aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2014-09-10 07:46:02 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2014-09-10 07:46:02 +0000
commit797023a1712179c0b5e6e69661a51786e0637371 (patch)
treeb4f31b38653a7e8b7813de4dca6371e1f0eb11a7
parent1ab4dbf6662a2f68962800b33a5d13d165b0fdda (diff)
downloadaports-797023a1712179c0b5e6e69661a51786e0637371.tar.bz2
aports-797023a1712179c0b5e6e69661a51786e0637371.tar.xz
main/linux-grsec: upgrade to 3.14.18
-rw-r--r--main/linux-grsec/APKBUILD30
-rw-r--r--main/linux-grsec/grsecurity-3.0-3.14.18-201409082127.patch (renamed from main/linux-grsec/grsecurity-3.0-3.14.17-201408260041.patch)1186
-rw-r--r--main/linux-grsec/kernelconfig.x865
-rw-r--r--main/linux-grsec/kernelconfig.x86_645
4 files changed, 778 insertions, 448 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index a3f3a7b60d..11c21822b6 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -2,12 +2,12 @@
_flavor=grsec
pkgname=linux-${_flavor}
-pkgver=3.14.17
+pkgver=3.14.18
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
esac
-pkgrel=1
+pkgrel=0
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-3.0-3.14.17-201408260041.patch
+ grsecurity-3.0-3.14.18-201409082127.patch
fix-memory-map-for-PIE-applications.patch
imx6q-no-unclocked-sleep.patch
@@ -165,26 +165,26 @@ dev() {
}
md5sums="b621207b3f6ecbb67db18b13258f8ea8 linux-3.14.tar.xz
-a9a6539c8df7245c2ab9bfca56f2ef04 patch-3.14.17.xz
-25066c4bc665d172b980d09435f18432 grsecurity-3.0-3.14.17-201408260041.patch
+f00741b35127573c3cf085fc43f6e3f0 patch-3.14.18.xz
+43a6f021cff545fa3e3c0386e473ff23 grsecurity-3.0-3.14.18-201409082127.patch
c6a4ae7e8ca6159e1631545515805216 fix-memory-map-for-PIE-applications.patch
1a307fc1d63231bf01d22493a4f14378 imx6q-no-unclocked-sleep.patch
-dc5e04d422b807e740fd15b141b89a62 kernelconfig.x86
-1aea3d3de4013c10712a582c8d738bf7 kernelconfig.x86_64
+5395777f2ffcaeedb482afce441a0e2f kernelconfig.x86
+1a836d0252b3486318321b0e26791a04 kernelconfig.x86_64
0d71b1663f7cbfffc6e403deca4bbe86 kernelconfig.armhf"
sha256sums="61558aa490855f42b6340d1a1596be47454909629327c49a5e4e10268065dffa linux-3.14.tar.xz
-50b0e2a6812597b401a417bd1269b5388fdd980b6009d564fff09605100f0df8 patch-3.14.17.xz
-40352c8bd115d91089444670999925e2a383c66c42ae11d94ec295d656772caf grsecurity-3.0-3.14.17-201408260041.patch
+3723d8d91e1bba0ed57a4951e8089ebfaa21ac186c3b729b4d2bad2da3eaed9f patch-3.14.18.xz
+ac5c311624480651775d6c482a3314edd8f1e1e5730e98f2aa6f648e47e20422 grsecurity-3.0-3.14.18-201409082127.patch
500f3577310be52e87b9fecdc2e9c4ca43210fd97d69089f9005d484563f74c7 fix-memory-map-for-PIE-applications.patch
21179fbb22a5b74af0a609350ae1a170e232908572b201d02e791d2ce0a685d3 imx6q-no-unclocked-sleep.patch
-148fe2f06c98716744139f0c92aa702665bb9da96ecc163ef56c8ba3084d534a kernelconfig.x86
-1b26e8c006dccce38520b9b42a6ae43230d032307ec847ab77ea97d4616164f6 kernelconfig.x86_64
+c1f2bcf8711c2295895f682a8e32a0719f389557deb0f1fa1ce9e751dd04f8ae kernelconfig.x86
+227390b633fd749aaadb3e3fc4d027fc06142a395279beb7ba09f8568aa505c2 kernelconfig.x86_64
3cddaac02211dd0f5eb4531aecc3a1427f29dcec7b31d9fe0042192d591bcdc8 kernelconfig.armhf"
sha512sums="5730d83a7a81134c1e77c0bf89e42dee4f8251ad56c1ac2be20c59e26fdfaa7bea55f277e7af156b637f22e1584914a46089af85039177cb43485089c74ac26e linux-3.14.tar.xz
-03638215934a08a67e3d92d051b6a341e1874872388de910870021934f11f8ed20502a1afbff89a24f0e14053a02f4e40441e2f9878b099ddd1504159ff19872 patch-3.14.17.xz
-6c54a9f120dd896b595239f984c326933e50ba2e324215fb8e4bb6092cb624771dc301e78424f7be3f1d42c542fda086e5d8fe84cf9e06dc8106d3b16c0a69bd grsecurity-3.0-3.14.17-201408260041.patch
+c7c5b281986819cb69592cc4c2b7c7d79f34aa86f21db1dd64b795dda79b5f9df95626dada5c8e0613c58d8d7979f37baf0a87cd458f340018ce61b42e4eb6c5 patch-3.14.18.xz
+2a12ca6dd993fa874da02bdc6913a78a29b21b6621bd243157f5ae65240d4bf934e438f35620935508b7e251445551b1b0c962aec9e26b2d34bca1c8281fdbc2 grsecurity-3.0-3.14.18-201409082127.patch
4665c56ae1bbac311f9205d64918e84ee8b01d47d6e2396ff6b8adfb10aada7f7254531ce62e31edbb65c2a54a830f09ad05d314dfcd75d6272f4068945ad7c7 fix-memory-map-for-PIE-applications.patch
87d1ad59732f265a5b0db54490dc1762c14ea4b868e7eb1aedc3ce57b48046de7bbc08cf5cfcf6f1380fa84063b0edb16ba3d5e3c5670be9bbb229275c88b221 imx6q-no-unclocked-sleep.patch
-65697a0652795bc2f57c74968b4e541b372bf9ebfd8effe9d17b75143f2444a76d41982dddee3c7cda28dc33c88f221b89964282d82761593ec697b5fa77f8d4 kernelconfig.x86
-799e497939ed879e118b9bccae970f69c4c64488f3ef52ed5f07685531f13fa756cc7656351d611e6ffb93809f7af526cab379c2e24171c6bb5eac88f77fcc2e kernelconfig.x86_64
+bba0241bf9d51154959cb06d8ecf328b0475bf1c656baff1c0066285c71f6b0115534c8c4fc238b63b617b5c7a75d0a13371d80a7fe99194eaa4238cd4712357 kernelconfig.x86
+cf7e27e9ed00f07a9743c3ad6a35ff2aff86c5e9f9cd9c8076cb5a3f2e3b3b59d4c1da55fd4cd04b599ceae29775ddde7d9b3bd96093bec07a9bce3e20d6dffe kernelconfig.x86_64
c19ce8d5ef84e42d63435731afab351a68226d7b49caf5d6a3b43421a1a856eadfc69b503a2d757de10cba46bcfdf45c17bb0fed6cf0a14ac284050e655614dd kernelconfig.armhf"
diff --git a/main/linux-grsec/grsecurity-3.0-3.14.17-201408260041.patch b/main/linux-grsec/grsecurity-3.0-3.14.18-201409082127.patch
index c27879a613..2a009861ca 100644
--- a/main/linux-grsec/grsecurity-3.0-3.14.17-201408260041.patch
+++ b/main/linux-grsec/grsecurity-3.0-3.14.18-201409082127.patch
@@ -287,7 +287,7 @@ index 7116fda..d8ed6e8 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index 12aac03..33d9e9f 100644
+index 05279d4..c24e149 100644
--- a/Makefile
+++ b/Makefile
@@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -3643,7 +3643,7 @@ index 78c02b3..c94109a 100644
struct omap_device *omap_device_alloc(struct platform_device *pdev,
struct omap_hwmod **ohs, int oh_cnt);
diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c
-index 66c60fe..c78950d 100644
+index c914b00..8a653a7 100644
--- a/arch/arm/mach-omap2/omap_hwmod.c
+++ b/arch/arm/mach-omap2/omap_hwmod.c
@@ -194,10 +194,10 @@ struct omap_hwmod_soc_ops {
@@ -12269,7 +12269,7 @@ index ad8f795..2c7eec6 100644
/*
* Memory returned by kmalloc() may be used for DMA, so we must make
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index c718d9f..511e6fa 100644
+index e409891..d64a8f7 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -126,7 +126,7 @@ config X86
@@ -12325,7 +12325,7 @@ index c718d9f..511e6fa 100644
default 0x40000000 if VMSPLIT_1G
default 0xC0000000
depends on X86_32
-@@ -1623,6 +1624,7 @@ source kernel/Kconfig.hz
+@@ -1624,6 +1625,7 @@ source kernel/Kconfig.hz
config KEXEC
bool "kexec system call"
@@ -12333,7 +12333,7 @@ index c718d9f..511e6fa 100644
---help---
kexec is a system call that implements the ability to shutdown your
current kernel, and to start another kernel. It is like a reboot
-@@ -1774,7 +1776,9 @@ config X86_NEED_RELOCS
+@@ -1775,7 +1777,9 @@ config X86_NEED_RELOCS
config PHYSICAL_ALIGN
hex "Alignment value to which kernel should be aligned"
@@ -12344,7 +12344,7 @@ index c718d9f..511e6fa 100644
range 0x2000 0x1000000 if X86_32
range 0x200000 0x1000000 if X86_64
---help---
-@@ -1854,9 +1858,10 @@ config DEBUG_HOTPLUG_CPU0
+@@ -1855,9 +1859,10 @@ config DEBUG_HOTPLUG_CPU0
If unsure, say N.
config COMPAT_VDSO
@@ -22894,7 +22894,7 @@ index c5a9cb9..228d280 100644
/*
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index 03cd2a8..05a9aed 100644
+index 03cd2a8..d236ccb 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -60,6 +60,8 @@
@@ -23815,7 +23815,7 @@ index 03cd2a8..05a9aed 100644
je retint_kernel
/* Interrupt came from user space */
-@@ -1027,12 +1500,16 @@ retint_swapgs: /* return to user-space */
+@@ -1027,12 +1500,35 @@ retint_swapgs: /* return to user-space */
* The iretq could re-enable interrupts:
*/
DISABLE_INTERRUPTS(CLBR_ANY)
@@ -23828,11 +23828,30 @@ index 03cd2a8..05a9aed 100644
retint_restore_args: /* return to kernel space */
DISABLE_INTERRUPTS(CLBR_ANY)
+ pax_exit_kernel
++
++#if defined(CONFIG_EFI) && defined(CONFIG_PAX_KERNEXEC)
++ /* This is a quirk to allow IRQs/NMIs/MCEs during early EFI setup,
++ * namely calling EFI runtime services with a phys mapping. We're
++ * starting off with NOPs and patch in the real instrumentation
++ * (BTS/OR) before starting any userland process; even before starting
++ * up the APs.
