diff options
author | Anthony G. Basile <blueness@gentoo.org> | 2015-12-12 04:06:01 -0500 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2015-12-12 04:06:01 -0500 |
commit | 55085213bb0871c830884175b80c5e4a12169d97 (patch) | |
tree | 9f8856edb7433aff58cce444d55452c0062ccdf5 | |
parent | grsecurity-3.1-4.2.6-201512051918 (diff) | |
download | hardened-patchset-20151209.tar.gz hardened-patchset-20151209.tar.bz2 hardened-patchset-20151209.zip |
grsecurity-3.1-4.2.7-20151209232020151209
-rw-r--r-- | 4.2.7/0000_README (renamed from 4.2.6/0000_README) | 6 | ||||
-rw-r--r-- | 4.2.7/1006_linux-4.2.7.patch | 4131 | ||||
-rw-r--r-- | 4.2.7/4420_grsecurity-3.1-4.2.7-201512092320.patch (renamed from 4.2.6/4420_grsecurity-3.1-4.2.6-201512051918.patch) | 3288 | ||||
-rw-r--r-- | 4.2.7/4425_grsec_remove_EI_PAX.patch (renamed from 4.2.6/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 4.2.7/4427_force_XATTR_PAX_tmpfs.patch (renamed from 4.2.6/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 4.2.7/4430_grsec-remove-localversion-grsec.patch (renamed from 4.2.6/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 4.2.7/4435_grsec-mute-warnings.patch (renamed from 4.2.6/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 4.2.7/4440_grsec-remove-protected-paths.patch (renamed from 4.2.6/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 4.2.7/4450_grsec-kconfig-default-gids.patch (renamed from 4.2.6/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 4.2.7/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 4.2.6/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 4.2.7/4470_disable-compat_vdso.patch (renamed from 4.2.6/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 4.2.7/4475_emutramp_default_on.patch (renamed from 4.2.6/4475_emutramp_default_on.patch) | 0 |
12 files changed, 6777 insertions, 648 deletions
diff --git a/4.2.6/0000_README b/4.2.7/0000_README index ec4db38..8a09897 100644 --- a/4.2.6/0000_README +++ b/4.2.7/0000_README @@ -2,7 +2,11 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.1-4.2.6-201512051918.patch +Patch: 1006_linux-4.2.7.patch +From: http://www.kernel.org +Desc: Linux 4.2.7 + +Patch: 4420_grsecurity-3.1-4.2.7-201512092320.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.2.7/1006_linux-4.2.7.patch b/4.2.7/1006_linux-4.2.7.patch new file mode 100644 index 0000000..ba25fa7 --- /dev/null +++ b/4.2.7/1006_linux-4.2.7.patch @@ -0,0 +1,4131 @@ +diff --git a/Documentation/devicetree/bindings/usb/dwc3.txt b/Documentation/devicetree/bindings/usb/dwc3.txt +index 0815eac..e12f344 100644 +--- a/Documentation/devicetree/bindings/usb/dwc3.txt ++++ b/Documentation/devicetree/bindings/usb/dwc3.txt +@@ -35,6 +35,8 @@ Optional properties: + LTSSM during USB3 Compliance mode. + - snps,dis_u3_susphy_quirk: when set core will disable USB3 suspend phy. + - snps,dis_u2_susphy_quirk: when set core will disable USB2 suspend phy. ++ - snps,dis_enblslpm_quirk: when set clears the enblslpm in GUSB2PHYCFG, ++ disabling the suspend signal to the PHY. + - snps,is-utmi-l1-suspend: true when DWC3 asserts output signal + utmi_l1_suspend_n, false when asserts utmi_sleep_n + - snps,hird-threshold: HIRD threshold +diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt +index 6f7fafd..3e2844e 100644 +--- a/Documentation/filesystems/proc.txt ++++ b/Documentation/filesystems/proc.txt +@@ -140,7 +140,8 @@ Table 1-1: Process specific entries in /proc + stat Process status + statm Process memory status information + status Process status in human readable form +- wchan If CONFIG_KALLSYMS is set, a pre-decoded wchan ++ wchan Present with CONFIG_KALLSYMS=y: it shows the kernel function ++ symbol the task is blocked in - or "0" if not blocked. + pagemap Page table + stack Report full stack trace, enable via CONFIG_STACKTRACE + smaps a extension based on maps, showing the memory consumption of +@@ -310,7 +311,7 @@ Table 1-4: Contents of the stat files (as of 2.6.30-rc7) + blocked bitmap of blocked signals + sigign bitmap of ignored signals + sigcatch bitmap of caught signals +- wchan address where process went to sleep ++ 0 (place holder, used to be the wchan address, use /proc/PID/wchan instead) + 0 (place holder) + 0 (place holder) + exit_signal signal to send to parent thread on exit +diff --git a/Makefile b/Makefile +index 9ef3739..f5014ea 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 2 +-SUBLEVEL = 6 ++SUBLEVEL = 7 + EXTRAVERSION = + NAME = Hurr durr I'ma sheep + +diff --git a/arch/arm/boot/dts/imx27.dtsi b/arch/arm/boot/dts/imx27.dtsi +index b69be5c..8c603fd 100644 +--- a/arch/arm/boot/dts/imx27.dtsi ++++ b/arch/arm/boot/dts/imx27.dtsi +@@ -477,7 +477,10 @@ + compatible = "fsl,imx27-usb"; + reg = <0x10024000 0x200>; + interrupts = <56>; +- clocks = <&clks IMX27_CLK_USB_IPG_GATE>; ++ clocks = <&clks IMX27_CLK_USB_IPG_GATE>, ++ <&clks IMX27_CLK_USB_AHB_GATE>, ++ <&clks IMX27_CLK_USB_DIV>; ++ clock-names = "ipg", "ahb", "per"; + fsl,usbmisc = <&usbmisc 0>; + status = "disabled"; + }; +@@ -486,7 +489,10 @@ + compatible = "fsl,imx27-usb"; + reg = <0x10024200 0x200>; + interrupts = <54>; +- clocks = <&clks IMX27_CLK_USB_IPG_GATE>; ++ clocks = <&clks IMX27_CLK_USB_IPG_GATE>, ++ <&clks IMX27_CLK_USB_AHB_GATE>, ++ <&clks IMX27_CLK_USB_DIV>; ++ clock-names = "ipg", "ahb", "per"; + fsl,usbmisc = <&usbmisc 1>; + dr_mode = "host"; + status = "disabled"; +@@ -496,7 +502,10 @@ + compatible = "fsl,imx27-usb"; + reg = <0x10024400 0x200>; + interrupts = <55>; +- clocks = <&clks IMX27_CLK_USB_IPG_GATE>; ++ clocks = <&clks IMX27_CLK_USB_IPG_GATE>, ++ <&clks IMX27_CLK_USB_AHB_GATE>, ++ <&clks IMX27_CLK_USB_DIV>; ++ clock-names = "ipg", "ahb", "per"; + fsl,usbmisc = <&usbmisc 2>; + dr_mode = "host"; + status = "disabled"; +@@ -506,7 +515,6 @@ + #index-cells = <1>; + compatible = "fsl,imx27-usbmisc"; + reg = <0x10024600 0x200>; +- clocks = <&clks IMX27_CLK_USB_AHB_GATE>; + }; + + sahara2: sahara@10025000 { +diff --git a/arch/arm/boot/dts/omap5-uevm.dts b/arch/arm/boot/dts/omap5-uevm.dts +index 5771a14..23d645d 100644 +--- a/arch/arm/boot/dts/omap5-uevm.dts ++++ b/arch/arm/boot/dts/omap5-uevm.dts +@@ -31,6 +31,24 @@ + regulator-max-microvolt = <3000000>; + }; + ++ mmc3_pwrseq: sdhci0_pwrseq { ++ compatible = "mmc-pwrseq-simple"; ++ clocks = <&clk32kgaudio>; ++ clock-names = "ext_clock"; ++ }; ++ ++ vmmcsdio_fixed: fixedregulator-mmcsdio { ++ compatible = "regulator-fixed"; ++ regulator-name = "vmmcsdio_fixed"; ++ regulator-min-microvolt = <1800000>; ++ regulator-max-microvolt = <1800000>; ++ gpio = <&gpio5 12 GPIO_ACTIVE_HIGH>; /* gpio140 WLAN_EN */ ++ enable-active-high; ++ startup-delay-us = <70000>; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&wlan_pins>; ++ }; ++ + /* HS USB Host PHY on PORT 2 */ + hsusb2_phy: hsusb2_phy { + compatible = "usb-nop-xceiv"; +@@ -197,12 +215,20 @@ + >; + }; + +- mcspi4_pins: pinmux_mcspi4_pins { ++ mmc3_pins: pinmux_mmc3_pins { ++ pinctrl-single,pins = < ++ OMAP5_IOPAD(0x01a4, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_clk */ ++ OMAP5_IOPAD(0x01a6, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_cmd */ ++ OMAP5_IOPAD(0x01a8, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_data0 */ ++ OMAP5_IOPAD(0x01aa, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_data1 */ ++ OMAP5_IOPAD(0x01ac, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_data2 */ ++ OMAP5_IOPAD(0x01ae, PIN_INPUT_PULLUP | MUX_MODE0) /* wlsdio_data3 */ ++ >; ++ }; ++ ++ wlan_pins: pinmux_wlan_pins { + pinctrl-single,pins = < +- 0x164 (PIN_INPUT | MUX_MODE1) /* mcspi4_clk */ +- 0x168 (PIN_INPUT | MUX_MODE1) /* mcspi4_simo */ +- 0x16a (PIN_INPUT | MUX_MODE1) /* mcspi4_somi */ +- 0x16c (PIN_INPUT | MUX_MODE1) /* mcspi4_cs0 */ ++ OMAP5_IOPAD(0x1bc, PIN_OUTPUT | MUX_MODE6) /* mcspi1_clk.gpio5_140 */ + >; + }; + +@@ -276,6 +302,12 @@ + 0x1A (PIN_OUTPUT | MUX_MODE0) /* fref_clk1_out, USB hub clk */ + >; + }; ++ ++ wlcore_irq_pin: pinmux_wlcore_irq_pin { ++ pinctrl-single,pins = < ++ OMAP5_IOPAD(0x040, WAKEUP_EN | PIN_INPUT_PULLUP | MUX_MODE6) /* llia_wakereqin.gpio1_wk14 */ ++ >; ++ }; + }; + + &mmc1 { +@@ -290,8 +322,25 @@ + }; + + &mmc3 { ++ vmmc-supply = <&vmmcsdio_fixed>; ++ mmc-pwrseq = <&mmc3_pwrseq>; + bus-width = <4>; +- ti,non-removable; ++ non-removable; ++ cap-power-off-card; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&mmc3_pins &wlcore_irq_pin>; ++ interrupts-extended = <&gic GIC_SPI 94 IRQ_TYPE_LEVEL_HIGH ++ &omap5_pmx_core 0x168>; ++ ++ #address-cells = <1>; ++ #size-cells = <0>; ++ wlcore: wlcore@2 { ++ compatible = "ti,wl1271"; ++ reg = <2>; ++ interrupt-parent = <&gpio1>; ++ interrupts = <14 IRQ_TYPE_LEVEL_HIGH>; /* gpio 14 */ ++ ref-clock-frequency = <26000000>; ++ }; + }; + + &mmc4 { +@@ -591,11 +640,6 @@ + pinctrl-0 = <&mcspi3_pins>; + }; + +-&mcspi4 { +- pinctrl-names = "default"; +- pinctrl-0 = <&mcspi4_pins>; +-}; +- + &uart1 { + pinctrl-names = "default"; + pinctrl-0 = <&uart1_pins>; +diff --git a/arch/arm/boot/dts/sama5d4.dtsi b/arch/arm/boot/dts/sama5d4.dtsi +index 3ee22ee..1ba10e4 100644 +--- a/arch/arm/boot/dts/sama5d4.dtsi ++++ b/arch/arm/boot/dts/sama5d4.dtsi +@@ -939,11 +939,11 @@ + reg = <0xf8018000 0x4000>; + interrupts = <33 IRQ_TYPE_LEVEL_HIGH 6>; + dmas = <&dma1 +- (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1)) +- AT91_XDMAC_DT_PERID(4)>, ++ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) ++ | AT91_XDMAC_DT_PERID(4))>, + <&dma1 +- (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1)) +- AT91_XDMAC_DT_PERID(5)>; ++ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) ++ | AT91_XDMAC_DT_PERID(5))>; + dma-names = "tx", "rx"; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_i2c1>; +diff --git a/arch/arm/boot/dts/sun6i-a31-hummingbird.dts b/arch/arm/boot/dts/sun6i-a31-hummingbird.dts +index d0cfada..18f26ca 100644 +--- a/arch/arm/boot/dts/sun6i-a31-hummingbird.dts ++++ b/arch/arm/boot/dts/sun6i-a31-hummingbird.dts +@@ -184,18 +184,18 @@ + regulator-name = "vcc-3v0"; + }; + +- vdd_cpu: dcdc2 { ++ vdd_gpu: dcdc2 { + regulator-always-on; + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1320000>; +- regulator-name = "vdd-cpu"; ++ regulator-name = "vdd-gpu"; + }; + +- vdd_gpu: dcdc3 { ++ vdd_cpu: dcdc3 { + regulator-always-on; + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1320000>; +- regulator-name = "vdd-gpu"; ++ regulator-name = "vdd-cpu"; + }; + + vdd_sys_dll: dcdc4 { +diff --git a/arch/arm/common/edma.c b/arch/arm/common/edma.c +index 873dbfc..56fc339 100644 +--- a/arch/arm/common/edma.c ++++ b/arch/arm/common/edma.c +@@ -406,7 +406,8 @@ static irqreturn_t dma_irq_handler(int irq, void *data) + BIT(slot)); + if (edma_cc[ctlr]->intr_data[channel].callback) + edma_cc[ctlr]->intr_data[channel].callback( +- channel, EDMA_DMA_COMPLETE, ++ EDMA_CTLR_CHAN(ctlr, channel), ++ EDMA_DMA_COMPLETE, + edma_cc[ctlr]->intr_data[channel].data); + } + } while (sh_ipr); +@@ -460,7 +461,8 @@ static irqreturn_t dma_ccerr_handler(int irq, void *data) + if (edma_cc[ctlr]->intr_data[k]. + callback) { + edma_cc[ctlr]->intr_data[k]. +- callback(k, ++ callback( ++ EDMA_CTLR_CHAN(ctlr, k), + EDMA_DMA_CC_ERROR, + edma_cc[ctlr]->intr_data + [k].data); +diff --git a/arch/arm/include/asm/irq.h b/arch/arm/include/asm/irq.h +index 53c15de..6a9851e 100644 +--- a/arch/arm/include/asm/irq.h ++++ b/arch/arm/include/asm/irq.h +@@ -35,6 +35,11 @@ extern void (*handle_arch_irq)(struct pt_regs *); + extern void set_handle_irq(void (*handle_irq)(struct pt_regs *)); + #endif + ++static inline int nr_legacy_irqs(void) ++{ ++ return NR_IRQS_LEGACY; ++} ++ + #endif + + #endif +diff --git a/arch/arm/mach-at91/pm_suspend.S b/arch/arm/mach-at91/pm_suspend.S +index 0d95f48..a25defd 100644 +--- a/arch/arm/mach-at91/pm_suspend.S ++++ b/arch/arm/mach-at91/pm_suspend.S +@@ -80,6 +80,8 @@ tmp2 .req r5 + * @r2: base address of second SDRAM Controller or 0 if not present + * @r3: pm information + */ ++/* at91_pm_suspend_in_sram must be 8-byte aligned per the requirements of fncpy() */ ++ .align 3 + ENTRY(at91_pm_suspend_in_sram) + /* Save registers on stack */ + stmfd sp!, {r4 - r12, lr} +diff --git a/arch/arm/mach-pxa/include/mach/pxa27x.h b/arch/arm/mach-pxa/include/mach/pxa27x.h +index 599b925..1a42919 100644 +--- a/arch/arm/mach-pxa/include/mach/pxa27x.h ++++ b/arch/arm/mach-pxa/include/mach/pxa27x.h +@@ -19,7 +19,7 @@ + #define ARB_CORE_PARK (1<<24) /* Be parked with core when idle */ + #define ARB_LOCK_FLAG (1<<23) /* Only Locking masters gain access to the bus */ + +-extern int __init pxa27x_set_pwrmode(unsigned int mode); ++extern int pxa27x_set_pwrmode(unsigned int mode); + extern void pxa27x_cpu_pm_enter(suspend_state_t state); + + #endif /* __MACH_PXA27x_H */ +diff --git a/arch/arm/mach-pxa/pxa27x.c b/arch/arm/mach-pxa/pxa27x.c +index b5abdeb..aa97547 100644 +--- a/arch/arm/mach-pxa/pxa27x.c ++++ b/arch/arm/mach-pxa/pxa27x.c +@@ -84,7 +84,7 @@ EXPORT_SYMBOL_GPL(pxa27x_configure_ac97reset); + */ + static unsigned int pwrmode = PWRMODE_SLEEP; + +-int __init pxa27x_set_pwrmode(unsigned int mode) ++int pxa27x_set_pwrmode(unsigned int mode) + { + switch (mode) { + case PWRMODE_SLEEP: +diff --git a/arch/arm/mach-tegra/board-paz00.c b/arch/arm/mach-tegra/board-paz00.c +index fbe74c6..49d1110 100644 +--- a/arch/arm/mach-tegra/board-paz00.c ++++ b/arch/arm/mach-tegra/board-paz00.c +@@ -39,8 +39,8 @@ static struct platform_device wifi_rfkill_device = { + static struct gpiod_lookup_table wifi_gpio_lookup = { + .dev_id = "rfkill_gpio", + .table = { +- GPIO_LOOKUP_IDX("tegra-gpio", 25, NULL, 0, 0), +- GPIO_LOOKUP_IDX("tegra-gpio", 85, NULL, 1, 0), ++ GPIO_LOOKUP("tegra-gpio", 25, "reset", 0), ++ GPIO_LOOKUP("tegra-gpio", 85, "shutdown", 0), + { }, + }, + }; +diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c +index cba12f3..25ecc6a 100644 +--- a/arch/arm/mm/dma-mapping.c ++++ b/arch/arm/mm/dma-mapping.c +@@ -1413,12 +1413,19 @@ static int arm_iommu_mmap_attrs(struct device *dev, struct vm_area_struct *vma, + unsigned long uaddr = vma->vm_start; + unsigned long usize = vma->vm_end - vma->vm_start; + struct page **pages = __iommu_get_pages(cpu_addr, attrs); ++ unsigned long nr_pages = PAGE_ALIGN(size) >> PAGE_SHIFT; ++ unsigned long off = vma->vm_pgoff; + + vma->vm_page_prot = __get_dma_pgprot(attrs, vma->vm_page_prot); + + if (!pages) + return -ENXIO; + ++ if (off >= nr_pages || (usize >> PAGE_SHIFT) > nr_pages - off) ++ return -ENXIO; ++ ++ pages += off; ++ + do { + int ret = vm_insert_page(vma, uaddr, *pages++); + if (ret) { +diff --git a/arch/arm64/include/asm/irq.h b/arch/arm64/include/asm/irq.h +index bbb251b..8b9bf54 100644 +--- a/arch/arm64/include/asm/irq.h ++++ b/arch/arm64/include/asm/irq.h +@@ -21,4 +21,9 @@ static inline void acpi_irq_init(void) + } + #define acpi_irq_init acpi_irq_init + ++static inline int nr_legacy_irqs(void) ++{ ++ return 0; ++} ++ + #endif +diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h +index d6dd9fd..d4264bb 100644 +--- a/arch/arm64/include/asm/ptrace.h ++++ b/arch/arm64/include/asm/ptrace.h +@@ -83,14 +83,14 @@ + #define compat_sp regs[13] + #define compat_lr regs[14] + #define compat_sp_hyp regs[15] +-#define compat_sp_irq regs[16] +-#define compat_lr_irq regs[17] +-#define compat_sp_svc regs[18] +-#define compat_lr_svc regs[19] +-#define compat_sp_abt regs[20] +-#define compat_lr_abt regs[21] +-#define compat_sp_und regs[22] +-#define compat_lr_und regs[23] ++#define compat_lr_irq regs[16] ++#define compat_sp_irq regs[17] ++#define compat_lr_svc regs[18] ++#define compat_sp_svc regs[19] ++#define compat_lr_abt regs[20] ++#define compat_sp_abt regs[21] ++#define compat_lr_und regs[22] ++#define compat_sp_und regs[23] + #define compat_r8_fiq regs[24] + #define compat_r9_fiq regs[25] + #define compat_r10_fiq regs[26] +diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S +index 9807333..4d77757 100644 +--- a/arch/arm64/kernel/vmlinux.lds.S ++++ b/arch/arm64/kernel/vmlinux.lds.S +@@ -60,9 +60,12 @@ PECOFF_FILE_ALIGNMENT = 0x200; + #define PECOFF_EDATA_PADDING + #endif + +-#ifdef CONFIG_DEBUG_ALIGN_RODATA ++#if defined(CONFIG_DEBUG_ALIGN_RODATA) + #define ALIGN_DEBUG_RO . = ALIGN(1<<SECTION_SHIFT); + #define ALIGN_DEBUG_RO_MIN(min) ALIGN_DEBUG_RO ++#elif defined(CONFIG_DEBUG_RODATA) ++#define ALIGN_DEBUG_RO . = ALIGN(1<<PAGE_SHIFT); ++#define ALIGN_DEBUG_RO_MIN(min) ALIGN_DEBUG_RO + #else + #define ALIGN_DEBUG_RO + #define ALIGN_DEBUG_RO_MIN(min) . = ALIGN(min); +diff --git a/arch/mips/ath79/setup.c b/arch/mips/ath79/setup.c +index 1ba2120..9a00137 100644 +--- a/arch/mips/ath79/setup.c ++++ b/arch/mips/ath79/setup.c +@@ -216,9 +216,9 @@ void __init plat_mem_setup(void) + AR71XX_RESET_SIZE); + ath79_pll_base = ioremap_nocache(AR71XX_PLL_BASE, + AR71XX_PLL_SIZE); ++ ath79_detect_sys_type(); + ath79_ddr_ctrl_init(); + +- ath79_detect_sys_type(); + if (mips_machtype != ATH79_MACH_GENERIC_OF) + detect_memory_region(0, ATH79_MEM_SIZE_MIN, ATH79_MEM_SIZE_MAX); + +diff --git a/arch/mips/include/asm/cdmm.h b/arch/mips/include/asm/cdmm.h +index 16e22ce..85dc4ce 100644 +--- a/arch/mips/include/asm/cdmm.h ++++ b/arch/mips/include/asm/cdmm.h +@@ -84,6 +84,17 @@ void mips_cdmm_driver_unregister(struct mips_cdmm_driver *); + module_driver(__mips_cdmm_driver, mips_cdmm_driver_register, \ + mips_cdmm_driver_unregister) + ++/* ++ * builtin_mips_cdmm_driver() - Helper macro for drivers that don't do anything ++ * special in init and have no exit. This eliminates some boilerplate. Each ++ * driver may only use this macro once, and calling it replaces device_initcall ++ * (or in some cases, the legacy __initcall). This is meant to be a direct ++ * parallel of module_mips_cdmm_driver() above but without the __exit stuff that ++ * is not used for builtin cases. ++ */ ++#define builtin_mips_cdmm_driver(__mips_cdmm_driver) \ ++ builtin_driver(__mips_cdmm_driver, mips_cdmm_driver_register) ++ + /* drivers/tty/mips_ejtag_fdc.c */ + + #ifdef CONFIG_MIPS_EJTAG_FDC_EARLYCON +diff --git a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c +index d5fa3ea..41b1b09 100644 +--- a/arch/mips/kvm/emulate.c ++++ b/arch/mips/kvm/emulate.c +@@ -1581,7 +1581,7 @@ enum emulation_result kvm_mips_emulate_cache(uint32_t inst, uint32_t *opc, + + base = (inst >> 21) & 0x1f; + op_inst = (inst >> 16) & 0x1f; +- offset = inst & 0xffff; ++ offset = (int16_t)inst; + cache = (inst >> 16) & 0x3; + op = (inst >> 18) & 0x7; + +diff --git a/arch/mips/kvm/locore.S b/arch/mips/kvm/locore.S +index c567240..d1ee95a 100644 +--- a/arch/mips/kvm/locore.S ++++ b/arch/mips/kvm/locore.S +@@ -165,9 +165,11 @@ FEXPORT(__kvm_mips_vcpu_run) + + FEXPORT(__kvm_mips_load_asid) + /* Set the ASID for the Guest Kernel */ +- INT_SLL t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */ +- /* addresses shift to 0x80000000 */ +- bltz t0, 1f /* If kernel */ ++ PTR_L t0, VCPU_COP0(k1) ++ LONG_L t0, COP0_STATUS(t0) ++ andi t0, KSU_USER | ST0_ERL | ST0_EXL ++ xori t0, KSU_USER ++ bnez t0, 1f /* If kernel */ + INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */ + INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID /* else user */ + 1: +@@ -482,9 +484,11 @@ __kvm_mips_return_to_guest: + mtc0 t0, CP0_EPC + + /* Set the ASID for the Guest Kernel */ +- INT_SLL t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */ +- /* addresses shift to 0x80000000 */ +- bltz t0, 1f /* If kernel */ ++ PTR_L t0, VCPU_COP0(k1) ++ LONG_L t0, COP0_STATUS(t0) ++ andi t0, KSU_USER | ST0_ERL | ST0_EXL ++ xori t0, KSU_USER ++ bnez t0, 1f /* If kernel */ + INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */ + INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID /* else user */ + 1: +diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c +index cd4c129..bafb32b 100644 +--- a/arch/mips/kvm/mips.c ++++ b/arch/mips/kvm/mips.c +@@ -278,7 +278,7 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id) + + if (!gebase) { + err = -ENOMEM; +- goto out_free_cpu; ++ goto out_uninit_cpu; + } + kvm_debug("Allocated %d bytes for KVM Exception Handlers @ %p\n", + ALIGN(size, PAGE_SIZE), gebase); +@@ -342,6 +342,9 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id) + out_free_gebase: + kfree(gebase); + ++out_uninit_cpu: ++ kvm_vcpu_uninit(vcpu); ++ + out_free_cpu: + kfree(vcpu); + +diff --git a/arch/mips/lantiq/clk.c b/arch/mips/lantiq/clk.c +index 3fc2e6d..a0706fd 100644 +--- a/arch/mips/lantiq/clk.c ++++ b/arch/mips/lantiq/clk.c +@@ -99,6 +99,23 @@ int clk_set_rate(struct clk *clk, unsigned long rate) + } + EXPORT_SYMBOL(clk_set_rate); + ++long clk_round_rate(struct clk *clk, unsigned long rate) ++{ ++ if (unlikely(!clk_good(clk))) ++ return 0; ++ if (clk->rates && *clk->rates) { ++ unsigned long *r = clk->rates; ++ ++ while (*r && (*r != rate)) ++ r++; ++ if (!*r) { ++ return clk->rate; ++ } ++ } ++ return rate; ++} ++EXPORT_SYMBOL(clk_round_rate); ++ + int clk_enable(struct clk *clk) + { + if (unlikely(!clk_good(clk))) +diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c +index c98d897..cbee788 100644 +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -1051,8 +1051,7 @@ static int __inject_extcall(struct kvm_vcpu *vcpu, struct kvm_s390_irq *irq) + src_id, 0, 2); + + /* sending vcpu invalid */ +- if (src_id >= KVM_MAX_VCPUS || +- kvm_get_vcpu(vcpu->kvm, src_id) == NULL) ++ if (kvm_get_vcpu_by_id(vcpu->kvm, src_id) == NULL) + return -EINVAL; + + if (sclp.has_sigpif) +@@ -1131,6 +1130,10 @@ static int __inject_sigp_emergency(struct kvm_vcpu *vcpu, + trace_kvm_s390_inject_vcpu(vcpu->vcpu_id, KVM_S390_INT_EMERGENCY, + irq->u.emerg.code, 0, 2); + ++ /* sending vcpu invalid */ ++ if (kvm_get_vcpu_by_id(vcpu->kvm, irq->u.emerg.code) == NULL) ++ return -EINVAL; ++ + set_bit(irq->u.emerg.code, li->sigp_emerg_pending); + set_bit(IRQ_PEND_EXT_EMERGENCY, &li->pending_irqs); + atomic_set_mask(CPUSTAT_EXT_INT, li->cpuflags); +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index f32f843..4a001c1 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -289,12 +289,16 @@ static int kvm_vm_ioctl_enable_cap(struct kvm *kvm, struct kvm_enable_cap *cap) + r = 0; + break; + case KVM_CAP_S390_VECTOR_REGISTERS: +- if (MACHINE_HAS_VX) { ++ mutex_lock(&kvm->lock); ++ if (atomic_read(&kvm->online_vcpus)) { ++ r = -EBUSY; ++ } else if (MACHINE_HAS_VX) { + set_kvm_facility(kvm->arch.model.fac->mask, 129); + set_kvm_facility(kvm->arch.model.fac->list, 129); + r = 0; + } else + r = -EINVAL; ++ mutex_unlock(&kvm->lock); + break; + case KVM_CAP_S390_USER_STSI: + kvm->arch.user_stsi = 1; +@@ -1037,7 +1041,9 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type) + if (!kvm->arch.sca) + goto out_err; + spin_lock(&kvm_lock); +- sca_offset = (sca_offset + 16) & 0x7f0; ++ sca_offset += 16; ++ if (sca_offset + sizeof(struct sca_block) > PAGE_SIZE) ++ sca_offset = 0; + kvm->arch.sca = (struct sca_block *) ((char *) kvm->arch.sca + sca_offset); + spin_unlock(&kvm_lock); + +diff --git a/arch/s390/kvm/sigp.c b/arch/s390/kvm/sigp.c +index 72e58bd..7171056 100644 +--- a/arch/s390/kvm/sigp.c ++++ b/arch/s390/kvm/sigp.c +@@ -294,12 +294,8 @@ static int handle_sigp_dst(struct kvm_vcpu *vcpu, u8 order_code, + u16 cpu_addr, u32 parameter, u64 *status_reg) + { + int rc; +- struct kvm_vcpu *dst_vcpu; ++ struct kvm_vcpu *dst_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr); + +- if (cpu_addr >= KVM_MAX_VCPUS) +- return SIGP_CC_NOT_OPERATIONAL; +- +- dst_vcpu = kvm_get_vcpu(vcpu->kvm, cpu_addr); + if (!dst_vcpu) + return SIGP_CC_NOT_OPERATIONAL; + +@@ -481,7 +477,7 @@ int kvm_s390_handle_sigp_pei(struct kvm_vcpu *vcpu) + trace_kvm_s390_handle_sigp_pei(vcpu, order_code, cpu_addr); + + if (order_code == SIGP_EXTERNAL_CALL) { +- dest_vcpu = kvm_get_vcpu(vcpu->kvm, cpu_addr); ++ dest_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr); + BUG_ON(dest_vcpu == NULL); + + kvm_s390_vcpu_wakeup(dest_vcpu); +diff --git a/arch/tile/kernel/usb.c b/arch/tile/kernel/usb.c +index f0da5a2..9f1e05e 100644 +--- a/arch/tile/kernel/usb.c ++++ b/arch/tile/kernel/usb.c +@@ -22,6 +22,7 @@ + #include <linux/platform_device.h> + #include <linux/usb/tilegx.h> + #include <linux/init.h> ++#include <linux/module.h> + #include <linux/types.h> + + static u64 ehci_dmamask = DMA_BIT_MASK(32); +diff --git a/arch/x86/include/asm/i8259.h b/arch/x86/include/asm/i8259.h +index ccffa53..39bcefc 100644 +--- a/arch/x86/include/asm/i8259.h ++++ b/arch/x86/include/asm/i8259.h +@@ -60,6 +60,7 @@ struct legacy_pic { + void (*mask_all)(void); + void (*restore_mask)(void); + void (*init)(int auto_eoi); ++ int (*probe)(void); + int (*irq_pending)(unsigned int irq); + void (*make_irq)(unsigned int irq); + }; +diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h +index e16466e..e9cd7be 100644 +--- a/arch/x86/include/asm/kvm_emulate.h ++++ b/arch/x86/include/asm/kvm_emulate.h +@@ -112,6 +112,16 @@ struct x86_emulate_ops { + struct x86_exception *fault); + + /* ++ * read_phys: Read bytes of standard (non-emulated/special) memory. ++ * Used for descriptor reading. ++ * @addr: [IN ] Physical address from which to read. ++ * @val: [OUT] Value read from memory. ++ * @bytes: [IN ] Number of bytes to read from memory. ++ */ ++ int (*read_phys)(struct x86_emulate_ctxt *ctxt, unsigned long addr, ++ void *val, unsigned int bytes); ++ ++ /* + * write_std: Write bytes of standard (non-emulated/special) memory. + * Used for descriptor writing. + * @addr: [IN ] Linear address to which to write. +diff --git a/arch/x86/include/uapi/asm/svm.h b/arch/x86/include/uapi/asm/svm.h +index b5d7640..8a4add8 100644 +--- a/arch/x86/include/uapi/asm/svm.h ++++ b/arch/x86/include/uapi/asm/svm.h +@@ -100,6 +100,7 @@ + { SVM_EXIT_EXCP_BASE + UD_VECTOR, "UD excp" }, \ + { SVM_EXIT_EXCP_BASE + PF_VECTOR, "PF excp" }, \ + { SVM_EXIT_EXCP_BASE + NM_VECTOR, "NM excp" }, \ ++ { SVM_EXIT_EXCP_BASE + AC_VECTOR, "AC excp" }, \ + { SVM_EXIT_EXCP_BASE + MC_VECTOR, "MC excp" }, \ + { SVM_EXIT_INTR, "interrupt" }, \ + { SVM_EXIT_NMI, "nmi" }, \ +diff --git a/arch/x86/kernel/apic/vector.c b/arch/x86/kernel/apic/vector.c +index 2683f36..ea4ba83 100644 +--- a/arch/x86/kernel/apic/vector.c ++++ b/arch/x86/kernel/apic/vector.c +@@ -360,7 +360,11 @@ int __init arch_probe_nr_irqs(void) + if (nr < nr_irqs) + nr_irqs = nr; + +- return nr_legacy_irqs(); ++ /* ++ * We don't know if PIC is present at this point so we need to do ++ * probe() to get the right number of legacy IRQs. ++ */ ++ return legacy_pic->probe(); + } + + #ifdef CONFIG_X86_IO_APIC +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index cb9e5df..e4f929d 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -272,10 +272,9 @@ __setup("nosmap", setup_disable_smap); + + static __always_inline void setup_smap(struct cpuinfo_x86 *c) + { +- unsigned long eflags; ++ unsigned long eflags = native_save_fl(); + + /* This should have been cleared long ago */ +- raw_local_save_flags(eflags); + BUG_ON(eflags & X86_EFLAGS_AC); + + if (cpu_has(c, X86_FEATURE_SMAP)) { +diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c +index 50ec9af..6545e6d 100644 +--- a/arch/x86/kernel/fpu/signal.c ++++ b/arch/x86/kernel/fpu/signal.c +@@ -385,20 +385,19 @@ fpu__alloc_mathframe(unsigned long sp, int ia32_frame, + */ + void fpu__init_prepare_fx_sw_frame(void) + { +- int fsave_header_size = sizeof(struct fregs_state); + int size = xstate_size + FP_XSTATE_MAGIC2_SIZE; + +- if (config_enabled(CONFIG_X86_32)) +- size += fsave_header_size; +- + fx_sw_reserved.magic1 = FP_XSTATE_MAGIC1; + fx_sw_reserved.extended_size = size; + fx_sw_reserved.xfeatures = xfeatures_mask; + fx_sw_reserved.xstate_size = xstate_size; + +- if (config_enabled(CONFIG_IA32_EMULATION)) { ++ if (config_enabled(CONFIG_IA32_EMULATION) || ++ config_enabled(CONFIG_X86_32)) { ++ int fsave_header_size = sizeof(struct fregs_state); ++ + fx_sw_reserved_ia32 = fx_sw_reserved; +- fx_sw_reserved_ia32.extended_size += fsave_header_size; ++ fx_sw_reserved_ia32.extended_size = size + fsave_header_size; + } + } + +diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c +index 62fc001..2c4ac07 100644 +--- a/arch/x86/kernel/fpu/xstate.c ++++ b/arch/x86/kernel/fpu/xstate.c +@@ -402,7 +402,6 @@ void *get_xsave_addr(struct xregs_state *xsave, int xstate_feature) + if (!boot_cpu_has(X86_FEATURE_XSAVE)) + return NULL; + +- xsave = ¤t->thread.fpu.state.xsave; + /* + * We should not ever be requesting features that we + * have not enabled. Remember that pcntxt_mask is +diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S +index 1d40ca8..ffdc0e8 100644 +--- a/arch/x86/kernel/head_64.S ++++ b/arch/x86/kernel/head_64.S +@@ -65,6 +65,9 @@ startup_64: + * tables and then reload them. + */ + ++ /* Sanitize CPU configuration */ ++ call verify_cpu ++ + /* + * Compute the delta between the address I am compiled to run at and the + * address I am actually running at. +@@ -174,6 +177,9 @@ ENTRY(secondary_startup_64) + * after the boot processor executes this code. + */ + ++ /* Sanitize CPU configuration */ ++ call verify_cpu ++ + movq $(init_level4_pgt - __START_KERNEL_map), %rax + 1: + +@@ -288,6 +294,8 @@ ENTRY(secondary_startup_64) + pushq %rax # target address in negative space + lretq + ++#include "verify_cpu.S" ++ + #ifdef CONFIG_HOTPLUG_CPU + /* + * Boot CPU0 entry point. It's called from play_dead(). Everything has been set +diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c +index 16cb827..be22f5a 100644 +--- a/arch/x86/kernel/i8259.c ++++ b/arch/x86/kernel/i8259.c +@@ -295,16 +295,11 @@ static void unmask_8259A(void) + raw_spin_unlock_irqrestore(&i8259A_lock, flags); + } + +-static void init_8259A(int auto_eoi) ++static int probe_8259A(void) + { + unsigned long flags; + unsigned char probe_val = ~(1 << PIC_CASCADE_IR); + unsigned char new_val; +- +- i8259A_auto_eoi = auto_eoi; +- +- raw_spin_lock_irqsave(&i8259A_lock, flags); +- + /* + * Check to see if we have a PIC. + * Mask all except the cascade and read +@@ -312,16 +307,28 @@ static void init_8259A(int auto_eoi) + * have a PIC, we will read 0xff as opposed to the + * value we wrote. + */ ++ raw_spin_lock_irqsave(&i8259A_lock, flags); ++ + outb(0xff, PIC_SLAVE_IMR); /* mask all of 8259A-2 */ + outb(probe_val, PIC_MASTER_IMR); + new_val = inb(PIC_MASTER_IMR); + if (new_val != probe_val) { + printk(KERN_INFO "Using NULL legacy PIC\n"); + legacy_pic = &null_legacy_pic; +- raw_spin_unlock_irqrestore(&i8259A_lock, flags); +- return; + } + ++ raw_spin_unlock_irqrestore(&i8259A_lock, flags); ++ return nr_legacy_irqs(); ++} ++ ++static void init_8259A(int auto_eoi) ++{ ++ unsigned long flags; ++ ++ i8259A_auto_eoi = auto_eoi; ++ ++ raw_spin_lock_irqsave(&i8259A_lock, flags); ++ + outb(0xff, PIC_MASTER_IMR); /* mask all of 8259A-1 */ + + /* +@@ -379,6 +386,10 @@ static int legacy_pic_irq_pending_noop(unsigned int irq) + { + return 0; + } ++static int legacy_pic_probe(void) ++{ ++ return 0; ++} + + struct legacy_pic null_legacy_pic = { + .nr_legacy_irqs = 0, +@@ -388,6 +399,7 @@ struct legacy_pic null_legacy_pic = { + .mask_all = legacy_pic_noop, + .restore_mask = legacy_pic_noop, + .init = legacy_pic_int_noop, ++ .probe = legacy_pic_probe, + .irq_pending = legacy_pic_irq_pending_noop, + .make_irq = legacy_pic_uint_noop, + }; +@@ -400,6 +412,7 @@ struct legacy_pic default_legacy_pic = { + .mask_all = mask_8259A, + .restore_mask = unmask_8259A, + .init = init_8259A, ++ .probe = probe_8259A, + .irq_pending = i8259A_irq_pending, + .make_irq = make_8259A_irq, + }; +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index 80f874b..1e6f70f 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -1198,6 +1198,14 @@ void __init setup_arch(char **cmdline_p) + clone_pgd_range(initial_page_table + KERNEL_PGD_BOUNDARY, + swapper_pg_dir + KERNEL_PGD_BOUNDARY, + KERNEL_PGD_PTRS); ++ ++ /* ++ * sync back low identity map too. It is used for example ++ * in the 32-bit EFI stub. ++ */ ++ clone_pgd_range(initial_page_table, ++ swapper_pg_dir + KERNEL_PGD_BOUNDARY, ++ min(KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY)); + #endif + + tboot_probe(); +diff --git a/arch/x86/kernel/verify_cpu.S b/arch/x86/kernel/verify_cpu.S +index b9242ba..4cf401f 100644 +--- a/arch/x86/kernel/verify_cpu.S ++++ b/arch/x86/kernel/verify_cpu.S +@@ -34,10 +34,11 @@ + #include <asm/msr-index.h> + + verify_cpu: +- pushfl # Save caller passed flags +- pushl $0 # Kill any dangerous flags +- popfl ++ pushf # Save caller passed flags ++ push $0 # Kill any dangerous flags ++ popf + ++#ifndef __x86_64__ + pushfl # standard way to check for cpuid + popl %eax + movl %eax,%ebx +@@ -48,6 +49,7 @@ verify_cpu: + popl %eax + cmpl %eax,%ebx + jz verify_cpu_no_longmode # cpu has no cpuid ++#endif + + movl $0x0,%eax # See if cpuid 1 is implemented + cpuid +@@ -130,10 +132,10 @@ verify_cpu_sse_test: + jmp verify_cpu_sse_test # try again + + verify_cpu_no_longmode: +- popfl # Restore caller passed flags ++ popf # Restore caller passed flags + movl $1,%eax + ret + verify_cpu_sse_ok: +- popfl # Restore caller passed flags ++ popf # Restore caller passed flags + xorl %eax, %eax + ret +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index 2392541a..f17c342 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -2272,8 +2272,8 @@ static int emulator_has_longmode(struct x86_emulate_ctxt *ctxt) + #define GET_SMSTATE(type, smbase, offset) \ + ({ \ + type __val; \ +- int r = ctxt->ops->read_std(ctxt, smbase + offset, &__val, \ +- sizeof(__val), NULL); \ ++ int r = ctxt->ops->read_phys(ctxt, smbase + offset, &__val, \ ++ sizeof(__val)); \ + if (r != X86EMUL_CONTINUE) \ + return X86EMUL_UNHANDLEABLE; \ + __val; \ +@@ -2484,17 +2484,36 @@ static int em_rsm(struct x86_emulate_ctxt *ctxt) + + /* + * Get back to real mode, to prepare a safe state in which to load +- * CR0/CR3/CR4/EFER. Also this will ensure that addresses passed +- * to read_std/write_std are not virtual. +- * +- * CR4.PCIDE must be zero, because it is a 64-bit mode only feature. ++ * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU ++ * supports long mode. + */ ++ cr4 = ctxt->ops->get_cr(ctxt, 4); ++ if (emulator_has_longmode(ctxt)) { ++ struct desc_struct cs_desc; ++ ++ /* Zero CR4.PCIDE before CR0.PG. */ ++ if (cr4 & X86_CR4_PCIDE) { ++ ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE); ++ cr4 &= ~X86_CR4_PCIDE; ++ } ++ ++ /* A 32-bit code segment is required to clear EFER.LMA. */ ++ memset(&cs_desc, 0, sizeof(cs_desc)); ++ cs_desc.type = 0xb; ++ cs_desc.s = cs_desc.g = cs_desc.p = 1; ++ ctxt->ops->set_segment(ctxt, 0, &cs_desc, 0, VCPU_SREG_CS); ++ } ++ ++ /* For the 64-bit case, this will clear EFER.LMA. */ + cr0 = ctxt->ops->get_cr(ctxt, 0); + if (cr0 & X86_CR0_PE) + ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE)); +- cr4 = ctxt->ops->get_cr(ctxt, 4); ++ ++ /* Now clear CR4.PAE (which must be done before clearing EFER.LME). */ + if (cr4 & X86_CR4_PAE) + ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE); ++ ++ /* And finally go back to 32-bit mode. */ + efer = 0; + ctxt->ops->set_msr(ctxt, MSR_EFER, efer); + +@@ -4455,7 +4474,7 @@ static const struct opcode twobyte_table[256] = { + F(DstMem | SrcReg | Src2CL | ModRM, em_shld), N, N, + /* 0xA8 - 0xAF */ + I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg), +- II(No64 | EmulateOnUD | ImplicitOps, em_rsm, rsm), ++ II(EmulateOnUD | ImplicitOps, em_rsm, rsm), + F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts), + F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd), + F(DstMem | SrcReg | Src2CL | ModRM, em_shrd), +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 2a5ca97..236e346 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -348,6 +348,8 @@ void kvm_apic_update_irr(struct kvm_vcpu *vcpu, u32 *pir) + struct kvm_lapic *apic = vcpu->arch.apic; + + __kvm_apic_update_irr(pir, apic->regs); ++ ++ kvm_make_request(KVM_REQ_EVENT, vcpu); + } + EXPORT_SYMBOL_GPL(kvm_apic_update_irr); + +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 2d32b67..00da6e8 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1085,7 +1085,7 @@ static u64 svm_compute_tsc_offset(struct kvm_vcpu *vcpu, u64 target_tsc) + return target_tsc - tsc; + } + +-static void init_vmcb(struct vcpu_svm *svm, bool init_event) ++static void init_vmcb(struct vcpu_svm *svm) + { + struct vmcb_control_area *control = &svm->vmcb->control; + struct vmcb_save_area *save = &svm->vmcb->save; +@@ -1106,6 +1106,7 @@ static void init_vmcb(struct vcpu_svm *svm, bool init_event) + set_exception_intercept(svm, PF_VECTOR); + set_exception_intercept(svm, UD_VECTOR); + set_exception_intercept(svm, MC_VECTOR); ++ set_exception_intercept(svm, AC_VECTOR); + + set_intercept(svm, INTERCEPT_INTR); + set_intercept(svm, INTERCEPT_NMI); +@@ -1156,8 +1157,7 @@ static void init_vmcb(struct vcpu_svm *svm, bool init_event) + init_sys_seg(&save->ldtr, SEG_TYPE_LDT); + init_sys_seg(&save->tr, SEG_TYPE_BUSY_TSS16); + +- if (!init_event) +- svm_set_efer(&svm->vcpu, 0); ++ svm_set_efer(&svm->vcpu, 0); + save->dr6 = 0xffff0ff0; + kvm_set_rflags(&svm->vcpu, 2); + save->rip = 0x0000fff0; +@@ -1211,7 +1211,7 @@ static void svm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event) + if (kvm_vcpu_is_reset_bsp(&svm->vcpu)) + svm->vcpu.arch.apic_base |= MSR_IA32_APICBASE_BSP; + } +- init_vmcb(svm, init_event); ++ init_vmcb(svm); + + kvm_cpuid(vcpu, &eax, &dummy, &dummy, &dummy); + kvm_register_write(vcpu, VCPU_REGS_RDX, eax); +@@ -1267,7 +1267,7 @@ static struct kvm_vcpu *svm_create_vcpu(struct kvm *kvm, unsigned int id) + clear_page(svm->vmcb); + svm->vmcb_pa = page_to_pfn(page) << PAGE_SHIFT; + svm->asid_generation = 0; +- init_vmcb(svm, false); ++ init_vmcb(svm); + + svm_init_osvw(&svm->vcpu); + +@@ -1795,6 +1795,12 @@ static int ud_interception(struct vcpu_svm *svm) + return 1; + } + ++static int ac_interception(struct vcpu_svm *svm) ++{ ++ kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0); ++ return 1; ++} ++ + static void svm_fpu_activate(struct kvm_vcpu *vcpu) + { + struct vcpu_svm *svm = to_svm(vcpu); +@@ -1889,7 +1895,7 @@ static int shutdown_interception(struct vcpu_svm *svm) + * so reinitialize it. + */ + clear_page(svm->vmcb); +- init_vmcb(svm, false); ++ init_vmcb(svm); + + kvm_run->exit_reason = KVM_EXIT_SHUTDOWN; + return 0; +@@ -3369,6 +3375,7 @@ static int (*const svm_exit_handlers[])(struct vcpu_svm *svm) = { + [SVM_EXIT_EXCP_BASE + PF_VECTOR] = pf_interception, + [SVM_EXIT_EXCP_BASE + NM_VECTOR] = nm_interception, + [SVM_EXIT_EXCP_BASE + MC_VECTOR] = mc_interception, ++ [SVM_EXIT_EXCP_BASE + AC_VECTOR] = ac_interception, + [SVM_EXIT_INTR] = intr_interception, + [SVM_EXIT_NMI] = nmi_interception, + [SVM_EXIT_SMI] = nop_on_interception, +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index aa9e822..e77d75b 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -1567,7 +1567,7 @@ static void update_exception_bitmap(struct kvm_vcpu *vcpu) + u32 eb; + + eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) | +- (1u << NM_VECTOR) | (1u << DB_VECTOR); ++ (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR); + if ((vcpu->guest_debug & + (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) == + (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) +@@ -4780,8 +4780,7 @@ static void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event) + vmx_set_cr0(vcpu, cr0); /* enter rmode */ + vmx->vcpu.arch.cr0 = cr0; + vmx_set_cr4(vcpu, 0); +- if (!init_event) +- vmx_set_efer(vcpu, 0); ++ vmx_set_efer(vcpu, 0); + vmx_fpu_activate(vcpu); + update_exception_bitmap(vcpu); + +@@ -5118,6 +5117,9 @@ static int handle_exception(struct kvm_vcpu *vcpu) + return handle_rmode_exception(vcpu, ex_no, error_code); + + switch (ex_no) { ++ case AC_VECTOR: ++ kvm_queue_exception_e(vcpu, AC_VECTOR, error_code); ++ return 1; + case DB_VECTOR: + dr6 = vmcs_readl(EXIT_QUALIFICATION); + if (!