aboutsummaryrefslogtreecommitdiffstats
path: root/main/linux-grsec
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2014-07-24 06:14:53 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2014-07-24 13:59:52 +0000
commit72b899d867d849f816edc9be0163938cfda9a1f4 (patch)
treee014ce41155f35d09a7560d8949e6551c414ee17 /main/linux-grsec
parent6639f67d4098c8ad47ebb401f4ac272974870256 (diff)
downloadaports-72b899d867d849f816edc9be0163938cfda9a1f4.tar.bz2
aports-72b899d867d849f816edc9be0163938cfda9a1f4.tar.xz
main/linux-grsec: upgrade to 3.14.13
Diffstat (limited to 'main/linux-grsec')
-rw-r--r--main/linux-grsec/APKBUILD18
-rw-r--r--main/linux-grsec/grsecurity-3.0-3.14.13-201407232159.patch (renamed from main/linux-grsec/grsecurity-3.0-3.14.12-201407100035.patch)791
2 files changed, 654 insertions, 155 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 4a5c7b996a..70a6c22ec2 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -2,12 +2,12 @@
_flavor=grsec
pkgname=linux-${_flavor}
-pkgver=3.14.12
+pkgver=3.14.13
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
esac
-pkgrel=1
+pkgrel=0
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-3.0-3.14.12-201407100035.patch
+ grsecurity-3.0-3.14.13-201407232159.patch
fix-memory-map-for-PIE-applications.patch
imx6q-no-unclocked-sleep.patch
@@ -165,24 +165,24 @@ dev() {
}
md5sums="b621207b3f6ecbb67db18b13258f8ea8 linux-3.14.tar.xz
-89a5af1f3609d0c27e63fea298dd80ed patch-3.14.12.xz
-e8b97fb869a7c8267f2601b6a2c4ce0d grsecurity-3.0-3.14.12-201407100035.patch
+132470897fc5d57f5ac7d658100cc430 patch-3.14.13.xz
+a5ee03e4eb9c979a68214661ebf1dece grsecurity-3.0-3.14.13-201407232159.patch
c6a4ae7e8ca6159e1631545515805216 fix-memory-map-for-PIE-applications.patch
1a307fc1d63231bf01d22493a4f14378 imx6q-no-unclocked-sleep.patch
cd4f07e3d4b3aae163454fc2608530be kernelconfig.x86
f2d76b4a0e328957d56fbfb0250b7aad kernelconfig.x86_64
acbd5c6d745f3c733dc791999d8ad946 kernelconfig.armhf"
sha256sums="61558aa490855f42b6340d1a1596be47454909629327c49a5e4e10268065dffa linux-3.14.tar.xz
-b50d9569bc2e47f3be996fdbcb043e7eace9c92cbcb77d825dd1493f2d399475 patch-3.14.12.xz
-cda8726421ef4038b4883212efd1efd044f430929dfb74f29f1dc5f4e618a26d grsecurity-3.0-3.14.12-201407100035.patch
+e6b1a87470ab9f749002959e2c9ca2f7229b4b34f313120b4800eb39f08c4698 patch-3.14.13.xz
+8f892153ab184acec6575ceda7e2b5007aa2e934b193f059064d88b6a7f47477 grsecurity-3.0-3.14.13-201407232159.patch
500f3577310be52e87b9fecdc2e9c4ca43210fd97d69089f9005d484563f74c7 fix-memory-map-for-PIE-applications.patch
21179fbb22a5b74af0a609350ae1a170e232908572b201d02e791d2ce0a685d3 imx6q-no-unclocked-sleep.patch
1702432d9341568a7d9616c6768e200cbd0d6bbc7b627f7c3b7f340f0cb27b18 kernelconfig.x86
366bd930e453197985bf05c4f5e8c8a142c8c0c16a57cf1a4aad6714a76e035b kernelconfig.x86_64
761e3fdb5a84ae00cf4142634bf228b9a3c340dd180a14d5ffaa4e10a1fd6da0 kernelconfig.armhf"
sha512sums="5730d83a7a81134c1e77c0bf89e42dee4f8251ad56c1ac2be20c59e26fdfaa7bea55f277e7af156b637f22e1584914a46089af85039177cb43485089c74ac26e linux-3.14.tar.xz
-d5be9e74c530f1b48fd7fb38c91d375fe60c1d71e165b0cd7a39f49e7b79c0261c8170607e6fd67ef154273601fb5a8f078ee6deb1f973c180e39762634126bf patch-3.14.12.xz
-8b1d8048bd84697c729fcfbfb4c1356773cbdd73e47747db922ce1eff676c399208354c2bfe100f7548a296c33a6d294c6d5d99079a1dad6d195690a36f0b94b grsecurity-3.0-3.14.12-201407100035.patch
+49ec8684af792696230c62960dd2e1623c5ed078de4954739c366cba404cb2e6d5fbd62a8173d48dc29627c9a38e99dbeb9e96fb4f6c6a2fa077e6c5f56535e8 patch-3.14.13.xz
+17289ac3e3ffbd34785d9827cefbf6b7da829e1a878c5e16378b3bb681050fc07d4e94f29b9fcbfe74df21d2743377bc6462fdb25f0ee63f709864cb18060760 grsecurity-3.0-3.14.13-201407232159.patch
4665c56ae1bbac311f9205d64918e84ee8b01d47d6e2396ff6b8adfb10aada7f7254531ce62e31edbb65c2a54a830f09ad05d314dfcd75d6272f4068945ad7c7 fix-memory-map-for-PIE-applications.patch
87d1ad59732f265a5b0db54490dc1762c14ea4b868e7eb1aedc3ce57b48046de7bbc08cf5cfcf6f1380fa84063b0edb16ba3d5e3c5670be9bbb229275c88b221 imx6q-no-unclocked-sleep.patch
911e9ee3d8c38cf83ad187d66000f767cd440d0bb888768388b8fdcae762d3c38f5f000960dac58a50c342d338b0e84c87da009ab85effcb7d1acea070a656db kernelconfig.x86
diff --git a/main/linux-grsec/grsecurity-3.0-3.14.12-201407100035.patch b/main/linux-grsec/grsecurity-3.0-3.14.13-201407232159.patch
index 3a245d4407..81dff0ffb4 100644
--- a/main/linux-grsec/grsecurity-3.0-3.14.12-201407100035.patch
+++ b/main/linux-grsec/grsecurity-3.0-3.14.13-201407232159.patch
@@ -287,7 +287,7 @@ index 7116fda..d8ed6e8 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index 13d8f32..a7a7b9b 100644
+index 7a2981c..9fadd78 100644
--- a/Makefile
+++ b/Makefile
@@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -7700,7 +7700,7 @@ index 50dfafc..b9fc230 100644
DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
me->arch.unwind_section, table, end, gp);
diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c
-index 31ffa9b..588a798 100644
+index e1ffea2..46ed66e 100644
--- a/arch/parisc/kernel/sys_parisc.c
+++ b/arch/parisc/kernel/sys_parisc.c
@@ -89,6 +89,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
@@ -7960,7 +7960,7 @@ index d72197f..c017c84 100644
/*
* If for any reason at all we couldn't handle the fault, make
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
-index 957bf34..3430cc8 100644
+index 2156fa2..cc28613 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -393,6 +393,7 @@ config PPC64_SUPPORTS_MEMORY_FAILURE
@@ -8567,7 +8567,7 @@ index 1d0848b..d74685f 100644
#endif
}
diff --git a/arch/powerpc/kernel/module_32.c b/arch/powerpc/kernel/module_32.c
-index 6cff040..74ac5d1 100644
+index 6cff040..74ac5d1b 100644
--- a/arch/powerpc/kernel/module_32.c
+++ b/arch/powerpc/kernel/module_32.c
@@ -161,7 +161,7 @@ int module_frob_arch_sections(Elf32_Ehdr *hdr,
@@ -33352,19 +33352,21 @@ index 7b179b4..6bd17777 100644
return (void *)vaddr;
diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
-index 799580c..72f9fe0 100644
+index 94bd247..7e48391 100644
--- a/arch/x86/mm/ioremap.c
+++ b/arch/x86/mm/ioremap.c
-@@ -97,7 +97,7 @@ static void __iomem *__ioremap_caller(resource_size_t phys_addr,
- for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
- int is_ram = page_is_ram(pfn);
+@@ -56,8 +56,8 @@ static int __ioremap_check_ram(unsigned long start_pfn, unsigned long nr_pages,
+ unsigned long i;
+
+ for (i = 0; i < nr_pages; ++i)
+- if (pfn_valid(start_pfn + i) &&
+- !PageReserved(pfn_to_page(start_pfn + i)))
++ if (pfn_valid(start_pfn + i) && (start_pfn + i >= 0x100 ||
++ !PageReserved(pfn_to_page(start_pfn + i))))
+ return 1;
-- if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
-+ if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
- return NULL;
- WARN_ON_ONCE(is_ram);
- }
-@@ -256,7 +256,7 @@ EXPORT_SYMBOL(ioremap_prot);
+ WARN_ONCE(1, "ioremap on RAM pfn 0x%lx\n", start_pfn);
+@@ -268,7 +268,7 @@ EXPORT_SYMBOL(ioremap_prot);
*
* Caller must ensure there is only one unmapping for the same pointer.