++ */
++ .pushsection .altinstr_replacement, "a"
++ 601: pax_force_retaddr (RIP-ARGOFFSET)
++ 602:
++ .popsection
++ 603: .fill 602b-601b, 1, 0x90
++ .pushsection .altinstructions, "a"
++ altinstruction_entry 603b, 601b, X86_FEATURE_ALWAYS, 602b-601b, 602b-601b
++ .popsection
++#else
+ pax_force_retaddr (RIP-ARGOFFSET)
++#endif
++
/*
* The iretq could re-enable interrupts:
*/
-@@ -1145,7 +1622,7 @@ ENTRY(retint_kernel)
+@@ -1145,7 +1641,7 @@ ENTRY(retint_kernel)
jmp exit_intr
#endif
CFI_ENDPROC
@@ -23841,7 +23860,7 @@ index 03cd2a8..05a9aed 100644
/*
* If IRET takes a fault on the espfix stack, then we
-@@ -1167,13 +1644,13 @@ __do_double_fault:
+@@ -1167,13 +1663,13 @@ __do_double_fault:
cmpq $native_irq_return_iret,%rax
jne do_double_fault /* This shouldn't happen... */
movq PER_CPU_VAR(kernel_stack),%rax
@@ -23857,7 +23876,7 @@ index 03cd2a8..05a9aed 100644
#else
# define __do_double_fault do_double_fault
#endif
-@@ -1195,7 +1672,7 @@ ENTRY(\sym)
+@@ -1195,7 +1691,7 @@ ENTRY(\sym)
interrupt \do_sym
jmp ret_from_intr
CFI_ENDPROC
@@ -23866,7 +23885,7 @@ index 03cd2a8..05a9aed 100644
.endm
#ifdef CONFIG_TRACING
-@@ -1283,7 +1760,7 @@ ENTRY(\sym)
+@@ -1283,7 +1779,7 @@ ENTRY(\sym)
call \do_sym
jmp error_exit /* %ebx: no swapgs flag */
CFI_ENDPROC
@@ -23875,7 +23894,7 @@ index 03cd2a8..05a9aed 100644
.endm
.macro paranoidzeroentry sym do_sym
-@@ -1301,10 +1778,10 @@ ENTRY(\sym)
+@@ -1301,10 +1797,10 @@ ENTRY(\sym)
call \do_sym
jmp paranoid_exit /* %ebx: no swapgs flag */
CFI_ENDPROC
@@ -23888,7 +23907,7 @@ index 03cd2a8..05a9aed 100644
.macro paranoidzeroentry_ist sym do_sym ist
ENTRY(\sym)
INTR_FRAME
-@@ -1317,12 +1794,18 @@ ENTRY(\sym)
+@@ -1317,12 +1813,18 @@ ENTRY(\sym)
TRACE_IRQS_OFF_DEBUG
movq %rsp,%rdi /* pt_regs pointer */
xorl %esi,%esi /* no error code */
@@ -23908,7 +23927,7 @@ index 03cd2a8..05a9aed 100644
.endm
.macro errorentry sym do_sym
-@@ -1340,7 +1823,7 @@ ENTRY(\sym)
+@@ -1340,7 +1842,7 @@ ENTRY(\sym)
call \do_sym
jmp error_exit /* %ebx: no swapgs flag */
CFI_ENDPROC
@@ -23917,7 +23936,7 @@ index 03cd2a8..05a9aed 100644
.endm
#ifdef CONFIG_TRACING
-@@ -1371,7 +1854,7 @@ ENTRY(\sym)
+@@ -1371,7 +1873,7 @@ ENTRY(\sym)
call \do_sym
jmp paranoid_exit /* %ebx: no swapgs flag */
CFI_ENDPROC
@@ -23926,7 +23945,7 @@ index 03cd2a8..05a9aed 100644
.endm
zeroentry divide_error do_divide_error
-@@ -1401,9 +1884,10 @@ gs_change:
+@@ -1401,9 +1903,10 @@ gs_change:
2: mfence /* workaround */
SWAPGS
popfq_cfi
@@ -23938,7 +23957,7 @@ index 03cd2a8..05a9aed 100644
_ASM_EXTABLE(gs_change,bad_gs)
.section .fixup,"ax"
-@@ -1431,9 +1915,10 @@ ENTRY(do_softirq_own_stack)
+@@ -1431,9 +1934,10 @@ ENTRY(do_softirq_own_stack)
CFI_DEF_CFA_REGISTER rsp
CFI_ADJUST_CFA_OFFSET -8
decl PER_CPU_VAR(irq_count)
@@ -23950,7 +23969,7 @@ index 03cd2a8..05a9aed 100644
#ifdef CONFIG_XEN
zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
-@@ -1471,7 +1956,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs)
+@@ -1471,7 +1975,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs)
decl PER_CPU_VAR(irq_count)
jmp error_exit
CFI_ENDPROC
@@ -23959,7 +23978,7 @@ index 03cd2a8..05a9aed 100644
/*
* Hypervisor uses this for application faults while it executes.
-@@ -1530,7 +2015,7 @@ ENTRY(xen_failsafe_callback)
+@@ -1530,7 +2034,7 @@ ENTRY(xen_failsafe_callback)
SAVE_ALL
jmp error_exit
CFI_ENDPROC
@@ -23968,7 +23987,7 @@ index 03cd2a8..05a9aed 100644
apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
xen_hvm_callback_vector xen_evtchn_do_upcall
-@@ -1582,18 +2067,33 @@ ENTRY(paranoid_exit)
+@@ -1582,18 +2086,33 @@ ENTRY(paranoid_exit)
DEFAULT_FRAME
DISABLE_INTERRUPTS(CLBR_NONE)
TRACE_IRQS_OFF_DEBUG
@@ -24004,7 +24023,7 @@ index 03cd2a8..05a9aed 100644
jmp irq_return
paranoid_userspace:
GET_THREAD_INFO(%rcx)
-@@ -1622,7 +2122,7 @@ paranoid_schedule:
+@@ -1622,7 +2141,7 @@ paranoid_schedule:
TRACE_IRQS_OFF
jmp paranoid_userspace
CFI_ENDPROC
@@ -24013,7 +24032,7 @@ index 03cd2a8..05a9aed 100644
/*
* Exception entry point. This expects an error code/orig_rax on the stack.
-@@ -1649,12 +2149,23 @@ ENTRY(error_entry)
+@@ -1649,12 +2168,23 @@ ENTRY(error_entry)
movq_cfi r14, R14+8
movq_cfi r15, R15+8
xorl %ebx,%ebx
@@ -24038,7 +24057,7 @@ index 03cd2a8..05a9aed 100644
ret
/*
-@@ -1681,7 +2192,7 @@ bstep_iret:
+@@ -1681,7 +2211,7 @@ bstep_iret:
movq %rcx,RIP+8(%rsp)
jmp error_swapgs
CFI_ENDPROC
@@ -24047,7 +24066,7 @@ index 03cd2a8..05a9aed 100644
/* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */
-@@ -1692,7 +2203,7 @@ ENTRY(error_exit)
+@@ -1692,7 +2222,7 @@ ENTRY(error_exit)
DISABLE_INTERRUPTS(CLBR_NONE)
TRACE_IRQS_OFF
GET_THREAD_INFO(%rcx)
@@ -24056,7 +24075,7 @@ index 03cd2a8..05a9aed 100644
jne retint_kernel
LOCKDEP_SYS_EXIT_IRQ
movl TI_flags(%rcx),%edx
-@@ -1701,7 +2212,7 @@ ENTRY(error_exit)
+@@ -1701,7 +2231,7 @@ ENTRY(error_exit)
jnz retint_careful
jmp retint_swapgs
CFI_ENDPROC
@@ -24065,7 +24084,7 @@ index 03cd2a8..05a9aed 100644
/*
* Test if a given stack is an NMI stack or not.
-@@ -1759,9 +2270,11 @@ ENTRY(nmi)
+@@ -1759,9 +2289,11 @@ ENTRY(nmi)
* If %cs was not the kernel segment, then the NMI triggered in user
* space, which means it is definitely not nested.
*/
@@ -24078,7 +24097,7 @@ index 03cd2a8..05a9aed 100644
/*
* Check the special variable on the stack to see if NMIs are
* executing.
-@@ -1795,8 +2308,7 @@ nested_nmi:
+@@ -1795,8 +2327,7 @@ nested_nmi:
1:
/* Set up the interrupted NMIs stack to jump to repeat_nmi */
@@ -24088,7 +24107,7 @@ index 03cd2a8..05a9aed 100644
CFI_ADJUST_CFA_OFFSET 1*8
leaq -10*8(%rsp), %rdx
pushq_cfi $__KERNEL_DS
-@@ -1814,6 +2326,7 @@ nested_nmi_out:
+@@ -1814,6 +2345,7 @@ nested_nmi_out:
CFI_RESTORE rdx
/* No need to check faults here */
@@ -24096,7 +24115,7 @@ index 03cd2a8..05a9aed 100644
INTERRUPT_RETURN
CFI_RESTORE_STATE
-@@ -1910,13 +2423,13 @@ end_repeat_nmi:
+@@ -1910,13 +2442,13 @@ end_repeat_nmi:
subq $ORIG_RAX-R15, %rsp
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
/*
@@ -24112,7 +24131,7 @@ index 03cd2a8..05a9aed 100644
DEFAULT_FRAME 0
/*
-@@ -1926,9 +2439,9 @@ end_repeat_nmi:
+@@ -1926,9 +2458,9 @@ end_repeat_nmi:
* NMI itself takes a page fault, the page fault that was preempted
* will read the information from the NMI page fault and not the
* origin fault. Save it off and restore it if it changes.
