rcv_saddr and daddr for getsockname() - * and getpeername(). - */ -diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c -index 7954c52..8d67d72 100644 ---- a/net/sctp/sm_make_chunk.c -+++ b/net/sctp/sm_make_chunk.c -@@ -1652,7 +1652,7 @@ static sctp_cookie_param_t *sctp_pack_cookie(const struct sctp_endpoint *ep, - - /* Set an expiration time for the cookie. */ - cookie->c.expiration = ktime_add(asoc->cookie_life, -- ktime_get()); -+ ktime_get_real()); - - /* Copy the peer's init packet. */ - memcpy(&cookie->c.peer_init[0], init_chunk->chunk_hdr, -@@ -1780,7 +1780,7 @@ no_hmac: - if (sock_flag(ep->base.sk, SOCK_TIMESTAMP)) - kt = skb_get_ktime(skb); - else -- kt = ktime_get(); -+ kt = ktime_get_real(); - - if (!asoc && ktime_before(bear_cookie->expiration, kt)) { - /* -diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index 3ec88be..84b1b50 100644 ---- a/net/sctp/socket.c -+++ b/net/sctp/socket.c -@@ -7163,6 +7163,7 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, - newsk->sk_type = sk->sk_type; - newsk->sk_bound_dev_if = sk->sk_bound_dev_if; - newsk->sk_flags = sk->sk_flags; -+ newsk->sk_tsflags = sk->sk_tsflags; - newsk->sk_no_check_tx = sk->sk_no_check_tx; - newsk->sk_no_check_rx = sk->sk_no_check_rx; - newsk->sk_reuse = sk->sk_reuse; -@@ -7195,6 +7196,9 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, - newinet->mc_ttl = 1; - newinet->mc_index = 0; - newinet->mc_list = NULL; -+ -+ if (newsk->sk_flags & SK_FLAGS_TIMESTAMP) -+ net_enable_timestamp(); - } - - static inline void sctp_copy_descendant(struct sock *sk_to, -diff --git a/net/socket.c b/net/socket.c -index 9963a0b..f3fbe17 100644 ---- a/net/socket.c -+++ b/net/socket.c -@@ -1702,6 +1702,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, - msg.msg_name = addr ? (struct sockaddr *)&address : NULL; - /* We assume all kernel code knows the size of sockaddr_storage */ - msg.msg_namelen = 0; -+ msg.msg_iocb = NULL; - if (sock->file->f_flags & O_NONBLOCK) - flags |= MSG_DONTWAIT; - err = sock_recvmsg(sock, &msg, iov_iter_count(&msg.msg_iter), flags); -diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c -index 86f2e7c..73bdf1b 100644 ---- a/net/tipc/udp_media.c -+++ b/net/tipc/udp_media.c -@@ -162,7 +162,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb, - if (skb_headroom(skb) < UDP_MIN_HEADROOM) { - err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC); - if (err) -- goto tx_error; -+ return err; - } - - clone = skb_clone(skb, GFP_ATOMIC); -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 128b098..0fc6dba 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -2255,14 +2255,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state) - /* Lock the socket to prevent queue disordering - * while sleeps in memcpy_tomsg - */ -- err = mutex_lock_interruptible(&u->readlock); -- if (unlikely(err)) { -- /* recvmsg() in non blocking mode is supposed to return -EAGAIN -- * sk_rcvtimeo is not honored by mutex_lock_interruptible() -- */ -- err = noblock ? -EAGAIN : -ERESTARTSYS; -- goto out; -- } -+ mutex_lock(&u->readlock); - - if (flags & MSG_PEEK) - skip = sk_peek_offset(sk, flags); -@@ -2306,12 +2299,12 @@ again: - timeo = unix_stream_data_wait(sk, timeo, last, - last_len); - -- if (signal_pending(current) || -- mutex_lock_interruptible(&u->readlock)) { -+ if (signal_pending(current)) { - err = sock_intr_errno(timeo); - goto out; - } - -+ mutex_lock(&u->readlock); - continue; - unlock: - unix_state_unlock(sk); -diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c -index 0b9ec78..26f0e0a 100644 ---- a/security/keys/keyctl.c -+++ b/security/keys/keyctl.c -@@ -757,16 +757,16 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) - - /* the key is probably readable - now try to read it */ - can_read_key: -- ret = key_validate(key); -- if (ret == 0) { -- ret = -EOPNOTSUPP; -- if (key->type->read) { -- /* read the data with the semaphore held (since we -- * might sleep) */ -- down_read(&key->sem); -+ ret = -EOPNOTSUPP; -+ if (key->type->read) { -+ /* Read the data with the semaphore held (since we might sleep) -+ * to protect against the key being updated or revoked. -+ */ -+ down_read(&key->sem); -+ ret = key_validate(key); -+ if (ret == 0) - ret = key->type->read(key, buffer, buflen); -- up_read(&key->sem); -- } -+ up_read(&key->sem); - } - - error2: -diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c -index 43b4cdd..7877e5c 100644 ---- a/security/keys/process_keys.c -+++ b/security/keys/process_keys.c -@@ -794,6 +794,7 @@ long join_session_keyring(const char *name) - ret = PTR_ERR(keyring); - goto error2; - } else if (keyring == new->session_keyring) { -+ key_put(keyring); - ret = 0; - goto error2; - } diff --git a/4.3.4/0000_README b/4.3.5/0000_README index ce73e44..e49fbae 100644 --- a/4.3.4/0000_README +++ b/4.3.5/0000_README @@ -2,11 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 1003_linux-4.3.4.patch -From: http://www.kernel.org -Desc: Linux 4.3.4 - -Patch: 4420_grsecurity-3.1-4.3.4-201601292206.patch +Patch: 4420_grsecurity-3.1-4.3.5-201601311611.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.3.4/4420_grsecurity-3.1-4.3.4-201601292206.patch b/4.3.5/4420_grsecurity-3.1-4.3.5-201601311611.patch index 92cf754..63ba087 100644 --- a/4.3.4/4420_grsecurity-3.1-4.3.4-201601292206.patch +++ b/4.3.5/4420_grsecurity-3.1-4.3.5-201601311611.patch @@ -452,7 +452,7 @@ index 6fccb69..60c7c7a 100644 A toggle value indicating if modules are allowed to be loaded diff --git a/Makefile b/Makefile -index 69430ed..8fa626c 100644 +index efc7a76..aa435e3 100644 --- a/Makefile +++ b/Makefile @@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -4743,7 +4743,7 @@ index 7cd1514..0307305 100644 } diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c -index b8efb8c..0b8f924 100644 +index 4d25fd0..0b8f924 100644 --- a/arch/arm/net/bpf_jit_32.c +++ b/arch/arm/net/bpf_jit_32.c @@ -20,6 +20,7 @@ @@ -4819,24 +4819,7 @@ index b8efb8c..0b8f924 100644 return (u64)err << 32 | ntohl(ret); } -@@ -182,31 +167,19 @@ static inline int mem_words_used(struct jit_ctx *ctx) - return fls(ctx->seen & SEEN_MEM); - } - --static inline bool is_load_to_a(u16 inst) --{ -- switch (inst) { -- case BPF_LD | BPF_W | BPF_LEN: -- case BPF_LD | BPF_W | BPF_ABS: -- case BPF_LD | BPF_H | BPF_ABS: -- case BPF_LD | BPF_B | BPF_ABS: -- return true; -- default: -- return false; -- } --} -- - static void jit_fill_hole(void *area, unsigned int size) +@@ -186,8 +171,10 @@ static void jit_fill_hole(void *area, unsigned int size) { u32 *ptr; /* We are guaranteed to have aligned memory. */ @@ -4847,22 +4830,7 @@ index b8efb8c..0b8f924 100644 } static void build_prologue(struct jit_ctx *ctx) - { - u16 reg_set = saved_regs(ctx); -- u16 first_inst = ctx->skf->insns[0].code; - u16 off; - - #ifdef CONFIG_FRAME_POINTER -@@ -236,7 +209,7 @@ static void build_prologue(struct jit_ctx *ctx) - emit(ARM_MOV_I(r_X, 0), ctx); - - /* do not leak kernel data to userspace */ -- if ((first_inst != (BPF_RET | BPF_K)) && !(is_load_to_a(first_inst))) -+ if (bpf_needs_clear_a(&ctx->skf->insns[0])) - emit(ARM_MOV_I(r_A, 0), ctx); - - /* stack space for the BPF_MEM words */ -@@ -556,6 +529,9 @@ static int build_body(struct jit_ctx *ctx) +@@ -542,6 +529,9 @@ static int build_body(struct jit_ctx *ctx) case BPF_LD | BPF_B | BPF_ABS: load_order = 0; load: @@ -4872,7 +4840,7 @@ index b8efb8c..0b8f924 100644 emit_mov_i(r_off, k, ctx); load_common: ctx->seen |= SEEN_DATA | SEEN_CALL; -@@ -570,18 +546,6 @@ load_common: +@@ -556,18 +546,6 @@ load_common: condt = ARM_COND_HI; } @@ -4891,7 +4859,7 @@ index b8efb8c..0b8f924 100644 _emit(condt, ARM_ADD_R(r_scratch, r_off, r_skb_data), ctx); -@@ -744,7 +708,8 @@ load_ind: +@@ -730,7 +708,8 @@ load_ind: case BPF_ALU | BPF_RSH | BPF_K: if (unlikely(k > 31)) return -1; @@ -7129,47 +7097,6 @@ index 5c81fdd..db158d3 100644 int __virt_addr_valid(const volatile void *kaddr) { return pfn_valid(PFN_DOWN(virt_to_phys(kaddr))); -diff --git a/arch/mips/net/bpf_jit.c b/arch/mips/net/bpf_jit.c -index 0c4a133..26e947d 100644 ---- a/arch/mips/net/bpf_jit.c -+++ b/arch/mips/net/bpf_jit.c -@@ -521,19 +521,6 @@ static inline u16 align_sp(unsigned int num) - return num; - } - --static bool is_load_to_a(u16 inst) --{ -- switch (inst) { -- case BPF_LD | BPF_W | BPF_LEN: -- case BPF_LD | BPF_W | BPF_ABS: -- case BPF_LD | BPF_H | BPF_ABS: -- case BPF_LD | BPF_B | BPF_ABS: -- return true; -- default: -- return false; -- } --} -- - static void save_bpf_jit_regs(struct jit_ctx *ctx, unsigned offset) - { - int i = 0, real_off = 0; -@@ -614,7 +601,6 @@ static unsigned int get_stack_depth(struct jit_ctx *ctx) - - static void build_prologue(struct jit_ctx *ctx) - { -- u16 first_inst = ctx->skf->insns[0].code; - int sp_off; - - /* Calculate the total offset for the stack pointer */ -@@ -641,7 +627,7 @@ static void build_prologue(struct jit_ctx *ctx) - emit_jit_reg_move(r_X, r_zero, ctx); - - /* Do not leak kernel data to userspace */ -- if ((first_inst != (BPF_RET | BPF_K)) && !(is_load_to_a(first_inst))) -+ if (bpf_needs_clear_a(&ctx->skf->insns[0])) - emit_jit_reg_move(r_A, r_zero, ctx); - } - diff --git a/arch/mips/sgi-ip27/ip27-nmi.c b/arch/mips/sgi-ip27/ip27-nmi.c index a2358b4..7cead4f 100644 --- a/arch/mips/sgi-ip27/ip27-nmi.c @@ -8591,10 +8518,10 @@ index 62cfb0c..50c6402 100644 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */ #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */ diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h -index a908ada..f3c8966 100644 +index 2220f7a..5a9420e 100644 --- a/arch/powerpc/include/asm/reg.h +++ b/arch/powerpc/include/asm/reg.h -@@ -252,6 +252,7 @@ +@@ -253,6 +253,7 @@ #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */ #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */ #define DSISR_NOHPTE 0x40000000 /* no translation found */ @@ -9014,10 +8941,10 @@ index c94d2e0..992a9ce 100644 sechdrs, module); #endif diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c -index 75b6676..41c72b5 100644 +index 646bf4d..36d4d76 100644 --- a/arch/powerpc/kernel/process.c +++ b/arch/powerpc/kernel/process.c -@@ -1033,8 +1033,8 @@ void show_regs(struct pt_regs * regs) +@@ -1051,8 +1051,8 @@ void show_regs(struct pt_regs * regs) * Lookup NIP late so we have the best change of getting the * above info out without failing */ @@ -9028,7 +8955,7 @@ index 75b6676..41c72b5 100644 #endif show_stack(current, (unsigned long *) regs->gpr[1]); if (!user_mode(regs)) -@@ -1550,10 +1550,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) +@@ -1568,10 +1568,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) newsp = stack[0]; ip = stack[STACK_FRAME_LR_SAVE]; if (!firstframe || ip != lr) { @@ -9041,7 +8968,7 @@ index 75b6676..41c72b5 100644 (void *)current->ret_stack[curr_frame].ret); curr_frame--; } -@@ -1573,7 +1573,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) +@@ -1591,7 +1591,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) struct pt_regs *regs = (struct pt_regs *) (sp + STACK_FRAME_OVERHEAD); lr = regs->link; @@ -9050,7 +8977,7 @@ index 75b6676..41c72b5 100644 regs->trap, (void *)regs->nip, (void *)lr); firstframe = 1; } -@@ -1609,49 +1609,3 @@ void notrace __ppc64_runlatch_off(void) +@@ -1627,49 +1627,3 @@ void notrace __ppc64_runlatch_off(void) mtspr(SPRN_CTRLT, ctrl); } #endif /* CONFIG_PPC64 */ @@ -9140,10 +9067,10 @@ index 737c0d0..59c7417 100644 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c -index 0dbee46..97b77b9 100644 +index ef7c24e..755a485 100644 --- a/arch/powerpc/kernel/signal_32.c +++ b/arch/powerpc/kernel/signal_32.c -@@ -1014,7 +1014,7 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset, +@@ -1018,7 +1018,7 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset, /* Save user registers on the stack */ frame = &rt_sf->uc.uc_mcontext; addr = frame; @@ -9153,10 +9080,10 @@ index 0dbee46..97b77b9 100644 tramp = current->mm->context.vdso_base + vdso32_rt_sigtramp; } else { diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c -index 20756df..300e2a4 100644 +index c676ece..188c057 100644 --- a/arch/powerpc/kernel/signal_64.c +++ b/arch/powerpc/kernel/signal_64.c -@@ -765,7 +765,7 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs +@@ -769,7 +769,7 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs current->thread.fp_state.fpscr = 0; /* Set up to return from userspace. */ @@ -9463,31 +9390,6 @@ index 0f432a7..abfe841 100644 /* If hint, make sure it matches our alignment restrictions */ if (!fixed && addr) { addr = _ALIGN_UP(addr, 1ul << pshift); -diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c -index 17cea18..264c473 100644 ---- a/arch/powerpc/net/bpf_jit_comp.c -+++ b/arch/powerpc/net/bpf_jit_comp.c -@@ -78,18 +78,9 @@ static void bpf_jit_build_prologue(struct bpf_prog *fp, u32 *image, - PPC_LI(r_X, 0); - } - -- switch (filter[0].code) { -- case BPF_RET | BPF_K: -- case BPF_LD | BPF_W | BPF_LEN: -- case BPF_LD | BPF_W | BPF_ABS: -- case BPF_LD | BPF_H | BPF_ABS: -- case BPF_LD | BPF_B | BPF_ABS: -- /* first instruction sets A register (or is RET 'constant') */ -- break; -- default: -- /* make sure we dont leak kernel information to user */ -+ /* make sure we dont leak kernel information to user */ -+ if (bpf_needs_clear_a(&filter[0])) - PPC_LI(r_A, 0); -- } - } - - static void bpf_jit_build_epilogue(u32 *image, struct codegen_context *ctx) diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c index 5038fd5..87a2033 100644 --- a/arch/powerpc/platforms/cell/spufs/file.c @@ -12341,35 +12243,6 @@ index 4ac88b7..bac6cb2 100644 #endif /* CONFIG_SMP */ #endif /* CONFIG_DEBUG_DCFLUSH */ } -diff --git a/arch/sparc/net/bpf_jit_comp.c b/arch/sparc/net/bpf_jit_comp.c -index f8b9f71..17e71d2 100644 ---- a/arch/sparc/net/bpf_jit_comp.c -+++ b/arch/sparc/net/bpf_jit_comp.c -@@ -420,22 +420,9 @@ void bpf_jit_compile(struct bpf_prog *fp) - } - emit_reg_move(O7, r_saved_O7); - -- switch (filter[0].code) { -- case BPF_RET | BPF_K: -- case BPF_LD | BPF_W | BPF_LEN: -- case BPF_LD | BPF_W | BPF_ABS: -- case BPF_LD | BPF_H | BPF_ABS: -- case BPF_LD | BPF_B | BPF_ABS: -- /* The first instruction sets the A register (or is -- * a "RET 'constant'") -- */ -- break; -- default: -- /* Make sure we dont leak kernel information to the -- * user. -- */ -+ /* Make sure we dont leak kernel information to the user. */ -+ if (bpf_needs_clear_a(&filter[0])) - emit_clear(r_A); /* A = 0 */ -- } - - for (i = 0; i < flen; i++) { - unsigned int K = filter[i].k; diff --git a/arch/tile/Kconfig b/arch/tile/Kconfig index 106c21b..185bf0f 100644 --- a/arch/tile/Kconfig @@ -18490,7 +18363,7 @@ index cfe3b95..d01b118 100644 int bitpos = -1; /* diff --git a/arch/x86/include/asm/boot.h b/arch/x86/include/asm/boot.h -index 4fa687a..4ca636f 100644 +index 6b8d6e8..3cbf4f8 100644 --- a/arch/x86/include/asm/boot.h +++ b/arch/x86/include/asm/boot.h @@ -6,7 +6,7 @@ @@ -19789,7 +19662,7 @@ index 55234d5..7e3c4bf 100644 atomic_t perf_rdpmc_allowed; /* nonzero if rdpmc is allowed */ } mm_context_t; diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h -index 379cd36..8ef26be 100644 +index bfd9b2a..a931fef 100644 --- a/arch/x86/include/asm/mmu_context.h +++ b/arch/x86/include/asm/mmu_context.h @@ -46,7 +46,7 @@ struct ldt_struct { @@ -19825,7 +19698,7 @@ index 379cd36..8ef26be 100644 return 0; } static inline void destroy_context(struct mm_struct *mm) {} -@@ -98,26 +115,95 @@ static inline void load_mm_ldt(struct mm_struct *mm) +@@ -98,19 +115,84 @@ static inline void load_mm_ldt(struct mm_struct *mm) static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk) { @@ -19910,18 +19783,19 @@ index 379cd36..8ef26be 100644 this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK); this_cpu_write(cpu_tlbstate.active_mm, next); #endif - cpumask_set_cpu(cpu, mm_cpumask(next)); - - /* Re-load page tables */ +@@ -144,7 +226,11 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, + * ordering guarantee we need. + * + */ +#ifdef CONFIG_PAX_PER_CPU_PGD + pax_switch_mm(next, cpu); +#else load_cr3(next->pgd); +#endif + trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL); - /* Stop flush ipis for the previous mm */ -@@ -142,9 +228,31 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, +@@ -170,9 +256,31 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, if (unlikely(prev->context.ldt != next->context.ldt)) load_mm_ldt(next); #endif @@ -19954,9 +19828,9 @@ index 379cd36..8ef26be 100644 this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK); BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next); -@@ -161,13 +269,30 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, - * tlb flush IPI delivery. We must reload CR3 - * to make sure to use no freed page tables. +@@ -193,13 +301,30 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, + * As above, load_cr3() is serializing and orders TLB + * fills with respect to the mm_cpumask write. */ + +#ifndef CONFIG_PAX_PER_CPU_PGD @@ -20162,10 +20036,10 @@ index b3bebf9..cb419e7 100644 #define __phys_reloc_hide(x) (x) diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h -index 10d0596..16a2a7c 100644 +index c759b3c..043875b 100644 --- a/arch/x86/include/asm/paravirt.h +++ b/arch/x86/include/asm/paravirt.h -@@ -530,7 +530,7 @@ static inline pmd_t __pmd(pmdval_t val) +@@ -536,7 +536,7 @@ static inline pmd_t __pmd(pmdval_t val) return (pmd_t) { ret }; } @@ -20174,7 +20048,7 @@ index 10d0596..16a2a7c 100644 { pmdval_t ret; -@@ -596,6 +596,18 @@ static inline void set_pgd(pgd_t *pgdp, pgd_t pgd) +@@ -602,6 +602,18 @@ static inline void set_pgd(pgd_t *pgdp, pgd_t pgd) val); } @@ -20193,7 +20067,7 @@ index 10d0596..16a2a7c 100644 static inline void pgd_clear(pgd_t *pgdp) { set_pgd(pgdp, __pgd(0)); -@@ -680,6 +692,21 @@ static inline void __set_fixmap(unsigned /* enum fixed_addresses */ idx, +@@ -686,6 +698,21 @@ static inline void __set_fixmap(unsigned /* enum fixed_addresses */ idx, pv_mmu_ops.set_fixmap(idx, phys, flags); } @@ -20215,7 +20089,7 @@ index 10d0596..16a2a7c 100644 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS) #ifdef CONFIG_QUEUED_SPINLOCKS -@@ -903,7 +930,7 @@ extern void default_banner(void); +@@ -909,7 +936,7 @@ extern void default_banner(void); #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4) #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4) @@ -20224,7 +20098,7 @@ index 10d0596..16a2a7c 100644 #endif #define INTERRUPT_RETURN \ -@@ -973,6 +1000,21 @@ extern void default_banner(void); +@@ -979,6 +1006,21 @@ extern void default_banner(void); PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_usergs_sysret64), \ CLBR_NONE, \ jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_usergs_sysret64)) @@ -20247,10 +20121,10 @@ index 10d0596..16a2a7c 100644 #endif /* __ASSEMBLY__ */ diff --git a/arch/x86/include/asm/paravirt_types.h b/arch/x86/include/asm/paravirt_types.h -index 31247b5..6b5b8ef 100644 +index 3d44191..1992d40 100644 --- a/arch/x86/include/asm/paravirt_types.h +++ b/arch/x86/include/asm/paravirt_types.h -@@ -84,7 +84,7 @@ struct pv_init_ops { +@@ -89,7 +89,7 @@ struct pv_init_ops { */ unsigned (*patch)(u8 type, u16 clobber, void *insnbuf, unsigned long addr, unsigned len); @@ -20259,7 +20133,7 @@ index 31247b5..6b5b8ef 100644 struct pv_lazy_ops { -@@ -92,12 +92,12 @@ struct pv_lazy_ops { +@@ -97,12 +97,12 @@ struct pv_lazy_ops { void (*enter)(void); void (*leave)(void); void (*flush)(void); @@ -20274,7 +20148,7 @@ index 31247b5..6b5b8ef 100644 struct pv_cpu_ops { /* hooks for various privileged instructions */ -@@ -190,7 +190,7 @@ struct pv_cpu_ops { +@@ -195,7 +195,7 @@ struct pv_cpu_ops { void (*start_context_switch)(struct task_struct *prev); void (*end_context_switch)(struct task_struct *next); @@ -20283,7 +20157,7 @@ index 31247b5..6b5b8ef 100644 struct pv_irq_ops { /* -@@ -213,7 +213,7 @@ struct pv_irq_ops { +@@ -218,7 +218,7 @@ struct pv_irq_ops { #ifdef CONFIG_X86_64 void (*adjust_exception_frame)(void); #endif @@ -20292,7 +20166,7 @@ index 31247b5..6b5b8ef 100644 struct pv_apic_ops { #ifdef CONFIG_X86_LOCAL_APIC -@@ -221,7 +221,7 @@ struct pv_apic_ops { +@@ -226,7 +226,7 @@ struct pv_apic_ops { unsigned long start_eip, unsigned long start_esp); #endif @@ -20301,7 +20175,7 @@ index 31247b5..6b5b8ef 100644 struct pv_mmu_ops { unsigned long (*read_cr2)(void); -@@ -311,6 +311,7 @@ struct pv_mmu_ops { +@@ -316,6 +316,7 @@ struct pv_mmu_ops { struct paravirt_callee_save make_pud; void (*set_pgd)(pgd_t *pudp, pgd_t pgdval); @@ -20309,7 +20183,7 @@ index 31247b5..6b5b8ef 100644 #endif /* CONFIG_PGTABLE_LEVELS == 4 */ #endif /* CONFIG_PGTABLE_LEVELS >= 3 */ -@@ -322,7 +323,13 @@ struct pv_mmu_ops { +@@ -327,7 +328,13 @@ struct pv_mmu_ops { an mfn. We can tell which is which from the index. */ void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx, phys_addr_t phys, pgprot_t flags); @@ -20324,7 +20198,7 @@ index 31247b5..6b5b8ef 100644 struct arch_spinlock; #ifdef CONFIG_SMP -@@ -344,11 +351,14 @@ struct pv_lock_ops { +@@ -349,11 +356,14 @@ struct pv_lock_ops { struct paravirt_callee_save lock_spinning; void (*unlock_kick)(struct arch_spinlock *lock, __ticket_t ticket); #endif /* !CONFIG_QUEUED_SPINLOCKS */ @@ -20341,7 +20215,7 @@ index 31247b5..6b5b8ef 100644 struct paravirt_patch_template { struct pv_init_ops pv_init_ops; struct pv_time_ops pv_time_ops; -@@ -357,7 +367,7 @@ struct paravirt_patch_template { +@@ -362,7 +372,7 @@ struct paravirt_patch_template { struct pv_apic_ops pv_apic_ops; struct pv_mmu_ops pv_mmu_ops; struct pv_lock_ops pv_lock_ops; @@ -20954,7 +20828,7 @@ index b12f810..aedcc13 100644 /* diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h -index 19577dd..f4acc54 100644 +index b7692da..c888b3b 100644 --- a/arch/x86/include/asm/processor.h +++ b/arch/x86/include/asm/processor.h @@ -136,7 +136,7 @@ struct cpuinfo_x86 { @@ -21047,7 +20921,7 @@ index 19577dd..f4acc54 100644 #else /* sp0 on x86_32 is special in and around vm86 mode. */ return this_cpu_read_stable(cpu_current_top_of_stack); -@@ -695,19 +702,29 @@ static inline void spin_lock_prefetch(const void *x) +@@ -696,19 +703,29 @@ static inline void spin_lock_prefetch(const void *x) #define TOP_OF_INIT_STACK ((unsigned long)&init_stack + sizeof(init_stack) - \ TOP_OF_KERNEL_STACK_PADDING) @@ -21078,7 +20952,7 @@ index 19577dd..f4acc54 100644 } extern unsigned long thread_saved_pc(struct task_struct *tsk); -@@ -722,12 +739,7 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); +@@ -723,12 +740,7 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); * "struct pt_regs" is possible, but they may contain the * completely wrong values. */ @@ -21092,7 +20966,7 @@ index 19577dd..f4acc54 100644 #define KSTK_ESP(task) (task_pt_regs(task)->sp) -@@ -741,13 +753,13 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); +@@ -742,13 +754,13 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); * particular problem by preventing anything from being mapped * at the maximum canonical address. */ @@ -21108,7 +20982,7 @@ index 19577dd..f4acc54 100644 #define TASK_SIZE (test_thread_flag(TIF_ADDR32) ? \ IA32_PAGE_OFFSET : TASK_SIZE_MAX) -@@ -758,7 +770,8 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); +@@ -759,7 +771,8 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); #define STACK_TOP_MAX TASK_SIZE_MAX #define INIT_THREAD { \ @@ -21118,7 +20992,7 @@ index 19577dd..f4acc54 100644 } /* -@@ -781,6 +794,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip, +@@ -782,6 +795,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip, */ #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3)) @@ -21129,7 +21003,7 @@ index 19577dd..f4acc54 100644 #define KSTK_EIP(task) (task_pt_regs(task)->ip) /* Get/set a process' ability to use the timestamp counter instruction */ -@@ -826,7 +843,7 @@ static inline uint32_t hypervisor_cpuid_base(const char *sig, uint32_t leaves) +@@ -827,7 +844,7 @@ static inline uint32_t hypervisor_cpuid_base(const char *sig, uint32_t leaves) return 0; } @@ -21138,7 +21012,7 @@ index 19577dd..f4acc54 100644 extern void free_init_pages(char *what, unsigned long begin, unsigned long end); void default_idle(void); -@@ -836,6 +853,6 @@ bool xen_set_default_idle(void); +@@ -837,6 +854,6 @@ bool xen_set_default_idle(void); #define xen_set_default_idle 0 #endif @@ -24055,7 +23929,7 @@ index be4febc..f7af533 100644 return &cache_private_group; diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c -index 9d014b82..8186c29 100644 +index 6b2c822..84c8d34 100644 --- a/arch/x86/kernel/cpu/mcheck/mce.c +++ b/arch/x86/kernel/cpu/mcheck/mce.c @@ -47,6 +47,7 @@ @@ -24134,7 +24008,7 @@ index 9d014b82..8186c29 100644 wait_for_panic(); if (!mca_cfg.monarch_timeout) goto out; -@@ -1654,7 +1654,7 @@ static void unexpected_machine_check(struct pt_regs *regs, long error_code) +@@ -1665,7 +1665,7 @@ static void unexpected_machine_check(struct pt_regs *regs, long error_code) } /* Call the installed machine check handler for this CPU setup. */ @@ -24143,7 +24017,7 @@ index 9d014b82..8186c29 100644 unexpected_machine_check; /* -@@ -1683,7 +1683,9 @@ void mcheck_cpu_init(struct cpuinfo_x86 *c) +@@ -1694,7 +1694,9 @@ void mcheck_cpu_init(struct cpuinfo_x86 *c) return; } @@ -24153,7 +24027,7 @@ index 9d014b82..8186c29 100644 __mcheck_cpu_init_generic(); __mcheck_cpu_init_vendor(c); -@@ -1714,7 +1716,7 @@ void mcheck_cpu_clear(struct cpuinfo_x86 *c) +@@ -1725,7 +1727,7 @@ void mcheck_cpu_clear(struct cpuinfo_x86 *c) */ static DEFINE_SPINLOCK(mce_chrdev_state_lock); @@ -24162,7 +24036,7 @@ index 9d014b82..8186c29 100644 static int mce_chrdev_open_exclu; /* already open exclusive? */ static int mce_chrdev_open(struct inode *inode, struct file *file) -@@ -1722,7 +1724,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file) +@@ -1733,7 +1735,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file) spin_lock(&mce_chrdev_state_lock); if (mce_chrdev_open_exclu || @@ -24171,7 +24045,7 @@ index 9d014b82..8186c29 100644 spin_unlock(&mce_chrdev_state_lock); return -EBUSY; -@@ -1730,7 +1732,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file) +@@ -1741,7 +1743,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file) if (file->f_flags & O_EXCL) mce_chrdev_open_exclu = 1; @@ -24180,7 +24054,7 @@ index 9d014b82..8186c29 100644 spin_unlock(&mce_chrdev_state_lock); -@@ -1741,7 +1743,7 @@ static int mce_chrdev_release(struct inode *inode, struct file *file) +@@ -1752,7 +1754,7 @@ static int mce_chrdev_release(struct inode *inode, struct file *file) { spin_lock(&mce_chrdev_state_lock); @@ -24189,7 +24063,7 @@ index 9d014b82..8186c29 100644 mce_chrdev_open_exclu = 0; spin_unlock(&mce_chrdev_state_lock); -@@ -2421,7 +2423,7 @@ static __init void mce_init_banks(void) +@@ -2432,7 +2434,7 @@ static __init void mce_init_banks(void) for (i = 0; i < mca_cfg.banks; i++) { struct mce_bank *b = &mce_banks[i]; @@ -24198,7 +24072,7 @@ index 9d014b82..8186c29 100644 sysfs_attr_init(&a->attr); a->attr.name = b->attrname; -@@ -2528,7 +2530,7 @@ struct dentry *mce_get_debugfs_dir(void) +@@ -2539,7 +2541,7 @@ struct dentry *mce_get_debugfs_dir(void) static void mce_reset(void) { cpu_missing = 0; @@ -28439,7 +28313,7 @@ index 2f355d2..e75ed0a 100644 return ret; diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c -index 02693dd..33a1546 100644 +index f660d63..564a120 100644 --- a/arch/x86/kernel/reboot.c +++ b/arch/x86/kernel/reboot.c @@ -70,6 +70,11 @@ static int __init set_bios_reboot(const struct dmi_system_id *d) @@ -28494,7 +28368,7 @@ index 02693dd..33a1546 100644 /* Acer */ { /* Handle reboot issue on Acer Aspire one */ -@@ -511,7 +538,7 @@ void __attribute__((weak)) mach_reboot_fixups(void) +@@ -519,7 +546,7 @@ void __attribute__((weak)) mach_reboot_fixups(void) * This means that this function can never return, it can misbehave * by not rebooting properly and hanging. */ @@ -28503,7 +28377,7 @@ index 02693dd..33a1546 100644 { int i; int attempt = 0; -@@ -631,13 +658,13 @@ void native_machine_shutdown(void) +@@ -639,13 +666,13 @@ void native_machine_shutdown(void) #endif } @@ -28519,7 +28393,7 @@ index 02693dd..33a1546 100644 { pr_notice("machine restart\n"); -@@ -646,7 +673,7 @@ static void native_machine_restart(char *__unused) +@@ -654,7 +681,7 @@ static void native_machine_restart(char *__unused) __machine_emergency_restart(0); } @@ -28528,7 +28402,7 @@ index 02693dd..33a1546 100644 { /* Stop other cpus and apics */ machine_shutdown(); -@@ -656,7 +683,7 @@ static void native_machine_halt(void) +@@ -664,7 +691,7 @@ static void native_machine_halt(void) stop_this_cpu(NULL); } @@ -28537,7 +28411,7 @@ index 02693dd..33a1546 100644 { if (pm_power_off) { if (!reboot_force) -@@ -665,9 +692,10 @@ static void native_machine_power_off(void) +@@ -673,9 +700,10 @@ static void native_machine_power_off(void) } /* A fallback in case there is no PM info available */ tboot_shutdown(TB_SHUTDOWN_HALT); @@ -28733,7 +28607,7 @@ index e4fcb87..9c06c55 100644 * Up to this point, the boot CPU has been using .init.data * area. Reload any changed state for the boot CPU. diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c -index da52e6b..8c18d64 100644 +index 7d2b2ed..6c92c5f 100644 --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c @@ -189,7 +189,7 @@ static unsigned long align_sigframe(unsigned long sp) @@ -28826,7 +28700,7 @@ index 12c8286..aa65d13 100644 .smp_prepare_cpus = native_smp_prepare_cpus, .smp_cpus_done = native_smp_cpus_done, diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c -index 892ee2e5..be6b3f6 100644 +index fbabe4f..c686333 100644 --- a/arch/x86/kernel/smpboot.c +++ b/arch/x86/kernel/smpboot.c @@ -213,14 +213,17 @@ static void notrace start_secondary(void *unused) @@ -28851,7 +28725,7 @@ index 892ee2e5..be6b3f6 100644 /* * Check TSC synchronization with the BP: */ -@@ -809,16 +812,15 @@ void common_cpu_up(unsigned int cpu, struct task_struct *idle) +@@ -810,16 +813,15 @@ void common_cpu_up(unsigned int cpu, struct task_struct *idle) alternatives_enable_smp(); per_cpu(current_task, cpu) = idle; @@ -28870,7 +28744,7 @@ index 892ee2e5..be6b3f6 100644 } /* -@@ -839,9 +841,11 @@ static int do_boot_cpu(int apicid, int