diff options
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.9-2.6.32.59-201205131656.patch (renamed from 2.6.32/4420_grsecurity-2.9-2.6.32.59-201205071838.patch) | 674 | ||||
-rw-r--r-- | 3.2.17/0000_README (renamed from 3.2.16/0000_README) | 6 | ||||
-rw-r--r-- | 3.2.17/1016_linux-3.2.17.patch | 5695 | ||||
-rw-r--r-- | 3.2.17/4420_grsecurity-2.9-3.2.17-201205131657.patch (renamed from 3.2.16/4420_grsecurity-2.9-3.2.16-201205071838.patch) | 1031 | ||||
-rw-r--r-- | 3.2.17/4430_grsec-remove-localversion-grsec.patch (renamed from 3.2.16/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.2.17/4435_grsec-mute-warnings.patch (renamed from 3.2.16/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.2.17/4440_grsec-remove-protected-paths.patch (renamed from 3.2.16/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.2.17/4445_grsec-pax-without-grsec.patch (renamed from 3.2.16/4445_grsec-pax-without-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.2.17/4450_grsec-kconfig-default-gids.patch (renamed from 3.2.16/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.2.17/4455_grsec-kconfig-gentoo.patch (renamed from 3.2.16/4455_grsec-kconfig-gentoo.patch) | 0 | ||||
-rw-r--r-- | 3.2.17/4460-grsec-kconfig-proc-user.patch (renamed from 3.2.16/4460-grsec-kconfig-proc-user.patch) | 0 | ||||
-rw-r--r-- | 3.2.17/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.2.16/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.2.17/4470_disable-compat_vdso.patch (renamed from 3.2.16/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.3.5/1004_linux-3.3.5.patch | 3285 | ||||
-rw-r--r-- | 3.3.6/0000_README (renamed from 3.3.5/0000_README) | 6 | ||||
-rw-r--r-- | 3.3.6/1005_linux-3.3.6.patch | 1832 | ||||
-rw-r--r-- | 3.3.6/4420_grsecurity-2.9-3.3.6-201205131658.patch (renamed from 3.3.5/4420_grsecurity-2.9-3.3.5-201205071839.patch) | 773 | ||||
-rw-r--r-- | 3.3.6/4430_grsec-remove-localversion-grsec.patch (renamed from 3.3.5/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.3.6/4435_grsec-mute-warnings.patch (renamed from 3.3.5/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.3.6/4440_grsec-remove-protected-paths.patch (renamed from 3.3.5/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.3.6/4445_grsec-pax-without-grsec.patch (renamed from 3.3.5/4445_grsec-pax-without-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.3.6/4450_grsec-kconfig-default-gids.patch (renamed from 3.3.5/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.3.6/4455_grsec-kconfig-gentoo.patch (renamed from 3.3.5/4455_grsec-kconfig-gentoo.patch) | 0 | ||||
-rw-r--r-- | 3.3.6/4460-grsec-kconfig-proc-user.patch (renamed from 3.3.5/4460-grsec-kconfig-proc-user.patch) | 0 | ||||
-rw-r--r-- | 3.3.6/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.3.5/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.3.6/4470_disable-compat_vdso.patch (renamed from 3.3.5/4470_disable-compat_vdso.patch) | 0 |
27 files changed, 9438 insertions, 3866 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index cfcffd4..3655217 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -30,7 +30,7 @@ Patch: 1058_linux-2.6.32.59.patch From: http://www.kernel.org Desc: Linux 2.6.32.59 -Patch: 4420_grsecurity-2.9-2.6.32.59-201205071838.patch +Patch: 4420_grsecurity-2.9-2.6.32.59-201205131656.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.9-2.6.32.59-201205071838.patch b/2.6.32/4420_grsecurity-2.9-2.6.32.59-201205131656.patch index 185e1d4..d324f88 100644 --- a/2.6.32/4420_grsecurity-2.9-2.6.32.59-201205071838.patch +++ b/2.6.32/4420_grsecurity-2.9-2.6.32.59-201205131656.patch @@ -1171,6 +1171,34 @@ index d65b2f5..9d87555 100644 #endif /* __ASSEMBLY__ */ #define arch_align_stack(x) (x) +diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h +index 2dfb7d7..8fadd73 100644 +--- a/arch/arm/include/asm/thread_info.h ++++ b/arch/arm/include/asm/thread_info.h +@@ -138,6 +138,12 @@ extern void vfp_sync_state(struct thread_info *thread); + #define TIF_NEED_RESCHED 1 + #define TIF_NOTIFY_RESUME 2 /* callback before returning to user */ + #define TIF_SYSCALL_TRACE 8 ++ ++/* within 8 bits of TIF_SYSCALL_TRACE ++ to meet flexible second operand requirements ++*/ ++#define TIF_GRSEC_SETXID 9 ++ + #define TIF_POLLING_NRFLAG 16 + #define TIF_USING_IWMMXT 17 + #define TIF_MEMDIE 18 +@@ -152,6 +158,10 @@ extern void vfp_sync_state(struct thread_info *thread); + #define _TIF_USING_IWMMXT (1 << TIF_USING_IWMMXT) + #define _TIF_FREEZE (1 << TIF_FREEZE) + #define _TIF_RESTORE_SIGMASK (1 << TIF_RESTORE_SIGMASK) ++#define _TIF_GRSEC_SETXID (1 << TIF_GRSEC_SETXID) ++ ++/* Checks for any syscall work in entry-common.S */ ++#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_GRSEC_SETXID) + + /* + * Change these and you break ASM code in entry-common.S diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h index 1d6bd40..fba0cb9 100644 --- a/arch/arm/include/asm/uaccess.h @@ -1245,6 +1273,28 @@ index 0e62770..e2c2cd6 100644 EXPORT_SYMBOL(__clear_user); EXPORT_SYMBOL(__get_user_1); +diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S +index a6c66f5..bfdad39 100644 +--- a/arch/arm/kernel/entry-common.S ++++ b/arch/arm/kernel/entry-common.S +@@ -77,7 +77,7 @@ ENTRY(ret_from_fork) + get_thread_info tsk + ldr r1, [tsk, #TI_FLAGS] @ check for syscall tracing + mov why, #1 +- tst r1, #_TIF_SYSCALL_TRACE @ are we tracing syscalls? ++ tst r1, #_TIF_SYSCALL_WORK @ are we tracing syscalls? + beq ret_slow_syscall + mov r1, sp + mov r0, #1 @ trace exit [IP = 1] +@@ -275,7 +275,7 @@ ENTRY(vector_swi) + #endif + + stmdb sp!, {r4, r5} @ push fifth and sixth args +- tst ip, #_TIF_SYSCALL_TRACE @ are we tracing syscalls? ++ tst ip, #_TIF_SYSCALL_WORK @ are we tracing syscalls? + bne __sys_trace + + cmp scno, #NR_syscalls @ check upper syscall limit diff --git a/arch/arm/kernel/kgdb.c b/arch/arm/kernel/kgdb.c index ba8ccfe..2dc34dc 100644 --- a/arch/arm/kernel/kgdb.c @@ -1296,6 +1346,30 @@ index 61f90d3..771ab27 100644 } void machine_restart(char *cmd) +diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c +index a2ea385..4783488 100644 +--- a/arch/arm/kernel/ptrace.c ++++ b/arch/arm/kernel/ptrace.c +@@ -847,10 +847,19 @@ long arch_ptrace(struct task_struct *child, long request, long addr, long data) + return ret; + } + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + asmlinkage int syscall_trace(int why, struct pt_regs *regs, int scno) + { + unsigned long ip; + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + if (!test_thread_flag(TIF_SYSCALL_TRACE)) + return scno; + if (!(current->ptrace & PT_PTRACED)) diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c index c6c57b6..0c3b29e 100644 --- a/arch/arm/kernel/setup.c @@ -2917,6 +2991,35 @@ index 83b5509..9fa24a23 100644 +#define arch_align_stack(x) ((x) & ~0xfUL) #endif /* _ASM_SYSTEM_H */ +diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h +index 845da21..f2a91b9 100644 +--- a/arch/mips/include/asm/thread_info.h ++++ b/arch/mips/include/asm/thread_info.h +@@ -120,6 +120,8 @@ register struct thread_info *__current_thread_info __asm__("$28"); + #define TIF_32BIT_ADDR 23 /* 32-bit address space (o32/n32) */ + #define TIF_FPUBOUND 24 /* thread bound to FPU-full CPU set */ + #define TIF_LOAD_WATCH 25 /* If set, load watch registers */ ++/* li takes a 32bit immediate */ ++#define TIF_GRSEC_SETXID 29 /* update credentials on syscall entry/exit */ + #define TIF_SYSCALL_TRACE 31 /* syscall trace active */ + + #ifdef CONFIG_MIPS32_O32 +@@ -144,11 +146,14 @@ register struct thread_info *__current_thread_info __asm__("$28"); + #define _TIF_32BIT_ADDR (1<<TIF_32BIT_ADDR) + #define _TIF_FPUBOUND (1<<TIF_FPUBOUND) + #define _TIF_LOAD_WATCH (1<<TIF_LOAD_WATCH) ++#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID) ++ ++#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_GRSEC_SETXID) + + /* work to do on interrupt/exception return */ + #define _TIF_WORK_MASK (0x0000ffef & ~_TIF_SECCOMP) + /* work to do on any return to u-space */ +-#define _TIF_ALLWORK_MASK (0x8000ffff & ~_TIF_SECCOMP) ++#define _TIF_ALLWORK_MASK ((0x8000ffff & ~_TIF_SECCOMP) | _TIF_GRSEC_SETXID) + + #endif /* __KERNEL__ */ + diff --git a/arch/mips/kernel/binfmt_elfn32.c b/arch/mips/kernel/binfmt_elfn32.c index 9fdd8bc..fcf9d68 100644 --- a/arch/mips/kernel/binfmt_elfn32.c @@ -2953,6 +3056,19 @@ index ff44823..cf0b48a 100644 #include <asm/processor.h> /* +diff --git a/arch/mips/kernel/entry.S b/arch/mips/kernel/entry.S +index ffa3310..f8b1e06 100644 +--- a/arch/mips/kernel/entry.S ++++ b/arch/mips/kernel/entry.S +@@ -167,7 +167,7 @@ work_notifysig: # deal with pending signals and + FEXPORT(syscall_exit_work_partial) + SAVE_STATIC + syscall_exit_work: +- li t0, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT ++ li t0, _TIF_SYSCALL_WORK + and t0, a2 # a2 is preloaded with TI_FLAGS + beqz t0, work_pending # trace bit set? + local_irq_enable # could let do_syscall_trace() diff --git a/arch/mips/kernel/kgdb.c b/arch/mips/kernel/kgdb.c index 50c9bb8..efdd5f8 100644 --- a/arch/mips/kernel/kgdb.c @@ -2985,6 +3101,33 @@ index f3d73e1..bb3f57a 100644 - - return sp & ALMASK; -} +diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c +index 054861c..ddbbc7d 100644 +--- a/arch/mips/kernel/ptrace.c ++++ b/arch/mips/kernel/ptrace.c +@@ -558,6 +558,10 @@ static inline int audit_arch(void) + return arch; + } + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + /* + * Notification of system call entry/exit + * - triggered by current->work.syscall_trace +@@ -568,6 +572,11 @@ asmlinkage void do_syscall_trace(struct pt_regs *regs, int entryexit) + if (!entryexit) + secure_computing(regs->regs[0]); + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + if (unlikely(current->audit_context) && entryexit) + audit_syscall_exit(AUDITSC_RESULT(regs->regs[2]), + regs->regs[2]); diff --git a/arch/mips/kernel/reset.c b/arch/mips/kernel/reset.c index 060563a..7fbf310 100644 --- a/arch/mips/kernel/reset.c @@ -3020,6 +3163,58 @@ index 060563a..7fbf310 100644 pm_power_off(); + BUG(); } +diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S +index fd2a9bb..73ecc89 100644 +--- a/arch/mips/kernel/scall32-o32.S ++++ b/arch/mips/kernel/scall32-o32.S +@@ -52,7 +52,7 @@ NESTED(handle_sys, PT_SIZE, sp) + + stack_done: + lw t0, TI_FLAGS($28) # syscall tracing enabled? +- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT ++ li t1, _TIF_SYSCALL_WORK + and t0, t1 + bnez t0, syscall_trace_entry # -> yes + +diff --git a/arch/mips/kernel/scall64-64.S b/arch/mips/kernel/scall64-64.S +index 18bf7f3..6659dde 100644 +--- a/arch/mips/kernel/scall64-64.S ++++ b/arch/mips/kernel/scall64-64.S +@@ -54,7 +54,7 @@ NESTED(handle_sys64, PT_SIZE, sp) + + sd a3, PT_R26(sp) # save a3 for syscall restarting + +- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT ++ li t1, _TIF_SYSCALL_WORK + LONG_L t0, TI_FLAGS($28) # syscall tracing enabled? + and t0, t1, t0 + bnez t0, syscall_trace_entry +diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S +index 6ebc079..a16f976 100644 +--- a/arch/mips/kernel/scall64-n32.S ++++ b/arch/mips/kernel/scall64-n32.S +@@ -53,7 +53,7 @@ NESTED(handle_sysn32, PT_SIZE, sp) + + sd a3, PT_R26(sp) # save a3 for syscall restarting + +- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT ++ li t1, _TIF_SYSCALL_WORK + LONG_L t0, TI_FLAGS($28) # syscall tracing enabled? + and t0, t1, t0 + bnez t0, n32_syscall_trace_entry +diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S +index 14dde4c..dc68acf 100644 +--- a/arch/mips/kernel/scall64-o32.S ++++ b/arch/mips/kernel/scall64-o32.S +@@ -81,7 +81,7 @@ NESTED(handle_sys, PT_SIZE, sp) + PTR 4b, bad_stack + .previous + +- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT ++ li t1, _TIF_SYSCALL_WORK + LONG_L t0, TI_FLAGS($28) # syscall tracing enabled? + and t0, t1, t0 + bnez t0, trace_a_syscall diff --git a/arch/mips/kernel/syscall.c b/arch/mips/kernel/syscall.c index 3f7f466..3abe0b5 100644 --- a/arch/mips/kernel/syscall.c @@ -3893,6 +4088,33 @@ index 094a12a..877a60a 100644 /* Used in very early kernel initialization. */ extern unsigned long reloc_offset(void); +diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h +index aa9d383..0380a05 100644 +--- a/arch/powerpc/include/asm/thread_info.h ++++ b/arch/powerpc/include/asm/thread_info.h +@@ -110,7 +110,9 @@ static inline struct thread_info *current_thread_info(void) + #define TIF_NOERROR 12 /* Force successful syscall return */ + #define TIF_NOTIFY_RESUME 13 /* callback before returning to user */ + #define TIF_FREEZE 14 /* Freezing for suspend */ +-#define TIF_RUNLATCH 15 /* Is the runlatch enabled? */ ++/* mask must be expressable within 16 bits to satisfy 'andi' instruction reqs */ ++#define TIF_GRSEC_SETXID 15 /* update credentials on syscall entry/exit */ ++#define TIF_RUNLATCH 16 /* Is the runlatch enabled? */ + + /* as above, but as bit values */ + #define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE) +@@ -128,7 +130,10 @@ static inline struct thread_info *current_thread_info(void) + #define _TIF_NOTIFY_RESUME (1<<TIF_NOTIFY_RESUME) + #define _TIF_FREEZE (1<<TIF_FREEZE) + #define _TIF_RUNLATCH (1<<TIF_RUNLATCH) +-#define _TIF_SYSCALL_T_OR_A (_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SECCOMP) ++#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID) ++ ++#define _TIF_SYSCALL_T_OR_A (_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT| \ ++ _TIF_SECCOMP|_TIF_GRSEC_SETXID) + + #define _TIF_USER_WORK_MASK (_TIF_SIGPENDING | _TIF_NEED_RESCHED | \ + _TIF_NOTIFY_RESUME) diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h index bd0fb84..a42a14b 100644 --- a/arch/powerpc/include/asm/uaccess.h @@ -4422,7 +4644,7 @@ index 7b816da..8d5c277 100644 - return ret; -} diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c -index ef14988..856c4bc 100644 +index ef14988..8a37ddb 100644 --- a/arch/powerpc/kernel/ptrace.c +++ b/arch/powerpc/kernel/ptrace.c @@ -86,7 +86,7 @@ static int set_user_trap(struct task_struct *task, unsigned long trap) @@ -4443,6 +4665,41 @@ index ef14988..856c4bc 100644 } else { flush_fp_to_thread(child); tmp = ((unsigned long *)child->thread.fpr) +@@ -1033,6 +1033,10 @@ long arch_ptrace(struct task_struct *child, long request, long addr, long data) + return ret; + } + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + /* + * We must return the syscall number to actually look up in the table. + * This can be -1L to skip running any syscall at all. +@@ -1043,6 +1047,11 @@ long do_syscall_trace_enter(struct pt_regs *regs) + + secure_computing(regs->gpr[0]); + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + if (test_thread_flag(TIF_SYSCALL_TRACE) && + tracehook_report_syscall_entry(regs)) + /* +@@ -1076,6 +1085,11 @@ void do_syscall_trace_leave(struct pt_regs *regs) + { + int step; + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + if (unlikely(current->audit_context)) + audit_syscall_exit((regs->ccr&0x10000000)?AUDITSC_FAILURE:AUDITSC_SUCCESS, + regs->result); diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c index d670429..2bc59b2 100644 --- a/arch/powerpc/kernel/signal_32.c @@ -5951,7 +6208,7 @@ index 844d73a..f787fb9 100644 /* diff --git a/arch/sparc/include/asm/thread_info_64.h b/arch/sparc/include/asm/thread_info_64.h -index f78ad9a..9f55fc7 100644 +index f78ad9a..a3213ed 100644 --- a/arch/sparc/include/asm/thread_info_64.h +++ b/arch/sparc/include/asm/thread_info_64.h @@ -68,6 +68,8 @@ struct thread_info { @@ -5963,6 +6220,34 @@ index f78ad9a..9f55fc7 100644 unsigned long fpregs[0] __attribute__ ((aligned(64))); }; +@@ -227,6 +229,8 @@ register struct thread_info *current_thread_info_reg asm("g6"); + /* flag bit 8 is available */ + #define TIF_SECCOMP 9 /* secure computing */ + #define TIF_SYSCALL_AUDIT 10 /* syscall auditing active */ ++#define TIF_GRSEC_SETXID 11 /* update credentials on syscall entry/exit */ ++ + /* NOTE: Thread flags >= 12 should be ones we have no interest + * in using in assembly, else we can't use the mask as + * an immediate value in instructions such as andcc. +@@ -247,12 +251,18 @@ register struct thread_info *current_thread_info_reg asm("g6"); + #define _TIF_SYSCALL_AUDIT (1<<TIF_SYSCALL_AUDIT) + #define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG) + #define _TIF_FREEZE (1<<TIF_FREEZE) ++#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID) + + #define _TIF_USER_WORK_MASK ((0xff << TI_FLAG_WSAVED_SHIFT) | \ + _TIF_DO_NOTIFY_RESUME_MASK | \ + _TIF_NEED_RESCHED | _TIF_PERFCTR) + #define _TIF_DO_NOTIFY_RESUME_MASK (_TIF_NOTIFY_RESUME | _TIF_SIGPENDING) + ++#define _TIF_WORK_SYSCALL \ ++ (_TIF_SYSCALL_TRACE | _TIF_SECCOMP | _TIF_SYSCALL_AUDIT | \ ++ _TIF_GRSEC_SETXID) ++ ++ + /* + * Thread-synchronous status. + * diff --git a/arch/sparc/include/asm/uaccess.h b/arch/sparc/include/asm/uaccess.h index e88fbe5..96b0ce5 100644 --- a/arch/sparc/include/asm/uaccess.h @@ -6275,6 +6560,45 @@ index cb70476..3d0c191 100644 (void *) gp->tpc, (void *) gp->o7, (void *) gp->i7, +diff --git a/arch/sparc/kernel/ptrace_64.c b/arch/sparc/kernel/ptrace_64.c +index 4ae91dc..c2e705e 100644 +--- a/arch/sparc/kernel/ptrace_64.c ++++ b/arch/sparc/kernel/ptrace_64.c +@@ -1049,6 +1049,10 @@ long arch_ptrace(struct task_struct *child, long request, long addr, long data) + return ret; + } + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + asmlinkage int syscall_trace_enter(struct pt_regs *regs) + { + int ret = 0; +@@ -1056,6 +1060,11 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs) + /* do the secure computing check first */ + secure_computing(regs->u_regs[UREG_G1]); + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + if (test_thread_flag(TIF_SYSCALL_TRACE)) + ret = tracehook_report_syscall_entry(regs); + +@@ -1074,6 +1083,11 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs) + + asmlinkage void syscall_trace_leave(struct pt_regs *regs) + { ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + if (unlikely(current->audit_context)) { + unsigned long tstate = regs->tstate; + int result = AUDITSC_SUCCESS; diff --git a/arch/sparc/kernel/rtrap_64.S b/arch/sparc/kernel/rtrap_64.S index fd3cee4..cc4b1ff 100644 --- a/arch/sparc/kernel/rtrap_64.S @@ -6486,6 +6810,55 @@ index cfa0e19..98972ac 100644 mm->get_unmapped_area = arch_get_unmapped_area_topdown; mm->unmap_area = arch_unmap_area_topdown; } +diff --git a/arch/sparc/kernel/syscalls.S b/arch/sparc/kernel/syscalls.S +index d150c2a..bffda9d 100644 +--- a/arch/sparc/kernel/syscalls.S ++++ b/arch/sparc/kernel/syscalls.S +@@ -62,7 +62,7 @@ sys32_rt_sigreturn: + #endif + .align 32 + 1: ldx [%g6 + TI_FLAGS], %l5 +- andcc %l5, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT), %g0 ++ andcc %l5, _TIF_WORK_SYSCALL, %g0 + be,pt %icc, rtrap + nop + call syscall_trace_leave +@@ -198,7 +198,7 @@ linux_sparc_syscall32: + + srl %i5, 0, %o5 ! IEU1 + srl %i2, 0, %o2 ! IEU0 Group +- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT), %g0 ++ andcc %l0, _TIF_WORK_SYSCALL, %g0 + bne,pn %icc, linux_syscall_trace32 ! CTI + mov %i0, %l5 ! IEU1 + call %l7 ! CTI Group brk forced +@@ -221,7 +221,7 @@ linux_sparc_syscall: + + mov %i3, %o3 ! IEU1 + mov %i4, %o4 ! IEU0 Group +- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT), %g0 ++ andcc %l0, _TIF_WORK_SYSCALL, %g0 + bne,pn %icc, linux_syscall_trace ! CTI Group + mov %i0, %l5 ! IEU0 + 2: call %l7 ! CTI Group brk forced +@@ -245,7 +245,7 @@ ret_sys_call: + + cmp %o0, -ERESTART_RESTARTBLOCK + bgeu,pn %xcc, 1f +- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT), %l6 ++ andcc %l0, _TIF_WORK_SYSCALL, %l6 + 80: + /* System call success, clear Carry condition code. */ + andn %g3, %g2, %g3 +@@ -260,7 +260,7 @@ ret_sys_call: + /* System call failure, set Carry condition code. + * Also, get abs(errno) to return to the process. + */ +- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT), %l6 ++ andcc %l0, _TIF_WORK_SYSCALL, %l6 + sub %g0, %o0, %o0 + or %g3, %g2, %g3 + stx %o0, [%sp + PTREGS_OFF + PT_V9_I0] diff --git a/arch/sparc/kernel/traps_32.c b/arch/sparc/kernel/traps_32.c index c0490c7..84959d1 100644 --- a/arch/sparc/kernel/traps_32.c @@ -13413,7 +13786,7 @@ index e0fbf29..858ef4a 100644 /* * Force strict CPU ordering. diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h -index 19c3ce4..8962535 100644 +index 19c3ce4..4ad5ba4 100644 --- a/arch/x86/include/asm/thread_info.h +++ b/arch/x86/include/asm/thread_info.h @@ -10,6 +10,7 @@ @@ -13462,7 +13835,45 @@ index 19c3ce4..8962535 100644 #define init_stack (init_thread_union.stack) #else /* !__ASSEMBLY__ */ -@@ -163,45 +157,40 @@ struct thread_info { +@@ -95,6 +89,7 @@ struct thread_info { + #define TIF_DS_AREA_MSR 26 /* uses thread_struct.ds_area_msr */ + #define TIF_LAZY_MMU_UPDATES 27 /* task is updating the mmu lazily */ + #define TIF_SYSCALL_TRACEPOINT 28 /* syscall tracepoint instrumentation */ ++#define TIF_GRSEC_SETXID 29 /* update credentials on syscall entry/exit */ + + #define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE) + #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME) +@@ -117,16 +112,17 @@ struct thread_info { + #define _TIF_DS_AREA_MSR (1 << TIF_DS_AREA_MSR) + #define _TIF_LAZY_MMU_UPDATES (1 << TIF_LAZY_MMU_UPDATES) + #define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT) ++#define _TIF_GRSEC_SETXID (1 << TIF_GRSEC_SETXID) + + /* work to do in syscall_trace_enter() */ + #define _TIF_WORK_SYSCALL_ENTRY \ + (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_EMU | _TIF_SYSCALL_AUDIT | \ +- _TIF_SECCOMP | _TIF_SINGLESTEP | _TIF_SYSCALL_TRACEPOINT) ++ _TIF_SECCOMP | _TIF_SINGLESTEP | _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID) + + /* work to do in syscall_trace_leave() */ + #define _TIF_WORK_SYSCALL_EXIT \ + (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SINGLESTEP | \ +- _TIF_SYSCALL_TRACEPOINT) ++ _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID) + + /* work to do on interrupt/exception return */ + #define _TIF_WORK_MASK \ +@@ -136,7 +132,8 @@ struct thread_info { + + /* work to do on any return to user space */ + #define _TIF_ALLWORK_MASK \ +- ((0x0000FFFF & ~_TIF_SECCOMP) | _TIF_SYSCALL_TRACEPOINT) ++ ((0x0000FFFF & ~_TIF_SECCOMP) | _TIF_SYSCALL_TRACEPOINT | \ ++ _TIF_GRSEC_SETXID) + + /* Only used for 64 bit */ + #define _TIF_DO_NOTIFY_MASK \ +@@ -163,45 +160,40 @@ struct thread_info { #define alloc_thread_info(tsk) \ ((struct thread_info *)__get_free_pages(THREAD_FLAGS, THREAD_ORDER)) @@ -13533,7 +13944,7 @@ index 19c3ce4..8962535 100644 /* * macros/functions for gaining access to the thread information structure * preempt_count needs to be 1 initially, until the scheduler is functional. -@@ -209,21 +198,8 @@ static inline struct thread_info *current_thread_info(void) +@@ -209,21 +201,8 @@ static inline struct thread_info *current_thread_info(void) #ifndef __ASSEMBLY__ DECLARE_PER_CPU(unsigned long, kernel_stack); @@ -13557,7 +13968,7 @@ index 19c3ce4..8962535 100644 #endif #endif /* !X86_32 */ -@@ -260,5 +236,16 @@ extern void arch_task_cache_init(void); +@@ -260,5 +239,16 @@ extern void arch_task_cache_init(void); extern void free_thread_info(struct thread_info *ti); extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src); #define arch_task_cache_init arch_task_cache_init @@ -16397,7 +16808,7 @@ index 4c07cca..2c8427d 100644 ret ENDPROC(efi_call6) diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S -index c097e7d..91be126 100644 +index c097e7d..853746c 100644 --- a/arch/x86/kernel/entry_32.S +++ b/arch/x86/kernel/entry_32.S @@ -95,12 +95,6 @@ @@ -16618,7 +17029,7 @@ index c097e7d..91be126 100644 +#ifdef CONFIG_PAX_KERNEXEC + jae resume_userspace + -+ PAX_EXIT_KERNEL ++ pax_exit_kernel + jmp resume_kernel +#else jb resume_kernel # not returning to v8086 or userspace @@ -20524,7 +20935,7 @@ index 39493bc..196816d 100644 ip = *(u64 *)(fp+8); if (!in_sched_functions(ip)) diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c -index c06acdd..09de221 100644 +index c06acdd..e7dffe1 100644 --- a/arch/x86/kernel/ptrace.c +++ b/arch/x86/kernel/ptrace.c @@ -559,6 +559,10 @@ static int ioperm_active(struct task_struct *target, @@ -20606,7 +21017,15 @@ index c06acdd..09de221 100644 /* Send us the fake SIGTRAP */ force_sig_info(SIGTRAP, &info, tsk); -@@ -1469,7 +1473,7 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, +@@ -1465,14 +1469,23 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, + # define IS_IA32 0 + #endif + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + /* * We must return the syscall number to actually look up in the table. * This can be -1L to skip running any syscall at all. */ @@ -20615,15 +21034,29 @@ index c06acdd..09de221 100644 { long ret = 0; -@@ -1514,7 +1518,7 @@ asmregparm long syscall_trace_enter(struct pt_regs *regs) ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + /* + * If we stepped into a sysenter/syscall insn, it trapped in + * kernel mode; do_debug() cleared TF and set TIF_SINGLESTEP. +@@ -1514,8 +1527,13 @@ asmregparm long syscall_trace_enter(struct pt_regs *regs) return ret ?: regs->orig_ax; } -asmregparm void syscall_trace_leave(struct pt_regs *regs) +void syscall_trace_leave(struct pt_regs *regs) { ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ if (unlikely(current->audit_context)) audit_syscall_exit(AUDITSC_RESULT(regs->ax), regs->ax); + diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c index cf98100..e76e03d 100644 --- a/arch/x86/kernel/reboot.c @@ -26424,7 +26857,7 @@ index 63a6ba6..79abd7a 100644 return (void *)vaddr; } diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c -index f46c3407..6ff9a26 100644 +index f46c3407..f7e72b0 100644 --- a/arch/x86/mm/hugetlbpage.c +++ b/arch/x86/mm/hugetlbpage.c @@ -267,13 +267,20 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file, @@ -26500,7 +26933,7 @@ index f46c3407..6ff9a26 100644 /* don't allow allocations above current base */ if (mm->free_area_cache > base) -@@ -322,64 +329,63 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, +@@ -322,64 +329,68 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, largest_hole = 0; mm->free_area_cache = base; } @@ -26515,15 +26948,16 @@ index f46c3407..6ff9a26 100644 + addr = (mm->free_area_cache - len); do { + addr &= huge_page_mask(h); -+ vma = find_vma(mm, addr); /* * Lookup failure means no vma is above this address, * i.e. return with success: -- */ + */ - if (!(vma = find_vma_prev(mm, addr, &prev_vma))) -- return addr; -- -- /* ++ vma = find_vma(mm, addr); ++ if (!vma) + return addr; + + /* * new region fits between prev_vma->vm_end and * vma->vm_start, use it: */ @@ -26595,7 +27029,7 @@ index f46c3407..6ff9a26 100644 mm->cached_hole_size = ~0UL; addr = hugetlb_get_unmapped_area_bottomup(file, addr0, len, pgoff, flags); -@@ -387,6 +393,7 @@ fail: +@@ -387,6 +398,7 @@ fail: /* * Restore the topdown base: */ @@ -26603,7 +27037,7 @@ index f46c3407..6ff9a26 100644 mm->free_area_cache = base; mm->cached_hole_size = ~0UL; -@@ -400,10 +407,19 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, +@@ -400,10 +412,19 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, struct hstate *h = hstate_file(file); struct mm_struct *mm = current->mm; struct vm_area_struct *vma; @@ -26624,7 +27058,7 @@ index f46c3407..6ff9a26 100644 return -ENOMEM; if (flags & MAP_FIXED) { -@@ -415,8 +431,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, +@@ -415,8 +436,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, if (addr) { addr = ALIGN(addr, huge_page_size(h)); vma = find_vma(mm, addr); @@ -27083,7 +27517,7 @@ index 30938c1..bda3d5d 100644 printk(KERN_INFO "Write protecting the kernel text: %luk\n", size >> 10); diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c -index 7d095ad..acf1be9 100644 +index 7d095ad..f833fa2 100644 --- a/arch/x86/mm/init_64.c +++ b/arch/x86/mm/init_64.c @@ -123,7 +123,7 @@ static pud_t *fill_pud(pgd_t *pgd, unsigned long vaddr) @@ -27131,6 +27565,15 @@ index 7d095ad..acf1be9 100644 } pmd = pmd_offset(pud, phys); BUG_ON(!pmd_none(*pmd)); +@@ -507,7 +507,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end, + unmap_low_page(pmd); + + spin_lock(&init_mm.page_table_lock); +- pud_populate(&init_mm, pud, __va(pmd_phys)); ++ pud_populate_kernel(&init_mm, pud, __va(pmd_phys)); + spin_unlock(&init_mm.page_table_lock); + } + __flush_tlb_all(); @@ -560,7 +560,7 @@ kernel_physical_mapping_init(unsigned long start, unmap_low_page(pud); @@ -74487,10 +74930,10 @@ index 8f32f50..b6a41e8 100644 link[pathlen] = '\0'; diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..50819f8 +index 0000000..5be91c0 --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,1077 @@ +@@ -0,0 +1,1078 @@ +# +# grecurity configuration +# @@ -74625,7 +75068,7 @@ index 0000000..50819f8 + select GRKERNSEC_PROC_ADD + select GRKERNSEC_CHROOT_CHMOD + select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_SETXID ++ select GRKERNSEC_SETXID if (X86 || SPARC64 || PPC || ARM || MIPS) + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) + select GRKERNSEC_HARDEN_PTRACE @@ -75319,6 +75762,7 @@ index 0000000..50819f8 + +config GRKERNSEC_SETXID + bool "Enforce consistent multithreaded privileges" ++ depends on (X86 || SPARC64 || PPC || ARM || MIPS) + help + If you say Y here, a change from a root uid to a non-root uid + in a multithreaded application will cause the resulting uids, @@ -75614,10 +76058,10 @@ index 0000000..1b9afa9 +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..67b34b9 +index 0000000..c475143 --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,4169 @@ +@@ -0,0 +1,4171 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -79454,20 +79898,22 @@ index 0000000..67b34b9 + return 0; +#endif + -+ read_lock(&tasklist_lock); -+ while (tmp->pid > 0) { -+ if (tmp == curtemp) -+ break; -+ tmp = tmp->real_parent; -+ } ++ if (request == PTRACE_ATTACH) { ++ read_lock(&tasklist_lock); ++ while (tmp->pid > 0) { ++ if (tmp == curtemp) ++ break; ++ tmp = tmp->real_parent; ++ } + -+ if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) || -+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) { ++ if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) || ++ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) { ++ read_unlock(&tasklist_lock); ++ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task); ++ return 1; ++ } + read_unlock(&tasklist_lock); -+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task); -+ return 1; + } -+ read_unlock(&tasklist_lock); + +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE + if (!(gr_status & GR_READY)) @@ -91553,7 +91999,7 @@ index 3f2f04f..4e53ded 100644 /* If set, cpu_up and cpu_down will return -EBUSY and do nothing. * Should always be manipulated under cpu_add_remove_lock diff --git a/kernel/cred.c b/kernel/cred.c -index 0b5b5fc..3fe945c 100644 +index 0b5b5fc..f20c6b9 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -160,6 +160,8 @@ static void put_cred_rcu(struct rcu_head *rcu) @@ -91676,7 +92122,7 @@ index 0b5b5fc..3fe945c 100644 */ alter_cred_subscribers(new, 2); if (new->user != old->user) -@@ -595,8 +622,96 @@ int commit_creds(struct cred *new) +@@ -595,8 +622,105 @@ int commit_creds(struct cred *new) put_cred(old); return 0; } @@ -91743,6 +92189,8 @@ index 0b5b5fc..3fe945c 100644 +int commit_creds(struct cred *new) +{ +#ifdef CONFIG_GRKERNSEC_SETXID ++ int ret; ++ int schedule_it = 0; + struct task_struct *t; + + /* we won't get called with tasklist_lock held for writing @@ -91751,20 +92199,27 @@ index 0b5b5fc..3fe945c 100644 + */ + if (grsec_enable_setxid && !current_is_single_threaded() && + !current_uid() && new->uid) { ++ schedule_it = 1; ++ } ++ ret = __commit_creds(new); ++ if (schedule_it) { + rcu_read_lock(); + read_lock(&tasklist_lock); + for (t = next_thread(current); t != current; + t = next_thread(t)) { + if (t->delayed_cred == NULL) { + t->delayed_cred = get_cred(new); ++ set_tsk_thread_flag(t, TIF_GRSEC_SETXID); + set_tsk_need_resched(t); + } + } + read_unlock(&tasklist_lock); + rcu_read_unlock(); + } -+#endif ++ return ret; ++#else + return __commit_creds(new); ++#endif +} + EXPORT_SYMBOL(commit_creds); @@ -91773,7 +92228,7 @@ index 0b5b5fc..3fe945c 100644 /** * abort_creds - Discard a set of credentials and unlock the current task * @new: The credentials that were going to be applied -@@ -606,6 +721,8 @@ EXPORT_SYMBOL(commit_creds); +@@ -606,6 +730,8 @@ EXPORT_SYMBOL(commit_creds); */ void abort_creds(struct cred *new) { @@ -91782,7 +92237,7 @@ index 0b5b5fc..3fe945c 100644 kdebug("abort_creds(%p{%d,%d})", new, atomic_read(&new->usage), read_cred_subscribers(new)); -@@ -629,6 +746,8 @@ const struct cred *override_creds(const struct cred *new) +@@ -629,6 +755,8 @@ const struct cred *override_creds(const struct cred *new) { const struct cred *old = current->cred; @@ -91791,7 +92246,7 @@ index 0b5b5fc..3fe945c 100644 kdebug("override_creds(%p{%d,%d})", new, atomic_read(&new->usage), read_cred_subscribers(new)); -@@ -658,6 +777,8 @@ void revert_creds(const struct cred *old) +@@ -658,6 +786,8 @@ void revert_creds(const struct cred *old) { const struct cred *override = current->cred; @@ -91800,7 +92255,7 @@ index 0b5b5fc..3fe945c 100644 kdebug("revert_creds(%p{%d,%d})", old, atomic_read(&old->usage), read_cred_subscribers(old)); -@@ -704,6 +825,8 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon) +@@ -704,6 +834,8 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon) const struct cred *old; struct cred *new; @@ -91809,7 +92264,7 @@ index 0b5b5fc..3fe945c 100644 new = kmem_cache_alloc(cred_jar, GFP_KERNEL); if (!new) return NULL; -@@ -758,6 +881,8 @@ EXPORT_SYMBOL(prepare_kernel_cred); +@@ -758,6 +890,8 @@ EXPORT_SYMBOL(prepare_kernel_cred); */ int set_security_override(struct cred *new, u32 secid) { @@ -91818,7 +92273,7 @@ index 0b5b5fc..3fe945c 100644 return security_kernel_act_as(new, secid); } EXPORT_SYMBOL(set_security_override); -@@ -777,6 +902,8 @@ int set_security_override_from_ctx(struct cred *new, const char *secctx) +@@ -777,6 +911,8 @@ int set_security_override_from_ctx(struct cred *new, const char *secctx) u32 secid; int ret; @@ -94871,7 +95326,7 @@ index 29bd4ba..8c5de90 100644 WARN_ON(pendowner->pi_blocked_on->lock != lock); diff --git a/kernel/sched.c b/kernel/sched.c -index 0591df8..e3af3a4 100644 +index 0591df8..db35e3d 100644 --- a/kernel/sched.c +++ b/kernel/sched.c @@ -5043,7 +5043,7 @@ out: @@ -94883,27 +95338,7 @@ index 0591df8..e3af3a4 100644 { int this_cpu = smp_processor_id(); struct rq *this_rq = cpu_rq(this_cpu); -@@ -5690,6 +5690,19 @@ pick_next_task(struct rq *rq) - } - } - -+#ifdef CONFIG_GRKERNSEC_SETXID -+extern void gr_delayed_cred_worker(void); -+static inline void gr_cred_schedule(void) -+{ -+ if (unlikely(current->delayed_cred)) -+ gr_delayed_cred_worker(); -+} -+#else -+static inline void gr_cred_schedule(void) -+{ -+} -+#endif -+ - /* - * schedule() is the main scheduler function. - */ -@@ -5700,6 +5713,8 @@ asmlinkage void __sched schedule(void) +@@ -5700,6 +5700,8 @@ asmlinkage void __sched schedule(void) struct rq *rq; int cpu; @@ -94912,16 +95347,7 @@ index 0591df8..e3af3a4 100644 need_resched: preempt_disable(); cpu = smp_processor_id(); -@@ -5713,6 +5728,8 @@ need_resched_nonpreemptible: - - schedule_debug(prev); - -+ gr_cred_schedule(); -+ - if (sched_feat(HRTICK)) - hrtick_clear(rq); - -@@ -5770,7 +5787,7 @@ EXPORT_SYMBOL(schedule); +@@ -5770,7 +5772,7 @@ EXPORT_SYMBOL(schedule); * Look out! "owner" is an entirely speculative pointer * access and not reliable. */ @@ -94930,7 +95356,7 @@ index 0591df8..e3af3a4 100644 { unsigned int cpu; struct rq *rq; -@@ -5784,10 +5801,10 @@ int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner) +@@ -5784,10 +5786,10 @@ int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner) * DEBUG_PAGEALLOC could have unmapped it if * the mutex owner just released it and exited. */ @@ -94943,7 +95369,7 @@ index 0591df8..e3af3a4 100644 #endif /* -@@ -5816,7 +5833,7 @@ int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner) +@@ -5816,7 +5818,7 @@ int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner) /* * Is that owner really running on that cpu? */ @@ -94952,7 +95378,7 @@ index 0591df8..e3af3a4 100644 return 0; cpu_relax(); -@@ -6359,6 +6376,8 @@ int can_nice(const struct task_struct *p, const int nice) +@@ -6359,6 +6361,8 @@ int can_nice(const struct task_struct *p, const int nice) /* convert nice value [19,-20] to rlimit style value [1,40] */ int nice_rlim = 20 - nice; @@ -94961,7 +95387,7 @@ index 0591df8..e3af3a4 100644 return (nice_rlim <= p->signal->rlim[RLIMIT_NICE].rlim_cur || capable(CAP_SYS_NICE)); } -@@ -6392,7 +6411,8 @@ SYSCALL_DEFINE1(nice, int, increment) +@@ -6392,7 +6396,8 @@ SYSCALL_DEFINE1(nice, int, increment) if (nice > 19) nice = 19; @@ -94971,7 +95397,7 @@ index 0591df8..e3af3a4 100644 return -EPERM; retval = security_task_setnice(current, nice); -@@ -8774,7 +8794,7 @@ static void init_sched_groups_power(int cpu, struct sched_domain *sd) +@@ -8774,7 +8779,7 @@ static void init_sched_groups_power(int cpu, struct sched_domain *sd) long power; int weight; @@ -96268,6 +96694,28 @@ index d102559..4215f31 100644 #define free(a) kfree(a) #endif +diff --git a/lib/ioremap.c b/lib/ioremap.c +index 14c6078..65526a1 100644 +--- a/lib/ioremap.c ++++ b/lib/ioremap.c +@@ -37,7 +37,7 @@ static inline int ioremap_pmd_range(pud_t *pud, unsigned long addr, + unsigned long next; + + phys_addr -= addr; +- pmd = pmd_alloc(&init_mm, pud, addr); ++ pmd = pmd_alloc_kernel(&init_mm, pud, addr); + if (!pmd) + return -ENOMEM; + do { +@@ -55,7 +55,7 @@ static inline int ioremap_pud_range(pgd_t *pgd, unsigned long addr, + unsigned long next; + + phys_addr -= addr; +- pud = pud_alloc(&init_mm, pgd, addr); ++ pud = pud_alloc_kernel(&init_mm, pgd, addr); + if (!pud) + return -ENOMEM; + do { diff --git a/lib/is_single_threaded.c b/lib/is_single_threaded.c index bd2bea9..6b3c95e 100644 --- a/lib/is_single_threaded.c @@ -96853,7 +97301,7 @@ index 8aeba53..b4a4198 100644 /* * We need/can do nothing about count=0 pages. diff --git a/mm/memory.c b/mm/memory.c -index 6c836d3..693224d 100644 +index 6c836d3..b2296e1 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -187,8 +187,12 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, @@ -96955,7 +97403,29 @@ index 6c836d3..693224d 100644 if (addr < vma->vm_start || addr >= vma->vm_end) return -EFAULT; -@@ -1977,6 +2001,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo +@@ -1855,7 +1879,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud, + + BUG_ON(pud_huge(*pud)); + +- pmd = pmd_alloc(mm, pud, addr); ++ pmd = (mm == &init_mm) ? ++ pmd_alloc_kernel(mm, pud, addr) : ++ pmd_alloc(mm, pud, addr); + if (!pmd) + return -ENOMEM; + do { +@@ -1875,7 +1901,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd, + unsigned long next; + int err; + +- pud = pud_alloc(mm, pgd, addr); ++ pud = (mm == &init_mm) ? ++ pud_alloc_kernel(mm, pgd, addr) : ++ pud_alloc(mm, pgd, addr); + if (!pud) + return -ENOMEM; + do { +@@ -1977,6 +2005,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo copy_user_highpage(dst, src, va, vma); } @@ -97142,7 +97612,7 @@ index 6c836d3..693224d 100644 /* * This routine handles present pages, when users try to write * to a shared page. It is done by copying the page to a new address -@@ -2156,6 +2360,12 @@ gotten: +@@ -2156,6 +2364,12 @@ gotten: */ page_table = pte_offset_map_lock(mm, pmd, address, &ptl); if (likely(pte_same(*page_table, orig_pte))) { @@ -97155,7 +97625,7 @@ index 6c836d3..693224d 100644 if (old_page) { if (!PageAnon(old_page)) { dec_mm_counter(mm, file_rss); -@@ -2207,6 +2417,10 @@ gotten: +@@ -2207,6 +2421,10 @@ gotten: page_remove_rmap(old_page); } @@ -97166,7 +97636,7 @@ index 6c836d3..693224d 100644 /* Free the old page.. */ new_page = old_page; ret |= VM_FAULT_WRITE; -@@ -2606,6 +2820,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2606,6 +2824,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, swap_free(entry); if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page)) try_to_free_swap(page); @@ -97178,7 +97648,7 @@ index 6c836d3..693224d 100644 unlock_page(page); if (flags & FAULT_FLAG_WRITE) { -@@ -2617,6 +2836,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2617,6 +2840,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, /* No need to invalidate - it was non-present before */ update_mmu_cache(vma, address, pte); @@ -97190,7 +97660,7 @@ index 6c836d3..693224d 100644 unlock: pte_unmap_unlock(page_table, ptl); out: -@@ -2632,40 +2856,6 @@ out_release: +@@ -2632,40 +2860,6 @@ out_release: } /* @@ -97231,7 +97701,7 @@ index 6c836d3..693224d 100644 * We enter with non-exclusive mmap_sem (to exclude vma changes, * but allow concurrent faults), and pte mapped but not yet locked. * We return with mmap_sem still held, but pte unmapped and unlocked. -@@ -2674,27 +2864,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2674,27 +2868,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long address, pte_t *page_table, pmd_t *pmd, unsigned int flags) { @@ -97264,7 +97734,7 @@ index 6c836d3..693224d 100644 if (unlikely(anon_vma_prepare(vma))) goto oom; page = alloc_zeroed_user_highpage_movable(vma, address); -@@ -2713,6 +2899,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2713,6 +2903,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, if (!pte_none(*page_table)) goto release; @@ -97276,7 +97746,7 @@ index 6c836d3..693224d 100644 inc_mm_counter(mm, anon_rss); page_add_new_anon_rmap(page, vma, address); setpte: -@@ -2720,6 +2911,12 @@ setpte: +@@ -2720,6 +2915,12 @@ setpte: /* No need to invalidate - it was non-present before */ update_mmu_cache(vma, address, entry); @@ -97289,7 +97759,7 @@ index 6c836d3..693224d 100644 unlock: pte_unmap_unlock(page_table, ptl); return 0; -@@ -2862,6 +3059,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2862,6 +3063,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, */ /* Only go through if we didn't race with anybody else... */ if (likely(pte_same(*page_table, orig_pte))) { @@ -97302,7 +97772,7 @@ index 6c836d3..693224d 100644 flush_icache_page(vma, page); entry = mk_pte(page, vma->vm_page_prot); if (flags & FAULT_FLAG_WRITE) -@@ -2881,6 +3084,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2881,6 +3088,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, /* no need to invalidate: a not-present page won't be cached */ update_mmu_cache(vma, address, entry); @@ -97317,7 +97787,7 @@ index 6c836d3..693224d 100644 } else { if (charged) mem_cgroup_uncharge_page(page); -@@ -3028,6 +3239,12 @@ static inline int handle_pte_fault(struct mm_struct *mm, +@@ -3028,6 +3243,12 @@ static inline int handle_pte_fault(struct mm_struct *mm, if (flags & FAULT_FLAG_WRITE) flush_tlb_page(vma, address); } @@ -97330,7 +97800,7 @@ index 6c836d3..693224d 100644 unlock: pte_unmap_unlock(pte, ptl); return 0; -@@ -3044,6 +3261,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3044,6 +3265,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, pmd_t *pmd; pte_t *pte; @@ -97341,7 +97811,7 @@ index 6c836d3..693224d 100644 __set_current_state(TASK_RUNNING); count_vm_event(PGFAULT); -@@ -3051,6 +3272,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3051,6 +3276,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, if (unlikely(is_vm_hugetlb_page(vma))) return hugetlb_fault(mm, vma, address, flags); @@ -97376,7 +97846,7 @@ index 6c836d3..693224d 100644 pgd = pgd_offset(mm, address); pud = pud_alloc(mm, pgd, address); if (!pud) -@@ -3086,6 +3335,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) +@@ -3086,6 +3339,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) spin_unlock(&mm->page_table_lock); return 0; } @@ -97400,7 +97870,7 @@ index 6c836d3..693224d 100644 #endif /* __PAGETABLE_PUD_FOLDED */ #ifndef __PAGETABLE_PMD_FOLDED -@@ -3116,6 +3382,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) +@@ -3116,6 +3386,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) spin_unlock(&mm->page_table_lock); return 0; } @@ -97431,7 +97901,7 @@ index 6c836d3..693224d 100644 #endif /* __PAGETABLE_PMD_FOLDED */ int make_pages_present(unsigned long addr, unsigned long end) -@@ -3148,7 +3438,7 @@ static int __init gate_vma_init(void) +@@ -3148,7 +3442,7 @@ static int __init gate_vma_init(void) gate_vma.vm_start = FIXADDR_USER_START; gate_vma.vm_end = FIXADDR_USER_END; gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC; diff --git a/3.2.16/0000_README b/3.2.17/0000_README index b39a326..d74a42e 100644 --- a/3.2.16/0000_README +++ b/3.2.17/0000_README @@ -2,7 +2,11 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.9-3.2.16-201205071838.patch +Patch: 1016_linux-3.2.17.patch +From: http://www.kernel.org +Desc: Linux 3.2.17 + +Patch: 4420_grsecurity-2.9-3.2.17-201205131657.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.17/1016_linux-3.2.17.patch b/3.2.17/1016_linux-3.2.17.patch new file mode 100644 index 0000000..5aeed10 --- /dev/null +++ b/3.2.17/1016_linux-3.2.17.patch @@ -0,0 +1,5695 @@ +diff --git a/Makefile b/Makefile +index 3da29cb..4c4efa3 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 2 +-SUBLEVEL = 16 ++SUBLEVEL = 17 + EXTRAVERSION = + NAME = Saber-toothed Squirrel + +diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig +index ab3740e..ef642a0 100644 +--- a/arch/arm/Kconfig ++++ b/arch/arm/Kconfig +@@ -1155,6 +1155,15 @@ if !MMU + source "arch/arm/Kconfig-nommu" + endif + ++config ARM_ERRATA_326103 ++ bool "ARM errata: FSR write bit incorrect on a SWP to read-only memory" ++ depends on CPU_V6 ++ help ++ Executing a SWP instruction to read-only memory does not set bit 11 ++ of the FSR on the ARM 1136 prior to r1p0. This causes the kernel to ++ treat the access as a read, preventing a COW from occurring and ++ causing the faulting task to livelock. ++ + config ARM_ERRATA_411920 + bool "ARM errata: Invalidation of the Instruction Cache operation can fail" + depends on CPU_V6 || CPU_V6K +diff --git a/arch/arm/include/asm/tls.h b/arch/arm/include/asm/tls.h +index 60843eb..73409e6 100644 +--- a/arch/arm/include/asm/tls.h ++++ b/arch/arm/include/asm/tls.h +@@ -7,6 +7,8 @@ + + .macro set_tls_v6k, tp, tmp1, tmp2 + mcr p15, 0, \tp, c13, c0, 3 @ set TLS register ++ mov \tmp1, #0 ++ mcr p15, 0, \tmp1, c13, c0, 2 @ clear user r/w TLS register + .endm + + .macro set_tls_v6, tp, tmp1, tmp2 +@@ -15,6 +17,8 @@ + mov \tmp2, #0xffff0fff + tst \tmp1, #HWCAP_TLS @ hardware TLS available? + mcrne p15, 0, \tp, c13, c0, 3 @ yes, set TLS register ++ movne \tmp1, #0 ++ mcrne p15, 0, \tmp1, c13, c0, 2 @ clear user r/w TLS register + streq \tp, [\tmp2, #-15] @ set TLS value at 0xffff0ff0 + .endm + +diff --git a/arch/arm/kernel/irq.c b/arch/arm/kernel/irq.c +index 3efd82c..87c8be5 100644 +--- a/arch/arm/kernel/irq.c ++++ b/arch/arm/kernel/irq.c +@@ -156,10 +156,10 @@ static bool migrate_one_irq(struct irq_desc *desc) + } + + c = irq_data_get_irq_chip(d); +- if (c->irq_set_affinity) +- c->irq_set_affinity(d, affinity, true); +- else ++ if (!c->irq_set_affinity) + pr_debug("IRQ%u: unable to set affinity\n", d->irq); ++ else if (c->irq_set_affinity(d, affinity, true) == IRQ_SET_MASK_OK && ret) ++ cpumask_copy(d->affinity, affinity); + + return ret; + } +diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c +index ef5640b..e10e59a 100644 +--- a/arch/arm/kernel/smp.c ++++ b/arch/arm/kernel/smp.c +@@ -297,8 +297,6 @@ asmlinkage void __cpuinit secondary_start_kernel(void) + struct mm_struct *mm = &init_mm; + unsigned int cpu = smp_processor_id(); + +- printk("CPU%u: Booted secondary processor\n", cpu); +- + /* + * All kernel threads share the same mm context; grab a + * reference and switch to it. +@@ -310,6 +308,8 @@ asmlinkage void __cpuinit secondary_start_kernel(void) + enter_lazy_tlb(mm, current); + local_flush_tlb_all(); + ++ printk("CPU%u: Booted secondary processor\n", cpu); ++ + cpu_init(); + preempt_disable(); + trace_hardirqs_off(); +diff --git a/arch/arm/kernel/sys_arm.c b/arch/arm/kernel/sys_arm.c +index d2b1779..76cbb05 100644 +--- a/arch/arm/kernel/sys_arm.c ++++ b/arch/arm/kernel/sys_arm.c +@@ -115,7 +115,7 @@ int kernel_execve(const char *filename, + "Ir" (THREAD_START_SP - sizeof(regs)), + "r" (®s), + "Ir" (sizeof(regs)) +- : "r0", "r1", "r2", "r3", "ip", "lr", "memory"); ++ : "r0", "r1", "r2", "r3", "r8", "r9", "ip", "lr", "memory"); + + out: + return ret; +diff --git a/arch/arm/mach-omap1/timer.c b/arch/arm/mach-omap1/timer.c +index 6e90665..fb202af 100644 +--- a/arch/arm/mach-omap1/timer.c ++++ b/arch/arm/mach-omap1/timer.c +@@ -47,9 +47,9 @@ static int omap1_dm_timer_set_src(struct platform_device *pdev, + int n = (pdev->id - 1) << 1; + u32 l; + +- l = __raw_readl(MOD_CONF_CTRL_1) & ~(0x03 << n); ++ l = omap_readl(MOD_CONF_CTRL_1) & ~(0x03 << n); + l |= source << n; +- __raw_writel(l, MOD_CONF_CTRL_1); ++ omap_writel(l, MOD_CONF_CTRL_1); + + return 0; + } +diff --git a/arch/arm/mm/abort-ev6.S b/arch/arm/mm/abort-ev6.S +index ff1f7cc..8074199 100644 +--- a/arch/arm/mm/abort-ev6.S ++++ b/arch/arm/mm/abort-ev6.S +@@ -26,18 +26,23 @@ ENTRY(v6_early_abort) + mrc p15, 0, r1, c5, c0, 0 @ get FSR + mrc p15, 0, r0, c6, c0, 0 @ get FAR + /* +- * Faulty SWP instruction on 1136 doesn't set bit 11 in DFSR (erratum 326103). +- * The test below covers all the write situations, including Java bytecodes ++ * Faulty SWP instruction on 1136 doesn't set bit 11 in DFSR. + */ +- bic r1, r1, #1 << 11 @ clear bit 11 of FSR ++#ifdef CONFIG_ARM_ERRATA_326103 ++ ldr ip, =0x4107b36 ++ mrc p15, 0, r3, c0, c0, 0 @ get processor id ++ teq ip, r3, lsr #4 @ r0 ARM1136? ++ bne do_DataAbort + tst r5, #PSR_J_BIT @ Java? ++ tsteq r5, #PSR_T_BIT @ Thumb? + bne do_DataAbort +- do_thumb_abort fsr=r1, pc=r4, psr=r5, tmp=r3 +- ldreq r3, [r4] @ read aborted ARM instruction ++ bic r1, r1, #1 << 11 @ clear bit 11 of FSR ++ ldr r3, [r4] @ read aborted ARM instruction + #ifdef CONFIG_CPU_ENDIAN_BE8 +- reveq r3, r3 ++ rev r3, r3 + #endif + do_ldrd_abort tmp=ip, insn=r3 + tst r3, #1 << 20 @ L = 0 -> write + orreq r1, r1, #1 << 11 @ yes. ++#endif + b do_DataAbort +diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c +index b1e192b..db7bcc0 100644 +--- a/arch/arm/mm/cache-l2x0.c ++++ b/arch/arm/mm/cache-l2x0.c +@@ -32,6 +32,7 @@ static void __iomem *l2x0_base; + static DEFINE_RAW_SPINLOCK(l2x0_lock); + static uint32_t l2x0_way_mask; /* Bitmask of active ways */ + static uint32_t l2x0_size; ++static unsigned long sync_reg_offset = L2X0_CACHE_SYNC; + + struct l2x0_regs l2x0_saved_regs; + +@@ -61,12 +62,7 @@ static inline void cache_sync(void) + { + void __iomem *base = l2x0_base; + +-#ifdef CONFIG_PL310_ERRATA_753970 +- /* write to an unmmapped register */ +- writel_relaxed(0, base + L2X0_DUMMY_REG); +-#else +- writel_relaxed(0, base + L2X0_CACHE_SYNC); +-#endif ++ writel_relaxed(0, base + sync_reg_offset); + cache_wait(base + L2X0_CACHE_SYNC, 1); + } + +@@ -85,10 +81,13 @@ static inline void l2x0_inv_line(unsigned long addr) + } + + #if defined(CONFIG_PL310_ERRATA_588369) || defined(CONFIG_PL310_ERRATA_727915) ++static inline void debug_writel(unsigned long val) ++{ ++ if (outer_cache.set_debug) ++ outer_cache.set_debug(val); ++} + +-#define debug_writel(val) outer_cache.set_debug(val) +- +-static void l2x0_set_debug(unsigned long val) ++static void pl310_set_debug(unsigned long val) + { + writel_relaxed(val, l2x0_base + L2X0_DEBUG_CTRL); + } +@@ -98,7 +97,7 @@ static inline void debug_writel(unsigned long val) + { + } + +-#define l2x0_set_debug NULL ++#define pl310_set_debug NULL + #endif + + #ifdef CONFIG_PL310_ERRATA_588369 +@@ -331,6 +330,11 @@ void __init l2x0_init(void __iomem *base, __u32 aux_val, __u32 aux_mask) + else + ways = 8; + type = "L310"; ++#ifdef CONFIG_PL310_ERRATA_753970 ++ /* Unmapped register. */ ++ sync_reg_offset = L2X0_DUMMY_REG; ++#endif ++ outer_cache.set_debug = pl310_set_debug; + break; + case L2X0_CACHE_ID_PART_L210: + ways = (aux >> 13) & 0xf; +@@ -379,7 +383,6 @@ void __init l2x0_init(void __iomem *base, __u32 aux_val, __u32 aux_mask) + outer_cache.flush_all = l2x0_flush_all; + outer_cache.inv_all = l2x0_inv_all; + outer_cache.disable = l2x0_disable; +- outer_cache.set_debug = l2x0_set_debug; + + printk(KERN_INFO "%s cache controller enabled\n", type); + printk(KERN_INFO "l2x0: %d ways, CACHE_ID 0x%08x, AUX_CTRL 0x%08x, Cache size: %d B\n", +diff --git a/arch/x86/boot/compressed/relocs.c b/arch/x86/boot/compressed/relocs.c +index 89bbf4e..e77f4e4 100644 +--- a/arch/x86/boot/compressed/relocs.c ++++ b/arch/x86/boot/compressed/relocs.c +@@ -402,13 +402,11 @@ static void print_absolute_symbols(void) + for (i = 0; i < ehdr.e_shnum; i++) { + struct section *sec = &secs[i]; + char *sym_strtab; +- Elf32_Sym *sh_symtab; + int j; + + if (sec->shdr.sh_type != SHT_SYMTAB) { + continue; + } +- sh_symtab = sec->symtab; + sym_strtab = sec->link->strtab; + for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Sym); j++) { + Elf32_Sym *sym; +diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c +index f98d84c..c4e3581 100644 +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -1577,9 +1577,11 @@ static int __init apic_verify(void) + mp_lapic_addr = APIC_DEFAULT_PHYS_BASE; + + /* The BIOS may have set up the APIC at some other address */ +- rdmsr(MSR_IA32_APICBASE, l, h); +- if (l & MSR_IA32_APICBASE_ENABLE) +- mp_lapic_addr = l & MSR_IA32_APICBASE_BASE; ++ if (boot_cpu_data.x86 >= 6) { ++ rdmsr(MSR_IA32_APICBASE, l, h); ++ if (l & MSR_IA32_APICBASE_ENABLE) ++ mp_lapic_addr = l & MSR_IA32_APICBASE_BASE; ++ } + + pr_info("Found and enabled local APIC!\n"); + return 0; +@@ -1597,13 +1599,15 @@ int __init apic_force_enable(unsigned long addr) + * MSR. This can only be done in software for Intel P6 or later + * and AMD K7 (Model > 1) or later. + */ +- rdmsr(MSR_IA32_APICBASE, l, h); +- if (!(l & MSR_IA32_APICBASE_ENABLE)) { +- pr_info("Local APIC disabled by BIOS -- reenabling.\n"); +- l &= ~MSR_IA32_APICBASE_BASE; +- l |= MSR_IA32_APICBASE_ENABLE | addr; +- wrmsr(MSR_IA32_APICBASE, l, h); +- enabled_via_apicbase = 1; ++ if (boot_cpu_data.x86 >= 6) { ++ rdmsr(MSR_IA32_APICBASE, l, h); ++ if (!(l & MSR_IA32_APICBASE_ENABLE)) { ++ pr_info("Local APIC disabled by BIOS -- reenabling.\n"); ++ l &= ~MSR_IA32_APICBASE_BASE; ++ l |= MSR_IA32_APICBASE_ENABLE | addr; ++ wrmsr(MSR_IA32_APICBASE, l, h); ++ enabled_via_apicbase = 1; ++ } + } + return apic_verify(); + } +@@ -2149,10 +2153,12 @@ static void lapic_resume(void) + * FIXME! This will be wrong if we ever support suspend on + * SMP! We'll need to do this as part of the CPU restore! + */ +- rdmsr(MSR_IA32_APICBASE, l, h); +- l &= ~MSR_IA32_APICBASE_BASE; +- l |= MSR_IA32_APICBASE_ENABLE | mp_lapic_addr; +- wrmsr(MSR_IA32_APICBASE, l, h); ++ if (boot_cpu_data.x86 >= 6) { ++ rdmsr(MSR_IA32_APICBASE, l, h); ++ l &= ~MSR_IA32_APICBASE_BASE; ++ l |= MSR_IA32_APICBASE_ENABLE | mp_lapic_addr; ++ wrmsr(MSR_IA32_APICBASE, l, h); ++ } + } + + maxlvt = lapic_get_maxlvt(); +diff --git a/arch/x86/kernel/microcode_core.c b/arch/x86/kernel/microcode_core.c +index 9d46f5e..563a09d 100644 +--- a/arch/x86/kernel/microcode_core.c ++++ b/arch/x86/kernel/microcode_core.c +@@ -418,10 +418,8 @@ static int mc_sysdev_add(struct sys_device *sys_dev) + if (err) + return err; + +- if (microcode_init_cpu(cpu) == UCODE_ERROR) { +- sysfs_remove_group(&sys_dev->kobj, &mc_attr_group); ++ if (microcode_init_cpu(cpu) == UCODE_ERROR) + return -EINVAL; +- } + + return err; + } +diff --git a/arch/x86/kernel/setup_percpu.c b/arch/x86/kernel/setup_percpu.c +index 71f4727..5a98aa2 100644 +--- a/arch/x86/kernel/setup_percpu.c ++++ b/arch/x86/kernel/setup_percpu.c +@@ -185,10 +185,22 @@ void __init setup_per_cpu_areas(void) + #endif + rc = -EINVAL; + if (pcpu_chosen_fc != PCPU_FC_PAGE) { +- const size_t atom_size = cpu_has_pse ? PMD_SIZE : PAGE_SIZE; + const size_t dyn_size = PERCPU_MODULE_RESERVE + + PERCPU_DYNAMIC_RESERVE - PERCPU_FIRST_CHUNK_RESERVE; ++ size_t atom_size; + ++ /* ++ * On 64bit, use PMD_SIZE for atom_size so that embedded ++ * percpu areas are aligned to PMD. This, in the future, ++ * can also allow using PMD mappings in vmalloc area. Use ++ * PAGE_SIZE on 32bit as vmalloc space is highly contended ++ * and large vmalloc area allocs can easily fail. ++ */ ++#ifdef CONFIG_X86_64 ++ atom_size = PMD_SIZE; ++#else ++ atom_size = PAGE_SIZE; ++#endif + rc = pcpu_embed_first_chunk(PERCPU_FIRST_CHUNK_RESERVE, + dyn_size, atom_size, + pcpu_cpu_distance, +diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c +index 1f92865..e7c920b 100644 +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -62,6 +62,7 @@ + #include <asm/reboot.h> + #include <asm/stackprotector.h> + #include <asm/hypervisor.h> ++#include <asm/pci_x86.h> + + #include "xen-ops.h" + #include "mmu.h" +@@ -1278,8 +1279,10 @@ asmlinkage void __init xen_start_kernel(void) + /* Make sure ACS will be enabled */ + pci_request_acs(); + } +- +- ++#ifdef CONFIG_PCI ++ /* PCI BIOS service won't work from a PV guest. */ ++ pci_probe &= ~PCI_PROBE_BIOS; ++#endif + xen_raw_console_write("about to get started...\n"); + + xen_setup_runstate_info(0); +diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c +index 87f6673..ec3d603 100644 +--- a/arch/x86/xen/mmu.c ++++ b/arch/x86/xen/mmu.c +@@ -353,8 +353,13 @@ static pteval_t pte_mfn_to_pfn(pteval_t val) + { + if (val & _PAGE_PRESENT) { + unsigned long mfn = (val & PTE_PFN_MASK) >> PAGE_SHIFT; ++ unsigned long pfn = mfn_to_pfn(mfn); ++ + pteval_t flags = val & PTE_FLAGS_MASK; +- val = ((pteval_t)mfn_to_pfn(mfn) << PAGE_SHIFT) | flags; ++ if (unlikely(pfn == ~0)) ++ val = flags & ~_PAGE_PRESENT; ++ else ++ val = ((pteval_t)pfn << PAGE_SHIFT) | flags; + } + + return val; +diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c +index 041d4fe..9a23fff 100644 +--- a/arch/x86/xen/smp.c ++++ b/arch/x86/xen/smp.c +@@ -172,6 +172,7 @@ static void __init xen_fill_possible_map(void) + static void __init xen_filter_cpu_maps(void) + { + int i, rc; ++ unsigned int subtract = 0; + + if (!xen_initial_domain()) + return; +@@ -186,8 +187,22 @@ static void __init xen_filter_cpu_maps(void) + } else { + set_cpu_possible(i, false); + set_cpu_present(i, false); ++ subtract++; + } + } ++#ifdef CONFIG_HOTPLUG_CPU ++ /* This is akin to using 'nr_cpus' on the Linux command line. ++ * Which is OK as when we use 'dom0_max_vcpus=X' we can only ++ * have up to X, while nr_cpu_ids is greater than X. This ++ * normally is not a problem, except when CPU hotplugging ++ * is involved and then there might be more than X CPUs ++ * in the guest - which will not work as there is no ++ * hypercall to expand the max number of VCPUs an already ++ * running guest has. So cap it up to X. */ ++ if (subtract) ++ nr_cpu_ids = nr_cpu_ids - subtract; ++#endif ++ + } + + static void __init xen_smp_prepare_boot_cpu(void) +diff --git a/arch/x86/xen/xen-asm.S b/arch/x86/xen/xen-asm.S +index 79d7362..3e45aa0 100644 +--- a/arch/x86/xen/xen-asm.S ++++ b/arch/x86/xen/xen-asm.S +@@ -96,7 +96,7 @@ ENTRY(xen_restore_fl_direct) + + /* check for unmasked and pending */ + cmpw $0x0001, PER_CPU_VAR(xen_vcpu_info) + XEN_vcpu_info_pending +- jz 1f ++ jnz 1f + 2: call check_events + 1: + ENDPATCH(xen_restore_fl_direct) +diff --git a/crypto/sha512_generic.c b/crypto/sha512_generic.c +index 107f6f7..dd30f40 100644 +--- a/crypto/sha512_generic.c ++++ b/crypto/sha512_generic.c +@@ -174,7 +174,7 @@ sha512_update(struct shash_desc *desc, const u8 *data, unsigned int len) + index = sctx->count[0] & 0x7f; + + /* Update number of bytes */ +- if (!