@@ -24124,7 +24143,7 @@ index 03cd2a8..05a9aed 100644
/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
movq %rsp,%rdi
-@@ -1937,31 +2450,36 @@ end_repeat_nmi:
+@@ -1937,31 +2469,36 @@ end_repeat_nmi:
/* Did the NMI take a page fault? Restore cr2 if it did */
movq %cr2, %rcx
@@ -28195,7 +28214,7 @@ index da6b35a..977e9cf 100644
#ifdef CONFIG_SMP
diff --git a/arch/x86/kernel/vsyscall_64.c b/arch/x86/kernel/vsyscall_64.c
-index 1f96f93..6f29be7 100644
+index 09ce23a..9293938 100644
--- a/arch/x86/kernel/vsyscall_64.c
+++ b/arch/x86/kernel/vsyscall_64.c
@@ -56,15 +56,13 @@
@@ -28401,7 +28420,7 @@ index c697625..a032162 100644
out:
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
-index 0069118..c28ec0a 100644
+index 453e5fb..214168f 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -55,7 +55,7 @@
@@ -41665,19 +41684,6 @@ index 6866448..2ad2b34 100644
{
/* copy over all the bus versions */
if (dev->bus && dev->bus->pm) {
-diff --git a/drivers/hid/hid-cherry.c b/drivers/hid/hid-cherry.c
-index 1bdcccc..f745d2c 100644
---- a/drivers/hid/hid-cherry.c
-+++ b/drivers/hid/hid-cherry.c
-@@ -28,7 +28,7 @@
- static __u8 *ch_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- unsigned int *rsize)
- {
-- if (*rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
-+ if (*rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
- hid_info(hdev, "fixing up Cherry Cymotion report descriptor\n");
- rdesc[11] = rdesc[16] = 0xff;
- rdesc[12] = rdesc[17] = 0x03;
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 7cd42ea..a367c48 100644
--- a/drivers/hid/hid-core.c
@@ -41700,110 +41706,51 @@ index 7cd42ea..a367c48 100644
hid_debug_register(hdev, dev_name(&hdev->dev));
ret = device_add(&hdev->dev);
-diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c
-index e776963..b92bf01 100644
---- a/drivers/hid/hid-kye.c
-+++ b/drivers/hid/hid-kye.c
-@@ -300,7 +300,7 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- * - change the button usage range to 4-7 for the extra
- * buttons
- */
-- if (*rsize >= 74 &&
-+ if (*rsize >= 75 &&
- rdesc[61] == 0x05 && rdesc[62] == 0x08 &&
- rdesc[63] == 0x19 && rdesc[64] == 0x08 &&
- rdesc[65] == 0x29 && rdesc[66] == 0x0f &&
-diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c
-index 9fe9d4a..b8207e0 100644
---- a/drivers/hid/hid-lg.c
-+++ b/drivers/hid/hid-lg.c
-@@ -345,14 +345,14 @@ static __u8 *lg_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- struct usb_device_descriptor *udesc;
- __u16 bcdDevice, rev_maj, rev_min;
-
-- if ((drv_data->quirks & LG_RDESC) && *rsize >= 90 && rdesc[83] == 0x26 &&
-+ if ((drv_data->quirks & LG_RDESC) && *rsize >= 91 && rdesc[83] == 0x26 &&
- rdesc[84] == 0x8c && rdesc[85] == 0x02) {
- hid_info(hdev,
- "fixing up Logitech keyboard report descriptor\n");
- rdesc[84] = rdesc[89] = 0x4d;
- rdesc[85] = rdesc[90] = 0x10;
- }
-- if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 50 &&
-+ if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 51 &&
- rdesc[32] == 0x81 && rdesc[33] == 0x06 &&
- rdesc[49] == 0x81 && rdesc[50] == 0x06) {
- hid_info(hdev,
-diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
-index f45279c..0b14d32 100644
---- a/drivers/hid/hid-logitech-dj.c
-+++ b/drivers/hid/hid-logitech-dj.c
-@@ -237,13 +237,6 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev,
- return;
- }
+diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
+index 3b43d1c..991ba79 100644
+--- a/drivers/hid/hid-magicmouse.c
++++ b/drivers/hid/hid-magicmouse.c
+@@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
+ if (size < 4 || ((size - 4) % 9) != 0)
+ return 0;
+ npoints = (size - 4) / 9;
++ if (npoints > 15) {
++ hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n",
++ size);
++ return 0;
++ }
+ msc->ntouches = 0;
+ for (ii = 0; ii < npoints; ii++)
+ magicmouse_emit_touch(msc, ii, data + ii * 9 + 4);
+@@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
+ if (size < 6 || ((size - 6) % 8) != 0)
+ return 0;
+ npoints = (size - 6) / 8;
++ if (npoints > 15) {
++ hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n",
++ size);
++ return 0;
++ }
+ msc->ntouches = 0;
+ for (ii = 0; ii < npoints; ii++)
+ magicmouse_emit_touch(msc, ii, data + ii * 8 + 6);
+diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
+index acbb0210..020df3c 100644
+--- a/drivers/hid/hid-picolcd_core.c
++++ b/drivers/hid/hid-picolcd_core.c
+@@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_device *hdev,
+ if (!data)
+ return 1;
-- if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
-- (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
-- dev_err(&djrcv_hdev->dev, "%s: invalid device index:%d\n",
-- __func__, dj_report->device_index);
-- return;
-- }
--
- if (djrcv_dev->paired_dj_devices[dj_report->device_index]) {
- /* The device is already known. No need to reallocate it. */
- dbg_hid("%s: device is already known\n", __func__);
-@@ -721,6 +714,12 @@ static int logi_dj_raw_event(struct hid_device *hdev,
- * device (via hid_input_report() ) and return 1 so hid-core does not do
- * anything else with it.
- */
-+ if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
-+ (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
-+ dev_err(&hdev->dev, "%s: invalid device index:%d\n",
-+ __func__, dj_report->device_index);
-+ return false;
++ if (size > 64) {
++ hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n",
++ size);
++ return 0;
+ }
-
- spin_lock_irqsave(&djrcv_dev->lock, flags);
- if (dj_report->report_id == REPORT_ID_DJ_SHORT) {
-diff --git a/drivers/hid/hid-monterey.c b/drivers/hid/hid-monterey.c
-index 9e14c00..25daf28 100644
---- a/drivers/hid/hid-monterey.c
-+++ b/drivers/hid/hid-monterey.c
-@@ -24,7 +24,7 @@
- static __u8 *mr_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- unsigned int *rsize)
- {
-- if (*rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
-+ if (*rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
- hid_info(hdev, "fixing up button/consumer in HID report descriptor\n");
- rdesc[30] = 0x0c;
- }
-diff --git a/drivers/hid/hid-petalynx.c b/drivers/hid/hid-petalynx.c
-index 736b250..6aca4f2 100644
---- a/drivers/hid/hid-petalynx.c
-+++ b/drivers/hid/hid-petalynx.c
-@@ -25,7 +25,7 @@
- static __u8 *pl_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- unsigned int *rsize)
- {
-- if (*rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
-+ if (*rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
- rdesc[41] == 0x00 && rdesc[59] == 0x26 &&
- rdesc[60] == 0xf9 && rdesc[61] == 0x00) {
- hid_info(hdev, "fixing up Petalynx Maxter Remote report descriptor\n");
-diff --git a/drivers/hid/hid-sunplus.c b/drivers/hid/hid-sunplus.c
-index 87fc91e..91072fa 100644
---- a/drivers/hid/hid-sunplus.c
-+++ b/drivers/hid/hid-sunplus.c
-@@ -24,7 +24,7 @@
- static __u8 *sp_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- unsigned int *rsize)
- {
-- if (*rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
-+ if (*rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
- rdesc[106] == 0x03) {
- hid_info(hdev, "fixing up Sunplus Wireless Desktop report descriptor\n");
- rdesc[105] = rdesc[110] = 0x03;
++
+ if (report->id == REPORT_KEY_STATE) {
+ if (data->input_keys)
+ ret = picolcd_raw_keypad(data, report, raw_data+1, size-1);
diff --git a/drivers/hid/hid-wiimote-debug.c b/drivers/hid/hid-wiimote-debug.c
index c13fb5b..55a3802 100644
--- a/drivers/hid/hid-wiimote-debug.c
@@ -45018,6 +44965,433 @@ index 2fd9009..278cc1e 100644
radio = devm_kzalloc(&pdev->dev, sizeof(*radio), GFP_KERNEL);
if (!radio)
+diff --git a/drivers/media/usb/dvb-usb/cinergyT2-core.c b/drivers/media/usb/dvb-usb/cinergyT2-core.c
+index 9fd1527..8927230 100644
+--- a/drivers/media/usb/dvb-usb/cinergyT2-core.c
++++ b/drivers/media/usb/dvb-usb/cinergyT2-core.c
+@@ -50,29 +50,73 @@ static struct dvb_usb_device_properties cinergyt2_properties;
+
+ static int cinergyt2_streaming_ctrl(struct dvb_usb_adapter *adap, int enable)
+ {
+- char buf[] = { CINERGYT2_EP1_CONTROL_STREAM_TRANSFER, enable ? 1 : 0 };
+- char result[64];
+- return dvb_usb_generic_rw(adap->dev, buf, sizeof(buf), result,
+- sizeof(result), 0);
++ char *buf;
++ char *result;
++ int retval;
++
++ buf = kmalloc(2, GFP_KERNEL);
++ if (buf == NULL)
++ return -ENOMEM;
++ result = kmalloc(64, GFP_KERNEL);
++ if (result == NULL) {
++ kfree(buf);
++ return -ENOMEM;
++ }
++
++ buf[0] = CINERGYT2_EP1_CONTROL_STREAM_TRANSFER;
++ buf[1] = enable ? 1 : 0;
++
++ retval = dvb_usb_generic_rw(adap->dev, buf, 2, result, 64, 0);
++
++ kfree(buf);
++ kfree(result);
++ return retval;
+ }
+
+ static int cinergyt2_power_ctrl(struct dvb_usb_device *d, int enable)
+ {
+- char buf[] = { CINERGYT2_EP1_SLEEP_MODE, enable ? 0 : 1 };
+- char state[3];
+- return dvb_usb_generic_rw(d, buf, sizeof(buf), state, sizeof(state), 0);
++ char *buf;
++ char *state;
++ int retval;
++
++ buf = kmalloc(2, GFP_KERNEL);
++ if (buf == NULL)
++ return -ENOMEM;
++ state = kmalloc(3, GFP_KERNEL);
++ if (state == NULL) {
++ kfree(buf);
++ return -ENOMEM;
++ }
++
++ buf[0] = CINERGYT2_EP1_SLEEP_MODE;
++ buf[1] = enable ? 1 : 0;
++
++ retval = dvb_usb_generic_rw(d, buf, 2, state, 3, 0);
++
++ kfree(buf);
++ kfree(state);
++ return retval;
+ }
+
+ static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
+ {
+- char query[] = { CINERGYT2_EP1_GET_FIRMWARE_VERSION };
+- char state[3];
++ char *query;
++ char *state;
+ int ret;
++ query = kmalloc(1, GFP_KERNEL);
++ if (query == NULL)
++ return -ENOMEM;
++ state = kmalloc(3, GFP_KERNEL);
++ if (state == NULL) {
++ kfree(query);
++ return -ENOMEM;
++ }
++
++ query[0] = CINERGYT2_EP1_GET_FIRMWARE_VERSION;