cpu, struct task_struct *idle) +@@ -840,9 +842,11 @@ static int do_boot_cpu(int apicid, int cpu, struct task_struct *idle) unsigned long timeout; idle->thread.sp = (unsigned long) (((struct pt_regs *) @@ -28883,7 +28757,7 @@ index 892ee2e5..be6b3f6 100644 initial_code = (unsigned long)start_secondary; stack_start = idle->thread.sp; -@@ -989,6 +993,15 @@ int native_cpu_up(unsigned int cpu, struct task_struct *tidle) +@@ -990,6 +994,15 @@ int native_cpu_up(unsigned int cpu, struct task_struct *tidle) common_cpu_up(cpu, tidle); @@ -30121,48 +29995,10 @@ index 736e6ab..b2e3094 100644 goto error; walker->ptep_user[walker->level - 1] = ptep_user; diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c -index d7f8938..bc95a50 100644 +index 22d1813..bc95a50 100644 --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c -@@ -1108,6 +1108,7 @@ static void init_vmcb(struct vcpu_svm *svm) - set_exception_intercept(svm, UD_VECTOR); - set_exception_intercept(svm, MC_VECTOR); - set_exception_intercept(svm, AC_VECTOR); -+ set_exception_intercept(svm, DB_VECTOR); - - set_intercept(svm, INTERCEPT_INTR); - set_intercept(svm, INTERCEPT_NMI); -@@ -1642,20 +1643,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu, - mark_dirty(svm->vmcb, VMCB_SEG); - } - --static void update_db_bp_intercept(struct kvm_vcpu *vcpu) -+static void update_bp_intercept(struct kvm_vcpu *vcpu) - { - struct vcpu_svm *svm = to_svm(vcpu); - -- clr_exception_intercept(svm, DB_VECTOR); - clr_exception_intercept(svm, BP_VECTOR); - -- if (svm->nmi_singlestep) -- set_exception_intercept(svm, DB_VECTOR); -- - if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) { -- if (vcpu->guest_debug & -- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) -- set_exception_intercept(svm, DB_VECTOR); - if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP) - set_exception_intercept(svm, BP_VECTOR); - } else -@@ -1761,7 +1755,6 @@ static int db_interception(struct vcpu_svm *svm) - if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP)) - svm->vmcb->save.rflags &= - ~(X86_EFLAGS_TF | X86_EFLAGS_RF); -- update_db_bp_intercept(&svm->vcpu); - } - - if (svm->vcpu.guest_debug & -@@ -3595,7 +3588,11 @@ static void reload_tss(struct kvm_vcpu *vcpu) +@@ -3588,7 +3588,11 @@ static void reload_tss(struct kvm_vcpu *vcpu) int cpu = raw_smp_processor_id(); struct svm_cpu_data *sd = per_cpu(svm_data, cpu); @@ -30174,15 +30010,7 @@ index d7f8938..bc95a50 100644 load_TR_desc(); } -@@ -3761,7 +3758,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu) - */ - svm->nmi_singlestep = true; - svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF); -- update_db_bp_intercept(vcpu); - } - - static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr) -@@ -3991,6 +3987,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) +@@ -3983,6 +3987,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) #endif #endif @@ -30193,7 +30021,7 @@ index d7f8938..bc95a50 100644 reload_tss(vcpu); local_irq_disable(); -@@ -4364,7 +4364,7 @@ static void svm_sched_in(struct kvm_vcpu *vcpu, int cpu) +@@ -4356,7 +4364,7 @@ static void svm_sched_in(struct kvm_vcpu *vcpu, int cpu) { } @@ -30202,17 +30030,8 @@ index d7f8938..bc95a50 100644 .cpu_has_kvm_support = has_svm, .disabled_by_bios = is_disabled, .hardware_setup = svm_hardware_setup, -@@ -4383,7 +4383,7 @@ static struct kvm_x86_ops svm_x86_ops = { - .vcpu_load = svm_vcpu_load, - .vcpu_put = svm_vcpu_put, - -- .update_db_bp_intercept = update_db_bp_intercept, -+ .update_db_bp_intercept = update_bp_intercept, - .get_msr = svm_get_msr, - .set_msr = svm_set_msr, - .get_segment_base = svm_get_segment_base, diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index 343d369..95ade96 100644 +index 2e0bd48..c18c0bf 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -1440,12 +1440,12 @@ static void vmcs_write64(unsigned long field, u64 value) @@ -30262,7 +30081,7 @@ index 343d369..95ade96 100644 { u64 host_tsc, tsc_offset; -@@ -4450,7 +4458,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) +@@ -4451,7 +4459,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) unsigned long cr4; vmcs_writel(HOST_CR0, read_cr0() & ~X86_CR0_TS); /* 22.2.3 */ @@ -30273,7 +30092,7 @@ index 343d369..95ade96 100644 /* Save the most likely value for this task's CR4 in the VMCS. */ cr4 = cr4_read_shadow(); -@@ -4477,7 +4488,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) +@@ -4478,7 +4489,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */ vmx->host_idt_base = dt.address; @@ -30282,7 +30101,7 @@ index 343d369..95ade96 100644 rdmsr(MSR_IA32_SYSENTER_CS, low32, high32); vmcs_write32(HOST_IA32_SYSENTER_CS, low32); -@@ -6015,11 +6026,17 @@ static __init int hardware_setup(void) +@@ -6016,11 +6027,17 @@ static __init int hardware_setup(void) * page upon invalidation. No need to do anything if not * using the APIC_ACCESS_ADDR VMCS field. */ @@ -30302,7 +30121,7 @@ index 343d369..95ade96 100644 if (enable_ept && !cpu_has_vmx_ept_2m_page()) kvm_disable_largepages(); -@@ -6030,6 +6047,7 @@ static __init int hardware_setup(void) +@@ -6031,6 +6048,7 @@ static __init int hardware_setup(void) if (!cpu_has_vmx_apicv()) enable_apicv = 0; @@ -30310,7 +30129,7 @@ index 343d369..95ade96 100644 if (enable_apicv) kvm_x86_ops->update_cr8_intercept = NULL; else { -@@ -6038,6 +6056,7 @@ static __init int hardware_setup(void) +@@ -6039,6 +6057,7 @@ static __init int hardware_setup(void) kvm_x86_ops->deliver_posted_interrupt = NULL; kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy; } @@ -30318,7 +30137,7 @@ index 343d369..95ade96 100644 vmx_disable_intercept_for_msr(MSR_FS_BASE, false); vmx_disable_intercept_for_msr(MSR_GS_BASE, false); -@@ -6092,10 +6111,12 @@ static __init int hardware_setup(void) +@@ -6093,10 +6112,12 @@ static __init int hardware_setup(void) enable_pml = 0; if (!enable_pml) { @@ -30331,7 +30150,7 @@ index 343d369..95ade96 100644 } return alloc_kvm_area(); -@@ -8351,6 +8372,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -8352,6 +8373,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) "jmp 2f \n\t" "1: " __ex(ASM_VMX_VMRESUME) "\n\t" "2: " @@ -30344,7 +30163,7 @@ index 343d369..95ade96 100644 /* Save guest registers, load host registers, keep flags */ "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t" "pop %0 \n\t" -@@ -8403,6 +8430,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -8404,6 +8431,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) #endif [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)), [wordsize]"i"(sizeof(ulong)) @@ -30356,7 +30175,7 @@ index 343d369..95ade96 100644 : "cc", "memory" #ifdef CONFIG_X86_64 , "rax", "rbx", "rdi", "rsi" -@@ -8416,7 +8448,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -8417,7 +8449,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) if (debugctlmsr) update_debugctlmsr(debugctlmsr); @@ -30365,7 +30184,7 @@ index 343d369..95ade96 100644 /* * The sysexit path does not restore ds/es, so we must set them to * a reasonable value ourselves. -@@ -8425,8 +8457,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -8426,8 +8458,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) * may be executed in interrupt context, which saves and restore segments * around it, nullifying its effect. */ @@ -30386,7 +30205,7 @@ index 343d369..95ade96 100644 #endif vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP) -@@ -10280,7 +10322,7 @@ static void vmx_enable_log_dirty_pt_masked(struct kvm *kvm, +@@ -10281,7 +10323,7 @@ static void vmx_enable_log_dirty_pt_masked(struct kvm *kvm, kvm_mmu_clear_dirty_pt_masked(kvm, memslot, offset, mask); } @@ -30396,7 +30215,7 @@ index 343d369..95ade96 100644 .disabled_by_bios = vmx_disabled_by_bios, .hardware_setup = hardware_setup, diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 43609af..f8b7b2c 100644 +index 37bbbf8..4a8338d 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -1828,8 +1828,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) @@ -30455,7 +30274,7 @@ index 43609af..f8b7b2c 100644 guest_xsave->region, sizeof(struct fxregs_state)); } return 0; -@@ -6214,6 +6216,7 @@ void kvm_arch_mmu_notifier_invalidate_page(struct kvm *kvm, +@@ -6215,6 +6217,7 @@ void kvm_arch_mmu_notifier_invalidate_page(struct kvm *kvm, * exiting to the userspace. Otherwise, the value will be returned to the * userspace. */ @@ -30463,7 +30282,7 @@ index 43609af..f8b7b2c 100644 static int vcpu_enter_guest(struct kvm_vcpu *vcpu) { int r; -@@ -6437,6 +6440,7 @@ out: +@@ -6438,6 +6441,7 @@ out: return r; } @@ -30471,7 +30290,7 @@ index 43609af..f8b7b2c 100644 static inline int vcpu_block(struct kvm *kvm, struct kvm_vcpu *vcpu) { if (!kvm_arch_vcpu_runnable(vcpu)) { -@@ -6976,7 +6980,7 @@ int kvm_arch_vcpu_ioctl_translate(struct kvm_vcpu *vcpu, +@@ -6977,7 +6981,7 @@ int kvm_arch_vcpu_ioctl_translate(struct kvm_vcpu *vcpu, int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu) { struct fxregs_state *fxsave = @@ -30480,7 +30299,7 @@ index 43609af..f8b7b2c 100644 memcpy(fpu->fpr, fxsave->st_space, 128); fpu->fcw = fxsave->cwd; -@@ -6993,7 +6997,7 @@ int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu) +@@ -6994,7 +6998,7 @@ int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu) int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu) { struct fxregs_state *fxsave = @@ -30489,7 +30308,7 @@ index 43609af..f8b7b2c 100644 memcpy(fxsave->st_space, fpu->fpr, 128); fxsave->cwd = fpu->fcw; -@@ -7009,9 +7013,9 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu) +@@ -7010,9 +7014,9 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu) static void fx_init(struct kvm_vcpu *vcpu) { @@ -30501,7 +30320,7 @@ index 43609af..f8b7b2c 100644 host_xcr0 | XSTATE_COMPACTION_ENABLED; /* -@@ -7035,7 +7039,7 @@ void kvm_load_guest_fpu(struct kvm_vcpu *vcpu) +@@ -7036,7 +7040,7 @@ void kvm_load_guest_fpu(struct kvm_vcpu *vcpu) kvm_put_guest_xcr0(vcpu); vcpu->guest_fpu_loaded = 1; __kernel_fpu_begin(); @@ -30510,7 +30329,7 @@ index 43609af..f8b7b2c 100644 trace_kvm_fpu(1); } -@@ -7324,6 +7328,8 @@ bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu) +@@ -7325,6 +7329,8 @@ bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu) struct static_key kvm_no_apic_vcpu __read_mostly; @@ -30519,7 +30338,7 @@ index 43609af..f8b7b2c 100644 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu) { struct page *page; -@@ -7340,11 +7346,14 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu) +@@ -7341,11 +7347,14 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu) else vcpu->arch.mp_state = KVM_MP_STATE_UNINITIALIZED; @@ -30538,7 +30357,7 @@ index 43609af..f8b7b2c 100644 vcpu->arch.pio_data = page_address(page); kvm_set_tsc_khz(vcpu, max_tsc_khz); -@@ -7398,6 +7407,9 @@ fail_mmu_destroy: +@@ -7399,6 +7408,9 @@ fail_mmu_destroy: kvm_mmu_destroy(vcpu); fail_free_pio_data: free_page((unsigned long)vcpu->arch.pio_data); @@ -30548,7 +30367,7 @@ index 43609af..f8b7b2c 100644 fail: return r; } -@@ -7415,6 +7427,8 @@ void kvm_arch_vcpu_uninit(struct kvm_vcpu *vcpu) +@@ -7416,6 +7428,8 @@ void kvm_arch_vcpu_uninit(struct kvm_vcpu *vcpu) free_page((unsigned long)vcpu->arch.pio_data); if (!irqchip_in_kernel(vcpu->kvm)) static_key_slow_dec(&kvm_no_apic_vcpu); @@ -30558,7 +30377,7 @@ index 43609af..f8b7b2c 100644 void kvm_arch_sched_in(struct kvm_vcpu *vcpu, int cpu) diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c -index a0d09f6..92ede76 100644 +index a43b2ea..e64e453 100644 --- a/arch/x86/lguest/boot.c +++ b/arch/x86/lguest/boot.c @@ -1336,9 +1336,10 @@ static __init int early_put_chars(u32 vtermno, const char *buf, int count) @@ -34975,7 +34794,7 @@ index 0057a7acc..95c7edd 100644 might_sleep(); if (is_enabled()) /* recheck and proper locking in *_core() */ diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c -index 71fc79a..3dd1f49 100644 +index 78e47ff..17c3093 100644 --- a/arch/x86/mm/mpx.c +++ b/arch/x86/mm/mpx.c @@ -193,7 +193,7 @@ static int mpx_insn_decode(struct insn *insn, @@ -35673,7 +35492,7 @@ index 90555bf..f5f1828 100644 } diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c -index 8ddb5d0..6f70318 100644 +index 8f4cc3d..7143a15 100644 --- a/arch/x86/mm/tlb.c +++ b/arch/x86/mm/tlb.c @@ -45,7 +45,11 @@ void leave_mm(int cpu) @@ -37148,7 +36967,7 @@ index c7b15f3..cc09a65 100644 This is the Linux Xen port. Enabling this will allow the kernel to boot in a paravirtualized environment under the diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index 993b7a7..59dec9a 100644 +index aeb385d..ff5dc9e 100644 --- a/arch/x86/xen/enlighten.c +++ b/arch/x86/xen/enlighten.c @@ -130,8 +130,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); @@ -37245,7 +37064,7 @@ index 993b7a7..59dec9a 100644 pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry; pv_cpu_ops.load_gdt = xen_load_gdt; -@@ -1567,7 +1566,17 @@ asmlinkage __visible void __init xen_start_kernel(void) +@@ -1569,7 +1568,17 @@ asmlinkage __visible void __init xen_start_kernel(void) __userpte_alloc_gfp &= ~__GFP_HIGHMEM; /* Work out if we support NX */ @@ -37264,7 +37083,7 @@ index 993b7a7..59dec9a 100644 /* Get mfn list */ xen_build_dynamic_phys_to_machine(); -@@ -1595,13 +1604,6 @@ asmlinkage __visible void __init xen_start_kernel(void) +@@ -1597,13 +1606,6 @@ asmlinkage __visible void __init xen_start_kernel(void) machine_ops = xen_machine_ops; @@ -40596,7 +40415,7 @@ index e3536da..b1617f0 100644 intf->proc_dir = NULL; diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c -index 654f6f3..b36fbf4 100644 +index 54bccf7..f7a4fa9 100644 --- a/drivers/char/ipmi/ipmi_si_intf.c +++ b/drivers/char/ipmi/ipmi_si_intf.c @@ -300,7 +300,7 @@ struct smi_info { @@ -40620,26 +40439,7 @@ index 654f6f3..b36fbf4 100644 #define SI_MAX_PARMS 4 -@@ -1208,14 +1208,14 @@ static int smi_start_processing(void *send_info, - - new_smi->intf = intf; - -- /* Try to claim any interrupts. */ -- if (new_smi->irq_setup) -- new_smi->irq_setup(new_smi); -- - /* Set up the timer that drives the interface. */ - setup_timer(&new_smi->si_timer, smi_timeout, (long)new_smi); - smi_mod_timer(new_smi, jiffies + SI_TIMEOUT_JIFFIES); - -+ /* Try to claim any interrupts. */ -+ if (new_smi->irq_setup) -+ new_smi->irq_setup(new_smi); -+ - /* - * Check if the user forcefully enabled the daemon. - */ -@@ -3598,7 +3598,7 @@ static int try_smi_init(struct smi_info *new_smi) +@@ -3613,7 +3613,7 @@ static int try_smi_init(struct smi_info *new_smi) atomic_set(&new_smi->req_events, 0); new_smi->run_to_completion = false; for (i = 0; i < SI_NUM_STATS; i++) @@ -41183,40 +40983,6 @@ index b5bcd77..0f7bd99 100644 return 0; } -diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c -index 30f5228..c19e7fc 100644 ---- a/drivers/connector/connector.c -+++ b/drivers/connector/connector.c -@@ -178,26 +178,21 @@ static int cn_call_callback(struct sk_buff *skb) - * - * It checks skb, netlink header and msg sizes, and calls callback helper. - */ --static void cn_rx_skb(struct sk_buff *__skb) -+static void cn_rx_skb(struct sk_buff *skb) - { - struct nlmsghdr *nlh; -- struct sk_buff *skb; - int