aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--main/linux-grsec/APKBUILD16
-rw-r--r--main/linux-grsec/grsecurity-3.0-3.14.24-201411150026.patch (renamed from main/linux-grsec/grsecurity-3.0-3.14.23-201410312212.patch)1723
2 files changed, 1161 insertions, 578 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 5a74c96a7b..41ef488e4b 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -2,7 +2,7 @@
_flavor=grsec
pkgname=linux-${_flavor}
-pkgver=3.14.23
+pkgver=3.14.24
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
@@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-3.0-3.14.23-201410312212.patch
+ grsecurity-3.0-3.14.24-201411150026.patch
fix-memory-map-for-PIE-applications.patch
imx6q-no-unclocked-sleep.patch
@@ -165,24 +165,24 @@ dev() {
}
md5sums="b621207b3f6ecbb67db18b13258f8ea8 linux-3.14.tar.xz
-45a2b9fbe6c9075093fb015f818b4e37 patch-3.14.23.xz
-0de7fd3ed253841e486817250f09dfee grsecurity-3.0-3.14.23-201410312212.patch
+651a92fc1d45c02fa02358bb07e80697 patch-3.14.24.xz
+384982d028a3d484345ef780c11a464f grsecurity-3.0-3.14.24-201411150026.patch
c6a4ae7e8ca6159e1631545515805216 fix-memory-map-for-PIE-applications.patch
1a307fc1d63231bf01d22493a4f14378 imx6q-no-unclocked-sleep.patch
870b91f0eb07294ba453ac61b052c0b6 kernelconfig.x86
38b50cd1a7670f886c5e9fe9f1f91496 kernelconfig.x86_64
3d79d27ce4aea637042bb70055c35a3d kernelconfig.armhf"
sha256sums="61558aa490855f42b6340d1a1596be47454909629327c49a5e4e10268065dffa linux-3.14.tar.xz
-451199487f3e311ff57729f9104c23eeab1db528f15f2091da74cb2fd565f56e patch-3.14.23.xz
-55333d8467e557925bb0116c6ff92ba39c075374a12b7125970364389182f0a5 grsecurity-3.0-3.14.23-201410312212.patch
+80013321b6891216fcff6d0746cb977bd7e8438b02ca13ff261659f3dfa76d51 patch-3.14.24.xz
+36f3dfd5237966661fef9bf18bc3779c3f5e852df48889902e6be94d708b3aef grsecurity-3.0-3.14.24-201411150026.patch
500f3577310be52e87b9fecdc2e9c4ca43210fd97d69089f9005d484563f74c7 fix-memory-map-for-PIE-applications.patch
21179fbb22a5b74af0a609350ae1a170e232908572b201d02e791d2ce0a685d3 imx6q-no-unclocked-sleep.patch
bf953a65ba047b5316509da5bc7a6dbcee12767e343d26e8360369d27bfdbe78 kernelconfig.x86
d555a01f2b464e20cfa71c67ea6d571f80c707c5a3fea33879de09b085e2d7b6 kernelconfig.x86_64
a2dc0e30e1d1d691768543a17b51efccfc11ef17c04ac08f2b54c95f25dab75d kernelconfig.armhf"
sha512sums="5730d83a7a81134c1e77c0bf89e42dee4f8251ad56c1ac2be20c59e26fdfaa7bea55f277e7af156b637f22e1584914a46089af85039177cb43485089c74ac26e linux-3.14.tar.xz
-31883f947d93e8b489f75d3508efab24f3d5c94f75f6f0e66e34ad8f54de2511eb22e92b8a27bde19bba3c1a510435f3ba181157bdef726120226eba18bd825a patch-3.14.23.xz
-7f17d47ffc78e23a80b84921742cfbbc9afff551ad75bfbb4e1399aba6eca6fd8c8b6262232d57cd6c7165ba2bafe80c7f6e1689e495fa3a61740930808a3d53 grsecurity-3.0-3.14.23-201410312212.patch
+7f45dfd7340a41c360c7521b573adbb8569825aa078f7ef067a27f19be5c749e42965badde7cdf9c413374953e776e4cce43cd1856f9e08870793a50ba6ad0fb patch-3.14.24.xz
+35f27312fc83d0c4380742bca33ad2c9d8313d87c9e2299d58f422b15af993f2221e3d2332ad13d3a3151fafb055e738cec23c9de5d0d84d218cdcad70379030 grsecurity-3.0-3.14.24-201411150026.patch
4665c56ae1bbac311f9205d64918e84ee8b01d47d6e2396ff6b8adfb10aada7f7254531ce62e31edbb65c2a54a830f09ad05d314dfcd75d6272f4068945ad7c7 fix-memory-map-for-PIE-applications.patch
87d1ad59732f265a5b0db54490dc1762c14ea4b868e7eb1aedc3ce57b48046de7bbc08cf5cfcf6f1380fa84063b0edb16ba3d5e3c5670be9bbb229275c88b221 imx6q-no-unclocked-sleep.patch
dde402be39f68955f9395f807631f1457e90cda76a80e0e198695c8f946cdba02a00fe12a59a77bf5e8b40f5ecb52efbe364449f3e58d8996f27e07b719ac6a4 kernelconfig.x86
diff --git a/main/linux-grsec/grsecurity-3.0-3.14.23-201410312212.patch b/main/linux-grsec/grsecurity-3.0-3.14.24-201411150026.patch
index 2b0f9bd7fc..b8fbeb3c9e 100644
--- a/main/linux-grsec/grsecurity-3.0-3.14.23-201410312212.patch
+++ b/main/linux-grsec/grsecurity-3.0-3.14.24-201411150026.patch
@@ -292,7 +292,7 @@ index 7116fda..2f71588 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index 135a04a..79b5e32 100644
+index 8fd0610..914c673 100644
--- a/Makefile
+++ b/Makefile
@@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -4827,6 +4827,19 @@ index 6c0f684..5faea9d 100644
#define access_ok(type, addr, size) __range_ok(addr, size)
#define user_addr_max get_fs
+diff --git a/arch/arm64/lib/clear_user.S b/arch/arm64/lib/clear_user.S
+index 6e0ed93..c17967f 100644
+--- a/arch/arm64/lib/clear_user.S
++++ b/arch/arm64/lib/clear_user.S
+@@ -46,7 +46,7 @@ USER(9f, strh wzr, [x0], #2 )
+ sub x1, x1, #2
+ 4: adds x1, x1, #1
+ b.mi 5f
+- strb wzr, [x0]
++USER(9f, strb wzr, [x0] )
+ 5: mov x0, #0
+ ret
+ ENDPROC(__clear_user)
diff --git a/arch/avr32/include/asm/cache.h b/arch/avr32/include/asm/cache.h
index c3a58a1..78fbf54 100644
--- a/arch/avr32/include/asm/cache.h
@@ -12341,7 +12354,7 @@ index ad8f795..2c7eec6 100644
/*
* Memory returned by kmalloc() may be used for DMA, so we must make
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index e409891..8ec65be 100644
+index 98aa930..d2cef74 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -22,6 +22,7 @@ config X86_64
@@ -14500,7 +14513,7 @@ index 2206757..85cbcfa 100644
err |= copy_siginfo_to_user32(&frame->info, &ksig->info);
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
-index 4299eb0..c0687a7 100644
+index 92a2e93..9b829fa 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -15,8 +15,10 @@
@@ -14578,7 +14591,7 @@ index 4299eb0..c0687a7 100644
movl %ebp,%ebp /* zero extension */
pushq_cfi $__USER32_DS
/*CFI_REL_OFFSET ss,0*/
-@@ -135,24 +157,49 @@ ENTRY(ia32_sysenter_target)
+@@ -135,23 +157,46 @@ ENTRY(ia32_sysenter_target)
CFI_REL_OFFSET rsp,0
pushfq_cfi
/*CFI_REL_OFFSET rflags,0*/
@@ -14620,20 +14633,27 @@ index 4299eb0..c0687a7 100644
1: movl (%rbp),%ebp
_ASM_EXTABLE(1b,ia32_badarg)
ASM_CLAC
-- orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
-- testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
-+
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+ ASM_PAX_CLOSE_USERLAND
+#endif
+
+ /*
+ * Sysenter doesn't filter flags, so we need to clear NT
+ * ourselves. To save a few cycles, we can check whether
+@@ -161,8 +206,9 @@ ENTRY(ia32_sysenter_target)
+ jnz sysenter_fix_flags
+ sysenter_flags_fixed:
+
+- orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
+- testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
+ GET_THREAD_INFO(%r11)
+ orl $TS_COMPAT,TI_status(%r11)
+ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r11)
CFI_REMEMBER_STATE
jnz sysenter_tracesys
cmpq $(IA32_NR_syscalls-1),%rax
-@@ -162,15 +209,18 @@ sysenter_do_call:
+@@ -172,15 +218,18 @@ sysenter_do_call:
sysenter_dispatch:
call *ia32_sys_call_table(,%rax,8)
movq %rax,RAX-ARGOFFSET(%rsp)
@@ -14656,7 +14676,7 @@ index 4299eb0..c0687a7 100644
CFI_REGISTER rip,rdx
RESTORE_ARGS 0,24,0,0,0,0
xorq %r8,%r8
-@@ -193,6 +243,9 @@ sysexit_from_sys_call:
+@@ -205,6 +254,9 @@ sysexit_from_sys_call:
movl %eax,%esi /* 2nd arg: syscall number */
movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
call __audit_syscall_entry
@@ -14666,7 +14686,7 @@ index 4299eb0..c0687a7 100644
movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
cmpq $(IA32_NR_syscalls-1),%rax
ja ia32_badsys
-@@ -204,7 +257,7 @@ sysexit_from_sys_call:
+@@ -216,7 +268,7 @@ sysexit_from_sys_call:
.endm
.macro auditsys_exit exit
@@ -14675,7 +14695,7 @@ index 4299eb0..c0687a7 100644
jnz ia32_ret_from_sys_call
TRACE_IRQS_ON
ENABLE_INTERRUPTS(CLBR_NONE)
-@@ -215,11 +268,12 @@ sysexit_from_sys_call:
+@@ -227,11 +279,12 @@ sysexit_from_sys_call:
1: setbe %al /* 1 if error, 0 if not */
movzbl %al,%edi /* zero-extend that into %edi */
call __audit_syscall_exit
@@ -14689,7 +14709,7 @@ index 4299eb0..c0687a7 100644
jz \exit
CLEAR_RREGS -ARGOFFSET
jmp int_with_check
-@@ -237,7 +291,7 @@ sysexit_audit:
+@@ -253,7 +306,7 @@ sysenter_fix_flags:
sysenter_tracesys:
#ifdef CONFIG_AUDITSYSCALL
@@ -14698,7 +14718,7 @@ index 4299eb0..c0687a7 100644
jz sysenter_auditsys
#endif
SAVE_REST
-@@ -249,6 +303,9 @@ sysenter_tracesys:
+@@ -265,6 +318,9 @@ sysenter_tracesys:
RESTORE_REST
cmpq $(IA32_NR_syscalls-1),%rax
ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
@@ -14708,7 +14728,7 @@ index 4299eb0..c0687a7 100644
jmp sysenter_do_call
CFI_ENDPROC
ENDPROC(ia32_sysenter_target)
-@@ -276,19 +333,25 @@ ENDPROC(ia32_sysenter_target)
+@@ -292,19 +348,25 @@ ENDPROC(ia32_sysenter_target)
ENTRY(ia32_cstar_target)
CFI_STARTPROC32 simple
CFI_SIGNAL_FRAME
@@ -14736,7 +14756,7 @@ index 4299eb0..c0687a7 100644
movl %eax,%eax /* zero extension */
movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
movq %rcx,RIP-ARGOFFSET(%rsp)
-@@ -304,12 +367,25 @@ ENTRY(ia32_cstar_target)
+@@ -320,12 +382,25 @@ ENTRY(ia32_cstar_target)
/* no need to do an access_ok check here because r8 has been
32bit zero extended */
/* hardware stack frame is complete now */
@@ -14764,7 +14784,7 @@ index 4299eb0..c0687a7 100644
CFI_REMEMBER_STATE
jnz cstar_tracesys
cmpq $IA32_NR_syscalls-1,%rax
-@@ -319,13 +395,16 @@ cstar_do_call:
+@@ -335,13 +410,16 @@ cstar_do_call:
cstar_dispatch:
call *ia32_sys_call_table(,%rax,8)
movq %rax,RAX-ARGOFFSET(%rsp)
@@ -14784,7 +14804,7 @@ index 4299eb0..c0687a7 100644
movl RIP-ARGOFFSET(%rsp),%ecx
CFI_REGISTER rip,rcx
movl EFLAGS-ARGOFFSET(%rsp),%r11d
-@@ -352,7 +431,7 @@ sysretl_audit:
+@@ -368,7 +446,7 @@ sysretl_audit:
cstar_tracesys:
#ifdef CONFIG_AUDITSYSCALL
@@ -14793,7 +14813,7 @@ index 4299eb0..c0687a7 100644
jz cstar_auditsys
#endif
xchgl %r9d,%ebp
-@@ -366,11 +445,19 @@ cstar_tracesys:
+@@ -382,11 +460,19 @@ cstar_tracesys:
xchgl %ebp,%r9d
cmpq $(IA32_NR_syscalls-1),%rax
ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
@@ -14813,7 +14833,7 @@ index 4299eb0..c0687a7 100644
movq $-EFAULT,%rax
jmp ia32_sysret
CFI_ENDPROC
-@@ -407,19 +494,26 @@ ENTRY(ia32_syscall)
+@@ -423,19 +509,26 @@ ENTRY(ia32_syscall)
CFI_REL_OFFSET rip,RIP-RIP
PARAVIRT_ADJUST_EXCEPTION_FRAME
SWAPGS
@@ -14847,7 +14867,7 @@ index 4299eb0..c0687a7 100644
jnz ia32_tracesys
cmpq $(IA32_NR_syscalls-1),%rax
ja ia32_badsys
-@@ -442,6 +536,9 @@ ia32_tracesys:
+@@ -458,6 +551,9 @@ ia32_tracesys:
RESTORE_REST
cmpq $(IA32_NR_syscalls-1),%rax
ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */
@@ -16612,22 +16632,10 @@ index ced283a..ffe04cc 100644
union {
u64 v64;
diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
-index 9c999c1..5718a82 100644
+index 01f15b2..5718a82 100644
--- a/arch/x86/include/asm/elf.h
+++ b/arch/x86/include/asm/elf.h
-@@ -155,8 +155,9 @@ do { \
- #define elf_check_arch(x) \
- ((x)->e_machine == EM_X86_64)
-
--#define compat_elf_check_arch(x) \
-- (elf_check_arch_ia32(x) || (x)->e_machine == EM_X86_64)
-+#define compat_elf_check_arch(x) \
-+ (elf_check_arch_ia32(x) || \
-+ (IS_ENABLED(CONFIG_X86_X32_ABI) && (x)->e_machine == EM_X86_64))
-
- #if __USER32_DS != __USER_DS
- # error "The following code assumes __USER32_DS == __USER_DS"
-@@ -243,7 +244,25 @@ extern int force_personality32;
+@@ -244,7 +244,25 @@ extern int force_personality32;
the loader. We need to make sure that it is out of the way of the program
that it will "exec", and that there is sufficient room for the brk. */
@@ -16653,7 +16661,7 @@ index 9c999c1..5718a82 100644
/* This yields a mask that user programs can use to figure out what
instruction set this CPU supports. This could be done in user space,
-@@ -296,16 +315,12 @@ do { \
+@@ -297,16 +315,12 @@ do { \
#define ARCH_DLINFO \
do { \
@@ -16672,7 +16680,7 @@ index 9c999c1..5718a82 100644
} while (0)
#define AT_SYSINFO 32
-@@ -320,7 +335,7 @@ else \
+@@ -321,7 +335,7 @@ else \
#endif /* !CONFIG_X86_32 */
@@ -16681,7 +16689,7 @@ index 9c999c1..5718a82 100644
#define VDSO_ENTRY \
((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
-@@ -336,9 +351,6 @@ extern int x32_setup_additional_pages(struct linux_binprm *bprm,
+@@ -337,9 +351,6 @@ extern int x32_setup_additional_pages(struct linux_binprm *bprm,
extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
#define compat_arch_setup_additional_pages syscall32_setup_pages
@@ -20729,7 +20737,7 @@ index df94598..f3b29bf 100644
bp_int3_handler = handler;
bp_int3_addr = (u8 *)addr + sizeof(int3);
diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
-index 7f26c9a..694544e 100644
+index 523f147..7b996e0 100644
--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -198,7 +198,7 @@ int first_system_vector = 0xfe;
@@ -21105,7 +21113,7 @@ index c67ffa6..f41fbbf 100644
if (c->x86_model == 3 && c->x86_mask == 0)
size = 64;
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 8e28bf2..bf5c0d2 100644
+index 3f27f5f..6c575e3 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -88,60 +88,6 @@ static const struct cpu_dev default_cpu = {
@@ -27163,7 +27171,7 @@ index 5cdff03..80fa283 100644
* Up to this point, the boot CPU has been using .init.data
* area. Reload any changed state for the boot CPU.
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
-index 9e5de68..147c254 100644
+index b88fc86..99a7057 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -190,7 +190,7 @@ static unsigned long align_sigframe(unsigned long sp)
@@ -27952,7 +27960,7 @@ index 57409f6..b505597 100644
if (!fixup_exception(regs)) {
task->thread.error_code = error_code;
diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
-index e0d1d7a..db035d4 100644
+index de02906..7353850 100644
--- a/arch/x86/kernel/tsc.c
+++ b/arch/x86/kernel/tsc.c
@@ -150,7 +150,7 @@ static void cyc2ns_write_end(int cpu, struct cyc2ns_data *data)
@@ -28435,7 +28443,7 @@ index e48b674..a451dd9 100644
.read = native_io_apic_read,
.write = native_io_apic_write,
diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c
-index a4b451c..8dfe1ad 100644
+index dd50e26..6e07dc3 100644
--- a/arch/x86/kernel/xsave.c
+++ b/arch/x86/kernel/xsave.c
@@ -164,18 +164,18 @@ static inline int save_xstate_epilog(void __user *buf, int ia32_frame)
@@ -28477,7 +28485,7 @@ index a4b451c..8dfe1ad 100644
if (use_xsave())
err = xsave_user(buf);
else if (use_fxsr())
-@@ -311,6 +312,7 @@ sanitize_restored_xstate(struct task_struct *tsk,
+@@ -309,6 +310,7 @@ sanitize_restored_xstate(struct task_struct *tsk,
*/
static inline int restore_user_xstate(void __user *buf, u64 xbv, int fx_only)
{
@@ -28563,7 +28571,7 @@ index cba218a..1cc1bed 100644
goto error;
walker->ptep_user[walker->level - 1] = ptep_user;
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 2de1bc0..22251ee 100644
+index 9643eda6..c9cb765 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -3508,7 +3508,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
@@ -28590,7 +28598,7 @@ index 2de1bc0..22251ee 100644
local_irq_disable();
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 3927528..cd7f2ac 100644
+index 0c90f4b..9fca4d7 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -441,6 +441,7 @@ struct vcpu_vmx {
@@ -28648,7 +28656,7 @@ index 3927528..cd7f2ac 100644
{
u64 host_tsc, tsc_offset;
-@@ -3024,8 +3033,11 @@ static __init int hardware_setup(void)
+@@ -3027,8 +3036,11 @@ static __init int hardware_setup(void)
if (!cpu_has_vmx_flexpriority())
flexpriority_enabled = 0;
@@ -28662,7 +28670,7 @@ index 3927528..cd7f2ac 100644
if (enable_ept && !cpu_has_vmx_ept_2m_page())
kvm_disable_largepages();
-@@ -3036,13 +3048,15 @@ static __init int hardware_setup(void)
+@@ -3039,13 +3051,15 @@ static __init int hardware_setup(void)
if (!cpu_has_vmx_apicv())
enable_apicv = 0;
@@ -28682,7 +28690,7 @@ index 3927528..cd7f2ac 100644
if (nested)
nested_vmx_setup_ctls_msrs();
-@@ -4162,10 +4176,17 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
+@@ -4165,10 +4179,17 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
u32 low32, high32;
unsigned long tmpl;
struct desc_ptr dt;
@@ -28701,7 +28709,7 @@ index 3927528..cd7f2ac 100644
vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS); /* 22.2.4 */
#ifdef CONFIG_X86_64
-@@ -4187,7 +4208,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
+@@ -4190,7 +4211,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
vmx->host_idt_base = dt.address;
@@ -28710,7 +28718,7 @@ index 3927528..cd7f2ac 100644
rdmsr(MSR_IA32_SYSENTER_CS, low32, high32);
vmcs_write32(HOST_IA32_SYSENTER_CS, low32);
-@@ -7186,7 +7207,7 @@ static void atomic_switch_perf_msrs(struct vcpu_vmx *vmx)
+@@ -7196,7 +7217,7 @@ static void atomic_switch_perf_msrs(struct vcpu_vmx *vmx)
static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
{
struct vcpu_vmx *vmx = to_vmx(vcpu);
@@ -28719,7 +28727,7 @@ index 3927528..cd7f2ac 100644
/* Record the guest's net vcpu time for enforced NMI injections. */
if (unlikely(!cpu_has_virtual_nmis() && vmx->soft_vnmi_blocked))
-@@ -7207,6 +7228,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -7217,6 +7238,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
if (test_bit(VCPU_REGS_RIP, (unsigned long *)&vcpu->arch.regs_dirty))
vmcs_writel(GUEST_RIP, vcpu->arch.regs[VCPU_REGS_RIP]);
@@ -28732,7 +28740,7 @@ index 3927528..cd7f2ac 100644
/* When single-stepping over STI and MOV SS, we must clear the
* corresponding interruptibility bits in the guest state. Otherwise
* vmentry fails as it then expects bit 14 (BS) in pending debug
-@@ -7265,6 +7292,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -7275,6 +7302,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
"jmp 2f \n\t"
"1: " __ex(ASM_VMX_VMRESUME) "\n\t"
"2: "
@@ -28745,7 +28753,7 @@ index 3927528..cd7f2ac 100644
/* Save guest registers, load host registers, keep flags */
"mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
"pop %0 \n\t"
-@@ -7317,6 +7350,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -7327,6 +7360,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
#endif
[cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
[wordsize]"i"(sizeof(ulong))
@@ -28757,7 +28765,7 @@ index 3927528..cd7f2ac 100644
: "cc", "memory"
#ifdef CONFIG_X86_64
, "rax", "rbx", "rdi", "rsi"
-@@ -7330,7 +7368,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -7340,7 +7378,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
if (debugctlmsr)
update_debugctlmsr(debugctlmsr);
@@ -28766,7 +28774,7 @@ index 3927528..cd7f2ac 100644
/*
* The sysexit path does not restore ds/es, so we must set them to
* a reasonable value ourselves.
