diff options
| author | Leonardo Arena <rnalrd@alpinelinux.org> | 2013-08-23 14:47:51 +0000 |
|---|---|---|
| committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2013-08-23 14:48:08 +0000 |
| commit | db2fc439f3c9f360a9beb7200bb7dc4345b116e0 (patch) | |
| tree | e2db60d98073c2c32c48f8035d32fe792afdfc61 /main/linux-virt-grsec | |
| parent | 11e44998295d10c832dccb35b46d093cdc452401 (diff) | |
| download | aports-db2fc439f3c9f360a9beb7200bb7dc4345b116e0.tar.bz2 aports-db2fc439f3c9f360a9beb7200bb7dc4345b116e0.tar.xz | |
main/linux-virt-grsec: upgrade to 3.10.7
Diffstat (limited to 'main/linux-virt-grsec')
| -rw-r--r-- | main/linux-virt-grsec/APKBUILD | 34 | ||||
| -rw-r--r-- | main/linux-virt-grsec/grsecurity-2.9.1-3.10.7-201308171249.patch (renamed from main/linux-virt-grsec/grsecurity-2.9.1-3.9.11-unofficial-2.patch) | 17055 | ||||
| -rw-r--r-- | main/linux-virt-grsec/kernelconfig.x86 | 162 | ||||
| -rw-r--r-- | main/linux-virt-grsec/kernelconfig.x86_64 | 166 |
4 files changed, 9912 insertions, 7505 deletions
diff --git a/main/linux-virt-grsec/APKBUILD b/main/linux-virt-grsec/APKBUILD index 85d171911..ec49fdc49 100644 --- a/main/linux-virt-grsec/APKBUILD +++ b/main/linux-virt-grsec/APKBUILD @@ -3,7 +3,7 @@ _flavor=grsec pkgname=linux-virt-${_flavor} -pkgver=3.9.11 +pkgver=3.10.7 case $pkgver in *.*.*) _kernver=${pkgver%.*};; *.*) _kernver=${pkgver};; @@ -18,7 +18,7 @@ _config=${config:-kernelconfig.${CARCH}} install= source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz - grsecurity-2.9.1-3.9.11-unofficial-2.patch + grsecurity-2.9.1-3.10.7-201308171249.patch 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch @@ -147,36 +147,36 @@ dev() { "$subpkgdir"/lib/modules/${_abi_release}/build } -md5sums="4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz -552146435b7ecc414bf8e3cd8bb6ac4a patch-3.9.11.xz -808e4e5dd176692d62ccfbf5988a88fa grsecurity-2.9.1-3.9.11-unofficial-2.patch +md5sums="4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz +6b1b6b62044fcf3624f067154d5c1666 patch-3.10.7.xz +e8a352c746da4aaf2e14a89da6896023 grsecurity-2.9.1-3.10.7-201308171249.patch a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch 2a12a3717052e878c0cd42aa935bfcf4 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch 6ce5fed63aad3f1a1ff1b9ba7b741822 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch 1a5800a2122ba0cc0d06733cb3bb8b8f 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch -35bdbb795392104434fdb16e226606bc kernelconfig.x86 -3fa1281098783b061581f6c1122edd77 kernelconfig.x86_64" -sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz -29be11d16ef152ae1858d567cbf45f0da0193adf364826f5e3fa8b2fcd839682 patch-3.9.11.xz -bd672d212020b5a7a00b3e0f6df39efbba6d0a1cbad88e0bf65cbaf8f8045204 grsecurity-2.9.1-3.9.11-unofficial-2.patch +246de0aecacde70ce26d9c4a4006aedb kernelconfig.x86 +307fc07ff32a2bc22f34eb2b1d0b886f kernelconfig.x86_64" +sha256sums="df27fa92d27a9c410bfe6c4a89f141638500d7eadcca5cce578954efc2ad3544 linux-3.10.tar.xz +a92836d9ae477a7730c79d8ad521a2859ecdd8dea1ac0fa561fb5ce8517f5d1e patch-3.10.7.xz +9424fb61b373fb3a84cdf0b82183ae4429158a8b582ef49a33af629557330e2a grsecurity-2.9.1-3.10.7-201308171249.patch 6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch 0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch 260fd1807838b68305a96992bf7d3302a2a8ef3a3b08fe079ba9a07e6422f736 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch ae32bb72afa170e6c3788c564b342763aba5945afacc1e2ebfc096adf50d77a3 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch -ca83354dfd4d2938bad03bd05aa25d6ab7228b289eabd43f10dab5c571f0ec07 kernelconfig.x86 -8e64c024e2f8d7d67198ad8c331cd3ef8df40015c85a0b5ef4c2487274404abb kernelconfig.x86_64" -sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz -c3a0be102d816ae06d7dfdd2738915fc2114cb9bb488b03b34e4f52f2367dcba4d8cb8ba203687bf694c2dcad36d70bb9d3121ac739a28e2c7fb2c44f08a9c71 patch-3.9.11.xz -730e24dffc70250945d873358a2fbe19f1c9249befeaba6e53ce8c1b4ebb19583d51d6a437b6d9a39b705f48001f4a645f92560ef6b4db88ee8fbf9f17bafd41 grsecurity-2.9.1-3.9.11-unofficial-2.patch +324ad615f077368699edc840e34470557be880d2c812a7048cf993c60cec0fa6 kernelconfig.x86 +20a4b46aad191452b7269288dbd205ee05c7d7681e2c129f6381aa2f9a7e8200 kernelconfig.x86_64" +sha512sums="5fb109fcbd59bf3dffc911b853894f0a84afa75151368f783a1252c5ff60c7a1504de216c0012be446df983e2dea400ad8eeed3ce04f24dc61d0ef76c174dc35 linux-3.10.tar.xz +d34729cfca045f12077c44518171a5b933790b112f2576aa55ba7f6684567b04a6beea4da8a635dcc078a844f9cd47aa66ead1fd6d68b926fdc09ecb0ae34324 patch-3.10.7.xz +1ddc7f9f28e5a8451a36b6cf800e173a59cbd2271aca772b24c568b77fa37997d0bd095e032ffb94d897a5e4d9ebc102e8eb69acb04a57f1938cd92fe98e306e grsecurity-2.9.1-3.10.7-201308171249.patch 81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch 57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch d2f578ad1d6e1fe52b55863e5bf338ae8201b828a498ec3e42e549c55295d3d1c6c3adfa9e226d711e3486628ed56ab996484e219d79ac4b0c0ec684ebd380aa 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch 28a33e644bf2faf99c8dd6dbccfe14e140dfdd8824a8fb2d58aa7deb9e572f130d92b6b35ee181084050d82166bdf2e498a451a2a538a67b7ab84204405d2d87 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch 249140374c19a5599876268ff5b3cda2e136681aee103b4a9fff5d7d346f8e3295a907fb43db0701b8a9fece64c299ad2abac0434259cce6631307ce84090205 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch -ffe76f2a13888c7a54d1dadac09f1220c2423c6883d813ea8b69485d2a855152fe24b5b132d72ac6a1abd66eda5f9592e226bc53afeffd31d285a2cc62fc7d5b kernelconfig.x86 -485501f627ab9ac2a3e1ccfdee956989f20d9f0e88b3ed2a7239fb93928d4c054a761306ebccbec9a18ca5dee59b7249cd72add6c65645234798c828afebe52c kernelconfig.x86_64" +3f1965a6c5fc9dc2cd3da407edab473caa964ef7cddba711f6c98b1710d2e50c7bba4ccb21ada794a387f100903ab16feebfd4910a6033d889878100a6bb4e77 kernelconfig.x86 +23fc5c7807d9b4804a2e4cd65c597bec1ca7117e35c1e9b001c0c6d6ff9d736ef166515c1a0a9545a66d78b75e411e192c4cff96f9cbfee1cdd2260d46b6bec0 kernelconfig.x86_64" diff --git a/main/linux-virt-grsec/grsecurity-2.9.1-3.9.11-unofficial-2.patch b/main/linux-virt-grsec/grsecurity-2.9.1-3.10.7-201308171249.patch index cb0d943df..9a72c3e12 100644 --- a/main/linux-virt-grsec/grsecurity-2.9.1-3.9.11-unofficial-2.patch +++ b/main/linux-virt-grsec/grsecurity-2.9.1-3.10.7-201308171249.patch @@ -229,10 +229,10 @@ index b89a739..79768fb 100644 +zconf.lex.c zoffset.h diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt -index 8ccbf27..afffeb4 100644 +index 2fe6e76..889ee23 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt -@@ -948,6 +948,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. +@@ -976,6 +976,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. Format: <unsigned int> such that (rxsize & ~0x1fffc0) == 0. Default: 1024 @@ -243,7 +243,18 @@ index 8ccbf27..afffeb4 100644 hashdist= [KNL,NUMA] Large hashes allocated during boot are distributed across NUMA nodes. Defaults on for 64-bit NUMA, off otherwise. -@@ -2147,6 +2151,18 @@ bytes respectively. Such letter suffixes can also be entirely omitted. +@@ -1928,6 +1932,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + noexec=on: enable non-executable mappings (default) + noexec=off: disable non-executable mappings + ++ nopcid [X86-64] ++ Disable PCID (Process-Context IDentifier) even if it ++ is supported by the processor. ++ + nosmap [X86] + Disable SMAP (Supervisor Mode Access Prevention) + even if it is supported by processor. +@@ -2195,6 +2203,25 @@ bytes respectively. Such letter suffixes can also be entirely omitted. the specified number of seconds. This is to be used if your oopses keep scrolling off the screen. @@ -252,6 +263,10 @@ index 8ccbf27..afffeb4 100644 + expand down segment used by UDEREF on X86-32 or the frequent + page table updates on X86-64. + ++ pax_sanitize_slab= ++ 0/1 to disable/enable slab object sanitization (enabled by ++ default). ++ + pax_softmode= 0/1 to disable/enable PaX softmode on boot already. + + pax_extra_latent_entropy @@ -259,11 +274,14 @@ index 8ccbf27..afffeb4 100644 + from the first 4GB of memory as the bootmem allocator + passes the memory pages to the buddy allocator. + ++ pax_weakuderef [X86-64] enables the weaker but faster form of UDEREF ++ when the processor supports PCID. ++ pcbit= [HW,ISDN] pcd. [PARIDE] diff --git a/Makefile b/Makefile -index ad368cd..96b21c3 100644 +index 33e36ab..31f1dc8 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -364,7 +382,7 @@ index ad368cd..96b21c3 100644 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ -@@ -780,6 +840,8 @@ endif +@@ -782,6 +842,8 @@ endif # The actual objects are generated when descending, # make sure no implicit rule kicks in @@ -373,7 +391,7 @@ index ad368cd..96b21c3 100644 $(sort $(vmlinux-deps)): $(vmlinux-dirs) ; # Handle descending into subdirectories listed in $(vmlinux-dirs) -@@ -789,7 +851,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ; +@@ -791,7 +853,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ; # Error messages still appears in the original language PHONY += $(vmlinux-dirs) @@ -382,7 +400,7 @@ index ad368cd..96b21c3 100644 $(Q)$(MAKE) $(build)=$@ # Store (new) KERNELRELASE string in include/config/kernel.release -@@ -833,6 +895,7 @@ prepare0: archprepare FORCE +@@ -835,6 +897,7 @@ prepare0: archprepare FORCE $(Q)$(MAKE) $(build)=. # All the preparing.. @@ -390,7 +408,7 @@ index ad368cd..96b21c3 100644 prepare: prepare0 # Generate some files -@@ -940,6 +1003,8 @@ all: modules +@@ -942,6 +1005,8 @@ all: modules # using awk while concatenating to the final file. PHONY += modules @@ -399,7 +417,7 @@ index ad368cd..96b21c3 100644 modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order @$(kecho) ' Building modules, stage 2.'; -@@ -955,7 +1020,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin) +@@ -957,7 +1022,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin) # Target to prepare building external modules PHONY += modules_prepare @@ -408,7 +426,7 @@ index ad368cd..96b21c3 100644 # Target to install modules PHONY += modules_install -@@ -1021,7 +1086,7 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \ +@@ -1023,7 +1088,7 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \ Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \ signing_key.priv signing_key.x509 x509.genkey \ extra_certificates signing_key.x509.keyid \ @@ -417,7 +435,7 @@ index ad368cd..96b21c3 100644 # clean - Delete most, but leave enough to build external modules # -@@ -1061,6 +1126,7 @@ distclean: mrproper +@@ -1063,6 +1128,7 @@ distclean: mrproper \( -name '*.orig' -o -name '*.rej' -o -name '*~' \ -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \ -o -name '.*.rej' \ @@ -425,7 +443,7 @@ index ad368cd..96b21c3 100644 -o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \ -type f -print | xargs rm -f -@@ -1221,6 +1287,8 @@ PHONY += $(module-dirs) modules +@@ -1223,6 +1289,8 @@ PHONY += $(module-dirs) modules $(module-dirs): crmodverdir $(objtree)/Module.symvers $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@) @@ -434,7 +452,7 @@ index ad368cd..96b21c3 100644 modules: $(module-dirs) @$(kecho) ' Building modules, stage 2.'; $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost -@@ -1357,17 +1425,21 @@ else +@@ -1359,17 +1427,21 @@ else target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@)) endif @@ -460,7 +478,7 @@ index ad368cd..96b21c3 100644 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) %.symtypes: %.c prepare scripts FORCE $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) -@@ -1377,11 +1449,15 @@ endif +@@ -1379,11 +1451,15 @@ endif $(cmd_crmodverdir) $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ $(build)=$(build-dir) @@ -811,10 +829,10 @@ index 0c4132d..88f0d53 100644 /* Allow reads even for write-only mappings */ if (!(vma->vm_flags & (VM_READ | VM_WRITE))) diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig -index 70cd012..71b82cd 100644 +index 18a9f5e..ca910b7 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig -@@ -1860,7 +1860,7 @@ config ALIGNMENT_TRAP +@@ -1766,7 +1766,7 @@ config ALIGNMENT_TRAP config UACCESS_WITH_MEMCPY bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()" @@ -824,7 +842,7 @@ index 70cd012..71b82cd 100644 help Implement faster copy_to_user and clear_user methods for CPU diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h -index c79f61f..9ac0642 100644 +index da1c77d..2ee6056 100644 --- a/arch/arm/include/asm/atomic.h +++ b/arch/arm/include/asm/atomic.h @@ -17,17 +17,35 @@ @@ -1129,8 +1147,44 @@ index c79f61f..9ac0642 100644 + #define ATOMIC64_INIT(i) { (i) } + #ifdef CONFIG_ARM_LPAE +@@ -257,6 +452,19 @@ static inline u64 atomic64_read(const atomic64_t *v) + return result; + } + ++static inline u64 atomic64_read_unchecked(const atomic64_unchecked_t *v) ++{ ++ u64 result; ++ ++ __asm__ __volatile__("@ atomic64_read_unchecked\n" ++" ldrd %0, %H0, [%1]" ++ : "=&r" (result) ++ : "r" (&v->counter), "Qo" (v->counter) ++ ); ++ ++ return result; ++} ++ + static inline void atomic64_set(atomic64_t *v, u64 i) + { + __asm__ __volatile__("@ atomic64_set\n" +@@ -265,6 +473,15 @@ static inline void atomic64_set(atomic64_t *v, u64 i) + : "r" (&v->counter), "r" (i) + ); + } ++ ++static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, u64 i) ++{ ++ __asm__ __volatile__("@ atomic64_set_unchecked\n" ++" strd %2, %H2, [%1]" ++ : "=Qo" (v->counter) ++ : "r" (&v->counter), "r" (i) ++ ); ++} + #else static inline u64 atomic64_read(const atomic64_t *v) -@@ -256,6 +451,19 @@ static inline u64 atomic64_read(const atomic64_t *v) + { +@@ -279,6 +496,19 @@ static inline u64 atomic64_read(const atomic64_t *v) return result; } @@ -1150,10 +1204,11 @@ index c79f61f..9ac0642 100644 static inline void atomic64_set(atomic64_t *v, u64 i) { u64 tmp; -@@ -270,6 +478,20 @@ static inline void atomic64_set(atomic64_t *v, u64 i) +@@ -292,6 +522,21 @@ static inline void atomic64_set(atomic64_t *v, u64 i) + : "r" (&v->counter), "r" (i) : "cc"); } - ++ +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, u64 i) +{ + u64 tmp; @@ -1168,10 +1223,10 @@ index c79f61f..9ac0642 100644 + : "cc"); +} + + #endif + static inline void atomic64_add(u64 i, atomic64_t *v) - { - u64 result; -@@ -278,6 +500,36 @@ static inline void atomic64_add(u64 i, atomic64_t *v) +@@ -302,6 +547,36 @@ static inline void atomic64_add(u64 i, atomic64_t *v) __asm__ __volatile__("@ atomic64_add\n" "1: ldrexd %0, %H0, [%3]\n" " adds %0, %0, %4\n" @@ -1208,15 +1263,17 @@ index c79f61f..9ac0642 100644 " adc %H0, %H0, %H4\n" " strexd %1, %0, %H0, [%3]\n" " teq %1, #0\n" -@@ -289,12 +541,49 @@ static inline void atomic64_add(u64 i, atomic64_t *v) +@@ -313,12 +588,49 @@ static inline void atomic64_add(u64 i, atomic64_t *v) static inline u64 atomic64_add_return(u64 i, atomic64_t *v) { +- u64 result; +- unsigned long tmp; + u64 result, tmp; -+ -+ smp_mb(); -+ -+ __asm__ __volatile__("@ atomic64_add_return\n" + + smp_mb(); + + __asm__ __volatile__("@ atomic64_add_return\n" +"1: ldrexd %1, %H1, [%3]\n" +" adds %0, %1, %4\n" +" adcs %H0, %H1, %H4\n" @@ -1249,21 +1306,19 @@ index c79f61f..9ac0642 100644 + +static inline u64 atomic64_add_return_unchecked(u64 i, atomic64_unchecked_t *v) +{ - u64 result; - unsigned long tmp; - - smp_mb(); - -- __asm__ __volatile__("@ atomic64_add_return\n" ++ u64 result; ++ unsigned long tmp; ++ ++ smp_mb(); ++ + __asm__ __volatile__("@ atomic64_add_return_unchecked\n" "1: ldrexd %0, %H0, [%3]\n" " adds %0, %0, %4\n" " adc %H0, %H0, %H4\n" -@@ -318,23 +607,34 @@ static inline void atomic64_sub(u64 i, atomic64_t *v) +@@ -342,6 +654,36 @@ static inline void atomic64_sub(u64 i, atomic64_t *v) __asm__ __volatile__("@ atomic64_sub\n" "1: ldrexd %0, %H0, [%3]\n" " subs %0, %0, %4\n" --" sbc %H0, %H0, %H4\n" +" sbcs %H0, %H0, %H4\n" + +#ifdef CONFIG_PAX_REFCOUNT @@ -1272,46 +1327,45 @@ index c79f61f..9ac0642 100644 +"3:\n" +#endif + - " strexd %1, %0, %H0, [%3]\n" - " teq %1, #0\n" - " bne 1b" ++" strexd %1, %0, %H0, [%3]\n" ++" teq %1, #0\n" ++" bne 1b" + +#ifdef CONFIG_PAX_REFCOUNT +"\n4:\n" + _ASM_EXTABLE(2b, 4b) +#endif + - : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) - : "r" (&v->counter), "r" (i) - : "cc"); - } - --static inline u64 atomic64_sub_return(u64 i, atomic64_t *v) -+static inline void atomic64_sub_unchecked(u64 i, atomic64_unchecked_t *v) - { - u64 result; - unsigned long tmp; - -- smp_mb(); -- -- __asm__ __volatile__("@ atomic64_sub_return\n" -+ __asm__ __volatile__("@ atomic64_sub_unchecked\n" - "1: ldrexd %0, %H0, [%3]\n" - " subs %0, %0, %4\n" - " sbc %H0, %H0, %H4\n" -@@ -344,6 +644,39 @@ static inline u64 atomic64_sub_return(u64 i, atomic64_t *v) - : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) - : "r" (&v->counter), "r" (i) - : "cc"); ++ : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) ++ : "r" (&v->counter), "r" (i) ++ : "cc"); +} + -+static inline u64 atomic64_sub_return(u64 i, atomic64_t *v) ++static inline void atomic64_sub_unchecked(u64 i, atomic64_unchecked_t *v) +{ -+ u64 result, tmp; -+ -+ smp_mb(); ++ u64 result; ++ unsigned long tmp; + -+ __asm__ __volatile__("@ atomic64_sub_return\n" ++ __asm__ __volatile__("@ atomic64_sub_unchecked\n" ++"1: ldrexd %0, %H0, [%3]\n" ++" subs %0, %0, %4\n" + " sbc %H0, %H0, %H4\n" + " strexd %1, %0, %H0, [%3]\n" + " teq %1, #0\n" +@@ -353,18 +695,32 @@ static inline void atomic64_sub(u64 i, atomic64_t *v) + + static inline u64 atomic64_sub_return(u64 i, atomic64_t *v) + { +- u64 result; +- unsigned long tmp; ++ u64 result, tmp; + + smp_mb(); + + __asm__ __volatile__("@ atomic64_sub_return\n" +-"1: ldrexd %0, %H0, [%3]\n" +-" subs %0, %0, %4\n" +-" sbc %H0, %H0, %H4\n" +"1: ldrexd %1, %H1, [%3]\n" +" subs %0, %1, %4\n" +" sbcs %H0, %H1, %H4\n" @@ -1324,22 +1378,19 @@ index c79f61f..9ac0642 100644 +"3:\n" +#endif + -+" strexd %1, %0, %H0, [%3]\n" -+" teq %1, #0\n" -+" bne 1b" + " strexd %1, %0, %H0, [%3]\n" + " teq %1, #0\n" + " bne 1b" + +#ifdef CONFIG_PAX_REFCOUNT +"\n4:\n" + _ASM_EXTABLE(2b, 4b) +#endif + -+ : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) -+ : "r" (&v->counter), "r" (i) -+ : "cc"); - - smp_mb(); - -@@ -374,6 +707,30 @@ static inline u64 atomic64_cmpxchg(atomic64_t *ptr, u64 old, u64 new) + : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) + : "r" (&v->counter), "r" (i) + : "cc"); +@@ -398,6 +754,30 @@ static inline u64 atomic64_cmpxchg(atomic64_t *ptr, u64 old, u64 new) return oldval; } @@ -1370,7 +1421,7 @@ index c79f61f..9ac0642 100644 static inline u64 atomic64_xchg(atomic64_t *ptr, u64 new) { u64 result; -@@ -397,21 +754,34 @@ static inline u64 atomic64_xchg(atomic64_t *ptr, u64 new) +@@ -421,21 +801,34 @@ static inline u64 atomic64_xchg(atomic64_t *ptr, u64 new) static inline u64 atomic64_dec_if_positive(atomic64_t *v) { @@ -1412,7 +1463,7 @@ index c79f61f..9ac0642 100644 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) : "r" (&v->counter) : "cc"); -@@ -434,13 +804,25 @@ static inline int atomic64_add_unless(atomic64_t *v, u64 a, u64 u) +@@ -458,13 +851,25 @@ static inline int atomic64_add_unless(atomic64_t *v, u64 a, u64 u) " teq %0, %5\n" " teqeq %H0, %H5\n" " moveq %1, #0\n" @@ -1441,7 +1492,7 @@ index c79f61f..9ac0642 100644 : "=&r" (val), "+r" (ret), "=&r" (tmp), "+Qo" (v->counter) : "r" (&v->counter), "r" (u), "r" (a) : "cc"); -@@ -453,10 +835,13 @@ static inline int atomic64_add_unless(atomic64_t *v, u64 a, u64 u) +@@ -477,10 +882,13 @@ static inline int atomic64_add_unless(atomic64_t *v, u64 a, u64 u) #define atomic64_add_negative(a, v) (atomic64_add_return((a), (v)) < 0) #define atomic64_inc(v) atomic64_add(1LL, (v)) @@ -1479,7 +1530,7 @@ index 75fe66b..ba3dee4 100644 #endif diff --git a/arch/arm/include/asm/cacheflush.h b/arch/arm/include/asm/cacheflush.h -index 738fcba..7a43500 100644 +index 17d0ae8..014e350 100644 --- a/arch/arm/include/asm/cacheflush.h +++ b/arch/arm/include/asm/cacheflush.h @@ -116,7 +116,7 @@ struct cpu_cache_fns { @@ -1543,15 +1594,15 @@ index 6ddbe44..b5e38b1 100644 +#define DOMAIN_KERNELCLIENT 1 #define DOMAIN_MANAGER 3 +#define DOMAIN_VECTORS DOMAIN_USER -+#else + #else + +#ifdef CONFIG_PAX_KERNEXEC -+#define DOMAIN_MANAGER 1 -+#define DOMAIN_KERNEXEC 3 - #else #define DOMAIN_MANAGER 1 - #endif - ++#define DOMAIN_KERNEXEC 3 ++#else ++#define DOMAIN_MANAGER 1 ++#endif ++ +#ifdef CONFIG_PAX_MEMORY_UDEREF +#define DOMAIN_USERCLIENT 0 +#define DOMAIN_UDEREF 1 @@ -1562,8 +1613,8 @@ index 6ddbe44..b5e38b1 100644 +#endif +#define DOMAIN_KERNELCLIENT 1 + -+#endif -+ + #endif + #define domain_val(dom,type) ((type) << (2*(dom))) #ifndef __ASSEMBLY__ @@ -1591,7 +1642,7 @@ index 6ddbe44..b5e38b1 100644 static inline void set_domain(unsigned val) { } static inline void modify_domain(unsigned dom, unsigned type) { } diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h -index 38050b1..9d90e8b 100644 +index 56211f2..17e8a25 100644 --- a/arch/arm/include/asm/elf.h +++ b/arch/arm/include/asm/elf.h @@ -116,7 +116,14 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs); @@ -1610,7 +1661,7 @@ index 38050b1..9d90e8b 100644 /* When the program starts, a1 contains a pointer to a function to be registered with atexit, as per the SVR4 ABI. A value of 0 means we -@@ -126,8 +133,4 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs); +@@ -126,10 +133,6 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs); extern void elf_set_personality(const struct elf32_hdr *); #define SET_PERSONALITY(ex) elf_set_personality(&(ex)) @@ -1618,7 +1669,9 @@ index 38050b1..9d90e8b 100644 -extern unsigned long arch_randomize_brk(struct mm_struct *mm); -#define arch_randomize_brk arch_randomize_brk - - #endif + #ifdef CONFIG_MMU + #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1 + struct linux_binprm; diff --git a/arch/arm/include/asm/fncpy.h b/arch/arm/include/asm/fncpy.h index de53547..52b9a28 100644 --- a/arch/arm/include/asm/fncpy.h @@ -1751,7 +1804,7 @@ index 12f71a1..04e063c 100644 #ifdef CONFIG_OUTER_CACHE diff --git a/arch/arm/include/asm/page.h b/arch/arm/include/asm/page.h -index 812a494..71fc0b6 100644 +index cbdc7a2..32f44fe 100644 --- a/arch/arm/include/asm/page.h +++ b/arch/arm/include/asm/page.h @@ -114,7 +114,7 @@ struct cpu_user_fns { @@ -1861,17 +1914,19 @@ index 5cfba15..f415e1a 100644 #define PTE_EXT_AP0 (_AT(pteval_t, 1) << 4) #define PTE_EXT_AP1 (_AT(pteval_t, 2) << 4) diff --git a/arch/arm/include/asm/pgtable-2level.h b/arch/arm/include/asm/pgtable-2level.h -index f97ee02..07f1be5 100644 +index f97ee02..cc9fe9e 100644 --- a/arch/arm/include/asm/pgtable-2level.h +++ b/arch/arm/include/asm/pgtable-2level.h -@@ -125,6 +125,7 @@ - #define L_PTE_XN (_AT(pteval_t, 1) << 9) +@@ -126,6 +126,9 @@ #define L_PTE_SHARED (_AT(pteval_t, 1) << 10) /* shared(v6), coherent(xsc3) */ #define L_PTE_NONE (_AT(pteval_t, 1) << 11) -+#define L_PTE_PXN (_AT(pteval_t, 1) << 12) /* v7*/ ++/* Two-level page tables only have PXN in the PGD, not in the PTE. */ ++#define L_PTE_PXN (_AT(pteval_t, 0)) ++ /* * These are the memory types, defined to be compatible with + * pre-ARMv6 CPUs cacheable and bufferable bits: XXCB diff --git a/arch/arm/include/asm/pgtable-3level-hwdef.h b/arch/arm/include/asm/pgtable-3level-hwdef.h index 18f5cef..25b8f43 100644 --- a/arch/arm/include/asm/pgtable-3level-hwdef.h @@ -2020,22 +2075,6 @@ index f3628fb..a0672dd 100644 #ifndef MULTI_CPU extern void cpu_proc_init(void); -diff --git a/arch/arm/include/asm/processor.h b/arch/arm/include/asm/processor.h -index 06e7d50..8a8e251 100644 ---- a/arch/arm/include/asm/processor.h -+++ b/arch/arm/include/asm/processor.h -@@ -65,9 +65,8 @@ struct thread_struct { - regs->ARM_cpsr |= PSR_ENDSTATE; \ - regs->ARM_pc = pc & ~1; /* pc */ \ - regs->ARM_sp = sp; /* sp */ \ -- regs->ARM_r2 = stack[2]; /* r2 (envp) */ \ -- regs->ARM_r1 = stack[1]; /* r1 (argv) */ \ -- regs->ARM_r0 = stack[0]; /* r0 (argc) */ \ -+ /* r2 (envp), r1 (argv), r0 (argc) */ \ -+ (void)copy_from_user(®s->ARM_r0, (const char __user *)stack, 3 * sizeof(unsigned long)); \ - nommu_start_thread(regs); \ - }) - diff --git a/arch/arm/include/asm/psci.h b/arch/arm/include/asm/psci.h index ce0dbe7..c085b6f 100644 --- a/arch/arm/include/asm/psci.h @@ -2063,7 +2102,7 @@ index d3a22be..3a69ad5 100644 /* * set platform specific SMP operations diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h -index cddda1f..ff357f7 100644 +index f00b569..aa5bb41 100644 --- a/arch/arm/include/asm/thread_info.h +++ b/arch/arm/include/asm/thread_info.h @@ -77,9 +77,9 @@ struct thread_info { @@ -2079,20 +2118,20 @@ index cddda1f..ff357f7 100644 .restart_block = { \ .fn = do_no_restart_syscall, \ }, \ -@@ -152,6 +152,12 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *, +@@ -152,7 +152,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *, #define TIF_SYSCALL_AUDIT 9 #define TIF_SYSCALL_TRACEPOINT 10 #define TIF_SECCOMP 11 /* seccomp syscall filtering active */ -+ +-#define TIF_NOHZ 12 /* in adaptive nohz mode */ +/* within 8 bits of TIF_SYSCALL_TRACE + * to meet flexible second operand requirements + */ +#define TIF_GRSEC_SETXID 12 -+ ++#define TIF_NOHZ 13 /* in adaptive nohz mode */ #define TIF_USING_IWMMXT 17 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */ #define TIF_RESTORE_SIGMASK 20 -@@ -165,10 +171,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *, +@@ -165,10 +169,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *, #define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT) #define _TIF_SECCOMP (1 << TIF_SECCOMP) #define _TIF_USING_IWMMXT (1 << TIF_USING_IWMMXT) @@ -2105,8 +2144,35 @@ index cddda1f..ff357f7 100644 /* * Change these and you break ASM code in entry-common.S +diff --git a/arch/arm/include/asm/tlb.h b/arch/arm/include/asm/tlb.h +index bdf2b84..aa9b4ac 100644 +--- a/arch/arm/include/asm/tlb.h ++++ b/arch/arm/include/asm/tlb.h +@@ -43,6 +43,7 @@ struct mmu_gather { + struct mm_struct *mm; + unsigned int fullmm; + struct vm_area_struct *vma; ++ unsigned long start, end; + unsigned long range_start; + unsigned long range_end; + unsigned int nr; +@@ -107,10 +108,12 @@ static inline void tlb_flush_mmu(struct mmu_gather *tlb) + } + + static inline void +-tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int fullmm) ++tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end) + { + tlb->mm = mm; +- tlb->fullmm = fullmm; ++ tlb->fullmm = !(start | (end+1)); ++ tlb->start = start; ++ tlb->end = end; + tlb->vma = NULL; + tlb->max = ARRAY_SIZE(tlb->local); + tlb->pages = tlb->local; diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h -index 7e1f760..510061e 100644 +index 7e1f760..de33b13 100644 --- a/arch/arm/include/asm/uaccess.h +++ b/arch/arm/include/asm/uaccess.h @@ -18,6 +18,7 @@ @@ -2117,7 +2183,7 @@ index 7e1f760..510061e 100644 #define VERIFY_READ 0 #define VERIFY_WRITE 1 -@@ -63,11 +64,35 @@ extern int __put_user_bad(void); +@@ -63,11 +64,38 @@ extern int __put_user_bad(void); static inline void set_fs(mm_segment_t fs) { current_thread_info()->addr_limit = fs; @@ -2127,11 +2193,14 @@ index 7e1f760..510061e 100644 #define segment_eq(a,b) ((a) == (b)) ++#define __HAVE_ARCH_PAX_OPEN_USERLAND ++#define __HAVE_ARCH_PAX_CLOSE_USERLAND ++ +static inline void pax_open_userland(void) +{ + +#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if (segment_eq(get_fs(), USER_DS) { ++ if (segment_eq(get_fs(), USER_DS)) { + BUG_ON(test_domain(DOMAIN_USER, DOMAIN_UDEREF)); + modify_domain(DOMAIN_USER, DOMAIN_UDEREF); + } @@ -2143,7 +2212,7 @@ index 7e1f760..510061e 100644 +{ + +#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if (segment_eq(get_fs(), USER_DS) { ++ if (segment_eq(get_fs(), USER_DS)) { + BUG_ON(test_domain(DOMAIN_USER, DOMAIN_NOACCESS)); + modify_domain(DOMAIN_USER, DOMAIN_NOACCESS); + } @@ -2154,7 +2223,7 @@ index 7e1f760..510061e 100644 #define __addr_ok(addr) ({ \ unsigned long flag; \ __asm__("cmp %2, %0; movlo %0, #0" \ -@@ -143,8 +168,12 @@ extern int __get_user_4(void *); +@@ -143,8 +171,12 @@ extern int __get_user_4(void *); #define get_user(x,p) \ ({ \ @@ -2168,7 +2237,7 @@ index 7e1f760..510061e 100644 }) extern int __put_user_1(void *, unsigned int); -@@ -188,8 +217,12 @@ extern int __put_user_8(void *, unsigned long long); +@@ -188,8 +220,12 @@ extern int __put_user_8(void *, unsigned long long); #define put_user(x,p) \ ({ \ @@ -2182,7 +2251,7 @@ index 7e1f760..510061e 100644 }) #else /* CONFIG_MMU */ -@@ -230,13 +263,17 @@ static inline void set_fs(mm_segment_t fs) +@@ -230,13 +266,17 @@ static inline void set_fs(mm_segment_t fs) #define __get_user(x,ptr) \ ({ \ long __gu_err = 0; \ @@ -2200,7 +2269,7 @@ index 7e1f760..510061e 100644 (void) 0; \ }) -@@ -312,13 +349,17 @@ do { \ +@@ -312,13 +352,17 @@ do { \ #define __put_user(x,ptr) \ ({ \ long __pu_err = 0; \ @@ -2218,7 +2287,7 @@ index 7e1f760..510061e 100644 (void) 0; \ }) -@@ -418,11 +459,44 @@ do { \ +@@ -418,11 +462,44 @@ do { \ #ifdef CONFIG_MMU @@ -2266,7 +2335,7 @@ index 7e1f760..510061e 100644 #else #define __copy_from_user(to,from,n) (memcpy(to, (void __force *)from, n), 0) #define __copy_to_user(to,from,n) (memcpy((void __force *)to, from, n), 0) -@@ -431,6 +505,9 @@ extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned l +@@ -431,6 +508,9 @@ extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned l static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n) { @@ -2276,7 +2345,7 @@ index 7e1f760..510061e 100644 if (access_ok(VERIFY_READ, from, n)) n = __copy_from_user(to, from, n); else /* security hole - plug it */ -@@ -440,6 +517,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u +@@ -440,6 +520,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n) { @@ -2326,7 +2395,7 @@ index 60d3b73..e5a0f22 100644 EXPORT_SYMBOL(__get_user_1); EXPORT_SYMBOL(__get_user_2); diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S -index 0f82098..fb3d3d5 100644 +index d43c7e5..257c050 100644 --- a/arch/arm/kernel/entry-armv.S +++ b/arch/arm/kernel/entry-armv.S @@ -47,6 +47,87 @@ @@ -2458,7 +2527,7 @@ index 0f82098..fb3d3d5 100644 SPFIX( addeq r2, r2, #4 ) str r3, [sp, #-4]! @ save the "real" r0 copied @ from the exception stack -@@ -359,6 +453,9 @@ ENDPROC(__pabt_svc) +@@ -316,6 +410,9 @@ ENDPROC(__pabt_svc) .macro usr_entry UNWIND(.fnstart ) UNWIND(.cantunwind ) @ don't unwind the user space @@ -2468,7 +2537,17 @@ index 0f82098..fb3d3d5 100644 sub sp, sp, #S_FRAME_SIZE ARM( stmib sp, {r1 - r12} ) THUMB( stmia sp, {r0 - r12} ) -@@ -456,7 +553,9 @@ __und_usr: +@@ -357,7 +454,8 @@ ENDPROC(__pabt_svc) + .endm + + .macro kuser_cmpxchg_check +-#if !defined(CONFIG_CPU_32v6K) && !defined(CONFIG_NEEDS_SYSCALL_FOR_CMPXCHG) ++#if !defined(CONFIG_CPU_32v6K) && defined(CONFIG_KUSER_HELPERS) && \ ++ !defined(CONFIG_NEEDS_SYSCALL_FOR_CMPXCHG) + #ifndef CONFIG_MMU + #warning "NPTL on non MMU needs fixing" + #else +@@ -414,7 +512,9 @@ __und_usr: tst r3, #PSR_T_BIT @ Thumb mode? bne __und_usr_thumb sub r4, r2, #4 @ ARM instr at LR - 4 @@ -2478,7 +2557,7 @@ index 0f82098..fb3d3d5 100644 #ifdef CONFIG_CPU_ENDIAN_BE8 rev r0, r0 @ little endian instruction #endif -@@ -491,10 +590,14 @@ __und_usr_thumb: +@@ -449,10 +549,14 @@ __und_usr_thumb: */ .arch armv6t2 #endif @@ -2493,7 +2572,17 @@ index 0f82098..fb3d3d5 100644 add r2, r2, #2 @ r2 is PC + 2, make it PC + 4 str r2, [sp, #S_PC] @ it's a 2x16bit instr, update orr r0, r0, r5, lsl #16 -@@ -733,7 +836,7 @@ ENTRY(__switch_to) +@@ -481,7 +585,8 @@ ENDPROC(__und_usr) + */ + .pushsection .fixup, "ax" + .align 2 +-4: mov pc, r9 ++4: pax_close_userland ++ mov pc, r9 + .popsection + .pushsection __ex_table,"a" + .long 1b, 4b +@@ -690,7 +795,7 @@ ENTRY(__switch_to) THUMB( stmia ip!, {r4 - sl, fp} ) @ Store most regs on stack THUMB( str sp, [ip], #4 ) THUMB( str lr, [ip], #4 ) @@ -2502,7 +2591,7 @@ index 0f82098..fb3d3d5 100644 ldr r6, [r2, #TI_CPU_DOMAIN] #endif set_tls r3, r4, r5 -@@ -742,7 +845,7 @@ ENTRY(__switch_to) +@@ -699,7 +804,7 @@ ENTRY(__switch_to) ldr r8, =__stack_chk_guard ldr r7, [r7, #TSK_STACK_CANARY] #endif @@ -2512,7 +2601,7 @@ index 0f82098..fb3d3d5 100644 #endif mov r5, r0 diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S -index fefd7f9..e6f250e 100644 +index bc5bc0a..d0998ca 100644 --- a/arch/arm/kernel/entry-common.S +++ b/arch/arm/kernel/entry-common.S @@ -10,18 +10,46 @@ @@ -2565,7 +2654,7 @@ index fefd7f9..e6f250e 100644 .align 5 /* * This is the fast syscall return path. We do as little as -@@ -351,6 +379,7 @@ ENDPROC(ftrace_stub) +@@ -350,6 +378,7 @@ ENDPROC(ftrace_stub) .align 5 ENTRY(vector_swi) @@ -2573,7 +2662,7 @@ index fefd7f9..e6f250e 100644 sub sp, sp, #S_FRAME_SIZE stmia sp, {r0 - r12} @ Calling r0 - r12 ARM( add r8, sp, #S_PC ) -@@ -400,6 +429,12 @@ ENTRY(vector_swi) +@@ -399,6 +428,12 @@ ENTRY(vector_swi) ldr scno, [lr, #-4] @ get SWI instruction #endif @@ -2587,10 +2676,10 @@ index fefd7f9..e6f250e 100644 ldr ip, __cr_alignment ldr ip, [ip] diff --git a/arch/arm/kernel/entry-header.S b/arch/arm/kernel/entry-header.S -index 9a8531e..812e287 100644 +index 160f337..db67ee4 100644 --- a/arch/arm/kernel/entry-header.S +++ b/arch/arm/kernel/entry-header.S -@@ -73,9 +73,66 @@ +@@ -73,6 +73,60 @@ msr cpsr_c, \rtemp @ switch back to the SVC mode .endm @@ -2649,18 +2738,22 @@ index 9a8531e..812e287 100644 + .endm + #ifndef CONFIG_THUMB2_KERNEL - .macro svc_exit, rpsr - msr spsr_cxsf, \rpsr + .macro svc_exit, rpsr, irq = 0 + .if \irq != 0 +@@ -92,6 +146,9 @@ + blne trace_hardirqs_off + #endif + .endif + + pax_exit_kernel + + msr spsr_cxsf, \rpsr #if defined(CONFIG_CPU_V6) ldr r0, [sp] - strex r1, r2, [sp] @ clear the exclusive monitor -@@ -121,6 +178,9 @@ - .endm - #else /* CONFIG_THUMB2_KERNEL */ - .macro svc_exit, rpsr +@@ -155,6 +212,9 @@ + blne trace_hardirqs_off + #endif + .endif + + pax_exit_kernel + @@ -2668,19 +2761,32 @@ index 9a8531e..812e287 100644 ldrd r0, r1, [sp, #S_LR] @ calling lr and pc clrex @ clear the exclusive monitor diff --git a/arch/arm/kernel/fiq.c b/arch/arm/kernel/fiq.c -index 2adda11..7fbe958 100644 +index 25442f4..d4948fc 100644 --- a/arch/arm/kernel/fiq.c +++ b/arch/arm/kernel/fiq.c -@@ -82,7 +82,9 @@ void set_fiq_handler(void *start, unsigned int length) - #if defined(CONFIG_CPU_USE_DOMAINS) - memcpy((void *)0xffff001c, start, length); - #else +@@ -84,17 +84,16 @@ int show_fiq_list(struct seq_file *p, int prec) + + void set_fiq_handler(void *start, unsigned int length) + { +-#if defined(CONFIG_CPU_USE_DOMAINS) +- void *base = (void *)0xffff0000; +-#else + void *base = vectors_page; +-#endif + unsigned offset = FIQ_OFFSET; + + pax_open_kernel(); - memcpy(vectors_page + 0x1c, start, length); + memcpy(base + offset, start, length); + pax_close_kernel(); - #endif - flush_icache_range(0xffff001c, 0xffff001c + length); - if (!vectors_high()) ++ ++ if (!cache_is_vipt_nonaliasing()) ++ flush_icache_range(base + offset, offset + length); + flush_icache_range(0xffff0000 + offset, 0xffff0000 + offset + length); +- if (!vectors_high()) +- flush_icache_range(offset, offset + length); + } + + int claim_fiq(struct fiq_handler *f) diff --git a/arch/arm/kernel/head.S b/arch/arm/kernel/head.S index 8bac553..caee108 100644 --- a/arch/arm/kernel/head.S @@ -2782,6 +2888,34 @@ index 07314af..c46655c 100644 flush_icache_range((uintptr_t)(addr), (uintptr_t)(addr) + size); +diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c +index d9f5cd4..e186ee1 100644 +--- a/arch/arm/kernel/perf_event.c ++++ b/arch/arm/kernel/perf_event.c +@@ -53,7 +53,12 @@ armpmu_map_cache_event(const unsigned (*cache_map) + static int + armpmu_map_hw_event(const unsigned (*event_map)[PERF_COUNT_HW_MAX], u64 config) + { +- int mapping = (*event_map)[config]; ++ int mapping; ++ ++ if (config >= PERF_COUNT_HW_MAX) ++ return -EINVAL; ++ ++ mapping = (*event_map)[config]; + return mapping == HW_OP_UNSUPPORTED ? -ENOENT : mapping; + } + +@@ -253,6 +258,9 @@ validate_event(struct pmu_hw_events *hw_events, + struct arm_pmu *armpmu = to_arm_pmu(event->pmu); + struct pmu *leader_pmu = event->group_leader->pmu; + ++ if (is_software_event(event)) ++ return 1; ++ + if (event->pmu != leader_pmu || event->state < PERF_EVENT_STATE_OFF) + return 1; + diff --git a/arch/arm/kernel/perf_event_cpu.c b/arch/arm/kernel/perf_event_cpu.c index 1f2740e..b36e225 100644 --- a/arch/arm/kernel/perf_event_cpu.c @@ -2796,10 +2930,10 @@ index 1f2740e..b36e225 100644 }; diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c -index 047d3e4..7e96107 100644 +index 5bc2615..4f1a0c2 100644 --- a/arch/arm/kernel/process.c +++ b/arch/arm/kernel/process.c -@@ -28,7 +28,6 @@ +@@ -28,10 +28,10 @@ #include <linux/tick.h> #include <linux/utsname.h> #include <linux/uaccess.h> @@ -2807,30 +2941,39 @@ index 047d3e4..7e96107 100644 #include <linux/hw_breakpoint.h> #include <linux/cpuidle.h> #include <linux/leds.h> -@@ -251,9 +250,10 @@ void machine_power_off(void) - machine_shutdown(); ++#include <linux/random.h> + + #include <asm/cacheflush.h> + #include <asm/idmap.h> +@@ -223,6 +223,7 @@ void machine_power_off(void) + if (pm_power_off) pm_power_off(); + BUG(); } + /* +@@ -236,7 +237,7 @@ void machine_power_off(void) + * executing pre-reset code, and using RAM that the primary CPU's code wishes + * to use. Implementing such co-ordination would be essentially impossible. + */ -void machine_restart(char *cmd) +__noreturn void machine_restart(char *cmd) { - machine_shutdown(); + smp_send_stop(); + +@@ -258,8 +259,8 @@ void __show_regs(struct pt_regs *regs) + + show_regs_print_info(KERN_DEFAULT); -@@ -278,8 +278,8 @@ void __show_regs(struct pt_regs *regs) - init_utsname()->release, - (int)strcspn(init_utsname()->version, " "), - init_utsname()->version); - print_symbol("PC is at %s\n", instruction_pointer(regs)); - print_symbol("LR is at %s\n", regs->ARM_lr); -+ printk("PC is at %pA\n", instruction_pointer(regs)); -+ printk("LR is at %pA\n", regs->ARM_lr); ++ printk("PC is at %pA\n", (void *)instruction_pointer(regs)); ++ printk("LR is at %pA\n", (void *)regs->ARM_lr); printk("pc : [<%08lx>] lr : [<%08lx>] psr: %08lx\n" "sp : %08lx ip : %08lx fp : %08lx\n", regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr, -@@ -447,12 +447,6 @@ unsigned long get_wchan(struct task_struct *p) +@@ -426,12 +427,6 @@ unsigned long get_wchan(struct task_struct *p) return 0; } @@ -2841,20 +2984,70 @@ index 047d3e4..7e96107 100644 -} - #ifdef CONFIG_MMU + #ifdef CONFIG_KUSER_HELPERS /* - * The vectors page is always readable from user space for the -@@ -465,9 +459,8 @@ static int __init gate_vma_init(void) - { - gate_vma.vm_start = 0xffff0000; - gate_vma.vm_end = 0xffff0000 + PAGE_SIZE; -- gate_vma.vm_page_prot = PAGE_READONLY_EXEC; -- gate_vma.vm_flags = VM_READ | VM_EXEC | -- VM_MAYREAD | VM_MAYEXEC; -+ gate_vma.vm_flags = VM_NONE; -+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags); +@@ -447,7 +442,7 @@ static struct vm_area_struct gate_vma = { + + static int __init gate_vma_init(void) + { +- gate_vma.vm_page_prot = PAGE_READONLY_EXEC; ++ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags); return 0; } arch_initcall(gate_vma_init); +@@ -466,48 +461,23 @@ int in_gate_area_no_mm(unsigned long addr) + { + return in_gate_area(NULL, addr); + } +-#define is_gate_vma(vma) ((vma) = &gate_vma) ++#define is_gate_vma(vma) ((vma) == &gate_vma) + #else + #define is_gate_vma(vma) 0 + #endif + + const char *arch_vma_name(struct vm_area_struct *vma) + { +- return is_gate_vma(vma) ? "[vectors]" : +- (vma->vm_mm && vma->vm_start == vma->vm_mm->context.sigpage) ? +- "[sigpage]" : NULL; ++ return is_gate_vma(vma) ? "[vectors]" : NULL; + } + +-static struct page *signal_page; +-extern struct page *get_signal_page(void); +- + int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) + { + struct mm_struct *mm = current->mm; +- unsigned long addr; +- int ret; +- +- if (!signal_page) +- signal_page = get_signal_page(); +- if (!signal_page) +- return -ENOMEM; + + down_write(&mm->mmap_sem); +- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0); +- if (IS_ERR_VALUE(addr)) { +- ret = addr; +- goto up_fail; +- } +- +- ret = install_special_mapping(mm, addr, PAGE_SIZE, +- VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC, +- &signal_page); +- +- if (ret == 0) +- mm->context.sigpage = addr; +- +- up_fail: ++ mm->context.sigpage = (PAGE_OFFSET + (get_random_int() % 0x3FFEFFE0)) & 0xFFFFFFFC; + up_write(&mm->mmap_sem); +- return ret; ++ return 0; + } + #endif diff --git a/arch/arm/kernel/psci.c b/arch/arm/kernel/psci.c index 3653164..d83e55d 100644 --- a/arch/arm/kernel/psci.c @@ -2893,10 +3086,10 @@ index 03deeff..741ce88 100644 if (secure_computing(scno) == -1) return -1; diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c -index 234e339..81264a1 100644 +index b4b1d39..efdc9be 100644 --- a/arch/arm/kernel/setup.c +++ b/arch/arm/kernel/setup.c -@@ -96,21 +96,23 @@ EXPORT_SYMBOL(system_serial_high); +@@ -97,21 +97,23 @@ EXPORT_SYMBOL(system_serial_high); unsigned int elf_hwcap __read_mostly; EXPORT_SYMBOL(elf_hwcap); @@ -2925,7 +3118,7 @@ index 234e339..81264a1 100644 EXPORT_SYMBOL(outer_cache); #endif -@@ -235,9 +237,13 @@ static int __get_cpu_architecture(void) +@@ -236,9 +238,13 @@ static int __get_cpu_architecture(void) asm("mrc p15, 0, %0, c0, c1, 4" : "=r" (mmfr0)); if ((mmfr0 & 0x0000000f) >= 0x00000003 || @@ -2941,7 +3134,7 @@ index 234e339..81264a1 100644 (mmfr0 & 0x000000f0) == 0x00000020) cpu_arch = CPU_ARCH_ARMv6; else -@@ -478,7 +484,7 @@ static void __init setup_processor(void) +@@ -479,7 +485,7 @@ static void __init setup_processor(void) __cpu_architecture = __get_cpu_architecture(); #ifdef MULTI_CPU @@ -2951,42 +3144,64 @@ index 234e339..81264a1 100644 #ifdef MULTI_TLB cpu_tlb = *list->tlb; diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c -index 296786b..a8d4dd5 100644 +index 5a42c12..a2bb7c6 100644 --- a/arch/arm/kernel/signal.c +++ b/arch/arm/kernel/signal.c -@@ -396,22 +396,14 @@ setup_return(struct pt_regs *regs, struct ksignal *ksig, - __put_user(sigreturn_codes[idx+1], rc+1)) - return 1; +@@ -45,8 +45,6 @@ static const unsigned long sigreturn_codes[7] = { + MOV_R7_NR_RT_SIGRETURN, SWI_SYS_RT_SIGRETURN, SWI_THUMB_RT_SIGRETURN, + }; -- if (cpsr & MODE32_BIT) { -- /* -- * 32-bit code can use the new high-page -- * signal return code support. -- */ -- retcode = KERN_SIGRETURN_CODE + (idx << 2) + thumb; -- } else { -- /* -- * Ensure that the instruction cache sees -- * the return code written onto the stack. -- */ -- flush_icache_range((unsigned long)rc, -- (unsigned long)(rc + 2)); +-static unsigned long signal_return_offset; - -- retcode = ((unsigned long)rc) + thumb; -- } -+ /* -+ * Ensure that the instruction cache sees -+ * the return code written onto the stack. -+ */ -+ flush_icache_range((unsigned long)rc, -+ (unsigned long)(rc + 2)); -+ -+ retcode = ((unsigned long)rc) + thumb; - } - - regs->ARM_r0 = map_sig(ksig->sig); + #ifdef CONFIG_CRUNCH + static int preserve_crunch_context(struct crunch_sigframe __user *frame) + { +@@ -406,8 +404,7 @@ setup_return(struct pt_regs *regs, struct ksignal *ksig, + * except when the MPU has protected the vectors + * page from PL0 + */ +- retcode = mm->context.sigpage + signal_return_offset + +- (idx << 2) + thumb; ++ retcode = mm->context.sigpage + (idx << 2) + thumb; + } else + #endif + { +@@ -611,33 +608,3 @@ do_work_pending(struct pt_regs *regs, unsigned int thread_flags, int syscall) + } while (thread_flags & _TIF_WORK_MASK); + return 0; + } +- +-struct page *get_signal_page(void) +-{ +- unsigned long ptr; +- unsigned offset; +- struct page *page; +- void *addr; +- +- page = alloc_pages(GFP_KERNEL, 0); +- +- if (!page) +- return NULL; +- +- addr = page_address(page); +- +- /* Give the signal return code some randomness */ +- offset = 0x200 + (get_random_int() & 0x7fc); +- signal_return_offset = offset; +- +- /* +- * Copy signal return handlers into the vector page, and +- * set sigreturn to be a pointer to these. +- */ +- memcpy(addr + offset, sigreturn_codes, sizeof(sigreturn_codes)); +- +- ptr = (unsigned long)addr + offset; +- flush_icache_range(ptr, ptr + sizeof(sigreturn_codes)); +- +- return page; +-} diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c -index 1f2cccc..f40c02e 100644 +index 5919eb4..b5d6dfe 100644 --- a/arch/arm/kernel/smp.c +++ b/arch/arm/kernel/smp.c @@ -70,7 +70,7 @@ enum ipi_msg_type { @@ -2999,10 +3214,10 @@ index 1f2cccc..f40c02e 100644 void __init smp_set_ops(struct smp_operations *ops) { diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c -index 1c08911..264f009 100644 +index 6b9567e..b8af2d6 100644 --- a/arch/arm/kernel/traps.c +++ b/arch/arm/kernel/traps.c -@@ -57,7 +57,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long); +@@ -55,7 +55,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long); void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame) { #ifdef CONFIG_KALLSYMS @@ -3011,7 +3226,7 @@ index 1c08911..264f009 100644 #else printk("Function entered at [<%08lx>] from [<%08lx>]\n", where, from); #endif -@@ -266,6 +266,8 @@ static arch_spinlock_t die_lock = __ARCH_SPIN_LOCK_UNLOCKED; +@@ -257,6 +257,8 @@ static arch_spinlock_t die_lock = __ARCH_SPIN_LOCK_UNLOCKED; static int die_owner = -1; static unsigned int die_nest_count; @@ -3020,7 +3235,7 @@ index 1c08911..264f009 100644 static unsigned long oops_begin(void) { int cpu; -@@ -308,6 +310,9 @@ static void oops_end(unsigned long flags, struct pt_regs *regs, int signr) +@@ -299,6 +301,9 @@ static void oops_end(unsigned long flags, struct pt_regs *regs, int signr) panic("Fatal exception in interrupt"); if (panic_on_oops) panic("Fatal exception"); @@ -3030,7 +3245,7 @@ index 1c08911..264f009 100644 if (signr) do_exit(signr); } -@@ -601,7 +606,9 @@ asmlinkage int arm_syscall(int no, struct pt_regs *regs) +@@ -592,7 +597,9 @@ asmlinkage int arm_syscall(int no, struct pt_regs *regs) * The user helper at 0xffff0fe0 must be used instead. * (see entry-armv.S for details) */ @@ -3040,18 +3255,10 @@ index 1c08911..264f009 100644 } return 0; -@@ -841,13 +848,10 @@ void __init early_trap_init(void *vectors_base) - */ - kuser_get_tls_init(vectors); +@@ -848,5 +855,9 @@ void __init early_trap_init(void *vectors_base) + kuser_init(vectors_base); -- /* -- * Copy signal return handlers into the vector page, and -- * set sigreturn to be a pointer to these. -- */ -- memcpy((void *)(vectors + KERN_SIGRETURN_CODE - CONFIG_VECTORS_BASE), -- sigreturn_codes, sizeof(sigreturn_codes)); -- - flush_icache_range(vectors, vectors + PAGE_SIZE); + flush_icache_range(vectors, vectors + PAGE_SIZE * 2); - modify_domain(DOMAIN_USER, DOMAIN_CLIENT); + +#ifndef CONFIG_PAX_MEMORY_UDEREF @@ -3060,7 +3267,7 @@ index 1c08911..264f009 100644 + } diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S -index b571484..4b2fc9b 100644 +index 33f2ea3..0b91824 100644 --- a/arch/arm/kernel/vmlinux.lds.S +++ b/arch/arm/kernel/vmlinux.lds.S @@ -8,7 +8,11 @@ @@ -3108,7 +3315,7 @@ index b571484..4b2fc9b 100644 #ifndef CONFIG_XIP_KERNEL . = ALIGN(PAGE_SIZE); -@@ -207,6 +220,11 @@ SECTIONS +@@ -224,6 +237,11 @@ SECTIONS . = PAGE_OFFSET + TEXT_OFFSET; #else __init_end = .; @@ -3258,10 +3465,10 @@ index 025f742..8432b08 100644 /* * This test is stubbed out of the main function above to keep diff --git a/arch/arm/mach-kirkwood/common.c b/arch/arm/mach-kirkwood/common.c -index 49792a0..f192052 100644 +index f389228..592ef66 100644 --- a/arch/arm/mach-kirkwood/common.c +++ b/arch/arm/mach-kirkwood/common.c -@@ -150,7 +150,16 @@ static void clk_gate_fn_disable(struct clk_hw *hw) +@@ -149,7 +149,16 @@ static void clk_gate_fn_disable(struct clk_hw *hw) clk_gate_ops.disable(hw); } @@ -3279,7 +3486,7 @@ index 49792a0..f192052 100644 static struct clk __init *clk_register_gate_fn(struct device *dev, const char *name, -@@ -184,14 +193,6 @@ static struct clk __init *clk_register_gate_fn(struct device *dev, +@@ -183,14 +192,6 @@ static struct clk __init *clk_register_gate_fn(struct device *dev, gate_fn->fn_en = fn_en; gate_fn->fn_dis = fn_dis; @@ -3308,10 +3515,10 @@ index f6eeb87..cc90868 100644 }; diff --git a/arch/arm/mach-omap2/gpmc.c b/arch/arm/mach-omap2/gpmc.c -index 410e1ba..1d2dd59 100644 +index 6c4da12..d9ca72d 100644 --- a/arch/arm/mach-omap2/gpmc.c +++ b/arch/arm/mach-omap2/gpmc.c -@@ -145,7 +145,6 @@ struct omap3_gpmc_regs { +@@ -147,7 +147,6 @@ struct omap3_gpmc_regs { }; static struct gpmc_client_irq gpmc_client_irq[GPMC_NR_IRQ]; @@ -3319,7 +3526,7 @@ index 410e1ba..1d2dd59 100644 static unsigned gpmc_irq_start; static struct resource gpmc_mem_root; -@@ -707,6 +706,18 @@ static void gpmc_irq_noop(struct irq_data *data) { } +@@ -711,6 +710,18 @@ static void gpmc_irq_noop(struct irq_data *data) { } static unsigned int gpmc_irq_noop_ret(struct irq_data *data) { return 0; } @@ -3338,7 +3545,7 @@ index 410e1ba..1d2dd59 100644 static int gpmc_setup_irq(void) { int i; -@@ -721,15 +732,6 @@ static int gpmc_setup_irq(void) +@@ -725,15 +736,6 @@ static int gpmc_setup_irq(void) return gpmc_irq_start; } @@ -3368,7 +3575,7 @@ index f8bb3b9..831e7b8 100644 }; diff --git a/arch/arm/mach-omap2/omap_device.c b/arch/arm/mach-omap2/omap_device.c -index 381be7a..89b9c7e 100644 +index e6d2307..d057195 100644 --- a/arch/arm/mach-omap2/omap_device.c +++ b/arch/arm/mach-omap2/omap_device.c @@ -499,7 +499,7 @@ void omap_device_delete(struct omap_device *od) @@ -3409,10 +3616,10 @@ index 044c31d..2ee0861 100644 struct omap_device *omap_device_alloc(struct platform_device *pdev, struct omap_hwmod **ohs, int oh_cnt); diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c -index 3a750de..4c9b88f 100644 +index 7341eff..fd75e34 100644 --- a/arch/arm/mach-omap2/omap_hwmod.c +++ b/arch/arm/mach-omap2/omap_hwmod.c -@@ -191,10 +191,10 @@ struct omap_hwmod_soc_ops { +@@ -194,10 +194,10 @@ struct omap_hwmod_soc_ops { int (*init_clkdm)(struct omap_hwmod *oh); void (*update_context_lost)(struct omap_hwmod *oh); int (*get_context_lost)(struct omap_hwmod *oh); @@ -3449,10 +3656,23 @@ index d15c7bb..b2d1f0c 100644 pdev = omap_device_build(dev_name, id, oh, &pdata, sizeof(struct omap_wd_timer_platform_data)); WARN(IS_ERR(pdev), "Can't build omap_device for %s:%s.