diff options
| author | Leonardo Arena <rnalrd@alpinelinux.org> | 2014-08-05 06:56:55 +0000 |
|---|---|---|
| committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2014-08-05 06:59:04 +0000 |
| commit | f293493b963f2ffccc09f71af126856ee5536bb1 (patch) | |
| tree | f5aba732b880a600413d9d8c41b5158f1babe237 /main/linux-virt-grsec | |
| parent | 6461ba3c3ad95a2071276f995696bab1d8b16736 (diff) | |
| download | aports-f293493b963f2ffccc09f71af126856ee5536bb1.tar.bz2 aports-f293493b963f2ffccc09f71af126856ee5536bb1.tar.xz | |
main/linux-virt-grsec: upgrade to 3.14.15
Diffstat (limited to 'main/linux-virt-grsec')
| -rw-r--r-- | main/linux-virt-grsec/APKBUILD | 16 | ||||
| -rw-r--r-- | main/linux-virt-grsec/grsecurity-3.0-3.14.15-201408032014.patch (renamed from main/linux-virt-grsec/grsecurity-3.0-3.14.11-201407072045.patch) | 2293 |
2 files changed, 1526 insertions, 783 deletions
diff --git a/main/linux-virt-grsec/APKBUILD b/main/linux-virt-grsec/APKBUILD index b3d4219879..5259119e45 100644 --- a/main/linux-virt-grsec/APKBUILD +++ b/main/linux-virt-grsec/APKBUILD @@ -3,7 +3,7 @@ _flavor=virt-grsec pkgname=linux-${_flavor} -pkgver=3.14.11 +pkgver=3.14.15 case $pkgver in *.*.*) _kernver=${pkgver%.*};; *.*) _kernver=${pkgver};; @@ -18,7 +18,7 @@ _config=${config:-kernelconfig.${CARCH}} install= source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz - grsecurity-3.0-$pkgver-201407072045.patch + grsecurity-3.0-$pkgver-201408032014.patch fix-memory-map-for-PIE-applications.patch imx6q-no-unclocked-sleep.patch @@ -146,22 +146,22 @@ dev() { } md5sums="b621207b3f6ecbb67db18b13258f8ea8 linux-3.14.tar.xz -5cf3d2cb0f552c2c6faf829b6630e84f patch-3.14.11.xz -53571da447f6543f8741e8c998a01e4f grsecurity-3.0-3.14.11-201407072045.patch +497579393986bb76e08abc355e59550c patch-3.14.15.xz +d1d5b12a0a0f0f8dd8588d42bd3b2375 grsecurity-3.0-3.14.15-201408032014.patch c6a4ae7e8ca6159e1631545515805216 fix-memory-map-for-PIE-applications.patch 1a307fc1d63231bf01d22493a4f14378 imx6q-no-unclocked-sleep.patch 74884a16fa9c58e0cabfaf57c8b64678 kernelconfig.x86 ef60383e07d9e7df6c474a03f3f56782 kernelconfig.x86_64" sha256sums="61558aa490855f42b6340d1a1596be47454909629327c49a5e4e10268065dffa linux-3.14.tar.xz -3f290fb547cb4afe23bf520c8c863b6d1e090814f4a6fa0080ed51b4afd9a409 patch-3.14.11.xz -b9f3eee998c12873b3b4263522c4faaf1c3a1536b513d553377d4b4dc07b9bb5 grsecurity-3.0-3.14.11-201407072045.patch +fd0fff77dd5274fd53bce431275cf203357d1a96a6c6129f0562b07232399ed2 patch-3.14.15.xz +c52e543a680cf82721aa378251fd66f223a03a294343ae9500bc6d1d59771f8f grsecurity-3.0-3.14.15-201408032014.patch 500f3577310be52e87b9fecdc2e9c4ca43210fd97d69089f9005d484563f74c7 fix-memory-map-for-PIE-applications.patch 21179fbb22a5b74af0a609350ae1a170e232908572b201d02e791d2ce0a685d3 imx6q-no-unclocked-sleep.patch 0afbfb07b8c1eaf741593da97ad15ab34196afe541a82efc66cb8648c36c6c68 kernelconfig.x86 92aa8a3f494732762deec3adfe34b0578bf86310c45eafb678c3c518e6ef578f kernelconfig.x86_64" sha512sums="5730d83a7a81134c1e77c0bf89e42dee4f8251ad56c1ac2be20c59e26fdfaa7bea55f277e7af156b637f22e1584914a46089af85039177cb43485089c74ac26e linux-3.14.tar.xz -fb4dca2cf832b04896f4c052ea84eab501c459bf27030b81a88b288d09d320b86254b7e995ae1931c6083ae4c88f62e4ba1976ce2254d88645f9e95a253d19e4 patch-3.14.11.xz -c02ef0f5df3231c3cdb9ebe4aae360ec950a2f6cb6ef11eccaf9736abe71c90cf4a163324ff515aaa1279a57ab70481cb9323dc5896563c716a5fd8461306632 grsecurity-3.0-3.14.11-201407072045.patch +9a9d99a5e6f724f3c7063212ce7187e1bf15a1931aacc0e56fcb46b5f1f8266c47dd61ca0dafdfeb27a7348817629fa2d26df0f0d6f36d7ceab6295b39a5e5d9 patch-3.14.15.xz +2edef8d733b2fbfeb65de833e85d2f2693967263e8b8faf7838192af763b6868ad41daaf71d26327566ab5a8184a87be159388a1ceb48bea88ece1fbc0adaf19 grsecurity-3.0-3.14.15-201408032014.patch 4665c56ae1bbac311f9205d64918e84ee8b01d47d6e2396ff6b8adfb10aada7f7254531ce62e31edbb65c2a54a830f09ad05d314dfcd75d6272f4068945ad7c7 fix-memory-map-for-PIE-applications.patch 87d1ad59732f265a5b0db54490dc1762c14ea4b868e7eb1aedc3ce57b48046de7bbc08cf5cfcf6f1380fa84063b0edb16ba3d5e3c5670be9bbb229275c88b221 imx6q-no-unclocked-sleep.patch 324513d75def9fb78ccc5f446e1fae28e7069e94c1ebac406776750cd05f1bf6f0f8a9216543ee6bf82a68d9834e2a1404093d92cc2acd2cb28e3f9a478ad0c6 kernelconfig.x86 diff --git a/main/linux-virt-grsec/grsecurity-3.0-3.14.11-201407072045.patch b/main/linux-virt-grsec/grsecurity-3.0-3.14.15-201408032014.patch index a883f759f7..96db0fa027 100644 --- a/main/linux-virt-grsec/grsecurity-3.0-3.14.11-201407072045.patch +++ b/main/linux-virt-grsec/grsecurity-3.0-3.14.15-201408032014.patch @@ -287,7 +287,7 @@ index 7116fda..d8ed6e8 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index f1bbec5..d78810b 100644 +index 188523e..5c8d8ee 100644 --- a/Makefile +++ b/Makefile @@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -386,7 +386,7 @@ index f1bbec5..d78810b 100644 include $(srctree)/arch/$(SRCARCH)/Makefile ifdef CONFIG_READABLE_ASM -@@ -779,7 +846,7 @@ export mod_sign_cmd +@@ -781,7 +848,7 @@ export mod_sign_cmd ifeq ($(KBUILD_EXTMOD),) @@ -395,7 +395,7 @@ index f1bbec5..d78810b 100644 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ -@@ -828,6 +895,8 @@ endif +@@ -830,6 +897,8 @@ endif # The actual objects are generated when descending, # make sure no implicit rule kicks in @@ -404,7 +404,7 @@ index f1bbec5..d78810b 100644 $(sort $(vmlinux-deps)): $(vmlinux-dirs) ; # Handle descending into subdirectories listed in $(vmlinux-dirs) -@@ -837,7 +906,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ; +@@ -839,7 +908,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ; # Error messages still appears in the original language PHONY += $(vmlinux-dirs) @@ -413,7 +413,7 @@ index f1bbec5..d78810b 100644 $(Q)$(MAKE) $(build)=$@ define filechk_kernel.release -@@ -880,10 +949,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ +@@ -882,10 +951,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ archprepare: archheaders archscripts prepare1 scripts_basic @@ -427,7 +427,7 @@ index f1bbec5..d78810b 100644 prepare: prepare0 # Generate some files -@@ -991,6 +1063,8 @@ all: modules +@@ -993,6 +1065,8 @@ all: modules # using awk while concatenating to the final file. PHONY += modules @@ -436,7 +436,7 @@ index f1bbec5..d78810b 100644 modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order @$(kecho) ' Building modules, stage 2.'; -@@ -1006,7 +1080,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin) +@@ -1008,7 +1082,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin) # Target to prepare building external modules PHONY += modules_prepare @@ -445,7 +445,7 @@ index f1bbec5..d78810b 100644 # Target to install modules PHONY += modules_install -@@ -1072,7 +1146,10 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \ +@@ -1074,7 +1148,10 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \ Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \ signing_key.priv signing_key.x509 x509.genkey \ extra_certificates signing_key.x509.keyid \ @@ -457,7 +457,7 @@ index f1bbec5..d78810b 100644 # clean - Delete most, but leave enough to build external modules # -@@ -1111,7 +1188,7 @@ distclean: mrproper +@@ -1113,7 +1190,7 @@ distclean: mrproper @find $(srctree) $(RCS_FIND_IGNORE) \ \( -name '*.orig' -o -name '*.rej' -o -name '*~' \ -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \ @@ -466,7 +466,7 @@ index f1bbec5..d78810b 100644 -o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \ -type f -print | xargs rm -f -@@ -1273,6 +1350,8 @@ PHONY += $(module-dirs) modules +@@ -1275,6 +1352,8 @@ PHONY += $(module-dirs) modules $(module-dirs): crmodverdir $(objtree)/Module.symvers $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@) @@ -475,7 +475,7 @@ index f1bbec5..d78810b 100644 modules: $(module-dirs) @$(kecho) ' Building modules, stage 2.'; $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost -@@ -1412,17 +1491,21 @@ else +@@ -1414,17 +1493,21 @@ else target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@)) endif @@ -501,7 +501,7 @@ index f1bbec5..d78810b 100644 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) %.symtypes: %.c prepare scripts FORCE $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) -@@ -1432,11 +1515,15 @@ endif +@@ -1434,11 +1517,15 @@ endif $(cmd_crmodverdir) $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ $(build)=$(build-dir) @@ -852,10 +852,10 @@ index 98838a0..b304fb4 100644 /* Allow reads even for write-only mappings */ if (!(vma->vm_flags & (VM_READ | VM_WRITE))) diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig -index 44298ad..29a20c0 100644 +index 4733d32..b142a40 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig -@@ -1862,7 +1862,7 @@ config ALIGNMENT_TRAP +@@ -1863,7 +1863,7 @@ config ALIGNMENT_TRAP config UACCESS_WITH_MEMCPY bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()" @@ -864,7 +864,7 @@ index 44298ad..29a20c0 100644 default y if CPU_FEROCEON help Implement faster copy_to_user and clear_user methods for CPU -@@ -2125,6 +2125,7 @@ config XIP_PHYS_ADDR +@@ -2126,6 +2126,7 @@ config XIP_PHYS_ADDR config KEXEC bool "Kexec system call (EXPERIMENTAL)" depends on (!SMP || PM_SLEEP_SMP) @@ -7700,7 +7700,7 @@ index 50dfafc..b9fc230 100644 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n", me->arch.unwind_section, table, end, gp); diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c -index 31ffa9b..588a798 100644 +index e1ffea2..46ed66e 100644 --- a/arch/parisc/kernel/sys_parisc.c +++ b/arch/parisc/kernel/sys_parisc.c @@ -89,6 +89,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, @@ -7960,10 +7960,10 @@ index d72197f..c017c84 100644 /* * If for any reason at all we couldn't handle the fault, make diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig -index 957bf34..3430cc8 100644 +index ee3c660..afa4212 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig -@@ -393,6 +393,7 @@ config PPC64_SUPPORTS_MEMORY_FAILURE +@@ -394,6 +394,7 @@ config PPC64_SUPPORTS_MEMORY_FAILURE config KEXEC bool "kexec system call" depends on (PPC_BOOK3S || FSL_BOOKE || (44x && !SMP)) @@ -8567,7 +8567,7 @@ index 1d0848b..d74685f 100644 #endif } diff --git a/arch/powerpc/kernel/module_32.c b/arch/powerpc/kernel/module_32.c -index 6cff040..74ac5d1 100644 +index 6cff040..74ac5d1b 100644 --- a/arch/powerpc/kernel/module_32.c +++ b/arch/powerpc/kernel/module_32.c @@ -161,7 +161,7 @@ int module_frob_arch_sections(Elf32_Ehdr *hdr, @@ -12643,7 +12643,7 @@ index ad8f795..2c7eec6 100644 /* * Memory returned by kmalloc() may be used for DMA, so we must make diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 1981dd9..8f3ff4d 100644 +index 7324107..a63fd9f 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -126,7 +126,7 @@ config X86 @@ -12652,10 +12652,10 @@ index 1981dd9..8f3ff4d 100644 select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64 - select HAVE_CC_STACKPROTECTOR + select HAVE_CC_STACKPROTECTOR if X86_64 || !PAX_MEMORY_UDEREF + select ARCH_SUPPORTS_ATOMIC_RMW config INSTRUCTION_DECODER - def_bool y -@@ -251,7 +251,7 @@ config X86_HT +@@ -252,7 +252,7 @@ config X86_HT config X86_32_LAZY_GS def_bool y @@ -12664,7 +12664,7 @@ index 1981dd9..8f3ff4d 100644 config ARCH_HWEIGHT_CFLAGS string -@@ -589,6 +589,7 @@ config SCHED_OMIT_FRAME_POINTER +@@ -590,6 +590,7 @@ config SCHED_OMIT_FRAME_POINTER menuconfig HYPERVISOR_GUEST bool "Linux guest support" @@ -12672,7 +12672,7 @@ index 1981dd9..8f3ff4d 100644 ---help--- Say Y here to enable options for running Linux under various hyper- visors. This option enables basic hypervisor detection and platform -@@ -1111,7 +1112,7 @@ choice +@@ -1112,7 +1113,7 @@ choice config NOHIGHMEM bool "off" @@ -12681,7 +12681,7 @@ index 1981dd9..8f3ff4d 100644 ---help--- Linux can use up to 64 Gigabytes of physical memory on x86 systems. However, the address space of 32-bit x86 processors is only 4 -@@ -1148,7 +1149,7 @@ config NOHIGHMEM +@@ -1149,7 +1150,7 @@ config NOHIGHMEM config HIGHMEM4G bool "4GB" @@ -12690,7 +12690,7 @@ index 1981dd9..8f3ff4d 100644 ---help--- Select this if you have a 32-bit processor and between 1 and 4 gigabytes of physical RAM. -@@ -1201,7 +1202,7 @@ config PAGE_OFFSET +@@ -1202,7 +1203,7 @@ config PAGE_OFFSET hex default 0xB0000000 if VMSPLIT_3G_OPT default 0x80000000 if VMSPLIT_2G @@ -12699,7 +12699,7 @@ index 1981dd9..8f3ff4d 100644 default 0x40000000 if VMSPLIT_1G default 0xC0000000 depends on X86_32 -@@ -1605,6 +1606,7 @@ source kernel/Kconfig.hz +@@ -1606,6 +1607,7 @@ source kernel/Kconfig.hz config KEXEC bool "kexec system call" @@ -12707,7 +12707,7 @@ index 1981dd9..8f3ff4d 100644 ---help--- kexec is a system call that implements the ability to shutdown your current kernel, and to start another kernel. It is like a reboot -@@ -1756,7 +1758,9 @@ config X86_NEED_RELOCS +@@ -1757,7 +1759,9 @@ config X86_NEED_RELOCS config PHYSICAL_ALIGN hex "Alignment value to which kernel should be aligned" @@ -12718,7 +12718,7 @@ index 1981dd9..8f3ff4d 100644 range 0x2000 0x1000000 if X86_32 range 0x200000 0x1000000 if X86_64 ---help--- -@@ -1836,9 +1840,10 @@ config DEBUG_HOTPLUG_CPU0 +@@ -1837,9 +1841,10 @@ config DEBUG_HOTPLUG_CPU0 If unsure, say N. config COMPAT_VDSO @@ -13096,10 +13096,10 @@ index 100a9a1..bb3bdb0 100644 err = check_cpuflags(); } diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S -index ec3b8ba..6a0db1f 100644 +index 04da6c2..a151f55 100644 --- a/arch/x86/boot/header.S +++ b/arch/x86/boot/header.S -@@ -416,10 +416,14 @@ setup_data: .quad 0 # 64-bit physical pointer to +@@ -434,10 +434,14 @@ setup_data: .quad 0 # 64-bit physical pointer to # single linked list of # struct setup_data @@ -19763,7 +19763,7 @@ index 04905bf..49203ca 100644 } diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h -index 0d592e0..7437fcc 100644 +index 0d592e0..526f797 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -7,6 +7,7 @@ @@ -20180,7 +20180,7 @@ index 0d592e0..7437fcc 100644 + copy_from_user_overflow(); + else + __copy_from_user_overflow(sz, n); -+ } if (access_ok(VERIFY_READ, from, n)) ++ } else if (access_ok(VERIFY_READ, from, n)) + n = __copy_from_user(to, from, n); + else if ((long)n > 0) + memset(to, 0, n); @@ -21968,10 +21968,10 @@ index 639d128..e92d7e5 100644 while (amd_iommu_v2_event_descs[i].attr.attr.name) diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c -index aa333d9..f9db700 100644 +index 1340ebf..fc6d5c9 100644 --- a/arch/x86/kernel/cpu/perf_event_intel.c +++ b/arch/x86/kernel/cpu/perf_event_intel.c -@@ -2309,10 +2309,10 @@ __init int intel_pmu_init(void) +@@ -2318,10 +2318,10 @@ __init int intel_pmu_init(void) x86_pmu.num_counters_fixed = max((int)edx.split.num_counters_fixed, 3); if (boot_cpu_has(X86_FEATURE_PDCM)) { @@ -22489,7 +22489,7 @@ index 01d1c18..8073693 100644 #include <asm/processor.h> #include <asm/fcntl.h> diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S -index 6491353..a918952 100644 +index c87810b..413d83f 100644 --- a/arch/x86/kernel/entry_32.S +++ b/arch/x86/kernel/entry_32.S @@ -177,13 +177,153 @@ @@ -22832,7 +22832,7 @@ index 6491353..a918952 100644 # system call tracing in operation / emulation testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp) jnz syscall_trace_entry -@@ -525,6 +723,15 @@ syscall_exit: +@@ -526,6 +724,15 @@ syscall_exit: testl $_TIF_ALLWORK_MASK, %ecx # current->work jne syscall_exit_work @@ -22848,7 +22848,7 @@ index 6491353..a918952 100644 restore_all: TRACE_IRQS_IRET restore_all_notrace: -@@ -576,14 +783,34 @@ ldt_ss: +@@ -577,14 +784,34 @@ ldt_ss: * compensating for the offset by changing to the ESPFIX segment with * a base address that matches for the difference. */ @@ -22886,7 +22886,7 @@ index 6491353..a918952 100644 pushl_cfi $__ESPFIX_SS pushl_cfi %eax /* new kernel esp */ /* Disable interrupts, but do not irqtrace this section: we -@@ -612,20 +839,18 @@ work_resched: +@@ -613,20 +840,18 @@ work_resched: movl TI_flags(%ebp), %ecx andl $_TIF_WORK_MASK, %ecx # is there any work to be done other # than syscall tracing? @@ -22909,7 +22909,7 @@ index 6491353..a918952 100644 #endif TRACE_IRQS_ON ENABLE_INTERRUPTS(CLBR_NONE) -@@ -646,7 +871,7 @@ work_notifysig_v86: +@@ -647,7 +872,7 @@ work_notifysig_v86: movl %eax, %esp jmp 1b #endif @@ -22918,7 +22918,7 @@ index 6491353..a918952 100644 # perform syscall exit tracing ALIGN -@@ -654,11 +879,14 @@ syscall_trace_entry: +@@ -655,11 +880,14 @@ syscall_trace_entry: movl $-ENOSYS,PT_EAX(%esp) movl %esp, %eax call syscall_trace_enter @@ -22934,7 +22934,7 @@ index 6491353..a918952 100644 # perform syscall exit tracing ALIGN -@@ -671,26 +899,30 @@ syscall_exit_work: +@@ -672,26 +900,30 @@ syscall_exit_work: movl %esp, %eax call syscall_trace_leave jmp resume_userspace @@ -22956,20 +22956,20 @@ index 6491353..a918952 100644 +ENDPROC(syscall_fault) syscall_badsys: - movl $-ENOSYS,PT_EAX(%esp) - jmp syscall_exit + movl $-ENOSYS,%eax + jmp syscall_after_call -END(syscall_badsys) +ENDPROC(syscall_badsys) sysenter_badsys: - movl $-ENOSYS,PT_EAX(%esp) + movl $-ENOSYS,%eax jmp sysenter_after_call -END(syscall_badsys) +ENDPROC(sysenter_badsys) CFI_ENDPROC /* * End of kprobes section -@@ -706,8 +938,15 @@ END(syscall_badsys) +@@ -707,8 +939,15 @@ END(syscall_badsys) * normal stack and adjusts ESP with the matching offset. */ /* fixup the stack */ @@ -22987,7 +22987,7 @@ index 6491353..a918952 100644 shl $16, %eax addl %esp, %eax /* the adjusted stack pointer */ pushl_cfi $__KERNEL_DS -@@ -760,7 +999,7 @@ vector=vector+1 +@@ -761,7 +1000,7 @@ vector=vector+1 .endr 2: jmp common_interrupt .endr @@ -22996,7 +22996,7 @@ index 6491353..a918952 100644 .previous END(interrupt) -@@ -821,7 +1060,7 @@ ENTRY(coprocessor_error) +@@ -822,7 +1061,7 @@ ENTRY(coprocessor_error) pushl_cfi $do_coprocessor_error jmp error_code CFI_ENDPROC @@ -23005,7 +23005,7 @@ index 6491353..a918952 100644 ENTRY(simd_coprocessor_error) RING0_INT_FRAME -@@ -834,7 +1073,7 @@ ENTRY(simd_coprocessor_error) +@@ -835,7 +1074,7 @@ ENTRY(simd_coprocessor_error) .section .altinstructions,"a" altinstruction_entry 661b, 663f, X86_FEATURE_XMM, 662b-661b, 664f-663f .previous @@ -23014,7 +23014,7 @@ index 6491353..a918952 100644 663: pushl $do_simd_coprocessor_error 664: .previous -@@ -843,7 +1082,7 @@ ENTRY(simd_coprocessor_error) +@@ -844,7 +1083,7 @@ ENTRY(simd_coprocessor_error) #endif jmp error_code CFI_ENDPROC @@ -23023,7 +23023,7 @@ index 6491353..a918952 100644 ENTRY(device_not_available) RING0_INT_FRAME -@@ -852,18 +1091,18 @@ ENTRY(device_not_available) +@@ -853,18 +1092,18 @@ ENTRY(device_not_available) pushl_cfi $do_device_not_available jmp error_code CFI_ENDPROC @@ -23045,7 +23045,7 @@ index 6491353..a918952 100644 #endif ENTRY(overflow) -@@ -873,7 +1112,7 @@ ENTRY(overflow) +@@ -874,7 +1113,7 @@ ENTRY(overflow) pushl_cfi $do_overflow jmp error_code CFI_ENDPROC @@ -23054,7 +23054,7 @@ index 6491353..a918952 100644 ENTRY(bounds) RING0_INT_FRAME -@@ -882,7 +1121,7 @@ ENTRY(bounds) +@@ -883,7 +1122,7 @@ ENTRY(bounds) pushl_cfi $do_bounds jmp error_code CFI_ENDPROC @@ -23063,7 +23063,7 @@ index 6491353..a918952 100644 ENTRY(invalid_op) RING0_INT_FRAME -@@ -891,7 +1130,7 @@ ENTRY(invalid_op) +@@ -892,7 +1131,7 @@ ENTRY(invalid_op) pushl_cfi $do_invalid_op jmp error_code CFI_ENDPROC @@ -23072,7 +23072,7 @@ index 6491353..a918952 100644 ENTRY(coprocessor_segment_overrun) RING0_INT_FRAME -@@ -900,7 +1139,7 @@ ENTRY(coprocessor_segment_overrun) +@@ -901,7 +1140,7 @@ ENTRY(coprocessor_segment_overrun) pushl_cfi $do_coprocessor_segment_overrun jmp error_code CFI_ENDPROC @@ -23081,7 +23081,7 @@ index 6491353..a918952 100644 ENTRY(invalid_TSS) RING0_EC_FRAME -@@ -908,7 +1147,7 @@ ENTRY(invalid_TSS) +@@ -909,7 +1148,7 @@ ENTRY(invalid_TSS) pushl_cfi $do_invalid_TSS jmp error_code CFI_ENDPROC @@ -23090,7 +23090,7 @@ index 6491353..a918952 100644 ENTRY(segment_not_present) RING0_EC_FRAME -@@ -916,7 +1155,7 @@ ENTRY(segment_not_present) +@@ -917,7 +1156,7 @@ ENTRY(segment_not_present) pushl_cfi $do_segment_not_present jmp error_code CFI_ENDPROC @@ -23099,7 +23099,7 @@ index 6491353..a918952 100644 ENTRY(stack_segment) RING0_EC_FRAME -@@ -924,7 +1163,7 @@ ENTRY(stack_segment) +@@ -925,7 +1164,7 @@ ENTRY(stack_segment) pushl_cfi $do_stack_segment jmp error_code CFI_ENDPROC @@ -23108,7 +23108,7 @@ index 6491353..a918952 100644 ENTRY(alignment_check) RING0_EC_FRAME -@@ -932,7 +1171,7 @@ ENTRY(alignment_check) +@@ -933,7 +1172,7 @@ ENTRY(alignment_check) pushl_cfi $do_alignment_check jmp error_code CFI_ENDPROC @@ -23117,7 +23117,7 @@ index 6491353..a918952 100644 ENTRY(divide_error) RING0_INT_FRAME -@@ -941,7 +1180,7 @@ ENTRY(divide_error) +@@ -942,7 +1181,7 @@ ENTRY(divide_error) pushl_cfi $do_divide_error jmp error_code CFI_ENDPROC @@ -23126,7 +23126,7 @@ index 6491353..a918952 100644 #ifdef CONFIG_X86_MCE ENTRY(machine_check) -@@ -951,7 +1190,7 @@ ENTRY(machine_check) +@@ -952,7 +1191,7 @@ ENTRY(machine_check) pushl_cfi machine_check_vector jmp error_code CFI_ENDPROC @@ -23135,7 +23135,7 @@ index 6491353..a918952 100644 #endif ENTRY(spurious_interrupt_bug) -@@ -961,7 +1200,7 @@ ENTRY(spurious_interrupt_bug) +@@ -962,7 +1201,7 @@ ENTRY(spurious_interrupt_bug) pushl_cfi $do_spurious_interrupt_bug jmp error_code CFI_ENDPROC @@ -23144,7 +23144,7 @@ index 6491353..a918952 100644 /* * End of kprobes section */ -@@ -1071,7 +1310,7 @@ BUILD_INTERRUPT3(hyperv_callback_vector, HYPERVISOR_CALLBACK_VECTOR, +@@ -1072,7 +1311,7 @@ BUILD_INTERRUPT3(hyperv_callback_vector, HYPERVISOR_CALLBACK_VECTOR, ENTRY(mcount) ret @@ -23153,7 +23153,7 @@ index 6491353..a918952 100644 ENTRY(ftrace_caller) cmpl $0, function_trace_stop -@@ -1104,7 +1343,7 @@ ftrace_graph_call: +@@ -1105,7 +1344,7 @@ ftrace_graph_call: .globl ftrace_stub ftrace_stub: ret @@ -23162,7 +23162,7 @@ index 6491353..a918952 100644 ENTRY(ftrace_regs_caller) pushf /* push flags before compare (in cs location) */ -@@ -1208,7 +1447,7 @@ trace: +@@ -1209,7 +1448,7 @@ trace: popl %ecx popl %eax jmp ftrace_stub @@ -23171,7 +23171,7 @@ index 6491353..a918952 100644 #endif /* CONFIG_DYNAMIC_FTRACE */ #endif /* CONFIG_FUNCTION_TRACER */ -@@ -1226,7 +1465,7 @@ ENTRY(ftrace_graph_caller) +@@ -1227,7 +1466,7 @@ ENTRY(ftrace_graph_caller) popl %ecx popl %eax ret @@ -23180,7 +23180,7 @@ index 6491353..a918952 100644 .globl return_to_handler return_to_handler: -@@ -1292,15 +1531,18 @@ error_code: +@@ -1293,15 +1532,18 @@ error_code: movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart REG_TO_PTGS %ecx SET_KERNEL_GS %ecx @@ -23201,7 +23201,7 @@ index 6491353..a918952 100644 /* * Debug traps and NMI can happen at the one SYSENTER instruction -@@ -1343,7 +1585,7 @@ debug_stack_correct: +@@ -1344,7 +1586,7 @@ debug_stack_correct: call do_debug jmp ret_from_exception CFI_ENDPROC @@ -23210,7 +23210,7 @@ index 6491353..a918952 100644 /* * NMI is doubly nasty. It can happen _while_ we're handling -@@ -1381,6 +1623,9 @@ nmi_stack_correct: +@@ -1382,6 +1624,9 @@ nmi_stack_correct: xorl %edx,%edx # zero error code movl %esp,%eax # pt_regs pointer call do_nmi @@ -23220,7 +23220,7 @@ index 6491353..a918952 100644 jmp restore_all_notrace CFI_ENDPROC -@@ -1417,12 +1662,15 @@ nmi_espfix_stack: +@@ -1418,12 +1663,15 @@ nmi_espfix_stack: FIXUP_ESPFIX_STACK # %eax == %esp xorl %edx,%edx # zero error code call do_nmi @@ -23237,7 +23237,7 @@ index 6491353..a918952 100644 ENTRY(int3) RING0_INT_FRAME -@@ -1435,14 +1683,14 @@ ENTRY(int3) +@@ -1436,14 +1684,14 @@ ENTRY(int3) call do_int3 jmp ret_from_exception CFI_ENDPROC @@ -23254,7 +23254,7 @@ index 6491353..a918952 100644 #ifdef CONFIG_KVM_GUEST ENTRY(async_page_fault) -@@ -1451,7 +1699,7 @@ ENTRY(async_page_fault) +@@ -1452,7 +1700,7 @@ ENTRY(async_page_fault) pushl_cfi $do_async_page_fault jmp error_code CFI_ENDPROC @@ -24623,7 +24623,7 @@ index 85126cc..1bbce17 100644 init_level4_pgt[511] = early_level4_pgt[511]; diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S -index f36bd42..56ee1534 100644 +index f36bd42..0ab4474 100644 --- a/arch/x86/kernel/head_32.S +++ b/arch/x86/kernel/head_32.S @@ -26,6 +26,12 @@ @@ -25035,7 +25035,7 @@ index f36bd42..56ee1534 100644 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */ + .quad 0x004093000000ffff /* 0xc8 APM DS data */ + -+ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */ ++ .quad 0x00c093000000ffff /* 0xd0 - ESPFIX SS */ + .quad 0x0040930000000000 /* 0xd8 - PERCPU */ + .