+
+ adap->fe_adap[0].fe = cinergyt2_fe_attach(adap->dev);
+
+- ret = dvb_usb_generic_rw(adap->dev, query, sizeof(query), state,
+- sizeof(state), 0);
++ ret = dvb_usb_generic_rw(adap->dev, query, 1, state, 3, 0);
+ if (ret < 0) {
+ deb_rc("cinergyt2_power_ctrl() Failed to retrieve sleep "
+ "state info\n");
+@@ -80,7 +124,8 @@ static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
+
+ /* Copy this pointer as we are gonna need it in the release phase */
+ cinergyt2_usb_device = adap->dev;
+-
++ kfree(query);
++ kfree(state);
+ return 0;
+ }
+
+@@ -141,12 +186,23 @@ static int repeatable_keys[] = {
+ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ {
+ struct cinergyt2_state *st = d->priv;
+- u8 key[5] = {0, 0, 0, 0, 0}, cmd = CINERGYT2_EP1_GET_RC_EVENTS;
++ u8 *key, *cmd;
+ int i;
+
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -EINVAL;
++ key = kzalloc(5, GFP_KERNEL);
++ if (key == NULL) {
++ kfree(cmd);
++ return -EINVAL;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_RC_EVENTS;
++
+ *state = REMOTE_NO_KEY_PRESSED;
+
+- dvb_usb_generic_rw(d, &cmd, 1, key, sizeof(key), 0);
++ dvb_usb_generic_rw(d, cmd, 1, key, 5, 0);
+ if (key[4] == 0xff) {
+ /* key repeat */
+ st->rc_counter++;
+@@ -157,12 +213,12 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ *event = d->last_event;
+ deb_rc("repeat key, event %x\n",
+ *event);
+- return 0;
++ goto out;
+ }
+ }
+ deb_rc("repeated key (non repeatable)\n");
+ }
+- return 0;
++ goto out;
+ }
+
+ /* hack to pass checksum on the custom field */
+@@ -174,6 +230,9 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+
+ deb_rc("key: %*ph\n", 5, key);
+ }
++out:
++ kfree(cmd);
++ kfree(key);
+ return 0;
+ }
+
+diff --git a/drivers/media/usb/dvb-usb/cinergyT2-fe.c b/drivers/media/usb/dvb-usb/cinergyT2-fe.c
+index c890fe4..f9b2ae6 100644
+--- a/drivers/media/usb/dvb-usb/cinergyT2-fe.c
++++ b/drivers/media/usb/dvb-usb/cinergyT2-fe.c
+@@ -145,103 +145,176 @@ static int cinergyt2_fe_read_status(struct dvb_frontend *fe,
+ fe_status_t *status)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg result;
+- u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *result;
++ u8 *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&result,
+- sizeof(result), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ result = kmalloc(sizeof(*result), GFP_KERNEL);
++ if (result == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)result,
++ sizeof(*result), 0);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+ *status = 0;
+
+- if (0xffff - le16_to_cpu(result.gain) > 30)
++ if (0xffff - le16_to_cpu(result->gain) > 30)
+ *status |= FE_HAS_SIGNAL;
+- if (result.lock_bits & (1 << 6))
++ if (result->lock_bits & (1 << 6))
+ *status |= FE_HAS_LOCK;
+- if (result.lock_bits & (1 << 5))
++ if (result->lock_bits & (1 << 5))
+ *status |= FE_HAS_SYNC;
+- if (result.lock_bits & (1 << 4))
++ if (result->lock_bits & (1 << 4))
+ *status |= FE_HAS_CARRIER;
+- if (result.lock_bits & (1 << 1))
++ if (result->lock_bits & (1 << 1))
+ *status |= FE_HAS_VITERBI;
+
+ if ((*status & (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC)) !=
+ (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC))
+ *status &= ~FE_HAS_LOCK;
+
+- return 0;
++out:
++ kfree(cmd);
++ kfree(result);
++ return ret;
+ }
+
+ static int cinergyt2_fe_read_ber(struct dvb_frontend *fe, u32 *ber)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg status;
+- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *status;
++ char *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+- sizeof(status), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ status = kmalloc(sizeof(*status), GFP_KERNEL);
++ if (status == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++ sizeof(*status), 0);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+- *ber = le32_to_cpu(status.viterbi_error_rate);
++ *ber = le32_to_cpu(status->viterbi_error_rate);
++out:
++ kfree(cmd);
++ kfree(status);
+ return 0;
+ }
+
+ static int cinergyt2_fe_read_unc_blocks(struct dvb_frontend *fe, u32 *unc)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg status;
+- u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *status;
++ u8 *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&status,
+- sizeof(status), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ status = kmalloc(sizeof(*status), GFP_KERNEL);
++ if (status == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)status,
++ sizeof(*status), 0);
+ if (ret < 0) {
+ err("cinergyt2_fe_read_unc_blocks() Failed! (Error=%d)\n",
+ ret);
+- return ret;
++ goto out;
+ }
+- *unc = le32_to_cpu(status.uncorrected_block_count);
+- return 0;
++ *unc = le32_to_cpu(status->uncorrected_block_count);
++
++out:
++ kfree(cmd);
++ kfree(status);
++ return ret;
+ }
+
+ static int cinergyt2_fe_read_signal_strength(struct dvb_frontend *fe,
+ u16 *strength)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg status;
+- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *status;
++ char *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+- sizeof(status), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ status = kmalloc(sizeof(*status), GFP_KERNEL);
++ if (status == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++ sizeof(*status), 0);
+ if (ret < 0) {
+ err("cinergyt2_fe_read_signal_strength() Failed!"
+ " (Error=%d)\n", ret);
+- return ret;
++ goto out;
+ }
+- *strength = (0xffff - le16_to_cpu(status.gain));
++ *strength = (0xffff - le16_to_cpu(status->gain));
++
++out:
++ kfree(cmd);
++ kfree(status);
+ return 0;
+ }
+
+ static int cinergyt2_fe_read_snr(struct dvb_frontend *fe, u16 *snr)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg status;
+- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *status;
++ char *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+- sizeof(status), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ status = kmalloc(sizeof(*status), GFP_KERNEL);
++ if (status == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++ sizeof(*status), 0);
+ if (ret < 0) {
+ err("cinergyt2_fe_read_snr() Failed! (Error=%d)\n", ret);
+- return ret;
++ goto out;
+ }
+- *snr = (status.snr << 8) | status.snr;
+- return 0;
++ *snr = (status->snr << 8) | status->snr;
++
++out:
++ kfree(cmd);
++ kfree(status);
++ return ret;
+ }
+
+ static int cinergyt2_fe_init(struct dvb_frontend *fe)
+@@ -266,35 +339,46 @@ static int cinergyt2_fe_set_frontend(struct dvb_frontend *fe)
+ {
+ struct dtv_frontend_properties *fep = &fe->dtv_property_cache;
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_set_parameters_msg param;
+- char result[2];
++ struct dvbt_set_parameters_msg *param;
++ char *result;
+ int err;
+
+- param.cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
+- param.tps = cpu_to_le16(compute_tps(fep));
+- param.freq = cpu_to_le32(fep->frequency / 1000);
+- param.flags = 0;
++ result = kmalloc(2, GFP_KERNEL);
++ if (result == NULL)
++ return -ENOMEM;
++ param = kmalloc(sizeof(*param), GFP_KERNEL);
++ if (param == NULL) {
++ kfree(result);
++ return -ENOMEM;
++ }
++
++ param->cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
++ param->tps = cpu_to_le16(compute_tps(fep));
++ param->freq = cpu_to_le32(fep->frequency / 1000);
++ param->flags = 0;
+
+ switch (fep->bandwidth_hz) {
+ default:
+ case 8000000:
+- param.bandwidth = 8;
++ param->bandwidth = 8;
+ break;
+ case 7000000:
+- param.bandwidth = 7;
++ param->bandwidth = 7;
+ break;
+ case 6000000:
+- param.bandwidth = 6;
++ param->bandwidth = 6;
+ break;
+ }
+
+ err = dvb_usb_generic_rw(state->d,
+- (char *)&param, sizeof(param),
+- result, sizeof(result), 0);
++ (char *)param, sizeof(*param),
++ result, 2, 0);
+ if (err < 0)
+ err("cinergyt2_fe_set_frontend() Failed! err=%d\n", err);
+
+- return (err < 0) ? err : 0;
++ kfree(result);
++ kfree(param);
++ return err;
+ }
+
+ static void cinergyt2_fe_release(struct dvb_frontend *fe)
diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c
index a1c641e..3007da9 100644
--- a/drivers/media/usb/dvb-usb/cxusb.c
@@ -49430,7 +49804,7 @@ index f28ea07..34b16d3 100644
/* These three are default values which can be overridden */
diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
-index 868318a..e07ef3b 100644
+index 528bff5..84963854 100644
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -571,7 +571,7 @@ static inline u32 next_command(struct ctlr_info *h, u8 q)
@@ -51721,10 +52095,10 @@ index 9cd706d..6ff2de7 100644
if (cfg->uart_flags & UPF_CONS_FLOW) {
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
-index ece2049b..fba2524 100644
+index 25b8f68..3e23c14 100644
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
-@@ -1448,7 +1448,7 @@ static void uart_hangup(struct tty_struct *tty)
+@@ -1451,7 +1451,7 @@ static void uart_hangup(struct tty_struct *tty)
uart_flush_buffer(tty);
uart_shutdown(tty, state);
spin_lock_irqsave(&port->lock, flags);
@@ -51733,7 +52107,7 @@ index ece2049b..fba2524 100644
clear_bit(ASYNCB_NORMAL_ACTIVE, &port->flags);
spin_unlock_irqrestore(&port->lock, flags);
tty_port_tty_set(port, NULL);
-@@ -1544,7 +1544,7 @@ static int uart_open(struct tty_struct *tty, struct file *filp)
+@@ -1547,7 +1547,7 @@ static int uart_open(struct tty_struct *tty, struct file *filp)
goto end;
}
@@ -51742,7 +52116,7 @@ index ece2049b..fba2524 100644
if (!state->uart_port || state->uart_port->flags & UPF_DEAD) {
retval = -ENXIO;
goto err_dec_count;
-@@ -1572,7 +1572,7 @@ static int uart_open(struct tty_struct *tty, struct file *filp)
+@@ -1575,7 +1575,7 @@ static int uart_open(struct tty_struct *tty, struct file *filp)
/*
* Make sure the device is in D0 state.