(vcpu->guest_debug & +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 373328b..2781e2b 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -621,7 +621,9 @@ int kvm_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0) + if ((cr0 ^ old_cr0) & update_bits) + kvm_mmu_reset_context(vcpu); + +- if ((cr0 ^ old_cr0) & X86_CR0_CD) ++ if (((cr0 ^ old_cr0) & X86_CR0_CD) && ++ kvm_arch_has_noncoherent_dma(vcpu->kvm) && ++ !kvm_check_has_quirk(vcpu->kvm, KVM_X86_QUIRK_CD_NW_CLEARED)) + kvm_zap_gfn_range(vcpu->kvm, 0, ~0ULL); + + return 0; +@@ -4260,6 +4262,15 @@ static int kvm_read_guest_virt_system(struct x86_emulate_ctxt *ctxt, + return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, 0, exception); + } + ++static int kvm_read_guest_phys_system(struct x86_emulate_ctxt *ctxt, ++ unsigned long addr, void *val, unsigned int bytes) ++{ ++ struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); ++ int r = kvm_vcpu_read_guest(vcpu, addr, val, bytes); ++ ++ return r < 0 ? X86EMUL_IO_NEEDED : X86EMUL_CONTINUE; ++} ++ + int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt, + gva_t addr, void *val, + unsigned int bytes, +@@ -4995,6 +5006,7 @@ static const struct x86_emulate_ops emulate_ops = { + .write_gpr = emulator_write_gpr, + .read_std = kvm_read_guest_virt_system, + .write_std = kvm_write_guest_virt_system, ++ .read_phys = kvm_read_guest_phys_system, + .fetch = kvm_fetch_guest_virt, + .read_emulated = emulator_read_emulated, + .write_emulated = emulator_write_emulated, +diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c +index db1b0bc..c28f618 100644 +--- a/arch/x86/mm/mpx.c ++++ b/arch/x86/mm/mpx.c +@@ -622,6 +622,29 @@ static unsigned long mpx_bd_entry_to_bt_addr(struct mm_struct *mm, + } + + /* ++ * We only want to do a 4-byte get_user() on 32-bit. Otherwise, ++ * we might run off the end of the bounds table if we are on ++ * a 64-bit kernel and try to get 8 bytes. ++ */ ++int get_user_bd_entry(struct mm_struct *mm, unsigned long *bd_entry_ret, ++ long __user *bd_entry_ptr) ++{ ++ u32 bd_entry_32; ++ int ret; ++ ++ if (is_64bit_mm(mm)) ++ return get_user(*bd_entry_ret, bd_entry_ptr); ++ ++ /* ++ * Note that get_user() uses the type of the *pointer* to ++ * establish the size of the get, not the destination. ++ */ ++ ret = get_user(bd_entry_32, (u32 __user *)bd_entry_ptr); ++ *bd_entry_ret = bd_entry_32; ++ return ret; ++} ++ ++/* + * Get the base of bounds tables pointed by specific bounds + * directory entry. + */ +@@ -641,7 +664,7 @@ static int get_bt_addr(struct mm_struct *mm, + int need_write = 0; + + pagefault_disable(); +- ret = get_user(bd_entry, bd_entry_ptr); ++ ret = get_user_bd_entry(mm, &bd_entry, bd_entry_ptr); + pagefault_enable(); + if (!ret) + break; +@@ -736,11 +759,23 @@ static unsigned long mpx_get_bt_entry_offset_bytes(struct mm_struct *mm, + */ + static inline unsigned long bd_entry_virt_space(struct mm_struct *mm) + { +- unsigned long long virt_space = (1ULL << boot_cpu_data.x86_virt_bits); +- if (is_64bit_mm(mm)) +- return virt_space / MPX_BD_NR_ENTRIES_64; +- else +- return virt_space / MPX_BD_NR_ENTRIES_32; ++ unsigned long long virt_space; ++ unsigned long long GB = (1ULL << 30); ++ ++ /* ++ * This covers 32-bit emulation as well as 32-bit kernels ++ * running on 64-bit harware. ++ */ ++ if (!is_64bit_mm(mm)) ++ return (4ULL * GB) / MPX_BD_NR_ENTRIES_32; ++ ++ /* ++ * 'x86_virt_bits' returns what the hardware is capable ++ * of, and returns the full >32-bit adddress space when ++ * running 32-bit kernels on 64-bit hardware. ++ */ ++ virt_space = (1ULL << boot_cpu_data.x86_virt_bits); ++ return virt_space / MPX_BD_NR_ENTRIES_64; + } + + /* +diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c +index e527a3e..fa893c3 100644 +--- a/drivers/bluetooth/ath3k.c ++++ b/drivers/bluetooth/ath3k.c +@@ -93,6 +93,7 @@ static const struct usb_device_id ath3k_table[] = { + { USB_DEVICE(0x04CA, 0x300f) }, + { USB_DEVICE(0x04CA, 0x3010) }, + { USB_DEVICE(0x0930, 0x0219) }, ++ { USB_DEVICE(0x0930, 0x021c) }, + { USB_DEVICE(0x0930, 0x0220) }, + { USB_DEVICE(0x0930, 0x0227) }, + { USB_DEVICE(0x0b05, 0x17d0) }, +@@ -104,6 +105,7 @@ static const struct usb_device_id ath3k_table[] = { + { USB_DEVICE(0x0CF3, 0x311F) }, + { USB_DEVICE(0x0cf3, 0x3121) }, + { USB_DEVICE(0x0CF3, 0x817a) }, ++ { USB_DEVICE(0x0CF3, 0x817b) }, + { USB_DEVICE(0x0cf3, 0xe003) }, + { USB_DEVICE(0x0CF3, 0xE004) }, + { USB_DEVICE(0x0CF3, 0xE005) }, +@@ -153,6 +155,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = { + { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, +@@ -164,6 +167,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = { + { USB_DEVICE(0x0cf3, 0x311F), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0CF3, 0x817a), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x0CF3, 0x817b), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe006), .driver_info = BTUSB_ATH3012 }, +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index b4cf8d9..7d9b09f 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -192,6 +192,7 @@ static const struct usb_device_id blacklist_table[] = { + { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, +@@ -203,6 +204,7 @@ static const struct usb_device_id blacklist_table[] = { + { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x0cf3, 0x817b), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 }, +diff --git a/drivers/clk/bcm/clk-iproc-pll.c b/drivers/clk/bcm/clk-iproc-pll.c +index 2dda4e8..d679ab8 100644 +--- a/drivers/clk/bcm/clk-iproc-pll.c ++++ b/drivers/clk/bcm/clk-iproc-pll.c +@@ -345,8 +345,8 @@ static unsigned long iproc_pll_recalc_rate(struct clk_hw *hw, + struct iproc_pll *pll = clk->pll; + const struct iproc_pll_ctrl *ctrl = pll->ctrl; + u32 val; +- u64 ndiv; +- unsigned int ndiv_int, ndiv_frac, pdiv; ++ u64 ndiv, ndiv_int, ndiv_frac; ++ unsigned int pdiv; + + if (parent_rate == 0) + return 0; +@@ -366,22 +366,19 @@ static unsigned long iproc_pll_recalc_rate(struct clk_hw *hw, + val = readl(pll->pll_base + ctrl->ndiv_int.offset); + ndiv_int = (val >> ctrl->ndiv_int.shift) & + bit_mask(ctrl->ndiv_int.width); +- ndiv = (u64)ndiv_int << ctrl->ndiv_int.shift; ++ ndiv = ndiv_int << 20; + + if (ctrl->flags & IPROC_CLK_PLL_HAS_NDIV_FRAC) { + val = readl(pll->pll_base + ctrl->ndiv_frac.offset); + ndiv_frac = (val >> ctrl->ndiv_frac.shift) & + bit_mask(ctrl->ndiv_frac.width); +- +- if (ndiv_frac != 0) +- ndiv = ((u64)ndiv_int << ctrl->ndiv_int.shift) | +- ndiv_frac; ++ ndiv += ndiv_frac; + } + + val = readl(pll->pll_base + ctrl->pdiv.offset); + pdiv = (val >> ctrl->pdiv.shift) & bit_mask(ctrl->pdiv.width); + +- clk->rate = (ndiv * parent_rate) >> ctrl->ndiv_int.shift; ++ clk->rate = (ndiv * parent_rate) >> 20; + + if (pdiv == 0) + clk->rate *= 2; +diff --git a/drivers/clk/versatile/clk-icst.c b/drivers/clk/versatile/clk-icst.c +index bc96f10..9064636 100644 +--- a/drivers/clk/versatile/clk-icst.c ++++ b/drivers/clk/versatile/clk-icst.c +@@ -156,8 +156,10 @@ struct clk *icst_clk_register(struct device *dev, + icst->lockreg = base + desc->lock_offset; + + clk = clk_register(dev, &icst->hw); +- if (IS_ERR(clk)) ++ if (IS_ERR(clk)) { ++ kfree(pclone); + kfree(icst); ++ } + + return clk; + } +diff --git a/drivers/mfd/twl6040.c b/drivers/mfd/twl6040.c +index c5265c1..6aacd20 100644 +--- a/drivers/mfd/twl6040.c ++++ b/drivers/mfd/twl6040.c +@@ -647,6 +647,8 @@ static int twl6040_probe(struct i2c_client *client, + + twl6040->clk32k = devm_clk_get(&client->dev, "clk32k"); + if (IS_ERR(twl6040->clk32k)) { ++ if (PTR_ERR(twl6040->clk32k) == -EPROBE_DEFER) ++ return -EPROBE_DEFER; + dev_info(&client->dev, "clk32k is not handled\n"); + twl6040->clk32k = NULL; + } +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index a98dd4f..cbbb1c9 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1751,6 +1751,7 @@ err_undo_flags: + slave_dev->dev_addr)) + eth_hw_addr_random(bond_dev); + if (bond_dev->type != ARPHRD_ETHER) { ++ dev_close(bond_dev); + ether_setup(bond_dev); + bond_dev->flags |= IFF_MASTER; + bond_dev->priv_flags &= ~IFF_TX_SKB_SHARING; +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index aede704..141c2a4 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -915,7 +915,7 @@ static int can_fill_info(struct sk_buff *skb, const struct net_device *dev) + nla_put(skb, IFLA_CAN_BITTIMING_CONST, + sizeof(*priv->bittiming_const), priv->bittiming_const)) || + +- nla_put(skb, IFLA_CAN_CLOCK, sizeof(cm), &priv->clock) || ++ nla_put(skb, IFLA_CAN_CLOCK, sizeof(priv->clock), &priv->clock) || + nla_put_u32(skb, IFLA_CAN_STATE, state) || + nla_put(skb, IFLA_CAN_CTRLMODE, sizeof(cm), &cm) || + nla_put_u32(skb, IFLA_CAN_RESTART_MS, priv->restart_ms) || +diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c +index 7b92e91..f10834b 100644 +--- a/drivers/net/can/sja1000/sja1000.c ++++ b/drivers/net/can/sja1000/sja1000.c +@@ -218,6 +218,9 @@ static void sja1000_start(struct net_device *dev) + priv->write_reg(priv, SJA1000_RXERR, 0x0); + priv->read_reg(priv, SJA1000_ECC); + ++ /* clear interrupt flags */ ++ priv->read_reg(priv, SJA1000_IR); ++ + /* leave reset mode */ + set_normal_mode(dev); + } +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +index a4473d8..f672dba 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +@@ -1595,7 +1595,7 @@ static void xgbe_dev_xmit(struct xgbe_channel *channel) + packet->rdesc_count, 1); + + /* Make sure ownership is written to the descriptor */ +- dma_wmb(); ++ smp_wmb(); + + ring->cur = cur_index + 1; + if (!packet->skb->xmit_more || +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +index aae9d5e..dde0486 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -1807,6 +1807,7 @@ static int xgbe_tx_poll(struct xgbe_channel *channel) + struct netdev_queue *txq; + int processed = 0; + unsigned int tx_packets = 0, tx_bytes = 0; ++ unsigned int cur; + + DBGPR("-->xgbe_tx_poll\n"); + +@@ -1814,10 +1815,15 @@ static int xgbe_tx_poll(struct xgbe_channel *channel) + if (!ring) + return 0; + ++ cur = ring->cur; ++ ++ /* Be sure we get ring->cur before accessing descriptor data */ ++ smp_rmb(); ++ + txq = netdev_get_tx_queue(netdev, channel->queue_index); + + while ((processed < XGBE_TX_DESC_MAX_PROC) && +- (ring->dirty != ring->cur)) { ++ (ring->dirty != cur)) { + rdata = XGBE_GET_DESC_DATA(ring, ring->dirty); + rdesc = rdata->rdesc; + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index de63266d..5d1dde3 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -1775,7 +1775,7 @@ static int fec_enet_mdio_read(struct mii_bus *bus, int mii_id, int regnum) + int ret = 0; + + ret = pm_runtime_get_sync(dev); +- if (IS_ERR_VALUE(ret)) ++ if (ret < 0) + return ret; + + fep->mii_timeout = 0; +@@ -1811,11 +1811,13 @@ static int fec_enet_mdio_write(struct mii_bus *bus, int mii_id, int regnum, + struct fec_enet_private *fep = bus->priv; + struct device *dev = &fep->pdev->dev; + unsigned long time_left; +- int ret = 0; ++ int ret; + + ret = pm_runtime_get_sync(dev); +- if (IS_ERR_VALUE(ret)) ++ if (ret < 0) + return ret; ++ else ++ ret = 0; + + fep->mii_timeout = 0; + reinit_completion(&fep->mdio_done); +@@ -2866,7 +2868,7 @@ fec_enet_open(struct net_device *ndev) + int ret; + + ret = pm_runtime_get_sync(&fep->pdev->dev); +- if (IS_ERR_VALUE(ret)) ++ if (ret < 0) + return ret; + + pinctrl_pm_select_default_state(&fep->pdev->dev); +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index 09ec32e..7e788073 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -949,7 +949,7 @@ static void mvneta_defaults_set(struct mvneta_port *pp) + /* Set CPU queue access map - all CPUs have access to all RX + * queues and to all TX queues + */ +- for (cpu = 0; cpu < CONFIG_NR_CPUS; cpu++) ++ for_each_present_cpu(cpu) + mvreg_write(pp, MVNETA_CPU_MAP(cpu), + (MVNETA_CPU_RXQ_ACCESS_ALL_MASK | + MVNETA_CPU_TXQ_ACCESS_ALL_MASK)); +@@ -1533,12 +1533,16 @@ static int mvneta_rx(struct mvneta_port *pp, int rx_todo, + } + + skb = build_skb(data, pp->frag_size > PAGE_SIZE ? 0 : pp->frag_size); +- if (!skb) +- goto err_drop_frame; + ++ /* After refill old buffer has to be unmapped regardless ++ * the skb is successfully built or not. ++ */ + dma_unmap_single(dev->dev.parent, phys_addr, + MVNETA_RX_BUF_SIZE(pp->pkt_size), DMA_FROM_DEVICE); + ++ if (!skb) ++ goto err_drop_frame; ++ + rcvd_pkts++; + rcvd_bytes += rx_bytes; + +diff --git a/drivers/net/ethernet/mellanox/mlx4/cmd.c b/drivers/net/ethernet/mellanox/mlx4/cmd.c +index 0a32020..2177e56 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c +@@ -2398,7 +2398,7 @@ int mlx4_multi_func_init(struct mlx4_dev *dev) + } + } + +- memset(&priv->mfunc.master.cmd_eqe, 0, dev->caps.eqe_size); ++ memset(&priv->mfunc.master.cmd_eqe, 0, sizeof(struct mlx4_eqe)); + priv->mfunc.master.cmd_eqe.type = MLX4_EVENT_TYPE_CMD; + INIT_WORK(&priv->mfunc.master.comm_work, + mlx4_master_comm_channel); +diff --git a/drivers/net/ethernet/mellanox/mlx4/eq.c b/drivers/net/ethernet/mellanox/mlx4/eq.c +index 8e81e53..ad8f95d 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/eq.c ++++ b/drivers/net/ethernet/mellanox/mlx4/eq.c +@@ -196,7 +196,7 @@ static void slave_event(struct mlx4_dev *dev, u8 slave, struct mlx4_eqe *eqe) + return; + } + +- memcpy(s_eqe, eqe, dev->caps.eqe_size - 1); ++ memcpy(s_eqe, eqe, sizeof(struct mlx4_eqe) - 1); + s_eqe->slave_id = slave; + /* ensure all information is written before setting the ownersip bit */ + dma_wmb(); +diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c +index b1a4ea2..4dd18f4 100644 +--- a/drivers/net/ethernet/sfc/ef10.c ++++ b/drivers/net/ethernet/sfc/ef10.c +@@ -1809,7 +1809,9 @@ static void efx_ef10_tx_write(struct efx_tx_queue *tx_queue) + unsigned int write_ptr; + efx_qword_t *txd; + +- BUG_ON(tx_queue->write_count == tx_queue->insert_count); ++ tx_queue->xmit_more_available = false; ++ if (unlikely(tx_queue->write_count == tx_queue->insert_count)) ++ return; + + do { + write_ptr = tx_queue->write_count & tx_queue->ptr_mask; +diff --git a/drivers/net/ethernet/sfc/farch.c b/drivers/net/ethernet/sfc/farch.c +index f08266f..5a1c5a8 100644 +--- a/drivers/net/ethernet/sfc/farch.c ++++ b/drivers/net/ethernet/sfc/farch.c +@@ -321,7 +321,9 @@ void efx_farch_tx_write(struct efx_tx_queue *tx_queue) + unsigned write_ptr; + unsigned old_write_count = tx_queue->write_count; + +- BUG_ON(tx_queue->write_count == tx_queue->insert_count); ++ tx_queue->xmit_more_available = false; ++ if (unlikely(tx_queue->write_count == tx_queue->insert_count)) ++ return; + + do { + write_ptr = tx_queue->write_count & tx_queue->ptr_mask; +diff --git a/drivers/net/ethernet/sfc/net_driver.h b/drivers/net/ethernet/sfc/net_driver.h +index 47d1e3a..b8e8ce1 100644 +--- a/drivers/net/ethernet/sfc/net_driver.h ++++ b/drivers/net/ethernet/sfc/net_driver.h +@@ -219,6 +219,7 @@ struct efx_tx_buffer { + * @tso_packets: Number of packets via the TSO xmit path + * @pushes: Number of times the TX push feature has been used + * @pio_packets: Number of times the TX PIO feature has been used ++ * @xmit_more_available: Are any packets waiting to be pushed to the NIC + * @empty_read_count: If the completion path has seen the queue as empty + * and the transmission path has not yet checked this, the value of + * @read_count bitwise-added to %EFX_EMPTY_COUNT_VALID; otherwise 0. +@@ -253,6 +254,7 @@ struct efx_tx_queue { + unsigned int tso_packets; + unsigned int pushes; + unsigned int pio_packets; ++ bool xmit_more_available; + /* Statistics to supplement MAC stats */ + unsigned long tx_packets; + +diff --git a/drivers/net/ethernet/sfc/tx.c b/drivers/net/ethernet/sfc/tx.c +index 1833a01..67f6afa 100644 +--- a/drivers/net/ethernet/sfc/tx.c ++++ b/drivers/net/ethernet/sfc/tx.c +@@ -431,8 +431,20 @@ finish_packet: + efx_tx_maybe_stop_queue(tx_queue); + + /* Pass off to hardware */ +- if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq)) ++ if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq)) { ++ struct efx_tx_queue *txq2 = efx_tx_queue_partner(tx_queue); ++ ++ /* There could be packets left on the partner queue if those ++ * SKBs had skb->xmit_more set. If we do not push those they ++ * could be left for a long time and cause a netdev watchdog. ++ */ ++ if (txq2->xmit_more_available) ++ efx_nic_push_buffers(txq2); ++ + efx_nic_push_buffers(tx_queue); ++ } else { ++ tx_queue->xmit_more_available = skb->xmit_more; ++ } + + tx_queue->tx_packets++; + +@@ -722,6 +734,7 @@ void efx_init_tx_queue(struct efx_tx_queue *tx_queue) + tx_queue->read_count = 0; + tx_queue->old_read_count = 0; + tx_queue->empty_read_count = 0 | EFX_EMPTY_COUNT_VALID; ++ tx_queue->xmit_more_available = false; + + /* Set up TX descriptor ring */ + efx_nic_init_tx(tx_queue); +@@ -747,6 +760,7 @@ void efx_fini_tx_queue(struct efx_tx_queue *tx_queue) + + ++tx_queue->read_count; + } ++ tx_queue->xmit_more_available = false; + netdev_tx_reset_queue(tx_queue->core_txq); + } + +@@ -1302,8 +1316,20 @@ static int efx_enqueue_skb_tso(struct efx_tx_queue *tx_queue, + efx_tx_maybe_stop_queue(tx_queue); + + /* Pass off to hardware */ +- if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq)) ++ if (!skb->xmit_more || netif_xmit_stopped(tx_queue->core_txq)) { ++ struct efx_tx_queue *txq2 = efx_tx_queue_partner(tx_queue); ++ ++ /* There could be packets left on the partner queue if those ++ * SKBs had skb->xmit_more set. If we do not push those they ++ * could be left for a long time and cause a netdev watchdog. ++ */ ++ if (txq2->xmit_more_available) ++ efx_nic_push_buffers(txq2); ++ + efx_nic_push_buffers(tx_queue); ++ } else { ++ tx_queue->xmit_more_available = skb->xmit_more; ++ } + + tx_queue->tso_bursts++; + return NETDEV_TX_OK; +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c +index 771cda2..2e51b81 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c +@@ -721,10 +721,13 @@ static int stmmac_get_ts_info(struct net_device *dev, + { + struct stmmac_priv *priv = netdev_priv(dev); + +- if ((priv->hwts_tx_en) && (priv->hwts_rx_en)) { ++ if ((priv->dma_cap.time_stamp || priv->dma_cap.atime_stamp)) { + +- info->so_timestamping = SOF_TIMESTAMPING_TX_HARDWARE | ++ info->so_timestamping = SOF_TIMESTAMPING_TX_SOFTWARE | ++ SOF_TIMESTAMPING_TX_HARDWARE | ++ SOF_TIMESTAMPING_RX_SOFTWARE | + SOF_TIMESTAMPING_RX_HARDWARE | ++ SOF_TIMESTAMPING_SOFTWARE | + SOF_TIMESTAMPING_RAW_HARDWARE; + + if (priv->ptp_clock) +diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c +index 248478c..197c939 100644 +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -137,7 +137,7 @@ static const struct proto_ops macvtap_socket_ops; + #define TUN_OFFLOADS (NETIF_F_HW_CSUM | NETIF_F_TSO_ECN | NETIF_F_TSO | \ + NETIF_F_TSO6 | NETIF_F_UFO) + #define RX_OFFLOADS (NETIF_F_GRO | NETIF_F_LRO) +-#define TAP_FEATURES (NETIF_F_GSO | NETIF_F_SG) ++#define TAP_FEATURES (NETIF_F_GSO | NETIF_F_SG | NETIF_F_FRAGLIST) + + static struct macvlan_dev *macvtap_get_vlan_rcu(const struct net_device *dev) + { +diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c +index 2ed7506..5e0b432 100644 +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -589,7 +589,7 @@ static int pppoe_release(struct socket *sock) + + po = pppox_sk(sk); + +- if (sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND | PPPOX_ZOMBIE)) { ++ if (po->pppoe_dev) { + dev_put(po->pppoe_dev); + po->pppoe_dev = NULL; + } +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 64a60af..8f1738c 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -765,6 +765,10 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x1199, 0x9056, 8)}, /* Sierra Wireless Modem */ + {QMI_FIXED_INTF(0x1199, 0x9057, 8)}, + {QMI_FIXED_INTF(0x1199, 0x9061, 8)}, /* Sierra Wireless Modem */ ++ {QMI_FIXED_INTF(0x1199, 0x9070, 8)}, /* Sierra Wireless MC74xx/EM74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x9070, 10)}, /* Sierra Wireless MC74xx/EM74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x9071, 8)}, /* Sierra Wireless MC74xx/EM74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x9071, 10)}, /* Sierra Wireless MC74xx/EM74xx */ + {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */ + {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */ + {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */ +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index 0d3c474..a5ea8a9 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -2070,7 +2070,8 @@ static void ath10k_peer_assoc_h_ht(struct ath10k *ar, + enum ieee80211_band band; + const u8 *ht_mcs_mask; + const u16 *vht_mcs_mask; +- int i, n, max_nss; ++ int i, n; ++ u8 max_nss; + u32 stbc; + + lockdep_assert_held(&ar->conf_mutex); +@@ -2155,7 +2156,7 @@ static void ath10k_peer_assoc_h_ht(struct ath10k *ar, + arg->peer_ht_rates.rates[i] = i; + } else { + arg->peer_ht_rates.num_rates = n; +- arg->peer_num_spatial_streams = max_nss; ++ arg->peer_num_spatial_streams = min(sta->rx_nss, max_nss); + } + + ath10k_dbg(ar, ATH10K_DBG_MAC, "mac ht peer %pM mcs cnt %d nss %d\n", +@@ -4021,7 +4022,7 @@ static int ath10k_config(struct ieee80211_hw *hw, u32 changed) + + static u32 get_nss_from_chainmask(u16 chain_mask) + { +- if ((chain_mask & 0x15) == 0x15) ++ if ((chain_mask & 0xf) == 0xf) + return 4; + else if ((chain_mask & 0x7) == 0x7) + return 3; +diff --git a/drivers/net/wireless/iwlwifi/pcie/drv.c b/drivers/net/wireless/iwlwifi/pcie/drv.c +index 865d578d..fd6aef7 100644 +--- a/drivers/net/wireless/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/iwlwifi/pcie/drv.c +@@ -423,14 +423,21 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + /* 8000 Series */ + {IWL_PCI_DEVICE(0x24F3, 0x0010, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x1010, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0132, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1132, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0110, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x01F0, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0012, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1012, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x1110, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0250, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x1050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0150, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1150, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x0030, iwl8260_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x24F4, 0x1130, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x1030, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0xC010, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0xC110, iwl8260_2ac_cfg)}, +@@ -438,18 +445,28 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x24F3, 0xC050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0xD050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x8010, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8110, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x9010, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9110, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x8030, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x9030, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8132, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9132, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x8050, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8150, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x9050, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9150, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0004, iwl8260_2n_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0044, iwl8260_2n_cfg)}, + {IWL_PCI_DEVICE(0x24F5, 0x0010, iwl4165_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F6, 0x0030, iwl4165_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0810, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0910, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0850, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0950, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0930, iwl8260_2ac_cfg)}, + #endif /* CONFIG_IWLMVM */ + + {0} +diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c +index 9e144e7..dab9b91 100644 +--- a/drivers/net/wireless/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/iwlwifi/pcie/trans.c +@@ -592,10 +592,8 @@ static int iwl_pcie_prepare_card_hw(struct iwl_trans *trans) + + do { + ret = iwl_pcie_set_hw_ready(trans); +- if (ret >= 0) { +- ret = 0; +- goto out; +- } ++ if (ret >= 0) ++ return 0; + + usleep_range(200, 1000); + t += 200; +@@ -605,10 +603,6 @@ static int iwl_pcie_prepare_card_hw(struct iwl_trans *trans) + + IWL_ERR(trans, "Couldn't prepare the card\n"); + +-out: +- iwl_clear_bit(trans, CSR_DBG_LINK_PWR_MGMT_REG, +- CSR_RESET_LINK_PWR_MGMT_DISABLED); +- + return ret; + } + +diff --git a/drivers/net/wireless/mwifiex/debugfs.c b/drivers/net/wireless/mwifiex/debugfs.c +index 5a0636d4..5583856 100644 +--- a/drivers/net/wireless/mwifiex/debugfs.c ++++ b/drivers/net/wireless/mwifiex/debugfs.c +@@ -731,7 +731,7 @@ mwifiex_rdeeprom_read(struct file *file, char __user *ubuf, + (struct mwifiex_private *) file->private_data; + unsigned long addr = get_zeroed_page(GFP_KERNEL); + char *buf = (char *) addr; +- int pos = 0, ret = 0, i; ++ int pos, ret, i; + u8 value[MAX_EEPROM_DATA]; + + if (!buf) +@@ -739,7 +739,7 @@ mwifiex_rdeeprom_read(struct file *file, char __user *ubuf, + + if (saved_offset == -1) { + /* No command has been given */ +- pos += snprintf(buf, PAGE_SIZE, "0"); ++ pos = snprintf(buf, PAGE_SIZE, "0"); + goto done; + } + +@@ -748,17 +748,17 @@ mwifiex_rdeeprom_read(struct file *file, char __user *ubuf, + (u16) saved_bytes, value); + if (ret) { + ret = -EINVAL; +- goto done; ++ goto out_free; + } + +- pos += snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes); ++ pos = snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes); + + for (i = 0; i < saved_bytes; i++) +- pos += snprintf(buf + strlen(buf), PAGE_SIZE, "%d ", value[i]); +- +- ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos); ++ pos += scnprintf(buf + pos, PAGE_SIZE - pos, "%d ", value[i]); + + done: ++ ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos); ++out_free: + free_page(addr); + return ret; + } +diff --git a/drivers/staging/lustre/include/linux/lnet/lib-lnet.h b/drivers/staging/lustre/include/linux/lnet/lib-lnet.h +index a9c9a07..bc3d907 100644 +--- a/drivers/staging/lustre/include/linux/lnet/lib-lnet.h ++++ b/drivers/staging/lustre/include/linux/lnet/lib-lnet.h +@@ -680,7 +680,7 @@ void lnet_debug_peer(lnet_nid_t nid); + static inline void + lnet_peer_set_alive(lnet_peer_t *lp) + { +- lp->lp_last_alive = lp->lp_last_query = get_seconds(); ++ lp->lp_last_alive = lp->lp_last_query = jiffies; + if (!lp->lp_alive) + lnet_notify_locked(lp, 0, 1, lp->lp_last_alive); + } +diff --git a/drivers/staging/rtl8712/usb_intf.c b/drivers/staging/rtl8712/usb_intf.c +index f8b5b33..943a0e2 100644 +--- a/drivers/staging/rtl8712/usb_intf.c ++++ b/drivers/staging/rtl8712/usb_intf.c +@@ -144,6 +144,7 @@ static struct usb_device_id rtl871x_usb_id_tbl[] = { + {USB_DEVICE(0x0DF6, 0x0058)}, + {USB_DEVICE(0x0DF6, 0x0049)}, + {USB_DEVICE(0x0DF6, 0x004C)}, ++ {USB_DEVICE(0x0DF6, 0x006C)}, + {USB_DEVICE(0x0DF6, 0x0064)}, + /* Skyworth */ + {USB_DEVICE(0x14b2, 0x3300)}, +diff --git a/drivers/tty/mips_ejtag_fdc.c b/drivers/tty/mips_ejtag_fdc.c +index 358323c..43a2ba0 100644 +--- a/drivers/tty/mips_ejtag_fdc.c ++++ b/drivers/tty/mips_ejtag_fdc.c +@@ -1045,38 +1045,6 @@ err_destroy_ports: + return ret; + } + +-static int mips_ejtag_fdc_tty_remove(struct mips_cdmm_device *dev) +-{ +- struct mips_ejtag_fdc_tty *priv = mips_cdmm_get_drvdata(dev); +- struct mips_ejtag_fdc_tty_port *dport; +- int nport; +- unsigned int cfg; +- +- if (priv->irq >= 0) { +- raw_spin_lock_irq(&priv->lock); +- cfg = mips_ejtag_fdc_read(priv, REG_FDCFG); +- /* Disable interrupts */ +- cfg &= ~(REG_FDCFG_TXINTTHRES | REG_FDCFG_RXINTTHRES); +- cfg |= REG_FDCFG_TXINTTHRES_DISABLED; +- cfg |= REG_FDCFG_RXINTTHRES_DISABLED; +- mips_ejtag_fdc_write(priv, REG_FDCFG, cfg); +- raw_spin_unlock_irq(&priv->lock); +- } else { +- priv->removing = true; +- del_timer_sync(&priv->poll_timer); +- } +- kthread_stop(priv->thread); +- if (dev->cpu == 0) +- mips_ejtag_fdc_con.tty_drv = NULL; +- tty_unregister_driver(priv->driver); +- for (nport = 0; nport < NUM_TTY_CHANNELS; nport++) { +- dport = &priv->ports[nport]; +- tty_port_destroy(&dport->port); +- } +- put_tty_driver(priv->driver); +- return 0; +-} +- + static int mips_ejtag_fdc_tty_cpu_down(struct mips_cdmm_device *dev) + { + struct mips_ejtag_fdc_tty *priv = mips_cdmm_get_drvdata(dev); +@@ -1149,12 +1117,11 @@ static struct mips_cdmm_driver mips_ejtag_fdc_tty_driver = { + .name = "mips_ejtag_fdc", + }, + .probe = mips_ejtag_fdc_tty_probe, +- .remove = mips_ejtag_fdc_tty_remove, + .cpu_down = mips_ejtag_fdc_tty_cpu_down, + .cpu_up = mips_ejtag_fdc_tty_cpu_up, + .id_table = mips_ejtag_fdc_tty_ids, + }; +-module_mips_cdmm_driver(mips_ejtag_fdc_tty_driver); ++builtin_mips_cdmm_driver(mips_ejtag_fdc_tty_driver); + + static int __init mips_ejtag_fdc_init_console(void) + { +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c +index afc1879..dedac8a 100644 +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -169,7 +169,7 @@ static inline int tty_copy_to_user(struct tty_struct *tty, + { + struct n_tty_data *ldata = tty->disc_data; + +- tty_audit_add_data(tty, to, n, ldata->icanon); ++ tty_audit_add_data(tty, from, n, ldata->icanon); + return copy_to_user(to, from, n); + } + +diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c +index 90ca082..3d245cd 100644 +--- a/drivers/tty/tty_audit.c ++++ b/drivers/tty/tty_audit.c +@@ -265,7 +265,7 @@ static struct tty_audit_buf *tty_audit_buf_get(struct tty_struct *tty, + * + * Audit @data of @size from @tty, if necessary. + */ +-void tty_audit_add_data(struct tty_struct *tty, unsigned char *data, ++void tty_audit_add_data(struct tty_struct *tty, const void *data, + size_t size, unsigned icanon) + { + struct tty_audit_buf *buf; +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index 774df35..1aa0286 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -1279,18 +1279,22 @@ int tty_send_xchar(struct tty_struct *tty, char ch) + int was_stopped = tty->stopped; + + if (tty->ops->send_xchar) { ++ down_read(&tty->termios_rwsem); + tty->ops->send_xchar(tty, ch); ++ up_read(&tty->termios_rwsem); + return 0; + } + + if (tty_write_lock(tty, 0) < 0) + return -ERESTARTSYS; + ++ down_read(&tty->termios_rwsem); + if (was_stopped) + start_tty(tty); + tty->ops->write(tty, &ch, 1); + if (was_stopped) + stop_tty(tty); ++ up_read(&tty->termios_rwsem); + tty_write_unlock(tty); + return 0; + } +diff --git a/drivers/tty/tty_ioctl.c b/drivers/tty/tty_ioctl.c +index 5232fb6..043e332 100644 +--- a/drivers/tty/tty_ioctl.c ++++ b/drivers/tty/tty_ioctl.c +@@ -1142,16 +1142,12 @@ int n_tty_ioctl_helper(struct tty_struct *tty, struct file *file, + spin_unlock_irq(&tty->flow_lock); + break; + case TCIOFF: +- down_read(&tty->termios_rwsem); + if (STOP_CHAR(tty) != __DISABLED_CHAR) + retval = tty_send_xchar(tty, STOP_CHAR(tty)); +- up_read(&tty->termios_rwsem); + break; + case TCION: +- down_read(&tty->termios_rwsem); + if (START_CHAR(tty) != __DISABLED_CHAR) + retval = tty_send_xchar(tty, START_CHAR(tty)); +- up_read(&tty->termios_rwsem); + break; + default: + return -EINVAL; +diff --git a/drivers/usb/chipidea/ci_hdrc_imx.c b/drivers/usb/chipidea/ci_hdrc_imx.c +index fa77432..846ceb9 100644 +--- a/drivers/usb/chipidea/ci_hdrc_imx.c ++++ b/drivers/usb/chipidea/ci_hdrc_imx.c +@@ -68,6 +68,12 @@ struct ci_hdrc_imx_data { + struct imx_usbmisc_data *usbmisc_data; + bool supports_runtime_pm; + bool in_lpm; ++ /* SoC before i.mx6 (except imx23/imx28) needs three clks */ ++ bool need_three_clks; ++ struct clk *clk_ipg; ++ struct clk *clk_ahb; ++ struct clk *clk_per; ++ /* --------------------------------- */ + }; + + /* Common functions shared by usbmisc drivers */ +@@ -119,6 +125,102 @@ static struct imx_usbmisc_data *usbmisc_get_init_data(struct device *dev) + } + + /* End of common functions shared by usbmisc drivers*/ ++static int imx_get_clks(struct device *dev) ++{ ++ struct ci_hdrc_imx_data *data = dev_get_drvdata(dev); ++ int ret = 0; ++ ++ data->clk_ipg = devm_clk_get(dev, "ipg"); ++ if (IS_ERR(data->clk_ipg)) { ++ /* If the platform only needs one clocks */ ++ data->clk = devm_clk_get(dev, NULL); ++ if (IS_ERR(data->clk)) { ++ ret = PTR_ERR(data->clk); ++ dev_err(dev, ++ "Failed to get clks, err=%ld,%ld\n", ++ PTR_ERR(data->clk), PTR_ERR(data->clk_ipg)); ++ return ret; ++ } ++ return ret; ++ } ++ ++ data->clk_ahb = devm_clk_get(dev, "ahb"); ++ if (IS_ERR(data->clk_ahb)) { ++ ret = PTR_ERR(data->clk_ahb); ++ dev_err(dev, ++ "Failed to get ahb clock, err=%d\n", ret); ++ return ret; ++ } ++ ++ data->clk_per = devm_clk_get(dev, "per"); ++ if (IS_ERR(data->clk_per)) { ++ ret = PTR_ERR(data->clk_per); ++ dev_err(dev, ++ "Failed to get per clock, err=%d\n", ret); ++ return ret; ++ } ++ ++ data->need_three_clks = true; ++ return ret; ++} ++ ++static int imx_prepare_enable_clks(struct device *dev) ++{ ++ struct ci_hdrc_imx_data *data = dev_get_drvdata(dev); ++ int ret = 0; ++ ++ if (data->need_three_clks) { ++ ret = clk_prepare_enable(data->clk_ipg); ++ if (ret) { ++ dev_err(dev, ++ "Failed to prepare/enable ipg clk, err=%d\n", ++ ret); ++ return ret; ++ } ++ ++ ret = clk_prepare_enable(data->clk_ahb); ++ if (ret) { ++ dev_err(dev, ++ "Failed to prepare/enable ahb clk, err=%d\n", ++ ret); ++ clk_disable_unprepare(data->clk_ipg); ++ return ret; ++ } ++ ++ ret = clk_prepare_enable(data->clk_per); ++ if (ret) { ++ dev_err(dev, ++ "Failed to prepare/enable per clk, err=%d\n", ++ ret); ++ clk_disable_unprepare(data->clk_ahb); ++ clk_disable_unprepare(data->clk_ipg); ++ return ret; ++ } ++ } else { ++ ret = clk_prepare_enable(data->clk); ++ if (ret) { ++ dev_err(dev, ++ "Failed to prepare/enable clk, err=%d\n", ++ ret); ++ return ret; ++ } ++ } ++ ++ return ret; ++} ++ ++static void imx_disable_unprepare_clks(struct device *dev) ++{ ++ struct ci_hdrc_imx_data *data = dev_get_drvdata(dev); ++ ++ if (data->need_three_clks) { ++ clk_disable_unprepare(data->clk_per); ++ clk_disable_unprepare(data->clk_ahb); ++ clk_disable_unprepare(data->clk_ipg); ++ } else { ++ clk_disable_unprepare(data->clk); ++ } ++} + + static int ci_hdrc_imx_probe(struct platform_device *pdev) + { +@@ -137,23 +239,18 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) + if (!data) + return -ENOMEM; + ++ platform_set_drvdata(pdev, data); + data->usbmisc_data = usbmisc_get_init_data(&pdev->dev); + if (IS_ERR(data->usbmisc_data)) + return PTR_ERR(data->usbmisc_data); + +- data->clk = devm_clk_get(&pdev->dev, NULL); +- if (IS_ERR(data->clk)) { +- dev_err(&pdev->dev, +- "Failed to get clock, err=%ld\n", PTR_ERR(data->clk)); +- return PTR_ERR(data->clk); +- } ++ ret = imx_get_clks(&pdev->dev); ++ if (ret) ++ return ret; + +- ret = clk_prepare_enable(data->clk); +- if (ret) { +- dev_err(&pdev->dev, +- "Failed to prepare or enable clock, err=%d\n", ret); ++ ret = imx_prepare_enable_clks(&pdev->dev); ++ if (ret) + return ret; +- } + + data->phy = devm_usb_get_phy_by_phandle(&pdev->dev, "fsl,usbphy", 0); + if (IS_ERR(data->phy)) { +@@ -196,8 +293,6 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) + goto disable_device; + } + +- platform_set_drvdata(pdev, data); +- + if (data->supports_runtime_pm) { + pm_runtime_set_active(&pdev->dev); + pm_runtime_enable(&pdev->dev); +@@ -210,7 +305,7 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) + disable_device: + ci_hdrc_remove_device(data->ci_pdev); + err_clk: +- clk_disable_unprepare(data->clk); ++ imx_disable_unprepare_clks(&pdev->dev); + return ret; + } + +@@ -224,7 +319,7 @@ static int ci_hdrc_imx_remove(struct platform_device *pdev) + pm_runtime_put_noidle(&pdev->dev); + } + ci_hdrc_remove_device(data->ci_pdev); +- clk_disable_unprepare(data->clk); ++ imx_disable_unprepare_clks(&pdev->dev); + + return 0; + } +@@ -236,7 +331,7 @@ static int imx_controller_suspend(struct device *dev) + + dev_dbg(dev, "at %s\n", __func__); + +- clk_disable_unprepare(data->clk); ++ imx_disable_unprepare_clks(dev); + data->in_lpm = true; + + return 0; +@@ -254,7 +349,7 @@ static int imx_controller_resume(struct device *dev) + return 0; + } + +- ret = clk_prepare_enable(data->clk); ++ ret = imx_prepare_enable_clks(dev); + if (ret) + return ret; + +@@ -269,7 +364,7 @@ static int imx_controller_resume(struct device *dev) + return 0; + + clk_disable: +- clk_disable_unprepare(data->clk); ++ imx_disable_unprepare_clks(dev); + return ret; + } + +diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c +index 6e53c24..92937c1 100644 +--- a/drivers/usb/chipidea/udc.c ++++ b/drivers/usb/chipidea/udc.c +@@ -1730,6 +1730,22 @@ static int ci_udc_start(struct usb_gadget *gadget, + return retval; + } + ++static void ci_udc_stop_for_otg_fsm(struct ci_hdrc *ci) ++{ ++ if (!ci_otg_is_fsm_mode(ci)) ++ return; ++ ++ mutex_lock(&ci->fsm.lock); ++ if (ci->fsm.otg->state == OTG_STATE_A_PERIPHERAL) { ++ ci->fsm.a_bidl_adis_tmout = 1; ++ ci_hdrc_otg_fsm_start(ci); ++ } else if (ci->fsm.otg->state == OTG_STATE_B_PERIPHERAL) { ++ ci->fsm.protocol = PROTO_UNDEF; ++ ci->fsm.otg->state = OTG_STATE_UNDEFINED; ++ } ++ mutex_unlock(&ci->fsm.lock); ++} ++ + /** + * ci_udc_stop: unregister a gadget driver + */ +@@ -1754,6 +1770,7 @@ static int ci_udc_stop(struct usb_gadget *gadget) + ci->driver = NULL; + spin_unlock_irqrestore(&ci->lock, flags); + ++ ci_udc_stop_for_otg_fsm(ci); + return 0; + } + +diff --git a/drivers/usb/class/usblp.c b/drivers/usb/class/usblp.c +index f38e875..8218ba7 100644 +--- a/drivers/usb/class/usblp.c ++++ b/drivers/usb/class/usblp.c +@@ -873,11 +873,11 @@ static int usblp_wwait(struct usblp *usblp, int nonblock) + + add_wait_queue(&usblp->wwait, &waita); + for (;;) { +- set_current_state(TASK_INTERRUPTIBLE); + if (mutex_lock_interruptible(&usblp->mut)) { + rc = -EINTR; + break; + } ++ set_current_state(TASK_INTERRUPTIBLE); + rc = usblp_wtest(usblp, nonblock); + mutex_unlock(&usblp->mut); + if (rc <= 0) +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index ff5773c..c0566ec 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -490,6 +490,9 @@ static int dwc3_phy_setup(struct dwc3 *dwc) + if (dwc->dis_u2_susphy_quirk) + reg &= ~DWC3_GUSB2PHYCFG_SUSPHY; + ++ if (dwc->dis_enblslpm_quirk) ++ reg &= ~DWC3_GUSB2PHYCFG_ENBLSLPM; ++ + dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg); + + return 0; +@@ -509,12 +512,18 @@ static int dwc3_core_init(struct dwc3 *dwc) + + reg = dwc3_readl(dwc->regs, DWC3_GSNPSID); + /* This should read as U3 followed by revision number */ +- if ((reg & DWC3_GSNPSID_MASK) != 0x55330000) { ++ if ((reg & DWC3_GSNPSID_MASK) == 0x55330000) { ++ /* Detected DWC_usb3 IP */ ++ dwc->revision = reg; ++ } else if ((reg & DWC3_GSNPSID_MASK) == 0x33310000) { ++ /* Detected DWC_usb31 IP */ ++ dwc->revision = dwc3_readl(dwc->regs, DWC3_VER_NUMBER); ++ dwc->revision |= DWC3_REVISION_IS_DWC31; ++ } else { + dev_err(dwc->dev, "this is not a DesignWare USB3 DRD Core\n"); + ret = -ENODEV; + goto err0; + } +- dwc->revision = reg; + + /* + * Write Linux Version Code to our GUID register so it's easy to figure +@@ -881,6 +890,8 @@ static int dwc3_probe(struct platform_device *pdev) + "snps,dis_u3_susphy_quirk"); + dwc->dis_u2_susphy_quirk = of_property_read_bool(node, + "snps,dis_u2_susphy_quirk"); ++ dwc->dis_enblslpm_quirk = device_property_read_bool(dev, ++ "snps,dis_enblslpm_quirk"); + + dwc->tx_de_emphasis_quirk = of_property_read_bool(node, + "snps,tx_de_emphasis_quirk"); +@@ -911,6 +922,7 @@ static int dwc3_probe(struct platform_device *pdev) + dwc->rx_detect_poll_quirk = pdata->rx_detect_poll_quirk; + dwc->dis_u3_susphy_quirk = pdata->dis_u3_susphy_quirk; + dwc->dis_u2_susphy_quirk = pdata->dis_u2_susphy_quirk; ++ dwc->dis_enblslpm_quirk = pdata->dis_enblslpm_quirk; + + dwc->tx_de_emphasis_quirk = pdata->tx_de_emphasis_quirk; + if (pdata->tx_de_emphasis) +diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h +index 0447788..6e53ce9 100644 +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -108,6 +108,9 @@ + #define DWC3_GPRTBIMAP_FS0 0xc188 + #define DWC3_GPRTBIMAP_FS1 0xc18c + ++#define DWC3_VER_NUMBER 0xc1a0 ++#define DWC3_VER_TYPE 0xc1a4 ++ + #define DWC3_GUSB2PHYCFG(n) (0xc200 + (n * 0x04)) + #define DWC3_GUSB2I2CCTL(n) (0xc240 + (n * 0x04)) + +@@ -175,6 +178,7 @@ + #define DWC3_GUSB2PHYCFG_PHYSOFTRST (1 << 31) + #define DWC3_GUSB2PHYCFG_SUSPHY (1 << 6) + #define DWC3_GUSB2PHYCFG_ULPI_UTMI (1 << 4) ++#define DWC3_GUSB2PHYCFG_ENBLSLPM (1 << 8) + + /* Global USB2 PHY Vendor Control Register */ + #define DWC3_GUSB2PHYACC_NEWREGREQ (1 << 25) +@@ -712,6 +716,8 @@ struct dwc3_scratchpad_array { + * @rx_detect_poll_quirk: set if we enable rx_detect to polling lfps quirk + * @dis_u3_susphy_quirk: set if we disable usb3 suspend phy + * @dis_u2_susphy_quirk: set if we disable usb2 suspend phy ++ * @dis_enblslpm_quirk: set if we clear enblslpm in GUSB2PHYCFG, ++ * disabling the suspend signal to the PHY. + * @tx_de_emphasis_quirk: set if we enable Tx de-emphasis quirk + * @tx_de_emphasis: Tx de-emphasis value + * 0 - -6dB de-emphasis +@@ -766,6 +772,14 @@ struct dwc3 { + u32 num_event_buffers; + u32 u1u2; + u32 maximum_speed; ++ ++ /* ++ * All 3.1 IP version constants are greater than the 3.0 IP ++ * version constants. This works for most version checks in ++ * dwc3. However, in the future, this may not apply as ++ * features may be developed on newer versions of the 3.0 IP ++ * that are not in the 3.1 IP. ++ */ + u32 revision; + + #define DWC3_REVISION_173A 0x5533173a +@@ -788,6 +802,13 @@ struct dwc3 { + #define DWC3_REVISION_270A 0x5533270a + #define DWC3_REVISION_280A 0x5533280a + ++/* ++ * NOTICE: we're using bit 31 as a "is usb 3.1" flag. This is really ++ * just so dwc31 revisions are always larger than dwc3. ++ */ ++#define DWC3_REVISION_IS_DWC31 0x80000000 ++#define DWC3_USB31_REVISION_110A (0x3131302a | DWC3_REVISION_IS_USB31) ++ + enum dwc3_ep0_next ep0_next_event; + enum dwc3_ep0_state ep0state; + enum dwc3_link_state link_state; +@@ -841,6 +862,7 @@ struct dwc3 { + unsigned rx_detect_poll_quirk:1; + unsigned dis_u3_susphy_quirk:1; + unsigned dis_u2_susphy_quirk:1; ++ unsigned dis_enblslpm_quirk:1; + + unsigned tx_de_emphasis_quirk:1; + unsigned tx_de_emphasis:2; +diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c +index 27e4fc8..04b87eb 100644 +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -27,6 +27,8 @@ + #include "platform_data.h" + + #define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3 0xabcd ++#define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI 0xabce ++#define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB31 0xabcf + #define PCI_DEVICE_ID_INTEL_BYT 0x0f37 + #define PCI_DEVICE_ID_INTEL_MRFLD 0x119e + #define PCI_DEVICE_ID_INTEL_BSW 0x22B7 +@@ -100,6 +102,22 @@ static int dwc3_pci_quirks(struct pci_dev *pdev) + } + } + ++ if (pdev->vendor == PCI_VENDOR_ID_SYNOPSYS && ++ (pdev->device == PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3 || ++ pdev->device == PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI || ++ pdev->device == PCI_DEVICE_ID_SYNOPSYS_HAPSUSB31)) { ++ ++ struct dwc3_platform_data pdata; ++ ++ memset(&pdata, 0, sizeof(pdata)); ++ pdata.usb3_lpm_capable = true; ++ pdata.has_lpm_erratum = true; ++ pdata.dis_enblslpm_quirk = true; ++ ++ return platform_device_add_data(pci_get_drvdata(pdev), &pdata, ++ sizeof(pdata)); ++ } ++ + return 0; + } + +@@ -172,6 +190,14 @@ static const struct pci_device_id dwc3_pci_id_table[] = { + PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS, + PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3), + }, ++ { ++ PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS, ++ PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI), ++ }, ++ { ++ PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS, ++ PCI_DEVICE_ID_SYNOPSYS_HAPSUSB31), ++ }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BSW), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BYT), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), }, +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 333a7c0..6fbf461 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1859,27 +1859,32 @@ static int dwc3_cleanup_done_reqs(struct dwc3 *dwc, struct dwc3_ep *dep, + unsigned int i; + int ret; + +- req = next_request(&dep->req_queued); +- if (!req) { +- WARN_ON_ONCE(1); +- return 1; +- } +- i = 0; + do { +- slot = req->start_slot + i; +- if ((slot == DWC3_TRB_NUM - 1) && ++ req = next_request(&dep->req_queued); ++ if (!req) { ++ WARN_ON_ONCE(1); ++ return 1; ++ } ++ i = 0; ++ do { ++ slot = req->start_slot + i; ++ if ((slot == DWC3_TRB_NUM - 1) && + usb_endpoint_xfer_isoc(dep->endpoint.desc)) +- slot++; +- slot %= DWC3_TRB_NUM; +- trb = &dep->trb_pool[slot]; ++ slot++; ++ slot %= DWC3_TRB_NUM; ++ trb = &dep->trb_pool[slot]; ++ ++ ret = __dwc3_cleanup_done_trbs(dwc, dep, req, trb, ++ event, status); ++ if (ret) ++ break; ++ } while (++i < req->request.num_mapped_sgs); ++ ++ dwc3_gadget_giveback(dep, req, status); + +- ret = __dwc3_cleanup_done_trbs(dwc, dep, req, trb, +- event, status); + if (ret) + break; +- } while (++i < req->request.num_mapped_sgs); +- +- dwc3_gadget_giveback(dep, req, status); ++ } while (1); + + if (usb_endpoint_xfer_isoc(dep->endpoint.desc) && + list_empty(&dep->req_queued)) { +@@ -2709,12 +2714,34 @@ int dwc3_gadget_init(struct dwc3 *dwc) + } + + dwc->gadget.ops = &dwc3_gadget_ops; +- dwc->gadget.max_speed = USB_SPEED_SUPER; + dwc->gadget.speed = USB_SPEED_UNKNOWN; + dwc->gadget.sg_supported = true; + dwc->gadget.name = "dwc3-gadget"; + + /* ++ * FIXME We might be setting max_speed to <SUPER, however versions ++ * <2.20a of dwc3 have an issue with metastability (documented ++ * elsewhere in this driver) which tells us we can't set max speed to ++ * anything lower than SUPER. ++ * ++ * Because gadget.max_speed is only used by composite.c and function ++ * drivers (i.e. it won't go into dwc3's registers) we are allowing this ++ * to happen so we avoid sending SuperSpeed Capability descriptor ++ * together with our BOS descriptor as that could confuse host into ++ * thinking we can handle super speed. ++ * ++ * Note that, in fact, we won't even support GetBOS requests when speed ++ * is less than super speed because we don't have means, yet, to tell ++ * composite.c that we are USB 2.0 + LPM ECN. ++ */ ++ if (dwc->revision < DWC3_REVISION_220A) ++ dwc3_trace(trace_dwc3_gadget, ++ "Changing max_speed on rev %08x\n", ++ dwc->revision); ++ ++ dwc->gadget.max_speed = dwc->maximum_speed; ++ ++ /* + * Per databook, DWC3 needs buffer size to be aligned to MaxPacketSize + * on ep out. + */ +diff --git a/drivers/usb/dwc3/platform_data.h b/drivers/usb/dwc3/platform_data.h +index d3614ec..db29380 100644 +--- a/drivers/usb/dwc3/platform_data.h ++++ b/drivers/usb/dwc3/platform_data.h +@@ -42,6 +42,7 @@ struct dwc3_platform_data { + unsigned rx_detect_poll_quirk:1; + unsigned dis_u3_susphy_quirk:1; + unsigned dis_u2_susphy_quirk:1; ++ unsigned dis_enblslpm_quirk:1; + + unsigned tx_de_emphasis_quirk:1; + unsigned tx_de_emphasis:2; +diff --git a/drivers/usb/gadget/udc/atmel_usba_udc.c b/drivers/usb/gadget/udc/atmel_usba_udc.c +index 4095cce0..35fff45 100644 +--- a/drivers/usb/gadget/udc/atmel_usba_udc.c ++++ b/drivers/usb/gadget/udc/atmel_usba_udc.c +@@ -1634,7 +1634,7 @@ static irqreturn_t usba_udc_irq(int irq, void *devid) + spin_lock(&udc->lock); + + int_enb = usba_int_enb_get(udc); +- status = usba_readl(udc, INT_STA) & int_enb; ++ status = usba_readl(udc, INT_STA) & (int_enb | USBA_HIGH_SPEED); + DBG(DBG_INT, "irq, status=%#08x\n", status); + + if (status & USBA_DET_SUSPEND) { +diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c +index 2bee912..baa0191 100644 +--- a/drivers/usb/gadget/udc/net2280.c ++++ b/drivers/usb/gadget/udc/net2280.c +@@ -1846,7 +1846,7 @@ static void defect7374_disable_data_eps(struct net2280 *dev) + + for (i = 1; i < 5; i++) { + ep = &dev->ep[i]; +- writel(0, &ep->cfg->ep_cfg); ++ writel(i, &ep->cfg->ep_cfg); + } + + /* CSROUT, CSRIN, PCIOUT, PCIIN, STATIN, RCIN */ +diff --git a/drivers/usb/host/ehci-orion.c b/drivers/usb/host/ehci-orion.c +index bfcbb9a..ee8d5fa 100644 +--- a/drivers/usb/host/ehci-orion.c ++++ b/drivers/usb/host/ehci-orion.c +@@ -224,7 +224,8 @@ static int ehci_orion_drv_probe(struct platform_device *pdev) + priv->phy = devm_phy_optional_get(&pdev->dev, "usb"); + if (IS_ERR(priv->phy)) { + err = PTR_ERR(priv->phy); +- goto err_phy_get; ++ if (err != -ENOSYS) ++ goto err_phy_get; + } else { + err = phy_init(priv->phy); + if (err) +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index d7b9f484..6062996 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -175,6 +175,16 @@ int xhci_reset(struct xhci_hcd *xhci) + command |= CMD_RESET; + writel(command, &xhci->op_regs->command); + ++ /* Existing Intel xHCI controllers require a delay of 1 mS, ++ * after setting the CMD_RESET bit, and before accessing any ++ * HC registers. This allows the HC to complete the ++ * reset operation and be ready for HC register access. ++ * Without this delay, the subsequent HC register access, ++ * may result in a system hang very rarely. ++ */ ++ if (xhci->quirks & XHCI_INTEL_HOST) ++ udelay(1000); ++ + ret = xhci_handshake(&xhci->op_regs->command, + CMD_RESET, 0, 10 * 1000 * 1000); + if (ret) +diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c +index 514a6cd..2fe6d26 100644 +--- a/drivers/usb/musb/musb_core.c ++++ b/drivers/usb/musb/musb_core.c +@@ -132,7 +132,7 @@ static inline struct musb *dev_to_musb(struct device *dev) + /*-------------------------------------------------------------------------*/ + + #ifndef CONFIG_BLACKFIN +-static int musb_ulpi_read(struct usb_phy *phy, u32 offset) ++static int musb_ulpi_read(struct usb_phy *phy, u32 reg) + { + void __iomem *addr = phy->io_priv; + int i = 0; +@@ -151,7 +151,7 @@ static int musb_ulpi_read(struct usb_phy *phy, u32 offset) + * ULPICarKitControlDisableUTMI after clearing POWER_SUSPENDM. + */ + +- musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)offset); ++ musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)reg); + musb_writeb(addr, MUSB_ULPI_REG_CONTROL, + MUSB_ULPI_REG_REQ | MUSB_ULPI_RDN_WR); + +@@ -176,7 +176,7 @@ out: + return ret; + } + +-static int musb_ulpi_write(struct usb_phy *phy, u32 offset, u32 data) ++static int musb_ulpi_write(struct usb_phy *phy, u32 val, u32 reg) + { + void __iomem *addr = phy->io_priv; + int i = 0; +@@ -191,8 +191,8 @@ static int musb_ulpi_write(struct usb_phy *phy, u32 offset, u32 data) + power &= ~MUSB_POWER_SUSPENDM; + musb_writeb(addr, MUSB_POWER, power); + +- musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)offset); +- musb_writeb(addr, MUSB_ULPI_REG_DATA, (u8)data); ++ musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)reg); ++ musb_writeb(addr, MUSB_ULPI_REG_DATA, (u8)val); + musb_writeb(addr, MUSB_ULPI_REG_CONTROL, MUSB_ULPI_REG_REQ); + + while (!