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */ + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */ @@ -27368,7 +27368,7 @@ index 5cdff03..80fa283 100644 * Up to this point, the boot CPU has been using .init.data * area. Reload any changed state for the boot CPU. diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c -index 9e5de68..16c53cb 100644 +index 9e5de68..147c254 100644 --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c @@ -190,7 +190,7 @@ static unsigned long align_sigframe(unsigned long sp) @@ -27385,7 +27385,7 @@ index 9e5de68..16c53cb 100644 if (current->mm->context.vdso) - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn); -+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn); ++ restorer = (void __force_user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn); else - restorer = &frame->retcode; + restorer = (void __user *)&frame->retcode; @@ -27407,9 +27407,9 @@ index 9e5de68..16c53cb 100644 /* Set up to return from userspace. */ - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn); + if (current->mm->context.vdso) -+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn); ++ restorer = (void __force_user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn); + else -+ restorer = (void __user *)&frame->retcode; ++ restorer = (void __user *)&frame->retcode; if (ksig->ka.sa.sa_flags & SA_RESTORER) restorer = ksig->ka.sa.sa_restorer; put_user_ex(restorer, &frame->pretcode); @@ -28157,7 +28157,7 @@ index 57409f6..b505597 100644 if (!fixup_exception(regs)) { task->thread.error_code = error_code; diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c -index cfbe99f..a6e8fa7 100644 +index e0d1d7a..db035d4 100644 --- a/arch/x86/kernel/tsc.c +++ b/arch/x86/kernel/tsc.c @@ -150,7 +150,7 @@ static void cyc2ns_write_end(int cpu, struct cyc2ns_data *data) @@ -28955,7 +28955,7 @@ index 3927528..fc19971 100644 vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index ee0c3b5..773bb94 100644 +index 8fbd1a7..e046eef 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -1776,8 +1776,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) @@ -33352,19 +33352,21 @@ index 7b179b4..6bd17777 100644 return (void *)vaddr; diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c -index 799580c..72f9fe0 100644 +index 94bd247..7e48391 100644 --- a/arch/x86/mm/ioremap.c +++ b/arch/x86/mm/ioremap.c -@@ -97,7 +97,7 @@ static void __iomem *__ioremap_caller(resource_size_t phys_addr, - for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) { - int is_ram = page_is_ram(pfn); +@@ -56,8 +56,8 @@ static int __ioremap_check_ram(unsigned long start_pfn, unsigned long nr_pages, + unsigned long i; + + for (i = 0; i < nr_pages; ++i) +- if (pfn_valid(start_pfn + i) && +- !PageReserved(pfn_to_page(start_pfn + i))) ++ if (pfn_valid(start_pfn + i) && (start_pfn + i >= 0x100 || ++ !PageReserved(pfn_to_page(start_pfn + i)))) + return 1; -- if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn))) -+ if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn)))) - return NULL; - WARN_ON_ONCE(is_ram); - } -@@ -256,7 +256,7 @@ EXPORT_SYMBOL(ioremap_prot); + WARN_ONCE(1, "ioremap on RAM pfn 0x%lx\n", start_pfn); +@@ -268,7 +268,7 @@ EXPORT_SYMBOL(ioremap_prot); * * Caller must ensure there is only one unmapping for the same pointer. */ @@ -33373,7 +33375,7 @@ index 799580c..72f9fe0 100644 { struct vm_struct *p, *o; -@@ -310,6 +310,9 @@ void *xlate_dev_mem_ptr(unsigned long phys) +@@ -322,6 +322,9 @@ void *xlate_dev_mem_ptr(unsigned long phys) /* If page is RAM, we can use __va. Otherwise ioremap and unmap. */ if (page_is_ram(start >> PAGE_SHIFT)) @@ -33383,7 +33385,7 @@ index 799580c..72f9fe0 100644 return __va(phys); addr = (void __force *)ioremap_cache(start, PAGE_SIZE); -@@ -322,6 +325,9 @@ void *xlate_dev_mem_ptr(unsigned long phys) +@@ -334,6 +337,9 @@ void *xlate_dev_mem_ptr(unsigned long phys) void unxlate_dev_mem_ptr(unsigned long phys, void *addr) { if (page_is_ram(phys >> PAGE_SHIFT)) @@ -33393,7 +33395,7 @@ index 799580c..72f9fe0 100644 return; iounmap((void __iomem *)((unsigned long)addr & PAGE_MASK)); -@@ -339,7 +345,7 @@ static int __init early_ioremap_debug_setup(char *str) +@@ -351,7 +357,7 @@ static int __init early_ioremap_debug_setup(char *str) early_param("early_ioremap_debug", early_ioremap_debug_setup); static __initdata int after_paging_init; @@ -33402,7 +33404,7 @@ index 799580c..72f9fe0 100644 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr) { -@@ -376,8 +382,7 @@ void __init early_ioremap_init(void) +@@ -388,8 +394,7 @@ void __init early_ioremap_init(void) slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i); pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN)); @@ -36346,10 +36348,10 @@ index af00795..2bb8105 100644 #define XCHAL_ICACHE_SIZE 32768 /* I-cache size in bytes or 0 */ #define XCHAL_DCACHE_SIZE 32768 /* D-cache size in bytes or 0 */ diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c -index 4e491d9..c8e18e4 100644 +index d8f80e7..5f41702 100644 --- a/block/blk-cgroup.c +++ b/block/blk-cgroup.c -@@ -812,7 +812,7 @@ static void blkcg_css_free(struct cgroup_subsys_state *css) +@@ -809,7 +809,7 @@ static void blkcg_css_free(struct cgroup_subsys_state *css) static struct cgroup_subsys_state * blkcg_css_alloc(struct cgroup_subsys_state *parent_css) { @@ -36358,7 +36360,7 @@ index 4e491d9..c8e18e4 100644 struct blkcg *blkcg; if (!parent_css) { -@@ -826,7 +826,7 @@ blkcg_css_alloc(struct cgroup_subsys_state *parent_css) +@@ -823,7 +823,7 @@ blkcg_css_alloc(struct cgroup_subsys_state *parent_css) blkcg->cfq_weight = CFQ_WEIGHT_DEFAULT; blkcg->cfq_leaf_weight = CFQ_WEIGHT_DEFAULT; @@ -36438,7 +36440,7 @@ index 420a5a9..23834aa 100644 if (blk_verify_command(rq->cmd, has_write_perm)) return -EPERM; diff --git a/block/compat_ioctl.c b/block/compat_ioctl.c -index fbd5a67..f24fd95 100644 +index a0926a6..b2b14b2 100644 --- a/block/compat_ioctl.c +++ b/block/compat_ioctl.c @@ -156,7 +156,7 @@ static int compat_cdrom_generic_command(struct block_device *bdev, fmode_t mode, @@ -36580,6 +36582,26 @@ index 2648797..92ed21f 100644 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len)) goto error; +diff --git a/crypto/af_alg.c b/crypto/af_alg.c +index 966f893..6a3ad80 100644 +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -21,6 +21,7 @@ + #include <linux/module.h> + #include <linux/net.h> + #include <linux/rwsem.h> ++#include <linux/security.h> + + struct alg_type_list { + const struct af_alg_type *type; +@@ -243,6 +244,7 @@ int af_alg_accept(struct sock *sk, struct socket *newsock) + + sock_init_data(newsock, sk2); + sock_graft(sk2, newsock); ++ security_sk_clone(sk, sk2); + + err = type->accept(ask->private, sk2); + if (err) { diff --git a/crypto/cryptd.c b/crypto/cryptd.c index 7bdd61b..afec999 100644 --- a/crypto/cryptd.c @@ -36771,7 +36793,7 @@ index 36605ab..6ef6d4b 100644 unsigned long timeout_msec) { diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c -index 62fda16..8063873 100644 +index f761603..3042d5c 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -98,7 +98,7 @@ static unsigned int ata_dev_set_xfermode(struct ata_device *dev); @@ -36783,7 +36805,7 @@ index 62fda16..8063873 100644 struct ata_force_param { const char *name; -@@ -4858,7 +4858,7 @@ void ata_qc_free(struct ata_queued_cmd *qc) +@@ -4863,7 +4863,7 @@ void ata_qc_free(struct ata_queued_cmd *qc) struct ata_port *ap; unsigned int tag; @@ -36792,7 +36814,7 @@ index 62fda16..8063873 100644 ap = qc->ap; qc->flags = 0; -@@ -4874,7 +4874,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc) +@@ -4879,7 +4879,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc) struct ata_port *ap; struct ata_link *link; @@ -36801,7 +36823,7 @@ index 62fda16..8063873 100644 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE)); ap = qc->ap; link = qc->dev->link; -@@ -5993,6 +5993,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) +@@ -5998,6 +5998,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) return; spin_lock(&lock); @@ -36809,7 +36831,7 @@ index 62fda16..8063873 100644 for (cur = ops->inherits; cur; cur = cur->inherits) { void **inherit = (void **)cur; -@@ -6006,8 +6007,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) +@@ -6011,8 +6012,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) if (IS_ERR(*pp)) *pp = NULL; @@ -36820,7 +36842,7 @@ index 62fda16..8063873 100644 spin_unlock(&lock); } -@@ -6200,7 +6202,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht) +@@ -6208,7 +6210,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht) /* give ports names and add SCSI hosts */ for (i = 0; i < host->n_ports; i++) { @@ -37488,7 +37510,7 @@ index 4217f29..88f547a 100644 vcc->tx_quota = vcc->tx_quota * 3 / 4; printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota ); diff --git a/drivers/atm/lanai.c b/drivers/atm/lanai.c -index fa7d701..1e404c7 100644 +index fa7d7019..1e404c7 100644 --- a/drivers/atm/lanai.c +++ b/drivers/atm/lanai.c @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct lanai_dev *lanai, @@ -39664,7 +39686,7 @@ index 18d4091..434be15 100644 } EXPORT_SYMBOL_GPL(od_unregister_powersave_bias_handler); diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c -index de9ef4a..0b29fc9 100644 +index ae52c77..3d8f69b 100644 --- a/drivers/cpufreq/intel_pstate.c +++ b/drivers/cpufreq/intel_pstate.c @@ -125,10 +125,10 @@ struct pstate_funcs { @@ -39680,7 +39702,7 @@ index de9ef4a..0b29fc9 100644 struct perf_limits { int no_turbo; -@@ -529,7 +529,7 @@ static void intel_pstate_set_pstate(struct cpudata *cpu, int pstate) +@@ -530,7 +530,7 @@ static void intel_pstate_set_pstate(struct cpudata *cpu, int pstate) cpu->pstate.current_pstate = pstate; @@ -39689,7 +39711,7 @@ index de9ef4a..0b29fc9 100644 } static inline void intel_pstate_pstate_increase(struct cpudata *cpu, int steps) -@@ -551,12 +551,12 @@ static void intel_pstate_get_cpu_pstates(struct cpudata *cpu) +@@ -552,12 +552,12 @@ static void intel_pstate_get_cpu_pstates(struct cpudata *cpu) { sprintf(cpu->name, "Intel 2nd generation core"); @@ -39707,7 +39729,7 @@ index de9ef4a..0b29fc9 100644 intel_pstate_set_pstate(cpu, cpu->pstate.min_pstate); } -@@ -838,9 +838,9 @@ static int intel_pstate_msrs_not_valid(void) +@@ -844,9 +844,9 @@ static int intel_pstate_msrs_not_valid(void) rdmsrl(MSR_IA32_APERF, aperf); rdmsrl(MSR_IA32_MPERF, mperf); @@ -39720,7 +39742,7 @@ index de9ef4a..0b29fc9 100644 return -ENODEV; rdmsrl(MSR_IA32_APERF, tmp); -@@ -854,7 +854,7 @@ static int intel_pstate_msrs_not_valid(void) +@@ -860,7 +860,7 @@ static int intel_pstate_msrs_not_valid(void) return 0; } @@ -39729,7 +39751,7 @@ index de9ef4a..0b29fc9 100644 { pid_params.sample_rate_ms = policy->sample_rate_ms; pid_params.p_gain_pct = policy->p_gain_pct; -@@ -866,11 +866,7 @@ static void copy_pid_params(struct pstate_adjust_policy *policy) +@@ -872,11 +872,7 @@ static void copy_pid_params(struct pstate_adjust_policy *policy) static void copy_cpu_funcs(struct pstate_funcs *funcs) { @@ -41310,12 +41332,12 @@ index 0bb86e6..d41416d 100644 return -EFAULT; diff --git a/drivers/gpu/drm/qxl/qxl_irq.c b/drivers/gpu/drm/qxl/qxl_irq.c -index 28f84b4..fb3e224 100644 +index 3485bdc..20d26e3 100644 --- a/drivers/gpu/drm/qxl/qxl_irq.c +++ b/drivers/gpu/drm/qxl/qxl_irq.c -@@ -33,19 +33,19 @@ irqreturn_t qxl_irq_handler(int irq, void *arg) - - pending = xchg(&qdev->ram_header->int_pending, 0); +@@ -36,19 +36,19 @@ irqreturn_t qxl_irq_handler(int irq, void *arg) + if (!pending) + return IRQ_NONE; - atomic_inc(&qdev->irq_received); + atomic_inc_unchecked(&qdev->irq_received); @@ -41337,7 +41359,7 @@ index 28f84b4..fb3e224 100644 wake_up_all(&qdev->io_cmd_event); } if (pending & QXL_INTERRUPT_ERROR) { -@@ -82,10 +82,10 @@ int qxl_irq_init(struct qxl_device *qdev) +@@ -85,10 +85,10 @@ int qxl_irq_init(struct qxl_device *qdev) init_waitqueue_head(&qdev->io_cmd_event); INIT_WORK(&qdev->client_monitors_config_work, qxl_client_monitors_config_work_func); @@ -42021,10 +42043,10 @@ index 8a8725c2..afed796 100644 marker = list_first_entry(&queue->head, struct vmw_marker, head); diff --git a/drivers/gpu/vga/vga_switcheroo.c b/drivers/gpu/vga/vga_switcheroo.c -index ec0ae2d..dc0780b 100644 +index 6866448..2ad2b34 100644 --- a/drivers/gpu/vga/vga_switcheroo.c +++ b/drivers/gpu/vga/vga_switcheroo.c -@@ -643,7 +643,7 @@ static int vga_switcheroo_runtime_resume(struct device *dev) +@@ -644,7 +644,7 @@ static int vga_switcheroo_runtime_resume(struct device *dev) /* this version is for the case where the power switch is separate to the device being powered down. */ @@ -42033,7 +42055,7 @@ index ec0ae2d..dc0780b 100644 { /* copy over all the bus versions */ if (dev->bus && dev->bus->pm) { -@@ -688,7 +688,7 @@ static int vga_switcheroo_runtime_resume_hdmi_audio(struct device *dev) +@@ -689,7 +689,7 @@ static int vga_switcheroo_runtime_resume_hdmi_audio(struct device *dev) return ret; } @@ -43506,10 +43528,10 @@ index 24c41ba..102d71f 100644 gameport->dev.release = gameport_release_port; if (gameport->parent) diff --git a/drivers/input/input.c b/drivers/input/input.c -index 1c4c0db..6f7abe3 100644 +index 29ca0bb..f4bc2e3 100644 --- a/drivers/input/input.c +++ b/drivers/input/input.c -@@ -1772,7 +1772,7 @@ EXPORT_SYMBOL_GPL(input_class); +@@ -1774,7 +1774,7 @@ EXPORT_SYMBOL_GPL(input_class); */ struct input_dev *input_allocate_device(void) { @@ -43518,7 +43540,7 @@ index 1c4c0db..6f7abe3 100644 struct input_dev *dev; dev = kzalloc(sizeof(struct input_dev), GFP_KERNEL); -@@ -1787,7 +1787,7 @@ struct input_dev *input_allocate_device(void) +@@ -1789,7 +1789,7 @@ struct input_dev *input_allocate_device(void) INIT_LIST_HEAD(&dev->node); dev_set_name(&dev->dev, "input%ld", @@ -43697,10 +43719,10 @@ index 228632c9..edfe331 100644 bool setup_remapped_irq(int irq, struct irq_cfg *cfg, struct irq_chip *chip) diff --git a/drivers/irqchip/irq-gic.c b/drivers/irqchip/irq-gic.c -index ac2d41b..c657aa4 100644 +index 12698ee..a58a958 100644 --- a/drivers/irqchip/irq-gic.c +++ b/drivers/irqchip/irq-gic.c -@@ -84,7 +84,7 @@ static u8 gic_cpu_map[NR_GIC_CPU_IF] __read_mostly; +@@ -85,7 +85,7 @@ static u8 gic_cpu_map[NR_GIC_CPU_IF] __read_mostly; * Supported arch specific GIC irq extension. * Default make them NULL. */ @@ -43709,7 +43731,7 @@ index ac2d41b..c657aa4 100644 .irq_eoi = NULL, .irq_mask = NULL, .irq_unmask = NULL, -@@ -336,7 +336,7 @@ static void gic_handle_cascade_irq(unsigned int irq, struct irq_desc *desc) +@@ -337,7 +337,7 @@ static void gic_handle_cascade_irq(unsigned int irq, struct irq_desc *desc) chained_irq_exit(chip, desc); } @@ -44521,7 +44543,7 @@ index 6a7f2b8..fea0bde 100644 "start=%llu, len=%llu, dev_size=%llu", dm_device_name(ti->table->md), bdevname(bdev, b), diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c -index b086a94..74cb67e 100644 +index e9d33ad..dae9880d 100644 --- a/drivers/md/dm-thin-metadata.c +++ b/drivers/md/dm-thin-metadata.c @@ -404,7 +404,7 @@ static void __setup_btree_details(struct dm_pool_metadata *pmd) @@ -44543,10 +44565,10 @@ index b086a94..74cb67e 100644 pmd->bl_info.value_type.inc = data_block_inc; pmd->bl_info.value_type.dec = data_block_dec; diff --git a/drivers/md/dm.c b/drivers/md/dm.c -index 8c53b09..f1fb2b0 100644 +index 65ee3a0..1852af9 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c -@@ -185,9 +185,9 @@ struct mapped_device { +@@ -187,9 +187,9 @@ struct mapped_device { /* * Event handling. */ @@ -44558,7 +44580,7 @@ index 8c53b09..f1fb2b0 100644 struct list_head uevent_list; spinlock_t uevent_lock; /* Protect access to uevent_list */ -@@ -1888,8 +1888,8 @@ static struct mapped_device *alloc_dev(int minor) +@@ -1899,8 +1899,8 @@ static struct mapped_device *alloc_dev(int minor) spin_lock_init(&md->deferred_lock); atomic_set(&md->holders, 1); atomic_set(&md->open_count, 0); @@ -44569,7 +44591,7 @@ index 8c53b09..f1fb2b0 100644 INIT_LIST_HEAD(&md->uevent_list); spin_lock_init(&md->uevent_lock); -@@ -2043,7 +2043,7 @@ static void event_callback(void *context) +@@ -2054,7 +2054,7 @@ static void event_callback(void *context) dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj); @@ -44578,7 +44600,7 @@ index 8c53b09..f1fb2b0 100644 wake_up(&md->eventq); } -@@ -2736,18 +2736,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, +@@ -2747,18 +2747,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, uint32_t dm_next_uevent_seq(struct mapped_device *md) { @@ -44601,7 +44623,7 @@ index 8c53b09..f1fb2b0 100644 void dm_uevent_add(struct mapped_device *md, struct list_head *elist) diff --git a/drivers/md/md.c b/drivers/md/md.c -index 8b013f8..93eed41 100644 +index 73aedcb..424968a 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -194,10 +194,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev); @@ -45265,6 +45287,79 @@ index a1c641e..3007da9 100644 static int dib7070_set_param_override(struct dvb_frontend *fe) { +diff --git a/drivers/media/usb/dvb-usb/dvb-usb-firmware.c b/drivers/media/usb/dvb-usb/dvb-usb-firmware.c +index 733a7ff..f8b52e3 100644 +--- a/drivers/media/usb/dvb-usb/dvb-usb-firmware.c ++++ b/drivers/media/usb/dvb-usb/dvb-usb-firmware.c +@@ -35,42 +35,57 @@ static int usb_cypress_writemem(struct usb_device *udev,u16 addr,u8 *data, u8 le + + int usb_cypress_load_firmware(struct usb_device *udev, const struct firmware *fw, int type) + { +- struct hexline hx; +- u8 reset; ++ struct hexline *hx; ++ u8 *reset; + int ret,pos=0; + ++ reset = kmalloc(1, GFP_KERNEL); ++ if (reset == NULL) ++ return -ENOMEM; ++ ++ hx = kmalloc(sizeof(struct hexline), GFP_KERNEL); ++ if (hx == NULL) { ++ kfree(reset); ++ return -ENOMEM; ++ } ++ + /* stop the CPU */ +- reset = 1; +- if ((ret = usb_cypress_writemem(udev,cypress[type].cpu_cs_register,&reset,1)) != 1) ++ reset[0] = 1; ++ if ((ret = usb_cypress_writemem(udev,cypress[type].cpu_cs_register,reset,1)) != 1) + err("could not stop the USB controller CPU."); + +- while ((ret = dvb_usb_get_hexline(fw,&hx,&pos)) > 0) { +- deb_fw("writing to address 0x%04x (buffer: 0x%02x %02x)\n",hx.addr,hx.len,hx.chk); +- ret = usb_cypress_writemem(udev,hx.addr,hx.data,hx.len); ++ while ((ret = dvb_usb_get_hexline(fw,hx,&pos)) > 0) { ++ deb_fw("writing to address 0x%04x (buffer: 0x%02x %02x)\n",hx->addr,hx->len,hx->chk); ++ ret = usb_cypress_writemem(udev,hx->addr,hx->data,hx->len); + +- if (ret != hx.len) { ++ if (ret != hx->len) { + err("error while transferring firmware " + "(transferred size: %d, block size: %d)", +- ret,hx.len); ++ ret,hx->len); + ret = -EINVAL; + break; + } + } + if (ret < 0) { + err("firmware download failed at %d with %d",pos,ret); ++ kfree(reset); ++ kfree(hx); + return ret; + } + + if (ret == 0) { + /* restart the CPU */ +- reset = 0; +- if (ret || usb_cypress_writemem(udev,cypress[type].cpu_cs_register,&reset,1) != 1) { ++ reset[0] = 0; ++ if (ret || usb_cypress_writemem(udev,cypress[type].cpu_cs_register,reset,1) != 1) { + err("could not restart the USB controller CPU."); + ret = -EINVAL; + } + } else + ret = -EIO; + ++ kfree(reset); ++ kfree(hx); ++ + return ret; + } + EXPORT_SYMBOL(usb_cypress_load_firmware); diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c index ae0f56a..ec71784 100644 --- a/drivers/media/usb/dvb-usb/dw2102.c @@ -45278,6 +45373,212 @@ index ae0f56a..ec71784 100644 /* debug */ static int dvb_usb_dw2102_debug; +diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c +index 98d24ae..bc22415 100644 +--- a/drivers/media/usb/dvb-usb/technisat-usb2.c ++++ b/drivers/media/usb/dvb-usb/technisat-usb2.c +@@ -87,8 +87,11 @@ struct technisat_usb2_state { + static int technisat_usb2_i2c_access(struct usb_device *udev, + u8 device_addr, u8 *tx, u8 txlen, u8 *rx, u8 rxlen) + { +- u8 b[64]; +- int ret, actual_length; ++ u8 *b = kmalloc(64, GFP_KERNEL); ++ int ret, actual_length, error = 0; ++ ++ if (b == NULL) ++ return -ENOMEM; + + deb_i2c("i2c-access: %02x, tx: ", device_addr); + debug_dump(tx, txlen, deb_i2c); +@@ -121,7 +124,8 @@ static int technisat_usb2_i2c_access(struct usb_device *udev, + + if (ret < 0) { + err("i2c-error: out failed %02x = %d", device_addr, ret); +- return -ENODEV; ++ error = -ENODEV; ++ goto out; + } + + ret = usb_bulk_msg(udev, +@@ -129,7 +133,8 @@ static int technisat_usb2_i2c_access(struct usb_device *udev, + b, 64, &actual_length, 1000); + if (ret < 0) { + err("i2c-error: in failed %02x = %d", device_addr, ret); +- return -ENODEV; ++ error = -ENODEV; ++ goto out; + } + + if (b[0] != I2C_STATUS_OK) { +@@ -137,8 +142,10 @@ static int technisat_usb2_i2c_access(struct usb_device *udev, + /* handle tuner-i2c-nak */ + if (!