len, err; - -- skb = skb_get(__skb); -- - if (skb->len >= NLMSG_HDRLEN) { - nlh = nlmsg_hdr(skb); - len = nlmsg_len(nlh); - - if (len < (int)sizeof(struct cn_msg) || - skb->len < nlh->nlmsg_len || -- len > CONNECTOR_MAX_MSG_SIZE) { -- kfree_skb(skb); -+ len > CONNECTOR_MAX_MSG_SIZE) - return; -- } - -- err = cn_call_callback(skb); -+ err = cn_call_callback(skb_get(skb)); - if (err < 0) - kfree_skb(skb); - } diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c index cec1ee2..d8e33a0 100644 --- a/drivers/cpufreq/acpi-cpufreq.c @@ -45350,7 +45116,7 @@ index 2106066..e759b59 100644 /* copy over all the bus versions */ if (dev->bus && dev->bus->pm) { diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 70a11ac..9852312 100644 +index c0fbf4e..865f19d 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -2575,7 +2575,7 @@ EXPORT_SYMBOL_GPL(hid_ignore); @@ -46993,10 +46759,10 @@ index 532e2a2..a60aa73 100644 CMD_SET_TYPE(cmd, CMD_COMPL_WAIT); } diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c -index 286e890..c2220cc 100644 +index ef78620..5b5d477 100644 --- a/drivers/iommu/arm-smmu-v3.c +++ b/drivers/iommu/arm-smmu-v3.c -@@ -1516,7 +1516,7 @@ static int arm_smmu_domain_finalise(struct iommu_domain *domain) +@@ -1517,7 +1517,7 @@ static int arm_smmu_domain_finalise(struct iommu_domain *domain) .iommu_dev = smmu->dev, }; @@ -49283,18 +49049,6 @@ index 641ad8f..02eacb9 100644 select DVB_LNBP21 if MEDIA_SUBDRV_AUTOSELECT select DVB_STV090x if MEDIA_SUBDRV_AUTOSELECT select DVB_STB6100 if MEDIA_SUBDRV_AUTOSELECT -diff --git a/drivers/media/platform/vivid/vivid-osd.c b/drivers/media/platform/vivid/vivid-osd.c -index 084d346..e15eef6 100644 ---- a/drivers/media/platform/vivid/vivid-osd.c -+++ b/drivers/media/platform/vivid/vivid-osd.c -@@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg) - case FBIOGET_VBLANK: { - struct fb_vblank vblank; - -+ memset(&vblank, 0, sizeof(vblank)); - vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT | - FB_VBLANK_HAVE_VSYNC; - vblank.count = 0; diff --git a/drivers/media/radio/radio-cadet.c b/drivers/media/radio/radio-cadet.c index 82affae..42833ec 100644 --- a/drivers/media/radio/radio-cadet.c @@ -52173,7 +51927,7 @@ index 4421bf54..c07afb0 100644 netdev_tx_completed_queue(ring->tx_queue, packets, bytes); diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c -index 443632d..7b43236 100644 +index 394744b..de2161e 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c @@ -2025,8 +2025,11 @@ static void mlx5e_build_netdev(struct net_device *netdev) @@ -52631,10 +52385,10 @@ index f761288..a1024be 100644 r = get_phy_id(bus, addr, &phy_id, is_c45, &c45_ids); diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c -index ed00446..943fe2c 100644 +index 9a863c6..8e2d8c9 100644 --- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c -@@ -1047,7 +1047,6 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) +@@ -1045,7 +1045,6 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data; struct ppp_stats stats; struct ppp_comp_stats cstats; @@ -52642,7 +52396,7 @@ index ed00446..943fe2c 100644 switch (cmd) { case SIOCGPPPSTATS: -@@ -1069,8 +1068,7 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) +@@ -1067,8 +1066,7 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) break; case SIOCGPPPVER: @@ -52733,20 +52487,10 @@ index b910cae..f55670b 100644 end: release_sock(sk); diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c -index 079f7ad..7e59810 100644 +index 27ed252..80cffde 100644 --- a/drivers/net/slip/slhc.c +++ b/drivers/net/slip/slhc.c -@@ -94,6 +94,9 @@ slhc_init(int rslots, int tslots) - register struct cstate *ts; - struct slcompress *comp; - -+ if (rslots <= 0 || tslots <= 0 || rslots >= 256 || tslots >= 256) -+ goto out_fail; -+ - comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL); - if (! comp) - goto out_fail; -@@ -487,7 +490,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize) +@@ -491,7 +491,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize) register struct tcphdr *thp; register struct iphdr *ip; register struct cstate *cs; @@ -52756,7 +52500,7 @@ index 079f7ad..7e59810 100644 /* We've got a compressed packet; read the change byte */ diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c -index 651d35e..4249181 100644 +index 59fefca..b1422b1 100644 --- a/drivers/net/team/team.c +++ b/drivers/net/team/team.c @@ -2107,7 +2107,7 @@ static unsigned int team_get_num_rx_queues(void) @@ -52976,10 +52720,10 @@ index 374feba..01ba30e 100644 .priv_size = sizeof(struct net_vrf), diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c -index c1587ec..dcd13ca 100644 +index 40b5f8a..f934a2f 100644 --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c -@@ -3037,7 +3037,7 @@ static struct net *vxlan_get_link_net(const struct net_device *dev) +@@ -3043,7 +3043,7 @@ static struct net *vxlan_get_link_net(const struct net_device *dev) return vxlan->net; } @@ -52988,7 +52732,7 @@ index c1587ec..dcd13ca 100644 .kind = "vxlan", .maxtype = IFLA_VXLAN_MAX, .policy = vxlan_policy, -@@ -3085,7 +3085,7 @@ static int vxlan_lowerdev_event(struct notifier_block *unused, +@@ -3091,7 +3091,7 @@ static int vxlan_lowerdev_event(struct notifier_block *unused, return NOTIFY_DONE; } @@ -59213,7 +58957,7 @@ index 4d64e5c4..e21932a 100644 wake_up(&usb_kill_urb_queue); usb_put_urb(urb); diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 522f766..6ddc50b 100644 +index 6208433..fe57c7f 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -26,6 +26,7 @@ @@ -59224,7 +58968,7 @@ index 522f766..6ddc50b 100644 #include <asm/uaccess.h> #include <asm/byteorder.h> -@@ -4665,6 +4666,10 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus, +@@ -4702,6 +4703,10 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus, goto done; return; } @@ -59236,7 +58980,7 @@ index 522f766..6ddc50b 100644 unit_load = 150; else diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c -index cfc68c1..38f943f 100644 +index c54fd8b..6e9f011 100644 --- a/drivers/usb/core/sysfs.c +++ b/drivers/usb/core/sysfs.c @@ -244,7 +244,7 @@ static ssize_t urbnum_show(struct device *dev, struct device_attribute *attr, @@ -59593,10 +59337,10 @@ index c47d3e4..35bcc1e 100644 /* Device for a quirk */ #define PCI_VENDOR_ID_FRESCO_LOGIC 0x1b73 diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c -index 385f9f5..fe0610e 100644 +index e40c300..7eb36da 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c -@@ -4843,7 +4843,7 @@ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks) +@@ -4851,7 +4851,7 @@ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks) int retval; /* Accept arbitrarily long scatter-gather lists */ @@ -100260,36 +100004,6 @@ index 674e3e2..f68af19 100644 void do_close_on_exec(struct files_struct *); int iterate_fd(struct files_struct *, unsigned, int (*)(const void *, struct file *, unsigned), -diff --git a/include/linux/filter.h b/include/linux/filter.h -index fa2cab9..d42a5b8 100644 ---- a/include/linux/filter.h -+++ b/include/linux/filter.h -@@ -459,6 +459,25 @@ static inline void bpf_jit_free(struct bpf_prog *fp) - - #define BPF_ANC BIT(15) - -+static inline bool bpf_needs_clear_a(const struct sock_filter *first) -+{ -+ switch (first->code) { -+ case BPF_RET | BPF_K: -+ case BPF_LD | BPF_W | BPF_LEN: -+ return false; -+ -+ case BPF_LD | BPF_W | BPF_ABS: -+ case BPF_LD | BPF_H | BPF_ABS: -+ case BPF_LD | BPF_B | BPF_ABS: -+ if (first->k == SKF_AD_OFF + SKF_AD_ALU_XOR_X) -+ return true; -+ return false; -+ -+ default: -+ return true; -+ } -+} -+ - static inline u16 bpf_anc_helper(const struct sock_filter *ftest) - { - BUG_ON(ftest->code & BPF_ANC); diff --git a/include/linux/fs.h b/include/linux/fs.h index 72d8a84..d67bd25 100644 --- a/include/linux/fs.h @@ -104183,7 +103897,7 @@ index 556ec1e..38c19c9 100644 /* diff --git a/include/linux/sched.h b/include/linux/sched.h -index b7b9501..f1e65cf 100644 +index f477e87..f1e65cf 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -7,7 +7,7 @@ @@ -104250,11 +103964,10 @@ index b7b9501..f1e65cf 100644 /* * Bits in flags field of signal_struct. -@@ -830,12 +855,22 @@ struct user_struct { - unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */ +@@ -831,12 +856,21 @@ struct user_struct { #endif unsigned long locked_shm; /* How many pages of mlocked shm ? */ -+ unsigned long unix_inflight; /* How many files in flight in unix sockets */ + unsigned long unix_inflight; /* How many files in flight in unix sockets */ + atomic_long_t pipe_bufs; /* how many pages are allocated in pipe buffers */ #ifdef CONFIG_KEYS @@ -104273,7 +103986,7 @@ index b7b9501..f1e65cf 100644 /* Hash table maintenance information */ struct hlist_node uidhash_node; kuid_t uid; -@@ -843,7 +878,7 @@ struct user_struct { +@@ -844,7 +878,7 @@ struct user_struct { #ifdef CONFIG_PERF_EVENTS atomic_long_t locked_vm; #endif @@ -104282,7 +103995,7 @@ index b7b9501..f1e65cf 100644 extern int uids_sysfs_init(void); -@@ -1378,6 +1413,9 @@ struct tlbflush_unmap_batch { +@@ -1379,6 +1413,9 @@ struct tlbflush_unmap_batch { struct task_struct { volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */ void *stack; @@ -104292,7 +104005,7 @@ index b7b9501..f1e65cf 100644 atomic_t usage; unsigned int flags; /* per process flags, defined below */ unsigned int ptrace; -@@ -1510,8 +1548,8 @@ struct task_struct { +@@ -1511,8 +1548,8 @@ struct task_struct { struct list_head thread_node; struct completion *vfork_done; /* for vfork() */ @@ -104303,7 +104016,7 @@ index b7b9501..f1e65cf 100644 cputime_t utime, stime, utimescaled, stimescaled; cputime_t gtime; -@@ -1534,11 +1572,6 @@ struct task_struct { +@@ -1535,11 +1572,6 @@ struct task_struct { struct task_cputime cputime_expires; struct list_head cpu_timers[3]; @@ -104315,7 +104028,7 @@ index b7b9501..f1e65cf 100644 char comm[TASK_COMM_LEN]; /* executable name excluding path - access with [gs]et_task_comm (which lock it with task_lock()) -@@ -1554,6 +1587,8 @@ struct task_struct { +@@ -1555,6 +1587,8 @@ struct task_struct { /* hung task detection */ unsigned long last_switch_count; #endif @@ -104324,7 +104037,7 @@ index b7b9501..f1e65cf 100644 /* filesystem information */ struct fs_struct *fs; /* open file information */ -@@ -1630,6 +1665,10 @@ struct task_struct { +@@ -1631,6 +1665,10 @@ struct task_struct { gfp_t lockdep_reclaim_gfp; #endif @@ -104335,7 +104048,7 @@ index b7b9501..f1e65cf 100644 /* journalling filesystem info */ void *journal_info; -@@ -1668,6 +1707,10 @@ struct task_struct { +@@ -1669,6 +1707,10 @@ struct task_struct { /* cg_list protected by css_set_lock and tsk->alloc_lock */ struct list_head cg_list; #endif @@ -104346,7 +104059,7 @@ index b7b9501..f1e65cf 100644 #ifdef CONFIG_FUTEX struct robust_list_head __user *robust_list; #ifdef CONFIG_COMPAT -@@ -1783,7 +1826,7 @@ struct task_struct { +@@ -1784,7 +1826,7 @@ struct task_struct { * Number of functions that haven't been traced * because of depth overrun. */ @@ -104355,7 +104068,7 @@ index b7b9501..f1e65cf 100644 /* Pause for the tracing */ atomic_t tracing_graph_pause; #endif -@@ -1812,22 +1855,89 @@ struct task_struct { +@@ -1813,22 +1855,89 @@ struct task_struct { unsigned long task_state_change; #endif int pagefault_disabled; @@ -104455,7 +104168,7 @@ index b7b9501..f1e65cf 100644 /* Future-safe accessor for struct task_struct's cpus_allowed. */ #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed) -@@ -1909,7 +2019,7 @@ struct pid_namespace; +@@ -1910,7 +2019,7 @@ struct pid_namespace; pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type, struct pid_namespace *ns); @@ -104464,7 +104177,7 @@ index b7b9501..f1e65cf 100644 { return tsk->pid; } -@@ -2270,6 +2380,25 @@ extern u64 sched_clock_cpu(int cpu); +@@ -2271,6 +2380,25 @@ extern u64 sched_clock_cpu(int cpu); extern void sched_clock_init(void); @@ -104490,7 +104203,7 @@ index b7b9501..f1e65cf 100644 #ifndef CONFIG_HAVE_UNSTABLE_SCHED_CLOCK static inline void sched_clock_tick(void) { -@@ -2398,7 +2527,9 @@ extern void set_curr_task(int cpu, struct task_struct *p); +@@ -2399,7 +2527,9 @@ extern void set_curr_task(int cpu, struct task_struct *p); void yield(void); union thread_union { @@ -104500,7 +104213,7 @@ index b7b9501..f1e65cf 100644 unsigned long stack[THREAD_SIZE/sizeof(long)]; }; -@@ -2431,6 +2562,7 @@ extern struct pid_namespace init_pid_ns; +@@ -2432,6 +2562,7 @@ extern struct pid_namespace init_pid_ns; */ extern struct task_struct *find_task_by_vpid(pid_t nr); @@ -104508,7 +104221,7 @@ index b7b9501..f1e65cf 100644 extern struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns); -@@ -2462,7 +2594,7 @@ extern void proc_caches_init(void); +@@ -2463,7 +2594,7 @@ extern void proc_caches_init(void); extern void flush_signals(struct task_struct *); extern void ignore_signals(struct task_struct *); extern void flush_signal_handlers(struct task_struct *, int force_default); @@ -104517,7 +104230,7 @@ index b7b9501..f1e65cf 100644 static inline int dequeue_signal_lock(struct task_struct *tsk, sigset_t *mask, siginfo_t *info) { -@@ -2608,7 +2740,7 @@ extern void __cleanup_sighand(struct sighand_struct *); +@@ -2609,7 +2740,7 @@ extern void __cleanup_sighand(struct sighand_struct *); extern void exit_itimers(struct signal_struct *); extern void flush_itimer_signals(void); @@ -104526,7 +104239,7 @@ index b7b9501..f1e65cf 100644 extern int do_execve(struct filename *, const char __user * const __user *, -@@ -2723,11 +2855,13 @@ static inline int thread_group_empty(struct task_struct *p) +@@ -2724,11 +2855,13 @@ static inline int thread_group_empty(struct task_struct *p) * It must not be nested with write_lock_irq(&tasklist_lock), * neither inside nor outside. */ @@ -104540,7 +104253,7 @@ index b7b9501..f1e65cf 100644 static inline void task_unlock(struct task_struct *p) { spin_unlock(&p->alloc_lock); -@@ -2813,9 +2947,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) +@@ -2814,9 +2947,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) #define task_stack_end_corrupted(task) \ (*(end_of_stack(task)) != STACK_END_MAGIC) @@ -104763,7 +104476,7 @@ index ab1e039..ad4229e 100644 static inline void disallow_signal(int sig) diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h -index 4398411..4856c34 100644 +index 23ce309..861c28f 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -799,7 +799,7 @@ struct sk_buff *__alloc_skb(unsigned int size, gfp_t priority, int flags, @@ -105274,7 +104987,7 @@ index e7a018e..49f8b17 100644 extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page, unsigned long offset, size_t size, diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h -index a460e2e..de02ef1 100644 +index 42c36bb..ac90c15 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -102,7 +102,12 @@ union bpf_attr; @@ -105571,7 +105284,7 @@ index 00c9d68..bc0188b 100644 struct tty_ldisc { diff --git a/include/linux/types.h b/include/linux/types.h -index c314989..4e6e3a4 100644 +index 89f63da..66ab9c0 100644 --- a/include/linux/types.h +++ b/include/linux/types.h @@ -176,10 +176,26 @@ typedef struct { @@ -105699,7 +105412,7 @@ index 99c1b4d..562e6f3 100644 static inline void put_unaligned_le16(u16 val, void *p) diff --git a/include/linux/usb.h b/include/linux/usb.h -index 447fe29..07a9cf0 100644 +index 4aec211..0181378 100644 --- a/include/linux/usb.h +++ b/include/linux/usb.h @@ -363,7 +363,7 @@ struct usb_bus { @@ -105711,7 +105424,7 @@ index 447fe29..07a9cf0 100644 int devnum_next; /* Next open device number in * round-robin allocation */ -@@ -592,7 +592,7 @@ struct usb_device { +@@ -596,7 +596,7 @@ struct usb_device { int maxchild; u32 quirks; @@ -105720,7 +105433,7 @@ index 447fe29..07a9cf0 100644 unsigned long active_duration; -@@ -1785,10 +1785,10 @@ void usb_sg_wait(struct usb_sg_request *io); +@@ -1789,10 +1789,10 @@ void usb_sg_wait(struct usb_sg_request *io); /* NOTE: these are not the standard USB_ENDPOINT_XFER_* values!! */ /* (yet ... they're the values used by usbfs) */ @@ -108404,27 +108117,6 @@ index 35bac8e..8de1d69 100644 if (!access_ok(VERIFY_READ, uattr, 1)) return -EFAULT; -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index b074b23..36c6efe 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -1058,6 +1058,16 @@ static int check_alu_op(struct reg_state *regs, struct bpf_insn *insn) - return -EINVAL; - } - -+ if ((opcode == BPF_LSH || opcode == BPF_RSH || -+ opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) { -+ int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32; -+ -+ if (insn->imm < 0 || insn->imm >= size) { -+ verbose("invalid shift %d\n", insn->imm); -+ return -EINVAL; -+ } -+ } -+ - /* pattern match 'bpf_add Rx, imm' instruction */ - if (opcode == BPF_ADD && BPF_CLASS(insn->code) == BPF_ALU64 && - regs[insn->dst_reg].type == FRAME_PTR && diff --git a/kernel/capability.c b/kernel/capability.c index 45432b5..988f1e4 100644 --- a/kernel/capability.c @@ -114066,10 +113758,10 @@ index 44d2cc0..337ccab 100644 write_seqcount_begin(&tk_core.seq); diff --git a/kernel/time/timer.c b/kernel/time/timer.c -index 84190f0..6f4ccad 100644 +index 101240b..f2822a4 100644 --- a/kernel/time/timer.c +++ b/kernel/time/timer.c -@@ -1406,7 +1406,7 @@ void update_process_times(int user_tick) +@@ -1422,7 +1422,7 @@ void update_process_times(int user_tick) /* * This function runs timers and the timer-tq in bottom half context. */ @@ -117229,7 +116921,7 @@ index 842ecd7..c8f2fc5 100644 err = -EPERM; goto out; diff --git a/mm/mlock.c b/mm/mlock.c -index 25936680..d0eff96 100644 +index 25936680..1770c1d 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -14,6 +14,7 @@ @@ -117271,15 +116963,18 @@ index 25936680..d0eff96 100644 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */ newflags = vma->vm_flags & ~VM_LOCKED; -@@ -628,6 +637,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, start, size_t, len) +@@ -628,6 +637,10 @@ SYSCALL_DEFINE2(mlock, unsigned long, start, size_t, len) locked += current->mm->locked_vm; /* check against resource limits */ -+ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1); ++ if (locked > (ULONG_MAX >> PAGE_SHIFT)) ++ gr_learn_resource(current, RLIMIT_MEMLOCK, ULONG_MAX, 1); ++ else ++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1); if ((locked <= lock_limit) || capable(CAP_IPC_LOCK)) error = do_mlock(start, len, 1); -@@ -669,6 +679,11 @@ static int do_mlockall(int flags) +@@ -669,6 +682,11 @@ static int do_mlockall(int flags) for (vma = current->mm->mmap; vma ; vma = prev->vm_next) { vm_flags_t newflags; @@ -117291,15 +116986,17 @@ index 25936680..d0eff96 100644 newflags = vma->vm_flags & ~VM_LOCKED; if (flags & MCL_CURRENT) newflags |= VM_LOCKED; -@@ -700,8 +715,10 @@ SYSCALL_DEFINE1(mlockall, int, flags) +@@ -700,8 +718,12 @@ SYSCALL_DEFINE1(mlockall, int, flags) lock_limit >>= PAGE_SHIFT; ret = -ENOMEM; -+ -+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1); -+ - down_write(¤t->mm->mmap_sem); -- +- down_write(¤t->mm->mmap_sem); + ++ down_write(¤t->mm->mmap_sem); ++ if (current->mm->total_vm > (ULONG_MAX >> PAGE_SHIFT)) ++ gr_learn_resource(current, RLIMIT_MEMLOCK, ULONG_MAX, 1); ++ else ++ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1); if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) || capable(CAP_IPC_LOCK)) ret = do_mlockall(flags); @@ -117317,7 +117014,7 @@ index fdadf91..5f527d1 100644 .priority = IPC_CALLBACK_PRI, /* use lowest priority */ }; diff --git a/mm/mmap.c b/mm/mmap.c -index 79bcc9f..481e0f5c 100644 +index 79bcc9f..ee68a7e 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -42,6 +42,7 @@ @@ -117547,15 +117244,18 @@ index 79bcc9f..481e0f5c 100644 mm->stack_vm += pages; } #endif /* CONFIG_PROC_FS */ -@@ -1251,6 +1340,7 @@ static inline int mlock_future_check(struct mm_struct *mm, +@@ -1251,6 +1340,10 @@ static inline int mlock_future_check(struct mm_struct *mm, locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; -+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1); ++ if (locked > (ULONG_MAX >> PAGE_SHIFT)) ++ gr_learn_resource(current, RLIMIT_MEMLOCK, ULONG_MAX, 1); ++ else ++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1); if (locked > lock_limit && !capable(CAP_IPC_LOCK)) return -EAGAIN; } -@@ -1278,7 +1368,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr, +@@ -1278,7 +1371,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr, * (the exception is when the underlying filesystem is noexec * mounted, in which case we dont add PROT_EXEC.) */ @@ -117564,7 +117264,7 @@ index 79bcc9f..481e0f5c 100644 if (!(file && path_noexec(&file->f_path))) prot |= PROT_EXEC; -@@ -1301,7 +1391,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr, +@@ -1301,7 +1394,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr, /* Obtain the address to map to. we verify (or select) it and ensure * that it represents a valid section of the address space. */ @@ -117573,7 +117273,7 @@ index 79bcc9f..481e0f5c 100644 if (addr & ~PAGE_MASK) return addr; -@@ -1312,6 +1402,43 @@ unsigned long do_mmap(struct file *file, unsigned long addr, +@@ -1312,6 +1405,43 @@ unsigned long do_mmap(struct file *file, unsigned long addr, vm_flags |= calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; @@ -117617,7 +117317,7 @@ index 79bcc9f..481e0f5c 100644 if (flags & MAP_LOCKED) if (!can_do_mlock()) return -EPERM; -@@ -1399,6 +1526,9 @@ unsigned long do_mmap(struct file *file, unsigned long addr, +@@ -1399,6 +1529,9 @@ unsigned long do_mmap(struct file *file, unsigned long addr, vm_flags |= VM_NORESERVE; } @@ -117627,7 +117327,7 @@ index 79bcc9f..481e0f5c 100644 addr = mmap_region(file, addr, len, vm_flags, pgoff); if (!IS_ERR_VALUE(addr) && ((vm_flags & VM_LOCKED) || -@@ -1493,7 +1623,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma) +@@ -1493,7 +1626,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma) const struct vm_operations_struct *vm_ops = vma->vm_ops; /* If it was private or non-writable, the write bit is already clear */ @@ -117636,7 +117336,7 @@ index 79bcc9f..481e0f5c 100644 return 0; /* The backer wishes to know when pages are first written to? */ -@@ -1544,7 +1674,22 @@ unsigned long mmap_region(struct file *file, unsigned long addr, +@@ -1544,7 +1677,22 @@ unsigned long mmap_region(struct file *file, unsigned long addr, struct rb_node **rb_link, *rb_parent; unsigned long charged = 0; @@ -117659,7 +117359,7 @@ index 79bcc9f..481e0f5c 100644 if (!may_expand_vm(mm, len >> PAGE_SHIFT)) { unsigned long nr_pages; -@@ -1567,6 +1712,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr, +@@ -1567,6 +1715,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr, &rb_parent)) { if (do_munmap(mm, addr, len)) return -ENOMEM; @@ -117667,7 +117367,7 @@ index 79bcc9f..481e0f5c 100644 } /* -@@ -1598,6 +1744,16 @@ unsigned long mmap_region(struct file *file, unsigned long addr, +@@ -1598,6 +1747,16 @@ unsigned long mmap_region(struct file *file, unsigned long addr, goto unacct_error; } @@ -117684,7 +117384,7 @@ index 79bcc9f..481e0f5c 100644 vma->vm_mm = mm; vma->vm_start = addr; vma->vm_end = addr + len; -@@ -1628,6 +1784,13 @@ unsigned long mmap_region(struct file *file, unsigned long addr, +@@ -1628,6 +1787,13 @@ unsigned long mmap_region(struct file *file, unsigned long addr, if (error) goto unmap_and_free_vma; @@ -117698,7 +117398,7 @@ index 79bcc9f..481e0f5c 100644 /* Can addr have changed?? * * Answer: Yes, several device drivers can do it in their -@@ -1646,6 +1809,12 @@ unsigned long mmap_region(struct file *file, unsigned long addr, +@@ -1646,6 +1812,12 @@ unsigned long mmap_region(struct file *file, unsigned long addr, } vma_link(mm, vma, prev, rb_link, rb_parent); @@ -117711,7 +117411,7 @@ index 79bcc9f..481e0f5c 100644 /* Once vma denies write, undo our temporary denial count */ if (file) { if (vm_flags & VM_SHARED) -@@ -1658,6 +1827,7 @@ out: +@@ -1658,6 +1830,7 @@ out: perf_event_mmap(vma); vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT); @@ -117719,7 +117419,7 @@ index 79bcc9f..481e0f5c 100644 if (vm_flags & VM_LOCKED) { if (!((vm_flags & VM_SPECIAL) || is_vm_hugetlb_page(vma) || vma == get_gate_vma(current->mm))) -@@ -1695,6 +1865,12 @@ allow_write_and_free_vma: +@@ -1695,6 +1868,12 @@ allow_write_and_free_vma: if (vm_flags & VM_DENYWRITE) allow_write_access(file); free_vma: @@ -117732,7 +117432,7 @@ index 79bcc9f..481e0f5c 100644 kmem_cache_free(vm_area_cachep, vma); unacct_error: if (charged) -@@ -1702,7 +1878,63 @@ unacct_error: +@@ -1702,7 +1881,63 @@ unacct_error: return error; } @@ -117797,7 +117497,7 @@ index 79bcc9f..481e0f5c 100644 { /* * We implement the search by looking for an rbtree node that -@@ -1750,11 +1982,29 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info) +@@ -1750,11 +1985,29 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info) } } @@ -117828,7 +117528,7 @@ index 79bcc9f..481e0f5c 100644 if (gap_end >= low_limit && gap_end - gap_start >= length) goto found; -@@ -1804,7 +2054,7 @@ found: +@@ -1804,7 +2057,7 @@ found: return gap_start; } @@ -117837,7 +117537,7 @@ index 79bcc9f..481e0f5c 100644 { struct mm_struct *mm = current->mm; struct vm_area_struct *vma; -@@ -1858,6 +2108,24 @@ check_current: +@@ -1858,6 +2111,24 @@ check_current: gap_end = vma->vm_start; if (gap_end < low_limit) return -ENOMEM; @@ -117862,7 +117562,7 @@ index 79bcc9f..481e0f5c 100644 if (gap_start <= high_limit && gap_end - gap_start >= length) goto found; -@@ -1921,6 +2189,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1921,6 +2192,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, struct mm_struct *mm = current->mm; struct vm_area_struct *vma; struct vm_unmapped_area_info info; @@ -117870,7 +117570,7 @@ index 79bcc9f..481e0f5c 100644 if (len > TASK_SIZE - mmap_min_addr) return -ENOMEM; -@@ -1928,11 +2197,15 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1928,11 +2200,15 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, if (flags & MAP_FIXED) return addr; @@ -117887,7 +117587,7 @@ index 79bcc9f..481e0f5c 100644 return addr; } -@@ -1941,6 +2214,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1941,6 +2217,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, info.low_limit = mm->mmap_base; info.high_limit = TASK_SIZE; info.align_mask = 0; @@ -117895,7 +117595,7 @@ index 79bcc9f..481e0f5c 100644 return vm_unmapped_area(&info); } #endif -@@ -1959,6 +2233,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1959,6 +2236,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, struct mm_struct *mm = current->mm; unsigned long addr = addr0; struct vm_unmapped_area_info info; @@ -117903,7 +117603,7 @@ index 79bcc9f..481e0f5c 100644 /* requested length too big for entire address space */ if (len > TASK_SIZE - mmap_min_addr) -@@ -1967,12 +2242,16 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1967,12 +2245,16 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (flags & MAP_FIXED) return addr; @@ -117921,7 +117621,7 @@ index 79bcc9f..481e0f5c 100644 return addr; } -@@ -1981,6 +2260,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1981,6 +2263,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, info.low_limit = max(PAGE_SIZE, mmap_min_addr); info.high_limit = mm->mmap_base; info.align_mask = 0; @@ -117929,7 +117629,7 @@ index 79bcc9f..481e0f5c 100644 addr = vm_unmapped_area(&info); /* -@@ -1993,6 +2273,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1993,6 +2276,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, VM_BUG_ON(addr != -ENOMEM); info.flags = 0; info.low_limit = TASK_UNMAPPED_BASE; @@ -117942,7 +117642,7 @@ index 79bcc9f..481e0f5c 100644 info.high_limit = TASK_SIZE; addr = vm_unmapped_area(&info); } -@@ -2093,6 +2379,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr, +@@ -2093,6 +2382,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr, return vma; } @@ -117971,7 +117671,7 @@ index 79bcc9f..481e0f5c 100644 /* * Verify that the stack growth is acceptable and * update accounting. This is shared with both the -@@ -2110,8 +2418,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -2110,8 +2421,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns /* Stack limit test */ actual_size = size; @@ -117981,15 +117681,18 @@ index 79bcc9f..481e0f5c 100644 if (actual_size > READ_ONCE(rlim[RLIMIT_STACK].rlim_cur)) return -ENOMEM; -@@ -2122,6 +2429,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -2122,6 +2432,10 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns locked = mm->locked_vm + grow; limit = READ_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur); limit >>= PAGE_SHIFT; -+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1); ++ if (locked > (ULONG_MAX >> PAGE_SHIFT)) ++ gr_learn_resource(current, RLIMIT_MEMLOCK, ULONG_MAX, 1); ++ else ++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1); if (locked > limit && !capable(CAP_IPC_LOCK)) return -ENOMEM; } -@@ -2151,37 +2459,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -2151,37 +2465,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns * PA-RISC uses this for its stack; IA64 for its Register Backing Store. * vma is the last one with address > vma->vm_end. Have to extend vma. */ @@ -118047,7 +117750,7 @@ index 79bcc9f..481e0f5c 100644 unsigned long size, grow; size = address - vma->vm_start; -@@ -2216,6 +2535,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) +@@ -2216,6 +2541,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) } } } @@ -118056,7 +117759,7 @@ index 79bcc9f..481e0f5c 100644 vma_unlock_anon_vma(vma); khugepaged_enter_vma_merge(vma, vma->vm_flags); validate_mm(vma->vm_mm); -@@ -2230,6 +2551,8 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2230,6 +2557,8 @@ int expand_downwards(struct vm_area_struct *vma, unsigned long address) { int error; @@ -118065,7 +117768,7 @@ index 79bcc9f..481e0f5c 100644 /* * We must make sure the anon_vma is allocated -@@ -2243,6 +2566,15 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2243,6 +2572,15 @@ int expand_downwards(struct vm_area_struct *vma, if (error) return error; @@ -118081,7 +117784,7 @@ index 79bcc9f..481e0f5c 100644 vma_lock_anon_vma(vma); /* -@@ -2252,9 +2584,17 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2252,9 +2590,17 @@ int expand_downwards(struct vm_area_struct *vma, */ /* Somebody else might have raced and expanded it already */ @@ -118100,7 +117803,7 @@ index 79bcc9f..481e0f5c 100644 size = vma->vm_end - address; grow = (vma->vm_start - address) >> PAGE_SHIFT; -@@ -2279,13 +2619,27 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2279,13 +2625,27 @@ int expand_downwards(struct vm_area_struct *vma, vma->vm_pgoff -= grow; anon_vma_interval_tree_post_update_vma(vma); vma_gap_update(vma); @@ -118128,7 +117831,7 @@ index 79bcc9f..481e0f5c 100644 khugepaged_enter_vma_merge(vma, vma->vm_flags); validate_mm(vma->vm_mm); return error; -@@ -2385,6 +2739,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2385,6 +2745,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) do { long nrpages = vma_pages(vma); @@ -118142,7 +117845,7 @@ index 79bcc9f..481e0f5c 100644 if (vma->vm_flags & VM_ACCOUNT) nr_accounted += nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); -@@ -2429,6 +2790,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2429,6 +2796,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, insertion_point = (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev = NULL; do { @@ -118159,7 +117862,7 @@ index 79bcc9f..481e0f5c 100644 vma_rb_erase(vma, &mm->mm_rb); mm->map_count--; tail_vma = vma; -@@ -2456,14 +2827,33 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2456,14 +2833,33 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, struct vm_area_struct *new; int err; @@ -118193,7 +117896,7 @@ index 79bcc9f..481e0f5c 100644 /* most fields are the same, copy all, and then fixup */ *new = *vma; -@@ -2476,6 +2866,22 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2476,6 +2872,22 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); } @@ -118216,7 +117919,7 @@ index 79bcc9f..481e0f5c 100644 err = vma_dup_policy(vma, new); if (err) goto out_free_vma; -@@ -2496,6 +2902,38 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2496,6 +2908,38 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, else err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); @@ -118255,7 +117958,7 @@ index 79bcc9f..481e0f5c 100644 /* Success. */ if (!err) return 0; -@@ -2505,10 +2943,18 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2505,10 +2949,18 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, new->vm_ops->close(new); if (new->vm_file) fput(new->vm_file); @@ -118275,7 +117978,7 @@ index 79bcc9f..481e0f5c 100644 kmem_cache_free(vm_area_cachep, new); return err; } -@@ -2520,6 +2966,15 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2520,6 +2972,15 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, int new_below) { @@ -118291,7 +117994,7 @@ index 79bcc9f..481e0f5c 100644 if (mm->map_count >= sysctl_max_map_count) return -ENOMEM; -@@ -2531,11 +2986,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2531,11 +2992,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, * work. This now handles partial unmappings. * Jeremy Fitzhardinge <jeremy@goop.org> */ @@ -118322,7 +118025,7 @@ index 79bcc9f..481e0f5c 100644 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) return -EINVAL; -@@ -2613,6 +3087,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) +@@ -2613,6 +3093,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) /* Fix up all other VM information */ remove_vma_list(mm, vma); @@ -118331,7 +118034,7 @@ index 79bcc9f..481e0f5c 100644 return 0; } -@@ -2621,6 +3097,13 @@ int vm_munmap(unsigned long start, size_t len) +@@ -2621,6 +3103,13 @@ int vm_munmap(unsigned long start, size_t len) int ret; struct mm_struct *mm = current->mm; @@ -118345,7 +118048,7 @@ index 79bcc9f..481e0f5c 100644 down_write(&mm->mmap_sem); ret = do_munmap(mm, start, len); up_write(&mm->mmap_sem); -@@ -2667,6 +3150,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, +@@ -2667,6 +3156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, down_write(&mm->mmap_sem); vma = find_vma(mm, start); @@ -118357,7 +118060,7 @@ index 79bcc9f..481e0f5c 100644 if (!vma || !(vma->vm_flags & VM_SHARED)) goto out; -@@ -2703,16 +3191,6 @@ out: +@@ -2703,16 +3197,6 @@ out: return ret; } @@ -118374,7 +118077,7 @@ index 79bcc9f..481e0f5c 100644 /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -2726,6 +3204,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2726,6 +3210,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) struct rb_node **rb_link, *rb_parent; pgoff_t pgoff = addr >> PAGE_SHIFT; int error; @@ -118382,7 +118085,7 @@ index 79bcc9f..481e0f5c 100644 len = PAGE_ALIGN(len); if (!len) -@@ -2733,10 +3212,24 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2733,10 +3218,24 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; @@ -118407,7 +118110,7 @@ index 79bcc9f..481e0f5c 100644 error = mlock_future_check(mm, mm->def_flags, len); if (error) return error; -@@ -2754,16 +3247,17 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2754,16 +3253,17 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) &rb_parent)) { if (do_munmap(mm, addr, len)) return -ENOMEM; @@ -118427,7 +118130,7 @@ index 79bcc9f..481e0f5c 100644 return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ -@@ -2777,7 +3271,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2777,7 +3277,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) */ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -118436,7 +118139,7 @@ index 79bcc9f..481e0f5c 100644 return -ENOMEM; } -@@ -2791,10 +3285,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2791,10 +3291,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) vma_link(mm, vma, prev, rb_link, rb_parent); out: perf_event_mmap(vma); @@ -118450,7 +118153,7 @@ index 79bcc9f..481e0f5c 100644 return addr; } -@@ -2856,6 +3351,7 @@ void exit_mmap(struct mm_struct *mm) +@@ -2856,6 +3357,7 @@ void exit_mmap(struct mm_struct *mm) while (vma) { if (vma->vm_flags & VM_ACCOUNT) nr_accounted += vma_pages(vma); @@ -118458,7 +118161,7 @@ index 79bcc9f..481e0f5c 100644 vma = remove_vma(vma); } vm_unacct_memory(nr_accounted); -@@ -2870,6 +3366,10 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2870,6 +3372,10 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) struct vm_area_struct *prev; struct rb_node **rb_link, *rb_parent; @@ -118469,7 +118172,7 @@ index 79bcc9f..481e0f5c 100644 if (find_vma_links(mm, vma->vm_start, vma->vm_end, &prev, &rb_link, &rb_parent)) return -ENOMEM; -@@ -2877,6 +3377,9 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2877,6 +3383,9 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; @@ -118479,7 +118182,7 @@ index 79bcc9f..481e0f5c 100644 /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2894,7 +3397,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2894,7 +3403,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) vma->vm_pgoff = vma->vm_start >> PAGE_SHIFT; } @@ -118501,7 +118204,7 @@ index 79bcc9f..481e0f5c 100644 return 0; } -@@ -2913,6 +3430,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2913,6 +3436,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, struct rb_node **rb_link, *rb_parent; bool faulted_in_anon_vma = true; @@ -118510,7 +118213,7 @@ index 79bcc9f..481e0f5c 100644 /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2979,6 +3498,39 @@ out: +@@ -2979,6 +3504,39 @@ out: return NULL; } @@ -118550,15 +118253,19 @@ index 79bcc9f..481e0f5c 100644 /* * Return true if the calling process may expand its vm space by the passed * number of pages -@@ -2990,6 +3542,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) +@@ -2990,6 +3548,11 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT; -+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1); ++ if ((cur + npages) > (ULONG_MAX >> PAGE_SHIFT)) ++ gr_learn_resource(current, RLIMIT_AS, ULONG_MAX, 1); ++ else ++ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1); ++ if (cur + npages > lim) return 0; return 1; -@@ -3064,6 +3617,22 @@ static struct vm_area_struct *__install_special_mapping( +@@ -3064,6 +3627,22 @@ static struct vm_area_struct *__install_special_mapping( vma->vm_start = addr; vma->vm_end = addr + len; @@ -121892,22 +121599,6 @@ index ea748c9..79056c3 100644 .kind = "bridge", .priv_size = sizeof(struct net_bridge), .setup = br_dev_setup, -diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c -index 4ca449a..49d8d28 100644 ---- a/net/bridge/br_stp_if.c -+++ b/net/bridge/br_stp_if.c -@@ -130,7 +130,10 @@ static void br_stp_start(struct net_bridge *br) - char *envp[] = { NULL }; - struct net_bridge_port *p; - -- r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC); -+ if (net_eq(dev_net(br->dev), &init_net)) -+ r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC); -+ else -+ r = -ENOENT; - - spin_lock_bh(&br->lock); - diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 48b6b01..cf544f3 100644 --- a/net/bridge/netfilter/ebtables.c @@ -122219,7 +121910,7 @@ index 617088a..0364f4f 100644 return err; diff --git a/net/core/dev.c b/net/core/dev.c -index c14748d..b500378 100644 +index 6369c45..86ce9a7 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -1748,7 +1748,7 @@ int __dev_forward_skb(struct net_device *dev, struct sk_buff *skb) @@ -122231,7 +121922,7 @@ index c14748d..b500378 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -3162,7 +3162,7 @@ recursion_alert: +@@ -3167,7 +3167,7 @@ recursion_alert: drop: rcu_read_unlock_bh(); @@ -122240,7 +121931,7 @@ index c14748d..b500378 100644 kfree_skb_list(skb); return rc; out: -@@ -3514,7 +3514,7 @@ drop: +@@ -3519,7 +3519,7 @@ drop: local_irq_restore(flags); @@ -122249,7 +121940,7 @@ index c14748d..b500378 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -3591,7 +3591,7 @@ int netif_rx_ni(struct sk_buff *skb) +@@ -3596,7 +3596,7 @@ int netif_rx_ni(struct sk_buff *skb) } EXPORT_SYMBOL(netif_rx_ni); @@ -122258,7 +121949,7 @@ index c14748d..b500378 100644 { struct softnet_data *sd = this_cpu_ptr(&softnet_data); -@@ -3929,7 +3929,7 @@ ncls: +@@ -3934,7 +3934,7 @@ ncls: ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev); } else { drop: @@ -122267,7 +121958,7 @@ index c14748d..b500378 100644 kfree_skb(skb); /* Jamal, now you will not able to escape explaining * me how you were going to use this. :-) -@@ -4822,7 +4822,7 @@ out_unlock: +@@ -4827,7 +4827,7 @@ out_unlock: return work; } @@ -122276,7 +121967,7 @@ index c14748d..b500378 100644 { struct softnet_data *sd = this_cpu_ptr(&softnet_data); unsigned long time_limit = jiffies + 2; -@@ -6914,8 +6914,8 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, +@@ -6919,8 +6919,8 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, } else { netdev_stats_to_stats64(storage, &dev->stats); } @@ -122306,27 +121997,8 @@ index b94b1d2..da3ed7c 100644 } EXPORT_SYMBOL(dev_load); -diff --git a/net/core/dst.c b/net/core/dst.c -index d6a5a0b..8852021 100644 ---- a/net/core/dst.c -+++ b/net/core/dst.c -@@ -301,12 +301,13 @@ void dst_release(struct dst_entry *dst) - { - if (dst) { - int newrefcnt; -+ unsigned short nocache = dst->flags & DST_NOCACHE; - - newrefcnt = atomic_dec_return(&dst->__refcnt); - if (unlikely(newrefcnt < 0)) - net_warn_ratelimited("%s: dst:%p refcnt:%d\n", - __func__, dst, newrefcnt); -- if (!newrefcnt && unlikely(dst->flags & DST_NOCACHE)) -+ if (!newrefcnt && unlikely(nocache)) - call_rcu(&dst->rcu_head, dst_destroy_rcu); - } - } diff --git a/net/core/filter.c b/net/core/filter.c -index bb18c36..a0c92a7 100644 +index 49b4487..a0c92a7 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -584,7 +584,11 @@ do_pass: @@ -122351,19 +122023,7 @@ index bb18c36..a0c92a7 100644 masks = kmalloc_array(flen, sizeof(*masks), GFP_KERNEL); if (!masks) -@@ -781,6 +785,11 @@ static int bpf_check_classic(const struct sock_filter *filter, - if (ftest->k == 0) - return -EINVAL; - break; -+ case BPF_ALU | BPF_LSH | BPF_K: -+ case BPF_ALU | BPF_RSH | BPF_K: -+ if (ftest->k >= 32) -+ return -EINVAL; -+ break; - case BPF_LD | BPF_MEM: - case BPF_LDX | BPF_MEM: - case BPF_ST: -@@ -1057,7 +1066,7 @@ int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog) +@@ -1062,7 +1066,7 @@ int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog) if (!fp) return -ENOMEM; @@ -122552,10 +122212,10 @@ index 8bdada2..d7048c2 100644 iph->ttl = 64; iph->protocol = IPPROTO_UDP; diff --git a/net/core/pktgen.c b/net/core/pktgen.c -index de8d5cc..bf8443a 100644 +index 4da4d51..ef1aa60 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c -@@ -3827,7 +3827,7 @@ static int __net_init pg_net_init(struct net *net) +@@ -3829,7 +3829,7 @@ static int __net_init pg_net_init(struct net *net) pn->net = net; INIT_LIST_HEAD(&pn->pktgen_threads); pn->pktgen_exiting = false; @@ -124028,7 +123688,7 @@ index ade7737..70ed9be 100644 goto err_reg; diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index 0a2b61d..e6e7d27 100644 +index 064f1a0..e6e7d27 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -786,7 +786,7 @@ static void tcp_update_pacing_rate(struct sock *sk) @@ -124040,17 +123700,7 @@ index 0a2b61d..e6e7d27 100644 sk->sk_max_pacing_rate); } -@@ -2525,6 +2525,9 @@ static void tcp_cwnd_reduction(struct sock *sk, const int prior_unsacked, - int newly_acked_sacked = prior_unsacked - - (tp->packets_out - tp->sacked_out); - -+ if (newly_acked_sacked <= 0 || WARN_ON_ONCE(!tp->prior_cwnd)) -+ return; -+ - tp->prr_delivered += newly_acked_sacked; - if (delta < 0) { - u64 dividend = (u64)tp->snd_ssthresh * tp->prr_delivered + -@@ -4647,7 +4650,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb, +@@ -4650,7 +4650,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb, * simplifies code) */ static void @@ -124059,7 +123709,7 @@ index 0a2b61d..e6e7d27 100644 struct sk_buff *head, struct sk_buff *tail, u32 start, u32 end) { -@@ -5642,6 +5645,7 @@ discard: +@@ -5645,6 +5645,7 @@ discard: tcp_paws_reject(&tp->rx_opt, 0)) goto discard_and_undo; @@ -124067,7 +123717,7 @@ index 0a2b61d..e6e7d27 100644 if (th->syn) { /* We see SYN without ACK. It is attempt of * simultaneous connect with crossed SYNs. -@@ -5693,6 +5697,7 @@ discard: +@@ -5696,6 +5697,7 @@ discard: goto discard; #endif } @@ -124075,7 +123725,7 @@ index 0a2b61d..e6e7d27 100644 /* "fifth, if neither of the SYN or RST bits is set then * drop the segment and return." */ -@@ -5739,7 +5744,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, +@@ -5742,7 +5744,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, goto discard; if (th->syn) { @@ -124084,7 +123734,7 @@ index 0a2b61d..e6e7d27 100644 goto discard; if (icsk->icsk_af_ops->conn_request(sk, skb) < 0) return 1; -@@ -6069,7 +6074,7 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops, +@@ -6072,7 +6074,7 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops, kmemcheck_annotate_bitfield(ireq, flags); ireq->opt = NULL; @@ -124353,7 +124003,7 @@ index fd840c7..b517627 100644 struct iphdr *iph = ip_hdr(skb); int ihl = iph->ihl * 4; diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c -index c10a9ee..c621a01 100644 +index 126ff90..e9ba962 100644 --- a/net/ipv4/xfrm4_policy.c +++ b/net/ipv4/xfrm4_policy.c @@ -192,11 +192,11 