summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnthony G. Basile <blueness@gentoo.org>2015-12-12 04:06:01 -0500
committerAnthony G. Basile <blueness@gentoo.org>2015-12-12 04:06:01 -0500
commit55085213bb0871c830884175b80c5e4a12169d97 (patch)
tree9f8856edb7433aff58cce444d55452c0062ccdf5
parentgrsecurity-3.1-4.2.6-201512051918 (diff)
downloadhardened-patchset-20151209.tar.gz
hardened-patchset-20151209.tar.bz2
hardened-patchset-20151209.zip
grsecurity-3.1-4.2.7-20151209232020151209
-rw-r--r--4.2.7/0000_README (renamed from 4.2.6/0000_README)6
-rw-r--r--4.2.7/1006_linux-4.2.7.patch4131
-rw-r--r--4.2.7/4420_grsecurity-3.1-4.2.7-201512092320.patch (renamed from 4.2.6/4420_grsecurity-3.1-4.2.6-201512051918.patch)3288
-rw-r--r--4.2.7/4425_grsec_remove_EI_PAX.patch (renamed from 4.2.6/4425_grsec_remove_EI_PAX.patch)0
-rw-r--r--4.2.7/4427_force_XATTR_PAX_tmpfs.patch (renamed from 4.2.6/4427_force_XATTR_PAX_tmpfs.patch)0
-rw-r--r--4.2.7/4430_grsec-remove-localversion-grsec.patch (renamed from 4.2.6/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--4.2.7/4435_grsec-mute-warnings.patch (renamed from 4.2.6/4435_grsec-mute-warnings.patch)0
-rw-r--r--4.2.7/4440_grsec-remove-protected-paths.patch (renamed from 4.2.6/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--4.2.7/4450_grsec-kconfig-default-gids.patch (renamed from 4.2.6/4450_grsec-kconfig-default-gids.patch)0
-rw-r--r--4.2.7/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 4.2.6/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--4.2.7/4470_disable-compat_vdso.patch (renamed from 4.2.6/4470_disable-compat_vdso.patch)0
-rw-r--r--4.2.7/4475_emutramp_default_on.patch (renamed from 4.2.6/4475_emutramp_default_on.patch)0
12 files changed, 6777 insertions, 648 deletions
diff --git a/4.2.6/0000_README b/4.2.7/0000_README
index ec4db38..8a09897 100644
--- a/4.2.6/0000_README
+++ b/4.2.7/0000_README
@@ -2,7 +2,11 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.2.6-201512051918.patch
+Patch: 1006_linux-4.2.7.patch
+From: http://www.kernel.org
+Desc: Linux 4.2.7
+
+Patch: 4420_grsecurity-3.1-4.2.7-201512092320.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.2.7/1006_linux-4.2.7.patch b/4.2.7/1006_linux-4.2.7.patch
new file mode 100644
index 0000000..ba25fa7
--- /dev/null
+++ b/4.2.7/1006_linux-4.2.7.patch
@@ -0,0 +1,4131 @@
+diff --git a/Documentation/devicetree/bindings/usb/dwc3.txt b/Documentation/devicetree/bindings/usb/dwc3.txt
+index 0815eac..e12f344 100644
+--- a/Documentation/devicetree/bindings/usb/dwc3.txt
++++ b/Documentation/devicetree/bindings/usb/dwc3.txt
+@@ -35,6 +35,8 @@ Optional properties:
+ LTSSM during USB3 Compliance mode.
+ - snps,dis_u3_susphy_quirk: when set core will disable USB3 suspend phy.
+ - snps,dis_u2_susphy_quirk: when set core will disable USB2 suspend phy.
++ - snps,dis_enblslpm_quirk: when set clears the enblslpm in GUSB2PHYCFG,
++ disabling the suspend signal to the PHY.
+ - snps,is-utmi-l1-suspend: true when DWC3 asserts output signal
+ utmi_l1_suspend_n, false when asserts utmi_sleep_n
+ - snps,hird-threshold: HIRD threshold
+diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt
+index 6f7fafd..3e2844e 100644
+--- a/Documentation/filesystems/proc.txt
++++ b/Documentation/filesystems/proc.txt
+@@ -140,7 +140,8 @@ Table 1-1: Process specific entries in /proc
+ stat Process status
+ statm Process memory status information
+ status Process status in human readable form
+- wchan If CONFIG_KALLSYMS is set, a pre-decoded wchan
++ wchan Present with CONFIG_KALLSYMS=y: it shows the kernel function
++ symbol the task is blocked in - or "0" if not blocked.
+ pagemap Page table
+ stack Report full stack trace, enable via CONFIG_STACKTRACE
+ smaps a extension based on maps, showing the memory consumption of
+@@ -310,7 +311,7 @@ Table 1-4: Contents of the stat files (as of 2.6.30-rc7)
+ blocked bitmap of blocked signals
+ sigign bitmap of ignored signals
+ sigcatch bitmap of caught signals
+- wchan address where process went to sleep
++ 0 (place holder, used to be the wchan address, use /proc/PID/wchan instead)
+ 0 (place holder)
+ 0 (place holder)
+ exit_signal signal to send to parent thread on exit
+diff --git a/Makefile b/Makefile
+index 9ef3739..f5014ea 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 2
+-SUBLEVEL = 6
++SUBLEVEL = 7
+ EXTRAVERSION =
+ NAME = Hurr durr I'ma sheep
+
+diff --git a/arch/arm/boot/dts/imx27.dtsi b/arch/arm/boot/dts/imx27.dtsi
+index b69be5c..8c603fd 100644
+--- a/arch/arm/boot/dts/imx27.dtsi
++++ b/arch/arm/boot/dts/imx27.dtsi
+@@ -477,7 +477,10 @@
+ compatible = "fsl,imx27-usb";
+ reg = <0x10024000 0x200>;
+ interrupts = <56>;
+- clocks = <&clks IMX27_CLK_USB_IPG_GATE>;
++ clocks = <&clks IMX27_CLK_USB_IPG_GATE>,
++ <&clks IMX27_CLK_USB_AHB_GATE>,
++ <&clks IMX27_CLK_USB_DIV>;
++ clock-names = "ipg", "ahb", "per";
+ fsl,usbmisc = <&usbmisc 0>;
+ status = "disabled";
+ };
+@@ -486,7 +489,10 @@
+ compatible = "fsl,imx27-usb";
+ reg = <0x10024200 0x200>;
+ interrupts = <54>;
+- clocks = <&clks IMX27_CLK_USB_IPG_GATE>;
++ clocks = <&clks IMX27_CLK_USB_IPG_GATE>,
++ <&clks IMX27_CLK_USB_AHB_GATE>,
++ <&clks IMX27_CLK_USB_DIV>;
++ clock-names = "ipg", "ahb", "per";
+ fsl,usbmisc = <&usbmisc 1>;
+ dr_mode = "host";
+ status = "disabled";
+@@ -496,7 +502,10 @@
+ compatible = "fsl,imx27-usb";
+ reg = <0x10024400 0x200>;
+ interrupts = <55>;
+- clocks = <&clks IMX27_CLK_USB_IPG_GATE>;
++ clocks = <&clks IMX27_CLK_USB_IPG_GATE>,
++ <&clks IMX27_CLK_USB_AHB_GATE>,
++ <&clks IMX27_CLK_USB_DIV>;
++ clock-names = "ipg", "ahb", "per";
+ fsl,usbmisc = <&usbmisc 2>;
+ dr_mode = "host";
+ status = "disabled";
+@@ -506,7 +515,6 @@
+ #index-cells = <1>;
+ compatible = "fsl,imx27-usbmisc";
+ reg = <0x10024600 0x200>;
+- clocks = <&clks IMX27_CLK_USB_AHB_GATE>;
+ };
+
+ sahara2: sahara@10025000 {
+diff --git a/arch/arm/boot/dts/omap5-uevm.dts b/arch/arm/boot/dts/omap5-uevm.dts
+index 5771a14..23d645d 100644
+--- a/arch/arm/boot/dts/omap5-uevm.dts
++++ b/arch/arm/boot/dts/omap5-uevm.dts
+@@ -31,6 +31,24 @@
+ regulator-max-microvolt = <3000000>;
+ };
+
++ mmc3_pwrseq: sdhci0_pwrseq {
++ compatible = "mmc-pwrseq-simple";
++ clocks = <&clk32kgaudio>;
++ clock-names = "ext_clock";
++ };
++
++ vmmcsdio_fixed: fixedregulator-mmcsdio {
++ compatible = "regulator-fixed";
++ regulator-name = "vmmcsdio_fixed";
++ regulator-min-microvolt = <1800000>;
++ regulator-max-microvolt = <1800000>;
++ gpio = <&gpio5 12 GPIO_ACTIVE_HIGH>; /* gpio140 WLAN_EN */
++ enable-active-high;
++ startup-delay-us = <70000>;
++ pinctrl-names = "default";
++ pinctrl-0 = <&wlan_pins>;
++ };
++
+ /* HS USB Host PHY on PORT 2 */
+ hsusb2_phy: hsusb2_phy {
+ compatible = "usb-nop-xceiv";
+@@ -197,12 +215,20 @@
+ >;
+ };
+
+- mcspi4_pins: pinmux_mcspi4_pins {
++ mmc3_pins: pinmux_mmc3_pins {
++ pinctrl-single,pins = <
++ OMAP5_IOPAD(0x01a4, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_clk */
++ OMAP5_IOPAD(0x01a6, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_cmd */
++ OMAP5_IOPAD(0x01a8, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_data0 */
++ OMAP5_IOPAD(0x01aa, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_data1 */
++ OMAP5_IOPAD(0x01ac, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_data2 */
++ OMAP5_IOPAD(0x01ae, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_data3 */
++ >;
++ };
++
++ wlan_pins: pinmux_wlan_pins {
+ pinctrl-single,pins = <
+- 0x164 (PIN_INPUT | MUX_MODE1) /* mcspi4_clk */
+- 0x168 (PIN_INPUT | MUX_MODE1) /* mcspi4_simo */
+- 0x16a (PIN_INPUT | MUX_MODE1) /* mcspi4_somi */
+- 0x16c (PIN_INPUT | MUX_MODE1) /* mcspi4_cs0 */
++ OMAP5_IOPAD(0x1bc, PIN_OUTPUT | MUX_MODE6) /* mcspi1_clk.gpio5_140 */
+ >;
+ };
+
+@@ -276,6 +302,12 @@
+ 0x1A (PIN_OUTPUT | MUX_MODE0) /* fref_clk1_out, USB hub clk */
+ >;
+ };
++
++ wlcore_irq_pin: pinmux_wlcore_irq_pin {
++ pinctrl-single,pins = <
++ OMAP5_IOPAD(0x040, WAKEUP_EN | PIN_INPUT_PULLUP | MUX_MODE6) /* llia_wakereqin.gpio1_wk14 */
++ >;
++ };
+ };
+
+ &mmc1 {
+@@ -290,8 +322,25 @@
+ };
+
+ &mmc3 {
++ vmmc-supply = <&vmmcsdio_fixed>;
++ mmc-pwrseq = <&mmc3_pwrseq>;
+ bus-width = <4>;
+- ti,non-removable;
++ non-removable;
++ cap-power-off-card;
++ pinctrl-names = "default";
++ pinctrl-0 = <&mmc3_pins &wlcore_irq_pin>;
++ interrupts-extended = <&gic GIC_SPI 94 IRQ_TYPE_LEVEL_HIGH
++ &omap5_pmx_core 0x168>;
++
++ #address-cells = <1>;
++ #size-cells = <0>;
++ wlcore: wlcore@2 {
++ compatible = "ti,wl1271";
++ reg = <2>;
++ interrupt-parent = <&gpio1>;
++ interrupts = <14 IRQ_TYPE_LEVEL_HIGH>; /* gpio 14 */
++ ref-clock-frequency = <26000000>;
++ };
+ };
+
+ &mmc4 {
+@@ -591,11 +640,6 @@
+ pinctrl-0 = <&mcspi3_pins>;
+ };
+
+-&mcspi4 {
+- pinctrl-names = "default";
+- pinctrl-0 = <&mcspi4_pins>;
+-};
+-
+ &uart1 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&uart1_pins>;
+diff --git a/arch/arm/boot/dts/sama5d4.dtsi b/arch/arm/boot/dts/sama5d4.dtsi
+index 3ee22ee..1ba10e4 100644
+--- a/arch/arm/boot/dts/sama5d4.dtsi
++++ b/arch/arm/boot/dts/sama5d4.dtsi
+@@ -939,11 +939,11 @@
+ reg = <0xf8018000 0x4000>;
+ interrupts = <33 IRQ_TYPE_LEVEL_HIGH 6>;
+ dmas = <&dma1
+- (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1))
+- AT91_XDMAC_DT_PERID(4)>,
++ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1)
++ | AT91_XDMAC_DT_PERID(4))>,
+ <&dma1
+- (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1))
+- AT91_XDMAC_DT_PERID(5)>;
++ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1)
++ | AT91_XDMAC_DT_PERID(5))>;
+ dma-names = "tx", "rx";
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_i2c1>;
+diff --git a/arch/arm/boot/dts/sun6i-a31-hummingbird.dts b/arch/arm/boot/dts/sun6i-a31-hummingbird.dts
+index d0cfada..18f26ca 100644
+--- a/arch/arm/boot/dts/sun6i-a31-hummingbird.dts
++++ b/arch/arm/boot/dts/sun6i-a31-hummingbird.dts
+@@ -184,18 +184,18 @@
+ regulator-name = "vcc-3v0";
+ };
+
+- vdd_cpu: dcdc2 {
++ vdd_gpu: dcdc2 {
+ regulator-always-on;
+ regulator-min-microvolt = <700000>;
+ regulator-max-microvolt = <1320000>;
+- regulator-name = "vdd-cpu";
++ regulator-name = "vdd-gpu";
+ };
+
+- vdd_gpu: dcdc3 {
++ vdd_cpu: dcdc3 {
+ regulator-always-on;
+ regulator-min-microvolt = <700000>;
+ regulator-max-microvolt = <1320000>;
+- regulator-name = "vdd-gpu";
++ regulator-name = "vdd-cpu";
+ };
+
+ vdd_sys_dll: dcdc4 {
+diff --git a/arch/arm/common/edma.c b/arch/arm/common/edma.c
+index 873dbfc..56fc339 100644
+--- a/arch/arm/common/edma.c
++++ b/arch/arm/common/edma.c
+@@ -406,7 +406,8 @@ static irqreturn_t dma_irq_handler(int irq, void *data)
+ BIT(slot));
+ if (edma_cc[ctlr]->intr_data[channel].callback)
+ edma_cc[ctlr]->intr_data[channel].callback(
+- channel, EDMA_DMA_COMPLETE,
++ EDMA_CTLR_CHAN(ctlr, channel),
++ EDMA_DMA_COMPLETE,
+ edma_cc[ctlr]->intr_data[channel].data);
+ }
+ } while (sh_ipr);
+@@ -460,7 +461,8 @@ static irqreturn_t dma_ccerr_handler(int irq, void *data)
+ if (edma_cc[ctlr]->intr_data[k].
+ callback) {
+ edma_cc[ctlr]->intr_data[k].
+- callback(k,
++ callback(
++ EDMA_CTLR_CHAN(ctlr, k),
+ EDMA_DMA_CC_ERROR,
+ edma_cc[ctlr]->intr_data
+ [k].data);
+diff --git a/arch/arm/include/asm/irq.h b/arch/arm/include/asm/irq.h
+index 53c15de..6a9851e 100644
+--- a/arch/arm/include/asm/irq.h
++++ b/arch/arm/include/asm/irq.h
+@@ -35,6 +35,11 @@ extern void (*handle_arch_irq)(struct pt_regs *);
+ extern void set_handle_irq(void (*handle_irq)(struct pt_regs *));
+ #endif
+
++static inline int nr_legacy_irqs(void)
++{
++ return NR_IRQS_LEGACY;
++}
++
+ #endif
+
+ #endif
+diff --git a/arch/arm/mach-at91/pm_suspend.S b/arch/arm/mach-at91/pm_suspend.S
+index 0d95f48..a25defd 100644
+--- a/arch/arm/mach-at91/pm_suspend.S
++++ b/arch/arm/mach-at91/pm_suspend.S
+@@ -80,6 +80,8 @@ tmp2 .req r5
+ * @r2: base address of second SDRAM Controller or 0 if not present
+ * @r3: pm information
+ */
++/* at91_pm_suspend_in_sram must be 8-byte aligned per the requirements of fncpy() */
++ .align 3
+ ENTRY(at91_pm_suspend_in_sram)
+ /* Save registers on stack */
+ stmfd sp!, {r4 - r12, lr}
+diff --git a/arch/arm/mach-pxa/include/mach/pxa27x.h b/arch/arm/mach-pxa/include/mach/pxa27x.h
+index 599b925..1a42919 100644
+--- a/arch/arm/mach-pxa/include/mach/pxa27x.h
++++ b/arch/arm/mach-pxa/include/mach/pxa27x.h
+@@ -19,7 +19,7 @@
+ #define ARB_CORE_PARK (1<<24) /* Be parked with core when idle */
+ #define ARB_LOCK_FLAG (1<<23) /* Only Locking masters gain access to the bus */
+
+-extern int __init pxa27x_set_pwrmode(unsigned int mode);
++extern int pxa27x_set_pwrmode(unsigned int mode);
+ extern void pxa27x_cpu_pm_enter(suspend_state_t state);
+
+ #endif /* __MACH_PXA27x_H */
+diff --git a/arch/arm/mach-pxa/pxa27x.c b/arch/arm/mach-pxa/pxa27x.c
+index b5abdeb..aa97547 100644
+--- a/arch/arm/mach-pxa/pxa27x.c
++++ b/arch/arm/mach-pxa/pxa27x.c
+@@ -84,7 +84,7 @@ EXPORT_SYMBOL_GPL(pxa27x_configure_ac97reset);
+ */
+ static unsigned int pwrmode = PWRMODE_SLEEP;
+
+-int __init pxa27x_set_pwrmode(unsigned int mode)
++int pxa27x_set_pwrmode(unsigned int mode)
+ {
+ switch (mode) {
+ case PWRMODE_SLEEP:
+diff --git a/arch/arm/mach-tegra/board-paz00.c b/arch/arm/mach-tegra/board-paz00.c
+index fbe74c6..49d1110 100644
+--- a/arch/arm/mach-tegra/board-paz00.c
++++ b/arch/arm/mach-tegra/board-paz00.c
+@@ -39,8 +39,8 @@ static struct platform_device wifi_rfkill_device = {
+ static struct gpiod_lookup_table wifi_gpio_lookup = {
+ .dev_id = "rfkill_gpio",
+ .table = {
+- GPIO_LOOKUP_IDX("tegra-gpio", 25, NULL, 0, 0),
+- GPIO_LOOKUP_IDX("tegra-gpio", 85, NULL, 1, 0),
++ GPIO_LOOKUP("tegra-gpio", 25, "reset", 0),
++ GPIO_LOOKUP("tegra-gpio", 85, "shutdown", 0),
+ { },
+ },
+ };
+diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
+index cba12f3..25ecc6a 100644
+--- a/arch/arm/mm/dma-mapping.c
++++ b/arch/arm/mm/dma-mapping.c
+@@ -1413,12 +1413,19 @@ static int arm_iommu_mmap_attrs(struct device *dev, struct vm_area_struct *vma,
+ unsigned long uaddr = vma->vm_start;
+ unsigned long usize = vma->vm_end - vma->vm_start;
+ struct page **pages = __iommu_get_pages(cpu_addr, attrs);
++ unsigned long nr_pages = PAGE_ALIGN(size) >> PAGE_SHIFT;
++ unsigned long off = vma->vm_pgoff;
+
+ vma->vm_page_prot = __get_dma_pgprot(attrs, vma->vm_page_prot);
+
+ if (!pages)
+ return -ENXIO;
+
++ if (off >= nr_pages || (usize >> PAGE_SHIFT) > nr_pages - off)
++ return -ENXIO;
++
++ pages += off;
++
+ do {
+ int ret = vm_insert_page(vma, uaddr, *pages++);
+ if (ret) {
+diff --git a/arch/arm64/include/asm/irq.h b/arch/arm64/include/asm/irq.h
+index bbb251b..8b9bf54 100644
+--- a/arch/arm64/include/asm/irq.h
++++ b/arch/arm64/include/asm/irq.h
+@@ -21,4 +21,9 @@ static inline void acpi_irq_init(void)
+ }
+ #define acpi_irq_init acpi_irq_init
+
++static inline int nr_legacy_irqs(void)
++{
++ return 0;
++}
++
+ #endif
+diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
+index d6dd9fd..d4264bb 100644
+--- a/arch/arm64/include/asm/ptrace.h
++++ b/arch/arm64/include/asm/ptrace.h
+@@ -83,14 +83,14 @@
+ #define compat_sp regs[13]
+ #define compat_lr regs[14]
+ #define compat_sp_hyp regs[15]
+-#define compat_sp_irq regs[16]
+-#define compat_lr_irq regs[17]
+-#define compat_sp_svc regs[18]
+-#define compat_lr_svc regs[19]
+-#define compat_sp_abt regs[20]
+-#define compat_lr_abt regs[21]
+-#define compat_sp_und regs[22]
+-#define compat_lr_und regs[23]
++#define compat_lr_irq regs[16]
++#define compat_sp_irq regs[17]
++#define compat_lr_svc regs[18]
++#define compat_sp_svc regs[19]
++#define compat_lr_abt regs[20]
++#define compat_sp_abt regs[21]
++#define compat_lr_und regs[22]
++#define compat_sp_und regs[23]
+ #define compat_r8_fiq regs[24]
+ #define compat_r9_fiq regs[25]
+ #define compat_r10_fiq regs[26]
+diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
+index 9807333..4d77757 100644
+--- a/arch/arm64/kernel/vmlinux.lds.S
++++ b/arch/arm64/kernel/vmlinux.lds.S
+@@ -60,9 +60,12 @@ PECOFF_FILE_ALIGNMENT = 0x200;
+ #define PECOFF_EDATA_PADDING
+ #endif
+
+-#ifdef CONFIG_DEBUG_ALIGN_RODATA
++#if defined(CONFIG_DEBUG_ALIGN_RODATA)
+ #define ALIGN_DEBUG_RO . = ALIGN(1<<SECTION_SHIFT);
+ #define ALIGN_DEBUG_RO_MIN(min) ALIGN_DEBUG_RO
++#elif defined(CONFIG_DEBUG_RODATA)
++#define ALIGN_DEBUG_RO . = ALIGN(1<<PAGE_SHIFT);
++#define ALIGN_DEBUG_RO_MIN(min) ALIGN_DEBUG_RO
+ #else
+ #define ALIGN_DEBUG_RO
+ #define ALIGN_DEBUG_RO_MIN(min) . = ALIGN(min);
+diff --git a/arch/mips/ath79/setup.c b/arch/mips/ath79/setup.c
+index 1ba2120..9a00137 100644
+--- a/arch/mips/ath79/setup.c
++++ b/arch/mips/ath79/setup.c
+@@ -216,9 +216,9 @@ void __init plat_mem_setup(void)
+ AR71XX_RESET_SIZE);
+ ath79_pll_base = ioremap_nocache(AR71XX_PLL_BASE,
+ AR71XX_PLL_SIZE);
++ ath79_detect_sys_type();
+ ath79_ddr_ctrl_init();
+
+- ath79_detect_sys_type();
+ if (mips_machtype != ATH79_MACH_GENERIC_OF)
+ detect_memory_region(0, ATH79_MEM_SIZE_MIN, ATH79_MEM_SIZE_MAX);
+
+diff --git a/arch/mips/include/asm/cdmm.h b/arch/mips/include/asm/cdmm.h
+index 16e22ce..85dc4ce 100644
+--- a/arch/mips/include/asm/cdmm.h
++++ b/arch/mips/include/asm/cdmm.h
+@@ -84,6 +84,17 @@ void mips_cdmm_driver_unregister(struct mips_cdmm_driver *);
+ module_driver(__mips_cdmm_driver, mips_cdmm_driver_register, \
+ mips_cdmm_driver_unregister)
+
++/*
++ * builtin_mips_cdmm_driver() - Helper macro for drivers that don't do anything
++ * special in init and have no exit. This eliminates some boilerplate. Each
++ * driver may only use this macro once, and calling it replaces device_initcall
++ * (or in some cases, the legacy __initcall). This is meant to be a direct
++ * parallel of module_mips_cdmm_driver() above but without the __exit stuff that
++ * is not used for builtin cases.
++ */
++#define builtin_mips_cdmm_driver(__mips_cdmm_driver) \
++ builtin_driver(__mips_cdmm_driver, mips_cdmm_driver_register)
++
+ /* drivers/tty/mips_ejtag_fdc.c */
+
+ #ifdef CONFIG_MIPS_EJTAG_FDC_EARLYCON
+diff --git a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c
+index d5fa3ea..41b1b09 100644
+--- a/arch/mips/kvm/emulate.c
++++ b/arch/mips/kvm/emulate.c
+@@ -1581,7 +1581,7 @@ enum emulation_result kvm_mips_emulate_cache(uint32_t inst, uint32_t *opc,
+
+ base = (inst >> 21) & 0x1f;
+ op_inst = (inst >> 16) & 0x1f;
+- offset = inst & 0xffff;
++ offset = (int16_t)inst;
+ cache = (inst >> 16) & 0x3;
+ op = (inst >> 18) & 0x7;
+
+diff --git a/arch/mips/kvm/locore.S b/arch/mips/kvm/locore.S
+index c567240..d1ee95a 100644
+--- a/arch/mips/kvm/locore.S
++++ b/arch/mips/kvm/locore.S
+@@ -165,9 +165,11 @@ FEXPORT(__kvm_mips_vcpu_run)
+
+ FEXPORT(__kvm_mips_load_asid)
+ /* Set the ASID for the Guest Kernel */
+- INT_SLL t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */
+- /* addresses shift to 0x80000000 */
+- bltz t0, 1f /* If kernel */
++ PTR_L t0, VCPU_COP0(k1)
++ LONG_L t0, COP0_STATUS(t0)
++ andi t0, KSU_USER | ST0_ERL | ST0_EXL
++ xori t0, KSU_USER
++ bnez t0, 1f /* If kernel */
+ INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */
+ INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID /* else user */
+ 1:
+@@ -482,9 +484,11 @@ __kvm_mips_return_to_guest:
+ mtc0 t0, CP0_EPC
+
+ /* Set the ASID for the Guest Kernel */
+- INT_SLL t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */
+- /* addresses shift to 0x80000000 */
+- bltz t0, 1f /* If kernel */
++ PTR_L t0, VCPU_COP0(k1)
++ LONG_L t0, COP0_STATUS(t0)
++ andi t0, KSU_USER | ST0_ERL | ST0_EXL
++ xori t0, KSU_USER
++ bnez t0, 1f /* If kernel */
+ INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */
+ INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID /* else user */
+ 1:
+diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c
+index cd4c129..bafb32b 100644
+--- a/arch/mips/kvm/mips.c
++++ b/arch/mips/kvm/mips.c
+@@ -278,7 +278,7 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id)
+
+ if (!gebase) {
+ err = -ENOMEM;
+- goto out_free_cpu;
++ goto out_uninit_cpu;
+ }
+ kvm_debug("Allocated %d bytes for KVM Exception Handlers @ %p\n",
+ ALIGN(size, PAGE_SIZE), gebase);
+@@ -342,6 +342,9 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id)
+ out_free_gebase:
+ kfree(gebase);
+
++out_uninit_cpu:
++ kvm_vcpu_uninit(vcpu);
++
+ out_free_cpu:
+ kfree(vcpu);
+
+diff --git a/arch/mips/lantiq/clk.c b/arch/mips/lantiq/clk.c
+index 3fc2e6d..a0706fd 100644
+--- a/arch/mips/lantiq/clk.c
++++ b/arch/mips/lantiq/clk.c
+@@ -99,6 +99,23 @@ int clk_set_rate(struct clk *clk, unsigned long rate)
+ }
+ EXPORT_SYMBOL(clk_set_rate);
+
++long clk_round_rate(struct clk *clk, unsigned long rate)
++{
++ if (unlikely(!clk_good(clk)))
++ return 0;
++ if (clk->rates && *clk->rates) {
++ unsigned long *r = clk->rates;
++
++ while (*r && (*r != rate))
++ r++;
++ if (!*r) {
++ return clk->rate;
++ }
++ }
++ return rate;
++}
++EXPORT_SYMBOL(clk_round_rate);
++
+ int clk_enable(struct clk *clk)
+ {
+ if (unlikely(!clk_good(clk)))
+diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c
+index c98d897..cbee788 100644
+--- a/arch/s390/kvm/interrupt.c
++++ b/arch/s390/kvm/interrupt.c
+@@ -1051,8 +1051,7 @@ static int __inject_extcall(struct kvm_vcpu *vcpu, struct kvm_s390_irq *irq)
+ src_id, 0, 2);
+
+ /* sending vcpu invalid */
+- if (src_id >= KVM_MAX_VCPUS ||
+- kvm_get_vcpu(vcpu->kvm, src_id) == NULL)
++ if (kvm_get_vcpu_by_id(vcpu->kvm, src_id) == NULL)
+ return -EINVAL;
+
+ if (sclp.has_sigpif)
+@@ -1131,6 +1130,10 @@ static int __inject_sigp_emergency(struct kvm_vcpu *vcpu,
+ trace_kvm_s390_inject_vcpu(vcpu->vcpu_id, KVM_S390_INT_EMERGENCY,
+ irq->u.emerg.code, 0, 2);
+
++ /* sending vcpu invalid */
++ if (kvm_get_vcpu_by_id(vcpu->kvm, irq->u.emerg.code) == NULL)
++ return -EINVAL;
++
+ set_bit(irq->u.emerg.code, li->sigp_emerg_pending);
+ set_bit(IRQ_PEND_EXT_EMERGENCY, &li->pending_irqs);
+ atomic_set_mask(CPUSTAT_EXT_INT, li->cpuflags);
+diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
+index f32f843..4a001c1 100644
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -289,12 +289,16 @@ static int kvm_vm_ioctl_enable_cap(struct kvm *kvm, struct kvm_enable_cap *cap)
+ r = 0;
+ break;
+ case KVM_CAP_S390_VECTOR_REGISTERS:
+- if (MACHINE_HAS_VX) {
++ mutex_lock(&kvm->lock);
++ if (atomic_read(&kvm->online_vcpus)) {
++ r = -EBUSY;
++ } else if (MACHINE_HAS_VX) {
+ set_kvm_facility(kvm->arch.model.fac->mask, 129);
+ set_kvm_facility(kvm->arch.model.fac->list, 129);
+ r = 0;
+ } else
+ r = -EINVAL;
++ mutex_unlock(&kvm->lock);
+ break;
+ case KVM_CAP_S390_USER_STSI:
+ kvm->arch.user_stsi = 1;
+@@ -1037,7 +1041,9 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
+ if (!kvm->arch.sca)
+ goto out_err;
+ spin_lock(&kvm_lock);
+- sca_offset = (sca_offset + 16) & 0x7f0;
++ sca_offset += 16;
++ if (sca_offset + sizeof(struct sca_block) > PAGE_SIZE)
++ sca_offset = 0;
+ kvm->arch.sca = (struct sca_block *) ((char *) kvm->arch.sca + sca_offset);
+ spin_unlock(&kvm_lock);
+
+diff --git a/arch/s390/kvm/sigp.c b/arch/s390/kvm/sigp.c
+index 72e58bd..7171056 100644
+--- a/arch/s390/kvm/sigp.c
++++ b/arch/s390/kvm/sigp.c
+@@ -294,12 +294,8 @@ static int handle_sigp_dst(struct kvm_vcpu *vcpu, u8 order_code,
+ u16 cpu_addr, u32 parameter, u64 *status_reg)
+ {
+ int rc;
+- struct kvm_vcpu *dst_vcpu;
++ struct kvm_vcpu *dst_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr);
+
+- if (cpu_addr >= KVM_MAX_VCPUS)
+- return SIGP_CC_NOT_OPERATIONAL;
+-
+- dst_vcpu = kvm_get_vcpu(vcpu->kvm, cpu_addr);
+ if (!dst_vcpu)
+ return SIGP_CC_NOT_OPERATIONAL;
+
+@@ -481,7 +477,7 @@ int kvm_s390_handle_sigp_pei(struct kvm_vcpu *vcpu)
+ trace_kvm_s390_handle_sigp_pei(vcpu, order_code, cpu_addr);
+
+ if (order_code == SIGP_EXTERNAL_CALL) {
+- dest_vcpu = kvm_get_vcpu(vcpu->kvm, cpu_addr);
++ dest_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr);
+ BUG_ON(dest_vcpu == NULL);
+
+ kvm_s390_vcpu_wakeup(dest_vcpu);
+diff --git a/arch/tile/kernel/usb.c b/arch/tile/kernel/usb.c
+index f0da5a2..9f1e05e 100644
+--- a/arch/tile/kernel/usb.c
++++ b/arch/tile/kernel/usb.c
+@@ -22,6 +22,7 @@
+ #include <linux/platform_device.h>
+ #include <linux/usb/tilegx.h>
+ #include <linux/init.h>
++#include <linux/module.h>
+ #include <linux/types.h>
+
+ static u64 ehci_dmamask = DMA_BIT_MASK(32);
+diff --git a/arch/x86/include/asm/i8259.h b/arch/x86/include/asm/i8259.h
+index ccffa53..39bcefc 100644
+--- a/arch/x86/include/asm/i8259.h
++++ b/arch/x86/include/asm/i8259.h
+@@ -60,6 +60,7 @@ struct legacy_pic {
+ void (*mask_all)(void);
+ void (*restore_mask)(void);
+ void (*init)(int auto_eoi);
++ int (*probe)(void);
+ int (*irq_pending)(unsigned int irq);
+ void (*make_irq)(unsigned int irq);
+ };
+diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
+index e16466e..e9cd7be 100644
+--- a/arch/x86/include/asm/kvm_emulate.h
++++ b/arch/x86/include/asm/kvm_emulate.h
+@@ -112,6 +112,16 @@ struct x86_emulate_ops {
+ struct x86_exception *fault);
+
+ /*
++ * read_phys: Read bytes of standard (non-emulated/special) memory.
++ * Used for descriptor reading.
++ * @addr: [IN ] Physical address from which to read.
++ * @val: [OUT] Value read from memory.
++ * @bytes: [IN ] Number of bytes to read from memory.
++ */
++ int (*read_phys)(struct x86_emulate_ctxt *ctxt, unsigned long addr,
++ void *val, unsigned int bytes);
++
++ /*
+ * write_std: Write bytes of standard (non-emulated/special) memory.
+ * Used for descriptor writing.
+ * @addr: [IN ] Linear address to which to write.
+diff --git a/arch/x86/include/uapi/asm/svm.h b/arch/x86/include/uapi/asm/svm.h
+index b5d7640..8a4add8 100644
+--- a/arch/x86/include/uapi/asm/svm.h
++++ b/arch/x86/include/uapi/asm/svm.h
+@@ -100,6 +100,7 @@
+ { SVM_EXIT_EXCP_BASE + UD_VECTOR, "UD excp" }, \
+ { SVM_EXIT_EXCP_BASE + PF_VECTOR, "PF excp" }, \
+ { SVM_EXIT_EXCP_BASE + NM_VECTOR, "NM excp" }, \
++ { SVM_EXIT_EXCP_BASE + AC_VECTOR, "AC excp" }, \
+ { SVM_EXIT_EXCP_BASE + MC_VECTOR, "MC excp" }, \
+ { SVM_EXIT_INTR, "interrupt" }, \
+ { SVM_EXIT_NMI, "nmi" }, \
+diff --git a/arch/x86/kernel/apic/vector.c b/arch/x86/kernel/apic/vector.c
+index 2683f36..ea4ba83 100644
+--- a/arch/x86/kernel/apic/vector.c
++++ b/arch/x86/kernel/apic/vector.c
+@@ -360,7 +360,11 @@ int __init arch_probe_nr_irqs(void)
+ if (nr < nr_irqs)
+ nr_irqs = nr;
+
+- return nr_legacy_irqs();
++ /*
++ * We don't know if PIC is present at this point so we need to do
++ * probe() to get the right number of legacy IRQs.
++ */
++ return legacy_pic->probe();
+ }
+
+ #ifdef CONFIG_X86_IO_APIC
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index cb9e5df..e4f929d 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -272,10 +272,9 @@ __setup("nosmap", setup_disable_smap);
+
+ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
+ {
+- unsigned long eflags;
++ unsigned long eflags = native_save_fl();
+
+ /* This should have been cleared long ago */
+- raw_local_save_flags(eflags);
+ BUG_ON(eflags & X86_EFLAGS_AC);
+
+ if (cpu_has(c, X86_FEATURE_SMAP)) {
+diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
+index 50ec9af..6545e6d 100644
+--- a/arch/x86/kernel/fpu/signal.c
++++ b/arch/x86/kernel/fpu/signal.c
+@@ -385,20 +385,19 @@ fpu__alloc_mathframe(unsigned long sp, int ia32_frame,
+ */
+ void fpu__init_prepare_fx_sw_frame(void)
+ {
+- int fsave_header_size = sizeof(struct fregs_state);
+ int size = xstate_size + FP_XSTATE_MAGIC2_SIZE;
+
+- if (config_enabled(CONFIG_X86_32))
+- size += fsave_header_size;
+-
+ fx_sw_reserved.magic1 = FP_XSTATE_MAGIC1;
+ fx_sw_reserved.extended_size = size;
+ fx_sw_reserved.xfeatures = xfeatures_mask;
+ fx_sw_reserved.xstate_size = xstate_size;
+
+- if (config_enabled(CONFIG_IA32_EMULATION)) {
++ if (config_enabled(CONFIG_IA32_EMULATION) ||
++ config_enabled(CONFIG_X86_32)) {
++ int fsave_header_size = sizeof(struct fregs_state);
++
+ fx_sw_reserved_ia32 = fx_sw_reserved;
+- fx_sw_reserved_ia32.extended_size += fsave_header_size;
++ fx_sw_reserved_ia32.extended_size = size + fsave_header_size;
+ }
+ }
+
+diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
+index 62fc001..2c4ac07 100644
+--- a/arch/x86/kernel/fpu/xstate.c
++++ b/arch/x86/kernel/fpu/xstate.c
+@@ -402,7 +402,6 @@ void *get_xsave_addr(struct xregs_state *xsave, int xstate_feature)
+ if (!boot_cpu_has(X86_FEATURE_XSAVE))
+ return NULL;
+
+- xsave = &current->thread.fpu.state.xsave;
+ /*
+ * We should not ever be requesting features that we
+ * have not enabled. Remember that pcntxt_mask is
+diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
+index 1d40ca8..ffdc0e8 100644
+--- a/arch/x86/kernel/head_64.S
++++ b/arch/x86/kernel/head_64.S
+@@ -65,6 +65,9 @@ startup_64:
+ * tables and then reload them.
+ */
+
++ /* Sanitize CPU configuration */
++ call verify_cpu
++
+ /*
+ * Compute the delta between the address I am compiled to run at and the
+ * address I am actually running at.
+@@ -174,6 +177,9 @@ ENTRY(secondary_startup_64)
+ * after the boot processor executes this code.
+ */
+
++ /* Sanitize CPU configuration */
++ call verify_cpu
++
+ movq $(init_level4_pgt - __START_KERNEL_map), %rax
+ 1:
+
+@@ -288,6 +294,8 @@ ENTRY(secondary_startup_64)
+ pushq %rax # target address in negative space
+ lretq
+
++#include "verify_cpu.S"
++
+ #ifdef CONFIG_HOTPLUG_CPU
+ /*
+ * Boot CPU0 entry point. It's called from play_dead(). Everything has been set
+diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c
+index 16cb827..be22f5a 100644
+--- a/arch/x86/kernel/i8259.c
++++ b/arch/x86/kernel/i8259.c
+@@ -295,16 +295,11 @@ static void unmask_8259A(void)
+ raw_spin_unlock_irqrestore(&i8259A_lock, flags);
+ }
+
+-static void init_8259A(int auto_eoi)
++static int probe_8259A(void)
+ {
+ unsigned long flags;
+ unsigned char probe_val = ~(1 << PIC_CASCADE_IR);
+ unsigned char new_val;
+-
+- i8259A_auto_eoi = auto_eoi;
+-
+- raw_spin_lock_irqsave(&i8259A_lock, flags);
+-
+ /*
+ * Check to see if we have a PIC.
+ * Mask all except the cascade and read
+@@ -312,16 +307,28 @@ static void init_8259A(int auto_eoi)
+ * have a PIC, we will read 0xff as opposed to the
+ * value we wrote.
+ */
++ raw_spin_lock_irqsave(&i8259A_lock, flags);
++
+ outb(0xff, PIC_SLAVE_IMR); /* mask all of 8259A-2 */
+ outb(probe_val, PIC_MASTER_IMR);
+ new_val = inb(PIC_MASTER_IMR);
+ if (new_val != probe_val) {
+ printk(KERN_INFO "Using NULL legacy PIC\n");
+ legacy_pic = &null_legacy_pic;
+- raw_spin_unlock_irqrestore(&i8259A_lock, flags);
+- return;
+ }
+
++ raw_spin_unlock_irqrestore(&i8259A_lock, flags);
++ return nr_legacy_irqs();
++}
++
++static void init_8259A(int auto_eoi)
++{
++ unsigned long flags;
++
++ i8259A_auto_eoi = auto_eoi;
++
++ raw_spin_lock_irqsave(&i8259A_lock, flags);
++
+ outb(0xff, PIC_MASTER_IMR); /* mask all of 8259A-1 */
+
+ /*
+@@ -379,6 +386,10 @@ static int legacy_pic_irq_pending_noop(unsigned int irq)
+ {
+ return 0;
+ }
++static int legacy_pic_probe(void)
++{
++ return 0;
++}
+
+ struct legacy_pic null_legacy_pic = {
+ .nr_legacy_irqs = 0,
+@@ -388,6 +399,7 @@ struct legacy_pic null_legacy_pic = {
+ .mask_all = legacy_pic_noop,
+ .restore_mask = legacy_pic_noop,
+ .init = legacy_pic_int_noop,
++ .probe = legacy_pic_probe,
+ .irq_pending = legacy_pic_irq_pending_noop,
+ .make_irq = legacy_pic_uint_noop,
+ };
+@@ -400,6 +412,7 @@ struct legacy_pic default_legacy_pic = {
+ .mask_all = mask_8259A,
+ .restore_mask = unmask_8259A,
+ .init = init_8259A,
++ .probe = probe_8259A,
+ .irq_pending = i8259A_irq_pending,
+ .make_irq = make_8259A_irq,
+ };
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index 80f874b..1e6f70f 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1198,6 +1198,14 @@ void __init setup_arch(char **cmdline_p)
+ clone_pgd_range(initial_page_table + KERNEL_PGD_BOUNDARY,
+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
+ KERNEL_PGD_PTRS);
++
++ /*
++ * sync back low identity map too. It is used for example
++ * in the 32-bit EFI stub.
++ */
++ clone_pgd_range(initial_page_table,
++ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
++ min(KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
+ #endif
+
+ tboot_probe();
+diff --git a/arch/x86/kernel/verify_cpu.S b/arch/x86/kernel/verify_cpu.S
+index b9242ba..4cf401f 100644
+--- a/arch/x86/kernel/verify_cpu.S
++++ b/arch/x86/kernel/verify_cpu.S
+@@ -34,10 +34,11 @@
+ #include <asm/msr-index.h>
+
+ verify_cpu:
+- pushfl # Save caller passed flags
+- pushl $0 # Kill any dangerous flags
+- popfl
++ pushf # Save caller passed flags
++ push $0 # Kill any dangerous flags
++ popf
+
++#ifndef __x86_64__
+ pushfl # standard way to check for cpuid
+ popl %eax
+ movl %eax,%ebx
+@@ -48,6 +49,7 @@ verify_cpu:
+ popl %eax
+ cmpl %eax,%ebx
+ jz verify_cpu_no_longmode # cpu has no cpuid
++#endif
+
+ movl $0x0,%eax # See if cpuid 1 is implemented
+ cpuid
+@@ -130,10 +132,10 @@ verify_cpu_sse_test:
+ jmp verify_cpu_sse_test # try again
+
+ verify_cpu_no_longmode:
+- popfl # Restore caller passed flags
++ popf # Restore caller passed flags
+ movl $1,%eax
+ ret
+ verify_cpu_sse_ok:
+- popfl # Restore caller passed flags
++ popf # Restore caller passed flags
+ xorl %eax, %eax
+ ret
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index 2392541a..f17c342 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -2272,8 +2272,8 @@ static int emulator_has_longmode(struct x86_emulate_ctxt *ctxt)
+ #define GET_SMSTATE(type, smbase, offset) \
+ ({ \
+ type __val; \
+- int r = ctxt->ops->read_std(ctxt, smbase + offset, &__val, \
+- sizeof(__val), NULL); \
++ int r = ctxt->ops->read_phys(ctxt, smbase + offset, &__val, \
++ sizeof(__val)); \
+ if (r != X86EMUL_CONTINUE) \
+ return X86EMUL_UNHANDLEABLE; \
+ __val; \
+@@ -2484,17 +2484,36 @@ static int em_rsm(struct x86_emulate_ctxt *ctxt)
+
+ /*
+ * Get back to real mode, to prepare a safe state in which to load
+- * CR0/CR3/CR4/EFER. Also this will ensure that addresses passed
+- * to read_std/write_std are not virtual.
+- *
+- * CR4.PCIDE must be zero, because it is a 64-bit mode only feature.
++ * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU
++ * supports long mode.
+ */
++ cr4 = ctxt->ops->get_cr(ctxt, 4);
++ if (emulator_has_longmode(ctxt)) {
++ struct desc_struct cs_desc;
++
++ /* Zero CR4.PCIDE before CR0.PG. */
++ if (cr4 & X86_CR4_PCIDE) {
++ ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE);
++ cr4 &= ~X86_CR4_PCIDE;
++ }
++
++ /* A 32-bit code segment is required to clear EFER.LMA. */
++ memset(&cs_desc, 0, sizeof(cs_desc));
++ cs_desc.type = 0xb;
++ cs_desc.s = cs_desc.g = cs_desc.p = 1;
++ ctxt->ops->set_segment(ctxt, 0, &cs_desc, 0, VCPU_SREG_CS);
++ }
++
++ /* For the 64-bit case, this will clear EFER.LMA. */
+ cr0 = ctxt->ops->get_cr(ctxt, 0);
+ if (cr0 & X86_CR0_PE)
+ ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE));
+- cr4 = ctxt->ops->get_cr(ctxt, 4);
++
++ /* Now clear CR4.PAE (which must be done before clearing EFER.LME). */
+ if (cr4 & X86_CR4_PAE)
+ ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE);
++
++ /* And finally go back to 32-bit mode. */
+ efer = 0;
+ ctxt->ops->set_msr(ctxt, MSR_EFER, efer);
+
+@@ -4455,7 +4474,7 @@ static const struct opcode twobyte_table[256] = {
+ F(DstMem | SrcReg | Src2CL | ModRM, em_shld), N, N,
+ /* 0xA8 - 0xAF */
+ I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg),
+- II(No64 | EmulateOnUD | ImplicitOps, em_rsm, rsm),
++ II(EmulateOnUD | ImplicitOps, em_rsm, rsm),
+ F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
+ F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd),
+ F(DstMem | SrcReg | Src2CL | ModRM, em_shrd),
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index 2a5ca97..236e346 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -348,6 +348,8 @@ void kvm_apic_update_irr(struct kvm_vcpu *vcpu, u32 *pir)
+ struct kvm_lapic *apic = vcpu->arch.apic;
+
+ __kvm_apic_update_irr(pir, apic->regs);
++
++ kvm_make_request(KVM_REQ_EVENT, vcpu);
+ }
+ EXPORT_SYMBOL_GPL(kvm_apic_update_irr);
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index 2d32b67..00da6e8 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -1085,7 +1085,7 @@ static u64 svm_compute_tsc_offset(struct kvm_vcpu *vcpu, u64 target_tsc)
+ return target_tsc - tsc;
+ }
+
+-static void init_vmcb(struct vcpu_svm *svm, bool init_event)
++static void init_vmcb(struct vcpu_svm *svm)
+ {
+ struct vmcb_control_area *control = &svm->vmcb->control;
+ struct vmcb_save_area *save = &svm->vmcb->save;
+@@ -1106,6 +1106,7 @@ static void init_vmcb(struct vcpu_svm *svm, bool init_event)
+ set_exception_intercept(svm, PF_VECTOR);
+ set_exception_intercept(svm, UD_VECTOR);
+ set_exception_intercept(svm, MC_VECTOR);
++ set_exception_intercept(svm, AC_VECTOR);
+
+ set_intercept(svm, INTERCEPT_INTR);
+ set_intercept(svm, INTERCEPT_NMI);
+@@ -1156,8 +1157,7 @@ static void init_vmcb(struct vcpu_svm *svm, bool init_event)
+ init_sys_seg(&save->ldtr, SEG_TYPE_LDT);
+ init_sys_seg(&save->tr, SEG_TYPE_BUSY_TSS16);
+
+- if (!init_event)
+- svm_set_efer(&svm->vcpu, 0);
++ svm_set_efer(&svm->vcpu, 0);
+ save->dr6 = 0xffff0ff0;
+ kvm_set_rflags(&svm->vcpu, 2);
+ save->rip = 0x0000fff0;
+@@ -1211,7 +1211,7 @@ static void svm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
+ if (kvm_vcpu_is_reset_bsp(&svm->vcpu))
+ svm->vcpu.arch.apic_base |= MSR_IA32_APICBASE_BSP;
+ }
+- init_vmcb(svm, init_event);
++ init_vmcb(svm);
+
+ kvm_cpuid(vcpu, &eax, &dummy, &dummy, &dummy);
+ kvm_register_write(vcpu, VCPU_REGS_RDX, eax);
+@@ -1267,7 +1267,7 @@ static struct kvm_vcpu *svm_create_vcpu(struct kvm *kvm, unsigned int id)
+ clear_page(svm->vmcb);
+ svm->vmcb_pa = page_to_pfn(page) << PAGE_SHIFT;
+ svm->asid_generation = 0;
+- init_vmcb(svm, false);
++ init_vmcb(svm);
+
+ svm_init_osvw(&svm->vcpu);
+
+@@ -1795,6 +1795,12 @@ static int ud_interception(struct vcpu_svm *svm)
+ return 1;
+ }
+
++static int ac_interception(struct vcpu_svm *svm)
++{
++ kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0);
++ return 1;
++}
++
+ static void svm_fpu_activate(struct kvm_vcpu *vcpu)
+ {
+ struct vcpu_svm *svm = to_svm(vcpu);
+@@ -1889,7 +1895,7 @@ static int shutdown_interception(struct vcpu_svm *svm)
+ * so reinitialize it.
+ */
+ clear_page(svm->vmcb);
+- init_vmcb(svm, false);
++ init_vmcb(svm);
+
+ kvm_run->exit_reason = KVM_EXIT_SHUTDOWN;
+ return 0;
+@@ -3369,6 +3375,7 @@ static int (*const svm_exit_handlers[])(struct vcpu_svm *svm) = {
+ [SVM_EXIT_EXCP_BASE + PF_VECTOR] = pf_interception,
+ [SVM_EXIT_EXCP_BASE + NM_VECTOR] = nm_interception,
+ [SVM_EXIT_EXCP_BASE + MC_VECTOR] = mc_interception,
++ [SVM_EXIT_EXCP_BASE + AC_VECTOR] = ac_interception,
+ [SVM_EXIT_INTR] = intr_interception,
+ [SVM_EXIT_NMI] = nmi_interception,
+ [SVM_EXIT_SMI] = nop_on_interception,
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index aa9e822..e77d75b 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1567,7 +1567,7 @@ static void update_exception_bitmap(struct kvm_vcpu *vcpu)
+ u32 eb;
+
+ eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) |
+- (1u << NM_VECTOR) | (1u << DB_VECTOR);
++ (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR);
+ if ((vcpu->guest_debug &
+ (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) ==
+ (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP))
+@@ -4780,8 +4780,7 @@ static void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
+ vmx_set_cr0(vcpu, cr0); /* enter rmode */
+ vmx->vcpu.arch.cr0 = cr0;
+ vmx_set_cr4(vcpu, 0);
+- if (!init_event)
+- vmx_set_efer(vcpu, 0);
++ vmx_set_efer(vcpu, 0);
+ vmx_fpu_activate(vcpu);
+ update_exception_bitmap(vcpu);
+
+@@ -5118,6 +5117,9 @@ static int handle_exception(struct kvm_vcpu *vcpu)
+ return handle_rmode_exception(vcpu, ex_no, error_code);
+
+ switch (ex_no) {
++ case AC_VECTOR:
++ kvm_queue_exception_e(vcpu, AC_VECTOR, error_code);
++ return 1;
+ case DB_VECTOR:
+ dr6 = vmcs_readl(EXIT_QUALIFICATION);
+ if (!(vcpu->guest_debug &
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 373328b..2781e2b 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -621,7 +621,9 @@ int kvm_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0)
+ if ((cr0 ^ old_cr0) & update_bits)
+ kvm_mmu_reset_context(vcpu);
+
+- if ((cr0 ^ old_cr0) & X86_CR0_CD)
++ if (((cr0 ^ old_cr0) & X86_CR0_CD) &&
++ kvm_arch_has_noncoherent_dma(vcpu->kvm) &&
++ !kvm_check_has_quirk(vcpu->kvm, KVM_X86_QUIRK_CD_NW_CLEARED))
+ kvm_zap_gfn_range(vcpu->kvm, 0, ~0ULL);
+
+ return 0;
+@@ -4260,6 +4262,15 @@ static int kvm_read_guest_virt_system(struct x86_emulate_ctxt *ctxt,
+ return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, 0, exception);
+ }
+
++static int kvm_read_guest_phys_system(struct x86_emulate_ctxt *ctxt,
++ unsigned long addr, void *val, unsigned int bytes)
++{
++ struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
++ int r = kvm_vcpu_read_guest(vcpu, addr, val, bytes);
++
++ return r < 0 ? X86EMUL_IO_NEEDED : X86EMUL_CONTINUE;
++}
++
+ int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt,
+ gva_t addr, void *val,
+ unsigned int bytes,
+@@ -4995,6 +5006,7 @@ static const struct x86_emulate_ops emulate_ops = {
+ .write_gpr = emulator_write_gpr,
+ .read_std = kvm_read_guest_virt_system,
+ .write_std = kvm_write_guest_virt_system,
++ .read_phys = kvm_read_guest_phys_system,
+ .fetch = kvm_fetch_guest_virt,
+ .read_emulated = emulator_read_emulated,
+ .write_emulated = emulator_write_emulated,
+diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c
+index db1b0bc..c28f618 100644
+--- a/arch/x86/mm/mpx.c
++++ b/arch/x86/mm/mpx.c
+@@ -622,6 +622,29 @@ static unsigned long mpx_bd_entry_to_bt_addr(struct mm_struct *mm,
+ }
+
+ /*
++ * We only want to do a 4-byte get_user() on 32-bit. Otherwise,
++ * we might run off the end of the bounds table if we are on
++ * a 64-bit kernel and try to get 8 bytes.