-@@ -7339,8 +7377,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -7349,8 +7387,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
* may be executed in interrupt context, which saves and restore segments
* around it, nullifying its effect.
*/
@@ -28788,10 +28796,10 @@ index 3927528..cd7f2ac 100644
vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 8fbd1a7..e046eef 100644
+index 51c2851..394306f 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
-@@ -1776,8 +1776,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
+@@ -1806,8 +1806,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
{
struct kvm *kvm = vcpu->kvm;
int lm = is_long_mode(vcpu);
@@ -28802,7 +28810,7 @@ index 8fbd1a7..e046eef 100644
u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
: kvm->arch.xen_hvm_config.blob_size_32;
u32 page_num = data & ~PAGE_MASK;
-@@ -2688,6 +2688,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
+@@ -2718,6 +2718,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
if (n < msr_list.nmsrs)
goto out;
r = -EFAULT;
@@ -28811,7 +28819,16 @@ index 8fbd1a7..e046eef 100644
if (copy_to_user(user_msr_list->indices, &msrs_to_save,
num_msrs_to_save * sizeof(u32)))
goto out;
-@@ -5502,7 +5504,7 @@ static struct notifier_block pvclock_gtod_notifier = {
+@@ -4911,7 +4913,7 @@ static int handle_emulation_failure(struct kvm_vcpu *vcpu)
+
+ ++vcpu->stat.insn_emulation_fail;
+ trace_kvm_emulate_insn_failed(vcpu);
+- if (!is_guest_mode(vcpu)) {
++ if (!is_guest_mode(vcpu) && kvm_x86_ops->get_cpl(vcpu) == 0) {
+ vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+ vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
+ vcpu->run->internal.ndata = 0;
+@@ -5532,7 +5534,7 @@ static struct notifier_block pvclock_gtod_notifier = {
};
#endif
@@ -33416,7 +33433,7 @@ index 461bc82..4e091a3 100644
struct split_state {
diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
-index a348868..3c64310 100644
+index fed892d..e380153 100644
--- a/arch/x86/mm/pageattr.c
+++ b/arch/x86/mm/pageattr.c
@@ -262,7 +262,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
@@ -36467,7 +36484,7 @@ index dc51f46..d5446a8 100644
(u8 *) pte, count) < count) {
kfree(pte);
diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
-index 2648797..92ed21f 100644
+index 4044cf7..555ae4e 100644
--- a/block/scsi_ioctl.c
+++ b/block/scsi_ioctl.c
@@ -67,7 +67,7 @@ static int scsi_get_bus(struct request_queue *q, int __user *p)
@@ -38476,7 +38493,7 @@ index 0e06f0c..d98cde3 100644
set_fs(KERNEL_DS);
if (level == SOL_SOCKET)
diff --git a/drivers/block/drbd/drbd_interval.c b/drivers/block/drbd/drbd_interval.c
-index 89c497c..9c736ae 100644
+index 04a14e0..5b8f0aa 100644
--- a/drivers/block/drbd/drbd_interval.c
+++ b/drivers/block/drbd/drbd_interval.c
@@ -67,9 +67,9 @@ static void augment_rotate(struct rb_node *rb_old, struct rb_node *rb_new)
@@ -39381,7 +39398,7 @@ index 8320abd..ec48108 100644
if (cmd != SIOCWANDEV)
diff --git a/drivers/char/random.c b/drivers/char/random.c
-index 429b75b..58488cc 100644
+index 8a64dbe..58488cc 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -284,9 +284,6 @@
@@ -39427,35 +39444,6 @@ index 429b75b..58488cc 100644
unsigned int add =
((pool_size - entropy_count)*anfrac*3) >> s;
-@@ -1063,8 +1060,8 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
- * pool while mixing, and hash one final time.
- */
- sha_transform(hash.w, extract, workspace);
-- memset(extract, 0, sizeof(extract));
-- memset(workspace, 0, sizeof(workspace));
-+ memzero_explicit(extract, sizeof(extract));
-+ memzero_explicit(workspace, sizeof(workspace));
-
- /*
- * In case the hash function has some recognizable output
-@@ -1076,7 +1073,7 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
- hash.w[2] ^= rol32(hash.w[2], 16);
-
- memcpy(out, &hash, EXTRACT_SIZE);
-- memset(&hash, 0, sizeof(hash));
-+ memzero_explicit(&hash, sizeof(hash));
- }
-
- static ssize_t extract_entropy(struct entropy_store *r, void *buf,
-@@ -1124,7 +1121,7 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
- }
-
- /* Wipe data just returned from memory */
-- memset(tmp, 0, sizeof(tmp));
-+ memzero_explicit(tmp, sizeof(tmp));
-
- return ret;
- }
@@ -1151,7 +1148,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
extract_buf(r, tmp);
@@ -39465,15 +39453,6 @@ index 429b75b..58488cc 100644
ret = -EFAULT;
break;
}
-@@ -1162,7 +1159,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
- }
-
- /* Wipe data just returned from memory */
-- memset(tmp, 0, sizeof(tmp));
-+ memzero_explicit(tmp, sizeof(tmp));
-
- return ret;
- }
@@ -1507,7 +1504,7 @@ EXPORT_SYMBOL(generate_random_uuid);
#include <linux/sysctl.h>
@@ -39705,10 +39684,10 @@ index 18448a7..d5fad43 100644
/* Force all MSRs to the same value */
diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
-index 4159236..b850472 100644
+index 4854f81..d9178cb 100644
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
-@@ -1974,7 +1974,7 @@ void cpufreq_unregister_governor(struct cpufreq_governor *governor)
+@@ -1985,7 +1985,7 @@ void cpufreq_unregister_governor(struct cpufreq_governor *governor)
#endif
mutex_lock(&cpufreq_governor_mutex);
@@ -39717,7 +39696,7 @@ index 4159236..b850472 100644
mutex_unlock(&cpufreq_governor_mutex);
return;
}
-@@ -2204,7 +2204,7 @@ static int cpufreq_cpu_callback(struct notifier_block *nfb,
+@@ -2215,7 +2215,7 @@ static int cpufreq_cpu_callback(struct notifier_block *nfb,
return NOTIFY_OK;
}
@@ -39726,7 +39705,7 @@ index 4159236..b850472 100644
.notifier_call = cpufreq_cpu_callback,
};
-@@ -2244,13 +2244,17 @@ int cpufreq_boost_trigger_state(int state)
+@@ -2255,13 +2255,17 @@ int cpufreq_boost_trigger_state(int state)
return 0;
write_lock_irqsave(&cpufreq_driver_lock, flags);
@@ -39746,7 +39725,7 @@ index 4159236..b850472 100644
write_unlock_irqrestore(&cpufreq_driver_lock, flags);
pr_err("%s: Cannot %s BOOST\n", __func__,
-@@ -2304,8 +2308,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data)
+@@ -2315,8 +2319,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data)
pr_debug("trying to register driver %s\n", driver_data->name);
@@ -39760,7 +39739,7 @@ index 4159236..b850472 100644
write_lock_irqsave(&cpufreq_driver_lock, flags);
if (cpufreq_driver) {
-@@ -2320,8 +2327,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data)
+@@ -2331,8 +2338,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data)
* Check if driver provides function to enable boost -
* if not, use cpufreq_boost_set_sw as default
*/
@@ -39862,10 +39841,10 @@ index 18d4091..434be15 100644
}
EXPORT_SYMBOL_GPL(od_unregister_powersave_bias_handler);
diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
-index ae52c77..3d8f69b 100644
+index 533a509..4e1860b 100644
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
-@@ -125,10 +125,10 @@ struct pstate_funcs {
+@@ -138,10 +138,10 @@ struct pstate_funcs {
struct cpu_defaults {
struct pstate_adjust_policy pid_policy;
struct pstate_funcs funcs;
@@ -39878,7 +39857,7 @@ index ae52c77..3d8f69b 100644
struct perf_limits {
int no_turbo;
-@@ -530,7 +530,7 @@ static void intel_pstate_set_pstate(struct cpudata *cpu, int pstate)
+@@ -566,7 +566,7 @@ static void intel_pstate_set_pstate(struct cpudata *cpu, int pstate)
cpu->pstate.current_pstate = pstate;
@@ -39887,16 +39866,18 @@ index ae52c77..3d8f69b 100644
}
static inline void intel_pstate_pstate_increase(struct cpudata *cpu, int steps)
-@@ -552,12 +552,12 @@ static void intel_pstate_get_cpu_pstates(struct cpudata *cpu)
+@@ -588,13 +588,13 @@ static void intel_pstate_get_cpu_pstates(struct cpudata *cpu)
{
sprintf(cpu->name, "Intel 2nd generation core");
- cpu->pstate.min_pstate = pstate_funcs.get_min();
- cpu->pstate.max_pstate = pstate_funcs.get_max();
- cpu->pstate.turbo_pstate = pstate_funcs.get_turbo();
+- cpu->pstate.scaling = pstate_funcs.get_scaling();
+ cpu->pstate.min_pstate = pstate_funcs->get_min();
+ cpu->pstate.max_pstate = pstate_funcs->get_max();
+ cpu->pstate.turbo_pstate = pstate_funcs->get_turbo();
++ cpu->pstate.scaling = pstate_funcs->get_scaling();
- if (pstate_funcs.get_vid)
- pstate_funcs.get_vid(cpu);
@@ -39905,7 +39886,7 @@ index ae52c77..3d8f69b 100644
intel_pstate_set_pstate(cpu, cpu->pstate.min_pstate);
}
-@@ -844,9 +844,9 @@ static int intel_pstate_msrs_not_valid(void)
+@@ -889,9 +889,9 @@ static int intel_pstate_msrs_not_valid(void)
rdmsrl(MSR_IA32_APERF, aperf);
rdmsrl(MSR_IA32_MPERF, mperf);
@@ -39918,7 +39899,7 @@ index ae52c77..3d8f69b 100644
return -ENODEV;
rdmsrl(MSR_IA32_APERF, tmp);
-@@ -860,7 +860,7 @@ static int intel_pstate_msrs_not_valid(void)
+@@ -905,7 +905,7 @@ static int intel_pstate_msrs_not_valid(void)
return 0;
}
@@ -39927,13 +39908,14 @@ index ae52c77..3d8f69b 100644
{
pid_params.sample_rate_ms = policy->sample_rate_ms;
pid_params.p_gain_pct = policy->p_gain_pct;
-@@ -872,11 +872,7 @@ static void copy_pid_params(struct pstate_adjust_policy *policy)
+@@ -917,12 +917,7 @@ static void copy_pid_params(struct pstate_adjust_policy *policy)
static void copy_cpu_funcs(struct pstate_funcs *funcs)
{
- pstate_funcs.get_max = funcs->get_max;
- pstate_funcs.get_min = funcs->get_min;
- pstate_funcs.get_turbo = funcs->get_turbo;
+- pstate_funcs.get_scaling = funcs->get_scaling;
- pstate_funcs.set = funcs->set;
- pstate_funcs.get_vid = funcs->get_vid;
+ pstate_funcs = funcs;
@@ -40420,6 +40402,20 @@ index 57ea7f4..af06b76 100644
card->driver->update_phy_reg(card, 4,
PHY_LINK_ACTIVE | PHY_CONTENDER, 0);
+diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
+index d7d5c8a..6d44568 100644
+--- a/drivers/firewire/core-cdev.c
++++ b/drivers/firewire/core-cdev.c
+@@ -1637,8 +1637,7 @@ static int dispatch_ioctl(struct client *client,
+ _IOC_SIZE(cmd) > sizeof(buffer))
+ return -ENOTTY;
+
+- if (_IOC_DIR(cmd) == _IOC_READ)
+- memset(&buffer, 0, _IOC_SIZE(cmd));
++ memset(&buffer, 0, sizeof(buffer));
+
+ if (_IOC_DIR(cmd) & _IOC_WRITE)
+ if (copy_from_user(&buffer, arg, _IOC_SIZE(cmd)))
diff --git a/drivers/firewire/core-device.c b/drivers/firewire/core-device.c
index 2c6d5e1..a2cca6b 100644
--- a/drivers/firewire/core-device.c
@@ -46166,6 +46162,20 @@ index 98d24ae..bc22415 100644
return 1;
}
+diff --git a/drivers/media/usb/ttusb-dec/ttusbdecfe.c b/drivers/media/usb/ttusb-dec/ttusbdecfe.c
+index 5c45c9d..9c29552 100644
+--- a/drivers/media/usb/ttusb-dec/ttusbdecfe.c
++++ b/drivers/media/usb/ttusb-dec/ttusbdecfe.c
+@@ -156,6 +156,9 @@ static int ttusbdecfe_dvbs_diseqc_send_master_cmd(struct dvb_frontend* fe, struc
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00 };
+
++ if (cmd->msg_len > sizeof(b) - 4)
++ return -EINVAL;
++
+ memcpy(&b[4], cmd->msg, cmd->msg_len);
+
+ state->config->send_command(fe, 0x72,
diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
index fca336b..fb70ab7 100644
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -47763,9 +47773,18 @@ index fbf7dcd..ad71499 100644
};
diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
-index 0c6adaa..0784e3f 100644
+index f30ceb1..81c589c 100644
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
+@@ -422,7 +422,7 @@ static void macvtap_setup(struct net_device *dev)
+ dev->tx_queue_len = TUN_READQ_SIZE;
+ }
+
+-static struct rtnl_link_ops macvtap_link_ops __read_mostly = {
++static struct rtnl_link_ops macvtap_link_ops = {
+ .kind = "macvtap",
+ .setup = macvtap_setup,
+ .newlink = macvtap_newlink,
@@ -1018,7 +1018,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd,
}
@@ -47785,18 +47804,9 @@ index 0c6adaa..0784e3f 100644
};
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
-index 72ff14b..e860630 100644
+index 5a1897d..e860630 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
-@@ -601,7 +601,7 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- if (file == ppp->owner)
- ppp_shutdown_interface(ppp);
- }
-- if (atomic_long_read(&file->f_count) <= 2) {
-+ if (atomic_long_read(&file->f_count) < 2) {
- ppp_release(NULL, file);
- err = 0;
- } else
@@ -999,7 +999,6 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
struct ppp_stats stats;
@@ -47842,10 +47852,10 @@ index 979fe43..1f1230c 100644
};
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
-index 26f8635..c237839 100644
+index 2c8b1c2..9942a89 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
-@@ -1876,7 +1876,7 @@ unlock:
+@@ -1883,7 +1883,7 @@ unlock:
}
static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
@@ -47854,7 +47864,7 @@ index 26f8635..c237839 100644
{
struct tun_file *tfile = file->private_data;
struct tun_struct *tun;
-@@ -1889,6 +1889,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
+@@ -1896,6 +1896,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
unsigned int ifindex;
int ret;
@@ -47991,7 +48001,7 @@ index a2515887..6d13233 100644
/* we will have to manufacture ethernet headers, prepare template */
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
-index 841b608..198a8b7 100644
+index 07a3255..4c59b30 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -47,7 +47,7 @@ module_param(gso, bool, 0444);
@@ -48004,59 +48014,10 @@ index 841b608..198a8b7 100644
#define VIRTNET_DRIVER_VERSION "1.0.0"
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
-index 9b40532..e3294ac 100644
+index 0704a04..4208d2d 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
-@@ -1447,9 +1447,6 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb)
- if (!in6_dev)
- goto out;
-
-- if (!pskb_may_pull(skb, skb->len))
-- goto out;
--
- iphdr = ipv6_hdr(skb);
- saddr = &iphdr->saddr;
- daddr = &iphdr->daddr;
-@@ -1770,6 +1767,8 @@ static void vxlan_encap_bypass(struct sk_buff *skb, struct vxlan_dev *src_vxlan,
- struct pcpu_sw_netstats *tx_stats, *rx_stats;
- union vxlan_addr loopback;
- union vxlan_addr *remote_ip = &dst_vxlan->default_dst.remote_ip;
-+ struct net_device *dev = skb->dev;
-+ int len = skb->len;
-
- tx_stats = this_cpu_ptr(src_vxlan->dev->tstats);
- rx_stats = this_cpu_ptr(dst_vxlan->dev->tstats);
-@@ -1793,16 +1792,16 @@ static void vxlan_encap_bypass(struct sk_buff *skb, struct vxlan_dev *src_vxlan,
-
- u64_stats_update_begin(&tx_stats->syncp);
- tx_stats->tx_packets++;
-- tx_stats->tx_bytes += skb->len;
-+ tx_stats->tx_bytes += len;
- u64_stats_update_end(&tx_stats->syncp);
-
- if (netif_rx(skb) == NET_RX_SUCCESS) {
- u64_stats_update_begin(&rx_stats->syncp);
- rx_stats->rx_packets++;
-- rx_stats->rx_bytes += skb->len;
-+ rx_stats->rx_bytes += len;
- u64_stats_update_end(&rx_stats->syncp);
- } else {
-- skb->dev->stats.rx_dropped++;
-+ dev->stats.rx_dropped++;
- }
- }
-
-@@ -1977,7 +1976,8 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev)
- return arp_reduce(dev, skb);
- #if IS_ENABLED(CONFIG_IPV6)
- else if (ntohs(eth->h_proto) == ETH_P_IPV6 &&
-- skb->len >= sizeof(struct ipv6hdr) + sizeof(struct nd_msg) &&
-+ pskb_may_pull(skb, sizeof(struct ipv6hdr)
-+ + sizeof(struct nd_msg)) &&
- ipv6_hdr(skb)->nexthdr == IPPROTO_ICMPV6) {
- struct nd_msg *msg;
-
-@@ -2846,7 +2846,7 @@ nla_put_failure:
+@@ -2847,7 +2847,7 @@ nla_put_failure:
return -EMSGSIZE;
}
@@ -48065,7 +48026,7 @@ index 9b40532..e3294ac 100644
.kind = "vxlan",
.maxtype = IFLA_VXLAN_MAX,
.policy = vxlan_policy,
-@@ -2893,7 +2893,7 @@ static int vxlan_lowerdev_event(struct notifier_block *unused,
+@@ -2894,7 +2894,7 @@ static int vxlan_lowerdev_event(struct notifier_block *unused,
return NOTIFY_DONE;
}
@@ -49297,7 +49258,7 @@ index fb02fc2..83dc2c3 100644
kfree(msi_dev_attr);
++count;
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index 39a207a..d1ec78a 100644
+index a943c6c..ad1a3cc 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -1112,7 +1112,7 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine)
@@ -51402,6 +51363,58 @@ index 236ed66..dd9cd74 100644
ret = -EBUSY;
goto err_busy;
}
+diff --git a/drivers/staging/line6/driver.c b/drivers/staging/line6/driver.c
+index 7a6d85e..4c55a18 100644
+--- a/drivers/staging/line6/driver.c
++++ b/drivers/staging/line6/driver.c
+@@ -458,7 +458,7 @@ int line6_read_data(struct usb_line6 *line6, int address, void *data,
+ {
+ struct usb_device *usbdev = line6->usbdev;
+ int ret;
+- unsigned char len;
++ unsigned char *plen;
+
+ /* query the serial number: */
+ ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67,
+@@ -471,27 +471,34 @@ int line6_read_data(struct usb_line6 *line6, int address, void *data,
+ return ret;
+ }
+
++ plen = kmalloc(1, GFP_KERNEL);
++ if (plen == NULL)
++ return -ENOMEM;
++
+ /* Wait for data length. We'll get 0xff until length arrives. */
+ do {
+ ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), 0x67,
+ USB_TYPE_VENDOR | USB_RECIP_DEVICE |
+ USB_DIR_IN,
+- 0x0012, 0x0000, &len, 1,