(b[0] == I2C_STATUS_NAK && + device_addr == 0x60 +- /* && device_is_technisat_usb2 */)) +- return -ENODEV; ++ /* && device_is_technisat_usb2 */)) { ++ error = -ENODEV; ++ goto out; ++ } + } + + deb_i2c("status: %d, ", b[0]); +@@ -152,7 +159,9 @@ static int technisat_usb2_i2c_access(struct usb_device *udev, + + deb_i2c("\n"); + +- return 0; ++out: ++ kfree(b); ++ return error; + } + + static int technisat_usb2_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg *msg, +@@ -224,14 +233,16 @@ static int technisat_usb2_set_led(struct dvb_usb_device *d, int red, enum techni + { + int ret; + +- u8 led[8] = { +- red ? SET_RED_LED_VENDOR_REQUEST : SET_GREEN_LED_VENDOR_REQUEST, +- 0 +- }; ++ u8 *led = kzalloc(8, GFP_KERNEL); ++ ++ if (led == NULL) ++ return -ENOMEM; + + if (disable_led_control && state != LED_OFF) + return 0; + ++ led[0] = red ? SET_RED_LED_VENDOR_REQUEST : SET_GREEN_LED_VENDOR_REQUEST; ++ + switch (state) { + case LED_ON: + led[1] = 0x82; +@@ -263,16 +274,22 @@ static int technisat_usb2_set_led(struct dvb_usb_device *d, int red, enum techni + red ? SET_RED_LED_VENDOR_REQUEST : SET_GREEN_LED_VENDOR_REQUEST, + USB_TYPE_VENDOR | USB_DIR_OUT, + 0, 0, +- led, sizeof(led), 500); ++ led, 8, 500); + + mutex_unlock(&d->i2c_mutex); ++ ++ kfree(led); ++ + return ret; + } + + static int technisat_usb2_set_led_timer(struct dvb_usb_device *d, u8 red, u8 green) + { + int ret; +- u8 b = 0; ++ u8 *b = kzalloc(1, GFP_KERNEL); ++ ++ if (b == NULL) ++ return -ENOMEM; + + if (mutex_lock_interruptible(&d->i2c_mutex) < 0) + return -EAGAIN; +@@ -281,10 +298,12 @@ static int technisat_usb2_set_led_timer(struct dvb_usb_device *d, u8 red, u8 gre + SET_LED_TIMER_DIVIDER_VENDOR_REQUEST, + USB_TYPE_VENDOR | USB_DIR_OUT, + (red << 8) | green, 0, +- &b, 1, 500); ++ b, 1, 500); + + mutex_unlock(&d->i2c_mutex); + ++ kfree(b); ++ + return ret; + } + +@@ -328,7 +347,7 @@ static int technisat_usb2_identify_state(struct usb_device *udev, + struct dvb_usb_device_description **desc, int *cold) + { + int ret; +- u8 version[3]; ++ u8 *version = kmalloc(3, GFP_KERNEL); + + /* first select the interface */ + if (usb_set_interface(udev, 0, 1) != 0) +@@ -338,11 +357,14 @@ static int technisat_usb2_identify_state(struct usb_device *udev, + + *cold = 0; /* by default do not download a firmware - just in case something is wrong */ + ++ if (version == NULL) ++ return 0; ++ + ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), + GET_VERSION_INFO_VENDOR_REQUEST, + USB_TYPE_VENDOR | USB_DIR_IN, + 0, 0, +- version, sizeof(version), 500); ++ version, 3, 500); + + if (ret < 0) + *cold = 1; +@@ -351,6 +373,8 @@ static int technisat_usb2_identify_state(struct usb_device *udev, + *cold = 0; + } + ++ kfree(version); ++ + return 0; + } + +@@ -591,10 +615,15 @@ static int technisat_usb2_frontend_attach(struct dvb_usb_adapter *a) + + static int technisat_usb2_get_ir(struct dvb_usb_device *d) + { +- u8 buf[62], *b; ++ u8 *buf, *b; + int ret; + struct ir_raw_event ev; + ++ buf = kmalloc(62, GFP_KERNEL); ++ ++ if (buf == NULL) ++ return -ENOMEM; ++ + buf[0] = GET_IR_DATA_VENDOR_REQUEST; + buf[1] = 0x08; + buf[2] = 0x8f; +@@ -617,16 +646,20 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d) + GET_IR_DATA_VENDOR_REQUEST, + USB_TYPE_VENDOR | USB_DIR_IN, + 0x8080, 0, +- buf, sizeof(buf), 500); ++ buf, 62, 500); + + unlock: + mutex_unlock(&d->i2c_mutex); + +- if (ret < 0) ++ if (ret < 0) { ++ kfree(buf); + return ret; ++ } + +- if (ret == 1) ++ if (ret == 1) { ++ kfree(buf); + return 0; /* no key pressed */ ++ } + + /* decoding */ + b = buf+1; +@@ -653,6 +686,8 @@ unlock: + + ir_raw_event_handle(d->rc_dev); + ++ kfree(buf); ++ + return 1; + } + diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c index fca336b..fb70ab7 100644 --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c @@ -46374,18 +46675,6 @@ index cf49c22..971b133 100644 struct attribute **attributes; struct sm_sysfs_attribute *vendor_attribute; char *vendor; -diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c -index 91ec8cd..562ff5f 100644 ---- a/drivers/net/bonding/bond_main.c -+++ b/drivers/net/bonding/bond_main.c -@@ -4552,6 +4552,7 @@ static void __exit bonding_exit(void) - - bond_netlink_fini(); - unregister_pernet_subsys(&bond_net_ops); -+ rtnl_link_unregister(&bond_link_ops); - - #ifdef CONFIG_NET_POLL_CONTROLLER - /* diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c index 70651f8..7eb1bdf 100644 --- a/drivers/net/bonding/bond_netlink.c @@ -46429,20 +46718,6 @@ index 455d4c3..3353ee7 100644 } if (!request_mem_region(mem->start, mem_size, pdev->name)) { -diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c -index dbcff50..5ed5124 100644 ---- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c -+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c -@@ -793,7 +793,8 @@ static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp, - - return; - } -- bnx2x_frag_free(fp, new_data); -+ if (new_data) -+ bnx2x_frag_free(fp, new_data); - drop: - /* drop the packet and keep the buffer in the bin */ - DP(NETIF_MSG_RX_STATUS, diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h index a89a40f..5a8a2ac 100644 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h @@ -46575,7 +46850,7 @@ index c05b66d..ed69872 100644 break; } diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c -index 36c8061..ca5e1e0 100644 +index 80bfa03..45114e6 100644 --- a/drivers/net/ethernet/emulex/benet/be_main.c +++ b/drivers/net/ethernet/emulex/benet/be_main.c @@ -534,7 +534,7 @@ static void accumulate_16bit_val(u32 *acc, u16 val) @@ -46888,18 +47163,6 @@ index 3381c4f..dea5fd5 100644 .notifier_call = macvtap_device_event, }; -diff --git a/drivers/net/phy/mdio-bitbang.c b/drivers/net/phy/mdio-bitbang.c -index daec9b0..6428fcb 100644 ---- a/drivers/net/phy/mdio-bitbang.c -+++ b/drivers/net/phy/mdio-bitbang.c -@@ -234,6 +234,7 @@ void free_mdio_bitbang(struct mii_bus *bus) - struct mdiobb_ctrl *ctrl = bus->priv; - - module_put(ctrl->ops->owner); -+ mdiobus_unregister(bus); - mdiobus_free(bus); - } - EXPORT_SYMBOL(free_mdio_bitbang); diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index 72ff14b..11d442d 100644 --- a/drivers/net/ppp/ppp_generic.c @@ -46922,6 +47185,19 @@ index 72ff14b..11d442d 100644 break; err = 0; break; +diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c +index 0180531..1aff970 100644 +--- a/drivers/net/ppp/pptp.c ++++ b/drivers/net/ppp/pptp.c +@@ -281,7 +281,7 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb) + nf_reset(skb); + + skb->ip_summed = CHECKSUM_NONE; +- ip_select_ident(skb, &rt->dst, NULL); ++ ip_select_ident(skb, NULL); + ip_send_check(iph); + + ip_local_out(skb); diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c index 1252d9c..80e660b 100644 --- a/drivers/net/slip/slhc.c @@ -47248,6 +47524,24 @@ index 5920c99..ff2e4a5 100644 }; static void +diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c +index 5895f19..fa9fdfa 100644 +--- a/drivers/net/wan/x25_asy.c ++++ b/drivers/net/wan/x25_asy.c +@@ -122,8 +122,12 @@ static int x25_asy_change_mtu(struct net_device *dev, int newmtu) + { + struct x25_asy *sl = netdev_priv(dev); + unsigned char *xbuff, *rbuff; +- int len = 2 * newmtu; ++ int len; + ++ if (newmtu > 65534) ++ return -EINVAL; ++ ++ len = 2 * newmtu; + xbuff = kmalloc(len + 4, GFP_ATOMIC); + rbuff = kmalloc(len + 4, GFP_ATOMIC); + diff --git a/drivers/net/wan/z85230.c b/drivers/net/wan/z85230.c index feacc3b..5bac0de 100644 --- a/drivers/net/wan/z85230.c @@ -47797,10 +48091,10 @@ index ea7e70c..bc0c45f 100644 data->sku_cap_band_24GHz_enable ? "" : "NOT", "enabled", data->sku_cap_band_52GHz_enable ? "" : "NOT", "enabled", diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c -index 8d42fd9..d923d65 100644 +index 16be0c0..eb0bc12 100644 --- a/drivers/net/wireless/iwlwifi/pcie/trans.c +++ b/drivers/net/wireless/iwlwifi/pcie/trans.c -@@ -1365,7 +1365,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file, +@@ -1371,7 +1371,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file, struct isr_statistics *isr_stats = &trans_pcie->isr_stats; char buf[8]; @@ -47809,7 +48103,7 @@ index 8d42fd9..d923d65 100644 u32 reset_flag; memset(buf, 0, sizeof(buf)); -@@ -1386,7 +1386,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file, +@@ -1392,7 +1392,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file, { struct iwl_trans *trans = file->private_data; char buf[8]; @@ -47871,7 +48165,7 @@ index 5028557..91cf394 100644 tmp = cpu_to_le32(rts_threshold); diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h -index e3b885d..7a7de2f 100644 +index 5d45a1a..6f5f041 100644 --- a/drivers/net/wireless/rt2x00/rt2x00.h +++ b/drivers/net/wireless/rt2x00/rt2x00.h @@ -375,7 +375,7 @@ struct rt2x00_intf { @@ -50176,10 +50470,25 @@ index d8afec8..3ec7152 100644 /* check if the device is still usable */ if (unlikely(cmd->device->sdev_state == SDEV_DEL)) { diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c -index 62ec84b..93159d8 100644 +index 62ec84b..384f684 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c -@@ -1474,7 +1474,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q) +@@ -831,6 +831,14 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes) + scsi_next_command(cmd); + return; + } ++ } else if (blk_rq_bytes(req) == 0 && result && !sense_deferred) { ++ /* ++ * Certain non BLOCK_PC requests are commands that don't ++ * actually transfer anything (FLUSH), so cannot use ++ * good_bytes != blk_rq_bytes(req) as the signal for an error. ++ * This sets the error explicitly for the problem case. ++ */ ++ error = __scsi_error_from_host_byte(cmd, result); + } + + /* no bidi support for !REQ_TYPE_BLOCK_PC yet */ +@@ -1474,7 +1482,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q) shost = sdev->host; scsi_init_cmd_errh(cmd); cmd->result = DID_NO_CONNECT << 16; @@ -50188,7 +50497,7 @@ index 62ec84b..93159d8 100644 /* * SCSI request completion path will do scsi_device_unbusy(), -@@ -1500,9 +1500,9 @@ static void scsi_softirq_done(struct request *rq) +@@ -1500,9 +1508,9 @@ static void scsi_softirq_done(struct request *rq) INIT_LIST_HEAD(&cmd->eh_entry); @@ -51436,7 +51745,7 @@ index 2ebe47b..3205833 100644 dlci->modem_rx = 0; diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c -index e36d1f5..9938e3e 100644 +index 28ac3f3..9019b3b 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c @@ -115,7 +115,7 @@ struct n_tty_data { @@ -51448,7 +51757,7 @@ index e36d1f5..9938e3e 100644 size_t line_start; /* protected by output lock */ -@@ -2519,6 +2519,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops) +@@ -2520,6 +2520,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops) { *ops = tty_ldisc_N_TTY; ops->owner = NULL; @@ -51642,7 +51951,7 @@ index a260cde..6b2b5ce 100644 /* This is only available if kgdboc is a built in for early debugging */ static int __init kgdboc_early_init(char *opt) diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c -index b5d779c..3622cfe 100644 +index c0f2b3e..7e3f80c 100644 --- a/drivers/tty/serial/msm_serial.c +++ b/drivers/tty/serial/msm_serial.c @@ -897,7 +897,7 @@ static struct uart_driver msm_uart_driver = { @@ -51696,7 +52005,7 @@ index 9cd706d..6ff2de7 100644 if (cfg->uart_flags & UPF_CONS_FLOW) { diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c -index ece2049..fba2524 100644 +index ece2049b..fba2524 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -1448,7 +1448,7 @@ static void uart_hangup(struct tty_struct *tty) @@ -52598,7 +52907,7 @@ index 2518c32..1c201bb 100644 wake_up(&usb_kill_urb_queue); usb_put_urb(urb); diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 3baa51b..92907cf 100644 +index 36b1e85..18fb0a4 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -27,6 +27,7 @@ @@ -52609,7 +52918,7 @@ index 3baa51b..92907cf 100644 #include <asm/uaccess.h> #include <asm/byteorder.h> -@@ -4483,6 +4484,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1, +@@ -4502,6 +4503,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1, goto done; return; } @@ -52862,6 +53171,36 @@ index 7ae0c4d..35521b7 100644 retval = submit_single_step_set_feature(hcd, urb, 0); if (!retval && !wait_for_completion_timeout(&done, msecs_to_jiffies(2000))) { +diff --git a/drivers/usb/host/hwa-hc.c b/drivers/usb/host/hwa-hc.c +index e076699..6b3b875 100644 +--- a/drivers/usb/host/hwa-hc.c ++++ b/drivers/usb/host/hwa-hc.c +@@ -301,7 +301,10 @@ static int __hwahc_op_bwa_set(struct wusbhc *wusbhc, s8 stream_index, + struct hwahc *hwahc = container_of(wusbhc, struct hwahc, wusbhc); + struct wahc *wa = &hwahc->wa; + struct device *dev = &wa->usb_iface->dev; +- u8 mas_le[UWB_NUM_MAS/8]; ++ u8 *mas_le = kmalloc(UWB_NUM_MAS/8, GFP_KERNEL); ++ ++ if (mas_le == NULL) ++ return -ENOMEM; + + /* Set the stream index */ + result = usb_control_msg(wa->usb_dev, usb_sndctrlpipe(wa->usb_dev, 0), +@@ -320,10 +323,12 @@ static int __hwahc_op_bwa_set(struct wusbhc *wusbhc, s8 stream_index, + WUSB_REQ_SET_WUSB_MAS, + USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE, + 0, wa->usb_iface->cur_altsetting->desc.bInterfaceNumber, +- mas_le, 32, USB_CTRL_SET_TIMEOUT); ++ mas_le, UWB_NUM_MAS/8, USB_CTRL_SET_TIMEOUT); + if (result < 0) + dev_err(dev, "Cannot set WUSB MAS allocation: %d\n", result); + out: ++ kfree(mas_le); ++ + return result; + } + diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c index ba6a5d6..f88f7f3 100644 --- a/drivers/usb/misc/appledisplay.c @@ -56582,10 +56921,10 @@ index ce25d75..dc09eeb 100644 &data); if (!inode) { diff --git a/fs/aio.c b/fs/aio.c -index 19e7d95..af5756a 100644 +index 6d68e01..573d8dc 100644 --- a/fs/aio.c +++ b/fs/aio.c -@@ -375,7 +375,7 @@ static int aio_setup_ring(struct kioctx *ctx) +@@ -380,7 +380,7 @@ static int aio_setup_ring(struct kioctx *ctx) size += sizeof(struct io_event) * nr_events; nr_pages = PFN_UP(size); @@ -58727,7 +59066,7 @@ index a81147e..20bf2b5 100644 /* diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c -index 3881610..ab3df0b 100644 +index 3881610..d4599d0 100644 --- a/fs/compat_ioctl.c +++ b/fs/compat_ioctl.c @@ -621,7 +621,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd, @@ -58745,7 +59084,7 @@ index 3881610..ab3df0b 100644 return -EFAULT; - if (get_user(datap, &umsgs[i].buf) || - put_user(compat_ptr(datap), &tmsgs[i].buf)) -+ if (get_user(datap, (u8 __user * __user *)&umsgs[i].buf) || ++ if (get_user(datap, (compat_caddr_t __user *)&umsgs[i].buf) || + put_user(compat_ptr(datap), (u8 __user * __user *)&tmsgs[i].buf)) return -EFAULT; } @@ -58799,7 +59138,7 @@ index e081acb..911df21 100644 /* * We'll have a dentry and an inode for diff --git a/fs/coredump.c b/fs/coredump.c -index 0b2528f..836c55f 100644 +index a93f7e6..d58bcbe 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -442,8 +442,8 @@ static void wait_for_dump_helpers(struct file *file) @@ -59908,52 +60247,10 @@ index 62f024c..a6a1a61 100644 /* locality groups */ diff --git a/fs/ext4/indirect.c b/fs/ext4/indirect.c -index 594009f..c30cbe2 100644 +index e6574d7..c30cbe2 100644 --- a/fs/ext4/indirect.c +++ b/fs/ext4/indirect.c -@@ -389,7 +389,13 @@ static int ext4_alloc_branch(handle_t *handle, struct inode *inode, - return 0; - failed: - for (; i >= 0; i--) { -- if (i != indirect_blks && branch[i].bh) -+ /* -+ * We want to ext4_forget() only freshly allocated indirect -+ * blocks. Buffer for new_blocks[i-1] is at branch[i].bh and -+ * buffer at branch[0].bh is indirect block / inode already -+ * existing before ext4_alloc_branch() was called. -+ */ -+ if (i > 0 && i != indirect_blks && branch[i].bh) - ext4_forget(handle, 1, inode, branch[i].bh, - branch[i].bh->b_blocknr); - ext4_free_blocks(handle, inode, NULL, new_blocks[i], -@@ -1312,16 +1318,24 @@ static int free_hole_blocks(handle_t *handle, struct inode *inode, - blk = *i_data; - if (level > 0) { - ext4_lblk_t first2; -+ ext4_lblk_t count2; -+ - bh = sb_bread(inode->i_sb, le32_to_cpu(blk)); - if (!bh) { - EXT4_ERROR_INODE_BLOCK(inode, le32_to_cpu(blk), - "Read failure"); - return -EIO; - } -- first2 = (first > offset) ? first - offset : 0; -+ if (first > offset) { -+ first2 = first - offset; -+ count2 = count; -+ } else { -+ first2 = 0; -+ count2 = count - (offset - first); -+ } - ret = free_hole_blocks(handle, inode, bh, - (__le32 *)bh->b_data, level - 1, -- first2, count - offset, -+ first2, count2, - inode->i_sb->s_blocksize >> 2); - if (ret) { - brelse(bh); -@@ -1331,8 +1345,8 @@ static int free_hole_blocks(handle_t *handle, struct inode *inode, +@@ -1345,8 +1345,8 @@ static int free_hole_blocks(handle_t *handle, struct inode *inode, if (level == 0 || (bh && all_zeroes((__le32 *)bh->b_data, (__le32 *)bh->b_data + addr_per_block))) { @@ -59965,7 +60262,7 @@ index 594009f..c30cbe2 100644 brelse(bh); bh = NULL; diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c -index 08ddfda..a48f3f6 100644 +index 502f0fd..bf3b3c1 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -1880,7 +1880,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac, @@ -60095,7 +60392,7 @@ index 04434ad..6404663 100644 "MMP failure info: last update time: %llu, last update " "node: %s, last update device: %s\n", diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index 710fed2..a82e4e8 100644 +index 25b327e..56f169d 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -1270,7 +1270,7 @@ static ext4_fsblk_t get_sb_block(void **data) @@ -60107,7 +60404,7 @@ index 710fed2..a82e4e8 100644 "Contact linux-ext4@vger.kernel.org if you think we should keep it.