++ */
++int get_user_bd_entry(struct mm_struct *mm, unsigned long *bd_entry_ret,
++ long __user *bd_entry_ptr)
++{
++ u32 bd_entry_32;
++ int ret;
++
++ if (is_64bit_mm(mm))
++ return get_user(*bd_entry_ret, bd_entry_ptr);
++
++ /*
++ * Note that get_user() uses the type of the *pointer* to
++ * establish the size of the get, not the destination.
++ */
++ ret = get_user(bd_entry_32, (u32 __user *)bd_entry_ptr);
++ *bd_entry_ret = bd_entry_32;
++ return ret;
++}
++
++/*
+ * Get the base of bounds tables pointed by specific bounds
+ * directory entry.
+ */
+@@ -641,7 +664,7 @@ static int get_bt_addr(struct mm_struct *mm,
+ int need_write = 0;
+
+ pagefault_disable();
+- ret = get_user(bd_entry, bd_entry_ptr);
++ ret = get_user_bd_entry(mm, &bd_entry, bd_entry_ptr);
+ pagefault_enable();
+ if (!ret)
+ break;
+@@ -736,11 +759,23 @@ static unsigned long mpx_get_bt_entry_offset_bytes(struct mm_struct *mm,
+ */
+ static inline unsigned long bd_entry_virt_space(struct mm_struct *mm)
+ {
+- unsigned long long virt_space = (1ULL << boot_cpu_data.x86_virt_bits);
+- if (is_64bit_mm(mm))
+- return virt_space / MPX_BD_NR_ENTRIES_64;
+- else
+- return virt_space / MPX_BD_NR_ENTRIES_32;
++ unsigned long long virt_space;
++ unsigned long long GB = (1ULL << 30);
++
++ /*
++ * This covers 32-bit emulation as well as 32-bit kernels
++ * running on 64-bit harware.
++ */
++ if (!is_64bit_mm(mm))
++ return (4ULL * GB) / MPX_BD_NR_ENTRIES_32;
++
++ /*
++ * 'x86_virt_bits' returns what the hardware is capable
++ * of, and returns the full >32-bit adddress space when
++ * running 32-bit kernels on 64-bit hardware.
++ */
++ virt_space = (1ULL << boot_cpu_data.x86_virt_bits);
++ return virt_space / MPX_BD_NR_ENTRIES_64;
+ }
+
+ /*
+diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
+index e527a3e..fa893c3 100644
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -93,6 +93,7 @@ static const struct usb_device_id ath3k_table[] = {
+ { USB_DEVICE(0x04CA, 0x300f) },
+ { USB_DEVICE(0x04CA, 0x3010) },
+ { USB_DEVICE(0x0930, 0x0219) },
++ { USB_DEVICE(0x0930, 0x021c) },
+ { USB_DEVICE(0x0930, 0x0220) },
+ { USB_DEVICE(0x0930, 0x0227) },
+ { USB_DEVICE(0x0b05, 0x17d0) },
+@@ -104,6 +105,7 @@ static const struct usb_device_id ath3k_table[] = {
+ { USB_DEVICE(0x0CF3, 0x311F) },
+ { USB_DEVICE(0x0cf3, 0x3121) },
+ { USB_DEVICE(0x0CF3, 0x817a) },
++ { USB_DEVICE(0x0CF3, 0x817b) },
+ { USB_DEVICE(0x0cf3, 0xe003) },
+ { USB_DEVICE(0x0CF3, 0xE004) },
+ { USB_DEVICE(0x0CF3, 0xE005) },
+@@ -153,6 +155,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = {
+ { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
+@@ -164,6 +167,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = {
+ { USB_DEVICE(0x0cf3, 0x311F), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0CF3, 0x817a), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0CF3, 0x817b), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe006), .driver_info = BTUSB_ATH3012 },
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index b4cf8d9..7d9b09f 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -192,6 +192,7 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
+@@ -203,6 +204,7 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0cf3, 0x817b), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
+diff --git a/drivers/clk/bcm/clk-iproc-pll.c b/drivers/clk/bcm/clk-iproc-pll.c
+index 2dda4e8..d679ab8 100644
+--- a/drivers/clk/bcm/clk-iproc-pll.c
++++ b/drivers/clk/bcm/clk-iproc-pll.c
+@@ -345,8 +345,8 @@ static unsigned long iproc_pll_recalc_rate(struct clk_hw *hw,
+ struct iproc_pll *pll = clk->pll;
+ const struct iproc_pll_ctrl *ctrl = pll->ctrl;
+ u32 val;
+- u64 ndiv;
+- unsigned int ndiv_int, ndiv_frac, pdiv;
++ u64 ndiv, ndiv_int, ndiv_frac;
++ unsigned int pdiv;
+
+ if (parent_rate == 0)
+ return 0;
+@@ -366,22 +366,19 @@ static unsigned long iproc_pll_recalc_rate(struct clk_hw *hw,
+ val = readl(pll->pll_base + ctrl->ndiv_int.offset);
+ ndiv_int = (val >> ctrl->ndiv_int.shift) &
+ bit_mask(ctrl->ndiv_int.width);
+- ndiv = (u64)ndiv_int << ctrl->ndiv_int.shift;
++ ndiv = ndiv_int << 20;
+
+ if (ctrl->flags & IPROC_CLK_PLL_HAS_NDIV_FRAC) {
+ val = readl(pll->pll_base + ctrl->ndiv_frac.offset);
+ ndiv_frac = (val >> ctrl->ndiv_frac.shift) &
+ bit_mask(ctrl->ndiv_frac.width);
+-
+- if (ndiv_frac != 0)
+- ndiv = ((u64)ndiv_int << ctrl->ndiv_int.shift) |
+- ndiv_frac;
++ ndiv += ndiv_frac;
+ }
+
+ val = readl(pll->pll_base + ctrl->pdiv.offset);
+ pdiv = (val >> ctrl->pdiv.shift) & bit_mask(ctrl->pdiv.width);
+
+- clk->rate = (ndiv * parent_rate) >> ctrl->ndiv_int.shift;
++ clk->rate = (ndiv * parent_rate) >> 20;
+
+ if (pdiv == 0)
+ clk->rate *= 2;
+diff --git a/drivers/clk/versatile/clk-icst.c b/drivers/clk/versatile/clk-icst.c
+index bc96f10..9064636 100644
+--- a/drivers/clk/versatile/clk-icst.c
++++ b/drivers/clk/versatile/clk-icst.c
+@@ -156,8 +156,10 @@ struct clk *icst_clk_register(struct device *dev,
+ icst->lockreg = base + desc->lock_offset;
+
+ clk = clk_register(dev, &icst->hw);
+- if (IS_ERR(clk))
++ if (IS_ERR(clk)) {
++ kfree(pclone);
+ kfree(icst);
++ }
+
+ return clk;
+ }
+diff --git a/drivers/mfd/twl6040.c b/drivers/mfd/twl6040.c
+index c5265c1..6aacd20 100644
+--- a/drivers/mfd/twl6040.c
++++ b/drivers/mfd/twl6040.c
+@@ -647,6 +647,8 @@ static int twl6040_probe(struct i2c_client *client,
+
+ twl6040->clk32k = devm_clk_get(&client->dev, "clk32k");
+ if (IS_ERR(twl6040->clk32k)) {
++ if (PTR_ERR(twl6040->clk32k) == -EPROBE_DEFER)
++ return -EPROBE_DEFER;
+ dev_info(&client->dev, "clk32k is not handled\n");
+ twl6040->clk32k = NULL;
+ }
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index a98dd4f..cbbb1c9 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1751,6 +1751,7 @@ err_undo_flags:
+ slave_dev->dev_addr))
+ eth_hw_addr_random(bond_dev);
+ if (bond_dev->type != ARPHRD_ETHER) {
++ dev_close(bond_dev);
+ ether_setup(bond_dev);
+ bond_dev->flags |= IFF_MASTER;
+ bond_dev->priv_flags &= ~IFF_TX_SKB_SHARING;
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
+index aede704..141c2a4 100644
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -915,7 +915,7 @@ static int can_fill_info(struct sk_buff *skb, const struct net_device *dev)
+ nla_put(skb, IFLA_CAN_BITTIMING_CONST,
+ sizeof(*priv->bittiming_const), priv->bittiming_const)) ||
+
+- nla_put(skb, IFLA_CAN_CLOCK, sizeof(cm), &priv->clock) ||
++ nla_put(skb, IFLA_CAN_CLOCK, sizeof(priv->clock), &priv->clock) ||
+ nla_put_u32(skb, IFLA_CAN_STATE, state) ||
+ nla_put(skb, IFLA_CAN_CTRLMODE, sizeof(cm), &cm) ||
+ nla_put_u32(skb, IFLA_CAN_RESTART_MS, priv->restart_ms) ||
+diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c
+index 7b92e91..f10834b 100644
+--- a/drivers/net/can/sja1000/sja1000.c
++++ b/drivers/net/can/sja1000/sja1000.c
+@@ -218,6 +218,9 @@ static void sja1000_start(struct net_device *dev)
+ priv->write_reg(priv, SJA1000_RXERR, 0x0);
+ priv->read_reg(priv, SJA1000_ECC);
+
++ /* clear interrupt flags */
++ priv->read_reg(priv, SJA1000_IR);
++
+ /* leave reset mode */
+ set_normal_mode(dev);
+ }
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
+index a4473d8..f672dba 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
+@@ -1595,7 +1595,7 @@ static void xgbe_dev_xmit(struct xgbe_channel *channel)
+ packet->rdesc_count, 1);
+
+ /* Make sure ownership is written to the descriptor */
+- dma_wmb();
++ smp_wmb();
+
+ ring->cur = cur_index + 1;
+ if (!packet->skb->xmit_more ||
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+index aae9d5e..dde0486 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+@@ -1807,6 +1807,7 @@ static int xgbe_tx_poll(struct xgbe_channel *channel)
+ struct netdev_queue *txq;
+ int processed = 0;
+ unsigned int tx_packets = 0, tx_bytes = 0;
++ unsigned int cur;
+
+ DBGPR("-->xgbe_tx_poll\n");
+
+@@ -1814,10 +1815,15 @@ static int xgbe_tx_poll(struct xgbe_channel *channel)
+ if (!ring)
+ return 0;
+
++ cur = ring->cur;
++
++ /* Be sure we get ring->cur before accessing descriptor data */
++ smp_rmb();
++
+ txq = netdev_get_tx_queue(netdev, channel->queue_index);
+
+ while ((processed < XGBE_TX_DESC_MAX_PROC) &&
+- (ring->dirty != ring->cur)) {
++ (ring->dirty != cur)) {
+ rdata = XGBE_GET_DESC_DATA(ring, ring->dirty);
+ rdesc = rdata->rdesc;
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index de63266d..5d1dde3 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -1775,7 +1775,7 @@ static int fec_enet_mdio_read(struct mii_bus *bus, int mii_id, int regnum)
+ int ret = 0;
+
+ ret = pm_runtime_get_sync(dev);
+- if (IS_ERR_VALUE(ret))
++ if (ret < 0)
+ return ret;
+
+ fep->mii_timeout = 0;
+@@ -1811,11 +1811,13 @@ static int fec_enet_mdio_write(struct mii_bus *bus, int mii_id, int regnum,
+ struct fec_enet_private *fep = bus->priv;
+ struct device *dev = &fep->pdev->dev;
+ unsigned long time_left;
+- int ret = 0;
++ int ret;
+
+ ret = pm_runtime_get_sync(dev);
+- if (IS_ERR_VALUE(ret))
++ if (ret < 0)
+ return ret;
++ else
++ ret = 0;
+
+ fep->mii_timeout = 0;
+ reinit_completion(&fep->mdio_done);
+@@ -2866,7 +2868,7 @@ fec_enet_open(struct net_device *ndev)
+ int ret;
+
+ ret = pm_runtime_get_sync(&fep->pdev->dev);
+- if (IS_ERR_VALUE(ret))
++ if (ret < 0)
+ return ret;
+
+ pinctrl_pm_select_default_state(&fep->pdev->dev);
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index 09ec32e..7e788073 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -949,7 +949,7 @@ static void mvneta_defaults_set(struct mvneta_port *pp)
+ /* Set CPU queue access map - all CPUs have access to all RX
+ * queues and to all TX queues
+ */
+- for (cpu = 0; cpu < CONFIG_NR_CPUS; cpu++)
++ for_each_present_cpu(cpu)
+ mvreg_write(pp, MVNETA_CPU_MAP(cpu),
+ (MVNETA_CPU_RXQ_ACCESS_ALL_MASK |
+ MVNETA_CPU_TXQ_ACCESS_ALL_MASK));
+@@ -1533,12 +1533,16 @@ static int mvneta_rx(struct mvneta_port *pp, int rx_todo,
+ }
+
+ skb = build_skb(data, pp->frag_size > PAGE_SIZE ? 0 : pp->frag_size);
+- if (!skb)
+- goto err_drop_frame;
+
++ /* After refill old buffer has to be unmapped regardless
++ * the skb is successfully built or not.
++ */
+ dma_unmap_single(dev->dev.parent, phys_addr,
+ MVNETA_RX_BUF_SIZE(pp->pkt_size), DMA_FROM_DEVICE);
+
++ if (!skb)
++ goto err_drop_frame;
++
+ rcvd_pkts++;
+ rcvd_bytes += rx_bytes;
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/cmd.c b/drivers/net/ethernet/mellanox/mlx4/cmd.c
+index 0a32020..2177e56 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c
+@@ -2398,7 +2398,7 @@ int mlx4_multi_func_init(struct mlx4_dev *dev)
+ }
+ }
+
+- memset(&priv->mfunc.master.cmd_eqe, 0, dev->caps.eqe_size);
++ memset(&priv->mfunc.master.cmd_eqe, 0, sizeof(struct mlx4_eqe));
+ priv->mfunc.master.cmd_eqe.type = MLX4_EVENT_TYPE_CMD;
+ INIT_WORK(&priv->mfunc.master.comm_work,
+ mlx4_master_comm_channel);
+diff --git a/drivers/net/ethernet/mellanox/mlx4/eq.c b/drivers/net/ethernet/mellanox/mlx4/eq.c
+index 8e81e53..ad8f95d 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/eq.c
++++ b/drivers/net/ethernet/mellanox/mlx4/eq.c
+@@ -196,7 +196,7 @@ static void slave_event(struct mlx4_dev *dev, u8 slave, struct mlx4_eqe *eqe)
+ return;
+ }
+
+- memcpy(s_eqe, eqe, dev->caps.eqe_size - 1);
++ memcpy(s_eqe, eqe, sizeof(struct mlx4_eqe) - 1);
+ s_eqe->slave_id = slave;
+ /* ensure all information is written before setting the ownersip bit */
+ dma_wmb();
+diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c
+index b1a4ea2..4dd18f4 100644
+--- a/drivers/net/ethernet/sfc/ef10.c
++++ b/drivers/net/ethernet/sfc/ef10.c
+@@ -1809,7 +1809,9 @@ static void efx_ef10_tx_write(struct efx_tx_queue *tx_queue)
+ unsigned int write_ptr;
+ efx_qword_t *txd;
+
+- BUG_ON(tx_queue->write_count == tx_queue->insert_count);
++ tx_queue->xmit_more_available = false;
++ if (unlikely(tx_queue->write_count == tx_queue->insert_count))
++ return;
+
+ do {
+ write_ptr = tx_queue->write_count & tx_queue->ptr_mask;
+diff --git a/drivers/net/ethernet/sfc/farch.c b/drivers/net/ethernet/sfc/farch.c
+index f08266f..5a1c5a8 100644
+--- a/drivers/net/ethernet/sfc/farch.c
++++ b/drivers/net/ethernet/sfc/farch.c
+@@ -321,7 +321,9 @@ void efx_farch_tx_write(struct efx_tx_queue *tx_queue)
+ unsigned write_ptr;
+ unsigned old_write_count = tx_queue->write_count;
+
+- BUG_ON(tx_queue->write_count == tx_queue->insert_count);
++ tx_queue->xmit_more_available = false;
++ if (unlikely(tx_queue->write_count == tx_queue->insert_count))
++ return;
+
+ do {
+ write_ptr = tx_queue->write_count & tx_queue->ptr_mask;
+diff --git a/drivers/net/ethernet/sfc/net_driver.h b/drivers/net/ethernet/sfc/net_driver.h
+index 47d1e3a..b8e8ce1 100644
+--- a/drivers/net/ethernet/sfc/net_driver.h
++++ b/drivers/net/ethernet/sfc/net_driver.h
+@@ -219,6 +219,7 @@ struct efx_tx_buffer {
+ * @tso_packets: Number of packets via the TSO xmit path
+ * @pushes: Number of times the TX push feature has been used
+ * @pio_packets: Number of times the TX PIO feature has been used
++ * @xmit_more_available: Are any packets waiting to be pushed to the NIC
+ * @empty_read_count: If the completion path has seen the queue as empty
+ * and the transmission path has not yet checked this, the value of
+ * @read_count bitwise-added to %EFX_EMPTY_COUNT_VALID; otherwise 0.
+@@ -253,6 +254,7 @@ struct efx_tx_queue {
+ unsigned int tso_packets;
+ unsigned int pushes;
+ unsigned int pio_packets;
++ bool xmit_more_available;
+ /* Statistics to supplement MAC stats */
+ unsigned long tx_packets;
+
+diff --git a/drivers/net/ethernet/sfc/tx.c b/drivers/net/ethernet/sfc/tx.c
+index 1833a01..67f6afa 100644
+--- a/drivers/net/ethernet/sfc/tx.c
++++ b/drivers/net/ethernet/sfc/tx.c
+@@ -431,8 +431,20 @@ finish_packet:
+ efx_tx_maybe_stop_queue(tx_queue);
+
+ /* Pass off to hardware */
+- if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq))
++ if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq)) {
++ struct efx_tx_queue *txq2 = efx_tx_queue_partner(tx_queue);
++
++ /* There could be packets left on the partner queue if those
++ * SKBs had skb->xmit_more set. If we do not push those they
++ * could be left for a long time and cause a netdev watchdog.
++ */
++ if (txq2->xmit_more_available)
++ efx_nic_push_buffers(txq2);
++
+ efx_nic_push_buffers(tx_queue);
++ } else {
++ tx_queue->xmit_more_available = skb->xmit_more;
++ }
+
+ tx_queue->tx_packets++;
+
+@@ -722,6 +734,7 @@ void efx_init_tx_queue(struct efx_tx_queue *tx_queue)
+ tx_queue->read_count = 0;
+ tx_queue->old_read_count = 0;
+ tx_queue->empty_read_count = 0 | EFX_EMPTY_COUNT_VALID;
++ tx_queue->xmit_more_available = false;
+
+ /* Set up TX descriptor ring */
+ efx_nic_init_tx(tx_queue);
+@@ -747,6 +760,7 @@ void efx_fini_tx_queue(struct efx_tx_queue *tx_queue)
+
+ ++tx_queue->read_count;
+ }
++ tx_queue->xmit_more_available = false;
+ netdev_tx_reset_queue(tx_queue->core_txq);
+ }
+
+@@ -1302,8 +1316,20 @@ static int efx_enqueue_skb_tso(struct efx_tx_queue *tx_queue,
+ efx_tx_maybe_stop_queue(tx_queue);
+
+ /* Pass off to hardware */
+- if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq))
++ if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq)) {
++ struct efx_tx_queue *txq2 = efx_tx_queue_partner(tx_queue);
++
++ /* There could be packets left on the partner queue if those
++ * SKBs had skb->xmit_more set. If we do not push those they
++ * could be left for a long time and cause a netdev watchdog.
++ */
++ if (txq2->xmit_more_available)
++ efx_nic_push_buffers(txq2);
++
+ efx_nic_push_buffers(tx_queue);
++ } else {
++ tx_queue->xmit_more_available = skb->xmit_more;
++ }
+
+ tx_queue->tso_bursts++;
+ return NETDEV_TX_OK;
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+index 771cda2..2e51b81 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+@@ -721,10 +721,13 @@ static int stmmac_get_ts_info(struct net_device *dev,
+ {
+ struct stmmac_priv *priv = netdev_priv(dev);
+
+- if ((priv->hwts_tx_en) && (priv->hwts_rx_en)) {
++ if ((priv->dma_cap.time_stamp || priv->dma_cap.atime_stamp)) {
+
+- info->so_timestamping = SOF_TIMESTAMPING_TX_HARDWARE |
++ info->so_timestamping = SOF_TIMESTAMPING_TX_SOFTWARE |
++ SOF_TIMESTAMPING_TX_HARDWARE |
++ SOF_TIMESTAMPING_RX_SOFTWARE |
+ SOF_TIMESTAMPING_RX_HARDWARE |
++ SOF_TIMESTAMPING_SOFTWARE |
+ SOF_TIMESTAMPING_RAW_HARDWARE;
+
+ if (priv->ptp_clock)
+diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
+index 248478c..197c939 100644
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -137,7 +137,7 @@ static const struct proto_ops macvtap_socket_ops;
+ #define TUN_OFFLOADS (NETIF_F_HW_CSUM | NETIF_F_TSO_ECN | NETIF_F_TSO | \
+ NETIF_F_TSO6 | NETIF_F_UFO)
+ #define RX_OFFLOADS (NETIF_F_GRO | NETIF_F_LRO)
+-#define TAP_FEATURES (NETIF_F_GSO | NETIF_F_SG)
++#define TAP_FEATURES (NETIF_F_GSO | NETIF_F_SG | NETIF_F_FRAGLIST)
+
+ static struct macvlan_dev *macvtap_get_vlan_rcu(const struct net_device *dev)
+ {
+diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
+index 2ed7506..5e0b432 100644
+--- a/drivers/net/ppp/pppoe.c
++++ b/drivers/net/ppp/pppoe.c
+@@ -589,7 +589,7 @@ static int pppoe_release(struct socket *sock)
+
+ po = pppox_sk(sk);
+
+- if (sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND | PPPOX_ZOMBIE)) {
++ if (po->pppoe_dev) {
+ dev_put(po->pppoe_dev);
+ po->pppoe_dev = NULL;
+ }
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index 64a60af..8f1738c 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -765,6 +765,10 @@ static const struct usb_device_id products[] = {
+ {QMI_FIXED_INTF(0x1199, 0x9056, 8)}, /* Sierra Wireless Modem */
+ {QMI_FIXED_INTF(0x1199, 0x9057, 8)},
+ {QMI_FIXED_INTF(0x1199, 0x9061, 8)}, /* Sierra Wireless Modem */
++ {QMI_FIXED_INTF(0x1199, 0x9070, 8)}, /* Sierra Wireless MC74xx/EM74xx */
++ {QMI_FIXED_INTF(0x1199, 0x9070, 10)}, /* Sierra Wireless MC74xx/EM74xx */
++ {QMI_FIXED_INTF(0x1199, 0x9071, 8)}, /* Sierra Wireless MC74xx/EM74xx */
++ {QMI_FIXED_INTF(0x1199, 0x9071, 10)}, /* Sierra Wireless MC74xx/EM74xx */
+ {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */
+ {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */
+ {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index 0d3c474..a5ea8a9 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -2070,7 +2070,8 @@ static void ath10k_peer_assoc_h_ht(struct ath10k *ar,
+ enum ieee80211_band band;
+ const u8 *ht_mcs_mask;
+ const u16 *vht_mcs_mask;
+- int i, n, max_nss;
++ int i, n;
++ u8 max_nss;
+ u32 stbc;
+
+ lockdep_assert_held(&ar->conf_mutex);
+@@ -2155,7 +2156,7 @@ static void ath10k_peer_assoc_h_ht(struct ath10k *ar,
+ arg->peer_ht_rates.rates[i] = i;
+ } else {
+ arg->peer_ht_rates.num_rates = n;
+- arg->peer_num_spatial_streams = max_nss;
++ arg->peer_num_spatial_streams = min(sta->rx_nss, max_nss);
+ }
+
+ ath10k_dbg(ar, ATH10K_DBG_MAC, "mac ht peer %pM mcs cnt %d nss %d\n",
+@@ -4021,7 +4022,7 @@ static int ath10k_config(struct ieee80211_hw *hw, u32 changed)
+
+ static u32 get_nss_from_chainmask(u16 chain_mask)
+ {
+- if ((chain_mask & 0x15) == 0x15)
++ if ((chain_mask & 0xf) == 0xf)
+ return 4;
+ else if ((chain_mask & 0x7) == 0x7)
+ return 3;
+diff --git a/drivers/net/wireless/iwlwifi/pcie/drv.c b/drivers/net/wireless/iwlwifi/pcie/drv.c
+index 865d578d..fd6aef7 100644
+--- a/drivers/net/wireless/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/iwlwifi/pcie/drv.c
+@@ -423,14 +423,21 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+ /* 8000 Series */
+ {IWL_PCI_DEVICE(0x24F3, 0x0010, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x1010, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x0130, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x1130, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x0132, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x1132, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0110, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x01F0, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x0012, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x1012, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x1110, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0050, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0250, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x1050, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0150, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x1150, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F4, 0x0030, iwl8260_2ac_cfg)},
+- {IWL_PCI_DEVICE(0x24F4, 0x1130, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F4, 0x1030, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0xC010, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0xC110, iwl8260_2ac_cfg)},
+@@ -438,18 +445,28 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+ {IWL_PCI_DEVICE(0x24F3, 0xC050, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0xD050, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x8010, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x8110, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x9010, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x9110, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F4, 0x8030, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F4, 0x9030, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x8130, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x9130, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x8132, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x9132, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x8050, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x8150, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x9050, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x9150, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0004, iwl8260_2n_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x0044, iwl8260_2n_cfg)},
+ {IWL_PCI_DEVICE(0x24F5, 0x0010, iwl4165_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F6, 0x0030, iwl4165_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0810, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0910, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0850, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0950, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x0930, iwl8260_2ac_cfg)},
+ #endif /* CONFIG_IWLMVM */
+
+ {0}
+diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c
+index 9e144e7..dab9b91 100644
+--- a/drivers/net/wireless/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
+@@ -592,10 +592,8 @@ static int iwl_pcie_prepare_card_hw(struct iwl_trans *trans)
+
+ do {
+ ret = iwl_pcie_set_hw_ready(trans);
+- if (ret >= 0) {
+- ret = 0;
+- goto out;
+- }
++ if (ret >= 0)
++ return 0;
+
+ usleep_range(200, 1000);
+ t += 200;
+@@ -605,10 +603,6 @@ static int iwl_pcie_prepare_card_hw(struct iwl_trans *trans)
+
+ IWL_ERR(trans, "Couldn't prepare the card\n");
+
+-out:
+- iwl_clear_bit(trans, CSR_DBG_LINK_PWR_MGMT_REG,
+- CSR_RESET_LINK_PWR_MGMT_DISABLED);
+-
+ return ret;
+ }
+
+diff --git a/drivers/net/wireless/mwifiex/debugfs.c b/drivers/net/wireless/mwifiex/debugfs.c
+index 5a0636d4..5583856 100644
+--- a/drivers/net/wireless/mwifiex/debugfs.c
++++ b/drivers/net/wireless/mwifiex/debugfs.c
+@@ -731,7 +731,7 @@ mwifiex_rdeeprom_read(struct file *file, char __user *ubuf,
+ (struct mwifiex_private *) file->private_data;
+ unsigned long addr = get_zeroed_page(GFP_KERNEL);
+ char *buf = (char *) addr;
+- int pos = 0, ret = 0, i;
++ int pos, ret, i;
+ u8 value[MAX_EEPROM_DATA];
+
+ if (!buf)
+@@ -739,7 +739,7 @@ mwifiex_rdeeprom_read(struct file *file, char __user *ubuf,
+
+ if (saved_offset == -1) {
+ /* No command has been given */
+- pos += snprintf(buf, PAGE_SIZE, "0");
++ pos = snprintf(buf, PAGE_SIZE, "0");
+ goto done;
+ }
+
+@@ -748,17 +748,17 @@ mwifiex_rdeeprom_read(struct file *file, char __user *ubuf,
+ (u16) saved_bytes, value);
+ if (ret) {
+ ret = -EINVAL;
+- goto done;
++ goto out_free;
+ }
+
+- pos += snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes);
++ pos = snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes);
+
+ for (i = 0; i < saved_bytes; i++)
+- pos += snprintf(buf + strlen(buf), PAGE_SIZE, "%d ", value[i]);
+-
+- ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
++ pos += scnprintf(buf + pos, PAGE_SIZE - pos, "%d ", value[i]);
+
+ done:
++ ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
++out_free:
+ free_page(addr);
+ return ret;
+ }
+diff --git a/drivers/staging/lustre/include/linux/lnet/lib-lnet.h b/drivers/staging/lustre/include/linux/lnet/lib-lnet.h
+index a9c9a07..bc3d907 100644
+--- a/drivers/staging/lustre/include/linux/lnet/lib-lnet.h
++++ b/drivers/staging/lustre/include/linux/lnet/lib-lnet.h
+@@ -680,7 +680,7 @@ void lnet_debug_peer(lnet_nid_t nid);
+ static inline void
+ lnet_peer_set_alive(lnet_peer_t *lp)
+ {
+- lp->lp_last_alive = lp->lp_last_query = get_seconds();
++ lp->lp_last_alive = lp->lp_last_query = jiffies;
+ if (!lp->lp_alive)
+ lnet_notify_locked(lp, 0, 1, lp->lp_last_alive);
+ }
+diff --git a/drivers/staging/rtl8712/usb_intf.c b/drivers/staging/rtl8712/usb_intf.c
+index f8b5b33..943a0e2 100644
+--- a/drivers/staging/rtl8712/usb_intf.c
++++ b/drivers/staging/rtl8712/usb_intf.c
+@@ -144,6 +144,7 @@ static struct usb_device_id rtl871x_usb_id_tbl[] = {
+ {USB_DEVICE(0x0DF6, 0x0058)},
+ {USB_DEVICE(0x0DF6, 0x0049)},
+ {USB_DEVICE(0x0DF6, 0x004C)},
++ {USB_DEVICE(0x0DF6, 0x006C)},
+ {USB_DEVICE(0x0DF6, 0x0064)},
+ /* Skyworth */
+ {USB_DEVICE(0x14b2, 0x3300)},
+diff --git a/drivers/tty/mips_ejtag_fdc.c b/drivers/tty/mips_ejtag_fdc.c
+index 358323c..43a2ba0 100644
+--- a/drivers/tty/mips_ejtag_fdc.c
++++ b/drivers/tty/mips_ejtag_fdc.c
+@@ -1045,38 +1045,6 @@ err_destroy_ports:
+ return ret;
+ }
+
+-static int mips_ejtag_fdc_tty_remove(struct mips_cdmm_device *dev)
+-{
+- struct mips_ejtag_fdc_tty *priv = mips_cdmm_get_drvdata(dev);
+- struct mips_ejtag_fdc_tty_port *dport;
+- int nport;
+- unsigned int cfg;
+-
+- if (priv->irq >= 0) {
+- raw_spin_lock_irq(&priv->lock);
+- cfg = mips_ejtag_fdc_read(priv, REG_FDCFG);
+- /* Disable interrupts */
+- cfg &= ~(REG_FDCFG_TXINTTHRES | REG_FDCFG_RXINTTHRES);
+- cfg |= REG_FDCFG_TXINTTHRES_DISABLED;
+- cfg |= REG_FDCFG_RXINTTHRES_DISABLED;
+- mips_ejtag_fdc_write(priv, REG_FDCFG, cfg);
+- raw_spin_unlock_irq(&priv->lock);
+- } else {
+- priv->removing = true;
+- del_timer_sync(&priv->poll_timer);
+- }
+- kthread_stop(priv->thread);
+- if (dev->cpu == 0)
+- mips_ejtag_fdc_con.tty_drv = NULL;
+- tty_unregister_driver(priv->driver);
+- for (nport = 0; nport < NUM_TTY_CHANNELS; nport++) {
+- dport = &priv->ports[nport];
+- tty_port_destroy(&dport->port);
+- }
+- put_tty_driver(priv->driver);
+- return 0;
+-}
+-
+ static int mips_ejtag_fdc_tty_cpu_down(struct mips_cdmm_device *dev)
+ {
+ struct mips_ejtag_fdc_tty *priv = mips_cdmm_get_drvdata(dev);
+@@ -1149,12 +1117,11 @@ static struct mips_cdmm_driver mips_ejtag_fdc_tty_driver = {
+ .name = "mips_ejtag_fdc",
+ },
+ .probe = mips_ejtag_fdc_tty_probe,
+- .remove = mips_ejtag_fdc_tty_remove,
+ .cpu_down = mips_ejtag_fdc_tty_cpu_down,
+ .cpu_up = mips_ejtag_fdc_tty_cpu_up,
+ .id_table = mips_ejtag_fdc_tty_ids,
+ };
+-module_mips_cdmm_driver(mips_ejtag_fdc_tty_driver);
++builtin_mips_cdmm_driver(mips_ejtag_fdc_tty_driver);
+
+ static int __init mips_ejtag_fdc_init_console(void)
+ {
+diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
+index afc1879..dedac8a 100644
+--- a/drivers/tty/n_tty.c
++++ b/drivers/tty/n_tty.c
+@@ -169,7 +169,7 @@ static inline int tty_copy_to_user(struct tty_struct *tty,
+ {
+ struct n_tty_data *ldata = tty->disc_data;
+
+- tty_audit_add_data(tty, to, n, ldata->icanon);
++ tty_audit_add_data(tty, from, n, ldata->icanon);
+ return copy_to_user(to, from, n);
+ }
+
+diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
+index 90ca082..3d245cd 100644
+--- a/drivers/tty/tty_audit.c
++++ b/drivers/tty/tty_audit.c
+@@ -265,7 +265,7 @@ static struct tty_audit_buf *tty_audit_buf_get(struct tty_struct *tty,
+ *
+ * Audit @data of @size from @tty, if necessary.
+ */
+-void tty_audit_add_data(struct tty_struct *tty, unsigned char *data,
++void tty_audit_add_data(struct tty_struct *tty, const void *data,
+ size_t size, unsigned icanon)
+ {
+ struct tty_audit_buf *buf;
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 774df35..1aa0286 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -1279,18 +1279,22 @@ int tty_send_xchar(struct tty_struct *tty, char ch)
+ int was_stopped = tty->stopped;
+
+ if (tty->ops->send_xchar) {
++ down_read(&tty->termios_rwsem);
+ tty->ops->send_xchar(tty, ch);
++ up_read(&tty->termios_rwsem);
+ return 0;
+ }
+
+ if (tty_write_lock(tty, 0) < 0)
+ return -ERESTARTSYS;
+
++ down_read(&tty->termios_rwsem);
+ if (was_stopped)
+ start_tty(tty);
+ tty->ops->write(tty, &ch, 1);
+ if (was_stopped)
+ stop_tty(tty);
++ up_read(&tty->termios_rwsem);
+ tty_write_unlock(tty);
+ return 0;
+ }
+diff --git a/drivers/tty/tty_ioctl.c b/drivers/tty/tty_ioctl.c
+index 5232fb6..043e332 100644
+--- a/drivers/tty/tty_ioctl.c
++++ b/drivers/tty/tty_ioctl.c
+@@ -1142,16 +1142,12 @@ int n_tty_ioctl_helper(struct tty_struct *tty, struct file *file,
+ spin_unlock_irq(&tty->flow_lock);
+ break;
+ case TCIOFF:
+- down_read(&tty->termios_rwsem);
+ if (STOP_CHAR(tty) != __DISABLED_CHAR)
+ retval = tty_send_xchar(tty, STOP_CHAR(tty));
+- up_read(&tty->termios_rwsem);
+ break;
+ case TCION:
+- down_read(&tty->termios_rwsem);
+ if (START_CHAR(tty) != __DISABLED_CHAR)
+ retval = tty_send_xchar(tty, START_CHAR(tty));
+- up_read(&tty->termios_rwsem);
+ break;
+ default:
+ return -EINVAL;
+diff --git a/drivers/usb/chipidea/ci_hdrc_imx.c b/drivers/usb/chipidea/ci_hdrc_imx.c
+index fa77432..846ceb9 100644
+--- a/drivers/usb/chipidea/ci_hdrc_imx.c
++++ b/drivers/usb/chipidea/ci_hdrc_imx.c
+@@ -68,6 +68,12 @@ struct ci_hdrc_imx_data {
+ struct imx_usbmisc_data *usbmisc_data;
+ bool supports_runtime_pm;
+ bool in_lpm;
++ /* SoC before i.mx6 (except imx23/imx28) needs three clks */
++ bool need_three_clks;
++ struct clk *clk_ipg;
++ struct clk *clk_ahb;
++ struct clk *clk_per;
++ /* --------------------------------- */
+ };
+
+ /* Common functions shared by usbmisc drivers */
+@@ -119,6 +125,102 @@ static struct imx_usbmisc_data *usbmisc_get_init_data(struct device *dev)
+ }
+
+ /* End of common functions shared by usbmisc drivers*/
++static int imx_get_clks(struct device *dev)
++{
++ struct ci_hdrc_imx_data *data = dev_get_drvdata(dev);
++ int ret = 0;
++
++ data->clk_ipg = devm_clk_get(dev, "ipg");
++ if (IS_ERR(data->clk_ipg)) {
++ /* If the platform only needs one clocks */
++ data->clk = devm_clk_get(dev, NULL);
++ if (IS_ERR(data->clk)) {
++ ret = PTR_ERR(data->clk);
++ dev_err(dev,
++ "Failed to get clks, err=%ld,%ld\n",
++ PTR_ERR(data->clk), PTR_ERR(data->clk_ipg));
++ return ret;
++ }
++ return ret;
++ }
++
++ data->clk_ahb = devm_clk_get(dev, "ahb");
++ if (IS_ERR(data->clk_ahb)) {
++ ret = PTR_ERR(data->clk_ahb);
++ dev_err(dev,
++ "Failed to get ahb clock, err=%d\n", ret);
++ return ret;
++ }
++
++ data->clk_per = devm_clk_get(dev, "per");
++ if (IS_ERR(data->clk_per)) {
++ ret = PTR_ERR(data->clk_per);
++ dev_err(dev,
++ "Failed to get per clock, err=%d\n", ret);
++ return ret;
++ }
++
++ data->need_three_clks = true;
++ return ret;
++}
++
++static int imx_prepare_enable_clks(struct device *dev)
++{
++ struct ci_hdrc_imx_data *data = dev_get_drvdata(dev);
++ int ret = 0;
++
++ if (data->need_three_clks) {
++ ret = clk_prepare_enable(data->clk_ipg);
++ if (ret) {
++ dev_err(dev,
++ "Failed to prepare/enable ipg clk, err=%d\n",
++ ret);
++ return ret;
++ }
++
++ ret = clk_prepare_enable(data->clk_ahb);
++ if (ret) {
++ dev_err(dev,
++ "Failed to prepare/enable ahb clk, err=%d\n",
++ ret);
++ clk_disable_unprepare(data->clk_ipg);
++ return ret;
++ }
++
++ ret = clk_prepare_enable(data->clk_per);
++ if (ret) {
++ dev_err(dev,
++ "Failed to prepare/enable per clk, err=%d\n",
++ ret);
++ clk_disable_unprepare(data->clk_ahb);
++ clk_disable_unprepare(data->clk_ipg);
++ return ret;
++ }
++ } else {
++ ret = clk_prepare_enable(data->clk);
++ if (ret) {
++ dev_err(dev,
++ "Failed to prepare/enable clk, err=%d\n",
++ ret);
++ return ret;
++ }
++ }
++
++ return ret;
++}
++
++static void imx_disable_unprepare_clks(struct device *dev)
++{
++ struct ci_hdrc_imx_data *data = dev_get_drvdata(dev);
++
++ if (data->need_three_clks) {
++ clk_disable_unprepare(data->clk_per);
++ clk_disable_unprepare(data->clk_ahb);
++ clk_disable_unprepare(data->clk_ipg);
++ } else {
++ clk_disable_unprepare(data->clk);
++ }
++}
+
+ static int ci_hdrc_imx_probe(struct platform_device *pdev)
+ {
+@@ -137,23 +239,18 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev)
+ if (!data)
+ return -ENOMEM;
+
++ platform_set_drvdata(pdev, data);
+ data->usbmisc_data = usbmisc_get_init_data(&pdev->dev);
+ if (IS_ERR(data->usbmisc_data))
+ return PTR_ERR(data->usbmisc_data);
+
+- data->clk = devm_clk_get(&pdev->dev, NULL);
+- if (IS_ERR(data->clk)) {
+- dev_err(&pdev->dev,
+- "Failed to get clock, err=%ld\n", PTR_ERR(data->clk));
+- return PTR_ERR(data->clk);
+- }
++ ret = imx_get_clks(&pdev->dev);
++ if (ret)
++ return ret;
+
+- ret = clk_prepare_enable(data->clk);
+- if (ret) {
+- dev_err(&pdev->dev,
+- "Failed to prepare or enable clock, err=%d\n", ret);
++ ret = imx_prepare_enable_clks(&pdev->dev);
++ if (ret)
+ return ret;
+- }
+
+ data->phy = devm_usb_get_phy_by_phandle(&pdev->dev, "fsl,usbphy", 0);
+ if (IS_ERR(data->phy)) {
+@@ -196,8 +293,6 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev)
+ goto disable_device;
+ }
+
+- platform_set_drvdata(pdev, data);
+-
+ if (data->supports_runtime_pm) {
+ pm_runtime_set_active(&pdev->dev);
+ pm_runtime_enable(&pdev->dev);
+@@ -210,7 +305,7 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev)
+ disable_device:
+ ci_hdrc_remove_device(data->ci_pdev);
+ err_clk:
+- clk_disable_unprepare(data->clk);
++ imx_disable_unprepare_clks(&pdev->dev);
+ return ret;
+ }
+
+@@ -224,7 +319,7 @@ static int ci_hdrc_imx_remove(struct platform_device *pdev)
+ pm_runtime_put_noidle(&pdev->dev);
+ }
+ ci_hdrc_remove_device(data->ci_pdev);
+- clk_disable_unprepare(data->clk);
++ imx_disable_unprepare_clks(&pdev->dev);
+
+ return 0;
+ }
+@@ -236,7 +331,7 @@ static int imx_controller_suspend(struct device *dev)
+
+ dev_dbg(dev, "at %s\n", __func__);
+
+- clk_disable_unprepare(data->clk);
++ imx_disable_unprepare_clks(dev);
+ data->in_lpm = true;
+
+ return 0;
+@@ -254,7 +349,7 @@ static int imx_controller_resume(struct device *dev)
+ return 0;
+ }
+
+- ret = clk_prepare_enable(data->clk);
++ ret = imx_prepare_enable_clks(dev);
+ if (ret)
+ return ret;
+
+@@ -269,7 +364,7 @@ static int imx_controller_resume(struct device *dev)
+ return 0;
+
+ clk_disable:
+- clk_disable_unprepare(data->clk);
++ imx_disable_unprepare_clks(dev);
+ return ret;
+ }
+
+diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c
+index 6e53c24..92937c1 100644
+--- a/drivers/usb/chipidea/udc.c
++++ b/drivers/usb/chipidea/udc.c
+@@ -1730,6 +1730,22 @@ static int ci_udc_start(struct usb_gadget *gadget,
+ return retval;
+ }
+
++static void ci_udc_stop_for_otg_fsm(struct ci_hdrc *ci)
++{
++ if (!ci_otg_is_fsm_mode(ci))
++ return;
++
++ mutex_lock(&ci->fsm.lock);
++ if (ci->fsm.otg->state == OTG_STATE_A_PERIPHERAL) {
++ ci->fsm.a_bidl_adis_tmout = 1;
++ ci_hdrc_otg_fsm_start(ci);
++ } else if (ci->fsm.otg->state == OTG_STATE_B_PERIPHERAL) {
++ ci->fsm.protocol = PROTO_UNDEF;
++ ci->fsm.otg->state = OTG_STATE_UNDEFINED;
++ }
++ mutex_unlock(&ci->fsm.lock);
++}
++
+ /**
+ * ci_udc_stop: unregister a gadget driver
+ */
+@@ -1754,6 +1770,7 @@ static int ci_udc_stop(struct usb_gadget *gadget)
+ ci->driver = NULL;
+ spin_unlock_irqrestore(&ci->lock, flags);
+
++ ci_udc_stop_for_otg_fsm(ci);
+ return 0;
+ }
+
+diff --git a/drivers/usb/class/usblp.c b/drivers/usb/class/usblp.c
+index f38e875..8218ba7 100644
+--- a/drivers/usb/class/usblp.c
++++ b/drivers/usb/class/usblp.c
+@@ -873,11 +873,11 @@ static int usblp_wwait(struct usblp *usblp, int nonblock)
+
+ add_wait_queue(&usblp->wwait, &waita);
+ for (;;) {
+- set_current_state(TASK_INTERRUPTIBLE);
+ if (mutex_lock_interruptible(&usblp->mut)) {
+ rc = -EINTR;
+ break;
+ }
++ set_current_state(TASK_INTERRUPTIBLE);
+ rc = usblp_wtest(usblp, nonblock);
+ mutex_unlock(&usblp->mut);
+ if (rc <= 0)
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index ff5773c..c0566ec 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -490,6 +490,9 @@ static int dwc3_phy_setup(struct dwc3 *dwc)
+ if (dwc->dis_u2_susphy_quirk)
+ reg &= ~DWC3_GUSB2PHYCFG_SUSPHY;
+
++ if (dwc->dis_enblslpm_quirk)
++ reg &= ~DWC3_GUSB2PHYCFG_ENBLSLPM;
++
+ dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg);
+
+ return 0;
+@@ -509,12 +512,18 @@ static int dwc3_core_init(struct dwc3 *dwc)
+
+ reg = dwc3_readl(dwc->regs, DWC3_GSNPSID);
+ /* This should read as U3 followed by revision number */
+- if ((reg & DWC3_GSNPSID_MASK) != 0x55330000) {
++ if ((reg & DWC3_GSNPSID_MASK) == 0x55330000) {
++ /* Detected DWC_usb3 IP */
++ dwc->revision = reg;
++ } else if ((reg & DWC3_GSNPSID_MASK) == 0x33310000) {
++ /* Detected DWC_usb31 IP */
++ dwc->revision = dwc3_readl(dwc->regs, DWC3_VER_NUMBER);
++ dwc->revision |= DWC3_REVISION_IS_DWC31;
++ } else {
+ dev_err(dwc->dev, "this is not a DesignWare USB3 DRD Core\n");
+ ret = -ENODEV;
+ goto err0;
+ }
+- dwc->revision = reg;
+
+ /*
+ * Write Linux Version Code to our GUID register so it's easy to figure
+@@ -881,6 +890,8 @@ static int dwc3_probe(struct platform_device *pdev)
+ "snps,dis_u3_susphy_quirk");
+ dwc->dis_u2_susphy_quirk = of_property_read_bool(node,
+ "snps,dis_u2_susphy_quirk");
++ dwc->dis_enblslpm_quirk = device_property_read_bool(dev,
++ "snps,dis_enblslpm_quirk");
+
+ dwc->tx_de_emphasis_quirk = of_property_read_bool(node,
+ "snps,tx_de_emphasis_quirk");
+@@ -911,6 +922,7 @@ static int dwc3_probe(struct platform_device *pdev)
+ dwc->rx_detect_poll_quirk = pdata->rx_detect_poll_quirk;
+ dwc->dis_u3_susphy_quirk = pdata->dis_u3_susphy_quirk;
+ dwc->dis_u2_susphy_quirk = pdata->dis_u2_susphy_quirk;
++ dwc->dis_enblslpm_quirk = pdata->dis_enblslpm_quirk;
+
+ dwc->tx_de_emphasis_quirk = pdata->tx_de_emphasis_quirk;
+ if (pdata->tx_de_emphasis)
+diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h
+index 0447788..6e53ce9 100644
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -108,6 +108,9 @@
+ #define DWC3_GPRTBIMAP_FS0 0xc188
+ #define DWC3_GPRTBIMAP_FS1 0xc18c
+
++#define DWC3_VER_NUMBER 0xc1a0
++#define DWC3_VER_TYPE 0xc1a4
++
+ #define DWC3_GUSB2PHYCFG(n) (0xc200 + (n * 0x04))
+ #define DWC3_GUSB2I2CCTL(n) (0xc240 + (n * 0x04))
+
+@@ -175,6 +178,7 @@
+ #define DWC3_GUSB2PHYCFG_PHYSOFTRST (1 << 31)
+ #define DWC3_GUSB2PHYCFG_SUSPHY (1 << 6)
+ #define DWC3_GUSB2PHYCFG_ULPI_UTMI (1 << 4)
++#define DWC3_GUSB2PHYCFG_ENBLSLPM (1 << 8)
+
+ /* Global USB2 PHY Vendor Control Register */
+ #define DWC3_GUSB2PHYACC_NEWREGREQ (1 << 25)
+@@ -712,6 +716,8 @@ struct dwc3_scratchpad_array {
+ * @rx_detect_poll_quirk: set if we enable rx_detect to polling lfps quirk
+ * @dis_u3_susphy_quirk: set if we disable usb3 suspend phy
+ * @dis_u2_susphy_quirk: set if we disable usb2 suspend phy
++ * @dis_enblslpm_quirk: set if we clear enblslpm in GUSB2PHYCFG,
++ * disabling the suspend signal to the PHY.
+ * @tx_de_emphasis_quirk: set if we enable Tx de-emphasis quirk
+ * @tx_de_emphasis: Tx de-emphasis value
+ * 0 - -6dB de-emphasis
+@@ -766,6 +772,14 @@ struct dwc3 {
+ u32 num_event_buffers;
+ u32 u1u2;
+ u32 maximum_speed;
++
++ /*
++ * All 3.1 IP version constants are greater than the 3.0 IP
++ * version constants. This works for most version checks in
++ * dwc3. However, in the future, this may not apply as
++ * features may be developed on newer versions of the 3.0 IP
++ * that are not in the 3.1 IP.
++ */
+ u32 revision;
+
+ #define DWC3_REVISION_173A 0x5533173a
+@@ -788,6 +802,13 @@ struct dwc3 {
+ #define DWC3_REVISION_270A 0x5533270a
+ #define DWC3_REVISION_280A 0x5533280a
+
++/*
++ * NOTICE: we're using bit 31 as a "is usb 3.1" flag. This is really
++ * just so dwc31 revisions are always larger than dwc3.