(musb_readb(addr, MUSB_ULPI_REG_CONTROL) +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 7c8eb4c..4021846 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -162,6 +162,7 @@ static void option_instat_callback(struct urb *urb); + #define NOVATELWIRELESS_PRODUCT_HSPA_EMBEDDED_HIGHSPEED 0x9001 + #define NOVATELWIRELESS_PRODUCT_E362 0x9010 + #define NOVATELWIRELESS_PRODUCT_E371 0x9011 ++#define NOVATELWIRELESS_PRODUCT_U620L 0x9022 + #define NOVATELWIRELESS_PRODUCT_G2 0xA010 + #define NOVATELWIRELESS_PRODUCT_MC551 0xB001 + +@@ -357,6 +358,7 @@ static void option_instat_callback(struct urb *urb); + /* This is the 4G XS Stick W14 a.k.a. Mobilcom Debitel Surf-Stick * + * It seems to contain a Qualcomm QSC6240/6290 chipset */ + #define FOUR_G_SYSTEMS_PRODUCT_W14 0x9603 ++#define FOUR_G_SYSTEMS_PRODUCT_W100 0x9b01 + + /* iBall 3.5G connect wireless modem */ + #define IBALL_3_5G_CONNECT 0x9605 +@@ -522,6 +524,11 @@ static const struct option_blacklist_info four_g_w14_blacklist = { + .sendsetup = BIT(0) | BIT(1), + }; + ++static const struct option_blacklist_info four_g_w100_blacklist = { ++ .sendsetup = BIT(1) | BIT(2), ++ .reserved = BIT(3), ++}; ++ + static const struct option_blacklist_info alcatel_x200_blacklist = { + .sendsetup = BIT(0) | BIT(1), + .reserved = BIT(4), +@@ -1060,6 +1067,7 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_MC551, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_E362, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_E371, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_U620L, 0xff, 0x00, 0x00) }, + + { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01) }, + { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01A) }, +@@ -1653,6 +1661,9 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W14), + .driver_info = (kernel_ulong_t)&four_g_w14_blacklist + }, ++ { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W100), ++ .driver_info = (kernel_ulong_t)&four_g_w100_blacklist ++ }, + { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, SPEEDUP_PRODUCT_SU9800, 0xff) }, + { USB_DEVICE(LONGCHEER_VENDOR_ID, ZOOM_PRODUCT_4597) }, + { USB_DEVICE(LONGCHEER_VENDOR_ID, IBALL_3_5G_CONNECT) }, +diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c +index f49d262..514fa91 100644 +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -22,6 +22,8 @@ + #define DRIVER_AUTHOR "Qualcomm Inc" + #define DRIVER_DESC "Qualcomm USB Serial driver" + ++#define QUECTEL_EC20_PID 0x9215 ++ + /* standard device layouts supported by this driver */ + enum qcserial_layouts { + QCSERIAL_G2K = 0, /* Gobi 2000 */ +@@ -169,6 +171,38 @@ static const struct usb_device_id id_table[] = { + }; + MODULE_DEVICE_TABLE(usb, id_table); + ++static int handle_quectel_ec20(struct device *dev, int ifnum) ++{ ++ int altsetting = 0; ++ ++ /* ++ * Quectel EC20 Mini PCIe LTE module layout: ++ * 0: DM/DIAG (use libqcdm from ModemManager for communication) ++ * 1: NMEA ++ * 2: AT-capable modem port ++ * 3: Modem interface ++ * 4: NDIS ++ */ ++ switch (ifnum) { ++ case 0: ++ dev_dbg(dev, "Quectel EC20 DM/DIAG interface found\n"); ++ break; ++ case 1: ++ dev_dbg(dev, "Quectel EC20 NMEA GPS interface found\n"); ++ break; ++ case 2: ++ case 3: ++ dev_dbg(dev, "Quectel EC20 Modem port found\n"); ++ break; ++ case 4: ++ /* Don't claim the QMI/net interface */ ++ altsetting = -1; ++ break; ++ } ++ ++ return altsetting; ++} ++ + static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id) + { + struct usb_host_interface *intf = serial->interface->cur_altsetting; +@@ -178,6 +212,10 @@ static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id) + __u8 ifnum; + int altsetting = -1; + ++ /* we only support vendor specific functions */ ++ if (intf->desc.bInterfaceClass != USB_CLASS_VENDOR_SPEC) ++ goto done; ++ + nintf = serial->dev->actconfig->desc.bNumInterfaces; + dev_dbg(dev, "Num Interfaces = %d\n", nintf); + ifnum = intf->desc.bInterfaceNumber; +@@ -237,6 +275,12 @@ static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id) + altsetting = -1; + break; + case QCSERIAL_G2K: ++ /* handle non-standard layouts */ ++ if (nintf == 5 && id->idProduct == QUECTEL_EC20_PID) { ++ altsetting = handle_quectel_ec20(dev, ifnum); ++ goto done; ++ } ++ + /* + * Gobi 2K+ USB layout: + * 0: QMI/net +@@ -297,29 +341,39 @@ static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id) + break; + case QCSERIAL_HWI: + /* +- * Huawei layout: +- * 0: AT-capable modem port +- * 1: DM/DIAG +- * 2: AT-capable modem port +- * 3: CCID-compatible PCSC interface +- * 4: QMI/net +- * 5: NMEA ++ * Huawei devices map functions by subclass + protocol ++ * instead of interface numbers. The protocol identify ++ * a specific function, while the subclass indicate a ++ * specific firmware source ++ * ++ * This is a blacklist of functions known to be ++ * non-serial. The rest are assumed to be serial and ++ * will be handled by this driver + */ +- switch (ifnum) { +- case 0: +- case 2: +- dev_dbg(dev, "Modem port found\n"); +- break; +- case 1: +- dev_dbg(dev, "DM/DIAG interface found\n"); +- break; +- case 5: +- dev_dbg(dev, "NMEA GPS interface found\n"); +- break; +- default: +- /* don't claim any unsupported interface */ ++ switch (intf->desc.bInterfaceProtocol) { ++ /* QMI combined (qmi_wwan) */ ++ case 0x07: ++ case 0x37: ++ case 0x67: ++ /* QMI data (qmi_wwan) */ ++ case 0x08: ++ case 0x38: ++ case 0x68: ++ /* QMI control (qmi_wwan) */ ++ case 0x09: ++ case 0x39: ++ case 0x69: ++ /* NCM like (huawei_cdc_ncm) */ ++ case 0x16: ++ case 0x46: ++ case 0x76: + altsetting = -1; + break; ++ default: ++ dev_dbg(dev, "Huawei type serial port found (%02x/%02x/%02x)\n", ++ intf->desc.bInterfaceClass, ++ intf->desc.bInterfaceSubClass, ++ intf->desc.bInterfaceProtocol); + } + break; + default: +diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c +index e9da41d..2694df2 100644 +--- a/drivers/usb/serial/ti_usb_3410_5052.c ++++ b/drivers/usb/serial/ti_usb_3410_5052.c +@@ -159,6 +159,7 @@ static const struct usb_device_id ti_id_table_3410[] = { + { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STEREO_PLUG_ID) }, + { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STRIP_PORT_ID) }, + { USB_DEVICE(TI_VENDOR_ID, FRI2_PRODUCT_ID) }, ++ { USB_DEVICE(HONEYWELL_VENDOR_ID, HONEYWELL_HGI80_PRODUCT_ID) }, + { } /* terminator */ + }; + +@@ -191,6 +192,7 @@ static const struct usb_device_id ti_id_table_combined[] = { + { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_PRODUCT_ID) }, + { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STRIP_PORT_ID) }, + { USB_DEVICE(TI_VENDOR_ID, FRI2_PRODUCT_ID) }, ++ { USB_DEVICE(HONEYWELL_VENDOR_ID, HONEYWELL_HGI80_PRODUCT_ID) }, + { } /* terminator */ + }; + +diff --git a/drivers/usb/serial/ti_usb_3410_5052.h b/drivers/usb/serial/ti_usb_3410_5052.h +index 4a2423e..98f35c6 100644 +--- a/drivers/usb/serial/ti_usb_3410_5052.h ++++ b/drivers/usb/serial/ti_usb_3410_5052.h +@@ -56,6 +56,10 @@ + #define ABBOTT_PRODUCT_ID ABBOTT_STEREO_PLUG_ID + #define ABBOTT_STRIP_PORT_ID 0x3420 + ++/* Honeywell vendor and product IDs */ ++#define HONEYWELL_VENDOR_ID 0x10ac ++#define HONEYWELL_HGI80_PRODUCT_ID 0x0102 /* Honeywell HGI80 */ ++ + /* Commands */ + #define TI_GET_VERSION 0x01 + #define TI_GET_PORT_STATUS 0x02 +diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c +index 96093ae..cdc3d33 100644 +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -39,6 +39,7 @@ + #include <asm/irq.h> + #include <asm/idle.h> + #include <asm/io_apic.h> ++#include <asm/i8259.h> + #include <asm/xen/pci.h> + #include <xen/page.h> + #endif +@@ -420,7 +421,7 @@ static int __must_check xen_allocate_irq_gsi(unsigned gsi) + return xen_allocate_irq_dynamic(); + + /* Legacy IRQ descriptors are already allocated by the arch. */ +- if (gsi < NR_IRQS_LEGACY) ++ if (gsi < nr_legacy_irqs()) + irq = gsi; + else + irq = irq_alloc_desc_at(gsi, -1); +@@ -446,7 +447,7 @@ static void xen_free_irq(unsigned irq) + kfree(info); + + /* Legacy IRQ descriptors are managed by the arch. */ +- if (irq < NR_IRQS_LEGACY) ++ if (irq < nr_legacy_irqs()) + return; + + irq_free_desc(irq); +diff --git a/fs/proc/array.c b/fs/proc/array.c +index ce065cf..57fde2d 100644 +--- a/fs/proc/array.c ++++ b/fs/proc/array.c +@@ -372,7 +372,7 @@ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns, + static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, + struct pid *pid, struct task_struct *task, int whole) + { +- unsigned long vsize, eip, esp, wchan = ~0UL; ++ unsigned long vsize, eip, esp, wchan = 0; + int priority, nice; + int tty_pgrp = -1, tty_nr = 0; + sigset_t sigign, sigcatch; +@@ -504,7 +504,19 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, + seq_put_decimal_ull(m, ' ', task->blocked.sig[0] & 0x7fffffffUL); + seq_put_decimal_ull(m, ' ', sigign.sig[0] & 0x7fffffffUL); + seq_put_decimal_ull(m, ' ', sigcatch.sig[0] & 0x7fffffffUL); +- seq_put_decimal_ull(m, ' ', wchan); ++ ++ /* ++ * We used to output the absolute kernel address, but that's an ++ * information leak - so instead we show a 0/1 flag here, to signal ++ * to user-space whether there's a wchan field in /proc/PID/wchan. ++ * ++ * This works with older implementations of procps as well. ++ */ ++ if (wchan) ++ seq_puts(m, " 1"); ++ else ++ seq_puts(m, " 0"); ++ + seq_put_decimal_ull(m, ' ', 0); + seq_put_decimal_ull(m, ' ', 0); + seq_put_decimal_ll(m, ' ', task->exit_signal); +diff --git a/fs/proc/base.c b/fs/proc/base.c +index aa50d1a..83a43c1 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -430,13 +430,10 @@ static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns, + + wchan = get_wchan(task); + +- if (lookup_symbol_name(wchan, symname) < 0) { +- if (!ptrace_may_access(task, PTRACE_MODE_READ)) +- return 0; +- seq_printf(m, "%lu", wchan); +- } else { ++ if (wchan && ptrace_may_access(task, PTRACE_MODE_READ) && !lookup_symbol_name(wchan, symname)) + seq_printf(m, "%s", symname); +- } ++ else ++ seq_putc(m, '0'); + + return 0; + } +diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h +index 05e99b8..053f122 100644 +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -436,6 +436,17 @@ static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i) + (vcpup = kvm_get_vcpu(kvm, idx)) != NULL; \ + idx++) + ++static inline struct kvm_vcpu *kvm_get_vcpu_by_id(struct kvm *kvm, int id) ++{ ++ struct kvm_vcpu *vcpu; ++ int i; ++ ++ kvm_for_each_vcpu(i, vcpu, kvm) ++ if (vcpu->vcpu_id == id) ++ return vcpu; ++ return NULL; ++} ++ + #define kvm_for_each_memslot(memslot, slots) \ + for (memslot = &slots->memslots[0]; \ + memslot < slots->memslots + KVM_MEM_SLOTS_NUM && memslot->npages;\ +diff --git a/include/linux/tty.h b/include/linux/tty.h +index ad6c891..342a760 100644 +--- a/include/linux/tty.h ++++ b/include/linux/tty.h +@@ -605,7 +605,7 @@ extern void n_tty_inherit_ops(struct tty_ldisc_ops *ops); + + /* tty_audit.c */ + #ifdef CONFIG_AUDIT +-extern void tty_audit_add_data(struct tty_struct *tty, unsigned char *data, ++extern void tty_audit_add_data(struct tty_struct *tty, const void *data, + size_t size, unsigned icanon); + extern void tty_audit_exit(void); + extern void tty_audit_fork(struct signal_struct *sig); +@@ -613,8 +613,8 @@ extern void tty_audit_tiocsti(struct tty_struct *tty, char ch); + extern void tty_audit_push(struct tty_struct *tty); + extern int tty_audit_push_current(void); + #else +-static inline void tty_audit_add_data(struct tty_struct *tty, +- unsigned char *data, size_t size, unsigned icanon) ++static inline void tty_audit_add_data(struct tty_struct *tty, const void *data, ++ size_t size, unsigned icanon) + { + } + static inline void tty_audit_tiocsti(struct tty_struct *tty, char ch) +diff --git a/include/net/inet_common.h b/include/net/inet_common.h +index 279f835..109e3ee 100644 +--- a/include/net/inet_common.h ++++ b/include/net/inet_common.h +@@ -41,7 +41,8 @@ int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, + + static inline void inet_ctl_sock_destroy(struct sock *sk) + { +- sock_release(sk->sk_socket); ++ if (sk) ++ sock_release(sk->sk_socket); + } + + #endif +diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h +index 5fa643b..ff6d78f 100644 +--- a/include/net/ip_fib.h ++++ b/include/net/ip_fib.h +@@ -306,7 +306,7 @@ void fib_flush_external(struct net *net); + + /* Exported by fib_semantics.c */ + int ip_fib_check_default(__be32 gw, struct net_device *dev); +-int fib_sync_down_dev(struct net_device *dev, unsigned long event); ++int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force); + int fib_sync_down_addr(struct net *net, __be32 local); + int fib_sync_up(struct net_device *dev, unsigned int nh_flags); + void fib_select_multipath(struct fib_result *res); +diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c +index f1a117f..0bec458 100644 +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -401,6 +401,20 @@ static void hidp_idle_timeout(unsigned long arg) + { + struct hidp_session *session = (struct hidp_session *) arg; + ++ /* The HIDP user-space API only contains calls to add and remove ++ * devices. There is no way to forward events of any kind. Therefore, ++ * we have to forcefully disconnect a device on idle-timeouts. This is ++ * unfortunate and weird API design, but it is spec-compliant and ++ * required for backwards-compatibility. Hence, on idle-timeout, we ++ * signal driver-detach events, so poll() will be woken up with an ++ * error-condition on both sockets. ++ */ ++ ++ session->intr_sock->sk->sk_err = EUNATCH; ++ session->ctrl_sock->sk->sk_err = EUNATCH; ++ wake_up_interruptible(sk_sleep(session->intr_sock->sk)); ++ wake_up_interruptible(sk_sleep(session->ctrl_sock->sk)); ++ + hidp_session_terminate(session); + } + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 92720f3..e32a9e4 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -3090,6 +3090,11 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data, + } else { + u8 addr_type; + ++ if (cp->addr.type == BDADDR_LE_PUBLIC) ++ addr_type = ADDR_LE_DEV_PUBLIC; ++ else ++ addr_type = ADDR_LE_DEV_RANDOM; ++ + conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, + &cp->addr.bdaddr); + if (conn) { +@@ -3105,13 +3110,10 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data, + */ + if (!cp->disconnect) + conn = NULL; ++ } else { ++ hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type); + } + +- if (cp->addr.type == BDADDR_LE_PUBLIC) +- addr_type = ADDR_LE_DEV_PUBLIC; +- else +- addr_type = ADDR_LE_DEV_RANDOM; +- + hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type); + + err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type); +diff --git a/net/core/dst.c b/net/core/dst.c +index 002144be..cc4a086 100644 +--- a/net/core/dst.c ++++ b/net/core/dst.c +@@ -287,7 +287,7 @@ void dst_release(struct dst_entry *dst) + if (unlikely(newrefcnt < 0)) + net_warn_ratelimited("%s: dst:%p refcnt:%d\n", + __func__, dst, newrefcnt); +- if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt) ++ if (!newrefcnt && unlikely(dst->flags & DST_NOCACHE)) + call_rcu(&dst->rcu_head, dst_destroy_rcu); + } + } +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index 6bbc549..d7116cf 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -1063,9 +1063,10 @@ static void nl_fib_lookup_exit(struct net *net) + net->ipv4.fibnl = NULL; + } + +-static void fib_disable_ip(struct net_device *dev, unsigned long event) ++static void fib_disable_ip(struct net_device *dev, unsigned long event, ++ bool force) + { +- if (fib_sync_down_dev(dev, event)) ++ if (fib_sync_down_dev(dev, event, force)) + fib_flush(dev_net(dev)); + rt_cache_flush(dev_net(dev)); + arp_ifdown(dev); +@@ -1093,7 +1094,7 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event, + /* Last address was deleted from this interface. + * Disable IP. + */ +- fib_disable_ip(dev, event); ++ fib_disable_ip(dev, event, true); + } else { + rt_cache_flush(dev_net(dev)); + } +@@ -1110,7 +1111,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo + unsigned int flags; + + if (event == NETDEV_UNREGISTER) { +- fib_disable_ip(dev, event); ++ fib_disable_ip(dev, event, true); + rt_flush_dev(dev); + return NOTIFY_DONE; + } +@@ -1131,14 +1132,14 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo + rt_cache_flush(net); + break; + case NETDEV_DOWN: +- fib_disable_ip(dev, event); ++ fib_disable_ip(dev, event, false); + break; + case NETDEV_CHANGE: + flags = dev_get_flags(dev); + if (flags & (IFF_RUNNING | IFF_LOWER_UP)) + fib_sync_up(dev, RTNH_F_LINKDOWN); + else +- fib_sync_down_dev(dev, event); ++ fib_sync_down_dev(dev, event, false); + /* fall through */ + case NETDEV_CHANGEMTU: + rt_cache_flush(net); +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index 3a06586..71bad5c 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -1132,7 +1132,13 @@ int fib_sync_down_addr(struct net *net, __be32 local) + return ret; + } + +-int fib_sync_down_dev(struct net_device *dev, unsigned long event) ++/* Event force Flags Description ++ * NETDEV_CHANGE 0 LINKDOWN Carrier OFF, not for scope host ++ * NETDEV_DOWN 0 LINKDOWN|DEAD Link down, not for scope host ++ * NETDEV_DOWN 1 LINKDOWN|DEAD Last address removed ++ * NETDEV_UNREGISTER 1 LINKDOWN|DEAD Device removed ++ */ ++int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force) + { + int ret = 0; + int scope = RT_SCOPE_NOWHERE; +@@ -1141,8 +1147,7 @@ int fib_sync_down_dev(struct net_device *dev, unsigned long event) + struct hlist_head *head = &fib_info_devhash[hash]; + struct fib_nh *nh; + +- if (event == NETDEV_UNREGISTER || +- event == NETDEV_DOWN) ++ if (force) + scope = -1; + + hlist_for_each_entry(nh, head, nh_hash) { +@@ -1291,6 +1296,13 @@ int fib_sync_up(struct net_device *dev, unsigned int nh_flags) + if (!(dev->flags & IFF_UP)) + return 0; + ++ if (nh_flags & RTNH_F_DEAD) { ++ unsigned int flags = dev_get_flags(dev); ++ ++ if (flags & (IFF_RUNNING | IFF_LOWER_UP)) ++ nh_flags |= RTNH_F_LINKDOWN; ++ } ++ + prev_fi = NULL; + hash = fib_devindex_hashfn(dev->ifindex); + head = &fib_info_devhash[hash]; +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c +index b0c6258..ea3aedb 100644 +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -1561,7 +1561,7 @@ static struct key_vector *leaf_walk_rcu(struct key_vector **tn, t_key key) + do { + /* record parent and next child index */ + pn = n; +- cindex = key ? get_index(key, pn) : 0; ++ cindex = (key > pn->key) ? get_index(key, pn) : 0; + + if (cindex >> pn->bits) + break; +diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c +index 5aa46d4..5a8ee32 100644 +--- a/net/ipv4/gre_offload.c ++++ b/net/ipv4/gre_offload.c +@@ -36,7 +36,8 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb, + SKB_GSO_TCP_ECN | + SKB_GSO_GRE | + SKB_GSO_GRE_CSUM | +- SKB_GSO_IPIP))) ++ SKB_GSO_IPIP | ++ SKB_GSO_SIT))) + goto out; + + if (!skb->encapsulation) +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c +index 3a2c016..df28693 100644 +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -1683,8 +1683,8 @@ static inline int ipmr_forward_finish(struct sock *sk, struct sk_buff *skb) + { + struct ip_options *opt = &(IPCB(skb)->opt); + +- IP_INC_STATS_BH(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTFORWDATAGRAMS); +- IP_ADD_STATS_BH(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTOCTETS, skb->len); ++ IP_INC_STATS(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTFORWDATAGRAMS); ++ IP_ADD_STATS(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTOCTETS, skb->len); + + if (unlikely(opt->optlen)) + ip_forward_options(skb); +@@ -1746,7 +1746,7 @@ static void ipmr_queue_xmit(struct net *net, struct mr_table *mrt, + * to blackhole. + */ + +- IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_FRAGFAILS); ++ IP_INC_STATS(dev_net(dev), IPSTATS_MIB_FRAGFAILS); + ip_rt_put(rt); + goto out_free; + } +diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c +index 0330ab2..a1442c5 100644 +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -47,14 +47,14 @@ static void set_local_port_range(struct net *net, int range[2]) + { + bool same_parity = !((range[0] ^ range[1]) & 1); + +- write_seqlock(&net->ipv4.ip_local_ports.lock); ++ write_seqlock_bh(&net->ipv4.ip_local_ports.lock); + if (same_parity && !net->ipv4.ip_local_ports.warned) { + net->ipv4.ip_local_ports.warned = true; + pr_err_ratelimited("ip_local_port_range: prefer different parity for start/end values.\n"); + } + net->ipv4.ip_local_ports.range[0] = range[0]; + net->ipv4.ip_local_ports.range[1] = range[1]; +- write_sequnlock(&net->ipv4.ip_local_ports.lock); ++ write_sequnlock_bh(&net->ipv4.ip_local_ports.lock); + } + + /* Validate changes from /proc interface. */ +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index b7dedd9..747a4c4 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -3406,7 +3406,7 @@ static int tcp_xmit_probe_skb(struct sock *sk, int urgent, int mib) + */ + tcp_init_nondata_skb(skb, tp->snd_una - !urgent, TCPHDR_ACK); + skb_mstamp_get(&skb->skb_mstamp); +- NET_INC_STATS_BH(sock_net(sk), mib); ++ NET_INC_STATS(sock_net(sk), mib); + return tcp_transmit_skb(sk, skb, 0, GFP_ATOMIC); + } + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 21c2c81..c8c1fea 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -411,6 +411,7 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev) + if (err) { + ipv6_mc_destroy_dev(ndev); + del_timer(&ndev->regen_timer); ++ snmp6_unregister_dev(ndev); + goto err_release; + } + /* protected by rtnl_lock */ +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index ac35a28..85c4b2f 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1394,34 +1394,20 @@ static int ipip6_tunnel_init(struct net_device *dev) + return 0; + } + +-static int __net_init ipip6_fb_tunnel_init(struct net_device *dev) ++static void __net_init ipip6_fb_tunnel_init(struct net_device *dev) + { + struct ip_tunnel *tunnel = netdev_priv(dev); + struct iphdr *iph = &tunnel->parms.iph; + struct net *net = dev_net(dev); + struct sit_net *sitn = net_generic(net, sit_net_id); + +- tunnel->dev = dev; +- tunnel->net = dev_net(dev); +- + iph->version = 4; + iph->protocol = IPPROTO_IPV6; + iph->ihl = 5; + iph->ttl = 64; + +- dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats); +- if (!dev->tstats) +- return -ENOMEM; +- +- tunnel->dst_cache = alloc_percpu(struct ip_tunnel_dst); +- if (!tunnel->dst_cache) { +- free_percpu(dev->tstats); +- return -ENOMEM; +- } +- + dev_hold(dev); + rcu_assign_pointer(sitn->tunnels_wc[0], tunnel); +- return 0; + } + + static int ipip6_validate(struct nlattr *tb[], struct nlattr *data[]) +@@ -1831,23 +1817,19 @@ static int __net_init sit_init_net(struct net *net) + */ + sitn->fb_tunnel_dev->features |= NETIF_F_NETNS_LOCAL; + +- err = ipip6_fb_tunnel_init(sitn->fb_tunnel_dev); +- if (err) +- goto err_dev_free; +- +- ipip6_tunnel_clone_6rd(sitn->fb_tunnel_dev, sitn); + err = register_netdev(sitn->fb_tunnel_dev); + if (err) + goto err_reg_dev; + ++ ipip6_tunnel_clone_6rd(sitn->fb_tunnel_dev, sitn); ++ ipip6_fb_tunnel_init(sitn->fb_tunnel_dev); ++ + t = netdev_priv(sitn->fb_tunnel_dev); + + strcpy(t->parms.name, sitn->fb_tunnel_dev->name); + return 0; + + err_reg_dev: +- dev_put(sitn->fb_tunnel_dev); +-err_dev_free: + ipip6_dev_free(sitn->fb_tunnel_dev); + err_alloc_dev: + return err; +diff --git a/net/irda/irlmp.c b/net/irda/irlmp.c +index a26c401..4396459 100644 +--- a/net/irda/irlmp.c ++++ b/net/irda/irlmp.c +@@ -1839,7 +1839,7 @@ static void *irlmp_seq_hb_idx(struct irlmp_iter_state *iter, loff_t *off) + for (element = hashbin_get_first(iter->hashbin); + element != NULL; + element = hashbin_get_next(iter->hashbin)) { +- if (!off || *off-- == 0) { ++ if (!off || (*off)-- == 0) { + /* NB: hashbin left locked */ + return element; + } +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 9b2cc27..33bf779 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -3378,7 +3378,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata, + + if (ifmgd->rssi_min_thold != ifmgd->rssi_max_thold && + ifmgd->count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT) { +- int sig = ifmgd->ave_beacon_signal; ++ int sig = ifmgd->ave_beacon_signal / 16; + int last_sig = ifmgd->last_ave_beacon_signal; + struct ieee80211_event event = { + .type = RSSI_EVENT, +@@ -4999,6 +4999,25 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata, + return 0; + } + ++ if (ifmgd->assoc_data && ++ ether_addr_equal(ifmgd->assoc_data->bss->bssid, req->bssid)) { ++ sdata_info(sdata, ++ "aborting association with %pM by local choice (Reason: %u=%s)\n", ++ req->bssid, req->reason_code, ++ ieee80211_get_reason_code_string(req->reason_code)); ++ ++ drv_mgd_prepare_tx(sdata->local, sdata); ++ ieee80211_send_deauth_disassoc(sdata, req->bssid, ++ IEEE80211_STYPE_DEAUTH, ++ req->reason_code, tx, ++ frame_buf); ++ ieee80211_destroy_assoc_data(sdata, false); ++ ieee80211_report_disconnect(sdata, frame_buf, ++ sizeof(frame_buf), true, ++ req->reason_code); ++ return 0; ++ } ++ + if (ifmgd->associated && + ether_addr_equal(ifmgd->associated->bssid, req->bssid)) { + sdata_info(sdata, +diff --git a/net/mac80211/trace.h b/net/mac80211/trace.h +index 6f14591..0b13bfa 100644 +--- a/net/mac80211/trace.h ++++ b/net/mac80211/trace.h +@@ -33,11 +33,11 @@ + __field(u32, chan_width) \ + __field(u32, center_freq1) \ + __field(u32, center_freq2) +-#define CHANDEF_ASSIGN(c) \ +- __entry->control_freq = (c)->chan ? (c)->chan->center_freq : 0; \ +- __entry->chan_width = (c)->width; \ +- __entry->center_freq1 = (c)->center_freq1; \ +- __entry->center_freq2 = (c)->center_freq2; ++#define CHANDEF_ASSIGN(c) \ ++ __entry->control_freq = (c) ? ((c)->chan ? (c)->chan->center_freq : 0) : 0; \ ++ __entry->chan_width = (c) ? (c)->width : 0; \ ++ __entry->center_freq1 = (c) ? (c)->center_freq1 : 0; \ ++ __entry->center_freq2 = (c) ? (c)->center_freq2 : 0; + #define CHANDEF_PR_FMT " control:%d MHz width:%d center: %d/%d MHz" + #define CHANDEF_PR_ARG __entry->control_freq, __entry->chan_width, \ + __entry->center_freq1, __entry->center_freq2 +diff --git a/net/mac80211/util.c b/net/mac80211/util.c +index 43e5aad..f5fa8c0 100644 +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -2984,6 +2984,13 @@ ieee80211_extend_noa_desc(struct ieee80211_noa_data *data, u32 tsf, int i) + if (end > 0) + return false; + ++ /* One shot NOA */ ++ if (data->count[i] == 1) ++ return false; ++ ++ if (data->desc[i].interval == 0) ++ return false; ++ + /* End time is in the past, check for repetitions */ + skip = DIV_ROUND_UP(-end, data->desc[i].interval); + if (data->count[i] < 255) { +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index a133d16..8b158f7 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2346,7 +2346,7 @@ static int netlink_getsockopt(struct socket *sock, int level, int optname, + int pos, idx, shift; + + err = 0; +- netlink_table_grab(); ++ netlink_lock_table(); + for (pos = 0; pos * 8 < nlk->ngroups; pos += sizeof(u32)) { + if (len - pos < sizeof(u32)) + break; +@@ -2361,7 +2361,7 @@ static int netlink_getsockopt(struct socket *sock, int level, int optname, + } + if (put_user(ALIGN(nlk->ngroups / 8, sizeof(u32)), optlen)) + err = -EFAULT; +- netlink_table_ungrab(); ++ netlink_unlock_table(); + break; + } + default: +diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c +index 609f922..30b09f0 100644 +--- a/net/nfc/nci/hci.c ++++ b/net/nfc/nci/hci.c +@@ -101,6 +101,20 @@ struct nci_hcp_packet { + #define NCI_HCP_MSG_GET_CMD(header) (header & 0x3f) + #define NCI_HCP_MSG_GET_PIPE(header) (header & 0x7f) + ++static int nci_hci_result_to_errno(u8 result) ++{ ++ switch (result) { ++ case NCI_HCI_ANY_OK: ++ return 0; ++ case NCI_HCI_ANY_E_REG_PAR_UNKNOWN: ++ return -EOPNOTSUPP; ++ case NCI_HCI_ANY_E_TIMEOUT: ++ return -ETIME; ++ default: ++ return -1; ++ } ++} ++ + /* HCI core */ + static void nci_hci_reset_pipes(struct nci_hci_dev *hdev) + { +@@ -146,18 +160,18 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe, + if (!conn_info) + return -EPROTO; + +- skb = nci_skb_alloc(ndev, 2 + conn_info->max_pkt_payload_len + ++ i = 0; ++ skb = nci_skb_alloc(ndev, conn_info->max_pkt_payload_len + + NCI_DATA_HDR_SIZE, GFP_KERNEL); + if (!skb) + return -ENOMEM; + +- skb_reserve(skb, 2 + NCI_DATA_HDR_SIZE); ++ skb_reserve(skb, NCI_DATA_HDR_SIZE + 2); + *skb_push(skb, 1) = data_type; + +- i = 0; +- len = conn_info->max_pkt_payload_len; +- + do { ++ len = conn_info->max_pkt_payload_len; ++ + /* If last packet add NCI_HFP_NO_CHAINING */ + if (i + conn_info->max_pkt_payload_len - + (skb->len + 1) >= data_len) { +@@ -177,9 +191,15 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe, + return r; + + i += len; ++ + if (i < data_len) { +- skb_trim(skb, 0); +- skb_pull(skb, len); ++ skb = nci_skb_alloc(ndev, ++ conn_info->max_pkt_payload_len + ++ NCI_DATA_HDR_SIZE, GFP_KERNEL); ++ if (!skb) ++ return -ENOMEM; ++ ++ skb_reserve(skb, NCI_DATA_HDR_SIZE + 1); + } + } while (i < data_len); + +@@ -212,7 +232,8 @@ int nci_hci_send_cmd(struct nci_dev *ndev, u8 gate, u8 cmd, + const u8 *param, size_t param_len, + struct sk_buff **skb) + { +- struct nci_conn_info *conn_info; ++ struct nci_hcp_message *message; ++ struct nci_conn_info *conn_info; + struct nci_data data; + int r; + u8 pipe = ndev->hci_dev->gate2pipe[gate]; +@@ -232,9 +253,15 @@ int nci_hci_send_cmd(struct nci_dev *ndev, u8 gate, u8 cmd, + + r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data, + msecs_to_jiffies(NCI_DATA_TIMEOUT)); +- +- if (r == NCI_STATUS_OK && skb) +- *skb = conn_info->rx_skb; ++ if (r == NCI_STATUS_OK) { ++ message = (struct nci_hcp_message *)conn_info->rx_skb->data; ++ r = nci_hci_result_to_errno( ++ NCI_HCP_MSG_GET_CMD(message->header)); ++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN); ++ ++ if (!r && skb) ++ *skb = conn_info->rx_skb; ++ } + + return r; + } +@@ -328,9 +355,6 @@ static void nci_hci_resp_received(struct nci_dev *ndev, u8 pipe, + struct nci_conn_info *conn_info; + u8 status = result; + +- if (result != NCI_HCI_ANY_OK) +- goto exit; +- + conn_info = ndev->hci_dev->conn_info; + if (!conn_info) { + status = NCI_STATUS_REJECTED; +@@ -340,7 +364,7 @@ static void nci_hci_resp_received(struct nci_dev *ndev, u8 pipe, + conn_info->rx_skb = skb; + + exit: +- nci_req_complete(ndev, status); ++ nci_req_complete(ndev, NCI_STATUS_OK); + } + + /* Receive hcp message for pipe, with type and cmd. +@@ -378,7 +402,7 @@ static void nci_hci_msg_rx_work(struct work_struct *work) + u8 pipe, type, instruction; + + while ((skb = skb_dequeue(&hdev->msg_rx_queue)) != NULL) { +- pipe = skb->data[0]; ++ pipe = NCI_HCP_MSG_GET_PIPE(skb->data[0]); + skb_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN); + message = (struct nci_hcp_message *)skb->data; + type = NCI_HCP_MSG_GET_TYPE(message->header); +@@ -395,7 +419,7 @@ void nci_hci_data_received_cb(void *context, + { + struct nci_dev *ndev = (struct nci_dev *)context; + struct nci_hcp_packet *packet; +- u8 pipe, type, instruction; ++ u8 pipe, type; + struct sk_buff *hcp_skb; + struct sk_buff *frag_skb; + int msg_len; +@@ -415,7 +439,7 @@ void nci_hci_data_received_cb(void *context, + + /* it's the last fragment. Does it need re-aggregation? */ + if (skb_queue_len(&ndev->hci_dev->rx_hcp_frags)) { +- pipe = packet->header & NCI_HCI_FRAGMENT; ++ pipe = NCI_HCP_MSG_GET_PIPE(packet->header); + skb_queue_tail(&ndev->hci_dev->rx_hcp_frags, skb); + + msg_len = 0; +@@ -434,7 +458,7 @@ void nci_hci_data_received_cb(void *context, + *skb_put(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN) = pipe; + + skb_queue_walk(&ndev->hci_dev->rx_hcp_frags, frag_skb) { +- msg_len = frag_skb->len - NCI_HCI_HCP_PACKET_HEADER_LEN; ++ msg_len = frag_skb->len - NCI_HCI_HCP_PACKET_HEADER_LEN; + memcpy(skb_put(hcp_skb, msg_len), frag_skb->data + + NCI_HCI_HCP_PACKET_HEADER_LEN, msg_len); + } +@@ -452,11 +476,10 @@ void nci_hci_data_received_cb(void *context, + packet = (struct nci_hcp_packet *)hcp_skb->data; + type = NCI_HCP_MSG_GET_TYPE(packet->message.header); + if (type == NCI_HCI_HCP_RESPONSE) { +- pipe = packet->header; +- instruction = NCI_HCP_MSG_GET_CMD(packet->message.header); +- skb_pull(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN + +- NCI_HCI_HCP_MESSAGE_HEADER_LEN); +- nci_hci_hcp_message_rx(ndev, pipe, type, instruction, hcp_skb); ++ pipe = NCI_HCP_MSG_GET_PIPE(packet->header); ++ skb_pull(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN); ++ nci_hci_hcp_message_rx(ndev, pipe, type, ++ NCI_STATUS_OK, hcp_skb); + } else { + skb_queue_tail(&ndev->hci_dev->msg_rx_queue, hcp_skb); + schedule_work(&ndev->hci_dev->msg_rx_work); +@@ -488,6 +511,7 @@ EXPORT_SYMBOL(nci_hci_open_pipe); + int nci_hci_set_param(struct nci_dev *ndev, u8 gate, u8 idx, + const u8 *param, size_t param_len) + { ++ struct nci_hcp_message *message; + struct nci_conn_info *conn_info; + struct nci_data data; + int r; +@@ -520,6 +544,12 @@ int nci_hci_set_param(struct nci_dev *ndev, u8 gate, u8 idx, + r = nci_request(ndev, nci_hci_send_data_req, + (unsigned long)&data, + msecs_to_jiffies(NCI_DATA_TIMEOUT)); ++ if (r == NCI_STATUS_OK) { ++ message = (struct nci_hcp_message *)conn_info->rx_skb->data; ++ r = nci_hci_result_to_errno( ++ NCI_HCP_MSG_GET_CMD(message->header)); ++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN); ++ } + + kfree(tmp); + return r; +@@ -529,6 +559,7 @@ EXPORT_SYMBOL(nci_hci_set_param); + int nci_hci_get_param(struct nci_dev *ndev, u8 gate, u8 idx, + struct sk_buff **skb) + { ++ struct nci_hcp_message *message; + struct nci_conn_info *conn_info; + struct nci_data data; + int r; +@@ -553,8 +584,15 @@ int nci_hci_get_param(struct nci_dev *ndev, u8 gate, u8 idx, + r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data, + msecs_to_jiffies(NCI_DATA_TIMEOUT)); + +- if (r == NCI_STATUS_OK) +- *skb = conn_info->rx_skb; ++ if (r == NCI_STATUS_OK) { ++ message = (struct nci_hcp_message *)conn_info->rx_skb->data; ++ r = nci_hci_result_to_errno( ++ NCI_HCP_MSG_GET_CMD(message->header)); ++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN); ++ ++ if (!r && skb) ++ *skb = conn_info->rx_skb; ++ } + + return r; + } +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 7851b12..71cb085 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2784,22 +2784,40 @@ static int packet_release(struct socket *sock) + * Attach a packet hook. + */ + +-static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 proto) ++static int packet_do_bind(struct sock *sk, const char *name, int ifindex, ++ __be16 proto) + { + struct packet_sock *po = pkt_sk(sk); + struct net_device *dev_curr; + __be16 proto_curr; + bool need_rehook; ++ struct net_device *dev = NULL; ++ int ret = 0; ++ bool unlisted = false; + +- if (po->fanout) { +- if (dev) +- dev_put(dev); +- ++ if (po->fanout) + return -EINVAL; +- } + + lock_sock(sk); + spin_lock(&po->bind_lock); ++ rcu_read_lock(); ++ ++ if (name) { ++ dev = dev_get_by_name_rcu(sock_net(sk), name); ++ if (!dev) { ++ ret = -ENODEV; ++ goto out_unlock; ++ } ++ } else if (ifindex) { ++ dev = dev_get_by_index_rcu(sock_net(sk), ifindex); ++ if (!dev) { ++ ret = -ENODEV; ++ goto out_unlock; ++ } ++ } ++ ++ if (dev) ++ dev_hold(dev); + + proto_curr = po->prot_hook.type; + dev_curr = po->prot_hook.dev; +@@ -2807,14 +2825,29 @@ static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 proto) + need_rehook = proto_curr != proto || dev_curr != dev; + + if (need_rehook) { +- unregister_prot_hook(sk, true); ++ if (po->running) { ++ rcu_read_unlock(); ++ __unregister_prot_hook(sk, true); ++ rcu_read_lock(); ++ dev_curr = po->prot_hook.dev; ++ if (dev) ++ unlisted = !dev_get_by_index_rcu(sock_net(sk), ++ dev->ifindex); ++ } + + po->num = proto; + po->prot_hook.type = proto; +- po->prot_hook.dev = dev; + +- po->ifindex = dev ? dev->ifindex : 0; +- packet_cached_dev_assign(po, dev); ++ if (unlikely(unlisted)) { ++ dev_put(dev); ++ po->prot_hook.dev = NULL; ++ po->ifindex = -1; ++ packet_cached_dev_reset(po); ++ } else { ++ po->prot_hook.dev = dev; ++ po->ifindex = dev ? dev->ifindex : 0; ++ packet_cached_dev_assign(po, dev); ++ } + } + if (dev_curr) + dev_put(dev_curr); +@@ -2822,7 +2855,7 @@ static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 proto) + if (proto == 0 || !need_rehook) + goto out_unlock; + +- if (!dev || (dev->flags & IFF_UP)) { ++ if (!unlisted && (!dev || (dev->flags & IFF_UP))) { + register_prot_hook(sk); + } else { + sk->sk_err = ENETDOWN; +@@ -2831,9 +2864,10 @@ static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 proto) + } + + out_unlock: ++ rcu_read_unlock(); + spin_unlock(&po->bind_lock); + release_sock(sk); +- return 0; ++ return ret; + } + + /* +@@ -2845,8 +2879,6 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr, + { + struct sock *sk = sock->sk; + char name[15]; +- struct net_device *dev; +- int err = -ENODEV; + + /* + * Check legality +@@ -2856,19 +2888,13 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr, + return -EINVAL; + strlcpy(name, uaddr->sa_data, sizeof(name)); + +- dev = dev_get_by_name(sock_net(sk), name); +- if (dev) +- err = packet_do_bind(sk, dev, pkt_sk(sk)->num); +- return err; ++ return packet_do_bind(sk, name, 0, pkt_sk(sk)->num); + } + + static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + { + struct sockaddr_ll *sll = (struct sockaddr_ll *)uaddr; + struct sock *sk = sock->sk; +- struct net_device *dev = NULL; +- int err; +- + + /* + * Check legality +@@ -2879,16 +2905,8 @@ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len + if (sll->sll_family != AF_PACKET) + return -EINVAL; + +- if (sll->sll_ifindex) { +- err = -ENODEV; +- dev = dev_get_by_index(sock_net(sk), sll->sll_ifindex); +- if (dev == NULL) +- goto out; +- } +- err = packet_do_bind(sk, dev, sll->sll_protocol ? : pkt_sk(sk)->num); +- +-out: +- return err; ++ return packet_do_bind(sk, NULL, sll->sll_ifindex, ++ sll->sll_protocol ? : pkt_sk(sk)->num); + } + + static struct proto packet_proto = { +diff --git a/net/rds/connection.c b/net/rds/connection.c +index da6da57..9d66705 100644 +--- a/net/rds/connection.c ++++ b/net/rds/connection.c +@@ -187,6 +187,12 @@ new_conn: + } + } + ++ if (trans == NULL) { ++ kmem_cache_free(rds_conn_slab, conn); ++ conn = ERR_PTR(-ENODEV); ++ goto out; ++ } ++ + conn->c_trans = trans; + + ret = trans->conn_alloc(conn, gfp); +diff --git a/net/rds/tcp_recv.c b/net/rds/tcp_recv.c +index fbc5ef8..27a9921 100644 +--- a/net/rds/tcp_recv.c ++++ b/net/rds/tcp_recv.c +@@ -214,8 +214,15 @@ static int rds_tcp_data_recv(read_descriptor_t *desc, struct sk_buff *skb, + } + + to_copy = min(tc->t_tinc_data_rem, left); +- pskb_pull(clone, offset); +- pskb_trim(clone, to_copy); ++ if (!pskb_pull(clone, offset) || ++ pskb_trim(clone, to_copy)) { ++ pr_warn("rds_tcp_data_recv: pull/trim failed " ++ "left %zu data_rem %zu skb_len %d\n", ++ left, tc->t_tinc_data_rem, skb->len); ++ kfree_skb(clone); ++ desc->error = -ENOMEM; ++ goto out; ++ } + skb_queue_tail(&tinc->ti_skb_list, clone); + + rdsdebug("skb %p data %p len %d off %u to_copy %zu -> " +diff --git a/net/tipc/msg.c b/net/tipc/msg.c +index 08b4cc7..b3a3931 100644 +--- a/net/tipc/msg.c ++++ b/net/tipc/msg.c +@@ -121,7 +121,7 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) + { + struct sk_buff *head = *headbuf; + struct sk_buff *frag = *buf; +- struct sk_buff *tail; ++ struct sk_buff *tail = NULL; + struct tipc_msg *msg; + u32 fragid; + int delta; +@@ -141,9 +141,15 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) + if (unlikely(skb_unclone(frag, GFP_ATOMIC))) + goto err; + head = *headbuf = frag; +- skb_frag_list_init(head); +- TIPC_SKB_CB(head)->tail = NULL; + *buf = NULL; ++ TIPC_SKB_CB(head)->tail = NULL; ++ if (skb_is_nonlinear(head)) { ++ skb_walk_frags(head, tail) { ++ TIPC_SKB_CB(head)->tail = tail; ++ } ++ } else { ++ skb_frag_list_init(head); ++ } + return 0; + } + +diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c +index 66deebc..f8dfee5 100644 +--- a/net/tipc/udp_media.c ++++ b/net/tipc/udp_media.c +@@ -48,6 +48,7 @@ + #include <linux/tipc_netlink.h> + #include "core.h" + #include "bearer.h" ++#include "msg.h" + + /* IANA assigned UDP port */ + #define UDP_PORT_DEFAULT 6118 +@@ -216,6 +217,10 @@ static int tipc_udp_recv(struct sock *sk, struct sk_buff *skb) + { + struct udp_bearer *ub; + struct tipc_bearer *b; ++ int usr = msg_user(buf_msg(skb)); ++ ++ if ((usr == LINK_PROTOCOL) || (usr == NAME_DISTRIBUTOR)) ++ skb_linearize(skb); + + ub = rcu_dereference_sk_user_data(sk); + if (!ub) { +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 76b4157..d059cf3 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -3408,12 +3408,6 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info) + wdev->iftype)) + return -EINVAL; + +- if (info->attrs[NL80211_ATTR_ACL_POLICY]) { +- params.acl = parse_acl_data(&rdev->wiphy, info); +- if (IS_ERR(params.acl)) +- return PTR_ERR(params.acl); +- } +- + if (info->attrs[NL80211_ATTR_SMPS_MODE]) { + params.smps_mode = + nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]); +@@ -3437,6 +3431,12 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info) + params.smps_mode = NL80211_SMPS_OFF; + } + ++ if (info->attrs[NL80211_ATTR_ACL_POLICY]) { ++ params.acl = parse_acl_data(&rdev->wiphy, info); ++ if (IS_ERR(params.acl)) ++ return PTR_ERR(params.acl); ++ } ++ + wdev_lock(wdev); + err = rdev_start_ap(rdev, dev, ¶ms); + if (!err) { +diff --git a/sound/usb/midi.c b/sound/usb/midi.c +index 417ebb1..bec63e0 100644 +--- a/sound/usb/midi.c ++++ b/sound/usb/midi.c +@@ -174,6 +174,8 @@ struct snd_usb_midi_in_endpoint { + u8 running_status_length; + } ports[0x10]; + u8 seen_f5; ++ bool in_sysex; ++ u8 last_cin; + u8 error_resubmit; + int current_port; + }; +@@ -468,6 +470,39 @@ static void