diff options
| author |   Anthony G. Basile <blueness@gentoo.org> | 2016-10-01 09:53:17 -0400 |
|---|---|---|
| committer | Anthony G. Basile <blueness@gentoo.org> | 2016-10-01 09:53:17 -0400 |
| commit | b36146336c331dd08f2ca1c2599f3afd32c10a8c (patch) | |
| tree | e04e7295fe5c23f5438929c493b5859b054e0968 | |
| parent | grsecurity-3.1-4.7.5-201609261522 (diff) | |
| download | hardened-patchset-b36146336c331dd08f2ca1c2599f3afd32c10a8c.tar.gz hardened-patchset-b36146336c331dd08f2ca1c2599f3afd32c10a8c.tar.bz2 hardened-patchset-b36146336c331dd08f2ca1c2599f3afd32c10a8c.zip | |
grsecurity-3.1-4.7.6-20160930191820160930
| -rw-r--r-- | 4.7.6/0000_README (renamed from 4.7.5/0000_README) | 6 | ||||
| -rw-r--r-- | 4.7.6/1005_linux-4.7.6.patch | 2572 | ||||
| -rw-r--r-- | 4.7.6/4420_grsecurity-3.1-4.7.6-201609301918.patch (renamed from 4.7.5/4420_grsecurity-3.1-4.7.5-201609261522.patch) | 144 | ||||
| -rw-r--r-- | 4.7.6/4425_grsec_remove_EI_PAX.patch (renamed from 4.7.5/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
| -rw-r--r-- | 4.7.6/4427_force_XATTR_PAX_tmpfs.patch (renamed from 4.7.5/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
| -rw-r--r-- | 4.7.6/4430_grsec-remove-localversion-grsec.patch (renamed from 4.7.5/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
| -rw-r--r-- | 4.7.6/4435_grsec-mute-warnings.patch (renamed from 4.7.5/4435_grsec-mute-warnings.patch) | 0 | ||||
| -rw-r--r-- | 4.7.6/4440_grsec-remove-protected-paths.patch (renamed from 4.7.5/4440_grsec-remove-protected-paths.patch) | 0 | ||||
| -rw-r--r-- | 4.7.6/4450_grsec-kconfig-default-gids.patch (renamed from 4.7.5/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
| -rw-r--r-- | 4.7.6/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 4.7.5/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
| -rw-r--r-- | 4.7.6/4470_disable-compat_vdso.patch (renamed from 4.7.5/4470_disable-compat_vdso.patch) | 0 | ||||
| -rw-r--r-- | 4.7.6/4475_emutramp_default_on.patch (renamed from 4.7.5/4475_emutramp_default_on.patch) | 0 |
12 files changed, 2619 insertions, 103 deletions
diff --git a/4.7.5/0000_README b/4.7.6/0000_README index 9104194..65ecad7 100644 --- a/4.7.5/0000_README +++ b/4.7.6/0000_README @@ -2,7 +2,11 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.1-4.7.5-201609261522.patch +Patch: 1005_linux-4.7.6.patch +From: http://www.kernel.org +Desc: Linux 4.7.6 + +Patch: 4420_grsecurity-3.1-4.7.6-201609301918.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.7.6/1005_linux-4.7.6.patch b/4.7.6/1005_linux-4.7.6.patch new file mode 100644 index 0000000..5699974 --- /dev/null +++ b/4.7.6/1005_linux-4.7.6.patch @@ -0,0 +1,2572 @@ +diff --git a/Makefile b/Makefile +index dd755d1..48b0120 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 7 +-SUBLEVEL = 5 ++SUBLEVEL = 6 + EXTRAVERSION = + NAME = Psychotic Stoned Sheep + +@@ -370,7 +370,7 @@ LDFLAGS_MODULE = + CFLAGS_KERNEL = + AFLAGS_KERNEL = + LDFLAGS_vmlinux = +-CFLAGS_GCOV = -fprofile-arcs -ftest-coverage -fno-tree-loop-im -Wno-maybe-uninitialized ++CFLAGS_GCOV = -fprofile-arcs -ftest-coverage -fno-tree-loop-im + CFLAGS_KCOV = -fsanitize-coverage=trace-pc + + +@@ -619,12 +619,13 @@ ARCH_CFLAGS := + include arch/$(SRCARCH)/Makefile + + KBUILD_CFLAGS += $(call cc-option,-fno-delete-null-pointer-checks,) ++KBUILD_CFLAGS += $(call cc-disable-warning,maybe-uninitialized,) + + ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE +-KBUILD_CFLAGS += -Os $(call cc-disable-warning,maybe-uninitialized,) ++KBUILD_CFLAGS += -Os + else + ifdef CONFIG_PROFILE_ALL_BRANCHES +-KBUILD_CFLAGS += -O2 $(call cc-disable-warning,maybe-uninitialized,) ++KBUILD_CFLAGS += -O2 + else + KBUILD_CFLAGS += -O2 + endif +diff --git a/arch/arc/Makefile b/arch/arc/Makefile +index 85814e7..601ed17 100644 +--- a/arch/arc/Makefile ++++ b/arch/arc/Makefile +@@ -74,9 +74,7 @@ endif + ifndef CONFIG_CC_OPTIMIZE_FOR_SIZE + # Generic build system uses -O2, we want -O3 + # Note: No need to add to cflags-y as that happens anyways +-# +-# Disable the false maybe-uninitialized warings gcc spits out at -O3 +-ARCH_CFLAGS += -O3 $(call cc-disable-warning,maybe-uninitialized,) ++ARCH_CFLAGS += -O3 + endif + + # small data is default for elf32 tool-chain. If not usable, disable it +diff --git a/arch/arm/crypto/aes-ce-glue.c b/arch/arm/crypto/aes-ce-glue.c +index da3c042..aef022a 100644 +--- a/arch/arm/crypto/aes-ce-glue.c ++++ b/arch/arm/crypto/aes-ce-glue.c +@@ -284,7 +284,7 @@ static int ctr_encrypt(struct blkcipher_desc *desc, struct scatterlist *dst, + err = blkcipher_walk_done(desc, &walk, + walk.nbytes % AES_BLOCK_SIZE); + } +- if (nbytes) { ++ if (walk.nbytes % AES_BLOCK_SIZE) { + u8 *tdst = walk.dst.virt.addr + blocks * AES_BLOCK_SIZE; + u8 *tsrc = walk.src.virt.addr + blocks * AES_BLOCK_SIZE; + u8 __aligned(8) tail[AES_BLOCK_SIZE]; +diff --git a/arch/arm64/crypto/aes-glue.c b/arch/arm64/crypto/aes-glue.c +index 5c88804..6b2aa0f 100644 +--- a/arch/arm64/crypto/aes-glue.c ++++ b/arch/arm64/crypto/aes-glue.c +@@ -216,7 +216,7 @@ static int ctr_encrypt(struct blkcipher_desc *desc, struct scatterlist *dst, + err = blkcipher_walk_done(desc, &walk, + walk.nbytes % AES_BLOCK_SIZE); + } +- if (nbytes) { ++ if (walk.nbytes % AES_BLOCK_SIZE) { + u8 *tdst = walk.dst.virt.addr + blocks * AES_BLOCK_SIZE; + u8 *tsrc = walk.src.virt.addr + blocks * AES_BLOCK_SIZE; + u8 __aligned(8) tail[AES_BLOCK_SIZE]; +diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c +index 490db85..95e32d9 100644 +--- a/arch/arm64/kernel/smp.c ++++ b/arch/arm64/kernel/smp.c +@@ -201,12 +201,6 @@ int __cpu_up(unsigned int cpu, struct task_struct *idle) + return ret; + } + +-static void smp_store_cpu_info(unsigned int cpuid) +-{ +- store_cpu_topology(cpuid); +- numa_store_cpu_info(cpuid); +-} +- + /* + * This is the secondary CPU boot entry. We're using this CPUs + * idle thread stack, but a set of temporary page tables. +@@ -254,7 +248,7 @@ asmlinkage void secondary_start_kernel(void) + */ + notify_cpu_starting(cpu); + +- smp_store_cpu_info(cpu); ++ store_cpu_topology(cpu); + + /* + * OK, now it's safe to let the boot CPU continue. Wait for +@@ -687,10 +681,13 @@ void __init smp_prepare_cpus(unsigned int max_cpus) + { + int err; + unsigned int cpu; ++ unsigned int this_cpu; + + init_cpu_topology(); + +- smp_store_cpu_info(smp_processor_id()); ++ this_cpu = smp_processor_id(); ++ store_cpu_topology(this_cpu); ++ numa_store_cpu_info(this_cpu); + + /* + * If UP is mandated by "nosmp" (which implies "maxcpus=0"), don't set +@@ -717,6 +714,7 @@ void __init smp_prepare_cpus(unsigned int max_cpus) + continue; + + set_cpu_present(cpu, true); ++ numa_store_cpu_info(cpu); + } + } + +diff --git a/arch/mips/Kconfig.debug b/arch/mips/Kconfig.debug +index f0e314c..7f975b2 100644 +--- a/arch/mips/Kconfig.debug ++++ b/arch/mips/Kconfig.debug +@@ -113,42 +113,6 @@ config SPINLOCK_TEST + help + Add several files to the debugfs to test spinlock speed. + +-if CPU_MIPSR6 +- +-choice +- prompt "Compact branch policy" +- default MIPS_COMPACT_BRANCHES_OPTIMAL +- +-config MIPS_COMPACT_BRANCHES_NEVER +- bool "Never (force delay slot branches)" +- help +- Pass the -mcompact-branches=never flag to the compiler in order to +- force it to always emit branches with delay slots, and make no use +- of the compact branch instructions introduced by MIPSr6. This is +- useful if you suspect there may be an issue with compact branches in +- either the compiler or the CPU. +- +-config MIPS_COMPACT_BRANCHES_OPTIMAL +- bool "Optimal (use where beneficial)" +- help +- Pass the -mcompact-branches=optimal flag to the compiler in order for +- it to make use of compact branch instructions where it deems them +- beneficial, and use branches with delay slots elsewhere. This is the +- default compiler behaviour, and should be used unless you have a +- reason to choose otherwise. +- +-config MIPS_COMPACT_BRANCHES_ALWAYS +- bool "Always (force compact branches)" +- help +- Pass the -mcompact-branches=always flag to the compiler in order to +- force it to always emit compact branches, making no use of branch +- instructions with delay slots. This can result in more compact code +- which may be beneficial in some scenarios. +- +-endchoice +- +-endif # CPU_MIPSR6 +- + config SCACHE_DEBUGFS + bool "L2 cache debugfs entries" + depends on DEBUG_FS +diff --git a/arch/mips/Makefile b/arch/mips/Makefile +index efd7a9d..598ab29 100644 +--- a/arch/mips/Makefile ++++ b/arch/mips/Makefile +@@ -203,10 +203,6 @@ endif + toolchain-virt := $(call cc-option-yn,$(mips-cflags) -mvirt) + cflags-$(toolchain-virt) += -DTOOLCHAIN_SUPPORTS_VIRT + +-cflags-$(CONFIG_MIPS_COMPACT_BRANCHES_NEVER) += -mcompact-branches=never +-cflags-$(CONFIG_MIPS_COMPACT_BRANCHES_OPTIMAL) += -mcompact-branches=optimal +-cflags-$(CONFIG_MIPS_COMPACT_BRANCHES_ALWAYS) += -mcompact-branches=always +- + # + # Firmware support + # +diff --git a/arch/mips/include/asm/asmmacro.h b/arch/mips/include/asm/asmmacro.h +index 56584a6..83054f7 100644 +--- a/arch/mips/include/asm/asmmacro.h ++++ b/arch/mips/include/asm/asmmacro.h +@@ -157,6 +157,7 @@ + ldc1 $f28, THREAD_FPR28(\thread) + ldc1 $f30, THREAD_FPR30(\thread) + ctc1 \tmp, fcr31 ++ .set pop + .endm + + .macro fpu_restore_16odd thread +diff --git a/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h b/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h +index 2f82bfa..c9f5769 100644 +--- a/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h ++++ b/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h +@@ -11,11 +11,13 @@ + #define CP0_EBASE $15, 1 + + .macro kernel_entry_setup ++#ifdef CONFIG_SMP + mfc0 t0, CP0_EBASE + andi t0, t0, 0x3ff # CPUNum + beqz t0, 1f + # CPUs other than zero goto smp_bootstrap + j smp_bootstrap ++#endif /* CONFIG_SMP */ + + 1: + .endm +diff --git a/arch/mips/kernel/mips-r2-to-r6-emul.c b/arch/mips/kernel/mips-r2-to-r6-emul.c +index 7ff2a55..ae77575 100644 +--- a/arch/mips/kernel/mips-r2-to-r6-emul.c ++++ b/arch/mips/kernel/mips-r2-to-r6-emul.c +@@ -1164,7 +1164,9 @@ fpu_emul: + regs->regs[31] = r31; + regs->cp0_epc = epc; + if (!used_math()) { /* First time FPU user. */ ++ preempt_disable(); + err = init_fpu(); ++ preempt_enable(); + set_used_math(); + } + lose_fpu(1); /* Save FPU state for the emulator. */ +diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c +index 813ed78..45cff9f 100644 +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -591,14 +591,14 @@ int mips_set_process_fp_mode(struct task_struct *task, unsigned int value) + return -EOPNOTSUPP; + + /* Avoid inadvertently triggering emulation */ +- if ((value & PR_FP_MODE_FR) && cpu_has_fpu && +- !(current_cpu_data.fpu_id & MIPS_FPIR_F64)) ++ if ((value & PR_FP_MODE_FR) && raw_cpu_has_fpu && ++ !(raw_current_cpu_data.fpu_id & MIPS_FPIR_F64)) + return -EOPNOTSUPP; +- if ((value & PR_FP_MODE_FRE) && cpu_has_fpu && !cpu_has_fre) ++ if ((value & PR_FP_MODE_FRE) && raw_cpu_has_fpu && !cpu_has_fre) + return -EOPNOTSUPP; + + /* FR = 0 not supported in MIPS R6 */ +- if (!(value & PR_FP_MODE_FR) && cpu_has_fpu && cpu_has_mips_r6) ++ if (!