++ */
++#define DWC3_REVISION_IS_DWC31 0x80000000
++#define DWC3_USB31_REVISION_110A (0x3131302a | DWC3_REVISION_IS_USB31)
++
+ enum dwc3_ep0_next ep0_next_event;
+ enum dwc3_ep0_state ep0state;
+ enum dwc3_link_state link_state;
+@@ -841,6 +862,7 @@ struct dwc3 {
+ unsigned rx_detect_poll_quirk:1;
+ unsigned dis_u3_susphy_quirk:1;
+ unsigned dis_u2_susphy_quirk:1;
++ unsigned dis_enblslpm_quirk:1;
+
+ unsigned tx_de_emphasis_quirk:1;
+ unsigned tx_de_emphasis:2;
+diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
+index 27e4fc8..04b87eb 100644
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -27,6 +27,8 @@
+ #include "platform_data.h"
+
+ #define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3 0xabcd
++#define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI 0xabce
++#define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB31 0xabcf
+ #define PCI_DEVICE_ID_INTEL_BYT 0x0f37
+ #define PCI_DEVICE_ID_INTEL_MRFLD 0x119e
+ #define PCI_DEVICE_ID_INTEL_BSW 0x22B7
+@@ -100,6 +102,22 @@ static int dwc3_pci_quirks(struct pci_dev *pdev)
+ }
+ }
+
++ if (pdev->vendor == PCI_VENDOR_ID_SYNOPSYS &&
++ (pdev->device == PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3 ||
++ pdev->device == PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI ||
++ pdev->device == PCI_DEVICE_ID_SYNOPSYS_HAPSUSB31)) {
++
++ struct dwc3_platform_data pdata;
++
++ memset(&pdata, 0, sizeof(pdata));
++ pdata.usb3_lpm_capable = true;
++ pdata.has_lpm_erratum = true;
++ pdata.dis_enblslpm_quirk = true;
++
++ return platform_device_add_data(pci_get_drvdata(pdev), &pdata,
++ sizeof(pdata));
++ }
++
+ return 0;
+ }
+
+@@ -172,6 +190,14 @@ static const struct pci_device_id dwc3_pci_id_table[] = {
+ PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS,
+ PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3),
+ },
++ {
++ PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS,
++ PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI),
++ },
++ {
++ PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS,
++ PCI_DEVICE_ID_SYNOPSYS_HAPSUSB31),
++ },
+ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BSW), },
+ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BYT), },
+ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), },
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index 333a7c0..6fbf461 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1859,27 +1859,32 @@ static int dwc3_cleanup_done_reqs(struct dwc3 *dwc, struct dwc3_ep *dep,
+ unsigned int i;
+ int ret;
+
+- req = next_request(&dep->req_queued);
+- if (!req) {
+- WARN_ON_ONCE(1);
+- return 1;
+- }
+- i = 0;
+ do {
+- slot = req->start_slot + i;
+- if ((slot == DWC3_TRB_NUM - 1) &&
++ req = next_request(&dep->req_queued);
++ if (!req) {
++ WARN_ON_ONCE(1);
++ return 1;
++ }
++ i = 0;
++ do {
++ slot = req->start_slot + i;
++ if ((slot == DWC3_TRB_NUM - 1) &&
+ usb_endpoint_xfer_isoc(dep->endpoint.desc))
+- slot++;
+- slot %= DWC3_TRB_NUM;
+- trb = &dep->trb_pool[slot];
++ slot++;
++ slot %= DWC3_TRB_NUM;
++ trb = &dep->trb_pool[slot];
++
++ ret = __dwc3_cleanup_done_trbs(dwc, dep, req, trb,
++ event, status);
++ if (ret)
++ break;
++ } while (++i < req->request.num_mapped_sgs);
++
++ dwc3_gadget_giveback(dep, req, status);
+
+- ret = __dwc3_cleanup_done_trbs(dwc, dep, req, trb,
+- event, status);
+ if (ret)
+ break;
+- } while (++i < req->request.num_mapped_sgs);
+-
+- dwc3_gadget_giveback(dep, req, status);
++ } while (1);
+
+ if (usb_endpoint_xfer_isoc(dep->endpoint.desc) &&
+ list_empty(&dep->req_queued)) {
+@@ -2709,12 +2714,34 @@ int dwc3_gadget_init(struct dwc3 *dwc)
+ }
+
+ dwc->gadget.ops = &dwc3_gadget_ops;
+- dwc->gadget.max_speed = USB_SPEED_SUPER;
+ dwc->gadget.speed = USB_SPEED_UNKNOWN;
+ dwc->gadget.sg_supported = true;
+ dwc->gadget.name = "dwc3-gadget";
+
+ /*
++ * FIXME We might be setting max_speed to <SUPER, however versions
++ * <2.20a of dwc3 have an issue with metastability (documented
++ * elsewhere in this driver) which tells us we can't set max speed to
++ * anything lower than SUPER.
++ *
++ * Because gadget.max_speed is only used by composite.c and function
++ * drivers (i.e. it won't go into dwc3's registers) we are allowing this
++ * to happen so we avoid sending SuperSpeed Capability descriptor
++ * together with our BOS descriptor as that could confuse host into
++ * thinking we can handle super speed.
++ *
++ * Note that, in fact, we won't even support GetBOS requests when speed
++ * is less than super speed because we don't have means, yet, to tell
++ * composite.c that we are USB 2.0 + LPM ECN.
++ */
++ if (dwc->revision < DWC3_REVISION_220A)
++ dwc3_trace(trace_dwc3_gadget,
++ "Changing max_speed on rev %08x\n",
++ dwc->revision);
++
++ dwc->gadget.max_speed = dwc->maximum_speed;
++
++ /*
+ * Per databook, DWC3 needs buffer size to be aligned to MaxPacketSize
+ * on ep out.
+ */
+diff --git a/drivers/usb/dwc3/platform_data.h b/drivers/usb/dwc3/platform_data.h
+index d3614ec..db29380 100644
+--- a/drivers/usb/dwc3/platform_data.h
++++ b/drivers/usb/dwc3/platform_data.h
+@@ -42,6 +42,7 @@ struct dwc3_platform_data {
+ unsigned rx_detect_poll_quirk:1;
+ unsigned dis_u3_susphy_quirk:1;
+ unsigned dis_u2_susphy_quirk:1;
++ unsigned dis_enblslpm_quirk:1;
+
+ unsigned tx_de_emphasis_quirk:1;
+ unsigned tx_de_emphasis:2;
+diff --git a/drivers/usb/gadget/udc/atmel_usba_udc.c b/drivers/usb/gadget/udc/atmel_usba_udc.c
+index 4095cce0..35fff45 100644
+--- a/drivers/usb/gadget/udc/atmel_usba_udc.c
++++ b/drivers/usb/gadget/udc/atmel_usba_udc.c
+@@ -1634,7 +1634,7 @@ static irqreturn_t usba_udc_irq(int irq, void *devid)
+ spin_lock(&udc->lock);
+
+ int_enb = usba_int_enb_get(udc);
+- status = usba_readl(udc, INT_STA) & int_enb;
++ status = usba_readl(udc, INT_STA) & (int_enb | USBA_HIGH_SPEED);
+ DBG(DBG_INT, "irq, status=%#08x\n", status);
+
+ if (status & USBA_DET_SUSPEND) {
+diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c
+index 2bee912..baa0191 100644
+--- a/drivers/usb/gadget/udc/net2280.c
++++ b/drivers/usb/gadget/udc/net2280.c
+@@ -1846,7 +1846,7 @@ static void defect7374_disable_data_eps(struct net2280 *dev)
+
+ for (i = 1; i < 5; i++) {
+ ep = &dev->ep[i];
+- writel(0, &ep->cfg->ep_cfg);
++ writel(i, &ep->cfg->ep_cfg);
+ }
+
+ /* CSROUT, CSRIN, PCIOUT, PCIIN, STATIN, RCIN */
+diff --git a/drivers/usb/host/ehci-orion.c b/drivers/usb/host/ehci-orion.c
+index bfcbb9a..ee8d5fa 100644
+--- a/drivers/usb/host/ehci-orion.c
++++ b/drivers/usb/host/ehci-orion.c
+@@ -224,7 +224,8 @@ static int ehci_orion_drv_probe(struct platform_device *pdev)
+ priv->phy = devm_phy_optional_get(&pdev->dev, "usb");
+ if (IS_ERR(priv->phy)) {
+ err = PTR_ERR(priv->phy);
+- goto err_phy_get;
++ if (err != -ENOSYS)
++ goto err_phy_get;
+ } else {
+ err = phy_init(priv->phy);
+ if (err)
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index d7b9f484..6062996 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -175,6 +175,16 @@ int xhci_reset(struct xhci_hcd *xhci)
+ command |= CMD_RESET;
+ writel(command, &xhci->op_regs->command);
+
++ /* Existing Intel xHCI controllers require a delay of 1 mS,
++ * after setting the CMD_RESET bit, and before accessing any
++ * HC registers. This allows the HC to complete the
++ * reset operation and be ready for HC register access.
++ * Without this delay, the subsequent HC register access,
++ * may result in a system hang very rarely.
++ */
++ if (xhci->quirks & XHCI_INTEL_HOST)
++ udelay(1000);
++
+ ret = xhci_handshake(&xhci->op_regs->command,
+ CMD_RESET, 0, 10 * 1000 * 1000);
+ if (ret)
+diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c
+index 514a6cd..2fe6d26 100644
+--- a/drivers/usb/musb/musb_core.c
++++ b/drivers/usb/musb/musb_core.c
+@@ -132,7 +132,7 @@ static inline struct musb *dev_to_musb(struct device *dev)
+ /*-------------------------------------------------------------------------*/
+
+ #ifndef CONFIG_BLACKFIN
+-static int musb_ulpi_read(struct usb_phy *phy, u32 offset)
++static int musb_ulpi_read(struct usb_phy *phy, u32 reg)
+ {
+ void __iomem *addr = phy->io_priv;
+ int i = 0;
+@@ -151,7 +151,7 @@ static int musb_ulpi_read(struct usb_phy *phy, u32 offset)
+ * ULPICarKitControlDisableUTMI after clearing POWER_SUSPENDM.
+ */
+
+- musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)offset);
++ musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)reg);
+ musb_writeb(addr, MUSB_ULPI_REG_CONTROL,
+ MUSB_ULPI_REG_REQ | MUSB_ULPI_RDN_WR);
+
+@@ -176,7 +176,7 @@ out:
+ return ret;
+ }
+
+-static int musb_ulpi_write(struct usb_phy *phy, u32 offset, u32 data)
++static int musb_ulpi_write(struct usb_phy *phy, u32 val, u32 reg)
+ {
+ void __iomem *addr = phy->io_priv;
+ int i = 0;
+@@ -191,8 +191,8 @@ static int musb_ulpi_write(struct usb_phy *phy, u32 offset, u32 data)
+ power &= ~MUSB_POWER_SUSPENDM;
+ musb_writeb(addr, MUSB_POWER, power);
+
+- musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)offset);
+- musb_writeb(addr, MUSB_ULPI_REG_DATA, (u8)data);
++ musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)reg);
++ musb_writeb(addr, MUSB_ULPI_REG_DATA, (u8)val);
+ musb_writeb(addr, MUSB_ULPI_REG_CONTROL, MUSB_ULPI_REG_REQ);
+
+ while (!(musb_readb(addr, MUSB_ULPI_REG_CONTROL)
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index 7c8eb4c..4021846 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -162,6 +162,7 @@ static void option_instat_callback(struct urb *urb);
+ #define NOVATELWIRELESS_PRODUCT_HSPA_EMBEDDED_HIGHSPEED 0x9001
+ #define NOVATELWIRELESS_PRODUCT_E362 0x9010
+ #define NOVATELWIRELESS_PRODUCT_E371 0x9011
++#define NOVATELWIRELESS_PRODUCT_U620L 0x9022
+ #define NOVATELWIRELESS_PRODUCT_G2 0xA010
+ #define NOVATELWIRELESS_PRODUCT_MC551 0xB001
+
+@@ -357,6 +358,7 @@ static void option_instat_callback(struct urb *urb);
+ /* This is the 4G XS Stick W14 a.k.a. Mobilcom Debitel Surf-Stick *
+ * It seems to contain a Qualcomm QSC6240/6290 chipset */
+ #define FOUR_G_SYSTEMS_PRODUCT_W14 0x9603
++#define FOUR_G_SYSTEMS_PRODUCT_W100 0x9b01
+
+ /* iBall 3.5G connect wireless modem */
+ #define IBALL_3_5G_CONNECT 0x9605
+@@ -522,6 +524,11 @@ static const struct option_blacklist_info four_g_w14_blacklist = {
+ .sendsetup = BIT(0) | BIT(1),
+ };
+
++static const struct option_blacklist_info four_g_w100_blacklist = {
++ .sendsetup = BIT(1) | BIT(2),
++ .reserved = BIT(3),
++};
++
+ static const struct option_blacklist_info alcatel_x200_blacklist = {
+ .sendsetup = BIT(0) | BIT(1),
+ .reserved = BIT(4),
+@@ -1060,6 +1067,7 @@ static const struct usb_device_id option_ids[] = {
+ { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_MC551, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_E362, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_E371, 0xff, 0xff, 0xff) },
++ { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_U620L, 0xff, 0x00, 0x00) },
+
+ { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01) },
+ { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01A) },
+@@ -1653,6 +1661,9 @@ static const struct usb_device_id option_ids[] = {
+ { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W14),
+ .driver_info = (kernel_ulong_t)&four_g_w14_blacklist
+ },
++ { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W100),
++ .driver_info = (kernel_ulong_t)&four_g_w100_blacklist
++ },
+ { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, SPEEDUP_PRODUCT_SU9800, 0xff) },
+ { USB_DEVICE(LONGCHEER_VENDOR_ID, ZOOM_PRODUCT_4597) },
+ { USB_DEVICE(LONGCHEER_VENDOR_ID, IBALL_3_5G_CONNECT) },
+diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
+index f49d262..514fa91 100644
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -22,6 +22,8 @@
+ #define DRIVER_AUTHOR "Qualcomm Inc"
+ #define DRIVER_DESC "Qualcomm USB Serial driver"
+
++#define QUECTEL_EC20_PID 0x9215
++
+ /* standard device layouts supported by this driver */
+ enum qcserial_layouts {
+ QCSERIAL_G2K = 0, /* Gobi 2000 */
+@@ -169,6 +171,38 @@ static const struct usb_device_id id_table[] = {
+ };
+ MODULE_DEVICE_TABLE(usb, id_table);
+
++static int handle_quectel_ec20(struct device *dev, int ifnum)
++{
++ int altsetting = 0;
++
++ /*
++ * Quectel EC20 Mini PCIe LTE module layout:
++ * 0: DM/DIAG (use libqcdm from ModemManager for communication)
++ * 1: NMEA
++ * 2: AT-capable modem port
++ * 3: Modem interface
++ * 4: NDIS
++ */
++ switch (ifnum) {
++ case 0:
++ dev_dbg(dev, "Quectel EC20 DM/DIAG interface found\n");
++ break;
++ case 1:
++ dev_dbg(dev, "Quectel EC20 NMEA GPS interface found\n");
++ break;
++ case 2:
++ case 3:
++ dev_dbg(dev, "Quectel EC20 Modem port found\n");
++ break;
++ case 4:
++ /* Don't claim the QMI/net interface */
++ altsetting = -1;
++ break;
++ }
++
++ return altsetting;
++}
++
+ static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id)
+ {
+ struct usb_host_interface *intf = serial->interface->cur_altsetting;
+@@ -178,6 +212,10 @@ static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id)
+ __u8 ifnum;
+ int altsetting = -1;
+
++ /* we only support vendor specific functions */
++ if (intf->desc.bInterfaceClass != USB_CLASS_VENDOR_SPEC)
++ goto done;
++
+ nintf = serial->dev->actconfig->desc.bNumInterfaces;
+ dev_dbg(dev, "Num Interfaces = %d\n", nintf);
+ ifnum = intf->desc.bInterfaceNumber;
+@@ -237,6 +275,12 @@ static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id)
+ altsetting = -1;
+ break;
+ case QCSERIAL_G2K:
++ /* handle non-standard layouts */
++ if (nintf == 5 && id->idProduct == QUECTEL_EC20_PID) {
++ altsetting = handle_quectel_ec20(dev, ifnum);
++ goto done;
++ }
++
+ /*
+ * Gobi 2K+ USB layout:
+ * 0: QMI/net
+@@ -297,29 +341,39 @@ static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id)
+ break;
+ case QCSERIAL_HWI:
+ /*
+- * Huawei layout:
+- * 0: AT-capable modem port
+- * 1: DM/DIAG
+- * 2: AT-capable modem port
+- * 3: CCID-compatible PCSC interface
+- * 4: QMI/net
+- * 5: NMEA
++ * Huawei devices map functions by subclass + protocol
++ * instead of interface numbers. The protocol identify
++ * a specific function, while the subclass indicate a
++ * specific firmware source
++ *
++ * This is a blacklist of functions known to be
++ * non-serial. The rest are assumed to be serial and
++ * will be handled by this driver
+ */
+- switch (ifnum) {
+- case 0:
+- case 2:
+- dev_dbg(dev, "Modem port found\n");
+- break;
+- case 1:
+- dev_dbg(dev, "DM/DIAG interface found\n");
+- break;
+- case 5:
+- dev_dbg(dev, "NMEA GPS interface found\n");
+- break;
+- default:
+- /* don't claim any unsupported interface */
++ switch (intf->desc.bInterfaceProtocol) {
++ /* QMI combined (qmi_wwan) */
++ case 0x07:
++ case 0x37:
++ case 0x67:
++ /* QMI data (qmi_wwan) */
++ case 0x08:
++ case 0x38:
++ case 0x68:
++ /* QMI control (qmi_wwan) */
++ case 0x09:
++ case 0x39:
++ case 0x69:
++ /* NCM like (huawei_cdc_ncm) */
++ case 0x16:
++ case 0x46:
++ case 0x76:
+ altsetting = -1;
+ break;
++ default:
++ dev_dbg(dev, "Huawei type serial port found (%02x/%02x/%02x)\n",
++ intf->desc.bInterfaceClass,
++ intf->desc.bInterfaceSubClass,
++ intf->desc.bInterfaceProtocol);
+ }
+ break;
+ default:
+diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c
+index e9da41d..2694df2 100644
+--- a/drivers/usb/serial/ti_usb_3410_5052.c
++++ b/drivers/usb/serial/ti_usb_3410_5052.c
+@@ -159,6 +159,7 @@ static const struct usb_device_id ti_id_table_3410[] = {
+ { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STEREO_PLUG_ID) },
+ { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STRIP_PORT_ID) },
+ { USB_DEVICE(TI_VENDOR_ID, FRI2_PRODUCT_ID) },
++ { USB_DEVICE(HONEYWELL_VENDOR_ID, HONEYWELL_HGI80_PRODUCT_ID) },
+ { } /* terminator */
+ };
+
+@@ -191,6 +192,7 @@ static const struct usb_device_id ti_id_table_combined[] = {
+ { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_PRODUCT_ID) },
+ { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STRIP_PORT_ID) },
+ { USB_DEVICE(TI_VENDOR_ID, FRI2_PRODUCT_ID) },
++ { USB_DEVICE(HONEYWELL_VENDOR_ID, HONEYWELL_HGI80_PRODUCT_ID) },
+ { } /* terminator */
+ };
+
+diff --git a/drivers/usb/serial/ti_usb_3410_5052.h b/drivers/usb/serial/ti_usb_3410_5052.h
+index 4a2423e..98f35c6 100644
+--- a/drivers/usb/serial/ti_usb_3410_5052.h
++++ b/drivers/usb/serial/ti_usb_3410_5052.h
+@@ -56,6 +56,10 @@
+ #define ABBOTT_PRODUCT_ID ABBOTT_STEREO_PLUG_ID
+ #define ABBOTT_STRIP_PORT_ID 0x3420
+
++/* Honeywell vendor and product IDs */
++#define HONEYWELL_VENDOR_ID 0x10ac
++#define HONEYWELL_HGI80_PRODUCT_ID 0x0102 /* Honeywell HGI80 */
++
+ /* Commands */
+ #define TI_GET_VERSION 0x01
+ #define TI_GET_PORT_STATUS 0x02
+diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
+index 96093ae..cdc3d33 100644
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -39,6 +39,7 @@
+ #include <asm/irq.h>
+ #include <asm/idle.h>
+ #include <asm/io_apic.h>
++#include <asm/i8259.h>
+ #include <asm/xen/pci.h>
+ #include <xen/page.h>
+ #endif
+@@ -420,7 +421,7 @@ static int __must_check xen_allocate_irq_gsi(unsigned gsi)
+ return xen_allocate_irq_dynamic();
+
+ /* Legacy IRQ descriptors are already allocated by the arch. */
+- if (gsi < NR_IRQS_LEGACY)
++ if (gsi < nr_legacy_irqs())
+ irq = gsi;
+ else
+ irq = irq_alloc_desc_at(gsi, -1);
+@@ -446,7 +447,7 @@ static void xen_free_irq(unsigned irq)
+ kfree(info);
+
+ /* Legacy IRQ descriptors are managed by the arch. */
+- if (irq < NR_IRQS_LEGACY)
++ if (irq < nr_legacy_irqs())
+ return;
+
+ irq_free_desc(irq);
+diff --git a/fs/proc/array.c b/fs/proc/array.c
+index ce065cf..57fde2d 100644
+--- a/fs/proc/array.c
++++ b/fs/proc/array.c
+@@ -372,7 +372,7 @@ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
+ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
+ struct pid *pid, struct task_struct *task, int whole)
+ {
+- unsigned long vsize, eip, esp, wchan = ~0UL;
++ unsigned long vsize, eip, esp, wchan = 0;
+ int priority, nice;
+ int tty_pgrp = -1, tty_nr = 0;
+ sigset_t sigign, sigcatch;
+@@ -504,7 +504,19 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
+ seq_put_decimal_ull(m, ' ', task->blocked.sig[0] & 0x7fffffffUL);
+ seq_put_decimal_ull(m, ' ', sigign.sig[0] & 0x7fffffffUL);
+ seq_put_decimal_ull(m, ' ', sigcatch.sig[0] & 0x7fffffffUL);
+- seq_put_decimal_ull(m, ' ', wchan);
++
++ /*
++ * We used to output the absolute kernel address, but that's an
++ * information leak - so instead we show a 0/1 flag here, to signal
++ * to user-space whether there's a wchan field in /proc/PID/wchan.
++ *
++ * This works with older implementations of procps as well.
++ */
++ if (wchan)
++ seq_puts(m, " 1");
++ else
++ seq_puts(m, " 0");
++
+ seq_put_decimal_ull(m, ' ', 0);
+ seq_put_decimal_ull(m, ' ', 0);
+ seq_put_decimal_ll(m, ' ', task->exit_signal);
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index aa50d1a..83a43c1 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -430,13 +430,10 @@ static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns,
+
+ wchan = get_wchan(task);
+
+- if (lookup_symbol_name(wchan, symname) < 0) {
+- if (!ptrace_may_access(task, PTRACE_MODE_READ))
+- return 0;
+- seq_printf(m, "%lu", wchan);
+- } else {
++ if (wchan && ptrace_may_access(task, PTRACE_MODE_READ) && !lookup_symbol_name(wchan, symname))
+ seq_printf(m, "%s", symname);
+- }
++ else
++ seq_putc(m, '0');
+
+ return 0;
+ }
+diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
+index 05e99b8..053f122 100644
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -436,6 +436,17 @@ static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i)
+ (vcpup = kvm_get_vcpu(kvm, idx)) != NULL; \
+ idx++)
+
++static inline struct kvm_vcpu *kvm_get_vcpu_by_id(struct kvm *kvm, int id)
++{
++ struct kvm_vcpu *vcpu;
++ int i;
++
++ kvm_for_each_vcpu(i, vcpu, kvm)
++ if (vcpu->vcpu_id == id)
++ return vcpu;
++ return NULL;
++}
++
+ #define kvm_for_each_memslot(memslot, slots) \
+ for (memslot = &slots->memslots[0]; \
+ memslot < slots->memslots + KVM_MEM_SLOTS_NUM && memslot->npages;\
+diff --git a/include/linux/tty.h b/include/linux/tty.h
+index ad6c891..342a760 100644
+--- a/include/linux/tty.h
++++ b/include/linux/tty.h
+@@ -605,7 +605,7 @@ extern void n_tty_inherit_ops(struct tty_ldisc_ops *ops);
+
+ /* tty_audit.c */
+ #ifdef CONFIG_AUDIT
+-extern void tty_audit_add_data(struct tty_struct *tty, unsigned char *data,
++extern void tty_audit_add_data(struct tty_struct *tty, const void *data,
+ size_t size, unsigned icanon);
+ extern void tty_audit_exit(void);
+ extern void tty_audit_fork(struct signal_struct *sig);
+@@ -613,8 +613,8 @@ extern void tty_audit_tiocsti(struct tty_struct *tty, char ch);
+ extern void tty_audit_push(struct tty_struct *tty);
+ extern int tty_audit_push_current(void);
+ #else
+-static inline void tty_audit_add_data(struct tty_struct *tty,
+- unsigned char *data, size_t size, unsigned icanon)
++static inline void tty_audit_add_data(struct tty_struct *tty, const void *data,
++ size_t size, unsigned icanon)
+ {
+ }
+ static inline void tty_audit_tiocsti(struct tty_struct *tty, char ch)
+diff --git a/include/net/inet_common.h b/include/net/inet_common.h
+index 279f835..109e3ee 100644
+--- a/include/net/inet_common.h
++++ b/include/net/inet_common.h
+@@ -41,7 +41,8 @@ int inet_recv_error(struct sock *sk, struct msghdr *msg, int len,
+
+ static inline void inet_ctl_sock_destroy(struct sock *sk)
+ {
+- sock_release(sk->sk_socket);
++ if (sk)
++ sock_release(sk->sk_socket);
+ }
+
+ #endif
+diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
+index 5fa643b..ff6d78f 100644
+--- a/include/net/ip_fib.h
++++ b/include/net/ip_fib.h
+@@ -306,7 +306,7 @@ void fib_flush_external(struct net *net);
+
+ /* Exported by fib_semantics.c */
+ int ip_fib_check_default(__be32 gw, struct net_device *dev);
+-int fib_sync_down_dev(struct net_device *dev, unsigned long event);
++int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force);
+ int fib_sync_down_addr(struct net *net, __be32 local);
+ int fib_sync_up(struct net_device *dev, unsigned int nh_flags);
+ void fib_select_multipath(struct fib_result *res);
+diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
+index f1a117f..0bec458 100644
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -401,6 +401,20 @@ static void hidp_idle_timeout(unsigned long arg)
+ {
+ struct hidp_session *session = (struct hidp_session *) arg;
+
++ /* The HIDP user-space API only contains calls to add and remove
++ * devices. There is no way to forward events of any kind. Therefore,
++ * we have to forcefully disconnect a device on idle-timeouts. This is
++ * unfortunate and weird API design, but it is spec-compliant and
++ * required for backwards-compatibility. Hence, on idle-timeout, we
++ * signal driver-detach events, so poll() will be woken up with an
++ * error-condition on both sockets.
++ */
++
++ session->intr_sock->sk->sk_err = EUNATCH;
++ session->ctrl_sock->sk->sk_err = EUNATCH;
++ wake_up_interruptible(sk_sleep(session->intr_sock->sk));
++ wake_up_interruptible(sk_sleep(session->ctrl_sock->sk));
++
+ hidp_session_terminate(session);
+ }
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 92720f3..e32a9e4 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -3090,6 +3090,11 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
+ } else {
+ u8 addr_type;
+
++ if (cp->addr.type == BDADDR_LE_PUBLIC)
++ addr_type = ADDR_LE_DEV_PUBLIC;
++ else
++ addr_type = ADDR_LE_DEV_RANDOM;
++
+ conn = hci_conn_hash_lookup_ba(hdev, LE_LINK,
+ &cp->addr.bdaddr);
+ if (conn) {
+@@ -3105,13 +3110,10 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
+ */
+ if (!cp->disconnect)
+ conn = NULL;
++ } else {
++ hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type);
+ }
+
+- if (cp->addr.type == BDADDR_LE_PUBLIC)
+- addr_type = ADDR_LE_DEV_PUBLIC;
+- else
+- addr_type = ADDR_LE_DEV_RANDOM;
+-
+ hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type);
+
+ err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type);
+diff --git a/net/core/dst.c b/net/core/dst.c
+index 002144be..cc4a086 100644
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -287,7 +287,7 @@ void dst_release(struct dst_entry *dst)
+ if (unlikely(newrefcnt < 0))
+ net_warn_ratelimited("%s: dst:%p refcnt:%d\n",
+ __func__, dst, newrefcnt);
+- if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt)
++ if (!newrefcnt && unlikely(dst->flags & DST_NOCACHE))
+ call_rcu(&dst->rcu_head, dst_destroy_rcu);
+ }
+ }
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index 6bbc549..d7116cf 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -1063,9 +1063,10 @@ static void nl_fib_lookup_exit(struct net *net)
+ net->ipv4.fibnl = NULL;
+ }
+
+-static void fib_disable_ip(struct net_device *dev, unsigned long event)
++static void fib_disable_ip(struct net_device *dev, unsigned long event,
++ bool force)
+ {
+- if (fib_sync_down_dev(dev, event))
++ if (fib_sync_down_dev(dev, event, force))
+ fib_flush(dev_net(dev));
+ rt_cache_flush(dev_net(dev));
+ arp_ifdown(dev);
+@@ -1093,7 +1094,7 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
+ /* Last address was deleted from this interface.
+ * Disable IP.
+ */
+- fib_disable_ip(dev, event);
++ fib_disable_ip(dev, event, true);
+ } else {
+ rt_cache_flush(dev_net(dev));
+ }
+@@ -1110,7 +1111,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
+ unsigned int flags;
+
+ if (event == NETDEV_UNREGISTER) {
+- fib_disable_ip(dev, event);
++ fib_disable_ip(dev, event, true);
+ rt_flush_dev(dev);
+ return NOTIFY_DONE;
+ }
+@@ -1131,14 +1132,14 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
+ rt_cache_flush(net);
+ break;
+ case NETDEV_DOWN:
+- fib_disable_ip(dev, event);
++ fib_disable_ip(dev, event, false);
+ break;
+ case NETDEV_CHANGE:
+ flags = dev_get_flags(dev);
+ if (flags & (IFF_RUNNING | IFF_LOWER_UP))
+ fib_sync_up(dev, RTNH_F_LINKDOWN);
+ else
+- fib_sync_down_dev(dev, event);
++ fib_sync_down_dev(dev, event, false);
+ /* fall through */
+ case NETDEV_CHANGEMTU:
+ rt_cache_flush(net);
+diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
+index 3a06586..71bad5c 100644
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -1132,7 +1132,13 @@ int fib_sync_down_addr(struct net *net, __be32 local)
+ return ret;
+ }
+
+-int fib_sync_down_dev(struct net_device *dev, unsigned long event)
++/* Event force Flags Description
++ * NETDEV_CHANGE 0 LINKDOWN Carrier OFF, not for scope host
++ * NETDEV_DOWN 0 LINKDOWN|DEAD Link down, not for scope host
++ * NETDEV_DOWN 1 LINKDOWN|DEAD Last address removed
++ * NETDEV_UNREGISTER 1 LINKDOWN|DEAD Device removed
++ */
++int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force)
+ {
+ int ret = 0;
+ int scope = RT_SCOPE_NOWHERE;
+@@ -1141,8 +1147,7 @@ int fib_sync_down_dev(struct net_device *dev, unsigned long event)
+ struct hlist_head *head = &fib_info_devhash[hash];
+ struct fib_nh *nh;
+
+- if (event == NETDEV_UNREGISTER ||
+- event == NETDEV_DOWN)
++ if (force)
+ scope = -1;
+
+ hlist_for_each_entry(nh, head, nh_hash) {
+@@ -1291,6 +1296,13 @@ int fib_sync_up(struct net_device *dev, unsigned int nh_flags)
+ if (!(dev->flags & IFF_UP))
+ return 0;
+
++ if (nh_flags & RTNH_F_DEAD) {
++ unsigned int flags = dev_get_flags(dev);
++
++ if (flags & (IFF_RUNNING | IFF_LOWER_UP))
++ nh_flags |= RTNH_F_LINKDOWN;
++ }
++
+ prev_fi = NULL;
+ hash = fib_devindex_hashfn(dev->ifindex);
+ head = &fib_info_devhash[hash];
+diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
+index b0c6258..ea3aedb 100644
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -1561,7 +1561,7 @@ static struct key_vector *leaf_walk_rcu(struct key_vector **tn, t_key key)
+ do {
+ /* record parent and next child index */
+ pn = n;
+- cindex = key ? get_index(key, pn) : 0;
++ cindex = (key > pn->key) ? get_index(key, pn) : 0;
+
+ if (cindex >> pn->bits)
+ break;
+diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c
+index 5aa46d4..5a8ee32 100644
+--- a/net/ipv4/gre_offload.c
++++ b/net/ipv4/gre_offload.c
+@@ -36,7 +36,8 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb,
+ SKB_GSO_TCP_ECN |
+ SKB_GSO_GRE |
+ SKB_GSO_GRE_CSUM |
+- SKB_GSO_IPIP)))
++ SKB_GSO_IPIP |
++ SKB_GSO_SIT)))
+ goto out;
+
+ if (!skb->encapsulation)
+diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
+index 3a2c016..df28693 100644
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -1683,8 +1683,8 @@ static inline int ipmr_forward_finish(struct sock *sk, struct sk_buff *skb)
+ {
+ struct ip_options *opt = &(IPCB(skb)->opt);
+
+- IP_INC_STATS_BH(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTFORWDATAGRAMS);
+- IP_ADD_STATS_BH(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTOCTETS, skb->len);
++ IP_INC_STATS(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTFORWDATAGRAMS);
++ IP_ADD_STATS(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTOCTETS, skb->len);
+
+ if (unlikely(opt->optlen))
+ ip_forward_options(skb);
+@@ -1746,7 +1746,7 @@ static void ipmr_queue_xmit(struct net *net, struct mr_table *mrt,
+ * to blackhole.
+ */
+
+- IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_FRAGFAILS);
++ IP_INC_STATS(dev_net(dev), IPSTATS_MIB_FRAGFAILS);
+ ip_rt_put(rt);
+ goto out_free;
+ }
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 0330ab2..a1442c5 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -47,14 +47,14 @@ static void set_local_port_range(struct net *net, int range[2])
+ {
+ bool same_parity = !((range[0] ^ range[1]) & 1);
+
+- write_seqlock(&net->ipv4.ip_local_ports.lock);
++ write_seqlock_bh(&net->ipv4.ip_local_ports.lock);
+ if (same_parity && !net->ipv4.ip_local_ports.warned) {
+ net->ipv4.ip_local_ports.warned = true;
+ pr_err_ratelimited("ip_local_port_range: prefer different parity for start/end values.\n");
+ }
+ net->ipv4.ip_local_ports.range[0] = range[0];
+ net->ipv4.ip_local_ports.range[1] = range[1];
+- write_sequnlock(&net->ipv4.ip_local_ports.lock);
++ write_sequnlock_bh(&net->ipv4.ip_local_ports.lock);
+ }
+
+ /* Validate changes from /proc interface. */
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index b7dedd9..747a4c4 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -3406,7 +3406,7 @@ static int tcp_xmit_probe_skb(struct sock *sk, int urgent, int mib)
+ */
+ tcp_init_nondata_skb(skb, tp->snd_una - !urgent, TCPHDR_ACK);
+ skb_mstamp_get(&skb->skb_mstamp);
+- NET_INC_STATS_BH(sock_net(sk), mib);
++ NET_INC_STATS(sock_net(sk), mib);
+ return tcp_transmit_skb(sk, skb, 0, GFP_ATOMIC);
+ }
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 21c2c81..c8c1fea 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -411,6 +411,7 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev)
+ if (err) {
+ ipv6_mc_destroy_dev(ndev);
+ del_timer(&ndev->regen_timer);
++ snmp6_unregister_dev(ndev);
+ goto err_release;
+ }
+ /* protected by rtnl_lock */
+diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
+index ac35a28..85c4b2f 100644
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1394,34 +1394,20 @@ static int ipip6_tunnel_init(struct net_device *dev)
+ return 0;
+ }
+
+-static int __net_init ipip6_fb_tunnel_init(struct net_device *dev)
++static void __net_init ipip6_fb_tunnel_init(struct net_device *dev)
+ {
+ struct ip_tunnel *tunnel = netdev_priv(dev);
+ struct iphdr *iph = &tunnel->parms.iph;
+ struct net *net = dev_net(dev);
+ struct sit_net *sitn = net_generic(net, sit_net_id);
+
+- tunnel->dev = dev;
+- tunnel->net = dev_net(dev);
+-
+ iph->version = 4;
+ iph->protocol = IPPROTO_IPV6;
+ iph->ihl = 5;
+ iph->ttl = 64;
+
+- dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
+- if (!dev->tstats)
+- return -ENOMEM;
+-
+- tunnel->dst_cache = alloc_percpu(struct ip_tunnel_dst);
+- if (!tunnel->dst_cache) {
+- free_percpu(dev->tstats);
+- return -ENOMEM;
+- }
+-
+ dev_hold(dev);
+ rcu_assign_pointer(sitn->tunnels_wc[0], tunnel);
+- return 0;
+ }
+
+ static int ipip6_validate(struct nlattr *tb[], struct nlattr *data[])
+@@ -1831,23 +1817,19 @@ static int __net_init sit_init_net(struct net *net)
+ */
+ sitn->fb_tunnel_dev->features |= NETIF_F_NETNS_LOCAL;
+
+- err = ipip6_fb_tunnel_init(sitn->fb_tunnel_dev);
+- if (err)
+- goto err_dev_free;
+-
+- ipip6_tunnel_clone_6rd(sitn->fb_tunnel_dev, sitn);
+ err = register_netdev(sitn->fb_tunnel_dev);
+ if (err)
+ goto err_reg_dev;
+
++ ipip6_tunnel_clone_6rd(sitn->fb_tunnel_dev, sitn);
++ ipip6_fb_tunnel_init(sitn->fb_tunnel_dev);
++
+ t = netdev_priv(sitn->fb_tunnel_dev);
+
+ strcpy(t->parms.name, sitn->fb_tunnel_dev->name);
+ return 0;
+
+ err_reg_dev:
+- dev_put(sitn->fb_tunnel_dev);
+-err_dev_free:
+ ipip6_dev_free(sitn->fb_tunnel_dev);
+ err_alloc_dev:
+ return err;
+diff --git a/net/irda/irlmp.c b/net/irda/irlmp.c
+index a26c401..4396459 100644
+--- a/net/irda/irlmp.c
++++ b/net/irda/irlmp.c
+@@ -1839,7 +1839,7 @@ static void *irlmp_seq_hb_idx(struct irlmp_iter_state *iter, loff_t *off)
+ for (element = hashbin_get_first(iter->hashbin);
+ element != NULL;
+ element = hashbin_get_next(iter->hashbin)) {
+- if (!off || *off-- == 0) {
++ if (!off || (*off)-- == 0) {
+ /* NB: hashbin left locked */
+ return element;
+ }
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 9b2cc27..33bf779 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -3378,7 +3378,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
+
+ if (ifmgd->rssi_min_thold != ifmgd->rssi_max_thold &&
+ ifmgd->count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT) {
+- int sig = ifmgd->ave_beacon_signal;
++ int sig = ifmgd->ave_beacon_signal / 16;
+ int last_sig = ifmgd->last_ave_beacon_signal;
+ struct ieee80211_event event = {
+ .type = RSSI_EVENT,
+@@ -4999,6 +4999,25 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata,
+ return 0;
+ }
+
++ if (ifmgd->assoc_data &&
++ ether_addr_equal(ifmgd->assoc_data->bss->bssid, req->bssid)) {
++ sdata_info(sdata,
++ "aborting association with %pM by local choice (Reason: %u=%s)\n",
++ req->bssid, req->reason_code,
++ ieee80211_get_reason_code_string(req->reason_code));
++
++ drv_mgd_prepare_tx(sdata->local, sdata);
++ ieee80211_send_deauth_disassoc(sdata, req->bssid,
++ IEEE80211_STYPE_DEAUTH,
++ req->reason_code, tx,
++ frame_buf);
++ ieee80211_destroy_assoc_data(sdata, false);
++ ieee80211_report_disconnect(sdata, frame_buf,
++ sizeof(frame_buf), true,
++ req->reason_code);
++ return 0;
++ }
++
+ if (ifmgd->associated &&
+ ether_addr_equal(ifmgd->associated->bssid, req->bssid)) {
+ sdata_info(sdata,
+diff --git a/net/mac80211/trace.h b/net/mac80211/trace.h
+index 6f14591..0b13bfa 100644
+--- a/net/mac80211/trace.h
++++ b/net/mac80211/trace.h
+@@ -33,11 +33,11 @@
+ __field(u32, chan_width) \
+ __field(u32, center_freq1) \
+ __field(u32, center_freq2)
+-#define CHANDEF_ASSIGN(c) \
+- __entry->control_freq = (c)->chan ? (c)->chan->center_freq : 0; \
+- __entry->chan_width = (c)->width; \
+- __entry->center_freq1 = (c)->center_freq1; \
+- __entry->center_freq2 = (c)->center_freq2;
++#define CHANDEF_ASSIGN(c) \
++ __entry->control_freq = (c) ? ((c)->chan ? (c)->chan->center_freq : 0) : 0; \
++ __entry->chan_width = (c) ? (c)->width : 0; \
++ __entry->center_freq1 = (c) ? (c)->center_freq1 : 0; \
++ __entry->center_freq2 = (c) ? (c)->center_freq2 : 0;
+ #define CHANDEF_PR_FMT " control:%d MHz width:%d center: %d/%d MHz"
+ #define CHANDEF_PR_ARG __entry->control_freq, __entry->chan_width, \
+ __entry->center_freq1, __entry->center_freq2
+diff --git a/net/mac80211/util.c b/net/mac80211/util.c
+index 43e5aad..f5fa8c0 100644
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -2984,6 +2984,13 @@ ieee80211_extend_noa_desc(struct ieee80211_noa_data *data, u32 tsf, int i)
+ if (end > 0)
+ return false;
+
++ /* One shot NOA */
++ if (data->count[i] == 1)
++ return false;
++
++ if (data->desc[i].interval == 0)
++ return false;
++
+ /* End time is in the past, check for repetitions */
+ skip = DIV_ROUND_UP(-end, data->desc[i].interval);
+ if (data->count[i] < 255) {
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index a133d16..8b158f7 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2346,7 +2346,7 @@ static int netlink_getsockopt(struct socket *sock, int level, int optname,
+ int pos, idx, shift;
+
+ err = 0;
+- netlink_table_grab();
++ netlink_lock_table();
+ for (pos = 0; pos * 8 < nlk->ngroups; pos += sizeof(u32)) {
+ if (len - pos < sizeof(u32))
+ break;
+@@ -2361,7 +2361,7 @@ static int netlink_getsockopt(struct socket *sock, int level, int optname,
+ }
+ if (put_user(ALIGN(nlk->ngroups / 8, sizeof(u32)), optlen))
+ err = -EFAULT;
+- netlink_table_ungrab();
++ netlink_unlock_table();
+ break;
+ }
+ default:
+diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c
+index 609f922..30b09f0 100644
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -101,6 +101,20 @@ struct nci_hcp_packet {
+ #define NCI_HCP_MSG_GET_CMD(header) (header & 0x3f)
+ #define NCI_HCP_MSG_GET_PIPE(header) (header & 0x7f)
+
++static int nci_hci_result_to_errno(u8 result)
++{
++ switch (result) {
++ case NCI_HCI_ANY_OK:
++ return 0;
++ case NCI_HCI_ANY_E_REG_PAR_UNKNOWN:
++ return -EOPNOTSUPP;
++ case NCI_HCI_ANY_E_TIMEOUT:
++ return -ETIME;
++ default:
++ return -1;
++ }
++}
++
+ /* HCI core */
+ static void nci_hci_reset_pipes(struct nci_hci_dev *hdev)
+ {
+@@ -146,18 +160,18 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe,
+ if (!conn_info)
+ return -EPROTO;
+
+- skb = nci_skb_alloc(ndev, 2 + conn_info->max_pkt_payload_len +
++ i = 0;
++ skb = nci_skb_alloc(ndev, conn_info->max_pkt_payload_len +
+ NCI_DATA_HDR_SIZE, GFP_KERNEL);
+ if (!skb)
+ return -ENOMEM;
+
+- skb_reserve(skb, 2 + NCI_DATA_HDR_SIZE);
++ skb_reserve(skb, NCI_DATA_HDR_SIZE + 2);
+ *skb_push(skb, 1) = data_type;
+
+- i = 0;
+- len = conn_info->max_pkt_payload_len;
+-
+ do {
++ len = conn_info->max_pkt_payload_len;
++
+ /* If last packet add NCI_HFP_NO_CHAINING */
+ if (i + conn_info->max_pkt_payload_len -
+ (skb->len + 1) >= data_len) {
+@@ -177,9 +191,15 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe,
+ return r;
+
+ i += len;
++
+ if (i < data_len) {
+- skb_trim(skb, 0);
+- skb_pull(skb, len);
++ skb = nci_skb_alloc(ndev,
++ conn_info->max_pkt_payload_len +
++ NCI_DATA_HDR_SIZE, GFP_KERNEL);
++ if (!skb)
++ return -ENOMEM;
++
++ skb_reserve(skb, NCI_DATA_HDR_SIZE + 1);
+ }
+ } while (i < data_len);
+
+@@ -212,7 +232,8 @@ int nci_hci_send_cmd(struct nci_dev *ndev, u8 gate, u8 cmd,
+ const u8 *param, size_t param_len,
+ struct sk_buff **skb)
+ {
+- struct nci_conn_info *conn_info;
++ struct nci_hcp_message *message;
++ struct nci_conn_info *conn_info;
+ struct nci_data data;
+ int r;
+ u8 pipe = ndev->hci_dev->gate2pipe[gate];
+@@ -232,9 +253,15 @@ int nci_hci_send_cmd(struct nci_dev *ndev, u8 gate, u8 cmd,
+
+ r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data,
+ msecs_to_jiffies(NCI_DATA_TIMEOUT));
+-
+- if (r == NCI_STATUS_OK && skb)
+- *skb = conn_info->rx_skb;
++ if (r == NCI_STATUS_OK) {
++ message = (struct nci_hcp_message *)conn_info->rx_skb->data;
++ r = nci_hci_result_to_errno(
++ NCI_HCP_MSG_GET_CMD(message->header));
++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN);
++
++ if (!r && skb)
++ *skb = conn_info->rx_skb;
++ }
+
+ return r;
+ }
+@@ -328,9 +355,6 @@ static void nci_hci_resp_received(struct nci_dev *ndev, u8 pipe,
+ struct nci_conn_info *conn_info;
+ u8 status = result;
+
+- if (result != NCI_HCI_ANY_OK)
+- goto exit;
+-
+ conn_info = ndev->hci_dev->conn_info;
+ if (!conn_info) {
+ status = NCI_STATUS_REJECTED;
+@@ -340,7 +364,7 @@ static void nci_hci_resp_received(struct nci_dev *ndev, u8 pipe,
+ conn_info->rx_skb = skb;
+
+ exit:
+- nci_req_complete(ndev, status);
++ nci_req_complete(ndev, NCI_STATUS_OK);
+ }
+
+ /* Receive hcp message for pipe, with type and cmd.
+@@ -378,7 +402,7 @@ static void nci_hci_msg_rx_work(struct work_struct *work)
+ u8 pipe, type, instruction;
+
+ while ((skb = skb_dequeue(&hdev->msg_rx_queue)) != NULL) {
+- pipe = skb->data[0];
++ pipe = NCI_HCP_MSG_GET_PIPE(skb->data[0]);
+ skb_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN);
+ message = (struct nci_hcp_message *)skb->data;
+ type = NCI_HCP_MSG_GET_TYPE(message->header);
+@@ -395,7 +419,7 @@ void nci_hci_data_received_cb(void *context,
+ {
+ struct nci_dev *ndev = (struct nci_dev *)context;
+ struct nci_hcp_packet *packet;
+- u8 pipe, type, instruction;
++ u8 pipe, type;
+ struct sk_buff *hcp_skb;
+ struct sk_buff *frag_skb;
+ int msg_len;
+@@ -415,7 +439,7 @@ void nci_hci_data_received_cb(void *context,
+
+ /* it's the last fragment. Does it need re-aggregation? */
+ if (skb_queue_len(&ndev->hci_dev->rx_hcp_frags)) {
+- pipe = packet->header & NCI_HCI_FRAGMENT;
++ pipe = NCI_HCP_MSG_GET_PIPE(packet->header);
+ skb_queue_tail(&ndev->hci_dev->rx_hcp_frags, skb);
+
+ msg_len = 0;
+@@ -434,7 +458,7 @@ void nci_hci_data_received_cb(void *context,
+ *skb_put(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN) = pipe;
+
+ skb_queue_walk(&ndev->hci_dev->rx_hcp_frags, frag_skb) {
+- msg_len = frag_skb->len - NCI_HCI_HCP_PACKET_HEADER_LEN;
++ msg_len = frag_skb->len - NCI_HCI_HCP_PACKET_HEADER_LEN;
+ memcpy(skb_put(hcp_skb, msg_len), frag_skb->data +
+ NCI_HCI_HCP_PACKET_HEADER_LEN, msg_len);
+ }
+@@ -452,11 +476,10 @@ void nci_hci_data_received_cb(void *context,
+ packet = (struct nci_hcp_packet *)hcp_skb->data;
+ type = NCI_HCP_MSG_GET_TYPE(packet->message.header);
+ if (type == NCI_HCI_HCP_RESPONSE) {
+- pipe = packet->header;
+- instruction = NCI_HCP_MSG_GET_CMD(packet->message.header);
+- skb_pull(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN +
+- NCI_HCI_HCP_MESSAGE_HEADER_LEN);
+- nci_hci_hcp_message_rx(ndev, pipe, type, instruction, hcp_skb);
++ pipe = NCI_HCP_MSG_GET_PIPE(packet->header);
++ skb_pull(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN);
++ nci_hci_hcp_message_rx(ndev, pipe, type,
++ NCI_STATUS_OK, hcp_skb);
+ } else {
+ skb_queue_tail(&ndev->hci_dev->msg_rx_queue, hcp_skb);
+ schedule_work(&ndev->hci_dev->msg_rx_work);
+@@ -488,6 +511,7 @@ EXPORT_SYMBOL(nci_hci_open_pipe);
+ int nci_hci_set_param(struct nci_dev *ndev, u8 gate, u8 idx,
+ const u8 *param, size_t param_len)
+ {
++ struct nci_hcp_message *message;
+ struct nci_conn_info *conn_info;
+ struct nci_data data;
+ int r;
+@@ -520,6 +544,12 @@ int nci_hci_set_param(struct nci_dev *ndev, u8 gate, u8 idx,
+ r = nci_request(ndev, nci_hci_send_data_req,
+ (unsigned long)&data,
+ msecs_to_jiffies(NCI_DATA_TIMEOUT));
++ if (r == NCI_STATUS_OK) {
++ message = (struct nci_hcp_message *)conn_info->rx_skb->data;
++ r = nci_hci_result_to_errno(
++ NCI_HCP_MSG_GET_CMD(message->header));
++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN);
++ }
+
+ kfree(tmp);
+ return r;
+@@ -529,6 +559,7 @@ EXPORT_SYMBOL(nci_hci_set_param);
+ int nci_hci_get_param(struct nci_dev *ndev, u8 gate, u8 idx,
+ struct sk_buff **skb)
+ {
++ struct nci_hcp_message *message;
+ struct nci_conn_info *conn_info;
+ struct nci_data data;
+ int r;
+@@ -553,8 +584,15 @@ int nci_hci_get_param(struct nci_dev *ndev, u8 gate, u8 idx,
+ r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data,
+ msecs_to_jiffies(NCI_DATA_TIMEOUT));
+
+- if (r == NCI_STATUS_OK)
+- *skb = conn_info->rx_skb;
++ if (r == NCI_STATUS_OK) {
++ message = (struct nci_hcp_message *)conn_info->rx_skb->data;
++ r = nci_hci_result_to_errno(
++ NCI_HCP_MSG_GET_CMD(message->header));
++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN);
++
++ if (!r && skb)
++ *skb = conn_info->rx_skb;
++ }
+
+ return r;
+ }
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 7851b12..71cb085 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2784,22 +2784,40 @@ static int packet_release(struct socket *sock)
+ * Attach a packet hook.