++ 0x0012, 0x0000, plen, 1,
+ LINE6_TIMEOUT * HZ);
+ if (ret < 0) {
+ dev_err(line6->ifcdev,
+ "receive length failed (error %d)\n", ret);
++ kfree(plen);
+ return ret;
+ }
+- } while (len == 0xff);
++ } while (*plen == 0xff);
+
+- if (len != datalen) {
++ if (*plen != datalen) {
+ /* should be equal or something went wrong */
+ dev_err(line6->ifcdev,
+ "length mismatch (expected %d, got %d)\n",
+- (int)datalen, (int)len);
++ (int)datalen, (int)*plen);
++ kfree(plen);
+ return -EINVAL;
+ }
++ kfree(plen);
+
+ /* receive the result: */
+ ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), 0x67,
diff --git a/drivers/staging/lustre/lnet/selftest/brw_test.c b/drivers/staging/lustre/lnet/selftest/brw_test.c
index 3f8020c..649fded 100644
--- a/drivers/staging/lustre/lnet/selftest/brw_test.c
@@ -51903,10 +51916,10 @@ index 24884ca..26c8220 100644
login->tgt_agt = sbp_target_agent_register(login);
if (IS_ERR(login->tgt_agt)) {
diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
-index 6ea95d2..88607b4 100644
+index 38b4be2..c68af1c 100644
--- a/drivers/target/target_core_device.c
+++ b/drivers/target/target_core_device.c
-@@ -1525,7 +1525,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name)
+@@ -1526,7 +1526,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name)
spin_lock_init(&dev->se_tmr_lock);
spin_lock_init(&dev->qf_cmd_lock);
sema_init(&dev->caw_sem, 1);
@@ -51916,7 +51929,7 @@ index 6ea95d2..88607b4 100644
spin_lock_init(&dev->t10_wwn.t10_vpd_lock);
INIT_LIST_HEAD(&dev->t10_pr.registration_list);
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
-index 24f5279..046edc5 100644
+index 9232c773..e42a77a 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1154,7 +1154,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd)
@@ -52679,7 +52692,7 @@ index 9cd706d..6ff2de7 100644
if (cfg->uart_flags & UPF_CONS_FLOW) {
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
-index 25b8f68..3e23c14 100644
+index 27b5554..8131d9d 100644
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -1451,7 +1451,7 @@ static void uart_hangup(struct tty_struct *tty)
@@ -53121,10 +53134,10 @@ index ce396ec..04a37be 100644
if (get_user(c, buf))
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
-index d3448a9..28e8db0 100644
+index 25d0741..36e7237 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
-@@ -3475,7 +3475,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
+@@ -3480,7 +3480,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
void tty_default_fops(struct file_operations *fops)
{
@@ -53559,7 +53572,7 @@ index 9ca7716..a2ccc2e 100644
dev->rawdescriptors[i] + (*ppos - pos),
min(len, alloclen))) {
diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
-index 2518c32..1c201bb 100644
+index ef6ec13b..5c6e68e 100644
--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
@@ -1550,7 +1550,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
@@ -53581,7 +53594,7 @@ index 2518c32..1c201bb 100644
wake_up(&usb_kill_urb_queue);
usb_put_urb(urb);
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index 445d62a..e0657a3 100644
+index d2bd9d7..1ddb53a 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -27,6 +27,7 @@
@@ -53592,7 +53605,7 @@ index 445d62a..e0657a3 100644
#include <asm/uaccess.h>
#include <asm/byteorder.h>
-@@ -4551,6 +4552,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
+@@ -4554,6 +4555,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
goto done;
return;
}
@@ -53660,19 +53673,6 @@ index 4d11449..f4ccabf 100644
INIT_LIST_HEAD(&dev->ep0.urb_list);
dev->ep0.desc.bLength = USB_DT_ENDPOINT_SIZE;
-diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
-index 09e9619..d266724 100644
---- a/drivers/usb/dwc3/gadget.c
-+++ b/drivers/usb/dwc3/gadget.c
-@@ -532,8 +532,6 @@ static int __dwc3_gadget_ep_enable(struct dwc3_ep *dep,
- if (!usb_endpoint_xfer_isoc(desc))
- return 0;
-
-- memset(&trb_link, 0, sizeof(trb_link));
--
- /* Link TRB for ISOC. The HWO bit is never reset */
- trb_st_hw = &dep->trb_pool[0];
-
diff --git a/drivers/usb/early/ehci-dbgp.c b/drivers/usb/early/ehci-dbgp.c
index 8cfc319..4868255 100644
--- a/drivers/usb/early/ehci-dbgp.c
@@ -58911,22 +58911,10 @@ index ff286f3..8153a14 100644
.attrs = attrs,
};
diff --git a/fs/buffer.c b/fs/buffer.c
-index 71e2d0e..7e40912 100644
+index 4d06a57..5977df8 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
-@@ -2313,6 +2313,11 @@ static int cont_expand_zero(struct file *file, struct address_space *mapping,
- err = 0;
-
- balance_dirty_pages_ratelimited(mapping);
-+
-+ if (unlikely(fatal_signal_pending(current))) {
-+ err = -EINTR;
-+ goto out;
-+ }
- }
-
- /* page covers the boundary, find the boundary offset */
-@@ -3430,7 +3435,7 @@ void __init buffer_init(void)
+@@ -3438,7 +3438,7 @@ void __init buffer_init(void)
bh_cachep = kmem_cache_create("buffer_head",
sizeof(struct buffer_head), 0,
(SLAB_RECLAIM_ACCOUNT|SLAB_PANIC|
@@ -59966,7 +59954,7 @@ index a93f7e6..d58bcbe 100644
return 0;
while (nr) {
diff --git a/fs/dcache.c b/fs/dcache.c
-index 58d57da..a3f889f 100644
+index 4366127..581b312 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -250,7 +250,7 @@ static void __d_free(struct rcu_head *head)
@@ -60119,7 +60107,7 @@ index 58d57da..a3f889f 100644
if (!spin_trylock(&inode->i_lock)) {
spin_unlock(&dentry->d_lock);
cpu_relax();
-@@ -3313,7 +3314,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
+@@ -3318,7 +3319,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
if (!(dentry->d_flags & DCACHE_GENOCIDE)) {
dentry->d_flags |= DCACHE_GENOCIDE;
@@ -60128,7 +60116,7 @@ index 58d57da..a3f889f 100644
}
}
return D_WALK_CONTINUE;
-@@ -3429,7 +3430,8 @@ void __init vfs_caches_init(unsigned long mempages)
+@@ -3434,7 +3435,8 @@ void __init vfs_caches_init(unsigned long mempages)
mempages -= reserve;
names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
@@ -61085,7 +61073,7 @@ index 6ea7b14..8fa16d9 100644
if (free_clusters >= (nclusters + dirty_clusters +
resv_clusters))
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
-index 62f024c..a6a1a61 100644
+index 2a6830a..d25d59c 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -1269,19 +1269,19 @@ struct ext4_sb_info {
@@ -61251,10 +61239,10 @@ index 242226a..f3eb6c1 100644
return 0;
diff --git a/fs/ext4/mmp.c b/fs/ext4/mmp.c
-index 04434ad..6404663 100644
+index 1268a1b..adf949f 100644
--- a/fs/ext4/mmp.c
+++ b/fs/ext4/mmp.c
-@@ -113,7 +113,7 @@ static int read_mmp_block(struct super_block *sb, struct buffer_head **bh,
+@@ -111,7 +111,7 @@ static int read_mmp_block(struct super_block *sb, struct buffer_head **bh,
void __dump_mmp_msg(struct super_block *sb, struct mmp_struct *mmp,
const char *function, unsigned int line, const char *msg)
{
@@ -61264,10 +61252,10 @@ index 04434ad..6404663 100644
"MMP failure info: last update time: %llu, last update "
"node: %s, last update device: %s\n",
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
-index a46030d..1477295 100644
+index 9fb3e6c..9a82508 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
-@@ -1270,7 +1270,7 @@ static ext4_fsblk_t get_sb_block(void **data)
+@@ -1268,7 +1268,7 @@ static ext4_fsblk_t get_sb_block(void **data)
}
#define DEFAULT_JOURNAL_IOPRIO (IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 3))
@@ -61276,7 +61264,7 @@ index a46030d..1477295 100644
"Contact linux-ext4@vger.kernel.org if you think we should keep it.\n";
#ifdef CONFIG_QUOTA
-@@ -2448,7 +2448,7 @@ struct ext4_attr {
+@@ -2442,7 +2442,7 @@ struct ext4_attr {
int offset;
int deprecated_val;
} u;
@@ -61286,10 +61274,10 @@ index a46030d..1477295 100644
static int parse_strtoull(const char *buf,
unsigned long long max, unsigned long long *value)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
-index 55e611c..cfad16d 100644
+index 8825154..af51586 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
-@@ -381,7 +381,7 @@ static int
+@@ -394,7 +394,7 @@ static int
ext4_xattr_list_entries(struct dentry *dentry, struct ext4_xattr_entry *entry,
char *buffer, size_t buffer_size)
{
@@ -61298,7 +61286,7 @@ index 55e611c..cfad16d 100644
for (; !IS_LAST_ENTRY(entry); entry = EXT4_XATTR_NEXT(entry)) {
const struct xattr_handler *handler =
-@@ -398,9 +398,10 @@ ext4_xattr_list_entries(struct dentry *dentry, struct ext4_xattr_entry *entry,
+@@ -411,9 +411,10 @@ ext4_xattr_list_entries(struct dentry *dentry, struct ext4_xattr_entry *entry,
buffer += size;
}
rest -= size;
@@ -63063,7 +63051,7 @@ index 4a6cf28..d3a29d3 100644
jffs2_prealloc_raw_node_refs(c, jeb, 1);
diff --git a/fs/jffs2/wbuf.c b/fs/jffs2/wbuf.c
-index a6597d6..41b30ec 100644
+index 09ed551..45684f8 100644
--- a/fs/jffs2/wbuf.c
+++ b/fs/jffs2/wbuf.c
@@ -1023,7 +1023,8 @@ static const struct jffs2_unknown_node oob_cleanmarker =
@@ -63283,7 +63271,7 @@ index b29e42f..5ea7fdf 100644
#define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */
diff --git a/fs/namei.c b/fs/namei.c
-index dd2f2c5..27e6c48 100644
+index 0dd72c8..34dd17d 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -331,17 +331,34 @@ int generic_permission(struct inode *inode, int mask)
@@ -63626,7 +63614,7 @@ index dd2f2c5..27e6c48 100644
error = -EISDIR;
if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
goto out;
-@@ -3180,7 +3285,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -3181,7 +3286,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
if (unlikely(error))
goto out;
@@ -63635,7 +63623,7 @@ index dd2f2c5..27e6c48 100644
while (unlikely(error > 0)) { /* trailing symlink */
struct path link = path;
void *cookie;
-@@ -3198,7 +3303,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -3199,7 +3304,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
error = follow_link(&link, nd, &cookie);
if (unlikely(error))
break;
@@ -63644,7 +63632,7 @@ index dd2f2c5..27e6c48 100644
put_link(nd, &link, cookie);
}
out:
-@@ -3298,9 +3403,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
+@@ -3299,9 +3404,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
goto unlock;
error = -EEXIST;
@@ -63658,7 +63646,7 @@ index dd2f2c5..27e6c48 100644
/*
* Special case - lookup gave negative, but... we had foo/bar/
* From the vfs_mknod() POV we just have a negative dentry -
-@@ -3352,6 +3459,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
+@@ -3353,6 +3460,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
}
EXPORT_SYMBOL(user_path_create);
@@ -63679,7 +63667,7 @@ index dd2f2c5..27e6c48 100644
int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
int error = may_create(dir, dentry);
-@@ -3414,6 +3535,17 @@ retry:
+@@ -3415,6 +3536,17 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -63697,7 +63685,7 @@ index dd2f2c5..27e6c48 100644
error = security_path_mknod(&path, dentry, mode, dev);
if (error)
goto out;
-@@ -3430,6 +3562,8 @@ retry:
+@@ -3431,6 +3563,8 @@ retry:
break;
}
out:
@@ -63706,7 +63694,7 @@ index dd2f2c5..27e6c48 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3482,9 +3616,16 @@ retry:
+@@ -3483,9 +3617,16 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -63723,7 +63711,7 @@ index dd2f2c5..27e6c48 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3565,6 +3706,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -3566,6 +3707,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
struct filename *name;
struct dentry *dentry;
struct nameidata nd;
@@ -63732,7 +63720,7 @@ index dd2f2c5..27e6c48 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3597,10 +3740,21 @@ retry:
+@@ -3598,10 +3741,21 @@ retry:
error = -ENOENT;
goto exit3;
}
@@ -63754,7 +63742,7 @@ index dd2f2c5..27e6c48 100644
exit3:
dput(dentry);
exit2:
-@@ -3690,6 +3844,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -3691,6 +3845,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
struct nameidata nd;
struct inode *inode = NULL;
struct inode *delegated_inode = NULL;
@@ -63763,7 +63751,7 @@ index dd2f2c5..27e6c48 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3716,10 +3872,22 @@ retry_deleg:
+@@ -3717,10 +3873,22 @@ retry_deleg:
if (d_is_negative(dentry))
goto slashes;
ihold(inode);
@@ -63786,7 +63774,7 @@ index dd2f2c5..27e6c48 100644
exit2:
dput(dentry);
}
-@@ -3807,9 +3975,17 @@ retry:
+@@ -3808,9 +3976,17 @@ retry:
if (IS_ERR(dentry))
goto out_putname;
@@ -63804,7 +63792,7 @@ index dd2f2c5..27e6c48 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3912,6 +4088,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3913,6 +4089,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
struct dentry *new_dentry;
struct path old_path, new_path;
struct inode *delegated_inode = NULL;
@@ -63812,7 +63800,7 @@ index dd2f2c5..27e6c48 100644
int how = 0;
int error;
-@@ -3935,7 +4112,7 @@ retry:
+@@ -3936,7 +4113,7 @@ retry:
if (error)
return error;
@@ -63821,7 +63809,7 @@ index dd2f2c5..27e6c48 100644
(how & LOOKUP_REVAL));
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
-@@ -3947,11 +4124,28 @@ retry:
+@@ -3948,11 +4125,28 @@ retry:
error = may_linkat(&old_path);
if (unlikely(error))
goto out_dput;
@@ -63850,7 +63838,7 @@ index dd2f2c5..27e6c48 100644
done_path_create(&new_path, new_dentry);
if (delegated_inode) {
error = break_deleg_wait(&delegated_inode);
-@@ -4238,6 +4432,12 @@ retry_deleg:
+@@ -4239,6 +4433,12 @@ retry_deleg:
if (new_dentry == trap)
goto exit5;
@@ -63863,7 +63851,7 @@ index dd2f2c5..27e6c48 100644
error = security_path_rename(&oldnd.path, old_dentry,
&newnd.path, new_dentry);
if (error)
-@@ -4245,6 +4445,9 @@ retry_deleg:
+@@ -4246,6 +4446,9 @@ retry_deleg:
error = vfs_rename(old_dir->d_inode, old_dentry,
new_dir->d_inode, new_dentry,
&delegated_inode);
@@ -63873,7 +63861,7 @@ index dd2f2c5..27e6c48 100644
exit5:
dput(new_dentry);
exit4:
-@@ -4281,6 +4484,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -4282,6 +4485,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
{
@@ -63882,7 +63870,7 @@ index dd2f2c5..27e6c48 100644
int len;
len = PTR_ERR(link);
-@@ -4290,7 +4495,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+@@ -4291,7 +4496,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
len = strlen(link);
if (len > (unsigned) buflen)
len = buflen;
@@ -63899,7 +63887,7 @@ index dd2f2c5..27e6c48 100644
out:
return len;
diff --git a/fs/namespace.c b/fs/namespace.c
-index c7d4a0a..93207ab 100644
+index d9bf3ef..93207ab 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1371,6 +1371,9 @@ static int do_umount(struct mount *mnt, int flags)
@@ -64017,17 +64005,7 @@ index c7d4a0a..93207ab 100644
get_fs_root(current->fs, &root);
old_mp = lock_mount(&old);
error = PTR_ERR(old_mp);
-@@ -2831,6 +2855,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
- /* make sure we can reach put_old from new_root */
- if (!is_path_reachable(old_mnt, old.dentry, &new))
- goto out4;
-+ /* make certain new is below the root */
-+ if (!is_path_reachable(new_mnt, new.dentry, &root))
-+ goto out4;
- root_mp->m_count++; /* pin it so it won't go away */
- lock_mount_hash();
- detach_mnt(new_mnt, &parent_path);
-@@ -3062,7 +3089,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns)
+@@ -3065,7 +3089,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns)
!ns_capable(current_user_ns(), CAP_SYS_ADMIN))
return -EPERM;
@@ -64074,7 +64052,7 @@ index 15f9d98..082c625 100644
void nfs_fattr_init(struct nfs_fattr *fattr)
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
-index f23a6ca..730ddcc 100644
+index 86f5d3e..ae2d35a 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1169,7 +1169,7 @@ struct nfsd4_operation {
@@ -67191,19 +67169,6 @@ index ae0c3ce..9ee641c 100644
generic_fillattr(inode, stat);
return 0;
-diff --git a/fs/super.c b/fs/super.c
-index 7624267..88a6bc6 100644
---- a/fs/super.c
-+++ b/fs/super.c
-@@ -81,6 +81,8 @@ static unsigned long super_cache_scan(struct shrinker *shrink,
- inodes = list_lru_count_node(&sb->s_inode_lru, sc->nid);
- dentries = list_lru_count_node(&sb->s_dentry_lru, sc->nid);
- total_objects = dentries + inodes + fs_objects + 1;
-+ if (!total_objects)
-+ total_objects = 1;
-
- /* proportion the scan between the caches */
- dentries = mult_frac(sc->nr_to_scan, dentries, total_objects);
diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
index ee0d761..b346c58 100644
--- a/fs/sysfs/dir.c
@@ -67605,6 +67570,28 @@ index 78e62cc..eec3706 100644
copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
goto out_put;
+diff --git a/fs/xfs/xfs_linux.h b/fs/xfs/xfs_linux.h
+index f9bb590..af3c389 100644
+--- a/fs/xfs/xfs_linux.h
++++ b/fs/xfs/xfs_linux.h
+@@ -229,7 +229,7 @@ static inline kgid_t xfs_gid_to_kgid(__uint32_t gid)
+ * of the compiler which do not like us using do_div in the middle
+ * of large functions.