(sctx->count[0] += len)) ++ if ((sctx->count[0] += len) < len) + sctx->count[1]++; + + part_len = 128 - index; +diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c +index a9b2820..58db834 100644 +--- a/drivers/ata/libata-eh.c ++++ b/drivers/ata/libata-eh.c +@@ -3500,7 +3500,8 @@ static int ata_count_probe_trials_cb(struct ata_ering_entry *ent, void *void_arg + u64 now = get_jiffies_64(); + int *trials = void_arg; + +- if (ent->timestamp < now - min(now, interval)) ++ if ((ent->eflags & ATA_EFLAG_OLD_ER) || ++ (ent->timestamp < now - min(now, interval))) + return -1; + + (*trials)++; +diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c +index 003cd8d..99fefbd 100644 +--- a/drivers/bluetooth/ath3k.c ++++ b/drivers/bluetooth/ath3k.c +@@ -73,6 +73,7 @@ static struct usb_device_id ath3k_table[] = { + { USB_DEVICE(0x0CF3, 0x3004) }, + { USB_DEVICE(0x0CF3, 0x311D) }, + { USB_DEVICE(0x13d3, 0x3375) }, ++ { USB_DEVICE(0x04CA, 0x3005) }, + + /* Atheros AR5BBU12 with sflash firmware */ + { USB_DEVICE(0x0489, 0xE02C) }, +@@ -91,6 +92,7 @@ static struct usb_device_id ath3k_blist_tbl[] = { + { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x311D), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 }, + + { } /* Terminating entry */ + }; +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index db44ad5..e56da6a 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -129,6 +129,7 @@ static struct usb_device_id blacklist_table[] = { + { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 }, + + /* Atheros AR5BBU12 with sflash firmware */ + { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE }, +diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c +index a60adbf..79dcf6e 100644 +--- a/drivers/dma/at_hdmac.c ++++ b/drivers/dma/at_hdmac.c +@@ -239,10 +239,6 @@ static void atc_dostart(struct at_dma_chan *atchan, struct at_desc *first) + + vdbg_dump_regs(atchan); + +- /* clear any pending interrupt */ +- while (dma_readl(atdma, EBCISR)) +- cpu_relax(); +- + channel_writel(atchan, SADDR, 0); + channel_writel(atchan, DADDR, 0); + channel_writel(atchan, CTRLA, 0); +diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c +index b0a8117..0535c21 100644 +--- a/drivers/firmware/efivars.c ++++ b/drivers/firmware/efivars.c +@@ -191,6 +191,190 @@ utf16_strncmp(const efi_char16_t *a, const efi_char16_t *b, size_t len) + } + } + ++static bool ++validate_device_path(struct efi_variable *var, int match, u8 *buffer, ++ unsigned long len) ++{ ++ struct efi_generic_dev_path *node; ++ int offset = 0; ++ ++ node = (struct efi_generic_dev_path *)buffer; ++ ++ if (len < sizeof(*node)) ++ return false; ++ ++ while (offset <= len - sizeof(*node) && ++ node->length >= sizeof(*node) && ++ node->length <= len - offset) { ++ offset += node->length; ++ ++ if ((node->type == EFI_DEV_END_PATH || ++ node->type == EFI_DEV_END_PATH2) && ++ node->sub_type == EFI_DEV_END_ENTIRE) ++ return true; ++ ++ node = (struct efi_generic_dev_path *)(buffer + offset); ++ } ++ ++ /* ++ * If we're here then either node->length pointed past the end ++ * of the buffer or we reached the end of the buffer without ++ * finding a device path end node. ++ */ ++ return false; ++} ++ ++static bool ++validate_boot_order(struct efi_variable *var, int match, u8 *buffer, ++ unsigned long len) ++{ ++ /* An array of 16-bit integers */ ++ if ((len % 2) != 0) ++ return false; ++ ++ return true; ++} ++ ++static bool ++validate_load_option(struct efi_variable *var, int match, u8 *buffer, ++ unsigned long len) ++{ ++ u16 filepathlength; ++ int i, desclength = 0, namelen; ++ ++ namelen = utf16_strnlen(var->VariableName, sizeof(var->VariableName)); ++ ++ /* Either "Boot" or "Driver" followed by four digits of hex */ ++ for (i = match; i < match+4; i++) { ++ if (var->VariableName[i] > 127 || ++ hex_to_bin(var->VariableName[i] & 0xff) < 0) ++ return true; ++ } ++ ++ /* Reject it if there's 4 digits of hex and then further content */ ++ if (namelen > match + 4) ++ return false; ++ ++ /* A valid entry must be at least 8 bytes */ ++ if (len < 8) ++ return false; ++ ++ filepathlength = buffer[4] | buffer[5] << 8; ++ ++ /* ++ * There's no stored length for the description, so it has to be ++ * found by hand ++ */ ++ desclength = utf16_strsize((efi_char16_t *)(buffer + 6), len - 6) + 2; ++ ++ /* Each boot entry must have a descriptor */ ++ if (!desclength) ++ return false; ++ ++ /* ++ * If the sum of the length of the description, the claimed filepath ++ * length and the original header are greater than the length of the ++ * variable, it's malformed ++ */ ++ if ((desclength + filepathlength + 6) > len) ++ return false; ++ ++ /* ++ * And, finally, check the filepath ++ */ ++ return validate_device_path(var, match, buffer + desclength + 6, ++ filepathlength); ++} ++ ++static bool ++validate_uint16(struct efi_variable *var, int match, u8 *buffer, ++ unsigned long len) ++{ ++ /* A single 16-bit integer */ ++ if (len != 2) ++ return false; ++ ++ return true; ++} ++ ++static bool ++validate_ascii_string(struct efi_variable *var, int match, u8 *buffer, ++ unsigned long len) ++{ ++ int i; ++ ++ for (i = 0; i < len; i++) { ++ if (buffer[i] > 127) ++ return false; ++ ++ if (buffer[i] == 0) ++ return true; ++ } ++ ++ return false; ++} ++ ++struct variable_validate { ++ char *name; ++ bool (*validate)(struct efi_variable *var, int match, u8 *data, ++ unsigned long len); ++}; ++ ++static const struct variable_validate variable_validate[] = { ++ { "BootNext", validate_uint16 }, ++ { "BootOrder", validate_boot_order }, ++ { "DriverOrder", validate_boot_order }, ++ { "Boot*", validate_load_option }, ++ { "Driver*", validate_load_option }, ++ { "ConIn", validate_device_path }, ++ { "ConInDev", validate_device_path }, ++ { "ConOut", validate_device_path }, ++ { "ConOutDev", validate_device_path }, ++ { "ErrOut", validate_device_path }, ++ { "ErrOutDev", validate_device_path }, ++ { "Timeout", validate_uint16 }, ++ { "Lang", validate_ascii_string }, ++ { "PlatformLang", validate_ascii_string }, ++ { "", NULL }, ++}; ++ ++static bool ++validate_var(struct efi_variable *var, u8 *data, unsigned long len) ++{ ++ int i; ++ u16 *unicode_name = var->VariableName; ++ ++ for (i = 0; variable_validate[i].validate != NULL; i++) { ++ const char *name = variable_validate[i].name; ++ int match; ++ ++ for (match = 0; ; match++) { ++ char c = name[match]; ++ u16 u = unicode_name[match]; ++ ++ /* All special variables are plain ascii */ ++ if (u > 127) ++ return true; ++ ++ /* Wildcard in the matching name means we've matched */ ++ if (c == '*') ++ return variable_validate[i].validate(var, ++ match, data, len); ++ ++ /* Case sensitive match */ ++ if (c != u) ++ break; ++ ++ /* Reached the end of the string while matching */ ++ if (!c) ++ return variable_validate[i].validate(var, ++ match, data, len); ++ } ++ } ++ ++ return true; ++} ++ + static efi_status_t + get_var_data_locked(struct efivars *efivars, struct efi_variable *var) + { +@@ -324,6 +508,12 @@ efivar_store_raw(struct efivar_entry *entry, const char *buf, size_t count) + return -EINVAL; + } + ++ if ((new_var->Attributes & ~EFI_VARIABLE_MASK) != 0 || ++ validate_var(new_var, new_var->Data, new_var->DataSize) == false) { ++ printk(KERN_ERR "efivars: Malformed variable content\n"); ++ return -EINVAL; ++ } ++ + spin_lock(&efivars->lock); + status = efivars->ops->set_variable(new_var->VariableName, + &new_var->VendorGuid, +@@ -624,6 +814,12 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj, + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; + ++ if ((new_var->Attributes & ~EFI_VARIABLE_MASK) != 0 || ++ validate_var(new_var, new_var->Data, new_var->DataSize) == false) { ++ printk(KERN_ERR "efivars: Malformed variable content\n"); ++ return -EINVAL; ++ } ++ + spin_lock(&efivars->lock); + + /* +diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c +index b9da890..a6c2f7a 100644 +--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c ++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c +@@ -984,6 +984,7 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data, + struct intel_ring_buffer *ring; + u32 exec_start, exec_len; + u32 seqno; ++ u32 mask; + int ret, mode, i; + + if (!i915_gem_check_execbuffer(args)) { +@@ -1021,6 +1022,7 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data, + } + + mode = args->flags & I915_EXEC_CONSTANTS_MASK; ++ mask = I915_EXEC_CONSTANTS_MASK; + switch (mode) { + case I915_EXEC_CONSTANTS_REL_GENERAL: + case I915_EXEC_CONSTANTS_ABSOLUTE: +@@ -1034,18 +1036,9 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data, + mode == I915_EXEC_CONSTANTS_REL_SURFACE) + return -EINVAL; + +- ret = intel_ring_begin(ring, 4); +- if (ret) +- return ret; +- +- intel_ring_emit(ring, MI_NOOP); +- intel_ring_emit(ring, MI_LOAD_REGISTER_IMM(1)); +- intel_ring_emit(ring, INSTPM); +- intel_ring_emit(ring, +- I915_EXEC_CONSTANTS_MASK << 16 | mode); +- intel_ring_advance(ring); +- +- dev_priv->relative_constants_mode = mode; ++ /* The HW changed the meaning on this bit on gen6 */ ++ if (INTEL_INFO(dev)->gen >= 6) ++ mask &= ~I915_EXEC_CONSTANTS_REL_SURFACE; + } + break; + default: +@@ -1064,6 +1057,11 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data, + return -EINVAL; + } + ++ if (args->num_cliprects > UINT_MAX / sizeof(*cliprects)) { ++ DRM_DEBUG("execbuf with %u cliprects\n", ++ args->num_cliprects); ++ return -EINVAL; ++ } + cliprects = kmalloc(args->num_cliprects * sizeof(*cliprects), + GFP_KERNEL); + if (cliprects == NULL) { +@@ -1176,6 +1174,21 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data, + } + } + ++ if (ring == &dev_priv->ring[RCS] && ++ mode != dev_priv->relative_constants_mode) { ++ ret = intel_ring_begin(ring, 4); ++ if (ret) ++ goto err; ++ ++ intel_ring_emit(ring, MI_NOOP); ++ intel_ring_emit(ring, MI_LOAD_REGISTER_IMM(1)); ++ intel_ring_emit(ring, INSTPM); ++ intel_ring_emit(ring, mask << 16 | mode); ++ intel_ring_advance(ring); ++ ++ dev_priv->relative_constants_mode = mode; ++ } ++ + trace_i915_gem_ring_dispatch(ring, seqno); + + exec_start = batch_obj->gtt_offset + args->batch_start_offset; +@@ -1314,7 +1327,8 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data, + struct drm_i915_gem_exec_object2 *exec2_list = NULL; + int ret; + +- if (args->buffer_count < 1) { ++ if (args->buffer_count < 1 || ++ args->buffer_count > UINT_MAX / sizeof(*exec2_list)) { + DRM_ERROR("execbuf2 with %d buffers\n", args->buffer_count); + return -EINVAL; + } +diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h +index 2f99fd4..cbe5a88 100644 +--- a/drivers/gpu/drm/i915/i915_reg.h ++++ b/drivers/gpu/drm/i915/i915_reg.h +@@ -442,6 +442,7 @@ + #define INSTPM_AGPBUSY_DIS (1<<11) /* gen3: when disabled, pending interrupts + will not assert AGPBUSY# and will only + be delivered when out of C3. */ ++#define INSTPM_FORCE_ORDERING (1<<7) /* GEN6+ */ + #define ACTHD 0x020c8 + #define FW_BLC 0x020d8 + #define FW_BLC2 0x020dc +@@ -522,6 +523,7 @@ + #define CM0_MASK_SHIFT 16 + #define CM0_IZ_OPT_DISABLE (1<<6) + #define CM0_ZR_OPT_DISABLE (1<<5) ++#define CM0_STC_EVICT_DISABLE_LRA_SNB (1<<5) + #define CM0_DEPTH_EVICT_DISABLE (1<<4) + #define CM0_COLOR_EVICT_DISABLE (1<<3) + #define CM0_DEPTH_WRITE_DISABLE (1<<1) +diff --git a/drivers/gpu/drm/i915/intel_hdmi.c b/drivers/gpu/drm/i915/intel_hdmi.c +index 64541f7..9cd81ba 100644 +--- a/drivers/gpu/drm/i915/intel_hdmi.c ++++ b/drivers/gpu/drm/i915/intel_hdmi.c +@@ -136,7 +136,7 @@ static void i9xx_write_infoframe(struct drm_encoder *encoder, + + val &= ~VIDEO_DIP_SELECT_MASK; + +- I915_WRITE(VIDEO_DIP_CTL, val | port | flags); ++ I915_WRITE(VIDEO_DIP_CTL, VIDEO_DIP_ENABLE | val | port | flags); + + for (i = 0; i < len; i += 4) { + I915_WRITE(VIDEO_DIP_DATA, *data); +diff --git a/drivers/gpu/drm/i915/intel_ringbuffer.c b/drivers/gpu/drm/i915/intel_ringbuffer.c +index 8673581..62f9ac5 100644 +--- a/drivers/gpu/drm/i915/intel_ringbuffer.c ++++ b/drivers/gpu/drm/i915/intel_ringbuffer.c +@@ -414,6 +414,22 @@ static int init_render_ring(struct intel_ring_buffer *ring) + return ret; + } + ++ ++ if (IS_GEN6(dev)) { ++ /* From the Sandybridge PRM, volume 1 part 3, page 24: ++ * "If this bit is set, STCunit will have LRA as replacement ++ * policy. [...] This bit must be reset. LRA replacement ++ * policy is not supported." ++ */ ++ I915_WRITE(CACHE_MODE_0, ++ CM0_STC_EVICT_DISABLE_LRA_SNB << CM0_MASK_SHIFT); ++ } ++ ++ if (INTEL_INFO(dev)->gen >= 6) { ++ I915_WRITE(INSTPM, ++ INSTPM_FORCE_ORDERING << 16 | INSTPM_FORCE_ORDERING); ++ } ++ + return ret; + } + +diff --git a/drivers/gpu/drm/i915/intel_sdvo.c b/drivers/gpu/drm/i915/intel_sdvo.c +index e334ec3..8eddcca 100644 +--- a/drivers/gpu/drm/i915/intel_sdvo.c ++++ b/drivers/gpu/drm/i915/intel_sdvo.c +@@ -731,6 +731,7 @@ static void intel_sdvo_get_dtd_from_mode(struct intel_sdvo_dtd *dtd, + uint16_t width, height; + uint16_t h_blank_len, h_sync_len, v_blank_len, v_sync_len; + uint16_t h_sync_offset, v_sync_offset; ++ int mode_clock; + + width = mode->crtc_hdisplay; + height = mode->crtc_vdisplay; +@@ -745,7 +746,11 @@ static void intel_sdvo_get_dtd_from_mode(struct intel_sdvo_dtd *dtd, + h_sync_offset = mode->crtc_hsync_start - mode->crtc_hblank_start; + v_sync_offset = mode->crtc_vsync_start - mode->crtc_vblank_start; + +- dtd->part1.clock = mode->clock / 10; ++ mode_clock = mode->clock; ++ mode_clock /= intel_mode_get_pixel_multiplier(mode) ?: 1; ++ mode_clock /= 10; ++ dtd->part1.clock = mode_clock; ++ + dtd->part1.h_active = width & 0xff; + dtd->part1.h_blank = h_blank_len & 0xff; + dtd->part1.h_high = (((width >> 8) & 0xf) << 4) | +@@ -997,7 +1002,7 @@ static void intel_sdvo_mode_set(struct drm_encoder *encoder, + struct intel_sdvo *intel_sdvo = to_intel_sdvo(encoder); + u32 sdvox; + struct intel_sdvo_in_out_map in_out; +- struct intel_sdvo_dtd input_dtd; ++ struct intel_sdvo_dtd input_dtd, output_dtd; + int pixel_multiplier = intel_mode_get_pixel_multiplier(adjusted_mode); + int rate; + +@@ -1022,20 +1027,13 @@ static void intel_sdvo_mode_set(struct drm_encoder *encoder, + intel_sdvo->attached_output)) + return; + +- /* We have tried to get input timing in mode_fixup, and filled into +- * adjusted_mode. +- */ +- if (intel_sdvo->is_tv || intel_sdvo->is_lvds) { +- input_dtd = intel_sdvo->input_dtd; +- } else { +- /* Set the output timing to the screen */ +- if (!intel_sdvo_set_target_output(intel_sdvo, +- intel_sdvo->attached_output)) +- return; +- +- intel_sdvo_get_dtd_from_mode(&input_dtd, adjusted_mode); +- (void) intel_sdvo_set_output_timing(intel_sdvo, &input_dtd); +- } ++ /* lvds has a special fixed output timing. */ ++ if (intel_sdvo->is_lvds) ++ intel_sdvo_get_dtd_from_mode(&output_dtd, ++ intel_sdvo->sdvo_lvds_fixed_mode); ++ else ++ intel_sdvo_get_dtd_from_mode(&output_dtd, mode); ++ (void) intel_sdvo_set_output_timing(intel_sdvo, &output_dtd); + + /* Set the input timing to the screen. Assume always input 0. */ + if (!intel_sdvo_set_target_input(intel_sdvo)) +@@ -1053,6 +1051,10 @@ static void intel_sdvo_mode_set(struct drm_encoder *encoder, + !intel_sdvo_set_tv_format(intel_sdvo)) + return; + ++ /* We have tried to get input timing in mode_fixup, and filled into ++ * adjusted_mode. ++ */ ++ intel_sdvo_get_dtd_from_mode(&input_dtd, adjusted_mode); + (void) intel_sdvo_set_input_timing(intel_sdvo, &input_dtd); + + switch (pixel_multiplier) { +@@ -1219,8 +1221,14 @@ static bool intel_sdvo_get_capabilities(struct intel_sdvo *intel_sdvo, struct in + + static int intel_sdvo_supports_hotplug(struct intel_sdvo *intel_sdvo) + { ++ struct drm_device *dev = intel_sdvo->base.base.dev; + u8 response[2]; + ++ /* HW Erratum: SDVO Hotplug is broken on all i945G chips, there's noise ++ * on the line. */ ++ if (IS_I945G(dev) || IS_I945GM(dev)) ++ return false; ++ + return intel_sdvo_get_value(intel_sdvo, SDVO_CMD_GET_HOT_PLUG_SUPPORT, + &response, 2) && response[0]; + } +diff --git a/drivers/gpu/drm/nouveau/nouveau_acpi.c b/drivers/gpu/drm/nouveau/nouveau_acpi.c +index 525744d..3df56c7 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_acpi.c ++++ b/drivers/gpu/drm/nouveau/nouveau_acpi.c +@@ -245,7 +245,7 @@ static bool nouveau_dsm_detect(void) + struct acpi_buffer buffer = {sizeof(acpi_method_name), acpi_method_name}; + struct pci_dev *pdev = NULL; + int has_dsm = 0; +- int has_optimus; ++ int has_optimus = 0; + int vga_count = 0; + bool guid_valid; + int retval; +diff --git a/drivers/gpu/drm/radeon/atombios_crtc.c b/drivers/gpu/drm/radeon/atombios_crtc.c +index b30081f..757c549 100644 +--- a/drivers/gpu/drm/radeon/atombios_crtc.c ++++ b/drivers/gpu/drm/radeon/atombios_crtc.c +@@ -917,8 +917,8 @@ static void atombios_crtc_set_pll(struct drm_crtc *crtc, struct drm_display_mode + break; + } + +- if (radeon_encoder->active_device & +- (ATOM_DEVICE_LCD_SUPPORT | ATOM_DEVICE_DFP_SUPPORT)) { ++ if ((radeon_encoder->active_device & (ATOM_DEVICE_LCD_SUPPORT | ATOM_DEVICE_DFP_SUPPORT)) || ++ (radeon_encoder_get_dp_bridge_encoder_id(encoder) != ENCODER_OBJECT_ID_NONE)) { + struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv; + struct drm_connector *connector = + radeon_get_connector_for_encoder(encoder); +diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c +index 104b376..427468f 100644 +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -51,7 +51,7 @@ module_param_named(tjmax, force_tjmax, int, 0444); + MODULE_PARM_DESC(tjmax, "TjMax value in degrees Celsius"); + + #define BASE_SYSFS_ATTR_NO 2 /* Sysfs Base attr no for coretemp */ +-#define NUM_REAL_CORES 16 /* Number of Real cores per cpu */ ++#define NUM_REAL_CORES 32 /* Number of Real cores per cpu */ + #define CORETEMP_NAME_LENGTH 17 /* String Length of attrs */ + #define MAX_CORE_ATTRS 4 /* Maximum no of basic attrs */ + #define TOTAL_ATTRS (MAX_CORE_ATTRS + 1) +@@ -705,6 +705,10 @@ static void __cpuinit put_core_offline(unsigned int cpu) + + indx = TO_ATTR_NO(cpu); + ++ /* The core id is too big, just return */ ++ if (indx > MAX_CORE_DATA - 1) ++ return; ++ + if (pdata->core_data[indx] && pdata->core_data[indx]->cpu == cpu) + coretemp_remove_core(pdata, &pdev->dev, indx); + +diff --git a/drivers/hwmon/fam15h_power.c b/drivers/hwmon/fam15h_power.c +index 930370d..9a4c3ab 100644 +--- a/drivers/hwmon/fam15h_power.c ++++ b/drivers/hwmon/fam15h_power.c +@@ -122,6 +122,41 @@ static bool __devinit fam15h_power_is_internal_node0(struct pci_dev *f4) + return true; + } + ++/* ++ * Newer BKDG versions have an updated recommendation on how to properly ++ * initialize the running average range (was: 0xE, now: 0x9). This avoids ++ * counter saturations resulting in bogus power readings. ++ * We correct this value ourselves to cope with older BIOSes. ++ */ ++static DEFINE_PCI_DEVICE_TABLE(affected_device) = { ++ { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_15H_NB_F4) }, ++ { 0 } ++}; ++ ++static void __devinit tweak_runavg_range(struct pci_dev *pdev) ++{ ++ u32 val; ++ ++ /* ++ * let this quirk apply only to the current version of the ++ * northbridge, since future versions may change the behavior ++ */ ++ if (!pci_match_id(affected_device, pdev)) ++ return; ++ ++ pci_bus_read_config_dword(pdev->bus, ++ PCI_DEVFN(PCI_SLOT(pdev->devfn), 5), ++ REG_TDP_RUNNING_AVERAGE, &val); ++ if ((val & 0xf) != 0xe) ++ return; ++ ++ val &= ~0xf; ++ val |= 0x9; ++ pci_bus_write_config_dword(pdev->bus, ++ PCI_DEVFN(PCI_SLOT(pdev->devfn), 5), ++ REG_TDP_RUNNING_AVERAGE, val); ++} ++ + static void __devinit fam15h_power_init_data(struct pci_dev *f4, + struct fam15h_power_data *data) + { +@@ -155,6 +190,13 @@ static int __devinit fam15h_power_probe(struct pci_dev *pdev, + struct device *dev; + int err; + ++ /* ++ * though we ignore every other northbridge, we still have to ++ * do the tweaking on _each_ node in MCM processors as the counters ++ * are working hand-in-hand ++ */ ++ tweak_runavg_range(pdev); ++ + if (!fam15h_power_is_internal_node0(pdev)) { + err = -ENODEV; + goto exit; +diff --git a/drivers/i2c/busses/i2c-pnx.c b/drivers/i2c/busses/i2c-pnx.c +index 04be9f8..eb8ad53 100644 +--- a/drivers/i2c/busses/i2c-pnx.c ++++ b/drivers/i2c/busses/i2c-pnx.c +@@ -546,8 +546,7 @@ static int i2c_pnx_controller_suspend(struct platform_device *pdev, + { + struct i2c_pnx_algo_data *alg_data = platform_get_drvdata(pdev); + +- /* FIXME: shouldn't this be clk_disable? */ +- clk_enable(alg_data->clk); ++ clk_disable(alg_data->clk); + + return 0; + } +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 6f37aa4..065ab4f 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -8100,7 +8100,8 @@ static int md_notify_reboot(struct notifier_block *this, + + for_each_mddev(mddev, tmp) { + if (mddev_trylock(mddev)) { +- __md_stop_writes(mddev); ++ if (mddev->pers) ++ __md_stop_writes(mddev); + mddev->safemode = 2; + mddev_unlock(mddev); + } +diff --git a/drivers/media/dvb/frontends/drxk_hard.c b/drivers/media/dvb/frontends/drxk_hard.c +index f6431ef..a1f5e3d 100644 +--- a/drivers/media/dvb/frontends/drxk_hard.c ++++ b/drivers/media/dvb/frontends/drxk_hard.c +@@ -1523,8 +1523,10 @@ static int scu_command(struct drxk_state *state, + dprintk(1, "\n"); + + if ((cmd == 0) || ((parameterLen > 0) && (parameter == NULL)) || +- ((resultLen > 0) && (result == NULL))) +- goto error; ++ ((resultLen > 0) && (result == NULL))) { ++ printk(KERN_ERR "drxk: Error %d on %s\n", status, __func__); ++ return status; ++ } + + mutex_lock(&state->mutex); + +diff --git a/drivers/media/rc/winbond-cir.c b/drivers/media/rc/winbond-cir.c +index 13f54b5..a7e7d6f 100644 +--- a/drivers/media/rc/winbond-cir.c ++++ b/drivers/media/rc/winbond-cir.c +@@ -1046,6 +1046,7 @@ wbcir_probe(struct pnp_dev *device, const struct pnp_device_id *dev_id) + goto exit_unregister_led; + } + ++ data->dev->driver_type = RC_DRIVER_IR_RAW; + data->dev->driver_name = WBCIR_NAME; + data->dev->input_name = WBCIR_NAME; + data->dev->input_phys = "wbcir/cir0"; +diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c +index e15e47d..34416d4 100644 +--- a/drivers/mmc/card/block.c ++++ b/drivers/mmc/card/block.c +@@ -799,7 +799,7 @@ static int mmc_blk_issue_secdiscard_rq(struct mmc_queue *mq, + { + struct mmc_blk_data *md = mq->data; + struct mmc_card *card = md->queue.card; +- unsigned int from, nr, arg; ++ unsigned int from, nr, arg, trim_arg, erase_arg; + int err = 0, type = MMC_BLK_SECDISCARD; + + if (!(mmc_can_secure_erase_trim(card) || mmc_can_sanitize(card))) { +@@ -807,20 +807,26 @@ static int mmc_blk_issue_secdiscard_rq(struct mmc_queue *mq, + goto out; + } + ++ from = blk_rq_pos(req); ++ nr = blk_rq_sectors(req); ++ + /* The sanitize operation is supported at v4.5 only */ + if (mmc_can_sanitize(card)) { +- err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL, +- EXT_CSD_SANITIZE_START, 1, 0); +- goto out; ++ erase_arg = MMC_ERASE_ARG; ++ trim_arg = MMC_TRIM_ARG; ++ } else { ++ erase_arg = MMC_SECURE_ERASE_ARG; ++ trim_arg = MMC_SECURE_TRIM1_ARG; + } + +- from = blk_rq_pos(req); +- nr = blk_rq_sectors(req); +- +- if (mmc_can_trim(card) && !mmc_erase_group_aligned(card, from, nr)) +- arg = MMC_SECURE_TRIM1_ARG; +- else +- arg = MMC_SECURE_ERASE_ARG; ++ if (mmc_erase_group_aligned(card, from, nr)) ++ arg = erase_arg; ++ else if (mmc_can_trim(card)) ++ arg = trim_arg; ++ else { ++ err = -EINVAL; ++ goto out; ++ } + retry: + if (card->quirks & MMC_QUIRK_INAND_CMD38) { + err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL, +@@ -830,25 +836,41 @@ retry: + INAND_CMD38_ARG_SECERASE, + 0); + if (err) +- goto out; ++ goto out_retry; + } ++ + err = mmc_erase(card, from, nr, arg); +- if (!err && arg == MMC_SECURE_TRIM1_ARG) { ++ if (err == -EIO) ++ goto out_retry; ++ if (err) ++ goto out; ++ ++ if (arg == MMC_SECURE_TRIM1_ARG) { + if (card->quirks & MMC_QUIRK_INAND_CMD38) { + err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL, + INAND_CMD38_ARG_EXT_CSD, + INAND_CMD38_ARG_SECTRIM2, + 0); + if (err) +- goto out; ++ goto out_retry; + } ++ + err = mmc_erase(card, from, nr, MMC_SECURE_TRIM2_ARG); ++ if (err == -EIO) ++ goto out_retry; ++ if (err) ++ goto out; + } +-out: +- if (err == -EIO && !mmc_blk_reset(md, card->host, type)) ++ ++ if (mmc_can_sanitize(card)) ++ err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL, ++ EXT_CSD_SANITIZE_START, 1, 0); ++out_retry: ++ if (err && !mmc_blk_reset(md, card->host, type)) + goto retry; + if (!err) + mmc_blk_reset_success(md, type); ++out: + spin_lock_irq(&md->lock); + __blk_end_request(req, err, blk_rq_bytes(req)); + spin_unlock_irq(&md->lock); +diff --git a/drivers/mmc/card/queue.c b/drivers/mmc/card/queue.c +index dcad59c..78690f2 100644 +--- a/drivers/mmc/card/queue.c ++++ b/drivers/mmc/card/queue.c +@@ -134,7 +134,7 @@ static void mmc_queue_setup_discard(struct request_queue *q, + + queue_flag_set_unlocked(QUEUE_FLAG_DISCARD, q); + q->limits.max_discard_sectors = max_discard; +- if (card->erased_byte == 0) ++ if (card->erased_byte == 0 && !mmc_can_discard(card)) + q->limits.discard_zeroes_data = 1; + q->limits.discard_granularity = card->pref_erase << 9; + /* granularity must not be greater than max. discard */ +diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c +index 950b97d..411a994 100644 +--- a/drivers/mmc/core/core.c ++++ b/drivers/mmc/core/core.c +@@ -1516,7 +1516,10 @@ static unsigned int mmc_mmc_erase_timeout(struct mmc_card *card, + { + unsigned int erase_timeout; + +- if (card->ext_csd.erase_group_def & 1) { ++ if (arg == MMC_DISCARD_ARG || ++ (arg == MMC_TRIM_ARG && card->ext_csd.rev >= 6)) { ++ erase_timeout = card->ext_csd.trim_timeout; ++ } else if (card->ext_csd.erase_group_def & 1) { + /* High Capacity Erase Group Size uses HC timeouts */ + if (arg == MMC_TRIM_ARG) + erase_timeout = card->ext_csd.trim_timeout; +@@ -1788,8 +1791,6 @@ int mmc_can_trim(struct mmc_card *card) + { + if (card->ext_csd.sec_feature_support & EXT_CSD_SEC_GB_CL_EN) + return 1; +- if (mmc_can_discard(card)) +- return 1; + return 0; + } + EXPORT_SYMBOL(mmc_can_trim); +@@ -1808,6 +1809,8 @@ EXPORT_SYMBOL(mmc_can_discard); + + int mmc_can_sanitize(struct mmc_card *card) + { ++ if (!mmc_can_trim(card) && !mmc_can_erase(card)) ++ return 0; + if (card->ext_csd.sec_feature_support & EXT_CSD_SEC_SANITIZE) + return 1; + return 0; +diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c +index 4540e37..1b47937 100644 +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -467,8 +467,7 @@ static int __devinit sdhci_esdhc_imx_probe(struct platform_device *pdev) + clk_enable(clk); + pltfm_host->clk = clk; + +- if (!is_imx25_esdhc(imx_data)) +- host->quirks |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL; ++ host->quirks |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL; + + if (is_imx25_esdhc(imx_data) || is_imx35_esdhc(imx_data)) + /* Fix errata ENGcm07207 present on i.MX25 and i.MX35 */ +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index e58aa2b..f65e0b9 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2982,7 +2982,11 @@ static void bond_ab_arp_commit(struct bonding *bond, int delta_in_ticks) + trans_start + delta_in_ticks)) || + bond->curr_active_slave != slave) { + slave->link = BOND_LINK_UP; +- bond->current_arp_slave = NULL; ++ if (bond->current_arp_slave) { ++ bond_set_slave_inactive_flags( ++ bond->current_arp_slave); ++ bond->current_arp_slave = NULL; ++ } + + pr_info("%s: link status definitely up for interface %s.\n", + bond->dev->name, slave->dev->name); +diff --git a/drivers/net/dummy.c b/drivers/net/dummy.c +index a7c5e88..eeac9ca 100644 +--- a/drivers/net/dummy.c ++++ b/drivers/net/dummy.c +@@ -106,14 +106,14 @@ static int dummy_dev_init(struct net_device *dev) + return 0; + } + +-static void dummy_dev_free(struct net_device *dev) ++static void dummy_dev_uninit(struct net_device *dev) + { + free_percpu(dev->dstats); +- free_netdev(dev); + } + + static const struct net_device_ops dummy_netdev_ops = { + .ndo_init = dummy_dev_init, ++ .ndo_uninit = dummy_dev_uninit, + .ndo_start_xmit = dummy_xmit, + .ndo_validate_addr = eth_validate_addr, + .ndo_set_rx_mode = set_multicast_list, +@@ -127,7 +127,7 @@ static void dummy_setup(struct net_device *dev) + + /* Initialize the device structure. */ + dev->netdev_ops = &dummy_netdev_ops; +- dev->destructor = dummy_dev_free; ++ dev->destructor = free_netdev; + + /* Fill in device structure with ethernet-generic values. */ + dev->tx_queue_len = 0; +diff --git a/drivers/net/ethernet/atheros/atlx/atl1.c b/drivers/net/ethernet/atheros/atlx/atl1.c +index 33a4e35..ee532e1 100644 +--- a/drivers/net/ethernet/atheros/atlx/atl1.c ++++ b/drivers/net/ethernet/atheros/atlx/atl1.c +@@ -2473,7 +2473,7 @@ static irqreturn_t atl1_intr(int irq, void *data) + "pcie phy link down %x\n", status); + if (netif_running(adapter->netdev)) { /* reset MAC */ + iowrite32(0, adapter->hw.hw_addr + REG_IMR); +- schedule_work(&adapter->pcie_dma_to_rst_task); ++ schedule_work(&adapter->reset_dev_task); + return IRQ_HANDLED; + } + } +@@ -2485,7 +2485,7 @@ static irqreturn_t atl1_intr(int irq, void *data) + "pcie DMA r/w error (status = 0x%x)\n", + status); + iowrite32(0, adapter->hw.hw_addr + REG_IMR); +- schedule_work(&adapter->pcie_dma_to_rst_task); ++ schedule_work(&adapter->reset_dev_task); + return IRQ_HANDLED; + } + +@@ -2630,10 +2630,10 @@ static void atl1_down(struct atl1_adapter *adapter) + atl1_clean_rx_ring(adapter); + } + +-static void atl1_tx_timeout_task(struct work_struct *work) ++static void atl1_reset_dev_task(struct work_struct *work) + { + struct atl1_adapter *adapter = +- container_of(work, struct atl1_adapter, tx_timeout_task); ++ container_of(work, struct atl1_adapter, reset_dev_task); + struct net_device *netdev = adapter->netdev; + + netif_device_detach(netdev); +@@ -3032,12 +3032,10 @@ static int __devinit atl1_probe(struct pci_dev *pdev, + (unsigned long)adapter); + adapter->phy_timer_pending = false; + +- INIT_WORK(&adapter->tx_timeout_task, atl1_tx_timeout_task); ++ INIT_WORK(&adapter->reset_dev_task, atl1_reset_dev_task); + + INIT_WORK(&adapter->link_chg_task, atlx_link_chg_task); + +- INIT_WORK(&adapter->pcie_dma_to_rst_task, atl1_tx_timeout_task); +- + err = register_netdev(netdev); + if (err) + goto err_common; +diff --git a/drivers/net/ethernet/atheros/atlx/atl1.h b/drivers/net/ethernet/atheros/atlx/atl1.h +index 109d6da..e04bf4d 100644 +--- a/drivers/net/ethernet/atheros/atlx/atl1.h ++++ b/drivers/net/ethernet/atheros/atlx/atl1.h +@@ -758,9 +758,8 @@ struct atl1_adapter { + u16 link_speed; + u16 link_duplex; + spinlock_t lock; +- struct work_struct tx_timeout_task; ++ struct work_struct reset_dev_task; + struct work_struct link_chg_task; +- struct work_struct pcie_dma_to_rst_task; + + struct timer_list phy_config_timer; + bool phy_timer_pending; +diff --git a/drivers/net/ethernet/atheros/atlx/atlx.c b/drivers/net/ethernet/atheros/atlx/atlx.c +index aabcf4b..41c6d83 100644 +--- a/drivers/net/ethernet/atheros/atlx/atlx.c ++++ b/drivers/net/ethernet/atheros/atlx/atlx.c +@@ -193,7 +193,7 @@ static void atlx_tx_timeout(struct net_device *netdev) + { + struct atlx_adapter *adapter = netdev_priv(netdev); + /* Do the reset outside of interrupt context */ +- schedule_work(&adapter->tx_timeout_task); ++ schedule_work(&adapter->reset_dev_task); + } + + /* +diff --git a/drivers/net/ethernet/micrel/ks8851_mll.c b/drivers/net/ethernet/micrel/ks8851_mll.c +index d19c849..77241b6 100644 +--- a/drivers/net/ethernet/micrel/ks8851_mll.c ++++ b/drivers/net/ethernet/micrel/ks8851_mll.c +@@ -40,7 +40,7 @@ + #define DRV_NAME "ks8851_mll" + + static u8 KS_DEFAULT_MAC_ADDRESS[] = { 0x00, 0x10, 0xA1, 0x86, 0x95, 0x11 }; +-#define MAX_RECV_FRAMES 32 ++#define MAX_RECV_FRAMES 255 + #define MAX_BUF_SIZE 2048 + #define TX_BUF_SIZE 2000 + #define RX_BUF_SIZE 2000 +diff --git a/drivers/net/ethernet/micrel/ksz884x.c b/drivers/net/ethernet/micrel/ksz884x.c +index 7ece990..4b9f4bd 100644 +--- a/drivers/net/ethernet/micrel/ksz884x.c ++++ b/drivers/net/ethernet/micrel/ksz884x.c +@@ -5679,7 +5679,7 @@ static int netdev_set_mac_address(struct net_device *dev, void *addr) + memcpy(hw->override_addr, mac->sa_data, MAC_ADDR_LEN); + } + +- memcpy(dev->dev_addr, mac->sa_data, MAX_ADDR_LEN); ++ memcpy(dev->dev_addr, mac->sa_data, ETH_ALEN); + + interrupt = hw_block_intr(hw); + +diff --git a/drivers/net/ethernet/realtek/8139cp.c b/drivers/net/ethernet/realtek/8139cp.c +index aba4f67..8f47907 100644 +--- a/drivers/net/ethernet/realtek/8139cp.c ++++ b/drivers/net/ethernet/realtek/8139cp.c +@@ -961,6 +961,11 @@ static inline void cp_start_hw (struct cp_private *cp) + cpw8(Cmd, RxOn | TxOn); + } + ++static void cp_enable_irq(struct cp_private *cp) ++{ ++ cpw16_f(IntrMask, cp_intr_mask); ++} ++ + static void cp_init_hw (struct cp_private *cp) + { + struct net_device *dev = cp->dev; +@@ -1000,8 +1005,6 @@ static void cp_init_hw (struct cp_private *cp) + + cpw16(MultiIntr, 0); + +- cpw16_f(IntrMask, cp_intr_mask); +- + cpw8_f(Cfg9346, Cfg9346_Lock); + } + +@@ -1133,6 +1136,8 @@ static int cp_open (struct net_device *dev) + if (rc) + goto err_out_hw; + ++ cp_enable_irq(cp); ++ + netif_carrier_off(dev); + mii_check_media(&cp->mii_if, netif_msg_link(cp), true); + netif_start_queue(dev); +@@ -2034,6 +2039,7 @@ static int cp_resume (struct pci_dev *pdev) + /* FIXME: sh*t may happen if the Rx ring buffer is depleted */ + cp_init_rings_index (cp); + cp_init_hw (cp); ++ cp_enable_irq(cp); + netif_start_queue (dev); + + spin_lock_irqsave (&cp->lock, flags); +diff --git a/drivers/net/ethernet/smsc/smsc911x.c b/drivers/net/ethernet/smsc/smsc911x.c +index 8843071..8c7dd21 100644 +--- a/drivers/net/ethernet/smsc/smsc911x.c ++++ b/drivers/net/ethernet/smsc/smsc911x.c +@@ -1089,10 +1089,8 @@ smsc911x_rx_counterrors(struct net_device *dev, unsigned int rxstat) + + /* Quickly dumps bad packets */ + static void +-smsc911x_rx_fastforward(struct smsc911x_data *pdata, unsigned int pktbytes) ++smsc911x_rx_fastforward(struct smsc911x_data *pdata, unsigned int pktwords) + { +- unsigned int pktwords = (pktbytes + NET_IP_ALIGN + 3) >> 2; +- + if (likely(pktwords >= 4)) { + unsigned int timeout = 500; + unsigned int val; +@@ -1156,7 +1154,7 @@ static int smsc911x_poll(struct napi_struct *napi, int budget) + continue; + } + +- skb = netdev_alloc_skb(dev, pktlength + NET_IP_ALIGN); ++ skb = netdev_alloc_skb(dev, pktwords << 2); + if (unlikely(!skb)) { + SMSC_WARN(pdata, rx_err, + "Unable to allocate skb for rx packet"); +@@ -1166,14 +1164,12 @@ static int smsc911x_poll(struct napi_struct *napi, int budget) + break; + } + +- skb->data = skb->head; +- skb_reset_tail_pointer(skb); ++ pdata->ops->rx_readfifo(pdata, ++ (unsigned int *)skb->data, pktwords); + + /* Align IP on 16B boundary */ + skb_reserve(skb, NET_IP_ALIGN); + skb_put(skb, pktlength - 4); +- pdata->ops->rx_readfifo(pdata, +- (unsigned int *)skb->head, pktwords); + skb->protocol = eth_type_trans(skb, dev); + skb_checksum_none_assert(skb); + netif_receive_skb(skb); +@@ -1396,7 +1392,7 @@ static int smsc911x_open(struct net_device *dev) + smsc911x_reg_write(pdata, FIFO_INT, temp); + + /* set RX Data offset to 2 bytes for alignment */ +- smsc911x_reg_write(pdata, RX_CFG, (2 << 8)); ++ smsc911x_reg_write(pdata, RX_CFG, (NET_IP_ALIGN << 8)); + + /* enable NAPI polling before enabling RX interrupts */ + napi_enable(&pdata->napi); +diff --git a/drivers/net/ethernet/ti/davinci_mdio.c b/drivers/net/ethernet/ti/davinci_mdio.c +index 7615040..f470ab6 100644 +--- a/drivers/net/ethernet/ti/davinci_mdio.c ++++ b/drivers/net/ethernet/ti/davinci_mdio.c +@@ -181,6 +181,11 @@ static inline int wait_for_user_access(struct davinci_mdio_data *data) + __davinci_mdio_reset(data); + return -EAGAIN; + } ++ ++ reg = __raw_readl(®s->user[0].access); ++ if ((reg & USERACCESS_GO) == 0) ++ return 0; ++ + dev_err(data->dev, "timed out waiting for user access\n"); + return -ETIMEDOUT; + } +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index 486b404..3ed983c 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -968,7 +968,6 @@ ppp_start_xmit(struct sk_buff *skb, struct net_device *dev) + proto = npindex_to_proto[npi]; + put_unaligned_be16(proto, pp); + +- netif_stop_queue(dev); + skb_queue_tail(&ppp->file.xq, skb); + ppp_xmit_process(ppp); + return NETDEV_TX_OK; +@@ -1063,6 +1062,8 @@ ppp_xmit_process(struct ppp *ppp) + code that we can accept some more. */ + if (!ppp->xmit_pending && !skb_peek(&ppp->file.xq)) + netif_wake_queue(ppp->dev); ++ else ++ netif_stop_queue(ppp->dev); + } + ppp_xmit_unlock(ppp); + } +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c +index a5b9b12..7bd219b 100644 +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -1050,6 +1050,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) + dev->net->ethtool_ops = &smsc75xx_ethtool_ops; + dev->net->flags |= IFF_MULTICAST; + dev->net->hard_header_len += SMSC75XX_TX_OVERHEAD; ++ dev->hard_mtu = dev->net->mtu + dev->net->hard_header_len; + return 0; + } + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index eff6767..55b3218 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -1190,7 +1190,7 @@ static const struct driver_info smsc95xx_info = { + .rx_fixup = smsc95xx_rx_fixup, + .tx_fixup = smsc95xx_tx_fixup, + .status = smsc95xx_status, +- .flags = FLAG_ETHER | FLAG_SEND_ZLP, ++ .flags = FLAG_ETHER | FLAG_SEND_ZLP | FLAG_LINK_INTR, + }; + + static const struct usb_device_id products[] = { +diff --git a/drivers/net/wimax/i2400m/netdev.c b/drivers/net/wimax/i2400m/netdev.c +index 64a1106..4697cf3 100644 +--- a/drivers/net/wimax/i2400m/netdev.c ++++ b/drivers/net/wimax/i2400m/netdev.c +@@ -607,7 +607,8 @@ static void i2400m_get_drvinfo(struct net_device *net_dev, + struct i2400m *i2400m = net_dev_to_i2400m(net_dev); + + strncpy(info->driver, KBUILD_MODNAME, sizeof(info->driver) - 1); +- strncpy(info->fw_version, i2400m->fw_name, sizeof(info->fw_version) - 1); ++ strncpy(info->fw_version, ++ i2400m->fw_name ? : "", sizeof(info->fw_version) - 1); + if (net_dev->dev.parent) + strncpy(info->bus_info, dev_name(net_dev->dev.parent), + sizeof(info->bus_info) - 1); +diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c +index 5634d9a..680709c 100644 +--- a/drivers/net/wireless/b43/main.c ++++ b/drivers/net/wireless/b43/main.c +@@ -4820,8 +4820,14 @@ static int b43_op_start(struct ieee80211_hw *hw) + out_mutex_unlock: + mutex_unlock(&wl->mutex); + +- /* reload configuration */ +- b43_op_config(hw, ~0); ++ /* ++ * Configuration may have been overwritten during initialization. ++ * Reload the configuration, but only if initialization was ++ * successful. Reloading the configuration after a failed init ++ * may hang the system. ++ */ ++ if (!err) ++ b43_op_config(hw, ~0); + + return err; + } +diff --git a/drivers/net/wireless/brcm80211/brcmsmac/main.c b/drivers/net/wireless/brcm80211/brcmsmac/main.c +index 453f58e..f98becc 100644 +--- a/drivers/net/wireless/brcm80211/brcmsmac/main.c ++++ b/drivers/net/wireless/brcm80211/brcmsmac/main.c +@@ -7865,6 +7865,7 @@ brcms_c_recvctl(struct brcms_c_info *wlc, struct d11rxhdr *rxh, + { + int len_mpdu; + struct ieee80211_rx_status rx_status; ++ struct ieee80211_hdr *hdr; + + memset(&rx_status, 0, sizeof(rx_status)); + prep_mac80211_status(wlc, rxh, p, &rx_status); +@@ -7874,6 +7875,13 @@ brcms_c_recvctl(struct brcms_c_info *wlc, struct d11rxhdr *rxh, + skb_pull(p, D11_PHY_HDR_LEN); + __skb_trim(p, len_mpdu); + ++ /* unmute transmit */ ++ if (wlc->hw->suspended_fifos) { ++ hdr = (struct ieee80211_hdr *)p->data; ++ if (ieee80211_is_beacon(hdr->frame_control)) ++ brcms_b_mute(wlc->hw, false); ++ } ++ + memcpy(IEEE80211_SKB_RXCB(p), &rx_status, sizeof(rx_status)); + ieee80211_rx_irqsafe(wlc->pub->ieee_hw, p); + } +diff --git a/drivers/net/wireless/ipw2x00/ipw2200.c b/drivers/net/wireless/ipw2x00/ipw2200.c +index 99a710d..827889b 100644 +--- a/drivers/net/wireless/ipw2x00/ipw2200.c ++++ b/drivers/net/wireless/ipw2x00/ipw2200.c +@@ -2183,6 +2183,7 @@ static int __ipw_send_cmd(struct ipw_priv *priv, struct host_cmd *cmd) + { + int rc = 0; + unsigned long flags; ++ unsigned long now, end; + + spin_lock_irqsave(&priv->lock, flags); + if (priv->status & STATUS_HCMD_ACTIVE) { +@@ -2224,10 +2225,20 @@ static int __ipw_send_cmd(struct ipw_priv *priv, struct host_cmd *cmd) + } + spin_unlock_irqrestore(&priv->lock, flags); + ++ now = jiffies; ++ end = now + HOST_COMPLETE_TIMEOUT; ++again: + rc = wait_event_interruptible_timeout(priv->wait_command_queue, + !(priv-> + status & STATUS_HCMD_ACTIVE), +- HOST_COMPLETE_TIMEOUT); ++ end - now); ++ if (rc < 0) { ++ now = jiffies; ++ if (time_before(now, end)) ++ goto again; ++ rc = 0; ++ } ++ + if (rc == 0) { + spin_lock_irqsave(&priv->lock, flags); + if (priv->status & STATUS_HCMD_ACTIVE) { +diff --git a/drivers/net/wireless/iwlwifi/iwl-1000.c b/drivers/net/wireless/iwlwifi/iwl-1000.c +index dd008b0..1e6c8cc 100644 +--- a/drivers/net/wireless/iwlwifi/iwl-1000.c ++++ b/drivers/net/wireless/iwlwifi/iwl-1000.c +@@ -45,8 +45,8 @@ + #include "iwl-cfg.h" + + /* Highest firmware API version supported */ +-#define IWL1000_UCODE_API_MAX 6 +-#define IWL100_UCODE_API_MAX 6 ++#define IWL1000_UCODE_API_MAX 5 ++#define IWL100_UCODE_API_MAX 5 + + /* Oldest version we won't warn about */ + #define IWL1000_UCODE_API_OK 5 +@@ -244,5 +244,5 @@ struct iwl_cfg iwl100_bg_cfg = { + IWL_DEVICE_100, + }; + +-MODULE_FIRMWARE(IWL1000_MODULE_FIRMWARE(IWL1000_UCODE_API_MAX)); +-MODULE_FIRMWARE(IWL100_MODULE_FIRMWARE(IWL100_UCODE_API_MAX)); ++MODULE_FIRMWARE(IWL1000_MODULE_FIRMWARE(IWL1000_UCODE_API_OK)); ++MODULE_FIRMWARE(IWL100_MODULE_FIRMWARE(IWL100_UCODE_API_OK)); +diff --git a/drivers/net/wireless/iwlwifi/iwl-2000.c b/drivers/net/wireless/iwlwifi/iwl-2000.c +index 7943197..9823e41 100644 +--- a/drivers/net/wireless/iwlwifi/iwl-2000.c ++++ b/drivers/net/wireless/iwlwifi/iwl-2000.c +@@ -51,10 +51,10 @@ + #define IWL135_UCODE_API_MAX 6 + + /* Oldest version we won't warn about */ +-#define IWL2030_UCODE_API_OK 5 +-#define IWL2000_UCODE_API_OK 5 +-#define IWL105_UCODE_API_OK 5 +-#define IWL135_UCODE_API_OK 5 ++#define IWL2030_UCODE_API_OK 6 ++#define IWL2000_UCODE_API_OK 6 ++#define IWL105_UCODE_API_OK 6 ++#define IWL135_UCODE_API_OK 6 + + /* Lowest firmware API version supported */ + #define IWL2030_UCODE_API_MIN 5 +@@ -372,7 +372,7 @@ struct iwl_cfg iwl135_bgn_cfg = { + .ht_params = &iwl2000_ht_params, + }; + +-MODULE_FIRMWARE(IWL2000_MODULE_FIRMWARE(IWL2000_UCODE_API_MAX)); +-MODULE_FIRMWARE(IWL2030_MODULE_FIRMWARE(IWL2030_UCODE_API_MAX)); +-MODULE_FIRMWARE(IWL105_MODULE_FIRMWARE(IWL105_UCODE_API_MAX)); +-MODULE_FIRMWARE(IWL135_MODULE_FIRMWARE(IWL135_UCODE_API_MAX)); ++MODULE_FIRMWARE(IWL2000_MODULE_FIRMWARE(IWL2000_UCODE_API_OK)); ++MODULE_FIRMWARE(IWL2030_MODULE_FIRMWARE(IWL2030_UCODE_API_OK)); ++MODULE_FIRMWARE(IWL105_MODULE_FIRMWARE(IWL105_UCODE_API_OK)); ++MODULE_FIRMWARE(IWL135_MODULE_FIRMWARE(IWL135_UCODE_API_OK)); +diff --git a/drivers/net/wireless/iwlwifi/iwl-5000.c b/drivers/net/wireless/iwlwifi/iwl-5000.c +index f55fb2d..606213f 100644 +--- a/drivers/net/wireless/iwlwifi/iwl-5000.c ++++ b/drivers/net/wireless/iwlwifi/iwl-5000.c +@@ -50,6 +50,10 @@ + #define IWL5000_UCODE_API_MAX 5 + #define IWL5150_UCODE_API_MAX 2 + ++/* Oldest version we won't warn about */ ++#define IWL5000_UCODE_API_OK 5 ++#define IWL5150_UCODE_API_OK 2 ++ + /* Lowest firmware API version supported */ + #define IWL5000_UCODE_API_MIN 1 + #define IWL5150_UCODE_API_MIN 1 +@@ -373,6 +377,7 @@ static struct iwl_ht_params iwl5000_ht_params = { + #define IWL_DEVICE_5000 \ + .fw_name_pre = IWL5000_FW_PRE, \ + .ucode_api_max = IWL5000_UCODE_API_MAX, \ ++ .ucode_api_ok = IWL5000_UCODE_API_OK, \ + .ucode_api_min = IWL5000_UCODE_API_MIN, \ + .eeprom_ver = EEPROM_5000_EEPROM_VERSION, \ + .eeprom_calib_ver = EEPROM_5000_TX_POWER_VERSION, \ +@@ -416,6 +421,7 @@ struct iwl_cfg iwl5350_agn_cfg = { + .name = "Intel(R) WiMAX/WiFi Link 5350 AGN", + .fw_name_pre = IWL5000_FW_PRE, + .ucode_api_max = IWL5000_UCODE_API_MAX, ++ .ucode_api_ok = IWL5000_UCODE_API_OK, + .ucode_api_min = IWL5000_UCODE_API_MIN, + .eeprom_ver = EEPROM_5050_EEPROM_VERSION, + .eeprom_calib_ver = EEPROM_5050_TX_POWER_VERSION, +@@ -429,6 +435,7 @@ struct iwl_cfg iwl5350_agn_cfg = { + #define IWL_DEVICE_5150 \ + .fw_name_pre = IWL5150_FW_PRE, \ + .ucode_api_max = IWL5150_UCODE_API_MAX, \ ++ .ucode_api_ok = IWL5150_UCODE_API_OK, \ + .ucode_api_min = IWL5150_UCODE_API_MIN, \ + .eeprom_ver = EEPROM_5050_EEPROM_VERSION, \ + .eeprom_calib_ver = EEPROM_5050_TX_POWER_VERSION, \ +@@ -450,5 +457,5 @@ struct iwl_cfg iwl5150_abg_cfg = { + IWL_DEVICE_5150, + }; + +-MODULE_FIRMWARE(IWL5000_MODULE_FIRMWARE(IWL5000_UCODE_API_MAX)); +-MODULE_FIRMWARE(IWL5150_MODULE_FIRMWARE(IWL5150_UCODE_API_MAX)); ++MODULE_FIRMWARE(IWL5000_MODULE_FIRMWARE(IWL5000_UCODE_API_OK)); ++MODULE_FIRMWARE(IWL5150_MODULE_FIRMWARE(IWL5150_UCODE_API_OK)); +diff --git a/drivers/net/wireless/iwlwifi/iwl-6000.c b/drivers/net/wireless/iwlwifi/iwl-6000.c +index c840c78..b4f809c 100644 +--- a/drivers/net/wireless/iwlwifi/iwl-6000.c ++++ b/drivers/net/wireless/iwlwifi/iwl-6000.c +@@ -46,12 +46,15 @@ + #include "iwl-cfg.h" + + /* Highest firmware API version supported */ +-#define IWL6000_UCODE_API_MAX 4 ++#define IWL6000_UCODE_API_MAX 6 + #define IWL6050_UCODE_API_MAX 5 + #define IWL6000G2_UCODE_API_MAX 6 + + /* Oldest version we won't warn about */ ++#define IWL6000_UCODE_API_OK 4 + #define IWL6000G2_UCODE_API_OK 5 ++#define IWL6050_UCODE_API_OK 5 ++#define IWL6000G2B_UCODE_API_OK 6 + + /* Lowest firmware API version supported */ + #define IWL6000_UCODE_API_MIN 4 +@@ -399,7 +402,7 @@ struct iwl_cfg iwl6005_2agn_d_cfg = { + #define IWL_DEVICE_6030 \ + .fw_name_pre = IWL6030_FW_PRE, \ + .ucode_api_max = IWL6000G2_UCODE_API_MAX, \ +- .ucode_api_ok = IWL6000G2_UCODE_API_OK, \ ++ .ucode_api_ok = IWL6000G2B_UCODE_API_OK, \ + .ucode_api_min = IWL6000G2_UCODE_API_MIN, \ + .eeprom_ver = EEPROM_6030_EEPROM_VERSION, \ + .eeprom_calib_ver = EEPROM_6030_TX_POWER_VERSION, \ +@@ -479,6 +482,7 @@ struct iwl_cfg iwl130_bg_cfg = { + #define IWL_DEVICE_6000i \ + .fw_name_pre = IWL6000_FW_PRE, \ + .ucode_api_max = IWL6000_UCODE_API_MAX, \ ++ .ucode_api_ok = IWL6000_UCODE_API_OK, \ + .ucode_api_min = IWL6000_UCODE_API_MIN, \ + .valid_tx_ant = ANT_BC, /* .cfg overwrite */ \ + .valid_rx_ant = ANT_BC, /* .cfg overwrite */ \ +@@ -559,6 +563,7 @@ struct iwl_cfg iwl6000_3agn_cfg = { + .name = "Intel(R) Centrino(R) Ultimate-N 6300 AGN", + .fw_name_pre = IWL6000_FW_PRE, + .ucode_api_max = IWL6000_UCODE_API_MAX, ++ .ucode_api_ok = IWL6000_UCODE_API_OK, + .ucode_api_min = IWL6000_UCODE_API_MIN, + .eeprom_ver = EEPROM_6000_EEPROM_VERSION, + .eeprom_calib_ver = EEPROM_6000_TX_POWER_VERSION, +@@ -569,7 +574,7 @@ struct iwl_cfg iwl6000_3agn_cfg = { + .led_mode = IWL_LED_BLINK, + }; + +-MODULE_FIRMWARE(IWL6000_MODULE_FIRMWARE(IWL6000_UCODE_API_MAX)); +-MODULE_FIRMWARE(IWL6050_MODULE_FIRMWARE(IWL6050_UCODE_API_MAX)); +-MODULE_FIRMWARE(IWL6005_MODULE_FIRMWARE(IWL6000G2_UCODE_API_MAX)); +-MODULE_FIRMWARE(IWL6030_MODULE_FIRMWARE(IWL6000G2_UCODE_API_MAX)); ++MODULE_FIRMWARE(IWL6000_MODULE_FIRMWARE(IWL6000_UCODE_API_OK)); ++MODULE_FIRMWARE(IWL6050_MODULE_FIRMWARE(IWL6050_UCODE_API_OK)); ++MODULE_FIRMWARE(IWL6005_MODULE_FIRMWARE(IWL6000G2_UCODE_API_OK)); ++MODULE_FIRMWARE(IWL6030_MODULE_FIRMWARE(IWL6000G2B_UCODE_API_OK)); +diff --git a/drivers/net/wireless/iwlwifi/iwl-agn.c b/drivers/net/wireless/iwlwifi/iwl-agn.c +index e0e9a3d..d7d2512 100644 +--- a/drivers/net/wireless/iwlwifi/iwl-agn.c ++++ b/drivers/net/wireless/iwlwifi/iwl-agn.c +@@ -1504,7 +1504,6 @@ static void iwl_bg_run_time_calib_work(struct work_struct *work) + + static void iwlagn_prepare_restart(struct iwl_priv *priv) + { +- struct iwl_rxon_context *ctx; + bool bt_full_concurrent; + u8 bt_ci_compliance; + u8 bt_load; +@@ -1513,8 +1512,6 @@ static void iwlagn_prepare_restart(struct iwl_priv *priv) + + lockdep_assert_held(&priv->shrd->mutex); + +- for_each_context(priv, ctx) +- ctx->vif = NULL; + priv->is_open = 0; + + /* +diff --git a/drivers/net/wireless/iwlwifi/iwl-core.c b/drivers/net/wireless/iwlwifi/iwl-core.c +index 3d75d4c..832ec4d 100644 +--- a/drivers/net/wireless/iwlwifi/iwl-core.c ++++ b/drivers/net/wireless/iwlwifi/iwl-core.c +@@ -1228,6 +1228,7 @@ int iwlagn_mac_add_interface(struct ieee80211_hw *hw, + struct iwl_rxon_context *tmp, *ctx = NULL; + int err; + enum nl80211_iftype viftype = ieee80211_vif_type_p2p(vif); ++ bool reset = false; + + IWL_DEBUG_MAC80211(priv, "enter: type %d, addr %pM\n", + viftype, vif->addr); +@@ -1249,6 +1250,13 @@ int iwlagn_mac_add_interface(struct ieee80211_hw *hw, + tmp->interface_modes | tmp->exclusive_interface_modes; + + if (tmp->vif) { ++ /* On reset we need to add the same interface again */ ++ if (tmp->vif == vif) { ++ reset = true; ++ ctx = tmp; ++ break; ++ } ++ + /* check if this busy context is exclusive */ + if (tmp->exclusive_interface_modes & + BIT(tmp->vif->type)) { +@@ -1275,7 +1283,7 @@ int iwlagn_mac_add_interface(struct ieee80211_hw *hw, + ctx->vif = vif; + + err = iwl_setup_interface(priv, ctx); +- if (!err) ++ if (!err || reset) + goto out; + + ctx->vif = NULL; +diff --git a/drivers/net/wireless/iwlwifi/iwl-fh.h b/drivers/net/wireless/iwlwifi/iwl-fh.h +index 5bede9d..aae992a 100644 +--- a/drivers/net/wireless/iwlwifi/iwl-fh.h ++++ b/drivers/net/wireless/iwlwifi/iwl-fh.h +@@ -104,15 +104,29 @@ + * (see struct iwl_tfd_frame). These 16 pointer registers are offset by 0x04 + * bytes from one another. Each TFD circular buffer in DRAM must be 256-byte + * aligned (address bits 0-7 must be 0). ++ * Later devices have 20 (5000 series) or 30 (higher) queues, but the registers ++ * for them are in different places. + * + * Bit fields in each pointer register: + * 27-0: TFD CB physical base address [35:8], must be 256-byte aligned + */ +-#define FH_MEM_CBBC_LOWER_BOUND (FH_MEM_LOWER_BOUND + 0x9D0) +-#define FH_MEM_CBBC_UPPER_BOUND (FH_MEM_LOWER_BOUND + 0xA10) +- +-/* Find TFD CB base pointer for given queue (range 0-15). */ +-#define FH_MEM_CBBC_QUEUE(x) (FH_MEM_CBBC_LOWER_BOUND + (x) * 0x4) ++#define FH_MEM_CBBC_0_15_LOWER_BOUND (FH_MEM_LOWER_BOUND + 0x9D0) ++#define FH_MEM_CBBC_0_15_UPPER_BOUND (FH_MEM_LOWER_BOUND + 0xA10) ++#define FH_MEM_CBBC_16_19_LOWER_BOUND (FH_MEM_LOWER_BOUND + 0xBF0) ++#define FH_MEM_CBBC_16_19_UPPER_BOUND (FH_MEM_LOWER_BOUND + 0xC00) ++#define FH_MEM_CBBC_20_31_LOWER_BOUND (FH_MEM_LOWER_BOUND + 0xB20) ++#define FH_MEM_CBBC_20_31_UPPER_BOUND (FH_MEM_LOWER_BOUND + 0xB80) ++ ++/* Find TFD CB base pointer for given queue */ ++static inline unsigned int FH_MEM_CBBC_QUEUE(unsigned int chnl) ++{ ++ if (chnl < 16) ++ return FH_MEM_CBBC_0_15_LOWER_BOUND + 4 * chnl; ++ if (chnl < 20) ++ return FH_MEM_CBBC_16_19_LOWER_BOUND + 4 * (chnl - 16); ++ WARN_ON_ONCE(chnl >= 32); ++ return FH_MEM_CBBC_20_31_LOWER_BOUND + 4 * (chnl - 20); ++} + + + /** +diff --git a/drivers/net/wireless/iwlwifi/iwl-prph.h b/drivers/net/wireless/iwlwifi/iwl-prph.h +index bebdd82..d9b089e 100644 +--- a/drivers/net/wireless/iwlwifi/iwl-prph.h ++++ b/drivers/net/wireless/iwlwifi/iwl-prph.h +@@ -227,12 +227,33 @@ + #define SCD_AIT (SCD_BASE + 0x0c) + #define SCD_TXFACT (SCD_BASE + 0x10) + #define SCD_ACTIVE (SCD_BASE + 0x14) +-#define SCD_QUEUE_WRPTR(x) (SCD_BASE + 0x18 + (x) * 4) +-#define SCD_QUEUE_RDPTR(x) (SCD_BASE + 0x68 + (x) * 4) + #define SCD_QUEUECHAIN_SEL (SCD_BASE + 0xe8) + #define SCD_AGGR_SEL (SCD_BASE + 0x248) + #define SCD_INTERRUPT_MASK (SCD_BASE + 0x108) +-#define SCD_QUEUE_STATUS_BITS(x) (SCD_BASE + 0x10c + (x) * 4) ++ ++static inline unsigned int SCD_QUEUE_WRPTR(unsigned int chnl) ++{ ++ if (chnl < 20) ++ return SCD_BASE + 0x18 + chnl * 4; ++ WARN_ON_ONCE(chnl >= 32); ++ return SCD_BASE + 0x284 + (chnl - 20) * 4; ++} ++ ++static inline unsigned int SCD_QUEUE_RDPTR(unsigned int chnl) ++{ ++ if (chnl < 20) ++ return SCD_BASE + 0x68 + chnl * 4; ++ WARN_ON_ONCE(chnl >= 32); ++ return SCD_BASE + 0x2B4 + (chnl - 20) * 4; ++} ++ ++static inline unsigned int SCD_QUEUE_STATUS_BITS(unsigned int chnl) ++{ ++ if (chnl < 20) ++ return SCD_BASE + 0x10c + chnl * 4; ++ WARN_ON_ONCE(chnl >= 32); ++ return SCD_BASE + 0x384 + (chnl - 20) * 4; ++} + + /*********************** END TX SCHEDULER *************************************/ + +diff --git a/drivers/net/wireless/mwifiex/pcie.h b/drivers/net/wireless/mwifiex/pcie.h +index 445ff21..2f218f9 100644 +--- a/drivers/net/wireless/mwifiex/pcie.h ++++ b/drivers/net/wireless/mwifiex/pcie.h +@@ -48,15 +48,15 @@ + #define PCIE_HOST_INT_STATUS_MASK 0xC3C + #define PCIE_SCRATCH_2_REG 0xC40 + #define PCIE_SCRATCH_3_REG 0xC44 +-#define PCIE_SCRATCH_4_REG 0xCC0 +-#define PCIE_SCRATCH_5_REG 0xCC4 +-#define PCIE_SCRATCH_6_REG 0xCC8 +-#define PCIE_SCRATCH_7_REG 0xCCC +-#define PCIE_SCRATCH_8_REG 0xCD0 +-#define PCIE_SCRATCH_9_REG 0xCD4 +-#define PCIE_SCRATCH_10_REG 0xCD8 +-#define PCIE_SCRATCH_11_REG 0xCDC +-#define PCIE_SCRATCH_12_REG 0xCE0 ++#define PCIE_SCRATCH_4_REG 0xCD0 ++#define PCIE_SCRATCH_5_REG 0xCD4 ++#define PCIE_SCRATCH_6_REG 0xCD8 ++#define PCIE_SCRATCH_7_REG 0xCDC ++#define PCIE_SCRATCH_8_REG 0xCE0 ++#define PCIE_SCRATCH_9_REG 0xCE4 ++#define PCIE_SCRATCH_10_REG 0xCE8 ++#define PCIE_SCRATCH_11_REG 0xCEC ++#define PCIE_SCRATCH_12_REG 0xCF0 + + #define CPU_INTR_DNLD_RDY BIT(0) + #define CPU_INTR_DOOR_BELL BIT(1) +diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c +index cb71e88..0ffa111 100644 +--- a/drivers/net/wireless/rt2x00/rt2800usb.c ++++ b/drivers/net/wireless/rt2x00/rt2800usb.c +@@ -914,12 +914,14 @@ static struct usb_device_id rt2800usb_device_table[] = { + { USB_DEVICE(0x050d, 0x8053) }, + { USB_DEVICE(0x050d, 0x805c) }, + { USB_DEVICE(0x050d, 0x815c) }, ++ { USB_DEVICE(0x050d, 0x825a) }, + { USB_DEVICE(0x050d, 0x825b) }, + { USB_DEVICE(0x050d, 0x935a) }, + { USB_DEVICE(0x050d, 0x935b) }, + /* Buffalo */ + { USB_DEVICE(0x0411, 0x00e8) }, + { USB_DEVICE(0x0411, 0x0158) }, ++ { USB_DEVICE(0x0411, 0x015d) }, + { USB_DEVICE(0x0411, 0x016f) }, + { USB_DEVICE(0x0411, 0x01a2) }, + /* Corega */ +@@ -934,6 +936,8 @@ static struct usb_device_id rt2800usb_device_table[] = { + { USB_DEVICE(0x07d1, 0x3c0e) }, + { USB_DEVICE(0x07d1, 0x3c0f) }, + { USB_DEVICE(0x07d1, 0x3c11) }, ++ { USB_DEVICE(0x07d1, 0x3c13) }, ++ { USB_DEVICE(0x07d1, 0x3c15) }, + { USB_DEVICE(0x07d1, 0x3c16) }, + { USB_DEVICE(0x2001, 0x3c1b) }, + /* Draytek */ +@@ -944,6 +948,7 @@ static struct usb_device_id rt2800usb_device_table[] = { + { USB_DEVICE(0x7392, 0x7711) }, + { USB_DEVICE(0x7392, 0x7717) }, + { USB_DEVICE(0x7392, 0x7718) }, ++ { USB_DEVICE(0x7392, 0x7722) }, + /* Encore */ + { USB_DEVICE(0x203d, 0x1480) }, + { USB_DEVICE(0x203d, 0x14a9) }, +@@ -978,6 +983,7 @@ static struct usb_device_id rt2800usb_device_table[] = { + { USB_DEVICE(0x1737, 0x0070) }, + { USB_DEVICE(0x1737, 0x0071) }, + { USB_DEVICE(0x1737, 0x0077) }, ++ { USB_DEVICE(0x1737, 0x0078) }, + /* Logitec */ + { USB_DEVICE(0x0789, 0x0162) }, + { USB_DEVICE(0x0789, 0x0163) }, +@@ -1001,9 +1007,13 @@ static struct usb_device_id rt2800usb_device_table[] = { + { USB_DEVICE(0x0db0, 0x871b) }, + { USB_DEVICE(0x0db0, 0x871c) }, + { USB_DEVICE(0x0db0, 0x899a) }, ++ /* Ovislink */ ++ { USB_DEVICE(0x1b75, 0x3071) }, ++ { USB_DEVICE(0x1b75, 0x3072) }, + /* Para */ + { USB_DEVICE(0x20b8, 0x8888) }, + /* Pegatron */ ++ { USB_DEVICE(0x1d4d, 0x0002) }, + { USB_DEVICE(0x1d4d, 0x000c) }, + { USB_DEVICE(0x1d4d, 0x000e) }, + { USB_DEVICE(0x1d4d, 0x0011) }, +@@ -1056,7 +1066,9 @@ static struct usb_device_id rt2800usb_device_table[] = { + /* Sparklan */ + { USB_DEVICE(0x15a9, 0x0006) }, + /* Sweex */ ++ { USB_DEVICE(0x177f, 0x0153) }, + { USB_DEVICE(0x177f, 0x0302) }, ++ { USB_DEVICE(0x177f, 0x0313) }, + /* U-Media */ + { USB_DEVICE(0x157e, 0x300e) }, + { USB_DEVICE(0x157e, 0x3013) }, +@@ -1140,27 +1152,24 @@ static struct usb_device_id rt2800usb_device_table[] = { + { USB_DEVICE(0x13d3, 0x3322) }, + /* Belkin */ + { USB_DEVICE(0x050d, 0x1003) }, +- { USB_DEVICE(0x050d, 0x825a) }, + /* Buffalo */ + { USB_DEVICE(0x0411, 0x012e) }, + { USB_DEVICE(0x0411, 0x0148) }, + { USB_DEVICE(0x0411, 0x0150) }, +- { USB_DEVICE(0x0411, 0x015d) }, + /* Corega */ + { USB_DEVICE(0x07aa, 0x0041) }, + { USB_DEVICE(0x07aa, 0x0042) }, + { USB_DEVICE(0x18c5, 0x0008) }, + /* D-Link */ + { USB_DEVICE(0x07d1, 0x3c0b) }, +- { USB_DEVICE(0x07d1, 0x3c13) }, +- { USB_DEVICE(0x07d1, 0x3c15) }, + { USB_DEVICE(0x07d1, 0x3c17) }, + { USB_DEVICE(0x2001, 0x3c17) }, + /* Edimax */ + { USB_DEVICE(0x7392, 0x4085) }, +- { USB_DEVICE(0x7392, 0x7722) }, + /* Encore */ + { USB_DEVICE(0x203d, 0x14a1) }, ++ /* Fujitsu Stylistic 550 */ ++ { USB_DEVICE(0x1690, 0x0761) }, + /* Gemtek */ + { USB_DEVICE(0x15a9, 0x0010) }, + /* Gigabyte */ +@@ -1172,19 +1181,13 @@ static struct usb_device_id rt2800usb_device_table[] = { + /* LevelOne */ + { USB_DEVICE(0x1740, 0x0605) }, + { USB_DEVICE(0x1740, 0x0615) }, +- /* Linksys */ +- { USB_DEVICE(0x1737, 0x0078) }, + /* Logitec */ + { USB_DEVICE(0x0789, 0x0168) }, + { USB_DEVICE(0x0789, 0x0169) }, + /* Motorola */ + { USB_DEVICE(0x100d, 0x9032) }, +- /* Ovislink */ +- { USB_DEVICE(0x1b75, 0x3071) }, +- { USB_DEVICE(0x1b75, 0x3072) }, + /* Pegatron */ + { USB_DEVICE(0x05a6, 0x0101) }, +- { USB_DEVICE(0x1d4d, 0x0002) }, + { USB_DEVICE(0x1d4d, 0x0010) }, + /* Planex */ + { USB_DEVICE(0x2019, 0x5201) }, +@@ -1203,9 +1206,6 @@ static struct usb_device_id rt2800usb_device_table[] = { + { USB_DEVICE(0x083a, 0xc522) }, + { USB_DEVICE(0x083a, 0xd522) }, + { USB_DEVICE(0x083a, 0xf511) }, +- /* Sweex */ +- { USB_DEVICE(0x177f, 0x0153) }, +- { USB_DEVICE(0x177f, 0x0313) }, + /* Zyxel */ + { USB_DEVICE(0x0586, 0x341a) }, + #endif +diff --git a/drivers/net/wireless/rtlwifi/pci.c b/drivers/net/wireless/rtlwifi/pci.c +index d44d398..47ba0f7 100644 +--- a/drivers/net/wireless/rtlwifi/pci.c ++++ b/drivers/net/wireless/rtlwifi/pci.c +@@ -1961,6 +1961,7 @@ void rtl_pci_disconnect(struct pci_dev *pdev) + rtl_deinit_deferred_work(hw); + rtlpriv->intf_ops->adapter_stop(hw); + } ++ rtlpriv->cfg->ops->disable_interrupt(hw); + + /*deinit rfkill */ + rtl_deinit_rfkill(hw); +diff --git a/drivers/net/wireless/wl1251/main.c b/drivers/net/wireless/wl1251/main.c +index ba3268e..40c1574 100644 +--- a/drivers/net/wireless/wl1251/main.c ++++ b/drivers/net/wireless/wl1251/main.c +@@ -479,6 +479,7 @@ static void wl1251_op_stop(struct ieee80211_hw *hw) + cancel_work_sync(&wl->irq_work); + cancel_work_sync(&wl->tx_work); + cancel_work_sync(&wl->filter_work); ++ cancel_delayed_work_sync(&wl->elp_work); + + mutex_lock(&wl->mutex); + +diff --git a/drivers/net/wireless/wl1251/sdio.c b/drivers/net/wireless/wl1251/sdio.c +index f786942..1b851f6 100644 +--- a/drivers/net/wireless/wl1251/sdio.c ++++ b/drivers/net/wireless/wl1251/sdio.c +@@ -315,8 +315,8 @@ static void __devexit wl1251_sdio_remove(struct sdio_func *func) + + if (wl->irq) + free_irq(wl->irq, wl); +- kfree(wl_sdio); + wl1251_free_hw(wl); ++ kfree(wl_sdio); + + sdio_claim_host(func); + sdio_release_irq(func); +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 6476547..78fda9c 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -2906,6 +2906,40 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x65f8, quirk_intel_mc_errata); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x65f9, quirk_intel_mc_errata); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x65fa, quirk_intel_mc_errata); + ++/* ++ * Some BIOS implementations leave the Intel GPU interrupts enabled, ++ * even though no one is handling them (f.e. i915 driver is never loaded). ++ * Additionally the interrupt destination is not set up properly ++ * and the interrupt ends up -somewhere-. ++ * ++ * These spurious interrupts are "sticky" and the kernel disables ++ * the (shared) interrupt line after 100.000+ generated interrupts. ++ * ++ * Fix it by disabling the still enabled interrupts. ++ * This resolves crashes often seen on monitor unplug. ++ */ ++#define I915_DEIER_REG 0x4400c ++static void __devinit disable_igfx_irq(struct pci_dev *dev) ++{ ++ void __iomem *regs = pci_iomap(dev, 0, 0); ++ if (regs == NULL) { ++ dev_warn(&dev->dev, "igfx quirk: Can't iomap PCI device\n"); ++ return; ++ } ++ ++ /* Check if any interrupt line is still enabled */ ++ if (readl(regs + I915_DEIER_REG) != 0) { ++ dev_warn(&dev->dev, "BIOS left Intel GPU interrupts enabled; " ++ "disabling\n"); ++ ++ writel(0, regs + I915_DEIER_REG); ++ } ++ ++ pci_iounmap(dev, regs); ++} ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0102, disable_igfx_irq); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x010a, disable_igfx_irq); ++ + static void pci_do_fixups(struct pci_dev *dev, struct pci_fixup *f, + struct pci_fixup *end) + { +diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c +index d93e962..1d3bcce 100644 +--- a/drivers/platform/x86/dell-laptop.c ++++ b/drivers/platform/x86/dell-laptop.c +@@ -184,6 +184,34 @@ static struct dmi_system_id __devinitdata dell_quirks[] = { + }, + .driver_data = &quirk_dell_vostro_v130, + }, ++ { ++ .callback = dmi_matched, ++ .ident = "Dell Vostro 3555", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 3555"), ++ }, ++ .driver_data = &quirk_dell_vostro_v130, ++ }, ++ { ++ .callback = dmi_matched, ++ .ident = "Dell Inspiron N311z", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron N311z"), ++ }, ++ .driver_data = &quirk_dell_vostro_v130, ++ }, ++ { ++ .callback = dmi_matched, ++ .ident = "Dell Inspiron M5110", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron M5110"), ++ }, ++ .driver_data = &quirk_dell_vostro_v130, ++ }, ++ { } + }; + + static struct calling_interface_buffer *buffer; +@@ -615,6 +643,7 @@ static void touchpad_led_set(struct led_classdev *led_cdev, + static struct led_classdev touchpad_led = { + .name = "dell-laptop::touchpad", + .brightness_set = touchpad_led_set, ++ .flags = LED_CORE_SUSPENDRESUME, + }; + + static int __devinit touchpad_led_init(struct device *dev) +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index 1b831c5..e48ba4b 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -192,7 +192,14 @@ static void sas_set_ex_phy(struct domain_device *dev, int phy_id, + phy->attached_sata_ps = dr->attached_sata_ps; + phy->attached_iproto = dr->iproto << 1; + phy->attached_tproto = dr->tproto << 1; +- memcpy(phy->attached_sas_addr, dr->attached_sas_addr, SAS_ADDR_SIZE); ++ /* help some expanders that fail to zero sas_address in the 'no ++ * device' case ++ */ ++ if (phy->attached_dev_type == NO_DEVICE || ++ phy->linkrate < SAS_LINK_RATE_1_5_GBPS) ++ memset(phy->attached_sas_addr, 0, SAS_ADDR_SIZE); ++ else ++ memcpy(phy->attached_sas_addr, dr->attached_sas_addr, SAS_ADDR_SIZE); + phy->attached_phy_id = dr->attached_phy_id; + phy->phy_change_count = dr->change_count; + phy->routing_attr = dr->routing_attr; +@@ -1643,9 +1650,17 @@ static int sas_find_bcast_phy(struct domain_device *dev, int *phy_id, + int phy_change_count = 0; + + res = sas_get_phy_change_count(dev, i, &phy_change_count); +- if (res) +- goto out; +- else if (phy_change_count != ex->ex_phy[i].phy_change_count) { ++ switch (res) { ++ case SMP_RESP_PHY_VACANT: ++ case SMP_RESP_NO_PHY: ++ continue; ++ case SMP_RESP_FUNC_ACC: ++ break; ++ default: ++ return res; ++ } ++ ++ if (phy_change_count != ex->ex_phy[i].phy_change_count) { + if (update) + ex->ex_phy[i].phy_change_count = + phy_change_count; +@@ -1653,8 +1668,7 @@ static int sas_find_bcast_phy(struct domain_device *dev, int *phy_id, + return 0; + } + } +-out: +- return res; ++ return 0; + } + + static int sas_get_ex_change_count(struct domain_device *dev, int *ecc) +diff --git a/drivers/spi/spi-fsl-spi.c b/drivers/spi/spi-fsl-spi.c +index 24cacff..5f748c0 100644 +--- a/drivers/spi/spi-fsl-spi.c ++++ b/drivers/spi/spi-fsl-spi.c +@@ -139,10 +139,12 @@ static void fsl_spi_change_mode(struct spi_device *spi) + static void fsl_spi_chipselect(struct spi_device *spi, int value) + { + struct mpc8xxx_spi *mpc8xxx_spi = spi_master_get_devdata(spi->master); +- struct fsl_spi_platform_data *pdata = spi->dev.parent->platform_data; ++ struct fsl_spi_platform_data *pdata; + bool pol = spi->mode & SPI_CS_HIGH; + struct spi_mpc8xxx_cs *cs = spi->controller_state; + ++ pdata = spi->dev.parent->parent->platform_data; ++ + if (value == BITBANG_CS_INACTIVE) { + if (pdata->cs_control) + pdata->cs_control(spi, !pol); +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index 77eae99..b2ccdea 100644 +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -319,7 +319,7 @@ struct spi_device *spi_alloc_device(struct spi_master *master) + } + + spi->master = master; +- spi->dev.parent = dev; ++ spi->dev.parent = &master->dev; + spi->dev.bus = &spi_bus_type; + spi->dev.release = spidev_release; + device_initialize(&spi->dev); +diff --git a/drivers/staging/rtl8712/os_intfs.c b/drivers/staging/rtl8712/os_intfs.c +index fb11743..4bb2797 100644 +--- a/drivers/staging/rtl8712/os_intfs.c ++++ b/drivers/staging/rtl8712/os_intfs.c +@@ -476,9 +476,6 @@ static int netdev_close(struct net_device *pnetdev) + r8712_free_assoc_resources(padapter); + /*s2-4.*/ + r8712_free_network_queue(padapter); +- release_firmware(padapter->fw); +- /* never exit with a firmware callback pending */ +- wait_for_completion(&padapter->rtl8712_fw_ready); + return 0; + } + +diff --git a/drivers/staging/rtl8712/usb_intf.c b/drivers/staging/rtl8712/usb_intf.c +index 9bade18..ec41d38 100644 +--- a/drivers/staging/rtl8712/usb_intf.c ++++ b/drivers/staging/rtl8712/usb_intf.c +@@ -30,6 +30,7 @@ + + #include <linux/usb.h> + #include <linux/module.h> ++#include <linux/firmware.h> + + #include "osdep_service.h" + #include "drv_types.h" +@@ -621,6 +622,10 @@ static void r871xu_dev_remove(struct usb_interface *pusb_intf) + struct _adapter *padapter = netdev_priv(pnetdev); + struct usb_device *udev = interface_to_usbdev(pusb_intf); + ++ if (padapter->fw_found) ++ release_firmware(padapter->fw); ++ /* never exit with a firmware callback pending */ ++ wait_for_completion(&padapter->rtl8712_fw_ready); + usb_set_intfdata(pusb_intf, NULL); + if (padapter) { + if (drvpriv.drv_registered == true) +diff --git a/drivers/tty/amiserial.c b/drivers/tty/amiserial.c +index b84c834..8daf073 100644 +--- a/drivers/tty/amiserial.c ++++ b/drivers/tty/amiserial.c +@@ -1113,8 +1113,10 @@ static int set_serial_info(struct async_struct * info, + (new_serial.close_delay != state->close_delay) || + (new_serial.xmit_fifo_size != state->xmit_fifo_size) || + ((new_serial.flags & ~ASYNC_USR_MASK) != +- (state->flags & ~ASYNC_USR_MASK))) ++ (state->flags & ~ASYNC_USR_MASK))) { ++ tty_unlock(); + return -EPERM; ++ } + state->flags = ((state->flags & ~ASYNC_USR_MASK) | + (new_serial.flags & ASYNC_USR_MASK)); + info->flags = ((info->flags & ~ASYNC_USR_MASK) | +diff --git a/drivers/tty/serial/clps711x.c b/drivers/tty/serial/clps711x.c +index e6c3dbd..836fe273 100644 +--- a/drivers/tty/serial/clps711x.c ++++ b/drivers/tty/serial/clps711x.c +@@ -154,10 +154,9 @@ static irqreturn_t clps711xuart_int_tx(int irq, void *dev_id) + port->x_char = 0; + return IRQ_HANDLED; + } +- if (uart_circ_empty(xmit) || uart_tx_stopped(port)) { +- clps711xuart_stop_tx(port); +- return IRQ_HANDLED; +- } ++ ++ if (uart_circ_empty(xmit) || uart_tx_stopped(port)) ++ goto disable_tx_irq; + + count = port->fifosize >> 1; + do { +@@ -171,8 +170,11 @@ static irqreturn_t clps711xuart_int_tx(int irq, void *dev_id) + if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS) + uart_write_wakeup(port); + +- if (uart_circ_empty(xmit)) +- clps711xuart_stop_tx(port); ++ if (uart_circ_empty(xmit)) { ++ disable_tx_irq: ++ disable_irq_nosync(TX_IRQ(port)); ++ tx_enabled(port) = 0; ++ } + + return IRQ_HANDLED; + } +diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c +index da776a0..a4b192d 100644 +--- a/drivers/tty/serial/pch_uart.c ++++ b/drivers/tty/serial/pch_uart.c +@@ -1356,9 +1356,11 @@ static int pch_uart_verify_port(struct uart_port *port, + __func__); + return -EOPNOTSUPP; + #endif +- priv->use_dma = 1; + priv->use_dma_flag = 1; + dev_info(priv->port.dev, "PCH UART : Use DMA Mode\n"); ++ if (!priv->use_dma) ++ pch_request_dma(port); ++ priv->use_dma = 1; + } + + return 0; +diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c +index 9eb71d8..2db0327 100644 +--- a/drivers/usb/class/cdc-wdm.c ++++ b/drivers/usb/class/cdc-wdm.c +@@ -108,8 +108,9 @@ static void wdm_out_callback(struct urb *urb) + spin_lock(&desc->iuspin); + desc->werr = urb->status; + spin_unlock(&desc->iuspin); +- clear_bit(WDM_IN_USE, &desc->flags); + kfree(desc->outbuf); ++ desc->outbuf = NULL; ++ clear_bit(WDM_IN_USE, &desc->flags); + wake_up(&desc->wait); + } + +@@ -312,7 +313,7 @@ static ssize_t wdm_write + if (we < 0) + return -EIO; + +- desc->outbuf = buf = kmalloc(count, GFP_KERNEL); ++ buf = kmalloc(count, GFP_KERNEL); + if (!buf) { + rv = -ENOMEM; + goto outnl; +@@ -376,10 +377,12 @@ static ssize_t wdm_write + req->wIndex = desc->inum; + req->wLength = cpu_to_le16(count); + set_bit(WDM_IN_USE, &desc->flags); ++ desc->outbuf = buf; + + rv = usb_submit_urb(desc->command, GFP_KERNEL); + if (rv < 0) { + kfree(buf); ++ desc->outbuf = NULL; + clear_bit(WDM_IN_USE, &desc->flags); + dev_err(&desc->intf->dev, "Tx URB error: %d\n", rv); + } else { +diff --git a/drivers/usb/core/hcd-pci.c b/drivers/usb/core/hcd-pci.c +index 61d08dd..5f1404a 100644 +--- a/drivers/usb/core/hcd-pci.c ++++ b/drivers/usb/core/hcd-pci.c +@@ -495,6 +495,15 @@ static int hcd_pci_suspend_noirq(struct device *dev) + + pci_save_state(pci_dev); + ++ /* ++ * Some systems crash if an EHCI controller is in D3 during ++ * a sleep transition. We have to leave such controllers in D0. ++ */ ++ if (hcd->broken_pci_sleep) { ++ dev_dbg(dev, "Staying in PCI D0\n"); ++ return retval; ++ } ++ + /* If the root hub is dead rather than suspended, disallow remote + * wakeup. usb_hc_died() should ensure that both hosts are marked as + * dying, so we only need to check the primary roothub. +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index e238b3b..2b0a341 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1644,7 +1644,6 @@ void usb_disconnect(struct usb_device **pdev) + { + struct usb_device *udev = *pdev; + int i; +- struct usb_hcd *hcd = bus_to_hcd(udev->bus); + + /* mark the device as inactive, so any further urb submissions for + * this device (and any of its children) will fail immediately. +@@ -1667,9 +1666,7 @@ void usb_disconnect(struct usb_device **pdev) + * so that the hardware is now fully quiesced. + */ + dev_dbg (&udev->dev, "unregistering device\n"); +- mutex_lock(hcd->bandwidth_mutex); + usb_disable_device(udev, 0); +- mutex_unlock(hcd->bandwidth_mutex); + usb_hcd_synchronize_unlinks(udev); + + usb_remove_ep_devs(&udev->ep0); +diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c +index aed3e07..ca717da 100644 +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -1136,8 +1136,6 @@ void usb_disable_interface(struct usb_device *dev, struct usb_interface *intf, + * Deallocates hcd/hardware state for the endpoints (nuking all or most + * pending urbs) and usbcore state for the interfaces, so that usbcore + * must usb_set_configuration() before any interfaces could be used. +- * +- * Must be called with hcd->bandwidth_mutex held. + */ + void usb_disable_device(struct usb_device *dev, int skip_ep0) + { +@@ -1190,7 +1188,9 @@ void usb_disable_device(struct usb_device *dev, int skip_ep0) + usb_disable_endpoint(dev, i + USB_DIR_IN, false); + } + /* Remove endpoints from the host controller internal state */ ++ mutex_lock(hcd->bandwidth_mutex); + usb_hcd_alloc_bandwidth(dev, NULL, NULL, NULL); ++ mutex_unlock(hcd->bandwidth_mutex); + /* Second pass: remove endpoint pointers */ + } + for (i = skip_ep0; i < 16; ++i) { +@@ -1750,7 +1750,6 @@ free_interfaces: + /* if it's already configured, clear out old state first. + * getting rid of old interfaces means unbinding their drivers. + */ +- mutex_lock(hcd->bandwidth_mutex); + if (dev->state != USB_STATE_ADDRESS) + usb_disable_device(dev, 1); /* Skip ep0 */ + +@@ -1763,6 +1762,7 @@ free_interfaces: + * host controller will not allow submissions to dropped endpoints. If + * this call fails, the device state is unchanged. + */ ++ mutex_lock(hcd->bandwidth_mutex); + ret = usb_hcd_alloc_bandwidth(dev, cp, NULL, NULL); + if (ret < 0) { + mutex_unlock(hcd->bandwidth_mutex); +diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c +index 27bd50a..c0dcf69 100644 +--- a/drivers/usb/dwc3/ep0.c ++++ b/drivers/usb/dwc3/ep0.c +@@ -572,9 +572,10 @@ static void dwc3_ep0_complete_data(struct dwc3 *dwc, + dwc->ep0_bounced = false; + } else { + transferred = ur->length - trb.length; +- ur->actual += transferred; + } + ++ ur->actual += transferred; ++ + if ((epnum & 1) && ur->actual < ur->length) { + /* for some reason we did not get everything out */ + +diff --git a/drivers/usb/gadget/dummy_hcd.c b/drivers/usb/gadget/dummy_hcd.c +index ab8f1b4..527736e 100644 +--- a/drivers/usb/gadget/dummy_hcd.c ++++ b/drivers/usb/gadget/dummy_hcd.c +@@ -925,7 +925,6 @@ static int dummy_udc_stop(struct usb_gadget *g, + + dum->driver = NULL; + +- dummy_pullup(&dum->gadget, 0); + return 0; + } + +diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c +index acb3800..0e641a1 100644 +--- a/drivers/usb/gadget/f_fs.c ++++ b/drivers/usb/gadget/f_fs.c +@@ -712,7 +712,7 @@ static long ffs_ep0_ioctl(struct file *file, unsigned code, unsigned long value) + if (code == FUNCTIONFS_INTERFACE_REVMAP) { + struct ffs_function *func = ffs->func; + ret = func ? ffs_func_revmap_intf(func, value) : -ENODEV; +- } else if (gadget->ops->ioctl) { ++ } else if (gadget && gadget->ops->ioctl) { + ret = gadget->ops->ioctl(gadget, code, value); + } else { + ret = -ENOTTY; +diff --git a/drivers/usb/gadget/f_mass_storage.c b/drivers/usb/gadget/f_mass_storage.c +index 1a6f415..a5570b6 100644 +--- a/drivers/usb/gadget/f_mass_storage.c ++++ b/drivers/usb/gadget/f_mass_storage.c +@@ -2182,7 +2182,7 @@ unknown_cmnd: + common->data_size_from_cmnd = 0; + sprintf(unknown, "Unknown x%02x", common->cmnd[0]); + reply = check_command(common, common->cmnd_size, +- DATA_DIR_UNKNOWN, 0xff, 0, unknown); ++ DATA_DIR_UNKNOWN, ~0, 0, unknown); + if (reply == 0) { + common->curlun->sense_data = SS_INVALID_COMMAND; + reply = -EINVAL; +diff --git a/drivers/usb/gadget/file_storage.c b/drivers/usb/gadget/file_storage.c +index 11b5196..db2d607 100644 +--- a/drivers/usb/gadget/file_storage.c ++++ b/drivers/usb/gadget/file_storage.c +@@ -2569,7 +2569,7 @@ static int do_scsi_command(struct fsg_dev *fsg) + fsg->data_size_from_cmnd = 0; + sprintf(unknown, "Unknown x%02x", fsg->cmnd[0]); + if ((reply = check_command(fsg, fsg->cmnd_size, +- DATA_DIR_UNKNOWN, 0xff, 0, unknown)) == 0) { ++ DATA_DIR_UNKNOWN, ~0, 0, unknown)) == 0) { + fsg->curlun->sense_data = SS_INVALID_COMMAND; + reply = -EINVAL; + } +diff --git a/drivers/usb/gadget/udc-core.c b/drivers/usb/gadget/udc-core.c +index 6939e17..901924a 100644 +--- a/drivers/usb/gadget/udc-core.c ++++ b/drivers/usb/gadget/udc-core.c +@@ -211,9 +211,9 @@ static void usb_gadget_remove_driver(struct usb_udc *udc) + + if (udc_is_newstyle(udc)) { + udc->driver->disconnect(udc->gadget); ++ usb_gadget_disconnect(udc->gadget); + udc->driver->unbind(udc->gadget); + usb_gadget_udc_stop(udc->gadget, udc->driver); +- usb_gadget_disconnect(udc->gadget); + } else { + usb_gadget_stop(udc->gadget, udc->driver); + } +@@ -359,9 +359,13 @@ static ssize_t usb_udc_softconn_store(struct device *dev, + struct usb_udc *udc = container_of(dev, struct usb_udc, dev); + + if (sysfs_streq(buf, "connect")) { ++ if (udc_is_newstyle(udc)) ++ usb_gadget_udc_start(udc->gadget, udc->driver); + usb_gadget_connect(udc->gadget); + } else if (sysfs_streq(buf, "disconnect")) { + usb_gadget_disconnect(udc->gadget); ++ if (udc_is_newstyle(udc)) ++ usb_gadget_udc_stop(udc->gadget, udc->driver); + } else { + dev_err(dev, "unsupported command '%s'\n", buf); + return -EINVAL; +diff --git a/drivers/usb/gadget/uvc.h b/drivers/usb/gadget/uvc.h +index bc78c60..ca4e03a 100644 +--- a/drivers/usb/gadget/uvc.h ++++ b/drivers/usb/gadget/uvc.h +@@ -28,7 +28,7 @@ + + struct uvc_request_data + { +- unsigned int length; ++ __s32 length; + __u8 data[60]; + }; + +diff --git a/drivers/usb/gadget/uvc_v4l2.c b/drivers/usb/gadget/uvc_v4l2.c +index f6e083b..54d7ca5 100644 +--- a/drivers/usb/gadget/uvc_v4l2.c ++++ b/drivers/usb/gadget/uvc_v4l2.c +@@ -39,7 +39,7 @@ uvc_send_response(struct uvc_device *uvc, struct uvc_request_data *data) + if (data->length < 0) + return usb_ep_set_halt(cdev->gadget->ep0); + +- req->length = min(uvc->event_length, data->length); ++ req->length = min_t(unsigned int, uvc->event_length, data->length); + req->zero = data->length < uvc->event_length; + req->dma = DMA_ADDR_INVALID; + +diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c +index 3ff9f82..da2f711 100644 +--- a/drivers/usb/host/ehci-hcd.c ++++ b/drivers/usb/host/ehci-hcd.c +@@ -815,8 +815,13 @@ static irqreturn_t ehci_irq (struct usb_hcd *hcd) + goto dead; + } + ++ /* ++ * We don't use STS_FLR, but some controllers don't like it to ++ * remain on, so mask it out along with the other status bits. ++ */ ++ masked_status = status & (INTR_MASK | STS_FLR); ++ + /* Shared IRQ? */ +- masked_status = status & INTR_MASK; + if (!masked_status || unlikely(ehci->rh_state == EHCI_RH_HALTED)) { + spin_unlock(&ehci->lock); + return IRQ_NONE; +@@ -867,7 +872,7 @@ static irqreturn_t ehci_irq (struct usb_hcd *hcd) + pcd_status = status; + + /* resume root hub? */ +- if (!