+ */
+
+-static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 proto)
++static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
++ __be16 proto)
+ {
+ struct packet_sock *po = pkt_sk(sk);
+ struct net_device *dev_curr;
+ __be16 proto_curr;
+ bool need_rehook;
++ struct net_device *dev = NULL;
++ int ret = 0;
++ bool unlisted = false;
+
+- if (po->fanout) {
+- if (dev)
+- dev_put(dev);
+-
++ if (po->fanout)
+ return -EINVAL;
+- }
+
+ lock_sock(sk);
+ spin_lock(&po->bind_lock);
++ rcu_read_lock();
++
++ if (name) {
++ dev = dev_get_by_name_rcu(sock_net(sk), name);
++ if (!dev) {
++ ret = -ENODEV;
++ goto out_unlock;
++ }
++ } else if (ifindex) {
++ dev = dev_get_by_index_rcu(sock_net(sk), ifindex);
++ if (!dev) {
++ ret = -ENODEV;
++ goto out_unlock;
++ }
++ }
++
++ if (dev)
++ dev_hold(dev);
+
+ proto_curr = po->prot_hook.type;
+ dev_curr = po->prot_hook.dev;
+@@ -2807,14 +2825,29 @@ static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 proto)
+ need_rehook = proto_curr != proto || dev_curr != dev;
+
+ if (need_rehook) {
+- unregister_prot_hook(sk, true);
++ if (po->running) {
++ rcu_read_unlock();
++ __unregister_prot_hook(sk, true);
++ rcu_read_lock();
++ dev_curr = po->prot_hook.dev;
++ if (dev)
++ unlisted = !dev_get_by_index_rcu(sock_net(sk),
++ dev->ifindex);
++ }
+
+ po->num = proto;
+ po->prot_hook.type = proto;
+- po->prot_hook.dev = dev;
+
+- po->ifindex = dev ? dev->ifindex : 0;
+- packet_cached_dev_assign(po, dev);
++ if (unlikely(unlisted)) {
++ dev_put(dev);
++ po->prot_hook.dev = NULL;
++ po->ifindex = -1;
++ packet_cached_dev_reset(po);
++ } else {
++ po->prot_hook.dev = dev;
++ po->ifindex = dev ? dev->ifindex : 0;
++ packet_cached_dev_assign(po, dev);
++ }
+ }
+ if (dev_curr)
+ dev_put(dev_curr);
+@@ -2822,7 +2855,7 @@ static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 proto)
+ if (proto == 0 || !need_rehook)
+ goto out_unlock;
+
+- if (!dev || (dev->flags & IFF_UP)) {
++ if (!unlisted && (!dev || (dev->flags & IFF_UP))) {
+ register_prot_hook(sk);
+ } else {
+ sk->sk_err = ENETDOWN;
+@@ -2831,9 +2864,10 @@ static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 proto)
+ }
+
+ out_unlock:
++ rcu_read_unlock();
+ spin_unlock(&po->bind_lock);
+ release_sock(sk);
+- return 0;
++ return ret;
+ }
+
+ /*
+@@ -2845,8 +2879,6 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr,
+ {
+ struct sock *sk = sock->sk;
+ char name[15];
+- struct net_device *dev;
+- int err = -ENODEV;
+
+ /*
+ * Check legality
+@@ -2856,19 +2888,13 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr,
+ return -EINVAL;
+ strlcpy(name, uaddr->sa_data, sizeof(name));
+
+- dev = dev_get_by_name(sock_net(sk), name);
+- if (dev)
+- err = packet_do_bind(sk, dev, pkt_sk(sk)->num);
+- return err;
++ return packet_do_bind(sk, name, 0, pkt_sk(sk)->num);
+ }
+
+ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+ {
+ struct sockaddr_ll *sll = (struct sockaddr_ll *)uaddr;
+ struct sock *sk = sock->sk;
+- struct net_device *dev = NULL;
+- int err;
+-
+
+ /*
+ * Check legality
+@@ -2879,16 +2905,8 @@ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len
+ if (sll->sll_family != AF_PACKET)
+ return -EINVAL;
+
+- if (sll->sll_ifindex) {
+- err = -ENODEV;
+- dev = dev_get_by_index(sock_net(sk), sll->sll_ifindex);
+- if (dev == NULL)
+- goto out;
+- }
+- err = packet_do_bind(sk, dev, sll->sll_protocol ? : pkt_sk(sk)->num);
+-
+-out:
+- return err;
++ return packet_do_bind(sk, NULL, sll->sll_ifindex,
++ sll->sll_protocol ? : pkt_sk(sk)->num);
+ }
+
+ static struct proto packet_proto = {
+diff --git a/net/rds/connection.c b/net/rds/connection.c
+index da6da57..9d66705 100644
+--- a/net/rds/connection.c
++++ b/net/rds/connection.c
+@@ -187,6 +187,12 @@ new_conn:
+ }
+ }
+
++ if (trans == NULL) {
++ kmem_cache_free(rds_conn_slab, conn);
++ conn = ERR_PTR(-ENODEV);
++ goto out;
++ }
++
+ conn->c_trans = trans;
+
+ ret = trans->conn_alloc(conn, gfp);
+diff --git a/net/rds/tcp_recv.c b/net/rds/tcp_recv.c
+index fbc5ef8..27a9921 100644
+--- a/net/rds/tcp_recv.c
++++ b/net/rds/tcp_recv.c
+@@ -214,8 +214,15 @@ static int rds_tcp_data_recv(read_descriptor_t *desc, struct sk_buff *skb,
+ }
+
+ to_copy = min(tc->t_tinc_data_rem, left);
+- pskb_pull(clone, offset);
+- pskb_trim(clone, to_copy);
++ if (!pskb_pull(clone, offset) ||
++ pskb_trim(clone, to_copy)) {
++ pr_warn("rds_tcp_data_recv: pull/trim failed "
++ "left %zu data_rem %zu skb_len %d\n",
++ left, tc->t_tinc_data_rem, skb->len);
++ kfree_skb(clone);
++ desc->error = -ENOMEM;
++ goto out;
++ }
+ skb_queue_tail(&tinc->ti_skb_list, clone);
+
+ rdsdebug("skb %p data %p len %d off %u to_copy %zu -> "
+diff --git a/net/tipc/msg.c b/net/tipc/msg.c
+index 08b4cc7..b3a3931 100644
+--- a/net/tipc/msg.c
++++ b/net/tipc/msg.c
+@@ -121,7 +121,7 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
+ {
+ struct sk_buff *head = *headbuf;
+ struct sk_buff *frag = *buf;
+- struct sk_buff *tail;
++ struct sk_buff *tail = NULL;
+ struct tipc_msg *msg;
+ u32 fragid;
+ int delta;
+@@ -141,9 +141,15 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
+ if (unlikely(skb_unclone(frag, GFP_ATOMIC)))
+ goto err;
+ head = *headbuf = frag;
+- skb_frag_list_init(head);
+- TIPC_SKB_CB(head)->tail = NULL;
+ *buf = NULL;
++ TIPC_SKB_CB(head)->tail = NULL;
++ if (skb_is_nonlinear(head)) {
++ skb_walk_frags(head, tail) {
++ TIPC_SKB_CB(head)->tail = tail;
++ }
++ } else {
++ skb_frag_list_init(head);
++ }
+ return 0;
+ }
+
+diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
+index 66deebc..f8dfee5 100644
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -48,6 +48,7 @@
+ #include <linux/tipc_netlink.h>
+ #include "core.h"
+ #include "bearer.h"
++#include "msg.h"
+
+ /* IANA assigned UDP port */
+ #define UDP_PORT_DEFAULT 6118
+@@ -216,6 +217,10 @@ static int tipc_udp_recv(struct sock *sk, struct sk_buff *skb)
+ {
+ struct udp_bearer *ub;
+ struct tipc_bearer *b;
++ int usr = msg_user(buf_msg(skb));
++
++ if ((usr == LINK_PROTOCOL) || (usr == NAME_DISTRIBUTOR))
++ skb_linearize(skb);
+
+ ub = rcu_dereference_sk_user_data(sk);
+ if (!ub) {
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 76b4157..d059cf3 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3408,12 +3408,6 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
+ wdev->iftype))
+ return -EINVAL;
+
+- if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
+- params.acl = parse_acl_data(&rdev->wiphy, info);
+- if (IS_ERR(params.acl))
+- return PTR_ERR(params.acl);
+- }
+-
+ if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
+ params.smps_mode =
+ nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
+@@ -3437,6 +3431,12 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
+ params.smps_mode = NL80211_SMPS_OFF;
+ }
+
++ if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
++ params.acl = parse_acl_data(&rdev->wiphy, info);
++ if (IS_ERR(params.acl))
++ return PTR_ERR(params.acl);
++ }
++
+ wdev_lock(wdev);
+ err = rdev_start_ap(rdev, dev, &params);
+ if (!err) {
+diff --git a/sound/usb/midi.c b/sound/usb/midi.c
+index 417ebb1..bec63e0 100644
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -174,6 +174,8 @@ struct snd_usb_midi_in_endpoint {
+ u8 running_status_length;
+ } ports[0x10];
+ u8 seen_f5;
++ bool in_sysex;
++ u8 last_cin;
+ u8 error_resubmit;
+ int current_port;
+ };
+@@ -468,6 +470,39 @@ static void snd_usbmidi_maudio_broken_running_status_input(
+ }
+
+ /*
++ * QinHeng CH345 is buggy: every second packet inside a SysEx has not CIN 4
++ * but the previously seen CIN, but still with three data bytes.
++ */
++static void ch345_broken_sysex_input(struct snd_usb_midi_in_endpoint *ep,
++ uint8_t *buffer, int buffer_length)
++{
++ unsigned int i, cin, length;
++
++ for (i = 0; i + 3 < buffer_length; i += 4) {
++ if (buffer[i] == 0 && i > 0)
++ break;
++ cin = buffer[i] & 0x0f;
++ if (ep->in_sysex &&
++ cin == ep->last_cin &&
++ (buffer[i + 1 + (cin == 0x6)] & 0x80) == 0)
++ cin = 0x4;
++#if 0
++ if (buffer[i + 1] == 0x90) {
++ /*
++ * Either a corrupted running status or a real note-on
++ * message; impossible to detect reliably.
++ */
++ }
++#endif
++ length = snd_usbmidi_cin_length[cin];
++ snd_usbmidi_input_data(ep, 0, &buffer[i + 1], length);
++ ep->in_sysex = cin == 0x4;
++ if (!ep->in_sysex)
++ ep->last_cin = cin;
++ }
++}
++
++/*
+ * CME protocol: like the standard protocol, but SysEx commands are sent as a
+ * single USB packet preceded by a 0x0F byte.
+ */
+@@ -660,6 +695,12 @@ static struct usb_protocol_ops snd_usbmidi_cme_ops = {
+ .output_packet = snd_usbmidi_output_standard_packet,
+ };
+
++static struct usb_protocol_ops snd_usbmidi_ch345_broken_sysex_ops = {
++ .input = ch345_broken_sysex_input,
++ .output = snd_usbmidi_standard_output,
++ .output_packet = snd_usbmidi_output_standard_packet,
++};
++
+ /*
+ * AKAI MPD16 protocol:
+ *
+@@ -1341,6 +1382,7 @@ static int snd_usbmidi_out_endpoint_create(struct snd_usb_midi *umidi,
+ * Various chips declare a packet size larger than 4 bytes, but
+ * do not actually work with larger packets:
+ */
++ case USB_ID(0x0a67, 0x5011): /* Medeli DD305 */
+ case USB_ID(0x0a92, 0x1020): /* ESI M4U */
+ case USB_ID(0x1430, 0x474b): /* RedOctane GH MIDI INTERFACE */
+ case USB_ID(0x15ca, 0x0101): /* Textech USB Midi Cable */
+@@ -2375,6 +2417,10 @@ int snd_usbmidi_create(struct snd_card *card,
+
+ err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints);
+ break;
++ case QUIRK_MIDI_CH345:
++ umidi->usb_protocol_ops = &snd_usbmidi_ch345_broken_sysex_ops;
++ err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints);
++ break;
+ default:
+ dev_err(&umidi->dev->dev, "invalid quirk type %d\n",
+ quirk->type);
+diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
+index e475665..ecc2a4e 100644
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -2820,6 +2820,17 @@ YAMAHA_DEVICE(0x7010, "UB99"),
+ .idProduct = 0x1020,
+ },
+
++/* QinHeng devices */
++{
++ USB_DEVICE(0x1a86, 0x752d),
++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
++ .vendor_name = "QinHeng",
++ .product_name = "CH345",
++ .ifnum = 1,
++ .type = QUIRK_MIDI_CH345
++ }
++},
++
+ /* KeithMcMillen Stringport */
+ {
+ USB_DEVICE(0x1f38, 0x0001),
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index 00ebc0c..eef9b8e 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -535,6 +535,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip,
+ [QUIRK_MIDI_CME] = create_any_midi_quirk,
+ [QUIRK_MIDI_AKAI] = create_any_midi_quirk,
+ [QUIRK_MIDI_FTDI] = create_any_midi_quirk,
++ [QUIRK_MIDI_CH345] = create_any_midi_quirk,
+ [QUIRK_AUDIO_STANDARD_INTERFACE] = create_standard_audio_quirk,
+ [QUIRK_AUDIO_FIXED_ENDPOINT] = create_fixed_stream_quirk,
+ [QUIRK_AUDIO_EDIROL_UAXX] = create_uaxx_quirk,
+@@ -1271,6 +1272,7 @@ u64 snd_usb_interface_dsd_format_quirks(struct snd_usb_audio *chip,
+ case USB_ID(0x20b1, 0x000a): /* Gustard DAC-X20U */
+ case USB_ID(0x20b1, 0x2009): /* DIYINHK DSD DXD 384kHz USB to I2S/DSD */
+ case USB_ID(0x20b1, 0x2023): /* JLsounds I2SoverUSB */
++ case USB_ID(0x20b1, 0x3023): /* Aune X1S 32BIT/384 DSD DAC */
+ if (fp->altsetting == 3)
+ return SNDRV_PCM_FMTBIT_DSD_U32_BE;
+ break;
+diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h
+index 91d0380..991aa84 100644
+--- a/sound/usb/usbaudio.h
++++ b/sound/usb/usbaudio.h
+@@ -94,6 +94,7 @@ enum quirk_type {
+ QUIRK_MIDI_AKAI,
+ QUIRK_MIDI_US122L,
+ QUIRK_MIDI_FTDI,
++ QUIRK_MIDI_CH345,
+ QUIRK_AUDIO_STANDARD_INTERFACE,
+ QUIRK_AUDIO_FIXED_ENDPOINT,
+ QUIRK_AUDIO_EDIROL_UAXX,
diff --git a/4.2.6/4420_grsecurity-3.1-4.2.6-201512051918.patch b/4.2.7/4420_grsecurity-3.1-4.2.7-201512092320.patch
index 9b88420..0e128e6 100644
--- a/4.2.6/4420_grsecurity-3.1-4.2.6-201512051918.patch
+++ b/4.2.7/4420_grsecurity-3.1-4.2.7-201512092320.patch
@@ -406,7 +406,7 @@ index 6fccb69..60c7c7a 100644
A toggle value indicating if modules are allowed to be loaded
diff --git a/Makefile b/Makefile
-index 9ef3739..df5234b 100644
+index f5014ea..5cc28a1 100644
--- a/Makefile
+++ b/Makefile
@@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -431,7 +431,7 @@ index 9ef3739..df5234b 100644
$(Q)$(MAKE) $(build)=scripts/basic
$(Q)rm -f .tmp_quiet_recordmcount
-@@ -615,6 +617,79 @@ endif
+@@ -615,6 +617,85 @@ endif
# Tell gcc to never replace conditional load with a non-conditional one
KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0)
@@ -466,6 +466,12 @@ index 9ef3739..df5234b 100644
+ifdef CONFIG_CHECKER_PLUGIN
+ifeq ($(call cc-ifversion, -ge, 0406, y), y)
+CHECKER_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/checker_plugin.so -DCHECKER_PLUGIN
++ifdef CONFIG_CHECKER_PLUGIN_USER
++CHECKER_PLUGIN_CFLAGS += -fplugin-arg-checker_plugin-user -DCHECKER_PLUGIN_USER
++endif
++ifdef CONFIG_CHECKER_PLUGIN_CONTEXT
++CHECKER_PLUGIN_CFLAGS += -fplugin-arg-checker_plugin-context -DCHECKER_PLUGIN_CONTEXT
++endif
+endif
+endif
+COLORIZE_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/colorize_plugin.so
@@ -511,7 +517,7 @@ index 9ef3739..df5234b 100644
ifdef CONFIG_READABLE_ASM
# Disable optimizations that make assembler listings hard to read.
# reorder blocks reorders the control in the function
-@@ -714,7 +789,7 @@ KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g)
+@@ -714,7 +795,7 @@ KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g)
else
KBUILD_CFLAGS += -g
endif
@@ -520,7 +526,7 @@ index 9ef3739..df5234b 100644
endif
ifdef CONFIG_DEBUG_INFO_DWARF4
KBUILD_CFLAGS += $(call cc-option, -gdwarf-4,)
-@@ -886,7 +961,7 @@ export mod_sign_cmd
+@@ -886,7 +967,7 @@ export mod_sign_cmd
ifeq ($(KBUILD_EXTMOD),)
@@ -529,7 +535,7 @@ index 9ef3739..df5234b 100644
vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
$(core-y) $(core-m) $(drivers-y) $(drivers-m) \
-@@ -936,6 +1011,8 @@ endif
+@@ -936,6 +1017,8 @@ endif
# The actual objects are generated when descending,
# make sure no implicit rule kicks in
@@ -538,7 +544,7 @@ index 9ef3739..df5234b 100644
$(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
# Handle descending into subdirectories listed in $(vmlinux-dirs)
-@@ -945,7 +1022,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
+@@ -945,7 +1028,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
# Error messages still appears in the original language
PHONY += $(vmlinux-dirs)
@@ -547,7 +553,7 @@ index 9ef3739..df5234b 100644
$(Q)$(MAKE) $(build)=$@
define filechk_kernel.release
-@@ -988,10 +1065,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \
+@@ -988,10 +1071,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \
archprepare: archheaders archscripts prepare1 scripts_basic
@@ -561,7 +567,7 @@ index 9ef3739..df5234b 100644
prepare: prepare0
# Generate some files
-@@ -1099,6 +1179,8 @@ all: modules
+@@ -1099,6 +1185,8 @@ all: modules
# using awk while concatenating to the final file.
PHONY += modules
@@ -570,7 +576,7 @@ index 9ef3739..df5234b 100644
modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin
$(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
@$(kecho) ' Building modules, stage 2.';
-@@ -1114,7 +1196,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
+@@ -1114,7 +1202,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
# Target to prepare building external modules
PHONY += modules_prepare
@@ -579,7 +585,7 @@ index 9ef3739..df5234b 100644
# Target to install modules
PHONY += modules_install
-@@ -1180,7 +1262,10 @@ MRPROPER_FILES += .config .config.old .version .old_version \
+@@ -1180,7 +1268,10 @@ MRPROPER_FILES += .config .config.old .version .old_version \
Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
signing_key.priv signing_key.x509 x509.genkey \
extra_certificates signing_key.x509.keyid \
@@ -591,7 +597,7 @@ index 9ef3739..df5234b 100644
# clean - Delete most, but leave enough to build external modules
#
-@@ -1219,7 +1304,7 @@ distclean: mrproper
+@@ -1219,7 +1310,7 @@ distclean: mrproper
@find $(srctree) $(RCS_FIND_IGNORE) \
\( -name '*.orig' -o -name '*.rej' -o -name '*~' \
-o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
@@ -600,7 +606,7 @@ index 9ef3739..df5234b 100644
-type f -print | xargs rm -f
-@@ -1385,6 +1470,8 @@ PHONY += $(module-dirs) modules
+@@ -1385,6 +1476,8 @@ PHONY += $(module-dirs) modules
$(module-dirs): crmodverdir $(objtree)/Module.symvers
$(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
@@ -609,7 +615,7 @@ index 9ef3739..df5234b 100644
modules: $(module-dirs)
@$(kecho) ' Building modules, stage 2.';
$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
-@@ -1525,17 +1612,21 @@ else
+@@ -1525,17 +1618,21 @@ else
target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
endif
@@ -635,7 +641,7 @@ index 9ef3739..df5234b 100644
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
%.symtypes: %.c prepare scripts FORCE
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
-@@ -1547,11 +1638,15 @@ endif
+@@ -1547,11 +1644,15 @@ endif
$(build)=$(build-dir)
# Make sure the latest headers are built for Documentation
Documentation/: headers_install
@@ -18606,6 +18612,19 @@ index 48f99f1..d78ebf9 100644
#ifdef CONFIG_X86_VSMP
#ifdef CONFIG_SMP
+diff --git a/arch/x86/include/asm/cacheflush.h b/arch/x86/include/asm/cacheflush.h
+index 9bf3ea1..4693729 100644
+--- a/arch/x86/include/asm/cacheflush.h
++++ b/arch/x86/include/asm/cacheflush.h
+@@ -133,7 +133,7 @@ static inline void arch_memcpy_to_pmem(void __pmem *dst, const void *src,
+ * before the WARN+BUG.
+ */
+ unwritten = __copy_from_user_inatomic_nocache((void __force *) dst,
+- (void __user *) src, n);
++ (void __force_user *) src, n);
+ if (WARN(unwritten, "%s: fault copying %p <- %p unwritten: %d\n",
+ __func__, dst, src, unwritten))
+ BUG();
diff --git a/arch/x86/include/asm/checksum_32.h b/arch/x86/include/asm/checksum_32.h
index f50de69..2b0a458 100644
--- a/arch/x86/include/asm/checksum_32.h
@@ -18710,15 +18729,18 @@ index ad19841..0784041 100644
({ \
__typeof__ (*(ptr)) __ret = (inc); \
diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h
-index acdee09..a553db3 100644
+index acdee09..e5c31cd 100644
--- a/arch/x86/include/asm/compat.h
+++ b/arch/x86/include/asm/compat.h
-@@ -41,7 +41,7 @@ typedef s64 __attribute__((aligned(4))) compat_s64;
+@@ -41,7 +41,11 @@ typedef s64 __attribute__((aligned(4))) compat_s64;
typedef u32 compat_uint_t;
typedef u32 compat_ulong_t;
typedef u64 __attribute__((aligned(4))) compat_u64;
--typedef u32 compat_uptr_t;
++#ifdef CHECKER_PLUGIN_USER
+ typedef u32 compat_uptr_t;
++#else
+typedef u32 __user compat_uptr_t;
++#endif
struct compat_timespec {
compat_time_t tv_sec;
@@ -19062,6 +19084,26 @@ index ced283a..ffe04cc 100644
{
union {
u64 v64;
+diff --git a/arch/x86/include/asm/dma.h b/arch/x86/include/asm/dma.h
+index fe884e1..46149ae 100644
+--- a/arch/x86/include/asm/dma.h
++++ b/arch/x86/include/asm/dma.h
+@@ -149,6 +149,7 @@
+ #ifdef CONFIG_ISA_DMA_API
+ extern spinlock_t dma_spin_lock;
+
++static inline unsigned long claim_dma_lock(void) __acquires(&dma_spin_lock);
+ static inline unsigned long claim_dma_lock(void)
+ {
+ unsigned long flags;
+@@ -156,6 +157,7 @@ static inline unsigned long claim_dma_lock(void)
+ return flags;
+ }
+
++static inline void release_dma_lock(unsigned long flags) __releases(&dma_spin_lock);
+ static inline void release_dma_lock(unsigned long flags)
+ {
+ spin_unlock_irqrestore(&dma_spin_lock, flags);
diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
index f161c18..97d43e8 100644
--- a/arch/x86/include/asm/elf.h
@@ -19508,11 +19550,11 @@ index 6615032..9c233be 100644
extern void elcr_set_level_irq(unsigned int irq);
diff --git a/arch/x86/include/asm/i8259.h b/arch/x86/include/asm/i8259.h
-index ccffa53..3c90c87 100644
+index 39bcefc..272d904 100644
--- a/arch/x86/include/asm/i8259.h
+++ b/arch/x86/include/asm/i8259.h
-@@ -62,7 +62,7 @@ struct legacy_pic {
- void (*init)(int auto_eoi);
+@@ -63,7 +63,7 @@ struct legacy_pic {
+ int (*probe)(void);
int (*irq_pending)(unsigned int irq);
void (*make_irq)(unsigned int irq);
-};
@@ -22039,7 +22081,7 @@ index cd79194..6a9956f 100644
}
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
-index a8df874..3dcbd7c 100644
+index a8df874..e0aaf5f 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -7,6 +7,7 @@
@@ -22168,12 +22210,16 @@ index a8df874..3dcbd7c 100644
"3: " ASM_CLAC "\n" \
_ASM_EXTABLE_EX(1b, 2b) \
_ASM_EXTABLE_EX(2b, 3b) \
-@@ -260,7 +306,8 @@ extern void __put_user_8(void);
- __typeof__(*(ptr)) __pu_val; \
+@@ -257,10 +303,11 @@ extern void __put_user_8(void);
+ #define put_user(x, ptr) \
+ ({ \
+ int __ret_pu; \
+- __typeof__(*(ptr)) __pu_val; \
++ __inttype(*(ptr)) __pu_val; \
__chk_user_ptr(ptr); \
might_fault(); \
- __pu_val = x; \
-+ __pu_val = (x); \
++ __pu_val = (__inttype(*(ptr)))(x); \
+ pax_open_userland(); \
switch (sizeof(*(ptr))) { \
case 1: \
@@ -22186,7 +22232,20 @@ index a8df874..3dcbd7c 100644
__ret_pu; \
})
-@@ -358,8 +406,10 @@ do { \
+@@ -341,10 +389,10 @@ do { \
+ __chk_user_ptr(ptr); \
+ switch (size) { \
+ case 1: \
+- __get_user_asm(x, ptr, retval, "b", "b", "=q", errret); \
++ __get_user_asm(x, ptr, retval, "zbl", "k", "=r", errret);\
+ break; \
+ case 2: \
+- __get_user_asm(x, ptr, retval, "w", "w", "=r", errret); \
++ __get_user_asm(x, ptr, retval, "zwl", "k", "=r", errret);\
+ break; \
+ case 4: \
+ __get_user_asm(x, ptr, retval, "l", "k", "=r", errret); \
+@@ -358,27 +406,31 @@ do { \
} while (0)
#define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
@@ -22198,7 +22257,8 @@ index a8df874..3dcbd7c 100644
"2: " ASM_CLAC "\n" \
".section .fixup,\"ax\"\n" \
"3: mov %3,%0\n" \
-@@ -367,8 +417,10 @@ do { \
+- " xor"itype" %"rtype"1,%"rtype"1\n" \
++ " xorl %k1,%k1\n" \
" jmp 2b\n" \
".previous\n" \
_ASM_EXTABLE(1b, 3b) \
@@ -22211,6 +22271,18 @@ index a8df874..3dcbd7c 100644
#define __get_user_size_ex(x, ptr, size) \
do { \
+ __chk_user_ptr(ptr); \
+ switch (size) { \
+ case 1: \
+- __get_user_asm_ex(x, ptr, "b", "b", "=q"); \
++ __get_user_asm_ex(x, ptr, "zbl", "k", "=r"); \
+ break; \
+ case 2: \
+- __get_user_asm_ex(x, ptr, "w", "w", "=r"); \
++ __get_user_asm_ex(x, ptr, "zwl", "k", "=r"); \
+ break; \
+ case 4: \
+ __get_user_asm_ex(x, ptr, "l", "k", "=r"); \
@@ -392,7 +444,7 @@ do { \
} while (0)
@@ -22335,10 +22407,16 @@ index a8df874..3dcbd7c 100644
extern void __cmpxchg_wrong_size(void)
__compiletime_error("Bad argument size for cmpxchg");
-@@ -547,18 +624,19 @@ extern void __cmpxchg_wrong_size(void)
- __typeof__(ptr) __uval = (uval); \
- __typeof__(*(ptr)) __old = (old); \
- __typeof__(*(ptr)) __new = (new); \
+@@ -544,21 +621,22 @@ extern void __cmpxchg_wrong_size(void)
+ #define __user_atomic_cmpxchg_inatomic(uval, ptr, old, new, size) \
+ ({ \
+ int __ret = 0; \
+- __typeof__(ptr) __uval = (uval); \
+- __typeof__(*(ptr)) __old = (old); \
+- __typeof__(*(ptr)) __new = (new); \
++ __typeof__(uval) __uval = (uval); \
++ __typeof__(*(uval)) __old = (old); \
++ __typeof__(*(uval)) __new = (new); \
+ pax_open_userland(); \
switch (size) { \
case 1: \
@@ -23004,18 +23082,6 @@ index 0f457e6..5970c0a 100644
#define BIOS_END 0x00100000
#define BIOS_ROM_BASE 0xffe00000
-diff --git a/arch/x86/include/uapi/asm/svm.h b/arch/x86/include/uapi/asm/svm.h
-index b5d7640..8a4add8 100644
---- a/arch/x86/include/uapi/asm/svm.h
-+++ b/arch/x86/include/uapi/asm/svm.h
-@@ -100,6 +100,7 @@
- { SVM_EXIT_EXCP_BASE + UD_VECTOR, "UD excp" }, \
- { SVM_EXIT_EXCP_BASE + PF_VECTOR, "PF excp" }, \
- { SVM_EXIT_EXCP_BASE + NM_VECTOR, "NM excp" }, \
-+ { SVM_EXIT_EXCP_BASE + AC_VECTOR, "AC excp" }, \
- { SVM_EXIT_EXCP_BASE + MC_VECTOR, "MC excp" }, \
- { SVM_EXIT_INTR, "interrupt" }, \
- { SVM_EXIT_NMI, "nmi" }, \
diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
index 0f15af4..501a76a 100644
--- a/arch/x86/kernel/Makefile
@@ -23494,27 +23560,25 @@ index bda4886..f9c7195 100644
.name = "default",
.probe = probe_default,
diff --git a/arch/x86/kernel/apic/vector.c b/arch/x86/kernel/apic/vector.c
-index 2683f36..0bdc74c 100644
+index ea4ba83..13a7b74 100644
--- a/arch/x86/kernel/apic/vector.c
+++ b/arch/x86/kernel/apic/vector.c
-@@ -36,7 +36,7 @@ static struct irq_chip lapic_controller;
+@@ -36,6 +36,7 @@ static struct irq_chip lapic_controller;
static struct apic_chip_data *legacy_irq_data[NR_IRQS_LEGACY];
#endif
--void lock_vector_lock(void)
-+void lock_vector_lock(void) __acquires(vector_lock)
++void lock_vector_lock(void) __acquires(&vector_lock);
+ void lock_vector_lock(void)
{
/* Used to the online set of cpus does not change
- * during assign_irq_vector.
-@@ -44,7 +44,7 @@ void lock_vector_lock(void)
+@@ -44,6 +45,7 @@ void lock_vector_lock(void)
raw_spin_lock(&vector_lock);
}
--void unlock_vector_lock(void)
-+void unlock_vector_lock(void) __releases(vector_lock)
++void unlock_vector_lock(void) __releases(&vector_lock);
+ void unlock_vector_lock(void)
{
raw_spin_unlock(&vector_lock);
- }
diff --git a/arch/x86/kernel/apic/x2apic_cluster.c b/arch/x86/kernel/apic/x2apic_cluster.c
index ab3219b..e8033eb 100644
--- a/arch/x86/kernel/apic/x2apic_cluster.c
@@ -23748,7 +23812,7 @@ index 04f0fe5..3c0598c 100644
/*
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index cb9e5df..0849dd8 100644
+index e4f929d..0849dd8 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -91,60 +91,6 @@ static const struct cpu_dev default_cpu = {
@@ -23812,19 +23876,7 @@ index cb9e5df..0849dd8 100644
static int __init x86_mpx_setup(char *s)
{
/* require an exact match without trailing characters */
-@@ -272,10 +218,9 @@ __setup("nosmap", setup_disable_smap);
-
- static __always_inline void setup_smap(struct cpuinfo_x86 *c)
- {
-- unsigned long eflags;
-+ unsigned long eflags = native_save_fl();
-
- /* This should have been cleared long ago */
-- raw_local_save_flags(eflags);
- BUG_ON(eflags & X86_EFLAGS_AC);
-
- if (cpu_has(c, X86_FEATURE_SMAP)) {
-@@ -287,6 +232,109 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
+@@ -286,6 +232,109 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
}
}
@@ -23934,7 +23986,7 @@ index cb9e5df..0849dd8 100644
/*
* Some CPU features depend on higher CPUID levels, which may not always
* be available due to CPUID level capping or broken virtualization
-@@ -387,7 +435,7 @@ void switch_to_new_gdt(int cpu)
+@@ -386,7 +435,7 @@ void switch_to_new_gdt(int cpu)
{
struct desc_ptr gdt_descr;
@@ -23943,7 +23995,7 @@ index cb9e5df..0849dd8 100644
gdt_descr.size = GDT_SIZE - 1;
load_gdt(&gdt_descr);
/* Reload the per-cpu base */
-@@ -918,6 +966,20 @@ static void identify_cpu(struct cpuinfo_x86 *c)
+@@ -917,6 +966,20 @@ static void identify_cpu(struct cpuinfo_x86 *c)
setup_smep(c);
setup_smap(c);
@@ -23964,7 +24016,7 @@ index cb9e5df..0849dd8 100644
/*
* The vendor-specific functions might have changed features.
* Now we do "generic changes."
-@@ -992,7 +1054,7 @@ void enable_sep_cpu(void)
+@@ -991,7 +1054,7 @@ void enable_sep_cpu(void)
int cpu;
cpu = get_cpu();
@@ -23973,7 +24025,7 @@ index cb9e5df..0849dd8 100644
if (!boot_cpu_has(X86_FEATURE_SEP))
goto out;
-@@ -1138,10 +1200,12 @@ static __init int setup_disablecpuid(char *arg)
+@@ -1137,10 +1200,12 @@ static __init int setup_disablecpuid(char *arg)
}
__setup("clearcpuid=", setup_disablecpuid);
@@ -23989,7 +24041,7 @@ index cb9e5df..0849dd8 100644
DEFINE_PER_CPU_FIRST(union irq_stack_union,
irq_stack_union) __aligned(PAGE_SIZE) __visible;
-@@ -1253,21 +1317,21 @@ EXPORT_PER_CPU_SYMBOL(current_task);
+@@ -1252,21 +1317,21 @@ EXPORT_PER_CPU_SYMBOL(current_task);
DEFINE_PER_CPU(int, __preempt_count) = INIT_PREEMPT_COUNT;
EXPORT_PER_CPU_SYMBOL(__preempt_count);
@@ -24018,7 +24070,7 @@ index cb9e5df..0849dd8 100644
/*
* Clear all 6 debug registers:
*/
-@@ -1343,7 +1407,7 @@ void cpu_init(void)
+@@ -1342,7 +1407,7 @@ void cpu_init(void)
*/
load_ucode_ap();
@@ -24027,7 +24079,7 @@ index cb9e5df..0849dd8 100644
oist = &per_cpu(orig_ist, cpu);
#ifdef CONFIG_NUMA
-@@ -1375,7 +1439,6 @@ void cpu_init(void)
+@@ -1374,7 +1439,6 @@ void cpu_init(void)
wrmsrl(MSR_KERNEL_GS_BASE, 0);
barrier();
@@ -24035,7 +24087,7 @@ index cb9e5df..0849dd8 100644
x2apic_setup();
/*
-@@ -1427,7 +1490,7 @@ void cpu_init(void)
+@@ -1426,7 +1490,7 @@ void cpu_init(void)
{
int cpu = smp_processor_id();
struct task_struct *curr = current;
@@ -24316,6 +24368,30 @@ index 969dc17..a9c3fdd 100644
}
static void microcode_fini_cpu(int cpu)
+diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c
+index 3b533cf..b40d426 100644
+--- a/arch/x86/kernel/cpu/mtrr/generic.c
++++ b/arch/x86/kernel/cpu/mtrr/generic.c
+@@ -723,7 +723,8 @@ static DEFINE_RAW_SPINLOCK(set_atomicity_lock);
+ * The caller must ensure that local interrupts are disabled and
+ * are reenabled after post_set() has been called.
+ */
+-static void prepare_set(void) __acquires(set_atomicity_lock)
++static void prepare_set(void) __acquires(&set_atomicity_lock);
++static void prepare_set(void)
+ {
+ unsigned long cr0;
+
+@@ -759,7 +760,8 @@ static void prepare_set(void) __acquires(set_atomicity_lock)
+ wbinvd();
+ }
+
+-static void post_set(void) __releases(set_atomicity_lock)
++static void post_set(void) __releases(&set_atomicity_lock);
++static void post_set(void)
+ {
+ /* Flush TLBs (no need to flush caches - they are disabled) */
+ count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c
index e7ed0d8..57a2ab9 100644
--- a/arch/x86/kernel/cpu/mtrr/main.c
@@ -24405,10 +24481,95 @@ index 97242a9..cf9c30e 100644
while (amd_iommu_v2_event_descs[i].attr.attr.name)
diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c
-index 1b09c42..521004d 100644
+index 1b09c42..9627a7b 100644
--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
-@@ -3019,10 +3019,10 @@ __init int intel_pmu_init(void)
+@@ -1900,6 +1900,8 @@ __intel_get_event_constraints(struct cpu_hw_events *cpuc, int idx,
+ }
+
+ static void
++intel_start_scheduling(struct cpu_hw_events *cpuc) __acquires(&cpuc->excl_cntrs->lock);
++static void
+ intel_start_scheduling(struct cpu_hw_events *cpuc)
+ {
+ struct intel_excl_cntrs *excl_cntrs = cpuc->excl_cntrs;
+@@ -1909,14 +1911,18 @@ intel_start_scheduling(struct cpu_hw_events *cpuc)
+ /*
+ * nothing needed if in group validation mode
+ */
+- if (cpuc->is_fake || !is_ht_workaround_enabled())
++ if (cpuc->is_fake || !is_ht_workaround_enabled()) {
++ __acquire(&excl_cntrs->lock);
+ return;
++ }
+
+ /*
+ * no exclusion needed
+ */
+- if (WARN_ON_ONCE(!excl_cntrs))
++ if (WARN_ON_ONCE(!excl_cntrs)) {
++ __acquire(&excl_cntrs->lock);
+ return;
++ }
+
+ xl = &excl_cntrs->states[tid];
+
+@@ -1956,6 +1962,8 @@ static void intel_commit_scheduling(struct cpu_hw_events *cpuc, int idx, int cnt
+ }
+
+ static void
++intel_stop_scheduling(struct cpu_hw_events *cpuc) __releases(&cpuc->excl_cntrs->lock);
++static void
+ intel_stop_scheduling(struct cpu_hw_events *cpuc)
+ {
+ struct intel_excl_cntrs *excl_cntrs = cpuc->excl_cntrs;
+@@ -1965,13 +1973,18 @@ intel_stop_scheduling(struct cpu_hw_events *cpuc)
+ /*
+ * nothing needed if in group validation mode
+ */
+- if (cpuc->is_fake || !is_ht_workaround_enabled())
++ if (cpuc->is_fake || !is_ht_workaround_enabled()) {
++ __release(&excl_cntrs->lock);
+ return;
++ }
++
+ /*
+ * no exclusion needed
+ */
+- if (WARN_ON_ONCE(!excl_cntrs))
++ if (WARN_ON_ONCE(!excl_cntrs)) {
++ __release(&excl_cntrs->lock);
+ return;
++ }
+
+ xl = &excl_cntrs->states[tid];
+
+@@ -2154,19 +2167,22 @@ static void intel_put_excl_constraints(struct cpu_hw_events *cpuc,
+ * unused now.
+ */
+ if (hwc->idx >= 0) {
++ bool sched_started;
++
+ xl = &excl_cntrs->states[tid];
++ sched_started = xl->sched_started;
+
+ /*
+ * put_constraint may be called from x86_schedule_events()
+ * which already has the lock held so here make locking
+ * conditional.
+ */
+- if (!xl->sched_started)
++ if (!sched_started)
+ raw_spin_lock(&excl_cntrs->lock);
+
+ xl->state[hwc->idx] = INTEL_EXCL_UNUSED;
+
+- if (!xl->sched_started)
++ if (!sched_started)
+ raw_spin_unlock(&excl_cntrs->lock);
+ }
+ }
+@@ -3019,10 +3035,10 @@ __init int intel_pmu_init(void)
x86_pmu.num_counters_fixed = max((int)edx.split.num_counters_fixed, 3);
if (boot_cpu_has(X86_FEATURE_PDCM)) {
@@ -25376,7 +25537,7 @@ index dc60810..6c8a1fa 100644
}
diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
-index 50ec9af..32d7f10 100644
+index 6545e6d..32d7f10 100644
--- a/arch/x86/kernel/fpu/signal.c
+++ b/arch/x86/kernel/fpu/signal.c
@@ -54,7 +54,7 @@ static inline int check_for_xstate(struct fxregs_state __user *buf,
@@ -25465,34 +25626,8 @@ index 50ec9af..32d7f10 100644
err = -1;
} else {
sanitize_restored_xstate(tsk, &env, xfeatures, fx_only);
-@@ -385,20 +387,19 @@ fpu__alloc_mathframe(unsigned long sp, int ia32_frame,
- */
- void fpu__init_prepare_fx_sw_frame(void)
- {
-- int fsave_header_size = sizeof(struct fregs_state);
- int size = xstate_size + FP_XSTATE_MAGIC2_SIZE;
-
-- if (config_enabled(CONFIG_X86_32))
-- size += fsave_header_size;
--
- fx_sw_reserved.magic1 = FP_XSTATE_MAGIC1;
- fx_sw_reserved.extended_size = size;
- fx_sw_reserved.xfeatures = xfeatures_mask;
- fx_sw_reserved.xstate_size = xstate_size;
-
-- if (config_enabled(CONFIG_IA32_EMULATION)) {
-+ if (config_enabled(CONFIG_IA32_EMULATION) ||
-+ config_enabled(CONFIG_X86_32)) {
-+ int fsave_header_size = sizeof(struct fregs_state);
-+
- fx_sw_reserved_ia32 = fx_sw_reserved;
-- fx_sw_reserved_ia32.extended_size += fsave_header_size;
-+ fx_sw_reserved_ia32.extended_size = size + fsave_header_size;
- }
- }
-
diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
-index 62fc001..099cbd7 100644
+index 2c4ac07..099cbd7 100644
--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
@@ -93,14 +93,14 @@ EXPORT_SYMBOL_GPL(cpu_has_xfeatures);
@@ -25512,15 +25647,7 @@ index 62fc001..099cbd7 100644
/*
* None of the feature bits are in init state. So nothing else
-@@ -402,7 +402,6 @@ void *get_xsave_addr(struct xregs_state *xsave, int xstate_feature)
- if (!boot_cpu_has(X86_FEATURE_XSAVE))
- return NULL;
-
-- xsave = &current->thread.fpu.state.xsave;
- /*
- * We should not ever be requesting features that we
- * have not enabled. Remember that pcntxt_mask is
-@@ -457,5 +456,5 @@ const void *get_xsave_field_ptr(int xsave_state)
+@@ -456,5 +456,5 @@ const void *get_xsave_field_ptr(int xsave_state)
*/
fpu__save(fpu);
@@ -26102,7 +26229,7 @@ index 0e2d96f..5889003 100644
+ .fill PAGE_SIZE_asm - GDT_SIZE,1,0
+ .endr
diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
-index 1d40ca8..2dbedb3 100644
+index ffdc0e8..2dbedb3 100644
--- a/arch/x86/kernel/head_64.S
+++ b/arch/x86/kernel/head_64.S
@@ -20,6 +20,8 @@
@@ -26127,17 +26254,7 @@ index 1d40ca8..2dbedb3 100644
.text
__HEAD
-@@ -65,6 +73,9 @@ startup_64:
- * tables and then reload them.
- */
-
-+ /* Sanitize CPU configuration */
-+ call verify_cpu
-+
- /*
- * Compute the delta between the address I am compiled to run at and the
- * address I am actually running at.
-@@ -89,11 +100,33 @@ startup_64:
+@@ -92,11 +100,33 @@ startup_64:
* Fixup the physical addresses in the page table
*/
addq %rbp, early_level4_pgt + (L4_START_KERNEL*8)(%rip)
@@ -26173,13 +26290,10 @@ index 1d40ca8..2dbedb3 100644
/*
* Set up the identity mapping for the switchover. These
-@@ -174,11 +207,16 @@ ENTRY(secondary_startup_64)
- * after the boot processor executes this code.
- */
+@@ -180,11 +210,13 @@ ENTRY(secondary_startup_64)
+ /* Sanitize CPU configuration */
+ call verify_cpu
-+ /* Sanitize CPU configuration */
-+ call verify_cpu
-+
+ orq $-1, %rbp
+
movq $(init_level4_pgt - __START_KERNEL_map), %rax
@@ -26192,7 +26306,7 @@ index 1d40ca8..2dbedb3 100644
movq %rcx, %cr4
/* Setup early boot stage 4 level pagetables. */
-@@ -199,10 +237,21 @@ ENTRY(secondary_startup_64)
+@@ -205,10 +237,21 @@ ENTRY(secondary_startup_64)
movl $MSR_EFER, %ecx
rdmsr
btsl $_EFER_SCE, %eax /* Enable System Call */
@@ -26215,7 +26329,7 @@ index 1d40ca8..2dbedb3 100644
1: wrmsr /* Make changes effective */
/* Setup cr0 */
-@@ -282,12 +331,15 @@ ENTRY(secondary_startup_64)
+@@ -288,6 +331,7 @@ ENTRY(secondary_startup_64)
* REX.W + FF /5 JMP m16:64 Jump far, absolute indirect,
* address given in m16:64.
*/
@@ -26223,15 +26337,7 @@ index 1d40ca8..2dbedb3 100644
movq initial_code(%rip),%rax
pushq $0 # fake return address to stop unwinder
pushq $__KERNEL_CS # set correct cs
- pushq %rax # target address in negative space
- lretq
-
-+#include "verify_cpu.S"
-+
- #ifdef CONFIG_HOTPLUG_CPU
- /*
- * Boot CPU0 entry point. It's called from play_dead(). Everything has been set
-@@ -313,7 +365,7 @@ ENDPROC(start_cpu0)
+@@ -321,7 +365,7 @@ ENDPROC(start_cpu0)
.quad INIT_PER_CPU_VAR(irq_stack_union)
GLOBAL(stack_start)
@@ -26240,7 +26346,7 @@ index 1d40ca8..2dbedb3 100644
.word 0
__FINITDATA
-@@ -393,7 +445,7 @@ early_idt_handler_common:
+@@ -401,7 +445,7 @@ early_idt_handler_common:
call dump_stack
#ifdef CONFIG_KALLSYMS
leaq early_idt_ripmsg(%rip),%rdi
@@ -26249,7 +26355,7 @@ index 1d40ca8..2dbedb3 100644
call __print_symbol
#endif
#endif /* EARLY_PRINTK */
-@@ -422,6 +474,7 @@ ENDPROC(early_idt_handler_common)
+@@ -430,6 +474,7 @@ ENDPROC(early_idt_handler_common)
early_recursion_flag:
.long 0
@@ -26257,7 +26363,7 @@ index 1d40ca8..2dbedb3 100644
#ifdef CONFIG_EARLY_PRINTK
early_idt_msg:
.asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
-@@ -444,40 +497,67 @@ GLOBAL(name)
+@@ -452,40 +497,67 @@ GLOBAL(name)
__INITDATA
NEXT_PAGE(early_level4_pgt)
.fill 511,8,0
@@ -26337,7 +26443,7 @@ index 1d40ca8..2dbedb3 100644
NEXT_PAGE(level2_kernel_pgt)
/*
-@@ -494,31 +574,79 @@ NEXT_PAGE(level2_kernel_pgt)
+@@ -502,31 +574,79 @@ NEXT_PAGE(level2_kernel_pgt)
KERNEL_IMAGE_SIZE/PMD_SIZE)
NEXT_PAGE(level2_fixmap_pgt)
@@ -26455,7 +26561,7 @@ index 64341aa..b1e6632 100644
+EXPORT_SYMBOL(cpu_pgd);
+#endif
diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c
-index 16cb827..372334f 100644
+index be22f5a..c5d0e1f 100644
--- a/arch/x86/kernel/i8259.c
+++ b/arch/x86/kernel/i8259.c
@@ -110,7 +110,7 @@ static int i8259A_irq_pending(unsigned int irq)
@@ -26476,7 +26582,7 @@ index 16cb827..372334f 100644
/*
* Theoretically we do not have to handle this IRQ,
* but in Linux this does not cause problems and is
-@@ -349,14 +349,16 @@ static void init_8259A(int auto_eoi)
+@@ -356,14 +356,16 @@ static void init_8259A(int auto_eoi)
/* (slave's support for AEOI in flat mode is to be investigated) */
outb_pic(SLAVE_ICW4_DEFAULT, PIC_SLAVE_IMR);
@@ -28544,7 +28650,7 @@ index 98111b3..73ca125 100644
identity_mapped:
/* set return address to 0 if not preserving context */
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 80f874b..b3eff67 100644
+index 1e6f70f..a6b1c8a 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -111,6 +111,7 @@
@@ -29480,7 +29586,7 @@ index 6647624..2056791 100644
force_sig_info(SIGSEGV, SEND_SIG_FORCED, current);
}
diff --git a/arch/x86/kernel/verify_cpu.S b/arch/x86/kernel/verify_cpu.S
-index b9242ba..ae8c9cf 100644
+index 4cf401f..ae8c9cf 100644
--- a/arch/x86/kernel/verify_cpu.S
+++ b/arch/x86/kernel/verify_cpu.S
@@ -20,6 +20,7 @@
@@ -29491,42 +29597,6 @@ index b9242ba..ae8c9cf 100644
*
* verify_cpu, returns the status of longmode and SSE in register %eax.