\n", -diff --git a/arch/arm/mach-ux500/include/mach/setup.h b/arch/arm/mach-ux500/include/mach/setup.h -index bddce2b..3eb04e2 100644 ---- a/arch/arm/mach-ux500/include/mach/setup.h -+++ b/arch/arm/mach-ux500/include/mach/setup.h +diff --git a/arch/arm/mach-tegra/cpuidle-tegra20.c b/arch/arm/mach-tegra/cpuidle-tegra20.c +index 0cdba8d..297993e 100644 +--- a/arch/arm/mach-tegra/cpuidle-tegra20.c ++++ b/arch/arm/mach-tegra/cpuidle-tegra20.c +@@ -181,7 +181,7 @@ static int tegra20_idle_lp2_coupled(struct cpuidle_device *dev, + bool entered_lp2 = false; + + if (tegra_pending_sgi()) +- ACCESS_ONCE(abort_flag) = true; ++ ACCESS_ONCE_RW(abort_flag) = true; + + cpuidle_coupled_parallel_barrier(dev, &abort_barrier); + +diff --git a/arch/arm/mach-ux500/setup.h b/arch/arm/mach-ux500/setup.h +index cad3ca86..1d79e0f 100644 +--- a/arch/arm/mach-ux500/setup.h ++++ b/arch/arm/mach-ux500/setup.h @@ -37,13 +37,6 @@ extern void ux500_timer_init(void); .type = MT_DEVICE, \ } @@ -3468,10 +3688,10 @@ index bddce2b..3eb04e2 100644 extern void ux500_cpu_die(unsigned int cpu); diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig -index 4045c49..0263c07 100644 +index 2950082..d0f0782 100644 --- a/arch/arm/mm/Kconfig +++ b/arch/arm/mm/Kconfig -@@ -425,7 +425,7 @@ config CPU_32v5 +@@ -436,7 +436,7 @@ config CPU_32v5 config CPU_32v6 bool @@ -3480,7 +3700,7 @@ index 4045c49..0263c07 100644 select TLS_REG_EMUL if !CPU_32v6K && !MMU config CPU_32v6K -@@ -574,6 +574,7 @@ config CPU_CP15_MPU +@@ -585,6 +585,7 @@ config CPU_CP15_MPU config CPU_USE_DOMAINS bool @@ -3488,8 +3708,25 @@ index 4045c49..0263c07 100644 help This option enables or disables the use of domain switching via the set_fs() function. +@@ -780,6 +781,7 @@ config NEED_KUSER_HELPERS + config KUSER_HELPERS + bool "Enable kuser helpers in vector page" if !NEED_KUSER_HELPERS + default y ++ depends on !(CPU_V6 || CPU_V6K || CPU_V7) + help + Warning: disabling this option may break user programs. + +@@ -790,7 +792,7 @@ config KUSER_HELPERS + run on ARMv4 through to ARMv7 without modification. + + However, the fixed address nature of these helpers can be used +- by ROP (return orientated programming) authors when creating ++ by ROP (Return Oriented Programming) authors when creating + exploits. + + If all of the binaries and libraries which run on your platform diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c -index db26e2e..ee44569 100644 +index 6f4585b..7b6f52b 100644 --- a/arch/arm/mm/alignment.c +++ b/arch/arm/mm/alignment.c @@ -211,10 +211,12 @@ union offset_union { @@ -3554,7 +3791,7 @@ index db26e2e..ee44569 100644 goto fault; \ } while (0) diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c -index 5dbf13f..1a60561 100644 +index 5dbf13f..ee1ec24 100644 --- a/arch/arm/mm/fault.c +++ b/arch/arm/mm/fault.c @@ -25,6 +25,7 @@ @@ -3657,11 +3894,29 @@ index 5dbf13f..1a60561 100644 printk(KERN_ALERT "Unhandled fault: %s (0x%03x) at 0x%08lx\n", inf->name, fsr, addr); -@@ -575,9 +637,49 @@ do_PrefetchAbort(unsigned long addr, unsigned int ifsr, struct pt_regs *regs) +@@ -569,15 +631,67 @@ hook_ifault_code(int nr, int (*fn)(unsigned long, unsigned int, struct pt_regs * + ifsr_info[nr].name = name; + } + ++asmlinkage int sys_sigreturn(struct pt_regs *regs); ++asmlinkage int sys_rt_sigreturn(struct pt_regs *regs); ++ + asmlinkage void __exception + do_PrefetchAbort(unsigned long addr, unsigned int ifsr, struct pt_regs *regs) + { const struct fsr_info *inf = ifsr_info + fsr_fs(ifsr); struct siginfo info; + if (user_mode(regs)) { ++ unsigned long sigpage = current->mm->context.sigpage; ++ ++ if (sigpage <= addr && addr < sigpage + 7*4) { ++ if (addr < sigpage + 3*4) ++ sys_sigreturn(regs); ++ else ++ sys_rt_sigreturn(regs); ++ return; ++ } + if (addr == 0xffff0fe0UL) { + /* + * PaX: __kuser_get_tls emulation @@ -3738,7 +3993,7 @@ index cf08bdf..772656c 100644 unsigned long search_exception_table(unsigned long addr); diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c -index ad722f1..763fdd3 100644 +index 0ecc43f..190b956 100644 --- a/arch/arm/mm/init.c +++ b/arch/arm/mm/init.c @@ -30,6 +30,8 @@ @@ -3750,12 +4005,12 @@ index ad722f1..763fdd3 100644 #include <asm/mach/arch.h> #include <asm/mach/map.h> -@@ -736,7 +738,46 @@ void free_initmem(void) +@@ -726,7 +728,46 @@ void free_initmem(void) { #ifdef CONFIG_HAVE_TCM extern char __tcm_start, __tcm_end; +#endif -+ + +#ifdef CONFIG_PAX_KERNEXEC + unsigned long addr; + pgd_t *pgd; @@ -3792,11 +4047,11 @@ index ad722f1..763fdd3 100644 + } + } +#endif - ++ +#ifdef CONFIG_HAVE_TCM poison_init_mem(&__tcm_start, &__tcm_end - &__tcm_start); - totalram_pages += free_area(__phys_to_pfn(__pa(&__tcm_start)), - __phys_to_pfn(__pa(&__tcm_end)), + free_reserved_area(&__tcm_start, &__tcm_end, 0, "TCM link"); + #endif diff --git a/arch/arm/mm/ioremap.c b/arch/arm/mm/ioremap.c index 04d9006..c547d85 100644 --- a/arch/arm/mm/ioremap.c @@ -3926,7 +4181,7 @@ index 10062ce..8695745 100644 mm->unmap_area = arch_unmap_area_topdown; } diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c -index a84ff76..f221c1d 100644 +index daf336f..4e6392c 100644 --- a/arch/arm/mm/mmu.c +++ b/arch/arm/mm/mmu.c @@ -36,6 +36,22 @@ @@ -3952,9 +4207,9 @@ index a84ff76..f221c1d 100644 /* * empty_zero_page is a special page that is used for * zero-initialized data and COW. -@@ -211,10 +227,18 @@ void adjust_cr(unsigned long mask, unsigned long set) - } - #endif +@@ -228,10 +244,18 @@ __setup("noalign", noalign_setup); + + #endif /* ifdef CONFIG_CPU_CP15 / else */ -#define PROT_PTE_DEVICE L_PTE_PRESENT|L_PTE_YOUNG|L_PTE_DIRTY|L_PTE_XN +#define PROT_PTE_DEVICE L_PTE_PRESENT|L_PTE_YOUNG|L_PTE_DIRTY @@ -3973,7 +4228,7 @@ index a84ff76..f221c1d 100644 [MT_DEVICE] = { /* Strongly ordered / ARMv6 shared device */ .prot_pte = PROT_PTE_DEVICE | L_PTE_MT_DEV_SHARED | L_PTE_SHARED, -@@ -243,16 +267,16 @@ static struct mem_type mem_types[] = { +@@ -260,16 +284,16 @@ static struct mem_type mem_types[] = { [MT_UNCACHED] = { .prot_pte = PROT_PTE_DEVICE, .prot_l1 = PMD_TYPE_TABLE, @@ -3993,7 +4248,7 @@ index a84ff76..f221c1d 100644 .domain = DOMAIN_KERNEL, }, #endif -@@ -260,36 +284,54 @@ static struct mem_type mem_types[] = { +@@ -277,36 +301,54 @@ static struct mem_type mem_types[] = { .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | L_PTE_RDONLY, .prot_l1 = PMD_TYPE_TABLE, @@ -4002,8 +4257,7 @@ index a84ff76..f221c1d 100644 }, [MT_HIGH_VECTORS] = { .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | -- L_PTE_USER | L_PTE_RDONLY, -+ L_PTE_RDONLY, + L_PTE_USER | L_PTE_RDONLY, .prot_l1 = PMD_TYPE_TABLE, - .domain = DOMAIN_USER, + .domain = DOMAIN_VECTORS, @@ -4057,7 +4311,7 @@ index a84ff76..f221c1d 100644 .domain = DOMAIN_KERNEL, }, [MT_MEMORY_ITCM] = { -@@ -299,10 +341,10 @@ static struct mem_type mem_types[] = { +@@ -316,10 +358,10 @@ static struct mem_type mem_types[] = { }, [MT_MEMORY_SO] = { .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | @@ -4070,7 +4324,7 @@ index a84ff76..f221c1d 100644 .domain = DOMAIN_KERNEL, }, [MT_MEMORY_DMA_READY] = { -@@ -388,9 +430,35 @@ static void __init build_mem_type_table(void) +@@ -405,9 +447,35 @@ static void __init build_mem_type_table(void) * to prevent speculative instruction fetches. */ mem_types[MT_DEVICE].prot_sect |= PMD_SECT_XN; @@ -4106,7 +4360,7 @@ index a84ff76..f221c1d 100644 } if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) { /* -@@ -451,6 +519,9 @@ static void __init build_mem_type_table(void) +@@ -468,6 +536,9 @@ static void __init build_mem_type_table(void) * from SVC mode and no access from userspace. */ mem_types[MT_ROM].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; @@ -4116,7 +4370,7 @@ index a84ff76..f221c1d 100644 mem_types[MT_MINICLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; #endif -@@ -468,11 +539,17 @@ static void __init build_mem_type_table(void) +@@ -485,11 +556,17 @@ static void __init build_mem_type_table(void) mem_types[MT_DEVICE_WC].prot_pte |= L_PTE_SHARED; mem_types[MT_DEVICE_CACHED].prot_sect |= PMD_SECT_S; mem_types[MT_DEVICE_CACHED].prot_pte |= L_PTE_SHARED; @@ -4138,7 +4392,7 @@ index a84ff76..f221c1d 100644 } } -@@ -483,15 +560,20 @@ static void __init build_mem_type_table(void) +@@ -500,15 +577,20 @@ static void __init build_mem_type_table(void) if (cpu_arch >= CPU_ARCH_ARMv6) { if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) { /* Non-cacheable Normal is XCB = 001 */ @@ -4162,7 +4416,7 @@ index a84ff76..f221c1d 100644 } #ifdef CONFIG_ARM_LPAE -@@ -507,6 +589,8 @@ static void __init build_mem_type_table(void) +@@ -524,6 +606,8 @@ static void __init build_mem_type_table(void) vecs_pgprot |= PTE_EXT_AF; #endif @@ -4171,7 +4425,7 @@ index a84ff76..f221c1d 100644 for (i = 0; i < 16; i++) { pteval_t v = pgprot_val(protection_map[i]); protection_map[i] = __pgprot(v | user_pgprot); -@@ -524,10 +608,15 @@ static void __init build_mem_type_table(void) +@@ -541,10 +625,15 @@ static void __init build_mem_type_table(void) mem_types[MT_LOW_VECTORS].prot_l1 |= ecc_mask; mem_types[MT_HIGH_VECTORS].prot_l1 |= ecc_mask; @@ -4190,30 +4444,30 @@ index a84ff76..f221c1d 100644 mem_types[MT_ROM].prot_sect |= cp->pmd; switch (cp->pmd) { -@@ -1147,18 +1236,15 @@ void __init arm_mm_memblock_reserve(void) +@@ -1166,18 +1255,15 @@ void __init arm_mm_memblock_reserve(void) * called function. This means you can't use any function or debugging * method which may touch any device, otherwise the kernel _will_ crash. */ + -+static char vectors[PAGE_SIZE] __read_only __aligned(PAGE_SIZE); ++static char vectors[PAGE_SIZE * 2] __read_only __aligned(PAGE_SIZE); + static void __init devicemaps_init(struct machine_desc *mdesc) { struct map_desc map; unsigned long addr; - void *vectors; -- + - /* - * Allocate the vector page early. - */ -- vectors = early_alloc(PAGE_SIZE); - +- vectors = early_alloc(PAGE_SIZE * 2); +- - early_trap_init(vectors); + early_trap_init(&vectors); for (addr = VMALLOC_START; addr; addr += PMD_SIZE) pmd_clear(pmd_off_k(addr)); -@@ -1198,7 +1284,7 @@ static void __init devicemaps_init(struct machine_desc *mdesc) +@@ -1217,7 +1303,7 @@ static void __init devicemaps_init(struct machine_desc *mdesc) * location (0xffff0000). If we aren't using high-vectors, also * create a mapping at the low-vectors virtual address. */ @@ -4221,8 +4475,8 @@ index a84ff76..f221c1d 100644 + map.pfn = __phys_to_pfn(virt_to_phys(&vectors)); map.virtual = 0xffff0000; map.length = PAGE_SIZE; - map.type = MT_HIGH_VECTORS; -@@ -1256,8 +1342,39 @@ static void __init map_lowmem(void) + #ifdef CONFIG_KUSER_HELPERS +@@ -1287,8 +1373,39 @@ static void __init map_lowmem(void) map.pfn = __phys_to_pfn(start); map.virtual = __phys_to_virt(start); map.length = end - start; @@ -4263,20 +4517,6 @@ index a84ff76..f221c1d 100644 create_mapping(&map); } } -diff --git a/arch/arm/mm/proc-v7-2level.S b/arch/arm/mm/proc-v7-2level.S -index 78f520b..31f0cb6 100644 ---- a/arch/arm/mm/proc-v7-2level.S -+++ b/arch/arm/mm/proc-v7-2level.S -@@ -99,6 +99,9 @@ ENTRY(cpu_v7_set_pte_ext) - tst r1, #L_PTE_XN - orrne r3, r3, #PTE_EXT_XN - -+ tst r1, #L_PTE_PXN -+ orrne r3, r3, #PTE_EXT_PXN -+ - tst r1, #L_PTE_YOUNG - tstne r1, #L_PTE_VALID - #ifndef CONFIG_CPU_USE_DOMAINS diff --git a/arch/arm/plat-omap/sram.c b/arch/arm/plat-omap/sram.c index a5bc92d..0bb4730 100644 --- a/arch/arm/plat-omap/sram.c @@ -4291,10 +4531,10 @@ index a5bc92d..0bb4730 100644 + pax_close_kernel(); } diff --git a/arch/arm/plat-samsung/include/plat/dma-ops.h b/arch/arm/plat-samsung/include/plat/dma-ops.h -index 1141782..0959d64 100644 +index ce6d763..cfea917 100644 --- a/arch/arm/plat-samsung/include/plat/dma-ops.h +++ b/arch/arm/plat-samsung/include/plat/dma-ops.h -@@ -48,7 +48,7 @@ struct samsung_dma_ops { +@@ -47,7 +47,7 @@ struct samsung_dma_ops { int (*started)(unsigned ch); int (*flush)(unsigned ch); int (*stop)(unsigned ch); @@ -4303,6 +4543,33 @@ index 1141782..0959d64 100644 extern void *samsung_dmadev_get_ops(void); extern void *s3c_dma_get_ops(void); +diff --git a/arch/arm64/include/asm/tlb.h b/arch/arm64/include/asm/tlb.h +index 654f096..5546653 100644 +--- a/arch/arm64/include/asm/tlb.h ++++ b/arch/arm64/include/asm/tlb.h +@@ -35,6 +35,7 @@ struct mmu_gather { + struct mm_struct *mm; + unsigned int fullmm; + struct vm_area_struct *vma; ++ unsigned long start, end; + unsigned long range_start; + unsigned long range_end; + unsigned int nr; +@@ -97,10 +98,12 @@ static inline void tlb_flush_mmu(struct mmu_gather *tlb) + } + + static inline void +-tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int fullmm) ++tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end) + { + tlb->mm = mm; +- tlb->fullmm = fullmm; ++ tlb->fullmm = !(start | (end+1)); ++ tlb->start = start; ++ tlb->end = end; + tlb->vma = NULL; + tlb->max = ARRAY_SIZE(tlb->local); + tlb->pages = tlb->local; diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c index f4726dc..39ed646 100644 --- a/arch/arm64/kernel/debug-monitors.c @@ -4712,6 +4979,45 @@ index 54ff557..70c88b7 100644 } static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock) +diff --git a/arch/ia64/include/asm/tlb.h b/arch/ia64/include/asm/tlb.h +index ef3a9de..bc5efc7 100644 +--- a/arch/ia64/include/asm/tlb.h ++++ b/arch/ia64/include/asm/tlb.h +@@ -22,7 +22,7 @@ + * unmapping a portion of the virtual address space, these hooks are called according to + * the following template: + * +- * tlb <- tlb_gather_mmu(mm, full_mm_flush); // start unmap for address space MM ++ * tlb <- tlb_gather_mmu(mm, start, end); // start unmap for address space MM + * { + * for each vma that needs a shootdown do { + * tlb_start_vma(tlb, vma); +@@ -58,6 +58,7 @@ struct mmu_gather { + unsigned int max; + unsigned char fullmm; /* non-zero means full mm flush */ + unsigned char need_flush; /* really unmapped some PTEs? */ ++ unsigned long start, end; + unsigned long start_addr; + unsigned long end_addr; + struct page **pages; +@@ -155,13 +156,15 @@ static inline void __tlb_alloc_page(struct mmu_gather *tlb) + + + static inline void +-tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int full_mm_flush) ++tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end) + { + tlb->mm = mm; + tlb->max = ARRAY_SIZE(tlb->local); + tlb->pages = tlb->local; + tlb->nr = 0; +- tlb->fullmm = full_mm_flush; ++ tlb->fullmm = !(start | (end+1)); ++ tlb->start = start; ++ tlb->end = end; + tlb->start_addr = ~0UL; + } + diff --git a/arch/ia64/include/asm/uaccess.h b/arch/ia64/include/asm/uaccess.h index 449c8c0..18965fb 100644 --- a/arch/ia64/include/asm/uaccess.h @@ -4893,10 +5199,10 @@ index 24603be..948052d 100644 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp); } diff --git a/arch/ia64/kernel/palinfo.c b/arch/ia64/kernel/palinfo.c -index 79521d5..43dddff 100644 +index 2b3c2d7..a318d84 100644 --- a/arch/ia64/kernel/palinfo.c +++ b/arch/ia64/kernel/palinfo.c -@@ -1006,7 +1006,7 @@ static int __cpuinit palinfo_cpu_callback(struct notifier_block *nfb, +@@ -980,7 +980,7 @@ static int __cpuinit palinfo_cpu_callback(struct notifier_block *nfb, return NOTIFY_OK; } @@ -4906,10 +5212,10 @@ index 79521d5..43dddff 100644 .notifier_call = palinfo_cpu_callback, .priority = 0, diff --git a/arch/ia64/kernel/salinfo.c b/arch/ia64/kernel/salinfo.c -index aa527d7..f237752 100644 +index 4bc580a..7767f24 100644 --- a/arch/ia64/kernel/salinfo.c +++ b/arch/ia64/kernel/salinfo.c -@@ -616,7 +616,7 @@ salinfo_cpu_callback(struct notifier_block *nb, unsigned long action, void *hcpu +@@ -609,7 +609,7 @@ salinfo_cpu_callback(struct notifier_block *nb, unsigned long action, void *hcpu return NOTIFY_OK; } @@ -5050,7 +5356,7 @@ index 76069c1..c2aa816 100644 } diff --git a/arch/ia64/mm/init.c b/arch/ia64/mm/init.c -index 20bc967..a26993e 100644 +index d1fe4b4..2628f37 100644 --- a/arch/ia64/mm/init.c +++ b/arch/ia64/mm/init.c @@ -120,6 +120,19 @@ ia64_init_addr_space (void) @@ -5246,11 +5552,102 @@ index c1f6afa..38cc6e9 100644 +#define arch_align_stack(x) ((x) & ~0xfUL) #endif /* _ASM_EXEC_H */ +diff --git a/arch/mips/include/asm/local.h b/arch/mips/include/asm/local.h +index d44622c..64990d2 100644 +--- a/arch/mips/include/asm/local.h ++++ b/arch/mips/include/asm/local.h +@@ -12,15 +12,25 @@ typedef struct + atomic_long_t a; + } local_t; + ++typedef struct { ++ atomic_long_unchecked_t a; ++} local_unchecked_t; ++ + #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) } + + #define local_read(l) atomic_long_read(&(l)->a) ++#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a) + #define local_set(l, i) atomic_long_set(&(l)->a, (i)) ++#define local_set_unchecked(l, i) atomic_long_set_unchecked(&(l)->a, (i)) + + #define local_add(i, l) atomic_long_add((i), (&(l)->a)) ++#define local_add_unchecked(i, l) atomic_long_add_unchecked((i), (&(l)->a)) + #define local_sub(i, l) atomic_long_sub((i), (&(l)->a)) ++#define local_sub_unchecked(i, l) atomic_long_sub_unchecked((i), (&(l)->a)) + #define local_inc(l) atomic_long_inc(&(l)->a) ++#define local_inc_unchecked(l) atomic_long_inc_unchecked(&(l)->a) + #define local_dec(l) atomic_long_dec(&(l)->a) ++#define local_dec_unchecked(l) atomic_long_dec_unchecked(&(l)->a) + + /* + * Same as above, but return the result value +@@ -70,6 +80,51 @@ static __inline__ long local_add_return(long i, local_t * l) + return result; + } + ++static __inline__ long local_add_return_unchecked(long i, local_unchecked_t * l) ++{ ++ unsigned long result; ++ ++ if (kernel_uses_llsc && R10000_LLSC_WAR) { ++ unsigned long temp; ++ ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1:" __LL "%1, %2 # local_add_return \n" ++ " addu %0, %1, %3 \n" ++ __SC "%0, %2 \n" ++ " beqzl %0, 1b \n" ++ " addu %0, %1, %3 \n" ++ " .set mips0 \n" ++ : "=&r" (result), "=&r" (temp), "=m" (l->a.counter) ++ : "Ir" (i), "m" (l->a.counter) ++ : "memory"); ++ } else if (kernel_uses_llsc) { ++ unsigned long temp; ++ ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1:" __LL "%1, %2 # local_add_return \n" ++ " addu %0, %1, %3 \n" ++ __SC "%0, %2 \n" ++ " beqz %0, 1b \n" ++ " addu %0, %1, %3 \n" ++ " .set mips0 \n" ++ : "=&r" (result), "=&r" (temp), "=m" (l->a.counter) ++ : "Ir" (i), "m" (l->a.counter) ++ : "memory"); ++ } else { ++ unsigned long flags; ++ ++ local_irq_save(flags); ++ result = l->a.counter; ++ result += i; ++ l->a.counter = result; ++ local_irq_restore(flags); ++ } ++ ++ return result; ++} ++ + static __inline__ long local_sub_return(long i, local_t * l) + { + unsigned long result; +@@ -117,6 +172,8 @@ static __inline__ long local_sub_return(long i, local_t * l) + + #define local_cmpxchg(l, o, n) \ + ((long)cmpxchg_local(&((l)->a.counter), (o), (n))) ++#define local_cmpxchg_unchecked(l, o, n) \ ++ ((long)cmpxchg_local(&((l)->a.counter), (o), (n))) + #define local_xchg(l, n) (atomic_long_xchg((&(l)->a), (n))) + + /** diff --git a/arch/mips/include/asm/page.h b/arch/mips/include/asm/page.h -index eab99e5..607c98e 100644 +index f59552f..3abe9b9 100644 --- a/arch/mips/include/asm/page.h +++ b/arch/mips/include/asm/page.h -@@ -96,7 +96,7 @@ extern void copy_user_highpage(struct page *to, struct page *from, +@@ -95,7 +95,7 @@ extern void copy_user_highpage(struct page *to, struct page *from, #ifdef CONFIG_CPU_MIPS32 typedef struct { unsigned long pte_low, pte_high; } pte_t; #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32)) @@ -5276,10 +5673,10 @@ index 881d18b..cea38bc 100644 /* diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h -index 178f792..8ebc510 100644 +index 895320e..bf63e10 100644 --- a/arch/mips/include/asm/thread_info.h +++ b/arch/mips/include/asm/thread_info.h -@@ -111,6 +111,8 @@ register struct thread_info *__current_thread_info __asm__("$28"); +@@ -115,6 +115,8 @@ static inline struct thread_info *current_thread_info(void) #define TIF_32BIT_ADDR 23 /* 32-bit address space (o32/n32) */ #define TIF_FPUBOUND 24 /* thread bound to FPU-full CPU set */ #define TIF_LOAD_WATCH 25 /* If set, load watch registers */ @@ -5288,7 +5685,7 @@ index 178f792..8ebc510 100644 #define TIF_SYSCALL_TRACE 31 /* syscall trace active */ #define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE) -@@ -126,15 +128,18 @@ register struct thread_info *__current_thread_info __asm__("$28"); +@@ -130,15 +132,18 @@ static inline struct thread_info *current_thread_info(void) #define _TIF_32BIT_ADDR (1<<TIF_32BIT_ADDR) #define _TIF_FPUBOUND (1<<TIF_FPUBOUND) #define _TIF_LOAD_WATCH (1<<TIF_LOAD_WATCH) @@ -5310,7 +5707,7 @@ index 178f792..8ebc510 100644 #endif /* __KERNEL__ */ diff --git a/arch/mips/kernel/binfmt_elfn32.c b/arch/mips/kernel/binfmt_elfn32.c -index e06f777..3244284 100644 +index 1188e00..41cf144 100644 --- a/arch/mips/kernel/binfmt_elfn32.c +++ b/arch/mips/kernel/binfmt_elfn32.c @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG]; @@ -5328,10 +5725,10 @@ index e06f777..3244284 100644 #include <linux/module.h> #include <linux/elfcore.h> diff --git a/arch/mips/kernel/binfmt_elfo32.c b/arch/mips/kernel/binfmt_elfo32.c -index 556a435..b4fd2e3 100644 +index 202e581..689ca79 100644 --- a/arch/mips/kernel/binfmt_elfo32.c +++ b/arch/mips/kernel/binfmt_elfo32.c -@@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG]; +@@ -56,6 +56,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG]; #undef ELF_ET_DYN_BASE #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2) @@ -5346,10 +5743,10 @@ index 556a435..b4fd2e3 100644 /* diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c -index 3be4405..a799827 100644 +index c6a041d..b3e7318 100644 --- a/arch/mips/kernel/process.c +++ b/arch/mips/kernel/process.c -@@ -461,15 +461,3 @@ unsigned long get_wchan(struct task_struct *task) +@@ -563,15 +563,3 @@ unsigned long get_wchan(struct task_struct *task) out: return pc; } @@ -5393,7 +5790,7 @@ index 9c6299c..2fb4c22 100644 goto out; diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S -index 9ea2964..c4329c3 100644 +index 9b36424..e7f4154 100644 --- a/arch/mips/kernel/scall32-o32.S +++ b/arch/mips/kernel/scall32-o32.S @@ -52,7 +52,7 @@ NESTED(handle_sys, PT_SIZE, sp) @@ -5406,7 +5803,7 @@ index 9ea2964..c4329c3 100644 bnez t0, syscall_trace_entry # -> yes diff --git a/arch/mips/kernel/scall64-64.S b/arch/mips/kernel/scall64-64.S -index 36cfd40..b1436e0 100644 +index 97a5909..59622f8 100644 --- a/arch/mips/kernel/scall64-64.S +++ b/arch/mips/kernel/scall64-64.S @@ -54,7 +54,7 @@ NESTED(handle_sys64, PT_SIZE, sp) @@ -5419,7 +5816,7 @@ index 36cfd40..b1436e0 100644 and t0, t1, t0 bnez t0, syscall_trace_entry diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S -index 693d60b..ae0ba75 100644 +index edcb659..fb2ab09 100644 --- a/arch/mips/kernel/scall64-n32.S +++ b/arch/mips/kernel/scall64-n32.S @@ -47,7 +47,7 @@ NESTED(handle_sysn32, PT_SIZE, sp) @@ -5432,7 +5829,7 @@ index 693d60b..ae0ba75 100644 and t0, t1, t0 bnez t0, n32_syscall_trace_entry diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S -index af8887f..611ccb6 100644 +index 74f485d..47d2c38 100644 --- a/arch/mips/kernel/scall64-o32.S +++ b/arch/mips/kernel/scall64-o32.S @@ -81,7 +81,7 @@ NESTED(handle_sys, PT_SIZE, sp) @@ -5445,7 +5842,7 @@ index af8887f..611ccb6 100644 and t0, t1, t0 bnez t0, trace_a_syscall diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c -index 0fead53..a2c0fb5 100644 +index 0fead53..eeb00a6 100644 --- a/arch/mips/mm/fault.c +++ b/arch/mips/mm/fault.c @@ -27,6 +27,23 @@ @@ -5472,6 +5869,21 @@ index 0fead53..a2c0fb5 100644 /* * This routine handles page faults. It determines the address, * and the problem, and then passes it off to one of the appropriate +@@ -196,6 +213,14 @@ bad_area: + bad_area_nosemaphore: + /* User mode accesses just cause a SIGSEGV */ + if (user_mode(regs)) { ++ ++#ifdef CONFIG_PAX_PAGEEXEC ++ if (cpu_has_rixi && (mm->pax_flags & MF_PAX_PAGEEXEC) && !write && address == instruction_pointer(regs)) { ++ pax_report_fault(regs, (void *)address, (void *)user_stack_pointer(regs)); ++ do_group_exit(SIGKILL); ++ } ++#endif ++ + tsk->thread.cp0_badvaddr = address; + tsk->thread.error_code = write; + #if 0 diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c index 7e5fe27..9656513 100644 --- a/arch/mips/mm/mmap.c @@ -5640,12 +6052,12 @@ index 4ce7a01..449202a 100644 #endif /* __ASM_OPENRISC_CACHE_H */ diff --git a/arch/parisc/include/asm/atomic.h b/arch/parisc/include/asm/atomic.h -index f38e198..4179e38 100644 +index 472886c..00e7df9 100644 --- a/arch/parisc/include/asm/atomic.h +++ b/arch/parisc/include/asm/atomic.h -@@ -229,6 +229,16 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u) - - #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0) +@@ -252,6 +252,16 @@ static inline long atomic64_dec_if_positive(atomic64_t *v) + return dec; + } +#define atomic64_read_unchecked(v) atomic64_read(v) +#define atomic64_set_unchecked(v, i) atomic64_set((v), (i)) @@ -5947,10 +6359,10 @@ index 5dfd248..64914ac 100644 return addr; } diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c -index c6ae9f5..e9c3cf4 100644 +index 04e47c6..7a8faf6 100644 --- a/arch/parisc/kernel/traps.c +++ b/arch/parisc/kernel/traps.c -@@ -733,9 +733,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs) +@@ -727,9 +727,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs) down_read(¤t->mm->mmap_sem); vma = find_vma(current->mm,regs->iaoq[0]); @@ -6177,7 +6589,7 @@ index 9e495c9..b6878e5 100644 #define SMP_CACHE_BYTES L1_CACHE_BYTES diff --git a/arch/powerpc/include/asm/elf.h b/arch/powerpc/include/asm/elf.h -index ac9790f..6d30741 100644 +index cc0655a..13eac2e 100644 --- a/arch/powerpc/include/asm/elf.h +++ b/arch/powerpc/include/asm/elf.h @@ -28,8 +28,19 @@ @@ -6202,7 +6614,7 @@ index ac9790f..6d30741 100644 /* * Our registers are always unsigned longs, whether we're a 32 bit -@@ -122,10 +133,6 @@ extern int arch_setup_additional_pages(struct linux_binprm *bprm, +@@ -123,10 +134,6 @@ extern int arch_setup_additional_pages(struct linux_binprm *bprm, (0x7ff >> (PAGE_SHIFT - 12)) : \ (0x3ffff >> (PAGE_SHIFT - 12))) @@ -6252,7 +6664,7 @@ index 8565c25..2865190 100644 return (vm_flags & VM_SAO) ? __pgprot(_PAGE_SAO) : __pgprot(0); } diff --git a/arch/powerpc/include/asm/page.h b/arch/powerpc/include/asm/page.h -index f072e97..b436dee 100644 +index 988c812..63c7d70 100644 --- a/arch/powerpc/include/asm/page.h +++ b/arch/powerpc/include/asm/page.h @@ -220,8 +220,9 @@ extern long long virt_phys_offset; @@ -6274,14 +6686,14 @@ index f072e97..b436dee 100644 +#define ktla_ktva(addr) (addr) +#define ktva_ktla(addr) (addr) + + #ifndef CONFIG_PPC_BOOK3S_64 /* * Use the top bit of the higher-level page table entries to indicate whether - * the entries we point to contain hugepages. This works because we know that diff --git a/arch/powerpc/include/asm/page_64.h b/arch/powerpc/include/asm/page_64.h -index cd915d6..c10cee8 100644 +index 88693ce..ac6f9ab 100644 --- a/arch/powerpc/include/asm/page_64.h +++ b/arch/powerpc/include/asm/page_64.h -@@ -154,15 +154,18 @@ do { \ +@@ -153,15 +153,18 @@ do { \ * stack by default, so in the absence of a PT_GNU_STACK program header * we turn execute permission off. */ @@ -6303,10 +6715,10 @@ index cd915d6..c10cee8 100644 #include <asm-generic/getorder.h> diff --git a/arch/powerpc/include/asm/pgalloc-64.h b/arch/powerpc/include/asm/pgalloc-64.h -index 292725c..f87ae14 100644 +index b66ae72..4a378cd 100644 --- a/arch/powerpc/include/asm/pgalloc-64.h +++ b/arch/powerpc/include/asm/pgalloc-64.h -@@ -50,6 +50,7 @@ static inline void pgd_free(struct mm_struct *mm, pgd_t *pgd) +@@ -53,6 +53,7 @@ static inline void pgd_free(struct mm_struct *mm, pgd_t *pgd) #ifndef CONFIG_PPC_64K_PAGES #define pgd_populate(MM, PGD, PUD) pgd_set(PGD, PUD) @@ -6314,7 +6726,7 @@ index 292725c..f87ae14 100644 static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr) { -@@ -67,6 +68,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd) +@@ -70,6 +71,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd) pud_set(pud, (unsigned long)pmd); } @@ -6326,8 +6738,8 @@ index 292725c..f87ae14 100644 #define pmd_populate(mm, pmd, pte_page) \ pmd_populate_kernel(mm, pmd, page_address(pte_page)) #define pmd_populate_kernel(mm, pmd, pte) pmd_set(pmd, (unsigned long)(pte)) -@@ -76,6 +82,7 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd) - #else /* CONFIG_PPC_64K_PAGES */ +@@ -171,6 +177,7 @@ extern void __tlb_remove_table(void *_table); + #endif #define pud_populate(mm, pud, pmd) pud_set(pud, (unsigned long)pmd) +#define pud_populate_kernel(mm, pud, pmd) pud_populate((mm), (pud), (pmd)) @@ -6335,7 +6747,7 @@ index 292725c..f87ae14 100644 static inline void pmd_populate_kernel(struct mm_struct *mm, pmd_t *pmd, pte_t *pte) diff --git a/arch/powerpc/include/asm/pgtable.h b/arch/powerpc/include/asm/pgtable.h -index a9cbd3b..3b67efa 100644 +index 7aeb955..19f748e 100644 --- a/arch/powerpc/include/asm/pgtable.h +++ b/arch/powerpc/include/asm/pgtable.h @@ -2,6 +2,7 @@ @@ -6359,7 +6771,7 @@ index 4aad413..85d86bf 100644 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */ #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */ diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h -index 3b097a8..8f8c774 100644 +index e1fb161..2290d1d 100644 --- a/arch/powerpc/include/asm/reg.h +++ b/arch/powerpc/include/asm/reg.h @@ -234,6 +234,7 @@ @@ -6371,7 +6783,7 @@ index 3b097a8..8f8c774 100644 #define DSISR_ISSTORE 0x02000000 /* access was a store */ #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */ diff --git a/arch/powerpc/include/asm/smp.h b/arch/powerpc/include/asm/smp.h -index 195ce2a..ab5c614 100644 +index 48cfc85..891382f 100644 --- a/arch/powerpc/include/asm/smp.h +++ b/arch/powerpc/include/asm/smp.h @@ -50,7 +50,7 @@ struct smp_ops_t { @@ -6384,36 +6796,36 @@ index 195ce2a..ab5c614 100644 extern void smp_send_debugger_break(void); extern void start_secondary_resume(void); diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h -index 406b7b9..af63426 100644 +index ba7b197..d292e26 100644 --- a/arch/powerpc/include/asm/thread_info.h +++ b/arch/powerpc/include/asm/thread_info.h -@@ -97,7 +97,6 @@ static inline struct thread_info *current_thread_info(void) +@@ -93,7 +93,6 @@ static inline struct thread_info *current_thread_info(void) + #define TIF_POLLING_NRFLAG 3 /* true if poll_idle() is polling + TIF_NEED_RESCHED */ + #define TIF_32BIT 4 /* 32 bit binary */ +-#define TIF_PERFMON_WORK 5 /* work for pfm_handle_work() */ #define TIF_PERFMON_CTXSW 6 /* perfmon needs ctxsw calls */ #define TIF_SYSCALL_AUDIT 7 /* syscall auditing active */ #define TIF_SINGLESTEP 8 /* singlestepping active */ --#define TIF_MEMDIE 9 /* is terminating due to OOM killer */ - #define TIF_SECCOMP 10 /* secure computing */ - #define TIF_RESTOREALL 11 /* Restore all regs (implies NOERROR) */ - #define TIF_NOERROR 12 /* Force successful syscall return */ -@@ -106,6 +105,9 @@ static inline struct thread_info *current_thread_info(void) - #define TIF_SYSCALL_TRACEPOINT 15 /* syscall tracepoint instrumentation */ +@@ -107,6 +106,9 @@ static inline struct thread_info *current_thread_info(void) #define TIF_EMULATE_STACK_STORE 16 /* Is an instruction emulation for stack store? */ -+#define TIF_MEMDIE 17 /* is terminating due to OOM killer */ + #define TIF_MEMDIE 17 /* is terminating due to OOM killer */ ++#define TIF_PERFMON_WORK 18 /* work for pfm_handle_work() */ +/* mask must be expressable within 16 bits to satisfy 'andi' instruction reqs */ -+#define TIF_GRSEC_SETXID 9 /* update credentials on syscall entry/exit */ ++#define TIF_GRSEC_SETXID 5 /* update credentials on syscall entry/exit */ /* as above, but as bit values */ #define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE) -@@ -124,8 +126,10 @@ static inline struct thread_info *current_thread_info(void) - #define _TIF_UPROBE (1<<TIF_UPROBE) +@@ -126,9 +128,10 @@ static inline struct thread_info *current_thread_info(void) #define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT) #define _TIF_EMULATE_STACK_STORE (1<<TIF_EMULATE_STACK_STORE) + #define _TIF_NOHZ (1<<TIF_NOHZ) +#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID) #define _TIF_SYSCALL_T_OR_A (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \ -- _TIF_SECCOMP | _TIF_SYSCALL_TRACEPOINT) -+ _TIF_SECCOMP | _TIF_SYSCALL_TRACEPOINT | \ -+ _TIF_GRSEC_SETXID) + _TIF_SECCOMP | _TIF_SYSCALL_TRACEPOINT | \ +- _TIF_NOHZ) ++ _TIF_NOHZ | _TIF_GRSEC_SETXID) #define _TIF_USER_WORK_MASK (_TIF_SIGPENDING | _TIF_NEED_RESCHED | \ _TIF_NOTIFY_RESUME | _TIF_UPROBE) @@ -6590,10 +7002,10 @@ index 4db4959..aba5c41 100644 static inline unsigned long clear_user(void __user *addr, unsigned long size) diff --git a/arch/powerpc/kernel/exceptions-64e.S b/arch/powerpc/kernel/exceptions-64e.S -index ae54553..cf2184d 100644 +index 645170a..6cf0271 100644 --- a/arch/powerpc/kernel/exceptions-64e.S +++ b/arch/powerpc/kernel/exceptions-64e.S -@@ -716,6 +716,7 @@ storage_fault_common: +@@ -757,6 +757,7 @@ storage_fault_common: std r14,_DAR(r1) std r15,_DSISR(r1) addi r3,r1,STACK_FRAME_OVERHEAD @@ -6601,7 +7013,7 @@ index ae54553..cf2184d 100644 mr r4,r14 mr r5,r15 ld r14,PACA_EXGEN+EX_R14(r13) -@@ -724,8 +725,7 @@ storage_fault_common: +@@ -765,8 +766,7 @@ storage_fault_common: cmpdi r3,0 bne- 1f b .ret_from_except_lite @@ -6612,10 +7024,10 @@ index ae54553..cf2184d 100644 ld r4,_DAR(r1) bl .bad_page_fault diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S -index 644378e..b6f2c26 100644 +index 902ca3c..e942155 100644 --- a/arch/powerpc/kernel/exceptions-64s.S +++ b/arch/powerpc/kernel/exceptions-64s.S -@@ -1390,10 +1390,10 @@ handle_page_fault: +@@ -1357,10 +1357,10 @@ handle_page_fault: 11: ld r4,_DAR(r1) ld r5,_DSISR(r1) addi r3,r1,STACK_FRAME_OVERHEAD @@ -6661,10 +7073,10 @@ index 2e3200c..72095ce 100644 /* Find this entry, or if that fails, the next avail. entry */ while (entry->jump[0]) { diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c -index 0d86c8a..df4c5f2 100644 +index 7baa27b..f6b394a 100644 --- a/arch/powerpc/kernel/process.c +++ b/arch/powerpc/kernel/process.c -@@ -871,8 +871,8 @@ void show_regs(struct pt_regs * regs) +@@ -884,8 +884,8 @@ void show_regs(struct pt_regs * regs) * Lookup NIP late so we have the best change of getting the * above info out without failing */ @@ -6675,7 +7087,7 @@ index 0d86c8a..df4c5f2 100644 #endif #ifdef CONFIG_PPC_TRANSACTIONAL_MEM printk("PACATMSCRATCH [%llx]\n", get_paca()->tm_scratch); -@@ -1331,10 +1331,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) +@@ -1345,10 +1345,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) newsp = stack[0]; ip = stack[STACK_FRAME_LR_SAVE]; if (!firstframe || ip != lr) { @@ -6688,7 +7100,7 @@ index 0d86c8a..df4c5f2 100644 (void *)current->ret_stack[curr_frame].ret); curr_frame--; } -@@ -1354,7 +1354,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) +@@ -1368,7 +1368,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) struct pt_regs *regs = (struct pt_regs *) (sp + STACK_FRAME_OVERHEAD); lr = regs->link; @@ -6697,7 +7109,7 @@ index 0d86c8a..df4c5f2 100644 regs->trap, (void *)regs->nip, (void *)lr); firstframe = 1; } -@@ -1396,58 +1396,3 @@ void notrace __ppc64_runlatch_off(void) +@@ -1404,58 +1404,3 @@ void notrace __ppc64_runlatch_off(void) mtspr(SPRN_CTRLT, ctrl); } #endif /* CONFIG_PPC64 */ @@ -6757,10 +7169,10 @@ index 0d86c8a..df4c5f2 100644 - return ret; -} diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c -index f9b30c6..d72e7a3 100644 +index 64f7bd5..8dd550f 100644 --- a/arch/powerpc/kernel/ptrace.c +++ b/arch/powerpc/kernel/ptrace.c -@@ -1771,6 +1771,10 @@ long arch_ptrace(struct task_struct *child, long request, +@@ -1783,6 +1783,10 @@ long arch_ptrace(struct task_struct *child, long request, return ret; } @@ -6771,7 +7183,7 @@ index f9b30c6..d72e7a3 100644 /* * We must return the syscall number to actually look up in the table. * This can be -1L to skip running any syscall at all. -@@ -1781,6 +1785,11 @@ long do_syscall_trace_enter(struct pt_regs *regs) +@@ -1795,6 +1799,11 @@ long do_syscall_trace_enter(struct pt_regs *regs) secure_computing_strict(regs->gpr[0]); @@ -6783,7 +7195,7 @@ index f9b30c6..d72e7a3 100644 if (test_thread_flag(TIF_SYSCALL_TRACE) && tracehook_report_syscall_entry(regs)) /* -@@ -1815,6 +1824,11 @@ void do_syscall_trace_leave(struct pt_regs *regs) +@@ -1829,6 +1838,11 @@ void do_syscall_trace_leave(struct pt_regs *regs) { int step; @@ -6796,10 +7208,10 @@ index f9b30c6..d72e7a3 100644 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c -index 201385c..0f01828 100644 +index 0f83122..c0aca6a 100644 --- a/arch/powerpc/kernel/signal_32.c +++ b/arch/powerpc/kernel/signal_32.c -@@ -976,7 +976,7 @@ int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka, +@@ -987,7 +987,7 @@ int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka, /* Save user registers on the stack */ frame = &rt_sf->uc.uc_mcontext; addr = frame; @@ -6809,10 +7221,10 @@ index 201385c..0f01828 100644 tramp = current->mm->context.vdso_base + vdso32_rt_sigtramp; } else { diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c -index 3459473..2d40783 100644 +index 887e99d..310bc11 100644 --- a/arch/powerpc/kernel/signal_64.c +++ b/arch/powerpc/kernel/signal_64.c -@@ -749,7 +749,7 @@ int handle_rt_signal64(int signr, struct k_sigaction *ka, siginfo_t *info, +@@ -751,7 +751,7 @@ int handle_rt_signal64(int signr, struct k_sigaction *ka, siginfo_t *info, #endif /* Set up to return from userspace. */ @@ -6822,7 +7234,7 @@ index 3459473..2d40783 100644 } else { err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]); diff --git a/arch/powerpc/kernel/sysfs.c b/arch/powerpc/kernel/sysfs.c -index 3ce1f86..c30e629 100644 +index e68a845..8b140e6 100644 --- a/arch/powerpc/kernel/sysfs.c +++ b/arch/powerpc/kernel/sysfs.c @@ -522,7 +522,7 @@ static int __cpuinit sysfs_cpu_notify(struct notifier_block *self, @@ -6835,10 +7247,10 @@ index 3ce1f86..c30e629 100644 }; diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c -index bf33ace..e836d8b 100644 +index 88929b1..bece8f8 100644 --- a/arch/powerpc/kernel/traps.c +++ b/arch/powerpc/kernel/traps.c -@@ -142,6 +142,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs) +@@ -141,6 +141,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs) return flags; } @@ -6847,7 +7259,7 @@ index bf33ace..e836d8b 100644 static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr) { -@@ -191,6 +193,9 @@ static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, +@@ -190,6 +192,9 @@ static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, panic("Fatal exception in interrupt"); if (panic_on_oops) panic("Fatal exception"); @@ -6858,7 +7270,7 @@ index bf33ace..e836d8b 100644 } diff --git a/arch/powerpc/kernel/vdso.c b/arch/powerpc/kernel/vdso.c -index 1b2076f..835e4be 100644 +index d4f463a..8fb7431 100644 --- a/arch/powerpc/kernel/vdso.c +++ b/arch/powerpc/kernel/vdso.c @@ -34,6 +34,7 @@ @@ -6869,7 +7281,7 @@ index 1b2076f..835e4be 100644 #include "setup.h" -@@ -218,7 +219,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) +@@ -222,7 +223,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) vdso_base = VDSO32_MBASE; #endif @@ -6878,7 +7290,7 @@ index 1b2076f..835e4be 100644 /* vDSO has a problem and was disabled, just don't "enable" it for the * process -@@ -238,7 +239,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) +@@ -242,7 +243,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) vdso_base = get_unmapped_area(NULL, vdso_base, (vdso_pages << PAGE_SHIFT) + ((VDSO_ALIGNMENT - 1) & PAGE_MASK), @@ -6923,13 +7335,13 @@ index 5eea6f3..5d10396 100644 EXPORT_SYMBOL(copy_in_user); diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c -index 229951f..cdeca42 100644 +index 8726779..a33c512 100644 --- a/arch/powerpc/mm/fault.c +++ b/arch/powerpc/mm/fault.c -@@ -32,6 +32,10 @@ - #include <linux/perf_event.h> +@@ -33,6 +33,10 @@ #include <linux/magic.h> #include <linux/ratelimit.h> + #include <linux/context_tracking.h> +#include <linux/slab.h> +#include <linux/pagemap.h> +#include <linux/compiler.h> @@ -6937,7 +7349,7 @@ index 229951f..cdeca42 100644 #include <asm/firmware.h> #include <asm/page.h> -@@ -68,6 +72,33 @@ static inline int notify_page_fault(struct pt_regs *regs) +@@ -69,6 +73,33 @@ static inline int notify_page_fault(struct pt_regs *regs) } #endif @@ -6971,7 +7383,7 @@ index 229951f..cdeca42 100644 /* * Check whether the instruction at regs->nip is a store using * an update addressing form which will update r1. -@@ -213,7 +244,7 @@ int __kprobes do_page_fault(struct pt_regs *regs, unsigned long address, +@@ -216,7 +247,7 @@ int __kprobes do_page_fault(struct pt_regs *regs, unsigned long address, * indicate errors in DSISR but can validly be set in SRR1. */ if (trap == 0x400) @@ -6980,7 +7392,7 @@ index 229951f..cdeca42 100644 else is_write = error_code & DSISR_ISSTORE; #else -@@ -364,7 +395,7 @@ good_area: +@@ -371,7 +402,7 @@ good_area: * "undefined". Of those that can be set, this is the only * one which seems bad. */ @@ -6989,7 +7401,7 @@ index 229951f..cdeca42 100644 /* Guarded storage error. */ goto bad_area; #endif /* CONFIG_8xx */ -@@ -379,7 +410,7 @@ good_area: +@@ -386,7 +417,7 @@ good_area: * processors use the same I/D cache coherency mechanism * as embedded. */ @@ -6998,7 +7410,7 @@ index 229951f..cdeca42 100644 goto bad_area; #endif /* CONFIG_PPC_STD_MMU */ -@@ -462,6 +493,23 @@ bad_area: +@@ -471,6 +502,23 @@ bad_area: bad_area_nosemaphore: /* User mode accesses cause a SIGSEGV */ if (user_mode(regs)) { @@ -7020,7 +7432,7 @@ index 229951f..cdeca42 100644 +#endif + _exception(SIGSEGV, regs, code, address); - return 0; + goto bail; } diff --git a/arch/powerpc/mm/mmap_64.c b/arch/powerpc/mm/mmap_64.c index 67a42ed..cd463e0 100644 @@ -7074,10 +7486,10 @@ index e779642..e5bb889 100644 }; diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c -index 6a252c4..3024d81 100644 +index cafad40..9cbc0fc 100644 --- a/arch/powerpc/mm/numa.c +++ b/arch/powerpc/mm/numa.c -@@ -932,7 +932,7 @@ static void __init *careful_zallocation(int nid, unsigned long size, +@@ -920,7 +920,7 @@ static void __init *careful_zallocation(int nid, unsigned long size, return ret; } @@ -7087,7 +7499,7 @@ index 6a252c4..3024d81 100644 .priority = 1 /* Must run before sched domains notifier. */ }; diff --git a/arch/powerpc/mm/slice.c b/arch/powerpc/mm/slice.c -index cf9dada..241529f 100644 +index 3e99c14..f00953c 100644 --- a/arch/powerpc/mm/slice.c +++ b/arch/powerpc/mm/slice.c @@ -103,7 +103,7 @@ static int slice_area_is_free(struct mm_struct *mm, unsigned long addr, @@ -7099,52 +7511,20 @@ index cf9dada..241529f 100644 } static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice) -@@ -272,7 +272,7 @@ full_search: - addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT); - continue; - } -- if (!vma || addr + len <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len, 0)) { - /* - * Remember the place where we stopped the search: - */ -@@ -329,10 +329,14 @@ static unsigned long slice_find_area_topdown(struct mm_struct *mm, - } - } +@@ -277,6 +277,12 @@ static unsigned long slice_find_area_bottomup(struct mm_struct *mm, + info.align_offset = 0; -- addr = mm->mmap_base; -- while (addr > len) { -+ if (mm->mmap_base < len) -+ addr = -ENOMEM; -+ else -+ addr = mm->mmap_base - len; + addr = TASK_UNMAPPED_BASE; + -+ while (!IS_ERR_VALUE(addr)) { - /* Go down by chunk size */ -- addr = _ALIGN_DOWN(addr - len, 1ul << pshift); -+ addr = _ALIGN_DOWN(addr, 1ul << pshift); - - /* Check for hit with different page size */ - mask = slice_range_to_mask(addr, len); -@@ -352,7 +356,7 @@ static unsigned long slice_find_area_topdown(struct mm_struct *mm, - * return with success: - */ - vma = find_vma(mm, addr); -- if (!vma || (addr + len) <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len, 0)) { - /* remember the address as a hint for next time */ - if (use_cache) - mm->free_area_cache = addr; -@@ -364,7 +368,7 @@ static unsigned long slice_find_area_topdown(struct mm_struct *mm, - mm->cached_hole_size = vma->vm_start - addr; - - /* try just below the current vma->vm_start */ -- addr = vma->vm_start; -+ addr = skip_heap_stack_gap(vma, len, 0); - } - - /* -@@ -442,6 +446,11 @@ unsigned long slice_get_unmapped_area(unsigned long addr, unsigned long len, ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ addr += mm->delta_mmap; ++#endif ++ + while (addr < TASK_SIZE) { + info.low_limit = addr; + if (!slice_scan_available(addr, available, 1, &addr)) +@@ -410,6 +416,11 @@ unsigned long slice_get_unmapped_area(unsigned long addr, unsigned long len, if (fixed && addr > (mm->task_size - len)) return -EINVAL; @@ -7157,10 +7537,10 @@ index cf9dada..241529f 100644 if (!fixed && addr) { addr = _ALIGN_UP(addr, 1ul << pshift); diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c -index 68c57d3..1fdcfb2 100644 +index 9098692..3d54cd1 100644 --- a/arch/powerpc/platforms/cell/spufs/file.c +++ b/arch/powerpc/platforms/cell/spufs/file.c -@@ -281,9 +281,9 @@ spufs_mem_mmap_fault(struct vm_area_struct *vma, struct vm_fault *vmf) +@@ -280,9 +280,9 @@ spufs_mem_mmap_fault(struct vm_area_struct *vma, struct vm_fault *vmf) return VM_FAULT_NOPAGE; } @@ -7223,10 +7603,10 @@ index 4d7ccac..d03d0ad 100644 #define __read_mostly __attribute__((__section__(".data..read_mostly"))) diff --git a/arch/s390/include/asm/elf.h b/arch/s390/include/asm/elf.h -index 1bfdf24..9c9ab2e 100644 +index 78f4f87..598ce39 100644 --- a/arch/s390/include/asm/elf.h +++ b/arch/s390/include/asm/elf.h -@@ -160,8 +160,14 @@ extern unsigned int vdso_enabled; +@@ -162,8 +162,14 @@ extern unsigned int vdso_enabled; the loader. We need to make sure that it is out of the way of the program that it will "exec", and that there is sufficient room for the brk. */ @@ -7243,7 +7623,7 @@ index 1bfdf24..9c9ab2e 100644 /* This yields a mask that user programs can use to figure out what instruction set this CPU supports. */ -@@ -207,9 +213,6 @@ struct linux_binprm; +@@ -222,9 +228,6 @@ struct linux_binprm; #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1 int arch_setup_additional_pages(struct linux_binprm *, int); @@ -7265,6 +7645,34 @@ index c4a93d6..4d2a9b4 100644 +#define arch_align_stack(x) ((x) & ~0xfUL) #endif /* __ASM_EXEC_H */ +diff --git a/arch/s390/include/asm/tlb.h b/arch/s390/include/asm/tlb.h +index b75d7d6..6d6d92b 100644 +--- a/arch/s390/include/asm/tlb.h ++++ b/arch/s390/include/asm/tlb.h +@@ -32,6 +32,7 @@ struct mmu_gather { + struct mm_struct *mm; + struct mmu_table_batch *batch; + unsigned int fullmm; ++ unsigned long start, end; + }; + + struct mmu_table_batch { +@@ -48,10 +49,13 @@ extern void tlb_remove_table(struct mmu_gather *tlb, void *table); + + static inline void tlb_gather_mmu(struct mmu_gather *tlb, + struct mm_struct *mm, +- unsigned int full_mm_flush) ++ unsigned long start, ++ unsigned long end) + { + tlb->mm = mm; +- tlb->fullmm = full_mm_flush; ++ tlb->start = start; ++ tlb->end = end; ++ tlb->fullmm = !(start | (end+1)); + tlb->batch = NULL; + if (tlb->fullmm) + __tlb_flush_mm(mm); diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h index 9c33ed4..e40cbef 100644 --- a/arch/s390/include/asm/uaccess.h @@ -7383,10 +7791,10 @@ index 7845e15..59c4353 100644 if (r_type == R_390_GOTPC) rc = apply_rela_bits(loc, val, 1, 32, 0); diff --git a/arch/s390/kernel/process.c b/arch/s390/kernel/process.c -index 536d645..4a5bd9e 100644 +index 2bc3edd..ab9d598 100644 --- a/arch/s390/kernel/process.c +++ b/arch/s390/kernel/process.c -@@ -250,39 +250,3 @@ unsigned long get_wchan(struct task_struct *p) +@@ -236,39 +236,3 @@ unsigned long get_wchan(struct task_struct *p) } return 0; } @@ -7504,10 +7912,10 @@ index f9f3cd5..58ff438 100644 #endif /* _ASM_SCORE_EXEC_H */ diff --git a/arch/score/kernel/process.c b/arch/score/kernel/process.c -index 7956846..5f37677 100644 +index f4c6d02..e9355c3 100644 --- a/arch/score/kernel/process.c +++ b/arch/score/kernel/process.c -@@ -134,8 +134,3 @@ unsigned long get_wchan(struct task_struct *task) +@@ -116,8 +116,3 @@ unsigned long get_wchan(struct task_struct *task) return task_pt_regs(task)->cp0_epc; } @@ -7533,6 +7941,25 @@ index ef9e555..331bd29 100644 #define __read_mostly __attribute__((__section__(".data..read_mostly"))) +diff --git a/arch/sh/include/asm/tlb.h b/arch/sh/include/asm/tlb.h +index e61d43d..362192e 100644 +--- a/arch/sh/include/asm/tlb.h ++++ b/arch/sh/include/asm/tlb.h +@@ -36,10 +36,12 @@ static inline void init_tlb_gather(struct mmu_gather *tlb) + } + + static inline void +-tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int full_mm_flush) ++tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end) + { + tlb->mm = mm; +- tlb->fullmm = full_mm_flush; ++ tlb->start = start; ++ tlb->end = end; ++ tlb->fullmm = !(start | (end+1)); + + init_tlb_gather(tlb); + } diff --git a/arch/sh/kernel/cpu/sh4a/smp-shx3.c b/arch/sh/kernel/cpu/sh4a/smp-shx3.c index 03f2b55..b0270327 100644 --- a/arch/sh/kernel/cpu/sh4a/smp-shx3.c @@ -8053,7 +8480,7 @@ index 9689176..63c18ea 100644 unsigned long mask, tmp1, tmp2, result; diff --git a/arch/sparc/include/asm/thread_info_32.h b/arch/sparc/include/asm/thread_info_32.h -index 25849ae..924c54b 100644 +index dd38075..e7cac83 100644 --- a/arch/sparc/include/asm/thread_info_32.h +++ b/arch/sparc/include/asm/thread_info_32.h @@ -49,6 +49,8 @@ struct thread_info { @@ -8066,7 +8493,7 @@ index 25849ae..924c54b 100644 /* diff --git a/arch/sparc/include/asm/thread_info_64.h b/arch/sparc/include/asm/thread_info_64.h -index 269bd92..e46a9b8 100644 +index d5e5042..9bfee76 100644 --- a/arch/sparc/include/asm/thread_info_64.h +++ b/arch/sparc/include/asm/thread_info_64.h @@ -63,6 +63,8 @@ struct thread_info { @@ -8211,19 +8638,19 @@ index e562d3c..191f176 100644 { - unsigned long ret = ___copy_to_user(to, from, size); + unsigned long ret; -+ + + if ((long)size < 0 || size > INT_MAX) + return size; + + if (!__builtin_constant_p(size)) + check_object_size(from, size, true); - ++ + ret = ___copy_to_user(to, from, size); if (unlikely(ret)) ret = copy_to_user_fixup(to, from, size); return ret; diff --git a/arch/sparc/kernel/Makefile b/arch/sparc/kernel/Makefile -index 6cf591b..b49e65a 100644 +index d432fb2..6056af1 100644 --- a/arch/sparc/kernel/Makefile +++ b/arch/sparc/kernel/Makefile @@ -3,7 +3,7 @@ @@ -8235,11 +8662,32 @@ index 6cf591b..b49e65a 100644 extra-y := head_$(BITS).o +diff --git a/arch/sparc/kernel/ds.c b/arch/sparc/kernel/ds.c +index 5ef48da..11d460f 100644 +--- a/arch/sparc/kernel/ds.c ++++ b/arch/sparc/kernel/ds.c +@@ -783,6 +783,16 @@ void ldom_set_var(const char *var, const char *value) + char *base, *p; + int msg_len, loops; + ++ if (strlen(var) + strlen(value) + 2 > ++ sizeof(pkt) - sizeof(pkt.header)) { ++ printk(KERN_ERR PFX ++ "contents length: %zu, which more than max: %lu," ++ "so could not set (%s) variable to (%s).