(cmd & CMD_RUN)) ++ if (ehci->rh_state == EHCI_RH_SUSPENDED) + usb_hcd_resume_root_hub(hcd); + + /* get per-port change detect bits */ +diff --git a/drivers/usb/host/ehci-pci.c b/drivers/usb/host/ehci-pci.c +index f4b627d..971d312 100644 +--- a/drivers/usb/host/ehci-pci.c ++++ b/drivers/usb/host/ehci-pci.c +@@ -144,6 +144,14 @@ static int ehci_pci_setup(struct usb_hcd *hcd) + hcd->has_tt = 1; + tdi_reset(ehci); + } ++ if (pdev->subsystem_vendor == PCI_VENDOR_ID_ASUSTEK) { ++ /* EHCI #1 or #2 on 6 Series/C200 Series chipset */ ++ if (pdev->device == 0x1c26 || pdev->device == 0x1c2d) { ++ ehci_info(ehci, "broken D3 during system sleep on ASUS\n"); ++ hcd->broken_pci_sleep = 1; ++ device_set_wakeup_capable(&pdev->dev, false); ++ } ++ } + break; + case PCI_VENDOR_ID_TDI: + if (pdev->device == PCI_DEVICE_ID_TDI_EHCI) { +diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c +index ac5bfd6..2504694 100644 +--- a/drivers/usb/misc/yurex.c ++++ b/drivers/usb/misc/yurex.c +@@ -99,9 +99,7 @@ static void yurex_delete(struct kref *kref) + usb_put_dev(dev->udev); + if (dev->cntl_urb) { + usb_kill_urb(dev->cntl_urb); +- if (dev->cntl_req) +- usb_free_coherent(dev->udev, YUREX_BUF_SIZE, +- dev->cntl_req, dev->cntl_urb->setup_dma); ++ kfree(dev->cntl_req); + if (dev->cntl_buffer) + usb_free_coherent(dev->udev, YUREX_BUF_SIZE, + dev->cntl_buffer, dev->cntl_urb->transfer_dma); +@@ -234,9 +232,7 @@ static int yurex_probe(struct usb_interface *interface, const struct usb_device_ + } + + /* allocate buffer for control req */ +- dev->cntl_req = usb_alloc_coherent(dev->udev, YUREX_BUF_SIZE, +- GFP_KERNEL, +- &dev->cntl_urb->setup_dma); ++ dev->cntl_req = kmalloc(YUREX_BUF_SIZE, GFP_KERNEL); + if (!dev->cntl_req) { + err("Could not allocate cntl_req"); + goto error; +@@ -286,7 +282,7 @@ static int yurex_probe(struct usb_interface *interface, const struct usb_device_ + usb_rcvintpipe(dev->udev, dev->int_in_endpointAddr), + dev->int_buffer, YUREX_BUF_SIZE, yurex_interrupt, + dev, 1); +- dev->cntl_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; ++ dev->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; + if (usb_submit_urb(dev->urb, GFP_KERNEL)) { + retval = -EIO; + err("Could not submitting URB"); +diff --git a/drivers/usb/musb/omap2430.c b/drivers/usb/musb/omap2430.c +index ba85f27..a8f0c09 100644 +--- a/drivers/usb/musb/omap2430.c ++++ b/drivers/usb/musb/omap2430.c +@@ -282,7 +282,8 @@ static int musb_otg_notifications(struct notifier_block *nb, + + static int omap2430_musb_init(struct musb *musb) + { +- u32 l, status = 0; ++ u32 l; ++ int status = 0; + struct device *dev = musb->controller; + struct musb_hdrc_platform_data *plat = dev->platform_data; + struct omap_musb_board_data *data = plat->board_data; +@@ -299,7 +300,7 @@ static int omap2430_musb_init(struct musb *musb) + + status = pm_runtime_get_sync(dev); + if (status < 0) { +- dev_err(dev, "pm_runtime_get_sync FAILED"); ++ dev_err(dev, "pm_runtime_get_sync FAILED %d\n", status); + goto err1; + } + +@@ -451,14 +452,14 @@ static int __init omap2430_probe(struct platform_device *pdev) + goto err2; + } + ++ pm_runtime_enable(&pdev->dev); ++ + ret = platform_device_add(musb); + if (ret) { + dev_err(&pdev->dev, "failed to register musb device\n"); + goto err2; + } + +- pm_runtime_enable(&pdev->dev); +- + return 0; + + err2: +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index 4c12404..f2c57e0 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -285,7 +285,8 @@ static int cp210x_get_config(struct usb_serial_port *port, u8 request, + /* Issue the request, attempting to read 'size' bytes */ + result = usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0), + request, REQTYPE_DEVICE_TO_HOST, 0x0000, +- port_priv->bInterfaceNumber, buf, size, 300); ++ port_priv->bInterfaceNumber, buf, size, ++ USB_CTRL_GET_TIMEOUT); + + /* Convert data into an array of integers */ + for (i = 0; i < length; i++) +@@ -335,12 +336,14 @@ static int cp210x_set_config(struct usb_serial_port *port, u8 request, + result = usb_control_msg(serial->dev, + usb_sndctrlpipe(serial->dev, 0), + request, REQTYPE_HOST_TO_DEVICE, 0x0000, +- port_priv->bInterfaceNumber, buf, size, 300); ++ port_priv->bInterfaceNumber, buf, size, ++ USB_CTRL_SET_TIMEOUT); + } else { + result = usb_control_msg(serial->dev, + usb_sndctrlpipe(serial->dev, 0), + request, REQTYPE_HOST_TO_DEVICE, data[0], +- port_priv->bInterfaceNumber, NULL, 0, 300); ++ port_priv->bInterfaceNumber, NULL, 0, ++ USB_CTRL_SET_TIMEOUT); + } + + kfree(buf); +diff --git a/drivers/usb/serial/sierra.c b/drivers/usb/serial/sierra.c +index 7c3ec9e..e093585 100644 +--- a/drivers/usb/serial/sierra.c ++++ b/drivers/usb/serial/sierra.c +@@ -221,7 +221,7 @@ static const struct sierra_iface_info typeB_interface_list = { + }; + + /* 'blacklist' of interfaces not served by this driver */ +-static const u8 direct_ip_non_serial_ifaces[] = { 7, 8, 9, 10, 11 }; ++static const u8 direct_ip_non_serial_ifaces[] = { 7, 8, 9, 10, 11, 19, 20 }; + static const struct sierra_iface_info direct_ip_interface_blacklist = { + .infolen = ARRAY_SIZE(direct_ip_non_serial_ifaces), + .ifaceinfo = direct_ip_non_serial_ifaces, +@@ -289,7 +289,6 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x1199, 0x6856) }, /* Sierra Wireless AirCard 881 U */ + { USB_DEVICE(0x1199, 0x6859) }, /* Sierra Wireless AirCard 885 E */ + { USB_DEVICE(0x1199, 0x685A) }, /* Sierra Wireless AirCard 885 E */ +- { USB_DEVICE(0x1199, 0x68A2) }, /* Sierra Wireless MC7710 */ + /* Sierra Wireless C885 */ + { USB_DEVICE_AND_INTERFACE_INFO(0x1199, 0x6880, 0xFF, 0xFF, 0xFF)}, + /* Sierra Wireless C888, Air Card 501, USB 303, USB 304 */ +@@ -299,6 +298,9 @@ static const struct usb_device_id id_table[] = { + /* Sierra Wireless HSPA Non-Composite Device */ + { USB_DEVICE_AND_INTERFACE_INFO(0x1199, 0x6892, 0xFF, 0xFF, 0xFF)}, + { USB_DEVICE(0x1199, 0x6893) }, /* Sierra Wireless Device */ ++ { USB_DEVICE(0x1199, 0x68A2), /* Sierra Wireless MC77xx in QMI mode */ ++ .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist ++ }, + { USB_DEVICE(0x1199, 0x68A3), /* Sierra Wireless Direct IP modems */ + .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist + }, +diff --git a/drivers/uwb/hwa-rc.c b/drivers/uwb/hwa-rc.c +index 2babcd4..86685e9 100644 +--- a/drivers/uwb/hwa-rc.c ++++ b/drivers/uwb/hwa-rc.c +@@ -645,7 +645,8 @@ void hwarc_neep_cb(struct urb *urb) + dev_err(dev, "NEEP: URB error %d\n", urb->status); + } + result = usb_submit_urb(urb, GFP_ATOMIC); +- if (result < 0) { ++ if (result < 0 && result != -ENODEV && result != -EPERM) { ++ /* ignoring unrecoverable errors */ + dev_err(dev, "NEEP: Can't resubmit URB (%d) resetting device\n", + result); + goto error; +diff --git a/drivers/uwb/neh.c b/drivers/uwb/neh.c +index a269937..8cb71bb 100644 +--- a/drivers/uwb/neh.c ++++ b/drivers/uwb/neh.c +@@ -107,6 +107,7 @@ struct uwb_rc_neh { + u8 evt_type; + __le16 evt; + u8 context; ++ u8 completed; + uwb_rc_cmd_cb_f cb; + void *arg; + +@@ -409,6 +410,7 @@ static void uwb_rc_neh_grok_event(struct uwb_rc *rc, struct uwb_rceb *rceb, size + struct device *dev = &rc->uwb_dev.dev; + struct uwb_rc_neh *neh; + struct uwb_rceb *notif; ++ unsigned long flags; + + if (rceb->bEventContext == 0) { + notif = kmalloc(size, GFP_ATOMIC); +@@ -422,7 +424,11 @@ static void uwb_rc_neh_grok_event(struct uwb_rc *rc, struct uwb_rceb *rceb, size + } else { + neh = uwb_rc_neh_lookup(rc, rceb); + if (neh) { +- del_timer_sync(&neh->timer); ++ spin_lock_irqsave(&rc->neh_lock, flags); ++ /* to guard against a timeout */ ++ neh->completed = 1; ++ del_timer(&neh->timer); ++ spin_unlock_irqrestore(&rc->neh_lock, flags); + uwb_rc_neh_cb(neh, rceb, size); + } else + dev_warn(dev, "event 0x%02x/%04x/%02x (%zu bytes): nobody cared\n", +@@ -568,6 +574,10 @@ static void uwb_rc_neh_timer(unsigned long arg) + unsigned long flags; + + spin_lock_irqsave(&rc->neh_lock, flags); ++ if (neh->completed) { ++ spin_unlock_irqrestore(&rc->neh_lock, flags); ++ return; ++ } + if (neh->context) + __uwb_rc_neh_rm(rc, neh); + else +diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c +index afca14d..625890c 100644 +--- a/drivers/xen/gntdev.c ++++ b/drivers/xen/gntdev.c +@@ -692,7 +692,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma) + vma->vm_flags |= VM_RESERVED|VM_DONTEXPAND; + + if (use_ptemod) +- vma->vm_flags |= VM_DONTCOPY|VM_PFNMAP; ++ vma->vm_flags |= VM_DONTCOPY; + + vma->vm_private_data = map; + +diff --git a/drivers/xen/xenbus/xenbus_probe_frontend.c b/drivers/xen/xenbus/xenbus_probe_frontend.c +index 2f73195..2ce95c0 100644 +--- a/drivers/xen/xenbus/xenbus_probe_frontend.c ++++ b/drivers/xen/xenbus/xenbus_probe_frontend.c +@@ -129,7 +129,7 @@ static int read_backend_details(struct xenbus_device *xendev) + return xenbus_read_otherend_details(xendev, "backend-id", "backend"); + } + +-static int is_device_connecting(struct device *dev, void *data) ++static int is_device_connecting(struct device *dev, void *data, bool ignore_nonessential) + { + struct xenbus_device *xendev = to_xenbus_device(dev); + struct device_driver *drv = data; +@@ -146,16 +146,41 @@ static int is_device_connecting(struct device *dev, void *data) + if (drv && (dev->driver != drv)) + return 0; + ++ if (ignore_nonessential) { ++ /* With older QEMU, for PVonHVM guests the guest config files ++ * could contain: vfb = [ 'vnc=1, vnclisten=0.0.0.0'] ++ * which is nonsensical as there is no PV FB (there can be ++ * a PVKB) running as HVM guest. */ ++ ++ if ((strncmp(xendev->nodename, "device/vkbd", 11) == 0)) ++ return 0; ++ ++ if ((strncmp(xendev->nodename, "device/vfb", 10) == 0)) ++ return 0; ++ } + xendrv = to_xenbus_driver(dev->driver); + return (xendev->state < XenbusStateConnected || + (xendev->state == XenbusStateConnected && + xendrv->is_ready && !xendrv->is_ready(xendev))); + } ++static int essential_device_connecting(struct device *dev, void *data) ++{ ++ return is_device_connecting(dev, data, true /* ignore PV[KBB+FB] */); ++} ++static int non_essential_device_connecting(struct device *dev, void *data) ++{ ++ return is_device_connecting(dev, data, false); ++} + +-static int exists_connecting_device(struct device_driver *drv) ++static int exists_essential_connecting_device(struct device_driver *drv) + { + return bus_for_each_dev(&xenbus_frontend.bus, NULL, drv, +- is_device_connecting); ++ essential_device_connecting); ++} ++static int exists_non_essential_connecting_device(struct device_driver *drv) ++{ ++ return bus_for_each_dev(&xenbus_frontend.bus, NULL, drv, ++ non_essential_device_connecting); + } + + static int print_device_status(struct device *dev, void *data) +@@ -186,6 +211,23 @@ static int print_device_status(struct device *dev, void *data) + /* We only wait for device setup after most initcalls have run. */ + static int ready_to_wait_for_devices; + ++static bool wait_loop(unsigned long start, unsigned int max_delay, ++ unsigned int *seconds_waited) ++{ ++ if (time_after(jiffies, start + (*seconds_waited+5)*HZ)) { ++ if (!*seconds_waited) ++ printk(KERN_WARNING "XENBUS: Waiting for " ++ "devices to initialise: "); ++ *seconds_waited += 5; ++ printk("%us...", max_delay - *seconds_waited); ++ if (*seconds_waited == max_delay) ++ return true; ++ } ++ ++ schedule_timeout_interruptible(HZ/10); ++ ++ return false; ++} + /* + * On a 5-minute timeout, wait for all devices currently configured. We need + * to do this to guarantee that the filesystems and / or network devices +@@ -209,19 +251,14 @@ static void wait_for_devices(struct xenbus_driver *xendrv) + if (!ready_to_wait_for_devices || !xen_domain()) + return; + +- while (exists_connecting_device(drv)) { +- if (time_after(jiffies, start + (seconds_waited+5)*HZ)) { +- if (!seconds_waited) +- printk(KERN_WARNING "XENBUS: Waiting for " +- "devices to initialise: "); +- seconds_waited += 5; +- printk("%us...", 300 - seconds_waited); +- if (seconds_waited == 300) +- break; +- } +- +- schedule_timeout_interruptible(HZ/10); +- } ++ while (exists_non_essential_connecting_device(drv)) ++ if (wait_loop(start, 30, &seconds_waited)) ++ break; ++ ++ /* Skips PVKB and PVFB check.*/ ++ while (exists_essential_connecting_device(drv)) ++ if (wait_loop(start, 270, &seconds_waited)) ++ break; + + if (seconds_waited) + printk("\n"); +diff --git a/fs/autofs4/autofs_i.h b/fs/autofs4/autofs_i.h +index 308a98b..650d520 100644 +--- a/fs/autofs4/autofs_i.h ++++ b/fs/autofs4/autofs_i.h +@@ -110,7 +110,6 @@ struct autofs_sb_info { + int sub_version; + int min_proto; + int max_proto; +- int compat_daemon; + unsigned long exp_timeout; + unsigned int type; + int reghost_enabled; +@@ -269,6 +268,17 @@ int autofs4_fill_super(struct super_block *, void *, int); + struct autofs_info *autofs4_new_ino(struct autofs_sb_info *); + void autofs4_clean_ino(struct autofs_info *); + ++static inline int autofs_prepare_pipe(struct file *pipe) ++{ ++ if (!pipe->f_op || !pipe->f_op->write) ++ return -EINVAL; ++ if (!S_ISFIFO(pipe->f_dentry->d_inode->i_mode)) ++ return -EINVAL; ++ /* We want a packet pipe */ ++ pipe->f_flags |= O_DIRECT; ++ return 0; ++} ++ + /* Queue management functions */ + + int autofs4_wait(struct autofs_sb_info *,struct dentry *, enum autofs_notify); +diff --git a/fs/autofs4/dev-ioctl.c b/fs/autofs4/dev-ioctl.c +index 56bac70..de54271 100644 +--- a/fs/autofs4/dev-ioctl.c ++++ b/fs/autofs4/dev-ioctl.c +@@ -376,7 +376,7 @@ static int autofs_dev_ioctl_setpipefd(struct file *fp, + err = -EBADF; + goto out; + } +- if (!pipe->f_op || !pipe->f_op->write) { ++ if (autofs_prepare_pipe(pipe) < 0) { + err = -EPIPE; + fput(pipe); + goto out; +@@ -385,7 +385,6 @@ static int autofs_dev_ioctl_setpipefd(struct file *fp, + sbi->pipefd = pipefd; + sbi->pipe = pipe; + sbi->catatonic = 0; +- sbi->compat_daemon = is_compat_task(); + } + out: + mutex_unlock(&sbi->wq_mutex); +diff --git a/fs/autofs4/inode.c b/fs/autofs4/inode.c +index 98a5695..7b5293e 100644 +--- a/fs/autofs4/inode.c ++++ b/fs/autofs4/inode.c +@@ -19,7 +19,6 @@ + #include <linux/parser.h> + #include <linux/bitops.h> + #include <linux/magic.h> +-#include <linux/compat.h> + #include "autofs_i.h" + #include <linux/module.h> + +@@ -225,7 +224,6 @@ int autofs4_fill_super(struct super_block *s, void *data, int silent) + set_autofs_type_indirect(&sbi->type); + sbi->min_proto = 0; + sbi->max_proto = 0; +- sbi->compat_daemon = is_compat_task(); + mutex_init(&sbi->wq_mutex); + spin_lock_init(&sbi->fs_lock); + sbi->queues = NULL; +@@ -294,7 +292,7 @@ int autofs4_fill_super(struct super_block *s, void *data, int silent) + printk("autofs: could not open pipe file descriptor\n"); + goto fail_dput; + } +- if (!pipe->f_op || !pipe->f_op->write) ++ if (autofs_prepare_pipe(pipe) < 0) + goto fail_fput; + sbi->pipe = pipe; + sbi->pipefd = pipefd; +diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c +index 6861f61..e1fbdee 100644 +--- a/fs/autofs4/waitq.c ++++ b/fs/autofs4/waitq.c +@@ -90,24 +90,7 @@ static int autofs4_write(struct file *file, const void *addr, int bytes) + + return (bytes > 0); + } +- +-/* +- * The autofs_v5 packet was misdesigned. +- * +- * The packets are identical on x86-32 and x86-64, but have different +- * alignment. Which means that 'sizeof()' will give different results. +- * Fix it up for the case of running 32-bit user mode on a 64-bit kernel. +- */ +-static noinline size_t autofs_v5_packet_size(struct autofs_sb_info *sbi) +-{ +- size_t pktsz = sizeof(struct autofs_v5_packet); +-#if defined(CONFIG_X86_64) && defined(CONFIG_COMPAT) +- if (sbi->compat_daemon > 0) +- pktsz -= 4; +-#endif +- return pktsz; +-} +- ++ + static void autofs4_notify_daemon(struct autofs_sb_info *sbi, + struct autofs_wait_queue *wq, + int type) +@@ -164,7 +147,8 @@ static void autofs4_notify_daemon(struct autofs_sb_info *sbi, + { + struct autofs_v5_packet *packet = &pkt.v5_pkt.v5_packet; + +- pktsz = autofs_v5_packet_size(sbi); ++ pktsz = sizeof(*packet); ++ + packet->wait_queue_token = wq->wait_queue_token; + packet->len = wq->name.len; + memcpy(packet->name, wq->name.name, wq->name.len); +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index 6738503..83a871f 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -2025,7 +2025,7 @@ BTRFS_SETGET_STACK_FUNCS(root_last_snapshot, struct btrfs_root_item, + + static inline bool btrfs_root_readonly(struct btrfs_root *root) + { +- return root->root_item.flags & BTRFS_ROOT_SUBVOL_RDONLY; ++ return (root->root_item.flags & cpu_to_le64(BTRFS_ROOT_SUBVOL_RDONLY)) != 0; + } + + /* struct btrfs_root_backup */ +diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c +index 0e6adac..e89803b 100644 +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -4826,8 +4826,12 @@ parse_DFS_referrals(TRANSACTION2_GET_DFS_REFER_RSP *pSMBr, + max_len = data_end - temp; + node->node_name = cifs_strndup_from_ucs(temp, max_len, + is_unicode, nls_codepage); +- if (!node->node_name) ++ if (!node->node_name) { + rc = -ENOMEM; ++ goto parse_DFS_referrals_exit; ++ } ++ ++ ref++; + } + + parse_DFS_referrals_exit: +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index ea54cde..4d9d3a4 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -988,6 +988,10 @@ static int path_count[PATH_ARR_SIZE]; + + static int path_count_inc(int nests) + { ++ /* Allow an arbitrary number of depth 1 paths */ ++ if (nests == 0) ++ return 0; ++ + if (++path_count[nests] > path_limits[nests]) + return -1; + return 0; +diff --git a/fs/exec.c b/fs/exec.c +index 3625464..160cd2f 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -973,6 +973,9 @@ static int de_thread(struct task_struct *tsk) + sig->notify_count = 0; + + no_thread_group: ++ /* we have changed execution domain */ ++ tsk->exit_signal = SIGCHLD; ++ + if (current->mm) + setmax_mm_hiwater_rss(&sig->maxrss, current->mm); + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index c2a2012..54f2bdc 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -2812,7 +2812,7 @@ static int ext4_split_extent_at(handle_t *handle, + if (err) + goto fix_extent_len; + /* update the extent length and mark as initialized */ +- ex->ee_len = cpu_to_le32(ee_len); ++ ex->ee_len = cpu_to_le16(ee_len); + ext4_ext_try_to_merge(inode, path, ex); + err = ext4_ext_dirty(handle, inode, path + depth); + goto out; +diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c +index 4dfbfec..ec2a9c2 100644 +--- a/fs/hfsplus/catalog.c ++++ b/fs/hfsplus/catalog.c +@@ -366,6 +366,10 @@ int hfsplus_rename_cat(u32 cnid, + err = hfs_brec_find(&src_fd); + if (err) + goto out; ++ if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) { ++ err = -EIO; ++ goto out; ++ } + + hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset, + src_fd.entrylength); +diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c +index 4536cd3..5adb740 100644 +--- a/fs/hfsplus/dir.c ++++ b/fs/hfsplus/dir.c +@@ -150,6 +150,11 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir) + filp->f_pos++; + /* fall through */ + case 1: ++ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { ++ err = -EIO; ++ goto out; ++ } ++ + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, + fd.entrylength); + if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) { +@@ -181,6 +186,12 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir) + err = -EIO; + goto out; + } ++ ++ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { ++ err = -EIO; ++ goto out; ++ } ++ + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, + fd.entrylength); + type = be16_to_cpu(entry.type); +diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c +index 68d704d..d751f04 100644 +--- a/fs/jbd2/commit.c ++++ b/fs/jbd2/commit.c +@@ -683,7 +683,7 @@ start_journal_io: + if (commit_transaction->t_need_data_flush && + (journal->j_fs_dev != journal->j_dev) && + (journal->j_flags & JBD2_BARRIER)) +- blkdev_issue_flush(journal->j_fs_dev, GFP_KERNEL, NULL); ++ blkdev_issue_flush(journal->j_fs_dev, GFP_NOFS, NULL); + + /* Done it all: now write the commit record asynchronously. */ + if (JBD2_HAS_INCOMPAT_FEATURE(journal, +@@ -819,7 +819,7 @@ wait_for_iobuf: + if (JBD2_HAS_INCOMPAT_FEATURE(journal, + JBD2_FEATURE_INCOMPAT_ASYNC_COMMIT) && + journal->j_flags & JBD2_BARRIER) { +- blkdev_issue_flush(journal->j_dev, GFP_KERNEL, NULL); ++ blkdev_issue_flush(journal->j_dev, GFP_NOFS, NULL); + } + + if (err) +diff --git a/fs/lockd/clnt4xdr.c b/fs/lockd/clnt4xdr.c +index f848b52..046bb77 100644 +--- a/fs/lockd/clnt4xdr.c ++++ b/fs/lockd/clnt4xdr.c +@@ -241,7 +241,7 @@ static int decode_nlm4_stat(struct xdr_stream *xdr, __be32 *stat) + p = xdr_inline_decode(xdr, 4); + if (unlikely(p == NULL)) + goto out_overflow; +- if (unlikely(*p > nlm4_failed)) ++ if (unlikely(ntohl(*p) > ntohl(nlm4_failed))) + goto out_bad_xdr; + *stat = *p; + return 0; +diff --git a/fs/lockd/clntxdr.c b/fs/lockd/clntxdr.c +index 180ac34..36057ce 100644 +--- a/fs/lockd/clntxdr.c ++++ b/fs/lockd/clntxdr.c +@@ -236,7 +236,7 @@ static int decode_nlm_stat(struct xdr_stream *xdr, + p = xdr_inline_decode(xdr, 4); + if (unlikely(p == NULL)) + goto out_overflow; +- if (unlikely(*p > nlm_lck_denied_grace_period)) ++ if (unlikely(ntohl(*p) > ntohl(nlm_lck_denied_grace_period))) + goto out_enum; + *stat = *p; + return 0; +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 757293b..51f6a40 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -4453,7 +4453,9 @@ static int _nfs4_do_setlk(struct nfs4_state *state, int cmd, struct file_lock *f + static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request) + { + struct nfs_server *server = NFS_SERVER(state->inode); +- struct nfs4_exception exception = { }; ++ struct nfs4_exception exception = { ++ .inode = state->inode, ++ }; + int err; + + do { +@@ -4471,7 +4473,9 @@ static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request + static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request) + { + struct nfs_server *server = NFS_SERVER(state->inode); +- struct nfs4_exception exception = { }; ++ struct nfs4_exception exception = { ++ .inode = state->inode, ++ }; + int err; + + err = nfs4_set_lock_state(state, request); +@@ -4551,6 +4555,7 @@ static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock * + { + struct nfs4_exception exception = { + .state = state, ++ .inode = state->inode, + }; + int err; + +@@ -4596,6 +4601,20 @@ nfs4_proc_lock(struct file *filp, int cmd, struct file_lock *request) + + if (state == NULL) + return -ENOLCK; ++ /* ++ * Don't rely on the VFS having checked the file open mode, ++ * since it won't do this for flock() locks. ++ */ ++ switch (request->fl_type & (F_RDLCK|F_WRLCK|F_UNLCK)) { ++ case F_RDLCK: ++ if (!(filp->f_mode & FMODE_READ)) ++ return -EBADF; ++ break; ++ case F_WRLCK: ++ if (!(filp->f_mode & FMODE_WRITE)) ++ return -EBADF; ++ } ++ + do { + status = nfs4_proc_setlk(state, cmd, request); + if ((status != -EAGAIN) || IS_SETLK(cmd)) +diff --git a/fs/nfs/read.c b/fs/nfs/read.c +index cfa175c..41bae32 100644 +--- a/fs/nfs/read.c ++++ b/fs/nfs/read.c +@@ -324,7 +324,7 @@ out_bad: + while (!list_empty(res)) { + data = list_entry(res->next, struct nfs_read_data, list); + list_del(&data->list); +- nfs_readdata_free(data); ++ nfs_readdata_release(data); + } + nfs_readpage_release(req); + return -ENOMEM; +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 3ada13c..376cd65 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -2708,11 +2708,15 @@ static struct vfsmount *nfs_do_root_mount(struct file_system_type *fs_type, + char *root_devname; + size_t len; + +- len = strlen(hostname) + 3; ++ len = strlen(hostname) + 5; + root_devname = kmalloc(len, GFP_KERNEL); + if (root_devname == NULL) + return ERR_PTR(-ENOMEM); +- snprintf(root_devname, len, "%s:/", hostname); ++ /* Does hostname needs to be enclosed in brackets? */ ++ if (strchr(hostname, ':')) ++ snprintf(root_devname, len, "[%s]:/", hostname); ++ else ++ snprintf(root_devname, len, "%s:/", hostname); + root_mnt = vfs_kern_mount(fs_type, flags, root_devname, data); + kfree(root_devname); + return root_mnt; +diff --git a/fs/nfs/write.c b/fs/nfs/write.c +index 1dda78d..4efd421 100644 +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -974,7 +974,7 @@ out_bad: + while (!list_empty(res)) { + data = list_entry(res->next, struct nfs_write_data, list); + list_del(&data->list); +- nfs_writedata_free(data); ++ nfs_writedata_release(data); + } + nfs_redirty_request(req); + return -ENOMEM; +diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c +index 08c6e36..43f46cd 100644 +--- a/fs/nfsd/nfs3xdr.c ++++ b/fs/nfsd/nfs3xdr.c +@@ -803,13 +803,13 @@ encode_entry_baggage(struct nfsd3_readdirres *cd, __be32 *p, const char *name, + return p; + } + +-static int ++static __be32 + compose_entry_fh(struct nfsd3_readdirres *cd, struct svc_fh *fhp, + const char *name, int namlen) + { + struct svc_export *exp; + struct dentry *dparent, *dchild; +- int rv = 0; ++ __be32 rv = nfserr_noent; + + dparent = cd->fh.fh_dentry; + exp = cd->fh.fh_export; +@@ -817,26 +817,20 @@ compose_entry_fh(struct nfsd3_readdirres *cd, struct svc_fh *fhp, + if (isdotent(name, namlen)) { + if (namlen == 2) { + dchild = dget_parent(dparent); +- if (dchild == dparent) { +- /* filesystem root - cannot return filehandle for ".." */ +- dput(dchild); +- return -ENOENT; +- } ++ /* filesystem root - cannot return filehandle for ".." */ ++ if (dchild == dparent) ++ goto out; + } else + dchild = dget(dparent); + } else + dchild = lookup_one_len(name, dparent, namlen); + if (IS_ERR(dchild)) +- return -ENOENT; +- rv = -ENOENT; ++ return rv; + if (d_mountpoint(dchild)) + goto out; +- rv = fh_compose(fhp, exp, dchild, &cd->fh); +- if (rv) +- goto out; + if (!dchild->d_inode) + goto out; +- rv = 0; ++ rv = fh_compose(fhp, exp, dchild, &cd->fh); + out: + dput(dchild); + return rv; +@@ -845,7 +839,7 @@ out: + static __be32 *encode_entryplus_baggage(struct nfsd3_readdirres *cd, __be32 *p, const char *name, int namlen) + { + struct svc_fh fh; +- int err; ++ __be32 err; + + fh_init(&fh, NFS3_FHSIZE); + err = compose_entry_fh(cd, &fh, name, namlen); +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index fa38336..b8c5538 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -231,17 +231,17 @@ do_open_lookup(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nfsd4_o + */ + if (open->op_createmode == NFS4_CREATE_EXCLUSIVE && status == 0) + open->op_bmval[1] = (FATTR4_WORD1_TIME_ACCESS | +- FATTR4_WORD1_TIME_MODIFY); ++ FATTR4_WORD1_TIME_MODIFY); + } else { + status = nfsd_lookup(rqstp, current_fh, + open->op_fname.data, open->op_fname.len, &resfh); + fh_unlock(current_fh); +- if (status) +- goto out; +- status = nfsd_check_obj_isreg(&resfh); + } + if (status) + goto out; ++ status = nfsd_check_obj_isreg(&resfh); ++ if (status) ++ goto out; + + if (is_create_with_attrs(open) && open->op_acl != NULL) + do_set_nfs4_acl(rqstp, &resfh, open->op_acl, open->op_bmval); +@@ -827,6 +827,7 @@ nfsd4_setattr(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + struct nfsd4_setattr *setattr) + { + __be32 status = nfs_ok; ++ int err; + + if (setattr->sa_iattr.ia_valid & ATTR_SIZE) { + nfs4_lock_state(); +@@ -838,9 +839,9 @@ nfsd4_setattr(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + return status; + } + } +- status = mnt_want_write(cstate->current_fh.fh_export->ex_path.mnt); +- if (status) +- return status; ++ err = mnt_want_write(cstate->current_fh.fh_export->ex_path.mnt); ++ if (err) ++ return nfserrno(err); + status = nfs_ok; + + status = check_attr_support(rqstp, cstate, setattr->sa_bmval, +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index 5abced7..4cfe260 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -4080,16 +4080,14 @@ out: + * vfs_test_lock. (Arguably perhaps test_lock should be done with an + * inode operation.) + */ +-static int nfsd_test_lock(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file_lock *lock) ++static __be32 nfsd_test_lock(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file_lock *lock) + { + struct file *file; +- int err; +- +- err = nfsd_open(rqstp, fhp, S_IFREG, NFSD_MAY_READ, &file); +- if (err) +- return err; +- err = vfs_test_lock(file, lock); +- nfsd_close(file); ++ __be32 err = nfsd_open(rqstp, fhp, S_IFREG, NFSD_MAY_READ, &file); ++ if (!err) { ++ err = nfserrno(vfs_test_lock(file, lock)); ++ nfsd_close(file); ++ } + return err; + } + +@@ -4103,7 +4101,6 @@ nfsd4_lockt(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + struct inode *inode; + struct file_lock file_lock; + struct nfs4_lockowner *lo; +- int error; + __be32 status; + + if (locks_in_grace()) +@@ -4149,12 +4146,10 @@ nfsd4_lockt(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + + nfs4_transform_lock_offset(&file_lock); + +- status = nfs_ok; +- error = nfsd_test_lock(rqstp, &cstate->current_fh, &file_lock); +- if (error) { +- status = nfserrno(error); ++ status = nfsd_test_lock(rqstp, &cstate->current_fh, &file_lock); ++ if (status) + goto out; +- } ++ + if (file_lock.fl_type != F_UNLCK) { + status = nfserr_denied; + nfs4_set_lock_denied(&file_lock, &lockt->lt_denied); +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c +index b6fa792..9cfa60a 100644 +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -3411,7 +3411,7 @@ nfsd4_encode_test_stateid(struct nfsd4_compoundres *resp, int nfserr, + nfsd4_decode_stateid(argp, &si); + valid = nfs4_validate_stateid(cl, &si); + RESERVE_SPACE(4); +- *p++ = htonl(valid); ++ *p++ = valid; + resp->p = p; + } + nfs4_unlock_state(); +diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c +index 7a2e442..5c3cd82 100644 +--- a/fs/nfsd/vfs.c ++++ b/fs/nfsd/vfs.c +@@ -1439,7 +1439,7 @@ do_nfsd_create(struct svc_rqst *rqstp, struct svc_fh *fhp, + switch (createmode) { + case NFS3_CREATE_UNCHECKED: + if (! S_ISREG(dchild->d_inode->i_mode)) +- err = nfserr_exist; ++ goto out; + else if (truncp) { + /* in nfsv4, we need to treat this case a little + * differently. we don't want to truncate the +diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c +index 3165aeb..31b9463 100644 +--- a/fs/ocfs2/alloc.c ++++ b/fs/ocfs2/alloc.c +@@ -1134,7 +1134,7 @@ static int ocfs2_adjust_rightmost_branch(handle_t *handle, + } + + el = path_leaf_el(path); +- rec = &el->l_recs[le32_to_cpu(el->l_next_free_rec) - 1]; ++ rec = &el->l_recs[le16_to_cpu(el->l_next_free_rec) - 1]; + + ocfs2_adjust_rightmost_records(handle, et, path, rec); + +diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c +index cf78233..9f32d7c 100644 +--- a/fs/ocfs2/refcounttree.c ++++ b/fs/ocfs2/refcounttree.c +@@ -1036,14 +1036,14 @@ static int ocfs2_get_refcount_cpos_end(struct ocfs2_caching_info *ci, + + tmp_el = left_path->p_node[subtree_root].el; + blkno = left_path->p_node[subtree_root+1].bh->b_blocknr; +- for (i = 0; i < le32_to_cpu(tmp_el->l_next_free_rec); i++) { ++ for (i = 0; i < le16_to_cpu(tmp_el->l_next_free_rec); i++) { + if (le64_to_cpu(tmp_el->l_recs[i].e_blkno) == blkno) { + *cpos_end = le32_to_cpu(tmp_el->l_recs[i+1].e_cpos); + break; + } + } + +- BUG_ON(i == le32_to_cpu(tmp_el->l_next_free_rec)); ++ BUG_ON(i == le16_to_cpu(tmp_el->l_next_free_rec)); + + out: + ocfs2_free_path(left_path); +@@ -1468,7 +1468,7 @@ static int ocfs2_divide_leaf_refcount_block(struct buffer_head *ref_leaf_bh, + + trace_ocfs2_divide_leaf_refcount_block( + (unsigned long long)ref_leaf_bh->b_blocknr, +- le32_to_cpu(rl->rl_count), le32_to_cpu(rl->rl_used)); ++ le16_to_cpu(rl->rl_count), le16_to_cpu(rl->rl_used)); + + /* + * XXX: Improvement later. +@@ -2411,7 +2411,7 @@ static int ocfs2_calc_refcount_meta_credits(struct super_block *sb, + rb = (struct ocfs2_refcount_block *) + prev_bh->b_data; + +- if (le64_to_cpu(rb->rf_records.rl_used) + ++ if (le16_to_cpu(rb->rf_records.rl_used) + + recs_add > + le16_to_cpu(rb->rf_records.rl_count)) + ref_blocks++; +@@ -2476,7 +2476,7 @@ static int ocfs2_calc_refcount_meta_credits(struct super_block *sb, + if (prev_bh) { + rb = (struct ocfs2_refcount_block *)prev_bh->b_data; + +- if (le64_to_cpu(rb->rf_records.rl_used) + recs_add > ++ if (le16_to_cpu(rb->rf_records.rl_used) + recs_add > + le16_to_cpu(rb->rf_records.rl_count)) + ref_blocks++; + +@@ -3629,7 +3629,7 @@ int ocfs2_refcounted_xattr_delete_need(struct inode *inode, + * one will split a refcount rec, so totally we need + * clusters * 2 new refcount rec. + */ +- if (le64_to_cpu(rb->rf_records.rl_used) + clusters * 2 > ++ if (le16_to_cpu(rb->rf_records.rl_used) + clusters * 2 > + le16_to_cpu(rb->rf_records.rl_count)) + ref_blocks++; + +diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c +index ba5d97e..f169da4 100644 +--- a/fs/ocfs2/suballoc.c ++++ b/fs/ocfs2/suballoc.c +@@ -600,7 +600,7 @@ static void ocfs2_bg_alloc_cleanup(handle_t *handle, + ret = ocfs2_free_clusters(handle, cluster_ac->ac_inode, + cluster_ac->ac_bh, + le64_to_cpu(rec->e_blkno), +- le32_to_cpu(rec->e_leaf_clusters)); ++ le16_to_cpu(rec->e_leaf_clusters)); + if (ret) + mlog_errno(ret); + /* Try all the clusters to free */ +@@ -1628,7 +1628,7 @@ static int ocfs2_bg_discontig_fix_by_rec(struct ocfs2_suballoc_result *res, + { + unsigned int bpc = le16_to_cpu(cl->cl_bpc); + unsigned int bitoff = le32_to_cpu(rec->e_cpos) * bpc; +- unsigned int bitcount = le32_to_cpu(rec->e_leaf_clusters) * bpc; ++ unsigned int bitcount = le16_to_cpu(rec->e_leaf_clusters) * bpc; + + if (res->sr_bit_offset < bitoff) + return 0; +diff --git a/fs/pipe.c b/fs/pipe.c +index 4065f07..05ed5ca 100644 +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -345,6 +345,16 @@ static const struct pipe_buf_operations anon_pipe_buf_ops = { + .get = generic_pipe_buf_get, + }; + ++static const struct pipe_buf_operations packet_pipe_buf_ops = { ++ .can_merge = 0, ++ .map = generic_pipe_buf_map, ++ .unmap = generic_pipe_buf_unmap, ++ .confirm = generic_pipe_buf_confirm, ++ .release = anon_pipe_buf_release, ++ .steal = generic_pipe_buf_steal, ++ .get = generic_pipe_buf_get, ++}; ++ + static ssize_t + pipe_read(struct kiocb *iocb, const struct iovec *_iov, + unsigned long nr_segs, loff_t pos) +@@ -406,6 +416,13 @@ redo: + ret += chars; + buf->offset += chars; + buf->len -= chars; ++ ++ /* Was it a packet buffer? Clean up and exit */ ++ if (buf->flags & PIPE_BUF_FLAG_PACKET) { ++ total_len = chars; ++ buf->len = 0; ++ } ++ + if (!buf->len) { + buf->ops = NULL; + ops->release(pipe, buf); +@@ -458,6 +475,11 @@ redo: + return ret; + } + ++static inline int is_packetized(struct file *file) ++{ ++ return (file->f_flags & O_DIRECT) != 0; ++} ++ + static ssize_t + pipe_write(struct kiocb *iocb, const struct iovec *_iov, + unsigned long nr_segs, loff_t ppos) +@@ -592,6 +614,11 @@ redo2: + buf->ops = &anon_pipe_buf_ops; + buf->offset = 0; + buf->len = chars; ++ buf->flags = 0; ++ if (is_packetized(filp)) { ++ buf->ops = &packet_pipe_buf_ops; ++ buf->flags = PIPE_BUF_FLAG_PACKET; ++ } + pipe->nrbufs = ++bufs; + pipe->tmp_page = NULL; + +@@ -1012,7 +1039,7 @@ struct file *create_write_pipe(int flags) + goto err_dentry; + f->f_mapping = inode->i_mapping; + +- f->f_flags = O_WRONLY | (flags & O_NONBLOCK); ++ f->f_flags = O_WRONLY | (flags & (O_NONBLOCK | O_DIRECT)); + f->f_version = 0; + + return f; +@@ -1056,7 +1083,7 @@ int do_pipe_flags(int *fd, int flags) + int error; + int fdw, fdr; + +- if (flags & ~(O_CLOEXEC | O_NONBLOCK)) ++ if (flags & ~(O_CLOEXEC | O_NONBLOCK | O_DIRECT)) + return -EINVAL; + + fw = create_write_pipe(flags); +diff --git a/fs/splice.c b/fs/splice.c +index fa2defa..6d0dfb8 100644 +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -31,6 +31,7 @@ + #include <linux/uio.h> + #include <linux/security.h> + #include <linux/gfp.h> ++#include <linux/socket.h> + + /* + * Attempt to steal a page from a pipe buffer. This should perhaps go into +@@ -691,7 +692,9 @@ static int pipe_to_sendpage(struct pipe_inode_info *pipe, + if (!likely(file->f_op && file->f_op->sendpage)) + return -EINVAL; + +- more = (sd->flags & SPLICE_F_MORE) || sd->len < sd->total_len; ++ more = (sd->flags & SPLICE_F_MORE) ? MSG_MORE : 0; ++ if (sd->len < sd->total_len) ++ more |= MSG_SENDPAGE_NOTLAST; + return file->f_op->sendpage(file, buf->page, buf->offset, + sd->len, &pos, more); + } +diff --git a/include/asm-generic/statfs.h b/include/asm-generic/statfs.h +index 0fd28e0..c749af9 100644 +--- a/include/asm-generic/statfs.h ++++ b/include/asm-generic/statfs.h +@@ -15,7 +15,7 @@ typedef __kernel_fsid_t fsid_t; + * with a 10' pole. + */ + #ifndef __statfs_word +-#if BITS_PER_LONG == 64 ++#if __BITS_PER_LONG == 64 + #define __statfs_word long + #else + #define __statfs_word __u32 +diff --git a/include/linux/efi.h b/include/linux/efi.h +index 2362a0b..1328d8c 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -383,7 +383,18 @@ extern int __init efi_setup_pcdp_console(char *); + #define EFI_VARIABLE_NON_VOLATILE 0x0000000000000001 + #define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x0000000000000002 + #define EFI_VARIABLE_RUNTIME_ACCESS 0x0000000000000004 +- ++#define EFI_VARIABLE_HARDWARE_ERROR_RECORD 0x0000000000000008 ++#define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x0000000000000010 ++#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x0000000000000020 ++#define EFI_VARIABLE_APPEND_WRITE 0x0000000000000040 ++ ++#define EFI_VARIABLE_MASK (EFI_VARIABLE_NON_VOLATILE | \ ++ EFI_VARIABLE_BOOTSERVICE_ACCESS | \ ++ EFI_VARIABLE_RUNTIME_ACCESS | \ ++ EFI_VARIABLE_HARDWARE_ERROR_RECORD | \ ++ EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS | \ ++ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS | \ ++ EFI_VARIABLE_APPEND_WRITE) + /* + * EFI Device Path information + */ +diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h +index d526231..35410ef 100644 +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -562,6 +562,7 @@ void kvm_free_irq_source_id(struct kvm *kvm, int irq_source_id); + + #ifdef CONFIG_IOMMU_API + int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot); ++void kvm_iommu_unmap_pages(struct kvm *kvm, struct kvm_memory_slot *slot); + int kvm_iommu_map_guest(struct kvm *kvm); + int kvm_iommu_unmap_guest(struct kvm *kvm); + int kvm_assign_device(struct kvm *kvm, +@@ -575,6 +576,11 @@ static inline int kvm_iommu_map_pages(struct kvm *kvm, + return 0; + } + ++static inline void kvm_iommu_unmap_pages(struct kvm *kvm, ++ struct kvm_memory_slot *slot) ++{ ++} ++ + static inline int kvm_iommu_map_guest(struct kvm *kvm) + { + return -ENODEV; +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index a82ad4d..cbeb586 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -2536,8 +2536,6 @@ extern void net_disable_timestamp(void); + extern void *dev_seq_start(struct seq_file *seq, loff_t *pos); + extern void *dev_seq_next(struct seq_file *seq, void *v, loff_t *pos); + extern void dev_seq_stop(struct seq_file *seq, void *v); +-extern int dev_seq_open_ops(struct inode *inode, struct file *file, +- const struct seq_operations *ops); + #endif + + extern int netdev_class_create_file(struct class_attribute *class_attr); +diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h +index 77257c9..0072a53 100644 +--- a/include/linux/pipe_fs_i.h ++++ b/include/linux/pipe_fs_i.h +@@ -8,6 +8,7 @@ + #define PIPE_BUF_FLAG_LRU 0x01 /* page is on the LRU */ + #define PIPE_BUF_FLAG_ATOMIC 0x02 /* was atomically mapped */ + #define PIPE_BUF_FLAG_GIFT 0x04 /* page is a gift */ ++#define PIPE_BUF_FLAG_PACKET 0x08 /* read() as a packet */ + + /** + * struct pipe_buffer - a linux kernel pipe buffer +diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h +index c6db9fb..bb1fac5 100644 +--- a/include/linux/seqlock.h ++++ b/include/linux/seqlock.h +@@ -141,7 +141,7 @@ static inline unsigned __read_seqcount_begin(const seqcount_t *s) + unsigned ret; + + repeat: +- ret = s->sequence; ++ ret = ACCESS_ONCE(s->sequence); + if (unlikely(ret & 1)) { + cpu_relax(); + goto repeat; +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index 6cf8b53..e689b47 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -458,6 +458,7 @@ struct sk_buff { + union { + __u32 mark; + __u32 dropcount; ++ __u32 avail_size; + }; + + __u16 vlan_tci; +@@ -1326,6 +1327,18 @@ static inline int skb_tailroom(const struct sk_buff *skb) + } + + /** ++ * skb_availroom - bytes at buffer end ++ * @skb: buffer to check ++ * ++ * Return the number of bytes of free space at the tail of an sk_buff ++ * allocated by sk_stream_alloc() ++ */ ++static inline int skb_availroom(const struct sk_buff *skb) ++{ ++ return skb_is_nonlinear(skb) ? 0 : skb->avail_size - skb->len; ++} ++ ++/** + * skb_reserve - adjust headroom + * @skb: buffer to alter + * @len: bytes to move +diff --git a/include/linux/socket.h b/include/linux/socket.h +index d0e77f6..ad919e0 100644 +--- a/include/linux/socket.h ++++ b/include/linux/socket.h +@@ -265,7 +265,7 @@ struct ucred { + #define MSG_NOSIGNAL 0x4000 /* Do not generate SIGPIPE */ + #define MSG_MORE 0x8000 /* Sender will send more */ + #define MSG_WAITFORONE 0x10000 /* recvmmsg(): block until 1+ packets avail */ +- ++#define MSG_SENDPAGE_NOTLAST 0x20000 /* sendpage() internal : not the last page */ + #define MSG_EOF MSG_FIN + + #define MSG_CMSG_CLOEXEC 0x40000000 /* Set close_on_exit for file +diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h +index 03354d5..64cec8d 100644 +--- a/include/linux/usb/hcd.h ++++ b/include/linux/usb/hcd.h +@@ -128,6 +128,8 @@ struct usb_hcd { + unsigned wireless:1; /* Wireless USB HCD */ + unsigned authorized_default:1; + unsigned has_tt:1; /* Integrated TT in root hub */ ++ unsigned broken_pci_sleep:1; /* Don't put the ++ controller in PCI-D3 for system sleep */ + + int irq; /* irq allocated */ + void __iomem *regs; /* device memory/io */ +diff --git a/kernel/exit.c b/kernel/exit.c +index e6e01b9..5a8a66e 100644 +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -819,25 +819,6 @@ static void exit_notify(struct task_struct *tsk, int group_dead) + if (group_dead) + kill_orphaned_pgrp(tsk->group_leader, NULL); + +- /* Let father know we died +- * +- * Thread signals are configurable, but you aren't going to use +- * that to send signals to arbitrary processes. +- * That stops right now. +- * +- * If the parent exec id doesn't match the exec id we saved +- * when we started then we know the parent has changed security +- * domain. +- * +- * If our self_exec id doesn't match our parent_exec_id then +- * we have changed execution domain as these two values started +- * the same after a fork. +- */ +- if (thread_group_leader(tsk) && tsk->exit_signal != SIGCHLD && +- (tsk->parent_exec_id != tsk->real_parent->self_exec_id || +- tsk->self_exec_id != tsk->parent_exec_id)) +- tsk->exit_signal = SIGCHLD; +- + if (unlikely(tsk->ptrace)) { + int sig = thread_group_leader(tsk) && + thread_group_empty(tsk) && +diff --git a/kernel/power/swap.c b/kernel/power/swap.c +index 11a594c..b313086 100644 +--- a/kernel/power/swap.c ++++ b/kernel/power/swap.c +@@ -52,6 +52,23 @@ + + #define MAP_PAGE_ENTRIES (PAGE_SIZE / sizeof(sector_t) - 1) + ++/* ++ * Number of free pages that are not high. ++ */ ++static inline unsigned long low_free_pages(void) ++{ ++ return nr_free_pages() - nr_free_highpages(); ++} ++ ++/* ++ * Number of pages required to be kept free while writing the image. Always ++ * half of all available low pages before the writing starts. ++ */ ++static inline unsigned long reqd_free_pages(void) ++{ ++ return low_free_pages() / 2; ++} ++ + struct swap_map_page { + sector_t entries[MAP_PAGE_ENTRIES]; + sector_t next_swap; +@@ -73,7 +90,7 @@ struct swap_map_handle { + sector_t cur_swap; + sector_t first_sector; + unsigned int k; +- unsigned long nr_free_pages, written; ++ unsigned long reqd_free_pages; + u32 crc32; + }; + +@@ -317,8 +334,7 @@ static int get_swap_writer(struct swap_map_handle *handle) + goto err_rel; + } + handle->k = 0; +- handle->nr_free_pages = nr_free_pages() >> 1; +- handle->written = 0; ++ handle->reqd_free_pages = reqd_free_pages(); + handle->first_sector = handle->cur_swap; + return 0; + err_rel: +@@ -353,11 +369,11 @@ static int swap_write_page(struct swap_map_handle *handle, void *buf, + handle->cur_swap = offset; + handle->k = 0; + } +- if (bio_chain && ++handle->written > handle->nr_free_pages) { ++ if (bio_chain && low_free_pages() <= handle->reqd_free_pages) { + error = hib_wait_on_bio_chain(bio_chain); + if (error) + goto out; +- handle->written = 0; ++ handle->reqd_free_pages = reqd_free_pages(); + } + out: + return error; +@@ -619,7 +635,7 @@ static int save_image_lzo(struct swap_map_handle *handle, + * Adjust number of free pages after all allocations have been done. + * We don't want to run out of pages when writing. + */ +- handle->nr_free_pages = nr_free_pages() >> 1; ++ handle->reqd_free_pages = reqd_free_pages(); + + /* + * Start the CRC32 thread. +diff --git a/kernel/sched.c b/kernel/sched.c +index d6b149c..299f55c 100644 +--- a/kernel/sched.c ++++ b/kernel/sched.c +@@ -3538,13 +3538,10 @@ calc_load_n(unsigned long load, unsigned long exp, + * Once we've updated the global active value, we need to apply the exponential + * weights adjusted to the number of cycles missed. + */ +-static void calc_global_nohz(unsigned long ticks) ++static void calc_global_nohz(void) + { + long delta, active, n; + +- if (time_before(jiffies, calc_load_update)) +- return; +- + /* + * If we crossed a calc_load_update boundary, make sure to fold + * any pending idle changes, the respective CPUs might have +@@ -3556,31 +3553,25 @@ static void calc_global_nohz(unsigned long ticks) + atomic_long_add(delta, &calc_load_tasks); + + /* +- * If we were idle for multiple load cycles, apply them. ++ * It could be the one fold was all it took, we done! + */ +- if (ticks >= LOAD_FREQ) { +- n = ticks / LOAD_FREQ; ++ if (time_before(jiffies, calc_load_update + 10)) ++ return; + +- active = atomic_long_read(&calc_load_tasks); +- active = active > 0 ? active * FIXED_1 : 0; ++ /* ++ * Catch-up, fold however many we are behind still ++ */ ++ delta = jiffies - calc_load_update - 10; ++ n = 1 + (delta / LOAD_FREQ); + +- avenrun[0] = calc_load_n(avenrun[0], EXP_1, active, n); +- avenrun[1] = calc_load_n(avenrun[1], EXP_5, active, n); +- avenrun[2] = calc_load_n(avenrun[2], EXP_15, active, n); ++ active = atomic_long_read(&calc_load_tasks); ++ active = active > 0 ? active * FIXED_1 : 0; + +- calc_load_update += n * LOAD_FREQ; +- } ++ avenrun[0] = calc_load_n(avenrun[0], EXP_1, active, n); ++ avenrun[1] = calc_load_n(avenrun[1], EXP_5, active, n); ++ avenrun[2] = calc_load_n(avenrun[2], EXP_15, active, n); + +- /* +- * Its possible the remainder of the above division also crosses +- * a LOAD_FREQ period, the regular check in calc_global_load() +- * which comes after this will take care of that. +- * +- * Consider us being 11 ticks before a cycle completion, and us +- * sleeping for 4*LOAD_FREQ + 22 ticks, then the above code will +- * age us 4 cycles, and the test in calc_global_load() will +- * pick up the final one. +- */ ++ calc_load_update += n * LOAD_FREQ; + } + #else + static void calc_load_account_idle(struct rq *this_rq) +@@ -3592,7 +3583,7 @@ static inline long calc_load_fold_idle(void) + return 0; + } + +-static void calc_global_nohz(unsigned long ticks) ++static void calc_global_nohz(void) + { + } + #endif +@@ -3620,8 +3611,6 @@ void calc_global_load(unsigned long ticks) + { + long active; + +- calc_global_nohz(ticks); +- + if (time_before(jiffies, calc_load_update + 10)) + return; + +@@ -3633,6 +3622,16 @@ void calc_global_load(unsigned long ticks) + avenrun[2] = calc_load(avenrun[2], EXP_15, active); + + calc_load_update += LOAD_FREQ; ++ ++ /* ++ * Account one period with whatever state we found before ++ * folding in the nohz state and ageing the entire idle period. ++ * ++ * This avoids loosing a sample when we go idle between ++ * calc_load_account_active() (10 ticks ago) and now and thus ++ * under-accounting. ++ */ ++ calc_global_nohz(); + } + + /* +@@ -7605,16 +7604,26 @@ static void __sdt_free(const struct cpumask *cpu_map) + struct sd_data *sdd = &tl->data; + + for_each_cpu(j, cpu_map) { +- struct sched_domain *sd = *per_cpu_ptr(sdd->sd, j); +- if (sd && (sd->flags & SD_OVERLAP)) +- free_sched_groups(sd->groups, 0); +- kfree(*per_cpu_ptr(sdd->sd, j)); +- kfree(*per_cpu_ptr(sdd->sg, j)); +- kfree(*per_cpu_ptr(sdd->sgp, j)); ++ struct sched_domain *sd; ++ ++ if (sdd->sd) { ++ sd = *per_cpu_ptr(sdd->sd, j); ++ if (sd && (sd->flags & SD_OVERLAP)) ++ free_sched_groups(sd->groups, 0); ++ kfree(*per_cpu_ptr(sdd->sd, j)); ++ } ++ ++ if (sdd->sg) ++ kfree(*per_cpu_ptr(sdd->sg, j)); ++ if (sdd->sgp) ++ kfree(*per_cpu_ptr(sdd->sgp, j)); + } + free_percpu(sdd->sd); ++ sdd->sd = NULL; + free_percpu(sdd->sg); ++ sdd->sg = NULL; + free_percpu(sdd->sgp); ++ sdd->sgp = NULL; + } + } + +diff --git a/kernel/signal.c b/kernel/signal.c +index 2065515..08e0b97 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -1610,6 +1610,15 @@ bool do_notify_parent(struct task_struct *tsk, int sig) + BUG_ON(!tsk->ptrace && + (tsk->group_leader != tsk || !thread_group_empty(tsk))); + ++ if (sig != SIGCHLD) { ++ /* ++ * This is only possible if parent == real_parent. ++ * Check if it has changed security domain. ++ */ ++ if (tsk->parent_exec_id != tsk->parent->self_exec_id) ++ sig = SIGCHLD; ++ } ++ + info.si_signo = sig; + info.si_errno = 0; + /* +diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c +index 5199930..1dcf253 100644 +--- a/kernel/trace/trace_output.c ++++ b/kernel/trace/trace_output.c +@@ -638,6 +638,8 @@ int trace_print_lat_context(struct trace_iterator *iter) + { + u64 next_ts; + int ret; ++ /* trace_find_next_entry will reset ent_size */ ++ int ent_size = iter->ent_size; + struct trace_seq *s = &iter->seq; + struct trace_entry *entry = iter->ent, + *next_entry = trace_find_next_entry(iter, NULL, +@@ -646,6 +648,9 @@ int trace_print_lat_context(struct trace_iterator *iter) + unsigned long abs_usecs = ns2usecs(iter->ts - iter->tr->time_start); + unsigned long rel_usecs; + ++ /* Restore the original ent_size */ ++ iter->ent_size = ent_size; ++ + if (!next_entry) + next_ts = iter->ts; + rel_usecs = ns2usecs(next_ts - iter->ts); +diff --git a/mm/swap_state.c b/mm/swap_state.c +index 78cc4d1..7704d9c 100644 +--- a/mm/swap_state.c ++++ b/mm/swap_state.c +@@ -27,7 +27,7 @@ + */ + static const struct address_space_operations swap_aops = { + .writepage = swap_writepage, +- .set_page_dirty = __set_page_dirty_nobuffers, ++ .set_page_dirty = __set_page_dirty_no_writeback, + .migratepage = migrate_page, + }; + +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c +index e7c69f4..b04a6ef 100644 +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -2006,16 +2006,17 @@ static void __exit ax25_exit(void) + proc_net_remove(&init_net, "ax25_route"); + proc_net_remove(&init_net, "ax25"); + proc_net_remove(&init_net, "ax25_calls"); +- ax25_rt_free(); +- ax25_uid_free(); +- ax25_dev_free(); + +- ax25_unregister_sysctl(); + unregister_netdevice_notifier(&ax25_dev_notifier); ++ ax25_unregister_sysctl(); + + dev_remove_pack(&ax25_packet_type); + + sock_unregister(PF_AX25); + proto_unregister(&ax25_proto); ++ ++ ax25_rt_free(); ++ ax25_uid_free(); ++ ax25_dev_free(); + } + module_exit(ax25_exit); +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index 8eb6b15..5ac1811 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -241,7 +241,6 @@ static void br_multicast_group_expired(unsigned long data) + hlist_del_rcu(&mp->hlist[mdb->ver]); + mdb->size--; + +- del_timer(&mp->query_timer); + call_rcu_bh(&mp->rcu, br_multicast_free_group); + + out: +@@ -271,7 +270,6 @@ static void br_multicast_del_pg(struct net_bridge *br, + rcu_assign_pointer(*pp, p->next); + hlist_del_init(&p->mglist); + del_timer(&p->timer); +- del_timer(&p->query_timer); + call_rcu_bh(&p->rcu, br_multicast_free_pg); + + if (!mp->ports && !mp->mglist && +@@ -507,74 +505,6 @@ static struct sk_buff *br_multicast_alloc_query(struct net_bridge *br, + return NULL; + } + +-static void br_multicast_send_group_query(struct net_bridge_mdb_entry *mp) +-{ +- struct net_bridge *br = mp->br; +- struct sk_buff *skb; +- +- skb = br_multicast_alloc_query(br, &mp->addr); +- if (!skb) +- goto timer; +- +- netif_rx(skb); +- +-timer: +- if (++mp->queries_sent < br->multicast_last_member_count) +- mod_timer(&mp->query_timer, +- jiffies + br->multicast_last_member_interval); +-} +- +-static void br_multicast_group_query_expired(unsigned long data) +-{ +- struct net_bridge_mdb_entry *mp = (void *)data; +- struct net_bridge *br = mp->br; +- +- spin_lock(&br->multicast_lock); +- if (!netif_running(br->dev) || !mp->mglist || +- mp->queries_sent >= br->multicast_last_member_count) +- goto out; +- +- br_multicast_send_group_query(mp); +- +-out: +- spin_unlock(&br->multicast_lock); +-} +- +-static void br_multicast_send_port_group_query(struct net_bridge_port_group *pg) +-{ +- struct net_bridge_port *port = pg->port; +- struct net_bridge *br = port->br; +- struct sk_buff *skb; +- +- skb = br_multicast_alloc_query(br, &pg->addr); +- if (!skb) +- goto timer; +- +- br_deliver(port, skb); +- +-timer: +- if (++pg->queries_sent < br->multicast_last_member_count) +- mod_timer(&pg->query_timer, +- jiffies + br->multicast_last_member_interval); +-} +- +-static void br_multicast_port_group_query_expired(unsigned long data) +-{ +- struct net_bridge_port_group *pg = (void *)data; +- struct net_bridge_port *port = pg->port; +- struct net_bridge *br = port->br; +- +- spin_lock(&br->multicast_lock); +- if (!netif_running(br->dev) || hlist_unhashed(&pg->mglist) || +- pg->queries_sent >= br->multicast_last_member_count) +- goto out; +- +- br_multicast_send_port_group_query(pg); +- +-out: +- spin_unlock(&br->multicast_lock); +-} +- + static struct net_bridge_mdb_entry *br_multicast_get_group( + struct net_bridge *br, struct net_bridge_port *port, + struct br_ip *group, int hash) +@@ -690,8 +620,6 @@ rehash: + mp->addr = *group; + setup_timer(&mp->timer, br_multicast_group_expired, + (unsigned long)mp); +- setup_timer(&mp->query_timer, br_multicast_group_query_expired, +- (unsigned long)mp); + + hlist_add_head_rcu(&mp->hlist[mdb->ver], &mdb->mhash[hash]); + mdb->size++; +@@ -746,8 +674,6 @@ static int br_multicast_add_group(struct net_bridge *br, + hlist_add_head(&p->mglist, &port->mglist); + setup_timer(&p->timer, br_multicast_port_group_expired, + (unsigned long)p); +- setup_timer(&p->query_timer, br_multicast_port_group_query_expired, +- (unsigned long)p); + + rcu_assign_pointer(*pp, p); + +@@ -1291,9 +1217,6 @@ static void br_multicast_leave_group(struct net_bridge *br, + time_after(mp->timer.expires, time) : + try_to_del_timer_sync(&mp->timer) >= 0)) { + mod_timer(&mp->timer, time); +- +- mp->queries_sent = 0; +- mod_timer(&mp->query_timer, now); + } + + goto out; +@@ -1310,9 +1233,6 @@ static void br_multicast_leave_group(struct net_bridge *br, + time_after(p->timer.expires, time) : + try_to_del_timer_sync(&p->timer) >= 0)) { + mod_timer(&p->timer, time); +- +- p->queries_sent = 0; +- mod_timer(&p->query_timer, now); + } + + break; +@@ -1680,7 +1600,6 @@ void br_multicast_stop(struct net_bridge *br) + hlist_for_each_entry_safe(mp, p, n, &mdb->mhash[i], + hlist[ver]) { + del_timer(&mp->timer); +- del_timer(&mp->query_timer); + call_rcu_bh(&mp->rcu, br_multicast_free_group); + } + } +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index d7d6fb0..93264df 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -82,9 +82,7 @@ struct net_bridge_port_group { + struct hlist_node mglist; + struct rcu_head rcu; + struct timer_list timer; +- struct timer_list query_timer; + struct br_ip addr; +- u32 queries_sent; + }; + + struct net_bridge_mdb_entry +@@ -94,10 +92,8 @@ struct net_bridge_mdb_entry + struct net_bridge_port_group __rcu *ports; + struct rcu_head rcu; + struct timer_list timer; +- struct timer_list query_timer; + struct br_ip addr; + bool mglist; +- u32 queries_sent; + }; + + struct net_bridge_mdb_htable +diff --git a/net/core/dev.c b/net/core/dev.c +index 55cd370..cd5050e 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -4102,54 +4102,41 @@ static int dev_ifconf(struct net *net, char __user *arg) + + #ifdef CONFIG_PROC_FS + +-#define BUCKET_SPACE (32 - NETDEV_HASHBITS) +- +-struct dev_iter_state { +- struct seq_net_private p; +- unsigned int pos; /* bucket << BUCKET_SPACE + offset */ +-}; ++#define BUCKET_SPACE (32 - NETDEV_HASHBITS - 1) + + #define get_bucket(x) ((x) >> BUCKET_SPACE) + #define get_offset(x) ((x) & ((1 << BUCKET_SPACE) - 1)) + #define set_bucket_offset(b, o) ((b) << BUCKET_SPACE | (o)) + +-static inline struct net_device *dev_from_same_bucket(struct seq_file *seq) ++static inline struct net_device *dev_from_same_bucket(struct seq_file *seq, loff_t *pos) + { +- struct dev_iter_state *state = seq->private; + struct net *net = seq_file_net(seq); + struct net_device *dev; + struct hlist_node *p; + struct hlist_head *h; +- unsigned int count, bucket, offset; ++ unsigned int count = 0, offset = get_offset(*pos); + +- bucket = get_bucket(state->pos); +- offset = get_offset(state->pos); +- h = &net->dev_name_head[bucket]; +- count = 0; ++ h = &net->dev_name_head[get_bucket(*pos)]; + hlist_for_each_entry_rcu(dev, p, h, name_hlist) { +- if (count++ == offset) { +- state->pos = set_bucket_offset(bucket, count); ++ if (++count == offset) + return dev; +- } + } + + return NULL; + } + +-static inline struct net_device *dev_from_new_bucket(struct seq_file *seq) ++static inline struct net_device *dev_from_bucket(struct seq_file *seq, loff_t *pos) + { +- struct dev_iter_state *state = seq->private; + struct net_device *dev; + unsigned int bucket; + +- bucket = get_bucket(state->pos); + do { +- dev = dev_from_same_bucket(seq); ++ dev = dev_from_same_bucket(seq, pos); + if (dev) + return dev; + +- bucket++; +- state->pos = set_bucket_offset(bucket, 0); ++ bucket = get_bucket(*pos) + 1; ++ *pos = set_bucket_offset(bucket, 1); + } while (bucket < NETDEV_HASHENTRIES); + + return NULL; +@@ -4162,33 +4149,20 @@ static inline struct net_device *dev_from_new_bucket(struct seq_file *seq) + void *dev_seq_start(struct seq_file *seq, loff_t *pos) + __acquires(RCU) + { +- struct dev_iter_state *state = seq->private; +- + rcu_read_lock(); + if (!*pos) + return SEQ_START_TOKEN; + +- /* check for end of the hash */ +- if (state->pos == 0 && *pos > 1) ++ if (get_bucket(*pos) >= NETDEV_HASHENTRIES) + return NULL; + +- return dev_from_new_bucket(seq); ++ return dev_from_bucket(seq, pos); + } + + void *dev_seq_next(struct seq_file *seq, void *v, loff_t *pos) + { +- struct net_device *dev; +- + ++*pos; +- +- if (v == SEQ_START_TOKEN) +- return dev_from_new_bucket(seq); +- +- dev = dev_from_same_bucket(seq); +- if (dev) +- return dev; +- +- return dev_from_new_bucket(seq); ++ return dev_from_bucket(seq, pos); + } + + void dev_seq_stop(struct seq_file *seq, void *v) +@@ -4287,13 +4261,7 @@ static const struct seq_operations dev_seq_ops = { + static int dev_seq_open(struct inode *inode, struct file *file) + { + return seq_open_net(inode, file, &dev_seq_ops, +- sizeof(struct dev_iter_state)); +-} +- +-int dev_seq_open_ops(struct inode *inode, struct file *file, +- const struct seq_operations *ops) +-{ +- return seq_open_net(inode, file, ops, sizeof(struct dev_iter_state)); ++ sizeof(struct seq_net_private)); + } + + static const struct file_operations dev_seq_fops = { +diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c +index febba51..277faef 100644 +--- a/net/core/dev_addr_lists.c ++++ b/net/core/dev_addr_lists.c +@@ -696,7 +696,8 @@ static const struct seq_operations dev_mc_seq_ops = { + + static int dev_mc_seq_open(struct inode *inode, struct file *file) + { +- return dev_seq_open_ops(inode, file, &dev_mc_seq_ops); ++ return seq_open_net(inode, file, &dev_mc_seq_ops, ++ sizeof(struct seq_net_private)); + } + + static const struct file_operations dev_mc_seq_fops = { +diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c +index 0e950fd..31a5ae5 100644 +--- a/net/core/net_namespace.c ++++ b/net/core/net_namespace.c +@@ -83,21 +83,29 @@ assign: + + static int ops_init(const struct pernet_operations *ops, struct net *net) + { +- int err; ++ int err = -ENOMEM; ++ void *data = NULL; ++ + if (ops->id && ops->size) { +- void *data = kzalloc(ops->size, GFP_KERNEL); ++ data = kzalloc(ops->size, GFP_KERNEL); + if (!data) +- return -ENOMEM; ++ goto out; + + err = net_assign_generic(net, *ops->id, data); +- if (err) { +- kfree(data); +- return err; +- } ++ if (err) ++ goto cleanup; + } ++ err = 0; + if (ops->init) +- return ops->init(net); +- return 0; ++ err = ops->init(net); ++ if (!err) ++ return 0; ++ ++cleanup: ++ kfree(data); ++ ++out: ++ return err; + } + + static void ops_free(const struct pernet_operations *ops, struct net *net) +@@ -448,12 +456,7 @@ static void __unregister_pernet_operations(struct pernet_operations *ops) + static int __register_pernet_operations(struct list_head *list, + struct pernet_operations *ops) + { +- int err = 0; +- err = ops_init(ops, &init_net); +- if (err) +- ops_free(ops, &init_net); +- return err; +- ++ return ops_init(ops, &init_net); + } + + static void __unregister_pernet_operations(struct pernet_operations *ops) +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 3c30ee4..2ec200de 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -903,9 +903,11 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail, + goto adjust_others; + } + +- data = kmalloc(size + sizeof(struct skb_shared_info), gfp_mask); ++ data = kmalloc(size + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)), ++ gfp_mask); + if (!data) + goto nodata; ++ size = SKB_WITH_OVERHEAD(ksize(data)); + + /* Copy only real data... and, alas, header. This should be + * optimized for the cases when header is void. +@@ -3111,6 +3113,8 @@ static void sock_rmem_free(struct sk_buff *skb) + */ + int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb) + { ++ int len = skb->len; ++ + if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >= + (unsigned)sk->sk_rcvbuf) + return -ENOMEM; +@@ -3125,7 +3129,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb) + + skb_queue_tail(&sk->sk_error_queue, skb); + if (!sock_flag(sk, SOCK_DEAD)) +- sk->sk_data_ready(sk, skb->len); ++ sk->sk_data_ready(sk, len); + return 0; + } + EXPORT_SYMBOL(sock_queue_err_skb); +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 34f5db1..7904db4 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -701,11 +701,12 @@ struct sk_buff *sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp) + skb = alloc_skb_fclone(size + sk->sk_prot->max_header, gfp); + if (skb) { + if (sk_wmem_schedule(sk, skb->truesize)) { ++ skb_reserve(skb, sk->sk_prot->max_header); + /* + * Make sure that we have exactly size bytes + * available to the caller, no more, no less. + */ +- skb_reserve(skb, skb_tailroom(skb) - size); ++ skb->avail_size = size; + return skb; + } + __kfree_skb(skb); +@@ -860,7 +861,7 @@ wait_for_memory: + } + + out: +- if (copied) ++ if (copied && !