*/
@@ -51751,7 +52125,7 @@ index ece2049b..fba2524 100644
uart_change_pm(state, UART_PM_STATE_ON);
/*
-@@ -1590,7 +1590,7 @@ static int uart_open(struct tty_struct *tty, struct file *filp)
+@@ -1593,7 +1593,7 @@ static int uart_open(struct tty_struct *tty, struct file *filp)
end:
return retval;
err_dec_count:
@@ -52561,7 +52935,7 @@ index 2a3bbdf..91d72cf 100644
file->f_version = event_count;
return POLLIN | POLLRDNORM;
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
-index 90e18f6..5eeda46 100644
+index 9ca7716..a2ccc2e 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -187,7 +187,7 @@ static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
@@ -52623,7 +52997,7 @@ index 2518c32..1c201bb 100644
wake_up(&usb_kill_urb_queue);
usb_put_urb(urb);
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index 36b1e85..18fb0a4 100644
+index 6650df7..3a94427 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -27,6 +27,7 @@
@@ -52634,7 +53008,7 @@ index 36b1e85..18fb0a4 100644
#include <asm/uaccess.h>
#include <asm/byteorder.h>
-@@ -4502,6 +4503,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
+@@ -4549,6 +4550,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
goto done;
return;
}
@@ -52866,7 +53240,7 @@ index 7a55fea..cc0ed4f 100644
#include "u_uac1.h"
diff --git a/drivers/usb/host/ehci-hub.c b/drivers/usb/host/ehci-hub.c
-index 7ae0c4d..35521b7 100644
+index 7d6f64c..37a1efc 100644
--- a/drivers/usb/host/ehci-hub.c
+++ b/drivers/usb/host/ehci-hub.c
@@ -780,7 +780,7 @@ static struct urb *request_single_step_set_feature_urb(
@@ -56637,7 +57011,7 @@ index ce25d75..dc09eeb 100644
&data);
if (!inode) {
diff --git a/fs/aio.c b/fs/aio.c
-index 6d68e01..573d8dc 100644
+index 6d68e01..6bc8e9a 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -380,7 +380,7 @@ static int aio_setup_ring(struct kioctx *ctx)
@@ -56649,6 +57023,19 @@ index 6d68e01..573d8dc 100644
return -EINVAL;
file = aio_private_file(ctx, nr_pages);
+@@ -1065,6 +1065,12 @@ static long aio_read_events_ring(struct kioctx *ctx,
+ tail = ring->tail;
+ kunmap_atomic(ring);
+
++ /*
++ * Ensure that once we've read the current tail pointer, that
++ * we also see the events that were stored up to the tail.
++ */
++ smp_rmb();
++
+ pr_debug("h%u t%u m%u\n", head, tail, ctx->nr_events);
+
+ if (head == tail)
diff --git a/fs/attr.c b/fs/attr.c
index 6530ced..4a827e2 100644
--- a/fs/attr.c
@@ -58120,10 +58507,33 @@ index ebaff36..7e3ea26 100644
kunmap(page);
file_end_write(file);
diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c
-index 5e0982a..b7e82bc 100644
+index 5e0982a..ca18377 100644
--- a/fs/ceph/dir.c
+++ b/fs/ceph/dir.c
-@@ -248,7 +248,7 @@ static int ceph_readdir(struct file *file, struct dir_context *ctx)
+@@ -128,6 +128,8 @@ static int __dcache_readdir(struct file *file, struct dir_context *ctx)
+ struct dentry *dentry, *last;
+ struct ceph_dentry_info *di;
+ int err = 0;
++ char d_name[DNAME_INLINE_LEN];
++ const unsigned char *name;
+
+ /* claim ref on last dentry we returned */
+ last = fi->dentry;
+@@ -183,7 +185,12 @@ more:
+ dout(" %llu (%llu) dentry %p %.*s %p\n", di->offset, ctx->pos,
+ dentry, dentry->d_name.len, dentry->d_name.name, dentry->d_inode);
+ ctx->pos = di->offset;
+- if (!dir_emit(ctx, dentry->d_name.name,
++ name = dentry->d_name.name;
++ if (name == dentry->d_iname) {
++ memcpy(d_name, name, dentry->d_name.len);
++ name = d_name;
++ }
++ if (!dir_emit(ctx, name,
+ dentry->d_name.len,
+ ceph_translate_ino(dentry->d_sb, dentry->d_inode->i_ino),
+ dentry->d_inode->i_mode >> 12)) {
+@@ -248,7 +255,7 @@ static int ceph_readdir(struct file *file, struct dir_context *ctx)
struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
struct ceph_mds_client *mdsc = fsc->mdsc;
unsigned frag = fpos_frag(ctx->pos);
@@ -58983,7 +59393,7 @@ index 7f3b400..9c911f2 100644
dcache_init();
inode_init();
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
-index 9c0444c..628490c 100644
+index 1576195..49a19ae 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -415,7 +415,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file);
@@ -59978,10 +60388,10 @@ index e6574d7..c30cbe2 100644
brelse(bh);
bh = NULL;
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
-index 502f0fd..bf3b3c1 100644
+index 242226a..f3eb6c1 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
-@@ -1880,7 +1880,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac,
+@@ -1882,7 +1882,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac,
BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
if (EXT4_SB(sb)->s_mb_stats)
@@ -59990,7 +60400,7 @@ index 502f0fd..bf3b3c1 100644
break;
}
-@@ -2189,7 +2189,7 @@ repeat:
+@@ -2191,7 +2191,7 @@ repeat:
ac->ac_status = AC_STATUS_CONTINUE;
ac->ac_flags |= EXT4_MB_HINT_FIRST;
cr = 3;
@@ -59999,7 +60409,7 @@ index 502f0fd..bf3b3c1 100644
goto repeat;
}
}
-@@ -2697,25 +2697,25 @@ int ext4_mb_release(struct super_block *sb)
+@@ -2699,25 +2699,25 @@ int ext4_mb_release(struct super_block *sb)
if (sbi->s_mb_stats) {
ext4_msg(sb, KERN_INFO,
"mballoc: %u blocks %u reqs (%u success)",
@@ -60035,7 +60445,7 @@ index 502f0fd..bf3b3c1 100644
}
free_percpu(sbi->s_locality_groups);
-@@ -3169,16 +3169,16 @@ static void ext4_mb_collect_stats(struct ext4_allocation_context *ac)
+@@ -3171,16 +3171,16 @@ static void ext4_mb_collect_stats(struct ext4_allocation_context *ac)
struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
@@ -60058,7 +60468,7 @@ index 502f0fd..bf3b3c1 100644
}
if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
-@@ -3583,7 +3583,7 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac)
+@@ -3607,7 +3607,7 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac)
trace_ext4_mb_new_inode_pa(ac, pa);
ext4_mb_use_inode_pa(ac, pa);
@@ -60067,7 +60477,7 @@ index 502f0fd..bf3b3c1 100644
ei = EXT4_I(ac->ac_inode);
grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
-@@ -3643,7 +3643,7 @@ ext4_mb_new_group_pa(struct ext4_allocation_context *ac)
+@@ -3667,7 +3667,7 @@ ext4_mb_new_group_pa(struct ext4_allocation_context *ac)
trace_ext4_mb_new_group_pa(ac, pa);
ext4_mb_use_group_pa(ac, pa);
@@ -60076,7 +60486,7 @@ index 502f0fd..bf3b3c1 100644
grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
lg = ac->ac_lg;
-@@ -3732,7 +3732,7 @@ ext4_mb_release_inode_pa(struct ext4_buddy *e4b, struct buffer_head *bitmap_bh,
+@@ -3756,7 +3756,7 @@ ext4_mb_release_inode_pa(struct ext4_buddy *e4b, struct buffer_head *bitmap_bh,
* from the bitmap and continue.
*/
}
@@ -60085,7 +60495,7 @@ index 502f0fd..bf3b3c1 100644
return err;
}
-@@ -3750,7 +3750,7 @@ ext4_mb_release_group_pa(struct ext4_buddy *e4b,
+@@ -3774,7 +3774,7 @@ ext4_mb_release_group_pa(struct ext4_buddy *e4b,
ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
@@ -60108,7 +60518,7 @@ index 04434ad..6404663 100644
"MMP failure info: last update time: %llu, last update "
"node: %s, last update device: %s\n",
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
-index 25b327e..56f169d 100644
+index a46030d..1477295 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1270,7 +1270,7 @@ static ext4_fsblk_t get_sb_block(void **data)
@@ -61892,185 +62302,6 @@ index e846a32..bb06bd0 100644
put_cpu_var(last_ino);
return res;
}
-diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
-index 4a9e10e..a9daccb 100644
---- a/fs/isofs/inode.c
-+++ b/fs/isofs/inode.c
-@@ -61,7 +61,7 @@ static void isofs_put_super(struct super_block *sb)
- return;
- }
-
--static int isofs_read_inode(struct inode *);
-+static int isofs_read_inode(struct inode *, int relocated);
- static int isofs_statfs (struct dentry *, struct kstatfs *);
-
- static struct kmem_cache *isofs_inode_cachep;
-@@ -1258,7 +1258,7 @@ out_toomany:
- goto out;
- }
-
--static int isofs_read_inode(struct inode *inode)
-+static int isofs_read_inode(struct inode *inode, int relocated)
- {
- struct super_block *sb = inode->i_sb;
- struct isofs_sb_info *sbi = ISOFS_SB(sb);
-@@ -1403,7 +1403,7 @@ static int isofs_read_inode(struct inode *inode)
- */
-
- if (!high_sierra) {
-- parse_rock_ridge_inode(de, inode);
-+ parse_rock_ridge_inode(de, inode, relocated);
- /* if we want uid/gid set, override the rock ridge setting */
- if (sbi->s_uid_set)
- inode->i_uid = sbi->s_uid;
-@@ -1482,9 +1482,10 @@ static int isofs_iget5_set(struct inode *ino, void *data)
- * offset that point to the underlying meta-data for the inode. The
- * code below is otherwise similar to the iget() code in
- * include/linux/fs.h */
--struct inode *isofs_iget(struct super_block *sb,
-- unsigned long block,
-- unsigned long offset)
-+struct inode *__isofs_iget(struct super_block *sb,
-+ unsigned long block,
-+ unsigned long offset,
-+ int relocated)
- {
- unsigned long hashval;
- struct inode *inode;
-@@ -1506,7 +1507,7 @@ struct inode *isofs_iget(struct super_block *sb,
- return ERR_PTR(-ENOMEM);
-
- if (inode->i_state & I_NEW) {
-- ret = isofs_read_inode(inode);
-+ ret = isofs_read_inode(inode, relocated);
- if (ret < 0) {
- iget_failed(inode);
- inode = ERR_PTR(ret);
-diff --git a/fs/isofs/isofs.h b/fs/isofs/isofs.h
-index 9916723..0ac4c1f 100644
---- a/fs/isofs/isofs.h
-+++ b/fs/isofs/isofs.h
-@@ -107,7 +107,7 @@ extern int iso_date(char *, int);
-
- struct inode; /* To make gcc happy */
-
--extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *);
-+extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *, int relocated);