\n", ++ strlen(var) + strlen(value) + 2, ++ sizeof(pkt) - sizeof(pkt.header), var, value); ++ return; ++ } ++ + memset(&pkt, 0, sizeof(pkt)); + pkt.header.data.tag.type = DS_DATA; + pkt.header.data.handle = cp->handle; diff --git a/arch/sparc/kernel/process_32.c b/arch/sparc/kernel/process_32.c -index 62eede1..9c5b904 100644 +index fdd819d..5af08c8 100644 --- a/arch/sparc/kernel/process_32.c +++ b/arch/sparc/kernel/process_32.c -@@ -125,14 +125,14 @@ void show_regs(struct pt_regs *r) +@@ -116,14 +116,14 @@ void show_regs(struct pt_regs *r) printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n", r->psr, r->pc, r->npc, r->y, print_tainted()); @@ -8256,7 +8704,7 @@ index 62eede1..9c5b904 100644 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n", rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3], -@@ -167,7 +167,7 @@ void show_stack(struct task_struct *tsk, unsigned long *_ksp) +@@ -160,7 +160,7 @@ void show_stack(struct task_struct *tsk, unsigned long *_ksp) rw = (struct reg_window32 *) fp; pc = rw->ins[7]; printk("[%08lx : ", pc); @@ -8266,10 +8714,10 @@ index 62eede1..9c5b904 100644 } while (++count < 16); printk("\n"); diff --git a/arch/sparc/kernel/process_64.c b/arch/sparc/kernel/process_64.c -index cdb80b2..5ca141d 100644 +index baebab2..9cd13b1 100644 --- a/arch/sparc/kernel/process_64.c +++ b/arch/sparc/kernel/process_64.c -@@ -181,14 +181,14 @@ static void show_regwindow(struct pt_regs *regs) +@@ -158,7 +158,7 @@ static void show_regwindow(struct pt_regs *regs) printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n", rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]); if (regs->tstate & TSTATE_PRIV) @@ -8278,7 +8726,8 @@ index cdb80b2..5ca141d 100644 } void show_regs(struct pt_regs *regs) - { +@@ -167,7 +167,7 @@ void show_regs(struct pt_regs *regs) + printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate, regs->tpc, regs->tnpc, regs->y, print_tainted()); - printk("TPC: <%pS>\n", (void *) regs->tpc); @@ -8286,7 +8735,7 @@ index cdb80b2..5ca141d 100644 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n", regs->u_regs[0], regs->u_regs[1], regs->u_regs[2], regs->u_regs[3]); -@@ -201,7 +201,7 @@ void show_regs(struct pt_regs *regs) +@@ -180,7 +180,7 @@ void show_regs(struct pt_regs *regs) printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n", regs->u_regs[12], regs->u_regs[13], regs->u_regs[14], regs->u_regs[15]); @@ -8295,7 +8744,7 @@ index cdb80b2..5ca141d 100644 show_regwindow(regs); show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]); } -@@ -290,7 +290,7 @@ void arch_trigger_all_cpu_backtrace(void) +@@ -269,7 +269,7 @@ void arch_trigger_all_cpu_backtrace(void) ((tp && tp->task) ? tp->task->pid : -1)); if (gp->tstate & TSTATE_PRIV) { @@ -8305,10 +8754,10 @@ index cdb80b2..5ca141d 100644 (void *) gp->o7, (void *) gp->i7, diff --git a/arch/sparc/kernel/prom_common.c b/arch/sparc/kernel/prom_common.c -index 9f20566..67eb41b 100644 +index 79cc0d1..ec62734 100644 --- a/arch/sparc/kernel/prom_common.c +++ b/arch/sparc/kernel/prom_common.c -@@ -143,7 +143,7 @@ static int __init prom_common_nextprop(phandle node, char *prev, char *buf) +@@ -144,7 +144,7 @@ static int __init prom_common_nextprop(phandle node, char *prev, char *buf) unsigned int prom_early_allocated __initdata; @@ -8370,7 +8819,7 @@ index 3a8d184..49498a8 100644 info.flags = 0; info.length = len; diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c -index 708bc29..6bfdfad 100644 +index 2daaaa6..4fb84dc 100644 --- a/arch/sparc/kernel/sys_sparc_64.c +++ b/arch/sparc/kernel/sys_sparc_64.c @@ -90,13 +90,14 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi @@ -8491,7 +8940,12 @@ index 708bc29..6bfdfad 100644 info.high_limit = STACK_TOP32; addr = vm_unmapped_area(&info); } -@@ -264,6 +286,10 @@ static unsigned long mmap_rnd(void) +@@ -260,10 +282,14 @@ unsigned long get_fb_unmapped_area(struct file *filp, unsigned long orig_addr, u + EXPORT_SYMBOL(get_fb_unmapped_area); + + /* Essentially the same as PowerPC. */ +-static unsigned long mmap_rnd(void) ++static unsigned long mmap_rnd(struct mm_struct *mm) { unsigned long rnd = 0UL; @@ -8502,6 +8956,15 @@ index 708bc29..6bfdfad 100644 if (current->flags & PF_RANDOMIZE) { unsigned long val = get_random_int(); if (test_thread_flag(TIF_32BIT)) +@@ -276,7 +302,7 @@ static unsigned long mmap_rnd(void) + + void arch_pick_mmap_layout(struct mm_struct *mm) + { +- unsigned long random_factor = mmap_rnd(); ++ unsigned long random_factor = mmap_rnd(mm); + unsigned long gap; + + /* @@ -289,6 +315,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) gap == RLIM_INFINITY || sysctl_legacy_va_layout) { @@ -8615,7 +9078,7 @@ index 6629829..036032d 100644 } diff --git a/arch/sparc/kernel/traps_64.c b/arch/sparc/kernel/traps_64.c -index 8d38ca9..845b1d6 100644 +index b3f833a..ac74b2d 100644 --- a/arch/sparc/kernel/traps_64.c +++ b/arch/sparc/kernel/traps_64.c @@ -76,7 +76,7 @@ static void dump_tl1_traplog(struct tl1_traplog *p) @@ -8725,7 +9188,7 @@ index 8d38ca9..845b1d6 100644 graph++; } } -@@ -2367,6 +2378,8 @@ static inline struct reg_window *kernel_stack_up(struct reg_window *rw) +@@ -2360,6 +2371,8 @@ static inline struct reg_window *kernel_stack_up(struct reg_window *rw) return (struct reg_window *) (fp + STACK_BIAS); } @@ -8734,7 +9197,7 @@ index 8d38ca9..845b1d6 100644 void die_if_kernel(char *str, struct pt_regs *regs) { static int die_counter; -@@ -2395,7 +2408,7 @@ void die_if_kernel(char *str, struct pt_regs *regs) +@@ -2388,7 +2401,7 @@ void die_if_kernel(char *str, struct pt_regs *regs) while (rw && count++ < 30 && kstack_valid(tp, (unsigned long) rw)) { @@ -8743,7 +9206,7 @@ index 8d38ca9..845b1d6 100644 (void *) rw->ins[7]); rw = kernel_stack_up(rw); -@@ -2408,8 +2421,10 @@ void die_if_kernel(char *str, struct pt_regs *regs) +@@ -2401,8 +2414,10 @@ void die_if_kernel(char *str, struct pt_regs *regs) } user_instruction_dump ((unsigned int __user *) regs->tpc); } @@ -8768,117 +9231,8 @@ index 8201c25e..072a2a7 100644 regs->tpc, (void *) regs->tpc); } } -diff --git a/arch/sparc/kernel/us3_cpufreq.c b/arch/sparc/kernel/us3_cpufreq.c -index eb1624b..55100de 100644 ---- a/arch/sparc/kernel/us3_cpufreq.c -+++ b/arch/sparc/kernel/us3_cpufreq.c -@@ -18,14 +18,12 @@ - #include <asm/head.h> - #include <asm/timer.h> - --static struct cpufreq_driver *cpufreq_us3_driver; -- - struct us3_freq_percpu_info { - struct cpufreq_frequency_table table[4]; - }; - - /* Indexed by cpu number. */ --static struct us3_freq_percpu_info *us3_freq_table; -+static struct us3_freq_percpu_info us3_freq_table[NR_CPUS]; - - /* UltraSPARC-III has three dividers: 1, 2, and 32. These are controlled - * in the Safari config register. -@@ -191,12 +189,25 @@ static int __init us3_freq_cpu_init(struct cpufreq_policy *policy) - - static int us3_freq_cpu_exit(struct cpufreq_policy *policy) - { -- if (cpufreq_us3_driver) -- us3_set_cpu_divider_index(policy->cpu, 0); -+ us3_set_cpu_divider_index(policy->cpu, 0); - - return 0; - } - -+static int __init us3_freq_init(void); -+static void __exit us3_freq_exit(void); -+ -+static struct cpufreq_driver cpufreq_us3_driver = { -+ .init = us3_freq_cpu_init, -+ .verify = us3_freq_verify, -+ .target = us3_freq_target, -+ .get = us3_freq_get, -+ .exit = us3_freq_cpu_exit, -+ .owner = THIS_MODULE, -+ .name = "UltraSPARC-III", -+ -+}; -+ - static int __init us3_freq_init(void) - { - unsigned long manuf, impl, ver; -@@ -213,57 +224,15 @@ static int __init us3_freq_init(void) - (impl == CHEETAH_IMPL || - impl == CHEETAH_PLUS_IMPL || - impl == JAGUAR_IMPL || -- impl == PANTHER_IMPL)) { -- struct cpufreq_driver *driver; -- -- ret = -ENOMEM; -- driver = kzalloc(sizeof(struct cpufreq_driver), GFP_KERNEL); -- if (!driver) -- goto err_out; -- -- us3_freq_table = kzalloc( -- (NR_CPUS * sizeof(struct us3_freq_percpu_info)), -- GFP_KERNEL); -- if (!us3_freq_table) -- goto err_out; -- -- driver->init = us3_freq_cpu_init; -- driver->verify = us3_freq_verify; -- driver->target = us3_freq_target; -- driver->get = us3_freq_get; -- driver->exit = us3_freq_cpu_exit; -- driver->owner = THIS_MODULE, -- strcpy(driver->name, "UltraSPARC-III"); -- -- cpufreq_us3_driver = driver; -- ret = cpufreq_register_driver(driver); -- if (ret) -- goto err_out; -- -- return 0; -- --err_out: -- if (driver) { -- kfree(driver); -- cpufreq_us3_driver = NULL; -- } -- kfree(us3_freq_table); -- us3_freq_table = NULL; -- return ret; -- } -+ impl == PANTHER_IMPL)) -+ return cpufreq_register_driver(&cpufreq_us3_driver); - - return -ENODEV; - } - - static void __exit us3_freq_exit(void) - { -- if (cpufreq_us3_driver) { -- cpufreq_unregister_driver(cpufreq_us3_driver); -- kfree(cpufreq_us3_driver); -- cpufreq_us3_driver = NULL; -- kfree(us3_freq_table); -- us3_freq_table = NULL; -- } -+ cpufreq_unregister_driver(&cpufreq_us3_driver); - } - - MODULE_AUTHOR("David S. Miller <davem@redhat.com>"); diff --git a/arch/sparc/lib/Makefile b/arch/sparc/lib/Makefile -index 8410065f2..4fd4ca22 100644 +index dbe119b..089c7c1 100644 --- a/arch/sparc/lib/Makefile +++ b/arch/sparc/lib/Makefile @@ -2,7 +2,7 @@ @@ -9978,10 +10332,20 @@ index 5062ff3..e0b75f3 100644 * load/store/atomic was a write or not, it only says that there * was no match. So in such a case we (carefully) read the diff --git a/arch/sparc/mm/hugetlbpage.c b/arch/sparc/mm/hugetlbpage.c -index d2b5944..bd813f2 100644 +index d2b5944..d878f3c 100644 --- a/arch/sparc/mm/hugetlbpage.c +++ b/arch/sparc/mm/hugetlbpage.c -@@ -38,7 +38,7 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp, +@@ -28,7 +28,8 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp, + unsigned long addr, + unsigned long len, + unsigned long pgoff, +- unsigned long flags) ++ unsigned long flags, ++ unsigned long offset) + { + unsigned long task_size = TASK_SIZE; + struct vm_unmapped_area_info info; +@@ -38,15 +39,22 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp, info.flags = 0; info.length = len; @@ -9990,7 +10354,9 @@ index d2b5944..bd813f2 100644 info.high_limit = min(task_size, VA_EXCLUDE_START); info.align_mask = PAGE_MASK & ~HPAGE_MASK; info.align_offset = 0; -@@ -47,6 +47,12 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp, ++ info.threadstack_offset = offset; + addr = vm_unmapped_area(&info); + if ((addr & ~PAGE_MASK) && task_size > VA_EXCLUDE_END) { VM_BUG_ON(addr != -ENOMEM); info.low_limit = VA_EXCLUDE_END; @@ -10003,7 +10369,25 @@ index d2b5944..bd813f2 100644 info.high_limit = task_size; addr = vm_unmapped_area(&info); } -@@ -85,6 +91,12 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -58,7 +66,8 @@ static unsigned long + hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + const unsigned long len, + const unsigned long pgoff, +- const unsigned long flags) ++ const unsigned long flags, ++ const unsigned long offset) + { + struct mm_struct *mm = current->mm; + unsigned long addr = addr0; +@@ -73,6 +82,7 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + info.high_limit = mm->mmap_base; + info.align_mask = PAGE_MASK & ~HPAGE_MASK; + info.align_offset = 0; ++ info.threadstack_offset = offset; + addr = vm_unmapped_area(&info); + + /* +@@ -85,6 +95,12 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, VM_BUG_ON(addr != -ENOMEM); info.flags = 0; info.low_limit = TASK_UNMAPPED_BASE; @@ -10016,7 +10400,7 @@ index d2b5944..bd813f2 100644 info.high_limit = STACK_TOP32; addr = vm_unmapped_area(&info); } -@@ -99,6 +111,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, +@@ -99,6 +115,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, struct mm_struct *mm = current->mm; struct vm_area_struct *vma; unsigned long task_size = TASK_SIZE; @@ -10024,7 +10408,7 @@ index d2b5944..bd813f2 100644 if (test_thread_flag(TIF_32BIT)) task_size = STACK_TOP32; -@@ -114,11 +127,14 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, +@@ -114,19 +131,22 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, return addr; } @@ -10041,20 +10425,16 @@ index d2b5944..bd813f2 100644 return addr; } if (mm->get_unmapped_area == arch_get_unmapped_area) -diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c -index 83d89bc..37e7bc4 100644 ---- a/arch/sparc/mm/tlb.c -+++ b/arch/sparc/mm/tlb.c -@@ -85,8 +85,8 @@ static void tlb_batch_add_one(struct mm_struct *mm, unsigned long vaddr, - } - - if (!tb->active) { -- global_flush_tlb_page(mm, vaddr); - flush_tsb_user_page(mm, vaddr); -+ global_flush_tlb_page(mm, vaddr); - goto out; - } + return hugetlb_get_unmapped_area_bottomup(file, addr, len, +- pgoff, flags); ++ pgoff, flags, offset); + else + return hugetlb_get_unmapped_area_topdown(file, addr, len, +- pgoff, flags); ++ pgoff, flags, offset); + } + pte_t *huge_pte_alloc(struct mm_struct *mm, diff --git a/arch/tile/include/asm/atomic_64.h b/arch/tile/include/asm/atomic_64.h index f4500c6..889656c 100644 --- a/arch/tile/include/asm/atomic_64.h @@ -10095,10 +10475,10 @@ index a9a5299..0fce79e 100644 /* bytes per L2 cache line */ #define L2_CACHE_SHIFT CHIP_L2_LOG_LINE_SIZE() diff --git a/arch/tile/include/asm/uaccess.h b/arch/tile/include/asm/uaccess.h -index 9ab078a..d6635c2 100644 +index 8a082bc..7a6bf87 100644 --- a/arch/tile/include/asm/uaccess.h +++ b/arch/tile/include/asm/uaccess.h -@@ -403,9 +403,9 @@ static inline unsigned long __must_check copy_from_user(void *to, +@@ -408,9 +408,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n) { @@ -10215,11 +10595,30 @@ index 0032f92..cd151e0 100644 #ifdef CONFIG_64BIT #define set_pud(pudptr, pudval) set_64bit((u64 *) (pudptr), pud_val(pudval)) +diff --git a/arch/um/include/asm/tlb.h b/arch/um/include/asm/tlb.h +index 4febacd..29b0301 100644 +--- a/arch/um/include/asm/tlb.h ++++ b/arch/um/include/asm/tlb.h +@@ -45,10 +45,12 @@ static inline void init_tlb_gather(struct mmu_gather *tlb) + } + + static inline void +-tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int full_mm_flush) ++tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end) + { + tlb->mm = mm; +- tlb->fullmm = full_mm_flush; ++ tlb->start = start; ++ tlb->end = end; ++ tlb->fullmm = !(start | (end+1)); + + init_tlb_gather(tlb); + } diff --git a/arch/um/kernel/process.c b/arch/um/kernel/process.c -index b462b13..e7a19aa 100644 +index bbcef52..6a2a483 100644 --- a/arch/um/kernel/process.c +++ b/arch/um/kernel/process.c -@@ -386,22 +386,6 @@ int singlestepping(void * t) +@@ -367,22 +367,6 @@ int singlestepping(void * t) return 2; } @@ -10260,10 +10659,10 @@ index ad8f795..2c7eec6 100644 /* * Memory returned by kmalloc() may be used for DMA, so we must make diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index de80b33..c0f0899 100644 +index fe120da..24177f7 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -243,7 +243,7 @@ config X86_HT +@@ -239,7 +239,7 @@ config X86_HT config X86_32_LAZY_GS def_bool y @@ -10272,7 +10671,7 @@ index de80b33..c0f0899 100644 config ARCH_HWEIGHT_CFLAGS string -@@ -1076,6 +1076,7 @@ config MICROCODE_EARLY +@@ -1073,6 +1073,7 @@ config MICROCODE_EARLY config X86_MSR tristate "/dev/cpu/*/msr - Model-specific register support" @@ -10280,7 +10679,7 @@ index de80b33..c0f0899 100644 ---help--- This device gives privileged processes access to the x86 Model-Specific Registers (MSRs). It is a character device with -@@ -1099,7 +1100,7 @@ choice +@@ -1096,7 +1097,7 @@ choice config NOHIGHMEM bool "off" @@ -10289,7 +10688,7 @@ index de80b33..c0f0899 100644 ---help--- Linux can use up to 64 Gigabytes of physical memory on x86 systems. However, the address space of 32-bit x86 processors is only 4 -@@ -1136,7 +1137,7 @@ config NOHIGHMEM +@@ -1133,7 +1134,7 @@ config NOHIGHMEM config HIGHMEM4G bool "4GB" @@ -10298,7 +10697,7 @@ index de80b33..c0f0899 100644 ---help--- Select this if you have a 32-bit processor and between 1 and 4 gigabytes of physical RAM. -@@ -1189,7 +1190,7 @@ config PAGE_OFFSET +@@ -1186,7 +1187,7 @@ config PAGE_OFFSET hex default 0xB0000000 if VMSPLIT_3G_OPT default 0x80000000 if VMSPLIT_2G @@ -10307,7 +10706,7 @@ index de80b33..c0f0899 100644 default 0x40000000 if VMSPLIT_1G default 0xC0000000 depends on X86_32 -@@ -1587,6 +1588,7 @@ config SECCOMP +@@ -1584,6 +1585,7 @@ config SECCOMP config CC_STACKPROTECTOR bool "Enable -fstack-protector buffer overflow detection" @@ -10315,7 +10714,7 @@ index de80b33..c0f0899 100644 ---help--- This option turns on the -fstack-protector GCC feature. This feature puts, at the beginning of functions, a canary value on -@@ -1706,6 +1708,8 @@ config X86_NEED_RELOCS +@@ -1703,6 +1705,8 @@ config X86_NEED_RELOCS config PHYSICAL_ALIGN hex "Alignment value to which kernel should be aligned" if X86_32 default "0x1000000" @@ -10324,7 +10723,7 @@ index de80b33..c0f0899 100644 range 0x2000 0x1000000 ---help--- This value puts the alignment restrictions on physical address -@@ -1781,9 +1785,10 @@ config DEBUG_HOTPLUG_CPU0 +@@ -1778,9 +1782,10 @@ config DEBUG_HOTPLUG_CPU0 If unsure, say N. config COMPAT_VDSO @@ -10368,7 +10767,7 @@ index c026cca..14657ae 100644 config X86_MINIMUM_CPU_FAMILY int diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug -index b322f12..652d0d9 100644 +index c198b7e..63eea60 100644 --- a/arch/x86/Kconfig.debug +++ b/arch/x86/Kconfig.debug @@ -84,7 +84,7 @@ config X86_PTDUMP @@ -10389,15 +10788,6 @@ index b322f12..652d0d9 100644 ---help--- This option helps catch unintended modifications to loadable kernel module's text and read-only data. It also prevents execution -@@ -294,7 +294,7 @@ config OPTIMIZE_INLINING - - config DEBUG_STRICT_USER_COPY_CHECKS - bool "Strict copy size checks" -- depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING -+ depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING && !PAX_SIZE_OVERFLOW - ---help--- - Enabling this option turns a certain set of sanity checks for user - copy operations into compile time failures. diff --git a/arch/x86/Makefile b/arch/x86/Makefile index 5c47726..8c4fa67 100644 --- a/arch/x86/Makefile @@ -10496,7 +10886,7 @@ index 5ef205c..342191d 100644 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__ GCOV_PROFILE := n diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index c205035..5853587 100644 +index d606463..b887794 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -150,7 +150,6 @@ again: @@ -10590,7 +10980,7 @@ index 1e3184f..0d11e2e 100644 jmp 1b 2: diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S -index c1d383d..57ab51c 100644 +index 16f24e6..47491a3 100644 --- a/arch/x86/boot/compressed/head_64.S +++ b/arch/x86/boot/compressed/head_64.S @@ -97,7 +97,7 @@ ENTRY(startup_32) @@ -10824,7 +11214,7 @@ index 9105655..5e37f27 100644 movq r1,r2; \ movq r3,r4; \ diff --git a/arch/x86/crypto/aesni-intel_asm.S b/arch/x86/crypto/aesni-intel_asm.S -index 04b7977..402f223 100644 +index 477e9d7..3ab339f 100644 --- a/arch/x86/crypto/aesni-intel_asm.S +++ b/arch/x86/crypto/aesni-intel_asm.S @@ -31,6 +31,7 @@ @@ -10835,7 +11225,7 @@ index 04b7977..402f223 100644 #ifdef __x86_64__ .data -@@ -1435,6 +1436,7 @@ _return_T_done_decrypt: +@@ -1441,6 +1442,7 @@ _return_T_done_decrypt: pop %r14 pop %r13 pop %r12 @@ -10843,7 +11233,7 @@ index 04b7977..402f223 100644 ret ENDPROC(aesni_gcm_dec) -@@ -1699,6 +1701,7 @@ _return_T_done_encrypt: +@@ -1705,6 +1707,7 @@ _return_T_done_encrypt: pop %r14 pop %r13 pop %r12 @@ -10851,7 +11241,7 @@ index 04b7977..402f223 100644 ret ENDPROC(aesni_gcm_enc) -@@ -1716,6 +1719,7 @@ _key_expansion_256a: +@@ -1722,6 +1725,7 @@ _key_expansion_256a: pxor %xmm1, %xmm0 movaps %xmm0, (TKEYP) add $0x10, TKEYP @@ -10859,7 +11249,7 @@ index 04b7977..402f223 100644 ret ENDPROC(_key_expansion_128) ENDPROC(_key_expansion_256a) -@@ -1742,6 +1746,7 @@ _key_expansion_192a: +@@ -1748,6 +1752,7 @@ _key_expansion_192a: shufps $0b01001110, %xmm2, %xmm1 movaps %xmm1, 0x10(TKEYP) add $0x20, TKEYP @@ -10867,7 +11257,7 @@ index 04b7977..402f223 100644 ret ENDPROC(_key_expansion_192a) -@@ -1762,6 +1767,7 @@ _key_expansion_192b: +@@ -1768,6 +1773,7 @@ _key_expansion_192b: movaps %xmm0, (TKEYP) add $0x10, TKEYP @@ -10875,7 +11265,7 @@ index 04b7977..402f223 100644 ret ENDPROC(_key_expansion_192b) -@@ -1775,6 +1781,7 @@ _key_expansion_256b: +@@ -1781,6 +1787,7 @@ _key_expansion_256b: pxor %xmm1, %xmm2 movaps %xmm2, (TKEYP) add $0x10, TKEYP @@ -10883,7 +11273,7 @@ index 04b7977..402f223 100644 ret ENDPROC(_key_expansion_256b) -@@ -1888,6 +1895,7 @@ ENTRY(aesni_set_key) +@@ -1894,6 +1901,7 @@ ENTRY(aesni_set_key) #ifndef __x86_64__ popl KEYP #endif @@ -10891,7 +11281,7 @@ index 04b7977..402f223 100644 ret ENDPROC(aesni_set_key) -@@ -1910,6 +1918,7 @@ ENTRY(aesni_enc) +@@ -1916,6 +1924,7 @@ ENTRY(aesni_enc) popl KLEN popl KEYP #endif @@ -10899,7 +11289,7 @@ index 04b7977..402f223 100644 ret ENDPROC(aesni_enc) -@@ -1968,6 +1977,7 @@ _aesni_enc1: +@@ -1974,6 +1983,7 @@ _aesni_enc1: AESENC KEY STATE movaps 0x70(TKEYP), KEY AESENCLAST KEY STATE @@ -10907,7 +11297,7 @@ index 04b7977..402f223 100644 ret ENDPROC(_aesni_enc1) -@@ -2077,6 +2087,7 @@ _aesni_enc4: +@@ -2083,6 +2093,7 @@ _aesni_enc4: AESENCLAST KEY STATE2 AESENCLAST KEY STATE3 AESENCLAST KEY STATE4 @@ -10915,7 +11305,7 @@ index 04b7977..402f223 100644 ret ENDPROC(_aesni_enc4) -@@ -2100,6 +2111,7 @@ ENTRY(aesni_dec) +@@ -2106,6 +2117,7 @@ ENTRY(aesni_dec) popl KLEN popl KEYP #endif @@ -10923,7 +11313,7 @@ index 04b7977..402f223 100644 ret ENDPROC(aesni_dec) -@@ -2158,6 +2170,7 @@ _aesni_dec1: +@@ -2164,6 +2176,7 @@ _aesni_dec1: AESDEC KEY STATE movaps 0x70(TKEYP), KEY AESDECLAST KEY STATE @@ -10931,7 +11321,7 @@ index 04b7977..402f223 100644 ret ENDPROC(_aesni_dec1) -@@ -2267,6 +2280,7 @@ _aesni_dec4: +@@ -2273,6 +2286,7 @@ _aesni_dec4: AESDECLAST KEY STATE2 AESDECLAST KEY STATE3 AESDECLAST KEY STATE4 @@ -10939,7 +11329,7 @@ index 04b7977..402f223 100644 ret ENDPROC(_aesni_dec4) -@@ -2325,6 +2339,7 @@ ENTRY(aesni_ecb_enc) +@@ -2331,6 +2345,7 @@ ENTRY(aesni_ecb_enc) popl KEYP popl LEN #endif @@ -10947,7 +11337,7 @@ index 04b7977..402f223 100644 ret ENDPROC(aesni_ecb_enc) -@@ -2384,6 +2399,7 @@ ENTRY(aesni_ecb_dec) +@@ -2390,6 +2405,7 @@ ENTRY(aesni_ecb_dec) popl KEYP popl LEN #endif @@ -10955,7 +11345,7 @@ index 04b7977..402f223 100644 ret ENDPROC(aesni_ecb_dec) -@@ -2426,6 +2442,7 @@ ENTRY(aesni_cbc_enc) +@@ -2432,6 +2448,7 @@ ENTRY(aesni_cbc_enc) popl LEN popl IVP #endif @@ -10963,7 +11353,7 @@ index 04b7977..402f223 100644 ret ENDPROC(aesni_cbc_enc) -@@ -2517,6 +2534,7 @@ ENTRY(aesni_cbc_dec) +@@ -2523,6 +2540,7 @@ ENTRY(aesni_cbc_dec) popl LEN popl IVP #endif @@ -10971,7 +11361,7 @@ index 04b7977..402f223 100644 ret ENDPROC(aesni_cbc_dec) -@@ -2544,6 +2562,7 @@ _aesni_inc_init: +@@ -2550,6 +2568,7 @@ _aesni_inc_init: mov $1, TCTR_LOW MOVQ_R64_XMM TCTR_LOW INC MOVQ_R64_XMM CTR TCTR_LOW @@ -10979,7 +11369,7 @@ index 04b7977..402f223 100644 ret ENDPROC(_aesni_inc_init) -@@ -2573,6 +2592,7 @@ _aesni_inc: +@@ -2579,6 +2598,7 @@ _aesni_inc: .Linc_low: movaps CTR, IV PSHUFB_XMM BSWAP_MASK IV @@ -10987,14 +11377,73 @@ index 04b7977..402f223 100644 ret ENDPROC(_aesni_inc) -@@ -2634,6 +2654,7 @@ ENTRY(aesni_ctr_enc) +@@ -2640,6 +2660,7 @@ ENTRY(aesni_ctr_enc) .Lctr_enc_ret: movups IV, (IVP) .Lctr_enc_just_ret: + pax_force_retaddr 0, 1 ret ENDPROC(aesni_ctr_enc) - #endif + +@@ -2766,6 +2787,7 @@ ENTRY(aesni_xts_crypt8) + pxor INC, STATE4 + movdqu STATE4, 0x70(OUTP) + ++ pax_force_retaddr 0, 1 + ret + ENDPROC(aesni_xts_crypt8) + +diff --git a/arch/x86/crypto/blowfish-avx2-asm_64.S b/arch/x86/crypto/blowfish-avx2-asm_64.S +index 784452e..46982c7 100644 +--- a/arch/x86/crypto/blowfish-avx2-asm_64.S ++++ b/arch/x86/crypto/blowfish-avx2-asm_64.S +@@ -221,6 +221,7 @@ __blowfish_enc_blk32: + + write_block(RXl, RXr); + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(__blowfish_enc_blk32) + +@@ -250,6 +251,7 @@ __blowfish_dec_blk32: + + write_block(RXl, RXr); + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(__blowfish_dec_blk32) + +@@ -284,6 +286,7 @@ ENTRY(blowfish_ecb_enc_32way) + + vzeroupper; + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(blowfish_ecb_enc_32way) + +@@ -318,6 +321,7 @@ ENTRY(blowfish_ecb_dec_32way) + + vzeroupper; + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(blowfish_ecb_dec_32way) + +@@ -365,6 +369,7 @@ ENTRY(blowfish_cbc_dec_32way) + + vzeroupper; + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(blowfish_cbc_dec_32way) + +@@ -445,5 +450,6 @@ ENTRY(blowfish_ctr_32way) + + vzeroupper; + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(blowfish_ctr_32way) diff --git a/arch/x86/crypto/blowfish-x86_64-asm_64.S b/arch/x86/crypto/blowfish-x86_64-asm_64.S index 246c670..4d1ed00 100644 --- a/arch/x86/crypto/blowfish-x86_64-asm_64.S @@ -11050,6 +11499,174 @@ index 246c670..4d1ed00 100644 + pax_force_retaddr 0, 1 ret; ENDPROC(blowfish_dec_blk_4way) +diff --git a/arch/x86/crypto/camellia-aesni-avx-asm_64.S b/arch/x86/crypto/camellia-aesni-avx-asm_64.S +index ce71f92..2dd5b1e 100644 +--- a/arch/x86/crypto/camellia-aesni-avx-asm_64.S ++++ b/arch/x86/crypto/camellia-aesni-avx-asm_64.S +@@ -16,6 +16,7 @@ + */ + + #include <linux/linkage.h> ++#include <asm/alternative-asm.h> + + #define CAMELLIA_TABLE_BYTE_LEN 272 + +@@ -191,6 +192,7 @@ roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd: + roundsm16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, + %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm15, + %rcx, (%r9)); ++ pax_force_retaddr_bts + ret; + ENDPROC(roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd) + +@@ -199,6 +201,7 @@ roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab: + roundsm16(%xmm4, %xmm5, %xmm6, %xmm7, %xmm0, %xmm1, %xmm2, %xmm3, + %xmm12, %xmm13, %xmm14, %xmm15, %xmm8, %xmm9, %xmm10, %xmm11, + %rax, (%r9)); ++ pax_force_retaddr_bts + ret; + ENDPROC(roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab) + +@@ -780,6 +783,7 @@ __camellia_enc_blk16: + %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, + %xmm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 16(%rax)); + ++ pax_force_retaddr_bts + ret; + + .align 8 +@@ -865,6 +869,7 @@ __camellia_dec_blk16: + %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, + %xmm15, (key_table)(CTX), (%rax), 1 * 16(%rax)); + ++ pax_force_retaddr_bts + ret; + + .align 8 +@@ -904,6 +909,7 @@ ENTRY(camellia_ecb_enc_16way) + %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9, + %xmm8, %rsi); + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(camellia_ecb_enc_16way) + +@@ -932,6 +938,7 @@ ENTRY(camellia_ecb_dec_16way) + %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9, + %xmm8, %rsi); + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(camellia_ecb_dec_16way) + +@@ -981,6 +988,7 @@ ENTRY(camellia_cbc_dec_16way) + %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9, + %xmm8, %rsi); + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(camellia_cbc_dec_16way) + +@@ -1092,6 +1100,7 @@ ENTRY(camellia_ctr_16way) + %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9, + %xmm8, %rsi); + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(camellia_ctr_16way) + +@@ -1234,6 +1243,7 @@ camellia_xts_crypt_16way: + %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9, + %xmm8, %rsi); + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(camellia_xts_crypt_16way) + +diff --git a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S +index 91a1878..bcf340a 100644 +--- a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S ++++ b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S +@@ -11,6 +11,7 @@ + */ + + #include <linux/linkage.h> ++#include <asm/alternative-asm.h> + + #define CAMELLIA_TABLE_BYTE_LEN 272 + +@@ -212,6 +213,7 @@ roundsm32_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd: + roundsm32(%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7, + %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14, %ymm15, + %rcx, (%r9)); ++ pax_force_retaddr_bts + ret; + ENDPROC(roundsm32_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd) + +@@ -220,6 +222,7 @@ roundsm32_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab: + roundsm32(%ymm4, %ymm5, %ymm6, %ymm7, %ymm0, %ymm1, %ymm2, %ymm3, + %ymm12, %ymm13, %ymm14, %ymm15, %ymm8, %ymm9, %ymm10, %ymm11, + %rax, (%r9)); ++ pax_force_retaddr_bts + ret; + ENDPROC(roundsm32_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab) + +@@ -802,6 +805,7 @@ __camellia_enc_blk32: + %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14, + %ymm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 32(%rax)); + ++ pax_force_retaddr_bts + ret; + + .align 8 +@@ -887,6 +891,7 @@ __camellia_dec_blk32: + %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14, + %ymm15, (key_table)(CTX), (%rax), 1 * 32(%rax)); + ++ pax_force_retaddr_bts + ret; + + .align 8 +@@ -930,6 +935,7 @@ ENTRY(camellia_ecb_enc_32way) + + vzeroupper; + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(camellia_ecb_enc_32way) + +@@ -962,6 +968,7 @@ ENTRY(camellia_ecb_dec_32way) + + vzeroupper; + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(camellia_ecb_dec_32way) + +@@ -1028,6 +1035,7 @@ ENTRY(camellia_cbc_dec_32way) + + vzeroupper; + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(camellia_cbc_dec_32way) + +@@ -1166,6 +1174,7 @@ ENTRY(camellia_ctr_32way) + + vzeroupper; + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(camellia_ctr_32way) + +@@ -1331,6 +1340,7 @@ camellia_xts_crypt_32way: + + vzeroupper; + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(camellia_xts_crypt_32way) + diff --git a/arch/x86/crypto/camellia-x86_64-asm_64.S b/arch/x86/crypto/camellia-x86_64-asm_64.S index 310319c..ce174a4 100644 --- a/arch/x86/crypto/camellia-x86_64-asm_64.S @@ -11168,7 +11785,7 @@ index c35fd5d..c1ee236 100644 ret; ENDPROC(cast5_ctr_16way) diff --git a/arch/x86/crypto/cast6-avx-x86_64-asm_64.S b/arch/x86/crypto/cast6-avx-x86_64-asm_64.S -index f93b610..c09bf40 100644 +index e3531f8..18ded3a 100644 --- a/arch/x86/crypto/cast6-avx-x86_64-asm_64.S +++ b/arch/x86/crypto/cast6-avx-x86_64-asm_64.S @@ -24,6 +24,7 @@ @@ -11179,7 +11796,7 @@ index f93b610..c09bf40 100644 #include "glue_helper-asm-avx.S" .file "cast6-avx-x86_64-asm_64.S" -@@ -293,6 +294,7 @@ __cast6_enc_blk8: +@@ -295,6 +296,7 @@ __cast6_enc_blk8: outunpack_blocks(RA1, RB1, RC1, RD1, RTMP, RX, RKRF, RKM); outunpack_blocks(RA2, RB2, RC2, RD2, RTMP, RX, RKRF, RKM); @@ -11187,7 +11804,7 @@ index f93b610..c09bf40 100644 ret; ENDPROC(__cast6_enc_blk8) -@@ -338,6 +340,7 @@ __cast6_dec_blk8: +@@ -340,6 +342,7 @@ __cast6_dec_blk8: outunpack_blocks(RA1, RB1, RC1, RD1, RTMP, RX, RKRF, RKM); outunpack_blocks(RA2, RB2, RC2, RD2, RTMP, RX, RKRF, RKM); @@ -11195,7 +11812,7 @@ index f93b610..c09bf40 100644 ret; ENDPROC(__cast6_dec_blk8) -@@ -356,6 +359,7 @@ ENTRY(cast6_ecb_enc_8way) +@@ -358,6 +361,7 @@ ENTRY(cast6_ecb_enc_8way) store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); @@ -11203,7 +11820,7 @@ index f93b610..c09bf40 100644 ret; ENDPROC(cast6_ecb_enc_8way) -@@ -374,6 +378,7 @@ ENTRY(cast6_ecb_dec_8way) +@@ -376,6 +380,7 @@ ENTRY(cast6_ecb_dec_8way) store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); @@ -11211,7 +11828,7 @@ index f93b610..c09bf40 100644 ret; ENDPROC(cast6_ecb_dec_8way) -@@ -397,6 +402,7 @@ ENTRY(cast6_cbc_dec_8way) +@@ -399,6 +404,7 @@ ENTRY(cast6_cbc_dec_8way) popq %r12; @@ -11219,13 +11836,92 @@ index f93b610..c09bf40 100644 ret; ENDPROC(cast6_cbc_dec_8way) -@@ -422,5 +428,6 @@ ENTRY(cast6_ctr_8way) +@@ -424,6 +430,7 @@ ENTRY(cast6_ctr_8way) popq %r12; + pax_force_retaddr ret; ENDPROC(cast6_ctr_8way) + +@@ -446,6 +453,7 @@ ENTRY(cast6_xts_enc_8way) + /* dst <= regs xor IVs(in dst) */ + store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + ++ pax_force_retaddr + ret; + ENDPROC(cast6_xts_enc_8way) + +@@ -468,5 +476,6 @@ ENTRY(cast6_xts_dec_8way) + /* dst <= regs xor IVs(in dst) */ + store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + ++ pax_force_retaddr + ret; + ENDPROC(cast6_xts_dec_8way) +diff --git a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S +index dbc4339..3d868c5 100644 +--- a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S ++++ b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S +@@ -45,6 +45,7 @@ + + #include <asm/inst.h> + #include <linux/linkage.h> ++#include <asm/alternative-asm.h> + + ## ISCSI CRC 32 Implementation with crc32 and pclmulqdq Instruction + +@@ -312,6 +313,7 @@ do_return: + popq %rsi + popq %rdi + popq %rbx ++ pax_force_retaddr 0, 1 + ret + + ################################################################ +diff --git a/arch/x86/crypto/ghash-clmulni-intel_asm.S b/arch/x86/crypto/ghash-clmulni-intel_asm.S +index 586f41a..d02851e 100644 +--- a/arch/x86/crypto/ghash-clmulni-intel_asm.S ++++ b/arch/x86/crypto/ghash-clmulni-intel_asm.S +@@ -18,6 +18,7 @@ + + #include <linux/linkage.h> + #include <asm/inst.h> ++#include <asm/alternative-asm.h> + + .data + +@@ -93,6 +94,7 @@ __clmul_gf128mul_ble: + psrlq $1, T2 + pxor T2, T1 + pxor T1, DATA ++ pax_force_retaddr + ret + ENDPROC(__clmul_gf128mul_ble) + +@@ -105,6 +107,7 @@ ENTRY(clmul_ghash_mul) + call __clmul_gf128mul_ble + PSHUFB_XMM BSWAP DATA + movups DATA, (%rdi) ++ pax_force_retaddr + ret + ENDPROC(clmul_ghash_mul) + +@@ -132,6 +135,7 @@ ENTRY(clmul_ghash_update) + PSHUFB_XMM BSWAP DATA + movups DATA, (%rdi) + .Lupdate_just_ret: ++ pax_force_retaddr + ret + ENDPROC(clmul_ghash_update) + +@@ -157,5 +161,6 @@ ENTRY(clmul_ghash_setkey) + pand .Lpoly, %xmm1 + pxor %xmm1, %xmm0 + movups %xmm0, (%rdi) ++ pax_force_retaddr + ret + ENDPROC(clmul_ghash_setkey) diff --git a/arch/x86/crypto/salsa20-x86_64-asm_64.S b/arch/x86/crypto/salsa20-x86_64-asm_64.S index 9279e0b..9270820 100644 --- a/arch/x86/crypto/salsa20-x86_64-asm_64.S @@ -11260,10 +11956,10 @@ index 9279e0b..9270820 100644 ret ENDPROC(salsa20_ivsetup) diff --git a/arch/x86/crypto/serpent-avx-x86_64-asm_64.S b/arch/x86/crypto/serpent-avx-x86_64-asm_64.S -index 43c9386..a0e2d60 100644 +index 2f202f4..d9164d6 100644 --- a/arch/x86/crypto/serpent-avx-x86_64-asm_64.S +++ b/arch/x86/crypto/serpent-avx-x86_64-asm_64.S -@@ -25,6 +25,7 @@ +@@ -24,6 +24,7 @@ */ #include <linux/linkage.h> @@ -11271,7 +11967,7 @@ index 43c9386..a0e2d60 100644 #include "glue_helper-asm-avx.S" .file "serpent-avx-x86_64-asm_64.S" -@@ -617,6 +618,7 @@ __serpent_enc_blk8_avx: +@@ -618,6 +619,7 @@ __serpent_enc_blk8_avx: write_blocks(RA1, RB1, RC1, RD1, RK0, RK1, RK2); write_blocks(RA2, RB2, RC2, RD2, RK0, RK1, RK2); @@ -11279,7 +11975,7 @@ index 43c9386..a0e2d60 100644 ret; ENDPROC(__serpent_enc_blk8_avx) -@@ -671,6 +673,7 @@ __serpent_dec_blk8_avx: +@@ -672,6 +674,7 @@ __serpent_dec_blk8_avx: write_blocks(RC1, RD1, RB1, RE1, RK0, RK1, RK2); write_blocks(RC2, RD2, RB2, RE2, RK0, RK1, RK2); @@ -11287,7 +11983,7 @@ index 43c9386..a0e2d60 100644 ret; ENDPROC(__serpent_dec_blk8_avx) -@@ -687,6 +690,7 @@ ENTRY(serpent_ecb_enc_8way_avx) +@@ -688,6 +691,7 @@ ENTRY(serpent_ecb_enc_8way_avx) store_8way(%rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); @@ -11295,7 +11991,7 @@ index 43c9386..a0e2d60 100644 ret; ENDPROC(serpent_ecb_enc_8way_avx) -@@ -703,6 +707,7 @@ ENTRY(serpent_ecb_dec_8way_avx) +@@ -704,6 +708,7 @@ ENTRY(serpent_ecb_dec_8way_avx) store_8way(%rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2); @@ -11303,7 +11999,7 @@ index 43c9386..a0e2d60 100644 ret; ENDPROC(serpent_ecb_dec_8way_avx) -@@ -719,6 +724,7 @@ ENTRY(serpent_cbc_dec_8way_avx) +@@ -720,6 +725,7 @@ ENTRY(serpent_cbc_dec_8way_avx) store_cbc_8way(%rdx, %rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2); @@ -11311,13 +12007,104 @@ index 43c9386..a0e2d60 100644 ret; ENDPROC(serpent_cbc_dec_8way_avx) -@@ -737,5 +743,6 @@ ENTRY(serpent_ctr_8way_avx) +@@ -738,6 +744,7 @@ ENTRY(serpent_ctr_8way_avx) store_ctr_8way(%rdx, %rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + pax_force_retaddr ret; ENDPROC(serpent_ctr_8way_avx) + +@@ -758,6 +765,7 @@ ENTRY(serpent_xts_enc_8way_avx) + /* dst <= regs xor IVs(in dst) */ + store_xts_8way(%rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + ++ pax_force_retaddr + ret; + ENDPROC(serpent_xts_enc_8way_avx) + +@@ -778,5 +786,6 @@ ENTRY(serpent_xts_dec_8way_avx) + /* dst <= regs xor IVs(in dst) */ + store_xts_8way(%rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2); + ++ pax_force_retaddr + ret; + ENDPROC(serpent_xts_dec_8way_avx) +diff --git a/arch/x86/crypto/serpent-avx2-asm_64.S b/arch/x86/crypto/serpent-avx2-asm_64.S +index b222085..abd483c 100644 +--- a/arch/x86/crypto/serpent-avx2-asm_64.S ++++ b/arch/x86/crypto/serpent-avx2-asm_64.S +@@ -15,6 +15,7 @@ + */ + + #include <linux/linkage.h> ++#include <asm/alternative-asm.h> + #include "glue_helper-asm-avx2.S" + + .file "serpent-avx2-asm_64.S" +@@ -610,6 +611,7 @@ __serpent_enc_blk16: + write_blocks(RA1, RB1, RC1, RD1, RK0, RK1, RK2); + write_blocks(RA2, RB2, RC2, RD2, RK0, RK1, RK2); + ++ pax_force_retaddr + ret; + ENDPROC(__serpent_enc_blk16) + +@@ -664,6 +666,7 @@ __serpent_dec_blk16: + write_blocks(RC1, RD1, RB1, RE1, RK0, RK1, RK2); + write_blocks(RC2, RD2, RB2, RE2, RK0, RK1, RK2); + ++ pax_force_retaddr + ret; + ENDPROC(__serpent_dec_blk16) + +@@ -684,6 +687,7 @@ ENTRY(serpent_ecb_enc_16way) + + vzeroupper; + ++ pax_force_retaddr + ret; + ENDPROC(serpent_ecb_enc_16way) + +@@ -704,6 +708,7 @@ ENTRY(serpent_ecb_dec_16way) + + vzeroupper; + ++ pax_force_retaddr + ret; + ENDPROC(serpent_ecb_dec_16way) + +@@ -725,6 +730,7 @@ ENTRY(serpent_cbc_dec_16way) + + vzeroupper; + ++ pax_force_retaddr + ret; + ENDPROC(serpent_cbc_dec_16way) + +@@ -748,6 +754,7 @@ ENTRY(serpent_ctr_16way) + + vzeroupper; + ++ pax_force_retaddr + ret; + ENDPROC(serpent_ctr_16way) + +@@ -772,6 +779,7 @@ ENTRY(serpent_xts_enc_16way) + + vzeroupper; + ++ pax_force_retaddr + ret; + ENDPROC(serpent_xts_enc_16way) + +@@ -796,5 +804,6 @@ ENTRY(serpent_xts_dec_16way) + + vzeroupper; + ++ pax_force_retaddr + ret; + ENDPROC(serpent_xts_dec_16way) diff --git a/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S b/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S index acc066c..1559cc4 100644 --- a/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S @@ -11372,8 +12159,128 @@ index a410950..3356d42 100644 ret ENDPROC(\name) +diff --git a/arch/x86/crypto/sha256-avx-asm.S b/arch/x86/crypto/sha256-avx-asm.S +index 642f156..4ab07b9 100644 +--- a/arch/x86/crypto/sha256-avx-asm.S ++++ b/arch/x86/crypto/sha256-avx-asm.S +@@ -49,6 +49,7 @@ + + #ifdef CONFIG_AS_AVX + #include <linux/linkage.h> ++#include <asm/alternative-asm.h> + + ## assume buffers not aligned + #define VMOVDQ vmovdqu +@@ -460,6 +461,7 @@ done_hash: + popq %r13 + popq %rbp + popq %rbx ++ pax_force_retaddr 0, 1 + ret + ENDPROC(sha256_transform_avx) + +diff --git a/arch/x86/crypto/sha256-avx2-asm.S b/arch/x86/crypto/sha256-avx2-asm.S +index 9e86944..2e7f95a 100644 +--- a/arch/x86/crypto/sha256-avx2-asm.S ++++ b/arch/x86/crypto/sha256-avx2-asm.S +@@ -50,6 +50,7 @@ + + #ifdef CONFIG_AS_AVX2 + #include <linux/linkage.h> ++#include <asm/alternative-asm.h> + + ## assume buffers not aligned + #define VMOVDQ vmovdqu +@@ -720,6 +721,7 @@ done_hash: + popq %r12 + popq %rbp + popq %rbx ++ pax_force_retaddr 0, 1 + ret + ENDPROC(sha256_transform_rorx) + +diff --git a/arch/x86/crypto/sha256-ssse3-asm.S b/arch/x86/crypto/sha256-ssse3-asm.S +index f833b74..c36ed14 100644 +--- a/arch/x86/crypto/sha256-ssse3-asm.S ++++ b/arch/x86/crypto/sha256-ssse3-asm.S +@@ -47,6 +47,7 @@ + ######################################################################## + + #include <linux/linkage.h> ++#include <asm/alternative-asm.h> + + ## assume buffers not aligned + #define MOVDQ movdqu +@@ -471,6 +472,7 @@ done_hash: + popq %rbp + popq %rbx + ++ pax_force_retaddr 0, 1 + ret + ENDPROC(sha256_transform_ssse3) + +diff --git a/arch/x86/crypto/sha512-avx-asm.S b/arch/x86/crypto/sha512-avx-asm.S +index 974dde9..4533d34 100644 +--- a/arch/x86/crypto/sha512-avx-asm.S ++++ b/arch/x86/crypto/sha512-avx-asm.S +@@ -49,6 +49,7 @@ + + #ifdef CONFIG_AS_AVX + #include <linux/linkage.h> ++#include <asm/alternative-asm.h> + + .text + +@@ -364,6 +365,7 @@ updateblock: + mov frame_RSPSAVE(%rsp), %rsp + + nowork: ++ pax_force_retaddr 0, 1 + ret + ENDPROC(sha512_transform_avx) + +diff --git a/arch/x86/crypto/sha512-avx2-asm.S b/arch/x86/crypto/sha512-avx2-asm.S +index 568b961..061ef1d 100644 +--- a/arch/x86/crypto/sha512-avx2-asm.S ++++ b/arch/x86/crypto/sha512-avx2-asm.S +@@ -51,6 +51,7 @@ + + #ifdef CONFIG_AS_AVX2 + #include <linux/linkage.h> ++#include <asm/alternative-asm.h> + + .text + +@@ -678,6 +679,7 @@ done_hash: + + # Restore Stack Pointer + mov frame_RSPSAVE(%rsp), %rsp ++ pax_force_retaddr 0, 1 + ret + ENDPROC(sha512_transform_rorx) + +diff --git a/arch/x86/crypto/sha512-ssse3-asm.S b/arch/x86/crypto/sha512-ssse3-asm.S +index fb56855..e23914f 100644 +--- a/arch/x86/crypto/sha512-ssse3-asm.S ++++ b/arch/x86/crypto/sha512-ssse3-asm.S +@@ -48,6 +48,7 @@ + ######################################################################## + + #include <linux/linkage.h> ++#include <asm/alternative-asm.h> + + .text + +@@ -363,6 +364,7 @@ updateblock: + mov frame_RSPSAVE(%rsp), %rsp + + nowork: ++ pax_force_retaddr 0, 1 + ret + ENDPROC(sha512_transform_ssse3) + diff --git a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S -index 8d3e113..898b161 100644 +index 0505813..63b1d00 100644 --- a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S +++ b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S @@ -24,6 +24,7 @@ @@ -11384,7 +12291,7 @@ index 8d3e113..898b161 100644 #include "glue_helper-asm-avx.S" .file "twofish-avx-x86_64-asm_64.S" -@@ -282,6 +283,7 @@ __twofish_enc_blk8: +@@ -284,6 +285,7 @@ __twofish_enc_blk8: outunpack_blocks(RC1, RD1, RA1, RB1, RK1, RX0, RY0, RK2); outunpack_blocks(RC2, RD2, RA2, RB2, RK1, RX0, RY0, RK2); @@ -11392,7 +12299,7 @@ index 8d3e113..898b161 100644 ret; ENDPROC(__twofish_enc_blk8) -@@ -322,6 +324,7 @@ __twofish_dec_blk8: +@@ -324,6 +326,7 @@ __twofish_dec_blk8: outunpack_blocks(RA1, RB1, RC1, RD1, RK1, RX0, RY0, RK2); outunpack_blocks(RA2, RB2, RC2, RD2, RK1, RX0, RY0, RK2); @@ -11400,7 +12307,7 @@ index 8d3e113..898b161 100644 ret; ENDPROC(__twofish_dec_blk8) -@@ -340,6 +343,7 @@ ENTRY(twofish_ecb_enc_8way) +@@ -342,6 +345,7 @@ ENTRY(twofish_ecb_enc_8way) store_8way(%r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2); @@ -11408,7 +12315,7 @@ index 8d3e113..898b161 100644 ret; ENDPROC(twofish_ecb_enc_8way) -@@ -358,6 +362,7 @@ ENTRY(twofish_ecb_dec_8way) +@@ -360,6 +364,7 @@ ENTRY(twofish_ecb_dec_8way) store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); @@ -11416,7 +12323,7 @@ index 8d3e113..898b161 100644 ret; ENDPROC(twofish_ecb_dec_8way) -@@ -381,6 +386,7 @@ ENTRY(twofish_cbc_dec_8way) +@@ -383,6 +388,7 @@ ENTRY(twofish_cbc_dec_8way) popq %r12; @@ -11424,13 +12331,97 @@ index 8d3e113..898b161 100644 ret; ENDPROC(twofish_cbc_dec_8way) -@@ -406,5 +412,6 @@ ENTRY(twofish_ctr_8way) +@@ -408,6 +414,7 @@ ENTRY(twofish_ctr_8way) popq %r12; + pax_force_retaddr 0, 1 ret; ENDPROC(twofish_ctr_8way) + +@@ -430,6 +437,7 @@ ENTRY(twofish_xts_enc_8way) + /* dst <= regs xor IVs(in dst) */ + store_xts_8way(%r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2); + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(twofish_xts_enc_8way) + +@@ -452,5 +460,6 @@ ENTRY(twofish_xts_dec_8way) + /* dst <= regs xor IVs(in dst) */ + store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(twofish_xts_dec_8way) +diff --git a/arch/x86/crypto/twofish-avx2-asm_64.S b/arch/x86/crypto/twofish-avx2-asm_64.S +index e1a83b9..33006b9 100644 +--- a/arch/x86/crypto/twofish-avx2-asm_64.S ++++ b/arch/x86/crypto/twofish-avx2-asm_64.S +@@ -11,6 +11,7 @@ + */ + + #include <linux/linkage.h> ++#include <asm/alternative-asm.h> + #include "glue_helper-asm-avx2.S" + + .file "twofish-avx2-asm_64.S" +@@ -422,6 +423,7 @@ __twofish_enc_blk16: + outunpack_enc16(RA, RB, RC, RD); + write_blocks16(RA, RB, RC, RD); + ++ pax_force_retaddr_bts + ret; + ENDPROC(__twofish_enc_blk16) + +@@ -454,6 +456,7 @@ __twofish_dec_blk16: + outunpack_dec16(RA, RB, RC, RD); + write_blocks16(RA, RB, RC, RD); + ++ pax_force_retaddr_bts + ret; + ENDPROC(__twofish_dec_blk16) + +@@ -476,6 +479,7 @@ ENTRY(twofish_ecb_enc_16way) + popq %r12; + vzeroupper; + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(twofish_ecb_enc_16way) + +@@ -498,6 +502,7 @@ ENTRY(twofish_ecb_dec_16way) + popq %r12; + vzeroupper; + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(twofish_ecb_dec_16way) + +@@ -521,6 +526,7 @@ ENTRY(twofish_cbc_dec_16way) + popq %r12; + vzeroupper; + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(twofish_cbc_dec_16way) + +@@ -546,6 +552,7 @@ ENTRY(twofish_ctr_16way) + popq %r12; + vzeroupper; + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(twofish_ctr_16way) + +@@ -574,6 +581,7 @@ twofish_xts_crypt_16way: + popq %r12; + vzeroupper; + ++ pax_force_retaddr 0, 1 + ret; + ENDPROC(twofish_xts_crypt_16way) + diff --git a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S index 1c3b7ce..b365c5e 100644 --- a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S @@ -11494,7 +12485,7 @@ index a039d21..29e7615 100644 ret ENDPROC(twofish_dec_blk) diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c -index 03abf9b..a42ba29 100644 +index 52ff81c..98af645 100644 --- a/arch/x86/ia32/ia32_aout.c +++ b/arch/x86/ia32/ia32_aout.c @@ -159,6 +159,8 @@ static int aout_core_dump(long signr, struct pt_regs *regs, struct file *file, @@ -11507,7 +12498,7 @@ index 03abf9b..a42ba29 100644 set_fs(KERNEL_DS); has_dumped = 1; diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c -index cf1a471..3bc4cf8 100644 +index cf1a471..5ba2673 100644 --- a/arch/x86/ia32/ia32_signal.c +++ b/arch/x86/ia32/ia32_signal.c @@ -340,7 +340,7 @@ static void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs, @@ -11537,7 +12528,12 @@ index cf1a471..3bc4cf8 100644 }; frame = get_sigframe(ksig, regs, sizeof(*frame), &fpstate); -@@ -463,16 +463,18 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig, +@@ -459,20 +459,22 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig, + else + put_user_ex(0, &frame->uc.uc_flags); + put_user_ex(0, &frame->uc.uc_link); +- err |= __compat_save_altstack(&frame->uc.uc_stack, regs->sp); ++ __compat_save_altstack_ex(&frame->uc.uc_stack, regs->sp); if (ksig->ka.sa.sa_flags & SA_RESTORER) restorer = ksig->ka.sa.sa_restorer; @@ -11560,7 +12556,7 @@ index cf1a471..3bc4cf8 100644 err |= copy_siginfo_to_user32(&frame->info, &ksig->info); diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S -index 474dc1b..24aaa3e 100644 +index 474dc1b..9297c58 100644 --- a/arch/x86/ia32/ia32entry.S +++ b/arch/x86/ia32/ia32entry.S @@ -15,8 +15,10 @@ @@ -11620,7 +12616,7 @@ index 474dc1b..24aaa3e 100644 movl %ebp,%ebp /* zero extension */ pushq_cfi $__USER32_DS /*CFI_REL_OFFSET ss,0*/ -@@ -135,24 +157,44 @@ ENTRY(ia32_sysenter_target) +@@ -135,24 +157,49 @@ ENTRY(ia32_sysenter_target) CFI_REL_OFFSET rsp,0 pushfq_cfi /*CFI_REL_OFFSET rflags,0*/ @@ -11654,8 +12650,8 @@ index 474dc1b..24aaa3e 100644 32bit zero extended */ + +#ifdef CONFIG_PAX_MEMORY_UDEREF -+ mov pax_user_shadow_base,%r11 -+ add %r11,%rbp ++ addq pax_user_shadow_base,%rbp ++ ASM_PAX_OPEN_USERLAND +#endif + ASM_STAC @@ -11664,13 +12660,18 @@ index 474dc1b..24aaa3e 100644 ASM_CLAC - orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET) - testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ ASM_PAX_CLOSE_USERLAND ++#endif ++ + GET_THREAD_INFO(%r11) + orl $TS_COMPAT,TI_status(%r11) + testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r11) CFI_REMEMBER_STATE jnz sysenter_tracesys cmpq $(IA32_NR_syscalls-1),%rax -@@ -162,12 +204,15 @@ sysenter_do_call: +@@ -162,12 +209,15 @@ sysenter_do_call: sysenter_dispatch: call *ia32_sys_call_table(,%rax,8) movq %rax,RAX-ARGOFFSET(%rsp) @@ -11688,7 +12689,7 @@ index 474dc1b..24aaa3e 100644 /* clear IF, that popfq doesn't enable interrupts early */ andl $~0x200,EFLAGS-R11(%rsp) movl RIP-R11(%rsp),%edx /* User %eip */ -@@ -193,6 +238,9 @@ sysexit_from_sys_call: +@@ -193,6 +243,9 @@ sysexit_from_sys_call: movl %eax,%esi /* 2nd arg: syscall number */ movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */ call __audit_syscall_entry @@ -11698,7 +12699,7 @@ index 474dc1b..24aaa3e 100644 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */ cmpq $(IA32_NR_syscalls-1),%rax ja ia32_badsys -@@ -204,7 +252,7 @@ sysexit_from_sys_call: +@@ -204,7 +257,7 @@ sysexit_from_sys_call: .endm .macro auditsys_exit exit @@ -11707,7 +12708,7 @@ index 474dc1b..24aaa3e 100644 jnz ia32_ret_from_sys_call TRACE_IRQS_ON ENABLE_INTERRUPTS(CLBR_NONE) -@@ -215,11 +263,12 @@ sysexit_from_sys_call: +@@ -215,11 +268,12 @@ sysexit_from_sys_call: 1: setbe %al /* 1 if error, 0 if not */ movzbl %al,%edi /* zero-extend that into %edi */ call __audit_syscall_exit @@ -11721,7 +12722,7 @@ index 474dc1b..24aaa3e 100644 jz \exit CLEAR_RREGS -ARGOFFSET jmp int_with_check -@@ -237,7 +286,7 @@ sysexit_audit: +@@ -237,7 +291,7 @@ sysexit_audit: sysenter_tracesys: #ifdef CONFIG_AUDITSYSCALL @@ -11730,7 +12731,7 @@ index 474dc1b..24aaa3e 100644 jz sysenter_auditsys #endif SAVE_REST -@@ -249,6 +298,9 @@ sysenter_tracesys: +@@ -249,6 +303,9 @@ sysenter_tracesys: RESTORE_REST cmpq $(IA32_NR_syscalls-1),%rax ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */ @@ -11740,7 +12741,7 @@ index 474dc1b..24aaa3e 100644 jmp sysenter_do_call CFI_ENDPROC ENDPROC(ia32_sysenter_target) -@@ -276,19 +328,25 @@ ENDPROC(ia32_sysenter_target) +@@ -276,19 +333,25 @@ ENDPROC(ia32_sysenter_target) ENTRY(ia32_cstar_target) CFI_STARTPROC32 simple CFI_SIGNAL_FRAME @@ -11768,14 +12769,15 @@ index 474dc1b..24aaa3e 100644 movl %eax,%eax /* zero extension */ movq %rax,ORIG_RAX-ARGOFFSET(%rsp) movq %rcx,RIP-ARGOFFSET(%rsp) -@@ -304,12 +362,19 @@ ENTRY(ia32_cstar_target) +@@ -304,12 +367,25 @@ ENTRY(ia32_cstar_target) /* no