(value & PR_FP_MODE_FR) && raw_cpu_has_fpu && cpu_has_mips_r6) + return -EOPNOTSUPP; + + /* Proceed with the mode switch */ +diff --git a/arch/mips/kernel/smp.c b/arch/mips/kernel/smp.c +index f9d01e9..dcf4a23 100644 +--- a/arch/mips/kernel/smp.c ++++ b/arch/mips/kernel/smp.c +@@ -320,6 +320,9 @@ asmlinkage void start_secondary(void) + cpumask_set_cpu(cpu, &cpu_coherent_mask); + notify_cpu_starting(cpu); + ++ cpumask_set_cpu(cpu, &cpu_callin_map); ++ synchronise_count_slave(cpu); ++ + set_cpu_online(cpu, true); + + set_cpu_sibling_map(cpu); +@@ -327,10 +330,6 @@ asmlinkage void start_secondary(void) + + calculate_cpu_foreign_map(); + +- cpumask_set_cpu(cpu, &cpu_callin_map); +- +- synchronise_count_slave(cpu); +- + /* + * irq will be enabled in ->smp_finish(), enabling it too early + * is dangerous. +diff --git a/arch/mips/kernel/vdso.c b/arch/mips/kernel/vdso.c +index 54e1663..0b30c02 100644 +--- a/arch/mips/kernel/vdso.c ++++ b/arch/mips/kernel/vdso.c +@@ -39,16 +39,16 @@ static struct vm_special_mapping vdso_vvar_mapping = { + static void __init init_vdso_image(struct mips_vdso_image *image) + { + unsigned long num_pages, i; ++ unsigned long data_pfn; + + BUG_ON(!PAGE_ALIGNED(image->data)); + BUG_ON(!PAGE_ALIGNED(image->size)); + + num_pages = image->size / PAGE_SIZE; + +- for (i = 0; i < num_pages; i++) { +- image->mapping.pages[i] = +- virt_to_page(image->data + (i * PAGE_SIZE)); +- } ++ data_pfn = __phys_to_pfn(__pa_symbol(image->data)); ++ for (i = 0; i < num_pages; i++) ++ image->mapping.pages[i] = pfn_to_page(data_pfn + i); + } + + static int __init init_vdso(void) +diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c +index 7a1f7bb..b2659b9 100644 +--- a/arch/x86/mm/pageattr.c ++++ b/arch/x86/mm/pageattr.c +@@ -932,11 +932,11 @@ static void populate_pte(struct cpa_data *cpa, + } + } + +-static int populate_pmd(struct cpa_data *cpa, +- unsigned long start, unsigned long end, +- unsigned num_pages, pud_t *pud, pgprot_t pgprot) ++static long populate_pmd(struct cpa_data *cpa, ++ unsigned long start, unsigned long end, ++ unsigned num_pages, pud_t *pud, pgprot_t pgprot) + { +- unsigned int cur_pages = 0; ++ long cur_pages = 0; + pmd_t *pmd; + pgprot_t pmd_pgprot; + +@@ -1006,12 +1006,12 @@ static int populate_pmd(struct cpa_data *cpa, + return num_pages; + } + +-static int populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd, +- pgprot_t pgprot) ++static long populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd, ++ pgprot_t pgprot) + { + pud_t *pud; + unsigned long end; +- int cur_pages = 0; ++ long cur_pages = 0; + pgprot_t pud_pgprot; + + end = start + (cpa->numpages << PAGE_SHIFT); +@@ -1067,7 +1067,7 @@ static int populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd, + + /* Map trailing leftover */ + if (start < end) { +- int tmp; ++ long tmp; + + pud = pud_offset(pgd, start); + if (pud_none(*pud)) +@@ -1093,7 +1093,7 @@ static int populate_pgd(struct cpa_data *cpa, unsigned long addr) + pgprot_t pgprot = __pgprot(_KERNPG_TABLE); + pud_t *pud = NULL; /* shut up gcc */ + pgd_t *pgd_entry; +- int ret; ++ long ret; + + pgd_entry = cpa->pgd + pgd_index(addr); + +@@ -1336,7 +1336,8 @@ static int cpa_process_alias(struct cpa_data *cpa) + + static int __change_page_attr_set_clr(struct cpa_data *cpa, int checkalias) + { +- int ret, numpages = cpa->numpages; ++ unsigned long numpages = cpa->numpages; ++ int ret; + + while (numpages) { + /* +diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c +index b226b3f..964c702 100644 +--- a/arch/x86/platform/efi/efi_64.c ++++ b/arch/x86/platform/efi/efi_64.c +@@ -244,7 +244,7 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) + * text and allocate a new stack because we can't rely on the + * stack pointer being < 4GB. + */ +- if (!IS_ENABLED(CONFIG_EFI_MIXED)) ++ if (!IS_ENABLED(CONFIG_EFI_MIXED) || efi_is_native()) + return 0; + + /* +diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c +index 8cc1622..dca7bc8 100644 +--- a/crypto/blkcipher.c ++++ b/crypto/blkcipher.c +@@ -234,6 +234,8 @@ static int blkcipher_walk_next(struct blkcipher_desc *desc, + return blkcipher_walk_done(desc, walk, -EINVAL); + } + ++ bsize = min(walk->walk_blocksize, n); ++ + walk->flags &= ~(BLKCIPHER_WALK_SLOW | BLKCIPHER_WALK_COPY | + BLKCIPHER_WALK_DIFF); + if (!scatterwalk_aligned(&walk->in, walk->alignmask) || +@@ -246,7 +248,6 @@ static int blkcipher_walk_next(struct blkcipher_desc *desc, + } + } + +- bsize = min(walk->walk_blocksize, n); + n = scatterwalk_clamp(&walk->in, n); + n = scatterwalk_clamp(&walk->out, n); + +diff --git a/crypto/echainiv.c b/crypto/echainiv.c +index b96a8456..343a74e 100644 +--- a/crypto/echainiv.c ++++ b/crypto/echainiv.c +@@ -1,8 +1,8 @@ + /* + * echainiv: Encrypted Chain IV Generator + * +- * This generator generates an IV based on a sequence number by xoring it +- * with a salt and then encrypting it with the same key as used to encrypt ++ * This generator generates an IV based on a sequence number by multiplying ++ * it with a salt and then encrypting it with the same key as used to encrypt + * the plain text. This algorithm requires that the block size be equal + * to the IV size. It is mainly useful for CBC. + * +@@ -23,81 +23,17 @@ + #include <linux/err.h> + #include <linux/init.h> + #include <linux/kernel.h> +-#include <linux/mm.h> + #include <linux/module.h> +-#include <linux/percpu.h> +-#include <linux/spinlock.h> ++#include <linux/slab.h> + #include <linux/string.h> + +-#define MAX_IV_SIZE 16 +- +-static DEFINE_PER_CPU(u32 [MAX_IV_SIZE / sizeof(u32)], echainiv_iv); +- +-/* We don't care if we get preempted and read/write IVs from the next CPU. */ +-static void echainiv_read_iv(u8 *dst, unsigned size) +-{ +- u32 *a = (u32 *)dst; +- u32 __percpu *b = echainiv_iv; +- +- for (; size >= 4; size -= 4) { +- *a++ = this_cpu_read(*b); +- b++; +- } +-} +- +-static void echainiv_write_iv(const u8 *src, unsigned size) +-{ +- const u32 *a = (const u32 *)src; +- u32 __percpu *b = echainiv_iv; +- +- for (; size >= 4; size -= 4) { +- this_cpu_write(*b, *a); +- a++; +- b++; +- } +-} +- +-static void echainiv_encrypt_complete2(struct aead_request *req, int err) +-{ +- struct aead_request *subreq = aead_request_ctx(req); +- struct crypto_aead *geniv; +- unsigned int ivsize; +- +- if (err == -EINPROGRESS) +- return; +- +- if (err) +- goto out; +- +- geniv = crypto_aead_reqtfm(req); +- ivsize = crypto_aead_ivsize(geniv); +- +- echainiv_write_iv(subreq->iv, ivsize); +- +- if (req->iv != subreq->iv) +- memcpy(req->iv, subreq->iv, ivsize); +- +-out: +- if (req->iv != subreq->iv) +- kzfree(subreq->iv); +-} +- +-static void echainiv_encrypt_complete(struct crypto_async_request *base, +- int err) +-{ +- struct aead_request *req = base->data; +- +- echainiv_encrypt_complete2(req, err); +- aead_request_complete(req, err); +-} +- + static int echainiv_encrypt(struct aead_request *req) + { + struct crypto_aead *geniv = crypto_aead_reqtfm(req); + struct aead_geniv_ctx *ctx = crypto_aead_ctx(geniv); + struct aead_request *subreq = aead_request_ctx(req); +- crypto_completion_t compl; +- void *data; ++ __be64 nseqno; ++ u64 seqno; + u8 *info; + unsigned int ivsize = crypto_aead_ivsize(geniv); + int err; +@@ -107,8 +43,6 @@ static int echainiv_encrypt(struct aead_request *req) + + aead_request_set_tfm(subreq, ctx->child); + +- compl = echainiv_encrypt_complete; +- data = req; + info = req->iv; + + if (req->src != req->dst) { +@@ -123,29 +57,30 @@ static int echainiv_encrypt(struct aead_request *req) + return err; + } + +- if (unlikely(!IS_ALIGNED((unsigned long)info, +- crypto_aead_alignmask(geniv) + 1))) { +- info = kmalloc(ivsize, req->base.flags & +- CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL: +- GFP_ATOMIC); +- if (!info) +- return -ENOMEM; +- +- memcpy(info, req->iv, ivsize); +- } +- +- aead_request_set_callback(subreq, req->base.flags, compl, data); ++ aead_request_set_callback(subreq, req->base.flags, ++ req->base.complete, req->base.data); + aead_request_set_crypt(subreq, req->dst, req->dst, + req->cryptlen, info); + aead_request_set_ad(subreq, req->assoclen); + +- crypto_xor(info, ctx->salt, ivsize); ++ memcpy(&nseqno, info + ivsize - 8, 8); ++ seqno = be64_to_cpu(nseqno); ++ memset(info, 0, ivsize); ++ + scatterwalk_map_and_copy(info, req->dst, req->assoclen, ivsize, 1); +- echainiv_read_iv(info, ivsize); + +- err = crypto_aead_encrypt(subreq); +- echainiv_encrypt_complete2(req, err); +- return err; ++ do { ++ u64 a; ++ ++ memcpy(&a, ctx->salt + ivsize - 8, 8); ++ ++ a |= 1; ++ a *= seqno; ++ ++ memcpy(info + ivsize - 8, &a, 8); ++ } while ((ivsize -= 8)); ++ ++ return crypto_aead_encrypt(subreq); + } + + static int echainiv_decrypt(struct aead_request *req) +@@ -192,8 +127,7 @@ static int echainiv_aead_create(struct crypto_template *tmpl, + alg = crypto_spawn_aead_alg(spawn); + + err = -EINVAL; +- if (inst->alg.ivsize & (sizeof(u32) - 1) || +- inst->alg.ivsize > MAX_IV_SIZE) ++ if (inst->alg.ivsize & (sizeof(u64) - 1) || !inst->alg.ivsize) + goto free_inst; + + inst->alg.encrypt = echainiv_encrypt; +@@ -202,7 +136,6 @@ static int echainiv_aead_create(struct crypto_template *tmpl, + inst->alg.init = aead_init_geniv; + inst->alg.exit = aead_exit_geniv; + +- inst->alg.base.cra_alignmask |= __alignof__(u32) - 1; + inst->alg.base.cra_ctxsize = sizeof(struct aead_geniv_ctx); + inst->alg.base.cra_ctxsize += inst->alg.ivsize; + +diff --git a/drivers/gpu/drm/qxl/qxl_draw.c b/drivers/gpu/drm/qxl/qxl_draw.c +index 56e1d63..6e6c760 100644 +--- a/drivers/gpu/drm/qxl/qxl_draw.c ++++ b/drivers/gpu/drm/qxl/qxl_draw.c +@@ -136,6 +136,8 @@ static int qxl_palette_create_1bit(struct qxl_bo *palette_bo, + * correctly globaly, since that would require + * tracking all of our palettes. */ + ret = qxl_bo_kmap(palette_bo, (void **)&pal); ++ if (ret) ++ return ret; + pal->num_ents = 2; + pal->unique = unique++; + if (visual == FB_VISUAL_TRUECOLOR || visual == FB_VISUAL_DIRECTCOLOR) { +diff --git a/drivers/i2c/busses/i2c-eg20t.c b/drivers/i2c/busses/i2c-eg20t.c +index 137125b..5ce71ce 100644 +--- a/drivers/i2c/busses/i2c-eg20t.c ++++ b/drivers/i2c/busses/i2c-eg20t.c +@@ -773,13 +773,6 @@ static int pch_i2c_probe(struct pci_dev *pdev, + /* Set the number of I2C channel instance */ + adap_info->ch_num = id->driver_data; + +- ret = request_irq(pdev->irq, pch_i2c_handler, IRQF_SHARED, +- KBUILD_MODNAME, adap_info); +- if (ret) { +- pch_pci_err(pdev, "request_irq FAILED\n"); +- goto err_request_irq; +- } +- + for (i = 0; i < adap_info->ch_num; i++) { + pch_adap = &adap_info->pch_data[i].pch_adapter; + adap_info->pch_i2c_suspended = false; +@@ -797,6 +790,17 @@ static int pch_i2c_probe(struct pci_dev *pdev, + + pch_adap->dev.of_node = pdev->dev.of_node; + pch_adap->dev.parent = &pdev->dev; ++ } ++ ++ ret = request_irq(pdev->irq, pch_i2c_handler, IRQF_SHARED, ++ KBUILD_MODNAME, adap_info); ++ if (ret) { ++ pch_pci_err(pdev, "request_irq FAILED\n"); ++ goto err_request_irq; ++ } ++ ++ for (i = 0; i < adap_info->ch_num; i++) { ++ pch_adap = &adap_info->pch_data[i].pch_adapter; + + pch_i2c_init(&adap_info->pch_data[i]); + +diff --git a/drivers/i2c/busses/i2c-qup.c b/drivers/i2c/busses/i2c-qup.c +index 041050e..57256bb 100644 +--- a/drivers/i2c/busses/i2c-qup.c ++++ b/drivers/i2c/busses/i2c-qup.c +@@ -1610,7 +1610,8 @@ static int qup_i2c_pm_resume_runtime(struct device *device) + #ifdef CONFIG_PM_SLEEP + static int qup_i2c_suspend(struct device *device) + { +- qup_i2c_pm_suspend_runtime(device); ++ if (!pm_runtime_suspended(device)) ++ return qup_i2c_pm_suspend_runtime(device); + return 0; + } + +diff --git a/drivers/i2c/muxes/i2c-mux-pca954x.c b/drivers/i2c/muxes/i2c-mux-pca954x.c +index 528e755..3278ebf 100644 +--- a/drivers/i2c/muxes/i2c-mux-pca954x.c ++++ b/drivers/i2c/muxes/i2c-mux-pca954x.c +@@ -164,7 +164,7 @@ static int pca954x_select_chan(struct i2c_mux_core *muxc, u32 chan) + /* Only select the channel if its different from the last channel */ + if (data->last_chan != regval) { + ret = pca954x_reg_write(muxc->parent, client, regval); +- data->last_chan = regval; ++ data->last_chan = ret ? 0 : regval; + } + + return ret; +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index a3a6721..be00c4b 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -3011,9 +3011,9 @@ static int fw4_ack(struct c4iw_dev *dev, struct sk_buff *skb) + PDBG("%s last streaming msg ack ep %p tid %u state %u " + "initiator %u freeing skb\n", __func__, ep, ep->hwtid, + state_read(&ep->com), ep->mpa_attr.initiator ? 1 : 0); ++ mutex_lock(&ep->com.mutex); + kfree_skb(ep->mpa_skb); + ep->mpa_skb = NULL; +- mutex_lock(&ep->com.mutex); + if (test_bit(STOP_MPA_TIMER, &ep->com.flags)) + stop_ep_timer(ep); + mutex_unlock(&ep->com.mutex); +@@ -3582,6 +3582,16 @@ int c4iw_ep_disconnect(struct c4iw_ep *ep, int abrupt, gfp_t gfp) + ep->com.state = ABORTING; + else { + ep->com.state = CLOSING; ++ ++ /* ++ * if we close before we see the fw4_ack() then we fix ++ * up the timer state since we're reusing it. ++ */ ++ if (ep->mpa_skb && ++ test_bit(STOP_MPA_TIMER, &ep->com.flags)) { ++ clear_bit(STOP_MPA_TIMER, &ep->com.flags); ++ stop_ep_timer(ep); ++ } + start_ep_timer(ep); + } + set_bit(CLOSE_SENT, &ep->com.flags); +diff --git a/drivers/irqchip/irq-mips-gic.c b/drivers/irqchip/irq-mips-gic.c +index d3ef0fc..6acf69e 100644 +--- a/drivers/irqchip/irq-mips-gic.c ++++ b/drivers/irqchip/irq-mips-gic.c +@@ -638,27 +638,6 @@ static int gic_local_irq_domain_map(struct irq_domain *d, unsigned int virq, + if (!gic_local_irq_is_routable(intr)) + return -EPERM; + +- /* +- * HACK: These are all really percpu interrupts, but the rest +- * of the MIPS kernel code does not use the percpu IRQ API for +- * the CP0 timer and performance counter interrupts. +- */ +- switch (intr) { +- case GIC_LOCAL_INT_TIMER: +- case GIC_LOCAL_INT_PERFCTR: +- case GIC_LOCAL_INT_FDC: +- irq_set_chip_and_handler(virq, +- &gic_all_vpes_local_irq_controller, +- handle_percpu_irq); +- break; +- default: +- irq_set_chip_and_handler(virq, +- &gic_local_irq_controller, +- handle_percpu_devid_irq); +- irq_set_percpu_devid(virq); +- break; +- } +- + spin_lock_irqsave(&gic_lock, flags); + for (i = 0; i < gic_vpes; i++) { + u32 val = GIC_MAP_TO_PIN_MSK | gic_cpu_pin; +@@ -724,16 +703,42 @@ static int gic_shared_irq_domain_map(struct irq_domain *d, unsigned int virq, + return 0; + } + +-static int gic_irq_domain_map(struct irq_domain *d, unsigned int virq, +- irq_hw_number_t hw) ++static int gic_setup_dev_chip(struct irq_domain *d, unsigned int virq, ++ unsigned int hwirq) + { +- if (GIC_HWIRQ_TO_LOCAL(hw) < GIC_NUM_LOCAL_INTRS) +- return gic_local_irq_domain_map(d, virq, hw); ++ struct irq_chip *chip; ++ int err; ++ ++ if (hwirq >= GIC_SHARED_HWIRQ_BASE) { ++ err = irq_domain_set_hwirq_and_chip(d, virq, hwirq, ++ &gic_level_irq_controller, ++ NULL); ++ } else { ++ switch (GIC_HWIRQ_TO_LOCAL(hwirq)) { ++ case GIC_LOCAL_INT_TIMER: ++ case GIC_LOCAL_INT_PERFCTR: ++ case GIC_LOCAL_INT_FDC: ++ /* ++ * HACK: These are all really percpu interrupts, but ++ * the rest of the MIPS kernel code does not use the ++ * percpu IRQ API for them. ++ */ ++ chip = &gic_all_vpes_local_irq_controller; ++ irq_set_handler(virq, handle_percpu_irq); ++ break; ++ ++ default: ++ chip = &gic_local_irq_controller; ++ irq_set_handler(virq, handle_percpu_devid_irq); ++ irq_set_percpu_devid(virq); ++ break; ++ } + +- irq_set_chip_and_handler(virq, &gic_level_irq_controller, +- handle_level_irq); ++ err = irq_domain_set_hwirq_and_chip(d, virq, hwirq, ++ chip, NULL); ++ } + +- return gic_shared_irq_domain_map(d, virq, hw, 0); ++ return err; + } + + static int gic_irq_domain_alloc(struct irq_domain *d, unsigned int virq, +@@ -744,15 +749,12 @@ static int gic_irq_domain_alloc(struct irq_domain *d, unsigned int virq, + int cpu, ret, i; + + if (spec->type == GIC_DEVICE) { +- /* verify that it doesn't conflict with an IPI irq */ +- if (test_bit(spec->hwirq, ipi_resrv)) ++ /* verify that shared irqs don't conflict with an IPI irq */ ++ if ((spec->hwirq >= GIC_SHARED_HWIRQ_BASE) && ++ test_bit(GIC_HWIRQ_TO_SHARED(spec->hwirq), ipi_resrv)) + return -EBUSY; + +- hwirq = GIC_SHARED_TO_HWIRQ(spec->hwirq); +- +- return irq_domain_set_hwirq_and_chip(d, virq, hwirq, +- &gic_level_irq_controller, +- NULL); ++ return gic_setup_dev_chip(d, virq, spec->hwirq); + } else { + base_hwirq = find_first_bit(ipi_resrv, gic_shared_intrs); + if (base_hwirq == gic_shared_intrs) { +@@ -821,7 +823,6 @@ int gic_irq_domain_match(struct irq_domain *d, struct device_node *node, + } + + static const struct irq_domain_ops gic_irq_domain_ops = { +- .map = gic_irq_domain_map, + .alloc = gic_irq_domain_alloc, + .free = gic_irq_domain_free, + .match = gic_irq_domain_match, +@@ -852,29 +853,20 @@ static int gic_dev_domain_alloc(struct irq_domain *d, unsigned int virq, + struct irq_fwspec *fwspec = arg; + struct gic_irq_spec spec = { + .type = GIC_DEVICE, +- .hwirq = fwspec->param[1], + }; + int i, ret; +- bool is_shared = fwspec->param[0] == GIC_SHARED; + +- if (is_shared) { +- ret = irq_domain_alloc_irqs_parent(d, virq, nr_irqs, &spec); +- if (ret) +- return ret; +- } +- +- for (i = 0; i < nr_irqs; i++) { +- irq_hw_number_t hwirq; ++ if (fwspec->param[0] == GIC_SHARED) ++ spec.hwirq = GIC_SHARED_TO_HWIRQ(fwspec->param[1]); ++ else ++ spec.hwirq = GIC_LOCAL_TO_HWIRQ(fwspec->param[1]); + +- if (is_shared) +- hwirq = GIC_SHARED_TO_HWIRQ(spec.hwirq + i); +- else +- hwirq = GIC_LOCAL_TO_HWIRQ(spec.hwirq + i); ++ ret = irq_domain_alloc_irqs_parent(d, virq, nr_irqs, &spec); ++ if (ret) ++ return ret; + +- ret = irq_domain_set_hwirq_and_chip(d, virq + i, +- hwirq, +- &gic_level_irq_controller, +- NULL); ++ for (i = 0; i < nr_irqs; i++) { ++ ret = gic_setup_dev_chip(d, virq + i, spec.hwirq + i); + if (ret) + goto error; + } +@@ -896,7 +888,10 @@ void gic_dev_domain_free(struct irq_domain *d, unsigned int virq, + static void gic_dev_domain_activate(struct irq_domain *domain, + struct irq_data *d) + { +- gic_shared_irq_domain_map(domain, d->irq, d->hwirq, 0); ++ if (GIC_HWIRQ_TO_LOCAL(d->hwirq) < GIC_NUM_LOCAL_INTRS) ++ gic_local_irq_domain_map(domain, d->irq, d->hwirq); ++ else ++ gic_shared_irq_domain_map(domain, d->irq, d->hwirq, 0); + } + + static struct irq_domain_ops gic_dev_domain_ops = { +diff --git a/drivers/mtd/maps/pmcmsp-flash.c b/drivers/mtd/maps/pmcmsp-flash.c +index 744ca5c..f9fa3fa 100644 +--- a/drivers/mtd/maps/pmcmsp-flash.c ++++ b/drivers/mtd/maps/pmcmsp-flash.c +@@ -75,15 +75,15 @@ static int __init init_msp_flash(void) + + printk(KERN_NOTICE "Found %d PMC flash devices\n", fcnt); + +- msp_flash = kmalloc(fcnt * sizeof(struct map_info *), GFP_KERNEL); ++ msp_flash = kcalloc(fcnt, sizeof(*msp_flash), GFP_KERNEL); + if (!msp_flash) + return -ENOMEM; + +- msp_parts = kmalloc(fcnt * sizeof(struct mtd_partition *), GFP_KERNEL); ++ msp_parts = kcalloc(fcnt, sizeof(*msp_parts), GFP_KERNEL); + if (!msp_parts) + goto free_msp_flash; + +- msp_maps = kcalloc(fcnt, sizeof(struct mtd_info), GFP_KERNEL); ++ msp_maps = kcalloc(fcnt, sizeof(*msp_maps), GFP_KERNEL); + if (!msp_maps) + goto free_msp_parts; + +diff --git a/drivers/mtd/maps/sa1100-flash.c b/drivers/mtd/maps/sa1100-flash.c +index 142fc3d..784c6e1 100644 +--- a/drivers/mtd/maps/sa1100-flash.c ++++ b/drivers/mtd/maps/sa1100-flash.c +@@ -230,8 +230,10 @@ static struct sa_info *sa1100_setup_mtd(struct platform_device *pdev, + + info->mtd = mtd_concat_create(cdev, info->num_subdev, + plat->name); +- if (info->mtd == NULL) ++ if (info->mtd == NULL) { + ret = -ENXIO; ++ goto err; ++ } + } + info->mtd->dev.parent = &pdev->dev; + +diff --git a/drivers/mtd/nand/mxc_nand.c b/drivers/mtd/nand/mxc_nand.c +index 5173fad..57cbe2b 100644 +--- a/drivers/mtd/nand/mxc_nand.c ++++ b/drivers/mtd/nand/mxc_nand.c +@@ -943,7 +943,7 @@ static int mxc_v2_ooblayout_free(struct mtd_info *mtd, int section, + struct nand_chip *nand_chip = mtd_to_nand(mtd); + int stepsize = nand_chip->ecc.bytes == 9 ? 16 : 26; + +- if (section > nand_chip->ecc.steps) ++ if (section >= nand_chip->ecc.steps) + return -ERANGE; + + if (!section) { +diff --git a/drivers/mtd/spi-nor/spi-nor.c b/drivers/mtd/spi-nor/spi-nor.c +index c52e455..a6adb27 100644 +--- a/drivers/mtd/spi-nor/spi-nor.c ++++ b/drivers/mtd/spi-nor/spi-nor.c +@@ -661,7 +661,7 @@ static int stm_unlock(struct spi_nor *nor, loff_t ofs, uint64_t len) + status_new = (status_old & ~mask & ~SR_TB) | val; + + /* Don't protect status register if we're fully unlocked */ +- if (lock_len == mtd->size) ++ if (lock_len == 0) + status_new &= ~SR_SRWD; + + if (!use_top) +diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c +index 41c0fc9..16f7cad 100644 +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -1268,11 +1268,10 @@ static int __maybe_unused flexcan_suspend(struct device *device) + struct flexcan_priv *priv = netdev_priv(dev); + int err; + +- err = flexcan_chip_disable(priv); +- if (err) +- return err; +- + if (netif_running(dev)) { ++ err = flexcan_chip_disable(priv); ++ if (err) ++ return err; + netif_stop_queue(dev); + netif_device_detach(dev); + } +@@ -1285,13 +1284,17 @@ static int __maybe_unused flexcan_resume(struct device *device) + { + struct net_device *dev = dev_get_drvdata(device); + struct flexcan_priv *priv = netdev_priv(dev); ++ int err; + + priv->can.state = CAN_STATE_ERROR_ACTIVE; + if (netif_running(dev)) { + netif_device_attach(dev); + netif_start_queue(dev); ++ err = flexcan_chip_enable(priv); ++ if (err) ++ return err; + } +- return flexcan_chip_enable(priv); ++ return 0; + } + + static SIMPLE_DEV_PM_OPS(flexcan_pm_ops, flexcan_suspend, flexcan_resume); +diff --git a/drivers/net/can/ifi_canfd/ifi_canfd.c b/drivers/net/can/ifi_canfd/ifi_canfd.c +index 2d1d22e..368bb07 100644 +--- a/drivers/net/can/ifi_canfd/ifi_canfd.c ++++ b/drivers/net/can/ifi_canfd/ifi_canfd.c +@@ -81,6 +81,10 @@ + #define IFI_CANFD_TIME_SET_TIMEA_4_12_6_6 BIT(15) + + #define IFI_CANFD_TDELAY 0x1c ++#define IFI_CANFD_TDELAY_DEFAULT 0xb ++#define IFI_CANFD_TDELAY_MASK 0x3fff ++#define IFI_CANFD_TDELAY_ABS BIT(14) ++#define IFI_CANFD_TDELAY_EN BIT(15) + + #define IFI_CANFD_ERROR 0x20 + #define IFI_CANFD_ERROR_TX_OFFSET 0 +@@ -641,7 +645,7 @@ static void ifi_canfd_set_bittiming(struct net_device *ndev) + struct ifi_canfd_priv *priv = netdev_priv(ndev); + const struct can_bittiming *bt = &priv->can.bittiming; + const struct can_bittiming *dbt = &priv->can.data_bittiming; +- u16 brp, sjw, tseg1, tseg2; ++ u16 brp, sjw, tseg1, tseg2, tdc; + + /* Configure bit timing */ + brp = bt->brp - 2; +@@ -664,6 +668,11 @@ static void ifi_canfd_set_bittiming(struct net_device *ndev) + (brp << IFI_CANFD_TIME_PRESCALE_OFF) | + (sjw << IFI_CANFD_TIME_SJW_OFF_7_9_8_8), + priv->base + IFI_CANFD_FTIME); ++ ++ /* Configure transmitter delay */ ++ tdc = (dbt->brp * (dbt->phase_seg1 + 1)) & IFI_CANFD_TDELAY_MASK; ++ writel(IFI_CANFD_TDELAY_EN | IFI_CANFD_TDELAY_ABS | tdc, ++ priv->base + IFI_CANFD_TDELAY); + } + + static void ifi_canfd_set_filter(struct net_device *ndev, const u32 id, +diff --git a/drivers/net/ethernet/intel/igb/igb_ptp.c b/drivers/net/ethernet/intel/igb/igb_ptp.c +index f097c5a..3c7bcdf 100644 +--- a/drivers/net/ethernet/intel/igb/igb_ptp.c ++++ b/drivers/net/ethernet/intel/igb/igb_ptp.c +@@ -743,7 +743,8 @@ static void igb_ptp_tx_hwtstamp(struct igb_adapter *adapter) + } + } + +- shhwtstamps.hwtstamp = ktime_sub_ns(shhwtstamps.hwtstamp, adjust); ++ shhwtstamps.hwtstamp = ++ ktime_add_ns(shhwtstamps.hwtstamp, adjust); + + skb_tstamp_tx(adapter->ptp_tx_skb, &shhwtstamps); + dev_kfree_skb_any(adapter->ptp_tx_skb); +@@ -766,13 +767,32 @@ void igb_ptp_rx_pktstamp(struct igb_q_vector *q_vector, + struct sk_buff *skb) + { + __le64 *regval = (__le64 *)va; ++ struct igb_adapter *adapter = q_vector->adapter; ++ int adjust = 0; + + /* The timestamp is recorded in little endian format. + * DWORD: 0 1 2 3 + * Field: Reserved Reserved SYSTIML SYSTIMH + */ +- igb_ptp_systim_to_hwtstamp(q_vector->adapter, skb_hwtstamps(skb), ++ igb_ptp_systim_to_hwtstamp(adapter, skb_hwtstamps(skb), + le64_to_cpu(regval[1])); ++ ++ /* adjust timestamp for the RX latency based on link speed */ ++ if (adapter->hw.mac.type == e1000_i210) { ++ switch (adapter->link_speed) { ++ case SPEED_10: ++ adjust = IGB_I210_RX_LATENCY_10; ++ break; ++ case SPEED_100: ++ adjust = IGB_I210_RX_LATENCY_100; ++ break; ++ case SPEED_1000: ++ adjust = IGB_I210_RX_LATENCY_1000; ++ break; ++ } ++ } ++ skb_hwtstamps(skb)->hwtstamp = ++ ktime_sub_ns(skb_hwtstamps(skb)->hwtstamp, adjust); + } + + /** +@@ -824,7 +844,7 @@ void igb_ptp_rx_rgtstamp(struct igb_q_vector *q_vector, + } + } + skb_hwtstamps(skb)->hwtstamp = +- ktime_add_ns(skb_hwtstamps(skb)->hwtstamp, adjust); ++ ktime_sub_ns(skb_hwtstamps(skb)->hwtstamp, adjust); + + /* Update the last_rx_timestamp timer in order to enable watchdog check + * for error case of latched timestamp on a dropped packet. +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +index 8bebd86..58153e8 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -4100,6 +4100,8 @@ static void ixgbe_vlan_promisc_enable(struct ixgbe_adapter *adapter) + struct ixgbe_hw *hw = &adapter->hw; + u32 vlnctrl, i; + ++ vlnctrl = IXGBE_READ_REG(hw, IXGBE_VLNCTRL); ++ + switch (hw->mac.type) { + case ixgbe_mac_82599EB: + case ixgbe_mac_X540: +@@ -4112,8 +4114,7 @@ static void ixgbe_vlan_promisc_enable(struct ixgbe_adapter *adapter) + /* fall through */ + case ixgbe_mac_82598EB: + /* legacy case, we can just disable VLAN filtering */ +- vlnctrl = IXGBE_READ_REG(hw, IXGBE_VLNCTRL); +- vlnctrl &= ~(IXGBE_VLNCTRL_VFE | IXGBE_VLNCTRL_CFIEN); ++ vlnctrl &= ~IXGBE_VLNCTRL_VFE; + IXGBE_WRITE_REG(hw, IXGBE_VLNCTRL, vlnctrl); + return; + } +@@ -4125,6 +4126,10 @@ static void ixgbe_vlan_promisc_enable(struct ixgbe_adapter *adapter) + /* Set flag so we don't redo unnecessary work */ + adapter->flags2 |= IXGBE_FLAG2_VLAN_PROMISC; + ++ /* For VMDq and SR-IOV we must leave VLAN filtering enabled */ ++ vlnctrl |= IXGBE_VLNCTRL_VFE; ++ IXGBE_WRITE_REG(hw, IXGBE_VLNCTRL, vlnctrl); ++ + /* Add PF to all active pools */ + for (i = IXGBE_VLVF_ENTRIES; --i;) { + u32 reg_offset = IXGBE_VLVFB(i * 2 + VMDQ_P(0) / 32); +@@ -4191,6 +4196,11 @@ static void ixgbe_vlan_promisc_disable(struct ixgbe_adapter *adapter) + struct ixgbe_hw *hw = &adapter->hw; + u32 vlnctrl, i; + ++ /* Set VLAN filtering to enabled */ ++ vlnctrl = IXGBE_READ_REG(hw, IXGBE_VLNCTRL); ++ vlnctrl |= IXGBE_VLNCTRL_VFE; ++ IXGBE_WRITE_REG(hw, IXGBE_VLNCTRL, vlnctrl); ++ + switch (hw->mac.type) { + case ixgbe_mac_82599EB: + case ixgbe_mac_X540: +@@ -4202,10 +4212,6 @@ static void ixgbe_vlan_promisc_disable(struct ixgbe_adapter *adapter) + break; + /* fall through */ + case ixgbe_mac_82598EB: +- vlnctrl = IXGBE_READ_REG(hw, IXGBE_VLNCTRL); +- vlnctrl &= ~IXGBE_VLNCTRL_CFIEN; +- vlnctrl |= IXGBE_VLNCTRL_VFE; +- IXGBE_WRITE_REG(hw, IXGBE_VLNCTRL, vlnctrl); + return; + } + +@@ -9496,6 +9502,7 @@ skip_sriov: + + /* copy netdev features into list of user selectable features */ + netdev->hw_features |= netdev->features | ++ NETIF_F_HW_VLAN_CTAG_FILTER | + NETIF_F_HW_VLAN_CTAG_RX | + NETIF_F_HW_VLAN_CTAG_TX | + NETIF_F_RXALL | +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +index 779bafc..b92b75f 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -501,6 +501,15 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mvm *mvm, struct sk_buff *skb) + int hdrlen = ieee80211_hdrlen(hdr->frame_control); + int queue; + ++ /* IWL_MVM_OFFCHANNEL_QUEUE is used for ROC packets that can be used ++ * in 2 different types of vifs, P2P & STATION. P2P uses the offchannel ++ * queue. STATION (HS2.0) uses the auxiliary context of the