(flags & MSG_SENDPAGE_NOTLAST)) + tcp_push(sk, flags, mss_now, tp->nonagle); + return copied; + +@@ -995,10 +996,9 @@ new_segment: + copy = seglen; + + /* Where to copy to? */ +- if (skb_tailroom(skb) > 0) { ++ if (skb_availroom(skb) > 0) { + /* We have some space in skb head. Superb! */ +- if (copy > skb_tailroom(skb)) +- copy = skb_tailroom(skb); ++ copy = min_t(int, copy, skb_availroom(skb)); + err = skb_add_data_nocache(sk, skb, from, copy); + if (err) + goto do_fault; +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index e4d1e4a..daedc07 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -334,6 +334,7 @@ static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb) + incr = __tcp_grow_window(sk, skb); + + if (incr) { ++ incr = max_t(int, incr, 2 * skb->len); + tp->rcv_ssthresh = min(tp->rcv_ssthresh + incr, + tp->window_clamp); + inet_csk(sk)->icsk_ack.quick |= 1; +@@ -473,8 +474,11 @@ static void tcp_rcv_rtt_update(struct tcp_sock *tp, u32 sample, int win_dep) + if (!win_dep) { + m -= (new_sample >> 3); + new_sample += m; +- } else if (m < new_sample) +- new_sample = m << 3; ++ } else { ++ m <<= 3; ++ if (m < new_sample) ++ new_sample = m; ++ } + } else { + /* No previous measure. */ + new_sample = m << 3; +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 097e0c7..c51dd5b 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -1093,6 +1093,14 @@ static void __pskb_trim_head(struct sk_buff *skb, int len) + { + int i, k, eat; + ++ eat = min_t(int, len, skb_headlen(skb)); ++ if (eat) { ++ __skb_pull(skb, eat); ++ skb->avail_size -= eat; ++ len -= eat; ++ if (!len) ++ return; ++ } + eat = len; + k = 0; + for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) { +@@ -1124,11 +1132,7 @@ int tcp_trim_head(struct sock *sk, struct sk_buff *skb, u32 len) + if (skb_cloned(skb) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) + return -ENOMEM; + +- /* If len == headlen, we avoid __skb_pull to preserve alignment. */ +- if (unlikely(len < skb_headlen(skb))) +- __skb_pull(skb, len); +- else +- __pskb_trim_head(skb, len - skb_headlen(skb)); ++ __pskb_trim_head(skb, len); + + TCP_SKB_CB(skb)->seq += len; + skb->ip_summed = CHECKSUM_PARTIAL; +@@ -2057,7 +2061,7 @@ static void tcp_retrans_try_collapse(struct sock *sk, struct sk_buff *to, + /* Punt if not enough space exists in the first SKB for + * the data in the second + */ +- if (skb->len > skb_tailroom(to)) ++ if (skb->len > skb_availroom(to)) + break; + + if (after(TCP_SKB_CB(skb)->end_seq, tcp_wnd_end(tp))) +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c +index 2257366..f2d74ea 100644 +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -2054,7 +2054,7 @@ static int ip6_mc_add_src(struct inet6_dev *idev, const struct in6_addr *pmca, + if (!delta) + pmc->mca_sfcount[sfmode]--; + for (j=0; j<i; j++) +- (void) ip6_mc_del1_src(pmc, sfmode, &psfsrc[i]); ++ ip6_mc_del1_src(pmc, sfmode, &psfsrc[j]); + } else if (isexclude != (pmc->mca_sfcount[MCAST_EXCLUDE] != 0)) { + struct ip6_sf_list *psf; + +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index b859e4a..4a56574 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1494,6 +1494,10 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb, + tcp_mtup_init(newsk); + tcp_sync_mss(newsk, dst_mtu(dst)); + newtp->advmss = dst_metric_advmss(dst); ++ if (tcp_sk(sk)->rx_opt.user_mss && ++ tcp_sk(sk)->rx_opt.user_mss < newtp->advmss) ++ newtp->advmss = tcp_sk(sk)->rx_opt.user_mss; ++ + tcp_initialize_rcv_mss(newsk); + if (tcp_rsk(req)->snt_synack) + tcp_valid_rtt_meas(newsk, +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index eff1f4e..4ff35bf 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -1121,7 +1121,8 @@ ieee80211_tx_prepare(struct ieee80211_sub_if_data *sdata, + tx->sta = rcu_dereference(sdata->u.vlan.sta); + if (!tx->sta && sdata->dev->ieee80211_ptr->use_4addr) + return TX_DROP; +- } else if (info->flags & IEEE80211_TX_CTL_INJECTED) { ++ } else if (info->flags & IEEE80211_TX_CTL_INJECTED || ++ tx->sdata->control_port_protocol == tx->skb->protocol) { + tx->sta = sta_info_get_bss(sdata, hdr->addr1); + } + if (!tx->sta) +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 1201b6d..a99fb41 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -830,12 +830,19 @@ int netlink_attachskb(struct sock *sk, struct sk_buff *skb, + return 0; + } + +-int netlink_sendskb(struct sock *sk, struct sk_buff *skb) ++static int __netlink_sendskb(struct sock *sk, struct sk_buff *skb) + { + int len = skb->len; + + skb_queue_tail(&sk->sk_receive_queue, skb); + sk->sk_data_ready(sk, len); ++ return len; ++} ++ ++int netlink_sendskb(struct sock *sk, struct sk_buff *skb) ++{ ++ int len = __netlink_sendskb(sk, skb); ++ + sock_put(sk); + return len; + } +@@ -960,8 +967,7 @@ static inline int netlink_broadcast_deliver(struct sock *sk, + if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf && + !test_bit(0, &nlk->state)) { + skb_set_owner_r(skb, sk); +- skb_queue_tail(&sk->sk_receive_queue, skb); +- sk->sk_data_ready(sk, skb->len); ++ __netlink_sendskb(sk, skb); + return atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf; + } + return -1; +@@ -1684,10 +1690,8 @@ static int netlink_dump(struct sock *sk) + + if (sk_filter(sk, skb)) + kfree_skb(skb); +- else { +- skb_queue_tail(&sk->sk_receive_queue, skb); +- sk->sk_data_ready(sk, skb->len); +- } ++ else ++ __netlink_sendskb(sk, skb); + return 0; + } + +@@ -1701,10 +1705,8 @@ static int netlink_dump(struct sock *sk) + + if (sk_filter(sk, skb)) + kfree_skb(skb); +- else { +- skb_queue_tail(&sk->sk_receive_queue, skb); +- sk->sk_data_ready(sk, skb->len); +- } ++ else ++ __netlink_sendskb(sk, skb); + + if (cb->done) + cb->done(cb); +diff --git a/net/phonet/pep.c b/net/phonet/pep.c +index 2ba6e9f..007546d 100644 +--- a/net/phonet/pep.c ++++ b/net/phonet/pep.c +@@ -1046,6 +1046,9 @@ static int pep_sendmsg(struct kiocb *iocb, struct sock *sk, + int flags = msg->msg_flags; + int err, done; + ++ if (len > USHRT_MAX) ++ return -EMSGSIZE; ++ + if ((msg->msg_flags & ~(MSG_DONTWAIT|MSG_EOR|MSG_NOSIGNAL| + MSG_CMSG_COMPAT)) || + !(msg->msg_flags & MSG_EOR)) +diff --git a/net/sched/sch_gred.c b/net/sched/sch_gred.c +index 6cd8ddf..e1afe0c 100644 +--- a/net/sched/sch_gred.c ++++ b/net/sched/sch_gred.c +@@ -544,11 +544,8 @@ static int gred_dump(struct Qdisc *sch, struct sk_buff *skb) + opt.packets = q->packetsin; + opt.bytesin = q->bytesin; + +- if (gred_wred_mode(table)) { +- q->parms.qidlestart = +- table->tab[table->def]->parms.qidlestart; +- q->parms.qavg = table->tab[table->def]->parms.qavg; +- } ++ if (gred_wred_mode(table)) ++ gred_load_wred_set(table, q); + + opt.qave = red_calc_qavg(&q->parms, q->parms.qavg); + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 54a7cd2..0075554 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -4133,9 +4133,10 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, + static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, + int __user *optlen) + { +- if (len < sizeof(struct sctp_event_subscribe)) ++ if (len <= 0) + return -EINVAL; +- len = sizeof(struct sctp_event_subscribe); ++ if (len > sizeof(struct sctp_event_subscribe)) ++ len = sizeof(struct sctp_event_subscribe); + if (put_user(len, optlen)) + return -EFAULT; + if (copy_to_user(optval, &sctp_sk(sk)->subscribe, len)) +diff --git a/net/socket.c b/net/socket.c +index 2dce67a..273cbce 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -791,9 +791,9 @@ static ssize_t sock_sendpage(struct file *file, struct page *page, + + sock = file->private_data; + +- flags = !(file->f_flags & O_NONBLOCK) ? 0 : MSG_DONTWAIT; +- if (more) +- flags |= MSG_MORE; ++ flags = (file->f_flags & O_NONBLOCK) ? MSG_DONTWAIT : 0; ++ /* more is a combination of MSG_MORE and MSG_SENDPAGE_NOTLAST */ ++ flags |= more; + + return kernel_sendpage(sock, page, offset, size, flags); + } +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index ffafda5..c06c365 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -1258,6 +1258,11 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info) + goto bad_res; + } + ++ if (!netif_running(netdev)) { ++ result = -ENETDOWN; ++ goto bad_res; ++ } ++ + nla_for_each_nested(nl_txq_params, + info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS], + rem_txq_params) { +@@ -5944,7 +5949,7 @@ static struct genl_ops nl80211_ops[] = { + .doit = nl80211_get_key, + .policy = nl80211_policy, + .flags = GENL_ADMIN_PERM, +- .internal_flags = NL80211_FLAG_NEED_NETDEV | ++ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | + NL80211_FLAG_NEED_RTNL, + }, + { +@@ -5976,7 +5981,7 @@ static struct genl_ops nl80211_ops[] = { + .policy = nl80211_policy, + .flags = GENL_ADMIN_PERM, + .doit = nl80211_addset_beacon, +- .internal_flags = NL80211_FLAG_NEED_NETDEV | ++ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | + NL80211_FLAG_NEED_RTNL, + }, + { +@@ -5984,7 +5989,7 @@ static struct genl_ops nl80211_ops[] = { + .policy = nl80211_policy, + .flags = GENL_ADMIN_PERM, + .doit = nl80211_addset_beacon, +- .internal_flags = NL80211_FLAG_NEED_NETDEV | ++ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | + NL80211_FLAG_NEED_RTNL, + }, + { +@@ -6008,7 +6013,7 @@ static struct genl_ops nl80211_ops[] = { + .doit = nl80211_set_station, + .policy = nl80211_policy, + .flags = GENL_ADMIN_PERM, +- .internal_flags = NL80211_FLAG_NEED_NETDEV | ++ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | + NL80211_FLAG_NEED_RTNL, + }, + { +@@ -6024,7 +6029,7 @@ static struct genl_ops nl80211_ops[] = { + .doit = nl80211_del_station, + .policy = nl80211_policy, + .flags = GENL_ADMIN_PERM, +- .internal_flags = NL80211_FLAG_NEED_NETDEV | ++ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | + NL80211_FLAG_NEED_RTNL, + }, + { +@@ -6057,7 +6062,7 @@ static struct genl_ops nl80211_ops[] = { + .doit = nl80211_del_mpath, + .policy = nl80211_policy, + .flags = GENL_ADMIN_PERM, +- .internal_flags = NL80211_FLAG_NEED_NETDEV | ++ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | + NL80211_FLAG_NEED_RTNL, + }, + { +@@ -6065,7 +6070,7 @@ static struct genl_ops nl80211_ops[] = { + .doit = nl80211_set_bss, + .policy = nl80211_policy, + .flags = GENL_ADMIN_PERM, +- .internal_flags = NL80211_FLAG_NEED_NETDEV | ++ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | + NL80211_FLAG_NEED_RTNL, + }, + { +@@ -6091,7 +6096,7 @@ static struct genl_ops nl80211_ops[] = { + .doit = nl80211_get_mesh_config, + .policy = nl80211_policy, + /* can be retrieved by unprivileged users */ +- .internal_flags = NL80211_FLAG_NEED_NETDEV | ++ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | + NL80211_FLAG_NEED_RTNL, + }, + { +@@ -6224,7 +6229,7 @@ static struct genl_ops nl80211_ops[] = { + .doit = nl80211_setdel_pmksa, + .policy = nl80211_policy, + .flags = GENL_ADMIN_PERM, +- .internal_flags = NL80211_FLAG_NEED_NETDEV | ++ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | + NL80211_FLAG_NEED_RTNL, + }, + { +@@ -6232,7 +6237,7 @@ static struct genl_ops nl80211_ops[] = { + .doit = nl80211_setdel_pmksa, + .policy = nl80211_policy, + .flags = GENL_ADMIN_PERM, +- .internal_flags = NL80211_FLAG_NEED_NETDEV | ++ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | + NL80211_FLAG_NEED_RTNL, + }, + { +@@ -6240,7 +6245,7 @@ static struct genl_ops nl80211_ops[] = { + .doit = nl80211_flush_pmksa, + .policy = nl80211_policy, + .flags = GENL_ADMIN_PERM, +- .internal_flags = NL80211_FLAG_NEED_NETDEV | ++ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | + NL80211_FLAG_NEED_RTNL, + }, + { +@@ -6328,7 +6333,7 @@ static struct genl_ops nl80211_ops[] = { + .doit = nl80211_set_wds_peer, + .policy = nl80211_policy, + .flags = GENL_ADMIN_PERM, +- .internal_flags = NL80211_FLAG_NEED_NETDEV | ++ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | + NL80211_FLAG_NEED_RTNL, + }, + { +diff --git a/net/wireless/util.c b/net/wireless/util.c +index 4dde429..8bf8902 100644 +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -996,7 +996,7 @@ int cfg80211_can_change_interface(struct cfg80211_registered_device *rdev, + if (rdev->wiphy.software_iftypes & BIT(iftype)) + continue; + for (j = 0; j < c->n_limits; j++) { +- if (!(limits[j].types & iftype)) ++ if (!(limits[j].types & BIT(iftype))) + continue; + if (limits[j].max < num[iftype]) + goto cont; +diff --git a/scripts/mod/file2alias.c b/scripts/mod/file2alias.c +index f936d1f..d1d0ae8 100644 +--- a/scripts/mod/file2alias.c ++++ b/scripts/mod/file2alias.c +@@ -926,6 +926,10 @@ void handle_moddevtable(struct module *mod, struct elf_info *info, + if (!sym->st_shndx || get_secindex(info, sym) >= info->num_sections) + return; + ++ /* We're looking for an object */ ++ if (ELF_ST_TYPE(sym->st_info) != STT_OBJECT) ++ return; ++ + /* Handle all-NULL symbols allocated into .bss */ + if (info->sechdrs[get_secindex(info, sym)].sh_type & SHT_NOBITS) { + zeros = calloc(1, sym->st_size); +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index ae94929..51a1afc 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -4003,9 +4003,14 @@ static void cx_auto_init_output(struct hda_codec *codec) + int i; + + mute_outputs(codec, spec->multiout.num_dacs, spec->multiout.dac_nids); +- for (i = 0; i < cfg->hp_outs; i++) ++ for (i = 0; i < cfg->hp_outs; i++) { ++ unsigned int val = PIN_OUT; ++ if (snd_hda_query_pin_caps(codec, cfg->hp_pins[i]) & ++ AC_PINCAP_HP_DRV) ++ val |= AC_PINCTL_HP_EN; + snd_hda_codec_write(codec, cfg->hp_pins[i], 0, +- AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_HP); ++ AC_VERB_SET_PIN_WIDGET_CONTROL, val); ++ } + mute_outputs(codec, cfg->hp_outs, cfg->hp_pins); + mute_outputs(codec, cfg->line_outs, cfg->line_out_pins); + mute_outputs(codec, cfg->speaker_outs, cfg->speaker_pins); +@@ -4408,8 +4413,10 @@ static void apply_pin_fixup(struct hda_codec *codec, + + enum { + CXT_PINCFG_LENOVO_X200, ++ CXT_PINCFG_LENOVO_TP410, + }; + ++/* ThinkPad X200 & co with cxt5051 */ + static const struct cxt_pincfg cxt_pincfg_lenovo_x200[] = { + { 0x16, 0x042140ff }, /* HP (seq# overridden) */ + { 0x17, 0x21a11000 }, /* dock-mic */ +@@ -4417,15 +4424,33 @@ static const struct cxt_pincfg cxt_pincfg_lenovo_x200[] = { + {} + }; + ++/* ThinkPad 410/420/510/520, X201 & co with cxt5066 */ ++static const struct cxt_pincfg cxt_pincfg_lenovo_tp410[] = { ++ { 0x19, 0x042110ff }, /* HP (seq# overridden) */ ++ { 0x1a, 0x21a190f0 }, /* dock-mic */ ++ { 0x1c, 0x212140ff }, /* dock-HP */ ++ {} ++}; ++ + static const struct cxt_pincfg *cxt_pincfg_tbl[] = { + [CXT_PINCFG_LENOVO_X200] = cxt_pincfg_lenovo_x200, ++ [CXT_PINCFG_LENOVO_TP410] = cxt_pincfg_lenovo_tp410, + }; + +-static const struct snd_pci_quirk cxt_fixups[] = { ++static const struct snd_pci_quirk cxt5051_fixups[] = { + SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo X200", CXT_PINCFG_LENOVO_X200), + {} + }; + ++static const struct snd_pci_quirk cxt5066_fixups[] = { ++ SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo T400", CXT_PINCFG_LENOVO_TP410), ++ SND_PCI_QUIRK(0x17aa, 0x215e, "Lenovo T410", CXT_PINCFG_LENOVO_TP410), ++ SND_PCI_QUIRK(0x17aa, 0x215f, "Lenovo T510", CXT_PINCFG_LENOVO_TP410), ++ SND_PCI_QUIRK(0x17aa, 0x21ce, "Lenovo T420", CXT_PINCFG_LENOVO_TP410), ++ SND_PCI_QUIRK(0x17aa, 0x21cf, "Lenovo T520", CXT_PINCFG_LENOVO_TP410), ++ {} ++}; ++ + /* add "fake" mute amp-caps to DACs on cx5051 so that mixer mute switches + * can be created (bko#42825) + */ +@@ -4462,11 +4487,13 @@ static int patch_conexant_auto(struct hda_codec *codec) + break; + case 0x14f15051: + add_cx5051_fake_mutes(codec); ++ apply_pin_fixup(codec, cxt5051_fixups, cxt_pincfg_tbl); ++ break; ++ default: ++ apply_pin_fixup(codec, cxt5066_fixups, cxt_pincfg_tbl); + break; + } + +- apply_pin_fixup(codec, cxt_fixups, cxt_pincfg_tbl); +- + err = cx_auto_search_adcs(codec); + if (err < 0) + return err; +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index dc8a6fc..0bc5a46 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5032,6 +5032,7 @@ static const struct alc_fixup alc269_fixups[] = { + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { ++ SND_PCI_QUIRK(0x1043, 0x1427, "Asus Zenbook UX31E", ALC269VB_FIXUP_DMIC), + SND_PCI_QUIRK(0x1043, 0x1a13, "Asus G73Jw", ALC269_FIXUP_ASUS_G73JW), + SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x1043, 0x831a, "ASUS P901", ALC269_FIXUP_STEREO_DMIC), +diff --git a/sound/soc/codecs/tlv320aic23.c b/sound/soc/codecs/tlv320aic23.c +index 336de8f..0e7e26e 100644 +--- a/sound/soc/codecs/tlv320aic23.c ++++ b/sound/soc/codecs/tlv320aic23.c +@@ -473,7 +473,7 @@ static int tlv320aic23_set_dai_sysclk(struct snd_soc_dai *codec_dai, + static int tlv320aic23_set_bias_level(struct snd_soc_codec *codec, + enum snd_soc_bias_level level) + { +- u16 reg = snd_soc_read(codec, TLV320AIC23_PWR) & 0xff7f; ++ u16 reg = snd_soc_read(codec, TLV320AIC23_PWR) & 0x17f; + + switch (level) { + case SND_SOC_BIAS_ON: +@@ -492,7 +492,7 @@ static int tlv320aic23_set_bias_level(struct snd_soc_codec *codec, + case SND_SOC_BIAS_OFF: + /* everything off, dac mute, inactive */ + snd_soc_write(codec, TLV320AIC23_ACTIVE, 0x0); +- snd_soc_write(codec, TLV320AIC23_PWR, 0xffff); ++ snd_soc_write(codec, TLV320AIC23_PWR, 0x1ff); + break; + } + codec->dapm.bias_level = level; +diff --git a/sound/soc/codecs/wm8994.c b/sound/soc/codecs/wm8994.c +index 2f1f5f8..7806301 100644 +--- a/sound/soc/codecs/wm8994.c ++++ b/sound/soc/codecs/wm8994.c +@@ -883,61 +883,170 @@ static void wm8994_update_class_w(struct snd_soc_codec *codec) + } + } + +-static int late_enable_ev(struct snd_soc_dapm_widget *w, +- struct snd_kcontrol *kcontrol, int event) ++static int aif1clk_ev(struct snd_soc_dapm_widget *w, ++ struct snd_kcontrol *kcontrol, int event) + { + struct snd_soc_codec *codec = w->codec; +- struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); ++ struct wm8994 *control = codec->control_data; ++ int mask = WM8994_AIF1DAC1L_ENA | WM8994_AIF1DAC1R_ENA; ++ int dac; ++ int adc; ++ int val; ++ ++ switch (control->type) { ++ case WM8994: ++ case WM8958: ++ mask |= WM8994_AIF1DAC2L_ENA | WM8994_AIF1DAC2R_ENA; ++ break; ++ default: ++ break; ++ } + + switch (event) { + case SND_SOC_DAPM_PRE_PMU: +- if (wm8994->aif1clk_enable) { +- snd_soc_update_bits(codec, WM8994_AIF1_CLOCKING_1, +- WM8994_AIF1CLK_ENA_MASK, +- WM8994_AIF1CLK_ENA); +- wm8994->aif1clk_enable = 0; +- } +- if (wm8994->aif2clk_enable) { +- snd_soc_update_bits(codec, WM8994_AIF2_CLOCKING_1, +- WM8994_AIF2CLK_ENA_MASK, +- WM8994_AIF2CLK_ENA); +- wm8994->aif2clk_enable = 0; +- } ++ val = snd_soc_read(codec, WM8994_AIF1_CONTROL_1); ++ if ((val & WM8994_AIF1ADCL_SRC) && ++ (val & WM8994_AIF1ADCR_SRC)) ++ adc = WM8994_AIF1ADC1R_ENA | WM8994_AIF1ADC2R_ENA; ++ else if (!(val & WM8994_AIF1ADCL_SRC) && ++ !(val & WM8994_AIF1ADCR_SRC)) ++ adc = WM8994_AIF1ADC1L_ENA | WM8994_AIF1ADC2L_ENA; ++ else ++ adc = WM8994_AIF1ADC1R_ENA | WM8994_AIF1ADC2R_ENA | ++ WM8994_AIF1ADC1L_ENA | WM8994_AIF1ADC2L_ENA; ++ ++ val = snd_soc_read(codec, WM8994_AIF1_CONTROL_2); ++ if ((val & WM8994_AIF1DACL_SRC) && ++ (val & WM8994_AIF1DACR_SRC)) ++ dac = WM8994_AIF1DAC1R_ENA | WM8994_AIF1DAC2R_ENA; ++ else if (!(val & WM8994_AIF1DACL_SRC) && ++ !(val & WM8994_AIF1DACR_SRC)) ++ dac = WM8994_AIF1DAC1L_ENA | WM8994_AIF1DAC2L_ENA; ++ else ++ dac = WM8994_AIF1DAC1R_ENA | WM8994_AIF1DAC2R_ENA | ++ WM8994_AIF1DAC1L_ENA | WM8994_AIF1DAC2L_ENA; ++ ++ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4, ++ mask, adc); ++ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5, ++ mask, dac); ++ snd_soc_update_bits(codec, WM8994_CLOCKING_1, ++ WM8994_AIF1DSPCLK_ENA | ++ WM8994_SYSDSPCLK_ENA, ++ WM8994_AIF1DSPCLK_ENA | ++ WM8994_SYSDSPCLK_ENA); ++ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4, mask, ++ WM8994_AIF1ADC1R_ENA | ++ WM8994_AIF1ADC1L_ENA | ++ WM8994_AIF1ADC2R_ENA | ++ WM8994_AIF1ADC2L_ENA); ++ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5, mask, ++ WM8994_AIF1DAC1R_ENA | ++ WM8994_AIF1DAC1L_ENA | ++ WM8994_AIF1DAC2R_ENA | ++ WM8994_AIF1DAC2L_ENA); ++ break; ++ ++ case SND_SOC_DAPM_PRE_PMD: ++ case SND_SOC_DAPM_POST_PMD: ++ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5, ++ mask, 0); ++ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4, ++ mask, 0); ++ ++ val = snd_soc_read(codec, WM8994_CLOCKING_1); ++ if (val & WM8994_AIF2DSPCLK_ENA) ++ val = WM8994_SYSDSPCLK_ENA; ++ else ++ val = 0; ++ snd_soc_update_bits(codec, WM8994_CLOCKING_1, ++ WM8994_SYSDSPCLK_ENA | ++ WM8994_AIF1DSPCLK_ENA, val); + break; + } + +- /* We may also have postponed startup of DSP, handle that. */ +- wm8958_aif_ev(w, kcontrol, event); +- + return 0; + } + +-static int late_disable_ev(struct snd_soc_dapm_widget *w, +- struct snd_kcontrol *kcontrol, int event) ++static int aif2clk_ev(struct snd_soc_dapm_widget *w, ++ struct snd_kcontrol *kcontrol, int event) + { + struct snd_soc_codec *codec = w->codec; +- struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); ++ int dac; ++ int adc; ++ int val; + + switch (event) { ++ case SND_SOC_DAPM_PRE_PMU: ++ val = snd_soc_read(codec, WM8994_AIF2_CONTROL_1); ++ if ((val & WM8994_AIF2ADCL_SRC) && ++ (val & WM8994_AIF2ADCR_SRC)) ++ adc = WM8994_AIF2ADCR_ENA; ++ else if (!(val & WM8994_AIF2ADCL_SRC) && ++ !(val & WM8994_AIF2ADCR_SRC)) ++ adc = WM8994_AIF2ADCL_ENA; ++ else ++ adc = WM8994_AIF2ADCL_ENA | WM8994_AIF2ADCR_ENA; ++ ++ ++ val = snd_soc_read(codec, WM8994_AIF2_CONTROL_2); ++ if ((val & WM8994_AIF2DACL_SRC) && ++ (val & WM8994_AIF2DACR_SRC)) ++ dac = WM8994_AIF2DACR_ENA; ++ else if (!(val & WM8994_AIF2DACL_SRC) && ++ !(val & WM8994_AIF2DACR_SRC)) ++ dac = WM8994_AIF2DACL_ENA; ++ else ++ dac = WM8994_AIF2DACL_ENA | WM8994_AIF2DACR_ENA; ++ ++ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4, ++ WM8994_AIF2ADCL_ENA | ++ WM8994_AIF2ADCR_ENA, adc); ++ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5, ++ WM8994_AIF2DACL_ENA | ++ WM8994_AIF2DACR_ENA, dac); ++ snd_soc_update_bits(codec, WM8994_CLOCKING_1, ++ WM8994_AIF2DSPCLK_ENA | ++ WM8994_SYSDSPCLK_ENA, ++ WM8994_AIF2DSPCLK_ENA | ++ WM8994_SYSDSPCLK_ENA); ++ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4, ++ WM8994_AIF2ADCL_ENA | ++ WM8994_AIF2ADCR_ENA, ++ WM8994_AIF2ADCL_ENA | ++ WM8994_AIF2ADCR_ENA); ++ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5, ++ WM8994_AIF2DACL_ENA | ++ WM8994_AIF2DACR_ENA, ++ WM8994_AIF2DACL_ENA | ++ WM8994_AIF2DACR_ENA); ++ break; ++ ++ case SND_SOC_DAPM_PRE_PMD: + case SND_SOC_DAPM_POST_PMD: +- if (wm8994->aif1clk_disable) { +- snd_soc_update_bits(codec, WM8994_AIF1_CLOCKING_1, +- WM8994_AIF1CLK_ENA_MASK, 0); +- wm8994->aif1clk_disable = 0; +- } +- if (wm8994->aif2clk_disable) { +- snd_soc_update_bits(codec, WM8994_AIF2_CLOCKING_1, +- WM8994_AIF2CLK_ENA_MASK, 0); +- wm8994->aif2clk_disable = 0; +- } ++ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5, ++ WM8994_AIF2DACL_ENA | ++ WM8994_AIF2DACR_ENA, 0); ++ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5, ++ WM8994_AIF2ADCL_ENA | ++ WM8994_AIF2ADCR_ENA, 0); ++ ++ val = snd_soc_read(codec, WM8994_CLOCKING_1); ++ if (val & WM8994_AIF1DSPCLK_ENA) ++ val = WM8994_SYSDSPCLK_ENA; ++ else ++ val = 0; ++ snd_soc_update_bits(codec, WM8994_CLOCKING_1, ++ WM8994_SYSDSPCLK_ENA | ++ WM8994_AIF2DSPCLK_ENA, val); + break; + } + + return 0; + } + +-static int aif1clk_ev(struct snd_soc_dapm_widget *w, +- struct snd_kcontrol *kcontrol, int event) ++static int aif1clk_late_ev(struct snd_soc_dapm_widget *w, ++ struct snd_kcontrol *kcontrol, int event) + { + struct snd_soc_codec *codec = w->codec; + struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); +@@ -954,8 +1063,8 @@ static int aif1clk_ev(struct snd_soc_dapm_widget *w, + return 0; + } + +-static int aif2clk_ev(struct snd_soc_dapm_widget *w, +- struct snd_kcontrol *kcontrol, int event) ++static int aif2clk_late_ev(struct snd_soc_dapm_widget *w, ++ struct snd_kcontrol *kcontrol, int event) + { + struct snd_soc_codec *codec = w->codec; + struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); +@@ -972,6 +1081,63 @@ static int aif2clk_ev(struct snd_soc_dapm_widget *w, + return 0; + } + ++static int late_enable_ev(struct snd_soc_dapm_widget *w, ++ struct snd_kcontrol *kcontrol, int event) ++{ ++ struct snd_soc_codec *codec = w->codec; ++ struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); ++ ++ switch (event) { ++ case SND_SOC_DAPM_PRE_PMU: ++ if (wm8994->aif1clk_enable) { ++ aif1clk_ev(w, kcontrol, event); ++ snd_soc_update_bits(codec, WM8994_AIF1_CLOCKING_1, ++ WM8994_AIF1CLK_ENA_MASK, ++ WM8994_AIF1CLK_ENA); ++ wm8994->aif1clk_enable = 0; ++ } ++ if (wm8994->aif2clk_enable) { ++ aif2clk_ev(w, kcontrol, event); ++ snd_soc_update_bits(codec, WM8994_AIF2_CLOCKING_1, ++ WM8994_AIF2CLK_ENA_MASK, ++ WM8994_AIF2CLK_ENA); ++ wm8994->aif2clk_enable = 0; ++ } ++ break; ++ } ++ ++ /* We may also have postponed startup of DSP, handle that. */ ++ wm8958_aif_ev(w, kcontrol, event); ++ ++ return 0; ++} ++ ++static int late_disable_ev(struct snd_soc_dapm_widget *w, ++ struct snd_kcontrol *kcontrol, int event) ++{ ++ struct snd_soc_codec *codec = w->codec; ++ struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); ++ ++ switch (event) { ++ case SND_SOC_DAPM_POST_PMD: ++ if (wm8994->aif1clk_disable) { ++ snd_soc_update_bits(codec, WM8994_AIF1_CLOCKING_1, ++ WM8994_AIF1CLK_ENA_MASK, 0); ++ aif1clk_ev(w, kcontrol, event); ++ wm8994->aif1clk_disable = 0; ++ } ++ if (wm8994->aif2clk_disable) { ++ snd_soc_update_bits(codec, WM8994_AIF2_CLOCKING_1, ++ WM8994_AIF2CLK_ENA_MASK, 0); ++ aif2clk_ev(w, kcontrol, event); ++ wm8994->aif2clk_disable = 0; ++ } ++ break; ++ } ++ ++ return 0; ++} ++ + static int adc_mux_ev(struct snd_soc_dapm_widget *w, + struct snd_kcontrol *kcontrol, int event) + { +@@ -1268,9 +1434,9 @@ static const struct snd_kcontrol_new aif2dacr_src_mux = + SOC_DAPM_ENUM("AIF2DACR Mux", aif2dacr_src_enum); + + static const struct snd_soc_dapm_widget wm8994_lateclk_revd_widgets[] = { +-SND_SOC_DAPM_SUPPLY("AIF1CLK", SND_SOC_NOPM, 0, 0, aif1clk_ev, ++SND_SOC_DAPM_SUPPLY("AIF1CLK", SND_SOC_NOPM, 0, 0, aif1clk_late_ev, + SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD), +-SND_SOC_DAPM_SUPPLY("AIF2CLK", SND_SOC_NOPM, 0, 0, aif2clk_ev, ++SND_SOC_DAPM_SUPPLY("AIF2CLK", SND_SOC_NOPM, 0, 0, aif2clk_late_ev, + SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD), + + SND_SOC_DAPM_PGA_E("Late DAC1L Enable PGA", SND_SOC_NOPM, 0, 0, NULL, 0, +@@ -1299,8 +1465,10 @@ SND_SOC_DAPM_POST("Late Disable PGA", late_disable_ev) + }; + + static const struct snd_soc_dapm_widget wm8994_lateclk_widgets[] = { +-SND_SOC_DAPM_SUPPLY("AIF1CLK", WM8994_AIF1_CLOCKING_1, 0, 0, NULL, 0), +-SND_SOC_DAPM_SUPPLY("AIF2CLK", WM8994_AIF2_CLOCKING_1, 0, 0, NULL, 0), ++SND_SOC_DAPM_SUPPLY("AIF1CLK", WM8994_AIF1_CLOCKING_1, 0, 0, aif1clk_ev, ++ SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_PRE_PMD), ++SND_SOC_DAPM_SUPPLY("AIF2CLK", WM8994_AIF2_CLOCKING_1, 0, 0, aif2clk_ev, ++ SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_PRE_PMD), + SND_SOC_DAPM_PGA("Direct Voice", SND_SOC_NOPM, 0, 0, NULL, 0), + SND_SOC_DAPM_MIXER("SPKL", WM8994_POWER_MANAGEMENT_3, 8, 0, + left_speaker_mixer, ARRAY_SIZE(left_speaker_mixer)), +@@ -1353,30 +1521,30 @@ SND_SOC_DAPM_SUPPLY("VMID", SND_SOC_NOPM, 0, 0, vmid_event, + SND_SOC_DAPM_SUPPLY("CLK_SYS", SND_SOC_NOPM, 0, 0, clk_sys_event, + SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD), + +-SND_SOC_DAPM_SUPPLY("DSP1CLK", WM8994_CLOCKING_1, 3, 0, NULL, 0), +-SND_SOC_DAPM_SUPPLY("DSP2CLK", WM8994_CLOCKING_1, 2, 0, NULL, 0), +-SND_SOC_DAPM_SUPPLY("DSPINTCLK", WM8994_CLOCKING_1, 1, 0, NULL, 0), ++SND_SOC_DAPM_SUPPLY("DSP1CLK", SND_SOC_NOPM, 3, 0, NULL, 0), ++SND_SOC_DAPM_SUPPLY("DSP2CLK", SND_SOC_NOPM, 2, 0, NULL, 0), ++SND_SOC_DAPM_SUPPLY("DSPINTCLK", SND_SOC_NOPM, 1, 0, NULL, 0), + + SND_SOC_DAPM_AIF_OUT("AIF1ADC1L", NULL, +- 0, WM8994_POWER_MANAGEMENT_4, 9, 0), ++ 0, SND_SOC_NOPM, 9, 0), + SND_SOC_DAPM_AIF_OUT("AIF1ADC1R", NULL, +- 0, WM8994_POWER_MANAGEMENT_4, 8, 0), ++ 0, SND_SOC_NOPM, 8, 0), + SND_SOC_DAPM_AIF_IN_E("AIF1DAC1L", NULL, 0, +- WM8994_POWER_MANAGEMENT_5, 9, 0, wm8958_aif_ev, ++ SND_SOC_NOPM, 9, 0, wm8958_aif_ev, + SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD), + SND_SOC_DAPM_AIF_IN_E("AIF1DAC1R", NULL, 0, +- WM8994_POWER_MANAGEMENT_5, 8, 0, wm8958_aif_ev, ++ SND_SOC_NOPM, 8, 0, wm8958_aif_ev, + SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD), + + SND_SOC_DAPM_AIF_OUT("AIF1ADC2L", NULL, +- 0, WM8994_POWER_MANAGEMENT_4, 11, 0), ++ 0, SND_SOC_NOPM, 11, 0), + SND_SOC_DAPM_AIF_OUT("AIF1ADC2R", NULL, +- 0, WM8994_POWER_MANAGEMENT_4, 10, 0), ++ 0, SND_SOC_NOPM, 10, 0), + SND_SOC_DAPM_AIF_IN_E("AIF1DAC2L", NULL, 0, +- WM8994_POWER_MANAGEMENT_5, 11, 0, wm8958_aif_ev, ++ SND_SOC_NOPM, 11, 0, wm8958_aif_ev, + SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD), + SND_SOC_DAPM_AIF_IN_E("AIF1DAC2R", NULL, 0, +- WM8994_POWER_MANAGEMENT_5, 10, 0, wm8958_aif_ev, ++ SND_SOC_NOPM, 10, 0, wm8958_aif_ev, + SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD), + + SND_SOC_DAPM_MIXER("AIF1ADC1L Mixer", SND_SOC_NOPM, 0, 0, +@@ -1403,14 +1571,14 @@ SND_SOC_DAPM_MIXER("DAC1R Mixer", SND_SOC_NOPM, 0, 0, + dac1r_mix, ARRAY_SIZE(dac1r_mix)), + + SND_SOC_DAPM_AIF_OUT("AIF2ADCL", NULL, 0, +- WM8994_POWER_MANAGEMENT_4, 13, 0), ++ SND_SOC_NOPM, 13, 0), + SND_SOC_DAPM_AIF_OUT("AIF2ADCR", NULL, 0, +- WM8994_POWER_MANAGEMENT_4, 12, 0), ++ SND_SOC_NOPM, 12, 0), + SND_SOC_DAPM_AIF_IN_E("AIF2DACL", NULL, 0, +- WM8994_POWER_MANAGEMENT_5, 13, 0, wm8958_aif_ev, ++ SND_SOC_NOPM, 13, 0, wm8958_aif_ev, + SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD), + SND_SOC_DAPM_AIF_IN_E("AIF2DACR", NULL, 0, +- WM8994_POWER_MANAGEMENT_5, 12, 0, wm8958_aif_ev, ++ SND_SOC_NOPM, 12, 0, wm8958_aif_ev, + SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD), + + SND_SOC_DAPM_AIF_IN("AIF1DACDAT", "AIF1 Playback", 0, SND_SOC_NOPM, 0, 0), +diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c +index ea909c5..90e93bf 100644 +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -69,6 +69,7 @@ static int dapm_up_seq[] = { + [snd_soc_dapm_out_drv] = 10, + [snd_soc_dapm_hp] = 10, + [snd_soc_dapm_spk] = 10, ++ [snd_soc_dapm_line] = 10, + [snd_soc_dapm_post] = 11, + }; + +@@ -77,6 +78,7 @@ static int dapm_down_seq[] = { + [snd_soc_dapm_adc] = 1, + [snd_soc_dapm_hp] = 2, + [snd_soc_dapm_spk] = 2, ++ [snd_soc_dapm_line] = 2, + [snd_soc_dapm_out_drv] = 2, + [snd_soc_dapm_pga] = 4, + [snd_soc_dapm_mixer_named_ctl] = 5, +diff --git a/tools/perf/util/hist.c b/tools/perf/util/hist.c +index adb372d..e0a0970 100644 +--- a/tools/perf/util/hist.c ++++ b/tools/perf/util/hist.c +@@ -237,8 +237,8 @@ struct hist_entry *__hists__add_entry(struct hists *hists, + * mis-adjust symbol addresses when computing + * the history counter to increment. + */ +- if (he->ms.map != entry->ms.map) { +- he->ms.map = entry->ms.map; ++ if (he->ms.map != entry.ms.map) { ++ he->ms.map = entry.ms.map; + if (he->ms.map) + he->ms.map->referenced = true; + } +diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c +index a195c07..fd817a2 100644 +--- a/virt/kvm/iommu.c ++++ b/virt/kvm/iommu.c +@@ -309,6 +309,11 @@ static void kvm_iommu_put_pages(struct kvm *kvm, + } + } + ++void kvm_iommu_unmap_pages(struct kvm *kvm, struct kvm_memory_slot *slot) ++{ ++ kvm_iommu_put_pages(kvm, slot->base_gfn, slot->npages); ++} ++ + static int kvm_iommu_unmap_memslots(struct kvm *kvm) + { + int i, idx; +@@ -317,10 +322,9 @@ static int kvm_iommu_unmap_memslots(struct kvm *kvm) + idx = srcu_read_lock(&kvm->srcu); + slots = kvm_memslots(kvm); + +- for (i = 0; i < slots->nmemslots; i++) { +- kvm_iommu_put_pages(kvm, slots->memslots[i].base_gfn, +- slots->memslots[i].npages); +- } ++ for (i = 0; i < slots->nmemslots; i++) ++ kvm_iommu_unmap_pages(kvm, &slots->memslots[i]); ++ + srcu_read_unlock(&kvm->srcu, idx); + + return 0; +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index d9cfb78..e401c1b 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -802,12 +802,13 @@ skip_lpage: + if (r) + goto out_free; + +- /* map the pages in iommu page table */ ++ /* map/unmap the pages in iommu page table */ + if (npages) { + r = kvm_iommu_map_pages(kvm, &new); + if (r) + goto out_free; +- } ++ } else ++ kvm_iommu_unmap_pages(kvm, &old); + + r = -ENOMEM; + slots = kzalloc(sizeof(struct kvm_memslots), GFP_KERNEL); diff --git a/3.2.16/4420_grsecurity-2.9-3.2.16-201205071838.patch b/3.2.17/4420_grsecurity-2.9-3.2.17-201205131657.patch index 390b567..8ddeecb 100644 --- a/3.2.16/4420_grsecurity-2.9-3.2.16-201205071838.patch +++ b/3.2.17/4420_grsecurity-2.9-3.2.17-201205131657.patch @@ -195,7 +195,7 @@ index 81c287f..d456d02 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 3da29cb..47b7468 100644 +index 4c4efa3..1171c69 100644 --- a/Makefile +++ b/Makefile @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -1454,6 +1454,34 @@ index 984014b..a6d914f 100644 #endif /* __ASSEMBLY__ */ #define arch_align_stack(x) (x) +diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h +index 7b5cc8d..5d70d88 100644 +--- a/arch/arm/include/asm/thread_info.h ++++ b/arch/arm/include/asm/thread_info.h +@@ -139,6 +139,12 @@ extern void vfp_flush_hwstate(struct thread_info *); + #define TIF_NEED_RESCHED 1 + #define TIF_NOTIFY_RESUME 2 /* callback before returning to user */ + #define TIF_SYSCALL_TRACE 8 ++ ++/* within 8 bits of TIF_SYSCALL_TRACE ++ to meet flexible second operand requirements ++*/ ++#define TIF_GRSEC_SETXID 9 ++ + #define TIF_POLLING_NRFLAG 16 + #define TIF_USING_IWMMXT 17 + #define TIF_MEMDIE 18 /* is terminating due to OOM killer */ +@@ -155,6 +161,10 @@ extern void vfp_flush_hwstate(struct thread_info *); + #define _TIF_FREEZE (1 << TIF_FREEZE) + #define _TIF_RESTORE_SIGMASK (1 << TIF_RESTORE_SIGMASK) + #define _TIF_SECCOMP (1 << TIF_SECCOMP) ++#define _TIF_GRSEC_SETXID (1 << TIF_GRSEC_SETXID) ++ ++/* Checks for any syscall work in entry-common.S */ ++#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_GRSEC_SETXID) + + /* + * Change these and you break ASM code in entry-common.S diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h index b293616..96310e5 100644 --- a/arch/arm/include/asm/uaccess.h @@ -1528,6 +1556,28 @@ index 5b0bce6..becd81c 100644 EXPORT_SYMBOL(__clear_user); EXPORT_SYMBOL(__get_user_1); +diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S +index b2a27b6..520889c 100644 +--- a/arch/arm/kernel/entry-common.S ++++ b/arch/arm/kernel/entry-common.S +@@ -87,7 +87,7 @@ ENTRY(ret_from_fork) + get_thread_info tsk + ldr r1, [tsk, #TI_FLAGS] @ check for syscall tracing + mov why, #1 +- tst r1, #_TIF_SYSCALL_TRACE @ are we tracing syscalls? ++ tst r1, #_TIF_SYSCALL_WORK @ are we tracing syscalls? + beq ret_slow_syscall + mov r1, sp + mov r0, #1 @ trace exit [IP = 1] +@@ -443,7 +443,7 @@ ENTRY(vector_swi) + 1: + #endif + +- tst r10, #_TIF_SYSCALL_TRACE @ are we tracing syscalls? ++ tst r10, #_TIF_SYSCALL_WORK @ are we tracing syscalls? + bne __sys_trace + + cmp scno, #NR_syscalls @ check upper syscall limit diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c index 3d0c6fb..9d326fa 100644 --- a/arch/arm/kernel/process.c @@ -1579,6 +1629,30 @@ index 3d0c6fb..9d326fa 100644 #ifdef CONFIG_MMU /* * The vectors page is always readable from user space for the +diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c +index 90fa8b3..a3a2212 100644 +--- a/arch/arm/kernel/ptrace.c ++++ b/arch/arm/kernel/ptrace.c +@@ -904,10 +904,19 @@ long arch_ptrace(struct task_struct *child, long request, + return ret; + } + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + asmlinkage int syscall_trace(int why, struct pt_regs *regs, int scno) + { + unsigned long ip; + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + if (!test_thread_flag(TIF_SYSCALL_TRACE)) + return scno; + if (!(current->ptrace & PT_PTRACED)) diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c index 8fc2c8f..064c150 100644 --- a/arch/arm/kernel/setup.c @@ -2779,6 +2853,40 @@ index 6018c80..7c37203 100644 +#define arch_align_stack(x) ((x) & ~0xfUL) #endif /* _ASM_SYSTEM_H */ +diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h +index 97f8bf6..3986751 100644 +--- a/arch/mips/include/asm/thread_info.h ++++ b/arch/mips/include/asm/thread_info.h +@@ -124,6 +124,8 @@ register struct thread_info *__current_thread_info __asm__("$28"); + #define TIF_32BIT_ADDR 23 /* 32-bit address space (o32/n32) */ + #define TIF_FPUBOUND 24 /* thread bound to FPU-full CPU set */ + #define TIF_LOAD_WATCH 25 /* If set, load watch registers */ ++/* li takes a 32bit immediate */ ++#define TIF_GRSEC_SETXID 29 /* update credentials on syscall entry/exit */ + #define TIF_SYSCALL_TRACE 31 /* syscall trace active */ + + #ifdef CONFIG_MIPS32_O32 +@@ -148,15 +150,18 @@ register struct thread_info *__current_thread_info __asm__("$28"); + #define _TIF_32BIT_ADDR (1<<TIF_32BIT_ADDR) + #define _TIF_FPUBOUND (1<<TIF_FPUBOUND) + #define _TIF_LOAD_WATCH (1<<TIF_LOAD_WATCH) ++#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID) ++ ++#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_GRSEC_SETXID) + + /* work to do in syscall_trace_leave() */ +-#define _TIF_WORK_SYSCALL_EXIT (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT) ++#define _TIF_WORK_SYSCALL_EXIT (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_GRSEC_SETXID) + + /* work to do on interrupt/exception return */ + #define _TIF_WORK_MASK (0x0000ffef & \ + ~(_TIF_SECCOMP | _TIF_SYSCALL_AUDIT)) + /* work to do on any return to u-space */ +-#define _TIF_ALLWORK_MASK (0x8000ffff & ~_TIF_SECCOMP) ++#define _TIF_ALLWORK_MASK ((0x8000ffff & ~_TIF_SECCOMP) | _TIF_GRSEC_SETXID) + + #endif /* __KERNEL__ */ + diff --git a/arch/mips/kernel/binfmt_elfn32.c b/arch/mips/kernel/binfmt_elfn32.c index 9fdd8bc..4bd7f1a 100644 --- a/arch/mips/kernel/binfmt_elfn32.c @@ -2835,6 +2943,85 @@ index c47f96e..661d418 100644 - - return sp & ALMASK; -} +diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c +index 4e6ea1f..0922422 100644 +--- a/arch/mips/kernel/ptrace.c ++++ b/arch/mips/kernel/ptrace.c +@@ -529,6 +529,10 @@ static inline int audit_arch(void) + return arch; + } + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + /* + * Notification of system call entry/exit + * - triggered by current->work.syscall_trace +@@ -538,6 +542,11 @@ asmlinkage void syscall_trace_enter(struct pt_regs *regs) + /* do the secure computing check first */ + secure_computing(regs->regs[2]); + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + if (!(current->ptrace & PT_PTRACED)) + goto out; + +diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S +index a632bc1..0b77c7c 100644 +--- a/arch/mips/kernel/scall32-o32.S ++++ b/arch/mips/kernel/scall32-o32.S +@@ -52,7 +52,7 @@ NESTED(handle_sys, PT_SIZE, sp) + + stack_done: + lw t0, TI_FLAGS($28) # syscall tracing enabled? +- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT ++ li t1, _TIF_SYSCALL_WORK + and t0, t1 + bnez t0, syscall_trace_entry # -> yes + +diff --git a/arch/mips/kernel/scall64-64.S b/arch/mips/kernel/scall64-64.S +index 3b5a5e9..e1ee86d 100644 +--- a/arch/mips/kernel/scall64-64.S ++++ b/arch/mips/kernel/scall64-64.S +@@ -54,7 +54,7 @@ NESTED(handle_sys64, PT_SIZE, sp) + + sd a3, PT_R26(sp) # save a3 for syscall restarting + +- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT ++ li t1, _TIF_SYSCALL_WORK + LONG_L t0, TI_FLAGS($28) # syscall tracing enabled? + and t0, t1, t0 + bnez t0, syscall_trace_entry +diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S +index 6be6f70..1859577 100644 +--- a/arch/mips/kernel/scall64-n32.S ++++ b/arch/mips/kernel/scall64-n32.S +@@ -53,7 +53,7 @@ NESTED(handle_sysn32, PT_SIZE, sp) + + sd a3, PT_R26(sp) # save a3 for syscall restarting + +- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT ++ li t1, _TIF_SYSCALL_WORK + LONG_L t0, TI_FLAGS($28) # syscall tracing enabled? + and t0, t1, t0 + bnez t0, n32_syscall_trace_entry +diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S +index 5422855..74e63a3 100644 +--- a/arch/mips/kernel/scall64-o32.S ++++ b/arch/mips/kernel/scall64-o32.S +@@ -81,7 +81,7 @@ NESTED(handle_sys, PT_SIZE, sp) + PTR 4b, bad_stack + .previous + +- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT ++ li t1, _TIF_SYSCALL_WORK + LONG_L t0, TI_FLAGS($28) # syscall tracing enabled? + and t0, t1, t0 + bnez t0, trace_a_syscall diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c index 937cf33..adb39bb 100644 --- a/arch/mips/mm/fault.c @@ -3677,6 +3864,41 @@ index e30a13d..2b7d994 100644 /* Used in very early kernel initialization. */ extern unsigned long reloc_offset(void); +diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h +index 836f231..8403cfb 100644 +--- a/arch/powerpc/include/asm/thread_info.h ++++ b/arch/powerpc/include/asm/thread_info.h +@@ -104,7 +104,6 @@ static inline struct thread_info *current_thread_info(void) + #define TIF_PERFMON_CTXSW 6 /* perfmon needs ctxsw calls */ + #define TIF_SYSCALL_AUDIT 7 /* syscall auditing active */ + #define TIF_SINGLESTEP 8 /* singlestepping active */ +-#define TIF_MEMDIE 9 /* is terminating due to OOM killer */ + #define TIF_SECCOMP 10 /* secure computing */ + #define TIF_RESTOREALL 11 /* Restore all regs (implies NOERROR) */ + #define TIF_NOERROR 12 /* Force successful syscall return */ +@@ -112,6 +111,9 @@ static inline struct thread_info *current_thread_info(void) + #define TIF_FREEZE 14 /* Freezing for suspend */ + #define TIF_SYSCALL_TRACEPOINT 15 /* syscall tracepoint instrumentation */ + #define TIF_RUNLATCH 16 /* Is the runlatch enabled? */ ++#define TIF_MEMDIE 17 /* is terminating due to OOM killer */ ++/* mask must be expressable within 16 bits to satisfy 'andi' instruction reqs */ ++#define TIF_GRSEC_SETXID 9 /* update credentials on syscall entry/exit */ + + /* as above, but as bit values */ + #define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE) +@@ -130,8 +132,11 @@ static inline struct thread_info *current_thread_info(void) + #define _TIF_FREEZE (1<<TIF_FREEZE) + #define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT) + #define _TIF_RUNLATCH (1<<TIF_RUNLATCH) ++#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID) ++ + #define _TIF_SYSCALL_T_OR_A (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \ +- _TIF_SECCOMP | _TIF_SYSCALL_TRACEPOINT) ++ _TIF_SECCOMP | _TIF_SYSCALL_TRACEPOINT \ ++ _TIF_GRSEC_SETXID) + + #define _TIF_USER_WORK_MASK (_TIF_SIGPENDING | _TIF_NEED_RESCHED | \ + _TIF_NOTIFY_RESUME) diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h index bd0fb84..a42a14b 100644 --- a/arch/powerpc/include/asm/uaccess.h @@ -4053,6 +4275,45 @@ index 6457574..08b28d3 100644 - - return ret; -} +diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c +index 5de73db..a05f61c 100644 +--- a/arch/powerpc/kernel/ptrace.c ++++ b/arch/powerpc/kernel/ptrace.c +@@ -1702,6 +1702,10 @@ long arch_ptrace(struct task_struct *child, long request, + return ret; + } + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + /* + * We must return the syscall number to actually look up in the table. + * This can be -1L to skip running any syscall at all. +@@ -1712,6 +1716,11 @@ long do_syscall_trace_enter(struct pt_regs *regs) + + secure_computing(regs->gpr[0]); + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + if (test_thread_flag(TIF_SYSCALL_TRACE) && + tracehook_report_syscall_entry(regs)) + /* +@@ -1748,6 +1757,11 @@ void do_syscall_trace_leave(struct pt_regs *regs) + { + int step; + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + if (unlikely(current->audit_context)) + audit_syscall_exit((regs->ccr&0x10000000)?AUDITSC_FAILURE:AUDITSC_SUCCESS, + regs->result); diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c index 836a5a1..27289a3 100644 --- a/arch/powerpc/kernel/signal_32.c @@ -5278,7 +5539,7 @@ index fa57532..e1a4c53 100644 /* diff --git a/arch/sparc/include/asm/thread_info_64.h b/arch/sparc/include/asm/thread_info_64.h -index 60d86be..952dea1 100644 +index 60d86be..6389ac8 100644 --- a/arch/sparc/include/asm/thread_info_64.h +++ b/arch/sparc/include/asm/thread_info_64.h @@ -63,6 +63,8 @@ struct thread_info { @@ -5290,6 +5551,38 @@ index 60d86be..952dea1 100644 unsigned long fpregs[0] __attribute__ ((aligned(64))); }; +@@ -214,10 +216,11 @@ register struct thread_info *current_thread_info_reg asm("g6"); + #define TIF_UNALIGNED 5 /* allowed to do unaligned accesses */ + /* flag bit 6 is available */ + #define TIF_32BIT 7 /* 32-bit binary */ +-/* flag bit 8 is available */ ++#define TIF_GRSEC_SETXID 8 /* update credentials on syscall entry/exit */ + #define TIF_SECCOMP 9 /* secure computing */ + #define TIF_SYSCALL_AUDIT 10 /* syscall auditing active */ + #define TIF_SYSCALL_TRACEPOINT 11 /* syscall tracepoint instrumentation */ ++ + /* NOTE: Thread flags >= 12 should be ones we have no interest + * in using in assembly, else we can't use the mask as + * an immediate value in instructions such as andcc. +@@ -238,12 +241,18 @@ register struct thread_info *current_thread_info_reg asm("g6"); + #define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT) + #define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG) + #define _TIF_FREEZE (1<<TIF_FREEZE) ++#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID) + + #define _TIF_USER_WORK_MASK ((0xff << TI_FLAG_WSAVED_SHIFT) | \ + _TIF_DO_NOTIFY_RESUME_MASK | \ + _TIF_NEED_RESCHED) + #define _TIF_DO_NOTIFY_RESUME_MASK (_TIF_NOTIFY_RESUME | _TIF_SIGPENDING) + ++#define _TIF_WORK_SYSCALL \ ++ (_TIF_SYSCALL_TRACE | _TIF_SECCOMP | _TIF_SYSCALL_AUDIT | \ ++ _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID) ++ ++ + /* + * Thread-synchronous status. + * diff --git a/arch/sparc/include/asm/uaccess.h b/arch/sparc/include/asm/uaccess.h index e88fbe5..96b0ce5 100644 --- a/arch/sparc/include/asm/uaccess.h @@ -5500,6 +5793,45 @@ index 3739a06..48b2ff0 100644 (void *) gp->tpc, (void *) gp->o7, (void *) gp->i7, +diff --git a/arch/sparc/kernel/ptrace_64.c b/arch/sparc/kernel/ptrace_64.c +index 96ee50a..68ce124 100644 +--- a/arch/sparc/kernel/ptrace_64.c ++++ b/arch/sparc/kernel/ptrace_64.c +@@ -1058,6 +1058,10 @@ long arch_ptrace(struct task_struct *child, long request, + return ret; + } + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + asmlinkage int syscall_trace_enter(struct pt_regs *regs) + { + int ret = 0; +@@ -1065,6 +1069,11 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs) + /* do the secure computing check first */ + secure_computing(regs->u_regs[UREG_G1]); + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + if (test_thread_flag(TIF_SYSCALL_TRACE)) + ret = tracehook_report_syscall_entry(regs); + +@@ -1086,6 +1095,11 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs) + + asmlinkage void syscall_trace_leave(struct pt_regs *regs) + { ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + #ifdef CONFIG_AUDITSYSCALL + if (unlikely(current->audit_context)) { + unsigned long tstate = regs->tstate; diff --git a/arch/sparc/kernel/sys_sparc_32.c b/arch/sparc/kernel/sys_sparc_32.c index 42b282f..28ce9f2 100644 --- a/arch/sparc/kernel/sys_sparc_32.c @@ -5673,6 +6005,55 @@ index 441521a..b767073 100644 mm->get_unmapped_area = arch_get_unmapped_area_topdown; mm->unmap_area = arch_unmap_area_topdown; } +diff --git a/arch/sparc/kernel/syscalls.S b/arch/sparc/kernel/syscalls.S +index 1d7e274..b39c527 100644 +--- a/arch/sparc/kernel/syscalls.S ++++ b/arch/sparc/kernel/syscalls.S +@@ -62,7 +62,7 @@ sys32_rt_sigreturn: + #endif + .align 32 + 1: ldx [%g6 + TI_FLAGS], %l5 +- andcc %l5, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0 ++ andcc %l5, _TIF_WORK_SYSCALL, %g0 + be,pt %icc, rtrap + nop + call syscall_trace_leave +@@ -179,7 +179,7 @@ linux_sparc_syscall32: + + srl %i5, 0, %o5 ! IEU1 + srl %i2, 0, %o2 ! IEU0 Group +- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0 ++ andcc %l0, _TIF_WORK_SYSCALL, %g0 + bne,pn %icc, linux_syscall_trace32 ! CTI + mov %i0, %l5 ! IEU1 + call %l7 ! CTI Group brk forced +@@ -202,7 +202,7 @@ linux_sparc_syscall: + + mov %i3, %o3 ! IEU1 + mov %i4, %o4 ! IEU0 Group +- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0 ++ andcc %l0, _TIF_WORK_SYSCALL, %g0 + bne,pn %icc, linux_syscall_trace ! CTI Group + mov %i0, %l5 ! IEU0 + 2: call %l7 ! CTI Group brk forced +@@ -226,7 +226,7 @@ ret_sys_call: + + cmp %o0, -ERESTART_RESTARTBLOCK + bgeu,pn %xcc, 1f +- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %l6 ++ andcc %l0, _TIF_WORK_SYSCALL, %l6 + 80: + /* System call success, clear Carry condition code. */ + andn %g3, %g2, %g3 +@@ -241,7 +241,7 @@ ret_sys_call: + /* System call failure, set Carry condition code. + * Also, get abs(errno) to return to the process. + */ +- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %l6 ++ andcc %l0, _TIF_WORK_SYSCALL, %l6 + sub %g0, %o0, %o0 + or %g3, %g2, %g3 + stx %o0, [%sp + PTREGS_OFF + PT_V9_I0] diff --git a/arch/sparc/kernel/traps_32.c b/arch/sparc/kernel/traps_32.c index 591f20c..0f1b925 100644 --- a/arch/sparc/kernel/traps_32.c @@ -7544,7 +7925,7 @@ index 3a19d04..7c1d55a 100644 #endif diff --git a/arch/x86/boot/compressed/relocs.c b/arch/x86/boot/compressed/relocs.c -index 89bbf4e..869908e 100644 +index e77f4e4..17e511f 100644 --- a/arch/x86/boot/compressed/relocs.c +++ b/arch/x86/boot/compressed/relocs.c @@ -13,8 +13,11 @@ @@ -7649,7 +8030,7 @@ index 89bbf4e..869908e 100644 rel->r_info = elf32_to_cpu(rel->r_info); } } -@@ -396,14 +440,14 @@ static void read_relocs(FILE *fp) +@@ -396,13 +440,13 @@ static void read_relocs(FILE *fp) static void print_absolute_symbols(void) { @@ -7660,13 +8041,12 @@ index 89bbf4e..869908e 100644 for (i = 0; i < ehdr.e_shnum; i++) { struct section *sec = &secs[i]; char *sym_strtab; - Elf32_Sym *sh_symtab; - int j; + unsigned int j; if (sec->shdr.sh_type != SHT_SYMTAB) { continue; -@@ -431,14 +475,14 @@ static void print_absolute_symbols(void) +@@ -429,14 +473,14 @@ static void print_absolute_symbols(void) static void print_absolute_relocs(void) { @@ -7683,7 +8063,7 @@ index 89bbf4e..869908e 100644 if (sec->shdr.sh_type != SHT_REL) { continue; } -@@ -499,13 +543,13 @@ static void print_absolute_relocs(void) +@@ -497,13 +541,13 @@ static void print_absolute_relocs(void) static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym)) { @@ -7699,7 +8079,7 @@ index 89bbf4e..869908e 100644 struct section *sec = &secs[i]; if (sec->shdr.sh_type != SHT_REL) { -@@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym)) +@@ -528,6 +572,22 @@ static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym)) !is_rel_reloc(sym_name(sym_strtab, sym))) { continue; } @@ -7722,7 +8102,7 @@ index 89bbf4e..869908e 100644 switch (r_type) { case R_386_NONE: case R_386_PC32: -@@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, const void *vb) +@@ -569,7 +629,7 @@ static int cmp_relocs(const void *va, const void *vb) static void emit_relocs(int as_text) { @@ -7731,7 +8111,7 @@ index 89bbf4e..869908e 100644 /* Count how many relocations I have and allocate space for them. */ reloc_count = 0; walk_relocs(count_reloc); -@@ -665,6 +725,7 @@ int main(int argc, char **argv) +@@ -663,6 +723,7 @@ int main(int argc, char **argv) fname, strerror(errno)); } read_ehdr(fp); @@ -12161,7 +12541,7 @@ index 2d2f01c..f985723 100644 /* * Force strict CPU ordering. diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h -index d7ef849..6af292e 100644 +index d7ef849..b1b009a 100644 --- a/arch/x86/include/asm/thread_info.h +++ b/arch/x86/include/asm/thread_info.h @@ -10,6 +10,7 @@ @@ -12210,7 +12590,45 @@ index d7ef849..6af292e 100644 #define init_stack (init_thread_union.stack) #else /* !__ASSEMBLY__ */ -@@ -170,45 +164,40 @@ struct thread_info { +@@ -95,6 +89,7 @@ struct thread_info { + #define TIF_BLOCKSTEP 25 /* set when we want DEBUGCTLMSR_BTF */ + #define TIF_LAZY_MMU_UPDATES 27 /* task is updating the mmu lazily */ + #define TIF_SYSCALL_TRACEPOINT 28 /* syscall tracepoint instrumentation */ ++#define TIF_GRSEC_SETXID 29 /* update credentials on syscall entry/exit */ + + #define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE) + #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME) +@@ -117,16 +112,17 @@ struct thread_info { + #define _TIF_BLOCKSTEP (1 << TIF_BLOCKSTEP) + #define _TIF_LAZY_MMU_UPDATES (1 << TIF_LAZY_MMU_UPDATES) + #define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT) ++#define _TIF_GRSEC_SETXID (1 << TIF_GRSEC_SETXID) + + /* work to do in syscall_trace_enter() */ + #define _TIF_WORK_SYSCALL_ENTRY \ + (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_EMU | _TIF_SYSCALL_AUDIT | \ +- _TIF_SECCOMP | _TIF_SINGLESTEP | _TIF_SYSCALL_TRACEPOINT) ++ _TIF_SECCOMP | _TIF_SINGLESTEP | _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID) + + /* work to do in syscall_trace_leave() */ + #define _TIF_WORK_SYSCALL_EXIT \ + (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SINGLESTEP | \ +- _TIF_SYSCALL_TRACEPOINT) ++ _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID) + + /* work to do on interrupt/exception return */ + #define _TIF_WORK_MASK \ +@@ -136,7 +132,8 @@ struct thread_info { + + /* work to do on any return to user space */ + #define _TIF_ALLWORK_MASK \ +- ((0x0000FFFF & ~_TIF_SECCOMP) | _TIF_SYSCALL_TRACEPOINT) ++ ((0x0000FFFF & ~_TIF_SECCOMP) | _TIF_SYSCALL_TRACEPOINT | \ ++ _TIF_GRSEC_SETXID) + + /* Only used for 64 bit */ + #define _TIF_DO_NOTIFY_MASK \ +@@ -170,45 +167,40 @@ struct thread_info { ret; \ }) @@ -12281,7 +12699,7 @@ index d7ef849..6af292e 100644 /* * macros/functions for gaining access to the thread information structure * preempt_count needs to be 1 initially, until the scheduler is functional. -@@ -216,21 +205,8 @@ static inline struct thread_info *current_thread_info(void) +@@ -216,21 +208,8 @@ static inline struct thread_info *current_thread_info(void) #ifndef __ASSEMBLY__ DECLARE_PER_CPU(unsigned long, kernel_stack); @@ -12305,7 +12723,7 @@ index d7ef849..6af292e 100644 #endif #endif /* !X86_32 */ -@@ -264,5 +240,16 @@ extern void arch_task_cache_init(void); +@@ -264,5 +243,16 @@ extern void arch_task_cache_init(void); extern void free_thread_info(struct thread_info *ti); extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src); #define arch_task_cache_init arch_task_cache_init @@ -13612,7 +14030,7 @@ index 1f84794..e23f862 100644 } diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c -index f98d84c..e402a69 100644 +index c4e3581..7e2f9d0 100644 --- a/arch/x86/kernel/apic/apic.c +++ b/arch/x86/kernel/apic/apic.c @@ -174,7 +174,7 @@ int first_system_vector = 0xfe; @@ -13624,7 +14042,7 @@ index f98d84c..e402a69 100644 int pic_mode; -@@ -1853,7 +1853,7 @@ void smp_error_interrupt(struct pt_regs *regs) +@@ -1857,7 +1857,7 @@ void smp_error_interrupt(struct pt_regs *regs) apic_write(APIC_ESR, 0); v1 = apic_read(APIC_ESR); ack_APIC_irq(); @@ -14623,7 +15041,7 @@ index cd28a35..c72ed9a 100644 #include <asm/processor.h> #include <asm/fcntl.h> diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S -index bcda816..b0cbdf9 100644 +index bcda816..5c89791 100644 --- a/arch/x86/kernel/entry_32.S +++ b/arch/x86/kernel/entry_32.S @@ -180,13 +180,146 @@ @@ -14816,7 +15234,7 @@ index bcda816..b0cbdf9 100644 +#ifdef CONFIG_PAX_KERNEXEC + jae resume_userspace + -+ PAX_EXIT_KERNEL ++ pax_exit_kernel + jmp resume_kernel +#else jb resume_kernel # not returning to v8086 or userspace @@ -18551,7 +18969,7 @@ index 6a364a6..b147d11 100644 ip = *(u64 *)(fp+8); if (!in_sched_functions(ip)) diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c -index 8252879..f367ec9 100644 +index 8252879..39d15fc 100644 --- a/arch/x86/kernel/ptrace.c +++ b/arch/x86/kernel/ptrace.c @@ -791,6 +791,10 @@ static int ioperm_active(struct task_struct *target, @@ -18600,6 +19018,41 @@ index 8252879..f367ec9 100644 } void user_single_step_siginfo(struct task_struct *tsk, +@@ -1360,6 +1364,10 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, + # define IS_IA32 0 + #endif + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + /* + * We must return the syscall number to actually look up in the table. + * This can be -1L to skip running any syscall at all. +@@ -1368,6 +1376,11 @@ long syscall_trace_enter(struct pt_regs *regs) + { + long ret = 0; + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + /* + * If we stepped into a sysenter/syscall insn, it trapped in + * kernel mode; do_debug() cleared TF and set TIF_SINGLESTEP. +@@ -1413,6 +1426,11 @@ void syscall_trace_leave(struct pt_regs *regs) + { + bool step; + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + if (unlikely(current->audit_context)) + audit_syscall_exit(AUDITSC_RESULT(regs->ax), regs->ax); + diff --git a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c index 42eb330..139955c 100644 --- a/arch/x86/kernel/pvclock.c @@ -18838,7 +19291,7 @@ index cf0ef98..e3f780b 100644 bss_resource.start = virt_to_phys(&__bss_start); bss_resource.end = virt_to_phys(&__bss_stop)-1; diff --git a/arch/x86/kernel/setup_percpu.c b/arch/x86/kernel/setup_percpu.c -index 71f4727..217419b 100644 +index 5a98aa2..848d2be 100644 --- a/arch/x86/kernel/setup_percpu.c +++ b/arch/x86/kernel/setup_percpu.c @@ -21,19 +21,17 @@ @@ -18897,7 +19350,7 @@ index 71f4727..217419b 100644 write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S); #endif -@@ -207,6 +209,11 @@ void __init setup_per_cpu_areas(void) +@@ -219,6 +221,11 @@ void __init setup_per_cpu_areas(void) /* alrighty, percpu areas up and running */ delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start; for_each_possible_cpu(cpu) { @@ -18909,7 +19362,7 @@ index 71f4727..217419b 100644 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu]; per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu); per_cpu(cpu_number, cpu) = cpu; -@@ -247,6 +254,12 @@ void __init setup_per_cpu_areas(void) +@@ -259,6 +266,12 @@ void __init setup_per_cpu_areas(void) */ set_cpu_numa_node(cpu, early_cpu_to_node(cpu)); #endif @@ -20979,7 +21432,7 @@ index e8e7e0d..56fd1b0 100644 movl %eax, (v) movl %edx, 4(v) diff --git a/arch/x86/lib/atomic64_cx8_32.S b/arch/x86/lib/atomic64_cx8_32.S -index 391a083..d658e9f 100644 +index 391a083..3a2cf39 100644 --- a/arch/x86/lib/atomic64_cx8_32.S +++ b/arch/x86/lib/atomic64_cx8_32.S @@ -35,10 +35,20 @@ ENTRY(atomic64_read_cx8) @@ -21090,7 +21543,7 @@ index 391a083..d658e9f 100644 -.macro incdec_return func ins insc -ENTRY(atomic64_\func\()_return_cx8) -+.macro incdec_return func ins insc unchecked ++.macro incdec_return func ins insc unchecked="" +ENTRY(atomic64_\func\()_return\unchecked\()_cx8) CFI_STARTPROC SAVE ebx @@ -24383,7 +24836,7 @@ index f4f29b1..5cac4fb 100644 return (void *)vaddr; diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c -index f581a18..29efd37 100644 +index f581a18..a269cab 100644 --- a/arch/x86/mm/hugetlbpage.c +++ b/arch/x86/mm/hugetlbpage.c @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file, @@ -24459,7 +24912,7 @@ index f581a18..29efd37 100644 /* don't allow allocations above current base */ if (mm->free_area_cache > base) -@@ -321,64 +328,63 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, +@@ -321,64 +328,68 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, largest_hole = 0; mm->free_area_cache = base; } @@ -24474,15 +24927,16 @@ index f581a18..29efd37 100644 + addr = (mm->free_area_cache - len); do { + addr &= huge_page_mask(h); -+ vma = find_vma(mm, addr); /* * Lookup failure means no vma is above this address, * i.e. return with success: -- */ + */ - if (!(vma = find_vma_prev(mm, addr, &prev_vma))) -- return addr; -- -- /* ++ vma = find_vma(mm, addr); ++ if (!vma) + return addr; + + /* * new region fits between prev_vma->vm_end and * vma->vm_start, use it: */ @@ -24554,7 +25008,7 @@ index f581a18..29efd37 100644 mm->cached_hole_size = ~0UL; addr = hugetlb_get_unmapped_area_bottomup(file, addr0, len, pgoff, flags); -@@ -386,6 +392,7 @@ fail: +@@ -386,6 +397,7 @@ fail: /* * Restore the topdown base: */ @@ -24562,7 +25016,7 @@ index f581a18..29efd37 100644 mm->free_area_cache = base; mm->cached_hole_size = ~0UL; -@@ -399,10 +406,19 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, +@@ -399,10 +411,19 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, struct hstate *h = hstate_file(file); struct mm_struct *mm = current->mm; struct vm_area_struct *vma; @@ -24583,7 +25037,7 @@ index f581a18..29efd37 100644 return -ENOMEM; if (flags & MAP_FIXED) { -@@ -414,8 +430,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, +@@ -414,8 +435,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, if (addr) { addr = ALIGN(addr, huge_page_size(h)); vma = find_vma(mm, addr); @@ -25011,7 +25465,7 @@ index 29f7c6d..b46b35b 100644 printk(KERN_INFO "Write protecting the kernel text: %luk\n", size >> 10); diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c -index bbaaa00..0ad4539 100644 +index bbaaa00..020e913 100644 --- a/arch/x86/mm/init_64.c +++ b/arch/x86/mm/init_64.c @@ -75,7 +75,7 @@ early_param("gbpages", parse_direct_gbpages_on); @@ -25128,6 +25582,15 @@ index bbaaa00..0ad4539 100644 adr = (void *)(((unsigned long)adr) | left); return adr; +@@ -546,7 +560,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end, + unmap_low_page(pmd); + + spin_lock(&init_mm.page_table_lock); +- pud_populate(&init_mm, pud, __va(pmd_phys)); ++ pud_populate_kernel(&init_mm, pud, __va(pmd_phys)); + spin_unlock(&init_mm.page_table_lock); + } + __flush_tlb_all(); @@ -592,7 +606,7 @@ kernel_physical_mapping_init(unsigned long start, unmap_low_page(pud); @@ -26908,10 +27371,10 @@ index 153407c..611cba9 100644 -} -__setup("vdso=", vdso_setup); diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index 1f92865..c843b20 100644 +index e7c920b..c9bdcf7 100644 --- a/arch/x86/xen/enlighten.c +++ b/arch/x86/xen/enlighten.c -@@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); +@@ -86,8 +86,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); struct shared_info xen_dummy_shared_info; @@ -26920,7 +27383,7 @@ index 1f92865..c843b20 100644 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE); __read_mostly int xen_have_vector_callback; EXPORT_SYMBOL_GPL(xen_have_vector_callback); -@@ -1029,7 +1027,7 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { +@@ -1030,7 +1028,7 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { #endif }; @@ -26929,7 +27392,7 @@ index 1f92865..c843b20 100644 { struct sched_shutdown r = { .reason = reason }; -@@ -1037,17 +1035,17 @@ static void xen_reboot(int reason) +@@ -1038,17 +1036,17 @@ static void xen_reboot(int reason) BUG(); } @@ -26950,7 +27413,7 @@ index 1f92865..c843b20 100644 { xen_reboot(SHUTDOWN_poweroff); } -@@ -1153,7 +1151,17 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1154,7 +1152,17 @@ asmlinkage void __init xen_start_kernel(void) __userpte_alloc_gfp &= ~__GFP_HIGHMEM; /* Work out if we support NX */ @@ -26969,7 +27432,7 @@ index 1f92865..c843b20 100644 xen_setup_features(); -@@ -1184,13 +1192,6 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1185,13 +1193,6 @@ asmlinkage void __init xen_start_kernel(void) machine_ops = xen_machine_ops; @@ -26984,10 +27447,10 @@ index 1f92865..c843b20 100644 #ifdef CONFIG_ACPI_NUMA diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c -index 87f6673..e2555a6 100644 +index ec3d603..fa4ed1b 100644 --- a/arch/x86/xen/mmu.c +++ b/arch/x86/xen/mmu.c -@@ -1733,6 +1733,9 @@ pgd_t * __init xen_setup_kernel_pagetable(pgd_t *pgd, +@@ -1738,6 +1738,9 @@ pgd_t * __init xen_setup_kernel_pagetable(pgd_t *pgd, convert_pfn_mfn(init_level4_pgt); convert_pfn_mfn(level3_ident_pgt); convert_pfn_mfn(level3_kernel_pgt); @@ -26997,7 +27460,7 @@ index 87f6673..e2555a6 100644 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd); l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud); -@@ -1751,7 +1754,11 @@ pgd_t * __init xen_setup_kernel_pagetable(pgd_t *pgd, +@@ -1756,7 +1759,11 @@ pgd_t * __init xen_setup_kernel_pagetable(pgd_t *pgd, set_page_prot(init_level4_pgt, PAGE_KERNEL_RO); set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO); set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO); @@ -27009,7 +27472,7 @@ index 87f6673..e2555a6 100644 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO); set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO); -@@ -1962,6 +1969,7 @@ static void __init xen_post_allocator_init(void) +@@ -1967,6 +1974,7 @@ static void __init xen_post_allocator_init(void) pv_mmu_ops.set_pud = xen_set_pud; #if PAGETABLE_LEVELS == 4 pv_mmu_ops.set_pgd = xen_set_pgd; @@ -27017,7 +27480,7 @@ index 87f6673..e2555a6 100644 #endif /* This will work as long as patching hasn't happened yet -@@ -2043,6 +2051,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = { +@@ -2048,6 +2056,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = { .pud_val = PV_CALLEE_SAVE(xen_pud_val), .make_pud = PV_CALLEE_SAVE(xen_make_pud), .set_pgd = xen_set_pgd_hyper, @@ -27026,10 +27489,10 @@ index 87f6673..e2555a6 100644 .alloc_pud = xen_alloc_pmd_init, .release_pud = xen_release_pmd_init, diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c -index 041d4fe..7666b7e 100644 +index 9a23fff..9dfee11ca 100644 --- a/arch/x86/xen/smp.c +++ b/arch/x86/xen/smp.c -@@ -194,11 +194,6 @@ static void __init xen_smp_prepare_boot_cpu(void) +@@ -209,11 +209,6 @@ static void __init xen_smp_prepare_boot_cpu(void) { BUG_ON(smp_processor_id() != 0); native_smp_prepare_boot_cpu(); @@ -27041,7 +27504,7 @@ index 041d4fe..7666b7e 100644 xen_filter_cpu_maps(); xen_setup_vcpu_info_placement(); } -@@ -275,12 +270,12 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle) +@@ -290,12 +285,12 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle) gdt = get_cpu_gdt_table(cpu); ctxt->flags = VGCF_IN_KERNEL; @@ -27057,7 +27520,7 @@ index 041d4fe..7666b7e 100644 #else ctxt->gs_base_kernel = per_cpu_offset(cpu); #endif -@@ -331,13 +326,12 @@ static int __cpuinit xen_cpu_up(unsigned int cpu) +@@ -346,13 +341,12 @@ static int __cpuinit xen_cpu_up(unsigned int cpu) int rc; per_cpu(current_task, cpu) = idle; @@ -27073,19 +27536,6 @@ index 041d4fe..7666b7e 100644 #endif xen_setup_runstate_info(cpu); xen_setup_timer(cpu); -diff --git a/arch/x86/xen/xen-asm.S b/arch/x86/xen/xen-asm.S -index 79d7362..3e45aa0 100644 ---- a/arch/x86/xen/xen-asm.S -+++ b/arch/x86/xen/xen-asm.S -@@ -96,7 +96,7 @@ ENTRY(xen_restore_fl_direct) - - /* check for unmasked and pending */ - cmpw $0x0001, PER_CPU_VAR(xen_vcpu_info) + XEN_vcpu_info_pending -- jz 1f -+ jnz 1f - 2: call check_events - 1: - ENDPATCH(xen_restore_fl_direct) diff --git a/arch/x86/xen/xen-asm_32.S b/arch/x86/xen/xen-asm_32.S index b040b0e..8cc4fe0 100644 --- a/arch/x86/xen/xen-asm_32.S @@ -30676,7 +31126,7 @@ index ae294a0..1755461 100644 return container_of(adapter, struct intel_gmbus, adapter)->force_bit; } diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c -index b9da890..cad1d98 100644 +index a6c2f7a..0eea25d 100644 --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c @@ -189,7 +189,7 @@ i915_gem_object_set_to_gpu_domain(struct drm_i915_gem_object *obj, @@ -33705,7 +34155,7 @@ index 4720f68..78d1df7 100644 void dm_uevent_add(struct mapped_device *md, struct list_head *elist) diff --git a/drivers/md/md.c b/drivers/md/md.c -index 6f37aa4..8d49123 100644 +index 065ab4f..653e6d8 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -278,10 +278,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio); @@ -35613,10 +36063,10 @@ index 1b7082d..c786773 100644 if ((num_pages != size) || (num_pages > MAX_SKB_FRAGS - skb_shinfo(skb)->nr_frags)) diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c -index 486b404..0d6677d 100644 +index 3ed983c..a1bb418 100644 --- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c -@@ -987,7 +987,6 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) +@@ -986,7 +986,6 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data; struct ppp_stats stats; struct ppp_comp_stats cstats; @@ -35624,7 +36074,7 @@ index 486b404..0d6677d 100644 switch (cmd) { case SIOCGPPPSTATS: -@@ -1009,8 +1008,7 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) +@@ -1008,8 +1007,7 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) break; case SIOCGPPPVER: @@ -37836,7 +38286,7 @@ index f64250e..1ee3049 100644 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x0800) }, {}, diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c -index 77eae99..b7cdcc9 100644 +index b2ccdea..84cde75 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -1024,7 +1024,7 @@ int spi_bus_unlock(struct spi_master *master) @@ -42484,7 +42934,7 @@ index 7ee7ba4..0c61a60 100644 goto out_sig; if (offset > inode->i_sb->s_maxbytes) diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c -index 6861f61..a25f010 100644 +index e1fbdee..cd5ea56 100644 --- a/fs/autofs4/waitq.c +++ b/fs/autofs4/waitq.c @@ -60,7 +60,7 @@ static int autofs4_write(struct file *file, const void *addr, int bytes) @@ -44516,7 +44966,7 @@ index 608c1c3..7d040a8 100644 return rc; } diff --git a/fs/exec.c b/fs/exec.c -index 3625464..ff895b9 100644 +index 160cd2f..e74d2a6 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,12 +55,28 @@ @@ -44771,7 +45221,7 @@ index 3625464..ff895b9 100644 set_fs(old_fs); return result; } -@@ -1067,6 +1099,21 @@ void set_task_comm(struct task_struct *tsk, char *buf) +@@ -1070,6 +1102,21 @@ void set_task_comm(struct task_struct *tsk, char *buf) perf_event_comm(tsk); } @@ -44793,7 +45243,7 @@ index 3625464..ff895b9 100644 int flush_old_exec(struct linux_binprm * bprm) { int retval; -@@ -1081,6 +1128,7 @@ int flush_old_exec(struct linux_binprm * bprm) +@@ -1084,6 +1131,7 @@ int flush_old_exec(struct linux_binprm * bprm) set_mm_exe_file(bprm->mm, bprm->file); @@ -44801,7 +45251,7 @@ index 3625464..ff895b9 100644 /* * Release all of the old mmap stuff */ -@@ -1112,10 +1160,6 @@ EXPORT_SYMBOL(would_dump); +@@ -1115,10 +1163,6 @@ EXPORT_SYMBOL(would_dump); void setup_new_exec(struct linux_binprm * bprm) { @@ -44812,7 +45262,7 @@ index 3625464..ff895b9 100644 arch_pick_mmap_layout(current->mm); /* This is the point of no return */ -@@ -1126,18 +1170,7 @@ void setup_new_exec(struct linux_binprm * bprm) +@@ -1129,18 +1173,7 @@ void setup_new_exec(struct linux_binprm * bprm) else set_dumpable(current->mm, suid_dumpable); @@ -44832,7 +45282,7 @@ index 3625464..ff895b9 100644 /* Set the new mm task size. We have to do that late because it may * depend on TIF_32BIT which is only updated in flush_thread() on -@@ -1247,7 +1280,7 @@ int check_unsafe_exec(struct linux_binprm *bprm) +@@ -1250,7 +1283,7 @@ int check_unsafe_exec(struct linux_binprm *bprm) } rcu_read_unlock(); @@ -44841,7 +45291,7 @@ index 3625464..ff895b9 100644 bprm->unsafe |= LSM_UNSAFE_SHARE; } else { res = -EAGAIN; -@@ -1442,6 +1475,28 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) +@@ -1445,6 +1478,28 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) EXPORT_SYMBOL(search_binary_handler); @@ -44870,7 +45320,7 @@ index 3625464..ff895b9 100644 /* * sys_execve() executes a new program. */ -@@ -1450,6 +1505,11 @@ static int do_execve_common(const char *filename, +@@ -1453,6 +1508,11 @@ static int do_execve_common(const char *filename, struct user_arg_ptr envp, struct pt_regs *regs) { @@ -44882,7 +45332,7 @@ index 3625464..ff895b9 100644 struct linux_binprm *bprm; struct file *file; struct files_struct *displaced; -@@ -1457,6 +1517,8 @@ static int do_execve_common(const char *filename, +@@ -1460,6 +1520,8 @@ static int do_execve_common(const char *filename, int retval; const struct cred *cred = current_cred(); @@ -44891,7 +45341,7 @@ index 3625464..ff895b9 100644 /* * We move the actual failure in case of RLIMIT_NPROC excess from * set*uid() to execve() because too many poorly written programs -@@ -1497,12 +1559,27 @@ static int do_execve_common(const char *filename, +@@ -1500,12 +1562,27 @@ static int do_execve_common(const char *filename, if (IS_ERR(file)) goto out_unmark; @@ -44919,7 +45369,7 @@ index 3625464..ff895b9 100644 retval = bprm_mm_init(bprm); if (retval) goto out_file; -@@ -1519,24 +1596,65 @@ static int do_execve_common(const char *filename, +@@ -1522,24 +1599,65 @@ static int do_execve_common(const char *filename, if (retval < 0) goto out; @@ -44989,7 +45439,7 @@ index 3625464..ff895b9 100644 current->fs->in_exec = 0; current->in_execve = 0; acct_update_integrals(current); -@@ -1545,6 +1663,14 @@ static int do_execve_common(const char *filename, +@@ -1548,6 +1666,14 @@ static int do_execve_common(const char *filename, put_files_struct(displaced); return retval; @@ -45004,7 +45454,7 @@ index 3625464..ff895b9 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1618,7 +1744,7 @@ static int expand_corename(struct core_name *cn) +@@ -1621,7 +1747,7 @@ static int expand_corename(struct core_name *cn) { char *old_corename = cn->corename; @@ -45013,7 +45463,7 @@ index 3625464..ff895b9 100644 cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL); if (!cn->corename) { -@@ -1715,7 +1841,7 @@ static int format_corename(struct core_name *cn, long signr) +@@ -1718,7 +1844,7 @@ static int format_corename(struct core_name *cn, long signr) int pid_in_pattern = 0; int err = 0; @@ -45022,7 +45472,7 @@ index 3625464..ff895b9 100644 cn->corename = kmalloc(cn->size, GFP_KERNEL); cn->used = 0; -@@ -1812,6 +1938,228 @@ out: +@@ -1815,6 +1941,228 @@ out: return ispipe; } @@ -45251,7 +45701,7 @@ index 3625464..ff895b9 100644 static int zap_process(struct task_struct *start, int exit_code) { struct task_struct *t; -@@ -2023,17 +2371,17 @@ static void wait_for_dump_helpers(struct file *file) +@@ -2026,17 +2374,17 @@ static void wait_for_dump_helpers(struct file *file) pipe = file->f_path.dentry->d_inode->i_pipe; pipe_lock(pipe); @@ -45274,7 +45724,7 @@ index 3625464..ff895b9 100644 pipe_unlock(pipe); } -@@ -2094,7 +2442,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2097,7 +2445,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) int retval = 0; int flag = 0; int ispipe; @@ -45283,7 +45733,7 @@ index 3625464..ff895b9 100644 struct coredump_params cprm = { .signr = signr, .regs = regs, -@@ -2109,6 +2457,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2112,6 +2460,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) audit_core_dumps(signr); @@ -45293,7 +45743,7 @@ index 3625464..ff895b9 100644 binfmt = mm->binfmt; if (!binfmt || !binfmt->core_dump) goto fail; -@@ -2176,7 +2527,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2179,7 +2530,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) } cprm.limit = RLIM_INFINITY; @@ -45302,7 +45752,7 @@ index 3625464..ff895b9 100644 if (core_pipe_limit && (core_pipe_limit < dump_count)) { printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", task_tgid_vnr(current), current->comm); -@@ -2203,6 +2554,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2206,6 +2557,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) } else { struct inode *inode; @@ -45311,7 +45761,7 @@ index 3625464..ff895b9 100644 if (cprm.limit < binfmt->min_coredump) goto fail_unlock; -@@ -2246,7 +2599,7 @@ close_fail: +@@ -2249,7 +2602,7 @@ close_fail: filp_close(cprm.file, NULL); fail_dropcount: if (ispipe) @@ -45320,7 +45770,7 @@ index 3625464..ff895b9 100644 fail_unlock: kfree(cn.corename); fail_corename: -@@ -2265,7 +2618,7 @@ fail: +@@ -2268,7 +2621,7 @@ fail: */ int dump_write(struct file *file, const void *addr, int nr) { @@ -47143,50 +47593,6 @@ index cfd4959..a780959 100644 if (!IS_ERR(s)) kfree(s); } -diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c -index 4dfbfec..ec2a9c2 100644 ---- a/fs/hfsplus/catalog.c -+++ b/fs/hfsplus/catalog.c -@@ -366,6 +366,10 @@ int hfsplus_rename_cat(u32 cnid, - err = hfs_brec_find(&src_fd); - if (err) - goto out; -+ if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) { -+ err = -EIO; -+ goto out; -+ } - - hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset, - src_fd.entrylength); -diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c -index 4536cd3..5adb740 100644 ---- a/fs/hfsplus/dir.c -+++ b/fs/hfsplus/dir.c -@@ -150,6 +150,11 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir) - filp->f_pos++; - /* fall through */ - case 1: -+ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { -+ err = -EIO; -+ goto out; -+ } -+ - hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, - fd.entrylength); - if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) { -@@ -181,6 +186,12 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir) - err = -EIO; - goto out; - } -+ -+ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { -+ err = -EIO; -+ goto out; -+ } -+ - hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, - fd.entrylength); - type = be16_to_cpu(entry.type); diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index 2d0ca24..c4b8676511 100644 --- a/fs/hugetlbfs/inode.c @@ -47965,7 +48371,7 @@ index 50a15fa..ca113f9 100644 void nfs_fattr_init(struct nfs_fattr *fattr) diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c -index 7a2e442..8e544cc 100644 +index 5c3cd82..ed535e5 100644 --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c @@ -914,7 +914,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file, @@ -48109,7 +48515,7 @@ index d355e6e..578d905 100644 enum ocfs2_local_alloc_state diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c -index ba5d97e..c77db25 100644 +index f169da4..9112253 100644 --- a/fs/ocfs2/suballoc.c +++ b/fs/ocfs2/suballoc.c @@ -872,7 +872,7 @@ static int ocfs2_reserve_suballoc_bits(struct ocfs2_super *osb, @@ -48345,10 +48751,10 @@ index bd8ae78..539d250 100644 ldm_crit ("Out of memory."); return false; diff --git a/fs/pipe.c b/fs/pipe.c -index 4065f07..68c0706 100644 +index 05ed5ca..ab15592 100644 --- a/fs/pipe.c +++ b/fs/pipe.c -@@ -420,9 +420,9 @@ redo: +@@ -437,9 +437,9 @@ redo: } if (bufs) /* More to do? */ continue; @@ -48360,7 +48766,7 @@ index 4065f07..68c0706 100644 /* syscall merging: Usually we must not sleep * if O_NONBLOCK is set, or if we got some data. * But if a writer sleeps in kernel space, then -@@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov, +@@ -503,7 +503,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov, mutex_lock(&inode->i_mutex); pipe = inode->i_pipe; @@ -48369,7 +48775,7 @@ index 4065f07..68c0706 100644 send_sig(SIGPIPE, current, 0); ret = -EPIPE; goto out; -@@ -530,7 +530,7 @@ redo1: +@@ -552,7 +552,7 @@ redo1: for (;;) { int bufs; @@ -48378,7 +48784,7 @@ index 4065f07..68c0706 100644 send_sig(SIGPIPE, current, 0); if (!ret) ret = -EPIPE; -@@ -616,9 +616,9 @@ redo2: +@@ -643,9 +643,9 @@ redo2: kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN); do_wakeup = 0; } @@ -48390,7 +48796,7 @@ index 4065f07..68c0706 100644 } out: mutex_unlock(&inode->i_mutex); -@@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table *wait) +@@ -712,7 +712,7 @@ pipe_poll(struct file *filp, poll_table *wait) mask = 0; if (filp->f_mode & FMODE_READ) { mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0; @@ -48399,7 +48805,7 @@ index 4065f07..68c0706 100644 mask |= POLLHUP; } -@@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table *wait) +@@ -722,7 +722,7 @@ pipe_poll(struct file *filp, poll_table *wait) * Most Unices do not set POLLERR for FIFOs but on Linux they * behave exactly like pipes for poll(). */ @@ -48408,7 +48814,7 @@ index 4065f07..68c0706 100644 mask |= POLLERR; } -@@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int decr, int decw) +@@ -736,10 +736,10 @@ pipe_release(struct inode *inode, int decr, int decw) mutex_lock(&inode->i_mutex); pipe = inode->i_pipe; @@ -48422,7 +48828,7 @@ index 4065f07..68c0706 100644 free_pipe_info(inode); } else { wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP); -@@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, struct file *filp) +@@ -829,7 +829,7 @@ pipe_read_open(struct inode *inode, struct file *filp) if (inode->i_pipe) { ret = 0; @@ -48431,7 +48837,7 @@ index 4065f07..68c0706 100644 } mutex_unlock(&inode->i_mutex); -@@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, struct file *filp) +@@ -846,7 +846,7 @@ pipe_write_open(struct inode *inode, struct file *filp) if (inode->i_pipe) { ret = 0; @@ -48440,7 +48846,7 @@ index 4065f07..68c0706 100644 } mutex_unlock(&inode->i_mutex); -@@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp) +@@ -864,9 +864,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp) if (inode->i_pipe) { ret = 0; if (filp->f_mode & FMODE_READ) @@ -48452,7 +48858,7 @@ index 4065f07..68c0706 100644 } mutex_unlock(&inode->i_mutex); -@@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode) +@@ -958,7 +958,7 @@ void free_pipe_info(struct inode *inode) inode->i_pipe = NULL; } @@ -48461,7 +48867,7 @@ index 4065f07..68c0706 100644 /* * pipefs_dname() is called from d_path(). -@@ -961,7 +961,8 @@ static struct inode * get_pipe_inode(void) +@@ -988,7 +988,8 @@ static struct inode * get_pipe_inode(void) goto fail_iput; inode->i_pipe = pipe; @@ -49865,10 +50271,10 @@ index dba43c3..4b3f701 100644 if (op) { diff --git a/fs/splice.c b/fs/splice.c -index fa2defa..8601650 100644 +index 6d0dfb8..115bb3a 100644 --- a/fs/splice.c +++ b/fs/splice.c -@@ -194,7 +194,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe, +@@ -195,7 +195,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe, pipe_lock(pipe); for (;;) { @@ -49877,7 +50283,7 @@ index fa2defa..8601650 100644 send_sig(SIGPIPE, current, 0); if (!ret) ret = -EPIPE; -@@ -248,9 +248,9 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe, +@@ -249,9 +249,9 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe, do_wakeup = 0; } @@ -49889,7 +50295,7 @@ index fa2defa..8601650 100644 } pipe_unlock(pipe); -@@ -560,7 +560,7 @@ static ssize_t kernel_readv(struct file *file, const struct iovec *vec, +@@ -561,7 +561,7 @@ static ssize_t kernel_readv(struct file *file, const struct iovec *vec, old_fs = get_fs(); set_fs(get_ds()); /* The cast to a user pointer is valid due to the set_fs() */ @@ -49898,7 +50304,7 @@ index fa2defa..8601650 100644 set_fs(old_fs); return res; -@@ -575,7 +575,7 @@ static ssize_t kernel_write(struct file *file, const char *buf, size_t count, +@@ -576,7 +576,7 @@ static ssize_t kernel_write(struct file *file, const char *buf, size_t count, old_fs = get_fs(); set_fs(get_ds()); /* The cast to a user pointer is valid due to the set_fs() */ @@ -49907,7 +50313,7 @@ index fa2defa..8601650 100644 set_fs(old_fs); return res; -@@ -626,7 +626,7 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos, +@@ -627,7 +627,7 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos, goto err; this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset); @@ -49916,7 +50322,7 @@ index fa2defa..8601650 100644 vec[i].iov_len = this_len; spd.pages[i] = page; spd.nr_pages++; -@@ -846,10 +846,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed); +@@ -849,10 +849,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed); int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd) { while (!pipe->nrbufs) { @@ -49929,7 +50335,7 @@ index fa2defa..8601650 100644 return 0; if (sd->flags & SPLICE_F_NONBLOCK) -@@ -1182,7 +1182,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, +@@ -1185,7 +1185,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, * out of the pipe right after the splice_to_pipe(). So set * PIPE_READERS appropriately. */ @@ -49938,7 +50344,7 @@ index fa2defa..8601650 100644 current->splice_pipe = pipe; } -@@ -1734,9 +1734,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags) +@@ -1737,9 +1737,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags) ret = -ERESTARTSYS; break; } @@ -49950,7 +50356,7 @@ index fa2defa..8601650 100644 if (flags & SPLICE_F_NONBLOCK) { ret = -EAGAIN; break; -@@ -1768,7 +1768,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags) +@@ -1771,7 +1771,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags) pipe_lock(pipe); while (pipe->nrbufs >= pipe->buffers) { @@ -49959,7 +50365,7 @@ index fa2defa..8601650 100644 send_sig(SIGPIPE, current, 0); ret = -EPIPE; break; -@@ -1781,9 +1781,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags) +@@ -1784,9 +1784,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags) ret = -ERESTARTSYS; break; } @@ -49971,7 +50377,7 @@ index fa2defa..8601650 100644 } pipe_unlock(pipe); -@@ -1819,14 +1819,14 @@ retry: +@@ -1822,14 +1822,14 @@ retry: pipe_double_lock(ipipe, opipe); do { @@ -49988,7 +50394,7 @@ index fa2defa..8601650 100644 break; /* -@@ -1923,7 +1923,7 @@ static int link_pipe(struct pipe_inode_info *ipipe, +@@ -1926,7 +1926,7 @@ static int link_pipe(struct pipe_inode_info *ipipe, pipe_double_lock(ipipe, opipe); do { @@ -49997,7 +50403,7 @@ index fa2defa..8601650 100644 send_sig(SIGPIPE, current, 0); if (!ret) ret = -EPIPE; -@@ -1968,7 +1968,7 @@ static int link_pipe(struct pipe_inode_info *ipipe, +@@ -1971,7 +1971,7 @@ static int link_pipe(struct pipe_inode_info *ipipe, * return EAGAIN if we have the potential of some data in the * future, otherwise just return 0 */ @@ -50306,10 +50712,10 @@ index 23ce927..e274cc1 100644 kfree(s); diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..4089e05 +index 0000000..2645296 --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,1078 @@ +@@ -0,0 +1,1079 @@ +# +# grecurity configuration +# @@ -50444,7 +50850,7 @@ index 0000000..4089e05 + select GRKERNSEC_PROC_ADD + select GRKERNSEC_CHROOT_CHMOD + select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_SETXID ++ select GRKERNSEC_SETXID if (X86 || SPARC64 || PPC || ARM || MIPS) + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) + select GRKERNSEC_HARDEN_PTRACE @@ -51139,6 +51545,7 @@ index 0000000..4089e05 + +config GRKERNSEC_SETXID + bool "Enforce consistent multithreaded privileges" ++ depends on (X86 || SPARC64 || PPC || ARM || MIPS) + help + If you say Y here, a change from a root uid to a non-root uid + in a multithreaded application will cause the resulting uids, @@ -51434,10 +51841,10 @@ index 0000000..1b9afa9 +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..50b4257 +index 0000000..e22066e --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,4185 @@ +@@ -0,0 +1,4186 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -55288,21 +55695,22 @@ index 0000000..50b4257 + if (unlikely(!(gr_status & GR_READY))) + return 0; +#endif ++ if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) { ++ read_lock(&tasklist_lock); ++ while (tmp->pid > 0) { ++ if (tmp == curtemp) ++ break; ++ tmp = tmp->real_parent; ++ } + -+ read_lock(&tasklist_lock); -+ while (tmp->pid > 0) { -+ if (tmp == curtemp) -+ break; -+ tmp = tmp->real_parent; -+ } -+ -+ if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) || -+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) { ++ if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) || ++ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) { ++ read_unlock(&tasklist_lock); ++ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task); ++ return 1; ++ } + read_unlock(&tasklist_lock); -+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task); -+ return 1; + } -+ read_unlock(&tasklist_lock); + +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE + if (!(gr_status & GR_READY)) @@ -61396,10 +61804,10 @@ index e13117c..e9fc938 100644 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1)) diff --git a/include/linux/efi.h b/include/linux/efi.h -index 2362a0b..cfaf8fcc 100644 +index 1328d8c..2cd894c 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -446,7 +446,7 @@ struct efivar_operations { +@@ -457,7 +457,7 @@ struct efivar_operations { efi_get_variable_t *get_variable; efi_get_next_variable_t *get_next_variable; efi_set_variable_t *set_variable; @@ -62939,7 +63347,7 @@ index b16f653..eb908f4 100644 #define request_module_nowait(mod...) __request_module(false, mod) #define try_then_request_module(x, mod...) \ diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h -index d526231..c9599fc 100644 +index 35410ef..9f98b23 100644 --- a/include/linux/kvm_host.h +++ b/include/linux/kvm_host.h @@ -308,7 +308,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vcpu); @@ -62987,7 +63395,7 @@ index d526231..c9599fc 100644 void kvm_arch_exit(void); int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu); -@@ -690,7 +690,7 @@ int kvm_setup_default_irq_routing(struct kvm *kvm); +@@ -696,7 +696,7 @@ int kvm_setup_default_irq_routing(struct kvm *kvm); int kvm_set_irq_routing(struct kvm *kvm, const struct kvm_irq_routing_entry *entries, unsigned nr, @@ -63521,7 +63929,7 @@ index ffc0213..2c1f2cb 100644 return nd->saved_names[nd->depth]; } diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h -index a82ad4d..90d15b7 100644 +index cbeb586..eba9b27 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -949,6 +949,7 @@ struct net_device_ops { @@ -63646,10 +64054,10 @@ index 8fc7dd1a..c19d89e 100644 /* diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h -index 77257c9..51d473a 100644 +index 0072a53..c5dcca5 100644 --- a/include/linux/pipe_fs_i.h +++ b/include/linux/pipe_fs_i.h -@@ -46,9 +46,9 @@ struct pipe_buffer { +@@ -47,9 +47,9 @@ struct pipe_buffer { struct pipe_inode_info { wait_queue_head_t wait; unsigned int nrbufs, curbuf, buffers; @@ -64223,10 +64631,10 @@ index 92808b8..c28cac4 100644 /* shm_mode upper byte flags */ diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h -index 6cf8b53..bcce844 100644 +index e689b47..3404939 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h -@@ -642,7 +642,7 @@ static inline struct skb_shared_hwtstamps *skb_hwtstamps(struct sk_buff *skb) +@@ -643,7 +643,7 @@ static inline struct skb_shared_hwtstamps *skb_hwtstamps(struct sk_buff *skb) */ static inline int skb_queue_empty(const struct sk_buff_head *list) { @@ -64235,7 +64643,7 @@ index 6cf8b53..bcce844 100644 } /** -@@ -655,7 +655,7 @@ static inline int skb_queue_empty(const struct sk_buff_head *list) +@@ -656,7 +656,7 @@ static inline int skb_queue_empty(const struct sk_buff_head *list) static inline bool skb_queue_is_last(const struct sk_buff_head *list, const struct sk_buff *skb) { @@ -64244,7 +64652,7 @@ index 6cf8b53..bcce844 100644 } /** -@@ -668,7 +668,7 @@ static inline bool skb_queue_is_last(const struct sk_buff_head *list, +@@ -669,7 +669,7 @@ static inline bool skb_queue_is_last(const struct sk_buff_head *list, static inline bool skb_queue_is_first(const struct sk_buff_head *list, const struct sk_buff *skb) { @@ -64253,7 +64661,7 @@ index 6cf8b53..bcce844 100644 } /** -@@ -1533,7 +1533,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len) +@@ -1546,7 +1546,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len) * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8) */ #ifndef NET_SKB_PAD @@ -66500,7 +66908,7 @@ index 42e8fa0..9e7406b 100644 return -ENOMEM; diff --git a/kernel/cred.c b/kernel/cred.c -index 48c6fd3..3342f00 100644 +index 48c6fd3..8398912 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -204,6 +204,15 @@ void exit_creds(struct task_struct *tsk) @@ -66537,7 +66945,7 @@ index 48c6fd3..3342f00 100644 /* dumpability changes */ if (old->euid != new->euid || old->egid != new->egid || -@@ -540,6 +551,92 @@ int commit_creds(struct cred *new) +@@ -540,6 +551,101 @@ int commit_creds(struct cred *new) put_cred(old); return 0; } @@ -66603,6 +67011,8 @@ index 48c6fd3..3342f00 100644 +int commit_creds(struct cred *new) +{ +#ifdef CONFIG_GRKERNSEC_SETXID ++ int ret; ++ int schedule_it = 0; + struct task_struct *t; + + /* we won't get called with tasklist_lock held for writing @@ -66611,20 +67021,27 @@ index 48c6fd3..3342f00 100644 + */ + if (grsec_enable_setxid && !current_is_single_threaded() && + !current_uid() && new->uid) { ++ schedule_it = 1; ++ } ++ ret = __commit_creds(new); ++ if (schedule_it) { + rcu_read_lock(); + read_lock(&tasklist_lock); + for (t = next_thread(current); t != current; + t = next_thread(t)) { + if (t->delayed_cred == NULL) { + t->delayed_cred = get_cred(new); ++ set_tsk_thread_flag(t, TIF_GRSEC_SETXID); + set_tsk_need_resched(t); + } + } + read_unlock(&tasklist_lock); + rcu_read_unlock(); + } -+#endif ++ return ret; ++#else + return __commit_creds(new); ++#endif +} + EXPORT_SYMBOL(commit_creds); @@ -66816,7 +67233,7 @@ index 58690af..d903d75 100644 /* diff --git a/kernel/exit.c b/kernel/exit.c -index e6e01b9..0a21b0a 100644 +index 5a8a66e..ded4680 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -57,6 +57,10 @@ @@ -66868,7 +67285,7 @@ index e6e01b9..0a21b0a 100644 /* * If we were started as result of loading a module, close all of the * user space pages. We don't need them, and if we didn't close them -@@ -893,6 +912,8 @@ NORET_TYPE void do_exit(long code) +@@ -874,6 +893,8 @@ NORET_TYPE void do_exit(long code) struct task_struct *tsk = current; int group_dead; @@ -66877,7 +67294,7 @@ index e6e01b9..0a21b0a 100644 profile_task_exit(tsk); WARN_ON(blk_needs_flush_plug(tsk)); -@@ -909,7 +930,6 @@ NORET_TYPE void do_exit(long code) +@@ -890,7 +911,6 @@ NORET_TYPE void do_exit(long code) * mm_release()->clear_child_tid() from writing to a user-controlled * kernel address. */ @@ -66885,7 +67302,7 @@ index e6e01b9..0a21b0a 100644 ptrace_event(PTRACE_EVENT_EXIT, code); -@@ -971,6 +991,9 @@ NORET_TYPE void do_exit(long code) +@@ -952,6 +972,9 @@ NORET_TYPE void do_exit(long code) tsk->exit_code = code; taskstats_exit(tsk, group_dead); @@ -66895,7 +67312,7 @@ index e6e01b9..0a21b0a 100644 exit_mm(tsk); if (group_dead) -@@ -1068,7 +1091,7 @@ SYSCALL_DEFINE1(exit, int, error_code) +@@ -1049,7 +1072,7 @@ SYSCALL_DEFINE1(exit, int, error_code) * Take down every thread in the group. This is called by fatal signals * as well as by sys_exit_group (below). */ @@ -69537,39 +69954,10 @@ index 3d9f31c..7fefc9e 100644 default: diff --git a/kernel/sched.c b/kernel/sched.c -index d6b149c..896cbb8 100644 +index 299f55c..2b2e317 100644 --- a/kernel/sched.c +++ b/kernel/sched.c -@@ -4389,6 +4389,19 @@ pick_next_task(struct rq *rq) - BUG(); /* the idle class will always have a runnable task */ - } - -+#ifdef CONFIG_GRKERNSEC_SETXID -+extern void gr_delayed_cred_worker(void); -+static inline void gr_cred_schedule(void) -+{ -+ if (unlikely(current->delayed_cred)) -+ gr_delayed_cred_worker(); -+} -+#else -+static inline void gr_cred_schedule(void) -+{ -+} -+#endif -+ - /* - * __schedule() is the main scheduler function. - */ -@@ -4408,6 +4421,8 @@ need_resched: - - schedule_debug(prev); - -+ gr_cred_schedule(); -+ - if (sched_feat(HRTICK)) - hrtick_clear(rq); - -@@ -5098,6 +5113,8 @@ int can_nice(const struct task_struct *p, const int nice) +@@ -5097,6 +5097,8 @@ int can_nice(const struct task_struct *p, const int nice) /* convert nice value [19,-20] to rlimit style value [1,40] */ int nice_rlim = 20 - nice; @@ -69578,7 +69966,7 @@ index d6b149c..896cbb8 100644 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) || capable(CAP_SYS_NICE)); } -@@ -5131,7 +5148,8 @@ SYSCALL_DEFINE1(nice, int, increment) +@@ -5130,7 +5132,8 @@ SYSCALL_DEFINE1(nice, int, increment) if (nice > 19) nice = 19; @@ -69588,7 +69976,7 @@ index d6b149c..896cbb8 100644 return -EPERM; retval = security_task_setnice(current, nice); -@@ -5288,6 +5306,7 @@ recheck: +@@ -5287,6 +5290,7 @@ recheck: unsigned long rlim_rtprio = task_rlimit(p, RLIMIT_RTPRIO); @@ -69632,7 +70020,7 @@ index 8a39fa3..34f3dbc 100644 int this_cpu = smp_processor_id(); struct rq *this_rq = cpu_rq(this_cpu); diff --git a/kernel/signal.c b/kernel/signal.c -index 2065515..aed2987 100644 +index 08e0b97..cdf6f49 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cachep; @@ -69741,7 +70129,7 @@ index 2065515..aed2987 100644 return ret; } -@@ -2754,7 +2777,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) +@@ -2763,7 +2786,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) int error = -ESRCH; rcu_read_lock(); @@ -70729,7 +71117,7 @@ index fd3c8aa..5f324a6 100644 } entry = ring_buffer_event_data(event); diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c -index 5199930..26c73a0 100644 +index 1dcf253..b31d45c 100644 --- a/kernel/trace/trace_output.c +++ b/kernel/trace/trace_output.c @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s, struct path *path) @@ -70934,6 +71322,28 @@ index 013a761..c28f3fc 100644 #define free(a) kfree(a) #endif +diff --git a/lib/ioremap.c b/lib/ioremap.c +index da4e2ad..6373b5f 100644 +--- a/lib/ioremap.c ++++ b/lib/ioremap.c +@@ -38,7 +38,7 @@ static inline int ioremap_pmd_range(pud_t *pud, unsigned long addr, + unsigned long next; + + phys_addr -= addr; +- pmd = pmd_alloc(&init_mm, pud, addr); ++ pmd = pmd_alloc_kernel(&init_mm, pud, addr); + if (!pmd) + return -ENOMEM; + do { +@@ -56,7 +56,7 @@ static inline int ioremap_pud_range(pgd_t *pgd, unsigned long addr, + unsigned long next; + + phys_addr -= addr; +- pud = pud_alloc(&init_mm, pgd, addr); ++ pud = pud_alloc_kernel(&init_mm, pgd, addr); + if (!pud) + return -ENOMEM; + do { diff --git a/lib/is_single_threaded.c b/lib/is_single_threaded.c index bd2bea9..6b3c95e 100644 --- a/lib/is_single_threaded.c @@ -71500,7 +71910,7 @@ index 06d3479..0778eef 100644 /* keep elevated page count for bad page */ return ret; diff --git a/mm/memory.c b/mm/memory.c -index 1b1ca17..d49bd61 100644 +index 1b1ca17..e6715dd 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -457,8 +457,12 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, @@ -71627,7 +72037,29 @@ index 1b1ca17..d49bd61 100644 if (addr < vma->vm_start || addr >= vma->vm_end) return -EFAULT; -@@ -2453,6 +2466,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo +@@ -2345,7 +2358,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud, + + BUG_ON(pud_huge(*pud)); + +- pmd = pmd_alloc(mm, pud, addr); ++ pmd = (mm == &init_mm) ? ++ pmd_alloc_kernel(mm, pud, addr) : ++ pmd_alloc(mm, pud, addr); + if (!pmd) + return -ENOMEM; + do { +@@ -2365,7 +2380,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd, + unsigned long next; + int err; + +- pud = pud_alloc(mm, pgd, addr); ++ pud = (mm == &init_mm) ? ++ pud_alloc_kernel(mm, pgd, addr) : ++ pud_alloc(mm, pgd, addr); + if (!pud) + return -ENOMEM; + do { +@@ -2453,6 +2470,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo copy_user_highpage(dst, src, va, vma); } @@ -71814,7 +72246,7 @@ index 1b1ca17..d49bd61 100644 /* * This routine handles present pages, when users try to write * to a shared page. It is done by copying the page to a new address -@@ -2664,6 +2857,12 @@ gotten: +@@ -2664,6 +2861,12 @@ gotten: */ page_table = pte_offset_map_lock(mm, pmd, address, &ptl); if (likely(pte_same(*page_table, orig_pte))) { @@ -71827,7 +72259,7 @@ index 1b1ca17..d49bd61 100644 if (old_page) { if (!PageAnon(old_page)) { dec_mm_counter_fast(mm, MM_FILEPAGES); -@@ -2715,6 +2914,10 @@ gotten: +@@ -2715,6 +2918,10 @@ gotten: page_remove_rmap(old_page); } @@ -71838,7 +72270,7 @@ index 1b1ca17..d49bd61 100644 /* Free the old page.. */ new_page = old_page; ret |= VM_FAULT_WRITE; -@@ -2994,6 +3197,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2994,6 +3201,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, swap_free(entry); if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page)) try_to_free_swap(page); @@ -71850,7 +72282,7 @@ index 1b1ca17..d49bd61 100644 unlock_page(page); if (swapcache) { /* -@@ -3017,6 +3225,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3017,6 +3229,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, /* No need to invalidate - it was non-present before */ update_mmu_cache(vma, address, page_table); @@ -71862,7 +72294,7 @@ index 1b1ca17..d49bd61 100644 unlock: pte_unmap_unlock(page_table, ptl); out: -@@ -3036,40 +3249,6 @@ out_release: +@@ -3036,40 +3253,6 @@ out_release: } /* @@ -71903,7 +72335,7 @@ index 1b1ca17..d49bd61 100644 * We enter with non-exclusive mmap_sem (to exclude vma changes, * but allow concurrent faults), and pte mapped but not yet locked. * We return with mmap_sem still held, but pte unmapped and unlocked. -@@ -3078,27 +3257,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3078,27 +3261,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long address, pte_t *page_table, pmd_t *pmd, unsigned int flags) { @@ -71936,7 +72368,7 @@ index 1b1ca17..d49bd61 100644 if (unlikely(anon_vma_prepare(vma))) goto oom; page = alloc_zeroed_user_highpage_movable(vma, address); -@@ -3117,6 +3292,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3117,6 +3296,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, if (!pte_none(*page_table)) goto release; @@ -71948,7 +72380,7 @@ index 1b1ca17..d49bd61 100644 inc_mm_counter_fast(mm, MM_ANONPAGES); page_add_new_anon_rmap(page, vma, address); setpte: -@@ -3124,6 +3304,12 @@ setpte: +@@ -3124,6 +3308,12 @@ setpte: /* No need to invalidate - it was non-present before */ update_mmu_cache(vma, address, page_table); @@ -71961,7 +72393,7 @@ index 1b1ca17..d49bd61 100644 unlock: pte_unmap_unlock(page_table, ptl); return 0; -@@ -3267,6 +3453,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3267,6 +3457,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, */ /* Only go through if we didn't race with anybody else... */ if (likely(pte_same(*page_table, orig_pte))) { @@ -71974,7 +72406,7 @@ index 1b1ca17..d49bd61 100644 flush_icache_page(vma, page); entry = mk_pte(page, vma->vm_page_prot); if (flags & FAULT_FLAG_WRITE) -@@ -3286,6 +3478,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3286,6 +3482,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, /* no need to invalidate: a not-present page won't be cached */ update_mmu_cache(vma, address, page_table); @@ -71989,7 +72421,7 @@ index 1b1ca17..d49bd61 100644 } else { if (cow_page) mem_cgroup_uncharge_page(cow_page); -@@ -3439,6 +3639,12 @@ int handle_pte_fault(struct mm_struct *mm, +@@ -3439,6 +3643,12 @@ int handle_pte_fault(struct mm_struct *mm, if (flags & FAULT_FLAG_WRITE) flush_tlb_fix_spurious_fault(vma, address); } @@ -72002,7 +72434,7 @@ index 1b1ca17..d49bd61 100644 unlock: pte_unmap_unlock(pte, ptl); return 0; -@@ -3455,6 +3661,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3455,6 +3665,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, pmd_t *pmd; pte_t *pte; @@ -72013,7 +72445,7 @@ index 1b1ca17..d49bd61 100644 __set_current_state(TASK_RUNNING); count_vm_event(PGFAULT); -@@ -3466,6 +3676,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3466,6 +3680,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, if (unlikely(is_vm_hugetlb_page(vma))) return hugetlb_fault(mm, vma, address, flags); @@ -72048,7 +72480,7 @@ index 1b1ca17..d49bd61 100644 pgd = pgd_offset(mm, address); pud = pud_alloc(mm, pgd, address); if (!pud) -@@ -3495,7 +3733,7 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3495,7 +3737,7 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, * run pte_offset_map on the pmd, if an huge pmd could * materialize from under us from a different thread. */ @@ -72057,7 +72489,7 @@ index 1b1ca17..d49bd61 100644 return VM_FAULT_OOM; /* if an huge pmd materialized from under us just retry later */ if (unlikely(pmd_trans_huge(*pmd))) -@@ -3532,6 +3770,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) +@@ -3532,6 +3774,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) spin_unlock(&mm->page_table_lock); return 0; } @@ -72081,7 +72513,7 @@ index 1b1ca17..d49bd61 100644 #endif /* __PAGETABLE_PUD_FOLDED */ #ifndef __PAGETABLE_PMD_FOLDED -@@ -3562,6 +3817,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) +@@ -3562,6 +3821,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) spin_unlock(&mm->page_table_lock); return 0; } @@ -72112,7 +72544,7 @@ index 1b1ca17..d49bd61 100644 #endif /* __PAGETABLE_PMD_FOLDED */ int make_pages_present(unsigned long addr, unsigned long end) -@@ -3599,7 +3878,7 @@ static int __init gate_vma_init(void) +@@ -3599,7 +3882,7 @@ static int __init gate_vma_init(void) gate_vma.vm_start = FIXADDR_USER_START; gate_vma.vm_end = FIXADDR_USER_END; gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC; @@ -75714,10 +76146,10 @@ index 17b5b1c..826d872 100644 } } diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c -index 8eb6b15..e3db7ab 100644 +index 5ac1811..7eb2320 100644 --- a/net/bridge/br_multicast.c +++ b/net/bridge/br_multicast.c -@@ -1488,7 +1488,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br, +@@ -1408,7 +1408,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br, nexthdr = ip6h->nexthdr; offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr); @@ -76073,7 +76505,7 @@ index 68bbf9f..5ef0d12 100644 return err; diff --git a/net/core/dev.c b/net/core/dev.c -index 55cd370..672cffa 100644 +index cd5050e..b1b4530 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -1139,10 +1139,14 @@ void dev_load(struct net *net, const char *name) @@ -76154,7 +76586,7 @@ index 55cd370..672cffa 100644 { struct softnet_data *sd = &__get_cpu_var(softnet_data); unsigned long time_limit = jiffies + 2; -@@ -5956,7 +5960,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, +@@ -5924,7 +5928,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, } else { netdev_stats_to_stats64(storage, &dev->stats); } @@ -76278,28 +76710,6 @@ index ff52ad0..aff1c0f 100644 i++, cmfptr++) { int new_fd; -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index 3c30ee4..29cb392 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -3111,6 +3111,8 @@ static void sock_rmem_free(struct sk_buff *skb) - */ - int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb) - { -+ int len = skb->len; -+ - if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >= - (unsigned)sk->sk_rcvbuf) - return -ENOMEM; -@@ -3125,7 +3127,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb) - - skb_queue_tail(&sk->sk_error_queue, skb); - if (!sock_flag(sk, SOCK_DEAD)) -- sk->sk_data_ready(sk, skb->len); -+ sk->sk_data_ready(sk, len); - return 0; - } - EXPORT_SYMBOL(sock_queue_err_skb); diff --git a/net/core/sock.c b/net/core/sock.c index b23f174..b9a0d26 100644 --- a/net/core/sock.c @@ -77312,7 +77722,7 @@ index 361ebf3..d5628fb 100644 static int raw6_seq_show(struct seq_file *seq, void *v) diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index b859e4a..f9d1589 100644 +index 4a56574..9745b8a 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -93,6 +93,10 @@ static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk, @@ -77326,7 +77736,7 @@ index b859e4a..f9d1589 100644 static void tcp_v6_hash(struct sock *sk) { if (sk->sk_state != TCP_CLOSE) { -@@ -1651,6 +1655,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) +@@ -1655,6 +1659,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) return 0; reset: @@ -77336,7 +77746,7 @@ index b859e4a..f9d1589 100644 tcp_v6_send_reset(sk, skb); discard: if (opt_skb) -@@ -1730,12 +1737,20 @@ static int tcp_v6_rcv(struct sk_buff *skb) +@@ -1734,12 +1741,20 @@ static int tcp_v6_rcv(struct sk_buff *skb) TCP_SKB_CB(skb)->sacked = 0; sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest); @@ -77359,7 +77769,7 @@ index b859e4a..f9d1589 100644 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) { NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP); -@@ -1783,6 +1798,10 @@ no_tcp_socket: +@@ -1787,6 +1802,10 @@ no_tcp_socket: bad_packet: TCP_INC_STATS_BH(net, TCP_MIB_INERRS); } else { @@ -77370,7 +77780,7 @@ index b859e4a..f9d1589 100644 tcp_v6_send_reset(NULL, skb); } -@@ -2043,7 +2062,13 @@ static void get_openreq6(struct seq_file *seq, +@@ -2047,7 +2066,13 @@ static void get_openreq6(struct seq_file *seq, uid, 0, /* non standard timer */ 0, /* open_requests have no inode */ @@ -77385,7 +77795,7 @@ index b859e4a..f9d1589 100644 } static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i) -@@ -2093,7 +2118,12 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i) +@@ -2097,7 +2122,12 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i) sock_i_uid(sp), icsk->icsk_probes_out, sock_i_ino(sp), @@ -77399,7 +77809,7 @@ index b859e4a..f9d1589 100644 jiffies_to_clock_t(icsk->icsk_rto), jiffies_to_clock_t(icsk->icsk_ack.ato), (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong, -@@ -2128,7 +2158,13 @@ static void get_timewait6_sock(struct seq_file *seq, +@@ -2132,7 +2162,13 @@ static void get_timewait6_sock(struct seq_file *seq, dest->s6_addr32[2], dest->s6_addr32[3], destp, tw->tw_substate, 0, 0, 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0, @@ -78097,7 +78507,7 @@ index 4fe4fb4..87a89e5 100644 return 0; } diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index 1201b6d..bcff8c6 100644 +index a99fb41..740c2a4 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -742,7 +742,7 @@ static void netlink_overrun(struct sock *sk) @@ -78109,7 +78519,7 @@ index 1201b6d..bcff8c6 100644 } static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid) -@@ -1999,7 +1999,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v) +@@ -2001,7 +2001,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v) sk_wmem_alloc_get(s), nlk->cb, atomic_read(&s->sk_refcnt), @@ -78201,7 +78611,7 @@ index d65f699..05aa6ce 100644 err = proto_register(pp->prot, 1); diff --git a/net/phonet/pep.c b/net/phonet/pep.c -index 2ba6e9f..409573f 100644 +index 007546d..9a8e5c6 100644 --- a/net/phonet/pep.c +++ b/net/phonet/pep.c @@ -388,7 +388,7 @@ static int pipe_do_rcv(struct sock *sk, struct sk_buff *skb) @@ -78679,10 +79089,10 @@ index 1e2eee8..ce3967e 100644 assoc->assoc_id, assoc->sndbuf_used, diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index 54a7cd2..944edae 100644 +index 0075554..42d36a1 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c -@@ -4574,7 +4574,7 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, +@@ -4575,7 +4575,7 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len; if (space_left < addrlen) return -ENOMEM; @@ -78692,7 +79102,7 @@ index 54a7cd2..944edae 100644 to += addrlen; cnt++; diff --git a/net/socket.c b/net/socket.c -index 2dce67a..1e91168 100644 +index 273cbce..fd1e8ff 100644 --- a/net/socket.c +++ b/net/socket.c @@ -88,6 +88,7 @@ @@ -79535,7 +79945,7 @@ index 0000000..8729101 +#!/bin/sh +echo -e "#include \"gcc-plugin.h\"\n#include \"tree.h\"\n#include \"tm.h\"\n#include \"rtl.h\"" | $1 -x c -shared - -o /dev/null -I`$2 -print-file-name=plugin`/include >/dev/null 2>&1 && echo "y" diff --git a/scripts/mod/file2alias.c b/scripts/mod/file2alias.c -index f936d1f..a66d95f 100644 +index d1d0ae8..6b73b2a 100644 --- a/scripts/mod/file2alias.c +++ b/scripts/mod/file2alias.c @@ -72,7 +72,7 @@ static void device_id_check(const char *modname, const char *device_id, @@ -87078,21 +87488,6 @@ index 0000000..b87ec9d + + return 0; +} -diff --git a/tools/perf/util/hist.c b/tools/perf/util/hist.c -index adb372d..e0a0970 100644 ---- a/tools/perf/util/hist.c -+++ b/tools/perf/util/hist.c -@@ -237,8 +237,8 @@ struct hist_entry *__hists__add_entry(struct hists *hists, - * mis-adjust symbol addresses when computing - * the history counter to increment. - */ -- if (he->ms.map != entry->ms.map) { -- he->ms.map = entry->ms.map; -+ if (he->ms.map != entry.ms.map) { -+ he->ms.map = entry.ms.map; - if (he->ms.map) - he->ms.map->referenced = true; - } diff --git a/tools/perf/util/include/asm/alternative-asm.h b/tools/perf/util/include/asm/alternative-asm.h index 6789d78..4afd019 100644 --- a/tools/perf/util/include/asm/alternative-asm.h @@ -87132,7 +87527,7 @@ index af0f22f..9a7d479 100644 break; } diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index d9cfb78..4f27c10 100644 +index e401c1b..8d4d5fa 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -75,7 +75,7 @@ LIST_HEAD(vm_list); @@ -87144,7 +87539,7 @@ index d9cfb78..4f27c10 100644 struct kmem_cache *kvm_vcpu_cache; EXPORT_SYMBOL_GPL(kvm_vcpu_cache); -@@ -2268,7 +2268,7 @@ static void hardware_enable_nolock(void *junk) +@@ -2269,7 +2269,7 @@ static void hardware_enable_nolock(void *junk) if (r) { cpumask_clear_cpu(cpu, cpus_hardware_enabled); @@ -87153,7 +87548,7 @@ index d9cfb78..4f27c10 100644 printk(KERN_INFO "kvm: enabling virtualization on " "CPU%d failed\n", cpu); } -@@ -2322,10 +2322,10 @@ static int hardware_enable_all(void) +@@ -2323,10 +2323,10 @@ static int hardware_enable_all(void) kvm_usage_count++; if (kvm_usage_count == 1) { @@ -87166,7 +87561,7 @@ index d9cfb78..4f27c10 100644 hardware_disable_all_nolock(); r = -EBUSY; } -@@ -2676,7 +2676,7 @@ static void kvm_sched_out(struct preempt_notifier *pn, +@@ -2677,7 +2677,7 @@ static void kvm_sched_out(struct preempt_notifier *pn, kvm_arch_vcpu_put(vcpu); } @@ -87175,7 +87570,7 @@ index d9cfb78..4f27c10 100644 struct module *module) { int r; -@@ -2739,7 +2739,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -2740,7 +2740,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, if (!vcpu_align) vcpu_align = __alignof__(struct kvm_vcpu); kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align, @@ -87184,7 +87579,7 @@ index d9cfb78..4f27c10 100644 if (!kvm_vcpu_cache) { r = -ENOMEM; goto out_free_3; -@@ -2749,9 +2749,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -2750,9 +2750,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, if (r) goto out_free; diff --git a/3.2.16/4430_grsec-remove-localversion-grsec.patch b/3.2.17/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.2.16/4430_grsec-remove-localversion-grsec.patch +++ b/3.2.17/4430_grsec-remove-localversion-grsec.patch diff --git a/3.2.16/4435_grsec-mute-warnings.patch b/3.2.17/4435_grsec-mute-warnings.patch index e85abd6..e85abd6 100644 --- a/3.2.16/4435_grsec-mute-warnings.patch +++ b/3.2.17/4435_grsec-mute-warnings.patch diff --git a/3.2.16/4440_grsec-remove-protected-paths.patch b/3.2.17/4440_grsec-remove-protected-paths.patch index 637934a..637934a 100644 --- a/3.2.16/4440_grsec-remove-protected-paths.patch +++ b/3.2.17/4440_grsec-remove-protected-paths.patch diff --git a/3.2.16/4445_grsec-pax-without-grsec.patch b/3.2.17/4445_grsec-pax-without-grsec.patch index 58301c0..58301c0 100644 --- a/3.2.16/4445_grsec-pax-without-grsec.patch +++ b/3.2.17/4445_grsec-pax-without-grsec.patch diff --git a/3.2.16/4450_grsec-kconfig-default-gids.patch b/3.2.17/4450_grsec-kconfig-default-gids.patch index 123f877..123f877 100644 --- a/3.2.16/4450_grsec-kconfig-default-gids.patch +++ b/3.2.17/4450_grsec-kconfig-default-gids.patch diff --git a/3.2.16/4455_grsec-kconfig-gentoo.patch b/3.2.17/4455_grsec-kconfig-gentoo.patch index 87b5454..87b5454 100644 --- a/3.2.16/4455_grsec-kconfig-gentoo.patch +++ b/3.2.17/4455_grsec-kconfig-gentoo.patch diff --git a/3.2.16/4460-grsec-kconfig-proc-user.patch b/3.2.17/4460-grsec-kconfig-proc-user.patch index b2b3188..b2b3188 100644 --- a/3.2.16/4460-grsec-kconfig-proc-user.patch +++ b/3.2.17/4460-grsec-kconfig-proc-user.patch diff --git a/3.2.16/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.17/4465_selinux-avc_audit-log-curr_ip.patch index 5a9d80c..5a9d80c 100644 --- a/3.2.16/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.2.17/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.2.16/4470_disable-compat_vdso.patch b/3.2.17/4470_disable-compat_vdso.patch index 4742d01..4742d01 100644 --- a/3.2.16/4470_disable-compat_vdso.patch +++ b/3.2.17/4470_disable-compat_vdso.patch diff --git a/3.3.5/1004_linux-3.3.5.patch b/3.3.5/1004_linux-3.3.5.patch deleted file mode 100644 index a1fa635..0000000 --- a/3.3.5/1004_linux-3.3.5.patch +++ /dev/null @@ -1,3285 +0,0 @@ -diff --git a/Makefile b/Makefile -index 44ef766..64615e9 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 3 --SUBLEVEL = 4 -+SUBLEVEL = 5 - EXTRAVERSION = - NAME = Saber-toothed Squirrel - -diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig -index dfb0312..dedb885 100644 ---- a/arch/arm/Kconfig -+++ b/arch/arm/Kconfig -@@ -1163,6 +1163,15 @@ if !MMU - source "arch/arm/Kconfig-nommu" - endif - -+config ARM_ERRATA_326103 -+ bool "ARM errata: FSR write bit incorrect on a SWP to read-only memory" -+ depends on CPU_V6 -+ help -+ Executing a SWP instruction to read-only memory does not set bit 11 -+ of the FSR on the ARM 1136 prior to r1p0. This causes the kernel to -+ treat the access as a read, preventing a COW from occurring and -+ causing the faulting task to livelock. -+ - config ARM_ERRATA_411920 - bool "ARM errata: Invalidation of the Instruction Cache operation can fail" - depends on CPU_V6 || CPU_V6K -diff --git a/arch/arm/include/asm/tls.h b/arch/arm/include/asm/tls.h -index 60843eb..73409e6 100644 ---- a/arch/arm/include/asm/tls.h -+++ b/arch/arm/include/asm/tls.h -@@ -7,6 +7,8 @@ - - .macro set_tls_v6k, tp, tmp1, tmp2 - mcr p15, 0, \tp, c13, c0, 3 @ set TLS register -+ mov \tmp1, #0 -+ mcr p15, 0, \tmp1, c13, c0, 2 @ clear user r/w TLS register - .endm - - .macro set_tls_v6, tp, tmp1, tmp2 -@@ -15,6 +17,8 @@ - mov \tmp2, #0xffff0fff - tst \tmp1, #HWCAP_TLS @ hardware TLS available? - mcrne p15, 0, \tp, c13, c0, 3 @ yes, set TLS register -+ movne \tmp1, #0 -+ mcrne p15, 0, \tmp1, c13, c0, 2 @ clear user r/w TLS register - streq \tp, [\tmp2, #-15] @ set TLS value at 0xffff0ff0 - .endm - -diff --git a/arch/arm/kernel/irq.c b/arch/arm/kernel/irq.c -index 3efd82c..87c8be5 100644 ---- a/arch/arm/kernel/irq.c -+++ b/arch/arm/kernel/irq.c -@@ -156,10 +156,10 @@ static bool migrate_one_irq(struct irq_desc *desc) - } - - c = irq_data_get_irq_chip(d); -- if (c->irq_set_affinity) -- c->irq_set_affinity(d, affinity, true); -- else -+ if (!c->irq_set_affinity) - pr_debug("IRQ%u: unable to set affinity\n", d->irq); -+ else if (c->irq_set_affinity(d, affinity, true) == IRQ_SET_MASK_OK && ret) -+ cpumask_copy(d->affinity, affinity); - - return ret; - } -diff --git a/arch/arm/mm/abort-ev6.S b/arch/arm/mm/abort-ev6.S -index ff1f7cc..8074199 100644 ---- a/arch/arm/mm/abort-ev6.S -+++ b/arch/arm/mm/abort-ev6.S -@@ -26,18 +26,23 @@ ENTRY(v6_early_abort) - mrc p15, 0, r1, c5, c0, 0 @ get FSR - mrc p15, 0, r0, c6, c0, 0 @ get FAR - /* -- * Faulty SWP instruction on 1136 doesn't set bit 11 in DFSR (erratum 326103). -- * The test below covers all the write situations, including Java bytecodes -+ * Faulty SWP instruction on 1136 doesn't set bit 11 in DFSR. - */ -- bic r1, r1, #1 << 11 @ clear bit 11 of FSR -+#ifdef CONFIG_ARM_ERRATA_326103 -+ ldr ip, =0x4107b36 -+ mrc p15, 0, r3, c0, c0, 0 @ get processor id -+ teq ip, r3, lsr #4 @ r0 ARM1136? -+ bne do_DataAbort - tst r5, #PSR_J_BIT @ Java? -+ tsteq r5, #PSR_T_BIT @ Thumb? - bne do_DataAbort -- do_thumb_abort fsr=r1, pc=r4, psr=r5, tmp=r3 -- ldreq r3, [r4] @ read aborted ARM instruction -+ bic r1, r1, #1 << 11 @ clear bit 11 of FSR -+ ldr r3, [r4] @ read aborted ARM instruction - #ifdef CONFIG_CPU_ENDIAN_BE8 -- reveq r3, r3 -+ rev r3, r3 - #endif - do_ldrd_abort tmp=ip, insn=r3 - tst r3, #1 << 20 @ L = 0 -> write - orreq r1, r1, #1 << 11 @ yes. -+#endif - b do_DataAbort -diff --git a/arch/mips/ath79/dev-wmac.c b/arch/mips/ath79/dev-wmac.c -index e215070..9c717bf 100644 ---- a/arch/mips/ath79/dev-wmac.c -+++ b/arch/mips/ath79/dev-wmac.c -@@ -58,8 +58,8 @@ static void __init ar913x_wmac_setup(void) - - static int ar933x_wmac_reset(void) - { -- ath79_device_reset_clear(AR933X_RESET_WMAC); - ath79_device_reset_set(AR933X_RESET_WMAC); -+ ath79_device_reset_clear(AR933X_RESET_WMAC); - - return 0; - } -diff --git a/arch/powerpc/platforms/85xx/common.c b/arch/powerpc/platforms/85xx/common.c -index 9fef530..67dac22 100644 ---- a/arch/powerpc/platforms/85xx/common.c -+++ b/arch/powerpc/platforms/85xx/common.c -@@ -21,6 +21,12 @@ static struct of_device_id __initdata mpc85xx_common_ids[] = { - { .compatible = "fsl,qe", }, - { .compatible = "fsl,cpm2", }, - { .compatible = "fsl,srio", }, -+ /* So that the DMA channel nodes can be probed individually: */ -+ { .compatible = "fsl,eloplus-dma", }, -+ /* For the PMC driver */ -+ { .compatible = "fsl,mpc8548-guts", }, -+ /* Probably unnecessary? */ -+ { .compatible = "gpio-leds", }, - {}, - }; - -diff --git a/arch/powerpc/platforms/85xx/mpc85xx_mds.c b/arch/powerpc/platforms/85xx/mpc85xx_mds.c -index 1d15a0c..b498864 100644 ---- a/arch/powerpc/platforms/85xx/mpc85xx_mds.c -+++ b/arch/powerpc/platforms/85xx/mpc85xx_mds.c -@@ -405,12 +405,6 @@ static int __init board_fixups(void) - machine_arch_initcall(mpc8568_mds, board_fixups); - machine_arch_initcall(mpc8569_mds, board_fixups); - --static struct of_device_id mpc85xx_ids[] = { -- { .compatible = "fsl,mpc8548-guts", }, -- { .compatible = "gpio-leds", }, -- {}, --}; -- - static int __init mpc85xx_publish_devices(void) - { - if (machine_is(mpc8568_mds)) -@@ -418,10 +412,7 @@ static int __init mpc85xx_publish_devices(void) - if (machine_is(mpc8569_mds)) - simple_gpiochip_init("fsl,mpc8569mds-bcsr-gpio"); - -- mpc85xx_common_publish_devices(); -- of_platform_bus_probe(NULL, mpc85xx_ids, NULL); -- -- return 0; -+ return mpc85xx_common_publish_devices(); - } - - machine_device_initcall(mpc8568_mds, mpc85xx_publish_devices); -diff --git a/arch/powerpc/platforms/85xx/p1022_ds.c b/arch/powerpc/platforms/85xx/p1022_ds.c -index b0984ad..cc79cad8 100644 ---- a/arch/powerpc/platforms/85xx/p1022_ds.c -+++ b/arch/powerpc/platforms/85xx/p1022_ds.c -@@ -303,18 +303,7 @@ static void __init p1022_ds_setup_arch(void) - pr_info("Freescale P1022 DS reference board\n"); - } - --static struct of_device_id __initdata p1022_ds_ids[] = { -- /* So that the DMA channel nodes can be probed individually: */ -- { .compatible = "fsl,eloplus-dma", }, -- {}, --}; -- --static int __init p1022_ds_publish_devices(void) --{ -- mpc85xx_common_publish_devices(); -- return of_platform_bus_probe(NULL, p1022_ds_ids, NULL); --} --machine_device_initcall(p1022_ds, p1022_ds_publish_devices); -+machine_device_initcall(p1022_ds, mpc85xx_common_publish_devices); - - machine_arch_initcall(p1022_ds, swiotlb_setup_bus_notifier); - -diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile -index 95365a8..5a747dd 100644 ---- a/arch/x86/boot/Makefile -+++ b/arch/x86/boot/Makefile -@@ -37,7 +37,8 @@ setup-y += video-bios.o - targets += $(setup-y) - hostprogs-y := mkcpustr tools/build - --HOST_EXTRACFLAGS += $(LINUXINCLUDE) -+HOST_EXTRACFLAGS += -I$(srctree)/tools/include $(LINUXINCLUDE) \ -+ -D__EXPORTED_HEADERS__ - - $(obj)/cpu.o: $(obj)/cpustr.h - -diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile -index b123b9a..fd55a2f 100644 ---- a/arch/x86/boot/compressed/Makefile -+++ b/arch/x86/boot/compressed/Makefile -@@ -22,6 +22,7 @@ LDFLAGS := -m elf_$(UTS_MACHINE) - LDFLAGS_vmlinux := -T - - hostprogs-y := mkpiggy -+HOST_EXTRACFLAGS += -I$(srctree)/tools/include - - VMLINUX_OBJS = $(obj)/vmlinux.lds $(obj)/head_$(BITS).o $(obj)/misc.o \ - $(obj)/string.o $(obj)/cmdline.o $(obj)/early_serial_console.o \ -diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index fec216f..0cdfc0d 100644 ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -539,7 +539,7 @@ static efi_status_t handle_ramdisks(efi_loaded_image_t *image, - struct initrd *initrd; - efi_file_handle_t *h; - efi_file_info_t *info; -- efi_char16_t filename[256]; -+ efi_char16_t filename_16[256]; - unsigned long info_sz; - efi_guid_t info_guid = EFI_FILE_INFO_ID; - efi_char16_t *p; -@@ -552,14 +552,14 @@ static efi_status_t handle_ramdisks(efi_loaded_image_t *image, - str += 7; - - initrd = &initrds[i]; -- p = filename; -+ p = filename_16; - - /* Skip any leading slashes */ - while (*str == '/' || *str == '\\') - str++; - - while (*str && *str != ' ' && *str != '\n') { -- if (p >= filename + sizeof(filename)) -+ if ((u8 *)p >= (u8 *)filename_16 + sizeof(filename_16)) - break; - - *p++ = *str++; -@@ -583,7 +583,7 @@ static efi_status_t handle_ramdisks(efi_loaded_image_t *image, - goto free_initrds; - } - -- status = efi_call_phys5(fh->open, fh, &h, filename, -+ status = efi_call_phys5(fh->open, fh, &h, filename_16, - EFI_FILE_MODE_READ, (u64)0); - if (status != EFI_SUCCESS) - goto close_handles; -diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S -index a055993..c85e3ac 100644 ---- a/arch/x86/boot/compressed/head_32.S -+++ b/arch/x86/boot/compressed/head_32.S -@@ -33,6 +33,9 @@ - __HEAD - ENTRY(startup_32) - #ifdef CONFIG_EFI_STUB -+ jmp preferred_addr -+ -+ .balign 0x10 - /* - * We don't need the return address, so set up the stack so - * efi_main() can find its arugments. -@@ -41,12 +44,17 @@ ENTRY(startup_32) - - call efi_main - cmpl $0, %eax -- je preferred_addr - movl %eax, %esi -- call 1f -+ jne 2f - 1: -+ /* EFI init failed, so hang. */ -+ hlt -+ jmp 1b -+2: -+ call 3f -+3: - popl %eax -- subl $1b, %eax -+ subl $3b, %eax - subl BP_pref_address(%esi), %eax - add BP_code32_start(%esi), %eax - leal preferred_addr(%eax), %eax -diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S -index 558d76c..87e03a1 100644 ---- a/arch/x86/boot/compressed/head_64.S -+++ b/arch/x86/boot/compressed/head_64.S -@@ -200,18 +200,28 @@ ENTRY(startup_64) - * entire text+data+bss and hopefully all of memory. - */ - #ifdef CONFIG_EFI_STUB -- pushq %rsi -+ /* -+ * The entry point for the PE/COFF executable is 0x210, so only -+ * legacy boot loaders will execute this jmp. -+ */ -+ jmp preferred_addr -+ -+ .org 0x210 - mov %rcx, %rdi - mov %rdx, %rsi - call efi_main -- popq %rsi -- cmpq $0,%rax -- je preferred_addr - movq %rax,%rsi -- call 1f -+ cmpq $0,%rax -+ jne 2f - 1: -+ /* EFI init failed, so hang. */ -+ hlt -+ jmp 1b -+2: -+ call 3f -+3: - popq %rax -- subq $1b, %rax -+ subq $3b, %rax - subq BP_pref_address(%rsi), %rax - add BP_code32_start(%esi), %eax - leaq preferred_addr(%rax), %rax -diff --git a/arch/x86/boot/compressed/mkpiggy.c b/arch/x86/boot/compressed/mkpiggy.c -index 46a8238..958a641 100644 ---- a/arch/x86/boot/compressed/mkpiggy.c -+++ b/arch/x86/boot/compressed/mkpiggy.c -@@ -29,14 +29,7 @@ - #include <stdio.h> - #include <string.h> - #include <inttypes.h> -- --static uint32_t getle32(const void *p) --{ -- const uint8_t *cp = p; -- -- return (uint32_t)cp[0] + ((uint32_t)cp[1] << 8) + -- ((uint32_t)cp[2] << 16) + ((uint32_t)cp[3] << 24); --} -+#include <tools/le_byteshift.h> - - int main(int argc, char *argv[]) - { -@@ -69,7 +62,7 @@ int main(int argc, char *argv[]) - } - - ilen = ftell(f); -- olen = getle32(&olen); -+ olen = get_unaligned_le32(&olen); - fclose(f); - - /* -diff --git a/arch/x86/boot/tools/build.c b/arch/x86/boot/tools/build.c -index 4e9bd6b..09ce870 100644 ---- a/arch/x86/boot/tools/build.c -+++ b/arch/x86/boot/tools/build.c -@@ -34,6 +34,7 @@ - #include <fcntl.h> - #include <sys/mman.h> - #include <asm/boot.h> -+#include <tools/le_byteshift.h> - - typedef unsigned char u8; - typedef unsigned short u16; -@@ -41,6 +42,7 @@ typedef unsigned long u32; - - #define DEFAULT_MAJOR_ROOT 0 - #define DEFAULT_MINOR_ROOT 0 -+#define DEFAULT_ROOT_DEV (DEFAULT_MAJOR_ROOT << 8 | DEFAULT_MINOR_ROOT) - - /* Minimal number of setup sectors */ - #define SETUP_SECT_MIN 5 -@@ -159,7 +161,7 @@ int main(int argc, char ** argv) - die("read-error on `setup'"); - if (c < 1024) - die("The setup must be at least 1024 bytes"); -- if (buf[510] != 0x55 || buf[511] != 0xaa) -+ if (get_unaligned_le16(&buf[510]) != 0xAA55) - die("Boot block hasn't got boot flag (0xAA55)"); - fclose(file); - -@@ -171,8 +173,7 @@ int main(int argc, char ** argv) - memset(buf+c, 0, i-c); - - /* Set the default root device */ -- buf[508] = DEFAULT_MINOR_ROOT; -- buf[509] = DEFAULT_MAJOR_ROOT; -+ put_unaligned_le16(DEFAULT_ROOT_DEV, &buf[508]); - - fprintf(stderr, "Setup is %d bytes (padded to %d bytes).\n", c, i); - -@@ -192,44 +193,49 @@ int main(int argc, char ** argv) - - /* Patch the setup code with the appropriate size parameters */ - buf[0x1f1] = setup_sectors-1; -- buf[0x1f4] = sys_size; -- buf[0x1f5] = sys_size >> 8; -- buf[0x1f6] = sys_size >> 16; -- buf[0x1f7] = sys_size >> 24; -+ put_unaligned_le32(sys_size, &buf[0x1f4]); - - #ifdef CONFIG_EFI_STUB - file_sz = sz + i + ((sys_size * 16) - sz); - -- pe_header = *(unsigned int *)&buf[0x3c]; -+ pe_header = get_unaligned_le32(&buf[0x3c]); - - /* Size of code */ -- *(unsigned int *)&buf[pe_header + 0x1c] = file_sz; -+ put_unaligned_le32(file_sz, &buf[pe_header + 0x1c]); - - /* Size of image */ -- *(unsigned int *)&buf[pe_header + 0x50] = file_sz; -+ put_unaligned_le32(file_sz, &buf[pe_header + 0x50]); - - #ifdef CONFIG_X86_32 -- /* Address of entry point */ -- *(unsigned int *)&buf[pe_header + 0x28] = i; -+ /* -+ * Address of entry point. -+ * -+ * The EFI stub entry point is +16 bytes from the start of -+ * the .text section. -+ */ -+ put_unaligned_le32(i + 16, &buf[pe_header + 0x28]); - - /* .text size */ -- *(unsigned int *)&buf[pe_header + 0xb0] = file_sz; -+ put_unaligned_le32(file_sz, &buf[pe_header + 0xb0]); - - /* .text size of initialised data */ -- *(unsigned int *)&buf[pe_header + 0xb8] = file_sz; -+ put_unaligned_le32(file_sz, &buf[pe_header + 0xb8]); - #else - /* - * Address of entry point. startup_32 is at the beginning and - * the 64-bit entry point (startup_64) is always 512 bytes -- * after. -+ * after. The EFI stub entry point is 16 bytes after that, as -+ * the first instruction allows legacy loaders to jump over -+ * the EFI stub initialisation - */ -- *(unsigned int *)&buf[pe_header + 0x28] = i + 512; -+ put_unaligned_le32(i + 528, &buf[pe_header + 0x28]); - - /* .text size */ -- *(unsigned int *)&buf[pe_header + 0xc0] = file_sz; -+ put_unaligned_le32(file_sz, &buf[pe_header + 0xc0]); - - /* .text size of initialised data */ -- *(unsigned int *)&buf[pe_header + 0xc8] = file_sz; -+ put_unaligned_le32(file_sz, &buf[pe_header + 0xc8]); -+ - #endif /* CONFIG_X86_32 */ - #endif /* CONFIG_EFI_STUB */ - -diff --git a/arch/x86/include/asm/x86_init.h b/arch/x86/include/asm/x86_init.h -index 517d476..a609c39 100644 ---- a/arch/x86/include/asm/x86_init.h -+++ b/arch/x86/include/asm/x86_init.h -@@ -189,6 +189,5 @@ extern struct x86_msi_ops x86_msi; - - extern void x86_init_noop(void); - extern void x86_init_uint_noop(unsigned int unused); --extern void x86_default_fixup_cpu_id(struct cpuinfo_x86 *c, int node); - - #endif -diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c -index 2eec05b..5b3f88e 100644 ---- a/arch/x86/kernel/apic/apic.c -+++ b/arch/x86/kernel/apic/apic.c -@@ -1632,9 +1632,11 @@ static int __init apic_verify(void) - mp_lapic_addr = APIC_DEFAULT_PHYS_BASE; - - /* The BIOS may have set up the APIC at some other address */ -- rdmsr(MSR_IA32_APICBASE, l, h); -- if (l & MSR_IA32_APICBASE_ENABLE) -- mp_lapic_addr = l & MSR_IA32_APICBASE_BASE; -+ if (boot_cpu_data.x86 >= 6) { -+ rdmsr(MSR_IA32_APICBASE, l, h); -+ if (l & MSR_IA32_APICBASE_ENABLE) -+ mp_lapic_addr = l & MSR_IA32_APICBASE_BASE; -+ } - - pr_info("Found and enabled local APIC!\n"); - return 0; -@@ -1652,13 +1654,15 @@ int __init apic_force_enable(unsigned long addr) - * MSR. This can only be done in software for Intel P6 or later - * and AMD K7 (Model > 1) or later. - */ -- rdmsr(MSR_IA32_APICBASE, l, h); -- if (!(l & MSR_IA32_APICBASE_ENABLE)) { -- pr_info("Local APIC disabled by BIOS -- reenabling.\n"); -- l &= ~MSR_IA32_APICBASE_BASE; -- l |= MSR_IA32_APICBASE_ENABLE | addr; -- wrmsr(MSR_IA32_APICBASE, l, h); -- enabled_via_apicbase = 1; -+ if (boot_cpu_data.x86 >= 6) { -+ rdmsr(MSR_IA32_APICBASE, l, h); -+ if (!(l & MSR_IA32_APICBASE_ENABLE)) { -+ pr_info("Local APIC disabled by BIOS -- reenabling.