\n"; #ifdef CONFIG_QUOTA -@@ -2450,7 +2450,7 @@ struct ext4_attr { +@@ -2448,7 +2448,7 @@ struct ext4_attr { int offset; int deprecated_val; } u; @@ -61776,10 +62073,10 @@ index 0a648bb..8d463f1 100644 } diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c -index 1d1292c..bba17ea 100644 +index 342f0239..d67794c 100644 --- a/fs/fuse/dir.c +++ b/fs/fuse/dir.c -@@ -1418,7 +1418,7 @@ static char *read_link(struct dentry *dentry) +@@ -1419,7 +1419,7 @@ static char *read_link(struct dentry *dentry) return link; } @@ -62114,7 +62411,7 @@ index b29e42f..5ea7fdf 100644 #define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */ diff --git a/fs/namei.c b/fs/namei.c -index 8274c8d..922e189 100644 +index bdea109..e242796 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -330,17 +330,34 @@ int generic_permission(struct inode *inode, int mask) @@ -62250,7 +62547,7 @@ index 8274c8d..922e189 100644 return retval; } -@@ -2557,6 +2590,13 @@ static int may_open(struct path *path, int acc_mode, int flag) +@@ -2558,6 +2591,13 @@ static int may_open(struct path *path, int acc_mode, int flag) if (flag & O_NOATIME && !inode_owner_or_capable(inode)) return -EPERM; @@ -62264,7 +62561,7 @@ index 8274c8d..922e189 100644 return 0; } -@@ -2788,7 +2828,7 @@ looked_up: +@@ -2789,7 +2829,7 @@ looked_up: * cleared otherwise prior to returning. */ static int lookup_open(struct nameidata *nd, struct path *path, @@ -62273,7 +62570,7 @@ index 8274c8d..922e189 100644 const struct open_flags *op, bool got_write, int *opened) { -@@ -2823,6 +2863,17 @@ static int lookup_open(struct nameidata *nd, struct path *path, +@@ -2824,6 +2864,17 @@ static int lookup_open(struct nameidata *nd, struct path *path, /* Negative dentry, just create the file */ if (!dentry->d_inode && (op->open_flag & O_CREAT)) { umode_t mode = op->mode; @@ -62291,7 +62588,7 @@ index 8274c8d..922e189 100644 if (!IS_POSIXACL(dir->d_inode)) mode &= ~current_umask(); /* -@@ -2844,6 +2895,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, +@@ -2845,6 +2896,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, nd->flags & LOOKUP_EXCL); if (error) goto out_dput; @@ -62300,7 +62597,7 @@ index 8274c8d..922e189 100644 } out_no_open: path->dentry = dentry; -@@ -2858,7 +2911,7 @@ out_dput: +@@ -2859,7 +2912,7 @@ out_dput: /* * Handle the last step of open() */ @@ -62309,7 +62606,7 @@ index 8274c8d..922e189 100644 struct file *file, const struct open_flags *op, int *opened, struct filename *name) { -@@ -2908,6 +2961,15 @@ static int do_last(struct nameidata *nd, struct path *path, +@@ -2909,6 +2962,15 @@ static int do_last(struct nameidata *nd, struct path *path, if (error) return error; @@ -62325,7 +62622,7 @@ index 8274c8d..922e189 100644 audit_inode(name, dir, LOOKUP_PARENT); error = -EISDIR; /* trailing slashes? */ -@@ -2927,7 +2989,7 @@ retry_lookup: +@@ -2928,7 +2990,7 @@ retry_lookup: */ } mutex_lock(&dir->d_inode->i_mutex); @@ -62334,7 +62631,7 @@ index 8274c8d..922e189 100644 mutex_unlock(&dir->d_inode->i_mutex); if (error <= 0) { -@@ -2951,11 +3013,28 @@ retry_lookup: +@@ -2952,11 +3014,28 @@ retry_lookup: goto finish_open_created; } @@ -62364,7 +62661,7 @@ index 8274c8d..922e189 100644 /* * If atomic_open() acquired write access it is dropped now due to -@@ -2996,6 +3075,11 @@ finish_lookup: +@@ -2997,6 +3076,11 @@ finish_lookup: } } BUG_ON(inode != path->dentry->d_inode); @@ -62376,7 +62673,7 @@ index 8274c8d..922e189 100644 return 1; } -@@ -3005,7 +3089,6 @@ finish_lookup: +@@ -3006,7 +3090,6 @@ finish_lookup: save_parent.dentry = nd->path.dentry; save_parent.mnt = mntget(path->mnt); nd->path.dentry = path->dentry; @@ -62384,7 +62681,7 @@ index 8274c8d..922e189 100644 } nd->inode = inode; /* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */ -@@ -3015,7 +3098,18 @@ finish_open: +@@ -3016,7 +3099,18 @@ finish_open: path_put(&save_parent); return error; } @@ -62403,7 +62700,7 @@ index 8274c8d..922e189 100644 error = -EISDIR; if ((open_flag & O_CREAT) && (d_is_directory(nd->path.dentry) || d_is_autodir(nd->path.dentry))) -@@ -3179,7 +3273,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, +@@ -3180,7 +3274,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, if (unlikely(error)) goto out; @@ -62412,7 +62709,7 @@ index 8274c8d..922e189 100644 while (unlikely(error > 0)) { /* trailing symlink */ struct path link = path; void *cookie; -@@ -3197,7 +3291,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, +@@ -3198,7 +3292,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, error = follow_link(&link, nd, &cookie); if (unlikely(error)) break; @@ -62421,7 +62718,7 @@ index 8274c8d..922e189 100644 put_link(nd, &link, cookie); } out: -@@ -3297,9 +3391,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, +@@ -3298,9 +3392,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, goto unlock; error = -EEXIST; @@ -62435,7 +62732,7 @@ index 8274c8d..922e189 100644 /* * Special case - lookup gave negative, but... we had foo/bar/ * From the vfs_mknod() POV we just have a negative dentry - -@@ -3351,6 +3447,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, +@@ -3352,6 +3448,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, } EXPORT_SYMBOL(user_path_create); @@ -62456,7 +62753,7 @@ index 8274c8d..922e189 100644 int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) { int error = may_create(dir, dentry); -@@ -3413,6 +3523,17 @@ retry: +@@ -3414,6 +3524,17 @@ retry: if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); @@ -62474,7 +62771,7 @@ index 8274c8d..922e189 100644 error = security_path_mknod(&path, dentry, mode, dev); if (error) goto out; -@@ -3429,6 +3550,8 @@ retry: +@@ -3430,6 +3551,8 @@ retry: break; } out: @@ -62483,7 +62780,7 @@ index 8274c8d..922e189 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3481,9 +3604,16 @@ retry: +@@ -3482,9 +3605,16 @@ retry: if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); @@ -62500,7 +62797,7 @@ index 8274c8d..922e189 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3564,6 +3694,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -3565,6 +3695,8 @@ static long do_rmdir(int dfd, const char __user *pathname) struct filename *name; struct dentry *dentry; struct nameidata nd; @@ -62509,7 +62806,7 @@ index 8274c8d..922e189 100644 unsigned int lookup_flags = 0; retry: name = user_path_parent(dfd, pathname, &nd, lookup_flags); -@@ -3596,10 +3728,21 @@ retry: +@@ -3597,10 +3729,21 @@ retry: error = -ENOENT; goto exit3; } @@ -62531,7 +62828,7 @@ index 8274c8d..922e189 100644 exit3: dput(dentry); exit2: -@@ -3689,6 +3832,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -3690,6 +3833,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) struct nameidata nd; struct inode *inode = NULL; struct inode *delegated_inode = NULL; @@ -62540,7 +62837,7 @@ index 8274c8d..922e189 100644 unsigned int lookup_flags = 0; retry: name = user_path_parent(dfd, pathname, &nd, lookup_flags); -@@ -3715,10 +3860,22 @@ retry_deleg: +@@ -3716,10 +3861,22 @@ retry_deleg: if (d_is_negative(dentry)) goto slashes; ihold(inode); @@ -62563,7 +62860,7 @@ index 8274c8d..922e189 100644 exit2: dput(dentry); } -@@ -3806,9 +3963,17 @@ retry: +@@ -3807,9 +3964,17 @@ retry: if (IS_ERR(dentry)) goto out_putname; @@ -62581,7 +62878,7 @@ index 8274c8d..922e189 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3911,6 +4076,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -3912,6 +4077,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, struct dentry *new_dentry; struct path old_path, new_path; struct inode *delegated_inode = NULL; @@ -62589,7 +62886,7 @@ index 8274c8d..922e189 100644 int how = 0; int error; -@@ -3934,7 +4100,7 @@ retry: +@@ -3935,7 +4101,7 @@ retry: if (error) return error; @@ -62598,7 +62895,7 @@ index 8274c8d..922e189 100644 (how & LOOKUP_REVAL)); error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) -@@ -3946,11 +4112,28 @@ retry: +@@ -3947,11 +4113,28 @@ retry: error = may_linkat(&old_path); if (unlikely(error)) goto out_dput; @@ -62627,7 +62924,7 @@ index 8274c8d..922e189 100644 done_path_create(&new_path, new_dentry); if (delegated_inode) { error = break_deleg_wait(&delegated_inode); -@@ -4237,6 +4420,12 @@ retry_deleg: +@@ -4238,6 +4421,12 @@ retry_deleg: if (new_dentry == trap) goto exit5; @@ -62640,7 +62937,7 @@ index 8274c8d..922e189 100644 error = security_path_rename(&oldnd.path, old_dentry, &newnd.path, new_dentry); if (error) -@@ -4244,6 +4433,9 @@ retry_deleg: +@@ -4245,6 +4434,9 @@ retry_deleg: error = vfs_rename(old_dir->d_inode, old_dentry, new_dir->d_inode, new_dentry, &delegated_inode); @@ -62650,7 +62947,7 @@ index 8274c8d..922e189 100644 exit5: dput(new_dentry); exit4: -@@ -4280,6 +4472,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna +@@ -4281,6 +4473,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link) { @@ -62659,7 +62956,7 @@ index 8274c8d..922e189 100644 int len; len = PTR_ERR(link); -@@ -4289,7 +4483,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c +@@ -4290,7 +4484,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c len = strlen(link); if (len > (unsigned) buflen) len = buflen; @@ -62841,10 +63138,10 @@ index 15f9d98..082c625 100644 void nfs_fattr_init(struct nfs_fattr *fattr) diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c -index 9a914e8..e89c0ea 100644 +index f23a6ca..730ddcc 100644 --- a/fs/nfsd/nfs4proc.c +++ b/fs/nfsd/nfs4proc.c -@@ -1178,7 +1178,7 @@ struct nfsd4_operation { +@@ -1169,7 +1169,7 @@ struct nfsd4_operation { nfsd4op_rsize op_rsize_bop; stateid_getter op_get_currentstateid; stateid_setter op_set_currentstateid; @@ -62854,10 +63151,10 @@ index 9a914e8..e89c0ea 100644 static struct nfsd4_operation nfsd4_ops[]; diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c -index bc11bf6..324b058 100644 +index 8657335..cd3e37f 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c -@@ -1531,7 +1531,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p) +@@ -1542,7 +1542,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p) typedef __be32(*nfsd4_dec)(struct nfsd4_compoundargs *argp, void *); @@ -64644,10 +64941,10 @@ index d4a3574..b421ce9 100644 seq_putc(m, '\n'); diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c -index 4677bb7..94067cd 100644 +index 4677bb7..dad3045 100644 --- a/fs/proc/proc_net.c +++ b/fs/proc/proc_net.c -@@ -23,6 +23,7 @@ +@@ -23,9 +23,27 @@ #include <linux/nsproxy.h> #include <net/net_namespace.h> #include <linux/seq_file.h> @@ -64655,7 +64952,27 @@ index 4677bb7..94067cd 100644 #include "internal.h" -@@ -36,6 +37,8 @@ static struct net *get_proc_net(const struct inode *inode) ++#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) ++static struct seq_operations *ipv6_seq_ops_addr; ++ ++void register_ipv6_seq_ops_addr(struct seq_operations *addr) ++{ ++ ipv6_seq_ops_addr = addr; ++} ++ ++void unregister_ipv6_seq_ops_addr(void) ++{ ++ ipv6_seq_ops_addr = NULL; ++} ++ ++EXPORT_SYMBOL_GPL(register_ipv6_seq_ops_addr); ++EXPORT_SYMBOL_GPL(unregister_ipv6_seq_ops_addr); ++#endif ++ + static inline struct net *PDE_NET(struct proc_dir_entry *pde) + { + return pde->parent->data; +@@ -36,6 +54,8 @@ static struct net *get_proc_net(const struct inode *inode) return maybe_get_net(PDE_NET(PDE(inode))); } @@ -64664,18 +64981,22 @@ index 4677bb7..94067cd 100644 int seq_open_net(struct inode *ino, struct file *f, const struct seq_operations *ops, int size) { -@@ -44,6 +47,10 @@ int seq_open_net(struct inode *ino, struct file *f, +@@ -44,6 +64,14 @@ int seq_open_net(struct inode *ino, struct file *f, BUG_ON(size < sizeof(*p)); + /* only permit access to /proc/net/dev */ -+ if (ops != &dev_seq_ops && gr_proc_is_restricted()) ++ if ( ++#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) ++ ops != ipv6_seq_ops_addr && ++#endif ++ ops != &dev_seq_ops && gr_proc_is_restricted()) + return -EACCES; + net = get_proc_net(ino); if (net == NULL) return -ENXIO; -@@ -66,6 +73,9 @@ int single_open_net(struct inode *inode, struct file *file, +@@ -66,6 +94,9 @@ int single_open_net(struct inode *inode, struct file *file, int err; struct net *net; @@ -71669,7 +71990,7 @@ index 0000000..25f54ef +}; diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c new file mode 100644 -index 0000000..361a099 +index 0000000..3f8ade0 --- /dev/null +++ b/grsecurity/gracl_policy.c @@ -0,0 +1,1782 @@ @@ -71728,9 +72049,9 @@ index 0000000..361a099 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum); +extern void gr_clear_learn_entries(void); + -+static struct gr_arg gr_usermode; -+static unsigned char gr_system_salt[GR_SALT_LEN]; -+static unsigned char gr_system_sum[GR_SHA_LEN]; ++struct gr_arg *gr_usermode __read_only; ++unsigned char *gr_system_salt __read_only; ++unsigned char *gr_system_sum __read_only; + +static unsigned int gr_auth_attempts = 0; +static unsigned long gr_auth_expires = 0UL; @@ -72972,8 +73293,8 @@ index 0000000..361a099 +{ + int error = 0; + -+ memcpy(&gr_system_salt, args->salt, sizeof(gr_system_salt)); -+ memcpy(&gr_system_sum, args->sum, sizeof(gr_system_sum)); ++ memcpy(gr_system_salt, args->salt, GR_SALT_LEN); ++ memcpy(gr_system_sum, args->sum, GR_SHA_LEN); + + if (init_variables(args, false)) { + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION); @@ -73200,11 +73521,11 @@ index 0000000..361a099 + if (error) + goto out; + -+ error = copy_gr_arg(uwrap.arg, &gr_usermode); ++ error = copy_gr_arg(uwrap.arg, gr_usermode); + if (error) + goto out; + -+ if (gr_usermode.mode != GR_SPROLE && gr_usermode.mode != GR_SPROLEPAM && ++ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM && + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES && + time_after(gr_auth_expires, get_seconds())) { + error = -EBUSY; @@ -73216,8 +73537,8 @@ index 0000000..361a099 + locking + */ + -+ if (gr_usermode.mode != GR_SPROLE && gr_usermode.mode != GR_STATUS && -+ gr_usermode.mode != GR_UNSPROLE && gr_usermode.mode != GR_SPROLEPAM && ++ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS && ++ gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM && + gr_is_global_nonroot(current_uid())) { + error = -EPERM; + goto out; @@ -73225,15 +73546,15 @@ index 0000000..361a099 + + /* ensure pw and special role name are null terminated */ + -+ gr_usermode.pw[GR_PW_LEN - 1] = '\0'; -+ gr_usermode.sp_role[GR_SPROLE_LEN - 1] = '\0'; ++ gr_usermode->pw[GR_PW_LEN - 1] = '\0'; ++ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0'; + + /* Okay. + * We have our enough of the argument structure..(we have yet + * to copy_from_user the tables themselves) . Copy the tables + * only if we need them, i.e. for loading operations. */ + -+ switch (gr_usermode.mode) { ++ switch (gr_usermode->mode) { + case GR_STATUS: + if (gr_acl_is_enabled()) { + error = 1; @@ -73243,12 +73564,12 @@ index 0000000..361a099 + error = 2; + goto out; + case GR_SHUTDOWN: -+ if (gr_acl_is_enabled() && !(chkpw(&gr_usermode, (unsigned char *)&gr_system_salt, (unsigned char *)&gr_system_sum))) { ++ if (gr_acl_is_enabled() && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) { + stop_machine(gr_rbac_disable, NULL, NULL); + free_variables(false); -+ memset(&gr_usermode, 0, sizeof(gr_usermode)); -+ memset(&gr_system_salt, 0, sizeof(gr_system_salt)); -+ memset(&gr_system_sum, 0, sizeof(gr_system_sum)); ++ memset(gr_usermode, 0, sizeof(struct gr_arg)); ++ memset(gr_system_salt, 0, GR_SALT_LEN); ++ memset(gr_system_sum, 0, GR_SHA_LEN); + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG); + } else if (gr_acl_is_enabled()) { + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG); @@ -73259,7 +73580,7 @@ index 0000000..361a099 + } + break; + case GR_ENABLE: -+ if (!gr_acl_is_enabled() && !(error2 = gracl_init(&gr_usermode))) ++ if (!gr_acl_is_enabled() && !(error2 = gracl_init(gr_usermode))) + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION); + else { + if (gr_acl_is_enabled()) @@ -73275,8 +73596,8 @@ index 0000000..361a099 + if (!gr_acl_is_enabled()) { + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION); + error = -EAGAIN; -+ } else if (!(chkpw(&gr_usermode, (unsigned char *)&gr_system_salt, (unsigned char *)&gr_system_sum))) { -+ error2 = gracl_reload(&gr_usermode, oldmode); ++ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) { ++ error2 = gracl_reload(gr_usermode, oldmode); + if (!error2) + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION); + else { @@ -73295,20 +73616,20 @@ index 0000000..361a099 + break; + } + -+ if (!(chkpw(&gr_usermode, (unsigned char *)&gr_system_salt, (unsigned char *)&gr_system_sum))) { ++ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) { + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG); -+ if (gr_usermode.segv_device && gr_usermode.segv_inode) { ++ if (gr_usermode->segv_device && gr_usermode->segv_inode) { + struct acl_subject_label *segvacl; + segvacl = -+ lookup_acl_subj_label(gr_usermode.segv_inode, -+ gr_usermode.segv_device, ++ lookup_acl_subj_label(gr_usermode->segv_inode, ++ gr_usermode->segv_device, + current->role); + if (segvacl) { + segvacl->crashes = 0; + segvacl->expires = 0; + } -+ } else if (gr_find_uid(gr_usermode.segv_uid) >= 0) { -+ gr_remove_uid(gr_usermode.segv_uid); ++ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) { ++ gr_remove_uid(gr_usermode->segv_uid); + } + } else { + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG); @@ -73335,11 +73656,11 @@ index 0000000..361a099 + } + + if (lookup_special_role_auth -+ (gr_usermode.mode, gr_usermode.sp_role, &sprole_salt, &sprole_sum) ++ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum) + && ((!sprole_salt && !sprole_sum) -+ || !(chkpw(&gr_usermode, sprole_salt, sprole_sum)))) { ++ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) { + char *p = ""; -+ assign_special_role(gr_usermode.sp_role); ++ assign_special_role(gr_usermode->sp_role); + read_lock(&tasklist_lock); + if (current->real_parent) + p = current->real_parent->role->rolename; @@ -73347,7 +73668,7 @@ index 0000000..361a099 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG, + p, acl_sp_role_value); + } else { -+ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode.sp_role); ++ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role); + error = -EPERM; + if(!(current->role->auth_attempts++)) + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT; @@ -73381,7 +73702,7 @@ index 0000000..361a099 + } + break; + default: -+ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode.mode); ++ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode); + error = -EINVAL; + break; + } @@ -75005,10 +75326,10 @@ index 0000000..8ca18bf +} diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c new file mode 100644 -index 0000000..ae6c028 +index 0000000..b7cb191 --- /dev/null +++ b/grsecurity/grsec_init.c -@@ -0,0 +1,272 @@ +@@ -0,0 +1,286 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/mm.h> @@ -75088,6 +75409,10 @@ index 0000000..ae6c028 +char *gr_alert_log_buf; +char *gr_audit_log_buf; + ++extern struct gr_arg *gr_usermode; ++extern unsigned char *gr_system_salt; ++extern unsigned char *gr_system_sum; ++ +void __init +grsecurity_init(void) +{ @@ -75128,6 +75453,16 @@ index 0000000..ae6c028 + return; + } + ++ /* allocate memory for authentication structure */ ++ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL); ++ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL); ++ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL); ++ ++ if (!gr_usermode || !gr_system_salt || !gr_system_sum) { ++ panic("Unable to allocate grsecurity authentication structure"); ++ return; ++ } ++ +#ifdef CONFIG_GRKERNSEC_IO +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO) + grsec_disable_privio = 1; @@ -77085,10 +77420,10 @@ index 0000000..ae02d8e +EXPORT_SYMBOL_GPL(gr_handle_new_usb); diff --git a/grsecurity/grsum.c b/grsecurity/grsum.c new file mode 100644 -index 0000000..9f7b1ac +index 0000000..158b330 --- /dev/null +++ b/grsecurity/grsum.c -@@ -0,0 +1,61 @@ +@@ -0,0 +1,64 @@ +#include <linux/err.h> +#include <linux/kernel.h> +#include <linux/sched.h> @@ -77105,47 +77440,50 @@ index 0000000..9f7b1ac +int +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum) +{ -+ char *p; + struct crypto_hash *tfm; + struct hash_desc desc; -+ struct scatterlist sg; -+ unsigned char temp_sum[GR_SHA_LEN]; -+ volatile int retval = 0; ++ struct scatterlist sg[2]; ++ unsigned char temp_sum[GR_SHA_LEN] __attribute__((aligned(__alignof__(unsigned long)))); ++ unsigned long *tmpsumptr = (unsigned long *)temp_sum; ++ unsigned long *sumptr = (unsigned long *)sum; ++ int cryptres; ++ int retval = 1; ++ volatile int mismatched = 0; + volatile int dummy = 0; + unsigned int i; + -+ sg_init_table(&sg, 1); -+ + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC); + if (IS_ERR(tfm)) { + /* should never happen, since sha256 should be built in */ ++ memset(entry->pw, 0, GR_PW_LEN); + return 1; + } + ++ sg_init_table(sg, 2); ++ sg_set_buf(&sg[0], salt, GR_SALT_LEN); ++ sg_set_buf(&sg[1], entry->pw, strlen(entry->pw)); ++ + desc.tfm = tfm; + desc.flags = 0; + -+ crypto_hash_init(&desc); -+ -+ p = salt; -+ sg_set_buf(&sg, p, GR_SALT_LEN); -+ crypto_hash_update(&desc, &sg, sg.length); -+ -+ p = entry->pw; -+ sg_set_buf(&sg, p, strlen(p)); -+ -+ crypto_hash_update(&desc, &sg, sg.length); -+ -+ crypto_hash_final(&desc, temp_sum); ++ cryptres = crypto_hash_digest(&desc, sg, GR_SALT_LEN + strlen(entry->pw), ++ temp_sum); + + memset(entry->pw, 0, GR_PW_LEN); + -+ for (i = 0; i < GR_SHA_LEN; i++) -+ if (sum[i] != temp_sum[i]) -+ retval = 1; ++ if (cryptres) ++ goto out; ++ ++ for (i = 0; i < GR_SHA_LEN/sizeof(tmpsumptr[0]); i++) ++ if (sumptr[i] != tmpsumptr[i]) ++ mismatched = 1; + else + dummy = 1; // waste a cycle + ++ if (!mismatched) ++ retval = dummy - 1; ++ ++out: + crypto_free_hash(tfm); + + return retval; @@ -80844,10 +81182,10 @@ index b8e9a43..632678d 100644 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu); diff --git a/include/linux/libata.h b/include/linux/libata.h -index 3fee55e..42565b7 100644 +index e13b3ae..5f450e6 100644 --- a/include/linux/libata.h +++ b/include/linux/libata.h -@@ -976,7 +976,7 @@ struct ata_port_operations { +@@ -977,7 +977,7 @@ struct ata_port_operations { * fields must be pointers. */ const struct ata_port_operations *inherits; @@ -82125,7 +82463,7 @@ index cc7494a..1e27036 100644 extern bool qid_valid(struct kqid qid); diff --git a/include/linux/random.h b/include/linux/random.h -index 1cfce0e..b0b9235 100644 +index 1cfce0e..bf99e0b 100644 --- a/include/linux/random.h +++ b/include/linux/random.h @@ -9,9 +9,19 @@ @@ -82175,6 +82513,15 @@ index 1cfce0e..b0b9235 100644 /** * prandom_u32_max - returns a pseudo-random number in interval [0, ep_ro) * @ep_ro: right open interval endpoint +@@ -49,7 +64,7 @@ void prandom_bytes_state(struct rnd_state *state, void *buf, int nbytes); + * + * Returns: pseudo-random number in interval [0, ep_ro) + */ +-static inline u32 prandom_u32_max(u32 ep_ro) ++static inline u32 __intentional_overflow(-1) prandom_u32_max(u32 ep_ro) + { + return (u32)(((u64) prandom_u32() * ep_ro) >> 32); + } diff --git a/include/linux/rbtree_augmented.h b/include/linux/rbtree_augmented.h index fea49b5..2ac22bb 100644 --- a/include/linux/rbtree_augmented.h @@ -83927,31 +84274,52 @@ index c55aeed..b3393f4 100644 /** inet_connection_sock - INET connection oriented sock * diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h -index 058271b..1a44af7 100644 +index 058271b..1af4453 100644 --- a/include/net/inetpeer.h +++ b/include/net/inetpeer.h -@@ -47,8 +47,8 @@ struct inet_peer { +@@ -41,14 +41,13 @@ struct inet_peer { + struct rcu_head gc_rcu; + }; + /* +- * Once inet_peer is queued for deletion (refcnt == -1), following fields +- * are not available: rid, ip_id_count ++ * Once inet_peer is queued for deletion (refcnt == -1), following field ++ * is not available: rid + * We can share memory with rcu_head to help keep inet_peer small. */ union { struct { - atomic_t rid; /* Frag reception counter */ - atomic_t ip_id_count; /* IP ID for the next packet */ -+ atomic_unchecked_t rid; /* Frag reception counter */ -+ atomic_unchecked_t ip_id_count; /* IP ID for the next packet */ ++ atomic_unchecked_t rid; /* Frag reception counter */ }; struct rcu_head rcu; struct inet_peer *gc_next; -@@ -179,7 +179,7 @@ static inline int inet_getid(struct inet_peer *p, int more) - { - more++; - inet_peer_refcheck(p); -- return atomic_add_return(more, &p->ip_id_count) - more; -+ return atomic_add_return_unchecked(more, &p->ip_id_count) - more; +@@ -165,7 +164,7 @@ bool inet_peer_xrlim_allow(struct inet_peer *peer, int timeout); + void inetpeer_invalidate_tree(struct inet_peer_base *); + + /* +- * temporary check to make sure we dont access rid, ip_id_count, tcp_ts, ++ * temporary check to make sure we dont access rid, tcp_ts, + * tcp_ts_stamp if no refcount is taken on inet_peer + */ + static inline void inet_peer_refcheck(const struct inet_peer *p) +@@ -173,13 +172,4 @@ static inline void inet_peer_refcheck(const struct inet_peer *p) + WARN_ON_ONCE(atomic_read(&p->refcnt) <= 