snd_usbmidi_maudio_broken_running_status_input( + } + + /* ++ * QinHeng CH345 is buggy: every second packet inside a SysEx has not CIN 4 ++ * but the previously seen CIN, but still with three data bytes. ++ */ ++static void ch345_broken_sysex_input(struct snd_usb_midi_in_endpoint *ep, ++ uint8_t *buffer, int buffer_length) ++{ ++ unsigned int i, cin, length; ++ ++ for (i = 0; i + 3 < buffer_length; i += 4) { ++ if (buffer[i] == 0 && i > 0) ++ break; ++ cin = buffer[i] & 0x0f; ++ if (ep->in_sysex && ++ cin == ep->last_cin && ++ (buffer[i + 1 + (cin == 0x6)] & 0x80) == 0) ++ cin = 0x4; ++#if 0 ++ if (buffer[i + 1] == 0x90) { ++ /* ++ * Either a corrupted running status or a real note-on ++ * message; impossible to detect reliably. ++ */ ++ } ++#endif ++ length = snd_usbmidi_cin_length[cin]; ++ snd_usbmidi_input_data(ep, 0, &buffer[i + 1], length); ++ ep->in_sysex = cin == 0x4; ++ if (!ep->in_sysex) ++ ep->last_cin = cin; ++ } ++} ++ ++/* + * CME protocol: like the standard protocol, but SysEx commands are sent as a + * single USB packet preceded by a 0x0F byte. + */ +@@ -660,6 +695,12 @@ static struct usb_protocol_ops snd_usbmidi_cme_ops = { + .output_packet = snd_usbmidi_output_standard_packet, + }; + ++static struct usb_protocol_ops snd_usbmidi_ch345_broken_sysex_ops = { ++ .input = ch345_broken_sysex_input, ++ .output = snd_usbmidi_standard_output, ++ .output_packet = snd_usbmidi_output_standard_packet, ++}; ++ + /* + * AKAI MPD16 protocol: + * +@@ -1341,6 +1382,7 @@ static int snd_usbmidi_out_endpoint_create(struct snd_usb_midi *umidi, + * Various chips declare a packet size larger than 4 bytes, but + * do not actually work with larger packets: + */ ++ case USB_ID(0x0a67, 0x5011): /* Medeli DD305 */ + case USB_ID(0x0a92, 0x1020): /* ESI M4U */ + case USB_ID(0x1430, 0x474b): /* RedOctane GH MIDI INTERFACE */ + case USB_ID(0x15ca, 0x0101): /* Textech USB Midi Cable */ +@@ -2375,6 +2417,10 @@ int snd_usbmidi_create(struct snd_card *card, + + err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints); + break; ++ case QUIRK_MIDI_CH345: ++ umidi->usb_protocol_ops = &snd_usbmidi_ch345_broken_sysex_ops; ++ err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints); ++ break; + default: + dev_err(&umidi->dev->dev, "invalid quirk type %d\n", + quirk->type); +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h +index e475665..ecc2a4e 100644 +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -2820,6 +2820,17 @@ YAMAHA_DEVICE(0x7010, "UB99"), + .idProduct = 0x1020, + }, + ++/* QinHeng devices */ ++{ ++ USB_DEVICE(0x1a86, 0x752d), ++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { ++ .vendor_name = "QinHeng", ++ .product_name = "CH345", ++ .ifnum = 1, ++ .type = QUIRK_MIDI_CH345 ++ } ++}, ++ + /* KeithMcMillen Stringport */ + { + USB_DEVICE(0x1f38, 0x0001), +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 00ebc0c..eef9b8e 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -535,6 +535,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip, + [QUIRK_MIDI_CME] = create_any_midi_quirk, + [QUIRK_MIDI_AKAI] = create_any_midi_quirk, + [QUIRK_MIDI_FTDI] = create_any_midi_quirk, ++ [QUIRK_MIDI_CH345] = create_any_midi_quirk, + [QUIRK_AUDIO_STANDARD_INTERFACE] = create_standard_audio_quirk, + [QUIRK_AUDIO_FIXED_ENDPOINT] = create_fixed_stream_quirk, + [QUIRK_AUDIO_EDIROL_UAXX] = create_uaxx_quirk, +@@ -1271,6 +1272,7 @@ u64 snd_usb_interface_dsd_format_quirks(struct snd_usb_audio *chip, + case USB_ID(0x20b1, 0x000a): /* Gustard DAC-X20U */ + case USB_ID(0x20b1, 0x2009): /* DIYINHK DSD DXD 384kHz USB to I2S/DSD */ + case USB_ID(0x20b1, 0x2023): /* JLsounds I2SoverUSB */ ++ case USB_ID(0x20b1, 0x3023): /* Aune X1S 32BIT/384 DSD DAC */ + if (fp->altsetting == 3) + return SNDRV_PCM_FMTBIT_DSD_U32_BE; + break; +diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h +index 91d0380..991aa84 100644 +--- a/sound/usb/usbaudio.h ++++ b/sound/usb/usbaudio.h +@@ -94,6 +94,7 @@ enum quirk_type { + QUIRK_MIDI_AKAI, + QUIRK_MIDI_US122L, + QUIRK_MIDI_FTDI, ++ QUIRK_MIDI_CH345, + QUIRK_AUDIO_STANDARD_INTERFACE, + QUIRK_AUDIO_FIXED_ENDPOINT, + QUIRK_AUDIO_EDIROL_UAXX, diff --git a/4.2.6/4420_grsecurity-3.1-4.2.6-201512051918.patch b/4.2.7/4420_grsecurity-3.1-4.2.7-201512092320.patch index 9b88420..0e128e6 100644 --- a/4.2.6/4420_grsecurity-3.1-4.2.6-201512051918.patch +++ b/4.2.7/4420_grsecurity-3.1-4.2.7-201512092320.patch @@ -406,7 +406,7 @@ index 6fccb69..60c7c7a 100644 A toggle value indicating if modules are allowed to be loaded diff --git a/Makefile b/Makefile -index 9ef3739..df5234b 100644 +index f5014ea..5cc28a1 100644 --- a/Makefile +++ b/Makefile @@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -431,7 +431,7 @@ index 9ef3739..df5234b 100644 $(Q)$(MAKE) $(build)=scripts/basic $(Q)rm -f .tmp_quiet_recordmcount -@@ -615,6 +617,79 @@ endif +@@ -615,6 +617,85 @@ endif # Tell gcc to never replace conditional load with a non-conditional one KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0) @@ -466,6 +466,12 @@ index 9ef3739..df5234b 100644 +ifdef CONFIG_CHECKER_PLUGIN +ifeq ($(call cc-ifversion, -ge, 0406, y), y) +CHECKER_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/checker_plugin.so -DCHECKER_PLUGIN ++ifdef CONFIG_CHECKER_PLUGIN_USER ++CHECKER_PLUGIN_CFLAGS += -fplugin-arg-checker_plugin-user -DCHECKER_PLUGIN_USER ++endif ++ifdef CONFIG_CHECKER_PLUGIN_CONTEXT ++CHECKER_PLUGIN_CFLAGS += -fplugin-arg-checker_plugin-context -DCHECKER_PLUGIN_CONTEXT ++endif +endif +endif +COLORIZE_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/colorize_plugin.so @@ -511,7 +517,7 @@ index 9ef3739..df5234b 100644 ifdef CONFIG_READABLE_ASM # Disable optimizations that make assembler listings hard to read. # reorder blocks reorders the control in the function -@@ -714,7 +789,7 @@ KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g) +@@ -714,7 +795,7 @@ KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g) else KBUILD_CFLAGS += -g endif @@ -520,7 +526,7 @@ index 9ef3739..df5234b 100644 endif ifdef CONFIG_DEBUG_INFO_DWARF4 KBUILD_CFLAGS += $(call cc-option, -gdwarf-4,) -@@ -886,7 +961,7 @@ export mod_sign_cmd +@@ -886,7 +967,7 @@ export mod_sign_cmd ifeq ($(KBUILD_EXTMOD),) @@ -529,7 +535,7 @@ index 9ef3739..df5234b 100644 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ -@@ -936,6 +1011,8 @@ endif +@@ -936,6 +1017,8 @@ endif # The actual objects are generated when descending, # make sure no implicit rule kicks in @@ -538,7 +544,7 @@ index 9ef3739..df5234b 100644 $(sort $(vmlinux-deps)): $(vmlinux-dirs) ; # Handle descending into subdirectories listed in $(vmlinux-dirs) -@@ -945,7 +1022,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ; +@@ -945,7 +1028,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ; # Error messages still appears in the original language PHONY += $(vmlinux-dirs) @@ -547,7 +553,7 @@ index 9ef3739..df5234b 100644 $(Q)$(MAKE) $(build)=$@ define filechk_kernel.release -@@ -988,10 +1065,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ +@@ -988,10 +1071,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ archprepare: archheaders archscripts prepare1 scripts_basic @@ -561,7 +567,7 @@ index 9ef3739..df5234b 100644 prepare: prepare0 # Generate some files -@@ -1099,6 +1179,8 @@ all: modules +@@ -1099,6 +1185,8 @@ all: modules # using awk while concatenating to the final file. PHONY += modules @@ -570,7 +576,7 @@ index 9ef3739..df5234b 100644 modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order @$(kecho) ' Building modules, stage 2.'; -@@ -1114,7 +1196,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin) +@@ -1114,7 +1202,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin) # Target to prepare building external modules PHONY += modules_prepare @@ -579,7 +585,7 @@ index 9ef3739..df5234b 100644 # Target to install modules PHONY += modules_install -@@ -1180,7 +1262,10 @@ MRPROPER_FILES += .config .config.old .version .old_version \ +@@ -1180,7 +1268,10 @@ MRPROPER_FILES += .config .config.old .version .old_version \ Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \ signing_key.priv signing_key.x509 x509.genkey \ extra_certificates signing_key.x509.keyid \ @@ -591,7 +597,7 @@ index 9ef3739..df5234b 100644 # clean - Delete most, but leave enough to build external modules # -@@ -1219,7 +1304,7 @@ distclean: mrproper +@@ -1219,7 +1310,7 @@ distclean: mrproper @find $(srctree) $(RCS_FIND_IGNORE) \ \( -name '*.orig' -o -name '*.rej' -o -name '*~' \ -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \ @@ -600,7 +606,7 @@ index 9ef3739..df5234b 100644 -type f -print | xargs rm -f -@@ -1385,6 +1470,8 @@ PHONY += $(module-dirs) modules +@@ -1385,6 +1476,8 @@ PHONY += $(module-dirs) modules $(module-dirs): crmodverdir $(objtree)/Module.symvers $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@) @@ -609,7 +615,7 @@ index 9ef3739..df5234b 100644 modules: $(module-dirs) @$(kecho) ' Building modules, stage 2.'; $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost -@@ -1525,17 +1612,21 @@ else +@@ -1525,17 +1618,21 @@ else target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@)) endif @@ -635,7 +641,7 @@ index 9ef3739..df5234b 100644 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) %.symtypes: %.c prepare scripts FORCE $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) -@@ -1547,11 +1638,15 @@ endif +@@ -1547,11 +1644,15 @@ endif $(build)=$(build-dir) # Make sure the latest headers are built for Documentation Documentation/: headers_install @@ -18606,6 +18612,19 @@ index 48f99f1..d78ebf9 100644 #ifdef CONFIG_X86_VSMP #ifdef CONFIG_SMP +diff --git a/arch/x86/include/asm/cacheflush.h b/arch/x86/include/asm/cacheflush.h +index 9bf3ea1..4693729 100644 +--- a/arch/x86/include/asm/cacheflush.h ++++ b/arch/x86/include/asm/cacheflush.h +@@ -133,7 +133,7 @@ static inline void arch_memcpy_to_pmem(void __pmem *dst, const void *src, + * before the WARN+BUG. + */ + unwritten = __copy_from_user_inatomic_nocache((void __force *) dst, +- (void __user *) src, n); ++ (void __force_user *) src, n); + if (WARN(unwritten, "%s: fault copying %p <- %p unwritten: %d\n", + __func__, dst, src, unwritten)) + BUG(); diff --git a/arch/x86/include/asm/checksum_32.h b/arch/x86/include/asm/checksum_32.h index f50de69..2b0a458 100644 --- a/arch/x86/include/asm/checksum_32.h @@ -18710,15 +18729,18 @@ index ad19841..0784041 100644 ({ \ __typeof__ (*(ptr)) __ret = (inc); \ diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h -index acdee09..a553db3 100644 +index acdee09..e5c31cd 100644 --- a/arch/x86/include/asm/compat.h +++ b/arch/x86/include/asm/compat.h -@@ -41,7 +41,7 @@ typedef s64 __attribute__((aligned(4))) compat_s64; +@@ -41,7 +41,11 @@ typedef s64 __attribute__((aligned(4))) compat_s64; typedef u32 compat_uint_t; typedef u32 compat_ulong_t; typedef u64 __attribute__((aligned(4))) compat_u64; --typedef u32 compat_uptr_t; ++#ifdef CHECKER_PLUGIN_USER + typedef u32 compat_uptr_t; ++#else +typedef u32 __user compat_uptr_t; ++#endif struct compat_timespec { compat_time_t tv_sec; @@ -19062,6 +19084,26 @@ index ced283a..ffe04cc 100644 { union { u64 v64; +diff --git a/arch/x86/include/asm/dma.h b/arch/x86/include/asm/dma.h +index fe884e1..46149ae 100644 +--- a/arch/x86/include/asm/dma.h ++++ b/arch/x86/include/asm/dma.h +@@ -149,6 +149,7 @@ + #ifdef CONFIG_ISA_DMA_API + extern spinlock_t dma_spin_lock; + ++static inline unsigned long claim_dma_lock(void) __acquires(&dma_spin_lock); + static inline unsigned long claim_dma_lock(void) + { + unsigned long flags; +@@ -156,6 +157,7 @@ static inline unsigned long claim_dma_lock(void) + return flags; + } + ++static inline void release_dma_lock(unsigned long flags) __releases(&dma_spin_lock); + static inline void release_dma_lock(unsigned long flags) + { + spin_unlock_irqrestore(&dma_spin_lock, flags); diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index f161c18..97d43e8 100644 --- a/arch/x86/include/asm/elf.h @@ -19508,11 +19550,11 @@ index 6615032..9c233be 100644 extern void elcr_set_level_irq(unsigned int irq); diff --git a/arch/x86/include/asm/i8259.h b/arch/x86/include/asm/i8259.h -index ccffa53..3c90c87 100644 +index 39bcefc..272d904 100644 --- a/arch/x86/include/asm/i8259.h +++ b/arch/x86/include/asm/i8259.h -@@ -62,7 +62,7 @@ struct legacy_pic { - void (*init)(int auto_eoi); +@@ -63,7 +63,7 @@ struct legacy_pic { + int (*probe)(void); int (*irq_pending)(unsigned int irq); void (*make_irq)(unsigned int irq); -}; @@ -22039,7 +22081,7 @@ index cd79194..6a9956f 100644 } diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h -index a8df874..3dcbd7c 100644 +index a8df874..e0aaf5f 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -7,6 +7,7 @@ @@ -22168,12 +22210,16 @@ index a8df874..3dcbd7c 100644 "3: " ASM_CLAC "\n" \ _ASM_EXTABLE_EX(1b, 2b) \ _ASM_EXTABLE_EX(2b, 3b) \ -@@ -260,7 +306,8 @@ extern void __put_user_8(void); - __typeof__(*(ptr)) __pu_val; \ +@@ -257,10 +303,11 @@ extern void __put_user_8(void); + #define put_user(x, ptr) \ + ({ \ + int __ret_pu; \ +- __typeof__(*(ptr)) __pu_val; \ ++ __inttype(*(ptr)) __pu_val; \ __chk_user_ptr(ptr); \ might_fault(); \ - __pu_val = x; \ -+ __pu_val = (x); \ ++ __pu_val = (__inttype(*(ptr)))(x); \ + pax_open_userland(); \ switch (sizeof(*(ptr))) { \ case 1: \ @@ -22186,7 +22232,20 @@ index a8df874..3dcbd7c 100644 __ret_pu; \ }) -@@ -358,8 +406,10 @@ do { \ +@@ -341,10 +389,10 @@ do { \ + __chk_user_ptr(ptr); \ + switch (size) { \ + case 1: \ +- __get_user_asm(x, ptr, retval, "b", "b", "=q", errret); \ ++ __get_user_asm(x, ptr, retval, "zbl", "k", "=r", errret);\ + break; \ + case 2: \ +- __get_user_asm(x, ptr, retval, "w", "w", "=r", errret); \ ++ __get_user_asm(x, ptr, retval, "zwl", "k", "=r", errret);\ + break; \ + case 4: \ + __get_user_asm(x, ptr, retval, "l", "k", "=r", errret); \ +@@ -358,27 +406,31 @@ do { \ } while (0) #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \ @@ -22198,7 +22257,8 @@ index a8df874..3dcbd7c 100644 "2: " ASM_CLAC "\n" \ ".section .fixup,\"ax\"\n" \ "3: mov %3,%0\n" \ -@@ -367,8 +417,10 @@ do { \ +- " xor"itype" %"rtype"1,%"rtype"1\n" \ ++ " xorl %k1,%k1\n" \ " jmp 2b\n" \ ".previous\n" \ _ASM_EXTABLE(1b, 3b) \ @@ -22211,6 +22271,18 @@ index a8df874..3dcbd7c 100644 #define __get_user_size_ex(x, ptr, size) \ do { \ + __chk_user_ptr(ptr); \ + switch (size) { \ + case 1: \ +- __get_user_asm_ex(x, ptr, "b", "b", "=q"); \ ++ __get_user_asm_ex(x, ptr, "zbl", "k", "=r"); \ + break; \ + case 2: \ +- __get_user_asm_ex(x, ptr, "w", "w", "=r"); \ ++ __get_user_asm_ex(x, ptr, "zwl", "k", "=r"); \ + break; \ + case 4: \ + __get_user_asm_ex(x, ptr, "l", "k", "=r"); \ @@ -392,7 +444,7 @@ do { \ } while (0) @@ -22335,10 +22407,16 @@ index a8df874..3dcbd7c 100644 extern void __cmpxchg_wrong_size(void) __compiletime_error("Bad argument size for cmpxchg"); -@@ -547,18 +624,19 @@ extern void __cmpxchg_wrong_size(void) - __typeof__(ptr) __uval = (uval); \ - __typeof__(*(ptr)) __old = (old); \ - __typeof__(*(ptr)) __new = (new); \ +@@ -544,21 +621,22 @@ extern void __cmpxchg_wrong_size(void) + #define __user_atomic_cmpxchg_inatomic(uval, ptr, old, new, size) \ + ({ \ + int __ret = 0; \ +- __typeof__(ptr) __uval = (uval); \ +- __typeof__(*(ptr)) __old = (old); \ +- __typeof__(*(ptr)) __new = (new); \ ++ __typeof__(uval) __uval = (uval); \ ++ __typeof__(*(uval)) __old = (old); \ ++ __typeof__(*(uval)) __new = (new); \ + pax_open_userland(); \ switch (size) { \ case 1: \ @@ -23004,18 +23082,6 @@ index 0f457e6..5970c0a 100644 #define BIOS_END 0x00100000 #define BIOS_ROM_BASE 0xffe00000 -diff --git a/arch/x86/include/uapi/asm/svm.h b/arch/x86/include/uapi/asm/svm.h -index b5d7640..8a4add8 100644 ---- a/arch/x86/include/uapi/asm/svm.h -+++ b/arch/x86/include/uapi/asm/svm.h -@@ -100,6 +100,7 @@ - { SVM_EXIT_EXCP_BASE + UD_VECTOR, "UD excp" }, \ - { SVM_EXIT_EXCP_BASE + PF_VECTOR, "PF excp" }, \ - { SVM_EXIT_EXCP_BASE + NM_VECTOR, "NM excp" }, \ -+ { SVM_EXIT_EXCP_BASE + AC_VECTOR, "AC excp" }, \ - { SVM_EXIT_EXCP_BASE + MC_VECTOR, "MC excp" }, \ - { SVM_EXIT_INTR, "interrupt" }, \ - { SVM_EXIT_NMI, "nmi" }, \ diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile index 0f15af4..501a76a 100644 --- a/arch/x86/kernel/Makefile @@ -23494,27 +23560,25 @@ index bda4886..f9c7195 100644 .name = "default", .probe = probe_default, diff --git a/arch/x86/kernel/apic/vector.c b/arch/x86/kernel/apic/vector.c -index 2683f36..0bdc74c 100644 +index ea4ba83..13a7b74 100644 --- a/arch/x86/kernel/apic/vector.c +++ b/arch/x86/kernel/apic/vector.c -@@ -36,7 +36,7 @@ static struct irq_chip lapic_controller; +@@ -36,6 +36,7 @@ static struct irq_chip lapic_controller; static struct apic_chip_data *legacy_irq_data[NR_IRQS_LEGACY]; #endif --void lock_vector_lock(void) -+void lock_vector_lock(void) __acquires(vector_lock) ++void lock_vector_lock(void) __acquires(&vector_lock); + void lock_vector_lock(void) { /* Used to the online set of cpus does not change - * during assign_irq_vector. -@@ -44,7 +44,7 @@ void lock_vector_lock(void) +@@ -44,6 +45,7 @@ void lock_vector_lock(void) raw_spin_lock(&vector_lock); } --void unlock_vector_lock(void) -+void unlock_vector_lock(void) __releases(vector_lock) ++void unlock_vector_lock(void) __releases(&vector_lock); + void unlock_vector_lock(void) { raw_spin_unlock(&vector_lock); - } diff --git a/arch/x86/kernel/apic/x2apic_cluster.c b/arch/x86/kernel/apic/x2apic_cluster.c index ab3219b..e8033eb 100644 --- a/arch/x86/kernel/apic/x2apic_cluster.c @@ -23748,7 +23812,7 @@ index 04f0fe5..3c0598c 100644 /* diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index cb9e5df..0849dd8 100644 +index e4f929d..0849dd8 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -91,60 +91,6 @@ static const struct cpu_dev default_cpu = { @@ -23812,19 +23876,7 @@ index cb9e5df..0849dd8 100644 static int __init x86_mpx_setup(char *s) { /* require an exact match without trailing characters */ -@@ -272,10 +218,9 @@ __setup("nosmap", setup_disable_smap); - - static __always_inline void setup_smap(struct cpuinfo_x86 *c) - { -- unsigned long eflags; -+ unsigned long eflags = native_save_fl(); - - /* This should have been cleared long ago */ -- raw_local_save_flags(eflags); - BUG_ON(eflags & X86_EFLAGS_AC); - - if (cpu_has(c, X86_FEATURE_SMAP)) { -@@ -287,6 +232,109 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c) +@@ -286,6 +232,109 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c) } } @@ -23934,7 +23986,7 @@ index cb9e5df..0849dd8 100644 /* * Some CPU features depend on higher CPUID levels, which may not always * be available due to CPUID level capping or broken virtualization -@@ -387,7 +435,7 @@ void switch_to_new_gdt(int cpu) +@@ -386,7 +435,7 @@ void switch_to_new_gdt(int cpu) { struct desc_ptr gdt_descr; @@ -23943,7 +23995,7 @@ index cb9e5df..0849dd8 100644 gdt_descr.size = GDT_SIZE - 1; load_gdt(&gdt_descr); /* Reload the per-cpu base */ -@@ -918,6 +966,20 @@ static void identify_cpu(struct cpuinfo_x86 *c) +@@ -917,6 +966,20 @@ static void identify_cpu(struct cpuinfo_x86 *c) setup_smep(c); setup_smap(c); @@ -23964,7 +24016,7 @@ index cb9e5df..0849dd8 100644 /* * The vendor-specific functions might have changed features. * Now we do "generic changes." -@@ -992,7 +1054,7 @@ void enable_sep_cpu(void) +@@ -991,7 +1054,7 @@ void enable_sep_cpu(void) int cpu; cpu = get_cpu(); @@ -23973,7 +24025,7 @@ index cb9e5df..0849dd8 100644 if (!boot_cpu_has(X86_FEATURE_SEP)) goto out; -@@ -1138,10 +1200,12 @@ static __init int setup_disablecpuid(char *arg) +@@ -1137,10 +1200,12 @@ static __init int setup_disablecpuid(char *arg) } __setup("clearcpuid=", setup_disablecpuid); @@ -23989,7 +24041,7 @@ index cb9e5df..0849dd8 100644 DEFINE_PER_CPU_FIRST(union irq_stack_union, irq_stack_union) __aligned(PAGE_SIZE) __visible; -@@ -1253,21 +1317,21 @@ EXPORT_PER_CPU_SYMBOL(current_task); +@@ -1252,21 +1317,21 @@ EXPORT_PER_CPU_SYMBOL(current_task); DEFINE_PER_CPU(int, __preempt_count) = INIT_PREEMPT_COUNT; EXPORT_PER_CPU_SYMBOL(__preempt_count); @@ -24018,7 +24070,7 @@ index cb9e5df..0849dd8 100644 /* * Clear all 6 debug registers: */ -@@ -1343,7 +1407,7 @@ void cpu_init(void) +@@ -1342,7 +1407,7 @@ void cpu_init(void) */ load_ucode_ap(); @@ -24027,7 +24079,7 @@ index cb9e5df..0849dd8 100644 oist = &per_cpu(orig_ist, cpu); #ifdef CONFIG_NUMA -@@ -1375,7 +1439,6 @@ void cpu_init(void) +@@ -1374,7 +1439,6 @@ void cpu_init(void) wrmsrl(MSR_KERNEL_GS_BASE, 0); barrier(); @@ -24035,7 +24087,7 @@ index cb9e5df..0849dd8 100644 x2apic_setup(); /* -@@ -1427,7 +1490,7 @@ void cpu_init(void) +@@ -1426,7 +1490,7 @@ void cpu_init(void) { int cpu = smp_processor_id(); struct task_struct *curr = current; @@ -24316,6 +24368,30 @@ index 969dc17..a9c3fdd 100644 } static void microcode_fini_cpu(int cpu) +diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c +index 3b533cf..b40d426 100644 +--- a/arch/x86/kernel/cpu/mtrr/generic.c ++++ b/arch/x86/kernel/cpu/mtrr/generic.c +@@ -723,7 +723,8 @@ static DEFINE_RAW_SPINLOCK(set_atomicity_lock); + * The caller must ensure that local interrupts are disabled and + * are reenabled after post_set() has been called. + */ +-static void prepare_set(void) __acquires(set_atomicity_lock) ++static void prepare_set(void) __acquires(&set_atomicity_lock); ++static void prepare_set(void) + { + unsigned long cr0; + +@@ -759,7 +760,8 @@ static void prepare_set(void) __acquires(set_atomicity_lock) + wbinvd(); + } + +-static void post_set(void) __releases(set_atomicity_lock) ++static void post_set(void) __releases(&set_atomicity_lock); ++static void post_set(void) + { + /* Flush TLBs (no need to flush caches - they are disabled) */ + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c index e7ed0d8..57a2ab9 100644 --- a/arch/x86/kernel/cpu/mtrr/main.c @@ -24405,10 +24481,95 @@ index 97242a9..cf9c30e 100644 while (amd_iommu_v2_event_descs[i].attr.attr.name) diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c -index 1b09c42..521004d 100644 +index 1b09c42..9627a7b 100644 --- a/arch/x86/kernel/cpu/perf_event_intel.c +++ b/arch/x86/kernel/cpu/perf_event_intel.c -@@ -3019,10 +3019,10 @@ __init int intel_pmu_init(void) +@@ -1900,6 +1900,8 @@ __intel_get_event_constraints(struct cpu_hw_events *cpuc, int idx, + } + + static void ++intel_start_scheduling(struct cpu_hw_events *cpuc) __acquires(&cpuc->excl_cntrs->lock); ++static void + intel_start_scheduling(struct cpu_hw_events *cpuc) + { + struct intel_excl_cntrs *excl_cntrs = cpuc->excl_cntrs; +@@ -1909,14 +1911,18 @@ intel_start_scheduling(struct cpu_hw_events *cpuc) + /* + * nothing needed if in group validation mode + */ +- if (cpuc->is_fake || !is_ht_workaround_enabled()) ++ if (cpuc->is_fake || !is_ht_workaround_enabled()) { ++ __acquire(&excl_cntrs->lock); + return; ++ } + + /* + * no exclusion needed + */ +- if (WARN_ON_ONCE(!excl_cntrs)) ++ if (WARN_ON_ONCE(!excl_cntrs)) { ++ __acquire(&excl_cntrs->lock); + return; ++ } + + xl = &excl_cntrs->states[tid]; + +@@ -1956,6 +1962,8 @@ static void intel_commit_scheduling(struct cpu_hw_events *cpuc, int idx, int cnt + } + + static void ++intel_stop_scheduling(struct cpu_hw_events *cpuc) __releases(&cpuc->excl_cntrs->lock); ++static void + intel_stop_scheduling(struct cpu_hw_events *cpuc) + { + struct intel_excl_cntrs *excl_cntrs = cpuc->excl_cntrs; +@@ -1965,13 +1973,18 @@ intel_stop_scheduling(struct cpu_hw_events *cpuc) + /* + * nothing needed if in group validation mode + */ +- if (cpuc->is_fake || !is_ht_workaround_enabled()) ++ if (cpuc->is_fake || !is_ht_workaround_enabled()) { ++ __release(&excl_cntrs->lock); + return; ++ } ++ + /* + * no exclusion needed + */ +- if (WARN_ON_ONCE(!excl_cntrs)) ++ if (WARN_ON_ONCE(!excl_cntrs)) { ++ __release(&excl_cntrs->lock); + return; ++ } + + xl = &excl_cntrs->states[tid]; + +@@ -2154,19 +2167,22 @@ static void intel_put_excl_constraints(struct cpu_hw_events *cpuc, + * unused now. + */ + if (hwc->idx >= 0) { ++ bool sched_started; ++ + xl = &excl_cntrs->states[tid]; ++ sched_started = xl->sched_started; + + /* + * put_constraint may be called from x86_schedule_events() + * which already has the lock held so here make locking + * conditional. + */ +- if (!xl->sched_started) ++ if (!sched_started) + raw_spin_lock(&excl_cntrs->lock); + + xl->state[hwc->idx] = INTEL_EXCL_UNUSED; + +- if (!xl->sched_started) ++ if (!sched_started) + raw_spin_unlock(&excl_cntrs->lock); + } + } +@@ -3019,10 +3035,10 @@ __init int intel_pmu_init(void) x86_pmu.num_counters_fixed = max((int)edx.split.num_counters_fixed, 3); if (boot_cpu_has(X86_FEATURE_PDCM)) { @@ -25376,7 +25537,7 @@ index dc60810..6c8a1fa 100644 } diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c -index 50ec9af..32d7f10 100644 +index 6545e6d..32d7f10 100644 --- a/arch/x86/kernel/fpu/signal.c +++ b/arch/x86/kernel/fpu/signal.c @@ -54,7 +54,7 @@ static inline int check_for_xstate(struct fxregs_state __user *buf, @@ -25465,34 +25626,8 @@ index 50ec9af..32d7f10 100644 err = -1; } else { sanitize_restored_xstate(tsk, &env, xfeatures, fx_only); -@@ -385,20 +387,19 @@ fpu__alloc_mathframe(unsigned long sp, int ia32_frame, - */ - void fpu__init_prepare_fx_sw_frame(void) - { -- int fsave_header_size = sizeof(struct fregs_state); - int size = xstate_size + FP_XSTATE_MAGIC2_SIZE; - -- if (config_enabled(CONFIG_X86_32)) -- size += fsave_header_size; -- - fx_sw_reserved.magic1 = FP_XSTATE_MAGIC1; - fx_sw_reserved.extended_size = size; - fx_sw_reserved.xfeatures = xfeatures_mask; - fx_sw_reserved.xstate_size = xstate_size; - -- if (config_enabled(CONFIG_IA32_EMULATION)) { -+ if (config_enabled(CONFIG_IA32_EMULATION) || -+ config_enabled(CONFIG_X86_32)) { -+ int fsave_header_size = sizeof(struct fregs_state); -+ - fx_sw_reserved_ia32 = fx_sw_reserved; -- fx_sw_reserved_ia32.extended_size += fsave_header_size; -+ fx_sw_reserved_ia32.extended_size = size + fsave_header_size; - } - } - diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c -index 62fc001..099cbd7 100644 +index 2c4ac07..099cbd7 100644 --- a/arch/x86/kernel/fpu/xstate.c +++ b/arch/x86/kernel/fpu/xstate.c @@ -93,14 +93,14 @@ EXPORT_SYMBOL_GPL(cpu_has_xfeatures); @@ -25512,15 +25647,7 @@ index 62fc001..099cbd7 100644 /* * None of the feature bits are in init state. So nothing else -@@ -402,7 +402,6 @@ void *get_xsave_addr(struct xregs_state *xsave, int xstate_feature) - if (!boot_cpu_has(X86_FEATURE_XSAVE)) - return NULL; - -- xsave = ¤t->thread.fpu.state.xsave; - /* - * We should not ever be requesting features that we - * have not enabled. Remember that pcntxt_mask is -@@ -457,5 +456,5 @@ const void *get_xsave_field_ptr(int xsave_state) +@@ -456,5 +456,5 @@ const void *get_xsave_field_ptr(int xsave_state) */ fpu__save(fpu); @@ -26102,7 +26229,7 @@ index 0e2d96f..5889003 100644 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0 + .endr diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S -index 1d40ca8..2dbedb3 100644 +index ffdc0e8..2dbedb3 100644 --- a/arch/x86/kernel/head_64.S +++ b/arch/x86/kernel/head_64.S @@ -20,6 +20,8 @@ @@ -26127,17 +26254,7 @@ index 1d40ca8..2dbedb3 100644 .text __HEAD -@@ -65,6 +73,9 @@ startup_64: - * tables and then reload them. - */ - -+ /* Sanitize CPU configuration */ -+ call verify_cpu -+ - /* - * Compute the delta between the address I am compiled to run at and the - * address I am actually running at. -@@ -89,11 +100,33 @@ startup_64: +@@ -92,11 +100,33 @@ startup_64: * Fixup the physical addresses in the page table */ addq %rbp, early_level4_pgt + (L4_START_KERNEL*8)(%rip) @@ -26173,13 +26290,10 @@ index 1d40ca8..2dbedb3 100644 /* * Set up the identity mapping for the switchover. These -@@ -174,11 +207,16 @@ ENTRY(secondary_startup_64) - * after the boot processor executes this code. - */ +@@ -180,11 +210,13 @@ ENTRY(secondary_startup_64) + /* Sanitize CPU configuration */ + call verify_cpu -+ /* Sanitize CPU configuration */ -+ call verify_cpu -+ + orq $-1, %rbp + movq $(init_level4_pgt - __START_KERNEL_map), %rax @@ -26192,7 +26306,7 @@ index 1d40ca8..2dbedb3 100644 movq %rcx, %cr4 /* Setup early boot stage 4 level pagetables. */ -@@ -199,10 +237,21 @@ ENTRY(secondary_startup_64) +@@ -205,10 +237,21 @@ ENTRY(secondary_startup_64) movl $MSR_EFER, %ecx rdmsr btsl $_EFER_SCE, %eax /* Enable System Call */ @@ -26215,7 +26329,7 @@ index 1d40ca8..2dbedb3 100644 1: wrmsr /* Make changes effective */ /* Setup cr0 */ -@@ -282,12 +331,15 @@ ENTRY(secondary_startup_64) +@@ -288,6 +331,7 @@ ENTRY(secondary_startup_64) * REX.W + FF /5 JMP m16:64 Jump far, absolute indirect, * address given in m16:64. */ @@ -26223,15 +26337,7 @@ index 1d40ca8..2dbedb3 100644 movq initial_code(%rip),%rax pushq $0 # fake return address to stop unwinder pushq $__KERNEL_CS # set correct cs - pushq %rax # target address in negative space - lretq - -+#include "verify_cpu.S" -+ - #ifdef CONFIG_HOTPLUG_CPU - /* - * Boot CPU0 entry point. It's called from play_dead(). Everything has been set -@@ -313,7 +365,7 @@ ENDPROC(start_cpu0) +@@ -321,7 +365,7 @@ ENDPROC(start_cpu0) .quad INIT_PER_CPU_VAR(irq_stack_union) GLOBAL(stack_start) @@ -26240,7 +26346,7 @@ index 1d40ca8..2dbedb3 100644 .word 0 __FINITDATA -@@ -393,7 +445,7 @@ early_idt_handler_common: +@@ -401,7 +445,7 @@ early_idt_handler_common: call dump_stack #ifdef CONFIG_KALLSYMS leaq early_idt_ripmsg(%rip),%rdi @@ -26249,7 +26355,7 @@ index 1d40ca8..2dbedb3 100644 call __print_symbol #endif #endif /* EARLY_PRINTK */ -@@ -422,6 +474,7 @@ ENDPROC(early_idt_handler_common) +@@ -430,6 +474,7 @@ ENDPROC(early_idt_handler_common) early_recursion_flag: .long 0 @@ -26257,7 +26363,7 @@ index 1d40ca8..2dbedb3 100644 #ifdef CONFIG_EARLY_PRINTK early_idt_msg: .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n" -@@ -444,40 +497,67 @@ GLOBAL(name) +@@ -452,40 +497,67 @@ GLOBAL(name) __INITDATA NEXT_PAGE(early_level4_pgt) .fill 511,8,0 @@ -26337,7 +26443,7 @@ index 1d40ca8..2dbedb3 100644 NEXT_PAGE(level2_kernel_pgt) /* -@@ -494,31 +574,79 @@ NEXT_PAGE(level2_kernel_pgt) +@@ -502,31 +574,79 @@ NEXT_PAGE(level2_kernel_pgt) KERNEL_IMAGE_SIZE/PMD_SIZE) NEXT_PAGE(level2_fixmap_pgt) @@ -26455,7 +26561,7 @@ index 64341aa..b1e6632 100644 +EXPORT_SYMBOL(cpu_pgd); +#endif diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c -index 16cb827..372334f 100644 +index be22f5a..c5d0e1f 100644 --- a/arch/x86/kernel/i8259.c +++ b/arch/x86/kernel/i8259.c @@ -110,7 +110,7 @@ static int i8259A_irq_pending(unsigned int irq) @@ -26476,7 +26582,7 @@ index 16cb827..372334f 100644 /* * Theoretically we do not have to handle this IRQ, * but in Linux this does not cause problems and is -@@ -349,14 +349,16 @@ static void init_8259A(int auto_eoi) +@@ -356,14 +356,16 @@ static void init_8259A(int auto_eoi) /* (slave's support for AEOI in flat mode is to be investigated) */ outb_pic(SLAVE_ICW4_DEFAULT, PIC_SLAVE_IMR); @@ -28544,7 +28650,7 @@ index 98111b3..73ca125 100644 identity_mapped: /* set return address to 0 if not preserving context */ diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 80f874b..b3eff67 100644 +index 1e6f70f..a6b1c8a 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -111,6 +111,7 @@ @@ -29480,7 +29586,7 @@ index 6647624..2056791 100644 force_sig_info(SIGSEGV, SEND_SIG_FORCED, current); } diff --git a/arch/x86/kernel/verify_cpu.S b/arch/x86/kernel/verify_cpu.S -index b9242ba..ae8c9cf 100644 +index 4cf401f..ae8c9cf 100644 --- a/arch/x86/kernel/verify_cpu.S +++ b/arch/x86/kernel/verify_cpu.S @@ -20,6 +20,7 @@ @@ -29491,42 +29597,6 @@ index b9242ba..ae8c9cf 100644 * * verify_cpu, returns the status of longmode and SSE in register %eax. * 0: Success 1: Failure -@@ -34,10 +35,11 @@ - #include <asm/msr-index.h> - - verify_cpu: -- pushfl # Save caller passed flags -- pushl $0 # Kill any dangerous flags -- popfl -+ pushf # Save caller passed flags -+ push $0 # Kill any dangerous flags -+ popf - -+#ifndef __x86_64__ - pushfl # standard way to check for cpuid - popl %eax - movl %eax,%ebx -@@ -48,6 +50,7 @@ verify_cpu: - popl %eax - cmpl %eax,%ebx - jz verify_cpu_no_longmode # cpu has no cpuid -+#endif - - movl $0x0,%eax # See if cpuid 1 is implemented - cpuid -@@ -130,10 +133,10 @@ verify_cpu_sse_test: - jmp verify_cpu_sse_test # try again - - verify_cpu_no_longmode: -- popfl # Restore caller passed flags -+ popf # Restore caller passed flags - movl $1,%eax - ret - verify_cpu_sse_ok: -- popfl # Restore caller passed flags -+ popf # Restore caller passed flags - xorl %eax, %eax - ret diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c index fc9db6e..2c5865d 100644 --- a/arch/x86/kernel/vm86_32.c @@ -29992,10 +30062,10 @@ index 2fbea25..9e0f8c7 100644 out: diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index 2392541a..2aefc2a 100644 +index f17c342..d5d17bc 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c -@@ -3851,7 +3851,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) +@@ -3870,7 +3870,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) int cr = ctxt->modrm_reg; u64 efer = 0; @@ -30004,8 +30074,90 @@ index 2392541a..2aefc2a 100644 0xffffffff00000000ULL, 0, 0, 0, /* CR3 checked later */ CR4_RESERVED_BITS, +diff --git a/arch/x86/kvm/i8259.c b/arch/x86/kvm/i8259.c +index fef922f..18f48a0 100644 +--- a/arch/x86/kvm/i8259.c ++++ b/arch/x86/kvm/i8259.c +@@ -39,14 +39,14 @@ + + static void pic_irq_request(struct kvm *kvm, int level); + ++static void pic_lock(struct kvm_pic *s) __acquires(&s->lock); + static void pic_lock(struct kvm_pic *s) +- __acquires(&s->lock) + { + spin_lock(&s->lock); + } + ++static void pic_unlock(struct kvm_pic *s) __releases(&s->lock); + static void pic_unlock(struct kvm_pic *s) +- __releases(&s->lock) + { + bool wakeup = s->wakeup_needed; + struct kvm_vcpu *vcpu, *found = NULL; +@@ -72,6 +72,7 @@ static void pic_unlock(struct kvm_pic *s) + } + } + ++static void pic_clear_isr(struct kvm_kpic_state *s, int irq) __must_hold(s->pics_state); + static void pic_clear_isr(struct kvm_kpic_state *s, int irq) + { + s->isr &= ~(1 << irq); +@@ -219,6 +220,7 @@ void kvm_pic_clear_all(struct kvm_pic *s, int irq_source_id) + /* + * acknowledge interrupt 'irq' + */ ++static inline void pic_intack(struct kvm_kpic_state *s, int irq) __must_hold(s); + static inline void pic_intack(struct kvm_kpic_state *s, int irq) + { + s->isr |= 1 << irq; +@@ -273,6 +275,7 @@ int kvm_pic_read_irq(struct kvm *kvm) + return intno; + } + ++void kvm_pic_reset(struct kvm_kpic_state *s) __must_hold(s); + void kvm_pic_reset(struct kvm_kpic_state *s) + { + int irq, i; +@@ -307,6 +310,7 @@ void kvm_pic_reset(struct kvm_kpic_state *s) + pic_clear_isr(s, irq); + } + ++static void pic_ioport_write(void *opaque, u32 addr, u32 val) __must_hold(opaque); + static void pic_ioport_write(void *opaque, u32 addr, u32 val) + { + struct kvm_kpic_state *s = opaque; +@@ -400,6 +404,7 @@ static void pic_ioport_write(void *opaque, u32 addr, u32 val) + } + } + ++static u32 pic_poll_read(struct kvm_kpic_state *s, u32 addr1) __must_hold(s); + static u32 pic_poll_read(struct kvm_kpic_state *s, u32 addr1) + { + int ret; +@@ -422,6 +427,7 @@ static u32 pic_poll_read(struct kvm_kpic_state *s, u32 addr1) + return ret; + } + ++static u32 pic_ioport_read(void *opaque, u32 addr1) __must_hold(opaque); + static u32 pic_ioport_read(void *opaque, u32 addr1) + { + struct kvm_kpic_state *s = opaque; +diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c +index 856f791..bfc7694 100644 +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -422,6 +422,8 @@ static void kvm_ioapic_eoi_inject_work(struct work_struct *work) + #define IOAPIC_SUCCESSIVE_IRQ_MAX_COUNT 10000 + + static void __kvm_ioapic_update_eoi(struct kvm_vcpu *vcpu, ++ struct kvm_ioapic *ioapic, int vector, int trigger_mode) __must_hold(&ioapic->lock); ++static void __kvm_ioapic_update_eoi(struct kvm_vcpu *vcpu, + struct kvm_ioapic *ioapic, int vector, int trigger_mode) + { + int i; diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c -index 2a5ca97..ce8577a 100644 +index 236e346..2b0f2be 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c @@ -56,7 +56,7 @@ @@ -30031,19 +30183,18 @@ index 0f67d7e..4b9fa11 100644 goto error; walker->ptep_user[walker->level - 1] = ptep_user; diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c -index 2d32b67..976f46e 100644 +index 00da6e8..7901046 100644 --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c -@@ -1106,6 +1106,8 @@ static void init_vmcb(struct vcpu_svm *svm, bool init_event) - set_exception_intercept(svm, PF_VECTOR); +@@ -1107,6 +1107,7 @@ static void init_vmcb(struct vcpu_svm *svm) set_exception_intercept(svm, UD_VECTOR); set_exception_intercept(svm, MC_VECTOR); -+ set_exception_intercept(svm, AC_VECTOR); + set_exception_intercept(svm, AC_VECTOR); + set_exception_intercept(svm, DB_VECTOR); set_intercept(svm, INTERCEPT_INTR); set_intercept(svm, INTERCEPT_NMI); -@@ -1641,20 +1643,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu, +@@ -1641,20 +1642,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu, mark_dirty(svm->vmcb, VMCB_SEG); } @@ -30065,7 +30216,7 @@ index 2d32b67..976f46e 100644 if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP) set_exception_intercept(svm, BP_VECTOR); } else -@@ -1760,7 +1755,6 @@ static int db_interception(struct vcpu_svm *svm) +@@ -1760,7 +1754,6 @@ static int db_interception(struct vcpu_svm *svm) if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP)) svm->vmcb->save.rflags &= ~(X86_EFLAGS_TF | X86_EFLAGS_RF); @@ -30073,28 +30224,7 @@ index 2d32b67..976f46e 100644 } if (svm->vcpu.guest_debug & -@@ -1795,6 +1789,12 @@ static int ud_interception(struct vcpu_svm *svm) - return 1; - } - -+static int ac_interception(struct vcpu_svm *svm) -+{ -+ kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0); -+ return 1; -+} -+ - static void svm_fpu_activate(struct kvm_vcpu *vcpu) - { - struct vcpu_svm *svm = to_svm(vcpu); -@@ -3369,6 +3369,7 @@ static int (*const svm_exit_handlers[])(struct vcpu_svm *svm) = { - [SVM_EXIT_EXCP_BASE + PF_VECTOR] = pf_interception, - [SVM_EXIT_EXCP_BASE + NM_VECTOR] = nm_interception, - [SVM_EXIT_EXCP_BASE + MC_VECTOR] = mc_interception, -+ [SVM_EXIT_EXCP_BASE + AC_VECTOR] = ac_interception, - [SVM_EXIT_INTR] = intr_interception, - [SVM_EXIT_NMI] = nmi_interception, - [SVM_EXIT_SMI] = nop_on_interception, -@@ -3586,7 +3587,11 @@ static void reload_tss(struct kvm_vcpu *vcpu) +@@ -3593,7 +3586,11 @@ static void reload_tss(struct kvm_vcpu *vcpu) int cpu = raw_smp_processor_id(); struct svm_cpu_data *sd = per_cpu(svm_data, cpu); @@ -30106,7 +30236,7 @@ index 2d32b67..976f46e 100644 load_TR_desc(); } -@@ -3752,7 +3757,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu) +@@ -3759,7 +3756,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu) */ svm->nmi_singlestep = true; svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF); @@ -30114,7 +30244,7 @@ index 2d32b67..976f46e 100644 } static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr) -@@ -3982,6 +3986,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) +@@ -3989,6 +3985,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) #endif #endif @@ -30125,7 +30255,7 @@ index 2d32b67..976f46e 100644 reload_tss(vcpu); local_irq_disable(); -@@ -4355,7 +4363,7 @@ static void svm_sched_in(struct kvm_vcpu *vcpu, int cpu) +@@ -4362,7 +4362,7 @@ static void svm_sched_in(struct kvm_vcpu *vcpu, int cpu) { } @@ -30134,7 +30264,7 @@ index 2d32b67..976f46e 100644 .cpu_has_kvm_support = has_svm, .disabled_by_bios = is_disabled, .hardware_setup = svm_hardware_setup, -@@ -4374,7 +4382,7 @@ static struct kvm_x86_ops svm_x86_ops = { +@@ -4381,7 +4381,7 @@ static struct kvm_x86_ops svm_x86_ops = { .vcpu_load = svm_vcpu_load, .vcpu_put = svm_vcpu_put, @@ -30144,7 +30274,7 @@ index 2d32b67..976f46e 100644 .set_msr = svm_set_msr, .get_segment_base = svm_get_segment_base, diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index aa9e8229..5f643bf 100644 +index e77d75b..0f056cd 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -1440,12 +1440,12 @@ static void vmcs_write64(unsigned long field, u64 value) @@ -30162,15 +30292,6 @@ index aa9e8229..5f643bf 100644 { vmcs_writel(field, vmcs_readl(field) | mask); } -@@ -1567,7 +1567,7 @@ static void update_exception_bitmap(struct kvm_vcpu *vcpu) - u32 eb; - - eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) | -- (1u << NM_VECTOR) | (1u << DB_VECTOR); -+ (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR); - if ((vcpu->guest_debug & - (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) == - (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) @@ -1705,7 +1705,11 @@ static void reload_tss(void) struct desc_struct *descs; @@ -30223,17 +30344,7 @@ index aa9e8229..5f643bf 100644 rdmsr(MSR_IA32_SYSENTER_CS, low32, high32); vmcs_write32(HOST_IA32_SYSENTER_CS, low32); -@@ -5118,6 +5129,9 @@ static int handle_exception(struct kvm_vcpu *vcpu) - return handle_rmode_exception(vcpu, ex_no, error_code); - - switch (ex_no) { -+ case AC_VECTOR: -+ kvm_queue_exception_e(vcpu, AC_VECTOR, error_code); -+ return 1; - case DB_VECTOR: - dr6 = vmcs_readl(EXIT_QUALIFICATION); - if (!