\n"); -+ l &= ~MSR_IA32_APICBASE_BASE; -+ l |= MSR_IA32_APICBASE_ENABLE | addr; -+ wrmsr(MSR_IA32_APICBASE, l, h); -+ enabled_via_apicbase = 1; -+ } - } - return apic_verify(); - } -@@ -2204,10 +2208,12 @@ static void lapic_resume(void) - * FIXME! This will be wrong if we ever support suspend on - * SMP! We'll need to do this as part of the CPU restore! - */ -- rdmsr(MSR_IA32_APICBASE, l, h); -- l &= ~MSR_IA32_APICBASE_BASE; -- l |= MSR_IA32_APICBASE_ENABLE | mp_lapic_addr; -- wrmsr(MSR_IA32_APICBASE, l, h); -+ if (boot_cpu_data.x86 >= 6) { -+ rdmsr(MSR_IA32_APICBASE, l, h); -+ l &= ~MSR_IA32_APICBASE_BASE; -+ l |= MSR_IA32_APICBASE_ENABLE | mp_lapic_addr; -+ wrmsr(MSR_IA32_APICBASE, l, h); -+ } - } - - maxlvt = lapic_get_maxlvt(); -diff --git a/arch/x86/kernel/apic/apic_numachip.c b/arch/x86/kernel/apic/apic_numachip.c -index 09d3d8c..ade0182 100644 ---- a/arch/x86/kernel/apic/apic_numachip.c -+++ b/arch/x86/kernel/apic/apic_numachip.c -@@ -201,8 +201,11 @@ static void __init map_csrs(void) - - static void fixup_cpu_id(struct cpuinfo_x86 *c, int node) - { -- c->phys_proc_id = node; -- per_cpu(cpu_llc_id, smp_processor_id()) = node; -+ -+ if (c->phys_proc_id != node) { -+ c->phys_proc_id = node; -+ per_cpu(cpu_llc_id, smp_processor_id()) = node; -+ } - } - - static int __init numachip_system_init(void) -diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c -index f4773f4..80ab83d 100644 ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -352,10 +352,11 @@ static void __cpuinit srat_detect_node(struct cpuinfo_x86 *c) - node = per_cpu(cpu_llc_id, cpu); - - /* -- * If core numbers are inconsistent, it's likely a multi-fabric platform, -- * so invoke platform-specific handler -+ * On multi-fabric platform (e.g. Numascale NumaChip) a -+ * platform-specific handler needs to be called to fixup some -+ * IDs of the CPU. - */ -- if (c->phys_proc_id != node) -+ if (x86_cpuinit.fixup_cpu_id) - x86_cpuinit.fixup_cpu_id(c, node); - - if (!node_online(node)) { -diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index c0f7d68..1a810e4 100644 ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -1163,15 +1163,6 @@ static void dbg_restore_debug_regs(void) - #endif /* ! CONFIG_KGDB */ - - /* -- * Prints an error where the NUMA and configured core-number mismatch and the -- * platform didn't override this to fix it up -- */ --void __cpuinit x86_default_fixup_cpu_id(struct cpuinfo_x86 *c, int node) --{ -- pr_err("NUMA core number %d differs from configured core number %d\n", node, c->phys_proc_id); --} -- --/* - * cpu_init() initializes state that is per-CPU. Some data is already - * initialized (naturally) in the bootstrap process, such as the GDT - * and IDT. We reload them nevertheless, this function acts as a -diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c -index 739d859..f239f30 100644 ---- a/arch/x86/kernel/i387.c -+++ b/arch/x86/kernel/i387.c -@@ -154,6 +154,7 @@ int init_fpu(struct task_struct *tsk) - if (tsk_used_math(tsk)) { - if (HAVE_HWFP && tsk == current) - unlazy_fpu(tsk); -+ tsk->thread.fpu.last_cpu = ~0; - return 0; - } - -diff --git a/arch/x86/kernel/microcode_amd.c b/arch/x86/kernel/microcode_amd.c -index 73465aa..8a2ce8f 100644 ---- a/arch/x86/kernel/microcode_amd.c -+++ b/arch/x86/kernel/microcode_amd.c -@@ -82,11 +82,6 @@ static int collect_cpu_info_amd(int cpu, struct cpu_signature *csig) - { - struct cpuinfo_x86 *c = &cpu_data(cpu); - -- if (c->x86_vendor != X86_VENDOR_AMD || c->x86 < 0x10) { -- pr_warning("CPU%d: family %d not supported\n", cpu, c->x86); -- return -1; -- } -- - csig->rev = c->microcode; - pr_info("CPU%d: patch_level=0x%08x\n", cpu, csig->rev); - -@@ -380,6 +375,13 @@ static struct microcode_ops microcode_amd_ops = { - - struct microcode_ops * __init init_amd_microcode(void) - { -+ struct cpuinfo_x86 *c = &cpu_data(0); -+ -+ if (c->x86_vendor != X86_VENDOR_AMD || c->x86 < 0x10) { -+ pr_warning("AMD CPU family 0x%x not supported\n", c->x86); -+ return NULL; -+ } -+ - patch = (void *)get_zeroed_page(GFP_KERNEL); - if (!patch) - return NULL; -diff --git a/arch/x86/kernel/microcode_core.c b/arch/x86/kernel/microcode_core.c -index fda91c3..50a5875 100644 ---- a/arch/x86/kernel/microcode_core.c -+++ b/arch/x86/kernel/microcode_core.c -@@ -418,10 +418,8 @@ static int mc_device_add(struct device *dev, struct subsys_interface *sif) - if (err) - return err; - -- if (microcode_init_cpu(cpu) == UCODE_ERROR) { -- sysfs_remove_group(&dev->kobj, &mc_attr_group); -+ if (microcode_init_cpu(cpu) == UCODE_ERROR) - return -EINVAL; -- } - - return err; - } -@@ -513,11 +511,11 @@ static int __init microcode_init(void) - microcode_ops = init_intel_microcode(); - else if (c->x86_vendor == X86_VENDOR_AMD) - microcode_ops = init_amd_microcode(); -- -- if (!microcode_ops) { -+ else - pr_err("no support for this CPU vendor\n"); -+ -+ if (!microcode_ops) - return -ENODEV; -- } - - microcode_pdev = platform_device_register_simple("microcode", -1, - NULL, 0); -diff --git a/arch/x86/kernel/x86_init.c b/arch/x86/kernel/x86_init.c -index 947a06c..83b05ad 100644 ---- a/arch/x86/kernel/x86_init.c -+++ b/arch/x86/kernel/x86_init.c -@@ -92,7 +92,6 @@ struct x86_init_ops x86_init __initdata = { - - struct x86_cpuinit_ops x86_cpuinit __cpuinitdata = { - .setup_percpu_clockev = setup_secondary_APIC_clock, -- .fixup_cpu_id = x86_default_fixup_cpu_id, - }; - - static void default_nmi_init(void) { }; -diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c -index 501d4e0..f2ce60a 100644 ---- a/arch/x86/xen/smp.c -+++ b/arch/x86/xen/smp.c -@@ -172,6 +172,7 @@ static void __init xen_fill_possible_map(void) - static void __init xen_filter_cpu_maps(void) - { - int i, rc; -+ unsigned int subtract = 0; - - if (!xen_initial_domain()) - return; -@@ -186,8 +187,22 @@ static void __init xen_filter_cpu_maps(void) - } else { - set_cpu_possible(i, false); - set_cpu_present(i, false); -+ subtract++; - } - } -+#ifdef CONFIG_HOTPLUG_CPU -+ /* This is akin to using 'nr_cpus' on the Linux command line. -+ * Which is OK as when we use 'dom0_max_vcpus=X' we can only -+ * have up to X, while nr_cpu_ids is greater than X. This -+ * normally is not a problem, except when CPU hotplugging -+ * is involved and then there might be more than X CPUs -+ * in the guest - which will not work as there is no -+ * hypercall to expand the max number of VCPUs an already -+ * running guest has. So cap it up to X. */ -+ if (subtract) -+ nr_cpu_ids = nr_cpu_ids - subtract; -+#endif -+ - } - - static void __init xen_smp_prepare_boot_cpu(void) -diff --git a/arch/x86/xen/xen-asm.S b/arch/x86/xen/xen-asm.S -index 79d7362..3e45aa0 100644 ---- a/arch/x86/xen/xen-asm.S -+++ b/arch/x86/xen/xen-asm.S -@@ -96,7 +96,7 @@ ENTRY(xen_restore_fl_direct) - - /* check for unmasked and pending */ - cmpw $0x0001, PER_CPU_VAR(xen_vcpu_info) + XEN_vcpu_info_pending -- jz 1f -+ jnz 1f - 2: call check_events - 1: - ENDPATCH(xen_restore_fl_direct) -diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c -index a9b2820..58db834 100644 ---- a/drivers/ata/libata-eh.c -+++ b/drivers/ata/libata-eh.c -@@ -3500,7 +3500,8 @@ static int ata_count_probe_trials_cb(struct ata_ering_entry *ent, void *void_arg - u64 now = get_jiffies_64(); - int *trials = void_arg; - -- if (ent->timestamp < now - min(now, interval)) -+ if ((ent->eflags & ATA_EFLAG_OLD_ER) || -+ (ent->timestamp < now - min(now, interval))) - return -1; - - (*trials)++; -diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c -index 2d8c789..b28dbfa 100644 ---- a/drivers/crypto/talitos.c -+++ b/drivers/crypto/talitos.c -@@ -124,6 +124,9 @@ struct talitos_private { - void __iomem *reg; - int irq[2]; - -+ /* SEC global registers lock */ -+ spinlock_t reg_lock ____cacheline_aligned; -+ - /* SEC version geometry (from device tree node) */ - unsigned int num_channels; - unsigned int chfifo_len; -@@ -412,6 +415,7 @@ static void talitos_done_##name(unsigned long data) \ - { \ - struct device *dev = (struct device *)data; \ - struct talitos_private *priv = dev_get_drvdata(dev); \ -+ unsigned long flags; \ - \ - if (ch_done_mask & 1) \ - flush_channel(dev, 0, 0, 0); \ -@@ -427,8 +431,10 @@ static void talitos_done_##name(unsigned long data) \ - out: \ - /* At this point, all completed channels have been processed */ \ - /* Unmask done interrupts for channels completed later on. */ \ -+ spin_lock_irqsave(&priv->reg_lock, flags); \ - setbits32(priv->reg + TALITOS_IMR, ch_done_mask); \ - setbits32(priv->reg + TALITOS_IMR_LO, TALITOS_IMR_LO_INIT); \ -+ spin_unlock_irqrestore(&priv->reg_lock, flags); \ - } - DEF_TALITOS_DONE(4ch, TALITOS_ISR_4CHDONE) - DEF_TALITOS_DONE(ch0_2, TALITOS_ISR_CH_0_2_DONE) -@@ -619,22 +625,28 @@ static irqreturn_t talitos_interrupt_##name(int irq, void *data) \ - struct device *dev = data; \ - struct talitos_private *priv = dev_get_drvdata(dev); \ - u32 isr, isr_lo; \ -+ unsigned long flags; \ - \ -+ spin_lock_irqsave(&priv->reg_lock, flags); \ - isr = in_be32(priv->reg + TALITOS_ISR); \ - isr_lo = in_be32(priv->reg + TALITOS_ISR_LO); \ - /* Acknowledge interrupt */ \ - out_be32(priv->reg + TALITOS_ICR, isr & (ch_done_mask | ch_err_mask)); \ - out_be32(priv->reg + TALITOS_ICR_LO, isr_lo); \ - \ -- if (unlikely((isr & ~TALITOS_ISR_4CHDONE) & ch_err_mask || isr_lo)) \ -- talitos_error(dev, isr, isr_lo); \ -- else \ -+ if (unlikely(isr & ch_err_mask || isr_lo)) { \ -+ spin_unlock_irqrestore(&priv->reg_lock, flags); \ -+ talitos_error(dev, isr & ch_err_mask, isr_lo); \ -+ } \ -+ else { \ - if (likely(isr & ch_done_mask)) { \ - /* mask further done interrupts. */ \ - clrbits32(priv->reg + TALITOS_IMR, ch_done_mask); \ - /* done_task will unmask done interrupts at exit */ \ - tasklet_schedule(&priv->done_task[tlet]); \ - } \ -+ spin_unlock_irqrestore(&priv->reg_lock, flags); \ -+ } \ - \ - return (isr & (ch_done_mask | ch_err_mask) || isr_lo) ? IRQ_HANDLED : \ - IRQ_NONE; \ -@@ -2718,6 +2730,8 @@ static int talitos_probe(struct platform_device *ofdev) - - priv->ofdev = ofdev; - -+ spin_lock_init(&priv->reg_lock); -+ - err = talitos_probe_irq(ofdev); - if (err) - goto err_out; -diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c -index f4aed5f..a342873 100644 ---- a/drivers/dma/at_hdmac.c -+++ b/drivers/dma/at_hdmac.c -@@ -241,10 +241,6 @@ static void atc_dostart(struct at_dma_chan *atchan, struct at_desc *first) - - vdbg_dump_regs(atchan); - -- /* clear any pending interrupt */ -- while (dma_readl(atdma, EBCISR)) -- cpu_relax(); -- - channel_writel(atchan, SADDR, 0); - channel_writel(atchan, DADDR, 0); - channel_writel(atchan, CTRLA, 0); -diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c -index d25599f..47408e8 100644 ---- a/drivers/firmware/efivars.c -+++ b/drivers/firmware/efivars.c -@@ -191,6 +191,190 @@ utf16_strncmp(const efi_char16_t *a, const efi_char16_t *b, size_t len) - } - } - -+static bool -+validate_device_path(struct efi_variable *var, int match, u8 *buffer, -+ unsigned long len) -+{ -+ struct efi_generic_dev_path *node; -+ int offset = 0; -+ -+ node = (struct efi_generic_dev_path *)buffer; -+ -+ if (len < sizeof(*node)) -+ return false; -+ -+ while (offset <= len - sizeof(*node) && -+ node->length >= sizeof(*node) && -+ node->length <= len - offset) { -+ offset += node->length; -+ -+ if ((node->type == EFI_DEV_END_PATH || -+ node->type == EFI_DEV_END_PATH2) && -+ node->sub_type == EFI_DEV_END_ENTIRE) -+ return true; -+ -+ node = (struct efi_generic_dev_path *)(buffer + offset); -+ } -+ -+ /* -+ * If we're here then either node->length pointed past the end -+ * of the buffer or we reached the end of the buffer without -+ * finding a device path end node. -+ */ -+ return false; -+} -+ -+static bool -+validate_boot_order(struct efi_variable *var, int match, u8 *buffer, -+ unsigned long len) -+{ -+ /* An array of 16-bit integers */ -+ if ((len % 2) != 0) -+ return false; -+ -+ return true; -+} -+ -+static bool -+validate_load_option(struct efi_variable *var, int match, u8 *buffer, -+ unsigned long len) -+{ -+ u16 filepathlength; -+ int i, desclength = 0, namelen; -+ -+ namelen = utf16_strnlen(var->VariableName, sizeof(var->VariableName)); -+ -+ /* Either "Boot" or "Driver" followed by four digits of hex */ -+ for (i = match; i < match+4; i++) { -+ if (var->VariableName[i] > 127 || -+ hex_to_bin(var->VariableName[i] & 0xff) < 0) -+ return true; -+ } -+ -+ /* Reject it if there's 4 digits of hex and then further content */ -+ if (namelen > match + 4) -+ return false; -+ -+ /* A valid entry must be at least 8 bytes */ -+ if (len < 8) -+ return false; -+ -+ filepathlength = buffer[4] | buffer[5] << 8; -+ -+ /* -+ * There's no stored length for the description, so it has to be -+ * found by hand -+ */ -+ desclength = utf16_strsize((efi_char16_t *)(buffer + 6), len - 6) + 2; -+ -+ /* Each boot entry must have a descriptor */ -+ if (!desclength) -+ return false; -+ -+ /* -+ * If the sum of the length of the description, the claimed filepath -+ * length and the original header are greater than the length of the -+ * variable, it's malformed -+ */ -+ if ((desclength + filepathlength + 6) > len) -+ return false; -+ -+ /* -+ * And, finally, check the filepath -+ */ -+ return validate_device_path(var, match, buffer + desclength + 6, -+ filepathlength); -+} -+ -+static bool -+validate_uint16(struct efi_variable *var, int match, u8 *buffer, -+ unsigned long len) -+{ -+ /* A single 16-bit integer */ -+ if (len != 2) -+ return false; -+ -+ return true; -+} -+ -+static bool -+validate_ascii_string(struct efi_variable *var, int match, u8 *buffer, -+ unsigned long len) -+{ -+ int i; -+ -+ for (i = 0; i < len; i++) { -+ if (buffer[i] > 127) -+ return false; -+ -+ if (buffer[i] == 0) -+ return true; -+ } -+ -+ return false; -+} -+ -+struct variable_validate { -+ char *name; -+ bool (*validate)(struct efi_variable *var, int match, u8 *data, -+ unsigned long len); -+}; -+ -+static const struct variable_validate variable_validate[] = { -+ { "BootNext", validate_uint16 }, -+ { "BootOrder", validate_boot_order }, -+ { "DriverOrder", validate_boot_order }, -+ { "Boot*", validate_load_option }, -+ { "Driver*", validate_load_option }, -+ { "ConIn", validate_device_path }, -+ { "ConInDev", validate_device_path }, -+ { "ConOut", validate_device_path }, -+ { "ConOutDev", validate_device_path }, -+ { "ErrOut", validate_device_path }, -+ { "ErrOutDev", validate_device_path }, -+ { "Timeout", validate_uint16 }, -+ { "Lang", validate_ascii_string }, -+ { "PlatformLang", validate_ascii_string }, -+ { "", NULL }, -+}; -+ -+static bool -+validate_var(struct efi_variable *var, u8 *data, unsigned long len) -+{ -+ int i; -+ u16 *unicode_name = var->VariableName; -+ -+ for (i = 0; variable_validate[i].validate != NULL; i++) { -+ const char *name = variable_validate[i].name; -+ int match; -+ -+ for (match = 0; ; match++) { -+ char c = name[match]; -+ u16 u = unicode_name[match]; -+ -+ /* All special variables are plain ascii */ -+ if (u > 127) -+ return true; -+ -+ /* Wildcard in the matching name means we've matched */ -+ if (c == '*') -+ return variable_validate[i].validate(var, -+ match, data, len); -+ -+ /* Case sensitive match */ -+ if (c != u) -+ break; -+ -+ /* Reached the end of the string while matching */ -+ if (!c) -+ return variable_validate[i].validate(var, -+ match, data, len); -+ } -+ } -+ -+ return true; -+} -+ - static efi_status_t - get_var_data_locked(struct efivars *efivars, struct efi_variable *var) - { -@@ -324,6 +508,12 @@ efivar_store_raw(struct efivar_entry *entry, const char *buf, size_t count) - return -EINVAL; - } - -+ if ((new_var->Attributes & ~EFI_VARIABLE_MASK) != 0 || -+ validate_var(new_var, new_var->Data, new_var->DataSize) == false) { -+ printk(KERN_ERR "efivars: Malformed variable content\n"); -+ return -EINVAL; -+ } -+ - spin_lock(&efivars->lock); - status = efivars->ops->set_variable(new_var->VariableName, - &new_var->VendorGuid, -@@ -626,6 +816,12 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj, - if (!capable(CAP_SYS_ADMIN)) - return -EACCES; - -+ if ((new_var->Attributes & ~EFI_VARIABLE_MASK) != 0 || -+ validate_var(new_var, new_var->Data, new_var->DataSize) == false) { -+ printk(KERN_ERR "efivars: Malformed variable content\n"); -+ return -EINVAL; -+ } -+ - spin_lock(&efivars->lock); - - /* -diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c -index 65e1f00..e159e33 100644 ---- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c -+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c -@@ -1082,6 +1082,11 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data, - return -EINVAL; - } - -+ if (args->num_cliprects > UINT_MAX / sizeof(*cliprects)) { -+ DRM_DEBUG("execbuf with %u cliprects\n", -+ args->num_cliprects); -+ return -EINVAL; -+ } - cliprects = kmalloc(args->num_cliprects * sizeof(*cliprects), - GFP_KERNEL); - if (cliprects == NULL) { -@@ -1353,7 +1358,8 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data, - struct drm_i915_gem_exec_object2 *exec2_list = NULL; - int ret; - -- if (args->buffer_count < 1) { -+ if (args->buffer_count < 1 || -+ args->buffer_count > UINT_MAX / sizeof(*exec2_list)) { - DRM_ERROR("execbuf2 with %d buffers\n", args->buffer_count); - return -EINVAL; - } -diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h -index 3e6429a..ac38d21 100644 ---- a/drivers/gpu/drm/i915/i915_reg.h -+++ b/drivers/gpu/drm/i915/i915_reg.h -@@ -523,6 +523,7 @@ - #define CM0_MASK_SHIFT 16 - #define CM0_IZ_OPT_DISABLE (1<<6) - #define CM0_ZR_OPT_DISABLE (1<<5) -+#define CM0_STC_EVICT_DISABLE_LRA_SNB (1<<5) - #define CM0_DEPTH_EVICT_DISABLE (1<<4) - #define CM0_COLOR_EVICT_DISABLE (1<<3) - #define CM0_DEPTH_WRITE_DISABLE (1<<1) -diff --git a/drivers/gpu/drm/i915/intel_ringbuffer.c b/drivers/gpu/drm/i915/intel_ringbuffer.c -index cbc3c04..99f71af 100644 ---- a/drivers/gpu/drm/i915/intel_ringbuffer.c -+++ b/drivers/gpu/drm/i915/intel_ringbuffer.c -@@ -417,6 +417,14 @@ static int init_render_ring(struct intel_ring_buffer *ring) - if (INTEL_INFO(dev)->gen >= 6) { - I915_WRITE(INSTPM, - INSTPM_FORCE_ORDERING << 16 | INSTPM_FORCE_ORDERING); -+ -+ /* From the Sandybridge PRM, volume 1 part 3, page 24: -+ * "If this bit is set, STCunit will have LRA as replacement -+ * policy. [...] This bit must be reset. LRA replacement -+ * policy is not supported." -+ */ -+ I915_WRITE(CACHE_MODE_0, -+ CM0_STC_EVICT_DISABLE_LRA_SNB << CM0_MASK_SHIFT); - } - - return ret; -diff --git a/drivers/gpu/drm/i915/intel_sdvo.c b/drivers/gpu/drm/i915/intel_sdvo.c -index e334ec3..0a877dd 100644 ---- a/drivers/gpu/drm/i915/intel_sdvo.c -+++ b/drivers/gpu/drm/i915/intel_sdvo.c -@@ -731,6 +731,7 @@ static void intel_sdvo_get_dtd_from_mode(struct intel_sdvo_dtd *dtd, - uint16_t width, height; - uint16_t h_blank_len, h_sync_len, v_blank_len, v_sync_len; - uint16_t h_sync_offset, v_sync_offset; -+ int mode_clock; - - width = mode->crtc_hdisplay; - height = mode->crtc_vdisplay; -@@ -745,7 +746,11 @@ static void intel_sdvo_get_dtd_from_mode(struct intel_sdvo_dtd *dtd, - h_sync_offset = mode->crtc_hsync_start - mode->crtc_hblank_start; - v_sync_offset = mode->crtc_vsync_start - mode->crtc_vblank_start; - -- dtd->part1.clock = mode->clock / 10; -+ mode_clock = mode->clock; -+ mode_clock /= intel_mode_get_pixel_multiplier(mode) ?: 1; -+ mode_clock /= 10; -+ dtd->part1.clock = mode_clock; -+ - dtd->part1.h_active = width & 0xff; - dtd->part1.h_blank = h_blank_len & 0xff; - dtd->part1.h_high = (((width >> 8) & 0xf) << 4) | -@@ -997,7 +1002,7 @@ static void intel_sdvo_mode_set(struct drm_encoder *encoder, - struct intel_sdvo *intel_sdvo = to_intel_sdvo(encoder); - u32 sdvox; - struct intel_sdvo_in_out_map in_out; -- struct intel_sdvo_dtd input_dtd; -+ struct intel_sdvo_dtd input_dtd, output_dtd; - int pixel_multiplier = intel_mode_get_pixel_multiplier(adjusted_mode); - int rate; - -@@ -1022,20 +1027,13 @@ static void intel_sdvo_mode_set(struct drm_encoder *encoder, - intel_sdvo->attached_output)) - return; - -- /* We have tried to get input timing in mode_fixup, and filled into -- * adjusted_mode. -- */ -- if (intel_sdvo->is_tv || intel_sdvo->is_lvds) { -- input_dtd = intel_sdvo->input_dtd; -- } else { -- /* Set the output timing to the screen */ -- if (!intel_sdvo_set_target_output(intel_sdvo, -- intel_sdvo->attached_output)) -- return; -- -- intel_sdvo_get_dtd_from_mode(&input_dtd, adjusted_mode); -- (void) intel_sdvo_set_output_timing(intel_sdvo, &input_dtd); -- } -+ /* lvds has a special fixed output timing. */ -+ if (intel_sdvo->is_lvds) -+ intel_sdvo_get_dtd_from_mode(&output_dtd, -+ intel_sdvo->sdvo_lvds_fixed_mode); -+ else -+ intel_sdvo_get_dtd_from_mode(&output_dtd, mode); -+ (void) intel_sdvo_set_output_timing(intel_sdvo, &output_dtd); - - /* Set the input timing to the screen. Assume always input 0. */ - if (!intel_sdvo_set_target_input(intel_sdvo)) -@@ -1053,6 +1051,10 @@ static void intel_sdvo_mode_set(struct drm_encoder *encoder, - !intel_sdvo_set_tv_format(intel_sdvo)) - return; - -+ /* We have tried to get input timing in mode_fixup, and filled into -+ * adjusted_mode. -+ */ -+ intel_sdvo_get_dtd_from_mode(&input_dtd, adjusted_mode); - (void) intel_sdvo_set_input_timing(intel_sdvo, &input_dtd); - - switch (pixel_multiplier) { -diff --git a/drivers/gpu/drm/nouveau/nouveau_acpi.c b/drivers/gpu/drm/nouveau/nouveau_acpi.c -index 7814a76..284bd25 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_acpi.c -+++ b/drivers/gpu/drm/nouveau/nouveau_acpi.c -@@ -270,7 +270,7 @@ static bool nouveau_dsm_detect(void) - struct acpi_buffer buffer = {sizeof(acpi_method_name), acpi_method_name}; - struct pci_dev *pdev = NULL; - int has_dsm = 0; -- int has_optimus; -+ int has_optimus = 0; - int vga_count = 0; - bool guid_valid; - int retval; -diff --git a/drivers/gpu/drm/radeon/atombios_crtc.c b/drivers/gpu/drm/radeon/atombios_crtc.c -index 24ed306..2dab552 100644 ---- a/drivers/gpu/drm/radeon/atombios_crtc.c -+++ b/drivers/gpu/drm/radeon/atombios_crtc.c -@@ -912,8 +912,8 @@ static void atombios_crtc_set_pll(struct drm_crtc *crtc, struct drm_display_mode - break; - } - -- if (radeon_encoder->active_device & -- (ATOM_DEVICE_LCD_SUPPORT | ATOM_DEVICE_DFP_SUPPORT)) { -+ if ((radeon_encoder->active_device & (ATOM_DEVICE_LCD_SUPPORT | ATOM_DEVICE_DFP_SUPPORT)) || -+ (radeon_encoder_get_dp_bridge_encoder_id(encoder) != ENCODER_OBJECT_ID_NONE)) { - struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv; - struct drm_connector *connector = - radeon_get_connector_for_encoder(encoder); -diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c -index a6c6ec3..1248ee4 100644 ---- a/drivers/hwmon/coretemp.c -+++ b/drivers/hwmon/coretemp.c -@@ -51,7 +51,7 @@ module_param_named(tjmax, force_tjmax, int, 0444); - MODULE_PARM_DESC(tjmax, "TjMax value in degrees Celsius"); - - #define BASE_SYSFS_ATTR_NO 2 /* Sysfs Base attr no for coretemp */ --#define NUM_REAL_CORES 16 /* Number of Real cores per cpu */ -+#define NUM_REAL_CORES 32 /* Number of Real cores per cpu */ - #define CORETEMP_NAME_LENGTH 17 /* String Length of attrs */ - #define MAX_CORE_ATTRS 4 /* Maximum no of basic attrs */ - #define TOTAL_ATTRS (MAX_CORE_ATTRS + 1) -@@ -708,6 +708,10 @@ static void __cpuinit put_core_offline(unsigned int cpu) - - indx = TO_ATTR_NO(cpu); - -+ /* The core id is too big, just return */ -+ if (indx > MAX_CORE_DATA - 1) -+ return; -+ - if (pdata->core_data[indx] && pdata->core_data[indx]->cpu == cpu) - coretemp_remove_core(pdata, &pdev->dev, indx); - -diff --git a/drivers/hwmon/fam15h_power.c b/drivers/hwmon/fam15h_power.c -index 930370d..9a4c3ab 100644 ---- a/drivers/hwmon/fam15h_power.c -+++ b/drivers/hwmon/fam15h_power.c -@@ -122,6 +122,41 @@ static bool __devinit fam15h_power_is_internal_node0(struct pci_dev *f4) - return true; - } - -+/* -+ * Newer BKDG versions have an updated recommendation on how to properly -+ * initialize the running average range (was: 0xE, now: 0x9). This avoids -+ * counter saturations resulting in bogus power readings. -+ * We correct this value ourselves to cope with older BIOSes. -+ */ -+static DEFINE_PCI_DEVICE_TABLE(affected_device) = { -+ { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_15H_NB_F4) }, -+ { 0 } -+}; -+ -+static void __devinit tweak_runavg_range(struct pci_dev *pdev) -+{ -+ u32 val; -+ -+ /* -+ * let this quirk apply only to the current version of the -+ * northbridge, since future versions may change the behavior -+ */ -+ if (!pci_match_id(affected_device, pdev)) -+ return; -+ -+ pci_bus_read_config_dword(pdev->bus, -+ PCI_DEVFN(PCI_SLOT(pdev->devfn), 5), -+ REG_TDP_RUNNING_AVERAGE, &val); -+ if ((val & 0xf) != 0xe) -+ return; -+ -+ val &= ~0xf; -+ val |= 0x9; -+ pci_bus_write_config_dword(pdev->bus, -+ PCI_DEVFN(PCI_SLOT(pdev->devfn), 5), -+ REG_TDP_RUNNING_AVERAGE, val); -+} -+ - static void __devinit fam15h_power_init_data(struct pci_dev *f4, - struct fam15h_power_data *data) - { -@@ -155,6 +190,13 @@ static int __devinit fam15h_power_probe(struct pci_dev *pdev, - struct device *dev; - int err; - -+ /* -+ * though we ignore every other northbridge, we still have to -+ * do the tweaking on _each_ node in MCM processors as the counters -+ * are working hand-in-hand -+ */ -+ tweak_runavg_range(pdev); -+ - if (!fam15h_power_is_internal_node0(pdev)) { - err = -ENODEV; - goto exit; -diff --git a/drivers/i2c/busses/i2c-pnx.c b/drivers/i2c/busses/i2c-pnx.c -index 04be9f8..eb8ad53 100644 ---- a/drivers/i2c/busses/i2c-pnx.c -+++ b/drivers/i2c/busses/i2c-pnx.c -@@ -546,8 +546,7 @@ static int i2c_pnx_controller_suspend(struct platform_device *pdev, - { - struct i2c_pnx_algo_data *alg_data = platform_get_drvdata(pdev); - -- /* FIXME: shouldn't this be clk_disable? */ -- clk_enable(alg_data->clk); -+ clk_disable(alg_data->clk); - - return 0; - } -diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c -index 8081a0a..a4b14a4 100644 ---- a/drivers/input/mouse/synaptics.c -+++ b/drivers/input/mouse/synaptics.c -@@ -274,7 +274,8 @@ static int synaptics_set_advanced_gesture_mode(struct psmouse *psmouse) - static unsigned char param = 0xc8; - struct synaptics_data *priv = psmouse->private; - -- if (!SYN_CAP_ADV_GESTURE(priv->ext_cap_0c)) -+ if (!(SYN_CAP_ADV_GESTURE(priv->ext_cap_0c) || -+ SYN_CAP_IMAGE_SENSOR(priv->ext_cap_0c))) - return 0; - - if (psmouse_sliced_command(psmouse, SYN_QUE_MODEL)) -diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c -index 360f2b9..d1162e5 100644 ---- a/drivers/md/raid5.c -+++ b/drivers/md/raid5.c -@@ -3277,12 +3277,14 @@ static void analyse_stripe(struct stripe_head *sh, struct stripe_head_state *s) - /* If there is a failed device being replaced, - * we must be recovering. - * else if we are after recovery_cp, we must be syncing -+ * else if MD_RECOVERY_REQUESTED is set, we also are syncing. - * else we can only be replacing - * sync and recovery both need to read all devices, and so - * use the same flag. - */ - if (do_recovery || -- sh->sector >= conf->mddev->recovery_cp) -+ sh->sector >= conf->mddev->recovery_cp || -+ test_bit(MD_RECOVERY_REQUESTED, &(conf->mddev->recovery))) - s->syncing = 1; - else - s->replacing = 1; -diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c -index 23ffb1b..11ab4a4 100644 ---- a/drivers/net/wireless/b43/main.c -+++ b/drivers/net/wireless/b43/main.c -@@ -4841,8 +4841,14 @@ static int b43_op_start(struct ieee80211_hw *hw) - out_mutex_unlock: - mutex_unlock(&wl->mutex); - -- /* reload configuration */ -- b43_op_config(hw, ~0); -+ /* -+ * Configuration may have been overwritten during initialization. -+ * Reload the configuration, but only if initialization was -+ * successful. Reloading the configuration after a failed init -+ * may hang the system. -+ */ -+ if (!err) -+ b43_op_config(hw, ~0); - - return err; - } -diff --git a/drivers/net/wireless/ipw2x00/ipw2200.c b/drivers/net/wireless/ipw2x00/ipw2200.c -index 4fcdac6..cb33e6c 100644 ---- a/drivers/net/wireless/ipw2x00/ipw2200.c -+++ b/drivers/net/wireless/ipw2x00/ipw2200.c -@@ -2191,6 +2191,7 @@ static int __ipw_send_cmd(struct ipw_priv *priv, struct host_cmd *cmd) - { - int rc = 0; - unsigned long flags; -+ unsigned long now, end; - - spin_lock_irqsave(&priv->lock, flags); - if (priv->status & STATUS_HCMD_ACTIVE) { -@@ -2232,10 +2233,20 @@ static int __ipw_send_cmd(struct ipw_priv *priv, struct host_cmd *cmd) - } - spin_unlock_irqrestore(&priv->lock, flags); - -+ now = jiffies; -+ end = now + HOST_COMPLETE_TIMEOUT; -+again: - rc = wait_event_interruptible_timeout(priv->wait_command_queue, - !(priv-> - status & STATUS_HCMD_ACTIVE), -- HOST_COMPLETE_TIMEOUT); -+ end - now); -+ if (rc < 0) { -+ now = jiffies; -+ if (time_before(now, end)) -+ goto again; -+ rc = 0; -+ } -+ - if (rc == 0) { - spin_lock_irqsave(&priv->lock, flags); - if (priv->status & STATUS_HCMD_ACTIVE) { -diff --git a/drivers/net/wireless/iwlwifi/iwl-1000.c b/drivers/net/wireless/iwlwifi/iwl-1000.c -index 1ef7bfc..9fcd417 100644 ---- a/drivers/net/wireless/iwlwifi/iwl-1000.c -+++ b/drivers/net/wireless/iwlwifi/iwl-1000.c -@@ -45,8 +45,8 @@ - #include "iwl-cfg.h" - - /* Highest firmware API version supported */ --#define IWL1000_UCODE_API_MAX 6 --#define IWL100_UCODE_API_MAX 6 -+#define IWL1000_UCODE_API_MAX 5 -+#define IWL100_UCODE_API_MAX 5 - - /* Oldest version we won't warn about */ - #define IWL1000_UCODE_API_OK 5 -@@ -235,5 +235,5 @@ struct iwl_cfg iwl100_bg_cfg = { - IWL_DEVICE_100, - }; - --MODULE_FIRMWARE(IWL1000_MODULE_FIRMWARE(IWL1000_UCODE_API_MAX)); --MODULE_FIRMWARE(IWL100_MODULE_FIRMWARE(IWL100_UCODE_API_MAX)); -+MODULE_FIRMWARE(IWL1000_MODULE_FIRMWARE(IWL1000_UCODE_API_OK)); -+MODULE_FIRMWARE(IWL100_MODULE_FIRMWARE(IWL100_UCODE_API_OK)); -diff --git a/drivers/net/wireless/iwlwifi/iwl-2000.c b/drivers/net/wireless/iwlwifi/iwl-2000.c -index 0946933..369d6b1 100644 ---- a/drivers/net/wireless/iwlwifi/iwl-2000.c -+++ b/drivers/net/wireless/iwlwifi/iwl-2000.c -@@ -51,10 +51,10 @@ - #define IWL135_UCODE_API_MAX 6 - - /* Oldest version we won't warn about */ --#define IWL2030_UCODE_API_OK 5 --#define IWL2000_UCODE_API_OK 5 --#define IWL105_UCODE_API_OK 5 --#define IWL135_UCODE_API_OK 5 -+#define IWL2030_UCODE_API_OK 6 -+#define IWL2000_UCODE_API_OK 6 -+#define IWL105_UCODE_API_OK 6 -+#define IWL135_UCODE_API_OK 6 - - /* Lowest firmware API version supported */ - #define IWL2030_UCODE_API_MIN 5 -@@ -338,7 +338,7 @@ struct iwl_cfg iwl135_bgn_cfg = { - .ht_params = &iwl2000_ht_params, - }; - --MODULE_FIRMWARE(IWL2000_MODULE_FIRMWARE(IWL2000_UCODE_API_MAX)); --MODULE_FIRMWARE(IWL2030_MODULE_FIRMWARE(IWL2030_UCODE_API_MAX)); --MODULE_FIRMWARE(IWL105_MODULE_FIRMWARE(IWL105_UCODE_API_MAX)); --MODULE_FIRMWARE(IWL135_MODULE_FIRMWARE(IWL135_UCODE_API_MAX)); -+MODULE_FIRMWARE(IWL2000_MODULE_FIRMWARE(IWL2000_UCODE_API_OK)); -+MODULE_FIRMWARE(IWL2030_MODULE_FIRMWARE(IWL2030_UCODE_API_OK)); -+MODULE_FIRMWARE(IWL105_MODULE_FIRMWARE(IWL105_UCODE_API_OK)); -+MODULE_FIRMWARE(IWL135_MODULE_FIRMWARE(IWL135_UCODE_API_OK)); -diff --git a/drivers/net/wireless/iwlwifi/iwl-5000.c b/drivers/net/wireless/iwlwifi/iwl-5000.c -index b3a365f..3ce542e 100644 ---- a/drivers/net/wireless/iwlwifi/iwl-5000.c -+++ b/drivers/net/wireless/iwlwifi/iwl-5000.c -@@ -50,6 +50,10 @@ - #define IWL5000_UCODE_API_MAX 5 - #define IWL5150_UCODE_API_MAX 2 - -+/* Oldest version we won't warn about */ -+#define IWL5000_UCODE_API_OK 5 -+#define IWL5150_UCODE_API_OK 2 -+ - /* Lowest firmware API version supported */ - #define IWL5000_UCODE_API_MIN 1 - #define IWL5150_UCODE_API_MIN 1 -@@ -359,6 +363,7 @@ static struct iwl_ht_params iwl5000_ht_params = { - #define IWL_DEVICE_5000 \ - .fw_name_pre = IWL5000_FW_PRE, \ - .ucode_api_max = IWL5000_UCODE_API_MAX, \ -+ .ucode_api_ok = IWL5000_UCODE_API_OK, \ - .ucode_api_min = IWL5000_UCODE_API_MIN, \ - .eeprom_ver = EEPROM_5000_EEPROM_VERSION, \ - .eeprom_calib_ver = EEPROM_5000_TX_POWER_VERSION, \ -@@ -402,6 +407,7 @@ struct iwl_cfg iwl5350_agn_cfg = { - .name = "Intel(R) WiMAX/WiFi Link 5350 AGN", - .fw_name_pre = IWL5000_FW_PRE, - .ucode_api_max = IWL5000_UCODE_API_MAX, -+ .ucode_api_ok = IWL5000_UCODE_API_OK, - .ucode_api_min = IWL5000_UCODE_API_MIN, - .eeprom_ver = EEPROM_5050_EEPROM_VERSION, - .eeprom_calib_ver = EEPROM_5050_TX_POWER_VERSION, -@@ -415,6 +421,7 @@ struct iwl_cfg iwl5350_agn_cfg = { - #define IWL_DEVICE_5150 \ - .fw_name_pre = IWL5150_FW_PRE, \ - .ucode_api_max = IWL5150_UCODE_API_MAX, \ -+ .ucode_api_ok = IWL5150_UCODE_API_OK, \ - .ucode_api_min = IWL5150_UCODE_API_MIN, \ - .eeprom_ver = EEPROM_5050_EEPROM_VERSION, \ - .eeprom_calib_ver = EEPROM_5050_TX_POWER_VERSION, \ -@@ -436,5 +443,5 @@ struct iwl_cfg iwl5150_abg_cfg = { - IWL_DEVICE_5150, - }; - --MODULE_FIRMWARE(IWL5000_MODULE_FIRMWARE(IWL5000_UCODE_API_MAX)); --MODULE_FIRMWARE(IWL5150_MODULE_FIRMWARE(IWL5150_UCODE_API_MAX)); -+MODULE_FIRMWARE(IWL5000_MODULE_FIRMWARE(IWL5000_UCODE_API_OK)); -+MODULE_FIRMWARE(IWL5150_MODULE_FIRMWARE(IWL5150_UCODE_API_OK)); -diff --git a/drivers/net/wireless/iwlwifi/iwl-6000.c b/drivers/net/wireless/iwlwifi/iwl-6000.c -index 54b7533..cf806ae 100644 ---- a/drivers/net/wireless/iwlwifi/iwl-6000.c -+++ b/drivers/net/wireless/iwlwifi/iwl-6000.c -@@ -53,6 +53,8 @@ - /* Oldest version we won't warn about */ - #define IWL6000_UCODE_API_OK 4 - #define IWL6000G2_UCODE_API_OK 5 -+#define IWL6050_UCODE_API_OK 5 -+#define IWL6000G2B_UCODE_API_OK 6 - - /* Lowest firmware API version supported */ - #define IWL6000_UCODE_API_MIN 4 -@@ -389,7 +391,7 @@ struct iwl_cfg iwl6005_2agn_d_cfg = { - #define IWL_DEVICE_6030 \ - .fw_name_pre = IWL6030_FW_PRE, \ - .ucode_api_max = IWL6000G2_UCODE_API_MAX, \ -- .ucode_api_ok = IWL6000G2_UCODE_API_OK, \ -+ .ucode_api_ok = IWL6000G2B_UCODE_API_OK, \ - .ucode_api_min = IWL6000G2_UCODE_API_MIN, \ - .eeprom_ver = EEPROM_6030_EEPROM_VERSION, \ - .eeprom_calib_ver = EEPROM_6030_TX_POWER_VERSION, \ -@@ -548,6 +550,6 @@ struct iwl_cfg iwl6000_3agn_cfg = { - }; - - MODULE_FIRMWARE(IWL6000_MODULE_FIRMWARE(IWL6000_UCODE_API_OK)); --MODULE_FIRMWARE(IWL6050_MODULE_FIRMWARE(IWL6050_UCODE_API_MAX)); --MODULE_FIRMWARE(IWL6005_MODULE_FIRMWARE(IWL6000G2_UCODE_API_MAX)); --MODULE_FIRMWARE(IWL6030_MODULE_FIRMWARE(IWL6000G2_UCODE_API_MAX)); -+MODULE_FIRMWARE(IWL6050_MODULE_FIRMWARE(IWL6050_UCODE_API_OK)); -+MODULE_FIRMWARE(IWL6005_MODULE_FIRMWARE(IWL6000G2_UCODE_API_OK)); -+MODULE_FIRMWARE(IWL6030_MODULE_FIRMWARE(IWL6000G2B_UCODE_API_OK)); -diff --git a/drivers/net/wireless/iwlwifi/iwl-agn.c b/drivers/net/wireless/iwlwifi/iwl-agn.c -index b5c7c5f..2db9cd7 100644 ---- a/drivers/net/wireless/iwlwifi/iwl-agn.c -+++ b/drivers/net/wireless/iwlwifi/iwl-agn.c -@@ -1403,7 +1403,6 @@ static void iwl_bg_run_time_calib_work(struct work_struct *work) - - void iwlagn_prepare_restart(struct iwl_priv *priv) - { -- struct iwl_rxon_context *ctx; - bool bt_full_concurrent; - u8 bt_ci_compliance; - u8 bt_load; -@@ -1412,8 +1411,6 @@ void iwlagn_prepare_restart(struct iwl_priv *priv) - - lockdep_assert_held(&priv->shrd->mutex); - -- for_each_context(priv, ctx) -- ctx->vif = NULL; - priv->is_open = 0; - - /* -diff --git a/drivers/net/wireless/iwlwifi/iwl-fh.h b/drivers/net/wireless/iwlwifi/iwl-fh.h -index 5bede9d..aae992a 100644 ---- a/drivers/net/wireless/iwlwifi/iwl-fh.h -+++ b/drivers/net/wireless/iwlwifi/iwl-fh.h -@@ -104,15 +104,29 @@ - * (see struct iwl_tfd_frame). These 16 pointer registers are offset by 0x04 - * bytes from one another. Each TFD circular buffer in DRAM must be 256-byte - * aligned (address bits 0-7 must be 0). -+ * Later devices have 20 (5000 series) or 30 (higher) queues, but the registers -+ * for them are in different places. - * - * Bit fields in each pointer register: - * 27-0: TFD CB physical base address [35:8], must be 256-byte aligned - */ --#define FH_MEM_CBBC_LOWER_BOUND (FH_MEM_LOWER_BOUND + 0x9D0) --#define FH_MEM_CBBC_UPPER_BOUND (FH_MEM_LOWER_BOUND + 0xA10) -- --/* Find TFD CB base pointer for given queue (range 0-15). */ --#define FH_MEM_CBBC_QUEUE(x) (FH_MEM_CBBC_LOWER_BOUND + (x) * 0x4) -+#define FH_MEM_CBBC_0_15_LOWER_BOUND (FH_MEM_LOWER_BOUND + 0x9D0) -+#define FH_MEM_CBBC_0_15_UPPER_BOUND (FH_MEM_LOWER_BOUND + 0xA10) -+#define FH_MEM_CBBC_16_19_LOWER_BOUND (FH_MEM_LOWER_BOUND + 0xBF0) -+#define FH_MEM_CBBC_16_19_UPPER_BOUND (FH_MEM_LOWER_BOUND + 0xC00) -+#define FH_MEM_CBBC_20_31_LOWER_BOUND (FH_MEM_LOWER_BOUND + 0xB20) -+#define FH_MEM_CBBC_20_31_UPPER_BOUND (FH_MEM_LOWER_BOUND + 0xB80) -+ -+/* Find TFD CB base pointer for given queue */ -+static inline unsigned int FH_MEM_CBBC_QUEUE(unsigned int chnl) -+{ -+ if (chnl < 16) -+ return FH_MEM_CBBC_0_15_LOWER_BOUND + 4 * chnl; -+ if (chnl < 20) -+ return FH_MEM_CBBC_16_19_LOWER_BOUND + 4 * (chnl - 16); -+ WARN_ON_ONCE(chnl >= 32); -+ return FH_MEM_CBBC_20_31_LOWER_BOUND + 4 * (chnl - 20); -+} - - - /** -diff --git a/drivers/net/wireless/iwlwifi/iwl-mac80211.c b/drivers/net/wireless/iwlwifi/iwl-mac80211.c -index f980e57..4fd5199 100644 ---- a/drivers/net/wireless/iwlwifi/iwl-mac80211.c -+++ b/drivers/net/wireless/iwlwifi/iwl-mac80211.c -@@ -1226,6 +1226,7 @@ static int iwlagn_mac_add_interface(struct ieee80211_hw *hw, - struct iwl_rxon_context *tmp, *ctx = NULL; - int err; - enum nl80211_iftype viftype = ieee80211_vif_type_p2p(vif); -+ bool reset = false; - - IWL_DEBUG_MAC80211(priv, "enter: type %d, addr %pM\n", - viftype, vif->addr); -@@ -1247,6 +1248,13 @@ static int iwlagn_mac_add_interface(struct ieee80211_hw *hw, - tmp->interface_modes | tmp->exclusive_interface_modes; - - if (tmp->vif) { -+ /* On reset we need to add the same interface again */ -+ if (tmp->vif == vif) { -+ reset = true; -+ ctx = tmp; -+ break; -+ } -+ - /* check if this busy context is exclusive */ - if (tmp->exclusive_interface_modes & - BIT(tmp->vif->type)) { -@@ -1273,7 +1281,7 @@ static int iwlagn_mac_add_interface(struct ieee80211_hw *hw, - ctx->vif = vif; - - err = iwl_setup_interface(priv, ctx); -- if (!err) -+ if (!err || reset) - goto out; - - ctx->vif = NULL; -diff --git a/drivers/net/wireless/iwlwifi/iwl-prph.h b/drivers/net/wireless/iwlwifi/iwl-prph.h -index bebdd82..d9b089e 100644 ---- a/drivers/net/wireless/iwlwifi/iwl-prph.h -+++ b/drivers/net/wireless/iwlwifi/iwl-prph.h -@@ -227,12 +227,33 @@ - #define SCD_AIT (SCD_BASE + 0x0c) - #define SCD_TXFACT (SCD_BASE + 0x10) - #define SCD_ACTIVE (SCD_BASE + 0x14) --#define SCD_QUEUE_WRPTR(x) (SCD_BASE + 0x18 + (x) * 4) --#define SCD_QUEUE_RDPTR(x) (SCD_BASE + 0x68 + (x) * 4) - #define SCD_QUEUECHAIN_SEL (SCD_BASE + 0xe8) - #define SCD_AGGR_SEL (SCD_BASE + 0x248) - #define SCD_INTERRUPT_MASK (SCD_BASE + 0x108) --#define SCD_QUEUE_STATUS_BITS(x) (SCD_BASE + 0x10c + (x) * 4) -+ -+static inline unsigned int SCD_QUEUE_WRPTR(unsigned int chnl) -+{ -+ if (chnl < 20) -+ return SCD_BASE + 0x18 + chnl * 4; -+ WARN_ON_ONCE(chnl >= 32); -+ return SCD_BASE + 0x284 + (chnl - 20) * 4; -+} -+ -+static inline unsigned int SCD_QUEUE_RDPTR(unsigned int chnl) -+{ -+ if (chnl < 20) -+ return SCD_BASE + 0x68 + chnl * 4; -+ WARN_ON_ONCE(chnl >= 32); -+ return SCD_BASE + 0x2B4 + (chnl - 20) * 4; -+} -+ -+static inline unsigned int SCD_QUEUE_STATUS_BITS(unsigned int chnl) -+{ -+ if (chnl < 20) -+ return SCD_BASE + 0x10c + chnl * 4; -+ WARN_ON_ONCE(chnl >= 32); -+ return SCD_BASE + 0x384 + (chnl - 20) * 4; -+} - - /*********************** END TX SCHEDULER *************************************/ - -diff --git a/drivers/net/wireless/rtlwifi/pci.c b/drivers/net/wireless/rtlwifi/pci.c -index c694cae..b588ca8 100644 ---- a/drivers/net/wireless/rtlwifi/pci.c -+++ b/drivers/net/wireless/rtlwifi/pci.c -@@ -1955,6 +1955,7 @@ void rtl_pci_disconnect(struct pci_dev *pdev) - rtl_deinit_deferred_work(hw); - rtlpriv->intf_ops->adapter_stop(hw); - } -+ rtlpriv->cfg->ops->disable_interrupt(hw); - - /*deinit rfkill */ - rtl_deinit_rfkill(hw); -diff --git a/drivers/net/wireless/wl1251/main.c b/drivers/net/wireless/wl1251/main.c -index ba3268e..40c1574 100644 ---- a/drivers/net/wireless/wl1251/main.c -+++ b/drivers/net/wireless/wl1251/main.c -@@ -479,6 +479,7 @@ static void wl1251_op_stop(struct ieee80211_hw *hw) - cancel_work_sync(&wl->irq_work); - cancel_work_sync(&wl->tx_work); - cancel_work_sync(&wl->filter_work); -+ cancel_delayed_work_sync(&wl->elp_work); - - mutex_lock(&wl->mutex); - -diff --git a/drivers/net/wireless/wl1251/sdio.c b/drivers/net/wireless/wl1251/sdio.c -index f786942..1b851f6 100644 ---- a/drivers/net/wireless/wl1251/sdio.c -+++ b/drivers/net/wireless/wl1251/sdio.c -@@ -315,8 +315,8 @@ static void __devexit wl1251_sdio_remove(struct sdio_func *func) - - if (wl->irq) - free_irq(wl->irq, wl); -- kfree(wl_sdio); - wl1251_free_hw(wl); -+ kfree(wl_sdio); - - sdio_claim_host(func); - sdio_release_irq(func); -diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c -index 92e42d4..1d3bcce 100644 ---- a/drivers/platform/x86/dell-laptop.c -+++ b/drivers/platform/x86/dell-laptop.c -@@ -211,6 +211,7 @@ static struct dmi_system_id __devinitdata dell_quirks[] = { - }, - .driver_data = &quirk_dell_vostro_v130, - }, -+ { } - }; - - static struct calling_interface_buffer *buffer; -diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c -index 1b831c5..e48ba4b 100644 ---- a/drivers/scsi/libsas/sas_expander.c -+++ b/drivers/scsi/libsas/sas_expander.c -@@ -192,7 +192,14 @@ static void sas_set_ex_phy(struct domain_device *dev, int phy_id, - phy->attached_sata_ps = dr->attached_sata_ps; - phy->attached_iproto = dr->iproto << 1; - phy->attached_tproto = dr->tproto << 1; -- memcpy(phy->attached_sas_addr, dr->attached_sas_addr, SAS_ADDR_SIZE); -+ /* help some expanders that fail to zero sas_address in the 'no -+ * device' case -+ */ -+ if (phy->attached_dev_type == NO_DEVICE || -+ phy->linkrate < SAS_LINK_RATE_1_5_GBPS) -+ memset(phy->attached_sas_addr, 0, SAS_ADDR_SIZE); -+ else -+ memcpy(phy->attached_sas_addr, dr->attached_sas_addr, SAS_ADDR_SIZE); - phy->attached_phy_id = dr->attached_phy_id; - phy->phy_change_count = dr->change_count; - phy->routing_attr = dr->routing_attr; -@@ -1643,9 +1650,17 @@ static int sas_find_bcast_phy(struct domain_device *dev, int *phy_id, - int phy_change_count = 0; - - res = sas_get_phy_change_count(dev, i, &phy_change_count); -- if (res) -- goto out; -- else if (phy_change_count != ex->ex_phy[i].phy_change_count) { -+ switch (res) { -+ case SMP_RESP_PHY_VACANT: -+ case SMP_RESP_NO_PHY: -+ continue; -+ case SMP_RESP_FUNC_ACC: -+ break; -+ default: -+ return res; -+ } -+ -+ if (phy_change_count != ex->ex_phy[i].phy_change_count) { - if (update) - ex->ex_phy[i].phy_change_count = - phy_change_count; -@@ -1653,8 +1668,7 @@ static int sas_find_bcast_phy(struct domain_device *dev, int *phy_id, - return 0; - } - } --out: -- return res; -+ return 0; - } - - static int sas_get_ex_change_count(struct domain_device *dev, int *ecc) -diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c -index 2f085fb..7b45f66 100644 ---- a/drivers/usb/class/cdc-wdm.c -+++ b/drivers/usb/class/cdc-wdm.c -@@ -108,8 +108,9 @@ static void wdm_out_callback(struct urb *urb) - spin_lock(&desc->iuspin); - desc->werr = urb->status; - spin_unlock(&desc->iuspin); -- clear_bit(WDM_IN_USE, &desc->flags); - kfree(desc->outbuf); -+ desc->outbuf = NULL; -+ clear_bit(WDM_IN_USE, &desc->flags); - wake_up(&desc->wait); - } - -@@ -312,7 +313,7 @@ static ssize_t wdm_write - if (we < 0) - return -EIO; - -- desc->outbuf = buf = kmalloc(count, GFP_KERNEL); -+ buf = kmalloc(count, GFP_KERNEL); - if (!buf) { - rv = -ENOMEM; - goto outnl; -@@ -376,10 +377,12 @@ static ssize_t wdm_write - req->wIndex = desc->inum; - req->wLength = cpu_to_le16(count); - set_bit(WDM_IN_USE, &desc->flags); -+ desc->outbuf = buf; - - rv = usb_submit_urb(desc->command, GFP_KERNEL); - if (rv < 0) { - kfree(buf); -+ desc->outbuf = NULL; - clear_bit(WDM_IN_USE, &desc->flags); - dev_err(&desc->intf->dev, "Tx URB error: %d\n", rv); - } else { -diff --git a/drivers/usb/core/hcd-pci.c b/drivers/usb/core/hcd-pci.c -index 81e2c0d..c4dfcc0 100644 ---- a/drivers/usb/core/hcd-pci.c -+++ b/drivers/usb/core/hcd-pci.c -@@ -491,6 +491,15 @@ static int hcd_pci_suspend_noirq(struct device *dev) - - pci_save_state(pci_dev); - -+ /* -+ * Some systems crash if an EHCI controller is in D3 during -+ * a sleep transition. We have to leave such controllers in D0. -+ */ -+ if (hcd->broken_pci_sleep) { -+ dev_dbg(dev, "Staying in PCI D0\n"); -+ return retval; -+ } -+ - /* If the root hub is dead rather than suspended, disallow remote - * wakeup. usb_hc_died() should ensure that both hosts are marked as - * dying, so we only need to check the primary roothub. -diff --git a/drivers/usb/gadget/dummy_hcd.c b/drivers/usb/gadget/dummy_hcd.c -index db815c2..9098642 100644 ---- a/drivers/usb/gadget/dummy_hcd.c -+++ b/drivers/usb/gadget/dummy_hcd.c -@@ -924,7 +924,6 @@ static int dummy_udc_stop(struct usb_gadget *g, - - dum->driver = NULL; - -- dummy_pullup(&dum->gadget, 0); - return 0; - } - -diff --git a/drivers/usb/gadget/f_mass_storage.c b/drivers/usb/gadget/f_mass_storage.c -index ee8ceec..1d7682d 100644 ---- a/drivers/usb/gadget/f_mass_storage.c -+++ b/drivers/usb/gadget/f_mass_storage.c -@@ -2190,7 +2190,7 @@ unknown_cmnd: - common->data_size_from_cmnd = 0; - sprintf(unknown, "Unknown x%02x", common->cmnd[0]); - reply = check_command(common, common->cmnd_size, -- DATA_DIR_UNKNOWN, 0xff, 0, unknown); -+ DATA_DIR_UNKNOWN, ~0, 0, unknown); - if (reply == 0) { - common->curlun->sense_data = SS_INVALID_COMMAND; - reply = -EINVAL; -diff --git a/drivers/usb/gadget/file_storage.c b/drivers/usb/gadget/file_storage.c -index 47766f0..18d96e0 100644 ---- a/drivers/usb/gadget/file_storage.c -+++ b/drivers/usb/gadget/file_storage.c -@@ -2579,7 +2579,7 @@ static int do_scsi_command(struct fsg_dev *fsg) - fsg->data_size_from_cmnd = 0; - sprintf(unknown, "Unknown x%02x", fsg->cmnd[0]); - if ((reply = check_command(fsg, fsg->cmnd_size, -- DATA_DIR_UNKNOWN, 0xff, 0, unknown)) == 0) { -+ DATA_DIR_UNKNOWN, ~0, 0, unknown)) == 0) { - fsg->curlun->sense_data = SS_INVALID_COMMAND; - reply = -EINVAL; - } -diff --git a/drivers/usb/gadget/uvc.h b/drivers/usb/gadget/uvc.h -index bc78c60..ca4e03a 100644 ---- a/drivers/usb/gadget/uvc.h -+++ b/drivers/usb/gadget/uvc.h -@@ -28,7 +28,7 @@ - - struct uvc_request_data - { -- unsigned int length; -+ __s32 length; - __u8 data[60]; - }; - -diff --git a/drivers/usb/gadget/uvc_v4l2.c b/drivers/usb/gadget/uvc_v4l2.c -index f6e083b..54d7ca5 100644 ---- a/drivers/usb/gadget/uvc_v4l2.c -+++ b/drivers/usb/gadget/uvc_v4l2.c -@@ -39,7 +39,7 @@ uvc_send_response(struct uvc_device *uvc, struct uvc_request_data *data) - if (data->length < 0) - return usb_ep_set_halt(cdev->gadget->ep0); - -- req->length = min(uvc->event_length, data->length); -+ req->length = min_t(unsigned int, uvc->event_length, data->length); - req->zero = data->length < uvc->event_length; - req->dma = DMA_ADDR_INVALID; - -diff --git a/drivers/usb/host/ehci-pci.c b/drivers/usb/host/ehci-pci.c -index 01bb7241d..fe8dc06 100644 ---- a/drivers/usb/host/ehci-pci.c -+++ b/drivers/usb/host/ehci-pci.c -@@ -144,6 +144,14 @@ static int ehci_pci_setup(struct usb_hcd *hcd) - hcd->has_tt = 1; - tdi_reset(ehci); - } -+ if (pdev->subsystem_vendor == PCI_VENDOR_ID_ASUSTEK) { -+ /* EHCI #1 or #2 on 6 Series/C200 Series chipset */ -+ if (pdev->device == 0x1c26 || pdev->device == 0x1c2d) { -+ ehci_info(ehci, "broken D3 during system sleep on ASUS\n"); -+ hcd->broken_pci_sleep = 1; -+ device_set_wakeup_capable(&pdev->dev, false); -+ } -+ } - break; - case PCI_VENDOR_ID_TDI: - if (pdev->device == PCI_DEVICE_ID_TDI_EHCI) { -diff --git a/drivers/usb/host/ehci-tegra.c b/drivers/usb/host/ehci-tegra.c -index dbc7fe8..de36b8c 100644 ---- a/drivers/usb/host/ehci-tegra.c -+++ b/drivers/usb/host/ehci-tegra.c -@@ -601,7 +601,6 @@ static int setup_vbus_gpio(struct platform_device *pdev) - dev_err(&pdev->dev, "can't enable vbus\n"); - return err; - } -- gpio_set_value(gpio, 1); - - return err; - } -diff --git a/fs/autofs4/autofs_i.h b/fs/autofs4/autofs_i.h -index eb1cc92..908e184 100644 ---- a/fs/autofs4/autofs_i.h -+++ b/fs/autofs4/autofs_i.h -@@ -110,7 +110,6 @@ struct autofs_sb_info { - int sub_version; - int min_proto; - int max_proto; -- int compat_daemon; - unsigned long exp_timeout; - unsigned int type; - int reghost_enabled; -@@ -270,6 +269,17 @@ int autofs4_fill_super(struct super_block *, void *, int); - struct autofs_info *autofs4_new_ino(struct autofs_sb_info *); - void autofs4_clean_ino(struct autofs_info *); - -+static inline int autofs_prepare_pipe(struct file *pipe) -+{ -+ if (!pipe->f_op || !pipe->f_op->write) -+ return -EINVAL; -+ if (!S_ISFIFO(pipe->f_dentry->d_inode->i_mode)) -+ return -EINVAL; -+ /* We want a packet pipe */ -+ pipe->f_flags |= O_DIRECT; -+ return 0; -+} -+ - /* Queue management functions */ - - int autofs4_wait(struct autofs_sb_info *,struct dentry *, enum autofs_notify); -diff --git a/fs/autofs4/dev-ioctl.c b/fs/autofs4/dev-ioctl.c -index 85f1fcd..d06d95a 100644 ---- a/fs/autofs4/dev-ioctl.c -+++ b/fs/autofs4/dev-ioctl.c -@@ -376,7 +376,7 @@ static int autofs_dev_ioctl_setpipefd(struct file *fp, - err = -EBADF; - goto out; - } -- if (!pipe->f_op || !pipe->f_op->write) { -+ if (autofs_prepare_pipe(pipe) < 0) { - err = -EPIPE; - fput(pipe); - goto out; -@@ -385,7 +385,6 @@ static int autofs_dev_ioctl_setpipefd(struct file *fp, - sbi->pipefd = pipefd; - sbi->pipe = pipe; - sbi->catatonic = 0; -- sbi->compat_daemon = is_compat_task(); - } - out: - mutex_unlock(&sbi->wq_mutex); -diff --git a/fs/autofs4/inode.c b/fs/autofs4/inode.c -index 06858d9..9ef53a6 100644 ---- a/fs/autofs4/inode.c -+++ b/fs/autofs4/inode.c -@@ -19,7 +19,6 @@ - #include <linux/parser.h> - #include <linux/bitops.h> - #include <linux/magic.h> --#include <linux/compat.h> - #include "autofs_i.h" - #include <linux/module.h> - -@@ -225,7 +224,6 @@ int autofs4_fill_super(struct super_block *s, void *data, int silent) - set_autofs_type_indirect(&sbi->type); - sbi->min_proto = 0; - sbi->max_proto = 0; -- sbi->compat_daemon = is_compat_task(); - mutex_init(&sbi->wq_mutex); - mutex_init(&sbi->pipe_mutex); - spin_lock_init(&sbi->fs_lock); -@@ -295,7 +293,7 @@ int autofs4_fill_super(struct super_block *s, void *data, int silent) - printk("autofs: could not open pipe file descriptor\n"); - goto fail_dput; - } -- if (!pipe->f_op || !pipe->f_op->write) -+ if (autofs_prepare_pipe(pipe) < 0) - goto fail_fput; - sbi->pipe = pipe; - sbi->pipefd = pipefd; -diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c -index 9c098db..f624cd0 100644 ---- a/fs/autofs4/waitq.c -+++ b/fs/autofs4/waitq.c -@@ -92,23 +92,6 @@ static int autofs4_write(struct autofs_sb_info *sbi, - return (bytes > 0); - } - --/* -- * The autofs_v5 packet was misdesigned. -- * -- * The packets are identical on x86-32 and x86-64, but have different -- * alignment. Which means that 'sizeof()' will give different results. -- * Fix it up for the case of running 32-bit user mode on a 64-bit kernel. -- */ --static noinline size_t autofs_v5_packet_size(struct autofs_sb_info *sbi) --{ -- size_t pktsz = sizeof(struct autofs_v5_packet); --#if defined(CONFIG_X86_64) && defined(CONFIG_COMPAT) -- if (sbi->compat_daemon > 0) -- pktsz -= 4; --#endif -- return pktsz; --} -- - static void autofs4_notify_daemon(struct autofs_sb_info *sbi, - struct autofs_wait_queue *wq, - int type) -@@ -172,7 +155,8 @@ static void autofs4_notify_daemon(struct autofs_sb_info *sbi, - { - struct autofs_v5_packet *packet = &pkt.v5_pkt.v5_packet; - -- pktsz = autofs_v5_packet_size(sbi); -+ pktsz = sizeof(*packet); -+ - packet->wait_queue_token = wq->wait_queue_token; - packet->len = wq->name.len; - memcpy(packet->name, wq->name.name, wq->name.len); -diff --git a/fs/exec.c b/fs/exec.c -index 153dee1..ae42277 100644 ---- a/fs/exec.c -+++ b/fs/exec.c -@@ -975,6 +975,9 @@ static int de_thread(struct task_struct *tsk) - sig->notify_count = 0; - - no_thread_group: -+ /* we have changed execution domain */ -+ tsk->exit_signal = SIGCHLD; -+ - if (current->mm) - setmax_mm_hiwater_rss(&sig->maxrss, current->mm); - -diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c -index 4dfbfec..ec2a9c2 100644 ---- a/fs/hfsplus/catalog.c -+++ b/fs/hfsplus/catalog.c -@@ -366,6 +366,10 @@ int hfsplus_rename_cat(u32 cnid, - err = hfs_brec_find(&src_fd); - if (err) - goto out; -+ if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) { -+ err = -EIO; -+ goto out; -+ } - - hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset, - src_fd.entrylength); -diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c -index 88e155f..26b53fb 100644 ---- a/fs/hfsplus/dir.c -+++ b/fs/hfsplus/dir.c -@@ -150,6 +150,11 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir) - filp->f_pos++; - /* fall through */ - case 1: -+ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { -+ err = -EIO; -+ goto out; -+ } -+ - hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, - fd.entrylength); - if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) { -@@ -181,6 +186,12 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir) - err = -EIO; - goto out; - } -+ -+ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { -+ err = -EIO; -+ goto out; -+ } -+ - hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, - fd.entrylength); - type = be16_to_cpu(entry.type); -diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c -index 9a54c9e..2612223 100644 ---- a/fs/nfs/nfs4proc.c -+++ b/fs/nfs/nfs4proc.c -@@ -4460,7 +4460,9 @@ static int _nfs4_do_setlk(struct nfs4_state *state, int cmd, struct file_lock *f - static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request) - { - struct nfs_server *server = NFS_SERVER(state->inode); -- struct nfs4_exception exception = { }; -+ struct nfs4_exception exception = { -+ .inode = state->inode, -+ }; - int err; - - do { -@@ -4478,7 +4480,9 @@ static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request - static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request) - { - struct nfs_server *server = NFS_SERVER(state->inode); -- struct nfs4_exception exception = { }; -+ struct nfs4_exception exception = { -+ .inode = state->inode, -+ }; - int err; - - err = nfs4_set_lock_state(state, request); -@@ -4558,6 +4562,7 @@ static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock * - { - struct nfs4_exception exception = { - .state = state, -+ .inode = state->inode, - }; - int err; - -@@ -4603,6 +4608,20 @@ nfs4_proc_lock(struct file *filp, int cmd, struct file_lock *request) - - if (state == NULL) - return -ENOLCK; -+ /* -+ * Don't rely on the VFS having checked the file open mode, -+ * since it won't do this for flock() locks. -+ */ -+ switch (request->fl_type & (F_RDLCK|F_WRLCK|F_UNLCK)) { -+ case F_RDLCK: -+ if (!(filp->f_mode & FMODE_READ)) -+ return -EBADF; -+ break; -+ case F_WRLCK: -+ if (!(filp->f_mode & FMODE_WRITE)) -+ return -EBADF; -+ } -+ - do { - status = nfs4_proc_setlk(state, cmd, request); - if ((status != -EAGAIN) || IS_SETLK(cmd)) -diff --git a/fs/nfs/read.c b/fs/nfs/read.c -index cfa175c..41bae32 100644 ---- a/fs/nfs/read.c -+++ b/fs/nfs/read.c -@@ -324,7 +324,7 @@ out_bad: - while (!list_empty(res)) { - data = list_entry(res->next, struct nfs_read_data, list); - list_del(&data->list); -- nfs_readdata_free(data); -+ nfs_readdata_release(data); - } - nfs_readpage_release(req); - return -ENOMEM; -diff --git a/fs/nfs/super.c b/fs/nfs/super.c -index 3dfa4f1..e4622ee 100644 ---- a/fs/nfs/super.c -+++ b/fs/nfs/super.c -@@ -2707,11 +2707,15 @@ static struct vfsmount *nfs_do_root_mount(struct file_system_type *fs_type, - char *root_devname; - size_t len; - -- len = strlen(hostname) + 3; -+ len = strlen(hostname) + 5; - root_devname = kmalloc(len, GFP_KERNEL); - if (root_devname == NULL) - return ERR_PTR(-ENOMEM); -- snprintf(root_devname, len, "%s:/", hostname); -+ /* Does hostname needs to be enclosed in brackets? */ -+ if (strchr(hostname, ':')) -+ snprintf(root_devname, len, "[%s]:/", hostname); -+ else -+ snprintf(root_devname, len, "%s:/", hostname); - root_mnt = vfs_kern_mount(fs_type, flags, root_devname, data); - kfree(root_devname); - return root_mnt; -diff --git a/fs/nfs/write.c b/fs/nfs/write.c -index 834f0fe..8fcc23a 100644 ---- a/fs/nfs/write.c -+++ b/fs/nfs/write.c -@@ -974,7 +974,7 @@ out_bad: - while (!list_empty(res)) { - data = list_entry(res->next, struct nfs_write_data, list); - list_del(&data->list); -- nfs_writedata_free(data); -+ nfs_writedata_release(data); - } - nfs_redirty_request(req); - return -ENOMEM; -diff --git a/fs/pipe.c b/fs/pipe.c -index a932ced..82e651b 100644 ---- a/fs/pipe.c -+++ b/fs/pipe.c -@@ -345,6 +345,16 @@ static const struct pipe_buf_operations anon_pipe_buf_ops = { - .get = generic_pipe_buf_get, - }; - -+static const struct pipe_buf_operations packet_pipe_buf_ops = { -+ .can_merge = 0, -+ .map = generic_pipe_buf_map, -+ .unmap = generic_pipe_buf_unmap, -+ .confirm = generic_pipe_buf_confirm, -+ .release = anon_pipe_buf_release, -+ .steal = generic_pipe_buf_steal, -+ .get = generic_pipe_buf_get, -+}; -+ - static ssize_t - pipe_read(struct kiocb *iocb, const struct iovec *_iov, - unsigned long nr_segs, loff_t pos) -@@ -406,6 +416,13 @@ redo: - ret += chars; - buf->offset += chars; - buf->len -= chars; -+ -+ /* Was it a packet buffer? Clean up and exit */ -+ if (buf->flags & PIPE_BUF_FLAG_PACKET) { -+ total_len = chars; -+ buf->len = 0; -+ } -+ - if (!buf->len) { - buf->ops = NULL; - ops->release(pipe, buf); -@@ -458,6 +475,11 @@ redo: - return ret; - } - -+static inline int is_packetized(struct file *file) -+{ -+ return (file->f_flags & O_DIRECT) != 0; -+} -+ - static ssize_t - pipe_write(struct kiocb *iocb, const struct iovec *_iov, - unsigned long nr_segs, loff_t ppos) -@@ -592,6 +614,11 @@ redo2: - buf->ops = &anon_pipe_buf_ops; - buf->offset = 0; - buf->len = chars; -+ buf->flags = 0; -+ if (is_packetized(filp)) { -+ buf->ops = &packet_pipe_buf_ops; -+ buf->flags = PIPE_BUF_FLAG_PACKET; -+ } - pipe->nrbufs = ++bufs; - pipe->tmp_page = NULL; - -@@ -1012,7 +1039,7 @@ struct file *create_write_pipe(int flags) - goto err_dentry; - f->f_mapping = inode->i_mapping; - -- f->f_flags = O_WRONLY | (flags & O_NONBLOCK); -+ f->f_flags = O_WRONLY | (flags & (O_NONBLOCK | O_DIRECT)); - f->f_version = 0; - - return f; -@@ -1056,7 +1083,7 @@ int do_pipe_flags(int *fd, int flags) - int error; - int fdw, fdr; - -- if (flags & ~(O_CLOEXEC | O_NONBLOCK)) -+ if (flags & ~(O_CLOEXEC | O_NONBLOCK | O_DIRECT)) - return -EINVAL; - - fw = create_write_pipe(flags); -diff --git a/include/linux/efi.h b/include/linux/efi.h -index 37c3007..7cce0ea 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -510,7 +510,18 @@ extern int __init efi_setup_pcdp_console(char *); - #define EFI_VARIABLE_NON_VOLATILE 0x0000000000000001 - #define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x0000000000000002 - #define EFI_VARIABLE_RUNTIME_ACCESS 0x0000000000000004 -- -+#define EFI_VARIABLE_HARDWARE_ERROR_RECORD 0x0000000000000008 -+#define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x0000000000000010 -+#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x0000000000000020 -+#define EFI_VARIABLE_APPEND_WRITE 0x0000000000000040 -+ -+#define EFI_VARIABLE_MASK (EFI_VARIABLE_NON_VOLATILE | \ -+ EFI_VARIABLE_BOOTSERVICE_ACCESS | \ -+ EFI_VARIABLE_RUNTIME_ACCESS | \ -+ EFI_VARIABLE_HARDWARE_ERROR_RECORD | \ -+ EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS | \ -+ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS | \ -+ EFI_VARIABLE_APPEND_WRITE) - /* - * The type of search to perform when calling boottime->locate_handle - */ -diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h -index 77257c9..0072a53 100644 ---- a/include/linux/pipe_fs_i.h -+++ b/include/linux/pipe_fs_i.h -@@ -8,6 +8,7 @@ - #define PIPE_BUF_FLAG_LRU 0x01 /* page is on the LRU */ - #define PIPE_BUF_FLAG_ATOMIC 0x02 /* was atomically mapped */ - #define PIPE_BUF_FLAG_GIFT 0x04 /* page is a gift */ -+#define PIPE_BUF_FLAG_PACKET 0x08 /* read() as a packet */ - - /** - * struct pipe_buffer - a linux kernel pipe buffer -diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h -index b2f62f3..05695ba 100644 ---- a/include/linux/usb/hcd.h -+++ b/include/linux/usb/hcd.h -@@ -126,6 +126,8 @@ struct usb_hcd { - unsigned wireless:1; /* Wireless USB HCD */ - unsigned authorized_default:1; - unsigned has_tt:1; /* Integrated TT in root hub */ -+ unsigned broken_pci_sleep:1; /* Don't put the -+ controller in PCI-D3 for system sleep */ - - int irq; /* irq allocated */ - void __iomem *regs; /* device memory/io */ -diff --git a/kernel/exit.c b/kernel/exit.c -index 4b4042f..46c8b14 100644 ---- a/kernel/exit.c -+++ b/kernel/exit.c -@@ -818,25 +818,6 @@ static void exit_notify(struct task_struct *tsk, int group_dead) - if (group_dead) - kill_orphaned_pgrp(tsk->group_leader, NULL); - -- /* Let father know we died -- * -- * Thread signals are configurable, but you aren't going to use -- * that to send signals to arbitrary processes. -- * That stops right now. -- * -- * If the parent exec id doesn't match the exec id we saved -- * when we started then we know the parent has changed security -- * domain. -- * -- * If our self_exec id doesn't match our parent_exec_id then -- * we have changed execution domain as these two values started -- * the same after a fork. -- */ -- if (thread_group_leader(tsk) && tsk->exit_signal != SIGCHLD && -- (tsk->parent_exec_id != tsk->real_parent->self_exec_id || -- tsk->self_exec_id != tsk->parent_exec_id)) -- tsk->exit_signal = SIGCHLD; -- - if (unlikely(tsk->ptrace)) { - int sig = thread_group_leader(tsk) && - thread_group_empty(tsk) && -diff --git a/kernel/power/swap.c b/kernel/power/swap.c -index 8742fd0..eef311a 100644 ---- a/kernel/power/swap.c -+++ b/kernel/power/swap.c -@@ -51,6 +51,23 @@ - - #define MAP_PAGE_ENTRIES (PAGE_SIZE / sizeof(sector_t) - 1) - -+/* -+ * Number of free pages that are not high. -+ */ -+static inline unsigned long low_free_pages(void) -+{ -+ return nr_free_pages() - nr_free_highpages(); -+} -+ -+/* -+ * Number of pages required to be kept free while writing the image. Always -+ * half of all available low pages before the writing starts. -+ */ -+static inline unsigned long reqd_free_pages(void) -+{ -+ return low_free_pages() / 2; -+} -+ - struct swap_map_page { - sector_t entries[MAP_PAGE_ENTRIES]; - sector_t next_swap; -@@ -72,7 +89,7 @@ struct swap_map_handle { - sector_t cur_swap; - sector_t first_sector; - unsigned int k; -- unsigned long nr_free_pages, written; -+ unsigned long reqd_free_pages; - u32 crc32; - }; - -@@ -316,8 +333,7 @@ static int get_swap_writer(struct swap_map_handle *handle) - goto err_rel; - } - handle->k = 0; -- handle->nr_free_pages = nr_free_pages() >> 1; -- handle->written = 0; -+ handle->reqd_free_pages = reqd_free_pages(); - handle->first_sector = handle->cur_swap; - return 0; - err_rel: -@@ -352,11 +368,11 @@ static int swap_write_page(struct swap_map_handle *handle, void *buf, - handle->cur_swap = offset; - handle->k = 0; - } -- if (bio_chain && ++handle->written > handle->nr_free_pages) { -+ if (bio_chain && low_free_pages() <= handle->reqd_free_pages) { - error = hib_wait_on_bio_chain(bio_chain); - if (error) - goto out; -- handle->written = 0; -+ handle->reqd_free_pages = reqd_free_pages(); - } - out: - return error; -@@ -618,7 +634,7 @@ static int save_image_lzo(struct swap_map_handle *handle, - * Adjust number of free pages after all allocations have been done. - * We don't want to run out of pages when writing. - */ -- handle->nr_free_pages = nr_free_pages() >> 1; -+ handle->reqd_free_pages = reqd_free_pages(); - - /* - * Start the CRC32 thread. -diff --git a/kernel/sched/core.c b/kernel/sched/core.c -index b342f57..478a04c 100644 ---- a/kernel/sched/core.c -+++ b/kernel/sched/core.c -@@ -2266,13 +2266,10 @@ calc_load_n(unsigned long load, unsigned long exp, - * Once we've updated the global active value, we need to apply the exponential - * weights adjusted to the number of cycles missed. - */ --static void calc_global_nohz(unsigned long ticks) -+static void calc_global_nohz(void) - { - long delta, active, n; - -- if (time_before(jiffies, calc_load_update)) -- return; -- - /* - * If we crossed a calc_load_update boundary, make sure to fold - * any pending idle changes, the respective CPUs might have -@@ -2284,31 +2281,25 @@ static void calc_global_nohz(unsigned long ticks) - atomic_long_add(delta, &calc_load_tasks); - - /* -- * If we were idle for multiple load cycles, apply them. -+ * It could be the one fold was all it took, we done! - */ -- if (ticks >= LOAD_FREQ) { -- n = ticks / LOAD_FREQ; -+ if (time_before(jiffies, calc_load_update + 10)) -+ return; - -- active = atomic_long_read(&calc_load_tasks); -- active = active > 0 ? active * FIXED_1 : 0; -+ /* -+ * Catch-up, fold however many we are behind still -+ */ -+ delta = jiffies - calc_load_update - 10; -+ n = 1 + (delta / LOAD_FREQ); - -- avenrun[0] = calc_load_n(avenrun[0], EXP_1, active, n); -- avenrun[1] = calc_load_n(avenrun[1], EXP_5, active, n); -- avenrun[2] = calc_load_n(avenrun[2], EXP_15, active, n); -+ active = atomic_long_read(&calc_load_tasks); -+ active = active > 0 ? active * FIXED_1 : 0; - -- calc_load_update += n * LOAD_FREQ; -- } -+ avenrun[0] = calc_load_n(avenrun[0], EXP_1, active, n); -+ avenrun[1] = calc_load_n(avenrun[1], EXP_5, active, n); -+ avenrun[2] = calc_load_n(avenrun[2], EXP_15, active, n); - -- /* -- * Its possible the remainder of the above division also crosses -- * a LOAD_FREQ period, the regular check in calc_global_load() -- * which comes after this will take care of that. -- * -- * Consider us being 11 ticks before a cycle completion, and us -- * sleeping for 4*LOAD_FREQ + 22 ticks, then the above code will -- * age us 4 cycles, and the test in calc_global_load() will -- * pick up the final one. -- */ -+ calc_load_update += n * LOAD_FREQ; - } - #else - void calc_load_account_idle(struct rq *this_rq) -@@ -2320,7 +2311,7 @@ static inline long calc_load_fold_idle(void) - return 0; - } - --static void calc_global_nohz(unsigned long ticks) -+static void calc_global_nohz(void) - { - } - #endif -@@ -2348,8 +2339,6 @@ void calc_global_load(unsigned long ticks) - { - long active; - -- calc_global_nohz(ticks); -- - if (time_before(jiffies, calc_load_update + 10)) - return; - -@@ -2361,6 +2350,16 @@ void calc_global_load(unsigned long ticks) - avenrun[2] = calc_load(avenrun[2], EXP_15, active); - - calc_load_update += LOAD_FREQ; -+ -+ /* -+ * Account one period with whatever state we found before -+ * folding in the nohz state and ageing the entire idle period. -+ * -+ * This avoids loosing a sample when we go idle between -+ * calc_load_account_active() (10 ticks ago) and now and thus -+ * under-accounting. -+ */ -+ calc_global_nohz(); - } - - /* -@@ -6334,16 +6333,26 @@ static void __sdt_free(const struct cpumask *cpu_map) - struct sd_data *sdd = &tl->data; - - for_each_cpu(j, cpu_map) { -- struct sched_domain *sd = *per_cpu_ptr(sdd->sd, j); -- if (sd && (sd->flags & SD_OVERLAP)) -- free_sched_groups(sd->groups, 0); -- kfree(*per_cpu_ptr(sdd->sd, j)); -- kfree(*per_cpu_ptr(sdd->sg, j)); -- kfree(*per_cpu_ptr(sdd->sgp, j)); -+ struct sched_domain *sd; -+ -+ if (sdd->sd) { -+ sd = *per_cpu_ptr(sdd->sd, j); -+ if (sd && (sd->flags & SD_OVERLAP)) -+ free_sched_groups(sd->groups, 0); -+ kfree(*per_cpu_ptr(sdd->sd, j)); -+ } -+ -+ if (sdd->sg) -+ kfree(*per_cpu_ptr(sdd->sg, j)); -+ if (sdd->sgp) -+ kfree(*per_cpu_ptr(sdd->sgp, j)); - } - free_percpu(sdd->sd); -+ sdd->sd = NULL; - free_percpu(sdd->sg); -+ sdd->sg = NULL; - free_percpu(sdd->sgp); -+ sdd->sgp = NULL; - } - } - -diff --git a/kernel/signal.c b/kernel/signal.c -index c73c428..b09cf3b 100644 ---- a/kernel/signal.c -+++ b/kernel/signal.c -@@ -1642,6 +1642,15 @@ bool do_notify_parent(struct task_struct *tsk, int sig) - BUG_ON(!tsk->ptrace && - (tsk->group_leader != tsk || !thread_group_empty(tsk))); - -+ if (sig != SIGCHLD) { -+ /* -+ * This is only possible if parent == real_parent. -+ * Check if it has changed security domain. -+ */ -+ if (tsk->parent_exec_id != tsk->parent->self_exec_id) -+ sig = SIGCHLD; -+ } -+ - info.si_signo = sig; - info.si_errno = 0; - /* -diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c -index 0d6ff35..d9c07f0 100644 ---- a/kernel/trace/trace_output.c -+++ b/kernel/trace/trace_output.c -@@ -650,6 +650,8 @@ int trace_print_lat_context(struct trace_iterator *iter) - { - u64 next_ts; - int ret; -+ /* trace_find_next_entry will reset ent_size */ -+ int ent_size = iter->ent_size; - struct trace_seq *s = &iter->seq; - struct trace_entry *entry = iter->ent, - *next_entry = trace_find_next_entry(iter, NULL, -@@ -658,6 +660,9 @@ int trace_print_lat_context(struct trace_iterator *iter) - unsigned long abs_usecs = ns2usecs(iter->ts - iter->tr->time_start); - unsigned long rel_usecs; - -+ /* Restore the original ent_size */ -+ iter->ent_size = ent_size; -+ - if (!next_entry) - next_ts = iter->ts; - rel_usecs = ns2usecs(next_ts - iter->ts); -diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c -index e05667c..6a31cea 100644 ---- a/net/mac80211/tx.c -+++ b/net/mac80211/tx.c -@@ -1144,7 +1144,8 @@ ieee80211_tx_prepare(struct ieee80211_sub_if_data *sdata, - tx->sta = rcu_dereference(sdata->u.vlan.sta); - if (!tx->sta && sdata->dev->ieee80211_ptr->use_4addr) - return TX_DROP; -- } else if (info->flags & IEEE80211_TX_CTL_INJECTED) { -+ } else if (info->flags & IEEE80211_TX_CTL_INJECTED || -+ tx->sdata->control_port_protocol == tx->skb->protocol) { - tx->sta = sta_info_get_bss(sdata, hdr->addr1); - } - if (!tx->sta) -diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c -index afeea32..bf945c9 100644 ---- a/net/wireless/nl80211.c -+++ b/net/wireless/nl80211.c -@@ -1293,6 +1293,11 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info) - goto bad_res; - } - -+ if (!netif_running(netdev)) { -+ result = -ENETDOWN; -+ goto bad_res; -+ } -+ - nla_for_each_nested(nl_txq_params, - info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS], - rem_txq_params) { -@@ -6262,7 +6267,7 @@ static struct genl_ops nl80211_ops[] = { - .doit = nl80211_get_key, - .policy = nl80211_policy, - .flags = GENL_ADMIN_PERM, -- .internal_flags = NL80211_FLAG_NEED_NETDEV | -+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | - NL80211_FLAG_NEED_RTNL, - }, - { -@@ -6294,7 +6299,7 @@ static struct genl_ops nl80211_ops[] = { - .policy = nl80211_policy, - .flags = GENL_ADMIN_PERM, - .doit = nl80211_addset_beacon, -- .internal_flags = NL80211_FLAG_NEED_NETDEV | -+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | - NL80211_FLAG_NEED_RTNL, - }, - { -@@ -6302,7 +6307,7 @@ static struct genl_ops nl80211_ops[] = { - .policy = nl80211_policy, - .flags = GENL_ADMIN_PERM, - .doit = nl80211_addset_beacon, -- .internal_flags = NL80211_FLAG_NEED_NETDEV | -+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | - NL80211_FLAG_NEED_RTNL, - }, - { -@@ -6326,7 +6331,7 @@ static struct genl_ops nl80211_ops[] = { - .doit = nl80211_set_station, - .policy = nl80211_policy, - .flags = GENL_ADMIN_PERM, -- .internal_flags = NL80211_FLAG_NEED_NETDEV | -+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | - NL80211_FLAG_NEED_RTNL, - }, - { -@@ -6342,7 +6347,7 @@ static struct genl_ops nl80211_ops[] = { - .doit = nl80211_del_station, - .policy = nl80211_policy, - .flags = GENL_ADMIN_PERM, -- .internal_flags = NL80211_FLAG_NEED_NETDEV | -+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | - NL80211_FLAG_NEED_RTNL, - }, - { -@@ -6375,7 +6380,7 @@ static struct genl_ops nl80211_ops[] = { - .doit = nl80211_del_mpath, - .policy = nl80211_policy, - .flags = GENL_ADMIN_PERM, -- .internal_flags = NL80211_FLAG_NEED_NETDEV | -+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | - NL80211_FLAG_NEED_RTNL, - }, - { -@@ -6383,7 +6388,7 @@ static struct genl_ops nl80211_ops[] = { - .doit = nl80211_set_bss, - .policy = nl80211_policy, - .flags = GENL_ADMIN_PERM, -- .internal_flags = NL80211_FLAG_NEED_NETDEV | -+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | - NL80211_FLAG_NEED_RTNL, - }, - { -@@ -6409,7 +6414,7 @@ static struct genl_ops nl80211_ops[] = { - .doit = nl80211_get_mesh_config, - .policy = nl80211_policy, - /* can be retrieved by unprivileged users */ -- .internal_flags = NL80211_FLAG_NEED_NETDEV | -+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | - NL80211_FLAG_NEED_RTNL, - }, - { -@@ -6542,7 +6547,7 @@ static struct genl_ops nl80211_ops[] = { - .doit = nl80211_setdel_pmksa, - .policy = nl80211_policy, - .flags = GENL_ADMIN_PERM, -- .internal_flags = NL80211_FLAG_NEED_NETDEV | -+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | - NL80211_FLAG_NEED_RTNL, - }, - { -@@ -6550,7 +6555,7 @@ static struct genl_ops nl80211_ops[] = { - .doit = nl80211_setdel_pmksa, - .policy = nl80211_policy, - .flags = GENL_ADMIN_PERM, -- .internal_flags = NL80211_FLAG_NEED_NETDEV | -+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | - NL80211_FLAG_NEED_RTNL, - }, - { -@@ -6558,7 +6563,7 @@ static struct genl_ops nl80211_ops[] = { - .doit = nl80211_flush_pmksa, - .policy = nl80211_policy, - .flags = GENL_ADMIN_PERM, -- .internal_flags = NL80211_FLAG_NEED_NETDEV | -+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | - NL80211_FLAG_NEED_RTNL, - }, - { -@@ -6718,7 +6723,7 @@ static struct genl_ops nl80211_ops[] = { - .doit = nl80211_probe_client, - .policy = nl80211_policy, - .flags = GENL_ADMIN_PERM, -- .internal_flags = NL80211_FLAG_NEED_NETDEV | -+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | - NL80211_FLAG_NEED_RTNL, - }, - { -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index e5153ea..0960ece 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -5402,6 +5402,7 @@ static const struct alc_fixup alc269_fixups[] = { - }; - - static const struct snd_pci_quirk alc269_fixup_tbl[] = { -+ SND_PCI_QUIRK(0x1043, 0x1427, "Asus Zenbook UX31E", ALC269VB_FIXUP_DMIC), - SND_PCI_QUIRK(0x1043, 0x1a13, "Asus G73Jw", ALC269_FIXUP_ASUS_G73JW), - SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC), - SND_PCI_QUIRK(0x1043, 0x831a, "ASUS P901", ALC269_FIXUP_STEREO_DMIC), -diff --git a/sound/soc/codecs/wm8994.c b/sound/soc/codecs/wm8994.c -index 900c91b..e5cc616 100644 ---- a/sound/soc/codecs/wm8994.c -+++ b/sound/soc/codecs/wm8994.c -@@ -929,61 +929,170 @@ static void wm8994_update_class_w(struct snd_soc_codec *codec) - } - } - --static int late_enable_ev(struct snd_soc_dapm_widget *w, -- struct snd_kcontrol *kcontrol, int event) -+static int aif1clk_ev(struct snd_soc_dapm_widget *w, -+ struct snd_kcontrol *kcontrol, int event) - { - struct snd_soc_codec *codec = w->codec; -- struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); -+ struct wm8994 *control = codec->control_data; -+ int mask = WM8994_AIF1DAC1L_ENA | WM8994_AIF1DAC1R_ENA; -+ int dac; -+ int adc; -+ int val; -+ -+ switch (control->type) { -+ case WM8994: -+ case WM8958: -+ mask |= WM8994_AIF1DAC2L_ENA | WM8994_AIF1DAC2R_ENA; -+ break; -+ default: -+ break; -+ } - - switch (event) { - case SND_SOC_DAPM_PRE_PMU: -- if (wm8994->aif1clk_enable) { -- snd_soc_update_bits(codec, WM8994_AIF1_CLOCKING_1, -- WM8994_AIF1CLK_ENA_MASK, -- WM8994_AIF1CLK_ENA); -- wm8994->aif1clk_enable = 0; -- } -- if (wm8994->aif2clk_enable) { -- snd_soc_update_bits(codec, WM8994_AIF2_CLOCKING_1, -- WM8994_AIF2CLK_ENA_MASK, -- WM8994_AIF2CLK_ENA); -- wm8994->aif2clk_enable = 0; -- } -+ val = snd_soc_read(codec, WM8994_AIF1_CONTROL_1); -+ if ((val & WM8994_AIF1ADCL_SRC) && -+ (val & WM8994_AIF1ADCR_SRC)) -+ adc = WM8994_AIF1ADC1R_ENA | WM8994_AIF1ADC2R_ENA; -+ else if (!