-rw-r--r-- | main/linux-virt-grsec/APKBUILD | 16 | ||||
-rw-r--r-- | main/linux-virt-grsec/grsecurity-3.0-3.14.20-201410062037.patch (renamed from main/linux-virt-grsec/grsecurity-3.0-3.14.18-201409141906.patch) | 1738 |
2 files changed, 774 insertions, 980 deletions
diff --git a/main/linux-virt-grsec/APKBUILD b/main/linux-virt-grsec/APKBUILD index a21ed668df..5f6790fe05 100644 --- a/main/linux-virt-grsec/APKBUILD +++ b/main/linux-virt-grsec/APKBUILD @@ -3,7 +3,7 @@ _flavor=virt-grsec pkgname=linux-${_flavor} -pkgver=3.14.18 +pkgver=3.14.20 case $pkgver in *.*.*) _kernver=${pkgver%.*};; *.*) _kernver=${pkgver};; @@ -18,7 +18,7 @@ _config=${config:-kernelconfig.${CARCH}} install= source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz - grsecurity-3.0-$pkgver-201409141906.patch + grsecurity-3.0-$pkgver-201410062037.patch fix-memory-map-for-PIE-applications.patch imx6q-no-unclocked-sleep.patch 
@@ -146,22 +146,22 @@ dev() { } md5sums="b621207b3f6ecbb67db18b13258f8ea8 linux-3.14.tar.xz -f00741b35127573c3cf085fc43f6e3f0 patch-3.14.18.xz -eb7a53b063df0e0018014049a08f5b40 grsecurity-3.0-3.14.18-201409141906.patch +e581089540b747c39d528fc4c47b70b6 patch-3.14.20.xz +149cb0b654a5eb6122c7e47b0f113c98 grsecurity-3.0-3.14.20-201410062037.patch c6a4ae7e8ca6159e1631545515805216 fix-memory-map-for-PIE-applications.patch 1a307fc1d63231bf01d22493a4f14378 imx6q-no-unclocked-sleep.patch 6b30dd8284f37ecc244d556bebf32046 kernelconfig.x86 8df8378d305bdd302b01293ff44e982d kernelconfig.x86_64" sha256sums="61558aa490855f42b6340d1a1596be47454909629327c49a5e4e10268065dffa linux-3.14.tar.xz -3723d8d91e1bba0ed57a4951e8089ebfaa21ac186c3b729b4d2bad2da3eaed9f patch-3.14.18.xz -a9f82ac307226ea1726e7c7e904627e69ee8016985b73fd4cb8dec4f5768b222 grsecurity-3.0-3.14.18-201409141906.patch +b01ba521cce12d3b9e8c25807567837dd88878b861f27c453c29cee80b6cb84b patch-3.14.20.xz +578f55546016f72c9ed3afedebb0cf6e74ab613f25c29d0a2f3a6b4bfbd1456f grsecurity-3.0-3.14.20-201410062037.patch 500f3577310be52e87b9fecdc2e9c4ca43210fd97d69089f9005d484563f74c7 fix-memory-map-for-PIE-applications.patch 21179fbb22a5b74af0a609350ae1a170e232908572b201d02e791d2ce0a685d3 imx6q-no-unclocked-sleep.patch 5e06e22ca723e50ae9f4bfabdda2e738f7b28cbbfe77b6be295285d6cd75c916 kernelconfig.x86 0ec1e1eb4445bd9751cb98a55afd4a430bed08e8d8c3c0a107d2f14ec5746dd2 kernelconfig.x86_64" sha512sums="5730d83a7a81134c1e77c0bf89e42dee4f8251ad56c1ac2be20c59e26fdfaa7bea55f277e7af156b637f22e1584914a46089af85039177cb43485089c74ac26e linux-3.14.tar.xz -c7c5b281986819cb69592cc4c2b7c7d79f34aa86f21db1dd64b795dda79b5f9df95626dada5c8e0613c58d8d7979f37baf0a87cd458f340018ce61b42e4eb6c5 patch-3.14.18.xz -ff711fc291a3a795a1421936f0e3168ef8a6b92bcad21f9b7a1468945ee33cf9dcb3e56a5424be99af4cc660bd00e1770812ee2beb0fad9b34dd610558bd9cd9 grsecurity-3.0-3.14.18-201409141906.patch 
+91231ec4e8e10a09b407d8db123e29a87ef4bf03fa3707f7ed511f22248de7d7b9cfc5169de5e9630854c97166594d3a00293571529d9b7a529118e6d2295b4f patch-3.14.20.xz +2a515f7ef49df5ef1d1de725884f541438f980d364db94789eb8381bf10a7902c7a5647ef1d7e296952980e6918e6697d0212b61cc1b7e171137ca6abba56504 grsecurity-3.0-3.14.20-201410062037.patch 4665c56ae1bbac311f9205d64918e84ee8b01d47d6e2396ff6b8adfb10aada7f7254531ce62e31edbb65c2a54a830f09ad05d314dfcd75d6272f4068945ad7c7 fix-memory-map-for-PIE-applications.patch 87d1ad59732f265a5b0db54490dc1762c14ea4b868e7eb1aedc3ce57b48046de7bbc08cf5cfcf6f1380fa84063b0edb16ba3d5e3c5670be9bbb229275c88b221 imx6q-no-unclocked-sleep.patch 29dc4bbde6052bb16200d87b7137717a053ad3c716a305a51d2b523531f35c1a7e144099f7a251c85849c9117a65ed961262dd314e0832f58750f489aeb1440e kernelconfig.x86 diff --git a/main/linux-virt-grsec/grsecurity-3.0-3.14.18-201409141906.patch b/main/linux-virt-grsec/grsecurity-3.0-3.14.20-201410062037.patch index 54a332ad20..07a0783bae 100644 --- a/main/linux-virt-grsec/grsecurity-3.0-3.14.18-201409141906.patch +++ b/main/linux-virt-grsec/grsecurity-3.0-3.14.20-201410062037.patch @@ -287,7 +287,7 @@ index 7116fda..d8ed6e8 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 05279d4..c24e149 100644 +index beb7e6f..70db31f 100644 --- a/Makefile +++ b/Makefile @@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ 
@@ -2166,6 +2166,28 @@ index 71a06b2..8bb9ae1 100644 /* * Change these and you break ASM code in entry-common.S +diff --git a/arch/arm/include/asm/tls.h b/arch/arm/include/asm/tls.h +index 5f833f7..76e6644 100644 +--- a/arch/arm/include/asm/tls.h ++++ b/arch/arm/include/asm/tls.h +@@ -3,6 +3,7 @@ + + #include <linux/compiler.h> + #include <asm/thread_info.h> ++#include <asm/pgtable.h> + + #ifdef __ASSEMBLY__ + #include <asm/asm-offsets.h> +@@ -89,7 +90,9 @@ static inline void set_tls(unsigned long val) + * at 0xffff0fe0 must be used instead. (see + * entry-armv.S for details) + */ ++ pax_open_kernel(); + *((unsigned int *)0xffff0ff0) = val; ++ pax_close_kernel(); + #endif + } + diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h index 7f3f3cc..bdf0665 100644 --- a/arch/arm/include/asm/uaccess.h @@ -2841,7 +2863,7 @@ index 07314af..c46655c 100644 flush_icache_range((uintptr_t)(addr), (uintptr_t)(addr) + size); diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c -index 92f7b15..7048500 100644 +index 5f6e650..b5e6630 100644 --- a/arch/arm/kernel/process.c +++ b/arch/arm/kernel/process.c @@ -217,6 +217,7 @@ void machine_power_off(void) @@ -2872,7 +2894,7 @@ index 92f7b15..7048500 100644 printk("pc : [<%08lx>] lr : [<%08lx>] psr: %08lx\n" "sp : %08lx ip : %08lx fp : %08lx\n", regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr, -@@ -425,12 +426,6 @@ unsigned long get_wchan(struct task_struct *p) +@@ -427,12 +428,6 @@ unsigned long get_wchan(struct task_struct *p) return 0; } @@ -2885,7 +2907,7 @@ index 92f7b15..7048500 100644 #ifdef CONFIG_MMU #ifdef CONFIG_KUSER_HELPERS /* -@@ -446,7 +441,7 @@ static struct vm_area_struct gate_vma = { +@@ -448,7 +443,7 @@ static struct vm_area_struct gate_vma = { static int __init gate_vma_init(void) { 
@@ -2894,7 +2916,7 @@ index 92f7b15..7048500 100644 return 0; } arch_initcall(gate_vma_init); -@@ -472,41 +467,16 @@ int in_gate_area_no_mm(unsigned long addr) +@@ -474,41 +469,16 @@ int in_gate_area_no_mm(unsigned long addr) const char *arch_vma_name(struct vm_area_struct *vma) { @@ -3140,7 +3162,7 @@ index 7a3be1d..b00c7de 100644 start, end); itcm_present = true; diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c -index 172ee18..ce4ec3d 100644 +index 9265b8b..381ce44 100644 --- a/arch/arm/kernel/traps.c +++ b/arch/arm/kernel/traps.c @@ -62,7 +62,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long); @@ -3171,17 +3193,7 @@ index 172ee18..ce4ec3d 100644 if (signr) do_exit(signr); } -@@ -642,7 +647,9 @@ asmlinkage int arm_syscall(int no, struct pt_regs *regs) - * The user helper at 0xffff0fe0 must be used instead. - * (see entry-armv.S for details) - */ -+ pax_open_kernel(); - *((unsigned int *)0xffff0ff0) = regs->ARM_r0; -+ pax_close_kernel(); - } - return 0; - -@@ -899,7 +906,11 @@ void __init early_trap_init(void *vectors_base) +@@ -884,7 +889,11 @@ void __init early_trap_init(void *vectors_base) kuser_init(vectors_base); flush_icache_range(vectors, vectors + PAGE_SIZE * 2); @@ -3646,7 +3658,7 @@ index 78c02b3..c94109a 100644 struct omap_device *omap_device_alloc(struct platform_device *pdev, struct omap_hwmod **ohs, int oh_cnt); diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c -index c914b00..8a653a7 100644 +index 4551efd..d487c24 100644 --- a/arch/arm/mach-omap2/omap_hwmod.c +++ b/arch/arm/mach-omap2/omap_hwmod.c @@ -194,10 +194,10 @@ struct omap_hwmod_soc_ops { @@ -3778,10 +3790,10 @@ index ca8ecde..58ba893 100644 If all of the binaries and libraries which run on your platform diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c -index 9240364..a2b8cf3 100644 +index d301662..a6ef72c 100644 --- a/arch/arm/mm/alignment.c 
+++ b/arch/arm/mm/alignment.c -@@ -212,10 +212,12 @@ union offset_union { +@@ -213,10 +213,12 @@ union offset_union { #define __get16_unaligned_check(ins,val,addr) \ do { \ unsigned int err = 0, v, a = addr; \ @@ -3794,7 +3806,7 @@ index 9240364..a2b8cf3 100644 if (err) \ goto fault; \ } while (0) -@@ -229,6 +231,7 @@ union offset_union { +@@ -230,6 +232,7 @@ union offset_union { #define __get32_unaligned_check(ins,val,addr) \ do { \ unsigned int err = 0, v, a = addr; \ @@ -3802,7 +3814,7 @@ index 9240364..a2b8cf3 100644 __get8_unaligned_check(ins,v,a,err); \ val = v << ((BE) ? 24 : 0); \ __get8_unaligned_check(ins,v,a,err); \ -@@ -237,6 +240,7 @@ union offset_union { +@@ -238,6 +241,7 @@ union offset_union { val |= v << ((BE) ? 8 : 16); \ __get8_unaligned_check(ins,v,a,err); \ val |= v << ((BE) ? 0 : 24); \ @@ -3810,7 +3822,7 @@ index 9240364..a2b8cf3 100644 if (err) \ goto fault; \ } while (0) -@@ -250,6 +254,7 @@ union offset_union { +@@ -251,6 +255,7 @@ union offset_union { #define __put16_unaligned_check(ins,val,addr) \ do { \ unsigned int err = 0, v = val, a = addr; \ @@ -3818,7 +3830,7 @@ index 9240364..a2b8cf3 100644 __asm__( FIRST_BYTE_16 \ ARM( "1: "ins" %1, [%2], #1\n" ) \ THUMB( "1: "ins" %1, [%2]\n" ) \ -@@ -269,6 +274,7 @@ union offset_union { +@@ -270,6 +275,7 @@ union offset_union { " .popsection\n" \ : "=r" (err), "=&r" (v), "=&r" (a) \ : "0" (err), "1" (v), "2" (a)); \ @@ -3826,7 +3838,7 @@ index 9240364..a2b8cf3 100644 if (err) \ goto fault; \ } while (0) -@@ -282,6 +288,7 @@ union offset_union { +@@ -283,6 +289,7 @@ union offset_union { #define __put32_unaligned_check(ins,val,addr) \ do { \ unsigned int err = 0, v = val, a = addr; \ @@ -3834,7 +3846,7 @@ index 9240364..a2b8cf3 100644 __asm__( FIRST_BYTE_32 \ ARM( "1: "ins" %1, [%2], #1\n" ) \ THUMB( "1: "ins" %1, [%2]\n" ) \ -@@ -311,6 +318,7 @@ union offset_union { +@@ -312,6 +319,7 @@ union offset_union { " .popsection\n" \ : "=r" (err), "=&r" (v), "=&r" (a) \ : "0" (err), "1" (v), "2" (a)); \ 
@@ -6847,7 +6859,7 @@ index 1188e00..41cf144 100644 #include <linux/module.h> #include <linux/elfcore.h> diff --git a/arch/mips/kernel/binfmt_elfo32.c b/arch/mips/kernel/binfmt_elfo32.c -index 7faf5f2..f3d3cf4 100644 +index 71df942..199dd19 100644 --- a/arch/mips/kernel/binfmt_elfo32.c +++ b/arch/mips/kernel/binfmt_elfo32.c @@ -70,6 +70,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG]; @@ -6863,7 +6875,7 @@ index 7faf5f2..f3d3cf4 100644 + #include <asm/processor.h> - /* + /* These MUST be defined before elf.h gets included */ diff --git a/arch/mips/kernel/i8259.c b/arch/mips/kernel/i8259.c index 2b91fe8..fe4f6b4 100644 --- a/arch/mips/kernel/i8259.c @@ -6955,10 +6967,10 @@ index 6ae540e..b7396dc 100644 - return sp & ALMASK; -} diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c -index 7da9b76..21578be 100644 +index 60f48fe..a2df508 100644 --- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c -@@ -658,6 +658,10 @@ long arch_ptrace(struct task_struct *child, long request, +@@ -790,6 +790,10 @@ long arch_ptrace(struct task_struct *child, long request, return ret; } @@ -6969,7 +6981,7 @@ index 7da9b76..21578be 100644 /* * Notification of system call entry/exit * - triggered by current->work.syscall_trace -@@ -674,6 +678,11 @@ asmlinkage void syscall_trace_enter(struct pt_regs *regs) +@@ -806,6 +810,11 @@ asmlinkage void syscall_trace_enter(struct pt_regs *regs) tracehook_report_syscall_entry(regs)) ret = -1; @@ -17716,7 +17728,7 @@ index 81bb91b..9392125 100644 /* diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h -index bbc8b12..f228861 100644 +index bbc8b12..a614983 100644 --- a/arch/x86/include/asm/pgtable.h +++ b/arch/x86/include/asm/pgtable.h @@ -45,6 +45,7 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page); 
@@ -17727,7 +17739,7 @@ index bbc8b12..f228861 100644 #define pgd_clear(pgd) native_pgd_clear(pgd) #endif -@@ -82,12 +83,51 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page); +@@ -82,12 +83,53 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page); #define arch_end_context_switch(prev) do {} while(0) @@ -17748,6 +17760,7 @@ index bbc8b12..f228861 100644 + cr0 = read_cr0() ^ X86_CR0_WP; + BUG_ON(cr0 & X86_CR0_WP); + write_cr0(cr0); ++ barrier(); + return cr0 ^ X86_CR0_WP; +} + @@ -17755,6 +17768,7 @@ index bbc8b12..f228861 100644 +{ + unsigned long cr0; + ++ barrier(); + cr0 = read_cr0() ^ X86_CR0_WP; + BUG_ON(!(cr0 & X86_CR0_WP)); + write_cr0(cr0); @@ -17779,7 +17793,7 @@ index bbc8b12..f228861 100644 static inline int pte_dirty(pte_t pte) { return pte_flags(pte) & _PAGE_DIRTY; -@@ -148,6 +188,11 @@ static inline unsigned long pud_pfn(pud_t pud) +@@ -148,6 +190,11 @@ static inline unsigned long pud_pfn(pud_t pud) return (pud_val(pud) & PTE_PFN_MASK) >> PAGE_SHIFT; } @@ -17791,7 +17805,7 @@ index bbc8b12..f228861 100644 #define pte_page(pte) pfn_to_page(pte_pfn(pte)) static inline int pmd_large(pmd_t pte) -@@ -201,9 +246,29 @@ static inline pte_t pte_wrprotect(pte_t pte) +@@ -201,9 +248,29 @@ static inline pte_t pte_wrprotect(pte_t pte) return pte_clear_flags(pte, _PAGE_RW); } @@ -17822,7 +17836,7 @@ index bbc8b12..f228861 100644 } static inline pte_t pte_mkdirty(pte_t pte) -@@ -430,6 +495,16 @@ pte_t *populate_extra_pte(unsigned long vaddr); +@@ -430,6 +497,16 @@ pte_t *populate_extra_pte(unsigned long vaddr); #endif #ifndef __ASSEMBLY__ @@ -17839,7 +17853,7 @@ index bbc8b12..f228861 100644 #include <linux/mm_types.h> #include <linux/mmdebug.h> #include <linux/log2.h> -@@ -570,7 +645,7 @@ static inline unsigned long pud_page_vaddr(pud_t pud) +@@ -570,7 +647,7 @@ static inline unsigned long pud_page_vaddr(pud_t pud) * Currently stuck as a macro due to indirect forward reference to * linux/mmzone.h's __section_mem_map_addr() definition: */ 
@@ -17848,7 +17862,7 @@ index bbc8b12..f228861 100644 /* Find an entry in the second-level page table.. */ static inline pmd_t *pmd_offset(pud_t *pud, unsigned long address) -@@ -610,7 +685,7 @@ static inline unsigned long pgd_page_vaddr(pgd_t pgd) +@@ -610,7 +687,7 @@ static inline unsigned long pgd_page_vaddr(pgd_t pgd) * Currently stuck as a macro due to indirect forward reference to * linux/mmzone.h's __section_mem_map_addr() definition: */ @@ -17857,7 +17871,7 @@ index bbc8b12..f228861 100644 /* to find an entry in a page-table-directory. */ static inline unsigned long pud_index(unsigned long address) -@@ -625,7 +700,7 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address) +@@ -625,7 +702,7 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address) static inline int pgd_bad(pgd_t pgd) { @@ -17866,7 +17880,7 @@ index bbc8b12..f228861 100644 } static inline int pgd_none(pgd_t pgd) -@@ -648,7 +723,12 @@ static inline int pgd_none(pgd_t pgd) +@@ -648,7 +725,12 @@ static inline int pgd_none(pgd_t pgd) * pgd_offset() returns a (pgd_t *) * pgd_index() is used get the offset into the pgd page's array of pgd_t's; */ @@ -17880,7 +17894,7 @@ index bbc8b12..f228861 100644 /* * a shortcut which implies the use of the kernel's pgd, instead * of a process's -@@ -659,6 +739,23 @@ static inline int pgd_none(pgd_t pgd) +@@ -659,6 +741,23 @@ static inline int pgd_none(pgd_t pgd) #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET) #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY) @@ -17904,7 +17918,7 @@ index bbc8b12..f228861 100644 #ifndef __ASSEMBLY__ extern int direct_gbpages; -@@ -825,11 +922,24 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm, +@@ -825,11 +924,24 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm, * dst and src can be on the same page, but the range must not overlap, * and must not cross a page boundary. */ 
@@ -18010,10 +18024,10 @@ index ed5903b..c7fe163 100644 #define MODULES_END VMALLOC_END #define MODULES_LEN (MODULES_VADDR - MODULES_END) diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h -index e22c1db..23a625a 100644 +index d869931..82f2923 100644 --- a/arch/x86/include/asm/pgtable_64.h +++ b/arch/x86/include/asm/pgtable_64.h -@@ -16,10 +16,14 @@ +@@ -16,11 +16,15 @@ extern pud_t level3_kernel_pgt[512]; extern pud_t level3_ident_pgt[512]; @@ -18024,13 +18038,14 @@ index e22c1db..23a625a 100644 extern pmd_t level2_kernel_pgt[512]; extern pmd_t level2_fixmap_pgt[512]; -extern pmd_t level2_ident_pgt[512]; --extern pgd_t init_level4_pgt[]; +extern pmd_t level2_ident_pgt[512*2]; + extern pte_t level1_fixmap_pgt[512]; +-extern pgd_t init_level4_pgt[]; +extern pgd_t init_level4_pgt[512]; #define swapper_pg_dir init_level4_pgt -@@ -61,7 +65,9 @@ static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte) +@@ -62,7 +66,9 @@ static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte) static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd) { @@ -18040,7 +18055,7 @@ index e22c1db..23a625a 100644 } static inline void native_pmd_clear(pmd_t *pmd) -@@ -97,7 +103,9 @@ static inline pmd_t native_pmdp_get_and_clear(pmd_t *xp) +@@ -98,7 +104,9 @@ static inline pmd_t native_pmdp_get_and_clear(pmd_t *xp) static inline void native_set_pud(pud_t *pudp, pud_t pud) { @@ -18050,7 +18065,7 @@ index e22c1db..23a625a 100644 } static inline void native_pud_clear(pud_t *pud) -@@ -107,6 +115,13 @@ static inline void native_pud_clear(pud_t *pud) +@@ -108,6 +116,13 @@ static inline void native_pud_clear(pud_t *pud) static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd) { @@ -21659,7 +21674,7 @@ index 1340ebf..fc6d5c9 100644 intel_ds_init(); diff --git a/arch/x86/kernel/cpu/perf_event_intel_rapl.c b/arch/x86/kernel/cpu/perf_event_intel_rapl.c -index 5ad35ad..e0a3960 100644 +index 95700e5..19779f8 100644 
--- a/arch/x86/kernel/cpu/perf_event_intel_rapl.c +++ b/arch/x86/kernel/cpu/perf_event_intel_rapl.c @@ -425,7 +425,7 @@ static struct attribute *rapl_events_cln_attr[] = { @@ -21775,7 +21790,7 @@ index f6dfd93..892ade4 100644 .__cr3 = __pa_nodebug(swapper_pg_dir), diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c -index d9c12d3..7858b62 100644 +index d9c12d3..3e70198 100644 --- a/arch/x86/kernel/dumpstack.c +++ b/arch/x86/kernel/dumpstack.c @@ -2,6 +2,9 @@ @@ -21788,7 +21803,15 @@ index d9c12d3..7858b62 100644 #include <linux/kallsyms.h> #include <linux/kprobes.h> #include <linux/uaccess.h> -@@ -40,16 +43,14 @@ void printk_address(unsigned long address) +@@ -33,23 +36,21 @@ static void printk_stack_address(unsigned long address, int reliable) + + void printk_address(unsigned long address) + { +- pr_cont(" [<%p>] %pS\n", (void *)address, (void *)address); ++ pr_cont(" [<%p>] %pA\n", (void *)address, (void *)address); + } + + #ifdef CONFIG_FUNCTION_GRAPH_TRACER static void print_ftrace_graph_addr(unsigned long addr, void *data, const struct stacktrace_ops *ops, @@ -24768,7 +24791,7 @@ index f36bd42..0ab4474 100644 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0 + .endr diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S -index a468c0a..c7dec74 100644 +index a468c0a..8b5a879 100644 --- a/arch/x86/kernel/head_64.S +++ b/arch/x86/kernel/head_64.S @@ -20,6 +20,8 @@ @@ -24820,7 +24843,11 @@ index a468c0a..c7dec74 100644 /* * Set up the identity mapping for the switchover. These -@@ -177,8 +198,8 @@ ENTRY(secondary_startup_64) +@@ -174,11 +195,12 @@ ENTRY(secondary_startup_64) + * after the boot processor executes this code. + */ + ++ orq $-1, %rbp movq $(init_level4_pgt - __START_KERNEL_map), %rax 1: 
@@ -24831,7 +24858,7 @@ index a468c0a..c7dec74 100644 movq %rcx, %cr4 /* Setup early boot stage 4 level pagetables. */ -@@ -199,10 +220,19 @@ ENTRY(secondary_startup_64) +@@ -199,10 +221,19 @@ ENTRY(secondary_startup_64) movl $MSR_EFER, %ecx rdmsr btsl $_EFER_SCE, %eax /* Enable System Call */ @@ -24839,10 +24866,10 @@ index a468c0a..c7dec74 100644 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */ jnc 1f btsl $_EFER_NX, %eax ++ cmpq $-1, %rbp ++ je 1f btsq $_PAGE_BIT_NX,early_pmd_flags(%rip) -+#ifndef CONFIG_EFI + btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_PAGE_OFFSET(%rip) -+#endif + btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMALLOC_START(%rip) + btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMALLOC_END(%rip) + btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMEMMAP_START(%rip) @@ -24852,7 +24879,7 @@ index a468c0a..c7dec74 100644 1: wrmsr /* Make changes effective */ /* Setup cr0 */ -@@ -282,6 +312,7 @@ ENTRY(secondary_startup_64) +@@ -282,6 +313,7 @@ ENTRY(secondary_startup_64) * REX.W + FF /5 JMP m16:64 Jump far, absolute indirect, * address given in m16:64. */ @@ -24860,7 +24887,7 @@ index a468c0a..c7dec74 100644 movq initial_code(%rip),%rax pushq $0 # fake return address to stop unwinder pushq $__KERNEL_CS # set correct cs -@@ -313,7 +344,7 @@ ENDPROC(start_cpu0) +@@ -313,7 +345,7 @@ ENDPROC(start_cpu0) .quad INIT_PER_CPU_VAR(irq_stack_union) GLOBAL(stack_start) @@ -24869,7 +24896,7 @@ index a468c0a..c7dec74 100644 .word 0 __FINITDATA -@@ -391,7 +422,7 @@ ENTRY(early_idt_handler) +@@ -391,7 +423,7 @@ ENTRY(early_idt_handler) call dump_stack #ifdef CONFIG_KALLSYMS leaq early_idt_ripmsg(%rip),%rdi @@ -24878,7 +24905,7 @@ index a468c0a..c7dec74 100644 call __print_symbol #endif #endif /* EARLY_PRINTK */ -@@ -420,6 +451,7 @@ ENDPROC(early_idt_handler) +@@ -420,6 +452,7 @@ ENDPROC(early_idt_handler) early_recursion_flag: .long 0 
@@ -24886,7 +24913,7 @@ index a468c0a..c7dec74 100644 #ifdef CONFIG_EARLY_PRINTK early_idt_msg: .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n" -@@ -447,29 +479,52 @@ NEXT_PAGE(early_level4_pgt) +@@ -447,29 +480,52 @@ NEXT_PAGE(early_level4_pgt) NEXT_PAGE(early_dynamic_pgts) .fill 512*EARLY_DYNAMIC_PAGE_TABLES,8,0 @@ -24948,7 +24975,7 @@ index a468c0a..c7dec74 100644 NEXT_PAGE(level3_kernel_pgt) .fill L3_START_KERNEL,8,0 -@@ -477,6 +532,9 @@ NEXT_PAGE(level3_kernel_pgt) +@@ -477,6 +533,9 @@ NEXT_PAGE(level3_kernel_pgt) .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE @@ -24958,7 +24985,7 @@ index a468c0a..c7dec74 100644 NEXT_PAGE(level2_kernel_pgt) /* * 512 MB kernel mapping. We spend a full page on this pagetable -@@ -494,28 +552,64 @@ NEXT_PAGE(level2_kernel_pgt) +@@ -494,28 +553,64 @@ NEXT_PAGE(level2_kernel_pgt) NEXT_PAGE(level2_fixmap_pgt) .fill 506,8,0 .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE @@ -27181,7 +27208,7 @@ index 7c3a5a6..f0a8961 100644 .smp_prepare_cpus = native_smp_prepare_cpus, .smp_cpus_done = native_smp_cpus_done, diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c -index 395be6d..11665af 100644 +index 68287653..3597685 100644 --- a/arch/x86/kernel/smpboot.c +++ b/arch/x86/kernel/smpboot.c @@ -229,14 +229,17 @@ static void notrace start_secondary(void *unused) @@ -34859,7 +34886,7 @@ index 9ee3491..872192f 100644 local_irq_restore(efi_rt_eflags); diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c -index 666b74a..673d88f 100644 +index 666b74a..7c90b04 100644 --- a/arch/x86/platform/efi/efi_64.c +++ b/arch/x86/platform/efi/efi_64.c @@ -97,6 +97,11 @@ void __init efi_call_phys_prelog(void) 
@@ -34886,6 +34913,31 @@ index 666b74a..673d88f 100644 __flush_tlb_all(); local_irq_restore(efi_flags); early_code_mapping_set_exec(0); +@@ -141,8 +151,23 @@ int efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) + { + pgd_t *pgd; + +- if (efi_enabled(EFI_OLD_MEMMAP)) ++ if (efi_enabled(EFI_OLD_MEMMAP)) { ++ /* PaX: We need to disable the NX bit in the PGD, otherwise we won't be ++ * able to execute the EFI services. ++ */ ++ if (__supported_pte_mask & _PAGE_NX) { ++ unsigned long addr = (unsigned long) __va(0); ++ pgd_t pe = __pgd(pgd_val(*pgd_offset_k(addr)) & ~_PAGE_NX); ++ ++ pr_alert("PAX: Disabling NX protection for low memory map. Try booting without \"efi=old_map\"\n"); ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ set_pgd(pgd_offset_cpu(0, kernel, addr), pe); ++#endif ++ set_pgd(pgd_offset_k(addr), pe); ++ } ++ + return 0; ++ } + + efi_scratch.efi_pgt = (pgd_t *)(unsigned long)real_mode_header->trampoline_pgd; + pgd = __va(efi_scratch.efi_pgt); diff --git a/arch/x86/platform/efi/efi_stub_32.S b/arch/x86/platform/efi/efi_stub_32.S index fbe66e6..eae5e38 100644 --- a/arch/x86/platform/efi/efi_stub_32.S @@ -35828,7 +35880,7 @@ index 201d09a..e4723e5 100644 #ifdef CONFIG_ACPI_NUMA diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c -index 2423ef0..4f6fb5b 100644 +index c83da6f..a5f0379 100644 --- a/arch/x86/xen/mmu.c +++ b/arch/x86/xen/mmu.c @@ -379,7 +379,7 @@ static pteval_t pte_mfn_to_pfn(pteval_t val) 
@@ -35840,17 +35892,17 @@ index 2423ef0..4f6fb5b 100644 { if (val & _PAGE_PRESENT) { unsigned long pfn = (val & PTE_PFN_MASK) >> PAGE_SHIFT; -@@ -1904,6 +1904,9 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn) +@@ -1903,6 +1903,9 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn) /* L3_k[510] -> level2_kernel_pgt - * L3_i[511] -> level2_fixmap_pgt */ + * L3_k[511] -> level2_fixmap_pgt */ convert_pfn_mfn(level3_kernel_pgt); + convert_pfn_mfn(level3_vmalloc_start_pgt); + convert_pfn_mfn(level3_vmalloc_end_pgt); + convert_pfn_mfn(level3_vmemmap_pgt); - } - /* We get [511][511] and have Xen's version of level2_kernel_pgt */ - l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd); -@@ -1933,8 +1936,12 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn) + + /* L3_k[511][506] -> level1_fixmap_pgt */ + convert_pfn_mfn(level2_fixmap_pgt); +@@ -1929,8 +1932,12 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn) set_page_prot(init_level4_pgt, PAGE_KERNEL_RO); set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO); set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO); @@ -35862,8 +35914,8 @@ index 2423ef0..4f6fb5b 100644 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO); set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO); set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO); - -@@ -2123,6 +2130,7 @@ static void __init xen_post_allocator_init(void) + set_page_prot(level1_fixmap_pgt, PAGE_KERNEL_RO); +@@ -2120,6 +2127,7 @@ static void __init xen_post_allocator_init(void) pv_mmu_ops.set_pud = xen_set_pud; #if PAGETABLE_LEVELS == 4 pv_mmu_ops.set_pgd = xen_set_pgd; 
@@ -35871,7 +35923,7 @@ index 2423ef0..4f6fb5b 100644 #endif /* This will work as long as patching hasn't happened yet -@@ -2201,6 +2209,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = { +@@ -2198,6 +2206,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = { .pud_val = PV_CALLEE_SAVE(xen_pud_val), .make_pud = PV_CALLEE_SAVE(xen_make_pud), .set_pgd = xen_set_pgd_hyper, @@ -36091,6 +36143,18 @@ index d8f80e7..5f41702 100644 done: spin_lock_init(&blkcg->lock); INIT_RADIX_TREE(&blkcg->blkg_tree, GFP_ATOMIC); +diff --git a/block/blk-exec.c b/block/blk-exec.c +index dbf4502..3394b6e 100644 +--- a/block/blk-exec.c ++++ b/block/blk-exec.c +@@ -56,6 +56,7 @@ void blk_execute_rq_nowait(struct request_queue *q, struct gendisk *bd_disk, + bool is_pm_resume; + + WARN_ON(irqs_disabled()); ++ WARN_ON(rq->cmd_type == REQ_TYPE_FS); + + rq->rq_disk = bd_disk; + rq->end_io = done; diff --git a/block/blk-iopoll.c b/block/blk-iopoll.c index 1855bf5..af12b06 100644 --- a/block/blk-iopoll.c @@ -36117,6 +36181,28 @@ index ae4ae10..c470b8d 100644 if (do_copy) bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading); else +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 883f720..37322f0 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -710,14 +710,9 @@ void blk_mq_insert_request(struct request *rq, bool at_head, bool run_queue, + + hctx = q->mq_ops->map_queue(q, ctx->cpu); + +- if (rq->cmd_flags & (REQ_FLUSH | REQ_FUA) && +- !(rq->cmd_flags & (REQ_FLUSH_SEQ))) { +- blk_insert_flush(rq); +- } else { +- spin_lock(&ctx->lock); +- __blk_mq_insert_request(hctx, rq, at_head); +- spin_unlock(&ctx->lock); +- } ++ spin_lock(&ctx->lock); ++ __blk_mq_insert_request(hctx, rq, at_head); ++ spin_unlock(&ctx->lock); + + blk_mq_put_ctx(current_ctx); + diff --git a/block/blk-softirq.c b/block/blk-softirq.c index 57790c1..5e988dd 100644 --- a/block/blk-softirq.c @@ -36184,10 +36270,10 @@ index a0926a6..b2b14b2 100644 err = -EFAULT; goto out; 
diff --git a/block/genhd.c b/block/genhd.c -index 791f419..89f21c4 100644 +index e6723bd..703e4ac 100644 --- a/block/genhd.c +++ b/block/genhd.c -@@ -467,21 +467,24 @@ static char *bdevt_str(dev_t devt, char *buf) +@@ -469,21 +469,24 @@ static char *bdevt_str(dev_t devt, char *buf) /* * Register device numbers dev..(dev+range-1) @@ -36451,7 +36537,7 @@ index c68e724..e863008 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c -index 3dca36d..abaf070 100644 +index 17f9ec5..d9a455e 100644 --- a/drivers/acpi/processor_idle.c +++ b/drivers/acpi/processor_idle.c @@ -952,7 +952,7 @@ static int acpi_processor_setup_cpuidle_states(struct acpi_processor *pr) @@ -36495,7 +36581,7 @@ index 36605ab..6ef6d4b 100644 unsigned long timeout_msec) { diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c -index f761603..3042d5c 100644 +index 538574f..4344396 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -98,7 +98,7 @@ static unsigned int ata_dev_set_xfermode(struct ata_device *dev); @@ -38068,8 +38154,21 @@ index be73e9d..7fbf140 100644 cmdlist_t *reqQ; cmdlist_t *cmpQ; +diff --git a/drivers/block/drbd/drbd_bitmap.c b/drivers/block/drbd/drbd_bitmap.c +index 597f111..c700970 100644 +--- a/drivers/block/drbd/drbd_bitmap.c ++++ b/drivers/block/drbd/drbd_bitmap.c +@@ -1042,7 +1042,7 @@ static void bm_page_io_async(struct bm_aio_ctx *ctx, int page_nr, int rw) __must + submit_bio(rw, bio); + /* this should not count as user activity and cause the + * resync to throttle -- see drbd_rs_should_slow_down(). */ +- atomic_add(len >> 9, &mdev->rs_sect_ev); ++ atomic_add_unchecked(len >> 9, &mdev->rs_sect_ev); + } + } + diff --git a/drivers/block/drbd/drbd_int.h b/drivers/block/drbd/drbd_int.h -index 0e06f0c..c47b81d 100644 +index 0e06f0c..d98cde3 100644 --- a/drivers/block/drbd/drbd_int.h +++ b/drivers/block/drbd/drbd_int.h 
@@ -582,7 +582,7 @@ struct drbd_epoch { @@ -38090,6 +38189,17 @@ index 0e06f0c..c47b81d 100644 unsigned int peer_seq; spinlock_t peer_seq_lock; unsigned int minor; +@@ -1032,8 +1032,8 @@ struct drbd_conf { + struct mutex own_state_mutex; + struct mutex *state_mutex; /* either own_state_mutex or mdev->tconn->cstate_mutex */ + char congestion_reason; /* Why we where congested... */ +- atomic_t rs_sect_in; /* for incoming resync data rate, SyncTarget */ +- atomic_t rs_sect_ev; /* for submitted resync data rate, both */ ++ atomic_unchecked_t rs_sect_in; /* for incoming resync data rate, SyncTarget */ ++ atomic_unchecked_t rs_sect_ev; /* for submitted resync data rate, both */ + int rs_last_sect_ev; /* counter to compare with */ + int rs_last_events; /* counter of read or write "events" (unit sectors) + * on the lower level device when we last looked. */ @@ -1573,7 +1573,7 @@ static inline int drbd_setsockopt(struct socket *sock, int level, int optname, char __user *uoptval; int err; @@ -38117,7 +38227,7 @@ index 89c497c..9c736ae 100644 /** diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c -index 929468e..7d934eb 100644 +index 929468e..efb12f0 100644 --- a/drivers/block/drbd/drbd_main.c +++ b/drivers/block/drbd/drbd_main.c @@ -1317,7 +1317,7 @@ static int _drbd_send_ack(struct drbd_conf *mdev, enum drbd_packet cmd, @@ -38138,6 +38248,17 @@ index 929468e..7d934eb 100644 dp_flags = bio_flags_to_wire(mdev, req->master_bio->bi_rw); if (mdev->state.conn >= C_SYNC_SOURCE && mdev->state.conn <= C_PAUSED_SYNC_T) +@@ -1886,8 +1886,8 @@ void drbd_init_set_defaults(struct drbd_conf *mdev) + atomic_set(&mdev->unacked_cnt, 0); + atomic_set(&mdev->local_cnt, 0); + atomic_set(&mdev->pp_in_use_by_net, 0); +- atomic_set(&mdev->rs_sect_in, 0); +- atomic_set(&mdev->rs_sect_ev, 0); ++ atomic_set_unchecked(&mdev->rs_sect_in, 0); ++ atomic_set_unchecked(&mdev->rs_sect_ev, 0); + atomic_set(&mdev->ap_in_flight, 0); + atomic_set(&mdev->md_io_in_use, 0); + 
@@ -2577,8 +2577,8 @@ void conn_destroy(struct kref *kref) { struct drbd_tconn *tconn = container_of(kref, struct drbd_tconn, kref); @@ -38172,7 +38293,7 @@ index c706d50..5e1b472 100644 if (!msg) goto failed; diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c -index d073305..4998fea 100644 +index d073305..958be8f 100644 --- a/drivers/block/drbd/drbd_receiver.c +++ b/drivers/block/drbd/drbd_receiver.c @@ -834,7 +834,7 @@ int drbd_connected(struct drbd_conf *mdev) @@ -38225,6 +38346,24 @@ index d073305..4998fea 100644 list_add(&epoch->list, &tconn->current_epoch->list); tconn->current_epoch = epoch; tconn->epochs++; +@@ -1688,7 +1688,7 @@ static int recv_resync_read(struct drbd_conf *mdev, sector_t sector, int data_si + list_add(&peer_req->w.list, &mdev->sync_ee); + spin_unlock_irq(&mdev->tconn->req_lock); + +- atomic_add(data_size >> 9, &mdev->rs_sect_ev); ++ atomic_add_unchecked(data_size >> 9, &mdev->rs_sect_ev); + if (drbd_submit_peer_request(mdev, peer_req, WRITE, DRBD_FAULT_RS_WR) == 0) + return 0; + +@@ -1782,7 +1782,7 @@ static int receive_RSDataReply(struct drbd_tconn *tconn, struct packet_info *pi) + drbd_send_ack_dp(mdev, P_NEG_ACK, p, pi->size); + } + +- atomic_add(pi->size >> 9, &mdev->rs_sect_in); ++ atomic_add_unchecked(pi->size >> 9, &mdev->rs_sect_in); + + return err; + } @@ -2164,7 +2164,7 @@ static int receive_Data(struct drbd_tconn *tconn, struct packet_info *pi) err = wait_for_and_update_peer_seq(mdev, peer_seq); 
@@ -38243,6 +38382,33 @@ index d073305..4998fea 100644 atomic_inc(&peer_req->epoch->active); spin_unlock(&tconn->epoch_lock); +@@ -2326,7 +2326,7 @@ int drbd_rs_should_slow_down(struct drbd_conf *mdev, sector_t sector) + + curr_events = (int)part_stat_read(&disk->part0, sectors[0]) + + (int)part_stat_read(&disk->part0, sectors[1]) - +- atomic_read(&mdev->rs_sect_ev); ++ atomic_read_unchecked(&mdev->rs_sect_ev); + + if (!mdev->rs_last_events || curr_events - mdev->rs_last_events > 64) { + unsigned long rs_left; +@@ -2459,7 +2459,7 @@ static int receive_DataRequest(struct drbd_tconn *tconn, struct packet_info *pi) + mdev->bm_resync_fo = BM_SECT_TO_BIT(sector); + } else if (pi->cmd == P_OV_REPLY) { + /* track progress, we may need to throttle */ +- atomic_add(size >> 9, &mdev->rs_sect_in); ++ atomic_add_unchecked(size >> 9, &mdev->rs_sect_in); + peer_req->w.cb = w_e_end_ov_reply; + dec_rs_pending(mdev); + /* drbd_rs_begin_io done when we sent this request, +@@ -2520,7 +2520,7 @@ static int receive_DataRequest(struct drbd_tconn *tconn, struct packet_info *pi) + goto out_free_e; + + submit_for_resync: +- atomic_add(size >> 9, &mdev->rs_sect_ev); ++ atomic_add_unchecked(size >> 9, &mdev->rs_sect_ev); + + submit: + inc_unacked(mdev); @@ -4345,7 +4345,7 @@ struct data_cmd { int expect_payload; size_t pkt_size; @@ -38261,6 +38427,15 @@ index d073305..4998fea 100644 tconn->send.seen_any_write_yet = false; conn_info(tconn, "Connection closed\n"); +@@ -4947,7 +4947,7 @@ static int got_IsInSync(struct drbd_tconn *tconn, struct packet_info *pi) + put_ldev(mdev); + } + dec_rs_pending(mdev); +- atomic_add(blksize >> 9, &mdev->rs_sect_in); ++ atomic_add_unchecked(blksize >> 9, &mdev->rs_sect_in); + + return 0; + } @@ -5221,7 +5221,7 @@ static int tconn_finish_peer_reqs(struct drbd_tconn *tconn) struct asender_cmd { size_t pkt_size; 
@@ -38270,6 +38445,39 @@ index d073305..4998fea 100644 static struct asender_cmd asender_tbl[] = { [P_PING] = { 0, got_Ping }, +diff --git a/drivers/block/drbd/drbd_worker.c b/drivers/block/drbd/drbd_worker.c +index 84d3175..ccea188 100644 +--- a/drivers/block/drbd/drbd_worker.c ++++ b/drivers/block/drbd/drbd_worker.c +@@ -400,7 +400,7 @@ static int read_for_csum(struct drbd_conf *mdev, sector_t sector, int size) + list_add(&peer_req->w.list, &mdev->read_ee); + spin_unlock_irq(&mdev->tconn->req_lock); + +- atomic_add(size >> 9, &mdev->rs_sect_ev); ++ atomic_add_unchecked(size >> 9, &mdev->rs_sect_ev); + if (drbd_submit_peer_request(mdev, peer_req, READ, DRBD_FAULT_RS_RD) == 0) + return 0; + +@@ -498,7 +498,7 @@ static int drbd_rs_controller(struct drbd_conf *mdev) + int max_sect; + struct fifo_buffer *plan; + +- sect_in = atomic_xchg(&mdev->rs_sect_in, 0); /* Number of sectors that came in */ ++ sect_in = atomic_xchg_unchecked(&mdev->rs_sect_in, 0); /* Number of sectors that came in */ + mdev->rs_in_flight -= sect_in; + + dc = rcu_dereference(mdev->ldev->disk_conf); +@@ -1561,8 +1561,8 @@ void drbd_rs_controller_reset(struct drbd_conf *mdev) + { + struct fifo_buffer *plan; + +- atomic_set(&mdev->rs_sect_in, 0); +- atomic_set(&mdev->rs_sect_ev, 0); ++ atomic_set_unchecked(&mdev->rs_sect_in, 0); ++ atomic_set_unchecked(&mdev->rs_sect_ev, 0); + mdev->rs_in_flight = 0; + + /* Updating the RCU protected object in place is necessary since diff --git a/drivers/block/loop.c b/drivers/block/loop.c index 66e8c3b..9b68dd9 100644 --- a/drivers/block/loop.c @@ -39193,10 +39401,10 @@ index 18448a7..d5fad43 100644 /* Force all MSRs to the same value */ diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c -index 153f4b9..d47054a 100644 +index 4159236..b850472 100644 --- a/drivers/cpufreq/cpufreq.c 
+++ b/drivers/cpufreq/cpufreq.c -@@ -1972,7 +1972,7 @@ void cpufreq_unregister_governor(struct cpufreq_governor *governor) +@@ -1974,7 +1974,7 @@ void cpufreq_unregister_governor(struct cpufreq_governor *governor) #endif mutex_lock(&cpufreq_governor_mutex); @@ -39205,7 +39413,7 @@ index 153f4b9..d47054a 100644 mutex_unlock(&cpufreq_governor_mutex); return; } -@@ -2202,7 +2202,7 @@ static int cpufreq_cpu_callback(struct notifier_block *nfb, +@@ -2204,7 +2204,7 @@ static int cpufreq_cpu_callback(struct notifier_block *nfb, return NOTIFY_OK; } @@ -39214,7 +39422,7 @@ index 153f4b9..d47054a 100644 .notifier_call = cpufreq_cpu_callback, }; -@@ -2242,13 +2242,17 @@ int cpufreq_boost_trigger_state(int state) +@@ -2244,13 +2244,17 @@ int cpufreq_boost_trigger_state(int state) return 0; write_lock_irqsave(&cpufreq_driver_lock, flags); @@ -39234,7 +39442,7 @@ index 153f4b9..d47054a 100644 write_unlock_irqrestore(&cpufreq_driver_lock, flags); pr_err("%s: Cannot %s BOOST\n", __func__, -@@ -2302,8 +2306,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data) +@@ -2304,8 +2308,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data) pr_debug("trying to register driver %s\n", driver_data->name); @@ -39248,7 +39456,7 @@ index 153f4b9..d47054a 100644 write_lock_irqsave(&cpufreq_driver_lock, flags); if (cpufreq_driver) { -@@ -2318,8 +2325,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data) +@@ -2320,8 +2327,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data) * Check if driver provides function to enable boost - * if not, use cpufreq_boost_set_sw as default */ @@ -40791,10 +40999,10 @@ index 4c3feaa..26391ce 100644 #define BIT_TABLE(id, funcid) ((struct bit_table){ id, parse_bit_##funcid##_tbl_entry }) diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.h b/drivers/gpu/drm/nouveau/nouveau_drm.h -index 23ca7a5..b6c955d 100644 +index 74ed08a..e81b8c5 100644 --- a/drivers/gpu/drm/nouveau/nouveau_drm.h 
+++ b/drivers/gpu/drm/nouveau/nouveau_drm.h -@@ -97,7 +97,6 @@ struct nouveau_drm { +@@ -99,7 +99,6 @@ struct nouveau_drm { struct drm_global_reference mem_global_ref; struct ttm_bo_global_ref bo_global_ref; struct ttm_bo_device bdev; @@ -40871,7 +41079,7 @@ index d45d50d..72a5dd2 100644 int diff --git a/drivers/gpu/drm/nouveau/nouveau_vga.c b/drivers/gpu/drm/nouveau/nouveau_vga.c -index 471347e..5adc6b9d 100644 +index a92fb01..35e0602 100644 --- a/drivers/gpu/drm/nouveau/nouveau_vga.c +++ b/drivers/gpu/drm/nouveau/nouveau_vga.c @@ -67,7 +67,7 @@ nouveau_switcheroo_can_switch(struct pci_dev *pdev) @@ -41233,7 +41441,7 @@ index 4a85bb6..aaea819 100644 if (regcomp (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) { diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c -index 0bf6f4a..18e2437 100644 +index e39026c..b32e98e 100644 --- a/drivers/gpu/drm/radeon/radeon_device.c +++ b/drivers/gpu/drm/radeon/radeon_device.c @@ -1128,7 +1128,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev) @@ -41453,22 +41661,6 @@ index dbc2def..0a9f710 100644 if (unlikely(ret != 0)) { kobject_put(&zone->kobj); return ret; -diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c -index 863bef9..cba15cf 100644 ---- a/drivers/gpu/drm/ttm/ttm_page_alloc.c -+++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c -@@ -391,9 +391,9 @@ out: - static unsigned long - ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) - { -- static atomic_t start_pool = ATOMIC_INIT(0); -+ static atomic_unchecked_t start_pool = ATOMIC_INIT(0); - unsigned i; -- unsigned pool_offset = atomic_add_return(1, &start_pool); -+ unsigned pool_offset = atomic_add_return_unchecked(1, &start_pool); - struct ttm_page_pool *pool; - int shrink_pages = sc->nr_to_scan; - unsigned long freed = 0; diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c index dbadd49..1b7457b 100644 
--- a/drivers/gpu/drm/udl/udl_fb.c @@ -41591,7 +41783,7 @@ index 0783155..b29e18e 100644 wait_queue_head_t fifo_queue; int fence_queue_waiters; /* Protected by hw_mutex */ diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c -index 6ccd993..618d592 100644 +index 6eae14d..aa311b3 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c @@ -154,7 +154,7 @@ int vmw_fifo_init(struct vmw_private *dev_priv, struct vmw_fifo_state *fifo) @@ -41603,7 +41795,7 @@ index 6ccd993..618d592 100644 iowrite32(dev_priv->last_read_seqno, fifo_mem + SVGA_FIFO_FENCE); vmw_marker_queue_init(&fifo->marker_queue); return vmw_fifo_send_fence(dev_priv, &dummy); -@@ -372,7 +372,7 @@ void *vmw_fifo_reserve(struct vmw_private *dev_priv, uint32_t bytes) +@@ -373,7 +373,7 @@ void *vmw_fifo_reserve(struct vmw_private *dev_priv, uint32_t bytes) if (reserveable) iowrite32(bytes, fifo_mem + SVGA_FIFO_RESERVED); @@ -41612,7 +41804,7 @@ index 6ccd993..618d592 100644 } else { need_bounce = true; } -@@ -492,7 +492,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno) +@@ -493,7 +493,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno) fm = vmw_fifo_reserve(dev_priv, bytes); if (unlikely(fm == NULL)) { @@ -41621,7 +41813,7 @@ index 6ccd993..618d592 100644 ret = -ENOMEM; (void)vmw_fallback_wait(dev_priv, false, true, *seqno, false, 3*HZ); -@@ -500,7 +500,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno) +@@ -501,7 +501,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno) } do { @@ -41707,7 +41899,7 @@ index 8a8725c2..afed796 100644 marker = list_first_entry(&queue->head, struct vmw_marker, head); diff --git a/drivers/gpu/vga/vga_switcheroo.c b/drivers/gpu/vga/vga_switcheroo.c -index 6866448..2ad2b34 100644 +index 37ac7b5..d52a5c9 100644 --- a/drivers/gpu/vga/vga_switcheroo.c +++ b/drivers/gpu/vga/vga_switcheroo.c 
@@ -644,7 +644,7 @@ static int vga_switcheroo_runtime_resume(struct device *dev) @@ -41719,7 +41911,7 @@ index 6866448..2ad2b34 100644 { /* copy over all the bus versions */ if (dev->bus && dev->bus->pm) { -@@ -689,7 +689,7 @@ static int vga_switcheroo_runtime_resume_hdmi_audio(struct device *dev) +@@ -695,7 +695,7 @@ static int vga_switcheroo_runtime_resume_hdmi_audio(struct device *dev) return ret; } 
@@ -41750,51 +41942,6 @@ index 7cd42ea..a367c48 100644 hid_debug_register(hdev, dev_name(&hdev->dev)); ret = device_add(&hdev->dev); -diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c -index 3b43d1c..991ba79 100644 ---- a/drivers/hid/hid-magicmouse.c -+++ b/drivers/hid/hid-magicmouse.c -@@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct hid_device *hdev, - if (size < 4 || ((size - 4) % 9) != 0) - return 0; - npoints = (size - 4) / 9; -+ if (npoints > 15) { -+ hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n", -+ size); -+ return 0; -+ } - msc->ntouches = 0; - for (ii = 0; ii < npoints; ii++) - magicmouse_emit_touch(msc, ii, data + ii * 9 + 4); -@@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct hid_device *hdev, - if (size < 6 || ((size - 6) % 8) != 0) - return 0; - npoints = (size - 6) / 8; -+ if (npoints > 15) { -+ hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n", -+ size); -+ return 0; -+ } - msc->ntouches = 0; - for (ii = 0; ii < npoints; ii++) - magicmouse_emit_touch(msc, ii, data + ii * 8 + 6); -diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c -index acbb0210..020df3c 100644 ---- a/drivers/hid/hid-picolcd_core.c -+++ b/drivers/hid/hid-picolcd_core.c -@@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_device *hdev, - if (!data) - return 1; - -+ if (size > 64) { -+ hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n", -+ size); -+ return 0; -+ } -+ - if (report->id == REPORT_KEY_STATE) { - if (data->input_keys) - ret = picolcd_raw_keypad(data, report, raw_data+1, size-1); diff --git a/drivers/hid/hid-wiimote-debug.c b/drivers/hid/hid-wiimote-debug.c index c13fb5b..55a3802 100644 --- a/drivers/hid/hid-wiimote-debug.c @@ -44504,10 +44651,10 @@ index 3e6d115..ffecdeb 100644 /*----------------------------------------------------------------*/ 
diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c -index 56e24c0..e1c8e1f 100644 +index 55de4f6..b1c57fe 100644 --- a/drivers/md/raid1.c +++ b/drivers/md/raid1.c -@@ -1931,7 +1931,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio) +@@ -1936,7 +1936,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio) if (r1_sync_page_io(rdev, sect, s, bio->bi_io_vec[idx].bv_page, READ) != 0) @@ -44516,8 +44663,8 @@ index 56e24c0..e1c8e1f 100644 } sectors -= s; sect += s; -@@ -2165,7 +2165,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk, - test_bit(In_sync, &rdev->flags)) { +@@ -2170,7 +2170,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk, + !test_bit(Faulty, &rdev->flags)) { if (r1_sync_page_io(rdev, sect, s, conf->tmppage, READ)) { - atomic_add(s, &rdev->corrected_errors); @@ -44526,10 +44673,10 @@ index 56e24c0..e1c8e1f 100644 "md/raid1:%s: read error corrected " "(%d sectors at %llu on %s)\n", diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index cb882aa..cb8aeca 100644 +index a46124e..caf0bd55 100644 --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c -@@ -1949,7 +1949,7 @@ static void end_sync_read(struct bio *bio, int error) +@@ -1948,7 +1948,7 @@ static void end_sync_read(struct bio *bio, int error) /* The write handler will notice the lack of * R10BIO_Uptodate and record any errors etc */ @@ -44538,7 +44685,7 @@ index cb882aa..cb8aeca 100644 &conf->mirrors[d].rdev->corrected_errors); /* for reconstruct, we always reschedule after a read. -@@ -2307,7 +2307,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) +@@ -2306,7 +2306,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) { struct timespec cur_time_mon; unsigned long hours_since_last; 
@@ -44547,7 +44694,7 @@ index cb882aa..cb8aeca 100644 ktime_get_ts(&cur_time_mon); -@@ -2329,9 +2329,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) +@@ -2328,9 +2328,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) * overflowing the shift of read_errors by hours_since_last. */ if (hours_since_last >= 8 * sizeof(read_errors)) @@ -44559,7 +44706,7 @@ index cb882aa..cb8aeca 100644 } static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector, -@@ -2385,8 +2385,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 +@@ -2384,8 +2384,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 return; check_decay_read_errors(mddev, rdev); @@ -44570,7 +44717,7 @@ index cb882aa..cb8aeca 100644 char b[BDEVNAME_SIZE]; bdevname(rdev->bdev, b); -@@ -2394,7 +2394,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 +@@ -2393,7 +2393,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 "md/raid10:%s: %s: Raid device exceeded " "read_error threshold [cur %d:max %d]\n", mdname(mddev), b, @@ -44579,7 +44726,7 @@ index cb882aa..cb8aeca 100644 printk(KERN_NOTICE "md/raid10:%s: %s: Failing raid device\n", mdname(mddev), b); -@@ -2549,7 +2549,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 +@@ -2548,7 +2548,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 sect + choose_data_offset(r10_bio, rdev)), bdevname(rdev->bdev, b)); 
@@ -44588,25 +44735,8 @@ index cb882aa..cb8aeca 100644 } rdev_dec_pending(rdev, mddev); -@@ -2954,6 +2954,7 @@ static sector_t sync_request(struct mddev *mddev, sector_t sector_nr, - */ - if (test_bit(MD_RECOVERY_RESHAPE, &mddev->recovery)) { - end_reshape(conf); -+ close_sync(conf); - return 0; - } - -@@ -4411,7 +4412,7 @@ read_more: - read_bio->bi_private = r10_bio; - read_bio->bi_end_io = end_sync_read; - read_bio->bi_rw = READ; -- read_bio->bi_flags &= ~(BIO_POOL_MASK - 1); -+ read_bio->bi_flags &= (~0UL << BIO_RESET_BITS); - read_bio->bi_flags |= 1 << BIO_UPTODATE; - read_bio->bi_vcnt = 0; - read_bio->bi_iter.bi_size = 0; diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c -index 16f5c21..c5d72c7 100644 +index 18cda77..c5d72c7 100644 --- a/drivers/md/raid5.c +++ b/drivers/md/raid5.c @@ -1707,6 +1707,10 @@ static int grow_one_stripe(struct r5conf *conf, int hash) @@ -44667,15 +44797,6 @@ index 16f5c21..c5d72c7 100644 > conf->max_nr_stripes) printk(KERN_WARNING "md/raid:%s: Too many read errors, failing device %s.\n", -@@ -3779,6 +3787,8 @@ static void handle_stripe(struct stripe_head *sh) - set_bit(R5_Wantwrite, &dev->flags); - if (prexor) - continue; -+ if (s.failed > 1) -+ continue; - if (!test_bit(R5_Insync, &dev->flags) || - ((i == sh->pd_idx || i == sh->qd_idx) && - s.failed == 0)) diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c index 983db75..ef9248c 100644 --- a/drivers/media/dvb-core/dvbdev.c @@ -49737,7 +49858,7 @@ index ff75ef8..2dfe00a 100644 /* * fcs_port_sm FCS logical port state machine diff --git a/drivers/scsi/bfa/bfa_ioc.h b/drivers/scsi/bfa/bfa_ioc.h -index 2e28392..9d865b6 100644 +index a38aafa0..fe8f03b 100644 --- a/drivers/scsi/bfa/bfa_ioc.h +++ b/drivers/scsi/bfa/bfa_ioc.h @@ -258,7 +258,7 @@ struct bfa_ioc_cbfn_s { @@ -50741,7 +50862,7 @@ index fd8ffe6..fd0bebf 100644 err = class_register(&iscsi_transport_class); if (err) 
diff --git a/drivers/scsi/scsi_transport_srp.c b/drivers/scsi/scsi_transport_srp.c -index d47ffc8..30f46a9 100644 +index e3e794e..f72f20c 100644 --- a/drivers/scsi/scsi_transport_srp.c +++ b/drivers/scsi/scsi_transport_srp.c @@ -36,7 +36,7 @@ @@ -50762,7 +50883,7 @@ index d47ffc8..30f46a9 100644 return 0; } -@@ -734,7 +734,7 @@ struct srp_rport *srp_rport_add(struct Scsi_Host *shost, +@@ -735,7 +735,7 @@ struct srp_rport *srp_rport_add(struct Scsi_Host *shost, rport_fast_io_fail_timedout); INIT_DELAYED_WORK(&rport->dev_loss_work, rport_dev_loss_timedout); @@ -50772,10 +50893,10 @@ index d47ffc8..30f46a9 100644 transport_setup_device(&rport->dev); diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c -index 36d1a23..3f33303 100644 +index e8abb73..faa6fbe 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c -@@ -2962,7 +2962,7 @@ static int sd_probe(struct device *dev) +@@ -2967,7 +2967,7 @@ static int sd_probe(struct device *dev) sdkp->disk = gd; sdkp->index = index; atomic_set(&sdkp->openers, 0); @@ -51067,6 +51188,19 @@ index 52b7731..d604da0 100644 op_data = ll_prep_md_op_data(NULL, dir, NULL, filename, strlen(filename), mode, LUSTRE_OPC_MKDIR, lump); +diff --git a/drivers/staging/lustre/lustre/llite/llite_lib.c b/drivers/staging/lustre/lustre/llite/llite_lib.c +index 6cfdb9e..1ddab59 100644 +--- a/drivers/staging/lustre/lustre/llite/llite_lib.c ++++ b/drivers/staging/lustre/lustre/llite/llite_lib.c +@@ -576,7 +576,7 @@ static int client_common_fill_super(struct super_block *sb, char *md, char *dt, + if (sb->s_root == NULL) { + CERROR("%s: can't make root dentry\n", + ll_get_fsname(sb, NULL, 0)); +- GOTO(out_root, err = -ENOMEM); ++ GOTO(out_lock_cn_cb, err = -ENOMEM); + } + + /* kernel >= 2.6.38 store dentry operations in sb->s_d_op. */ diff --git a/drivers/staging/media/solo6x10/solo6x10-core.c b/drivers/staging/media/solo6x10/solo6x10-core.c index 480b7c4..6846324 100644 --- a/drivers/staging/media/solo6x10/solo6x10-core.c 
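Review bot: The new jump target `out_lock_cn_cb` for the `sb->s_root == NULL` failure is not explained at the call site, and the cleanup code under both labels lies outside the hunk, so the reason for bypassing `out_root` cannot be checked from here. If the intent is that the root inode has already been released when creating the root dentry failed, so that the `out_root` path would release it a second time, a short comment would stop a later edit from restoring the old label: `/* root inode already dropped on failure; do not go through out_root */`. client_common_fill_super continues on both sides of the hunk.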
@@ -51281,7 +51415,7 @@ index d07fcb5..358e1e1 100644 return; } diff --git a/drivers/staging/vt6655/hostap.c b/drivers/staging/vt6655/hostap.c -index 6eecd53..29317c6 100644 +index 6eecd53..1025c8b 100644 --- a/drivers/staging/vt6655/hostap.c +++ b/drivers/staging/vt6655/hostap.c @@ -69,14 +69,13 @@ static int msglevel = MSG_LEVEL_INFO; @@ -51310,6 +51444,16 @@ index 6eecd53..29317c6 100644 pDevice->apdev->netdev_ops = &apdev_netdev_ops; pDevice->apdev->type = ARPHRD_IEEE80211; +@@ -385,6 +386,9 @@ static int hostap_set_generic_element(PSDevice pDevice, + { + PSMgmtObject pMgmt = pDevice->pMgmt; + ++ if (param->u.generic_elem.len > sizeof(pMgmt->abyWPAIE)) ++ return -EINVAL; ++ + memcpy(pMgmt->abyWPAIE, + param->u.generic_elem.data, + param->u.generic_elem.len diff --git a/drivers/staging/vt6656/hostap.c b/drivers/staging/vt6656/hostap.c index 67ba48b..24e602f 100644 --- a/drivers/staging/vt6656/hostap.c @@ -53041,7 +53185,7 @@ index 2518c32..1c201bb 100644 wake_up(&usb_kill_urb_queue); usb_put_urb(urb); diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 6650df7..3a94427 100644 +index 263612c..dbc0f3d 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -27,6 +27,7 @@ @@ -57055,10 +57199,10 @@ index ce25d75..dc09eeb 100644 &data); if (!inode) { diff --git a/fs/aio.c b/fs/aio.c -index 6d68e01..6bc8e9a 100644 +index f45ddaa..0160abc 100644 --- a/fs/aio.c +++ b/fs/aio.c -@@ -380,7 +380,7 @@ static int aio_setup_ring(struct kioctx *ctx) +@@ -381,7 +381,7 @@ static int aio_setup_ring(struct kioctx *ctx) size += sizeof(struct io_event) * nr_events; nr_pages = PFN_UP(size); 
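Review bot: The length check added to hostap_set_generic_element bounds only the destination: `param->u.generic_elem.len` is compared with `sizeof(pMgmt->abyWPAIE)`, but nothing in the hunk shows that `len` also fits within the bytes of `param` that were actually supplied with the request. If `param` is a variable-length buffer sized by a separate length field (not visible here), the `memcpy` can still read past its end, so either the caller or this function should also reject a `len` larger than the payload that accompanied the request. The contract is worth stating above the function, for example `/* len must not exceed sizeof(abyWPAIE) nor the payload received with the request */`. The function body continues outside the hunk.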
@@ -57067,19 +57211,6 @@ index 6d68e01..6bc8e9a 100644 return -EINVAL; file = aio_private_file(ctx, nr_pages); -@@ -1065,6 +1065,12 @@ static long aio_read_events_ring(struct kioctx *ctx, - tail = ring->tail; - kunmap_atomic(ring); - -+ /* -+ * Ensure that once we've read the current tail pointer, that -+ * we also see the events that were stored up to the tail. -+ */ -+ smp_rmb(); -+ - pr_debug("h%u t%u m%u\n", head, tail, ctx->nr_events); - - if (head == tail) diff --git a/fs/attr.c b/fs/attr.c index 6530ced..4a827e2 100644 --- a/fs/attr.c @@ -58384,10 +58515,10 @@ index ff286f3..8153a14 100644 .attrs = attrs, }; diff --git a/fs/buffer.c b/fs/buffer.c -index 27265a8..289f488 100644 +index 71e2d0e..8673b7b 100644 --- a/fs/buffer.c +++ b/fs/buffer.c -@@ -3428,7 +3428,7 @@ void __init buffer_init(void) +@@ -3430,7 +3430,7 @@ void __init buffer_init(void) bh_cachep = kmem_cache_create("buffer_head", sizeof(struct buffer_head), 0, (SLAB_RECLAIM_ACCOUNT|SLAB_PANIC| @@ -58686,10 +58817,10 @@ index 7c6b73c..a8f0db2 100644 atomic_set(&midCount, 0); diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h -index 30f6e92..e915ba5 100644 +index f15d435..0f61ef5 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h -@@ -806,35 +806,35 @@ struct cifs_tcon { +@@ -801,35 +801,35 @@ struct cifs_tcon { __u16 Flags; /* optional support bits */ enum statusEnum tidStatus; #ifdef CONFIG_CIFS_STATS @@ -58749,7 +58880,7 @@ index 30f6e92..e915ba5 100644 } smb2_stats; #endif /* CONFIG_CIFS_SMB2 */ } stats; -@@ -1170,7 +1170,7 @@ convert_delimiter(char *path, char delim) +@@ -1165,7 +1165,7 @@ convert_delimiter(char *path, char delim) } #ifdef CONFIG_CIFS_STATS 
@@ -58758,7 +58889,7 @@ index 30f6e92..e915ba5 100644 static inline void cifs_stats_bytes_written(struct cifs_tcon *tcon, unsigned int bytes) -@@ -1536,8 +1536,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnectCount; +@@ -1531,8 +1531,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnectCount; /* Various Debug counters */ GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */ #ifdef CONFIG_CIFS_STATS2 @@ -58770,7 +58901,7 @@ index 30f6e92..e915ba5 100644 GLOBAL_EXTERN atomic_t smBufAllocCount; GLOBAL_EXTERN atomic_t midCount; diff --git a/fs/cifs/file.c b/fs/cifs/file.c -index 87c4dd0..a90f115 100644 +index 8175b18..9525542 100644 --- a/fs/cifs/file.c +++ b/fs/cifs/file.c @@ -1900,10 +1900,14 @@ static int cifs_writepages(struct address_space *mapping, @@ -58814,9 +58945,18 @@ index 3b0c62e..f7d090c 100644 } diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c -index d1fdfa8..94558f8 100644 +index d1fdfa8..186defc 100644 --- a/fs/cifs/smb1ops.c +++ b/fs/cifs/smb1ops.c +@@ -586,7 +586,7 @@ cifs_query_path_info(const unsigned int xid, struct cifs_tcon *tcon, + tmprc = CIFS_open(xid, &oparms, &oplock, NULL); + if (tmprc == -EOPNOTSUPP) + *symlink = true; +- else ++ else if (tmprc == 0) + CIFSSMBClose(xid, tcon, fid.netfid); + } + @@ -626,27 +626,27 @@ static void cifs_clear_stats(struct cifs_tcon *tcon) { 
@@ -58922,8 +59062,21 @@ index d1fdfa8..94558f8 100644 #endif } +diff --git a/fs/cifs/smb2maperror.c b/fs/cifs/smb2maperror.c +index e31a9df..1007867 100644 +--- a/fs/cifs/smb2maperror.c ++++ b/fs/cifs/smb2maperror.c +@@ -256,6 +256,8 @@ static const struct status_to_posix_error smb2_error_map_table[] = { + {STATUS_DLL_MIGHT_BE_INCOMPATIBLE, -EIO, + "STATUS_DLL_MIGHT_BE_INCOMPATIBLE"}, + {STATUS_STOPPED_ON_SYMLINK, -EOPNOTSUPP, "STATUS_STOPPED_ON_SYMLINK"}, ++ {STATUS_IO_REPARSE_TAG_NOT_HANDLED, -EOPNOTSUPP, ++ "STATUS_REPARSE_NOT_HANDLED"}, + {STATUS_DEVICE_REQUIRES_CLEANING, -EIO, + "STATUS_DEVICE_REQUIRES_CLEANING"}, + {STATUS_DEVICE_DOOR_OPEN, -EIO, "STATUS_DEVICE_DOOR_OPEN"}, diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c -index 35ddc3e..563e809 100644 +index f8977b2..bb38079 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -364,8 +364,8 @@ smb2_clear_stats(struct cifs_tcon *tcon) @@ -59044,10 +59197,10 @@ index 35ddc3e..563e809 100644 } diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c -index 049a3f2..0f41305 100644 +index 9aab8fe..2bd5f3b 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c -@@ -2099,8 +2099,7 @@ SMB2_query_directory(const unsigned int xid, struct cifs_tcon *tcon, +@@ -2100,8 +2100,7 @@ SMB2_query_directory(const unsigned int xid, struct cifs_tcon *tcon, default: cifs_dbg(VFS, "info level %u isn't supported\n", srch_inf->info_level); @@ -59414,20 +59567,10 @@ index a93f7e6..d58bcbe 100644 return 0; while (nr) { diff --git a/fs/dcache.c b/fs/dcache.c -index 7f3b400..f91b141 100644 +index 58d57da..f91b141 100644 --- a/fs/dcache.c 
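Review bot: The name string in the new `smb2_error_map_table` entry does not match its status constant: `STATUS_IO_REPARSE_TAG_NOT_HANDLED` is paired with `"STATUS_REPARSE_NOT_HANDLED"`, while the neighbouring entries repeat the constant's name verbatim. If this string is what ends up in debug output (the code that prints it is outside the hunk), anyone searching logs for the constant will miss the entry. I would write the second line as `"STATUS_IO_REPARSE_TAG_NOT_HANDLED"},`. The table starts and ends outside the hunk.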
+++ b/fs/dcache.c -@@ -106,8 +106,7 @@ static inline struct hlist_bl_head *d_hash(const struct dentry *parent, - unsigned int hash) - { - hash += (unsigned long) parent / L1_CACHE_BYTES; -- hash = hash + (hash >> d_hash_shift); -- return dentry_hashtable + (hash & d_hash_mask); -+ return dentry_hashtable + hash_32(hash, d_hash_shift); - } - - /* Statistics gathering. */ -@@ -251,7 +250,7 @@ static void __d_free(struct rcu_head *head) +@@ -250,7 +250,7 @@ static void __d_free(struct rcu_head *head) */ static void d_free(struct dentry *dentry) { @@ -59436,7 +59579,7 @@ index 7f3b400..f91b141 100644 this_cpu_dec(nr_dentry); if (dentry->d_op && dentry->d_op->d_release) dentry->d_op->d_release(dentry); -@@ -597,7 +596,7 @@ repeat: +@@ -596,7 +596,7 @@ repeat: dentry->d_flags |= DCACHE_REFERENCED; dentry_lru_add(dentry); @@ -59445,7 +59588,7 @@ index 7f3b400..f91b141 100644 spin_unlock(&dentry->d_lock); return; -@@ -652,7 +651,7 @@ int d_invalidate(struct dentry * dentry) +@@ -651,7 +651,7 @@ int d_invalidate(struct dentry * dentry) * We also need to leave mountpoints alone, * directory or not. */ @@ -59454,7 +59597,7 @@ index 7f3b400..f91b141 100644 if (S_ISDIR(dentry->d_inode->i_mode) || d_mountpoint(dentry)) { spin_unlock(&dentry->d_lock); return -EBUSY; -@@ -668,7 +667,7 @@ EXPORT_SYMBOL(d_invalidate); +@@ -667,7 +667,7 @@ EXPORT_SYMBOL(d_invalidate); /* This must be called with d_lock held */ static inline void __dget_dlock(struct dentry *dentry) { @@ -59463,7 +59606,7 @@ index 7f3b400..f91b141 100644 } static inline void __dget(struct dentry *dentry) -@@ -709,8 +708,8 @@ repeat: +@@ -708,8 +708,8 @@ repeat: goto repeat; } rcu_read_unlock(); @@ -59474,7 +59617,7 @@ index 7f3b400..f91b141 100644 spin_unlock(&ret->d_lock); return ret; } -@@ -793,7 +792,7 @@ restart: +@@ -792,7 +792,7 @@ restart: spin_lock(&inode->i_lock); hlist_for_each_entry(dentry, &inode->i_dentry, d_alias) { spin_lock(&dentry->d_lock); 
@@ -59483,7 +59626,7 @@ index 7f3b400..f91b141 100644 /* * inform the fs via d_prune that this dentry * is about to be unhashed and destroyed. -@@ -885,7 +884,7 @@ static void shrink_dentry_list(struct list_head *list) +@@ -884,7 +884,7 @@ static void shrink_dentry_list(struct list_head *list) * We found an inuse dentry which was not removed from * the LRU because of laziness during lookup. Do not free it. */ @@ -59492,7 +59635,7 @@ index 7f3b400..f91b141 100644 spin_unlock(&dentry->d_lock); continue; } -@@ -931,7 +930,7 @@ dentry_lru_isolate(struct list_head *item, spinlock_t *lru_lock, void *arg) +@@ -930,7 +930,7 @@ dentry_lru_isolate(struct list_head *item, spinlock_t *lru_lock, void *arg) * counts, just remove them from the LRU. Otherwise give them * another pass through the LRU. */ @@ -59501,7 +59644,7 @@ index 7f3b400..f91b141 100644 d_lru_isolate(dentry); spin_unlock(&dentry->d_lock); return LRU_REMOVED; -@@ -1269,7 +1268,7 @@ static enum d_walk_ret select_collect(void *_data, struct dentry *dentry) +@@ -1268,7 +1268,7 @@ static enum d_walk_ret select_collect(void *_data, struct dentry *dentry) * loop in shrink_dcache_parent() might not make any progress * and loop forever. */ @@ -59510,7 +59653,7 @@ index 7f3b400..f91b141 100644 dentry_lru_del(dentry); } else if (!(dentry->d_flags & DCACHE_SHRINK_LIST)) { /* -@@ -1323,11 +1322,11 @@ static enum d_walk_ret umount_collect(void *_data, struct dentry *dentry) +@@ -1322,11 +1322,11 @@ static enum d_walk_ret umount_collect(void *_data, struct dentry *dentry) struct select_data *data = _data; enum d_walk_ret ret = D_WALK_CONTINUE; @@ -59524,7 +59667,7 @@ index 7f3b400..f91b141 100644 goto out; printk(KERN_ERR "BUG: Dentry %p{i=%lx,n=%s}" -@@ -1337,7 +1336,7 @@ static enum d_walk_ret umount_collect(void *_data, struct dentry *dentry) +@@ -1336,7 +1336,7 @@ static enum d_walk_ret umount_collect(void *_data, struct dentry *dentry) dentry->d_inode ? dentry->d_inode->i_ino : 0UL, dentry->d_name.name, 
@@ -59533,7 +59676,7 @@ index 7f3b400..f91b141 100644 dentry->d_sb->s_type->name, dentry->d_sb->s_id); BUG(); -@@ -1495,7 +1494,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) +@@ -1494,7 +1494,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) */ dentry->d_iname[DNAME_INLINE_LEN-1] = 0; if (name->len > DNAME_INLINE_LEN-1) { @@ -59542,7 +59685,7 @@ index 7f3b400..f91b141 100644 if (!dname) { kmem_cache_free(dentry_cache, dentry); return NULL; -@@ -1513,7 +1512,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) +@@ -1512,7 +1512,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) smp_wmb(); dentry->d_name.name = dname; @@ -59551,7 +59694,7 @@ index 7f3b400..f91b141 100644 dentry->d_flags = 0; spin_lock_init(&dentry->d_lock); seqcount_init(&dentry->d_seq); -@@ -2276,7 +2275,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name) +@@ -2275,7 +2275,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name) goto next; } @@ -59560,7 +59703,7 @@ index 7f3b400..f91b141 100644 found = dentry; spin_unlock(&dentry->d_lock); break; -@@ -2375,7 +2374,7 @@ again: +@@ -2374,7 +2374,7 @@ again: spin_lock(&dentry->d_lock); inode = dentry->d_inode; isdir = S_ISDIR(inode->i_mode); @@ -59569,7 +59712,7 @@ index 7f3b400..f91b141 100644 if (!spin_trylock(&inode->i_lock)) { spin_unlock(&dentry->d_lock); cpu_relax(); -@@ -3314,7 +3313,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry) +@@ -3313,7 +3313,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry) if (!(dentry->d_flags & DCACHE_GENOCIDE)) { dentry->d_flags |= DCACHE_GENOCIDE; 
@@ -59578,7 +59721,7 @@ index 7f3b400..f91b141 100644 } } return D_WALK_CONTINUE; -@@ -3430,7 +3429,8 @@ void __init vfs_caches_init(unsigned long mempages) +@@ -3429,7 +3429,8 @@ void __init vfs_caches_init(unsigned long mempages) mempages -= reserve; names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0, @@ -62733,18 +62876,10 @@ index b29e42f..5ea7fdf 100644 #define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */ diff --git a/fs/namei.c b/fs/namei.c -index bdea109..6e919ab 100644 +index dd2f2c5..27e6c48 100644 --- a/fs/namei.c +++ b/fs/namei.c -@@ -34,6 +34,7 @@ - #include <linux/device_cgroup.h> - #include <linux/fs_struct.h> - #include <linux/posix_acl.h> -+#include <linux/hash.h> - #include <asm/uaccess.h> - - #include "internal.h" -@@ -330,17 +331,34 @@ int generic_permission(struct inode *inode, int mask) +@@ -331,17 +331,34 @@ int generic_permission(struct inode *inode, int mask) if (ret != -EACCES) return ret; @@ -62782,7 +62917,7 @@ index bdea109..6e919ab 100644 * Read/write DACs are always overridable. * Executable DACs are overridable when there is * at least one exec bit set. -@@ -349,14 +367,6 @@ int generic_permission(struct inode *inode, int mask) +@@ -350,14 +367,6 @@ int generic_permission(struct inode *inode, int mask) if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) return 0; @@ -62797,7 +62932,7 @@ index bdea109..6e919ab 100644 return -EACCES; } -@@ -822,7 +832,7 @@ follow_link(struct path *link, struct nameidata *nd, void **p) +@@ -821,7 +830,7 @@ follow_link(struct path *link, struct nameidata *nd, void **p) { struct dentry *dentry = link->dentry; int error; @@ -62806,7 +62941,7 @@ index bdea109..6e919ab 100644 BUG_ON(nd->flags & LOOKUP_RCU); -@@ -843,6 +853,12 @@ follow_link(struct path *link, struct nameidata *nd, void **p) +@@ -842,6 +851,12 @@ follow_link(struct path *link, struct nameidata *nd, void **p) if (error) goto out_put_nd_path; 
@@ -62819,7 +62954,45 @@ index bdea109..6e919ab 100644 nd->last_type = LAST_BIND; *p = dentry->d_inode->i_op->follow_link(dentry, nd); error = PTR_ERR(*p); -@@ -1591,6 +1607,8 @@ static inline int nested_symlink(struct path *path, struct nameidata *nd) +@@ -1131,6 +1146,7 @@ static bool __follow_mount_rcu(struct nameidata *nd, struct path *path, + + static int follow_dotdot_rcu(struct nameidata *nd) + { ++ struct inode *inode = nd->inode; + if (!nd->root.mnt) + set_root_rcu(nd); + +@@ -1144,6 +1160,7 @@ static int follow_dotdot_rcu(struct nameidata *nd) + struct dentry *parent = old->d_parent; + unsigned seq; + ++ inode = parent->d_inode; + seq = read_seqcount_begin(&parent->d_seq); + if (read_seqcount_retry(&old->d_seq, nd->seq)) + goto failed; +@@ -1153,6 +1170,7 @@ static int follow_dotdot_rcu(struct nameidata *nd) + } + if (!follow_up_rcu(&nd->path)) + break; ++ inode = nd->path.dentry->d_inode; + nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq); + } + while (d_mountpoint(nd->path.dentry)) { +@@ -1162,11 +1180,12 @@ static int follow_dotdot_rcu(struct nameidata *nd) + break; + nd->path.mnt = &mounted->mnt; + nd->path.dentry = mounted->mnt.mnt_root; ++ inode = nd->path.dentry->d_inode; + nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq); + if (!read_seqretry(&mount_lock, nd->m_seq)) + goto failed; + } +- nd->inode = nd->path.dentry->d_inode; ++ nd->inode = inode; + return 0; + + failed: +@@ -1593,6 +1612,8 @@ static inline int nested_symlink(struct path *path, struct nameidata *nd) if (res) break; res = walk_component(nd, path, LOOKUP_FOLLOW); 
@@ -62828,17 +63001,7 @@ index bdea109..6e919ab 100644 put_link(nd, &link, cookie); } while (res > 0); -@@ -1624,8 +1642,7 @@ static inline int nested_symlink(struct path *path, struct nameidata *nd) - - static inline unsigned int fold_hash(unsigned long hash) - { -- hash += hash >> (8*sizeof(int)); -- return hash; -+ return hash_64(hash, 32); - } - - #else /* 32-bit case */ -@@ -1664,7 +1681,7 @@ EXPORT_SYMBOL(full_name_hash); +@@ -1665,7 +1686,7 @@ EXPORT_SYMBOL(full_name_hash); static inline unsigned long hash_name(const char *name, unsigned int *hashp) { unsigned long a, b, adata, bdata, mask, hash, len; @@ -62847,7 +63010,23 @@ index bdea109..6e919ab 100644 hash = a = 0; len = -sizeof(unsigned long); -@@ -1948,6 +1965,8 @@ static int path_lookupat(int dfd, const char *name, +@@ -1894,7 +1915,14 @@ static int path_init(int dfd, const char *name, unsigned int flags, + } + + nd->inode = nd->path.dentry->d_inode; +- return 0; ++ if (!(flags & LOOKUP_RCU)) ++ return 0; ++ if (likely(!read_seqcount_retry(&nd->path.dentry->d_seq, nd->seq))) ++ return 0; ++ if (!(nd->flags & LOOKUP_ROOT)) ++ nd->root.mnt = NULL; ++ rcu_read_unlock(); ++ return -ECHILD; + } + + static inline int lookup_last(struct nameidata *nd, struct path *path) +@@ -1949,6 +1977,8 @@ static int path_lookupat(int dfd, const char *name, if (err) break; err = lookup_last(nd, &path); @@ -62856,7 +63035,7 @@ index bdea109..6e919ab 100644 put_link(nd, &link, cookie); } } -@@ -1955,6 +1974,13 @@ static int path_lookupat(int dfd, const char *name, +@@ -1956,6 +1986,13 @@ static int path_lookupat(int dfd, const char *name, if (!err) err = complete_walk(nd); 
@@ -62868,9 +63047,9 @@ index bdea109..6e919ab 100644 + } + if (!err && nd->flags & LOOKUP_DIRECTORY) { - if (!d_is_directory(nd->path.dentry)) { + if (!d_can_lookup(nd->path.dentry)) { path_put(&nd->path); -@@ -1982,8 +2008,15 @@ static int filename_lookup(int dfd, struct filename *name, +@@ -1983,8 +2020,15 @@ static int filename_lookup(int dfd, struct filename *name, retval = path_lookupat(dfd, name->name, flags | LOOKUP_REVAL, nd); @@ -62887,7 +63066,7 @@ index bdea109..6e919ab 100644 return retval; } -@@ -2558,6 +2591,13 @@ static int may_open(struct path *path, int acc_mode, int flag) +@@ -2559,6 +2603,13 @@ static int may_open(struct path *path, int acc_mode, int flag) if (flag & O_NOATIME && !inode_owner_or_capable(inode)) return -EPERM; @@ -62901,7 +63080,7 @@ index bdea109..6e919ab 100644 return 0; } -@@ -2789,7 +2829,7 @@ looked_up: +@@ -2790,7 +2841,7 @@ looked_up: * cleared otherwise prior to returning. */ static int lookup_open(struct nameidata *nd, struct path *path, @@ -62910,7 +63089,7 @@ index bdea109..6e919ab 100644 const struct open_flags *op, bool got_write, int *opened) { -@@ -2824,6 +2864,17 @@ static int lookup_open(struct nameidata *nd, struct path *path, +@@ -2825,6 +2876,17 @@ static int lookup_open(struct nameidata *nd, struct path *path, /* Negative dentry, just create the file */ if (!dentry->d_inode && (op->open_flag & O_CREAT)) { umode_t mode = op->mode; @@ -62928,7 +63107,7 @@ index bdea109..6e919ab 100644 if (!IS_POSIXACL(dir->d_inode)) mode &= ~current_umask(); /* -@@ -2845,6 +2896,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, +@@ -2846,6 +2908,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, nd->flags & LOOKUP_EXCL); if (error) goto out_dput; @@ -62937,7 +63116,7 @@ index bdea109..6e919ab 100644 } out_no_open: path->dentry = dentry; -@@ -2859,7 +2912,7 @@ out_dput: +@@ -2860,7 +2924,7 @@ out_dput: /* * Handle the last step of open() */ 
@@ -62946,7 +63125,7 @@ index bdea109..6e919ab 100644 struct file *file, const struct open_flags *op, int *opened, struct filename *name) { -@@ -2909,6 +2962,15 @@ static int do_last(struct nameidata *nd, struct path *path, +@@ -2910,6 +2974,15 @@ static int do_last(struct nameidata *nd, struct path *path, if (error) return error; @@ -62962,7 +63141,7 @@ index bdea109..6e919ab 100644 audit_inode(name, dir, LOOKUP_PARENT); error = -EISDIR; /* trailing slashes? */ -@@ -2928,7 +2990,7 @@ retry_lookup: +@@ -2929,7 +3002,7 @@ retry_lookup: */ } mutex_lock(&dir->d_inode->i_mutex); @@ -62971,7 +63150,7 @@ index bdea109..6e919ab 100644 mutex_unlock(&dir->d_inode->i_mutex); if (error <= 0) { -@@ -2952,11 +3014,28 @@ retry_lookup: +@@ -2953,11 +3026,28 @@ retry_lookup: goto finish_open_created; } @@ -63001,7 +63180,7 @@ index bdea109..6e919ab 100644 /* * If atomic_open() acquired write access it is dropped now due to -@@ -2997,6 +3076,11 @@ finish_lookup: +@@ -2998,6 +3088,11 @@ finish_lookup: } } BUG_ON(inode != path->dentry->d_inode); @@ -63013,7 +63192,7 @@ index bdea109..6e919ab 100644 return 1; } -@@ -3006,7 +3090,6 @@ finish_lookup: +@@ -3007,7 +3102,6 @@ finish_lookup: save_parent.dentry = nd->path.dentry; save_parent.mnt = mntget(path->mnt); nd->path.dentry = path->dentry; @@ -63021,7 +63200,7 @@ index bdea109..6e919ab 100644 } nd->inode = inode; /* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */ -@@ -3016,7 +3099,18 @@ finish_open: +@@ -3017,7 +3111,18 @@ finish_open: path_put(&save_parent); return error; } 
@@ -63038,9 +63217,9 @@ index bdea109..6e919ab 100644 audit_inode(name, nd->path.dentry, 0); + error = -EISDIR; - if ((open_flag & O_CREAT) && - (d_is_directory(nd->path.dentry) || d_is_autodir(nd->path.dentry))) -@@ -3180,7 +3274,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, + if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry)) + goto out; +@@ -3180,7 +3285,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, if (unlikely(error)) goto out; @@ -63049,7 +63228,7 @@ index bdea109..6e919ab 100644 while (unlikely(error > 0)) { /* trailing symlink */ struct path link = path; void *cookie; -@@ -3198,7 +3292,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, +@@ -3198,7 +3303,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, error = follow_link(&link, nd, &cookie); if (unlikely(error)) break; @@ -63058,7 +63237,7 @@ index bdea109..6e919ab 100644 put_link(nd, &link, cookie); } out: -@@ -3298,9 +3392,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, +@@ -3298,9 +3403,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, goto unlock; error = -EEXIST; @@ -63072,7 +63251,7 @@ index bdea109..6e919ab 100644 /* * Special case - lookup gave negative, but... we had foo/bar/ * From the vfs_mknod() POV we just have a negative dentry - -@@ -3352,6 +3448,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, +@@ -3352,6 +3459,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, } EXPORT_SYMBOL(user_path_create); @@ -63093,7 +63272,7 @@ index bdea109..6e919ab 100644 int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) { int error = may_create(dir, dentry); -@@ -3414,6 +3524,17 @@ retry: +@@ -3414,6 +3535,17 @@ retry: if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); 
@@ -63111,7 +63290,7 @@ index bdea109..6e919ab 100644 error = security_path_mknod(&path, dentry, mode, dev); if (error) goto out; -@@ -3430,6 +3551,8 @@ retry: +@@ -3430,6 +3562,8 @@ retry: break; } out: @@ -63120,7 +63299,7 @@ index bdea109..6e919ab 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3482,9 +3605,16 @@ retry: +@@ -3482,9 +3616,16 @@ retry: if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); @@ -63137,7 +63316,7 @@ index bdea109..6e919ab 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3565,6 +3695,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -3565,6 +3706,8 @@ static long do_rmdir(int dfd, const char __user *pathname) struct filename *name; struct dentry *dentry; struct nameidata nd; @@ -63146,7 +63325,7 @@ index bdea109..6e919ab 100644 unsigned int lookup_flags = 0; retry: name = user_path_parent(dfd, pathname, &nd, lookup_flags); -@@ -3597,10 +3729,21 @@ retry: +@@ -3597,10 +3740,21 @@ retry: error = -ENOENT; goto exit3; } @@ -63168,7 +63347,7 @@ index bdea109..6e919ab 100644 exit3: dput(dentry); exit2: -@@ -3690,6 +3833,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -3690,6 +3844,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) struct nameidata nd; struct inode *inode = NULL; struct inode *delegated_inode = NULL; @@ -63177,7 +63356,7 @@ index bdea109..6e919ab 100644 unsigned int lookup_flags = 0; retry: name = user_path_parent(dfd, pathname, &nd, lookup_flags); -@@ -3716,10 +3861,22 @@ retry_deleg: +@@ -3716,10 +3872,22 @@ retry_deleg: if (d_is_negative(dentry)) goto slashes; ihold(inode); @@ -63200,7 +63379,7 @@ index bdea109..6e919ab 100644 exit2: dput(dentry); } -@@ -3807,9 +3964,17 @@ retry: +@@ -3807,9 +3975,17 @@ retry: if (IS_ERR(dentry)) goto out_putname; 
@@ -63218,7 +63397,7 @@ index bdea109..6e919ab 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3912,6 +4077,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -3912,6 +4088,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, struct dentry *new_dentry; struct path old_path, new_path; struct inode *delegated_inode = NULL; @@ -63226,7 +63405,7 @@ index bdea109..6e919ab 100644 int how = 0; int error; -@@ -3935,7 +4101,7 @@ retry: +@@ -3935,7 +4112,7 @@ retry: if (error) return error; @@ -63235,7 +63414,7 @@ index bdea109..6e919ab 100644 (how & LOOKUP_REVAL)); error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) -@@ -3947,11 +4113,28 @@ retry: +@@ -3947,11 +4124,28 @@ retry: error = may_linkat(&old_path); if (unlikely(error)) goto out_dput; @@ -63264,7 +63443,7 @@ index bdea109..6e919ab 100644 done_path_create(&new_path, new_dentry); if (delegated_inode) { error = break_deleg_wait(&delegated_inode); -@@ -4238,6 +4421,12 @@ retry_deleg: +@@ -4238,6 +4432,12 @@ retry_deleg: if (new_dentry == trap) goto exit5; @@ -63277,7 +63456,7 @@ index bdea109..6e919ab 100644 error = security_path_rename(&oldnd.path, old_dentry, &newnd.path, new_dentry); if (error) -@@ -4245,6 +4434,9 @@ retry_deleg: +@@ -4245,6 +4445,9 @@ retry_deleg: error = vfs_rename(old_dir->d_inode, old_dentry, new_dir->d_inode, new_dentry, &delegated_inode); @@ -63287,7 +63466,7 @@ index bdea109..6e919ab 100644 exit5: dput(new_dentry); exit4: -@@ -4281,6 +4473,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna +@@ -4281,6 +4484,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link) { 
@@ -63296,7 +63475,7 @@ index bdea109..6e919ab 100644 int len; len = PTR_ERR(link); -@@ -4290,7 +4484,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c +@@ -4290,7 +4495,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c len = strlen(link); if (len > (unsigned) buflen) len = buflen; @@ -63313,10 +63492,10 @@ index bdea109..6e919ab 100644 out: return len; diff --git a/fs/namespace.c b/fs/namespace.c -index 65233a5..82ac953 100644 +index 75536db..5cda729 100644 --- a/fs/namespace.c +++ b/fs/namespace.c -@@ -1339,6 +1339,9 @@ static int do_umount(struct mount *mnt, int flags) +@@ -1369,6 +1369,9 @@ static int do_umount(struct mount *mnt, int flags) if (!(sb->s_flags & MS_RDONLY)) retval = do_remount_sb(sb, MS_RDONLY, NULL, 0); up_write(&sb->s_umount); @@ -63326,7 +63505,7 @@ index 65233a5..82ac953 100644 return retval; } -@@ -1361,6 +1364,9 @@ static int do_umount(struct mount *mnt, int flags) +@@ -1391,6 +1394,9 @@ static int do_umount(struct mount *mnt, int flags) } unlock_mount_hash(); namespace_unlock(); @@ -63336,7 +63515,7 @@ index 65233a5..82ac953 100644 return retval; } -@@ -1380,7 +1386,7 @@ static inline bool may_mount(void) +@@ -1410,7 +1416,7 @@ static inline bool may_mount(void) * unixes. Our API is identical to OSF/1 to avoid making a mess of AMD */ @@ -63345,7 +63524,7 @@ index 65233a5..82ac953 100644 { struct path path; struct mount *mnt; -@@ -1422,7 +1428,7 @@ out: +@@ -1452,7 +1458,7 @@ out: /* * The 2.0 compatible umount. No flags. */ @@ -63354,7 +63533,7 @@ index 65233a5..82ac953 100644 { return sys_umount(name, 0); } -@@ -2431,6 +2437,16 @@ long do_mount(const char *dev_name, const char *dir_name, +@@ -2501,6 +2507,16 @@ long do_mount(const char *dev_name, const char *dir_name, MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT | MS_STRICTATIME); 
@@ -63371,7 +63550,7 @@ index 65233a5..82ac953 100644 if (flags & MS_REMOUNT) retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags, data_page); -@@ -2445,6 +2461,9 @@ long do_mount(const char *dev_name, const char *dir_name, +@@ -2515,6 +2531,9 @@ long do_mount(const char *dev_name, const char *dir_name, dev_name, data_page); dput_out: path_put(&path); @@ -63381,7 +63560,7 @@ index 65233a5..82ac953 100644 return retval; } -@@ -2462,7 +2481,7 @@ static void free_mnt_ns(struct mnt_namespace *ns) +@@ -2532,7 +2551,7 @@ static void free_mnt_ns(struct mnt_namespace *ns) * number incrementing at 10Ghz will take 12,427 years to wrap which * is effectively never, so we can ignore the possibility. */ @@ -63390,7 +63569,7 @@ index 65233a5..82ac953 100644 static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns) { -@@ -2477,7 +2496,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns) +@@ -2547,7 +2566,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns) kfree(new_ns); return ERR_PTR(ret); } @@ -63399,7 +63578,7 @@ index 65233a5..82ac953 100644 atomic_set(&new_ns->count, 1); new_ns->root = NULL; INIT_LIST_HEAD(&new_ns->list); -@@ -2487,7 +2506,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns) +@@ -2557,7 +2576,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns) return new_ns; } @@ -63408,7 +63587,7 @@ index 65233a5..82ac953 100644 struct user_namespace *user_ns, struct fs_struct *new_fs) { struct mnt_namespace *new_ns; -@@ -2608,8 +2627,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name) +@@ -2678,8 +2697,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name) } EXPORT_SYMBOL(mount_subtree); 
@@ -63419,7 +63598,7 @@ index 65233a5..82ac953 100644 { int ret; char *kernel_type; -@@ -2722,6 +2741,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, +@@ -2792,6 +2811,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, if (error) goto out2; @@ -63431,7 +63610,7 @@ index 65233a5..82ac953 100644 get_fs_root(current->fs, &root); old_mp = lock_mount(&old); error = PTR_ERR(old_mp); -@@ -2990,7 +3014,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns) +@@ -3060,7 +3084,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns) !ns_capable(current_user_ns(), CAP_SYS_ADMIN)) return -EPERM; @@ -63697,28 +63876,6 @@ index 287a22c..4e56e4e 100644 group->fanotify_data.f_flags = event_f_flags; #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS oevent->response = 0; -diff --git a/fs/notify/fdinfo.c b/fs/notify/fdinfo.c -index 238a593..9d7e2b9 100644 ---- a/fs/notify/fdinfo.c -+++ b/fs/notify/fdinfo.c -@@ -42,7 +42,7 @@ static int show_mark_fhandle(struct seq_file *m, struct inode *inode) - { - struct { - struct file_handle handle; -- u8 pad[64]; -+ u8 pad[MAX_HANDLE_SZ]; - } f; - int size, ret, i; - -@@ -50,7 +50,7 @@ static int show_mark_fhandle(struct seq_file *m, struct inode *inode) - size = f.handle.handle_bytes >> 2; - - ret = exportfs_encode_inode_fh(inode, (struct fid *)f.handle.f_handle, &size, 0); -- if ((ret == 255) || (ret == -ENOSPC)) { -+ if ((ret == FILEID_INVALID) || (ret < 0)) { - WARN_ONCE(1, "Can't encode file handler for inotify: %d\n", ret); - return 0; - } diff --git a/fs/notify/notification.c b/fs/notify/notification.c index 1e58402..bb2d6f4 100644 --- a/fs/notify/notification.c @@ -64368,7 +64525,7 @@ index 2183fcf..3c32a98 100644 help Various /proc files exist to monitor process memory utilization: diff --git a/fs/proc/array.c b/fs/proc/array.c -index 656e401..b5b86b9 100644 +index baf3464..6873520 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -60,6 +60,7 @@ 
@@ -64379,7 +64536,7 @@ index 656e401..b5b86b9 100644 #include <linux/proc_fs.h> #include <linux/ioport.h> #include <linux/uaccess.h> -@@ -356,6 +357,21 @@ static void task_cpus_allowed(struct seq_file *m, struct task_struct *task) +@@ -347,6 +348,21 @@ static void task_cpus_allowed(struct seq_file *m, struct task_struct *task) seq_putc(m, '\n'); } @@ -64401,7 +64558,7 @@ index 656e401..b5b86b9 100644 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task) { -@@ -374,9 +390,24 @@ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns, +@@ -365,9 +381,24 @@ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns, task_cpus_allowed(m, task); cpuset_task_status_allowed(m, task); task_context_switch_counts(m, task); @@ -64426,7 +64583,7 @@ index 656e401..b5b86b9 100644 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task, int whole) { -@@ -398,6 +429,13 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, +@@ -389,6 +420,13 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, char tcomm[sizeof(task->comm)]; unsigned long flags; @@ -64440,7 +64597,7 @@ index 656e401..b5b86b9 100644 state = *get_task_state(task); vsize = eip = esp = 0; permitted = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT); -@@ -468,6 +506,19 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, +@@ -459,6 +497,19 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, gtime = task_gtime(task); } 
@@ -64460,7 +64617,7 @@ index 656e401..b5b86b9 100644 /* scale priority and nice values from timeslices to -20..20 */ /* to make it look like a "normal" Unix priority/nice value */ priority = task_prio(task); -@@ -504,9 +555,15 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, +@@ -495,9 +546,15 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, seq_put_decimal_ull(m, ' ', vsize); seq_put_decimal_ull(m, ' ', mm ? get_mm_rss(mm) : 0); seq_put_decimal_ull(m, ' ', rsslim); @@ -64476,7 +64633,7 @@ index 656e401..b5b86b9 100644 seq_put_decimal_ull(m, ' ', esp); seq_put_decimal_ull(m, ' ', eip); /* The signal information here is obsolete. -@@ -528,7 +585,11 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, +@@ -519,7 +576,11 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, seq_put_decimal_ull(m, ' ', cputime_to_clock_t(gtime)); seq_put_decimal_ll(m, ' ', cputime_to_clock_t(cgtime)); @@ -64489,7 +64646,7 @@ index 656e401..b5b86b9 100644 seq_put_decimal_ull(m, ' ', mm->start_data); seq_put_decimal_ull(m, ' ', mm->end_data); seq_put_decimal_ull(m, ' ', mm->start_brk); -@@ -566,8 +627,15 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, +@@ -557,8 +618,15 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task) { unsigned long size = 0, resident = 0, shared = 0, text = 0, data = 0; @@ -64506,7 +64663,7 @@ index 656e401..b5b86b9 100644 if (mm) { size = task_statm(mm, &shared, &text, &data, &resident); mmput(mm); -@@ -590,6 +658,13 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, +@@ -581,6 +649,13 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, return 0; } @@ -79029,10 +79186,10 @@ index 17e7e82..1d7da26 100644 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES))) #endif 
diff --git a/include/linux/capability.h b/include/linux/capability.h -index 84b13ad..d7b6550 100644 +index aa93e5e..18bb953 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h -@@ -212,8 +212,13 @@ extern bool capable(int cap); +@@ -215,8 +215,13 @@ extern bool capable(int cap); extern bool ns_capable(struct user_namespace *ns, int cap); extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap); extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap); @@ -79500,7 +79657,7 @@ index 653589e..4ef254a 100644 return c | 0x20; } diff --git a/include/linux/dcache.h b/include/linux/dcache.h -index bf72e9a..4ca7927 100644 +index 3b50cac..71a4cec 100644 --- a/include/linux/dcache.h +++ b/include/linux/dcache.h @@ -133,7 +133,7 @@ struct dentry { @@ -82499,10 +82656,10 @@ index c3eb102..073c4a6 100644 .ops = ¶m_ops_##type, \ .elemsize = sizeof(array[0]), .elem = array }; \ diff --git a/include/linux/mount.h b/include/linux/mount.h -index 839bac2..a96b37c 100644 +index b0c1e65..fd6baf1 100644 --- a/include/linux/mount.h +++ b/include/linux/mount.h -@@ -59,7 +59,7 @@ struct vfsmount { +@@ -66,7 +66,7 @@ struct vfsmount { struct dentry *mnt_root; /* root of the mounted tree */ struct super_block *mnt_sb; /* pointer to superblock */ int mnt_flags; @@ -84573,27 +84730,29 @@ index 6f8fbcf..4efc177 100644 + MODULE_GRSEC MODULE_RANDSTRUCT_PLUGIN diff --git a/include/linux/vga_switcheroo.h b/include/linux/vga_switcheroo.h -index 502073a..a7de024 100644 +index b483abd..af305ad 100644 --- a/include/linux/vga_switcheroo.h 
+++ b/include/linux/vga_switcheroo.h -@@ -63,8 +63,8 @@ int vga_switcheroo_get_client_state(struct pci_dev *dev); +@@ -63,9 +63,9 @@ int vga_switcheroo_get_client_state(struct pci_dev *dev); void vga_switcheroo_set_dynamic_switch(struct pci_dev *pdev, enum vga_switcheroo_state dynamic); -int vga_switcheroo_init_domain_pm_ops(struct device *dev, struct dev_pm_domain *domain); --int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, struct dev_pm_domain *domain); +int vga_switcheroo_init_domain_pm_ops(struct device *dev, dev_pm_domain_no_const *domain); + void vga_switcheroo_fini_domain_pm_ops(struct device *dev); +-int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, struct dev_pm_domain *domain); +int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, dev_pm_domain_no_const *domain); #else static inline void vga_switcheroo_unregister_client(struct pci_dev *dev) {} -@@ -81,8 +81,8 @@ static inline int vga_switcheroo_get_client_state(struct pci_dev *dev) { return +@@ -82,9 +82,9 @@ static inline int vga_switcheroo_get_client_state(struct pci_dev *dev) { return static inline void vga_switcheroo_set_dynamic_switch(struct pci_dev *pdev, enum vga_switcheroo_state dynamic) {} -static inline int vga_switcheroo_init_domain_pm_ops(struct device *dev, struct dev_pm_domain *domain) { return -EINVAL; } --static inline int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, struct dev_pm_domain *domain) { return -EINVAL; } +static inline int vga_switcheroo_init_domain_pm_ops(struct device *dev, dev_pm_domain_no_const *domain) { return -EINVAL; } + static inline void vga_switcheroo_fini_domain_pm_ops(struct device *dev) {} +-static inline int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, struct dev_pm_domain *domain) { return -EINVAL; } +static inline int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, dev_pm_domain_no_const *domain) { return -EINVAL; } #endif 
@@ -85566,10 +85725,10 @@ index 52beadf..598734c 100644 u8 qfull; enum fc_lport_state state; diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h -index b4f1eff..7fdbd46 100644 +index 409fafb..efc53b0 100644 --- a/include/scsi/scsi_device.h +++ b/include/scsi/scsi_device.h -@@ -180,9 +180,9 @@ struct scsi_device { +@@ -181,9 +181,9 @@ struct scsi_device { unsigned int max_device_blocked; /* what device_blocked counts down from */ #define SCSI_DEFAULT_DEVICE_BLOCKED 3 @@ -85981,7 +86140,7 @@ index fe94bb9..c9e51c2 100644 } __attribute__ ((packed)); diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h -index c38355c..17a57bc 100644 +index 1590c49..5eab462 100644 --- a/include/uapi/linux/xattr.h +++ b/include/uapi/linux/xattr.h @@ -73,5 +73,9 @@ @@ -86866,7 +87025,7 @@ index 8d6e145..33e0b1e 100644 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim; set_fs(fs); diff --git a/kernel/audit.c b/kernel/audit.c -index 0c9dc86..a891393 100644 +index 2c0ecd1..80d068a 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -122,7 +122,7 @@ u32 audit_sig_sid = 0; @@ -86928,7 +87087,7 @@ index 619b58d..e58d957 100644 task->sessionid = sessionid; task->loginuid = loginuid; diff --git a/kernel/capability.c b/kernel/capability.c -index 1191a44..7c81292 100644 +index 00adb21..d5954a8 100644 --- a/kernel/capability.c +++ b/kernel/capability.c @@ -202,6 +202,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr) @@ -86941,7 +87100,7 @@ index 1191a44..7c81292 100644 if (copy_to_user(dataptr, kdata, tocopy * sizeof(struct __user_cap_data_struct))) { return -EFAULT; -@@ -303,10 +306,11 @@ bool has_ns_capability(struct task_struct *t, +@@ -307,10 +310,11 @@ bool has_ns_capability(struct task_struct *t, int ret; rcu_read_lock(); 
@@ -86955,7 +87114,7 @@ index 1191a44..7c81292 100644 } /** -@@ -343,10 +347,10 @@ bool has_ns_capability_noaudit(struct task_struct *t, +@@ -347,10 +351,10 @@ bool has_ns_capability_noaudit(struct task_struct *t, int ret; rcu_read_lock(); @@ -86968,7 +87127,7 @@ index 1191a44..7c81292 100644 } /** -@@ -384,7 +388,7 @@ bool ns_capable(struct user_namespace *ns, int cap) +@@ -388,7 +392,7 @@ bool ns_capable(struct user_namespace *ns, int cap) BUG(); } @@ -86977,7 +87136,7 @@ index 1191a44..7c81292 100644 current->flags |= PF_SUPERPRIV; return true; } -@@ -392,6 +396,21 @@ bool ns_capable(struct user_namespace *ns, int cap) +@@ -396,6 +400,21 @@ bool ns_capable(struct user_namespace *ns, int cap) } EXPORT_SYMBOL(ns_capable); @@ -86999,7 +87158,7 @@ index 1191a44..7c81292 100644 /** * file_ns_capable - Determine if the file's opener had a capability in effect * @file: The file we want to check -@@ -432,6 +451,12 @@ bool capable(int cap) +@@ -436,6 +455,12 @@ bool capable(int cap) } EXPORT_SYMBOL(capable); @@ -87012,7 +87171,7 @@ index 1191a44..7c81292 100644 /** * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped * @inode: The inode in question -@@ -449,3 +474,12 @@ bool capable_wrt_inode_uidgid(const struct inode *inode, int cap) +@@ -453,3 +478,12 @@ bool capable_wrt_inode_uidgid(const struct inode *inode, int cap) kgid_has_mapping(ns, inode->i_gid); } EXPORT_SYMBOL(capable_wrt_inode_uidgid); @@ -87026,10 +87185,10 @@ index 1191a44..7c81292 100644 +} +EXPORT_SYMBOL(capable_wrt_inode_uidgid_nolog); diff --git a/kernel/cgroup.c b/kernel/cgroup.c -index 0c753dd..3ce8cca 100644 +index 550e205..b0a7f7d 100644 --- a/kernel/cgroup.c +++ b/kernel/cgroup.c -@@ -5190,6 +5190,14 @@ static void cgroup_release_agent(struct work_struct *work) +@@ -5189,6 +5189,14 @@ static void cgroup_release_agent(struct work_struct *work) release_list); list_del_init(&cgrp->release_list); raw_spin_unlock(&release_list_lock); 
@@ -87044,7 +87203,7 @@ index 0c753dd..3ce8cca 100644 pathbuf = kmalloc(PAGE_SIZE, GFP_KERNEL); if (!pathbuf) goto continue_free; -@@ -5372,7 +5380,7 @@ static int cgroup_css_links_read(struct seq_file *seq, void *v) +@@ -5371,7 +5379,7 @@ static int cgroup_css_links_read(struct seq_file *seq, void *v) struct css_set *cset = link->cset; struct task_struct *task; int count = 0; @@ -87470,7 +87629,7 @@ index 0b097c8..11dd5c5 100644 #ifdef CONFIG_MODULE_UNLOAD { diff --git a/kernel/events/core.c b/kernel/events/core.c -index f774e93..c602612 100644 +index 3a140ca..6624485 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -158,8 +158,15 @@ static struct srcu_struct pmus_srcu; @@ -87508,7 +87667,7 @@ index f774e93..c602612 100644 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx, enum event_type_t event_type); -@@ -3000,7 +3007,7 @@ static void __perf_event_read(void *info) +@@ -3010,7 +3017,7 @@ static void __perf_event_read(void *info) static inline u64 perf_event_count(struct perf_event *event) { @@ -87517,7 +87676,7 @@ index f774e93..c602612 100644 } static u64 perf_event_read(struct perf_event *event) -@@ -3365,9 +3372,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running) +@@ -3375,9 +3382,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running) mutex_lock(&event->child_mutex); total += perf_event_read(event); *enabled += event->total_time_enabled + @@ -87529,7 +87688,7 @@ index f774e93..c602612 100644 list_for_each_entry(child, &event->child_list, child_list) { total += perf_event_read(child); -@@ -3796,10 +3803,10 @@ void perf_event_update_userpage(struct perf_event *event) +@@ -3806,10 +3813,10 @@ void perf_event_update_userpage(struct perf_event *event) userpg->offset -= local64_read(&event->hw.prev_count); userpg->time_enabled = enabled + 
@@ -87542,7 +87701,7 @@ index f774e93..c602612 100644 arch_perf_update_userpage(userpg, now); -@@ -4350,7 +4357,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size, +@@ -4360,7 +4367,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size, /* Data. */ sp = perf_user_stack_pointer(regs); @@ -87551,7 +87710,7 @@ index f774e93..c602612 100644 dyn_size = dump_size - rem; perf_output_skip(handle, rem); -@@ -4441,11 +4448,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, +@@ -4451,11 +4458,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, values[n++] = perf_event_count(event); if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) { values[n++] = enabled + @@ -87565,7 +87724,7 @@ index f774e93..c602612 100644 } if (read_format & PERF_FORMAT_ID) values[n++] = primary_event_id(event); -@@ -6724,7 +6731,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, +@@ -6734,7 +6741,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, event->parent = parent_event; event->ns = get_pid_ns(task_active_pid_ns(current)); @@ -87574,7 +87733,7 @@ index f774e93..c602612 100644 event->state = PERF_EVENT_STATE_INACTIVE; -@@ -7024,6 +7031,11 @@ SYSCALL_DEFINE5(perf_event_open, +@@ -7034,6 +7041,11 @@ SYSCALL_DEFINE5(perf_event_open, if (flags & ~PERF_FLAG_ALL) return -EINVAL; @@ -87586,7 +87745,7 @@ index f774e93..c602612 100644 err = perf_copy_attr(attr_uptr, &attr); if (err) return err; -@@ -7362,10 +7374,10 @@ static void sync_child_event(struct perf_event *child_event, +@@ -7372,10 +7384,10 @@ static void sync_child_event(struct perf_event *child_event, /* * Add back the child's count to the parent's count: */ 
@@ -87600,6 +87759,18 @@ index f774e93..c602612 100644 &parent_event->child_total_time_running); /* +@@ -7836,8 +7848,10 @@ int perf_event_init_task(struct task_struct *child) + + for_each_task_context_nr(ctxn) { + ret = perf_event_init_context(child, ctxn); +- if (ret) ++ if (ret) { ++ perf_event_free_task(child); + return ret; ++ } + } + + return 0; diff --git a/kernel/events/internal.h b/kernel/events/internal.h index 569b2187..19940d9 100644 --- a/kernel/events/internal.h @@ -87718,7 +87889,7 @@ index 81b3d67..ef189a4 100644 { struct signal_struct *sig = current->signal; diff --git a/kernel/fork.c b/kernel/fork.c -index c44bff8..a3c5876 100644 +index c44bff8..7361260 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -180,6 +180,48 @@ void thread_info_cache_init(void) @@ -88088,6 +88259,15 @@ index c44bff8..a3c5876 100644 if (atomic_read(&p->real_cred->user->processes) >= task_rlimit(p, RLIMIT_NPROC)) { if (p->real_cred->user != INIT_USER && +@@ -1323,7 +1428,7 @@ static struct task_struct *copy_process(unsigned long clone_flags, + goto bad_fork_cleanup_policy; + retval = audit_alloc(p); + if (retval) +- goto bad_fork_cleanup_policy; ++ goto bad_fork_cleanup_perf; + /* copy all the process information */ + retval = copy_semundo(clone_flags, p); + if (retval) @@ -1449,6 +1554,11 @@ static struct task_struct *copy_process(unsigned long clone_flags, goto bad_fork_free_pid; } @@ -88100,7 +88280,18 @@ index c44bff8..a3c5876 100644 if (likely(p->pid)) { ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace); -@@ -1539,6 +1649,8 @@ bad_fork_cleanup_count: +@@ -1522,8 +1632,9 @@ bad_fork_cleanup_semundo: + exit_sem(p); + bad_fork_cleanup_audit: + audit_free(p); +-bad_fork_cleanup_policy: ++bad_fork_cleanup_perf: + perf_event_free_task(p); ++bad_fork_cleanup_policy: + #ifdef CONFIG_NUMA + mpol_put(p->mempolicy); + bad_fork_cleanup_cgroup: +@@ -1539,6 +1650,8 @@ bad_fork_cleanup_count: bad_fork_free: free_task(p); fork_out: 
@@ -88109,7 +88300,7 @@ index c44bff8..a3c5876 100644 return ERR_PTR(retval); } -@@ -1600,6 +1712,7 @@ long do_fork(unsigned long clone_flags, +@@ -1600,6 +1713,7 @@ long do_fork(unsigned long clone_flags, p = copy_process(clone_flags, stack_start, stack_size, child_tidptr, NULL, trace); @@ -88117,7 +88308,7 @@ index c44bff8..a3c5876 100644 /* * Do this prior waking up the new thread - the thread pointer * might get invalid after that point, if the thread exits quickly. -@@ -1616,6 +1729,8 @@ long do_fork(unsigned long clone_flags, +@@ -1616,6 +1730,8 @@ long do_fork(unsigned long clone_flags, if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, parent_tidptr); @@ -88126,7 +88317,7 @@ index c44bff8..a3c5876 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done = &vfork; init_completion(&vfork); -@@ -1734,7 +1849,7 @@ void __init proc_caches_init(void) +@@ -1734,7 +1850,7 @@ void __init proc_caches_init(void) mm_cachep = kmem_cache_create("mm_struct", sizeof(struct mm_struct), ARCH_MIN_MMSTRUCT_ALIGN, SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_NOTRACK, NULL); @@ -88135,7 +88326,7 @@ index c44bff8..a3c5876 100644 mmap_init(); nsproxy_cache_init(); } -@@ -1774,7 +1889,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) +@@ -1774,7 +1890,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) return 0; /* don't need lock here; in the worst case we'll do useless copy */ @@ -88144,7 +88335,7 @@ index c44bff8..a3c5876 100644 return 0; *new_fsp = copy_fs_struct(fs); -@@ -1881,7 +1996,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -1881,7 +1997,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) fs = current->fs; spin_lock(&fs->lock); current->fs = new_fs; @@ -88155,7 +88346,7 @@ index c44bff8..a3c5876 100644 else new_fs = fs; diff --git a/kernel/futex.c b/kernel/futex.c -index e3087af..4730710 100644 +index 0b0dc02..4730710 100644 --- a/kernel/futex.c +++ b/kernel/futex.c @@ -54,6 +54,7 @@ 
@@ -88205,15 +88396,7 @@ index e3087af..4730710 100644 pagefault_disable(); ret = __copy_from_user_inatomic(dest, from, sizeof(u32)); -@@ -2614,6 +2620,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags, - * shared futexes. We need to compare the keys: - */ - if (match_futex(&q.key, &key2)) { -+ queue_unlock(hb); - ret = -EINVAL; - goto out_put_keys; - } -@@ -3019,6 +3026,7 @@ static void __init futex_detect_cmpxchg(void) +@@ -3020,6 +3026,7 @@ static void __init futex_detect_cmpxchg(void) { #ifndef CONFIG_HAVE_FUTEX_CMPXCHG u32 curval; @@ -88221,7 +88404,7 @@ index e3087af..4730710 100644 /* * This will fail and we want it. Some arch implementations do -@@ -3030,8 +3038,11 @@ static void __init futex_detect_cmpxchg(void) +@@ -3031,8 +3038,11 @@ static void __init futex_detect_cmpxchg(void) * implementation, the non-functional ones will return * -ENOSYS. */ @@ -88455,26 +88638,10 @@ index 3127ad5..159d880 100644 return -ENOMEM; reset_iter(iter, 0); diff --git a/kernel/kcmp.c b/kernel/kcmp.c -index e30ac0f..a7fcafb 100644 +index 0aa69ea..a7fcafb 100644 --- a/kernel/kcmp.c +++ b/kernel/kcmp.c -@@ -44,11 +44,12 @@ static long kptr_obfuscate(long v, int type) - */ - static int kcmp_ptr(void *v1, void *v2, enum kcmp_type type) - { -- long ret; -+ long t1, t2; - -- ret = kptr_obfuscate((long)v1, type) - kptr_obfuscate((long)v2, type); -+ t1 = kptr_obfuscate((long)v1, type); -+ t2 = kptr_obfuscate((long)v2, type); - -- return (ret < 0) | ((ret > 0) << 1); -+ return (t1 < t2) | ((t1 > t2) << 1); - } - - /* The caller must have pinned the task */ -@@ -99,6 +100,10 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type, +@@ -100,6 +100,10 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type, struct task_struct *task1, *task2; int ret; @@ -92163,71 +92330,10 @@ index 7c7964c..2a0d412 100644 update_vsyscall_tz(); if (firsttime) { 
diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c -index fe75444..b8a1463 100644 +index cd45a07..b8a1463 100644 --- a/kernel/time/alarmtimer.c 
+++ b/kernel/time/alarmtimer.c -@@ -464,18 +464,26 @@ static enum alarmtimer_type clock2alarm(clockid_t clockid) - static enum alarmtimer_restart alarm_handle_timer(struct alarm *alarm, - ktime_t now) - { -+ unsigned long flags; - struct k_itimer *ptr = container_of(alarm, struct k_itimer, - it.alarm.alarmtimer); -- if (posix_timer_event(ptr, 0) != 0) -- ptr->it_overrun++; -+ enum alarmtimer_restart result = ALARMTIMER_NORESTART; -+ -+ spin_lock_irqsave(&ptr->it_lock, flags); -+ if ((ptr->it_sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE) { -+ if (posix_timer_event(ptr, 0) != 0) -+ ptr->it_overrun++; -+ } - - /* Re-add periodic timers */ - if (ptr->it.alarm.interval.tv64) { - ptr->it_overrun += alarm_forward(alarm, now, - ptr->it.alarm.interval); -- return ALARMTIMER_RESTART; -+ result = ALARMTIMER_RESTART; - } -- return ALARMTIMER_NORESTART; -+ spin_unlock_irqrestore(&ptr->it_lock, flags); -+ -+ return result; - } - - /** -@@ -541,18 +549,22 @@ static int alarm_timer_create(struct k_itimer *new_timer) - * @new_timer: k_itimer pointer - * @cur_setting: itimerspec data to fill - * -- * Copies the itimerspec data out from the k_itimer -+ * Copies out the current itimerspec data - */ - static void alarm_timer_get(struct k_itimer *timr, - struct itimerspec *cur_setting) - { -- memset(cur_setting, 0, sizeof(struct itimerspec)); -+ ktime_t relative_expiry_time = -+ alarm_expires_remaining(&(timr->it.alarm.alarmtimer)); - -- cur_setting->it_interval = -- ktime_to_timespec(timr->it.alarm.interval); -- cur_setting->it_value = -- ktime_to_timespec(timr->it.alarm.alarmtimer.node.expires); -- return; -+ if (ktime_to_ns(relative_expiry_time) > 0) { -+ cur_setting->it_value = ktime_to_timespec(relative_expiry_time); -+ } else { -+ cur_setting->it_value.tv_sec = 0; -+ cur_setting->it_value.tv_nsec = 0; -+ } -+ -+ cur_setting->it_interval = ktime_to_timespec(timr->it.alarm.interval); - } - - /** -@@ -811,7 +823,7 @@ static int __init alarmtimer_init(void) +@@ -823,7 +823,7 @@ 
static int __init alarmtimer_init(void) struct platform_device *pdev; int error = 0; int i; @@ -92491,7 +92597,7 @@ index e3be87e..7480b36 100644 ftrace_graph_active++; diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c -index 0954450..1e3e687 100644 +index 773aba8..0e70660 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -352,9 +352,9 @@ struct buffer_data_page { @@ -92517,31 +92623,7 @@ index 0954450..1e3e687 100644 local_t dropped_events; local_t committing; local_t commits; -@@ -626,8 +626,22 @@ int ring_buffer_poll_wait(struct ring_buffer *buffer, int cpu, - work = &cpu_buffer->irq_work; - } - -- work->waiters_pending = true; - poll_wait(filp, &work->waiters, poll_table); -+ work->waiters_pending = true; -+ /* -+ * There's a tight race between setting the waiters_pending and -+ * checking if the ring buffer is empty. Once the waiters_pending bit -+ * is set, the next event will wake the task up, but we can get stuck -+ * if there's only a single event in. -+ * -+ * FIXME: Ideally, we need a memory barrier on the writer side as well, -+ * but adding a memory barrier to all events will cause too much of a -+ * performance hit in the fast path. We only need a memory barrier when -+ * the buffer goes from empty to having content. But as this race is -+ * extremely small, and it's not a problem if another event comes in, we -+ * will fix it later. -+ */ -+ smp_mb(); - - if ((cpu == RING_BUFFER_ALL_CPUS && !ring_buffer_empty(buffer)) || - (cpu != RING_BUFFER_ALL_CPUS && !ring_buffer_empty_cpu(buffer, cpu))) -@@ -991,8 +1005,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer, +@@ -1005,8 +1005,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer, * * We add a counter to the write field to denote this. */ 
@@ -92552,7 +92634,7 @@ index 0954450..1e3e687 100644 /* * Just make sure we have seen our old_write and synchronize -@@ -1020,8 +1034,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer, +@@ -1034,8 +1034,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer, * cmpxchg to only update if an interrupt did not already * do it for us. If the cmpxchg fails, we don't care. */ @@ -92563,7 +92645,7 @@ index 0954450..1e3e687 100644 /* * No need to worry about races with clearing out the commit. -@@ -1385,12 +1399,12 @@ static void rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer); +@@ -1399,12 +1399,12 @@ static void rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer); static inline unsigned long rb_page_entries(struct buffer_page *bpage) { @@ -92578,7 +92660,7 @@ index 0954450..1e3e687 100644 } static int -@@ -1485,7 +1499,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages) +@@ -1499,7 +1499,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages) * bytes consumed in ring buffer from here. * Increment overrun to account for the lost events. */ @@ -92587,7 +92669,7 @@ index 0954450..1e3e687 100644 local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes); } -@@ -2063,7 +2077,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2077,7 +2077,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer, * it is our responsibility to update * the counters. */ @@ -92596,7 +92678,7 @@ index 0954450..1e3e687 100644 local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes); /* -@@ -2213,7 +2227,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2227,7 +2227,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, if (tail == BUF_PAGE_SIZE) tail_page->real_end = 0; 
@@ -92605,7 +92687,7 @@ index 0954450..1e3e687 100644 return; } -@@ -2248,7 +2262,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2262,7 +2262,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, rb_event_set_padding(event); /* Set the write back to the previous setting */ @@ -92614,7 +92696,7 @@ index 0954450..1e3e687 100644 return; } -@@ -2260,7 +2274,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2274,7 +2274,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, /* Set write to end of buffer */ length = (tail + length) - BUF_PAGE_SIZE; @@ -92623,7 +92705,7 @@ index 0954450..1e3e687 100644 } /* -@@ -2286,7 +2300,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2300,7 +2300,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, * about it. */ if (unlikely(next_page == commit_page)) { @@ -92632,7 +92714,7 @@ index 0954450..1e3e687 100644 goto out_reset; } -@@ -2342,7 +2356,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2356,7 +2356,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, cpu_buffer->tail_page) && (cpu_buffer->commit_page == cpu_buffer->reader_page))) { @@ -92641,7 +92723,7 @@ index 0954450..1e3e687 100644 goto out_reset; } } -@@ -2390,7 +2404,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2404,7 +2404,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, length += RB_LEN_TIME_EXTEND; tail_page = cpu_buffer->tail_page; @@ -92650,7 +92732,7 @@ index 0954450..1e3e687 100644 /* set write to only the index of the write */ write &= RB_WRITE_MASK; -@@ -2414,7 +2428,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2428,7 +2428,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, kmemcheck_annotate_bitfield(event, bitfield); rb_update_event(cpu_buffer, event, length, add_timestamp, delta); 
@@ -92659,7 +92741,7 @@ index 0954450..1e3e687 100644 /* * If this is the first commit on the page, then update -@@ -2447,7 +2461,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2461,7 +2461,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, if (bpage->page == (void *)addr && rb_page_write(bpage) == old_index) { unsigned long write_mask = @@ -92668,7 +92750,7 @@ index 0954450..1e3e687 100644 unsigned long event_length = rb_event_length(event); /* * This is on the tail page. It is possible that -@@ -2457,7 +2471,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2471,7 +2471,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, */ old_index += write_mask; new_index += write_mask; @@ -92677,7 +92759,7 @@ index 0954450..1e3e687 100644 if (index == old_index) { /* update counters */ local_sub(event_length, &cpu_buffer->entries_bytes); -@@ -2849,7 +2863,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2863,7 +2863,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, /* Do the likely case first */ if (likely(bpage->page == (void *)addr)) { @@ -92686,7 +92768,7 @@ index 0954450..1e3e687 100644 return; } -@@ -2861,7 +2875,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2875,7 +2875,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, start = bpage; do { if (bpage->page == (void *)addr) { @@ -92695,7 +92777,7 @@ index 0954450..1e3e687 100644 return; } rb_inc_page(cpu_buffer, &bpage); -@@ -3145,7 +3159,7 @@ static inline unsigned long +@@ -3159,7 +3159,7 @@ static inline unsigned long rb_num_of_entries(struct ring_buffer_per_cpu *cpu_buffer) { return local_read(&cpu_buffer->entries) - 
@@ -92704,7 +92786,7 @@ index 0954450..1e3e687 100644 } /** -@@ -3234,7 +3248,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu) +@@ -3248,7 +3248,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu) return 0; cpu_buffer = buffer->buffers[cpu]; @@ -92713,7 +92795,7 @@ index 0954450..1e3e687 100644 return ret; } -@@ -3257,7 +3271,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu) +@@ -3271,7 +3271,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu) return 0; cpu_buffer = buffer->buffers[cpu]; @@ -92722,7 +92804,7 @@ index 0954450..1e3e687 100644 return ret; } -@@ -3342,7 +3356,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer) +@@ -3356,7 +3356,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer) /* if you care about this being correct, lock the buffer */ for_each_buffer_cpu(buffer, cpu) { cpu_buffer = buffer->buffers[cpu]; @@ -92731,7 +92813,7 @@ index 0954450..1e3e687 100644 } return overruns; -@@ -3518,8 +3532,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) +@@ -3527,8 +3527,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) /* * Reset the reader page to size zero. */ @@ -92742,7 +92824,7 @@ index 0954450..1e3e687 100644 local_set(&cpu_buffer->reader_page->page->commit, 0); cpu_buffer->reader_page->real_end = 0; -@@ -3553,7 +3567,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) +@@ -3562,7 +3562,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) * want to compare with the last_overrun. */ smp_mb(); @@ -92751,7 +92833,7 @@ index 0954450..1e3e687 100644 /* * Here's the tricky part. -@@ -4123,8 +4137,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) +@@ -4134,8 +4134,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) cpu_buffer->head_page = list_entry(cpu_buffer->pages, struct buffer_page, list); 
@@ -92762,7 +92844,7 @@ index 0954450..1e3e687 100644 local_set(&cpu_buffer->head_page->page->commit, 0); cpu_buffer->head_page->read = 0; -@@ -4134,14 +4148,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) +@@ -4145,14 +4145,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) INIT_LIST_HEAD(&cpu_buffer->reader_page->list); INIT_LIST_HEAD(&cpu_buffer->new_pages); @@ -92781,7 +92863,7 @@ index 0954450..1e3e687 100644 local_set(&cpu_buffer->dropped_events, 0); local_set(&cpu_buffer->entries, 0); local_set(&cpu_buffer->committing, 0); -@@ -4546,8 +4560,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer, +@@ -4557,8 +4557,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer, rb_init_page(bpage); bpage = reader->page; reader->page = *data_page; @@ -93104,34 +93186,6 @@ index 48140e3..de854e5 100644 obj-$(CONFIG_DEBUG_OBJECTS) += debugobjects.o ifneq ($(CONFIG_HAVE_DEC_LOCK),y) -diff --git a/lib/assoc_array.c b/lib/assoc_array.c -index c0b1007..2404d03 100644 ---- a/lib/assoc_array.c -+++ b/lib/assoc_array.c -@@ -1723,11 +1723,13 @@ ascend_old_tree: - shortcut = assoc_array_ptr_to_shortcut(ptr); - slot = shortcut->parent_slot; - cursor = shortcut->back_pointer; -+ if (!cursor) -+ goto gc_complete; - } else { - slot = node->parent_slot; - cursor = ptr; - } -- BUG_ON(!ptr); -+ BUG_ON(!cursor); - node = assoc_array_ptr_to_node(cursor); - slot++; - goto continue_node; -@@ -1735,7 +1737,7 @@ ascend_old_tree: - gc_complete: - edit->set[0].to = new_root; - assoc_array_apply_edit(edit); -- edit->array->nr_leaves_on_tree = nr_leaves_on_tree; -+ array->nr_leaves_on_tree = nr_leaves_on_tree; - return 0; - - enomem: diff --git a/lib/average.c b/lib/average.c index 114d1be..ab0350c 100644 --- a/lib/average.c 
@@ -94114,6 +94168,31 @@ index b32b70c..e512eb0 100644 pkmap_count[last_pkmap_nr] = 1; set_page_address(page, (void *)vaddr); +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index 1c42d0c..2a99426 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -1824,6 +1824,11 @@ static int __split_huge_page_map(struct page *page, + for (i = 0; i < HPAGE_PMD_NR; i++, haddr += PAGE_SIZE) { + pte_t *pte, entry; + BUG_ON(PageCompound(page+i)); ++ /* ++ * Note that pmd_numa is not transferred deliberately ++ * to avoid any possibility that pte_numa leaks to ++ * a PROT_NONE VMA by accident. ++ */ + entry = mk_pte(page + i, vma->vm_page_prot); + entry = maybe_mkwrite(pte_mkdirty(entry), vma); + if (!pmd_write(*pmd)) +@@ -1832,8 +1837,6 @@ static int __split_huge_page_map(struct page *page, + BUG_ON(page_mapcount(page) != 1); + if (!pmd_young(*pmd)) + entry = pte_mkold(entry); +- if (pmd_numa(*pmd)) +- entry = pte_mknuma(entry); + pte = pte_offset_map(&_pmd, haddr); + BUG_ON(!pte_none(*pte)); + set_pte_at(mm, haddr, pte, entry); diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 923f38e..74e159a 100644 --- a/mm/hugetlb.c @@ -94525,7 +94604,7 @@ index 33365e9..2234ef9 100644 } unset_migratetype_isolate(page, MIGRATE_MOVABLE); diff --git a/mm/memory.c b/mm/memory.c -index 2121d8b8..fa1095a 100644 +index 492e36f..3771c0a 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -403,6 +403,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, @@ -95296,10 +95375,23 @@ index 15a8ea0..cb50389 100644 capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE); diff --git a/mm/migrate.c b/mm/migrate.c -index bed4880..a493f67 100644 +index bed4880..95c4b9f 100644 --- a/mm/migrate.c 
+++ b/mm/migrate.c -@@ -1485,8 +1485,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages, +@@ -148,8 +148,11 @@ static int remove_migration_pte(struct page *new, struct vm_area_struct *vma, + pte = pte_mkold(mk_pte(new, vma->vm_page_prot)); + if (pte_swp_soft_dirty(*ptep)) + pte = pte_mksoft_dirty(pte); ++ ++ /* Recheck VMA as permissions can change since migration started */ + if (is_write_migration_entry(entry)) +- pte = pte_mkwrite(pte); ++ pte = maybe_mkwrite(pte, vma); ++ + #ifdef CONFIG_HUGETLB_PAGE + if (PageHuge(new)) { + pte = pte_mkhuge(pte); +@@ -1485,8 +1488,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages, */ tcred = __task_cred(task); if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) && @@ -97181,7 +97273,7 @@ index 7c59ef6..1358905 100644 }; diff --git a/mm/percpu.c b/mm/percpu.c -index a2a54a8..43ecb68 100644 +index 8cd4308..ab22f17 100644 --- a/mm/percpu.c +++ b/mm/percpu.c @@ -122,7 +122,7 @@ static unsigned int pcpu_low_unit_cpu __read_mostly; @@ -97361,7 +97453,7 @@ index cdbd312..2e1e0b9 100644 /* diff --git a/mm/shmem.c b/mm/shmem.c -index ff85863..6aa94ab 100644 +index f0d698b..7037c25 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -33,7 +33,7 @@ @@ -97382,7 +97474,7 @@ index ff85863..6aa94ab 100644 /* * shmem_fallocate communicates with shmem_fault or shmem_writepage via -@@ -2298,6 +2298,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = { +@@ -2300,6 +2300,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = { static int shmem_xattr_validate(const char *name) { struct { const char *prefix; size_t len; } arr[] = { 
@@ -97394,7 +97486,7 @@ index ff85863..6aa94ab 100644 { XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN }, { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN } }; -@@ -2353,6 +2358,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name, +@@ -2355,6 +2360,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name, if (err) return err; @@ -97410,7 +97502,7 @@ index ff85863..6aa94ab 100644 return simple_xattr_set(&info->xattrs, name, value, size, flags); } -@@ -2665,8 +2679,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) +@@ -2667,8 +2681,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) int err = -ENOMEM; /* Round up to L1_CACHE_BYTES to resist false sharing */ @@ -97421,7 +97513,7 @@ index ff85863..6aa94ab 100644 return -ENOMEM; diff --git a/mm/slab.c b/mm/slab.c -index 6dd8d5f..2482a6d 100644 +index ea854eb..673c763 100644 --- a/mm/slab.c +++ b/mm/slab.c @@ -300,10 +300,12 @@ static void kmem_cache_node_init(struct kmem_cache_node *parent) @@ -97474,7 +97566,7 @@ index 6dd8d5f..2482a6d 100644 slab_early_init = 0; -@@ -3484,6 +3488,21 @@ static inline void __cache_free(struct kmem_cache *cachep, void *objp, +@@ -3477,6 +3481,21 @@ static inline void __cache_free(struct kmem_cache *cachep, void *objp, struct array_cache *ac = cpu_cache_get(cachep); check_irq_off(); @@ -97496,7 +97588,7 @@ index 6dd8d5f..2482a6d 100644 kmemleak_free_recursive(objp, cachep->flags); objp = cache_free_debugcheck(cachep, objp, caller); -@@ -3712,6 +3731,7 @@ void kfree(const void *objp) +@@ -3705,6 +3724,7 @@ void kfree(const void *objp) if (unlikely(ZERO_OR_NULL_PTR(objp))) return; 
@@ -97504,7 +97596,7 @@ index 6dd8d5f..2482a6d 100644 local_irq_save(flags); kfree_debugcheck(objp); c = virt_to_cache(objp); -@@ -4153,14 +4173,22 @@ void slabinfo_show_stats(struct seq_file *m, struct kmem_cache *cachep) +@@ -4146,14 +4166,22 @@ void slabinfo_show_stats(struct seq_file *m, struct kmem_cache *cachep) } /* cpu stats */ { @@ -97531,7 +97623,7 @@ index 6dd8d5f..2482a6d 100644 #endif } -@@ -4381,13 +4409,69 @@ static const struct file_operations proc_slabstats_operations = { +@@ -4374,13 +4402,69 @@ static const struct file_operations proc_slabstats_operations = { static int __init slab_proc_init(void) { #ifdef CONFIG_DEBUG_SLAB_LEAK @@ -99354,7 +99446,7 @@ index 6afa3b4..7a14180 100644 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) && rfc.mode != chan->mode) diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c -index 27ae841..e5a8343 100644 +index 06a7a76..86dd829 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c @@ -625,7 +625,8 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, @@ -99405,7 +99497,7 @@ index 27ae841..e5a8343 100644 err = -EFAULT; break; diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c -index 3c2d3e4..884855a 100644 +index a0050de..59c6178 100644 --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c @@ -672,7 +672,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c 
@@ -99592,342 +99684,8 @@ index b543470..d2ddae2 100644 if (!can_dir) { printk(KERN_INFO "can: failed to create /proc/net/can . " -diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c -index 96238ba..de6662b 100644 ---- a/net/ceph/auth_x.c -+++ b/net/ceph/auth_x.c -@@ -13,8 +13,6 @@ - #include "auth_x.h" - #include "auth_x_protocol.h" - --#define TEMP_TICKET_BUF_LEN 256 -- - static void ceph_x_validate_tickets(struct ceph_auth_client *ac, int *pneed); - - static int ceph_x_is_authenticated(struct ceph_auth_client *ac) -@@ -64,7 +62,7 @@ static int ceph_x_encrypt(struct ceph_crypto_key *secret, - } - - static int ceph_x_decrypt(struct ceph_crypto_key *secret, -- void **p, void *end, void *obuf, size_t olen) -+ void **p, void *end, void **obuf, size_t olen) - { - struct ceph_x_encrypt_header head; - size_t head_len = sizeof(head); -@@ -75,8 +73,14 @@ static int ceph_x_decrypt(struct ceph_crypto_key *secret, - return -EINVAL; - - dout("ceph_x_decrypt len %d\n", len); -- ret = ceph_decrypt2(secret, &head, &head_len, obuf, &olen, -- *p, len); -+ if (*obuf == NULL) { -+ *obuf = kmalloc(len, GFP_NOFS); -+ if (!*obuf) -+ return -ENOMEM; -+ olen = len; -+ } -+ -+ ret = ceph_decrypt2(secret, &head, &head_len, *obuf, &olen, *p, len); - if (ret) - return ret; - if (head.struct_v != 1 || le64_to_cpu(head.magic) != CEPHX_ENC_MAGIC) -@@ -129,145 +133,154 @@ static void remove_ticket_handler(struct ceph_auth_client *ac, - kfree(th); - } - -+static int process_one_ticket(struct ceph_auth_client *ac, -+ struct ceph_crypto_key *secret, -+ void **p, void *end) -+{ -+ struct ceph_x_info *xi = ac->private; -+ int type; -+ u8 tkt_struct_v, blob_struct_v; -+ struct ceph_x_ticket_handler *th; -+ void *dbuf = NULL; -+ void *dp, *dend; -+ int dlen; -+ char is_enc; -+ struct timespec validity; -+ struct ceph_crypto_key old_key; -+ void *ticket_buf = NULL; -+ void *tp, *tpend; -+ struct ceph_timespec new_validity; -+ struct ceph_crypto_key new_session_key; -+ struct ceph_buffer *new_ticket_blob; 
-+ unsigned long new_expires, new_renew_after; -+ u64 new_secret_id; -+ int ret; -+ -+ ceph_decode_need(p, end, sizeof(u32) + 1, bad); -+ -+ type = ceph_decode_32(p); -+ dout(" ticket type %d %s\n", type, ceph_entity_type_name(type)); -+ -+ tkt_struct_v = ceph_decode_8(p); -+ if (tkt_struct_v != 1) -+ goto bad; -+ -+ th = get_ticket_handler(ac, type); -+ if (IS_ERR(th)) { -+ ret = PTR_ERR(th); -+ goto out; -+ } -+ -+ /* blob for me */ -+ dlen = ceph_x_decrypt(secret, p, end, &dbuf, 0); -+ if (dlen <= 0) { -+ ret = dlen; -+ goto out; -+ } -+ dout(" decrypted %d bytes\n", dlen); -+ dp = dbuf; -+ dend = dp + dlen; -+ -+ tkt_struct_v = ceph_decode_8(&dp); -+ if (tkt_struct_v != 1) -+ goto bad; -+ -+ memcpy(&old_key, &th->session_key, sizeof(old_key)); -+ ret = ceph_crypto_key_decode(&new_session_key, &dp, dend); -+ if (ret) -+ goto out; -+ -+ ceph_decode_copy(&dp, &new_validity, sizeof(new_validity)); -+ ceph_decode_timespec(&validity, &new_validity); -+ new_expires = get_seconds() + validity.tv_sec; -+ new_renew_after = new_expires - (validity.tv_sec / 4); -+ dout(" expires=%lu renew_after=%lu\n", new_expires, -+ new_renew_after); -+ -+ /* ticket blob for service */ -+ ceph_decode_8_safe(p, end, is_enc, bad); -+ if (is_enc) { -+ /* encrypted */ -+ dout(" encrypted ticket\n"); -+ dlen = ceph_x_decrypt(&old_key, p, end, &ticket_buf, 0); -+ if (dlen < 0) { -+ ret = dlen; -+ goto out; -+ } -+ tp = ticket_buf; -+ dlen = ceph_decode_32(&tp); -+ } else { -+ /* unencrypted */ -+ ceph_decode_32_safe(p, end, dlen, bad); -+ ticket_buf = kmalloc(dlen, GFP_NOFS); -+ if (!ticket_buf) { -+ ret = -ENOMEM; -+ goto out; -+ } -+ tp = ticket_buf; -+ ceph_decode_need(p, end, dlen, bad); -+ ceph_decode_copy(p, ticket_buf, dlen); -+ } -+ tpend = tp + dlen; -+ dout(" ticket blob is %d bytes\n", dlen); -+ ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad); -+ blob_struct_v = ceph_decode_8(&tp); -+ new_secret_id = ceph_decode_64(&tp); -+ ret = ceph_decode_buffer(&new_ticket_blob, &tp, tpend); 
-+ if (ret) -+ goto out; -+ -+ /* all is well, update our ticket */ -+ ceph_crypto_key_destroy(&th->session_key); -+ if (th->ticket_blob) -+ ceph_buffer_put(th->ticket_blob); -+ th->session_key = new_session_key; -+ th->ticket_blob = new_ticket_blob; -+ th->validity = new_validity; -+ th->secret_id = new_secret_id; -+ th->expires = new_expires; -+ th->renew_after = new_renew_after; -+ dout(" got ticket service %d (%s) secret_id %lld len %d\n", -+ type, ceph_entity_type_name(type), th->secret_id, -+ (int)th->ticket_blob->vec.iov_len); -+ xi->have_keys |= th->service; -+ -+out: -+ kfree(ticket_buf); -+ kfree(dbuf); -+ return ret; -+ -+bad: -+ ret = -EINVAL; -+ goto out; -+} -+ - static int ceph_x_proc_ticket_reply(struct ceph_auth_client *ac, - struct ceph_crypto_key *secret, - void *buf, void *end) - { -- struct ceph_x_info *xi = ac->private; -- int num; - void *p = buf; -- int ret; -- char *dbuf; -- char *ticket_buf; - u8 reply_struct_v; -+ u32 num; -+ int ret; - -- dbuf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS); -- if (!dbuf) -- return -ENOMEM; -- -- ret = -ENOMEM; -- ticket_buf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS); -- if (!ticket_buf) -- goto out_dbuf; -- -- ceph_decode_need(&p, end, 1 + sizeof(u32), bad); -- reply_struct_v = ceph_decode_8(&p); -+ ceph_decode_8_safe(&p, end, reply_struct_v, bad); - if (reply_struct_v != 1) -- goto bad; -- num = ceph_decode_32(&p); -+ return -EINVAL; -+ -+ ceph_decode_32_safe(&p, end, num, bad); - dout("%d tickets\n", num); -+ - while (num--) { -- int type; -- u8 tkt_struct_v, blob_struct_v; -- struct ceph_x_ticket_handler *th; -- void *dp, *dend; -- int dlen; -- char is_enc; -- struct timespec validity; -- struct ceph_crypto_key old_key; -- void *tp, *tpend; -- struct ceph_timespec new_validity; -- struct ceph_crypto_key new_session_key; -- struct ceph_buffer *new_ticket_blob; -- unsigned long new_expires, new_renew_after; -- u64 new_secret_id; -- -- ceph_decode_need(&p, end, sizeof(u32) + 1, bad); -- -- type = 
ceph_decode_32(&p); -- dout(" ticket type %d %s\n", type, ceph_entity_type_name(type)); -- -- tkt_struct_v = ceph_decode_8(&p); -- if (tkt_struct_v != 1) -- goto bad; -- -- th = get_ticket_handler(ac, type); -- if (IS_ERR(th)) { -- ret = PTR_ERR(th); -- goto out; -- } -- -- /* blob for me */ -- dlen = ceph_x_decrypt(secret, &p, end, dbuf, -- TEMP_TICKET_BUF_LEN); -- if (dlen <= 0) { -- ret = dlen; -- goto out; -- } -- dout(" decrypted %d bytes\n", dlen); -- dend = dbuf + dlen; -- dp = dbuf; -- -- tkt_struct_v = ceph_decode_8(&dp); -- if (tkt_struct_v != 1) -- goto bad; -- -- memcpy(&old_key, &th->session_key, sizeof(old_key)); -- ret = ceph_crypto_key_decode(&new_session_key, &dp, dend); -+ ret = process_one_ticket(ac, secret, &p, end); - if (ret) -- goto out; -- -- ceph_decode_copy(&dp, &new_validity, sizeof(new_validity)); -- ceph_decode_timespec(&validity, &new_validity); -- new_expires = get_seconds() + validity.tv_sec; -- new_renew_after = new_expires - (validity.tv_sec / 4); -- dout(" expires=%lu renew_after=%lu\n", new_expires, -- new_renew_after); -- -- /* ticket blob for service */ -- ceph_decode_8_safe(&p, end, is_enc, bad); -- tp = ticket_buf; -- if (is_enc) { -- /* encrypted */ -- dout(" encrypted ticket\n"); -- dlen = ceph_x_decrypt(&old_key, &p, end, ticket_buf, -- TEMP_TICKET_BUF_LEN); -- if (dlen < 0) { -- ret = dlen; -- goto out; -- } -- dlen = ceph_decode_32(&tp); -- } else { -- /* unencrypted */ -- ceph_decode_32_safe(&p, end, dlen, bad); -- ceph_decode_need(&p, end, dlen, bad); -- ceph_decode_copy(&p, ticket_buf, dlen); -- } -- tpend = tp + dlen; -- dout(" ticket blob is %d bytes\n", dlen); -- ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad); -- blob_struct_v = ceph_decode_8(&tp); -- new_secret_id = ceph_decode_64(&tp); -- ret = ceph_decode_buffer(&new_ticket_blob, &tp, tpend); -- if (ret) -- goto out; -- -- /* all is well, update our ticket */ -- ceph_crypto_key_destroy(&th->session_key); -- if (th->ticket_blob) -- 
ceph_buffer_put(th->ticket_blob); -- th->session_key = new_session_key; -- th->ticket_blob = new_ticket_blob; -- th->validity = new_validity; -- th->secret_id = new_secret_id; -- th->expires = new_expires; -- th->renew_after = new_renew_after; -- dout(" got ticket service %d (%s) secret_id %lld len %d\n", -- type, ceph_entity_type_name(type), th->secret_id, -- (int)th->ticket_blob->vec.iov_len); -- xi->have_keys |= th->service; -+ return ret; - } - -- ret = 0; --out: -- kfree(ticket_buf); --out_dbuf: -- kfree(dbuf); -- return ret; -+ return 0; - - bad: -- ret = -EINVAL; -- goto out; -+ return -EINVAL; - } - - static int ceph_x_build_authorizer(struct ceph_auth_client *ac, -@@ -583,13 +596,14 @@ static int ceph_x_verify_authorizer_reply(struct ceph_auth_client *ac, - struct ceph_x_ticket_handler *th; - int ret = 0; - struct ceph_x_authorize_reply reply; -+ void *preply = &reply; - void *p = au->reply_buf; - void *end = p + sizeof(au->reply_buf); - - th = get_ticket_handler(ac, au->service); - if (IS_ERR(th)) - return PTR_ERR(th); -- ret = ceph_x_decrypt(&th->session_key, &p, end, &reply, sizeof(reply)); -+ ret = ceph_x_decrypt(&th->session_key, &p, end, &preply, sizeof(reply)); - if (ret < 0) - return ret; - if (ret != sizeof(reply)) diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c -index 988721a..947846d 100644 +index 0a31298..241da43 100644 --- a/net/ceph/messenger.c +++ b/net/ceph/messenger.c @@ -187,7 +187,7 @@ static void con_fault(struct ceph_connection *con); 
@@ -99948,26 +99706,6 @@ index 988721a..947846d 100644 s = addr_str[i]; switch (ss->ss_family) { -diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c -index 2ac9ef3..dbcbf5a 100644 ---- a/net/ceph/mon_client.c -+++ b/net/ceph/mon_client.c -@@ -1041,7 +1041,15 @@ static struct ceph_msg *mon_alloc_msg(struct ceph_connection *con, - if (!m) { - pr_info("alloc_msg unknown type %d\n", type); - *skip = 1; -+ } else if (front_len > m->front_alloc_len) { -+ pr_warning("mon_alloc_msg front %d > prealloc %d (%u#%llu)\n", -+ front_len, m->front_alloc_len, -+ (unsigned int)con->peer_name.type, -+ le64_to_cpu(con->peer_name.num)); -+ ceph_msg_put(m); -+ m = ceph_msg_new(type, front_len, GFP_NOFS, false); - } -+ - return m; - } - diff --git a/net/compat.c b/net/compat.c index cbc1a2a..ab7644e 100644 --- a/net/compat.c @@ -103268,7 +103006,7 @@ index de770ec..3fc49d2 100644 .get_optmin = SO_IP_SET, .get_optmax = SO_IP_SET + 1, diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c -index a8eb0a8..86f2de4 100644 +index 610e19c..08d0c3f 100644 --- a/net/netfilter/ipvs/ip_vs_conn.c +++ b/net/netfilter/ipvs/ip_vs_conn.c @@ -556,7 +556,7 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, struct ip_vs_dest *dest) @@ -103280,7 +103018,7 @@ index a8eb0a8..86f2de4 100644 if (cp->protocol != IPPROTO_UDP) conn_flags &= ~IP_VS_CONN_F_ONE_PACKET; flags = cp->flags; -@@ -900,7 +900,7 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p, +@@ -899,7 +899,7 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p, cp->control = NULL; atomic_set(&cp->n_control, 0); @@ -103289,7 +103027,7 @@ index a8eb0a8..86f2de4 100644 cp->packet_xmit = NULL; cp->app = NULL; -@@ -1188,7 +1188,7 @@ static inline int todrop_entry(struct ip_vs_conn *cp) +@@ -1187,7 +1187,7 @@ static inline int todrop_entry(struct ip_vs_conn *cp) /* Don't drop the entry if its number of incoming packets is not located in [0, 8] */ @@ -103299,7 +103037,7 @@ index a8eb0a8..86f2de4 100644 if (!todrop_rate[i]) return 0; 
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c -index 3d2d2c8..c87e4d3 100644 +index 27d3f40..f95d8d0 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c @@ -567,7 +567,7 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb, @@ -103454,7 +103192,7 @@ index db80126..ef7110e 100644 cp->old_state = cp->state; /* diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c -index 7f0e1cf..e9a86e6 100644 +index 1692e75..0d7c8e3 100644 --- a/net/netfilter/ipvs/ip_vs_xmit.c +++ b/net/netfilter/ipvs/ip_vs_xmit.c @@ -1102,7 +1102,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, @@ -103752,10 +103490,10 @@ index 0000000..c566332 +MODULE_ALIAS("ipt_gradm"); +MODULE_ALIAS("ip6t_gradm"); diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c -index a3910fc..2d2ba14 100644 +index 47dc683..2e0d52c 100644 --- a/net/netfilter/xt_hashlimit.c +++ b/net/netfilter/xt_hashlimit.c -@@ -870,11 +870,11 @@ static int __net_init hashlimit_proc_net_init(struct net *net) +@@ -871,11 +871,11 @@ static int __net_init hashlimit_proc_net_init(struct net *net) { struct hashlimit_net *hashlimit_net = hashlimit_pernet(net); 
@@ -104137,6 +103875,43 @@ index 48f8ffc..0ef3eec 100644 struct rds_sock { struct sock rs_sk; +diff --git a/net/rds/send.c b/net/rds/send.c +index a82fb66..1ea9251 100644 +--- a/net/rds/send.c ++++ b/net/rds/send.c +@@ -593,8 +593,11 @@ static void rds_send_remove_from_sock(struct list_head *messages, int status) + sock_put(rds_rs_to_sk(rs)); + } + rs = rm->m_rs; +- sock_hold(rds_rs_to_sk(rs)); ++ if (rs) ++ sock_hold(rds_rs_to_sk(rs)); + } ++ if (!rs) ++ goto unlock_and_drop; + spin_lock(&rs->rs_lock); + + if (test_and_clear_bit(RDS_MSG_ON_SOCK, &rm->m_flags)) { +@@ -638,9 +641,6 @@ unlock_and_drop: + * queue. This means that in the TCP case, the message may not have been + * assigned the m_ack_seq yet - but that's fine as long as tcp_is_acked + * checks the RDS_MSG_HAS_ACK_SEQ bit. +- * +- * XXX It's not clear to me how this is safely serialized with socket +- * destruction. Maybe it should bail if it sees SOCK_DEAD. + */ + void rds_send_drop_acked(struct rds_connection *conn, u64 ack, + is_acked_func is_acked) +@@ -711,6 +711,9 @@ void rds_send_drop_to(struct rds_sock *rs, struct sockaddr_in *dest) + */ + if (!test_and_clear_bit(RDS_MSG_ON_CONN, &rm->m_flags)) { + spin_unlock_irqrestore(&conn->c_lock, flags); ++ spin_lock_irqsave(&rm->m_rs_lock, flags); ++ rm->m_rs = NULL; ++ spin_unlock_irqrestore(&rm->m_rs_lock, flags); + continue; + } + list_del_init(&rm->m_conn_item); diff --git a/net/rds/tcp.c b/net/rds/tcp.c index edac9ef..16bcb98 100644 --- a/net/rds/tcp.c @@ -105867,11 +105642,11 @@ index 078fe1d..fbdb363 100644 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianness? %#x\n", diff --git a/scripts/gcc-plugin.sh b/scripts/gcc-plugin.sh new file mode 100644 -index 0000000..3fd3699 +index 0000000..42018ed --- /dev/null 
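Review bot: The added `if (!rs) goto unlock_and_drop;` in rds_send_remove_from_sock() and the `rm->m_rs = NULL` store in rds_send_drop_to() rely on an undocumented invariant: a message can lose its socket while it is still being completed. The same change also deletes the XXX comment that asked how this path is serialized with socket destruction. A one-line comment at the check would keep that reasoning with the code, for example `/* m_rs is cleared under m_rs_lock by rds_send_drop_to(); no socket left to update */`. The store is made under `m_rs_lock`, but the hunk does not show whether the matching read `rs = rm->m_rs` runs under the same lock, or what `unlock_and_drop` releases when `rs` is NULL. Both are worth confirming, since both function bodies extend outside the hunk.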
+++ b/scripts/gcc-plugin.sh -@@ -0,0 +1,43 @@ -+#!/bin/bash +@@ -0,0 +1,51 @@ ++#!/bin/sh +srctree=$(dirname "$0") +gccplugins_dir=$($3 -print-file-name=plugin) +plugincc=$($1 -E - -o /dev/null -I${srctree}/../tools/gcc -I${gccplugins_dir}/include 2>&1 <<EOF @@ -105889,15 +105664,23 @@ index 0000000..3fd3699 + exit 1 +fi + -+if [[ "$plugincc" =~ "$1 CC" ]] -+then -+ echo "$1" -+ exit 0 -+fi ++case "$plugincc" in ++ *"$1 CC"*) ++ echo "$1" ++ exit 0 ++ ;; + -+if [[ "$plugincc" =~ "$2 CXX" ]] -+then -+plugincc=$($1 -c -x c++ -std=gnu++98 - -o /dev/null -I${srctree}/../tools/gcc -I${gccplugins_dir}/include 2>&1 <<EOF ++ *"$2 CXX"*) ++ # the c++ compiler needs another test, see below ++ ;; ++ ++ *) ++ exit 1 ++ ;; ++esac ++ ++# we need a c++ compiler that supports the designated initializer GNU extension ++plugincc=$($2 -c -x c++ -std=gnu++98 - -fsyntax-only -I${srctree}/../tools/gcc -I${gccplugins_dir}/include 2>&1 <<EOF +#include "gcc-common.h" +class test { +public: @@ -105907,12 +105690,12 @@ index 0000000..3fd3699 +}; +EOF +) ++ +if [ $? -eq 0 ] +then + echo "$2" + exit 0 +fi -+fi +exit 1 diff --git a/scripts/headers_install.sh b/scripts/headers_install.sh index 5de5660..d3deb89 100644 @@ -106197,10 +105980,10 @@ index 8fac3fd..32ff38d 100644 unsigned int secindex_strings; diff --git a/security/Kconfig b/security/Kconfig -index beb86b5..40b1edb 100644 +index beb86b5..9becb4a 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,957 @@ +@@ -4,6 +4,965 @@ menu "Security options" 
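Review bot: In the `@@ -105889,15 +105664,23 @@` hunk, the rewritten C++ probe expands `${srctree}` and `${gccplugins_dir}` unquoted in `-I${srctree}/../tools/gcc -I${gccplugins_dir}/include`. A source tree or plugin directory path containing whitespace is therefore split into separate compiler arguments, and the probe fails for a reason unrelated to plugin support. Quoting only the paths fixes this while leaving `$2` unquoted, which presumably is deliberate so that a compiler command with extra words still works: `-I"${srctree}/../tools/gcc" -I"${gccplugins_dir}/include"`. The `$1 -E` probe near the top of the script builds its include paths the same way and would take the same quoting.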
@@ -106789,6 +106572,14 @@ index beb86b5..40b1edb 100644 + that is, enabling this option will make it harder to inject + and execute 'foreign' code in kernel memory itself. + ++ Note that on amd64, CONFIG_EFI enabled with "efi=old_map" on ++ the kernel command-line will result in an RWX physical map. ++ ++ Likewise, the EFI runtime services are necessarily mapped as ++ RWX. If CONFIG_EFI is enabled on an EFI-capable system, it ++ is recommended that you boot with "noefi" on the kernel ++ command-line if possible to eliminate the mapping. ++ +choice + prompt "Return Address Instrumentation Method" + default PAX_KERNEXEC_PLUGIN_METHOD_BTS @@ -107158,7 +106949,7 @@ index beb86b5..40b1edb 100644 source security/keys/Kconfig config SECURITY_DMESG_RESTRICT -@@ -103,7 +1054,7 @@ config INTEL_TXT +@@ -103,7 +1062,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX @@ -107225,10 +107016,10 @@ index 4257b7e..2d0732d 100644 .ptrace_access_check = apparmor_ptrace_access_check, diff --git a/security/commoncap.c b/security/commoncap.c -index b9d613e..f68305c 100644 +index 963dc59..12ebd0c 100644 --- a/security/commoncap.c +++ b/security/commoncap.c -@@ -424,6 +424,32 @@ int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data +@@ -427,6 +427,32 @@ int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data return 0; } @@ -107261,7 +107052,7 @@ index b9d613e..f68305c 100644 /* * Attempt to get the on-exec apply capability sets for an executable file from * its xattrs and, if present, apply them to the proposed credentials being -@@ -592,6 +618,9 @@ int cap_bprm_secureexec(struct linux_binprm *bprm) +@@ -595,6 +621,9 @@ int cap_bprm_secureexec(struct linux_binprm *bprm) const struct cred *cred = current_cred(); kuid_t root_uid = make_kuid(cred->user_ns, 0); 
@@ -111998,7 +111789,7 @@ index 0000000..1ae2ed5 + +targets += size_overflow_hash.h size_overflow_hash_aux.h diff --git a/tools/gcc/size_overflow_plugin/generate_size_overflow_hash.sh b/tools/gcc/size_overflow_plugin/generate_size_overflow_hash.sh -new file mode 100644 +new file mode 100755 index 0000000..12b1e3b --- /dev/null +++ b/tools/gcc/size_overflow_plugin/generate_size_overflow_hash.sh @@ -116307,10 +116098,10 @@ index 0000000..4378111 +} diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data new file mode 100644 -index 0000000..4077712 +index 0000000..e4b26fe --- /dev/null +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data -@@ -0,0 +1,5988 @@ +@@ -0,0 +1,5991 @@ +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL +ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL @@ -117655,7 +117446,8 @@ index 0000000..4077712 +sta_dev_read_14782 sta_dev_read 3 14782 NULL +keys_proc_write_14792 keys_proc_write 3 14792 NULL +ext4_kvmalloc_14796 ext4_kvmalloc 1 14796 NULL -+__kfifo_in_14797 __kfifo_in 3-0 14797 NULL ++__kfifo_in_14797 __kfifo_in 3-0 14797 NULL nohasharray ++ttm_page_pool_free_14797 ttm_page_pool_free 2 14797 &__kfifo_in_14797 +hpet_readl_14801 hpet_readl 0 14801 NULL nohasharray +snd_als300_gcr_read_14801 snd_als300_gcr_read 0 14801 &hpet_readl_14801 +security_inode_rename_14805 security_inode_rename 0 14805 NULL 
@@ -118078,6 +117870,7 @@ index 0000000..4077712 +kstrtoll_from_user_19500 kstrtoll_from_user 2 19500 NULL +ext4_add_new_descs_19509 ext4_add_new_descs 3 19509 NULL +batadv_tvlv_container_register_19520 batadv_tvlv_container_register 5 19520 NULL ++ttm_dma_page_pool_free_19527 ttm_dma_page_pool_free 2 19527 NULL +apei_exec_pre_map_gars_19529 apei_exec_pre_map_gars 0 19529 NULL nohasharray +cfc_write_array_to_buffer_19529 cfc_write_array_to_buffer 3 19529 &apei_exec_pre_map_gars_19529 +nfc_llcp_build_tlv_19536 nfc_llcp_build_tlv 3 19536 NULL @@ -121066,6 +120859,7 @@ index 0000000..4077712 +nsm_get_handle_52089 nsm_get_handle 4 52089 NULL +ulist_add_merge_52096 ulist_add_merge 0 52096 NULL +o2net_debug_read_52105 o2net_debug_read 3 52105 NULL ++smsdvb_stats_read_52114 smsdvb_stats_read 3 52114 NULL +split_scan_timeout_write_52128 split_scan_timeout_write 3 52128 NULL +retry_count_read_52129 retry_count_read 3 52129 NULL +xfs_btree_change_owner_52137 xfs_btree_change_owner 0 52137 NULL |