need to do an access_ok check here because r8 has been 32bit zero extended */ /* hardware stack frame is complete now */ + +#ifdef CONFIG_PAX_MEMORY_UDEREF -+ mov pax_user_shadow_base,%r11 -+ add %r11,%r8 ++ ASM_PAX_OPEN_USERLAND ++ movq pax_user_shadow_base,%r8 ++ addq RSP-ARGOFFSET(%rsp),%r8 +#endif + ASM_STAC @@ -11784,13 +12786,18 @@ index 474dc1b..24aaa3e 100644 ASM_CLAC - orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET) - testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ ASM_PAX_CLOSE_USERLAND ++#endif ++ + GET_THREAD_INFO(%r11) + orl $TS_COMPAT,TI_status(%r11) + testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r11) CFI_REMEMBER_STATE jnz cstar_tracesys cmpq $IA32_NR_syscalls-1,%rax -@@ -319,12 +384,15 @@ cstar_do_call: +@@ -319,12 +395,15 @@ cstar_do_call: cstar_dispatch: call *ia32_sys_call_table(,%rax,8) movq %rax,RAX-ARGOFFSET(%rsp) @@ -11808,7 +12815,7 @@ index 474dc1b..24aaa3e 100644 RESTORE_ARGS 0,-ARG_SKIP,0,0,0 movl RIP-ARGOFFSET(%rsp),%ecx CFI_REGISTER rip,rcx -@@ -352,7 +420,7 @@ sysretl_audit: +@@ -352,7 +431,7 @@ sysretl_audit: cstar_tracesys: #ifdef CONFIG_AUDITSYSCALL @@ -11817,7 +12824,7 @@ index 474dc1b..24aaa3e 100644 jz cstar_auditsys #endif xchgl %r9d,%ebp -@@ -366,6 +434,9 @@ cstar_tracesys: +@@ -366,11 +445,19 @@ cstar_tracesys: xchgl %ebp,%r9d cmpq $(IA32_NR_syscalls-1),%rax ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */ @@ -11827,7 +12834,17 @@ index 474dc1b..24aaa3e 100644 jmp cstar_do_call END(ia32_cstar_target) -@@ -407,19 +478,26 @@ ENTRY(ia32_syscall) + ia32_badarg: + ASM_CLAC ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ ASM_PAX_CLOSE_USERLAND ++#endif ++ + movq $-EFAULT,%rax + jmp ia32_sysret + CFI_ENDPROC +@@ -407,19 +494,26 @@ ENTRY(ia32_syscall) CFI_REL_OFFSET rip,RIP-RIP PARAVIRT_ADJUST_EXCEPTION_FRAME SWAPGS @@ -11861,7 +12878,7 @@ index 474dc1b..24aaa3e 100644 jnz ia32_tracesys cmpq $(IA32_NR_syscalls-1),%rax ja ia32_badsys -@@ -442,6 +520,9 @@ ia32_tracesys: +@@ -442,6 +536,9 @@ ia32_tracesys: RESTORE_REST cmpq $(IA32_NR_syscalls-1),%rax ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */ @@ -11872,7 +12889,7 @@ index 474dc1b..24aaa3e 100644 END(ia32_syscall) diff --git a/arch/x86/ia32/sys_ia32.c b/arch/x86/ia32/sys_ia32.c -index ad7a20c..1ffa3c1 100644 +index 8e0ceec..af13504 100644 --- a/arch/x86/ia32/sys_ia32.c +++ b/arch/x86/ia32/sys_ia32.c @@ -69,8 +69,8 @@ asmlinkage long sys32_ftruncate64(unsigned int fd, unsigned long offset_low, @@ -11886,15 +12903,6 @@ index ad7a20c..1ffa3c1 100644 SET_UID(uid, from_kuid_munged(current_user_ns(), stat->uid)); SET_GID(gid, from_kgid_munged(current_user_ns(), stat->gid)); if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) || -@@ -205,7 +205,7 @@ asmlinkage long sys32_sendfile(int out_fd, int in_fd, - return -EFAULT; - - set_fs(KERNEL_DS); -- ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __user *)&of : NULL, -+ ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __force_user *)&of : NULL, - count); - set_fs(old_fs); - diff --git a/arch/x86/include/asm/alternative-asm.h b/arch/x86/include/asm/alternative-asm.h index 372231c..a5aa1a1 100644 --- a/arch/x86/include/asm/alternative-asm.h @@ -12394,11 +13402,6 @@ index 722aa3b..3a0bb27 100644 -#define atomic_clear_mask(mask, addr) \ - asm volatile(LOCK_PREFIX "andl %0,%1" \ - : : "r" (~(mask)), "m" (*(addr)) : "memory") -- --#define atomic_set_mask(mask, addr) \ -- asm volatile(LOCK_PREFIX "orl %0,%1" \ -- : : "r" ((unsigned)(mask)), "m" (*(addr)) \ -- : "memory") +static inline void atomic_clear_mask(unsigned int mask, atomic_t *v) +{ + asm volatile(LOCK_PREFIX "andl %1,%0" @@ -12406,7 +13409,11 @@ index 722aa3b..3a0bb27 100644 + : "r" (~(mask)) + : "memory"); +} -+ + +-#define atomic_set_mask(mask, addr) \ +- asm volatile(LOCK_PREFIX "orl %0,%1" \ +- : : "r" ((unsigned)(mask)), "m" (*(addr)) \ +- : "memory") +static inline void atomic_clear_mask_unchecked(unsigned int mask, atomic_unchecked_t *v) +{ + asm volatile(LOCK_PREFIX "andl %1,%0" @@ -13033,7 +14040,7 @@ index 46fc474..b02b0f9 100644 if (len) diff --git a/arch/x86/include/asm/cmpxchg.h b/arch/x86/include/asm/cmpxchg.h -index 8d871ea..c1a0dc9 100644 +index d47786a..ce1b05d 100644 --- a/arch/x86/include/asm/cmpxchg.h +++ b/arch/x86/include/asm/cmpxchg.h @@ -14,8 +14,12 @@ extern void __cmpxchg_wrong_size(void) @@ -13108,10 +14115,19 @@ index 59c6c40..5e0b22c 100644 struct compat_timespec { compat_time_t tv_sec; diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h -index 93fe929..90858b7 100644 +index e99ac27..10d834e 100644 --- a/arch/x86/include/asm/cpufeature.h +++ b/arch/x86/include/asm/cpufeature.h -@@ -207,7 +207,7 @@ +@@ -203,7 +203,7 @@ + #define X86_FEATURE_DECODEASSISTS (8*32+12) /* AMD Decode Assists support */ + #define X86_FEATURE_PAUSEFILTER (8*32+13) /* AMD filtered pause intercept */ + #define X86_FEATURE_PFTHRESHOLD (8*32+14) /* AMD pause filter threshold */ +- ++#define X86_FEATURE_STRONGUDEREF (8*32+31) /* PaX PCID based strong UDEREF */ + + /* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */ + #define X86_FEATURE_FSGSBASE (9*32+ 0) /* {RD/WR}{FS/GS}BASE instructions*/ +@@ -211,7 +211,7 @@ #define X86_FEATURE_BMI1 (9*32+ 3) /* 1st group bit manipulation extensions */ #define X86_FEATURE_HLE (9*32+ 4) /* Hardware Lock Elision */ #define X86_FEATURE_AVX2 (9*32+ 5) /* AVX2 instructions */ @@ -13120,7 +14136,15 @@ index 93fe929..90858b7 100644 #define X86_FEATURE_BMI2 (9*32+ 8) /* 2nd group bit manipulation extensions */ #define X86_FEATURE_ERMS (9*32+ 9) /* Enhanced REP MOVSB/STOSB */ #define X86_FEATURE_INVPCID (9*32+10) /* Invalidate Processor Context ID */ -@@ -377,7 +377,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit) +@@ -353,6 +353,7 @@ extern const char * const x86_power_flags[32]; + #undef cpu_has_centaur_mcr + #define cpu_has_centaur_mcr 0 + ++#define cpu_has_pcid boot_cpu_has(X86_FEATURE_PCID) + #endif /* CONFIG_X86_64 */ + + #if __GNUC__ >= 4 +@@ -394,7 +395,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit) ".section .discard,\"aw\",@progbits\n" " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */ ".previous\n" @@ -13443,12 +14467,14 @@ index 75ce3f4..882e801 100644 #endif /* _ASM_X86_EMERGENCY_RESTART_H */ diff --git a/arch/x86/include/asm/fpu-internal.h b/arch/x86/include/asm/fpu-internal.h -index e25cc33..425d099 100644 +index e25cc33..7d3ec01 100644 --- a/arch/x86/include/asm/fpu-internal.h +++ b/arch/x86/include/asm/fpu-internal.h -@@ -127,7 +127,9 @@ static inline void sanitize_i387_state(struct task_struct *tsk) +@@ -126,8 +126,11 @@ static inline void sanitize_i387_state(struct task_struct *tsk) + #define user_insn(insn, output, input...) \ ({ \ int err; \ ++ pax_open_userland(); \ asm volatile(ASM_STAC "\n" \ - "1:" #insn "\n\t" \ + "1:" \ @@ -13457,7 +14483,15 @@ index e25cc33..425d099 100644 "2: " ASM_CLAC "\n" \ ".section .fixup,\"ax\"\n" \ "3: movl $-1,%[err]\n" \ -@@ -300,7 +302,7 @@ static inline int restore_fpu_checking(struct task_struct *tsk) +@@ -136,6 +139,7 @@ static inline void sanitize_i387_state(struct task_struct *tsk) + _ASM_EXTABLE(1b, 3b) \ + : [err] "=r" (err), output \ + : "0"(0), input); \ ++ pax_close_userland(); \ + err; \ + }) + +@@ -300,7 +304,7 @@ static inline int restore_fpu_checking(struct task_struct *tsk) "emms\n\t" /* clear stack tags */ "fildl %P[addr]", /* set F?P to defined value */ X86_FEATURE_FXSAVE_LEAK, @@ -13467,7 +14501,7 @@ index e25cc33..425d099 100644 return fpu_restore_checking(&tsk->thread.fpu); } diff --git a/arch/x86/include/asm/futex.h b/arch/x86/include/asm/futex.h -index be27ba1..8f13ff9 100644 +index be27ba1..04a8801 100644 --- a/arch/x86/include/asm/futex.h +++ b/arch/x86/include/asm/futex.h @@ -12,6 +12,7 @@ @@ -13506,8 +14540,11 @@ index be27ba1..8f13ff9 100644 : "r" (oparg), "i" (-EFAULT), "1" (0)) static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) -@@ -59,10 +61,10 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) +@@ -57,12 +59,13 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) + + pagefault_disable(); ++ pax_open_userland(); switch (op) { case FUTEX_OP_SET: - __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg); @@ -13519,9 +14556,19 @@ index be27ba1..8f13ff9 100644 uaddr, oparg); break; case FUTEX_OP_OR: -@@ -116,14 +118,14 @@ static inline int futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, +@@ -77,6 +80,7 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) + default: + ret = -ENOSYS; + } ++ pax_close_userland(); + + pagefault_enable(); + +@@ -115,18 +119,20 @@ static inline int futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) return -EFAULT; ++ pax_open_userland(); asm volatile("\t" ASM_STAC "\n" - "1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n" + "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %4, %2\n" @@ -13536,11 +14583,15 @@ index be27ba1..8f13ff9 100644 : "i" (-EFAULT), "r" (newval), "1" (oldval) : "memory" ); ++ pax_close_userland(); + + *uval = oldval; + return ret; diff --git a/arch/x86/include/asm/hw_irq.h b/arch/x86/include/asm/hw_irq.h -index 10a78c3..cc77143 100644 +index 1da97ef..9c2ebff 100644 --- a/arch/x86/include/asm/hw_irq.h +++ b/arch/x86/include/asm/hw_irq.h -@@ -147,8 +147,8 @@ extern void setup_ioapic_dest(void); +@@ -148,8 +148,8 @@ extern void setup_ioapic_dest(void); extern void enable_IO_APIC(void); /* Statistics */ @@ -13922,29 +14973,31 @@ index 5f55e69..e20bfb1 100644 #ifdef CONFIG_SMP diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h -index cdbf367..adb37ac 100644 +index cdbf367..4c73c9e 100644 --- a/arch/x86/include/asm/mmu_context.h +++ b/arch/x86/include/asm/mmu_context.h -@@ -24,6 +24,18 @@ void destroy_context(struct mm_struct *mm); +@@ -24,6 +24,20 @@ void destroy_context(struct mm_struct *mm); static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk) { + +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -+ unsigned int i; -+ pgd_t *pgd; ++ if (!(static_cpu_has(X86_FEATURE_PCID))) { ++ unsigned int i; ++ pgd_t *pgd; + -+ pax_open_kernel(); -+ pgd = get_cpu_pgd(smp_processor_id()); -+ for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i) -+ set_pgd_batched(pgd+i, native_make_pgd(0)); -+ pax_close_kernel(); ++ pax_open_kernel(); ++ pgd = get_cpu_pgd(smp_processor_id(), kernel); ++ for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i) ++ set_pgd_batched(pgd+i, native_make_pgd(0)); ++ pax_close_kernel(); ++ } +#endif + #ifdef CONFIG_SMP if (this_cpu_read(cpu_tlbstate.state) == TLBSTATE_OK) this_cpu_write(cpu_tlbstate.state, TLBSTATE_LAZY); -@@ -34,16 +46,30 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, +@@ -34,16 +48,55 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, struct task_struct *tsk) { unsigned cpu = smp_processor_id(); @@ -13965,17 +15018,42 @@ index cdbf367..adb37ac 100644 /* Re-load page tables */ +#ifdef CONFIG_PAX_PER_CPU_PGD + pax_open_kernel(); -+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd); -+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd); ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ if (static_cpu_has(X86_FEATURE_PCID)) ++ __clone_user_pgds(get_cpu_pgd(cpu, user), next->pgd); ++ else ++#endif ++ ++ __clone_user_pgds(get_cpu_pgd(cpu, kernel), next->pgd); ++ __shadow_user_pgds(get_cpu_pgd(cpu, kernel) + USER_PGD_PTRS, next->pgd); + pax_close_kernel(); -+ load_cr3(get_cpu_pgd(cpu)); ++ BUG_ON((__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL) != (read_cr3() & __PHYSICAL_MASK) && (__pa(get_cpu_pgd(cpu, user)) | PCID_USER) != (read_cr3() & __PHYSICAL_MASK)); ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ if (static_cpu_has(X86_FEATURE_PCID)) { ++ if (static_cpu_has(X86_FEATURE_INVPCID)) { ++ unsigned long descriptor[2]; ++ descriptor[0] = PCID_USER; ++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory"); ++ } else { ++ write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER); ++ if (static_cpu_has(X86_FEATURE_STRONGUDEREF)) ++ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH); ++ else ++ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL); ++ } ++ } else ++#endif ++ ++ load_cr3(get_cpu_pgd(cpu, kernel)); +#else load_cr3(next->pgd); +#endif /* stop flush ipis for the previous mm */ cpumask_clear_cpu(cpu, mm_cpumask(prev)); -@@ -53,9 +79,38 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, +@@ -53,9 +106,63 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, */ if (unlikely(prev->context.ldt != next->context.ldt)) load_LDT_nolock(&next->context); @@ -14005,17 +15083,42 @@ index cdbf367..adb37ac 100644 + +#ifdef CONFIG_PAX_PER_CPU_PGD + pax_open_kernel(); -+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd); -+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd); ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ if (static_cpu_has(X86_FEATURE_PCID)) ++ __clone_user_pgds(get_cpu_pgd(cpu, user), next->pgd); ++ else ++#endif ++ ++ __clone_user_pgds(get_cpu_pgd(cpu, kernel), next->pgd); ++ __shadow_user_pgds(get_cpu_pgd(cpu, kernel) + USER_PGD_PTRS, next->pgd); + pax_close_kernel(); -+ load_cr3(get_cpu_pgd(cpu)); ++ BUG_ON((__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL) != (read_cr3() & __PHYSICAL_MASK) && (__pa(get_cpu_pgd(cpu, user)) | PCID_USER) != (read_cr3() & __PHYSICAL_MASK)); ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ if (static_cpu_has(X86_FEATURE_PCID)) { ++ if (static_cpu_has(X86_FEATURE_INVPCID)) { ++ unsigned long descriptor[2]; ++ descriptor[0] = PCID_USER; ++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory"); ++ } else { ++ write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER); ++ if (static_cpu_has(X86_FEATURE_STRONGUDEREF)) ++ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH); ++ else ++ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL); ++ } ++ } else ++#endif ++ ++ load_cr3(get_cpu_pgd(cpu, kernel)); +#endif + +#ifdef CONFIG_SMP this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK); BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next); -@@ -64,11 +119,28 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, +@@ -64,11 +171,28 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, * tlb flush IPI delivery. We must reload CR3 * to make sure to use no freed page tables. */ @@ -14039,9 +15142,9 @@ index cdbf367..adb37ac 100644 +#endif + } -- } - #endif -+ } ++#endif + } +-#endif } #define activate_mm(prev, next) \ @@ -14081,10 +15184,10 @@ index e3b7819..b257c64 100644 + #endif /* _ASM_X86_MODULE_H */ diff --git a/arch/x86/include/asm/nmi.h b/arch/x86/include/asm/nmi.h -index c0fa356..07a498a 100644 +index 86f9301..b365cda 100644 --- a/arch/x86/include/asm/nmi.h +++ b/arch/x86/include/asm/nmi.h -@@ -42,11 +42,11 @@ struct nmiaction { +@@ -40,11 +40,11 @@ struct nmiaction { nmi_handler_t handler; unsigned long flags; const char *name; @@ -14098,7 +15201,7 @@ index c0fa356..07a498a 100644 .handler = (fn), \ .name = (n), \ .flags = (fg), \ -@@ -54,7 +54,7 @@ struct nmiaction { +@@ -52,7 +52,7 @@ struct nmiaction { __register_nmi_handler((t), &fn##_na); \ }) @@ -14136,10 +15239,10 @@ index 0f1ddee..e2fc3d1 100644 unsigned long y = x - __START_KERNEL_map; diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h -index 7361e47..16dc226 100644 +index cfdc9ee..3f7b5d6 100644 --- a/arch/x86/include/asm/paravirt.h +++ b/arch/x86/include/asm/paravirt.h -@@ -564,7 +564,7 @@ static inline pmd_t __pmd(pmdval_t val) +@@ -560,7 +560,7 @@ static inline pmd_t __pmd(pmdval_t val) return (pmd_t) { ret }; } @@ -14148,7 +15251,7 @@ index 7361e47..16dc226 100644 { pmdval_t ret; -@@ -630,6 +630,18 @@ static inline void set_pgd(pgd_t *pgdp, pgd_t pgd) +@@ -626,6 +626,18 @@ static inline void set_pgd(pgd_t *pgdp, pgd_t pgd) val); } @@ -14167,7 +15270,7 @@ index 7361e47..16dc226 100644 static inline void pgd_clear(pgd_t *pgdp) { set_pgd(pgdp, __pgd(0)); -@@ -714,6 +726,21 @@ static inline void __set_fixmap(unsigned /* enum fixed_addresses */ idx, +@@ -710,6 +722,21 @@ static inline void __set_fixmap(unsigned /* enum fixed_addresses */ idx, pv_mmu_ops.set_fixmap(idx, phys, flags); } @@ -14189,7 +15292,7 @@ index 7361e47..16dc226 100644 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS) static inline int arch_spin_is_locked(struct arch_spinlock *lock) -@@ -930,7 +957,7 @@ extern void default_banner(void); +@@ -926,7 +953,7 @@ extern void default_banner(void); #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4) #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4) @@ -14198,7 +15301,7 @@ index 7361e47..16dc226 100644 #endif #define INTERRUPT_RETURN \ -@@ -1005,6 +1032,21 @@ extern void default_banner(void); +@@ -1001,6 +1028,21 @@ extern void default_banner(void); PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \ CLBR_NONE, \ jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit)) @@ -14221,7 +15324,7 @@ index 7361e47..16dc226 100644 #endif /* __ASSEMBLY__ */ diff --git a/arch/x86/include/asm/paravirt_types.h b/arch/x86/include/asm/paravirt_types.h -index b3b0ec1..b1cd3eb 100644 +index 0db1fca..52310cc 100644 --- a/arch/x86/include/asm/paravirt_types.h +++ b/arch/x86/include/asm/paravirt_types.h @@ -84,7 +84,7 @@ struct pv_init_ops { @@ -14380,7 +15483,7 @@ index 4cc9f2b..5fd9226 100644 /* diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h -index 1e67223..dd6e7ea 100644 +index 1e67223..92a9585 100644 --- a/arch/x86/include/asm/pgtable.h +++ b/arch/x86/include/asm/pgtable.h @@ -44,6 +44,7 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page); @@ -14486,23 +15589,24 @@ index 1e67223..dd6e7ea 100644 } static inline pte_t pte_mkdirty(pte_t pte) -@@ -394,6 +459,15 @@ pte_t *populate_extra_pte(unsigned long vaddr); +@@ -394,6 +459,16 @@ pte_t *populate_extra_pte(unsigned long vaddr); #endif #ifndef __ASSEMBLY__ + +#ifdef CONFIG_PAX_PER_CPU_PGD -+extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD]; -+static inline pgd_t *get_cpu_pgd(unsigned int cpu) ++extern pgd_t cpu_pgd[NR_CPUS][2][PTRS_PER_PGD]; ++enum cpu_pgd_type {kernel = 0, user = 1}; ++static inline pgd_t *get_cpu_pgd(unsigned int cpu, enum cpu_pgd_type type) +{ -+ return cpu_pgd[cpu]; ++ return cpu_pgd[cpu][type]; +} +#endif + #include <linux/mm_types.h> #include <linux/log2.h> -@@ -529,7 +603,7 @@ static inline unsigned long pud_page_vaddr(pud_t pud) +@@ -529,7 +604,7 @@ static inline unsigned long pud_page_vaddr(pud_t pud) * Currently stuck as a macro due to indirect forward reference to * linux/mmzone.h's __section_mem_map_addr() definition: */ @@ -14511,7 +15615,7 @@ index 1e67223..dd6e7ea 100644 /* Find an entry in the second-level page table.. */ static inline pmd_t *pmd_offset(pud_t *pud, unsigned long address) -@@ -569,7 +643,7 @@ static inline unsigned long pgd_page_vaddr(pgd_t pgd) +@@ -569,7 +644,7 @@ static inline unsigned long pgd_page_vaddr(pgd_t pgd) * Currently stuck as a macro due to indirect forward reference to * linux/mmzone.h's __section_mem_map_addr() definition: */ @@ -14520,7 +15624,7 @@ index 1e67223..dd6e7ea 100644 /* to find an entry in a page-table-directory. */ static inline unsigned long pud_index(unsigned long address) -@@ -584,7 +658,7 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address) +@@ -584,7 +659,7 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address) static inline int pgd_bad(pgd_t pgd) { @@ -14529,7 +15633,7 @@ index 1e67223..dd6e7ea 100644 } static inline int pgd_none(pgd_t pgd) -@@ -607,7 +681,12 @@ static inline int pgd_none(pgd_t pgd) +@@ -607,7 +682,12 @@ static inline int pgd_none(pgd_t pgd) * pgd_offset() returns a (pgd_t *) * pgd_index() is used get the offset into the pgd page's array of pgd_t's; */ @@ -14537,13 +15641,13 @@ index 1e67223..dd6e7ea 100644 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address)) + +#ifdef CONFIG_PAX_PER_CPU_PGD -+#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address)) ++#define pgd_offset_cpu(cpu, type, address) (get_cpu_pgd(cpu, type) + pgd_index(address)) +#endif + /* * a shortcut which implies the use of the kernel's pgd, instead * of a process's -@@ -618,6 +697,22 @@ static inline int pgd_none(pgd_t pgd) +@@ -618,6 +698,23 @@ static inline int pgd_none(pgd_t pgd) #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET) #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY) @@ -14558,6 +15662,7 @@ index 1e67223..dd6e7ea 100644 +#define pax_user_shadow_base pax_user_shadow_base(%rip) +#else +extern unsigned long pax_user_shadow_base; ++extern pgdval_t clone_pgd_mask; +#endif +#endif + @@ -14566,7 +15671,7 @@ index 1e67223..dd6e7ea 100644 #ifndef __ASSEMBLY__ extern int direct_gbpages; -@@ -784,11 +879,24 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm, +@@ -784,11 +881,24 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm, * dst and src can be on the same page, but the range must not overlap, * and must not cross a page boundary. */ @@ -14743,7 +15848,7 @@ index 2d88344..4679fc3 100644 #define EARLY_DYNAMIC_PAGE_TABLES 64 diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pgtable_types.h -index 567b5d0..bd91d64 100644 +index e642300..0ef8f31 100644 --- a/arch/x86/include/asm/pgtable_types.h +++ b/arch/x86/include/asm/pgtable_types.h @@ -16,13 +16,12 @@ @@ -14858,10 +15963,33 @@ index 567b5d0..bd91d64 100644 #define pgprot_writecombine pgprot_writecombine extern pgprot_t pgprot_writecombine(pgprot_t prot); diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h -index 3270116..8d99d82 100644 +index 22224b3..c5d8d7d 100644 --- a/arch/x86/include/asm/processor.h +++ b/arch/x86/include/asm/processor.h -@@ -285,7 +285,7 @@ struct tss_struct { +@@ -198,9 +198,21 @@ static inline void native_cpuid(unsigned int *eax, unsigned int *ebx, + : "memory"); + } + ++/* invpcid (%rdx),%rax */ ++#define __ASM_INVPCID ".byte 0x66,0x0f,0x38,0x82,0x02" ++ ++#define INVPCID_SINGLE_ADDRESS 0UL ++#define INVPCID_SINGLE_CONTEXT 1UL ++#define INVPCID_ALL_GLOBAL 2UL ++#define INVPCID_ALL_MONGLOBAL 3UL ++ ++#define PCID_KERNEL 0UL ++#define PCID_USER 1UL ++#define PCID_NOFLUSH (1UL << 63) ++ + static inline void load_cr3(pgd_t *pgdir) + { +- write_cr3(__pa(pgdir)); ++ write_cr3(__pa(pgdir) | PCID_KERNEL); + } + + #ifdef CONFIG_X86_32 +@@ -282,7 +294,7 @@ struct tss_struct { } ____cacheline_aligned; @@ -14870,7 +15998,15 @@ index 3270116..8d99d82 100644 /* * Save the original ist values for checking stack pointers during debugging -@@ -826,11 +826,18 @@ static inline void spin_lock_prefetch(const void *x) +@@ -452,6 +464,7 @@ struct thread_struct { + unsigned short ds; + unsigned short fsindex; + unsigned short gsindex; ++ unsigned short ss; + #endif + #ifdef CONFIG_X86_32 + unsigned long ip; +@@ -823,11 +836,18 @@ static inline void spin_lock_prefetch(const void *x) */ #define TASK_SIZE PAGE_OFFSET #define TASK_SIZE_MAX TASK_SIZE @@ -14891,7 +16027,7 @@ index 3270116..8d99d82 100644 .vm86_info = NULL, \ .sysenter_cs = __KERNEL_CS, \ .io_bitmap_ptr = NULL, \ -@@ -844,7 +851,7 @@ static inline void spin_lock_prefetch(const void *x) +@@ -841,7 +861,7 @@ static inline void spin_lock_prefetch(const void *x) */ #define INIT_TSS { \ .x86_tss = { \ @@ -14900,7 +16036,7 @@ index 3270116..8d99d82 100644 .ss0 = __KERNEL_DS, \ .ss1 = __KERNEL_CS, \ .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \ -@@ -855,11 +862,7 @@ static inline void spin_lock_prefetch(const void *x) +@@ -852,11 +872,7 @@ static inline void spin_lock_prefetch(const void *x) extern unsigned long thread_saved_pc(struct task_struct *tsk); #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long)) @@ -14913,7 +16049,7 @@ index 3270116..8d99d82 100644 /* * The below -8 is to reserve 8 bytes on top of the ring0 stack. -@@ -874,7 +877,7 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); +@@ -871,7 +887,7 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); #define task_pt_regs(task) \ ({ \ struct pt_regs *__regs__; \ @@ -14922,7 +16058,7 @@ index 3270116..8d99d82 100644 __regs__ - 1; \ }) -@@ -884,13 +887,13 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); +@@ -881,13 +897,13 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); /* * User space process size. 47bits minus one guard page. */ @@ -14938,7 +16074,7 @@ index 3270116..8d99d82 100644 #define TASK_SIZE (test_thread_flag(TIF_ADDR32) ? \ IA32_PAGE_OFFSET : TASK_SIZE_MAX) -@@ -901,11 +904,11 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); +@@ -898,11 +914,11 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); #define STACK_TOP_MAX TASK_SIZE_MAX #define INIT_THREAD { \ @@ -14952,7 +16088,7 @@ index 3270116..8d99d82 100644 } /* -@@ -933,6 +936,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip, +@@ -930,6 +946,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip, */ #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3)) @@ -14963,16 +16099,26 @@ index 3270116..8d99d82 100644 #define KSTK_EIP(task) (task_pt_regs(task)->ip) /* Get/set a process' ability to use the timestamp counter instruction */ -@@ -993,7 +1000,7 @@ extern bool cpu_has_amd_erratum(const int *); - #define cpu_has_amd_erratum(x) (false) - #endif /* CONFIG_CPU_SUP_AMD */ +@@ -942,7 +962,8 @@ extern int set_tsc_mode(unsigned int val); + extern u16 amd_get_nb_id(int cpu); + + struct aperfmperf { +- u64 aperf, mperf; ++ u64 aperf __intentional_overflow(0); ++ u64 mperf __intentional_overflow(0); + }; + + static inline void get_aperfmperf(struct aperfmperf *am) +@@ -970,7 +991,7 @@ unsigned long calc_aperfmperf_ratio(struct aperfmperf *old, + return ratio; + } -extern unsigned long arch_align_stack(unsigned long sp); +#define arch_align_stack(x) ((x) & ~0xfUL) extern void free_init_pages(char *what, unsigned long begin, unsigned long end); void default_idle(void); -@@ -1003,6 +1010,6 @@ bool xen_set_default_idle(void); +@@ -980,6 +1001,6 @@ bool xen_set_default_idle(void); #define xen_set_default_idle 0 #endif @@ -15100,7 +16246,7 @@ index a82c4f1..ac45053 100644 extern struct machine_ops machine_ops; diff --git a/arch/x86/include/asm/rwsem.h b/arch/x86/include/asm/rwsem.h -index 2dbe4a7..ce1db00 100644 +index cad82c9..2e5c5c1 100644 --- a/arch/x86/include/asm/rwsem.h +++ b/arch/x86/include/asm/rwsem.h @@ -64,6 +64,14 @@ static inline void __down_read(struct rw_semaphore *sem) @@ -15146,9 +16292,9 @@ index 2dbe4a7..ce1db00 100644 +#endif + /* adds 0xffff0001, returns the old value */ - " test %1,%1\n\t" - /* was the count 0 before? */ -@@ -141,6 +165,14 @@ static inline void __up_read(struct rw_semaphore *sem) + " test " __ASM_SEL(%w1,%k1) "," __ASM_SEL(%w1,%k1) "\n\t" + /* was the active mask 0 before? */ +@@ -155,6 +179,14 @@ static inline void __up_read(struct rw_semaphore *sem) long tmp; asm volatile("# beginning __up_read\n\t" LOCK_PREFIX " xadd %1,(%2)\n\t" @@ -15163,7 +16309,7 @@ index 2dbe4a7..ce1db00 100644 /* subtracts 1, returns the old value */ " jns 1f\n\t" " call call_rwsem_wake\n" /* expects old value in %edx */ -@@ -159,6 +191,14 @@ static inline void __up_write(struct rw_semaphore *sem) +@@ -173,6 +205,14 @@ static inline void __up_write(struct rw_semaphore *sem) long tmp; asm volatile("# beginning __up_write\n\t" LOCK_PREFIX " xadd %1,(%2)\n\t" @@ -15178,7 +16324,7 @@ index 2dbe4a7..ce1db00 100644 /* subtracts 0xffff0001, returns the old value */ " jns 1f\n\t" " call call_rwsem_wake\n" /* expects old value in %edx */ -@@ -176,6 +216,14 @@ static inline void __downgrade_write(struct rw_semaphore *sem) +@@ -190,6 +230,14 @@ static inline void __downgrade_write(struct rw_semaphore *sem) { asm volatile("# beginning __downgrade_write\n\t" LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t" @@ -15193,7 +16339,7 @@ index 2dbe4a7..ce1db00 100644 /* * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386) * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64) -@@ -194,7 +242,15 @@ static inline void __downgrade_write(struct rw_semaphore *sem) +@@ -208,7 +256,15 @@ static inline void __downgrade_write(struct rw_semaphore *sem) */ static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem) { @@ -15210,7 +16356,7 @@ index 2dbe4a7..ce1db00 100644 : "+m" (sem->count) : "er" (delta)); } -@@ -204,7 +260,7 @@ static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem) +@@ -218,7 +274,7 @@ static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem) */ static inline long rwsem_atomic_update(long delta, struct rw_semaphore *sem) { @@ -15220,7 +16366,7 @@ index 2dbe4a7..ce1db00 100644 #endif /* __KERNEL__ */ diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h -index c48a950..c6d7468 100644 +index c48a950..bc40804 100644 --- a/arch/x86/include/asm/segment.h +++ b/arch/x86/include/asm/segment.h @@ -64,10 +64,15 @@ @@ -15281,15 +16427,32 @@ index c48a950..c6d7468 100644 #define GDT_ENTRY_TSS 8 /* needs two entries */ #define GDT_ENTRY_LDT 10 /* needs two entries */ #define GDT_ENTRY_TLS_MIN 12 -@@ -185,6 +200,7 @@ +@@ -173,6 +188,8 @@ + #define GDT_ENTRY_PER_CPU 15 /* Abused to load per CPU data from limit */ + #define __PER_CPU_SEG (GDT_ENTRY_PER_CPU * 8 + 3) + ++#define GDT_ENTRY_UDEREF_KERNEL_DS 16 ++ + /* TLS indexes for 64bit - hardcoded in arch_prctl */ + #define FS_TLS 0 + #define GS_TLS 1 +@@ -180,12 +197,14 @@ + #define GS_TLS_SEL ((GDT_ENTRY_TLS_MIN+GS_TLS)*8 + 3) + #define FS_TLS_SEL ((GDT_ENTRY_TLS_MIN+FS_TLS)*8 + 3) + +-#define GDT_ENTRIES 16 ++#define GDT_ENTRIES 17 + #endif #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8) +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8) #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8) ++#define __UDEREF_KERNEL_DS (GDT_ENTRY_UDEREF_KERNEL_DS*8) #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3) #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3) -@@ -265,7 +281,7 @@ static inline unsigned long get_limit(unsigned long segment) + #ifndef CONFIG_PARAVIRT +@@ -265,7 +284,7 @@ static inline unsigned long get_limit(unsigned long segment) { unsigned long __limit; asm("lsll %1,%0" : "=r" (__limit) : "r" (segment)); @@ -15298,6 +16461,99 @@ index c48a950..c6d7468 100644 } #endif /* !__ASSEMBLY__ */ +diff --git a/arch/x86/include/asm/smap.h b/arch/x86/include/asm/smap.h +index 8d3120f..352b440 100644 +--- a/arch/x86/include/asm/smap.h ++++ b/arch/x86/include/asm/smap.h +@@ -25,11 +25,40 @@ + + #include <asm/alternative-asm.h> + ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++#define ASM_PAX_OPEN_USERLAND \ ++ 661: jmp 663f; \ ++ .pushsection .altinstr_replacement, "a" ; \ ++ 662: pushq %rax; nop; \ ++ .popsection ; \ ++ .pushsection .altinstructions, "a" ; \ ++ altinstruction_entry 661b, 662b, X86_FEATURE_STRONGUDEREF, 2, 2;\ ++ .popsection ; \ ++ call __pax_open_userland; \ ++ popq %rax; \ ++ 663: ++ ++#define ASM_PAX_CLOSE_USERLAND \ ++ 661: jmp 663f; \ ++ .pushsection .altinstr_replacement, "a" ; \ ++ 662: pushq %rax; nop; \ ++ .popsection; \ ++ .pushsection .altinstructions, "a" ; \ ++ altinstruction_entry 661b, 662b, X86_FEATURE_STRONGUDEREF, 2, 2;\ ++ .popsection; \ ++ call __pax_close_userland; \ ++ popq %rax; \ ++ 663: ++#else ++#define ASM_PAX_OPEN_USERLAND ++#define ASM_PAX_CLOSE_USERLAND ++#endif ++ + #ifdef CONFIG_X86_SMAP + + #define ASM_CLAC \ + 661: ASM_NOP3 ; \ +- .pushsection .altinstr_replacement, "ax" ; \ ++ .pushsection .altinstr_replacement, "a" ; \ + 662: __ASM_CLAC ; \ + .popsection ; \ + .pushsection .altinstructions, "a" ; \ +@@ -38,7 +67,7 @@ + + #define ASM_STAC \ + 661: ASM_NOP3 ; \ +- .pushsection .altinstr_replacement, "ax" ; \ ++ .pushsection .altinstr_replacement, "a" ; \ + 662: __ASM_STAC ; \ + .popsection ; \ + .pushsection .altinstructions, "a" ; \ +@@ -56,6 +85,37 @@ + + #include <asm/alternative.h> + ++#define __HAVE_ARCH_PAX_OPEN_USERLAND ++#define __HAVE_ARCH_PAX_CLOSE_USERLAND ++ ++extern void __pax_open_userland(void); ++static __always_inline unsigned long pax_open_userland(void) ++{ ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ asm volatile(ALTERNATIVE(ASM_NOP5, "call %P[open]", X86_FEATURE_STRONGUDEREF) ++ : ++ : [open] "i" (__pax_open_userland) ++ : "memory", "rax"); ++#endif ++ ++ return 0; ++} ++ ++extern void __pax_close_userland(void); ++static __always_inline unsigned long pax_close_userland(void) ++{ ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ asm volatile(ALTERNATIVE(ASM_NOP5, "call %P[close]", X86_FEATURE_STRONGUDEREF) ++ : ++ : [close] "i" (__pax_close_userland) ++ : "memory", "rax"); ++#endif ++ ++ return 0; ++} ++ + #ifdef CONFIG_X86_SMAP + + static __always_inline void clac(void) diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h index b073aae..39f9bdd 100644 --- a/arch/x86/include/asm/smp.h @@ -15444,7 +16700,15 @@ index 70bbe39..4ae2bd4 100644 - void *data, - unsigned long *end, - int *graph); -- ++typedef unsigned long walk_stack_t(struct task_struct *task, ++ void *stack_start, ++ unsigned long *stack, ++ unsigned long bp, ++ const struct stacktrace_ops *ops, ++ void *data, ++ unsigned long *end, ++ int *graph); + -extern unsigned long -print_context_stack(struct thread_info *tinfo, - unsigned long *stack, unsigned long bp, @@ -15456,15 +16720,6 @@ index 70bbe39..4ae2bd4 100644 - unsigned long *stack, unsigned long bp, - const struct stacktrace_ops *ops, void *data, - unsigned long *end, int *graph); -+typedef unsigned long walk_stack_t(struct task_struct *task, -+ void *stack_start, -+ unsigned long *stack, -+ unsigned long bp, -+ const struct stacktrace_ops *ops, -+ void *data, -+ unsigned long *end, -+ int *graph); -+ +extern walk_stack_t print_context_stack; +extern walk_stack_t print_context_stack_bp; @@ -15502,7 +16757,7 @@ index 4ec45b3..a4f0a8a 100644 __switch_canary_iparam \ : "memory", "cc" __EXTRA_CLOBBER) diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h -index 2cd056e..0224df8 100644 +index a1df6e8..e002940 100644 --- a/arch/x86/include/asm/thread_info.h +++ b/arch/x86/include/asm/thread_info.h @@ -10,6 +10,7 @@ @@ -15590,38 +16845,24 @@ index 2cd056e..0224df8 100644 /* Only used for 64 bit */ #define _TIF_DO_NOTIFY_MASK \ -@@ -158,6 +154,23 @@ struct thread_info { +@@ -158,45 +154,40 @@ struct thread_info { #define PREEMPT_ACTIVE 0x10000000 -+#ifdef __ASSEMBLY__ -+/* how to get the thread information struct from ASM */ -+#define GET_THREAD_INFO(reg) \ -+ mov PER_CPU_VAR(current_tinfo), reg -+ -+/* use this one if reg already contains %esp */ -+#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg) -+#else -+/* how to get the thread information struct from C */ -+DECLARE_PER_CPU(struct thread_info *, current_tinfo); -+ -+static __always_inline struct thread_info *current_thread_info(void) -+{ -+ return this_cpu_read_stable(current_tinfo); -+} -+#endif -+ - #ifdef CONFIG_X86_32 - - #define STACK_WARN (THREAD_SIZE/8) -@@ -168,35 +181,13 @@ struct thread_info { - */ - #ifndef __ASSEMBLY__ - +-#ifdef CONFIG_X86_32 +- +-#define STACK_WARN (THREAD_SIZE/8) +-/* +- * macros/functions for gaining access to the thread information structure +- * +- * preempt_count needs to be 1 initially, until the scheduler is functional. +- */ +-#ifndef __ASSEMBLY__ +- +- +-/* how to get the current stack pointer from C */ +-register unsigned long current_stack_pointer asm("esp") __used; - - /* how to get the current stack pointer from C */ - register unsigned long current_stack_pointer asm("esp") __used; - -/* how to get the thread information struct from C */ -static inline struct thread_info *current_thread_info(void) -{ @@ -15631,15 +16872,40 @@ index 2cd056e..0224df8 100644 - -#else /* !__ASSEMBLY__ */ - --/* how to get the thread information struct from ASM */ --#define GET_THREAD_INFO(reg) \ ++#ifdef __ASSEMBLY__ + /* how to get the thread information struct from ASM */ + #define GET_THREAD_INFO(reg) \ - movl $-THREAD_SIZE, reg; \ - andl %esp, reg -- --/* use this one if reg already contains %esp */ ++ mov PER_CPU_VAR(current_tinfo), reg + + /* use this one if reg already contains %esp */ -#define GET_THREAD_INFO_WITH_ESP(reg) \ - andl $-THREAD_SIZE, reg -- ++#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg) ++#else ++/* how to get the thread information struct from C */ ++DECLARE_PER_CPU(struct thread_info *, current_tinfo); ++ ++static __always_inline struct thread_info *current_thread_info(void) ++{ ++ return this_cpu_read_stable(current_tinfo); ++} ++#endif ++ ++#ifdef CONFIG_X86_32 ++ ++#define STACK_WARN (THREAD_SIZE/8) ++/* ++ * macros/functions for gaining access to the thread information structure ++ * ++ * preempt_count needs to be 1 initially, until the scheduler is functional. ++ */ ++#ifndef __ASSEMBLY__ ++ ++/* how to get the current stack pointer from C */ ++register unsigned long current_stack_pointer asm("esp") __used; + #endif #else /* X86_32 */ @@ -15680,7 +16946,7 @@ index 2cd056e..0224df8 100644 #endif #endif /* !X86_32 */ -@@ -285,5 +257,12 @@ static inline bool is_ia32_task(void) +@@ -283,5 +255,12 @@ static inline bool is_ia32_task(void) extern void arch_task_cache_init(void); extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src); extern void arch_release_task_struct(struct task_struct *tsk); @@ -15693,8 +16959,94 @@ index 2cd056e..0224df8 100644 + #endif #endif /* _ASM_X86_THREAD_INFO_H */ +diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h +index 50a7fc0..d00c622 100644 +--- a/arch/x86/include/asm/tlbflush.h ++++ b/arch/x86/include/asm/tlbflush.h +@@ -17,18 +17,39 @@ + + static inline void __native_flush_tlb(void) + { +- native_write_cr3(native_read_cr3()); ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ if (static_cpu_has(X86_FEATURE_PCID)) { ++ unsigned int cpu = raw_get_cpu(); ++ ++ if (static_cpu_has(X86_FEATURE_INVPCID)) { ++ unsigned long descriptor[2]; ++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_MONGLOBAL) : "memory"); ++ } else { ++ native_write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER); ++ native_write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL); ++ } ++ raw_put_cpu_no_resched(); ++ } else ++#endif ++ ++ native_write_cr3(native_read_cr3()); + } + + static inline void __native_flush_tlb_global_irq_disabled(void) + { +- unsigned long cr4; ++ if (static_cpu_has(X86_FEATURE_INVPCID)) { ++ unsigned long descriptor[2]; ++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_GLOBAL) : "memory"); ++ } else { ++ unsigned long cr4; + +- cr4 = native_read_cr4(); +- /* clear PGE */ +- native_write_cr4(cr4 & ~X86_CR4_PGE); +- /* write old PGE again and flush TLBs */ +- native_write_cr4(cr4); ++ cr4 = native_read_cr4(); ++ /* clear PGE */ ++ native_write_cr4(cr4 & ~X86_CR4_PGE); ++ /* write old PGE again and flush TLBs */ ++ native_write_cr4(cr4); ++ } + } + + static inline void __native_flush_tlb_global(void) +@@ -49,7 +70,33 @@ static inline void __native_flush_tlb_global(void) + + static inline void __native_flush_tlb_single(unsigned long addr) + { +- asm volatile("invlpg (%0)" ::"r" (addr) : "memory"); ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ if (static_cpu_has(X86_FEATURE_PCID) && addr < TASK_SIZE_MAX) { ++ unsigned int cpu = raw_get_cpu(); ++ ++ if (static_cpu_has(X86_FEATURE_INVPCID)) { ++ unsigned long descriptor[2]; ++ descriptor[0] = PCID_USER; ++ descriptor[1] = addr; ++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory"); ++ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF)) { ++ descriptor[0] = PCID_KERNEL; ++ descriptor[1] = addr + pax_user_shadow_base; ++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory"); ++ } ++ } else { ++ native_write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH); ++ asm volatile("invlpg (%0)" ::"r" (addr) : "memory"); ++ native_write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH); ++ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF)) ++ asm volatile("invlpg (%0)" ::"r" (addr + pax_user_shadow_base) : "memory"); ++ } ++ raw_put_cpu_no_resched(); ++ } else ++#endif ++ ++ asm volatile("invlpg (%0)" ::"r" (addr) : "memory"); + } + + static inline void __flush_tlb_all(void) diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h -index 5ee2687..70d5895 100644 +index 5ee2687..74590b9 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -7,6 +7,7 @@ @@ -15754,7 +17106,20 @@ index 5ee2687..70d5895 100644 /* * The exception table consists of pairs of addresses relative to the -@@ -176,13 +207,21 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) +@@ -165,10 +196,12 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) + register __inttype(*(ptr)) __val_gu asm("%edx"); \ + __chk_user_ptr(ptr); \ + might_fault(); \ ++ pax_open_userland(); \ + asm volatile("call __get_user_%P3" \ + : "=a" (__ret_gu), "=r" (__val_gu) \ + : "0" (ptr), "i" (sizeof(*(ptr)))); \ + (x) = (__typeof__(*(ptr))) __val_gu; \ ++ pax_close_userland(); \ + __ret_gu; \ + }) + +@@ -176,13 +209,21 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) asm volatile("call __put_user_" #size : "=a" (__ret_pu) \ : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx") @@ -15779,7 +17144,7 @@ index 5ee2687..70d5895 100644 "3: " ASM_CLAC "\n" \ ".section .fixup,\"ax\"\n" \ "4: movl %3,%0\n" \ -@@ -195,8 +234,8 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) +@@ -195,8 +236,8 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) #define __put_user_asm_ex_u64(x, addr) \ asm volatile(ASM_STAC "\n" \ @@ -15790,34 +17155,50 @@ index 5ee2687..70d5895 100644 "3: " ASM_CLAC "\n" \ _ASM_EXTABLE_EX(1b, 2b) \ _ASM_EXTABLE_EX(2b, 3b) \ -@@ -246,7 +285,7 @@ extern void __put_user_8(void); +@@ -246,7 +287,8 @@ extern void __put_user_8(void); __typeof__(*(ptr)) __pu_val; \ __chk_user_ptr(ptr); \ might_fault(); \ - __pu_val = x; \ + __pu_val = (x); \ ++ pax_open_userland(); \ switch (sizeof(*(ptr))) { \ case 1: \ __put_user_x(1, __pu_val, ptr, __ret_pu); \ -@@ -345,7 +384,7 @@ do { \ +@@ -264,6 +306,7 @@ extern void __put_user_8(void); + __put_user_x(X, __pu_val, ptr, __ret_pu); \ + break; \ + } \ ++ pax_close_userland(); \ + __ret_pu; \ + }) + +@@ -344,8 +387,10 @@ do { \ + } while (0) #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \ ++do { \ ++ pax_open_userland(); \ asm volatile(ASM_STAC "\n" \ - "1: mov"itype" %2,%"rtype"1\n" \ + "1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\ "2: " ASM_CLAC "\n" \ ".section .fixup,\"ax\"\n" \ "3: mov %3,%0\n" \ -@@ -353,7 +392,7 @@ do { \ +@@ -353,8 +398,10 @@ do { \ " jmp 2b\n" \ ".previous\n" \ _ASM_EXTABLE(1b, 3b) \ - : "=r" (err), ltype(x) \ +- : "m" (__m(addr)), "i" (errret), "0" (err)) + : "=r" (err), ltype (x) \ - : "m" (__m(addr)), "i" (errret), "0" (err)) ++ : "m" (__m(addr)), "i" (errret), "0" (err)); \ ++ pax_close_userland(); \ ++} while (0) #define __get_user_size_ex(x, ptr, size) \ -@@ -378,7 +417,7 @@ do { \ + do { \ +@@ -378,7 +425,7 @@ do { \ } while (0) #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \ @@ -15826,7 +17207,7 @@ index 5ee2687..70d5895 100644 "2:\n" \ _ASM_EXTABLE_EX(1b, 2b) \ : ltype(x) : "m" (__m(addr))) -@@ -395,13 +434,24 @@ do { \ +@@ -395,13 +442,24 @@ do { \ int __gu_err; \ unsigned long __gu_val; \ __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \ @@ -15853,21 +17234,26 @@ index 5ee2687..70d5895 100644 /* * Tell gcc we read from memory instead of writing: this is because -@@ -410,7 +460,7 @@ struct __large_struct { unsigned long buf[100]; }; +@@ -409,8 +467,10 @@ struct __large_struct { unsigned long buf[100]; }; + * aliasing issues. */ #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \ ++do { \ ++ pax_open_userland(); \ asm volatile(ASM_STAC "\n" \ - "1: mov"itype" %"rtype"1,%2\n" \ + "1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\ "2: " ASM_CLAC "\n" \ ".section .fixup,\"ax\"\n" \ "3: mov %3,%0\n" \ -@@ -418,10 +468,10 @@ struct __large_struct { unsigned long buf[100]; }; +@@ -418,10 +478,12 @@ struct __large_struct { unsigned long buf[100]; }; ".previous\n" \ _ASM_EXTABLE(1b, 3b) \ : "=r"(err) \ - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err)) -+ : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err)) ++ : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err));\ ++ pax_close_userland(); \ ++} while (0) #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \ - asm volatile("1: mov"itype" %"rtype"0,%1\n" \ @@ -15875,7 +17261,21 @@ index 5ee2687..70d5895 100644 "2:\n" \ _ASM_EXTABLE_EX(1b, 2b) \ : : ltype(x), "m" (__m(addr))) -@@ -460,8 +510,12 @@ struct __large_struct { unsigned long buf[100]; }; +@@ -431,11 +493,13 @@ struct __large_struct { unsigned long buf[100]; }; + */ + #define uaccess_try do { \ + current_thread_info()->uaccess_err = 0; \ ++ pax_open_userland(); \ + stac(); \ + barrier(); + + #define uaccess_catch(err) \ + clac(); \ ++ pax_close_userland(); \ + (err) |= (current_thread_info()->uaccess_err ? -EFAULT : 0); \ + } while (0) + +@@ -460,8 +524,12 @@ struct __large_struct { unsigned long buf[100]; }; * On error, the variable @x is set to zero. */ @@ -15888,7 +17288,7 @@ index 5ee2687..70d5895 100644 /** * __put_user: - Write a simple value into user space, with less checking. -@@ -483,8 +537,12 @@ struct __large_struct { unsigned long buf[100]; }; +@@ -483,8 +551,12 @@ struct __large_struct { unsigned long buf[100]; }; * Returns zero on success, or -EFAULT on error. */ @@ -15901,7 +17301,7 @@ index 5ee2687..70d5895 100644 #define __get_user_unaligned __get_user #define __put_user_unaligned __put_user -@@ -502,7 +560,7 @@ struct __large_struct { unsigned long buf[100]; }; +@@ -502,7 +574,7 @@ struct __large_struct { unsigned long buf[100]; }; #define get_user_ex(x, ptr) do { \ unsigned long __gue_val; \ __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \ @@ -15910,7 +17310,7 @@ index 5ee2687..70d5895 100644 } while (0) #define put_user_try uaccess_try -@@ -519,8 +577,8 @@ strncpy_from_user(char *dst, const char __user *src, long count); +@@ -519,8 +591,8 @@ strncpy_from_user(char *dst, const char __user *src, long count); extern __must_check long strlen_user(const char __user *str); extern __must_check long strnlen_user(const char __user *str, long n); @@ -16004,18 +17404,18 @@ index 7f760a9..04b1c65 100644 unsigned long n) { - return __copy_from_user_ll_nocache_nozero(to, from, n); --} + if ((long)n < 0) + return n; ++ ++ return __copy_from_user_ll_nocache_nozero(to, from, n); + } -unsigned long __must_check copy_to_user(void __user *to, - const void *from, unsigned long n); -unsigned long __must_check _copy_from_user(void *to, - const void __user *from, - unsigned long n); -+ return __copy_from_user_ll_nocache_nozero(to, from, n); -+} - +- +extern void copy_to_user_overflow(void) +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS + __compiletime_error("copy_to_user() buffer size is not provably correct") @@ -16055,14 +17455,13 @@ index 7f760a9..04b1c65 100644 - if (likely(sz == -1 || sz >= n)) - n = _copy_from_user(to, from, n); - else -- copy_from_user_overflow(); + if (unlikely(sz != (size_t)-1 && sz < n)) + copy_to_user_overflow(); + else if (access_ok(VERIFY_WRITE, to, n)) + n = __copy_to_user(to, from, n); + return n; +} - ++ +/** + * copy_from_user: - Copy a block of data from user space. + * @to: Destination address, in kernel space. @@ -16087,7 +17486,8 @@ index 7f760a9..04b1c65 100644 + check_object_size(to, n, false); + + if (unlikely(sz != (size_t)-1 && sz < n)) -+ copy_from_user_overflow(); + copy_from_user_overflow(); +- + else if (access_ok(VERIFY_READ, from, n)) + n = __copy_from_user(to, from, n); + else if ((long)n > 0) @@ -16556,12 +17956,14 @@ index d8d9922..bf6cecb 100644 extern struct x86_init_ops x86_init; extern struct x86_cpuinit_ops x86_cpuinit; diff --git a/arch/x86/include/asm/xsave.h b/arch/x86/include/asm/xsave.h -index 0415cda..b43d877 100644 +index 0415cda..3b22adc 100644 --- a/arch/x86/include/asm/xsave.h +++ b/arch/x86/include/asm/xsave.h -@@ -71,7 +71,9 @@ static inline int xsave_user(struct xsave_struct __user *buf) +@@ -70,8 +70,11 @@ static inline int xsave_user(struct xsave_struct __user *buf) + if (unlikely(err)) return -EFAULT; ++ pax_open_userland(); __asm__ __volatile__(ASM_STAC "\n" - "1: .byte " REX_PREFIX "0x0f,0xae,0x27\n" + "1:" @@ -16570,7 +17972,14 @@ index 0415cda..b43d877 100644 "2: " ASM_CLAC "\n" ".section .fixup,\"ax\"\n" "3: movl $-1,%[err]\n" -@@ -87,12 +89,14 @@ static inline int xsave_user(struct xsave_struct __user *buf) +@@ -81,18 +84,22 @@ static inline int xsave_user(struct xsave_struct __user *buf) + : [err] "=r" (err) + : "D" (buf), "a" (-1), "d" (-1), "0" (0) + : "memory"); ++ pax_close_userland(); + return err; + } + static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask) { int err; @@ -16579,6 +17988,7 @@ index 0415cda..b43d877 100644 u32 lmask = mask; u32 hmask = mask >> 32; ++ pax_open_userland(); __asm__ __volatile__(ASM_STAC "\n" - "1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n" + "1:" @@ -16587,6 +17997,14 @@ index 0415cda..b43d877 100644 "2: " ASM_CLAC "\n" ".section .fixup,\"ax\"\n" "3: movl $-1,%[err]\n" +@@ -102,6 +109,7 @@ static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask) + : [err] "=r" (err) + : "D" (xstate), "a" (lmask), "d" (hmask), "0" (0) + : "memory"); /* memory required? */ ++ pax_close_userland(); + return err; + } + diff --git a/arch/x86/include/uapi/asm/e820.h b/arch/x86/include/uapi/asm/e820.h index bbae024..e1528f9 100644 --- a/arch/x86/include/uapi/asm/e820.h @@ -16636,10 +18054,10 @@ index 230c8ea..f915130 100644 * HP laptops which use a DSDT reporting as HP/SB400/10000, * which includes some code which overrides all temperature diff --git a/arch/x86/kernel/acpi/sleep.c b/arch/x86/kernel/acpi/sleep.c -index 0532f5d..36afc0a 100644 +index ec94e11..7fbbec0 100644 --- a/arch/x86/kernel/acpi/sleep.c +++ b/arch/x86/kernel/acpi/sleep.c -@@ -74,8 +74,12 @@ int acpi_suspend_lowlevel(void) +@@ -88,8 +88,12 @@ int acpi_suspend_lowlevel(void) #else /* CONFIG_64BIT */ #ifdef CONFIG_SMP stack_start = (unsigned long)temp_stack + sizeof(temp_stack); @@ -16653,10 +18071,10 @@ index 0532f5d..36afc0a 100644 #endif initial_code = (unsigned long)wakeup_long64; diff --git a/arch/x86/kernel/acpi/wakeup_32.S b/arch/x86/kernel/acpi/wakeup_32.S -index 13ab720..95d5442 100644 +index d1daa66..59fecba 100644 --- a/arch/x86/kernel/acpi/wakeup_32.S +++ b/arch/x86/kernel/acpi/wakeup_32.S -@@ -30,13 +30,11 @@ wakeup_pmode_return: +@@ -29,13 +29,11 @@ wakeup_pmode_return: # and restore the stack ... but you need gdt for this to work movl saved_context_esp, %esp @@ -16673,7 +18091,7 @@ index 13ab720..95d5442 100644 bogus_magic: jmp bogus_magic diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c -index ef5ccca..bd83949 100644 +index c15cf9a..0e63558 100644 --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c @@ -268,6 +268,13 @@ void __init_or_module apply_alternatives(struct alt_instr *start, @@ -17031,10 +18449,10 @@ index 794f6eb..67e1db2 100644 .name = "UV large system", .probe = uv_probe, diff --git a/arch/x86/kernel/apm_32.c b/arch/x86/kernel/apm_32.c -index 66b5faf..3442423 100644 +index 53a4e27..038760a 100644 --- a/arch/x86/kernel/apm_32.c +++ b/arch/x86/kernel/apm_32.c -@@ -434,7 +434,7 @@ static DEFINE_MUTEX(apm_mutex); +@@ -433,7 +433,7 @@ static DEFINE_MUTEX(apm_mutex); * This is for buggy BIOS's that refer to (real mode) segment 0x40 * even though they are called in protected mode. */ @@ -17043,7 +18461,7 @@ index 66b5faf..3442423 100644 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1); static const char driver_version[] = "1.16ac"; /* no spaces */ -@@ -612,7 +612,10 @@ static long __apm_bios_call(void *_call) +@@ -611,7 +611,10 @@ static long __apm_bios_call(void *_call) BUG_ON(cpu != 0); gdt = get_cpu_gdt_table(cpu); save_desc_40 = gdt[0x40 / 8]; @@ -17054,7 +18472,7 @@ index 66b5faf..3442423 100644 apm_irq_save(flags); APM_DO_SAVE_SEGS; -@@ -621,7 +624,11 @@ static long __apm_bios_call(void *_call) +@@ -620,7 +623,11 @@ static long __apm_bios_call(void *_call) &call->esi); APM_DO_RESTORE_SEGS; apm_irq_restore(flags); @@ -17066,7 +18484,7 @@ index 66b5faf..3442423 100644 put_cpu(); return call->eax & 0xff; -@@ -688,7 +695,10 @@ static long __apm_bios_call_simple(void *_call) +@@ -687,7 +694,10 @@ static long __apm_bios_call_simple(void *_call) BUG_ON(cpu != 0); gdt = get_cpu_gdt_table(cpu); save_desc_40 = gdt[0x40 / 8]; @@ -17077,7 +18495,7 @@ index 66b5faf..3442423 100644 apm_irq_save(flags); APM_DO_SAVE_SEGS; -@@ -696,7 +706,11 @@ static long __apm_bios_call_simple(void *_call) +@@ -695,7 +705,11 @@ static long __apm_bios_call_simple(void *_call) &call->eax); APM_DO_RESTORE_SEGS; apm_irq_restore(flags); @@ -17089,7 +18507,7 @@ index 66b5faf..3442423 100644 put_cpu(); return error; } -@@ -2363,12 +2377,15 @@ static int __init apm_init(void) +@@ -2362,12 +2376,15 @@ static int __init apm_init(void) * code to that CPU. */ gdt = get_cpu_gdt_table(0); @@ -17125,16 +18543,16 @@ index 2861082..6d4718e 100644 + +#ifdef CONFIG_PAX_KERNEXEC + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0); -+#endif -+ + #endif + +#ifdef CONFIG_PAX_MEMORY_UDEREF + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3); + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3); +#ifdef CONFIG_X86_64 + OFFSET(PV_MMU_set_pgd_batched, pv_mmu_ops, set_pgd_batched); +#endif - #endif - ++#endif ++ +#endif + + BLANK(); @@ -17146,10 +18564,10 @@ index 2861082..6d4718e 100644 BLANK(); OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask); diff --git a/arch/x86/kernel/asm-offsets_64.c b/arch/x86/kernel/asm-offsets_64.c -index 1b4754f..fbb4227 100644 +index e7c798b..2b2019b 100644 --- a/arch/x86/kernel/asm-offsets_64.c +++ b/arch/x86/kernel/asm-offsets_64.c -@@ -76,6 +76,7 @@ int main(void) +@@ -77,6 +77,7 @@ int main(void) BLANK(); #undef ENTRY @@ -17158,7 +18576,7 @@ index 1b4754f..fbb4227 100644 BLANK(); diff --git a/arch/x86/kernel/cpu/Makefile b/arch/x86/kernel/cpu/Makefile -index a0e067d..9c7db16 100644 +index b0684e4..22ccfd7 100644 --- a/arch/x86/kernel/cpu/Makefile +++ b/arch/x86/kernel/cpu/Makefile @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg @@ -17171,12 +18589,12 @@ index a0e067d..9c7db16 100644 - obj-y := intel_cacheinfo.o scattered.o topology.o obj-y += proc.o capflags.o powerflags.o common.o - obj-y += vmware.o hypervisor.o mshyperv.o + obj-y += rdrand.o diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c -index fa96eb0..03efe73 100644 +index 5013a48..0782c53 100644 --- a/arch/x86/kernel/cpu/amd.c +++ b/arch/x86/kernel/cpu/amd.c -@@ -737,7 +737,7 @@ static unsigned int __cpuinit amd_size_cache(struct cpuinfo_x86 *c, +@@ -744,7 +744,7 @@ static unsigned int __cpuinit amd_size_cache(struct cpuinfo_x86 *c, unsigned int size) { /* AMD errata T13 (order #21922) */ @@ -17186,7 +18604,7 @@ index fa96eb0..03efe73 100644 if (c->x86_model == 3 && c->x86_mask == 0) size = 64; diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index d814772..c615653 100644 +index 22018f7..a5883af 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -88,60 +88,6 @@ static const struct cpu_dev __cpuinitconst default_cpu = { @@ -17250,7 +18668,48 @@ index d814772..c615653 100644 static int __init x86_xsave_setup(char *s) { setup_clear_cpu_cap(X86_FEATURE_XSAVE); -@@ -386,7 +332,7 @@ void switch_to_new_gdt(int cpu) +@@ -288,6 +234,40 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c) + set_in_cr4(X86_CR4_SMAP); + } + ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++static __init int setup_disable_pcid(char *arg) ++{ ++ setup_clear_cpu_cap(X86_FEATURE_PCID); ++ if (clone_pgd_mask != ~(pgdval_t)0UL) ++ pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT; ++ return 1; ++} ++__setup("nopcid", setup_disable_pcid); ++ ++static void setup_pcid(struct cpuinfo_x86 *c) ++{ ++ if (cpu_has(c, X86_FEATURE_PCID)) ++ printk("PAX: PCID detected\n"); ++ ++ if (cpu_has(c, X86_FEATURE_INVPCID)) ++ printk("PAX: INVPCID detected\n"); ++ ++ if (cpu_has(c, X86_FEATURE_PCID)) { ++ set_in_cr4(X86_CR4_PCIDE); ++ clone_pgd_mask = ~(pgdval_t)0UL; ++ if (pax_user_shadow_base) ++ printk("PAX: weak UDEREF enabled\n"); ++ else { ++ set_cpu_cap(c, X86_FEATURE_STRONGUDEREF); ++ printk("PAX: strong UDEREF enabled\n"); ++ } ++ } else if (pax_user_shadow_base) ++ printk("PAX: slow and weak UDEREF enabled\n"); ++ else ++ printk("PAX: UDEREF disabled\n"); ++} ++#endif ++ + /* + * Some CPU features depend on higher CPUID levels, which may not always + * be available due to CPUID level capping or broken virtualization +@@ -386,7 +366,7 @@ void switch_to_new_gdt(int cpu) { struct desc_ptr gdt_descr; @@ -17259,7 +18718,18 @@ index d814772..c615653 100644 gdt_descr.size = GDT_SIZE - 1; load_gdt(&gdt_descr); /* Reload the per-cpu base */ -@@ -882,6 +828,10 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c) +@@ -874,6 +854,10 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c) + setup_smep(c); + setup_smap(c); + ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ setup_pcid(c); ++#endif ++ + /* + * The vendor-specific functions might have changed features. + * Now we do "generic changes." +@@ -882,6 +866,10 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c) /* Filter out anything that depends on CPUID levels we don't have */ filter_cpuid_features(c, true); @@ -17270,7 +18740,7 @@ index d814772..c615653 100644 /* If the model name is still unset, do table lookup. */ if (!c->x86_model_id[0]) { const char *p; -@@ -1065,10 +1015,12 @@ static __init int setup_disablecpuid(char *arg) +@@ -1069,10 +1057,12 @@ static __init int setup_disablecpuid(char *arg) } __setup("clearcpuid=", setup_disablecpuid); @@ -17285,7 +18755,7 @@ index d814772..c615653 100644 DEFINE_PER_CPU_FIRST(union irq_stack_union, irq_stack_union) __aligned(PAGE_SIZE); -@@ -1082,7 +1034,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task) ____cacheline_aligned = +@@ -1086,7 +1076,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task) ____cacheline_aligned = EXPORT_PER_CPU_SYMBOL(current_task); DEFINE_PER_CPU(unsigned long, kernel_stack) = @@ -17294,7 +18764,7 @@ index d814772..c615653 100644 EXPORT_PER_CPU_SYMBOL(kernel_stack); DEFINE_PER_CPU(char *, irq_stack_ptr) = -@@ -1227,7 +1179,7 @@ void __cpuinit cpu_init(void) +@@ -1231,7 +1221,7 @@ void __cpuinit cpu_init(void) load_ucode_ap(); cpu = stack_smp_processor_id(); @@ -17303,7 +18773,7 @@ index d814772..c615653 100644 oist = &per_cpu(orig_ist, cpu); #ifdef CONFIG_NUMA -@@ -1253,7 +1205,7 @@ void __cpuinit cpu_init(void) +@@ -1257,7 +1247,7 @@ void __cpuinit cpu_init(void) switch_to_new_gdt(cpu); loadsegment(fs, 0); @@ -17312,7 +18782,7 @@ index d814772..c615653 100644 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8); syscall_init(); -@@ -1262,7 +1214,6 @@ void __cpuinit cpu_init(void) +@@ -1266,7 +1256,6 @@ void __cpuinit cpu_init(void) wrmsrl(MSR_KERNEL_GS_BASE, 0); barrier(); @@ -17320,7 +18790,7 @@ index d814772..c615653 100644 enable_x2apic(); /* -@@ -1314,7 +1265,7 @@ void __cpuinit cpu_init(void) +@@ -1318,7 +1307,7 @@ void __cpuinit cpu_init(void) { int cpu = smp_processor_id(); struct task_struct *curr = current; @@ -17329,19 +18799,6 @@ index d814772..c615653 100644 struct thread_struct *thread = &curr->thread; show_ucode_info_early(); -diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c -index 1905ce9..a7ac587 100644 ---- a/arch/x86/kernel/cpu/intel.c -+++ b/arch/x86/kernel/cpu/intel.c -@@ -173,7 +173,7 @@ static void __cpuinit trap_init_f00f_bug(void) - * Update the IDT descriptor and reload the IDT so that - * it uses the read-only mapped virtual address. - */ -- idt_descr.address = fix_to_virt(FIX_F00F_IDT); -+ idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT); - load_idt(&idt_descr); - } - #endif diff --git a/arch/x86/kernel/cpu/intel_cacheinfo.c b/arch/x86/kernel/cpu/intel_cacheinfo.c index 7c6f7d5..8cac382 100644 --- a/arch/x86/kernel/cpu/intel_cacheinfo.c @@ -17443,7 +18900,7 @@ index 7c6f7d5..8cac382 100644 }; diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c -index 7bc1263..bff5686 100644 +index 9239504..b2471ce 100644 --- a/arch/x86/kernel/cpu/mcheck/mce.c +++ b/arch/x86/kernel/cpu/mcheck/mce.c @@ -45,6 +45,7 @@ @@ -17652,7 +19109,7 @@ index e9a701a..35317d6 100644 wmb(); diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c -index 726bf96..81f0526 100644 +index ca22b73..9987afe 100644 --- a/arch/x86/kernel/cpu/mtrr/main.c +++ b/arch/x86/kernel/cpu/mtrr/main.c @@ -62,7 +62,7 @@ static DEFINE_MUTEX(mtrr_mutex); @@ -17678,10 +19135,10 @@ index df5e41f..816c719 100644 extern int generic_get_free_region(unsigned long base, unsigned long size, int replace_reg); diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c -index bf0f01a..9adfee1 100644 +index 1025f3c..824f677 100644 --- a/arch/x86/kernel/cpu/perf_event.c +++ b/arch/x86/kernel/cpu/perf_event.c -@@ -1305,7 +1305,7 @@ static void __init pmu_check_apic(void) +@@ -1311,7 +1311,7 @@ static void __init pmu_check_apic(void) pr_info("no hardware sampling interrupt available.\n"); } @@ -17690,7 +19147,7 @@ index bf0f01a..9adfee1 100644 .name = "format", .attrs = NULL, }; -@@ -1374,7 +1374,7 @@ static struct attribute *events_attr[] = { +@@ -1410,7 +1410,7 @@ static struct attribute *events_attr[] = { NULL, }; @@ -17699,7 +19156,7 @@ index bf0f01a..9adfee1 100644 .name = "events", .attrs = events_attr, }; -@@ -1873,7 +1873,7 @@ static unsigned long get_segment_base(unsigned int segment) +@@ -1920,7 +1920,7 @@ static unsigned long get_segment_base(unsigned int segment) if (idx > GDT_ENTRIES) return 0; @@ -17708,7 +19165,7 @@ index bf0f01a..9adfee1 100644 } return get_desc_base(desc + idx); -@@ -1963,7 +1963,7 @@ perf_callchain_user(struct perf_callchain_entry *entry, struct pt_regs *regs) +@@ -2010,7 +2010,7 @@ perf_callchain_user(struct perf_callchain_entry *entry, struct pt_regs *regs) break; perf_callchain_store(entry, frame.return_address); @@ -17718,10 +19175,10 @@ index bf0f01a..9adfee1 100644 } diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c -index 4a0a462..be3b204 100644 +index a9e2207..d70c83a 100644 --- a/arch/x86/kernel/cpu/perf_event_intel.c +++ b/arch/x86/kernel/cpu/perf_event_intel.c -@@ -1994,10 +1994,10 @@ __init int intel_pmu_init(void) +@@ -2022,10 +2022,10 @@ __init int intel_pmu_init(void) * v2 and above have a perf capabilities MSR */ if (version > 1) { @@ -17736,10 +19193,10 @@ index 4a0a462..be3b204 100644 intel_ds_init(); diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c -index 3e091f0..d2dc8d6 100644 +index 52441a2..f94fae8 100644 --- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c +++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c -@@ -2428,7 +2428,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types) +@@ -3093,7 +3093,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types) static int __init uncore_type_init(struct intel_uncore_type *type) { struct intel_uncore_pmu *pmus; @@ -17748,7 +19205,7 @@ index 3e091f0..d2dc8d6 100644 struct attribute **attrs; int i, j; -@@ -2826,7 +2826,7 @@ static int +@@ -3518,7 +3518,7 @@ static int return NOTIFY_OK; } @@ -17758,10 +19215,10 @@ index 3e091f0..d2dc8d6 100644 /* * to migrate uncore events, our notifier should be executed diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.h b/arch/x86/kernel/cpu/perf_event_intel_uncore.h -index e68a455..975a932 100644 +index f952891..4722ad4 100644 --- a/arch/x86/kernel/cpu/perf_event_intel_uncore.h +++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.h -@@ -428,7 +428,7 @@ struct intel_uncore_box { +@@ -488,7 +488,7 @@ struct intel_uncore_box { struct uncore_event_desc { struct kobj_attribute attr; const char *config; @@ -17813,7 +19270,7 @@ index afa64ad..dce67dd 100644 return -EFAULT; } diff --git a/arch/x86/kernel/doublefault_32.c b/arch/x86/kernel/doublefault_32.c -index 37250fe..bf2ec74 100644 +index 155a13f..1672b9b 100644 --- a/arch/x86/kernel/doublefault_32.c +++ b/arch/x86/kernel/doublefault_32.c @@ -11,7 +11,7 @@ @@ -17828,7 +19285,7 @@ index 37250fe..bf2ec74 100644 @@ -21,7 +21,7 @@ static void doublefault_fn(void) unsigned long gdt, tss; - store_gdt(&gdt_desc); + native_store_gdt(&gdt_desc); - gdt = gdt_desc.address; + gdt = (unsigned long)gdt_desc.address; @@ -17848,7 +19305,7 @@ index 37250fe..bf2ec74 100644 .__cr3 = __pa_nodebug(swapper_pg_dir), diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c -index c8797d5..c605e53 100644 +index deb6421..76bbc12 100644 --- a/arch/x86/kernel/dumpstack.c +++ b/arch/x86/kernel/dumpstack.c @@ -2,6 +2,9 @@ @@ -17953,16 +19410,16 @@ index c8797d5..c605e53 100644 } return (unsigned long)frame; -@@ -189,7 +188,7 @@ void dump_stack(void) +@@ -150,7 +149,7 @@ static int print_trace_stack(void *data, char *name) + static void print_trace_address(void *data, unsigned long addr, int reliable) + { + touch_nmi_watchdog(); +- printk(data); ++ printk("%s", (char *)data); + printk_address(addr, reliable); + } - bp = stack_frame(current, NULL); - printk("Pid: %d, comm: %.20s %s %s %.*s\n", -- current->pid, current->comm, print_tainted(), -+ task_pid_nr(current), current->comm, print_tainted(), - init_utsname()->release, - (int)strcspn(init_utsname()->version, " "), - init_utsname()->version); -@@ -225,6 +224,8 @@ unsigned __kprobes long oops_begin(void) +@@ -219,6 +218,8 @@ unsigned __kprobes long oops_begin(void) } EXPORT_SYMBOL_GPL(oops_begin); @@ -17971,7 +19428,7 @@ index c8797d5..c605e53 100644 void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr) { if (regs && kexec_should_crash(current)) -@@ -246,7 +247,10 @@ void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr) +@@ -240,7 +241,10 @@ void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr) panic("Fatal exception in interrupt"); if (panic_on_oops) panic("Fatal exception"); @@ -17983,7 +19440,7 @@ index c8797d5..c605e53 100644 } int __kprobes __die(const char *str, struct pt_regs *regs, long err) -@@ -274,7 +278,7 @@ int __kprobes __die(const char *str, struct pt_regs *regs, long err) +@@ -268,7 +272,7 @@ int __kprobes __die(const char *str, struct pt_regs *regs, long err) print_modules(); show_regs(regs); #ifdef CONFIG_X86_32 @@ -17992,7 +19449,7 @@ index c8797d5..c605e53 100644 sp = regs->sp; ss = regs->ss & 0xffff; } else { -@@ -302,7 +306,7 @@ void die(const char *str, struct pt_regs *regs, long err) +@@ -296,7 +300,7 @@ void die(const char *str, struct pt_regs *regs, long err) unsigned long flags = oops_begin(); int sig = SIGSEGV; @@ -18002,7 +19459,7 @@ index c8797d5..c605e53 100644 if (__die(str, regs, err)) diff --git a/arch/x86/kernel/dumpstack_32.c b/arch/x86/kernel/dumpstack_32.c -index 1038a41..db2c12b 100644 +index f2a1770..540657f 100644 --- a/arch/x86/kernel/dumpstack_32.c +++ b/arch/x86/kernel/dumpstack_32.c @@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs, @@ -18025,16 +19482,14 @@ index 1038a41..db2c12b 100644 if (ops->stack(data, "IRQ") < 0) break; touch_nmi_watchdog(); -@@ -86,7 +84,7 @@ void show_regs(struct pt_regs *regs) - { +@@ -87,27 +85,28 @@ void show_regs(struct pt_regs *regs) int i; + show_regs_print_info(KERN_EMERG); - __show_regs(regs, !user_mode_vm(regs)); + __show_regs(regs, !user_mode(regs)); - pr_emerg("Process %.*s (pid: %d, ti=%p task=%p task.ti=%p)\n", - TASK_COMM_LEN, current->comm, task_pid_nr(current), -@@ -95,21 +93,22 @@ void show_regs(struct pt_regs *regs) + /* * When in-kernel, we also print out the stack and code at the * time of the fault.. */ @@ -18060,7 +19515,7 @@ index 1038a41..db2c12b 100644 code_len = code_len - code_prologue + 1; } for (i = 0; i < code_len; i++, ip++) { -@@ -118,7 +117,7 @@ void show_regs(struct pt_regs *regs) +@@ -116,7 +115,7 @@ void show_regs(struct pt_regs *regs) pr_cont(" Bad EIP value."); break; } @@ -18069,7 +19524,7 @@ index 1038a41..db2c12b 100644 pr_cont(" <%02x>", c); else pr_cont(" %02x", c); -@@ -131,6 +130,7 @@ int is_valid_bugaddr(unsigned long ip) +@@ -129,6 +128,7 @@ int is_valid_bugaddr(unsigned long ip) { unsigned short ud2; @@ -18077,7 +19532,7 @@ index 1038a41..db2c12b 100644 if (ip < PAGE_OFFSET) return 0; if (probe_kernel_address((unsigned short *)ip, ud2)) -@@ -138,3 +138,15 @@ int is_valid_bugaddr(unsigned long ip) +@@ -136,3 +136,15 @@ int is_valid_bugaddr(unsigned long ip) return ud2 == 0x0b0f; } @@ -18094,7 +19549,7 @@ index 1038a41..db2c12b 100644 +EXPORT_SYMBOL(pax_check_alloca); +#endif diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c -index b653675..51cc8c0 100644 +index addb207..99635fa 100644 --- a/arch/x86/kernel/dumpstack_64.c +++ b/arch/x86/kernel/dumpstack_64.c @@ -119,9 +119,9 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs, @@ -18158,16 +19613,7 @@ index b653675..51cc8c0 100644 put_cpu(); } EXPORT_SYMBOL(dump_trace); -@@ -249,7 +253,7 @@ void show_regs(struct pt_regs *regs) - { - int i; - unsigned long sp; -- const int cpu = smp_processor_id(); -+ const int cpu = raw_smp_processor_id(); - struct task_struct *cur = current; - - sp = regs->sp; -@@ -304,3 +308,50 @@ int is_valid_bugaddr(unsigned long ip) +@@ -300,3 +304,50 @@ int is_valid_bugaddr(unsigned long ip) return ud2 == 0x0b0f; } @@ -18234,7 +19680,7 @@ index d32abea..74daf4f 100644 static int userdef __initdata; diff --git a/arch/x86/kernel/early_printk.c b/arch/x86/kernel/early_printk.c -index 9b9f18b..9fcaa04 100644 +index d15f575..d692043 100644 --- a/arch/x86/kernel/early_printk.c +++ b/arch/x86/kernel/early_printk.c @@ -7,6 +7,7 @@ @@ -18246,7 +19692,7 @@ index 9b9f18b..9fcaa04 100644 #include <asm/processor.h> #include <asm/fcntl.h> diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S -index 8f3e2de..caecc4e 100644 +index 8f3e2de..6b71e39 100644 --- a/arch/x86/kernel/entry_32.S +++ b/arch/x86/kernel/entry_32.S @@ -177,13 +177,153 @@ @@ -18756,6 +20202,15 @@ index 8f3e2de..caecc4e 100644 ENTRY(simd_coprocessor_error) RING0_INT_FRAME +@@ -826,7 +1065,7 @@ ENTRY(simd_coprocessor_error) + .section .altinstructions,"a" + altinstruction_entry 661b, 663f, X86_FEATURE_XMM, 662b-661b, 664f-663f + .previous +-.section .altinstr_replacement,"ax" ++.section .altinstr_replacement,"a" + 663: pushl $do_simd_coprocessor_error + 664: + .previous @@ -835,7 +1074,7 @@ ENTRY(simd_coprocessor_error) #endif jmp error_code @@ -19006,7 +20461,7 @@ index 8f3e2de..caecc4e 100644 /* diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index c1d01e6..a88cf02 100644 +index 7272089..833fdf8 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -59,6 +59,8 @@ @@ -19093,7 +20548,7 @@ index c1d01e6..a88cf02 100644 #endif -@@ -284,6 +293,309 @@ ENTRY(native_usergs_sysret64) +@@ -284,6 +293,427 @@ ENTRY(native_usergs_sysret64) ENDPROC(native_usergs_sysret64) #endif /* CONFIG_PARAVIRT */ @@ -19113,18 +20568,19 @@ index c1d01e6..a88cf02 100644 + + .macro pax_enter_kernel + pax_set_fptr_mask -+#ifdef CONFIG_PAX_KERNEXEC ++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) + call pax_enter_kernel +#endif + .endm + + .macro pax_exit_kernel -+#ifdef CONFIG_PAX_KERNEXEC ++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) + call pax_exit_kernel +#endif ++ + .endm + -+#ifdef CONFIG_PAX_KERNEXEC ++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +ENTRY(pax_enter_kernel) + pushq %rdi + @@ -19132,6 +20588,7 @@ index c1d01e6..a88cf02 100644 + PV_SAVE_REGS(CLBR_RDI) +#endif + ++#ifdef CONFIG_PAX_KERNEXEC + GET_CR0_INTO_RDI + bts $16,%rdi + jnc 3f @@ -19139,6 +20596,32 @@ index c1d01e6..a88cf02 100644 + cmp $__KERNEL_CS,%edi + jnz 2f +1: ++#endif ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ 661: jmp 111f ++ .pushsection .altinstr_replacement, "a" ++ 662: ASM_NOP2 ++ .popsection ++ .pushsection .altinstructions, "a" ++ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2 ++ .popsection ++ GET_CR3_INTO_RDI ++ cmp $0,%dil ++ jnz 112f ++ mov $__KERNEL_DS,%edi ++ mov %edi,%ss ++ jmp 111f ++112: cmp $1,%dil ++ jz 113f ++ ud2 ++113: sub $4097,%rdi ++ bts $63,%rdi ++ SET_RDI_INTO_CR3 ++ mov $__UDEREF_KERNEL_DS,%edi ++ mov %edi,%ss ++111: ++#endif + +#ifdef CONFIG_PARAVIRT + PV_RESTORE_REGS(CLBR_RDI) @@ -19148,10 +20631,12 @@ index c1d01e6..a88cf02 100644 + pax_force_retaddr + retq + ++#ifdef CONFIG_PAX_KERNEXEC +2: ljmpq __KERNEL_CS,1b +3: ljmpq __KERNEXEC_KERNEL_CS,4f +4: SET_RDI_INTO_CR0 + jmp 1b ++#endif +ENDPROC(pax_enter_kernel) + +ENTRY(pax_exit_kernel) @@ -19161,6 +20646,7 @@ index c1d01e6..a88cf02 100644 + PV_SAVE_REGS(CLBR_RDI) +#endif + ++#ifdef CONFIG_PAX_KERNEXEC + mov %cs,%rdi + cmp $__KERNEXEC_KERNEL_CS,%edi + jz 2f @@ -19168,6 +20654,30 @@ index c1d01e6..a88cf02 100644 + bts $16,%rdi + jnc 4f +1: ++#endif ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ 661: jmp 111f ++ .pushsection .altinstr_replacement, "a" ++ 662: ASM_NOP2 ++ .popsection ++ .pushsection .altinstructions, "a" ++ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2 ++ .popsection ++ mov %ss,%edi ++ cmp $__UDEREF_KERNEL_DS,%edi ++ jnz 111f ++ GET_CR3_INTO_RDI ++ cmp $0,%dil ++ jz 112f ++ ud2 ++112: add $4097,%rdi ++ bts $63,%rdi ++ SET_RDI_INTO_CR3 ++ mov $__KERNEL_DS,%edi ++ mov %edi,%ss ++111: ++#endif + +#ifdef CONFIG_PARAVIRT + PV_RESTORE_REGS(CLBR_RDI); @@ -19177,6 +20687,7 @@ index c1d01e6..a88cf02 100644 + pax_force_retaddr + retq + ++#ifdef CONFIG_PAX_KERNEXEC +2: GET_CR0_INTO_RDI + btr $16,%rdi + jnc 4f @@ -19185,6 +20696,7 @@ index c1d01e6..a88cf02 100644 + jmp 1b +4: ud2 + jmp 4b ++#endif +ENDPROC(pax_exit_kernel) +#endif + @@ -19217,6 +20729,21 @@ index c1d01e6..a88cf02 100644 + PV_SAVE_REGS(CLBR_RDI) +#endif + ++ 661: jmp 111f ++ .pushsection .altinstr_replacement, "a" ++ 662: ASM_NOP2 ++ .popsection ++ .pushsection .altinstructions, "a" ++ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2 ++ .popsection ++ GET_CR3_INTO_RDI ++ cmp $1,%dil ++ jnz 3f ++ sub $4097,%rdi ++ bts $63,%rdi ++ jmp 2f ++111: ++ + GET_CR3_INTO_RDI + mov %rdi,%rbx + add $__START_KERNEL_map,%rbx @@ -19245,17 +20772,14 @@ index c1d01e6..a88cf02 100644 + i = i + 1 + .endr + -+#ifdef CONFIG_PARAVIRT -+2: -+#endif -+ SET_RDI_INTO_CR3 -+ +#ifdef CONFIG_PAX_KERNEXEC + GET_CR0_INTO_RDI + bts $16,%rdi + SET_RDI_INTO_CR0 +#endif + ++2: SET_RDI_INTO_CR3 ++ +#ifdef CONFIG_PARAVIRT + PV_RESTORE_REGS(CLBR_RDI) +#endif @@ -19264,6 +20788,7 @@ index c1d01e6..a88cf02 100644 + popq %rdi + pax_force_retaddr + retq ++3: ud2 +ENDPROC(pax_enter_kernel_user) + +ENTRY(pax_exit_kernel_user) @@ -19274,14 +20799,21 @@ index c1d01e6..a88cf02 100644 + PV_SAVE_REGS(CLBR_RDI) +#endif + -+#ifdef CONFIG_PAX_KERNEXEC -+ GET_CR0_INTO_RDI -+ btr $16,%rdi -+ jnc 3f -+ SET_RDI_INTO_CR0 -+#endif -+ + GET_CR3_INTO_RDI ++ 661: jmp 1f ++ .pushsection .altinstr_replacement, "a" ++ 662: ASM_NOP2 ++ .popsection ++ .pushsection .altinstructions, "a" ++ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2 ++ .popsection ++ cmp $0,%dil ++ jnz 3f ++ add $4097,%rdi ++ bts $63,%rdi ++ SET_RDI_INTO_CR3 ++ jmp 2f ++1: + mov %rdi,%rbx + add $__START_KERNEL_map,%rbx + sub phys_base(%rip),%rbx @@ -19289,6 +20821,7 @@ index c1d01e6..a88cf02 100644 +#ifdef CONFIG_PARAVIRT + cmpl $0, pv_info+PARAVIRT_enabled + jz 1f ++ pushq %rdi + i = 0 + .rept USER_PGD_PTRS + mov i*8(%rbx),%rsi @@ -19297,18 +20830,27 @@ index c1d01e6..a88cf02 100644 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched) + i = i + 1 + .endr ++ popq %rdi + jmp 2f +1: +#endif + ++#ifdef CONFIG_PAX_KERNEXEC ++ GET_CR0_INTO_RDI ++ btr $16,%rdi ++ jnc 3f ++ SET_RDI_INTO_CR0 ++#endif ++ + i = 0 + .rept USER_PGD_PTRS + movb $0x67,i*8(%rbx) + i = i + 1 + .endr ++2: + +#ifdef CONFIG_PARAVIRT -+2: PV_RESTORE_REGS(CLBR_RDI) ++ PV_RESTORE_REGS(CLBR_RDI) +#endif + + popq %rbx @@ -19316,7 +20858,6 @@ index c1d01e6..a88cf02 100644 + pax_force_retaddr + retq +3: ud2 -+ jmp 3b +ENDPROC(pax_exit_kernel_user) +#endif + @@ -19331,6 +20872,26 @@ index c1d01e6..a88cf02 100644 + or $2,%ebx +110: +#endif ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ 661: jmp 111f ++ .pushsection .altinstr_replacement, "a" ++ 662: ASM_NOP2 ++ .popsection ++ .pushsection .altinstructions, "a" ++ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2 ++ .popsection ++ GET_CR3_INTO_RDI ++ cmp $0,%dil ++ jz 111f ++ sub $4097,%rdi ++ or $4,%ebx ++ bts $63,%rdi ++ SET_RDI_INTO_CR3 ++ mov $__UDEREF_KERNEL_DS,%edi ++ mov %edi,%ss ++111: ++#endif + .endm + + .macro pax_exit_kernel_nmi @@ -19342,6 +20903,18 @@ index c1d01e6..a88cf02 100644 + SET_RDI_INTO_CR0 +110: +#endif ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ btr $2,%ebx ++ jnc 111f ++ GET_CR3_INTO_RDI ++ add $4097,%rdi ++ bts $63,%rdi ++ SET_RDI_INTO_CR3 ++ mov $__KERNEL_DS,%edi ++ mov %edi,%ss ++111: ++#endif + .endm + + .macro pax_erase_kstack @@ -19403,7 +20976,7 @@ index c1d01e6..a88cf02 100644 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET #ifdef CONFIG_TRACE_IRQFLAGS -@@ -375,8 +687,8 @@ ENDPROC(native_usergs_sysret64) +@@ -375,8 +805,8 @@ ENDPROC(native_usergs_sysret64) .endm .macro UNFAKE_STACK_FRAME @@ -19414,7 +20987,7 @@ index c1d01e6..a88cf02 100644 .endm /* -@@ -463,7 +775,7 @@ ENDPROC(native_usergs_sysret64) +@@ -463,7 +893,7 @@ ENDPROC(native_usergs_sysret64) movq %rsp, %rsi leaq -RBP(%rsp),%rdi /* arg1 for handler */ @@ -19423,7 +20996,7 @@ index c1d01e6..a88cf02 100644 je 1f SWAPGS /* -@@ -498,9 +810,10 @@ ENTRY(save_rest) +@@ -498,9 +928,10 @@ ENTRY(save_rest) movq_cfi r15, R15+16 movq %r11, 8(%rsp) /* return address */ FIXUP_TOP_OF_STACK %r11, 16 @@ -19435,7 +21008,7 @@ index c1d01e6..a88cf02 100644 /* save complete stack frame */ .pushsection .kprobes.text, "ax" -@@ -529,9 +842,10 @@ ENTRY(save_paranoid) +@@ -529,9 +960,10 @@ ENTRY(save_paranoid) js 1f /* negative -> in kernel */ SWAPGS xorl %ebx,%ebx @@ -19448,7 +21021,7 @@ index c1d01e6..a88cf02 100644 .popsection /* -@@ -553,7 +867,7 @@ ENTRY(ret_from_fork) +@@ -553,7 +985,7 @@ ENTRY(ret_from_fork) RESTORE_REST @@ -19457,7 +21030,7 @@ index c1d01e6..a88cf02 100644 jz 1f testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET -@@ -571,7 +885,7 @@ ENTRY(ret_from_fork) +@@ -571,7 +1003,7 @@ ENTRY(ret_from_fork) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -19466,7 +21039,7 @@ index c1d01e6..a88cf02 100644 /* * System call entry. Up to 6 arguments in registers are supported. -@@ -608,7 +922,7 @@ END(ret_from_fork) +@@ -608,7 +1040,7 @@ END(ret_from_fork) ENTRY(system_call) CFI_STARTPROC simple CFI_SIGNAL_FRAME @@ -19475,7 +21048,7 @@ index c1d01e6..a88cf02 100644 CFI_REGISTER rip,rcx /*CFI_REGISTER rflags,r11*/ SWAPGS_UNSAFE_STACK -@@ -621,16 +935,23 @@ GLOBAL(system_call_after_swapgs) +@@ -621,16 +1053,23 @@ GLOBAL(system_call_after_swapgs) movq %rsp,PER_CPU_VAR(old_rsp) movq PER_CPU_VAR(kernel_stack),%rsp @@ -19501,7 +21074,7 @@ index c1d01e6..a88cf02 100644 jnz tracesys system_call_fastpath: #if __SYSCALL_MASK == ~0 -@@ -640,7 +961,7 @@ system_call_fastpath: +@@ -640,7 +1079,7 @@ system_call_fastpath: cmpl $__NR_syscall_max,%eax #endif ja badsys @@ -19510,7 +21083,7 @@ index c1d01e6..a88cf02 100644 call *sys_call_table(,%rax,8) # XXX: rip relative movq %rax,RAX-ARGOFFSET(%rsp) /* -@@ -654,10 +975,13 @@ sysret_check: +@@ -654,10 +1093,13 @@ sysret_check: LOCKDEP_SYS_EXIT DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF @@ -19525,7 +21098,7 @@ index c1d01e6..a88cf02 100644 /* * sysretq will re-enable interrupts: */ -@@ -709,14 +1033,18 @@ badsys: +@@ -709,14 +1151,18 @@ badsys: * jump back to the normal fast path. */ auditsys: @@ -19545,7 +21118,7 @@ index c1d01e6..a88cf02 100644 jmp system_call_fastpath /* -@@ -737,7 +1065,7 @@ sysret_audit: +@@ -737,7 +1183,7 @@ sysret_audit: /* Do syscall tracing */ tracesys: #ifdef CONFIG_AUDITSYSCALL @@ -19554,7 +21127,7 @@ index c1d01e6..a88cf02 100644 jz auditsys #endif SAVE_REST -@@ -745,12 +1073,16 @@ tracesys: +@@ -745,12 +1191,16 @@ tracesys: FIXUP_TOP_OF_STACK %rdi movq %rsp,%rdi call syscall_trace_enter @@ -19571,7 +21144,7 @@ index c1d01e6..a88cf02 100644 RESTORE_REST #if __SYSCALL_MASK == ~0 cmpq $__NR_syscall_max,%rax -@@ -759,7 +1091,7 @@ tracesys: +@@ -759,7 +1209,7 @@ tracesys: cmpl $__NR_syscall_max,%eax #endif ja int_ret_from_sys_call /* RAX(%rsp) set to -ENOSYS above */ @@ -19580,7 +21153,7 @@ index c1d01e6..a88cf02 100644 call *sys_call_table(,%rax,8) movq %rax,RAX-ARGOFFSET(%rsp) /* Use IRET because user could have changed frame */ -@@ -780,7 +1112,9 @@ GLOBAL(int_with_check) +@@ -780,7 +1230,9 @@ GLOBAL(int_with_check) andl %edi,%edx jnz int_careful andl $~TS_COMPAT,TI_status(%rcx) @@ -19591,7 +21164,7 @@ index c1d01e6..a88cf02 100644 /* Either reschedule or signal or syscall exit tracking needed. */ /* First do a reschedule test. */ -@@ -826,7 +1160,7 @@ int_restore_rest: +@@ -826,7 +1278,7 @@ int_restore_rest: TRACE_IRQS_OFF jmp int_with_check CFI_ENDPROC @@ -19600,7 +21173,7 @@ index c1d01e6..a88cf02 100644 .macro FORK_LIKE func ENTRY(stub_\func) -@@ -839,9 +1173,10 @@ ENTRY(stub_\func) +@@ -839,9 +1291,10 @@ ENTRY(stub_\func) DEFAULT_FRAME 0 8 /* offset 8: return address */ call sys_\func RESTORE_TOP_OF_STACK %r11, 8 @@ -19612,7 +21185,7 @@ index c1d01e6..a88cf02 100644 .endm .macro FIXED_FRAME label,func -@@ -851,9 +1186,10 @@ ENTRY(\label) +@@ -851,9 +1304,10 @@ ENTRY(\label) FIXUP_TOP_OF_STACK %r11, 8-ARGOFFSET call \func RESTORE_TOP_OF_STACK %r11, 8-ARGOFFSET @@ -19624,7 +21197,7 @@ index c1d01e6..a88cf02 100644 .endm FORK_LIKE clone -@@ -870,9 +1206,10 @@ ENTRY(ptregscall_common) +@@ -870,9 +1324,10 @@ ENTRY(ptregscall_common) movq_cfi_restore R12+8, r12 movq_cfi_restore RBP+8, rbp movq_cfi_restore RBX+8, rbx @@ -19636,7 +21209,7 @@ index c1d01e6..a88cf02 100644 ENTRY(stub_execve) CFI_STARTPROC -@@ -885,7 +1222,7 @@ ENTRY(stub_execve) +@@ -885,7 +1340,7 @@ ENTRY(stub_execve) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -19645,7 +21218,7 @@ index c1d01e6..a88cf02 100644 /* * sigreturn is special because it needs to restore all registers on return. -@@ -902,7 +1239,7 @@ ENTRY(stub_rt_sigreturn) +@@ -902,7 +1357,7 @@ ENTRY(stub_rt_sigreturn) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -19654,7 +21227,7 @@ index c1d01e6..a88cf02 100644 #ifdef CONFIG_X86_X32_ABI ENTRY(stub_x32_rt_sigreturn) -@@ -916,7 +1253,7 @@ ENTRY(stub_x32_rt_sigreturn) +@@ -916,7 +1371,7 @@ ENTRY(stub_x32_rt_sigreturn) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -19663,7 +21236,7 @@ index c1d01e6..a88cf02 100644 ENTRY(stub_x32_execve) CFI_STARTPROC -@@ -930,7 +1267,7 @@ ENTRY(stub_x32_execve) +@@ -930,7 +1385,7 @@ ENTRY(stub_x32_execve) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -19672,7 +21245,7 @@ index c1d01e6..a88cf02 100644 #endif -@@ -967,7 +1304,7 @@ vector=vector+1 +@@ -967,7 +1422,7 @@ vector=vector+1 2: jmp common_interrupt .endr CFI_ENDPROC @@ -19681,7 +21254,7 @@ index c1d01e6..a88cf02 100644 .previous END(interrupt) -@@ -987,6 +1324,16 @@ END(interrupt) +@@ -987,6 +1442,16 @@ END(interrupt) subq $ORIG_RAX-RBP, %rsp CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP SAVE_ARGS_IRQ @@ -19698,7 +21271,7 @@ index c1d01e6..a88cf02 100644 call \func .endm -@@ -1019,7 +1366,7 @@ ret_from_intr: +@@ -1019,7 +1484,7 @@ ret_from_intr: exit_intr: GET_THREAD_INFO(%rcx) @@ -19707,7 +21280,7 @@ index c1d01e6..a88cf02 100644 je retint_kernel /* Interrupt came from user space */ -@@ -1041,12 +1388,16 @@ retint_swapgs: /* return to user-space */ +@@ -1041,12 +1506,16 @@ retint_swapgs: /* return to user-space */ * The iretq could re-enable interrupts: */ DISABLE_INTERRUPTS(CLBR_ANY) @@ -19724,7 +21297,7 @@ index c1d01e6..a88cf02 100644 /* * The iretq could re-enable interrupts: */ -@@ -1129,7 +1480,7 @@ ENTRY(retint_kernel) +@@ -1129,7 +1598,7 @@ ENTRY(retint_kernel) #endif CFI_ENDPROC @@ -19733,7 +21306,7 @@ index c1d01e6..a88cf02 100644 /* * End of kprobes section */ -@@ -1147,7 +1498,7 @@ ENTRY(\sym) +@@ -1147,7 +1616,7 @@ ENTRY(\sym) interrupt \do_sym jmp ret_from_intr CFI_ENDPROC @@ -19742,7 +21315,7 @@ index c1d01e6..a88cf02 100644 .endm #ifdef CONFIG_SMP -@@ -1203,12 +1554,22 @@ ENTRY(\sym) +@@ -1208,12 +1677,22 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call error_entry DEFAULT_FRAME 0 @@ -19766,7 +21339,7 @@ index c1d01e6..a88cf02 100644 .endm .macro paranoidzeroentry sym do_sym -@@ -1221,15 +1582,25 @@ ENTRY(\sym) +@@ -1226,15 +1705,25 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call save_paranoid TRACE_IRQS_OFF @@ -19794,7 +21367,7 @@ index c1d01e6..a88cf02 100644 .macro paranoidzeroentry_ist sym do_sym ist ENTRY(\sym) INTR_FRAME -@@ -1240,14 +1611,30 @@ ENTRY(\sym) +@@ -1245,14 +1734,30 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call save_paranoid TRACE_IRQS_OFF_DEBUG @@ -19826,7 +21399,7 @@ index c1d01e6..a88cf02 100644 .endm .macro errorentry sym do_sym -@@ -1259,13 +1646,23 @@ ENTRY(\sym) +@@ -1264,13 +1769,23 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call error_entry DEFAULT_FRAME 0 @@ -19851,7 +21424,7 @@ index c1d01e6..a88cf02 100644 .endm /* error code is on the stack already */ -@@ -1279,13 +1676,23 @@ ENTRY(\sym) +@@ -1284,13 +1799,23 @@ ENTRY(\sym) call save_paranoid DEFAULT_FRAME 0 TRACE_IRQS_OFF @@ -19876,7 +21449,7 @@ index c1d01e6..a88cf02 100644 .endm zeroentry divide_error do_divide_error -@@ -1315,9 +1722,10 @@ gs_change: +@@ -1320,9 +1845,10 @@ gs_change: 2: mfence /* workaround */ SWAPGS popfq_cfi @@ -19888,7 +21461,7 @@ index c1d01e6..a88cf02 100644 _ASM_EXTABLE(gs_change,bad_gs) .section .fixup,"ax" -@@ -1345,9 +1753,10 @@ ENTRY(call_softirq) +@@ -1350,9 +1876,10 @@ ENTRY(call_softirq) CFI_DEF_CFA_REGISTER rsp CFI_ADJUST_CFA_OFFSET -8 decl PER_CPU_VAR(irq_count) @@ -19900,7 +21473,7 @@ index c1d01e6..a88cf02 100644 #ifdef CONFIG_XEN zeroentry xen_hypervisor_callback xen_do_hypervisor_callback -@@ -1385,7 +1794,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) +@@ -1390,7 +1917,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) decl PER_CPU_VAR(irq_count) jmp error_exit CFI_ENDPROC @@ -19909,7 +21482,7 @@ index c1d01e6..a88cf02 100644 /* * Hypervisor uses this for application faults while it executes. -@@ -1444,7 +1853,7 @@ ENTRY(xen_failsafe_callback) +@@ -1449,7 +1976,7 @@ ENTRY(xen_failsafe_callback) SAVE_ALL jmp error_exit CFI_ENDPROC @@ -19918,7 +21491,7 @@ index c1d01e6..a88cf02 100644 apicinterrupt HYPERVISOR_CALLBACK_VECTOR \ xen_hvm_callback_vector xen_evtchn_do_upcall -@@ -1496,18 +1905,33 @@ ENTRY(paranoid_exit) +@@ -1501,18 +2028,33 @@ ENTRY(paranoid_exit) DEFAULT_FRAME DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF_DEBUG @@ -19954,7 +21527,7 @@ index c1d01e6..a88cf02 100644 jmp irq_return paranoid_userspace: GET_THREAD_INFO(%rcx) -@@ -1536,7 +1960,7 @@ paranoid_schedule: +@@ -1541,7 +2083,7 @@ paranoid_schedule: TRACE_IRQS_OFF jmp paranoid_userspace CFI_ENDPROC @@ -19963,7 +21536,7 @@ index c1d01e6..a88cf02 100644 /* * Exception entry point. This expects an error code/orig_rax on the stack. -@@ -1563,12 +1987,13 @@ ENTRY(error_entry) +@@ -1568,12 +2110,13 @@ ENTRY(error_entry) movq_cfi r14, R14+8 movq_cfi r15, R15+8 xorl %ebx,%ebx @@ -19978,7 +21551,7 @@ index c1d01e6..a88cf02 100644 ret /* -@@ -1595,7 +2020,7 @@ bstep_iret: +@@ -1600,7 +2143,7 @@ bstep_iret: movq %rcx,RIP+8(%rsp) jmp error_swapgs CFI_ENDPROC @@ -19987,7 +21560,7 @@ index c1d01e6..a88cf02 100644 /* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */ -@@ -1606,7 +2031,7 @@ ENTRY(error_exit) +@@ -1611,7 +2154,7 @@ ENTRY(error_exit) DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF GET_THREAD_INFO(%rcx) @@ -19996,7 +21569,7 @@ index c1d01e6..a88cf02 100644 jne retint_kernel LOCKDEP_SYS_EXIT_IRQ movl TI_flags(%rcx),%edx -@@ -1615,7 +2040,7 @@ ENTRY(error_exit) +@@ -1620,7 +2163,7 @@ ENTRY(error_exit) jnz retint_careful jmp retint_swapgs CFI_ENDPROC @@ -20005,7 +21578,7 @@ index c1d01e6..a88cf02 100644 /* * Test if a given stack is an NMI stack or not. -@@ -1673,9 +2098,11 @@ ENTRY(nmi) +@@ -1678,9 +2221,11 @@ ENTRY(nmi) * If %cs was not the kernel segment, then the NMI triggered in user * space, which means it is definitely not nested. */ @@ -20018,7 +21591,7 @@ index c1d01e6..a88cf02 100644 /* * Check the special variable on the stack to see if NMIs are * executing. -@@ -1709,8 +2136,7 @@ nested_nmi: +@@ -1714,8 +2259,7 @@ nested_nmi: 1: /* Set up the interrupted NMIs stack to jump to repeat_nmi */ @@ -20028,7 +21601,7 @@ index c1d01e6..a88cf02 100644 CFI_ADJUST_CFA_OFFSET 1*8 leaq -10*8(%rsp), %rdx pushq_cfi $__KERNEL_DS -@@ -1728,6 +2154,7 @@ nested_nmi_out: +@@ -1733,6 +2277,7 @@ nested_nmi_out: CFI_RESTORE rdx /* No need to check faults here */ @@ -20036,7 +21609,7 @@ index c1d01e6..a88cf02 100644 INTERRUPT_RETURN CFI_RESTORE_STATE -@@ -1844,6 +2271,8 @@ end_repeat_nmi: +@@ -1849,6 +2394,8 @@ end_repeat_nmi: */ movq %cr2, %r12 @@ -20045,7 +21618,7 @@ index c1d01e6..a88cf02 100644 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */ movq %rsp,%rdi movq $-1,%rsi -@@ -1856,26 +2285,31 @@ end_repeat_nmi: +@@ -1861,26 +2408,31 @@ end_repeat_nmi: movq %r12, %cr2 1: @@ -20148,7 +21721,7 @@ index 42a392a..fbbd930 100644 return -EFAULT; diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c -index 8f3201d..6898c0c 100644 +index 55b6761..a6456fc 100644 --- a/arch/x86/kernel/head64.c +++ b/arch/x86/kernel/head64.c @@ -67,12 +67,12 @@ again: @@ -20201,7 +21774,7 @@ index 8f3201d..6898c0c 100644 init_level4_pgt[511] = early_level4_pgt[511]; diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S -index 73afd11..d1670f5 100644 +index 73afd11..0ef46f2 100644 --- a/arch/x86/kernel/head_32.S +++ b/arch/x86/kernel/head_32.S @@ -26,6 +26,12 @@ @@ -20522,7 +22095,7 @@ index 73afd11..d1670f5 100644 + +#ifdef CONFIG_PAX_PER_CPU_PGD +ENTRY(cpu_pgd) -+ .rept NR_CPUS ++ .rept 2*NR_CPUS + .fill 4,8,0 + .endr +#endif @@ -20633,7 +22206,7 @@ index 73afd11..d1670f5 100644 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0 + .endr diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S -index 321d65e..ad8817d 100644 +index a836860..1b5c665 100644 --- a/arch/x86/kernel/head_64.S +++ b/arch/x86/kernel/head_64.S @@ -20,6 +20,8 @@ @@ -20674,10 +22247,10 @@ index 321d65e..ad8817d 100644 +#ifndef CONFIG_XEN + addq %rbp, level3_ident_pgt + (1*8)(%rip) +#endif -+ -+ addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip) - addq %rbp, level2_fixmap_pgt + (506*8)(%rip) ++ addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip) ++ + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip) + addq %rbp, level3_kernel_pgt + ((L3_START_KERNEL+1)*8)(%rip) + @@ -20749,10 +22322,10 @@ index 321d65e..ad8817d 100644 + .section .rodata,"a",@progbits -#ifndef CONFIG_XEN --NEXT_PAGE(init_level4_pgt) + NEXT_PAGE(init_level4_pgt) - .fill 512,8,0 -#else - NEXT_PAGE(init_level4_pgt) +-NEXT_PAGE(init_level4_pgt) - .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE .org init_level4_pgt + L4_PAGE_OFFSET*8, 0 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE @@ -20768,7 +22341,7 @@ index 321d65e..ad8817d 100644 +#ifdef CONFIG_PAX_PER_CPU_PGD +NEXT_PAGE(cpu_pgd) -+ .rept NR_CPUS ++ .rept 2*NR_CPUS + .fill 512,8,0 + .endr +#endif @@ -20813,7 +22386,7 @@ index 321d65e..ad8817d 100644 NEXT_PAGE(level2_kernel_pgt) /* * 512 MB kernel mapping. We spend a full page on this pagetable -@@ -488,39 +544,64 @@ NEXT_PAGE(level2_kernel_pgt) +@@ -488,39 +544,70 @@ NEXT_PAGE(level2_kernel_pgt) KERNEL_IMAGE_SIZE/PMD_SIZE) NEXT_PAGE(level2_fixmap_pgt) @@ -20856,6 +22429,12 @@ index 321d65e..ad8817d 100644 + .quad 0x0000f40000000000 /* node/CPU stored in limit */ + /* asm/segment.h:GDT_ENTRIES must match this */ + ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ .quad 0x00cf93000000ffff /* __UDEREF_KERNEL_DS */ ++#else ++ .quad 0x0 /* unused */ ++#endif ++ + /* zero the remaining page */ + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0 + .endr @@ -20877,7 +22456,10 @@ index 321d65e..ad8817d 100644 - .section .bss, "aw", @nobits + + .section .rodata,"a",@progbits - .align L1_CACHE_BYTES ++NEXT_PAGE(empty_zero_page) ++ .skip PAGE_SIZE ++ + .align PAGE_SIZE ENTRY(idt_table) - .skip IDT_ENTRIES * 16 + .fill 512,8,0 @@ -20885,11 +22467,11 @@ index 321d65e..ad8817d 100644 .align L1_CACHE_BYTES ENTRY(nmi_idt_table) - .skip IDT_ENTRIES * 16 -+ .fill 512,8,0 - +- - __PAGE_ALIGNED_BSS - NEXT_PAGE(empty_zero_page) - .skip PAGE_SIZE +-NEXT_PAGE(empty_zero_page) +- .skip PAGE_SIZE ++ .fill 512,8,0 diff --git a/arch/x86/kernel/i386_ksyms_32.c b/arch/x86/kernel/i386_ksyms_32.c index 0fa6912..37fce70 100644 --- a/arch/x86/kernel/i386_ksyms_32.c @@ -20916,7 +22498,7 @@ index 0fa6912..37fce70 100644 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR); +#endif diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c -index cb33909..1163b40 100644 +index f7ea30d..6318acc 100644 --- a/arch/x86/kernel/i387.c +++ b/arch/x86/kernel/i387.c @@ -51,7 +51,7 @@ static inline bool interrupted_kernel_fpu_idle(void) @@ -21030,7 +22612,7 @@ index 4ddaf66..6292f4e 100644 return -EPERM; } diff --git a/arch/x86/kernel/irq.c b/arch/x86/kernel/irq.c -index 84b7789..e65e8be 100644 +index ac0631d..ff7cb62 100644 --- a/arch/x86/kernel/irq.c +++ b/arch/x86/kernel/irq.c @@ -18,7 +18,7 @@ @@ -21333,7 +22915,7 @@ index 836f832..a8bda67 100644 } diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c -index 7bfe318..383d238 100644 +index 211bce4..6e2580a 100644 --- a/arch/x86/kernel/kprobes/core.c +++ b/arch/x86/kernel/kprobes/core.c @@ -119,9 +119,12 @@ static void __kprobes __synthesize_relative_insn(void *from, void *to, u8 op) @@ -21381,9 +22963,9 @@ index 7bfe318..383d238 100644 #ifdef CONFIG_X86_64 if (insn_rip_relative(&insn)) { -@@ -355,7 +360,9 @@ int __kprobes __copy_instruction(u8 *dest, u8 *src) - newdisp = (u8 *) src + (s64) insn.displacement.value - (u8 *) dest; - BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */ +@@ -359,7 +364,9 @@ int __kprobes __copy_instruction(u8 *dest, u8 *src) + return 0; + } disp = (u8 *) dest + insn_offset_displacement(&insn); + pax_open_kernel(); *(s32 *) disp = (s32) newdisp; @@ -21391,7 +22973,7 @@ index 7bfe318..383d238 100644 } #endif return insn.length; -@@ -488,7 +495,7 @@ setup_singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *k +@@ -498,7 +505,7 @@ setup_singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *k * nor set current_kprobe, because it doesn't use single * stepping. */ @@ -21400,7 +22982,7 @@ index 7bfe318..383d238 100644 preempt_enable_no_resched(); return; } -@@ -505,9 +512,9 @@ setup_singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *k +@@ -515,9 +522,9 @@ setup_singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *k regs->flags &= ~X86_EFLAGS_IF; /* single step inline if the instruction is an int3 */ if (p->opcode == BREAKPOINT_INSTRUCTION) @@ -21412,7 +22994,7 @@ index 7bfe318..383d238 100644 } /* -@@ -586,7 +593,7 @@ static int __kprobes kprobe_handler(struct pt_regs *regs) +@@ -596,7 +603,7 @@ static int __kprobes kprobe_handler(struct pt_regs *regs) setup_singlestep(p, regs, kcb, 0); return 1; } @@ -21421,7 +23003,7 @@ index 7bfe318..383d238 100644 /* * The breakpoint instruction was removed right * after we hit it. Another cpu has removed -@@ -632,6 +639,9 @@ static void __used __kprobes kretprobe_trampoline_holder(void) +@@ -642,6 +649,9 @@ static void __used __kprobes kretprobe_trampoline_holder(void) " movq %rax, 152(%rsp)\n" RESTORE_REGS_STRING " popfq\n" @@ -21431,7 +23013,7 @@ index 7bfe318..383d238 100644 #else " pushf\n" SAVE_REGS_STRING -@@ -769,7 +779,7 @@ static void __kprobes +@@ -779,7 +789,7 @@ static void __kprobes resume_execution(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *kcb) { unsigned long *tos = stack_addr(regs); @@ -21440,7 +23022,7 @@ index 7bfe318..383d238 100644 unsigned long orig_ip = (unsigned long)p->addr; kprobe_opcode_t *insn = p->ainsn.insn; -@@ -951,7 +961,7 @@ kprobe_exceptions_notify(struct notifier_block *self, unsigned long val, void *d +@@ -961,7 +971,7 @@ kprobe_exceptions_notify(struct notifier_block *self, unsigned long val, void *d struct die_args *args = data; int ret = NOTIFY_DONE; @@ -21519,10 +23101,10 @@ index 76dc6f0..66bdfc3 100644 reset_current_kprobe(); preempt_enable_no_resched(); diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c -index b686a90..60d36fb 100644 +index cd6d9a5..16245a4 100644 --- a/arch/x86/kernel/kvm.c +++ b/arch/x86/kernel/kvm.c -@@ -453,7 +453,7 @@ static int __cpuinit kvm_cpu_notify(struct notifier_block *self, +@@ -455,7 +455,7 @@ static int __cpuinit kvm_cpu_notify(struct notifier_block *self, return NOTIFY_OK; } @@ -21901,7 +23483,7 @@ index 676b8c7..870ba04 100644 .spin_is_locked = __ticket_spin_is_locked, .spin_is_contended = __ticket_spin_is_contended, diff --git a/arch/x86/kernel/paravirt.c b/arch/x86/kernel/paravirt.c -index 8bfb335..c1463c6 100644 +index cd6de64..27c6af0 100644 --- a/arch/x86/kernel/paravirt.c +++ b/arch/x86/kernel/paravirt.c @@ -55,6 +55,9 @@ u64 _paravirt_ident_64(u64 x) @@ -21929,10 +23511,10 @@ index 8bfb335..c1463c6 100644 ret = paravirt_patch_ident_32(insnbuf, len); - else if (opfunc == _paravirt_ident_64) + else if (opfunc == (void *)_paravirt_ident_64) -+ ret = paravirt_patch_ident_64(insnbuf, len); + ret = paravirt_patch_ident_64(insnbuf, len); +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE) + else if (opfunc == (void *)__raw_callee_save__paravirt_ident_64) - ret = paravirt_patch_ident_64(insnbuf, len); ++ ret = paravirt_patch_ident_64(insnbuf, len); +#endif else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) || @@ -21984,7 +23566,7 @@ index 8bfb335..c1463c6 100644 .cpuid = native_cpuid, .get_debugreg = native_get_debugreg, .set_debugreg = native_set_debugreg, -@@ -395,21 +402,26 @@ struct pv_cpu_ops pv_cpu_ops = { +@@ -394,21 +401,26 @@ struct pv_cpu_ops pv_cpu_ops = { .end_context_switch = paravirt_nop, }; @@ -22014,7 +23596,7 @@ index 8bfb335..c1463c6 100644 .read_cr2 = native_read_cr2, .write_cr2 = native_write_cr2, -@@ -459,6 +471,7 @@ struct pv_mmu_ops pv_mmu_ops = { +@@ -458,6 +470,7 @@ struct pv_mmu_ops pv_mmu_ops = { .make_pud = PTE_IDENT, .set_pgd = native_set_pgd, @@ -22022,7 +23604,7 @@ index 8bfb335..c1463c6 100644 #endif #endif /* PAGETABLE_LEVELS >= 3 */ -@@ -479,6 +492,12 @@ struct pv_mmu_ops pv_mmu_ops = { +@@ -478,6 +491,12 @@ struct pv_mmu_ops pv_mmu_ops = { }, .set_fixmap = native_set_fixmap, @@ -22075,7 +23657,7 @@ index 6c483ba..d10ce2f 100644 static struct dma_map_ops swiotlb_dma_ops = { diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c -index 14ae100..752a4f6 100644 +index 81a5f5e..20f8b58 100644 --- a/arch/x86/kernel/process.c +++ b/arch/x86/kernel/process.c @@ -36,7 +36,8 @@ @@ -22106,16 +23688,7 @@ index 14ae100..752a4f6 100644 t->io_bitmap_ptr = NULL; clear_thread_flag(TIF_IO_BITMAP); -@@ -136,7 +137,7 @@ void show_regs_common(void) - board = dmi_get_system_info(DMI_BOARD_NAME); - - printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s %s %s%s%s\n", -- current->pid, current->comm, print_tainted(), -+ task_pid_nr(current), current->comm, print_tainted(), - init_utsname()->release, - (int)strcspn(init_utsname()->version, " "), - init_utsname()->version, -@@ -149,6 +150,9 @@ void flush_thread(void) +@@ -125,6 +126,9 @@ void flush_thread(void) { struct task_struct *tsk = current; @@ -22125,7 +23698,7 @@ index 14ae100..752a4f6 100644 flush_ptrace_hw_breakpoint(tsk); memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array)); drop_init_fpu(tsk); -@@ -295,7 +299,7 @@ static void __exit_idle(void) +@@ -271,7 +275,7 @@ static void __exit_idle(void) void exit_idle(void) { /* idle loop has pid 0 */ @@ -22134,7 +23707,7 @@ index 14ae100..752a4f6 100644 return; __exit_idle(); } -@@ -398,7 +402,7 @@ bool xen_set_default_idle(void) +@@ -327,7 +331,7 @@ bool xen_set_default_idle(void) return ret; } #endif @@ -22143,7 +23716,7 @@ index 14ae100..752a4f6 100644 { local_irq_disable(); /* -@@ -544,16 +548,37 @@ static int __init idle_setup(char *str) +@@ -456,16 +460,37 @@ static int __init idle_setup(char *str) } early_param("idle", idle_setup); @@ -22192,7 +23765,7 @@ index 14ae100..752a4f6 100644 +} +#endif diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c -index b5a8905..d9cacac 100644 +index 7305f7d..22f73d6 100644 --- a/arch/x86/kernel/process_32.c +++ b/arch/x86/kernel/process_32.c @@ -65,6 +65,7 @@ asmlinkage void ret_from_kernel_thread(void) __asm__("ret_from_kernel_thread"); @@ -22203,7 +23776,7 @@ index b5a8905..d9cacac 100644 } void __show_regs(struct pt_regs *regs, int all) -@@ -74,21 +75,20 @@ void __show_regs(struct pt_regs *regs, int all) +@@ -74,19 +75,18 @@ void __show_regs(struct pt_regs *regs, int all) unsigned long sp; unsigned short ss, gs; @@ -22219,8 +23792,6 @@ index b5a8905..d9cacac 100644 } + gs = get_user_gs(regs); - show_regs_common(); - printk(KERN_DEFAULT "EIP: %04x:[<%08lx>] EFLAGS: %08lx CPU: %d\n", (u16)regs->cs, regs->ip, regs->flags, - smp_processor_id()); @@ -22228,7 +23799,7 @@ index b5a8905..d9cacac 100644 print_symbol("EIP is at %s\n", regs->ip); printk(KERN_DEFAULT "EAX: %08lx EBX: %08lx ECX: %08lx EDX: %08lx\n", -@@ -130,20 +130,21 @@ void release_thread(struct task_struct *dead_task) +@@ -128,20 +128,21 @@ void release_thread(struct task_struct *dead_task) int copy_thread(unsigned long clone_flags, unsigned long sp, unsigned long arg, struct task_struct *p) { @@ -22254,7 +23825,7 @@ index b5a8905..d9cacac 100644 childregs->fs = __KERNEL_PERCPU; childregs->bx = sp; /* function */ childregs->bp = arg; -@@ -250,7 +251,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) +@@ -248,7 +249,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) struct thread_struct *prev = &prev_p->thread, *next = &next_p->thread; int cpu = smp_processor_id(); @@ -22263,7 +23834,7 @@ index b5a8905..d9cacac 100644 fpu_switch_t fpu; /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */ -@@ -274,6 +275,10 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) +@@ -272,6 +273,10 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) */ lazy_save_gs(prev->gs); @@ -22274,7 +23845,7 @@ index b5a8905..d9cacac 100644 /* * Load the per-thread Thread-Local Storage descriptor. */ -@@ -304,6 +309,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) +@@ -302,6 +307,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) */ arch_end_context_switch(next_p); @@ -22284,7 +23855,7 @@ index b5a8905..d9cacac 100644 /* * Restore %gs if needed (which is common) */ -@@ -312,8 +320,6 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) +@@ -310,8 +318,6 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) switch_fpu_finish(next_p, fpu); @@ -22293,16 +23864,16 @@ index b5a8905..d9cacac 100644 return prev_p; } -@@ -343,4 +349,3 @@ unsigned long get_wchan(struct task_struct *p) +@@ -341,4 +347,3 @@ unsigned long get_wchan(struct task_struct *p) } while (count++ < 16); return 0; } - diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c -index 0f49677..fcbf88c 100644 +index 355ae06..560fbbe 100644 --- a/arch/x86/kernel/process_64.c +++ b/arch/x86/kernel/process_64.c -@@ -152,10 +152,11 @@ int copy_thread(unsigned long clone_flags, unsigned long sp, +@@ -151,10 +151,11 @@ int copy_thread(unsigned long clone_flags, unsigned long sp, struct pt_regs *childregs; struct task_struct *me = current; @@ -22315,7 +23886,16 @@ index 0f49677..fcbf88c 100644 set_tsk_thread_flag(p, TIF_FORK); p->fpu_counter = 0; p->thread.io_bitmap_ptr = NULL; -@@ -274,7 +275,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) +@@ -165,6 +166,8 @@ int copy_thread(unsigned long clone_flags, unsigned long sp, + p->thread.fs = p->thread.fsindex ? 