*/
@@ -33373,7 +33375,7 @@ index 799580c..72f9fe0 100644
{
struct vm_struct *p, *o;
-@@ -310,6 +310,9 @@ void *xlate_dev_mem_ptr(unsigned long phys)
+@@ -322,6 +322,9 @@ void *xlate_dev_mem_ptr(unsigned long phys)
/* If page is RAM, we can use __va. Otherwise ioremap and unmap. */
if (page_is_ram(start >> PAGE_SHIFT))
@@ -33383,7 +33385,7 @@ index 799580c..72f9fe0 100644
return __va(phys);
addr = (void __force *)ioremap_cache(start, PAGE_SIZE);
-@@ -322,6 +325,9 @@ void *xlate_dev_mem_ptr(unsigned long phys)
+@@ -334,6 +337,9 @@ void *xlate_dev_mem_ptr(unsigned long phys)
void unxlate_dev_mem_ptr(unsigned long phys, void *addr)
{
if (page_is_ram(phys >> PAGE_SHIFT))
@@ -33393,7 +33395,7 @@ index 799580c..72f9fe0 100644
return;
iounmap((void __iomem *)((unsigned long)addr & PAGE_MASK));
-@@ -339,7 +345,7 @@ static int __init early_ioremap_debug_setup(char *str)
+@@ -351,7 +357,7 @@ static int __init early_ioremap_debug_setup(char *str)
early_param("early_ioremap_debug", early_ioremap_debug_setup);
static __initdata int after_paging_init;
@@ -33402,7 +33404,7 @@ index 799580c..72f9fe0 100644
static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
{
-@@ -376,8 +382,7 @@ void __init early_ioremap_init(void)
+@@ -388,8 +394,7 @@ void __init early_ioremap_init(void)
slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
@@ -39664,7 +39666,7 @@ index 18d4091..434be15 100644
}
EXPORT_SYMBOL_GPL(od_unregister_powersave_bias_handler);
diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
-index 6d98c37..a592321 100644
+index ae52c77..3d8f69b 100644
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -125,10 +125,10 @@ struct pstate_funcs {
@@ -39680,7 +39682,7 @@ index 6d98c37..a592321 100644
struct perf_limits {
int no_turbo;
-@@ -526,7 +526,7 @@ static void intel_pstate_set_pstate(struct cpudata *cpu, int pstate)
+@@ -530,7 +530,7 @@ static void intel_pstate_set_pstate(struct cpudata *cpu, int pstate)
cpu->pstate.current_pstate = pstate;
@@ -39689,7 +39691,7 @@ index 6d98c37..a592321 100644
}
static inline void intel_pstate_pstate_increase(struct cpudata *cpu, int steps)
-@@ -548,12 +548,12 @@ static void intel_pstate_get_cpu_pstates(struct cpudata *cpu)
+@@ -552,12 +552,12 @@ static void intel_pstate_get_cpu_pstates(struct cpudata *cpu)
{
sprintf(cpu->name, "Intel 2nd generation core");
@@ -39707,7 +39709,7 @@ index 6d98c37..a592321 100644
intel_pstate_set_pstate(cpu, cpu->pstate.min_pstate);
}
-@@ -835,9 +835,9 @@ static int intel_pstate_msrs_not_valid(void)
+@@ -844,9 +844,9 @@ static int intel_pstate_msrs_not_valid(void)
rdmsrl(MSR_IA32_APERF, aperf);
rdmsrl(MSR_IA32_MPERF, mperf);
@@ -39720,7 +39722,7 @@ index 6d98c37..a592321 100644
return -ENODEV;
rdmsrl(MSR_IA32_APERF, tmp);
-@@ -851,7 +851,7 @@ static int intel_pstate_msrs_not_valid(void)
+@@ -860,7 +860,7 @@ static int intel_pstate_msrs_not_valid(void)
return 0;
}
@@ -39729,7 +39731,7 @@ index 6d98c37..a592321 100644
{
pid_params.sample_rate_ms = policy->sample_rate_ms;
pid_params.p_gain_pct = policy->p_gain_pct;
-@@ -863,11 +863,7 @@ static void copy_pid_params(struct pstate_adjust_policy *policy)
+@@ -872,11 +872,7 @@ static void copy_pid_params(struct pstate_adjust_policy *policy)
static void copy_cpu_funcs(struct pstate_funcs *funcs)
{
@@ -44543,10 +44545,10 @@ index b086a94..74cb67e 100644
pmd->bl_info.value_type.inc = data_block_inc;
pmd->bl_info.value_type.dec = data_block_dec;
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
-index 8c53b09..f1fb2b0 100644
+index 65ee3a0..1852af9 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
-@@ -185,9 +185,9 @@ struct mapped_device {
+@@ -187,9 +187,9 @@ struct mapped_device {
/*
* Event handling.
*/
@@ -44558,7 +44560,7 @@ index 8c53b09..f1fb2b0 100644
struct list_head uevent_list;
spinlock_t uevent_lock; /* Protect access to uevent_list */
-@@ -1888,8 +1888,8 @@ static struct mapped_device *alloc_dev(int minor)
+@@ -1899,8 +1899,8 @@ static struct mapped_device *alloc_dev(int minor)
spin_lock_init(&md->deferred_lock);
atomic_set(&md->holders, 1);
atomic_set(&md->open_count, 0);
@@ -44569,7 +44571,7 @@ index 8c53b09..f1fb2b0 100644
INIT_LIST_HEAD(&md->uevent_list);
spin_lock_init(&md->uevent_lock);
-@@ -2043,7 +2043,7 @@ static void event_callback(void *context)
+@@ -2054,7 +2054,7 @@ static void event_callback(void *context)
dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
@@ -44578,7 +44580,7 @@ index 8c53b09..f1fb2b0 100644
wake_up(&md->eventq);
}
-@@ -2736,18 +2736,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
+@@ -2747,18 +2747,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
uint32_t dm_next_uevent_seq(struct mapped_device *md)
{
@@ -45265,6 +45267,79 @@ index a1c641e..3007da9 100644
static int dib7070_set_param_override(struct dvb_frontend *fe)
{
+diff --git a/drivers/media/usb/dvb-usb/dvb-usb-firmware.c b/drivers/media/usb/dvb-usb/dvb-usb-firmware.c
+index 733a7ff..f8b52e3 100644
+--- a/drivers/media/usb/dvb-usb/dvb-usb-firmware.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-firmware.c
+@@ -35,42 +35,57 @@ static int usb_cypress_writemem(struct usb_device *udev,u16 addr,u8 *data, u8 le
+
+ int usb_cypress_load_firmware(struct usb_device *udev, const struct firmware *fw, int type)
+ {
+- struct hexline hx;
+- u8 reset;
++ struct hexline *hx;
++ u8 *reset;
+ int ret,pos=0;
+
++ reset = kmalloc(1, GFP_KERNEL);
++ if (reset == NULL)
++ return -ENOMEM;
++
++ hx = kmalloc(sizeof(struct hexline), GFP_KERNEL);
++ if (hx == NULL) {
++ kfree(reset);
++ return -ENOMEM;
++ }
++
+ /* stop the CPU */
+- reset = 1;