FW, ++ * and hence needs to be sent on the aux queue ++ */ ++ if (IEEE80211_SKB_CB(skb)->hw_queue == IWL_MVM_OFFCHANNEL_QUEUE && ++ skb_info->control.vif->type == NL80211_IFTYPE_STATION) ++ IEEE80211_SKB_CB(skb)->hw_queue = mvm->aux_queue; ++ + memcpy(&info, skb->cb, sizeof(info)); + + if (WARN_ON_ONCE(info.flags & IEEE80211_TX_CTL_AMPDU)) +@@ -514,16 +523,6 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mvm *mvm, struct sk_buff *skb) + /* This holds the amsdu headers length */ + skb_info->driver_data[0] = (void *)(uintptr_t)0; + +- /* +- * IWL_MVM_OFFCHANNEL_QUEUE is used for ROC packets that can be used +- * in 2 different types of vifs, P2P & STATION. P2P uses the offchannel +- * queue. STATION (HS2.0) uses the auxiliary context of the FW, +- * and hence needs to be sent on the aux queue +- */ +- if (IEEE80211_SKB_CB(skb)->hw_queue == IWL_MVM_OFFCHANNEL_QUEUE && +- info.control.vif->type == NL80211_IFTYPE_STATION) +- IEEE80211_SKB_CB(skb)->hw_queue = mvm->aux_queue; +- + queue = info.hw_queue; + + /* +diff --git a/drivers/power/max17042_battery.c b/drivers/power/max17042_battery.c +index 9c65f13..da7a75f 100644 +--- a/drivers/power/max17042_battery.c ++++ b/drivers/power/max17042_battery.c +@@ -457,13 +457,16 @@ static inline void max17042_write_model_data(struct max17042_chip *chip, + } + + static inline void max17042_read_model_data(struct max17042_chip *chip, +- u8 addr, u32 *data, int size) ++ u8 addr, u16 *data, int size) + { + struct regmap *map = chip->regmap; + int i; ++ u32 tmp; + +- for (i = 0; i < size; i++) +- regmap_read(map, addr + i, &data[i]); ++ for (i = 0; i < size; i++) { ++ regmap_read(map, addr + i, &tmp); ++ data[i] = (u16)tmp; ++ } + } + + static inline int max17042_model_data_compare(struct max17042_chip *chip, +@@ -486,7 +489,7 @@ static int max17042_init_model(struct max17042_chip *chip) + { + int ret; + int table_size = ARRAY_SIZE(chip->pdata->config_data->cell_char_tbl); +- u32 *temp_data; ++ u16 *temp_data; + + temp_data = kcalloc(table_size, sizeof(*temp_data), GFP_KERNEL); + if (!temp_data) +@@ -501,7 +504,7 @@ static int max17042_init_model(struct max17042_chip *chip) + ret = max17042_model_data_compare( + chip, + chip->pdata->config_data->cell_char_tbl, +- (u16 *)temp_data, ++ temp_data, + table_size); + + max10742_lock_model(chip); +@@ -514,7 +517,7 @@ static int max17042_verify_model_lock(struct max17042_chip *chip) + { + int i; + int table_size = ARRAY_SIZE(chip->pdata->config_data->cell_char_tbl); +- u32 *temp_data; ++ u16 *temp_data; + int ret = 0; + + temp_data = kcalloc(table_size, sizeof(*temp_data), GFP_KERNEL); +diff --git a/drivers/power/reset/hisi-reboot.c b/drivers/power/reset/hisi-reboot.c +index 9ab7f56..f69387e 100644 +--- a/drivers/power/reset/hisi-reboot.c ++++ b/drivers/power/reset/hisi-reboot.c +@@ -53,13 +53,16 @@ static int hisi_reboot_probe(struct platform_device *pdev) + + if (of_property_read_u32(np, "reboot-offset", &reboot_offset) < 0) { + pr_err("failed to find reboot-offset property\n"); ++ iounmap(base); + return -EINVAL; + } + + err = register_restart_handler(&hisi_restart_nb); +- if (err) ++ if (err) { + dev_err(&pdev->dev, "cannot register restart handler (err=%d)\n", + err); ++ iounmap(base); ++ } + + return err; + } +diff --git a/drivers/power/tps65217_charger.c b/drivers/power/tps65217_charger.c +index 73dfae4..4c56e54 100644 +--- a/drivers/power/tps65217_charger.c ++++ b/drivers/power/tps65217_charger.c +@@ -206,6 +206,7 @@ static int tps65217_charger_probe(struct platform_device *pdev) + if (!charger) + return -ENOMEM; + ++ platform_set_drvdata(pdev, charger); + charger->tps = tps; + charger->dev = &pdev->dev; + +diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c +index 821d9c0..f25f7dc 100644 +--- a/drivers/rtc/rtc-ds1307.c ++++ b/drivers/rtc/rtc-ds1307.c +@@ -602,6 +602,8 @@ static const struct rtc_class_ops ds13xx_rtc_ops = { + * Alarm support for mcp794xx devices. + */ + ++#define MCP794XX_REG_WEEKDAY 0x3 ++#define MCP794XX_REG_WEEKDAY_WDAY_MASK 0x7 + #define MCP794XX_REG_CONTROL 0x07 + # define MCP794XX_BIT_ALM0_EN 0x10 + # define MCP794XX_BIT_ALM1_EN 0x20 +@@ -1231,13 +1233,16 @@ static int ds1307_probe(struct i2c_client *client, + { + struct ds1307 *ds1307; + int err = -ENODEV; +- int tmp; ++ int tmp, wday; + struct chip_desc *chip = &chips[id->driver_data]; + struct i2c_adapter *adapter = to_i2c_adapter(client->dev.parent); + bool want_irq = false; + bool ds1307_can_wakeup_device = false; + unsigned char *buf; + struct ds1307_platform_data *pdata = dev_get_platdata(&client->dev); ++ struct rtc_time tm; ++ unsigned long timestamp; ++ + irq_handler_t irq_handler = ds1307_irq; + + static const int bbsqi_bitpos[] = { +@@ -1526,6 +1531,27 @@ read_rtc: + bin2bcd(tmp)); + } + ++ /* ++ * Some IPs have weekday reset value = 0x1 which might not correct ++ * hence compute the wday using the current date/month/year values ++ */ ++ ds1307_get_time(&client->dev, &tm); ++ wday = tm.tm_wday; ++ timestamp = rtc_tm_to_time64(&tm); ++ rtc_time64_to_tm(timestamp, &tm); ++ ++ /* ++ * Check if reset wday is different from the computed wday ++ * If different then set the wday which we computed using ++ * timestamp ++ */ ++ if (wday != tm.tm_wday) { ++ wday = i2c_smbus_read_byte_data(client, MCP794XX_REG_WEEKDAY); ++ wday = wday & ~MCP794XX_REG_WEEKDAY_WDAY_MASK; ++ wday = wday | (tm.tm_wday + 1); ++ i2c_smbus_write_byte_data(client, MCP794XX_REG_WEEKDAY, wday); ++ } ++ + if (want_irq) { + device_set_wakeup_capable(&client->dev, true); + set_bit(HAS_ALARM, &ds1307->flags); +diff --git a/drivers/soc/tegra/pmc.c b/drivers/soc/tegra/pmc.c +index bb17345..5031c89 100644 +--- a/drivers/soc/tegra/pmc.c ++++ b/drivers/soc/tegra/pmc.c +@@ -1205,6 +1205,14 @@ static int tegra_pmc_probe(struct platform_device *pdev) + struct resource *res; + int err; + ++ /* ++ * Early initialisation should have configured an initial ++ * register mapping and setup the soc data pointer. If these ++ * are not valid then something went badly wrong! ++ */ ++ if (WARN_ON(!pmc->base || !pmc->soc)) ++ return -ENODEV; ++ + err = tegra_pmc_parse_dt(pmc, pdev->dev.of_node); + if (err < 0) + return err; +diff --git a/fs/autofs4/expire.c b/fs/autofs4/expire.c +index b493909..d8e6d42 100644 +--- a/fs/autofs4/expire.c ++++ b/fs/autofs4/expire.c +@@ -417,6 +417,7 @@ static struct dentry *should_expire(struct dentry *dentry, + } + return NULL; + } ++ + /* + * Find an eligible tree to time-out + * A tree is eligible if :- +@@ -432,6 +433,7 @@ struct dentry *autofs4_expire_indirect(struct super_block *sb, + struct dentry *root = sb->s_root; + struct dentry *dentry; + struct dentry *expired; ++ struct dentry *found; + struct autofs_info *ino; + + if (!root) +@@ -442,31 +444,46 @@ struct dentry *autofs4_expire_indirect(struct super_block *sb, + + dentry = NULL; + while ((dentry = get_next_positive_subdir(dentry, root))) { ++ int flags = how; ++ + spin_lock(&sbi->fs_lock); + ino = autofs4_dentry_ino(dentry); +- if (ino->flags & AUTOFS_INF_WANT_EXPIRE) +- expired = NULL; +- else +- expired = should_expire(dentry, mnt, timeout, how); +- if (!expired) { ++ if (ino->flags & AUTOFS_INF_WANT_EXPIRE) { + spin_unlock(&sbi->fs_lock); + continue; + } ++ spin_unlock(&sbi->fs_lock); ++ ++ expired = should_expire(dentry, mnt, timeout, flags); ++ if (!expired) ++ continue; ++ ++ spin_lock(&sbi->fs_lock); + ino = autofs4_dentry_ino(expired); + ino->flags |= AUTOFS_INF_WANT_EXPIRE; + spin_unlock(&sbi->fs_lock); + synchronize_rcu(); +- spin_lock(&sbi->fs_lock); +- if (should_expire(expired, mnt, timeout, how)) { +- if (expired != dentry) +- dput(dentry); +- goto found; +- } + ++ /* Make sure a reference is not taken on found if ++ * things have changed. ++ */ ++ flags &= ~AUTOFS_EXP_LEAVES; ++ found = should_expire(expired, mnt, timeout, how); ++ if (!found || found != expired) ++ /* Something has changed, continue */ ++ goto next; ++ ++ if (expired != dentry) ++ dput(dentry); ++ ++ spin_lock(&sbi->fs_lock); ++ goto found; ++next: ++ spin_lock(&sbi->fs_lock); + ino->flags &= ~AUTOFS_INF_WANT_EXPIRE; ++ spin_unlock(&sbi->fs_lock); + if (expired != dentry) + dput(expired); +- spin_unlock(&sbi->fs_lock); + } + return NULL; + +@@ -483,6 +500,7 @@ int autofs4_expire_wait(struct dentry *dentry, int rcu_walk) + struct autofs_sb_info *sbi = autofs4_sbi(dentry->d_sb); + struct autofs_info *ino = autofs4_dentry_ino(dentry); + int status; ++ int state; + + /* Block on any pending expire */ + if (!(ino->flags & AUTOFS_INF_WANT_EXPIRE)) +@@ -490,8 +508,19 @@ int autofs4_expire_wait(struct dentry *dentry, int rcu_walk) + if (rcu_walk) + return -ECHILD; + ++retry: + spin_lock(&sbi->fs_lock); +- if (ino->flags & AUTOFS_INF_EXPIRING) { ++ state = ino->flags & (AUTOFS_INF_WANT_EXPIRE | AUTOFS_INF_EXPIRING); ++ if (state == AUTOFS_INF_WANT_EXPIRE) { ++ spin_unlock(&sbi->fs_lock); ++ /* ++ * Possibly being selected for expire, wait until ++ * it's selected or not. ++ */ ++ schedule_timeout_uninterruptible(HZ/10); ++ goto retry; ++ } ++ if (state & AUTOFS_INF_EXPIRING) { + spin_unlock(&sbi->fs_lock); + + pr_debug("waiting for expire %p name=%pd\n", dentry, dentry); +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index 3722a1f..4ffcf0c 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -1634,6 +1634,9 @@ static noinline int btrfs_ioctl_snap_create_transid(struct file *file, + int namelen; + int ret = 0; + ++ if (!S_ISDIR(file_inode(file)->i_mode)) ++ return -ENOTDIR; ++ + ret = mnt_want_write_file(file); + if (ret) + goto out; +@@ -1691,6 +1694,9 @@ static noinline int btrfs_ioctl_snap_create(struct file *file, + struct btrfs_ioctl_vol_args *vol_args; + int ret; + ++ if (!S_ISDIR(file_inode(file)->i_mode)) ++ return -ENOTDIR; ++ + vol_args = memdup_user(arg, sizeof(*vol_args)); + if (IS_ERR(vol_args)) + return PTR_ERR(vol_args); +@@ -1714,6 +1720,9 @@ static noinline int btrfs_ioctl_snap_create_v2(struct file *file, + bool readonly = false; + struct btrfs_qgroup_inherit *inherit = NULL; + ++ if (!S_ISDIR(file_inode(file)->i_mode)) ++ return -ENOTDIR; ++ + vol_args = memdup_user(arg, sizeof(*vol_args)); + if (IS_ERR(vol_args)) + return PTR_ERR(vol_args); +@@ -2358,6 +2367,9 @@ static noinline int btrfs_ioctl_snap_destroy(struct file *file, + int ret; + int err = 0; + ++ if (!S_ISDIR(dir->i_mode)) ++ return -ENOTDIR; ++ + vol_args = memdup_user(arg, sizeof(*vol_args)); + if (IS_ERR(vol_args)) + return PTR_ERR(vol_args); +diff --git a/fs/ceph/file.c b/fs/ceph/file.c +index 0daaf7c..b1b9b48 100644 +--- a/fs/ceph/file.c ++++ b/fs/ceph/file.c +@@ -1448,16 +1448,14 @@ static loff_t ceph_llseek(struct file *file, loff_t offset, int whence) + { + struct inode *inode = file->f_mapping->host; + loff_t i_size; +- int ret; ++ loff_t ret; + + inode_lock(inode); + + if (whence == SEEK_END || whence == SEEK_DATA || whence == SEEK_HOLE) { + ret = ceph_do_getattr(inode, CEPH_STAT_CAP_SIZE, false); +- if (ret < 0) { +- offset = ret; ++ if (ret < 0) + goto out; +- } + } + + i_size = i_size_read(inode); +@@ -1473,7 +1471,7 @@ static loff_t ceph_llseek(struct file *file, loff_t offset, int whence) + * write() or lseek() might have altered it + */ + if (offset == 0) { +- offset = file->f_pos; ++ ret = file->f_pos; + goto out; + } + offset += file->f_pos; +@@ -1493,11 +1491,11 @@ static loff_t ceph_llseek(struct file *file, loff_t offset, int whence) + break; + } + +- offset = vfs_setpos(file, offset, inode->i_sb->s_maxbytes); ++ ret = vfs_setpos(file, offset, inode->i_sb->s_maxbytes); + + out: + inode_unlock(inode); +- return offset; ++ return ret; + } + + static inline void ceph_zero_partial_page( +diff --git a/fs/ceph/ioctl.c b/fs/ceph/ioctl.c +index be6b165..0946f2d 100644 +--- a/fs/ceph/ioctl.c ++++ b/fs/ceph/ioctl.c +@@ -183,7 +183,7 @@ static long ceph_ioctl_get_dataloc(struct file *file, void __user *arg) + struct ceph_osd_client *osdc = + &ceph_sb_to_client(inode->i_sb)->client->osdc; + struct ceph_object_locator oloc; +- struct ceph_object_id oid; ++ CEPH_DEFINE_OID_ONSTACK(oid); + u64 len = 1, olen; + u64 tmp; + struct ceph_pg pgid; +diff --git a/fs/configfs/file.c b/fs/configfs/file.c +index bbc1252..2ddfa05 100644 +--- a/fs/configfs/file.c ++++ b/fs/configfs/file.c +@@ -333,6 +333,7 @@ configfs_write_bin_file(struct file *file, const char __user *buf, + if (bin_attr->cb_max_size && + *ppos + count > bin_attr->cb_max_size) { + len = -EFBIG; ++ goto out; + } + + tbuf = vmalloc(*ppos + count); +diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c +index 5c57654..90e46cd 100644 +--- a/fs/hostfs/hostfs_kern.c ++++ b/fs/hostfs/hostfs_kern.c +@@ -959,10 +959,11 @@ static int hostfs_fill_sb_common(struct super_block *sb, void *d, int silent) + + if (S_ISLNK(root_inode->i_mode)) { + char *name = follow_link(host_root_path); +- if (IS_ERR(name)) ++ if (IS_ERR(name)) { + err = PTR_ERR(name); +- else +- err = read_name(root_inode, name); ++ goto out_put; ++ } ++ err = read_name(root_inode, name); + kfree(name); + if (err) + goto out_put; +diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c +index d2f97ec..e0e5f7c 100644 +--- a/fs/notify/fanotify/fanotify.c ++++ b/fs/notify/fanotify/fanotify.c +@@ -67,18 +67,7 @@ static int fanotify_get_response(struct fsnotify_group *group, + + pr_debug("%s: group=%p event=%p\n", __func__, group, event); + +- wait_event(group->fanotify_data.access_waitq, event->response || +- atomic_read(&group->fanotify_data.bypass_perm)); +- +- if (!event->response) { /* bypass_perm set */ +- /* +- * Event was canceled because group is being destroyed. Remove +- * it from group's event list because we are responsible for +- * freeing the permission event. +- */ +- fsnotify_remove_event(group, &event->fae.fse); +- return 0; +- } ++ wait_event(group->fanotify_data.access_waitq, event->response); + + /* userspace responded, convert to something usable */ + switch (event->response) { +diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c +index 8e8e6bc..a643138 100644 +--- a/fs/notify/fanotify/fanotify_user.c ++++ b/fs/notify/fanotify/fanotify_user.c +@@ -358,16 +358,20 @@ static int fanotify_release(struct inode *ignored, struct file *file) + + #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS + struct fanotify_perm_event_info *event, *next; ++ struct fsnotify_event *fsn_event; + + /* +- * There may be still new events arriving in the notification queue +- * but since userspace cannot use fanotify fd anymore, no event can +- * enter or leave access_list by now. ++ * Stop new events from arriving in the notification queue. since ++ * userspace cannot use fanotify fd anymore, no event can enter or ++ * leave access_list by now either. + */ +- spin_lock(&group->fanotify_data.access_lock); +- +- atomic_inc(&group->fanotify_data.bypass_perm); ++ fsnotify_group_stop_queueing(group); + ++ /* ++ * Process all permission events on access_list and notification queue ++ * and simulate reply from userspace. ++ */ ++ spin_lock(&group->fanotify_data.access_lock); + list_for_each_entry_safe(event, next, &group->fanotify_data.access_list, + fae.fse.list) { + pr_debug("%s: found group=%p event=%p\n", __func__, group, +@@ -379,12 +383,21 @@ static int fanotify_release(struct inode *ignored, struct file *file) + spin_unlock(&group->fanotify_data.access_lock); + + /* +- * Since bypass_perm is set, newly queued events will not wait for +- * access response. Wake up the already sleeping ones now. +- * synchronize_srcu() in fsnotify_destroy_group() will wait for all +- * processes sleeping in fanotify_handle_event() waiting for access +- * response and thus also for all permission events to be freed. ++ * Destroy all non-permission events. For permission events just ++ * dequeue them and set the response. They will be freed once the ++ * response is consumed and fanotify_get_response() returns. + */ ++ mutex_lock(&group->notification_mutex); ++ while (!fsnotify_notify_queue_is_empty(group)) { ++ fsn_event = fsnotify_remove_first_event(group); ++ if (!(fsn_event->mask & FAN_ALL_PERM_EVENTS)) ++ fsnotify_destroy_event(group, fsn_event); ++ else ++ FANOTIFY_PE(fsn_event)->response = FAN_ALLOW; ++ } ++ mutex_unlock(&group->notification_mutex); ++ ++ /* Response for all permission events it set, wakeup waiters */ + wake_up(&group->fanotify_data.access_waitq); + #endif + +@@ -755,7 +768,6 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags) + spin_lock_init(&group->fanotify_data.access_lock); + init_waitqueue_head(&group->fanotify_data.access_waitq); + INIT_LIST_HEAD(&group->fanotify_data.access_list); +- atomic_set(&group->fanotify_data.bypass_perm, 0); + #endif + switch (flags & FAN_ALL_CLASS_BITS) { + case FAN_CLASS_NOTIF: +diff --git a/fs/notify/group.c b/fs/notify/group.c +index 3e2dd85..b47f7cf 100644 +--- a/fs/notify/group.c ++++ b/fs/notify/group.c +@@ -40,6 +40,17 @@ static void fsnotify_final_destroy_group(struct fsnotify_group *group) + } + + /* ++ * Stop queueing new events for this group. Once this function returns ++ * fsnotify_add_event() will not add any new events to the group's queue. ++ */ ++void fsnotify_group_stop_queueing(struct fsnotify_group *group) ++{ ++ mutex_lock(&group->notification_mutex); ++ group->shutdown = true; ++ mutex_unlock(&group->notification_mutex); ++} ++ ++/* + * Trying to get rid of a group. Remove all marks, flush all events and release + * the group reference. + * Note that another thread calling fsnotify_clear_marks_by_group() may still +@@ -47,6 +58,14 @@ static void fsnotify_final_destroy_group(struct fsnotify_group *group) + */ + void fsnotify_destroy_group(struct fsnotify_group *group) + { ++ /* ++ * Stop queueing new events. The code below is careful enough to not ++ * require this but fanotify needs to stop queuing events even before ++ * fsnotify_destroy_group() is called and this makes the other callers ++ * of fsnotify_destroy_group() to see the same behavior. ++ */ ++ fsnotify_group_stop_queueing(group); ++ + /* clear all inode marks for this group, attach them to destroy_list */ + fsnotify_detach_group_marks(group); + +diff --git a/fs/notify/notification.c b/fs/notify/notification.c +index a95d8e0..e455e83 100644 +--- a/fs/notify/notification.c ++++ b/fs/notify/notification.c +@@ -82,7 +82,8 @@ void fsnotify_destroy_event(struct fsnotify_group *group, + * Add an event to the group notification queue. The group can later pull this + * event off the queue to deal with. The function returns 0 if the event was + * added to the queue, 1 if the event was merged with some other queued event, +- * 2 if the queue of events has overflown. ++ * 2 if the event was not queued - either the queue of events has overflown ++ * or the group is shutting down. + */ + int fsnotify_add_event(struct fsnotify_group *group, + struct fsnotify_event *event, +@@ -96,6 +97,11 @@ int fsnotify_add_event(struct fsnotify_group *group, + + mutex_lock(&group->notification_mutex); + ++ if (group->shutdown) { ++ mutex_unlock(&group->notification_mutex); ++ return 2; ++ } ++ + if (group->q_len >= group->max_events) { + ret = 2; + /* Queue overflow event only if it isn't already queued */ +@@ -126,21 +132,6 @@ queue: + } + + /* +- * Remove @event from group's notification queue. It is the responsibility of +- * the caller to destroy the event. +- */ +-void fsnotify_remove_event(struct fsnotify_group *group, +- struct fsnotify_event *event) +-{ +- mutex_lock(&group->notification_mutex); +- if (!list_empty(&event->list)) { +- list_del_init(&event->list); +- group->q_len--; +- } +- mutex_unlock(&group->notification_mutex); +-} +- +-/* + * Remove and return the first event from the notification list. It is the + * responsibility of the caller to destroy the obtained event + */ +diff --git a/fs/ocfs2/cluster/tcp_internal.h b/fs/ocfs2/cluster/tcp_internal.h +index 94b1836..b95e7df 100644 +--- a/fs/ocfs2/cluster/tcp_internal.h ++++ b/fs/ocfs2/cluster/tcp_internal.h +@@ -44,9 +44,6 @@ + * version here in tcp_internal.h should not need to be bumped for + * filesystem locking changes. + * +- * New in version 12 +- * - Negotiate hb timeout when storage is down. +- * + * New in version 11 + * - Negotiation of filesystem locking in the dlm join. + * +@@ -78,7 +75,7 @@ + * - full 64 bit i_size in the metadata lock lvbs + * - introduction of "rw" lock and pushing meta/data locking down + */ +-#define O2NET_PROTOCOL_VERSION 12ULL ++#define O2NET_PROTOCOL_VERSION 11ULL + struct o2net_handshake { + __be64 protocol_version; + __be64 connector_id; +diff --git a/fs/ocfs2/dlm/dlmconvert.c b/fs/ocfs2/dlm/dlmconvert.c +index cdeafb4..0bb1286 100644 +--- a/fs/ocfs2/dlm/dlmconvert.c ++++ b/fs/ocfs2/dlm/dlmconvert.c +@@ -268,7 +268,6 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm, + struct dlm_lock *lock, int flags, int type) + { + enum dlm_status status; +- u8 old_owner = res->owner; + + mlog(0, "type=%d, convert_type=%d, busy=%d\n", lock->ml.type, + lock->ml.convert_type, res->state & DLM_LOCK_RES_IN_PROGRESS); +@@ -335,7 +334,6 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm, + + spin_lock(&res->spinlock); + res->state &= ~DLM_LOCK_RES_IN_PROGRESS; +- lock->convert_pending = 0; + /* if it failed, move it back to granted queue. + * if master returns DLM_NORMAL and then down before sending ast, + * it may have already been moved to granted queue, reset to +@@ -344,12 +342,14 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm, + if (status != DLM_NOTQUEUED) + dlm_error(status); + dlm_revert_pending_convert(res, lock); +- } else if ((res->state & DLM_LOCK_RES_RECOVERING) || +- (old_owner != res->owner)) { +- mlog(0, "res %.*s is in recovering or has been recovered.\n", +- res->lockname.len, res->lockname.name); ++ } else if (!lock->convert_pending) { ++ mlog(0, "%s: res %.*s, owner died and lock has been moved back " ++ "to granted list, retry convert.\n", ++ dlm->name, res->lockname.len, res->lockname.name); + status = DLM_RECOVERING; + } ++ ++ lock->convert_pending = 0; + bail: + spin_unlock(&res->spinlock); + +diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c +index 4e7b0dc..0b055bf 100644 +--- a/fs/ocfs2/file.c ++++ b/fs/ocfs2/file.c +@@ -1506,7 +1506,8 @@ static int ocfs2_zero_partial_clusters(struct inode *inode, + u64 start, u64 len) + { + int ret = 0; +- u64 tmpend, end = start + len; ++ u64 tmpend = 0; ++ u64 end = start + len; + struct ocfs2_super *osb = OCFS2_SB(inode->i_sb); + unsigned int csize = osb->s_clustersize; + handle_t *handle; +@@ -1538,18 +1539,31 @@ static int ocfs2_zero_partial_clusters(struct inode *inode, + } + + /* +- * We want to get the byte offset of the end of the 1st cluster. ++ * If start is on a cluster boundary and end is somewhere in another ++ * cluster, we have not COWed the cluster starting at start, unless ++ * end is also within the same cluster. So, in this case, we skip this ++ * first call to ocfs2_zero_range_for_truncate() truncate and move on ++ * to the next one. + */ +- tmpend = (u64)osb->s_clustersize + (start & ~(osb->s_clustersize - 1)); +- if (tmpend > end) +- tmpend = end; ++ if ((start & (csize - 1)) != 0) { ++ /* ++ * We want to get the byte offset of the end of the 1st ++ * cluster. ++ */ ++ tmpend = (u64)osb->s_clustersize + ++ (start & ~(osb->s_clustersize - 1)); ++ if (tmpend > end) ++ tmpend = end; + +- trace_ocfs2_zero_partial_clusters_range1((unsigned long long)start, +- (unsigned long long)tmpend); ++ trace_ocfs2_zero_partial_clusters_range1( ++ (unsigned long long)start, ++ (unsigned long long)tmpend); + +- ret = ocfs2_zero_range_for_truncate(inode, handle, start, tmpend); +- if (ret) +- mlog_errno(ret); ++ ret = ocfs2_zero_range_for_truncate(inode, handle, start, ++ tmpend); ++ if (ret) ++ mlog_errno(ret); ++ } + + if (tmpend < end) { + /* +diff --git a/fs/reiserfs/ibalance.c b/fs/reiserfs/ibalance.c +index b751eea..5db6f45 100644 +--- a/fs/reiserfs/ibalance.c ++++ b/fs/reiserfs/ibalance.c +@@ -1153,8 +1153,9 @@ int balance_internal(struct tree_balance *tb, + insert_ptr); + } + +- memcpy(new_insert_key_addr, &new_insert_key, KEY_SIZE); + insert_ptr[0] = new_insert_ptr; ++ if (new_insert_ptr) ++ memcpy(new_insert_key_addr, &new_insert_key, KEY_SIZE); + + return order; + } +diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c +index e71cfbd..41c20b6 100644 +--- a/fs/xfs/xfs_buf.c ++++ b/fs/xfs/xfs_buf.c +@@ -1531,7 +1531,7 @@ xfs_wait_buftarg( + * ensure here that all reference counts have been dropped before we + * start walking the LRU list. + */ +- drain_workqueue(btp->bt_mount->m_buf_workqueue); ++ flush_workqueue(btp->bt_mount->m_buf_workqueue); + + /* loop until there is nothing left on the lru list. */ + while (list_lru_count(&btp->bt_lru)) { +diff --git a/include/linux/ceph/libceph.h b/include/linux/ceph/libceph.h +index 690985d..6b79a6b 100644 +--- a/include/linux/ceph/libceph.h ++++ b/include/linux/ceph/libceph.h +@@ -214,8 +214,9 @@ static void erase_##name(struct rb_root *root, type *t) \ + } + + #define DEFINE_RB_LOOKUP_FUNC(name, type, keyfld, nodefld) \ ++extern type __lookup_##name##_key; \ + static type *lookup_##name(struct rb_root *root, \ +- typeof(((type *)0)->keyfld) key) \ ++ typeof(__lookup_##name##_key.keyfld) key) \ + { \ + struct rb_node *n = root->rb_node; \ + \ +diff --git a/include/linux/ceph/osdmap.h b/include/linux/ceph/osdmap.h +index 9ccf4db..21d7f04 100644 +--- a/include/linux/ceph/osdmap.h ++++ b/include/linux/ceph/osdmap.h +@@ -115,6 +115,11 @@ static inline void ceph_oid_init(struct ceph_object_id *oid) + oid->name_len = 0; + } + ++#define CEPH_OID_INIT_ONSTACK(oid) \ ++ ({ ceph_oid_init(&oid); oid; }) ++#define CEPH_DEFINE_OID_ONSTACK(oid) \ ++ struct ceph_object_id oid = CEPH_OID_INIT_ONSTACK(oid) ++ + static inline bool ceph_oid_empty(const struct ceph_object_id *oid) + { + return oid->name == oid->inline_name && !oid->name_len; +diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h +index 29f9175..16af670 100644 +--- a/include/linux/fsnotify_backend.h ++++ b/include/linux/fsnotify_backend.h +@@ -148,6 +148,7 @@ struct fsnotify_group { + #define FS_PRIO_1 1 /* fanotify content based access control */ + #define FS_PRIO_2 2 /* fanotify pre-content access */ + unsigned int priority; ++ bool shutdown; /* group is being shut down, don't queue more events */ + + /* stores all fastpath marks assoc with this group so they can be cleaned on unregister */ + struct mutex mark_mutex; /* protect marks_list */ +@@ -179,7 +180,6 @@ struct fsnotify_group { + spinlock_t access_lock; + struct list_head access_list; + wait_queue_head_t access_waitq; +- atomic_t bypass_perm; + #endif /* CONFIG_FANOTIFY_ACCESS_PERMISSIONS */ + int f_flags; + unsigned int max_marks; +@@ -303,6 +303,8 @@ extern struct fsnotify_group *fsnotify_alloc_group(const struct fsnotify_ops *op + extern void fsnotify_get_group(struct fsnotify_group *group); + /* drop reference on a group from fsnotify_alloc_group */ + extern void fsnotify_put_group(struct fsnotify_group *group); ++/* group destruction begins, stop queuing new events */ ++extern void fsnotify_group_stop_queueing(struct fsnotify_group *group); + /* destroy group */ + extern void fsnotify_destroy_group(struct fsnotify_group *group); + /* fasync handler function */ +@@ -315,8 +317,6 @@ extern int fsnotify_add_event(struct fsnotify_group *group, + struct fsnotify_event *event, + int (*merge)(struct list_head *, + struct fsnotify_event *)); +-/* Remove passed event from groups notification queue */ +-extern void fsnotify_remove_event(struct fsnotify_group *group, struct fsnotify_event *event); + /* true if the group notification queue is empty */ + extern bool fsnotify_notify_queue_is_empty(struct fsnotify_group *group); + /* return, but do not dequeue the first event on the notification queue */ +diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h +index 9735410..1f94053 100644 +--- a/include/linux/pagemap.h ++++ b/include/linux/pagemap.h +@@ -571,56 +571,56 @@ static inline int fault_in_pages_readable(const char __user *uaddr, int size) + */ + static inline int fault_in_multipages_writeable(char __user *uaddr, int size) + { +- int ret = 0; + char __user *end = uaddr + size - 1; + + if (unlikely(size == 0)) +- return ret; ++ return 0; + ++ if (unlikely(uaddr > end)) ++ return -EFAULT; + /* + * Writing zeroes into userspace here is OK, because we know that if + * the zero gets there, we'll be overwriting it. + */ +- while (uaddr <= end) { +- ret = __put_user(0, uaddr); +- if (ret != 0) +- return ret; ++ do { ++ if (unlikely(__put_user(0, uaddr) != 0)) ++ return -EFAULT; + uaddr += PAGE_SIZE; +- } ++ } while (uaddr <= end); + + /* Check whether the range spilled into the next page. */ + if (((unsigned long)uaddr & PAGE_MASK) == + ((unsigned long)end & PAGE_MASK)) +- ret = __put_user(0, end); ++ return __put_user(0, end); + +- return ret; ++ return 0; + } + + static inline int fault_in_multipages_readable(const char __user *uaddr, + int size) + { + volatile char c; +- int ret = 0; + const char __user *end = uaddr + size - 1; + + if (unlikely(size == 0)) +- return ret; ++ return 0; + +- while (uaddr <= end) { +- ret = __get_user(c, uaddr); +- if (ret != 0) +- return ret; ++ if (unlikely(uaddr > end)) ++ return -EFAULT; ++ ++ do { ++ if (unlikely(__get_user(c, uaddr) != 0)) ++ return -EFAULT; + uaddr += PAGE_SIZE; +- } ++ } while (uaddr <= end); + + /* Check whether the range spilled into the next page. */ + if (((unsigned long)uaddr & PAGE_MASK) == + ((unsigned long)end & PAGE_MASK)) { +- ret = __get_user(c, end); +- (void)c; ++ return __get_user(c, end); + } + +- return ret; ++ return 0; + } + + int add_to_page_cache_locked(struct page *page, struct address_space *mapping, +diff --git a/include/linux/reset.h b/include/linux/reset.h +index 45a4abe..5daff15 100644 +--- a/include/linux/reset.h ++++ b/include/linux/reset.h +@@ -71,14 +71,14 @@ static inline struct reset_control *__of_reset_control_get( + struct device_node *node, + const char *id, int index, int shared) + { +- return ERR_PTR(-EINVAL); ++ return ERR_PTR(-ENOTSUPP); + } + + static inline struct reset_control *__devm_reset_control_get( + struct device *dev, + const char *id, int index, int shared) + { +- return ERR_PTR(-EINVAL); ++ return ERR_PTR(-ENOTSUPP); + } + + #endif /* CONFIG_RESET_CONTROLLER */ +diff --git a/kernel/cgroup.c b/kernel/cgroup.c +index e0be49f..129a7ca 100644 +--- a/kernel/cgroup.c ++++ b/kernel/cgroup.c +@@ -6240,6 +6240,12 @@ void cgroup_sk_alloc(struct sock_cgroup_data *skcd) + if (cgroup_sk_alloc_disabled) + return; + ++ /* Socket clone path */ ++ if (skcd->val) { ++ cgroup_get(sock_cgroup_ptr(skcd)); ++ return; ++ } ++ + rcu_read_lock(); + + while (true) { +diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c +index fca9254..2fc1177 100644 +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -299,12 +299,12 @@ static int create_image(int platform_mode) + save_processor_state(); + trace_suspend_resume(TPS("machine_suspend"), PM_EVENT_HIBERNATE, true); + error = swsusp_arch_suspend(); ++ /* Restore control flow magically appears here */ ++ restore_processor_state(); + trace_suspend_resume(TPS("machine_suspend"), PM_EVENT_HIBERNATE, false); + if (error) + printk(KERN_ERR "PM: Error %d creating hibernation image\n", + error); +- /* Restore control flow magically appears here */ +- restore_processor_state(); + if (!in_suspend) + events_check_enabled = false; + +diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c +index 3a97060..f155c62 100644 +--- a/kernel/power/snapshot.c ++++ b/kernel/power/snapshot.c +@@ -765,9 +765,9 @@ static bool memory_bm_pfn_present(struct memory_bitmap *bm, unsigned long pfn) + */ + static bool rtree_next_node(struct memory_bitmap *bm) + { +- bm->cur.node = list_entry(bm->cur.node->list.next, +- struct rtree_node, list); +- if (&bm->cur.node->list != &bm->cur.zone->leaves) { ++ if (!list_is_last(&bm->cur.node->list, &bm->cur.zone->leaves)) { ++ bm->cur.node = list_entry(bm->cur.node->list.next, ++ struct rtree_node, list); + bm->cur.node_pfn += BM_BITS_PER_BLOCK; + bm->cur.node_bit = 0; + touch_softlockup_watchdog(); +@@ -775,9 +775,9 @@ static bool rtree_next_node(struct memory_bitmap *bm) + } + + /* No more nodes, goto next zone */ +- bm->cur.zone = list_entry(bm->cur.zone->list.next, ++ if (!list_is_last(&bm->cur.zone->list, &bm->zones)) { ++ bm->cur.zone = list_entry(bm->cur.zone->list.next, + struct mem_zone_bm_rtree, list); +- if (&bm->cur.zone->list != &bm->zones) { + bm->cur.node = list_entry(bm->cur.zone->leaves.next, + struct rtree_node, list); + bm->cur.node_pfn = 0; +diff --git a/kernel/trace/Makefile b/kernel/trace/Makefile +index 979e7bf..d0a1617 100644 +--- a/kernel/trace/Makefile ++++ b/kernel/trace/Makefile +@@ -1,4 +1,8 @@ + ++# We are fully aware of the dangers of __builtin_return_address() ++FRAME_CFLAGS := $(call cc-disable-warning,frame-address) ++KBUILD_CFLAGS += $(FRAME_CFLAGS) ++ + # Do not instrument the tracer itself: + + ifdef CONFIG_FUNCTION_TRACER +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 8a4bd6b..77eeab2 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -4890,19 +4890,20 @@ tracing_read_pipe(struct file *filp, char __user *ubuf, + struct trace_iterator *iter = filp->private_data; + ssize_t sret; + +- /* return any leftover data */ +- sret = trace_seq_to_user(&iter->seq, ubuf, cnt); +- if (sret != -EBUSY) +- return sret; +- +- trace_seq_init(&iter->seq); +- + /* + * Avoid more than one consumer on a single file descriptor + * This is just a matter of traces coherency, the ring buffer itself + * is protected. + */ + mutex_lock(&iter->mutex); ++ ++ /* return any leftover data */ ++ sret = trace_seq_to_user(&iter->seq, ubuf, cnt); ++ if (sret != -EBUSY) ++ goto out; ++ ++ trace_seq_init(&iter->seq); ++ + if (iter->trace->read) { + sret = iter->trace->read(iter, filp, ubuf, cnt, ppos); + if (sret) +@@ -5929,9 +5930,6 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos, + return -EBUSY; + #endif + +- if (splice_grow_spd(pipe, &spd)) +- return -ENOMEM; +- + if (*ppos & (PAGE_SIZE - 1)) + return -EINVAL; + +@@ -5941,6 +5939,9 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos, + len &= PAGE_MASK; + } + ++ if (splice_grow_spd(pipe, &spd)) ++ return -ENOMEM; ++ + again: + trace_access_lock(iter->cpu_file); + entries = ring_buffer_entries_cpu(iter->trace_buffer->buffer, iter->cpu_file); +@@ -5998,19 +5999,21 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos, + /* did we read anything? */ + if (!spd.nr_pages) { + if (ret) +- return ret; ++ goto out; + ++ ret = -EAGAIN; + if ((file->f_flags & O_NONBLOCK) || (flags & SPLICE_F_NONBLOCK)) +- return -EAGAIN; ++ goto out; + + ret = wait_on_pipe(iter, true); + if (ret) +- return ret; ++ goto out; + + goto again; + } + + ret = splice_to_pipe(pipe, &spd); ++out: + splice_shrink_spd(&spd); + + return ret; +diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c +index 6845f92..50e92c5 100644 +--- a/mm/kasan/kasan.c ++++ b/mm/kasan/kasan.c +@@ -562,7 +562,7 @@ void kasan_kmalloc(struct kmem_cache *cache, const void *object, size_t size, + unsigned long redzone_start; + unsigned long redzone_end; + +- if (flags & __GFP_RECLAIM) ++ if (gfpflags_allow_blocking(flags)) + quarantine_reduce(); + + if (unlikely(object == NULL)) +@@ -595,7 +595,7 @@ void kasan_kmalloc_large(const void *ptr, size_t size, gfp_t flags) + unsigned long redzone_start; + unsigned long redzone_end; + +- if (flags & __GFP_RECLAIM) ++ if (gfpflags_allow_blocking(flags)) + quarantine_reduce(); + + if (unlikely(ptr == NULL)) +diff --git a/mm/kasan/quarantine.c b/mm/kasan/quarantine.c +index 65793f1..a04887c 100644 +--- a/mm/kasan/quarantine.c ++++ b/mm/kasan/quarantine.c +@@ -196,7 +196,7 @@ void quarantine_put(struct kasan_free_meta *info, struct kmem_cache *cache) + + void quarantine_reduce(void) + { +- size_t new_quarantine_size; ++ size_t new_quarantine_size, percpu_quarantines; + unsigned long flags; + struct qlist_head to_free = QLIST_INIT; + size_t size_to_free = 0; +@@ -214,7 +214,12 @@ void quarantine_reduce(void) + */ + new_quarantine_size = (READ_ONCE(totalram_pages) << PAGE_SHIFT) / + QUARANTINE_FRACTION; +- new_quarantine_size -= QUARANTINE_PERCPU_SIZE * num_online_cpus(); ++ percpu_quarantines = QUARANTINE_PERCPU_SIZE * num_online_cpus(); ++ if (WARN_ONCE(new_quarantine_size < percpu_quarantines, ++ "Too little memory, disabling global KASAN quarantine.\n")) ++ new_quarantine_size = 0; ++ else ++ new_quarantine_size -= percpu_quarantines; + WRITE_ONCE(quarantine_size, new_quarantine_size); + + last = global_quarantine.head; +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index ca847d9..fcb5b8c 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -1797,17 +1797,22 @@ static DEFINE_MUTEX(percpu_charge_mutex); + static bool consume_stock(struct mem_cgroup *memcg, unsigned int nr_pages) + { + struct memcg_stock_pcp *stock; ++ unsigned long flags; + bool ret = false; + + if (nr_pages > CHARGE_BATCH) + return ret; + +- stock = &get_cpu_var(memcg_stock); ++ local_irq_save(flags); ++ ++ stock = this_cpu_ptr(&memcg_stock); + if (memcg == stock->cached && stock->nr_pages >= nr_pages) { + stock->nr_pages -= nr_pages; + ret = true; + } +- put_cpu_var(memcg_stock); ++ ++ local_irq_restore(flags); ++ + return ret; + } + +@@ -1828,15 +1833,18 @@ static void drain_stock(struct memcg_stock_pcp *stock) + stock->cached = NULL; + } + +-/* +- * This must be called under preempt disabled or must be called by +- * a thread which is pinned to local cpu. +- */ + static void drain_local_stock(struct work_struct *dummy) + { +- struct memcg_stock_pcp *stock = this_cpu_ptr(&memcg_stock); ++ struct memcg_stock_pcp *stock; ++ unsigned long flags; ++ ++ local_irq_save(flags); ++ ++ stock = this_cpu_ptr(&memcg_stock); + drain_stock(stock); + clear_bit(FLUSHING_CACHED_CHARGE, &stock->flags); ++ ++ local_irq_restore(flags); + } + + /* +@@ -1845,14 +1853,19 @@ static void drain_local_stock(struct work_struct *dummy) + */ + static void refill_stock(struct mem_cgroup *memcg, unsigned int nr_pages) + { +- struct memcg_stock_pcp *stock = &get_cpu_var(memcg_stock); ++ struct memcg_stock_pcp *stock; ++ unsigned long flags; ++ ++ local_irq_save(flags); + ++ stock = this_cpu_ptr(&memcg_stock); + if (stock->cached != memcg) { /* reset if necessary */ + drain_stock(stock); + stock->cached = memcg; + } + stock->nr_pages += nr_pages; +- put_cpu_var(memcg_stock); ++ ++ local_irq_restore(flags); + } + + /* +diff --git a/mm/page_io.c b/mm/page_io.c +index 242dba0..dc1af1e 100644 +--- a/mm/page_io.c ++++ b/mm/page_io.c +@@ -262,6 +262,7 @@ int __swap_writepage(struct page *page, struct writeback_control *wbc, + int ret, rw = WRITE; + struct swap_info_struct *sis = page_swap_info(page); + ++ BUG_ON(!PageSwapCache(page)); + if (sis->flags & SWP_FILE) { + struct kiocb kiocb; + struct file *swap_file = sis->swap_file; +@@ -333,6 +334,7 @@ int swap_readpage(struct page *page) + int ret = 0; + struct swap_info_struct *sis = page_swap_info(page); + ++ BUG_ON(!PageSwapCache(page)); + VM_BUG_ON_PAGE(!PageLocked(page), page); + VM_BUG_ON_PAGE(PageUptodate(page), page); + if (frontswap_load(page) == 0) { +@@ -381,6 +383,7 @@ int swap_set_page_dirty(struct page *page) + + if (sis->flags & SWP_FILE) { + struct address_space *mapping = sis->swap_file->f_mapping; ++ BUG_ON(!PageSwapCache(page)); + return mapping->a_ops->set_page_dirty(page); + } else { + return __set_page_dirty_no_writeback(page); +diff --git a/mm/swapfile.c b/mm/swapfile.c +index 031713ab..46502f5 100644 +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -2724,7 +2724,6 @@ int swapcache_prepare(swp_entry_t entry) + struct swap_info_struct *page_swap_info(struct page *page) + { + swp_entry_t swap = { .val = page_private(page) }; +- BUG_ON(!PageSwapCache(page)); + return swap_info[swp_type(swap)]; + } + +diff --git a/mm/vmscan.c b/mm/vmscan.c +index c4a2f45..38a2691 100644 +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -2150,23 +2150,6 @@ out: + } + } + +-#ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH +-static void init_tlb_ubc(void) +-{ +- /* +- * This deliberately does not clear the cpumask as it's expensive +- * and unnecessary. If there happens to be data in there then the +- * first SWAP_CLUSTER_MAX pages will send an unnecessary IPI and +- * then will be cleared. +- */ +- current->tlb_ubc.flush_required = false; +-} +-#else +-static inline void init_tlb_ubc(void) +-{ +-} +-#endif /* CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH */ +- + /* + * This is a basic per-zone page freer. Used by both kswapd and direct reclaim. + */ +@@ -2202,8 +2185,6 @@ static void shrink_zone_memcg(struct zone *zone, struct mem_cgroup *memcg, + scan_adjusted = (global_reclaim(sc) && !current_is_kswapd() && + sc->priority == DEF_PRIORITY); + +- init_tlb_ubc(); +- + blk_start_plug(&plug); + while (nr[LRU_INACTIVE_ANON] || nr[LRU_ACTIVE_FILE] || + nr[LRU_INACTIVE_FILE]) { +diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c +index 8946959..aee117f 100644 +--- a/net/ceph/osd_client.c ++++ b/net/ceph/osd_client.c +@@ -4187,7 +4187,7 @@ static struct ceph_msg *alloc_msg_with_page_vector(struct ceph_msg_header *hdr) + + pages = ceph_alloc_page_vector(calc_pages_for(0, data_len), + GFP_NOIO); +- if (!pages) { ++ if (IS_ERR(pages)) { + ceph_msg_put(m); + return NULL; + } +diff --git a/net/core/sock.c b/net/core/sock.c +index 25dab8b..fd7b41e 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1362,7 +1362,6 @@ static struct sock *sk_prot_alloc(struct proto *prot, gfp_t priority, + if (!try_module_get(prot->owner)) + goto out_free_sec; + sk_tx_queue_clear(sk); +- cgroup_sk_alloc(&sk->sk_cgrp_data); + } + + return sk; +@@ -1422,6 +1421,7 @@ struct sock *sk_alloc(struct net *net, int family, gfp_t priority, + sock_net_set(sk, net); + atomic_set(&sk->sk_wmem_alloc, 1); + ++ cgroup_sk_alloc(&sk->sk_cgrp_data); + sock_update_classid(&sk->sk_cgrp_data); + sock_update_netprioidx(&sk->sk_cgrp_data); + } +@@ -1566,6 +1566,9 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority) + newsk->sk_priority = 0; + newsk->sk_incoming_cpu = raw_smp_processor_id(); + atomic64_set(&newsk->sk_cookie, 0); ++ ++ cgroup_sk_alloc(&newsk->sk_cgrp_data); ++ + /* + * Before updating sk_refcnt, we must commit prior changes to memory + * (Documentation/RCU/rculist_nulls.txt for details) +diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c +index 3a8f881..0a7305a 100644 +--- a/net/mac80211/agg-rx.c ++++ b/net/mac80211/agg-rx.c +@@ -261,10 +261,16 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta, + .timeout = timeout, + .ssn = start_seq_num, + }; +- + int i, ret = -EOPNOTSUPP; + u16 status = WLAN_STATUS_REQUEST_DECLINED; + ++ if (tid >= IEEE80211_FIRST_TSPEC_TSID) { ++ ht_dbg(sta->sdata, ++ "STA %pM requests BA session on unsupported tid %d\n", ++ sta->sta.addr, tid); ++ goto end_no_lock; ++ } ++ + if (!sta->sta.ht_cap.ht_supported) { + ht_dbg(sta->sdata, + "STA %pM erroneously requests BA session on tid %d w/o QoS\n", +diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c +index 42fa810..744ad1c 100644 +--- a/net/mac80211/agg-tx.c ++++ b/net/mac80211/agg-tx.c +@@ -580,6 +580,9 @@ int ieee80211_start_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid, + ieee80211_hw_check(&local->hw, TX_AMPDU_SETUP_IN_HW)) + return -EINVAL; + ++ if (WARN_ON(tid >= IEEE80211_FIRST_TSPEC_TSID)) ++ return -EINVAL; ++ + ht_dbg(sdata, "Open BA session requested for %pM tid %u\n", + pubsta->addr, tid); + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 7d72283..7d38dd6 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -6811,7 +6811,7 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info) + + params.n_counter_offsets_presp = len / sizeof(u16); + if (rdev->wiphy.max_num_csa_counters && +- (params.n_counter_offsets_beacon > ++ (params.n_counter_offsets_presp > + rdev->wiphy.max_num_csa_counters)) + return -EINVAL; + +diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan +index 77ce538..8ab6867 100644 +--- a/scripts/Makefile.ubsan ++++ b/scripts/Makefile.ubsan +@@ -14,8 +14,4 @@ ifdef CONFIG_UBSAN + ifdef CONFIG_UBSAN_ALIGNMENT + CFLAGS_UBSAN += $(call cc-option, -fsanitize=alignment) + endif +- +- # -fsanitize=* options makes GCC less smart than usual and +- # increase number of 'maybe-uninitialized false-positives +- CFLAGS_UBSAN += $(call cc-option, -Wno-maybe-uninitialized) + endif +diff --git a/scripts/package/builddeb b/scripts/package/builddeb +index 86e56fe..202d6e7 100755 +--- a/scripts/package/builddeb ++++ b/scripts/package/builddeb +@@ -322,12 +322,12 @@ fi + + # Build kernel header package + (cd $srctree; find . -name Makefile\* -o -name Kconfig\* -o -name \*.pl) > "$objtree/debian/hdrsrcfiles" +-if grep -q '^CONFIG_STACK_VALIDATION=y' $KCONFIG_CONFIG ; then +- (cd $srctree; find tools/objtool -type f -executable) >> "$objtree/debian/hdrsrcfiles" +-fi + (cd $srctree; find arch/*/include include scripts -type f) >> "$objtree/debian/hdrsrcfiles" + (cd $srctree; find arch/$SRCARCH -name module.lds -o -name Kbuild.platforms -o -name Platform) >> "$objtree/debian/hdrsrcfiles" + (cd $srctree; find $(find arch/$SRCARCH -name include -o -name scripts -type d) -type f) >> "$objtree/debian/hdrsrcfiles" ++if grep -q '^CONFIG_STACK_VALIDATION=y' $KCONFIG_CONFIG ; then ++ (cd $objtree; find tools/objtool -type f -executable) >> "$objtree/debian/hdrobjfiles" ++fi + (cd $objtree; find arch/$SRCARCH/include Module.symvers include scripts -type f) >> "$objtree/debian/hdrobjfiles" + destdir=$kernel_headers_dir/usr/src/linux-headers-$version + mkdir -p "$destdir" +diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c +index 5adbfc3..17a0610 100644 +--- a/security/keys/encrypted-keys/encrypted.c ++++ b/security/keys/encrypted-keys/encrypted.c +@@ -29,6 +29,7 @@ + #include <linux/rcupdate.h> + #include <linux/scatterlist.h> + #include <linux/ctype.h> ++#include <crypto/aes.h> + #include <crypto/hash.h> + #include <crypto/sha.h> + #include <crypto/skcipher.h> +@@ -478,6 +479,7 @@ static int derived_key_encrypt(struct encrypted_key_payload *epayload, + struct crypto_skcipher *tfm; + struct skcipher_request *req; + unsigned int encrypted_datalen; ++ u8 iv[AES_BLOCK_SIZE]; + unsigned int padlen; + char pad[16]; + int ret; +@@ -500,8 +502,8 @@ static int derived_key_encrypt(struct encrypted_key_payload *epayload, + sg_init_table(sg_out, 1); + sg_set_buf(sg_out, epayload->encrypted_data, encrypted_datalen); + +- skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, +- epayload->iv); ++ memcpy(iv, epayload->iv, sizeof(iv)); ++ skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, iv); + ret = crypto_skcipher_encrypt(req); + tfm = crypto_skcipher_reqtfm(req); + skcipher_request_free(req); +@@ -581,6 +583,7 @@ static int derived_key_decrypt(struct encrypted_key_payload *epayload, + struct crypto_skcipher *tfm; + struct skcipher_request *req; + unsigned int encrypted_datalen; ++ u8 iv[AES_BLOCK_SIZE]; + char pad[16]; + int ret; + +@@ -599,8 +602,8 @@ static int derived_key_decrypt(struct encrypted_key_payload *epayload, + epayload->decrypted_datalen); + sg_set_buf(&sg_out[1], pad, sizeof pad); + +- skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, +- epayload->iv); ++ memcpy(iv, epayload->iv, sizeof(iv)); ++ skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, iv); + ret = crypto_skcipher_decrypt(req); + tfm = crypto_skcipher_reqtfm(req); + skcipher_request_free(req); diff --git a/4.7.5/4420_grsecurity-3.1-4.7.5-201609261522.patch b/4.7.6/4420_grsecurity-3.1-4.7.6-201609301918.patch index 9169f89..c2732fa 100644 --- a/4.7.5/4420_grsecurity-3.1-4.7.5-201609261522.patch +++ b/4.7.6/4420_grsecurity-3.1-4.7.6-201609301918.patch @@ -420,7 +420,7 @@ index a3683ce..5ec8bf4 100644 A toggle value indicating if modules are allowed to be loaded diff --git a/Makefile b/Makefile -index dd755d19..b480d63 100644 +index 48b0120..b7cbcd2 100644 --- a/Makefile +++ b/Makefile @@ -302,7 +302,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -443,7 +443,7 @@ index dd755d19..b480d63 100644 $(Q)$(MAKE) $(build)=$(@) # Objects we will link into vmlinux / subdirs we need to visit -@@ -633,6 +635,8 @@ endif +@@ -634,6 +636,8 @@ endif # Tell gcc to never replace conditional load with a non-conditional one KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0) @@ -452,7 +452,7 @@ index dd755d19..b480d63 100644 ifdef CONFIG_READABLE_ASM # Disable optimizations that make assembler listings hard to read. # reorder blocks reorders the control in the function -@@ -734,7 +738,7 @@ KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g) +@@ -735,7 +739,7 @@ KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g) else KBUILD_CFLAGS += -g endif @@ -461,7 +461,7 @@ index dd755d19..b480d63 100644 endif ifdef CONFIG_DEBUG_INFO_DWARF4 KBUILD_CFLAGS += $(call cc-option, -gdwarf-4,) -@@ -909,7 +913,7 @@ export mod_sign_cmd +@@ -910,7 +914,7 @@ export mod_sign_cmd ifeq ($(KBUILD_EXTMOD),) @@ -470,7 +470,7 @@ index dd755d19..b480d63 100644 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ -@@ -1028,7 +1032,7 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ +@@ -1029,7 +1033,7 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ archprepare: archheaders archscripts prepare1 scripts_basic @@ -479,7 +479,7 @@ index dd755d19..b480d63 100644 $(Q)$(MAKE) $(build)=. # All the preparing.. -@@ -1247,7 +1251,11 @@ MRPROPER_FILES += .config .config.old .version .old_version \ +@@ -1248,7 +1252,11 @@ MRPROPER_FILES += .config .config.old .version .old_version \ Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \ signing_key.pem signing_key.priv signing_key.x509 \ x509.genkey extra_certificates signing_key.x509.keyid \ @@ -492,7 +492,7 @@ index dd755d19..b480d63 100644 # clean - Delete most, but leave enough to build external modules # -@@ -1286,7 +1294,7 @@ distclean: mrproper +@@ -1287,7 +1295,7 @@ distclean: mrproper @find $(srctree) $(RCS_FIND_IGNORE) \ \( -name '*.orig' -o -name '*.rej' -o -name '*~' \ -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \ @@ -501,7 +501,7 @@ index dd755d19..b480d63 100644 -type f -print | xargs rm -f -@@ -1509,6 +1517,7 @@ clean: $(clean-dirs) +@@ -1510,6 +1518,7 @@ clean: $(clean-dirs) -o -name '.*.d' -o -name '.*.tmp' -o -name '*.mod.c' \ -o -name '*.symtypes' -o -name 'modules.order' \ -o -name modules.builtin -o -name '.tmp_*.o.