- extern int get_rock_ridge_filename(struct iso_directory_record *, char *, struct inode *);
- extern int isofs_name_translate(struct iso_directory_record *, char *, struct inode *);
-
-@@ -118,9 +118,24 @@ extern struct dentry *isofs_lookup(struct inode *, struct dentry *, unsigned int
- extern struct buffer_head *isofs_bread(struct inode *, sector_t);
- extern int isofs_get_blocks(struct inode *, sector_t, struct buffer_head **, unsigned long);
-
--extern struct inode *isofs_iget(struct super_block *sb,
-- unsigned long block,
-- unsigned long offset);
-+struct inode *__isofs_iget(struct super_block *sb,
-+ unsigned long block,
-+ unsigned long offset,
-+ int relocated);
-+
-+static inline struct inode *isofs_iget(struct super_block *sb,
-+ unsigned long block,
-+ unsigned long offset)
-+{
-+ return __isofs_iget(sb, block, offset, 0);
-+}
-+
-+static inline struct inode *isofs_iget_reloc(struct super_block *sb,
-+ unsigned long block,
-+ unsigned long offset)
-+{
-+ return __isofs_iget(sb, block, offset, 1);
-+}
-
- /* Because the inode number is no longer relevant to finding the
- * underlying meta-data for an inode, we are free to choose a more
-diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
-index c0bf424..f488bba 100644
---- a/fs/isofs/rock.c
-+++ b/fs/isofs/rock.c
-@@ -288,12 +288,16 @@ eio:
- goto out;
- }
-
-+#define RR_REGARD_XA 1
-+#define RR_RELOC_DE 2
-+
- static int
- parse_rock_ridge_inode_internal(struct iso_directory_record *de,
-- struct inode *inode, int regard_xa)
-+ struct inode *inode, int flags)
- {
- int symlink_len = 0;
- int cnt, sig;
-+ unsigned int reloc_block;
- struct inode *reloc;
- struct rock_ridge *rr;
- int rootflag;
-@@ -305,7 +309,7 @@ parse_rock_ridge_inode_internal(struct iso_directory_record *de,
-
- init_rock_state(&rs, inode);
- setup_rock_ridge(de, inode, &rs);
-- if (regard_xa) {
-+ if (flags & RR_REGARD_XA) {
- rs.chr += 14;
- rs.len -= 14;
- if (rs.len < 0)
-@@ -485,12 +489,22 @@ repeat:
- "relocated directory\n");
- goto out;
- case SIG('C', 'L'):
-- ISOFS_I(inode)->i_first_extent =
-- isonum_733(rr->u.CL.location);
-- reloc =
-- isofs_iget(inode->i_sb,
-- ISOFS_I(inode)->i_first_extent,
-- 0);
-+ if (flags & RR_RELOC_DE) {
-+ printk(KERN_ERR
-+ "ISOFS: Recursive directory relocation "
-+ "is not supported\n");
-+ goto eio;
-+ }
-+ reloc_block = isonum_733(rr->u.CL.location);
-+ if (reloc_block == ISOFS_I(inode)->i_iget5_block &&
-+ ISOFS_I(inode)->i_iget5_offset == 0) {
-+ printk(KERN_ERR
-+ "ISOFS: Directory relocation points to "
-+ "itself\n");
-+ goto eio;
-+ }
-+ ISOFS_I(inode)->i_first_extent = reloc_block;
-+ reloc = isofs_iget_reloc(inode->i_sb, reloc_block, 0);
- if (IS_ERR(reloc)) {
- ret = PTR_ERR(reloc);
- goto out;
-@@ -637,9 +651,11 @@ static char *get_symlink_chunk(char *rpnt, struct rock_ridge *rr, char *plimit)
- return rpnt;
- }
-
--int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode)
-+int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode,
-+ int relocated)
- {
-- int result = parse_rock_ridge_inode_internal(de, inode, 0);
-+ int flags = relocated ? RR_RELOC_DE : 0;
-+ int result = parse_rock_ridge_inode_internal(de, inode, flags);
-
- /*
- * if rockridge flag was reset and we didn't look for attributes
-@@ -647,7 +663,8 @@ int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode)
- */
- if ((ISOFS_SB(inode->i_sb)->s_rock_offset == -1)
- && (ISOFS_SB(inode->i_sb)->s_rock == 2)) {
-- result = parse_rock_ridge_inode_internal(de, inode, 14);
-+ result = parse_rock_ridge_inode_internal(de, inode,
-+ flags | RR_REGARD_XA);
- }
- return result;
- }
diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c
index 4a6cf28..d3a29d3 100644
--- a/fs/jffs2/erase.c
@@ -63032,19 +63263,6 @@ index 15f9d98..082c625 100644
}
void nfs_fattr_init(struct nfs_fattr *fattr)
-diff --git a/fs/nfs/nfs3acl.c b/fs/nfs/nfs3acl.c
-index 8f854dd..d0fec26 100644
---- a/fs/nfs/nfs3acl.c
-+++ b/fs/nfs/nfs3acl.c
-@@ -256,7 +256,7 @@ nfs3_list_one_acl(struct inode *inode, int type, const char *name, void *data,
- char *p = data + *result;
-
- acl = get_acl(inode, type);
-- if (!acl)
-+ if (IS_ERR_OR_NULL(acl))
- return 0;
-
- posix_acl_release(acl);
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index f23a6ca..730ddcc 100644
--- a/fs/nfsd/nfs4proc.c
@@ -63072,7 +63290,7 @@ index 8657335..cd3e37f 100644
[OP_CLOSE] = (nfsd4_dec)nfsd4_decode_close,
[OP_COMMIT] = (nfsd4_dec)nfsd4_decode_commit,
diff --git a/fs/nfsd/nfscache.c b/fs/nfsd/nfscache.c
-index f8f060f..c4ba09a 100644
+index f8f060f..d9a7258 100644
--- a/fs/nfsd/nfscache.c
+++ b/fs/nfsd/nfscache.c
@@ -519,14 +519,17 @@ nfsd_cache_update(struct svc_rqst *rqstp, int cachetype, __be32 *statp)
@@ -63096,6 +63314,15 @@ index f8f060f..c4ba09a 100644
/* Don't cache excessive amounts of data and XDR failures */
if (!statp || len > (256 >> 2)) {
+@@ -537,7 +540,7 @@ nfsd_cache_update(struct svc_rqst *rqstp, int cachetype, __be32 *statp)
+ switch (cachetype) {
+ case RC_REPLSTAT:
+ if (len != 1)
+- printk("nfsd: RC_REPLSTAT/reply len %d!\n",len);
++ printk("nfsd: RC_REPLSTAT/reply len %ld!\n",len);
+ rp->c_replstat = *statp;
+ break;
+ case RC_REPLBUFF:
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index eea5ad1..5a84ac7 100644
--- a/fs/nfsd/vfs.c
@@ -63128,7 +63355,7 @@ index eea5ad1..5a84ac7 100644
if (host_err < 0)
diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c
-index 52ccd34..43a53b1 100644
+index 52ccd34..7a6b202 100644
--- a/fs/nls/nls_base.c
+++ b/fs/nls/nls_base.c
@@ -234,21 +234,25 @@ EXPORT_SYMBOL(utf16s_to_utf8s);
@@ -63180,6 +63407,24 @@ index 52ccd34..43a53b1 100644
spin_unlock(&nls_lock);
return 0;
}
+@@ -272,7 +278,7 @@ int unregister_nls(struct nls_table * nls)
+ return -EINVAL;
+ }
+
+-static struct nls_table *find_nls(char *charset)
++static struct nls_table *find_nls(const char *charset)
+ {
+ struct nls_table *nls;
+ spin_lock(&nls_lock);
+@@ -288,7 +294,7 @@ static struct nls_table *find_nls(char *charset)
+ return nls;
+ }
+
+-struct nls_table *load_nls(char *charset)
++struct nls_table *load_nls(const char *charset)
+ {
+ return try_then_request_module(find_nls(charset), "nls_%s", charset);
+ }
diff --git a/fs/nls/nls_euc-jp.c b/fs/nls/nls_euc-jp.c
index 162b3f1..6076a7c 100644
--- a/fs/nls/nls_euc-jp.c
@@ -81948,7 +82193,7 @@ index 0000000..33f4af8
+
+#endif
diff --git a/include/linux/nls.h b/include/linux/nls.h
-index 520681b..1d67ed2 100644
+index 520681b..2b7fabb 100644
--- a/include/linux/nls.h
+++ b/include/linux/nls.h
@@ -31,7 +31,7 @@ struct nls_table {
@@ -81960,6 +82205,15 @@ index 520681b..1d67ed2 100644
/* this value hold the maximum octet of charset */
#define NLS_MAX_CHARSET_SIZE 6 /* for UTF-8 */
+@@ -46,7 +46,7 @@ enum utf16_endian {
+ /* nls_base.c */
+ extern int __register_nls(struct nls_table *, struct module *);
+ extern int unregister_nls(struct nls_table *);
+-extern struct nls_table *load_nls(char *);
++extern struct nls_table *load_nls(const char *);
+ extern void unload_nls(struct nls_table *);
+ extern struct nls_table *load_nls_default(void);
+ #define register_nls(nls) __register_nls((nls), THIS_MODULE)
diff --git a/include/linux/notifier.h b/include/linux/notifier.h
index d14a4c3..a078786 100644
--- a/include/linux/notifier.h
@@ -84215,7 +84469,7 @@ index c55aeed..b3393f4 100644
/** inet_connection_sock - INET connection oriented sock
*
diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h
-index 823ec7b..1af4453 100644
+index 823ec7b..44c938c 100644
--- a/include/net/inetpeer.h
+++ b/include/net/inetpeer.h
@@ -47,7 +47,7 @@ struct inet_peer {
@@ -84223,7 +84477,7 @@ index 823ec7b..1af4453 100644
union {
struct {
- atomic_t rid; /* Frag reception counter */
-+ atomic_unchecked_t rid; /* Frag reception counter */
++ atomic_unchecked_t rid; /* Frag reception counter */
};
struct rcu_head rcu;
struct inet_peer *gc_next;
@@ -90564,7 +90818,7 @@ index a63f4dc..349bbb0 100644
unsigned long timeout)
{
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index 515e212..268a828 100644
+index 677ebad..e39b352 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -1775,7 +1775,7 @@ void set_numabalancing_state(bool enabled)
@@ -90615,7 +90869,7 @@ index 515e212..268a828 100644
/* can't increase priority */
if (attr->sched_priority > p->rt_priority &&
attr->sched_priority > rlim_rtprio)
-@@ -4726,8 +4732,10 @@ void idle_task_exit(void)
+@@ -4727,8 +4733,10 @@ void idle_task_exit(void)
BUG_ON(cpu_online(smp_processor_id()));
@@ -90627,7 +90881,7 @@ index 515e212..268a828 100644
mmdrop(mm);
}
-@@ -4805,7 +4813,7 @@ static void migrate_tasks(unsigned int dead_cpu)
+@@ -4806,7 +4814,7 @@ static void migrate_tasks(unsigned int dead_cpu)
#if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_SYSCTL)
@@ -90636,7 +90890,7 @@ index 515e212..268a828 100644
{
.procname = "sched_domain",
.mode = 0555,
-@@ -4822,17 +4830,17 @@ static struct ctl_table sd_ctl_root[] = {
+@@ -4823,17 +4831,17 @@ static struct ctl_table sd_ctl_root[] = {
{}
};
@@ -90658,7 +90912,7 @@ index 515e212..268a828 100644
/*
* In the intermediate directories, both the child directory and
-@@ -4840,22 +4848,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep)
+@@ -4841,22 +4849,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep)
* will always be set. In the lowest directory the names are
* static strings and all have proc handlers.