* 0: Success 1: Failure
-@@ -34,10 +35,11 @@
- #include <asm/msr-index.h>
-
- verify_cpu:
-- pushfl # Save caller passed flags
-- pushl $0 # Kill any dangerous flags
-- popfl
-+ pushf # Save caller passed flags
-+ push $0 # Kill any dangerous flags
-+ popf
-
-+#ifndef __x86_64__
- pushfl # standard way to check for cpuid
- popl %eax
- movl %eax,%ebx
-@@ -48,6 +50,7 @@ verify_cpu:
- popl %eax
- cmpl %eax,%ebx
- jz verify_cpu_no_longmode # cpu has no cpuid
-+#endif
-
- movl $0x0,%eax # See if cpuid 1 is implemented
- cpuid
-@@ -130,10 +133,10 @@ verify_cpu_sse_test:
- jmp verify_cpu_sse_test # try again
-
- verify_cpu_no_longmode:
-- popfl # Restore caller passed flags
-+ popf # Restore caller passed flags
- movl $1,%eax
- ret
- verify_cpu_sse_ok:
-- popfl # Restore caller passed flags
-+ popf # Restore caller passed flags
- xorl %eax, %eax
- ret
diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c
index fc9db6e..2c5865d 100644
--- a/arch/x86/kernel/vm86_32.c
@@ -29992,10 +30062,10 @@ index 2fbea25..9e0f8c7 100644
out:
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 2392541a..2aefc2a 100644
+index f17c342..d5d17bc 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
-@@ -3851,7 +3851,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
+@@ -3870,7 +3870,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
int cr = ctxt->modrm_reg;
u64 efer = 0;
@@ -30004,8 +30074,90 @@ index 2392541a..2aefc2a 100644
0xffffffff00000000ULL,
0, 0, 0, /* CR3 checked later */
CR4_RESERVED_BITS,
+diff --git a/arch/x86/kvm/i8259.c b/arch/x86/kvm/i8259.c
+index fef922f..18f48a0 100644
+--- a/arch/x86/kvm/i8259.c
++++ b/arch/x86/kvm/i8259.c
+@@ -39,14 +39,14 @@
+
+ static void pic_irq_request(struct kvm *kvm, int level);
+
++static void pic_lock(struct kvm_pic *s) __acquires(&s->lock);
+ static void pic_lock(struct kvm_pic *s)
+- __acquires(&s->lock)
+ {
+ spin_lock(&s->lock);
+ }
+
++static void pic_unlock(struct kvm_pic *s) __releases(&s->lock);
+ static void pic_unlock(struct kvm_pic *s)
+- __releases(&s->lock)
+ {
+ bool wakeup = s->wakeup_needed;
+ struct kvm_vcpu *vcpu, *found = NULL;
+@@ -72,6 +72,7 @@ static void pic_unlock(struct kvm_pic *s)
+ }
+ }
+
++static void pic_clear_isr(struct kvm_kpic_state *s, int irq) __must_hold(s->pics_state);
+ static void pic_clear_isr(struct kvm_kpic_state *s, int irq)
+ {
+ s->isr &= ~(1 << irq);
+@@ -219,6 +220,7 @@ void kvm_pic_clear_all(struct kvm_pic *s, int irq_source_id)
+ /*
+ * acknowledge interrupt 'irq'
+ */
++static inline void pic_intack(struct kvm_kpic_state *s, int irq) __must_hold(s);
+ static inline void pic_intack(struct kvm_kpic_state *s, int irq)
+ {
+ s->isr |= 1 << irq;
+@@ -273,6 +275,7 @@ int kvm_pic_read_irq(struct kvm *kvm)
+ return intno;
+ }
+
++void kvm_pic_reset(struct kvm_kpic_state *s) __must_hold(s);
+ void kvm_pic_reset(struct kvm_kpic_state *s)
+ {
+ int irq, i;
+@@ -307,6 +310,7 @@ void kvm_pic_reset(struct kvm_kpic_state *s)
+ pic_clear_isr(s, irq);
+ }
+
++static void pic_ioport_write(void *opaque, u32 addr, u32 val) __must_hold(opaque);
+ static void pic_ioport_write(void *opaque, u32 addr, u32 val)
+ {
+ struct kvm_kpic_state *s = opaque;
+@@ -400,6 +404,7 @@ static void pic_ioport_write(void *opaque, u32 addr, u32 val)
+ }
+ }
+
++static u32 pic_poll_read(struct kvm_kpic_state *s, u32 addr1) __must_hold(s);
+ static u32 pic_poll_read(struct kvm_kpic_state *s, u32 addr1)
+ {
+ int ret;
+@@ -422,6 +427,7 @@ static u32 pic_poll_read(struct kvm_kpic_state *s, u32 addr1)
+ return ret;
+ }
+
++static u32 pic_ioport_read(void *opaque, u32 addr1) __must_hold(opaque);
+ static u32 pic_ioport_read(void *opaque, u32 addr1)
+ {
+ struct kvm_kpic_state *s = opaque;
+diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c
+index 856f791..bfc7694 100644
+--- a/arch/x86/kvm/ioapic.c
++++ b/arch/x86/kvm/ioapic.c
+@@ -422,6 +422,8 @@ static void kvm_ioapic_eoi_inject_work(struct work_struct *work)
+ #define IOAPIC_SUCCESSIVE_IRQ_MAX_COUNT 10000
+
+ static void __kvm_ioapic_update_eoi(struct kvm_vcpu *vcpu,
++ struct kvm_ioapic *ioapic, int vector, int trigger_mode) __must_hold(&ioapic->lock);
++static void __kvm_ioapic_update_eoi(struct kvm_vcpu *vcpu,
+ struct kvm_ioapic *ioapic, int vector, int trigger_mode)
+ {
+ int i;
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
-index 2a5ca97..ce8577a 100644
+index 236e346..2b0f2be 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -56,7 +56,7 @@
@@ -30031,19 +30183,18 @@ index 0f67d7e..4b9fa11 100644
goto error;
walker->ptep_user[walker->level - 1] = ptep_user;
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 2d32b67..976f46e 100644
+index 00da6e8..7901046 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
-@@ -1106,6 +1106,8 @@ static void init_vmcb(struct vcpu_svm *svm, bool init_event)
- set_exception_intercept(svm, PF_VECTOR);
+@@ -1107,6 +1107,7 @@ static void init_vmcb(struct vcpu_svm *svm)
set_exception_intercept(svm, UD_VECTOR);
set_exception_intercept(svm, MC_VECTOR);
-+ set_exception_intercept(svm, AC_VECTOR);
+ set_exception_intercept(svm, AC_VECTOR);
+ set_exception_intercept(svm, DB_VECTOR);
set_intercept(svm, INTERCEPT_INTR);
set_intercept(svm, INTERCEPT_NMI);
-@@ -1641,20 +1643,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
+@@ -1641,20 +1642,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
mark_dirty(svm->vmcb, VMCB_SEG);
}
@@ -30065,7 +30216,7 @@ index 2d32b67..976f46e 100644
if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
set_exception_intercept(svm, BP_VECTOR);
} else
-@@ -1760,7 +1755,6 @@ static int db_interception(struct vcpu_svm *svm)
+@@ -1760,7 +1754,6 @@ static int db_interception(struct vcpu_svm *svm)
if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
svm->vmcb->save.rflags &=
~(X86_EFLAGS_TF | X86_EFLAGS_RF);
@@ -30073,28 +30224,7 @@ index 2d32b67..976f46e 100644
}
if (svm->vcpu.guest_debug &
-@@ -1795,6 +1789,12 @@ static int ud_interception(struct vcpu_svm *svm)
- return 1;
- }
-
-+static int ac_interception(struct vcpu_svm *svm)
-+{
-+ kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0);
-+ return 1;
-+}
-+
- static void svm_fpu_activate(struct kvm_vcpu *vcpu)
- {
- struct vcpu_svm *svm = to_svm(vcpu);
-@@ -3369,6 +3369,7 @@ static int (*const svm_exit_handlers[])(struct vcpu_svm *svm) = {
- [SVM_EXIT_EXCP_BASE + PF_VECTOR] = pf_interception,
- [SVM_EXIT_EXCP_BASE + NM_VECTOR] = nm_interception,
- [SVM_EXIT_EXCP_BASE + MC_VECTOR] = mc_interception,
-+ [SVM_EXIT_EXCP_BASE + AC_VECTOR] = ac_interception,
- [SVM_EXIT_INTR] = intr_interception,
- [SVM_EXIT_NMI] = nmi_interception,
- [SVM_EXIT_SMI] = nop_on_interception,
-@@ -3586,7 +3587,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
+@@ -3593,7 +3586,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
int cpu = raw_smp_processor_id();
struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
@@ -30106,7 +30236,7 @@ index 2d32b67..976f46e 100644
load_TR_desc();
}
-@@ -3752,7 +3757,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
+@@ -3759,7 +3756,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
*/
svm->nmi_singlestep = true;
svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
@@ -30114,7 +30244,7 @@ index 2d32b67..976f46e 100644
}
static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
-@@ -3982,6 +3986,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -3989,6 +3985,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
#endif
#endif
@@ -30125,7 +30255,7 @@ index 2d32b67..976f46e 100644
reload_tss(vcpu);
local_irq_disable();
-@@ -4355,7 +4363,7 @@ static void svm_sched_in(struct kvm_vcpu *vcpu, int cpu)
+@@ -4362,7 +4362,7 @@ static void svm_sched_in(struct kvm_vcpu *vcpu, int cpu)
{
}
@@ -30134,7 +30264,7 @@ index 2d32b67..976f46e 100644
.cpu_has_kvm_support = has_svm,
.disabled_by_bios = is_disabled,
.hardware_setup = svm_hardware_setup,
-@@ -4374,7 +4382,7 @@ static struct kvm_x86_ops svm_x86_ops = {
+@@ -4381,7 +4381,7 @@ static struct kvm_x86_ops svm_x86_ops = {
.vcpu_load = svm_vcpu_load,
.vcpu_put = svm_vcpu_put,
@@ -30144,7 +30274,7 @@ index 2d32b67..976f46e 100644
.set_msr = svm_set_msr,
.get_segment_base = svm_get_segment_base,
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index aa9e8229..5f643bf 100644
+index e77d75b..0f056cd 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -1440,12 +1440,12 @@ static void vmcs_write64(unsigned long field, u64 value)
@@ -30162,15 +30292,6 @@ index aa9e8229..5f643bf 100644
{
vmcs_writel(field, vmcs_readl(field) | mask);
}
-@@ -1567,7 +1567,7 @@ static void update_exception_bitmap(struct kvm_vcpu *vcpu)
- u32 eb;
-
- eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) |
-- (1u << NM_VECTOR) | (1u << DB_VECTOR);
-+ (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR);
- if ((vcpu->guest_debug &
- (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) ==
- (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP))
@@ -1705,7 +1705,11 @@ static void reload_tss(void)
struct desc_struct *descs;
@@ -30223,17 +30344,7 @@ index aa9e8229..5f643bf 100644
rdmsr(MSR_IA32_SYSENTER_CS, low32, high32);
vmcs_write32(HOST_IA32_SYSENTER_CS, low32);
-@@ -5118,6 +5129,9 @@ static int handle_exception(struct kvm_vcpu *vcpu)
- return handle_rmode_exception(vcpu, ex_no, error_code);
-
- switch (ex_no) {
-+ case AC_VECTOR:
-+ kvm_queue_exception_e(vcpu, AC_VECTOR, error_code);
-+ return 1;
- case DB_VECTOR:
- dr6 = vmcs_readl(EXIT_QUALIFICATION);
- if (!(vcpu->guest_debug &
-@@ -6097,11 +6111,17 @@ static __init int hardware_setup(void)
+@@ -6099,11 +6110,17 @@ static __init int hardware_setup(void)
* page upon invalidation. No need to do anything if not
* using the APIC_ACCESS_ADDR VMCS field.
*/
@@ -30253,7 +30364,7 @@ index aa9e8229..5f643bf 100644
if (enable_ept && !cpu_has_vmx_ept_2m_page())
kvm_disable_largepages();
-@@ -6112,6 +6132,7 @@ static __init int hardware_setup(void)
+@@ -6114,6 +6131,7 @@ static __init int hardware_setup(void)
if (!cpu_has_vmx_apicv())
enable_apicv = 0;
@@ -30261,7 +30372,7 @@ index aa9e8229..5f643bf 100644
if (enable_apicv)
kvm_x86_ops->update_cr8_intercept = NULL;
else {
-@@ -6120,6 +6141,7 @@ static __init int hardware_setup(void)
+@@ -6122,6 +6140,7 @@ static __init int hardware_setup(void)
kvm_x86_ops->deliver_posted_interrupt = NULL;
kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy;
}
@@ -30269,7 +30380,7 @@ index aa9e8229..5f643bf 100644
vmx_disable_intercept_for_msr(MSR_FS_BASE, false);
vmx_disable_intercept_for_msr(MSR_GS_BASE, false);
-@@ -6174,10 +6196,12 @@ static __init int hardware_setup(void)
+@@ -6176,10 +6195,12 @@ static __init int hardware_setup(void)
enable_pml = 0;
if (!enable_pml) {
@@ -30282,7 +30393,7 @@ index aa9e8229..5f643bf 100644
}
return alloc_kvm_area();
-@@ -8380,6 +8404,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8382,6 +8403,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
"jmp 2f \n\t"
"1: " __ex(ASM_VMX_VMRESUME) "\n\t"
"2: "
@@ -30295,7 +30406,7 @@ index aa9e8229..5f643bf 100644
/* Save guest registers, load host registers, keep flags */
"mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
"pop %0 \n\t"
-@@ -8432,6 +8462,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8434,6 +8461,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
#endif
[cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
[wordsize]"i"(sizeof(ulong))
@@ -30307,7 +30418,7 @@ index aa9e8229..5f643bf 100644
: "cc", "memory"
#ifdef CONFIG_X86_64
, "rax", "rbx", "rdi", "rsi"
-@@ -8445,7 +8480,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8447,7 +8479,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
if (debugctlmsr)
update_debugctlmsr(debugctlmsr);
@@ -30316,7 +30427,7 @@ index aa9e8229..5f643bf 100644
/*
* The sysexit path does not restore ds/es, so we must set them to
* a reasonable value ourselves.
-@@ -8454,8 +8489,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8456,8 +8488,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
* may be executed in interrupt context, which saves and restore segments
* around it, nullifying its effect.
*/
@@ -30337,7 +30448,7 @@ index aa9e8229..5f643bf 100644
#endif
vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
-@@ -10309,7 +10354,7 @@ static void vmx_enable_log_dirty_pt_masked(struct kvm *kvm,
+@@ -10311,7 +10353,7 @@ static void vmx_enable_log_dirty_pt_masked(struct kvm *kvm,
kvm_mmu_clear_dirty_pt_masked(kvm, memslot, offset, mask);
}
@@ -30347,10 +30458,10 @@ index aa9e8229..5f643bf 100644
.disabled_by_bios = vmx_disabled_by_bios,
.hardware_setup = hardware_setup,
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 373328b7..310cf2f 100644
+index 2781e2b..b7bff94 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
-@@ -1842,8 +1842,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
+@@ -1844,8 +1844,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
{
struct kvm *kvm = vcpu->kvm;
int lm = is_long_mode(vcpu);
@@ -30361,7 +30472,7 @@ index 373328b7..310cf2f 100644
u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
: kvm->arch.xen_hvm_config.blob_size_32;
u32 page_num = data & ~PAGE_MASK;
-@@ -2733,6 +2733,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
+@@ -2735,6 +2735,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
if (n < msr_list.nmsrs)
goto out;
r = -EFAULT;
@@ -30370,7 +30481,7 @@ index 373328b7..310cf2f 100644
if (copy_to_user(user_msr_list->indices, &msrs_to_save,
num_msrs_to_save * sizeof(u32)))
goto out;
-@@ -3093,7 +3095,7 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu,
+@@ -3095,7 +3097,7 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu,
static void fill_xsave(u8 *dest, struct kvm_vcpu *vcpu)
{
@@ -30379,7 +30490,7 @@ index 373328b7..310cf2f 100644
u64 xstate_bv = xsave->header.xfeatures;
u64 valid;
-@@ -3129,7 +3131,7 @@ static void fill_xsave(u8 *dest, struct kvm_vcpu *vcpu)
+@@ -3131,7 +3133,7 @@ static void fill_xsave(u8 *dest, struct kvm_vcpu *vcpu)
static void load_xsave(struct kvm_vcpu *vcpu, u8 *src)
{
@@ -30388,7 +30499,7 @@ index 373328b7..310cf2f 100644
u64 xstate_bv = *(u64 *)(src + XSAVE_HDR_OFFSET);
u64 valid;
-@@ -3173,7 +3175,7 @@ static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,
+@@ -3175,7 +3177,7 @@ static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,
fill_xsave((u8 *) guest_xsave->region, vcpu);
} else {
memcpy(guest_xsave->region,
@@ -30397,7 +30508,7 @@ index 373328b7..310cf2f 100644
sizeof(struct fxregs_state));
*(u64 *)&guest_xsave->region[XSAVE_HDR_OFFSET / sizeof(u32)] =
XSTATE_FPSSE;
-@@ -3198,7 +3200,7 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
+@@ -3200,7 +3202,7 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
} else {
if (xstate_bv & ~XSTATE_FPSSE)
return -EINVAL;
@@ -30406,7 +30517,23 @@ index 373328b7..310cf2f 100644
guest_xsave->region, sizeof(struct fxregs_state));
}
return 0;
-@@ -7217,7 +7219,7 @@ int kvm_arch_vcpu_ioctl_translate(struct kvm_vcpu *vcpu,
+@@ -6473,6 +6475,7 @@ void kvm_arch_mmu_notifier_invalidate_page(struct kvm *kvm,
+ * exiting to the userspace. Otherwise, the value will be returned to the
+ * userspace.
+ */
++static int vcpu_enter_guest(struct kvm_vcpu *vcpu) __must_hold(&vcpu->kvm->srcu);
+ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
+ {
+ int r;
+@@ -6690,6 +6693,7 @@ out:
+ return r;
+ }
+
++static inline int vcpu_block(struct kvm *kvm, struct kvm_vcpu *vcpu) __must_hold(&kvm->srcu);
+ static inline int vcpu_block(struct kvm *kvm, struct kvm_vcpu *vcpu)
+ {
+ if (!kvm_arch_vcpu_runnable(vcpu)) {
+@@ -7229,7 +7233,7 @@ int kvm_arch_vcpu_ioctl_translate(struct kvm_vcpu *vcpu,
int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
{
struct fxregs_state *fxsave =
@@ -30415,7 +30542,7 @@ index 373328b7..310cf2f 100644
memcpy(fpu->fpr, fxsave->st_space, 128);
fpu->fcw = fxsave->cwd;
-@@ -7234,7 +7236,7 @@ int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
+@@ -7246,7 +7250,7 @@ int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
{
struct fxregs_state *fxsave =
@@ -30424,7 +30551,7 @@ index 373328b7..310cf2f 100644
memcpy(fxsave->st_space, fpu->fpr, 128);
fxsave->cwd = fpu->fcw;
-@@ -7250,9 +7252,9 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
+@@ -7262,9 +7266,9 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
static void fx_init(struct kvm_vcpu *vcpu)
{
@@ -30436,7 +30563,7 @@ index 373328b7..310cf2f 100644
host_xcr0 | XSTATE_COMPACTION_ENABLED;
/*
-@@ -7276,7 +7278,7 @@ void kvm_load_guest_fpu(struct kvm_vcpu *vcpu)
+@@ -7288,7 +7292,7 @@ void kvm_load_guest_fpu(struct kvm_vcpu *vcpu)
kvm_put_guest_xcr0(vcpu);
vcpu->guest_fpu_loaded = 1;
__kernel_fpu_begin();
@@ -30445,7 +30572,7 @@ index 373328b7..310cf2f 100644
trace_kvm_fpu(1);
}
-@@ -7554,6 +7556,8 @@ bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu)
+@@ -7566,6 +7570,8 @@ bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu)
struct static_key kvm_no_apic_vcpu __read_mostly;
@@ -30454,7 +30581,7 @@ index 373328b7..310cf2f 100644
int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
{
struct page *page;
-@@ -7570,11 +7574,14 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
+@@ -7582,11 +7588,14 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
else
vcpu->arch.mp_state = KVM_MP_STATE_UNINITIALIZED;
@@ -30473,7 +30600,7 @@ index 373328b7..310cf2f 100644
vcpu->arch.pio_data = page_address(page);
kvm_set_tsc_khz(vcpu, max_tsc_khz);
-@@ -7628,6 +7635,9 @@ fail_mmu_destroy:
+@@ -7640,6 +7649,9 @@ fail_mmu_destroy:
kvm_mmu_destroy(vcpu);
fail_free_pio_data:
free_page((unsigned long)vcpu->arch.pio_data);
@@ -30483,7 +30610,7 @@ index 373328b7..310cf2f 100644
fail:
return r;
}
-@@ -7645,6 +7655,8 @@ void kvm_arch_vcpu_uninit(struct kvm_vcpu *vcpu)
+@@ -7657,6 +7669,8 @@ void kvm_arch_vcpu_uninit(struct kvm_vcpu *vcpu)
free_page((unsigned long)vcpu->arch.pio_data);
if (!irqchip_in_kernel(vcpu->kvm))
static_key_slow_dec(&kvm_no_apic_vcpu);
@@ -32971,7 +33098,7 @@ index 91d93b9..4b22130 100644
+EXPORT_SYMBOL(set_fs);
+#endif
diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c
-index 0a42327..7a82465 100644
+index 0a42327..45c0063 100644
--- a/arch/x86/lib/usercopy_64.c
+++ b/arch/x86/lib/usercopy_64.c
@@ -18,6 +18,7 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
@@ -33031,8 +33158,9 @@ index 0a42327..7a82465 100644
/* If the destination is a kernel buffer, we always clear the end */
- if (!__addr_ok(to))
+- memset(to, 0, len);
+ if (!__addr_ok(to) && (unsigned long)to >= TASK_SIZE_MAX + pax_user_shadow_base)
- memset(to, 0, len);
++ memset((void __force_kernel *)to, 0, len);
return len;
}
diff --git a/arch/x86/math-emu/fpu_aux.c b/arch/x86/math-emu/fpu_aux.c
@@ -34908,77 +35036,23 @@ index 0057a7acc..95c7edd 100644
might_sleep();
if (is_enabled()) /* recheck and proper locking in *_core() */
diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c
-index db1b0bc..c28f618 100644
+index c28f618..73c7772 100644
--- a/arch/x86/mm/mpx.c
+++ b/arch/x86/mm/mpx.c
-@@ -622,6 +622,29 @@ static unsigned long mpx_bd_entry_to_bt_addr(struct mm_struct *mm,
- }
-
- /*
-+ * We only want to do a 4-byte get_user() on 32-bit. Otherwise,
-+ * we might run off the end of the bounds table if we are on
-+ * a 64-bit kernel and try to get 8 bytes.
-+ */
-+int get_user_bd_entry(struct mm_struct *mm, unsigned long *bd_entry_ret,
-+ long __user *bd_entry_ptr)
-+{
-+ u32 bd_entry_32;
-+ int ret;
-+
-+ if (is_64bit_mm(mm))
-+ return get_user(*bd_entry_ret, bd_entry_ptr);
-+
-+ /*
-+ * Note that get_user() uses the type of the *pointer* to
-+ * establish the size of the get, not the destination.
-+ */
-+ ret = get_user(bd_entry_32, (u32 __user *)bd_entry_ptr);
-+ *bd_entry_ret = bd_entry_32;
-+ return ret;
-+}
-+
-+/*
- * Get the base of bounds tables pointed by specific bounds
- * directory entry.
- */
-@@ -641,7 +664,7 @@ static int get_bt_addr(struct mm_struct *mm,
- int need_write = 0;
-
- pagefault_disable();
-- ret = get_user(bd_entry, bd_entry_ptr);
-+ ret = get_user_bd_entry(mm, &bd_entry, bd_entry_ptr);
- pagefault_enable();
- if (!ret)
- break;
-@@ -736,11 +759,23 @@ static unsigned long mpx_get_bt_entry_offset_bytes(struct mm_struct *mm,
- */
- static inline unsigned long bd_entry_virt_space(struct mm_struct *mm)
- {
-- unsigned long long virt_space = (1ULL << boot_cpu_data.x86_virt_bits);
-- if (is_64bit_mm(mm))
-- return virt_space / MPX_BD_NR_ENTRIES_64;
-- else
-- return virt_space / MPX_BD_NR_ENTRIES_32;
-+ unsigned long long virt_space;
-+ unsigned long long GB = (1ULL << 30);
-+
-+ /*
-+ * This covers 32-bit emulation as well as 32-bit kernels
-+ * running on 64-bit harware.
-+ */
-+ if (!is_64bit_mm(mm))
-+ return (4ULL * GB) / MPX_BD_NR_ENTRIES_32;
-+
-+ /*
-+ * 'x86_virt_bits' returns what the hardware is capable
-+ * of, and returns the full >32-bit adddress space when
-+ * running 32-bit kernels on 64-bit hardware.
-+ */
-+ virt_space = (1ULL << boot_cpu_data.x86_virt_bits);
-+ return virt_space / MPX_BD_NR_ENTRIES_64;
- }
-
- /*
+@@ -329,11 +329,11 @@ siginfo_t *mpx_generate_siginfo(struct pt_regs *regs)
+ * We were not able to extract an address from the instruction,
+ * probably because there was something invalid in it.
+ */
+- if (info->si_addr == (void *)-1) {
++ if (info->si_addr == (void __user *)-1) {
+ err = -EINVAL;
+ goto err_out;
+ }
+- trace_mpx_bounds_register_exception(info->si_addr, bndreg);
++ trace_mpx_bounds_register_exception((void __force_kernel *)info->si_addr, bndreg);
+ return info;
+ err_out:
+ /* info might be NULL, but kfree() handles that */
diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c
index 4053bb5..b1ad3dc 100644
--- a/arch/x86/mm/numa.c
@@ -34993,7 +35067,7 @@ index 4053bb5..b1ad3dc 100644
unsigned long uninitialized_var(pfn_align);
int i, nid;
diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
-index 727158c..54dd3ff 100644
+index 727158c..e278402 100644
--- a/arch/x86/mm/pageattr.c
+++ b/arch/x86/mm/pageattr.c
@@ -260,7 +260,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
@@ -35090,7 +35164,28 @@ index 727158c..54dd3ff 100644
pgprot_val(req_prot) &= ~pgprot_val(cpa->mask_clr);
pgprot_val(req_prot) |= pgprot_val(cpa->mask_set);
-@@ -1176,7 +1200,9 @@ repeat:
+@@ -675,6 +699,10 @@ __split_large_page(struct cpa_data *cpa, pte_t *kpte, unsigned long address,
+ return 0;
+ }
+
++#if debug_pagealloc == 0
++static int split_large_page(struct cpa_data *cpa, pte_t *kpte,
++ unsigned long address) __must_hold(&cpa_lock);
++#endif
+ static int split_large_page(struct cpa_data *cpa, pte_t *kpte,
+ unsigned long address)
+ {
+@@ -1118,6 +1146,9 @@ static int __cpa_process_fault(struct cpa_data *cpa, unsigned long vaddr,
+ }
+ }
+
++#if debug_pagealloc == 0
++static int __change_page_attr(struct cpa_data *cpa, int primary) __must_hold(&cpa_lock);
++#endif
+ static int __change_page_attr(struct cpa_data *cpa, int primary)
+ {
+ unsigned long address;
+@@ -1176,7 +1207,9 @@ repeat:
* Do we really change anything ?
*/
if (pte_val(old_pte) != pte_val(new_pte)) {
@@ -39200,6 +39295,21 @@ index 5005924..9fc06c4 100644
if (sif->remove_dev) {
subsys_dev_iter_init(&iter, subsys, NULL, NULL);
while ((dev = subsys_dev_iter_next(&iter)))
+diff --git a/drivers/base/devres.c b/drivers/base/devres.c
+index 8754646..6828fbe 100644
+--- a/drivers/base/devres.c
++++ b/drivers/base/devres.c
+@@ -475,7 +475,9 @@ static int remove_nodes(struct device *dev,
+
+ static int release_nodes(struct device *dev, struct list_head *first,
+ struct list_head *end, unsigned long flags)
+- __releases(&dev->devres_lock)
++ __releases(&dev->devres_lock);
++static int release_nodes(struct device *dev, struct list_head *first,
++ struct list_head *end, unsigned long flags)
+ {
+ LIST_HEAD(todo);
+ int cnt;
diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c
index 68f0314..ca2a609 100644
--- a/drivers/base/devtmpfs.c
@@ -39277,6 +39387,40 @@ index 0ee43c1..369dd62 100644
pm_genpd_poweron(pd);
return 0;
+diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
+index e1a10a0..a6bc363 100644
+--- a/drivers/base/power/runtime.c
++++ b/drivers/base/power/runtime.c
+@@ -263,8 +263,8 @@ static int rpm_check_suspend_allowed(struct device *dev)
+ * @cb: Runtime PM callback to run.
+ * @dev: Device to run the callback for.
+ */
++static int __rpm_callback(int (*cb)(struct device *), struct device *dev) __must_hold(&dev->power.lock);
+ static int __rpm_callback(int (*cb)(struct device *), struct device *dev)
+- __releases(&dev->power.lock) __acquires(&dev->power.lock)
+ {
+ int retval;
+
+@@ -412,8 +412,8 @@ static int rpm_callback(int (*cb)(struct device *), struct device *dev)
+ *
+ * This function must be called under dev->power.lock with interrupts disabled.
+ */
++static int rpm_suspend(struct device *dev, int rpmflags) __must_hold(&dev->power.lock);
+ static int rpm_suspend(struct device *dev, int rpmflags)
+- __releases(&dev->power.lock) __acquires(&dev->power.lock)
+ {
+ int (*callback)(struct device *);
+ struct device *parent = NULL;
+@@ -594,8 +594,8 @@ static int rpm_suspend(struct device *dev, int rpmflags)
+ *
+ * This function must be called under dev->power.lock with interrupts disabled.
+ */
++static int rpm_resume(struct device *dev, int rpmflags) __must_hold(&dev->power.lock);
+ static int rpm_resume(struct device *dev, int rpmflags)
+- __releases(&dev->power.lock) __acquires(&dev->power.lock)
+ {
+ int (*callback)(struct device *);
+ struct device *parent = NULL;
diff --git a/drivers/base/power/sysfs.c b/drivers/base/power/sysfs.c
index d2be3f9..0a3167a 100644
--- a/drivers/base/power/sysfs.c
@@ -39370,6 +39514,30 @@ index c8941f3..f7c7a7e 100644
tot_len = reg_len + 10; /* ': R W V P\n' */
for (i = 0; i <= map->max_register; i += map->reg_stride) {
+diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
+index 7111d04..bcda737 100644
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -340,8 +340,8 @@ static void regmap_unlock_mutex(void *__map)
+ mutex_unlock(&map->mutex);
+ }
+
++static void regmap_lock_spinlock(void *__map) __acquires(&map->spinlock);
+ static void regmap_lock_spinlock(void *__map)
+-__acquires(&map->spinlock)
+ {
+ struct regmap *map = __map;
+ unsigned long flags;
+@@ -350,8 +350,8 @@ __acquires(&map->spinlock)
+ map->spinlock_flags = flags;
+ }
+
++static void regmap_unlock_spinlock(void *__map) __releases(&map->spinlock);
+ static void regmap_unlock_spinlock(void *__map)
+-__releases(&map->spinlock)
+ {
+ struct regmap *map = __map;
+ spin_unlock_irqrestore(&map->spinlock, map->spinlock_flags);
diff --git a/drivers/base/syscore.c b/drivers/base/syscore.c
index 8d98a32..61d3165 100644
--- a/drivers/base/syscore.c
@@ -39810,7 +39978,7 @@ index 74df8cf..e41fc24 100644
if (!msg)
goto failed;
diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
-index c097909..13688e1 100644
+index c097909..b0dd588 100644
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c
@@ -870,7 +870,7 @@ int drbd_connected(struct drbd_peer_device *peer_device)
@@ -39863,7 +40031,18 @@ index c097909..13688e1 100644
list_add(&epoch->list, &connection->current_epoch->list);
connection->current_epoch = epoch;
connection->epochs++;
-@@ -1802,7 +1802,7 @@ static int recv_resync_read(struct drbd_peer_device *peer_device, sector_t secto
+@@ -1780,7 +1780,9 @@ static int e_end_resync_block(struct drbd_work *w, int unused)
+ }
+
+ static int recv_resync_read(struct drbd_peer_device *peer_device, sector_t sector,
+- struct packet_info *pi) __releases(local)
++ struct packet_info *pi) __releases(local);
++static int recv_resync_read(struct drbd_peer_device *peer_device, sector_t sector,
++ struct packet_info *pi)
+ {
+ struct drbd_device *device = peer_device->device;
+ struct drbd_peer_request *peer_req;
+@@ -1802,7 +1804,7 @@ static int recv_resync_read(struct drbd_peer_device *peer_device, sector_t secto
list_add_tail(&peer_req->w.list, &device->sync_ee);
spin_unlock_irq(&device->resource->req_lock);
@@ -39872,7 +40051,7 @@ index c097909..13688e1 100644
if (drbd_submit_peer_request(device, peer_req, WRITE, DRBD_FAULT_RS_WR) == 0)
return 0;
-@@ -1900,7 +1900,7 @@ static int receive_RSDataReply(struct drbd_connection *connection, struct packet
+@@ -1900,7 +1902,7 @@ static int receive_RSDataReply(struct drbd_connection *connection, struct packet
drbd_send_ack_dp(peer_device, P_NEG_ACK, p, pi->size);
}
@@ -39881,7 +40060,7 @@ index c097909..13688e1 100644
return err;
}
-@@ -2290,7 +2290,7 @@ static int receive_Data(struct drbd_connection *connection, struct packet_info *
+@@ -2290,7 +2292,7 @@ static int receive_Data(struct drbd_connection *connection, struct packet_info *
err = wait_for_and_update_peer_seq(peer_device, peer_seq);
drbd_send_ack_dp(peer_device, P_NEG_ACK, p, pi->size);
@@ -39890,7 +40069,7 @@ index c097909..13688e1 100644
err2 = drbd_drain_block(peer_device, pi->size);
if (!err)
err = err2;
-@@ -2334,7 +2334,7 @@ static int receive_Data(struct drbd_connection *connection, struct packet_info *
+@@ -2334,7 +2336,7 @@ static int receive_Data(struct drbd_connection *connection, struct packet_info *
spin_lock(&connection->epoch_lock);
peer_req->epoch = connection->current_epoch;
@@ -39899,7 +40078,7 @@ index c097909..13688e1 100644
atomic_inc(&peer_req->epoch->active);
spin_unlock(&connection->epoch_lock);
-@@ -2479,7 +2479,7 @@ bool drbd_rs_c_min_rate_throttle(struct drbd_device *device)
+@@ -2479,7 +2481,7 @@ bool drbd_rs_c_min_rate_throttle(struct drbd_device *device)
curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
(int)part_stat_read(&disk->part0, sectors[1]) -
@@ -39908,7 +40087,7 @@ index c097909..13688e1 100644
if (atomic_read(&device->ap_actlog_cnt)
|| curr_events - device->rs_last_events > 64) {
-@@ -2618,7 +2618,7 @@ static int receive_DataRequest(struct drbd_connection *connection, struct packet
+@@ -2618,7 +2620,7 @@ static int receive_DataRequest(struct drbd_connection *connection, struct packet
device->use_csums = true;
} else if (pi->cmd == P_OV_REPLY) {
/* track progress, we may need to throttle */
@@ -39917,7 +40096,7 @@ index c097909..13688e1 100644
peer_req->w.cb = w_e_end_ov_reply;
dec_rs_pending(device);
/* drbd_rs_begin_io done when we sent this request,
-@@ -2691,7 +2691,7 @@ static int receive_DataRequest(struct drbd_connection *connection, struct packet
+@@ -2691,7 +2693,7 @@ static int receive_DataRequest(struct drbd_connection *connection, struct packet
goto out_free_e;
submit_for_resync:
@@ -39926,7 +40105,7 @@ index c097909..13688e1 100644
submit:
update_receiver_timing_details(connection, drbd_submit_peer_request);
-@@ -4564,7 +4564,7 @@ struct data_cmd {
+@@ -4564,7 +4566,7 @@ struct data_cmd {
int expect_payload;
size_t pkt_size;
int (*fn)(struct drbd_connection *, struct packet_info *);
@@ -39935,7 +40114,7 @@ index c097909..13688e1 100644
static struct data_cmd drbd_cmd_handler[] = {
[P_DATA] = { 1, sizeof(struct p_data), receive_Data },
-@@ -4678,7 +4678,7 @@ static void conn_disconnect(struct drbd_connection *connection)
+@@ -4678,7 +4680,7 @@ static void conn_disconnect(struct drbd_connection *connection)
if (!list_empty(&connection->current_epoch->list))
drbd_err(connection, "ASSERTION FAILED: connection->current_epoch->list not empty\n");
/* ok, no more ee's on the fly, it is safe to reset the epoch_size */
@@ -39944,7 +40123,7 @@ index c097909..13688e1 100644
connection->send.seen_any_write_yet = false;
drbd_info(connection, "Connection closed\n");
-@@ -5182,7 +5182,7 @@ static int got_IsInSync(struct drbd_connection *connection, struct packet_info *
+@@ -5182,7 +5184,7 @@ static int got_IsInSync(struct drbd_connection *connection, struct packet_info *
put_ldev(device);
}
dec_rs_pending(device);
@@ -39953,7 +40132,7 @@ index c097909..13688e1 100644
return 0;
}
-@@ -5470,7 +5470,7 @@ static int connection_finish_peer_reqs(struct drbd_connection *connection)
+@@ -5470,7 +5472,7 @@ static int connection_finish_peer_reqs(struct drbd_connection *connection)
struct asender_cmd {
size_t pkt_size;
int (*fn)(struct drbd_connection *connection, struct packet_info *);
@@ -39963,10 +40142,30 @@ index c097909..13688e1 100644
static struct asender_cmd asender_tbl[] = {
[P_PING] = { 0, got_Ping },
diff --git a/drivers/block/drbd/drbd_worker.c b/drivers/block/drbd/drbd_worker.c
-index d0fae55..4469096 100644
+index d0fae55..e85f28e 100644
--- a/drivers/block/drbd/drbd_worker.c
+++ b/drivers/block/drbd/drbd_worker.c
-@@ -408,7 +408,7 @@ static int read_for_csum(struct drbd_peer_device *peer_device, sector_t sector,
+@@ -94,7 +94,8 @@ void drbd_md_endio(struct bio *bio, int error)
+ /* reads on behalf of the partner,
+ * "submitted" by the receiver
+ */
+-static void drbd_endio_read_sec_final(struct drbd_peer_request *peer_req) __releases(local)
++static void drbd_endio_read_sec_final(struct drbd_peer_request *peer_req) __releases(local);
++static void drbd_endio_read_sec_final(struct drbd_peer_request *peer_req)
+ {
+ unsigned long flags = 0;
+ struct drbd_peer_device *peer_device = peer_req->peer_device;
+@@ -115,7 +116,8 @@ static void drbd_endio_read_sec_final(struct drbd_peer_request *peer_req) __rele
+
+ /* writes on behalf of the partner, or resync writes,
+ * "submitted" by the receiver, final stage. */
+-void drbd_endio_write_sec_final(struct drbd_peer_request *peer_req) __releases(local)
++void drbd_endio_write_sec_final(struct drbd_peer_request *peer_req) __releases(local);
++void drbd_endio_write_sec_final(struct drbd_peer_request *peer_req)
+ {
+ unsigned long flags = 0;
+ struct drbd_peer_device *peer_device = peer_req->peer_device;
+@@ -408,7 +410,7 @@ static int read_for_csum(struct drbd_peer_device *peer_device, sector_t sector,
list_add_tail(&peer_req->w.list, &device->read_ee);
spin_unlock_irq(&device->resource->req_lock);
@@ -39975,7 +40174,7 @@ index d0fae55..4469096 100644
if (drbd_submit_peer_request(device, peer_req, READ, DRBD_FAULT_RS_RD) == 0)
return 0;
-@@ -553,7 +553,7 @@ static int drbd_rs_number_requests(struct drbd_device *device)
+@@ -553,7 +555,7 @@ static int drbd_rs_number_requests(struct drbd_device *device)
unsigned int sect_in; /* Number of sectors that came in since the last turn */
int number, mxb;
@@ -39984,7 +40183,7 @@ index d0fae55..4469096 100644
device->rs_in_flight -= sect_in;
rcu_read_lock();
-@@ -1595,8 +1595,8 @@ void drbd_rs_controller_reset(struct drbd_device *device)
+@@ -1595,8 +1597,8 @@ void drbd_rs_controller_reset(struct drbd_device *device)
struct gendisk *disk = device->ldev->backing_bdev->bd_contains->bd_disk;
struct fifo_buffer *plan;
@@ -39995,6 +40194,20 @@ index d0fae55..4469096 100644
device->rs_in_flight = 0;
device->rs_last_events =
(int)part_stat_read(&disk->part0, sectors[0]) +
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 0e385d8..0c63d6a 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -538,8 +538,8 @@ static int nbd_thread(void *data)
+ * { printk( "Warning: Ignoring result!\n"); nbd_end_request( req ); }
+ */
+
++static void do_nbd_request(struct request_queue *q) __must_hold(q->queue_lock);
+ static void do_nbd_request(struct request_queue *q)
+- __releases(q->queue_lock) __acquires(q->queue_lock)
+ {
+ struct request *req;
+
diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
index 4c20c22..caef1eb 100644
--- a/drivers/block/pktcdvd.c
@@ -40309,7 +40522,7 @@ index bf75f63..359fa10 100644
intf->proc_dir = NULL;
diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c
-index 8a45e92..e41b1c7 100644
+index 8a45e92..3546003 100644
--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -289,7 +289,7 @@ struct smi_info {
@@ -40333,6 +40546,25 @@ index 8a45e92..e41b1c7 100644
#define SI_MAX_PARMS 4
+@@ -1203,14 +1203,14 @@ static int smi_start_processing(void *send_info,
+
+ new_smi->intf = intf;
+
+- /* Try to claim any interrupts. */
+- if (new_smi->irq_setup)
+- new_smi->irq_setup(new_smi);
+-
+ /* Set up the timer that drives the interface. */
+ setup_timer(&new_smi->si_timer, smi_timeout, (long)new_smi);
+ smi_mod_timer(new_smi, jiffies + SI_TIMEOUT_JIFFIES);
+
++ /* Try to claim any interrupts. */
++ if (new_smi->irq_setup)
++ new_smi->irq_setup(new_smi);
++
+ /*
+ * Check if the user forcefully enabled the daemon.
+ */
@@ -3500,7 +3500,7 @@ static int try_smi_init(struct smi_info *new_smi)
atomic_set(&new_smi->req_events, 0);
new_smi->run_to_completion = false;
@@ -40741,10 +40973,10 @@ index 3a56a13..f8cbd25 100644
return 0;
}
diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
-index d2406fe..243951a 100644
+index d2406fe..473a5c0 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
-@@ -685,7 +685,7 @@ static ssize_t fill_readbuf(struct port *port, char __user *out_buf,
+@@ -685,11 +685,11 @@ static ssize_t fill_readbuf(struct port *port, char __user *out_buf,
if (to_user) {
ssize_t ret;
@@ -40753,15 +40985,20 @@ index d2406fe..243951a 100644
if (ret)
return -EFAULT;
} else {
-@@ -789,7 +789,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf,
- if (!port_has_data(port) && !port->host_connected)
- return 0;
+- memcpy((__force char *)out_buf, buf->buf + buf->offset,
++ memcpy((__force_kernel char *)out_buf, buf->buf + buf->offset,
+ out_count);
+ }
-- return fill_readbuf(port, ubuf, count, true);
-+ return fill_readbuf(port, (char __force_kernel *)ubuf, count, true);
+@@ -1164,7 +1164,7 @@ static int get_chars(u32 vtermno, char *buf, int count)
+ /* If we don't have an input queue yet, we can't get input. */
+ BUG_ON(!port->in_vq);
+
+- return fill_readbuf(port, (__force char __user *)buf, count, false);
++ return fill_readbuf(port, (char __force_user *)buf, count, false);
}
- static int wait_port_writable(struct port *port, bool nonblock)
+ static void resize_console(struct port *port)
diff --git a/drivers/clk/clk-composite.c b/drivers/clk/clk-composite.c
index 616f5ae..747bdd0 100644
--- a/drivers/clk/clk-composite.c
@@ -47780,7 +48017,7 @@ index 6ba47cf..a870ba2 100644
pmd->bl_info.value_type.inc = data_block_inc;
pmd->bl_info.value_type.dec = data_block_dec;
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
-index 3e32f4e..01e0a7f 100644
+index 3e32f4e..18528b7 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -194,9 +194,9 @@ struct mapped_device {
@@ -47795,7 +48032,44 @@ index 3e32f4e..01e0a7f 100644
struct list_head uevent_list;
spinlock_t uevent_lock; /* Protect access to uevent_list */
-@@ -2339,8 +2339,8 @@ static struct mapped_device *alloc_dev(int minor)
+@@ -705,14 +705,16 @@ static void queue_io(struct mapped_device *md, struct bio *bio)
+ * function to access the md->map field, and make sure they call
+ * dm_put_live_table() when finished.
+ */
+-struct dm_table *dm_get_live_table(struct mapped_device *md, int *srcu_idx) __acquires(md->io_barrier)
++struct dm_table *dm_get_live_table(struct mapped_device *md, int *srcu_idx) __acquires(&md->io_barrier);
++struct dm_table *dm_get_live_table(struct mapped_device *md, int *srcu_idx)
+ {
+ *srcu_idx = srcu_read_lock(&md->io_barrier);
+
+ return srcu_dereference(md->map, &md->io_barrier);
+ }
+
+-void dm_put_live_table(struct mapped_device *md, int srcu_idx) __releases(md->io_barrier)
++void dm_put_live_table(struct mapped_device *md, int srcu_idx) __releases(&md->io_barrier);
++void dm_put_live_table(struct mapped_device *md, int srcu_idx)
+ {
+ srcu_read_unlock(&md->io_barrier, srcu_idx);
+ }
+@@ -727,13 +729,15 @@ void dm_sync_table(struct mapped_device *md)
+ * A fast alternative to dm_get_live_table/dm_put_live_table.
+ * The caller must not block between these two functions.
+ */
+-static struct dm_table *dm_get_live_table_fast(struct mapped_device *md) __acquires(RCU)
++static struct dm_table *dm_get_live_table_fast(struct mapped_device *md) __acquires(RCU);
++static struct dm_table *dm_get_live_table_fast(struct mapped_device *md)
+ {
+ rcu_read_lock();
+ return rcu_dereference(md->map);
+ }
+
+-static void dm_put_live_table_fast(struct mapped_device *md) __releases(RCU)
++static void dm_put_live_table_fast(struct mapped_device *md) __releases(RCU);
++static void dm_put_live_table_fast(struct mapped_device *md)
+ {
+ rcu_read_unlock();
+ }
+@@ -2339,8 +2343,8 @@ static struct mapped_device *alloc_dev(int minor)
spin_lock_init(&md->deferred_lock);
atomic_set(&md->holders, 1);
atomic_set(&md->open_count, 0);
@@ -47806,7 +48080,7 @@ index 3e32f4e..01e0a7f 100644
INIT_LIST_HEAD(&md->uevent_list);
INIT_LIST_HEAD(&md->table_devices);
spin_lock_init(&md->uevent_lock);
-@@ -2481,7 +2481,7 @@ static void event_callback(void *context)
+@@ -2481,7 +2485,7 @@ static void event_callback(void *context)
dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
@@ -47815,7 +48089,7 @@ index 3e32f4e..01e0a7f 100644
wake_up(&md->eventq);
}
-@@ -3479,18 +3479,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
+@@ -3479,18 +3483,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
uint32_t dm_next_uevent_seq(struct mapped_device *md)
{
@@ -50347,18 +50621,9 @@ index e8c96b8..516a96c 100644
Say Y here if you want to support for Freescale FlexCAN.
diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
-index aede704..ca734ed 100644
+index 141c2a4..ca734ed 100644
--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
-@@ -915,7 +915,7 @@ static int can_fill_info(struct sk_buff *skb, const struct net_device *dev)
- nla_put(skb, IFLA_CAN_BITTIMING_CONST,
- sizeof(*priv->bittiming_const), priv->bittiming_const)) ||
-
-- nla_put(skb, IFLA_CAN_CLOCK, sizeof(cm), &priv->clock) ||
-+ nla_put(skb, IFLA_CAN_CLOCK, sizeof(priv->clock), &priv->clock) ||
- nla_put_u32(skb, IFLA_CAN_STATE, state) ||
- nla_put(skb, IFLA_CAN_CTRLMODE, sizeof(cm), &cm) ||
- nla_put_u32(skb, IFLA_CAN_RESTART_MS, priv->restart_ms) ||
@@ -961,7 +961,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev,
return -EOPNOTSUPP;
}
@@ -50531,7 +50796,7 @@ index b3bc87f..5bdfdd3 100644
+ .wrapper_rx_desc_init = xgbe_wrapper_rx_descriptor_init,
+};
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
-index a4473d8..039a2ab 100644
+index f672dba3..d71818d 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
@@ -2776,7 +2776,7 @@ static void xgbe_powerdown_rx(struct xgbe_prv_data *pdata)
@@ -50727,7 +50992,7 @@ index a4473d8..039a2ab 100644
+ .set_rss_lookup_table = xgbe_set_rss_lookup_table,
+};
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
-index aae9d5e..29ce58d 100644
+index dde0486..831e127 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
@@ -245,7 +245,7 @@ static int xgbe_maybe_stop_tx_queue(struct xgbe_channel *channel,
@@ -50972,7 +51237,7 @@ index aae9d5e..29ce58d 100644
struct xgbe_ring *ring = channel->tx_ring;
struct xgbe_ring_data *rdata;
struct xgbe_ring_desc *rdesc;
-@@ -1863,7 +1863,7 @@ static int xgbe_tx_poll(struct xgbe_channel *channel)
+@@ -1869,7 +1869,7 @@ static int xgbe_tx_poll(struct xgbe_channel *channel)
static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
{
struct xgbe_prv_data *pdata = channel->pdata;
@@ -51436,19 +51701,6 @@ index e5ba040..d47531c 100644
smp_mb();
/* need lock to prevent incorrect read while modifying cyclecounter */
-diff --git a/drivers/net/ethernet/mellanox/mlx4/cmd.c b/drivers/net/ethernet/mellanox/mlx4/cmd.c
-index 0a32020..2177e56 100644
---- a/drivers/net/ethernet/mellanox/mlx4/cmd.c
-+++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c
-@@ -2398,7 +2398,7 @@ int mlx4_multi_func_init(struct mlx4_dev *dev)
- }
- }
-
-- memset(&priv->mfunc.master.cmd_eqe, 0, dev->caps.eqe_size);
-+ memset(&priv->mfunc.master.cmd_eqe, 0, sizeof(struct mlx4_eqe));
- priv->mfunc.master.cmd_eqe.type = MLX4_EVENT_TYPE_CMD;
- INIT_WORK(&priv->mfunc.master.comm_work,
- mlx4_master_comm_channel);
diff --git a/drivers/net/ethernet/mellanox/mlx4/en_tx.c b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
index c10d98f..72914c6 100644
--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c
@@ -51464,19 +51716,6 @@ index c10d98f..72914c6 100644
netdev_tx_completed_queue(ring->tx_queue, packets, bytes);
-diff --git a/drivers/net/ethernet/mellanox/mlx4/eq.c b/drivers/net/ethernet/mellanox/mlx4/eq.c
-index 8e81e53..ad8f95d 100644
---- a/drivers/net/ethernet/mellanox/mlx4/eq.c
-+++ b/drivers/net/ethernet/mellanox/mlx4/eq.c
-@@ -196,7 +196,7 @@ static void slave_event(struct mlx4_dev *dev, u8 slave, struct mlx4_eqe *eqe)
- return;
- }
-
-- memcpy(s_eqe, eqe, dev->caps.eqe_size - 1);
-+ memcpy(s_eqe, eqe, sizeof(struct mlx4_eqe) - 1);
- s_eqe->slave_id = slave;
- /* ensure all information is written before setting the ownersip bit */
- dma_wmb();
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index 40206da..9d94643 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -51517,6 +51756,21 @@ index 6223930..975033d 100644
fifo->mempool =
__vxge_hw_mempool_create(vpath->hldev,
fifo->config->memblock_size,
+diff --git a/drivers/net/ethernet/nvidia/forcedeth.c b/drivers/net/ethernet/nvidia/forcedeth.c
+index a41bb5e..0ed99f9 100644
+--- a/drivers/net/ethernet/nvidia/forcedeth.c
++++ b/drivers/net/ethernet/nvidia/forcedeth.c
+@@ -357,8 +357,8 @@ struct ring_desc {
+ };
+
+ struct ring_desc_ex {
+- __le32 bufhigh;
+- __le32 buflow;
++ __le32 bufhigh __intentional_overflow(0);
++ __le32 buflow __intentional_overflow(0);
+ __le32 txvlan;
+ __le32 flaglen;
+ };
diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
index 753ea8b..674c39a 100644
--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
@@ -51765,7 +52019,7 @@ index 9f59f17..52cb38f 100644
};
diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
-index 248478c..05e8467 100644
+index 197c939..5f7bee5 100644
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -485,7 +485,7 @@ static void macvtap_setup(struct net_device *dev)
@@ -51786,6 +52040,17 @@ index 248478c..05e8467 100644
put_user(u, &ifr->ifr_flags))
ret = -EFAULT;
macvtap_put_vlan(vlan);
+@@ -1173,8 +1173,8 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd,
+ }
+ ret = 0;
+ u = vlan->dev->type;
+- if (copy_to_user(&ifr->ifr_name, vlan->dev->name, IFNAMSIZ) ||
+- copy_to_user(&ifr->ifr_hwaddr.sa_data, vlan->dev->dev_addr, ETH_ALEN) ||
++ if (copy_to_user(ifr->ifr_name, vlan->dev->name, IFNAMSIZ) ||
++ copy_to_user(ifr->ifr_hwaddr.sa_data, vlan->dev->dev_addr, ETH_ALEN) ||
+ put_user(u, &ifr->ifr_hwaddr.sa_family))
+ ret = -EFAULT;
+ macvtap_put_vlan(vlan);
@@ -1308,7 +1308,7 @@ static int macvtap_device_event(struct notifier_block *unused,
return NOTIFY_DONE;
}
@@ -51862,7 +52127,7 @@ index 487be20..f4c87bc 100644
err = 0;
break;
diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
-index 2ed7506..cf82b13 100644
+index 5e0b432..0a37f84 100644
--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -568,6 +568,9 @@ static int pppoe_create(struct net *net, struct socket *sock, int kern)
@@ -52895,10 +53160,10 @@ index 0ffb6ff..c0b7f0e 100644
memset(buf, 0, sizeof(buf));
buf_size = min(count, sizeof(buf) - 1);
diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c
-index 9e144e7..2f5511a 100644
+index dab9b91..b169b42 100644
--- a/drivers/net/wireless/iwlwifi/pcie/trans.c
+++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
-@@ -1950,7 +1950,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file,
+@@ -1944,7 +1944,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file,
struct isr_statistics *isr_stats = &trans_pcie->isr_stats;
char buf[8];
@@ -52907,7 +53172,7 @@ index 9e144e7..2f5511a 100644
u32 reset_flag;
memset(buf, 0, sizeof(buf));
-@@ -1971,7 +1971,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file,
+@@ -1965,7 +1965,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file,
{
struct iwl_trans *trans = file->private_data;
char buf[8];
@@ -57016,7 +57281,7 @@ index 382d3fc..b16d625 100644
dlci->modem_rx = 0;
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
-index afc1879..b605d4b 100644
+index dedac8a..d085233 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -2574,6 +2574,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
@@ -57781,6 +58046,19 @@ index b5b4278..bb9c7b0 100644
char c;
if (get_user(c, buf))
+diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
+index 3d245cd..51d4d3c 100644
+--- a/drivers/tty/tty_audit.c
++++ b/drivers/tty/tty_audit.c
+@@ -265,7 +265,7 @@ static struct tty_audit_buf *tty_audit_buf_get(struct tty_struct *tty,
+ *
+ * Audit @data of @size from @tty, if necessary.