0 : me->thread.fs; + savesegment(es, p->thread.es); + savesegment(ds, p->thread.ds); ++ savesegment(ss, p->thread.ss); ++ BUG_ON(p->thread.ss == __UDEREF_KERNEL_DS); + memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps)); + + if (unlikely(p->flags & PF_KTHREAD)) { +@@ -273,7 +276,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) struct thread_struct *prev = &prev_p->thread; struct thread_struct *next = &next_p->thread; int cpu = smp_processor_id(); @@ -22324,7 +23904,17 @@ index 0f49677..fcbf88c 100644 unsigned fsindex, gsindex; fpu_switch_t fpu; -@@ -356,10 +357,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) +@@ -296,6 +299,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) + if (unlikely(next->ds | prev->ds)) + loadsegment(ds, next->ds); + ++ savesegment(ss, prev->ss); ++ if (unlikely(next->ss != prev->ss)) ++ loadsegment(ss, next->ss); + + /* We must save %fs and %gs before load_TLS() because + * %fs and %gs may be cleared by load_TLS(). +@@ -355,10 +361,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) prev->usersp = this_cpu_read(old_rsp); this_cpu_write(old_rsp, next->usersp); this_cpu_write(current_task, next_p); @@ -22337,7 +23927,7 @@ index 0f49677..fcbf88c 100644 /* * Now maybe reload the debug registers and handle I/O bitmaps -@@ -428,12 +428,11 @@ unsigned long get_wchan(struct task_struct *p) +@@ -427,12 +432,11 @@ unsigned long get_wchan(struct task_struct *p) if (!p || p == current || p->state == TASK_RUNNING) return 0; stack = (unsigned long)task_stack_page(p); @@ -22624,6 +24214,19 @@ index 76fa1e9..abf09ea 100644 .power_off = native_machine_power_off, .shutdown = native_machine_shutdown, .emergency_restart = native_machine_emergency_restart, +diff --git a/arch/x86/kernel/reboot_fixups_32.c b/arch/x86/kernel/reboot_fixups_32.c +index c8e41e9..64049ef 100644 +--- a/arch/x86/kernel/reboot_fixups_32.c ++++ b/arch/x86/kernel/reboot_fixups_32.c +@@ -57,7 +57,7 @@ struct device_fixup { + unsigned int vendor; + unsigned int device; + void (*reboot_fixup)(struct pci_dev *); +-}; ++} __do_const; + + /* + * PCI ids solely used for fixups_table go here diff --git a/arch/x86/kernel/relocate_kernel_64.S b/arch/x86/kernel/relocate_kernel_64.S index f2bb9c9..bed145d7 100644 --- a/arch/x86/kernel/relocate_kernel_64.S @@ -22645,10 +24248,10 @@ index f2bb9c9..bed145d7 100644 1: diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index fae9134..8fcd87c 100644 +index 56f7fcf..3b88ad1 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -111,6 +111,7 @@ +@@ -110,6 +110,7 @@ #include <asm/mce.h> #include <asm/alternative.h> #include <asm/prom.h> @@ -22656,7 +24259,23 @@ index fae9134..8fcd87c 100644 /* * max_low_pfn_mapped: highest direct mapped pfn under 4GB -@@ -447,7 +448,7 @@ static void __init parse_setup_data(void) +@@ -205,10 +206,12 @@ EXPORT_SYMBOL(boot_cpu_data); + #endif + + +-#if !defined(CONFIG_X86_PAE) || defined(CONFIG_X86_64) +-unsigned long mmu_cr4_features; ++#ifdef CONFIG_X86_64 ++unsigned long mmu_cr4_features __read_only = X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE; ++#elif defined(CONFIG_X86_PAE) ++unsigned long mmu_cr4_features __read_only = X86_CR4_PAE; + #else +-unsigned long mmu_cr4_features = X86_CR4_PAE; ++unsigned long mmu_cr4_features __read_only; + #endif + + /* Boot loader ID and version as integers, for the benefit of proc_dointvec */ +@@ -444,7 +447,7 @@ static void __init parse_setup_data(void) switch (data->type) { case SETUP_E820_EXT: @@ -22665,7 +24284,7 @@ index fae9134..8fcd87c 100644 break; case SETUP_DTB: add_dtb(pa_data); -@@ -774,7 +775,7 @@ static void __init trim_bios_range(void) +@@ -771,7 +774,7 @@ static void __init trim_bios_range(void) * area (640->1Mb) as ram even though it is not. * take them out. */ @@ -22674,7 +24293,7 @@ index fae9134..8fcd87c 100644 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map); } -@@ -782,7 +783,7 @@ static void __init trim_bios_range(void) +@@ -779,7 +782,7 @@ static void __init trim_bios_range(void) /* called before trim_bios_range() to spare extra sanitize */ static void __init e820_add_kernel_range(void) { @@ -22683,7 +24302,7 @@ index fae9134..8fcd87c 100644 u64 size = __pa_symbol(_end) - start; /* -@@ -844,8 +845,12 @@ static void __init trim_low_memory_range(void) +@@ -841,8 +844,12 @@ static void __init trim_low_memory_range(void) void __init setup_arch(char **cmdline_p) { @@ -22696,7 +24315,7 @@ index fae9134..8fcd87c 100644 early_reserve_initrd(); -@@ -937,14 +942,14 @@ void __init setup_arch(char **cmdline_p) +@@ -934,14 +941,14 @@ void __init setup_arch(char **cmdline_p) if (!boot_params.hdr.root_flags) root_mountflags &= ~MS_RDONLY; @@ -22793,7 +24412,7 @@ index 5cdff03..80fa283 100644 * Up to this point, the boot CPU has been using .init.data * area. Reload any changed state for the boot CPU. diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c -index 6956299..f20beae 100644 +index 6956299..18126ec4 100644 --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c @@ -196,7 +196,7 @@ static unsigned long align_sigframe(unsigned long sp) @@ -22826,8 +24445,12 @@ index 6956299..f20beae 100644 if (err) return -EFAULT; -@@ -367,7 +367,10 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig, - err |= __save_altstack(&frame->uc.uc_stack, regs->sp); +@@ -364,10 +364,13 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig, + else + put_user_ex(0, &frame->uc.uc_flags); + put_user_ex(0, &frame->uc.uc_link); +- err |= __save_altstack(&frame->uc.uc_stack, regs->sp); ++ __save_altstack_ex(&frame->uc.uc_stack, regs->sp); /* Set up to return from userspace. */ - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn); @@ -22847,6 +24470,15 @@ index 6956299..f20beae 100644 } put_user_catch(err); err |= copy_siginfo_to_user(&frame->info, &ksig->info); +@@ -429,7 +432,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig, + else + put_user_ex(0, &frame->uc.uc_flags); + put_user_ex(0, &frame->uc.uc_link); +- err |= __save_altstack(&frame->uc.uc_stack, regs->sp); ++ __save_altstack_ex(&frame->uc.uc_stack, regs->sp); + + /* Set up to return from userspace. If provided, use a stub + already in userspace. */ @@ -615,7 +618,12 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs) { int usig = signr_convert(ksig->sig); @@ -22884,10 +24516,35 @@ index 48d2b7d..90d328a 100644 .smp_prepare_cpus = native_smp_prepare_cpus, .smp_cpus_done = native_smp_cpus_done, diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c -index 9f190a2..90a0688 100644 +index bfd348e..f0c1bf2 100644 --- a/arch/x86/kernel/smpboot.c +++ b/arch/x86/kernel/smpboot.c -@@ -748,6 +748,7 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle) +@@ -251,14 +251,18 @@ notrace static void __cpuinit start_secondary(void *unused) + + enable_start_cpu0 = 0; + +-#ifdef CONFIG_X86_32 +- /* switch away from the initial page table */ +- load_cr3(swapper_pg_dir); +- __flush_tlb_all(); +-#endif +- + /* otherwise gcc will move up smp_processor_id before the cpu_init */ + barrier(); ++ ++ /* switch away from the initial page table */ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ load_cr3(get_cpu_pgd(smp_processor_id(), kernel)); ++ __flush_tlb_all(); ++#elif defined(CONFIG_X86_32) ++ load_cr3(swapper_pg_dir); ++ __flush_tlb_all(); ++#endif ++ + /* + * Check TSC synchronization with the BP: + */ +@@ -748,6 +752,7 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle) idle->thread.sp = (unsigned long) (((struct pt_regs *) (THREAD_SIZE + task_stack_page(idle))) - 1); per_cpu(current_task, cpu) = idle; @@ -22895,7 +24552,7 @@ index 9f190a2..90a0688 100644 #ifdef CONFIG_X86_32 /* Stack for startup_32 can be just as for start_secondary onwards */ -@@ -755,11 +756,13 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle) +@@ -755,11 +760,13 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle) #else clear_tsk_thread_flag(idle, TIF_FORK); initial_gs = per_cpu_offset(cpu); @@ -22912,12 +24569,15 @@ index 9f190a2..90a0688 100644 initial_code = (unsigned long)start_secondary; stack_start = idle->thread.sp; -@@ -908,6 +911,15 @@ int __cpuinit native_cpu_up(unsigned int cpu, struct task_struct *tidle) +@@ -908,6 +915,18 @@ int __cpuinit native_cpu_up(unsigned int cpu, struct task_struct *tidle) /* the FPU context is blank, nobody can own it */ __cpu_disable_lazy_restore(cpu); +#ifdef CONFIG_PAX_PER_CPU_PGD -+ clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY, ++ clone_pgd_range(get_cpu_pgd(cpu, kernel) + KERNEL_PGD_BOUNDARY, ++ swapper_pg_dir + KERNEL_PGD_BOUNDARY, ++ KERNEL_PGD_PTRS); ++ clone_pgd_range(get_cpu_pgd(cpu, user) + KERNEL_PGD_BOUNDARY, + swapper_pg_dir + KERNEL_PGD_BOUNDARY, + KERNEL_PGD_PTRS); +#endif @@ -23349,7 +25009,7 @@ index 24d3c91..d06b473 100644 return pc; } diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c -index 9d9d2f9..cad418a 100644 +index f7fec09..9991981 100644 --- a/arch/x86/kernel/tls.c +++ b/arch/x86/kernel/tls.c @@ -84,6 +84,11 @@ int do_set_thread_area(struct task_struct *p, int idx, @@ -23364,7 +25024,7 @@ index 9d9d2f9..cad418a 100644 set_tls_desc(p, idx, &info, 1); return 0; -@@ -204,7 +209,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, +@@ -200,7 +205,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, if (kbuf) info = kbuf; @@ -23374,7 +25034,7 @@ index 9d9d2f9..cad418a 100644 else info = infobuf; diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c -index 68bda7a..3ec7bb7 100644 +index 772e2a8..bad5bf6 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -68,12 +68,6 @@ @@ -23448,7 +25108,7 @@ index 68bda7a..3ec7bb7 100644 regs->ip, regs->sp, error_code); print_vma_addr(" in ", regs->ip); pr_cont("\n"); -@@ -266,7 +272,7 @@ do_general_protection(struct pt_regs *regs, long error_code) +@@ -273,7 +279,7 @@ do_general_protection(struct pt_regs *regs, long error_code) conditional_sti(regs); #ifdef CONFIG_X86_32 @@ -23457,7 +25117,7 @@ index 68bda7a..3ec7bb7 100644 local_irq_enable(); handle_vm86_fault((struct kernel_vm86_regs *) regs, error_code); goto exit; -@@ -274,18 +280,42 @@ do_general_protection(struct pt_regs *regs, long error_code) +@@ -281,18 +287,42 @@ do_general_protection(struct pt_regs *regs, long error_code) #endif tsk = current; @@ -23502,7 +25162,7 @@ index 68bda7a..3ec7bb7 100644 tsk->thread.error_code = error_code; tsk->thread.trap_nr = X86_TRAP_GP; -@@ -440,7 +470,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) +@@ -450,7 +480,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) /* It's safe to allow irq's after DR6 has been saved */ preempt_conditional_sti(regs); @@ -23511,7 +25171,7 @@ index 68bda7a..3ec7bb7 100644 handle_vm86_trap((struct kernel_vm86_regs *) regs, error_code, X86_TRAP_DB); preempt_conditional_cli(regs); -@@ -455,7 +485,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) +@@ -465,7 +495,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) * We already checked v86 mode above, so we can check for kernel mode * by just checking the CPL of CS. */ @@ -23520,7 +25180,7 @@ index 68bda7a..3ec7bb7 100644 tsk->thread.debugreg6 &= ~DR_STEP; set_tsk_thread_flag(tsk, TIF_SINGLESTEP); regs->flags &= ~X86_EFLAGS_TF; -@@ -487,7 +517,7 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr) +@@ -497,7 +527,7 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr) return; conditional_sti(regs); @@ -23530,7 +25190,7 @@ index 68bda7a..3ec7bb7 100644 if (!fixup_exception(regs)) { task->thread.error_code = error_code; diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c -index 0ba4cfb..4596bec 100644 +index 2ed8459..7cf329f 100644 --- a/arch/x86/kernel/uprobes.c +++ b/arch/x86/kernel/uprobes.c @@ -629,7 +629,7 @@ int arch_uprobe_exception_notify(struct notifier_block *self, unsigned long val, @@ -23542,6 +25202,15 @@ index 0ba4cfb..4596bec 100644 return NOTIFY_DONE; switch (val) { +@@ -719,7 +719,7 @@ arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs + + if (ncopied != rasize) { + pr_err("uprobe: return address clobbered: pid=%d, %%sp=%#lx, " +- "%%ip=%#lx\n", current->pid, regs->sp, regs->ip); ++ "%%ip=%#lx\n", task_pid_nr(current), regs->sp, regs->ip); + + force_sig_info(SIGSEGV, SEND_SIG_FORCED, current); + } diff --git a/arch/x86/kernel/verify_cpu.S b/arch/x86/kernel/verify_cpu.S index b9242ba..50c5edd 100644 --- a/arch/x86/kernel/verify_cpu.S @@ -23555,7 +25224,7 @@ index b9242ba..50c5edd 100644 * verify_cpu, returns the status of longmode and SSE in register %eax. * 0: Success 1: Failure diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c -index 3dbdd9c..888b14e 100644 +index e8edcf5..27f9344 100644 --- a/arch/x86/kernel/vm86_32.c +++ b/arch/x86/kernel/vm86_32.c @@ -44,6 +44,7 @@ @@ -23578,34 +25247,33 @@ index 3dbdd9c..888b14e 100644 @@ -214,6 +215,14 @@ SYSCALL_DEFINE1(vm86old, struct vm86_struct __user *, v86) if (tsk->thread.saved_sp0) - goto out; + return -EPERM; + +#ifdef CONFIG_GRKERNSEC_VM86 + if (!capable(CAP_SYS_RAWIO)) { + gr_handle_vm86(); -+ goto out; ++ return -EPERM; + } +#endif + tmp = copy_vm86_regs_from_user(&info.regs, &v86->regs, offsetof(struct kernel_vm86_struct, vm86plus) - sizeof(info.regs)); -@@ -242,6 +251,14 @@ SYSCALL_DEFINE2(vm86, unsigned long, cmd, unsigned long, arg) - int tmp, ret; +@@ -238,6 +247,13 @@ SYSCALL_DEFINE2(vm86, unsigned long, cmd, unsigned long, arg) + int tmp; struct vm86plus_struct __user *v86; +#ifdef CONFIG_GRKERNSEC_VM86 + if (!capable(CAP_SYS_RAWIO)) { + gr_handle_vm86(); -+ ret = -EPERM; -+ goto out; ++ return -EPERM; + } +#endif + tsk = current; switch (cmd) { case VM86_REQUEST_IRQ: -@@ -329,7 +346,7 @@ static void do_sys_vm86(struct kernel_vm86_struct *info, struct task_struct *tsk +@@ -318,7 +334,7 @@ static void do_sys_vm86(struct kernel_vm86_struct *info, struct task_struct *tsk tsk->thread.saved_fs = info->regs32->fs; tsk->thread.saved_gs = get_user_gs(info->regs32); @@ -23614,7 +25282,7 @@ index 3dbdd9c..888b14e 100644 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0; if (cpu_has_sep) tsk->thread.sysenter_cs = 0; -@@ -536,7 +553,7 @@ static void do_int(struct kernel_vm86_regs *regs, int i, +@@ -525,7 +541,7 @@ static void do_int(struct kernel_vm86_regs *regs, int i, goto cannot_handle; if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored)) goto cannot_handle; @@ -23624,7 +25292,7 @@ index 3dbdd9c..888b14e 100644 goto cannot_handle; if ((segoffs >> 16) == BIOSSEG) diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S -index 22a1530..5efafbf 100644 +index 10c4f30..57377c2 100644 --- a/arch/x86/kernel/vmlinux.lds.S +++ b/arch/x86/kernel/vmlinux.lds.S @@ -26,6 +26,13 @@ @@ -23691,9 +25359,9 @@ index 22a1530..5efafbf 100644 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET; + _text = .; HEAD_TEXT - #ifdef CONFIG_X86_32 - . = ALIGN(PAGE_SIZE); -@@ -108,13 +128,48 @@ SECTIONS + . = ALIGN(8); + _stext = .; +@@ -104,13 +124,48 @@ SECTIONS IRQENTRY_TEXT *(.fixup) *(.gnu.warning) @@ -23746,7 +25414,7 @@ index 22a1530..5efafbf 100644 #if defined(CONFIG_DEBUG_RODATA) /* .text should occupy whole number of pages */ -@@ -126,16 +181,20 @@ SECTIONS +@@ -122,16 +177,20 @@ SECTIONS /* Data */ .data : AT(ADDR(.data) - LOAD_OFFSET) { @@ -23770,7 +25438,7 @@ index 22a1530..5efafbf 100644 PAGE_ALIGNED_DATA(PAGE_SIZE) -@@ -176,12 +235,19 @@ SECTIONS +@@ -172,12 +231,19 @@ SECTIONS #endif /* CONFIG_X86_64 */ /* Init code and data - will be freed after init */ @@ -23793,7 +25461,7 @@ index 22a1530..5efafbf 100644 /* * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the * output PHDR, so the next output section - .init.text - should -@@ -190,12 +256,27 @@ SECTIONS +@@ -186,12 +252,27 @@ SECTIONS PERCPU_VADDR(INTERNODE_CACHE_BYTES, 0, :percpu) #endif @@ -23826,7 +25494,7 @@ index 22a1530..5efafbf 100644 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) { __x86_cpu_dev_start = .; -@@ -257,19 +338,12 @@ SECTIONS +@@ -253,19 +334,12 @@ SECTIONS } . = ALIGN(8); @@ -23847,7 +25515,7 @@ index 22a1530..5efafbf 100644 PERCPU_SECTION(INTERNODE_CACHE_BYTES) #endif -@@ -288,16 +362,10 @@ SECTIONS +@@ -284,16 +358,10 @@ SECTIONS .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) { __smp_locks = .; *(.smp_locks) @@ -23865,7 +25533,7 @@ index 22a1530..5efafbf 100644 /* BSS */ . = ALIGN(PAGE_SIZE); .bss : AT(ADDR(.bss) - LOAD_OFFSET) { -@@ -313,6 +381,7 @@ SECTIONS +@@ -309,6 +377,7 @@ SECTIONS __brk_base = .; . += 64 * 1024; /* 64k alignment slop space */ *(.brk_reservation) /* areas brk users have reserved */ @@ -23873,7 +25541,7 @@ index 22a1530..5efafbf 100644 __brk_limit = .; } -@@ -339,13 +408,12 @@ SECTIONS +@@ -335,13 +404,12 @@ SECTIONS * for the boot processor. */ #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load @@ -24056,10 +25724,10 @@ index a20ecb5..d0e2194 100644 out: diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index 698eece..776b682 100644 +index 5953dce..f11a7d2 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c -@@ -328,6 +328,7 @@ static void invalidate_registers(struct x86_emulate_ctxt *ctxt) +@@ -329,6 +329,7 @@ static void invalidate_registers(struct x86_emulate_ctxt *ctxt) #define ____emulate_2op(ctxt, _op, _x, _y, _suffix, _dsttype) \ do { \ @@ -24067,7 +25735,7 @@ index 698eece..776b682 100644 __asm__ __volatile__ ( \ _PRE_EFLAGS("0", "4", "2") \ _op _suffix " %"_x"3,%1; " \ -@@ -342,8 +343,6 @@ static void invalidate_registers(struct x86_emulate_ctxt *ctxt) +@@ -343,8 +344,6 @@ static void invalidate_registers(struct x86_emulate_ctxt *ctxt) /* Raw emulation: instruction has two explicit operands. */ #define __emulate_2op_nobyte(ctxt,_op,_wx,_wy,_lx,_ly,_qx,_qy) \ do { \ @@ -24076,7 +25744,7 @@ index 698eece..776b682 100644 switch ((ctxt)->dst.bytes) { \ case 2: \ ____emulate_2op(ctxt,_op,_wx,_wy,"w",u16); \ -@@ -359,7 +358,6 @@ static void invalidate_registers(struct x86_emulate_ctxt *ctxt) +@@ -360,7 +359,6 @@ static void invalidate_registers(struct x86_emulate_ctxt *ctxt) #define __emulate_2op(ctxt,_op,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \ do { \ @@ -24085,7 +25753,7 @@ index 698eece..776b682 100644 case 1: \ ____emulate_2op(ctxt,_op,_bx,_by,"b",u8); \ diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c -index f77df1c..6f20690 100644 +index 0eee2c8..94a32c3 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c @@ -55,7 +55,7 @@ @@ -24098,7 +25766,7 @@ index f77df1c..6f20690 100644 #define APIC_LVT_NUM 6 /* 14 is the version for Xeon and Pentium 8.4.8*/ diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h -index 105dd5b..1b0ccc2 100644 +index da20860..d19fdf5 100644 --- a/arch/x86/kvm/paging_tmpl.h +++ b/arch/x86/kvm/paging_tmpl.h @@ -208,7 +208,7 @@ retry_walk: @@ -24111,10 +25779,10 @@ index 105dd5b..1b0ccc2 100644 goto error; walker->ptep_user[walker->level - 1] = ptep_user; diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c -index e1b1ce2..f7b4b43 100644 +index a14a6ea..dc86cf0 100644 --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c -@@ -3507,7 +3507,11 @@ static void reload_tss(struct kvm_vcpu *vcpu) +@@ -3493,7 +3493,11 @@ static void reload_tss(struct kvm_vcpu *vcpu) int cpu = raw_smp_processor_id(); struct svm_cpu_data *sd = per_cpu(svm_data, cpu); @@ -24126,7 +25794,7 @@ index e1b1ce2..f7b4b43 100644 load_TR_desc(); } -@@ -3901,6 +3905,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) +@@ -3894,6 +3898,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) #endif #endif @@ -24138,10 +25806,10 @@ index e1b1ce2..f7b4b43 100644 local_irq_disable(); diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index 0e2f2a4..4331db2 100644 +index 5402c94..c3bdeee 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c -@@ -1184,12 +1184,12 @@ static void vmcs_write64(unsigned long field, u64 value) +@@ -1311,12 +1311,12 @@ static void vmcs_write64(unsigned long field, u64 value) #endif } @@ -24156,7 +25824,7 @@ index 0e2f2a4..4331db2 100644 { vmcs_writel(field, vmcs_readl(field) | mask); } -@@ -1390,7 +1390,11 @@ static void reload_tss(void) +@@ -1517,7 +1517,11 @@ static void reload_tss(void) struct desc_struct *descs; descs = (void *)gdt->address; @@ -24168,7 +25836,7 @@ index 0e2f2a4..4331db2 100644 load_TR_desc(); } -@@ -1614,6 +1618,10 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu) +@@ -1741,6 +1745,10 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu) vmcs_writel(HOST_TR_BASE, kvm_read_tr_base()); /* 22.2.4 */ vmcs_writel(HOST_GDTR_BASE, gdt->address); /* 22.2.4 */ @@ -24179,7 +25847,7 @@ index 0e2f2a4..4331db2 100644 rdmsrl(MSR_IA32_SYSENTER_ESP, sysenter_esp); vmcs_writel(HOST_IA32_SYSENTER_ESP, sysenter_esp); /* 22.2.3 */ vmx->loaded_vmcs->cpu = cpu; -@@ -2779,8 +2787,11 @@ static __init int hardware_setup(void) +@@ -2935,8 +2943,11 @@ static __init int hardware_setup(void) if (!cpu_has_vmx_flexpriority()) flexpriority_enabled = 0; @@ -24193,22 +25861,27 @@ index 0e2f2a4..4331db2 100644 if (enable_ept && !cpu_has_vmx_ept_2m_page()) kvm_disable_largepages(); -@@ -2792,10 +2803,12 @@ static __init int hardware_setup(void) - !cpu_has_vmx_virtual_intr_delivery()) - enable_apicv_reg_vid = 0; +@@ -2947,13 +2958,15 @@ static __init int hardware_setup(void) + if (!cpu_has_vmx_apicv()) + enable_apicv = 0; + pax_open_kernel(); - if (enable_apicv_reg_vid) + if (enable_apicv) - kvm_x86_ops->update_cr8_intercept = NULL; + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL; - else + else { - kvm_x86_ops->hwapic_irr_update = NULL; +- kvm_x86_ops->deliver_posted_interrupt = NULL; +- kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy; + *(void **)&kvm_x86_ops->hwapic_irr_update = NULL; ++ *(void **)&kvm_x86_ops->deliver_posted_interrupt = NULL; ++ *(void **)&kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy; + } + pax_close_kernel(); if (nested) nested_vmx_setup_ctls_msrs(); -@@ -3890,7 +3903,10 @@ static void vmx_set_constant_host_state(void) +@@ -4076,7 +4089,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) vmcs_writel(HOST_CR0, read_cr0() & ~X86_CR0_TS); /* 22.2.3 */ vmcs_writel(HOST_CR4, read_cr4()); /* 22.2.3, 22.2.5 */ @@ -24219,16 +25892,16 @@ index 0e2f2a4..4331db2 100644 vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS); /* 22.2.4 */ #ifdef CONFIG_X86_64 -@@ -3911,7 +3927,7 @@ static void vmx_set_constant_host_state(void) - native_store_idt(&dt); +@@ -4098,7 +4114,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */ + vmx->host_idt_base = dt.address; - vmcs_writel(HOST_RIP, vmx_return); /* 22.2.5 */ + vmcs_writel(HOST_RIP, ktla_ktva(vmx_return)); /* 22.2.5 */ rdmsr(MSR_IA32_SYSENTER_CS, low32, high32); vmcs_write32(HOST_IA32_SYSENTER_CS, low32); -@@ -6587,6 +6603,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -7030,6 +7046,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) "jmp 2f \n\t" "1: " __ex(ASM_VMX_VMRESUME) "\n\t" "2: " @@ -24241,7 +25914,7 @@ index 0e2f2a4..4331db2 100644 /* Save guest registers, load host registers, keep flags */ "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t" "pop %0 \n\t" -@@ -6639,6 +6661,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -7082,6 +7104,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) #endif [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)), [wordsize]"i"(sizeof(ulong)) @@ -24253,7 +25926,7 @@ index 0e2f2a4..4331db2 100644 : "cc", "memory" #ifdef CONFIG_X86_64 , "rax", "rbx", "rdi", "rsi" -@@ -6652,7 +6679,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -7095,7 +7122,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) if (debugctlmsr) update_debugctlmsr(debugctlmsr); @@ -24262,7 +25935,7 @@ index 0e2f2a4..4331db2 100644 /* * The sysexit path does not restore ds/es, so we must set them to * a reasonable value ourselves. -@@ -6661,8 +6688,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -7104,8 +7131,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) * may be executed in interrupt context, which saves and restore segments * around it, nullifying its effect. */ @@ -24284,10 +25957,10 @@ index 0e2f2a4..4331db2 100644 vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 8563b45..272f1fe 100644 +index e8ba99c..ee9d7d9 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c -@@ -1685,8 +1685,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) +@@ -1725,8 +1725,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) { struct kvm *kvm = vcpu->kvm; int lm = is_long_mode(vcpu); @@ -24298,7 +25971,7 @@ index 8563b45..272f1fe 100644 u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64 : kvm->arch.xen_hvm_config.blob_size_32; u32 page_num = data & ~PAGE_MASK; -@@ -2566,6 +2566,8 @@ long kvm_arch_dev_ioctl(struct file *filp, +@@ -2609,6 +2609,8 @@ long kvm_arch_dev_ioctl(struct file *filp, if (n < msr_list.nmsrs) goto out; r = -EFAULT; @@ -24307,16 +25980,7 @@ index 8563b45..272f1fe 100644 if (copy_to_user(user_msr_list->indices, &msrs_to_save, num_msrs_to_save * sizeof(u32))) goto out; -@@ -2695,7 +2697,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu, - static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu, - struct kvm_interrupt *irq) - { -- if (irq->irq < 0 || irq->irq >= KVM_NR_INTERRUPTS) -+ if (irq->irq >= KVM_NR_INTERRUPTS) - return -EINVAL; - if (irqchip_in_kernel(vcpu->kvm)) - return -ENXIO; -@@ -5246,7 +5248,7 @@ static struct notifier_block pvclock_gtod_notifier = { +@@ -5297,7 +5299,7 @@ static struct notifier_block pvclock_gtod_notifier = { }; #endif @@ -24826,7 +26490,7 @@ index f5cc9eb..51fa319 100644 CFI_ENDPROC ENDPROC(atomic64_inc_not_zero_cx8) diff --git a/arch/x86/lib/checksum_32.S b/arch/x86/lib/checksum_32.S -index 2af5df3..62b1a5a 100644 +index e78b8ee..7e173a8 100644 --- a/arch/x86/lib/checksum_32.S +++ b/arch/x86/lib/checksum_32.S @@ -29,7 +29,8 @@ @@ -25217,27 +26881,43 @@ index 176cca6..1166c50 100644 .byte (copy_page_rep - copy_page) - (2f - 1b) /* offset */ 2: diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S -index a30ca15..d25fab6 100644 +index a30ca15..6b3f4e1 100644 --- a/arch/x86/lib/copy_user_64.S +++ b/arch/x86/lib/copy_user_64.S -@@ -18,6 +18,7 @@ +@@ -18,31 +18,7 @@ #include <asm/alternative-asm.h> #include <asm/asm.h> #include <asm/smap.h> +- +-/* +- * By placing feature2 after feature1 in altinstructions section, we logically +- * implement: +- * If CPU has feature2, jmp to alt2 is used +- * else if CPU has feature1, jmp to alt1 is used +- * else jmp to orig is used. +- */ +- .macro ALTERNATIVE_JUMP feature1,feature2,orig,alt1,alt2 +-0: +- .byte 0xe9 /* 32bit jump */ +- .long \orig-1f /* by default jump to orig */ +-1: +- .section .altinstr_replacement,"ax" +-2: .byte 0xe9 /* near jump with 32bit immediate */ +- .long \alt1-1b /* offset */ /* or alternatively to alt1 */ +-3: .byte 0xe9 /* near jump with 32bit immediate */ +- .long \alt2-1b /* offset */ /* or alternatively to alt2 */ +- .previous +- +- .section .altinstructions,"a" +- altinstruction_entry 0b,2b,\feature1,5,5 +- altinstruction_entry 0b,3b,\feature2,5,5 +- .previous +- .endm +#include <asm/pgtable.h> - /* - * By placing feature2 after feature1 in altinstructions section, we logically -@@ -31,7 +32,7 @@ - .byte 0xe9 /* 32bit jump */ - .long \orig-1f /* by default jump to orig */ - 1: -- .section .altinstr_replacement,"ax" -+ .section .altinstr_replacement,"a" - 2: .byte 0xe9 /* near jump with 32bit immediate */ - .long \alt1-1b /* offset */ /* or alternatively to alt1 */ - 3: .byte 0xe9 /* near jump with 32bit immediate */ -@@ -70,47 +71,20 @@ + .macro ALIGN_DESTINATION + #ifdef FIX_ALIGNMENT +@@ -70,52 +46,6 @@ #endif .endm @@ -25271,24 +26951,34 @@ index a30ca15..d25fab6 100644 - CFI_ENDPROC -ENDPROC(_copy_from_user) - - .section .fixup,"ax" - /* must zero dest */ - ENTRY(bad_from_user) - bad_from_user: +- .section .fixup,"ax" +- /* must zero dest */ +-ENTRY(bad_from_user) +-bad_from_user: +- CFI_STARTPROC +- movl %edx,%ecx +- xorl %eax,%eax +- rep +- stosb +-bad_to_user: +- movl %edx,%eax +- ret +- CFI_ENDPROC +-ENDPROC(bad_from_user) +- .previous +- + /* + * copy_user_generic_unrolled - memory copy with exception handling. + * This version is for CPUs like P4 that don't have efficient micro +@@ -131,6 +61,7 @@ ENDPROC(bad_from_user) + */ + ENTRY(copy_user_generic_unrolled) CFI_STARTPROC -+ testl %edx,%edx -+ js bad_to_user - movl %edx,%ecx - xorl %eax,%eax - rep - stosb - bad_to_user: - movl %edx,%eax -+ pax_force_retaddr - ret - CFI_ENDPROC - ENDPROC(bad_from_user) -@@ -141,19 +115,19 @@ ENTRY(copy_user_generic_unrolled) ++ ASM_PAX_OPEN_USERLAND + ASM_STAC + cmpl $8,%edx + jb 20f /* less then 8 bytes, go to byte copy loop */ +@@ -141,19 +72,19 @@ ENTRY(copy_user_generic_unrolled) jz 17f 1: movq (%rsi),%r8 2: movq 1*8(%rsi),%r9 @@ -25312,32 +27002,51 @@ index a30ca15..d25fab6 100644 16: movq %r11,7*8(%rdi) leaq 64(%rsi),%rsi leaq 64(%rdi),%rdi -@@ -180,6 +154,7 @@ ENTRY(copy_user_generic_unrolled) +@@ -180,6 +111,8 @@ ENTRY(copy_user_generic_unrolled) jnz 21b 23: xor %eax,%eax ASM_CLAC ++ ASM_PAX_CLOSE_USERLAND + pax_force_retaddr ret .section .fixup,"ax" -@@ -251,6 +226,7 @@ ENTRY(copy_user_generic_string) +@@ -235,6 +168,7 @@ ENDPROC(copy_user_generic_unrolled) + */ + ENTRY(copy_user_generic_string) + CFI_STARTPROC ++ ASM_PAX_OPEN_USERLAND + ASM_STAC + andl %edx,%edx + jz 4f +@@ -251,6 +185,8 @@ ENTRY(copy_user_generic_string) movsb 4: xorl %eax,%eax ASM_CLAC ++ ASM_PAX_CLOSE_USERLAND + pax_force_retaddr ret .section .fixup,"ax" -@@ -286,6 +262,7 @@ ENTRY(copy_user_enhanced_fast_string) +@@ -278,6 +214,7 @@ ENDPROC(copy_user_generic_string) + */ + ENTRY(copy_user_enhanced_fast_string) + CFI_STARTPROC ++ ASM_PAX_OPEN_USERLAND + ASM_STAC + andl %edx,%edx + jz 2f +@@ -286,6 +223,8 @@ ENTRY(copy_user_enhanced_fast_string) movsb 2: xorl %eax,%eax ASM_CLAC ++ ASM_PAX_CLOSE_USERLAND + pax_force_retaddr ret .section .fixup,"ax" diff --git a/arch/x86/lib/copy_user_nocache_64.S b/arch/x86/lib/copy_user_nocache_64.S -index 6a4f43c..f08b4a2 100644 +index 6a4f43c..55d26f2 100644 --- a/arch/x86/lib/copy_user_nocache_64.S +++ b/arch/x86/lib/copy_user_nocache_64.S @@ -8,6 +8,7 @@ @@ -25356,7 +27065,7 @@ index 6a4f43c..f08b4a2 100644 .macro ALIGN_DESTINATION #ifdef FIX_ALIGNMENT -@@ -49,6 +51,15 @@ +@@ -49,6 +51,16 @@ */ ENTRY(__copy_user_nocache) CFI_STARTPROC @@ -25369,10 +27078,11 @@ index 6a4f43c..f08b4a2 100644 +1: +#endif + ++ ASM_PAX_OPEN_USERLAND ASM_STAC cmpl $8,%edx jb 20f /* less then 8 bytes, go to byte copy loop */ -@@ -59,19 +70,19 @@ ENTRY(__copy_user_nocache) +@@ -59,19 +71,19 @@ ENTRY(__copy_user_nocache) jz 17f 1: movq (%rsi),%r8 2: movq 1*8(%rsi),%r9 @@ -25396,9 +27106,11 @@ index 6a4f43c..f08b4a2 100644 16: movnti %r11,7*8(%rdi) leaq 64(%rsi),%rsi leaq 64(%rdi),%rdi -@@ -99,6 +110,7 @@ ENTRY(__copy_user_nocache) +@@ -98,7 +110,9 @@ ENTRY(__copy_user_nocache) + jnz 21b 23: xorl %eax,%eax ASM_CLAC ++ ASM_PAX_CLOSE_USERLAND sfence + pax_force_retaddr ret @@ -25425,29 +27137,40 @@ index 2419d5f..953ee51 100644 CFI_RESTORE_STATE diff --git a/arch/x86/lib/csum-wrappers_64.c b/arch/x86/lib/csum-wrappers_64.c -index 25b7ae8..169fafc 100644 +index 25b7ae8..c40113e 100644 --- a/arch/x86/lib/csum-wrappers_64.c +++ b/arch/x86/lib/csum-wrappers_64.c -@@ -52,7 +52,7 @@ csum_partial_copy_from_user(const void __user *src, void *dst, +@@ -52,8 +52,12 @@ csum_partial_copy_from_user(const void __user *src, void *dst, len -= 2; } } - isum = csum_partial_copy_generic((__force const void *)src, ++ pax_open_userland(); ++ stac(); + isum = csum_partial_copy_generic((const void __force_kernel *)____m(src), dst, len, isum, errp, NULL); ++ clac(); ++ pax_close_userland(); if (unlikely(*errp)) goto out_err; -@@ -105,7 +105,7 @@ csum_partial_copy_to_user(const void *src, void __user *dst, + +@@ -105,8 +109,13 @@ csum_partial_copy_to_user(const void *src, void __user *dst, } *errp = 0; - return csum_partial_copy_generic(src, (void __force *)dst, -+ return csum_partial_copy_generic(src, (void __force_kernel *)____m(dst), ++ pax_open_userland(); ++ stac(); ++ isum = csum_partial_copy_generic(src, (void __force_kernel *)____m(dst), len, isum, NULL, errp); ++ clac(); ++ pax_close_userland(); ++ return isum; } EXPORT_SYMBOL(csum_partial_copy_to_user); + diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S -index a451235..79fb5cf 100644 +index a451235..1daa956 100644 --- a/arch/x86/lib/getuser.S +++ b/arch/x86/lib/getuser.S @@ -33,17 +33,40 @@ @@ -25573,8 +27296,14 @@ index a451235..79fb5cf 100644 ret #else add $7,%_ASM_AX -@@ -102,6 +163,7 @@ ENTRY(__get_user_8) - 5: movl -3(%_ASM_AX),%ecx +@@ -98,10 +159,11 @@ ENTRY(__get_user_8) + cmp TI_addr_limit(%_ASM_DX),%_ASM_AX + jae bad_get_user_8 + ASM_STAC +-4: movl -7(%_ASM_AX),%edx +-5: movl -3(%_ASM_AX),%ecx ++4: __copyuser_seg movl -7(%_ASM_AX),%edx ++5: __copyuser_seg movl -3(%_ASM_AX),%ecx xor %eax,%eax ASM_CLAC + pax_force_retaddr @@ -25644,9 +27373,18 @@ index 05a95e7..326f2fa 100644 CFI_ENDPROC ENDPROC(__iowrite32_copy) diff --git a/arch/x86/lib/memcpy_64.S b/arch/x86/lib/memcpy_64.S -index 1c273be..da9cc0e 100644 +index 56313a3..9b59269 100644 --- a/arch/x86/lib/memcpy_64.S +++ b/arch/x86/lib/memcpy_64.S +@@ -24,7 +24,7 @@ + * This gets patched over the unrolled variant (below) via the + * alternative instructions framework: + */ +- .section .altinstr_replacement, "ax", @progbits ++ .section .altinstr_replacement, "a", @progbits + .Lmemcpy_c: + movq %rdi, %rax + movq %rdx, %rcx @@ -33,6 +33,7 @@ rep movsq movl %edx, %ecx @@ -25655,7 +27393,13 @@ index 1c273be..da9cc0e 100644 ret .Lmemcpy_e: .previous -@@ -49,6 +50,7 @@ +@@ -44,11 +45,12 @@ + * This gets patched over the unrolled variant (below) via the + * alternative instructions framework: + */ +- .section .altinstr_replacement, "ax", @progbits ++ .section .altinstr_replacement, "a", @progbits + .Lmemcpy_c_e: movq %rdi, %rax movq %rdx, %rcx rep movsb @@ -25735,7 +27479,7 @@ index 1c273be..da9cc0e 100644 CFI_ENDPROC ENDPROC(memcpy) diff --git a/arch/x86/lib/memmove_64.S b/arch/x86/lib/memmove_64.S -index ee16461..c39c199 100644 +index 65268a6..5aa7815 100644 --- a/arch/x86/lib/memmove_64.S +++ b/arch/x86/lib/memmove_64.S @@ -61,13 +61,13 @@ ENTRY(memmove) @@ -25850,7 +27594,7 @@ index ee16461..c39c199 100644 jmp 13f 12: cmp $1, %rdx -@@ -202,6 +202,7 @@ ENTRY(memmove) +@@ -202,14 +202,16 @@ ENTRY(memmove) movb (%rsi), %r11b movb %r11b, (%rdi) 13: @@ -25858,7 +27602,9 @@ index ee16461..c39c199 100644 retq CFI_ENDPROC -@@ -210,6 +211,7 @@ ENTRY(memmove) +- .section .altinstr_replacement,"ax" ++ .section .altinstr_replacement,"a" + .Lmemmove_begin_forward_efs: /* Forward moving data. */ movq %rdx, %rcx rep movsb @@ -25867,9 +27613,18 @@ index ee16461..c39c199 100644 .Lmemmove_end_forward_efs: .previous diff --git a/arch/x86/lib/memset_64.S b/arch/x86/lib/memset_64.S -index 2dcb380..963660a 100644 +index 2dcb380..50a78bc 100644 --- a/arch/x86/lib/memset_64.S +++ b/arch/x86/lib/memset_64.S +@@ -16,7 +16,7 @@ + * + * rax original destination + */ +- .section .altinstr_replacement, "ax", @progbits ++ .section .altinstr_replacement, "a", @progbits + .Lmemset_c: + movq %rdi,%r9 + movq %rdx,%rcx @@ -30,6 +30,7 @@ movl %edx,%ecx rep stosb @@ -25878,7 +27633,15 @@ index 2dcb380..963660a 100644 ret .Lmemset_e: .previous -@@ -52,6 +53,7 @@ +@@ -45,13 +46,14 @@ + * + * rax original destination + */ +- .section .altinstr_replacement, "ax", @progbits ++ .section .altinstr_replacement, "a", @progbits + .Lmemset_c_e: + movq %rdi,%r9 + movb %sil,%al movq %rdx,%rcx rep stosb movq %r9,%rax @@ -26552,7 +28315,7 @@ index a63efd6..ccecad8 100644 ret CFI_ENDPROC diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c -index f0312d7..9c39d63 100644 +index 3eb18ac..6890bc3 100644 --- a/arch/x86/lib/usercopy_32.c +++ b/arch/x86/lib/usercopy_32.c @@ -42,11 +42,13 @@ do { \ @@ -27070,7 +28833,7 @@ index f0312d7..9c39d63 100644 clac(); return n; } -@@ -632,66 +743,51 @@ unsigned long __copy_from_user_ll_nocache_nozero(void *to, const void __user *fr +@@ -632,60 +743,38 @@ unsigned long __copy_from_user_ll_nocache_nozero(void *to, const void __user *fr if (n > 64 && cpu_has_xmm2) n = __copy_user_intel_nocache(to, from, n); else @@ -27100,15 +28863,28 @@ index f0312d7..9c39d63 100644 - */ -unsigned long -copy_to_user(void __user *to, const void *from, unsigned long n) -+void copy_from_user_overflow(void) ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++void __set_fs(mm_segment_t x) { - if (access_ok(VERIFY_WRITE, to, n)) - n = __copy_to_user(to, from, n); - return n; -+ WARN(1, "Buffer overflow detected!\n"); ++ switch (x.seg) { ++ case 0: ++ loadsegment(gs, 0); ++ break; ++ case TASK_SIZE_MAX: ++ loadsegment(gs, __USER_DS); ++ break; ++ case -1UL: ++ loadsegment(gs, __KERNEL_DS); ++ break; ++ default: ++ BUG(); ++ } } -EXPORT_SYMBOL(copy_to_user); -+EXPORT_SYMBOL(copy_from_user_overflow); ++EXPORT_SYMBOL(__set_fs); -/** - * copy_from_user: - Copy a block of data from user space. @@ -27128,53 +28904,32 @@ index f0312d7..9c39d63 100644 - */ -unsigned long -_copy_from_user(void *to, const void __user *from, unsigned long n) -+void copy_to_user_overflow(void) ++void set_fs(mm_segment_t x) { - if (access_ok(VERIFY_READ, from, n)) - n = __copy_from_user(to, from, n); - else - memset(to, 0, n); - return n; -+ WARN(1, "Buffer overflow detected!\n"); - } --EXPORT_SYMBOL(_copy_from_user); -+EXPORT_SYMBOL(copy_to_user_overflow); - --void copy_from_user_overflow(void) -+#ifdef CONFIG_PAX_MEMORY_UDEREF -+void __set_fs(mm_segment_t x) - { -- WARN(1, "Buffer overflow detected!\n"); -+ switch (x.seg) { -+ case 0: -+ loadsegment(gs, 0); -+ break; -+ case TASK_SIZE_MAX: -+ loadsegment(gs, __USER_DS); -+ break; -+ case -1UL: -+ loadsegment(gs, __KERNEL_DS); -+ break; -+ default: -+ BUG(); -+ } -+ return; - } --EXPORT_SYMBOL(copy_from_user_overflow); -+EXPORT_SYMBOL(__set_fs); -+ -+void set_fs(mm_segment_t x) -+{ + current_thread_info()->addr_limit = x; + __set_fs(x); -+} + } +-EXPORT_SYMBOL(_copy_from_user); +EXPORT_SYMBOL(set_fs); +#endif diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c -index 906fea3..ee8a097 100644 +index 906fea3..0194a18 100644 --- a/arch/x86/lib/usercopy_64.c +++ b/arch/x86/lib/usercopy_64.c -@@ -39,7 +39,7 @@ unsigned long __clear_user(void __user *addr, unsigned long size) +@@ -18,6 +18,7 @@ unsigned long __clear_user(void __user *addr, unsigned long size) + might_fault(); + /* no memory constraint because it doesn't change any memory gcc knows + about */ ++ pax_open_userland(); + stac(); + asm volatile( + " testq %[size8],%[size8]\n" +@@ -39,9 +40,10 @@ unsigned long __clear_user(void __user *addr, unsigned long size) _ASM_EXTABLE(0b,3b) _ASM_EXTABLE(1b,2b) : [size8] "=&c"(size), [dst] "=&D" (__d0) @@ -27182,8 +28937,11 @@ index 906fea3..ee8a097 100644 + : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(____m(addr)), [zero] "r" (0UL), [eight] "r" (8UL)); clac(); ++ pax_close_userland(); return size; -@@ -54,12 +54,11 @@ unsigned long clear_user(void __user *to, unsigned long n) + } + EXPORT_SYMBOL(__clear_user); +@@ -54,12 +56,11 @@ unsigned long clear_user(void __user *to, unsigned long n) } EXPORT_SYMBOL(clear_user); @@ -27200,7 +28958,7 @@ index 906fea3..ee8a097 100644 } EXPORT_SYMBOL(copy_in_user); -@@ -69,7 +68,7 @@ EXPORT_SYMBOL(copy_in_user); +@@ -69,11 +70,13 @@ EXPORT_SYMBOL(copy_in_user); * it is not necessary to optimize tail handling. */ unsigned long @@ -27209,22 +28967,31 @@ index 906fea3..ee8a097 100644 { char c; unsigned zero_len; -@@ -87,3 +86,15 @@ copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest) - clac(); + ++ clac(); ++ pax_close_userland(); + for (; len; --len, to++) { + if (__get_user_nocheck(c, from++, sizeof(char))) + break; +@@ -84,6 +87,5 @@ copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest) + for (c = 0, zero_len = len; zerorest && zero_len; --zero_len) + if (__put_user_nocheck(c, to++, sizeof(char))) + break; +- clac(); return len; } +diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile +index 23d8e5f..9ccc13a 100644 +--- a/arch/x86/mm/Makefile ++++ b/arch/x86/mm/Makefile +@@ -28,3 +28,7 @@ obj-$(CONFIG_ACPI_NUMA) += srat.o + obj-$(CONFIG_NUMA_EMU) += numa_emulation.o + + obj-$(CONFIG_MEMTEST) += memtest.o + -+void copy_from_user_overflow(void) -+{ -+ WARN(1, "Buffer overflow detected!\n"); -+} -+EXPORT_SYMBOL(copy_from_user_overflow); -+ -+void copy_to_user_overflow(void) -+{ -+ WARN(1, "Buffer overflow detected!\n"); -+} -+EXPORT_SYMBOL(copy_to_user_overflow); ++quote:=" ++obj-$(CONFIG_X86_64) += uderef_64.o ++CFLAGS_uderef_64.o := $(subst $(quote),,$(CONFIG_ARCH_HWEIGHT_CFLAGS)) diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c index 903ec1e..c4166b2 100644 --- a/arch/x86/mm/extable.c @@ -27280,13 +29047,13 @@ index 903ec1e..c4166b2 100644 } diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c -index 0e88336..2bb9777 100644 +index 654be4a..a4a3da1 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c -@@ -13,12 +13,19 @@ - #include <linux/perf_event.h> /* perf_sw_event */ +@@ -14,11 +14,18 @@ #include <linux/hugetlb.h> /* hstate_index_to_shift */ #include <linux/prefetch.h> /* prefetchw */ + #include <linux/context_tracking.h> /* exception_enter(), ... */ +#include <linux/unistd.h> +#include <linux/compiler.h> @@ -27294,7 +29061,6 @@ index 0e88336..2bb9777 100644 #include <asm/pgalloc.h> /* pgd_*(), ... */ #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */ #include <asm/fixmap.h> /* VSYSCALL_START */ - #include <asm/context_tracking.h> /* exception_enter(), ... */ +#include <asm/tlbflush.h> + +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) @@ -27371,7 +29137,7 @@ index 0e88336..2bb9777 100644 DEFINE_SPINLOCK(pgd_lock); LIST_HEAD(pgd_list); -@@ -232,10 +273,22 @@ void vmalloc_sync_all(void) +@@ -232,10 +273,27 @@ void vmalloc_sync_all(void) for (address = VMALLOC_START & PMD_MASK; address >= TASK_SIZE && address < FIXADDR_TOP; address += PMD_SIZE) { @@ -27386,15 +29152,20 @@ index 0e88336..2bb9777 100644 + +#ifdef CONFIG_PAX_PER_CPU_PGD + for (cpu = 0; cpu < nr_cpu_ids; ++cpu) { -+ pgd_t *pgd = get_cpu_pgd(cpu); ++ pgd_t *pgd = get_cpu_pgd(cpu, user); + pmd_t *ret; ++ ++ ret = vmalloc_sync_one(pgd, address); ++ if (!ret) ++ break; ++ pgd = get_cpu_pgd(cpu, kernel); +#else list_for_each_entry(page, &pgd_list, lru) { + pgd_t *pgd; spinlock_t *pgt_lock; pmd_t *ret; -@@ -243,8 +296,14 @@ void vmalloc_sync_all(void) +@@ -243,8 +301,14 @@ void vmalloc_sync_all(void) pgt_lock = &pgd_page_get_mm(page)->page_table_lock; spin_lock(pgt_lock); @@ -27410,34 +29181,47 @@ index 0e88336..2bb9777 100644 if (!ret) break; -@@ -278,6 +337,11 @@ static noinline __kprobes int vmalloc_fault(unsigned long address) +@@ -278,6 +342,12 @@ static noinline __kprobes int vmalloc_fault(unsigned long address) * an interrupt in the middle of a task switch.. */ pgd_paddr = read_cr3(); + +#ifdef CONFIG_PAX_PER_CPU_PGD -+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK)); ++ BUG_ON(__pa(get_cpu_pgd(smp_processor_id(), kernel)) != (pgd_paddr & __PHYSICAL_MASK)); ++ vmalloc_sync_one(__va(pgd_paddr + PAGE_SIZE), address); +#endif + pmd_k = vmalloc_sync_one(__va(pgd_paddr), address); if (!pmd_k) return -1; -@@ -373,7 +437,14 @@ static noinline __kprobes int vmalloc_fault(unsigned long address) +@@ -373,11 +443,25 @@ static noinline __kprobes int vmalloc_fault(unsigned long address) * happen within a race in page table update. In the later * case just flush: */ +- pgd = pgd_offset(current->active_mm, address); + + pgd_ref = pgd_offset_k(address); + if (pgd_none(*pgd_ref)) + return -1; + +#ifdef CONFIG_PAX_PER_CPU_PGD -+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK)); -+ pgd = pgd_offset_cpu(smp_processor_id(), address); ++ BUG_ON(__pa(get_cpu_pgd(smp_processor_id(), kernel)) != (read_cr3() & __PHYSICAL_MASK)); ++ pgd = pgd_offset_cpu(smp_processor_id(), user, address); ++ if (pgd_none(*pgd)) { ++ set_pgd(pgd, *pgd_ref); ++ arch_flush_lazy_mmu_mode(); ++ } else { ++ BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref)); ++ } ++ pgd = pgd_offset_cpu(smp_processor_id(), kernel, address); +#else - pgd = pgd_offset(current->active_mm, address); ++ pgd = pgd_offset(current->active_mm, address); +#endif + - pgd_ref = pgd_offset_k(address); - if (pgd_none(*pgd_ref)) - return -1; -@@ -543,7 +614,7 @@ static int is_errata93(struct pt_regs *regs, unsigned long address) + if (pgd_none(*pgd)) { + set_pgd(pgd, *pgd_ref); + arch_flush_lazy_mmu_mode(); +@@ -543,7 +627,7 @@ static int is_errata93(struct pt_regs *regs, unsigned long address) static int is_errata100(struct pt_regs *regs, unsigned long address) { #ifdef CONFIG_X86_64 @@ -27446,7 +29230,7 @@ index 0e88336..2bb9777 100644 return 1; #endif return 0; -@@ -570,7 +641,7 @@ static int is_f00f_bug(struct pt_regs *regs, unsigned long address) +@@ -570,7 +654,7 @@ static int is_f00f_bug(struct pt_regs *regs, unsigned long address) } static const char nx_warning[] = KERN_CRIT @@ -27455,7 +29239,7 @@ index 0e88336..2bb9777 100644 static void show_fault_oops(struct pt_regs *regs, unsigned long error_code, -@@ -579,15 +650,27 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code, +@@ -579,15 +663,27 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code, if (!oops_may_print()) return; @@ -27485,7 +29269,7 @@ index 0e88336..2bb9777 100644 printk(KERN_ALERT "BUG: unable to handle kernel "); if (address < PAGE_SIZE) printk(KERN_CONT "NULL pointer dereference"); -@@ -750,6 +833,22 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, +@@ -750,6 +846,22 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, return; } #endif @@ -27508,7 +29292,7 @@ index 0e88336..2bb9777 100644 /* Kernel addresses are always protection faults: */ if (address >= TASK_SIZE) error_code |= PF_PROT; -@@ -835,7 +934,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address, +@@ -835,7 +947,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address, if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) { printk(KERN_ERR "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n", @@ -27517,7 +29301,7 @@ index 0e88336..2bb9777 100644 code = BUS_MCEERR_AR; } #endif -@@ -898,6 +997,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte) +@@ -898,6 +1010,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte) return 1; } @@ -27617,7 +29401,7 @@ index 0e88336..2bb9777 100644 /* * Handle a spurious fault caused by a stale TLB entry. * -@@ -964,6 +1156,9 @@ int show_unhandled_signals = 1; +@@ -964,6 +1169,9 @@ int show_unhandled_signals = 1; static inline int access_error(unsigned long error_code, struct vm_area_struct *vma) { @@ -27627,7 +29411,7 @@ index 0e88336..2bb9777 100644 if (error_code & PF_WRITE) { /* write, present and write, not present: */ if (unlikely(!