+ */
+-static inline __u32 xfs_do_div(void *a, __u32 b, int n)
++static inline __u32 __intentional_overflow(-1) xfs_do_div(void *a, __u32 b, int n)
+ {
+ __u32 mod;
+
+@@ -285,7 +285,7 @@ static inline __u32 xfs_do_mod(void *a, __u32 b, int n)
+ return 0;
+ }
+ #else
+-static inline __u32 xfs_do_div(void *a, __u32 b, int n)
++static inline __u32 __intentional_overflow(-1) xfs_do_div(void *a, __u32 b, int n)
+ {
+ __u32 mod;
+
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
index 0000000..cdaa3ef
@@ -79556,10 +79543,10 @@ index be5fd38..d71192a 100644
if (sizeof(l) == 4)
return fls(l);
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
-index 4afa4f8..1ed7824 100644
+index a693c6d..cec897f 100644
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
-@@ -1572,7 +1572,7 @@ struct block_device_operations {
+@@ -1571,7 +1571,7 @@ struct block_device_operations {
/* this callback is with swap_lock and sometimes page table lock held */
void (*swap_slot_free_notify) (struct block_device *, unsigned long);
struct module *owner;
@@ -82551,7 +82538,7 @@ index 5bba088..7ad4ae7 100644
static inline int
vma_dup_policy(struct vm_area_struct *src, struct vm_area_struct *dst)
diff --git a/include/linux/mm.h b/include/linux/mm.h
-index c1b7414..5ea2ad8 100644
+index 0a0b024..ebee54f 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -127,6 +127,11 @@ extern unsigned int kobjsize(const void *objp);
@@ -82596,7 +82583,7 @@ index c1b7414..5ea2ad8 100644
static inline void unmap_shared_mapping_range(struct address_space *mapping,
loff_t const holebegin, loff_t const holelen)
-@@ -1152,9 +1158,9 @@ static inline int fixup_user_fault(struct task_struct *tsk,
+@@ -1153,9 +1159,9 @@ static inline int fixup_user_fault(struct task_struct *tsk,
}
#endif
@@ -82609,7 +82596,7 @@ index c1b7414..5ea2ad8 100644
long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
unsigned long start, unsigned long nr_pages,
-@@ -1186,34 +1192,6 @@ int set_page_dirty(struct page *page);
+@@ -1187,34 +1193,6 @@ int set_page_dirty(struct page *page);
int set_page_dirty_lock(struct page *page);
int clear_page_dirty_for_io(struct page *page);
@@ -82644,7 +82631,7 @@ index c1b7414..5ea2ad8 100644
extern pid_t
vm_is_stack(struct task_struct *task, struct vm_area_struct *vma, int in_group);
-@@ -1313,6 +1291,15 @@ static inline void sync_mm_rss(struct mm_struct *mm)
+@@ -1314,6 +1292,15 @@ static inline void sync_mm_rss(struct mm_struct *mm)
}
#endif
@@ -82660,7 +82647,7 @@ index c1b7414..5ea2ad8 100644
int vma_wants_writenotify(struct vm_area_struct *vma);
extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
-@@ -1331,8 +1318,15 @@ static inline int __pud_alloc(struct mm_struct *mm, pgd_t *pgd,
+@@ -1332,8 +1319,15 @@ static inline int __pud_alloc(struct mm_struct *mm, pgd_t *pgd,
{
return 0;
}
@@ -82676,7 +82663,7 @@ index c1b7414..5ea2ad8 100644
#endif
#ifdef __PAGETABLE_PMD_FOLDED
-@@ -1341,8 +1335,15 @@ static inline int __pmd_alloc(struct mm_struct *mm, pud_t *pud,
+@@ -1342,8 +1336,15 @@ static inline int __pmd_alloc(struct mm_struct *mm, pud_t *pud,
{
return 0;
}
@@ -82692,7 +82679,7 @@ index c1b7414..5ea2ad8 100644
#endif
int __pte_alloc(struct mm_struct *mm, struct vm_area_struct *vma,
-@@ -1360,11 +1361,23 @@ static inline pud_t *pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long a
+@@ -1361,11 +1362,23 @@ static inline pud_t *pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long a
NULL: pud_offset(pgd, address);
}
@@ -82716,7 +82703,7 @@ index c1b7414..5ea2ad8 100644
#endif /* CONFIG_MMU && !__ARCH_HAS_4LEVEL_HACK */
#if USE_SPLIT_PTE_PTLOCKS
-@@ -1754,7 +1767,7 @@ extern int install_special_mapping(struct mm_struct *mm,
+@@ -1755,7 +1768,7 @@ extern int install_special_mapping(struct mm_struct *mm,
unsigned long addr, unsigned long len,
unsigned long flags, struct page **pages);
@@ -82725,7 +82712,7 @@ index c1b7414..5ea2ad8 100644
extern unsigned long mmap_region(struct file *file, unsigned long addr,
unsigned long len, vm_flags_t vm_flags, unsigned long pgoff);
-@@ -1762,6 +1775,7 @@ extern unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -1763,6 +1776,7 @@ extern unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
unsigned long len, unsigned long prot, unsigned long flags,
unsigned long pgoff, unsigned long *populate);
extern int do_munmap(struct mm_struct *, unsigned long, size_t);
@@ -82733,7 +82720,7 @@ index c1b7414..5ea2ad8 100644
#ifdef CONFIG_MMU
extern int __mm_populate(unsigned long addr, unsigned long len,
-@@ -1790,10 +1804,11 @@ struct vm_unmapped_area_info {
+@@ -1791,10 +1805,11 @@ struct vm_unmapped_area_info {
unsigned long high_limit;
unsigned long align_mask;
unsigned long align_offset;
@@ -82747,7 +82734,7 @@ index c1b7414..5ea2ad8 100644
/*
* Search for an unmapped address range.
-@@ -1805,7 +1820,7 @@ extern unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info);
+@@ -1806,7 +1821,7 @@ extern unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info);
* - satisfies (begin_addr & align_mask) == (align_offset & align_mask)
*/
static inline unsigned long
@@ -82756,7 +82743,7 @@ index c1b7414..5ea2ad8 100644
{
if (!(info->flags & VM_UNMAPPED_AREA_TOPDOWN))
return unmapped_area(info);
-@@ -1868,6 +1883,10 @@ extern struct vm_area_struct * find_vma(struct mm_struct * mm, unsigned long add
+@@ -1869,6 +1884,10 @@ extern struct vm_area_struct * find_vma(struct mm_struct * mm, unsigned long add
extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
struct vm_area_struct **pprev);
@@ -82767,7 +82754,7 @@ index c1b7414..5ea2ad8 100644
/* Look up the first VMA which intersects the interval start_addr..end_addr-1,
NULL if none. Assume start_addr < end_addr. */
static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
-@@ -1896,15 +1915,6 @@ static inline struct vm_area_struct *find_exact_vma(struct mm_struct *mm,
+@@ -1897,15 +1916,6 @@ static inline struct vm_area_struct *find_exact_vma(struct mm_struct *mm,
return vma;
}
@@ -82783,7 +82770,7 @@ index c1b7414..5ea2ad8 100644
#ifdef CONFIG_NUMA_BALANCING
unsigned long change_prot_numa(struct vm_area_struct *vma,
unsigned long start, unsigned long end);
-@@ -1956,6 +1966,11 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long);
+@@ -1957,6 +1967,11 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long);
static inline void vm_stat_account(struct mm_struct *mm,
unsigned long flags, struct file *file, long pages)
{
@@ -82795,7 +82782,7 @@ index c1b7414..5ea2ad8 100644
mm->total_vm += pages;
}
#endif /* CONFIG_PROC_FS */
-@@ -2037,7 +2052,7 @@ extern int unpoison_memory(unsigned long pfn);
+@@ -2038,7 +2053,7 @@ extern int unpoison_memory(unsigned long pfn);
extern int sysctl_memory_failure_early_kill;
extern int sysctl_memory_failure_recovery;
extern void shake_page(struct page *p, int access);
@@ -82804,7 +82791,7 @@ index c1b7414..5ea2ad8 100644
extern int soft_offline_page(struct page *page, int flags);
#if defined(CONFIG_TRANSPARENT_HUGEPAGE) || defined(CONFIG_HUGETLBFS)
-@@ -2072,5 +2087,11 @@ void __init setup_nr_node_ids(void);
+@@ -2073,5 +2088,11 @@ void __init setup_nr_node_ids(void);
static inline void setup_nr_node_ids(void) {}
#endif
@@ -84633,29 +84620,6 @@ index 680f9a3..f13aeb0 100644
__SONET_ITEMS
#undef __HANDLE_ITEM
};
-diff --git a/include/linux/string.h b/include/linux/string.h
-index ac889c5..0ed878d 100644
---- a/include/linux/string.h
-+++ b/include/linux/string.h
-@@ -129,7 +129,7 @@ int bprintf(u32 *bin_buf, size_t size, const char *fmt, ...) __printf(3, 4);
- #endif
-
- extern ssize_t memory_read_from_buffer(void *to, size_t count, loff_t *ppos,
-- const void *from, size_t available);
-+ const void *from, size_t available);
-
- /**
- * strstarts - does @str start with @prefix?
-@@ -141,7 +141,8 @@ static inline bool strstarts(const char *str, const char *prefix)
- return strncmp(str, prefix, strlen(prefix)) == 0;
- }
-
--extern size_t memweight(const void *ptr, size_t bytes);
-+size_t memweight(const void *ptr, size_t bytes);
-+void memzero_explicit(void *s, size_t count);
-
- /**
- * kbasename - return the last part of a pathname.
diff --git a/include/linux/sunrpc/addr.h b/include/linux/sunrpc/addr.h
index 07d8e53..dc934c9 100644
--- a/include/linux/sunrpc/addr.h
@@ -85993,8 +85957,24 @@ index 4a5b9a3..ca27d73 100644
.update = sctp_csum_update,
.combine = sctp_csum_combine,
};
+diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
+index a3353f4..ba41e01 100644
+--- a/include/net/sctp/sctp.h
++++ b/include/net/sctp/sctp.h
+@@ -433,6 +433,11 @@ static inline void sctp_assoc_pending_pmtu(struct sock *sk, struct sctp_associat
+ asoc->pmtu_pending = 0;
+ }
+
++static inline bool sctp_chunk_pending(const struct sctp_chunk *chunk)
++{
++ return !list_empty(&chunk->list);
++}
++
+ /* Walk through a list of TLV parameters. Don't trust the
+ * individual parameter lengths and instead depend on
+ * the chunk length to indicate when to stop. Make sure
diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
-index 7f4eeb3..37e8fe1 100644
+index 7f4eeb3..aaa63d9 100644
--- a/include/net/sctp/sm.h
+++ b/include/net/sctp/sm.h
@@ -80,7 +80,7 @@ typedef void (sctp_timer_event_t) (unsigned long);
@@ -86006,6 +85986,19 @@ index 7f4eeb3..37e8fe1 100644
/* A naming convention of "sctp_sf_xxx" applies to all the state functions
* currently in use.
+@@ -248,9 +248,9 @@ struct sctp_chunk *sctp_make_asconf_update_ip(struct sctp_association *,
+ int, __be16);
+ struct sctp_chunk *sctp_make_asconf_set_prim(struct sctp_association *asoc,
+ union sctp_addr *addr);
+-int sctp_verify_asconf(const struct sctp_association *asoc,
+- struct sctp_paramhdr *param_hdr, void *chunk_end,
+- struct sctp_paramhdr **errp);
++bool sctp_verify_asconf(const struct sctp_association *asoc,
++ struct sctp_chunk *chunk, bool addr_param_needed,
++ struct sctp_paramhdr **errp);
+ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
+ struct sctp_chunk *asconf);
+ int sctp_process_asconf_ack(struct sctp_association *asoc,
@@ -292,7 +292,7 @@ __u32 sctp_generate_tag(const struct sctp_endpoint *);
__u32 sctp_generate_tsn(const struct sctp_endpoint *);
@@ -89670,7 +89663,7 @@ index 1d96dd0..994ff19 100644
default:
diff --git a/kernel/module.c b/kernel/module.c
-index 6716a1f..acc7443 100644
+index 1d679a6..acc7443 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -61,6 +61,7 @@
@@ -89865,17 +89858,7 @@ index 6716a1f..acc7443 100644
set_memory_ro);
}
}
-@@ -1841,7 +1860,9 @@ static void free_module(struct module *mod)
-
- /* We leave it in list to prevent duplicate loads, but make sure
- * that noone uses it while it's being deconstructed. */
-+ mutex_lock(&module_mutex);
- mod->state = MODULE_STATE_UNFORMED;
-+ mutex_unlock(&module_mutex);
-
- /* Remove dynamic debug info */
- ddebug_remove_module(mod->name);
-@@ -1862,16 +1883,19 @@ static void free_module(struct module *mod)
+@@ -1864,16 +1883,19 @@ static void free_module(struct module *mod)
/* This may be NULL, but that's OK */
unset_module_init_ro_nx(mod);
@@ -89898,7 +89881,7 @@ index 6716a1f..acc7443 100644
#ifdef CONFIG_MPU
update_protections(current->mm);
-@@ -1940,9 +1964,31 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
+@@ -1942,9 +1964,31 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
int ret = 0;
const struct kernel_symbol *ksym;
@@ -89930,7 +89913,7 @@ index 6716a1f..acc7443 100644
switch (sym[i].st_shndx) {
case SHN_COMMON:
/* We compiled with -fno-common. These are not
-@@ -1963,7 +2009,9 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
+@@ -1965,7 +2009,9 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
ksym = resolve_symbol_wait(mod, info, name);
/* Ok if resolved. */
if (ksym && !IS_ERR(ksym)) {
@@ -89940,7 +89923,7 @@ index 6716a1f..acc7443 100644
break;
}
-@@ -1982,11 +2030,20 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
+@@ -1984,11 +2030,20 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
secbase = (unsigned long)mod_percpu(mod);
else
secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
@@ -89961,7 +89944,7 @@ index 6716a1f..acc7443 100644
return ret;
}
-@@ -2070,22 +2127,12 @@ static void layout_sections(struct module *mod, struct load_info *info)
+@@ -2072,22 +2127,12 @@ static void layout_sections(struct module *mod, struct load_info *info)
|| s->sh_entsize != ~0UL
|| strstarts(sname, ".init"))
continue;
@@ -89988,7 +89971,7 @@ index 6716a1f..acc7443 100644
}
pr_debug("Init section allocation order:\n");
-@@ -2099,23 +2146,13 @@ static void layout_sections(struct module *mod, struct load_info *info)
+@@ -2101,23 +2146,13 @@ static void layout_sections(struct module *mod, struct load_info *info)
|| s->sh_entsize != ~0UL
|| !strstarts(sname, ".init"))
continue;
@@ -90017,7 +90000,7 @@ index 6716a1f..acc7443 100644
}
}
-@@ -2288,7 +2325,7 @@ static void layout_symtab(struct module *mod, struct load_info *info)
+@@ -2290,7 +2325,7 @@ static void layout_symtab(struct module *mod, struct load_info *info)
/* Put symbol section at end of init part of module. */
symsect->sh_flags |= SHF_ALLOC;
@@ -90026,7 +90009,7 @@ index 6716a1f..acc7443 100644
info->index.sym) | INIT_OFFSET_MASK;
pr_debug("\t%s\n", info->secstrings + symsect->sh_name);
-@@ -2305,13 +2342,13 @@ static void layout_symtab(struct module *mod, struct load_info *info)
+@@ -2307,13 +2342,13 @@ static void layout_symtab(struct module *mod, struct load_info *info)
}
/* Append room for core symbols at end of core part. */
@@ -90044,7 +90027,7 @@ index 6716a1f..acc7443 100644
info->index.str) | INIT_OFFSET_MASK;
pr_debug("\t%s\n", info->secstrings + strsect->sh_name);
}
-@@ -2329,12 +2366,14 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
+@@ -2331,12 +2366,14 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
/* Make sure we get permanent strtab: don't use info->strtab. */
mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
@@ -90061,7 +90044,7 @@ index 6716a1f..acc7443 100644
src = mod->symtab;
for (ndst = i = 0; i < mod->num_symtab; i++) {
if (i == 0 ||
-@@ -2346,6 +2385,8 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
+@@ -2348,6 +2385,8 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
}
}
mod->core_num_syms = ndst;
@@ -90070,7 +90053,7 @@ index 6716a1f..acc7443 100644
}
#else
static inline void layout_symtab(struct module *mod, struct load_info *info)
-@@ -2379,17 +2420,33 @@ void * __weak module_alloc(unsigned long size)
+@@ -2381,17 +2420,33 @@ void * __weak module_alloc(unsigned long size)
return vmalloc_exec(size);
}
@@ -90109,7 +90092,7 @@ index 6716a1f..acc7443 100644
mutex_unlock(&module_mutex);
}
return ret;
-@@ -2646,7 +2703,15 @@ static struct module *setup_load_info(struct load_info *info, int flags)
+@@ -2648,7 +2703,15 @@ static struct module *setup_load_info(struct load_info *info, int flags)
mod = (void *)info->sechdrs[info->index.mod].sh_addr;
if (info->index.sym == 0) {
@@ -90125,7 +90108,7 @@ index 6716a1f..acc7443 100644
return ERR_PTR(-ENOEXEC);
}
-@@ -2662,8 +2727,14 @@ static struct module *setup_load_info(struct load_info *info, int flags)
+@@ -2664,8 +2727,14 @@ static struct module *setup_load_info(struct load_info *info, int flags)
static int check_modinfo(struct module *mod, struct load_info *info, int flags)
{
const char *modmagic = get_modinfo(info, "vermagic");
@@ -90140,7 +90123,7 @@ index 6716a1f..acc7443 100644
if (flags & MODULE_INIT_IGNORE_VERMAGIC)
modmagic = NULL;
-@@ -2688,7 +2759,7 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
+@@ -2690,7 +2759,7 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
}
/* Set up license info based on the info section */
@@ -90149,7 +90132,7 @@ index 6716a1f..acc7443 100644
return 0;
}
-@@ -2782,7 +2853,7 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -2784,7 +2853,7 @@ static int move_module(struct module *mod, struct load_info *info)
void *ptr;
/* Do the allocs. */
@@ -90158,7 +90141,7 @@ index 6716a1f..acc7443 100644
/*
* The pointer to this block is stored in the module structure
* which is inside the block. Just mark it as not being a
-@@ -2792,11 +2863,11 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -2794,11 +2863,11 @@ static int move_module(struct module *mod, struct load_info *info)
if (!ptr)
return -ENOMEM;
@@ -90174,7 +90157,7 @@ index 6716a1f..acc7443 100644
/*
* The pointer to this block is stored in the module structure
* which is inside the block. This block doesn't need to be
-@@ -2805,13 +2876,45 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -2807,13 +2876,45 @@ static int move_module(struct module *mod, struct load_info *info)
*/
kmemleak_ignore(ptr);
if (!ptr) {
@@ -90224,7 +90207,7 @@ index 6716a1f..acc7443 100644
/* Transfer each section which specifies SHF_ALLOC */
pr_debug("final section addresses:\n");
-@@ -2822,16 +2925,45 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -2824,16 +2925,45 @@ static int move_module(struct module *mod, struct load_info *info)
if (!(shdr->sh_flags & SHF_ALLOC))
continue;
@@ -90277,7 +90260,7 @@ index 6716a1f..acc7443 100644
pr_debug("\t0x%lx %s\n",
(long)shdr->sh_addr, info->secstrings + shdr->sh_name);
}
-@@ -2888,12 +3020,12 @@ static void flush_module_icache(const struct module *mod)
+@@ -2890,12 +3020,12 @@ static void flush_module_icache(const struct module *mod)
* Do it before processing of module parameters, so the module
* can provide parameter accessor functions of its own.