*' \ @@ -1532,7 +1532,7 @@ index 75fe66b..2255c86 100644 /* * Memory returned by kmalloc() may be used for DMA, so we must make diff --git a/arch/arm/include/asm/cacheflush.h b/arch/arm/include/asm/cacheflush.h -index 9156fc3..9791d17 100644 +index 9156fc3..0521e3e 100644 --- a/arch/arm/include/asm/cacheflush.h +++ b/arch/arm/include/asm/cacheflush.h @@ -116,7 +116,7 @@ struct cpu_cache_fns { @@ -1540,7 +1540,7 @@ index 9156fc3..9791d17 100644 void (*dma_flush_range)(const void *, const void *); -}; -+} __no_const; ++} __no_const __no_randomize_layout; /* * Select the calling method @@ -6839,7 +6839,7 @@ index adda3ff..ac067e2 100644 /* Run the generated entry code */ diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c -index 813ed78..0acf903 100644 +index 45cff9f..f3eae55 100644 --- a/arch/mips/kernel/process.c +++ b/arch/mips/kernel/process.c @@ -531,18 +531,6 @@ out: @@ -37343,7 +37343,7 @@ index 9c086c5..421e25b 100644 unsigned long uninitialized_var(pfn_align); int i, nid; diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c -index 7a1f7bb..5b4b5cc 100644 +index b2659b9..5715042 100644 --- a/arch/x86/mm/pageattr.c +++ b/arch/x86/mm/pageattr.c @@ -258,7 +258,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address, @@ -37454,16 +37454,6 @@ index 7a1f7bb..5b4b5cc 100644 cpa->flags |= CPA_FLUSHTLB; } cpa->numpages = 1; -@@ -1336,7 +1362,8 @@ static int cpa_process_alias(struct cpa_data *cpa) - - static int __change_page_attr_set_clr(struct cpa_data *cpa, int checkalias) - { -- int ret, numpages = cpa->numpages; -+ int ret; -+ unsigned long numpages = cpa->numpages; - - while (numpages) { - /* diff --git a/arch/x86/mm/pat.c b/arch/x86/mm/pat.c index 5431a32..137f092 100644 --- a/arch/x86/mm/pat.c @@ -38826,7 +38816,7 @@ index 338402b9..29ea50ab 100644 gdt_descr.size = GDT_SIZE - 1; load_gdt(&gdt_descr); diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c -index b226b3f..c9a3540 100644 +index 964c702..142ffdb 100644 --- a/arch/x86/platform/efi/efi_64.c +++ b/arch/x86/platform/efi/efi_64.c @@ -91,6 +91,11 @@ pgd_t * __init efi_call_phys_prolog(void) @@ -60062,7 +60052,7 @@ index ad535a8..b7e3ad7 100644 .maxtype = IFLA_CAN_MAX, .policy = can_policy, diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c -index 41c0fc9..517f7e3 100644 +index 16f7cad..e643cf4 100644 --- a/drivers/net/can/flexcan.c +++ b/drivers/net/can/flexcan.c @@ -465,7 +465,7 @@ static int flexcan_get_berr_counter(const struct net_device *dev, @@ -62922,10 +62912,10 @@ index b0778ba..ed4357a 100644 struct net_device *netdev = pci_get_drvdata(pdev); struct igbvf_adapter *adapter = netdev_priv(netdev); diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c -index 8bebd86..61406f4 100644 +index 58153e8..a159edd 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c -@@ -9818,7 +9818,7 @@ static void ixgbe_remove(struct pci_dev *pdev) +@@ -9825,7 +9825,7 @@ static void ixgbe_remove(struct pci_dev *pdev) * this device has been detected. */ static pci_ers_result_t ixgbe_io_error_detected(struct pci_dev *pdev, @@ -66671,7 +66661,7 @@ index 4fdc3da..4f63dd9 100644 ((u64)seq.tkip.iv32 << 16)); break; diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c -index 779bafc..6ec6ea1 100644 +index b92b75f..04a4e09 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c @@ -405,7 +405,7 @@ static void iwl_mvm_set_tx_cmd_crypto(struct iwl_mvm *mvm, @@ -70872,7 +70862,7 @@ index a6d9434..dc26b71 100644 case RTC_PIE_ON: diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c -index 821d9c0..d71c3b5 100644 +index f25f7dc..e89a400 100644 --- a/drivers/rtc/rtc-ds1307.c +++ b/drivers/rtc/rtc-ds1307.c @@ -111,7 +111,7 @@ struct ds1307 { @@ -113224,7 +113214,7 @@ index a80a741..f28c9c9 100644 } diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c -index 8e8e6bc..211eeca 100644 +index a643138..4b88993 100644 --- a/fs/notify/fanotify/fanotify_user.c +++ b/fs/notify/fanotify/fanotify_user.c @@ -216,8 +216,8 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group, @@ -113239,7 +113229,7 @@ index 8e8e6bc..211eeca 100644 #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS diff --git a/fs/notify/notification.c b/fs/notify/notification.c -index a95d8e0..a91a5fd 100644 +index e455e83..6e2b732 100644 --- a/fs/notify/notification.c +++ b/fs/notify/notification.c @@ -48,7 +48,7 @@ @@ -134397,7 +134387,7 @@ index 113ee62..70198a7 100644 spinlock_t lock ____cacheline_aligned; unsigned int processed; diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h -index 9735410..701e42e 100644 +index 1f94053..b668cf9 100644 --- a/include/linux/pagemap.h +++ b/include/linux/pagemap.h @@ -215,7 +215,7 @@ static inline struct page *page_cache_alloc_readahead(struct address_space *x) @@ -140039,7 +140029,7 @@ index 00411c8..aaad585 100644 +} +EXPORT_SYMBOL(capable_wrt_inode_uidgid_nolog); diff --git a/kernel/cgroup.c b/kernel/cgroup.c -index e0be49f..d599a0e 100644 +index 129a7ca..4fa9405 100644 --- a/kernel/cgroup.c +++ b/kernel/cgroup.c @@ -3632,7 +3632,7 @@ static int cgroup_add_file(struct cgroup_subsys_state *css, struct cgroup *cgrp, @@ -140134,7 +140124,7 @@ index e0be49f..d599a0e 100644 spin_lock_irq(&css_set_lock); path = cgroup_path_ns_locked(cgrp, pathbuf, PATH_MAX, &init_cgroup_ns); spin_unlock_irq(&css_set_lock); -@@ -6465,7 +6477,7 @@ static int cgroup_css_links_read(struct seq_file *seq, void *v) +@@ -6471,7 +6483,7 @@ static int cgroup_css_links_read(struct seq_file *seq, void *v) struct task_struct *task; int count = 0; @@ -143386,13 +143376,13 @@ index 68d3ebc..554935d 100644 select LZO_COMPRESS select LZO_DECOMPRESS diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index fca9254..a40591f 100644 +index 2fc1177..6abfde0a 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -305,8 +305,10 @@ static int create_image(int platform_mode) + if (error) + printk(KERN_ERR "PM: Error %d creating hibernation image\n", error); - /* Restore control flow magically appears here */ - restore_processor_state(); - if (!in_suspend) + if (!in_suspend) { events_check_enabled = false; @@ -143458,7 +143448,7 @@ index 0c2ee97..63229a6 100644 if (pm_wakeup_pending()) { diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c -index 3a97060..12c1d4e 100644 +index f155c62..facb59e 100644 --- a/kernel/power/snapshot.c +++ b/kernel/power/snapshot.c @@ -1032,6 +1032,26 @@ void free_basic_memory_bitmaps(void) @@ -146500,7 +146490,7 @@ index 9c14373..5ddd763 100644 *data_page = bpage; diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c -index 8a4bd6b..3b741d7 100644 +index 77eeab2..f8ac159 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -3649,7 +3649,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set) @@ -148749,7 +148739,7 @@ index 93fb63e..0aa6448 100644 if (end == start) return error; diff --git a/mm/memcontrol.c b/mm/memcontrol.c -index ca847d9..3582387 100644 +index fcb5b8c..5551323 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -723,7 +723,7 @@ static void memcg_check_events(struct mem_cgroup *memcg, struct page *page) @@ -153133,7 +153123,7 @@ index 90530ff..9735082 100644 } diff --git a/mm/swapfile.c b/mm/swapfile.c -index 031713ab..f2c0e55 100644 +index 46502f5..59af784 100644 --- a/mm/swapfile.c +++ b/mm/swapfile.c @@ -90,7 +90,7 @@ static DEFINE_MUTEX(swapon_mutex); @@ -155512,7 +155502,7 @@ index eb12d21..3551c47 100644 } diff --git a/net/core/sock.c b/net/core/sock.c -index 25dab8b..51aa624 100644 +index fd7b41e..71dae11 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -411,13 +411,13 @@ int __sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) @@ -155653,10 +155643,10 @@ index 25dab8b..51aa624 100644 newsk->sk_incoming_cpu = raw_smp_processor_id(); - atomic64_set(&newsk->sk_cookie, 0); + atomic64_set_unchecked(&newsk->sk_cookie, 0); - /* - * Before updating sk_refcnt, we must commit prior changes to memory - * (Documentation/RCU/rculist_nulls.txt for details) -@@ -2494,7 +2497,7 @@ void sock_init_data(struct socket *sock, struct sock *sk) + + cgroup_sk_alloc(&newsk->sk_cgrp_data); + +@@ -2497,7 +2500,7 @@ void sock_init_data(struct socket *sock, struct sock *sk) */ smp_wmb(); atomic_set(&sk->sk_refcnt, 1); @@ -155665,7 +155655,7 @@ index 25dab8b..51aa624 100644 } EXPORT_SYMBOL(sock_init_data); -@@ -2618,6 +2621,7 @@ void sock_enable_timestamp(struct sock *sk, int flag) +@@ -2621,6 +2624,7 @@ void sock_enable_timestamp(struct sock *sk, int flag) int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, int level, int type) { @@ -155673,7 +155663,7 @@ index 25dab8b..51aa624 100644 struct sock_exterr_skb *serr; struct sk_buff *skb; int copied, err; -@@ -2639,7 +2643,8 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, +@@ -2642,7 +2646,8 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, sock_recv_timestamp(msg, sk, skb); serr = SKB_EXT_ERR(skb); @@ -155683,7 +155673,7 @@ index 25dab8b..51aa624 100644 msg->msg_flags |= MSG_ERRQUEUE; err = copied; -@@ -3091,7 +3096,7 @@ static __net_exit void proto_exit_net(struct net *net) +@@ -3094,7 +3099,7 @@ static __net_exit void proto_exit_net(struct net *net) } @@ -213489,12 +213479,12 @@ index 71b4a8a..dcb89c5 100644 rm -f $(2) $(objtree)/.scmversion diff --git a/scripts/package/builddeb b/scripts/package/builddeb -index 86e56fe..4d4418a 100755 +index 202d6e7..4184398 100755 --- a/scripts/package/builddeb +++ b/scripts/package/builddeb -@@ -329,6 +329,7 @@ fi - (cd $srctree; find arch/$SRCARCH -name module.lds -o -name Kbuild.platforms -o -name Platform) >> "$objtree/debian/hdrsrcfiles" - (cd $srctree; find $(find arch/$SRCARCH -name include -o -name scripts -type d) -type f) >> "$objtree/debian/hdrsrcfiles" +@@ -329,6 +329,7 @@ if grep -q '^CONFIG_STACK_VALIDATION=y' $KCONFIG_CONFIG ; then + (cd $objtree; find tools/objtool -type f -executable) >> "$objtree/debian/hdrobjfiles" + fi (cd $objtree; find arch/$SRCARCH/include Module.symvers include scripts -type f) >> "$objtree/debian/hdrobjfiles" +(cd $objtree; find scripts/gcc-plugins -name \*.so -o -name gcc-common.h) >> "$objtree/debian/hdrobjfiles" destdir=$kernel_headers_dir/usr/src/linux-headers-$version @@ -214904,56 +214894,6 @@ index 552705d..9920f4fb 100644 key = ima_hash_key(entry->digest); hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]); return 0; -diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c -index 5adbfc3..17a0610 100644 ---- a/security/keys/encrypted-keys/encrypted.c -+++ b/security/keys/encrypted-keys/encrypted.c -@@ -29,6 +29,7 @@ - #include <linux/rcupdate.h> - #include <linux/scatterlist.h> - #include <linux/ctype.h> -+#include <crypto/aes.h> - #include <crypto/hash.h> - #include <crypto/sha.h> - #include <crypto/skcipher.h> -@@ -478,6 +479,7 @@ static int derived_key_encrypt(struct encrypted_key_payload *epayload, - struct crypto_skcipher *tfm; - struct skcipher_request *req; - unsigned int encrypted_datalen; -+ u8 iv[AES_BLOCK_SIZE]; - unsigned int padlen; - char pad[16]; - int ret; -@@ -500,8 +502,8 @@ static int derived_key_encrypt(struct encrypted_key_payload *epayload, - sg_init_table(sg_out, 1); - sg_set_buf(sg_out, epayload->encrypted_data, encrypted_datalen); - -- skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, -- epayload->iv); -+ memcpy(iv, epayload->iv, sizeof(iv)); -+ skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, iv); - ret = crypto_skcipher_encrypt(req); - tfm = crypto_skcipher_reqtfm(req); - skcipher_request_free(req); -@@ -581,6 +583,7 @@ static int derived_key_decrypt(struct encrypted_key_payload *epayload, - struct crypto_skcipher *tfm; - struct skcipher_request *req; - unsigned int encrypted_datalen; -+ u8 iv[AES_BLOCK_SIZE]; - char pad[16]; - int ret; - -@@ -599,8 +602,8 @@ static int derived_key_decrypt(struct encrypted_key_payload *epayload, - epayload->decrypted_datalen); - sg_set_buf(&sg_out[1], pad, sizeof pad); - -- skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, -- epayload->iv); -+ memcpy(iv, epayload->iv, sizeof(iv)); -+ skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, iv); - ret = crypto_skcipher_decrypt(req); - tfm = crypto_skcipher_reqtfm(req); - skcipher_request_free(req); diff --git a/security/keys/internal.h b/security/keys/internal.h index a705a7d..898c675 100644 --- a/security/keys/internal.h diff --git a/4.7.5/4425_grsec_remove_EI_PAX.patch b/4.7.6/4425_grsec_remove_EI_PAX.patch index ba92792..ba92792 100644 --- a/4.7.5/4425_grsec_remove_EI_PAX.patch +++ b/4.7.6/4425_grsec_remove_EI_PAX.patch diff --git a/4.7.5/4427_force_XATTR_PAX_tmpfs.patch b/4.7.6/4427_force_XATTR_PAX_tmpfs.patch index b4714fc..b4714fc 100644 --- a/4.7.5/4427_force_XATTR_PAX_tmpfs.patch +++ b/4.7.6/4427_force_XATTR_PAX_tmpfs.patch diff --git a/4.7.5/4430_grsec-remove-localversion-grsec.patch b/4.7.6/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/4.7.5/4430_grsec-remove-localversion-grsec.patch +++ b/4.7.6/4430_grsec-remove-localversion-grsec.patch diff --git a/4.7.5/4435_grsec-mute-warnings.patch b/4.7.6/4435_grsec-mute-warnings.patch index 8929222..8929222 100644 --- a/4.7.5/4435_grsec-mute-warnings.patch +++ b/4.7.6/4435_grsec-mute-warnings.patch diff --git a/4.7.5/4440_grsec-remove-protected-paths.patch b/4.7.6/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/4.7.5/4440_grsec-remove-protected-paths.patch +++ b/4.7.6/4440_grsec-remove-protected-paths.patch diff --git a/4.7.5/4450_grsec-kconfig-default-gids.patch b/4.7.6/4450_grsec-kconfig-default-gids.patch index e892c8a..e892c8a 100644 --- a/4.7.5/4450_grsec-kconfig-default-gids.patch +++ b/4.7.6/4450_grsec-kconfig-default-gids.patch diff --git a/4.7.5/4465_selinux-avc_audit-log-curr_ip.patch b/4.7.6/4465_selinux-avc_audit-log-curr_ip.patch index 7248385..7248385 100644 --- a/4.7.5/4465_selinux-avc_audit-log-curr_ip.patch +++ b/4.7.6/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/4.7.5/4470_disable-compat_vdso.patch b/4.7.6/4470_disable-compat_vdso.patch index 0f82d7e..0f82d7e 100644 --- a/4.7.5/4470_disable-compat_vdso.patch +++ b/4.7.6/4470_disable-compat_vdso.patch diff --git a/4.7.5/4475_emutramp_default_on.patch b/4.7.6/4475_emutramp_default_on.patch index 2db58ab..2db58ab 100644 --- a/4.7.5/4475_emutramp_default_on.patch +++ b/4.7.6/4475_emutramp_default_on.patch |