author | Natanael Copa <ncopa@alpinelinux.org> | 2012-12-04 10:03:36 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2012-12-04 10:03:36 +0000 |
commit | 5b95861a7a8be2f706aa8839ce6bf26116fb6809 (patch) | |
tree | b4ca7af6b4f0ba6716900077a5ffc3f9331f68ec /main/linux-grsec | |
parent | 523350e71e9ae2453feb59d2a08eca33652eaef0 (diff) | |
download | aports-5b95861a7a8be2f706aa8839ce6bf26116fb6809.tar.bz2 aports-5b95861a7a8be2f706aa8839ce6bf26116fb6809.tar.xz |
main/linux-grsec: upgrade to 3.6.9 kernel
Diffstat (limited to 'main/linux-grsec')
-rw-r--r-- | main/linux-grsec/APKBUILD | 10 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.9.1-3.6.9-201212031851.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.6.8-201211261714.patch) | 996 |
2 files changed, 704 insertions, 302 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index 206149c61d..7d7453f728 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -2,9 +2,9 @@ _flavor=grsec pkgname=linux-${_flavor} -pkgver=3.6.8 +pkgver=3.6.9 _kernver=3.6 -pkgrel=1 +pkgrel=0 pkgdesc="Linux kernel with grsecurity" url=http://grsecurity.net depends="mkinitfs linux-firmware" @@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}} install= source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz - grsecurity-2.9.1-3.6.8-201211261714.patch + grsecurity-2.9.1-3.6.9-201212031851.patch 0004-arp-flush-arp-cache-on-device-change.patch @@ -139,8 +139,8 @@ dev() { } md5sums="1a1760420eac802c541a20ab51a093d1 linux-3.6.tar.xz -f248294551c34753c5c019c8d513280c patch-3.6.8.xz -0dbb7227ccf77f6e02772a5bd505b10d grsecurity-2.9.1-3.6.8-201211261714.patch +a7c656034599f90dcbc50895b69022aa patch-3.6.9.xz +f410ce5363d0681ba0d279eb3a5b1544 grsecurity-2.9.1-3.6.9-201212031851.patch 776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch 0b4abb6b3e32cc7ba656c24e30581349 kernelconfig.x86 ff85d700a38f78861ba04f0eddb26901 kernelconfig.x86_64" diff --git a/main/linux-grsec/grsecurity-2.9.1-3.6.8-201211261714.patch b/main/linux-grsec/grsecurity-2.9.1-3.6.9-201212031851.patch index 13615ed6dd..b057325d0f 100644 --- a/main/linux-grsec/grsecurity-2.9.1-3.6.8-201211261714.patch +++ b/main/linux-grsec/grsecurity-2.9.1-3.6.9-201212031851.patch @@ -251,7 +251,7 @@ index ad7e2e5..199f49e 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index c5cc2f0..6570abb 100644 +index 978af72..1121485 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ 
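Review bot: In the `md5sums` hunk of main/linux-grsec/APKBUILD (`@@ -139,8 +139,8 @@`), the new `patch-3.6.9.xz` entry is the only integrity check on a file that `source=` fetches over plain `http://ftp.kernel.org`. MD5 is not collision-resistant, so it is a weak pin for a kernel source download. If the abuild version in use accepts a stronger checksum array, I would add one alongside, for example `sha512sums="<sha512-of-patch-3.6.9.xz>  patch-3.6.9.xz"` (placeholder digest, one entry per source file), computed from a copy whose kernel.org signature was verified. The same applies to the unchanged `linux-3.6.tar.xz` entry; the grsecurity patch is committed to the tree itself, so its checksum matters less than those of the two downloaded files.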
@@ -3470,32 +3470,8 @@ index 5e34ccf..672bc9c 100644 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n", me->arch.unwind_section, table, end, gp); -diff --git a/arch/parisc/kernel/signal32.c b/arch/parisc/kernel/signal32.c -index fd49aed..5dede04 100644 ---- a/arch/parisc/kernel/signal32.c -+++ b/arch/parisc/kernel/signal32.c -@@ -65,7 +65,8 @@ put_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz) - { - compat_sigset_t s; - -- if (sz != sizeof *set) panic("put_sigset32()"); -+ if (sz != sizeof *set) -+ return -EINVAL; - sigset_64to32(&s, set); - - return copy_to_user(up, &s, sizeof s); -@@ -77,7 +78,8 @@ get_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz) - compat_sigset_t s; - int r; - -- if (sz != sizeof *set) panic("put_sigset32()"); -+ if (sz != sizeof *set) -+ return -EINVAL; - - if ((r = copy_from_user(&s, up, sz)) == 0) { - sigset_32to64(set, &s); diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c -index 7426e40..30c8dbe 100644 +index f76c108..8117482 100644 --- a/arch/parisc/kernel/sys_parisc.c +++ b/arch/parisc/kernel/sys_parisc.c @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(unsigned long addr, unsigned long len) @@ -3507,7 +3483,7 @@ index 7426e40..30c8dbe 100644 return addr; addr = vma->vm_end; } -@@ -79,7 +79,7 @@ static unsigned long get_shared_area(struct address_space *mapping, +@@ -81,7 +81,7 @@ static unsigned long get_shared_area(struct address_space *mapping, /* At this point: (!vma || addr < vma->vm_end). */ if (TASK_SIZE - len < addr) return -ENOMEM; @@ -3516,7 +3492,7 @@ index 7426e40..30c8dbe 100644 return addr; addr = DCACHE_ALIGN(vma->vm_end - offset) + offset; if (addr < vma->vm_end) /* handle wraparound */ -@@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -100,7 +100,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, if (flags & MAP_FIXED) return addr; if (!addr) 
@@ -7815,10 +7791,10 @@ index 8a84501..b2d165f 100644 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__ GCOV_PROFILE := n diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index b3e0227..f2c02d5 100644 +index 90201aa..be1de62 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c -@@ -142,7 +142,6 @@ again: +@@ -144,7 +144,6 @@ again: *addr = max_addr; } @@ -7826,7 +7802,7 @@ index b3e0227..f2c02d5 100644 efi_call_phys1(sys_table->boottime->free_pool, map); fail: -@@ -206,7 +205,6 @@ static efi_status_t low_alloc(unsigned long size, unsigned long align, +@@ -208,7 +207,6 @@ static efi_status_t low_alloc(unsigned long size, unsigned long align, if (i == map_size / desc_size) status = EFI_NOT_FOUND; @@ -10627,34 +10603,52 @@ index 75ce3f4..882e801 100644 #endif /* _ASM_X86_EMERGENCY_RESTART_H */ diff --git a/arch/x86/include/asm/fpu-internal.h b/arch/x86/include/asm/fpu-internal.h -index 75f4c6d..ee3eb8f 100644 +index 75f4c6d..9215c4a 100644 --- a/arch/x86/include/asm/fpu-internal.h 
+++ b/arch/x86/include/asm/fpu-internal.h -@@ -86,6 +86,11 @@ static inline int fxrstor_checking(struct i387_fxsave_struct *fx) +@@ -82,10 +82,12 @@ static inline void sanitize_i387_state(struct task_struct *tsk) + } + + #ifdef CONFIG_X86_64 +-static inline int fxrstor_checking(struct i387_fxsave_struct *fx) ++static inline int fxrstor_checking(struct i387_fxsave_struct __user *fx) { int err; -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE) -+ fx = (struct i387_fxsave_struct __user *)((void *)fx + PAX_USER_SHADOW_BASE); -+#endif ++ fx = (struct i387_fxsave_struct __user *)____m(fx); + /* See comment in fxsave() below. */ #ifdef CONFIG_AS_FXSAVEQ asm volatile("1: fxrstorq %[fx]\n\t" -@@ -115,6 +120,11 @@ static inline int fxsave_user(struct i387_fxsave_struct __user *fx) +@@ -115,6 +117,8 @@ static inline int fxsave_user(struct i387_fxsave_struct __user *fx) { int err; -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE) -+ fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE); -+#endif ++ fx = (struct i387_fxsave_struct __user *)____m(fx); + /* * Clear the bytes not touched by the fxsave and reserved * for the SW usage. -@@ -271,7 +281,7 @@ static inline int restore_fpu_checking(struct task_struct *tsk) +@@ -183,15 +187,15 @@ static inline void fpu_fxsave(struct fpu *fpu) + #else /* CONFIG_X86_32 */ + + /* perform fxrstor iff the processor has extended states, otherwise frstor */ +-static inline int fxrstor_checking(struct i387_fxsave_struct *fx) ++static inline int fxrstor_checking(struct i387_fxsave_struct __user *fx) + { + /* + * The "nop" is needed to make the instructions the same + * length. 
+ */ + alternative_input( +- "nop ; frstor %1", +- "fxrstor %1", ++ __copyuser_seg" frstor %1; nop", ++ __copyuser_seg" fxrstor %1", + X86_FEATURE_FXSR, + "m" (*fx)); + +@@ -271,7 +275,7 @@ static inline int restore_fpu_checking(struct task_struct *tsk) "emms\n\t" /* clear stack tags */ "fildl %P[addr]", /* set F?P to defined value */ X86_FEATURE_FXSAVE_LEAK, @@ -10663,11 +10657,35 @@ index 75f4c6d..ee3eb8f 100644 return fpu_restore_checking(&tsk->thread.fpu); } +@@ -334,14 +338,17 @@ static inline void __thread_fpu_begin(struct task_struct *tsk) + typedef struct { int preload; } fpu_switch_t; + + /* +- * FIXME! We could do a totally lazy restore, but we need to +- * add a per-cpu "this was the task that last touched the FPU +- * on this CPU" variable, and the task needs to have a "I last +- * touched the FPU on this CPU" and check them. ++ * Must be run with preemption disabled: this clears the fpu_owner_task, ++ * on this CPU. + * +- * We don't do that yet, so "fpu_lazy_restore()" always returns +- * false, but some day.. ++ * This will disable any lazy FPU state restore of the current FPU state, ++ * but if the current thread owns the FPU, it will still be saved by. + */ ++static inline void __cpu_disable_lazy_restore(unsigned int cpu) ++{ ++ per_cpu(fpu_owner_task, cpu) = NULL; ++} ++ + static inline int fpu_lazy_restore(struct task_struct *new, unsigned int cpu) + { + return new == this_cpu_read_stable(fpu_owner_task) && diff --git a/arch/x86/include/asm/futex.h b/arch/x86/include/asm/futex.h -index 71ecbcb..bac10b7 100644 +index 71ecbcb..11df950 100644 --- a/arch/x86/include/asm/futex.h +++ b/arch/x86/include/asm/futex.h -@@ -11,16 +11,18 @@ +@@ -11,20 +11,22 @@ #include <asm/processor.h> #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \ 
@@ -10687,6 +10705,11 @@ index 71ecbcb..bac10b7 100644 asm volatile("1:\tmovl %2, %0\n" \ "\tmovl\t%0, %3\n" \ "\t" insn "\n" \ +- "2:\t" LOCK_PREFIX "cmpxchgl %3, %2\n" \ ++ "2:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %2\n" \ + "\tjnz\t1b\n" \ + "3:\t.section .fixup,\"ax\"\n" \ + "4:\tmov\t%5, %1\n" \ @@ -33,7 +35,7 @@ _ASM_EXTABLE(1b, 4b) \ _ASM_EXTABLE(2b, 4b) \ @@ -12013,7 +12036,7 @@ index d048cad..45e350f 100644 #endif /* _ASM_X86_PROCESSOR_H */ diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h -index dcfde52..dbfea06 100644 +index 19f16eb..b50624b 100644 --- a/arch/x86/include/asm/ptrace.h +++ b/arch/x86/include/asm/ptrace.h @@ -155,28 +155,29 @@ static inline unsigned long regs_return_value(struct pt_regs *regs) @@ -13154,7 +13177,7 @@ index 576e39b..ccd0a39 100644 #endif /* _ASM_X86_UACCESS_32_H */ diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h -index d8def8b..ac7fc15 100644 +index d8def8b..6052b20 100644 --- a/arch/x86/include/asm/uaccess_64.h +++ b/arch/x86/include/asm/uaccess_64.h @@ -10,6 +10,9 @@ @@ -13185,7 +13208,7 @@ index d8def8b..ac7fc15 100644 copy_user_generic(void *to, const void *from, unsigned len) { unsigned ret; -@@ -41,142 +44,238 @@ copy_user_generic(void *to, const void *from, unsigned len) +@@ -41,142 +44,205 @@ copy_user_generic(void *to, const void *from, unsigned len) ASM_OUTPUT2("=a" (ret), "=D" (to), "=S" (from), "=d" (len)), "1" (to), "2" (from), "3" (len) @@ -13285,13 +13308,7 @@ index d8def8b..ac7fc15 100644 + + if (!__builtin_constant_p(size)) { + check_object_size(dst, size, false); -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if ((unsigned long)src < PAX_USER_SHADOW_BASE) -+ src += PAX_USER_SHADOW_BASE; -+#endif -+ -+ return copy_user_generic(dst, (__force_kernel const void *)src, size); ++ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size); + } switch (size) { - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src, 
@@ -13334,13 +13351,7 @@ index d8def8b..ac7fc15 100644 return ret; default: - return copy_user_generic(dst, (__force void *)src, size); -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if ((unsigned long)src < PAX_USER_SHADOW_BASE) -+ src += PAX_USER_SHADOW_BASE; -+#endif -+ -+ return copy_user_generic(dst, (__force_kernel const void *)src, size); ++ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size); } } @@ -13371,13 +13382,7 @@ index d8def8b..ac7fc15 100644 + + if (!__builtin_constant_p(size)) { + check_object_size(src, size, true); -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE) -+ dst += PAX_USER_SHADOW_BASE; -+#endif -+ -+ return copy_user_generic((__force_kernel void *)dst, src, size); ++ return copy_user_generic((__force_kernel void *)____m(dst), src, size); + } switch (size) { - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst, @@ -13420,13 +13425,7 @@ index d8def8b..ac7fc15 100644 return ret; default: - return copy_user_generic((__force void *)dst, src, size); -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE) -+ dst += PAX_USER_SHADOW_BASE; -+#endif -+ -+ return copy_user_generic((__force_kernel void *)dst, src, size); ++ return copy_user_generic((__force_kernel void *)____m(dst), src, size); } } @@ -13438,9 +13437,6 @@ index d8def8b..ac7fc15 100644 + unsigned ret = 0; might_fault(); -- if (!__builtin_constant_p(size)) -- return copy_user_generic((__force void *)dst, -- (__force void *)src, size); + + if (size > INT_MAX) + return size; 
@@ -13452,18 +13448,11 @@ index d8def8b..ac7fc15 100644 + return size; +#endif + -+ if (!__builtin_constant_p(size)) { -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if ((unsigned long)src < PAX_USER_SHADOW_BASE) -+ src += PAX_USER_SHADOW_BASE; -+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE) -+ dst += PAX_USER_SHADOW_BASE; -+#endif -+ -+ return copy_user_generic((__force_kernel void *)dst, -+ (__force_kernel const void *)src, size); -+ } + if (!__builtin_constant_p(size)) +- return copy_user_generic((__force void *)dst, +- (__force void *)src, size); ++ return copy_user_generic((__force_kernel void *)____m(dst), ++ (__force_kernel const void *)____m(src), size); switch (size) { case 1: { u8 tmp; @@ -13472,7 +13461,7 @@ index d8def8b..ac7fc15 100644 ret, "b", "b", "=q", 1); if (likely(!ret)) __put_user_asm(tmp, (u8 __user *)dst, -@@ -185,7 +284,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) +@@ -185,7 +251,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) } case 2: { u16 tmp; @@ -13481,7 +13470,7 @@ index d8def8b..ac7fc15 100644 ret, "w", "w", "=r", 2); if (likely(!ret)) __put_user_asm(tmp, (u16 __user *)dst, -@@ -195,7 +294,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) +@@ -195,7 +261,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) case 4: { u32 tmp; @@ -13490,7 +13479,7 @@ index d8def8b..ac7fc15 100644 ret, "l", "k", "=r", 4); if (likely(!ret)) __put_user_asm(tmp, (u32 __user *)dst, -@@ -204,7 +303,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) +@@ -204,7 +270,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) } case 8: { u64 tmp; 
@@ -13499,22 +13488,14 @@ index d8def8b..ac7fc15 100644 ret, "q", "", "=r", 8); if (likely(!ret)) __put_user_asm(tmp, (u64 __user *)dst, -@@ -212,44 +311,89 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) +@@ -212,44 +278,65 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) return ret; } default: - return copy_user_generic((__force void *)dst, - (__force void *)src, size); -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if ((unsigned long)src < PAX_USER_SHADOW_BASE) -+ src += PAX_USER_SHADOW_BASE; -+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE) -+ dst += PAX_USER_SHADOW_BASE; -+#endif -+ -+ return copy_user_generic((__force_kernel void *)dst, -+ (__force_kernel const void *)src, size); ++ return copy_user_generic((__force_kernel void *)____m(dst), ++ (__force_kernel const void *)____m(src), size); } } @@ -13531,15 +13512,7 @@ index d8def8b..ac7fc15 100644 + if (size > INT_MAX) + return size; + -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if (!__access_ok(VERIFY_READ, src, size)) -+ return size; -+ -+ if ((unsigned long)src < PAX_USER_SHADOW_BASE) -+ src += PAX_USER_SHADOW_BASE; -+#endif -+ -+ return copy_user_generic(dst, (__force_kernel const void *)src, size); ++ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size); } -static __must_check __always_inline int @@ -13551,15 +13524,7 @@ index d8def8b..ac7fc15 100644 + if (size > INT_MAX) + return size; + -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if (!__access_ok(VERIFY_WRITE, dst, size)) -+ return size; -+ -+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE) -+ dst += PAX_USER_SHADOW_BASE; -+#endif -+ -+ return copy_user_generic((__force_kernel void *)dst, src, size); ++ return copy_user_generic((__force_kernel void *)____m(dst), src, size); } -extern long __copy_user_nocache(void *dst, const void __user *src, @@ -13763,38 +13728,45 @@ index 38155f6..e4184ba 100644 extern struct x86_init_ops x86_init; extern struct x86_cpuinit_ops x86_cpuinit; 
diff --git a/arch/x86/include/asm/xsave.h b/arch/x86/include/asm/xsave.h -index 8a1b6f9..a29c4e4 100644 +index 8a1b6f9..d47ba6d 100644 --- a/arch/x86/include/asm/xsave.h 
+++ b/arch/x86/include/asm/xsave.h -@@ -65,6 +65,11 @@ static inline int xsave_user(struct xsave_struct __user *buf) +@@ -65,6 +65,8 @@ static inline int xsave_user(struct xsave_struct __user *buf) { int err; -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -+ if ((unsigned long)buf < PAX_USER_SHADOW_BASE) -+ buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE); -+#endif ++ buf = (struct xsave_struct __user *)____m(buf); + /* * Clear the xsave header first, so that reserved fields are * initialized to zero. -@@ -93,10 +98,15 @@ static inline int xsave_user(struct xsave_struct __user *buf) +@@ -74,7 +76,9 @@ static inline int xsave_user(struct xsave_struct __user *buf) + if (unlikely(err)) + return -EFAULT; + +- __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n" ++ __asm__ __volatile__("1:" ++ __copyuser_seg ++ ".byte " REX_PREFIX "0x0f,0xae,0x27\n" + "2:\n" + ".section .fixup,\"ax\"\n" + "3: movl $-1,%[err]\n" +@@ -93,11 +97,13 @@ static inline int xsave_user(struct xsave_struct __user *buf) static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask) { int err; - struct xsave_struct *xstate = ((__force struct xsave_struct *)buf); -+ struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)buf); ++ struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)____m(buf)); u32 lmask = mask; u32 hmask = mask >> 32; -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -+ if ((unsigned long)xstate < PAX_USER_SHADOW_BASE) -+ xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE); -+#endif -+ - __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n" +- __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n" ++ __asm__ __volatile__("1:" ++ __copyuser_seg ++ ".byte " REX_PREFIX "0x0f,0xae,0x2f\n" "2:\n" ".section .fixup,\"ax\"\n" + "3: movl $-1,%[err]\n" 
diff --git a/arch/x86/kernel/acpi/sleep.c b/arch/x86/kernel/acpi/sleep.c index 1b8e5a0..354fd59 100644 --- a/arch/x86/kernel/acpi/sleep.c @@ -14804,7 +14776,7 @@ index ae42418b..787c16b 100644 if (__die(str, regs, err)) diff --git a/arch/x86/kernel/dumpstack_32.c b/arch/x86/kernel/dumpstack_32.c -index 1038a41..ac7e5f6 100644 +index 1038a41..db2c12b 100644 --- a/arch/x86/kernel/dumpstack_32.c +++ b/arch/x86/kernel/dumpstack_32.c @@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs, @@ -14846,7 +14818,7 @@ index 1038a41..ac7e5f6 100644 unsigned int code_len = code_bytes; unsigned char c; u8 *ip; -+ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]); ++ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(0)[(0xffff & regs->cs) >> 3]); pr_emerg("Stack:\n"); show_stack_log_lvl(NULL, regs, ®s->sp, 0, KERN_EMERG); @@ -14896,7 +14868,7 @@ index 1038a41..ac7e5f6 100644 +EXPORT_SYMBOL(pax_check_alloca); +#endif diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c -index b653675..33190c0 100644 +index b653675..51cc8c0 100644 --- a/arch/x86/kernel/dumpstack_64.c +++ b/arch/x86/kernel/dumpstack_64.c @@ -119,9 +119,9 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs, @@ -14960,6 +14932,15 @@ index b653675..33190c0 100644 put_cpu(); } EXPORT_SYMBOL(dump_trace); +@@ -249,7 +253,7 @@ void show_regs(struct pt_regs *regs) + { + int i; + unsigned long sp; +- const int cpu = smp_processor_id(); ++ const int cpu = raw_smp_processor_id(); + struct task_struct *cur = current; + + sp = regs->sp; @@ -304,3 +308,50 @@ int is_valid_bugaddr(unsigned long ip) return ud2 == 0x0b0f; @@ -15831,7 +15812,7 @@ index 8f8e8ee..3617d6e 100644 /* diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index dcdd0ea..8f32835 100644 +index dcdd0ea..a520f76 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -57,6 +57,8 @@ 
@@ -16465,7 +16446,7 @@ index dcdd0ea..8f32835 100644 retint_restore_args: /* return to kernel space */ DISABLE_INTERRUPTS(CLBR_ANY) + pax_exit_kernel -+ pax_force_retaddr RIP-ARGOFFSET ++ pax_force_retaddr (RIP-ARGOFFSET) /* * The iretq could re-enable interrupts: */ @@ -18677,7 +18658,7 @@ index ef6a845..8028ed3 100644 +} +#endif diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c -index 516fa18..80bd9e6 100644 +index 516fa18..d3a7099 100644 --- a/arch/x86/kernel/process_32.c +++ b/arch/x86/kernel/process_32.c @@ -64,6 +64,7 @@ asmlinkage void ret_from_fork(void) __asm__("ret_from_fork"); @@ -18688,7 +18669,7 @@ index 516fa18..80bd9e6 100644 } void __show_regs(struct pt_regs *regs, int all) -@@ -73,15 +74,14 @@ void __show_regs(struct pt_regs *regs, int all) +@@ -73,21 +74,20 @@ void __show_regs(struct pt_regs *regs, int all) unsigned long sp; unsigned short ss, gs; @@ -18706,6 +18687,13 @@ index 516fa18..80bd9e6 100644 show_regs_common(); + printk(KERN_DEFAULT "EIP: %04x:[<%08lx>] EFLAGS: %08lx CPU: %d\n", + (u16)regs->cs, regs->ip, regs->flags, +- smp_processor_id()); ++ raw_smp_processor_id()); + print_symbol("EIP is at %s\n", regs->ip); + + printk(KERN_DEFAULT "EAX: %08lx EBX: %08lx ECX: %08lx EDX: %08lx\n", @@ -134,13 +134,14 @@ int copy_thread(unsigned long clone_flags, unsigned long sp, struct task_struct *tsk; int err; @@ -18826,10 +18814,29 @@ index 0a980c9..1d0e689 100644 ip = *(u64 *)(fp+8); if (!in_sched_functions(ip)) diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c -index c4c6a5c..905f440 100644 +index 9ee1787..33228a7 100644 --- a/arch/x86/kernel/ptrace.c 
+++ b/arch/x86/kernel/ptrace.c -@@ -824,7 +824,7 @@ long arch_ptrace(struct task_struct *child, long request, +@@ -182,14 +182,13 @@ unsigned long kernel_stack_pointer(struct pt_regs *regs) + { + unsigned long context = (unsigned long)regs & ~(THREAD_SIZE - 1); + unsigned long sp = (unsigned long)®s->sp; +- struct thread_info *tinfo; + +- if (context == (sp & ~(THREAD_SIZE - 1))) ++ if (context == ((sp + 8) & ~(THREAD_SIZE - 1))) + return sp; + +- tinfo = (struct thread_info *)context; +- if (tinfo->previous_esp) +- return tinfo->previous_esp; ++ sp = *(unsigned long *)context; ++ if (sp) ++ return sp; + + return (unsigned long)regs; + } +@@ -854,7 +853,7 @@ long arch_ptrace(struct task_struct *child, long request, unsigned long addr, unsigned long data) { int ret; @@ -18838,7 +18845,7 @@ index c4c6a5c..905f440 100644 switch (request) { /* read the word at location addr in the USER area. */ -@@ -909,14 +909,14 @@ long arch_ptrace(struct task_struct *child, long request, +@@ -939,14 +938,14 @@ long arch_ptrace(struct task_struct *child, long request, if ((int) addr < 0) return -EIO; ret = do_get_thread_area(child, addr, @@ -18855,7 +18862,7 @@ index c4c6a5c..905f440 100644 break; #endif -@@ -1426,7 +1426,7 @@ static void fill_sigtrap_info(struct task_struct *tsk, +@@ -1456,7 +1455,7 @@ static void fill_sigtrap_info(struct task_struct *tsk, memset(info, 0, sizeof(*info)); info->si_signo = SIGTRAP; info->si_code = si_code; @@ -18864,7 +18871,7 @@ index c4c6a5c..905f440 100644 } void user_single_step_siginfo(struct task_struct *tsk, -@@ -1455,6 +1455,10 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, +@@ -1485,6 +1484,10 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, # define IS_IA32 0 #endif 
@@ -18875,7 +18882,7 @@ index c4c6a5c..905f440 100644 /* * We must return the syscall number to actually look up in the table. * This can be -1L to skip running any syscall at all. -@@ -1463,6 +1467,11 @@ long syscall_trace_enter(struct pt_regs *regs) +@@ -1493,6 +1496,11 @@ long syscall_trace_enter(struct pt_regs *regs) { long ret = 0; @@ -18887,7 +18894,7 @@ index c4c6a5c..905f440 100644 /* * If we stepped into a sysenter/syscall insn, it trapped in * kernel mode; do_debug() cleared TF and set TIF_SINGLESTEP. -@@ -1511,6 +1520,11 @@ void syscall_trace_leave(struct pt_regs *regs) +@@ -1541,6 +1549,11 @@ void syscall_trace_leave(struct pt_regs *regs) { bool step; @@ -19245,10 +19252,19 @@ index b280908..6de349e 100644 if (err) diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c -index 7c5a8c3..88d422f 100644 +index 7c5a8c3..8a54a1a 100644 --- a/arch/x86/kernel/smpboot.c +++ b/arch/x86/kernel/smpboot.c -@@ -670,6 +670,7 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle) +@@ -68,6 +68,8 @@ + #include <asm/mwait.h> + #include <asm/apic.h> + #include <asm/io_apic.h> ++#include <asm/i387.h> ++#include <asm/fpu-internal.h> + #include <asm/setup.h> + #include <asm/uv/uv.h> + #include <linux/mc146818rtc.h> +@@ -670,6 +672,7 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle) idle->thread.sp = (unsigned long) (((struct pt_regs *) (THREAD_SIZE + task_stack_page(idle))) - 1); per_cpu(current_task, cpu) = idle; @@ -19256,7 +19272,7 @@ index 7c5a8c3..88d422f 100644 #ifdef CONFIG_X86_32 /* Stack for startup_32 can be just as for start_secondary onwards */ -@@ -677,11 +678,13 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle) +@@ -677,11 +680,13 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle) #else clear_tsk_thread_flag(idle, TIF_FORK); initial_gs = per_cpu_offset(cpu); 
@@ -19273,7 +19289,7 @@ index 7c5a8c3..88d422f 100644 initial_code = (unsigned long)start_secondary; stack_start = idle->thread.sp; -@@ -817,6 +820,12 @@ int __cpuinit native_cpu_up(unsigned int cpu, struct task_struct *tidle) +@@ -817,6 +822,15 @@ int __cpuinit native_cpu_up(unsigned int cpu, struct task_struct *tidle) per_cpu(cpu_state, cpu) = CPU_UP_PREPARE; @@ -19283,6 +19299,9 @@ index 7c5a8c3..88d422f 100644 + KERNEL_PGD_PTRS); +#endif + ++ /* the FPU context is blank, nobody can own it */ ++ __cpu_disable_lazy_restore(cpu); ++ err = do_boot_cpu(apicid, cpu, tidle); if (err) { pr_debug("do_boot_cpu failed %d\n", err); @@ -20383,7 +20402,7 @@ index 6020f6f..bedd6e3 100644 EXPORT_SYMBOL(copy_page); EXPORT_SYMBOL(clear_page); diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c -index 3d3e207..1a73ab2 100644 +index 3d3e207..316a7e0 100644 --- a/arch/x86/kernel/xsave.c +++ b/arch/x86/kernel/xsave.c @@ -132,7 +132,7 @@ int check_for_xstate(struct i387_fxsave_struct __user *buf, @@ -20400,19 +20419,20 @@ index 3d3e207..1a73ab2 100644 */ xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE); - return fxrstor_checking((__force struct i387_fxsave_struct *)buf); -+ return fxrstor_checking((struct i387_fxsave_struct __force_kernel *)buf); ++ return fxrstor_checking((struct i387_fxsave_struct __user *)buf); } /* -@@ -297,7 +297,7 @@ int restore_i387_xstate(void __user *buf) +@@ -297,8 +297,7 @@ int restore_i387_xstate(void __user *buf) if (use_xsave()) err = restore_user_xstate(buf); else - err = fxrstor_checking((__force struct i387_fxsave_struct *) -+ err = fxrstor_checking((struct i387_fxsave_struct __force_kernel *) - buf); +- buf); ++ err = fxrstor_checking((struct i387_fxsave_struct __user *)buf); if (unlikely(err)) { /* + * Encountered an error while doing the restore from the diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index 0595f13..b544fa3 100644 --- a/arch/x86/kvm/cpuid.c 
@@ -20464,22 +20484,8 @@ index 0595f13..b544fa3 100644 return 0; out: -diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h -index a10e460..58fc514 100644 ---- a/arch/x86/kvm/cpuid.h -+++ b/arch/x86/kvm/cpuid.h -@@ -24,6 +24,9 @@ static inline bool guest_cpuid_has_xsave(struct kvm_vcpu *vcpu) - { - struct kvm_cpuid_entry2 *best; - -+ if (!static_cpu_has(X86_FEATURE_XSAVE)) -+ return 0; -+ - best = kvm_find_cpuid_entry(vcpu, 1, 0); - return best && (best->ecx & bit(X86_FEATURE_XSAVE)); - } diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index a3b57a2..ebbe732 100644 +index a3b57a2..e8f3324 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -256,6 +256,7 @@ struct gprefix { @@ -20507,6 +20513,16 @@ index a3b57a2..ebbe732 100644 switch ((ctxt)->dst.bytes) { \ case 1: \ ____emulate_2op(ctxt,_op,_bx,_by,"b",u8); \ +@@ -390,8 +388,7 @@ struct gprefix { + _ASM_EXTABLE(1b, 3b) \ + : "=m" ((ctxt)->eflags), "=&r" (_tmp), \ + "+a" (*rax), "+d" (*rdx), "+qm"(_ex) \ +- : "i" (EFLAGS_MASK), "m" ((ctxt)->src.val), \ +- "a" (*rax), "d" (*rdx)); \ ++ : "i" (EFLAGS_MASK), "m" ((ctxt)->src.val)); \ + } while (0) + + /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */ diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c index ce87878..ab48aa3 100644 --- a/arch/x86/kvm/lapic.c @@ -20677,7 +20693,7 @@ index ff66a3b..48ad872 100644 vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 2966c84..9ac0c3c 100644 +index a201790..9ac0c3c 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -1379,8 +1379,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) 
@@ -20718,16 +20734,6 @@ index 2966c84..9ac0c3c 100644 { int r; struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque; -@@ -5762,6 +5764,9 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu, - int pending_vec, max_bits, idx; - struct desc_ptr dt; - -+ if (!guest_cpuid_has_xsave(vcpu) && (sregs->cr4 & X86_CR4_OSXSAVE)) -+ return -EINVAL; -+ - dt.size = sregs->idt.limit; - dt.address = sregs->idt.base; - kvm_x86_ops->set_idt(vcpu, &dt); diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c index 642d880..cc9ebac 100644 --- a/arch/x86/lguest/boot.c @@ -21847,36 +21853,24 @@ index 2419d5f..953ee51 100644 CFI_RESTORE_STATE diff --git a/arch/x86/lib/csum-wrappers_64.c b/arch/x86/lib/csum-wrappers_64.c -index 25b7ae8..3b52ccd 100644 +index 25b7ae8..169fafc 100644 --- a/arch/x86/lib/csum-wrappers_64.c 
+++ b/arch/x86/lib/csum-wrappers_64.c -@@ -52,7 +52,13 @@ csum_partial_copy_from_user(const void __user *src, void *dst, +@@ -52,7 +52,7 @@ csum_partial_copy_from_user(const void __user *src, void *dst, len -= 2; } } - isum = csum_partial_copy_generic((__force const void *)src, -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if ((unsigned long)src < PAX_USER_SHADOW_BASE) -+ src += PAX_USER_SHADOW_BASE; -+#endif -+ -+ isum = csum_partial_copy_generic((const void __force_kernel *)src, ++ isum = csum_partial_copy_generic((const void __force_kernel *)____m(src), dst, len, isum, errp, NULL); if (unlikely(*errp)) goto out_err; -@@ -105,7 +111,13 @@ csum_partial_copy_to_user(const void *src, void __user *dst, +@@ -105,7 +105,7 @@ csum_partial_copy_to_user(const void *src, void __user *dst, } *errp = 0; - return csum_partial_copy_generic(src, (void __force *)dst, -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE) -+ dst += PAX_USER_SHADOW_BASE; -+#endif -+ -+ return csum_partial_copy_generic(src, (void __force_kernel *)dst, ++ return csum_partial_copy_generic(src, (void __force_kernel *)____m(dst), len, isum, NULL, errp); } EXPORT_SYMBOL(csum_partial_copy_to_user); @@ -23576,23 +23570,19 @@ index 1781b2f..90368dd 100644 +EXPORT_SYMBOL(set_fs); +#endif diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c -index e5b130b..6690d31 100644 +index e5b130b..7d33980 100644 --- a/arch/x86/lib/usercopy_64.c 
+++ b/arch/x86/lib/usercopy_64.c -@@ -16,6 +16,12 @@ unsigned long __clear_user(void __user *addr, unsigned long size) - { - long __d0; - might_fault(); -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if ((unsigned long)addr < PAX_USER_SHADOW_BASE) -+ addr += PAX_USER_SHADOW_BASE; -+#endif -+ - /* no memory constraint because it doesn't change any memory gcc knows - about */ - asm volatile( -@@ -52,12 +58,20 @@ unsigned long clear_user(void __user *to, unsigned long n) +@@ -38,7 +38,7 @@ unsigned long __clear_user(void __user *addr, unsigned long size) + _ASM_EXTABLE(0b,3b) + _ASM_EXTABLE(1b,2b) + : [size8] "=&c"(size), [dst] "=&D" (__d0) +- : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(addr), ++ : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(____m(addr)), + [zero] "r" (0UL), [eight] "r" (8UL)); + return size; + } +@@ -52,12 +52,11 @@ unsigned long clear_user(void __user *to, unsigned long n) } EXPORT_SYMBOL(clear_user); @@ -23603,22 +23593,13 @@ index e5b130b..6690d31 100644 - return copy_user_generic((__force void *)to, (__force void *)from, len); - } - return len; -+ if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) { -+ -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if ((unsigned long)to < PAX_USER_SHADOW_BASE) -+ to += PAX_USER_SHADOW_BASE; -+ if ((unsigned long)from < PAX_USER_SHADOW_BASE) -+ from += PAX_USER_SHADOW_BASE; -+#endif -+ -+ return copy_user_generic((void __force_kernel *)to, (void __force_kernel *)from, len); -+ } ++ if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) ++ return copy_user_generic((void __force_kernel *)____m(to), (void __force_kernel *)____m(from), len); + return len; } EXPORT_SYMBOL(copy_in_user); -@@ -67,7 +81,7 @@ EXPORT_SYMBOL(copy_in_user); +@@ -67,7 +66,7 @@ EXPORT_SYMBOL(copy_in_user); * it is not necessary to optimize tail handling. */ unsigned long 
@@ -23627,7 +23608,7 @@ index e5b130b..6690d31 100644 { char c; unsigned zero_len; -@@ -84,3 +98,15 @@ copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest) +@@ -84,3 +83,15 @@ copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest) break; return len; } @@ -33847,7 +33828,7 @@ index 693e149..b7e0fde 100644 pmd->bl_info.value_type.inc = data_block_inc; pmd->bl_info.value_type.dec = data_block_dec; diff --git a/drivers/md/dm.c b/drivers/md/dm.c -index 67ffa39..cb3b1dd 100644 +index 4256200..154b975 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -176,9 +176,9 @@ struct mapped_device { @@ -33862,7 +33843,7 @@ index 67ffa39..cb3b1dd 100644 struct list_head uevent_list; spinlock_t uevent_lock; /* Protect access to uevent_list */ -@@ -1887,8 +1887,8 @@ static struct mapped_device *alloc_dev(int minor) +@@ -1893,8 +1893,8 @@ static struct mapped_device *alloc_dev(int minor) rwlock_init(&md->map_lock); atomic_set(&md->holders, 1); atomic_set(&md->open_count, 0); @@ -33873,7 +33854,7 @@ index 67ffa39..cb3b1dd 100644 INIT_LIST_HEAD(&md->uevent_list); spin_lock_init(&md->uevent_lock); -@@ -2022,7 +2022,7 @@ static void event_callback(void *context) +@@ -2028,7 +2028,7 @@ static void event_callback(void *context) dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj); @@ -33882,7 +33863,7 @@ index 67ffa39..cb3b1dd 100644 wake_up(&md->eventq); } -@@ -2677,18 +2677,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, +@@ -2683,18 +2683,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, uint32_t dm_next_uevent_seq(struct mapped_device *md) { @@ -33905,7 +33886,7 @@ index 67ffa39..cb3b1dd 100644 void dm_uevent_add(struct mapped_device *md, struct list_head *elist) diff --git a/drivers/md/md.c b/drivers/md/md.c -index 308e87b..7f365d6 100644 +index c7b000f..15a8b22 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -277,10 +277,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio); 
@@ -34103,10 +34084,10 @@ index 05bb49e..84d7ce6 100644 "md/raid1:%s: read error corrected " "(%d sectors at %llu on %s)\n", diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index a48c215..6bda6f4 100644 +index c52d893..69c5d80 100644 --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c -@@ -1810,7 +1810,7 @@ static void end_sync_read(struct bio *bio, int error) +@@ -1814,7 +1814,7 @@ static void end_sync_read(struct bio *bio, int error) /* The write handler will notice the lack of * R10BIO_Uptodate and record any errors etc */ @@ -34115,7 +34096,7 @@ index a48c215..6bda6f4 100644 &conf->mirrors[d].rdev->corrected_errors); /* for reconstruct, we always reschedule after a read. -@@ -2159,7 +2159,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) +@@ -2163,7 +2163,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) { struct timespec cur_time_mon; unsigned long hours_since_last; @@ -34124,7 +34105,7 @@ index a48c215..6bda6f4 100644 ktime_get_ts(&cur_time_mon); -@@ -2181,9 +2181,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) +@@ -2185,9 +2185,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) * overflowing the shift of read_errors by hours_since_last. */ if (hours_since_last >= 8 * sizeof(read_errors)) @@ -34136,7 +34117,7 @@ index a48c215..6bda6f4 100644 } static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector, -@@ -2237,8 +2237,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 +@@ -2241,8 +2241,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 return; check_decay_read_errors(mddev, rdev); 
@@ -34147,7 +34128,7 @@ index a48c215..6bda6f4 100644 char b[BDEVNAME_SIZE]; bdevname(rdev->bdev, b); -@@ -2246,7 +2246,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 +@@ -2250,7 +2250,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 "md/raid10:%s: %s: Raid device exceeded " "read_error threshold [cur %d:max %d]\n", mdname(mddev), b, @@ -34156,7 +34137,7 @@ index a48c215..6bda6f4 100644 printk(KERN_NOTICE "md/raid10:%s: %s: Failing raid device\n", mdname(mddev), b); -@@ -2401,7 +2401,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 +@@ -2405,7 +2405,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 sect + choose_data_offset(r10_bio, rdev)), bdevname(rdev->bdev, b)); @@ -35467,10 +35448,10 @@ index 3456d56..b688d81 100644 /* grab the ptp lock */ diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h -index 400f86a..7f2e062 100644 +index 0722f33..771758a 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h -@@ -2799,6 +2799,7 @@ struct ixgbe_eeprom_operations { +@@ -2800,6 +2800,7 @@ struct ixgbe_eeprom_operations { s32 (*update_checksum)(struct ixgbe_hw *); u16 (*calc_checksum)(struct ixgbe_hw *); }; @@ -35478,7 +35459,7 @@ index 400f86a..7f2e062 100644 struct ixgbe_mac_operations { s32 (*init_hw)(struct ixgbe_hw *); -@@ -2865,6 +2866,7 @@ struct ixgbe_mac_operations { +@@ -2866,6 +2867,7 @@ struct ixgbe_mac_operations { s32 (*get_thermal_sensor_data)(struct ixgbe_hw *); s32 (*init_thermal_sensor_thresh)(struct ixgbe_hw *hw); }; 
@@ -35486,7 +35467,7 @@ index 400f86a..7f2e062 100644 struct ixgbe_phy_operations { s32 (*identify)(struct ixgbe_hw *); -@@ -2884,9 +2886,10 @@ struct ixgbe_phy_operations { +@@ -2885,9 +2887,10 @@ struct ixgbe_phy_operations { s32 (*write_i2c_eeprom)(struct ixgbe_hw *, u8, u8); s32 (*check_overtemp)(struct ixgbe_hw *); }; @@ -35498,7 +35479,7 @@ index 400f86a..7f2e062 100644 enum ixgbe_eeprom_type type; u32 semaphore_delay; u16 word_size; -@@ -2896,7 +2899,7 @@ struct ixgbe_eeprom_info { +@@ -2897,7 +2900,7 @@ struct ixgbe_eeprom_info { #define IXGBE_FLAGS_DOUBLE_RESET_REQUIRED 0x01 struct ixgbe_mac_info { @@ -35507,7 +35488,7 @@ index 400f86a..7f2e062 100644 enum ixgbe_mac_type type; u8 addr[ETH_ALEN]; u8 perm_addr[ETH_ALEN]; -@@ -2926,7 +2929,7 @@ struct ixgbe_mac_info { +@@ -2927,7 +2930,7 @@ struct ixgbe_mac_info { }; struct ixgbe_phy_info { @@ -35516,7 +35497,7 @@ index 400f86a..7f2e062 100644 struct mdio_if_info mdio; enum ixgbe_phy_type type; u32 id; -@@ -2954,6 +2957,7 @@ struct ixgbe_mbx_operations { +@@ -2955,6 +2958,7 @@ struct ixgbe_mbx_operations { s32 (*check_for_ack)(struct ixgbe_hw *, u16); s32 (*check_for_rst)(struct ixgbe_hw *, u16); }; @@ -35524,7 +35505,7 @@ index 400f86a..7f2e062 100644 struct ixgbe_mbx_stats { u32 msgs_tx; -@@ -2965,7 +2969,7 @@ struct ixgbe_mbx_stats { +@@ -2966,7 +2970,7 @@ struct ixgbe_mbx_stats { }; struct ixgbe_mbx_info { @@ -35571,6 +35552,19 @@ index 25c951d..cc7cf33 100644 struct ixgbe_mbx_stats stats; u32 timeout; u32 udelay; +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c b/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c +index 5d367958..b799ab12 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c +@@ -237,7 +237,7 @@ static int mlx4_en_dcbnl_ieee_setmaxrate(struct net_device *dev, + if (err) + return err; + +- memcpy(priv->maxrate, tmp, sizeof(*priv->maxrate)); ++ memcpy(priv->maxrate, tmp, sizeof(priv->maxrate)); + + return 0; + } 
diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.h b/drivers/net/ethernet/neterion/vxge/vxge-config.h index 9e0c1ee..8471f77 100644 --- a/drivers/net/ethernet/neterion/vxge/vxge-config.h 
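Review bot: In the added mlx4 en_dcb_nl.c change, `sizeof(priv->maxrate)` copies the whole rate table only if `maxrate` is declared as an array member. Neither its declaration nor that of `tmp` is in the hunk. If the two objects differ in size, the memcpy reads past `tmp` or leaves part of `priv->maxrate` stale. I would pin the assumption next to the copy with `BUILD_BUG_ON(sizeof(tmp) != sizeof(priv->maxrate));`. The body of mlx4_en_dcbnl_ieee_setmaxrate starts outside the hunk.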
@@ -39576,6 +39570,54 @@ index 3440812..2a4ef1f 100644 if (file->f_version != event_count) { file->f_version = event_count; return POLLIN | POLLRDNORM; +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c +index 75ba209..08bf89e 100644 +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -1478,7 +1478,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags) + */ + usb_get_urb(urb); + atomic_inc(&urb->use_count); +- atomic_inc(&urb->dev->urbnum); ++ atomic_inc_unchecked(&urb->dev->urbnum); + usbmon_urb_submit(&hcd->self, urb); + + /* NOTE requirements on root-hub callers (usbfs and the hub +@@ -1505,7 +1505,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags) + urb->hcpriv = NULL; + INIT_LIST_HEAD(&urb->urb_list); + atomic_dec(&urb->use_count); +- atomic_dec(&urb->dev->urbnum); ++ atomic_dec_unchecked(&urb->dev->urbnum); + if (atomic_read(&urb->reject)) + wake_up(&usb_kill_urb_queue); + usb_put_urb(urb); +diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c +index 682e825..06d4f69 100644 +--- a/drivers/usb/core/sysfs.c ++++ b/drivers/usb/core/sysfs.c +@@ -226,7 +226,7 @@ show_urbnum(struct device *dev, struct device_attribute *attr, char *buf) + struct usb_device *udev; + + udev = to_usb_device(dev); +- return sprintf(buf, "%d\n", atomic_read(&udev->urbnum)); ++ return sprintf(buf, "%d\n", atomic_read_unchecked(&udev->urbnum)); + } + static DEVICE_ATTR(urbnum, S_IRUGO, show_urbnum, NULL); + +diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c +index cd8fb44..17fbe0c 100644 +--- a/drivers/usb/core/usb.c ++++ b/drivers/usb/core/usb.c +@@ -397,7 +397,7 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent, + set_dev_node(&dev->dev, dev_to_node(bus->controller)); + dev->state = USB_STATE_ATTACHED; + dev->lpm_disable_count = 1; +- atomic_set(&dev->urbnum, 0); ++ atomic_set_unchecked(&dev->urbnum, 0); + + INIT_LIST_HEAD(&dev->ep0.urb_list); + dev->ep0.desc.bLength = USB_DT_ENDPOINT_SIZE; 
diff --git a/drivers/usb/early/ehci-dbgp.c b/drivers/usb/early/ehci-dbgp.c index 89dcf15..481800b 100644 --- a/drivers/usb/early/ehci-dbgp.c @@ -39769,7 +39811,7 @@ index 57c01ab..8a05959 100644 /* diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c -index ef82a0d..da8a0b3 100644 +index ef82a0d..78a026b 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -634,7 +634,7 @@ static long vhost_set_memory(struct vhost_dev *d, struct vhost_memory __user *m) @@ -39781,6 +39823,15 @@ index ef82a0d..da8a0b3 100644 { struct file *eventfp, *filep = NULL, *pollstart = NULL, *pollstop = NULL; +@@ -1076,7 +1076,7 @@ static int translate_desc(struct vhost_dev *dev, u64 addr, u32 len, + } + _iov = iov + ret; + size = reg->memory_size - addr + reg->guest_phys_addr; +- _iov->iov_len = min((u64)len, size); ++ _iov->iov_len = min((u64)len - s, size); + _iov->iov_base = (void __user *)(unsigned long) + (reg->userspace_addr + addr - reg->guest_phys_addr); + s += size; diff --git a/drivers/video/aty/aty128fb.c b/drivers/video/aty/aty128fb.c index 747442d..7c0c434 100644 --- a/drivers/video/aty/aty128fb.c @@ -44633,6 +44684,29 @@ index ce41fee..ac0d27a 100644 #endif /* CONFIG_CIFS_STATS2 */ } +diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c +index d87f826..1bab9d4 100644 +--- a/fs/cifs/readdir.c ++++ b/fs/cifs/readdir.c +@@ -86,14 +86,17 @@ cifs_readdir_lookup(struct dentry *parent, struct qstr *name, + + dentry = d_lookup(parent, name); + if (dentry) { ++ int err; + inode = dentry->d_inode; + /* update inode in place if i_ino didn't change */ + if (inode && CIFS_I(inode)->uniqueid == fattr->cf_uniqueid) { + cifs_fattr_to_inode(inode, fattr); + return dentry; + } +- d_drop(dentry); ++ err = d_invalidate(dentry); + dput(dentry); ++ if (err) ++ return NULL; + } + + dentry = d_alloc(parent, name); diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c index 3129ac7..cc4a948 100644 --- a/fs/cifs/smb1ops.c 
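Review bot: In translate_desc the new `min((u64)len - s, size)` is an unsigned subtraction that is only safe while `s` is smaller than `len`, and nothing near the line says where that guarantee comes from. It is presumably the loop condition, which lies outside the hunk. The statement `s += size` a few lines later still advances by the full remainder of the region rather than by the length just stored, so `s` can end up above `len` once the last fragment is written. A comment on the changed line would make this checkable, e.g. `/* s < len here (loop condition); len - s is the part of the descriptor not yet translated */`.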
@@ -47896,10 +47970,10 @@ index 8349a89..51a0254 100644 static int can_do_hugetlb_shm(void) { diff --git a/fs/inode.c b/fs/inode.c -index ac8d904..9f45d40 100644 +index 7c14897..d40169e 100644 --- a/fs/inode.c +++ b/fs/inode.c -@@ -867,8 +867,8 @@ unsigned int get_next_ino(void) +@@ -880,8 +880,8 @@ unsigned int get_next_ino(void) #ifdef CONFIG_SMP if (unlikely((res & (LAST_INO_BATCH-1)) == 0)) { @@ -48023,7 +48097,7 @@ index 7e81bfc..c3649aa 100644 lock_flocks(); diff --git a/fs/namei.c b/fs/namei.c -index 091c4b7..fbcb268 100644 +index 091c4b7..eb220a4 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -265,16 +265,32 @@ int generic_permission(struct inode *inode, int mask) @@ -48164,7 +48238,19 @@ index 091c4b7..fbcb268 100644 if (unlikely(!audit_dummy_context())) { if (nd->path.dentry && nd->inode) audit_inode(name, nd->path.dentry); -@@ -2336,6 +2378,13 @@ static int may_open(struct path *path, int acc_mode, int flag) +@@ -2076,6 +2118,11 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len) + if (!len) + return ERR_PTR(-EACCES); + ++ if (unlikely(name[0] == '.')) { ++ if (len < 2 || (len == 2 && name[1] == '.')) ++ return ERR_PTR(-EACCES); ++ } ++ + while (len--) { + c = *(const unsigned char *)name++; + if (c == '/' || c == '\0') +@@ -2336,6 +2383,13 @@ static int may_open(struct path *path, int acc_mode, int flag) if (flag & O_NOATIME && !inode_owner_or_capable(inode)) return -EPERM; @@ -48178,7 +48264,7 @@ index 091c4b7..fbcb268 100644 return 0; } -@@ -2557,7 +2606,7 @@ looked_up: +@@ -2557,7 +2611,7 @@ looked_up: * cleared otherwise prior to returning. */ static int lookup_open(struct nameidata *nd, struct path *path, 
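Review bot: The check added to lookup_one_len rejects the names "." and ".." but carries no comment, and its `len < 2` test is only meaningful because the zero-length case already returned on the lines above. A reader has to work out that it means a lone "." and that `name[1]` is read only when `len` is 2. I would document it in place with `/* reject "." and ".."; len == 0 was handled above, so len < 2 means a lone "." */`. The rest of the function, including the per-character loop that follows, is only partly inside the hunk.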
@@ -48187,7 +48273,7 @@ index 091c4b7..fbcb268 100644 const struct open_flags *op, bool got_write, int *opened) { -@@ -2592,6 +2641,17 @@ static int lookup_open(struct nameidata *nd, struct path *path, +@@ -2592,6 +2646,17 @@ static int lookup_open(struct nameidata *nd, struct path *path, /* Negative dentry, just create the file */ if (!dentry->d_inode && (op->open_flag & O_CREAT)) { umode_t mode = op->mode; @@ -48205,7 +48291,7 @@ index 091c4b7..fbcb268 100644 if (!IS_POSIXACL(dir->d_inode)) mode &= ~current_umask(); /* -@@ -2613,6 +2673,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, +@@ -2613,6 +2678,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, nd->flags & LOOKUP_EXCL); if (error) goto out_dput; @@ -48214,7 +48300,7 @@ index 091c4b7..fbcb268 100644 } out_no_open: path->dentry = dentry; -@@ -2627,7 +2689,7 @@ out_dput: +@@ -2627,7 +2694,7 @@ out_dput: /* * Handle the last step of open() */ @@ -48223,7 +48309,7 @@ index 091c4b7..fbcb268 100644 struct file *file, const struct open_flags *op, int *opened, const char *pathname) { -@@ -2656,16 +2718,44 @@ static int do_last(struct nameidata *nd, struct path *path, +@@ -2656,16 +2723,44 @@ static int do_last(struct nameidata *nd, struct path *path, error = complete_walk(nd); if (error) return error; @@ -48268,7 +48354,7 @@ index 091c4b7..fbcb268 100644 audit_inode(pathname, dir); goto finish_open; } -@@ -2714,7 +2804,7 @@ retry_lookup: +@@ -2714,7 +2809,7 @@ retry_lookup: */ } mutex_lock(&dir->d_inode->i_mutex); @@ -48277,7 +48363,7 @@ index 091c4b7..fbcb268 100644 mutex_unlock(&dir->d_inode->i_mutex); if (error <= 0) { -@@ -2738,11 +2828,28 @@ retry_lookup: +@@ -2738,11 +2833,28 @@ retry_lookup: goto finish_open_created; } @@ -48307,7 +48393,7 @@ index 091c4b7..fbcb268 100644 /* * If atomic_open() acquired write access it is dropped now due to -@@ -2783,6 +2890,11 @@ finish_lookup: +@@ -2783,6 +2895,11 @@ finish_lookup: } } BUG_ON(inode != path->dentry->d_inode); 
@@ -48319,7 +48405,7 @@ index 091c4b7..fbcb268 100644 return 1; } -@@ -2792,7 +2904,6 @@ finish_lookup: +@@ -2792,7 +2909,6 @@ finish_lookup: save_parent.dentry = nd->path.dentry; save_parent.mnt = mntget(path->mnt); nd->path.dentry = path->dentry; @@ -48327,7 +48413,7 @@ index 091c4b7..fbcb268 100644 } nd->inode = inode; /* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */ -@@ -2801,6 +2912,22 @@ finish_lookup: +@@ -2801,6 +2917,22 @@ finish_lookup: path_put(&save_parent); return error; } @@ -48350,7 +48436,7 @@ index 091c4b7..fbcb268 100644 error = -EISDIR; if ((open_flag & O_CREAT) && S_ISDIR(nd->inode->i_mode)) goto out; -@@ -2899,7 +3026,7 @@ static struct file *path_openat(int dfd, const char *pathname, +@@ -2899,7 +3031,7 @@ static struct file *path_openat(int dfd, const char *pathname, if (unlikely(error)) goto out; @@ -48359,7 +48445,7 @@ index 091c4b7..fbcb268 100644 while (unlikely(error > 0)) { /* trailing symlink */ struct path link = path; void *cookie; -@@ -2917,7 +3044,7 @@ static struct file *path_openat(int dfd, const char *pathname, +@@ -2917,7 +3049,7 @@ static struct file *path_openat(int dfd, const char *pathname, error = follow_link(&link, nd, &cookie); if (unlikely(error)) break; @@ -48368,7 +48454,7 @@ index 091c4b7..fbcb268 100644 put_link(nd, &link, cookie); } out: -@@ -3006,8 +3133,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path +@@ -3006,8 +3138,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path goto unlock; error = -EEXIST; @@ -48382,7 +48468,7 @@ index 091c4b7..fbcb268 100644 /* * Special case - lookup gave negative, but... we had foo/bar/ * From the vfs_mknod() POV we just have a negative dentry - -@@ -3058,6 +3189,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat +@@ -3058,6 +3194,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat } EXPORT_SYMBOL(user_path_create); 
@@ -48403,7 +48489,7 @@ index 091c4b7..fbcb268 100644 int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) { int error = may_create(dir, dentry); -@@ -3119,6 +3264,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode, +@@ -3119,6 +3269,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode, if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); @@ -48421,7 +48507,7 @@ index 091c4b7..fbcb268 100644 error = security_path_mknod(&path, dentry, mode, dev); if (error) goto out; -@@ -3135,6 +3291,8 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode, +@@ -3135,6 +3296,8 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode, break; } out: @@ -48430,7 +48516,7 @@ index 091c4b7..fbcb268 100644 done_path_create(&path, dentry); return error; } -@@ -3181,9 +3339,18 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, umode_t, mode) +@@ -3181,9 +3344,18 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, umode_t, mode) if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); @@ -48449,7 +48535,7 @@ index 091c4b7..fbcb268 100644 done_path_create(&path, dentry); return error; } -@@ -3260,6 +3427,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -3260,6 +3432,8 @@ static long do_rmdir(int dfd, const char __user *pathname) char * name; struct dentry *dentry; struct nameidata nd; @@ -48458,7 +48544,7 @@ index 091c4b7..fbcb268 100644 error = user_path_parent(dfd, pathname, &nd, &name); if (error) -@@ -3291,10 +3460,21 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -3291,10 +3465,21 @@ static long do_rmdir(int dfd, const char __user *pathname) error = -ENOENT; goto exit3; } 
@@ -48480,7 +48566,7 @@ index 091c4b7..fbcb268 100644 exit3: dput(dentry); exit2: -@@ -3356,6 +3536,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -3356,6 +3541,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) struct dentry *dentry; struct nameidata nd; struct inode *inode = NULL; @@ -48489,7 +48575,7 @@ index 091c4b7..fbcb268 100644 error = user_path_parent(dfd, pathname, &nd, &name); if (error) -@@ -3381,10 +3563,22 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -3381,10 +3568,22 @@ static long do_unlinkat(int dfd, const char __user *pathname) if (!inode) goto slashes; ihold(inode); @@ -48512,7 +48598,7 @@ index 091c4b7..fbcb268 100644 exit2: dput(dentry); } -@@ -3456,9 +3650,17 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, +@@ -3456,9 +3655,17 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, if (IS_ERR(dentry)) goto out_putname; @@ -48530,7 +48616,7 @@ index 091c4b7..fbcb268 100644 done_path_create(&path, dentry); out_putname: putname(from); -@@ -3528,6 +3730,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -3528,6 +3735,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, { struct dentry *new_dentry; struct path old_path, new_path; @@ -48538,7 +48624,7 @@ index 091c4b7..fbcb268 100644 int how = 0; int error; -@@ -3551,7 +3754,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -3551,7 +3759,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, if (error) return error; @@ -48547,7 +48633,7 @@ index 091c4b7..fbcb268 100644 error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) goto out; -@@ -3562,11 +3765,28 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -3562,11 +3770,28 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, error = may_linkat(&old_path); if (unlikely(error)) goto out_dput; 
@@ -48576,7 +48662,7 @@ index 091c4b7..fbcb268 100644 done_path_create(&new_path, new_dentry); out: path_put(&old_path); -@@ -3802,12 +4022,21 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, +@@ -3802,12 +4027,21 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, if (new_dentry == trap) goto exit5; @@ -48598,7 +48684,7 @@ index 091c4b7..fbcb268 100644 exit5: dput(new_dentry); exit4: -@@ -3832,6 +4061,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna +@@ -3832,6 +4066,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link) { @@ -48607,7 +48693,7 @@ index 091c4b7..fbcb268 100644 int len; len = PTR_ERR(link); -@@ -3841,7 +4072,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c +@@ -3841,7 +4077,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c len = strlen(link); if (len > (unsigned) buflen) len = buflen; 
@@ -48686,6 +48772,38 @@ index 7bdf790..eb79c4b 100644 get_fs_root(current->fs, &root); error = lock_mount(&old); if (error) +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 627f108..afc1fc5b 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -450,7 +450,8 @@ void nfs_prime_dcache(struct dentry *parent, struct nfs_entry *entry) + nfs_refresh_inode(dentry->d_inode, entry->fattr); + goto out; + } else { +- d_drop(dentry); ++ if (d_invalidate(dentry) != 0) ++ goto out; + dput(dentry); + } + } +@@ -1100,6 +1101,8 @@ out_set_verifier: + out_zap_parent: + nfs_zap_caches(dir); + out_bad: ++ nfs_free_fattr(fattr); ++ nfs_free_fhandle(fhandle); + nfs_mark_for_revalidate(dir); + if (inode && S_ISDIR(inode->i_mode)) { + /* Purge readdir caches. */ +@@ -1112,8 +1115,6 @@ out_zap_parent: + shrink_dcache_parent(dentry); + } + d_drop(dentry); +- nfs_free_fattr(fattr); +- nfs_free_fhandle(fhandle); + dput(parent); + dfprintk(LOOKUPCACHE, "NFS: %s(%s/%s) is invalid\n", + __func__, dentry->d_parent->d_name.name, diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c index 9b47610..066975e 100644 --- a/fs/nfs/inode.c @@ -63441,18 +63559,20 @@ index aa2e167..84024ce 100644 }; diff --git a/include/linux/init.h b/include/linux/init.h -index 5e664f6..15ae326 100644 +index 5e664f6..ba694f0 100644 --- a/include/linux/init.h +++ b/include/linux/init.h -@@ -39,9 +39,33 @@ +@@ -39,9 +39,36 @@ * Also note, that this data cannot be "const". */ +#ifdef MODULE +#define add_init_latent_entropy ++#define add_devinit_latent_entropy ++#define add_cpuinit_latent_entropy ++#define add_meminit_latent_entropy +#else +#define add_init_latent_entropy __latent_entropy -+#endif + +#ifdef CONFIG_HOTPLUG +#define add_devinit_latent_entropy @@ -63471,6 +63591,7 @@ index 5e664f6..15ae326 100644 +#else +#define add_meminit_latent_entropy __latent_entropy +#endif ++#endif + /* These are for everybody (although not all archs will actually discard it in modules) */ 
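Review bot: The new `goto out` in nfs_prime_dcache leaves the else branch before its `dput(dentry)`, so on a failed `d_invalidate` the reference on `dentry` is released only if the code at the `out` label does it. That label is outside the hunk and should be confirmed. If it does not drop the reference, every failed invalidation leaks a dentry reference. Either way the jump deserves a comment stating the ownership, e.g. `/* still in use: keep the old dentry, out: drops our reference */`.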
@@ -63479,7 +63600,7 @@ index 5e664f6..15ae326 100644 #define __initdata __section(.init.data) #define __initconst __section(.init.rodata) #define __exitdata __section(.exit.data) -@@ -83,7 +107,7 @@ +@@ -83,7 +110,7 @@ #define __exit __section(.exit.text) __exitused __cold notrace /* Used for HOTPLUG */ @@ -63488,7 +63609,7 @@ index 5e664f6..15ae326 100644 #define __devinitdata __section(.devinit.data) #define __devinitconst __section(.devinit.rodata) #define __devexit __section(.devexit.text) __exitused __cold notrace -@@ -91,7 +115,7 @@ +@@ -91,7 +118,7 @@ #define __devexitconst __section(.devexit.rodata) /* Used for HOTPLUG_CPU */ @@ -63497,7 +63618,7 @@ index 5e664f6..15ae326 100644 #define __cpuinitdata __section(.cpuinit.data) #define __cpuinitconst __section(.cpuinit.rodata) #define __cpuexit __section(.cpuexit.text) __exitused __cold notrace -@@ -99,7 +123,7 @@ +@@ -99,7 +126,7 @@ #define __cpuexitconst __section(.cpuexit.rodata) /* Used for MEMORY_HOTPLUG */ @@ -65339,6 +65460,19 @@ index 99c1b4d..bb94261 100644 } static inline void put_unaligned_le16(u16 val, void *p) +diff --git a/include/linux/usb.h b/include/linux/usb.h +index 30d1ae3..aecd07e 100644 +--- a/include/linux/usb.h ++++ b/include/linux/usb.h +@@ -546,7 +546,7 @@ struct usb_device { + struct usb_device **children; + + u32 quirks; +- atomic_t urbnum; ++ atomic_unchecked_t urbnum; + + unsigned long active_duration; + diff --git a/include/linux/usb/renesas_usbhs.h b/include/linux/usb/renesas_usbhs.h index c5d36c6..8478c90 100644 --- a/include/linux/usb/renesas_usbhs.h @@ -67978,7 +68112,7 @@ index 2c8857e..288c9c7 100644 else new_fs = fs; diff --git a/kernel/futex.c b/kernel/futex.c -index 20ef219..b3a0cb2 100644 +index 19eb089..b8c65ea 100644 --- a/kernel/futex.c +++ b/kernel/futex.c @@ -54,6 +54,7 @@ 
@@ -68001,7 +68135,7 @@ index 20ef219..b3a0cb2 100644 /* * The futex address must be "naturally" aligned. */ -@@ -2717,6 +2723,7 @@ static int __init futex_init(void) +@@ -2733,6 +2739,7 @@ static int __init futex_init(void) { u32 curval; int i; @@ -68009,7 +68143,7 @@ index 20ef219..b3a0cb2 100644 /* * This will fail and we want it. Some arch implementations do -@@ -2728,8 +2735,11 @@ static int __init futex_init(void) +@@ -2744,8 +2751,11 @@ static int __init futex_init(void) * implementation, the non-functional ones will return * -ENOSYS. */ @@ -70412,7 +70546,7 @@ index 98ec494..4241d6d 100644 default: diff --git a/kernel/sched/auto_group.c b/kernel/sched/auto_group.c -index 0984a21..939f183 100644 +index 0984a21..7e50319 100644 --- a/kernel/sched/auto_group.c +++ b/kernel/sched/auto_group.c @@ -11,7 +11,7 @@ @@ -70433,6 +70567,38 @@ index 0984a21..939f183 100644 ag->tg = tg; #ifdef CONFIG_RT_GROUP_SCHED /* +@@ -143,15 +143,11 @@ autogroup_move_group(struct task_struct *p, struct autogroup *ag) + + p->signal->autogroup = autogroup_kref_get(ag); + +- if (!ACCESS_ONCE(sysctl_sched_autogroup_enabled)) +- goto out; +- + t = p; + do { + sched_move_task(t); + } while_each_thread(p, t); + +-out: + unlock_task_sighand(p, &flags); + autogroup_kref_put(prev); + } +diff --git a/kernel/sched/auto_group.h b/kernel/sched/auto_group.h +index 8bd0471..443232e 100644 +--- a/kernel/sched/auto_group.h ++++ b/kernel/sched/auto_group.h +@@ -4,11 +4,6 @@ + #include <linux/rwsem.h> + + struct autogroup { +- /* +- * reference doesn't mean how many thread attach to this +- * autogroup now. It just stands for the number of task +- * could use this autogroup. +- */ + struct kref kref; + struct task_group *tg; + struct rw_semaphore lock; diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 1a48cdb..d3949ff 100644 --- a/kernel/sched/core.c @@ -71546,7 +71712,7 @@ index d4545f4..a9010a1 100644 local_irq_save(flags); 
diff --git a/kernel/workqueue.c b/kernel/workqueue.c -index 872bd6d..31601a2 100644 +index 872bd6d..b727b3a 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c @@ -1422,7 +1422,7 @@ retry: @@ -71567,6 +71733,18 @@ index 872bd6d..31601a2 100644 if (test_and_set_bit(WORK_STRUCT_PENDING_BIT, work_data_bits(rebind_work))) +@@ -2266,8 +2266,10 @@ static int rescuer_thread(void *__wq) + repeat: + set_current_state(TASK_INTERRUPTIBLE); + +- if (kthread_should_stop()) ++ if (kthread_should_stop()) { ++ __set_current_state(TASK_RUNNING); + return 0; ++ } + + /* + * See whether any cpu is asking for help. Unbounded diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index 2403a63..5c4be4c 100644 --- a/lib/Kconfig.debug @@ -72306,7 +72484,7 @@ index 14d260f..b2a80fd 100644 if (end == start) goto out; diff --git a/mm/memory-failure.c b/mm/memory-failure.c -index a6e2141..eaf5aad 100644 +index a6e2141..0e32042 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -61,7 +61,7 @@ int sysctl_memory_failure_early_kill __read_mostly = 0; @@ -72381,7 +72559,25 @@ index a6e2141..eaf5aad 100644 &mce_bad_pages); set_page_hwpoison_huge_page(hpage); dequeue_hwpoisoned_huge_page(hpage); -@@ -1572,7 +1572,7 @@ int soft_offline_page(struct page *page, int flags) +@@ -1474,9 +1474,17 @@ int soft_offline_page(struct page *page, int flags) + { + int ret; + unsigned long pfn = page_to_pfn(page); ++ struct page *hpage = compound_trans_head(page); + + if (PageHuge(page)) + return soft_offline_huge_page(page, flags); ++ if (PageTransHuge(hpage)) { ++ if (PageAnon(hpage) && unlikely(split_huge_page(hpage))) { ++ pr_info("soft offline: %#lx: failed to split THP\n", ++ pfn); ++ return -EBUSY; ++ } ++ } + + ret = get_any_page(page, pfn, flags); + if (ret < 0) +@@ -1572,7 +1580,7 @@ int soft_offline_page(struct page *page, int flags) return ret; done: 
@@ -76024,6 +76220,47 @@ index 1b7e22a..3fcd4f3 100644 } return pgd; } +diff --git a/mm/sparse.c b/mm/sparse.c +index fac95f2..a83de2f 100644 +--- a/mm/sparse.c ++++ b/mm/sparse.c +@@ -617,7 +617,7 @@ static void __kfree_section_memmap(struct page *memmap, unsigned long nr_pages) + { + return; /* XXX: Not implemented yet */ + } +-static void free_map_bootmem(struct page *page, unsigned long nr_pages) ++static void free_map_bootmem(struct page *memmap, unsigned long nr_pages) + { + } + #else +@@ -658,10 +658,11 @@ static void __kfree_section_memmap(struct page *memmap, unsigned long nr_pages) + get_order(sizeof(struct page) * nr_pages)); + } + +-static void free_map_bootmem(struct page *page, unsigned long nr_pages) ++static void free_map_bootmem(struct page *memmap, unsigned long nr_pages) + { + unsigned long maps_section_nr, removing_section_nr, i; + unsigned long magic; ++ struct page *page = virt_to_page(memmap); + + for (i = 0; i < nr_pages; i++, page++) { + magic = (unsigned long) page->lru.next; +@@ -710,13 +711,10 @@ static void free_section_usemap(struct page *memmap, unsigned long *usemap) + */ + + if (memmap) { +- struct page *memmap_page; +- memmap_page = virt_to_page(memmap); +- + nr_pages = PAGE_ALIGN(PAGES_PER_SECTION * sizeof(struct page)) + >> PAGE_SHIFT; + +- free_map_bootmem(memmap_page, nr_pages); ++ free_map_bootmem(memmap, nr_pages); + } + } + diff --git a/mm/swap.c b/mm/swap.c index 7782588..228c784 100644 --- a/mm/swap.c 
@@ -76308,6 +76545,72 @@ index 2bb90b1..3795e47 100644 v->addr, v->addr + v->size, v->size); if (v->caller) +diff --git a/mm/vmscan.c b/mm/vmscan.c +index 40db7d1..be5a9c1 100644 +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -2383,6 +2383,19 @@ static void age_active_anon(struct zone *zone, struct scan_control *sc) + } while (memcg); + } + ++static bool zone_balanced(struct zone *zone, int order, ++ unsigned long balance_gap, int classzone_idx) ++{ ++ if (!zone_watermark_ok_safe(zone, order, high_wmark_pages(zone) + ++ balance_gap, classzone_idx, 0)) ++ return false; ++ ++ if (COMPACTION_BUILD && order && !compaction_suitable(zone, order)) ++ return false; ++ ++ return true; ++} ++ + /* + * pgdat_balanced is used when checking if a node is balanced for high-order + * allocations. Only zones that meet watermarks and are in a zone allowed +@@ -2461,8 +2474,7 @@ static bool prepare_kswapd_sleep(pg_data_t *pgdat, int order, long remaining, + continue; + } + +- if (!zone_watermark_ok_safe(zone, order, high_wmark_pages(zone), +- i, 0)) ++ if (!zone_balanced(zone, order, 0, i)) + all_zones_ok = false; + else + balanced += zone->present_pages; +@@ -2571,8 +2583,7 @@ loop_again: + break; + } + +- if (!zone_watermark_ok_safe(zone, order, +- high_wmark_pages(zone), 0, 0)) { ++ if (!zone_balanced(zone, order, 0, 0)) { + end_zone = i; + break; + } else { +@@ -2648,9 +2659,8 @@ loop_again: + testorder = 0; + + if ((buffer_heads_over_limit && is_highmem_idx(i)) || +- !zone_watermark_ok_safe(zone, testorder, +- high_wmark_pages(zone) + balance_gap, +- end_zone, 0)) { ++ !zone_balanced(zone, testorder, ++ balance_gap, end_zone)) { + shrink_zone(zone, &sc); + + reclaim_state->reclaimed_slab = 0; +@@ -2677,8 +2687,7 @@ loop_again: + continue; + } + +- if (!zone_watermark_ok_safe(zone, testorder, +- high_wmark_pages(zone), end_zone, 0)) { ++ if (!zone_balanced(zone, testorder, 0, end_zone)) { + all_zones_ok = 0; + /* + * We are still under min water mark. This 
diff --git a/mm/vmstat.c b/mm/vmstat.c index df7a674..8b4a4f3 100644 --- a/mm/vmstat.c @@ -77403,6 +77706,20 @@ index 9633661..4e0bc08 100644 return nh->nh_saddr; } +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index f2eccd5..17ff9fd 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -257,7 +257,8 @@ static inline bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt, + struct inet_peer *peer = inet_getpeer_v4(net->ipv4.peers, fl4->daddr, 1); + rc = inet_peer_xrlim_allow(peer, + net->ipv4.sysctl_icmp_ratelimit); +- inet_putpeer(peer); ++ if (peer) ++ inet_putpeer(peer); + } + out: + return rc; diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c index 7880af9..70f92a3 100644 --- a/net/ipv4/inet_hashtables.c @@ -77514,6 +77831,21 @@ index 67e8a6b..386764d 100644 set_fs(oldfs); return res; } +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c +index ebdf06f..f797f59 100644 +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -1318,6 +1318,10 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, unsi + if (get_user(v, (u32 __user *)optval)) + return -EFAULT; + ++ /* "pimreg%u" should not exceed 16 bytes (IFNAMSIZ) */ ++ if (v != RT_TABLE_DEFAULT && v >= 1000000000) ++ return -EINVAL; ++ + rtnl_lock(); + ret = 0; + if (sk == rtnl_dereference(mrt->mroute_sk)) { diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index 97e61ea..cac1bbb 100644 --- a/net/ipv4/netfilter/arp_tables.c 
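Review bot: The new `if (peer)` guard in icmpv4_xrlim_allow covers only `inet_putpeer()`, while the call just above it, `inet_peer_xrlim_allow(peer, net->ipv4.sysctl_icmp_ratelimit)`, still receives the same possibly-NULL pointer from `inet_getpeer_v4()`. The helper's body is not part of this hunk, so whether it accepts NULL, and what it returns in that case, cannot be confirmed from here. If it returns "allow", ICMP rate limiting is skipped whenever no peer entry can be obtained, a fail-open path that should be stated in the code. I would add above the call: `/* peer may be NULL if lookup/allocation failed; inet_peer_xrlim_allow() must accept NULL - confirm the reply is meant to go out unlimited then */`. The function starts outside the hunk.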
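Review bot: The bound `1000000000` in the check added to ip_mroute_setsockopt is a bare literal tied to IFNAMSIZ only by the comment, so a change to the "pimreg%u" format or to IFNAMSIZ would leave it stale with no compile-time signal. Spell the arithmetic out next to it, e.g. `/* "pimreg" (6) + at most 9 decimal digits + NUL = 16 = IFNAMSIZ */`, or give the limit a name. The `v != RT_TABLE_DEFAULT` term looks redundant if RT_TABLE_DEFAULT is a small table id, since such a value can never reach the bound; either drop it or say why it is kept. The function body continues outside the hunk.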
@@ -78467,6 +78799,18 @@ index 6b9d5a0..4dffaf1 100644 seq_printf(m, "Max data size: %d\n", self->max_data_size); seq_printf(m, "Max header size: %d\n", self->max_header_size); +diff --git a/net/irda/irttp.c b/net/irda/irttp.c +index 5c93f29..71498f0 100644 +--- a/net/irda/irttp.c ++++ b/net/irda/irttp.c +@@ -441,6 +441,7 @@ struct tsap_cb *irttp_open_tsap(__u8 stsap_sel, int credit, notify_t *notify) + lsap = irlmp_open_lsap(stsap_sel, &ttp_notify, 0); + if (lsap == NULL) { + IRDA_WARNING("%s: unable to allocate LSAP!!\n", __func__); ++ __irttp_close_tsap(self); + return NULL; + } + diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c index cd6f7a9..e63fe89 100644 --- a/net/iucv/af_iucv.c @@ -78705,6 +79049,19 @@ index 1c5160f..145ae21 100644 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o +diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c +index d5d3607..1b6fa7b 100644 +--- a/net/netfilter/ipset/ip_set_hash_netiface.c ++++ b/net/netfilter/ipset/ip_set_hash_netiface.c +@@ -791,7 +791,7 @@ static struct ip_set_type hash_netiface_type __read_mostly = { + [IPSET_ATTR_IP] = { .type = NLA_NESTED }, + [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED }, + [IPSET_ATTR_IFACE] = { .type = NLA_NUL_STRING, +- .len = IPSET_MAXNAMELEN - 1 }, ++ .len = IFNAMSIZ - 1 }, + [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, + [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c index 1548df9..98ad9b4 100644 --- a/net/netfilter/ipvs/ip_vs_conn.c 
@@ -79609,6 +79966,38 @@ index f226709..0e735a8 100644 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial)); ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); +diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c +index 6c85564..9534bf9 100644 +--- a/net/sctp/chunk.c ++++ b/net/sctp/chunk.c +@@ -284,7 +284,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc, + goto errout; + err = sctp_user_addto_chunk(chunk, offset, len, msgh->msg_iov); + if (err < 0) +- goto errout; ++ goto errout_chunk_free; + + offset += len; + +@@ -324,7 +324,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc, + __skb_pull(chunk->skb, (__u8 *)chunk->chunk_hdr + - (__u8 *)chunk->skb->data); + if (err < 0) +- goto errout; ++ goto errout_chunk_free; + + sctp_datamsg_assign(msg, chunk); + list_add_tail(&chunk->frag_list, &msg->chunks); +@@ -332,6 +332,9 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc, + + return msg; + ++errout_chunk_free: ++ sctp_chunk_free(chunk); ++ + errout: + list_for_each_safe(pos, temp, &msg->chunks) { + list_del_init(pos); diff --git a/net/sctp/proc.c b/net/sctp/proc.c index 1e2eee8..ce3967e 100644 --- a/net/sctp/proc.c @@ -79636,6 +80025,19 @@ index 5e25981..dbda919 100644 if (copy_to_user(to, &temp, addrlen)) return -EFAULT; to += addrlen; +diff --git a/net/sctp/transport.c b/net/sctp/transport.c +index c97472b..3f7c94b 100644 +--- a/net/sctp/transport.c ++++ b/net/sctp/transport.c +@@ -328,7 +328,7 @@ void sctp_transport_update_rto(struct sctp_transport *tp, __u32 rtt) + * 1/8, rto_alpha would be expressed as 3. + */ + tp->rttvar = tp->rttvar - (tp->rttvar >> sctp_rto_beta) +- + ((abs(tp->srtt - rtt)) >> sctp_rto_beta); ++ + (((__u32)abs64((__s64)tp->srtt - (__s64)rtt)) >> sctp_rto_beta); + tp->srtt = tp->srtt - (tp->srtt >> sctp_rto_alpha) + + (rtt >> sctp_rto_alpha); + } else { diff --git a/net/socket.c b/net/socket.c index edc3c4a..4b4e4a8 100644 --- a/net/socket.c |
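Review bot: The cast chain added on the `tp->rttvar` line in sctp_transport_update_rto has no comment saying why the subtraction is widened, and the existing comment above it only describes the alpha/beta shifts. `rtt` is `__u32` in the signature and `srtt` is presumably unsigned too (its declaration is not in the hunk), so the point of `(__s64)tp->srtt - (__s64)rtt` is that the difference can go negative instead of wrapping. The `(__u32)` truncation afterwards is safe only while both operands fit in 32 bits. I would add: `/* widen before subtracting: both values are unsigned, so srtt - rtt would wrap when rtt > srtt */`. The function starts and ends outside the hunk.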