(vma->vm_flags & VM_WRITE))) -@@ -992,7 +1187,7 @@ static inline bool smap_violation(int error_code, struct pt_regs *regs) +@@ -992,7 +1200,7 @@ static inline bool smap_violation(int error_code, struct pt_regs *regs) if (error_code & PF_USER) return false; @@ -27636,7 +29420,7 @@ index 0e88336..2bb9777 100644 return false; return true; -@@ -1008,19 +1203,34 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code) +@@ -1008,18 +1216,33 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code) { struct vm_area_struct *vma; struct task_struct *tsk; @@ -27647,7 +29431,11 @@ index 0e88336..2bb9777 100644 unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE | (write ? FAULT_FLAG_WRITE : 0); -+ /* Get the faulting address: */ +- tsk = current; +- mm = tsk->mm; +- + /* Get the faulting address: */ +- address = read_cr2(); + unsigned long address = read_cr2(); + +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) @@ -27666,16 +29454,12 @@ index 0e88336..2bb9777 100644 + } +#endif + - tsk = current; - mm = tsk->mm; ++ tsk = current; ++ mm = tsk->mm; -- /* Get the faulting address: */ -- address = read_cr2(); -- /* * Detect and handle instructions that would cause a page fault for - * both a tracked kernel page and a userspace page. -@@ -1080,7 +1290,7 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code) +@@ -1080,7 +1303,7 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code) * User-mode registers count as a user access even for any * potential system fault or CPU buglet: */ @@ -27684,7 +29468,7 @@ index 0e88336..2bb9777 100644 local_irq_enable(); error_code |= PF_USER; } else { -@@ -1142,6 +1352,11 @@ retry: +@@ -1142,6 +1365,11 @@ retry: might_sleep(); } @@ -27696,7 +29480,7 @@ index 0e88336..2bb9777 100644 vma = find_vma(mm, address); if (unlikely(!vma)) { bad_area(regs, error_code, address); -@@ -1153,18 +1368,24 @@ retry: +@@ -1153,18 +1381,24 @@ retry: bad_area(regs, error_code, address); return; } @@ -27732,9 +29516,9 @@ index 0e88336..2bb9777 100644 if (unlikely(expand_stack(vma, address))) { bad_area(regs, error_code, address); return; -@@ -1228,3 +1449,292 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) +@@ -1230,3 +1464,292 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) __do_page_fault(regs, error_code); - exception_exit(regs); + exception_exit(prev_state); } + +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) @@ -28039,7 +29823,7 @@ index dd74e46..7d26398 100644 return 0; diff --git a/arch/x86/mm/highmem_32.c b/arch/x86/mm/highmem_32.c -index 6f31ee5..8ee4164 100644 +index 252b8f5..4dcfdc1 100644 --- a/arch/x86/mm/highmem_32.c +++ b/arch/x86/mm/highmem_32.c @@ -44,7 +44,11 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot) @@ -28163,7 +29947,7 @@ index ae1aa71..d9bea75 100644 #endif /*HAVE_ARCH_HUGETLB_UNMAPPED_AREA*/ diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c -index 0c13708..ca05f23 100644 +index 1f34e92..c97b98f 100644 --- a/arch/x86/mm/init.c +++ b/arch/x86/mm/init.c @@ -4,6 +4,7 @@ @@ -28183,15 +29967,18 @@ index 0c13708..ca05f23 100644 #include "mm_internal.h" -@@ -448,7 +451,15 @@ void __init init_mem_mapping(void) +@@ -465,7 +468,18 @@ void __init init_mem_mapping(void) early_ioremap_page_table_range_init(); #endif +#ifdef CONFIG_PAX_PER_CPU_PGD -+ clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY, ++ clone_pgd_range(get_cpu_pgd(0, kernel) + KERNEL_PGD_BOUNDARY, + swapper_pg_dir + KERNEL_PGD_BOUNDARY, + KERNEL_PGD_PTRS); -+ load_cr3(get_cpu_pgd(0)); ++ clone_pgd_range(get_cpu_pgd(0, user) + KERNEL_PGD_BOUNDARY, ++ swapper_pg_dir + KERNEL_PGD_BOUNDARY, ++ KERNEL_PGD_PTRS); ++ load_cr3(get_cpu_pgd(0, kernel)); +#else load_cr3(swapper_pg_dir); +#endif @@ -28199,7 +29986,7 @@ index 0c13708..ca05f23 100644 __flush_tlb_all(); early_memtest(0, max_pfn_mapped << PAGE_SHIFT); -@@ -464,10 +475,40 @@ void __init init_mem_mapping(void) +@@ -481,10 +495,40 @@ void __init init_mem_mapping(void) * Access has to be given to non-kernel-ram areas as well, these contain the PCI * mmio resources as well as potential bios/acpi data regions. */ @@ -28215,10 +30002,10 @@ index 0c13708..ca05f23 100644 +#ifdef CONFIG_GRKERNSEC_KMEM + /* allow BDA */ + if (!pagenr) -+ return 1; + return 1; + /* allow EBDA */ + if (pagenr >= ebda_start && pagenr < ebda_end) - return 1; ++ return 1; + /* if tboot is in use, allow access to its hardcoded serial log range */ + if (tboot_enabled() && ((0x60000 >> PAGE_SHIFT) <= pagenr) && (pagenr < (0x68000 >> PAGE_SHIFT))) + return 1; @@ -28241,7 +30028,7 @@ index 0c13708..ca05f23 100644 if (iomem_is_exclusive(pagenr << PAGE_SHIFT)) return 0; if (!page_is_ram(pagenr)) -@@ -524,8 +565,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end) +@@ -538,8 +582,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end) #endif } @@ -28360,7 +30147,7 @@ index 0c13708..ca05f23 100644 (unsigned long)(&__init_begin), (unsigned long)(&__init_end)); diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c -index 2d19001..e549d98 100644 +index 3ac7e31..89611b7 100644 --- a/arch/x86/mm/init_32.c +++ b/arch/x86/mm/init_32.c @@ -62,33 +62,6 @@ static noinline int do_test_wp_bit(void); @@ -28550,7 +30337,7 @@ index 2d19001..e549d98 100644 prot = PAGE_KERNEL_EXEC; pages_4k++; -@@ -482,7 +486,7 @@ void __init native_pagetable_init(void) +@@ -474,7 +478,7 @@ void __init native_pagetable_init(void) pud = pud_offset(pgd, va); pmd = pmd_offset(pud, va); @@ -28559,7 +30346,7 @@ index 2d19001..e549d98 100644 break; /* should not be large page here */ -@@ -540,12 +544,10 @@ void __init early_ioremap_page_table_range_init(void) +@@ -532,12 +536,10 @@ void __init early_ioremap_page_table_range_init(void) static void __init pagetable_init(void) { @@ -28574,7 +30361,7 @@ index 2d19001..e549d98 100644 EXPORT_SYMBOL_GPL(__supported_pte_mask); /* user-defined highmem size */ -@@ -780,7 +782,7 @@ void __init mem_init(void) +@@ -772,7 +774,7 @@ void __init mem_init(void) after_bootmem = 1; codesize = (unsigned long) &_etext - (unsigned long) &_text; @@ -28583,7 +30370,7 @@ index 2d19001..e549d98 100644 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin; printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, " -@@ -821,10 +823,10 @@ void __init mem_init(void) +@@ -813,10 +815,10 @@ void __init mem_init(void) ((unsigned long)&__init_end - (unsigned long)&__init_begin) >> 10, @@ -28597,7 +30384,7 @@ index 2d19001..e549d98 100644 ((unsigned long)&_etext - (unsigned long)&_text) >> 10); /* -@@ -914,6 +916,7 @@ void set_kernel_text_rw(void) +@@ -906,6 +908,7 @@ void set_kernel_text_rw(void) if (!kernel_set_to_readonly) return; @@ -28605,7 +30392,7 @@ index 2d19001..e549d98 100644 pr_debug("Set kernel text: %lx - %lx for read write\n", start, start+size); -@@ -928,6 +931,7 @@ void set_kernel_text_ro(void) +@@ -920,6 +923,7 @@ void set_kernel_text_ro(void) if (!kernel_set_to_readonly) return; @@ -28613,7 +30400,7 @@ index 2d19001..e549d98 100644 pr_debug("Set kernel text: %lx - %lx for read only\n", start, start+size); -@@ -956,6 +960,7 @@ void mark_rodata_ro(void) +@@ -948,6 +952,7 @@ void mark_rodata_ro(void) unsigned long start = PFN_ALIGN(_text); unsigned long size = PFN_ALIGN(_etext) - start; @@ -28622,10 +30409,10 @@ index 2d19001..e549d98 100644 printk(KERN_INFO "Write protecting the kernel text: %luk\n", size >> 10); diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c -index 474e28f..f016b6e 100644 +index bb00c46..bf91a67 100644 --- a/arch/x86/mm/init_64.c +++ b/arch/x86/mm/init_64.c -@@ -150,7 +150,7 @@ early_param("gbpages", parse_direct_gbpages_on); +@@ -151,7 +151,7 @@ early_param("gbpages", parse_direct_gbpages_on); * around without checking the pgd every time. */ @@ -28634,7 +30421,7 @@ index 474e28f..f016b6e 100644 EXPORT_SYMBOL_GPL(__supported_pte_mask); int force_personality32; -@@ -183,12 +183,22 @@ void sync_global_pgds(unsigned long start, unsigned long end) +@@ -184,12 +184,29 @@ void sync_global_pgds(unsigned long start, unsigned long end) for (address = start; address <= end; address += PGDIR_SIZE) { const pgd_t *pgd_ref = pgd_offset_k(address); @@ -28652,12 +30439,19 @@ index 474e28f..f016b6e 100644 + +#ifdef CONFIG_PAX_PER_CPU_PGD + for (cpu = 0; cpu < nr_cpu_ids; ++cpu) { -+ pgd_t *pgd = pgd_offset_cpu(cpu, address); ++ pgd_t *pgd = pgd_offset_cpu(cpu, user, address); ++ ++ if (pgd_none(*pgd)) ++ set_pgd(pgd, *pgd_ref); ++ else ++ BUG_ON(pgd_page_vaddr(*pgd) ++ != pgd_page_vaddr(*pgd_ref)); ++ pgd = pgd_offset_cpu(cpu, kernel, address); +#else list_for_each_entry(page, &pgd_list, lru) { pgd_t *pgd; spinlock_t *pgt_lock; -@@ -197,6 +207,7 @@ void sync_global_pgds(unsigned long start, unsigned long end) +@@ -198,6 +215,7 @@ void sync_global_pgds(unsigned long start, unsigned long end) /* the pgt_lock only for Xen */ pgt_lock = &pgd_page_get_mm(page)->page_table_lock; spin_lock(pgt_lock); @@ -28665,7 +30459,7 @@ index 474e28f..f016b6e 100644 if (pgd_none(*pgd)) set_pgd(pgd, *pgd_ref); -@@ -204,7 +215,10 @@ void sync_global_pgds(unsigned long start, unsigned long end) +@@ -205,7 +223,10 @@ void sync_global_pgds(unsigned long start, unsigned long end) BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref)); @@ -28676,7 +30470,7 @@ index 474e28f..f016b6e 100644 } spin_unlock(&pgd_lock); } -@@ -237,7 +251,7 @@ static pud_t *fill_pud(pgd_t *pgd, unsigned long vaddr) +@@ -238,7 +259,7 @@ static pud_t *fill_pud(pgd_t *pgd, unsigned long vaddr) { if (pgd_none(*pgd)) { pud_t *pud = (pud_t *)spp_getpage(); @@ -28685,7 +30479,7 @@ index 474e28f..f016b6e 100644 if (pud != pud_offset(pgd, 0)) printk(KERN_ERR "PAGETABLE BUG #00! %p <-> %p\n", pud, pud_offset(pgd, 0)); -@@ -249,7 +263,7 @@ static pmd_t *fill_pmd(pud_t *pud, unsigned long vaddr) +@@ -250,7 +271,7 @@ static pmd_t *fill_pmd(pud_t *pud, unsigned long vaddr) { if (pud_none(*pud)) { pmd_t *pmd = (pmd_t *) spp_getpage(); @@ -28694,7 +30488,7 @@ index 474e28f..f016b6e 100644 if (pmd != pmd_offset(pud, 0)) printk(KERN_ERR "PAGETABLE BUG #01! %p <-> %p\n", pmd, pmd_offset(pud, 0)); -@@ -278,7 +292,9 @@ void set_pte_vaddr_pud(pud_t *pud_page, unsigned long vaddr, pte_t new_pte) +@@ -279,7 +300,9 @@ void set_pte_vaddr_pud(pud_t *pud_page, unsigned long vaddr, pte_t new_pte) pmd = fill_pmd(pud, vaddr); pte = fill_pte(pmd, vaddr); @@ -28704,7 +30498,7 @@ index 474e28f..f016b6e 100644 /* * It's enough to flush this one mapping. -@@ -337,14 +353,12 @@ static void __init __init_extra_mapping(unsigned long phys, unsigned long size, +@@ -338,14 +361,12 @@ static void __init __init_extra_mapping(unsigned long phys, unsigned long size, pgd = pgd_offset_k((unsigned long)__va(phys)); if (pgd_none(*pgd)) { pud = (pud_t *) spp_getpage(); @@ -28721,7 +30515,7 @@ index 474e28f..f016b6e 100644 } pmd = pmd_offset(pud, phys); BUG_ON(!pmd_none(*pmd)); -@@ -585,7 +599,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end, +@@ -586,7 +607,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end, prot); spin_lock(&init_mm.page_table_lock); @@ -28730,7 +30524,7 @@ index 474e28f..f016b6e 100644 spin_unlock(&init_mm.page_table_lock); } __flush_tlb_all(); -@@ -626,7 +640,7 @@ kernel_physical_mapping_init(unsigned long start, +@@ -627,7 +648,7 @@ kernel_physical_mapping_init(unsigned long start, page_size_mask); spin_lock(&init_mm.page_table_lock); @@ -28739,7 +30533,7 @@ index 474e28f..f016b6e 100644 spin_unlock(&init_mm.page_table_lock); pgd_changed = true; } -@@ -1224,8 +1238,8 @@ int kern_addr_valid(unsigned long addr) +@@ -1221,8 +1242,8 @@ int kern_addr_valid(unsigned long addr) static struct vm_area_struct gate_vma = { .vm_start = VSYSCALL_START, .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE), @@ -28750,7 +30544,7 @@ index 474e28f..f016b6e 100644 }; struct vm_area_struct *get_gate_vma(struct mm_struct *mm) -@@ -1259,7 +1273,7 @@ int in_gate_area_no_mm(unsigned long addr) +@@ -1256,7 +1277,7 @@ int in_gate_area_no_mm(unsigned long addr) const char *arch_vma_name(struct vm_area_struct *vma) { @@ -28760,7 +30554,7 @@ index 474e28f..f016b6e 100644 if (vma == &gate_vma) return "[vsyscall]"; diff --git a/arch/x86/mm/iomap_32.c b/arch/x86/mm/iomap_32.c -index 7b179b4..6bd1777 100644 +index 7b179b4..6bd17777 100644 --- a/arch/x86/mm/iomap_32.c +++ b/arch/x86/mm/iomap_32.c @@ -64,7 +64,11 @@ void *kmap_atomic_prot_pfn(unsigned long pfn, pgprot_t prot) @@ -28776,7 +30570,7 @@ index 7b179b4..6bd1777 100644 return (void *)vaddr; diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c -index 78fe3f1..73b95e2 100644 +index 9a1e658..da003f3 100644 --- a/arch/x86/mm/ioremap.c +++ b/arch/x86/mm/ioremap.c @@ -97,7 +97,7 @@ static void __iomem *__ioremap_caller(resource_size_t phys_addr, @@ -28797,7 +30591,7 @@ index 78fe3f1..73b95e2 100644 { struct vm_struct *p, *o; -@@ -315,6 +315,9 @@ void *xlate_dev_mem_ptr(unsigned long phys) +@@ -310,6 +310,9 @@ void *xlate_dev_mem_ptr(unsigned long phys) /* If page is RAM, we can use __va. Otherwise ioremap and unmap. */ if (page_is_ram(start >> PAGE_SHIFT)) @@ -28807,7 +30601,7 @@ index 78fe3f1..73b95e2 100644 return __va(phys); addr = (void __force *)ioremap_cache(start, PAGE_SIZE); -@@ -327,6 +330,9 @@ void *xlate_dev_mem_ptr(unsigned long phys) +@@ -322,6 +325,9 @@ void *xlate_dev_mem_ptr(unsigned long phys) void unxlate_dev_mem_ptr(unsigned long phys, void *addr) { if (page_is_ram(phys >> PAGE_SHIFT)) @@ -28817,7 +30611,7 @@ index 78fe3f1..73b95e2 100644 return; iounmap((void __iomem *)((unsigned long)addr & PAGE_MASK)); -@@ -344,7 +350,7 @@ static int __init early_ioremap_debug_setup(char *str) +@@ -339,7 +345,7 @@ static int __init early_ioremap_debug_setup(char *str) early_param("early_ioremap_debug", early_ioremap_debug_setup); static __initdata int after_paging_init; @@ -28826,7 +30620,7 @@ index 78fe3f1..73b95e2 100644 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr) { -@@ -381,8 +387,7 @@ void __init early_ioremap_init(void) +@@ -376,8 +382,7 @@ void __init early_ioremap_init(void) slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i); pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN)); @@ -28987,10 +30781,10 @@ index dc0b727..f612039 100644 might_sleep(); if (is_enabled()) /* recheck and proper locking in *_core() */ diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c -index 72fe01e..f1a8daa 100644 +index a71c4e2..301ae44 100644 --- a/arch/x86/mm/numa.c +++ b/arch/x86/mm/numa.c -@@ -477,7 +477,7 @@ static bool __init numa_meminfo_cover_memory(const struct numa_meminfo *mi) +@@ -474,7 +474,7 @@ static bool __init numa_meminfo_cover_memory(const struct numa_meminfo *mi) return true; } @@ -29000,7 +30794,7 @@ index 72fe01e..f1a8daa 100644 unsigned long uninitialized_var(pfn_align); int i, nid; diff --git a/arch/x86/mm/pageattr-test.c b/arch/x86/mm/pageattr-test.c -index 0e38951..4ca8458 100644 +index d0b1773..4c3327c 100644 --- a/arch/x86/mm/pageattr-test.c +++ b/arch/x86/mm/pageattr-test.c @@ -36,7 +36,7 @@ enum { @@ -29013,7 +30807,7 @@ index 0e38951..4ca8458 100644 struct split_state { diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c -index fb4e73e..43f7238 100644 +index bb32480..75f2f5e 100644 --- a/arch/x86/mm/pageattr.c +++ b/arch/x86/mm/pageattr.c @@ -261,7 +261,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address, @@ -29078,7 +30872,7 @@ index fb4e73e..43f7238 100644 +#ifdef CONFIG_PAX_PER_CPU_PGD + for (cpu = 0; cpu < nr_cpu_ids; ++cpu) { -+ pgd_t *pgd = get_cpu_pgd(cpu); ++ pgd_t *pgd = get_cpu_pgd(cpu, kernel); +#else list_for_each_entry(page, &pgd_list, lru) { - pgd_t *pgd; @@ -29151,6 +30945,19 @@ index 6574388..87e9bef 100644 cattr_name(want_flags), (unsigned long long)paddr, (unsigned long long)(paddr + size - 1), +diff --git a/arch/x86/mm/pat_rbtree.c b/arch/x86/mm/pat_rbtree.c +index 415f6c4..d319983 100644 +--- a/arch/x86/mm/pat_rbtree.c ++++ b/arch/x86/mm/pat_rbtree.c +@@ -160,7 +160,7 @@ success: + + failure: + printk(KERN_INFO "%s:%d conflicting memory types " +- "%Lx-%Lx %s<->%s\n", current->comm, current->pid, start, ++ "%Lx-%Lx %s<->%s\n", current->comm, task_pid_nr(current), start, + end, cattr_name(found_type), cattr_name(match->type)); + return -EBUSY; + } diff --git a/arch/x86/mm/pf_in.c b/arch/x86/mm/pf_in.c index 9f0614d..92ae64a 100644 --- a/arch/x86/mm/pf_in.c @@ -29201,10 +31008,10 @@ index 9f0614d..92ae64a 100644 p += get_opcode(p, &opcode); for (i = 0; i < ARRAY_SIZE(imm_wop); i++) diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c -index 17fda6a..489c74a 100644 +index 17fda6a..f7d54a0 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c -@@ -91,10 +91,64 @@ static inline void pgd_list_del(pgd_t *pgd) +@@ -91,10 +91,67 @@ static inline void pgd_list_del(pgd_t *pgd) list_del(&page->lru); } @@ -29216,6 +31023,9 @@ index 17fda6a..489c74a 100644 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src) +{ + unsigned int count = USER_PGD_PTRS; + ++ if (!pax_user_shadow_base) ++ return; + + while (count--) + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER); @@ -29229,7 +31039,7 @@ index 17fda6a..489c74a 100644 + + while (count--) { + pgd_t pgd; - ++ +#ifdef CONFIG_X86_64 + pgd = __pgd(pgd_val(*src++) | _PAGE_USER); +#else @@ -29271,7 +31081,7 @@ index 17fda6a..489c74a 100644 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm) { BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm)); -@@ -135,6 +189,7 @@ static void pgd_dtor(pgd_t *pgd) +@@ -135,6 +192,7 @@ static void pgd_dtor(pgd_t *pgd) pgd_list_del(pgd); spin_unlock(&pgd_lock); } @@ -29279,7 +31089,7 @@ index 17fda6a..489c74a 100644 /* * List of all pgd's needed for non-PAE so it can invalidate entries -@@ -147,7 +202,7 @@ static void pgd_dtor(pgd_t *pgd) +@@ -147,7 +205,7 @@ static void pgd_dtor(pgd_t *pgd) * -- nyc */ @@ -29288,7 +31098,7 @@ index 17fda6a..489c74a 100644 /* * In PAE mode, we need to do a cr3 reload (=tlb flush) when * updating the top-level pagetable entries to guarantee the -@@ -159,7 +214,7 @@ static void pgd_dtor(pgd_t *pgd) +@@ -159,7 +217,7 @@ static void pgd_dtor(pgd_t *pgd) * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate * and initialize the kernel pmds here. */ @@ -29297,7 +31107,7 @@ index 17fda6a..489c74a 100644 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd) { -@@ -177,36 +232,38 @@ void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd) +@@ -177,36 +235,38 @@ void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd) */ flush_tlb_mm(mm); } @@ -29347,7 +31157,7 @@ index 17fda6a..489c74a 100644 return -ENOMEM; } -@@ -219,51 +276,55 @@ static int preallocate_pmds(pmd_t *pmds[]) +@@ -219,51 +279,55 @@ static int preallocate_pmds(pmd_t *pmds[]) * preallocate which never got a corresponding vma will need to be * freed manually. */ @@ -29420,7 +31230,7 @@ index 17fda6a..489c74a 100644 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP); -@@ -272,11 +333,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm) +@@ -272,11 +336,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm) mm->pgd = pgd; @@ -29434,7 +31244,7 @@ index 17fda6a..489c74a 100644 /* * Make sure that pre-populating the pmds is atomic with -@@ -286,14 +347,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm) +@@ -286,14 +350,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm) spin_lock(&pgd_lock); pgd_ctor(mm, pgd); @@ -29452,7 +31262,7 @@ index 17fda6a..489c74a 100644 out_free_pgd: free_page((unsigned long)pgd); out: -@@ -302,7 +363,7 @@ out: +@@ -302,7 +366,7 @@ out: void pgd_free(struct mm_struct *mm, pgd_t *pgd) { @@ -29550,6 +31360,49 @@ index 282375f..e03a98f 100644 } } EXPORT_SYMBOL_GPL(leave_mm); +diff --git a/arch/x86/mm/uderef_64.c b/arch/x86/mm/uderef_64.c +new file mode 100644 +index 0000000..dace51c +--- /dev/null ++++ b/arch/x86/mm/uderef_64.c +@@ -0,0 +1,37 @@ ++#include <linux/mm.h> ++#include <asm/pgtable.h> ++#include <asm/uaccess.h> ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++/* PaX: due to the special call convention these functions must ++ * - remain leaf functions under all configurations, ++ * - never be called directly, only dereferenced from the wrappers. ++ */ ++void __pax_open_userland(void) ++{ ++ unsigned int cpu; ++ ++ if (unlikely(!segment_eq(get_fs(), USER_DS))) ++ return; ++ ++ cpu = raw_get_cpu(); ++ BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_KERNEL); ++ write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH); ++ raw_put_cpu_no_resched(); ++} ++EXPORT_SYMBOL(__pax_open_userland); ++ ++void __pax_close_userland(void) ++{ ++ unsigned int cpu; ++ ++ if (unlikely(!segment_eq(get_fs(), USER_DS))) ++ return; ++ ++ cpu = raw_get_cpu(); ++ BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_USER); ++ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH); ++ raw_put_cpu_no_resched(); ++} ++EXPORT_SYMBOL(__pax_close_userland); ++#endif diff --git a/arch/x86/net/bpf_jit.S b/arch/x86/net/bpf_jit.S index 877b9a1..a8ecf42 100644 --- a/arch/x86/net/bpf_jit.S @@ -29664,7 +31517,7 @@ index 877b9a1..a8ecf42 100644 + pax_force_retaddr ret diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c -index 3cbe4538..003d011 100644 +index f66b540..3e88dfb 100644 --- a/arch/x86/net/bpf_jit_comp.c +++ b/arch/x86/net/bpf_jit_comp.c @@ -12,6 +12,7 @@ @@ -29936,9 +31789,9 @@ index 3cbe4538..003d011 100644 } oldproglen = proglen; } -@@ -737,7 +856,10 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; +@@ -732,7 +851,10 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; + if (image) { bpf_flush_icache(image, image + proglen); - fp->bpf_func = (void *)image; - } + } else @@ -29948,7 +31801,7 @@ index 3cbe4538..003d011 100644 out: kfree(addrs); return; -@@ -745,18 +867,20 @@ out: +@@ -740,18 +862,20 @@ out: static void jit_free_defer(struct work_struct *arg) { @@ -30462,7 +32315,7 @@ index c77b24a..c979855 100644 } EXPORT_SYMBOL(pcibios_set_irq_routing); diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c -index 40e4469..0592924 100644 +index 40e4469..d915bf9 100644 --- a/arch/x86/platform/efi/efi_32.c +++ b/arch/x86/platform/efi/efi_32.c @@ -44,11 +44,22 @@ void efi_call_phys_prelog(void) @@ -30505,7 +32358,7 @@ index 40e4469..0592924 100644 load_gdt(&gdt_descr); +#ifdef CONFIG_PAX_PER_CPU_PGD -+ load_cr3(get_cpu_pgd(smp_processor_id())); ++ load_cr3(get_cpu_pgd(smp_processor_id(), kernel)); +#else load_cr3(swapper_pg_dir); +#endif @@ -30514,10 +32367,10 @@ index 40e4469..0592924 100644 local_irq_restore(efi_rt_eflags); diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c -index 2b20038..eaf558f 100644 +index 39a0e7f1..872396e 100644 --- a/arch/x86/platform/efi/efi_64.c +++ b/arch/x86/platform/efi/efi_64.c -@@ -75,6 +75,11 @@ void __init efi_call_phys_prelog(void) +@@ -76,6 +76,11 @@ void __init efi_call_phys_prelog(void) vaddress = (unsigned long)__va(pgd * PGDIR_SIZE); set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), *pgd_offset_k(vaddress)); } @@ -30529,13 +32382,13 @@ index 2b20038..eaf558f 100644 __flush_tlb_all(); } -@@ -88,6 +93,11 @@ void __init efi_call_phys_epilog(void) +@@ -89,6 +94,11 @@ void __init efi_call_phys_epilog(void) for (pgd = 0; pgd < n_pgds; pgd++) set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), save_pgd[pgd]); kfree(save_pgd); + +#ifdef CONFIG_PAX_PER_CPU_PGD -+ load_cr3(get_cpu_pgd(smp_processor_id())); ++ load_cr3(get_cpu_pgd(smp_processor_id(), kernel)); +#endif + __flush_tlb_all(); @@ -30738,7 +32591,7 @@ index 4c07cca..2c8427d 100644 ret ENDPROC(efi_call6) diff --git a/arch/x86/platform/mrst/mrst.c b/arch/x86/platform/mrst/mrst.c -index e31bcd8..f12dc46 100644 +index a0a0a43..a48e233 100644 --- a/arch/x86/platform/mrst/mrst.c +++ b/arch/x86/platform/mrst/mrst.c @@ -78,13 +78,15 @@ struct sfi_rtc_table_entry sfi_mrtc_array[SFI_MRTC_MAX]; @@ -30773,23 +32626,30 @@ index d6ee929..3637cb5 100644 .getproplen = olpc_dt_getproplen, .getproperty = olpc_dt_getproperty, diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c -index 3c68768..07e82b8 100644 +index 1cf5b30..fd45732 100644 --- a/arch/x86/power/cpu.c +++ b/arch/x86/power/cpu.c -@@ -134,7 +134,7 @@ static void do_fpu_end(void) +@@ -137,11 +137,8 @@ static void do_fpu_end(void) static void fix_processor_context(void) { int cpu = smp_processor_id(); - struct tss_struct *t = &per_cpu(init_tss, cpu); +-#ifdef CONFIG_X86_64 +- struct desc_struct *desc = get_cpu_gdt_table(cpu); +- tss_desc tss; +-#endif + struct tss_struct *t = init_tss + cpu; - ++ set_tss_desc(cpu, t); /* * This just modifies memory; should not be -@@ -144,8 +144,6 @@ static void fix_processor_context(void) + * necessary. But... This is necessary, because +@@ -150,10 +147,6 @@ static void fix_processor_context(void) */ #ifdef CONFIG_X86_64 -- get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9; +- memcpy(&tss, &desc[GDT_ENTRY_TSS], sizeof(tss_desc)); +- tss.type = 0x9; /* The available 64-bit TSS (see AMD vol 2, pg 91 */ +- write_gdt_entry(desc, GDT_ENTRY_TSS, &tss, DESC_TSS); - syscall_init(); /* This sets MSR_*STAR and related */ #endif @@ -30895,10 +32755,18 @@ index c1b2791..f9e31c7 100644 END(trampoline_header) diff --git a/arch/x86/realmode/rm/trampoline_64.S b/arch/x86/realmode/rm/trampoline_64.S -index bb360dc..3e5945f 100644 +index bb360dc..d0fd8f8 100644 --- a/arch/x86/realmode/rm/trampoline_64.S +++ b/arch/x86/realmode/rm/trampoline_64.S -@@ -107,7 +107,7 @@ ENTRY(startup_32) +@@ -94,6 +94,7 @@ ENTRY(startup_32) + movl %edx, %gs + + movl pa_tr_cr4, %eax ++ andl $~X86_CR4_PCIDE, %eax + movl %eax, %cr4 # Enable PAE mode + + # Setup trampoline 4 level pagetables +@@ -107,7 +108,7 @@ ENTRY(startup_32) wrmsr # Enable paging and in turn activate Long Mode @@ -30907,25 +32775,40 @@ index bb360dc..3e5945f 100644 movl %eax, %cr0 /* +diff --git a/arch/x86/tools/Makefile b/arch/x86/tools/Makefile +index e812034..c747134 100644 +--- a/arch/x86/tools/Makefile ++++ b/arch/x86/tools/Makefile +@@ -37,7 +37,7 @@ $(obj)/test_get_len.o: $(srctree)/arch/x86/lib/insn.c $(srctree)/arch/x86/lib/in + + $(obj)/insn_sanity.o: $(srctree)/arch/x86/lib/insn.c $(srctree)/arch/x86/lib/inat.c $(srctree)/arch/x86/include/asm/inat_types.h $(srctree)/arch/x86/include/asm/inat.h $(srctree)/arch/x86/include/asm/insn.h $(objtree)/arch/x86/lib/inat-tables.c + +-HOST_EXTRACFLAGS += -I$(srctree)/tools/include ++HOST_EXTRACFLAGS += -I$(srctree)/tools/include -ggdb + hostprogs-y += relocs + relocs-objs := relocs_32.o relocs_64.o relocs_common.o + relocs: $(obj)/relocs diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c -index 79d67bd..c7e1b90 100644 +index f7bab68..b6d9886 100644 --- a/arch/x86/tools/relocs.c +++ b/arch/x86/tools/relocs.c -@@ -12,10 +12,13 @@ - #include <regex.h> - #include <tools/le_byteshift.h> +@@ -1,5 +1,7 @@ + /* This is included from relocs_32/64.c */ +#include "../../../include/generated/autoconf.h" + - static void die(char *fmt, ...); + #define ElfW(type) _ElfW(ELF_BITS, type) + #define _ElfW(bits, type) __ElfW(bits, type) + #define __ElfW(bits, type) Elf##bits##_##type +@@ -11,6 +13,7 @@ + #define Elf_Sym ElfW(Sym) + + static Elf_Ehdr ehdr; ++static Elf_Phdr *phdr; - #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) - static Elf32_Ehdr ehdr; -+static Elf32_Phdr *phdr; - static unsigned long reloc_count, reloc_idx; - static unsigned long *relocs; - static unsigned long reloc16_count, reloc16_idx; -@@ -330,9 +333,39 @@ static void read_ehdr(FILE *fp) + struct relocs { + uint32_t *offset; +@@ -383,9 +386,39 @@ static void read_ehdr(FILE *fp) } } @@ -30933,7 +32816,7 @@ index 79d67bd..c7e1b90 100644 +{ + unsigned int i; + -+ phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr)); ++ phdr = calloc(ehdr.e_phnum, sizeof(Elf_Phdr)); + if (!phdr) { + die("Unable to allocate %d program headers\n", + ehdr.e_phnum); @@ -30947,14 +32830,14 @@ index 79d67bd..c7e1b90 100644 + strerror(errno)); + } + for(i = 0; i < ehdr.e_phnum; i++) { -+ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type); -+ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset); -+ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr); -+ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr); -+ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz); -+ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz); -+ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags); -+ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align); ++ phdr[i].p_type = elf_word_to_cpu(phdr[i].p_type); ++ phdr[i].p_offset = elf_off_to_cpu(phdr[i].p_offset); ++ phdr[i].p_vaddr = elf_addr_to_cpu(phdr[i].p_vaddr); ++ phdr[i].p_paddr = elf_addr_to_cpu(phdr[i].p_paddr); ++ phdr[i].p_filesz = elf_word_to_cpu(phdr[i].p_filesz); ++ phdr[i].p_memsz = elf_word_to_cpu(phdr[i].p_memsz); ++ phdr[i].p_flags = elf_word_to_cpu(phdr[i].p_flags); ++ phdr[i].p_align = elf_word_to_cpu(phdr[i].p_align); + } + +} @@ -30963,10 +32846,10 @@ index 79d67bd..c7e1b90 100644 { - int i; + unsigned int i; - Elf32_Shdr shdr; + Elf_Shdr shdr; secs = calloc(ehdr.e_shnum, sizeof(struct section)); -@@ -367,7 +400,7 @@ static void read_shdrs(FILE *fp) +@@ -420,7 +453,7 @@ static void read_shdrs(FILE *fp) static void read_strtabs(FILE *fp) { @@ -30975,7 +32858,7 @@ index 79d67bd..c7e1b90 100644 for (i = 0; i < ehdr.e_shnum; i++) { struct section *sec = &secs[i]; if (sec->shdr.sh_type != SHT_STRTAB) { -@@ -392,7 +425,7 @@ static void read_strtabs(FILE *fp) +@@ -445,7 +478,7 @@ static void read_strtabs(FILE *fp) static void read_symtabs(FILE *fp) { @@ -30984,7 +32867,7 @@ index 79d67bd..c7e1b90 100644 for (i = 0; i < ehdr.e_shnum; i++) { struct section *sec = &secs[i]; if (sec->shdr.sh_type != SHT_SYMTAB) { -@@ -423,9 +456,11 @@ static void read_symtabs(FILE *fp) +@@ -476,9 +509,11 @@ static void read_symtabs(FILE *fp) } @@ -30997,8 +32880,8 @@ index 79d67bd..c7e1b90 100644 + for (i = 0; i < ehdr.e_shnum; i++) { struct section *sec = &secs[i]; - if (sec->shdr.sh_type != SHT_REL) { -@@ -445,9 +480,22 @@ static void read_relocs(FILE *fp) + if (sec->shdr.sh_type != SHT_REL_TYPE) { +@@ -498,9 +533,22 @@ static void read_relocs(FILE *fp) die("Cannot read symbol table: %s\n", strerror(errno)); } @@ -31015,21 +32898,23 @@ index 79d67bd..c7e1b90 100644 + } +#endif + - for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) { - Elf32_Rel *rel = &sec->reltab[j]; -- rel->r_offset = elf32_to_cpu(rel->r_offset); -+ rel->r_offset = elf32_to_cpu(rel->r_offset) + base; - rel->r_info = elf32_to_cpu(rel->r_info); - } - } -@@ -456,13 +504,13 @@ static void read_relocs(FILE *fp) + for (j = 0; j < sec->shdr.sh_size/sizeof(Elf_Rel); j++) { + Elf_Rel *rel = &sec->reltab[j]; +- rel->r_offset = elf_addr_to_cpu(rel->r_offset); ++ rel->r_offset = elf_addr_to_cpu(rel->r_offset) + base; + rel->r_info = elf_xword_to_cpu(rel->r_info); + #if (SHT_REL_TYPE == SHT_RELA) + rel->r_addend = elf_xword_to_cpu(rel->r_addend); +@@ -512,7 +560,7 @@ static void read_relocs(FILE *fp) static void print_absolute_symbols(void) { - int i; + unsigned int i; - printf("Absolute symbols\n"); - printf(" Num: Value Size Type Bind Visibility Name\n"); + const char *format; + + if (ELF_BITS == 64) +@@ -525,7 +573,7 @@ static void print_absolute_symbols(void) for (i = 0; i < ehdr.e_shnum; i++) { struct section *sec = &secs[i]; char *sym_strtab; @@ -31038,76 +32923,76 @@ index 79d67bd..c7e1b90 100644 if (sec->shdr.sh_type != SHT_SYMTAB) { continue; -@@ -489,14 +537,14 @@ static void print_absolute_symbols(void) +@@ -552,7 +600,7 @@ static void print_absolute_symbols(void) static void print_absolute_relocs(void) { - int i, printed = 0; + unsigned int i, printed = 0; + const char *format; - for (i = 0; i < ehdr.e_shnum; i++) { - struct section *sec = &secs[i]; + if (ELF_BITS == 64) +@@ -565,7 +613,7 @@ static void print_absolute_relocs(void) struct section *sec_applies, *sec_symtab; char *sym_strtab; - Elf32_Sym *sh_symtab; + Elf_Sym *sh_symtab; - int j; + unsigned int j; - if (sec->shdr.sh_type != SHT_REL) { + if (sec->shdr.sh_type != SHT_REL_TYPE) { continue; } -@@ -558,13 +606,13 @@ static void print_absolute_relocs(void) - static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym), - int use_real_mode) +@@ -642,13 +690,13 @@ static void add_reloc(struct relocs *r, uint32_t offset) + static void walk_relocs(int (*process)(struct section *sec, Elf_Rel *rel, + Elf_Sym *sym, const char *symname)) { - int i; + unsigned int i; /* Walk through the relocations */ for (i = 0; i < ehdr.e_shnum; i++) { char *sym_strtab; - Elf32_Sym *sh_symtab; + Elf_Sym *sh_symtab; struct section *sec_applies, *sec_symtab; - int j; + unsigned int j; struct section *sec = &secs[i]; - if (sec->shdr.sh_type != SHT_REL) { -@@ -588,6 +636,24 @@ static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym), - sym = &sh_symtab[ELF32_R_SYM(rel->r_info)]; - r_type = ELF32_R_TYPE(rel->r_info); - -+ if (!use_real_mode) { -+ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */ -+ if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load")) -+ continue; + if (sec->shdr.sh_type != SHT_REL_TYPE) { +@@ -812,6 +860,23 @@ static int do_reloc32(struct section *sec, Elf_Rel *rel, Elf_Sym *sym, + { + unsigned r_type = ELF32_R_TYPE(rel->r_info); + int shn_abs = (sym->st_shndx == SHN_ABS) && !is_reloc(S_REL, symname); ++ char *sym_strtab = sec->link->link->strtab; + -+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32) -+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */ -+ if (!strcmp(sec_name(sym->st_shndx), ".text.end") && !strcmp(sym_name(sym_strtab, sym), "_etext")) -+ continue; -+ if (!strcmp(sec_name(sym->st_shndx), ".init.text")) -+ continue; -+ if (!strcmp(sec_name(sym->st_shndx), ".exit.text")) -+ continue; -+ if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR")) -+ continue; -+#endif -+ } ++ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */ ++ if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load")) ++ return 0; + - shn_abs = sym->st_shndx == SHN_ABS; ++#ifdef CONFIG_PAX_KERNEXEC ++ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */ ++ if (!strcmp(sec_name(sym->st_shndx), ".text.end") && !strcmp(sym_name(sym_strtab, sym), "_etext")) ++ return 0; ++ if (!strcmp(sec_name(sym->st_shndx), ".init.text")) ++ return 0; ++ if (!strcmp(sec_name(sym->st_shndx), ".exit.text")) ++ return 0; ++ if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR")) ++ return 0; ++#endif - switch (r_type) { -@@ -681,7 +747,7 @@ static int write32(unsigned int v, FILE *f) + switch (r_type) { + case R_386_NONE: +@@ -950,7 +1015,7 @@ static int write32_as_text(uint32_t v, FILE *f) static void emit_relocs(int as_text, int use_real_mode) { - int i; + unsigned int i; - /* Count how many relocations I have and allocate space for them. */ - reloc_count = 0; - walk_relocs(count_reloc, use_real_mode); -@@ -808,10 +874,11 @@ int main(int argc, char **argv) - fname, strerror(errno)); - } + int (*write_reloc)(uint32_t, FILE *) = write32; + int (*do_reloc)(struct section *sec, Elf_Rel *rel, Elf_Sym *sym, + const char *symname); +@@ -1026,10 +1091,11 @@ void process(FILE *fp, int use_real_mode, int as_text, + { + regex_init(use_real_mode); read_ehdr(fp); + read_phdrs(fp); read_shdrs(fp); @@ -31115,9 +33000,22 @@ index 79d67bd..c7e1b90 100644 read_symtabs(fp); - read_relocs(fp); + read_relocs(fp, use_real_mode); + if (ELF_BITS == 64) + percpu_init(); if (show_absolute_syms) { - print_absolute_symbols(); - goto out; +diff --git a/arch/x86/um/tls_32.c b/arch/x86/um/tls_32.c +index 80ffa5b..a33bd15 100644 +--- a/arch/x86/um/tls_32.c ++++ b/arch/x86/um/tls_32.c +@@ -260,7 +260,7 @@ out: + if (unlikely(task == current && + !t->arch.tls_array[idx - GDT_ENTRY_TLS_MIN].flushed)) { + printk(KERN_ERR "get_tls_entry: task with pid %d got here " +- "without flushed TLS.", current->pid); ++ "without flushed TLS.", task_pid_nr(current)); + } + + return 0; diff --git a/arch/x86/vdso/Makefile b/arch/x86/vdso/Makefile index fd14be1..e3c79c0 100644 --- a/arch/x86/vdso/Makefile @@ -31291,10 +33189,10 @@ index 431e875..cbb23f3 100644 -} -__setup("vdso=", vdso_setup); diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index cf95e19..17e9f50 100644 +index a492be2..08678da 100644 --- a/arch/x86/xen/enlighten.c +++ b/arch/x86/xen/enlighten.c -@@ -100,8 +100,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); +@@ -123,8 +123,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); struct shared_info xen_dummy_shared_info; @@ -31303,7 +33201,7 @@ index cf95e19..17e9f50 100644 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE); __read_mostly int xen_have_vector_callback; EXPORT_SYMBOL_GPL(xen_have_vector_callback); -@@ -511,8 +509,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr) +@@ -542,8 +540,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr) { unsigned long va = dtr->address; unsigned int size = dtr->size + 1; @@ -31313,7 +33211,7 @@ index cf95e19..17e9f50 100644 int f; /* -@@ -560,8 +557,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) +@@ -591,8 +588,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) { unsigned long va = dtr->address; unsigned int size = dtr->size + 1; @@ -31323,7 +33221,7 @@ index cf95e19..17e9f50 100644 int f; /* -@@ -569,7 +565,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) +@@ -600,7 +596,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) * 8-byte entries, or 16 4k pages.. */ @@ -31332,7 +33230,7 @@ index cf95e19..17e9f50 100644 BUG_ON(va & ~PAGE_MASK); for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) { -@@ -954,7 +950,7 @@ static u32 xen_safe_apic_wait_icr_idle(void) +@@ -985,7 +981,7 @@ static u32 xen_safe_apic_wait_icr_idle(void) return 0; } @@ -31341,7 +33239,7 @@ index cf95e19..17e9f50 100644 { apic->read = xen_apic_read; apic->write = xen_apic_write; -@@ -1260,30 +1256,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { +@@ -1290,30 +1286,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { #endif }; @@ -31379,7 +33277,7 @@ index cf95e19..17e9f50 100644 { if (pm_power_off) pm_power_off(); -@@ -1385,7 +1381,17 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1464,7 +1460,17 @@ asmlinkage void __init xen_start_kernel(void) __userpte_alloc_gfp &= ~__GFP_HIGHMEM; /* Work out if we support NX */ @@ -31398,7 +33296,7 @@ index cf95e19..17e9f50 100644 xen_setup_features(); -@@ -1416,13 +1422,6 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1495,13 +1501,6 @@ asmlinkage void __init xen_start_kernel(void) machine_ops = xen_machine_ops; @@ -31412,7 +33310,7 @@ index cf95e19..17e9f50 100644 xen_smp_init(); #ifdef CONFIG_ACPI_NUMA -@@ -1616,7 +1615,7 @@ static int __cpuinit xen_hvm_cpu_notify(struct notifier_block *self, +@@ -1700,7 +1699,7 @@ static int __cpuinit xen_hvm_cpu_notify(struct notifier_block *self, return NOTIFY_OK; } @@ -31422,7 +33320,7 @@ index cf95e19..17e9f50 100644 }; diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c -index e006c18..b9a7d6c 100644 +index fdc3ba2..3daee39 100644 --- a/arch/x86/xen/mmu.c +++ b/arch/x86/xen/mmu.c @@ -1894,6 +1894,9 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn) @@ -31448,7 +33346,7 @@ index e006c18..b9a7d6c 100644 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO); set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO); -@@ -2110,6 +2117,7 @@ static void __init xen_post_allocator_init(void) +@@ -2108,6 +2115,7 @@ static void __init xen_post_allocator_init(void) pv_mmu_ops.set_pud = xen_set_pud; #if PAGETABLE_LEVELS == 4 pv_mmu_ops.set_pgd = xen_set_pgd; @@ -31456,7 +33354,7 @@ index e006c18..b9a7d6c 100644 #endif /* This will work as long as patching hasn't happened yet -@@ -2188,6 +2196,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = { +@@ -2186,6 +2194,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = { .pud_val = PV_CALLEE_SAVE(xen_pud_val), .make_pud = PV_CALLEE_SAVE(xen_make_pud), .set_pgd = xen_set_pgd_hyper, @@ -31465,10 +33363,10 @@ index e006c18..b9a7d6c 100644 .alloc_pud = xen_alloc_pmd_init, .release_pud = xen_release_pmd_init, diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c -index 96c4e85..284fded 100644 +index d99cae8..18401e1 100644 --- a/arch/x86/xen/smp.c +++ b/arch/x86/xen/smp.c -@@ -230,11 +230,6 @@ static void __init xen_smp_prepare_boot_cpu(void) +@@ -240,11 +240,6 @@ static void __init xen_smp_prepare_boot_cpu(void) { BUG_ON(smp_processor_id() != 0); native_smp_prepare_boot_cpu(); @@ -31480,7 +33378,7 @@ index 96c4e85..284fded 100644 xen_filter_cpu_maps(); xen_setup_vcpu_info_placement(); } -@@ -304,7 +299,7 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle) +@@ -314,7 +309,7 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle) ctxt->user_regs.ss = __KERNEL_DS; #ifdef CONFIG_X86_32 ctxt->user_regs.fs = __KERNEL_PERCPU; @@ -31489,7 +33387,7 @@ index 96c4e85..284fded 100644 #else ctxt->gs_base_kernel = per_cpu_offset(cpu); #endif -@@ -314,8 +309,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle) +@@ -324,8 +319,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle) { ctxt->user_regs.eflags = 0x1000; /* IOPL_RING1 */ @@ -31500,7 +33398,7 @@ index 96c4e85..284fded 100644 xen_copy_trap_info(ctxt->trap_ctxt); -@@ -360,13 +355,12 @@ static int __cpuinit xen_cpu_up(unsigned int cpu, struct task_struct *idle) +@@ -370,13 +365,12 @@ static int __cpuinit xen_cpu_up(unsigned int cpu, struct task_struct *idle) int rc; per_cpu(current_task, cpu) = idle; @@ -31516,7 +33414,7 @@ index 96c4e85..284fded 100644 #endif xen_setup_runstate_info(cpu); xen_setup_timer(cpu); -@@ -642,7 +636,7 @@ static const struct smp_ops xen_smp_ops __initconst = { +@@ -651,7 +645,7 @@ static const struct smp_ops xen_smp_ops __initconst = { void __init xen_smp_init(void) { @@ -31647,7 +33545,7 @@ index af00795..2bb8105 100644 #define XCHAL_ICACHE_SIZE 32768 /* I-cache size in bytes or 0 */ #define XCHAL_DCACHE_SIZE 32768 /* D-cache size in bytes or 0 */ diff --git a/block/blk-iopoll.c b/block/blk-iopoll.c -index 58916af..eb9dbcf 100644 +index 58916af..eb9dbcf6 100644 --- a/block/blk-iopoll.c +++ b/block/blk-iopoll.c @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopoll *iopoll) @@ -31748,7 +33646,7 @@ index 7c668c8..db3521c 100644 err = -EFAULT; goto out; diff --git a/block/genhd.c b/block/genhd.c -index 5098a64..d15a9e8 100644 +index cdeb527..10aa34db 100644 --- a/block/genhd.c +++ b/block/genhd.c @@ -467,21 +467,24 @@ static char *bdevt_str(dev_t devt, char *buf) @@ -31780,33 +33678,35 @@ index 5098a64..d15a9e8 100644 EXPORT_SYMBOL(blk_unregister_region); diff --git a/block/partitions/efi.c b/block/partitions/efi.c -index ff5804e..a88acad 100644 +index c85fc89..51e690b 100644 --- a/block/partitions/efi.c +++ b/block/partitions/efi.c @@ -234,14 +234,14 @@ static gpt_entry *alloc_read_gpt_entries(struct parsed_partitions *state, if (!gpt) return NULL; -- count = le32_to_cpu(gpt->num_partition_entries) * -- le32_to_cpu(gpt->sizeof_partition_entry); -- if (!count) + if (!le32_to_cpu(gpt->num_partition_entries)) - return NULL; -- pte = kzalloc(count, GFP_KERNEL); ++ return NULL; + pte = kcalloc(le32_to_cpu(gpt->num_partition_entries), le32_to_cpu(gpt->sizeof_partition_entry), GFP_KERNEL); - if (!pte) - return NULL; - -+ count = le32_to_cpu(gpt->num_partition_entries) * -+ le32_to_cpu(gpt->sizeof_partition_entry); ++ if (!pte) ++ return NULL; ++ + count = le32_to_cpu(gpt->num_partition_entries) * + le32_to_cpu(gpt->sizeof_partition_entry); +- if (!count) +- return NULL; +- pte = kmalloc(count, GFP_KERNEL); +- if (!pte) +- return NULL; +- if (read_lba(state, le64_to_cpu(gpt->partition_entry_lba), (u8 *) pte, count) < count) { diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c -index 9a87daa..fb17486 100644 +index a5ffcc9..3cedc9c 100644 --- a/block/scsi_ioctl.c +++ b/block/scsi_ioctl.c -@@ -223,8 +223,20 @@ EXPORT_SYMBOL(blk_verify_command); +@@ -224,8 +224,20 @@ EXPORT_SYMBOL(blk_verify_command); static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq, struct sg_io_hdr *hdr, fmode_t mode) { @@ -31828,7 +33728,7 @@ index 9a87daa..fb17486 100644 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE)) return -EPERM; -@@ -433,6 +445,8 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode, +@@ -434,6 +446,8 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode, int err; unsigned int in_len, out_len, bytes, opcode, cmdlen; char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE]; @@ -31837,7 +33737,7 @@ index 9a87daa..fb17486 100644 if (!sic) return -EINVAL; -@@ -466,9 +480,18 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode, +@@ -467,9 +481,18 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode, */ err = -EFAULT; rq->cmd_len = cmdlen; @@ -31917,7 +33817,7 @@ index f220d64..d359ad6 100644 struct apei_exec_context { u32 ip; diff --git a/drivers/acpi/apei/cper.c b/drivers/acpi/apei/cper.c -index fefc2ca..12a535d 100644 +index 33dc6a0..4b24b47 100644 --- a/drivers/acpi/apei/cper.c +++ b/drivers/acpi/apei/cper.c @@ -39,12 +39,12 @@ @@ -32030,10 +33930,10 @@ index 7586544..636a2f0 100644 if (err) return err; diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c -index ee255c6..747c68b 100644 +index eb133c7..f571552 100644 --- a/drivers/acpi/processor_idle.c +++ b/drivers/acpi/processor_idle.c -@@ -986,7 +986,7 @@ static int acpi_processor_setup_cpuidle_states(struct acpi_processor *pr) +@@ -994,7 +994,7 @@ static int acpi_processor_setup_cpuidle_states(struct acpi_processor *pr) { int i, count = CPUIDLE_DRIVER_STATE_START; struct acpi_processor_cx *cx; @@ -32043,10 +33943,10 @@ index ee255c6..747c68b 100644 if (!pr->flags.power_setup_done) diff --git a/drivers/acpi/sysfs.c b/drivers/acpi/sysfs.c -index 41c0504..f8c0836 100644 +index fcae5fa..e9f71ea 100644 --- a/drivers/acpi/sysfs.c +++ b/drivers/acpi/sysfs.c -@@ -420,11 +420,11 @@ static u32 num_counters; +@@ -423,11 +423,11 @@ static u32 num_counters; static struct attribute **all_attrs; static u32 acpi_gpe_count; @@ -32061,7 +33961,7 @@ index 41c0504..f8c0836 100644 static void delete_gpe_attr_array(void) { diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c -index 09f6047..3b3dab4 100644 +index 7b9bdd8..37638ca 100644 --- a/drivers/ata/libahci.c +++ b/drivers/ata/libahci.c @@ -1230,7 +1230,7 @@ int ahci_kick_engine(struct ata_port *ap) @@ -32074,7 +33974,7 @@ index 09f6047..3b3dab4 100644 unsigned long timeout_msec) { diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c -index 8038ee3..a19a6e6 100644 +index adf002a..39bb8f9 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -4792,7 +4792,7 @@ void ata_qc_free(struct ata_queued_cmd *qc) @@ -32115,20 +34015,20 @@ index 8038ee3..a19a6e6 100644 } diff --git a/drivers/ata/pata_arasan_cf.c b/drivers/ata/pata_arasan_cf.c -index 405022d..fb70e53 100644 +index 7638121..357a965 100644 --- a/drivers/ata/pata_arasan_cf.c +++ b/drivers/ata/pata_arasan_cf.c -@@ -864,7 +864,9 @@ static int arasan_cf_probe(struct platform_device *pdev) +@@ -865,7 +865,9 @@ static int arasan_cf_probe(struct platform_device *pdev) /* Handle platform specific quirks */ - if (pdata->quirk) { - if (pdata->quirk & CF_BROKEN_PIO) { + if (quirk) { + if (quirk & CF_BROKEN_PIO) { - ap->ops->set_piomode = NULL; + pax_open_kernel(); + *(void **)&ap->ops->set_piomode = NULL; + pax_close_kernel(); ap->pio_mask = 0; } - if (pdata->quirk & CF_BROKEN_MWDMA) + if (quirk & CF_BROKEN_MWDMA) diff --git a/drivers/atm/adummy.c b/drivers/atm/adummy.c index f9b983a..887b9d8 100644 --- a/drivers/atm/adummy.c @@ -32382,7 +34282,7 @@ index 204814e..cede831 100644 fore200e->tx_sat++; DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n", diff --git a/drivers/atm/he.c b/drivers/atm/he.c -index d689126..e78e412 100644 +index 507362a..a845e57 100644 --- a/drivers/atm/he.c +++ b/drivers/atm/he.c @@ -1698,7 +1698,7 @@ he_service_rbrq(struct he_dev *he_dev, int group) @@ -33139,7 +35039,7 @@ index d78b204..ecc1929 100644 fn(cont, dev, &ic->classdev); else diff --git a/drivers/base/bus.c b/drivers/base/bus.c -index 519865b..e540db3 100644 +index d414331..b4dd4ba 100644 --- a/drivers/base/bus.c +++ b/drivers/base/bus.c @@ -1163,7 +1163,7 @@ int subsys_interface_register(struct subsys_interface *sif) @@ -33161,10 +35061,10 @@ index 519865b..e540db3 100644 subsys_dev_iter_init(&iter, subsys, NULL, NULL); while ((dev = subsys_dev_iter_next(&iter))) diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c -index 01fc5b0..917801f 100644 +index 7413d06..79155fa 100644 --- a/drivers/base/devtmpfs.c +++ b/drivers/base/devtmpfs.c -@@ -348,7 +348,7 @@ int devtmpfs_mount(const char *mntdir) +@@ -354,7 +354,7 @@ int devtmpfs_mount(const char *mntdir) if (!thread) return 0; @@ -33173,7 +35073,7 @@ index 01fc5b0..917801f 100644 if (err) printk(KERN_INFO "devtmpfs: error mounting %i\n", err); else -@@ -373,11 +373,11 @@ static int devtmpfsd(void *p) +@@ -380,11 +380,11 @@ static int devtmpfsd(void *p) *err = sys_unshare(CLONE_NEWNS); if (*err) goto out; @@ -33189,10 +35089,10 @@ index 01fc5b0..917801f 100644 while (1) { spin_lock(&req_lock); diff --git a/drivers/base/node.c b/drivers/base/node.c -index fac124a..66bd4ab 100644 +index 7616a77c..8f57f51 100644 --- a/drivers/base/node.c +++ b/drivers/base/node.c -@@ -625,7 +625,7 @@ static ssize_t print_nodes_state(enum node_states state, char *buf) +@@ -626,7 +626,7 @@ static ssize_t print_nodes_state(enum node_states state, char *buf) struct node_attr { struct device_attribute attr; enum node_states state; @@ -33202,7 +35102,7 @@ index fac124a..66bd4ab 100644 static ssize_t show_node_state(struct device *dev, struct device_attribute *attr, char *buf) diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c -index 9a6b05a..2fc8fb9 100644 +index 7072404..76dcebd 100644 --- a/drivers/base/power/domain.c +++ b/drivers/base/power/domain.c @@ -1850,7 +1850,7 @@ int pm_genpd_attach_cpuidle(struct generic_pm_domain *genpd, int state) @@ -33298,10 +35198,10 @@ index e8d11b6..7b1b36f 100644 } EXPORT_SYMBOL_GPL(unregister_syscore_ops); diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c -index dadea48..a1f3835 100644 +index 62b6c2c..4a11354 100644 --- a/drivers/block/cciss.c +++ b/drivers/block/cciss.c -@@ -1184,6 +1184,8 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode, +@@ -1189,6 +1189,8 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode, int err; u32 cp; @@ -33310,7 +35210,7 @@ index dadea48..a1f3835 100644 err = 0; err |= copy_from_user(&arg64.LUN_info, &arg32->LUN_info, -@@ -3005,7 +3007,7 @@ static void start_io(ctlr_info_t *h) +@@ -3010,7 +3012,7 @@ static void start_io(ctlr_info_t *h) while (!list_empty(&h->reqQ)) { c = list_entry(h->reqQ.next, CommandList_struct, list); /* can't do anything if fifo is full */ @@ -33319,7 +35219,7 @@ index dadea48..a1f3835 100644 dev_warn(&h->pdev->dev, "fifo full\n"); break; } -@@ -3015,7 +3017,7 @@ static void start_io(ctlr_info_t *h) +@@ -3020,7 +3022,7 @@ static void start_io(ctlr_info_t *h) h->Qdepth--; /* Tell the controller execute command */ @@ -33328,7 +35228,7 @@ index dadea48..a1f3835 100644 /* Put job onto the completed Q */ addQ(&h->cmpQ, c); -@@ -3441,17 +3443,17 @@ startio: +@@ -3446,17 +3448,17 @@ startio: static inline unsigned long get_next_completion(ctlr_info_t *h) { @@ -33349,7 +35249,7 @@ index dadea48..a1f3835 100644 (h->interrupts_enabled == 0)); } -@@ -3484,7 +3486,7 @@ static inline u32 next_command(ctlr_info_t *h) +@@ -3489,7 +3491,7 @@ static inline u32 next_command(ctlr_info_t *h) u32 a; if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant))) @@ -33358,7 +35258,7 @@ index dadea48..a1f3835 100644 if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) { a = *(h->reply_pool_head); /* Next cmd in ring buffer */ -@@ -4041,7 +4043,7 @@ static void cciss_put_controller_into_performant_mode(ctlr_info_t *h) +@@ -4046,7 +4048,7 @@ static void cciss_put_controller_into_performant_mode(ctlr_info_t *h) trans_support & CFGTBL_Trans_use_short_tags); /* Change the access methods to the performant access methods */ @@ -33367,7 +35267,7 @@ index dadea48..a1f3835 100644 h->transMethod = CFGTBL_Trans_Performant; return; -@@ -4310,7 +4312,7 @@ static int cciss_pci_init(ctlr_info_t *h) +@@ -4319,7 +4321,7 @@ static int cciss_pci_init(ctlr_info_t *h) if (prod_index < 0) return -ENODEV; h->product_name = products[prod_index].product_name; @@ -33376,7 +35276,7 @@ index dadea48..a1f3835 100644 if (cciss_board_disabled(h)) { dev_warn(&h->pdev->dev, "controller appears to be disabled\n"); -@@ -5032,7 +5034,7 @@ reinit_after_soft_reset: +@@ -5051,7 +5053,7 @@ reinit_after_soft_reset: } /* make sure the board interrupts are off */ @@ -33385,7 +35285,7 @@ index dadea48..a1f3835 100644 rc = cciss_request_irq(h, do_cciss_msix_intr, do_cciss_intx); if (rc) goto clean2; -@@ -5082,7 +5084,7 @@ reinit_after_soft_reset: +@@ -5101,7 +5103,7 @@ reinit_after_soft_reset: * fake ones to scoop up any residual completions. */ spin_lock_irqsave(&h->lock, flags); @@ -33394,7 +35294,7 @@ index dadea48..a1f3835 100644 spin_unlock_irqrestore(&h->lock, flags); free_irq(h->intr[h->intr_mode], h); rc = cciss_request_irq(h, cciss_msix_discard_completions, -@@ -5102,9 +5104,9 @@ reinit_after_soft_reset: +@@ -5121,9 +5123,9 @@ reinit_after_soft_reset: dev_info(&h->pdev->dev, "Board READY.