*/
@@ -90296,7 +90279,7 @@ index 6716a1f..acc7443 100644
set_fs(old_fs);
}
-@@ -2950,8 +3082,10 @@ static struct module *layout_and_allocate(struct load_info *info, int flags)
+@@ -2952,8 +3082,10 @@ static struct module *layout_and_allocate(struct load_info *info, int flags)
static void module_deallocate(struct module *mod, struct load_info *info)
{
percpu_modfree(mod);
@@ -90309,7 +90292,7 @@ index 6716a1f..acc7443 100644
}
int __weak module_finalize(const Elf_Ehdr *hdr,
-@@ -2964,7 +3098,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr,
+@@ -2966,7 +3098,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr,
static int post_relocation(struct module *mod, const struct load_info *info)
{
/* Sort exception table now relocations are done. */
@@ -90319,7 +90302,7 @@ index 6716a1f..acc7443 100644
/* Copy relocated percpu area over. */
percpu_modcopy(mod, (void *)info->sechdrs[info->index.pcpu].sh_addr,
-@@ -3018,16 +3154,16 @@ static int do_init_module(struct module *mod)
+@@ -3020,16 +3154,16 @@ static int do_init_module(struct module *mod)
MODULE_STATE_COMING, mod);
/* Set RO and NX regions for core */
@@ -90344,7 +90327,7 @@ index 6716a1f..acc7443 100644
do_mod_ctors(mod);
/* Start the module */
-@@ -3088,11 +3224,12 @@ static int do_init_module(struct module *mod)
+@@ -3090,11 +3224,12 @@ static int do_init_module(struct module *mod)
mod->strtab = mod->core_strtab;
#endif
unset_module_init_ro_nx(mod);
@@ -90362,7 +90345,7 @@ index 6716a1f..acc7443 100644
mutex_unlock(&module_mutex);
wake_up_all(&module_wq);
-@@ -3235,9 +3372,38 @@ static int load_module(struct load_info *info, const char __user *uargs,
+@@ -3237,9 +3372,38 @@ static int load_module(struct load_info *info, const char __user *uargs,
if (err)
goto free_unload;
@@ -90401,7 +90384,7 @@ index 6716a1f..acc7443 100644
/* Fix up syms, so that st_value is a pointer to location. */
err = simplify_symbols(mod, info);
if (err < 0)
-@@ -3253,13 +3419,6 @@ static int load_module(struct load_info *info, const char __user *uargs,
+@@ -3255,13 +3419,6 @@ static int load_module(struct load_info *info, const char __user *uargs,
flush_module_icache(mod);
@@ -90415,7 +90398,7 @@ index 6716a1f..acc7443 100644
dynamic_debug_setup(info->debug, info->num_debug);
/* Ftrace init must be called in the MODULE_STATE_UNFORMED state */
-@@ -3297,11 +3456,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
+@@ -3299,11 +3456,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
ddebug_cleanup:
dynamic_debug_remove(info->debug);
synchronize_sched();
@@ -90428,7 +90411,7 @@ index 6716a1f..acc7443 100644
free_unload:
module_unload_free(mod);
unlink_mod:
-@@ -3384,10 +3542,16 @@ static const char *get_ksymbol(struct module *mod,
+@@ -3386,10 +3542,16 @@ static const char *get_ksymbol(struct module *mod,
unsigned long nextval;
/* At worse, next value is at end of module */
@@ -90448,7 +90431,7 @@ index 6716a1f..acc7443 100644
/* Scan for closest preceding symbol, and next symbol. (ELF
starts real symbols at 1). */
-@@ -3638,7 +3802,7 @@ static int m_show(struct seq_file *m, void *p)
+@@ -3640,7 +3802,7 @@ static int m_show(struct seq_file *m, void *p)
return 0;
seq_printf(m, "%s %u",
@@ -90457,7 +90440,7 @@ index 6716a1f..acc7443 100644
print_unload_info(m, mod);
/* Informative for users. */
-@@ -3647,7 +3811,7 @@ static int m_show(struct seq_file *m, void *p)
+@@ -3649,7 +3811,7 @@ static int m_show(struct seq_file *m, void *p)
mod->state == MODULE_STATE_COMING ? "Loading":
"Live");
/* Used by oprofile and other similar tools. */
@@ -90466,7 +90449,7 @@ index 6716a1f..acc7443 100644
/* Taints info */
if (mod->taints)
-@@ -3683,7 +3847,17 @@ static const struct file_operations proc_modules_operations = {
+@@ -3685,7 +3847,17 @@ static const struct file_operations proc_modules_operations = {
static int __init proc_modules_init(void)
{
@@ -90484,7 +90467,7 @@ index 6716a1f..acc7443 100644
return 0;
}
module_init(proc_modules_init);
-@@ -3744,14 +3918,14 @@ struct module *__module_address(unsigned long addr)
+@@ -3746,14 +3918,14 @@ struct module *__module_address(unsigned long addr)
{
struct module *mod;
@@ -90502,7 +90485,7 @@ index 6716a1f..acc7443 100644
return mod;
}
return NULL;
-@@ -3786,11 +3960,20 @@ bool is_module_text_address(unsigned long addr)
+@@ -3788,11 +3960,20 @@ bool is_module_text_address(unsigned long addr)
*/
struct module *__module_text_address(unsigned long addr)
{
@@ -90727,7 +90710,7 @@ index 3b89464..5e38379 100644
.clock_get = thread_cpu_clock_get,
.timer_create = thread_cpu_timer_create,
diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
-index 424c2d4..679242f 100644
+index 77e6b83..fc021bd 100644
--- a/kernel/posix-timers.c
+++ b/kernel/posix-timers.c
@@ -43,6 +43,7 @@
@@ -90828,7 +90811,7 @@ index 424c2d4..679242f 100644
int it_id_set = IT_ID_NOT_SET;
if (!kc)
-@@ -1011,6 +1012,13 @@ SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock,
+@@ -1012,6 +1013,13 @@ SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock,
if (copy_from_user(&new_tp, tp, sizeof (*tp)))
return -EFAULT;
@@ -90856,7 +90839,7 @@ index 2fac9cc..56fef29 100644
select LZO_COMPRESS
select LZO_DECOMPRESS
diff --git a/kernel/power/process.c b/kernel/power/process.c
-index 14f9a8d..98ee610 100644
+index f1fe7ec..7d4e641 100644
--- a/kernel/power/process.c
+++ b/kernel/power/process.c
@@ -34,6 +34,7 @@ static int try_to_freeze_tasks(bool user_only)
@@ -91904,7 +91887,7 @@ index a63f4dc..349bbb0 100644
unsigned long timeout)
{
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index 677ebad..e39b352 100644
+index 9a3f3c4..943fa11 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -1775,7 +1775,7 @@ void set_numabalancing_state(bool enabled)
@@ -91916,7 +91899,7 @@ index 677ebad..e39b352 100644
int err;
int state = numabalancing_enabled;
-@@ -2251,8 +2251,10 @@ context_switch(struct rq *rq, struct task_struct *prev,
+@@ -2255,8 +2255,10 @@ context_switch(struct rq *rq, struct task_struct *prev,
next->active_mm = oldmm;
atomic_inc(&oldmm->mm_count);
enter_lazy_tlb(oldmm, next);
@@ -91928,7 +91911,7 @@ index 677ebad..e39b352 100644
if (!prev->mm) {
prev->active_mm = NULL;
-@@ -3049,6 +3051,8 @@ int can_nice(const struct task_struct *p, const int nice)
+@@ -3053,6 +3055,8 @@ int can_nice(const struct task_struct *p, const int nice)
/* convert nice value [19,-20] to rlimit style value [1,40] */
int nice_rlim = 20 - nice;
@@ -91937,7 +91920,7 @@ index 677ebad..e39b352 100644
return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
capable(CAP_SYS_NICE));
}
-@@ -3082,7 +3086,8 @@ SYSCALL_DEFINE1(nice, int, increment)
+@@ -3086,7 +3090,8 @@ SYSCALL_DEFINE1(nice, int, increment)
if (nice > 19)
nice = 19;
@@ -91947,7 +91930,7 @@ index 677ebad..e39b352 100644
return -EPERM;
retval = security_task_setnice(current, nice);
-@@ -3355,6 +3360,7 @@ recheck:
+@@ -3359,6 +3364,7 @@ recheck:
if (policy != p->policy && !rlim_rtprio)
return -EPERM;
@@ -91955,7 +91938,7 @@ index 677ebad..e39b352 100644
/* can't increase priority */
if (attr->sched_priority > p->rt_priority &&
attr->sched_priority > rlim_rtprio)
-@@ -4727,8 +4733,10 @@ void idle_task_exit(void)
+@@ -4732,8 +4738,10 @@ void idle_task_exit(void)
BUG_ON(cpu_online(smp_processor_id()));
@@ -91967,7 +91950,7 @@ index 677ebad..e39b352 100644
mmdrop(mm);
}
-@@ -4806,7 +4814,7 @@ static void migrate_tasks(unsigned int dead_cpu)
+@@ -4811,7 +4819,7 @@ static void migrate_tasks(unsigned int dead_cpu)
#if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_SYSCTL)
@@ -91976,7 +91959,7 @@ index 677ebad..e39b352 100644
{
.procname = "sched_domain",
.mode = 0555,
-@@ -4823,17 +4831,17 @@ static struct ctl_table sd_ctl_root[] = {
+@@ -4828,17 +4836,17 @@ static struct ctl_table sd_ctl_root[] = {
{}
};
@@ -91998,7 +91981,7 @@ index 677ebad..e39b352 100644
/*
* In the intermediate directories, both the child directory and
-@@ -4841,22 +4849,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep)
+@@ -4846,22 +4854,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep)
* will always be set. In the lowest directory the names are
* static strings and all have proc handlers.
*/
@@ -92030,7 +92013,7 @@ index 677ebad..e39b352 100644
const char *procname, void *data, int maxlen,
umode_t mode, proc_handler *proc_handler,
bool load_idx)
-@@ -4876,7 +4887,7 @@ set_table_entry(struct ctl_table *entry,
+@@ -4881,7 +4892,7 @@ set_table_entry(struct ctl_table *entry,
static struct ctl_table *
sd_alloc_ctl_domain_table(struct sched_domain *sd)
{
@@ -92039,7 +92022,7 @@ index 677ebad..e39b352 100644
if (table == NULL)
return NULL;
-@@ -4911,9 +4922,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd)
+@@ -4916,9 +4927,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd)
return table;
}
@@ -92051,7 +92034,7 @@ index 677ebad..e39b352 100644
struct sched_domain *sd;
int domain_num = 0, i;
char buf[32];
-@@ -4940,11 +4951,13 @@ static struct ctl_table_header *sd_sysctl_header;
+@@ -4945,11 +4956,13 @@ static struct ctl_table_header *sd_sysctl_header;
static void register_sched_domain_sysctl(void)
{
int i, cpu_num = num_possible_cpus();
@@ -92066,7 +92049,7 @@ index 677ebad..e39b352 100644
if (entry == NULL)
return;
-@@ -4967,8 +4980,12 @@ static void unregister_sched_domain_sysctl(void)
+@@ -4972,8 +4985,12 @@ static void unregister_sched_domain_sysctl(void)
if (sd_sysctl_header)
unregister_sysctl_table(sd_sysctl_header);
sd_sysctl_header = NULL;
@@ -93492,6 +93475,46 @@ index e6be585..d73ae5e 100644
return;
local_irq_save(flags);
+diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c
+index 7e3cd7a..5156a5fe 100644
+--- a/kernel/trace/trace_syscalls.c
++++ b/kernel/trace/trace_syscalls.c
+@@ -602,6 +602,8 @@ static int perf_sysenter_enable(struct ftrace_event_call *call)
+ int num;
+
+ num = ((struct syscall_metadata *)call->data)->syscall_nr;
++ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls))
++ return -EINVAL;
+
+ mutex_lock(&syscall_trace_lock);
+ if (!sys_perf_refcount_enter)
+@@ -622,6 +624,8 @@ static void perf_sysenter_disable(struct ftrace_event_call *call)
+ int num;
+
+ num = ((struct syscall_metadata *)call->data)->syscall_nr;
++ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls))
++ return;
+
+ mutex_lock(&syscall_trace_lock);
+ sys_perf_refcount_enter--;
+@@ -674,6 +678,8 @@ static int perf_sysexit_enable(struct ftrace_event_call *call)
+ int num;
+
+ num = ((struct syscall_metadata *)call->data)->syscall_nr;
++ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls))
++ return -EINVAL;
+
+ mutex_lock(&syscall_trace_lock);
+ if (!sys_perf_refcount_exit)
+@@ -694,6 +700,8 @@ static void perf_sysexit_disable(struct ftrace_event_call *call)
+ int num;
+
+ num = ((struct syscall_metadata *)call->data)->syscall_nr;
++ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls))
++ return;
+
+ mutex_lock(&syscall_trace_lock);
+ sys_perf_refcount_exit--;
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 80a57af..7f5a7ff 100644
--- a/kernel/user_namespace.c
@@ -93673,32 +93696,10 @@ index 114d1be..ab0350c 100644
(val << avg->factor)) >> avg->weight :
(val << avg->factor);
diff --git a/lib/bitmap.c b/lib/bitmap.c
-index 06f7e4f..9078e42 100644
+index e5c4ebe..9078e42 100644
--- a/lib/bitmap.c
+++ b/lib/bitmap.c
-@@ -131,7 +131,9 @@ void __bitmap_shift_right(unsigned long *dst,
- lower = src[off + k];
- if (left && off + k == lim - 1)
- lower &= mask;
-- dst[k] = upper << (BITS_PER_LONG - rem) | lower >> rem;
-+ dst[k] = lower >> rem;
-+ if (rem)
-+ dst[k] |= upper << (BITS_PER_LONG - rem);
- if (left && k == lim - 1)
- dst[k] &= mask;
- }
-@@ -172,7 +174,9 @@ void __bitmap_shift_left(unsigned long *dst,
- upper = src[k];
- if (left && k == lim - 1)
- upper &= (1UL << left) - 1;
-- dst[k + off] = lower >> (BITS_PER_LONG - rem) | upper << rem;
-+ dst[k + off] = upper << rem;
-+ if (rem)
-+ dst[k + off] |= lower >> (BITS_PER_LONG - rem);
- if (left && k + off == lim - 1)
- dst[k + off] &= (1UL << left) - 1;
- }
-@@ -422,7 +426,7 @@ int __bitmap_parse(const char *buf, unsigned int buflen,
+@@ -426,7 +426,7 @@ int __bitmap_parse(const char *buf, unsigned int buflen,
{
int c, old_c, totaldigits, ndigits, nchunks, nbits;
u32 chunk;
@@ -93707,7 +93708,7 @@ index 06f7e4f..9078e42 100644
bitmap_zero(maskp, nmaskbits);
-@@ -507,7 +511,7 @@ int bitmap_parse_user(const char __user *ubuf,
+@@ -511,7 +511,7 @@ int bitmap_parse_user(const char __user *ubuf,
{
if (!access_ok(VERIFY_READ, ubuf, ulen))
return -EFAULT;
@@ -93716,7 +93717,7 @@ index 06f7e4f..9078e42 100644
ulen, 1, maskp, nmaskbits);
}
-@@ -598,7 +602,7 @@ static int __bitmap_parselist(const char *buf, unsigned int buflen,
+@@ -602,7 +602,7 @@ static int __bitmap_parselist(const char *buf, unsigned int buflen,
{
unsigned a, b;
int c, old_c, totaldigits;
@@ -93725,7 +93726,7 @@ index 06f7e4f..9078e42 100644
int exp_digit, in_range;
totaldigits = c = 0;
-@@ -698,7 +702,7 @@ int bitmap_parselist_user(const char __user *ubuf,
+@@ -702,7 +702,7 @@ int bitmap_parselist_user(const char __user *ubuf,
{
if (!access_ok(VERIFY_READ, ubuf, ulen))
return -EFAULT;
@@ -94306,33 +94307,10 @@ index 0922579..9d7adb9 100644
#endif
}
diff --git a/lib/string.c b/lib/string.c
-index e5878de..64941b2 100644
+index 43d0781..64941b2 100644
--- a/lib/string.c
+++ b/lib/string.c
-@@ -586,6 +586,22 @@ void *memset(void *s, int c, size_t count)
- EXPORT_SYMBOL(memset);
- #endif
-
-+/**
-+ * memzero_explicit - Fill a region of memory (e.g. sensitive
-+ * keying data) with 0s.
-+ * @s: Pointer to the start of the area.
-+ * @count: The size of the area.
-+ *
-+ * memzero_explicit() doesn't need an arch-specific version as
-+ * it just invokes the one of memset() implicitly.
-+ */
-+void memzero_explicit(void *s, size_t count)
-+{
-+ memset(s, 0, count);
-+ OPTIMIZER_HIDE_VAR(s);
-+}
-+EXPORT_SYMBOL(memzero_explicit);
-+
- #ifndef __HAVE_ARCH_MEMCPY
- /**
- * memcpy - Copy one area of memory to another
-@@ -789,9 +805,9 @@ void *memchr_inv(const void *start, int c, size_t bytes)
+@@ -805,9 +805,9 @@ void *memchr_inv(const void *start, int c, size_t bytes)
return check_bytes8(start, value, bytes);
value64 = value;
@@ -97641,7 +97619,7 @@ index 9f45f87..749bfd8 100644
unsigned long bg_thresh,
unsigned long dirty,
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
-index ff0f6b1..8a67124 100644
+index 7b2611a..4407637 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -61,6 +61,7 @@
@@ -97737,7 +97715,16 @@ index ff0f6b1..8a67124 100644
if (order && (gfp_flags & __GFP_COMP))
prep_compound_page(page, order);
-@@ -2414,7 +2454,7 @@ static void reset_alloc_batches(struct zonelist *zonelist,
+@@ -1957,7 +1997,7 @@ zonelist_scan:
+ if (alloc_flags & ALLOC_FAIR) {
+ if (!zone_local(preferred_zone, zone))
+ continue;
+- if (atomic_long_read(&zone->vm_stat[NR_ALLOC_BATCH]) <= 0)
++ if (atomic_long_read_unchecked(&zone->vm_stat[NR_ALLOC_BATCH]) <= 0)
+ continue;
+ }
+ /*
+@@ -2422,7 +2462,7 @@ static void reset_alloc_batches(struct zonelist *zonelist,
continue;
mod_zone_page_state(zone, NR_ALLOC_BATCH,
high_wmark_pages(zone) - low_wmark_pages(zone) -
@@ -97746,7 +97733,16 @@ index ff0f6b1..8a67124 100644
}
}
-@@ -6606,4 +6646,4 @@ void dump_page(struct page *page, char *reason)
+@@ -5671,7 +5711,7 @@ static void __setup_per_zone_wmarks(void)
+
+ __mod_zone_page_state(zone, NR_ALLOC_BATCH,
+ high_wmark_pages(zone) - low_wmark_pages(zone) -
+- atomic_long_read(&zone->vm_stat[NR_ALLOC_BATCH]));
++ atomic_long_read_unchecked(&zone->vm_stat[NR_ALLOC_BATCH]));
+
+ setup_zone_migrate_reserve(zone);
+ spin_unlock_irqrestore(&zone->lock, flags);
+@@ -6613,4 +6653,4 @@ void dump_page(struct page *page, char *reason)
{
dump_page_badflags(page, reason, 0);
}
@@ -97766,7 +97762,7 @@ index 7c59ef6..1358905 100644
};
diff --git a/mm/percpu.c b/mm/percpu.c
-index 8cd4308..ab22f17 100644
+index a2a54a8..43ecb68 100644
--- a/mm/percpu.c
+++ b/mm/percpu.c
@@ -122,7 +122,7 @@ static unsigned int pcpu_low_unit_cpu __read_mostly;
@@ -100238,8 +100234,325 @@ index b543470..d2ddae2 100644
if (!can_dir) {
printk(KERN_INFO "can: failed to create /proc/net/can . "
+diff --git a/net/ceph/crypto.c b/net/ceph/crypto.c
+index 6e7a236..06f19b9 100644
+--- a/net/ceph/crypto.c
++++ b/net/ceph/crypto.c
+@@ -89,11 +89,82 @@ static struct crypto_blkcipher *ceph_crypto_alloc_cipher(void)
+
+ static const u8 *aes_iv = (u8 *)CEPH_AES_IV;
+
++/*
++ * Should be used for buffers allocated with ceph_kvmalloc().
++ * Currently these are encrypt out-buffer (ceph_buffer) and decrypt
++ * in-buffer (msg front).
++ *
++ * Dispose of @sgt with teardown_sgtable().
++ *
++ * @prealloc_sg is to avoid memory allocation inside sg_alloc_table()
++ * in cases where a single sg is sufficient. No attempt to reduce the
++ * number of sgs by squeezing physically contiguous pages together is
++ * made though, for simplicity.