(vcpu->guest_debug & -@@ -6097,11 +6111,17 @@ static __init int hardware_setup(void) +@@ -6099,11 +6110,17 @@ static __init int hardware_setup(void) * page upon invalidation. No need to do anything if not * using the APIC_ACCESS_ADDR VMCS field. */ @@ -30253,7 +30364,7 @@ index aa9e8229..5f643bf 100644 if (enable_ept && !cpu_has_vmx_ept_2m_page()) kvm_disable_largepages(); -@@ -6112,6 +6132,7 @@ static __init int hardware_setup(void) +@@ -6114,6 +6131,7 @@ static __init int hardware_setup(void) if (!cpu_has_vmx_apicv()) enable_apicv = 0; @@ -30261,7 +30372,7 @@ index aa9e8229..5f643bf 100644 if (enable_apicv) kvm_x86_ops->update_cr8_intercept = NULL; else { -@@ -6120,6 +6141,7 @@ static __init int hardware_setup(void) +@@ -6122,6 +6140,7 @@ static __init int hardware_setup(void) kvm_x86_ops->deliver_posted_interrupt = NULL; kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy; } @@ -30269,7 +30380,7 @@ index aa9e8229..5f643bf 100644 vmx_disable_intercept_for_msr(MSR_FS_BASE, false); vmx_disable_intercept_for_msr(MSR_GS_BASE, false); -@@ -6174,10 +6196,12 @@ static __init int hardware_setup(void) +@@ -6176,10 +6195,12 @@ static __init int hardware_setup(void) enable_pml = 0; if (!enable_pml) { @@ -30282,7 +30393,7 @@ index aa9e8229..5f643bf 100644 } return alloc_kvm_area(); -@@ -8380,6 +8404,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -8382,6 +8403,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) "jmp 2f \n\t" "1: " __ex(ASM_VMX_VMRESUME) "\n\t" "2: " @@ -30295,7 +30406,7 @@ index aa9e8229..5f643bf 100644 /* Save guest registers, load host registers, keep flags */ "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t" "pop %0 \n\t" -@@ -8432,6 +8462,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -8434,6 +8461,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) #endif [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)), [wordsize]"i"(sizeof(ulong)) @@ -30307,7 +30418,7 @@ index aa9e8229..5f643bf 100644 : "cc", "memory" #ifdef CONFIG_X86_64 , "rax", "rbx", "rdi", "rsi" -@@ -8445,7 +8480,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -8447,7 +8479,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) if (debugctlmsr) update_debugctlmsr(debugctlmsr); @@ -30316,7 +30427,7 @@ index aa9e8229..5f643bf 100644 /* * The sysexit path does not restore ds/es, so we must set them to * a reasonable value ourselves. -@@ -8454,8 +8489,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -8456,8 +8488,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) * may be executed in interrupt context, which saves and restore segments * around it, nullifying its effect. */ @@ -30337,7 +30448,7 @@ index aa9e8229..5f643bf 100644 #endif vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP) -@@ -10309,7 +10354,7 @@ static void vmx_enable_log_dirty_pt_masked(struct kvm *kvm, +@@ -10311,7 +10353,7 @@ static void vmx_enable_log_dirty_pt_masked(struct kvm *kvm, kvm_mmu_clear_dirty_pt_masked(kvm, memslot, offset, mask); } @@ -30347,10 +30458,10 @@ index aa9e8229..5f643bf 100644 .disabled_by_bios = vmx_disabled_by_bios, .hardware_setup = hardware_setup, diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 373328b7..310cf2f 100644 +index 2781e2b..b7bff94 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c -@@ -1842,8 +1842,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) +@@ -1844,8 +1844,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) { struct kvm *kvm = vcpu->kvm; int lm = is_long_mode(vcpu); @@ -30361,7 +30472,7 @@ index 373328b7..310cf2f 100644 u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64 : kvm->arch.xen_hvm_config.blob_size_32; u32 page_num = data & ~PAGE_MASK; -@@ -2733,6 +2733,8 @@ long kvm_arch_dev_ioctl(struct file *filp, +@@ -2735,6 +2735,8 @@ long kvm_arch_dev_ioctl(struct file *filp, if (n < msr_list.nmsrs) goto out; r = -EFAULT; @@ -30370,7 +30481,7 @@ index 373328b7..310cf2f 100644 if (copy_to_user(user_msr_list->indices, &msrs_to_save, num_msrs_to_save * sizeof(u32))) goto out; -@@ -3093,7 +3095,7 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu, +@@ -3095,7 +3097,7 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu, static void fill_xsave(u8 *dest, struct kvm_vcpu *vcpu) { @@ -30379,7 +30490,7 @@ index 373328b7..310cf2f 100644 u64 xstate_bv = xsave->header.xfeatures; u64 valid; -@@ -3129,7 +3131,7 @@ static void fill_xsave(u8 *dest, struct kvm_vcpu *vcpu) +@@ -3131,7 +3133,7 @@ static void fill_xsave(u8 *dest, struct kvm_vcpu *vcpu) static void load_xsave(struct kvm_vcpu *vcpu, u8 *src) { @@ -30388,7 +30499,7 @@ index 373328b7..310cf2f 100644 u64 xstate_bv = *(u64 *)(src + XSAVE_HDR_OFFSET); u64 valid; -@@ -3173,7 +3175,7 @@ static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu, +@@ -3175,7 +3177,7 @@ static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu, fill_xsave((u8 *) guest_xsave->region, vcpu); } else { memcpy(guest_xsave->region, @@ -30397,7 +30508,7 @@ index 373328b7..310cf2f 100644 sizeof(struct fxregs_state)); *(u64 *)&guest_xsave->region[XSAVE_HDR_OFFSET / sizeof(u32)] = XSTATE_FPSSE; -@@ -3198,7 +3200,7 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu, +@@ -3200,7 +3202,7 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu, } else { if (xstate_bv & ~XSTATE_FPSSE) return -EINVAL; @@ -30406,7 +30517,23 @@ index 373328b7..310cf2f 100644 guest_xsave->region, sizeof(struct fxregs_state)); } return 0; -@@ -7217,7 +7219,7 @@ int kvm_arch_vcpu_ioctl_translate(struct kvm_vcpu *vcpu, +@@ -6473,6 +6475,7 @@ void kvm_arch_mmu_notifier_invalidate_page(struct kvm *kvm, + * exiting to the userspace. Otherwise, the value will be returned to the + * userspace. + */ ++static int vcpu_enter_guest(struct kvm_vcpu *vcpu) __must_hold(&vcpu->kvm->srcu); + static int vcpu_enter_guest(struct kvm_vcpu *vcpu) + { + int r; +@@ -6690,6 +6693,7 @@ out: + return r; + } + ++static inline int vcpu_block(struct kvm *kvm, struct kvm_vcpu *vcpu) __must_hold(&kvm->srcu); + static inline int vcpu_block(struct kvm *kvm, struct kvm_vcpu *vcpu) + { + if (!kvm_arch_vcpu_runnable(vcpu)) { +@@ -7229,7 +7233,7 @@ int kvm_arch_vcpu_ioctl_translate(struct kvm_vcpu *vcpu, int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu) { struct fxregs_state *fxsave = @@ -30415,7 +30542,7 @@ index 373328b7..310cf2f 100644 memcpy(fpu->fpr, fxsave->st_space, 128); fpu->fcw = fxsave->cwd; -@@ -7234,7 +7236,7 @@ int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu) +@@ -7246,7 +7250,7 @@ int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu) int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu) { struct fxregs_state *fxsave = @@ -30424,7 +30551,7 @@ index 373328b7..310cf2f 100644 memcpy(fxsave->st_space, fpu->fpr, 128); fxsave->cwd = fpu->fcw; -@@ -7250,9 +7252,9 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu) +@@ -7262,9 +7266,9 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu) static void fx_init(struct kvm_vcpu *vcpu) { @@ -30436,7 +30563,7 @@ index 373328b7..310cf2f 100644 host_xcr0 | XSTATE_COMPACTION_ENABLED; /* -@@ -7276,7 +7278,7 @@ void kvm_load_guest_fpu(struct kvm_vcpu *vcpu) +@@ -7288,7 +7292,7 @@ void kvm_load_guest_fpu(struct kvm_vcpu *vcpu) kvm_put_guest_xcr0(vcpu); vcpu->guest_fpu_loaded = 1; __kernel_fpu_begin(); @@ -30445,7 +30572,7 @@ index 373328b7..310cf2f 100644 trace_kvm_fpu(1); } -@@ -7554,6 +7556,8 @@ bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu) +@@ -7566,6 +7570,8 @@ bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu) struct static_key kvm_no_apic_vcpu __read_mostly; @@ -30454,7 +30581,7 @@ index 373328b7..310cf2f 100644 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu) { struct page *page; -@@ -7570,11 +7574,14 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu) +@@ -7582,11 +7588,14 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu) else vcpu->arch.mp_state = KVM_MP_STATE_UNINITIALIZED; @@ -30473,7 +30600,7 @@ index 373328b7..310cf2f 100644 vcpu->arch.pio_data = page_address(page); kvm_set_tsc_khz(vcpu, max_tsc_khz); -@@ -7628,6 +7635,9 @@ fail_mmu_destroy: +@@ -7640,6 +7649,9 @@ fail_mmu_destroy: kvm_mmu_destroy(vcpu); fail_free_pio_data: free_page((unsigned long)vcpu->arch.pio_data); @@ -30483,7 +30610,7 @@ index 373328b7..310cf2f 100644 fail: return r; } -@@ -7645,6 +7655,8 @@ void kvm_arch_vcpu_uninit(struct kvm_vcpu *vcpu) +@@ -7657,6 +7669,8 @@ void kvm_arch_vcpu_uninit(struct kvm_vcpu *vcpu) free_page((unsigned long)vcpu->arch.pio_data); if (!irqchip_in_kernel(vcpu->kvm)) static_key_slow_dec(&kvm_no_apic_vcpu); @@ -32971,7 +33098,7 @@ index 91d93b9..4b22130 100644 +EXPORT_SYMBOL(set_fs); +#endif diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c -index 0a42327..7a82465 100644 +index 0a42327..45c0063 100644 --- a/arch/x86/lib/usercopy_64.c +++ b/arch/x86/lib/usercopy_64.c @@ -18,6 +18,7 @@ unsigned long __clear_user(void __user *addr, unsigned long size) @@ -33031,8 +33158,9 @@ index 0a42327..7a82465 100644 /* If the destination is a kernel buffer, we always clear the end */ - if (!__addr_ok(to)) +- memset(to, 0, len); + if (!__addr_ok(to) && (unsigned long)to >= TASK_SIZE_MAX + pax_user_shadow_base) - memset(to, 0, len); ++ memset((void __force_kernel *)to, 0, len); return len; } diff --git a/arch/x86/math-emu/fpu_aux.c b/arch/x86/math-emu/fpu_aux.c @@ -34908,77 +35036,23 @@ index 0057a7acc..95c7edd 100644 might_sleep(); if (is_enabled()) /* recheck and proper locking in *_core() */ diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c -index db1b0bc..c28f618 100644 +index c28f618..73c7772 100644 --- a/arch/x86/mm/mpx.c +++ b/arch/x86/mm/mpx.c -@@ -622,6 +622,29 @@ static unsigned long mpx_bd_entry_to_bt_addr(struct mm_struct *mm, - } - - /* -+ * We only want to do a 4-byte get_user() on 32-bit. Otherwise, -+ * we might run off the end of the bounds table if we are on -+ * a 64-bit kernel and try to get 8 bytes. -+ */ -+int get_user_bd_entry(struct mm_struct *mm, unsigned long *bd_entry_ret, -+ long __user *bd_entry_ptr) -+{ -+ u32 bd_entry_32; -+ int ret; -+ -+ if (is_64bit_mm(mm)) -+ return get_user(*bd_entry_ret, bd_entry_ptr); -+ -+ /* -+ * Note that get_user() uses the type of the *pointer* to -+ * establish the size of the get, not the destination. -+ */ -+ ret = get_user(bd_entry_32, (u32 __user *)bd_entry_ptr); -+ *bd_entry_ret = bd_entry_32; -+ return ret; -+} -+ -+/* - * Get the base of bounds tables pointed by specific bounds - * directory entry. - */ -@@ -641,7 +664,7 @@ static int get_bt_addr(struct mm_struct *mm, - int need_write = 0; - - pagefault_disable(); -- ret = get_user(bd_entry, bd_entry_ptr); -+ ret = get_user_bd_entry(mm, &bd_entry, bd_entry_ptr); - pagefault_enable(); - if (!ret) - break; -@@ -736,11 +759,23 @@ static unsigned long mpx_get_bt_entry_offset_bytes(struct mm_struct *mm, - */ - static inline unsigned long bd_entry_virt_space(struct mm_struct *mm) - { -- unsigned long long virt_space = (1ULL << boot_cpu_data.x86_virt_bits); -- if (is_64bit_mm(mm)) -- return virt_space / MPX_BD_NR_ENTRIES_64; -- else -- return virt_space / MPX_BD_NR_ENTRIES_32; -+ unsigned long long virt_space; -+ unsigned long long GB = (1ULL << 30); -+ -+ /* -+ * This covers 32-bit emulation as well as 32-bit kernels -+ * running on 64-bit harware. -+ */ -+ if (!is_64bit_mm(mm)) -+ return (4ULL * GB) / MPX_BD_NR_ENTRIES_32; -+ -+ /* -+ * 'x86_virt_bits' returns what the hardware is capable -+ * of, and returns the full >32-bit adddress space when -+ * running 32-bit kernels on 64-bit hardware. -+ */ -+ virt_space = (1ULL << boot_cpu_data.x86_virt_bits); -+ return virt_space / MPX_BD_NR_ENTRIES_64; - } - - /* +@@ -329,11 +329,11 @@ siginfo_t *mpx_generate_siginfo(struct pt_regs *regs) + * We were not able to extract an address from the instruction, + * probably because there was something invalid in it. + */ +- if (info->si_addr == (void *)-1) { ++ if (info->si_addr == (void __user *)-1) { + err = -EINVAL; + goto err_out; + } +- trace_mpx_bounds_register_exception(info->si_addr, bndreg); ++ trace_mpx_bounds_register_exception((void __force_kernel *)info->si_addr, bndreg); + return info; + err_out: + /* info might be NULL, but kfree() handles that */ diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c index 4053bb5..b1ad3dc 100644 --- a/arch/x86/mm/numa.c @@ -34993,7 +35067,7 @@ index 4053bb5..b1ad3dc 100644 unsigned long uninitialized_var(pfn_align); int i, nid; diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c -index 727158c..54dd3ff 100644 +index 727158c..e278402 100644 --- a/arch/x86/mm/pageattr.c +++ b/arch/x86/mm/pageattr.c @@ -260,7 +260,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address, @@ -35090,7 +35164,28 @@ index 727158c..54dd3ff 100644 pgprot_val(req_prot) &= ~pgprot_val(cpa->mask_clr); pgprot_val(req_prot) |= pgprot_val(cpa->mask_set); -@@ -1176,7 +1200,9 @@ repeat: +@@ -675,6 +699,10 @@ __split_large_page(struct cpa_data *cpa, pte_t *kpte, unsigned long address, + return 0; + } + ++#if debug_pagealloc == 0 ++static int split_large_page(struct cpa_data *cpa, pte_t *kpte, ++ unsigned long address) __must_hold(&cpa_lock); ++#endif + static int split_large_page(struct cpa_data *cpa, pte_t *kpte, + unsigned long address) + { +@@ -1118,6 +1146,9 @@ static int __cpa_process_fault(struct cpa_data *cpa, unsigned long vaddr, + } + } + ++#if debug_pagealloc == 0 ++static int __change_page_attr(struct cpa_data *cpa, int primary) __must_hold(&cpa_lock); ++#endif + static int __change_page_attr(struct cpa_data *cpa, int primary) + { + unsigned long address; +@@ -1176,7 +1207,9 @@ repeat: * Do we really change anything ? */ if (pte_val(old_pte) != pte_val(new_pte)) { @@ -39200,6 +39295,21 @@ index 5005924..9fc06c4 100644 if (sif->remove_dev) { subsys_dev_iter_init(&iter, subsys, NULL, NULL); while ((dev = subsys_dev_iter_next(&iter))) +diff --git a/drivers/base/devres.c b/drivers/base/devres.c +index 8754646..6828fbe 100644 +--- a/drivers/base/devres.c ++++ b/drivers/base/devres.c +@@ -475,7 +475,9 @@ static int remove_nodes(struct device *dev, + + static int release_nodes(struct device *dev, struct list_head *first, + struct list_head *end, unsigned long flags) +- __releases(&dev->devres_lock) ++ __releases(&dev->devres_lock); ++static int release_nodes(struct device *dev, struct list_head *first, ++ struct list_head *end, unsigned long flags) + { + LIST_HEAD(todo); + int cnt; diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c index 68f0314..ca2a609 100644 --- a/drivers/base/devtmpfs.c @@ -39277,6 +39387,40 @@ index 0ee43c1..369dd62 100644 pm_genpd_poweron(pd); return 0; +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index e1a10a0..a6bc363 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -263,8 +263,8 @@ static int rpm_check_suspend_allowed(struct device *dev) + * @cb: Runtime PM callback to run. + * @dev: Device to run the callback for. + */ ++static int __rpm_callback(int (*cb)(struct device *), struct device *dev) __must_hold(&dev->power.lock); + static int __rpm_callback(int (*cb)(struct device *), struct device *dev) +- __releases(&dev->power.lock) __acquires(&dev->power.lock) + { + int retval; + +@@ -412,8 +412,8 @@ static int rpm_callback(int (*cb)(struct device *), struct device *dev) + * + * This function must be called under dev->power.lock with interrupts disabled. + */ ++static int rpm_suspend(struct device *dev, int rpmflags) __must_hold(&dev->power.lock); + static int rpm_suspend(struct device *dev, int rpmflags) +- __releases(&dev->power.lock) __acquires(&dev->power.lock) + { + int (*callback)(struct device *); + struct device *parent = NULL; +@@ -594,8 +594,8 @@ static int rpm_suspend(struct device *dev, int rpmflags) + * + * This function must be called under dev->power.lock with interrupts disabled. + */ ++static int rpm_resume(struct device *dev, int rpmflags) __must_hold(&dev->power.lock); + static int rpm_resume(struct device *dev, int rpmflags) +- __releases(&dev->power.lock) __acquires(&dev->power.lock) + { + int (*callback)(struct device *); + struct device *parent = NULL; diff --git a/drivers/base/power/sysfs.c b/drivers/base/power/sysfs.c index d2be3f9..0a3167a 100644 --- a/drivers/base/power/sysfs.c @@ -39370,6 +39514,30 @@ index c8941f3..f7c7a7e 100644 tot_len = reg_len + 10; /* ': R W V P\n' */ for (i = 0; i <= map->max_register; i += map->reg_stride) { +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index 7111d04..bcda737 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -340,8 +340,8 @@ static void regmap_unlock_mutex(void *__map) + mutex_unlock(&map->mutex); + } + ++static void regmap_lock_spinlock(void *__map) __acquires(&map->spinlock); + static void regmap_lock_spinlock(void *__map) +-__acquires(&map->spinlock) + { + struct regmap *map = __map; + unsigned long flags; +@@ -350,8 +350,8 @@ __acquires(&map->spinlock) + map->spinlock_flags = flags; + } + ++static void regmap_unlock_spinlock(void *__map) __releases(&map->spinlock); + static void regmap_unlock_spinlock(void *__map) +-__releases(&map->spinlock) + { + struct regmap *map = __map; + spin_unlock_irqrestore(&map->spinlock, map->spinlock_flags); diff --git a/drivers/base/syscore.c b/drivers/base/syscore.c index 8d98a32..61d3165 100644 --- a/drivers/base/syscore.c @@ -39810,7 +39978,7 @@ index 74df8cf..e41fc24 100644 if (!msg) goto failed; diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c -index c097909..13688e1 100644 +index c097909..b0dd588 100644 --- a/drivers/block/drbd/drbd_receiver.c +++ b/drivers/block/drbd/drbd_receiver.c @@ -870,7 +870,7 @@ int drbd_connected(struct drbd_peer_device *peer_device) @@ -39863,7 +40031,18 @@ index c097909..13688e1 100644 list_add(&epoch->list, &connection->current_epoch->list); connection->current_epoch = epoch; connection->epochs++; -@@ -1802,7 +1802,7 @@ static int recv_resync_read(struct drbd_peer_device *peer_device, sector_t secto +@@ -1780,7 +1780,9 @@ static int e_end_resync_block(struct drbd_work *w, int unused) + } + + static int recv_resync_read(struct drbd_peer_device *peer_device, sector_t sector, +- struct packet_info *pi) __releases(local) ++ struct packet_info *pi) __releases(local); ++static int recv_resync_read(struct drbd_peer_device *peer_device, sector_t sector, ++ struct packet_info *pi) + { + struct drbd_device *device = peer_device->device; + struct drbd_peer_request *peer_req; +@@ -1802,7 +1804,7 @@ static int recv_resync_read(struct drbd_peer_device *peer_device, sector_t secto list_add_tail(&peer_req->w.list, &device->sync_ee); spin_unlock_irq(&device->resource->req_lock); @@ -39872,7 +40051,7 @@ index c097909..13688e1 100644 if (drbd_submit_peer_request(device, peer_req, WRITE, DRBD_FAULT_RS_WR) == 0) return 0; -@@ -1900,7 +1900,7 @@ static int receive_RSDataReply(struct drbd_connection *connection, struct packet +@@ -1900,7 +1902,7 @@ static int receive_RSDataReply(struct drbd_connection *connection, struct packet drbd_send_ack_dp(peer_device, P_NEG_ACK, p, pi->size); } @@ -39881,7 +40060,7 @@ index c097909..13688e1 100644 return err; } -@@ -2290,7 +2290,7 @@ static int receive_Data(struct drbd_connection *connection, struct packet_info * +@@ -2290,7 +2292,7 @@ static int receive_Data(struct drbd_connection *connection, struct packet_info * err = wait_for_and_update_peer_seq(peer_device, peer_seq); drbd_send_ack_dp(peer_device, P_NEG_ACK, p, pi->size); @@ -39890,7 +40069,7 @@ index c097909..13688e1 100644 err2 = drbd_drain_block(peer_device, pi->size); if (!err) err = err2; -@@ -2334,7 +2334,7 @@ static int receive_Data(struct drbd_connection *connection, struct packet_info * +@@ -2334,7 +2336,7 @@ static int receive_Data(struct drbd_connection *connection, struct packet_info * spin_lock(&connection->epoch_lock); peer_req->epoch = connection->current_epoch; @@ -39899,7 +40078,7 @@ index c097909..13688e1 100644 atomic_inc(&peer_req->epoch->active); spin_unlock(&connection->epoch_lock); -@@ -2479,7 +2479,7 @@ bool drbd_rs_c_min_rate_throttle(struct drbd_device *device) +@@ -2479,7 +2481,7 @@ bool drbd_rs_c_min_rate_throttle(struct drbd_device *device) curr_events = (int)part_stat_read(&disk->part0, sectors[0]) + (int)part_stat_read(&disk->part0, sectors[1]) - @@ -39908,7 +40087,7 @@ index c097909..13688e1 100644 if (atomic_read(&device->ap_actlog_cnt) || curr_events - device->rs_last_events > 64) { -@@ -2618,7 +2618,7 @@ static int receive_DataRequest(struct drbd_connection *connection, struct packet +@@ -2618,7 +2620,7 @@ static int receive_DataRequest(struct drbd_connection *connection, struct packet device->use_csums = true; } else if (pi->cmd == P_OV_REPLY) { /* track progress, we may need to throttle */ @@ -39917,7 +40096,7 @@ index c097909..13688e1 100644 peer_req->w.cb = w_e_end_ov_reply; dec_rs_pending(device); /* drbd_rs_begin_io done when we sent this request, -@@ -2691,7 +2691,7 @@ static int receive_DataRequest(struct drbd_connection *connection, struct packet +@@ -2691,7 +2693,7 @@ static int receive_DataRequest(struct drbd_connection *connection, struct packet goto out_free_e; submit_for_resync: @@ -39926,7 +40105,7 @@ index c097909..13688e1 100644 submit: update_receiver_timing_details(connection, drbd_submit_peer_request); -@@ -4564,7 +4564,7 @@ struct data_cmd { +@@ -4564,7 +4566,7 @@ struct data_cmd { int expect_payload; size_t pkt_size; int (*fn)(struct drbd_connection *, struct packet_info *); @@ -39935,7 +40114,7 @@ index c097909..13688e1 100644 static struct data_cmd drbd_cmd_handler[] = { [P_DATA] = { 1, sizeof(struct p_data), receive_Data }, -@@ -4678,7 +4678,7 @@ static void conn_disconnect(struct drbd_connection *connection) +@@ -4678,7 +4680,7 @@ static void conn_disconnect(struct drbd_connection *connection) if (!list_empty(&connection->current_epoch->list)) drbd_err(connection, "ASSERTION FAILED: connection->current_epoch->list not empty\n"); /* ok, no more ee's on the fly, it is safe to reset the epoch_size */ @@ -39944,7 +40123,7 @@ index c097909..13688e1 100644 connection->send.seen_any_write_yet = false; drbd_info(connection, "Connection closed\n"); -@@ -5182,7 +5182,7 @@ static int got_IsInSync(struct drbd_connection *connection, struct packet_info * +@@ -5182,7 +5184,7 @@ static int got_IsInSync(struct drbd_connection *connection, struct packet_info * put_ldev(device); } dec_rs_pending(device); @@ -39953,7 +40132,7 @@ index c097909..13688e1 100644 return 0; } -@@ -5470,7 +5470,7 @@ static int connection_finish_peer_reqs(struct drbd_connection *connection) +@@ -5470,7 +5472,7 @@ static int connection_finish_peer_reqs(struct drbd_connection *connection) struct asender_cmd { size_t pkt_size; int (*fn)(struct drbd_connection *connection, struct packet_info *); @@ -39963,10 +40142,30 @@ index c097909..13688e1 100644 static struct asender_cmd asender_tbl[] = { [P_PING] = { 0, got_Ping }, diff --git a/drivers/block/drbd/drbd_worker.c b/drivers/block/drbd/drbd_worker.c -index d0fae55..4469096 100644 +index d0fae55..e85f28e 100644 --- a/drivers/block/drbd/drbd_worker.c +++ b/drivers/block/drbd/drbd_worker.c -@@ -408,7 +408,7 @@ static int read_for_csum(struct drbd_peer_device *peer_device, sector_t sector, +@@ -94,7 +94,8 @@ void drbd_md_endio(struct bio *bio, int error) + /* reads on behalf of the partner, + * "submitted" by the receiver + */ +-static void drbd_endio_read_sec_final(struct drbd_peer_request *peer_req) __releases(local) ++static void drbd_endio_read_sec_final(struct drbd_peer_request *peer_req) __releases(local); ++static void drbd_endio_read_sec_final(struct drbd_peer_request *peer_req) + { + unsigned long flags = 0; + struct drbd_peer_device *peer_device = peer_req->peer_device; +@@ -115,7 +116,8 @@ static void drbd_endio_read_sec_final(struct drbd_peer_request *peer_req) __rele + + /* writes on behalf of the partner, or resync writes, + * "submitted" by the receiver, final stage. */ +-void drbd_endio_write_sec_final(struct drbd_peer_request *peer_req) __releases(local) ++void drbd_endio_write_sec_final(struct drbd_peer_request *peer_req) __releases(local); ++void drbd_endio_write_sec_final(struct drbd_peer_request *peer_req) + { + unsigned long flags = 0; + struct drbd_peer_device *peer_device = peer_req->peer_device; +@@ -408,7 +410,7 @@ static int read_for_csum(struct drbd_peer_device *peer_device, sector_t sector, list_add_tail(&peer_req->w.list, &device->read_ee); spin_unlock_irq(&device->resource->req_lock); @@ -39975,7 +40174,7 @@ index d0fae55..4469096 100644 if (drbd_submit_peer_request(device, peer_req, READ, DRBD_FAULT_RS_RD) == 0) return 0; -@@ -553,7 +553,7 @@ static int drbd_rs_number_requests(struct drbd_device *device) +@@ -553,7 +555,7 @@ static int drbd_rs_number_requests(struct drbd_device *device) unsigned int sect_in; /* Number of sectors that came in since the last turn */ int number, mxb; @@ -39984,7 +40183,7 @@ index d0fae55..4469096 100644 device->rs_in_flight -= sect_in; rcu_read_lock(); -@@ -1595,8 +1595,8 @@ void drbd_rs_controller_reset(struct drbd_device *device) +@@ -1595,8 +1597,8 @@ void drbd_rs_controller_reset(struct drbd_device *device) struct gendisk *disk = device->ldev->backing_bdev->bd_contains->bd_disk; struct fifo_buffer *plan; @@ -39995,6 +40194,20 @@ index d0fae55..4469096 100644 device->rs_in_flight = 0; device->rs_last_events = (int)part_stat_read(&disk->part0, sectors[0]) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 0e385d8..0c63d6a 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -538,8 +538,8 @@ static int nbd_thread(void *data) + * { printk( "Warning: Ignoring result!\n"); nbd_end_request( req ); } + */ + ++static void do_nbd_request(struct request_queue *q) __must_hold(q->queue_lock); + static void do_nbd_request(struct request_queue *q) +- __releases(q->queue_lock) __acquires(q->queue_lock) + { + struct request *req; + diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c index 4c20c22..caef1eb 100644 --- a/drivers/block/pktcdvd.c @@ -40309,7 +40522,7 @@ index bf75f63..359fa10 100644 intf->proc_dir = NULL; diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c -index 8a45e92..e41b1c7 100644 +index 8a45e92..3546003 100644 --- a/drivers/char/ipmi/ipmi_si_intf.c +++ b/drivers/char/ipmi/ipmi_si_intf.c @@ -289,7 +289,7 @@ struct smi_info { @@ -40333,6 +40546,25 @@ index 8a45e92..e41b1c7 100644 #define SI_MAX_PARMS 4 +@@ -1203,14 +1203,14 @@ static int smi_start_processing(void *send_info, + + new_smi->intf = intf; + +- /* Try to claim any interrupts. */ +- if (new_smi->irq_setup) +- new_smi->irq_setup(new_smi); +- + /* Set up the timer that drives the interface. */ + setup_timer(&new_smi->si_timer, smi_timeout, (long)new_smi); + smi_mod_timer(new_smi, jiffies + SI_TIMEOUT_JIFFIES); + ++ /* Try to claim any interrupts. */ ++ if (new_smi->irq_setup) ++ new_smi->irq_setup(new_smi); ++ + /* + * Check if the user forcefully enabled the daemon. + */ @@ -3500,7 +3500,7 @@ static int try_smi_init(struct smi_info *new_smi) atomic_set(&new_smi->req_events, 0); new_smi->run_to_completion = false; @@ -40741,10 +40973,10 @@ index 3a56a13..f8cbd25 100644 return 0; } diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c -index d2406fe..243951a 100644 +index d2406fe..473a5c0 100644 --- a/drivers/char/virtio_console.c +++ b/drivers/char/virtio_console.c -@@ -685,7 +685,7 @@ static ssize_t fill_readbuf(struct port *port, char __user *out_buf, +@@ -685,11 +685,11 @@ static ssize_t fill_readbuf(struct port *port, char __user *out_buf, if (to_user) { ssize_t ret; @@ -40753,15 +40985,20 @@ index d2406fe..243951a 100644 if (ret) return -EFAULT; } else { -@@ -789,7 +789,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf, - if (!port_has_data(port) && !port->host_connected) - return 0; +- memcpy((__force char *)out_buf, buf->buf + buf->offset, ++ memcpy((__force_kernel char *)out_buf, buf->buf + buf->offset, + out_count); + } -- return fill_readbuf(port, ubuf, count, true); -+ return fill_readbuf(port, (char __force_kernel *)ubuf, count, true); +@@ -1164,7 +1164,7 @@ static int get_chars(u32 vtermno, char *buf, int count) + /* If we don't have an input queue yet, we can't get input. */ + BUG_ON(!port->in_vq); + +- return fill_readbuf(port, (__force char __user *)buf, count, false); ++ return fill_readbuf(port, (char __force_user *)buf, count, false); } - static int wait_port_writable(struct port *port, bool nonblock) + static void resize_console(struct port *port) diff --git a/drivers/clk/clk-composite.c b/drivers/clk/clk-composite.c index 616f5ae..747bdd0 100644 --- a/drivers/clk/clk-composite.c @@ -47780,7 +48017,7 @@ index 6ba47cf..a870ba2 100644 pmd->bl_info.value_type.inc = data_block_inc; pmd->bl_info.value_type.dec = data_block_dec; diff --git a/drivers/md/dm.c b/drivers/md/dm.c -index 3e32f4e..01e0a7f 100644 +index 3e32f4e..18528b7 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -194,9 +194,9 @@ struct mapped_device { @@ -47795,7 +48032,44 @@ index 3e32f4e..01e0a7f 100644 struct list_head uevent_list; spinlock_t uevent_lock; /* Protect access to uevent_list */ -@@ -2339,8 +2339,8 @@ static struct mapped_device *alloc_dev(int minor) +@@ -705,14 +705,16 @@ static void queue_io(struct mapped_device *md, struct bio *bio) + * function to access the md->map field, and make sure they call + * dm_put_live_table() when finished. + */ +-struct dm_table *dm_get_live_table(struct mapped_device *md, int *srcu_idx) __acquires(md->io_barrier) ++struct dm_table *dm_get_live_table(struct mapped_device *md, int *srcu_idx) __acquires(&md->io_barrier); ++struct dm_table *dm_get_live_table(struct mapped_device *md, int *srcu_idx) + { + *srcu_idx = srcu_read_lock(&md->io_barrier); + + return srcu_dereference(md->map, &md->io_barrier); + } + +-void dm_put_live_table(struct mapped_device *md, int srcu_idx) __releases(md->io_barrier) ++void dm_put_live_table(struct mapped_device *md, int srcu_idx) __releases(&md->io_barrier); ++void dm_put_live_table(struct mapped_device *md, int srcu_idx) + { + srcu_read_unlock(&md->io_barrier, srcu_idx); + } +@@ -727,13 +729,15 @@ void dm_sync_table(struct mapped_device *md) + * A fast alternative to dm_get_live_table/dm_put_live_table. + * The caller must not block between these two functions. + */ +-static struct dm_table *dm_get_live_table_fast(struct mapped_device *md) __acquires(RCU) ++static struct dm_table *dm_get_live_table_fast(struct mapped_device *md) __acquires(RCU); ++static struct dm_table *dm_get_live_table_fast(struct mapped_device *md) + { + rcu_read_lock(); + return rcu_dereference(md->map); + } + +-static void dm_put_live_table_fast(struct mapped_device *md) __releases(RCU) ++static void dm_put_live_table_fast(struct mapped_device *md) __releases(RCU); ++static void dm_put_live_table_fast(struct mapped_device *md) + { + rcu_read_unlock(); + } +@@ -2339,8 +2343,8 @@ static struct mapped_device *alloc_dev(int minor) spin_lock_init(&md->deferred_lock); atomic_set(&md->holders, 1); atomic_set(&md->open_count, 0); @@ -47806,7 +48080,7 @@ index 3e32f4e..01e0a7f 100644 INIT_LIST_HEAD(&md->uevent_list); INIT_LIST_HEAD(&md->table_devices); spin_lock_init(&md->uevent_lock); -@@ -2481,7 +2481,7 @@ static void event_callback(void *context) +@@ -2481,7 +2485,7 @@ static void event_callback(void *context) dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj); @@ -47815,7 +48089,7 @@ index 3e32f4e..01e0a7f 100644 wake_up(&md->eventq); } -@@ -3479,18 +3479,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, +@@ -3479,18 +3483,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, uint32_t dm_next_uevent_seq(struct mapped_device *md) { @@ -50347,18 +50621,9 @@ index e8c96b8..516a96c 100644 Say Y here if you want to support for Freescale FlexCAN. diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c -index aede704..ca734ed 100644 +index 141c2a4..ca734ed 100644 --- a/drivers/net/can/dev.c +++ b/drivers/net/can/dev.c -@@ -915,7 +915,7 @@ static int can_fill_info(struct sk_buff *skb, const struct net_device *dev) - nla_put(skb, IFLA_CAN_BITTIMING_CONST, - sizeof(*priv->bittiming_const), priv->bittiming_const)) || - -- nla_put(skb, IFLA_CAN_CLOCK, sizeof(cm), &priv->clock) || -+ nla_put(skb, IFLA_CAN_CLOCK, sizeof(priv->clock), &priv->clock) || - nla_put_u32(skb, IFLA_CAN_STATE, state) || - nla_put(skb, IFLA_CAN_CTRLMODE, sizeof(cm), &cm) || - nla_put_u32(skb, IFLA_CAN_RESTART_MS, priv->restart_ms) || @@ -961,7 +961,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev, return -EOPNOTSUPP; } @@ -50531,7 +50796,7 @@ index b3bc87f..5bdfdd3 100644 + .wrapper_rx_desc_init = xgbe_wrapper_rx_descriptor_init, +}; diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c -index a4473d8..039a2ab 100644 +index f672dba3..d71818d 100644 --- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c @@ -2776,7 +2776,7 @@ static void xgbe_powerdown_rx(struct xgbe_prv_data *pdata) @@ -50727,7 +50992,7 @@ index a4473d8..039a2ab 100644 + .set_rss_lookup_table = xgbe_set_rss_lookup_table, +}; diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c -index aae9d5e..29ce58d 100644 +index dde0486..831e127 100644 --- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c @@ -245,7 +245,7 @@ static int xgbe_maybe_stop_tx_queue(struct xgbe_channel *channel, @@ -50972,7 +51237,7 @@ index aae9d5e..29ce58d 100644 struct xgbe_ring *ring = channel->tx_ring; struct xgbe_ring_data *rdata; struct xgbe_ring_desc *rdesc; -@@ -1863,7 +1863,7 @@ static int xgbe_tx_poll(struct xgbe_channel *channel) +@@ -1869,7 +1869,7 @@ static int xgbe_tx_poll(struct xgbe_channel *channel) static int xgbe_rx_poll(struct xgbe_channel *channel, int budget) { struct xgbe_prv_data *pdata = channel->pdata; @@ -51436,19 +51701,6 @@ index e5ba040..d47531c 100644 smp_mb(); /* need lock to prevent incorrect read while modifying cyclecounter */ -diff --git a/drivers/net/ethernet/mellanox/mlx4/cmd.c b/drivers/net/ethernet/mellanox/mlx4/cmd.c -index 0a32020..2177e56 100644 ---- a/drivers/net/ethernet/mellanox/mlx4/cmd.c -+++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c -@@ -2398,7 +2398,7 @@ int mlx4_multi_func_init(struct mlx4_dev *dev) - } - } - -- memset(&priv->mfunc.master.cmd_eqe, 0, dev->caps.eqe_size); -+ memset(&priv->mfunc.master.cmd_eqe, 0, sizeof(struct mlx4_eqe)); - priv->mfunc.master.cmd_eqe.type = MLX4_EVENT_TYPE_CMD; - INIT_WORK(&priv->mfunc.master.comm_work, - mlx4_master_comm_channel); diff --git a/drivers/net/ethernet/mellanox/mlx4/en_tx.c b/drivers/net/ethernet/mellanox/mlx4/en_tx.c index c10d98f..72914c6 100644 --- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c @@ -51464,19 +51716,6 @@ index c10d98f..72914c6 100644 netdev_tx_completed_queue(ring->tx_queue, packets, bytes); -diff --git a/drivers/net/ethernet/mellanox/mlx4/eq.c b/drivers/net/ethernet/mellanox/mlx4/eq.c -index 8e81e53..ad8f95d 100644 ---- a/drivers/net/ethernet/mellanox/mlx4/eq.c -+++ b/drivers/net/ethernet/mellanox/mlx4/eq.c -@@ -196,7 +196,7 @@ static void slave_event(struct mlx4_dev *dev, u8 slave, struct mlx4_eqe *eqe) - return; - } - -- memcpy(s_eqe, eqe, dev->caps.eqe_size - 1); -+ memcpy(s_eqe, eqe, sizeof(struct mlx4_eqe) - 1); - s_eqe->slave_id = slave; - /* ensure all information is written before setting the ownersip bit */ - dma_wmb(); diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c index 40206da..9d94643 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c @@ -51517,6 +51756,21 @@ index 6223930..975033d 100644 fifo->mempool = __vxge_hw_mempool_create(vpath->hldev, fifo->config->memblock_size, +diff --git a/drivers/net/ethernet/nvidia/forcedeth.c b/drivers/net/ethernet/nvidia/forcedeth.c +index a41bb5e..0ed99f9 100644 +--- a/drivers/net/ethernet/nvidia/forcedeth.c ++++ b/drivers/net/ethernet/nvidia/forcedeth.c +@@ -357,8 +357,8 @@ struct ring_desc { + }; + + struct ring_desc_ex { +- __le32 bufhigh; +- __le32 buflow; ++ __le32 bufhigh __intentional_overflow(0); ++ __le32 buflow __intentional_overflow(0); + __le32 txvlan; + __le32 flaglen; + }; diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c index 753ea8b..674c39a 100644 --- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c @@ -51765,7 +52019,7 @@ index 9f59f17..52cb38f 100644 }; diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c -index 248478c..05e8467 100644 +index 197c939..5f7bee5 100644 --- a/drivers/net/macvtap.c +++ b/drivers/net/macvtap.c @@ -485,7 +485,7 @@ static void macvtap_setup(struct net_device *dev) @@ -51786,6 +52040,17 @@ index 248478c..05e8467 100644 put_user(u, &ifr->ifr_flags)) ret = -EFAULT; macvtap_put_vlan(vlan); +@@ -1173,8 +1173,8 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd, + } + ret = 0; + u = vlan->dev->type; +- if (copy_to_user(&ifr->ifr_name, vlan->dev->name, IFNAMSIZ) || +- copy_to_user(&ifr->ifr_hwaddr.sa_data, vlan->dev->dev_addr, ETH_ALEN) || ++ if (copy_to_user(ifr->ifr_name, vlan->dev->name, IFNAMSIZ) || ++ copy_to_user(ifr->ifr_hwaddr.sa_data, vlan->dev->dev_addr, ETH_ALEN) || + put_user(u, &ifr->ifr_hwaddr.sa_family)) + ret = -EFAULT; + macvtap_put_vlan(vlan); @@ -1308,7 +1308,7 @@ static int macvtap_device_event(struct notifier_block *unused, return NOTIFY_DONE; } @@ -51862,7 +52127,7 @@ index 487be20..f4c87bc 100644 err = 0; break; diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c -index 2ed7506..cf82b13 100644 +index 5e0b432..0a37f84 100644 --- a/drivers/net/ppp/pppoe.c +++ b/drivers/net/ppp/pppoe.c @@ -568,6 +568,9 @@ static int pppoe_create(struct net *net, struct socket *sock, int kern) @@ -52895,10 +53160,10 @@ index 0ffb6ff..c0b7f0e 100644 memset(buf, 0, sizeof(buf)); buf_size = min(count, sizeof(buf) - 1); diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c -index 9e144e7..2f5511a 100644 +index dab9b91..b169b42 100644 --- a/drivers/net/wireless/iwlwifi/pcie/trans.c +++ b/drivers/net/wireless/iwlwifi/pcie/trans.c -@@ -1950,7 +1950,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file, +@@ -1944,7 +1944,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file, struct isr_statistics *isr_stats = &trans_pcie->isr_stats; char buf[8]; @@ -52907,7 +53172,7 @@ index 9e144e7..2f5511a 100644 u32 reset_flag; memset(buf, 0, sizeof(buf)); -@@ -1971,7 +1971,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file, +@@ -1965,7 +1965,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file, { struct iwl_trans *trans = file->private_data; char buf[8]; @@ -57016,7 +57281,7 @@ index 382d3fc..b16d625 100644 dlci->modem_rx = 0; diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c -index afc1879..b605d4b 100644 +index dedac8a..d085233 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c @@ -2574,6 +2574,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops) @@ -57781,6 +58046,19 @@ index b5b4278..bb9c7b0 100644 char c; if (get_user(c, buf)) +diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c +index 3d245cd..51d4d3c 100644 +--- a/drivers/tty/tty_audit.c ++++ b/drivers/tty/tty_audit.c +@@ -265,7 +265,7 @@ static struct tty_audit_buf *tty_audit_buf_get(struct tty_struct *tty, + * + * Audit @data of @size from @tty, if necessary. + */ +-void tty_audit_add_data(struct tty_struct *tty, const void *data, ++void tty_audit_add_data(struct tty_struct *tty, const unsigned char *data, + size_t size, unsigned icanon) + { + struct tty_audit_buf *buf; diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c index 4cf263d..fd011fa 100644 --- a/drivers/tty/tty_buffer.c @@ -57859,10 +58137,10 @@ index 4cf263d..fd011fa 100644 if (next == NULL) { check_other_closed(tty); diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c -index 774df35..62fa290 100644 +index 1aa0286..b99e9a8 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c -@@ -3524,7 +3524,7 @@ EXPORT_SYMBOL(tty_devnum); +@@ -3528,7 +3528,7 @@ EXPORT_SYMBOL(tty_devnum); void tty_default_fops(struct file_operations *fops) { @@ -58712,10 +58990,10 @@ index c47d3e4..35bcc1e 100644 /* Device for a quirk */ #define PCI_VENDOR_ID_FRESCO_LOGIC 0x1b73 diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c -index d7b9f484..8208965 100644 +index 6062996..9b6c196 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c -@@ -4837,7 +4837,7 @@ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks) +@@ -4847,7 +4847,7 @@ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks) int retval; /* Accept arbitrarily long scatter-gather lists */ @@ -59137,7 +59415,7 @@ index 3fc63c2..eec5e49 100644 } EXPORT_SYMBOL_GPL(fb_deferred_io_cleanup); diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c -index 0705d88..d9429bf 100644 +index 0705d88..0e17c07 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -1301,7 +1301,7 @@ static int do_fscreeninfo_to_user(struct fb_fix_screeninfo *fix, @@ -59149,6 +59427,30 @@ index 0705d88..d9429bf 100644 data = (__u32) (unsigned long) fix->smem_start; err |= put_user(data, &fix32->smem_start); +@@ -1435,10 +1435,7 @@ fb_mmap(struct file *file, struct vm_area_struct * vma) + return vm_iomap_memory(vma, start, len); + } + +-static int +-fb_open(struct inode *inode, struct file *file) +-__acquires(&info->lock) +-__releases(&info->lock) ++static int fb_open(struct inode *inode, struct file *file) + { + int fbidx = iminor(inode); + struct fb_info *info; +@@ -1476,10 +1473,7 @@ out: + return res; + } + +-static int +-fb_release(struct inode *inode, struct file *file) +-__acquires(&info->lock) +-__releases(&info->lock) ++static int fb_release(struct inode *inode, struct file *file) + { + struct fb_info * const info = file->private_data; + diff --git a/drivers/video/fbdev/hyperv_fb.c b/drivers/video/fbdev/hyperv_fb.c index 807ee22..7814cd6 100644 --- a/drivers/video/fbdev/hyperv_fb.c @@ -62463,10 +62765,10 @@ index 3c14e43..2630570 100644 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 +4 4 4 4 4 4 diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c -index 96093ae..b9eed29 100644 +index cdc3d33..2701a17 100644 --- a/drivers/xen/events/events_base.c +++ b/drivers/xen/events/events_base.c -@@ -1568,7 +1568,7 @@ void xen_irq_resume(void) +@@ -1569,7 +1569,7 @@ void xen_irq_resume(void) restore_pirqs(); } @@ -62475,7 +62777,7 @@ index 96093ae..b9eed29 100644 .name = "xen-dyn", .irq_disable = disable_dynirq, -@@ -1582,7 +1582,7 @@ static struct irq_chip xen_dynamic_chip __read_mostly = { +@@ -1583,7 +1583,7 @@ static struct irq_chip xen_dynamic_chip __read_mostly = { .irq_retrigger = retrigger_dynirq, }; @@ -62484,7 +62786,7 @@ index 96093ae..b9eed29 100644 .name = "xen-pirq", .irq_startup = startup_pirq, -@@ -1602,7 +1602,7 @@ static struct irq_chip xen_pirq_chip __read_mostly = { +@@ -1603,7 +1603,7 @@ static struct irq_chip xen_pirq_chip __read_mostly = { .irq_retrigger = retrigger_dynirq, }; @@ -74890,6 +75192,22 @@ index 0000000..43d7c4f +:1095C00080080000800E00008008008080080000F5 +:1095D00080000A8080000A00800009808000090065 +:00000001FF +diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c +index b1dc518..2f97461 100644 +--- a/fs/9p/vfs_inode.c ++++ b/fs/9p/vfs_inode.c +@@ -451,9 +451,9 @@ void v9fs_evict_inode(struct inode *inode) + { + struct v9fs_inode *v9inode = V9FS_I(inode); + +- truncate_inode_pages_final(inode->i_mapping); ++ truncate_inode_pages_final(&inode->i_data); + clear_inode(inode); +- filemap_fdatawrite(inode->i_mapping); ++ filemap_fdatawrite(&inode->i_data); + + v9fs_cache_inode_put_cookie(inode); + /* clunk the fid stashed in writeback_fid */ diff --git a/fs/Kconfig.binfmt b/fs/Kconfig.binfmt index 2d0cbbd..a6d61492 100644 --- a/fs/Kconfig.binfmt @@ -77152,7 +77470,7 @@ index 5bb630a..043dc70 100644 return hit; diff --git a/fs/compat.c b/fs/compat.c -index 6fd272d..dd34ba2 100644 +index 6fd272d..ae85f4f 100644 --- a/fs/compat.c +++ b/fs/compat.c @@ -54,7 +54,7 @@ @@ -77255,7 +77573,7 @@ index 6fd272d..dd34ba2 100644 dirent = buf->previous; if (dirent) { -@@ -1067,6 +1084,7 @@ COMPAT_SYSCALL_DEFINE3(getdents64, unsigned int, fd, +@@ -1067,13 +1084,13 @@ COMPAT_SYSCALL_DEFINE3(getdents64, unsigned int, fd, if (!f.file) return -EBADF; @@ -77263,6 +77581,14 @@ index 6fd272d..dd34ba2 100644 error = iterate_dir(f.file, &buf.ctx); if (error >= 0) error = buf.error; + lastdirent = buf.previous; + if (lastdirent) { +- typeof(lastdirent->d_off) d_off = buf.ctx.pos; +- if (__put_user_unaligned(d_off, &lastdirent->d_off)) ++ if (__put_user_unaligned(buf.ctx.pos, &lastdirent->d_off)) + error = -EFAULT; + else + error = count - buf.count; diff --git a/fs/compat_binfmt_elf.c b/fs/compat_binfmt_elf.c index 4d24d17..4f8c09e 100644 --- a/fs/compat_binfmt_elf.c @@ -77354,7 +77680,7 @@ index c81ce7f..f3de5fd 100644 /* * We'll have a dentry and an inode for diff --git a/fs/coredump.c b/fs/coredump.c -index a8f7564..3dde349 100644 +index a8f7564..0329da8 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -457,8 +457,8 @@ static void wait_for_dump_helpers(struct file *file) @@ -77441,6 +77767,15 @@ index a8f7564..3dde349 100644 if (cprm.limit < binfmt->min_coredump) goto fail_unlock; +@@ -654,7 +663,7 @@ void do_coredump(const siginfo_t *siginfo) + * If it doesn't exist, that's fine. If there's some + * other problem, we'll catch it at the filp_open(). + */ +- (void) sys_unlink((const char __user *)cn.corename); ++ (void) sys_unlink((const char __force_user *)cn.corename); + set_fs(old_fs); + } + @@ -718,7 +727,7 @@ close_fail: filp_close(cprm.file, NULL); fail_dropcount: @@ -77460,10 +77795,34 @@ index a8f7564..3dde349 100644 return 0; while (nr) { diff --git a/fs/dcache.c b/fs/dcache.c -index e3b44ca..e0d94f1 100644 +index e3b44ca..97367b7 100644 --- a/fs/dcache.c +++ b/fs/dcache.c -@@ -545,7 +545,7 @@ static void __dentry_kill(struct dentry *dentry) +@@ -341,8 +341,9 @@ static inline void dentry_rcuwalk_invalidate(struct dentry *dentry) + * and is unhashed. + */ + static void dentry_iput(struct dentry * dentry) +- __releases(dentry->d_lock) +- __releases(dentry->d_inode->i_lock) ++ __releases(&dentry->d_lock) ++ __releases(&dentry->d_inode->i_lock); ++static void dentry_iput(struct dentry * dentry) + { + struct inode *inode = dentry->d_inode; + if (inode) { +@@ -366,8 +367,9 @@ static void dentry_iput(struct dentry * dentry) + * d_iput() operation if defined. dentry remains in-use. + */ + static void dentry_unlink_inode(struct dentry * dentry) +- __releases(dentry->d_lock) +- __releases(dentry->d_inode->i_lock) ++ __releases(&dentry->d_lock) ++ __releases(&dentry->d_inode->i_lock); ++static void dentry_unlink_inode(struct dentry * dentry) + { + struct inode *inode = dentry->d_inode; + __d_clear_type_and_inode(dentry); +@@ -545,7 +547,7 @@ static void __dentry_kill(struct dentry *dentry) * dentry_iput drops the locks, at which point nobody (except * transient RCU lookups) can reach this dentry. */ @@ -77472,7 +77831,17 @@ index e3b44ca..e0d94f1 100644 this_cpu_dec(nr_dentry); if (dentry->d_op && dentry->d_op->d_release) dentry->d_op->d_release(dentry); -@@ -598,7 +598,7 @@ static inline struct dentry *lock_parent(struct dentry *dentry) +@@ -567,7 +569,8 @@ static void __dentry_kill(struct dentry *dentry) + * Returns dentry requiring refcount drop, or NULL if we're done. + */ + static struct dentry *dentry_kill(struct dentry *dentry) +- __releases(dentry->d_lock) ++ __releases(&dentry->d_lock); ++static struct dentry *dentry_kill(struct dentry *dentry) + { + struct inode *inode = dentry->d_inode; + struct dentry *parent = NULL; +@@ -598,7 +601,7 @@ static inline struct dentry *lock_parent(struct dentry *dentry) struct dentry *parent = dentry->d_parent; if (IS_ROOT(dentry)) return NULL; @@ -77481,7 +77850,7 @@ index e3b44ca..e0d94f1 100644 return NULL; if (likely(spin_trylock(&parent->d_lock))) return parent; -@@ -660,8 +660,8 @@ static inline bool fast_dput(struct dentry *dentry) +@@ -660,8 +663,8 @@ static inline bool fast_dput(struct dentry *dentry) */ if (unlikely(ret < 0)) { spin_lock(&dentry->d_lock); @@ -77492,7 +77861,7 @@ index e3b44ca..e0d94f1 100644 spin_unlock(&dentry->d_lock); return 1; } -@@ -716,7 +716,7 @@ static inline bool fast_dput(struct dentry *dentry) +@@ -716,7 +719,7 @@ static inline bool fast_dput(struct dentry *dentry) * else could have killed it and marked it dead. Either way, we * don't need to do anything else. */ @@ -77501,7 +77870,7 @@ index e3b44ca..e0d94f1 100644 spin_unlock(&dentry->d_lock); return 1; } -@@ -726,7 +726,7 @@ static inline bool fast_dput(struct dentry *dentry) +@@ -726,7 +729,7 @@ static inline bool fast_dput(struct dentry *dentry) * lock, and we just tested that it was zero, so we can just * set it to 1. */ @@ -77510,7 +77879,7 @@ index e3b44ca..e0d94f1 100644 return 0; } -@@ -788,7 +788,7 @@ repeat: +@@ -788,7 +791,7 @@ repeat: dentry->d_flags |= DCACHE_REFERENCED; dentry_lru_add(dentry); @@ -77519,7 +77888,7 @@ index e3b44ca..e0d94f1 100644 spin_unlock(&dentry->d_lock); return; -@@ -803,7 +803,7 @@ EXPORT_SYMBOL(dput); +@@ -803,7 +806,7 @@ EXPORT_SYMBOL(dput); /* This must be called with d_lock held */ static inline void __dget_dlock(struct dentry *dentry) { @@ -77528,7 +77897,7 @@ index e3b44ca..e0d94f1 100644 } static inline void __dget(struct dentry *dentry) -@@ -844,8 +844,8 @@ repeat: +@@ -844,8 +847,8 @@ repeat: goto repeat; } rcu_read_unlock(); @@ -77539,7 +77908,7 @@ index e3b44ca..e0d94f1 100644 spin_unlock(&ret->d_lock); return ret; } -@@ -923,9 +923,9 @@ restart: +@@ -923,9 +926,9 @@ restart: spin_lock(&inode->i_lock); hlist_for_each_entry(dentry, &inode->i_dentry, d_u.d_alias) { spin_lock(&dentry->d_lock); @@ -77551,7 +77920,7 @@ index e3b44ca..e0d94f1 100644 __dentry_kill(dentry); dput(parent); goto restart; -@@ -960,7 +960,7 @@ static void shrink_dentry_list(struct list_head *list) +@@ -960,7 +963,7 @@ static void shrink_dentry_list(struct list_head *list) * We found an inuse dentry which was not removed from * the LRU because of laziness during lookup. Do not free it. */ @@ -77560,7 +77929,7 @@ index e3b44ca..e0d94f1 100644 spin_unlock(&dentry->d_lock); if (parent) spin_unlock(&parent->d_lock); -@@ -998,8 +998,8 @@ static void shrink_dentry_list(struct list_head *list) +@@ -998,8 +1001,8 @@ static void shrink_dentry_list(struct list_head *list) dentry = parent; while (dentry && !lockref_put_or_lock(&dentry->d_lockref)) { parent = lock_parent(dentry); @@ -77571,7 +77940,7 @@ index e3b44ca..e0d94f1 100644 spin_unlock(&dentry->d_lock); if (parent) spin_unlock(&parent->d_lock); -@@ -1039,7 +1039,7 @@ static enum lru_status dentry_lru_isolate(struct list_head *item, +@@ -1039,7 +1042,7 @@ static enum lru_status dentry_lru_isolate(struct list_head *item, * counts, just remove them from the LRU. Otherwise give them * another pass through the LRU. */ @@ -77580,7 +77949,7 @@ index e3b44ca..e0d94f1 100644 d_lru_isolate(lru, dentry); spin_unlock(&dentry->d_lock); return LRU_REMOVED; -@@ -1373,7 +1373,7 @@ static enum d_walk_ret select_collect(void *_data, struct dentry *dentry) +@@ -1373,7 +1376,7 @@ static enum d_walk_ret select_collect(void *_data, struct dentry *dentry) } else { if (dentry->d_flags & DCACHE_LRU_LIST) d_lru_del(dentry); @@ -77589,7 +77958,7 @@ index e3b44ca..e0d94f1 100644 d_shrink_add(dentry, &data->dispose); data->found++; } -@@ -1421,7 +1421,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry) +@@ -1421,7 +1424,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry) return D_WALK_CONTINUE; /* root with refcount 1 is fine */ @@ -77598,7 +77967,7 @@ index e3b44ca..e0d94f1 100644 return D_WALK_CONTINUE; printk(KERN_ERR "BUG: Dentry %p{i=%lx,n=%pd} " -@@ -1430,7 +1430,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry) +@@ -1430,7 +1433,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry) dentry->d_inode ? dentry->d_inode->i_ino : 0UL, dentry, @@ -77607,7 +77976,7 @@ index e3b44ca..e0d94f1 100644 dentry->d_sb->s_type->name, dentry->d_sb->s_id); WARN_ON(1); -@@ -1571,7 +1571,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) +@@ -1571,7 +1574,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) dentry->d_iname[DNAME_INLINE_LEN-1] = 0; if (name->len > DNAME_INLINE_LEN-1) { size_t size = offsetof(struct external_name, name[1]); @@ -77616,7 +77985,7 @@ index e3b44ca..e0d94f1 100644 if (!p) { kmem_cache_free(dentry_cache, dentry); return NULL; -@@ -1594,7 +1594,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) +@@ -1594,7 +1597,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) smp_wmb(); dentry->d_name.name = dname; @@ -77625,7 +77994,7 @@ index e3b44ca..e0d94f1 100644 dentry->d_flags = 0; spin_lock_init(&dentry->d_lock); seqcount_init(&dentry->d_seq); -@@ -1603,6 +1603,9 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) +@@ -1603,6 +1606,9 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) dentry->d_sb = sb; dentry->d_op = NULL; dentry->d_fsdata = NULL; @@ -77635,7 +78004,7 @@ index e3b44ca..e0d94f1 100644 INIT_HLIST_BL_NODE(&dentry->d_hash); INIT_LIST_HEAD(&dentry->d_lru); INIT_LIST_HEAD(&dentry->d_subdirs); -@@ -2327,7 +2330,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name) +@@ -2327,7 +2333,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name) goto next; } @@ -77644,7 +78013,7 @@ index e3b44ca..e0d94f1 100644 found = dentry; spin_unlock(&dentry->d_lock); break; -@@ -2395,7 +2398,7 @@ again: +@@ -2395,7 +2401,7 @@ again: spin_lock(&dentry->d_lock); inode = dentry->d_inode; isdir = S_ISDIR(inode->i_mode); @@ -77653,7 +78022,7 @@ index e3b44ca..e0d94f1 100644 if (!spin_trylock(&inode->i_lock)) { spin_unlock(&dentry->d_lock); cpu_relax(); -@@ -3344,7 +3347,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry) +@@ -3344,7 +3350,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry) if (!