0); } +- +-/* can be called with or without local BH being disabled */ +-static inline int inet_getid(struct inet_peer *p, int more) +-{ +- more++; +- inet_peer_refcheck(p); +- return atomic_add_return(more, &p->ip_id_count) - more; +-} +- #endif /* _NET_INETPEER_H */ diff --git a/include/net/ip.h b/include/net/ip.h -index 23be0fd..0cb3e2c 100644 +index 23be0fd..7251808 100644 --- a/include/net/ip.h +++ b/include/net/ip.h @@ -214,7 +214,7 @@ static inline void snmp_mib_free(void __percpu *ptr[SNMP_ARRAY_SZ]) @@ -83963,6 +84331,55 @@ index 23be0fd..0cb3e2c 100644 static inline int inet_is_reserved_local_port(int port) { return test_bit(port, sysctl_local_reserved_ports); +@@ -297,9 +297,10 @@ static inline unsigned int ip_skb_dst_mtu(const struct sk_buff *skb) + } + } + +-void __ip_select_ident(struct iphdr *iph, struct dst_entry *dst, int more); ++u32 ip_idents_reserve(u32 hash, int segs) __intentional_overflow(-1); ++void __ip_select_ident(struct iphdr *iph, int segs); + +-static inline void ip_select_ident(struct sk_buff *skb, struct dst_entry *dst, struct sock *sk) ++static inline void ip_select_ident_segs(struct sk_buff *skb, struct sock *sk, int segs) + { + struct iphdr *iph = ip_hdr(skb); + +@@ -309,24 +310,20 @@ static inline void ip_select_ident(struct sk_buff *skb, struct dst_entry *dst, s + * does not change, they drop every other packet in + * a TCP stream using header compression. + */ +- iph->id = (sk && inet_sk(sk)->inet_daddr) ? +- htons(inet_sk(sk)->inet_id++) : 0; +- } else +- __ip_select_ident(iph, dst, 0); +-} +- +-static inline void ip_select_ident_more(struct sk_buff *skb, struct dst_entry *dst, struct sock *sk, int more) +-{ +- struct iphdr *iph = ip_hdr(skb); +- +- if ((iph->frag_off & htons(IP_DF)) && !skb->local_df) { + if (sk && inet_sk(sk)->inet_daddr) { + iph->id = htons(inet_sk(sk)->inet_id); +- inet_sk(sk)->inet_id += 1 + more; +- } else ++ inet_sk(sk)->inet_id += segs; ++ } else { + iph->id = 0; +- } else +- __ip_select_ident(iph, dst, more); ++ } ++ } else { ++ __ip_select_ident(iph, segs); ++ } ++} ++ ++static inline void ip_select_ident(struct sk_buff *skb, struct sock *sk) ++{ ++ ip_select_ident_segs(skb, sk, 1); + } + + /* diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h index 9922093..a1755d6 100644 --- a/include/net/ip_fib.h @@ -84012,6 +84429,19 @@ index 5679d92..2e7a690 100644 /* ip_vs_est */ struct list_head est_list; /* estimator list */ spinlock_t est_lock; +diff --git a/include/net/ipv6.h b/include/net/ipv6.h +index 4f541f1..9ac6578 100644 +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -660,8 +660,6 @@ static inline int ipv6_addr_diff(const struct in6_addr *a1, const struct in6_add + return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr)); + } + +-void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt); +- + int ip6_dst_hoplimit(struct dst_entry *dst); + + /* diff --git a/include/net/irda/ircomm_tty.h b/include/net/irda/ircomm_tty.h index 8d4f588..2e37ad2 100644 --- a/include/net/irda/ircomm_tty.h @@ -84412,8 +84842,21 @@ index 0dfcc92..7967849 100644 /* Structure to track chunk fragments that have been acked, but peer +diff --git a/include/net/secure_seq.h b/include/net/secure_seq.h +index f257486..3f36d45 100644 +--- a/include/net/secure_seq.h ++++ b/include/net/secure_seq.h +@@ -3,8 +3,6 @@ + + #include <linux/types.h> + +-__u32 secure_ip_id(__be32 daddr); +-__u32 secure_ipv6_id(const __be32 daddr[4]); + u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport); + u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr, + __be16 dport); diff --git a/include/net/sock.h b/include/net/sock.h -index 57c31dd..f5e5196 100644 +index 2f7bc43..530dadc 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -348,7 +348,7 @@ struct sock { @@ -84452,17 +84895,6 @@ index 57c31dd..f5e5196 100644 static inline struct sock_iocb *kiocb_to_siocb(struct kiocb *iocb) { -@@ -1755,8 +1755,8 @@ sk_dst_get(struct sock *sk) - - rcu_read_lock(); - dst = rcu_dereference(sk->sk_dst_cache); -- if (dst) -- dst_hold(dst); -+ if (dst && !atomic_inc_not_zero(&dst->__refcnt)) -+ dst = NULL; - rcu_read_unlock(); - return dst; - } @@ -1830,7 +1830,7 @@ static inline void sk_nocaps_add(struct sock *sk, netdev_features_t flags) } @@ -85955,7 +86387,7 @@ index 0c9dc86..a891393 100644 s.version = AUDIT_VERSION_LATEST; s.backlog_wait_time = audit_backlog_wait_time; diff --git a/kernel/auditsc.c b/kernel/auditsc.c -index 37e6216..3604797 100644 +index 619b58d..e58d957 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1954,7 +1954,7 @@ int auditsc_get_stamp(struct audit_context *ctx, @@ -86504,7 +86936,7 @@ index 0b097c8..11dd5c5 100644 #ifdef CONFIG_MODULE_UNLOAD { diff --git a/kernel/events/core.c b/kernel/events/core.c -index 0e7fea7..f869fde 100644 +index f774e93..c602612 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -158,8 +158,15 @@ static struct srcu_struct pmus_srcu; @@ -89226,7 +89658,7 @@ index 2fac9cc..56fef29 100644 select LZO_COMPRESS select LZO_DECOMPRESS diff --git a/kernel/power/process.c b/kernel/power/process.c -index 06ec886..9dba35e 100644 +index 14f9a8d..98ee610 100644 --- a/kernel/power/process.c +++ b/kernel/power/process.c @@ -34,6 +34,7 @@ static int try_to_freeze_tasks(bool user_only) @@ -90868,7 +91300,7 @@ index c0a58be..784c618 100644 if (!retval) { if (old_rlim) diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index aae21e8..58d8c9a 100644 +index c1b26e1..bc7b50d 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -94,7 +94,6 @@ @@ -90908,7 +91340,7 @@ index aae21e8..58d8c9a 100644 #endif /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */ -@@ -182,10 +180,8 @@ static int proc_taint(struct ctl_table *table, int write, +@@ -181,10 +179,8 @@ static int proc_taint(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos); #endif @@ -90919,7 +91351,7 @@ index aae21e8..58d8c9a 100644 static int proc_dointvec_minmax_coredump(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos); -@@ -216,6 +212,8 @@ static int sysrq_sysctl_handler(ctl_table *table, int write, +@@ -215,6 +211,8 @@ static int sysrq_sysctl_handler(ctl_table *table, int write, #endif @@ -90928,7 +91360,7 @@ index aae21e8..58d8c9a 100644 static struct ctl_table kern_table[]; static struct ctl_table vm_table[]; static struct ctl_table fs_table[]; -@@ -230,6 +228,20 @@ extern struct ctl_table epoll_table[]; +@@ -229,6 +227,20 @@ extern struct ctl_table epoll_table[]; int sysctl_legacy_va_layout; #endif @@ -90949,7 +91381,7 @@ index aae21e8..58d8c9a 100644 /* The default sysctl tables: */ static struct ctl_table sysctl_base_table[] = { -@@ -278,6 +290,22 @@ static int max_extfrag_threshold = 1000; +@@ -277,6 +289,22 @@ static int max_extfrag_threshold = 1000; #endif static struct ctl_table kern_table[] = { @@ -90972,7 +91404,7 @@ index aae21e8..58d8c9a 100644 { .procname = "sched_child_runs_first", .data = &sysctl_sched_child_runs_first, -@@ -640,7 +668,7 @@ static struct ctl_table kern_table[] = { +@@ -639,7 +667,7 @@ static struct ctl_table kern_table[] = { .data = &modprobe_path, .maxlen = KMOD_PATH_LEN, .mode = 0644, @@ -90981,7 +91413,7 @@ index aae21e8..58d8c9a 100644 }, { .procname = "modules_disabled", -@@ -807,16 +835,20 @@ static struct ctl_table kern_table[] = { +@@ -806,16 +834,20 @@ static struct ctl_table kern_table[] = { .extra1 = &zero, .extra2 = &one, }, @@ -91003,7 +91435,7 @@ index aae21e8..58d8c9a 100644 { .procname = "ngroups_max", .data = &ngroups_max, -@@ -1061,10 +1093,17 @@ static struct ctl_table kern_table[] = { +@@ -1060,10 +1092,17 @@ static struct ctl_table kern_table[] = { */ { .procname = "perf_event_paranoid", @@ -91024,7 +91456,7 @@ index aae21e8..58d8c9a 100644 }, { .procname = "perf_event_mlock_kb", -@@ -1335,6 +1374,13 @@ static struct ctl_table vm_table[] = { +@@ -1334,6 +1373,13 @@ static struct ctl_table vm_table[] = { .proc_handler = proc_dointvec_minmax, .extra1 = &zero, }, @@ -91038,7 +91470,7 @@ index aae21e8..58d8c9a 100644 #else { .procname = "nr_trim_pages", -@@ -1799,6 +1845,16 @@ int proc_dostring(struct ctl_table *table, int write, +@@ -1798,6 +1844,16 @@ int proc_dostring(struct ctl_table *table, int write, buffer, lenp, ppos); } @@ -91055,7 +91487,7 @@ index aae21e8..58d8c9a 100644 static size_t proc_skip_spaces(char **buf) { size_t ret; -@@ -1904,6 +1960,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val, +@@ -1903,6 +1959,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val, len = strlen(tmp); if (len > *size) len = *size; @@ -91064,7 +91496,7 @@ index aae21e8..58d8c9a 100644 if (copy_to_user(*buf, tmp, len)) return -EFAULT; *size -= len; -@@ -2068,7 +2126,7 @@ int proc_dointvec(struct ctl_table *table, int write, +@@ -2067,7 +2125,7 @@ int proc_dointvec(struct ctl_table *table, int write, static int proc_taint(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -91073,7 +91505,7 @@ index aae21e8..58d8c9a 100644 unsigned long tmptaint = get_taint(); int err; -@@ -2096,7 +2154,6 @@ static int proc_taint(struct ctl_table *table, int write, +@@ -2095,7 +2153,6 @@ static int proc_taint(struct ctl_table *table, int write, return err; } @@ -91081,7 +91513,7 @@ index aae21e8..58d8c9a 100644 static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { -@@ -2105,7 +2162,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, +@@ -2104,7 +2161,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, return proc_dointvec_minmax(table, write, buffer, lenp, ppos); } @@ -91089,7 +91521,7 @@ index aae21e8..58d8c9a 100644 struct do_proc_dointvec_minmax_conv_param { int *min; -@@ -2652,6 +2708,12 @@ int proc_dostring(struct ctl_table *table, int write, +@@ -2651,6 +2707,12 @@ int proc_dostring(struct ctl_table *table, int write, return -ENOSYS; } @@ -91102,7 +91534,7 @@ index aae21e8..58d8c9a 100644 int proc_dointvec(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { -@@ -2708,5 +2770,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax); +@@ -2707,5 +2769,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax); EXPORT_SYMBOL(proc_dointvec_userhz_jiffies); EXPORT_SYMBOL(proc_dointvec_ms_jiffies); EXPORT_SYMBOL(proc_dostring); @@ -91153,10 +91585,10 @@ index 7c7964c..2a0d412 100644 update_vsyscall_tz(); if (firsttime) { diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c -index 88c9c65..7497ebc 100644 +index fe75444..190c528 100644 --- a/kernel/time/alarmtimer.c +++ b/kernel/time/alarmtimer.c -@@ -795,7 +795,7 @@ static int __init alarmtimer_init(void) +@@ -811,7 +811,7 @@ static int __init alarmtimer_init(void) struct platform_device *pdev; int error = 0; int i; @@ -91357,7 +91789,7 @@ index 4f3a3c03..04b7886 100644 ret = -EIO; diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c -index 868633e..921dc41 100644 +index e3be87e..7480b36 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -1965,12 +1965,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec) @@ -91420,7 +91852,7 @@ index 868633e..921dc41 100644 ftrace_graph_active++; diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c -index fc4da2d..f3e800b 100644 +index 0954450..0ed035c 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -352,9 +352,9 @@ struct buffer_data_page { @@ -91446,7 +91878,7 @@ index fc4da2d..f3e800b 100644 local_t dropped_events; local_t committing; local_t commits; -@@ -992,8 +992,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer, +@@ -991,8 +991,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer, * * We add a counter to the write field to denote this. */ @@ -91457,7 +91889,7 @@ index fc4da2d..f3e800b 100644 /* * Just make sure we have seen our old_write and synchronize -@@ -1021,8 +1021,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer, +@@ -1020,8 +1020,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer, * cmpxchg to only update if an interrupt did not already * do it for us. If the cmpxchg fails, we don't care. */ @@ -91468,7 +91900,7 @@ index fc4da2d..f3e800b 100644 /* * No need to worry about races with clearing out the commit. -@@ -1386,12 +1386,12 @@ static void rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer); +@@ -1385,12 +1385,12 @@ static void rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer); static inline unsigned long rb_page_entries(struct buffer_page *bpage) { @@ -91483,7 +91915,7 @@ index fc4da2d..f3e800b 100644 } static int -@@ -1486,7 +1486,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages) +@@ -1485,7 +1485,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages) * bytes consumed in ring buffer from here. * Increment overrun to account for the lost events. */ @@ -91492,7 +91924,7 @@ index fc4da2d..f3e800b 100644 local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes); } -@@ -2064,7 +2064,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2063,7 +2063,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer, * it is our responsibility to update * the counters. */ @@ -91501,7 +91933,7 @@ index fc4da2d..f3e800b 100644 local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes); /* -@@ -2214,7 +2214,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2213,7 +2213,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, if (tail == BUF_PAGE_SIZE) tail_page->real_end = 0; @@ -91510,7 +91942,7 @@ index fc4da2d..f3e800b 100644 return; } -@@ -2249,7 +2249,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2248,7 +2248,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, rb_event_set_padding(event); /* Set the write back to the previous setting */ @@ -91519,7 +91951,7 @@ index fc4da2d..f3e800b 100644 return; } -@@ -2261,7 +2261,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2260,7 +2260,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, /* Set write to end of buffer */ length = (tail + length) - BUF_PAGE_SIZE; @@ -91528,7 +91960,7 @@ index fc4da2d..f3e800b 100644 } /* -@@ -2287,7 +2287,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2286,7 +2286,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, * about it. */ if (unlikely(next_page == commit_page)) { @@ -91537,7 +91969,7 @@ index fc4da2d..f3e800b 100644 goto out_reset; } -@@ -2343,7 +2343,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2342,7 +2342,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, cpu_buffer->tail_page) && (cpu_buffer->commit_page == cpu_buffer->reader_page))) { @@ -91546,7 +91978,7 @@ index fc4da2d..f3e800b 100644 goto out_reset; } } -@@ -2391,7 +2391,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2390,7 +2390,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, length += RB_LEN_TIME_EXTEND; tail_page = cpu_buffer->tail_page; @@ -91555,7 +91987,7 @@ index fc4da2d..f3e800b 100644 /* set write to only the index of the write */ write &= RB_WRITE_MASK; -@@ -2415,7 +2415,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2414,7 +2414,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, kmemcheck_annotate_bitfield(event, bitfield); rb_update_event(cpu_buffer, event, length, add_timestamp, delta); @@ -91564,7 +91996,7 @@ index fc4da2d..f3e800b 100644 /* * If this is the first commit on the page, then update -@@ -2448,7 +2448,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2447,7 +2447,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, if (bpage->page == (void *)addr && rb_page_write(bpage) == old_index) { unsigned long write_mask = @@ -91573,7 +92005,7 @@ index fc4da2d..f3e800b 100644 unsigned long event_length = rb_event_length(event); /* * This is on the tail page. It is possible that -@@ -2458,7 +2458,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2457,7 +2457,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, */ old_index += write_mask; new_index += write_mask; @@ -91582,7 +92014,7 @@ index fc4da2d..f3e800b 100644 if (index == old_index) { /* update counters */ local_sub(event_length, &cpu_buffer->entries_bytes); -@@ -2850,7 +2850,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2849,7 +2849,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, /* Do the likely case first */ if (likely(bpage->page == (void *)addr)) { @@ -91591,7 +92023,7 @@ index fc4da2d..f3e800b 100644 return; } -@@ -2862,7 +2862,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2861,7 +2861,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, start = bpage; do { if (bpage->page == (void *)addr) { @@ -91600,7 +92032,7 @@ index fc4da2d..f3e800b 100644 return; } rb_inc_page(cpu_buffer, &bpage); -@@ -3146,7 +3146,7 @@ static inline unsigned long +@@ -3145,7 +3145,7 @@ static inline unsigned long rb_num_of_entries(struct ring_buffer_per_cpu *cpu_buffer) { return local_read(&cpu_buffer->entries) - @@ -91609,7 +92041,7 @@ index fc4da2d..f3e800b 100644 } /** -@@ -3235,7 +3235,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu) +@@ -3234,7 +3234,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu) return 0; cpu_buffer = buffer->buffers[cpu]; @@ -91618,7 +92050,7 @@ index fc4da2d..f3e800b 100644 return ret; } -@@ -3258,7 +3258,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu) +@@ -3257,7 +3257,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu) return 0; cpu_buffer = buffer->buffers[cpu]; @@ -91627,7 +92059,7 @@ index fc4da2d..f3e800b 100644 return ret; } -@@ -3343,7 +3343,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer) +@@ -3342,7 +3342,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer) /* if you care about this being correct, lock the buffer */ for_each_buffer_cpu(buffer, cpu) { cpu_buffer = buffer->buffers[cpu]; @@ -91636,7 +92068,7 @@ index fc4da2d..f3e800b 100644 } return overruns; -@@ -3519,8 +3519,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) +@@ -3518,8 +3518,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) /* * Reset the reader page to size zero. */ @@ -91647,7 +92079,7 @@ index fc4da2d..f3e800b 100644 local_set(&cpu_buffer->reader_page->page->commit, 0); cpu_buffer->reader_page->real_end = 0; -@@ -3554,7 +3554,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) +@@ -3553,7 +3553,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) * want to compare with the last_overrun. */ smp_mb(); @@ -91656,7 +92088,7 @@ index fc4da2d..f3e800b 100644 /* * Here's the tricky part. -@@ -4124,8 +4124,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) +@@ -4123,8 +4123,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) cpu_buffer->head_page = list_entry(cpu_buffer->pages, struct buffer_page, list); @@ -91667,7 +92099,7 @@ index fc4da2d..f3e800b 100644 local_set(&cpu_buffer->head_page->page->commit, 0); cpu_buffer->head_page->read = 0; -@@ -4135,14 +4135,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) +@@ -4134,14 +4134,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) INIT_LIST_HEAD(&cpu_buffer->reader_page->list); INIT_LIST_HEAD(&cpu_buffer->new_pages); @@ -91686,7 +92118,7 @@ index fc4da2d..f3e800b 100644 local_set(&cpu_buffer->dropped_events, 0); local_set(&cpu_buffer->entries, 0); local_set(&cpu_buffer->committing, 0); -@@ -4547,8 +4547,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer, +@@ -4546,8 +4546,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer, rb_init_page(bpage); bpage = reader->page; reader->page = *data_page; @@ -91698,10 +92130,10 @@ index fc4da2d..f3e800b 100644 *data_page = bpage; diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c -index f0831c22..4b19cb3 100644 +index 7113672..e8a9c80 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c -@@ -3400,7 +3400,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set) +@@ -3412,7 +3412,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set) return 0; } @@ -91711,7 +92143,7 @@ index f0831c22..4b19cb3 100644 /* do nothing if flag is already set */ if (!!(trace_flags & mask) == !!enabled) diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h -index 02b592f..f971546 100644 +index c8bd809..33d7539 100644 --- a/kernel/trace/trace.h +++ b/kernel/trace/trace.h @@ -1233,7 +1233,7 @@ extern const char *__stop___tracepoint_str[]; @@ -91724,10 +92156,10 @@ index 02b592f..f971546 100644 /* * Normal trace_printk() and friends allocates special buffers diff --git a/kernel/trace/trace_clock.c b/kernel/trace/trace_clock.c -index 26dc348..8708ca7 100644 +index 57b67b1..66082a9 100644 --- a/kernel/trace/trace_clock.c +++ b/kernel/trace/trace_clock.c -@@ -123,7 +123,7 @@ u64 notrace trace_clock_global(void) +@@ -124,7 +124,7 @@ u64 notrace trace_clock_global(void) return now; } @@ -91736,7 +92168,7 @@ index 26dc348..8708ca7 100644 /* * trace_clock_counter(): simply an atomic counter. -@@ -132,5 +132,5 @@ static atomic64_t trace_counter; +@@ -133,5 +133,5 @@ static atomic64_t trace_counter; */ u64 notrace trace_clock_counter(void) { @@ -91744,10 +92176,10 @@ index 26dc348..8708ca7 100644 + return atomic64_inc_return_unchecked(&trace_counter); } diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c -index 7b16d40..1b2875d 100644 +index e4c4efc..ef4e975 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c -@@ -1681,7 +1681,6 @@ __trace_early_add_new_event(struct ftrace_event_call *call, +@@ -1682,7 +1682,6 @@ __trace_early_add_new_event(struct ftrace_event_call *call, return 0; } @@ -91904,10 +92336,10 @@ index c9b6f01..37781d9 100644 .thread_should_run = watchdog_should_run, .thread_fn = watchdog, diff --git a/kernel/workqueue.c b/kernel/workqueue.c -index b6a3941..b68f191 100644 +index b4defde..f092808 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c -@@ -4702,7 +4702,7 @@ static void rebind_workers(struct worker_pool *pool) +@@ -4703,7 +4703,7 @@ static void rebind_workers(struct worker_pool *pool) WARN_ON_ONCE(!