+- if ((ret = usb_cypress_writemem(udev,cypress[type].cpu_cs_register,&reset,1)) != 1)
++ reset[0] = 1;
++ if ((ret = usb_cypress_writemem(udev,cypress[type].cpu_cs_register,reset,1)) != 1)
+ err("could not stop the USB controller CPU.");
+
+- while ((ret = dvb_usb_get_hexline(fw,&hx,&pos)) > 0) {
+- deb_fw("writing to address 0x%04x (buffer: 0x%02x %02x)\n",hx.addr,hx.len,hx.chk);
+- ret = usb_cypress_writemem(udev,hx.addr,hx.data,hx.len);
++ while ((ret = dvb_usb_get_hexline(fw,hx,&pos)) > 0) {
++ deb_fw("writing to address 0x%04x (buffer: 0x%02x %02x)\n",hx->addr,hx->len,hx->chk);
++ ret = usb_cypress_writemem(udev,hx->addr,hx->data,hx->len);
+
+- if (ret != hx.len) {
++ if (ret != hx->len) {
+ err("error while transferring firmware "
+ "(transferred size: %d, block size: %d)",
+- ret,hx.len);
++ ret,hx->len);
+ ret = -EINVAL;
+ break;
+ }
+ }
+ if (ret < 0) {
+ err("firmware download failed at %d with %d",pos,ret);
++ kfree(reset);
++ kfree(hx);
+ return ret;
+ }
+
+ if (ret == 0) {
+ /* restart the CPU */
+- reset = 0;
+- if (ret || usb_cypress_writemem(udev,cypress[type].cpu_cs_register,&reset,1) != 1) {
++ reset[0] = 0;
++ if (ret || usb_cypress_writemem(udev,cypress[type].cpu_cs_register,reset,1) != 1) {
+ err("could not restart the USB controller CPU.");
+ ret = -EINVAL;
+ }
+ } else
+ ret = -EIO;
+
++ kfree(reset);
++ kfree(hx);
++
+ return ret;
+ }
+ EXPORT_SYMBOL(usb_cypress_load_firmware);
diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c
index ae0f56a..ec71784 100644
--- a/drivers/media/usb/dvb-usb/dw2102.c
@@ -45278,6 +45353,212 @@ index ae0f56a..ec71784 100644
/* debug */
static int dvb_usb_dw2102_debug;
+diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c
+index 98d24ae..bc22415 100644
+--- a/drivers/media/usb/dvb-usb/technisat-usb2.c
++++ b/drivers/media/usb/dvb-usb/technisat-usb2.c
+@@ -87,8 +87,11 @@ struct technisat_usb2_state {
+ static int technisat_usb2_i2c_access(struct usb_device *udev,
+ u8 device_addr, u8 *tx, u8 txlen, u8 *rx, u8 rxlen)
+ {
+- u8 b[64];
+- int ret, actual_length;
++ u8 *b = kmalloc(64, GFP_KERNEL);
++ int ret, actual_length, error = 0;
++
++ if (b == NULL)
++ return -ENOMEM;
+
+ deb_i2c("i2c-access: %02x, tx: ", device_addr);
+ debug_dump(tx, txlen, deb_i2c);
+@@ -121,7 +124,8 @@ static int technisat_usb2_i2c_access(struct usb_device *udev,
+
+ if (ret < 0) {
+ err("i2c-error: out failed %02x = %d", device_addr, ret);
+- return -ENODEV;
++ error = -ENODEV;
++ goto out;
+ }
+
+ ret = usb_bulk_msg(udev,
+@@ -129,7 +133,8 @@ static int technisat_usb2_i2c_access(struct usb_device *udev,
+ b, 64, &actual_length, 1000);
+ if (ret < 0) {
+ err("i2c-error: in failed %02x = %d", device_addr, ret);
+- return -ENODEV;
++ error = -ENODEV;
++ goto out;
+ }
+
+ if (b[0] != I2C_STATUS_OK) {
+@@ -137,8 +142,10 @@ static int technisat_usb2_i2c_access(struct usb_device *udev,
+ /* handle tuner-i2c-nak */
+ if (!(b[0] == I2C_STATUS_NAK &&
+ device_addr == 0x60
+- /* && device_is_technisat_usb2 */))
+- return -ENODEV;
++ /* && device_is_technisat_usb2 */)) {
++ error = -ENODEV;
++ goto out;
++ }
+ }
+
+ deb_i2c("status: %d, ", b[0]);
+@@ -152,7 +159,9 @@ static int technisat_usb2_i2c_access(struct usb_device *udev,
+
+ deb_i2c("\n");
+
+- return 0;
++out:
++ kfree(b);
++ return error;
+ }
+
+ static int technisat_usb2_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg *msg,
+@@ -224,14 +233,16 @@ static int technisat_usb2_set_led(struct dvb_usb_device *d, int red, enum techni
+ {
+ int ret;
+
+- u8 led[8] = {
+- red ? SET_RED_LED_VENDOR_REQUEST : SET_GREEN_LED_VENDOR_REQUEST,
+- 0
+- };
++ u8 *led = kzalloc(8, GFP_KERNEL);
++
++ if (led == NULL)
++ return -ENOMEM;
+
+ if (disable_led_control && state != LED_OFF)
+ return 0;
+
++ led[0] = red ? SET_RED_LED_VENDOR_REQUEST : SET_GREEN_LED_VENDOR_REQUEST;
++
+ switch (state) {
+ case LED_ON:
+ led[1] = 0x82;
+@@ -263,16 +274,22 @@ static int technisat_usb2_set_led(struct dvb_usb_device *d, int red, enum techni
+ red ? SET_RED_LED_VENDOR_REQUEST : SET_GREEN_LED_VENDOR_REQUEST,
+ USB_TYPE_VENDOR | USB_DIR_OUT,
+ 0, 0,
+- led, sizeof(led), 500);
++ led, 8, 500);
+
+ mutex_unlock(&d->i2c_mutex);
++
++ kfree(led);
++
+ return ret;
+ }
+
+ static int technisat_usb2_set_led_timer(struct dvb_usb_device *d, u8 red, u8 green)
+ {
+ int ret;
+- u8 b = 0;
++ u8 *b = kzalloc(1, GFP_KERNEL);
++
++ if (b == NULL)
++ return -ENOMEM;
+
+ if (mutex_lock_interruptible(&d->i2c_mutex) < 0)
+ return -EAGAIN;
+@@ -281,10 +298,12 @@ static int technisat_usb2_set_led_timer(struct dvb_usb_device *d, u8 red, u8 gre
+ SET_LED_TIMER_DIVIDER_VENDOR_REQUEST,
+ USB_TYPE_VENDOR | USB_DIR_OUT,
+ (red << 8) | green, 0,
+- &b, 1, 500);
++ b, 1, 500);
+
+ mutex_unlock(&d->i2c_mutex);
+
++ kfree(b);
++
+ return ret;
+ }
+
+@@ -328,7 +347,7 @@ static int technisat_usb2_identify_state(struct usb_device *udev,
+ struct dvb_usb_device_description **desc, int *cold)
+ {
+ int ret;
+- u8 version[3];
++ u8 *version = kmalloc(3, GFP_KERNEL);
+
+ /* first select the interface */
+ if (usb_set_interface(udev, 0, 1) != 0)
+@@ -338,11 +357,14 @@ static int technisat_usb2_identify_state(struct usb_device *udev,
+
+ *cold = 0; /* by default do not download a firmware - just in case something is wrong */
+
++ if (version == NULL)
++ return 0;
++
+ ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
+ GET_VERSION_INFO_VENDOR_REQUEST,
+ USB_TYPE_VENDOR | USB_DIR_IN,
+ 0, 0,
+- version, sizeof(version), 500);
++ version, 3, 500);
+
+ if (ret < 0)
+ *cold = 1;
+@@ -351,6 +373,8 @@ static int technisat_usb2_identify_state(struct usb_device *udev,