(dentry->d_flags & DCACHE_GENOCIDE)) { dentry->d_flags |= DCACHE_GENOCIDE; @@ -77662,7 +78031,7 @@ index e3b44ca..e0d94f1 100644 } } return D_WALK_CONTINUE; -@@ -3452,7 +3455,8 @@ void __init vfs_caches_init_early(void) +@@ -3452,7 +3458,8 @@ void __init vfs_caches_init_early(void) void __init vfs_caches_init(void) { names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0, @@ -78987,7 +79356,7 @@ index ee85cd4..9dd0d20 100644 } EXPORT_SYMBOL(__f_setown); diff --git a/fs/fhandle.c b/fs/fhandle.c -index d59712d..2281df9 100644 +index d59712d..2c63363 100644 --- a/fs/fhandle.c +++ b/fs/fhandle.c @@ -8,6 +8,7 @@ @@ -79017,8 +79386,17 @@ index d59712d..2281df9 100644 retval = -EPERM; goto out_err; } +@@ -197,7 +197,7 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh, + /* copy the full handle */ + *handle = f_handle; + if (copy_from_user(&handle->f_handle, +- &ufh->f_handle, ++ ufh->f_handle, + f_handle.handle_bytes)) { + retval = -EFAULT; + goto out_handle; diff --git a/fs/file.c b/fs/file.c -index 6c672ad..bf787b0 100644 +index 6c672ad..3166d8c 100644 --- a/fs/file.c +++ b/fs/file.c @@ -16,6 +16,7 @@ @@ -79029,25 +79407,46 @@ index 6c672ad..bf787b0 100644 #include <linux/fdtable.h> #include <linux/bitops.h> #include <linux/interrupt.h> -@@ -139,7 +140,7 @@ out: +@@ -139,9 +140,10 @@ out: * Return <0 error code on error; 1 on successful completion. * The files->file_lock should be held on entry, and will be held on exit. */ -static int expand_fdtable(struct files_struct *files, int nr) +- __releases(files->file_lock) +- __acquires(files->file_lock) ++static int expand_fdtable(struct files_struct *files, unsigned int nr) ++ __releases(&files->file_lock) ++ __acquires(&files->file_lock); +static int expand_fdtable(struct files_struct *files, unsigned int nr) - __releases(files->file_lock) - __acquires(files->file_lock) { -@@ -184,7 +185,7 @@ static int expand_fdtable(struct files_struct *files, int nr) + struct fdtable *new_fdt, *cur_fdt; + +@@ -184,9 +186,10 @@ static int expand_fdtable(struct files_struct *files, int nr) * expanded and execution may have blocked. * The files->file_lock should be held on entry, and will be held on exit. */ -static int expand_files(struct files_struct *files, int nr) +- __releases(files->file_lock) +- __acquires(files->file_lock) +static int expand_files(struct files_struct *files, unsigned int nr) - __releases(files->file_lock) - __acquires(files->file_lock) ++ __releases(&files->file_lock) ++ __acquires(&files->file_lock); ++static int expand_files(struct files_struct *files, unsigned int nr) + { + struct fdtable *fdt; + int expanded = 0; +@@ -784,7 +787,9 @@ bool get_close_on_exec(unsigned int fd) + + static int do_dup2(struct files_struct *files, + struct file *file, unsigned fd, unsigned flags) +-__releases(&files->file_lock) ++__releases(&files->file_lock); ++static int do_dup2(struct files_struct *files, ++ struct file *file, unsigned fd, unsigned flags) { -@@ -834,6 +835,7 @@ int replace_fd(unsigned fd, struct file *file, unsigned flags) + struct file *tofree; + struct fdtable *fdt; +@@ -834,6 +839,7 @@ int replace_fd(unsigned fd, struct file *file, unsigned flags) if (!file) return __close_fd(files, fd); @@ -79055,7 +79454,7 @@ index 6c672ad..bf787b0 100644 if (fd >= rlimit(RLIMIT_NOFILE)) return -EBADF; -@@ -860,6 +862,7 @@ SYSCALL_DEFINE3(dup3, unsigned int, oldfd, unsigned int, newfd, int, flags) +@@ -860,6 +866,7 @@ SYSCALL_DEFINE3(dup3, unsigned int, oldfd, unsigned int, newfd, int, flags) if (unlikely(oldfd == newfd)) return -EINVAL; @@ -79063,7 +79462,7 @@ index 6c672ad..bf787b0 100644 if (newfd >= rlimit(RLIMIT_NOFILE)) return -EBADF; -@@ -915,6 +918,7 @@ SYSCALL_DEFINE1(dup, unsigned int, fildes) +@@ -915,6 +922,7 @@ SYSCALL_DEFINE1(dup, unsigned int, fildes) int f_dupfd(unsigned int from, struct file *file, unsigned flags) { int err; @@ -79087,6 +79486,53 @@ index 5797d45..7d7d79a 100644 fs = __get_fs_type(name, len); if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) { +diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c +index 5fa588e..21cc57d 100644 +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -869,9 +869,9 @@ restart: + #else /* CONFIG_CGROUP_WRITEBACK */ + + static struct bdi_writeback * ++locked_inode_to_wb_and_lock_list(struct inode *inode) __releases(&inode->i_lock) __acquires(&wb->list_lock); ++static struct bdi_writeback * + locked_inode_to_wb_and_lock_list(struct inode *inode) +- __releases(&inode->i_lock) +- __acquires(&wb->list_lock) + { + struct bdi_writeback *wb = inode_to_wb(inode); + +@@ -880,8 +880,8 @@ locked_inode_to_wb_and_lock_list(struct inode *inode) + return wb; + } + ++static struct bdi_writeback *inode_to_wb_and_lock_list(struct inode *inode) __acquires(&wb->list_lock); + static struct bdi_writeback *inode_to_wb_and_lock_list(struct inode *inode) +- __acquires(&wb->list_lock) + { + struct bdi_writeback *wb = inode_to_wb(inode); + +@@ -1127,9 +1127,8 @@ static int write_inode(struct inode *inode, struct writeback_control *wbc) + * Wait for writeback on an inode to complete. Called with i_lock held. + * Caller must make sure inode cannot go away when we drop i_lock. + */ ++static void __inode_wait_for_writeback(struct inode *inode) __must_hold(&inode->i_lock); + static void __inode_wait_for_writeback(struct inode *inode) +- __releases(inode->i_lock) +- __acquires(inode->i_lock) + { + DEFINE_WAIT_BIT(wq, &inode->i_state, __I_SYNC); + wait_queue_head_t *wqh; +@@ -1158,8 +1157,8 @@ void inode_wait_for_writeback(struct inode *inode) + * held and drops it. It is aimed for callers not holding any inode reference + * so once i_lock is dropped, inode can go away. + */ ++static void inode_sleep_on_writeback(struct inode *inode) __releases(&inode->i_lock); + static void inode_sleep_on_writeback(struct inode *inode) +- __releases(inode->i_lock) + { + DEFINE_WAIT(wait); + wait_queue_head_t *wqh = bit_waitqueue(&inode->i_state, __I_SYNC); diff --git a/fs/fs_struct.c b/fs/fs_struct.c index 7dca743..1ff87ae 100644 --- a/fs/fs_struct.c @@ -81099,7 +81545,7 @@ index 14db05d..687f6d8 100644 #define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */ diff --git a/fs/namei.c b/fs/namei.c -index 36df481..c3045fd 100644 +index 36df481..cb04cfe 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -336,17 +336,32 @@ int generic_permission(struct inode *inode, int mask) @@ -81304,17 +81750,18 @@ index 36df481..c3045fd 100644 hash = a = 0; len = -sizeof(unsigned long); -@@ -2000,6 +2089,9 @@ static const char *path_init(struct nameidata *nd, unsigned flags) +@@ -1999,7 +2088,9 @@ static const char *path_init(struct nameidata *nd, unsigned flags) + nd->last_type = LAST_ROOT; /* if there are only slashes... */ nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT; nd->depth = 0; - nd->total_link_count = 0; +- nd->total_link_count = 0; +#ifdef CONFIG_GRKERNSEC_SYMLINKOWN + nd->symlinkown_depth = 0; +#endif if (flags & LOOKUP_ROOT) { struct dentry *root = nd->root.dentry; struct inode *inode = root->d_inode; -@@ -2137,6 +2229,11 @@ static int path_lookupat(struct nameidata *nd, unsigned flags, struct path *path +@@ -2137,6 +2228,11 @@ static int path_lookupat(struct nameidata *nd, unsigned flags, struct path *path if (!err) err = complete_walk(nd); @@ -81326,7 +81773,7 @@ index 36df481..c3045fd 100644 if (!err && nd->flags & LOOKUP_DIRECTORY) if (!d_can_lookup(nd->path.dentry)) err = -ENOTDIR; -@@ -2185,6 +2282,10 @@ static int path_parentat(struct nameidata *nd, unsigned flags, +@@ -2185,6 +2281,10 @@ static int path_parentat(struct nameidata *nd, unsigned flags, err = link_path_walk(s, nd); if (!err) err = complete_walk(nd); @@ -81337,7 +81784,7 @@ index 36df481..c3045fd 100644 if (!err) { *parent = nd->path; nd->path.mnt = NULL; -@@ -2716,6 +2817,13 @@ static int may_open(struct path *path, int acc_mode, int flag) +@@ -2716,6 +2816,13 @@ static int may_open(struct path *path, int acc_mode, int flag) if (flag & O_NOATIME && !inode_owner_or_capable(inode)) return -EPERM; @@ -81351,7 +81798,7 @@ index 36df481..c3045fd 100644 return 0; } -@@ -2982,6 +3090,18 @@ static int lookup_open(struct nameidata *nd, struct path *path, +@@ -2982,6 +3089,18 @@ static int lookup_open(struct nameidata *nd, struct path *path, /* Negative dentry, just create the file */ if (!dentry->d_inode && (op->open_flag & O_CREAT)) { umode_t mode = op->mode; @@ -81370,7 +81817,7 @@ index 36df481..c3045fd 100644 if (!IS_POSIXACL(dir->d_inode)) mode &= ~current_umask(); /* -@@ -3003,6 +3123,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, +@@ -3003,6 +3122,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, nd->flags & LOOKUP_EXCL); if (error) goto out_dput; @@ -81379,7 +81826,7 @@ index 36df481..c3045fd 100644 } out_no_open: path->dentry = dentry; -@@ -3066,6 +3188,9 @@ static int do_last(struct nameidata *nd, +@@ -3066,6 +3187,9 @@ static int do_last(struct nameidata *nd, if (error) return error; @@ -81389,7 +81836,7 @@ index 36df481..c3045fd 100644 audit_inode(nd->name, dir, LOOKUP_PARENT); /* trailing slashes? */ if (unlikely(nd->last.name[nd->last.len])) -@@ -3108,11 +3233,24 @@ retry_lookup: +@@ -3108,11 +3232,24 @@ retry_lookup: goto finish_open_created; } @@ -81415,7 +81862,7 @@ index 36df481..c3045fd 100644 /* * If atomic_open() acquired write access it is dropped now due to -@@ -3148,6 +3286,11 @@ finish_lookup: +@@ -3148,6 +3285,11 @@ finish_lookup: if (unlikely(error)) return error; @@ -81427,7 +81874,7 @@ index 36df481..c3045fd 100644 if (unlikely(d_is_symlink(path.dentry)) && !(open_flag & O_PATH)) { path_to_nameidata(&path, nd); return -ELOOP; -@@ -3170,6 +3313,12 @@ finish_open: +@@ -3170,6 +3312,12 @@ finish_open: path_put(&save_parent); return error; } @@ -81440,7 +81887,7 @@ index 36df481..c3045fd 100644 audit_inode(nd->name, nd->path.dentry, 0); error = -EISDIR; if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry)) -@@ -3436,9 +3585,11 @@ static struct dentry *filename_create(int dfd, struct filename *name, +@@ -3436,9 +3584,11 @@ static struct dentry *filename_create(int dfd, struct filename *name, goto unlock; error = -EEXIST; @@ -81454,7 +81901,7 @@ index 36df481..c3045fd 100644 /* * Special case - lookup gave negative, but... we had foo/bar/ * From the vfs_mknod() POV we just have a negative dentry - -@@ -3492,6 +3643,20 @@ inline struct dentry *user_path_create(int dfd, const char __user *pathname, +@@ -3492,6 +3642,20 @@ inline struct dentry *user_path_create(int dfd, const char __user *pathname, } EXPORT_SYMBOL(user_path_create); @@ -81475,7 +81922,7 @@ index 36df481..c3045fd 100644 int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) { int error = may_create(dir, dentry); -@@ -3555,6 +3720,17 @@ retry: +@@ -3555,6 +3719,17 @@ retry: if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); @@ -81493,7 +81940,7 @@ index 36df481..c3045fd 100644 error = security_path_mknod(&path, dentry, mode, dev); if (error) goto out; -@@ -3570,6 +3746,8 @@ retry: +@@ -3570,6 +3745,8 @@ retry: error = vfs_mknod(path.dentry->d_inode,dentry,mode,0); break; } @@ -81502,7 +81949,7 @@ index 36df481..c3045fd 100644 out: done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { -@@ -3624,9 +3802,16 @@ retry: +@@ -3624,9 +3801,16 @@ retry: if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); @@ -81519,7 +81966,7 @@ index 36df481..c3045fd 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3659,7 +3844,7 @@ void dentry_unhash(struct dentry *dentry) +@@ -3659,7 +3843,7 @@ void dentry_unhash(struct dentry *dentry) { shrink_dcache_parent(dentry); spin_lock(&dentry->d_lock); @@ -81528,7 +81975,7 @@ index 36df481..c3045fd 100644 __d_drop(dentry); spin_unlock(&dentry->d_lock); } -@@ -3712,6 +3897,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -3712,6 +3896,8 @@ static long do_rmdir(int dfd, const char __user *pathname) struct path path; struct qstr last; int type; @@ -81537,7 +81984,7 @@ index 36df481..c3045fd 100644 unsigned int lookup_flags = 0; retry: name = user_path_parent(dfd, pathname, -@@ -3744,10 +3931,20 @@ retry: +@@ -3744,10 +3930,20 @@ retry: error = -ENOENT; goto exit3; } @@ -81558,7 +82005,7 @@ index 36df481..c3045fd 100644 exit3: dput(dentry); exit2: -@@ -3842,6 +4039,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -3842,6 +4038,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) int type; struct inode *inode = NULL; struct inode *delegated_inode = NULL; @@ -81567,7 +82014,7 @@ index 36df481..c3045fd 100644 unsigned int lookup_flags = 0; retry: name = user_path_parent(dfd, pathname, -@@ -3868,10 +4067,21 @@ retry_deleg: +@@ -3868,10 +4066,21 @@ retry_deleg: if (d_is_negative(dentry)) goto slashes; ihold(inode); @@ -81589,7 +82036,7 @@ index 36df481..c3045fd 100644 exit2: dput(dentry); } -@@ -3960,9 +4170,17 @@ retry: +@@ -3960,9 +4169,17 @@ retry: if (IS_ERR(dentry)) goto out_putname; @@ -81607,7 +82054,7 @@ index 36df481..c3045fd 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -4066,6 +4284,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -4066,6 +4283,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, struct dentry *new_dentry; struct path old_path, new_path; struct inode *delegated_inode = NULL; @@ -81615,7 +82062,7 @@ index 36df481..c3045fd 100644 int how = 0; int error; -@@ -4089,7 +4308,7 @@ retry: +@@ -4089,7 +4307,7 @@ retry: if (error) return error; @@ -81624,7 +82071,7 @@ index 36df481..c3045fd 100644 (how & LOOKUP_REVAL)); error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) -@@ -4101,11 +4320,26 @@ retry: +@@ -4101,11 +4319,26 @@ retry: error = may_linkat(&old_path); if (unlikely(error)) goto out_dput; @@ -81651,7 +82098,7 @@ index 36df481..c3045fd 100644 done_path_create(&new_path, new_dentry); if (delegated_inode) { error = break_deleg_wait(&delegated_inode); -@@ -4420,6 +4654,20 @@ retry_deleg: +@@ -4420,6 +4653,20 @@ retry_deleg: if (new_dentry == trap) goto exit5; @@ -81672,7 +82119,7 @@ index 36df481..c3045fd 100644 error = security_path_rename(&old_path, old_dentry, &new_path, new_dentry, flags); if (error) -@@ -4427,6 +4675,9 @@ retry_deleg: +@@ -4427,6 +4674,9 @@ retry_deleg: error = vfs_rename(old_path.dentry->d_inode, old_dentry, new_path.dentry->d_inode, new_dentry, &delegated_inode, flags); @@ -81682,7 +82129,7 @@ index 36df481..c3045fd 100644 exit5: dput(new_dentry); exit4: -@@ -4483,14 +4734,24 @@ EXPORT_SYMBOL(vfs_whiteout); +@@ -4483,14 +4733,24 @@ EXPORT_SYMBOL(vfs_whiteout); int readlink_copy(char __user *buffer, int buflen, const char *link) { @@ -82400,10 +82847,41 @@ index e33dab2..cdbdad9 100644 } } putname(tmp); +diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c +index 871fcb6..f038f64 100644 +--- a/fs/overlayfs/copy_up.c ++++ b/fs/overlayfs/copy_up.c +@@ -142,7 +142,7 @@ static char *ovl_read_symlink(struct dentry *realdentry) + set_fs(get_ds()); + /* The cast to a user pointer is valid due to the set_fs() */ + res = inode->i_op->readlink(realdentry, +- (char __user *)buf, PAGE_SIZE - 1); ++ (char __force_user *)buf, PAGE_SIZE - 1); + set_fs(old_fs); + if (res < 0) { + free_page((unsigned long) buf); diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c -index ec0c2a0..f9b5b82 100644 +index ec0c2a0..3a64073 100644 --- a/fs/overlayfs/inode.c +++ b/fs/overlayfs/inode.c +@@ -49,13 +49,13 @@ int ovl_setattr(struct dentry *dentry, struct iattr *attr) + if (err) + goto out; + +- upperdentry = ovl_dentry_upper(dentry); +- if (upperdentry) { ++ err = ovl_copy_up(dentry); ++ if (!err) { ++ upperdentry = ovl_dentry_upper(dentry); ++ + mutex_lock(&upperdentry->d_inode->i_mutex); + err = notify_change(upperdentry, attr, NULL); + mutex_unlock(&upperdentry->d_inode->i_mutex); +- } else { +- err = ovl_copy_up_last(dentry, attr, false); + } + ovl_drop_write(dentry); + out: @@ -346,6 +346,9 @@ struct inode *ovl_d_select_inode(struct dentry *dentry, unsigned file_flags) if (d_is_dir(dentry)) return d_backing_inode(dentry); @@ -82803,7 +83281,7 @@ index 1ade120..a86f1a2 100644 help Various /proc files exist to monitor process memory utilization: diff --git a/fs/proc/array.c b/fs/proc/array.c -index ce065cf..8974fed 100644 +index 57fde2d..f6c419f 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -60,6 +60,7 @@ @@ -82861,7 +83339,7 @@ index ce065cf..8974fed 100644 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task, int whole) { -@@ -390,6 +421,13 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, +@@ -390,9 +421,16 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, char tcomm[sizeof(task->comm)]; unsigned long flags; @@ -82874,7 +83352,11 @@ index ce065cf..8974fed 100644 + state = *get_task_state(task); vsize = eip = esp = 0; - permitted = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT); +- permitted = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT); ++ permitted = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS | PTRACE_MODE_NOAUDIT); + mm = get_task_mm(task); + if (mm) { + vsize = task_vsize(mm); @@ -460,6 +498,19 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, gtime = task_gtime(task); } @@ -82911,7 +83393,7 @@ index ce065cf..8974fed 100644 seq_put_decimal_ull(m, ' ', esp); seq_put_decimal_ull(m, ' ', eip); /* The signal information here is obsolete. -@@ -515,7 +572,11 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, +@@ -527,7 +584,11 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, seq_put_decimal_ull(m, ' ', cputime_to_clock_t(gtime)); seq_put_decimal_ll(m, ' ', cputime_to_clock_t(cgtime)); @@ -82924,7 +83406,7 @@ index ce065cf..8974fed 100644 seq_put_decimal_ull(m, ' ', mm->start_data); seq_put_decimal_ull(m, ' ', mm->end_data); seq_put_decimal_ull(m, ' ', mm->start_brk); -@@ -553,8 +614,15 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, +@@ -565,8 +626,15 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task) { unsigned long size = 0, resident = 0, shared = 0, text = 0, data = 0; @@ -82941,7 +83423,7 @@ index ce065cf..8974fed 100644 if (mm) { size = task_statm(mm, &shared, &text, &data, &resident); mmput(mm); -@@ -577,6 +645,20 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, +@@ -589,6 +657,20 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, return 0; } @@ -82963,7 +83445,7 @@ index ce065cf..8974fed 100644 static struct pid * get_children_pid(struct inode *inode, struct pid *pid_prev, loff_t pos) diff --git a/fs/proc/base.c b/fs/proc/base.c -index aa50d1a..c202cde 100644 +index 83a43c1..6279ec0 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -113,6 +113,14 @@ struct pid_entry { @@ -83006,7 +83488,8 @@ index aa50d1a..c202cde 100644 static int proc_pid_auxv(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task) { - struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ); +- struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ); ++ struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ_FSCREDS); if (mm && !IS_ERR(mm)) { unsigned int nwords = 0; + @@ -83031,7 +83514,25 @@ index aa50d1a..c202cde 100644 /* * Provides a wchan file via kallsyms in a proper one-value-per-file format. * Returns the resolved symbol. If that fails, simply return the address. -@@ -459,7 +488,7 @@ static void unlock_trace(struct task_struct *task) +@@ -430,7 +459,7 @@ static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns, + + wchan = get_wchan(task); + +- if (wchan && ptrace_may_access(task, PTRACE_MODE_READ) && !lookup_symbol_name(wchan, symname)) ++ if (wchan && !lookup_symbol_name(wchan, symname) && ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) + seq_printf(m, "%s", symname); + else + seq_putc(m, '0'); +@@ -444,7 +473,7 @@ static int lock_trace(struct task_struct *task) + int err = mutex_lock_killable(&task->signal->cred_guard_mutex); + if (err) + return err; +- if (!ptrace_may_access(task, PTRACE_MODE_ATTACH)) { ++ if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_FSCREDS)) { + mutex_unlock(&task->signal->cred_guard_mutex); + return -EPERM; + } +@@ -456,7 +485,7 @@ static void unlock_trace(struct task_struct *task) mutex_unlock(&task->signal->cred_guard_mutex); } @@ -83040,7 +83541,7 @@ index aa50d1a..c202cde 100644 #define MAX_STACK_TRACE_DEPTH 64 -@@ -657,7 +686,7 @@ static int proc_pid_limits(struct seq_file *m, struct pid_namespace *ns, +@@ -654,7 +683,7 @@ static int proc_pid_limits(struct seq_file *m, struct pid_namespace *ns, return 0; } @@ -83049,7 +83550,7 @@ index aa50d1a..c202cde 100644 static int proc_pid_syscall(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task) { -@@ -690,7 +719,7 @@ static int proc_pid_syscall(struct seq_file *m, struct pid_namespace *ns, +@@ -687,7 +716,7 @@ static int proc_pid_syscall(struct seq_file *m, struct pid_namespace *ns, /************************************************************************/ /* permission checks */ @@ -83058,19 +83559,19 @@ index aa50d1a..c202cde 100644 { struct task_struct *task; int allowed = 0; -@@ -700,7 +729,10 @@ static int proc_fd_access_allowed(struct inode *inode) +@@ -697,7 +726,10 @@ static int proc_fd_access_allowed(struct inode *inode) */ task = get_proc_task(inode); if (task) { - allowed = ptrace_may_access(task, PTRACE_MODE_READ); + if (log) -+ allowed = ptrace_may_access(task, PTRACE_MODE_READ); ++ allowed = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS); + else -+ allowed = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT); ++ allowed = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS | PTRACE_MODE_NOAUDIT); put_task_struct(task); } return allowed; -@@ -731,10 +763,35 @@ static bool has_pid_permissions(struct pid_namespace *pid, +@@ -728,11 +760,36 @@ static bool has_pid_permissions(struct pid_namespace *pid, struct task_struct *task, int hide_pid_min) { @@ -83095,18 +83596,20 @@ index aa50d1a..c202cde 100644 + rcu_read_unlock(); + + if (!pid->hide_pid) -+ return ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT); ++ return ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS | PTRACE_MODE_NOAUDIT); +#endif + if (pid->hide_pid < hide_pid_min) return true; if (in_group_p(pid->pid_gid)) return true; +- return ptrace_may_access(task, PTRACE_MODE_READ); + - return ptrace_may_access(task, PTRACE_MODE_READ); ++ return ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS); } -@@ -752,7 +809,11 @@ static int proc_pid_permission(struct inode *inode, int mask) + +@@ -749,7 +806,11 @@ static int proc_pid_permission(struct inode *inode, int mask) put_task_struct(task); if (!has_perms) { @@ -83118,10 +83621,12 @@ index aa50d1a..c202cde 100644 /* * Let's make getdents(), stat(), and open() * consistent with each other. If a process -@@ -813,6 +874,10 @@ struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode) +@@ -809,7 +870,11 @@ struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode) + struct mm_struct *mm = ERR_PTR(-ESRCH); if (task) { - mm = mm_access(task, mode); +- mm = mm_access(task, mode); ++ mm = mm_access(task, mode | PTRACE_MODE_FSCREDS); + if (!IS_ERR_OR_NULL(mm) && gr_acl_handle_procpidmem(task)) { + mmput(mm); + mm = ERR_PTR(-EPERM); @@ -83129,7 +83634,7 @@ index aa50d1a..c202cde 100644 put_task_struct(task); if (!IS_ERR_OR_NULL(mm)) { -@@ -834,6 +899,11 @@ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode) +@@ -831,6 +896,11 @@ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode) return PTR_ERR(mm); file->private_data = mm; @@ -83141,7 +83646,7 @@ index aa50d1a..c202cde 100644 return 0; } -@@ -855,6 +925,17 @@ static ssize_t mem_rw(struct file *file, char __user *buf, +@@ -852,6 +922,17 @@ static ssize_t mem_rw(struct file *file, char __user *buf, ssize_t copied; char *page; @@ -83159,7 +83664,7 @@ index aa50d1a..c202cde 100644 if (!mm) return 0; -@@ -867,7 +948,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf, +@@ -864,7 +945,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf, goto free; while (count > 0) { @@ -83168,7 +83673,7 @@ index aa50d1a..c202cde 100644 if (write && copy_from_user(page, buf, this_len)) { copied = -EFAULT; -@@ -959,6 +1040,13 @@ static ssize_t environ_read(struct file *file, char __user *buf, +@@ -956,6 +1037,13 @@ static ssize_t environ_read(struct file *file, char __user *buf, if (!mm) return 0; @@ -83182,7 +83687,7 @@ index aa50d1a..c202cde 100644 page = (char *)__get_free_page(GFP_TEMPORARY); if (!page) return -ENOMEM; -@@ -968,7 +1056,7 @@ static ssize_t environ_read(struct file *file, char __user *buf, +@@ -965,7 +1053,7 @@ static ssize_t environ_read(struct file *file, char __user *buf, goto free; while (count > 0) { size_t this_len, max_len; @@ -83191,7 +83696,7 @@ index aa50d1a..c202cde 100644 if (src >= (mm->env_end - mm->env_start)) break; -@@ -1582,7 +1670,7 @@ static const char *proc_pid_follow_link(struct dentry *dentry, void **cookie) +@@ -1579,7 +1667,7 @@ static const char *proc_pid_follow_link(struct dentry *dentry, void **cookie) int error = -EACCES; /* Are we allowed to snoop on the tasks file descriptors? */ @@ -83200,7 +83705,7 @@ index aa50d1a..c202cde 100644 goto out; error = PROC_I(inode)->op.proc_get_link(dentry, &path); -@@ -1626,8 +1714,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b +@@ -1623,8 +1711,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b struct path path; /* Are we allowed to snoop on the tasks file descriptors? */ @@ -83221,7 +83726,7 @@ index aa50d1a..c202cde 100644 error = PROC_I(inode)->op.proc_get_link(dentry, &path); if (error) -@@ -1677,7 +1775,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t +@@ -1674,7 +1772,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t rcu_read_lock(); cred = __task_cred(task); inode->i_uid = cred->euid; @@ -83233,7 +83738,7 @@ index aa50d1a..c202cde 100644 rcu_read_unlock(); } security_task_to_inode(task, inode); -@@ -1713,10 +1815,19 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) +@@ -1710,10 +1812,19 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) return -ENOENT; } if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) || @@ -83253,7 +83758,7 @@ index aa50d1a..c202cde 100644 } } rcu_read_unlock(); -@@ -1754,11 +1865,20 @@ int pid_revalidate(struct dentry *dentry, unsigned int flags) +@@ -1751,11 +1862,20 @@ int pid_revalidate(struct dentry *dentry, unsigned int flags) if (task) { if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) || @@ -83274,7 +83779,34 @@ index aa50d1a..c202cde 100644 rcu_read_unlock(); } else { inode->i_uid = GLOBAL_ROOT_UID; -@@ -2290,6 +2410,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir, +@@ -1871,7 +1991,7 @@ static int map_files_d_revalidate(struct dentry *dentry, unsigned int flags) + if (!task) + goto out_notask; + +- mm = mm_access(task, PTRACE_MODE_READ); ++ mm = mm_access(task, PTRACE_MODE_READ_FSCREDS); + if (IS_ERR_OR_NULL(mm)) + goto out; + +@@ -2003,7 +2123,7 @@ static struct dentry *proc_map_files_lookup(struct inode *dir, + goto out; + + result = -EACCES; +- if (!ptrace_may_access(task, PTRACE_MODE_READ)) ++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) + goto out_put_task; + + result = -ENOENT; +@@ -2060,7 +2180,7 @@ proc_map_files_readdir(struct file *file, struct dir_context *ctx) + goto out; + + ret = -EACCES; +- if (!ptrace_may_access(task, PTRACE_MODE_READ)) ++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) + goto out_put_task; + + ret = 0; +@@ -2287,6 +2407,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir, if (!task) goto out_no_task; @@ -83284,7 +83816,7 @@ index aa50d1a..c202cde 100644 /* * Yes, it does not scale. And it should not. Don't add * new entries into /proc/<tgid>/ without very good reasons. -@@ -2320,6 +2443,9 @@ static int proc_pident_readdir(struct file *file, struct dir_context *ctx, +@@ -2317,6 +2440,9 @@ static int proc_pident_readdir(struct file *file, struct dir_context *ctx, if (!task) return -ENOENT; @@ -83294,7 +83826,16 @@ index aa50d1a..c202cde 100644 if (!dir_emit_dots(file, ctx)) goto out; -@@ -2764,7 +2890,7 @@ static const struct pid_entry tgid_base_stuff[] = { +@@ -2540,7 +2666,7 @@ static int do_io_accounting(struct task_struct *task, struct seq_file *m, int wh + if (result) + return result; + +- if (!ptrace_may_access(task, PTRACE_MODE_READ)) { ++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) { + result = -EACCES; + goto out_unlock; + } +@@ -2761,7 +2887,7 @@ static const struct pid_entry tgid_base_stuff[] = { REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations), #endif REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations), @@ -83303,7 +83844,7 @@ index aa50d1a..c202cde 100644 ONE("syscall", S_IRUSR, proc_pid_syscall), #endif REG("cmdline", S_IRUGO, proc_pid_cmdline_ops), -@@ -2789,10 +2915,10 @@ static const struct pid_entry tgid_base_stuff[] = { +@@ -2786,10 +2912,10 @@ static const struct pid_entry tgid_base_stuff[] = { #ifdef CONFIG_SECURITY DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations), #endif @@ -83316,7 +83857,7 @@ index aa50d1a..c202cde 100644 ONE("stack", S_IRUSR, proc_pid_stack), #endif #ifdef CONFIG_SCHED_INFO -@@ -2826,6 +2952,9 @@ static const struct pid_entry tgid_base_stuff[] = { +@@ -2823,6 +2949,9 @@ static const struct pid_entry tgid_base_stuff[] = { #ifdef CONFIG_HARDWALL ONE("hardwall", S_IRUGO, proc_pid_hardwall), #endif @@ -83326,7 +83867,7 @@ index aa50d1a..c202cde 100644 #ifdef CONFIG_USER_NS REG("uid_map", S_IRUGO|S_IWUSR, proc_uid_map_operations), REG("gid_map", S_IRUGO|S_IWUSR, proc_gid_map_operations), -@@ -2958,7 +3087,14 @@ static int proc_pid_instantiate(struct inode *dir, +@@ -2955,7 +3084,14 @@ static int proc_pid_instantiate(struct inode *dir, if (!inode) goto out; @@ -83341,7 +83882,7 @@ index aa50d1a..c202cde 100644 inode->i_op = &proc_tgid_base_inode_operations; inode->i_fop = &proc_tgid_base_operations; inode->i_flags|=S_IMMUTABLE; -@@ -2996,7 +3132,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, unsign +@@ -2993,7 +3129,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, unsign if (!task) goto out; @@ -83353,7 +83894,7 @@ index aa50d1a..c202cde 100644 put_task_struct(task); out: return ERR_PTR(result); -@@ -3110,7 +3250,7 @@ static const struct pid_entry tid_base_stuff[] = { +@@ -3107,7 +3247,7 @@ static const struct pid_entry tid_base_stuff[] = { REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations), #endif REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations), @@ -83362,7 +83903,7 @@ index aa50d1a..c202cde 100644 ONE("syscall", S_IRUSR, proc_pid_syscall), #endif REG("cmdline", S_IRUGO, proc_pid_cmdline_ops), -@@ -3137,10 +3277,10 @@ static const struct pid_entry tid_base_stuff[] = { +@@ -3134,10 +3274,10 @@ static const struct pid_entry tid_base_stuff[] = { #ifdef CONFIG_SECURITY DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations), #endif @@ -83778,6 +84319,28 @@ index d3ebf2e..abe1823 100644 #endif #ifdef CONFIG_TRANSPARENT_HUGEPAGE , K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) * +diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c +index f6e8354..1b0ea4a 100644 +--- a/fs/proc/namespaces.c ++++ b/fs/proc/namespaces.c +@@ -42,7 +42,7 @@ static const char *proc_ns_follow_link(struct dentry *dentry, void **cookie) + if (!task) + return error; + +- if (ptrace_may_access(task, PTRACE_MODE_READ)) { ++ if (ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) { + error = ns_get_path(&ns_path, task, ns_ops); + if (!error) + nd_jump_link(&ns_path); +@@ -63,7 +63,7 @@ static int proc_ns_readlink(struct dentry *dentry, char __user *buffer, int bufl + if (!task) + return res; + +- if (ptrace_may_access(task, PTRACE_MODE_READ)) { ++ if (ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) { + res = ns_get_name(name, sizeof(name), task, ns_ops); + if (res >= 0) + res = readlink_copy(buffer, buflen, name); diff --git a/fs/proc/nommu.c b/fs/proc/nommu.c index f8595e8..e0d13cbd 100644 --- a/fs/proc/nommu.c @@ -84213,7 +84776,7 @@ index 510413eb..34d9a8c 100644 seq_printf(p, "softirq %llu", (unsigned long long)sum_softirq); diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index ca1e091..12dd9f1 100644 +index ca1e091..41c80d6 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -13,12 +13,19 @@ @@ -84381,6 +84944,15 @@ index ca1e091..12dd9f1 100644 mss.resident >> 10, (unsigned long)(mss.pss >> (10 + PSS_SHIFT)), mss.shared_clean >> 10, +@@ -1257,7 +1308,7 @@ static ssize_t pagemap_read(struct file *file, char __user *buf, + if (!pm.buffer) + goto out_task; + +- mm = mm_access(task, PTRACE_MODE_READ); ++ mm = mm_access(task, PTRACE_MODE_READ_FSCREDS); + ret = PTR_ERR(mm); + if (!mm || IS_ERR(mm)) + goto out_free; @@ -1491,6 +1542,13 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid) char buffer[64]; int nid; @@ -84540,7 +85112,7 @@ index 819ef3f..f07222d 100644 count = MAX_RW_COUNT; ret = __vfs_write(file, p, count, pos); diff --git a/fs/readdir.c b/fs/readdir.c -index ced6791..936687b 100644 +index ced6791..e0500c1 100644 --- a/fs/readdir.c +++ b/fs/readdir.c @@ -18,6 +18,7 @@ @@ -84624,7 +85196,7 @@ index ced6791..936687b 100644 dirent = buf->previous; if (dirent) { if (__put_user(offset, &dirent->d_off)) -@@ -293,6 +311,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int, fd, +@@ -293,13 +311,13 @@ SYSCALL_DEFINE3(getdents64, unsigned int, fd, if (!f.file) return -EBADF; @@ -84632,6 +85204,14 @@ index ced6791..936687b 100644 error = iterate_dir(f.file, &buf.ctx); if (error >= 0) error = buf.error; + lastdirent = buf.previous; + if (lastdirent) { +- typeof(lastdirent->d_off) d_off = buf.ctx.pos; +- if (__put_user(d_off, &lastdirent->d_off)) ++ if (__put_user(buf.ctx.pos, &lastdirent->d_off)) + error = -EFAULT; + else + error = count - buf.count; diff --git a/fs/reiserfs/do_balan.c b/fs/reiserfs/do_balan.c index 9c02d96..6562c10 100644 --- a/fs/reiserfs/do_balan.c @@ -85116,6 +85696,20 @@ index cccc1aa..7fe8951 100644 generic_fillattr(inode, stat); return 0; +diff --git a/fs/super.c b/fs/super.c +index b613723..08704f9 100644 +--- a/fs/super.c ++++ b/fs/super.c +@@ -333,7 +333,8 @@ EXPORT_SYMBOL(deactivate_super); + * called for superblocks not in rundown mode (== ones still on ->fs_supers + * of their type), so increment of ->s_count is OK here. + */ +-static int grab_super(struct super_block *s) __releases(sb_lock) ++static int grab_super(struct super_block *s) __releases(&sb_lock); ++static int grab_super(struct super_block *s) + { + s->s_count++; + spin_unlock(&sb_lock); diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c index 94374e4..b5da3a1 100644 --- a/fs/sysfs/dir.c @@ -97754,7 +98348,7 @@ index ea17cca..dd56e56 100644 if (small_const_nbits(nbits)) return hweight_long(*src & BITMAP_LAST_WORD_MASK(nbits)); diff --git a/include/linux/bitops.h b/include/linux/bitops.h -index 297f5bd..5892caa 100644 +index 297f5bd..7812342 100644 --- a/include/linux/bitops.h +++ b/include/linux/bitops.h @@ -75,7 +75,7 @@ static __inline__ int get_count_order(unsigned int count) @@ -97766,15 +98360,18 @@ index 297f5bd..5892caa 100644 { return sizeof(w) == 4 ? hweight32(w) : hweight64(w); } -@@ -105,7 +105,7 @@ static inline __u64 ror64(__u64 word, unsigned int shift) +@@ -105,9 +105,9 @@ static inline __u64 ror64(__u64 word, unsigned int shift) * @word: value to rotate * @shift: bits to roll */ -static inline __u32 rol32(__u32 word, unsigned int shift) +static inline __u32 __intentional_overflow(-1) rol32(__u32 word, unsigned int shift) { - return (word << shift) | (word >> (32 - shift)); +- return (word << shift) | (word >> (32 - shift)); ++ return (word << shift) | (word >> ((-shift) & 31)); } + + /** @@ -115,7 +115,7 @@ static inline __u32 rol32(__u32 word, unsigned int shift) * @word: value to rotate * @shift: bits to roll @@ -97994,7 +98591,7 @@ index dfaa7b3..58cebfb 100644 * Mark a position in code as unreachable. This can be used to * suppress control flow warnings after asm blocks that transfer diff --git a/include/linux/compiler.h b/include/linux/compiler.h -index e08a6ae..8d965c5 100644 +index e08a6ae..42d2098 100644 --- a/include/linux/compiler.h +++ b/include/linux/compiler.h @@ -5,11 +5,14 @@ @@ -98012,7 +98609,7 @@ index e08a6ae..8d965c5 100644 # define __must_hold(x) __attribute__((context(x,1,1))) # define __acquires(x) __attribute__((context(x,0,1))) # define __releases(x) __attribute__((context(x,1,0))) -@@ -17,21 +20,39 @@ +@@ -17,33 +20,78 @@ # define __release(x) __context__(x,-1) # define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0) # define __percpu __attribute__((noderef, address_space(3))) @@ -98032,10 +98629,34 @@ index e08a6ae..8d965c5 100644 -# define __user -# define __kernel +# ifdef CHECKER_PLUGIN ++# ifdef CHECKER_PLUGIN_USER +//# define __user +//# define __force_user +//# define __kernel +//# define __force_kernel ++# else ++# define __user ++# define __force_user ++# define __kernel ++# define __force_kernel ++# endif ++# ifdef CHECKER_PLUGIN_CONTEXT ++# define __must_hold(x) __attribute__((context(#x,1,1))) ++# define __acquires(x) __attribute__((context(#x,0,1))) ++# define __releases(x) __attribute__((context(#x,1,0))) ++# define __acquire(x) __context__(#x,1) ++# define __release(x) __context__(#x,-1) ++# define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0) ++# define __cond_unlock(x,c) ((c) ? ({ __release(x); 1; }) : 0) ++# else ++# define __must_hold(x) ++# define __acquires(x) ++# define __releases(x) ++# define __acquire(x) (void)0 ++# define __release(x) (void)0 ++# define __cond_lock(x,c) (c) ++# define __cond_unlock(x,c) (c) ++# endif +# else +# ifdef STRUCTLEAK_PLUGIN +# define __user __attribute__((user)) @@ -98045,6 +98666,12 @@ index e08a6ae..8d965c5 100644 +# define __force_user +# define __kernel +# define __force_kernel ++# define __must_hold(x) ++# define __acquires(x) ++# define __releases(x) ++# define __acquire(x) (void)0 ++# define __release(x) (void)0 ++# define __cond_lock(x,c) (c) +# endif # define __safe # define __force @@ -98054,9 +98681,12 @@ index e08a6ae..8d965c5 100644 # define __chk_user_ptr(x) (void)0 # define __chk_io_ptr(x) (void)0 # define __builtin_warning(x, y...) (1) -@@ -42,8 +63,11 @@ extern void __chk_io_ptr(const volatile void __iomem *); - # define __release(x) (void)0 - # define __cond_lock(x,c) (c) +-# define __must_hold(x) +-# define __acquires(x) +-# define __releases(x) +-# define __acquire(x) (void)0 +-# define __release(x) (void)0 +-# define __cond_lock(x,c) (c) # define __percpu +# define __force_percpu # define __rcu @@ -98066,7 +98696,7 @@ index e08a6ae..8d965c5 100644 #endif /* Indirect macros required for expanded argument pasting, eg. __LINE__. */ -@@ -198,34 +222,6 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); +@@ -198,34 +246,6 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); #include <uapi/linux/types.h> @@ -98101,7 +98731,7 @@ index e08a6ae..8d965c5 100644 /* * Prevent the compiler from merging or refetching reads or writes. The * compiler is also forbidden from reordering successive instances of -@@ -248,11 +244,16 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s +@@ -248,11 +268,16 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s * required ordering. */ @@ -98122,7 +98752,7 @@ index e08a6ae..8d965c5 100644 /** * READ_ONCE_CTRL - Read a value heading a control dependency -@@ -370,6 +371,38 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s +@@ -370,6 +395,38 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s # define __attribute_const__ /* unimplemented */ #endif @@ -98161,7 +98791,7 @@ index e08a6ae..8d965c5 100644 /* * Tell gcc if a function is cold. The compiler will assume any path * directly leading to the call is unlikely. -@@ -379,6 +412,22 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s +@@ -379,6 +436,22 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s #define __cold #endif @@ -98184,7 +98814,7 @@ index e08a6ae..8d965c5 100644 /* Simple shorthand for a section definition */ #ifndef __section # define __section(S) __attribute__ ((__section__(#S))) -@@ -393,6 +442,8 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s +@@ -393,6 +466,8 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s # define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b)) #endif @@ -98193,7 +98823,7 @@ index e08a6ae..8d965c5 100644 /* Is this type a native word size -- useful for atomic operations */ #ifndef __native_word # define __native_word(t) (sizeof(t) == sizeof(char) || sizeof(t) == sizeof(short) || sizeof(t) == sizeof(int) || sizeof(t) == sizeof(long)) -@@ -472,8 +523,9 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s +@@ -472,8 +547,9 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s */ #define __ACCESS_ONCE(x) ({ \ __maybe_unused typeof(x) __var = (__force typeof(x)) 0; \ @@ -102074,6 +102704,41 @@ index 42dfc61..8113a99 100644 extern const struct proc_ns_operations netns_operations; extern const struct proc_ns_operations utsns_operations; +diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h +index 987a73a..998c098 100644 +--- a/include/linux/ptrace.h ++++ b/include/linux/ptrace.h +@@ -56,7 +56,29 @@ extern void exit_ptrace(struct task_struct *tracer, struct list_head *dead); + #define PTRACE_MODE_READ 0x01 + #define PTRACE_MODE_ATTACH 0x02 + #define PTRACE_MODE_NOAUDIT 0x04 +-/* Returns true on success, false on denial. */ ++#define PTRACE_MODE_FSCREDS 0x08 ++#define PTRACE_MODE_REALCREDS 0x10 ++ ++/* shorthands for READ/ATTACH and FSCREDS/REALCREDS combinations */ ++#define PTRACE_MODE_READ_FSCREDS (PTRACE_MODE_READ | PTRACE_MODE_FSCREDS) ++#define PTRACE_MODE_READ_REALCREDS (PTRACE_MODE_READ | PTRACE_MODE_REALCREDS) ++#define PTRACE_MODE_ATTACH_FSCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS) ++#define PTRACE_MODE_ATTACH_REALCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS) ++ ++/** ++ * ptrace_may_access - check whether the caller is permitted to access ++ * a target task. ++ * @task: target task ++ * @mode: selects type of access and caller credentials ++ * ++ * Returns true on success, false on denial. ++ * ++ * One of the flags PTRACE_MODE_FSCREDS and PTRACE_MODE_REALCREDS must ++ * be set in @mode to specify whether the access was requested through ++ * a filesystem syscall (should use effective capabilities and fsuid ++ * of the caller) or through an explicit syscall such as ++ * process_vm_writev or ptrace (and should use the real credentials). ++ */ + extern bool ptrace_may_access(struct task_struct *task, unsigned int mode); + + static inline int ptrace_reparented(struct task_struct *child) diff --git a/include/linux/quota.h b/include/linux/quota.h index b2505ac..5f7ab55 100644 --- a/include/linux/quota.h @@ -102197,6 +102862,74 @@ index 17c6b1f..a65e3f8 100644 /** * hlist_del_init_rcu - deletes entry from hash list with re-initialization * @n: the element to delete from the hash list. +diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h +index 4cf5f51..87c7c91 100644 +--- a/include/linux/rcupdate.h ++++ b/include/linux/rcupdate.h +@@ -840,6 +840,7 @@ static inline void rcu_preempt_sleep_check(void) + * read-side critical sections may be preempted and they may also block, but + * only when acquiring spinlocks that are subject to priority inheritance. + */ ++static inline void rcu_read_lock(void) __acquires(RCU); + static inline void rcu_read_lock(void) + { + __rcu_read_lock(); +@@ -894,6 +895,7 @@ static inline void rcu_read_lock(void) + * + * See rcu_read_lock() for more information. + */ ++static inline void rcu_read_unlock(void) __releases(RCU); + static inline void rcu_read_unlock(void) + { + rcu_lockdep_assert(rcu_is_watching(), +@@ -920,6 +922,7 @@ static inline void rcu_read_unlock(void) + * rcu_read_unlock_bh() from one task if the matching rcu_read_lock_bh() + * was invoked from some other task. + */ ++static inline void rcu_read_lock_bh(void) __acquires(RCU_BH); + static inline void rcu_read_lock_bh(void) + { + local_bh_disable(); +@@ -934,6 +937,7 @@ static inline void rcu_read_lock_bh(void) + * + * See rcu_read_lock_bh() for more information. + */ ++static inline void rcu_read_unlock_bh(void) __releases(RCU_BH); + static inline void rcu_read_unlock_bh(void) + { + rcu_lockdep_assert(rcu_is_watching(), +@@ -956,6 +960,7 @@ static inline void rcu_read_unlock_bh(void) + * rcu_read_unlock_sched() from process context if the matching + * rcu_read_lock_sched() was invoked from an NMI handler. + */ ++static inline void rcu_read_lock_sched(void) __acquires(RCU_SCHED); + static inline void rcu_read_lock_sched(void) + { + preempt_disable(); +@@ -966,6 +971,7 @@ static inline void rcu_read_lock_sched(void) + } + + /* Used by lockdep and tracing: cannot be traced, cannot call lockdep. */ ++static inline notrace void rcu_read_lock_sched_notrace(void) __acquires(RCU_SCHED); + static inline notrace void rcu_read_lock_sched_notrace(void) + { + preempt_disable_notrace(); +@@ -977,6 +983,7 @@ static inline notrace void rcu_read_lock_sched_notrace(void) + * + * See rcu_read_lock_sched for more information. + */ ++static inline void rcu_read_unlock_sched(void) __releases(RCU_SCHED); + static inline void rcu_read_unlock_sched(void) + { + rcu_lockdep_assert(rcu_is_watching(), +@@ -987,6 +994,7 @@ static inline void rcu_read_unlock_sched(void) + } + + /* Used by lockdep and tracing: cannot be traced, cannot call lockdep. */ ++static inline notrace void rcu_read_unlock_sched_notrace(void) __releases(RCU_SCHED); + static inline notrace void rcu_read_unlock_sched_notrace(void) + { + __release(RCU_SCHED); diff --git a/include/linux/reboot.h b/include/linux/reboot.h index a7ff409..03e2fa8 100644 --- a/include/linux/reboot.h @@ -102324,7 +103057,7 @@ index 9b1ef0c..9fa3feb 100644 /* diff --git a/include/linux/sched.h b/include/linux/sched.h -index bfca8aa..ac50d1b 100644 +index bfca8aa..d0aedec 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -7,7 +7,7 @@ @@ -102641,6 +103374,15 @@ index bfca8aa..ac50d1b 100644 extern struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns); +@@ -2445,7 +2575,7 @@ extern void proc_caches_init(void); + extern void flush_signals(struct task_struct *); + extern void ignore_signals(struct task_struct *); + extern void flush_signal_handlers(struct task_struct *, int force_default); +-extern int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info); ++extern int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info) __must_hold(&tsk->sighand->siglock); + + static inline int dequeue_signal_lock(struct task_struct *tsk, sigset_t *mask, siginfo_t *info) + { @@ -2591,7 +2721,7 @@ extern void __cleanup_sighand(struct sighand_struct *); extern void exit_itimers(struct signal_struct *); extern void flush_itimer_signals(void); @@ -102650,7 +103392,21 @@ index bfca8aa..ac50d1b 100644 extern int do_execve(struct filename *, const char __user * const __user *, -@@ -2796,9 +2926,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) +@@ -2706,11 +2836,13 @@ static inline int thread_group_empty(struct task_struct *p) + * It must not be nested with write_lock_irq(&tasklist_lock), + * neither inside nor outside. + */ ++static inline void task_lock(struct task_struct *p) __acquires(&p->alloc_lock); + static inline void task_lock(struct task_struct *p) + { + spin_lock(&p->alloc_lock); + } + ++static inline void task_unlock(struct task_struct *p) __releases(&p->alloc_lock); + static inline void task_unlock(struct task_struct *p) + { + spin_unlock(&p->alloc_lock); +@@ -2796,9 +2928,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) #define task_stack_end_corrupted(task) \ (*(end_of_stack(task)) != STACK_END_MAGIC) @@ -102750,6 +103506,82 @@ index d4c7271..abf5706 100644 int single_open_size(struct file *, int (*)(struct seq_file *, void *), void *, size_t); int single_release(struct inode *, struct file *); void *__seq_open_private(struct file *, const struct seq_operations *, int); +diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h +index e058210..386666a 100644 +--- a/include/linux/seqlock.h ++++ b/include/linux/seqlock.h +@@ -440,42 +440,49 @@ static inline unsigned read_seqretry(const seqlock_t *sl, unsigned start) + * Acts like a normal spin_lock/unlock. + * Don't need preempt_disable() because that is in the spin_lock already. + */ ++static inline void write_seqlock(seqlock_t *sl) __acquires(sl); + static inline void write_seqlock(seqlock_t *sl) + { + spin_lock(&sl->lock); + write_seqcount_begin(&sl->seqcount); + } + ++static inline void write_sequnlock(seqlock_t *sl) __releases(sl); + static inline void write_sequnlock(seqlock_t *sl) + { + write_seqcount_end(&sl->seqcount); + spin_unlock(&sl->lock); + } + ++static inline void write_seqlock_bh(seqlock_t *sl) __acquires(sl); + static inline void write_seqlock_bh(seqlock_t *sl) + { + spin_lock_bh(&sl->lock); + write_seqcount_begin(&sl->seqcount); + } + ++static inline void write_sequnlock_bh(seqlock_t *sl) __releases(sl); + static inline void write_sequnlock_bh(seqlock_t *sl) + { + write_seqcount_end(&sl->seqcount); + spin_unlock_bh(&sl->lock); + } + ++static inline void write_seqlock_irq(seqlock_t *sl) __acquires(sl); + static inline void write_seqlock_irq(seqlock_t *sl) + { + spin_lock_irq(&sl->lock); + write_seqcount_begin(&sl->seqcount); + } + ++static inline void write_sequnlock_irq(seqlock_t *sl) __releases(sl); + static inline void write_sequnlock_irq(seqlock_t *sl) + { + write_seqcount_end(&sl->seqcount); + spin_unlock_irq(&sl->lock); + } + ++static inline unsigned long __write_seqlock_irqsave(seqlock_t *sl) __acquires(sl); + static inline unsigned long __write_seqlock_irqsave(seqlock_t *sl) + { + unsigned long flags; +@@ -488,6 +495,7 @@ static inline unsigned long __write_seqlock_irqsave(seqlock_t *sl) + #define write_seqlock_irqsave(lock, flags) \ + do { flags = __write_seqlock_irqsave(lock); } while (0) + ++static inline void write_sequnlock_irqrestore(seqlock_t *sl, unsigned long flags) __releases(sl); + static inline void + write_sequnlock_irqrestore(seqlock_t *sl, unsigned long flags) + { +@@ -500,11 +508,13 @@ write_sequnlock_irqrestore(seqlock_t *sl, unsigned long flags) + * but doesn't update the sequence number. Acts like a normal spin_lock/unlock. + * Don't need preempt_disable() because that is in the spin_lock already. + */ ++static inline void read_seqlock_excl(seqlock_t *sl) __acquires(sl); + static inline void read_seqlock_excl(seqlock_t *sl) + { + spin_lock(&sl->lock); + } + ++static inline void read_sequnlock_excl(seqlock_t *sl) __releases(sl); + static inline void read_sequnlock_excl(seqlock_t *sl) + { + spin_unlock(&sl->lock); diff --git a/include/linux/shm.h b/include/linux/shm.h index 6fb8016..2cf60e7 100644 --- a/include/linux/shm.h @@ -103026,6 +103858,112 @@ index 680f9a3..f13aeb0 100644 __SONET_ITEMS #undef __HANDLE_ITEM }; +diff --git a/include/linux/spinlock.h b/include/linux/spinlock.h +index 0063b24..b2f35f7 100644 +--- a/include/linux/spinlock.h ++++ b/include/linux/spinlock.h +@@ -152,14 +152,17 @@ do { \ + extern int do_raw_spin_trylock(raw_spinlock_t *lock); + extern void do_raw_spin_unlock(raw_spinlock_t *lock) __releases(lock); + #else +-static inline void do_raw_spin_lock(raw_spinlock_t *lock) __acquires(lock) ++static inline void do_raw_spin_lock(raw_spinlock_t *lock) __acquires(lock); ++static inline void do_raw_spin_lock(raw_spinlock_t *lock) + { + __acquire(lock); + arch_spin_lock(&lock->raw_lock); + } + + static inline void +-do_raw_spin_lock_flags(raw_spinlock_t *lock, unsigned long *flags) __acquires(lock) ++do_raw_spin_lock_flags(raw_spinlock_t *lock, unsigned long *flags) __acquires(lock); ++static inline void ++do_raw_spin_lock_flags(raw_spinlock_t *lock, unsigned long *flags) + { + __acquire(lock); + arch_spin_lock_flags(&lock->raw_lock, *flags); +@@ -170,7 +173,8 @@ static inline int do_raw_spin_trylock(raw_spinlock_t *lock) + return arch_spin_trylock(&(lock)->raw_lock); + } + +-static inline void do_raw_spin_unlock(raw_spinlock_t *lock) __releases(lock) ++static inline void do_raw_spin_unlock(raw_spinlock_t *lock) __releases(lock); ++static inline void do_raw_spin_unlock(raw_spinlock_t *lock) + { + arch_spin_unlock(&lock->raw_lock); + __release(lock); +@@ -307,11 +311,13 @@ do { \ + raw_spin_lock_init(&(_lock)->rlock); \ + } while (0) + ++static inline void spin_lock(spinlock_t *lock) __acquires(lock); + static inline void spin_lock(spinlock_t *lock) + { + raw_spin_lock(&lock->rlock); + } + ++static inline void spin_lock_bh(spinlock_t *lock) __acquires(lock); + static inline void spin_lock_bh(spinlock_t *lock) + { + raw_spin_lock_bh(&lock->rlock); +@@ -337,6 +343,7 @@ do { \ + raw_spin_lock_nest_lock(spinlock_check(lock), nest_lock); \ + } while (0) + ++static inline void spin_lock_irq(spinlock_t *lock) __acquires(lock); + static inline void spin_lock_irq(spinlock_t *lock) + { + raw_spin_lock_irq(&lock->rlock); +@@ -352,21 +359,25 @@ do { \ + raw_spin_lock_irqsave_nested(spinlock_check(lock), flags, subclass); \ + } while (0) + ++static inline void spin_unlock(spinlock_t *lock) __releases(lock); + static inline void spin_unlock(spinlock_t *lock) + { + raw_spin_unlock(&lock->rlock); + } + ++static inline void spin_unlock_bh(spinlock_t *lock) __releases(lock); + static inline void spin_unlock_bh(spinlock_t *lock) + { + raw_spin_unlock_bh(&lock->rlock); + } + ++static inline void spin_unlock_irq(spinlock_t *lock) __releases(lock); + static inline void spin_unlock_irq(spinlock_t *lock) + { + raw_spin_unlock_irq(&lock->rlock); + } + ++static inline void spin_unlock_irqrestore(spinlock_t *lock, unsigned long flags) __releases(lock); + static inline void spin_unlock_irqrestore(spinlock_t *lock, unsigned long flags) + { + raw_spin_unlock_irqrestore(&lock->rlock, flags); +diff --git a/include/linux/srcu.h b/include/linux/srcu.h +index bdeb456..6412bb0 100644 +--- a/include/linux/srcu.h ++++ b/include/linux/srcu.h +@@ -213,7 +213,8 @@ static inline int srcu_read_lock_held(struct srcu_struct *sp) + * srcu_read_unlock() in an irq handler if the matching srcu_read_lock() + * was invoked in process context. + */ +-static inline int srcu_read_lock(struct srcu_struct *sp) __acquires(sp) ++static inline int srcu_read_lock(struct srcu_struct *sp) __acquires(sp); ++static inline int srcu_read_lock(struct srcu_struct *sp) + { + int retval = __srcu_read_lock(sp); + +@@ -228,8 +229,8 @@ static inline int srcu_read_lock(struct srcu_struct *sp) __acquires(sp) + * + * Exit an SRCU read-side critical section. + */ ++static inline void srcu_read_unlock(struct srcu_struct *sp, int idx) __releases(sp); + static inline void srcu_read_unlock(struct srcu_struct *sp, int idx) +- __releases(sp) + { + rcu_lock_release(&(sp)->dep_map); + __srcu_read_unlock(sp, idx); diff --git a/include/linux/sunrpc/addr.h b/include/linux/sunrpc/addr.h index 07d8e53..dc934c9 100644 --- a/include/linux/sunrpc/addr.h @@ -103143,7 +104081,7 @@ index e7a018e..49f8b17 100644 extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page, unsigned long offset, size_t size, diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h -index b45c45b..a6ae64c 100644 +index b45c45b..2a4f077 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -102,7 +102,12 @@ union bpf_attr; @@ -103198,6 +104136,15 @@ index b45c45b..a6ae64c 100644 const struct timespec __user *timeout); asmlinkage long sys_shmat(int shmid, char __user *shmaddr, int shmflg); asmlinkage long sys_shmget(key_t key, size_t size, int flag); +@@ -878,7 +883,7 @@ asmlinkage long sys_seccomp(unsigned int op, unsigned int flags, + const char __user *uargs); + asmlinkage long sys_getrandom(char __user *buf, size_t count, + unsigned int flags); +-asmlinkage long sys_bpf(int cmd, union bpf_attr *attr, unsigned int size); ++asmlinkage long sys_bpf(int cmd, union bpf_attr __user *attr, unsigned int size); + + asmlinkage long sys_execveat(int dfd, const char __user *filename, + const char __user *const __user *argv, diff --git a/include/linux/syscore_ops.h b/include/linux/syscore_ops.h index 27b3b0b..e093dd9 100644 --- a/include/linux/syscore_ops.h @@ -103365,7 +104312,7 @@ index ff307b5..f1a4468 100644 #endif /* _LINUX_THREAD_INFO_H */ diff --git a/include/linux/tty.h b/include/linux/tty.h -index ad6c891..93a8f45 100644 +index 342a760..24296fa 100644 --- a/include/linux/tty.h +++ b/include/linux/tty.h @@ -225,7 +225,7 @@ struct tty_port { @@ -103395,6 +104342,26 @@ index ad6c891..93a8f45 100644 } extern int tty_register_ldisc(int disc, struct tty_ldisc_ops *new_ldisc); +@@ -605,7 +605,7 @@ extern void n_tty_inherit_ops(struct tty_ldisc_ops *ops); + + /* tty_audit.c */ + #ifdef CONFIG_AUDIT +-extern void tty_audit_add_data(struct tty_struct *tty, const void *data, ++extern void tty_audit_add_data(struct tty_struct *tty, const unsigned char *data, + size_t size, unsigned icanon); + extern void tty_audit_exit(void); + extern void tty_audit_fork(struct signal_struct *sig); +@@ -613,8 +613,8 @@ extern void tty_audit_tiocsti(struct tty_struct *tty, char ch); + extern void tty_audit_push(struct tty_struct *tty); + extern int tty_audit_push_current(void); + #else +-static inline void tty_audit_add_data(struct tty_struct *tty, const void *data, +- size_t size, unsigned icanon) ++static inline void tty_audit_add_data(struct tty_struct *tty, ++ const unsigned char *data, size_t size, unsigned icanon) + { + } + static inline void tty_audit_tiocsti(struct tty_struct *tty, char ch) diff --git a/include/linux/tty_driver.h b/include/linux/tty_driver.h index 92e337c..f46757b 100644 --- a/include/linux/tty_driver.h @@ -103861,6 +104828,21 @@ index 82e7db7..f8ce3d0 100644 } static inline void __inc_zone_page_state(struct page *page, +diff --git a/include/linux/writeback.h b/include/linux/writeback.h +index b333c94..6b59f39 100644 +--- a/include/linux/writeback.h ++++ b/include/linux/writeback.h +@@ -277,8 +277,9 @@ static inline void inode_detach_wb(struct inode *inode) + } + + static inline void wbc_attach_and_unlock_inode(struct writeback_control *wbc, ++ struct inode *inode) __releases(&inode->i_lock); ++static inline void wbc_attach_and_unlock_inode(struct writeback_control *wbc, + struct inode *inode) +- __releases(&inode->i_lock) + { + spin_unlock(&inode->i_lock); + } diff --git a/include/linux/xattr.h b/include/linux/xattr.h index 91b0a68..0e9adf6 100644 --- a/include/linux/xattr.h @@ -104124,7 +105106,7 @@ index b8529aa..b0f7445 100644 stats->tx_errors++; stats->tx_aborted_errors++; diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h -index 5fa643b..d871e20 100644 +index ff6d78f..7b5933f 100644 --- a/include/net/ip_fib.h +++ b/include/net/ip_fib.h @@ -170,7 +170,7 @@ __be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh); @@ -105221,7 +106203,7 @@ index 7530e74..e714828 100644 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */ diff --git a/include/uapi/linux/swab.h b/include/uapi/linux/swab.h -index 0e011eb..82681b1 100644 +index 0e011eb..0020b3c 100644 --- a/include/uapi/linux/swab.h +++ b/include/uapi/linux/swab.h @@ -43,7 +43,7 @@ @@ -105229,7 +106211,7 @@ index 0e011eb..82681b1 100644 */ -static inline __attribute_const__ __u16 __fswab16(__u16 val) -+static inline __intentional_overflow(-1) __attribute_const__ __u16 __fswab16(__u16 val) ++static inline __intentional_overflow(0) __attribute_const__ __u16 __fswab16(__u16 val) { #ifdef __HAVE_BUILTIN_BSWAP16__ return __builtin_bswap16(val); @@ -105238,7 +106220,7 @@ index 0e011eb..82681b1 100644 } -static inline __attribute_const__ __u32 __fswab32(__u32 val) -+static inline __intentional_overflow(-1) __attribute_const__ __u32 __fswab32(__u32 val) ++static inline __intentional_overflow(0) __attribute_const__ __u32 __fswab32(__u32 val) { #ifdef __HAVE_BUILTIN_BSWAP32__ return __builtin_bswap32(val); @@ -105247,7 +106229,7 @@ index 0e011eb..82681b1 100644 } -static inline __attribute_const__ __u64 __fswab64(__u64 val) -+static inline __intentional_overflow(-1) __attribute_const__ __u64 __fswab64(__u64 val) ++static inline __intentional_overflow(0) __attribute_const__ __u64 __fswab64(__u64 val) { #ifdef __HAVE_BUILTIN_BSWAP64__ return __builtin_bswap64(val); @@ -105846,7 +106828,7 @@ index 9b3c85f..5266b0f 100644 { struct timespec __user *ts64; diff --git a/ipc/ipc_sysctl.c b/ipc/ipc_sysctl.c -index 8ad93c2..efd80f8 100644 +index 8ad93c2..54036e1 100644 --- a/ipc/ipc_sysctl.c +++ b/ipc/ipc_sysctl.c @@ -30,7 +30,7 @@ static void *get_ipc(struct ctl_table *table) @@ -105885,6 +106867,33 @@ index 8ad93c2..efd80f8 100644 int dummy = 0; memcpy(&ipc_table, table, sizeof(ipc_table)); +@@ -99,6 +99,8 @@ static int proc_ipc_auto_msgmni(struct ctl_table *table, int write, + static int zero; + static int one = 1; + static int int_max = INT_MAX; ++static unsigned long long_zero = 0; ++static unsigned long long_max = LONG_MAX; + + static struct ctl_table ipc_kern_table[] = { + { +@@ -107,6 +109,8 @@ static struct ctl_table ipc_kern_table[] = { + .maxlen = sizeof(init_ipc_ns.shm_ctlmax), + .mode = 0644, + .proc_handler = proc_ipc_doulongvec_minmax, ++ .extra1 = &long_zero, ++ .extra2 = &long_max, + }, + { + .procname = "shmall", +@@ -114,6 +118,8 @@ static struct ctl_table ipc_kern_table[] = { + .maxlen = sizeof(init_ipc_ns.shm_ctlall), + .mode = 0644, + .proc_handler = proc_ipc_doulongvec_minmax, ++ .extra1 = &long_zero, ++ .extra2 = &long_max, + }, + { + .procname = "shmmni", diff --git a/ipc/mq_sysctl.c b/ipc/mq_sysctl.c index 68d4e95..1477ded 100644 --- a/ipc/mq_sysctl.c @@ -106723,7 +107732,7 @@ index 41213454..861e178 100644 #ifdef CONFIG_MODULE_UNLOAD { diff --git a/kernel/events/core.c b/kernel/events/core.c -index e6feb51..470c853 100644 +index e6feb51..ce984cb 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -174,8 +174,15 @@ static struct srcu_struct pmus_srcu; @@ -106761,6 +107770,15 @@ index e6feb51..470c853 100644 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx, enum event_type_t event_type); +@@ -3296,7 +3303,7 @@ find_lively_task_by_vpid(pid_t vpid) + + /* Reuse ptrace permission checks for now. */ + err = -EACCES; +- if (!ptrace_may_access(task, PTRACE_MODE_READ)) ++ if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) + goto errout; + + return task; @@ -3753,9 +3760,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running) mutex_lock(&event->child_mutex); total += perf_event_read(event); @@ -106902,7 +107920,7 @@ index cb346f2..e4dc317 100644 pagefault_disable(); result = __copy_from_user_inatomic(&opcode, (void __user*)vaddr, diff --git a/kernel/exit.c b/kernel/exit.c -index 031325e..c6342c4 100644 +index 031325e..7ac751f 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -171,6 +171,10 @@ void release_task(struct task_struct *p) @@ -106916,7 +107934,27 @@ index 031325e..c6342c4 100644 /* don't need to get the RCU readlock here - the process is dead and * can't be modifying its own credentials. But shut RCU-lockdep up */ rcu_read_lock(); -@@ -656,6 +660,8 @@ void do_exit(long code) +@@ -450,9 +454,8 @@ static struct task_struct *find_alive_thread(struct task_struct *p) + return NULL; + } + ++static struct task_struct *find_child_reaper(struct task_struct *father) __must_hold(&tasklist_lock); + static struct task_struct *find_child_reaper(struct task_struct *father) +- __releases(&tasklist_lock) +- __acquires(&tasklist_lock) + { + struct pid_namespace *pid_ns = task_active_pid_ns(father); + struct task_struct *reaper = pid_ns->child_reaper; +@@ -549,6 +552,8 @@ static void reparent_leader(struct task_struct *father, struct task_struct *p, + * jobs, send them a SIGHUP and then a SIGCONT. (POSIX 3.2.2.2) + */ + static void forget_original_parent(struct task_struct *father, ++ struct list_head *dead) __must_hold(&tasklist_lock); ++static void forget_original_parent(struct task_struct *father, + struct list_head *dead) + { + struct task_struct *p, *t, *reaper; +@@ -656,6 +661,8 @@ void do_exit(long code) int group_dead; TASKS_RCU(int tasks_rcu_i); @@ -106925,7 +107963,7 @@ index 031325e..c6342c4 100644 profile_task_exit(tsk); WARN_ON(blk_needs_flush_plug(tsk)); -@@ -672,7 +678,6 @@ void do_exit(long code) +@@ -672,7 +679,6 @@ void do_exit(long code) * mm_release()->clear_child_tid() from writing to a user-controlled * kernel address. */ @@ -106933,7 +107971,7 @@ index 031325e..c6342c4 100644 ptrace_event(PTRACE_EVENT_EXIT, code); -@@ -730,6 +735,9 @@ void do_exit(long code) +@@ -730,6 +736,9 @@ void do_exit(long code) tsk->exit_code = code; taskstats_exit(tsk, group_dead); @@ -106943,7 +107981,7 @@ index 031325e..c6342c4 100644 exit_mm(tsk); if (group_dead) -@@ -847,7 +855,7 @@ SYSCALL_DEFINE1(exit, int, error_code) +@@ -847,7 +856,7 @@ SYSCALL_DEFINE1(exit, int, error_code) * Take down every thread in the group. This is called by fatal signals * as well as by sys_exit_group (below). */ @@ -106952,8 +107990,109 @@ index 031325e..c6342c4 100644 do_group_exit(int exit_code) { struct signal_struct *sig = current->signal; +@@ -964,6 +973,7 @@ static int wait_noreap_copyout(struct wait_opts *wo, struct task_struct *p, + * the lock and this task is uninteresting. If we return nonzero, we have + * released the lock and the system call should return. + */ ++static int wait_task_zombie(struct wait_opts *wo, struct task_struct *p) __must_hold(&tasklist_lock); + static int wait_task_zombie(struct wait_opts *wo, struct task_struct *p) + { + int state, retval, status; +@@ -980,6 +990,7 @@ static int wait_task_zombie(struct wait_opts *wo, struct task_struct *p) + + get_task_struct(p); + read_unlock(&tasklist_lock); ++ __acquire(&tasklist_lock); // XXX sparse can't model conditional release + sched_annotate_sleep(); + + if ((exit_code & 0x7f) == 0) { +@@ -1002,6 +1013,7 @@ static int wait_task_zombie(struct wait_opts *wo, struct task_struct *p) + * We own this thread, nobody else can reap it. + */ + read_unlock(&tasklist_lock); ++ __acquire(&tasklist_lock); // XXX sparse can't model conditional release + sched_annotate_sleep(); + + /* +@@ -1145,6 +1157,8 @@ static int *task_stopped_code(struct task_struct *p, bool ptrace) + * search should terminate. + */ + static int wait_task_stopped(struct wait_opts *wo, ++ int ptrace, struct task_struct *p) __must_hold(&tasklist_lock); ++static int wait_task_stopped(struct wait_opts *wo, + int ptrace, struct task_struct *p) + { + struct siginfo __user *infop; +@@ -1192,6 +1206,7 @@ unlock_sig: + pid = task_pid_vnr(p); + why = ptrace ? CLD_TRAPPED : CLD_STOPPED; + read_unlock(&tasklist_lock); ++ __acquire(&tasklist_lock); // XXX sparse can't model conditional release + sched_annotate_sleep(); + + if (unlikely(wo->wo_flags & WNOWAIT)) +@@ -1229,6 +1244,7 @@ unlock_sig: + * the lock and this task is uninteresting. If we return nonzero, we have + * released the lock and the system call should return. + */ ++static int wait_task_continued(struct wait_opts *wo, struct task_struct *p) __must_hold(&tasklist_lock); + static int wait_task_continued(struct wait_opts *wo, struct task_struct *p) + { + int retval; +@@ -1255,6 +1271,7 @@ static int wait_task_continued(struct wait_opts *wo, struct task_struct *p) + pid = task_pid_vnr(p); + get_task_struct(p); + read_unlock(&tasklist_lock); ++ __acquire(&tasklist_lock); // XXX sparse can't model conditional release + sched_annotate_sleep(); + + if (!wo->wo_info) { +@@ -1284,6 +1301,8 @@ static int wait_task_continued(struct wait_opts *wo, struct task_struct *p) + * or another error from security_task_wait(), or still -ECHILD. + */ + static int wait_consider_task(struct wait_opts *wo, int ptrace, ++ struct task_struct *p) __must_hold(&tasklist_lock); ++static int wait_consider_task(struct wait_opts *wo, int ptrace, + struct task_struct *p) + { + /* +@@ -1409,6 +1428,7 @@ static int wait_consider_task(struct wait_opts *wo, int ptrace, + * ->notask_error is 0 if there were any eligible children, + * or another error from security_task_wait(), or still -ECHILD. + */ ++static int do_wait_thread(struct wait_opts *wo, struct task_struct *tsk) __must_hold(&tasklist_lock); + static int do_wait_thread(struct wait_opts *wo, struct task_struct *tsk) + { + struct task_struct *p; +@@ -1423,6 +1443,7 @@ static int do_wait_thread(struct wait_opts *wo, struct task_struct *tsk) + return 0; + } + ++static int ptrace_do_wait(struct wait_opts *wo, struct task_struct *tsk) __must_hold(&tasklist_lock); + static int ptrace_do_wait(struct wait_opts *wo, struct task_struct *tsk) + { + struct task_struct *p; +@@ -1486,12 +1507,16 @@ repeat: + tsk = current; + do { + retval = do_wait_thread(wo, tsk); +- if (retval) ++ if (retval) { ++ __release(&tasklist_lock); // XXX sparse can't model conditional release + goto end; ++ } + + retval = ptrace_do_wait(wo, tsk); +- if (retval) ++ if (retval) { ++ __release(&tasklist_lock); // XXX sparse can't model conditional release + goto end; ++ } + + if (wo->wo_flags & __WNOTHREAD) + break; diff --git a/kernel/fork.c b/kernel/fork.c -index e769c8c..9fa1de5 100644 +index e769c8c..882ebbb 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -188,12 +188,54 @@ static void free_thread_info(struct thread_info *ti) @@ -107287,7 +108426,7 @@ index e769c8c..9fa1de5 100644 - if (mm && mm != current->mm && - !ptrace_may_access(task, mode)) { + if (mm && ((mm != current->mm && !ptrace_may_access(task, mode)) || -+ (mode == PTRACE_MODE_ATTACH && (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))))) { ++ ((mode & PTRACE_MODE_ATTACH) && (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))))) { mmput(mm); mm = ERR_PTR(-EACCES); } @@ -107408,7 +108547,7 @@ index e769c8c..9fa1de5 100644 int threads = max_threads; int min = MIN_THREADS; diff --git a/kernel/futex.c b/kernel/futex.c -index c4a182f..e789324 100644 +index c4a182f..32e2eac 100644 --- a/kernel/futex.c +++ b/kernel/futex.c @@ -201,7 +201,7 @@ struct futex_pi_state { @@ -107450,6 +108589,15 @@ index c4a182f..e789324 100644 pagefault_disable(); ret = __copy_from_user_inatomic(dest, from, sizeof(u32)); +@@ -2782,7 +2787,7 @@ SYSCALL_DEFINE3(get_robust_list, int, pid, + } + + ret = -EPERM; +- if (!ptrace_may_access(p, PTRACE_MODE_READ)) ++ if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS)) + goto err_unlock; + + head = p->robust_list; @@ -3030,6 +3035,7 @@ static void __init futex_detect_cmpxchg(void) { #ifndef CONFIG_HAVE_FUTEX_CMPXCHG @@ -107471,7 +108619,7 @@ index c4a182f..e789324 100644 } diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c -index 55c8c93..9ba7ad6 100644 +index 55c8c93..5adee02 100644 --- a/kernel/futex_compat.c +++ b/kernel/futex_compat.c @@ -32,7 +32,7 @@ fetch_robust_entry(compat_uptr_t *uentry, struct robust_list __user **entry, @@ -107483,6 +108631,15 @@ index 55c8c93..9ba7ad6 100644 compat_long_t futex_offset) { compat_uptr_t base = ptr_to_compat(entry); +@@ -155,7 +155,7 @@ COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid, + } + + ret = -EPERM; +- if (!ptrace_may_access(p, PTRACE_MODE_READ)) ++ if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS)) + goto err_unlock; + + head = p->compat_robust_list; diff --git a/kernel/gcov/base.c b/kernel/gcov/base.c index 7080ae1..c9b3761 100644 --- a/kernel/gcov/base.c @@ -107721,7 +108878,7 @@ index 5c5987f..bc502b0 100644 type, iter->name, iter->module_name); } else diff --git a/kernel/kcmp.c b/kernel/kcmp.c -index 0aa69ea..a7fcafb 100644 +index 0aa69ea..bcb17e3 100644 --- a/kernel/kcmp.c +++ b/kernel/kcmp.c @@ -100,6 +100,10 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type, @@ -107735,6 +108892,17 @@ index 0aa69ea..a7fcafb 100644 rcu_read_lock(); /* +@@ -122,8 +126,8 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type, + &task2->signal->cred_guard_mutex); + if (ret) + goto err; +- if (!ptrace_may_access(task1, PTRACE_MODE_READ) || +- !ptrace_may_access(task2, PTRACE_MODE_READ)) { ++ if (!ptrace_may_access(task1, PTRACE_MODE_READ_REALCREDS) || ++ !ptrace_may_access(task2, PTRACE_MODE_READ_REALCREDS)) { + ret = -EPERM; + goto err_unlock; + } diff --git a/kernel/kexec.c b/kernel/kexec.c index a785c10..6dbb06f 100644 --- a/kernel/kexec.c @@ -109675,10 +110843,74 @@ index a7bcd28..5b368fa 100644 } diff --git a/kernel/ptrace.c b/kernel/ptrace.c -index c8e0e05..2be5614 100644 +index c8e0e05..0a6d59d 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c -@@ -321,7 +321,7 @@ static int ptrace_attach(struct task_struct *task, long request, +@@ -219,6 +219,14 @@ static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode) + static int __ptrace_may_access(struct task_struct *task, unsigned int mode) + { + const struct cred *cred = current_cred(), *tcred; ++ int dumpable = 0; ++ kuid_t caller_uid; ++ kgid_t caller_gid; ++ ++ if (!(mode & PTRACE_MODE_FSCREDS) == !(mode & PTRACE_MODE_REALCREDS)) { ++ WARN(1, "denying ptrace access check without PTRACE_MODE_*CREDS\n"); ++ return -EPERM; ++ } + + /* May we inspect the given task? + * This check is used both for attaching with ptrace +@@ -228,18 +236,32 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) + * because setting up the necessary parent/child relationship + * or halting the specified task is impossible. + */ +- int dumpable = 0; + /* Don't let security modules deny introspection */ + if (same_thread_group(task, current)) + return 0; + rcu_read_lock(); ++ if (mode & PTRACE_MODE_FSCREDS) { ++ caller_uid = cred->fsuid; ++ caller_gid = cred->fsgid; ++ } else { ++ /* ++ * Using the euid would make more sense here, but something ++ * in userland might rely on the old behavior, and this ++ * shouldn't be a security problem since ++ * PTRACE_MODE_REALCREDS implies that the caller explicitly ++ * used a syscall that requests access to another process ++ * (and not a filesystem syscall to procfs). ++ */ ++ caller_uid = cred->uid; ++ caller_gid = cred->gid; ++ } + tcred = __task_cred(task); +- if (uid_eq(cred->uid, tcred->euid) && +- uid_eq(cred->uid, tcred->suid) && +- uid_eq(cred->uid, tcred->uid) && +- gid_eq(cred->gid, tcred->egid) && +- gid_eq(cred->gid, tcred->sgid) && +- gid_eq(cred->gid, tcred->gid)) ++ if (uid_eq(caller_uid, tcred->euid) && ++ uid_eq(caller_uid, tcred->suid) && ++ uid_eq(caller_uid, tcred->uid) && ++ gid_eq(caller_gid, tcred->egid) && ++ gid_eq(caller_gid, tcred->sgid) && ++ gid_eq(caller_gid, tcred->gid)) + goto ok; + if (ptrace_has_cap(tcred->user_ns, mode)) + goto ok; +@@ -306,7 +328,7 @@ static int ptrace_attach(struct task_struct *task, long request, + goto out; + + task_lock(task); +- retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH); ++ retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS); + task_unlock(task); + if (retval) + goto unlock_creds; +@@ -321,7 +343,7 @@ static int ptrace_attach(struct task_struct *task, long request, if (seize) flags |= PT_SEIZED; rcu_read_lock(); @@ -109687,7 +110919,7 @@ index c8e0e05..2be5614 100644 flags |= PT_PTRACE_CAP; rcu_read_unlock(); task->ptrace = flags; -@@ -514,7 +514,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst +@@ -514,7 +536,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst break; return -EIO; } @@ -109696,7 +110928,7 @@ index c8e0e05..2be5614 100644 return -EFAULT; copied += retval; src += retval; -@@ -802,7 +802,7 @@ int ptrace_request(struct task_struct *child, long request, +@@ -802,7 +824,7 @@ int ptrace_request(struct task_struct *child, long request, bool seized = child->ptrace & PT_SEIZED; int ret = -EIO; siginfo_t siginfo, *si; @@ -109705,7 +110937,7 @@ index c8e0e05..2be5614 100644 unsigned long __user *datalp = datavp; unsigned long flags; -@@ -1048,14 +1048,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr, +@@ -1048,14 +1070,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr, goto out; } @@ -109728,7 +110960,7 @@ index c8e0e05..2be5614 100644 goto out_put_task_struct; } -@@ -1083,7 +1090,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr, +@@ -1083,7 +1112,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr, copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0); if (copied != sizeof(tmp)) return -EIO; @@ -109737,7 +110969,7 @@ index c8e0e05..2be5614 100644 } int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr, -@@ -1176,7 +1183,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request, +@@ -1176,7 +1205,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request, } COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid, @@ -109746,7 +110978,7 @@ index c8e0e05..2be5614 100644 { struct task_struct *child; long ret; -@@ -1192,14 +1199,21 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid, +@@ -1192,14 +1221,21 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid, goto out; } @@ -110359,9 +111591,29 @@ index 3ea7ffc..cb06f2d 100644 } diff --git a/kernel/resource.c b/kernel/resource.c -index fed052a..ad13346 100644 +index fed052a..14936eb 100644 --- a/kernel/resource.c +++ b/kernel/resource.c +@@ -84,8 +84,8 @@ static void *r_next(struct seq_file *m, void *v, loff_t *pos) + + enum { MAX_IORES_LEVEL = 5 }; + ++static void *r_start(struct seq_file *m, loff_t *pos) __acquires(&resource_lock); + static void *r_start(struct seq_file *m, loff_t *pos) +- __acquires(resource_lock) + { + struct resource *p = m->private; + loff_t l = 0; +@@ -95,8 +95,8 @@ static void *r_start(struct seq_file *m, loff_t *pos) + return p; + } + ++static void r_stop(struct seq_file *m, void *v) __releases(&resource_lock); + static void r_stop(struct seq_file *m, void *v) +- __releases(resource_lock) + { + read_unlock(&resource_lock); + } @@ -162,8 +162,18 @@ static const struct file_operations proc_iomem_operations = { static int __init ioresources_init(void) @@ -110604,7 +111856,7 @@ index 08ab96b..82ab34c 100644 static inline void put_prev_task(struct rq *rq, struct task_struct *prev) { diff --git a/kernel/signal.c b/kernel/signal.c -index 0f6bbbe..d77d2c3 100644 +index 0f6bbbe..4791c7d 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -53,12 +53,12 @@ static struct kmem_cache *sigqueue_cachep; @@ -110650,7 +111902,15 @@ index 0f6bbbe..d77d2c3 100644 if (is_global_init(tsk)) return 1; if (handler != SIG_IGN && handler != SIG_DFL) -@@ -788,6 +791,13 @@ static int check_kill_permission(int sig, struct siginfo *info, +@@ -602,6 +605,7 @@ static int __dequeue_signal(struct sigpending *pending, sigset_t *mask, + * + * All callers have to hold the siglock. + */ ++int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info) __must_hold(&tsk->sighand->siglock); + int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info) + { + int signr; +@@ -788,6 +792,13 @@ static int check_kill_permission(int sig, struct siginfo *info, } } @@ -110664,7 +111924,7 @@ index 0f6bbbe..d77d2c3 100644 return security_task_kill(t, info, sig, 0); } -@@ -1171,7 +1181,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) +@@ -1171,7 +1182,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) return send_signal(sig, info, p, 1); } @@ -110673,7 +111933,7 @@ index 0f6bbbe..d77d2c3 100644 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t) { return send_signal(sig, info, t, 0); -@@ -1208,6 +1218,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) +@@ -1208,6 +1219,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) unsigned long int flags; int ret, blocked, ignored; struct k_sigaction *action; @@ -110681,7 +111941,7 @@ index 0f6bbbe..d77d2c3 100644 spin_lock_irqsave(&t->sighand->siglock, flags); action = &t->sighand->action[sig-1]; -@@ -1222,9 +1233,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) +@@ -1222,9 +1234,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) } if (action->sa.sa_handler == SIG_DFL) t->signal->flags &= ~SIGNAL_UNKILLABLE; @@ -110700,7 +111960,7 @@ index 0f6bbbe..d77d2c3 100644 return ret; } -@@ -1305,8 +1325,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) +@@ -1305,8 +1326,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) ret = check_kill_permission(sig, info, p); rcu_read_unlock(); @@ -110713,7 +111973,56 @@ index 0f6bbbe..d77d2c3 100644 return ret; } -@@ -2913,7 +2936,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) +@@ -1820,9 +1844,8 @@ static int sigkill_pending(struct task_struct *tsk) + * If we actually decide not to stop at all because the tracer + * is gone, we keep current->exit_code unless clear_code. + */ ++static void ptrace_stop(int exit_code, int why, int clear_code, siginfo_t *info) __must_hold(¤t->sighand->siglock); + static void ptrace_stop(int exit_code, int why, int clear_code, siginfo_t *info) +- __releases(¤t->sighand->siglock) +- __acquires(¤t->sighand->siglock) + { + bool gstop_done = false; + +@@ -1942,6 +1965,7 @@ static void ptrace_stop(int exit_code, int why, int clear_code, siginfo_t *info) + recalc_sigpending_tsk(current); + } + ++static void ptrace_do_notify(int signr, int exit_code, int why) __must_hold(¤t->sighand->siglock); + static void ptrace_do_notify(int signr, int exit_code, int why) + { + siginfo_t info; +@@ -1989,8 +2013,8 @@ void ptrace_notify(int exit_code) + * %false if group stop is already cancelled or ptrace trap is scheduled. + * %true if participated in group stop. + */ ++static bool do_signal_stop(int signr) __releases(¤t->sighand->siglock); + static bool do_signal_stop(int signr) +- __releases(¤t->sighand->siglock) + { + struct signal_struct *sig = current->signal; + +@@ -2002,8 +2026,10 @@ static bool do_signal_stop(int signr) + WARN_ON_ONCE(signr & ~JOBCTL_STOP_SIGMASK); + + if (!likely(current->jobctl & JOBCTL_STOP_DEQUEUED) || +- unlikely(signal_group_exit(sig))) ++ unlikely(signal_group_exit(sig))) { ++ __release(¤t->sighand->siglock); // XXX sparse can't model conditional release + return false; ++ } + /* + * There is no group stop already in progress. We must + * initiate one now. +@@ -2087,6 +2113,7 @@ static bool do_signal_stop(int signr) + * Schedule it and let the caller deal with it. + */ + task_set_jobctl_pending(current, JOBCTL_TRAP_STOP); ++ __release(¤t->sighand->siglock); // XXX sparse can't model conditional release + return false; + } + } +@@ -2913,7 +2940,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) int error = -ESRCH; rcu_read_lock(); @@ -110730,7 +112039,7 @@ index 0f6bbbe..d77d2c3 100644 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) { error = check_kill_permission(sig, info, p); /* -@@ -3242,8 +3273,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack, +@@ -3242,8 +3277,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack, } seg = get_fs(); set_fs(KERNEL_DS); @@ -112435,6 +113744,20 @@ index 7d567a4..407a28d 100644 mutex_lock(&syscall_trace_lock); sys_perf_refcount_exit--; +diff --git a/kernel/user.c b/kernel/user.c +index b069ccb..c59fe26 100644 +--- a/kernel/user.c ++++ b/kernel/user.c +@@ -127,8 +127,8 @@ static struct user_struct *uid_hash_find(kuid_t uid, struct hlist_head *hashent) + * IRQ state (as stored in flags) is restored and uidhash_lock released + * upon function exit. + */ ++static void free_user(struct user_struct *up, unsigned long flags) __releases(&uidhash_lock); + static void free_user(struct user_struct *up, unsigned long flags) +- __releases(&uidhash_lock) + { + uid_hash_remove(up); + spin_unlock_irqrestore(&uidhash_lock, flags); diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c index 4109f83..fe1f830 100644 --- a/kernel/user_namespace.c @@ -112497,10 +113820,32 @@ index a6ffa43..e48103b 100644 .thread_should_run = watchdog_should_run, .thread_fn = watchdog, diff --git a/kernel/workqueue.c b/kernel/workqueue.c -index 1de0f5fab..dbf1ec6 100644 +index 1de0f5fab..74907c6 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c -@@ -4452,7 +4452,7 @@ static void rebind_workers(struct worker_pool *pool) +@@ -1858,9 +1858,8 @@ static void pool_mayday_timeout(unsigned long __pool) + * multiple times. Does GFP_KERNEL allocations. Called only from + * manager. + */ ++static void maybe_create_worker(struct worker_pool *pool) __must_hold(&pool->lock); + static void maybe_create_worker(struct worker_pool *pool) +-__releases(&pool->lock) +-__acquires(&pool->lock) + { + restart: + spin_unlock_irq(&pool->lock); +@@ -1950,9 +1949,8 @@ static bool manage_workers(struct worker *worker) + * CONTEXT: + * spin_lock_irq(pool->lock) which is released and regrabbed. + */ ++static void process_one_work(struct worker *worker, struct work_struct *work) __must_hold(&pool->lock); + static void process_one_work(struct worker *worker, struct work_struct *work) +-__releases(&pool->lock) +-__acquires(&pool->lock) + { + struct pool_workqueue *pwq = get_work_pwq(work); + struct worker_pool *pool = worker->pool; +@@ -4452,7 +4450,7 @@ static void rebind_workers(struct worker_pool *pool) WARN_ON_ONCE(!