+ */
+-void tty_audit_add_data(struct tty_struct *tty, const void *data,
++void tty_audit_add_data(struct tty_struct *tty, const unsigned char *data,
+ size_t size, unsigned icanon)
+ {
+ struct tty_audit_buf *buf;
diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
index 4cf263d..fd011fa 100644
--- a/drivers/tty/tty_buffer.c
@@ -57859,10 +58137,10 @@ index 4cf263d..fd011fa 100644
if (next == NULL) {
check_other_closed(tty);
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
-index 774df35..62fa290 100644
+index 1aa0286..b99e9a8 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
-@@ -3524,7 +3524,7 @@ EXPORT_SYMBOL(tty_devnum);
+@@ -3528,7 +3528,7 @@ EXPORT_SYMBOL(tty_devnum);
void tty_default_fops(struct file_operations *fops)
{
@@ -58712,10 +58990,10 @@ index c47d3e4..35bcc1e 100644
/* Device for a quirk */
#define PCI_VENDOR_ID_FRESCO_LOGIC 0x1b73
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
-index d7b9f484..8208965 100644
+index 6062996..9b6c196 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
-@@ -4837,7 +4837,7 @@ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks)
+@@ -4847,7 +4847,7 @@ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks)
int retval;
/* Accept arbitrarily long scatter-gather lists */
@@ -59137,7 +59415,7 @@ index 3fc63c2..eec5e49 100644
}
EXPORT_SYMBOL_GPL(fb_deferred_io_cleanup);
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
-index 0705d88..d9429bf 100644
+index 0705d88..0e17c07 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1301,7 +1301,7 @@ static int do_fscreeninfo_to_user(struct fb_fix_screeninfo *fix,
@@ -59149,6 +59427,30 @@ index 0705d88..d9429bf 100644
data = (__u32) (unsigned long) fix->smem_start;
err |= put_user(data, &fix32->smem_start);
+@@ -1435,10 +1435,7 @@ fb_mmap(struct file *file, struct vm_area_struct * vma)
+ return vm_iomap_memory(vma, start, len);
+ }
+
+-static int
+-fb_open(struct inode *inode, struct file *file)
+-__acquires(&info->lock)
+-__releases(&info->lock)
++static int fb_open(struct inode *inode, struct file *file)
+ {
+ int fbidx = iminor(inode);
+ struct fb_info *info;
+@@ -1476,10 +1473,7 @@ out:
+ return res;
+ }
+
+-static int
+-fb_release(struct inode *inode, struct file *file)
+-__acquires(&info->lock)
+-__releases(&info->lock)
++static int fb_release(struct inode *inode, struct file *file)
+ {
+ struct fb_info * const info = file->private_data;
+
diff --git a/drivers/video/fbdev/hyperv_fb.c b/drivers/video/fbdev/hyperv_fb.c
index 807ee22..7814cd6 100644
--- a/drivers/video/fbdev/hyperv_fb.c
@@ -62463,10 +62765,10 @@ index 3c14e43..2630570 100644
+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
+4 4 4 4 4 4
diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
-index 96093ae..b9eed29 100644
+index cdc3d33..2701a17 100644
--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
-@@ -1568,7 +1568,7 @@ void xen_irq_resume(void)
+@@ -1569,7 +1569,7 @@ void xen_irq_resume(void)
restore_pirqs();
}
@@ -62475,7 +62777,7 @@ index 96093ae..b9eed29 100644
.name = "xen-dyn",
.irq_disable = disable_dynirq,
-@@ -1582,7 +1582,7 @@ static struct irq_chip xen_dynamic_chip __read_mostly = {
+@@ -1583,7 +1583,7 @@ static struct irq_chip xen_dynamic_chip __read_mostly = {
.irq_retrigger = retrigger_dynirq,
};
@@ -62484,7 +62786,7 @@ index 96093ae..b9eed29 100644
.name = "xen-pirq",
.irq_startup = startup_pirq,
-@@ -1602,7 +1602,7 @@ static struct irq_chip xen_pirq_chip __read_mostly = {
+@@ -1603,7 +1603,7 @@ static struct irq_chip xen_pirq_chip __read_mostly = {
.irq_retrigger = retrigger_dynirq,
};
@@ -74890,6 +75192,22 @@ index 0000000..43d7c4f
+:1095C00080080000800E00008008008080080000F5
+:1095D00080000A8080000A00800009808000090065
+:00000001FF
+diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
+index b1dc518..2f97461 100644
+--- a/fs/9p/vfs_inode.c
++++ b/fs/9p/vfs_inode.c
+@@ -451,9 +451,9 @@ void v9fs_evict_inode(struct inode *inode)
+ {
+ struct v9fs_inode *v9inode = V9FS_I(inode);
+
+- truncate_inode_pages_final(inode->i_mapping);
++ truncate_inode_pages_final(&inode->i_data);
+ clear_inode(inode);
+- filemap_fdatawrite(inode->i_mapping);
++ filemap_fdatawrite(&inode->i_data);
+
+ v9fs_cache_inode_put_cookie(inode);
+ /* clunk the fid stashed in writeback_fid */
diff --git a/fs/Kconfig.binfmt b/fs/Kconfig.binfmt
index 2d0cbbd..a6d61492 100644
--- a/fs/Kconfig.binfmt
@@ -77152,7 +77470,7 @@ index 5bb630a..043dc70 100644
return hit;
diff --git a/fs/compat.c b/fs/compat.c
-index 6fd272d..dd34ba2 100644
+index 6fd272d..ae85f4f 100644
--- a/fs/compat.c
+++ b/fs/compat.c
@@ -54,7 +54,7 @@
@@ -77255,7 +77573,7 @@ index 6fd272d..dd34ba2 100644
dirent = buf->previous;
if (dirent) {
-@@ -1067,6 +1084,7 @@ COMPAT_SYSCALL_DEFINE3(getdents64, unsigned int, fd,
+@@ -1067,13 +1084,13 @@ COMPAT_SYSCALL_DEFINE3(getdents64, unsigned int, fd,
if (!f.file)
return -EBADF;
@@ -77263,6 +77581,14 @@ index 6fd272d..dd34ba2 100644
error = iterate_dir(f.file, &buf.ctx);
if (error >= 0)
error = buf.error;
+ lastdirent = buf.previous;
+ if (lastdirent) {
+- typeof(lastdirent->d_off) d_off = buf.ctx.pos;
+- if (__put_user_unaligned(d_off, &lastdirent->d_off))
++ if (__put_user_unaligned(buf.ctx.pos, &lastdirent->d_off))
+ error = -EFAULT;
+ else
+ error = count - buf.count;
diff --git a/fs/compat_binfmt_elf.c b/fs/compat_binfmt_elf.c
index 4d24d17..4f8c09e 100644
--- a/fs/compat_binfmt_elf.c
@@ -77354,7 +77680,7 @@ index c81ce7f..f3de5fd 100644
/*
* We'll have a dentry and an inode for
diff --git a/fs/coredump.c b/fs/coredump.c
-index a8f7564..3dde349 100644
+index a8f7564..0329da8 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -457,8 +457,8 @@ static void wait_for_dump_helpers(struct file *file)
@@ -77441,6 +77767,15 @@ index a8f7564..3dde349 100644
if (cprm.limit < binfmt->min_coredump)
goto fail_unlock;
+@@ -654,7 +663,7 @@ void do_coredump(const siginfo_t *siginfo)
+ * If it doesn't exist, that's fine. If there's some
+ * other problem, we'll catch it at the filp_open().
+ */
+- (void) sys_unlink((const char __user *)cn.corename);
++ (void) sys_unlink((const char __force_user *)cn.corename);
+ set_fs(old_fs);
+ }
+
@@ -718,7 +727,7 @@ close_fail:
filp_close(cprm.file, NULL);
fail_dropcount:
@@ -77460,10 +77795,34 @@ index a8f7564..3dde349 100644
return 0;
while (nr) {
diff --git a/fs/dcache.c b/fs/dcache.c
-index e3b44ca..e0d94f1 100644
+index e3b44ca..97367b7 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
-@@ -545,7 +545,7 @@ static void __dentry_kill(struct dentry *dentry)
+@@ -341,8 +341,9 @@ static inline void dentry_rcuwalk_invalidate(struct dentry *dentry)
+ * and is unhashed.
+ */
+ static void dentry_iput(struct dentry * dentry)
+- __releases(dentry->d_lock)
+- __releases(dentry->d_inode->i_lock)
++ __releases(&dentry->d_lock)
++ __releases(&dentry->d_inode->i_lock);
++static void dentry_iput(struct dentry * dentry)
+ {
+ struct inode *inode = dentry->d_inode;
+ if (inode) {
+@@ -366,8 +367,9 @@ static void dentry_iput(struct dentry * dentry)
+ * d_iput() operation if defined. dentry remains in-use.
+ */
+ static void dentry_unlink_inode(struct dentry * dentry)
+- __releases(dentry->d_lock)
+- __releases(dentry->d_inode->i_lock)
++ __releases(&dentry->d_lock)
++ __releases(&dentry->d_inode->i_lock);
++static void dentry_unlink_inode(struct dentry * dentry)
+ {
+ struct inode *inode = dentry->d_inode;
+ __d_clear_type_and_inode(dentry);
+@@ -545,7 +547,7 @@ static void __dentry_kill(struct dentry *dentry)
* dentry_iput drops the locks, at which point nobody (except
* transient RCU lookups) can reach this dentry.
*/
@@ -77472,7 +77831,17 @@ index e3b44ca..e0d94f1 100644
this_cpu_dec(nr_dentry);
if (dentry->d_op && dentry->d_op->d_release)
dentry->d_op->d_release(dentry);
-@@ -598,7 +598,7 @@ static inline struct dentry *lock_parent(struct dentry *dentry)
+@@ -567,7 +569,8 @@ static void __dentry_kill(struct dentry *dentry)
+ * Returns dentry requiring refcount drop, or NULL if we're done.
+ */
+ static struct dentry *dentry_kill(struct dentry *dentry)
+- __releases(dentry->d_lock)
++ __releases(&dentry->d_lock);
++static struct dentry *dentry_kill(struct dentry *dentry)
+ {
+ struct inode *inode = dentry->d_inode;
+ struct dentry *parent = NULL;
+@@ -598,7 +601,7 @@ static inline struct dentry *lock_parent(struct dentry *dentry)
struct dentry *parent = dentry->d_parent;
if (IS_ROOT(dentry))
return NULL;
@@ -77481,7 +77850,7 @@ index e3b44ca..e0d94f1 100644
return NULL;
if (likely(spin_trylock(&parent->d_lock)))
return parent;
-@@ -660,8 +660,8 @@ static inline bool fast_dput(struct dentry *dentry)
+@@ -660,8 +663,8 @@ static inline bool fast_dput(struct dentry *dentry)
*/
if (unlikely(ret < 0)) {
spin_lock(&dentry->d_lock);
@@ -77492,7 +77861,7 @@ index e3b44ca..e0d94f1 100644
spin_unlock(&dentry->d_lock);
return 1;
}
-@@ -716,7 +716,7 @@ static inline bool fast_dput(struct dentry *dentry)
+@@ -716,7 +719,7 @@ static inline bool fast_dput(struct dentry *dentry)
* else could have killed it and marked it dead. Either way, we
* don't need to do anything else.
*/
@@ -77501,7 +77870,7 @@ index e3b44ca..e0d94f1 100644
spin_unlock(&dentry->d_lock);
return 1;
}
-@@ -726,7 +726,7 @@ static inline bool fast_dput(struct dentry *dentry)
+@@ -726,7 +729,7 @@ static inline bool fast_dput(struct dentry *dentry)
* lock, and we just tested that it was zero, so we can just
* set it to 1.
*/
@@ -77510,7 +77879,7 @@ index e3b44ca..e0d94f1 100644
return 0;
}
-@@ -788,7 +788,7 @@ repeat:
+@@ -788,7 +791,7 @@ repeat:
dentry->d_flags |= DCACHE_REFERENCED;
dentry_lru_add(dentry);
@@ -77519,7 +77888,7 @@ index e3b44ca..e0d94f1 100644
spin_unlock(&dentry->d_lock);
return;
-@@ -803,7 +803,7 @@ EXPORT_SYMBOL(dput);
+@@ -803,7 +806,7 @@ EXPORT_SYMBOL(dput);
/* This must be called with d_lock held */
static inline void __dget_dlock(struct dentry *dentry)
{
@@ -77528,7 +77897,7 @@ index e3b44ca..e0d94f1 100644
}
static inline void __dget(struct dentry *dentry)
-@@ -844,8 +844,8 @@ repeat:
+@@ -844,8 +847,8 @@ repeat:
goto repeat;
}
rcu_read_unlock();
@@ -77539,7 +77908,7 @@ index e3b44ca..e0d94f1 100644
spin_unlock(&ret->d_lock);
return ret;
}
-@@ -923,9 +923,9 @@ restart:
+@@ -923,9 +926,9 @@ restart:
spin_lock(&inode->i_lock);
hlist_for_each_entry(dentry, &inode->i_dentry, d_u.d_alias) {
spin_lock(&dentry->d_lock);
@@ -77551,7 +77920,7 @@ index e3b44ca..e0d94f1 100644
__dentry_kill(dentry);
dput(parent);
goto restart;
-@@ -960,7 +960,7 @@ static void shrink_dentry_list(struct list_head *list)
+@@ -960,7 +963,7 @@ static void shrink_dentry_list(struct list_head *list)
* We found an inuse dentry which was not removed from
* the LRU because of laziness during lookup. Do not free it.
*/
@@ -77560,7 +77929,7 @@ index e3b44ca..e0d94f1 100644
spin_unlock(&dentry->d_lock);
if (parent)
spin_unlock(&parent->d_lock);
-@@ -998,8 +998,8 @@ static void shrink_dentry_list(struct list_head *list)
+@@ -998,8 +1001,8 @@ static void shrink_dentry_list(struct list_head *list)
dentry = parent;
while (dentry && !lockref_put_or_lock(&dentry->d_lockref)) {
parent = lock_parent(dentry);
@@ -77571,7 +77940,7 @@ index e3b44ca..e0d94f1 100644
spin_unlock(&dentry->d_lock);
if (parent)
spin_unlock(&parent->d_lock);
-@@ -1039,7 +1039,7 @@ static enum lru_status dentry_lru_isolate(struct list_head *item,
+@@ -1039,7 +1042,7 @@ static enum lru_status dentry_lru_isolate(struct list_head *item,
* counts, just remove them from the LRU. Otherwise give them
* another pass through the LRU.
*/
@@ -77580,7 +77949,7 @@ index e3b44ca..e0d94f1 100644
d_lru_isolate(lru, dentry);
spin_unlock(&dentry->d_lock);
return LRU_REMOVED;
-@@ -1373,7 +1373,7 @@ static enum d_walk_ret select_collect(void *_data, struct dentry *dentry)
+@@ -1373,7 +1376,7 @@ static enum d_walk_ret select_collect(void *_data, struct dentry *dentry)
} else {
if (dentry->d_flags & DCACHE_LRU_LIST)
d_lru_del(dentry);
@@ -77589,7 +77958,7 @@ index e3b44ca..e0d94f1 100644
d_shrink_add(dentry, &data->dispose);
data->found++;
}
-@@ -1421,7 +1421,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry)
+@@ -1421,7 +1424,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry)
return D_WALK_CONTINUE;
/* root with refcount 1 is fine */
@@ -77598,7 +77967,7 @@ index e3b44ca..e0d94f1 100644
return D_WALK_CONTINUE;
printk(KERN_ERR "BUG: Dentry %p{i=%lx,n=%pd} "
-@@ -1430,7 +1430,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry)
+@@ -1430,7 +1433,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry)
dentry->d_inode ?
dentry->d_inode->i_ino : 0UL,
dentry,
@@ -77607,7 +77976,7 @@ index e3b44ca..e0d94f1 100644
dentry->d_sb->s_type->name,
dentry->d_sb->s_id);
WARN_ON(1);
-@@ -1571,7 +1571,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
+@@ -1571,7 +1574,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
dentry->d_iname[DNAME_INLINE_LEN-1] = 0;
if (name->len > DNAME_INLINE_LEN-1) {
size_t size = offsetof(struct external_name, name[1]);
@@ -77616,7 +77985,7 @@ index e3b44ca..e0d94f1 100644
if (!p) {
kmem_cache_free(dentry_cache, dentry);
return NULL;
-@@ -1594,7 +1594,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
+@@ -1594,7 +1597,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
smp_wmb();
dentry->d_name.name = dname;
@@ -77625,7 +77994,7 @@ index e3b44ca..e0d94f1 100644
dentry->d_flags = 0;
spin_lock_init(&dentry->d_lock);
seqcount_init(&dentry->d_seq);
-@@ -1603,6 +1603,9 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
+@@ -1603,6 +1606,9 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
dentry->d_sb = sb;
dentry->d_op = NULL;
dentry->d_fsdata = NULL;
@@ -77635,7 +78004,7 @@ index e3b44ca..e0d94f1 100644
INIT_HLIST_BL_NODE(&dentry->d_hash);
INIT_LIST_HEAD(&dentry->d_lru);
INIT_LIST_HEAD(&dentry->d_subdirs);
-@@ -2327,7 +2330,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name)
+@@ -2327,7 +2333,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name)
goto next;
}
@@ -77644,7 +78013,7 @@ index e3b44ca..e0d94f1 100644
found = dentry;
spin_unlock(&dentry->d_lock);
break;
-@@ -2395,7 +2398,7 @@ again:
+@@ -2395,7 +2401,7 @@ again:
spin_lock(&dentry->d_lock);
inode = dentry->d_inode;
isdir = S_ISDIR(inode->i_mode);
@@ -77653,7 +78022,7 @@ index e3b44ca..e0d94f1 100644
if (!spin_trylock(&inode->i_lock)) {
spin_unlock(&dentry->d_lock);
cpu_relax();
-@@ -3344,7 +3347,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
+@@ -3344,7 +3350,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
if (!(dentry->d_flags & DCACHE_GENOCIDE)) {
dentry->d_flags |= DCACHE_GENOCIDE;
@@ -77662,7 +78031,7 @@ index e3b44ca..e0d94f1 100644
}
}
return D_WALK_CONTINUE;
-@@ -3452,7 +3455,8 @@ void __init vfs_caches_init_early(void)
+@@ -3452,7 +3458,8 @@ void __init vfs_caches_init_early(void)
void __init vfs_caches_init(void)
{
names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
@@ -78987,7 +79356,7 @@ index ee85cd4..9dd0d20 100644
}
EXPORT_SYMBOL(__f_setown);
diff --git a/fs/fhandle.c b/fs/fhandle.c
-index d59712d..2281df9 100644
+index d59712d..2c63363 100644
--- a/fs/fhandle.c
+++ b/fs/fhandle.c
@@ -8,6 +8,7 @@
@@ -79017,8 +79386,17 @@ index d59712d..2281df9 100644
retval = -EPERM;
goto out_err;
}
+@@ -197,7 +197,7 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh,
+ /* copy the full handle */
+ *handle = f_handle;
+ if (copy_from_user(&handle->f_handle,
+- &ufh->f_handle,
++ ufh->f_handle,
+ f_handle.handle_bytes)) {
+ retval = -EFAULT;
+ goto out_handle;
diff --git a/fs/file.c b/fs/file.c
-index 6c672ad..bf787b0 100644
+index 6c672ad..3166d8c 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -16,6 +16,7 @@
@@ -79029,25 +79407,46 @@ index 6c672ad..bf787b0 100644
#include <linux/fdtable.h>
#include <linux/bitops.h>
#include <linux/interrupt.h>
-@@ -139,7 +140,7 @@ out:
+@@ -139,9 +140,10 @@ out:
* Return <0 error code on error; 1 on successful completion.
* The files->file_lock should be held on entry, and will be held on exit.
*/
-static int expand_fdtable(struct files_struct *files, int nr)
+- __releases(files->file_lock)
+- __acquires(files->file_lock)
++static int expand_fdtable(struct files_struct *files, unsigned int nr)
++ __releases(&files->file_lock)
++ __acquires(&files->file_lock);
+static int expand_fdtable(struct files_struct *files, unsigned int nr)
- __releases(files->file_lock)
- __acquires(files->file_lock)
{
-@@ -184,7 +185,7 @@ static int expand_fdtable(struct files_struct *files, int nr)
+ struct fdtable *new_fdt, *cur_fdt;
+
+@@ -184,9 +186,10 @@ static int expand_fdtable(struct files_struct *files, int nr)
* expanded and execution may have blocked.
* The files->file_lock should be held on entry, and will be held on exit.
*/
-static int expand_files(struct files_struct *files, int nr)
+- __releases(files->file_lock)
+- __acquires(files->file_lock)
+static int expand_files(struct files_struct *files, unsigned int nr)
- __releases(files->file_lock)
- __acquires(files->file_lock)
++ __releases(&files->file_lock)
++ __acquires(&files->file_lock);
++static int expand_files(struct files_struct *files, unsigned int nr)
+ {
+ struct fdtable *fdt;
+ int expanded = 0;
+@@ -784,7 +787,9 @@ bool get_close_on_exec(unsigned int fd)
+
+ static int do_dup2(struct files_struct *files,
+ struct file *file, unsigned fd, unsigned flags)
+-__releases(&files->file_lock)
++__releases(&files->file_lock);
++static int do_dup2(struct files_struct *files,
++ struct file *file, unsigned fd, unsigned flags)
{
-@@ -834,6 +835,7 @@ int replace_fd(unsigned fd, struct file *file, unsigned flags)
+ struct file *tofree;
+ struct fdtable *fdt;
+@@ -834,6 +839,7 @@ int replace_fd(unsigned fd, struct file *file, unsigned flags)
if (!file)
return __close_fd(files, fd);
@@ -79055,7 +79454,7 @@ index 6c672ad..bf787b0 100644
if (fd >= rlimit(RLIMIT_NOFILE))
return -EBADF;
-@@ -860,6 +862,7 @@ SYSCALL_DEFINE3(dup3, unsigned int, oldfd, unsigned int, newfd, int, flags)
+@@ -860,6 +866,7 @@ SYSCALL_DEFINE3(dup3, unsigned int, oldfd, unsigned int, newfd, int, flags)
if (unlikely(oldfd == newfd))
return -EINVAL;
@@ -79063,7 +79462,7 @@ index 6c672ad..bf787b0 100644
if (newfd >= rlimit(RLIMIT_NOFILE))
return -EBADF;
-@@ -915,6 +918,7 @@ SYSCALL_DEFINE1(dup, unsigned int, fildes)
+@@ -915,6 +922,7 @@ SYSCALL_DEFINE1(dup, unsigned int, fildes)
int f_dupfd(unsigned int from, struct file *file, unsigned flags)
{
int err;
@@ -79087,6 +79486,53 @@ index 5797d45..7d7d79a 100644
fs = __get_fs_type(name, len);
if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index 5fa588e..21cc57d 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -869,9 +869,9 @@ restart:
+ #else /* CONFIG_CGROUP_WRITEBACK */
+
+ static struct bdi_writeback *
++locked_inode_to_wb_and_lock_list(struct inode *inode) __releases(&inode->i_lock) __acquires(&wb->list_lock);
++static struct bdi_writeback *
+ locked_inode_to_wb_and_lock_list(struct inode *inode)
+- __releases(&inode->i_lock)
+- __acquires(&wb->list_lock)
+ {
+ struct bdi_writeback *wb = inode_to_wb(inode);
+
+@@ -880,8 +880,8 @@ locked_inode_to_wb_and_lock_list(struct inode *inode)
+ return wb;
+ }
+
++static struct bdi_writeback *inode_to_wb_and_lock_list(struct inode *inode) __acquires(&wb->list_lock);
+ static struct bdi_writeback *inode_to_wb_and_lock_list(struct inode *inode)
+- __acquires(&wb->list_lock)
+ {
+ struct bdi_writeback *wb = inode_to_wb(inode);
+
+@@ -1127,9 +1127,8 @@ static int write_inode(struct inode *inode, struct writeback_control *wbc)
+ * Wait for writeback on an inode to complete. Called with i_lock held.
+ * Caller must make sure inode cannot go away when we drop i_lock.
+ */
++static void __inode_wait_for_writeback(struct inode *inode) __must_hold(&inode->i_lock);
+ static void __inode_wait_for_writeback(struct inode *inode)
+- __releases(inode->i_lock)
+- __acquires(inode->i_lock)
+ {
+ DEFINE_WAIT_BIT(wq, &inode->i_state, __I_SYNC);
+ wait_queue_head_t *wqh;
+@@ -1158,8 +1157,8 @@ void inode_wait_for_writeback(struct inode *inode)
+ * held and drops it. It is aimed for callers not holding any inode reference
+ * so once i_lock is dropped, inode can go away.
+ */
++static void inode_sleep_on_writeback(struct inode *inode) __releases(&inode->i_lock);
+ static void inode_sleep_on_writeback(struct inode *inode)
+- __releases(inode->i_lock)
+ {
+ DEFINE_WAIT(wait);
+ wait_queue_head_t *wqh = bit_waitqueue(&inode->i_state, __I_SYNC);
diff --git a/fs/fs_struct.c b/fs/fs_struct.c
index 7dca743..1ff87ae 100644
--- a/fs/fs_struct.c
@@ -81099,7 +81545,7 @@ index 14db05d..687f6d8 100644
#define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */
diff --git a/fs/namei.c b/fs/namei.c
-index 36df481..c3045fd 100644
+index 36df481..cb04cfe 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -336,17 +336,32 @@ int generic_permission(struct inode *inode, int mask)
@@ -81304,17 +81750,18 @@ index 36df481..c3045fd 100644
hash = a = 0;
len = -sizeof(unsigned long);
-@@ -2000,6 +2089,9 @@ static const char *path_init(struct nameidata *nd, unsigned flags)
+@@ -1999,7 +2088,9 @@ static const char *path_init(struct nameidata *nd, unsigned flags)
+ nd->last_type = LAST_ROOT; /* if there are only slashes... */
nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT;
nd->depth = 0;
- nd->total_link_count = 0;
+- nd->total_link_count = 0;
+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
+ nd->symlinkown_depth = 0;
+#endif
if (flags & LOOKUP_ROOT) {
struct dentry *root = nd->root.dentry;
struct inode *inode = root->d_inode;
-@@ -2137,6 +2229,11 @@ static int path_lookupat(struct nameidata *nd, unsigned flags, struct path *path
+@@ -2137,6 +2228,11 @@ static int path_lookupat(struct nameidata *nd, unsigned flags, struct path *path
if (!err)
err = complete_walk(nd);
@@ -81326,7 +81773,7 @@ index 36df481..c3045fd 100644
if (!err && nd->flags & LOOKUP_DIRECTORY)
if (!d_can_lookup(nd->path.dentry))
err = -ENOTDIR;
-@@ -2185,6 +2282,10 @@ static int path_parentat(struct nameidata *nd, unsigned flags,
+@@ -2185,6 +2281,10 @@ static int path_parentat(struct nameidata *nd, unsigned flags,
err = link_path_walk(s, nd);
if (!err)
err = complete_walk(nd);
@@ -81337,7 +81784,7 @@ index 36df481..c3045fd 100644
if (!err) {
*parent = nd->path;
nd->path.mnt = NULL;
-@@ -2716,6 +2817,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
+@@ -2716,6 +2816,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
if (flag & O_NOATIME && !inode_owner_or_capable(inode))
return -EPERM;
@@ -81351,7 +81798,7 @@ index 36df481..c3045fd 100644
return 0;
}
-@@ -2982,6 +3090,18 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2982,6 +3089,18 @@ static int lookup_open(struct nameidata *nd, struct path *path,
/* Negative dentry, just create the file */
if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
umode_t mode = op->mode;
@@ -81370,7 +81817,7 @@ index 36df481..c3045fd 100644
if (!IS_POSIXACL(dir->d_inode))
mode &= ~current_umask();
/*
-@@ -3003,6 +3123,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -3003,6 +3122,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
nd->flags & LOOKUP_EXCL);
if (error)
goto out_dput;
@@ -81379,7 +81826,7 @@ index 36df481..c3045fd 100644
}
out_no_open:
path->dentry = dentry;
-@@ -3066,6 +3188,9 @@ static int do_last(struct nameidata *nd,
+@@ -3066,6 +3187,9 @@ static int do_last(struct nameidata *nd,
if (error)
return error;
@@ -81389,7 +81836,7 @@ index 36df481..c3045fd 100644
audit_inode(nd->name, dir, LOOKUP_PARENT);
/* trailing slashes? */
if (unlikely(nd->last.name[nd->last.len]))
-@@ -3108,11 +3233,24 @@ retry_lookup:
+@@ -3108,11 +3232,24 @@ retry_lookup:
goto finish_open_created;
}
@@ -81415,7 +81862,7 @@ index 36df481..c3045fd 100644
/*
* If atomic_open() acquired write access it is dropped now due to
-@@ -3148,6 +3286,11 @@ finish_lookup:
+@@ -3148,6 +3285,11 @@ finish_lookup:
if (unlikely(error))
return error;
@@ -81427,7 +81874,7 @@ index 36df481..c3045fd 100644
if (unlikely(d_is_symlink(path.dentry)) && !(open_flag & O_PATH)) {
path_to_nameidata(&path, nd);
return -ELOOP;
-@@ -3170,6 +3313,12 @@ finish_open:
+@@ -3170,6 +3312,12 @@ finish_open:
path_put(&save_parent);
return error;
}
@@ -81440,7 +81887,7 @@ index 36df481..c3045fd 100644
audit_inode(nd->name, nd->path.dentry, 0);
error = -EISDIR;
if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
-@@ -3436,9 +3585,11 @@ static struct dentry *filename_create(int dfd, struct filename *name,
+@@ -3436,9 +3584,11 @@ static struct dentry *filename_create(int dfd, struct filename *name,
goto unlock;
error = -EEXIST;
@@ -81454,7 +81901,7 @@ index 36df481..c3045fd 100644
/*
* Special case - lookup gave negative, but... we had foo/bar/
* From the vfs_mknod() POV we just have a negative dentry -
-@@ -3492,6 +3643,20 @@ inline struct dentry *user_path_create(int dfd, const char __user *pathname,
+@@ -3492,6 +3642,20 @@ inline struct dentry *user_path_create(int dfd, const char __user *pathname,
}
EXPORT_SYMBOL(user_path_create);
@@ -81475,7 +81922,7 @@ index 36df481..c3045fd 100644
int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
int error = may_create(dir, dentry);
-@@ -3555,6 +3720,17 @@ retry:
+@@ -3555,6 +3719,17 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -81493,7 +81940,7 @@ index 36df481..c3045fd 100644
error = security_path_mknod(&path, dentry, mode, dev);
if (error)
goto out;
-@@ -3570,6 +3746,8 @@ retry:
+@@ -3570,6 +3745,8 @@ retry:
error = vfs_mknod(path.dentry->d_inode,dentry,mode,0);
break;
}
@@ -81502,7 +81949,7 @@ index 36df481..c3045fd 100644
out:
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
-@@ -3624,9 +3802,16 @@ retry:
+@@ -3624,9 +3801,16 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -81519,7 +81966,7 @@ index 36df481..c3045fd 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3659,7 +3844,7 @@ void dentry_unhash(struct dentry *dentry)
+@@ -3659,7 +3843,7 @@ void dentry_unhash(struct dentry *dentry)
{
shrink_dcache_parent(dentry);
spin_lock(&dentry->d_lock);
@@ -81528,7 +81975,7 @@ index 36df481..c3045fd 100644
__d_drop(dentry);
spin_unlock(&dentry->d_lock);
}
-@@ -3712,6 +3897,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -3712,6 +3896,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
struct path path;
struct qstr last;
int type;
@@ -81537,7 +81984,7 @@ index 36df481..c3045fd 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname,
-@@ -3744,10 +3931,20 @@ retry:
+@@ -3744,10 +3930,20 @@ retry:
error = -ENOENT;
goto exit3;
}
@@ -81558,7 +82005,7 @@ index 36df481..c3045fd 100644
exit3:
dput(dentry);
exit2:
-@@ -3842,6 +4039,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -3842,6 +4038,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
int type;
struct inode *inode = NULL;
struct inode *delegated_inode = NULL;
@@ -81567,7 +82014,7 @@ index 36df481..c3045fd 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname,
-@@ -3868,10 +4067,21 @@ retry_deleg:
+@@ -3868,10 +4066,21 @@ retry_deleg:
if (d_is_negative(dentry))
goto slashes;
ihold(inode);
@@ -81589,7 +82036,7 @@ index 36df481..c3045fd 100644
exit2:
dput(dentry);
}
-@@ -3960,9 +4170,17 @@ retry:
+@@ -3960,9 +4169,17 @@ retry:
if (IS_ERR(dentry))
goto out_putname;
@@ -81607,7 +82054,7 @@ index 36df481..c3045fd 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -4066,6 +4284,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -4066,6 +4283,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
struct dentry *new_dentry;
struct path old_path, new_path;
struct inode *delegated_inode = NULL;
@@ -81615,7 +82062,7 @@ index 36df481..c3045fd 100644
int how = 0;
int error;
-@@ -4089,7 +4308,7 @@ retry:
+@@ -4089,7 +4307,7 @@ retry:
if (error)
return error;
@@ -81624,7 +82071,7 @@ index 36df481..c3045fd 100644
(how & LOOKUP_REVAL));
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
-@@ -4101,11 +4320,26 @@ retry:
+@@ -4101,11 +4319,26 @@ retry:
error = may_linkat(&old_path);
if (unlikely(error))
goto out_dput;
@@ -81651,7 +82098,7 @@ index 36df481..c3045fd 100644
done_path_create(&new_path, new_dentry);
if (delegated_inode) {
error = break_deleg_wait(&delegated_inode);
-@@ -4420,6 +4654,20 @@ retry_deleg:
+@@ -4420,6 +4653,20 @@ retry_deleg:
if (new_dentry == trap)
goto exit5;
@@ -81672,7 +82119,7 @@ index 36df481..c3045fd 100644
error = security_path_rename(&old_path, old_dentry,
&new_path, new_dentry, flags);
if (error)
-@@ -4427,6 +4675,9 @@ retry_deleg:
+@@ -4427,6 +4674,9 @@ retry_deleg:
error = vfs_rename(old_path.dentry->d_inode, old_dentry,
new_path.dentry->d_inode, new_dentry,
&delegated_inode, flags);
@@ -81682,7 +82129,7 @@ index 36df481..c3045fd 100644
exit5:
dput(new_dentry);
exit4:
-@@ -4483,14 +4734,24 @@ EXPORT_SYMBOL(vfs_whiteout);
+@@ -4483,14 +4733,24 @@ EXPORT_SYMBOL(vfs_whiteout);
int readlink_copy(char __user *buffer, int buflen, const char *link)
{
@@ -82400,10 +82847,41 @@ index e33dab2..cdbdad9 100644
}
}
putname(tmp);
+diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
+index 871fcb6..f038f64 100644
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -142,7 +142,7 @@ static char *ovl_read_symlink(struct dentry *realdentry)
+ set_fs(get_ds());
+ /* The cast to a user pointer is valid due to the set_fs() */
+ res = inode->i_op->readlink(realdentry,
+- (char __user *)buf, PAGE_SIZE - 1);
++ (char __force_user *)buf, PAGE_SIZE - 1);
+ set_fs(old_fs);
+ if (res < 0) {
+ free_page((unsigned long) buf);
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
-index ec0c2a0..f9b5b82 100644
+index ec0c2a0..3a64073 100644
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
+@@ -49,13 +49,13 @@ int ovl_setattr(struct dentry *dentry, struct iattr *attr)
+ if (err)
+ goto out;
+
+- upperdentry = ovl_dentry_upper(dentry);
+- if (upperdentry) {
++ err = ovl_copy_up(dentry);
++ if (!err) {
++ upperdentry = ovl_dentry_upper(dentry);
++
+ mutex_lock(&upperdentry->d_inode->i_mutex);
+ err = notify_change(upperdentry, attr, NULL);
+ mutex_unlock(&upperdentry->d_inode->i_mutex);
+- } else {
+- err = ovl_copy_up_last(dentry, attr, false);
+ }
+ ovl_drop_write(dentry);
+ out:
@@ -346,6 +346,9 @@ struct inode *ovl_d_select_inode(struct dentry *dentry, unsigned file_flags)
if (d_is_dir(dentry))
return d_backing_inode(dentry);
@@ -82803,7 +83281,7 @@ index 1ade120..a86f1a2 100644
help
Various /proc files exist to monitor process memory utilization:
diff --git a/fs/proc/array.c b/fs/proc/array.c
-index ce065cf..8974fed 100644
+index 57fde2d..f6c419f 100644
--- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -60,6 +60,7 @@
@@ -82861,7 +83339,7 @@ index ce065cf..8974fed 100644
static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task, int whole)
{
-@@ -390,6 +421,13 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
+@@ -390,9 +421,16 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
char tcomm[sizeof(task->comm)];
unsigned long flags;
@@ -82874,7 +83352,11 @@ index ce065cf..8974fed 100644
+
state = *get_task_state(task);
vsize = eip = esp = 0;
- permitted = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT);
+- permitted = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT);
++ permitted = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS | PTRACE_MODE_NOAUDIT);
+ mm = get_task_mm(task);
+ if (mm) {
+ vsize = task_vsize(mm);
@@ -460,6 +498,19 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
gtime = task_gtime(task);
}
@@ -82911,7 +83393,7 @@ index ce065cf..8974fed 100644
seq_put_decimal_ull(m, ' ', esp);
seq_put_decimal_ull(m, ' ', eip);
/* The signal information here is obsolete.
-@@ -515,7 +572,11 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
+@@ -527,7 +584,11 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
seq_put_decimal_ull(m, ' ', cputime_to_clock_t(gtime));
seq_put_decimal_ll(m, ' ', cputime_to_clock_t(cgtime));
@@ -82924,7 +83406,7 @@ index ce065cf..8974fed 100644
seq_put_decimal_ull(m, ' ', mm->start_data);
seq_put_decimal_ull(m, ' ', mm->end_data);
seq_put_decimal_ull(m, ' ', mm->start_brk);
-@@ -553,8 +614,15 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
+@@ -565,8 +626,15 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task)
{
unsigned long size = 0, resident = 0, shared = 0, text = 0, data = 0;
@@ -82941,7 +83423,7 @@ index ce065cf..8974fed 100644
if (mm) {
size = task_statm(mm, &shared, &text, &data, &resident);
mmput(mm);
-@@ -577,6 +645,20 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
+@@ -589,6 +657,20 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
return 0;
}
@@ -82963,7 +83445,7 @@ index ce065cf..8974fed 100644
static struct pid *
get_children_pid(struct inode *inode, struct pid *pid_prev, loff_t pos)
diff --git a/fs/proc/base.c b/fs/proc/base.c
-index aa50d1a..c202cde 100644
+index 83a43c1..6279ec0 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -113,6 +113,14 @@ struct pid_entry {
@@ -83006,7 +83488,8 @@ index aa50d1a..c202cde 100644
static int proc_pid_auxv(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task)
{
- struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ);
+- struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ);
++ struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);
if (mm && !IS_ERR(mm)) {
unsigned int nwords = 0;
+
@@ -83031,7 +83514,25 @@ index aa50d1a..c202cde 100644
/*
* Provides a wchan file via kallsyms in a proper one-value-per-file format.
* Returns the resolved symbol. If that fails, simply return the address.
-@@ -459,7 +488,7 @@ static void unlock_trace(struct task_struct *task)
+@@ -430,7 +459,7 @@ static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns,
+
+ wchan = get_wchan(task);
+
+- if (wchan && ptrace_may_access(task, PTRACE_MODE_READ) && !lookup_symbol_name(wchan, symname))
++ if (wchan && !lookup_symbol_name(wchan, symname) && ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
+ seq_printf(m, "%s", symname);
+ else
+ seq_putc(m, '0');
+@@ -444,7 +473,7 @@ static int lock_trace(struct task_struct *task)
+ int err = mutex_lock_killable(&task->signal->cred_guard_mutex);
+ if (err)
+ return err;
+- if (!ptrace_may_access(task, PTRACE_MODE_ATTACH)) {
++ if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_FSCREDS)) {
+ mutex_unlock(&task->signal->cred_guard_mutex);
+ return -EPERM;
+ }
+@@ -456,7 +485,7 @@ static void unlock_trace(struct task_struct *task)
mutex_unlock(&task->signal->cred_guard_mutex);
}
@@ -83040,7 +83541,7 @@ index aa50d1a..c202cde 100644
#define MAX_STACK_TRACE_DEPTH 64
-@@ -657,7 +686,7 @@ static int proc_pid_limits(struct seq_file *m, struct pid_namespace *ns,
+@@ -654,7 +683,7 @@ static int proc_pid_limits(struct seq_file *m, struct pid_namespace *ns,
return 0;
}
@@ -83049,7 +83550,7 @@ index aa50d1a..c202cde 100644
static int proc_pid_syscall(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task)
{
-@@ -690,7 +719,7 @@ static int proc_pid_syscall(struct seq_file *m, struct pid_namespace *ns,
+@@ -687,7 +716,7 @@ static int proc_pid_syscall(struct seq_file *m, struct pid_namespace *ns,
/************************************************************************/
/* permission checks */
@@ -83058,19 +83559,19 @@ index aa50d1a..c202cde 100644
{
struct task_struct *task;
int allowed = 0;
-@@ -700,7 +729,10 @@ static int proc_fd_access_allowed(struct inode *inode)
+@@ -697,7 +726,10 @@ static int proc_fd_access_allowed(struct inode *inode)
*/
task = get_proc_task(inode);
if (task) {
- allowed = ptrace_may_access(task, PTRACE_MODE_READ);
+ if (log)
-+ allowed = ptrace_may_access(task, PTRACE_MODE_READ);
++ allowed = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);
+ else
-+ allowed = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT);
++ allowed = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS | PTRACE_MODE_NOAUDIT);
put_task_struct(task);
}
return allowed;
-@@ -731,10 +763,35 @@ static bool has_pid_permissions(struct pid_namespace *pid,
+@@ -728,11 +760,36 @@ static bool has_pid_permissions(struct pid_namespace *pid,
struct task_struct *task,
int hide_pid_min)
{
@@ -83095,18 +83596,20 @@ index aa50d1a..c202cde 100644
+ rcu_read_unlock();
+
+ if (!pid->hide_pid)
-+ return ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT);
++ return ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS | PTRACE_MODE_NOAUDIT);
+#endif
+
if (pid->hide_pid < hide_pid_min)
return true;
if (in_group_p(pid->pid_gid))
return true;
+- return ptrace_may_access(task, PTRACE_MODE_READ);
+
- return ptrace_may_access(task, PTRACE_MODE_READ);
++ return ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);
}
-@@ -752,7 +809,11 @@ static int proc_pid_permission(struct inode *inode, int mask)
+
+@@ -749,7 +806,11 @@ static int proc_pid_permission(struct inode *inode, int mask)
put_task_struct(task);
if (!has_perms) {
@@ -83118,10 +83621,12 @@ index aa50d1a..c202cde 100644
/*
* Let's make getdents(), stat(), and open()
* consistent with each other. If a process
-@@ -813,6 +874,10 @@ struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode)
+@@ -809,7 +870,11 @@ struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode)
+ struct mm_struct *mm = ERR_PTR(-ESRCH);
if (task) {
- mm = mm_access(task, mode);
+- mm = mm_access(task, mode);
++ mm = mm_access(task, mode | PTRACE_MODE_FSCREDS);
+ if (!IS_ERR_OR_NULL(mm) && gr_acl_handle_procpidmem(task)) {
+ mmput(mm);
+ mm = ERR_PTR(-EPERM);
@@ -83129,7 +83634,7 @@ index aa50d1a..c202cde 100644
put_task_struct(task);
if (!IS_ERR_OR_NULL(mm)) {
-@@ -834,6 +899,11 @@ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode)
+@@ -831,6 +896,11 @@ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode)
return PTR_ERR(mm);
file->private_data = mm;
@@ -83141,7 +83646,7 @@ index aa50d1a..c202cde 100644
return 0;
}
-@@ -855,6 +925,17 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
+@@ -852,6 +922,17 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
ssize_t copied;
char *page;
@@ -83159,7 +83664,7 @@ index aa50d1a..c202cde 100644
if (!mm)
return 0;
-@@ -867,7 +948,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
+@@ -864,7 +945,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
goto free;
while (count > 0) {
@@ -83168,7 +83673,7 @@ index aa50d1a..c202cde 100644
if (write && copy_from_user(page, buf, this_len)) {
copied = -EFAULT;
-@@ -959,6 +1040,13 @@ static ssize_t environ_read(struct file *file, char __user *buf,
+@@ -956,6 +1037,13 @@ static ssize_t environ_read(struct file *file, char __user *buf,
if (!mm)
return 0;
@@ -83182,7 +83687,7 @@ index aa50d1a..c202cde 100644
page = (char *)__get_free_page(GFP_TEMPORARY);
if (!page)
return -ENOMEM;
-@@ -968,7 +1056,7 @@ static ssize_t environ_read(struct file *file, char __user *buf,
+@@ -965,7 +1053,7 @@ static ssize_t environ_read(struct file *file, char __user *buf,
goto free;
while (count > 0) {
size_t this_len, max_len;
@@ -83191,7 +83696,7 @@ index aa50d1a..c202cde 100644
if (src >= (mm->env_end - mm->env_start))
break;
-@@ -1582,7 +1670,7 @@ static const char *proc_pid_follow_link(struct dentry *dentry, void **cookie)
+@@ -1579,7 +1667,7 @@ static const char *proc_pid_follow_link(struct dentry *dentry, void **cookie)
int error = -EACCES;
/* Are we allowed to snoop on the tasks file descriptors? */
@@ -83200,7 +83705,7 @@ index aa50d1a..c202cde 100644
goto out;
error = PROC_I(inode)->op.proc_get_link(dentry, &path);
-@@ -1626,8 +1714,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b
+@@ -1623,8 +1711,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b
struct path path;
/* Are we allowed to snoop on the tasks file descriptors? */
@@ -83221,7 +83726,7 @@ index aa50d1a..c202cde 100644
error = PROC_I(inode)->op.proc_get_link(dentry, &path);
if (error)
-@@ -1677,7 +1775,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t
+@@ -1674,7 +1772,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t
rcu_read_lock();
cred = __task_cred(task);
inode->i_uid = cred->euid;
@@ -83233,7 +83738,7 @@ index aa50d1a..c202cde 100644
rcu_read_unlock();
}
security_task_to_inode(task, inode);
-@@ -1713,10 +1815,19 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
+@@ -1710,10 +1812,19 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
return -ENOENT;
}
if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
@@ -83253,7 +83758,7 @@ index aa50d1a..c202cde 100644
}
}
rcu_read_unlock();
-@@ -1754,11 +1865,20 @@ int pid_revalidate(struct dentry *dentry, unsigned int flags)
+@@ -1751,11 +1862,20 @@ int pid_revalidate(struct dentry *dentry, unsigned int flags)
if (task) {
if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
@@ -83274,7 +83779,34 @@ index aa50d1a..c202cde 100644
rcu_read_unlock();
} else {
inode->i_uid = GLOBAL_ROOT_UID;
-@@ -2290,6 +2410,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir,
+@@ -1871,7 +1991,7 @@ static int map_files_d_revalidate(struct dentry *dentry, unsigned int flags)
+ if (!task)
+ goto out_notask;
+
+- mm = mm_access(task, PTRACE_MODE_READ);
++ mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);
+ if (IS_ERR_OR_NULL(mm))
+ goto out;
+
+@@ -2003,7 +2123,7 @@ static struct dentry *proc_map_files_lookup(struct inode *dir,
+ goto out;
+
+ result = -EACCES;
+- if (!ptrace_may_access(task, PTRACE_MODE_READ))
++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
+ goto out_put_task;
+
+ result = -ENOENT;
+@@ -2060,7 +2180,7 @@ proc_map_files_readdir(struct file *file, struct dir_context *ctx)
+ goto out;
+
+ ret = -EACCES;
+- if (!ptrace_may_access(task, PTRACE_MODE_READ))
++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
+ goto out_put_task;
+
+ ret = 0;
+@@ -2287,6 +2407,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir,
if (!task)
goto out_no_task;
@@ -83284,7 +83816,7 @@ index aa50d1a..c202cde 100644
/*
* Yes, it does not scale. And it should not. Don't add
* new entries into /proc/<tgid>/ without very good reasons.
-@@ -2320,6 +2443,9 @@ static int proc_pident_readdir(struct file *file, struct dir_context *ctx,
+@@ -2317,6 +2440,9 @@ static int proc_pident_readdir(struct file *file, struct dir_context *ctx,
if (!task)
return -ENOENT;
@@ -83294,7 +83826,16 @@ index aa50d1a..c202cde 100644
if (!dir_emit_dots(file, ctx))
goto out;
-@@ -2764,7 +2890,7 @@ static const struct pid_entry tgid_base_stuff[] = {
+@@ -2540,7 +2666,7 @@ static int do_io_accounting(struct task_struct *task, struct seq_file *m, int wh
+ if (result)
+ return result;
+
+- if (!ptrace_may_access(task, PTRACE_MODE_READ)) {
++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) {
+ result = -EACCES;
+ goto out_unlock;
+ }
+@@ -2761,7 +2887,7 @@ static const struct pid_entry tgid_base_stuff[] = {
REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
#endif
REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
@@ -83303,7 +83844,7 @@ index aa50d1a..c202cde 100644
ONE("syscall", S_IRUSR, proc_pid_syscall),
#endif
REG("cmdline", S_IRUGO, proc_pid_cmdline_ops),
-@@ -2789,10 +2915,10 @@ static const struct pid_entry tgid_base_stuff[] = {
+@@ -2786,10 +2912,10 @@ static const struct pid_entry tgid_base_stuff[] = {
#ifdef CONFIG_SECURITY
DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
#endif
@@ -83316,7 +83857,7 @@ index aa50d1a..c202cde 100644
ONE("stack", S_IRUSR, proc_pid_stack),
#endif
#ifdef CONFIG_SCHED_INFO
-@@ -2826,6 +2952,9 @@ static const struct pid_entry tgid_base_stuff[] = {
+@@ -2823,6 +2949,9 @@ static const struct pid_entry tgid_base_stuff[] = {
#ifdef CONFIG_HARDWALL
ONE("hardwall", S_IRUGO, proc_pid_hardwall),
#endif
@@ -83326,7 +83867,7 @@ index aa50d1a..c202cde 100644
#ifdef CONFIG_USER_NS
REG("uid_map", S_IRUGO|S_IWUSR, proc_uid_map_operations),
REG("gid_map", S_IRUGO|S_IWUSR, proc_gid_map_operations),
-@@ -2958,7 +3087,14 @@ static int proc_pid_instantiate(struct inode *dir,
+@@ -2955,7 +3084,14 @@ static int proc_pid_instantiate(struct inode *dir,
if (!inode)
goto out;
@@ -83341,7 +83882,7 @@ index aa50d1a..c202cde 100644
inode->i_op = &proc_tgid_base_inode_operations;
inode->i_fop = &proc_tgid_base_operations;
inode->i_flags|=S_IMMUTABLE;
-@@ -2996,7 +3132,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, unsign
+@@ -2993,7 +3129,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, unsign
if (!task)
goto out;
@@ -83353,7 +83894,7 @@ index aa50d1a..c202cde 100644
put_task_struct(task);
out:
return ERR_PTR(result);
-@@ -3110,7 +3250,7 @@ static const struct pid_entry tid_base_stuff[] = {
+@@ -3107,7 +3247,7 @@ static const struct pid_entry tid_base_stuff[] = {
REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
#endif
REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
@@ -83362,7 +83903,7 @@ index aa50d1a..c202cde 100644
ONE("syscall", S_IRUSR, proc_pid_syscall),
#endif
REG("cmdline", S_IRUGO, proc_pid_cmdline_ops),
-@@ -3137,10 +3277,10 @@ static const struct pid_entry tid_base_stuff[] = {
+@@ -3134,10 +3274,10 @@ static const struct pid_entry tid_base_stuff[] = {
#ifdef CONFIG_SECURITY
DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
#endif
@@ -83778,6 +84319,28 @@ index d3ebf2e..abe1823 100644
#endif
#ifdef CONFIG_TRANSPARENT_HUGEPAGE
, K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) *
+diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c
+index f6e8354..1b0ea4a 100644
+--- a/fs/proc/namespaces.c
++++ b/fs/proc/namespaces.c
+@@ -42,7 +42,7 @@ static const char *proc_ns_follow_link(struct dentry *dentry, void **cookie)
+ if (!task)
+ return error;
+
+- if (ptrace_may_access(task, PTRACE_MODE_READ)) {
++ if (ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) {
+ error = ns_get_path(&ns_path, task, ns_ops);
+ if (!error)
+ nd_jump_link(&ns_path);
+@@ -63,7 +63,7 @@ static int proc_ns_readlink(struct dentry *dentry, char __user *buffer, int bufl
+ if (!task)
+ return res;
+
+- if (ptrace_may_access(task, PTRACE_MODE_READ)) {
++ if (ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) {
+ res = ns_get_name(name, sizeof(name), task, ns_ops);
+ if (res >= 0)
+ res = readlink_copy(buffer, buflen, name);
diff --git a/fs/proc/nommu.c b/fs/proc/nommu.c
index f8595e8..e0d13cbd 100644
--- a/fs/proc/nommu.c
@@ -84213,7 +84776,7 @@ index 510413eb..34d9a8c 100644
seq_printf(p, "softirq %llu", (unsigned long long)sum_softirq);
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
-index ca1e091..12dd9f1 100644
+index ca1e091..41c80d6 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -13,12 +13,19 @@
@@ -84381,6 +84944,15 @@ index ca1e091..12dd9f1 100644
mss.resident >> 10,
(unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
mss.shared_clean >> 10,
+@@ -1257,7 +1308,7 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
+ if (!pm.buffer)
+ goto out_task;
+
+- mm = mm_access(task, PTRACE_MODE_READ);
++ mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);
+ ret = PTR_ERR(mm);
+ if (!mm || IS_ERR(mm))
+ goto out_free;
@@ -1491,6 +1542,13 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
char buffer[64];
int nid;
@@ -84540,7 +85112,7 @@ index 819ef3f..f07222d 100644
count = MAX_RW_COUNT;
ret = __vfs_write(file, p, count, pos);
diff --git a/fs/readdir.c b/fs/readdir.c
-index ced6791..936687b 100644
+index ced6791..e0500c1 100644
--- a/fs/readdir.c
+++ b/fs/readdir.c
@@ -18,6 +18,7 @@
@@ -84624,7 +85196,7 @@ index ced6791..936687b 100644
dirent = buf->previous;
if (dirent) {
if (__put_user(offset, &dirent->d_off))
-@@ -293,6 +311,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int, fd,
+@@ -293,13 +311,13 @@ SYSCALL_DEFINE3(getdents64, unsigned int, fd,
if (!f.file)
return -EBADF;
@@ -84632,6 +85204,14 @@ index ced6791..936687b 100644
error = iterate_dir(f.file, &buf.ctx);
if (error >= 0)
error = buf.error;
+ lastdirent = buf.previous;
+ if (lastdirent) {
+- typeof(lastdirent->d_off) d_off = buf.ctx.pos;
+- if (__put_user(d_off, &lastdirent->d_off))
++ if (__put_user(buf.ctx.pos, &lastdirent->d_off))
+ error = -EFAULT;
+ else
+ error = count - buf.count;
diff --git a/fs/reiserfs/do_balan.c b/fs/reiserfs/do_balan.c
index 9c02d96..6562c10 100644
--- a/fs/reiserfs/do_balan.c
@@ -85116,6 +85696,20 @@ index cccc1aa..7fe8951 100644
generic_fillattr(inode, stat);
return 0;
+diff --git a/fs/super.c b/fs/super.c
+index b613723..08704f9 100644
+--- a/fs/super.c
++++ b/fs/super.c
+@@ -333,7 +333,8 @@ EXPORT_SYMBOL(deactivate_super);
+ * called for superblocks not in rundown mode (== ones still on ->fs_supers
+ * of their type), so increment of ->s_count is OK here.