+ *cold = 0;
+ }
+
++ kfree(version);
++
+ return 0;
+ }
+
+@@ -591,10 +615,15 @@ static int technisat_usb2_frontend_attach(struct dvb_usb_adapter *a)
+
+ static int technisat_usb2_get_ir(struct dvb_usb_device *d)
+ {
+- u8 buf[62], *b;
++ u8 *buf, *b;
+ int ret;
+ struct ir_raw_event ev;
+
++ buf = kmalloc(62, GFP_KERNEL);
++
++ if (buf == NULL)
++ return -ENOMEM;
++
+ buf[0] = GET_IR_DATA_VENDOR_REQUEST;
+ buf[1] = 0x08;
+ buf[2] = 0x8f;
+@@ -617,16 +646,20 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d)
+ GET_IR_DATA_VENDOR_REQUEST,
+ USB_TYPE_VENDOR | USB_DIR_IN,
+ 0x8080, 0,
+- buf, sizeof(buf), 500);
++ buf, 62, 500);
+
+ unlock:
+ mutex_unlock(&d->i2c_mutex);
+
+- if (ret < 0)
++ if (ret < 0) {
++ kfree(buf);
+ return ret;
++ }
+
+- if (ret == 1)
++ if (ret == 1) {
++ kfree(buf);
+ return 0; /* no key pressed */
++ }
+
+ /* decoding */
+ b = buf+1;
+@@ -653,6 +686,8 @@ unlock:
+
+ ir_raw_event_handle(d->rc_dev);
+
++ kfree(buf);
++
+ return 1;
+ }
+
diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
index fca336b..fb70ab7 100644
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -47224,6 +47505,24 @@ index 5920c99..ff2e4a5 100644
};
static void
+diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c
+index 5895f19..fa9fdfa 100644
+--- a/drivers/net/wan/x25_asy.c
++++ b/drivers/net/wan/x25_asy.c
+@@ -122,8 +122,12 @@ static int x25_asy_change_mtu(struct net_device *dev, int newmtu)
+ {
+ struct x25_asy *sl = netdev_priv(dev);
+ unsigned char *xbuff, *rbuff;
+- int len = 2 * newmtu;
++ int len;
+
++ if (newmtu > 65534)
++ return -EINVAL;
++
++ len = 2 * newmtu;
+ xbuff = kmalloc(len + 4, GFP_ATOMIC);
+ rbuff = kmalloc(len + 4, GFP_ATOMIC);
+
diff --git a/drivers/net/wan/z85230.c b/drivers/net/wan/z85230.c
index feacc3b..5bac0de 100644
--- a/drivers/net/wan/z85230.c
@@ -51672,7 +51971,7 @@ index 9cd706d..6ff2de7 100644
if (cfg->uart_flags & UPF_CONS_FLOW) {
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
-index ece2049..fba2524 100644
+index ece2049b..fba2524 100644
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -1448,7 +1448,7 @@ static void uart_hangup(struct tty_struct *tty)
@@ -52838,6 +53137,36 @@ index 7ae0c4d..35521b7 100644
retval = submit_single_step_set_feature(hcd, urb, 0);
if (!retval && !wait_for_completion_timeout(&done,
msecs_to_jiffies(2000))) {
+diff --git a/drivers/usb/host/hwa-hc.c b/drivers/usb/host/hwa-hc.c
+index e076699..6b3b875 100644
+--- a/drivers/usb/host/hwa-hc.c
++++ b/drivers/usb/host/hwa-hc.c
+@@ -301,7 +301,10 @@ static int __hwahc_op_bwa_set(struct wusbhc *wusbhc, s8 stream_index,
+ struct hwahc *hwahc = container_of(wusbhc, struct hwahc, wusbhc);
+ struct wahc *wa = &hwahc->wa;
+ struct device *dev = &wa->usb_iface->dev;
+- u8 mas_le[UWB_NUM_MAS/8];
++ u8 *mas_le = kmalloc(UWB_NUM_MAS/8, GFP_KERNEL);
++
++ if (mas_le == NULL)
++ return -ENOMEM;
+
+ /* Set the stream index */
+ result = usb_control_msg(wa->usb_dev, usb_sndctrlpipe(wa->usb_dev, 0),
+@@ -320,10 +323,12 @@ static int __hwahc_op_bwa_set(struct wusbhc *wusbhc, s8 stream_index,
+ WUSB_REQ_SET_WUSB_MAS,
+ USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE,
+ 0, wa->usb_iface->cur_altsetting->desc.bInterfaceNumber,
+- mas_le, 32, USB_CTRL_SET_TIMEOUT);
++ mas_le, UWB_NUM_MAS/8, USB_CTRL_SET_TIMEOUT);
+ if (result < 0)
+ dev_err(dev, "Cannot set WUSB MAS allocation: %d\n", result);
+ out:
++ kfree(mas_le);
++
+ return result;
+ }
+
diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
index ba6a5d6..f88f7f3 100644
--- a/drivers/usb/misc/appledisplay.c
@@ -59899,7 +60228,7 @@ index e6574d7..c30cbe2 100644
brelse(bh);
bh = NULL;
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
-index 08ddfda..a48f3f6 100644
+index 502f0fd..bf3b3c1 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1880,7 +1880,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac,
@@ -60029,7 +60358,7 @@ index 04434ad..6404663 100644
"MMP failure info: last update time: %llu, last update "
"node: %s, last update device: %s\n",
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
-index 710fed2..a82e4e8 100644
+index 25b327e..56f169d 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1270,7 +1270,7 @@ static ext4_fsblk_t get_sb_block(void **data)
@@ -60041,7 +60370,7 @@ index 710fed2..a82e4e8 100644
"Contact linux-ext4@vger.kernel.org if you think we should keep it.\n";
#ifdef CONFIG_QUOTA
-@@ -2450,7 +2450,7 @@ struct ext4_attr {
+@@ -2448,7 +2448,7 @@ struct ext4_attr {
int offset;
int deprecated_val;
} u;
@@ -62048,7 +62377,7 @@ index b29e42f..5ea7fdf 100644
#define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */
diff --git a/fs/namei.c b/fs/namei.c
-index 8274c8d..922e189 100644
+index 8274c8d..e242796 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -330,17 +330,34 @@ int generic_permission(struct inode *inode, int mask)
@@ -62184,7 +62513,19 @@ index 8274c8d..922e189 100644
return retval;
}
-@@ -2557,6 +2590,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
+@@ -2247,9 +2280,10 @@ done:
+ goto out;
+ }
+ path->dentry = dentry;
+- path->mnt = mntget(nd->path.mnt);
++ path->mnt = nd->path.mnt;
+ if (should_follow_link(dentry, nd->flags & LOOKUP_FOLLOW))
+ return 1;
++ mntget(path->mnt);
+ follow_mount(path);
+ error = 0;
+ out:
+@@ -2557,6 +2591,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
if (flag & O_NOATIME && !inode_owner_or_capable(inode))
return -EPERM;
@@ -62198,7 +62539,7 @@ index 8274c8d..922e189 100644
return 0;
}
-@@ -2788,7 +2828,7 @@ looked_up:
+@@ -2788,7 +2829,7 @@ looked_up:
* cleared otherwise prior to returning.