(worker_flags & WORKER_UNBOUND)); worker_flags |= WORKER_REBOUND; worker_flags &= ~WORKER_UNBOUND; @@ -92683,7 +93115,7 @@ index 0000000..7cd6065 @@ -0,0 +1 @@ +-grsec diff --git a/mm/Kconfig b/mm/Kconfig -index 9b63c15..2ab509e 100644 +index 0862816..2e3a043 100644 --- a/mm/Kconfig +++ b/mm/Kconfig @@ -329,10 +329,11 @@ config KSM @@ -92848,7 +93280,7 @@ index b32b70c..e512eb0 100644 set_page_address(page, (void *)vaddr); diff --git a/mm/hugetlb.c b/mm/hugetlb.c -index 06a9bc0..cfbba83 100644 +index 923f38e..74e159a 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -2070,15 +2070,17 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy, @@ -92893,7 +93325,7 @@ index 06a9bc0..cfbba83 100644 if (ret) goto out; -@@ -2600,6 +2604,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2616,6 +2620,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, return 1; } @@ -92921,7 +93353,7 @@ index 06a9bc0..cfbba83 100644 /* * Hugetlb_cow() should be called with page lock of the original hugepage held. * Called with hugetlb_instantiation_mutex held and pte_page locked so we -@@ -2716,6 +2741,11 @@ retry_avoidcopy: +@@ -2732,6 +2757,11 @@ retry_avoidcopy: make_huge_pte(vma, new_page, 1)); page_remove_rmap(old_page); hugepage_add_new_anon_rmap(new_page, vma, address); @@ -92933,7 +93365,7 @@ index 06a9bc0..cfbba83 100644 /* Make the old page be freed below */ new_page = old_page; } -@@ -2880,6 +2910,10 @@ retry: +@@ -2896,6 +2926,10 @@ retry: && (vma->vm_flags & VM_SHARED))); set_huge_pte_at(mm, address, ptep, new_pte); @@ -92944,7 +93376,7 @@ index 06a9bc0..cfbba83 100644 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) { /* Optimization, do the COW without a second fault */ ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page, ptl); -@@ -2910,6 +2944,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2926,6 +2960,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, static DEFINE_MUTEX(hugetlb_instantiation_mutex); struct hstate *h = hstate_vma(vma); @@ -92955,7 +93387,7 @@ index 06a9bc0..cfbba83 100644 address &= huge_page_mask(h); ptep = huge_pte_offset(mm, address); -@@ -2923,6 +2961,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2939,6 +2977,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, VM_FAULT_SET_HINDEX(hstate_index(h)); } @@ -93127,6 +93559,23 @@ index 539eeb9..e24a987 100644 error = 0; if (end == start) return error; +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index 5b6b003..9b35da2 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -5670,8 +5670,12 @@ static int mem_cgroup_oom_notify_cb(struct mem_cgroup *memcg) + { + struct mem_cgroup_eventfd_list *ev; + ++ spin_lock(&memcg_oom_lock); ++ + list_for_each_entry(ev, &memcg->oom_notify, list) + eventfd_signal(ev->eventfd, 1); ++ ++ spin_unlock(&memcg_oom_lock); + return 0; + } + diff --git a/mm/memory-failure.c b/mm/memory-failure.c index 33365e9..2234ef9 100644 --- a/mm/memory-failure.c @@ -93258,7 +93707,7 @@ index 33365e9..2234ef9 100644 } unset_migratetype_isolate(page, MIGRATE_MOVABLE); diff --git a/mm/memory.c b/mm/memory.c -index 49e930f..90d7ec5 100644 +index 2121d8b8..fa1095a 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -403,6 +403,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, @@ -93831,7 +94280,7 @@ index 49e930f..90d7ec5 100644 pgd = pgd_offset(mm, address); pud = pud_alloc(mm, pgd, address); if (!pud) -@@ -3839,6 +4080,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) +@@ -3836,6 +4077,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) spin_unlock(&mm->page_table_lock); return 0; } @@ -93855,7 +94304,7 @@ index 49e930f..90d7ec5 100644 #endif /* __PAGETABLE_PUD_FOLDED */ #ifndef __PAGETABLE_PMD_FOLDED -@@ -3869,6 +4127,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) +@@ -3866,6 +4124,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) spin_unlock(&mm->page_table_lock); return 0; } @@ -93886,7 +94335,7 @@ index 49e930f..90d7ec5 100644 #endif /* __PAGETABLE_PMD_FOLDED */ #if !defined(__HAVE_ARCH_GATE_AREA) -@@ -3882,7 +4164,7 @@ static int __init gate_vma_init(void) +@@ -3879,7 +4161,7 @@ static int __init gate_vma_init(void) gate_vma.vm_start = FIXADDR_USER_START; gate_vma.vm_end = FIXADDR_USER_END; gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC; @@ -93895,7 +94344,7 @@ index 49e930f..90d7ec5 100644 return 0; } -@@ -4016,8 +4298,8 @@ out: +@@ -4013,8 +4295,8 @@ out: return ret; } @@ -93906,7 +94355,7 @@ index 49e930f..90d7ec5 100644 { resource_size_t phys_addr; unsigned long prot = 0; -@@ -4043,8 +4325,8 @@ EXPORT_SYMBOL_GPL(generic_access_phys); +@@ -4040,8 +4322,8 @@ EXPORT_SYMBOL_GPL(generic_access_phys); * Access another process' address space as given in mm. If non-NULL, use the * given task for page fault accounting. */ @@ -93917,7 +94366,7 @@ index 49e930f..90d7ec5 100644 { struct vm_area_struct *vma; void *old_buf = buf; -@@ -4052,7 +4334,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, +@@ -4049,7 +4331,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, down_read(&mm->mmap_sem); /* ignore errors, just check how much was successfully transferred */ while (len) { @@ -93926,7 +94375,7 @@ index 49e930f..90d7ec5 100644 void *maddr; struct page *page = NULL; -@@ -4111,8 +4393,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, +@@ -4108,8 +4390,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, * * The caller must hold a reference on @mm. */ @@ -93937,7 +94386,7 @@ index 49e930f..90d7ec5 100644 { return __access_remote_vm(NULL, mm, addr, buf, len, write); } -@@ -4122,11 +4404,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr, +@@ -4119,11 +4401,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr, * Source/target buffer must be kernel space, * Do not walk the page table directly, use get_user_pages */ @@ -93953,10 +94402,10 @@ index 49e930f..90d7ec5 100644 mm = get_task_mm(tsk); if (!mm) diff --git a/mm/mempolicy.c b/mm/mempolicy.c -index 56224d9..a74c77e 100644 +index 15a8ea0..cb50389 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c -@@ -750,6 +750,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start, +@@ -747,6 +747,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start, unsigned long vmstart; unsigned long vmend; @@ -93967,7 +94416,7 @@ index 56224d9..a74c77e 100644 vma = find_vma(mm, start); if (!vma || vma->vm_start > start) return -EFAULT; -@@ -793,6 +797,16 @@ static int mbind_range(struct mm_struct *mm, unsigned long start, +@@ -790,6 +794,16 @@ static int mbind_range(struct mm_struct *mm, unsigned long start, err = vma_replace_policy(vma, new_pol); if (err) goto out; @@ -93984,7 +94433,7 @@ index 56224d9..a74c77e 100644 } out: -@@ -1256,6 +1270,17 @@ static long do_mbind(unsigned long start, unsigned long len, +@@ -1253,6 +1267,17 @@ static long do_mbind(unsigned long start, unsigned long len, if (end < start) return -EINVAL; @@ -94002,7 +94451,7 @@ index 56224d9..a74c77e 100644 if (end == start) return 0; -@@ -1484,8 +1509,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode, +@@ -1478,8 +1503,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode, */ tcred = __task_cred(task); if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) && @@ -94012,7 +94461,7 @@ index 56224d9..a74c77e 100644 rcu_read_unlock(); err = -EPERM; goto out_put; -@@ -1516,6 +1540,15 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode, +@@ -1510,6 +1534,15 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode, goto out; } @@ -95784,7 +96233,7 @@ index d013dba..d5ae30d 100644 unsigned long bg_thresh, unsigned long dirty, diff --git a/mm/page_alloc.c b/mm/page_alloc.c -index 4b5d4f6..56dfb0a 100644 +index 7e7f947..254d009 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -61,6 +61,7 @@ @@ -95795,7 +96244,7 @@ index 4b5d4f6..56dfb0a 100644 #include <asm/sections.h> #include <asm/tlbflush.h> -@@ -354,7 +355,7 @@ out: +@@ -355,7 +356,7 @@ out: * This usage means that zero-order pages may not be compound. */ @@ -95804,7 +96253,7 @@ index 4b5d4f6..56dfb0a 100644 { __free_pages_ok(page, compound_order(page)); } -@@ -728,6 +729,10 @@ static bool free_pages_prepare(struct page *page, unsigned int order) +@@ -729,6 +730,10 @@ static bool free_pages_prepare(struct page *page, unsigned int order) int i; int bad = 0; @@ -95815,7 +96264,7 @@ index 4b5d4f6..56dfb0a 100644 trace_mm_page_free(page, order); kmemcheck_free_shadow(page, order); -@@ -744,6 +749,12 @@ static bool free_pages_prepare(struct page *page, unsigned int order) +@@ -745,6 +750,12 @@ static bool free_pages_prepare(struct page *page, unsigned int order) debug_check_no_obj_freed(page_address(page), PAGE_SIZE << order); } @@ -95828,7 +96277,7 @@ index 4b5d4f6..56dfb0a 100644 arch_free_page(page, order); kernel_map_pages(page, 1 << order, 0); -@@ -766,6 +777,20 @@ static void __free_pages_ok(struct page *page, unsigned int order) +@@ -767,6 +778,20 @@ static void __free_pages_ok(struct page *page, unsigned int order) local_irq_restore(flags); } @@ -95849,7 +96298,7 @@ index 4b5d4f6..56dfb0a 100644 void __init __free_pages_bootmem(struct page *page, unsigned int order) { unsigned int nr_pages = 1 << order; -@@ -781,6 +806,19 @@ void __init __free_pages_bootmem(struct page *page, unsigned int order) +@@ -782,6 +807,19 @@ void __init __free_pages_bootmem(struct page *page, unsigned int order) __ClearPageReserved(p); set_page_count(p, 0); @@ -95869,7 +96318,7 @@ index 4b5d4f6..56dfb0a 100644 page_zone(page)->managed_pages += nr_pages; set_page_refcounted(page); __free_pages(page, order); -@@ -897,8 +935,10 @@ static int prep_new_page(struct page *page, int order, gfp_t gfp_flags) +@@ -910,8 +948,10 @@ static int prep_new_page(struct page *page, int order, gfp_t gfp_flags) arch_alloc_page(page, order); kernel_map_pages(page, 1 << order, 1); @@ -95880,7 +96329,7 @@ index 4b5d4f6..56dfb0a 100644 if (order && (gfp_flags & __GFP_COMP)) prep_compound_page(page, order); -@@ -2401,7 +2441,7 @@ static void reset_alloc_batches(struct zonelist *zonelist, +@@ -2414,7 +2454,7 @@ static void reset_alloc_batches(struct zonelist *zonelist, continue; mod_zone_page_state(zone, NR_ALLOC_BATCH, high_wmark_pages(zone) - low_wmark_pages(zone) - @@ -95889,7 +96338,7 @@ index 4b5d4f6..56dfb0a 100644 } } -@@ -6577,4 +6617,4 @@ void dump_page(struct page *page, char *reason) +@@ -6605,4 +6645,4 @@ void dump_page(struct page *page, char *reason) { dump_page_badflags(page, reason, 0); } @@ -96076,7 +96525,7 @@ index cdbd312..2e1e0b9 100644 /* diff --git a/mm/shmem.c b/mm/shmem.c -index 1f18c9d..b550bab 100644 +index ff85863..6aa94ab 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -33,7 +33,7 @@ @@ -96088,7 +96537,7 @@ index 1f18c9d..b550bab 100644 #ifdef CONFIG_SHMEM /* -@@ -77,14 +77,15 @@ static struct vfsmount *shm_mnt; +@@ -77,7 +77,7 @@ static struct vfsmount *shm_mnt; #define BOGO_DIRENT_SIZE 20 /* Symlink up to this size is kmalloc'ed instead of using a swappable page */ @@ -96096,99 +96545,8 @@ index 1f18c9d..b550bab 100644 +#define SHORT_SYMLINK_LEN 64 /* -- * shmem_fallocate and shmem_writepage communicate via inode->i_private -- * (with i_mutex making sure that it has only one user at a time): -- * we would prefer not to enlarge the shmem inode just for that. -+ * shmem_fallocate communicates with shmem_fault or shmem_writepage via -+ * inode->i_private (with i_mutex making sure that it has only one user at -+ * a time): we would prefer not to enlarge the shmem inode just for that. - */ - struct shmem_falloc { -+ int mode; /* FALLOC_FL mode currently operating */ - pgoff_t start; /* start of range currently being fallocated */ - pgoff_t next; /* the next page offset to be fallocated */ - pgoff_t nr_falloced; /* how many new pages have been fallocated */ -@@ -824,6 +825,7 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc) - spin_lock(&inode->i_lock); - shmem_falloc = inode->i_private; - if (shmem_falloc && -+ !shmem_falloc->mode && - index >= shmem_falloc->start && - index < shmem_falloc->next) - shmem_falloc->nr_unswapped++; -@@ -1298,6 +1300,43 @@ static int shmem_fault(struct vm_area_struct *vma, struct vm_fault *vmf) - int error; - int ret = VM_FAULT_LOCKED; - -+ /* -+ * Trinity finds that probing a hole which tmpfs is punching can -+ * prevent the hole-punch from ever completing: which in turn -+ * locks writers out with its hold on i_mutex. So refrain from -+ * faulting pages into the hole while it's being punched, and -+ * wait on i_mutex to be released if vmf->flags permits, -+ */ -+ if (unlikely(inode->i_private)) { -+ struct shmem_falloc *shmem_falloc; -+ spin_lock(&inode->i_lock); -+ shmem_falloc = inode->i_private; -+ if (!shmem_falloc || -+ shmem_falloc->mode != FALLOC_FL_PUNCH_HOLE || -+ vmf->pgoff < shmem_falloc->start || -+ vmf->pgoff >= shmem_falloc->next) -+ shmem_falloc = NULL; -+ spin_unlock(&inode->i_lock); -+ /* -+ * i_lock has protected us from taking shmem_falloc seriously -+ * once return from shmem_fallocate() went back up that stack. -+ * i_lock does not serialize with i_mutex at all, but it does -+ * not matter if sometimes we wait unnecessarily, or sometimes -+ * miss out on waiting: we just need to make those cases rare. -+ */ -+ if (shmem_falloc) { -+ if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) && -+ !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) { -+ up_read(&vma->vm_mm->mmap_sem); -+ mutex_lock(&inode->i_mutex); -+ mutex_unlock(&inode->i_mutex); -+ return VM_FAULT_RETRY; -+ } -+ /* cond_resched? Leave that to GUP or return to user */ -+ return VM_FAULT_NOPAGE; -+ } -+ } -+ - error = shmem_getpage(inode, vmf->pgoff, &vmf->page, SGP_CACHE, &ret); - if (error) - return ((error == -ENOMEM) ? VM_FAULT_OOM : VM_FAULT_SIGBUS); -@@ -1813,18 +1852,26 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset, - - mutex_lock(&inode->i_mutex); - -+ shmem_falloc.mode = mode & ~FALLOC_FL_KEEP_SIZE; -+ - if (mode & FALLOC_FL_PUNCH_HOLE) { - struct address_space *mapping = file->f_mapping; - loff_t unmap_start = round_up(offset, PAGE_SIZE); - loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1; - -+ shmem_falloc.start = unmap_start >> PAGE_SHIFT; -+ shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT; -+ spin_lock(&inode->i_lock); -+ inode->i_private = &shmem_falloc; -+ spin_unlock(&inode->i_lock); -+ - if ((u64)unmap_end > (u64)unmap_start) - unmap_mapping_range(mapping, unmap_start, - 1 + unmap_end - unmap_start, 0); - shmem_truncate_range(inode, offset, offset + len - 1); - /* No need to unmap again: hole-punching leaves COWed pages */ - error = 0; -- goto out; -+ goto undone; - } - - /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */ -@@ -2218,6 +2265,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = { + * shmem_fallocate communicates with shmem_fault or shmem_writepage via +@@ -2298,6 +2298,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = { static int shmem_xattr_validate(const char *name) { struct { const char *prefix; size_t len; } arr[] = { @@ -96200,7 +96558,7 @@ index 1f18c9d..b550bab 100644 { XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN }, { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN } }; -@@ -2273,6 +2325,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name, +@@ -2353,6 +2358,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name, if (err) return err; @@ -96216,7 +96574,7 @@ index 1f18c9d..b550bab 100644 return simple_xattr_set(&info->xattrs, name, value, size, flags); } -@@ -2585,8 +2646,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) +@@ -2665,8 +2679,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) int err = -ENOMEM; /* Round up to L1_CACHE_BYTES to resist false sharing */ @@ -96227,7 +96585,7 @@ index 1f18c9d..b550bab 100644 return -ENOMEM; diff --git a/mm/slab.c b/mm/slab.c -index b264214..83872cd 100644 +index 6dd8d5f..2482a6d 100644 --- a/mm/slab.c +++ b/mm/slab.c @@ -300,10 +300,12 @@ static void kmem_cache_node_init(struct kmem_cache_node *parent) @@ -96256,7 +96614,7 @@ index b264214..83872cd 100644 #endif #if DEBUG -@@ -403,7 +407,7 @@ static inline void *index_to_obj(struct kmem_cache *cache, struct page *page, +@@ -436,7 +440,7 @@ static inline void *index_to_obj(struct kmem_cache *cache, struct page *page, * reciprocal_divide(offset, cache->reciprocal_buffer_size) */ static inline unsigned int obj_to_index(const struct kmem_cache *cache, @@ -96265,7 +96623,7 @@ index b264214..83872cd 100644 { u32 offset = (obj - page->s_mem); return reciprocal_divide(offset, cache->reciprocal_buffer_size); -@@ -1489,12 +1493,12 @@ void __init kmem_cache_init(void) +@@ -1536,12 +1540,12 @@ void __init kmem_cache_init(void) */ kmalloc_caches[INDEX_AC] = create_kmalloc_cache("kmalloc-ac", @@ -96280,7 +96638,7 @@ index b264214..83872cd 100644 slab_early_init = 0; -@@ -3428,6 +3432,21 @@ static inline void __cache_free(struct kmem_cache *cachep, void *objp, +@@ -3484,6 +3488,21 @@ static inline void __cache_free(struct kmem_cache *cachep, void *objp, struct array_cache *ac = cpu_cache_get(cachep); check_irq_off(); @@ -96302,7 +96660,7 @@ index b264214..83872cd 100644 kmemleak_free_recursive(objp, cachep->flags); objp = cache_free_debugcheck(cachep, objp, caller); -@@ -3656,6 +3675,7 @@ void kfree(const void *objp) +@@ -3712,6 +3731,7 @@ void kfree(const void *objp) if (unlikely(ZERO_OR_NULL_PTR(objp))) return; @@ -96310,7 +96668,7 @@ index b264214..83872cd 100644 local_irq_save(flags); kfree_debugcheck(objp); c = virt_to_cache(objp); -@@ -4097,14 +4117,22 @@ void slabinfo_show_stats(struct seq_file *m, struct kmem_cache *cachep) +@@ -4153,14 +4173,22 @@ void slabinfo_show_stats(struct seq_file *m, struct kmem_cache *cachep) } /* cpu stats */ { @@ -96337,7 +96695,7 @@ index b264214..83872cd 100644 #endif } -@@ -4334,13 +4362,69 @@ static const struct file_operations proc_slabstats_operations = { +@@ -4381,13 +4409,69 @@ static const struct file_operations proc_slabstats_operations = { static int __init slab_proc_init(void) { #ifdef CONFIG_DEBUG_SLAB_LEAK @@ -96449,7 +96807,7 @@ index 8184a7c..ab27737 100644 if (slab_equal_or_root(cachep, s)) return cachep; diff --git a/mm/slab_common.c b/mm/slab_common.c -index 1ec3c61..2067c11 100644 +index f149e67..b366f92 100644 --- a/mm/slab_common.c +++ b/mm/slab_common.c @@ -23,11 +23,22 @@ @@ -98160,7 +98518,7 @@ index 6afa3b4..7a14180 100644 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) && rfc.mode != chan->mode) diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c -index d4b7702..7122922 100644 +index 27ae841..e5a8343 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c @@ -625,7 +625,8 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, @@ -98201,7 +98559,7 @@ index d4b7702..7122922 100644 if (copy_from_user((char *) &sec, optval, len)) { err = -EFAULT; break; -@@ -857,7 +859,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, +@@ -852,7 +854,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, pwr.force_active = BT_POWER_FORCE_ACTIVE_ON; @@ -98421,7 +98779,7 @@ index 988721a..947846d 100644 switch (ss->ss_family) { diff --git a/net/compat.c b/net/compat.c -index f50161f..94fa415 100644 +index f50161f..ab7644e 100644 --- a/net/compat.c +++ b/net/compat.c @@ -73,9 +73,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) @@ -98437,17 +98795,28 @@ index f50161f..94fa415 100644 return 0; } -@@ -87,7 +87,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, +@@ -85,21 +85,22 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, + { + int tot_len; - if (kern_msg->msg_namelen) { +- if (kern_msg->msg_namelen) { ++ if (kern_msg->msg_name && kern_msg->msg_namelen) { if (mode == VERIFY_READ) { - int err = move_addr_to_kernel(kern_msg->msg_name, + int err = move_addr_to_kernel((void __force_user *)kern_msg->msg_name, kern_msg->msg_namelen, kern_address); if (err < 0) -@@ -99,7 +99,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, + return err; + } +- if (kern_msg->msg_name) +- kern_msg->msg_name = kern_address; +- } else ++ kern_msg->msg_name = kern_address; ++ } else { kern_msg->msg_name = NULL; ++ kern_msg->msg_namelen = 0; ++ } tot_len = iov_from_user_compat_to_kern(kern_iov, - (struct compat_iovec __user *)kern_msg->msg_iov, @@ -98455,7 +98824,7 @@ index f50161f..94fa415 100644 kern_msg->msg_iovlen); if (tot_len >= 0) kern_msg->msg_iov = kern_iov; -@@ -119,20 +119,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, +@@ -119,20 +120,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, #define CMSG_COMPAT_FIRSTHDR(msg) \ (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \ @@ -98479,7 +98848,7 @@ index f50161f..94fa415 100644 msg->msg_controllen) return NULL; return (struct compat_cmsghdr __user *)ptr; -@@ -222,7 +222,7 @@ Efault: +@@ -222,7 +223,7 @@ Efault: int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *data) { @@ -98488,7 +98857,7 @@ index f50161f..94fa415 100644 struct compat_cmsghdr cmhdr; struct compat_timeval ctv; struct compat_timespec cts[3]; -@@ -278,7 +278,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat +@@ -278,7 +279,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm) { @@ -98497,7 +98866,7 @@ index f50161f..94fa415 100644 int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int); int fdnum = scm->fp->count; struct file **fp = scm->fp->fp; -@@ -366,7 +366,7 @@ static int do_set_sock_timeout(struct socket *sock, int level, +@@ -366,7 +367,7 @@ static int do_set_sock_timeout(struct socket *sock, int level, return -EFAULT; old_fs = get_fs(); set_fs(KERNEL_DS); @@ -98506,7 +98875,7 @@ index f50161f..94fa415 100644 set_fs(old_fs); return err; -@@ -427,7 +427,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname, +@@ -427,7 +428,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname, len = sizeof(ktime); old_fs = get_fs(); set_fs(KERNEL_DS); @@ -98515,7 +98884,7 @@ index f50161f..94fa415 100644 set_fs(old_fs); if (!err) { -@@ -570,7 +570,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, +@@ -570,7 +571,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, case MCAST_JOIN_GROUP: case MCAST_LEAVE_GROUP: { @@ -98524,7 +98893,7 @@ index f50161f..94fa415 100644 struct group_req __user *kgr = compat_alloc_user_space(sizeof(struct