+ */
+-static int grab_super(struct super_block *s) __releases(sb_lock)
++static int grab_super(struct super_block *s) __releases(&sb_lock);
++static int grab_super(struct super_block *s)
+ {
+ s->s_count++;
+ spin_unlock(&sb_lock);
diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
index 94374e4..b5da3a1 100644
--- a/fs/sysfs/dir.c
@@ -97754,7 +98348,7 @@ index ea17cca..dd56e56 100644
if (small_const_nbits(nbits))
return hweight_long(*src & BITMAP_LAST_WORD_MASK(nbits));
diff --git a/include/linux/bitops.h b/include/linux/bitops.h
-index 297f5bd..5892caa 100644
+index 297f5bd..7812342 100644
--- a/include/linux/bitops.h
+++ b/include/linux/bitops.h
@@ -75,7 +75,7 @@ static __inline__ int get_count_order(unsigned int count)
@@ -97766,15 +98360,18 @@ index 297f5bd..5892caa 100644
{
return sizeof(w) == 4 ? hweight32(w) : hweight64(w);
}
-@@ -105,7 +105,7 @@ static inline __u64 ror64(__u64 word, unsigned int shift)
+@@ -105,9 +105,9 @@ static inline __u64 ror64(__u64 word, unsigned int shift)
* @word: value to rotate
* @shift: bits to roll
*/
-static inline __u32 rol32(__u32 word, unsigned int shift)
+static inline __u32 __intentional_overflow(-1) rol32(__u32 word, unsigned int shift)
{
- return (word << shift) | (word >> (32 - shift));
+- return (word << shift) | (word >> (32 - shift));
++ return (word << shift) | (word >> ((-shift) & 31));
}
+
+ /**
@@ -115,7 +115,7 @@ static inline __u32 rol32(__u32 word, unsigned int shift)
* @word: value to rotate
* @shift: bits to roll
@@ -97994,7 +98591,7 @@ index dfaa7b3..58cebfb 100644
* Mark a position in code as unreachable. This can be used to
* suppress control flow warnings after asm blocks that transfer
diff --git a/include/linux/compiler.h b/include/linux/compiler.h
-index e08a6ae..8d965c5 100644
+index e08a6ae..42d2098 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -5,11 +5,14 @@
@@ -98012,7 +98609,7 @@ index e08a6ae..8d965c5 100644
# define __must_hold(x) __attribute__((context(x,1,1)))
# define __acquires(x) __attribute__((context(x,0,1)))
# define __releases(x) __attribute__((context(x,1,0)))
-@@ -17,21 +20,39 @@
+@@ -17,33 +20,78 @@
# define __release(x) __context__(x,-1)
# define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0)
# define __percpu __attribute__((noderef, address_space(3)))
@@ -98032,10 +98629,34 @@ index e08a6ae..8d965c5 100644
-# define __user
-# define __kernel
+# ifdef CHECKER_PLUGIN
++# ifdef CHECKER_PLUGIN_USER
+//# define __user
+//# define __force_user
+//# define __kernel
+//# define __force_kernel
++# else
++# define __user
++# define __force_user
++# define __kernel
++# define __force_kernel
++# endif
++# ifdef CHECKER_PLUGIN_CONTEXT
++# define __must_hold(x) __attribute__((context(#x,1,1)))
++# define __acquires(x) __attribute__((context(#x,0,1)))
++# define __releases(x) __attribute__((context(#x,1,0)))
++# define __acquire(x) __context__(#x,1)
++# define __release(x) __context__(#x,-1)
++# define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0)
++# define __cond_unlock(x,c) ((c) ? ({ __release(x); 1; }) : 0)
++# else
++# define __must_hold(x)
++# define __acquires(x)
++# define __releases(x)
++# define __acquire(x) (void)0
++# define __release(x) (void)0
++# define __cond_lock(x,c) (c)
++# define __cond_unlock(x,c) (c)
++# endif
+# else
+# ifdef STRUCTLEAK_PLUGIN
+# define __user __attribute__((user))
@@ -98045,6 +98666,12 @@ index e08a6ae..8d965c5 100644
+# define __force_user
+# define __kernel
+# define __force_kernel
++# define __must_hold(x)
++# define __acquires(x)
++# define __releases(x)
++# define __acquire(x) (void)0
++# define __release(x) (void)0
++# define __cond_lock(x,c) (c)
+# endif
# define __safe
# define __force
@@ -98054,9 +98681,12 @@ index e08a6ae..8d965c5 100644
# define __chk_user_ptr(x) (void)0
# define __chk_io_ptr(x) (void)0
# define __builtin_warning(x, y...) (1)
-@@ -42,8 +63,11 @@ extern void __chk_io_ptr(const volatile void __iomem *);
- # define __release(x) (void)0
- # define __cond_lock(x,c) (c)
+-# define __must_hold(x)
+-# define __acquires(x)
+-# define __releases(x)
+-# define __acquire(x) (void)0
+-# define __release(x) (void)0
+-# define __cond_lock(x,c) (c)
# define __percpu
+# define __force_percpu
# define __rcu
@@ -98066,7 +98696,7 @@ index e08a6ae..8d965c5 100644
#endif
/* Indirect macros required for expanded argument pasting, eg. __LINE__. */
-@@ -198,34 +222,6 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+@@ -198,34 +246,6 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
#include <uapi/linux/types.h>
@@ -98101,7 +98731,7 @@ index e08a6ae..8d965c5 100644
/*
* Prevent the compiler from merging or refetching reads or writes. The
* compiler is also forbidden from reordering successive instances of
-@@ -248,11 +244,16 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
+@@ -248,11 +268,16 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
* required ordering.
*/
@@ -98122,7 +98752,7 @@ index e08a6ae..8d965c5 100644
/**
* READ_ONCE_CTRL - Read a value heading a control dependency
-@@ -370,6 +371,38 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
+@@ -370,6 +395,38 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
# define __attribute_const__ /* unimplemented */
#endif
@@ -98161,7 +98791,7 @@ index e08a6ae..8d965c5 100644
/*
* Tell gcc if a function is cold. The compiler will assume any path
* directly leading to the call is unlikely.
-@@ -379,6 +412,22 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
+@@ -379,6 +436,22 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
#define __cold
#endif
@@ -98184,7 +98814,7 @@ index e08a6ae..8d965c5 100644
/* Simple shorthand for a section definition */
#ifndef __section
# define __section(S) __attribute__ ((__section__(#S)))
-@@ -393,6 +442,8 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
+@@ -393,6 +466,8 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
# define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b))
#endif
@@ -98193,7 +98823,7 @@ index e08a6ae..8d965c5 100644
/* Is this type a native word size -- useful for atomic operations */
#ifndef __native_word
# define __native_word(t) (sizeof(t) == sizeof(char) || sizeof(t) == sizeof(short) || sizeof(t) == sizeof(int) || sizeof(t) == sizeof(long))
-@@ -472,8 +523,9 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
+@@ -472,8 +547,9 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
*/
#define __ACCESS_ONCE(x) ({ \
__maybe_unused typeof(x) __var = (__force typeof(x)) 0; \
@@ -102074,6 +102704,41 @@ index 42dfc61..8113a99 100644
extern const struct proc_ns_operations netns_operations;
extern const struct proc_ns_operations utsns_operations;
+diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h
+index 987a73a..998c098 100644
+--- a/include/linux/ptrace.h
++++ b/include/linux/ptrace.h
+@@ -56,7 +56,29 @@ extern void exit_ptrace(struct task_struct *tracer, struct list_head *dead);
+ #define PTRACE_MODE_READ 0x01
+ #define PTRACE_MODE_ATTACH 0x02
+ #define PTRACE_MODE_NOAUDIT 0x04
+-/* Returns true on success, false on denial. */
++#define PTRACE_MODE_FSCREDS 0x08
++#define PTRACE_MODE_REALCREDS 0x10
++
++/* shorthands for READ/ATTACH and FSCREDS/REALCREDS combinations */
++#define PTRACE_MODE_READ_FSCREDS (PTRACE_MODE_READ | PTRACE_MODE_FSCREDS)
++#define PTRACE_MODE_READ_REALCREDS (PTRACE_MODE_READ | PTRACE_MODE_REALCREDS)
++#define PTRACE_MODE_ATTACH_FSCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS)
++#define PTRACE_MODE_ATTACH_REALCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS)
++
++/**
++ * ptrace_may_access - check whether the caller is permitted to access
++ * a target task.
++ * @task: target task
++ * @mode: selects type of access and caller credentials
++ *
++ * Returns true on success, false on denial.
++ *
++ * One of the flags PTRACE_MODE_FSCREDS and PTRACE_MODE_REALCREDS must
++ * be set in @mode to specify whether the access was requested through
++ * a filesystem syscall (should use effective capabilities and fsuid
++ * of the caller) or through an explicit syscall such as
++ * process_vm_writev or ptrace (and should use the real credentials).
++ */
+ extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
+
+ static inline int ptrace_reparented(struct task_struct *child)
diff --git a/include/linux/quota.h b/include/linux/quota.h
index b2505ac..5f7ab55 100644
--- a/include/linux/quota.h
@@ -102197,6 +102862,74 @@ index 17c6b1f..a65e3f8 100644
/**
* hlist_del_init_rcu - deletes entry from hash list with re-initialization
* @n: the element to delete from the hash list.
+diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h
+index 4cf5f51..87c7c91 100644
+--- a/include/linux/rcupdate.h
++++ b/include/linux/rcupdate.h
+@@ -840,6 +840,7 @@ static inline void rcu_preempt_sleep_check(void)
+ * read-side critical sections may be preempted and they may also block, but
+ * only when acquiring spinlocks that are subject to priority inheritance.
+ */
++static inline void rcu_read_lock(void) __acquires(RCU);
+ static inline void rcu_read_lock(void)
+ {
+ __rcu_read_lock();
+@@ -894,6 +895,7 @@ static inline void rcu_read_lock(void)
+ *
+ * See rcu_read_lock() for more information.
+ */
++static inline void rcu_read_unlock(void) __releases(RCU);
+ static inline void rcu_read_unlock(void)
+ {
+ rcu_lockdep_assert(rcu_is_watching(),
+@@ -920,6 +922,7 @@ static inline void rcu_read_unlock(void)
+ * rcu_read_unlock_bh() from one task if the matching rcu_read_lock_bh()
+ * was invoked from some other task.
+ */
++static inline void rcu_read_lock_bh(void) __acquires(RCU_BH);
+ static inline void rcu_read_lock_bh(void)
+ {
+ local_bh_disable();
+@@ -934,6 +937,7 @@ static inline void rcu_read_lock_bh(void)
+ *
+ * See rcu_read_lock_bh() for more information.
+ */
++static inline void rcu_read_unlock_bh(void) __releases(RCU_BH);
+ static inline void rcu_read_unlock_bh(void)
+ {
+ rcu_lockdep_assert(rcu_is_watching(),
+@@ -956,6 +960,7 @@ static inline void rcu_read_unlock_bh(void)
+ * rcu_read_unlock_sched() from process context if the matching
+ * rcu_read_lock_sched() was invoked from an NMI handler.
+ */
++static inline void rcu_read_lock_sched(void) __acquires(RCU_SCHED);
+ static inline void rcu_read_lock_sched(void)
+ {
+ preempt_disable();
+@@ -966,6 +971,7 @@ static inline void rcu_read_lock_sched(void)
+ }
+
+ /* Used by lockdep and tracing: cannot be traced, cannot call lockdep. */
++static inline notrace void rcu_read_lock_sched_notrace(void) __acquires(RCU_SCHED);
+ static inline notrace void rcu_read_lock_sched_notrace(void)
+ {
+ preempt_disable_notrace();
+@@ -977,6 +983,7 @@ static inline notrace void rcu_read_lock_sched_notrace(void)
+ *
+ * See rcu_read_lock_sched for more information.
+ */
++static inline void rcu_read_unlock_sched(void) __releases(RCU_SCHED);
+ static inline void rcu_read_unlock_sched(void)
+ {
+ rcu_lockdep_assert(rcu_is_watching(),
+@@ -987,6 +994,7 @@ static inline void rcu_read_unlock_sched(void)
+ }
+
+ /* Used by lockdep and tracing: cannot be traced, cannot call lockdep. */
++static inline notrace void rcu_read_unlock_sched_notrace(void) __releases(RCU_SCHED);
+ static inline notrace void rcu_read_unlock_sched_notrace(void)
+ {
+ __release(RCU_SCHED);
diff --git a/include/linux/reboot.h b/include/linux/reboot.h
index a7ff409..03e2fa8 100644
--- a/include/linux/reboot.h
@@ -102324,7 +103057,7 @@ index 9b1ef0c..9fa3feb 100644
/*
diff --git a/include/linux/sched.h b/include/linux/sched.h
-index bfca8aa..ac50d1b 100644
+index bfca8aa..d0aedec 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -7,7 +7,7 @@
@@ -102641,6 +103374,15 @@ index bfca8aa..ac50d1b 100644
extern struct task_struct *find_task_by_pid_ns(pid_t nr,
struct pid_namespace *ns);
+@@ -2445,7 +2575,7 @@ extern void proc_caches_init(void);
+ extern void flush_signals(struct task_struct *);
+ extern void ignore_signals(struct task_struct *);
+ extern void flush_signal_handlers(struct task_struct *, int force_default);
+-extern int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info);
++extern int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info) __must_hold(&tsk->sighand->siglock);
+
+ static inline int dequeue_signal_lock(struct task_struct *tsk, sigset_t *mask, siginfo_t *info)
+ {
@@ -2591,7 +2721,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
extern void exit_itimers(struct signal_struct *);
extern void flush_itimer_signals(void);
@@ -102650,7 +103392,21 @@ index bfca8aa..ac50d1b 100644
extern int do_execve(struct filename *,
const char __user * const __user *,
-@@ -2796,9 +2926,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
+@@ -2706,11 +2836,13 @@ static inline int thread_group_empty(struct task_struct *p)
+ * It must not be nested with write_lock_irq(&tasklist_lock),
+ * neither inside nor outside.
+ */
++static inline void task_lock(struct task_struct *p) __acquires(&p->alloc_lock);
+ static inline void task_lock(struct task_struct *p)
+ {
+ spin_lock(&p->alloc_lock);
+ }
+
++static inline void task_unlock(struct task_struct *p) __releases(&p->alloc_lock);
+ static inline void task_unlock(struct task_struct *p)
+ {
+ spin_unlock(&p->alloc_lock);
+@@ -2796,9 +2928,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
#define task_stack_end_corrupted(task) \
(*(end_of_stack(task)) != STACK_END_MAGIC)
@@ -102750,6 +103506,82 @@ index d4c7271..abf5706 100644
int single_open_size(struct file *, int (*)(struct seq_file *, void *), void *, size_t);
int single_release(struct inode *, struct file *);
void *__seq_open_private(struct file *, const struct seq_operations *, int);
+diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h
+index e058210..386666a 100644
+--- a/include/linux/seqlock.h
++++ b/include/linux/seqlock.h
+@@ -440,42 +440,49 @@ static inline unsigned read_seqretry(const seqlock_t *sl, unsigned start)
+ * Acts like a normal spin_lock/unlock.
+ * Don't need preempt_disable() because that is in the spin_lock already.
+ */
++static inline void write_seqlock(seqlock_t *sl) __acquires(sl);
+ static inline void write_seqlock(seqlock_t *sl)
+ {
+ spin_lock(&sl->lock);
+ write_seqcount_begin(&sl->seqcount);
+ }
+
++static inline void write_sequnlock(seqlock_t *sl) __releases(sl);
+ static inline void write_sequnlock(seqlock_t *sl)
+ {
+ write_seqcount_end(&sl->seqcount);
+ spin_unlock(&sl->lock);
+ }
+
++static inline void write_seqlock_bh(seqlock_t *sl) __acquires(sl);
+ static inline void write_seqlock_bh(seqlock_t *sl)
+ {
+ spin_lock_bh(&sl->lock);
+ write_seqcount_begin(&sl->seqcount);
+ }
+
++static inline void write_sequnlock_bh(seqlock_t *sl) __releases(sl);
+ static inline void write_sequnlock_bh(seqlock_t *sl)
+ {
+ write_seqcount_end(&sl->seqcount);
+ spin_unlock_bh(&sl->lock);
+ }
+
++static inline void write_seqlock_irq(seqlock_t *sl) __acquires(sl);
+ static inline void write_seqlock_irq(seqlock_t *sl)
+ {
+ spin_lock_irq(&sl->lock);
+ write_seqcount_begin(&sl->seqcount);
+ }
+
++static inline void write_sequnlock_irq(seqlock_t *sl) __releases(sl);
+ static inline void write_sequnlock_irq(seqlock_t *sl)
+ {
+ write_seqcount_end(&sl->seqcount);
+ spin_unlock_irq(&sl->lock);
+ }
+
++static inline unsigned long __write_seqlock_irqsave(seqlock_t *sl) __acquires(sl);
+ static inline unsigned long __write_seqlock_irqsave(seqlock_t *sl)
+ {
+ unsigned long flags;
+@@ -488,6 +495,7 @@ static inline unsigned long __write_seqlock_irqsave(seqlock_t *sl)
+ #define write_seqlock_irqsave(lock, flags) \
+ do { flags = __write_seqlock_irqsave(lock); } while (0)
+
++static inline void write_sequnlock_irqrestore(seqlock_t *sl, unsigned long flags) __releases(sl);
+ static inline void
+ write_sequnlock_irqrestore(seqlock_t *sl, unsigned long flags)
+ {
+@@ -500,11 +508,13 @@ write_sequnlock_irqrestore(seqlock_t *sl, unsigned long flags)
+ * but doesn't update the sequence number. Acts like a normal spin_lock/unlock.
+ * Don't need preempt_disable() because that is in the spin_lock already.
+ */
++static inline void read_seqlock_excl(seqlock_t *sl) __acquires(sl);
+ static inline void read_seqlock_excl(seqlock_t *sl)
+ {
+ spin_lock(&sl->lock);
+ }
+
++static inline void read_sequnlock_excl(seqlock_t *sl) __releases(sl);
+ static inline void read_sequnlock_excl(seqlock_t *sl)
+ {
+ spin_unlock(&sl->lock);
diff --git a/include/linux/shm.h b/include/linux/shm.h
index 6fb8016..2cf60e7 100644
--- a/include/linux/shm.h
@@ -103026,6 +103858,112 @@ index 680f9a3..f13aeb0 100644
__SONET_ITEMS
#undef __HANDLE_ITEM
};
+diff --git a/include/linux/spinlock.h b/include/linux/spinlock.h
+index 0063b24..b2f35f7 100644
+--- a/include/linux/spinlock.h
++++ b/include/linux/spinlock.h
+@@ -152,14 +152,17 @@ do { \
+ extern int do_raw_spin_trylock(raw_spinlock_t *lock);
+ extern void do_raw_spin_unlock(raw_spinlock_t *lock) __releases(lock);
+ #else
+-static inline void do_raw_spin_lock(raw_spinlock_t *lock) __acquires(lock)
++static inline void do_raw_spin_lock(raw_spinlock_t *lock) __acquires(lock);
++static inline void do_raw_spin_lock(raw_spinlock_t *lock)
+ {
+ __acquire(lock);
+ arch_spin_lock(&lock->raw_lock);
+ }
+
+ static inline void
+-do_raw_spin_lock_flags(raw_spinlock_t *lock, unsigned long *flags) __acquires(lock)
++do_raw_spin_lock_flags(raw_spinlock_t *lock, unsigned long *flags) __acquires(lock);
++static inline void
++do_raw_spin_lock_flags(raw_spinlock_t *lock, unsigned long *flags)
+ {
+ __acquire(lock);
+ arch_spin_lock_flags(&lock->raw_lock, *flags);
+@@ -170,7 +173,8 @@ static inline int do_raw_spin_trylock(raw_spinlock_t *lock)
+ return arch_spin_trylock(&(lock)->raw_lock);
+ }
+
+-static inline void do_raw_spin_unlock(raw_spinlock_t *lock) __releases(lock)
++static inline void do_raw_spin_unlock(raw_spinlock_t *lock) __releases(lock);
++static inline void do_raw_spin_unlock(raw_spinlock_t *lock)
+ {
+ arch_spin_unlock(&lock->raw_lock);
+ __release(lock);
+@@ -307,11 +311,13 @@ do { \
+ raw_spin_lock_init(&(_lock)->rlock); \
+ } while (0)
+
++static inline void spin_lock(spinlock_t *lock) __acquires(lock);
+ static inline void spin_lock(spinlock_t *lock)
+ {
+ raw_spin_lock(&lock->rlock);
+ }
+
++static inline void spin_lock_bh(spinlock_t *lock) __acquires(lock);
+ static inline void spin_lock_bh(spinlock_t *lock)
+ {
+ raw_spin_lock_bh(&lock->rlock);
+@@ -337,6 +343,7 @@ do { \
+ raw_spin_lock_nest_lock(spinlock_check(lock), nest_lock); \
+ } while (0)
+
++static inline void spin_lock_irq(spinlock_t *lock) __acquires(lock);
+ static inline void spin_lock_irq(spinlock_t *lock)
+ {
+ raw_spin_lock_irq(&lock->rlock);
+@@ -352,21 +359,25 @@ do { \
+ raw_spin_lock_irqsave_nested(spinlock_check(lock), flags, subclass); \
+ } while (0)
+
++static inline void spin_unlock(spinlock_t *lock) __releases(lock);
+ static inline void spin_unlock(spinlock_t *lock)
+ {
+ raw_spin_unlock(&lock->rlock);
+ }
+
++static inline void spin_unlock_bh(spinlock_t *lock) __releases(lock);
+ static inline void spin_unlock_bh(spinlock_t *lock)
+ {
+ raw_spin_unlock_bh(&lock->rlock);
+ }
+
++static inline void spin_unlock_irq(spinlock_t *lock) __releases(lock);
+ static inline void spin_unlock_irq(spinlock_t *lock)
+ {
+ raw_spin_unlock_irq(&lock->rlock);
+ }
+
++static inline void spin_unlock_irqrestore(spinlock_t *lock, unsigned long flags) __releases(lock);
+ static inline void spin_unlock_irqrestore(spinlock_t *lock, unsigned long flags)
+ {
+ raw_spin_unlock_irqrestore(&lock->rlock, flags);
+diff --git a/include/linux/srcu.h b/include/linux/srcu.h
+index bdeb456..6412bb0 100644
+--- a/include/linux/srcu.h
++++ b/include/linux/srcu.h
+@@ -213,7 +213,8 @@ static inline int srcu_read_lock_held(struct srcu_struct *sp)
+ * srcu_read_unlock() in an irq handler if the matching srcu_read_lock()
+ * was invoked in process context.
+ */
+-static inline int srcu_read_lock(struct srcu_struct *sp) __acquires(sp)
++static inline int srcu_read_lock(struct srcu_struct *sp) __acquires(sp);
++static inline int srcu_read_lock(struct srcu_struct *sp)
+ {
+ int retval = __srcu_read_lock(sp);
+
+@@ -228,8 +229,8 @@ static inline int srcu_read_lock(struct srcu_struct *sp) __acquires(sp)
+ *
+ * Exit an SRCU read-side critical section.
+ */
++static inline void srcu_read_unlock(struct srcu_struct *sp, int idx) __releases(sp);
+ static inline void srcu_read_unlock(struct srcu_struct *sp, int idx)
+- __releases(sp)
+ {
+ rcu_lock_release(&(sp)->dep_map);
+ __srcu_read_unlock(sp, idx);
diff --git a/include/linux/sunrpc/addr.h b/include/linux/sunrpc/addr.h
index 07d8e53..dc934c9 100644
--- a/include/linux/sunrpc/addr.h
@@ -103143,7 +104081,7 @@ index e7a018e..49f8b17 100644
extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page,
unsigned long offset, size_t size,
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
-index b45c45b..a6ae64c 100644
+index b45c45b..2a4f077 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -102,7 +102,12 @@ union bpf_attr;
@@ -103198,6 +104136,15 @@ index b45c45b..a6ae64c 100644
const struct timespec __user *timeout);
asmlinkage long sys_shmat(int shmid, char __user *shmaddr, int shmflg);
asmlinkage long sys_shmget(key_t key, size_t size, int flag);
+@@ -878,7 +883,7 @@ asmlinkage long sys_seccomp(unsigned int op, unsigned int flags,
+ const char __user *uargs);
+ asmlinkage long sys_getrandom(char __user *buf, size_t count,
+ unsigned int flags);
+-asmlinkage long sys_bpf(int cmd, union bpf_attr *attr, unsigned int size);
++asmlinkage long sys_bpf(int cmd, union bpf_attr __user *attr, unsigned int size);
+
+ asmlinkage long sys_execveat(int dfd, const char __user *filename,
+ const char __user *const __user *argv,
diff --git a/include/linux/syscore_ops.h b/include/linux/syscore_ops.h
index 27b3b0b..e093dd9 100644
--- a/include/linux/syscore_ops.h
@@ -103365,7 +104312,7 @@ index ff307b5..f1a4468 100644
#endif /* _LINUX_THREAD_INFO_H */
diff --git a/include/linux/tty.h b/include/linux/tty.h
-index ad6c891..93a8f45 100644
+index 342a760..24296fa 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -225,7 +225,7 @@ struct tty_port {
@@ -103395,6 +104342,26 @@ index ad6c891..93a8f45 100644
}
extern int tty_register_ldisc(int disc, struct tty_ldisc_ops *new_ldisc);
+@@ -605,7 +605,7 @@ extern void n_tty_inherit_ops(struct tty_ldisc_ops *ops);
+
+ /* tty_audit.c */
+ #ifdef CONFIG_AUDIT
+-extern void tty_audit_add_data(struct tty_struct *tty, const void *data,
++extern void tty_audit_add_data(struct tty_struct *tty, const unsigned char *data,
+ size_t size, unsigned icanon);
+ extern void tty_audit_exit(void);
+ extern void tty_audit_fork(struct signal_struct *sig);
+@@ -613,8 +613,8 @@ extern void tty_audit_tiocsti(struct tty_struct *tty, char ch);
+ extern void tty_audit_push(struct tty_struct *tty);
+ extern int tty_audit_push_current(void);
+ #else
+-static inline void tty_audit_add_data(struct tty_struct *tty, const void *data,
+- size_t size, unsigned icanon)
++static inline void tty_audit_add_data(struct tty_struct *tty,
++ const unsigned char *data, size_t size, unsigned icanon)
+ {
+ }
+ static inline void tty_audit_tiocsti(struct tty_struct *tty, char ch)
diff --git a/include/linux/tty_driver.h b/include/linux/tty_driver.h
index 92e337c..f46757b 100644
--- a/include/linux/tty_driver.h
@@ -103861,6 +104828,21 @@ index 82e7db7..f8ce3d0 100644
}
static inline void __inc_zone_page_state(struct page *page,
+diff --git a/include/linux/writeback.h b/include/linux/writeback.h
+index b333c94..6b59f39 100644
+--- a/include/linux/writeback.h
++++ b/include/linux/writeback.h
+@@ -277,8 +277,9 @@ static inline void inode_detach_wb(struct inode *inode)
+ }
+
+ static inline void wbc_attach_and_unlock_inode(struct writeback_control *wbc,
++ struct inode *inode) __releases(&inode->i_lock);
++static inline void wbc_attach_and_unlock_inode(struct writeback_control *wbc,
+ struct inode *inode)
+- __releases(&inode->i_lock)
+ {
+ spin_unlock(&inode->i_lock);
+ }
diff --git a/include/linux/xattr.h b/include/linux/xattr.h
index 91b0a68..0e9adf6 100644
--- a/include/linux/xattr.h
@@ -104124,7 +105106,7 @@ index b8529aa..b0f7445 100644
stats->tx_errors++;
stats->tx_aborted_errors++;
diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
-index 5fa643b..d871e20 100644
+index ff6d78f..7b5933f 100644
--- a/include/net/ip_fib.h
+++ b/include/net/ip_fib.h
@@ -170,7 +170,7 @@ __be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh);
@@ -105221,7 +106203,7 @@ index 7530e74..e714828 100644
#define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
diff --git a/include/uapi/linux/swab.h b/include/uapi/linux/swab.h
-index 0e011eb..82681b1 100644
+index 0e011eb..0020b3c 100644
--- a/include/uapi/linux/swab.h
+++ b/include/uapi/linux/swab.h
@@ -43,7 +43,7 @@
@@ -105229,7 +106211,7 @@ index 0e011eb..82681b1 100644
*/
-static inline __attribute_const__ __u16 __fswab16(__u16 val)
-+static inline __intentional_overflow(-1) __attribute_const__ __u16 __fswab16(__u16 val)
++static inline __intentional_overflow(0) __attribute_const__ __u16 __fswab16(__u16 val)
{
#ifdef __HAVE_BUILTIN_BSWAP16__
return __builtin_bswap16(val);
@@ -105238,7 +106220,7 @@ index 0e011eb..82681b1 100644
}
-static inline __attribute_const__ __u32 __fswab32(__u32 val)
-+static inline __intentional_overflow(-1) __attribute_const__ __u32 __fswab32(__u32 val)
++static inline __intentional_overflow(0) __attribute_const__ __u32 __fswab32(__u32 val)
{
#ifdef __HAVE_BUILTIN_BSWAP32__
return __builtin_bswap32(val);
@@ -105247,7 +106229,7 @@ index 0e011eb..82681b1 100644
}
-static inline __attribute_const__ __u64 __fswab64(__u64 val)
-+static inline __intentional_overflow(-1) __attribute_const__ __u64 __fswab64(__u64 val)
++static inline __intentional_overflow(0) __attribute_const__ __u64 __fswab64(__u64 val)
{
#ifdef __HAVE_BUILTIN_BSWAP64__
return __builtin_bswap64(val);
@@ -105846,7 +106828,7 @@ index 9b3c85f..5266b0f 100644
{
struct timespec __user *ts64;
diff --git a/ipc/ipc_sysctl.c b/ipc/ipc_sysctl.c
-index 8ad93c2..efd80f8 100644
+index 8ad93c2..54036e1 100644
--- a/ipc/ipc_sysctl.c
+++ b/ipc/ipc_sysctl.c
@@ -30,7 +30,7 @@ static void *get_ipc(struct ctl_table *table)
@@ -105885,6 +106867,33 @@ index 8ad93c2..efd80f8 100644
int dummy = 0;
memcpy(&ipc_table, table, sizeof(ipc_table));
+@@ -99,6 +99,8 @@ static int proc_ipc_auto_msgmni(struct ctl_table *table, int write,
+ static int zero;
+ static int one = 1;
+ static int int_max = INT_MAX;
++static unsigned long long_zero = 0;
++static unsigned long long_max = LONG_MAX;
+
+ static struct ctl_table ipc_kern_table[] = {
+ {
+@@ -107,6 +109,8 @@ static struct ctl_table ipc_kern_table[] = {
+ .maxlen = sizeof(init_ipc_ns.shm_ctlmax),
+ .mode = 0644,
+ .proc_handler = proc_ipc_doulongvec_minmax,
++ .extra1 = &long_zero,
++ .extra2 = &long_max,
+ },
+ {
+ .procname = "shmall",
+@@ -114,6 +118,8 @@ static struct ctl_table ipc_kern_table[] = {
+ .maxlen = sizeof(init_ipc_ns.shm_ctlall),
+ .mode = 0644,
+ .proc_handler = proc_ipc_doulongvec_minmax,
++ .extra1 = &long_zero,
++ .extra2 = &long_max,
+ },
+ {
+ .procname = "shmmni",
diff --git a/ipc/mq_sysctl.c b/ipc/mq_sysctl.c
index 68d4e95..1477ded 100644
--- a/ipc/mq_sysctl.c
@@ -106723,7 +107732,7 @@ index 41213454..861e178 100644
#ifdef CONFIG_MODULE_UNLOAD
{
diff --git a/kernel/events/core.c b/kernel/events/core.c
-index e6feb51..470c853 100644
+index e6feb51..ce984cb 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -174,8 +174,15 @@ static struct srcu_struct pmus_srcu;
@@ -106761,6 +107770,15 @@ index e6feb51..470c853 100644
static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
enum event_type_t event_type);
+@@ -3296,7 +3303,7 @@ find_lively_task_by_vpid(pid_t vpid)
+
+ /* Reuse ptrace permission checks for now. */
+ err = -EACCES;
+- if (!ptrace_may_access(task, PTRACE_MODE_READ))
++ if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS))
+ goto errout;
+
+ return task;
@@ -3753,9 +3760,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
mutex_lock(&event->child_mutex);
total += perf_event_read(event);
@@ -106902,7 +107920,7 @@ index cb346f2..e4dc317 100644
pagefault_disable();
result = __copy_from_user_inatomic(&opcode, (void __user*)vaddr,
diff --git a/kernel/exit.c b/kernel/exit.c
-index 031325e..c6342c4 100644
+index 031325e..7ac751f 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -171,6 +171,10 @@ void release_task(struct task_struct *p)
@@ -106916,7 +107934,27 @@ index 031325e..c6342c4 100644
/* don't need to get the RCU readlock here - the process is dead and
* can't be modifying its own credentials. But shut RCU-lockdep up */
rcu_read_lock();
-@@ -656,6 +660,8 @@ void do_exit(long code)
+@@ -450,9 +454,8 @@ static struct task_struct *find_alive_thread(struct task_struct *p)
+ return NULL;
+ }
+
++static struct task_struct *find_child_reaper(struct task_struct *father) __must_hold(&tasklist_lock);
+ static struct task_struct *find_child_reaper(struct task_struct *father)
+- __releases(&tasklist_lock)
+- __acquires(&tasklist_lock)
+ {
+ struct pid_namespace *pid_ns = task_active_pid_ns(father);
+ struct task_struct *reaper = pid_ns->child_reaper;
+@@ -549,6 +552,8 @@ static void reparent_leader(struct task_struct *father, struct task_struct *p,
+ * jobs, send them a SIGHUP and then a SIGCONT. (POSIX 3.2.2.2)
+ */
+ static void forget_original_parent(struct task_struct *father,
++ struct list_head *dead) __must_hold(&tasklist_lock);
++static void forget_original_parent(struct task_struct *father,
+ struct list_head *dead)
+ {
+ struct task_struct *p, *t, *reaper;
+@@ -656,6 +661,8 @@ void do_exit(long code)
int group_dead;
TASKS_RCU(int tasks_rcu_i);
@@ -106925,7 +107963,7 @@ index 031325e..c6342c4 100644
profile_task_exit(tsk);
WARN_ON(blk_needs_flush_plug(tsk));
-@@ -672,7 +678,6 @@ void do_exit(long code)
+@@ -672,7 +679,6 @@ void do_exit(long code)
* mm_release()->clear_child_tid() from writing to a user-controlled
* kernel address.
*/
@@ -106933,7 +107971,7 @@ index 031325e..c6342c4 100644
ptrace_event(PTRACE_EVENT_EXIT, code);
-@@ -730,6 +735,9 @@ void do_exit(long code)
+@@ -730,6 +736,9 @@ void do_exit(long code)
tsk->exit_code = code;
taskstats_exit(tsk, group_dead);
@@ -106943,7 +107981,7 @@ index 031325e..c6342c4 100644
exit_mm(tsk);
if (group_dead)
-@@ -847,7 +855,7 @@ SYSCALL_DEFINE1(exit, int, error_code)
+@@ -847,7 +856,7 @@ SYSCALL_DEFINE1(exit, int, error_code)
* Take down every thread in the group. This is called by fatal signals
* as well as by sys_exit_group (below).
*/
@@ -106952,8 +107990,109 @@ index 031325e..c6342c4 100644
do_group_exit(int exit_code)
{
struct signal_struct *sig = current->signal;
+@@ -964,6 +973,7 @@ static int wait_noreap_copyout(struct wait_opts *wo, struct task_struct *p,
+ * the lock and this task is uninteresting. If we return nonzero, we have
+ * released the lock and the system call should return.
+ */
++static int wait_task_zombie(struct wait_opts *wo, struct task_struct *p) __must_hold(&tasklist_lock);
+ static int wait_task_zombie(struct wait_opts *wo, struct task_struct *p)
+ {
+ int state, retval, status;
+@@ -980,6 +990,7 @@ static int wait_task_zombie(struct wait_opts *wo, struct task_struct *p)
+
+ get_task_struct(p);
+ read_unlock(&tasklist_lock);
++ __acquire(&tasklist_lock); // XXX sparse can't model conditional release
+ sched_annotate_sleep();
+
+ if ((exit_code & 0x7f) == 0) {
+@@ -1002,6 +1013,7 @@ static int wait_task_zombie(struct wait_opts *wo, struct task_struct *p)
+ * We own this thread, nobody else can reap it.
+ */
+ read_unlock(&tasklist_lock);
++ __acquire(&tasklist_lock); // XXX sparse can't model conditional release
+ sched_annotate_sleep();
+
+ /*
+@@ -1145,6 +1157,8 @@ static int *task_stopped_code(struct task_struct *p, bool ptrace)
+ * search should terminate.
+ */
+ static int wait_task_stopped(struct wait_opts *wo,
++ int ptrace, struct task_struct *p) __must_hold(&tasklist_lock);
++static int wait_task_stopped(struct wait_opts *wo,
+ int ptrace, struct task_struct *p)
+ {
+ struct siginfo __user *infop;
+@@ -1192,6 +1206,7 @@ unlock_sig:
+ pid = task_pid_vnr(p);
+ why = ptrace ? CLD_TRAPPED : CLD_STOPPED;
+ read_unlock(&tasklist_lock);
++ __acquire(&tasklist_lock); // XXX sparse can't model conditional release
+ sched_annotate_sleep();
+
+ if (unlikely(wo->wo_flags & WNOWAIT))
+@@ -1229,6 +1244,7 @@ unlock_sig:
+ * the lock and this task is uninteresting. If we return nonzero, we have
+ * released the lock and the system call should return.
+ */
++static int wait_task_continued(struct wait_opts *wo, struct task_struct *p) __must_hold(&tasklist_lock);
+ static int wait_task_continued(struct wait_opts *wo, struct task_struct *p)
+ {
+ int retval;
+@@ -1255,6 +1271,7 @@ static int wait_task_continued(struct wait_opts *wo, struct task_struct *p)
+ pid = task_pid_vnr(p);
+ get_task_struct(p);
+ read_unlock(&tasklist_lock);
++ __acquire(&tasklist_lock); // XXX sparse can't model conditional release
+ sched_annotate_sleep();
+
+ if (!wo->wo_info) {
+@@ -1284,6 +1301,8 @@ static int wait_task_continued(struct wait_opts *wo, struct task_struct *p)
+ * or another error from security_task_wait(), or still -ECHILD.
+ */
+ static int wait_consider_task(struct wait_opts *wo, int ptrace,
++ struct task_struct *p) __must_hold(&tasklist_lock);
++static int wait_consider_task(struct wait_opts *wo, int ptrace,
+ struct task_struct *p)
+ {
+ /*
+@@ -1409,6 +1428,7 @@ static int wait_consider_task(struct wait_opts *wo, int ptrace,
+ * ->notask_error is 0 if there were any eligible children,
+ * or another error from security_task_wait(), or still -ECHILD.
+ */
++static int do_wait_thread(struct wait_opts *wo, struct task_struct *tsk) __must_hold(&tasklist_lock);
+ static int do_wait_thread(struct wait_opts *wo, struct task_struct *tsk)
+ {
+ struct task_struct *p;
+@@ -1423,6 +1443,7 @@ static int do_wait_thread(struct wait_opts *wo, struct task_struct *tsk)
+ return 0;
+ }
+
++static int ptrace_do_wait(struct wait_opts *wo, struct task_struct *tsk) __must_hold(&tasklist_lock);
+ static int ptrace_do_wait(struct wait_opts *wo, struct task_struct *tsk)
+ {
+ struct task_struct *p;
+@@ -1486,12 +1507,16 @@ repeat:
+ tsk = current;
+ do {
+ retval = do_wait_thread(wo, tsk);
+- if (retval)
++ if (retval) {
++ __release(&tasklist_lock); // XXX sparse can't model conditional release
+ goto end;
++ }
+
+ retval = ptrace_do_wait(wo, tsk);
+- if (retval)
++ if (retval) {
++ __release(&tasklist_lock); // XXX sparse can't model conditional release
+ goto end;
++ }
+
+ if (wo->wo_flags & __WNOTHREAD)
+ break;
diff --git a/kernel/fork.c b/kernel/fork.c
-index e769c8c..9fa1de5 100644
+index e769c8c..882ebbb 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -188,12 +188,54 @@ static void free_thread_info(struct thread_info *ti)
@@ -107287,7 +108426,7 @@ index e769c8c..9fa1de5 100644
- if (mm && mm != current->mm &&
- !ptrace_may_access(task, mode)) {
+ if (mm && ((mm != current->mm && !ptrace_may_access(task, mode)) ||
-+ (mode == PTRACE_MODE_ATTACH && (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))))) {
++ ((mode & PTRACE_MODE_ATTACH) && (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))))) {
mmput(mm);
mm = ERR_PTR(-EACCES);
}
@@ -107408,7 +108547,7 @@ index e769c8c..9fa1de5 100644
int threads = max_threads;
int min = MIN_THREADS;
diff --git a/kernel/futex.c b/kernel/futex.c
-index c4a182f..e789324 100644
+index c4a182f..32e2eac 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -201,7 +201,7 @@ struct futex_pi_state {
@@ -107450,6 +108589,15 @@ index c4a182f..e789324 100644
pagefault_disable();
ret = __copy_from_user_inatomic(dest, from, sizeof(u32));
+@@ -2782,7 +2787,7 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
+ }
+
+ ret = -EPERM;
+- if (!ptrace_may_access(p, PTRACE_MODE_READ))
++ if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
+ goto err_unlock;
+
+ head = p->robust_list;
@@ -3030,6 +3035,7 @@ static void __init futex_detect_cmpxchg(void)
{
#ifndef CONFIG_HAVE_FUTEX_CMPXCHG
@@ -107471,7 +108619,7 @@ index c4a182f..e789324 100644
}
diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c
-index 55c8c93..9ba7ad6 100644
+index 55c8c93..5adee02 100644
--- a/kernel/futex_compat.c
+++ b/kernel/futex_compat.c
@@ -32,7 +32,7 @@ fetch_robust_entry(compat_uptr_t *uentry, struct robust_list __user **entry,
@@ -107483,6 +108631,15 @@ index 55c8c93..9ba7ad6 100644
compat_long_t futex_offset)
{
compat_uptr_t base = ptr_to_compat(entry);
+@@ -155,7 +155,7 @@ COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid,
+ }
+
+ ret = -EPERM;
+- if (!ptrace_may_access(p, PTRACE_MODE_READ))
++ if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
+ goto err_unlock;
+
+ head = p->compat_robust_list;
diff --git a/kernel/gcov/base.c b/kernel/gcov/base.c
index 7080ae1..c9b3761 100644
--- a/kernel/gcov/base.c
@@ -107721,7 +108878,7 @@ index 5c5987f..bc502b0 100644
type, iter->name, iter->module_name);
} else
diff --git a/kernel/kcmp.c b/kernel/kcmp.c
-index 0aa69ea..a7fcafb 100644
+index 0aa69ea..bcb17e3 100644
--- a/kernel/kcmp.c
+++ b/kernel/kcmp.c
@@ -100,6 +100,10 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type,
@@ -107735,6 +108892,17 @@ index 0aa69ea..a7fcafb 100644
rcu_read_lock();
/*
+@@ -122,8 +126,8 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type,
+ &task2->signal->cred_guard_mutex);
+ if (ret)
+ goto err;
+- if (!ptrace_may_access(task1, PTRACE_MODE_READ) ||
+- !ptrace_may_access(task2, PTRACE_MODE_READ)) {
++ if (!ptrace_may_access(task1, PTRACE_MODE_READ_REALCREDS) ||
++ !ptrace_may_access(task2, PTRACE_MODE_READ_REALCREDS)) {
+ ret = -EPERM;
+ goto err_unlock;
+ }
diff --git a/kernel/kexec.c b/kernel/kexec.c
index a785c10..6dbb06f 100644
--- a/kernel/kexec.c
@@ -109675,10 +110843,74 @@ index a7bcd28..5b368fa 100644
}
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
-index c8e0e05..2be5614 100644
+index c8e0e05..0a6d59d 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
-@@ -321,7 +321,7 @@ static int ptrace_attach(struct task_struct *task, long request,
+@@ -219,6 +219,14 @@ static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
+ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+ {
+ const struct cred *cred = current_cred(), *tcred;
++ int dumpable = 0;
++ kuid_t caller_uid;
++ kgid_t caller_gid;
++
++ if (!(mode & PTRACE_MODE_FSCREDS) == !(mode & PTRACE_MODE_REALCREDS)) {
++ WARN(1, "denying ptrace access check without PTRACE_MODE_*CREDS\n");
++ return -EPERM;
++ }
+
+ /* May we inspect the given task?
+ * This check is used both for attaching with ptrace
+@@ -228,18 +236,32 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+ * because setting up the necessary parent/child relationship
+ * or halting the specified task is impossible.
+ */
+- int dumpable = 0;
+ /* Don't let security modules deny introspection */
+ if (same_thread_group(task, current))
+ return 0;
+ rcu_read_lock();
++ if (mode & PTRACE_MODE_FSCREDS) {
++ caller_uid = cred->fsuid;
++ caller_gid = cred->fsgid;
++ } else {
++ /*
++ * Using the euid would make more sense here, but something
++ * in userland might rely on the old behavior, and this
++ * shouldn't be a security problem since
++ * PTRACE_MODE_REALCREDS implies that the caller explicitly
++ * used a syscall that requests access to another process
++ * (and not a filesystem syscall to procfs).
++ */
++ caller_uid = cred->uid;
++ caller_gid = cred->gid;
++ }
+ tcred = __task_cred(task);
+- if (uid_eq(cred->uid, tcred->euid) &&
+- uid_eq(cred->uid, tcred->suid) &&
+- uid_eq(cred->uid, tcred->uid) &&
+- gid_eq(cred->gid, tcred->egid) &&
+- gid_eq(cred->gid, tcred->sgid) &&
+- gid_eq(cred->gid, tcred->gid))
++ if (uid_eq(caller_uid, tcred->euid) &&
++ uid_eq(caller_uid, tcred->suid) &&
++ uid_eq(caller_uid, tcred->uid) &&
++ gid_eq(caller_gid, tcred->egid) &&
++ gid_eq(caller_gid, tcred->sgid) &&
++ gid_eq(caller_gid, tcred->gid))
+ goto ok;
+ if (ptrace_has_cap(tcred->user_ns, mode))
+ goto ok;
+@@ -306,7 +328,7 @@ static int ptrace_attach(struct task_struct *task, long request,
+ goto out;
+
+ task_lock(task);
+- retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
++ retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS);
+ task_unlock(task);
+ if (retval)
+ goto unlock_creds;
+@@ -321,7 +343,7 @@ static int ptrace_attach(struct task_struct *task, long request,
if (seize)
flags |= PT_SEIZED;
rcu_read_lock();
@@ -109687,7 +110919,7 @@ index c8e0e05..2be5614 100644
flags |= PT_PTRACE_CAP;
rcu_read_unlock();
task->ptrace = flags;
-@@ -514,7 +514,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst
+@@ -514,7 +536,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst
break;
return -EIO;
}
@@ -109696,7 +110928,7 @@ index c8e0e05..2be5614 100644
return -EFAULT;
copied += retval;
src += retval;
-@@ -802,7 +802,7 @@ int ptrace_request(struct task_struct *child, long request,
+@@ -802,7 +824,7 @@ int ptrace_request(struct task_struct *child, long request,
bool seized = child->ptrace & PT_SEIZED;
int ret = -EIO;
siginfo_t siginfo, *si;
@@ -109705,7 +110937,7 @@ index c8e0e05..2be5614 100644
unsigned long __user *datalp = datavp;
unsigned long flags;
-@@ -1048,14 +1048,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
+@@ -1048,14 +1070,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
goto out;
}
@@ -109728,7 +110960,7 @@ index c8e0e05..2be5614 100644
goto out_put_task_struct;
}
-@@ -1083,7 +1090,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr,
+@@ -1083,7 +1112,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr,
copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
if (copied != sizeof(tmp))
return -EIO;
@@ -109737,7 +110969,7 @@ index c8e0e05..2be5614 100644
}
int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
-@@ -1176,7 +1183,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
+@@ -1176,7 +1205,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
}
COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid,
@@ -109746,7 +110978,7 @@ index c8e0e05..2be5614 100644
{
struct task_struct *child;
long ret;
-@@ -1192,14 +1199,21 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid,
+@@ -1192,14 +1221,21 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid,
goto out;
}
@@ -110359,9 +111591,29 @@ index 3ea7ffc..cb06f2d 100644
}
diff --git a/kernel/resource.c b/kernel/resource.c
-index fed052a..ad13346 100644
+index fed052a..14936eb 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
+@@ -84,8 +84,8 @@ static void *r_next(struct seq_file *m, void *v, loff_t *pos)
+
+ enum { MAX_IORES_LEVEL = 5 };
+
++static void *r_start(struct seq_file *m, loff_t *pos) __acquires(&resource_lock);
+ static void *r_start(struct seq_file *m, loff_t *pos)
+- __acquires(resource_lock)
+ {
+ struct resource *p = m->private;
+ loff_t l = 0;
+@@ -95,8 +95,8 @@ static void *r_start(struct seq_file *m, loff_t *pos)
+ return p;
+ }
+
++static void r_stop(struct seq_file *m, void *v) __releases(&resource_lock);
+ static void r_stop(struct seq_file *m, void *v)
+- __releases(resource_lock)
+ {
+ read_unlock(&resource_lock);
+ }
@@ -162,8 +162,18 @@ static const struct file_operations proc_iomem_operations = {
static int __init ioresources_init(void)
@@ -110604,7 +111856,7 @@ index 08ab96b..82ab34c 100644
static inline void put_prev_task(struct rq *rq, struct task_struct *prev)
{
diff --git a/kernel/signal.c b/kernel/signal.c
-index 0f6bbbe..d77d2c3 100644
+index 0f6bbbe..4791c7d 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -53,12 +53,12 @@ static struct kmem_cache *sigqueue_cachep;
@@ -110650,7 +111902,15 @@ index 0f6bbbe..d77d2c3 100644
if (is_global_init(tsk))
return 1;
if (handler != SIG_IGN && handler != SIG_DFL)
-@@ -788,6 +791,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
+@@ -602,6 +605,7 @@ static int __dequeue_signal(struct sigpending *pending, sigset_t *mask,
+ *
+ * All callers have to hold the siglock.
+ */
++int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info) __must_hold(&tsk->sighand->siglock);
+ int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info)
+ {
+ int signr;
+@@ -788,6 +792,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
}
}
@@ -110664,7 +111924,7 @@ index 0f6bbbe..d77d2c3 100644
return security_task_kill(t, info, sig, 0);
}
-@@ -1171,7 +1181,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
+@@ -1171,7 +1182,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
return send_signal(sig, info, p, 1);
}
@@ -110673,7 +111933,7 @@ index 0f6bbbe..d77d2c3 100644
specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
{
return send_signal(sig, info, t, 0);
-@@ -1208,6 +1218,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
+@@ -1208,6 +1219,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
unsigned long int flags;
int ret, blocked, ignored;
struct k_sigaction *action;
@@ -110681,7 +111941,7 @@ index 0f6bbbe..d77d2c3 100644
spin_lock_irqsave(&t->sighand->siglock, flags);
action = &t->sighand->action[sig-1];
-@@ -1222,9 +1233,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
+@@ -1222,9 +1234,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
}
if (action->sa.sa_handler == SIG_DFL)
t->signal->flags &= ~SIGNAL_UNKILLABLE;
@@ -110700,7 +111960,7 @@ index 0f6bbbe..d77d2c3 100644
return ret;
}
-@@ -1305,8 +1325,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
+@@ -1305,8 +1326,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
ret = check_kill_permission(sig, info, p);
rcu_read_unlock();
@@ -110713,7 +111973,56 @@ index 0f6bbbe..d77d2c3 100644
return ret;
}
-@@ -2913,7 +2936,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
+@@ -1820,9 +1844,8 @@ static int sigkill_pending(struct task_struct *tsk)
+ * If we actually decide not to stop at all because the tracer
+ * is gone, we keep current->exit_code unless clear_code.
+ */
++static void ptrace_stop(int exit_code, int why, int clear_code, siginfo_t *info) __must_hold(&current->sighand->siglock);
+ static void ptrace_stop(int exit_code, int why, int clear_code, siginfo_t *info)
+- __releases(&current->sighand->siglock)
+- __acquires(&current->sighand->siglock)
+ {
+ bool gstop_done = false;
+
+@@ -1942,6 +1965,7 @@ static void ptrace_stop(int exit_code, int why, int clear_code, siginfo_t *info)
+ recalc_sigpending_tsk(current);
+ }
+
++static void ptrace_do_notify(int signr, int exit_code, int why) __must_hold(&current->sighand->siglock);
+ static void ptrace_do_notify(int signr, int exit_code, int why)
+ {
+ siginfo_t info;
+@@ -1989,8 +2013,8 @@ void ptrace_notify(int exit_code)
+ * %false if group stop is already cancelled or ptrace trap is scheduled.