(worker_flags & WORKER_UNBOUND)); worker_flags |= WORKER_REBOUND; worker_flags &= ~WORKER_UNBOUND; @@ -113280,6 +114625,30 @@ index 1356454..70ce6c6 100644 }; void rb_insert_color(struct rb_node *node, struct rb_root *root) +diff --git a/lib/rhashtable.c b/lib/rhashtable.c +index cc0c697..935eddb 100644 +--- a/lib/rhashtable.c ++++ b/lib/rhashtable.c +@@ -545,8 +545,8 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_exit); + * will rewind back to the beginning and you may use it immediately + * by calling rhashtable_walk_next. + */ ++int rhashtable_walk_start(struct rhashtable_iter *iter) __acquires(RCU); + int rhashtable_walk_start(struct rhashtable_iter *iter) +- __acquires(RCU) + { + struct rhashtable *ht = iter->ht; + +@@ -632,8 +632,8 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_next); + * + * Finish a hash table walk. + */ ++void rhashtable_walk_stop(struct rhashtable_iter *iter) __releases(RCU); + void rhashtable_walk_stop(struct rhashtable_iter *iter) +- __releases(RCU) + { + struct rhashtable *ht; + struct bucket_table *tbl = iter->walker->tbl; diff --git a/lib/show_mem.c b/lib/show_mem.c index adc98e18..0ce83c2 100644 --- a/lib/show_mem.c @@ -116786,7 +118155,7 @@ index 2dd7448..9bb6305 100644 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */ diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c -index e88d071..d80e01a 100644 +index e88d071..4043093 100644 --- a/mm/process_vm_access.c +++ b/mm/process_vm_access.c @@ -13,6 +13,7 @@ @@ -116824,18 +118193,20 @@ index e88d071..d80e01a 100644 } if (nr_pages == 0) -@@ -194,6 +195,11 @@ static ssize_t process_vm_rw_core(pid_t pid, struct iov_iter *iter, +@@ -194,7 +195,12 @@ static ssize_t process_vm_rw_core(pid_t pid, struct iov_iter *iter, goto free_proc_pages; } +- mm = mm_access(task, PTRACE_MODE_ATTACH); + if (gr_handle_ptrace(task, vm_write ? PTRACE_POKETEXT : PTRACE_ATTACH)) { + rc = -EPERM; + goto put_task_struct; + } + - mm = mm_access(task, PTRACE_MODE_ATTACH); ++ mm = mm_access(task, PTRACE_MODE_ATTACH_REALCREDS); if (!mm || IS_ERR(mm)) { rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH; + /* diff --git a/mm/rmap.c b/mm/rmap.c index 171b687..1a4b7e8 100644 --- a/mm/rmap.c @@ -119556,9 +120927,18 @@ index e3be1d2..254c555 100644 switch (ss->ss_family) { diff --git a/net/compat.c b/net/compat.c -index 5cfd26a..7e43828 100644 +index 5cfd26a..3c50cb0 100644 --- a/net/compat.c +++ b/net/compat.c +@@ -58,7 +58,7 @@ int get_compat_msghdr(struct msghdr *kmsg, + + if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) + kmsg->msg_namelen = sizeof(struct sockaddr_storage); +- kmsg->msg_control = compat_ptr(tmp3); ++ kmsg->msg_control = (void __force_kernel *)compat_ptr(tmp3); + + if (save_addr) + *save_addr = compat_ptr(uaddr); @@ -98,20 +98,20 @@ int get_compat_msghdr(struct msghdr *kmsg, #define CMSG_COMPAT_FIRSTHDR(msg) \ @@ -120637,10 +122017,10 @@ index 2d9cb17..20ae904 100644 #endif if (dflt != &ipv4_devconf_dflt) diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c -index 6bbc549..28d74951 100644 +index d7116cf..a561739 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c -@@ -1083,12 +1083,12 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event, +@@ -1084,12 +1084,12 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event, #ifdef CONFIG_IP_ROUTE_MULTIPATH fib_sync_up(dev, RTNH_F_DEAD); #endif @@ -120655,7 +122035,7 @@ index 6bbc549..28d74951 100644 if (!ifa->ifa_dev->ifa_list) { /* Last address was deleted from this interface. * Disable IP. -@@ -1127,7 +1127,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo +@@ -1128,7 +1128,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo #ifdef CONFIG_IP_ROUTE_MULTIPATH fib_sync_up(dev, RTNH_F_DEAD); #endif @@ -120665,7 +122045,7 @@ index 6bbc549..28d74951 100644 break; case NETDEV_DOWN: diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c -index 3a06586..1020c5b 100644 +index 71bad5c..114aaa3 100644 --- a/net/ipv4/fib_semantics.c +++ b/net/ipv4/fib_semantics.c @@ -755,7 +755,7 @@ __be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh) @@ -121320,7 +122700,7 @@ index e681b85..8a43a65 100644 ip_tstamps = kcalloc(IP_IDENTS_SZ, sizeof(*ip_tstamps), GFP_KERNEL); if (!ip_tstamps) diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c -index 0330ab2..4745d2c 100644 +index a1442c5..73a63cd 100644 --- a/net/ipv4/sysctl_net_ipv4.c +++ b/net/ipv4/sysctl_net_ipv4.c @@ -66,7 +66,7 @@ static int ipv4_local_port_range(struct ctl_table *table, int write, @@ -121715,6 +123095,19 @@ index 1b8c5ba..e1f0542 100644 } int udp4_seq_show(struct seq_file *seq, void *v) +diff --git a/net/ipv4/xfrm4_mode_transport.c b/net/ipv4/xfrm4_mode_transport.c +index fd840c7..b517627 100644 +--- a/net/ipv4/xfrm4_mode_transport.c ++++ b/net/ipv4/xfrm4_mode_transport.c +@@ -18,7 +18,7 @@ + * The IP header will be moved forward to make space for the encapsulation + * header. + */ +-static int xfrm4_transport_output(struct xfrm_state *x, struct sk_buff *skb) ++static int __intentional_overflow(0) xfrm4_transport_output(struct xfrm_state *x, struct sk_buff *skb) + { + struct iphdr *iph = ip_hdr(skb); + int ihl = iph->ihl * 4; diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c index bff6974..c63736c 100644 --- a/net/ipv4/xfrm4_policy.c @@ -121769,7 +123162,7 @@ index bff6974..c63736c 100644 return -ENOMEM; } diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index 21c2c81..373c1ba 100644 +index c8c1fea..233a855 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -178,7 +178,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = { @@ -121790,7 +123183,7 @@ index 21c2c81..373c1ba 100644 .autoconf = 1, .force_mld_version = 0, .mldv1_unsolicited_report_interval = 10 * HZ, -@@ -620,7 +620,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb, +@@ -621,7 +621,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb, idx = 0; head = &net->dev_index_head[h]; rcu_read_lock(); @@ -121799,7 +123192,7 @@ index 21c2c81..373c1ba 100644 net->dev_base_seq; hlist_for_each_entry_rcu(dev, head, index_hlist) { if (idx < s_idx) -@@ -2508,7 +2508,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg) +@@ -2509,7 +2509,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg) p.iph.ihl = 5; p.iph.protocol = IPPROTO_IPV6; p.iph.ttl = 64; @@ -121808,7 +123201,7 @@ index 21c2c81..373c1ba 100644 if (ops->ndo_do_ioctl) { mm_segment_t oldfs = get_fs(); -@@ -3774,16 +3774,23 @@ static const struct file_operations if6_fops = { +@@ -3775,16 +3775,23 @@ static const struct file_operations if6_fops = { .release = seq_release_net, }; @@ -121833,7 +123226,7 @@ index 21c2c81..373c1ba 100644 } static struct pernet_operations if6_proc_net_ops = { -@@ -4402,7 +4409,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb, +@@ -4403,7 +4410,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb, s_ip_idx = ip_idx = cb->args[2]; rcu_read_lock(); @@ -121842,7 +123235,7 @@ index 21c2c81..373c1ba 100644 for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) { idx = 0; head = &net->dev_index_head[h]; -@@ -5059,7 +5066,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) +@@ -5060,7 +5067,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) rt_genid_bump_ipv6(net); break; } @@ -121851,7 +123244,7 @@ index 21c2c81..373c1ba 100644 } static void ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) -@@ -5079,7 +5086,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write, +@@ -5080,7 +5087,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write, int *valp = ctl->data; int val = *valp; loff_t pos = *ppos; @@ -121860,7 +123253,7 @@ index 21c2c81..373c1ba 100644 int ret; /* -@@ -5104,7 +5111,7 @@ int addrconf_sysctl_mtu(struct ctl_table *ctl, int write, +@@ -5105,7 +5112,7 @@ int addrconf_sysctl_mtu(struct ctl_table *ctl, int write, { struct inet6_dev *idev = ctl->extra1; int min_mtu = IPV6_MIN_MTU; @@ -121869,7 +123262,7 @@ index 21c2c81..373c1ba 100644 lctl = *ctl; lctl.extra1 = &min_mtu; -@@ -5179,7 +5186,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write, +@@ -5180,7 +5187,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write, int *valp = ctl->data; int val = *valp; loff_t pos = *ppos; @@ -121878,7 +123271,7 @@ index 21c2c81..373c1ba 100644 int ret; /* -@@ -5244,7 +5251,7 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write, +@@ -5245,7 +5252,7 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write, int err; struct in6_addr addr; char str[IPV6_MAX_STRLEN]; @@ -122347,7 +123740,7 @@ index dd6ebba..69d56e8 100644 table = kmemdup(ipv6_route_table_template, sizeof(ipv6_route_table_template), diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c -index ac35a28..070cc8c 100644 +index 85c4b2f..4e2062f 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -74,7 +74,7 @@ static void ipip6_tunnel_setup(struct net_device *dev); @@ -122359,7 +123752,7 @@ index ac35a28..070cc8c 100644 static int sit_net_id __read_mostly; struct sit_net { -@@ -1749,7 +1749,7 @@ static void ipip6_dellink(struct net_device *dev, struct list_head *head) +@@ -1735,7 +1735,7 @@ static void ipip6_dellink(struct net_device *dev, struct list_head *head) unregister_netdevice_queue(dev, head); } @@ -122652,19 +124045,6 @@ index 683346d..cb0e12d 100644 seq_printf(m, "Max data size: %d\n", self->max_data_size); seq_printf(m, "Max header size: %d\n", self->max_header_size); -diff --git a/net/irda/irlmp.c b/net/irda/irlmp.c -index a26c401..4396459 100644 ---- a/net/irda/irlmp.c -+++ b/net/irda/irlmp.c -@@ -1839,7 +1839,7 @@ static void *irlmp_seq_hb_idx(struct irlmp_iter_state *iter, loff_t *off) - for (element = hashbin_get_first(iter->hashbin); - element != NULL; - element = hashbin_get_next(iter->hashbin)) { -- if (!off || *off-- == 0) { -+ if (!off || (*off)-- == 0) { - /* NB: hashbin left locked */ - return element; - } diff --git a/net/irda/irproc.c b/net/irda/irproc.c index b9ac598..f88cc56 100644 --- a/net/irda/irproc.c @@ -123043,7 +124423,7 @@ index 666ddac..0cad93b 100644 goto free; diff --git a/net/mac80211/util.c b/net/mac80211/util.c -index 43e5aad..d117c3a 100644 +index f5fa8c0..c24eae8 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -1761,7 +1761,7 @@ int ieee80211_reconfig(struct ieee80211_local *local) @@ -123682,7 +125062,7 @@ index 11de55e..f25e448 100644 return 0; } diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index a133d16..fafee70 100644 +index 8b158f7..c43cfdb 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -286,7 +286,7 @@ static void netlink_overrun(struct sock *sk) @@ -123779,7 +125159,7 @@ index bc85331..0d3dce0 100644 /** * struct vport_portids - array of netlink portids of a vport. diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 7851b12..b665c0c 100644 +index 71cb085..89e2202 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -277,7 +277,7 @@ static int packet_direct_xmit(struct sk_buff *skb) @@ -123800,7 +125180,7 @@ index 7851b12..b665c0c 100644 spin_unlock(&sk->sk_receive_queue.lock); drop_n_restore: -@@ -3616,7 +3616,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3634,7 +3634,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, case PACKET_HDRLEN: if (len > sizeof(int)) len = sizeof(int); @@ -123809,7 +125189,7 @@ index 7851b12..b665c0c 100644 return -EFAULT; switch (val) { case TPACKET_V1: -@@ -3671,7 +3671,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3689,7 +3689,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, len = lv; if (put_user(len, optlen)) return -EFAULT; @@ -128067,10 +129447,29 @@ index dec607c..2f291ad9 100644 d_backing_inode(old_dentry)->i_mode }; diff --git a/security/commoncap.c b/security/commoncap.c -index d103f5a4..3f7369a 100644 +index d103f5a4..cedcad8 100644 --- a/security/commoncap.c +++ b/security/commoncap.c -@@ -422,6 +422,32 @@ int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data +@@ -137,12 +137,17 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode) + { + int ret = 0; + const struct cred *cred, *child_cred; ++ const kernel_cap_t *caller_caps; + + rcu_read_lock(); + cred = current_cred(); + child_cred = __task_cred(child); ++ if (mode & PTRACE_MODE_FSCREDS) ++ caller_caps = &cred->cap_effective; ++ else ++ caller_caps = &cred->cap_permitted; + if (cred->user_ns == child_cred->user_ns && +- cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) ++ cap_issubset(child_cred->cap_permitted, *caller_caps)) + goto out; + if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE)) + goto out; +@@ -422,6 +427,32 @@ int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data return 0; } @@ -128103,7 +129502,7 @@ index d103f5a4..3f7369a 100644 /* * Attempt to get the on-exec apply capability sets for an executable file from * its xattrs and, if present, apply them to the proposed credentials being -@@ -586,6 +612,9 @@ int cap_bprm_secureexec(struct linux_binprm *bprm) +@@ -586,6 +617,9 @@ int cap_bprm_secureexec(struct linux_binprm *bprm) const struct cred *cred = current_cred(); kuid_t root_uid = make_kuid(cred->user_ns, 0); @@ -128173,6 +129572,29 @@ index 552705d..9920f4fb 100644 key = ima_hash_key(entry->digest); hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]); return 0; +diff --git a/security/keys/internal.h b/security/keys/internal.h +index 5105c2c..fd59e52 100644 +--- a/security/keys/internal.h ++++ b/security/keys/internal.h +@@ -90,12 +90,16 @@ extern void key_type_put(struct key_type *ktype); + + extern int __key_link_begin(struct key *keyring, + const struct keyring_index_key *index_key, +- struct assoc_array_edit **_edit); ++ struct assoc_array_edit **_edit) ++ __acquires(&keyring->sem) ++ __acquires(&keyring_serialise_link_sem); + extern int __key_link_check_live_key(struct key *keyring, struct key *key); + extern void __key_link(struct key *key, struct assoc_array_edit **_edit); + extern void __key_link_end(struct key *keyring, + const struct keyring_index_key *index_key, +- struct assoc_array_edit *edit); ++ struct assoc_array_edit *edit) ++ __releases(&keyring->sem) ++ __releases(&keyring_serialise_link_sem); + + extern key_ref_t find_key_to_update(key_ref_t keyring_ref, + const struct keyring_index_key *index_key); diff --git a/security/keys/key.c b/security/keys/key.c index aee2ec5..c276071 100644 --- a/security/keys/key.c @@ -128230,6 +129652,28 @@ index aee2ec5..c276071 100644 /* record the root user tracking */ rb_link_node(&root_key_user.node, +diff --git a/security/keys/keyring.c b/security/keys/keyring.c +index d334370..b03e5a8 100644 +--- a/security/keys/keyring.c ++++ b/security/keys/keyring.c +@@ -1071,8 +1071,6 @@ static int keyring_detect_cycle(struct key *A, struct key *B) + int __key_link_begin(struct key *keyring, + const struct keyring_index_key *index_key, + struct assoc_array_edit **_edit) +- __acquires(&keyring->sem) +- __acquires(&keyring_serialise_link_sem) + { + struct assoc_array_edit *edit; + int ret; +@@ -1172,8 +1170,6 @@ void __key_link(struct key *key, struct assoc_array_edit **_edit) + void __key_link_end(struct key *keyring, + const struct keyring_index_key *index_key, + struct assoc_array_edit *edit) +- __releases(&keyring->sem) +- __releases(&keyring_serialise_link_sem) + { + BUG_ON(index_key->type == NULL); + kenter("%d,%s,", keyring->serial, index_key->type->name); diff --git a/security/keys/request_key.c b/security/keys/request_key.c index 486ef6f..0d62531 100644 --- a/security/keys/request_key.c @@ -128308,6 +129752,26 @@ index 1450f85..a91e0bc 100644 rt_genid_bump_all(net); } rtnl_unlock(); +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index a143328..0c29901 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -358,12 +358,10 @@ static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, + */ + static inline unsigned int smk_ptrace_mode(unsigned int mode) + { +- switch (mode) { +- case PTRACE_MODE_READ: +- return MAY_READ; +- case PTRACE_MODE_ATTACH: ++ if (mode & PTRACE_MODE_ATTACH) + return MAY_READWRITE; +- } ++ if (mode & PTRACE_MODE_READ) ++ return MAY_READ; + + return 0; + } diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 2367b10..a0c3c51 100644 --- a/security/tomoyo/file.c @@ -128467,9 +129931,27 @@ index 3123e1d..951f48d 100644 help This selects Yama, which extends DAC support with additional diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c -index 5ebb896..68147a2 100644 +index 5ebb896..6da9ba8 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c +@@ -281,7 +281,7 @@ static int yama_ptrace_access_check(struct task_struct *child, + int rc = 0; + + /* require ptrace target be a child of ptracer on attach */ +- if (mode == PTRACE_MODE_ATTACH) { ++ if (mode & PTRACE_MODE_ATTACH) { + switch (ptrace_scope) { + case YAMA_SCOPE_DISABLED: + /* No additional restrictions. */ +@@ -307,7 +307,7 @@ static int yama_ptrace_access_check(struct task_struct *child, + } + } + +- if (rc) { ++ if (rc && (mode & PTRACE_MODE_NOAUDIT) == 0) { + printk_ratelimited(KERN_NOTICE + "ptrace of pid %d was attempted by: %s (pid %d)\n", + child->pid, current->comm, current->pid); @@ -362,7 +362,7 @@ void __init yama_add_hooks(void) static int yama_dointvec_minmax(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) @@ -128629,6 +130111,88 @@ index 75888dd..c940854 100644 break; default: result = -EINVAL; +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c +index b64f20d..aff6c32 100644 +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -446,7 +446,7 @@ static ssize_t snd_seq_read(struct file *file, char __user *buf, size_t count, + count -= sizeof(struct snd_seq_event); + buf += sizeof(struct snd_seq_event); + err = snd_seq_expand_var_event(&cell->event, count, +- (char __force *)buf, 0, ++ (char __force_kernel *)buf, 0, + sizeof(struct snd_seq_event)); + if (err < 0) + break; +@@ -1059,13 +1059,13 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf, + } + /* set user space pointer */ + event.data.ext.len = extlen | SNDRV_SEQ_EXT_USRPTR; +- event.data.ext.ptr = (char __force *)buf ++ event.data.ext.ptr = (char __force_kernel *)buf + + sizeof(struct snd_seq_event); + len += extlen; /* increment data length */ + } else { + #ifdef CONFIG_COMPAT + if (client->convert32 && snd_seq_ev_is_varusr(&event)) { +- void *ptr = (void __force *)compat_ptr(event.data.raw32.d[1]); ++ void *ptr = (void __force_kernel *)compat_ptr(event.data.raw32.d[1]); + event.data.ext.ptr = ptr; + } + #endif +@@ -2420,7 +2420,7 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg) + if (client == NULL) + return -ENXIO; + fs = snd_enter_user(); +- result = snd_seq_do_ioctl(client, cmd, (void __force __user *)arg); ++ result = snd_seq_do_ioctl(client, cmd, (void __force_user *)arg); + snd_leave_user(fs); + return result; + } +diff --git a/sound/core/seq/seq_compat.c b/sound/core/seq/seq_compat.c +index 81f7c10..296bd6fd 100644 +--- a/sound/core/seq/seq_compat.c ++++ b/sound/core/seq/seq_compat.c +@@ -59,7 +59,7 @@ static int snd_seq_call_port_info_ioctl(struct snd_seq_client *client, unsigned + data->kernel = NULL; + + fs = snd_enter_user(); +- err = snd_seq_do_ioctl(client, cmd, data); ++ err = snd_seq_do_ioctl(client, cmd, (void __force_user *)data); + snd_leave_user(fs); + if (err < 0) + goto error; +diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c +index 8010766..4bd361f 100644 +--- a/sound/core/seq/seq_memory.c ++++ b/sound/core/seq/seq_memory.c +@@ -87,7 +87,7 @@ int snd_seq_dump_var_event(const struct snd_seq_event *event, + + if (event->data.ext.len & SNDRV_SEQ_EXT_USRPTR) { + char buf[32]; +- char __user *curptr = (char __force __user *)event->data.ext.ptr; ++ char __user *curptr = (char __force_user *)event->data.ext.ptr; + while (len > 0) { + int size = sizeof(buf); + if (len < size) +@@ -158,7 +158,7 @@ int snd_seq_expand_var_event(const struct snd_seq_event *event, int count, char + if (event->data.ext.len & SNDRV_SEQ_EXT_USRPTR) { + if (! in_kernel) + return -EINVAL; +- if (copy_from_user(buf, (void __force __user *)event->data.ext.ptr, len)) ++ if (copy_from_user(buf, (void __force_user *)event->data.ext.ptr, len)) + return -EFAULT; + return newlen; + } +@@ -344,7 +344,7 @@ int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event, + tmp->event = src->event; + src = src->next; + } else if (is_usrptr) { +- if (copy_from_user(&tmp->event, (char __force __user *)buf, size)) { ++ if (copy_from_user(&tmp->event, (char __force_user *)buf, size)) { + err = -EFAULT; + goto __error; + } diff --git a/sound/core/sound.c b/sound/core/sound.c index 175f9e4..3518d31 100644 --- a/sound/core/sound.c @@ -129251,12 +130815,12 @@ index 0000000..4945d82 +targets += randomize_layout_seed.h randomize_layout_hash.h diff --git a/tools/gcc/checker_plugin.c b/tools/gcc/checker_plugin.c new file mode 100644 -index 0000000..5452feea +index 0000000..1264799f --- /dev/null +++ b/tools/gcc/checker_plugin.c -@@ -0,0 +1,150 @@ +@@ -0,0 +1,549 @@ +/* -+ * Copyright 2011-2014 by the PaX Team <pageexec@freemail.hu> ++ * Copyright 2011-2015 by the PaX Team <pageexec@freemail.hu> + * Licensed under the GPL v2 + * + * Note: the choice of the license means that the compilation process is @@ -129285,8 +130849,9 @@ index 0000000..5452feea +int plugin_is_GPL_compatible; + +static struct plugin_info checker_plugin_info = { -+ .version = "201304082245", -+ .help = NULL, ++ .version = "201512100145", ++ .help = "user\tturn on user/kernel address space checking\n" ++ "context\tturn on locking context checking\n" +}; + +#define ADDR_SPACE_KERNEL 0 @@ -129381,12 +130946,395 @@ index 0000000..5452feea + targetm.addr_space.convert = checker_addr_space_convert; +} + ++static bool split_context_attribute(tree args, tree *lock, tree *in, tree *out) ++{ ++ *in = TREE_VALUE(args); ++ ++ if (TREE_CODE(*in) != INTEGER_CST) { ++ *lock = *in; ++ args = TREE_CHAIN(args); ++ *in = TREE_VALUE(args); ++ } else ++ *lock = NULL_TREE; ++ ++ args = TREE_CHAIN(args); ++ if (*lock && !args) ++ return false; ++ ++ *out = TREE_VALUE(args); ++ return true; ++} ++ ++static tree handle_context_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs) ++{ ++ *no_add_attrs = true; ++ tree lock, in, out; ++ ++ if (TREE_CODE(*node) != FUNCTION_DECL) { ++ error("%qE attribute applies to functions only (%qD)", name, *node); ++ return NULL_TREE; ++ } ++ ++ if (!split_context_attribute(args, &lock, &in, &out)) { ++ error("%qE attribute needs two integers after the lock expression", name); ++ return NULL_TREE; ++ } ++ ++ if (TREE_CODE(in) != INTEGER_CST) { ++ error("the 'in' argument of the %qE attribute must be an integer (%qE)", name, in); ++ return NULL_TREE; ++ } ++ ++ if (TREE_CODE(out) != INTEGER_CST) { ++ error("the 'out' argument of the %qE attribute must be an integer (%qE)", name, out); ++ return NULL_TREE; ++ } ++ ++ *no_add_attrs = false; ++ return NULL_TREE; ++} ++ ++static struct attribute_spec context_attr = { ++ .name = "context", ++ .min_length = 2, ++ .max_length = 3, ++ .decl_required = true, ++ .type_required = false, ++ .function_type_required = false, ++ .handler = handle_context_attribute, ++#if BUILDING_GCC_VERSION >= 4007 ++ .affects_type_identity = true ++#endif ++}; ++ ++static void register_attributes(void *event_data, void *data) ++{ ++ register_attribute(&context_attr); ++} ++ ++static const char context_function[] = "__context__"; ++static GTY(()) tree context_function_decl; ++ ++static const char context_error[] = "__context_error__"; ++static GTY(()) tree context_error_decl; ++ ++static void context_start_unit(void __unused *gcc_data, void __unused *user_data) ++{ ++ tree fntype, attr; ++ ++ // void __context__(void *, int); ++ fntype = build_function_type_list(void_type_node, ptr_type_node, integer_type_node, NULL_TREE); ++ context_function_decl = build_fn_decl(context_function, fntype); ++ ++ TREE_PUBLIC(context_function_decl) = 1; ++ TREE_USED(context_function_decl) = 1; ++ DECL_EXTERNAL(context_function_decl) = 1; ++ DECL_ARTIFICIAL(context_function_decl) = 1; ++ DECL_PRESERVE_P(context_function_decl) = 1; ++// TREE_NOTHROW(context_function_decl) = 1; ++// DECL_UNINLINABLE(context_function_decl) = 1; ++ DECL_ASSEMBLER_NAME(context_function_decl); // for LTO ++ lang_hooks.decls.pushdecl(context_function_decl); ++ ++ // void __context_error__(const void *, int) __attribute__((error("context error"))); ++ fntype = build_function_type_list(void_type_node, const_ptr_type_node, integer_type_node, NULL_TREE); ++ context_error_decl = build_fn_decl(context_error, fntype); ++ ++ TREE_PUBLIC(context_error_decl) = 1; ++ TREE_USED(context_error_decl) = 1; ++ DECL_EXTERNAL(context_error_decl) = 1; ++ DECL_ARTIFICIAL(context_error_decl) = 1; ++ DECL_PRESERVE_P(context_error_decl) = 1; ++// TREE_NOTHROW(context_error_decl) = 1; ++// DECL_UNINLINABLE(context_error_decl) = 1; ++ TREE_THIS_VOLATILE(context_error_decl) = 1; ++ DECL_ASSEMBLER_NAME(context_error_decl); ++ ++ attr = tree_cons(NULL, build_string(14, "context error"), NULL); ++ attr = tree_cons(get_identifier("error"), attr, NULL); ++ decl_attributes(&context_error_decl, attr, 0); ++} ++ ++static bool gate_context(void) ++{ ++ tree context_attr; ++ ++return true; ++ ++ context_attr = lookup_attribute("context", DECL_ATTRIBUTES(current_function_decl)); ++ return context_attr != NULL_TREE; ++} ++ ++static basic_block verify_context_before(gimple_stmt_iterator *gsi, tree context, tree inout, tree error) ++{ ++ gimple stmt; ++ basic_block cond_bb, join_bb, true_bb; ++ edge e; ++ location_t loc; ++ const char *file; ++ int line; ++ size_t len; ++ tree filename; ++ ++ stmt = gsi_stmt(*gsi); ++ if (gimple_has_location(stmt)) { ++ loc = gimple_location(stmt); ++ file = gimple_filename(stmt); ++ line = gimple_lineno(stmt); ++ } else { ++ loc = DECL_SOURCE_LOCATION(current_function_decl); ++ file = DECL_SOURCE_FILE(current_function_decl); ++ line = DECL_SOURCE_LINE(current_function_decl); ++ } ++ gcc_assert(file); ++ ++ // if (context != count) __context_error__(__FILE__, __LINE__); ++ stmt = gimple_build_cond(NE_EXPR, context, inout, NULL_TREE, NULL_TREE); ++ gimple_set_location(stmt, loc); ++ gsi_insert_before(gsi, stmt, GSI_NEW_STMT); ++ ++ cond_bb = gsi_bb(*gsi); ++ gcc_assert(!gsi_end_p(*gsi)); ++ gcc_assert(stmt == gsi_stmt(*gsi)); ++ ++ e = split_block(cond_bb, gsi_stmt(*gsi)); ++ cond_bb = e->src; ++ join_bb = e->dest; ++ e->flags = EDGE_FALSE_VALUE; ++ e->probability = REG_BR_PROB_BASE; ++ ++ true_bb = create_empty_bb(EXIT_BLOCK_PTR_FOR_FN(cfun)->prev_bb); ++ make_edge(cond_bb, true_bb, EDGE_TRUE_VALUE); ++ make_edge(true_bb, join_bb, EDGE_FALLTHRU); ++ ++ set_immediate_dominator(CDI_DOMINATORS, true_bb, cond_bb); ++ set_immediate_dominator(CDI_DOMINATORS, join_bb, cond_bb); ++ ++ gcc_assert(cond_bb->loop_father == join_bb->loop_father); ++ add_bb_to_loop(true_bb, cond_bb->loop_father); ++ ++ // insert call to builtin_trap or __context_error__ ++ *gsi = gsi_start_bb(true_bb); ++ ++// stmt = gimple_build_call(builtin_decl_implicit(BUILT_IN_TRAP), 0); ++ len = strlen(file) + 1; ++ filename = build_string(len, file); ++ TREE_TYPE(filename) = build_array_type(unsigned_char_type_node, build_index_type(size_int(len))); ++ filename = build1(ADDR_EXPR, const_ptr_type_node, filename); ++ stmt = gimple_build_call(error, 2, filename, build_int_cst(NULL_TREE, line)); ++ gimple_set_location(stmt, loc); ++ gsi_insert_after(gsi, stmt, GSI_CONTINUE_LINKING); ++ ++ *gsi = gsi_start_nondebug_bb(join_bb); ++ return join_bb; ++} ++ ++static void update_context(gimple_stmt_iterator *gsi, tree context, int diff) ++{ ++ gimple assign; ++ tree op; ++ ++ op = fold_build2_loc(UNKNOWN_LOCATION, PLUS_EXPR, integer_type_node, context, build_int_cst(integer_type_node, diff)); ++ assign = gimple_build_assign(context, op); ++ gsi_insert_after(gsi, assign, GSI_NEW_STMT); ++ update_stmt(assign); ++} ++ ++static basic_block track_context(basic_block bb, tree context) ++{ ++ gimple_stmt_iterator gsi; ++ gimple assign; ++ ++ // adjust context according to the context information on any call stmt ++ for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) { ++ gimple stmt = gsi_stmt(gsi); ++ tree fndecl, context_attr; ++ tree lock, in, out; ++ int incount, outcount; ++ ++ if (!is_gimple_call(stmt)) ++ continue; ++ ++ fndecl = gimple_call_fndecl(stmt); ++ if (!fndecl) ++ continue; ++ ++ if (fndecl == context_function_decl) { ++ unsigned int num_ops = gimple_num_ops(stmt); ++ int diff = tree_to_shwi(gimple_op(stmt, num_ops - 1)); ++ ++ gcc_assert(diff); ++ update_context(&gsi, context, diff); ++ continue; ++ } ++ ++ context_attr = lookup_attribute("context", DECL_ATTRIBUTES(fndecl)); ++ if (!context_attr) ++ continue; ++ ++ gcc_assert(split_context_attribute(TREE_VALUE(context_attr), &lock, &in, &out)); ++ incount = tree_to_shwi(in); ++ outcount = tree_to_shwi(out); ++ bb = verify_context_before(&gsi, context, in, context_error_decl); ++ update_context(&gsi, context, outcount - incount); ++ } ++ ++ return bb; ++} ++ ++static bool bb_any_loop(basic_block bb) ++{ ++ return bb_loop_depth(bb) || (bb->flags & BB_IRREDUCIBLE_LOOP); ++} ++ ++static unsigned int execute_context(void) ++{ ++ basic_block bb; ++ gimple assign; ++ gimple_stmt_iterator gsi; ++ tree context_attr, context; ++ tree lock, in, out; ++ ++ loop_optimizer_init(LOOPS_NORMAL | LOOPS_HAVE_RECORDED_EXITS); ++ gcc_assert(current_loops); ++ ++ calculate_dominance_info(CDI_DOMINATORS); ++ calculate_dominance_info(CDI_POST_DOMINATORS); ++ ++ context_attr = lookup_attribute("context", DECL_ATTRIBUTES(current_function_decl)); ++ if (context_attr) { ++ gcc_assert(split_context_attribute(TREE_VALUE(context_attr), &lock, &in, &out)); ++ } else { ++ in = out = integer_zero_node; ++ } ++ ++ // 1. create local context variable ++ context = create_tmp_var(integer_type_node, "context"); ++ add_referenced_var(context); ++ mark_sym_for_renaming(context); ++ ++ // 2. initialize local context variable ++ gcc_assert(single_succ_p(ENTRY_BLOCK_PTR_FOR_FN(cfun))); ++ bb = single_succ(ENTRY_BLOCK_PTR_FOR_FN(cfun)); ++ if (!single_pred_p(bb)) { ++ gcc_assert(bb_any_loop(bb)); ++ split_edge(single_succ_edge(ENTRY_BLOCK_PTR_FOR_FN(cfun))); ++ bb = single_succ(ENTRY_BLOCK_PTR_FOR_FN(cfun)); ++ } ++ gsi = gsi_start_bb(bb); ++ assign = gimple_build_assign(context, in); ++ gsi_insert_before(&gsi, assign, GSI_NEW_STMT); ++ update_stmt(assign); ++ ++ // 3. instrument each BB to track the local context variable ++ FOR_EACH_BB_FN(bb, cfun) { ++ bb = track_context(bb, context); ++ } ++ ++ // 4. verify the local context variable against the expected state ++ if (EDGE_COUNT(EXIT_BLOCK_PTR_FOR_FN(cfun)->preds)) { ++ gcc_assert(single_pred_p(EXIT_BLOCK_PTR_FOR_FN(cfun))); ++ gsi = gsi_last_nondebug_bb(single_pred(EXIT_BLOCK_PTR_FOR_FN(cfun))); ++ verify_context_before(&gsi, context, out, context_error_decl); ++ } ++ ++ free_dominance_info(CDI_DOMINATORS); ++ free_dominance_info(CDI_POST_DOMINATORS); ++ loop_optimizer_finalize(); ++ return 0; ++} ++ ++#if BUILDING_GCC_VERSION >= 4009 ++namespace { ++static const struct pass_data context_pass_data = { ++#else ++static struct gimple_opt_pass context_pass = { ++ .pass = { ++#endif ++ .type = GIMPLE_PASS, ++ .name = "context", ++#if BUILDING_GCC_VERSION >= 4008 ++ .optinfo_flags = OPTGROUP_NONE, ++#endif ++#if BUILDING_GCC_VERSION >= 5000 ++#elif BUILDING_GCC_VERSION == 4009 ++ .has_gate = true, ++ .has_execute = true, ++#else ++ .gate = gate_context, ++ .execute = execute_context, ++ .sub = NULL, ++ .next = NULL, ++ .static_pass_number = 0, ++#endif ++ .tv_id = TV_NONE, ++ .properties_required = PROP_gimple_leh | PROP_cfg, ++ .properties_provided = 0, ++ .properties_destroyed = 0, ++ .todo_flags_start = 0, //TODO_verify_ssa | TODO_verify_flow | TODO_verify_stmts, ++ .todo_flags_finish = TODO_verify_ssa | TODO_verify_stmts | TODO_dump_func | TODO_verify_flow | TODO_update_ssa ++#if BUILDING_GCC_VERSION < 4009 ++ } ++#endif ++}; ++ ++#if BUILDING_GCC_VERSION >= 4009 ++class context_pass : public gimple_opt_pass { ++public: ++ context_pass() : gimple_opt_pass(context_pass_data, g) {} ++#if BUILDING_GCC_VERSION >= 5000 ++ virtual bool gate(function *) { return gate_context(); } ++ virtual unsigned int execute(function *) { return execute_context(); } ++#else ++ bool gate() { return gate_context(); } ++ unsigned int execute() { return execute_context(); } ++#endif ++}; ++} ++ ++static opt_pass *make_context_pass(void) ++{ ++ return new context_pass(); ++} ++#else ++static struct opt_pass *make_context_pass(void) ++{ ++ return &context_pass.pass; ++} ++#endif ++ +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version) +{ + const char * const plugin_name = plugin_info->base_name; + const int argc = plugin_info->argc; + const struct plugin_argument * const argv = plugin_info->argv; + int i; ++ bool enable_user, enable_context; ++ struct register_pass_info context_pass_info; ++ ++ static const struct ggc_root_tab gt_ggc_r_gt_checker[] = { ++ { ++ .base = &context_function_decl, ++ .nelt = 1, ++ .stride = sizeof(context_function_decl), ++ .cb = >_ggc_mx_tree_node, ++ .pchw = >_pch_nx_tree_node ++ }, ++ { ++ .base = &context_error_decl, ++ .nelt = 1, ++ .stride = sizeof(context_error_decl), ++ .cb = >_ggc_mx_tree_node, ++ .pchw = >_pch_nx_tree_node ++ }, ++ LAST_GGC_ROOT_TAB ++ }; ++ ++ context_pass_info.pass = make_context_pass(); ++// context_pass_info.reference_pass_name = "ssa"; ++ context_pass_info.reference_pass_name = "phiprop"; ++ context_pass_info.ref_pass_instance_number = 1; ++ context_pass_info.pos_op = PASS_POS_INSERT_AFTER; + + if (!plugin_default_version_check(version, &gcc_version)) { + error(G_("incompatible gcc/plugin versions")); @@ -129395,13 +131343,28 @@ index 0000000..5452feea + + register_callback(plugin_name, PLUGIN_INFO, NULL, &checker_plugin_info); + -+ for (i = 0; i < argc; ++i) ++ enable_user = false; ++ enable_context = false; ++ for (i = 0; i < argc; ++i) { ++ if (!strcmp(argv[i].key, "user")) { ++ enable_user = true; ++ continue; ++ } ++ if (!strcmp(argv[i].key, "context")) { ++ enable_context = true; ++ continue; ++ } + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); ++ } + -+ if (TARGET_64BIT == 0) -+ return 0; -+ -+ register_callback(plugin_name, PLUGIN_PRAGMAS, register_checker_address_spaces, NULL); ++ if (enable_user) ++ register_callback(plugin_name, PLUGIN_PRAGMAS, register_checker_address_spaces, NULL); ++ if (enable_context) { ++ register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL); ++ register_callback(plugin_name, PLUGIN_START_UNIT, context_start_unit, NULL); ++ register_callback(plugin_name, PLUGIN_REGISTER_GGC_ROOTS, NULL, (void *)>_ggc_r_gt_checker); ++ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &context_pass_info); ++ } + + return 0; +} @@ -130205,10 +132168,10 @@ index 0000000..0b98f34 +} diff --git a/tools/gcc/gcc-common.h b/tools/gcc/gcc-common.h new file mode 100644 -index 0000000..2ec0551 +index 0000000..9d33451 --- /dev/null +++ b/tools/gcc/gcc-common.h -@@ -0,0 +1,812 @@ +@@ -0,0 +1,813 @@ +#ifndef GCC_COMMON_H_INCLUDED +#define GCC_COMMON_H_INCLUDED + @@ -130308,6 +132271,7 @@ index 0000000..2ec0551 +#include "ipa-utils.h" + +#if BUILDING_GCC_VERSION >= 4009 ++#include "attribs.h" +#include "varasm.h" +#include "stor-layout.h" +#include "internal-fn.h" @@ -131037,10 +133001,10 @@ index 0000000..7514850 +fi diff --git a/tools/gcc/initify_plugin.c b/tools/gcc/initify_plugin.c new file mode 100644 -index 0000000..39c0731 +index 0000000..a9d491f --- /dev/null +++ b/tools/gcc/initify_plugin.c -@@ -0,0 +1,552 @@ +@@ -0,0 +1,581 @@ +/* + * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com> + * Licensed under the GPL v2, or (at your option) v3 @@ -131061,7 +133025,7 @@ index 0000000..39c0731 +int plugin_is_GPL_compatible; + +static struct plugin_info initify_plugin_info = { -+ .version = "20151128", ++ .version = "20151209", + .help = "initify_plugin\n", +}; + @@ -131250,7 +133214,7 @@ index 0000000..39c0731 + tree decl, offset; + HOST_WIDE_INT bitsize, bitpos; + enum machine_mode mode; -+ int unsignedp, reversep, volatilep; ++ int unsignedp, reversep __unused, volatilep; + enum tree_code code = TREE_CODE(op); + + if (TREE_CODE_CLASS(code) == tcc_exceptional && code != SSA_NAME) @@ -131343,10 +133307,39 @@ index 0000000..39c0731 + return false; +} + ++static bool is_in_capture_init(const_tree vardecl) ++{ ++ unsigned int i; ++ tree var; ++ ++ FOR_EACH_LOCAL_DECL(cfun, i, var) { ++ unsigned HOST_WIDE_INT cnt; ++ tree index __unused, value; ++ const_tree initial = DECL_INITIAL(var); ++ ++ if (initial == NULL_TREE) ++ continue; ++ if (TREE_CODE(initial) != CONSTRUCTOR) ++ continue; ++ ++ FOR_EACH_CONSTRUCTOR_ELT(CONSTRUCTOR_ELTS(initial), cnt, index, value) { ++ if (TREE_CODE(value) != ADDR_EXPR) ++ continue; ++ if (TREE_OPERAND(value, 0) == vardecl) ++ return true; ++ } ++ } ++ ++ return false; ++} ++ +static bool has_capture_use_local_var(const_tree vardecl) +{ + basic_block bb; + ++ if (is_in_capture_init(vardecl)) ++ return true; ++ + FOR_EACH_BB_FN(bb, cfun) { + gimple_stmt_iterator gsi; + @@ -133799,10 +135792,10 @@ index 0000000..f74d85a +targets += size_overflow_hash.h size_overflow_hash_aux.h disable_size_overflow_hash.h diff --git a/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data b/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data new file mode 100644 -index 0000000..07f2628 +index 0000000..8b72888 --- /dev/null +++ b/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data -@@ -0,0 +1,12424 @@ +@@ -0,0 +1,12425 @@ +disable_so_interrupt_pnode_gru_message_queue_desc_4 interrupt_pnode gru_message_queue_desc 0 4 NULL +disable_so_bch_btree_insert_fndecl_12 bch_btree_insert fndecl 0 12 NULL +disable_so_macvlan_sync_address_fndecl_22 macvlan_sync_address fndecl 0 22 NULL nohasharray @@ -146227,6 +148220,7 @@ index 0000000..07f2628 +enable_so_i_size_high_ext4_inode_18545 i_size_high ext4_inode 0 18545 NULL +enable_so_nr_kvm_queued_interrupt_34927 nr kvm_queued_interrupt 0 34927 NULL +enable_so_last_used_idx_vhost_virtqueue_40059 last_used_idx vhost_virtqueue 0 40059 NULL ++enable_so___load_segment_descriptor_fndecl_30833 __load_segment_descriptor fndecl 2-4 30833 NULL diff --git a/tools/gcc/size_overflow_plugin/generate_size_overflow_hash.sh b/tools/gcc/size_overflow_plugin/generate_size_overflow_hash.sh new file mode 100644 index 0000000..be9724d @@ -148470,7 +150464,7 @@ index 0000000..fc58e16 +} diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data new file mode 100644 -index 0000000..a907202 +index 0000000..509d3f8 --- /dev/null +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data @@ -0,0 +1,20733 @@ @@ -149604,7 +151598,8 @@ index 0000000..a907202 +enable_so_bytes_btrfs_dio_private_3624 bytes btrfs_dio_private 0 3624 &enable_so_ns_blocksize_the_nilfs_3624 nohasharray +enable_so_do_msg_fill_fndecl_3624 do_msg_fill fndecl 3 3624 &enable_so_bytes_btrfs_dio_private_3624 +enable_so_offline_pages_fndecl_3625 offline_pages fndecl 1-2 3625 NULL -+enable_so_tail_timestamp_event_queue_3626 tail timestamp_event_queue 0 3626 NULL ++enable_so_tail_timestamp_event_queue_3626 tail timestamp_event_queue 0 3626 NULL nohasharray ++enable_so_length_pseudo_hdr_3626 length pseudo_hdr 0 3626 &enable_so_tail_timestamp_event_queue_3626 +enable_so_add_res_range_fndecl_3629 add_res_range fndecl 4 3629 NULL +enable_so_cbuf_eat_fndecl_3631 cbuf_eat fndecl 2 3631 NULL +enable_so_vmci_transport_queue_pair_alloc_fndecl_3639 vmci_transport_queue_pair_alloc fndecl 4-3 3639 NULL nohasharray @@ -158206,7 +160201,6 @@ index 0000000..a907202 +enable_so_shmem_write_begin_fndecl_30822 shmem_write_begin fndecl 3 30822 NULL +enable_so_report_count_hid_field_30826 report_count hid_field 0 30826 NULL +enable_so_s_root_blkno_ocfs2_super_block_30828 s_root_blkno ocfs2_super_block 0 30828 NULL -+enable_so___load_segment_descriptor_fndecl_30833 __load_segment_descriptor fndecl 2-4 30833 NULL +enable_so_add_memory_fndecl_30836 add_memory fndecl 3-2 30836 NULL +enable_so_f2fs_read_data_pages_fndecl_30837 f2fs_read_data_pages fndecl 4 30837 NULL +enable_so_shadow_root_level_kvm_mmu_30842 shadow_root_level kvm_mmu 0 30842 NULL diff --git a/4.2.6/4425_grsec_remove_EI_PAX.patch b/4.2.7/4425_grsec_remove_EI_PAX.patch index 2a1aa6c..2a1aa6c 100644 --- a/4.2.6/4425_grsec_remove_EI_PAX.patch +++ b/4.2.7/4425_grsec_remove_EI_PAX.patch diff --git a/4.2.6/4427_force_XATTR_PAX_tmpfs.patch b/4.2.7/4427_force_XATTR_PAX_tmpfs.patch index 9157231..9157231 100644 --- a/4.2.6/4427_force_XATTR_PAX_tmpfs.patch +++ b/4.2.7/4427_force_XATTR_PAX_tmpfs.patch diff --git a/4.2.6/4430_grsec-remove-localversion-grsec.patch b/4.2.7/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/4.2.6/4430_grsec-remove-localversion-grsec.patch +++ b/4.2.7/4430_grsec-remove-localversion-grsec.patch diff --git a/4.2.6/4435_grsec-mute-warnings.patch b/4.2.7/4435_grsec-mute-warnings.patch index b7564e4..b7564e4 100644 --- a/4.2.6/4435_grsec-mute-warnings.patch +++ b/4.2.7/4435_grsec-mute-warnings.patch diff --git a/4.2.6/4440_grsec-remove-protected-paths.patch b/4.2.7/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/4.2.6/4440_grsec-remove-protected-paths.patch +++ b/4.2.7/4440_grsec-remove-protected-paths.patch diff --git a/4.2.6/4450_grsec-kconfig-default-gids.patch b/4.2.7/4450_grsec-kconfig-default-gids.patch index 9524b1f..9524b1f 100644 --- a/4.2.6/4450_grsec-kconfig-default-gids.patch +++ b/4.2.7/4450_grsec-kconfig-default-gids.patch diff --git a/4.2.6/4465_selinux-avc_audit-log-curr_ip.patch b/4.2.7/4465_selinux-avc_audit-log-curr_ip.patch index ba89596..ba89596 100644 --- a/4.2.6/4465_selinux-avc_audit-log-curr_ip.patch +++ b/4.2.7/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/4.2.6/4470_disable-compat_vdso.patch b/4.2.7/4470_disable-compat_vdso.patch index 7f84a27..7f84a27 100644 --- a/4.2.6/4470_disable-compat_vdso.patch +++ b/4.2.7/4470_disable-compat_vdso.patch diff --git a/4.2.6/4475_emutramp_default_on.patch b/4.2.7/4475_emutramp_default_on.patch index afd6019..afd6019 100644 --- a/4.2.6/4475_emutramp_default_on.patch +++ b/4.2.7/4475_emutramp_default_on.patch |