group_req)); u32 interface; -@@ -591,7 +591,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, +@@ -591,7 +592,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, case MCAST_BLOCK_SOURCE: case MCAST_UNBLOCK_SOURCE: { @@ -98533,7 +98902,7 @@ index f50161f..94fa415 100644 struct group_source_req __user *kgsr = compat_alloc_user_space( sizeof(struct group_source_req)); u32 interface; -@@ -612,7 +612,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, +@@ -612,7 +613,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, } case MCAST_MSFILTER: { @@ -98542,7 +98911,7 @@ index f50161f..94fa415 100644 struct group_filter __user *kgf; u32 interface, fmode, numsrc; -@@ -650,7 +650,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname, +@@ -650,7 +651,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname, char __user *optval, int __user *optlen, int (*getsockopt)(struct sock *, int, int, char __user *, int __user *)) { @@ -98551,7 +98920,7 @@ index f50161f..94fa415 100644 struct group_filter __user *kgf; int __user *koptlen; u32 interface, fmode, numsrc; -@@ -803,7 +803,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) +@@ -803,7 +804,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) if (call < SYS_SOCKET || call > SYS_SENDMMSG) return -EINVAL; @@ -98574,10 +98943,10 @@ index a16ed7b..eb44d17 100644 return err; diff --git a/net/core/dev.c b/net/core/dev.c -index 4c1b483..3d45b13 100644 +index 37bddf7..c78c480 100644 --- a/net/core/dev.c +++ b/net/core/dev.c -@@ -1688,14 +1688,14 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb) +@@ -1695,14 +1695,14 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb) { if (skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY) { if (skb_copy_ubufs(skb, GFP_ATOMIC)) { @@ -98594,7 +98963,7 @@ index 4c1b483..3d45b13 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -2453,7 +2453,7 @@ static int illegal_highdma(const struct net_device *dev, struct sk_buff *skb) +@@ -2460,7 +2460,7 @@ static int illegal_highdma(const struct net_device *dev, struct sk_buff *skb) struct dev_gso_cb { void (*destructor)(struct sk_buff *skb); @@ -98603,7 +98972,7 @@ index 4c1b483..3d45b13 100644 #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb) -@@ -3227,7 +3227,7 @@ enqueue: +@@ -3234,7 +3234,7 @@ enqueue: local_irq_restore(flags); @@ -98612,7 +98981,7 @@ index 4c1b483..3d45b13 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -3308,7 +3308,7 @@ int netif_rx_ni(struct sk_buff *skb) +@@ -3315,7 +3315,7 @@ int netif_rx_ni(struct sk_buff *skb) } EXPORT_SYMBOL(netif_rx_ni); @@ -98621,7 +98990,7 @@ index 4c1b483..3d45b13 100644 { struct softnet_data *sd = &__get_cpu_var(softnet_data); -@@ -3645,7 +3645,7 @@ ncls: +@@ -3652,7 +3652,7 @@ ncls: ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev); } else { drop: @@ -98630,7 +98999,7 @@ index 4c1b483..3d45b13 100644 kfree_skb(skb); /* Jamal, now you will not able to escape explaining * me how you were going to use this. :-) -@@ -4333,7 +4333,7 @@ void netif_napi_del(struct napi_struct *napi) +@@ -4342,7 +4342,7 @@ void netif_napi_del(struct napi_struct *napi) } EXPORT_SYMBOL(netif_napi_del); @@ -98639,7 +99008,7 @@ index 4c1b483..3d45b13 100644 { struct softnet_data *sd = &__get_cpu_var(softnet_data); unsigned long time_limit = jiffies + 2; -@@ -6302,7 +6302,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, +@@ -6311,7 +6311,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, } else { netdev_stats_to_stats64(storage, &dev->stats); } @@ -98666,40 +99035,6 @@ index cf999e0..c59a975 100644 } } EXPORT_SYMBOL(dev_load); -diff --git a/net/core/dst.c b/net/core/dst.c -index ca4231e..15b6792 100644 ---- a/net/core/dst.c -+++ b/net/core/dst.c -@@ -267,6 +267,15 @@ again: - } - EXPORT_SYMBOL(dst_destroy); - -+static void dst_destroy_rcu(struct rcu_head *head) -+{ -+ struct dst_entry *dst = container_of(head, struct dst_entry, rcu_head); -+ -+ dst = dst_destroy(dst); -+ if (dst) -+ __dst_free(dst); -+} -+ - void dst_release(struct dst_entry *dst) - { - if (dst) { -@@ -274,11 +283,8 @@ void dst_release(struct dst_entry *dst) - - newrefcnt = atomic_dec_return(&dst->__refcnt); - WARN_ON(newrefcnt < 0); -- if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt) { -- dst = dst_destroy(dst); -- if (dst) -- __dst_free(dst); -- } -+ if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt) -+ call_rcu(&dst->rcu_head, dst_destroy_rcu); - } - } - EXPORT_SYMBOL(dst_release); diff --git a/net/core/filter.c b/net/core/filter.c index ebce437..9fed9d0 100644 --- a/net/core/filter.c @@ -98810,11 +99145,15 @@ index dfa602c..3103d88 100644 fle->object = flo; else diff --git a/net/core/iovec.c b/net/core/iovec.c -index b618694..192bbba 100644 +index b618694..cd5f0af 100644 --- a/net/core/iovec.c +++ b/net/core/iovec.c -@@ -42,7 +42,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a - if (m->msg_namelen) { +@@ -39,23 +39,23 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a + { + int size, ct, err; + +- if (m->msg_namelen) { ++ if (m->msg_name && m->msg_namelen) { if (mode == VERIFY_READ) { void __user *namep; - namep = (void __user __force *) m->msg_name; @@ -98822,7 +99161,14 @@ index b618694..192bbba 100644 err = move_addr_to_kernel(namep, m->msg_namelen, address); if (err < 0) -@@ -55,7 +55,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a + return err; + } +- if (m->msg_name) +- m->msg_name = address; ++ m->msg_name = address; + } else { + m->msg_name = NULL; ++ m->msg_namelen = 0; } size = m->msg_iovlen * sizeof(struct iovec); @@ -99075,8 +99421,44 @@ index b442e7e..6f5b5a2 100644 i++, cmfptr++) { struct socket *sock; +diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c +index 897da56..ba71212 100644 +--- a/net/core/secure_seq.c ++++ b/net/core/secure_seq.c +@@ -85,31 +85,6 @@ EXPORT_SYMBOL(secure_ipv6_port_ephemeral); + #endif + + #ifdef CONFIG_INET +-__u32 secure_ip_id(__be32 daddr) +-{ +- u32 hash[MD5_DIGEST_WORDS]; +- +- net_secret_init(); +- hash[0] = (__force __u32) daddr; +- hash[1] = net_secret[13]; +- hash[2] = net_secret[14]; +- hash[3] = net_secret[15]; +- +- md5_transform(hash, net_secret); +- +- return hash[0]; +-} +- +-__u32 secure_ipv6_id(const __be32 daddr[4]) +-{ +- __u32 hash[4]; +- +- net_secret_init(); +- memcpy(hash, daddr, 16); +- md5_transform(hash, net_secret); +- +- return hash[0]; +-} + + __u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr, + __be16 sport, __be16 dport) diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index e5ae776e..15c90cb 100644 +index 7f2e1fc..6206b10 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -2003,7 +2003,7 @@ EXPORT_SYMBOL(__skb_checksum); @@ -99088,7 +99470,7 @@ index e5ae776e..15c90cb 100644 .update = csum_partial_ext, .combine = csum_block_add_ext, }; -@@ -3220,13 +3220,15 @@ void __init skb_init(void) +@@ -3221,13 +3221,15 @@ void __init skb_init(void) skbuff_head_cache = kmem_cache_create("skbuff_head_cache", sizeof(struct sk_buff), 0, @@ -99400,10 +99782,10 @@ index 5325b54..a0d4d69 100644 *lenp = len; diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c -index 19ab78a..bf575c9 100644 +index 07bd8ed..c574801 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c -@@ -1703,13 +1703,9 @@ static int __init inet_init(void) +@@ -1706,13 +1706,9 @@ static int __init inet_init(void) BUILD_BUG_ON(sizeof(struct inet_skb_parm) > FIELD_SIZEOF(struct sk_buff, cb)); @@ -99418,7 +99800,7 @@ index 19ab78a..bf575c9 100644 rc = proto_register(&udp_prot, 1); if (rc) -@@ -1816,8 +1812,6 @@ out_unregister_udp_proto: +@@ -1819,8 +1815,6 @@ out_unregister_udp_proto: proto_unregister(&udp_prot); out_unregister_tcp_proto: proto_unregister(&tcp_prot); @@ -99539,6 +99921,28 @@ index 9d43468..ffa28cc 100644 return nh->nh_saddr; } +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c +index 9db3b87..0ffcd4d 100644 +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -369,7 +369,7 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size) + pip->saddr = fl4.saddr; + pip->protocol = IPPROTO_IGMP; + pip->tot_len = 0; /* filled in later */ +- ip_select_ident(skb, &rt->dst, NULL); ++ ip_select_ident(skb, NULL); + ((u8 *)&pip[1])[0] = IPOPT_RA; + ((u8 *)&pip[1])[1] = 4; + ((u8 *)&pip[1])[2] = 0; +@@ -714,7 +714,7 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc, + iph->daddr = dst; + iph->saddr = fl4.saddr; + iph->protocol = IPPROTO_IGMP; +- ip_select_ident(skb, &rt->dst, NULL); ++ ip_select_ident(skb, NULL); + ((u8 *)&iph[1])[0] = IPOPT_RA; + ((u8 *)&iph[1])[1] = 4; + ((u8 *)&iph[1])[2] = 0; diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c index 0d1e2cb..4501a2c 100644 --- a/net/ipv4/inet_connection_sock.c @@ -99583,20 +99987,51 @@ index 8b9cf27..0d8d592 100644 inet_twsk_deschedule(tw, death_row); while (twrefcnt) { diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c -index 48f4244..f56d83a 100644 +index 48f4244..d83ba8a 100644 --- a/net/ipv4/inetpeer.c +++ b/net/ipv4/inetpeer.c -@@ -496,8 +496,8 @@ relookup: +@@ -26,20 +26,7 @@ + * Theory of operations. + * We keep one entry for each peer IP address. The nodes contains long-living + * information about the peer which doesn't depend on routes. +- * At this moment this information consists only of ID field for the next +- * outgoing IP packet. This field is incremented with each packet as encoded +- * in inet_getid() function (include/net/inetpeer.h). +- * At the moment of writing this notes identifier of IP packets is generated +- * to be unpredictable using this code only for packets subjected +- * (actually or potentially) to defragmentation. I.e. DF packets less than +- * PMTU in size when local fragmentation is disabled use a constant ID and do +- * not use this code (see ip_select_ident() in include/net/ip.h). + * +- * Route cache entries hold references to our nodes. +- * New cache entries get references via lookup by destination IP address in +- * the avl tree. The reference is grabbed only when it's needed i.e. only +- * when we try to output IP packet which needs an unpredictable ID (see +- * __ip_select_ident() in net/ipv4/route.c). + * Nodes are removed only when reference counter goes to 0. + * When it's happened the node may be removed when a sufficient amount of + * time has been passed since its last use. The less-recently-used entry can +@@ -62,7 +49,6 @@ + * refcnt: atomically against modifications on other CPU; + * usually under some other lock to prevent node disappearing + * daddr: unchangeable +- * ip_id_count: atomic value (no lock needed) + */ + + static struct kmem_cache *peer_cachep __read_mostly; +@@ -496,11 +482,7 @@ relookup: if (p) { p->daddr = *daddr; atomic_set(&p->refcnt, 1); - atomic_set(&p->rid, 0); - atomic_set(&p->ip_id_count, +- (daddr->family == AF_INET) ? +- secure_ip_id(daddr->addr.a4) : +- secure_ipv6_id(daddr->addr.a6)); + atomic_set_unchecked(&p->rid, 0); -+ atomic_set_unchecked(&p->ip_id_count, - (daddr->family == AF_INET) ? - secure_ip_id(daddr->addr.a4) : - secure_ipv6_id(daddr->addr.a6)); + p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW; + p->rate_tokens = 0; + /* 60*HZ is arbitrary, but chosen enough high so that the first diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c index c10a3ce..dd71f84 100644 --- a/net/ipv4/ip_fragment.c @@ -99679,6 +100114,38 @@ index 94213c8..8bdb342 100644 .kind = "gretap", .maxtype = IFLA_GRE_MAX, .policy = ipgre_policy, +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 73c6b63..ed88d78 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -148,7 +148,7 @@ int ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk, + iph->daddr = (opt && opt->opt.srr ? opt->opt.faddr : daddr); + iph->saddr = saddr; + iph->protocol = sk->sk_protocol; +- ip_select_ident(skb, &rt->dst, sk); ++ ip_select_ident(skb, sk); + + if (opt && opt->opt.optlen) { + iph->ihl += opt->opt.optlen>>2; +@@ -386,8 +386,7 @@ packet_routed: + ip_options_build(skb, &inet_opt->opt, inet->inet_daddr, rt, 0); + } + +- ip_select_ident_more(skb, &rt->dst, sk, +- (skb_shinfo(skb)->gso_segs ?: 1) - 1); ++ ip_select_ident_segs(skb, sk, skb_shinfo(skb)->gso_segs ?: 1); + + skb->priority = sk->sk_priority; + skb->mark = sk->sk_mark; +@@ -1338,7 +1337,7 @@ struct sk_buff *__ip_make_skb(struct sock *sk, + iph->ttl = ttl; + iph->protocol = sk->sk_protocol; + ip_copy_addrs(iph, fl4); +- ip_select_ident(skb, &rt->dst, sk); ++ ip_select_ident(skb, sk); + + if (opt) { + iph->ihl += opt->optlen>>2; diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 580dd96..9fcef7e 100644 --- a/net/ipv4/ip_sockglue.c @@ -99702,42 +100169,19 @@ index 580dd96..9fcef7e 100644 msg.msg_controllen = len; msg.msg_flags = flags; -diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c -index 0c3a5d1..c05c07d 100644 ---- a/net/ipv4/ip_tunnel.c -+++ b/net/ipv4/ip_tunnel.c -@@ -73,12 +73,7 @@ static void __tunnel_dst_set(struct ip_tunnel_dst *idst, - { - struct dst_entry *old_dst; - -- if (dst) { -- if (dst->flags & DST_NOCACHE) -- dst = NULL; -- else -- dst_clone(dst); -- } -+ dst_clone(dst); - old_dst = xchg((__force struct dst_entry **)&idst->dst, dst); - dst_release(old_dst); - } -@@ -108,13 +103,14 @@ static struct rtable *tunnel_rtable_get(struct ip_tunnel *t, u32 cookie) - - rcu_read_lock(); - dst = rcu_dereference(this_cpu_ptr(t->dst_cache)->dst); -+ if (dst && !atomic_inc_not_zero(&dst->__refcnt)) -+ dst = NULL; - if (dst) { - if (dst->obsolete && dst->ops->check(dst, cookie) == NULL) { -- rcu_read_unlock(); - tunnel_dst_reset(t); -- return NULL; -+ dst_release(dst); -+ dst = NULL; - } -- dst_hold(dst); - } - rcu_read_unlock(); - return (struct rtable *)dst; +diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c +index 8d69626..65b664d 100644 +--- a/net/ipv4/ip_tunnel_core.c ++++ b/net/ipv4/ip_tunnel_core.c +@@ -74,7 +74,7 @@ int iptunnel_xmit(struct rtable *rt, struct sk_buff *skb, + iph->daddr = dst; + iph->saddr = src; + iph->ttl = ttl; +- __ip_select_ident(iph, &rt->dst, (skb_shinfo(skb)->gso_segs ?: 1) - 1); ++ __ip_select_ident(iph, skb_shinfo(skb)->gso_segs ?: 1); + + err = ip_local_out(skb); + if (unlikely(net_xmit_eval(err))) diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c index e4a8f76..dd8ad72 100644 --- a/net/ipv4/ip_vti.c @@ -99813,6 +100257,19 @@ index 62eaa00..29b2dc2 100644 .kind = "ipip", .maxtype = IFLA_IPTUN_MAX, .policy = ipip_policy, +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c +index 2886357..1149fc2 100644 +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -1663,7 +1663,7 @@ static void ip_encap(struct sk_buff *skb, __be32 saddr, __be32 daddr) + iph->protocol = IPPROTO_IPIP; + iph->ihl = 5; + iph->tot_len = htons(skb->len); +- ip_select_ident(skb, skb_dst(skb), NULL); ++ ip_select_ident(skb, NULL); + ip_send_check(iph); + + memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt)); diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index f95b6f9..2ee2097 100644 --- a/net/ipv4/netfilter/arp_tables.c @@ -99996,7 +100453,7 @@ index e21934b..4e7cb58 100644 static int ping_v4_seq_show(struct seq_file *seq, void *v) diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c -index c04518f..c402063 100644 +index c04518f..d67116b 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c @@ -311,7 +311,7 @@ static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb) @@ -100008,6 +100465,15 @@ index c04518f..c402063 100644 kfree_skb(skb); return NET_RX_DROP; } +@@ -389,7 +389,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4, + iph->check = 0; + iph->tot_len = htons(length); + if (!iph->id) +- ip_select_ident(skb, &rt->dst, NULL); ++ ip_select_ident(skb, NULL); + + iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl); + } @@ -748,16 +748,20 @@ static int raw_init(struct sock *sk) static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen) @@ -100051,10 +100517,18 @@ index c04518f..c402063 100644 static int raw_seq_show(struct seq_file *seq, void *v) diff --git a/net/ipv4/route.c b/net/ipv4/route.c -index 1344373..02f339e 100644 +index 031553f..1f6f4e2 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c -@@ -233,7 +233,7 @@ static const struct seq_operations rt_cache_seq_ops = { +@@ -89,6 +89,7 @@ + #include <linux/rcupdate.h> + #include <linux/times.h> + #include <linux/slab.h> ++#include <linux/jhash.h> + #include <net/dst.h> + #include <net/net_namespace.h> + #include <net/protocol.h> +@@ -233,7 +234,7 @@ static const struct seq_operations rt_cache_seq_ops = { static int rt_cache_seq_open(struct inode *inode, struct file *file) { @@ -100063,7 +100537,7 @@ index 1344373..02f339e 100644 } static const struct file_operations rt_cache_seq_fops = { -@@ -324,7 +324,7 @@ static const struct seq_operations rt_cpu_seq_ops = { +@@ -324,7 +325,7 @@ static const struct seq_operations rt_cpu_seq_ops = { static int rt_cpu_seq_open(struct inode *inode, struct file *file) { @@ -100072,7 +100546,7 @@ index 1344373..02f339e 100644 } static const struct file_operations rt_cpu_seq_fops = { -@@ -362,7 +362,7 @@ static int rt_acct_proc_show(struct seq_file *m, void *v) +@@ -362,7 +363,7 @@ static int rt_acct_proc_show(struct seq_file *m, void *v) static int rt_acct_proc_open(struct inode *inode, struct file *file) { @@ -100081,7 +100555,78 @@ index 1344373..02f339e 100644 } static const struct file_operations rt_acct_proc_fops = { -@@ -2623,34 +2623,34 @@ static struct ctl_table ipv4_route_flush_table[] = { +@@ -462,39 +463,45 @@ static struct neighbour *ipv4_neigh_lookup(const struct dst_entry *dst, + return neigh_create(&arp_tbl, pkey, dev); + } + +-/* +- * Peer allocation may fail only in serious out-of-memory conditions. However +- * we still can generate some output. +- * Random ID selection looks a bit dangerous because we have no chances to +- * select ID being unique in a reasonable period of time. +- * But broken packet identifier may be better than no packet at all. ++#define IP_IDENTS_SZ 2048u ++struct ip_ident_bucket { ++ atomic_unchecked_t id; ++ u32 stamp32; ++}; ++ ++static struct ip_ident_bucket *ip_idents __read_mostly; ++ ++/* In order to protect privacy, we add a perturbation to identifiers ++ * if one generator is seldom used. This makes hard for an attacker ++ * to infer how many packets were sent between two points in time. + */ +-static void ip_select_fb_ident(struct iphdr *iph) ++u32 ip_idents_reserve(u32 hash, int segs) + { +- static DEFINE_SPINLOCK(ip_fb_id_lock); +- static u32 ip_fallback_id; +- u32 salt; ++ struct ip_ident_bucket *bucket = ip_idents + hash % IP_IDENTS_SZ; ++ u32 old = ACCESS_ONCE(bucket->stamp32); ++ u32 now = (u32)jiffies; ++ u32 delta = 0; + +- spin_lock_bh(&ip_fb_id_lock); +- salt = secure_ip_id((__force __be32)ip_fallback_id ^ iph->daddr); +- iph->id = htons(salt & 0xFFFF); +- ip_fallback_id = salt; +- spin_unlock_bh(&ip_fb_id_lock); ++ if (old != now && cmpxchg(&bucket->stamp32, old, now) == old) ++ delta = prandom_u32_max(now - old); ++ ++ return atomic_add_return_unchecked(segs + delta, &bucket->id) - segs; + } ++EXPORT_SYMBOL(ip_idents_reserve); + +-void __ip_select_ident(struct iphdr *iph, struct dst_entry *dst, int more) ++void __ip_select_ident(struct iphdr *iph, int segs) + { +- struct net *net = dev_net(dst->dev); +- struct inet_peer *peer; ++ static u32 ip_idents_hashrnd __read_mostly; ++ u32 hash, id; + +- peer = inet_getpeer_v4(net->ipv4.peers, iph->daddr, 1); +- if (peer) { +- iph->id = htons(inet_getid(peer, more)); +- inet_putpeer(peer); +- return; +- } ++ net_get_random_once(&ip_idents_hashrnd, sizeof(ip_idents_hashrnd)); + +- ip_select_fb_ident(iph); ++ hash = jhash_3words((__force u32)iph->daddr, ++ (__force u32)iph->saddr, ++ iph->protocol, ++ ip_idents_hashrnd); ++ id = ip_idents_reserve(hash, segs); ++ iph->id = htons(id); + } + EXPORT_SYMBOL(__ip_select_ident); + +@@ -2624,34 +2631,34 @@ static struct ctl_table ipv4_route_flush_table[] = { .maxlen = sizeof(int), .mode = 0200, .proc_handler = ipv4_sysctl_rtcache_flush, @@ -100124,7 +100669,7 @@ index 1344373..02f339e 100644 err_dup: return -ENOMEM; } -@@ -2673,8 +2673,8 @@ static __net_initdata struct pernet_operations sysctl_route_ops = { +@@ -2674,8 +2681,8 @@ static __net_initdata struct pernet_operations sysctl_route_ops = { static __net_init int rt_genid_init(struct net *net) { @@ -100135,6 +100680,19 @@ index 1344373..02f339e 100644 get_random_bytes(&net->ipv4.dev_addr_genid, sizeof(net->ipv4.dev_addr_genid)); return 0; +@@ -2718,6 +2725,12 @@ int __init ip_rt_init(void) + { + int rc = 0; + ++ ip_idents = kmalloc(IP_IDENTS_SZ * sizeof(*ip_idents), GFP_KERNEL); ++ if (!ip_idents) ++ panic("IP: failed to allocate ip_idents\n"); ++ ++ prandom_bytes(ip_idents, IP_IDENTS_SZ * sizeof(*ip_idents)); ++ + #ifdef CONFIG_IP_ROUTE_CLASSID + ip_rt_acct = __alloc_percpu(256 * sizeof(struct ip_rt_acct), __alignof__(struct ip_rt_acct)); + if (!ip_rt_acct) diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c index 44eba05..b36864b 100644 --- a/net/ipv4/sysctl_net_ipv4.c @@ -100257,7 +100815,7 @@ index 44eba05..b36864b 100644 hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table); if (hdr == NULL) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index e364746..598e76e 100644 +index 3898694..9bd1a03 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -761,7 +761,7 @@ static void tcp_update_pacing_rate(struct sock *sk) @@ -100431,6 +100989,33 @@ index 64f0354..a81b39d 100644 if (retransmits_timed_out(sk, retry_until, syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) { /* Has it gone just too far? */ +diff --git a/net/ipv4/tcp_vegas.c b/net/ipv4/tcp_vegas.c +index 06cae62..6b1a5fd 100644 +--- a/net/ipv4/tcp_vegas.c ++++ b/net/ipv4/tcp_vegas.c +@@ -219,7 +219,8 @@ static void tcp_vegas_cong_avoid(struct sock *sk, u32 ack, u32 acked, + * This is: + * (actual rate in segments) * baseRTT + */ +- target_cwnd = tp->snd_cwnd * vegas->baseRTT / rtt; ++ target_cwnd = (u64)tp->snd_cwnd * vegas->baseRTT; ++ do_div(target_cwnd, rtt); + + /* Calculate the difference between the window we had, + * and the window we would like to have. This quantity +diff --git a/net/ipv4/tcp_veno.c b/net/ipv4/tcp_veno.c +index 326475a..603ad49 100644 +--- a/net/ipv4/tcp_veno.c ++++ b/net/ipv4/tcp_veno.c +@@ -145,7 +145,7 @@ static void tcp_veno_cong_avoid(struct sock *sk, u32 ack, u32 acked, + + rtt = veno->minrtt; + +- target_cwnd = (tp->snd_cwnd * veno->basertt); ++ target_cwnd = (u64)tp->snd_cwnd * veno->basertt; + target_cwnd <<= V_PARAM_SHIFT; + do_div(target_cwnd, rtt); + diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index b25e852..cdc3258 100644 --- a/net/ipv4/udp.c @@ -100549,6 +101134,24 @@ index b25e852..cdc3258 100644 } int udp4_seq_show(struct seq_file *seq, void *v) +diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c +index 31b1815..1f564a1 100644 +--- a/net/ipv4/xfrm4_mode_tunnel.c ++++ b/net/ipv4/xfrm4_mode_tunnel.c +@@ -117,12 +117,12 @@ static int xfrm4_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb) + + top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ? + 0 : (XFRM_MODE_SKB_CB(skb)->frag_off & htons(IP_DF)); +- ip_select_ident(skb, dst->child, NULL); + + top_iph->ttl = ip4_dst_hoplimit(dst->child); + + top_iph->saddr = x->props.saddr.a4; + top_iph->daddr = x->id.daddr.a4; ++ ip_select_ident(skb, NULL); + + return 0; + } diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c index e1a6393..f634ce5 100644 --- a/net/ipv4/xfrm4_policy.c @@ -100603,7 +101206,7 @@ index e1a6393..f634ce5 100644 return -ENOMEM; } diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index 6c7fa08..285086c 100644 +index 6c7fa08..8a31430 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -598,7 +598,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb, @@ -100624,7 +101227,32 @@ index 6c7fa08..285086c 100644 if (ops->ndo_do_ioctl) { mm_segment_t oldfs = get_fs(); -@@ -4146,7 +4146,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb, +@@ -3528,16 +3528,23 @@ static const struct file_operations if6_fops = { + .release = seq_release_net, + }; + ++extern void register_ipv6_seq_ops_addr(struct seq_operations *addr); ++extern void unregister_ipv6_seq_ops_addr(void); ++ + static int __net_init if6_proc_net_init(struct net *net) + { +- if (!proc_create("if_inet6", S_IRUGO, net->proc_net, &if6_fops)) ++ register_ipv6_seq_ops_addr(&if6_seq_ops); ++ if (!proc_create("if_inet6", S_IRUGO, net->proc_net, &if6_fops)) { ++ unregister_ipv6_seq_ops_addr(); + return -ENOMEM; ++ } + return 0; + } + + static void __net_exit if6_proc_net_exit(struct net *net) + { + remove_proc_entry("if_inet6", net->proc_net); ++ unregister_ipv6_seq_ops_addr(); + } + + static struct pernet_operations if6_proc_net_ops = { +@@ -4146,7 +4153,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb, s_ip_idx = ip_idx = cb->args[2]; rcu_read_lock(); @@ -100633,7 +101261,7 @@ index 6c7fa08..285086c 100644 for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) { idx = 0; head = &net->dev_index_head[h]; -@@ -4758,7 +4758,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) +@@ -4758,7 +4765,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) dst_free(&ifp->rt->dst); break; } @@ -100642,7 +101270,7 @@ index 6c7fa08..285086c 100644 rt_genid_bump_ipv6(net); } -@@ -4779,7 +4779,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write, +@@ -4779,7 +4786,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write, int *valp = ctl->data; int val = *valp; loff_t pos = *ppos; @@ -100651,7 +101279,7 @@ index 6c7fa08..285086c 100644 int ret; /* -@@ -4864,7 +4864,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write, +@@ -4864,7 +4871,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write, int *valp = ctl->data; int val = *valp; loff_t pos = *ppos; @@ -100737,6 +101365,31 @@ index 2465d18..bc5bf7f 100644 .kind = "ip6gretap", .maxtype = IFLA_GRE_MAX, .policy = ip6gre_policy, +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index a62b610..073e5a6 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -537,6 +537,20 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from) + skb_copy_secmark(to, from); + } + ++static void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) ++{ ++ static u32 ip6_idents_hashrnd __read_mostly; ++ u32 hash, id; ++ ++ net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd)); ++ ++ hash = __ipv6_addr_jhash(&rt->rt6i_dst.addr, ip6_idents_hashrnd); ++ hash = __ipv6_addr_jhash(&rt->rt6i_src.addr, hash); ++ ++ id = ip_idents_reserve(hash, 1); ++ fhdr->identification = htonl(id); ++} ++ + int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *)) + { + struct sk_buff *frag; diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c index 9120339..cfdd84f 100644 --- a/net/ipv6/ip6_tunnel.c @@ -100886,27 +101539,40 @@ index 767ab8d..c5ec70a 100644 return -ENOMEM; } diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c -index b31a012..c36f09c 100644 +index b31a012..ab2f47d 100644 --- a/net/ipv6/output_core.c +++ b/net/ipv6/output_core.c -@@ -9,7 +9,7 @@ +@@ -7,30 +7,6 @@ + #include <net/ip6_fib.h> + #include <net/addrconf.h> - void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) - { +-void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) +-{ - static atomic_t ipv6_fragmentation_id; -+ static atomic_unchecked_t ipv6_fragmentation_id; - int ident; - - #if IS_ENABLED(CONFIG_IPV6) -@@ -26,7 +26,7 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) - } - } - #endif +- int ident; +- +-#if IS_ENABLED(CONFIG_IPV6) +- if (rt && !(rt->dst.flags & DST_NOPEER)) { +- struct inet_peer *peer; +- struct net *net; +- +- net = dev_net(rt->dst.dev); +- peer = inet_getpeer_v6(net->ipv6.peers, &rt->rt6i_dst.addr, 1); +- if (peer) { +- fhdr->identification = htonl(inet_getid(peer, 0)); +- inet_putpeer(peer); +- return; +- } +- } +-#endif - ident = atomic_inc_return(&ipv6_fragmentation_id); -+ ident = atomic_inc_return_unchecked(&ipv6_fragmentation_id); - fhdr->identification = htonl(ident); - } - EXPORT_SYMBOL(ipv6_select_ident); +- fhdr->identification = htonl(ident); +-} +-EXPORT_SYMBOL(ipv6_select_ident); +- + int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) + { + u16 offset = sizeof(struct ipv6hdr); diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c index bda7429..469b26b 100644 --- a/net/ipv6/ping.c @@ -101457,6 +102123,28 @@ index 7932697..a13d158 100644 } while (!res); return res; } +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c +index ec66063..1e05bbd 100644 +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -1368,7 +1368,7 @@ static int pppol2tp_setsockopt(struct socket *sock, int level, int optname, + int err; + + if (level != SOL_PPPOL2TP) +- return udp_prot.setsockopt(sk, level, optname, optval, optlen); ++ return -EINVAL; + + if (optlen < sizeof(int)) + return -EINVAL; +@@ -1494,7 +1494,7 @@ static int pppol2tp_getsockopt(struct socket *sock, int level, int optname, + struct pppol2tp_session *ps; + + if (level != SOL_PPPOL2TP) +- return udp_prot.getsockopt(sk, level, optname, optval, optlen); ++ return -EINVAL; + + if (get_user(len, optlen)) + return -EFAULT; diff --git a/net/llc/llc_proc.c b/net/llc/llc_proc.c index 1a3c7e0..80f8b0c 100644 --- a/net/llc/llc_proc.c @@ -101925,9 +102613,18 @@ index db80126..ef7110e 100644 cp->old_state = cp->state; /* diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c -index c47444e..b0961c6 100644 +index c47444e..e9a86e6 100644 --- a/net/netfilter/ipvs/ip_vs_xmit.c +++ b/net/netfilter/ipvs/ip_vs_xmit.c +@@ -883,7 +883,7 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, + iph->daddr = cp->daddr.ip; + iph->saddr = saddr; + iph->ttl = old_iph->ttl; +- ip_select_ident(skb, &rt->dst, NULL); ++ ip_select_ident(skb, NULL); + + /* Another hack: avoid icmp_send in ip_fragment */ + skb->local_df = 1; @@ -1102,7 +1102,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, else rc = NF_ACCEPT; @@ -102288,7 +102985,7 @@ index 11de55e..f25e448 100644 return 0; } diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index 7f40fd2..c72ef1f 100644 +index 0dfe894..7702a84 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -257,7 +257,7 @@ static void netlink_overrun(struct sock *sk) @@ -102844,6 +103541,18 @@ index f226709..0e735a8 100644 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial)); ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); +diff --git a/net/sctp/associola.c b/net/sctp/associola.c +index a4d5701..5d97d8f 100644 +--- a/net/sctp/associola.c ++++ b/net/sctp/associola.c +@@ -1151,6 +1151,7 @@ void sctp_assoc_update(struct sctp_association *asoc, + asoc->c = new->c; + asoc->peer.rwnd = new->peer.rwnd; + asoc->peer.sack_needed = new->peer.sack_needed; ++ asoc->peer.auth_capable = new->peer.auth_capable; + asoc->peer.i = new->peer.i; + sctp_tsnmap_init(&asoc->peer.tsn_map, SCTP_TSN_MAP_INITIAL, + asoc->peer.i.initial_tsn, GFP_ATOMIC); diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c index 2b1738e..a9d0fc9 100644 --- a/net/sctp/ipv6.c @@ -103014,37 +103723,37 @@ index 604a6ac..f87f0a3 100644 return -EFAULT; to += addrlen; diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c -index c82fdc1..4ca1f95 100644 +index dfa532f..1dcfb44 100644 --- a/net/sctp/sysctl.c +++ b/net/sctp/sysctl.c -@@ -308,7 +308,7 @@ static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write, +@@ -307,7 +307,7 @@ static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write, + loff_t *ppos) { struct net *net = current->nsproxy->net_ns; - char tmp[8]; - struct ctl_table tbl; + ctl_table_no_const tbl; - int ret; - int changed = 0; + bool changed = false; char *none = "none"; + char tmp[8]; @@ -355,7 +355,7 @@ static int proc_sctp_do_rto_min(struct ctl_table *ctl, int write, - { struct net *net = current->nsproxy->net_ns; - int new_value; -- struct ctl_table tbl; -+ ctl_table_no_const tbl; unsigned int min = *(unsigned int *) ctl->extra1; unsigned int max = *(unsigned int *) ctl->extra2; - int ret; -@@ -382,7 +382,7 @@ static int proc_sctp_do_rto_max(struct ctl_table *ctl, int write, - { - struct net *net = current->nsproxy->net_ns; - int new_value; - struct ctl_table tbl; + ctl_table_no_const tbl; + int ret, new_value; + + memset(&tbl, 0, sizeof(struct ctl_table)); +@@ -384,7 +384,7 @@ static int proc_sctp_do_rto_max(struct ctl_table *ctl, int write, + struct net *net = current->nsproxy->net_ns; unsigned int min = *(unsigned int *) ctl->extra1; unsigned int max = *(unsigned int *) ctl->extra2; - int ret; -@@ -408,7 +408,7 @@ static int proc_sctp_do_auth(struct ctl_table *ctl, int write, +- struct ctl_table tbl; ++ ctl_table_no_const tbl; + int ret, new_value; + + memset(&tbl, 0, sizeof(struct ctl_table)); +@@ -411,7 +411,7 @@ static int proc_sctp_do_auth(struct ctl_table *ctl, int write, loff_t *ppos) { struct net *net = current->nsproxy->net_ns; @@ -103053,7 +103762,7 @@ index c82fdc1..4ca1f95 100644 int new_value, ret; memset(&tbl, 0, sizeof(struct ctl_table)); -@@ -436,7 +436,7 @@ static int proc_sctp_do_auth(struct ctl_table *ctl, int write, +@@ -438,7 +438,7 @@ static int proc_sctp_do_auth(struct ctl_table *ctl, int write, int sctp_sysctl_net_register(struct net *net) { @@ -103062,7 +103771,7 @@ index c82fdc1..4ca1f95 100644 if (!net_eq(net, &init_net)) { int i; -@@ -449,7 +449,10 @@ int sctp_sysctl_net_register(struct net *net) +@@ -451,7 +451,10 @@ int sctp_sysctl_net_register(struct net *net) table[i].data += (char *)(&net->sctp) - (char *)&init_net.sctp; } @@ -109451,10 +110160,10 @@ index 0000000..39d7cc7 +} diff --git a/tools/gcc/randomize_layout_plugin.c b/tools/gcc/randomize_layout_plugin.c new file mode 100644 -index 0000000..8dafb22 +index 0000000..a5cb46b --- /dev/null +++ b/tools/gcc/randomize_layout_plugin.c -@@ -0,0 +1,910 @@ +@@ -0,0 +1,915 @@ +/* + * Copyright 2014 by Open Source Security, Inc., Brad Spengler <spender@grsecurity.net> + * and PaX Team <pageexec@freemail.hu> @@ -109773,6 +110482,11 @@ index 0000000..8dafb22 + lookup_attribute("no_randomize_layout", TYPE_ATTRIBUTES(TYPE_MAIN_VARIANT(type)))) + return 0; + ++ /* Workaround for 3rd-party VirtualBox source that we can't modify ourselves */ ++ if (!strcmp((const char *)ORIG_TYPE_NAME(type), "INTNETTRUNKFACTORY") || ++ !strcmp((const char *)ORIG_TYPE_NAME(type), "RAWPCIFACTORY")) ++ return 0; ++ + /* throw out any structs in uapi */ + xloc = expand_location(DECL_SOURCE_LOCATION(TYPE_FIELDS(type))); + @@ -110509,10 +111223,10 @@ index 0000000..12b1e3b +exit 0 diff --git a/tools/gcc/size_overflow_plugin/insert_size_overflow_asm.c b/tools/gcc/size_overflow_plugin/insert_size_overflow_asm.c new file mode 100644 -index 0000000..3e8148c +index 0000000..c43901f --- /dev/null +++ b/tools/gcc/size_overflow_plugin/insert_size_overflow_asm.c -@@ -0,0 +1,790 @@ +@@ -0,0 +1,748 @@ +/* + * Copyright 2011-2014 by Emese Revfy <re.emese@gmail.com> + * Licensed under the GPL v2, or (at your option) v3 @@ -110992,45 +111706,6 @@ index 0000000..3e8148c + return true; +} + -+static bool is_from_cast(const_tree node) -+{ -+ gimple def_stmt = get_def_stmt(node); -+ -+ if (!def_stmt) -+ return false; -+ -+ if (gimple_assign_cast_p(def_stmt)) -+ return true; -+ -+ return false; -+} -+ -+// Skip duplication when there is a minus expr and the type of rhs1 or rhs2 is a pointer_type. -+static bool skip_ptr_minus(gimple stmt) -+{ -+ const_tree rhs1, rhs2, ptr1_rhs, ptr2_rhs; -+ -+ if (gimple_assign_rhs_code(stmt) != MINUS_EXPR) -+ return false; -+ -+ rhs1 = gimple_assign_rhs1(stmt); -+ if (!is_from_cast(rhs1)) -+ return false; -+ -+ rhs2 = gimple_assign_rhs2(stmt); -+ if (!is_from_cast(rhs2)) -+ return false; -+ -+ ptr1_rhs = gimple_assign_rhs1(get_def_stmt(rhs1)); -+ ptr2_rhs = gimple_assign_rhs1(get_def_stmt(rhs2)); -+ -+ if (TREE_CODE(TREE_TYPE(ptr1_rhs)) != POINTER_TYPE && TREE_CODE(TREE_TYPE(ptr2_rhs)) != POINTER_TYPE) -+ return false; -+ -+ create_mark_asm(stmt, MARK_YES); -+ return true; -+} -+ +static void walk_use_def_ptr(struct pointer_set_t *visited, const_tree lhs) +{ + gimple def_stmt; @@ -111064,9 +111739,6 @@ index 0000000..3e8148c + walk_use_def_ptr(visited, gimple_assign_rhs1(def_stmt)); + return; + case 3: -+ if (skip_ptr_minus(def_stmt)) -+ return; -+ + walk_use_def_ptr(visited, gimple_assign_rhs1(def_stmt)); + walk_use_def_ptr(visited, gimple_assign_rhs2(def_stmt)); + return; @@ -111305,10 +111977,10 @@ index 0000000..3e8148c +} diff --git a/tools/gcc/size_overflow_plugin/insert_size_overflow_check_core.c b/tools/gcc/size_overflow_plugin/insert_size_overflow_check_core.c new file mode 100644 -index 0000000..88469e9 +index 0000000..73f0a12 --- /dev/null +++ b/tools/gcc/size_overflow_plugin/insert_size_overflow_check_core.c -@@ -0,0 +1,902 @@ +@@ -0,0 +1,943 @@ +/* + * Copyright 2011-2014 by Emese Revfy <re.emese@gmail.com> + * Licensed under the GPL v2, or (at your option) v3 @@ -112032,6 +112704,44 @@ index 0000000..88469e9 + inform(loc, "Integer size_overflow check applied here."); +} + ++static bool is_from_cast(const_tree node) ++{ ++ gimple def_stmt = get_def_stmt(node); ++ ++ if (!def_stmt) ++ return false; ++ ++ if (gimple_assign_cast_p(def_stmt)) ++ return true; ++ ++ return false; ++} ++ ++// Skip duplication when there is a minus expr and the type of rhs1 or rhs2 is a pointer_type. ++static bool is_a_ptr_minus(gimple stmt) ++{ ++ const_tree rhs1, rhs2, ptr1_rhs, ptr2_rhs; ++ ++ if (gimple_assign_rhs_code(stmt) != MINUS_EXPR) ++ return false; ++ ++ rhs1 = gimple_assign_rhs1(stmt); ++ if (!is_from_cast(rhs1)) ++ return false; ++ ++ rhs2 = gimple_assign_rhs2(stmt); ++ if (!is_from_cast(rhs2)) ++ return false; ++ ++ ptr1_rhs = gimple_assign_rhs1(get_def_stmt(rhs1)); ++ ptr2_rhs = gimple_assign_rhs1(get_def_stmt(rhs2)); ++ ++ if (TREE_CODE(TREE_TYPE(ptr1_rhs)) != POINTER_TYPE && TREE_CODE(TREE_TYPE(ptr2_rhs)) != POINTER_TYPE) ++ return false; ++ ++ return true; ++} ++ +static tree handle_binary_ops(struct visited *visited, struct cgraph_node *caller_node, tree lhs) +{ + enum intentional_overflow_type res; @@ -112040,6 +112750,9 @@ index 0000000..88469e9 + tree new_rhs1 = NULL_TREE; + tree new_rhs2 = NULL_TREE; + ++ if (is_a_ptr_minus(def_stmt)) ++ return create_assign(visited, def_stmt, lhs, AFTER_STMT); ++ + rhs1 = gimple_assign_rhs1(def_stmt); + rhs2 = gimple_assign_rhs2(def_stmt); + @@ -112213,10 +112926,10 @@ index 0000000..88469e9 + diff --git a/tools/gcc/size_overflow_plugin/insert_size_overflow_check_ipa.c b/tools/gcc/size_overflow_plugin/insert_size_overflow_check_ipa.c new file mode 100644 -index 0000000..f8f5dd5 +index 0000000..df50164 --- /dev/null +++ b/tools/gcc/size_overflow_plugin/insert_size_overflow_check_ipa.c -@@ -0,0 +1,1133 @@ +@@ -0,0 +1,1141 @@ +/* + * Copyright 2011-2014 by Emese Revfy <re.emese@gmail.com> + * Licensed under the GPL v2, or (at your option) v3 @@ -112431,7 +113144,7 @@ index 0000000..f8f5dd5 +} + +enum conditions { -+ FROM_CONST, NOT_UNARY, CAST ++ FROM_CONST, NOT_UNARY, CAST, RET, PHI +}; + +// Search for constants, cast assignments and binary/ternary assignments @@ -112451,11 +113164,15 @@ index 0000000..f8f5dd5 + return; + + switch (gimple_code(def_stmt)) { -+ case GIMPLE_NOP: + case GIMPLE_CALL: ++ if (lhs == gimple_call_lhs(def_stmt)) ++ interesting_conditions[RET] = true; ++ return; ++ case GIMPLE_NOP: + case GIMPLE_ASM: + return; + case GIMPLE_PHI: ++ interesting_conditions[PHI] = true; + return walk_phi_set_conditions(visited, interesting_conditions, lhs); + case GIMPLE_ASSIGN: + if (gimple_num_ops(def_stmt) == 2) { @@ -112673,11 +113390,11 @@ index 0000000..f8f5dd5 +/* If there is a mark_turn_off intentional attribute on the caller or the callee then there is no duplication and missing size_overflow attribute check anywhere. + * There is only missing size_overflow attribute checking if the intentional_overflow attribute is the mark_no type. + * Stmt duplication is unnecessary if there are no binary/ternary assignements or if the unary assignment isn't a cast. -+ * It skips the possible error codes too. If the def_stmts trace back to a constant and there are no binary/ternary assigments then we assume that it is some kind of error code. ++ * It skips the possible error codes too. + */ +static enum precond check_preconditions(struct interesting_node *cur_node) +{ -+ bool interesting_conditions[3] = {false, false, false}; ++ bool interesting_conditions[5] = {false, false, false, false, false}; + + set_last_nodes(cur_node); + @@ -112687,7 +113404,11 @@ index 0000000..f8f5dd5 + + search_interesting_conditions(cur_node, interesting_conditions); + -+ // error code ++ // error code: a phi, unary assign (not cast) and returns only ++ if (!interesting_conditions[NOT_UNARY] && interesting_conditions[PHI] && interesting_conditions[RET] && !interesting_conditions[CAST]) ++ return NO_ATTRIBUTE_SEARCH; ++ ++ // error code: def_stmts trace back to a constant and there are no binary/ternary assigments + if (interesting_conditions[CAST] && interesting_conditions[FROM_CONST] && !interesting_conditions[NOT_UNARY]) + return NO_ATTRIBUTE_SEARCH; + @@ -113352,10 +114073,10 @@ index 0000000..f8f5dd5 + diff --git a/tools/gcc/size_overflow_plugin/intentional_overflow.c b/tools/gcc/size_overflow_plugin/intentional_overflow.c new file mode 100644 -index 0000000..38904bc +index 0000000..d71d72a --- /dev/null +++ b/tools/gcc/size_overflow_plugin/intentional_overflow.c -@@ -0,0 +1,733 @@ +@@ -0,0 +1,736 @@ +/* + * Copyright 2011-2014 by Emese Revfy <re.emese@gmail.com> + * Licensed under the GPL v2, or (at your option) v3 @@ -113960,6 +114681,9 @@ index 0000000..38904bc + } else + return false; + ++ if (!is_gimple_assign(def_stmt)) ++ return false; ++ + if (gimple_assign_rhs_code(def_stmt) != PLUS_EXPR && gimple_assign_rhs_code(def_stmt) != MINUS_EXPR) + return false; + @@ -120791,7 +121515,7 @@ index 0000000..560cd7b +zpios_read_64734 zpios_read 3 64734 NULL diff --git a/tools/gcc/size_overflow_plugin/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin/size_overflow_plugin.c new file mode 100644 -index 0000000..e6fe17b +index 0000000..95f7abd --- /dev/null +++ b/tools/gcc/size_overflow_plugin/size_overflow_plugin.c @@ -0,0 +1,259 @@ @@ -120827,7 +121551,7 @@ index 0000000..e6fe17b +tree size_overflow_type_TI; + +static struct plugin_info size_overflow_plugin_info = { -+ .version = "20140517", ++ .version = "20140725", + .help = "no-size-overflow\tturn off size overflow checking\n", +}; + @@ -121426,10 +122150,10 @@ index 0000000..0888f6c + diff --git a/tools/gcc/stackleak_plugin.c b/tools/gcc/stackleak_plugin.c new file mode 100644 -index 0000000..dd94983 +index 0000000..924652b --- /dev/null +++ b/tools/gcc/stackleak_plugin.c -@@ -0,0 +1,376 @@ +@@ -0,0 +1,395 @@ +/* + * Copyright 2011-2014 by the PaX Team <pageexec@freemail.hu> + * Licensed under the GPL v2 @@ -121461,7 +122185,7 @@ index 0000000..dd94983 +static bool init_locals; + +static struct plugin_info stackleak_plugin_info = { -+ .version = "201402131920", ++ .version = "201408011900", + .help = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n" +// "initialize-locals\t\tforcibly initialize all stack frames\n" +}; @@ -121607,6 +122331,25 @@ index 0000000..dd94983 + +static bool gate_stackleak_track_stack(void) +{ ++ tree section; ++ ++ if (ix86_cmodel != CM_KERNEL) ++ return false; ++ ++ section = lookup_attribute("section", DECL_ATTRIBUTES(current_function_decl)); ++ if (section && TREE_VALUE(section)) { ++ section = TREE_VALUE(TREE_VALUE(section)); ++ ++ if (!strncmp(TREE_STRING_POINTER(section), ".init.text", 10)) ++ return false; ++ if (!strncmp(TREE_STRING_POINTER(section), ".devinit.text", 13)) ++ return false; ++ if (!strncmp(TREE_STRING_POINTER(section), ".cpuinit.text", 13)) ++ return false; ++ if (!strncmp(TREE_STRING_POINTER(section), ".meminit.text", 13)) ++ return false; ++ } ++ + return track_frame_size >= 0; +} + |