*/
@@ -90690,7 +90944,7 @@ index 515e212..268a828 100644
const char *procname, void *data, int maxlen,
umode_t mode, proc_handler *proc_handler,
bool load_idx)
-@@ -4875,7 +4886,7 @@ set_table_entry(struct ctl_table *entry,
+@@ -4876,7 +4887,7 @@ set_table_entry(struct ctl_table *entry,
static struct ctl_table *
sd_alloc_ctl_domain_table(struct sched_domain *sd)
{
@@ -90699,7 +90953,7 @@ index 515e212..268a828 100644
if (table == NULL)
return NULL;
-@@ -4910,9 +4921,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd)
+@@ -4911,9 +4922,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd)
return table;
}
@@ -90711,7 +90965,7 @@ index 515e212..268a828 100644
struct sched_domain *sd;
int domain_num = 0, i;
char buf[32];
-@@ -4939,11 +4950,13 @@ static struct ctl_table_header *sd_sysctl_header;
+@@ -4940,11 +4951,13 @@ static struct ctl_table_header *sd_sysctl_header;
static void register_sched_domain_sysctl(void)
{
int i, cpu_num = num_possible_cpus();
@@ -90726,7 +90980,7 @@ index 515e212..268a828 100644
if (entry == NULL)
return;
-@@ -4966,8 +4979,12 @@ static void unregister_sched_domain_sysctl(void)
+@@ -4967,8 +4980,12 @@ static void unregister_sched_domain_sysctl(void)
if (sd_sysctl_header)
unregister_sysctl_table(sd_sysctl_header);
sd_sysctl_header = NULL;
@@ -91730,7 +91984,7 @@ index e3be87e..7480b36 100644
ftrace_graph_active++;
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
-index 0954450..0ed035c 100644
+index 0954450..1e3e687 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -352,9 +352,9 @@ struct buffer_data_page {
@@ -91756,7 +92010,31 @@ index 0954450..0ed035c 100644
local_t dropped_events;
local_t committing;
local_t commits;
-@@ -991,8 +991,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -626,8 +626,22 @@ int ring_buffer_poll_wait(struct ring_buffer *buffer, int cpu,
+ work = &cpu_buffer->irq_work;
+ }
+
+- work->waiters_pending = true;
+ poll_wait(filp, &work->waiters, poll_table);
++ work->waiters_pending = true;
++ /*
++ * There's a tight race between setting the waiters_pending and
++ * checking if the ring buffer is empty. Once the waiters_pending bit
++ * is set, the next event will wake the task up, but we can get stuck
++ * if there's only a single event in.
++ *
++ * FIXME: Ideally, we need a memory barrier on the writer side as well,
++ * but adding a memory barrier to all events will cause too much of a
++ * performance hit in the fast path. We only need a memory barrier when
++ * the buffer goes from empty to having content. But as this race is
++ * extremely small, and it's not a problem if another event comes in, we
++ * will fix it later.
++ */
++ smp_mb();
+
+ if ((cpu == RING_BUFFER_ALL_CPUS && !ring_buffer_empty(buffer)) ||
+ (cpu != RING_BUFFER_ALL_CPUS && !ring_buffer_empty_cpu(buffer, cpu)))
+@@ -991,8 +1005,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer,
*
* We add a counter to the write field to denote this.
*/
@@ -91767,7 +92045,7 @@ index 0954450..0ed035c 100644
/*
* Just make sure we have seen our old_write and synchronize
-@@ -1020,8 +1020,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -1020,8 +1034,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer,
* cmpxchg to only update if an interrupt did not already
* do it for us. If the cmpxchg fails, we don't care.
*/
@@ -91778,7 +92056,7 @@ index 0954450..0ed035c 100644
/*
* No need to worry about races with clearing out the commit.
-@@ -1385,12 +1385,12 @@ static void rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer);
+@@ -1385,12 +1399,12 @@ static void rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer);
static inline unsigned long rb_page_entries(struct buffer_page *bpage)
{
@@ -91793,7 +92071,7 @@ index 0954450..0ed035c 100644
}
static int
-@@ -1485,7 +1485,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages)
+@@ -1485,7 +1499,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages)
* bytes consumed in ring buffer from here.
* Increment overrun to account for the lost events.
*/
@@ -91802,7 +92080,7 @@ index 0954450..0ed035c 100644
local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes);
}
-@@ -2063,7 +2063,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2063,7 +2077,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer,
* it is our responsibility to update
* the counters.
*/
@@ -91811,7 +92089,7 @@ index 0954450..0ed035c 100644
local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes);
/*
-@@ -2213,7 +2213,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2213,7 +2227,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
if (tail == BUF_PAGE_SIZE)
tail_page->real_end = 0;
@@ -91820,7 +92098,7 @@ index 0954450..0ed035c 100644
return;
}
-@@ -2248,7 +2248,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2248,7 +2262,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
rb_event_set_padding(event);
/* Set the write back to the previous setting */
@@ -91829,7 +92107,7 @@ index 0954450..0ed035c 100644
return;
}
-@@ -2260,7 +2260,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2260,7 +2274,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
/* Set write to end of buffer */
length = (tail + length) - BUF_PAGE_SIZE;
@@ -91838,7 +92116,7 @@ index 0954450..0ed035c 100644
}
/*
-@@ -2286,7 +2286,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2286,7 +2300,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
* about it.
*/
if (unlikely(next_page == commit_page)) {
@@ -91847,7 +92125,7 @@ index 0954450..0ed035c 100644
goto out_reset;
}
-@@ -2342,7 +2342,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2342,7 +2356,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
cpu_buffer->tail_page) &&
(cpu_buffer->commit_page ==
cpu_buffer->reader_page))) {
@@ -91856,7 +92134,7 @@ index 0954450..0ed035c 100644
goto out_reset;
}
}
-@@ -2390,7 +2390,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2390,7 +2404,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer,
length += RB_LEN_TIME_EXTEND;
tail_page = cpu_buffer->tail_page;
@@ -91865,7 +92143,7 @@ index 0954450..0ed035c 100644
/* set write to only the index of the write */
write &= RB_WRITE_MASK;
-@@ -2414,7 +2414,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2414,7 +2428,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer,
kmemcheck_annotate_bitfield(event, bitfield);
rb_update_event(cpu_buffer, event, length, add_timestamp, delta);
@@ -91874,7 +92152,7 @@ index 0954450..0ed035c 100644
/*
* If this is the first commit on the page, then update
-@@ -2447,7 +2447,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2447,7 +2461,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
if (bpage->page == (void *)addr && rb_page_write(bpage) == old_index) {
unsigned long write_mask =
@@ -91883,7 +92161,7 @@ index 0954450..0ed035c 100644
unsigned long event_length = rb_event_length(event);
/*
* This is on the tail page. It is possible that
-@@ -2457,7 +2457,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2457,7 +2471,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
*/
old_index += write_mask;
new_index += write_mask;
@@ -91892,7 +92170,7 @@ index 0954450..0ed035c 100644
if (index == old_index) {
/* update counters */
local_sub(event_length, &cpu_buffer->entries_bytes);
-@@ -2849,7 +2849,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2849,7 +2863,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
/* Do the likely case first */
if (likely(bpage->page == (void *)addr)) {
@@ -91901,7 +92179,7 @@ index 0954450..0ed035c 100644
return;
}
-@@ -2861,7 +2861,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2861,7 +2875,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
start = bpage;
do {
if (bpage->page == (void *)addr) {
@@ -91910,7 +92188,7 @@ index 0954450..0ed035c 100644
return;
}
rb_inc_page(cpu_buffer, &bpage);
-@@ -3145,7 +3145,7 @@ static inline unsigned long
+@@ -3145,7 +3159,7 @@ static inline unsigned long
rb_num_of_entries(struct ring_buffer_per_cpu *cpu_buffer)
{
return local_read(&cpu_buffer->entries) -
@@ -91919,7 +92197,7 @@ index 0954450..0ed035c 100644
}
/**
-@@ -3234,7 +3234,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu)
+@@ -3234,7 +3248,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu)
return 0;
cpu_buffer = buffer->buffers[cpu];
@@ -91928,7 +92206,7 @@ index 0954450..0ed035c 100644
return ret;
}
-@@ -3257,7 +3257,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu)
+@@ -3257,7 +3271,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu)
return 0;
cpu_buffer = buffer->buffers[cpu];
@@ -91937,7 +92215,7 @@ index 0954450..0ed035c 100644
return ret;
}
-@@ -3342,7 +3342,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer)
+@@ -3342,7 +3356,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer)
/* if you care about this being correct, lock the buffer */
for_each_buffer_cpu(buffer, cpu) {
cpu_buffer = buffer->buffers[cpu];
@@ -91946,7 +92224,7 @@ index 0954450..0ed035c 100644
}
return overruns;
-@@ -3518,8 +3518,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -3518,8 +3532,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
/*
* Reset the reader page to size zero.
*/
@@ -91957,7 +92235,7 @@ index 0954450..0ed035c 100644
local_set(&cpu_buffer->reader_page->page->commit, 0);
cpu_buffer->reader_page->real_end = 0;
-@@ -3553,7 +3553,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -3553,7 +3567,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
* want to compare with the last_overrun.
*/
smp_mb();
@@ -91966,7 +92244,7 @@ index 0954450..0ed035c 100644
/*
* Here's the tricky part.