(val & WM8994_AIF1ADCL_SRC) && -+ !(val & WM8994_AIF1ADCR_SRC)) -+ adc = WM8994_AIF1ADC1L_ENA | WM8994_AIF1ADC2L_ENA; -+ else -+ adc = WM8994_AIF1ADC1R_ENA | WM8994_AIF1ADC2R_ENA | -+ WM8994_AIF1ADC1L_ENA | WM8994_AIF1ADC2L_ENA; -+ -+ val = snd_soc_read(codec, WM8994_AIF1_CONTROL_2); -+ if ((val & WM8994_AIF1DACL_SRC) && -+ (val & WM8994_AIF1DACR_SRC)) -+ dac = WM8994_AIF1DAC1R_ENA | WM8994_AIF1DAC2R_ENA; -+ else if (!(val & WM8994_AIF1DACL_SRC) && -+ !(val & WM8994_AIF1DACR_SRC)) -+ dac = WM8994_AIF1DAC1L_ENA | WM8994_AIF1DAC2L_ENA; -+ else -+ dac = WM8994_AIF1DAC1R_ENA | WM8994_AIF1DAC2R_ENA | -+ WM8994_AIF1DAC1L_ENA | WM8994_AIF1DAC2L_ENA; -+ -+ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4, -+ mask, adc); -+ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5, -+ mask, dac); -+ snd_soc_update_bits(codec, WM8994_CLOCKING_1, -+ WM8994_AIF1DSPCLK_ENA | -+ WM8994_SYSDSPCLK_ENA, -+ WM8994_AIF1DSPCLK_ENA | -+ WM8994_SYSDSPCLK_ENA); -+ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4, mask, -+ WM8994_AIF1ADC1R_ENA | -+ WM8994_AIF1ADC1L_ENA | -+ WM8994_AIF1ADC2R_ENA | -+ WM8994_AIF1ADC2L_ENA); -+ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5, mask, -+ WM8994_AIF1DAC1R_ENA | -+ WM8994_AIF1DAC1L_ENA | -+ WM8994_AIF1DAC2R_ENA | -+ WM8994_AIF1DAC2L_ENA); -+ break; -+ -+ case SND_SOC_DAPM_PRE_PMD: -+ case SND_SOC_DAPM_POST_PMD: -+ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5, -+ mask, 0); -+ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4, -+ mask, 0); -+ -+ val = snd_soc_read(codec, WM8994_CLOCKING_1); -+ if (val & WM8994_AIF2DSPCLK_ENA) -+ val = WM8994_SYSDSPCLK_ENA; -+ else -+ val = 0; -+ snd_soc_update_bits(codec, WM8994_CLOCKING_1, -+ WM8994_SYSDSPCLK_ENA | -+ WM8994_AIF1DSPCLK_ENA, val); - break; - } - -- /* We may also have postponed startup of DSP, handle that. */ -- wm8958_aif_ev(w, kcontrol, event); -- - return 0; - } - --static int late_disable_ev(struct snd_soc_dapm_widget *w, -- struct snd_kcontrol *kcontrol, int event) -+static int aif2clk_ev(struct snd_soc_dapm_widget *w, -+ struct snd_kcontrol *kcontrol, int event) - { - struct snd_soc_codec *codec = w->codec; -- struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); -+ int dac; -+ int adc; -+ int val; - - switch (event) { -+ case SND_SOC_DAPM_PRE_PMU: -+ val = snd_soc_read(codec, WM8994_AIF2_CONTROL_1); -+ if ((val & WM8994_AIF2ADCL_SRC) && -+ (val & WM8994_AIF2ADCR_SRC)) -+ adc = WM8994_AIF2ADCR_ENA; -+ else if (!(val & WM8994_AIF2ADCL_SRC) && -+ !(val & WM8994_AIF2ADCR_SRC)) -+ adc = WM8994_AIF2ADCL_ENA; -+ else -+ adc = WM8994_AIF2ADCL_ENA | WM8994_AIF2ADCR_ENA; -+ -+ -+ val = snd_soc_read(codec, WM8994_AIF2_CONTROL_2); -+ if ((val & WM8994_AIF2DACL_SRC) && -+ (val & WM8994_AIF2DACR_SRC)) -+ dac = WM8994_AIF2DACR_ENA; -+ else if (!(val & WM8994_AIF2DACL_SRC) && -+ !(val & WM8994_AIF2DACR_SRC)) -+ dac = WM8994_AIF2DACL_ENA; -+ else -+ dac = WM8994_AIF2DACL_ENA | WM8994_AIF2DACR_ENA; -+ -+ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4, -+ WM8994_AIF2ADCL_ENA | -+ WM8994_AIF2ADCR_ENA, adc); -+ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5, -+ WM8994_AIF2DACL_ENA | -+ WM8994_AIF2DACR_ENA, dac); -+ snd_soc_update_bits(codec, WM8994_CLOCKING_1, -+ WM8994_AIF2DSPCLK_ENA | -+ WM8994_SYSDSPCLK_ENA, -+ WM8994_AIF2DSPCLK_ENA | -+ WM8994_SYSDSPCLK_ENA); -+ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4, -+ WM8994_AIF2ADCL_ENA | -+ WM8994_AIF2ADCR_ENA, -+ WM8994_AIF2ADCL_ENA | -+ WM8994_AIF2ADCR_ENA); -+ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5, -+ WM8994_AIF2DACL_ENA | -+ WM8994_AIF2DACR_ENA, -+ WM8994_AIF2DACL_ENA | -+ WM8994_AIF2DACR_ENA); -+ break; -+ -+ case SND_SOC_DAPM_PRE_PMD: - case SND_SOC_DAPM_POST_PMD: -- if (wm8994->aif1clk_disable) { -- snd_soc_update_bits(codec, WM8994_AIF1_CLOCKING_1, -- WM8994_AIF1CLK_ENA_MASK, 0); -- wm8994->aif1clk_disable = 0; -- } -- if (wm8994->aif2clk_disable) { -- snd_soc_update_bits(codec, WM8994_AIF2_CLOCKING_1, -- WM8994_AIF2CLK_ENA_MASK, 0); -- wm8994->aif2clk_disable = 0; -- } -+ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5, -+ WM8994_AIF2DACL_ENA | -+ WM8994_AIF2DACR_ENA, 0); -+ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5, -+ WM8994_AIF2ADCL_ENA | -+ WM8994_AIF2ADCR_ENA, 0); -+ -+ val = snd_soc_read(codec, WM8994_CLOCKING_1); -+ if (val & WM8994_AIF1DSPCLK_ENA) -+ val = WM8994_SYSDSPCLK_ENA; -+ else -+ val = 0; -+ snd_soc_update_bits(codec, WM8994_CLOCKING_1, -+ WM8994_SYSDSPCLK_ENA | -+ WM8994_AIF2DSPCLK_ENA, val); - break; - } - - return 0; - } - --static int aif1clk_ev(struct snd_soc_dapm_widget *w, -- struct snd_kcontrol *kcontrol, int event) -+static int aif1clk_late_ev(struct snd_soc_dapm_widget *w, -+ struct snd_kcontrol *kcontrol, int event) - { - struct snd_soc_codec *codec = w->codec; - struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); -@@ -1000,8 +1109,8 @@ static int aif1clk_ev(struct snd_soc_dapm_widget *w, - return 0; - } - --static int aif2clk_ev(struct snd_soc_dapm_widget *w, -- struct snd_kcontrol *kcontrol, int event) -+static int aif2clk_late_ev(struct snd_soc_dapm_widget *w, -+ struct snd_kcontrol *kcontrol, int event) - { - struct snd_soc_codec *codec = w->codec; - struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); -@@ -1018,6 +1127,63 @@ static int aif2clk_ev(struct snd_soc_dapm_widget *w, - return 0; - } - -+static int late_enable_ev(struct snd_soc_dapm_widget *w, -+ struct snd_kcontrol *kcontrol, int event) -+{ -+ struct snd_soc_codec *codec = w->codec; -+ struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); -+ -+ switch (event) { -+ case SND_SOC_DAPM_PRE_PMU: -+ if (wm8994->aif1clk_enable) { -+ aif1clk_ev(w, kcontrol, event); -+ snd_soc_update_bits(codec, WM8994_AIF1_CLOCKING_1, -+ WM8994_AIF1CLK_ENA_MASK, -+ WM8994_AIF1CLK_ENA); -+ wm8994->aif1clk_enable = 0; -+ } -+ if (wm8994->aif2clk_enable) { -+ aif2clk_ev(w, kcontrol, event); -+ snd_soc_update_bits(codec, WM8994_AIF2_CLOCKING_1, -+ WM8994_AIF2CLK_ENA_MASK, -+ WM8994_AIF2CLK_ENA); -+ wm8994->aif2clk_enable = 0; -+ } -+ break; -+ } -+ -+ /* We may also have postponed startup of DSP, handle that. */ -+ wm8958_aif_ev(w, kcontrol, event); -+ -+ return 0; -+} -+ -+static int late_disable_ev(struct snd_soc_dapm_widget *w, -+ struct snd_kcontrol *kcontrol, int event) -+{ -+ struct snd_soc_codec *codec = w->codec; -+ struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); -+ -+ switch (event) { -+ case SND_SOC_DAPM_POST_PMD: -+ if (wm8994->aif1clk_disable) { -+ snd_soc_update_bits(codec, WM8994_AIF1_CLOCKING_1, -+ WM8994_AIF1CLK_ENA_MASK, 0); -+ aif1clk_ev(w, kcontrol, event); -+ wm8994->aif1clk_disable = 0; -+ } -+ if (wm8994->aif2clk_disable) { -+ snd_soc_update_bits(codec, WM8994_AIF2_CLOCKING_1, -+ WM8994_AIF2CLK_ENA_MASK, 0); -+ aif2clk_ev(w, kcontrol, event); -+ wm8994->aif2clk_disable = 0; -+ } -+ break; -+ } -+ -+ return 0; -+} -+ - static int adc_mux_ev(struct snd_soc_dapm_widget *w, - struct snd_kcontrol *kcontrol, int event) - { -@@ -1314,9 +1480,9 @@ static const struct snd_kcontrol_new aif2dacr_src_mux = - SOC_DAPM_ENUM("AIF2DACR Mux", aif2dacr_src_enum); - - static const struct snd_soc_dapm_widget wm8994_lateclk_revd_widgets[] = { --SND_SOC_DAPM_SUPPLY("AIF1CLK", SND_SOC_NOPM, 0, 0, aif1clk_ev, -+SND_SOC_DAPM_SUPPLY("AIF1CLK", SND_SOC_NOPM, 0, 0, aif1clk_late_ev, - SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD), --SND_SOC_DAPM_SUPPLY("AIF2CLK", SND_SOC_NOPM, 0, 0, aif2clk_ev, -+SND_SOC_DAPM_SUPPLY("AIF2CLK", SND_SOC_NOPM, 0, 0, aif2clk_late_ev, - SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD), - - SND_SOC_DAPM_PGA_E("Late DAC1L Enable PGA", SND_SOC_NOPM, 0, 0, NULL, 0, -@@ -1345,8 +1511,10 @@ SND_SOC_DAPM_POST("Late Disable PGA", late_disable_ev) - }; - - static const struct snd_soc_dapm_widget wm8994_lateclk_widgets[] = { --SND_SOC_DAPM_SUPPLY("AIF1CLK", WM8994_AIF1_CLOCKING_1, 0, 0, NULL, 0), --SND_SOC_DAPM_SUPPLY("AIF2CLK", WM8994_AIF2_CLOCKING_1, 0, 0, NULL, 0), -+SND_SOC_DAPM_SUPPLY("AIF1CLK", WM8994_AIF1_CLOCKING_1, 0, 0, aif1clk_ev, -+ SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_PRE_PMD), -+SND_SOC_DAPM_SUPPLY("AIF2CLK", WM8994_AIF2_CLOCKING_1, 0, 0, aif2clk_ev, -+ SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_PRE_PMD), - SND_SOC_DAPM_PGA("Direct Voice", SND_SOC_NOPM, 0, 0, NULL, 0), - SND_SOC_DAPM_MIXER("SPKL", WM8994_POWER_MANAGEMENT_3, 8, 0, - left_speaker_mixer, ARRAY_SIZE(left_speaker_mixer)), -@@ -1399,30 +1567,30 @@ SND_SOC_DAPM_SUPPLY("VMID", SND_SOC_NOPM, 0, 0, vmid_event, - SND_SOC_DAPM_SUPPLY("CLK_SYS", SND_SOC_NOPM, 0, 0, clk_sys_event, - SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD), - --SND_SOC_DAPM_SUPPLY("DSP1CLK", WM8994_CLOCKING_1, 3, 0, NULL, 0), --SND_SOC_DAPM_SUPPLY("DSP2CLK", WM8994_CLOCKING_1, 2, 0, NULL, 0), --SND_SOC_DAPM_SUPPLY("DSPINTCLK", WM8994_CLOCKING_1, 1, 0, NULL, 0), -+SND_SOC_DAPM_SUPPLY("DSP1CLK", SND_SOC_NOPM, 3, 0, NULL, 0), -+SND_SOC_DAPM_SUPPLY("DSP2CLK", SND_SOC_NOPM, 2, 0, NULL, 0), -+SND_SOC_DAPM_SUPPLY("DSPINTCLK", SND_SOC_NOPM, 1, 0, NULL, 0), - - SND_SOC_DAPM_AIF_OUT("AIF1ADC1L", NULL, -- 0, WM8994_POWER_MANAGEMENT_4, 9, 0), -+ 0, SND_SOC_NOPM, 9, 0), - SND_SOC_DAPM_AIF_OUT("AIF1ADC1R", NULL, -- 0, WM8994_POWER_MANAGEMENT_4, 8, 0), -+ 0, SND_SOC_NOPM, 8, 0), - SND_SOC_DAPM_AIF_IN_E("AIF1DAC1L", NULL, 0, -- WM8994_POWER_MANAGEMENT_5, 9, 0, wm8958_aif_ev, -+ SND_SOC_NOPM, 9, 0, wm8958_aif_ev, - SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD), - SND_SOC_DAPM_AIF_IN_E("AIF1DAC1R", NULL, 0, -- WM8994_POWER_MANAGEMENT_5, 8, 0, wm8958_aif_ev, -+ SND_SOC_NOPM, 8, 0, wm8958_aif_ev, - SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD), - - SND_SOC_DAPM_AIF_OUT("AIF1ADC2L", NULL, -- 0, WM8994_POWER_MANAGEMENT_4, 11, 0), -+ 0, SND_SOC_NOPM, 11, 0), - SND_SOC_DAPM_AIF_OUT("AIF1ADC2R", NULL, -- 0, WM8994_POWER_MANAGEMENT_4, 10, 0), -+ 0, SND_SOC_NOPM, 10, 0), - SND_SOC_DAPM_AIF_IN_E("AIF1DAC2L", NULL, 0, -- WM8994_POWER_MANAGEMENT_5, 11, 0, wm8958_aif_ev, -+ SND_SOC_NOPM, 11, 0, wm8958_aif_ev, - SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD), - SND_SOC_DAPM_AIF_IN_E("AIF1DAC2R", NULL, 0, -- WM8994_POWER_MANAGEMENT_5, 10, 0, wm8958_aif_ev, -+ SND_SOC_NOPM, 10, 0, wm8958_aif_ev, - SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD), - - SND_SOC_DAPM_MIXER("AIF1ADC1L Mixer", SND_SOC_NOPM, 0, 0, -@@ -1449,14 +1617,14 @@ SND_SOC_DAPM_MIXER("DAC1R Mixer", SND_SOC_NOPM, 0, 0, - dac1r_mix, ARRAY_SIZE(dac1r_mix)), - - SND_SOC_DAPM_AIF_OUT("AIF2ADCL", NULL, 0, -- WM8994_POWER_MANAGEMENT_4, 13, 0), -+ SND_SOC_NOPM, 13, 0), - SND_SOC_DAPM_AIF_OUT("AIF2ADCR", NULL, 0, -- WM8994_POWER_MANAGEMENT_4, 12, 0), -+ SND_SOC_NOPM, 12, 0), - SND_SOC_DAPM_AIF_IN_E("AIF2DACL", NULL, 0, -- WM8994_POWER_MANAGEMENT_5, 13, 0, wm8958_aif_ev, -+ SND_SOC_NOPM, 13, 0, wm8958_aif_ev, - SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD), - SND_SOC_DAPM_AIF_IN_E("AIF2DACR", NULL, 0, -- WM8994_POWER_MANAGEMENT_5, 12, 0, wm8958_aif_ev, -+ SND_SOC_NOPM, 12, 0, wm8958_aif_ev, - SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD), - - SND_SOC_DAPM_AIF_IN("AIF1DACDAT", "AIF1 Playback", 0, SND_SOC_NOPM, 0, 0), -diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c -index 1315663..ac6b869 100644 ---- a/sound/soc/soc-dapm.c -+++ b/sound/soc/soc-dapm.c -@@ -70,6 +70,7 @@ static int dapm_up_seq[] = { - [snd_soc_dapm_out_drv] = 10, - [snd_soc_dapm_hp] = 10, - [snd_soc_dapm_spk] = 10, -+ [snd_soc_dapm_line] = 10, - [snd_soc_dapm_post] = 11, - }; - -@@ -78,6 +79,7 @@ static int dapm_down_seq[] = { - [snd_soc_dapm_adc] = 1, - [snd_soc_dapm_hp] = 2, - [snd_soc_dapm_spk] = 2, -+ [snd_soc_dapm_line] = 2, - [snd_soc_dapm_out_drv] = 2, - [snd_soc_dapm_pga] = 4, - [snd_soc_dapm_mixer_named_ctl] = 5, -diff --git a/tools/include/tools/be_byteshift.h b/tools/include/tools/be_byteshift.h -new file mode 100644 -index 0000000..f4912e2 ---- /dev/null -+++ b/tools/include/tools/be_byteshift.h -@@ -0,0 +1,70 @@ -+#ifndef _TOOLS_BE_BYTESHIFT_H -+#define _TOOLS_BE_BYTESHIFT_H -+ -+#include <linux/types.h> -+ -+static inline __u16 __get_unaligned_be16(const __u8 *p) -+{ -+ return p[0] << 8 | p[1]; -+} -+ -+static inline __u32 __get_unaligned_be32(const __u8 *p) -+{ -+ return p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; -+} -+ -+static inline __u64 __get_unaligned_be64(const __u8 *p) -+{ -+ return (__u64)__get_unaligned_be32(p) << 32 | -+ __get_unaligned_be32(p + 4); -+} -+ -+static inline void __put_unaligned_be16(__u16 val, __u8 *p) -+{ -+ *p++ = val >> 8; -+ *p++ = val; -+} -+ -+static inline void __put_unaligned_be32(__u32 val, __u8 *p) -+{ -+ __put_unaligned_be16(val >> 16, p); -+ __put_unaligned_be16(val, p + 2); -+} -+ -+static inline void __put_unaligned_be64(__u64 val, __u8 *p) -+{ -+ __put_unaligned_be32(val >> 32, p); -+ __put_unaligned_be32(val, p + 4); -+} -+ -+static inline __u16 get_unaligned_be16(const void *p) -+{ -+ return __get_unaligned_be16((const __u8 *)p); -+} -+ -+static inline __u32 get_unaligned_be32(const void *p) -+{ -+ return __get_unaligned_be32((const __u8 *)p); -+} -+ -+static inline __u64 get_unaligned_be64(const void *p) -+{ -+ return __get_unaligned_be64((const __u8 *)p); -+} -+ -+static inline void put_unaligned_be16(__u16 val, void *p) -+{ -+ __put_unaligned_be16(val, p); -+} -+ -+static inline void put_unaligned_be32(__u32 val, void *p) -+{ -+ __put_unaligned_be32(val, p); -+} -+ -+static inline void put_unaligned_be64(__u64 val, void *p) -+{ -+ __put_unaligned_be64(val, p); -+} -+ -+#endif /* _TOOLS_BE_BYTESHIFT_H */ -diff --git a/tools/include/tools/le_byteshift.h b/tools/include/tools/le_byteshift.h -new file mode 100644 -index 0000000..c99d45a ---- /dev/null -+++ b/tools/include/tools/le_byteshift.h -@@ -0,0 +1,70 @@ -+#ifndef _TOOLS_LE_BYTESHIFT_H -+#define _TOOLS_LE_BYTESHIFT_H -+ -+#include <linux/types.h> -+ -+static inline __u16 __get_unaligned_le16(const __u8 *p) -+{ -+ return p[0] | p[1] << 8; -+} -+ -+static inline __u32 __get_unaligned_le32(const __u8 *p) -+{ -+ return p[0] | p[1] << 8 | p[2] << 16 | p[3] << 24; -+} -+ -+static inline __u64 __get_unaligned_le64(const __u8 *p) -+{ -+ return (__u64)__get_unaligned_le32(p + 4) << 32 | -+ __get_unaligned_le32(p); -+} -+ -+static inline void __put_unaligned_le16(__u16 val, __u8 *p) -+{ -+ *p++ = val; -+ *p++ = val >> 8; -+} -+ -+static inline void __put_unaligned_le32(__u32 val, __u8 *p) -+{ -+ __put_unaligned_le16(val >> 16, p + 2); -+ __put_unaligned_le16(val, p); -+} -+ -+static inline void __put_unaligned_le64(__u64 val, __u8 *p) -+{ -+ __put_unaligned_le32(val >> 32, p + 4); -+ __put_unaligned_le32(val, p); -+} -+ -+static inline __u16 get_unaligned_le16(const void *p) -+{ -+ return __get_unaligned_le16((const __u8 *)p); -+} -+ -+static inline __u32 get_unaligned_le32(const void *p) -+{ -+ return __get_unaligned_le32((const __u8 *)p); -+} -+ -+static inline __u64 get_unaligned_le64(const void *p) -+{ -+ return __get_unaligned_le64((const __u8 *)p); -+} -+ -+static inline void put_unaligned_le16(__u16 val, void *p) -+{ -+ __put_unaligned_le16(val, p); -+} -+ -+static inline void put_unaligned_le32(__u32 val, void *p) -+{ -+ __put_unaligned_le32(val, p); -+} -+ -+static inline void put_unaligned_le64(__u64 val, void *p) -+{ -+ __put_unaligned_le64(val, p); -+} -+ -+#endif /* _TOOLS_LE_BYTESHIFT_H */ diff --git a/3.3.5/0000_README b/3.3.6/0000_README index 9dc6525..f827d9b 100644 --- a/3.3.5/0000_README +++ b/3.3.6/0000_README @@ -2,11 +2,11 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 1004_linux-3.3.5.patch +Patch: 1005_linux-3.3.6.patch From: http://www.kernel.org -Desc: Linux 3.3.5 +Desc: Linux 3.3.6 -Patch: 4420_grsecurity-2.9-3.3.5-201205071839.patch +Patch: 4420_grsecurity-2.9-3.3.6-201205131658.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.3.6/1005_linux-3.3.6.patch b/3.3.6/1005_linux-3.3.6.patch new file mode 100644 index 0000000..f02721b --- /dev/null +++ b/3.3.6/1005_linux-3.3.6.patch @@ -0,0 +1,1832 @@ +diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt +index ad3e80e..d18bbac 100644 +--- a/Documentation/networking/ip-sysctl.txt ++++ b/Documentation/networking/ip-sysctl.txt +@@ -147,7 +147,7 @@ tcp_adv_win_scale - INTEGER + (if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale), + if it is <= 0. + Possible values are [-31, 31], inclusive. +- Default: 2 ++ Default: 1 + + tcp_allowed_congestion_control - STRING + Show/set the congestion control choices available to non-privileged +@@ -410,7 +410,7 @@ tcp_rmem - vector of 3 INTEGERs: min, default, max + net.core.rmem_max. Calling setsockopt() with SO_RCVBUF disables + automatic tuning of that socket's receive buffer size, in which + case this value is ignored. +- Default: between 87380B and 4MB, depending on RAM size. ++ Default: between 87380B and 6MB, depending on RAM size. + + tcp_sack - BOOLEAN + Enable select acknowledgments (SACKS). +diff --git a/Makefile b/Makefile +index 64615e9..9cd6941 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 3 +-SUBLEVEL = 5 ++SUBLEVEL = 6 + EXTRAVERSION = + NAME = Saber-toothed Squirrel + +diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c +index ede6443..f5ce8ab 100644 +--- a/arch/arm/kernel/ptrace.c ++++ b/arch/arm/kernel/ptrace.c +@@ -905,27 +905,14 @@ long arch_ptrace(struct task_struct *child, long request, + return ret; + } + +-#ifdef __ARMEB__ +-#define AUDIT_ARCH_NR AUDIT_ARCH_ARMEB +-#else +-#define AUDIT_ARCH_NR AUDIT_ARCH_ARM +-#endif +- + asmlinkage int syscall_trace(int why, struct pt_regs *regs, int scno) + { + unsigned long ip; + +- /* +- * Save IP. IP is used to denote syscall entry/exit: +- * IP = 0 -> entry, = 1 -> exit +- */ +- ip = regs->ARM_ip; +- regs->ARM_ip = why; +- +- if (!ip) ++ if (why) + audit_syscall_exit(regs); + else +- audit_syscall_entry(AUDIT_ARCH_NR, scno, regs->ARM_r0, ++ audit_syscall_entry(AUDIT_ARCH_ARM, scno, regs->ARM_r0, + regs->ARM_r1, regs->ARM_r2, regs->ARM_r3); + + if (!test_thread_flag(TIF_SYSCALL_TRACE)) +@@ -935,6 +922,13 @@ asmlinkage int syscall_trace(int why, struct pt_regs *regs, int scno) + + current_thread_info()->syscall = scno; + ++ /* ++ * IP is used to denote syscall entry/exit: ++ * IP = 0 -> entry, =1 -> exit ++ */ ++ ip = regs->ARM_ip; ++ regs->ARM_ip = why; ++ + /* the 0x80 provides a way for the tracing parent to distinguish + between a syscall stop and SIGTRAP delivery */ + ptrace_notify(SIGTRAP | ((current->ptrace & PT_TRACESYSGOOD) +diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c +index cdeb727..31c2567 100644 +--- a/arch/arm/kernel/smp.c ++++ b/arch/arm/kernel/smp.c +@@ -255,8 +255,6 @@ asmlinkage void __cpuinit secondary_start_kernel(void) + struct mm_struct *mm = &init_mm; + unsigned int cpu = smp_processor_id(); + +- printk("CPU%u: Booted secondary processor\n", cpu); +- + /* + * All kernel threads share the same mm context; grab a + * reference and switch to it. +@@ -268,6 +266,8 @@ asmlinkage void __cpuinit secondary_start_kernel(void) + enter_lazy_tlb(mm, current); + local_flush_tlb_all(); + ++ printk("CPU%u: Booted secondary processor\n", cpu); ++ + cpu_init(); + preempt_disable(); + trace_hardirqs_off(); +diff --git a/arch/arm/kernel/sys_arm.c b/arch/arm/kernel/sys_arm.c +index d2b1779..76cbb05 100644 +--- a/arch/arm/kernel/sys_arm.c ++++ b/arch/arm/kernel/sys_arm.c +@@ -115,7 +115,7 @@ int kernel_execve(const char *filename, + "Ir" (THREAD_START_SP - sizeof(regs)), + "r" (®s), + "Ir" (sizeof(regs)) +- : "r0", "r1", "r2", "r3", "ip", "lr", "memory"); ++ : "r0", "r1", "r2", "r3", "r8", "r9", "ip", "lr", "memory"); + + out: + return ret; +diff --git a/arch/arm/mach-omap2/include/mach/ctrl_module_pad_core_44xx.h b/arch/arm/mach-omap2/include/mach/ctrl_module_pad_core_44xx.h +index 1e2d332..c88420d 100644 +--- a/arch/arm/mach-omap2/include/mach/ctrl_module_pad_core_44xx.h ++++ b/arch/arm/mach-omap2/include/mach/ctrl_module_pad_core_44xx.h +@@ -941,10 +941,10 @@ + #define OMAP4_DSI2_LANEENABLE_MASK (0x7 << 29) + #define OMAP4_DSI1_LANEENABLE_SHIFT 24 + #define OMAP4_DSI1_LANEENABLE_MASK (0x1f << 24) +-#define OMAP4_DSI2_PIPD_SHIFT 19 +-#define OMAP4_DSI2_PIPD_MASK (0x1f << 19) +-#define OMAP4_DSI1_PIPD_SHIFT 14 +-#define OMAP4_DSI1_PIPD_MASK (0x1f << 14) ++#define OMAP4_DSI1_PIPD_SHIFT 19 ++#define OMAP4_DSI1_PIPD_MASK (0x1f << 19) ++#define OMAP4_DSI2_PIPD_SHIFT 14 ++#define OMAP4_DSI2_PIPD_MASK (0x1f << 14) + + /* CONTROL_MCBSPLP */ + #define OMAP4_ALBCTRLRX_FSX_SHIFT 31 +diff --git a/arch/arm/mach-orion5x/mpp.h b/arch/arm/mach-orion5x/mpp.h +index eac6897..db70e79 100644 +--- a/arch/arm/mach-orion5x/mpp.h ++++ b/arch/arm/mach-orion5x/mpp.h +@@ -65,8 +65,8 @@ + #define MPP8_GIGE MPP(8, 0x1, 0, 0, 1, 1, 1) + + #define MPP9_UNUSED MPP(9, 0x0, 0, 0, 1, 1, 1) +-#define MPP9_GPIO MPP(9, 0x0, 0, 0, 1, 1, 1) +-#define MPP9_GIGE MPP(9, 0x1, 1, 1, 1, 1, 1) ++#define MPP9_GPIO MPP(9, 0x0, 1, 1, 1, 1, 1) ++#define MPP9_GIGE MPP(9, 0x1, 0, 0, 1, 1, 1) + + #define MPP10_UNUSED MPP(10, 0x0, 0, 0, 1, 1, 1) + #define MPP10_GPIO MPP(10, 0x0, 1, 1, 1, 1, 1) +diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c +index b1e192b..db7bcc0 100644 +--- a/arch/arm/mm/cache-l2x0.c ++++ b/arch/arm/mm/cache-l2x0.c +@@ -32,6 +32,7 @@ static void __iomem *l2x0_base; + static DEFINE_RAW_SPINLOCK(l2x0_lock); + static uint32_t l2x0_way_mask; /* Bitmask of active ways */ + static uint32_t l2x0_size; ++static unsigned long sync_reg_offset = L2X0_CACHE_SYNC; + + struct l2x0_regs l2x0_saved_regs; + +@@ -61,12 +62,7 @@ static inline void cache_sync(void) + { + void __iomem *base = l2x0_base; + +-#ifdef CONFIG_PL310_ERRATA_753970 +- /* write to an unmmapped register */ +- writel_relaxed(0, base + L2X0_DUMMY_REG); +-#else +- writel_relaxed(0, base + L2X0_CACHE_SYNC); +-#endif ++ writel_relaxed(0, base + sync_reg_offset); + cache_wait(base + L2X0_CACHE_SYNC, 1); + } + +@@ -85,10 +81,13 @@ static inline void l2x0_inv_line(unsigned long addr) + } + + #if defined(CONFIG_PL310_ERRATA_588369) || defined(CONFIG_PL310_ERRATA_727915) ++static inline void debug_writel(unsigned long val) ++{ ++ if (outer_cache.set_debug) ++ outer_cache.set_debug(val); ++} + +-#define debug_writel(val) outer_cache.set_debug(val) +- +-static void l2x0_set_debug(unsigned long val) ++static void pl310_set_debug(unsigned long val) + { + writel_relaxed(val, l2x0_base + L2X0_DEBUG_CTRL); + } +@@ -98,7 +97,7 @@ static inline void debug_writel(unsigned long val) + { + } + +-#define l2x0_set_debug NULL ++#define pl310_set_debug NULL + #endif + + #ifdef CONFIG_PL310_ERRATA_588369 +@@ -331,6 +330,11 @@ void __init l2x0_init(void __iomem *base, __u32 aux_val, __u32 aux_mask) + else + ways = 8; + type = "L310"; ++#ifdef CONFIG_PL310_ERRATA_753970 ++ /* Unmapped register. */ ++ sync_reg_offset = L2X0_DUMMY_REG; ++#endif ++ outer_cache.set_debug = pl310_set_debug; + break; + case L2X0_CACHE_ID_PART_L210: + ways = (aux >> 13) & 0xf; +@@ -379,7 +383,6 @@ void __init l2x0_init(void __iomem *base, __u32 aux_val, __u32 aux_mask) + outer_cache.flush_all = l2x0_flush_all; + outer_cache.inv_all = l2x0_inv_all; + outer_cache.disable = l2x0_disable; +- outer_cache.set_debug = l2x0_set_debug; + + printk(KERN_INFO "%s cache controller enabled\n", type); + printk(KERN_INFO "l2x0: %d ways, CACHE_ID 0x%08x, AUX_CTRL 0x%08x, Cache size: %d B\n", +diff --git a/arch/ia64/kvm/kvm-ia64.c b/arch/ia64/kvm/kvm-ia64.c +index 4050520..8c25855 100644 +--- a/arch/ia64/kvm/kvm-ia64.c ++++ b/arch/ia64/kvm/kvm-ia64.c +@@ -1169,6 +1169,11 @@ out: + + #define PALE_RESET_ENTRY 0x80000000ffffffb0UL + ++bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu) ++{ ++ return irqchip_in_kernel(vcpu->kcm) == (vcpu->arch.apic != NULL); ++} ++ + int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu) + { + struct kvm_vcpu *v; +diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c +index 0243454..a5f6eff 100644 +--- a/arch/s390/kvm/intercept.c ++++ b/arch/s390/kvm/intercept.c +@@ -133,13 +133,6 @@ static int handle_stop(struct kvm_vcpu *vcpu) + + vcpu->stat.exit_stop_request++; + spin_lock_bh(&vcpu->arch.local_int.lock); +- if (vcpu->arch.local_int.action_bits & ACTION_STORE_ON_STOP) { +- vcpu->arch.local_int.action_bits &= ~ACTION_STORE_ON_STOP; +- rc = kvm_s390_vcpu_store_status(vcpu, +- KVM_S390_STORE_STATUS_NOADDR); +- if (rc >= 0) +- rc = -EOPNOTSUPP; +- } + + if (vcpu->arch.local_int.action_bits & ACTION_RELOADVCPU_ON_STOP) { + vcpu->arch.local_int.action_bits &= ~ACTION_RELOADVCPU_ON_STOP; +@@ -155,7 +148,18 @@ static int handle_stop(struct kvm_vcpu *vcpu) + rc = -EOPNOTSUPP; + } + +- spin_unlock_bh(&vcpu->arch.local_int.lock); ++ if (vcpu->arch.local_int.action_bits & ACTION_STORE_ON_STOP) { ++ vcpu->arch.local_int.action_bits &= ~ACTION_STORE_ON_STOP; ++ /* store status must be called unlocked. Since local_int.lock ++ * only protects local_int.* and not guest memory we can give ++ * up the lock here */ ++ spin_unlock_bh(&vcpu->arch.local_int.lock); ++ rc = kvm_s390_vcpu_store_status(vcpu, ++ KVM_S390_STORE_STATUS_NOADDR); ++ if (rc >= 0) ++ rc = -EOPNOTSUPP; ++ } else ++ spin_unlock_bh(&vcpu->arch.local_int.lock); + return rc; + } + +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index d1c44573..d3cb86c 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -418,7 +418,7 @@ int kvm_arch_vcpu_ioctl_get_sregs(struct kvm_vcpu *vcpu, + int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu) + { + memcpy(&vcpu->arch.guest_fpregs.fprs, &fpu->fprs, sizeof(fpu->fprs)); +- vcpu->arch.guest_fpregs.fpc = fpu->fpc; ++ vcpu->arch.guest_fpregs.fpc = fpu->fpc & FPC_VALID_MASK; + restore_fp_regs(&vcpu->arch.guest_fpregs); + return 0; + } +diff --git a/arch/x86/boot/compressed/relocs.c b/arch/x86/boot/compressed/relocs.c +index 89bbf4e..e77f4e4 100644 +--- a/arch/x86/boot/compressed/relocs.c ++++ b/arch/x86/boot/compressed/relocs.c +@@ -402,13 +402,11 @@ static void print_absolute_symbols(void) + for (i = 0; i < ehdr.e_shnum; i++) { + struct section *sec = &secs[i]; + char *sym_strtab; +- Elf32_Sym *sh_symtab; + int j; + + if (sec->shdr.sh_type != SHT_SYMTAB) { + continue; + } +- sh_symtab = sec->symtab; + sym_strtab = sec->link->strtab; + for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Sym); j++) { + Elf32_Sym *sym; +diff --git a/arch/x86/kernel/setup_percpu.c b/arch/x86/kernel/setup_percpu.c +index 71f4727..5a98aa2 100644 +--- a/arch/x86/kernel/setup_percpu.c ++++ b/arch/x86/kernel/setup_percpu.c +@@ -185,10 +185,22 @@ void __init setup_per_cpu_areas(void) + #endif + rc = -EINVAL; + if (pcpu_chosen_fc != PCPU_FC_PAGE) { +- const size_t atom_size = cpu_has_pse ? PMD_SIZE : PAGE_SIZE; + const size_t dyn_size = PERCPU_MODULE_RESERVE + + PERCPU_DYNAMIC_RESERVE - PERCPU_FIRST_CHUNK_RESERVE; ++ size_t atom_size; + ++ /* ++ * On 64bit, use PMD_SIZE for atom_size so that embedded ++ * percpu areas are aligned to PMD. This, in the future, ++ * can also allow using PMD mappings in vmalloc area. Use ++ * PAGE_SIZE on 32bit as vmalloc space is highly contended ++ * and large vmalloc area allocs can easily fail. ++ */ ++#ifdef CONFIG_X86_64 ++ atom_size = PMD_SIZE; ++#else ++ atom_size = PAGE_SIZE; ++#endif + rc = pcpu_embed_first_chunk(PERCPU_FIRST_CHUNK_RESERVE, + dyn_size, atom_size, + pcpu_cpu_distance, +diff --git a/arch/x86/kvm/pmu.c b/arch/x86/kvm/pmu.c +index 7aad544..3e48c1d 100644 +--- a/arch/x86/kvm/pmu.c ++++ b/arch/x86/kvm/pmu.c +@@ -413,7 +413,7 @@ int kvm_pmu_read_pmc(struct kvm_vcpu *vcpu, unsigned pmc, u64 *data) + struct kvm_pmc *counters; + u64 ctr; + +- pmc &= (3u << 30) - 1; ++ pmc &= ~(3u << 30); + if (!fixed && pmc >= pmu->nr_arch_gp_counters) + return 1; + if (fixed && pmc >= pmu->nr_arch_fixed_counters) +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 3b4c8d8..a7a6f60 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -1678,7 +1678,7 @@ static int nested_pf_handled(struct kvm_vcpu *vcpu) + struct vmcs12 *vmcs12 = get_vmcs12(vcpu); + + /* TODO: also check PFEC_MATCH/MASK, not just EB.PF. */ +- if (!(vmcs12->exception_bitmap & PF_VECTOR)) ++ if (!(vmcs12->exception_bitmap & (1u << PF_VECTOR))) + return 0; + + nested_vmx_vmexit(vcpu); +@@ -2219,6 +2219,12 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data) + msr = find_msr_entry(vmx, msr_index); + if (msr) { + msr->data = data; ++ if (msr - vmx->guest_msrs < vmx->save_nmsrs) { ++ preempt_disable(); ++ kvm_set_shared_msr(msr->index, msr->data, ++ msr->mask); ++ preempt_enable(); ++ } + break; + } + ret = kvm_set_msr_common(vcpu, msr_index, data); +@@ -3915,7 +3921,9 @@ static int vmx_vcpu_reset(struct kvm_vcpu *vcpu) + vmcs_write16(VIRTUAL_PROCESSOR_ID, vmx->vpid); + + vmx->vcpu.arch.cr0 = X86_CR0_NW | X86_CR0_CD | X86_CR0_ET; ++ vcpu->srcu_idx = srcu_read_lock(&vcpu->kvm->srcu); + vmx_set_cr0(&vmx->vcpu, kvm_read_cr0(vcpu)); /* enter rmode */ ++ srcu_read_unlock(&vcpu->kvm->srcu, vcpu->srcu_idx); + vmx_set_cr4(&vmx->vcpu, 0); + vmx_set_efer(&vmx->vcpu, 0); + vmx_fpu_activate(&vmx->vcpu); +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 9cbfc06..8d1c6c6 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -2997,6 +2997,8 @@ static void write_protect_slot(struct kvm *kvm, + unsigned long *dirty_bitmap, + unsigned long nr_dirty_pages) + { ++ spin_lock(&kvm->mmu_lock); ++ + /* Not many dirty pages compared to # of shadow pages. */ + if (nr_dirty_pages < kvm->arch.n_used_mmu_pages) { + unsigned long gfn_offset; +@@ -3004,16 +3006,13 @@ static void write_protect_slot(struct kvm *kvm, + for_each_set_bit(gfn_offset, dirty_bitmap, memslot->npages) { + unsigned long gfn = memslot->base_gfn + gfn_offset; + +- spin_lock(&kvm->mmu_lock); + kvm_mmu_rmap_write_protect(kvm, gfn, memslot); +- spin_unlock(&kvm->mmu_lock); + } + kvm_flush_remote_tlbs(kvm); +- } else { +- spin_lock(&kvm->mmu_lock); ++ } else + kvm_mmu_slot_remove_write_access(kvm, memslot->id); +- spin_unlock(&kvm->mmu_lock); +- } ++ ++ spin_unlock(&kvm->mmu_lock); + } + + /* +@@ -3132,6 +3131,9 @@ long kvm_arch_vm_ioctl(struct file *filp, + r = -EEXIST; + if (kvm->arch.vpic) + goto create_irqchip_unlock; ++ r = -EINVAL; ++ if (atomic_read(&kvm->online_vcpus)) ++ goto create_irqchip_unlock; + r = -ENOMEM; + vpic = kvm_create_pic(kvm); + if (vpic) { +@@ -5957,6 +5959,11 @@ void kvm_arch_check_processor_compat(void *rtn) + kvm_x86_ops->check_processor_compatibility(rtn); + } + ++bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu) ++{ ++ return irqchip_in_kernel(vcpu->kvm) == (vcpu->arch.apic != NULL); ++} ++ + int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu) + { + struct page *page; +diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c +index 4172af8..4e517d4 100644 +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -62,6 +62,7 @@ + #include <asm/reboot.h> + #include <asm/stackprotector.h> + #include <asm/hypervisor.h> ++#include <asm/pci_x86.h> + + #include "xen-ops.h" + #include "mmu.h" +@@ -1274,8 +1275,10 @@ asmlinkage void __init xen_start_kernel(void) + /* Make sure ACS will be enabled */ + pci_request_acs(); + } +- +- ++#ifdef CONFIG_PCI ++ /* PCI BIOS service won't work from a PV guest. */ ++ pci_probe &= ~PCI_PROBE_BIOS; ++#endif + xen_raw_console_write("about to get started...\n"); + + xen_setup_runstate_info(0); +diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c +index 95c1cf6..dc19347 100644 +--- a/arch/x86/xen/mmu.c ++++ b/arch/x86/xen/mmu.c +@@ -353,8 +353,13 @@ static pteval_t pte_mfn_to_pfn(pteval_t val) + { + if (val & _PAGE_PRESENT) { + unsigned long mfn = (val & PTE_PFN_MASK) >> PAGE_SHIFT; ++ unsigned long pfn = mfn_to_pfn(mfn); ++ + pteval_t flags = val & PTE_FLAGS_MASK; +- val = ((pteval_t)mfn_to_pfn(mfn) << PAGE_SHIFT) | flags; ++ if (unlikely(pfn == ~0)) ++ val = flags & ~_PAGE_PRESENT; ++ else ++ val = ((pteval_t)pfn << PAGE_SHIFT) | flags; + } + + return val; +diff --git a/drivers/block/mtip32xx/Kconfig b/drivers/block/mtip32xx/Kconfig +index b5dd14e..0ba837f 100644 +--- a/drivers/block/mtip32xx/Kconfig ++++ b/drivers/block/mtip32xx/Kconfig +@@ -4,6 +4,6 @@ + + config BLK_DEV_PCIESSD_MTIP32XX + tristate "Block Device Driver for Micron PCIe SSDs" +- depends on HOTPLUG_PCI_PCIE ++ depends on PCI + help + This enables the block driver for Micron PCIe SSDs. +diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c +index 8eb81c9..c37073d 100644 +--- a/drivers/block/mtip32xx/mtip32xx.c ++++ b/drivers/block/mtip32xx/mtip32xx.c +@@ -422,6 +422,10 @@ static void mtip_init_port(struct mtip_port *port) + /* Clear any pending interrupts for this port */ + writel(readl(port->mmio + PORT_IRQ_STAT), port->mmio + PORT_IRQ_STAT); + ++ /* Clear any pending interrupts on the HBA. */ ++ writel(readl(port->dd->mmio + HOST_IRQ_STAT), ++ port->dd->mmio + HOST_IRQ_STAT); ++ + /* Enable port interrupts */ + writel(DEF_PORT_IRQ, port->mmio + PORT_IRQ_MASK); + } +@@ -490,11 +494,9 @@ static void mtip_restart_port(struct mtip_port *port) + dev_warn(&port->dd->pdev->dev, + "COM reset failed\n"); + +- /* Clear SError, the PxSERR.DIAG.x should be set so clear it */ +- writel(readl(port->mmio + PORT_SCR_ERR), port->mmio + PORT_SCR_ERR); ++ mtip_init_port(port); ++ mtip_start_port(port); + +- /* Enable the DMA engine */ +- mtip_enable_engine(port, 1); + } + + /* +@@ -3359,9 +3361,6 @@ static int mtip_pci_probe(struct pci_dev *pdev, + return -ENOMEM; + } + +- /* Set the atomic variable as 1 in case of SRSI */ +- atomic_set(&dd->drv_cleanup_done, true); +- + atomic_set(&dd->resumeflag, false); + + /* Attach the private data to this PCI device. */ +@@ -3434,8 +3433,8 @@ iomap_err: + pci_set_drvdata(pdev, NULL); + return rv; + done: +- /* Set the atomic variable as 0 in case of SRSI */ +- atomic_set(&dd->drv_cleanup_done, true); ++ /* Set the atomic variable as 0 */ ++ atomic_set(&dd->drv_cleanup_done, false); + + return rv; + } +@@ -3463,8 +3462,6 @@ static void mtip_pci_remove(struct pci_dev *pdev) + } + } + } +- /* Set the atomic variable as 1 in case of SRSI */ +- atomic_set(&dd->drv_cleanup_done, true); + + /* Clean up the block layer. */ + mtip_block_remove(dd); +@@ -3608,18 +3605,25 @@ MODULE_DEVICE_TABLE(pci, mtip_pci_tbl); + */ + static int __init mtip_init(void) + { ++ int error; ++ + printk(KERN_INFO MTIP_DRV_NAME " Version " MTIP_DRV_VERSION "\n"); + + /* Allocate a major block device number to use with this driver. */ +- mtip_major = register_blkdev(0, MTIP_DRV_NAME); +- if (mtip_major < 0) { ++ error = register_blkdev(0, MTIP_DRV_NAME); ++ if (error <= 0) { + printk(KERN_ERR "Unable to register block device (%d)\n", +- mtip_major); ++ error); + return -EBUSY; + } ++ mtip_major = error; + + /* Register our PCI operations. */ +- return pci_register_driver(&mtip_pci_driver); ++ error = pci_register_driver(&mtip_pci_driver); ++ if (error) ++ unregister_blkdev(mtip_major, MTIP_DRV_NAME); ++ ++ return error; + } + + /* +diff --git a/drivers/gpu/drm/i915/intel_hdmi.c b/drivers/gpu/drm/i915/intel_hdmi.c +index 64541f7..9cd81ba 100644 +--- a/drivers/gpu/drm/i915/intel_hdmi.c ++++ b/drivers/gpu/drm/i915/intel_hdmi.c +@@ -136,7 +136,7 @@ static void i9xx_write_infoframe(struct drm_encoder *encoder, + + val &= ~VIDEO_DIP_SELECT_MASK; + +- I915_WRITE(VIDEO_DIP_CTL, val | port | flags); ++ I915_WRITE(VIDEO_DIP_CTL, VIDEO_DIP_ENABLE | val | port | flags); + + for (i = 0; i < len; i += 4) { + I915_WRITE(VIDEO_DIP_DATA, *data); +diff --git a/drivers/gpu/drm/i915/intel_ringbuffer.c b/drivers/gpu/drm/i915/intel_ringbuffer.c +index 99f71af..6753f59 100644 +--- a/drivers/gpu/drm/i915/intel_ringbuffer.c ++++ b/drivers/gpu/drm/i915/intel_ringbuffer.c +@@ -414,10 +414,8 @@ static int init_render_ring(struct intel_ring_buffer *ring) + return ret; + } + +- if (INTEL_INFO(dev)->gen >= 6) { +- I915_WRITE(INSTPM, +- INSTPM_FORCE_ORDERING << 16 | INSTPM_FORCE_ORDERING); + ++ if (IS_GEN6(dev)) { + /* From the Sandybridge PRM, volume 1 part 3, page 24: + * "If this bit is set, STCunit will have LRA as replacement + * policy. [...] This bit must be reset. LRA replacement +@@ -427,6 +425,11 @@ static int init_render_ring(struct intel_ring_buffer *ring) + CM0_STC_EVICT_DISABLE_LRA_SNB << CM0_MASK_SHIFT); + } + ++ if (INTEL_INFO(dev)->gen >= 6) { ++ I915_WRITE(INSTPM, ++ INSTPM_FORCE_ORDERING << 16 | INSTPM_FORCE_ORDERING); ++ } ++ + return ret; + } + +diff --git a/drivers/gpu/drm/i915/intel_sdvo.c b/drivers/gpu/drm/i915/intel_sdvo.c +index 0a877dd..8eddcca 100644 +--- a/drivers/gpu/drm/i915/intel_sdvo.c ++++ b/drivers/gpu/drm/i915/intel_sdvo.c +@@ -1221,8 +1221,14 @@ static bool intel_sdvo_get_capabilities(struct intel_sdvo *intel_sdvo, struct in + + static int intel_sdvo_supports_hotplug(struct intel_sdvo *intel_sdvo) + { ++ struct drm_device *dev = intel_sdvo->base.base.dev; + u8 response[2]; + ++ /* HW Erratum: SDVO Hotplug is broken on all i945G chips, there's noise ++ * on the line. */ ++ if (IS_I945G(dev) || IS_I945GM(dev)) ++ return false; ++ + return intel_sdvo_get_value(intel_sdvo, SDVO_CMD_GET_HOT_PLUG_SUPPORT, + &response, 2) && response[0]; + } +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index 83047783..ecbd765 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -879,8 +879,13 @@ static inline unsigned int tg3_has_work(struct tg3_napi *tnapi) + if (sblk->status & SD_STATUS_LINK_CHG) + work_exists = 1; + } +- /* check for RX/TX work to do */ +- if (sblk->idx[0].tx_consumer != tnapi->tx_cons || ++ ++ /* check for TX work to do */ ++ if (sblk->idx[0].tx_consumer != tnapi->tx_cons) ++ work_exists = 1; ++ ++ /* check for RX work to do */ ++ if (tnapi->rx_rcb_prod_idx && + *(tnapi->rx_rcb_prod_idx) != tnapi->rx_rcb_ptr) + work_exists = 1; + +@@ -5877,6 +5882,9 @@ static int tg3_poll_work(struct tg3_napi *tnapi, int work_done, int budget) + return work_done; + } + ++ if (!tnapi->rx_rcb_prod_idx) ++ return work_done; ++ + /* run RX thread, within the bounds set by NAPI. + * All RX "locking" is done by ensuring outside + * code synchronizes with tg3->napi.poll() +@@ -7428,6 +7436,12 @@ static int tg3_alloc_consistent(struct tg3 *tp) + */ + switch (i) { + default: ++ if (tg3_flag(tp, ENABLE_RSS)) { ++ tnapi->rx_rcb_prod_idx = NULL; ++ break; ++ } ++ /* Fall through */ ++ case 1: + tnapi->rx_rcb_prod_idx = &sblk->idx[0].rx_producer; + break; + case 2: +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c +index d94d64b..b444f21 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c +@@ -164,6 +164,8 @@ static int e1000_82547_fifo_workaround(struct e1000_adapter *adapter, + static bool e1000_vlan_used(struct e1000_adapter *adapter); + static void e1000_vlan_mode(struct net_device *netdev, + netdev_features_t features); ++static void e1000_vlan_filter_on_off(struct e1000_adapter *adapter, ++ bool filter_on); + static int e1000_vlan_rx_add_vid(struct net_device *netdev, u16 vid); + static int e1000_vlan_rx_kill_vid(struct net_device *netdev, u16 vid); + static void e1000_restore_vlan(struct e1000_adapter *adapter); +@@ -1213,7 +1215,7 @@ static int __devinit e1000_probe(struct pci_dev *pdev, + if (err) + goto err_register; + +- e1000_vlan_mode(netdev, netdev->features); ++ e1000_vlan_filter_on_off(adapter, false); + + /* print bus type/speed/width info */ + e_info(probe, "(PCI%s:%dMHz:%d-bit) %pM\n", +@@ -4549,6 +4551,22 @@ static bool e1000_vlan_used(struct e1000_adapter *adapter) + return false; + } + ++static void __e1000_vlan_mode(struct e1000_adapter *adapter, ++ netdev_features_t features) ++{ ++ struct e1000_hw *hw = &adapter->hw; ++ u32 ctrl; ++ ++ ctrl = er32(CTRL); ++ if (features & NETIF_F_HW_VLAN_RX) { ++ /* enable VLAN tag insert/strip */ ++ ctrl |= E1000_CTRL_VME; ++ } else { ++ /* disable VLAN tag insert/strip */ ++ ctrl &= ~E1000_CTRL_VME; ++ } ++ ew32(CTRL, ctrl); ++} + static void e1000_vlan_filter_on_off(struct e1000_adapter *adapter, + bool filter_on) + { +@@ -4558,6 +4576,7 @@ static void e1000_vlan_filter_on_off(struct e1000_adapter *adapter, + if (!test_bit(__E1000_DOWN, &adapter->flags)) + e1000_irq_disable(adapter); + ++ __e1000_vlan_mode(adapter, adapter->netdev->features); + if (filter_on) { + /* enable VLAN receive filtering */ + rctl = er32(RCTL); +@@ -4578,24 +4597,14 @@ static void e1000_vlan_filter_on_off(struct e1000_adapter *adapter, + } + + static void e1000_vlan_mode(struct net_device *netdev, +- netdev_features_t features) ++ netdev_features_t features) + { + struct e1000_adapter *adapter = netdev_priv(netdev); +- struct e1000_hw *hw = &adapter->hw; +- u32 ctrl; + + if (!test_bit(__E1000_DOWN, &adapter->flags)) + e1000_irq_disable(adapter); + +- ctrl = er32(CTRL); +- if (features & NETIF_F_HW_VLAN_RX) { +- /* enable VLAN tag insert/strip */ +- ctrl |= E1000_CTRL_VME; +- } else { +- /* disable VLAN tag insert/strip */ +- ctrl &= ~E1000_CTRL_VME; +- } +- ew32(CTRL, ctrl); ++ __e1000_vlan_mode(adapter, features); + + if (!test_bit(__E1000_DOWN, &adapter->flags)) + e1000_irq_enable(adapter); +diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c +index ec6136f..1d04182 100644 +--- a/drivers/net/ethernet/marvell/sky2.c ++++ b/drivers/net/ethernet/marvell/sky2.c +@@ -2483,8 +2483,13 @@ static struct sk_buff *receive_copy(struct sky2_port *sky2, + skb_copy_from_linear_data(re->skb, skb->data, length); + skb->ip_summed = re->skb->ip_summed; + skb->csum = re->skb->csum; ++ skb->rxhash = re->skb->rxhash; ++ skb->vlan_tci = re->skb->vlan_tci; ++ + pci_dma_sync_single_for_device(sky2->hw->pdev, re->data_addr, + length, PCI_DMA_FROMDEVICE); ++ re->skb->vlan_tci = 0; ++ re->skb->rxhash = 0; + re->skb->ip_summed = CHECKSUM_NONE; + skb_put(skb, length); + } +@@ -2569,9 +2574,6 @@ static struct sk_buff *sky2_receive(struct net_device *dev, + struct sk_buff *skb = NULL; + u16 count = (status & GMR_FS_LEN) >> 16; + +- if (status & GMR_FS_VLAN) +- count -= VLAN_HLEN; /* Account for vlan tag */ +- + netif_printk(sky2, rx_status, KERN_DEBUG, dev, + "rx slot %u status 0x%x len %d\n", + sky2->rx_next, status, length); +@@ -2579,6 +2581,9 @@ static struct sk_buff *sky2_receive(struct net_device *dev, + sky2->rx_next = (sky2->rx_next + 1) % sky2->rx_pending; + prefetch(sky2->rx_ring + sky2->rx_next); + ++ if (vlan_tx_tag_present(re->skb)) ++ count -= VLAN_HLEN; /* Account for vlan tag */ ++ + /* This chip has hardware problems that generates bogus status. + * So do only marginal checking and expect higher level protocols + * to handle crap frames. +@@ -2636,11 +2641,8 @@ static inline void sky2_tx_done(struct net_device *dev, u16 last) + } + + static inline void sky2_skb_rx(const struct sky2_port *sky2, +- u32 status, struct sk_buff *skb) ++ struct sk_buff *skb) + { +- if (status & GMR_FS_VLAN) +- __vlan_hwaccel_put_tag(skb, be16_to_cpu(sky2->rx_tag)); +- + if (skb->ip_summed == CHECKSUM_NONE) + netif_receive_skb(skb); + else +@@ -2694,6 +2696,14 @@ static void sky2_rx_checksum(struct sky2_port *sky2, u32 status) + } + } + ++static void sky2_rx_tag(struct sky2_port *sky2, u16 length) ++{ ++ struct sk_buff *skb; ++ ++ skb = sky2->rx_ring[sky2->rx_next].skb; ++ __vlan_hwaccel_put_tag(skb, be16_to_cpu(length)); ++} ++ + static void sky2_rx_hash(struct sky2_port *sky2, u32 status) + { + struct sk_buff *skb; +@@ -2752,8 +2762,7 @@ static int sky2_status_intr(struct sky2_hw *hw, int to_do, u16 idx) + } + + skb->protocol = eth_type_trans(skb, dev); +- +- sky2_skb_rx(sky2, status, skb); ++ sky2_skb_rx(sky2, skb); + + /* Stop after net poll weight */ + if (++work_done >= to_do) +@@ -2761,11 +2770,11 @@ static int sky2_status_intr(struct sky2_hw *hw, int to_do, u16 idx) + break; + + case OP_RXVLAN: +- sky2->rx_tag = length; ++ sky2_rx_tag(sky2, length); + break; + + case OP_RXCHKSVLAN: +- sky2->rx_tag = length; ++ sky2_rx_tag(sky2, length); + /* fall through */ + case OP_RXCHKS: + if (likely(dev->features & NETIF_F_RXCSUM)) +diff --git a/drivers/net/ethernet/marvell/sky2.h b/drivers/net/ethernet/marvell/sky2.h +index ff6f58b..3c896ce 100644 +--- a/drivers/net/ethernet/marvell/sky2.h ++++ b/drivers/net/ethernet/marvell/sky2.h +@@ -2241,7 +2241,6 @@ struct sky2_port { + u16 rx_pending; + u16 rx_data_size; + u16 rx_nfrags; +- u16 rx_tag; + + struct { + unsigned long last; +diff --git a/drivers/net/ethernet/sun/sungem.c b/drivers/net/ethernet/sun/sungem.c +index 31441a8..d14a011 100644 +--- a/drivers/net/ethernet/sun/sungem.c ++++ b/drivers/net/ethernet/sun/sungem.c +@@ -2340,7 +2340,7 @@ static int gem_suspend(struct pci_dev *pdev, pm_message_t state) + netif_device_detach(dev); + + /* Switch off chip, remember WOL setting */ +- gp->asleep_wol = gp->wake_on_lan; ++ gp->asleep_wol = !!gp->wake_on_lan; + gem_do_stop(dev, gp->asleep_wol); + + /* Unlock the network stack */ +diff --git a/drivers/net/usb/asix.c b/drivers/net/usb/asix.c +index d6da5ee..c7ada22 100644 +--- a/drivers/net/usb/asix.c ++++ b/drivers/net/usb/asix.c +@@ -403,7 +403,7 @@ static struct sk_buff *asix_tx_fixup(struct usbnet *dev, struct sk_buff *skb, + u32 packet_len; + u32 padbytes = 0xffff0000; + +- padlen = ((skb->len + 4) % 512) ? 0 : 4; ++ padlen = ((skb->len + 4) & (dev->maxpacket - 1)) ? 0 : 4; + + if ((!skb_cloned(skb)) && + ((headroom + tailroom) >= (4 + padlen))) { +@@ -425,7 +425,7 @@ static struct sk_buff *asix_tx_fixup(struct usbnet *dev, struct sk_buff *skb, + cpu_to_le32s(&packet_len); + skb_copy_to_linear_data(skb, &packet_len, sizeof(packet_len)); + +- if ((skb->len % 512) == 0) { ++ if (padlen) { + cpu_to_le32s(&padbytes); + memcpy(skb_tail_pointer(skb), &padbytes, sizeof(padbytes)); + skb_put(skb, sizeof(padbytes)); +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index d45520e..f1e77b1 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -1191,7 +1191,7 @@ static const struct driver_info smsc95xx_info = { + .rx_fixup = smsc95xx_rx_fixup, + .tx_fixup = smsc95xx_tx_fixup, + .status = smsc95xx_status, +- .flags = FLAG_ETHER | FLAG_SEND_ZLP, ++ .flags = FLAG_ETHER | FLAG_SEND_ZLP | FLAG_LINK_INTR, + }; + + static const struct usb_device_id products[] = { +diff --git a/drivers/platform/x86/sony-laptop.c b/drivers/platform/x86/sony-laptop.c +index c006dee..40c4705 100644 +--- a/drivers/platform/x86/sony-laptop.c ++++ b/drivers/platform/x86/sony-laptop.c +@@ -127,7 +127,7 @@ MODULE_PARM_DESC(minor, + "default is -1 (automatic)"); + #endif + +-static int kbd_backlight; /* = 1 */ ++static int kbd_backlight = 1; + module_param(kbd_backlight, int, 0444); + MODULE_PARM_DESC(kbd_backlight, + "set this to 0 to disable keyboard backlight, " +diff --git a/drivers/regulator/max8997.c b/drivers/regulator/max8997.c +index d26e864..cf73ab2 100644 +--- a/drivers/regulator/max8997.c ++++ b/drivers/regulator/max8997.c +@@ -689,7 +689,7 @@ static int max8997_set_voltage_buck(struct regulator_dev *rdev, + } + + new_val++; +- } while (desc->min + desc->step + new_val <= desc->max); ++ } while (desc->min + desc->step * new_val <= desc->max); + + new_idx = tmp_idx; + new_val = tmp_val; +diff --git a/drivers/usb/gadget/udc-core.c b/drivers/usb/gadget/udc-core.c +index ec02ed0..4e2e13e 100644 +--- a/drivers/usb/gadget/udc-core.c ++++ b/drivers/usb/gadget/udc-core.c +@@ -211,8 +211,8 @@ static void usb_gadget_remove_driver(struct usb_udc *udc) + + if (udc_is_newstyle(udc)) { + udc->driver->disconnect(udc->gadget); +- udc->driver->unbind(udc->gadget); + usb_gadget_disconnect(udc->gadget); ++ udc->driver->unbind(udc->gadget); + usb_gadget_udc_stop(udc->gadget, udc->driver); + } else { + usb_gadget_stop(udc->gadget, udc->driver); +@@ -363,9 +363,9 @@ static ssize_t usb_udc_softconn_store(struct device *dev, + usb_gadget_udc_start(udc->gadget, udc->driver); + usb_gadget_connect(udc->gadget); + } else if (sysfs_streq(buf, "disconnect")) { ++ usb_gadget_disconnect(udc->gadget); + if (udc_is_newstyle(udc)) + usb_gadget_udc_stop(udc->gadget, udc->driver); +- usb_gadget_disconnect(udc->gadget); + } else { + dev_err(dev, "unsupported command '%s'\n", buf); + return -EINVAL; +diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c +index cd66b76..1250bba 100644 +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -4831,8 +4831,12 @@ parse_DFS_referrals(TRANSACTION2_GET_DFS_REFER_RSP *pSMBr, + max_len = data_end - temp; + node->node_name = cifs_strndup_from_utf16(temp, max_len, + is_unicode, nls_codepage); +- if (!node->node_name) ++ if (!node->node_name) { + rc = -ENOMEM; ++ goto parse_DFS_referrals_exit; ++ } ++ ++ ref++; + } + + parse_DFS_referrals_exit: +diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c +index 3645cd3..c60267e 100644 +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -600,9 +600,15 @@ static int hugetlbfs_statfs(struct dentry *dentry, struct kstatfs *buf) + spin_lock(&sbinfo->stat_lock); + /* If no limits set, just report 0 for max/free/used + * blocks, like simple_statfs() */ +- if (sbinfo->max_blocks >= 0) { +- buf->f_blocks = sbinfo->max_blocks; +- buf->f_bavail = buf->f_bfree = sbinfo->free_blocks; ++ if (sbinfo->spool) { ++ long free_pages; ++ ++ spin_lock(&sbinfo->spool->lock); ++ buf->f_blocks = sbinfo->spool->max_hpages; ++ free_pages = sbinfo->spool->max_hpages ++ - sbinfo->spool->used_hpages; ++ buf->f_bavail = buf->f_bfree = free_pages; ++ spin_unlock(&sbinfo->spool->lock); + buf->f_files = sbinfo->max_inodes; + buf->f_ffree = sbinfo->free_inodes; + } +@@ -618,6 +624,10 @@ static void hugetlbfs_put_super(struct super_block *sb) + + if (sbi) { + sb->s_fs_info = NULL; ++ ++ if (sbi->spool) ++ hugepage_put_subpool(sbi->spool); ++ + kfree(sbi); + } + } +@@ -848,10 +858,14 @@ hugetlbfs_fill_super(struct super_block *sb, void *data, int silent) + sb->s_fs_info = sbinfo; + sbinfo->hstate = config.hstate; + spin_lock_init(&sbinfo->stat_lock); +- sbinfo->max_blocks = config.nr_blocks; +- sbinfo->free_blocks = config.nr_blocks; + sbinfo->max_inodes = config.nr_inodes; + sbinfo->free_inodes = config.nr_inodes; ++ sbinfo->spool = NULL; ++ if (config.nr_blocks != -1) { ++ sbinfo->spool = hugepage_new_subpool(config.nr_blocks); ++ if (!sbinfo->spool) ++ goto out_free; ++ } + sb->s_maxbytes = MAX_LFS_FILESIZE; + sb->s_blocksize = huge_page_size(config.hstate); + sb->s_blocksize_bits = huge_page_shift(config.hstate); +@@ -870,38 +884,12 @@ hugetlbfs_fill_super(struct super_block *sb, void *data, int silent) + sb->s_root = root; + return 0; + out_free: ++ if (sbinfo->spool) ++ kfree(sbinfo->spool); + kfree(sbinfo); + return -ENOMEM; + } + +-int hugetlb_get_quota(struct address_space *mapping, long delta) +-{ +- int ret = 0; +- struct hugetlbfs_sb_info *sbinfo = HUGETLBFS_SB(mapping->host->i_sb); +- +- if (sbinfo->free_blocks > -1) { +- spin_lock(&sbinfo->stat_lock); +- if (sbinfo->free_blocks - delta >= 0) +- sbinfo->free_blocks -= delta; +- else +- ret = -ENOMEM; +- spin_unlock(&sbinfo->stat_lock); +- } +- +- return ret; +-} +- +-void hugetlb_put_quota(struct address_space *mapping, long delta) +-{ +- struct hugetlbfs_sb_info *sbinfo = HUGETLBFS_SB(mapping->host->i_sb); +- +- if (sbinfo->free_blocks > -1) { +- spin_lock(&sbinfo->stat_lock); +- sbinfo->free_blocks += delta; +- spin_unlock(&sbinfo->stat_lock); +- } +-} +- + static struct dentry *hugetlbfs_mount(struct file_system_type *fs_type, + int flags, const char *dev_name, void *data) + { +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index de3fa1a..2c1244b 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -231,17 +231,17 @@ do_open_lookup(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nfsd4_o + */ + if (open->op_createmode == NFS4_CREATE_EXCLUSIVE && status == 0) + open->op_bmval[1] = (FATTR4_WORD1_TIME_ACCESS | +- FATTR4_WORD1_TIME_MODIFY); ++ FATTR4_WORD1_TIME_MODIFY); + } else { + status = nfsd_lookup(rqstp, current_fh, + open->op_fname.data, open->op_fname.len, &resfh); + fh_unlock(current_fh); +- if (status) +- goto out; +- status = nfsd_check_obj_isreg(&resfh); + } + if (status) + goto out; ++ status = nfsd_check_obj_isreg(&resfh); ++ if (status) ++ goto out; + + if (is_create_with_attrs(open) && open->op_acl != NULL) + do_set_nfs4_acl(rqstp, &resfh, open->op_acl, open->op_bmval); +diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c +index edf6d3e..b96fe94 100644 +--- a/fs/nfsd/vfs.c ++++ b/fs/nfsd/vfs.c +@@ -1450,7 +1450,7 @@ do_nfsd_create(struct svc_rqst *rqstp, struct svc_fh *fhp, + switch (createmode) { + case NFS3_CREATE_UNCHECKED: + if (! S_ISREG(dchild->d_inode->i_mode)) +- err = nfserr_exist; ++ goto out; + else if (truncp) { + /* in nfsv4, we need to treat this case a little + * differently. we don't want to truncate the +diff --git a/include/asm-generic/statfs.h b/include/asm-generic/statfs.h +index 0fd28e0..c749af9 100644 +--- a/include/asm-generic/statfs.h ++++ b/include/asm-generic/statfs.h +@@ -15,7 +15,7 @@ typedef __kernel_fsid_t fsid_t; + * with a 10' pole. + */ + #ifndef __statfs_word +-#if BITS_PER_LONG == 64 ++#if __BITS_PER_LONG == 64 + #define __statfs_word long + #else + #define __statfs_word __u32 +diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h +index d9d6c86..c5ed2f1 100644 +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -14,6 +14,15 @@ struct user_struct; + #include <linux/shm.h> + #include <asm/tlbflush.h> + ++struct hugepage_subpool { ++ spinlock_t lock; ++ long count; ++ long max_hpages, used_hpages; ++}; ++ ++struct hugepage_subpool *hugepage_new_subpool(long nr_blocks); ++void hugepage_put_subpool(struct hugepage_subpool *spool); ++ + int PageHuge(struct page *page); + + void reset_vma_resv_huge_pages(struct vm_area_struct *vma); +@@ -138,12 +147,11 @@ struct hugetlbfs_config { + }; + + struct hugetlbfs_sb_info { +- long max_blocks; /* blocks allowed */ +- long free_blocks; /* blocks free */ + long max_inodes; /* inodes allowed */ + long free_inodes; /* inodes free */ + spinlock_t stat_lock; + struct hstate *hstate; ++ struct hugepage_subpool *spool; + }; + + +@@ -166,8 +174,6 @@ extern const struct file_operations hugetlbfs_file_operations; + extern const struct vm_operations_struct hugetlb_vm_ops; + struct file *hugetlb_file_setup(const char *name, size_t size, vm_flags_t acct, + struct user_struct **user, int creat_flags); +-int hugetlb_get_quota(struct address_space *mapping, long delta); +-void hugetlb_put_quota(struct address_space *mapping, long delta); + + static inline int is_file_hugepages(struct file *file) + { +diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h +index bc21720..4c4e83d 100644 +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -775,6 +775,13 @@ static inline bool kvm_vcpu_is_bsp(struct kvm_vcpu *vcpu) + { + return vcpu->kvm->bsp_vcpu_id == vcpu->vcpu_id; + } ++ ++bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu); ++ ++#else ++ ++static inline bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu) { return true; } ++ + #endif + + #ifdef __KVM_HAVE_DEVICE_ASSIGNMENT +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 4f3b01a..7e472b7 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -1898,12 +1898,22 @@ static inline void netdev_tx_sent_queue(struct netdev_queue *dev_queue, + { + #ifdef CONFIG_BQL + dql_queued(&dev_queue->dql, bytes); +- if (unlikely(dql_avail(&dev_queue->dql) < 0)) { +- set_bit(__QUEUE_STATE_STACK_XOFF, &dev_queue->state); +- if (unlikely(dql_avail(&dev_queue->dql) >= 0)) +- clear_bit(__QUEUE_STATE_STACK_XOFF, +- &dev_queue->state); +- } ++ ++ if (likely(dql_avail(&dev_queue->dql) >= 0)) ++ return; ++ ++ set_bit(__QUEUE_STATE_STACK_XOFF, &dev_queue->state); ++ ++ /* ++ * The XOFF flag must be set before checking the dql_avail below, ++ * because in netdev_tx_completed_queue we update the dql_completed ++ * before checking the XOFF flag. ++ */ ++ smp_mb(); ++ ++ /* check again in case another CPU has just made room avail */ ++ if (unlikely(dql_avail(&dev_queue->dql) >= 0)) ++ clear_bit(__QUEUE_STATE_STACK_XOFF, &dev_queue->state); + #endif + } + +@@ -1916,16 +1926,23 @@ static inline void netdev_tx_completed_queue(struct netdev_queue *dev_queue, + unsigned pkts, unsigned bytes) + { + #ifdef CONFIG_BQL +- if (likely(bytes)) { +- dql_completed(&dev_queue->dql, bytes); +- if (unlikely(test_bit(__QUEUE_STATE_STACK_XOFF, +- &dev_queue->state) && +- dql_avail(&dev_queue->dql) >= 0)) { +- if (test_and_clear_bit(__QUEUE_STATE_STACK_XOFF, +- &dev_queue->state)) +- netif_schedule_queue(dev_queue); +- } +- } ++ if (unlikely(!bytes)) ++ return; ++ ++ dql_completed(&dev_queue->dql, bytes); ++ ++ /* ++ * Without the memory barrier there is a small possiblity that ++ * netdev_tx_sent_queue will miss the update and cause the queue to ++ * be stopped forever ++ */ ++ smp_mb(); ++ ++ if (dql_avail(&dev_queue->dql) < 0) ++ return; ++ ++ if (test_and_clear_bit(__QUEUE_STATE_STACK_XOFF, &dev_queue->state)) ++ netif_schedule_queue(dev_queue); + #endif + } + +@@ -1938,6 +1955,7 @@ static inline void netdev_completed_queue(struct net_device *dev, + static inline void netdev_tx_reset_queue(struct netdev_queue *q) + { + #ifdef CONFIG_BQL ++ clear_bit(__QUEUE_STATE_STACK_XOFF, &q->state); + dql_reset(&q->dql); + #endif + } +diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h +index c6db9fb..bb1fac5 100644 +--- a/include/linux/seqlock.h ++++ b/include/linux/seqlock.h +@@ -141,7 +141,7 @@ static inline unsigned __read_seqcount_begin(const seqcount_t *s) + unsigned ret; + + repeat: +- ret = s->sequence; ++ ret = ACCESS_ONCE(s->sequence); + if (unlikely(ret & 1)) { + cpu_relax(); + goto repeat; +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index a7cf829..24b1787 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -53,6 +53,84 @@ static unsigned long __initdata default_hstate_size; + */ + static DEFINE_SPINLOCK(hugetlb_lock); + ++static inline void unlock_or_release_subpool(struct hugepage_subpool *spool) ++{ ++ bool free = (spool->count == 0) && (spool->used_hpages == 0); ++ ++ spin_unlock(&spool->lock); ++ ++ /* If no pages are used, and no other handles to the subpool ++ * remain, free the subpool the subpool remain */ ++ if (free) ++ kfree(spool); ++} ++ ++struct hugepage_subpool *hugepage_new_subpool(long nr_blocks) ++{ ++ struct hugepage_subpool *spool; ++ ++ spool = kmalloc(sizeof(*spool), GFP_KERNEL); ++ if (!spool) ++ return NULL; ++ ++ spin_lock_init(&spool->lock); ++ spool->count = 1; ++ spool->max_hpages = nr_blocks; ++ spool->used_hpages = 0; ++ ++ return spool; ++} ++ ++void hugepage_put_subpool(struct hugepage_subpool *spool) ++{ ++ spin_lock(&spool->lock); ++ BUG_ON(!spool->count); ++ spool->count--; ++ unlock_or_release_subpool(spool); ++} ++ ++static int hugepage_subpool_get_pages(struct hugepage_subpool *spool, ++ long delta) ++{ ++ int ret = 0; ++ ++ if (!spool) ++ return 0; ++ ++ spin_lock(&spool->lock); ++ if ((spool->used_hpages + delta) <= spool->max_hpages) { ++ spool->used_hpages += delta; ++ } else { ++ ret = -ENOMEM; ++ } ++ spin_unlock(&spool->lock); ++ ++ return ret; ++} ++ ++static void hugepage_subpool_put_pages(struct hugepage_subpool *spool, ++ long delta) ++{ ++ if (!spool) ++ return; ++ ++ spin_lock(&spool->lock); ++ spool->used_hpages -= delta; ++ /* If hugetlbfs_put_super couldn't free spool due to ++ * an outstanding quota reference, free it now. */ ++ unlock_or_release_subpool(spool); ++} ++ ++static inline struct hugepage_subpool *subpool_inode(struct inode *inode) ++{ ++ return HUGETLBFS_SB(inode->i_sb)->spool; ++} ++ ++static inline struct hugepage_subpool *subpool_vma(struct vm_area_struct *vma) ++{ ++ return subpool_inode(vma->vm_file->f_dentry->d_inode); ++} ++ + /* + * Region tracking -- allows tracking of reservations and instantiated pages + * across the pages in a mapping. +@@ -533,9 +611,9 @@ static void free_huge_page(struct page *page) + */ + struct hstate *h = page_hstate(page); + int nid = page_to_nid(page); +- struct address_space *mapping; ++ struct hugepage_subpool *spool = ++ (struct hugepage_subpool *)page_private(page); + +- mapping = (struct address_space *) page_private(page); + set_page_private(page, 0); + page->mapping = NULL; + BUG_ON(page_count(page)); +@@ -551,8 +629,7 @@ static void free_huge_page(struct page *page) + enqueue_huge_page(h, page); + } + spin_unlock(&hugetlb_lock); +- if (mapping) +- hugetlb_put_quota(mapping, 1); ++ hugepage_subpool_put_pages(spool, 1); + } + + static void prep_new_huge_page(struct hstate *h, struct page *page, int nid) +@@ -966,11 +1043,12 @@ static void return_unused_surplus_pages(struct hstate *h, + /* + * Determine if the huge page at addr within the vma has an associated + * reservation. Where it does not we will need to logically increase +- * reservation and actually increase quota before an allocation can occur. +- * Where any new reservation would be required the reservation change is +- * prepared, but not committed. Once the page has been quota'd allocated +- * an instantiated the change should be committed via vma_commit_reservation. +- * No action is required on failure. ++ * reservation and actually increase subpool usage before an allocation ++ * can occur. Where any new reservation would be required the ++ * reservation change is prepared, but not committed. Once the page ++ * has been allocated from the subpool and instantiated the change should ++ * be committed via vma_commit_reservation. No action is required on ++ * failure. + */ + static long vma_needs_reservation(struct hstate *h, + struct vm_area_struct *vma, unsigned long addr) +@@ -1019,24 +1097,24 @@ static void vma_commit_reservation(struct hstate *h, + static struct page *alloc_huge_page(struct vm_area_struct *vma, + unsigned long addr, int avoid_reserve) + { ++ struct hugepage_subpool *spool = subpool_vma(vma); + struct hstate *h = hstate_vma(vma); + struct page *page; +- struct address_space *mapping = vma->vm_file->f_mapping; +- struct inode *inode = mapping->host; + long chg; + + /* +- * Processes that did not create the mapping will have no reserves and +- * will not have accounted against quota. Check that the quota can be +- * made before satisfying the allocation +- * MAP_NORESERVE mappings may also need pages and quota allocated +- * if no reserve mapping overlaps. ++ * Processes that did not create the mapping will have no ++ * reserves and will not have accounted against subpool ++ * limit. Check that the subpool limit can be made before ++ * satisfying the allocation MAP_NORESERVE mappings may also ++ * need pages and subpool limit allocated allocated if no reserve ++ * mapping overlaps. + */ + chg = vma_needs_reservation(h, vma, addr); + if (chg < 0) + return ERR_PTR(-VM_FAULT_OOM); + if (chg) +- if (hugetlb_get_quota(inode->i_mapping, chg)) ++ if (hugepage_subpool_get_pages(spool, chg)) + return ERR_PTR(-VM_FAULT_SIGBUS); + + spin_lock(&hugetlb_lock); +@@ -1046,12 +1124,12 @@ static struct page *alloc_huge_page(struct vm_area_struct *vma, + if (!page) { + page = alloc_buddy_huge_page(h, NUMA_NO_NODE); + if (!page) { +- hugetlb_put_quota(inode->i_mapping, chg); ++ hugepage_subpool_put_pages(spool, chg); + return ERR_PTR(-VM_FAULT_SIGBUS); + } + } + +- set_page_private(page, (unsigned long) mapping); ++ set_page_private(page, (unsigned long)spool); + + vma_commit_reservation(h, vma, addr); + +@@ -2072,6 +2150,7 @@ static void hugetlb_vm_op_close(struct vm_area_struct *vma) + { + struct hstate *h = hstate_vma(vma); + struct resv_map *reservations = vma_resv_map(vma); ++ struct hugepage_subpool *spool = subpool_vma(vma); + unsigned long reserve; + unsigned long start; + unsigned long end; +@@ -2087,7 +2166,7 @@ static void hugetlb_vm_op_close(struct vm_area_struct *vma) + + if (reserve) { + hugetlb_acct_memory(h, -reserve); +- hugetlb_put_quota(vma->vm_file->f_mapping, reserve); ++ hugepage_subpool_put_pages(spool, reserve); + } + } + } +@@ -2316,7 +2395,7 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, + */ + address = address & huge_page_mask(h); + pgoff = vma_hugecache_offset(h, vma, address); +- mapping = (struct address_space *)page_private(page); ++ mapping = vma->vm_file->f_dentry->d_inode->i_mapping; + + /* + * Take the mapping lock for the duration of the table walk. As +@@ -2871,11 +2950,12 @@ int hugetlb_reserve_pages(struct inode *inode, + { + long ret, chg; + struct hstate *h = hstate_inode(inode); ++ struct hugepage_subpool *spool = subpool_inode(inode); + + /* + * Only apply hugepage reservation if asked. At fault time, an + * attempt will be made for VM_NORESERVE to allocate a page +- * and filesystem quota without using reserves ++ * without using reserves + */ + if (vm_flags & VM_NORESERVE) + return 0; +@@ -2902,17 +2982,17 @@ int hugetlb_reserve_pages(struct inode *inode, + if (chg < 0) + return chg; + +- /* There must be enough filesystem quota for the mapping */ +- if (hugetlb_get_quota(inode->i_mapping, chg)) ++ /* There must be enough pages in the subpool for the mapping */ ++ if (hugepage_subpool_get_pages(spool, chg)) + return -ENOSPC; + + /* + * Check enough hugepages are available for the reservation. +- * Hand back the quota if there are not ++ * Hand the pages back to the subpool if there are not + */ + ret = hugetlb_acct_memory(h, chg); + if (ret < 0) { +- hugetlb_put_quota(inode->i_mapping, chg); ++ hugepage_subpool_put_pages(spool, chg); + return ret; + } + +@@ -2936,12 +3016,13 @@ void hugetlb_unreserve_pages(struct inode *inode, long offset, long freed) + { + struct hstate *h = hstate_inode(inode); + long chg = region_truncate(&inode->i_mapping->private_list, offset); ++ struct hugepage_subpool *spool = subpool_inode(inode); + + spin_lock(&inode->i_lock); + inode->i_blocks -= (blocks_per_huge_page(h) * freed); + spin_unlock(&inode->i_lock); + +- hugetlb_put_quota(inode->i_mapping, (chg - freed)); ++ hugepage_subpool_put_pages(spool, (chg - freed)); + hugetlb_acct_memory(h, -(chg - freed)); + } + +diff --git a/net/core/dev.c b/net/core/dev.c +index 7f72c9c..0336374 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -1412,14 +1412,34 @@ EXPORT_SYMBOL(register_netdevice_notifier); + * register_netdevice_notifier(). The notifier is unlinked into the + * kernel structures and may then be reused. A negative errno code + * is returned on a failure. ++ * ++ * After unregistering unregister and down device events are synthesized ++ * for all devices on the device list to the removed notifier to remove ++ * the need for special case cleanup code. + */ + + int unregister_netdevice_notifier(struct notifier_block *nb) + { ++ struct net_device *dev; ++ struct net *net; + int err; + + rtnl_lock(); + err = raw_notifier_chain_unregister(&netdev_chain, nb); ++ if (err) ++ goto unlock; ++ ++ for_each_net(net) { ++ for_each_netdev(net, dev) { ++ if (dev->flags & IFF_UP) { ++ nb->notifier_call(nb, NETDEV_GOING_DOWN, dev); ++ nb->notifier_call(nb, NETDEV_DOWN, dev); ++ } ++ nb->notifier_call(nb, NETDEV_UNREGISTER, dev); ++ nb->notifier_call(nb, NETDEV_UNREGISTER_BATCH, dev); ++ } ++ } ++unlock: + rtnl_unlock(); + return err; + } +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 8c85021..e2327db 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3240,7 +3240,7 @@ void __init tcp_init(void) + { + struct sk_buff *skb = NULL; + unsigned long limit; +- int max_share, cnt; ++ int max_rshare, max_wshare, cnt; + unsigned int i; + unsigned long jiffy = jiffies; + +@@ -3300,15 +3300,16 @@ void __init tcp_init(void) + tcp_init_mem(&init_net); + /* Set per-socket limits to no more than 1/128 the pressure threshold */ + limit = nr_free_buffer_pages() << (PAGE_SHIFT - 7); +- max_share = min(4UL*1024*1024, limit); ++ max_wshare = min(4UL*1024*1024, limit); ++ max_rshare = min(6UL*1024*1024, limit); + + sysctl_tcp_wmem[0] = SK_MEM_QUANTUM; + sysctl_tcp_wmem[1] = 16*1024; +- sysctl_tcp_wmem[2] = max(64*1024, max_share); ++ sysctl_tcp_wmem[2] = max(64*1024, max_wshare); + + sysctl_tcp_rmem[0] = SK_MEM_QUANTUM; + sysctl_tcp_rmem[1] = 87380; +- sysctl_tcp_rmem[2] = max(87380, max_share); ++ sysctl_tcp_rmem[2] = max(87380, max_rshare); + + printk(KERN_INFO "TCP: Hash tables configured " + "(established %u bind %u)\n", +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 1c30511..169f3a6 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -83,7 +83,7 @@ int sysctl_tcp_ecn __read_mostly = 2; + EXPORT_SYMBOL(sysctl_tcp_ecn); + int sysctl_tcp_dsack __read_mostly = 1; + int sysctl_tcp_app_win __read_mostly = 31; +-int sysctl_tcp_adv_win_scale __read_mostly = 2; ++int sysctl_tcp_adv_win_scale __read_mostly = 1; + EXPORT_SYMBOL(sysctl_tcp_adv_win_scale); + + int sysctl_tcp_stdurg __read_mostly; +@@ -2866,11 +2866,14 @@ static inline void tcp_complete_cwr(struct sock *sk) + + /* Do not moderate cwnd if it's already undone in cwr or recovery. */ + if (tp->undo_marker) { +- if (inet_csk(sk)->icsk_ca_state == TCP_CA_CWR) ++ if (inet_csk(sk)->icsk_ca_state == TCP_CA_CWR) { + tp->snd_cwnd = min(tp->snd_cwnd, tp->snd_ssthresh); +- else /* PRR */ ++ tp->snd_cwnd_stamp = tcp_time_stamp; ++ } else if (tp->snd_ssthresh < TCP_INFINITE_SSTHRESH) { ++ /* PRR algorithm. */ + tp->snd_cwnd = tp->snd_ssthresh; +- tp->snd_cwnd_stamp = tcp_time_stamp; ++ tp->snd_cwnd_stamp = tcp_time_stamp; ++ } + } + tcp_ca_event(sk, CA_EVENT_COMPLETE_CWR); + } +diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c +index 55670ec..2a2a3e7 100644 +--- a/net/l2tp/l2tp_ip.c ++++ b/net/l2tp/l2tp_ip.c +@@ -441,8 +441,9 @@ static int l2tp_ip_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m + + daddr = lip->l2tp_addr.s_addr; + } else { ++ rc = -EDESTADDRREQ; + if (sk->sk_state != TCP_ESTABLISHED) +- return -EDESTADDRREQ; ++ goto out; + + daddr = inet->inet_daddr; + connected = 1; +diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c +index 5da548f..ebd2296 100644 +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -408,10 +408,8 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch) + if (q->corrupt && q->corrupt >= get_crandom(&q->corrupt_cor)) { + if (!