*/
static int lookup_open(struct nameidata *nd, struct path *path,
@@ -62207,7 +62548,7 @@ index 8274c8d..922e189 100644
const struct open_flags *op,
bool got_write, int *opened)
{
-@@ -2823,6 +2863,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2823,6 +2864,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
/* Negative dentry, just create the file */
if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
umode_t mode = op->mode;
@@ -62225,7 +62566,7 @@ index 8274c8d..922e189 100644
if (!IS_POSIXACL(dir->d_inode))
mode &= ~current_umask();
/*
-@@ -2844,6 +2895,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2844,6 +2896,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
nd->flags & LOOKUP_EXCL);
if (error)
goto out_dput;
@@ -62234,7 +62575,7 @@ index 8274c8d..922e189 100644
}
out_no_open:
path->dentry = dentry;
-@@ -2858,7 +2911,7 @@ out_dput:
+@@ -2858,7 +2912,7 @@ out_dput:
/*
* Handle the last step of open()
*/
@@ -62243,7 +62584,7 @@ index 8274c8d..922e189 100644
struct file *file, const struct open_flags *op,
int *opened, struct filename *name)
{
-@@ -2908,6 +2961,15 @@ static int do_last(struct nameidata *nd, struct path *path,
+@@ -2908,6 +2962,15 @@ static int do_last(struct nameidata *nd, struct path *path,
if (error)
return error;
@@ -62259,7 +62600,7 @@ index 8274c8d..922e189 100644
audit_inode(name, dir, LOOKUP_PARENT);
error = -EISDIR;
/* trailing slashes? */
-@@ -2927,7 +2989,7 @@ retry_lookup:
+@@ -2927,7 +2990,7 @@ retry_lookup:
*/
}
mutex_lock(&dir->d_inode->i_mutex);
@@ -62268,7 +62609,7 @@ index 8274c8d..922e189 100644
mutex_unlock(&dir->d_inode->i_mutex);
if (error <= 0) {
-@@ -2951,11 +3013,28 @@ retry_lookup:
+@@ -2951,11 +3014,28 @@ retry_lookup:
goto finish_open_created;
}
@@ -62298,7 +62639,7 @@ index 8274c8d..922e189 100644
/*
* If atomic_open() acquired write access it is dropped now due to
-@@ -2996,6 +3075,11 @@ finish_lookup:
+@@ -2996,6 +3076,11 @@ finish_lookup:
}
}
BUG_ON(inode != path->dentry->d_inode);
@@ -62310,7 +62651,7 @@ index 8274c8d..922e189 100644
return 1;
}
-@@ -3005,7 +3089,6 @@ finish_lookup:
+@@ -3005,7 +3090,6 @@ finish_lookup:
save_parent.dentry = nd->path.dentry;
save_parent.mnt = mntget(path->mnt);
nd->path.dentry = path->dentry;
@@ -62318,7 +62659,7 @@ index 8274c8d..922e189 100644
}
nd->inode = inode;
/* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */
-@@ -3015,7 +3098,18 @@ finish_open:
+@@ -3015,7 +3099,18 @@ finish_open:
path_put(&save_parent);
return error;
}
@@ -62337,7 +62678,7 @@ index 8274c8d..922e189 100644
error = -EISDIR;
if ((open_flag & O_CREAT) &&
(d_is_directory(nd->path.dentry) || d_is_autodir(nd->path.dentry)))
-@@ -3179,7 +3273,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -3179,7 +3274,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
if (unlikely(error))
goto out;
@@ -62346,7 +62687,7 @@ index 8274c8d..922e189 100644
while (unlikely(error > 0)) { /* trailing symlink */
struct path link = path;
void *cookie;
-@@ -3197,7 +3291,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -3197,7 +3292,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
error = follow_link(&link, nd, &cookie);
if (unlikely(error))
break;
@@ -62355,7 +62696,7 @@ index 8274c8d..922e189 100644
put_link(nd, &link, cookie);
}
out:
-@@ -3297,9 +3391,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
+@@ -3297,9 +3392,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
goto unlock;
error = -EEXIST;
@@ -62369,7 +62710,7 @@ index 8274c8d..922e189 100644
/*
* Special case - lookup gave negative, but... we had foo/bar/
* From the vfs_mknod() POV we just have a negative dentry -
-@@ -3351,6 +3447,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
+@@ -3351,6 +3448,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
}
EXPORT_SYMBOL(user_path_create);
@@ -62390,7 +62731,7 @@ index 8274c8d..922e189 100644
int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
int error = may_create(dir, dentry);
-@@ -3413,6 +3523,17 @@ retry:
+@@ -3413,6 +3524,17 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -62408,7 +62749,7 @@ index 8274c8d..922e189 100644
error = security_path_mknod(&path, dentry, mode, dev);
if (error)
goto out;
-@@ -3429,6 +3550,8 @@ retry:
+@@ -3429,6 +3551,8 @@ retry:
break;
}
out:
@@ -62417,7 +62758,7 @@ index 8274c8d..922e189 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3481,9 +3604,16 @@ retry:
+@@ -3481,9 +3605,16 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -62434,7 +62775,7 @@ index 8274c8d..922e189 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3564,6 +3694,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -3564,6 +3695,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
struct filename *name;
struct dentry *dentry;
struct nameidata nd;
@@ -62443,7 +62784,7 @@ index 8274c8d..922e189 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3596,10 +3728,21 @@ retry:
+@@ -3596,10 +3729,21 @@ retry:
error = -ENOENT;
goto exit3;
}
@@ -62465,7 +62806,7 @@ index 8274c8d..922e189 100644
exit3:
dput(dentry);
exit2:
-@@ -3689,6 +3832,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -3689,6 +3833,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
struct nameidata nd;
struct inode *inode = NULL;
struct inode *delegated_inode = NULL;
@@ -62474,7 +62815,7 @@ index 8274c8d..922e189 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3715,10 +3860,22 @@ retry_deleg:
+@@ -3715,10 +3861,22 @@ retry_deleg:
if (d_is_negative(dentry))
goto slashes;
ihold(inode);
@@ -62497,7 +62838,7 @@ index 8274c8d..922e189 100644
exit2:
dput(dentry);
}
-@@ -3806,9 +3963,17 @@ retry:
+@@ -3806,9 +3964,17 @@ retry:
if (IS_ERR(dentry))
goto out_putname;
@@ -62515,7 +62856,7 @@ index 8274c8d..922e189 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3911,6 +4076,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3911,6 +4077,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
struct dentry *new_dentry;
struct path old_path, new_path;
struct inode *delegated_inode = NULL;
@@ -62523,7 +62864,7 @@ index 8274c8d..922e189 100644
int how = 0;
int error;
-@@ -3934,7 +4100,7 @@ retry:
+@@ -3934,7 +4101,7 @@ retry:
if (error)
return error;
@@ -62532,7 +62873,7 @@ index 8274c8d..922e189 100644
(how & LOOKUP_REVAL));
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
-@@ -3946,11 +4112,28 @@ retry:
+@@ -3946,11 +4113,28 @@ retry:
error = may_linkat(&old_path);
if (unlikely(error))
goto out_dput;
@@ -62561,7 +62902,7 @@ index 8274c8d..922e189 100644
done_path_create(&new_path, new_dentry);
if (delegated_inode) {
error = break_deleg_wait(&delegated_inode);
-@@ -4237,6 +4420,12 @@ retry_deleg:
+@@ -4237,6 +4421,12 @@ retry_deleg:
if (new_dentry == trap)
goto exit5;
@@ -62574,7 +62915,7 @@ index 8274c8d..922e189 100644
error = security_path_rename(&oldnd.path, old_dentry,
&newnd.path, new_dentry);
if (error)
-@@ -4244,6 +4433,9 @@ retry_deleg:
+@@ -4244,6 +4434,9 @@ retry_deleg:
error = vfs_rename(old_dir->d_inode, old_dentry,
new_dir->d_inode, new_dentry,
&delegated_inode);
@@ -62584,7 +62925,7 @@ index 8274c8d..922e189 100644
exit5:
dput(new_dentry);
exit4:
-@@ -4280,6 +4472,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -4280,6 +4473,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
{
@@ -62593,7 +62934,7 @@ index 8274c8d..922e189 100644
int len;
len = PTR_ERR(link);
-@@ -4289,7 +4483,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+@@ -4289,7 +4484,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
len = strlen(link);
if (len > (unsigned) buflen)
len = buflen;
@@ -91378,7 +91719,7 @@ index 868633e..921dc41 100644
ftrace_graph_active++;
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
-index fc4da2d..f3e800b 100644
+index 04202d9..e3e4242 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -352,9 +352,9 @@ struct buffer_data_page {
@@ -91404,7 +91745,7 @@ index fc4da2d..f3e800b 100644
local_t dropped_events;
local_t committing;
local_t commits;
-@@ -992,8 +992,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -995,8 +995,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer,
*
* We add a counter to the write field to denote this.
*/
@@ -91415,7 +91756,7 @@ index fc4da2d..f3e800b 100644
/*
* Just make sure we have seen our old_write and synchronize
-@@ -1021,8 +1021,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -1024,8 +1024,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer,
* cmpxchg to only update if an interrupt did not already
* do it for us. If the cmpxchg fails, we don't care.
*/
@@ -91426,7 +91767,7 @@ index fc4da2d..f3e800b 100644
/*
* No need to worry about races with clearing out the commit.
-@@ -1386,12 +1386,12 @@ static void rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer);
+@@ -1389,12 +1389,12 @@ static void rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer);
static inline unsigned long rb_page_entries(struct buffer_page *bpage)
{
@@ -91441,7 +91782,7 @@ index fc4da2d..f3e800b 100644
}
static int
-@@ -1486,7 +1486,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages)
+@@ -1489,7 +1489,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages)
* bytes consumed in ring buffer from here.
* Increment overrun to account for the lost events.
*/
@@ -91450,7 +91791,7 @@ index fc4da2d..f3e800b 100644
local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes);
}
-@@ -2064,7 +2064,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2067,7 +2067,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer,
* it is our responsibility to update
* the counters.