-@@ -4123,8 +4123,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -4123,8 +4137,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
cpu_buffer->head_page
= list_entry(cpu_buffer->pages, struct buffer_page, list);
@@ -91977,7 +92255,7 @@ index 0954450..0ed035c 100644
local_set(&cpu_buffer->head_page->page->commit, 0);
cpu_buffer->head_page->read = 0;
-@@ -4134,14 +4134,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -4134,14 +4148,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
INIT_LIST_HEAD(&cpu_buffer->reader_page->list);
INIT_LIST_HEAD(&cpu_buffer->new_pages);
@@ -91996,7 +92274,7 @@ index 0954450..0ed035c 100644
local_set(&cpu_buffer->dropped_events, 0);
local_set(&cpu_buffer->entries, 0);
local_set(&cpu_buffer->committing, 0);
-@@ -4546,8 +4546,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer,
+@@ -4546,8 +4560,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer,
rb_init_page(bpage);
bpage = reader->page;
reader->page = *data_page;
@@ -92305,6 +92583,19 @@ index 48140e3..de854e5 100644
obj-$(CONFIG_DEBUG_OBJECTS) += debugobjects.o
ifneq ($(CONFIG_HAVE_DEC_LOCK),y)
+diff --git a/lib/assoc_array.c b/lib/assoc_array.c
+index c0b1007..ae146f0 100644
+--- a/lib/assoc_array.c
++++ b/lib/assoc_array.c
+@@ -1735,7 +1735,7 @@ ascend_old_tree:
+ gc_complete:
+ edit->set[0].to = new_root;
+ assoc_array_apply_edit(edit);
+- edit->array->nr_leaves_on_tree = nr_leaves_on_tree;
++ array->nr_leaves_on_tree = nr_leaves_on_tree;
+ return 0;
+
+ enomem:
diff --git a/lib/average.c b/lib/average.c
index 114d1be..ab0350c 100644
--- a/lib/average.c
@@ -96236,6 +96527,19 @@ index a2a54a8..43ecb68 100644
EXPORT_SYMBOL_GPL(pcpu_base_addr);
static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
+diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c
+index a8b9199..dfb79e0 100644
+--- a/mm/pgtable-generic.c
++++ b/mm/pgtable-generic.c
+@@ -195,7 +195,7 @@ void pmdp_invalidate(struct vm_area_struct *vma, unsigned long address,
+ pmd_t entry = *pmdp;
+ if (pmd_numa(entry))
+ entry = pmd_mknonnuma(entry);
+- set_pmd_at(vma->vm_mm, address, pmdp, pmd_mknotpresent(*pmdp));
++ set_pmd_at(vma->vm_mm, address, pmdp, pmd_mknotpresent(entry));
+ flush_tlb_range(vma, address, address + HPAGE_PMD_SIZE);
+ }
+ #endif /* CONFIG_TRANSPARENT_HUGEPAGE */
diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c
index fd26d04..0cea1b0 100644
--- a/mm/process_vm_access.c
@@ -97561,10 +97865,10 @@ index 4a7f7e6..22cddf5 100644
if (S_ISREG(inode->i_mode))
diff --git a/mm/util.c b/mm/util.c
-index a24aa22..a0d41ae 100644
+index c1010cb..91e1a36 100644
--- a/mm/util.c
+++ b/mm/util.c
-@@ -297,6 +297,12 @@ done:
+@@ -294,6 +294,12 @@ done:
void arch_pick_mmap_layout(struct mm_struct *mm)
{
mm->mmap_base = TASK_UNMAPPED_BASE;
@@ -100203,7 +100507,7 @@ index 11c8d81..d67116b 100644
static int raw_seq_show(struct seq_file *seq, void *v)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
-index ca5a01e..1f6f4e2 100644
+index ca5a01e..8c5cdb4 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -234,7 +234,7 @@ static const struct seq_operations rt_cache_seq_ops = {
@@ -100233,7 +100537,7 @@ index ca5a01e..1f6f4e2 100644
}
static const struct file_operations rt_acct_proc_fops = {
-@@ -465,7 +465,7 @@ static struct neighbour *ipv4_neigh_lookup(const struct dst_entry *dst,
+@@ -465,11 +465,11 @@ static struct neighbour *ipv4_neigh_lookup(const struct dst_entry *dst,
#define IP_IDENTS_SZ 2048u
struct ip_ident_bucket {
@@ -100242,6 +100546,11 @@ index ca5a01e..1f6f4e2 100644
u32 stamp32;
};
+-static struct ip_ident_bucket *ip_idents __read_mostly;
++static struct ip_ident_bucket ip_idents[IP_IDENTS_SZ] __read_mostly;
+
+ /* In order to protect privacy, we add a perturbation to identifiers
+ * if one generator is seldom used. This makes hard for an attacker
@@ -485,7 +485,7 @@ u32 ip_idents_reserve(u32 hash, int segs)
if (old != now && cmpxchg(&bucket->stamp32, old, now) == old)
delta = prandom_u32_max(now - old);
@@ -100305,6 +100614,19 @@ index ca5a01e..1f6f4e2 100644
get_random_bytes(&net->ipv4.dev_addr_genid,
sizeof(net->ipv4.dev_addr_genid));
return 0;
+@@ -2725,11 +2725,7 @@ int __init ip_rt_init(void)
+ {
+ int rc = 0;
+
+- ip_idents = kmalloc(IP_IDENTS_SZ * sizeof(*ip_idents), GFP_KERNEL);
+- if (!ip_idents)
+- panic("IP: failed to allocate ip_idents\n");
+-
+- prandom_bytes(ip_idents, IP_IDENTS_SZ * sizeof(*ip_idents));
++ prandom_bytes(ip_idents, sizeof(ip_idents));
+
+ #ifdef CONFIG_IP_ROUTE_CLASSID
+ ip_rt_acct = __alloc_percpu(256 * sizeof(struct ip_rt_acct), __alignof__(struct ip_rt_acct));
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 44eba05..b36864b 100644
--- a/net/ipv4/sysctl_net_ipv4.c
@@ -100773,7 +101095,7 @@ index e1a6393..f634ce5 100644
return -ENOMEM;
}
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
-index 6c7fa08..8a31430 100644
+index 6c7fa08..7c5abd70 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -598,7 +598,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb,
@@ -100828,7 +101150,21 @@ index 6c7fa08..8a31430 100644
for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {
idx = 0;
head = &net->dev_index_head[h];
-@@ -4758,7 +4765,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
+@@ -4746,11 +4753,8 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
+
+ rt = rt6_lookup(dev_net(dev), &ifp->peer_addr, NULL,
+ dev->ifindex, 1);
+- if (rt) {
+- dst_hold(&rt->dst);
+- if (ip6_del_rt(rt))
+- dst_free(&rt->dst);
+- }
++ if (rt && ip6_del_rt(rt))
++ dst_free(&rt->dst);
+ }
+ dst_hold(&ifp->rt->dst);
+
+@@ -4758,7 +4762,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
dst_free(&ifp->rt->dst);
break;
}
@@ -100837,7 +101173,7 @@ index 6c7fa08..8a31430 100644
rt_genid_bump_ipv6(net);
}
-@@ -4779,7 +4786,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write,
+@@ -4779,7 +4783,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write,
int *valp = ctl->data;
int val = *valp;
loff_t pos = *ppos;
@@ -100846,7 +101182,7 @@ index 6c7fa08..8a31430 100644
int ret;
/*
-@@ -4864,7 +4871,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write,
+@@ -4864,7 +4868,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write,
int *valp = ctl->data;
int val = *valp;
loff_t pos = *ppos;
@@ -101080,18 +101416,6 @@ index 767ab8d..c5ec70a 100644
err_alloc:
return -ENOMEM;
}
-diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
-index 798eb0f..ab2f47d 100644
---- a/net/ipv6/output_core.c
-+++ b/net/ipv6/output_core.c
-@@ -7,7 +7,6 @@
- #include <net/ip6_fib.h>
- #include <net/addrconf.h>
-
--
- int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
- {
- u16 offset = sizeof(struct ipv6hdr);
diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
index bda7429..469b26b 100644
--- a/net/ipv6/ping.c
@@ -103849,10 +104173,10 @@ index c1d124d..acfc59e 100644
goto err;
return 0;
diff --git a/net/sunrpc/xprtrdma/svc_rdma_transport.c b/net/sunrpc/xprtrdma/svc_rdma_transport.c
-index 62e4f9b..dd3f2d7 100644
+index ed36cb5..c55d17f 100644
--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c
-@@ -292,7 +292,7 @@ static void rq_cq_reap(struct svcxprt_rdma *xprt)
+@@ -293,7 +293,7 @@ static void rq_cq_reap(struct svcxprt_rdma *xprt)
return;
ib_req_notify_cq(xprt->sc_rq_cq, IB_CQ_NEXT_COMP);
@@ -103861,7 +104185,7 @@ index 62e4f9b..dd3f2d7 100644
while ((ret = ib_poll_cq(xprt->sc_rq_cq, 1, &wc)) > 0) {
ctxt = (struct svc_rdma_op_ctxt *)(unsigned long)wc.wr_id;
-@@ -314,7 +314,7 @@ static void rq_cq_reap(struct svcxprt_rdma *xprt)
+@@ -315,7 +315,7 @@ static void rq_cq_reap(struct svcxprt_rdma *xprt)
}
if (ctxt)
@@ -103870,7 +104194,7 @@ index 62e4f9b..dd3f2d7 100644
set_bit(XPT_DATA, &xprt->sc_xprt.xpt_flags);
/*
-@@ -386,7 +386,7 @@ static void sq_cq_reap(struct svcxprt_rdma *xprt)
+@@ -387,7 +387,7 @@ static void sq_cq_reap(struct svcxprt_rdma *xprt)
return;
ib_req_notify_cq(xprt->sc_sq_cq, IB_CQ_NEXT_COMP);
@@ -103879,7 +104203,7 @@ index 62e4f9b..dd3f2d7 100644
while ((ret = ib_poll_cq(cq, 1, &wc)) > 0) {
if (wc.status != IB_WC_SUCCESS)
/* Close the transport */
-@@ -404,7 +404,7 @@ static void sq_cq_reap(struct svcxprt_rdma *xprt)
+@@ -405,7 +405,7 @@ static void sq_cq_reap(struct svcxprt_rdma *xprt)
}
if (ctxt)
@@ -103888,7 +104212,7 @@ index 62e4f9b..dd3f2d7 100644
}
static void sq_comp_handler(struct ib_cq *cq, void *cq_context)
-@@ -1262,7 +1262,7 @@ int svc_rdma_send(struct svcxprt_rdma *xprt, struct ib_send_wr *wr)
+@@ -1263,7 +1263,7 @@ int svc_rdma_send(struct svcxprt_rdma *xprt, struct ib_send_wr *wr)
spin_lock_bh(&xprt->sc_lock);
if (xprt->sc_sq_depth < atomic_read(&xprt->sc_sq_count) + wr_count) {
spin_unlock_bh(&xprt->sc_lock);
diff --git a/main/linux-grsec/kernelconfig.x86 b/main/linux-grsec/kernelconfig.x86
index d0be256571..8549f8f62f 100644
--- a/main/linux-grsec/kernelconfig.x86
+++ b/main/linux-grsec/kernelconfig.x86
@@ -479,7 +479,10 @@ CONFIG_HZ=300
CONFIG_SCHED_HRTICK=y
# CONFIG_CRASH_DUMP is not set
CONFIG_PHYSICAL_START=0x1000000
-# CONFIG_RELOCATABLE is not set
+CONFIG_RELOCATABLE=y
+CONFIG_RANDOMIZE_BASE=y
+CONFIG_RANDOMIZE_BASE_MAX_OFFSET=0x40000000
+CONFIG_X86_NEED_RELOCS=y
CONFIG_PHYSICAL_ALIGN=0x1000000
CONFIG_HOTPLUG_CPU=y
# CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set
diff --git a/main/linux-grsec/kernelconfig.x86_64 b/main/linux-grsec/kernelconfig.x86_64
index ec7398ea36..cf26680281 100644
--- a/main/linux-grsec/kernelconfig.x86_64
+++ b/main/linux-grsec/kernelconfig.x86_64
@@ -471,7 +471,10 @@ CONFIG_HZ=300
CONFIG_SCHED_HRTICK=y
# CONFIG_CRASH_DUMP is not set
CONFIG_PHYSICAL_START=0x1000000
-# CONFIG_RELOCATABLE is not set
+CONFIG_RELOCATABLE=y
+CONFIG_RANDOMIZE_BASE=y
+CONFIG_RANDOMIZE_BASE_MAX_OFFSET=0x20000000
+CONFIG_X86_NEED_RELOCS=y
CONFIG_PHYSICAL_ALIGN=0x1000000
CONFIG_HOTPLUG_CPU=y
# CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set