(skb = skb_unshare(skb, GFP_ATOMIC)) || + (skb->ip_summed == CHECKSUM_PARTIAL && +- skb_checksum_help(skb))) { +- sch->qstats.drops++; +- return NET_XMIT_DROP; +- } ++ skb_checksum_help(skb))) ++ return qdisc_drop(skb, sch); + + skb->data[net_random() % skb_headlen(skb)] ^= 1<<(net_random() % 8); + } +diff --git a/sound/soc/codecs/tlv320aic23.c b/sound/soc/codecs/tlv320aic23.c +index dfa41a9..e7de911 100644 +--- a/sound/soc/codecs/tlv320aic23.c ++++ b/sound/soc/codecs/tlv320aic23.c +@@ -472,7 +472,7 @@ static int tlv320aic23_set_dai_sysclk(struct snd_soc_dai *codec_dai, + static int tlv320aic23_set_bias_level(struct snd_soc_codec *codec, + enum snd_soc_bias_level level) + { +- u16 reg = snd_soc_read(codec, TLV320AIC23_PWR) & 0xff7f; ++ u16 reg = snd_soc_read(codec, TLV320AIC23_PWR) & 0x17f; + + switch (level) { + case SND_SOC_BIAS_ON: +@@ -491,7 +491,7 @@ static int tlv320aic23_set_bias_level(struct snd_soc_codec *codec, + case SND_SOC_BIAS_OFF: + /* everything off, dac mute, inactive */ + snd_soc_write(codec, TLV320AIC23_ACTIVE, 0x0); +- snd_soc_write(codec, TLV320AIC23_PWR, 0xffff); ++ snd_soc_write(codec, TLV320AIC23_PWR, 0x1ff); + break; + } + codec->dapm.bias_level = level; +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 92cee24..48e91cd 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -3420,10 +3420,10 @@ int snd_soc_of_parse_audio_routing(struct snd_soc_card *card, + int i, ret; + + num_routes = of_property_count_strings(np, propname); +- if (num_routes & 1) { ++ if (num_routes < 0 || num_routes & 1) { + dev_err(card->dev, +- "Property '%s's length is not even\n", +- propname); ++ "Property '%s' does not exist or its length is not even\n", ++ propname); + return -EINVAL; + } + num_routes /= 2; +diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c +index fec1723..e9fff98 100644 +--- a/virt/kvm/iommu.c ++++ b/virt/kvm/iommu.c +@@ -240,9 +240,13 @@ int kvm_iommu_map_guest(struct kvm *kvm) + return -ENODEV; + } + ++ mutex_lock(&kvm->slots_lock); ++ + kvm->arch.iommu_domain = iommu_domain_alloc(&pci_bus_type); +- if (!kvm->arch.iommu_domain) +- return -ENOMEM; ++ if (!kvm->arch.iommu_domain) { ++ r = -ENOMEM; ++ goto out_unlock; ++ } + + if (!allow_unsafe_assigned_interrupts && + !iommu_domain_has_cap(kvm->arch.iommu_domain, +@@ -253,17 +257,16 @@ int kvm_iommu_map_guest(struct kvm *kvm) + " module option.\n", __func__); + iommu_domain_free(kvm->arch.iommu_domain); + kvm->arch.iommu_domain = NULL; +- return -EPERM; ++ r = -EPERM; ++ goto out_unlock; + } + + r = kvm_iommu_map_memslots(kvm); + if (r) +- goto out_unmap; +- +- return 0; ++ kvm_iommu_unmap_memslots(kvm); + +-out_unmap: +- kvm_iommu_unmap_memslots(kvm); ++out_unlock: ++ mutex_unlock(&kvm->slots_lock); + return r; + } + +@@ -340,7 +343,11 @@ int kvm_iommu_unmap_guest(struct kvm *kvm) + if (!domain) + return 0; + ++ mutex_lock(&kvm->slots_lock); + kvm_iommu_unmap_memslots(kvm); ++ kvm->arch.iommu_domain = NULL; ++ mutex_unlock(&kvm->slots_lock); ++ + iommu_domain_free(domain); + return 0; + } +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index c4ac57e..7858228 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -289,15 +289,15 @@ static void kvm_mmu_notifier_invalidate_page(struct mmu_notifier *mn, + */ + idx = srcu_read_lock(&kvm->srcu); + spin_lock(&kvm->mmu_lock); ++ + kvm->mmu_notifier_seq++; + need_tlb_flush = kvm_unmap_hva(kvm, address) | kvm->tlbs_dirty; +- spin_unlock(&kvm->mmu_lock); +- srcu_read_unlock(&kvm->srcu, idx); +- + /* we've to flush the tlb before the pages can be freed */ + if (need_tlb_flush) + kvm_flush_remote_tlbs(kvm); + ++ spin_unlock(&kvm->mmu_lock); ++ srcu_read_unlock(&kvm->srcu, idx); + } + + static void kvm_mmu_notifier_change_pte(struct mmu_notifier *mn, +@@ -335,12 +335,12 @@ static void kvm_mmu_notifier_invalidate_range_start(struct mmu_notifier *mn, + for (; start < end; start += PAGE_SIZE) + need_tlb_flush |= kvm_unmap_hva(kvm, start); + need_tlb_flush |= kvm->tlbs_dirty; +- spin_unlock(&kvm->mmu_lock); +- srcu_read_unlock(&kvm->srcu, idx); +- + /* we've to flush the tlb before the pages can be freed */ + if (need_tlb_flush) + kvm_flush_remote_tlbs(kvm); ++ ++ spin_unlock(&kvm->mmu_lock); ++ srcu_read_unlock(&kvm->srcu, idx); + } + + static void kvm_mmu_notifier_invalidate_range_end(struct mmu_notifier *mn, +@@ -378,13 +378,14 @@ static int kvm_mmu_notifier_clear_flush_young(struct mmu_notifier *mn, + + idx = srcu_read_lock(&kvm->srcu); + spin_lock(&kvm->mmu_lock); +- young = kvm_age_hva(kvm, address); +- spin_unlock(&kvm->mmu_lock); +- srcu_read_unlock(&kvm->srcu, idx); + ++ young = kvm_age_hva(kvm, address); + if (young) + kvm_flush_remote_tlbs(kvm); + ++ spin_unlock(&kvm->mmu_lock); ++ srcu_read_unlock(&kvm->srcu, idx); ++ + return young; + } + +@@ -1719,6 +1720,10 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id) + goto vcpu_destroy; + + mutex_lock(&kvm->lock); ++ if (!kvm_vcpu_compatible(vcpu)) { ++ r = -EINVAL; ++ goto unlock_vcpu_destroy; ++ } + if (atomic_read(&kvm->online_vcpus) == KVM_MAX_VCPUS) { + r = -EINVAL; + goto unlock_vcpu_destroy; diff --git a/3.3.5/4420_grsecurity-2.9-3.3.5-201205071839.patch b/3.3.6/4420_grsecurity-2.9-3.3.6-201205131658.patch index 222eccd..0bad506 100644 --- a/3.3.5/4420_grsecurity-2.9-3.3.5-201205071839.patch +++ b/3.3.6/4420_grsecurity-2.9-3.3.6-201205131658.patch @@ -195,7 +195,7 @@ index d99fd9c..8689fef 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 64615e9..64d72ce 100644 +index 9cd6941..92e68ff 100644 --- a/Makefile +++ b/Makefile @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -1457,6 +1457,36 @@ index e4c96cc..1145653 100644 #endif /* __ASSEMBLY__ */ #define arch_align_stack(x) (x) +diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h +index d4c24d4..4ac53e8 100644 +--- a/arch/arm/include/asm/thread_info.h ++++ b/arch/arm/include/asm/thread_info.h +@@ -141,6 +141,12 @@ extern void vfp_flush_hwstate(struct thread_info *); + #define TIF_NOTIFY_RESUME 2 /* callback before returning to user */ + #define TIF_SYSCALL_TRACE 8 + #define TIF_SYSCALL_AUDIT 9 ++ ++/* within 8 bits of TIF_SYSCALL_TRACE ++ to meet flexible second operand requirements ++*/ ++#define TIF_GRSEC_SETXID 10 ++ + #define TIF_POLLING_NRFLAG 16 + #define TIF_USING_IWMMXT 17 + #define TIF_MEMDIE 18 /* is terminating due to OOM killer */ +@@ -156,9 +162,11 @@ extern void vfp_flush_hwstate(struct thread_info *); + #define _TIF_USING_IWMMXT (1 << TIF_USING_IWMMXT) + #define _TIF_RESTORE_SIGMASK (1 << TIF_RESTORE_SIGMASK) + #define _TIF_SECCOMP (1 << TIF_SECCOMP) ++#define _TIF_GRSEC_SETXID (1 << TIF_GRSEC_SETXID) + + /* Checks for any syscall work in entry-common.S */ +-#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT) ++#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \ ++ _TIF_GRSEC_SETXID) + + /* + * Change these and you break ASM code in entry-common.S diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h index 2958976..12ccac4 100644 --- a/arch/arm/include/asm/uaccess.h @@ -1568,6 +1598,30 @@ index 971d65c..cc936fb 100644 #ifdef CONFIG_MMU /* * The vectors page is always readable from user space for the +diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c +index f5ce8ab..4b73893 100644 +--- a/arch/arm/kernel/ptrace.c ++++ b/arch/arm/kernel/ptrace.c +@@ -905,10 +905,19 @@ long arch_ptrace(struct task_struct *child, long request, + return ret; + } + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + asmlinkage int syscall_trace(int why, struct pt_regs *regs, int scno) + { + unsigned long ip; + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + if (why) + audit_syscall_exit(regs); + else diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c index a255c39..4a19b25 100644 --- a/arch/arm/kernel/setup.c @@ -2791,6 +2845,40 @@ index 6018c80..7c37203 100644 +#define arch_align_stack(x) ((x) & ~0xfUL) #endif /* _ASM_SYSTEM_H */ +diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h +index 0d85d8e..ec71487 100644 +--- a/arch/mips/include/asm/thread_info.h ++++ b/arch/mips/include/asm/thread_info.h +@@ -123,6 +123,8 @@ register struct thread_info *__current_thread_info __asm__("$28"); + #define TIF_32BIT_ADDR 23 /* 32-bit address space (o32/n32) */ + #define TIF_FPUBOUND 24 /* thread bound to FPU-full CPU set */ + #define TIF_LOAD_WATCH 25 /* If set, load watch registers */ ++/* li takes a 32bit immediate */ ++#define TIF_GRSEC_SETXID 29 /* update credentials on syscall entry/exit */ + #define TIF_SYSCALL_TRACE 31 /* syscall trace active */ + + #ifdef CONFIG_MIPS32_O32 +@@ -146,15 +148,18 @@ register struct thread_info *__current_thread_info __asm__("$28"); + #define _TIF_32BIT_ADDR (1<<TIF_32BIT_ADDR) + #define _TIF_FPUBOUND (1<<TIF_FPUBOUND) + #define _TIF_LOAD_WATCH (1<<TIF_LOAD_WATCH) ++#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID) ++ ++#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_GRSEC_SETXID) + + /* work to do in syscall_trace_leave() */ +-#define _TIF_WORK_SYSCALL_EXIT (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT) ++#define _TIF_WORK_SYSCALL_EXIT (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_GRSEC_SETXID) + + /* work to do on interrupt/exception return */ + #define _TIF_WORK_MASK (0x0000ffef & \ + ~(_TIF_SECCOMP | _TIF_SYSCALL_AUDIT)) + /* work to do on any return to u-space */ +-#define _TIF_ALLWORK_MASK (0x8000ffff & ~_TIF_SECCOMP) ++#define _TIF_ALLWORK_MASK ((0x8000ffff & ~_TIF_SECCOMP) | _TIF_GRSEC_SETXID) + + #endif /* __KERNEL__ */ + diff --git a/arch/mips/kernel/binfmt_elfn32.c b/arch/mips/kernel/binfmt_elfn32.c index 9fdd8bc..4bd7f1a 100644 --- a/arch/mips/kernel/binfmt_elfn32.c @@ -2847,6 +2935,85 @@ index 7955409..ceaea7c 100644 - - return sp & ALMASK; -} +diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c +index 7786b60..3e38c72 100644 +--- a/arch/mips/kernel/ptrace.c ++++ b/arch/mips/kernel/ptrace.c +@@ -529,6 +529,10 @@ static inline int audit_arch(void) + return arch; + } + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + /* + * Notification of system call entry/exit + * - triggered by current->work.syscall_trace +@@ -538,6 +542,11 @@ asmlinkage void syscall_trace_enter(struct pt_regs *regs) + /* do the secure computing check first */ + secure_computing(regs->regs[2]); + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + if (!(current->ptrace & PT_PTRACED)) + goto out; + +diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S +index a632bc1..0b77c7c 100644 +--- a/arch/mips/kernel/scall32-o32.S ++++ b/arch/mips/kernel/scall32-o32.S +@@ -52,7 +52,7 @@ NESTED(handle_sys, PT_SIZE, sp) + + stack_done: + lw t0, TI_FLAGS($28) # syscall tracing enabled? +- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT ++ li t1, _TIF_SYSCALL_WORK + and t0, t1 + bnez t0, syscall_trace_entry # -> yes + +diff --git a/arch/mips/kernel/scall64-64.S b/arch/mips/kernel/scall64-64.S +index 3b5a5e9..e1ee86d 100644 +--- a/arch/mips/kernel/scall64-64.S ++++ b/arch/mips/kernel/scall64-64.S +@@ -54,7 +54,7 @@ NESTED(handle_sys64, PT_SIZE, sp) + + sd a3, PT_R26(sp) # save a3 for syscall restarting + +- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT ++ li t1, _TIF_SYSCALL_WORK + LONG_L t0, TI_FLAGS($28) # syscall tracing enabled? + and t0, t1, t0 + bnez t0, syscall_trace_entry +diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S +index 6be6f70..1859577 100644 +--- a/arch/mips/kernel/scall64-n32.S ++++ b/arch/mips/kernel/scall64-n32.S +@@ -53,7 +53,7 @@ NESTED(handle_sysn32, PT_SIZE, sp) + + sd a3, PT_R26(sp) # save a3 for syscall restarting + +- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT ++ li t1, _TIF_SYSCALL_WORK + LONG_L t0, TI_FLAGS($28) # syscall tracing enabled? + and t0, t1, t0 + bnez t0, n32_syscall_trace_entry +diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S +index 5422855..74e63a3 100644 +--- a/arch/mips/kernel/scall64-o32.S ++++ b/arch/mips/kernel/scall64-o32.S +@@ -81,7 +81,7 @@ NESTED(handle_sys, PT_SIZE, sp) + PTR 4b, bad_stack + .previous + +- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT ++ li t1, _TIF_SYSCALL_WORK + LONG_L t0, TI_FLAGS($28) # syscall tracing enabled? + and t0, t1, t0 + bnez t0, trace_a_syscall diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c index 69ebd58..e4bff83 100644 --- a/arch/mips/mm/fault.c @@ -3689,6 +3856,40 @@ index c377457..3c69fbc 100644 /* Used in very early kernel initialization. */ extern unsigned long reloc_offset(void); +diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h +index 96471494..60ed5a2 100644 +--- a/arch/powerpc/include/asm/thread_info.h ++++ b/arch/powerpc/include/asm/thread_info.h +@@ -104,13 +104,15 @@ static inline struct thread_info *current_thread_info(void) + #define TIF_PERFMON_CTXSW 6 /* perfmon needs ctxsw calls */ + #define TIF_SYSCALL_AUDIT 7 /* syscall auditing active */ + #define TIF_SINGLESTEP 8 /* singlestepping active */ +-#define TIF_MEMDIE 9 /* is terminating due to OOM killer */ + #define TIF_SECCOMP 10 /* secure computing */ + #define TIF_RESTOREALL 11 /* Restore all regs (implies NOERROR) */ + #define TIF_NOERROR 12 /* Force successful syscall return */ + #define TIF_NOTIFY_RESUME 13 /* callback before returning to user */ + #define TIF_SYSCALL_TRACEPOINT 15 /* syscall tracepoint instrumentation */ + #define TIF_RUNLATCH 16 /* Is the runlatch enabled? */ ++#define TIF_MEMDIE 17 /* is terminating due to OOM killer */ ++/* mask must be expressable within 16 bits to satisfy 'andi' instruction reqs */ ++#define TIF_GRSEC_SETXID 9 /* update credentials on syscall entry/exit */ + + /* as above, but as bit values */ + #define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE) +@@ -128,8 +130,11 @@ static inline struct thread_info *current_thread_info(void) + #define _TIF_NOTIFY_RESUME (1<<TIF_NOTIFY_RESUME) + #define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT) + #define _TIF_RUNLATCH (1<<TIF_RUNLATCH) ++#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID) ++ + #define _TIF_SYSCALL_T_OR_A (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \ +- _TIF_SECCOMP | _TIF_SYSCALL_TRACEPOINT) ++ _TIF_SECCOMP | _TIF_SYSCALL_TRACEPOINT \ ++ _TIF_GRSEC_SETXID) + + #define _TIF_USER_WORK_MASK (_TIF_SIGPENDING | _TIF_NEED_RESCHED | \ + _TIF_NOTIFY_RESUME) diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h index bd0fb84..a42a14b 100644 --- a/arch/powerpc/include/asm/uaccess.h @@ -4065,6 +4266,45 @@ index d817ab0..b23b18e 100644 - - return ret; -} +diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c +index 5b43325..94a5bb4 100644 +--- a/arch/powerpc/kernel/ptrace.c ++++ b/arch/powerpc/kernel/ptrace.c +@@ -1702,6 +1702,10 @@ long arch_ptrace(struct task_struct *child, long request, + return ret; + } + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + /* + * We must return the syscall number to actually look up in the table. + * This can be -1L to skip running any syscall at all. +@@ -1712,6 +1716,11 @@ long do_syscall_trace_enter(struct pt_regs *regs) + + secure_computing(regs->gpr[0]); + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + if (test_thread_flag(TIF_SYSCALL_TRACE) && + tracehook_report_syscall_entry(regs)) + /* +@@ -1746,6 +1755,11 @@ void do_syscall_trace_leave(struct pt_regs *regs) + { + int step; + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + audit_syscall_exit(regs); + + if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c index 836a5a1..27289a3 100644 --- a/arch/powerpc/kernel/signal_32.c @@ -5253,7 +5493,7 @@ index c2a1080..21ed218 100644 /* diff --git a/arch/sparc/include/asm/thread_info_64.h b/arch/sparc/include/asm/thread_info_64.h -index 01d057f..0a02f7e 100644 +index 01d057f..13a7d2f 100644 --- a/arch/sparc/include/asm/thread_info_64.h +++ b/arch/sparc/include/asm/thread_info_64.h @@ -63,6 +63,8 @@ struct thread_info { @@ -5265,6 +5505,38 @@ index 01d057f..0a02f7e 100644 unsigned long fpregs[0] __attribute__ ((aligned(64))); }; +@@ -214,10 +216,11 @@ register struct thread_info *current_thread_info_reg asm("g6"); + #define TIF_UNALIGNED 5 /* allowed to do unaligned accesses */ + /* flag bit 6 is available */ + #define TIF_32BIT 7 /* 32-bit binary */ +-/* flag bit 8 is available */ ++#define TIF_GRSEC_SETXID 8 /* update credentials on syscall entry/exit */ + #define TIF_SECCOMP 9 /* secure computing */ + #define TIF_SYSCALL_AUDIT 10 /* syscall auditing active */ + #define TIF_SYSCALL_TRACEPOINT 11 /* syscall tracepoint instrumentation */ ++ + /* NOTE: Thread flags >= 12 should be ones we have no interest + * in using in assembly, else we can't use the mask as + * an immediate value in instructions such as andcc. +@@ -236,12 +239,18 @@ register struct thread_info *current_thread_info_reg asm("g6"); + #define _TIF_SYSCALL_AUDIT (1<<TIF_SYSCALL_AUDIT) + #define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT) + #define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG) ++#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID) + + #define _TIF_USER_WORK_MASK ((0xff << TI_FLAG_WSAVED_SHIFT) | \ + _TIF_DO_NOTIFY_RESUME_MASK | \ + _TIF_NEED_RESCHED) + #define _TIF_DO_NOTIFY_RESUME_MASK (_TIF_NOTIFY_RESUME | _TIF_SIGPENDING) + ++#define _TIF_WORK_SYSCALL \ ++ (_TIF_SYSCALL_TRACE | _TIF_SECCOMP | _TIF_SYSCALL_AUDIT | \ ++ _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID) ++ ++ + /* + * Thread-synchronous status. + * diff --git a/arch/sparc/include/asm/uaccess.h b/arch/sparc/include/asm/uaccess.h index e88fbe5..96b0ce5 100644 --- a/arch/sparc/include/asm/uaccess.h @@ -5475,6 +5747,45 @@ index 39d8b05..d1a7d90 100644 (void *) gp->tpc, (void *) gp->o7, (void *) gp->i7, +diff --git a/arch/sparc/kernel/ptrace_64.c b/arch/sparc/kernel/ptrace_64.c +index 9388844..0075fd2 100644 +--- a/arch/sparc/kernel/ptrace_64.c ++++ b/arch/sparc/kernel/ptrace_64.c +@@ -1058,6 +1058,10 @@ long arch_ptrace(struct task_struct *child, long request, + return ret; + } + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + asmlinkage int syscall_trace_enter(struct pt_regs *regs) + { + int ret = 0; +@@ -1065,6 +1069,11 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs) + /* do the secure computing check first */ + secure_computing(regs->u_regs[UREG_G1]); + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + if (test_thread_flag(TIF_SYSCALL_TRACE)) + ret = tracehook_report_syscall_entry(regs); + +@@ -1085,6 +1094,11 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs) + + asmlinkage void syscall_trace_leave(struct pt_regs *regs) + { ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + audit_syscall_exit(regs); + + if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) diff --git a/arch/sparc/kernel/sys_sparc_32.c b/arch/sparc/kernel/sys_sparc_32.c index 42b282f..28ce9f2 100644 --- a/arch/sparc/kernel/sys_sparc_32.c @@ -5648,6 +5959,55 @@ index 232df99..cee1f9c 100644 mm->get_unmapped_area = arch_get_unmapped_area_topdown; mm->unmap_area = arch_unmap_area_topdown; } +diff --git a/arch/sparc/kernel/syscalls.S b/arch/sparc/kernel/syscalls.S +index 1d7e274..b39c527 100644 +--- a/arch/sparc/kernel/syscalls.S ++++ b/arch/sparc/kernel/syscalls.S +@@ -62,7 +62,7 @@ sys32_rt_sigreturn: + #endif + .align 32 + 1: ldx [%g6 + TI_FLAGS], %l5 +- andcc %l5, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0 ++ andcc %l5, _TIF_WORK_SYSCALL, %g0 + be,pt %icc, rtrap + nop + call syscall_trace_leave +@@ -179,7 +179,7 @@ linux_sparc_syscall32: + + srl %i5, 0, %o5 ! IEU1 + srl %i2, 0, %o2 ! IEU0 Group +- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0 ++ andcc %l0, _TIF_WORK_SYSCALL, %g0 + bne,pn %icc, linux_syscall_trace32 ! CTI + mov %i0, %l5 ! IEU1 + call %l7 ! CTI Group brk forced +@@ -202,7 +202,7 @@ linux_sparc_syscall: + + mov %i3, %o3 ! IEU1 + mov %i4, %o4 ! IEU0 Group +- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0 ++ andcc %l0, _TIF_WORK_SYSCALL, %g0 + bne,pn %icc, linux_syscall_trace ! CTI Group + mov %i0, %l5 ! IEU0 + 2: call %l7 ! CTI Group brk forced +@@ -226,7 +226,7 @@ ret_sys_call: + + cmp %o0, -ERESTART_RESTARTBLOCK + bgeu,pn %xcc, 1f +- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %l6 ++ andcc %l0, _TIF_WORK_SYSCALL, %l6 + 80: + /* System call success, clear Carry condition code. */ + andn %g3, %g2, %g3 +@@ -241,7 +241,7 @@ ret_sys_call: + /* System call failure, set Carry condition code. + * Also, get abs(errno) to return to the process. + */ +- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %l6 ++ andcc %l0, _TIF_WORK_SYSCALL, %l6 + sub %g0, %o0, %o0 + or %g3, %g2, %g3 + stx %o0, [%sp + PTREGS_OFF + PT_V9_I0] diff --git a/arch/sparc/kernel/traps_32.c b/arch/sparc/kernel/traps_32.c index 591f20c..0f1b925 100644 --- a/arch/sparc/kernel/traps_32.c @@ -7519,7 +7879,7 @@ index 7116dcb..d9ae1d7 100644 #endif diff --git a/arch/x86/boot/compressed/relocs.c b/arch/x86/boot/compressed/relocs.c -index 89bbf4e..869908e 100644 +index e77f4e4..17e511f 100644 --- a/arch/x86/boot/compressed/relocs.c +++ b/arch/x86/boot/compressed/relocs.c @@ -13,8 +13,11 @@ @@ -7624,7 +7984,7 @@ index 89bbf4e..869908e 100644 rel->r_info = elf32_to_cpu(rel->r_info); } } -@@ -396,14 +440,14 @@ static void read_relocs(FILE *fp) +@@ -396,13 +440,13 @@ static void read_relocs(FILE *fp) static void print_absolute_symbols(void) { @@ -7635,13 +7995,12 @@ index 89bbf4e..869908e 100644 for (i = 0; i < ehdr.e_shnum; i++) { struct section *sec = &secs[i]; char *sym_strtab; - Elf32_Sym *sh_symtab; - int j; + unsigned int j; if (sec->shdr.sh_type != SHT_SYMTAB) { continue; -@@ -431,14 +475,14 @@ static void print_absolute_symbols(void) +@@ -429,14 +473,14 @@ static void print_absolute_symbols(void) static void print_absolute_relocs(void) { @@ -7658,7 +8017,7 @@ index 89bbf4e..869908e 100644 if (sec->shdr.sh_type != SHT_REL) { continue; } -@@ -499,13 +543,13 @@ static void print_absolute_relocs(void) +@@ -497,13 +541,13 @@ static void print_absolute_relocs(void) static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym)) { @@ -7674,7 +8033,7 @@ index 89bbf4e..869908e 100644 struct section *sec = &secs[i]; if (sec->shdr.sh_type != SHT_REL) { -@@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym)) +@@ -528,6 +572,22 @@ static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym)) !is_rel_reloc(sym_name(sym_strtab, sym))) { continue; } @@ -7697,7 +8056,7 @@ index 89bbf4e..869908e 100644 switch (r_type) { case R_386_NONE: case R_386_PC32: -@@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, const void *vb) +@@ -569,7 +629,7 @@ static int cmp_relocs(const void *va, const void *vb) static void emit_relocs(int as_text) { @@ -7706,7 +8065,7 @@ index 89bbf4e..869908e 100644 /* Count how many relocations I have and allocate space for them. */ reloc_count = 0; walk_relocs(count_reloc); -@@ -665,6 +725,7 @@ int main(int argc, char **argv) +@@ -663,6 +723,7 @@ int main(int argc, char **argv) fname, strerror(errno)); } read_ehdr(fp); @@ -12132,7 +12491,7 @@ index 2d2f01c..f985723 100644 /* * Force strict CPU ordering. diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h -index cfd8144..1b1127d 100644 +index cfd8144..664ac89 100644 --- a/arch/x86/include/asm/thread_info.h +++ b/arch/x86/include/asm/thread_info.h @@ -10,6 +10,7 @@ @@ -12182,7 +12541,45 @@ index cfd8144..1b1127d 100644 #define init_stack (init_thread_union.stack) #else /* !__ASSEMBLY__ */ -@@ -169,45 +163,40 @@ struct thread_info { +@@ -95,6 +89,7 @@ struct thread_info { + #define TIF_BLOCKSTEP 25 /* set when we want DEBUGCTLMSR_BTF */ + #define TIF_LAZY_MMU_UPDATES 27 /* task is updating the mmu lazily */ + #define TIF_SYSCALL_TRACEPOINT 28 /* syscall tracepoint instrumentation */ ++#define TIF_GRSEC_SETXID 29 /* update credentials on syscall entry/exit */ + + #define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE) + #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME) +@@ -116,16 +111,17 @@ struct thread_info { + #define _TIF_BLOCKSTEP (1 << TIF_BLOCKSTEP) + #define _TIF_LAZY_MMU_UPDATES (1 << TIF_LAZY_MMU_UPDATES) + #define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT) ++#define _TIF_GRSEC_SETXID (1 << TIF_GRSEC_SETXID) + + /* work to do in syscall_trace_enter() */ + #define _TIF_WORK_SYSCALL_ENTRY \ + (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_EMU | _TIF_SYSCALL_AUDIT | \ +- _TIF_SECCOMP | _TIF_SINGLESTEP | _TIF_SYSCALL_TRACEPOINT) ++ _TIF_SECCOMP | _TIF_SINGLESTEP | _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID) + + /* work to do in syscall_trace_leave() */ + #define _TIF_WORK_SYSCALL_EXIT \ + (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SINGLESTEP | \ +- _TIF_SYSCALL_TRACEPOINT) ++ _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID) + + /* work to do on interrupt/exception return */ + #define _TIF_WORK_MASK \ +@@ -135,7 +131,8 @@ struct thread_info { + + /* work to do on any return to user space */ + #define _TIF_ALLWORK_MASK \ +- ((0x0000FFFF & ~_TIF_SECCOMP) | _TIF_SYSCALL_TRACEPOINT) ++ ((0x0000FFFF & ~_TIF_SECCOMP) | _TIF_SYSCALL_TRACEPOINT | \ ++ _TIF_GRSEC_SETXID) + + /* Only used for 64 bit */ + #define _TIF_DO_NOTIFY_MASK \ +@@ -169,45 +166,40 @@ struct thread_info { ret; \ }) @@ -12253,7 +12650,7 @@ index cfd8144..1b1127d 100644 /* * macros/functions for gaining access to the thread information structure * preempt_count needs to be 1 initially, until the scheduler is functional. -@@ -215,27 +204,8 @@ static inline struct thread_info *current_thread_info(void) +@@ -215,27 +207,8 @@ static inline struct thread_info *current_thread_info(void) #ifndef __ASSEMBLY__ DECLARE_PER_CPU(unsigned long, kernel_stack); @@ -12283,7 +12680,7 @@ index cfd8144..1b1127d 100644 #endif #endif /* !X86_32 */ -@@ -269,5 +239,16 @@ extern void arch_task_cache_init(void); +@@ -269,5 +242,16 @@ extern void arch_task_cache_init(void); extern void free_thread_info(struct thread_info *ti); extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src); #define arch_task_cache_init arch_task_cache_init @@ -14606,7 +15003,7 @@ index 9b9f18b..9fcaa04 100644 #include <asm/processor.h> #include <asm/fcntl.h> diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S -index 7b784f4..76aaad7 100644 +index 7b784f4..db6b628 100644 --- a/arch/x86/kernel/entry_32.S +++ b/arch/x86/kernel/entry_32.S @@ -179,13 +179,146 @@ @@ -14799,7 +15196,7 @@ index 7b784f4..76aaad7 100644 +#ifdef CONFIG_PAX_KERNEXEC + jae resume_userspace + -+ PAX_EXIT_KERNEL ++ pax_exit_kernel + jmp resume_kernel +#else jb resume_kernel # not returning to v8086 or userspace @@ -18533,7 +18930,7 @@ index cfa5c90..4facd28 100644 ip = *(u64 *)(fp+8); if (!in_sched_functions(ip)) diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c -index 5026738..e1b5aa8 100644 +index 5026738..574f70a 100644 --- a/arch/x86/kernel/ptrace.c +++ b/arch/x86/kernel/ptrace.c @@ -792,6 +792,10 @@ static int ioperm_active(struct task_struct *target, @@ -18582,6 +18979,41 @@ index 5026738..e1b5aa8 100644 } void user_single_step_siginfo(struct task_struct *tsk, +@@ -1361,6 +1365,10 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, + # define IS_IA32 0 + #endif + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + /* + * We must return the syscall number to actually look up in the table. + * This can be -1L to skip running any syscall at all. +@@ -1369,6 +1377,11 @@ long syscall_trace_enter(struct pt_regs *regs) + { + long ret = 0; + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + /* + * If we stepped into a sysenter/syscall insn, it trapped in + * kernel mode; do_debug() cleared TF and set TIF_SINGLESTEP. +@@ -1412,6 +1425,11 @@ void syscall_trace_leave(struct pt_regs *regs) + { + bool step; + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + audit_syscall_exit(regs); + + if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) diff --git a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c index 42eb330..139955c 100644 --- a/arch/x86/kernel/pvclock.c @@ -18820,7 +19252,7 @@ index d7d5099..28555d0 100644 bss_resource.start = virt_to_phys(&__bss_start); bss_resource.end = virt_to_phys(&__bss_stop)-1; diff --git a/arch/x86/kernel/setup_percpu.c b/arch/x86/kernel/setup_percpu.c -index 71f4727..217419b 100644 +index 5a98aa2..848d2be 100644 --- a/arch/x86/kernel/setup_percpu.c +++ b/arch/x86/kernel/setup_percpu.c @@ -21,19 +21,17 @@ @@ -18879,7 +19311,7 @@ index 71f4727..217419b 100644 write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S); #endif -@@ -207,6 +209,11 @@ void __init setup_per_cpu_areas(void) +@@ -219,6 +221,11 @@ void __init setup_per_cpu_areas(void) /* alrighty, percpu areas up and running */ delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start; for_each_possible_cpu(cpu) { @@ -18891,7 +19323,7 @@ index 71f4727..217419b 100644 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu]; per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu); per_cpu(cpu_number, cpu) = cpu; -@@ -247,6 +254,12 @@ void __init setup_per_cpu_areas(void) +@@ -259,6 +266,12 @@ void __init setup_per_cpu_areas(void) */ set_cpu_numa_node(cpu, early_cpu_to_node(cpu)); #endif @@ -20334,7 +20766,7 @@ index e385214..f8df033 100644 local_irq_disable(); diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index 3b4c8d8..f457b63 100644 +index a7a6f60..04b745a 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -1306,7 +1306,11 @@ static void reload_tss(void) @@ -20349,7 +20781,7 @@ index 3b4c8d8..f457b63 100644 load_TR_desc(); } -@@ -2631,8 +2635,11 @@ static __init int hardware_setup(void) +@@ -2637,8 +2641,11 @@ static __init int hardware_setup(void) if (!cpu_has_vmx_flexpriority()) flexpriority_enabled = 0; @@ -20363,7 +20795,7 @@ index 3b4c8d8..f457b63 100644 if (enable_ept && !cpu_has_vmx_ept_2m_page()) kvm_disable_largepages(); -@@ -3648,7 +3655,7 @@ static void vmx_set_constant_host_state(void) +@@ -3654,7 +3661,7 @@ static void vmx_set_constant_host_state(void) vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */ asm("mov $.Lkvm_vmx_return, %0" : "=r"(tmpl)); @@ -20372,7 +20804,7 @@ index 3b4c8d8..f457b63 100644 rdmsr(MSR_IA32_SYSENTER_CS, low32, high32); vmcs_write32(HOST_IA32_SYSENTER_CS, low32); -@@ -6184,6 +6191,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -6192,6 +6199,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) "jmp .Lkvm_vmx_return \n\t" ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t" ".Lkvm_vmx_return: " @@ -20385,7 +20817,7 @@ index 3b4c8d8..f457b63 100644 /* Save guest registers, load host registers, keep flags */ "mov %0, %c[wordsize](%%"R"sp) \n\t" "pop %0 \n\t" -@@ -6232,6 +6245,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -6240,6 +6253,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) #endif [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)), [wordsize]"i"(sizeof(ulong)) @@ -20397,7 +20829,7 @@ index 3b4c8d8..f457b63 100644 : "cc", "memory" , R"ax", R"bx", R"di", R"si" #ifdef CONFIG_X86_64 -@@ -6260,7 +6278,16 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -6268,7 +6286,16 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) } } @@ -20416,7 +20848,7 @@ index 3b4c8d8..f457b63 100644 vmx->exit_reason = vmcs_read32(VM_EXIT_REASON); diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 9cbfc06..943ffa6 100644 +index 8d1c6c6..6e6d611 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -873,6 +873,7 @@ static int do_set_msr(struct kvm_vcpu *vcpu, unsigned index, u64 *data) @@ -20461,7 +20893,7 @@ index 9cbfc06..943ffa6 100644 return -EINVAL; if (irqchip_in_kernel(vcpu->kvm)) return -ENXIO; -@@ -3497,6 +3501,9 @@ gpa_t kvm_mmu_gva_to_gpa_system(struct kvm_vcpu *vcpu, gva_t gva, +@@ -3499,6 +3503,9 @@ gpa_t kvm_mmu_gva_to_gpa_system(struct kvm_vcpu *vcpu, gva_t gva, static int kvm_read_guest_virt_helper(gva_t addr, void *val, unsigned int bytes, struct kvm_vcpu *vcpu, u32 access, @@ -20471,7 +20903,7 @@ index 9cbfc06..943ffa6 100644 struct x86_exception *exception) { void *data = val; -@@ -3528,6 +3535,9 @@ out: +@@ -3530,6 +3537,9 @@ out: /* used for instruction fetching */ static int kvm_fetch_guest_virt(struct x86_emulate_ctxt *ctxt, gva_t addr, void *val, unsigned int bytes, @@ -20481,7 +20913,7 @@ index 9cbfc06..943ffa6 100644 struct x86_exception *exception) { struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); -@@ -3552,6 +3562,9 @@ EXPORT_SYMBOL_GPL(kvm_read_guest_virt); +@@ -3554,6 +3564,9 @@ EXPORT_SYMBOL_GPL(kvm_read_guest_virt); static int kvm_read_guest_virt_system(struct x86_emulate_ctxt *ctxt, gva_t addr, void *val, unsigned int bytes, @@ -20491,7 +20923,7 @@ index 9cbfc06..943ffa6 100644 struct x86_exception *exception) { struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); -@@ -3665,12 +3678,16 @@ static int read_prepare(struct kvm_vcpu *vcpu, void *val, int bytes) +@@ -3667,12 +3680,16 @@ static int read_prepare(struct kvm_vcpu *vcpu, void *val, int bytes) } static int read_emulate(struct kvm_vcpu *vcpu, gpa_t gpa, @@ -20508,7 +20940,7 @@ index 9cbfc06..943ffa6 100644 void *val, int bytes) { return emulator_write_phys(vcpu, gpa, val, bytes); -@@ -3821,6 +3838,12 @@ static int emulator_cmpxchg_emulated(struct x86_emulate_ctxt *ctxt, +@@ -3823,6 +3840,12 @@ static int emulator_cmpxchg_emulated(struct x86_emulate_ctxt *ctxt, const void *old, const void *new, unsigned int bytes, @@ -20521,7 +20953,7 @@ index 9cbfc06..943ffa6 100644 struct x86_exception *exception) { struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); -@@ -4780,7 +4803,7 @@ static void kvm_set_mmio_spte_mask(void) +@@ -4782,7 +4805,7 @@ static void kvm_set_mmio_spte_mask(void) kvm_mmu_set_mmio_spte_mask(mask); } @@ -20906,7 +21338,7 @@ index e8e7e0d..56fd1b0 100644 movl %eax, (v) movl %edx, 4(v) diff --git a/arch/x86/lib/atomic64_cx8_32.S b/arch/x86/lib/atomic64_cx8_32.S -index 391a083..d658e9f 100644 +index 391a083..3a2cf39 100644 --- a/arch/x86/lib/atomic64_cx8_32.S +++ b/arch/x86/lib/atomic64_cx8_32.S @@ -35,10 +35,20 @@ ENTRY(atomic64_read_cx8) @@ -21017,7 +21449,7 @@ index 391a083..d658e9f 100644 -.macro incdec_return func ins insc -ENTRY(atomic64_\func\()_return_cx8) -+.macro incdec_return func ins insc unchecked ++.macro incdec_return func ins insc unchecked="" +ENTRY(atomic64_\func\()_return\unchecked\()_cx8) CFI_STARTPROC SAVE ebx @@ -24310,7 +24742,7 @@ index f4f29b1..5cac4fb 100644 return (void *)vaddr; diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c -index 8ecbb4b..29efd37 100644 +index 8ecbb4b..a269cab 100644 --- a/arch/x86/mm/hugetlbpage.c +++ b/arch/x86/mm/hugetlbpage.c @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file, @@ -24386,7 +24818,7 @@ index 8ecbb4b..29efd37 100644 /* don't allow allocations above current base */ if (mm->free_area_cache > base) -@@ -321,66 +328,63 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, +@@ -321,14 +328,15 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, largest_hole = 0; mm->free_area_cache = base; } @@ -24401,16 +24833,10 @@ index 8ecbb4b..29efd37 100644 + addr = (mm->free_area_cache - len); do { + addr &= huge_page_mask(h); -+ vma = find_vma(mm, addr); /* * Lookup failure means no vma is above this address, * i.e. return with success: -- */ -- vma = find_vma(mm, addr); -- if (!vma) -- return addr; -- -- /* +@@ -341,46 +349,47 @@ try_again: * new region fits between prev_vma->vm_end and * vma->vm_start, use it: */ @@ -24483,7 +24909,7 @@ index 8ecbb4b..29efd37 100644 mm->cached_hole_size = ~0UL; addr = hugetlb_get_unmapped_area_bottomup(file, addr0, len, pgoff, flags); -@@ -388,6 +392,7 @@ fail: +@@ -388,6 +397,7 @@ fail: /* * Restore the topdown base: */ @@ -24491,7 +24917,7 @@ index 8ecbb4b..29efd37 100644 mm->free_area_cache = base; mm->cached_hole_size = ~0UL; -@@ -401,10 +406,19 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, +@@ -401,10 +411,19 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, struct hstate *h = hstate_file(file); struct mm_struct *mm = current->mm; struct vm_area_struct *vma; @@ -24512,7 +24938,7 @@ index 8ecbb4b..29efd37 100644 return -ENOMEM; if (flags & MAP_FIXED) { -@@ -416,8 +430,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, +@@ -416,8 +435,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, if (addr) { addr = ALIGN(addr, huge_page_size(h)); vma = find_vma(mm, addr); @@ -24940,7 +25366,7 @@ index 8663f6c..829ae76 100644 printk(KERN_INFO "Write protecting the kernel text: %luk\n", size >> 10); diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c -index 436a030..2b60088 100644 +index 436a030..4f97ffc 100644 --- a/arch/x86/mm/init_64.c +++ b/arch/x86/mm/init_64.c @@ -75,7 +75,7 @@ early_param("gbpages", parse_direct_gbpages_on); @@ -25057,6 +25483,15 @@ index 436a030..2b60088 100644 adr = (void *)(((unsigned long)adr) | left); return adr; +@@ -546,7 +560,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end, + unmap_low_page(pmd); + + spin_lock(&init_mm.page_table_lock); +- pud_populate(&init_mm, pud, __va(pmd_phys)); ++ pud_populate_kernel(&init_mm, pud, __va(pmd_phys)); + spin_unlock(&init_mm.page_table_lock); + } + __flush_tlb_all(); @@ -592,7 +606,7 @@ kernel_physical_mapping_init(unsigned long start, unmap_low_page(pud); @@ -26837,10 +27272,10 @@ index 153407c..611cba9 100644 -} -__setup("vdso=", vdso_setup); diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index 4172af8..2c8ed7f 100644 +index 4e517d4..68a48f5 100644 --- a/arch/x86/xen/enlighten.c +++ b/arch/x86/xen/enlighten.c -@@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); +@@ -86,8 +86,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); struct shared_info xen_dummy_shared_info; @@ -26849,7 +27284,7 @@ index 4172af8..2c8ed7f 100644 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE); __read_mostly int xen_have_vector_callback; EXPORT_SYMBOL_GPL(xen_have_vector_callback); -@@ -1029,30 +1027,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { +@@ -1030,30 +1028,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { #endif }; @@ -26887,7 +27322,7 @@ index 4172af8..2c8ed7f 100644 { if (pm_power_off) pm_power_off(); -@@ -1155,7 +1153,17 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1156,7 +1154,17 @@ asmlinkage void __init xen_start_kernel(void) __userpte_alloc_gfp &= ~__GFP_HIGHMEM; /* Work out if we support NX */ @@ -26906,7 +27341,7 @@ index 4172af8..2c8ed7f 100644 xen_setup_features(); -@@ -1186,13 +1194,6 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1187,13 +1195,6 @@ asmlinkage void __init xen_start_kernel(void) machine_ops = xen_machine_ops; @@ -26921,10 +27356,10 @@ index 4172af8..2c8ed7f 100644 #ifdef CONFIG_ACPI_NUMA diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c -index 95c1cf6..4bfa5be 100644 +index dc19347..1b07a2c 100644 --- a/arch/x86/xen/mmu.c +++ b/arch/x86/xen/mmu.c -@@ -1733,6 +1733,9 @@ pgd_t * __init xen_setup_kernel_pagetable(pgd_t *pgd, +@@ -1738,6 +1738,9 @@ pgd_t * __init xen_setup_kernel_pagetable(pgd_t *pgd, convert_pfn_mfn(init_level4_pgt); convert_pfn_mfn(level3_ident_pgt); convert_pfn_mfn(level3_kernel_pgt); @@ -26934,7 +27369,7 @@ index 95c1cf6..4bfa5be 100644 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd); l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud); -@@ -1751,7 +1754,11 @@ pgd_t * __init xen_setup_kernel_pagetable(pgd_t *pgd, +@@ -1756,7 +1759,11 @@ pgd_t * __init xen_setup_kernel_pagetable(pgd_t *pgd, set_page_prot(init_level4_pgt, PAGE_KERNEL_RO); set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO); set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO); @@ -26946,7 +27381,7 @@ index 95c1cf6..4bfa5be 100644 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO); set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO); -@@ -1958,6 +1965,7 @@ static void __init xen_post_allocator_init(void) +@@ -1963,6 +1970,7 @@ static void __init xen_post_allocator_init(void) pv_mmu_ops.set_pud = xen_set_pud; #if PAGETABLE_LEVELS == 4 pv_mmu_ops.set_pgd = xen_set_pgd; @@ -26954,7 +27389,7 @@ index 95c1cf6..4bfa5be 100644 #endif /* This will work as long as patching hasn't happened yet -@@ -2039,6 +2047,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = { +@@ -2044,6 +2052,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = { .pud_val = PV_CALLEE_SAVE(xen_pud_val), .make_pud = PV_CALLEE_SAVE(xen_make_pud), .set_pgd = xen_set_pgd_hyper, @@ -46851,10 +47286,10 @@ index 5698746..6086012 100644 kfree(s); } diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c -index 3645cd3..786809c 100644 +index c60267e..193d9e4 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c -@@ -914,7 +914,7 @@ static struct file_system_type hugetlbfs_fs_type = { +@@ -902,7 +902,7 @@ static struct file_system_type hugetlbfs_fs_type = { .kill_sb = kill_litter_super, }; @@ -47597,7 +48032,7 @@ index f649fba..236bf92 100644 void nfs_fattr_init(struct nfs_fattr *fattr) diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c -index edf6d3e..bdd1da7 100644 +index b96fe94..a4dbece 100644 --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c @@ -925,7 +925,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file, @@ -49831,10 +50266,10 @@ index ab30253..4d86958 100644 kfree(s); diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..4089e05 +index 0000000..2645296 --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,1078 @@ +@@ -0,0 +1,1079 @@ +# +# grecurity configuration +# @@ -49969,7 +50404,7 @@ index 0000000..4089e05 + select GRKERNSEC_PROC_ADD + select GRKERNSEC_CHROOT_CHMOD + select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_SETXID ++ select GRKERNSEC_SETXID if (X86 || SPARC64 || PPC || ARM || MIPS) + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) + select GRKERNSEC_HARDEN_PTRACE @@ -50664,6 +51099,7 @@ index 0000000..4089e05 + +config GRKERNSEC_SETXID + bool "Enforce consistent multithreaded privileges" ++ depends on (X86 || SPARC64 || PPC || ARM || MIPS) + help + If you say Y here, a change from a root uid to a non-root uid + in a multithreaded application will cause the resulting uids, @@ -50959,10 +51395,10 @@ index 0000000..1b9afa9 +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..42813ac +index 0000000..a6d83f0 --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,4192 @@ +@@ -0,0 +1,4193 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -54820,21 +55256,22 @@ index 0000000..42813ac + if (unlikely(!(gr_status & GR_READY))) + return 0; +#endif ++ if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) { ++ read_lock(&tasklist_lock); ++ while (tmp->pid > 0) { ++ if (tmp == curtemp) ++ break; ++ tmp = tmp->real_parent; ++ } + -+ read_lock(&tasklist_lock); -+ while (tmp->pid > 0) { -+ if (tmp == curtemp) -+ break; -+ tmp = tmp->real_parent; -+ } -+ -+ if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) || -+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) { ++ if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) || ++ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) { ++ read_unlock(&tasklist_lock); ++ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task); ++ return 1; ++ } + read_unlock(&tasklist_lock); -+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task); -+ return 1; + } -+ read_unlock(&tasklist_lock); + +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE + if (!(gr_status & GR_READY)) @@ -62544,7 +62981,7 @@ index 9c07dce..a92fa71 100644 if (atomic_sub_and_test((int) count, &kref->refcount)) { release(kref); diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h -index bc21720..098aefa 100644 +index 4c4e83d..5f16617 100644 --- a/include/linux/kvm_host.h +++ b/include/linux/kvm_host.h @@ -326,7 +326,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vcpu); @@ -63114,7 +63551,7 @@ index ffc0213..2c1f2cb 100644 return nd->saved_names[nd->depth]; } diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h -index 4f3b01a..8256d1a 100644 +index 7e472b7..212d381 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -1002,6 +1002,7 @@ struct net_device_ops { @@ -66076,7 +66513,7 @@ index 42e8fa0..9e7406b 100644 return -ENOMEM; diff --git a/kernel/cred.c b/kernel/cred.c -index 48c6fd3..3342f00 100644 +index 48c6fd3..8398912 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -204,6 +204,15 @@ void exit_creds(struct task_struct *tsk) @@ -66113,7 +66550,7 @@ index 48c6fd3..3342f00 100644 /* dumpability changes */ if (old->euid != new->euid || old->egid != new->egid || -@@ -540,6 +551,92 @@ int commit_creds(struct cred *new) +@@ -540,6 +551,101 @@ int commit_creds(struct cred *new) put_cred(old); return 0; } @@ -66179,6 +66616,8 @@ index 48c6fd3..3342f00 100644 +int commit_creds(struct cred *new) +{ +#ifdef CONFIG_GRKERNSEC_SETXID ++ int ret; ++ int schedule_it = 0; + struct task_struct *t; + + /* we won't get called with tasklist_lock held for writing @@ -66187,20 +66626,27 @@ index 48c6fd3..3342f00 100644 + */ + if (grsec_enable_setxid && !current_is_single_threaded() && + !current_uid() && new->uid) { ++ schedule_it = 1; ++ } ++ ret = __commit_creds(new); ++ if (schedule_it) { + rcu_read_lock(); + read_lock(&tasklist_lock); + for (t = next_thread(current); t != current; + t = next_thread(t)) { + if (t->delayed_cred == NULL) { + t->delayed_cred = get_cred(new); ++ set_tsk_thread_flag(t, TIF_GRSEC_SETXID); + set_tsk_need_resched(t); + } + } + read_unlock(&tasklist_lock); + rcu_read_unlock(); + } -+#endif ++ return ret; ++#else + return __commit_creds(new); ++#endif +} + EXPORT_SYMBOL(commit_creds); @@ -69073,39 +69519,10 @@ index e8a1f83..363d17d 100644 #ifdef CONFIG_RT_GROUP_SCHED /* diff --git a/kernel/sched/core.c b/kernel/sched/core.c -index 478a04c..6970d99 100644 +index 478a04c..e16339a 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c -@@ -3142,6 +3142,19 @@ pick_next_task(struct rq *rq) - BUG(); /* the idle class will always have a runnable task */ - } - -+#ifdef CONFIG_GRKERNSEC_SETXID -+extern void gr_delayed_cred_worker(void); -+static inline void gr_cred_schedule(void) -+{ -+ if (unlikely(current->delayed_cred)) -+ gr_delayed_cred_worker(); -+} -+#else -+static inline void gr_cred_schedule(void) -+{ -+} -+#endif -+ - /* - * __schedule() is the main scheduler function. - */ -@@ -3161,6 +3174,8 @@ need_resched: - - schedule_debug(prev); - -+ gr_cred_schedule(); -+ - if (sched_feat(HRTICK)) - hrtick_clear(rq); - -@@ -3851,6 +3866,8 @@ int can_nice(const struct task_struct *p, const int nice) +@@ -3851,6 +3851,8 @@ int can_nice(const struct task_struct *p, const int nice) /* convert nice value [19,-20] to rlimit style value [1,40] */ int nice_rlim = 20 - nice; @@ -69114,7 +69531,7 @@ index 478a04c..6970d99 100644 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) || capable(CAP_SYS_NICE)); } -@@ -3884,7 +3901,8 @@ SYSCALL_DEFINE1(nice, int, increment) +@@ -3884,7 +3886,8 @@ SYSCALL_DEFINE1(nice, int, increment) if (nice > 19) nice = 19; @@ -69124,7 +69541,7 @@ index 478a04c..6970d99 100644 return -EPERM; retval = security_task_setnice(current, nice); -@@ -4041,6 +4059,7 @@ recheck: +@@ -4041,6 +4044,7 @@ recheck: unsigned long rlim_rtprio = task_rlimit(p, RLIMIT_RTPRIO); @@ -70448,6 +70865,28 @@ index 013a761..c28f3fc 100644 #define free(a) kfree(a) #endif +diff --git a/lib/ioremap.c b/lib/ioremap.c +index da4e2ad..6373b5f 100644 +--- a/lib/ioremap.c ++++ b/lib/ioremap.c +@@ -38,7 +38,7 @@ static inline int ioremap_pmd_range(pud_t *pud, unsigned long addr, + unsigned long next; + + phys_addr -= addr; +- pmd = pmd_alloc(&init_mm, pud, addr); ++ pmd = pmd_alloc_kernel(&init_mm, pud, addr); + if (!pmd) + return -ENOMEM; + do { +@@ -56,7 +56,7 @@ static inline int ioremap_pud_range(pgd_t *pgd, unsigned long addr, + unsigned long next; + + phys_addr -= addr; +- pud = pud_alloc(&init_mm, pgd, addr); ++ pud = pud_alloc_kernel(&init_mm, pgd, addr); + if (!pud) + return -ENOMEM; + do { diff --git a/lib/is_single_threaded.c b/lib/is_single_threaded.c index bd2bea9..6b3c95e 100644 --- a/lib/is_single_threaded.c @@ -70677,10 +71116,10 @@ index 8f7fc39..69bf1e9 100644 /* if an huge pmd materialized from under us just retry later */ if (unlikely(pmd_trans_huge(*pmd))) diff --git a/mm/hugetlb.c b/mm/hugetlb.c -index a7cf829..d60e0e1 100644 +index 24b1787..e0fbc01 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c -@@ -2346,6 +2346,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2425,6 +2425,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, return 1; } @@ -70708,7 +71147,7 @@ index a7cf829..d60e0e1 100644 /* * Hugetlb_cow() should be called with page lock of the original hugepage held. * Called with hugetlb_instantiation_mutex held and pte_page locked so we -@@ -2459,6 +2480,11 @@ retry_avoidcopy: +@@ -2538,6 +2559,11 @@ retry_avoidcopy: make_huge_pte(vma, new_page, 1)); page_remove_rmap(old_page); hugepage_add_new_anon_rmap(new_page, vma, address); @@ -70720,7 +71159,7 @@ index a7cf829..d60e0e1 100644 /* Make the old page be freed below */ new_page = old_page; mmu_notifier_invalidate_range_end(mm, -@@ -2613,6 +2639,10 @@ retry: +@@ -2692,6 +2718,10 @@ retry: && (vma->vm_flags & VM_SHARED))); set_huge_pte_at(mm, address, ptep, new_pte); @@ -70731,7 +71170,7 @@ index a7cf829..d60e0e1 100644 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) { /* Optimization, do the COW without a second fault */ ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page); -@@ -2642,6 +2672,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2721,6 +2751,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, static DEFINE_MUTEX(hugetlb_instantiation_mutex); struct hstate *h = hstate_vma(vma); @@ -70742,7 +71181,7 @@ index a7cf829..d60e0e1 100644 address &= huge_page_mask(h); ptep = huge_pte_offset(mm, address); -@@ -2655,6 +2689,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2734,6 +2768,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, VM_FAULT_SET_HINDEX(h - hstates); } @@ -70982,7 +71421,7 @@ index 56080ea..115071e 100644 /* keep elevated page count for bad page */ return ret; diff --git a/mm/memory.c b/mm/memory.c -index 10b4dda..b1f60ad 100644 +index 10b4dda..06857f3 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -457,8 +457,12 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, @@ -71109,7 +71548,29 @@ index 10b4dda..b1f60ad 100644 if (addr < vma->vm_start || addr >= vma->vm_end) return -EFAULT; -@@ -2472,6 +2485,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo +@@ -2364,7 +2377,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud, + + BUG_ON(pud_huge(*pud)); + +- pmd = pmd_alloc(mm, pud, addr); ++ pmd = (mm == &init_mm) ? ++ pmd_alloc_kernel(mm, pud, addr) : ++ pmd_alloc(mm, pud, addr); + if (!pmd) + return -ENOMEM; + do { +@@ -2384,7 +2399,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd, + unsigned long next; + int err; + +- pud = pud_alloc(mm, pgd, addr); ++ pud = (mm == &init_mm) ? ++ pud_alloc_kernel(mm, pgd, addr) : ++ pud_alloc(mm, pgd, addr); + if (!pud) + return -ENOMEM; + do { +@@ -2472,6 +2489,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo copy_user_highpage(dst, src, va, vma); } @@ -71296,7 +71757,7 @@ index 10b4dda..b1f60ad 100644 /* * This routine handles present pages, when users try to write * to a shared page. It is done by copying the page to a new address -@@ -2683,6 +2876,12 @@ gotten: +@@ -2683,6 +2880,12 @@ gotten: */ page_table = pte_offset_map_lock(mm, pmd, address, &ptl); if (likely(pte_same(*page_table, orig_pte))) { @@ -71309,7 +71770,7 @@ index 10b4dda..b1f60ad 100644 if (old_page) { if (!PageAnon(old_page)) { dec_mm_counter_fast(mm, MM_FILEPAGES); -@@ -2734,6 +2933,10 @@ gotten: +@@ -2734,6 +2937,10 @@ gotten: page_remove_rmap(old_page); } @@ -71320,7 +71781,7 @@ index 10b4dda..b1f60ad 100644 /* Free the old page.. */ new_page = old_page; ret |= VM_FAULT_WRITE; -@@ -3013,6 +3216,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3013,6 +3220,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, swap_free(entry); if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page)) try_to_free_swap(page); @@ -71332,7 +71793,7 @@ index 10b4dda..b1f60ad 100644 unlock_page(page); if (swapcache) { /* -@@ -3036,6 +3244,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3036,6 +3248,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, /* No need to invalidate - it was non-present before */ update_mmu_cache(vma, address, page_table); @@ -71344,7 +71805,7 @@ index 10b4dda..b1f60ad 100644 unlock: pte_unmap_unlock(page_table, ptl); out: -@@ -3055,40 +3268,6 @@ out_release: +@@ -3055,40 +3272,6 @@ out_release: } /* @@ -71385,7 +71846,7 @@ index 10b4dda..b1f60ad 100644 * We enter with non-exclusive mmap_sem (to exclude vma changes, * but allow concurrent faults), and pte mapped but not yet locked. * We return with mmap_sem still held, but pte unmapped and unlocked. -@@ -3097,27 +3276,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3097,27 +3280,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long address, pte_t *page_table, pmd_t *pmd, unsigned int flags) { @@ -71418,7 +71879,7 @@ index 10b4dda..b1f60ad 100644 if (unlikely(anon_vma_prepare(vma))) goto oom; page = alloc_zeroed_user_highpage_movable(vma, address); -@@ -3136,6 +3311,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3136,6 +3315,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, if (!pte_none(*page_table)) goto release; @@ -71430,7 +71891,7 @@ index 10b4dda..b1f60ad 100644 inc_mm_counter_fast(mm, MM_ANONPAGES); page_add_new_anon_rmap(page, vma, address); setpte: -@@ -3143,6 +3323,12 @@ setpte: +@@ -3143,6 +3327,12 @@ setpte: /* No need to invalidate - it was non-present before */ update_mmu_cache(vma, address, page_table); @@ -71443,7 +71904,7 @@ index 10b4dda..b1f60ad 100644 unlock: pte_unmap_unlock(page_table, ptl); return 0; -@@ -3286,6 +3472,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3286,6 +3476,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, */ /* Only go through if we didn't race with anybody else... */ if (likely(pte_same(*page_table, orig_pte))) { @@ -71456,7 +71917,7 @@ index 10b4dda..b1f60ad 100644 flush_icache_page(vma, page); entry = mk_pte(page, vma->vm_page_prot); if (flags & FAULT_FLAG_WRITE) -@@ -3305,6 +3497,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3305,6 +3501,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, /* no need to invalidate: a not-present page won't be cached */ update_mmu_cache(vma, address, page_table); @@ -71471,7 +71932,7 @@ index 10b4dda..b1f60ad 100644 } else { if (cow_page) mem_cgroup_uncharge_page(cow_page); -@@ -3458,6 +3658,12 @@ int handle_pte_fault(struct mm_struct *mm, +@@ -3458,6 +3662,12 @@ int handle_pte_fault(struct mm_struct *mm, if (flags & FAULT_FLAG_WRITE) flush_tlb_fix_spurious_fault(vma, address); } @@ -71484,7 +71945,7 @@ index 10b4dda..b1f60ad 100644 unlock: pte_unmap_unlock(pte, ptl); return 0; -@@ -3474,6 +3680,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3474,6 +3684,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, pmd_t *pmd; pte_t *pte; @@ -71495,7 +71956,7 @@ index 10b4dda..b1f60ad 100644 __set_current_state(TASK_RUNNING); count_vm_event(PGFAULT); -@@ -3485,6 +3695,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3485,6 +3699,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, if (unlikely(is_vm_hugetlb_page(vma))) return hugetlb_fault(mm, vma, address, flags); @@ -71530,7 +71991,7 @@ index 10b4dda..b1f60ad 100644 pgd = pgd_offset(mm, address); pud = pud_alloc(mm, pgd, address); if (!pud) -@@ -3514,7 +3752,7 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3514,7 +3756,7 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, * run pte_offset_map on the pmd, if an huge pmd could * materialize from under us from a different thread. */ @@ -71539,7 +72000,7 @@ index 10b4dda..b1f60ad 100644 return VM_FAULT_OOM; /* if an huge pmd materialized from under us just retry later */ if (unlikely(pmd_trans_huge(*pmd))) -@@ -3551,6 +3789,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) +@@ -3551,6 +3793,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) spin_unlock(&mm->page_table_lock); return 0; } @@ -71563,7 +72024,7 @@ index 10b4dda..b1f60ad 100644 #endif /* __PAGETABLE_PUD_FOLDED */ #ifndef __PAGETABLE_PMD_FOLDED -@@ -3581,6 +3836,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) +@@ -3581,6 +3840,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) spin_unlock(&mm->page_table_lock); return 0; } @@ -71594,7 +72055,7 @@ index 10b4dda..b1f60ad 100644 #endif /* __PAGETABLE_PMD_FOLDED */ int make_pages_present(unsigned long addr, unsigned long end) -@@ -3618,7 +3897,7 @@ static int __init gate_vma_init(void) +@@ -3618,7 +3901,7 @@ static int __init gate_vma_init(void) gate_vma.vm_start = FIXADDR_USER_START; gate_vma.vm_end = FIXADDR_USER_END; gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC; @@ -75428,7 +75889,7 @@ index 68bbf9f..5ef0d12 100644 return err; diff --git a/net/core/dev.c b/net/core/dev.c -index 7f72c9c..e29943b 100644 +index 0336374..659088a 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -1138,10 +1138,14 @@ void dev_load(struct net *net, const char *name) @@ -75446,7 +75907,7 @@ index 7f72c9c..e29943b 100644 } } EXPORT_SYMBOL(dev_load); -@@ -1585,7 +1589,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb) +@@ -1605,7 +1609,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb) { if (skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY) { if (skb_copy_ubufs(skb, GFP_ATOMIC)) { @@ -75455,7 +75916,7 @@ index 7f72c9c..e29943b 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -1595,7 +1599,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb) +@@ -1615,7 +1619,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb) nf_reset(skb); if (unlikely(!is_skb_forwardable(dev, skb))) { @@ -75464,7 +75925,7 @@ index 7f72c9c..e29943b 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -2057,7 +2061,7 @@ static int illegal_highdma(struct net_device *dev, struct sk_buff *skb) +@@ -2077,7 +2081,7 @@ static int illegal_highdma(struct net_device *dev, struct sk_buff *skb) struct dev_gso_cb { void (*destructor)(struct sk_buff *skb); @@ -75473,7 +75934,7 @@ index 7f72c9c..e29943b 100644 #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb) -@@ -2913,7 +2917,7 @@ enqueue: +@@ -2933,7 +2937,7 @@ enqueue: local_irq_restore(flags); @@ -75482,7 +75943,7 @@ index 7f72c9c..e29943b 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -2985,7 +2989,7 @@ int netif_rx_ni(struct sk_buff *skb) +@@ -3005,7 +3009,7 @@ int netif_rx_ni(struct sk_buff *skb) } EXPORT_SYMBOL(netif_rx_ni); @@ -75491,7 +75952,7 @@ index 7f72c9c..e29943b 100644 { struct softnet_data *sd = &__get_cpu_var(softnet_data); -@@ -3273,7 +3277,7 @@ ncls: +@@ -3293,7 +3297,7 @@ ncls: if (pt_prev) { ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev); } else { @@ -75500,7 +75961,7 @@ index 7f72c9c..e29943b 100644 kfree_skb(skb); /* Jamal, now you will not able to escape explaining * me how you were going to use this. :-) -@@ -3833,7 +3837,7 @@ void netif_napi_del(struct napi_struct *napi) +@@ -3853,7 +3857,7 @@ void netif_napi_del(struct napi_struct *napi) } EXPORT_SYMBOL(netif_napi_del); @@ -75509,7 +75970,7 @@ index 7f72c9c..e29943b 100644 { struct softnet_data *sd = &__get_cpu_var(softnet_data); unsigned long time_limit = jiffies + 2; -@@ -5858,7 +5862,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, +@@ -5878,7 +5882,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, } else { netdev_stats_to_stats64(storage, &dev->stats); } @@ -86454,7 +86915,7 @@ index af0f22f..9a7d479 100644 break; } diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index c4ac57e..527711d 100644 +index 7858228..2919715 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -75,7 +75,7 @@ LIST_HEAD(vm_list); @@ -86466,7 +86927,7 @@ index c4ac57e..527711d 100644 struct kmem_cache *kvm_vcpu_cache; EXPORT_SYMBOL_GPL(kvm_vcpu_cache); -@@ -2313,7 +2313,7 @@ static void hardware_enable_nolock(void *junk) +@@ -2318,7 +2318,7 @@ static void hardware_enable_nolock(void *junk) if (r) { cpumask_clear_cpu(cpu, cpus_hardware_enabled); @@ -86475,7 +86936,7 @@ index c4ac57e..527711d 100644 printk(KERN_INFO "kvm: enabling virtualization on " "CPU%d failed\n", cpu); } -@@ -2367,10 +2367,10 @@ static int hardware_enable_all(void) +@@ -2372,10 +2372,10 @@ static int hardware_enable_all(void) kvm_usage_count++; if (kvm_usage_count == 1) { @@ -86488,7 +86949,7 @@ index c4ac57e..527711d 100644 hardware_disable_all_nolock(); r = -EBUSY; } -@@ -2733,7 +2733,7 @@ static void kvm_sched_out(struct preempt_notifier *pn, +@@ -2738,7 +2738,7 @@ static void kvm_sched_out(struct preempt_notifier *pn, kvm_arch_vcpu_put(vcpu); } @@ -86497,7 +86958,7 @@ index c4ac57e..527711d 100644 struct module *module) { int r; -@@ -2796,7 +2796,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -2801,7 +2801,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, if (!vcpu_align) vcpu_align = __alignof__(struct kvm_vcpu); kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align, @@ -86506,7 +86967,7 @@ index c4ac57e..527711d 100644 if (!kvm_vcpu_cache) { r = -ENOMEM; goto out_free_3; -@@ -2806,9 +2806,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -2811,9 +2811,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, if (r) goto out_free; diff --git a/3.3.5/4430_grsec-remove-localversion-grsec.patch b/3.3.6/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.3.5/4430_grsec-remove-localversion-grsec.patch +++ b/3.3.6/4430_grsec-remove-localversion-grsec.patch diff --git a/3.3.5/4435_grsec-mute-warnings.patch b/3.3.6/4435_grsec-mute-warnings.patch index e85abd6..e85abd6 100644 --- a/3.3.5/4435_grsec-mute-warnings.patch +++ b/3.3.6/4435_grsec-mute-warnings.patch diff --git a/3.3.5/4440_grsec-remove-protected-paths.patch b/3.3.6/4440_grsec-remove-protected-paths.patch index 637934a..637934a 100644 --- a/3.3.5/4440_grsec-remove-protected-paths.patch +++ b/3.3.6/4440_grsec-remove-protected-paths.patch diff --git a/3.3.5/4445_grsec-pax-without-grsec.patch b/3.3.6/4445_grsec-pax-without-grsec.patch index 35255c2..35255c2 100644 --- a/3.3.5/4445_grsec-pax-without-grsec.patch +++ b/3.3.6/4445_grsec-pax-without-grsec.patch diff --git a/3.3.5/4450_grsec-kconfig-default-gids.patch b/3.3.6/4450_grsec-kconfig-default-gids.patch index 123f877..123f877 100644 --- a/3.3.5/4450_grsec-kconfig-default-gids.patch +++ b/3.3.6/4450_grsec-kconfig-default-gids.patch diff --git a/3.3.5/4455_grsec-kconfig-gentoo.patch b/3.3.6/4455_grsec-kconfig-gentoo.patch index b9dc3e5..b9dc3e5 100644 --- a/3.3.5/4455_grsec-kconfig-gentoo.patch +++ b/3.3.6/4455_grsec-kconfig-gentoo.patch diff --git a/3.3.5/4460-grsec-kconfig-proc-user.patch b/3.3.6/4460-grsec-kconfig-proc-user.patch index b2b3188..b2b3188 100644 --- a/3.3.5/4460-grsec-kconfig-proc-user.patch +++ b/3.3.6/4460-grsec-kconfig-proc-user.patch diff --git a/3.3.5/4465_selinux-avc_audit-log-curr_ip.patch b/3.3.6/4465_selinux-avc_audit-log-curr_ip.patch index 5a9d80c..5a9d80c 100644 --- a/3.3.5/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.3.6/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.3.5/4470_disable-compat_vdso.patch b/3.3.6/4470_disable-compat_vdso.patch index c40f44f..c40f44f 100644 --- a/3.3.5/4470_disable-compat_vdso.patch +++ b/3.3.6/4470_disable-compat_vdso.patch |