*/
@@ -91459,7 +91800,7 @@ index fc4da2d..f3e800b 100644
local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes);
/*
-@@ -2214,7 +2214,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2217,7 +2217,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
if (tail == BUF_PAGE_SIZE)
tail_page->real_end = 0;
@@ -91468,7 +91809,7 @@ index fc4da2d..f3e800b 100644
return;
}
-@@ -2249,7 +2249,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2252,7 +2252,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
rb_event_set_padding(event);
/* Set the write back to the previous setting */
@@ -91477,7 +91818,7 @@ index fc4da2d..f3e800b 100644
return;
}
-@@ -2261,7 +2261,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2264,7 +2264,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
/* Set write to end of buffer */
length = (tail + length) - BUF_PAGE_SIZE;
@@ -91486,7 +91827,7 @@ index fc4da2d..f3e800b 100644
}
/*
-@@ -2287,7 +2287,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2290,7 +2290,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
* about it.
*/
if (unlikely(next_page == commit_page)) {
@@ -91495,7 +91836,7 @@ index fc4da2d..f3e800b 100644
goto out_reset;
}
-@@ -2343,7 +2343,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2346,7 +2346,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
cpu_buffer->tail_page) &&
(cpu_buffer->commit_page ==
cpu_buffer->reader_page))) {
@@ -91504,7 +91845,7 @@ index fc4da2d..f3e800b 100644
goto out_reset;
}
}
-@@ -2391,7 +2391,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2394,7 +2394,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer,
length += RB_LEN_TIME_EXTEND;
tail_page = cpu_buffer->tail_page;
@@ -91513,7 +91854,7 @@ index fc4da2d..f3e800b 100644
/* set write to only the index of the write */
write &= RB_WRITE_MASK;
-@@ -2415,7 +2415,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2418,7 +2418,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer,
kmemcheck_annotate_bitfield(event, bitfield);
rb_update_event(cpu_buffer, event, length, add_timestamp, delta);
@@ -91522,7 +91863,7 @@ index fc4da2d..f3e800b 100644
/*
* If this is the first commit on the page, then update
-@@ -2448,7 +2448,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2451,7 +2451,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
if (bpage->page == (void *)addr && rb_page_write(bpage) == old_index) {
unsigned long write_mask =
@@ -91531,7 +91872,7 @@ index fc4da2d..f3e800b 100644
unsigned long event_length = rb_event_length(event);
/*
* This is on the tail page. It is possible that
-@@ -2458,7 +2458,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2461,7 +2461,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
*/
old_index += write_mask;
new_index += write_mask;
@@ -91540,7 +91881,7 @@ index fc4da2d..f3e800b 100644
if (index == old_index) {
/* update counters */
local_sub(event_length, &cpu_buffer->entries_bytes);
-@@ -2850,7 +2850,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2853,7 +2853,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
/* Do the likely case first */
if (likely(bpage->page == (void *)addr)) {
@@ -91549,7 +91890,7 @@ index fc4da2d..f3e800b 100644
return;
}
-@@ -2862,7 +2862,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
+@@ -2865,7 +2865,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
start = bpage;
do {
if (bpage->page == (void *)addr) {
@@ -91558,7 +91899,7 @@ index fc4da2d..f3e800b 100644
return;
}
rb_inc_page(cpu_buffer, &bpage);
-@@ -3146,7 +3146,7 @@ static inline unsigned long
+@@ -3149,7 +3149,7 @@ static inline unsigned long
rb_num_of_entries(struct ring_buffer_per_cpu *cpu_buffer)
{
return local_read(&cpu_buffer->entries) -
@@ -91567,7 +91908,7 @@ index fc4da2d..f3e800b 100644
}
/**
-@@ -3235,7 +3235,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu)
+@@ -3238,7 +3238,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu)
return 0;
cpu_buffer = buffer->buffers[cpu];
@@ -91576,7 +91917,7 @@ index fc4da2d..f3e800b 100644
return ret;
}
-@@ -3258,7 +3258,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu)
+@@ -3261,7 +3261,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu)
return 0;
cpu_buffer = buffer->buffers[cpu];
@@ -91585,7 +91926,7 @@ index fc4da2d..f3e800b 100644
return ret;
}
-@@ -3343,7 +3343,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer)
+@@ -3346,7 +3346,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer)
/* if you care about this being correct, lock the buffer */
for_each_buffer_cpu(buffer, cpu) {
cpu_buffer = buffer->buffers[cpu];
@@ -91594,7 +91935,7 @@ index fc4da2d..f3e800b 100644
}
return overruns;
-@@ -3519,8 +3519,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -3522,8 +3522,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
/*
* Reset the reader page to size zero.
*/
@@ -91605,7 +91946,7 @@ index fc4da2d..f3e800b 100644
local_set(&cpu_buffer->reader_page->page->commit, 0);
cpu_buffer->reader_page->real_end = 0;
-@@ -3554,7 +3554,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -3557,7 +3557,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
* want to compare with the last_overrun.
*/
smp_mb();
@@ -91614,7 +91955,7 @@ index fc4da2d..f3e800b 100644
/*
* Here's the tricky part.
-@@ -4124,8 +4124,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -4127,8 +4127,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
cpu_buffer->head_page
= list_entry(cpu_buffer->pages, struct buffer_page, list);
@@ -91625,7 +91966,7 @@ index fc4da2d..f3e800b 100644
local_set(&cpu_buffer->head_page->page->commit, 0);
cpu_buffer->head_page->read = 0;
-@@ -4135,14 +4135,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -4138,14 +4138,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
INIT_LIST_HEAD(&cpu_buffer->reader_page->list);
INIT_LIST_HEAD(&cpu_buffer->new_pages);
@@ -91644,7 +91985,7 @@ index fc4da2d..f3e800b 100644
local_set(&cpu_buffer->dropped_events, 0);
local_set(&cpu_buffer->entries, 0);
local_set(&cpu_buffer->committing, 0);
-@@ -4547,8 +4547,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer,
+@@ -4550,8 +4550,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer,
rb_init_page(bpage);
bpage = reader->page;
reader->page = *data_page;
@@ -91656,7 +91997,7 @@ index fc4da2d..f3e800b 100644
*data_page = bpage;
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
-index fd21e60..eb47c25 100644
+index 922657f..3d229d9 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -3398,7 +3398,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set)
@@ -91669,7 +92010,7 @@ index fd21e60..eb47c25 100644
/* do nothing if flag is already set */
if (!!(trace_flags & mask) == !!enabled)
diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
-index 02b592f..f971546 100644
+index c8bd809..33d7539 100644
--- a/kernel/trace/trace.h
+++ b/kernel/trace/trace.h
@@ -1233,7 +1233,7 @@ extern const char *__stop___tracepoint_str[];
@@ -91862,10 +92203,10 @@ index c9b6f01..37781d9 100644
.thread_should_run = watchdog_should_run,
.thread_fn = watchdog,
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
-index b6a3941..b68f191 100644
+index b4defde..f092808 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
-@@ -4702,7 +4702,7 @@ static void rebind_workers(struct worker_pool *pool)
+@@ -4703,7 +4703,7 @@ static void rebind_workers(struct worker_pool *pool)
WARN_ON_ONCE(!(worker_flags & WORKER_UNBOUND));
worker_flags |= WORKER_REBOUND;
worker_flags &= ~WORKER_UNBOUND;
@@ -92641,7 +92982,7 @@ index 0000000..7cd6065
@@ -0,0 +1 @@
+-grsec
diff --git a/mm/Kconfig b/mm/Kconfig
-index 9b63c15..2ab509e 100644
+index 0862816..2e3a043 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
@@ -329,10 +329,11 @@ config KSM
@@ -93911,7 +94252,7 @@ index 2121d8b8..fa1095a 100644
mm = get_task_mm(tsk);
if (!mm)
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
-index 9c6288a..b0ea97e 100644
+index 15a8ea0..cb50389 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -747,6 +747,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
@@ -96034,7 +96375,7 @@ index cdbd312..2e1e0b9 100644
/*
diff --git a/mm/shmem.c b/mm/shmem.c
-index 1f18c9d..b550bab 100644
+index 1f18c9d..6aa94ab 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -33,7 +33,7 @@
@@ -96062,19 +96403,73 @@ index 1f18c9d..b550bab 100644
+ * a time): we would prefer not to enlarge the shmem inode just for that.