++ */
++static int setup_sgtable(struct sg_table *sgt, struct scatterlist *prealloc_sg,
++ const void *buf, unsigned int buf_len)
++{
++ struct scatterlist *sg;
++ const bool is_vmalloc = is_vmalloc_addr(buf);
++ unsigned int off = offset_in_page(buf);
++ unsigned int chunk_cnt = 1;
++ unsigned int chunk_len = PAGE_ALIGN(off + buf_len);
++ int i;
++ int ret;
++
++ if (buf_len == 0) {
++ memset(sgt, 0, sizeof(*sgt));
++ return -EINVAL;
++ }
++
++ if (is_vmalloc) {
++ chunk_cnt = chunk_len >> PAGE_SHIFT;
++ chunk_len = PAGE_SIZE;
++ }
++
++ if (chunk_cnt > 1) {
++ ret = sg_alloc_table(sgt, chunk_cnt, GFP_NOFS);
++ if (ret)
++ return ret;
++ } else {
++ WARN_ON(chunk_cnt != 1);
++ sg_init_table(prealloc_sg, 1);
++ sgt->sgl = prealloc_sg;
++ sgt->nents = sgt->orig_nents = 1;
++ }
++
++ for_each_sg(sgt->sgl, sg, sgt->orig_nents, i) {
++ struct page *page;
++ unsigned int len = min(chunk_len - off, buf_len);
++
++ if (is_vmalloc)
++ page = vmalloc_to_page(buf);
++ else
++ page = virt_to_page(buf);
++
++ sg_set_page(sg, page, len, off);
++
++ off = 0;
++ buf += len;
++ buf_len -= len;
++ }
++ WARN_ON(buf_len != 0);
++
++ return 0;
++}
++
++static void teardown_sgtable(struct sg_table *sgt)
++{
++ if (sgt->orig_nents > 1)
++ sg_free_table(sgt);
++}
++
+ static int ceph_aes_encrypt(const void *key, int key_len,
+ void *dst, size_t *dst_len,
+ const void *src, size_t src_len)
+ {
+- struct scatterlist sg_in[2], sg_out[1];
++ struct scatterlist sg_in[2], prealloc_sg;
++ struct sg_table sg_out;
+ struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
+ struct blkcipher_desc desc = { .tfm = tfm, .flags = 0 };
+ int ret;
+@@ -109,16 +180,18 @@ static int ceph_aes_encrypt(const void *key, int key_len,
+
+ *dst_len = src_len + zero_padding;
+
+- crypto_blkcipher_setkey((void *)tfm, key, key_len);
+ sg_init_table(sg_in, 2);
+ sg_set_buf(&sg_in[0], src, src_len);
+ sg_set_buf(&sg_in[1], pad, zero_padding);
+- sg_init_table(sg_out, 1);
+- sg_set_buf(sg_out, dst, *dst_len);
++ ret = setup_sgtable(&sg_out, &prealloc_sg, dst, *dst_len);
++ if (ret)
++ goto out_tfm;
++
++ crypto_blkcipher_setkey((void *)tfm, key, key_len);
+ iv = crypto_blkcipher_crt(tfm)->iv;
+ ivsize = crypto_blkcipher_ivsize(tfm);
+-
+ memcpy(iv, aes_iv, ivsize);
++
+ /*
+ print_hex_dump(KERN_ERR, "enc key: ", DUMP_PREFIX_NONE, 16, 1,
+ key, key_len, 1);
+@@ -127,16 +200,22 @@ static int ceph_aes_encrypt(const void *key, int key_len,
+ print_hex_dump(KERN_ERR, "enc pad: ", DUMP_PREFIX_NONE, 16, 1,
+ pad, zero_padding, 1);
+ */
+- ret = crypto_blkcipher_encrypt(&desc, sg_out, sg_in,
++ ret = crypto_blkcipher_encrypt(&desc, sg_out.sgl, sg_in,
+ src_len + zero_padding);
+- crypto_free_blkcipher(tfm);
+- if (ret < 0)
++ if (ret < 0) {
+ pr_err("ceph_aes_crypt failed %d\n", ret);
++ goto out_sg;
++ }
+ /*
+ print_hex_dump(KERN_ERR, "enc out: ", DUMP_PREFIX_NONE, 16, 1,
+ dst, *dst_len, 1);
+ */
+- return 0;
++
++out_sg:
++ teardown_sgtable(&sg_out);
++out_tfm:
++ crypto_free_blkcipher(tfm);
++ return ret;
+ }
+
+ static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
+@@ -144,7 +223,8 @@ static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
+ const void *src1, size_t src1_len,
+ const void *src2, size_t src2_len)
+ {
+- struct scatterlist sg_in[3], sg_out[1];
++ struct scatterlist sg_in[3], prealloc_sg;
++ struct sg_table sg_out;
+ struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
+ struct blkcipher_desc desc = { .tfm = tfm, .flags = 0 };
+ int ret;
+@@ -160,17 +240,19 @@ static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
+
+ *dst_len = src1_len + src2_len + zero_padding;
+
+- crypto_blkcipher_setkey((void *)tfm, key, key_len);
+ sg_init_table(sg_in, 3);
+ sg_set_buf(&sg_in[0], src1, src1_len);
+ sg_set_buf(&sg_in[1], src2, src2_len);
+ sg_set_buf(&sg_in[2], pad, zero_padding);
+- sg_init_table(sg_out, 1);
+- sg_set_buf(sg_out, dst, *dst_len);
++ ret = setup_sgtable(&sg_out, &prealloc_sg, dst, *dst_len);
++ if (ret)
++ goto out_tfm;
++
++ crypto_blkcipher_setkey((void *)tfm, key, key_len);
+ iv = crypto_blkcipher_crt(tfm)->iv;
+ ivsize = crypto_blkcipher_ivsize(tfm);
+-
+ memcpy(iv, aes_iv, ivsize);
++
+ /*
+ print_hex_dump(KERN_ERR, "enc key: ", DUMP_PREFIX_NONE, 16, 1,
+ key, key_len, 1);
+@@ -181,23 +263,30 @@ static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
+ print_hex_dump(KERN_ERR, "enc pad: ", DUMP_PREFIX_NONE, 16, 1,
+ pad, zero_padding, 1);
+ */
+- ret = crypto_blkcipher_encrypt(&desc, sg_out, sg_in,
++ ret = crypto_blkcipher_encrypt(&desc, sg_out.sgl, sg_in,
+ src1_len + src2_len + zero_padding);
+- crypto_free_blkcipher(tfm);
+- if (ret < 0)
++ if (ret < 0) {
+ pr_err("ceph_aes_crypt2 failed %d\n", ret);
++ goto out_sg;
++ }
+ /*
+ print_hex_dump(KERN_ERR, "enc out: ", DUMP_PREFIX_NONE, 16, 1,
+ dst, *dst_len, 1);
+ */
+- return 0;
++
++out_sg:
++ teardown_sgtable(&sg_out);
++out_tfm:
++ crypto_free_blkcipher(tfm);
++ return ret;
+ }
+
+ static int ceph_aes_decrypt(const void *key, int key_len,
+ void *dst, size_t *dst_len,
+ const void *src, size_t src_len)
+ {
+- struct scatterlist sg_in[1], sg_out[2];
++ struct sg_table sg_in;
++ struct scatterlist sg_out[2], prealloc_sg;
+ struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
+ struct blkcipher_desc desc = { .tfm = tfm };
+ char pad[16];
+@@ -209,16 +298,16 @@ static int ceph_aes_decrypt(const void *key, int key_len,
+ if (IS_ERR(tfm))
+ return PTR_ERR(tfm);
+
+- crypto_blkcipher_setkey((void *)tfm, key, key_len);
+- sg_init_table(sg_in, 1);
+ sg_init_table(sg_out, 2);
+- sg_set_buf(sg_in, src, src_len);
+ sg_set_buf(&sg_out[0], dst, *dst_len);
+ sg_set_buf(&sg_out[1], pad, sizeof(pad));
++ ret = setup_sgtable(&sg_in, &prealloc_sg, src, src_len);
++ if (ret)
++ goto out_tfm;
+
++ crypto_blkcipher_setkey((void *)tfm, key, key_len);
+ iv = crypto_blkcipher_crt(tfm)->iv;
+ ivsize = crypto_blkcipher_ivsize(tfm);
+-
+ memcpy(iv, aes_iv, ivsize);
+
+ /*
+@@ -227,12 +316,10 @@ static int ceph_aes_decrypt(const void *key, int key_len,
+ print_hex_dump(KERN_ERR, "dec in: ", DUMP_PREFIX_NONE, 16, 1,
+ src, src_len, 1);
+ */
+-
+- ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in, src_len);
+- crypto_free_blkcipher(tfm);
++ ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in.sgl, src_len);
+ if (ret < 0) {
+ pr_err("ceph_aes_decrypt failed %d\n", ret);
+- return ret;
++ goto out_sg;
+ }
+
+ if (src_len <= *dst_len)
+@@ -250,7 +337,12 @@ static int ceph_aes_decrypt(const void *key, int key_len,
+ print_hex_dump(KERN_ERR, "dec out: ", DUMP_PREFIX_NONE, 16, 1,
+ dst, *dst_len, 1);
+ */
+- return 0;
++
++out_sg:
++ teardown_sgtable(&sg_in);
++out_tfm:
++ crypto_free_blkcipher(tfm);
++ return ret;
+ }
+
+ static int ceph_aes_decrypt2(const void *key, int key_len,
+@@ -258,7 +350,8 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
+ void *dst2, size_t *dst2_len,
+ const void *src, size_t src_len)
+ {
+- struct scatterlist sg_in[1], sg_out[3];
++ struct sg_table sg_in;
++ struct scatterlist sg_out[3], prealloc_sg;
+ struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
+ struct blkcipher_desc desc = { .tfm = tfm };
+ char pad[16];
+@@ -270,17 +363,17 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
+ if (IS_ERR(tfm))
+ return PTR_ERR(tfm);
+
+- sg_init_table(sg_in, 1);
+- sg_set_buf(sg_in, src, src_len);
+ sg_init_table(sg_out, 3);
+ sg_set_buf(&sg_out[0], dst1, *dst1_len);
+ sg_set_buf(&sg_out[1], dst2, *dst2_len);
+ sg_set_buf(&sg_out[2], pad, sizeof(pad));
++ ret = setup_sgtable(&sg_in, &prealloc_sg, src, src_len);
++ if (ret)
++ goto out_tfm;
+
+ crypto_blkcipher_setkey((void *)tfm, key, key_len);
+ iv = crypto_blkcipher_crt(tfm)->iv;
+ ivsize = crypto_blkcipher_ivsize(tfm);
+-
+ memcpy(iv, aes_iv, ivsize);
+
+ /*
+@@ -289,12 +382,10 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
+ print_hex_dump(KERN_ERR, "dec in: ", DUMP_PREFIX_NONE, 16, 1,
+ src, src_len, 1);
+ */
+-
+- ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in, src_len);
+- crypto_free_blkcipher(tfm);
++ ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in.sgl, src_len);
+ if (ret < 0) {
+ pr_err("ceph_aes_decrypt failed %d\n", ret);
+- return ret;
++ goto out_sg;
+ }
+
+ if (src_len <= *dst1_len)
+@@ -324,7 +415,11 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
+ dst2, *dst2_len, 1);
+ */
+
+- return 0;
++out_sg:
++ teardown_sgtable(&sg_in);
++out_tfm:
++ crypto_free_blkcipher(tfm);
++ return ret;
+ }
+
+
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
-index 0a31298..241da43 100644
+index 2e87eec..6301eb0 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -187,7 +187,7 @@ static void con_fault(struct ceph_connection *con);
@@ -100489,7 +100802,7 @@ index 3ed11a5..c177c8f 100644
}
EXPORT_SYMBOL(dev_get_stats);
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
-index cf999e0..c59a975 100644
+index cf999e0..c59a9754 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -366,9 +366,13 @@ void dev_load(struct net *net, const char *name)
@@ -101379,7 +101692,7 @@ index c7539e2..b455e51 100644
break;
case NETDEV_DOWN:
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
-index 9d43468..ffa28cc 100644
+index 017fa5e..d61ebac 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -767,7 +767,7 @@ __be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh)
@@ -101392,7 +101705,7 @@ index 9d43468..ffa28cc 100644
return nh->nh_saddr;
}
diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c
-index 2d24f29..70fee98 100644
+index 8c8493e..d5214a4 100644
--- a/net/ipv4/gre_offload.c
+++ b/net/ipv4/gre_offload.c
@@ -56,13 +56,13 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb,
@@ -101575,43 +101888,6 @@ index 3d4da2c..40f9c29 100644
icmp_send(skb, ICMP_DEST_UNREACH,
ICMP_PROT_UNREACH, 0);
}
-diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
-index ed88d78..844323b 100644
---- a/net/ipv4/ip_output.c
-+++ b/net/ipv4/ip_output.c
-@@ -1487,6 +1487,7 @@ void ip_send_unicast_reply(struct net *net, struct sk_buff *skb, __be32 daddr,
- struct sk_buff *nskb;
- struct sock *sk;
- struct inet_sock *inet;
-+ int err;
-
- if (ip_options_echo(&replyopts.opt.opt, skb))
- return;
-@@ -1525,8 +1526,13 @@ void ip_send_unicast_reply(struct net *net, struct sk_buff *skb, __be32 daddr,
- sock_net_set(sk, net);
- __skb_queue_head_init(&sk->sk_write_queue);
- sk->sk_sndbuf = sysctl_wmem_default;
-- ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base, len, 0,
-- &ipc, &rt, MSG_DONTWAIT);
-+ err = ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base,
-+ len, 0, &ipc, &rt, MSG_DONTWAIT);
-+ if (unlikely(err)) {
-+ ip_flush_pending_frames(sk);
-+ goto out;
-+ }
-+
- nskb = skb_peek(&sk->sk_write_queue);
- if (nskb) {
- if (arg->csumoffset >= 0)
-@@ -1538,7 +1544,7 @@ void ip_send_unicast_reply(struct net *net, struct sk_buff *skb, __be32 daddr,
- skb_set_queue_mapping(nskb, skb_get_queue_mapping(skb));
- ip_push_pending_frames(sk, &fl4);
- }
--
-+out:
- put_cpu_var(unicast_sock);
-
- ip_rt_put(rt);
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 580dd96..9fcef7e 100644
--- a/net/ipv4/ip_sockglue.c
@@ -101635,24 +101911,6 @@ index 580dd96..9fcef7e 100644
msg.msg_controllen = len;
msg.msg_flags = flags;
-diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
-index 65b664d..791a419 100644
---- a/net/ipv4/ip_tunnel_core.c
-+++ b/net/ipv4/ip_tunnel_core.c
-@@ -91,11 +91,12 @@ int iptunnel_pull_header(struct sk_buff *skb, int hdr_len, __be16 inner_proto)
- skb_pull_rcsum(skb, hdr_len);
-
- if (inner_proto == htons(ETH_P_TEB)) {
-- struct ethhdr *eh = (struct ethhdr *)skb->data;
-+ struct ethhdr *eh;
-
- if (unlikely(!pskb_may_pull(skb, ETH_HLEN)))
- return -ENOMEM;
-
-+ eh = (struct ethhdr *)skb->data;
- if (likely(ntohs(eh->h_proto) >= ETH_P_802_3_MIN))
- skb->protocol = eh->h_proto;
- else
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index e4a8f76..dd8ad72 100644
--- a/net/ipv4/ip_vti.c
@@ -103683,7 +103941,7 @@ index d478b88..8c8d157 100644
suspend:
diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
-index 22b223f..ab70070 100644
+index 74350c3..512e9f5 100644
--- a/net/mac80211/rate.c
+++ b/net/mac80211/rate.c
@@ -734,7 +734,7 @@ int ieee80211_init_rate_ctrl_alg(struct ieee80211_local *local,
@@ -104326,7 +104584,7 @@ index 11de55e..f25e448 100644
return 0;
}
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index c375d73..d4abd23 100644
+index 7c177bc..d4abd23 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -257,7 +257,7 @@ static void netlink_overrun(struct sock *sk)
@@ -104338,15 +104596,6 @@ index c375d73..d4abd23 100644
}
static void netlink_rcv_wake(struct sock *sk)
-@@ -707,7 +707,7 @@ static int netlink_mmap_sendmsg(struct sock *sk, struct msghdr *msg,
- * after validation, the socket and the ring may only be used by a
- * single process, otherwise we fall back to copying.
- */
-- if (atomic_long_read(&sk->sk_socket->file->f_count) > 2 ||
-+ if (atomic_long_read(&sk->sk_socket->file->f_count) > 1 ||
- atomic_read(&nlk->mapped) > 1)
- excl = false;
-
@@ -3003,7 +3003,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
sk_wmem_alloc_get(s),
nlk->cb_running,
@@ -104964,6 +105213,87 @@ index f226709..0e735a8 100644
_proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
+diff --git a/net/sctp/associola.c b/net/sctp/associola.c
+index 5d97d8f..d477d47 100644
+--- a/net/sctp/associola.c
++++ b/net/sctp/associola.c
+@@ -1627,6 +1627,8 @@ struct sctp_chunk *sctp_assoc_lookup_asconf_ack(
+ * ack chunk whose serial number matches that of the request.
+ */
+ list_for_each_entry(ack, &asoc->asconf_ack_list, transmitted_list) {
++ if (sctp_chunk_pending(ack))
++ continue;
+ if (ack->subh.addip_hdr->serial == serial) {
+ sctp_chunk_hold(ack);
+ return ack;
+diff --git a/net/sctp/auth.c b/net/sctp/auth.c
+index 0e85291..fb7976a 100644
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -862,8 +862,6 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
+ list_add(&cur_key->key_list, sh_keys);
+
+ cur_key->key = key;
+- sctp_auth_key_hold(key);
+-
+ return 0;
+ nomem:
+ if (!replace)
+diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
+index 4de12af..7e8a16c 100644
+--- a/net/sctp/inqueue.c
++++ b/net/sctp/inqueue.c
+@@ -140,18 +140,9 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
+ } else {
+ /* Nothing to do. Next chunk in the packet, please. */
+ ch = (sctp_chunkhdr_t *) chunk->chunk_end;
+-
+ /* Force chunk->skb->data to chunk->chunk_end. */
+- skb_pull(chunk->skb,
+- chunk->chunk_end - chunk->skb->data);
+-
+- /* Verify that we have at least chunk headers
+- * worth of buffer left.
+- */
+- if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) {
+- sctp_chunk_free(chunk);
+- chunk = queue->in_progress = NULL;
+- }
++ skb_pull(chunk->skb, chunk->chunk_end - chunk->skb->data);
++ /* We are guaranteed to pull a SCTP header. */
+ }
+ }
+
+@@ -187,24 +178,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
+ skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t));
+ chunk->subh.v = NULL; /* Subheader is no longer valid. */
+
+- if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) {
++ if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) <
++ skb_tail_pointer(chunk->skb)) {
+ /* This is not a singleton */
+ chunk->singleton = 0;
+ } else if (chunk->chunk_end > skb_tail_pointer(chunk->skb)) {
+- /* RFC 2960, Section 6.10 Bundling
+- *
+- * Partial chunks MUST NOT be placed in an SCTP packet.
+- * If the receiver detects a partial chunk, it MUST drop
+- * the chunk.
+- *
+- * Since the end of the chunk is past the end of our buffer
+- * (which contains the whole packet, we can freely discard
+- * the whole packet.
+- */
+- sctp_chunk_free(chunk);
+- chunk = queue->in_progress = NULL;
+-
+- return NULL;
++ /* Discard inside state machine. */
++ chunk->pdiscard = 1;
++ chunk->chunk_end = skb_tail_pointer(chunk->skb);
+ } else {
+ /* We are at the end of the packet, so mark the chunk
+ * in case we need to send a SACK.
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 2b1738e..a9d0fc9 100644
--- a/net/sctp/ipv6.c
@@ -105038,6 +105368,182 @@ index a62a215..0976540 100644
}
static int sctp_v4_protosw_init(void)
+diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
+index fee5552..43abb64 100644
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -2609,6 +2609,9 @@ do_addr_param:
+ addr_param = param.v + sizeof(sctp_addip_param_t);
+
+ af = sctp_get_af_specific(param_type2af(param.p->type));
++ if (af == NULL)
++ break;
++
+ af->from_addr_param(&addr, addr_param,
+ htons(asoc->peer.port), 0);
+
+@@ -3110,50 +3113,63 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
+ return SCTP_ERROR_NO_ERROR;
+ }
+
+-/* Verify the ASCONF packet before we process it. */
+-int sctp_verify_asconf(const struct sctp_association *asoc,
+- struct sctp_paramhdr *param_hdr, void *chunk_end,
+- struct sctp_paramhdr **errp) {
+- sctp_addip_param_t *asconf_param;
++/* Verify the ASCONF packet before we process it. */
++bool sctp_verify_asconf(const struct sctp_association *asoc,
++ struct sctp_chunk *chunk, bool addr_param_needed,
++ struct sctp_paramhdr **errp)
++{
++ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) chunk->chunk_hdr;
+ union sctp_params param;
+- int length, plen;
++ bool addr_param_seen = false;
++
++ sctp_walk_params(param, addip, addip_hdr.params) {
++ size_t length = ntohs(param.p->length);
+
+- param.v = (sctp_paramhdr_t *) param_hdr;
+- while (param.v <= chunk_end - sizeof(sctp_paramhdr_t)) {
+- length = ntohs(param.p->length);
+ *errp = param.p;
+-
+- if (param.v > chunk_end - length ||
+- length < sizeof(sctp_paramhdr_t))
+- return 0;
+-
+ switch (param.p->type) {
++ case SCTP_PARAM_ERR_CAUSE:
++ break;
++ case SCTP_PARAM_IPV4_ADDRESS:
++ if (length != sizeof(sctp_ipv4addr_param_t))
++ return false;
++ addr_param_seen = true;
++ break;
++ case SCTP_PARAM_IPV6_ADDRESS:
++ if (length != sizeof(sctp_ipv6addr_param_t))
++ return false;
++ addr_param_seen = true;
++ break;
+ case SCTP_PARAM_ADD_IP:
+ case SCTP_PARAM_DEL_IP:
+ case SCTP_PARAM_SET_PRIMARY:
+- asconf_param = (sctp_addip_param_t *)param.v;
+- plen = ntohs(asconf_param->param_hdr.length);
+- if (plen < sizeof(sctp_addip_param_t) +
+- sizeof(sctp_paramhdr_t))
+- return 0;
++ /* In ASCONF chunks, these need to be first. */
++ if (addr_param_needed && !addr_param_seen)
++ return false;
++ length = ntohs(param.addip->param_hdr.length);
++ if (length < sizeof(sctp_addip_param_t) +
++ sizeof(sctp_paramhdr_t))
++ return false;
+ break;
+ case SCTP_PARAM_SUCCESS_REPORT:
+ case SCTP_PARAM_ADAPTATION_LAYER_IND:
+ if (length != sizeof(sctp_addip_param_t))
+- return 0;
+-
++ return false;
+ break;
+ default:
+- break;
++ /* This is unkown to us, reject! */
++ return false;
+ }
+-
+- param.v += WORD_ROUND(length);
+ }
+
+- if (param.v != chunk_end)
+- return 0;
++ /* Remaining sanity checks. */
++ if (addr_param_needed && !addr_param_seen)
++ return false;
++ if (!addr_param_needed && addr_param_seen)
++ return false;
++ if (param.v != chunk->chunk_end)
++ return false;
+
+- return 1;
++ return true;
+ }
+
+ /* Process an incoming ASCONF chunk with the next expected serial no. and
+@@ -3162,16 +3178,17 @@ int sctp_verify_asconf(const struct sctp_association *asoc,
+ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
+ struct sctp_chunk *asconf)
+ {
++ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) asconf->chunk_hdr;
++ bool all_param_pass = true;
++ union sctp_params param;
+ sctp_addiphdr_t *hdr;
+ union sctp_addr_param *addr_param;
+ sctp_addip_param_t *asconf_param;
+ struct sctp_chunk *asconf_ack;
+-
+ __be16 err_code;
+ int length = 0;
+ int chunk_len;
+ __u32 serial;
+- int all_param_pass = 1;
+
+ chunk_len = ntohs(asconf->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
+ hdr = (sctp_addiphdr_t *)asconf->skb->data;
+@@ -3199,9 +3216,14 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
+ goto done;
+
+ /* Process the TLVs contained within the ASCONF chunk. */
+- while (chunk_len > 0) {
++ sctp_walk_params(param, addip, addip_hdr.params) {
++ /* Skip preceeding address parameters. */
++ if (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
++ param.p->type == SCTP_PARAM_IPV6_ADDRESS)
++ continue;
++
+ err_code = sctp_process_asconf_param(asoc, asconf,
+- asconf_param);
++ param.addip);
+ /* ADDIP 4.1 A7)
+ * If an error response is received for a TLV parameter,
+ * all TLVs with no response before the failed TLV are
+@@ -3209,28 +3231,20 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
+ * the failed response are considered unsuccessful unless
+ * a specific success indication is present for the parameter.
