authorAnthony G. Basile <blueness@gentoo.org>2012-12-04 09:26:52 -0500
committerAnthony G. Basile <blueness@gentoo.org>2012-12-04 09:26:52 -0500
commitc435e7e7fcfdefe366f2291aa429725887621c9c (patch)
tree4308409884fe9d1fe2b7cf9e4efff3a704600bd9
parentGrsec/PaX: 2.9.1-{2.6.32.60,3.2.34,3.6.8}-201211261714 (diff)
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.34,3.6.9}-20121203185120121203
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212031850.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211261713.patch)760
-rw-r--r--3.2.34/0000_README2
-rw-r--r--3.2.34/4420_grsecurity-2.9.1-3.2.34-201212031851.patch (renamed from 3.2.34/4420_grsecurity-2.9.1-3.2.34-201211251859.patch)759
-rw-r--r--3.6.9/0000_README (renamed from 3.6.8/0000_README)6
-rw-r--r--3.6.9/1008_linux-3.6.9.patch1763
-rw-r--r--3.6.9/4420_grsecurity-2.9.1-3.6.9-201212031851.patch (renamed from 3.6.8/4420_grsecurity-2.9.1-3.6.8-201211261714.patch)996
-rw-r--r--3.6.9/4425-tmpfs-user-namespace.patch (renamed from 3.6.8/4425-tmpfs-user-namespace.patch)0
-rw-r--r--3.6.9/4430_grsec-remove-localversion-grsec.patch (renamed from 3.6.8/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--3.6.9/4435_grsec-mute-warnings.patch (renamed from 3.6.8/4435_grsec-mute-warnings.patch)0
-rw-r--r--3.6.9/4440_grsec-remove-protected-paths.patch (renamed from 3.6.8/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--3.6.9/4450_grsec-kconfig-default-gids.patch (renamed from 3.6.8/4450_grsec-kconfig-default-gids.patch)0
-rw-r--r--3.6.9/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.6.8/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--3.6.9/4470_disable-compat_vdso.patch (renamed from 3.6.8/4470_disable-compat_vdso.patch)0
14 files changed, 3554 insertions, 734 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 05d6bef..3123ba8 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.59
-Patch: 4420_grsecurity-2.9.1-2.6.32.60-201211261713.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.60-201212031850.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211261713.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212031850.patch
index 6c95f6c..548b2c3 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211261713.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212031850.patch
@@ -11962,10 +11962,10 @@ index cc70c1c..d96d011 100644
#endif /* _ASM_X86_EMERGENCY_RESTART_H */
diff --git a/arch/x86/include/asm/futex.h b/arch/x86/include/asm/futex.h
-index 1f11ce4..7caabd1 100644
+index 1f11ce4..3fed751 100644
--- a/arch/x86/include/asm/futex.h
+++ b/arch/x86/include/asm/futex.h
-@@ -12,16 +12,18 @@
+@@ -12,20 +12,22 @@
#include <asm/system.h>
#define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
@@ -11985,6 +11985,11 @@ index 1f11ce4..7caabd1 100644
asm volatile("1:\tmovl %2, %0\n" \
"\tmovl\t%0, %3\n" \
"\t" insn "\n" \
+- "2:\t" LOCK_PREFIX "cmpxchgl %3, %2\n" \
++ "2:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %2\n" \
+ "\tjnz\t1b\n" \
+ "3:\t.section .fixup,\"ax\"\n" \
+ "4:\tmov\t%5, %1\n" \
@@ -34,10 +36,10 @@
_ASM_EXTABLE(1b, 4b) \
_ASM_EXTABLE(2b, 4b) \
@@ -12056,34 +12061,52 @@ index ba180d9..3bad351 100644
/* EISA */
extern void eisa_set_level_irq(unsigned int irq);
diff --git a/arch/x86/include/asm/i387.h b/arch/x86/include/asm/i387.h
-index 0b20bbb..4cb1396 100644
+index 0b20bbb..953af07 100644
--- a/arch/x86/include/asm/i387.h
+++ b/arch/x86/include/asm/i387.h
-@@ -60,6 +60,11 @@ static inline int fxrstor_checking(struct i387_fxsave_struct *fx)
+@@ -56,10 +56,12 @@ static inline void tolerant_fwait(void)
+ _ASM_EXTABLE(1b, 2b));
+ }
+
+-static inline int fxrstor_checking(struct i387_fxsave_struct *fx)
++static inline int fxrstor_checking(struct i387_fxsave_struct __user *fx)
{
int err;
-+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
-+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
-+ fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
-+#endif
++ fx = (struct i387_fxsave_struct __user *)____m(fx);
+
asm volatile("1: rex64/fxrstor (%[fx])\n\t"
"2:\n"
".section .fixup,\"ax\"\n"
-@@ -105,6 +110,11 @@ static inline int fxsave_user(struct i387_fxsave_struct __user *fx)
+@@ -105,6 +107,8 @@ static inline int fxsave_user(struct i387_fxsave_struct __user *fx)
{
int err;
-+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
-+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
-+ fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
-+#endif
++ fx = (struct i387_fxsave_struct __user *)____m(fx);
+
asm volatile("1: rex64/fxsave (%[fx])\n\t"
"2:\n"
".section .fixup,\"ax\"\n"
-@@ -195,13 +205,8 @@ static inline int fxrstor_checking(struct i387_fxsave_struct *fx)
+@@ -179,15 +183,15 @@ static inline void tolerant_fwait(void)
+ }
+
+ /* perform fxrstor iff the processor has extended states, otherwise frstor */
+-static inline int fxrstor_checking(struct i387_fxsave_struct *fx)
++static inline int fxrstor_checking(struct i387_fxsave_struct __user *fx)
+ {
+ /*
+ * The "nop" is needed to make the instructions the same
+ * length.
+ */
+ alternative_input(
+- "nop ; frstor %1",
+- "fxrstor %1",
++ __copyuser_seg" frstor %1; nop",
++ __copyuser_seg" fxrstor %1",
+ X86_FEATURE_FXSR,
+ "m" (*fx));
+
+@@ -195,13 +199,8 @@ static inline int fxrstor_checking(struct i387_fxsave_struct *fx)
}
/* We need a safe address that is cheap to find and that is already
@@ -12099,7 +12122,7 @@ index 0b20bbb..4cb1396 100644
/*
* These must be called with preempt disabled
-@@ -291,7 +296,7 @@ static inline void kernel_fpu_begin(void)
+@@ -291,7 +290,7 @@ static inline void kernel_fpu_begin(void)
struct thread_info *me = current_thread_info();
preempt_disable();
if (me->status & TS_USEDFPU)
@@ -14576,7 +14599,7 @@ index 632fb44..8bd6fa7 100644
#endif /* _ASM_X86_UACCESS_32_H */
diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
-index db24b21..9dd7cc3 100644
+index db24b21..73adc70 100644
--- a/arch/x86/include/asm/uaccess_64.h
+++ b/arch/x86/include/asm/uaccess_64.h
@@ -9,6 +9,9 @@
@@ -14589,7 +14612,7 @@ index db24b21..9dd7cc3 100644
/*
* Copy To/From Userspace
-@@ -16,116 +19,220 @@
+@@ -16,116 +19,187 @@
/* Handles exceptions in both to and from, but doesn't do access_ok */
__must_check unsigned long
@@ -14634,13 +14657,7 @@ index db24b21..9dd7cc3 100644
+
+ if (!__builtin_constant_p(size)) {
+ check_object_size(dst, size, false);
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
-+ src += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
++ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size);
+ }
switch (size) {
- case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
@@ -14683,13 +14700,7 @@ index db24b21..9dd7cc3 100644
return ret;
default:
- return copy_user_generic(dst, (__force void *)src, size);
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
-+ src += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
++ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size);
}
}
@@ -14722,13 +14733,7 @@ index db24b21..9dd7cc3 100644
+
+ if (!__builtin_constant_p(size)) {
+ check_object_size(src, size, true);
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
-+ dst += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic((__force_kernel void *)dst, src, size);
++ return copy_user_generic((__force_kernel void *)____m(dst), src, size);
+ }
switch (size) {
- case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
@@ -14771,28 +14776,24 @@ index db24b21..9dd7cc3 100644
return ret;
default:
- return copy_user_generic((__force void *)dst, src, size);
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
-+ dst += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic((__force_kernel void *)dst, src, size);
-+ }
-+}
-+
-+static __always_inline __must_check
++ return copy_user_generic((__force_kernel void *)____m(dst), src, size);
+ }
+ }
+
+ static __always_inline __must_check
+-int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+unsigned long copy_to_user(void __user *to, const void *from, unsigned long len)
-+{
+ {
+- int ret = 0;
+ if (access_ok(VERIFY_WRITE, to, len))
+ len = __copy_to_user(to, from, len);
+ return len;
+}
-+
+
+static __always_inline __must_check
+unsigned long copy_from_user(void *to, const void __user *from, unsigned long len)
+{
-+ might_fault();
+ might_fault();
+
+ if (access_ok(VERIFY_READ, from, len))
+ len = __copy_from_user(to, from, len);
@@ -14800,21 +14801,16 @@ index db24b21..9dd7cc3 100644
+ if (!__builtin_constant_p(len))
+ check_object_size(to, len, false);
+ memset(to, 0, len);
- }
++ }
+ return len;
- }
-
- static __always_inline __must_check
--int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
++}
++
++static __always_inline __must_check
+unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned long size)
- {
-- int ret = 0;
++{
+ unsigned ret = 0;
-
- might_fault();
-- if (!__builtin_constant_p(size))
-- return copy_user_generic((__force void *)dst,
-- (__force void *)src, size);
++
++ might_fault();
+
+ pax_track_stack();
+
@@ -14828,18 +14824,11 @@ index db24b21..9dd7cc3 100644
+ return size;
+#endif
+
-+ if (!__builtin_constant_p(size)) {
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
-+ src += PAX_USER_SHADOW_BASE;
-+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
-+ dst += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic((__force_kernel void *)dst,
-+ (__force_kernel const void *)src, size);
-+ }
+ if (!__builtin_constant_p(size))
+- return copy_user_generic((__force void *)dst,
+- (__force void *)src, size);
++ return copy_user_generic((__force_kernel void *)____m(dst),
++ (__force_kernel const void *)____m(src), size);
switch (size) {
case 1: {
u8 tmp;
@@ -14848,7 +14837,7 @@ index db24b21..9dd7cc3 100644
ret, "b", "b", "=q", 1);
if (likely(!ret))
__put_user_asm(tmp, (u8 __user *)dst,
-@@ -134,7 +241,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -134,7 +208,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
}
case 2: {
u16 tmp;
@@ -14857,7 +14846,7 @@ index db24b21..9dd7cc3 100644
ret, "w", "w", "=r", 2);
if (likely(!ret))
__put_user_asm(tmp, (u16 __user *)dst,
-@@ -144,7 +251,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -144,7 +218,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
case 4: {
u32 tmp;
@@ -14866,7 +14855,7 @@ index db24b21..9dd7cc3 100644
ret, "l", "k", "=r", 4);
if (likely(!ret))
__put_user_asm(tmp, (u32 __user *)dst,
-@@ -153,7 +260,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -153,7 +227,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
}
case 8: {
u64 tmp;
@@ -14875,26 +14864,18 @@ index db24b21..9dd7cc3 100644
ret, "q", "", "=r", 8);
if (likely(!ret))
__put_user_asm(tmp, (u64 __user *)dst,
-@@ -161,8 +268,16 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -161,8 +235,8 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
return ret;
}
default:
- return copy_user_generic((__force void *)dst,
- (__force void *)src, size);
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
-+ src += PAX_USER_SHADOW_BASE;
-+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
-+ dst += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic((__force_kernel void *)dst,
-+ (__force_kernel const void *)src, size);
++ return copy_user_generic((__force_kernel void *)____m(dst),
++ (__force_kernel const void *)____m(src), size);
}
}
-@@ -173,36 +288,78 @@ __strncpy_from_user(char *dst, const char __user *src, long count);
+@@ -173,36 +247,62 @@ __strncpy_from_user(char *dst, const char __user *src, long count);
__must_check long strnlen_user(const char __user *str, long n);
__must_check long __strnlen_user(const char __user *str, long n);
__must_check long strlen_user(const char __user *str);
@@ -14912,18 +14893,10 @@ index db24b21..9dd7cc3 100644
+
+ if (size > INT_MAX)
+ return size;
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if (!__access_ok(VERIFY_READ, src, size))
-+ return size;
-static __must_check __always_inline int
-__copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
-+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
-+ src += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
++ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size);
+}
+
+static __must_check __always_inline unsigned long
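Review bot: The UDEREF-only `__access_ok(VERIFY_READ, src, size)` guard that the previous revision had in `__copy_from_user_inatomic` is dropped here, leaving `size > INT_MAX` as the only visible check before `copy_user_generic(dst, ... ____m(src), size)`; the next hunk does the same for `__access_ok(VERIFY_WRITE, dst, size)` in `__copy_to_user_inatomic`. `____m()` is defined outside these hunks, so whether it passes an address at or above `PAX_USER_SHADOW_BASE` through untouched cannot be confirmed from here; if it does, these helpers now depend entirely on every caller having done `access_ok()` first. A one-line comment stating that contract, e.g. `/* caller must have validated src with access_ok() */`, would make the change auditable.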
@@ -14933,15 +14906,7 @@ index db24b21..9dd7cc3 100644
+ if (size > INT_MAX)
+ return size;
+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if (!__access_ok(VERIFY_WRITE, dst, size))
-+ return size;
-+
-+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
-+ dst += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic((__force_kernel void *)dst, src, size);
++ return copy_user_generic((__force_kernel void *)____m(dst), src, size);
}
-extern long __copy_user_nocache(void *dst, const void __user *src,
@@ -15159,39 +15124,39 @@ index 2c756fd..3377e37 100644
extern struct x86_init_ops x86_init;
extern struct x86_cpuinit_ops x86_cpuinit;
diff --git a/arch/x86/include/asm/xsave.h b/arch/x86/include/asm/xsave.h
-index 727acc1..554f3eb 100644
+index 727acc1..52c9e4c 100644
--- a/arch/x86/include/asm/xsave.h
+++ b/arch/x86/include/asm/xsave.h
-@@ -56,6 +56,12 @@ static inline int xrstor_checking(struct xsave_struct *fx)
+@@ -56,7 +56,12 @@ static inline int xrstor_checking(struct xsave_struct *fx)
static inline int xsave_user(struct xsave_struct __user *buf)
{
int err;
+- __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
+
-+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
-+ if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
-+ buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
-+#endif
++ buf = (struct xsave_struct __user *)____m(buf);
+
- __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
++ __asm__ __volatile__("1:"
++ __copyuser_seg
++ ".byte " REX_PREFIX "0x0f,0xae,0x27\n"
"2:\n"
".section .fixup,\"ax\"\n"
-@@ -78,10 +84,15 @@ static inline int xsave_user(struct xsave_struct __user *buf)
+ "3: movl $-1,%[err]\n"
+@@ -78,11 +83,13 @@ static inline int xsave_user(struct xsave_struct __user *buf)
static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
{
int err;
- struct xsave_struct *xstate = ((__force struct xsave_struct *)buf);
-+ struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)buf);
++ struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)____m(buf));
u32 lmask = mask;
u32 hmask = mask >> 32;
-+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
-+ if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
-+ xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
-+#endif
-+
- __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
+- __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
++ __asm__ __volatile__("1:"
++ __copyuser_seg
++ ".byte " REX_PREFIX "0x0f,0xae,0x2f\n"
"2:\n"
".section .fixup,\"ax\"\n"
+ "3: movl $-1,%[err]\n"
diff --git a/arch/x86/kernel/acpi/realmode/Makefile b/arch/x86/kernel/acpi/realmode/Makefile
index 6a564ac..3f3a3d7 100644
--- a/arch/x86/kernel/acpi/realmode/Makefile
@@ -16437,7 +16402,7 @@ index 81086c2..13e8b17 100644
const struct stacktrace_ops *ops, void *data,
unsigned long *end, int *graph);
diff --git a/arch/x86/kernel/dumpstack_32.c b/arch/x86/kernel/dumpstack_32.c
-index f7dd2a7..504f53b 100644
+index f7dd2a7..c7b8ce6 100644
--- a/arch/x86/kernel/dumpstack_32.c
+++ b/arch/x86/kernel/dumpstack_32.c
@@ -53,16 +53,12 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
@@ -16471,7 +16436,7 @@ index f7dd2a7..504f53b 100644
unsigned int code_len = code_bytes;
unsigned char c;
u8 *ip;
-+ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
++ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(0)[(0xffff & regs->cs) >> 3]);
printk(KERN_EMERG "Stack:\n");
show_stack_log_lvl(NULL, regs, &regs->sp,
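Review bot: `cs_base` is now read from `get_cpu_gdt_table(0)`, i.e. always CPU 0's GDT, whereas the other places in this update that drop `smp_processor_id()` (show_registers in dumpstack_64.c and __show_regs in process_32.c) switch to `raw_smp_processor_id()` instead. If the aim is only to avoid the preemption-debug check on the oops path, `get_cpu_gdt_table(raw_smp_processor_id())` would keep the lookup on the faulting CPU's table and stay consistent with those hunks. If the hard-coded 0 is deliberate because the descriptor for this selector is identical in every per-CPU GDT, a comment saying so is worth adding, e.g. `/* CS descriptor base is the same in every per-CPU GDT */`. The enclosing function starts and ends outside the hunk.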
@@ -16522,7 +16487,7 @@ index f7dd2a7..504f53b 100644
return 0;
if (probe_kernel_address((unsigned short *)ip, ud2))
diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c
-index a071e6b..047e748 100644
+index a071e6b..1ad66d7 100644
--- a/arch/x86/kernel/dumpstack_64.c
+++ b/arch/x86/kernel/dumpstack_64.c
@@ -116,8 +116,8 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
@@ -16585,6 +16550,15 @@ index a071e6b..047e748 100644
put_cpu();
}
EXPORT_SYMBOL(dump_trace);
+@@ -248,7 +252,7 @@ void show_registers(struct pt_regs *regs)
+ {
+ int i;
+ unsigned long sp;
+- const int cpu = smp_processor_id();
++ const int cpu = raw_smp_processor_id();
+ struct task_struct *cur = current;
+
+ sp = regs->sp;
@@ -304,3 +308,50 @@ int is_valid_bugaddr(unsigned long ip)
return ud2 == 0x0b0f;
}
@@ -17794,7 +17768,7 @@ index c097e7d..a3f1930 100644
/*
* End of kprobes section
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index 34a56a9..9df0232 100644
+index 34a56a9..7da97ae 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -53,6 +53,8 @@
@@ -18424,7 +18398,7 @@ index 34a56a9..9df0232 100644
retint_restore_args: /* return to kernel space */
DISABLE_INTERRUPTS(CLBR_ANY)
+ pax_exit_kernel
-+ pax_force_retaddr RIP-ARGOFFSET
++ pax_force_retaddr (RIP-ARGOFFSET)
/*
* The iretq could re-enable interrupts:
*/
@@ -20874,7 +20848,7 @@ index fc6c84d..0312ca2 100644
+#endif
diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c
-index c40c432..6e1df72 100644
+index c40c432..e88c62c 100644
--- a/arch/x86/kernel/process_32.c
+++ b/arch/x86/kernel/process_32.c
@@ -67,6 +67,7 @@ asmlinkage void ret_from_fork(void) __asm__("ret_from_fork");
@@ -20903,6 +20877,15 @@ index c40c432..6e1df72 100644
printk("\n");
+@@ -152,7 +152,7 @@ void __show_regs(struct pt_regs *regs, int all)
+
+ printk("EIP: %04x:[<%08lx>] EFLAGS: %08lx CPU: %d\n",
+ (u16)regs->cs, regs->ip, regs->flags,
+- smp_processor_id());
++ raw_smp_processor_id());
+ print_symbol("EIP is at %s\n", regs->ip);
+
+ printk("EAX: %08lx EBX: %08lx ECX: %08lx EDX: %08lx\n",
@@ -210,10 +210,10 @@ int kernel_thread(int (*fn)(void *), void *arg, unsigned long flags)
regs.bx = (unsigned long) fn;
regs.dx = (unsigned long) arg;
@@ -23227,7 +23210,7 @@ index 3909e3b..5433a97 100644
EXPORT_SYMBOL(copy_page);
diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c
-index c5ee17e..d63218f 100644
+index c5ee17e..e73621d2 100644
--- a/arch/x86/kernel/xsave.c
+++ b/arch/x86/kernel/xsave.c
@@ -54,7 +54,7 @@ int check_for_xstate(struct i387_fxsave_struct __user *buf,
@@ -23244,19 +23227,20 @@ index c5ee17e..d63218f 100644
*/
xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
- return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
-+ return fxrstor_checking((struct i387_fxsave_struct __force_kernel *)buf);
++ return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
}
/*
-@@ -228,7 +228,7 @@ int restore_i387_xstate(void __user *buf)
+@@ -228,8 +228,7 @@ int restore_i387_xstate(void __user *buf)
if (task_thread_info(tsk)->status & TS_XSAVE)
err = restore_user_xstate(buf);
else
- err = fxrstor_checking((__force struct i387_fxsave_struct *)
-+ err = fxrstor_checking((struct i387_fxsave_struct __user *)
- buf);
+- buf);
++ err = fxrstor_checking((struct i387_fxsave_struct __user *)buf);
if (unlikely(err)) {
/*
+ * Encountered an error while doing the restore from the
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index aa2d905..d7384e3 100644
--- a/arch/x86/kvm/emulate.c
@@ -24396,36 +24380,24 @@ index f0dba36..48cb4d6 100644
CFI_RESTORE_STATE
diff --git a/arch/x86/lib/csum-wrappers_64.c b/arch/x86/lib/csum-wrappers_64.c
-index 459b58a..9570bc7 100644
+index 459b58a..d67737f 100644
--- a/arch/x86/lib/csum-wrappers_64.c
+++ b/arch/x86/lib/csum-wrappers_64.c
-@@ -52,7 +52,13 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
+@@ -52,7 +52,7 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
len -= 2;
}
}
- isum = csum_partial_copy_generic((__force const void *)src,
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
-+ src += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ isum = csum_partial_copy_generic((const void __force_kernel *)src,
++ isum = csum_partial_copy_generic((const void __force_kernel *)____m(src),
dst, len, isum, errp, NULL);
if (unlikely(*errp))
goto out_err;
-@@ -105,7 +111,13 @@ csum_partial_copy_to_user(const void *src, void __user *dst,
+@@ -105,7 +105,7 @@ csum_partial_copy_to_user(const void *src, void __user *dst,
}
*errp = 0;
- return csum_partial_copy_generic(src, (void __force *)dst,
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
-+ dst += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return csum_partial_copy_generic(src, (void __force_kernel *)dst,
++ return csum_partial_copy_generic(src, (void __force_kernel *)____m(dst),
len, isum, NULL, errp);
}
EXPORT_SYMBOL(csum_partial_copy_to_user);
@@ -25966,7 +25938,7 @@ index 1f118d4..7d522b8 100644
+EXPORT_SYMBOL(set_fs);
+#endif
diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c
-index b7c2849..ca4b1cb 100644
+index b7c2849..17c878da 100644
--- a/arch/x86/lib/usercopy_64.c
+++ b/arch/x86/lib/usercopy_64.c
@@ -42,6 +42,12 @@ long
@@ -25982,20 +25954,16 @@ index b7c2849..ca4b1cb 100644
__do_strncpy_from_user(dst, src, count, res);
return res;
}
-@@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
- {
- long __d0;
- might_fault();
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
-+ addr += PAX_USER_SHADOW_BASE;
-+#endif
-+
- /* no memory constraint because it doesn't change any memory gcc knows
- about */
- asm volatile(
-@@ -149,12 +161,20 @@ long strlen_user(const char __user *s)
+@@ -87,7 +93,7 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
+ _ASM_EXTABLE(0b,3b)
+ _ASM_EXTABLE(1b,2b)
+ : [size8] "=&c"(size), [dst] "=&D" (__d0)
+- : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(addr),
++ : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(____m(addr)),
+ [zero] "r" (0UL), [eight] "r" (8UL));
+ return size;
+ }
+@@ -149,12 +155,11 @@ long strlen_user(const char __user *s)
}
EXPORT_SYMBOL(strlen_user);
@@ -26006,22 +25974,13 @@ index b7c2849..ca4b1cb 100644
- return copy_user_generic((__force void *)to, (__force void *)from, len);
- }
- return len;
-+ if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)to < PAX_USER_SHADOW_BASE)
-+ to += PAX_USER_SHADOW_BASE;
-+ if ((unsigned long)from < PAX_USER_SHADOW_BASE)
-+ from += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic((void __force_kernel *)to, (void __force_kernel *)from, len);
-+ }
++ if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len))
++ return copy_user_generic((void __force_kernel *)____m(to), (void __force_kernel *)____m(from), len);
+ return len;
}
EXPORT_SYMBOL(copy_in_user);
-@@ -164,7 +184,7 @@ EXPORT_SYMBOL(copy_in_user);
+@@ -164,7 +169,7 @@ EXPORT_SYMBOL(copy_in_user);
* it is not necessary to optimize tail handling.
*/
unsigned long
@@ -26030,7 +25989,7 @@ index b7c2849..ca4b1cb 100644
{
char c;
unsigned zero_len;
-@@ -181,3 +201,15 @@ copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
+@@ -181,3 +186,15 @@ copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
break;
return len;
}
@@ -70522,9 +70481,27 @@ index fbea856..06efea6 100644
if (!left--) {
if (instance->disconnected)
diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
-index 24e6205..fe5a5d4 100644
+index 24e6205..b94523b 100644
--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
+@@ -1373,7 +1373,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
+ */
+ usb_get_urb(urb);
+ atomic_inc(&urb->use_count);
+- atomic_inc(&urb->dev->urbnum);
++ atomic_inc_unchecked(&urb->dev->urbnum);
+ usbmon_urb_submit(&hcd->self, urb);
+
+ /* NOTE requirements on root-hub callers (usbfs and the hub
+@@ -1401,7 +1401,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
+ urb->hcpriv = NULL;
+ INIT_LIST_HEAD(&urb->urb_list);
+ atomic_dec(&urb->use_count);
+- atomic_dec(&urb->dev->urbnum);
++ atomic_dec_unchecked(&urb->dev->urbnum);
+ if (atomic_read(&urb->reject))
+ wake_up(&usb_kill_urb_queue);
+ usb_put_urb(urb);
@@ -2216,7 +2216,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutdown);
#if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
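Review bot: `urb->dev->urbnum` moves to the `_unchecked` atomic helpers in usb_hcd_submit_urb while `urb->use_count` on the adjacent lines stays on the checked `atomic_inc`/`atomic_dec`, and nothing at the call sites records why one counter is exempt from overflow detection. Presumably urbnum is a pure statistic that may wrap safely; a short comment would make that explicit, e.g. `/* urbnum is a statistics counter, not a reference count; wrap-around is harmless */`. The same conversion is made in show_urbnum (sysfs.c) and usb_alloc_dev (usb.c) in the following hunk. The declaration of the field, which has to change type to match, is not visible in these hunks.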
@@ -70574,6 +70551,32 @@ index bcbe104..9cfd1c6 100644
void usb_mon_deregister(void);
#else
+diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
+index fcdcad4..cf1aadd 100644
+--- a/drivers/usb/core/sysfs.c
++++ b/drivers/usb/core/sysfs.c
+@@ -186,7 +186,7 @@ show_urbnum(struct device *dev, struct device_attribute *attr, char *buf)
+ struct usb_device *udev;
+
+ udev = to_usb_device(dev);
+- return sprintf(buf, "%d\n", atomic_read(&udev->urbnum));
++ return sprintf(buf, "%d\n", atomic_read_unchecked(&udev->urbnum));
+ }
+ static DEVICE_ATTR(urbnum, S_IRUGO, show_urbnum, NULL);
+
+diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
+index ab2d3e7..9c5dffe 100644
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -377,7 +377,7 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent,
+ dev->dev.dma_mask = bus->controller->dma_mask;
+ set_dev_node(&dev->dev, dev_to_node(bus->controller));
+ dev->state = USB_STATE_ATTACHED;
+- atomic_set(&dev->urbnum, 0);
++ atomic_set_unchecked(&dev->urbnum, 0);
+
+ INIT_LIST_HEAD(&dev->ep0.urb_list);
+ dev->ep0.desc.bLength = USB_DT_ENDPOINT_SIZE;
diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
index 62ff5e7..530b74e 100644
--- a/drivers/usb/misc/appledisplay.c
@@ -76149,6 +76152,31 @@ index 95b82e8..12a538d 100644
#endif /* CONFIG_CIFS_STATS2 */
}
+diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c
+index f5618f8..fd7b4d0 100644
+--- a/fs/cifs/readdir.c
++++ b/fs/cifs/readdir.c
+@@ -79,11 +79,17 @@ cifs_readdir_lookup(struct dentry *parent, struct qstr *name,
+
+ dentry = d_lookup(parent, name);
+ if (dentry) {
+- /* FIXME: check for inode number changes? */
+- if (dentry->d_inode != NULL)
++ int err;
++ inode = dentry->d_inode;
++ /* update inode in place if i_ino didn't change */
++ if (inode && CIFS_I(inode)->uniqueid == fattr->cf_uniqueid) {
++ cifs_fattr_to_inode(inode, fattr);
+ return dentry;
+- d_drop(dentry);
++ }
++ err = d_invalidate(dentry);
+ dput(dentry);
++ if (err)
++ return NULL;
+ }
+
+ dentry = d_alloc(parent, name);
diff --git a/fs/coda/cache.c b/fs/coda/cache.c
index a5bf577..6d19845 100644
--- a/fs/coda/cache.c
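Review bot: In cifs_readdir_lookup the cached inode is now updated in place whenever `CIFS_I(inode)->uniqueid == fattr->cf_uniqueid`, and that id comes from the server's directory listing. The visible lines compare nothing else, so if a server reports the same id for an object whose type has changed, `cifs_fattr_to_inode()` would presumably rewrite the attributes of a live inode instead of dropping the dentry. Consider also requiring the file type to match, `(inode->i_mode & S_IFMT) == (fattr->cf_mode & S_IFMT)`, before taking the in-place path. The new `return NULL` on `d_invalidate()` failure also needs the caller, which is outside the hunk, to tolerate a NULL dentry.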
@@ -79913,7 +79941,7 @@ index ec88ff3..b843a82 100644
cache->c_bucket_bits = bucket_bits;
#ifdef MB_CACHE_INDEXES_COUNT
diff --git a/fs/namei.c b/fs/namei.c
-index b0afbd4..e6236df 100644
+index b0afbd4..78b0f63 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -224,6 +224,14 @@ int generic_permission(struct inode *inode, int mask,
@@ -80037,7 +80065,19 @@ index b0afbd4..e6236df 100644
return retval;
}
-@@ -1576,6 +1604,20 @@ int may_open(struct path *path, int acc_mode, int flag)
+@@ -1251,6 +1279,11 @@ static int __lookup_one_len(const char *name, struct qstr *this,
+ if (!len)
+ return -EACCES;
+
++ if (unlikely(name[0] == '.')) {
++ if (len < 2 || (len == 2 && name[1] == '.'))
++ return ERR_PTR(-EACCES);
++ }
++
+ hash = init_name_hash();
+ while (len--) {
+ c = *(const unsigned char *)name++;
+@@ -1576,6 +1609,20 @@ int may_open(struct path *path, int acc_mode, int flag)
if (error)
goto err_out;
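Review bot: The new dot-name check in `__lookup_one_len` returns `ERR_PTR(-EACCES)`, but the hunk header shows the function declared as `static int __lookup_one_len(...)` and the existing length check just above it returns plain `-EACCES`. Returning a pointer from an int function relies on an implicit pointer-to-integer conversion and will at least draw a compiler warning; it reads like a carry-over from a tree where the lookup helper returns a dentry pointer. The line should be `return -EACCES;` to match the return type. The body of `__lookup_one_len` continues outside the hunk.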
@@ -80058,7 +80098,7 @@ index b0afbd4..e6236df 100644
if (flag & O_TRUNC) {
error = get_write_access(inode);
if (error)
-@@ -1620,6 +1662,17 @@ static int __open_namei_create(struct nameidata *nd, struct path *path,
+@@ -1620,6 +1667,17 @@ static int __open_namei_create(struct nameidata *nd, struct path *path,
{
int error;
struct dentry *dir = nd->path.dentry;
@@ -80076,7 +80116,7 @@ index b0afbd4..e6236df 100644
if (!IS_POSIXACL(dir->d_inode))
mode &= ~current_umask();
-@@ -1627,6 +1680,8 @@ static int __open_namei_create(struct nameidata *nd, struct path *path,
+@@ -1627,6 +1685,8 @@ static int __open_namei_create(struct nameidata *nd, struct path *path,
if (error)
goto out_unlock;
error = vfs_create(dir->d_inode, path->dentry, mode, nd);
@@ -80085,7 +80125,7 @@ index b0afbd4..e6236df 100644
out_unlock:
mutex_unlock(&dir->d_inode->i_mutex);
dput(nd->path.dentry);
-@@ -1684,6 +1739,7 @@ struct file *do_filp_open(int dfd, const char *pathname,
+@@ -1684,6 +1744,7 @@ struct file *do_filp_open(int dfd, const char *pathname,
struct nameidata nd;
int error;
struct path path;
@@ -80093,7 +80133,7 @@ index b0afbd4..e6236df 100644
struct dentry *dir;
int count = 0;
int will_write;
-@@ -1709,6 +1765,22 @@ struct file *do_filp_open(int dfd, const char *pathname,
+@@ -1709,6 +1770,22 @@ struct file *do_filp_open(int dfd, const char *pathname,
&nd, flag);
if (error)
return ERR_PTR(error);
@@ -80116,7 +80156,7 @@ index b0afbd4..e6236df 100644
goto ok;
}
-@@ -1795,6 +1867,19 @@ do_last:
+@@ -1795,6 +1872,19 @@ do_last:
/*
* It already exists.
*/
@@ -80136,7 +80176,7 @@ index b0afbd4..e6236df 100644
mutex_unlock(&dir->d_inode->i_mutex);
audit_inode(pathname, path.dentry);
-@@ -1887,6 +1972,14 @@ do_link:
+@@ -1887,6 +1977,14 @@ do_link:
error = security_inode_follow_link(path.dentry, &nd);
if (error)
goto exit_dput;
@@ -80151,7 +80191,7 @@ index b0afbd4..e6236df 100644
error = __do_follow_link(&path, &nd);
if (error) {
/* Does someone understand code flow here? Or it is only
-@@ -1915,9 +2008,24 @@ do_link:
+@@ -1915,9 +2013,24 @@ do_link:
}
dir = nd.path.dentry;
mutex_lock(&dir->d_inode->i_mutex);
@@ -80176,7 +80216,7 @@ index b0afbd4..e6236df 100644
goto do_last;
}
-@@ -1984,6 +2092,10 @@ struct dentry *lookup_create(struct nameidata *nd, int is_dir)
+@@ -1984,6 +2097,10 @@ struct dentry *lookup_create(struct nameidata *nd, int is_dir)
}
return dentry;
eexist:
@@ -80187,7 +80227,7 @@ index b0afbd4..e6236df 100644
dput(dentry);
dentry = ERR_PTR(-EEXIST);
fail:
-@@ -2061,6 +2173,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
+@@ -2061,6 +2178,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
error = may_mknod(mode);
if (error)
goto out_dput;
@@ -80205,7 +80245,7 @@ index b0afbd4..e6236df 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2081,6 +2204,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
+@@ -2081,6 +2209,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
}
out_drop_write:
mnt_drop_write(nd.path.mnt);
@@ -80215,7 +80255,7 @@ index b0afbd4..e6236df 100644
out_dput:
dput(dentry);
out_unlock:
-@@ -2134,6 +2260,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
+@@ -2134,6 +2265,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
if (IS_ERR(dentry))
goto out_unlock;
@@ -80227,7 +80267,7 @@ index b0afbd4..e6236df 100644
if (!IS_POSIXACL(nd.path.dentry->d_inode))
mode &= ~current_umask();
error = mnt_want_write(nd.path.mnt);
-@@ -2145,6 +2276,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
+@@ -2145,6 +2281,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
out_drop_write:
mnt_drop_write(nd.path.mnt);
@@ -80238,7 +80278,7 @@ index b0afbd4..e6236df 100644
out_dput:
dput(dentry);
out_unlock:
-@@ -2226,6 +2361,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2226,6 +2366,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
char * name;
struct dentry *dentry;
struct nameidata nd;
@@ -80247,7 +80287,7 @@ index b0afbd4..e6236df 100644
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2250,6 +2387,17 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2250,6 +2392,17 @@ static long do_rmdir(int dfd, const char __user *pathname)
error = PTR_ERR(dentry);
if (IS_ERR(dentry))
goto exit2;
@@ -80265,7 +80305,7 @@ index b0afbd4..e6236df 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit3;
-@@ -2257,6 +2405,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2257,6 +2410,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
if (error)
goto exit4;
error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
@@ -80274,7 +80314,7 @@ index b0afbd4..e6236df 100644
exit4:
mnt_drop_write(nd.path.mnt);
exit3:
-@@ -2318,6 +2468,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2318,6 +2473,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
struct dentry *dentry;
struct nameidata nd;
struct inode *inode = NULL;
@@ -80283,7 +80323,7 @@ index b0afbd4..e6236df 100644
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2337,8 +2489,19 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2337,8 +2494,19 @@ static long do_unlinkat(int dfd, const char __user *pathname)
if (nd.last.name[nd.last.len])
goto slashes;
inode = dentry->d_inode;
@@ -80304,7 +80344,7 @@ index b0afbd4..e6236df 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit2;
-@@ -2346,6 +2509,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2346,6 +2514,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
if (error)
goto exit3;
error = vfs_unlink(nd.path.dentry->d_inode, dentry);
@@ -80313,7 +80353,7 @@ index b0afbd4..e6236df 100644
exit3:
mnt_drop_write(nd.path.mnt);
exit2:
-@@ -2424,6 +2589,11 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
+@@ -2424,6 +2594,11 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
if (IS_ERR(dentry))
goto out_unlock;
@@ -80325,7 +80365,7 @@ index b0afbd4..e6236df 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2431,6 +2601,8 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
+@@ -2431,6 +2606,8 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
if (error)
goto out_drop_write;
error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
@@ -80334,7 +80374,7 @@ index b0afbd4..e6236df 100644
out_drop_write:
mnt_drop_write(nd.path.mnt);
out_dput:
-@@ -2524,6 +2696,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -2524,6 +2701,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
goto out_unlock;
@@ -80355,7 +80395,7 @@ index b0afbd4..e6236df 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2531,6 +2717,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -2531,6 +2722,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
if (error)
goto out_drop_write;
error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
@@ -80364,7 +80404,7 @@ index b0afbd4..e6236df 100644
out_drop_write:
mnt_drop_write(nd.path.mnt);
out_dput:
-@@ -2708,6 +2896,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -2708,6 +2901,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
char *to;
int error;
@@ -80373,7 +80413,7 @@ index b0afbd4..e6236df 100644
error = user_path_parent(olddfd, oldname, &oldnd, &from);
if (error)
goto exit;
-@@ -2764,6 +2954,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -2764,6 +2959,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
if (new_dentry == trap)
goto exit5;
@@ -80386,7 +80426,7 @@ index b0afbd4..e6236df 100644
error = mnt_want_write(oldnd.path.mnt);
if (error)
goto exit5;
-@@ -2773,6 +2969,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -2773,6 +2974,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
goto exit6;
error = vfs_rename(old_dir->d_inode, old_dentry,
new_dir->d_inode, new_dentry);
@@ -80396,7 +80436,7 @@ index b0afbd4..e6236df 100644
exit6:
mnt_drop_write(oldnd.path.mnt);
exit5:
-@@ -2798,6 +2997,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -2798,6 +3002,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
{
@@ -80405,7 +80445,7 @@ index b0afbd4..e6236df 100644
int len;
len = PTR_ERR(link);
-@@ -2807,7 +3008,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+@@ -2807,7 +3013,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
len = strlen(link);
if (len > (unsigned) buflen)
len = buflen;
@@ -80561,6 +80601,19 @@ index cf98da1..da890a9 100644
data.wdog_pid = NULL;
server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL);
if (!server)
+diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
+index a87cbd8..e8638f6 100644
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -830,6 +830,8 @@ out_set_verifier:
+ out_zap_parent:
+ nfs_zap_caches(dir);
+ out_bad:
++ nfs_free_fattr(fattr);
++ nfs_free_fhandle(fhandle);
+ nfs_mark_for_revalidate(dir);
+ if (inode && S_ISDIR(inode->i_mode)) {
+ /* Purge readdir caches. */
diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
index bfaef7b..e9d03ca 100644
--- a/fs/nfs/inode.c
@@ -97017,18 +97070,20 @@ index 4c4e57d..f3c5303 100644
and pointers */
#endif
diff --git a/include/linux/init.h b/include/linux/init.h
-index ff8bde5..c7815d8 100644
+index ff8bde5..ed08ca7 100644
--- a/include/linux/init.h
+++ b/include/linux/init.h
-@@ -38,9 +38,33 @@
+@@ -38,9 +38,36 @@
* Also note, that this data cannot be "const".
*/
+#ifdef MODULE
+#define add_init_latent_entropy
++#define add_devinit_latent_entropy
++#define add_cpuinit_latent_entropy
++#define add_meminit_latent_entropy
+#else
+#define add_init_latent_entropy __latent_entropy
-+#endif
+
+#ifdef CONFIG_HOTPLUG
+#define add_devinit_latent_entropy
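Review bot: With the first `#endif` removed, the `CONFIG_HOTPLUG` block and the ones after it are now nested inside the `#else` of `#ifdef MODULE`, and the closing `#endif` added in the next hunk is bare, so the nesting is easy to misread. Annotating it as `#endif /* MODULE */` would make the structure clear. A one-line comment above `#ifdef MODULE` could also say that all four `add_*_latent_entropy` macros expand to nothing in module builds, since that is the behaviour this change introduces.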
@@ -97047,6 +97102,7 @@ index ff8bde5..c7815d8 100644
+#else
+#define add_meminit_latent_entropy __latent_entropy
+#endif
++#endif
+
/* These are for everybody (although not all archs will actually
discard it in modules) */
@@ -97055,7 +97111,7 @@ index ff8bde5..c7815d8 100644
#define __initdata __section(.init.data)
#define __initconst __section(.init.rodata)
#define __exitdata __section(.exit.data)
-@@ -75,7 +99,7 @@
+@@ -75,7 +102,7 @@
#define __exit __section(.exit.text) __exitused __cold
/* Used for HOTPLUG */
@@ -97064,7 +97120,7 @@ index ff8bde5..c7815d8 100644
#define __devinitdata __section(.devinit.data)
#define __devinitconst __section(.devinit.rodata)
#define __devexit __section(.devexit.text) __exitused __cold
-@@ -83,7 +107,7 @@
+@@ -83,7 +110,7 @@
#define __devexitconst __section(.devexit.rodata)
/* Used for HOTPLUG_CPU */
@@ -97073,7 +97129,7 @@ index ff8bde5..c7815d8 100644
#define __cpuinitdata __section(.cpuinit.data)
#define __cpuinitconst __section(.cpuinit.rodata)
#define __cpuexit __section(.cpuexit.text) __exitused __cold
-@@ -91,7 +115,7 @@
+@@ -91,7 +118,7 @@
#define __cpuexitconst __section(.cpuexit.rodata)
/* Used for MEMORY_HOTPLUG */
@@ -97209,6 +97265,22 @@ index 7922742..27306a2 100644
/* This macro allows us to keep printk typechecking */
static void __check_printsym_format(const char *fmt, ...)
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h
+index 3526cd4..99206e2 100644
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -163,6 +163,11 @@ extern int _cond_resched(void);
+ (__x < 0) ? -__x : __x; \
+ })
+
++#define abs64(x) ({ \
++ s64 __x = (x); \
++ (__x < 0) ? -__x : __x; \
++ })
++
+ #ifdef CONFIG_PROVE_LOCKING
+ void might_fault(void);
+ #else
diff --git a/include/linux/kgdb.h b/include/linux/kgdb.h
index 6adcc29..13369e8 100644
--- a/include/linux/kgdb.h
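Review bot: `abs64()` negates `__x` as a signed `s64`, so for the most negative 64-bit value `-__x` overflows and no correct result exists; nothing at the macro warns about it. Whether the build's overflow flags make that wrap predictably is not visible in this hunk. The 32-bit `div64_s64()` added in lib/div64.c passes both operands through `abs64()` and inherits the case. I would add a comment above the macro, e.g. `/* undefined for the most negative s64 value */`.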
@@ -97423,6 +97495,36 @@ index fbc48f8..0886e57 100644
/*
* Similar to nfs_client_initdata, but without the NFS-specific
+diff --git a/include/linux/math64.h b/include/linux/math64.h
+index c87f152..23fcdfc 100644
+--- a/include/linux/math64.h
++++ b/include/linux/math64.h
+@@ -35,6 +35,14 @@ static inline u64 div64_u64(u64 dividend, u64 divisor)
+ return dividend / divisor;
+ }
+
++/**
++ * div64_s64 - signed 64bit divide with 64bit divisor
++ */
++static inline s64 div64_s64(s64 dividend, s64 divisor)
++{
++ return dividend / divisor;
++}
++
+ #elif BITS_PER_LONG == 32
+
+ #ifndef div_u64_rem
+@@ -53,6 +61,10 @@ extern s64 div_s64_rem(s64 dividend, s32 divisor, s32 *remainder);
+ extern u64 div64_u64(u64 dividend, u64 divisor);
+ #endif
+
++#ifndef div64_s64
++extern s64 div64_s64(s64 dividend, s64 divisor);
++#endif
++
+ #endif /* BITS_PER_LONG */
+
+ /**
diff --git a/include/linux/mca.h b/include/linux/mca.h
index 3797270..7765ede 100644
--- a/include/linux/mca.h
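Review bot: The 64-bit inline `div64_s64()` is a bare `dividend / divisor`, and its kernel-doc is silent on the two inputs a signed divide cannot handle: a zero divisor, and the most negative s64 dividend divided by -1, whose quotient does not fit. Callers that derive either operand from untrusted or device-supplied values need to screen them first. The kernel-doc also omits the `@dividend:` and `@divisor:` lines that the out-of-line version in lib/div64.c carries. I would add those two lines plus a sentence such as `Caller must ensure divisor != 0 and that the quotient fits in s64.`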
@@ -99497,6 +99599,19 @@ index 99c1b4d..bb94261 100644
}
static inline void put_unaligned_le16(u16 val, void *p)
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index a34fa89..ef176bc 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -500,7 +500,7 @@ struct usb_device {
+
+ int pm_usage_cnt;
+ u32 quirks;
+- atomic_t urbnum;
++ atomic_unchecked_t urbnum;
+
+ unsigned long active_duration;
+
diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h
index 79b9837..b5a56f9 100644
--- a/include/linux/vermagic.h
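Review bot: Changing `urbnum` to `atomic_unchecked_t` takes the field out of whatever overflow checking the patched `atomic_t` performs, and nothing at the declaration says why that is safe. From the name it looks like a running count of submitted URBs rather than a reference count, in which case wrapping would be harmless, but that is an inference from this hunk alone. A short comment would record the decision, e.g. `/* statistics counter, not a refcount: wraparound is harmless */`, once confirmed. Every accessor of `urbnum` has to move to the matching `_unchecked` atomic helpers as well, and those call sites are outside this hunk.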
@@ -102011,7 +102126,7 @@ index c28f804..96ea6cb 100644
else
new_fs = fs;
diff --git a/kernel/futex.c b/kernel/futex.c
-index 9c5ffe1..abe0820 100644
+index 9c5ffe1..7c85216 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -54,6 +54,7 @@
@@ -102132,7 +102247,62 @@ index 9c5ffe1..abe0820 100644
goto retry;
}
default:
-@@ -1831,6 +1840,8 @@ static int futex_wait(u32 __user *uaddr, int fshared,
+@@ -775,6 +784,9 @@ static void wake_futex(struct futex_q *q)
+ {
+ struct task_struct *p = q->task;
+
++ if (WARN(q->pi_state || q->rt_waiter, "refusing to wake PI futex\n"))
++ return;
++
+ /*
+ * We set q->lock_ptr = NULL _before_ we wake up the task. If
+ * a non futex wake up happens on another CPU then the task
+@@ -1014,6 +1026,10 @@ retry_private:
+
+ plist_for_each_entry_safe(this, next, head, list) {
+ if (match_futex (&this->key, &key1)) {
++ if (this->pi_state || this->rt_waiter) {
++ ret = -EINVAL;
++ goto out_unlock;
++ }
+ wake_futex(this);
+ if (++ret >= nr_wake)
+ break;
+@@ -1026,6 +1042,10 @@ retry_private:
+ op_ret = 0;
+ plist_for_each_entry_safe(this, next, head, list) {
+ if (match_futex (&this->key, &key2)) {
++ if (this->pi_state || this->rt_waiter) {
++ ret = -EINVAL;
++ goto out_unlock;
++ }
+ wake_futex(this);
+ if (++op_ret >= nr_wake2)
+ break;
+@@ -1034,6 +1054,7 @@ retry_private:
+ ret += op_ret;
+ }
+
++out_unlock:
+ double_unlock_hb(hb1, hb2);
+ out_put_keys:
+ put_futex_key(fshared, &key2);
+@@ -1328,9 +1349,13 @@ retry_private:
+ /*
+ * FUTEX_WAIT_REQEUE_PI and FUTEX_CMP_REQUEUE_PI should always
+ * be paired with each other and no other futex ops.
++ *
++ * We should never be requeueing a futex_q with a pi_state,
++ * which is awaiting a futex_unlock_pi().
+ */
+ if ((requeue_pi && !this->rt_waiter) ||
+- (!requeue_pi && this->rt_waiter)) {
++ (!requeue_pi && this->rt_waiter) ||
++ this->pi_state) {
+ ret = -EINVAL;
+ break;
+ }
+@@ -1831,6 +1856,8 @@ static int futex_wait(u32 __user *uaddr, int fshared,
struct futex_q q;
int ret;
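Review bot: The PI-waiter test `pi_state || rt_waiter` is now open-coded three times in these hunks (the `WARN()` in `wake_futex()` and both `plist_for_each_entry_safe` loops under `retry_private:`), so any later change to what counts as a PI waiter has to be repeated in each place. A small helper such as `static inline bool futex_q_is_pi(const struct futex_q *q) { return q->pi_state || q->rt_waiter; }` would keep them in step. Separately, both loops assign `ret = -EINVAL` before `goto out_unlock`, which discards the count of waiters already woken earlier in the same call. If that is intended, a one-line comment at the `goto` should say so. All of the affected functions begin and end outside the hunks shown.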
@@ -102141,7 +102311,7 @@ index 9c5ffe1..abe0820 100644
if (!bitset)
return -EINVAL;
-@@ -1883,7 +1894,7 @@ retry:
+@@ -1883,7 +1910,7 @@ retry:
restart = &current_thread_info()->restart_block;
restart->fn = futex_wait_restart;
@@ -102150,7 +102320,7 @@ index 9c5ffe1..abe0820 100644
restart->futex.val = val;
restart->futex.time = abs_time->tv64;
restart->futex.bitset = bitset;
-@@ -2245,6 +2256,8 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, int fshared,
+@@ -2245,6 +2272,8 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, int fshared,
struct futex_q q;
int res, ret;
@@ -102159,7 +102329,7 @@ index 9c5ffe1..abe0820 100644
if (uaddr == uaddr2)
return -EINVAL;
-@@ -2438,6 +2451,10 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
+@@ -2438,6 +2467,10 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
if (!p)
goto err_unlock;
ret = -EPERM;
@@ -102170,7 +102340,7 @@ index 9c5ffe1..abe0820 100644
pcred = __task_cred(p);
if (cred->euid != pcred->euid &&
cred->euid != pcred->uid &&
-@@ -2504,7 +2521,7 @@ retry:
+@@ -2504,7 +2537,7 @@ retry:
*/
static inline int fetch_robust_entry(struct robust_list __user **entry,
struct robust_list __user * __user *head,
@@ -102179,7 +102349,7 @@ index 9c5ffe1..abe0820 100644
{
unsigned long uentry;
-@@ -2685,6 +2702,7 @@ static int __init futex_init(void)
+@@ -2685,6 +2718,7 @@ static int __init futex_init(void)
{
u32 curval;
int i;
@@ -102187,7 +102357,7 @@ index 9c5ffe1..abe0820 100644
/*
* This will fail and we want it. Some arch implementations do
-@@ -2696,7 +2714,10 @@ static int __init futex_init(void)
+@@ -2696,7 +2730,10 @@ static int __init futex_init(void)
* implementation, the non functional ones will return
* -ENOSYS.
*/
@@ -106319,6 +106489,79 @@ index 72c8909..7543868 100644
}
EXPORT_SYMBOL(devm_ioport_unmap);
+diff --git a/lib/div64.c b/lib/div64.c
+index a111eb8..5b49191 100644
+--- a/lib/div64.c
++++ b/lib/div64.c
+@@ -77,26 +77,58 @@ s64 div_s64_rem(s64 dividend, s32 divisor, s32 *remainder)
+ EXPORT_SYMBOL(div_s64_rem);
+ #endif
+
+-/* 64bit divisor, dividend and result. dynamic precision */
++/**
++ * div64_u64 - unsigned 64bit divide with 64bit divisor
++ * @dividend: 64bit dividend
++ * @divisor: 64bit divisor
++ *
++ * This implementation is a modified version of the algorithm proposed
++ * by the book 'Hacker's Delight'. The original source and full proof
++ * can be found here and is available for use without restriction.
++ *
++ * 'http://www.hackersdelight.org/HDcode/newCode/divDouble.c'
++ */
+ #ifndef div64_u64
+ u64 div64_u64(u64 dividend, u64 divisor)
+ {
+- u32 high, d;
++ u32 high = divisor >> 32;
++ u64 quot;
+
+- high = divisor >> 32;
+- if (high) {
+- unsigned int shift = fls(high);
++ if (high == 0) {
++ quot = div_u64(dividend, divisor);
++ } else {
++ int n = 1 + fls(high);
++ quot = div_u64(dividend >> n, divisor >> n);
+
+- d = divisor >> shift;
+- dividend >>= shift;
+- } else
+- d = divisor;
++ if (quot != 0)
++ quot--;
++ if ((dividend - quot * divisor) >= divisor)
++ quot++;
++ }
+
+- return div_u64(dividend, d);
++ return quot;
+ }
+ EXPORT_SYMBOL(div64_u64);
+ #endif
+
++/**
++ * div64_s64 - signed 64bit divide with 64bit divisor
++ * @dividend: 64bit dividend
++ * @divisor: 64bit divisor
++ */
++#ifndef div64_s64
++s64 div64_s64(s64 dividend, s64 divisor)
++{
++ s64 quot, t;
++
++ quot = div64_u64(abs64(dividend), abs64(divisor));
++ t = (dividend ^ divisor) >> 63;
++
++ return (quot ^ t) - t;
++}
++EXPORT_SYMBOL(div64_s64);
++#endif
++
+ #endif /* BITS_PER_LONG == 32 */
+
+ /*
diff --git a/lib/dma-debug.c b/lib/dma-debug.c
index 084e879..0674448 100644
--- a/lib/dma-debug.c
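Review bot: In the 32-bit `div64_s64()`, the sign mask `t = (dividend ^ divisor) >> 63` depends on `>>` of a negative `s64` being an arithmetic shift, which ISO C leaves implementation-defined, and the line carries no comment. A note such as `/* t is 0 or -1: relies on arithmetic right shift of a negative s64 */` would also make the conditional negation in `(quot ^ t) - t` readable at a glance. Both kernel-doc blocks sit above their `#ifndef` guards rather than directly above the functions, which may keep documentation tooling from associating them. Moving each comment inside its guard would avoid that.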
@@ -111355,7 +111598,7 @@ index d73d47f..72df42a 100644
entries_size = t->private->entries_size;
nentries = t->private->nentries;
diff --git a/net/can/bcm.c b/net/can/bcm.c
-index 2ffd2e0..72a7486 100644
+index 2ffd2e0..e002f92 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -164,9 +164,15 @@ static int bcm_proc_show(struct seq_file *m, void *v)
@@ -111374,6 +111617,16 @@ index 2ffd2e0..72a7486 100644
seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
seq_printf(m, " <<<\n");
+@@ -1091,6 +1097,9 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
+ op->sk = sk;
+ op->ifindex = ifindex;
+
++ /* ifindex for timeout events w/o previous frame reception */
++ op->rx_ifindex = ifindex;
++
+ /* initialize uninitialized (kzalloc) structure */
+ hrtimer_init(&op->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
+ op->timer.function = bcm_rx_timeout_handler;
diff --git a/net/compat.c b/net/compat.c
index 9559afc..6c62f69 100644
--- a/net/compat.c
@@ -113198,6 +113451,18 @@ index 811984d..11f59b7 100644
seq_printf(m, "Max data size: %d\n", self->max_data_size);
seq_printf(m, "Max header size: %d\n", self->max_header_size);
+diff --git a/net/irda/irttp.c b/net/irda/irttp.c
+index 9cb79f9..d35d057 100644
+--- a/net/irda/irttp.c
++++ b/net/irda/irttp.c
+@@ -439,6 +439,7 @@ struct tsap_cb *irttp_open_tsap(__u8 stsap_sel, int credit, notify_t *notify)
+ lsap = irlmp_open_lsap(stsap_sel, &ttp_notify, 0);
+ if (lsap == NULL) {
+ IRDA_WARNING("%s: unable to allocate LSAP!!\n", __func__);
++ __irttp_close_tsap(self);
+ return NULL;
+ }
+
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index bada1b9..f325943 100644
--- a/net/iucv/af_iucv.c
@@ -114552,6 +114817,38 @@ index 914c419..7a16d2c 100644
return NULL;
/* Allocate the shared key */
+diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
+index acf7c4d..b29621d 100644
+--- a/net/sctp/chunk.c
++++ b/net/sctp/chunk.c
+@@ -272,7 +272,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
+ goto errout;
+ err = sctp_user_addto_chunk(chunk, offset, len, msgh->msg_iov);
+ if (err < 0)
+- goto errout;
++ goto errout_chunk_free;
+
+ offset += len;
+
+@@ -308,7 +308,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
+ __skb_pull(chunk->skb, (__u8 *)chunk->chunk_hdr
+ - (__u8 *)chunk->skb->data);
+ if (err < 0)
+- goto errout;
++ goto errout_chunk_free;
+
+ sctp_datamsg_assign(msg, chunk);
+ list_add_tail(&chunk->frag_list, &msg->chunks);
+@@ -316,6 +316,9 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
+
+ return msg;
+
++errout_chunk_free:
++ sctp_chunk_free(chunk);
++
+ errout:
+ list_for_each_safe(pos, temp, &msg->chunks) {
+ list_del_init(pos);
diff --git a/net/sctp/proc.c b/net/sctp/proc.c
index d093cbf..9fc36fc 100644
--- a/net/sctp/proc.c
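Review bot: The new `errout_chunk_free:` label frees `chunk` and then falls straight into `errout:`, which walks `msg->chunks`, and nothing marks the fall-through as deliberate. It is only safe because each `goto errout_chunk_free` is taken before the chunk has been linked into that list. For the second site this is visible, since `list_add_tail(&chunk->frag_list, &msg->chunks)` follows the error check, while for the first site the linking code is outside the hunk. I would add `/* chunk is not on msg->chunks yet; fall through to release the rest */` after the `sctp_chunk_free(chunk);` line so a later reordering does not turn this into a double free.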
@@ -114596,6 +114893,19 @@ index 1f9843e..9cd0edd 100644
SCTP_DEBUG_PRINTK("sctp_get_port() found a possible match\n");
if (pp->fastreuse && sk->sk_reuse &&
+diff --git a/net/sctp/transport.c b/net/sctp/transport.c
+index e04c9f8..51bc18e 100644
+--- a/net/sctp/transport.c
++++ b/net/sctp/transport.c
+@@ -355,7 +355,7 @@ void sctp_transport_update_rto(struct sctp_transport *tp, __u32 rtt)
+ * 1/8, rto_alpha would be expressed as 3.
+ */
+ tp->rttvar = tp->rttvar - (tp->rttvar >> sctp_rto_beta)
+- + ((abs(tp->srtt - rtt)) >> sctp_rto_beta);
++ + (((__u32)abs64((__s64)tp->srtt - (__s64)rtt)) >> sctp_rto_beta);
+ tp->srtt = tp->srtt - (tp->srtt >> sctp_rto_alpha)
+ + (rtt >> sctp_rto_alpha);
+ } else {
diff --git a/net/socket.c b/net/socket.c
index d449812..4ac08d3c 100644
--- a/net/socket.c
diff --git a/3.2.34/0000_README b/3.2.34/0000_README
index 3c72d25..396e196 100644
--- a/3.2.34/0000_README
+++ b/3.2.34/0000_README
@@ -54,7 +54,7 @@ Patch: 1033_linux-3.2.34.patch
From: http://www.kernel.org
Desc: Linux 3.2.34
-Patch: 4420_grsecurity-2.9.1-3.2.34-201211251859.patch
+Patch: 4420_grsecurity-2.9.1-3.2.34-201212031851.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.34/4420_grsecurity-2.9.1-3.2.34-201211251859.patch b/3.2.34/4420_grsecurity-2.9.1-3.2.34-201212031851.patch
index a958ea6..940e3e9 100644
--- a/3.2.34/4420_grsecurity-2.9.1-3.2.34-201211251859.patch
+++ b/3.2.34/4420_grsecurity-2.9.1-3.2.34-201212031851.patch
@@ -10697,10 +10697,10 @@ index cc70c1c..d96d011 100644
#endif /* _ASM_X86_EMERGENCY_RESTART_H */
diff --git a/arch/x86/include/asm/futex.h b/arch/x86/include/asm/futex.h
-index d09bb03..4ea4194 100644
+index d09bb03..0a3629b 100644
--- a/arch/x86/include/asm/futex.h
+++ b/arch/x86/include/asm/futex.h
-@@ -12,16 +12,18 @@
+@@ -12,20 +12,22 @@
#include <asm/system.h>
#define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
@@ -10720,6 +10720,11 @@ index d09bb03..4ea4194 100644
asm volatile("1:\tmovl %2, %0\n" \
"\tmovl\t%0, %3\n" \
"\t" insn "\n" \
+- "2:\t" LOCK_PREFIX "cmpxchgl %3, %2\n" \
++ "2:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %2\n" \
+ "\tjnz\t1b\n" \
+ "3:\t.section .fixup,\"ax\"\n" \
+ "4:\tmov\t%5, %1\n" \
@@ -34,7 +36,7 @@
_ASM_EXTABLE(1b, 4b) \
_ASM_EXTABLE(2b, 4b) \
@@ -10774,34 +10779,52 @@ index eb92a6e..b98b2f4 100644
/* EISA */
extern void eisa_set_level_irq(unsigned int irq);
diff --git a/arch/x86/include/asm/i387.h b/arch/x86/include/asm/i387.h
-index a850b4d..bae26dc 100644
+index a850b4d..4e4ded4 100644
--- a/arch/x86/include/asm/i387.h
+++ b/arch/x86/include/asm/i387.h
-@@ -92,6 +92,11 @@ static inline int fxrstor_checking(struct i387_fxsave_struct *fx)
+@@ -88,10 +88,12 @@ static inline void sanitize_i387_state(struct task_struct *tsk)
+ }
+
+ #ifdef CONFIG_X86_64
+-static inline int fxrstor_checking(struct i387_fxsave_struct *fx)
++static inline int fxrstor_checking(struct i387_fxsave_struct __user *fx)
{
int err;
-+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
-+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
-+ fx = (struct i387_fxsave_struct __user *)((void *)fx + PAX_USER_SHADOW_BASE);
-+#endif
++ fx = (struct i387_fxsave_struct __user *)____m(fx);
+
/* See comment in fxsave() below. */
#ifdef CONFIG_AS_FXSAVEQ
asm volatile("1: fxrstorq %[fx]\n\t"
-@@ -121,6 +126,11 @@ static inline int fxsave_user(struct i387_fxsave_struct __user *fx)
+@@ -121,6 +123,8 @@ static inline int fxsave_user(struct i387_fxsave_struct __user *fx)
{
int err;
-+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
-+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
-+ fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
-+#endif
++ fx = (struct i387_fxsave_struct __user *)____m(fx);
+
/*
* Clear the bytes not touched by the fxsave and reserved
* for the SW usage.
-@@ -424,7 +434,7 @@ static inline bool interrupted_kernel_fpu_idle(void)
+@@ -189,15 +193,15 @@ static inline void fpu_fxsave(struct fpu *fpu)
+ #else /* CONFIG_X86_32 */
+
+ /* perform fxrstor iff the processor has extended states, otherwise frstor */
+-static inline int fxrstor_checking(struct i387_fxsave_struct *fx)
++static inline int fxrstor_checking(struct i387_fxsave_struct __user *fx)
+ {
+ /*
+ * The "nop" is needed to make the instructions the same
+ * length.
+ */
+ alternative_input(
+- "nop ; frstor %1",
+- "fxrstor %1",
++ __copyuser_seg" frstor %1; nop",
++ __copyuser_seg" fxrstor %1",
+ X86_FEATURE_FXSR,
+ "m" (*fx));
+
+@@ -424,7 +428,7 @@ static inline bool interrupted_kernel_fpu_idle(void)
static inline bool interrupted_user_mode(void)
{
struct pt_regs *regs = get_irq_regs();
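Review bot: Replacing the open-coded `if ((unsigned long)fx < PAX_USER_SHADOW_BASE)` adjustment with `____m(fx)` hides the one rule a reader needs, that only addresses below the shadow base are rebased, behind a macro whose definition is not in these hunks. `fxrstor_checking()` is also re-typed to take a `__user` pointer in both the 64-bit and 32-bit variants, and whether every caller really passes a user address cannot be seen here. A one-line comment at the first use would help, e.g. `/* ____m(): rebase a userland address into the UDEREF shadow range; other addresses pass through */`, assuming that is what the macro does, which should be checked against its definition. The same substitution recurs in the uaccess_64.h and xsave.h hunks of this patch.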
@@ -13208,7 +13231,7 @@ index 566e803..4e55748 100644
}
diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
-index 1c66d30..a4ba048 100644
+index 1c66d30..cf36db0 100644
--- a/arch/x86/include/asm/uaccess_64.h
+++ b/arch/x86/include/asm/uaccess_64.h
@@ -10,6 +10,9 @@
@@ -13238,7 +13261,7 @@ index 1c66d30..a4ba048 100644
{
unsigned ret;
-@@ -32,142 +35,238 @@ copy_user_generic(void *to, const void *from, unsigned len)
+@@ -32,142 +35,205 @@ copy_user_generic(void *to, const void *from, unsigned len)
ASM_OUTPUT2("=a" (ret), "=D" (to), "=S" (from),
"=d" (len)),
"1" (to), "2" (from), "3" (len)
@@ -13338,13 +13361,7 @@ index 1c66d30..a4ba048 100644
+
+ if (!__builtin_constant_p(size)) {
+ check_object_size(dst, size, false);
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
-+ src += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
++ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size);
+ }
switch (size) {
- case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
@@ -13387,13 +13404,7 @@ index 1c66d30..a4ba048 100644
return ret;
default:
- return copy_user_generic(dst, (__force void *)src, size);
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
-+ src += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
++ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size);
}
}
@@ -13424,13 +13435,7 @@ index 1c66d30..a4ba048 100644
+
+ if (!__builtin_constant_p(size)) {
+ check_object_size(src, size, true);
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
-+ dst += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic((__force_kernel void *)dst, src, size);
++ return copy_user_generic((__force_kernel void *)____m(dst), src, size);
+ }
switch (size) {
- case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
@@ -13473,13 +13478,7 @@ index 1c66d30..a4ba048 100644
return ret;
default:
- return copy_user_generic((__force void *)dst, src, size);
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
-+ dst += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic((__force_kernel void *)dst, src, size);
++ return copy_user_generic((__force_kernel void *)____m(dst), src, size);
}
}
@@ -13491,9 +13490,6 @@ index 1c66d30..a4ba048 100644
+ unsigned ret = 0;
might_fault();
-- if (!__builtin_constant_p(size))
-- return copy_user_generic((__force void *)dst,
-- (__force void *)src, size);
+
+ if (size > INT_MAX)
+ return size;
@@ -13505,18 +13501,11 @@ index 1c66d30..a4ba048 100644
+ return size;
+#endif
+
-+ if (!__builtin_constant_p(size)) {
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
-+ src += PAX_USER_SHADOW_BASE;
-+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
-+ dst += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic((__force_kernel void *)dst,
-+ (__force_kernel const void *)src, size);
-+ }
+ if (!__builtin_constant_p(size))
+- return copy_user_generic((__force void *)dst,
+- (__force void *)src, size);
++ return copy_user_generic((__force_kernel void *)____m(dst),
++ (__force_kernel const void *)____m(src), size);
switch (size) {
case 1: {
u8 tmp;
@@ -13525,7 +13514,7 @@ index 1c66d30..a4ba048 100644
ret, "b", "b", "=q", 1);
if (likely(!ret))
__put_user_asm(tmp, (u8 __user *)dst,
-@@ -176,7 +275,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -176,7 +242,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
}
case 2: {
u16 tmp;
@@ -13534,7 +13523,7 @@ index 1c66d30..a4ba048 100644
ret, "w", "w", "=r", 2);
if (likely(!ret))
__put_user_asm(tmp, (u16 __user *)dst,
-@@ -186,7 +285,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -186,7 +252,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
case 4: {
u32 tmp;
@@ -13543,7 +13532,7 @@ index 1c66d30..a4ba048 100644
ret, "l", "k", "=r", 4);
if (likely(!ret))
__put_user_asm(tmp, (u32 __user *)dst,
-@@ -195,7 +294,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -195,7 +261,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
}
case 8: {
u64 tmp;
@@ -13552,26 +13541,18 @@ index 1c66d30..a4ba048 100644
ret, "q", "", "=r", 8);
if (likely(!ret))
__put_user_asm(tmp, (u64 __user *)dst,
-@@ -203,8 +302,16 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -203,8 +269,8 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
return ret;
}
default:
- return copy_user_generic((__force void *)dst,
- (__force void *)src, size);
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
-+ src += PAX_USER_SHADOW_BASE;
-+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
-+ dst += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic((__force_kernel void *)dst,
-+ (__force_kernel const void *)src, size);
++ return copy_user_generic((__force_kernel void *)____m(dst),
++ (__force_kernel const void *)____m(src), size);
}
}
-@@ -215,39 +322,76 @@ __strncpy_from_user(char *dst, const char __user *src, long count);
+@@ -215,39 +281,60 @@ __strncpy_from_user(char *dst, const char __user *src, long count);
__must_check long strnlen_user(const char __user *str, long n);
__must_check long __strnlen_user(const char __user *str, long n);
__must_check long strlen_user(const char __user *str);
@@ -13588,15 +13569,7 @@ index 1c66d30..a4ba048 100644
+ if (size > INT_MAX)
+ return size;
+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if (!__access_ok(VERIFY_READ, src, size))
-+ return size;
-+
-+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
-+ src += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
++ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size);
}
-static __must_check __always_inline int
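Review bot: The `__access_ok(VERIFY_READ, src, size)` early return that the previous revision performed under `CONFIG_PAX_MEMORY_UDEREF` is dropped here, leaving only the `size > INT_MAX` guard before `copy_user_generic(dst, ... ____m(src), size)`. The matching `VERIFY_WRITE` check is dropped in the next hunk. `____m` is defined outside these hunks, so whether it enforces an equivalent range restriction cannot be confirmed from these lines. If validating the user range is now solely the caller's job, a comment above the function should say so, e.g. `/* caller must already have validated src with access_ok() */`. The function's signature lies outside the hunk.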
@@ -13608,15 +13581,7 @@ index 1c66d30..a4ba048 100644
+ if (size > INT_MAX)
+ return size;
+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if (!__access_ok(VERIFY_WRITE, dst, size))
-+ return size;
-+
-+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
-+ dst += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic((__force_kernel void *)dst, src, size);
++ return copy_user_generic((__force_kernel void *)____m(dst), src, size);
}
-extern long __copy_user_nocache(void *dst, const void __user *src,
@@ -13799,38 +13764,45 @@ index 1971e65..1e3559b 100644
extern struct x86_init_ops x86_init;
extern struct x86_cpuinit_ops x86_cpuinit;
diff --git a/arch/x86/include/asm/xsave.h b/arch/x86/include/asm/xsave.h
-index c6ce245..ffbdab7 100644
+index c6ce245..aab6adb 100644
--- a/arch/x86/include/asm/xsave.h
+++ b/arch/x86/include/asm/xsave.h
-@@ -65,6 +65,11 @@ static inline int xsave_user(struct xsave_struct __user *buf)
+@@ -65,6 +65,8 @@ static inline int xsave_user(struct xsave_struct __user *buf)
{
int err;
-+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
-+ if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
-+ buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
-+#endif
++ buf = (struct xsave_struct __user *)____m(buf);
+
/*
* Clear the xsave header first, so that reserved fields are
* initialized to zero.
-@@ -96,10 +101,15 @@ static inline int xsave_user(struct xsave_struct __user *buf)
+@@ -74,7 +76,9 @@ static inline int xsave_user(struct xsave_struct __user *buf)
+ if (unlikely(err))
+ return -EFAULT;
+
+- __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
++ __asm__ __volatile__("1:"
++ __copyuser_seg
++ ".byte " REX_PREFIX "0x0f,0xae,0x27\n"
+ "2:\n"
+ ".section .fixup,\"ax\"\n"
+ "3: movl $-1,%[err]\n"
+@@ -96,11 +100,13 @@ static inline int xsave_user(struct xsave_struct __user *buf)
static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
{
int err;
- struct xsave_struct *xstate = ((__force struct xsave_struct *)buf);
-+ struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)buf);
++ struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)____m(buf));
u32 lmask = mask;
u32 hmask = mask >> 32;
-+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
-+ if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
-+ xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
-+#endif
-+
- __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
+- __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
++ __asm__ __volatile__("1:"
++ __copyuser_seg
++ ".byte " REX_PREFIX "0x0f,0xae,0x2f\n"
"2:\n"
".section .fixup,\"ax\"\n"
+ "3: movl $-1,%[err]\n"
diff --git a/arch/x86/kernel/acpi/realmode/Makefile b/arch/x86/kernel/acpi/realmode/Makefile
index 6a564ac..3f3a3d7 100644
--- a/arch/x86/kernel/acpi/realmode/Makefile
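Review bot: The unconditional `buf = (struct xsave_struct __user *)____m(buf);` in xsave_user() and the `____m(buf)` initialiser in xrestore_user() replace blocks that were guarded by `CONFIG_X86_64 && CONFIG_PAX_MEMORY_UDEREF`, so they are only correct if `____m()` is an identity mapping wherever that guard was false. The macro's definition is not in this hunk, and its name gives a reader nothing to go on. A one-line comment at each use would make the dependency explicit, e.g. `/* ____m(): UDEREF shadow mapping on amd64, identity otherwise */`, presuming that is what the macro does.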
@@ -14826,7 +14798,7 @@ index 1aae78f..aab3a3d 100644
if (__die(str, regs, err))
diff --git a/arch/x86/kernel/dumpstack_32.c b/arch/x86/kernel/dumpstack_32.c
-index c99f9ed..2a15d80 100644
+index c99f9ed..025ebd3 100644
--- a/arch/x86/kernel/dumpstack_32.c
+++ b/arch/x86/kernel/dumpstack_32.c
@@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
@@ -14859,7 +14831,7 @@ index c99f9ed..2a15d80 100644
unsigned int code_len = code_bytes;
unsigned char c;
u8 *ip;
-+ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
++ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(0)[(0xffff & regs->cs) >> 3]);
printk(KERN_EMERG "Stack:\n");
show_stack_log_lvl(NULL, regs, &regs->sp, 0, KERN_EMERG);
@@ -14909,7 +14881,7 @@ index c99f9ed..2a15d80 100644
+EXPORT_SYMBOL(pax_check_alloca);
+#endif
diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c
-index 6d728d9..6cef684 100644
+index 6d728d9..80f1867 100644
--- a/arch/x86/kernel/dumpstack_64.c
+++ b/arch/x86/kernel/dumpstack_64.c
@@ -119,9 +119,9 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
@@ -14973,6 +14945,15 @@ index 6d728d9..6cef684 100644
put_cpu();
}
EXPORT_SYMBOL(dump_trace);
+@@ -249,7 +253,7 @@ void show_registers(struct pt_regs *regs)
+ {
+ int i;
+ unsigned long sp;
+- const int cpu = smp_processor_id();
++ const int cpu = raw_smp_processor_id();
+ struct task_struct *cur = current;
+
+ sp = regs->sp;
@@ -305,3 +309,50 @@ int is_valid_bugaddr(unsigned long ip)
return ud2 == 0x0b0f;
@@ -15848,7 +15829,7 @@ index 4893d58..0152a42 100644
/*
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index 6274f5f..c1b617b 100644
+index 6274f5f..3d36291 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -55,6 +55,8 @@
@@ -16466,7 +16447,7 @@ index 6274f5f..c1b617b 100644
retint_restore_args: /* return to kernel space */
DISABLE_INTERRUPTS(CLBR_ANY)
+ pax_exit_kernel
-+ pax_force_retaddr RIP-ARGOFFSET
++ pax_force_retaddr (RIP-ARGOFFSET)
/*
* The iretq could re-enable interrupts:
*/
@@ -18747,7 +18728,7 @@ index 59b9b37..f02ee42 100644
+}
+#endif
diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c
-index 8598296..bfadef0 100644
+index 8598296..7c1af45 100644
--- a/arch/x86/kernel/process_32.c
+++ b/arch/x86/kernel/process_32.c
@@ -67,6 +67,7 @@ asmlinkage void ret_from_fork(void) __asm__("ret_from_fork");
@@ -18758,7 +18739,7 @@ index 8598296..bfadef0 100644
}
#ifndef CONFIG_SMP
-@@ -130,15 +131,14 @@ void __show_regs(struct pt_regs *regs, int all)
+@@ -130,21 +131,20 @@ void __show_regs(struct pt_regs *regs, int all)
unsigned long sp;
unsigned short ss, gs;
@@ -18776,6 +18757,13 @@ index 8598296..bfadef0 100644
show_regs_common();
+ printk(KERN_DEFAULT "EIP: %04x:[<%08lx>] EFLAGS: %08lx CPU: %d\n",
+ (u16)regs->cs, regs->ip, regs->flags,
+- smp_processor_id());
++ raw_smp_processor_id());
+ print_symbol("EIP is at %s\n", regs->ip);
+
+ printk(KERN_DEFAULT "EAX: %08lx EBX: %08lx ECX: %08lx EDX: %08lx\n",
@@ -200,13 +200,14 @@ int copy_thread(unsigned long clone_flags, unsigned long sp,
struct task_struct *tsk;
int err;
@@ -20558,7 +20546,7 @@ index 9796c2f..f686fbf 100644
EXPORT_SYMBOL(copy_page);
EXPORT_SYMBOL(clear_page);
diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c
-index 7110911..e8cdee5 100644
+index 7110911..069da9c 100644
--- a/arch/x86/kernel/xsave.c
+++ b/arch/x86/kernel/xsave.c
@@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_struct __user *buf,
@@ -20575,21 +20563,22 @@ index 7110911..e8cdee5 100644
*/
xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
- return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
-+ return fxrstor_checking((struct i387_fxsave_struct __force_kernel *)buf);
++ return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
}
/*
-@@ -295,7 +295,7 @@ int restore_i387_xstate(void __user *buf)
+@@ -295,8 +295,7 @@ int restore_i387_xstate(void __user *buf)
if (use_xsave())
err = restore_user_xstate(buf);
else
- err = fxrstor_checking((__force struct i387_fxsave_struct *)
-+ err = fxrstor_checking((struct i387_fxsave_struct __force_kernel *)
- buf);
+- buf);
++ err = fxrstor_checking((struct i387_fxsave_struct __user *)buf);
if (unlikely(err)) {
/*
+ * Encountered an error while doing the restore from the
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index f5302da..cac3ca9 100644
+index f5302da..6ee193e 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -249,6 +249,7 @@ struct gprefix {
@@ -20617,6 +20606,16 @@ index f5302da..cac3ca9 100644
switch ((ctxt)->dst.bytes) { \
case 1: \
____emulate_2op(ctxt,_op,_bx,_by,"b",u8); \
+@@ -383,8 +381,7 @@ struct gprefix {
+ _ASM_EXTABLE(1b, 3b) \
+ : "=m" ((ctxt)->eflags), "=&r" (_tmp), \
+ "+a" (*rax), "+d" (*rdx), "+qm"(_ex) \
+- : "i" (EFLAGS_MASK), "m" ((ctxt)->src.val), \
+- "a" (*rax), "d" (*rdx)); \
++ : "i" (EFLAGS_MASK), "m" ((ctxt)->src.val)); \
+ } while (0)
+
+ /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 54abb40..a192606 100644
--- a/arch/x86/kvm/lapic.c
@@ -22071,36 +22070,24 @@ index fb903b7..c92b7f7 100644
CFI_RESTORE_STATE
diff --git a/arch/x86/lib/csum-wrappers_64.c b/arch/x86/lib/csum-wrappers_64.c
-index 459b58a..9570bc7 100644
+index 459b58a..d67737f 100644
--- a/arch/x86/lib/csum-wrappers_64.c
+++ b/arch/x86/lib/csum-wrappers_64.c
-@@ -52,7 +52,13 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
+@@ -52,7 +52,7 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
len -= 2;
}
}
- isum = csum_partial_copy_generic((__force const void *)src,
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
-+ src += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ isum = csum_partial_copy_generic((const void __force_kernel *)src,
++ isum = csum_partial_copy_generic((const void __force_kernel *)____m(src),
dst, len, isum, errp, NULL);
if (unlikely(*errp))
goto out_err;
-@@ -105,7 +111,13 @@ csum_partial_copy_to_user(const void *src, void __user *dst,
+@@ -105,7 +105,7 @@ csum_partial_copy_to_user(const void *src, void __user *dst,
}
*errp = 0;
- return csum_partial_copy_generic(src, (void __force *)dst,
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
-+ dst += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return csum_partial_copy_generic(src, (void __force_kernel *)dst,
++ return csum_partial_copy_generic(src, (void __force_kernel *)____m(dst),
len, isum, NULL, errp);
}
EXPORT_SYMBOL(csum_partial_copy_to_user);
@@ -23834,7 +23821,7 @@ index e218d5d..7d522b8 100644
+EXPORT_SYMBOL(set_fs);
+#endif
diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c
-index b7c2849..ca4b1cb 100644
+index b7c2849..17c878da 100644
--- a/arch/x86/lib/usercopy_64.c
+++ b/arch/x86/lib/usercopy_64.c
@@ -42,6 +42,12 @@ long
@@ -23850,20 +23837,16 @@ index b7c2849..ca4b1cb 100644
__do_strncpy_from_user(dst, src, count, res);
return res;
}
-@@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
- {
- long __d0;
- might_fault();
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
-+ addr += PAX_USER_SHADOW_BASE;
-+#endif
-+
- /* no memory constraint because it doesn't change any memory gcc knows
- about */
- asm volatile(
-@@ -149,12 +161,20 @@ long strlen_user(const char __user *s)
+@@ -87,7 +93,7 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
+ _ASM_EXTABLE(0b,3b)
+ _ASM_EXTABLE(1b,2b)
+ : [size8] "=&c"(size), [dst] "=&D" (__d0)
+- : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(addr),
++ : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(____m(addr)),
+ [zero] "r" (0UL), [eight] "r" (8UL));
+ return size;
+ }
+@@ -149,12 +155,11 @@ long strlen_user(const char __user *s)
}
EXPORT_SYMBOL(strlen_user);
@@ -23874,22 +23857,13 @@ index b7c2849..ca4b1cb 100644
- return copy_user_generic((__force void *)to, (__force void *)from, len);
- }
- return len;
-+ if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)to < PAX_USER_SHADOW_BASE)
-+ to += PAX_USER_SHADOW_BASE;
-+ if ((unsigned long)from < PAX_USER_SHADOW_BASE)
-+ from += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic((void __force_kernel *)to, (void __force_kernel *)from, len);
-+ }
++ if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len))
++ return copy_user_generic((void __force_kernel *)____m(to), (void __force_kernel *)____m(from), len);
+ return len;
}
EXPORT_SYMBOL(copy_in_user);
-@@ -164,7 +184,7 @@ EXPORT_SYMBOL(copy_in_user);
+@@ -164,7 +169,7 @@ EXPORT_SYMBOL(copy_in_user);
* it is not necessary to optimize tail handling.
*/
unsigned long
@@ -23898,7 +23872,7 @@ index b7c2849..ca4b1cb 100644
{
char c;
unsigned zero_len;
-@@ -181,3 +201,15 @@ copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
+@@ -181,3 +186,15 @@ copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
break;
return len;
}
@@ -39921,6 +39895,54 @@ index 3440812..2a4ef1f 100644
if (file->f_version != event_count) {
file->f_version = event_count;
return POLLIN | POLLRDNORM;
+diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
+index 032e5a6..bc422e4 100644
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -1475,7 +1475,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
+ */
+ usb_get_urb(urb);
+ atomic_inc(&urb->use_count);
+- atomic_inc(&urb->dev->urbnum);
++ atomic_inc_unchecked(&urb->dev->urbnum);
+ usbmon_urb_submit(&hcd->self, urb);
+
+ /* NOTE requirements on root-hub callers (usbfs and the hub
+@@ -1502,7 +1502,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
+ urb->hcpriv = NULL;
+ INIT_LIST_HEAD(&urb->urb_list);
+ atomic_dec(&urb->use_count);
+- atomic_dec(&urb->dev->urbnum);
++ atomic_dec_unchecked(&urb->dev->urbnum);
+ if (atomic_read(&urb->reject))
+ wake_up(&usb_kill_urb_queue);
+ usb_put_urb(urb);
+diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
+index 662c0cf..6880fbb 100644
+--- a/drivers/usb/core/sysfs.c
++++ b/drivers/usb/core/sysfs.c
+@@ -226,7 +226,7 @@ show_urbnum(struct device *dev, struct device_attribute *attr, char *buf)
+ struct usb_device *udev;
+
+ udev = to_usb_device(dev);
+- return sprintf(buf, "%d\n", atomic_read(&udev->urbnum));
++ return sprintf(buf, "%d\n", atomic_read_unchecked(&udev->urbnum));
+ }
+ static DEVICE_ATTR(urbnum, S_IRUGO, show_urbnum, NULL);
+
+diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
+index 73cd900..40502a4 100644
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -396,7 +396,7 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent,
+ dev->dev.dma_mask = bus->controller->dma_mask;
+ set_dev_node(&dev->dev, dev_to_node(bus->controller));
+ dev->state = USB_STATE_ATTACHED;
+- atomic_set(&dev->urbnum, 0);
++ atomic_set_unchecked(&dev->urbnum, 0);
+
+ INIT_LIST_HEAD(&dev->ep0.urb_list);
+ dev->ep0.desc.bLength = USB_DT_ENDPOINT_SIZE;
diff --git a/drivers/usb/early/ehci-dbgp.c b/drivers/usb/early/ehci-dbgp.c
index 347bb05..63e1b73 100644
--- a/drivers/usb/early/ehci-dbgp.c
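Review bot: `urbnum` is moved to the `*_unchecked` atomic API in usb_hcd_submit_urb(), show_urbnum() and usb_alloc_dev() without any comment saying why wrapping is acceptable for it. From the visible uses it looks like a submission counter exported through sysfs rather than a reference count, which would justify exempting it from overflow detection, but that reasoning is not recorded anywhere in the change. I would add it at the field declaration in include/linux/usb.h (changed later in this patch): `atomic_unchecked_t urbnum; /* statistic only, may wrap; not a refcount */`.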
@@ -39998,7 +40020,7 @@ index 57c01ab..8a05959 100644
/*
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
-index ae66278..579de88b 100644
+index ae66278..b5f6c08 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -631,7 +631,7 @@ static long vhost_set_memory(struct vhost_dev *d, struct vhost_memory __user *m)
@@ -40010,6 +40032,15 @@ index ae66278..579de88b 100644
{
struct file *eventfp, *filep = NULL,
*pollstart = NULL, *pollstop = NULL;
+@@ -1073,7 +1073,7 @@ static int translate_desc(struct vhost_dev *dev, u64 addr, u32 len,
+ }
+ _iov = iov + ret;
+ size = reg->memory_size - addr + reg->guest_phys_addr;
+- _iov->iov_len = min((u64)len, size);
++ _iov->iov_len = min((u64)len - s, size);
+ _iov->iov_base = (void __user *)(unsigned long)
+ (reg->userspace_addr + addr - reg->guest_phys_addr);
+ s += size;
diff --git a/drivers/video/aty/aty128fb.c b/drivers/video/aty/aty128fb.c
index b0b2ac3..89a4399 100644
--- a/drivers/video/aty/aty128fb.c
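Review bot: `min((u64)len - s, size)` in translate_desc() is an unsigned subtraction, so it yields the remaining length only while `s` is below `len`, and nothing in the hunk states that invariant. `s += size` a few lines later adds the full region size rather than the clamped `iov_len`, so `s` can exceed `len` after the last segment; the code then relies on the loop condition, which is outside this hunk, to stop before the subtraction is evaluated again. A comment on the changed line would pin this down once the loop condition has been checked: `/* loop guarantees s < len here, so len - s cannot wrap */`.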
@@ -44985,6 +45016,29 @@ index 703ef5c..2a44ed5 100644
#endif /* CONFIG_CIFS_STATS2 */
}
+diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c
+index 4c37ed4..b722eed 100644
+--- a/fs/cifs/readdir.c
++++ b/fs/cifs/readdir.c
+@@ -86,14 +86,17 @@ cifs_readdir_lookup(struct dentry *parent, struct qstr *name,
+
+ dentry = d_lookup(parent, name);
+ if (dentry) {
++ int err;
+ inode = dentry->d_inode;
+ /* update inode in place if i_ino didn't change */
+ if (inode && CIFS_I(inode)->uniqueid == fattr->cf_uniqueid) {
+ cifs_fattr_to_inode(inode, fattr);
+ return dentry;
+ }
+- d_drop(dentry);
++ err = d_invalidate(dentry);
+ dput(dentry);
++ if (err)
++ return NULL;
+ }
+
+ dentry = d_alloc(parent, name);
diff --git a/fs/coda/cache.c b/fs/coda/cache.c
index 6901578..d402eb5 100644
--- a/fs/coda/cache.c
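Review bot: In cifs_readdir_lookup() the new `int err;` runs straight into `inode = dentry->d_inode;` with no blank line after the declaration, and nothing explains why `d_drop()` became `d_invalidate()` with an early `return NULL`. A short comment would help, along the lines of `/* d_invalidate() can refuse to unhash a dentry that is still in use; do not allocate a duplicate in that case */`, worded after checking the helper's contract for this kernel version. Callers now also see NULL for a busy dentry, so it is worth confirming they treat that the same as the other NULL returns in the part of the function outside the hunk. The same swap in nfs_prime_dcache() (fs/nfs/dir.c, later in this patch) is equally undocumented.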
@@ -48279,7 +48333,7 @@ index fcc50ab..c3dacf2 100644
lock_flocks();
diff --git a/fs/namei.c b/fs/namei.c
-index 9680cef..1abcb10 100644
+index 9680cef..d098ba0 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -279,16 +279,32 @@ int generic_permission(struct inode *inode, int mask)
@@ -48410,7 +48464,21 @@ index 9680cef..1abcb10 100644
if (unlikely(!audit_dummy_context())) {
if (nd->path.dentry && nd->inode)
audit_inode(name, nd->path.dentry);
-@@ -2048,6 +2092,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
+@@ -1784,7 +1828,13 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
+ if (!len)
+ return ERR_PTR(-EACCES);
+
++ if (unlikely(name[0] == '.')) {
++ if (len < 2 || (len == 2 && name[1] == '.'))
++ return ERR_PTR(-EACCES);
++ }
++
+ hash = init_name_hash();
++
+ while (len--) {
+ c = *(const unsigned char *)name++;
+ if (c == '/' || c == '\0')
+@@ -2048,6 +2098,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
if (flag & O_NOATIME && !inode_owner_or_capable(inode))
return -EPERM;
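Review bot: The new check in lookup_one_len() rejects the names "." and ".." but carries no comment, and `len < 2` only means "exactly one character" because of the `if (!len)` return just above it. Writing it as `if (len == 1 || (len == 2 && name[1] == '.'))` under a `/* refuse "." and ".." */` comment would make the intent readable without that context. The hunk also adds a stray blank line after `hash = init_name_hash();`.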
@@ -48424,7 +48492,7 @@ index 9680cef..1abcb10 100644
return 0;
}
-@@ -2083,7 +2134,7 @@ static inline int open_to_namei_flags(int flag)
+@@ -2083,7 +2140,7 @@ static inline int open_to_namei_flags(int flag)
/*
* Handle the last step of open()
*/
@@ -48433,7 +48501,7 @@ index 9680cef..1abcb10 100644
const struct open_flags *op, const char *pathname)
{
struct dentry *dir = nd->path.dentry;
-@@ -2109,16 +2160,44 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2109,16 +2166,44 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
error = complete_walk(nd);
if (error)
return ERR_PTR(error);
@@ -48478,7 +48546,7 @@ index 9680cef..1abcb10 100644
audit_inode(pathname, dir);
goto ok;
}
-@@ -2134,18 +2213,37 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2134,18 +2219,37 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
!symlink_ok);
if (error < 0)
return ERR_PTR(error);
@@ -48517,7 +48585,7 @@ index 9680cef..1abcb10 100644
audit_inode(pathname, nd->path.dentry);
goto ok;
}
-@@ -2180,6 +2278,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2180,6 +2284,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
/* Negative dentry, just create the file */
if (!dentry->d_inode) {
int mode = op->mode;
@@ -48535,7 +48603,7 @@ index 9680cef..1abcb10 100644
if (!IS_POSIXACL(dir->d_inode))
mode &= ~current_umask();
/*
-@@ -2203,6 +2312,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2203,6 +2318,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
error = vfs_create(dir->d_inode, dentry, mode, nd);
if (error)
goto exit_mutex_unlock;
@@ -48544,7 +48612,7 @@ index 9680cef..1abcb10 100644
mutex_unlock(&dir->d_inode->i_mutex);
dput(nd->path.dentry);
nd->path.dentry = dentry;
-@@ -2212,6 +2323,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2212,6 +2329,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
/*
* It already exists.
*/
@@ -48564,7 +48632,7 @@ index 9680cef..1abcb10 100644
mutex_unlock(&dir->d_inode->i_mutex);
audit_inode(pathname, path->dentry);
-@@ -2230,11 +2354,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2230,11 +2360,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
if (!path->dentry->d_inode)
goto exit_dput;
@@ -48583,7 +48651,7 @@ index 9680cef..1abcb10 100644
/* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */
error = complete_walk(nd);
if (error)
-@@ -2242,6 +2372,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2242,6 +2378,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
error = -EISDIR;
if (S_ISDIR(nd->inode->i_mode))
goto exit;
@@ -48596,7 +48664,7 @@ index 9680cef..1abcb10 100644
ok:
if (!S_ISREG(nd->inode->i_mode))
will_truncate = 0;
-@@ -2314,7 +2450,7 @@ static struct file *path_openat(int dfd, const char *pathname,
+@@ -2314,7 +2456,7 @@ static struct file *path_openat(int dfd, const char *pathname,
if (unlikely(error))
goto out_filp;
@@ -48605,7 +48673,7 @@ index 9680cef..1abcb10 100644
while (unlikely(!filp)) { /* trailing symlink */
struct path link = path;
void *cookie;
-@@ -2329,8 +2465,9 @@ static struct file *path_openat(int dfd, const char *pathname,
+@@ -2329,8 +2471,9 @@ static struct file *path_openat(int dfd, const char *pathname,
error = follow_link(&link, nd, &cookie);
if (unlikely(error))
filp = ERR_PTR(error);
@@ -48617,7 +48685,7 @@ index 9680cef..1abcb10 100644
put_link(nd, &link, cookie);
}
out:
-@@ -2424,6 +2561,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path
+@@ -2424,6 +2567,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path
*path = nd.path;
return dentry;
eexist:
@@ -48629,7 +48697,7 @@ index 9680cef..1abcb10 100644
dput(dentry);
dentry = ERR_PTR(-EEXIST);
fail:
-@@ -2446,6 +2588,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat
+@@ -2446,6 +2594,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat
}
EXPORT_SYMBOL(user_path_create);
@@ -48650,7 +48718,7 @@ index 9680cef..1abcb10 100644
int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
{
int error = may_create(dir, dentry);
-@@ -2513,6 +2669,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
+@@ -2513,6 +2675,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
error = mnt_want_write(path.mnt);
if (error)
goto out_dput;
@@ -48668,7 +48736,7 @@ index 9680cef..1abcb10 100644
error = security_path_mknod(&path, dentry, mode, dev);
if (error)
goto out_drop_write;
-@@ -2530,6 +2697,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
+@@ -2530,6 +2703,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
}
out_drop_write:
mnt_drop_write(path.mnt);
@@ -48678,7 +48746,7 @@ index 9680cef..1abcb10 100644
out_dput:
dput(dentry);
mutex_unlock(&path.dentry->d_inode->i_mutex);
-@@ -2579,12 +2749,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
+@@ -2579,12 +2755,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
error = mnt_want_write(path.mnt);
if (error)
goto out_dput;
@@ -48700,7 +48768,7 @@ index 9680cef..1abcb10 100644
out_dput:
dput(dentry);
mutex_unlock(&path.dentry->d_inode->i_mutex);
-@@ -2664,6 +2843,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2664,6 +2849,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
char * name;
struct dentry *dentry;
struct nameidata nd;
@@ -48709,7 +48777,7 @@ index 9680cef..1abcb10 100644
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2692,6 +2873,15 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2692,6 +2879,15 @@ static long do_rmdir(int dfd, const char __user *pathname)
error = -ENOENT;
goto exit3;
}
@@ -48725,7 +48793,7 @@ index 9680cef..1abcb10 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit3;
-@@ -2699,6 +2889,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2699,6 +2895,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
if (error)
goto exit4;
error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
@@ -48734,7 +48802,7 @@ index 9680cef..1abcb10 100644
exit4:
mnt_drop_write(nd.path.mnt);
exit3:
-@@ -2761,6 +2953,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2761,6 +2959,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
struct dentry *dentry;
struct nameidata nd;
struct inode *inode = NULL;
@@ -48743,7 +48811,7 @@ index 9680cef..1abcb10 100644
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2783,6 +2977,16 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2783,6 +2983,16 @@ static long do_unlinkat(int dfd, const char __user *pathname)
if (!inode)
goto slashes;
ihold(inode);
@@ -48760,7 +48828,7 @@ index 9680cef..1abcb10 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit2;
-@@ -2790,6 +2994,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2790,6 +3000,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
if (error)
goto exit3;
error = vfs_unlink(nd.path.dentry->d_inode, dentry);
@@ -48769,7 +48837,7 @@ index 9680cef..1abcb10 100644
exit3:
mnt_drop_write(nd.path.mnt);
exit2:
-@@ -2865,10 +3071,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
+@@ -2865,10 +3077,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
error = mnt_want_write(path.mnt);
if (error)
goto out_dput;
@@ -48788,7 +48856,7 @@ index 9680cef..1abcb10 100644
out_drop_write:
mnt_drop_write(path.mnt);
out_dput:
-@@ -2940,6 +3154,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -2940,6 +3160,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
{
struct dentry *new_dentry;
struct path old_path, new_path;
@@ -48796,7 +48864,7 @@ index 9680cef..1abcb10 100644
int how = 0;
int error;
-@@ -2963,7 +3178,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -2963,7 +3184,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
if (error)
return error;
@@ -48805,7 +48873,7 @@ index 9680cef..1abcb10 100644
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
goto out;
-@@ -2974,13 +3189,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -2974,13 +3195,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
error = mnt_want_write(new_path.mnt);
if (error)
goto out_dput;
@@ -48836,7 +48904,7 @@ index 9680cef..1abcb10 100644
dput(new_dentry);
mutex_unlock(&new_path.dentry->d_inode->i_mutex);
path_put(&new_path);
-@@ -3208,6 +3440,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -3208,6 +3446,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
if (new_dentry == trap)
goto exit5;
@@ -48849,7 +48917,7 @@ index 9680cef..1abcb10 100644
error = mnt_want_write(oldnd.path.mnt);
if (error)
goto exit5;
-@@ -3217,6 +3455,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -3217,6 +3461,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
goto exit6;
error = vfs_rename(old_dir->d_inode, old_dentry,
new_dir->d_inode, new_dentry);
@@ -48859,7 +48927,7 @@ index 9680cef..1abcb10 100644
exit6:
mnt_drop_write(oldnd.path.mnt);
exit5:
-@@ -3242,6 +3483,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -3242,6 +3489,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
{
@@ -48868,7 +48936,7 @@ index 9680cef..1abcb10 100644
int len;
len = PTR_ERR(link);
-@@ -3251,7 +3494,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+@@ -3251,7 +3500,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
len = strlen(link);
if (len > (unsigned) buflen)
len = buflen;
@@ -48960,6 +49028,38 @@ index 1aaa0ee..c5cc5bd 100644
void (*pnfs_callback) (void *data);
void *data;
};
+diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
+index 756f4df..8bd49ca 100644
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -500,7 +500,8 @@ void nfs_prime_dcache(struct dentry *parent, struct nfs_entry *entry)
+ nfs_refresh_inode(dentry->d_inode, entry->fattr);
+ goto out;
+ } else {
+- d_drop(dentry);
++ if (d_invalidate(dentry) != 0)
++ goto out;
+ dput(dentry);
+ }
+ }
+@@ -1164,6 +1165,8 @@ out_set_verifier:
+ out_zap_parent:
+ nfs_zap_caches(dir);
+ out_bad:
++ nfs_free_fattr(fattr);
++ nfs_free_fhandle(fhandle);
+ nfs_mark_for_revalidate(dir);
+ if (inode && S_ISDIR(inode->i_mode)) {
+ /* Purge readdir caches. */
+@@ -1176,8 +1179,6 @@ out_zap_parent:
+ shrink_dcache_parent(dentry);
+ }
+ d_drop(dentry);
+- nfs_free_fattr(fattr);
+- nfs_free_fhandle(fhandle);
+ dput(parent);
+ dfprintk(LOOKUPCACHE, "NFS: %s(%s/%s) is invalid\n",
+ __func__, dentry->d_parent->d_name.name,
diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
index b78b5b6..c64d84f 100644
--- a/fs/nfs/inode.c
@@ -64060,18 +64160,20 @@ index a6deef4..c56a7f2 100644
and pointers */
#endif
diff --git a/include/linux/init.h b/include/linux/init.h
-index 9146f39..0963f76 100644
+index 9146f39..23fa1ea 100644
--- a/include/linux/init.h
+++ b/include/linux/init.h
-@@ -38,9 +38,33 @@
+@@ -38,9 +38,36 @@
* Also note, that this data cannot be "const".
*/
+#ifdef MODULE
+#define add_init_latent_entropy
++#define add_devinit_latent_entropy
++#define add_cpuinit_latent_entropy
++#define add_meminit_latent_entropy
+#else
+#define add_init_latent_entropy __latent_entropy
-+#endif
+
+#ifdef CONFIG_HOTPLUG
+#define add_devinit_latent_entropy
@@ -64090,6 +64192,7 @@ index 9146f39..0963f76 100644
+#else
+#define add_meminit_latent_entropy __latent_entropy
+#endif
++#endif
+
/* These are for everybody (although not all archs will actually
discard it in modules) */
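Review bot: The `#endif` that closes `#ifdef MODULE` now sits after the hotplug-dependent `add_*_latent_entropy` definitions, directly below another `#endif` and far from its opener, which is in the previous hunk. Marking it as `#endif /* MODULE */` would make the new nesting obvious to the next reader.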
@@ -64098,7 +64201,7 @@ index 9146f39..0963f76 100644
#define __initdata __section(.init.data)
#define __initconst __section(.init.rodata)
#define __exitdata __section(.exit.data)
-@@ -82,7 +106,7 @@
+@@ -82,7 +109,7 @@
#define __exit __section(.exit.text) __exitused __cold notrace
/* Used for HOTPLUG */
@@ -64107,7 +64210,7 @@ index 9146f39..0963f76 100644
#define __devinitdata __section(.devinit.data)
#define __devinitconst __section(.devinit.rodata)
#define __devexit __section(.devexit.text) __exitused __cold notrace
-@@ -90,7 +114,7 @@
+@@ -90,7 +117,7 @@
#define __devexitconst __section(.devexit.rodata)
/* Used for HOTPLUG_CPU */
@@ -64116,7 +64219,7 @@ index 9146f39..0963f76 100644
#define __cpuinitdata __section(.cpuinit.data)
#define __cpuinitconst __section(.cpuinit.rodata)
#define __cpuexit __section(.cpuexit.text) __exitused __cold notrace
-@@ -98,7 +122,7 @@
+@@ -98,7 +125,7 @@
#define __cpuexitconst __section(.cpuexit.rodata)
/* Used for MEMORY_HOTPLUG */
@@ -66174,6 +66277,19 @@ index 99c1b4d..bb94261 100644
}
static inline void put_unaligned_le16(u16 val, void *p)
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index 93629fc..0c97651 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -497,7 +497,7 @@ struct usb_device {
+ struct usb_device *children[USB_MAXCHILDREN];
+
+ u32 quirks;
+- atomic_t urbnum;
++ atomic_unchecked_t urbnum;
+
+ unsigned long active_duration;
+
diff --git a/include/linux/usb/renesas_usbhs.h b/include/linux/usb/renesas_usbhs.h
index e5a40c3..20ab0f6 100644
--- a/include/linux/usb/renesas_usbhs.h
@@ -68806,7 +68922,7 @@ index 222457a..de637ca 100644
else
new_fs = fs;
diff --git a/kernel/futex.c b/kernel/futex.c
-index 80fb1c6..2238366 100644
+index 80fb1c6..f2b5e1f 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -54,6 +54,7 @@
@@ -68906,7 +69022,62 @@ index 80fb1c6..2238366 100644
goto retry;
}
default:
-@@ -2724,6 +2733,7 @@ static int __init futex_init(void)
+@@ -840,6 +849,9 @@ static void wake_futex(struct futex_q *q)
+ {
+ struct task_struct *p = q->task;
+
++ if (WARN(q->pi_state || q->rt_waiter, "refusing to wake PI futex\n"))
++ return;
++
+ /*
+ * We set q->lock_ptr = NULL _before_ we wake up the task. If
+ * a non-futex wake up happens on another CPU then the task
+@@ -1075,6 +1087,10 @@ retry_private:
+
+ plist_for_each_entry_safe(this, next, head, list) {
+ if (match_futex (&this->key, &key1)) {
++ if (this->pi_state || this->rt_waiter) {
++ ret = -EINVAL;
++ goto out_unlock;
++ }
+ wake_futex(this);
+ if (++ret >= nr_wake)
+ break;
+@@ -1087,6 +1103,10 @@ retry_private:
+ op_ret = 0;
+ plist_for_each_entry_safe(this, next, head, list) {
+ if (match_futex (&this->key, &key2)) {
++ if (this->pi_state || this->rt_waiter) {
++ ret = -EINVAL;
++ goto out_unlock;
++ }
+ wake_futex(this);
+ if (++op_ret >= nr_wake2)
+ break;
+@@ -1095,6 +1115,7 @@ retry_private:
+ ret += op_ret;
+ }
+
++out_unlock:
+ double_unlock_hb(hb1, hb2);
+ out_put_keys:
+ put_futex_key(&key2);
+@@ -1384,9 +1405,13 @@ retry_private:
+ /*
+ * FUTEX_WAIT_REQEUE_PI and FUTEX_CMP_REQUEUE_PI should always
+ * be paired with each other and no other futex ops.
++ *
++ * We should never be requeueing a futex_q with a pi_state,
++ * which is awaiting a futex_unlock_pi().
+ */
+ if ((requeue_pi && !this->rt_waiter) ||
+- (!requeue_pi && this->rt_waiter)) {
++ (!requeue_pi && this->rt_waiter) ||
++ this->pi_state) {
+ ret = -EINVAL;
+ break;
+ }
+@@ -2724,6 +2749,7 @@ static int __init futex_init(void)
{
u32 curval;
int i;
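Review bot: In futex_wake_op() the two added `pi_state || rt_waiter` checks set `ret = -EINVAL` and jump to `out_unlock` from inside the wake loops, so a caller can receive -EINVAL after earlier iterations have already called wake_futex() on other waiters, and the count woken so far is discarded. That may be acceptable for a misuse case, but it deserves a comment at the first check, e.g. `/* mixing PI and non-PI ops on one futex is a caller error; waiters already woken stay woken */`. The same test appears in both loops and again as a WARN in wake_futex(), so a small static helper would keep the three in sync. The bodies of these functions extend outside the hunk.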
@@ -68914,7 +69085,7 @@ index 80fb1c6..2238366 100644
/*
* This will fail and we want it. Some arch implementations do
-@@ -2735,8 +2745,11 @@ static int __init futex_init(void)
+@@ -2735,8 +2761,11 @@ static int __init futex_init(void)
* implementation, the non-functional ones will return
* -ENOSYS.
*/
@@ -72591,10 +72762,22 @@ index 209b379..7f76423 100644
put_task_struct(tsk);
}
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
-index 43a19c5..c815189 100644
+index 43a19c5..a6ca577 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
-@@ -3468,7 +3468,7 @@ static int __cpuinit trustee_thread(void *__gcwq)
+@@ -2052,8 +2052,10 @@ static int rescuer_thread(void *__wq)
+ repeat:
+ set_current_state(TASK_INTERRUPTIBLE);
+
+- if (kthread_should_stop())
++ if (kthread_should_stop()) {
++ __set_current_state(TASK_RUNNING);
+ return 0;
++ }
+
+ /*
+ * See whether any cpu is asking for help. Unbounded
+@@ -3468,7 +3470,7 @@ static int __cpuinit trustee_thread(void *__gcwq)
*/
worker_flags |= WORKER_REBIND;
worker_flags &= ~WORKER_ROGUE;
@@ -73333,7 +73516,7 @@ index 23d3a6b..e10d35a 100644
if (end == start)
goto out;
diff --git a/mm/memory-failure.c b/mm/memory-failure.c
-index 5bd5bb1..2da9ddb 100644
+index 5bd5bb1..de5405e 100644
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -61,7 +61,7 @@ int sysctl_memory_failure_early_kill __read_mostly = 0;
@@ -73408,7 +73591,25 @@ index 5bd5bb1..2da9ddb 100644
set_page_hwpoison_huge_page(hpage);
dequeue_hwpoisoned_huge_page(hpage);
/* keep elevated page count for bad page */
-@@ -1573,7 +1573,7 @@ int soft_offline_page(struct page *page, int flags)
+@@ -1475,9 +1475,17 @@ int soft_offline_page(struct page *page, int flags)
+ {
+ int ret;
+ unsigned long pfn = page_to_pfn(page);
++ struct page *hpage = compound_trans_head(page);
+
+ if (PageHuge(page))
+ return soft_offline_huge_page(page, flags);
++ if (PageTransHuge(hpage)) {
++ if (PageAnon(hpage) && unlikely(split_huge_page(hpage))) {
++ pr_info("soft offline: %#lx: failed to split THP\n",
++ pfn);
++ return -EBUSY;
++ }
++ }
+
+ ret = get_any_page(page, pfn, flags);
+ if (ret < 0)
+@@ -1573,7 +1581,7 @@ int soft_offline_page(struct page *page, int flags)
return ret;
done:
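Review bot: In the block added to soft_offline_page(), split_huge_page(hpage) runs before get_any_page() takes its reference further down, so nothing visible in this hunk pins the compound page between the PageTransHuge() test and the split. Whether locking inside split_huge_page() closes that window cannot be seen from here, so the ordering deserves a comment such as `/* split before get_any_page(): relies on split_huge_page() coping with a page that is freed or collapsed concurrently */`. A transparent huge page that is not PageAnon() also falls through to the base-page path silently; `/* only anonymous THP is expected here */` would record that assumption. The function body continues outside the hunk.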
@@ -77212,6 +77413,47 @@ index 1b7e22a..3fcd4f3 100644
}
return pgd;
}
+diff --git a/mm/sparse.c b/mm/sparse.c
+index bf7d3cc..42935b5 100644
+--- a/mm/sparse.c
++++ b/mm/sparse.c
+@@ -622,7 +622,7 @@ static void __kfree_section_memmap(struct page *memmap, unsigned long nr_pages)
+ {
+ return; /* XXX: Not implemented yet */
+ }
+-static void free_map_bootmem(struct page *page, unsigned long nr_pages)
++static void free_map_bootmem(struct page *memmap, unsigned long nr_pages)
+ {
+ }
+ #else
+@@ -663,10 +663,11 @@ static void __kfree_section_memmap(struct page *memmap, unsigned long nr_pages)
+ get_order(sizeof(struct page) * nr_pages));
+ }
+
+-static void free_map_bootmem(struct page *page, unsigned long nr_pages)
++static void free_map_bootmem(struct page *memmap, unsigned long nr_pages)
+ {
+ unsigned long maps_section_nr, removing_section_nr, i;
+ unsigned long magic;
++ struct page *page = virt_to_page(memmap);
+
+ for (i = 0; i < nr_pages; i++, page++) {
+ magic = (unsigned long) page->lru.next;
+@@ -715,13 +716,10 @@ static void free_section_usemap(struct page *memmap, unsigned long *usemap)
+ */
+
+ if (memmap) {
+- struct page *memmap_page;
+- memmap_page = virt_to_page(memmap);
+-
+ nr_pages = PAGE_ALIGN(PAGES_PER_SECTION * sizeof(struct page))
+ >> PAGE_SHIFT;
+
+- free_map_bootmem(memmap_page, nr_pages);
++ free_map_bootmem(memmap, nr_pages);
+ }
+ }
+
diff --git a/mm/swap.c b/mm/swap.c
index 55b266d..a532537 100644
--- a/mm/swap.c
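Review bot: free_map_bootmem() now receives the memmap's virtual address and calls virt_to_page() itself, but the parameter keeps the type `struct page *`, so a caller that still passes an already converted page compiles cleanly and would presumably make the loop walk the wrong pages. Neither definition (the empty stub at -622 and the real one at -663) says which meaning is expected. A one-line comment above both, e.g. `/* @memmap: virtual address of the section's memmap; converted with virt_to_page() here */`, would make the new contract explicit. The only caller visible in this diff, free_section_usemap(), is updated to match.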
@@ -78223,6 +78465,20 @@ index 8656909..a2ae45d 100644
}
/* Update statistics. */
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 151b773..3910c1f 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1084,6 +1084,9 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
+ op->sk = sk;
+ op->ifindex = ifindex;
+
++ /* ifindex for timeout events w/o previous frame reception */
++ op->rx_ifindex = ifindex;
++
+ /* initialize uninitialized (kzalloc) structure */
+ hrtimer_init(&op->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
+ op->timer.function = bcm_rx_timeout_handler;
diff --git a/net/can/gw.c b/net/can/gw.c
index 3d79b12..8de85fa 100644
--- a/net/can/gw.c
@@ -78966,6 +79222,21 @@ index 99ec116..c5628fe 100644
set_fs(oldfs);
return res;
}
+diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
+index 0064394..2d993a0 100644
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -1320,6 +1320,10 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, unsi
+ if (get_user(v, (u32 __user *)optval))
+ return -EFAULT;
+
++ /* "pimreg%u" should not exceed 16 bytes (IFNAMSIZ) */
++ if (v != RT_TABLE_DEFAULT && v >= 1000000000)
++ return -EINVAL;
++
+ rtnl_lock();
+ ret = 0;
+ if (sk == rtnl_dereference(mrt->mroute_sk)) {
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index fd7a3f6..21e76da 100644
--- a/net/ipv4/netfilter/arp_tables.c
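Review bot: The bound `1000000000` added to ip_mroute_setsockopt() is a magic number whose link to IFNAMSIZ exists only in the comment: it stays correct only while the device-name prefix is six characters and IFNAMSIZ is 16. Spelling the arithmetic out, `/* "pimreg" (6) + at most 9 digits + NUL == IFNAMSIZ (16) */`, lets a reader verify the limit without counting digits. The `v != RT_TABLE_DEFAULT` exemption is also unexplained; presumably the default table's device carries no numeric suffix, and the comment should say so if that is the reason. The enclosing function starts and ends outside the hunk.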
@@ -79983,6 +80254,18 @@ index 253695d..9481ce8 100644
seq_printf(m, "Max data size: %d\n", self->max_data_size);
seq_printf(m, "Max header size: %d\n", self->max_header_size);
+diff --git a/net/irda/irttp.c b/net/irda/irttp.c
+index 32e3bb0..a4e5eb8 100644
+--- a/net/irda/irttp.c
++++ b/net/irda/irttp.c
+@@ -441,6 +441,7 @@ struct tsap_cb *irttp_open_tsap(__u8 stsap_sel, int credit, notify_t *notify)
+ lsap = irlmp_open_lsap(stsap_sel, &ttp_notify, 0);
+ if (lsap == NULL) {
+ IRDA_WARNING("%s: unable to allocate LSAP!!\n", __func__);
++ __irttp_close_tsap(self);
+ return NULL;
+ }
+
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index cf98d62..7bf2972 100644
--- a/net/iucv/af_iucv.c
@@ -80249,6 +80532,19 @@ index 1a02853..5d8c22e 100644
obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
+diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
+index e13095d..6617217 100644
+--- a/net/netfilter/ipset/ip_set_hash_netiface.c
++++ b/net/netfilter/ipset/ip_set_hash_netiface.c
+@@ -761,7 +761,7 @@ static struct ip_set_type hash_netiface_type __read_mostly = {
+ [IPSET_ATTR_IP] = { .type = NLA_NESTED },
+ [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
+ [IPSET_ATTR_IFACE] = { .type = NLA_NUL_STRING,
+- .len = IPSET_MAXNAMELEN - 1 },
++ .len = IFNAMSIZ - 1 },
+ [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
+ [IPSET_ATTR_CIDR] = { .type = NLA_U8 },
+ [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
index 29fa5ba..8debc79 100644
--- a/net/netfilter/ipvs/ip_vs_conn.c
@@ -81126,6 +81422,38 @@ index 7635107..4670276 100644
_proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
+diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
+index 6c85564..9534bf9 100644
+--- a/net/sctp/chunk.c
++++ b/net/sctp/chunk.c
+@@ -284,7 +284,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
+ goto errout;
+ err = sctp_user_addto_chunk(chunk, offset, len, msgh->msg_iov);
+ if (err < 0)
+- goto errout;
++ goto errout_chunk_free;
+
+ offset += len;
+
+@@ -324,7 +324,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
+ __skb_pull(chunk->skb, (__u8 *)chunk->chunk_hdr
+ - (__u8 *)chunk->skb->data);
+ if (err < 0)
+- goto errout;
++ goto errout_chunk_free;
+
+ sctp_datamsg_assign(msg, chunk);
+ list_add_tail(&chunk->frag_list, &msg->chunks);
+@@ -332,6 +332,9 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
+
+ return msg;
+
++errout_chunk_free:
++ sctp_chunk_free(chunk);
++
+ errout:
+ list_for_each_safe(pos, temp, &msg->chunks) {
+ list_del_init(pos);
diff --git a/net/sctp/proc.c b/net/sctp/proc.c
index 1e2eee8..ce3967e 100644
--- a/net/sctp/proc.c
@@ -81153,6 +81481,19 @@ index 8e49d76..52773ad 100644
if (copy_to_user(to, &temp, addrlen))
return -EFAULT;
to += addrlen;
+diff --git a/net/sctp/transport.c b/net/sctp/transport.c
+index 8da4481..d02565e 100644
+--- a/net/sctp/transport.c
++++ b/net/sctp/transport.c
+@@ -317,7 +317,7 @@ void sctp_transport_update_rto(struct sctp_transport *tp, __u32 rtt)
+ * 1/8, rto_alpha would be expressed as 3.
+ */
+ tp->rttvar = tp->rttvar - (tp->rttvar >> sctp_rto_beta)
+- + ((abs(tp->srtt - rtt)) >> sctp_rto_beta);
++ + (((__u32)abs64((__s64)tp->srtt - (__s64)rtt)) >> sctp_rto_beta);
+ tp->srtt = tp->srtt - (tp->srtt >> sctp_rto_alpha)
+ + (rtt >> sctp_rto_alpha);
+ } else {
diff --git a/net/socket.c b/net/socket.c
index 68879db..ed22cd4 100644
--- a/net/socket.c
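Review bot: The rewritten rttvar expression in sctp_transport_update_rto() has no comment explaining its casts, and without one the `(__s64)` widening looks like something a later cleanup could remove. `rtt` is `__u32` per the signature in the hunk header and `tp->srtt` appears to be unsigned as well, so the difference can wrap when rtt exceeds srtt; how the old `abs()` treated that wrapped value depends on the macro's definition, which is not shown here. I would add `/* operands are unsigned: widen to s64 so the difference is signed before abs64() */` above the statement. The function body continues outside the hunk.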
diff --git a/3.6.8/0000_README b/3.6.9/0000_README
index f24acf7..44b7fad 100644
--- a/3.6.8/0000_README
+++ b/3.6.9/0000_README
@@ -2,7 +2,11 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.6.8-201211261714.patch
+Patch: 1008_linux-3.6.9.patch
+From: http://www.kernel.org
+Desc: Linux 3.6.9
+
+Patch: 4420_grsecurity-2.9.1-3.6.9-201212031851.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.6.9/1008_linux-3.6.9.patch b/3.6.9/1008_linux-3.6.9.patch
new file mode 100644
index 0000000..17d84ec
--- /dev/null
+++ b/3.6.9/1008_linux-3.6.9.patch
@@ -0,0 +1,1763 @@
+diff --git a/Documentation/dvb/get_dvb_firmware b/Documentation/dvb/get_dvb_firmware
+index 12d3952e..32bc56b 100755
+--- a/Documentation/dvb/get_dvb_firmware
++++ b/Documentation/dvb/get_dvb_firmware
+@@ -116,7 +116,7 @@ sub tda10045 {
+
+ sub tda10046 {
+ my $sourcefile = "TT_PCI_2.19h_28_11_2006.zip";
+- my $url = "http://www.tt-download.com/download/updates/219/$sourcefile";
++ my $url = "http://technotrend.com.ua/download/software/219/$sourcefile";
+ my $hash = "6a7e1e2f2644b162ff0502367553c72d";
+ my $outfile = "dvb-fe-tda10046.fw";
+ my $tmpdir = tempdir(DIR => "/tmp", CLEANUP => 1);
+diff --git a/Makefile b/Makefile
+index c5cc2f0..978af72 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 6
+-SUBLEVEL = 8
++SUBLEVEL = 9
+ EXTRAVERSION =
+ NAME = Terrified Chipmunk
+
+diff --git a/arch/parisc/kernel/signal32.c b/arch/parisc/kernel/signal32.c
+index fd49aed..5dede04 100644
+--- a/arch/parisc/kernel/signal32.c
++++ b/arch/parisc/kernel/signal32.c
+@@ -65,7 +65,8 @@ put_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz)
+ {
+ compat_sigset_t s;
+
+- if (sz != sizeof *set) panic("put_sigset32()");
++ if (sz != sizeof *set)
++ return -EINVAL;
+ sigset_64to32(&s, set);
+
+ return copy_to_user(up, &s, sizeof s);
+@@ -77,7 +78,8 @@ get_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz)
+ compat_sigset_t s;
+ int r;
+
+- if (sz != sizeof *set) panic("put_sigset32()");
++ if (sz != sizeof *set)
++ return -EINVAL;
+
+ if ((r = copy_from_user(&s, up, sz)) == 0) {
+ sigset_32to64(set, &s);
+diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c
+index 7426e40..f76c108 100644
+--- a/arch/parisc/kernel/sys_parisc.c
++++ b/arch/parisc/kernel/sys_parisc.c
+@@ -73,6 +73,8 @@ static unsigned long get_shared_area(struct address_space *mapping,
+ struct vm_area_struct *vma;
+ int offset = mapping ? get_offset(mapping) : 0;
+
++ offset = (offset + (pgoff << PAGE_SHIFT)) & 0x3FF000;
++
+ addr = DCACHE_ALIGN(addr - offset) + offset;
+
+ for (vma = find_vma(current->mm, addr); ; vma = vma->vm_next) {
+diff --git a/arch/powerpc/platforms/pseries/eeh_driver.c b/arch/powerpc/platforms/pseries/eeh_driver.c
+index baf92cd..041e28d 100644
+--- a/arch/powerpc/platforms/pseries/eeh_driver.c
++++ b/arch/powerpc/platforms/pseries/eeh_driver.c
+@@ -25,6 +25,7 @@
+ #include <linux/delay.h>
+ #include <linux/interrupt.h>
+ #include <linux/irq.h>
++#include <linux/module.h>
+ #include <linux/pci.h>
+ #include <asm/eeh.h>
+ #include <asm/eeh_event.h>
+@@ -47,6 +48,41 @@ static inline const char *eeh_pcid_name(struct pci_dev *pdev)
+ return "";
+ }
+
++/**
++ * eeh_pcid_get - Get the PCI device driver
++ * @pdev: PCI device
++ *
++ * The function is used to retrieve the PCI device driver for
++ * the indicated PCI device. Besides, we will increase the reference
++ * of the PCI device driver to prevent that being unloaded on
++ * the fly. Otherwise, kernel crash would be seen.
++ */
++static inline struct pci_driver *eeh_pcid_get(struct pci_dev *pdev)
++{
++ if (!pdev || !pdev->driver)
++ return NULL;
++
++ if (!try_module_get(pdev->driver->driver.owner))
++ return NULL;
++
++ return pdev->driver;
++}
++
++/**
++ * eeh_pcid_put - Dereference on the PCI device driver
++ * @pdev: PCI device
++ *
++ * The function is called to do dereference on the PCI device
++ * driver of the indicated PCI device.
++ */
++static inline void eeh_pcid_put(struct pci_dev *pdev)
++{
++ if (!pdev || !pdev->driver)
++ return;
++
++ module_put(pdev->driver->driver.owner);
++}
++
+ #if 0
+ static void print_device_node_tree(struct pci_dn *pdn, int dent)
+ {
+@@ -126,18 +162,20 @@ static void eeh_enable_irq(struct pci_dev *dev)
+ static int eeh_report_error(struct pci_dev *dev, void *userdata)
+ {
+ enum pci_ers_result rc, *res = userdata;
+- struct pci_driver *driver = dev->driver;
++ struct pci_driver *driver;
+
+ dev->error_state = pci_channel_io_frozen;
+
+- if (!driver)
+- return 0;
++ driver = eeh_pcid_get(dev);
++ if (!driver) return 0;
+
+ eeh_disable_irq(dev);
+
+ if (!driver->err_handler ||
+- !driver->err_handler->error_detected)
++ !driver->err_handler->error_detected) {
++ eeh_pcid_put(dev);
+ return 0;
++ }
+
+ rc = driver->err_handler->error_detected(dev, pci_channel_io_frozen);
+
+@@ -145,6 +183,7 @@ static int eeh_report_error(struct pci_dev *dev, void *userdata)
+ if (rc == PCI_ERS_RESULT_NEED_RESET) *res = rc;
+ if (*res == PCI_ERS_RESULT_NONE) *res = rc;
+
++ eeh_pcid_put(dev);
+ return 0;
+ }
+
+@@ -160,12 +199,16 @@ static int eeh_report_error(struct pci_dev *dev, void *userdata)
+ static int eeh_report_mmio_enabled(struct pci_dev *dev, void *userdata)
+ {
+ enum pci_ers_result rc, *res = userdata;
+- struct pci_driver *driver = dev->driver;
++ struct pci_driver *driver;
++
++ driver = eeh_pcid_get(dev);
++ if (!driver) return 0;
+
+- if (!driver ||
+- !driver->err_handler ||
+- !driver->err_handler->mmio_enabled)
++ if (!driver->err_handler ||
++ !driver->err_handler->mmio_enabled) {
++ eeh_pcid_put(dev);
+ return 0;
++ }
+
+ rc = driver->err_handler->mmio_enabled(dev);
+
+@@ -173,6 +216,7 @@ static int eeh_report_mmio_enabled(struct pci_dev *dev, void *userdata)
+ if (rc == PCI_ERS_RESULT_NEED_RESET) *res = rc;
+ if (*res == PCI_ERS_RESULT_NONE) *res = rc;
+
++ eeh_pcid_put(dev);
+ return 0;
+ }
+
+@@ -189,18 +233,20 @@ static int eeh_report_mmio_enabled(struct pci_dev *dev, void *userdata)
+ static int eeh_report_reset(struct pci_dev *dev, void *userdata)
+ {
+ enum pci_ers_result rc, *res = userdata;
+- struct pci_driver *driver = dev->driver;
+-
+- if (!driver)
+- return 0;
++ struct pci_driver *driver;
+
+ dev->error_state = pci_channel_io_normal;
+
++ driver = eeh_pcid_get(dev);
++ if (!driver) return 0;
++
+ eeh_enable_irq(dev);
+
+ if (!driver->err_handler ||
+- !driver->err_handler->slot_reset)
++ !driver->err_handler->slot_reset) {
++ eeh_pcid_put(dev);
+ return 0;
++ }
+
+ rc = driver->err_handler->slot_reset(dev);
+ if ((*res == PCI_ERS_RESULT_NONE) ||
+@@ -208,6 +254,7 @@ static int eeh_report_reset(struct pci_dev *dev, void *userdata)
+ if (*res == PCI_ERS_RESULT_DISCONNECT &&
+ rc == PCI_ERS_RESULT_NEED_RESET) *res = rc;
+
++ eeh_pcid_put(dev);
+ return 0;
+ }
+
+@@ -222,21 +269,24 @@ static int eeh_report_reset(struct pci_dev *dev, void *userdata)
+ */
+ static int eeh_report_resume(struct pci_dev *dev, void *userdata)
+ {
+- struct pci_driver *driver = dev->driver;
++ struct pci_driver *driver;
+
+ dev->error_state = pci_channel_io_normal;
+
+- if (!driver)
+- return 0;
++ driver = eeh_pcid_get(dev);
++ if (!driver) return 0;
+
+ eeh_enable_irq(dev);
+
+ if (!driver->err_handler ||
+- !driver->err_handler->resume)
++ !driver->err_handler->resume) {
++ eeh_pcid_put(dev);
+ return 0;
++ }
+
+ driver->err_handler->resume(dev);
+
++ eeh_pcid_put(dev);
+ return 0;
+ }
+
+@@ -250,21 +300,24 @@ static int eeh_report_resume(struct pci_dev *dev, void *userdata)
+ */
+ static int eeh_report_failure(struct pci_dev *dev, void *userdata)
+ {
+- struct pci_driver *driver = dev->driver;
++ struct pci_driver *driver;
+
+ dev->error_state = pci_channel_io_perm_failure;
+
+- if (!driver)
+- return 0;
++ driver = eeh_pcid_get(dev);
++ if (!driver) return 0;
+
+ eeh_disable_irq(dev);
+
+ if (!driver->err_handler ||
+- !driver->err_handler->error_detected)
++ !driver->err_handler->error_detected) {
++ eeh_pcid_put(dev);
+ return 0;
++ }
+
+ driver->err_handler->error_detected(dev, pci_channel_io_perm_failure);
+
++ eeh_pcid_put(dev);
+ return 0;
+ }
+
+diff --git a/arch/sparc/kernel/signal_64.c b/arch/sparc/kernel/signal_64.c
+index 867de2f..689e1ba 100644
+--- a/arch/sparc/kernel/signal_64.c
++++ b/arch/sparc/kernel/signal_64.c
+@@ -295,9 +295,7 @@ void do_rt_sigreturn(struct pt_regs *regs)
+ err |= restore_fpu_state(regs, fpu_save);
+
+ err |= __copy_from_user(&set, &sf->mask, sizeof(sigset_t));
+- err |= do_sigaltstack(&sf->stack, NULL, (unsigned long)sf);
+-
+- if (err)
++ if (err || do_sigaltstack(&sf->stack, NULL, (unsigned long)sf) == -EFAULT)
+ goto segv;
+
+ err |= __get_user(rwin_save, &sf->rwin_save);
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index b3e0227..90201aa 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -12,6 +12,8 @@
+ #include <asm/setup.h>
+ #include <asm/desc.h>
+
++#undef memcpy /* Use memcpy from misc.c */
++
+ #include "eboot.h"
+
+ static efi_system_table_t *sys_table;
+diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
+index dcfde52..19f16eb 100644
+--- a/arch/x86/include/asm/ptrace.h
++++ b/arch/x86/include/asm/ptrace.h
+@@ -205,21 +205,14 @@ static inline bool user_64bit_mode(struct pt_regs *regs)
+ }
+ #endif
+
+-/*
+- * X86_32 CPUs don't save ss and esp if the CPU is already in kernel mode
+- * when it traps. The previous stack will be directly underneath the saved
+- * registers, and 'sp/ss' won't even have been saved. Thus the '&regs->sp'.
+- *
+- * This is valid only for kernel mode traps.
+- */
+-static inline unsigned long kernel_stack_pointer(struct pt_regs *regs)
+-{
+ #ifdef CONFIG_X86_32
+- return (unsigned long)(&regs->sp);
++extern unsigned long kernel_stack_pointer(struct pt_regs *regs);
+ #else
++static inline unsigned long kernel_stack_pointer(struct pt_regs *regs)
++{
+ return regs->sp;
+-#endif
+ }
++#endif
+
+ #define GET_IP(regs) ((regs)->ip)
+ #define GET_FP(regs) ((regs)->bp)
+diff --git a/arch/x86/kernel/microcode_amd.c b/arch/x86/kernel/microcode_amd.c
+index 82746f9..5d8cf0d 100644
+--- a/arch/x86/kernel/microcode_amd.c
++++ b/arch/x86/kernel/microcode_amd.c
+@@ -97,6 +97,7 @@ static unsigned int verify_ucode_size(int cpu, u32 patch_size,
+ #define F1XH_MPB_MAX_SIZE 2048
+ #define F14H_MPB_MAX_SIZE 1824
+ #define F15H_MPB_MAX_SIZE 4096
++#define F16H_MPB_MAX_SIZE 3458
+
+ switch (c->x86) {
+ case 0x14:
+@@ -105,6 +106,9 @@ static unsigned int verify_ucode_size(int cpu, u32 patch_size,
+ case 0x15:
+ max_size = F15H_MPB_MAX_SIZE;
+ break;
++ case 0x16:
++ max_size = F16H_MPB_MAX_SIZE;
++ break;
+ default:
+ max_size = F1XH_MPB_MAX_SIZE;
+ break;
+diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
+index c4c6a5c..9ee1787 100644
+--- a/arch/x86/kernel/ptrace.c
++++ b/arch/x86/kernel/ptrace.c
+@@ -21,6 +21,7 @@
+ #include <linux/signal.h>
+ #include <linux/perf_event.h>
+ #include <linux/hw_breakpoint.h>
++#include <linux/module.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/pgtable.h>
+@@ -165,6 +166,35 @@ static inline bool invalid_selector(u16 value)
+
+ #define FLAG_MASK FLAG_MASK_32
+
++/*
++ * X86_32 CPUs don't save ss and esp if the CPU is already in kernel mode
++ * when it traps. The previous stack will be directly underneath the saved
++ * registers, and 'sp/ss' won't even have been saved. Thus the '&regs->sp'.
++ *
++ * Now, if the stack is empty, '&regs->sp' is out of range. In this
++ * case we try to take the previous stack. To always return a non-null
++ * stack pointer we fall back to regs as stack if no previous stack
++ * exists.
++ *
++ * This is valid only for kernel mode traps.
++ */
++unsigned long kernel_stack_pointer(struct pt_regs *regs)
++{
++ unsigned long context = (unsigned long)regs & ~(THREAD_SIZE - 1);
++ unsigned long sp = (unsigned long)&regs->sp;
++ struct thread_info *tinfo;
++
++ if (context == (sp & ~(THREAD_SIZE - 1)))
++ return sp;
++
++ tinfo = (struct thread_info *)context;
++ if (tinfo->previous_esp)
++ return tinfo->previous_esp;
++
++ return (unsigned long)regs;
++}
++EXPORT_SYMBOL_GPL(kernel_stack_pointer);
++
+ static unsigned long *pt_regs_access(struct pt_regs *regs, unsigned long regno)
+ {
+ BUILD_BUG_ON(offsetof(struct pt_regs, bx) != 0);
+diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h
+index a10e460..58fc514 100644
+--- a/arch/x86/kvm/cpuid.h
++++ b/arch/x86/kvm/cpuid.h
+@@ -24,6 +24,9 @@ static inline bool guest_cpuid_has_xsave(struct kvm_vcpu *vcpu)
+ {
+ struct kvm_cpuid_entry2 *best;
+
++ if (!static_cpu_has(X86_FEATURE_XSAVE))
++ return 0;
++
+ best = kvm_find_cpuid_entry(vcpu, 1, 0);
+ return best && (best->ecx & bit(X86_FEATURE_XSAVE));
+ }
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 2966c84..a201790 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5762,6 +5762,9 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu,
+ int pending_vec, max_bits, idx;
+ struct desc_ptr dt;
+
++ if (!guest_cpuid_has_xsave(vcpu) && (sregs->cr4 & X86_CR4_OSXSAVE))
++ return -EINVAL;
++
+ dt.size = sregs->idt.limit;
+ dt.address = sregs->idt.base;
+ kvm_x86_ops->set_idt(vcpu, &dt);
+diff --git a/block/blk-exec.c b/block/blk-exec.c
+index 8b6dc5b..f71eac3 100644
+--- a/block/blk-exec.c
++++ b/block/blk-exec.c
+@@ -52,11 +52,17 @@ void blk_execute_rq_nowait(struct request_queue *q, struct gendisk *bd_disk,
+ rq_end_io_fn *done)
+ {
+ int where = at_head ? ELEVATOR_INSERT_FRONT : ELEVATOR_INSERT_BACK;
++ bool is_pm_resume;
+
+ WARN_ON(irqs_disabled());
+
+ rq->rq_disk = bd_disk;
+ rq->end_io = done;
++ /*
++ * need to check this before __blk_run_queue(), because rq can
++ * be freed before that returns.
++ */
++ is_pm_resume = rq->cmd_type == REQ_TYPE_PM_RESUME;
+
+ spin_lock_irq(q->queue_lock);
+
+@@ -71,7 +77,7 @@ void blk_execute_rq_nowait(struct request_queue *q, struct gendisk *bd_disk,
+ __elv_add_request(q, rq, where);
+ __blk_run_queue(q);
+ /* the queue is stopped so it won't be run */
+- if (rq->cmd_type == REQ_TYPE_PM_RESUME)
++ if (is_pm_resume)
+ q->request_fn(q);
+ spin_unlock_irq(q->queue_lock);
+ }
+diff --git a/drivers/ata/sata_svw.c b/drivers/ata/sata_svw.c
+index 44a4256..08608de 100644
+--- a/drivers/ata/sata_svw.c
++++ b/drivers/ata/sata_svw.c
+@@ -142,6 +142,39 @@ static int k2_sata_scr_write(struct ata_link *link,
+ return 0;
+ }
+
++static int k2_sata_softreset(struct ata_link *link,
++ unsigned int *class, unsigned long deadline)
++{
++ u8 dmactl;
++ void __iomem *mmio = link->ap->ioaddr.bmdma_addr;
++
++ dmactl = readb(mmio + ATA_DMA_CMD);
++
++ /* Clear the start bit */
++ if (dmactl & ATA_DMA_START) {
++ dmactl &= ~ATA_DMA_START;
++ writeb(dmactl, mmio + ATA_DMA_CMD);
++ }
++
++ return ata_sff_softreset(link, class, deadline);
++}
++
++static int k2_sata_hardreset(struct ata_link *link,
++ unsigned int *class, unsigned long deadline)
++{
++ u8 dmactl;
++ void __iomem *mmio = link->ap->ioaddr.bmdma_addr;
++
++ dmactl = readb(mmio + ATA_DMA_CMD);
++
++ /* Clear the start bit */
++ if (dmactl & ATA_DMA_START) {
++ dmactl &= ~ATA_DMA_START;
++ writeb(dmactl, mmio + ATA_DMA_CMD);
++ }
++
++ return sata_sff_hardreset(link, class, deadline);
++}
+
+ static void k2_sata_tf_load(struct ata_port *ap, const struct ata_taskfile *tf)
+ {
+@@ -346,6 +379,8 @@ static struct scsi_host_template k2_sata_sht = {
+
+ static struct ata_port_operations k2_sata_ops = {
+ .inherits = &ata_bmdma_port_ops,
++ .softreset = k2_sata_softreset,
++ .hardreset = k2_sata_hardreset,
+ .sff_tf_load = k2_sata_tf_load,
+ .sff_tf_read = k2_sata_tf_read,
+ .sff_check_status = k2_stat_check_status,
+diff --git a/drivers/base/power/qos.c b/drivers/base/power/qos.c
+index 74a67e0..fbbd4ed 100644
+--- a/drivers/base/power/qos.c
++++ b/drivers/base/power/qos.c
+@@ -451,7 +451,7 @@ int dev_pm_qos_add_ancestor_request(struct device *dev,
+ if (ancestor)
+ error = dev_pm_qos_add_request(ancestor, req, value);
+
+- if (error)
++ if (error < 0)
+ req->dev = NULL;
+
+ return error;
+diff --git a/drivers/gpu/drm/radeon/radeon_agp.c b/drivers/gpu/drm/radeon/radeon_agp.c
+index bd2f33e..bc6b64f 100644
+--- a/drivers/gpu/drm/radeon/radeon_agp.c
++++ b/drivers/gpu/drm/radeon/radeon_agp.c
+@@ -70,9 +70,12 @@ static struct radeon_agpmode_quirk radeon_agpmode_quirk_list[] = {
+ /* Intel 82830 830 Chipset Host Bridge / Mobility M6 LY Needs AGPMode 2 (fdo #17360)*/
+ { PCI_VENDOR_ID_INTEL, 0x3575, PCI_VENDOR_ID_ATI, 0x4c59,
+ PCI_VENDOR_ID_DELL, 0x00e3, 2},
+- /* Intel 82852/82855 host bridge / Mobility FireGL 9000 R250 Needs AGPMode 1 (lp #296617) */
++ /* Intel 82852/82855 host bridge / Mobility FireGL 9000 RV250 Needs AGPMode 1 (lp #296617) */
+ { PCI_VENDOR_ID_INTEL, 0x3580, PCI_VENDOR_ID_ATI, 0x4c66,
+ PCI_VENDOR_ID_DELL, 0x0149, 1},
++ /* Intel 82855PM host bridge / Mobility FireGL 9000 RV250 Needs AGPMode 1 for suspend/resume */
++ { PCI_VENDOR_ID_INTEL, 0x3340, PCI_VENDOR_ID_ATI, 0x4c66,
++ PCI_VENDOR_ID_IBM, 0x0531, 1},
+ /* Intel 82852/82855 host bridge / Mobility 9600 M10 RV350 Needs AGPMode 1 (deb #467460) */
+ { PCI_VENDOR_ID_INTEL, 0x3580, PCI_VENDOR_ID_ATI, 0x4e50,
+ 0x1025, 0x0061, 1},
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 1dcb76f..ab8ce9f 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -296,6 +296,9 @@
+ #define USB_VENDOR_ID_EZKEY 0x0518
+ #define USB_DEVICE_ID_BTC_8193 0x0002
+
++#define USB_VENDOR_ID_FREESCALE 0x15A2
++#define USB_DEVICE_ID_FREESCALE_MX28 0x004F
++
+ #define USB_VENDOR_ID_FRUCTEL 0x25B6
+ #define USB_DEVICE_ID_GAMETEL_MT_MODE 0x0002
+
+diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c
+index 991e85c..8865fa3 100644
+--- a/drivers/hid/usbhid/hid-quirks.c
++++ b/drivers/hid/usbhid/hid-quirks.c
+@@ -70,6 +70,7 @@ static const struct hid_blacklist {
+ { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_AXIS_295, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_DMI, USB_DEVICE_ID_DMI_ENC, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2700, HID_QUIRK_NOGET },
++ { USB_VENDOR_ID_FREESCALE, USB_DEVICE_ID_FREESCALE_MX28, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_MGE, USB_DEVICE_ID_MGE_UPS, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN1, HID_QUIRK_NO_INIT_REPORTS },
+diff --git a/drivers/isdn/gigaset/bas-gigaset.c b/drivers/isdn/gigaset/bas-gigaset.c
+index 5275887..c44950d 100644
+--- a/drivers/isdn/gigaset/bas-gigaset.c
++++ b/drivers/isdn/gigaset/bas-gigaset.c
+@@ -617,7 +617,13 @@ static void int_in_work(struct work_struct *work)
+ if (rc == 0)
+ /* success, resubmit interrupt read URB */
+ rc = usb_submit_urb(urb, GFP_ATOMIC);
+- if (rc != 0 && rc != -ENODEV) {
++
++ switch (rc) {
++ case 0: /* success */
++ case -ENODEV: /* device gone */
++ case -EINVAL: /* URB already resubmitted, or terminal badness */
++ break;
++ default: /* failure: try to recover by resetting the device */
+ dev_err(cs->dev, "clear halt failed: %s\n", get_usb_rcmsg(rc));
+ rc = usb_lock_device_for_reset(ucs->udev, ucs->interface);
+ if (rc == 0) {
+@@ -2442,7 +2448,9 @@ static void gigaset_disconnect(struct usb_interface *interface)
+ }
+
+ /* gigaset_suspend
+- * This function is called before the USB connection is suspended.
++ * This function is called before the USB connection is suspended
++ * or before the USB device is reset.
++ * In the latter case, message == PMSG_ON.
+ */
+ static int gigaset_suspend(struct usb_interface *intf, pm_message_t message)
+ {
+@@ -2498,7 +2506,12 @@ static int gigaset_suspend(struct usb_interface *intf, pm_message_t message)
+ del_timer_sync(&ucs->timer_atrdy);
+ del_timer_sync(&ucs->timer_cmd_in);
+ del_timer_sync(&ucs->timer_int_in);
+- cancel_work_sync(&ucs->int_in_wq);
++
++ /* don't try to cancel int_in_wq from within reset as it
++ * might be the one requesting the reset
++ */
++ if (message.event != PM_EVENT_ON)
++ cancel_work_sync(&ucs->int_in_wq);
+
+ gig_dbg(DEBUG_SUSPEND, "suspend complete");
+ return 0;
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 67ffa39..4256200 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -754,8 +754,14 @@ static void rq_completed(struct mapped_device *md, int rw, int run_queue)
+ if (!md_in_flight(md))
+ wake_up(&md->wait);
+
++ /*
++ * Run this off this callpath, as drivers could invoke end_io while
++ * inside their request_fn (and holding the queue lock). Calling
++ * back into ->request_fn() could deadlock attempting to grab the
++ * queue lock again.
++ */
+ if (run_queue)
+- blk_run_queue(md->queue);
++ blk_run_queue_async(md->queue);
+
+ /*
+ * dm_put() must be at the end of this function. See the comment above
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 308e87b..c7b000f 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -1832,10 +1832,10 @@ retry:
+ memset(bbp, 0xff, PAGE_SIZE);
+
+ for (i = 0 ; i < bb->count ; i++) {
+- u64 internal_bb = *p++;
++ u64 internal_bb = p[i];
+ u64 store_bb = ((BB_OFFSET(internal_bb) << 10)
+ | BB_LEN(internal_bb));
+- *bbp++ = cpu_to_le64(store_bb);
++ bbp[i] = cpu_to_le64(store_bb);
+ }
+ bb->changed = 0;
+ if (read_seqretry(&bb->lock, seq))
+@@ -7907,9 +7907,9 @@ int md_is_badblock(struct badblocks *bb, sector_t s, int sectors,
+ sector_t *first_bad, int *bad_sectors)
+ {
+ int hi;
+- int lo = 0;
++ int lo;
+ u64 *p = bb->page;
+- int rv = 0;
++ int rv;
+ sector_t target = s + sectors;
+ unsigned seq;
+
+@@ -7924,7 +7924,8 @@ int md_is_badblock(struct badblocks *bb, sector_t s, int sectors,
+
+ retry:
+ seq = read_seqbegin(&bb->lock);
+-
++ lo = 0;
++ rv = 0;
+ hi = bb->count;
+
+ /* Binary search between lo and hi for 'target'
+diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
+index a48c215..c52d893 100644
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -499,7 +499,7 @@ static void raid10_end_write_request(struct bio *bio, int error)
+ */
+ one_write_done(r10_bio);
+ if (dec_rdev)
+- rdev_dec_pending(conf->mirrors[dev].rdev, conf->mddev);
++ rdev_dec_pending(rdev, conf->mddev);
+ }
+
+ /*
+@@ -1287,18 +1287,21 @@ retry_write:
+ blocked_rdev = rrdev;
+ break;
+ }
++ if (rdev && (test_bit(Faulty, &rdev->flags)
++ || test_bit(Unmerged, &rdev->flags)))
++ rdev = NULL;
+ if (rrdev && (test_bit(Faulty, &rrdev->flags)
+ || test_bit(Unmerged, &rrdev->flags)))
+ rrdev = NULL;
+
+ r10_bio->devs[i].bio = NULL;
+ r10_bio->devs[i].repl_bio = NULL;
+- if (!rdev || test_bit(Faulty, &rdev->flags) ||
+- test_bit(Unmerged, &rdev->flags)) {
++
++ if (!rdev && !rrdev) {
+ set_bit(R10BIO_Degraded, &r10_bio->state);
+ continue;
+ }
+- if (test_bit(WriteErrorSeen, &rdev->flags)) {
++ if (rdev && test_bit(WriteErrorSeen, &rdev->flags)) {
+ sector_t first_bad;
+ sector_t dev_sector = r10_bio->devs[i].addr;
+ int bad_sectors;
+@@ -1340,8 +1343,10 @@ retry_write:
+ max_sectors = good_sectors;
+ }
+ }
+- r10_bio->devs[i].bio = bio;
+- atomic_inc(&rdev->nr_pending);
++ if (rdev) {
++ r10_bio->devs[i].bio = bio;
++ atomic_inc(&rdev->nr_pending);
++ }
+ if (rrdev) {
+ r10_bio->devs[i].repl_bio = bio;
+ atomic_inc(&rrdev->nr_pending);
+@@ -1397,58 +1402,57 @@ retry_write:
+ for (i = 0; i < conf->copies; i++) {
+ struct bio *mbio;
+ int d = r10_bio->devs[i].devnum;
+- if (!r10_bio->devs[i].bio)
+- continue;
+-
+- mbio = bio_clone_mddev(bio, GFP_NOIO, mddev);
+- md_trim_bio(mbio, r10_bio->sector - bio->bi_sector,
+- max_sectors);
+- r10_bio->devs[i].bio = mbio;
+-
+- mbio->bi_sector = (r10_bio->devs[i].addr+
+- choose_data_offset(r10_bio,
+- conf->mirrors[d].rdev));
+- mbio->bi_bdev = conf->mirrors[d].rdev->bdev;
+- mbio->bi_end_io = raid10_end_write_request;
+- mbio->bi_rw = WRITE | do_sync | do_fua;
+- mbio->bi_private = r10_bio;
+
+- atomic_inc(&r10_bio->remaining);
+- spin_lock_irqsave(&conf->device_lock, flags);
+- bio_list_add(&conf->pending_bio_list, mbio);
+- conf->pending_count++;
+- spin_unlock_irqrestore(&conf->device_lock, flags);
+- if (!mddev_check_plugged(mddev))
+- md_wakeup_thread(mddev->thread);
+-
+- if (!r10_bio->devs[i].repl_bio)
+- continue;
++ if (r10_bio->devs[i].bio) {
++ struct md_rdev *rdev = conf->mirrors[d].rdev;
++ mbio = bio_clone_mddev(bio, GFP_NOIO, mddev);
++ md_trim_bio(mbio, r10_bio->sector - bio->bi_sector,
++ max_sectors);
++ r10_bio->devs[i].bio = mbio;
++
++ mbio->bi_sector = (r10_bio->devs[i].addr +
++ choose_data_offset(r10_bio, rdev));
++ mbio->bi_bdev = rdev->bdev;
++ mbio->bi_end_io = raid10_end_write_request;
++ mbio->bi_rw = WRITE | do_sync | do_fua;
++ mbio->bi_private = r10_bio;
+
+- mbio = bio_clone_mddev(bio, GFP_NOIO, mddev);
+- md_trim_bio(mbio, r10_bio->sector - bio->bi_sector,
+- max_sectors);
+- r10_bio->devs[i].repl_bio = mbio;
++ atomic_inc(&r10_bio->remaining);
++ spin_lock_irqsave(&conf->device_lock, flags);
++ bio_list_add(&conf->pending_bio_list, mbio);
++ conf->pending_count++;
++ spin_unlock_irqrestore(&conf->device_lock, flags);
++ if (!mddev_check_plugged(mddev))
++ md_wakeup_thread(mddev->thread);
++ }
+
+- /* We are actively writing to the original device
+- * so it cannot disappear, so the replacement cannot
+- * become NULL here
+- */
+- mbio->bi_sector = (r10_bio->devs[i].addr +
+- choose_data_offset(
+- r10_bio,
+- conf->mirrors[d].replacement));
+- mbio->bi_bdev = conf->mirrors[d].replacement->bdev;
+- mbio->bi_end_io = raid10_end_write_request;
+- mbio->bi_rw = WRITE | do_sync | do_fua;
+- mbio->bi_private = r10_bio;
++ if (r10_bio->devs[i].repl_bio) {
++ struct md_rdev *rdev = conf->mirrors[d].replacement;
++ if (rdev == NULL) {
++ /* Replacement just got moved to main 'rdev' */
++ smp_mb();
++ rdev = conf->mirrors[d].rdev;
++ }
++ mbio = bio_clone_mddev(bio, GFP_NOIO, mddev);
++ md_trim_bio(mbio, r10_bio->sector - bio->bi_sector,
++ max_sectors);
++ r10_bio->devs[i].repl_bio = mbio;
++
++ mbio->bi_sector = (r10_bio->devs[i].addr +
++ choose_data_offset(r10_bio, rdev));
++ mbio->bi_bdev = rdev->bdev;
++ mbio->bi_end_io = raid10_end_write_request;
++ mbio->bi_rw = WRITE | do_sync | do_fua;
++ mbio->bi_private = r10_bio;
+
+- atomic_inc(&r10_bio->remaining);
+- spin_lock_irqsave(&conf->device_lock, flags);
+- bio_list_add(&conf->pending_bio_list, mbio);
+- conf->pending_count++;
+- spin_unlock_irqrestore(&conf->device_lock, flags);
+- if (!mddev_check_plugged(mddev))
+- md_wakeup_thread(mddev->thread);
++ atomic_inc(&r10_bio->remaining);
++ spin_lock_irqsave(&conf->device_lock, flags);
++ bio_list_add(&conf->pending_bio_list, mbio);
++ conf->pending_count++;
++ spin_unlock_irqrestore(&conf->device_lock, flags);
++ if (!mddev_check_plugged(mddev))
++ md_wakeup_thread(mddev->thread);
++ }
+ }
+
+ /* Don't remove the bias on 'remaining' (one_write_done) until
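Review bot: The `smp_mb()` added in the replacement branch carries no comment naming the writer-side barrier it pairs with; `Replacement just got moved to main 'rdev'` says what happened, not which ordering the reader relies on. After the fallback `rdev = conf->mirrors[d].rdev;` the pointer is dereferenced (`rdev->bdev`) with no NULL check, so the branch depends on the `nr_pending` reference taken earlier keeping one of the two pointers valid. The removed comment ("so the replacement cannot become NULL here") stated that kind of invariant, and the new code should carry an equivalent one next to the barrier. The enclosing function starts and ends outside the hunk.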
+diff --git a/drivers/mmc/host/sdhci-s3c.c b/drivers/mmc/host/sdhci-s3c.c
+index a50c205..02b7a4a 100644
+--- a/drivers/mmc/host/sdhci-s3c.c
++++ b/drivers/mmc/host/sdhci-s3c.c
+@@ -656,7 +656,7 @@ static int __devexit sdhci_s3c_remove(struct platform_device *pdev)
+
+ pm_runtime_disable(&pdev->dev);
+
+- for (ptr = 0; ptr < 3; ptr++) {
++ for (ptr = 0; ptr < MAX_BUS_CLK; ptr++) {
+ if (sc->clk_bus[ptr]) {
+ clk_disable(sc->clk_bus[ptr]);
+ clk_put(sc->clk_bus[ptr]);
+diff --git a/drivers/mtd/devices/slram.c b/drivers/mtd/devices/slram.c
+index 8f52fc8..5a5cd2a 100644
+--- a/drivers/mtd/devices/slram.c
++++ b/drivers/mtd/devices/slram.c
+@@ -240,7 +240,7 @@ static int parse_cmdline(char *devname, char *szstart, char *szlength)
+
+ if (*(szlength) != '+') {
+ devlength = simple_strtoul(szlength, &buffer, 0);
+- devlength = handle_unit(devlength, buffer) - devstart;
++ devlength = handle_unit(devlength, buffer);
+ if (devlength < devstart)
+ goto err_out;
+
+diff --git a/drivers/mtd/ofpart.c b/drivers/mtd/ofpart.c
+index 64be8f0..d9127e2 100644
+--- a/drivers/mtd/ofpart.c
++++ b/drivers/mtd/ofpart.c
+@@ -121,7 +121,7 @@ static int parse_ofoldpart_partitions(struct mtd_info *master,
+ nr_parts = plen / sizeof(part[0]);
+
+ *pparts = kzalloc(nr_parts * sizeof(*(*pparts)), GFP_KERNEL);
+- if (!pparts)
++ if (!*pparts)
+ return -ENOMEM;
+
+ names = of_get_property(dp, "partition-names", &plen);
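Review bot: The allocation directly above the corrected NULL test still multiplies `nr_parts * sizeof(*(*pparts))` by hand, with `nr_parts` derived from the length of a device-tree property (`plen / sizeof(part[0])`). The overflow-checked form is `*pparts = kcalloc(nr_parts, sizeof(**pparts), GFP_KERNEL);`. The visible lines also do not reject `nr_parts == 0`; an earlier check may cover that, but it is outside the hunk. parse_ofoldpart_partitions starts and ends outside the hunk.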
+diff --git a/drivers/net/can/usb/peak_usb/pcan_usb.c b/drivers/net/can/usb/peak_usb/pcan_usb.c
+index 86f26a1..25723d8 100644
+--- a/drivers/net/can/usb/peak_usb/pcan_usb.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb.c
+@@ -519,8 +519,10 @@ static int pcan_usb_decode_error(struct pcan_usb_msg_context *mc, u8 n,
+ mc->pdev->dev.can.state = new_state;
+
+ if (status_len & PCAN_USB_STATUSLEN_TIMESTAMP) {
++ struct skb_shared_hwtstamps *hwts = skb_hwtstamps(skb);
++
+ peak_usb_get_ts_tv(&mc->pdev->time_ref, mc->ts16, &tv);
+- skb->tstamp = timeval_to_ktime(tv);
++ hwts->hwtstamp = timeval_to_ktime(tv);
+ }
+
+ netif_rx(skb);
+@@ -605,6 +607,7 @@ static int pcan_usb_decode_data(struct pcan_usb_msg_context *mc, u8 status_len)
+ struct sk_buff *skb;
+ struct can_frame *cf;
+ struct timeval tv;
++ struct skb_shared_hwtstamps *hwts;
+
+ skb = alloc_can_skb(mc->netdev, &cf);
+ if (!skb)
+@@ -652,7 +655,8 @@ static int pcan_usb_decode_data(struct pcan_usb_msg_context *mc, u8 status_len)
+
+ /* convert timestamp into kernel time */
+ peak_usb_get_ts_tv(&mc->pdev->time_ref, mc->ts16, &tv);
+- skb->tstamp = timeval_to_ktime(tv);
++ hwts = skb_hwtstamps(skb);
++ hwts->hwtstamp = timeval_to_ktime(tv);
+
+ /* push the skb */
+ netif_rx(skb);
+diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_pro.c b/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
+index 629c4ba..c95913a 100644
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
+@@ -532,6 +532,7 @@ static int pcan_usb_pro_handle_canmsg(struct pcan_usb_pro_interface *usb_if,
+ struct can_frame *can_frame;
+ struct sk_buff *skb;
+ struct timeval tv;
++ struct skb_shared_hwtstamps *hwts;
+
+ skb = alloc_can_skb(netdev, &can_frame);
+ if (!skb)
+@@ -549,7 +550,8 @@ static int pcan_usb_pro_handle_canmsg(struct pcan_usb_pro_interface *usb_if,
+ memcpy(can_frame->data, rx->data, can_frame->can_dlc);
+
+ peak_usb_get_ts_tv(&usb_if->time_ref, le32_to_cpu(rx->ts32), &tv);
+- skb->tstamp = timeval_to_ktime(tv);
++ hwts = skb_hwtstamps(skb);
++ hwts->hwtstamp = timeval_to_ktime(tv);
+
+ netif_rx(skb);
+ netdev->stats.rx_packets++;
+@@ -570,6 +572,7 @@ static int pcan_usb_pro_handle_error(struct pcan_usb_pro_interface *usb_if,
+ u8 err_mask = 0;
+ struct sk_buff *skb;
+ struct timeval tv;
++ struct skb_shared_hwtstamps *hwts;
+
+ /* nothing should be sent while in BUS_OFF state */
+ if (dev->can.state == CAN_STATE_BUS_OFF)
+@@ -664,7 +667,8 @@ static int pcan_usb_pro_handle_error(struct pcan_usb_pro_interface *usb_if,
+ dev->can.state = new_state;
+
+ peak_usb_get_ts_tv(&usb_if->time_ref, le32_to_cpu(er->ts32), &tv);
+- skb->tstamp = timeval_to_ktime(tv);
++ hwts = skb_hwtstamps(skb);
++ hwts->hwtstamp = timeval_to_ktime(tv);
+ netif_rx(skb);
+ netdev->stats.rx_packets++;
+ netdev->stats.rx_bytes += can_frame->can_dlc;
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
+index 90e41db..dbf37e4 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
+@@ -70,6 +70,7 @@ static s32 ixgbe_device_supports_autoneg_fc(struct ixgbe_hw *hw)
+
+ switch (hw->device_id) {
+ case IXGBE_DEV_ID_X540T:
++ case IXGBE_DEV_ID_X540T1:
+ return 0;
+ case IXGBE_DEV_ID_82599_T3_LOM:
+ return 0;
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 4326f74..1fff36d 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -114,6 +114,7 @@ static DEFINE_PCI_DEVICE_TABLE(ixgbe_pci_tbl) = {
+ {PCI_VDEVICE(INTEL, IXGBE_DEV_ID_82599_LS), board_82599 },
+ {PCI_VDEVICE(INTEL, IXGBE_DEV_ID_82599EN_SFP), board_82599 },
+ {PCI_VDEVICE(INTEL, IXGBE_DEV_ID_82599_SFP_SF_QP), board_82599 },
++ {PCI_VDEVICE(INTEL, IXGBE_DEV_ID_X540T1), board_X540 },
+ /* required last entry */
+ {0, }
+ };
+@@ -7010,6 +7011,7 @@ int ixgbe_wol_supported(struct ixgbe_adapter *adapter, u16 device_id,
+ is_wol_supported = 1;
+ break;
+ case IXGBE_DEV_ID_X540T:
++ case IXGBE_DEV_ID_X540T1:
+ /* check eeprom to see if enabled wol */
+ if ((wol_cap == IXGBE_DEVICE_CAPS_WOL_PORT0_1) ||
+ ((wol_cap == IXGBE_DEVICE_CAPS_WOL_PORT0) &&
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
+index 400f86a..0722f33 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
+@@ -65,6 +65,7 @@
+ #define IXGBE_DEV_ID_82599_LS 0x154F
+ #define IXGBE_DEV_ID_X540T 0x1528
+ #define IXGBE_DEV_ID_82599_SFP_SF_QP 0x154A
++#define IXGBE_DEV_ID_X540T1 0x1560
+
+ /* VF Device IDs */
+ #define IXGBE_DEV_ID_82599_VF 0x10ED
+diff --git a/drivers/net/wireless/iwlwifi/dvm/mac80211.c b/drivers/net/wireless/iwlwifi/dvm/mac80211.c
+index a5f7bce..7a2cf52 100644
+--- a/drivers/net/wireless/iwlwifi/dvm/mac80211.c
++++ b/drivers/net/wireless/iwlwifi/dvm/mac80211.c
+@@ -1352,6 +1352,20 @@ static int iwlagn_mac_add_interface(struct ieee80211_hw *hw,
+ vif_priv->ctx = ctx;
+ ctx->vif = vif;
+
++ /*
++ * In SNIFFER device type, the firmware reports the FCS to
++ * the host, rather than snipping it off. Unfortunately,
++ * mac80211 doesn't (yet) provide a per-packet flag for
++ * this, so that we have to set the hardware flag based
++ * on the interfaces added. As the monitor interface can
++ * only be present by itself, and will be removed before
++ * other interfaces are added, this is safe.
++ */
++ if (vif->type == NL80211_IFTYPE_MONITOR)
++ priv->hw->flags |= IEEE80211_HW_RX_INCLUDES_FCS;
++ else
++ priv->hw->flags &= ~IEEE80211_HW_RX_INCLUDES_FCS;
++
+ err = iwl_setup_interface(priv, ctx);
+ if (!err || reset)
+ goto out;
+diff --git a/drivers/net/wireless/iwlwifi/pcie/tx.c b/drivers/net/wireless/iwlwifi/pcie/tx.c
+index 6baf8de..b9d6152 100644
+--- a/drivers/net/wireless/iwlwifi/pcie/tx.c
++++ b/drivers/net/wireless/iwlwifi/pcie/tx.c
+@@ -480,20 +480,12 @@ void iwl_trans_pcie_txq_enable(struct iwl_trans *trans, int txq_id, int fifo,
+ void iwl_trans_pcie_txq_disable(struct iwl_trans *trans, int txq_id)
+ {
+ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+- u16 rd_ptr, wr_ptr;
+- int n_bd = trans_pcie->txq[txq_id].q.n_bd;
+
+ if (!test_and_clear_bit(txq_id, trans_pcie->queue_used)) {
+ WARN_ONCE(1, "queue %d not used", txq_id);
+ return;
+ }
+
+- rd_ptr = iwl_read_prph(trans, SCD_QUEUE_RDPTR(txq_id)) & (n_bd - 1);
+- wr_ptr = iwl_read_prph(trans, SCD_QUEUE_WRPTR(txq_id));
+-
+- WARN_ONCE(rd_ptr != wr_ptr, "queue %d isn't empty: [%d,%d]",
+- txq_id, rd_ptr, wr_ptr);
+-
+ iwl_txq_set_inactive(trans, txq_id);
+ IWL_DEBUG_TX_QUEUES(trans, "Deactivate queue %d\n", txq_id);
+ }
+diff --git a/drivers/net/wireless/mwifiex/cmdevt.c b/drivers/net/wireless/mwifiex/cmdevt.c
+index 565527a..95382f1 100644
+--- a/drivers/net/wireless/mwifiex/cmdevt.c
++++ b/drivers/net/wireless/mwifiex/cmdevt.c
+@@ -887,9 +887,6 @@ mwifiex_cmd_timeout_func(unsigned long function_context)
+ return;
+ }
+ cmd_node = adapter->curr_cmd;
+- if (cmd_node->wait_q_enabled)
+- adapter->cmd_wait_q.status = -ETIMEDOUT;
+-
+ if (cmd_node) {
+ adapter->dbg.timeout_cmd_id =
+ adapter->dbg.last_cmd_id[adapter->dbg.last_cmd_index];
+@@ -935,6 +932,14 @@ mwifiex_cmd_timeout_func(unsigned long function_context)
+
+ dev_err(adapter->dev, "ps_mode=%d ps_state=%d\n",
+ adapter->ps_mode, adapter->ps_state);
++
++ if (cmd_node->wait_q_enabled) {
++ adapter->cmd_wait_q.status = -ETIMEDOUT;
++ wake_up_interruptible(&adapter->cmd_wait_q.wait);
++ mwifiex_cancel_pending_ioctl(adapter);
++ /* reset cmd_sent flag to unblock new commands */
++ adapter->cmd_sent = false;
++ }
+ }
+ if (adapter->hw_status == MWIFIEX_HW_STATUS_INITIALIZING)
+ mwifiex_init_fw_complete(adapter);
+diff --git a/drivers/net/wireless/mwifiex/sdio.c b/drivers/net/wireless/mwifiex/sdio.c
+index fc8a9bf..82cf0fa 100644
+--- a/drivers/net/wireless/mwifiex/sdio.c
++++ b/drivers/net/wireless/mwifiex/sdio.c
+@@ -161,7 +161,6 @@ static int mwifiex_sdio_suspend(struct device *dev)
+ struct sdio_mmc_card *card;
+ struct mwifiex_adapter *adapter;
+ mmc_pm_flag_t pm_flag = 0;
+- int hs_actived = 0;
+ int i;
+ int ret = 0;
+
+@@ -188,12 +187,14 @@ static int mwifiex_sdio_suspend(struct device *dev)
+ adapter = card->adapter;
+
+ /* Enable the Host Sleep */
+- hs_actived = mwifiex_enable_hs(adapter);
+- if (hs_actived) {
+- pr_debug("cmd: suspend with MMC_PM_KEEP_POWER\n");
+- ret = sdio_set_host_pm_flags(func, MMC_PM_KEEP_POWER);
++ if (!mwifiex_enable_hs(adapter)) {
++ dev_err(adapter->dev, "cmd: failed to suspend\n");
++ return -EFAULT;
+ }
+
++ dev_dbg(adapter->dev, "cmd: suspend with MMC_PM_KEEP_POWER\n");
++ ret = sdio_set_host_pm_flags(func, MMC_PM_KEEP_POWER);
++
+ /* Indicate device suspended */
+ adapter->is_suspended = true;
+
+diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+index 9970c2b..b7e6607 100644
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+@@ -297,6 +297,7 @@ static struct usb_device_id rtl8192c_usb_ids[] = {
+ /*=== Customer ID ===*/
+ /****** 8188CU ********/
+ {RTL_USB_DEVICE(0x050d, 0x1102, rtl92cu_hal_cfg)}, /*Belkin - Edimax*/
++ {RTL_USB_DEVICE(0x050d, 0x11f2, rtl92cu_hal_cfg)}, /*Belkin - ISY*/
+ {RTL_USB_DEVICE(0x06f8, 0xe033, rtl92cu_hal_cfg)}, /*Hercules - Edimax*/
+ {RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/
+ {RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/
+diff --git a/drivers/nfc/pn533.c b/drivers/nfc/pn533.c
+index d606f52..83ba14e 100644
+--- a/drivers/nfc/pn533.c
++++ b/drivers/nfc/pn533.c
+@@ -1618,11 +1618,14 @@ static void pn533_deactivate_target(struct nfc_dev *nfc_dev,
+ static int pn533_in_dep_link_up_complete(struct pn533 *dev, void *arg,
+ u8 *params, int params_len)
+ {
+- struct pn533_cmd_jump_dep *cmd;
+ struct pn533_cmd_jump_dep_response *resp;
+ struct nfc_target nfc_target;
+ u8 target_gt_len;
+ int rc;
++ struct pn533_cmd_jump_dep *cmd = (struct pn533_cmd_jump_dep *)arg;
++ u8 active = cmd->active;
++
++ kfree(arg);
+
+ if (params_len == -ENOENT) {
+ nfc_dev_dbg(&dev->interface->dev, "");
+@@ -1644,7 +1647,6 @@ static int pn533_in_dep_link_up_complete(struct pn533 *dev, void *arg,
+ }
+
+ resp = (struct pn533_cmd_jump_dep_response *) params;
+- cmd = (struct pn533_cmd_jump_dep *) arg;
+ rc = resp->status & PN533_CMD_RET_MASK;
+ if (rc != PN533_CMD_RET_SUCCESS) {
+ nfc_dev_err(&dev->interface->dev,
+@@ -1674,7 +1676,7 @@ static int pn533_in_dep_link_up_complete(struct pn533 *dev, void *arg,
+ if (rc == 0)
+ rc = nfc_dep_link_is_up(dev->nfc_dev,
+ dev->nfc_dev->targets[0].idx,
+- !cmd->active, NFC_RF_INITIATOR);
++ !active, NFC_RF_INITIATOR);
+
+ return 0;
+ }
+@@ -1759,12 +1761,8 @@ static int pn533_dep_link_up(struct nfc_dev *nfc_dev, struct nfc_target *target,
+ rc = pn533_send_cmd_frame_async(dev, dev->out_frame, dev->in_frame,
+ dev->in_maxlen, pn533_in_dep_link_up_complete,
+ cmd, GFP_KERNEL);
+- if (rc)
+- goto out;
+-
+-
+-out:
+- kfree(cmd);
++ if (rc < 0)
++ kfree(cmd);
+
+ return rc;
+ }
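Review bot: Ownership of `cmd` now depends on the return value of pn533_send_cmd_frame_async(), and nothing at the call site says so: on success the buffer is freed in pn533_in_dep_link_up_complete(), on failure it is freed here. A comment above the check, e.g. `/* on success cmd is owned and freed by pn533_in_dep_link_up_complete() */`, would keep a later edit from bringing back the early free that this change removes. The test here is `rc < 0` while pn533_tm_send() in the same patch tests `if (rc)`. If the helper can return a positive value (not visible here), `cmd` would leak on that path, so the two call sites should use one convention. pn533_dep_link_up starts outside the hunk.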
+@@ -2018,8 +2016,12 @@ error:
+ static int pn533_tm_send_complete(struct pn533 *dev, void *arg,
+ u8 *params, int params_len)
+ {
++ struct sk_buff *skb_out = arg;
++
+ nfc_dev_dbg(&dev->interface->dev, "%s", __func__);
+
++ dev_kfree_skb(skb_out);
++
+ if (params_len < 0) {
+ nfc_dev_err(&dev->interface->dev,
+ "Error %d when sending data",
+@@ -2057,7 +2059,7 @@ static int pn533_tm_send(struct nfc_dev *nfc_dev, struct sk_buff *skb)
+
+ rc = pn533_send_cmd_frame_async(dev, out_frame, dev->in_frame,
+ dev->in_maxlen, pn533_tm_send_complete,
+- NULL, GFP_KERNEL);
++ skb, GFP_KERNEL);
+ if (rc) {
+ nfc_dev_err(&dev->interface->dev,
+ "Error %d when trying to send data", rc);
+diff --git a/drivers/scsi/isci/request.c b/drivers/scsi/isci/request.c
+index 7a0431c..94483c9 100644
+--- a/drivers/scsi/isci/request.c
++++ b/drivers/scsi/isci/request.c
+@@ -1972,7 +1972,7 @@ sci_io_request_frame_handler(struct isci_request *ireq,
+ frame_index,
+ (void **)&frame_buffer);
+
+- sci_controller_copy_sata_response(&ireq->stp.req,
++ sci_controller_copy_sata_response(&ireq->stp.rsp,
+ frame_header,
+ frame_buffer);
+
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index 101b41c..82e1fde3 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -979,8 +979,6 @@ static void update_backups(struct super_block *sb,
+ goto exit_err;
+ }
+
+- ext4_superblock_csum_set(sb);
+-
+ while ((group = ext4_list_backups(sb, &three, &five, &seven)) < last) {
+ struct buffer_head *bh;
+
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index 5602d73..af321a6 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -228,6 +228,8 @@ static void requeue_io(struct inode *inode, struct bdi_writeback *wb)
+ static void inode_sync_complete(struct inode *inode)
+ {
+ inode->i_state &= ~I_SYNC;
++ /* If inode is clean an unused, put it into LRU now... */
++ inode_add_lru(inode);
+ /* Waiters must see I_SYNC cleared before being woken up */
+ smp_mb();
+ wake_up_bit(&inode->i_state, __I_SYNC);
+diff --git a/fs/inode.c b/fs/inode.c
+index ac8d904..7c14897 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -408,6 +408,19 @@ static void inode_lru_list_add(struct inode *inode)
+ spin_unlock(&inode->i_sb->s_inode_lru_lock);
+ }
+
++/*
++ * Add inode to LRU if needed (inode is unused and clean).
++ *
++ * Needs inode->i_lock held.
++ */
++void inode_add_lru(struct inode *inode)
++{
++ if (!(inode->i_state & (I_DIRTY | I_SYNC | I_FREEING | I_WILL_FREE)) &&
++ !atomic_read(&inode->i_count) && inode->i_sb->s_flags & MS_ACTIVE)
++ inode_lru_list_add(inode);
++}
++
++
+ static void inode_lru_list_del(struct inode *inode)
+ {
+ spin_lock(&inode->i_sb->s_inode_lru_lock);
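Review bot: inode_add_lru() states `Needs inode->i_lock held.` only in its comment, and nothing enforces it. The function is now reachable from fs-writeback.c through fs/internal.h, so `lockdep_assert_held(&inode->i_lock);` as its first statement would catch a caller that tests `i_state` and `i_count` unlocked. The condition also mixes `&&` with an unparenthesised `&`; writing `(inode->i_sb->s_flags & MS_ACTIVE)` matches the form already used in iput_final() and removes any doubt about precedence.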
+@@ -1390,8 +1403,7 @@ static void iput_final(struct inode *inode)
+
+ if (!drop && (sb->s_flags & MS_ACTIVE)) {
+ inode->i_state |= I_REFERENCED;
+- if (!(inode->i_state & (I_DIRTY|I_SYNC)))
+- inode_lru_list_add(inode);
++ inode_add_lru(inode);
+ spin_unlock(&inode->i_lock);
+ return;
+ }
+diff --git a/fs/internal.h b/fs/internal.h
+index 371bcc4..52813bd 100644
+--- a/fs/internal.h
++++ b/fs/internal.h
+@@ -110,6 +110,7 @@ extern int open_check_o_direct(struct file *f);
+ * inode.c
+ */
+ extern spinlock_t inode_sb_list_lock;
++extern void inode_add_lru(struct inode *inode);
+
+ /*
+ * fs-writeback.c
+diff --git a/fs/jbd/transaction.c b/fs/jbd/transaction.c
+index 78b7f84..7f5120b 100644
+--- a/fs/jbd/transaction.c
++++ b/fs/jbd/transaction.c
+@@ -1961,7 +1961,9 @@ retry:
+ spin_unlock(&journal->j_list_lock);
+ jbd_unlock_bh_state(bh);
+ spin_unlock(&journal->j_state_lock);
++ unlock_buffer(bh);
+ log_wait_commit(journal, tid);
++ lock_buffer(bh);
+ goto retry;
+ }
+ /*
+diff --git a/fs/jffs2/file.c b/fs/jffs2/file.c
+index db3889b..8608f87 100644
+--- a/fs/jffs2/file.c
++++ b/fs/jffs2/file.c
+@@ -138,33 +138,39 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
+ struct page *pg;
+ struct inode *inode = mapping->host;
+ struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
++ struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb);
++ struct jffs2_raw_inode ri;
++ uint32_t alloc_len = 0;
+ pgoff_t index = pos >> PAGE_CACHE_SHIFT;
+ uint32_t pageofs = index << PAGE_CACHE_SHIFT;
+ int ret = 0;
+
++ jffs2_dbg(1, "%s()\n", __func__);
++
++ if (pageofs > inode->i_size) {
++ ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len,
++ ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE);
++ if (ret)
++ return ret;
++ }
++
++ mutex_lock(&f->sem);
+ pg = grab_cache_page_write_begin(mapping, index, flags);
+- if (!pg)
++ if (!pg) {
++ if (alloc_len)
++ jffs2_complete_reservation(c);
++ mutex_unlock(&f->sem);
+ return -ENOMEM;
++ }
+ *pagep = pg;
+
+- jffs2_dbg(1, "%s()\n", __func__);
+-
+- if (pageofs > inode->i_size) {
++ if (alloc_len) {
+ /* Make new hole frag from old EOF to new page */
+- struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb);
+- struct jffs2_raw_inode ri;
+ struct jffs2_full_dnode *fn;
+- uint32_t alloc_len;
+
+ jffs2_dbg(1, "Writing new hole frag 0x%x-0x%x between current EOF and new page\n",
+ (unsigned int)inode->i_size, pageofs);
+
+- ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len,
+- ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE);
+- if (ret)
+- goto out_page;
+-
+- mutex_lock(&f->sem);
+ memset(&ri, 0, sizeof(ri));
+
+ ri.magic = cpu_to_je16(JFFS2_MAGIC_BITMASK);
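Review bot: With `mutex_lock(&f->sem)` moved ahead of `grab_cache_page_write_begin()`, `f->sem` is now acquired before the page lock and held across the page-cache lookup. Any path that takes `f->sem` while already holding a page lock would invert this order and could deadlock against write_begin; the read side is not visible here, so this needs checking against jffs2's readpage path. The lock order this function now establishes should be written down in a comment at the `mutex_lock` call, e.g. `/* lock order: reservation, then f->sem, then page lock */`. jffs2_write_begin continues outside this hunk.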
+@@ -191,7 +197,6 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
+ if (IS_ERR(fn)) {
+ ret = PTR_ERR(fn);
+ jffs2_complete_reservation(c);
+- mutex_unlock(&f->sem);
+ goto out_page;
+ }
+ ret = jffs2_add_full_dnode_to_inode(c, f, fn);
+@@ -206,12 +211,10 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
+ jffs2_mark_node_obsolete(c, fn->raw);
+ jffs2_free_full_dnode(fn);
+ jffs2_complete_reservation(c);
+- mutex_unlock(&f->sem);
+ goto out_page;
+ }
+ jffs2_complete_reservation(c);
+ inode->i_size = pageofs;
+- mutex_unlock(&f->sem);
+ }
+
+ /*
+@@ -220,18 +223,18 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
+ * case of a short-copy.
+ */
+ if (!PageUptodate(pg)) {
+- mutex_lock(&f->sem);
+ ret = jffs2_do_readpage_nolock(inode, pg);
+- mutex_unlock(&f->sem);
+ if (ret)
+ goto out_page;
+ }
++ mutex_unlock(&f->sem);
+ jffs2_dbg(1, "end write_begin(). pg->flags %lx\n", pg->flags);
+ return ret;
+
+ out_page:
+ unlock_page(pg);
+ page_cache_release(pg);
++ mutex_unlock(&f->sem);
+ return ret;
+ }
+
+diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c
+index 0b311bc..6a37656 100644
+--- a/fs/pstore/ram.c
++++ b/fs/pstore/ram.c
+@@ -406,7 +406,7 @@ static int __devinit ramoops_probe(struct platform_device *pdev)
+ goto fail_init_fprz;
+
+ if (!cxt->przs && !cxt->cprz && !cxt->fprz) {
+- pr_err("memory size too small, minimum is %lu\n",
++ pr_err("memory size too small, minimum is %zu\n",
+ cxt->console_size + cxt->record_size +
+ cxt->ftrace_size);
+ goto fail_cnt;
+diff --git a/include/drm/drm_pciids.h b/include/drm/drm_pciids.h
+index af1cbaf..c5c35e6 100644
+--- a/include/drm/drm_pciids.h
++++ b/include/drm/drm_pciids.h
+@@ -210,6 +210,7 @@
+ {0x1002, 0x6798, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_TAHITI|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x6799, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_TAHITI|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x679A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_TAHITI|RADEON_NEW_MEMMAP}, \
++ {0x1002, 0x679B, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_TAHITI|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x679E, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_TAHITI|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x679F, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_TAHITI|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x6800, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PITCAIRN|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
+diff --git a/kernel/futex.c b/kernel/futex.c
+index 20ef219..19eb089 100644
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -843,6 +843,9 @@ static void wake_futex(struct futex_q *q)
+ {
+ struct task_struct *p = q->task;
+
++ if (WARN(q->pi_state || q->rt_waiter, "refusing to wake PI futex\n"))
++ return;
++
+ /*
+ * We set q->lock_ptr = NULL _before_ we wake up the task. If
+ * a non-futex wake up happens on another CPU then the task
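Review bot: The new guard in wake_futex() uses `WARN`, which emits a full backtrace every time the condition is true. The futex_wake_op() hunks in this patch return -EINVAL before reaching it, but whether every other caller of wake_futex() filters `pi_state`/`rt_waiter` first is not visible here. If one does not, the condition can be hit repeatedly from userspace and flood the kernel log. `if (WARN_ONCE(q->pi_state || q->rt_waiter, "refusing to wake PI futex\n"))` keeps the refusal on every call and bounds the output to one report. wake_futex's body continues outside the hunk.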
+@@ -1078,6 +1081,10 @@ retry_private:
+
+ plist_for_each_entry_safe(this, next, head, list) {
+ if (match_futex (&this->key, &key1)) {
++ if (this->pi_state || this->rt_waiter) {
++ ret = -EINVAL;
++ goto out_unlock;
++ }
+ wake_futex(this);
+ if (++ret >= nr_wake)
+ break;
+@@ -1090,6 +1097,10 @@ retry_private:
+ op_ret = 0;
+ plist_for_each_entry_safe(this, next, head, list) {
+ if (match_futex (&this->key, &key2)) {
++ if (this->pi_state || this->rt_waiter) {
++ ret = -EINVAL;
++ goto out_unlock;
++ }
+ wake_futex(this);
+ if (++op_ret >= nr_wake2)
+ break;
+@@ -1098,6 +1109,7 @@ retry_private:
+ ret += op_ret;
+ }
+
++out_unlock:
+ double_unlock_hb(hb1, hb2);
+ out_put_keys:
+ put_futex_key(&key2);
+@@ -1387,9 +1399,13 @@ retry_private:
+ /*
+ * FUTEX_WAIT_REQEUE_PI and FUTEX_CMP_REQUEUE_PI should always
+ * be paired with each other and no other futex ops.
++ *
++ * We should never be requeueing a futex_q with a pi_state,
++ * which is awaiting a futex_unlock_pi().
+ */
+ if ((requeue_pi && !this->rt_waiter) ||
+- (!requeue_pi && this->rt_waiter)) {
++ (!requeue_pi && this->rt_waiter) ||
++ this->pi_state) {
+ ret = -EINVAL;
+ break;
+ }
+diff --git a/kernel/watchdog.c b/kernel/watchdog.c
+index 4b1dfba..775fa0f 100644
+--- a/kernel/watchdog.c
++++ b/kernel/watchdog.c
+@@ -113,7 +113,7 @@ static unsigned long get_timestamp(int this_cpu)
+ return cpu_clock(this_cpu) >> 30LL; /* 2^30 ~= 10^9 */
+ }
+
+-static unsigned long get_sample_period(void)
++static u64 get_sample_period(void)
+ {
+ /*
+ * convert watchdog_thresh from seconds to ns
+@@ -122,7 +122,7 @@ static unsigned long get_sample_period(void)
+ * and hard thresholds) to increment before the
+ * hardlockup detector generates a warning
+ */
+- return get_softlockup_thresh() * (NSEC_PER_SEC / 5);
++ return get_softlockup_thresh() * ((u64)NSEC_PER_SEC / 5);
+ }
+
+ /* Commands for resetting the watchdog */
+diff --git a/lib/mpi/longlong.h b/lib/mpi/longlong.h
+index 29f9862..280405b 100644
+--- a/lib/mpi/longlong.h
++++ b/lib/mpi/longlong.h
+@@ -703,7 +703,14 @@ do { \
+ ************** MIPS *****************
+ ***************************************/
+ #if defined(__mips__) && W_TYPE_SIZE == 32
+-#if __GNUC__ > 2 || __GNUC_MINOR__ >= 7
++#if __GNUC__ >= 4 && __GNUC_MINOR__ >= 4
++#define umul_ppmm(w1, w0, u, v) \
++do { \
++ UDItype __ll = (UDItype)(u) * (v); \
++ w1 = __ll >> 32; \
++ w0 = __ll; \
++} while (0)
++#elif __GNUC__ > 2 || __GNUC_MINOR__ >= 7
+ #define umul_ppmm(w1, w0, u, v) \
+ __asm__ ("multu %2,%3" \
+ : "=l" ((USItype)(w0)), \
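Review bot: The version test `__GNUC__ >= 4 && __GNUC_MINOR__ >= 4` compares the minor number independently of the major one, so it is false for any compiler with a major version above 4 and a minor below 4 (5.1, say). Such a compiler falls through to the `#elif` and gets the inline-asm `umul_ppmm` that the new branch is meant to replace. The test should be `#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 4)`. The MIPS/64 hunk that follows uses the same condition and needs the same change.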
+@@ -728,7 +735,15 @@ do { \
+ ************** MIPS/64 **************
+ ***************************************/
+ #if (defined(__mips) && __mips >= 3) && W_TYPE_SIZE == 64
+-#if __GNUC__ > 2 || __GNUC_MINOR__ >= 7
++#if __GNUC__ >= 4 && __GNUC_MINOR__ >= 4
++#define umul_ppmm(w1, w0, u, v) \
++do { \
++ typedef unsigned int __ll_UTItype __attribute__((mode(TI))); \
++ __ll_UTItype __ll = (__ll_UTItype)(u) * (v); \
++ w1 = __ll >> 64; \
++ w0 = __ll; \
++} while (0)
++#elif __GNUC__ > 2 || __GNUC_MINOR__ >= 7
+ #define umul_ppmm(w1, w0, u, v) \
+ __asm__ ("dmultu %2,%3" \
+ : "=l" ((UDItype)(w0)), \
+diff --git a/mm/vmscan.c b/mm/vmscan.c
+index a018dfc..40db7d1 100644
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -2176,9 +2176,12 @@ static bool pfmemalloc_watermark_ok(pg_data_t *pgdat)
+ * Throttle direct reclaimers if backing storage is backed by the network
+ * and the PFMEMALLOC reserve for the preferred node is getting dangerously
+ * depleted. kswapd will continue to make progress and wake the processes
+- * when the low watermark is reached
++ * when the low watermark is reached.
++ *
++ * Returns true if a fatal signal was delivered during throttling. If this
++ * happens, the page allocator should not consider triggering the OOM killer.
+ */
+-static void throttle_direct_reclaim(gfp_t gfp_mask, struct zonelist *zonelist,
++static bool throttle_direct_reclaim(gfp_t gfp_mask, struct zonelist *zonelist,
+ nodemask_t *nodemask)
+ {
+ struct zone *zone;
+@@ -2193,13 +2196,20 @@ static void throttle_direct_reclaim(gfp_t gfp_mask, struct zonelist *zonelist,
+ * processes to block on log_wait_commit().
+ */
+ if (current->flags & PF_KTHREAD)
+- return;
++ goto out;
++
++ /*
++ * If a fatal signal is pending, this process should not throttle.
++ * It should return quickly so it can exit and free its memory
++ */
++ if (fatal_signal_pending(current))
++ goto out;
+
+ /* Check if the pfmemalloc reserves are ok */
+ first_zones_zonelist(zonelist, high_zoneidx, NULL, &zone);
+ pgdat = zone->zone_pgdat;
+ if (pfmemalloc_watermark_ok(pgdat))
+- return;
++ goto out;
+
+ /* Account for the throttling */
+ count_vm_event(PGSCAN_DIRECT_THROTTLE);
+@@ -2215,12 +2225,20 @@ static void throttle_direct_reclaim(gfp_t gfp_mask, struct zonelist *zonelist,
+ if (!(gfp_mask & __GFP_FS)) {
+ wait_event_interruptible_timeout(pgdat->pfmemalloc_wait,
+ pfmemalloc_watermark_ok(pgdat), HZ);
+- return;
++
++ goto check_pending;
+ }
+
+ /* Throttle until kswapd wakes the process */
+ wait_event_killable(zone->zone_pgdat->pfmemalloc_wait,
+ pfmemalloc_watermark_ok(pgdat));
++
++check_pending:
++ if (fatal_signal_pending(current))
++ return true;
++
++out:
++ return false;
+ }
+
+ unsigned long try_to_free_pages(struct zonelist *zonelist, int order,
+@@ -2242,13 +2260,12 @@ unsigned long try_to_free_pages(struct zonelist *zonelist, int order,
+ .gfp_mask = sc.gfp_mask,
+ };
+
+- throttle_direct_reclaim(gfp_mask, zonelist, nodemask);
+-
+ /*
+- * Do not enter reclaim if fatal signal is pending. 1 is returned so
+- * that the page allocator does not consider triggering OOM
++ * Do not enter reclaim if fatal signal was delivered while throttled.
++ * 1 is returned so that the page allocator does not OOM kill at this
++ * point.
+ */
+- if (fatal_signal_pending(current))
++ if (throttle_direct_reclaim(gfp_mask, zonelist, nodemask))
+ return 1;
+
+ trace_mm_vmscan_direct_reclaim_begin(order,
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 151b773..3910c1f 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1084,6 +1084,9 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
+ op->sk = sk;
+ op->ifindex = ifindex;
+
++ /* ifindex for timeout events w/o previous frame reception */
++ op->rx_ifindex = ifindex;
++
+ /* initialize uninitialized (kzalloc) structure */
+ hrtimer_init(&op->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
+ op->timer.function = bcm_rx_timeout_handler;
+diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
+index 7260717..20bb371 100644
+--- a/net/core/net-sysfs.c
++++ b/net/core/net-sysfs.c
+@@ -417,6 +417,17 @@ static struct attribute_group netstat_group = {
+ .name = "statistics",
+ .attrs = netstat_attrs,
+ };
++
++#if IS_ENABLED(CONFIG_WIRELESS_EXT) || IS_ENABLED(CONFIG_CFG80211)
++static struct attribute *wireless_attrs[] = {
++ NULL
++};
++
++static struct attribute_group wireless_group = {
++ .name = "wireless",
++ .attrs = wireless_attrs,
++};
++#endif
+ #endif /* CONFIG_SYSFS */
+
+ #ifdef CONFIG_RPS
+@@ -1397,6 +1408,15 @@ int netdev_register_kobject(struct net_device *net)
+ groups++;
+
+ *groups++ = &netstat_group;
++
++#if IS_ENABLED(CONFIG_WIRELESS_EXT) || IS_ENABLED(CONFIG_CFG80211)
++ if (net->ieee80211_ptr)
++ *groups++ = &wireless_group;
++#if IS_ENABLED(CONFIG_WIRELESS_EXT)
++ else if (net->wireless_handlers)
++ *groups++ = &wireless_group;
++#endif
++#endif
+ #endif /* CONFIG_SYSFS */
+
+ error = device_add(dev);
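Review bot: The added `*groups++ = &wireless_group;` stores one more pointer into the device's attribute-group array, and neither the array's declaration nor its size is visible in this hunk. The array has to hold the slot skipped by the `groups++` at the top of the hunk, `netstat_group`, `wireless_group` and the NULL terminator, and nothing here checks that bound. Confirm the declared size covers all four, and add a comment at the declaration listing the slots it reserves so a future group is not appended past the end. netdev_register_kobject starts and ends outside the hunk.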
+diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
+index 327aa07..a5894dd 100644
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -1117,10 +1117,6 @@ int ieee80211_ibss_leave(struct ieee80211_sub_if_data *sdata)
+
+ mutex_lock(&sdata->u.ibss.mtx);
+
+- sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
+- memset(sdata->u.ibss.bssid, 0, ETH_ALEN);
+- sdata->u.ibss.ssid_len = 0;
+-
+ active_ibss = ieee80211_sta_active_ibss(sdata);
+
+ if (!active_ibss && !is_zero_ether_addr(ifibss->bssid)) {
+@@ -1141,6 +1137,10 @@ int ieee80211_ibss_leave(struct ieee80211_sub_if_data *sdata)
+ }
+ }
+
++ ifibss->state = IEEE80211_IBSS_MLME_SEARCH;
++ memset(ifibss->bssid, 0, ETH_ALEN);
++ ifibss->ssid_len = 0;
++
+ sta_info_flush(sdata->local, sdata);
+
+ spin_lock_bh(&ifibss->incomplete_lock);
+diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
+index 7dd983a..83a3592 100644
+--- a/net/nfc/llcp/llcp.c
++++ b/net/nfc/llcp/llcp.c
+@@ -1190,7 +1190,7 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
+ local->remote_miu = LLCP_DEFAULT_MIU;
+ local->remote_lto = LLCP_DEFAULT_LTO;
+
+- list_add(&llcp_devices, &local->list);
++ list_add(&local->list, &llcp_devices);
+
+ return 0;
+
+diff --git a/sound/pci/hda/patch_cirrus.c b/sound/pci/hda/patch_cirrus.c
+index 2bb9bee..10fc710 100644
+--- a/sound/pci/hda/patch_cirrus.c
++++ b/sound/pci/hda/patch_cirrus.c
+@@ -461,6 +461,7 @@ static int parse_output(struct hda_codec *codec)
+ memcpy(cfg->speaker_pins, cfg->line_out_pins,
+ sizeof(cfg->speaker_pins));
+ cfg->line_outs = 0;
++ memset(cfg->line_out_pins, 0, sizeof(cfg->line_out_pins));
+ }
+
+ return 0;
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index f6b5995..e1b7061 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4280,6 +4280,7 @@ static void alc_auto_init_std(struct hda_codec *codec)
+ ((spec)->beep_amp = HDA_COMPOSE_AMP_VAL(nid, 3, idx, dir))
+
+ static const struct snd_pci_quirk beep_white_list[] = {
++ SND_PCI_QUIRK(0x1043, 0x103c, "ASUS", 1),
+ SND_PCI_QUIRK(0x1043, 0x829f, "ASUS", 1),
+ SND_PCI_QUIRK(0x1043, 0x83ce, "EeePC", 1),
+ SND_PCI_QUIRK(0x1043, 0x831a, "EeePC", 1),
+@@ -7089,6 +7090,9 @@ static const struct hda_codec_preset snd_hda_preset_realtek[] = {
+ { .id = 0x10ec0276, .name = "ALC276", .patch = patch_alc269 },
+ { .id = 0x10ec0280, .name = "ALC280", .patch = patch_alc269 },
+ { .id = 0x10ec0282, .name = "ALC282", .patch = patch_alc269 },
++ { .id = 0x10ec0283, .name = "ALC283", .patch = patch_alc269 },
++ { .id = 0x10ec0290, .name = "ALC290", .patch = patch_alc269 },
++ { .id = 0x10ec0292, .name = "ALC292", .patch = patch_alc269 },
+ { .id = 0x10ec0861, .rev = 0x100340, .name = "ALC660",
+ .patch = patch_alc861 },
+ { .id = 0x10ec0660, .name = "ALC660-VD", .patch = patch_alc861vd },
+diff --git a/sound/usb/midi.c b/sound/usb/midi.c
+index c83f614..eeefbce 100644
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -148,6 +148,7 @@ struct snd_usb_midi_out_endpoint {
+ struct snd_usb_midi_out_endpoint* ep;
+ struct snd_rawmidi_substream *substream;
+ int active;
++ bool autopm_reference;
+ uint8_t cable; /* cable number << 4 */
+ uint8_t state;
+ #define STATE_UNKNOWN 0
+@@ -1076,7 +1077,8 @@ static int snd_usbmidi_output_open(struct snd_rawmidi_substream *substream)
+ return -ENXIO;
+ }
+ err = usb_autopm_get_interface(umidi->iface);
+- if (err < 0)
++ port->autopm_reference = err >= 0;
++ if (err < 0 && err != -EACCES)
+ return -EIO;
+ substream->runtime->private_data = port;
+ port->state = STATE_UNKNOWN;
+@@ -1087,9 +1089,11 @@ static int snd_usbmidi_output_open(struct snd_rawmidi_substream *substream)
+ static int snd_usbmidi_output_close(struct snd_rawmidi_substream *substream)
+ {
+ struct snd_usb_midi* umidi = substream->rmidi->private_data;
++ struct usbmidi_out_port *port = substream->runtime->private_data;
+
+ substream_open(substream, 0);
+- usb_autopm_put_interface(umidi->iface);
++ if (port->autopm_reference)
++ usb_autopm_put_interface(umidi->iface);
+ return 0;
+ }
+
diff --git a/3.6.8/4420_grsecurity-2.9.1-3.6.8-201211261714.patch b/3.6.9/4420_grsecurity-2.9.1-3.6.9-201212031851.patch
index 13615ed..b057325 100644
--- a/3.6.8/4420_grsecurity-2.9.1-3.6.8-201211261714.patch
+++ b/3.6.9/4420_grsecurity-2.9.1-3.6.9-201212031851.patch
@@ -251,7 +251,7 @@ index ad7e2e5..199f49e 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index c5cc2f0..6570abb 100644
+index 978af72..1121485 100644
--- a/Makefile
+++ b/Makefile
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -3470,32 +3470,8 @@ index 5e34ccf..672bc9c 100644
DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
me->arch.unwind_section, table, end, gp);
-diff --git a/arch/parisc/kernel/signal32.c b/arch/parisc/kernel/signal32.c
-index fd49aed..5dede04 100644
---- a/arch/parisc/kernel/signal32.c
-+++ b/arch/parisc/kernel/signal32.c
-@@ -65,7 +65,8 @@ put_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz)
- {
- compat_sigset_t s;
-
-- if (sz != sizeof *set) panic("put_sigset32()");
-+ if (sz != sizeof *set)
-+ return -EINVAL;
- sigset_64to32(&s, set);
-
- return copy_to_user(up, &s, sizeof s);
-@@ -77,7 +78,8 @@ get_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz)
- compat_sigset_t s;
- int r;
-
-- if (sz != sizeof *set) panic("put_sigset32()");
-+ if (sz != sizeof *set)
-+ return -EINVAL;
-
- if ((r = copy_from_user(&s, up, sz)) == 0) {
- sigset_32to64(set, &s);
diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c
-index 7426e40..30c8dbe 100644
+index f76c108..8117482 100644
--- a/arch/parisc/kernel/sys_parisc.c
+++ b/arch/parisc/kernel/sys_parisc.c
@@ -43,7 +43,7 @@ static unsigned long get_unshared_area(unsigned long addr, unsigned long len)
@@ -3507,7 +3483,7 @@ index 7426e40..30c8dbe 100644
return addr;
addr = vma->vm_end;
}
-@@ -79,7 +79,7 @@ static unsigned long get_shared_area(struct address_space *mapping,
+@@ -81,7 +81,7 @@ static unsigned long get_shared_area(struct address_space *mapping,
/* At this point: (!vma || addr < vma->vm_end). */
if (TASK_SIZE - len < addr)
return -ENOMEM;
@@ -3516,7 +3492,7 @@ index 7426e40..30c8dbe 100644
return addr;
addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
if (addr < vma->vm_end) /* handle wraparound */
-@@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -100,7 +100,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
if (flags & MAP_FIXED)
return addr;
if (!addr)
@@ -7815,10 +7791,10 @@ index 8a84501..b2d165f 100644
KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
GCOV_PROFILE := n
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index b3e0227..f2c02d5 100644
+index 90201aa..be1de62 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
-@@ -142,7 +142,6 @@ again:
+@@ -144,7 +144,6 @@ again:
*addr = max_addr;
}
@@ -7826,7 +7802,7 @@ index b3e0227..f2c02d5 100644
efi_call_phys1(sys_table->boottime->free_pool, map);
fail:
-@@ -206,7 +205,6 @@ static efi_status_t low_alloc(unsigned long size, unsigned long align,
+@@ -208,7 +207,6 @@ static efi_status_t low_alloc(unsigned long size, unsigned long align,
if (i == map_size / desc_size)
status = EFI_NOT_FOUND;
@@ -10627,34 +10603,52 @@ index 75ce3f4..882e801 100644
#endif /* _ASM_X86_EMERGENCY_RESTART_H */
diff --git a/arch/x86/include/asm/fpu-internal.h b/arch/x86/include/asm/fpu-internal.h
-index 75f4c6d..ee3eb8f 100644
+index 75f4c6d..9215c4a 100644
--- a/arch/x86/include/asm/fpu-internal.h
+++ b/arch/x86/include/asm/fpu-internal.h
-@@ -86,6 +86,11 @@ static inline int fxrstor_checking(struct i387_fxsave_struct *fx)
+@@ -82,10 +82,12 @@ static inline void sanitize_i387_state(struct task_struct *tsk)
+ }
+
+ #ifdef CONFIG_X86_64
+-static inline int fxrstor_checking(struct i387_fxsave_struct *fx)
++static inline int fxrstor_checking(struct i387_fxsave_struct __user *fx)
{
int err;
-+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
-+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
-+ fx = (struct i387_fxsave_struct __user *)((void *)fx + PAX_USER_SHADOW_BASE);
-+#endif
++ fx = (struct i387_fxsave_struct __user *)____m(fx);
+
/* See comment in fxsave() below. */
#ifdef CONFIG_AS_FXSAVEQ
asm volatile("1: fxrstorq %[fx]\n\t"
-@@ -115,6 +120,11 @@ static inline int fxsave_user(struct i387_fxsave_struct __user *fx)
+@@ -115,6 +117,8 @@ static inline int fxsave_user(struct i387_fxsave_struct __user *fx)
{
int err;
-+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
-+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
-+ fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
-+#endif
++ fx = (struct i387_fxsave_struct __user *)____m(fx);
+
/*
* Clear the bytes not touched by the fxsave and reserved
* for the SW usage.
-@@ -271,7 +281,7 @@ static inline int restore_fpu_checking(struct task_struct *tsk)
+@@ -183,15 +187,15 @@ static inline void fpu_fxsave(struct fpu *fpu)
+ #else /* CONFIG_X86_32 */
+
+ /* perform fxrstor iff the processor has extended states, otherwise frstor */
+-static inline int fxrstor_checking(struct i387_fxsave_struct *fx)
++static inline int fxrstor_checking(struct i387_fxsave_struct __user *fx)
+ {
+ /*
+ * The "nop" is needed to make the instructions the same
+ * length.
+ */
+ alternative_input(
+- "nop ; frstor %1",
+- "fxrstor %1",
++ __copyuser_seg" frstor %1; nop",
++ __copyuser_seg" fxrstor %1",
+ X86_FEATURE_FXSR,
+ "m" (*fx));
+
+@@ -271,7 +275,7 @@ static inline int restore_fpu_checking(struct task_struct *tsk)
"emms\n\t" /* clear stack tags */
"fildl %P[addr]", /* set F?P to defined value */
X86_FEATURE_FXSAVE_LEAK,
@@ -10663,11 +10657,35 @@ index 75f4c6d..ee3eb8f 100644
return fpu_restore_checking(&tsk->thread.fpu);
}
+@@ -334,14 +338,17 @@ static inline void __thread_fpu_begin(struct task_struct *tsk)
+ typedef struct { int preload; } fpu_switch_t;
+
+ /*
+- * FIXME! We could do a totally lazy restore, but we need to
+- * add a per-cpu "this was the task that last touched the FPU
+- * on this CPU" variable, and the task needs to have a "I last
+- * touched the FPU on this CPU" and check them.
++ * Must be run with preemption disabled: this clears the fpu_owner_task,
++ * on this CPU.
+ *
+- * We don't do that yet, so "fpu_lazy_restore()" always returns
+- * false, but some day..
++ * This will disable any lazy FPU state restore of the current FPU state,
++ * but if the current thread owns the FPU, it will still be saved by.
+ */
++static inline void __cpu_disable_lazy_restore(unsigned int cpu)
++{
++ per_cpu(fpu_owner_task, cpu) = NULL;
++}
++
+ static inline int fpu_lazy_restore(struct task_struct *new, unsigned int cpu)
+ {
+ return new == this_cpu_read_stable(fpu_owner_task) &&
diff --git a/arch/x86/include/asm/futex.h b/arch/x86/include/asm/futex.h
-index 71ecbcb..bac10b7 100644
+index 71ecbcb..11df950 100644
--- a/arch/x86/include/asm/futex.h
+++ b/arch/x86/include/asm/futex.h
-@@ -11,16 +11,18 @@
+@@ -11,20 +11,22 @@
#include <asm/processor.h>
#define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
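Review bot: The comment added above `__cpu_disable_lazy_restore()` does not match the function it documents: it says the helper clears fpu_owner_task "on this CPU" and must run with preemption disabled, yet the body writes `per_cpu(fpu_owner_task, cpu)` for a caller-supplied `cpu`. The smpboot.c section of this same patch calls it from native_cpu_up() for the CPU being brought up, not the current one. The last sentence of the comment also stops mid-phrase at "it will still be saved by.". I would reword it along the lines of `/* Clear fpu_owner_task of the given CPU so that no task lazily restores FPU state there; the caller must ensure that CPU is not running the FPU switch path. */`. That concurrency requirement is inferred from the comment's intent rather than from lines in this hunk, so it should be checked against the caller.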
@@ -10687,6 +10705,11 @@ index 71ecbcb..bac10b7 100644
asm volatile("1:\tmovl %2, %0\n" \
"\tmovl\t%0, %3\n" \
"\t" insn "\n" \
+- "2:\t" LOCK_PREFIX "cmpxchgl %3, %2\n" \
++ "2:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %2\n" \
+ "\tjnz\t1b\n" \
+ "3:\t.section .fixup,\"ax\"\n" \
+ "4:\tmov\t%5, %1\n" \
@@ -33,7 +35,7 @@
_ASM_EXTABLE(1b, 4b) \
_ASM_EXTABLE(2b, 4b) \
@@ -12013,7 +12036,7 @@ index d048cad..45e350f 100644
#endif /* _ASM_X86_PROCESSOR_H */
diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
-index dcfde52..dbfea06 100644
+index 19f16eb..b50624b 100644
--- a/arch/x86/include/asm/ptrace.h
+++ b/arch/x86/include/asm/ptrace.h
@@ -155,28 +155,29 @@ static inline unsigned long regs_return_value(struct pt_regs *regs)
@@ -13154,7 +13177,7 @@ index 576e39b..ccd0a39 100644
#endif /* _ASM_X86_UACCESS_32_H */
diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
-index d8def8b..ac7fc15 100644
+index d8def8b..6052b20 100644
--- a/arch/x86/include/asm/uaccess_64.h
+++ b/arch/x86/include/asm/uaccess_64.h
@@ -10,6 +10,9 @@
@@ -13185,7 +13208,7 @@ index d8def8b..ac7fc15 100644
copy_user_generic(void *to, const void *from, unsigned len)
{
unsigned ret;
-@@ -41,142 +44,238 @@ copy_user_generic(void *to, const void *from, unsigned len)
+@@ -41,142 +44,205 @@ copy_user_generic(void *to, const void *from, unsigned len)
ASM_OUTPUT2("=a" (ret), "=D" (to), "=S" (from),
"=d" (len)),
"1" (to), "2" (from), "3" (len)
@@ -13285,13 +13308,7 @@ index d8def8b..ac7fc15 100644
+
+ if (!__builtin_constant_p(size)) {
+ check_object_size(dst, size, false);
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
-+ src += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
++ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size);
+ }
switch (size) {
- case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
@@ -13334,13 +13351,7 @@ index d8def8b..ac7fc15 100644
return ret;
default:
- return copy_user_generic(dst, (__force void *)src, size);
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
-+ src += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
++ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size);
}
}
@@ -13371,13 +13382,7 @@ index d8def8b..ac7fc15 100644
+
+ if (!__builtin_constant_p(size)) {
+ check_object_size(src, size, true);
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
-+ dst += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic((__force_kernel void *)dst, src, size);
++ return copy_user_generic((__force_kernel void *)____m(dst), src, size);
+ }
switch (size) {
- case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
@@ -13420,13 +13425,7 @@ index d8def8b..ac7fc15 100644
return ret;
default:
- return copy_user_generic((__force void *)dst, src, size);
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
-+ dst += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic((__force_kernel void *)dst, src, size);
++ return copy_user_generic((__force_kernel void *)____m(dst), src, size);
}
}
@@ -13438,9 +13437,6 @@ index d8def8b..ac7fc15 100644
+ unsigned ret = 0;
might_fault();
-- if (!__builtin_constant_p(size))
-- return copy_user_generic((__force void *)dst,
-- (__force void *)src, size);
+
+ if (size > INT_MAX)
+ return size;
@@ -13452,18 +13448,11 @@ index d8def8b..ac7fc15 100644
+ return size;
+#endif
+
-+ if (!__builtin_constant_p(size)) {
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
-+ src += PAX_USER_SHADOW_BASE;
-+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
-+ dst += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic((__force_kernel void *)dst,
-+ (__force_kernel const void *)src, size);
-+ }
+ if (!__builtin_constant_p(size))
+- return copy_user_generic((__force void *)dst,
+- (__force void *)src, size);
++ return copy_user_generic((__force_kernel void *)____m(dst),
++ (__force_kernel const void *)____m(src), size);
switch (size) {
case 1: {
u8 tmp;
@@ -13472,7 +13461,7 @@ index d8def8b..ac7fc15 100644
ret, "b", "b", "=q", 1);
if (likely(!ret))
__put_user_asm(tmp, (u8 __user *)dst,
-@@ -185,7 +284,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -185,7 +251,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
}
case 2: {
u16 tmp;
@@ -13481,7 +13470,7 @@ index d8def8b..ac7fc15 100644
ret, "w", "w", "=r", 2);
if (likely(!ret))
__put_user_asm(tmp, (u16 __user *)dst,
-@@ -195,7 +294,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -195,7 +261,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
case 4: {
u32 tmp;
@@ -13490,7 +13479,7 @@ index d8def8b..ac7fc15 100644
ret, "l", "k", "=r", 4);
if (likely(!ret))
__put_user_asm(tmp, (u32 __user *)dst,
-@@ -204,7 +303,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -204,7 +270,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
}
case 8: {
u64 tmp;
@@ -13499,22 +13488,14 @@ index d8def8b..ac7fc15 100644
ret, "q", "", "=r", 8);
if (likely(!ret))
__put_user_asm(tmp, (u64 __user *)dst,
-@@ -212,44 +311,89 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -212,44 +278,65 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
return ret;
}
default:
- return copy_user_generic((__force void *)dst,
- (__force void *)src, size);
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
-+ src += PAX_USER_SHADOW_BASE;
-+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
-+ dst += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic((__force_kernel void *)dst,
-+ (__force_kernel const void *)src, size);
++ return copy_user_generic((__force_kernel void *)____m(dst),
++ (__force_kernel const void *)____m(src), size);
}
}
@@ -13531,15 +13512,7 @@ index d8def8b..ac7fc15 100644
+ if (size > INT_MAX)
+ return size;
+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if (!__access_ok(VERIFY_READ, src, size))
-+ return size;
-+
-+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
-+ src += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
++ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size);
}
-static __must_check __always_inline int
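Review bot: The rewritten return in this hunk drops the `__access_ok(VERIFY_READ, src, size)` range check that the previous revision ran under CONFIG_PAX_MEMORY_UDEREF, leaving only the `size > INT_MAX` guard and the `____m(src)` translation of the base pointer; the next hunk does the same for the `VERIFY_WRITE` check on `dst`. Neither the enclosing function signatures nor the definition of `____m()` are inside these hunks, so whether the range is still validated elsewhere cannot be confirmed from here. If callers are expected to have validated the range, a one-line comment such as `/* caller must have validated [src, src + size) with access_ok() */` above each return would record that contract. Otherwise the check should stay ahead of the `____m()` call.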
@@ -13551,15 +13524,7 @@ index d8def8b..ac7fc15 100644
+ if (size > INT_MAX)
+ return size;
+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if (!__access_ok(VERIFY_WRITE, dst, size))
-+ return size;
-+
-+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
-+ dst += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic((__force_kernel void *)dst, src, size);
++ return copy_user_generic((__force_kernel void *)____m(dst), src, size);
}
-extern long __copy_user_nocache(void *dst, const void __user *src,
@@ -13763,38 +13728,45 @@ index 38155f6..e4184ba 100644
extern struct x86_init_ops x86_init;
extern struct x86_cpuinit_ops x86_cpuinit;
diff --git a/arch/x86/include/asm/xsave.h b/arch/x86/include/asm/xsave.h
-index 8a1b6f9..a29c4e4 100644
+index 8a1b6f9..d47ba6d 100644
--- a/arch/x86/include/asm/xsave.h
+++ b/arch/x86/include/asm/xsave.h
-@@ -65,6 +65,11 @@ static inline int xsave_user(struct xsave_struct __user *buf)
+@@ -65,6 +65,8 @@ static inline int xsave_user(struct xsave_struct __user *buf)
{
int err;
-+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
-+ if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
-+ buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
-+#endif
++ buf = (struct xsave_struct __user *)____m(buf);
+
/*
* Clear the xsave header first, so that reserved fields are
* initialized to zero.
-@@ -93,10 +98,15 @@ static inline int xsave_user(struct xsave_struct __user *buf)
+@@ -74,7 +76,9 @@ static inline int xsave_user(struct xsave_struct __user *buf)
+ if (unlikely(err))
+ return -EFAULT;
+
+- __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
++ __asm__ __volatile__("1:"
++ __copyuser_seg
++ ".byte " REX_PREFIX "0x0f,0xae,0x27\n"
+ "2:\n"
+ ".section .fixup,\"ax\"\n"
+ "3: movl $-1,%[err]\n"
+@@ -93,11 +97,13 @@ static inline int xsave_user(struct xsave_struct __user *buf)
static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
{
int err;
- struct xsave_struct *xstate = ((__force struct xsave_struct *)buf);
-+ struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)buf);
++ struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)____m(buf));
u32 lmask = mask;
u32 hmask = mask >> 32;
-+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
-+ if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
-+ xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
-+#endif
-+
- __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
+- __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
++ __asm__ __volatile__("1:"
++ __copyuser_seg
++ ".byte " REX_PREFIX "0x0f,0xae,0x2f\n"
"2:\n"
".section .fixup,\"ax\"\n"
+ "3: movl $-1,%[err]\n"
diff --git a/arch/x86/kernel/acpi/sleep.c b/arch/x86/kernel/acpi/sleep.c
index 1b8e5a0..354fd59 100644
--- a/arch/x86/kernel/acpi/sleep.c
@@ -14804,7 +14776,7 @@ index ae42418b..787c16b 100644
if (__die(str, regs, err))
diff --git a/arch/x86/kernel/dumpstack_32.c b/arch/x86/kernel/dumpstack_32.c
-index 1038a41..ac7e5f6 100644
+index 1038a41..db2c12b 100644
--- a/arch/x86/kernel/dumpstack_32.c
+++ b/arch/x86/kernel/dumpstack_32.c
@@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
@@ -14846,7 +14818,7 @@ index 1038a41..ac7e5f6 100644
unsigned int code_len = code_bytes;
unsigned char c;
u8 *ip;
-+ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
++ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(0)[(0xffff & regs->cs) >> 3]);
pr_emerg("Stack:\n");
show_stack_log_lvl(NULL, regs, &regs->sp, 0, KERN_EMERG);
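Review bot: The `cs_base` lookup now reads `get_cpu_gdt_table(0)`, so a register dump taken on any other CPU computes the code-segment base from CPU 0's descriptor table. That is only correct if the descriptor selected by `regs->cs` has the same base on every CPU, which this hunk does not show. The sibling changes in this patch (show_regs() in dumpstack_64.c and __show_regs() in process_32.c) switch to `raw_smp_processor_id()` instead. Using `get_cpu_gdt_table(raw_smp_processor_id())` here would keep the per-CPU lookup; failing that, a comment should state why CPU 0 is always valid. The enclosing function starts outside the hunk.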
@@ -14896,7 +14868,7 @@ index 1038a41..ac7e5f6 100644
+EXPORT_SYMBOL(pax_check_alloca);
+#endif
diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c
-index b653675..33190c0 100644
+index b653675..51cc8c0 100644
--- a/arch/x86/kernel/dumpstack_64.c
+++ b/arch/x86/kernel/dumpstack_64.c
@@ -119,9 +119,9 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
@@ -14960,6 +14932,15 @@ index b653675..33190c0 100644
put_cpu();
}
EXPORT_SYMBOL(dump_trace);
+@@ -249,7 +253,7 @@ void show_regs(struct pt_regs *regs)
+ {
+ int i;
+ unsigned long sp;
+- const int cpu = smp_processor_id();
++ const int cpu = raw_smp_processor_id();
+ struct task_struct *cur = current;
+
+ sp = regs->sp;
@@ -304,3 +308,50 @@ int is_valid_bugaddr(unsigned long ip)
return ud2 == 0x0b0f;
@@ -15831,7 +15812,7 @@ index 8f8e8ee..3617d6e 100644
/*
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index dcdd0ea..8f32835 100644
+index dcdd0ea..a520f76 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -57,6 +57,8 @@
@@ -16465,7 +16446,7 @@ index dcdd0ea..8f32835 100644
retint_restore_args: /* return to kernel space */
DISABLE_INTERRUPTS(CLBR_ANY)
+ pax_exit_kernel
-+ pax_force_retaddr RIP-ARGOFFSET
++ pax_force_retaddr (RIP-ARGOFFSET)
/*
* The iretq could re-enable interrupts:
*/
@@ -18677,7 +18658,7 @@ index ef6a845..8028ed3 100644
+}
+#endif
diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c
-index 516fa18..80bd9e6 100644
+index 516fa18..d3a7099 100644
--- a/arch/x86/kernel/process_32.c
+++ b/arch/x86/kernel/process_32.c
@@ -64,6 +64,7 @@ asmlinkage void ret_from_fork(void) __asm__("ret_from_fork");
@@ -18688,7 +18669,7 @@ index 516fa18..80bd9e6 100644
}
void __show_regs(struct pt_regs *regs, int all)
-@@ -73,15 +74,14 @@ void __show_regs(struct pt_regs *regs, int all)
+@@ -73,21 +74,20 @@ void __show_regs(struct pt_regs *regs, int all)
unsigned long sp;
unsigned short ss, gs;
@@ -18706,6 +18687,13 @@ index 516fa18..80bd9e6 100644
show_regs_common();
+ printk(KERN_DEFAULT "EIP: %04x:[<%08lx>] EFLAGS: %08lx CPU: %d\n",
+ (u16)regs->cs, regs->ip, regs->flags,
+- smp_processor_id());
++ raw_smp_processor_id());
+ print_symbol("EIP is at %s\n", regs->ip);
+
+ printk(KERN_DEFAULT "EAX: %08lx EBX: %08lx ECX: %08lx EDX: %08lx\n",
@@ -134,13 +134,14 @@ int copy_thread(unsigned long clone_flags, unsigned long sp,
struct task_struct *tsk;
int err;
@@ -18826,10 +18814,29 @@ index 0a980c9..1d0e689 100644
ip = *(u64 *)(fp+8);
if (!in_sched_functions(ip))
diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
-index c4c6a5c..905f440 100644
+index 9ee1787..33228a7 100644
--- a/arch/x86/kernel/ptrace.c
+++ b/arch/x86/kernel/ptrace.c
-@@ -824,7 +824,7 @@ long arch_ptrace(struct task_struct *child, long request,
+@@ -182,14 +182,13 @@ unsigned long kernel_stack_pointer(struct pt_regs *regs)
+ {
+ unsigned long context = (unsigned long)regs & ~(THREAD_SIZE - 1);
+ unsigned long sp = (unsigned long)&regs->sp;
+- struct thread_info *tinfo;
+
+- if (context == (sp & ~(THREAD_SIZE - 1)))
++ if (context == ((sp + 8) & ~(THREAD_SIZE - 1)))
+ return sp;
+
+- tinfo = (struct thread_info *)context;
+- if (tinfo->previous_esp)
+- return tinfo->previous_esp;
++ sp = *(unsigned long *)context;
++ if (sp)
++ return sp;
+
+ return (unsigned long)regs;
+ }
+@@ -854,7 +853,7 @@ long arch_ptrace(struct task_struct *child, long request,
unsigned long addr, unsigned long data)
{
int ret;
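Review bot: In kernel_stack_pointer() the new `(sp + 8)` adjustment and the raw `sp = *(unsigned long *)context;` read are unexplained, and the read replaces a named field access (`tinfo->previous_esp`) with a dereference of the stack-area base. Presumably this patchset keeps the previous stack pointer in the first word of that area, but nothing in the hunk establishes that layout or why the offset is 8. A comment such as `/* first word of the stack area holds the previous stack pointer (formerly thread_info->previous_esp) */` and a named constant for the 8 would make the dependency on the stack layout reviewable.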
@@ -18838,7 +18845,7 @@ index c4c6a5c..905f440 100644
switch (request) {
/* read the word at location addr in the USER area. */
-@@ -909,14 +909,14 @@ long arch_ptrace(struct task_struct *child, long request,
+@@ -939,14 +938,14 @@ long arch_ptrace(struct task_struct *child, long request,
if ((int) addr < 0)
return -EIO;
ret = do_get_thread_area(child, addr,
@@ -18855,7 +18862,7 @@ index c4c6a5c..905f440 100644
break;
#endif
-@@ -1426,7 +1426,7 @@ static void fill_sigtrap_info(struct task_struct *tsk,
+@@ -1456,7 +1455,7 @@ static void fill_sigtrap_info(struct task_struct *tsk,
memset(info, 0, sizeof(*info));
info->si_signo = SIGTRAP;
info->si_code = si_code;
@@ -18864,7 +18871,7 @@ index c4c6a5c..905f440 100644
}
void user_single_step_siginfo(struct task_struct *tsk,
-@@ -1455,6 +1455,10 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs,
+@@ -1485,6 +1484,10 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs,
# define IS_IA32 0
#endif
@@ -18875,7 +18882,7 @@ index c4c6a5c..905f440 100644
/*
* We must return the syscall number to actually look up in the table.
* This can be -1L to skip running any syscall at all.
-@@ -1463,6 +1467,11 @@ long syscall_trace_enter(struct pt_regs *regs)
+@@ -1493,6 +1496,11 @@ long syscall_trace_enter(struct pt_regs *regs)
{
long ret = 0;
@@ -18887,7 +18894,7 @@ index c4c6a5c..905f440 100644
/*
* If we stepped into a sysenter/syscall insn, it trapped in
* kernel mode; do_debug() cleared TF and set TIF_SINGLESTEP.
-@@ -1511,6 +1520,11 @@ void syscall_trace_leave(struct pt_regs *regs)
+@@ -1541,6 +1549,11 @@ void syscall_trace_leave(struct pt_regs *regs)
{
bool step;
@@ -19245,10 +19252,19 @@ index b280908..6de349e 100644
if (err)
diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
-index 7c5a8c3..88d422f 100644
+index 7c5a8c3..8a54a1a 100644
--- a/arch/x86/kernel/smpboot.c
+++ b/arch/x86/kernel/smpboot.c
-@@ -670,6 +670,7 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle)
+@@ -68,6 +68,8 @@
+ #include <asm/mwait.h>
+ #include <asm/apic.h>
+ #include <asm/io_apic.h>
++#include <asm/i387.h>
++#include <asm/fpu-internal.h>
+ #include <asm/setup.h>
+ #include <asm/uv/uv.h>
+ #include <linux/mc146818rtc.h>
+@@ -670,6 +672,7 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle)
idle->thread.sp = (unsigned long) (((struct pt_regs *)
(THREAD_SIZE + task_stack_page(idle))) - 1);
per_cpu(current_task, cpu) = idle;
@@ -19256,7 +19272,7 @@ index 7c5a8c3..88d422f 100644
#ifdef CONFIG_X86_32
/* Stack for startup_32 can be just as for start_secondary onwards */
-@@ -677,11 +678,13 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle)
+@@ -677,11 +680,13 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle)
#else
clear_tsk_thread_flag(idle, TIF_FORK);
initial_gs = per_cpu_offset(cpu);
@@ -19273,7 +19289,7 @@ index 7c5a8c3..88d422f 100644
initial_code = (unsigned long)start_secondary;
stack_start = idle->thread.sp;
-@@ -817,6 +820,12 @@ int __cpuinit native_cpu_up(unsigned int cpu, struct task_struct *tidle)
+@@ -817,6 +822,15 @@ int __cpuinit native_cpu_up(unsigned int cpu, struct task_struct *tidle)
per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
@@ -19283,6 +19299,9 @@ index 7c5a8c3..88d422f 100644
+ KERNEL_PGD_PTRS);
+#endif
+
++ /* the FPU context is blank, nobody can own it */
++ __cpu_disable_lazy_restore(cpu);
++
err = do_boot_cpu(apicid, cpu, tidle);
if (err) {
pr_debug("do_boot_cpu failed %d\n", err);
@@ -20383,7 +20402,7 @@ index 6020f6f..bedd6e3 100644
EXPORT_SYMBOL(copy_page);
EXPORT_SYMBOL(clear_page);
diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c
-index 3d3e207..1a73ab2 100644
+index 3d3e207..316a7e0 100644
--- a/arch/x86/kernel/xsave.c
+++ b/arch/x86/kernel/xsave.c
@@ -132,7 +132,7 @@ int check_for_xstate(struct i387_fxsave_struct __user *buf,
@@ -20400,19 +20419,20 @@ index 3d3e207..1a73ab2 100644
*/
xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
- return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
-+ return fxrstor_checking((struct i387_fxsave_struct __force_kernel *)buf);
++ return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
}
/*
-@@ -297,7 +297,7 @@ int restore_i387_xstate(void __user *buf)
+@@ -297,8 +297,7 @@ int restore_i387_xstate(void __user *buf)
if (use_xsave())
err = restore_user_xstate(buf);
else
- err = fxrstor_checking((__force struct i387_fxsave_struct *)
-+ err = fxrstor_checking((struct i387_fxsave_struct __force_kernel *)
- buf);
+- buf);
++ err = fxrstor_checking((struct i387_fxsave_struct __user *)buf);
if (unlikely(err)) {
/*
+ * Encountered an error while doing the restore from the
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 0595f13..b544fa3 100644
--- a/arch/x86/kvm/cpuid.c
@@ -20464,22 +20484,8 @@ index 0595f13..b544fa3 100644
return 0;
out:
-diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h
-index a10e460..58fc514 100644
---- a/arch/x86/kvm/cpuid.h
-+++ b/arch/x86/kvm/cpuid.h
-@@ -24,6 +24,9 @@ static inline bool guest_cpuid_has_xsave(struct kvm_vcpu *vcpu)
- {
- struct kvm_cpuid_entry2 *best;
-
-+ if (!static_cpu_has(X86_FEATURE_XSAVE))
-+ return 0;
-+
- best = kvm_find_cpuid_entry(vcpu, 1, 0);
- return best && (best->ecx & bit(X86_FEATURE_XSAVE));
- }
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index a3b57a2..ebbe732 100644
+index a3b57a2..e8f3324 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -256,6 +256,7 @@ struct gprefix {
@@ -20507,6 +20513,16 @@ index a3b57a2..ebbe732 100644
switch ((ctxt)->dst.bytes) { \
case 1: \
____emulate_2op(ctxt,_op,_bx,_by,"b",u8); \
+@@ -390,8 +388,7 @@ struct gprefix {
+ _ASM_EXTABLE(1b, 3b) \
+ : "=m" ((ctxt)->eflags), "=&r" (_tmp), \
+ "+a" (*rax), "+d" (*rdx), "+qm"(_ex) \
+- : "i" (EFLAGS_MASK), "m" ((ctxt)->src.val), \
+- "a" (*rax), "d" (*rdx)); \
++ : "i" (EFLAGS_MASK), "m" ((ctxt)->src.val)); \
+ } while (0)
+
+ /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index ce87878..ab48aa3 100644
--- a/arch/x86/kvm/lapic.c
@@ -20677,7 +20693,7 @@ index ff66a3b..48ad872 100644
vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 2966c84..9ac0c3c 100644
+index a201790..9ac0c3c 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1379,8 +1379,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
@@ -20718,16 +20734,6 @@ index 2966c84..9ac0c3c 100644
{
int r;
struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
-@@ -5762,6 +5764,9 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu,
- int pending_vec, max_bits, idx;
- struct desc_ptr dt;
-
-+ if (!guest_cpuid_has_xsave(vcpu) && (sregs->cr4 & X86_CR4_OSXSAVE))
-+ return -EINVAL;
-+
- dt.size = sregs->idt.limit;
- dt.address = sregs->idt.base;
- kvm_x86_ops->set_idt(vcpu, &dt);
diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c
index 642d880..cc9ebac 100644
--- a/arch/x86/lguest/boot.c
@@ -21847,36 +21853,24 @@ index 2419d5f..953ee51 100644
CFI_RESTORE_STATE
diff --git a/arch/x86/lib/csum-wrappers_64.c b/arch/x86/lib/csum-wrappers_64.c
-index 25b7ae8..3b52ccd 100644
+index 25b7ae8..169fafc 100644
--- a/arch/x86/lib/csum-wrappers_64.c
+++ b/arch/x86/lib/csum-wrappers_64.c
-@@ -52,7 +52,13 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
+@@ -52,7 +52,7 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
len -= 2;
}
}
- isum = csum_partial_copy_generic((__force const void *)src,
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
-+ src += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ isum = csum_partial_copy_generic((const void __force_kernel *)src,
++ isum = csum_partial_copy_generic((const void __force_kernel *)____m(src),
dst, len, isum, errp, NULL);
if (unlikely(*errp))
goto out_err;
-@@ -105,7 +111,13 @@ csum_partial_copy_to_user(const void *src, void __user *dst,
+@@ -105,7 +105,7 @@ csum_partial_copy_to_user(const void *src, void __user *dst,
}
*errp = 0;
- return csum_partial_copy_generic(src, (void __force *)dst,
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
-+ dst += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return csum_partial_copy_generic(src, (void __force_kernel *)dst,
++ return csum_partial_copy_generic(src, (void __force_kernel *)____m(dst),
len, isum, NULL, errp);
}
EXPORT_SYMBOL(csum_partial_copy_to_user);
@@ -23576,23 +23570,19 @@ index 1781b2f..90368dd 100644
+EXPORT_SYMBOL(set_fs);
+#endif
diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c
-index e5b130b..6690d31 100644
+index e5b130b..7d33980 100644
--- a/arch/x86/lib/usercopy_64.c
+++ b/arch/x86/lib/usercopy_64.c
-@@ -16,6 +16,12 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
- {
- long __d0;
- might_fault();
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
-+ addr += PAX_USER_SHADOW_BASE;
-+#endif
-+
- /* no memory constraint because it doesn't change any memory gcc knows
- about */
- asm volatile(
-@@ -52,12 +58,20 @@ unsigned long clear_user(void __user *to, unsigned long n)
+@@ -38,7 +38,7 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
+ _ASM_EXTABLE(0b,3b)
+ _ASM_EXTABLE(1b,2b)
+ : [size8] "=&c"(size), [dst] "=&D" (__d0)
+- : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(addr),
++ : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(____m(addr)),
+ [zero] "r" (0UL), [eight] "r" (8UL));
+ return size;
+ }
+@@ -52,12 +52,11 @@ unsigned long clear_user(void __user *to, unsigned long n)
}
EXPORT_SYMBOL(clear_user);
@@ -23603,22 +23593,13 @@ index e5b130b..6690d31 100644
- return copy_user_generic((__force void *)to, (__force void *)from, len);
- }
- return len;
-+ if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
-+
-+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if ((unsigned long)to < PAX_USER_SHADOW_BASE)
-+ to += PAX_USER_SHADOW_BASE;
-+ if ((unsigned long)from < PAX_USER_SHADOW_BASE)
-+ from += PAX_USER_SHADOW_BASE;
-+#endif
-+
-+ return copy_user_generic((void __force_kernel *)to, (void __force_kernel *)from, len);
-+ }
++ if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len))
++ return copy_user_generic((void __force_kernel *)____m(to), (void __force_kernel *)____m(from), len);
+ return len;
}
EXPORT_SYMBOL(copy_in_user);
-@@ -67,7 +81,7 @@ EXPORT_SYMBOL(copy_in_user);
+@@ -67,7 +66,7 @@ EXPORT_SYMBOL(copy_in_user);
* it is not necessary to optimize tail handling.
*/
unsigned long
@@ -23627,7 +23608,7 @@ index e5b130b..6690d31 100644
{
char c;
unsigned zero_len;
-@@ -84,3 +98,15 @@ copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
+@@ -84,3 +83,15 @@ copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
break;
return len;
}
@@ -33847,7 +33828,7 @@ index 693e149..b7e0fde 100644
pmd->bl_info.value_type.inc = data_block_inc;
pmd->bl_info.value_type.dec = data_block_dec;
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
-index 67ffa39..cb3b1dd 100644
+index 4256200..154b975 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -176,9 +176,9 @@ struct mapped_device {
@@ -33862,7 +33843,7 @@ index 67ffa39..cb3b1dd 100644
struct list_head uevent_list;
spinlock_t uevent_lock; /* Protect access to uevent_list */
-@@ -1887,8 +1887,8 @@ static struct mapped_device *alloc_dev(int minor)
+@@ -1893,8 +1893,8 @@ static struct mapped_device *alloc_dev(int minor)
rwlock_init(&md->map_lock);
atomic_set(&md->holders, 1);
atomic_set(&md->open_count, 0);
@@ -33873,7 +33854,7 @@ index 67ffa39..cb3b1dd 100644
INIT_LIST_HEAD(&md->uevent_list);
spin_lock_init(&md->uevent_lock);
-@@ -2022,7 +2022,7 @@ static void event_callback(void *context)
+@@ -2028,7 +2028,7 @@ static void event_callback(void *context)
dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
@@ -33882,7 +33863,7 @@ index 67ffa39..cb3b1dd 100644
wake_up(&md->eventq);
}
-@@ -2677,18 +2677,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
+@@ -2683,18 +2683,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
uint32_t dm_next_uevent_seq(struct mapped_device *md)
{
@@ -33905,7 +33886,7 @@ index 67ffa39..cb3b1dd 100644
void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 308e87b..7f365d6 100644
+index c7b000f..15a8b22 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -277,10 +277,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio);
@@ -34103,10 +34084,10 @@ index 05bb49e..84d7ce6 100644
"md/raid1:%s: read error corrected "
"(%d sectors at %llu on %s)\n",
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
-index a48c215..6bda6f4 100644
+index c52d893..69c5d80 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
-@@ -1810,7 +1810,7 @@ static void end_sync_read(struct bio *bio, int error)
+@@ -1814,7 +1814,7 @@ static void end_sync_read(struct bio *bio, int error)
/* The write handler will notice the lack of
* R10BIO_Uptodate and record any errors etc
*/
@@ -34115,7 +34096,7 @@ index a48c215..6bda6f4 100644
&conf->mirrors[d].rdev->corrected_errors);
/* for reconstruct, we always reschedule after a read.
-@@ -2159,7 +2159,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
+@@ -2163,7 +2163,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
{
struct timespec cur_time_mon;
unsigned long hours_since_last;
@@ -34124,7 +34105,7 @@ index a48c215..6bda6f4 100644
ktime_get_ts(&cur_time_mon);
-@@ -2181,9 +2181,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
+@@ -2185,9 +2185,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
* overflowing the shift of read_errors by hours_since_last.
*/
if (hours_since_last >= 8 * sizeof(read_errors))
@@ -34136,7 +34117,7 @@ index a48c215..6bda6f4 100644
}
static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector,
-@@ -2237,8 +2237,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
+@@ -2241,8 +2241,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
return;
check_decay_read_errors(mddev, rdev);
@@ -34147,7 +34128,7 @@ index a48c215..6bda6f4 100644
char b[BDEVNAME_SIZE];
bdevname(rdev->bdev, b);
-@@ -2246,7 +2246,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
+@@ -2250,7 +2250,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
"md/raid10:%s: %s: Raid device exceeded "
"read_error threshold [cur %d:max %d]\n",
mdname(mddev), b,
@@ -34156,7 +34137,7 @@ index a48c215..6bda6f4 100644
printk(KERN_NOTICE
"md/raid10:%s: %s: Failing raid device\n",
mdname(mddev), b);
-@@ -2401,7 +2401,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
+@@ -2405,7 +2405,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
sect +
choose_data_offset(r10_bio, rdev)),
bdevname(rdev->bdev, b));
@@ -35467,10 +35448,10 @@ index 3456d56..b688d81 100644
/* grab the ptp lock */
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
-index 400f86a..7f2e062 100644
+index 0722f33..771758a 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
-@@ -2799,6 +2799,7 @@ struct ixgbe_eeprom_operations {
+@@ -2800,6 +2800,7 @@ struct ixgbe_eeprom_operations {
s32 (*update_checksum)(struct ixgbe_hw *);
u16 (*calc_checksum)(struct ixgbe_hw *);
};
@@ -35478,7 +35459,7 @@ index 400f86a..7f2e062 100644
struct ixgbe_mac_operations {
s32 (*init_hw)(struct ixgbe_hw *);
-@@ -2865,6 +2866,7 @@ struct ixgbe_mac_operations {
+@@ -2866,6 +2867,7 @@ struct ixgbe_mac_operations {
s32 (*get_thermal_sensor_data)(struct ixgbe_hw *);
s32 (*init_thermal_sensor_thresh)(struct ixgbe_hw *hw);
};
@@ -35486,7 +35467,7 @@ index 400f86a..7f2e062 100644
struct ixgbe_phy_operations {
s32 (*identify)(struct ixgbe_hw *);
-@@ -2884,9 +2886,10 @@ struct ixgbe_phy_operations {
+@@ -2885,9 +2887,10 @@ struct ixgbe_phy_operations {
s32 (*write_i2c_eeprom)(struct ixgbe_hw *, u8, u8);
s32 (*check_overtemp)(struct ixgbe_hw *);
};
@@ -35498,7 +35479,7 @@ index 400f86a..7f2e062 100644
enum ixgbe_eeprom_type type;
u32 semaphore_delay;
u16 word_size;
-@@ -2896,7 +2899,7 @@ struct ixgbe_eeprom_info {
+@@ -2897,7 +2900,7 @@ struct ixgbe_eeprom_info {
#define IXGBE_FLAGS_DOUBLE_RESET_REQUIRED 0x01
struct ixgbe_mac_info {
@@ -35507,7 +35488,7 @@ index 400f86a..7f2e062 100644
enum ixgbe_mac_type type;
u8 addr[ETH_ALEN];
u8 perm_addr[ETH_ALEN];
-@@ -2926,7 +2929,7 @@ struct ixgbe_mac_info {
+@@ -2927,7 +2930,7 @@ struct ixgbe_mac_info {
};
struct ixgbe_phy_info {
@@ -35516,7 +35497,7 @@ index 400f86a..7f2e062 100644
struct mdio_if_info mdio;
enum ixgbe_phy_type type;
u32 id;
-@@ -2954,6 +2957,7 @@ struct ixgbe_mbx_operations {
+@@ -2955,6 +2958,7 @@ struct ixgbe_mbx_operations {
s32 (*check_for_ack)(struct ixgbe_hw *, u16);
s32 (*check_for_rst)(struct ixgbe_hw *, u16);
};
@@ -35524,7 +35505,7 @@ index 400f86a..7f2e062 100644
struct ixgbe_mbx_stats {
u32 msgs_tx;
-@@ -2965,7 +2969,7 @@ struct ixgbe_mbx_stats {
+@@ -2966,7 +2970,7 @@ struct ixgbe_mbx_stats {
};
struct ixgbe_mbx_info {
@@ -35571,6 +35552,19 @@ index 25c951d..cc7cf33 100644
struct ixgbe_mbx_stats stats;
u32 timeout;
u32 udelay;
+diff --git a/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c b/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c
+index 5d367958..b799ab12 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c
+@@ -237,7 +237,7 @@ static int mlx4_en_dcbnl_ieee_setmaxrate(struct net_device *dev,
+ if (err)
+ return err;
+
+- memcpy(priv->maxrate, tmp, sizeof(*priv->maxrate));
++ memcpy(priv->maxrate, tmp, sizeof(priv->maxrate));
+
+ return 0;
+ }
diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.h b/drivers/net/ethernet/neterion/vxge/vxge-config.h
index 9e0c1ee..8471f77 100644
--- a/drivers/net/ethernet/neterion/vxge/vxge-config.h
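Review bot: The corrected `memcpy` in `mlx4_en_dcbnl_ieee_setmaxrate` now sizes the copy from the destination, which is right only while `priv->maxrate` is an array member and `tmp` is at least as large; neither declaration is inside this hunk. If both are arrays, a compile-time check next to the copy would keep them from drifting apart: `BUILD_BUG_ON(sizeof(tmp) != sizeof(priv->maxrate));`. Should `maxrate` ever become a pointer, `sizeof(priv->maxrate)` silently becomes the pointer size and the short copy this change fixes comes back. The function body starts above the hunk.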
@@ -39576,6 +39570,54 @@ index 3440812..2a4ef1f 100644
if (file->f_version != event_count) {
file->f_version = event_count;
return POLLIN | POLLRDNORM;
+diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
+index 75ba209..08bf89e 100644
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -1478,7 +1478,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
+ */
+ usb_get_urb(urb);
+ atomic_inc(&urb->use_count);
+- atomic_inc(&urb->dev->urbnum);
++ atomic_inc_unchecked(&urb->dev->urbnum);
+ usbmon_urb_submit(&hcd->self, urb);
+
+ /* NOTE requirements on root-hub callers (usbfs and the hub
+@@ -1505,7 +1505,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
+ urb->hcpriv = NULL;
+ INIT_LIST_HEAD(&urb->urb_list);
+ atomic_dec(&urb->use_count);
+- atomic_dec(&urb->dev->urbnum);
++ atomic_dec_unchecked(&urb->dev->urbnum);
+ if (atomic_read(&urb->reject))
+ wake_up(&usb_kill_urb_queue);
+ usb_put_urb(urb);
+diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
+index 682e825..06d4f69 100644
+--- a/drivers/usb/core/sysfs.c
++++ b/drivers/usb/core/sysfs.c
+@@ -226,7 +226,7 @@ show_urbnum(struct device *dev, struct device_attribute *attr, char *buf)
+ struct usb_device *udev;
+
+ udev = to_usb_device(dev);
+- return sprintf(buf, "%d\n", atomic_read(&udev->urbnum));
++ return sprintf(buf, "%d\n", atomic_read_unchecked(&udev->urbnum));
+ }
+ static DEVICE_ATTR(urbnum, S_IRUGO, show_urbnum, NULL);
+
+diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
+index cd8fb44..17fbe0c 100644
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -397,7 +397,7 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent,
+ set_dev_node(&dev->dev, dev_to_node(bus->controller));
+ dev->state = USB_STATE_ATTACHED;
+ dev->lpm_disable_count = 1;
+- atomic_set(&dev->urbnum, 0);
++ atomic_set_unchecked(&dev->urbnum, 0);
+
+ INIT_LIST_HEAD(&dev->ep0.urb_list);
+ dev->ep0.desc.bLength = USB_DT_ENDPOINT_SIZE;
diff --git a/drivers/usb/early/ehci-dbgp.c b/drivers/usb/early/ehci-dbgp.c
index 89dcf15..481800b 100644
--- a/drivers/usb/early/ehci-dbgp.c
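Review bot: Nothing in these hunks records why `urbnum` moves to the `_unchecked` atomic helpers in `usb_hcd_submit_urb`, `show_urbnum` and `usb_alloc_dev`, while `urb->use_count` on the neighbouring lines keeps the checked `atomic_inc`/`atomic_dec`. From the visible uses, `urbnum` is incremented per submission, decremented on the failure path and printed through sysfs, so it looks like a statistics counter that may wrap rather than a reference count. A one-line comment at the field, e.g. `/* statistics only, may wrap; not a reference count */`, would keep the exemption from being copied to counters whose overflow does matter. The type change to `atomic_unchecked_t` in include/linux/usb.h, later in this patch, is the natural place for it.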
@@ -39769,7 +39811,7 @@ index 57c01ab..8a05959 100644
/*
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
-index ef82a0d..da8a0b3 100644
+index ef82a0d..78a026b 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -634,7 +634,7 @@ static long vhost_set_memory(struct vhost_dev *d, struct vhost_memory __user *m)
@@ -39781,6 +39823,15 @@ index ef82a0d..da8a0b3 100644
{
struct file *eventfp, *filep = NULL,
*pollstart = NULL, *pollstop = NULL;
+@@ -1076,7 +1076,7 @@ static int translate_desc(struct vhost_dev *dev, u64 addr, u32 len,
+ }
+ _iov = iov + ret;
+ size = reg->memory_size - addr + reg->guest_phys_addr;
+- _iov->iov_len = min((u64)len, size);
++ _iov->iov_len = min((u64)len - s, size);
+ _iov->iov_base = (void __user *)(unsigned long)
+ (reg->userspace_addr + addr - reg->guest_phys_addr);
+ s += size;
diff --git a/drivers/video/aty/aty128fb.c b/drivers/video/aty/aty128fb.c
index 747442d..7c0c434 100644
--- a/drivers/video/aty/aty128fb.c
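Review bot: The new length `min((u64)len - s, size)` in `translate_desc` is an unsigned subtraction, so it wraps to a very large value if `s` is ever greater than `len`, and `min()` would then pick `size` and hand out more than the descriptor asked for. It is safe only if the enclosing loop runs strictly while `(u64)len > s`; that condition is outside this hunk and should be confirmed. Note that `s += size` on the last added line still advances by the whole region remainder, not by the clamped `iov_len`, so `s` can exceed `len` after the final segment and only the loop guard prevents another iteration. A comment on the changed line would record the dependency: `/* loop guarantees len > s, so this cannot wrap */`.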
@@ -44633,6 +44684,29 @@ index ce41fee..ac0d27a 100644
#endif /* CONFIG_CIFS_STATS2 */
}
+diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c
+index d87f826..1bab9d4 100644
+--- a/fs/cifs/readdir.c
++++ b/fs/cifs/readdir.c
+@@ -86,14 +86,17 @@ cifs_readdir_lookup(struct dentry *parent, struct qstr *name,
+
+ dentry = d_lookup(parent, name);
+ if (dentry) {
++ int err;
+ inode = dentry->d_inode;
+ /* update inode in place if i_ino didn't change */
+ if (inode && CIFS_I(inode)->uniqueid == fattr->cf_uniqueid) {
+ cifs_fattr_to_inode(inode, fattr);
+ return dentry;
+ }
+- d_drop(dentry);
++ err = d_invalidate(dentry);
+ dput(dentry);
++ if (err)
++ return NULL;
+ }
+
+ dentry = d_alloc(parent, name);
diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c
index 3129ac7..cc4a948 100644
--- a/fs/cifs/smb1ops.c
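Review bot: The switch from `d_drop()` to `d_invalidate()` in `cifs_readdir_lookup` adds a failure path (`return NULL` after `dput`) with no comment on when it triggers or what the caller should do with the NULL. As far as I know, `d_invalidate()` refuses to unhash a dentry that is still in use, whereas `d_drop()` unhashes it unconditionally, so the function now gives up on the entry instead of replacing a busy dentry. I would say so above the call, e.g. `/* a busy dentry cannot be invalidated; skip this entry rather than unhash it */`. The caller is outside the hunk, so it should be confirmed that it treats NULL as "skip" and not as an allocation failure.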
@@ -47896,10 +47970,10 @@ index 8349a89..51a0254 100644
static int can_do_hugetlb_shm(void)
{
diff --git a/fs/inode.c b/fs/inode.c
-index ac8d904..9f45d40 100644
+index 7c14897..d40169e 100644
--- a/fs/inode.c
+++ b/fs/inode.c
-@@ -867,8 +867,8 @@ unsigned int get_next_ino(void)
+@@ -880,8 +880,8 @@ unsigned int get_next_ino(void)
#ifdef CONFIG_SMP
if (unlikely((res & (LAST_INO_BATCH-1)) == 0)) {
@@ -48023,7 +48097,7 @@ index 7e81bfc..c3649aa 100644
lock_flocks();
diff --git a/fs/namei.c b/fs/namei.c
-index 091c4b7..fbcb268 100644
+index 091c4b7..eb220a4 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -265,16 +265,32 @@ int generic_permission(struct inode *inode, int mask)
@@ -48164,7 +48238,19 @@ index 091c4b7..fbcb268 100644
if (unlikely(!audit_dummy_context())) {
if (nd->path.dentry && nd->inode)
audit_inode(name, nd->path.dentry);
-@@ -2336,6 +2378,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
+@@ -2076,6 +2118,11 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
+ if (!len)
+ return ERR_PTR(-EACCES);
+
++ if (unlikely(name[0] == '.')) {
++ if (len < 2 || (len == 2 && name[1] == '.'))
++ return ERR_PTR(-EACCES);
++ }
++
+ while (len--) {
+ c = *(const unsigned char *)name++;
+ if (c == '/' || c == '\0')
+@@ -2336,6 +2383,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
if (flag & O_NOATIME && !inode_owner_or_capable(inode))
return -EPERM;
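Review bot: The check added to `lookup_one_len` rejects the names "." and ".." but carries no comment, and it is the one part of the name validation that is not self-explanatory. The loop right below it already refuses '/' and NUL, so the intent appears to be that the function resolves exactly one real component beneath `base`; dot entries would let a caller name `base` itself or its parent. I would add `/* "." and ".." are not entries of base; refuse them like '/' and NUL below */` and fold the nested test into one condition, `if (unlikely(name[0] == '.') && (len < 2 || (len == 2 && name[1] == '.')))`. The `len < 2` arm relies on the earlier `if (!len)` return, so for non-negative lengths it effectively means `len == 1`.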
@@ -48178,7 +48264,7 @@ index 091c4b7..fbcb268 100644
return 0;
}
-@@ -2557,7 +2606,7 @@ looked_up:
+@@ -2557,7 +2611,7 @@ looked_up:
* cleared otherwise prior to returning.
*/
static int lookup_open(struct nameidata *nd, struct path *path,
@@ -48187,7 +48273,7 @@ index 091c4b7..fbcb268 100644
const struct open_flags *op,
bool got_write, int *opened)
{
-@@ -2592,6 +2641,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2592,6 +2646,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
/* Negative dentry, just create the file */
if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
umode_t mode = op->mode;
@@ -48205,7 +48291,7 @@ index 091c4b7..fbcb268 100644
if (!IS_POSIXACL(dir->d_inode))
mode &= ~current_umask();
/*
-@@ -2613,6 +2673,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2613,6 +2678,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
nd->flags & LOOKUP_EXCL);
if (error)
goto out_dput;
@@ -48214,7 +48300,7 @@ index 091c4b7..fbcb268 100644
}
out_no_open:
path->dentry = dentry;
-@@ -2627,7 +2689,7 @@ out_dput:
+@@ -2627,7 +2694,7 @@ out_dput:
/*
* Handle the last step of open()
*/
@@ -48223,7 +48309,7 @@ index 091c4b7..fbcb268 100644
struct file *file, const struct open_flags *op,
int *opened, const char *pathname)
{
-@@ -2656,16 +2718,44 @@ static int do_last(struct nameidata *nd, struct path *path,
+@@ -2656,16 +2723,44 @@ static int do_last(struct nameidata *nd, struct path *path,
error = complete_walk(nd);
if (error)
return error;
@@ -48268,7 +48354,7 @@ index 091c4b7..fbcb268 100644
audit_inode(pathname, dir);
goto finish_open;
}
-@@ -2714,7 +2804,7 @@ retry_lookup:
+@@ -2714,7 +2809,7 @@ retry_lookup:
*/
}
mutex_lock(&dir->d_inode->i_mutex);
@@ -48277,7 +48363,7 @@ index 091c4b7..fbcb268 100644
mutex_unlock(&dir->d_inode->i_mutex);
if (error <= 0) {
-@@ -2738,11 +2828,28 @@ retry_lookup:
+@@ -2738,11 +2833,28 @@ retry_lookup:
goto finish_open_created;
}
@@ -48307,7 +48393,7 @@ index 091c4b7..fbcb268 100644
/*
* If atomic_open() acquired write access it is dropped now due to
-@@ -2783,6 +2890,11 @@ finish_lookup:
+@@ -2783,6 +2895,11 @@ finish_lookup:
}
}
BUG_ON(inode != path->dentry->d_inode);
@@ -48319,7 +48405,7 @@ index 091c4b7..fbcb268 100644
return 1;
}
-@@ -2792,7 +2904,6 @@ finish_lookup:
+@@ -2792,7 +2909,6 @@ finish_lookup:
save_parent.dentry = nd->path.dentry;
save_parent.mnt = mntget(path->mnt);
nd->path.dentry = path->dentry;
@@ -48327,7 +48413,7 @@ index 091c4b7..fbcb268 100644
}
nd->inode = inode;
/* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */
-@@ -2801,6 +2912,22 @@ finish_lookup:
+@@ -2801,6 +2917,22 @@ finish_lookup:
path_put(&save_parent);
return error;
}
@@ -48350,7 +48436,7 @@ index 091c4b7..fbcb268 100644
error = -EISDIR;
if ((open_flag & O_CREAT) && S_ISDIR(nd->inode->i_mode))
goto out;
-@@ -2899,7 +3026,7 @@ static struct file *path_openat(int dfd, const char *pathname,
+@@ -2899,7 +3031,7 @@ static struct file *path_openat(int dfd, const char *pathname,
if (unlikely(error))
goto out;
@@ -48359,7 +48445,7 @@ index 091c4b7..fbcb268 100644
while (unlikely(error > 0)) { /* trailing symlink */
struct path link = path;
void *cookie;
-@@ -2917,7 +3044,7 @@ static struct file *path_openat(int dfd, const char *pathname,
+@@ -2917,7 +3049,7 @@ static struct file *path_openat(int dfd, const char *pathname,
error = follow_link(&link, nd, &cookie);
if (unlikely(error))
break;
@@ -48368,7 +48454,7 @@ index 091c4b7..fbcb268 100644
put_link(nd, &link, cookie);
}
out:
-@@ -3006,8 +3133,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path
+@@ -3006,8 +3138,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path
goto unlock;
error = -EEXIST;
@@ -48382,7 +48468,7 @@ index 091c4b7..fbcb268 100644
/*
* Special case - lookup gave negative, but... we had foo/bar/
* From the vfs_mknod() POV we just have a negative dentry -
-@@ -3058,6 +3189,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat
+@@ -3058,6 +3194,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat
}
EXPORT_SYMBOL(user_path_create);
@@ -48403,7 +48489,7 @@ index 091c4b7..fbcb268 100644
int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
int error = may_create(dir, dentry);
-@@ -3119,6 +3264,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode,
+@@ -3119,6 +3269,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode,
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -48421,7 +48507,7 @@ index 091c4b7..fbcb268 100644
error = security_path_mknod(&path, dentry, mode, dev);
if (error)
goto out;
-@@ -3135,6 +3291,8 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode,
+@@ -3135,6 +3296,8 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode,
break;
}
out:
@@ -48430,7 +48516,7 @@ index 091c4b7..fbcb268 100644
done_path_create(&path, dentry);
return error;
}
-@@ -3181,9 +3339,18 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, umode_t, mode)
+@@ -3181,9 +3344,18 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, umode_t, mode)
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -48449,7 +48535,7 @@ index 091c4b7..fbcb268 100644
done_path_create(&path, dentry);
return error;
}
-@@ -3260,6 +3427,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -3260,6 +3432,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
char * name;
struct dentry *dentry;
struct nameidata nd;
@@ -48458,7 +48544,7 @@ index 091c4b7..fbcb268 100644
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -3291,10 +3460,21 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -3291,10 +3465,21 @@ static long do_rmdir(int dfd, const char __user *pathname)
error = -ENOENT;
goto exit3;
}
@@ -48480,7 +48566,7 @@ index 091c4b7..fbcb268 100644
exit3:
dput(dentry);
exit2:
-@@ -3356,6 +3536,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -3356,6 +3541,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
struct dentry *dentry;
struct nameidata nd;
struct inode *inode = NULL;
@@ -48489,7 +48575,7 @@ index 091c4b7..fbcb268 100644
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -3381,10 +3563,22 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -3381,10 +3568,22 @@ static long do_unlinkat(int dfd, const char __user *pathname)
if (!inode)
goto slashes;
ihold(inode);
@@ -48512,7 +48598,7 @@ index 091c4b7..fbcb268 100644
exit2:
dput(dentry);
}
-@@ -3456,9 +3650,17 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
+@@ -3456,9 +3655,17 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
if (IS_ERR(dentry))
goto out_putname;
@@ -48530,7 +48616,7 @@ index 091c4b7..fbcb268 100644
done_path_create(&path, dentry);
out_putname:
putname(from);
-@@ -3528,6 +3730,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3528,6 +3735,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
{
struct dentry *new_dentry;
struct path old_path, new_path;
@@ -48538,7 +48624,7 @@ index 091c4b7..fbcb268 100644
int how = 0;
int error;
-@@ -3551,7 +3754,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3551,7 +3759,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
if (error)
return error;
@@ -48547,7 +48633,7 @@ index 091c4b7..fbcb268 100644
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
goto out;
-@@ -3562,11 +3765,28 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3562,11 +3770,28 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
error = may_linkat(&old_path);
if (unlikely(error))
goto out_dput;
@@ -48576,7 +48662,7 @@ index 091c4b7..fbcb268 100644
done_path_create(&new_path, new_dentry);
out:
path_put(&old_path);
-@@ -3802,12 +4022,21 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -3802,12 +4027,21 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
if (new_dentry == trap)
goto exit5;
@@ -48598,7 +48684,7 @@ index 091c4b7..fbcb268 100644
exit5:
dput(new_dentry);
exit4:
-@@ -3832,6 +4061,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -3832,6 +4066,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
{
@@ -48607,7 +48693,7 @@ index 091c4b7..fbcb268 100644
int len;
len = PTR_ERR(link);
-@@ -3841,7 +4072,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+@@ -3841,7 +4077,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
len = strlen(link);
if (len > (unsigned) buflen)
len = buflen;
@@ -48686,6 +48772,38 @@ index 7bdf790..eb79c4b 100644
get_fs_root(current->fs, &root);
error = lock_mount(&old);
if (error)
+diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
+index 627f108..afc1fc5b 100644
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -450,7 +450,8 @@ void nfs_prime_dcache(struct dentry *parent, struct nfs_entry *entry)
+ nfs_refresh_inode(dentry->d_inode, entry->fattr);
+ goto out;
+ } else {
+- d_drop(dentry);
++ if (d_invalidate(dentry) != 0)
++ goto out;
+ dput(dentry);
+ }
+ }
+@@ -1100,6 +1101,8 @@ out_set_verifier:
+ out_zap_parent:
+ nfs_zap_caches(dir);
+ out_bad:
++ nfs_free_fattr(fattr);
++ nfs_free_fhandle(fhandle);
+ nfs_mark_for_revalidate(dir);
+ if (inode && S_ISDIR(inode->i_mode)) {
+ /* Purge readdir caches. */
+@@ -1112,8 +1115,6 @@ out_zap_parent:
+ shrink_dcache_parent(dentry);
+ }
+ d_drop(dentry);
+- nfs_free_fattr(fattr);
+- nfs_free_fhandle(fhandle);
+ dput(parent);
+ dfprintk(LOOKUPCACHE, "NFS: %s(%s/%s) is invalid\n",
+ __func__, dentry->d_parent->d_name.name,
diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
index 9b47610..066975e 100644
--- a/fs/nfs/inode.c
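Review bot: In `nfs_prime_dcache` the new `goto out` after a failed `d_invalidate()` skips the `dput(dentry)` that follows it, so the reference held on `dentry` is released only if the `out` label does it. That label is outside this hunk and should be checked; if it does not drop the dentry, the failure path leaks a reference each time a busy dentry is met. A short comment such as `/* still in use: keep the old dentry; out: drops our reference */` would make the pairing explicit. The second inner hunk, which moves `nfs_free_fattr()`/`nfs_free_fhandle()` up to `out_bad`, looks consistent as long as `fattr` and `fhandle` are either allocated or NULL on every path into `out_bad`; their initialisation is not visible here either.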
@@ -63441,18 +63559,20 @@ index aa2e167..84024ce 100644
};
diff --git a/include/linux/init.h b/include/linux/init.h
-index 5e664f6..15ae326 100644
+index 5e664f6..ba694f0 100644
--- a/include/linux/init.h
+++ b/include/linux/init.h
-@@ -39,9 +39,33 @@
+@@ -39,9 +39,36 @@
* Also note, that this data cannot be "const".
*/
+#ifdef MODULE
+#define add_init_latent_entropy
++#define add_devinit_latent_entropy
++#define add_cpuinit_latent_entropy
++#define add_meminit_latent_entropy
+#else
+#define add_init_latent_entropy __latent_entropy
-+#endif
+
+#ifdef CONFIG_HOTPLUG
+#define add_devinit_latent_entropy
@@ -63471,6 +63591,7 @@ index 5e664f6..15ae326 100644
+#else
+#define add_meminit_latent_entropy __latent_entropy
+#endif
++#endif
+
/* These are for everybody (although not all archs will actually
discard it in modules) */
@@ -63479,7 +63600,7 @@ index 5e664f6..15ae326 100644
#define __initdata __section(.init.data)
#define __initconst __section(.init.rodata)
#define __exitdata __section(.exit.data)
-@@ -83,7 +107,7 @@
+@@ -83,7 +110,7 @@
#define __exit __section(.exit.text) __exitused __cold notrace
/* Used for HOTPLUG */
@@ -63488,7 +63609,7 @@ index 5e664f6..15ae326 100644
#define __devinitdata __section(.devinit.data)
#define __devinitconst __section(.devinit.rodata)
#define __devexit __section(.devexit.text) __exitused __cold notrace
-@@ -91,7 +115,7 @@
+@@ -91,7 +118,7 @@
#define __devexitconst __section(.devexit.rodata)
/* Used for HOTPLUG_CPU */
@@ -63497,7 +63618,7 @@ index 5e664f6..15ae326 100644
#define __cpuinitdata __section(.cpuinit.data)
#define __cpuinitconst __section(.cpuinit.rodata)
#define __cpuexit __section(.cpuexit.text) __exitused __cold notrace
-@@ -99,7 +123,7 @@
+@@ -99,7 +126,7 @@
#define __cpuexitconst __section(.cpuexit.rodata)
/* Used for MEMORY_HOTPLUG */
@@ -65339,6 +65460,19 @@ index 99c1b4d..bb94261 100644
}
static inline void put_unaligned_le16(u16 val, void *p)
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index 30d1ae3..aecd07e 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -546,7 +546,7 @@ struct usb_device {
+ struct usb_device **children;
+
+ u32 quirks;
+- atomic_t urbnum;
++ atomic_unchecked_t urbnum;
+
+ unsigned long active_duration;
+
diff --git a/include/linux/usb/renesas_usbhs.h b/include/linux/usb/renesas_usbhs.h
index c5d36c6..8478c90 100644
--- a/include/linux/usb/renesas_usbhs.h
@@ -67978,7 +68112,7 @@ index 2c8857e..288c9c7 100644
else
new_fs = fs;
diff --git a/kernel/futex.c b/kernel/futex.c
-index 20ef219..b3a0cb2 100644
+index 19eb089..b8c65ea 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -54,6 +54,7 @@
@@ -68001,7 +68135,7 @@ index 20ef219..b3a0cb2 100644
/*
* The futex address must be "naturally" aligned.
*/
-@@ -2717,6 +2723,7 @@ static int __init futex_init(void)
+@@ -2733,6 +2739,7 @@ static int __init futex_init(void)
{
u32 curval;
int i;
@@ -68009,7 +68143,7 @@ index 20ef219..b3a0cb2 100644
/*
* This will fail and we want it. Some arch implementations do
-@@ -2728,8 +2735,11 @@ static int __init futex_init(void)
+@@ -2744,8 +2751,11 @@ static int __init futex_init(void)
* implementation, the non-functional ones will return
* -ENOSYS.
*/
@@ -70412,7 +70546,7 @@ index 98ec494..4241d6d 100644
default:
diff --git a/kernel/sched/auto_group.c b/kernel/sched/auto_group.c
-index 0984a21..939f183 100644
+index 0984a21..7e50319 100644
--- a/kernel/sched/auto_group.c
+++ b/kernel/sched/auto_group.c
@@ -11,7 +11,7 @@
@@ -70433,6 +70567,38 @@ index 0984a21..939f183 100644
ag->tg = tg;
#ifdef CONFIG_RT_GROUP_SCHED
/*
+@@ -143,15 +143,11 @@ autogroup_move_group(struct task_struct *p, struct autogroup *ag)
+
+ p->signal->autogroup = autogroup_kref_get(ag);
+
+- if (!ACCESS_ONCE(sysctl_sched_autogroup_enabled))
+- goto out;
+-
+ t = p;
+ do {
+ sched_move_task(t);
+ } while_each_thread(p, t);
+
+-out:
+ unlock_task_sighand(p, &flags);
+ autogroup_kref_put(prev);
+ }
+diff --git a/kernel/sched/auto_group.h b/kernel/sched/auto_group.h
+index 8bd0471..443232e 100644
+--- a/kernel/sched/auto_group.h
++++ b/kernel/sched/auto_group.h
+@@ -4,11 +4,6 @@
+ #include <linux/rwsem.h>
+
+ struct autogroup {
+- /*
+- * reference doesn't mean how many thread attach to this
+- * autogroup now. It just stands for the number of task
+- * could use this autogroup.
+- */
+ struct kref kref;
+ struct task_group *tg;
+ struct rw_semaphore lock;
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 1a48cdb..d3949ff 100644
--- a/kernel/sched/core.c
@@ -71546,7 +71712,7 @@ index d4545f4..a9010a1 100644
local_irq_save(flags);
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
-index 872bd6d..31601a2 100644
+index 872bd6d..b727b3a 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -1422,7 +1422,7 @@ retry:
@@ -71567,6 +71733,18 @@ index 872bd6d..31601a2 100644
if (test_and_set_bit(WORK_STRUCT_PENDING_BIT,
work_data_bits(rebind_work)))
+@@ -2266,8 +2266,10 @@ static int rescuer_thread(void *__wq)
+ repeat:
+ set_current_state(TASK_INTERRUPTIBLE);
+
+- if (kthread_should_stop())
++ if (kthread_should_stop()) {
++ __set_current_state(TASK_RUNNING);
+ return 0;
++ }
+
+ /*
+ * See whether any cpu is asking for help. Unbounded
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index 2403a63..5c4be4c 100644
--- a/lib/Kconfig.debug
@@ -72306,7 +72484,7 @@ index 14d260f..b2a80fd 100644
if (end == start)
goto out;
diff --git a/mm/memory-failure.c b/mm/memory-failure.c
-index a6e2141..eaf5aad 100644
+index a6e2141..0e32042 100644
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -61,7 +61,7 @@ int sysctl_memory_failure_early_kill __read_mostly = 0;
@@ -72381,7 +72559,25 @@ index a6e2141..eaf5aad 100644
&mce_bad_pages);
set_page_hwpoison_huge_page(hpage);
dequeue_hwpoisoned_huge_page(hpage);
-@@ -1572,7 +1572,7 @@ int soft_offline_page(struct page *page, int flags)
+@@ -1474,9 +1474,17 @@ int soft_offline_page(struct page *page, int flags)
+ {
+ int ret;
+ unsigned long pfn = page_to_pfn(page);
++ struct page *hpage = compound_trans_head(page);
+
+ if (PageHuge(page))
+ return soft_offline_huge_page(page, flags);
++ if (PageTransHuge(hpage)) {
++ if (PageAnon(hpage) && unlikely(split_huge_page(hpage))) {
++ pr_info("soft offline: %#lx: failed to split THP\n",
++ pfn);
++ return -EBUSY;
++ }
++ }
+
+ ret = get_any_page(page, pfn, flags);
+ if (ret < 0)
+@@ -1572,7 +1580,7 @@ int soft_offline_page(struct page *page, int flags)
return ret;
done:
@@ -76024,6 +76220,47 @@ index 1b7e22a..3fcd4f3 100644
}
return pgd;
}
+diff --git a/mm/sparse.c b/mm/sparse.c
+index fac95f2..a83de2f 100644
+--- a/mm/sparse.c
++++ b/mm/sparse.c
+@@ -617,7 +617,7 @@ static void __kfree_section_memmap(struct page *memmap, unsigned long nr_pages)
+ {
+ return; /* XXX: Not implemented yet */
+ }
+-static void free_map_bootmem(struct page *page, unsigned long nr_pages)
++static void free_map_bootmem(struct page *memmap, unsigned long nr_pages)
+ {
+ }
+ #else
+@@ -658,10 +658,11 @@ static void __kfree_section_memmap(struct page *memmap, unsigned long nr_pages)
+ get_order(sizeof(struct page) * nr_pages));
+ }
+
+-static void free_map_bootmem(struct page *page, unsigned long nr_pages)
++static void free_map_bootmem(struct page *memmap, unsigned long nr_pages)
+ {
+ unsigned long maps_section_nr, removing_section_nr, i;
+ unsigned long magic;
++ struct page *page = virt_to_page(memmap);
+
+ for (i = 0; i < nr_pages; i++, page++) {
+ magic = (unsigned long) page->lru.next;
+@@ -710,13 +711,10 @@ static void free_section_usemap(struct page *memmap, unsigned long *usemap)
+ */
+
+ if (memmap) {
+- struct page *memmap_page;
+- memmap_page = virt_to_page(memmap);
+-
+ nr_pages = PAGE_ALIGN(PAGES_PER_SECTION * sizeof(struct page))
+ >> PAGE_SHIFT;
+
+- free_map_bootmem(memmap_page, nr_pages);
++ free_map_bootmem(memmap, nr_pages);
+ }
+ }
+
diff --git a/mm/swap.c b/mm/swap.c
index 7782588..228c784 100644
--- a/mm/swap.c
@@ -76308,6 +76545,72 @@ index 2bb90b1..3795e47 100644
v->addr, v->addr + v->size, v->size);
if (v->caller)
+diff --git a/mm/vmscan.c b/mm/vmscan.c
+index 40db7d1..be5a9c1 100644
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -2383,6 +2383,19 @@ static void age_active_anon(struct zone *zone, struct scan_control *sc)
+ } while (memcg);
+ }
+
++static bool zone_balanced(struct zone *zone, int order,
++ unsigned long balance_gap, int classzone_idx)
++{
++ if (!zone_watermark_ok_safe(zone, order, high_wmark_pages(zone) +
++ balance_gap, classzone_idx, 0))
++ return false;
++
++ if (COMPACTION_BUILD && order && !compaction_suitable(zone, order))
++ return false;
++
++ return true;
++}
++
+ /*
+ * pgdat_balanced is used when checking if a node is balanced for high-order
+ * allocations. Only zones that meet watermarks and are in a zone allowed
+@@ -2461,8 +2474,7 @@ static bool prepare_kswapd_sleep(pg_data_t *pgdat, int order, long remaining,
+ continue;
+ }
+
+- if (!zone_watermark_ok_safe(zone, order, high_wmark_pages(zone),
+- i, 0))
++ if (!zone_balanced(zone, order, 0, i))
+ all_zones_ok = false;
+ else
+ balanced += zone->present_pages;
+@@ -2571,8 +2583,7 @@ loop_again:
+ break;
+ }
+
+- if (!zone_watermark_ok_safe(zone, order,
+- high_wmark_pages(zone), 0, 0)) {
++ if (!zone_balanced(zone, order, 0, 0)) {
+ end_zone = i;
+ break;
+ } else {
+@@ -2648,9 +2659,8 @@ loop_again:
+ testorder = 0;
+
+ if ((buffer_heads_over_limit && is_highmem_idx(i)) ||
+- !zone_watermark_ok_safe(zone, testorder,
+- high_wmark_pages(zone) + balance_gap,
+- end_zone, 0)) {
++ !zone_balanced(zone, testorder,
++ balance_gap, end_zone)) {
+ shrink_zone(zone, &sc);
+
+ reclaim_state->reclaimed_slab = 0;
+@@ -2677,8 +2687,7 @@ loop_again:
+ continue;
+ }
+
+- if (!zone_watermark_ok_safe(zone, testorder,
+- high_wmark_pages(zone), end_zone, 0)) {
++ if (!zone_balanced(zone, testorder, 0, end_zone)) {
+ all_zones_ok = 0;
+ /*
+ * We are still under min water mark. This
diff --git a/mm/vmstat.c b/mm/vmstat.c
index df7a674..8b4a4f3 100644
--- a/mm/vmstat.c
@@ -77403,6 +77706,20 @@ index 9633661..4e0bc08 100644
return nh->nh_saddr;
}
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index f2eccd5..17ff9fd 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -257,7 +257,8 @@ static inline bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt,
+ struct inet_peer *peer = inet_getpeer_v4(net->ipv4.peers, fl4->daddr, 1);
+ rc = inet_peer_xrlim_allow(peer,
+ net->ipv4.sysctl_icmp_ratelimit);
+- inet_putpeer(peer);
++ if (peer)
++ inet_putpeer(peer);
+ }
+ out:
+ return rc;
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index 7880af9..70f92a3 100644
--- a/net/ipv4/inet_hashtables.c
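Review bot: In the added icmpv4_xrlim_allow change the new `if (peer)` guard protects only `inet_putpeer()`, while the same possibly-NULL `peer` is still passed to `inet_peer_xrlim_allow()` on the preceding lines. That callee is not visible here; as far as I recall from mainline it returns true for a NULL peer, which would mean ICMP rate limiting fails open whenever the peer lookup or allocation fails. That behaviour should be confirmed and stated at the call site, for example `/* peer may be NULL if inet_getpeer_v4() fails; inet_peer_xrlim_allow() then allows the packet */`. The function body starts and ends outside the hunk.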
@@ -77514,6 +77831,21 @@ index 67e8a6b..386764d 100644
set_fs(oldfs);
return res;
}
+diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
+index ebdf06f..f797f59 100644
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -1318,6 +1318,10 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, unsi
+ if (get_user(v, (u32 __user *)optval))
+ return -EFAULT;
+
++ /* "pimreg%u" should not exceed 16 bytes (IFNAMSIZ) */
++ if (v != RT_TABLE_DEFAULT && v >= 1000000000)
++ return -EINVAL;
++
+ rtnl_lock();
+ ret = 0;
+ if (sk == rtnl_dereference(mrt->mroute_sk)) {
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 97e61ea..cac1bbb 100644
--- a/net/ipv4/netfilter/arp_tables.c
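Review bot: The bound `1000000000` in the check added to ip_mroute_setsockopt is a bare magic number whose correctness depends on both the `"pimreg%u"` format and IFNAMSIZ staying at 16, and the comment does not show the arithmetic. `v` is read from user space with `get_user()`, so this check is the only visible limit on the length of the generated device name. Spelling out the derivation makes it auditable: `/* "pimreg" (6) + at most 9 decimal digits + NUL == IFNAMSIZ (16) */`. The code that formats the name is outside the hunk, so it is worth confirming that it uses a bounded write as well; the function itself continues beyond the hunk.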
@@ -78467,6 +78799,18 @@ index 6b9d5a0..4dffaf1 100644
seq_printf(m, "Max data size: %d\n", self->max_data_size);
seq_printf(m, "Max header size: %d\n", self->max_header_size);
+diff --git a/net/irda/irttp.c b/net/irda/irttp.c
+index 5c93f29..71498f0 100644
+--- a/net/irda/irttp.c
++++ b/net/irda/irttp.c
+@@ -441,6 +441,7 @@ struct tsap_cb *irttp_open_tsap(__u8 stsap_sel, int credit, notify_t *notify)
+ lsap = irlmp_open_lsap(stsap_sel, &ttp_notify, 0);
+ if (lsap == NULL) {
+ IRDA_WARNING("%s: unable to allocate LSAP!!\n", __func__);
++ __irttp_close_tsap(self);
+ return NULL;
+ }
+
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index cd6f7a9..e63fe89 100644
--- a/net/iucv/af_iucv.c
@@ -78705,6 +79049,19 @@ index 1c5160f..145ae21 100644
obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
+diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
+index d5d3607..1b6fa7b 100644
+--- a/net/netfilter/ipset/ip_set_hash_netiface.c
++++ b/net/netfilter/ipset/ip_set_hash_netiface.c
+@@ -791,7 +791,7 @@ static struct ip_set_type hash_netiface_type __read_mostly = {
+ [IPSET_ATTR_IP] = { .type = NLA_NESTED },
+ [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
+ [IPSET_ATTR_IFACE] = { .type = NLA_NUL_STRING,
+- .len = IPSET_MAXNAMELEN - 1 },
++ .len = IFNAMSIZ - 1 },
+ [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
+ [IPSET_ATTR_CIDR] = { .type = NLA_U8 },
+ [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
index 1548df9..98ad9b4 100644
--- a/net/netfilter/ipvs/ip_vs_conn.c
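Review bot: The tightened `.len = IFNAMSIZ - 1` for IPSET_ATTR_IFACE has no comment tying it to the size of the buffer the attribute is later copied into, so nothing documents why a set-name limit is wrong here. This netlink policy entry is the only length validation visible for a string supplied from user space; the copy itself is outside the hunk and presumably targets an IFNAMSIZ-sized field. I would add `/* must not exceed the IFNAMSIZ buffer this attribute is copied into */` beside the entry and check whether any other policy table in the file still bounds the same attribute with `IPSET_MAXNAMELEN - 1`. The initializer starts and ends outside the hunk.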
@@ -79609,6 +79966,38 @@ index f226709..0e735a8 100644
_proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
+diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
+index 6c85564..9534bf9 100644
+--- a/net/sctp/chunk.c
++++ b/net/sctp/chunk.c
+@@ -284,7 +284,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
+ goto errout;
+ err = sctp_user_addto_chunk(chunk, offset, len, msgh->msg_iov);
+ if (err < 0)
+- goto errout;
++ goto errout_chunk_free;
+
+ offset += len;
+
+@@ -324,7 +324,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
+ __skb_pull(chunk->skb, (__u8 *)chunk->chunk_hdr
+ - (__u8 *)chunk->skb->data);
+ if (err < 0)
+- goto errout;
++ goto errout_chunk_free;
+
+ sctp_datamsg_assign(msg, chunk);
+ list_add_tail(&chunk->frag_list, &msg->chunks);
+@@ -332,6 +332,9 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
+
+ return msg;
+
++errout_chunk_free:
++ sctp_chunk_free(chunk);
++
+ errout:
+ list_for_each_safe(pos, temp, &msg->chunks) {
+ list_del_init(pos);
diff --git a/net/sctp/proc.c b/net/sctp/proc.c
index 1e2eee8..ce3967e 100644
--- a/net/sctp/proc.c
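Review bot: The new `errout_chunk_free:` label in sctp_datamsg_from_user relies on falling through into `errout:` without saying so, and it sits directly after `return msg;`, which makes the control flow easy to misread. A `/* fall through to errout */` line after `sctp_chunk_free(chunk);` would make the intent explicit. The `goto errout;` kept as context at the top of the first inner hunk still bypasses the free, which is correct only if `chunk` is NULL on that path; the hunk does not show the condition, so that should be confirmed. The function starts and ends outside the hunk.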
@@ -79636,6 +80025,19 @@ index 5e25981..dbda919 100644
if (copy_to_user(to, &temp, addrlen))
return -EFAULT;
to += addrlen;
+diff --git a/net/sctp/transport.c b/net/sctp/transport.c
+index c97472b..3f7c94b 100644
+--- a/net/sctp/transport.c
++++ b/net/sctp/transport.c
+@@ -328,7 +328,7 @@ void sctp_transport_update_rto(struct sctp_transport *tp, __u32 rtt)
+ * 1/8, rto_alpha would be expressed as 3.
+ */
+ tp->rttvar = tp->rttvar - (tp->rttvar >> sctp_rto_beta)
+- + ((abs(tp->srtt - rtt)) >> sctp_rto_beta);
++ + (((__u32)abs64((__s64)tp->srtt - (__s64)rtt)) >> sctp_rto_beta);
+ tp->srtt = tp->srtt - (tp->srtt >> sctp_rto_alpha)
+ + (rtt >> sctp_rto_alpha);
+ } else {
diff --git a/net/socket.c b/net/socket.c
index edc3c4a..4b4e4a8 100644
--- a/net/socket.c
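Review bot: The replacement expression in sctp_transport_update_rto carries three casts and no explanation of why the plain `abs()` was wrong, so a later cleanup could easily simplify it back. `rtt` is `__u32` per the signature and `tp->srtt` is presumably unsigned too, so the old subtraction wrapped before `abs()` saw it. I would extend the existing comment with `/* srtt and rtt are unsigned: widen to __s64 so the difference keeps its sign before taking the magnitude */`. The narrowing `(__u32)` cast is safe only if both operands are 32-bit, which should be confirmed against the struct definition; the function continues outside the hunk.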
diff --git a/3.6.8/4425-tmpfs-user-namespace.patch b/3.6.9/4425-tmpfs-user-namespace.patch
index b48d735..b48d735 100644
--- a/3.6.8/4425-tmpfs-user-namespace.patch
+++ b/3.6.9/4425-tmpfs-user-namespace.patch
diff --git a/3.6.8/4430_grsec-remove-localversion-grsec.patch b/3.6.9/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.6.8/4430_grsec-remove-localversion-grsec.patch
+++ b/3.6.9/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.6.8/4435_grsec-mute-warnings.patch b/3.6.9/4435_grsec-mute-warnings.patch
index e1a7a3c..e1a7a3c 100644
--- a/3.6.8/4435_grsec-mute-warnings.patch
+++ b/3.6.9/4435_grsec-mute-warnings.patch
diff --git a/3.6.8/4440_grsec-remove-protected-paths.patch b/3.6.9/4440_grsec-remove-protected-paths.patch
index 637934a..637934a 100644
--- a/3.6.8/4440_grsec-remove-protected-paths.patch
+++ b/3.6.9/4440_grsec-remove-protected-paths.patch
diff --git a/3.6.8/4450_grsec-kconfig-default-gids.patch b/3.6.9/4450_grsec-kconfig-default-gids.patch
index d4b0b7e..d4b0b7e 100644
--- a/3.6.8/4450_grsec-kconfig-default-gids.patch
+++ b/3.6.9/4450_grsec-kconfig-default-gids.patch
diff --git a/3.6.8/4465_selinux-avc_audit-log-curr_ip.patch b/3.6.9/4465_selinux-avc_audit-log-curr_ip.patch
index 4fb50f4..4fb50f4 100644
--- a/3.6.8/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.6.9/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.6.8/4470_disable-compat_vdso.patch b/3.6.9/4470_disable-compat_vdso.patch
index 4a1947b..4a1947b 100644
--- a/3.6.8/4470_disable-compat_vdso.patch
+++ b/3.6.9/4470_disable-compat_vdso.patch