*/
struct shmem_falloc {
-+ int mode; /* FALLOC_FL mode currently operating */
++ wait_queue_head_t *waitq; /* faults into hole wait for punch to end */
pgoff_t start; /* start of range currently being fallocated */
pgoff_t next; /* the next page offset to be fallocated */
pgoff_t nr_falloced; /* how many new pages have been fallocated */
-@@ -824,6 +825,7 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc)
+@@ -533,22 +534,19 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend,
+ return;
+
+ index = start;
+- for ( ; ; ) {
++ while (index < end) {
+ cond_resched();
+ pvec.nr = shmem_find_get_pages_and_swap(mapping, index,
+ min(end - index, (pgoff_t)PAGEVEC_SIZE),
+ pvec.pages, indices);
+ if (!pvec.nr) {
+- if (index == start || unfalloc)
++ /* If all gone or hole-punch or unfalloc, we're done */
++ if (index == start || end != -1)
+ break;
++ /* But if truncating, restart to make sure all gone */
+ index = start;
+ continue;
+ }
+- if ((index == start || unfalloc) && indices[0] >= end) {
+- shmem_deswap_pagevec(&pvec);
+- pagevec_release(&pvec);
+- break;
+- }
+ mem_cgroup_uncharge_start();
+ for (i = 0; i < pagevec_count(&pvec); i++) {
+ struct page *page = pvec.pages[i];
+@@ -560,8 +558,12 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend,
+ if (radix_tree_exceptional_entry(page)) {
+ if (unfalloc)
+ continue;
+- nr_swaps_freed += !shmem_free_swap(mapping,
+- index, page);
++ if (shmem_free_swap(mapping, index, page)) {
++ /* Swap was replaced by page: retry */
++ index--;
++ break;
++ }
++ nr_swaps_freed++;
+ continue;
+ }
+
+@@ -570,6 +572,11 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend,
+ if (page->mapping == mapping) {
+ VM_BUG_ON_PAGE(PageWriteback(page), page);
+ truncate_inode_page(mapping, page);
++ } else {
++ /* Page was replaced by swap: retry */
++ unlock_page(page);
++ index--;
++ break;
+ }
+ }
+ unlock_page(page);
+@@ -824,6 +831,7 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc)
spin_lock(&inode->i_lock);
shmem_falloc = inode->i_private;
if (shmem_falloc &&
-+ !shmem_falloc->mode &&
++ !shmem_falloc->waitq &&
index >= shmem_falloc->start &&
index < shmem_falloc->next)
shmem_falloc->nr_unswapped++;
-@@ -1298,6 +1300,43 @@ static int shmem_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
+@@ -1298,6 +1306,64 @@ static int shmem_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
int error;
int ret = VM_FAULT_LOCKED;
@@ -96082,71 +96477,98 @@ index 1f18c9d..b550bab 100644
+ * Trinity finds that probing a hole which tmpfs is punching can
+ * prevent the hole-punch from ever completing: which in turn
+ * locks writers out with its hold on i_mutex. So refrain from
-+ * faulting pages into the hole while it's being punched, and
-+ * wait on i_mutex to be released if vmf->flags permits,
++ * faulting pages into the hole while it's being punched. Although
++ * shmem_undo_range() does remove the additions, it may be unable to
++ * keep up, as each new page needs its own unmap_mapping_range() call,
++ * and the i_mmap tree grows ever slower to scan if new vmas are added.
++ *
++ * It does not matter if we sometimes reach this check just before the
++ * hole-punch begins, so that one fault then races with the punch:
++ * we just need to make racing faults a rare case.
++ *
++ * The implementation below would be much simpler if we just used a
++ * standard mutex or completion: but we cannot take i_mutex in fault,
++ * and bloating every shmem inode for this unlikely case would be sad.
+ */
+ if (unlikely(inode->i_private)) {
+ struct shmem_falloc *shmem_falloc;
++
+ spin_lock(&inode->i_lock);
+ shmem_falloc = inode->i_private;
-+ if (!shmem_falloc ||
-+ shmem_falloc->mode != FALLOC_FL_PUNCH_HOLE ||
-+ vmf->pgoff < shmem_falloc->start ||
-+ vmf->pgoff >= shmem_falloc->next)
-+ shmem_falloc = NULL;
-+ spin_unlock(&inode->i_lock);
-+ /*
-+ * i_lock has protected us from taking shmem_falloc seriously
-+ * once return from shmem_fallocate() went back up that stack.
-+ * i_lock does not serialize with i_mutex at all, but it does
-+ * not matter if sometimes we wait unnecessarily, or sometimes
-+ * miss out on waiting: we just need to make those cases rare.
-+ */
-+ if (shmem_falloc) {
++ if (shmem_falloc &&
++ shmem_falloc->waitq &&
++ vmf->pgoff >= shmem_falloc->start &&
++ vmf->pgoff < shmem_falloc->next) {
++ wait_queue_head_t *shmem_falloc_waitq;
++ DEFINE_WAIT(shmem_fault_wait);
++
++ ret = VM_FAULT_NOPAGE;
+ if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) &&
+ !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
++ /* It's polite to up mmap_sem if we can */
+ up_read(&vma->vm_mm->mmap_sem);
-+ mutex_lock(&inode->i_mutex);
-+ mutex_unlock(&inode->i_mutex);
-+ return VM_FAULT_RETRY;
++ ret = VM_FAULT_RETRY;
+ }
-+ /* cond_resched? Leave that to GUP or return to user */
-+ return VM_FAULT_NOPAGE;
++
++ shmem_falloc_waitq = shmem_falloc->waitq;
++ prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait,
++ TASK_UNINTERRUPTIBLE);
++ spin_unlock(&inode->i_lock);
++ schedule();
++
++ /*
++ * shmem_falloc_waitq points into the shmem_fallocate()
++ * stack of the hole-punching task: shmem_falloc_waitq
++ * is usually invalid by the time we reach here, but
++ * finish_wait() does not dereference it in that case;
++ * though i_lock needed lest racing with wake_up_all().