+ */
+- if (SCTP_ERROR_NO_ERROR != err_code)
+- all_param_pass = 0;
+-
++ if (err_code != SCTP_ERROR_NO_ERROR)
++ all_param_pass = false;
+ if (!all_param_pass)
+- sctp_add_asconf_response(asconf_ack,
+- asconf_param->crr_id, err_code,
+- asconf_param);
++ sctp_add_asconf_response(asconf_ack, param.addip->crr_id,
++ err_code, param.addip);
+
+ /* ADDIP 4.3 D11) When an endpoint receiving an ASCONF to add
+ * an IP address sends an 'Out of Resource' in its response, it
+ * MUST also fail any subsequent add or delete requests bundled
+ * in the ASCONF.
+ */
+- if (SCTP_ERROR_RSRC_LOW == err_code)
++ if (err_code == SCTP_ERROR_RSRC_LOW)
+ goto done;
+-
+- /* Move to the next ASCONF param. */
+- length = ntohs(asconf_param->param_hdr.length);
+- asconf_param = (void *)asconf_param + length;
+- chunk_len -= length;
+ }
+-
+ done:
+ asoc->peer.addip_serial++;
+
diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index fef2acd..c705c4f 100644
--- a/net/sctp/sm_sideeffect.c
@@ -105051,6 +105557,61 @@ index fef2acd..c705c4f 100644
NULL,
sctp_generate_t1_cookie_event,
sctp_generate_t1_init_event,
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index 7194fe85..3e287a3 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -170,6 +170,9 @@ sctp_chunk_length_valid(struct sctp_chunk *chunk,
+ {
+ __u16 chunk_length = ntohs(chunk->chunk_hdr->length);
+
++ /* Previously already marked? */
++ if (unlikely(chunk->pdiscard))
++ return 0;
+ if (unlikely(chunk_length < required_length))
+ return 0;
+
+@@ -3591,9 +3594,7 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net,
+ struct sctp_chunk *asconf_ack = NULL;
+ struct sctp_paramhdr *err_param = NULL;
+ sctp_addiphdr_t *hdr;
+- union sctp_addr_param *addr_param;
+ __u32 serial;
+- int length;
+
+ if (!sctp_vtag_verify(chunk, asoc)) {
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
+@@ -3618,17 +3619,8 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net,
+ hdr = (sctp_addiphdr_t *)chunk->skb->data;
+ serial = ntohl(hdr->serial);
+
+- addr_param = (union sctp_addr_param *)hdr->params;
+- length = ntohs(addr_param->p.length);
+- if (length < sizeof(sctp_paramhdr_t))
+- return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
+- (void *)addr_param, commands);
+-
+ /* Verify the ASCONF chunk before processing it. */
+- if (!sctp_verify_asconf(asoc,
+- (sctp_paramhdr_t *)((void *)addr_param + length),
+- (void *)chunk->chunk_end,
+- &err_param))
++ if (!sctp_verify_asconf(asoc, chunk, true, &err_param))
+ return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
+ (void *)err_param, commands);
+
+@@ -3745,10 +3737,7 @@ sctp_disposition_t sctp_sf_do_asconf_ack(struct net *net,
+ rcvd_serial = ntohl(addip_hdr->serial);
+
+ /* Verify the ASCONF-ACK chunk before processing it. */
+- if (!sctp_verify_asconf(asoc,
+- (sctp_paramhdr_t *)addip_hdr->params,
+- (void *)asconf_ack->chunk_end,
+- &err_param))
++ if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param))
+ return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
+ (void *)err_param, commands);
+
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 604a6ac..f87f0a3 100644
--- a/net/sctp/socket.c
@@ -105508,10 +106069,10 @@ index ae333c1..18521f0 100644
goto out_nomem;
cd->u.procfs.channel_ent = NULL;
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
-index 3ea5cda..bfb3e08 100644
+index 5ff8b87..35af642 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
-@@ -1415,7 +1415,9 @@ call_start(struct rpc_task *task)
+@@ -1418,7 +1418,9 @@ call_start(struct rpc_task *task)
(RPC_IS_ASYNC(task) ? "async" : "sync"));
/* Increment call count */
@@ -106698,6 +107259,45 @@ index 152d4d2..791684c 100644
destdir=$kernel_headers_dir/usr/src/linux-headers-$version
mkdir -p "$destdir"
(cd $srctree; tar -c -f - -T "$objtree/debian/hdrsrcfiles") | (cd $destdir; tar -xf -)
+diff --git a/scripts/package/mkspec b/scripts/package/mkspec
+index 1395760..e4f4ac4 100755
+--- a/scripts/package/mkspec
++++ b/scripts/package/mkspec
+@@ -82,6 +82,16 @@ echo ""
+ fi
+
+ echo "%install"
++echo 'chmod -f 0500 /boot'
++echo 'if [ -d /lib/modules ]; then'
++echo 'chmod -f 0500 /lib/modules'
++echo 'fi'
++echo 'if [ -d /lib32/modules ]; then'
++echo 'chmod -f 0500 /lib32/modules'
++echo 'fi'
++echo 'if [ -d /lib64/modules ]; then'
++echo 'chmod -f 0500 /lib64/modules'
++echo 'fi'
+ echo 'KBUILD_IMAGE=$(make image_name)'
+ echo "%ifarch ia64"
+ echo 'mkdir -p $RPM_BUILD_ROOT/boot/efi $RPM_BUILD_ROOT/lib/modules'
+@@ -139,7 +149,7 @@ echo "rm -f /boot/vmlinuz-$KERNELRELEASE-rpm /boot/System.map-$KERNELRELEASE-rpm
+ echo "fi"
+ echo ""
+ echo "%files"
+-echo '%defattr (-, root, root)'
++echo '%defattr (400, root, root, 500)'
+ echo "%dir /lib/modules"
+ echo "/lib/modules/$KERNELRELEASE"
+ echo "%exclude /lib/modules/$KERNELRELEASE/build"
+@@ -152,7 +162,7 @@ echo '%defattr (-, root, root)'
+ echo "/usr/include"
+ echo ""
+ echo "%files devel"
+-echo '%defattr (-, root, root)'
++echo '%defattr (400, root, root, 500)'
+ echo "/usr/src/kernels/$KERNELRELEASE"
+ echo "/lib/modules/$KERNELRELEASE/build"
+ echo "/lib/modules/$KERNELRELEASE/source"
diff --git a/scripts/pnmtologo.c b/scripts/pnmtologo.c
index 68bb4ef..2f419e1 100644
--- a/scripts/pnmtologo.c
@@ -108094,7 +108694,7 @@ index fc3e662..7844c60 100644
lock = &avc_cache.slots_lock[hvalue];
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index e294b86..4fc9b7f 100644
+index 47b5c69..4fc9b7f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -95,8 +95,6 @@
@@ -108106,22 +108706,6 @@ index e294b86..4fc9b7f 100644
/* SECMARK reference count */
static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
-@@ -470,6 +468,7 @@ next_inode:
- list_entry(sbsec->isec_head.next,
- struct inode_security_struct, list);
- struct inode *inode = isec->inode;
-+ list_del_init(&isec->list);
- spin_unlock(&sbsec->isec_lock);
- inode = igrab(inode);
- if (inode) {
-@@ -478,7 +477,6 @@ next_inode:
- iput(inode);
- }
- spin_lock(&sbsec->isec_lock);
-- list_del_init(&isec->list);
- goto next_inode;
- }
- spin_unlock(&sbsec->isec_lock);
@@ -5759,7 +5757,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
#endif
@@ -108524,7 +109108,7 @@ index 4c1cc51..16040040 100644
}
} else if (runtime->access == SNDRV_PCM_ACCESS_RW_NONINTERLEAVED) {
diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c
-index af49721..e85058e 100644
+index c4ac3c1..5266261 100644
--- a/sound/core/pcm_compat.c
+++ b/sound/core/pcm_compat.c
@@ -31,7 +31,7 @@ static int snd_pcm_ioctl_delay_compat(struct snd_pcm_substream *substream,
@@ -116884,10 +117468,10 @@ index 0000000..4378111
+}
diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
new file mode 100644
-index 0000000..2f37382
+index 0000000..d14887a6
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
-@@ -0,0 +1,5996 @@
+@@ -0,0 +1,6033 @@
+intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL
+ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL
+storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL
@@ -117254,6 +117838,7 @@ index 0000000..2f37382
+userspace_status_4004 userspace_status 4 4004 NULL
+xfs_check_block_4005 xfs_check_block 4 4005 NULL nohasharray
+mei_write_4005 mei_write 3 4005 &xfs_check_block_4005
++gfs2_dir_get_existing_buffer_4007 gfs2_dir_get_existing_buffer 0 4007 NULL
+snd_hdsp_capture_copy_4011 snd_hdsp_capture_copy 5 4011 NULL
+blk_end_request_4024 blk_end_request 3 4024 NULL
+ext4_xattr_find_entry_4025 ext4_xattr_find_entry 0 4025 NULL
@@ -117261,6 +117846,7 @@ index 0000000..2f37382
+mtip_hw_read_registers_4037 mtip_hw_read_registers 3 4037 NULL
+read_file_queues_4078 read_file_queues 3 4078 NULL
+fbcon_do_set_font_4079 fbcon_do_set_font 2-3 4079 NULL
++C_SYSC_rt_sigpending_4114 C_SYSC_rt_sigpending 2 4114 NULL
+tm6000_read_4151 tm6000_read 3 4151 NULL
+mpt_raid_phys_disk_get_num_paths_4155 mpt_raid_phys_disk_get_num_paths 0 4155 NULL
+msg_bits_4158 msg_bits 0-3-4 4158 NULL
@@ -117401,6 +117987,7 @@ index 0000000..2f37382
+ll_statahead_one_5962 ll_statahead_one 3 5962 NULL
+__apu_get_register_5967 __apu_get_register 0 5967 NULL
+ieee80211_if_fmt_rc_rateidx_mask_5ghz_5971 ieee80211_if_fmt_rc_rateidx_mask_5ghz 3 5971 NULL
++SyS_semop_5980 SyS_semop 3 5980 NULL
+alloc_msg_6072 alloc_msg 1 6072 NULL
+sctp_setsockopt_connectx_6073 sctp_setsockopt_connectx 3 6073 NULL
+rts51x_ms_rw_multi_sector_6076 rts51x_ms_rw_multi_sector 3-4 6076 NULL
@@ -117432,6 +118019,7 @@ index 0000000..2f37382
+mei_dbgfs_read_devstate_6352 mei_dbgfs_read_devstate 3 6352 NULL
+_proc_do_string_6376 _proc_do_string 2 6376 NULL
+osd_req_read_sg_kern_6378 osd_req_read_sg_kern 5 6378 NULL
++gfs2_dir_read_stuffed_6380 gfs2_dir_read_stuffed 3 6380 NULL
+xfs_bmap_extents_to_btree_6387 xfs_bmap_extents_to_btree 0 6387 NULL
+posix_acl_fix_xattr_userns_6420 posix_acl_fix_xattr_userns 4 6420 NULL
+add_transaction_credits_6422 add_transaction_credits 2-3 6422 NULL
@@ -117449,6 +118037,7 @@ index 0000000..2f37382
+SyS_semtimedop_6563 SyS_semtimedop 3 6563 NULL
+xfs_iozero_6573 xfs_iozero 0 6573 NULL
+ecryptfs_filldir_6622 ecryptfs_filldir 3 6622 NULL
++xfs_do_div_6649 xfs_do_div 0-2 6649 NULL
+process_rcvd_data_6679 process_rcvd_data 3 6679 NULL
+btrfs_lookup_csums_range_6696 btrfs_lookup_csums_range 2-3 6696 NULL
+ps_pspoll_max_apturn_read_6699 ps_pspoll_max_apturn_read 3 6699 NULL
@@ -117479,6 +118068,7 @@ index 0000000..2f37382
+acm_alloc_minor_6911 acm_alloc_minor 0 6911 &spi_show_regs_6911
+__kfifo_dma_in_finish_r_6913 __kfifo_dma_in_finish_r 2-3 6913 NULL
+lops_scan_elements_6916 lops_scan_elements 0 6916 NULL
++do_msgrcv_6921 do_msgrcv 3 6921 NULL
+cache_do_downcall_6926 cache_do_downcall 3 6926 NULL
+ipath_verbs_send_dma_6929 ipath_verbs_send_dma 6 6929 NULL
+qsfp_cks_6945 qsfp_cks 2-0 6945 NULL
@@ -117572,6 +118162,7 @@ index 0000000..2f37382
+qla4xxx_post_ping_evt_work_8074 qla4xxx_post_ping_evt_work 4 8074 NULL
+venus_lookup_8121 venus_lookup 4 8121 NULL
+ieee80211_if_fmt_num_buffered_multicast_8127 ieee80211_if_fmt_num_buffered_multicast 3 8127 NULL
++xfs_file_fallocate_8150 xfs_file_fallocate 3-4 8150 NULL
+__sk_mem_schedule_8185 __sk_mem_schedule 2 8185 NULL
+ieee80211_if_fmt_dot11MeshHoldingTimeout_8187 ieee80211_if_fmt_dot11MeshHoldingTimeout 3 8187 NULL
+recent_mt_proc_write_8206 recent_mt_proc_write 3 8206 NULL
@@ -118063,6 +118654,7 @@ index 0000000..2f37382
+biovec_create_pool_13079 biovec_create_pool 2 13079 NULL
+xattr_getsecurity_13090 xattr_getsecurity 0 13090 NULL
+ttm_dma_pool_alloc_new_pages_13105 ttm_dma_pool_alloc_new_pages 3 13105 NULL
++SyS_msgrcv_13109 SyS_msgrcv 3 13109 NULL
+snd_rme96_playback_copy_13111 snd_rme96_playback_copy 5 13111 NULL
+bfad_debugfs_read_13119 bfad_debugfs_read 3 13119 NULL
+blk_update_request_13146 blk_update_request 3 13146 NULL
@@ -118102,6 +118694,7 @@ index 0000000..2f37382
+sb_init_dio_done_wq_13482 sb_init_dio_done_wq 0 13482 NULL
+data_read_13494 data_read 3 13494 NULL
+ioat_chansts_32_13506 ioat_chansts_32 0 13506 NULL
++ocfs2_align_bytes_to_blocks_13512 ocfs2_align_bytes_to_blocks 0-2 13512 NULL
+core_status_13515 core_status 4 13515 NULL
+smk_write_mapped_13519 smk_write_mapped 3 13519 NULL
+bm_init_13529 bm_init 2 13529 NULL
@@ -118118,6 +118711,7 @@ index 0000000..2f37382
+blk_msg_write_13655 blk_msg_write 3 13655 NULL
+cache_downcall_13666 cache_downcall 3 13666 NULL
+ext3_xattr_list_entries_13682 ext3_xattr_list_entries 0 13682 NULL
++nv94_aux_13689 nv94_aux 2-5 13689 NULL
+usb_get_string_13693 usb_get_string 0 13693 NULL
+fw_iso_buffer_alloc_13704 fw_iso_buffer_alloc 2 13704 NULL
+audit_unpack_string_13748 audit_unpack_string 3 13748 NULL
@@ -118266,6 +118860,7 @@ index 0000000..2f37382
+smscore_load_firmware_family2_15086 smscore_load_firmware_family2 3 15086 NULL
+xfs_btree_insrec_15090 xfs_btree_insrec 0 15090 NULL
+btrfs_readpage_15094 btrfs_readpage 0 15094 NULL
++compat_SyS_pwritev_15118 compat_SyS_pwritev 3 15118 NULL
+hex_dump_to_buffer_15121 hex_dump_to_buffer 6 15121 NULL
+start_port_15124 start_port 0 15124 NULL
+ipwireless_ppp_mru_15153 ipwireless_ppp_mru 0 15153 NULL
@@ -118598,6 +119193,7 @@ index 0000000..2f37382
+ffs_epfile_read_18775 ffs_epfile_read 3 18775 NULL
+SyS_lsetxattr_18776 SyS_lsetxattr 4 18776 NULL
+alloc_fcdev_18780 alloc_fcdev 1 18780 NULL
++prealloc_18800 prealloc 0 18800 NULL
+dm_stats_print_18815 dm_stats_print 7 18815 NULL
+sys_modify_ldt_18824 sys_modify_ldt 3 18824 NULL
+mtf_test_write_18844 mtf_test_write 3 18844 NULL
@@ -118831,6 +119427,7 @@ index 0000000..2f37382
+use_debug_keys_read_21251 use_debug_keys_read 3 21251 NULL
+fru_length_21257 fru_length 0 21257 NULL
+rtw_set_wps_beacon_21262 rtw_set_wps_beacon 3 21262 NULL
++ocfs2_blocks_for_bytes_21268 ocfs2_blocks_for_bytes 0-2 21268 NULL
+xfs_alloc_ag_vextent_size_21276 xfs_alloc_ag_vextent_size 0 21276 NULL
+do_msg_fill_21307 do_msg_fill 3 21307 NULL
+add_res_range_21310 add_res_range 4 21310 NULL
@@ -118865,6 +119462,7 @@ index 0000000..2f37382
+ocfs2_acl_from_xattr_21604 ocfs2_acl_from_xattr 2 21604 NULL
+filemap_get_page_21606 filemap_get_page 2 21606 NULL
+gfs2_glock_nq_init_21624 gfs2_glock_nq_init 0 21624 NULL
++ocfs2_refcount_cow_hunk_21630 ocfs2_refcount_cow_hunk 3-4 21630 NULL
+__jfs_getxattr_21631 __jfs_getxattr 0 21631 NULL
+atalk_sendmsg_21677 atalk_sendmsg 4 21677 NULL
+ocfs2_xattr_get_nolock_21678 ocfs2_xattr_get_nolock 0 21678 NULL
@@ -118922,6 +119520,7 @@ index 0000000..2f37382
+mesh_table_alloc_22305 mesh_table_alloc 1 22305 NULL
+lov_setstripe_22307 lov_setstripe 2 22307 NULL
+udpv6_sendmsg_22316 udpv6_sendmsg 4 22316 NULL
++C_SYSC_msgrcv_22320 C_SYSC_msgrcv 3 22320 NULL
+atomic_read_22342 atomic_read 0 22342 NULL
+ll_lazystatfs_seq_write_22353 ll_lazystatfs_seq_write 3 22353 NULL
+snd_pcm_alsa_frames_22363 snd_pcm_alsa_frames 2 22363 NULL
@@ -118946,6 +119545,7 @@ index 0000000..2f37382
+wl1271_rx_filter_get_fields_size_22638 wl1271_rx_filter_get_fields_size 0 22638 NULL
+pwr_wake_on_timer_exp_read_22640 pwr_wake_on_timer_exp_read 3 22640 NULL
+iwl_dbgfs_calib_disabled_read_22649 iwl_dbgfs_calib_disabled_read 3 22649 NULL
++compat_SyS_msgrcv_22661 compat_SyS_msgrcv 3 22661 NULL
+ext4_ext_direct_IO_22679 ext4_ext_direct_IO 4 22679 NULL
+l2tp_ip_recvmsg_22681 l2tp_ip_recvmsg 4 22681 NULL
+bch_dump_read_22685 bch_dump_read 3 22685 NULL
@@ -118983,7 +119583,7 @@ index 0000000..2f37382