+ * %true if participated in group stop.
+ */
++static bool do_signal_stop(int signr) __releases(&current->sighand->siglock);
+ static bool do_signal_stop(int signr)
+- __releases(&current->sighand->siglock)
+ {
+ struct signal_struct *sig = current->signal;
+
+@@ -2002,8 +2026,10 @@ static bool do_signal_stop(int signr)
+ WARN_ON_ONCE(signr & ~JOBCTL_STOP_SIGMASK);
+
+ if (!likely(current->jobctl & JOBCTL_STOP_DEQUEUED) ||
+- unlikely(signal_group_exit(sig)))
++ unlikely(signal_group_exit(sig))) {
++ __release(&current->sighand->siglock); // XXX sparse can't model conditional release
+ return false;
++ }
+ /*
+ * There is no group stop already in progress. We must
+ * initiate one now.
+@@ -2087,6 +2113,7 @@ static bool do_signal_stop(int signr)
+ * Schedule it and let the caller deal with it.
+ */
+ task_set_jobctl_pending(current, JOBCTL_TRAP_STOP);
++ __release(&current->sighand->siglock); // XXX sparse can't model conditional release
+ return false;
+ }
+ }
+@@ -2913,7 +2940,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
int error = -ESRCH;
rcu_read_lock();
@@ -110730,7 +112039,7 @@ index 0f6bbbe..d77d2c3 100644
if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
error = check_kill_permission(sig, info, p);
/*
-@@ -3242,8 +3273,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack,
+@@ -3242,8 +3277,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack,
}
seg = get_fs();
set_fs(KERNEL_DS);
@@ -112435,6 +113744,20 @@ index 7d567a4..407a28d 100644
mutex_lock(&syscall_trace_lock);
sys_perf_refcount_exit--;
+diff --git a/kernel/user.c b/kernel/user.c
+index b069ccb..c59fe26 100644
+--- a/kernel/user.c
++++ b/kernel/user.c
+@@ -127,8 +127,8 @@ static struct user_struct *uid_hash_find(kuid_t uid, struct hlist_head *hashent)
+ * IRQ state (as stored in flags) is restored and uidhash_lock released
+ * upon function exit.
+ */
++static void free_user(struct user_struct *up, unsigned long flags) __releases(&uidhash_lock);
+ static void free_user(struct user_struct *up, unsigned long flags)
+- __releases(&uidhash_lock)
+ {
+ uid_hash_remove(up);
+ spin_unlock_irqrestore(&uidhash_lock, flags);
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 4109f83..fe1f830 100644
--- a/kernel/user_namespace.c
@@ -112497,10 +113820,32 @@ index a6ffa43..e48103b 100644
.thread_should_run = watchdog_should_run,
.thread_fn = watchdog,
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
-index 1de0f5fab..dbf1ec6 100644
+index 1de0f5fab..74907c6 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
-@@ -4452,7 +4452,7 @@ static void rebind_workers(struct worker_pool *pool)
+@@ -1858,9 +1858,8 @@ static void pool_mayday_timeout(unsigned long __pool)
+ * multiple times. Does GFP_KERNEL allocations. Called only from
+ * manager.
+ */
++static void maybe_create_worker(struct worker_pool *pool) __must_hold(&pool->lock);
+ static void maybe_create_worker(struct worker_pool *pool)
+-__releases(&pool->lock)
+-__acquires(&pool->lock)
+ {
+ restart:
+ spin_unlock_irq(&pool->lock);
+@@ -1950,9 +1949,8 @@ static bool manage_workers(struct worker *worker)
+ * CONTEXT:
+ * spin_lock_irq(pool->lock) which is released and regrabbed.
+ */
++static void process_one_work(struct worker *worker, struct work_struct *work) __must_hold(&pool->lock);
+ static void process_one_work(struct worker *worker, struct work_struct *work)
+-__releases(&pool->lock)
+-__acquires(&pool->lock)
+ {
+ struct pool_workqueue *pwq = get_work_pwq(work);
+ struct worker_pool *pool = worker->pool;
+@@ -4452,7 +4450,7 @@ static void rebind_workers(struct worker_pool *pool)
WARN_ON_ONCE(!(worker_flags & WORKER_UNBOUND));
worker_flags |= WORKER_REBOUND;
worker_flags &= ~WORKER_UNBOUND;
@@ -113280,6 +114625,30 @@ index 1356454..70ce6c6 100644
};
void rb_insert_color(struct rb_node *node, struct rb_root *root)
+diff --git a/lib/rhashtable.c b/lib/rhashtable.c
+index cc0c697..935eddb 100644
+--- a/lib/rhashtable.c
++++ b/lib/rhashtable.c
+@@ -545,8 +545,8 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_exit);
+ * will rewind back to the beginning and you may use it immediately
+ * by calling rhashtable_walk_next.
+ */
++int rhashtable_walk_start(struct rhashtable_iter *iter) __acquires(RCU);
+ int rhashtable_walk_start(struct rhashtable_iter *iter)
+- __acquires(RCU)
+ {
+ struct rhashtable *ht = iter->ht;
+
+@@ -632,8 +632,8 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_next);
+ *
+ * Finish a hash table walk.
+ */
++void rhashtable_walk_stop(struct rhashtable_iter *iter) __releases(RCU);
+ void rhashtable_walk_stop(struct rhashtable_iter *iter)
+- __releases(RCU)
+ {
+ struct rhashtable *ht;
+ struct bucket_table *tbl = iter->walker->tbl;
diff --git a/lib/show_mem.c b/lib/show_mem.c
index adc98e18..0ce83c2 100644
--- a/lib/show_mem.c
@@ -116786,7 +118155,7 @@ index 2dd7448..9bb6305 100644
static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c
-index e88d071..d80e01a 100644
+index e88d071..4043093 100644
--- a/mm/process_vm_access.c
+++ b/mm/process_vm_access.c
@@ -13,6 +13,7 @@
@@ -116824,18 +118193,20 @@ index e88d071..d80e01a 100644
}
if (nr_pages == 0)
-@@ -194,6 +195,11 @@ static ssize_t process_vm_rw_core(pid_t pid, struct iov_iter *iter,
+@@ -194,7 +195,12 @@ static ssize_t process_vm_rw_core(pid_t pid, struct iov_iter *iter,
goto free_proc_pages;
}
+- mm = mm_access(task, PTRACE_MODE_ATTACH);
+ if (gr_handle_ptrace(task, vm_write ? PTRACE_POKETEXT : PTRACE_ATTACH)) {
+ rc = -EPERM;
+ goto put_task_struct;
+ }
+
- mm = mm_access(task, PTRACE_MODE_ATTACH);
++ mm = mm_access(task, PTRACE_MODE_ATTACH_REALCREDS);
if (!mm || IS_ERR(mm)) {
rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
+ /*
diff --git a/mm/rmap.c b/mm/rmap.c
index 171b687..1a4b7e8 100644
--- a/mm/rmap.c
@@ -119556,9 +120927,18 @@ index e3be1d2..254c555 100644
switch (ss->ss_family) {
diff --git a/net/compat.c b/net/compat.c
-index 5cfd26a..7e43828 100644
+index 5cfd26a..3c50cb0 100644
--- a/net/compat.c
+++ b/net/compat.c
+@@ -58,7 +58,7 @@ int get_compat_msghdr(struct msghdr *kmsg,
+
+ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
+ kmsg->msg_namelen = sizeof(struct sockaddr_storage);
+- kmsg->msg_control = compat_ptr(tmp3);
++ kmsg->msg_control = (void __force_kernel *)compat_ptr(tmp3);
+
+ if (save_addr)
+ *save_addr = compat_ptr(uaddr);
@@ -98,20 +98,20 @@ int get_compat_msghdr(struct msghdr *kmsg,
#define CMSG_COMPAT_FIRSTHDR(msg) \
@@ -120637,10 +122017,10 @@ index 2d9cb17..20ae904 100644
#endif
if (dflt != &ipv4_devconf_dflt)
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
-index 6bbc549..28d74951 100644
+index d7116cf..a561739 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
-@@ -1083,12 +1083,12 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
+@@ -1084,12 +1084,12 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
#ifdef CONFIG_IP_ROUTE_MULTIPATH
fib_sync_up(dev, RTNH_F_DEAD);
#endif
@@ -120655,7 +122035,7 @@ index 6bbc549..28d74951 100644
if (!ifa->ifa_dev->ifa_list) {
/* Last address was deleted from this interface.
* Disable IP.
-@@ -1127,7 +1127,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
+@@ -1128,7 +1128,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
#ifdef CONFIG_IP_ROUTE_MULTIPATH
fib_sync_up(dev, RTNH_F_DEAD);
#endif
@@ -120665,7 +122045,7 @@ index 6bbc549..28d74951 100644
break;
case NETDEV_DOWN:
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
-index 3a06586..1020c5b 100644
+index 71bad5c..114aaa3 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -755,7 +755,7 @@ __be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh)
@@ -121320,7 +122700,7 @@ index e681b85..8a43a65 100644
ip_tstamps = kcalloc(IP_IDENTS_SZ, sizeof(*ip_tstamps), GFP_KERNEL);
if (!ip_tstamps)
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
-index 0330ab2..4745d2c 100644
+index a1442c5..73a63cd 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -66,7 +66,7 @@ static int ipv4_local_port_range(struct ctl_table *table, int write,
@@ -121715,6 +123095,19 @@ index 1b8c5ba..e1f0542 100644
}
int udp4_seq_show(struct seq_file *seq, void *v)
+diff --git a/net/ipv4/xfrm4_mode_transport.c b/net/ipv4/xfrm4_mode_transport.c
+index fd840c7..b517627 100644
+--- a/net/ipv4/xfrm4_mode_transport.c
++++ b/net/ipv4/xfrm4_mode_transport.c
+@@ -18,7 +18,7 @@
+ * The IP header will be moved forward to make space for the encapsulation
+ * header.
+ */
+-static int xfrm4_transport_output(struct xfrm_state *x, struct sk_buff *skb)
++static int __intentional_overflow(0) xfrm4_transport_output(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ struct iphdr *iph = ip_hdr(skb);
+ int ihl = iph->ihl * 4;
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index bff6974..c63736c 100644
--- a/net/ipv4/xfrm4_policy.c
@@ -121769,7 +123162,7 @@ index bff6974..c63736c 100644
return -ENOMEM;
}
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
-index 21c2c81..373c1ba 100644
+index c8c1fea..233a855 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -178,7 +178,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
@@ -121790,7 +123183,7 @@ index 21c2c81..373c1ba 100644
.autoconf = 1,
.force_mld_version = 0,
.mldv1_unsolicited_report_interval = 10 * HZ,
-@@ -620,7 +620,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb,
+@@ -621,7 +621,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb,
idx = 0;
head = &net->dev_index_head[h];
rcu_read_lock();
@@ -121799,7 +123192,7 @@ index 21c2c81..373c1ba 100644
net->dev_base_seq;
hlist_for_each_entry_rcu(dev, head, index_hlist) {
if (idx < s_idx)
-@@ -2508,7 +2508,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
+@@ -2509,7 +2509,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
p.iph.ihl = 5;
p.iph.protocol = IPPROTO_IPV6;
p.iph.ttl = 64;
@@ -121808,7 +123201,7 @@ index 21c2c81..373c1ba 100644
if (ops->ndo_do_ioctl) {
mm_segment_t oldfs = get_fs();
-@@ -3774,16 +3774,23 @@ static const struct file_operations if6_fops = {
+@@ -3775,16 +3775,23 @@ static const struct file_operations if6_fops = {
.release = seq_release_net,
};
@@ -121833,7 +123226,7 @@ index 21c2c81..373c1ba 100644
}
static struct pernet_operations if6_proc_net_ops = {
-@@ -4402,7 +4409,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb,
+@@ -4403,7 +4410,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb,
s_ip_idx = ip_idx = cb->args[2];
rcu_read_lock();
@@ -121842,7 +123235,7 @@ index 21c2c81..373c1ba 100644
for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {
idx = 0;
head = &net->dev_index_head[h];
-@@ -5059,7 +5066,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
+@@ -5060,7 +5067,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
rt_genid_bump_ipv6(net);
break;
}
@@ -121851,7 +123244,7 @@ index 21c2c81..373c1ba 100644
}
static void ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
-@@ -5079,7 +5086,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write,
+@@ -5080,7 +5087,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write,
int *valp = ctl->data;
int val = *valp;
loff_t pos = *ppos;
@@ -121860,7 +123253,7 @@ index 21c2c81..373c1ba 100644
int ret;
/*
-@@ -5104,7 +5111,7 @@ int addrconf_sysctl_mtu(struct ctl_table *ctl, int write,
+@@ -5105,7 +5112,7 @@ int addrconf_sysctl_mtu(struct ctl_table *ctl, int write,
{
struct inet6_dev *idev = ctl->extra1;
int min_mtu = IPV6_MIN_MTU;
@@ -121869,7 +123262,7 @@ index 21c2c81..373c1ba 100644
lctl = *ctl;
lctl.extra1 = &min_mtu;
-@@ -5179,7 +5186,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write,
+@@ -5180,7 +5187,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write,
int *valp = ctl->data;
int val = *valp;
loff_t pos = *ppos;
@@ -121878,7 +123271,7 @@ index 21c2c81..373c1ba 100644
int ret;
/*
-@@ -5244,7 +5251,7 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write,
+@@ -5245,7 +5252,7 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write,
int err;
struct in6_addr addr;
char str[IPV6_MAX_STRLEN];
@@ -122347,7 +123740,7 @@ index dd6ebba..69d56e8 100644
table = kmemdup(ipv6_route_table_template,
sizeof(ipv6_route_table_template),
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
-index ac35a28..070cc8c 100644
+index 85c4b2f..4e2062f 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -74,7 +74,7 @@ static void ipip6_tunnel_setup(struct net_device *dev);
@@ -122359,7 +123752,7 @@ index ac35a28..070cc8c 100644
static int sit_net_id __read_mostly;
struct sit_net {
-@@ -1749,7 +1749,7 @@ static void ipip6_dellink(struct net_device *dev, struct list_head *head)
+@@ -1735,7 +1735,7 @@ static void ipip6_dellink(struct net_device *dev, struct list_head *head)
unregister_netdevice_queue(dev, head);
}
@@ -122652,19 +124045,6 @@ index 683346d..cb0e12d 100644
seq_printf(m, "Max data size: %d\n", self->max_data_size);
seq_printf(m, "Max header size: %d\n", self->max_header_size);
-diff --git a/net/irda/irlmp.c b/net/irda/irlmp.c
-index a26c401..4396459 100644
---- a/net/irda/irlmp.c
-+++ b/net/irda/irlmp.c
-@@ -1839,7 +1839,7 @@ static void *irlmp_seq_hb_idx(struct irlmp_iter_state *iter, loff_t *off)
- for (element = hashbin_get_first(iter->hashbin);
- element != NULL;
- element = hashbin_get_next(iter->hashbin)) {
-- if (!off || *off-- == 0) {
-+ if (!off || (*off)-- == 0) {
- /* NB: hashbin left locked */
- return element;
- }
diff --git a/net/irda/irproc.c b/net/irda/irproc.c
index b9ac598..f88cc56 100644
--- a/net/irda/irproc.c
@@ -123043,7 +124423,7 @@ index 666ddac..0cad93b 100644
goto free;
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
-index 43e5aad..d117c3a 100644
+index f5fa8c0..c24eae8 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1761,7 +1761,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
@@ -123682,7 +125062,7 @@ index 11de55e..f25e448 100644
return 0;
}
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index a133d16..fafee70 100644
+index 8b158f7..c43cfdb 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -286,7 +286,7 @@ static void netlink_overrun(struct sock *sk)
@@ -123779,7 +125159,7 @@ index bc85331..0d3dce0 100644
/**
* struct vport_portids - array of netlink portids of a vport.
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index 7851b12..b665c0c 100644
+index 71cb085..89e2202 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -277,7 +277,7 @@ static int packet_direct_xmit(struct sk_buff *skb)
@@ -123800,7 +125180,7 @@ index 7851b12..b665c0c 100644
spin_unlock(&sk->sk_receive_queue.lock);
drop_n_restore:
-@@ -3616,7 +3616,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3634,7 +3634,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
case PACKET_HDRLEN:
if (len > sizeof(int))
len = sizeof(int);
@@ -123809,7 +125189,7 @@ index 7851b12..b665c0c 100644
return -EFAULT;
switch (val) {
case TPACKET_V1:
-@@ -3671,7 +3671,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3689,7 +3689,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
len = lv;
if (put_user(len, optlen))
return -EFAULT;
@@ -128067,10 +129447,29 @@ index dec607c..2f291ad9 100644
d_backing_inode(old_dentry)->i_mode
};
diff --git a/security/commoncap.c b/security/commoncap.c
-index d103f5a4..3f7369a 100644
+index d103f5a4..cedcad8 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
-@@ -422,6 +422,32 @@ int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data
+@@ -137,12 +137,17 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
+ {
+ int ret = 0;
+ const struct cred *cred, *child_cred;
++ const kernel_cap_t *caller_caps;
+
+ rcu_read_lock();
+ cred = current_cred();
+ child_cred = __task_cred(child);
++ if (mode & PTRACE_MODE_FSCREDS)
++ caller_caps = &cred->cap_effective;
++ else
++ caller_caps = &cred->cap_permitted;
+ if (cred->user_ns == child_cred->user_ns &&
+- cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
++ cap_issubset(child_cred->cap_permitted, *caller_caps))
+ goto out;
+ if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
+ goto out;
+@@ -422,6 +427,32 @@ int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data
return 0;
}
@@ -128103,7 +129502,7 @@ index d103f5a4..3f7369a 100644
/*
* Attempt to get the on-exec apply capability sets for an executable file from
* its xattrs and, if present, apply them to the proposed credentials being
-@@ -586,6 +612,9 @@ int cap_bprm_secureexec(struct linux_binprm *bprm)
+@@ -586,6 +617,9 @@ int cap_bprm_secureexec(struct linux_binprm *bprm)
const struct cred *cred = current_cred();
kuid_t root_uid = make_kuid(cred->user_ns, 0);
@@ -128173,6 +129572,29 @@ index 552705d..9920f4fb 100644
key = ima_hash_key(entry->digest);
hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
return 0;
+diff --git a/security/keys/internal.h b/security/keys/internal.h
+index 5105c2c..fd59e52 100644
+--- a/security/keys/internal.h
++++ b/security/keys/internal.h
+@@ -90,12 +90,16 @@ extern void key_type_put(struct key_type *ktype);
+
+ extern int __key_link_begin(struct key *keyring,
+ const struct keyring_index_key *index_key,
+- struct assoc_array_edit **_edit);
++ struct assoc_array_edit **_edit)
++ __acquires(&keyring->sem)
++ __acquires(&keyring_serialise_link_sem);
+ extern int __key_link_check_live_key(struct key *keyring, struct key *key);
+ extern void __key_link(struct key *key, struct assoc_array_edit **_edit);
+ extern void __key_link_end(struct key *keyring,
+ const struct keyring_index_key *index_key,
+- struct assoc_array_edit *edit);
++ struct assoc_array_edit *edit)
++ __releases(&keyring->sem)
++ __releases(&keyring_serialise_link_sem);
+
+ extern key_ref_t find_key_to_update(key_ref_t keyring_ref,
+ const struct keyring_index_key *index_key);
diff --git a/security/keys/key.c b/security/keys/key.c
index aee2ec5..c276071 100644
--- a/security/keys/key.c
@@ -128230,6 +129652,28 @@ index aee2ec5..c276071 100644
/* record the root user tracking */
rb_link_node(&root_key_user.node,
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c
+index d334370..b03e5a8 100644
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -1071,8 +1071,6 @@ static int keyring_detect_cycle(struct key *A, struct key *B)
+ int __key_link_begin(struct key *keyring,
+ const struct keyring_index_key *index_key,
+ struct assoc_array_edit **_edit)
+- __acquires(&keyring->sem)
+- __acquires(&keyring_serialise_link_sem)
+ {
+ struct assoc_array_edit *edit;
+ int ret;
+@@ -1172,8 +1170,6 @@ void __key_link(struct key *key, struct assoc_array_edit **_edit)
+ void __key_link_end(struct key *keyring,
+ const struct keyring_index_key *index_key,
+ struct assoc_array_edit *edit)
+- __releases(&keyring->sem)
+- __releases(&keyring_serialise_link_sem)
+ {
+ BUG_ON(index_key->type == NULL);
+ kenter("%d,%s,", keyring->serial, index_key->type->name);
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index 486ef6f..0d62531 100644
--- a/security/keys/request_key.c
@@ -128308,6 +129752,26 @@ index 1450f85..a91e0bc 100644
rt_genid_bump_all(net);
}
rtnl_unlock();
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index a143328..0c29901 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -358,12 +358,10 @@ static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead,
+ */
+ static inline unsigned int smk_ptrace_mode(unsigned int mode)
+ {
+- switch (mode) {
+- case PTRACE_MODE_READ:
+- return MAY_READ;
+- case PTRACE_MODE_ATTACH:
++ if (mode & PTRACE_MODE_ATTACH)
+ return MAY_READWRITE;
+- }
++ if (mode & PTRACE_MODE_READ)
++ return MAY_READ;
+
+ return 0;
+ }
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c
index 2367b10..a0c3c51 100644
--- a/security/tomoyo/file.c
@@ -128467,9 +129931,27 @@ index 3123e1d..951f48d 100644
help
This selects Yama, which extends DAC support with additional
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
-index 5ebb896..68147a2 100644
+index 5ebb896..6da9ba8 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
+@@ -281,7 +281,7 @@ static int yama_ptrace_access_check(struct task_struct *child,
+ int rc = 0;
+
+ /* require ptrace target be a child of ptracer on attach */
+- if (mode == PTRACE_MODE_ATTACH) {
++ if (mode & PTRACE_MODE_ATTACH) {
+ switch (ptrace_scope) {
+ case YAMA_SCOPE_DISABLED:
+ /* No additional restrictions. */
+@@ -307,7 +307,7 @@ static int yama_ptrace_access_check(struct task_struct *child,
+ }
+ }
+
+- if (rc) {
++ if (rc && (mode & PTRACE_MODE_NOAUDIT) == 0) {
+ printk_ratelimited(KERN_NOTICE
+ "ptrace of pid %d was attempted by: %s (pid %d)\n",
+ child->pid, current->comm, current->pid);
@@ -362,7 +362,7 @@ void __init yama_add_hooks(void)
static int yama_dointvec_minmax(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
@@ -128629,6 +130111,88 @@ index 75888dd..c940854 100644
break;
default:
result = -EINVAL;
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index b64f20d..aff6c32 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -446,7 +446,7 @@ static ssize_t snd_seq_read(struct file *file, char __user *buf, size_t count,
+ count -= sizeof(struct snd_seq_event);
+ buf += sizeof(struct snd_seq_event);
+ err = snd_seq_expand_var_event(&cell->event, count,
+- (char __force *)buf, 0,
++ (char __force_kernel *)buf, 0,
+ sizeof(struct snd_seq_event));
+ if (err < 0)
+ break;
+@@ -1059,13 +1059,13 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf,
+ }
+ /* set user space pointer */
+ event.data.ext.len = extlen | SNDRV_SEQ_EXT_USRPTR;
+- event.data.ext.ptr = (char __force *)buf
++ event.data.ext.ptr = (char __force_kernel *)buf
+ + sizeof(struct snd_seq_event);
+ len += extlen; /* increment data length */
+ } else {
+ #ifdef CONFIG_COMPAT
+ if (client->convert32 && snd_seq_ev_is_varusr(&event)) {
+- void *ptr = (void __force *)compat_ptr(event.data.raw32.d[1]);
++ void *ptr = (void __force_kernel *)compat_ptr(event.data.raw32.d[1]);
+ event.data.ext.ptr = ptr;
+ }
+ #endif
+@@ -2420,7 +2420,7 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
+ if (client == NULL)
+ return -ENXIO;
+ fs = snd_enter_user();
+- result = snd_seq_do_ioctl(client, cmd, (void __force __user *)arg);
++ result = snd_seq_do_ioctl(client, cmd, (void __force_user *)arg);
+ snd_leave_user(fs);
+ return result;
+ }
+diff --git a/sound/core/seq/seq_compat.c b/sound/core/seq/seq_compat.c
+index 81f7c10..296bd6fd 100644
+--- a/sound/core/seq/seq_compat.c
++++ b/sound/core/seq/seq_compat.c
+@@ -59,7 +59,7 @@ static int snd_seq_call_port_info_ioctl(struct snd_seq_client *client, unsigned
+ data->kernel = NULL;
+
+ fs = snd_enter_user();
+- err = snd_seq_do_ioctl(client, cmd, data);
++ err = snd_seq_do_ioctl(client, cmd, (void __force_user *)data);
+ snd_leave_user(fs);
+ if (err < 0)
+ goto error;
+diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c
+index 8010766..4bd361f 100644
+--- a/sound/core/seq/seq_memory.c
++++ b/sound/core/seq/seq_memory.c
+@@ -87,7 +87,7 @@ int snd_seq_dump_var_event(const struct snd_seq_event *event,
+
+ if (event->data.ext.len & SNDRV_SEQ_EXT_USRPTR) {
+ char buf[32];
+- char __user *curptr = (char __force __user *)event->data.ext.ptr;
++ char __user *curptr = (char __force_user *)event->data.ext.ptr;
+ while (len > 0) {
+ int size = sizeof(buf);
+ if (len < size)
+@@ -158,7 +158,7 @@ int snd_seq_expand_var_event(const struct snd_seq_event *event, int count, char
+ if (event->data.ext.len & SNDRV_SEQ_EXT_USRPTR) {
+ if (! in_kernel)
+ return -EINVAL;
+- if (copy_from_user(buf, (void __force __user *)event->data.ext.ptr, len))
++ if (copy_from_user(buf, (void __force_user *)event->data.ext.ptr, len))
+ return -EFAULT;
+ return newlen;
+ }
+@@ -344,7 +344,7 @@ int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event,
+ tmp->event = src->event;
+ src = src->next;
+ } else if (is_usrptr) {
+- if (copy_from_user(&tmp->event, (char __force __user *)buf, size)) {
++ if (copy_from_user(&tmp->event, (char __force_user *)buf, size)) {
+ err = -EFAULT;
+ goto __error;
+ }
diff --git a/sound/core/sound.c b/sound/core/sound.c
index 175f9e4..3518d31 100644
--- a/sound/core/sound.c
@@ -129251,12 +130815,12 @@ index 0000000..4945d82
+targets += randomize_layout_seed.h randomize_layout_hash.h
diff --git a/tools/gcc/checker_plugin.c b/tools/gcc/checker_plugin.c
new file mode 100644
-index 0000000..5452feea
+index 0000000..1264799f
--- /dev/null
+++ b/tools/gcc/checker_plugin.c
-@@ -0,0 +1,150 @@
+@@ -0,0 +1,549 @@
+/*
-+ * Copyright 2011-2014 by the PaX Team <pageexec@freemail.hu>
++ * Copyright 2011-2015 by the PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
+ *
+ * Note: the choice of the license means that the compilation process is
@@ -129285,8 +130849,9 @@ index 0000000..5452feea
+int plugin_is_GPL_compatible;
+
+static struct plugin_info checker_plugin_info = {
-+ .version = "201304082245",
-+ .help = NULL,
++ .version = "201512100145",
++ .help = "user\tturn on user/kernel address space checking\n"
++ "context\tturn on locking context checking\n"
+};
+
+#define ADDR_SPACE_KERNEL 0
@@ -129381,12 +130946,395 @@ index 0000000..5452feea
+ targetm.addr_space.convert = checker_addr_space_convert;
+}
+
++static bool split_context_attribute(tree args, tree *lock, tree *in, tree *out)
++{
++ *in = TREE_VALUE(args);
++
++ if (TREE_CODE(*in) != INTEGER_CST) {
++ *lock = *in;
++ args = TREE_CHAIN(args);
++ *in = TREE_VALUE(args);
++ } else
++ *lock = NULL_TREE;
++
++ args = TREE_CHAIN(args);
++ if (*lock && !args)
++ return false;
++
++ *out = TREE_VALUE(args);
++ return true;
++}
++
++static tree handle_context_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
++{
++ *no_add_attrs = true;
++ tree lock, in, out;
++
++ if (TREE_CODE(*node) != FUNCTION_DECL) {
++ error("%qE attribute applies to functions only (%qD)", name, *node);
++ return NULL_TREE;
++ }
++
++ if (!split_context_attribute(args, &lock, &in, &out)) {
++ error("%qE attribute needs two integers after the lock expression", name);
++ return NULL_TREE;
++ }
++
++ if (TREE_CODE(in) != INTEGER_CST) {
++ error("the 'in' argument of the %qE attribute must be an integer (%qE)", name, in);
++ return NULL_TREE;
++ }
++
++ if (TREE_CODE(out) != INTEGER_CST) {
++ error("the 'out' argument of the %qE attribute must be an integer (%qE)", name, out);
++ return NULL_TREE;
++ }
++
++ *no_add_attrs = false;
++ return NULL_TREE;
++}
++
++static struct attribute_spec context_attr = {
++ .name = "context",
++ .min_length = 2,
++ .max_length = 3,
++ .decl_required = true,
++ .type_required = false,
++ .function_type_required = false,
++ .handler = handle_context_attribute,
++#if BUILDING_GCC_VERSION >= 4007
++ .affects_type_identity = true
++#endif
++};
++
++static void register_attributes(void *event_data, void *data)
++{
++ register_attribute(&context_attr);
++}
++
++static const char context_function[] = "__context__";
++static GTY(()) tree context_function_decl;
++
++static const char context_error[] = "__context_error__";
++static GTY(()) tree context_error_decl;
++
++static void context_start_unit(void __unused *gcc_data, void __unused *user_data)
++{
++ tree fntype, attr;
++
++ // void __context__(void *, int);
++ fntype = build_function_type_list(void_type_node, ptr_type_node, integer_type_node, NULL_TREE);
++ context_function_decl = build_fn_decl(context_function, fntype);
++
++ TREE_PUBLIC(context_function_decl) = 1;
++ TREE_USED(context_function_decl) = 1;
++ DECL_EXTERNAL(context_function_decl) = 1;
++ DECL_ARTIFICIAL(context_function_decl) = 1;
++ DECL_PRESERVE_P(context_function_decl) = 1;
++// TREE_NOTHROW(context_function_decl) = 1;
++// DECL_UNINLINABLE(context_function_decl) = 1;
++ DECL_ASSEMBLER_NAME(context_function_decl); // for LTO
++ lang_hooks.decls.pushdecl(context_function_decl);
++
++ // void __context_error__(const void *, int) __attribute__((error("context error")));
++ fntype = build_function_type_list(void_type_node, const_ptr_type_node, integer_type_node, NULL_TREE);
++ context_error_decl = build_fn_decl(context_error, fntype);
++
++ TREE_PUBLIC(context_error_decl) = 1;
++ TREE_USED(context_error_decl) = 1;
++ DECL_EXTERNAL(context_error_decl) = 1;
++ DECL_ARTIFICIAL(context_error_decl) = 1;
++ DECL_PRESERVE_P(context_error_decl) = 1;
++// TREE_NOTHROW(context_error_decl) = 1;
++// DECL_UNINLINABLE(context_error_decl) = 1;
++ TREE_THIS_VOLATILE(context_error_decl) = 1;
++ DECL_ASSEMBLER_NAME(context_error_decl);
++
++ attr = tree_cons(NULL, build_string(14, "context error"), NULL);
++ attr = tree_cons(get_identifier("error"), attr, NULL);
++ decl_attributes(&context_error_decl, attr, 0);
++}
++
++static bool gate_context(void)
++{
++ tree context_attr;
++
++return true;
++
++ context_attr = lookup_attribute("context", DECL_ATTRIBUTES(current_function_decl));
++ return context_attr != NULL_TREE;
++}
++
++static basic_block verify_context_before(gimple_stmt_iterator *gsi, tree context, tree inout, tree error)
++{
++ gimple stmt;
++ basic_block cond_bb, join_bb, true_bb;
++ edge e;
++ location_t loc;
++ const char *file;
++ int line;
++ size_t len;
++ tree filename;
++
++ stmt = gsi_stmt(*gsi);
++ if (gimple_has_location(stmt)) {
++ loc = gimple_location(stmt);
++ file = gimple_filename(stmt);
++ line = gimple_lineno(stmt);
++ } else {
++ loc = DECL_SOURCE_LOCATION(current_function_decl);
++ file = DECL_SOURCE_FILE(current_function_decl);
++ line = DECL_SOURCE_LINE(current_function_decl);
++ }
++ gcc_assert(file);
++
++ // if (context != count) __context_error__(__FILE__, __LINE__);
++ stmt = gimple_build_cond(NE_EXPR, context, inout, NULL_TREE, NULL_TREE);
++ gimple_set_location(stmt, loc);
++ gsi_insert_before(gsi, stmt, GSI_NEW_STMT);
++
++ cond_bb = gsi_bb(*gsi);
++ gcc_assert(!gsi_end_p(*gsi));
++ gcc_assert(stmt == gsi_stmt(*gsi));
++
++ e = split_block(cond_bb, gsi_stmt(*gsi));
++ cond_bb = e->src;
++ join_bb = e->dest;
++ e->flags = EDGE_FALSE_VALUE;
++ e->probability = REG_BR_PROB_BASE;
++
++ true_bb = create_empty_bb(EXIT_BLOCK_PTR_FOR_FN(cfun)->prev_bb);
++ make_edge(cond_bb, true_bb, EDGE_TRUE_VALUE);
++ make_edge(true_bb, join_bb, EDGE_FALLTHRU);
++
++ set_immediate_dominator(CDI_DOMINATORS, true_bb, cond_bb);
++ set_immediate_dominator(CDI_DOMINATORS, join_bb, cond_bb);
++
++ gcc_assert(cond_bb->loop_father == join_bb->loop_father);
++ add_bb_to_loop(true_bb, cond_bb->loop_father);
++
++ // insert call to builtin_trap or __context_error__
++ *gsi = gsi_start_bb(true_bb);
++
++// stmt = gimple_build_call(builtin_decl_implicit(BUILT_IN_TRAP), 0);
++ len = strlen(file) + 1;
++ filename = build_string(len, file);
++ TREE_TYPE(filename) = build_array_type(unsigned_char_type_node, build_index_type(size_int(len)));
++ filename = build1(ADDR_EXPR, const_ptr_type_node, filename);
++ stmt = gimple_build_call(error, 2, filename, build_int_cst(NULL_TREE, line));
++ gimple_set_location(stmt, loc);
++ gsi_insert_after(gsi, stmt, GSI_CONTINUE_LINKING);
++
++ *gsi = gsi_start_nondebug_bb(join_bb);
++ return join_bb;
++}
++
++static void update_context(gimple_stmt_iterator *gsi, tree context, int diff)
++{
++ gimple assign;
++ tree op;
++
++ op = fold_build2_loc(UNKNOWN_LOCATION, PLUS_EXPR, integer_type_node, context, build_int_cst(integer_type_node, diff));
++ assign = gimple_build_assign(context, op);
++ gsi_insert_after(gsi, assign, GSI_NEW_STMT);
++ update_stmt(assign);
++}
++
++static basic_block track_context(basic_block bb, tree context)
++{
++ gimple_stmt_iterator gsi;
++ gimple assign;
++
++ // adjust context according to the context information on any call stmt
++ for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
++ gimple stmt = gsi_stmt(gsi);
++ tree fndecl, context_attr;
++ tree lock, in, out;
++ int incount, outcount;
++
++ if (!is_gimple_call(stmt))
++ continue;
++
++ fndecl = gimple_call_fndecl(stmt);
++ if (!fndecl)
++ continue;
++
++ if (fndecl == context_function_decl) {
++ unsigned int num_ops = gimple_num_ops(stmt);
++ int diff = tree_to_shwi(gimple_op(stmt, num_ops - 1));
++
++ gcc_assert(diff);
++ update_context(&gsi, context, diff);
++ continue;
++ }
++
++ context_attr = lookup_attribute("context", DECL_ATTRIBUTES(fndecl));
++ if (!context_attr)
++ continue;
++
++ gcc_assert(split_context_attribute(TREE_VALUE(context_attr), &lock, &in, &out));
++ incount = tree_to_shwi(in);
++ outcount = tree_to_shwi(out);
++ bb = verify_context_before(&gsi, context, in, context_error_decl);
++ update_context(&gsi, context, outcount - incount);
++ }
++
++ return bb;
++}
++
++static bool bb_any_loop(basic_block bb)
++{
++ return bb_loop_depth(bb) || (bb->flags & BB_IRREDUCIBLE_LOOP);
++}
++
++static unsigned int execute_context(void)
++{
++ basic_block bb;
++ gimple assign;
++ gimple_stmt_iterator gsi;
++ tree context_attr, context;
++ tree lock, in, out;
++
++ loop_optimizer_init(LOOPS_NORMAL | LOOPS_HAVE_RECORDED_EXITS);
++ gcc_assert(current_loops);
++
++ calculate_dominance_info(CDI_DOMINATORS);
++ calculate_dominance_info(CDI_POST_DOMINATORS);
++
++ context_attr = lookup_attribute("context", DECL_ATTRIBUTES(current_function_decl));
++ if (context_attr) {
++ gcc_assert(split_context_attribute(TREE_VALUE(context_attr), &lock, &in, &out));
++ } else {
++ in = out = integer_zero_node;
++ }
++
++ // 1. create local context variable
++ context = create_tmp_var(integer_type_node, "context");
++ add_referenced_var(context);
++ mark_sym_for_renaming(context);
++
++ // 2. initialize local context variable
++ gcc_assert(single_succ_p(ENTRY_BLOCK_PTR_FOR_FN(cfun)));
++ bb = single_succ(ENTRY_BLOCK_PTR_FOR_FN(cfun));
++ if (!single_pred_p(bb)) {
++ gcc_assert(bb_any_loop(bb));
++ split_edge(single_succ_edge(ENTRY_BLOCK_PTR_FOR_FN(cfun)));
++ bb = single_succ(ENTRY_BLOCK_PTR_FOR_FN(cfun));
++ }
++ gsi = gsi_start_bb(bb);
++ assign = gimple_build_assign(context, in);
++ gsi_insert_before(&gsi, assign, GSI_NEW_STMT);
++ update_stmt(assign);
++
++ // 3. instrument each BB to track the local context variable
++ FOR_EACH_BB_FN(bb, cfun) {
++ bb = track_context(bb, context);
++ }
++
++ // 4. verify the local context variable against the expected state
++ if (EDGE_COUNT(EXIT_BLOCK_PTR_FOR_FN(cfun)->preds)) {
++ gcc_assert(single_pred_p(EXIT_BLOCK_PTR_FOR_FN(cfun)));
++ gsi = gsi_last_nondebug_bb(single_pred(EXIT_BLOCK_PTR_FOR_FN(cfun)));
++ verify_context_before(&gsi, context, out, context_error_decl);
++ }
++
++ free_dominance_info(CDI_DOMINATORS);
++ free_dominance_info(CDI_POST_DOMINATORS);
++ loop_optimizer_finalize();
++ return 0;
++}
++
++#if BUILDING_GCC_VERSION >= 4009
++namespace {
++static const struct pass_data context_pass_data = {
++#else
++static struct gimple_opt_pass context_pass = {
++ .pass = {
++#endif
++ .type = GIMPLE_PASS,
++ .name = "context",
++#if BUILDING_GCC_VERSION >= 4008
++ .optinfo_flags = OPTGROUP_NONE,
++#endif
++#if BUILDING_GCC_VERSION >= 5000
++#elif BUILDING_GCC_VERSION == 4009
++ .has_gate = true,
++ .has_execute = true,
++#else
++ .gate = gate_context,
++ .execute = execute_context,
++ .sub = NULL,
++ .next = NULL,
++ .static_pass_number = 0,
++#endif
++ .tv_id = TV_NONE,
++ .properties_required = PROP_gimple_leh | PROP_cfg,
++ .properties_provided = 0,
++ .properties_destroyed = 0,
++ .todo_flags_start = 0, //TODO_verify_ssa | TODO_verify_flow | TODO_verify_stmts,
++ .todo_flags_finish = TODO_verify_ssa | TODO_verify_stmts | TODO_dump_func | TODO_verify_flow | TODO_update_ssa
++#if BUILDING_GCC_VERSION < 4009
++ }
++#endif
++};
++
++#if BUILDING_GCC_VERSION >= 4009
++class context_pass : public gimple_opt_pass {
++public:
++ context_pass() : gimple_opt_pass(context_pass_data, g) {}
++#if BUILDING_GCC_VERSION >= 5000
++ virtual bool gate(function *) { return gate_context(); }
++ virtual unsigned int execute(function *) { return execute_context(); }
++#else
++ bool gate() { return gate_context(); }
++ unsigned int execute() { return execute_context(); }
++#endif
++};
++}
++
++static opt_pass *make_context_pass(void)
++{
++ return new context_pass();
++}
++#else
++static struct opt_pass *make_context_pass(void)
++{
++ return &context_pass.pass;
++}
++#endif
++
+int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
+{
+ const char * const plugin_name = plugin_info->base_name;
+ const int argc = plugin_info->argc;
+ const struct plugin_argument * const argv = plugin_info->argv;
+ int i;
++ bool enable_user, enable_context;
++ struct register_pass_info context_pass_info;
++
++ static const struct ggc_root_tab gt_ggc_r_gt_checker[] = {
++ {
++ .base = &context_function_decl,
++ .nelt = 1,
++ .stride = sizeof(context_function_decl),
++ .cb = &gt_ggc_mx_tree_node,
++ .pchw = &gt_pch_nx_tree_node
++ },
++ {
++ .base = &context_error_decl,
++ .nelt = 1,
++ .stride = sizeof(context_error_decl),
++ .cb = &gt_ggc_mx_tree_node,
++ .pchw = &gt_pch_nx_tree_node
++ },
++ LAST_GGC_ROOT_TAB
++ };
++
++ context_pass_info.pass = make_context_pass();
++// context_pass_info.reference_pass_name = "ssa";
++ context_pass_info.reference_pass_name = "phiprop";
++ context_pass_info.ref_pass_instance_number = 1;
++ context_pass_info.pos_op = PASS_POS_INSERT_AFTER;
+
+ if (!plugin_default_version_check(version, &gcc_version)) {
+ error(G_("incompatible gcc/plugin versions"));
@@ -129395,13 +131343,28 @@ index 0000000..5452feea
+
+ register_callback(plugin_name, PLUGIN_INFO, NULL, &checker_plugin_info);
+
-+ for (i = 0; i < argc; ++i)
++ enable_user = false;
++ enable_context = false;
++ for (i = 0; i < argc; ++i) {
++ if (!strcmp(argv[i].key, "user")) {
++ enable_user = true;
++ continue;
++ }
++ if (!strcmp(argv[i].key, "context")) {
++ enable_context = true;
++ continue;
++ }
+ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
++ }
+
-+ if (TARGET_64BIT == 0)
-+ return 0;
-+
-+ register_callback(plugin_name, PLUGIN_PRAGMAS, register_checker_address_spaces, NULL);
++ if (enable_user)
++ register_callback(plugin_name, PLUGIN_PRAGMAS, register_checker_address_spaces, NULL);
++ if (enable_context) {
++ register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
++ register_callback(plugin_name, PLUGIN_START_UNIT, context_start_unit, NULL);
++ register_callback(plugin_name, PLUGIN_REGISTER_GGC_ROOTS, NULL, (void *)&gt_ggc_r_gt_checker);
++ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &context_pass_info);
++ }
+
+ return 0;
+}
@@ -130205,10 +132168,10 @@ index 0000000..0b98f34
+}
diff --git a/tools/gcc/gcc-common.h b/tools/gcc/gcc-common.h
new file mode 100644
-index 0000000..2ec0551
+index 0000000..9d33451
--- /dev/null
+++ b/tools/gcc/gcc-common.h
-@@ -0,0 +1,812 @@
+@@ -0,0 +1,813 @@
+#ifndef GCC_COMMON_H_INCLUDED
+#define GCC_COMMON_H_INCLUDED
+
@@ -130308,6 +132271,7 @@ index 0000000..2ec0551
+#include "ipa-utils.h"
+
+#if BUILDING_GCC_VERSION >= 4009
++#include "attribs.h"
+#include "varasm.h"
+#include "stor-layout.h"
+#include "internal-fn.h"
@@ -131037,10 +133001,10 @@ index 0000000..7514850
+fi
diff --git a/tools/gcc/initify_plugin.c b/tools/gcc/initify_plugin.c
new file mode 100644
-index 0000000..39c0731
+index 0000000..a9d491f
--- /dev/null
+++ b/tools/gcc/initify_plugin.c
-@@ -0,0 +1,552 @@
+@@ -0,0 +1,581 @@
+/*
+ * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com>
+ * Licensed under the GPL v2, or (at your option) v3
@@ -131061,7 +133025,7 @@ index 0000000..39c0731
+int plugin_is_GPL_compatible;
+
+static struct plugin_info initify_plugin_info = {
-+ .version = "20151128",
++ .version = "20151209",
+ .help = "initify_plugin\n",
+};
+
@@ -131250,7 +133214,7 @@ index 0000000..39c0731
+ tree decl, offset;
+ HOST_WIDE_INT bitsize, bitpos;
+ enum machine_mode mode;
-+ int unsignedp, reversep, volatilep;
++ int unsignedp, reversep __unused, volatilep;
+ enum tree_code code = TREE_CODE(op);
+
+ if (TREE_CODE_CLASS(code) == tcc_exceptional && code != SSA_NAME)
@@ -131343,10 +133307,39 @@ index 0000000..39c0731
+ return false;
+}
+
++static bool is_in_capture_init(const_tree vardecl)
++{
++ unsigned int i;
++ tree var;
++
++ FOR_EACH_LOCAL_DECL(cfun, i, var) {
++ unsigned HOST_WIDE_INT cnt;
++ tree index __unused, value;
++ const_tree initial = DECL_INITIAL(var);
++
++ if (initial == NULL_TREE)
++ continue;
++ if (TREE_CODE(initial) != CONSTRUCTOR)
++ continue;
++
++ FOR_EACH_CONSTRUCTOR_ELT(CONSTRUCTOR_ELTS(initial), cnt, index, value) {
++ if (TREE_CODE(value) != ADDR_EXPR)
++ continue;
++ if (TREE_OPERAND(value, 0) == vardecl)
++ return true;
++ }
++ }
++
++ return false;
++}
++
+static bool has_capture_use_local_var(const_tree vardecl)
+{
+ basic_block bb;
+
++ if (is_in_capture_init(vardecl))
++ return true;
++
+ FOR_EACH_BB_FN(bb, cfun) {
+ gimple_stmt_iterator gsi;
+
@@ -133799,10 +135792,10 @@ index 0000000..f74d85a
+targets += size_overflow_hash.h size_overflow_hash_aux.h disable_size_overflow_hash.h
diff --git a/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data b/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data
new file mode 100644
-index 0000000..07f2628
+index 0000000..8b72888
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data
-@@ -0,0 +1,12424 @@
+@@ -0,0 +1,12425 @@
+disable_so_interrupt_pnode_gru_message_queue_desc_4 interrupt_pnode gru_message_queue_desc 0 4 NULL
+disable_so_bch_btree_insert_fndecl_12 bch_btree_insert fndecl 0 12 NULL
+disable_so_macvlan_sync_address_fndecl_22 macvlan_sync_address fndecl 0 22 NULL nohasharray
@@ -146227,6 +148220,7 @@ index 0000000..07f2628
+enable_so_i_size_high_ext4_inode_18545 i_size_high ext4_inode 0 18545 NULL
+enable_so_nr_kvm_queued_interrupt_34927 nr kvm_queued_interrupt 0 34927 NULL
+enable_so_last_used_idx_vhost_virtqueue_40059 last_used_idx vhost_virtqueue 0 40059 NULL
++enable_so___load_segment_descriptor_fndecl_30833 __load_segment_descriptor fndecl 2-4 30833 NULL
diff --git a/tools/gcc/size_overflow_plugin/generate_size_overflow_hash.sh b/tools/gcc/size_overflow_plugin/generate_size_overflow_hash.sh
new file mode 100644
index 0000000..be9724d
@@ -148470,7 +150464,7 @@ index 0000000..fc58e16
+}
diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
new file mode 100644
-index 0000000..a907202
+index 0000000..509d3f8
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
@@ -0,0 +1,20733 @@
@@ -149604,7 +151598,8 @@ index 0000000..a907202
+enable_so_bytes_btrfs_dio_private_3624 bytes btrfs_dio_private 0 3624 &enable_so_ns_blocksize_the_nilfs_3624 nohasharray
+enable_so_do_msg_fill_fndecl_3624 do_msg_fill fndecl 3 3624 &enable_so_bytes_btrfs_dio_private_3624
+enable_so_offline_pages_fndecl_3625 offline_pages fndecl 1-2 3625 NULL
-+enable_so_tail_timestamp_event_queue_3626 tail timestamp_event_queue 0 3626 NULL
++enable_so_tail_timestamp_event_queue_3626 tail timestamp_event_queue 0 3626 NULL nohasharray
++enable_so_length_pseudo_hdr_3626 length pseudo_hdr 0 3626 &enable_so_tail_timestamp_event_queue_3626
+enable_so_add_res_range_fndecl_3629 add_res_range fndecl 4 3629 NULL
+enable_so_cbuf_eat_fndecl_3631 cbuf_eat fndecl 2 3631 NULL
+enable_so_vmci_transport_queue_pair_alloc_fndecl_3639 vmci_transport_queue_pair_alloc fndecl 4-3 3639 NULL nohasharray
@@ -158206,7 +160201,6 @@ index 0000000..a907202
+enable_so_shmem_write_begin_fndecl_30822 shmem_write_begin fndecl 3 30822 NULL
+enable_so_report_count_hid_field_30826 report_count hid_field 0 30826 NULL
+enable_so_s_root_blkno_ocfs2_super_block_30828 s_root_blkno ocfs2_super_block 0 30828 NULL
-+enable_so___load_segment_descriptor_fndecl_30833 __load_segment_descriptor fndecl 2-4 30833 NULL
+enable_so_add_memory_fndecl_30836 add_memory fndecl 3-2 30836 NULL
+enable_so_f2fs_read_data_pages_fndecl_30837 f2fs_read_data_pages fndecl 4 30837 NULL
+enable_so_shadow_root_level_kvm_mmu_30842 shadow_root_level kvm_mmu 0 30842 NULL
diff --git a/4.2.6/4425_grsec_remove_EI_PAX.patch b/4.2.7/4425_grsec_remove_EI_PAX.patch
index 2a1aa6c..2a1aa6c 100644
--- a/4.2.6/4425_grsec_remove_EI_PAX.patch
+++ b/4.2.7/4425_grsec_remove_EI_PAX.patch
diff --git a/4.2.6/4427_force_XATTR_PAX_tmpfs.patch b/4.2.7/4427_force_XATTR_PAX_tmpfs.patch
index 9157231..9157231 100644
--- a/4.2.6/4427_force_XATTR_PAX_tmpfs.patch
+++ b/4.2.7/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/4.2.6/4430_grsec-remove-localversion-grsec.patch b/4.2.7/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/4.2.6/4430_grsec-remove-localversion-grsec.patch
+++ b/4.2.7/4430_grsec-remove-localversion-grsec.patch
diff --git a/4.2.6/4435_grsec-mute-warnings.patch b/4.2.7/4435_grsec-mute-warnings.patch
index b7564e4..b7564e4 100644
--- a/4.2.6/4435_grsec-mute-warnings.patch
+++ b/4.2.7/4435_grsec-mute-warnings.patch
diff --git a/4.2.6/4440_grsec-remove-protected-paths.patch b/4.2.7/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/4.2.6/4440_grsec-remove-protected-paths.patch
+++ b/4.2.7/4440_grsec-remove-protected-paths.patch
diff --git a/4.2.6/4450_grsec-kconfig-default-gids.patch b/4.2.7/4450_grsec-kconfig-default-gids.patch
index 9524b1f..9524b1f 100644
--- a/4.2.6/4450_grsec-kconfig-default-gids.patch
+++ b/4.2.7/4450_grsec-kconfig-default-gids.patch
diff --git a/4.2.6/4465_selinux-avc_audit-log-curr_ip.patch b/4.2.7/4465_selinux-avc_audit-log-curr_ip.patch
index ba89596..ba89596 100644
--- a/4.2.6/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/4.2.7/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/4.2.6/4470_disable-compat_vdso.patch b/4.2.7/4470_disable-compat_vdso.patch
index 7f84a27..7f84a27 100644
--- a/4.2.6/4470_disable-compat_vdso.patch
+++ b/4.2.7/4470_disable-compat_vdso.patch
diff --git a/4.2.6/4475_emutramp_default_on.patch b/4.2.7/4475_emutramp_default_on.patch
index afd6019..afd6019 100644
--- a/4.2.6/4475_emutramp_default_on.patch
+++ b/4.2.7/4475_emutramp_default_on.patch