++ */
++ spin_lock(&inode->i_lock);
++ finish_wait(shmem_falloc_waitq, &shmem_fault_wait);
++ spin_unlock(&inode->i_lock);
++ return ret;
+ }
++ spin_unlock(&inode->i_lock);
+ }
+
error = shmem_getpage(inode, vmf->pgoff, &vmf->page, SGP_CACHE, &ret);
if (error)
return ((error == -ENOMEM) ? VM_FAULT_OOM : VM_FAULT_SIGBUS);
-@@ -1813,18 +1852,26 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
-
- mutex_lock(&inode->i_mutex);
-
-+ shmem_falloc.mode = mode & ~FALLOC_FL_KEEP_SIZE;
-+
- if (mode & FALLOC_FL_PUNCH_HOLE) {
+@@ -1817,12 +1883,25 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
struct address_space *mapping = file->f_mapping;
loff_t unmap_start = round_up(offset, PAGE_SIZE);
loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1;
-
++ DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq);
++
++ shmem_falloc.waitq = &shmem_falloc_waitq;
+ shmem_falloc.start = unmap_start >> PAGE_SHIFT;
+ shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT;
+ spin_lock(&inode->i_lock);
+ inode->i_private = &shmem_falloc;
+ spin_unlock(&inode->i_lock);
-+
+
if ((u64)unmap_end > (u64)unmap_start)
unmap_mapping_range(mapping, unmap_start,
1 + unmap_end - unmap_start, 0);
shmem_truncate_range(inode, offset, offset + len - 1);
/* No need to unmap again: hole-punching leaves COWed pages */
++
++ spin_lock(&inode->i_lock);
++ inode->i_private = NULL;
++ wake_up_all(&shmem_falloc_waitq);
++ spin_unlock(&inode->i_lock);
error = 0;
-- goto out;
-+ goto undone;
+ goto out;
+ }
+@@ -1840,6 +1919,7 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
+ goto out;
}
- /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */
-@@ -2218,6 +2265,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = {
++ shmem_falloc.waitq = NULL;
+ shmem_falloc.start = start;
+ shmem_falloc.next = start;
+ shmem_falloc.nr_falloced = 0;
+@@ -2218,6 +2298,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = {
static int shmem_xattr_validate(const char *name)
{
struct { const char *prefix; size_t len; } arr[] = {
@@ -96158,7 +96580,7 @@ index 1f18c9d..b550bab 100644
{ XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
{ XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
};
-@@ -2273,6 +2325,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name,
+@@ -2273,6 +2358,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name,
if (err)
return err;
@@ -96174,7 +96596,7 @@ index 1f18c9d..b550bab 100644
return simple_xattr_set(&info->xattrs, name, value, size, flags);
}
-@@ -2585,8 +2646,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent)
+@@ -2585,8 +2679,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent)
int err = -ENOMEM;
/* Round up to L1_CACHE_BYTES to resist false sharing */
@@ -99357,6 +99779,21 @@ index 5325b54..a0d4d69 100644
return -EFAULT;
*lenp = len;
+diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c
+index e7b6d53..f005cc7 100644
+--- a/net/dns_resolver/dns_query.c
++++ b/net/dns_resolver/dns_query.c
+@@ -149,7 +149,9 @@ int dns_query(const char *type, const char *name, size_t namelen,
+ if (!*_result)
+ goto put;
+
+- memcpy(*_result, upayload->data, len + 1);
++ memcpy(*_result, upayload->data, len);
++ (*_result)[len] = '\0';
++
+ if (_expiry)
+ *_expiry = rkey->expiry;
+
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 19ab78a..bf575c9 100644
--- a/net/ipv4/af_inet.c
@@ -101440,6 +101877,28 @@ index 7932697..a13d158 100644
} while (!res);
return res;
}
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index ec66063..1e05bbd 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -1368,7 +1368,7 @@ static int pppol2tp_setsockopt(struct socket *sock, int level, int optname,
+ int err;
+
+ if (level != SOL_PPPOL2TP)
+- return udp_prot.setsockopt(sk, level, optname, optval, optlen);
++ return -EINVAL;
+
+ if (optlen < sizeof(int))
+ return -EINVAL;
+@@ -1494,7 +1494,7 @@ static int pppol2tp_getsockopt(struct socket *sock, int level, int optname,
+ struct pppol2tp_session *ps;
+
+ if (level != SOL_PPPOL2TP)
+- return udp_prot.getsockopt(sk, level, optname, optval, optlen);
++ return -EINVAL;
+
+ if (get_user(len, optlen))
+ return -EFAULT;
diff --git a/net/llc/llc_proc.c b/net/llc/llc_proc.c
index 1a3c7e0..80f8b0c 100644
--- a/net/llc/llc_proc.c
@@ -102827,6 +103286,18 @@ index f226709..0e735a8 100644
_proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
+diff --git a/net/sctp/associola.c b/net/sctp/associola.c
+index a4d5701..5d97d8f 100644
+--- a/net/sctp/associola.c
++++ b/net/sctp/associola.c
+@@ -1151,6 +1151,7 @@ void sctp_assoc_update(struct sctp_association *asoc,
+ asoc->c = new->c;
+ asoc->peer.rwnd = new->peer.rwnd;
+ asoc->peer.sack_needed = new->peer.sack_needed;
++ asoc->peer.auth_capable = new->peer.auth_capable;
+ asoc->peer.i = new->peer.i;
+ sctp_tsnmap_init(&asoc->peer.tsn_map, SCTP_TSN_MAP_INITIAL,
+ asoc->peer.i.initial_tsn, GFP_ATOMIC);
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 2b1738e..a9d0fc9 100644
--- a/net/sctp/ipv6.c
@@ -103057,6 +103528,26 @@ index c82fdc1..4ca1f95 100644
return 0;
}
+diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c
+index 85c6465..879f3cd 100644
+--- a/net/sctp/ulpevent.c
++++ b/net/sctp/ulpevent.c
+@@ -411,6 +411,7 @@ struct sctp_ulpevent *sctp_ulpevent_make_remote_error(
+ * sre_type:
+ * It should be SCTP_REMOTE_ERROR.
+ */
++ memset(sre, 0, sizeof(*sre));
+ sre->sre_type = SCTP_REMOTE_ERROR;
+
+ /*
+@@ -916,6 +917,7 @@ void sctp_ulpevent_read_sndrcvinfo(const struct sctp_ulpevent *event,
+ * For recvmsg() the SCTP stack places the message's stream number in
+ * this value.
+ */
++ memset(&sinfo, 0, sizeof(sinfo));
+ sinfo.sinfo_stream = event->stream;
+ /* sinfo_ssn: 16 bits (unsigned integer)
+ *
diff --git a/net/socket.c b/net/socket.c
index a19ae19..89554dc 100644
--- a/net/socket.c
@@ -112196,10 +112687,10 @@ index 0000000..88469e9
+
diff --git a/tools/gcc/size_overflow_plugin/insert_size_overflow_check_ipa.c b/tools/gcc/size_overflow_plugin/insert_size_overflow_check_ipa.c
new file mode 100644
-index 0000000..f8f5dd5
+index 0000000..715a590
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/insert_size_overflow_check_ipa.c
-@@ -0,0 +1,1133 @@
+@@ -0,0 +1,1141 @@
+/*
+ * Copyright 2011-2014 by Emese Revfy <re.emese@gmail.com>
+ * Licensed under the GPL v2, or (at your option) v3
@@ -112414,7 +112905,7 @@ index 0000000..f8f5dd5
+}
+
+enum conditions {
-+ FROM_CONST, NOT_UNARY, CAST
++ FROM_CONST, NOT_UNARY, CAST, RET, PHI
+};
+
+// Search for constants, cast assignments and binary/ternary assignments
@@ -112434,11 +112925,15 @@ index 0000000..f8f5dd5
+ return;
+
+ switch (gimple_code(def_stmt)) {
-+ case GIMPLE_NOP:
+ case GIMPLE_CALL:
++ if (lhs == gimple_return_retval(def_stmt))
++ interesting_conditions[RET] = true;
++ return;
++ case GIMPLE_NOP:
+ case GIMPLE_ASM:
+ return;
+ case GIMPLE_PHI:
++ interesting_conditions[PHI] = true;
+ return walk_phi_set_conditions(visited, interesting_conditions, lhs);
+ case GIMPLE_ASSIGN:
+ if (gimple_num_ops(def_stmt) == 2) {
@@ -112656,11 +113151,11 @@ index 0000000..f8f5dd5
+/* If there is a mark_turn_off intentional attribute on the caller or the callee then there is no duplication and missing size_overflow attribute check anywhere.
+ * There is only missing size_overflow attribute checking if the intentional_overflow attribute is the mark_no type.
+ * Stmt duplication is unnecessary if there are no binary/ternary assignements or if the unary assignment isn't a cast.
-+ * It skips the possible error codes too. If the def_stmts trace back to a constant and there are no binary/ternary assigments then we assume that it is some kind of error code.
++ * It skips the possible error codes too.
+ */
+static enum precond check_preconditions(struct interesting_node *cur_node)
+{
-+ bool interesting_conditions[3] = {false, false, false};
++ bool interesting_conditions[5] = {false, false, false, false, false};
+
+ set_last_nodes(cur_node);
+
@@ -112670,7 +113165,11 @@ index 0000000..f8f5dd5
+
+ search_interesting_conditions(cur_node, interesting_conditions);
+
-+ // error code
++ // error code: a phi, unary assign (not cast) and returns only
++ if (!interesting_conditions[NOT_UNARY] && interesting_conditions[PHI] && interesting_conditions[RET] && !interesting_conditions[CAST])
++ return NO_ATTRIBUTE_SEARCH;
++
++ // error code: def_stmts trace back to a constant and there are no binary/ternary assigments
+ if (interesting_conditions[CAST] && interesting_conditions[FROM_CONST] && !interesting_conditions[NOT_UNARY])
+ return NO_ATTRIBUTE_SEARCH;
+
@@ -120774,7 +121273,7 @@ index 0000000..560cd7b
+zpios_read_64734 zpios_read 3 64734 NULL
diff --git a/tools/gcc/size_overflow_plugin/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin/size_overflow_plugin.c
new file mode 100644
-index 0000000..e6fe17b
+index 0000000..a15328d
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow_plugin.c
@@ -0,0 +1,259 @@
@@ -120810,7 +121309,7 @@ index 0000000..e6fe17b
+tree size_overflow_type_TI;
+
+static struct plugin_info size_overflow_plugin_info = {
-+ .version = "20140517",
++ .version = "20140713",
+ .help = "no-size-overflow\tturn off size overflow checking\n",
+};
+