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) @@ -124372,7 +124022,7 @@ index c10a9ee..c621a01 100644 @@ -274,19 +274,18 @@ static struct ctl_table xfrm4_policy_table[] = { - static int __net_init xfrm4_net_init(struct net *net) + static int __net_init xfrm4_net_sysctl_init(struct net *net) { - struct ctl_table *table; + ctl_table_no_const *table = NULL; @@ -124395,7 +124045,7 @@ index c10a9ee..c621a01 100644 if (!hdr) goto err_reg; -@@ -294,8 +293,7 @@ static int __net_init xfrm4_net_init(struct net *net) +@@ -294,8 +293,7 @@ static int __net_init xfrm4_net_sysctl_init(struct net *net) return 0; err_reg: @@ -124418,7 +124068,7 @@ index 983bb99..ebc39e1 100644 Support for IPsec ESP. diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index ddd3511..22c903e 100644 +index 5462bfd..22c903e 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -178,7 +178,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = { @@ -124554,25 +124204,7 @@ index ddd3511..22c903e 100644 struct net *net = ctl->extra2; struct ipv6_stable_secret *secret = ctl->data; -@@ -5349,13 +5356,10 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write, - goto out; - } - -- if (!write) { -- err = snprintf(str, sizeof(str), "%pI6", -- &secret->secret); -- if (err >= sizeof(str)) { -- err = -EIO; -- goto out; -- } -+ err = snprintf(str, sizeof(str), "%pI6", &secret->secret); -+ if (err >= sizeof(str)) { -+ err = -EIO; -+ goto out; - } - - err = proc_dostring(&lctl, write, buffer, lenp, ppos); -@@ -5403,7 +5407,7 @@ int addrconf_sysctl_ignore_routes_with_linkdown(struct ctl_table *ctl, +@@ -5400,7 +5407,7 @@ int addrconf_sysctl_ignore_routes_with_linkdown(struct ctl_table *ctl, int *valp = ctl->data; int val = *valp; loff_t pos = *ppos; @@ -125107,7 +124739,7 @@ index 45243bb..cdb398e 100644 struct ctl_table *ipv6_icmp_table; int err; diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index 8935dc1..bdfd1ee 100644 +index a71fb26..072547c 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -102,6 +102,10 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) @@ -125121,7 +124753,7 @@ index 8935dc1..bdfd1ee 100644 static __u32 tcp_v6_init_sequence(const struct sk_buff *skb) { return secure_tcpv6_sequence_number(ipv6_hdr(skb)->daddr.s6_addr32, -@@ -1285,6 +1289,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) +@@ -1287,6 +1291,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) return 0; reset: @@ -125131,7 +124763,7 @@ index 8935dc1..bdfd1ee 100644 tcp_v6_send_reset(sk, skb); discard: if (opt_skb) -@@ -1394,12 +1401,20 @@ static int tcp_v6_rcv(struct sk_buff *skb) +@@ -1396,12 +1403,20 @@ static int tcp_v6_rcv(struct sk_buff *skb) sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest, inet6_iif(skb)); @@ -125154,7 +124786,7 @@ index 8935dc1..bdfd1ee 100644 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) { NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP); -@@ -1451,6 +1466,10 @@ csum_error: +@@ -1453,6 +1468,10 @@ csum_error: bad_packet: TCP_INC_STATS_BH(net, TCP_MIB_INERRS); } else { @@ -125218,7 +124850,7 @@ index 8379fc2..faac798 100644 kfree_skb(skb); diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c -index da55e0c..3c30bd8 100644 +index d51a18d..36a6399 100644 --- a/net/ipv6/xfrm6_policy.c +++ b/net/ipv6/xfrm6_policy.c @@ -218,11 +218,11 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) @@ -125237,7 +124869,7 @@ index da55e0c..3c30bd8 100644 @@ -329,19 +329,19 @@ static struct ctl_table xfrm6_policy_table[] = { - static int __net_init xfrm6_net_init(struct net *net) + static int __net_init xfrm6_net_sysctl_init(struct net *net) { - struct ctl_table *table; + ctl_table_no_const *table = NULL; @@ -125260,7 +124892,7 @@ index da55e0c..3c30bd8 100644 if (!hdr) goto err_reg; -@@ -349,8 +349,7 @@ static int __net_init xfrm6_net_init(struct net *net) +@@ -349,8 +349,7 @@ static int __net_init xfrm6_net_sysctl_init(struct net *net) return 0; err_reg: @@ -127088,7 +126720,7 @@ index f226709..0e735a8 100644 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c -index e82a1ad..a7df216b 100644 +index 16bc83b..a7df216b 100644 --- a/net/sched/sch_generic.c +++ b/net/sched/sch_generic.c @@ -349,7 +349,7 @@ void netif_carrier_on(struct net_device *dev) @@ -127109,18 +126741,6 @@ index e82a1ad..a7df216b 100644 linkwatch_fire_event(dev); } } -@@ -658,8 +658,10 @@ static void qdisc_rcu_free(struct rcu_head *head) - { - struct Qdisc *qdisc = container_of(head, struct Qdisc, rcu_head); - -- if (qdisc_is_percpu_stats(qdisc)) -+ if (qdisc_is_percpu_stats(qdisc)) { - free_percpu(qdisc->cpu_bstats); -+ free_percpu(qdisc->cpu_qstats); -+ } - - kfree((char *) qdisc - qdisc->padded); - } diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c index 40677cf..9656f92 100644 --- a/net/sctp/ipv6.c @@ -127259,7 +126879,7 @@ index 6098d4c..9920c54 100644 * We should no longer have much work to do here as the * real work has been done as explicit commands above. diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c -index d7eaa73..9042a5d 100644 +index c89586e..dd962f7 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -2976,7 +2976,7 @@ sctp_disposition_t sctp_sf_eat_data_6_2(struct net *net, @@ -127306,9 +126926,9 @@ index d7eaa73..9042a5d 100644 - - retval = SCTP_DISPOSITION_CONSUME; - sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); - -@@ -4844,7 +4837,7 @@ sctp_disposition_t sctp_sf_do_9_1_prm_abort( + if (abort) + sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); +@@ -4845,7 +4838,7 @@ sctp_disposition_t sctp_sf_do_9_1_prm_abort( SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); @@ -127317,7 +126937,7 @@ index d7eaa73..9042a5d 100644 } /* We tried an illegal operation on an association which is closed. */ -@@ -4959,12 +4952,10 @@ sctp_disposition_t sctp_sf_cookie_wait_prm_abort( +@@ -4960,12 +4953,10 @@ sctp_disposition_t sctp_sf_cookie_wait_prm_abort( sctp_cmd_seq_t *commands) { struct sctp_chunk *abort = arg; @@ -127328,9 +126948,9 @@ index d7eaa73..9042a5d 100644 SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); - retval = SCTP_DISPOSITION_CONSUME; - sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); - -@@ -4983,7 +4974,7 @@ sctp_disposition_t sctp_sf_cookie_wait_prm_abort( + if (abort) + sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); +@@ -4985,7 +4976,7 @@ sctp_disposition_t sctp_sf_cookie_wait_prm_abort( sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, SCTP_PERR(SCTP_ERROR_USER_ABORT)); @@ -127340,7 +126960,7 @@ index d7eaa73..9042a5d 100644 /* diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index 84b1b50..e2a95d3 100644 +index 9dee804..7e2f09d 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -972,7 +972,7 @@ static int sctp_setsockopt_bindx(struct sock *sk, @@ -127374,7 +126994,7 @@ index 84b1b50..e2a95d3 100644 if (unlikely(!kaddrs)) return -ENOMEM; -@@ -2194,11 +2197,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval, +@@ -2193,11 +2196,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval, { struct sctp_association *asoc; struct sctp_ulpevent *event; @@ -127389,7 +127009,7 @@ index 84b1b50..e2a95d3 100644 /* At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT, * if there is no data to be sent or retransmit, the stack will -@@ -4373,13 +4378,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, +@@ -4372,13 +4377,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -127407,7 +127027,7 @@ index 84b1b50..e2a95d3 100644 return -EFAULT; return 0; } -@@ -4397,6 +4405,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, +@@ -4396,6 +4404,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, */ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -127416,7 +127036,7 @@ index 84b1b50..e2a95d3 100644 /* Applicable to UDP-style socket only */ if (sctp_style(sk, TCP)) return -EOPNOTSUPP; -@@ -4405,7 +4415,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv +@@ -4404,7 +4414,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv len = sizeof(int); if (put_user(len, optlen)) return -EFAULT; @@ -127426,7 +127046,7 @@ index 84b1b50..e2a95d3 100644 return -EFAULT; return 0; } -@@ -4779,12 +4790,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, +@@ -4778,12 +4789,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, */ static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -127443,7 +127063,7 @@ index 84b1b50..e2a95d3 100644 return -EFAULT; return 0; } -@@ -4825,6 +4839,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, +@@ -4824,6 +4838,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, ->addr_to_user(sp, &temp); if (space_left < addrlen) return -ENOMEM; @@ -127452,7 +127072,7 @@ index 84b1b50..e2a95d3 100644 if (copy_to_user(to, &temp, addrlen)) return -EFAULT; to += addrlen; -@@ -4928,7 +4944,7 @@ static int sctp_getsockopt_local_addrs(struct sock *sk, int len, +@@ -4927,7 +4943,7 @@ static int sctp_getsockopt_local_addrs(struct sock *sk, int len, to = optval + offsetof(struct sctp_getaddrs, addrs); space_left = len - offsetof(struct sctp_getaddrs, addrs); @@ -127461,7 +127081,7 @@ index 84b1b50..e2a95d3 100644 if (!addrs) return -ENOMEM; -@@ -5777,7 +5793,7 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len, +@@ -5776,7 +5792,7 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len, len = sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num; @@ -127471,10 +127091,10 @@ index 84b1b50..e2a95d3 100644 return -ENOMEM; diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c -index 26d50c5..289fe22 100644 +index 3e0fc51..289fe22 100644 --- a/net/sctp/sysctl.c +++ b/net/sctp/sysctl.c -@@ -317,10 +317,10 @@ static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write, +@@ -317,7 +317,7 @@ static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write, loff_t *ppos) { struct net *net = current->nsproxy->net_ns; @@ -127482,11 +127102,7 @@ index 26d50c5..289fe22 100644 + ctl_table_no_const tbl; bool changed = false; char *none = "none"; -- char tmp[8]; -+ char tmp[8] = {0}; - int ret; - - memset(&tbl, 0, sizeof(struct ctl_table)); + char tmp[8] = {0}; @@ -365,7 +365,7 @@ static int proc_sctp_do_rto_min(struct ctl_table *ctl, int write, struct net *net = current->nsproxy->net_ns; unsigned int min = *(unsigned int *) ctl->extra1; @@ -128221,7 +127837,7 @@ index 350cca3..a108fc5 100644 sub->evt.event = htohl(event, sub->swap); sub->evt.found_lower = htohl(found_lower, sub->swap); diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 0fc6dba..8355d2c 100644 +index 7926de1..8355d2c 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -918,6 +918,12 @@ static struct sock *unix_find_other(struct net *net, @@ -128251,186 +127867,27 @@ index 0fc6dba..8355d2c 100644 if (dentry) touch_atime(&unix_sk(u)->path); } else -@@ -952,32 +965,26 @@ fail: - return NULL; - } - --static int unix_mknod(const char *sun_path, umode_t mode, struct path *res) -+static int unix_mknod(struct dentry *dentry, struct path *path, umode_t mode, -+ struct path *res) - { -- struct dentry *dentry; -- struct path path; -- int err = 0; -- /* -- * Get the parent directory, calculate the hash for last -- * component. -- */ -- dentry = kern_path_create(AT_FDCWD, sun_path, &path, 0); -- err = PTR_ERR(dentry); -- if (IS_ERR(dentry)) -- return err; -+ int err; +@@ -959,13 +972,19 @@ static int unix_mknod(struct dentry *dentry, struct path *path, umode_t mode, -- /* -- * All right, let's create it. -- */ -- err = security_path_mknod(&path, dentry, mode, 0); -+ err = security_path_mknod(path, dentry, mode, 0); + err = security_path_mknod(path, dentry, mode, 0); if (!err) { -- err = vfs_mknod(d_inode(path.dentry), dentry, mode, 0); + if (!gr_acl_handle_mknod(dentry, path->dentry, path->mnt, mode)) { + err = -EACCES; + goto out; + } -+ err = vfs_mknod(d_inode(path->dentry), dentry, mode, 0); + err = vfs_mknod(d_inode(path->dentry), dentry, mode, 0); if (!err) { -- res->mnt = mntget(path.mnt); -+ res->mnt = mntget(path->mnt); + res->mnt = mntget(path->mnt); res->dentry = dget(dentry); + gr_handle_create(dentry, path->mnt); } } -- done_path_create(&path, dentry); -+ -+out: - return err; - } - -@@ -988,10 +995,12 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - struct unix_sock *u = unix_sk(sk); - struct sockaddr_un *sunaddr = (struct sockaddr_un *)uaddr; - char *sun_path = sunaddr->sun_path; -- int err; -+ int err, name_err; - unsigned int hash; - struct unix_address *addr; - struct hlist_head *list; -+ struct path path; -+ struct dentry *dentry; - - err = -EINVAL; - if (sunaddr->sun_family != AF_UNIX) -@@ -1007,14 +1016,34 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - goto out; - addr_len = err; - -+ name_err = 0; -+ dentry = NULL; -+ if (sun_path[0]) { -+ /* Get the parent directory, calculate the hash for last -+ * component. -+ */ -+ dentry = kern_path_create(AT_FDCWD, sun_path, &path, 0); -+ -+ if (IS_ERR(dentry)) { -+ /* delay report until after 'already bound' check */ -+ name_err = PTR_ERR(dentry); -+ dentry = NULL; -+ } -+ } -+ - err = mutex_lock_interruptible(&u->readlock); - if (err) -- goto out; -+ goto out_path; - - err = -EINVAL; - if (u->addr) - goto out_up; -+ if (name_err) { -+ err = name_err == -EEXIST ? -EADDRINUSE : name_err; -+ goto out_up; -+ } -+ - err = -ENOMEM; - addr = kmalloc(sizeof(*addr)+addr_len, GFP_KERNEL); - if (!addr) -@@ -1025,11 +1054,11 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - addr->hash = hash ^ sk->sk_type; - atomic_set(&addr->refcnt, 1); - -- if (sun_path[0]) { -- struct path path; -+ if (dentry) { -+ struct path u_path; - umode_t mode = S_IFSOCK | - (SOCK_INODE(sock)->i_mode & ~current_umask()); -- err = unix_mknod(sun_path, mode, &path); -+ err = unix_mknod(dentry, &path, mode, &u_path); - if (err) { - if (err == -EEXIST) - err = -EADDRINUSE; -@@ -1037,9 +1066,9 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) - goto out_up; - } - addr->hash = UNIX_HASH_SIZE; -- hash = d_backing_inode(path.dentry)->i_ino & (UNIX_HASH_SIZE-1); -+ hash = d_backing_inode(dentry)->i_ino & (UNIX_HASH_SIZE - 1); - spin_lock(&unix_table_lock); -- u->path = path; -+ u->path = u_path; - list = &unix_socket_table[hash]; - } else { - spin_lock(&unix_table_lock); -@@ -1062,6 +1091,10 @@ out_unlock: - spin_unlock(&unix_table_lock); - out_up: - mutex_unlock(&u->readlock); -+out_path: -+ if (dentry) -+ done_path_create(&path, dentry); -+ - out: ++out: return err; } -@@ -1498,6 +1531,21 @@ static void unix_destruct_scm(struct sk_buff *skb) - sock_wfree(skb); - } -+/* -+ * The "user->unix_inflight" variable is protected by the garbage -+ * collection lock, and we just read it locklessly here. If you go -+ * over the limit, there might be a tiny race in actually noticing -+ * it across threads. Tough. -+ */ -+static inline bool too_many_unix_fds(struct task_struct *p) -+{ -+ struct user_struct *user = current_user(); -+ -+ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE))) -+ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); -+ return false; -+} -+ - #define MAX_RECURSION_LEVEL 4 - - static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) -@@ -1506,6 +1554,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) - unsigned char max_level = 0; - int unix_sock_count = 0; - -+ if (too_many_unix_fds(current)) -+ return -ETOOMANYREFS; -+ - for (i = scm->fp->count - 1; i >= 0; i--) { - struct sock *sk = unix_get_socket(scm->fp->fp[i]); - -@@ -1527,10 +1578,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) - if (!UNIXCB(skb).fp) - return -ENOMEM; - -- if (unix_sock_count) { -- for (i = scm->fp->count - 1; i >= 0; i--) -- unix_inflight(scm->fp->fp[i]); -- } -+ for (i = scm->fp->count - 1; i >= 0; i--) -+ unix_inflight(scm->fp->fp[i]); - return max_level; - } - -@@ -2301,6 +2350,7 @@ again: +@@ -2331,6 +2350,7 @@ again: if (signal_pending(current)) { err = sock_intr_errno(timeo); @@ -128438,7 +127895,7 @@ index 0fc6dba..8355d2c 100644 goto out; } -@@ -2765,9 +2815,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2795,9 +2815,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) seq_puts(seq, "Num RefCount Protocol Flags Type St " "Inode Path\n"); else { @@ -128453,7 +127910,7 @@ index 0fc6dba..8355d2c 100644 seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu", s, -@@ -2792,10 +2846,29 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2822,10 +2846,29 @@ static int unix_seq_show(struct seq_file *seq, void *v) seq_putc(seq, '@'); i++; } @@ -128487,56 +127944,6 @@ index 0fc6dba..8355d2c 100644 seq_putc(seq, '\n'); } -diff --git a/net/unix/garbage.c b/net/unix/garbage.c -index a73a226..8fcdc22 100644 ---- a/net/unix/garbage.c -+++ b/net/unix/garbage.c -@@ -120,11 +120,11 @@ void unix_inflight(struct file *fp) - { - struct sock *s = unix_get_socket(fp); - -+ spin_lock(&unix_gc_lock); -+ - if (s) { - struct unix_sock *u = unix_sk(s); - -- spin_lock(&unix_gc_lock); -- - if (atomic_long_inc_return(&u->inflight) == 1) { - BUG_ON(!list_empty(&u->link)); - list_add_tail(&u->link, &gc_inflight_list); -@@ -132,25 +132,28 @@ void unix_inflight(struct file *fp) - BUG_ON(list_empty(&u->link)); - } - unix_tot_inflight++; -- spin_unlock(&unix_gc_lock); - } -+ fp->f_cred->user->unix_inflight++; -+ spin_unlock(&unix_gc_lock); - } - - void unix_notinflight(struct file *fp) - { - struct sock *s = unix_get_socket(fp); - -+ spin_lock(&unix_gc_lock); -+ - if (s) { - struct unix_sock *u = unix_sk(s); - -- spin_lock(&unix_gc_lock); - BUG_ON(list_empty(&u->link)); - - if (atomic_long_dec_and_test(&u->inflight)) - list_del_init(&u->link); - unix_tot_inflight--; -- spin_unlock(&unix_gc_lock); - } -+ fp->f_cred->user->unix_inflight--; -+ spin_unlock(&unix_gc_lock); - } - - static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *), diff --git a/net/unix/sysctl_net_unix.c b/net/unix/sysctl_net_unix.c index b3d5150..ff3a837 100644 --- a/net/unix/sysctl_net_unix.c @@ -128692,7 +128099,7 @@ index 0917f04..f4e3d8c 100644 if (!proc_create("x25/route", S_IRUGO, init_net.proc_net, diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c -index 94af3d0..7db10b8 100644 +index bacd30b..f8ddfe7 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -325,7 +325,7 @@ static void xfrm_policy_kill(struct xfrm_policy *policy) @@ -128744,7 +128151,7 @@ index 94af3d0..7db10b8 100644 return 0; mtu = dst_mtu(dst->child); -@@ -2832,8 +2833,6 @@ int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) +@@ -2831,8 +2832,6 @@ int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) dst_ops->link_failure = xfrm_link_failure; if (likely(dst_ops->neigh_lookup == NULL)) dst_ops->neigh_lookup = xfrm_neigh_lookup; @@ -128753,7 +128160,7 @@ index 94af3d0..7db10b8 100644 rcu_assign_pointer(xfrm_policy_afinfo[afinfo->family], afinfo); } spin_unlock(&xfrm_policy_afinfo_lock); -@@ -2887,7 +2886,6 @@ int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo) +@@ -2866,7 +2865,6 @@ int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo) dst_ops->check = NULL; dst_ops->negative_advice = NULL; dst_ops->link_failure = NULL; @@ -128761,7 +128168,7 @@ index 94af3d0..7db10b8 100644 } return err; } -@@ -3285,7 +3283,7 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol, +@@ -3247,7 +3245,7 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol, sizeof(pol->xfrm_vec[i].saddr)); pol->xfrm_vec[i].encap_family = mp->new_family; /* flush bundles */ @@ -131348,27 +130755,6 @@ index ffd2025..df062c9 100644 /* PCM3052 register definitions */ -diff --git a/sound/core/hrtimer.c b/sound/core/hrtimer.c -index f845ecf..656d9a9 100644 ---- a/sound/core/hrtimer.c -+++ b/sound/core/hrtimer.c -@@ -90,7 +90,7 @@ static int snd_hrtimer_start(struct snd_timer *t) - struct snd_hrtimer *stime = t->private_data; - - atomic_set(&stime->running, 0); -- hrtimer_cancel(&stime->hrt); -+ hrtimer_try_to_cancel(&stime->hrt); - hrtimer_start(&stime->hrt, ns_to_ktime(t->sticks * resolution), - HRTIMER_MODE_REL); - atomic_set(&stime->running, 1); -@@ -101,6 +101,7 @@ static int snd_hrtimer_stop(struct snd_timer *t) - { - struct snd_hrtimer *stime = t->private_data; - atomic_set(&stime->running, 0); -+ hrtimer_try_to_cancel(&stime->hrt); - return 0; - } - diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c index 58550cc..4687a93 100644 --- a/sound/core/oss/pcm_oss.c @@ -131445,7 +130831,7 @@ index 58550cc..4687a93 100644 } } else if (runtime->access == SNDRV_PCM_ACCESS_RW_NONINTERLEAVED) { diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c -index b48b434..e2ba787 100644 +index 9630e9f..2071ac2 100644 --- a/sound/core/pcm_compat.c +++ b/sound/core/pcm_compat.c @@ -31,7 +31,7 @@ static int snd_pcm_ioctl_delay_compat(struct snd_pcm_substream *substream, @@ -131476,7 +130862,7 @@ index 75888dd..c940854 100644 default: result = -EINVAL; diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c -index b64f20d..a68addd 100644 +index 13cfa81..a68addd 100644 --- a/sound/core/seq/seq_clientmgr.c +++ b/sound/core/seq/seq_clientmgr.c @@ -446,7 +446,7 @@ static ssize_t snd_seq_read(struct file *file, char __user *buf, size_t count, @@ -131504,15 +130890,6 @@ index b64f20d..a68addd 100644 event.data.ext.ptr = ptr; } #endif -@@ -1962,7 +1962,7 @@ static int snd_seq_ioctl_remove_events(struct snd_seq_client *client, - * No restrictions so for a user client we can clear - * the whole fifo - */ -- if (client->type == USER_CLIENT) -+ if (client->type == USER_CLIENT && client->data.user.fifo) - snd_seq_fifo_clear(client->data.user.fifo); - } - @@ -2420,7 +2420,7 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg) if (client == NULL) return -ENXIO; @@ -131523,10 +130900,10 @@ index b64f20d..a68addd 100644 return result; } diff --git a/sound/core/seq/seq_compat.c b/sound/core/seq/seq_compat.c -index 81f7c10..296bd6fd 100644 +index 6517590..9905cee 100644 --- a/sound/core/seq/seq_compat.c +++ b/sound/core/seq/seq_compat.c -@@ -59,7 +59,7 @@ static int snd_seq_call_port_info_ioctl(struct snd_seq_client *client, unsigned +@@ -60,7 +60,7 @@ static int snd_seq_call_port_info_ioctl(struct snd_seq_client *client, unsigned data->kernel = NULL; fs = snd_enter_user(); @@ -131566,21 +130943,6 @@ index 8010766..4bd361f 100644 err = -EFAULT; goto __error; } -diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c -index 7dfd0f4..0bec02e 100644 ---- a/sound/core/seq/seq_queue.c -+++ b/sound/core/seq/seq_queue.c -@@ -142,8 +142,10 @@ static struct snd_seq_queue *queue_new(int owner, int locked) - static void queue_delete(struct snd_seq_queue *q) - { - /* stop and release the timer */ -+ mutex_lock(&q->timer_mutex); - snd_seq_timer_stop(q->timer); - snd_seq_timer_close(q); -+ mutex_unlock(&q->timer_mutex); - /* wait until access free */ - snd_use_lock_sync(&q->use_lock); - /* release resources... */ diff --git a/sound/core/sound.c b/sound/core/sound.c index 175f9e4..3518d31 100644 --- a/sound/core/sound.c @@ -131594,171 +130956,6 @@ index 175f9e4..3518d31 100644 } #endif /* modular kernel */ -diff --git a/sound/core/timer.c b/sound/core/timer.c -index 31f40f0..4e8d7bf 100644 ---- a/sound/core/timer.c -+++ b/sound/core/timer.c -@@ -73,7 +73,7 @@ struct snd_timer_user { - struct timespec tstamp; /* trigger tstamp */ - wait_queue_head_t qchange_sleep; - struct fasync_struct *fasync; -- struct mutex tread_sem; -+ struct mutex ioctl_lock; - }; - - /* list of timers */ -@@ -215,11 +215,13 @@ static void snd_timer_check_master(struct snd_timer_instance *master) - slave->slave_id == master->slave_id) { - list_move_tail(&slave->open_list, &master->slave_list_head); - spin_lock_irq(&slave_active_lock); -+ spin_lock(&master->timer->lock); - slave->master = master; - slave->timer = master->timer; - if (slave->flags & SNDRV_TIMER_IFLG_RUNNING) - list_add_tail(&slave->active_list, - &master->slave_active_head); -+ spin_unlock(&master->timer->lock); - spin_unlock_irq(&slave_active_lock); - } - } -@@ -346,15 +348,18 @@ int snd_timer_close(struct snd_timer_instance *timeri) - timer->hw.close) - timer->hw.close(timer); - /* remove slave links */ -+ spin_lock_irq(&slave_active_lock); -+ spin_lock(&timer->lock); - list_for_each_entry_safe(slave, tmp, &timeri->slave_list_head, - open_list) { -- spin_lock_irq(&slave_active_lock); -- _snd_timer_stop(slave, 1, SNDRV_TIMER_EVENT_RESOLUTION); - list_move_tail(&slave->open_list, &snd_timer_slave_list); - slave->master = NULL; - slave->timer = NULL; -- spin_unlock_irq(&slave_active_lock); -+ list_del_init(&slave->ack_list); -+ list_del_init(&slave->active_list); - } -+ spin_unlock(&timer->lock); -+ spin_unlock_irq(&slave_active_lock); - mutex_unlock(®ister_mutex); - } - out: -@@ -441,9 +446,12 @@ static int snd_timer_start_slave(struct snd_timer_instance *timeri) - - spin_lock_irqsave(&slave_active_lock, flags); - timeri->flags |= SNDRV_TIMER_IFLG_RUNNING; -- if (timeri->master) -+ if (timeri->master && timeri->timer) { -+ spin_lock(&timeri->timer->lock); - list_add_tail(&timeri->active_list, - &timeri->master->slave_active_head); -+ spin_unlock(&timeri->timer->lock); -+ } - spin_unlock_irqrestore(&slave_active_lock, flags); - return 1; /* delayed start */ - } -@@ -489,6 +497,8 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri, - if (!keep_flag) { - spin_lock_irqsave(&slave_active_lock, flags); - timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING; -+ list_del_init(&timeri->ack_list); -+ list_del_init(&timeri->active_list); - spin_unlock_irqrestore(&slave_active_lock, flags); - } - goto __end; -@@ -694,7 +704,7 @@ void snd_timer_interrupt(struct snd_timer * timer, unsigned long ticks_left) - } else { - ti->flags &= ~SNDRV_TIMER_IFLG_RUNNING; - if (--timer->running) -- list_del(&ti->active_list); -+ list_del_init(&ti->active_list); - } - if ((timer->hw.flags & SNDRV_TIMER_HW_TASKLET) || - (ti->flags & SNDRV_TIMER_IFLG_FAST)) -@@ -1253,7 +1263,7 @@ static int snd_timer_user_open(struct inode *inode, struct file *file) - return -ENOMEM; - spin_lock_init(&tu->qlock); - init_waitqueue_head(&tu->qchange_sleep); -- mutex_init(&tu->tread_sem); -+ mutex_init(&tu->ioctl_lock); - tu->ticks = 1; - tu->queue_size = 128; - tu->queue = kmalloc(tu->queue_size * sizeof(struct snd_timer_read), -@@ -1273,8 +1283,10 @@ static int snd_timer_user_release(struct inode *inode, struct file *file) - if (file->private_data) { - tu = file->private_data; - file->private_data = NULL; -+ mutex_lock(&tu->ioctl_lock); - if (tu->timeri) - snd_timer_close(tu->timeri); -+ mutex_unlock(&tu->ioctl_lock); - kfree(tu->queue); - kfree(tu->tqueue); - kfree(tu); -@@ -1512,7 +1524,6 @@ static int snd_timer_user_tselect(struct file *file, - int err = 0; - - tu = file->private_data; -- mutex_lock(&tu->tread_sem); - if (tu->timeri) { - snd_timer_close(tu->timeri); - tu->timeri = NULL; -@@ -1556,7 +1567,6 @@ static int snd_timer_user_tselect(struct file *file, - } - - __err: -- mutex_unlock(&tu->tread_sem); - return err; - } - -@@ -1769,7 +1779,7 @@ enum { - SNDRV_TIMER_IOCTL_PAUSE_OLD = _IO('T', 0x23), - }; - --static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, -+static long __snd_timer_user_ioctl(struct file *file, unsigned int cmd, - unsigned long arg) - { - struct snd_timer_user *tu; -@@ -1786,17 +1796,11 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, - { - int xarg; - -- mutex_lock(&tu->tread_sem); -- if (tu->timeri) { /* too late */ -- mutex_unlock(&tu->tread_sem); -+ if (tu->timeri) /* too late */ - return -EBUSY; -- } -- if (get_user(xarg, p)) { -- mutex_unlock(&tu->tread_sem); -+ if (get_user(xarg, p)) - return -EFAULT; -- } - tu->tread = xarg ? 1 : 0; -- mutex_unlock(&tu->tread_sem); - return 0; - } - case SNDRV_TIMER_IOCTL_GINFO: -@@ -1829,6 +1833,18 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, - return -ENOTTY; - } - -+static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, -+ unsigned long arg) -+{ -+ struct snd_timer_user *tu = file->private_data; -+ long ret; -+ -+ mutex_lock(&tu->ioctl_lock); -+ ret = __snd_timer_user_ioctl(file, cmd, arg); -+ mutex_unlock(&tu->ioctl_lock); -+ return ret; -+} -+ - static int snd_timer_user_fasync(int fd, struct file * file, int on) - { - struct snd_timer_user *tu; diff --git a/sound/drivers/mts64.c b/sound/drivers/mts64.c index 2a008a9..a1efb3f 100644 --- a/sound/drivers/mts64.c diff --git a/4.3.4/4425_grsec_remove_EI_PAX.patch b/4.3.5/4425_grsec_remove_EI_PAX.patch index 2a1aa6c..2a1aa6c 100644 --- a/4.3.4/4425_grsec_remove_EI_PAX.patch +++ b/4.3.5/4425_grsec_remove_EI_PAX.patch diff --git a/4.3.4/4427_force_XATTR_PAX_tmpfs.patch b/4.3.5/4427_force_XATTR_PAX_tmpfs.patch index d03130d..d03130d 100644 --- a/4.3.4/4427_force_XATTR_PAX_tmpfs.patch +++ b/4.3.5/4427_force_XATTR_PAX_tmpfs.patch diff --git a/4.3.4/4430_grsec-remove-localversion-grsec.patch b/4.3.5/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/4.3.4/4430_grsec-remove-localversion-grsec.patch +++ b/4.3.5/4430_grsec-remove-localversion-grsec.patch diff --git a/4.3.4/4435_grsec-mute-warnings.patch b/4.3.5/4435_grsec-mute-warnings.patch index b7564e4..b7564e4 100644 --- a/4.3.4/4435_grsec-mute-warnings.patch +++ b/4.3.5/4435_grsec-mute-warnings.patch diff --git a/4.3.4/4440_grsec-remove-protected-paths.patch b/4.3.5/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/4.3.4/4440_grsec-remove-protected-paths.patch +++ b/4.3.5/4440_grsec-remove-protected-paths.patch diff --git a/4.3.4/4450_grsec-kconfig-default-gids.patch b/4.3.5/4450_grsec-kconfig-default-gids.patch index c56ca90..c56ca90 100644 --- a/4.3.4/4450_grsec-kconfig-default-gids.patch +++ b/4.3.5/4450_grsec-kconfig-default-gids.patch diff --git a/4.3.4/4465_selinux-avc_audit-log-curr_ip.patch b/4.3.5/4465_selinux-avc_audit-log-curr_ip.patch index d2e466f..d2e466f 100644 --- a/4.3.4/4465_selinux-avc_audit-log-curr_ip.patch +++ b/4.3.5/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/4.3.4/4470_disable-compat_vdso.patch b/4.3.5/4470_disable-compat_vdso.patch index 8fd85dc..8fd85dc 100644 --- a/4.3.4/4470_disable-compat_vdso.patch +++ b/4.3.5/4470_disable-compat_vdso.patch diff --git a/4.3.4/4475_emutramp_default_on.patch b/4.3.5/4475_emutramp_default_on.patch index afd6019..afd6019 100644 --- a/4.3.4/4475_emutramp_default_on.patch +++ b/4.3.5/4475_emutramp_default_on.patch |