+remote_settings_file_write_22987 remote_settings_file_write 3 22987 NULL
+viafb_dvp0_proc_write_23023 viafb_dvp0_proc_write 3 23023 NULL
+cifs_local_to_utf16_bytes_23025 cifs_local_to_utf16_bytes 0 23025 NULL
-+ocfs2_refcount_cow_xattr_23029 ocfs2_refcount_cow_xattr 0 23029 NULL
++ocfs2_refcount_cow_xattr_23029 ocfs2_refcount_cow_xattr 0-6-7 23029 NULL
+st_status_23032 st_status 5 23032 NULL
+nv50_disp_chan_create__23056 nv50_disp_chan_create_ 5 23056 NULL
+comedi_buf_write_n_available_23057 comedi_buf_write_n_available 0 23057 NULL
@@ -119120,6 +119720,7 @@ index 0000000..2f37382
+reserve_metadata_bytes_24313 reserve_metadata_bytes 0 24313 NULL
+ath6kl_add_bss_if_needed_24317 ath6kl_add_bss_if_needed 6 24317 NULL
+si476x_radio_read_acf_blob_24336 si476x_radio_read_acf_blob 3 24336 NULL
++C_SYSC_pwritev_24345 C_SYSC_pwritev 3 24345 NULL
+prepare_pages_24349 prepare_pages 0 24349 NULL
+kzalloc_node_24352 kzalloc_node 1 24352 NULL
+qla2x00_handle_queue_full_24365 qla2x00_handle_queue_full 2 24365 NULL
@@ -119166,6 +119767,7 @@ index 0000000..2f37382
+simple_attr_read_24738 simple_attr_read 3 24738 NULL
+qla2x00_change_queue_depth_24742 qla2x00_change_queue_depth 2 24742 NULL
+get_dma_residue_24749 get_dma_residue 0 24749 NULL
++ocfs2_cow_file_pos_24751 ocfs2_cow_file_pos 3 24751 NULL
+kgdb_hex2mem_24755 kgdb_hex2mem 3 24755 NULL
+ocfs2_read_blocks_24777 ocfs2_read_blocks 0 24777 NULL
+datablob_hmac_verify_24786 datablob_hmac_verify 4 24786 NULL
@@ -119382,7 +119984,7 @@ index 0000000..2f37382
+seq_read_27411 seq_read 3 27411 NULL
+ib_dma_map_sg_27413 ib_dma_map_sg 0 27413 NULL
+ieee80211_if_read_smps_27416 ieee80211_if_read_smps 3 27416 NULL
-+ocfs2_refcount_cal_cow_clusters_27422 ocfs2_refcount_cal_cow_clusters 0 27422 NULL
++ocfs2_refcount_cal_cow_clusters_27422 ocfs2_refcount_cal_cow_clusters 0-3-4 27422 NULL
+cypress_write_27423 cypress_write 4 27423 NULL
+sddr09_read_data_27447 sddr09_read_data 3 27447 NULL
+xfs_btree_lookup_get_block_27448 xfs_btree_lookup_get_block 0 27448 NULL
@@ -119580,7 +120182,7 @@ index 0000000..2f37382
+add_to_page_cache_lru_29534 add_to_page_cache_lru 0 29534 NULL
+ftrace_write_29551 ftrace_write 3 29551 NULL
+idetape_queue_rw_tail_29562 idetape_queue_rw_tail 3 29562 NULL
-+leaf_dealloc_29566 leaf_dealloc 3 29566 NULL
++leaf_dealloc_29566 leaf_dealloc 3-2 29566 NULL
+kvm_read_guest_virt_system_29569 kvm_read_guest_virt_system 4-2 29569 NULL
+lbs_lowsnr_read_29571 lbs_lowsnr_read 3 29571 NULL
+security_path_chmod_29578 security_path_chmod 0 29578 NULL
@@ -119639,6 +120241,7 @@ index 0000000..2f37382
+__genwqe_readq_30197 __genwqe_readq 0 30197 NULL
+usblp_ioctl_30203 usblp_ioctl 2 30203 NULL
+read_4k_modal_eeprom_30212 read_4k_modal_eeprom 3 30212 NULL
++SyS_semop_30227 SyS_semop 3 30227 NULL
+bitmap_file_set_bit_30228 bitmap_file_set_bit 2 30228 NULL
+shmem_unuse_inode_30263 shmem_unuse_inode 0 30263 NULL
+rawv6_recvmsg_30265 rawv6_recvmsg 4 30265 NULL
@@ -119681,6 +120284,7 @@ index 0000000..2f37382
+set_le_30581 set_le 4 30581 NULL
+blk_init_tags_30592 blk_init_tags 1 30592 NULL
+sgl_map_user_pages_30610 sgl_map_user_pages 2 30610 NULL
++SyS_msgrcv_30611 SyS_msgrcv 3 30611 NULL
+macvtap_sendmsg_30629 macvtap_sendmsg 4 30629 NULL
+ieee80211_if_read_dot11MeshAwakeWindowDuration_30631 ieee80211_if_read_dot11MeshAwakeWindowDuration 3 30631 NULL
+compat_raw_setsockopt_30634 compat_raw_setsockopt 5 30634 NULL
@@ -119880,6 +120484,7 @@ index 0000000..2f37382
+generic_readlink_32654 generic_readlink 3 32654 NULL
+move_addr_to_kernel_32673 move_addr_to_kernel 2 32673 NULL
+apei_res_add_32674 apei_res_add 0 32674 NULL
++compat_SyS_preadv_32679 compat_SyS_preadv 3 32679 NULL
+jfs_readpages_32702 jfs_readpages 4 32702 NULL
+xfs_filestream_new_ag_32711 xfs_filestream_new_ag 0 32711 NULL
+rt2x00debug_read_queue_dump_32712 rt2x00debug_read_queue_dump 3 32712 NULL
@@ -120147,6 +120752,7 @@ index 0000000..2f37382
+ptlrpcd_steal_rqset_35637 ptlrpcd_steal_rqset 0 35637 NULL
+spi_register_board_info_35651 spi_register_board_info 2 35651 NULL
+rdmaltWithLock_35669 rdmaltWithLock 0 35669 NULL
++compat_sys_kexec_load_35674 compat_sys_kexec_load 2 35674 NULL
+SYSC_pwritev_35690 SYSC_pwritev 3 35690 NULL
+rds_page_copy_user_35691 rds_page_copy_user 4 35691 NULL
+md_super_write_35703 md_super_write 4 35703 NULL
@@ -120401,7 +121007,8 @@ index 0000000..2f37382
+_ipw_read_reg32_38245 _ipw_read_reg32 0 38245 NULL
+xfs_qm_dqrepair_38262 xfs_qm_dqrepair 0 38262 NULL
+mthca_alloc_icm_table_38268 mthca_alloc_icm_table 4-3 38268 NULL nohasharray
-+ieee80211_if_read_auto_open_plinks_38268 ieee80211_if_read_auto_open_plinks 3 38268 &mthca_alloc_icm_table_38268
++ieee80211_if_read_auto_open_plinks_38268 ieee80211_if_read_auto_open_plinks 3 38268 &mthca_alloc_icm_table_38268 nohasharray
++SYSC_msgrcv_38268 SYSC_msgrcv 3 38268 &ieee80211_if_read_auto_open_plinks_38268
+xfs_bmbt_to_bmdr_38275 xfs_bmbt_to_bmdr 3 38275 NULL nohasharray
+xfs_bmdr_to_bmbt_38275 xfs_bmdr_to_bmbt 5 38275 &xfs_bmbt_to_bmdr_38275
+ftdi_process_packet_38281 ftdi_process_packet 4 38281 NULL
@@ -120410,6 +121017,7 @@ index 0000000..2f37382
+ida_simple_get_38326 ida_simple_get 0 38326 NULL
+__snd_gf1_look8_38333 __snd_gf1_look8 0 38333 NULL
+btrfs_file_extent_disk_num_bytes_38363 btrfs_file_extent_disk_num_bytes 0 38363 NULL
++xfs_free_file_space_38383 xfs_free_file_space 2-3 38383 NULL
+dn_sendmsg_38390 dn_sendmsg 4 38390 NULL
+ieee80211_if_read_dtim_count_38419 ieee80211_if_read_dtim_count 3 38419 NULL
+pmcraid_copy_sglist_38431 pmcraid_copy_sglist 3 38431 NULL
@@ -120486,6 +121094,7 @@ index 0000000..2f37382
+insert_reserved_file_extent_39327 insert_reserved_file_extent 3 39327 NULL
+wimax_msg_alloc_39343 wimax_msg_alloc 4 39343 NULL
+ide_complete_rq_39354 ide_complete_rq 3 39354 NULL
++gfs2_dir_write_data_39357 gfs2_dir_write_data 3-4 39357 NULL
+do_write_log_from_user_39362 do_write_log_from_user 3-0 39362 NULL
+vortex_wtdma_getlinearpos_39371 vortex_wtdma_getlinearpos 0 39371 NULL
+regmap_name_read_file_39379 regmap_name_read_file 3 39379 NULL
@@ -120565,7 +121174,7 @@ index 0000000..2f37382
+compress_file_range_40225 compress_file_range 3-4 40225 NULL
+osst_read_40237 osst_read 3 40237 NULL
+lpage_info_slot_40243 lpage_info_slot 3-1 40243 NULL
-+ocfs2_zero_extend_get_range_40248 ocfs2_zero_extend_get_range 4 40248 NULL
++ocfs2_zero_extend_get_range_40248 ocfs2_zero_extend_get_range 4-3 40248 NULL
+rs_sta_dbgfs_scale_table_read_40262 rs_sta_dbgfs_scale_table_read 3 40262 NULL
+ext2_fiemap_40271 ext2_fiemap 4 40271 NULL
+usbnet_read_cmd_40275 usbnet_read_cmd 7 40275 NULL
@@ -120824,6 +121433,7 @@ index 0000000..2f37382
+ieee80211_if_fmt_drop_unencrypted_43107 ieee80211_if_fmt_drop_unencrypted 3 43107 NULL
+calculate_node_totalpages_43118 calculate_node_totalpages 2-3 43118 NULL
+read_file_dfs_43145 read_file_dfs 3 43145 NULL
++gfs2_dir_write_stuffed_43147 gfs2_dir_write_stuffed 0-4 43147 NULL
+cfs_cpt_table_alloc_43159 cfs_cpt_table_alloc 1 43159 NULL
+usb_string_sub_43164 usb_string_sub 0 43164 NULL
+il_dbgfs_power_save_status_read_43165 il_dbgfs_power_save_status_read 3 43165 NULL
@@ -120849,6 +121459,7 @@ index 0000000..2f37382
+gfs2_rgrp_bh_get_43375 gfs2_rgrp_bh_get 0 43375 NULL
+xfs_btree_new_iroot_43392 xfs_btree_new_iroot 0 43392 NULL
+xenfb_write_43412 xenfb_write 3 43412 NULL
++ext4_xattr_check_names_43422 ext4_xattr_check_names 0 43422 NULL
+__alloc_bootmem_low_43423 __alloc_bootmem_low 1 43423 NULL
+usb_alloc_urb_43436 usb_alloc_urb 1 43436 NULL
+cifs_writev_43437 cifs_writev 4 43437 NULL
@@ -120933,6 +121544,7 @@ index 0000000..2f37382
+radix_tree_maybe_preload_44346 radix_tree_maybe_preload 0 44346 NULL
+blk_queue_init_tags_44355 blk_queue_init_tags 2 44355 NULL nohasharray
+nfs_fscache_get_super_cookie_44355 nfs_fscache_get_super_cookie 3 44355 &blk_queue_init_tags_44355
++alloc_requests_44372 alloc_requests 0 44372 NULL
+rts_threshold_read_44384 rts_threshold_read 3 44384 NULL
+mtip_hw_read_flags_44396 mtip_hw_read_flags 3 44396 NULL
+aoedev_flush_44398 aoedev_flush 2 44398 NULL
@@ -121003,7 +121615,7 @@ index 0000000..2f37382
+cfs_trace_daemon_command_usrstr_45147 cfs_trace_daemon_command_usrstr 2 45147 NULL
+gen_bitmask_string_45149 gen_bitmask_string 6 45149 NULL
+device_write_45156 device_write 3 45156 NULL nohasharray
-+ocfs2_remove_inode_range_45156 ocfs2_remove_inode_range 3 45156 &device_write_45156
++ocfs2_remove_inode_range_45156 ocfs2_remove_inode_range 3-4 45156 &device_write_45156
+tomoyo_write_self_45161 tomoyo_write_self 3 45161 NULL
+sta_agg_status_write_45164 sta_agg_status_write 3 45164 NULL
+snd_sb_csp_load_user_45190 snd_sb_csp_load_user 3 45190 NULL nohasharray
@@ -121189,6 +121801,7 @@ index 0000000..2f37382
+ablkcipher_next_slow_47274 ablkcipher_next_slow 4-3 47274 NULL
+gfs2_readpages_47285 gfs2_readpages 4 47285 NULL
+vsnprintf_47291 vsnprintf 0 47291 NULL
++SYSC_semop_47292 SYSC_semop 3 47292 NULL
+tx_internal_desc_overflow_read_47300 tx_internal_desc_overflow_read 3 47300 NULL
+xfs_trans_reserve_quota_nblks_47313 xfs_trans_reserve_quota_nblks 0 47313 NULL
+nouveau_fb_create__47316 nouveau_fb_create_ 4 47316 NULL
@@ -121304,6 +121917,7 @@ index 0000000..2f37382
+compat_SyS_preadv64_48469 compat_SyS_preadv64 3 48469 NULL
+ipath_format_hwerrors_48487 ipath_format_hwerrors 5 48487 NULL
+r8712_usbctrl_vendorreq_48489 r8712_usbctrl_vendorreq 6 48489 NULL
++ocfs2_refcount_cow_48495 ocfs2_refcount_cow 3 48495 NULL
+send_control_msg_48498 send_control_msg 6 48498 NULL
+count_masked_bytes_48507 count_masked_bytes 0-1 48507 NULL
+diva_os_copy_to_user_48508 diva_os_copy_to_user 4 48508 NULL
@@ -121962,6 +122576,7 @@ index 0000000..2f37382
+gsm_control_modem_55303 gsm_control_modem 3 55303 NULL
+wimax_msg_len_55304 wimax_msg_len 0 55304 NULL
+qp_alloc_guest_work_55305 qp_alloc_guest_work 5-3 55305 NULL
++gfs2_dir_read_data_55327 gfs2_dir_read_data 3 55327 NULL
+__vxge_hw_vpath_initialize_55328 __vxge_hw_vpath_initialize 2 55328 NULL
+vme_user_read_55338 vme_user_read 3 55338 NULL
+__wa_xfer_setup_sizes_55342 __wa_xfer_setup_sizes 0 55342 NULL nohasharray
@@ -122228,6 +122843,7 @@ index 0000000..2f37382
+key_algorithm_read_57946 key_algorithm_read 3 57946 NULL
+ip_set_alloc_57953 ip_set_alloc 1 57953 NULL nohasharray
+ioat3_dca_count_dca_slots_57953 ioat3_dca_count_dca_slots 0 57953 &ip_set_alloc_57953
++do_rx_dma_57996 do_rx_dma 5 57996 NULL
+rx_reset_counter_read_58001 rx_reset_counter_read 3 58001 NULL
+iwl_dbgfs_ucode_rx_stats_read_58023 iwl_dbgfs_ucode_rx_stats_read 3 58023 NULL
+io_playback_transfer_58030 io_playback_transfer 4 58030 NULL
@@ -122386,6 +123002,7 @@ index 0000000..2f37382
+cap_inode_need_killpriv_59766 cap_inode_need_killpriv 0 59766 &long_retry_limit_read_59766
+venus_remove_59781 venus_remove 4 59781 NULL
+mei_nfc_recv_59784 mei_nfc_recv 3 59784 NULL
++C_SYSC_preadv_59801 C_SYSC_preadv 3 59801 NULL
+ipw_write_59807 ipw_write 3 59807 NULL
+scsi_init_shared_tag_map_59812 scsi_init_shared_tag_map 2 59812 NULL
+ieee80211_if_read_dot11MeshHWMPmaxPREQretries_59829 ieee80211_if_read_dot11MeshHWMPmaxPREQretries 3 59829 NULL
@@ -122523,6 +123140,7 @@ index 0000000..2f37382
+f1x_map_sysaddr_to_csrow_61344 f1x_map_sysaddr_to_csrow 2 61344 NULL
+debug_debug4_read_61367 debug_debug4_read 3 61367 NULL
+system_enable_write_61396 system_enable_write 3 61396 NULL
++xfs_zero_remaining_bytes_61423 xfs_zero_remaining_bytes 3 61423 NULL
+unix_stream_sendmsg_61455 unix_stream_sendmsg 4 61455 NULL
+snd_pcm_lib_writev_transfer_61483 snd_pcm_lib_writev_transfer 5-4-2 61483 NULL
+btrfs_item_size_61485 btrfs_item_size 0 61485 NULL
@@ -122578,6 +123196,7 @@ index 0000000..2f37382
+il4965_ucode_rx_stats_read_61948 il4965_ucode_rx_stats_read 3 61948 NULL
+squashfs_read_id_index_table_61961 squashfs_read_id_index_table 4 61961 NULL
+fix_read_error_61965 fix_read_error 4 61965 NULL
++ocfs2_quota_write_61972 ocfs2_quota_write 4-5 61972 NULL
+fd_locked_ioctl_61978 fd_locked_ioctl 3 61978 NULL
+cow_file_range_61979 cow_file_range 3 61979 NULL
+set_extent_delalloc_61982 set_extent_delalloc 0 61982 NULL
@@ -122633,6 +123252,7 @@ index 0000000..2f37382
+link_send_sections_long_62557 link_send_sections_long 3 62557 NULL
+compute_bitstructs_62570 compute_bitstructs 0 62570 NULL
+xfrm_user_policy_62573 xfrm_user_policy 4 62573 NULL
++compat_SyS_rt_sigpending_62580 compat_SyS_rt_sigpending 2 62580 NULL
+get_subdir_62581 get_subdir 3 62581 NULL
+nfsd_vfs_read_62605 nfsd_vfs_read 6 62605 NULL
+tipc_port_recv_sections_62609 tipc_port_recv_sections 3 62609 NULL
@@ -122725,6 +123345,7 @@ index 0000000..2f37382
+spidev_compat_ioctl_63778 spidev_compat_ioctl 2 63778 NULL
+mwifiex_11n_create_rx_reorder_tbl_63806 mwifiex_11n_create_rx_reorder_tbl 4 63806 NULL
+copy_nodes_to_user_63807 copy_nodes_to_user 2 63807 NULL
++prepare_copy_63826 prepare_copy 2 63826 NULL
+sel_write_load_63830 sel_write_load 3 63830 NULL
+ll_readlink_63836 ll_readlink 3 63836 NULL
+proc_pid_attr_write_63845 proc_pid_attr_write 3 63845 NULL
@@ -124353,44 +124974,6 @@ index 0a578fe..b81f62d 100644
0; \
})
-diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
-index 714b949..1f0dc1e 100644
---- a/virt/kvm/iommu.c
-+++ b/virt/kvm/iommu.c
-@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct kvm *kvm,
- gfn_t base_gfn, unsigned long npages);
-
- static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn,
-- unsigned long size)
-+ unsigned long npages)
- {
- gfn_t end_gfn;
- pfn_t pfn;
-
- pfn = gfn_to_pfn_memslot(slot, gfn);
-- end_gfn = gfn + (size >> PAGE_SHIFT);
-+ end_gfn = gfn + npages;
- gfn += 1;
-
- if (is_error_noslot_pfn(pfn))
-@@ -119,7 +119,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
- * Pin all pages we are about to map in memory. This is
- * important because we unmap and unpin in 4kb steps later.
- */
-- pfn = kvm_pin_pages(slot, gfn, page_size);
-+ pfn = kvm_pin_pages(slot, gfn, page_size >> PAGE_SHIFT);
- if (is_error_noslot_pfn(pfn)) {
- gfn += 1;
- continue;
-@@ -131,7 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
- if (r) {
- printk(KERN_ERR "kvm_iommu_map_address:"
- "iommu failed to map pfn=%llx\n", pfn);
-- kvm_unpin_pages(kvm, pfn, page_size);
-+ kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT);
- goto unmap_pages;
- }
-
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 6611253..eb4bc0f 100644
--- a/virt/kvm/kvm_main.c