\n"); dev_info(&h->pdev->dev, "Waiting for stale completions to drain.\n"); @@ -33406,7 +35306,7 @@ index dadea48..a1f3835 100644 rc = controller_reset_failed(h->cfgtable); if (rc) -@@ -5127,7 +5129,7 @@ reinit_after_soft_reset: +@@ -5146,7 +5148,7 @@ reinit_after_soft_reset: cciss_scsi_setup(h); /* Turn the interrupts on so we can service requests */ @@ -33415,7 +35315,7 @@ index dadea48..a1f3835 100644 /* Get the firmware version */ inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL); -@@ -5199,7 +5201,7 @@ static void cciss_shutdown(struct pci_dev *pdev) +@@ -5218,7 +5220,7 @@ static void cciss_shutdown(struct pci_dev *pdev) kfree(flush_buf); if (return_code != IO_OK) dev_warn(&h->pdev->dev, "Error flushing cache\n"); @@ -33438,7 +35338,7 @@ index 7fda30e..eb5dfe0 100644 /* queue and queue Info */ struct list_head reqQ; diff --git a/drivers/block/cpqarray.c b/drivers/block/cpqarray.c -index 3f08713..87d4b4a 100644 +index 639d26b..fd6ad1f 100644 --- a/drivers/block/cpqarray.c +++ b/drivers/block/cpqarray.c @@ -404,7 +404,7 @@ static int cpqarray_register_ctlr(int i, struct pci_dev *pdev) @@ -33477,7 +35377,7 @@ index 3f08713..87d4b4a 100644 hba[ctlr]->ctlr = ctlr; hba[ctlr]->board_id = board_id; hba[ctlr]->pci_dev = NULL; /* not PCI */ -@@ -980,7 +980,7 @@ static void start_io(ctlr_info_t *h) +@@ -978,7 +978,7 @@ static void start_io(ctlr_info_t *h) while((c = h->reqQ) != NULL) { /* Can't do anything if we're busy */ @@ -33486,7 +35386,7 @@ index 3f08713..87d4b4a 100644 return; /* Get the first entry from the request Q */ -@@ -988,7 +988,7 @@ static void start_io(ctlr_info_t *h) +@@ -986,7 +986,7 @@ static void start_io(ctlr_info_t *h) h->Qdepth--; /* Tell the controller to do our bidding */ @@ -33495,7 +35395,7 @@ index 3f08713..87d4b4a 100644 /* Get onto the completion Q */ addQ(&h->cmpQ, c); -@@ -1050,7 +1050,7 @@ static irqreturn_t do_ida_intr(int irq, void *dev_id) +@@ -1048,7 +1048,7 @@ static irqreturn_t do_ida_intr(int irq, void *dev_id) unsigned long flags; __u32 a,a1; @@ -33504,7 +35404,7 @@ index 3f08713..87d4b4a 100644 /* Is this interrupt for us? */ if (istat == 0) return IRQ_NONE; -@@ -1061,7 +1061,7 @@ static irqreturn_t do_ida_intr(int irq, void *dev_id) +@@ -1059,7 +1059,7 @@ static irqreturn_t do_ida_intr(int irq, void *dev_id) */ spin_lock_irqsave(IDA_LOCK(h->ctlr), flags); if (istat & FIFO_NOT_EMPTY) { @@ -33513,7 +35413,7 @@ index 3f08713..87d4b4a 100644 a1 = a; a &= ~3; if ((c = h->cmpQ) == NULL) { -@@ -1195,6 +1195,7 @@ out_passthru: +@@ -1193,6 +1193,7 @@ out_passthru: ida_pci_info_struct pciinfo; if (!arg) return -EINVAL; @@ -33521,7 +35421,7 @@ index 3f08713..87d4b4a 100644 pciinfo.bus = host->pci_dev->bus->number; pciinfo.dev_fn = host->pci_dev->devfn; pciinfo.board_id = host->board_id; -@@ -1449,11 +1450,11 @@ static int sendcmd( +@@ -1447,11 +1448,11 @@ static int sendcmd( /* * Disable interrupt */ @@ -33535,7 +35435,7 @@ index 3f08713..87d4b4a 100644 if (temp != 0) { break; } -@@ -1466,7 +1467,7 @@ DBG( +@@ -1464,7 +1465,7 @@ DBG( /* * Send the cmd */ @@ -33544,7 +35444,7 @@ index 3f08713..87d4b4a 100644 complete = pollcomplete(ctlr); pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr, -@@ -1549,9 +1550,9 @@ static int revalidate_allvol(ctlr_info_t *host) +@@ -1547,9 +1548,9 @@ static int revalidate_allvol(ctlr_info_t *host) * we check the new geometry. Then turn interrupts back on when * we're done. */ @@ -33556,7 +35456,7 @@ index 3f08713..87d4b4a 100644 for(i=0; i<NWD; i++) { struct gendisk *disk = ida_gendisk[ctlr][i]; -@@ -1591,7 +1592,7 @@ static int pollcomplete(int ctlr) +@@ -1589,7 +1590,7 @@ static int pollcomplete(int ctlr) /* Wait (up to 2 seconds) for a command to complete */ for (i = 200000; i > 0; i--) { @@ -33579,7 +35479,7 @@ index be73e9d..7fbf140 100644 cmdlist_t *reqQ; cmdlist_t *cmpQ; diff --git a/drivers/block/drbd/drbd_int.h b/drivers/block/drbd/drbd_int.h -index 6b51afa..17e1191 100644 +index f943aac..99bfd19 100644 --- a/drivers/block/drbd/drbd_int.h +++ b/drivers/block/drbd/drbd_int.h @@ -582,7 +582,7 @@ struct drbd_epoch { @@ -33591,16 +35491,16 @@ index 6b51afa..17e1191 100644 atomic_t active; /* increased on every req. added, and dec on every finished. */ unsigned long flags; }; -@@ -1011,7 +1011,7 @@ struct drbd_conf { +@@ -1021,7 +1021,7 @@ struct drbd_conf { + unsigned int al_tr_number; int al_tr_cycle; - int al_tr_pos; /* position of the next transaction in the journal */ wait_queue_head_t seq_wait; - atomic_t packet_seq; + atomic_unchecked_t packet_seq; unsigned int peer_seq; spinlock_t peer_seq_lock; unsigned int minor; -@@ -1527,7 +1527,7 @@ static inline int drbd_setsockopt(struct socket *sock, int level, int optname, +@@ -1562,7 +1562,7 @@ static inline int drbd_setsockopt(struct socket *sock, int level, int optname, char __user *uoptval; int err; @@ -33610,7 +35510,7 @@ index 6b51afa..17e1191 100644 set_fs(KERNEL_DS); if (level == SOL_SOCKET) diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c -index 54d03d4..332f311 100644 +index a5dca6a..bb27967 100644 --- a/drivers/block/drbd/drbd_main.c +++ b/drivers/block/drbd/drbd_main.c @@ -1317,7 +1317,7 @@ static int _drbd_send_ack(struct drbd_conf *mdev, enum drbd_packet cmd, @@ -33643,10 +35543,10 @@ index 54d03d4..332f311 100644 idr_destroy(&tconn->volumes); diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c -index 2f5fffd..b22a1ae 100644 +index 4222aff..1f79506 100644 --- a/drivers/block/drbd/drbd_receiver.c +++ b/drivers/block/drbd/drbd_receiver.c -@@ -833,7 +833,7 @@ int drbd_connected(struct drbd_conf *mdev) +@@ -834,7 +834,7 @@ int drbd_connected(struct drbd_conf *mdev) { int err; @@ -33655,7 +35555,7 @@ index 2f5fffd..b22a1ae 100644 mdev->peer_seq = 0; mdev->state_mutex = mdev->tconn->agreed_pro_version < 100 ? -@@ -1191,7 +1191,7 @@ static enum finish_epoch drbd_may_finish_epoch(struct drbd_tconn *tconn, +@@ -1193,7 +1193,7 @@ static enum finish_epoch drbd_may_finish_epoch(struct drbd_tconn *tconn, do { next_epoch = NULL; @@ -33664,7 +35564,7 @@ index 2f5fffd..b22a1ae 100644 switch (ev & ~EV_CLEANUP) { case EV_PUT: -@@ -1231,7 +1231,7 @@ static enum finish_epoch drbd_may_finish_epoch(struct drbd_tconn *tconn, +@@ -1233,7 +1233,7 @@ static enum finish_epoch drbd_may_finish_epoch(struct drbd_tconn *tconn, rv = FE_DESTROYED; } else { epoch->flags = 0; @@ -33673,7 +35573,7 @@ index 2f5fffd..b22a1ae 100644 /* atomic_set(&epoch->active, 0); is already zero */ if (rv == FE_STILL_LIVE) rv = FE_RECYCLED; -@@ -1449,7 +1449,7 @@ static int receive_Barrier(struct drbd_tconn *tconn, struct packet_info *pi) +@@ -1451,7 +1451,7 @@ static int receive_Barrier(struct drbd_tconn *tconn, struct packet_info *pi) conn_wait_active_ee_empty(tconn); drbd_flush(tconn); @@ -33682,7 +35582,7 @@ index 2f5fffd..b22a1ae 100644 epoch = kmalloc(sizeof(struct drbd_epoch), GFP_NOIO); if (epoch) break; -@@ -1462,11 +1462,11 @@ static int receive_Barrier(struct drbd_tconn *tconn, struct packet_info *pi) +@@ -1464,11 +1464,11 @@ static int receive_Barrier(struct drbd_tconn *tconn, struct packet_info *pi) } epoch->flags = 0; @@ -33696,7 +35596,7 @@ index 2f5fffd..b22a1ae 100644 list_add(&epoch->list, &tconn->current_epoch->list); tconn->current_epoch = epoch; tconn->epochs++; -@@ -2170,7 +2170,7 @@ static int receive_Data(struct drbd_tconn *tconn, struct packet_info *pi) +@@ -2172,7 +2172,7 @@ static int receive_Data(struct drbd_tconn *tconn, struct packet_info *pi) err = wait_for_and_update_peer_seq(mdev, peer_seq); drbd_send_ack_dp(mdev, P_NEG_ACK, p, pi->size); @@ -33705,7 +35605,7 @@ index 2f5fffd..b22a1ae 100644 err2 = drbd_drain_block(mdev, pi->size); if (!err) err = err2; -@@ -2204,7 +2204,7 @@ static int receive_Data(struct drbd_tconn *tconn, struct packet_info *pi) +@@ -2206,7 +2206,7 @@ static int receive_Data(struct drbd_tconn *tconn, struct packet_info *pi) spin_lock(&tconn->epoch_lock); peer_req->epoch = tconn->current_epoch; @@ -33714,7 +35614,7 @@ index 2f5fffd..b22a1ae 100644 atomic_inc(&peer_req->epoch->active); spin_unlock(&tconn->epoch_lock); -@@ -4345,7 +4345,7 @@ struct data_cmd { +@@ -4347,7 +4347,7 @@ struct data_cmd { int expect_payload; size_t pkt_size; int (*fn)(struct drbd_tconn *, struct packet_info *); @@ -33723,7 +35623,7 @@ index 2f5fffd..b22a1ae 100644 static struct data_cmd drbd_cmd_handler[] = { [P_DATA] = { 1, sizeof(struct p_data), receive_Data }, -@@ -4465,7 +4465,7 @@ static void conn_disconnect(struct drbd_tconn *tconn) +@@ -4467,7 +4467,7 @@ static void conn_disconnect(struct drbd_tconn *tconn) if (!list_empty(&tconn->current_epoch->list)) conn_err(tconn, "ASSERTION FAILED: tconn->current_epoch->list not empty\n"); /* ok, no more ee's on the fly, it is safe to reset the epoch_size */ @@ -33732,7 +35632,7 @@ index 2f5fffd..b22a1ae 100644 tconn->send.seen_any_write_yet = false; conn_info(tconn, "Connection closed\n"); -@@ -5221,7 +5221,7 @@ static int tconn_finish_peer_reqs(struct drbd_tconn *tconn) +@@ -5223,7 +5223,7 @@ static int tconn_finish_peer_reqs(struct drbd_tconn *tconn) struct asender_cmd { size_t pkt_size; int (*fn)(struct drbd_tconn *tconn, struct packet_info *); @@ -33742,28 +35642,28 @@ index 2f5fffd..b22a1ae 100644 static struct asender_cmd asender_tbl[] = { [P_PING] = { 0, got_Ping }, diff --git a/drivers/block/loop.c b/drivers/block/loop.c -index dfe7583..83768bb 100644 +index d92d50f..a7e9d97 100644 --- a/drivers/block/loop.c +++ b/drivers/block/loop.c -@@ -231,7 +231,7 @@ static int __do_lo_send_write(struct file *file, - mm_segment_t old_fs = get_fs(); +@@ -232,7 +232,7 @@ static int __do_lo_send_write(struct file *file, + file_start_write(file); set_fs(get_ds()); - bw = file->f_op->write(file, buf, len, &pos); + bw = file->f_op->write(file, (const char __force_user *)buf, len, &pos); set_fs(old_fs); + file_end_write(file); if (likely(bw == len)) - return 0; diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c -index 2e7de7a..ed86dc0 100644 +index f5d0ea1..c62380a 100644 --- a/drivers/block/pktcdvd.c +++ b/drivers/block/pktcdvd.c -@@ -83,7 +83,7 @@ - +@@ -84,7 +84,7 @@ #define MAX_SPEED 0xffff --#define ZONE(sector, pd) (((sector) + (pd)->offset) & ~((pd)->settings.size - 1)) -+#define ZONE(sector, pd) (((sector) + (pd)->offset) & ~((pd)->settings.size - 1UL)) + #define ZONE(sector, pd) (((sector) + (pd)->offset) & \ +- ~(sector_t)((pd)->settings.size - 1)) ++ ~(sector_t)((pd)->settings.size - 1UL)) static DEFINE_MUTEX(pktcdvd_mutex); static struct pktcdvd_device *pkt_devs[MAX_WRITERS]; @@ -33820,7 +35720,7 @@ index 8a3aff7..d7538c2 100644 return 1; diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c -index d59cdcb..11afddf 100644 +index 4afcb65..a68a32d 100644 --- a/drivers/cdrom/gdrom.c +++ b/drivers/cdrom/gdrom.c @@ -491,7 +491,6 @@ static struct cdrom_device_ops gdrom_ops = { @@ -33889,10 +35789,10 @@ index 2e04433..771f2cc 100644 kfree(segment); return -EFAULT; diff --git a/drivers/char/genrtc.c b/drivers/char/genrtc.c -index 21cb980..f15107c 100644 +index 4f94375..413694e 100644 --- a/drivers/char/genrtc.c +++ b/drivers/char/genrtc.c -@@ -272,6 +272,7 @@ static int gen_rtc_ioctl(struct file *file, +@@ -273,6 +273,7 @@ static int gen_rtc_ioctl(struct file *file, switch (cmd) { case RTC_PLL_GET: @@ -33927,7 +35827,7 @@ index 86fe45c..c0ea948 100644 } diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c -index 053201b..8335cce 100644 +index 4445fa1..7c6de37 100644 --- a/drivers/char/ipmi/ipmi_msghandler.c +++ b/drivers/char/ipmi/ipmi_msghandler.c @@ -420,7 +420,7 @@ struct ipmi_smi { @@ -33951,7 +35851,7 @@ index 053201b..8335cce 100644 static int is_lan_addr(struct ipmi_addr *addr) { -@@ -2884,7 +2884,7 @@ int ipmi_register_smi(struct ipmi_smi_handlers *handlers, +@@ -2883,7 +2883,7 @@ int ipmi_register_smi(struct ipmi_smi_handlers *handlers, INIT_LIST_HEAD(&intf->cmd_rcvrs); init_waitqueue_head(&intf->waitq); for (i = 0; i < IPMI_NUM_STATS; i++) @@ -33961,7 +35861,7 @@ index 053201b..8335cce 100644 intf->proc_dir = NULL; diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c -index 0ac9b45..6179fb5 100644 +index af4b23f..79806fc 100644 --- a/drivers/char/ipmi/ipmi_si_intf.c +++ b/drivers/char/ipmi/ipmi_si_intf.c @@ -275,7 +275,7 @@ struct smi_info { @@ -33985,7 +35885,7 @@ index 0ac9b45..6179fb5 100644 #define SI_MAX_PARMS 4 -@@ -3254,7 +3254,7 @@ static int try_smi_init(struct smi_info *new_smi) +@@ -3258,7 +3258,7 @@ static int try_smi_init(struct smi_info *new_smi) atomic_set(&new_smi->req_events, 0); new_smi->run_to_completion = 0; for (i = 0; i < SI_NUM_STATS; i++) @@ -33995,7 +35895,7 @@ index 0ac9b45..6179fb5 100644 new_smi->interrupt_disabled = 1; atomic_set(&new_smi->stop_operation, 0); diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index 2c644af..4b7aede 100644 +index 1ccbe94..6ad651a 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -18,6 +18,7 @@ @@ -34006,7 +35906,7 @@ index 2c644af..4b7aede 100644 #include <linux/ptrace.h> #include <linux/device.h> #include <linux/highmem.h> -@@ -37,6 +38,10 @@ +@@ -38,6 +39,10 @@ #define DEVPORT_MINOR 4 @@ -34017,7 +35917,7 @@ index 2c644af..4b7aede 100644 static inline unsigned long size_inside_page(unsigned long start, unsigned long size) { -@@ -68,9 +73,13 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size) +@@ -69,9 +74,13 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size) while (cursor < to) { if (!devmem_is_allowed(pfn)) { @@ -34031,7 +35931,7 @@ index 2c644af..4b7aede 100644 return 0; } cursor += PAGE_SIZE; -@@ -78,6 +87,11 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size) +@@ -79,6 +88,11 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size) } return 1; } @@ -34043,7 +35943,7 @@ index 2c644af..4b7aede 100644 #else static inline int range_is_allowed(unsigned long pfn, unsigned long size) { -@@ -120,6 +134,7 @@ static ssize_t read_mem(struct file *file, char __user *buf, +@@ -121,6 +135,7 @@ static ssize_t read_mem(struct file *file, char __user *buf, while (count > 0) { unsigned long remaining; @@ -34051,7 +35951,7 @@ index 2c644af..4b7aede 100644 sz = size_inside_page(p, count); -@@ -135,7 +150,23 @@ static ssize_t read_mem(struct file *file, char __user *buf, +@@ -136,7 +151,23 @@ static ssize_t read_mem(struct file *file, char __user *buf, if (!ptr) return -EFAULT; @@ -34076,7 +35976,7 @@ index 2c644af..4b7aede 100644 unxlate_dev_mem_ptr(p, ptr); if (remaining) return -EFAULT; -@@ -378,7 +409,7 @@ static ssize_t read_oldmem(struct file *file, char __user *buf, +@@ -379,7 +410,7 @@ static ssize_t read_oldmem(struct file *file, char __user *buf, else csize = count; @@ -34085,7 +35985,7 @@ index 2c644af..4b7aede 100644 if (rc < 0) return rc; buf += csize; -@@ -398,9 +429,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf, +@@ -399,9 +430,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf, size_t count, loff_t *ppos) { unsigned long p = *ppos; @@ -34096,7 +35996,7 @@ index 2c644af..4b7aede 100644 read = 0; if (p < (unsigned long) high_memory) { -@@ -422,6 +452,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf, +@@ -423,6 +453,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf, } #endif while (low_count > 0) { @@ -34105,7 +36005,7 @@ index 2c644af..4b7aede 100644 sz = size_inside_page(p, low_count); /* -@@ -431,7 +463,22 @@ static ssize_t read_kmem(struct file *file, char __user *buf, +@@ -432,7 +464,22 @@ static ssize_t read_kmem(struct file *file, char __user *buf, */ kbuf = xlate_dev_kmem_ptr((char *)p); @@ -34129,7 +36029,7 @@ index 2c644af..4b7aede 100644 return -EFAULT; buf += sz; p += sz; -@@ -833,6 +880,9 @@ static const struct memdev { +@@ -869,6 +916,9 @@ static const struct memdev { #ifdef CONFIG_CRASH_DUMP [12] = { "oldmem", 0, &oldmem_fops, NULL }, #endif @@ -34139,7 +36039,7 @@ index 2c644af..4b7aede 100644 }; static int memory_open(struct inode *inode, struct file *filp) -@@ -904,7 +954,7 @@ static int __init chr_dev_init(void) +@@ -940,7 +990,7 @@ static int __init chr_dev_init(void) continue; device_create(mem_class, NULL, MKDEV(MEM_MAJOR, minor), @@ -34149,7 +36049,7 @@ index 2c644af..4b7aede 100644 return tty_init(); diff --git a/drivers/char/mwave/tp3780i.c b/drivers/char/mwave/tp3780i.c -index c689697..04e6d6a 100644 +index c689697..04e6d6a2 100644 --- a/drivers/char/mwave/tp3780i.c +++ b/drivers/char/mwave/tp3780i.c @@ -479,6 +479,7 @@ int tp3780I_QueryAbilities(THINKPAD_BD_DATA * pBDData, MW_ABILITIES * pAbilities @@ -34249,7 +36149,7 @@ index 5c5cc00..ac9edb7 100644 if (cmd != SIOCWANDEV) diff --git a/drivers/char/random.c b/drivers/char/random.c -index eccd7cc..98038d5 100644 +index 35487e8..dac8bd1 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -272,8 +272,13 @@ @@ -34415,10 +36315,10 @@ index 84ddc55..1d32f1e 100644 return 0; } diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c -index ce5f3fc..e2d3e55 100644 +index fc45567..fa2a590 100644 --- a/drivers/char/virtio_console.c +++ b/drivers/char/virtio_console.c -@@ -679,7 +679,7 @@ static ssize_t fill_readbuf(struct port *port, char *out_buf, size_t out_count, +@@ -682,7 +682,7 @@ static ssize_t fill_readbuf(struct port *port, char *out_buf, size_t out_count, if (to_user) { ssize_t ret; @@ -34427,7 +36327,7 @@ index ce5f3fc..e2d3e55 100644 if (ret) return -EFAULT; } else { -@@ -778,7 +778,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf, +@@ -785,7 +785,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf, if (!port_has_data(port) && !port->host_connected) return 0; @@ -34436,11 +36336,49 @@ index ce5f3fc..e2d3e55 100644 } static int wait_port_writable(struct port *port, bool nonblock) +diff --git a/drivers/clk/clk-composite.c b/drivers/clk/clk-composite.c +index a33f46f..a720eed 100644 +--- a/drivers/clk/clk-composite.c ++++ b/drivers/clk/clk-composite.c +@@ -122,7 +122,7 @@ struct clk *clk_register_composite(struct device *dev, const char *name, + struct clk *clk; + struct clk_init_data init; + struct clk_composite *composite; +- struct clk_ops *clk_composite_ops; ++ clk_ops_no_const *clk_composite_ops; + + composite = kzalloc(sizeof(*composite), GFP_KERNEL); + if (!composite) { +diff --git a/drivers/clk/socfpga/clk.c b/drivers/clk/socfpga/clk.c +index bd11315..7f87098 100644 +--- a/drivers/clk/socfpga/clk.c ++++ b/drivers/clk/socfpga/clk.c +@@ -22,6 +22,7 @@ + #include <linux/clk-provider.h> + #include <linux/io.h> + #include <linux/of.h> ++#include <asm/pgtable.h> + + /* Clock Manager offsets */ + #define CLKMGR_CTRL 0x0 +@@ -135,8 +136,10 @@ static __init struct clk *socfpga_clk_init(struct device_node *node, + if (strcmp(clk_name, "main_pll") || strcmp(clk_name, "periph_pll") || + strcmp(clk_name, "sdram_pll")) { + socfpga_clk->hw.bit_idx = SOCFPGA_PLL_EXT_ENA; +- clk_pll_ops.enable = clk_gate_ops.enable; +- clk_pll_ops.disable = clk_gate_ops.disable; ++ pax_open_kernel(); ++ *(void **)&clk_pll_ops.enable = clk_gate_ops.enable; ++ *(void **)&clk_pll_ops.disable = clk_gate_ops.disable; ++ pax_close_kernel(); + } + + clk = clk_register(NULL, &socfpga_clk->hw.hw); diff --git a/drivers/clocksource/arm_arch_timer.c b/drivers/clocksource/arm_arch_timer.c -index d7ad425..3e3f81f 100644 +index a2b2541..bc1e7ff 100644 --- a/drivers/clocksource/arm_arch_timer.c +++ b/drivers/clocksource/arm_arch_timer.c -@@ -262,7 +262,7 @@ static int __cpuinit arch_timer_cpu_notify(struct notifier_block *self, +@@ -264,7 +264,7 @@ static int __cpuinit arch_timer_cpu_notify(struct notifier_block *self, return NOTIFY_OK; } @@ -34449,6 +36387,19 @@ index d7ad425..3e3f81f 100644 .notifier_call = arch_timer_cpu_notify, }; +diff --git a/drivers/clocksource/bcm_kona_timer.c b/drivers/clocksource/bcm_kona_timer.c +index 350f493..489479e 100644 +--- a/drivers/clocksource/bcm_kona_timer.c ++++ b/drivers/clocksource/bcm_kona_timer.c +@@ -199,7 +199,7 @@ static struct irqaction kona_timer_irq = { + .handler = kona_timer_interrupt, + }; + +-static void __init kona_timer_init(void) ++static void __init kona_timer_init(struct device_node *np) + { + kona_timers_init(); + kona_timer_clockevents_init(); diff --git a/drivers/clocksource/metag_generic.c b/drivers/clocksource/metag_generic.c index ade7513..069445f 100644 --- a/drivers/clocksource/metag_generic.c @@ -34463,7 +36414,7 @@ index ade7513..069445f 100644 }; diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c -index bb5939b..d9accb7 100644 +index edc089e..bc7c0bc 100644 --- a/drivers/cpufreq/acpi-cpufreq.c +++ b/drivers/cpufreq/acpi-cpufreq.c @@ -172,7 +172,7 @@ static ssize_t show_global_boost(struct kobject *kobj, @@ -34475,7 +36426,7 @@ index bb5939b..d9accb7 100644 show_global_boost, store_global_boost); -@@ -712,8 +712,11 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy) +@@ -705,8 +705,11 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy) data->acpi_data = per_cpu_ptr(acpi_perf_data, cpu); per_cpu(acfreq_data, cpu) = data; @@ -34489,7 +36440,7 @@ index bb5939b..d9accb7 100644 result = acpi_processor_register_performance(data->acpi_data, cpu); if (result) -@@ -839,7 +842,9 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy) +@@ -832,7 +835,9 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy) policy->cur = acpi_cpufreq_guess_freq(data, policy->cpu); break; case ACPI_ADR_SPACE_FIXED_HARDWARE: @@ -34500,7 +36451,7 @@ index bb5939b..d9accb7 100644 policy->cur = get_cur_freq_on_cpu(cpu); break; default: -@@ -850,8 +855,11 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy) +@@ -843,8 +848,11 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy) acpi_processor_notify_smm(THIS_MODULE); /* Check for APERF/MPERF support in hardware */ @@ -34515,10 +36466,10 @@ index bb5939b..d9accb7 100644 pr_debug("CPU%u - ACPI performance management activated.\n", cpu); for (i = 0; i < perf->state_count; i++) diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c -index b02824d..51e44aa 100644 +index 6485547..477033e 100644 --- a/drivers/cpufreq/cpufreq.c +++ b/drivers/cpufreq/cpufreq.c -@@ -1813,7 +1813,7 @@ static int __cpuinit cpufreq_cpu_callback(struct notifier_block *nfb, +@@ -1854,7 +1854,7 @@ static int __cpuinit cpufreq_cpu_callback(struct notifier_block *nfb, return NOTIFY_OK; } @@ -34527,7 +36478,7 @@ index b02824d..51e44aa 100644 .notifier_call = cpufreq_cpu_callback, }; -@@ -1845,8 +1845,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data) +@@ -1886,8 +1886,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data) pr_debug("trying to register driver %s\n", driver_data->name); @@ -34539,36 +36490,77 @@ index b02824d..51e44aa 100644 + pax_close_kernel(); + } - spin_lock_irqsave(&cpufreq_driver_lock, flags); + write_lock_irqsave(&cpufreq_driver_lock, flags); if (cpufreq_driver) { diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c -index 5a76086..0f4d394 100644 +index a86ff72..aad2b03 100644 --- a/drivers/cpufreq/cpufreq_governor.c +++ b/drivers/cpufreq/cpufreq_governor.c -@@ -201,8 +201,8 @@ int cpufreq_governor_dbs(struct dbs_data *dbs_data, - { +@@ -235,7 +235,7 @@ int cpufreq_governor_dbs(struct cpufreq_policy *policy, + struct dbs_data *dbs_data; struct od_cpu_dbs_info_s *od_dbs_info = NULL; struct cs_cpu_dbs_info_s *cs_dbs_info = NULL; -- struct cs_ops *cs_ops = NULL; - struct od_ops *od_ops = NULL; -+ const struct cs_ops *cs_ops = NULL; + const struct od_ops *od_ops = NULL; - struct od_dbs_tuners *od_tuners = dbs_data->tuners; - struct cs_dbs_tuners *cs_tuners = dbs_data->tuners; + struct od_dbs_tuners *od_tuners = NULL; + struct cs_dbs_tuners *cs_tuners = NULL; struct cpu_dbs_common_info *cpu_cdbs; +@@ -298,7 +298,7 @@ int cpufreq_governor_dbs(struct cpufreq_policy *policy, + + if ((cdata->governor == GOV_CONSERVATIVE) && + (!policy->governor->initialized)) { +- struct cs_ops *cs_ops = dbs_data->cdata->gov_ops; ++ const struct cs_ops *cs_ops = dbs_data->cdata->gov_ops; + + cpufreq_register_notifier(cs_ops->notifier_block, + CPUFREQ_TRANSITION_NOTIFIER); +@@ -315,7 +315,7 @@ int cpufreq_governor_dbs(struct cpufreq_policy *policy, + + if ((dbs_data->cdata->governor == GOV_CONSERVATIVE) && + (policy->governor->initialized == 1)) { +- struct cs_ops *cs_ops = dbs_data->cdata->gov_ops; ++ const struct cs_ops *cs_ops = dbs_data->cdata->gov_ops; + + cpufreq_unregister_notifier(cs_ops->notifier_block, + CPUFREQ_TRANSITION_NOTIFIER); diff --git a/drivers/cpufreq/cpufreq_governor.h b/drivers/cpufreq/cpufreq_governor.h -index cc4bd2f..ad142bc 100644 +index 0d9e6be..461fd3b 100644 --- a/drivers/cpufreq/cpufreq_governor.h +++ b/drivers/cpufreq/cpufreq_governor.h -@@ -142,7 +142,7 @@ struct dbs_data { - void (*gov_check_cpu)(int cpu, unsigned int load); +@@ -204,7 +204,7 @@ struct common_dbs_data { + void (*exit)(struct dbs_data *dbs_data); /* Governor specific ops, see below */ - void *gov_ops; + const void *gov_ops; }; - /* Governor specific ops, will be passed to dbs_data->gov_ops */ + /* Governer Per policy data */ +diff --git a/drivers/cpufreq/cpufreq_ondemand.c b/drivers/cpufreq/cpufreq_ondemand.c +index c087347..dad6268 100644 +--- a/drivers/cpufreq/cpufreq_ondemand.c ++++ b/drivers/cpufreq/cpufreq_ondemand.c +@@ -615,14 +615,18 @@ void od_register_powersave_bias_handler(unsigned int (*f) + (struct cpufreq_policy *, unsigned int, unsigned int), + unsigned int powersave_bias) + { +- od_ops.powersave_bias_target = f; ++ pax_open_kernel(); ++ *(void **)&od_ops.powersave_bias_target = f; ++ pax_close_kernel(); + od_set_powersave_bias(powersave_bias); + } + EXPORT_SYMBOL_GPL(od_register_powersave_bias_handler); + + void od_unregister_powersave_bias_handler(void) + { +- od_ops.powersave_bias_target = generic_powersave_bias_target; ++ pax_open_kernel(); ++ *(void **)&od_ops.powersave_bias_target = generic_powersave_bias_target; ++ pax_close_kernel(); + od_set_powersave_bias(0); + } + EXPORT_SYMBOL_GPL(od_unregister_powersave_bias_handler); diff --git a/drivers/cpufreq/cpufreq_stats.c b/drivers/cpufreq/cpufreq_stats.c index bfd6273..e39dd63 100644 --- a/drivers/cpufreq/cpufreq_stats.c @@ -34583,10 +36575,10 @@ index bfd6273..e39dd63 100644 .priority = 1, }; diff --git a/drivers/cpufreq/p4-clockmod.c b/drivers/cpufreq/p4-clockmod.c -index 827629c9..0bc6a03 100644 +index 421ef37..e708530c 100644 --- a/drivers/cpufreq/p4-clockmod.c +++ b/drivers/cpufreq/p4-clockmod.c -@@ -167,10 +167,14 @@ static unsigned int cpufreq_p4_get_frequency(struct cpuinfo_x86 *c) +@@ -160,10 +160,14 @@ static unsigned int cpufreq_p4_get_frequency(struct cpuinfo_x86 *c) case 0x0F: /* Core Duo */ case 0x16: /* Celeron Core */ case 0x1C: /* Atom */ @@ -34603,7 +36595,7 @@ index 827629c9..0bc6a03 100644 /* fall through */ case 0x09: /* Pentium M (Banias) */ return speedstep_get_frequency(SPEEDSTEP_CPU_PM); -@@ -182,7 +186,9 @@ static unsigned int cpufreq_p4_get_frequency(struct cpuinfo_x86 *c) +@@ -175,7 +179,9 @@ static unsigned int cpufreq_p4_get_frequency(struct cpuinfo_x86 *c) /* on P-4s, the TSC runs with constant frequency independent whether * throttling is active or not. */ @@ -34614,8 +36606,117 @@ index 827629c9..0bc6a03 100644 if (speedstep_detect_processor() == SPEEDSTEP_CPU_P4M) { printk(KERN_WARNING PFX "Warning: Pentium 4-M detected. " +diff --git a/drivers/cpufreq/sparc-us3-cpufreq.c b/drivers/cpufreq/sparc-us3-cpufreq.c +index c71ee14..7c2e183 100644 +--- a/drivers/cpufreq/sparc-us3-cpufreq.c ++++ b/drivers/cpufreq/sparc-us3-cpufreq.c +@@ -18,14 +18,12 @@ + #include <asm/head.h> + #include <asm/timer.h> + +-static struct cpufreq_driver *cpufreq_us3_driver; +- + struct us3_freq_percpu_info { + struct cpufreq_frequency_table table[4]; + }; + + /* Indexed by cpu number. */ +-static struct us3_freq_percpu_info *us3_freq_table; ++static struct us3_freq_percpu_info us3_freq_table[NR_CPUS]; + + /* UltraSPARC-III has three dividers: 1, 2, and 32. These are controlled + * in the Safari config register. +@@ -186,12 +184,25 @@ static int __init us3_freq_cpu_init(struct cpufreq_policy *policy) + + static int us3_freq_cpu_exit(struct cpufreq_policy *policy) + { +- if (cpufreq_us3_driver) +- us3_set_cpu_divider_index(policy, 0); ++ us3_set_cpu_divider_index(policy->cpu, 0); + + return 0; + } + ++static int __init us3_freq_init(void); ++static void __exit us3_freq_exit(void); ++ ++static struct cpufreq_driver cpufreq_us3_driver = { ++ .init = us3_freq_cpu_init, ++ .verify = us3_freq_verify, ++ .target = us3_freq_target, ++ .get = us3_freq_get, ++ .exit = us3_freq_cpu_exit, ++ .owner = THIS_MODULE, ++ .name = "UltraSPARC-III", ++ ++}; ++ + static int __init us3_freq_init(void) + { + unsigned long manuf, impl, ver; +@@ -208,57 +219,15 @@ static int __init us3_freq_init(void) + (impl == CHEETAH_IMPL || + impl == CHEETAH_PLUS_IMPL || + impl == JAGUAR_IMPL || +- impl == PANTHER_IMPL)) { +- struct cpufreq_driver *driver; +- +- ret = -ENOMEM; +- driver = kzalloc(sizeof(struct cpufreq_driver), GFP_KERNEL); +- if (!driver) +- goto err_out; +- +- us3_freq_table = kzalloc( +- (NR_CPUS * sizeof(struct us3_freq_percpu_info)), +- GFP_KERNEL); +- if (!us3_freq_table) +- goto err_out; +- +- driver->init = us3_freq_cpu_init; +- driver->verify = us3_freq_verify; +- driver->target = us3_freq_target; +- driver->get = us3_freq_get; +- driver->exit = us3_freq_cpu_exit; +- driver->owner = THIS_MODULE, +- strcpy(driver->name, "UltraSPARC-III"); +- +- cpufreq_us3_driver = driver; +- ret = cpufreq_register_driver(driver); +- if (ret) +- goto err_out; +- +- return 0; +- +-err_out: +- if (driver) { +- kfree(driver); +- cpufreq_us3_driver = NULL; +- } +- kfree(us3_freq_table); +- us3_freq_table = NULL; +- return ret; +- } ++ impl == PANTHER_IMPL)) ++ return cpufreq_register_driver(&cpufreq_us3_driver); + + return -ENODEV; + } + + static void __exit us3_freq_exit(void) + { +- if (cpufreq_us3_driver) { +- cpufreq_unregister_driver(cpufreq_us3_driver); +- kfree(cpufreq_us3_driver); +- cpufreq_us3_driver = NULL; +- kfree(us3_freq_table); +- us3_freq_table = NULL; +- } ++ cpufreq_unregister_driver(&cpufreq_us3_driver); + } + + MODULE_AUTHOR("David S. Miller <davem@redhat.com>"); diff --git a/drivers/cpufreq/speedstep-centrino.c b/drivers/cpufreq/speedstep-centrino.c -index 3a953d5..f5993f6 100644 +index 618e6f4..e89d915 100644 --- a/drivers/cpufreq/speedstep-centrino.c +++ b/drivers/cpufreq/speedstep-centrino.c @@ -353,8 +353,11 @@ static int centrino_cpu_init(struct cpufreq_policy *policy) @@ -34633,10 +36734,10 @@ index 3a953d5..f5993f6 100644 if (policy->cpu != 0) return -ENODEV; diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c -index eba6929..0f53baf 100644 +index c3a93fe..e808f24 100644 --- a/drivers/cpuidle/cpuidle.c +++ b/drivers/cpuidle/cpuidle.c -@@ -277,7 +277,7 @@ static int poll_idle(struct cpuidle_device *dev, +@@ -254,7 +254,7 @@ static int poll_idle(struct cpuidle_device *dev, static void poll_idle_init(struct cpuidle_driver *drv) { @@ -34724,45 +36825,11 @@ index b70709b..1d8d02a 100644 .notifier_call = sh_dmae_nmi_handler, /* Run before NMI debug handler and KGDB */ -diff --git a/drivers/edac/edac_mc.c b/drivers/edac/edac_mc.c -index 27e86d9..89e1090 100644 ---- a/drivers/edac/edac_mc.c -+++ b/drivers/edac/edac_mc.c -@@ -48,6 +48,8 @@ static LIST_HEAD(mc_devices); - */ - static void const *edac_mc_owner; - -+static struct bus_type mc_bus[EDAC_MAX_MCS]; -+ - unsigned edac_dimm_info_location(struct dimm_info *dimm, char *buf, - unsigned len) - { -@@ -723,6 +725,11 @@ int edac_mc_add_mc(struct mem_ctl_info *mci) - int ret = -EINVAL; - edac_dbg(0, "\n"); - -+ if (mci->mc_idx >= EDAC_MAX_MCS) { -+ pr_warn_once("Too many memory controllers: %d\n", mci->mc_idx); -+ return -ENODEV; -+ } -+ - #ifdef CONFIG_EDAC_DEBUG - if (edac_debug_level >= 3) - edac_mc_dump_mci(mci); -@@ -762,6 +769,8 @@ int edac_mc_add_mc(struct mem_ctl_info *mci) - /* set load time so that error rate can be tracked */ - mci->start_time = jiffies; - -+ mci->bus = &mc_bus[mci->mc_idx]; -+ - if (edac_create_sysfs_mci_device(mci)) { - edac_mc_printk(mci, KERN_WARNING, - "failed to create sysfs device\n"); diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c -index 769d92e..8baa11a 100644 +index c4d700a..0b57abd 100644 --- a/drivers/edac/edac_mc_sysfs.c +++ b/drivers/edac/edac_mc_sysfs.c -@@ -148,7 +148,7 @@ static const char *edac_caps[] = { +@@ -148,7 +148,7 @@ static const char * const edac_caps[] = { struct dev_ch_attribute { struct device_attribute attr; int channel; @@ -34771,60 +36838,7 @@ index 769d92e..8baa11a 100644 #define DEVICE_CHANNEL(_name, _mode, _show, _store, _var) \ struct dev_ch_attribute dev_attr_legacy_##_name = \ -@@ -370,7 +370,7 @@ static int edac_create_csrow_object(struct mem_ctl_info *mci, - return -ENODEV; - - csrow->dev.type = &csrow_attr_type; -- csrow->dev.bus = &mci->bus; -+ csrow->dev.bus = mci->bus; - device_initialize(&csrow->dev); - csrow->dev.parent = &mci->dev; - csrow->mci = mci; -@@ -605,7 +605,7 @@ static int edac_create_dimm_object(struct mem_ctl_info *mci, - dimm->mci = mci; - - dimm->dev.type = &dimm_attr_type; -- dimm->dev.bus = &mci->bus; -+ dimm->dev.bus = mci->bus; - device_initialize(&dimm->dev); - - dimm->dev.parent = &mci->dev; -@@ -975,11 +975,13 @@ int edac_create_sysfs_mci_device(struct mem_ctl_info *mci) - * The memory controller needs its own bus, in order to avoid - * namespace conflicts at /sys/bus/edac. - */ -- mci->bus.name = kasprintf(GFP_KERNEL, "mc%d", mci->mc_idx); -- if (!mci->bus.name) -+ mci->bus->name = kasprintf(GFP_KERNEL, "mc%d", mci->mc_idx); -+ if (!mci->bus->name) - return -ENOMEM; -- edac_dbg(0, "creating bus %s\n", mci->bus.name); -- err = bus_register(&mci->bus); -+ -+ edac_dbg(0, "creating bus %s\n", mci->bus->name); -+ -+ err = bus_register(mci->bus); - if (err < 0) - return err; - -@@ -988,7 +990,7 @@ int edac_create_sysfs_mci_device(struct mem_ctl_info *mci) - device_initialize(&mci->dev); - - mci->dev.parent = mci_pdev; -- mci->dev.bus = &mci->bus; -+ mci->dev.bus = mci->bus; - dev_set_name(&mci->dev, "mc%d", mci->mc_idx); - dev_set_drvdata(&mci->dev, mci); - pm_runtime_forbid(&mci->dev); -@@ -997,20 +999,22 @@ int edac_create_sysfs_mci_device(struct mem_ctl_info *mci) - err = device_add(&mci->dev); - if (err < 0) { - edac_dbg(1, "failure: create device %s\n", dev_name(&mci->dev)); -- bus_unregister(&mci->bus); -- kfree(mci->bus.name); -+ bus_unregister(mci->bus); -+ kfree(mci->bus->name); - return err; +@@ -1005,14 +1005,16 @@ int edac_create_sysfs_mci_device(struct mem_ctl_info *mci) } if (mci->set_sdram_scrub_rate || mci->get_sdram_scrub_rate) { @@ -34845,28 +36859,6 @@ index 769d92e..8baa11a 100644 err = device_create_file(&mci->dev, &dev_attr_sdram_scrub_rate); if (err) { -@@ -1064,8 +1068,8 @@ fail: - } - fail2: - device_unregister(&mci->dev); -- bus_unregister(&mci->bus); -- kfree(mci->bus.name); -+ bus_unregister(mci->bus); -+ kfree(mci->bus->name); - return err; - } - -@@ -1098,8 +1102,8 @@ void edac_unregister_sysfs(struct mem_ctl_info *mci) - { - edac_dbg(1, "Unregistering device %s\n", dev_name(&mci->dev)); - device_unregister(&mci->dev); -- bus_unregister(&mci->bus); -- kfree(mci->bus.name); -+ bus_unregister(mci->bus); -+ kfree(mci->bus->name); - } - - static void mc_attr_release(struct device *dev) diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c index e8658e4..22746d6 100644 --- a/drivers/edac/edac_pci_sysfs.c @@ -34963,19 +36955,6 @@ index e8658e4..22746d6 100644 panic("EDAC: PCI Parity Error"); } } -diff --git a/drivers/edac/i5100_edac.c b/drivers/edac/i5100_edac.c -index 1b63517..157b934 100644 ---- a/drivers/edac/i5100_edac.c -+++ b/drivers/edac/i5100_edac.c -@@ -974,7 +974,7 @@ static int i5100_setup_debugfs(struct mem_ctl_info *mci) - if (!i5100_debugfs) - return -ENODEV; - -- priv->debugfs = debugfs_create_dir(mci->bus.name, i5100_debugfs); -+ priv->debugfs = debugfs_create_dir(mci->bus->name, i5100_debugfs); - - if (!priv->debugfs) - return -ENOMEM; diff --git a/drivers/edac/mce_amd.h b/drivers/edac/mce_amd.h index 51b7e3a..aa8a3e8 100644 --- a/drivers/edac/mce_amd.h @@ -35002,22 +36981,8 @@ index 57ea7f4..789e3c3 100644 card->driver->update_phy_reg(card, 4, PHY_LINK_ACTIVE | PHY_CONTENDER, 0); -diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c -index 27ac423..13573e8 100644 ---- a/drivers/firewire/core-cdev.c -+++ b/drivers/firewire/core-cdev.c -@@ -1366,8 +1366,7 @@ static int init_iso_resource(struct client *client, - int ret; - - if ((request->channels == 0 && request->bandwidth == 0) || -- request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL || -- request->bandwidth < 0) -+ request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL) - return -EINVAL; - - r = kmalloc(sizeof(*r), GFP_KERNEL); diff --git a/drivers/firewire/core-device.c b/drivers/firewire/core-device.c -index 03ce7d9..b70f5da 100644 +index 664a6ff..af13580 100644 --- a/drivers/firewire/core-device.c +++ b/drivers/firewire/core-device.c @@ -232,7 +232,7 @@ EXPORT_SYMBOL(fw_device_enable_phys_dma); @@ -35067,10 +37032,10 @@ index 94a58a0..f5eba42 100644 container_of(_dev_attr, struct dmi_device_attribute, dev_attr) diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c -index 4cd392d..4b629e1 100644 +index b95159b..841ae55 100644 --- a/drivers/firmware/dmi_scan.c +++ b/drivers/firmware/dmi_scan.c -@@ -490,11 +490,6 @@ void __init dmi_scan_machine(void) +@@ -497,11 +497,6 @@ void __init dmi_scan_machine(void) } } else { @@ -35082,7 +37047,7 @@ index 4cd392d..4b629e1 100644 p = dmi_ioremap(0xF0000, 0x10000); if (p == NULL) goto error; -@@ -769,7 +764,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *), +@@ -786,7 +781,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *), if (buf == NULL) return -1; @@ -35091,22 +37056,39 @@ index 4cd392d..4b629e1 100644 iounmap(buf); return 0; -diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c -index f4baa11..7970c3a 100644 ---- a/drivers/firmware/efivars.c -+++ b/drivers/firmware/efivars.c -@@ -139,7 +139,7 @@ struct efivar_attribute { +diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c +index 5145fa3..0d3babd 100644 +--- a/drivers/firmware/efi/efi.c ++++ b/drivers/firmware/efi/efi.c +@@ -65,14 +65,16 @@ static struct attribute_group efi_subsys_attr_group = { }; - static struct efivars __efivars; --static struct efivar_operations ops; -+static efivar_operations_no_const ops __read_only; + static struct efivars generic_efivars; +-static struct efivar_operations generic_ops; ++static efivar_operations_no_const generic_ops __read_only; - #define PSTORE_EFI_ATTRIBUTES \ - (EFI_VARIABLE_NON_VOLATILE | \ -@@ -1844,7 +1844,7 @@ efivar_create_sysfs_entry(struct efivars *efivars, + static int generic_ops_register(void) + { +- generic_ops.get_variable = efi.get_variable; +- generic_ops.set_variable = efi.set_variable; +- generic_ops.get_next_variable = efi.get_next_variable; +- generic_ops.query_variable_store = efi_query_variable_store; ++ pax_open_kernel(); ++ *(void **)&generic_ops.get_variable = efi.get_variable; ++ *(void **)&generic_ops.set_variable = efi.set_variable; ++ *(void **)&generic_ops.get_next_variable = efi.get_next_variable; ++ *(void **)&generic_ops.query_variable_store = efi_query_variable_store; ++ pax_close_kernel(); + + return efivars_register(&generic_efivars, &generic_ops, efi_kobj); + } +diff --git a/drivers/firmware/efi/efivars.c b/drivers/firmware/efi/efivars.c +index 8bd1bb6..c48b0c6 100644 +--- a/drivers/firmware/efi/efivars.c ++++ b/drivers/firmware/efi/efivars.c +@@ -452,7 +452,7 @@ efivar_create_sysfs_entry(struct efivar_entry *new_var) static int - create_efivars_bin_attributes(struct efivars *efivars) + create_efivars_bin_attributes(void) { - struct bin_attribute *attr; + bin_attribute_no_const *attr; @@ -35129,7 +37111,7 @@ index 2a90ba6..07f3733 100644 ret = sysfs_create_bin_file(firmware_kobj, &memconsole_bin_attr); diff --git a/drivers/gpio/gpio-ich.c b/drivers/gpio/gpio-ich.c -index de3c317..b7cd029 100644 +index e16d932..f0206ef 100644 --- a/drivers/gpio/gpio-ich.c +++ b/drivers/gpio/gpio-ich.c @@ -69,7 +69,7 @@ struct ichx_desc { @@ -35155,10 +37137,10 @@ index 9902732..64b62dd 100644 return -EINVAL; } diff --git a/drivers/gpu/drm/drm_crtc_helper.c b/drivers/gpu/drm/drm_crtc_helper.c -index 7b2d378..cc947ea 100644 +index ed1334e..ee0dd42 100644 --- a/drivers/gpu/drm/drm_crtc_helper.c +++ b/drivers/gpu/drm/drm_crtc_helper.c -@@ -319,7 +319,7 @@ static bool drm_encoder_crtc_ok(struct drm_encoder *encoder, +@@ -321,7 +321,7 @@ static bool drm_encoder_crtc_ok(struct drm_encoder *encoder, struct drm_crtc *tmp; int crtc_mask = 1; @@ -35168,7 +37150,7 @@ index 7b2d378..cc947ea 100644 dev = crtc->dev; diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c -index 25f91cd..a376f55 100644 +index 9cc247f..36aa285 100644 --- a/drivers/gpu/drm/drm_drv.c +++ b/drivers/gpu/drm/drm_drv.c @@ -306,7 +306,7 @@ module_exit(drm_core_exit); @@ -35183,7 +37165,7 @@ index 25f91cd..a376f55 100644 @@ -376,7 +376,7 @@ long drm_ioctl(struct file *filp, struct drm_file *file_priv = filp->private_data; struct drm_device *dev; - struct drm_ioctl_desc *ioctl; + const struct drm_ioctl_desc *ioctl = NULL; - drm_ioctl_t *func; + drm_ioctl_no_const_t func; unsigned int nr = DRM_IOCTL_NR(cmd); @@ -35197,29 +37179,7 @@ index 25f91cd..a376f55 100644 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]); ++file_priv->ioctl_count; - DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n", -diff --git a/drivers/gpu/drm/drm_encoder_slave.c b/drivers/gpu/drm/drm_encoder_slave.c -index 48c52f7..0cfb60f 100644 ---- a/drivers/gpu/drm/drm_encoder_slave.c -+++ b/drivers/gpu/drm/drm_encoder_slave.c -@@ -54,16 +54,12 @@ int drm_i2c_encoder_init(struct drm_device *dev, - struct i2c_adapter *adap, - const struct i2c_board_info *info) - { -- char modalias[sizeof(I2C_MODULE_PREFIX) -- + I2C_NAME_SIZE]; - struct module *module = NULL; - struct i2c_client *client; - struct drm_i2c_encoder_driver *encoder_drv; - int err = 0; - -- snprintf(modalias, sizeof(modalias), -- "%s%s", I2C_MODULE_PREFIX, info->type); -- request_module(modalias); -+ request_module("%s%s", I2C_MODULE_PREFIX, info->type); - - client = i2c_new_device(adap, info); - if (!client) { + if ((nr >= DRM_CORE_IOCTL_COUNT) && diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c index 429e07d..e681a2c 100644 --- a/drivers/gpu/drm/drm_fops.c @@ -35486,7 +37446,7 @@ index d752c96..fe08455 100644 if (drm_lock_free(&master->lock, lock->context)) { /* FIXME: Should really bail out here. */ diff --git a/drivers/gpu/drm/drm_stub.c b/drivers/gpu/drm/drm_stub.c -index 7d30802..42c6cbb 100644 +index 16f3ec5..b28f9ca 100644 --- a/drivers/gpu/drm/drm_stub.c +++ b/drivers/gpu/drm/drm_stub.c @@ -501,7 +501,7 @@ void drm_unplug_dev(struct drm_device *dev) @@ -35553,7 +37513,7 @@ index 6e0acad..93c8289 100644 int front_offset; } drm_i810_private_t; diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c -index 7299ea4..5314487 100644 +index e913d32..4d9b351 100644 --- a/drivers/gpu/drm/i915/i915_debugfs.c +++ b/drivers/gpu/drm/i915/i915_debugfs.c @@ -499,7 +499,7 @@ static int i915_interrupt_info(struct seq_file *m, void *data) @@ -35566,7 +37526,7 @@ index 7299ea4..5314487 100644 if (IS_GEN6(dev) || IS_GEN7(dev)) { seq_printf(m, diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c -index 4fa6beb..f930fec 100644 +index 17d9b0b..860e6d9 100644 --- a/drivers/gpu/drm/i915/i915_dma.c +++ b/drivers/gpu/drm/i915/i915_dma.c @@ -1259,7 +1259,7 @@ static bool i915_switcheroo_can_switch(struct pci_dev *pdev) @@ -35579,10 +37539,10 @@ index 4fa6beb..f930fec 100644 return can_switch; } diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h -index ef99b1c..09ce7fb 100644 +index 47d8b68..52f5d8d 100644 --- a/drivers/gpu/drm/i915/i915_drv.h +++ b/drivers/gpu/drm/i915/i915_drv.h -@@ -893,7 +893,7 @@ typedef struct drm_i915_private { +@@ -916,7 +916,7 @@ typedef struct drm_i915_private { drm_dma_handle_t *status_page_dmah; struct resource mch_res; @@ -35591,7 +37551,7 @@ index ef99b1c..09ce7fb 100644 /* protects the irq masks */ spinlock_t irq_lock; -@@ -1775,7 +1775,7 @@ extern struct i2c_adapter *intel_gmbus_get_adapter( +@@ -1813,7 +1813,7 @@ extern struct i2c_adapter *intel_gmbus_get_adapter( struct drm_i915_private *dev_priv, unsigned port); extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed); extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit); @@ -35601,10 +37561,10 @@ index ef99b1c..09ce7fb 100644 return container_of(adapter, struct intel_gmbus, adapter)->force_bit; } diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c -index 9a48e1a..f0cbc3e 100644 +index 117ce38..eefd237 100644 --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c -@@ -729,9 +729,9 @@ i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec) +@@ -727,9 +727,9 @@ i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec) static int validate_exec_list(struct drm_i915_gem_exec_object2 *exec, @@ -35616,15 +37576,6 @@ index 9a48e1a..f0cbc3e 100644 int relocs_total = 0; int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry); -@@ -1195,7 +1195,7 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data, - return -ENOMEM; - } - ret = copy_from_user(exec2_list, -- (struct drm_i915_relocation_entry __user *) -+ (struct drm_i915_gem_exec_object2 __user *) - (uintptr_t) args->buffers_ptr, - sizeof(*exec2_list) * args->buffer_count); - if (ret != 0) { diff --git a/drivers/gpu/drm/i915/i915_ioc32.c b/drivers/gpu/drm/i915/i915_ioc32.c index 3c59584..500f2e9 100644 --- a/drivers/gpu/drm/i915/i915_ioc32.c @@ -35661,10 +37612,10 @@ index 3c59584..500f2e9 100644 return ret; diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c -index 3c7bb04..182e049 100644 +index e5e32869..1678f36 100644 --- a/drivers/gpu/drm/i915/i915_irq.c +++ b/drivers/gpu/drm/i915/i915_irq.c -@@ -549,7 +549,7 @@ static irqreturn_t valleyview_irq_handler(int irq, void *arg) +@@ -670,7 +670,7 @@ static irqreturn_t valleyview_irq_handler(int irq, void *arg) int pipe; u32 pipe_stats[I915_MAX_PIPES]; @@ -35673,7 +37624,7 @@ index 3c7bb04..182e049 100644 while (true) { iir = I915_READ(VLV_IIR); -@@ -705,7 +705,7 @@ static irqreturn_t ivybridge_irq_handler(int irq, void *arg) +@@ -835,7 +835,7 @@ static irqreturn_t ivybridge_irq_handler(int irq, void *arg) irqreturn_t ret = IRQ_NONE; int i; @@ -35682,7 +37633,7 @@ index 3c7bb04..182e049 100644 /* disable master interrupt before clearing iir */ de_ier = I915_READ(DEIER); -@@ -791,7 +791,7 @@ static irqreturn_t ironlake_irq_handler(int irq, void *arg) +@@ -925,7 +925,7 @@ static irqreturn_t ironlake_irq_handler(int irq, void *arg) int ret = IRQ_NONE; u32 de_iir, gt_iir, de_ier, pm_iir, sde_ier; @@ -35691,7 +37642,7 @@ index 3c7bb04..182e049 100644 /* disable master interrupt before clearing iir */ de_ier = I915_READ(DEIER); -@@ -1886,7 +1886,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev) +@@ -2089,7 +2089,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev) { drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; @@ -35700,7 +37651,7 @@ index 3c7bb04..182e049 100644 I915_WRITE(HWSTAM, 0xeffe); -@@ -1912,7 +1912,7 @@ static void valleyview_irq_preinstall(struct drm_device *dev) +@@ -2124,7 +2124,7 @@ static void valleyview_irq_preinstall(struct drm_device *dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -35709,7 +37660,7 @@ index 3c7bb04..182e049 100644 /* VLV magic */ I915_WRITE(VLV_IMR, 0); -@@ -2208,7 +2208,7 @@ static void i8xx_irq_preinstall(struct drm_device * dev) +@@ -2411,7 +2411,7 @@ static void i8xx_irq_preinstall(struct drm_device * dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -35718,7 +37669,7 @@ index 3c7bb04..182e049 100644 for_each_pipe(pipe) I915_WRITE(PIPESTAT(pipe), 0); -@@ -2259,7 +2259,7 @@ static irqreturn_t i8xx_irq_handler(int irq, void *arg) +@@ -2490,7 +2490,7 @@ static irqreturn_t i8xx_irq_handler(int irq, void *arg) I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT | I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT; @@ -35727,7 +37678,7 @@ index 3c7bb04..182e049 100644 iir = I915_READ16(IIR); if (iir == 0) -@@ -2344,7 +2344,7 @@ static void i915_irq_preinstall(struct drm_device * dev) +@@ -2565,7 +2565,7 @@ static void i915_irq_preinstall(struct drm_device * dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -35736,8 +37687,8 @@ index 3c7bb04..182e049 100644 if (I915_HAS_HOTPLUG(dev)) { I915_WRITE(PORT_HOTPLUG_EN, 0); -@@ -2448,7 +2448,7 @@ static irqreturn_t i915_irq_handler(int irq, void *arg) - }; +@@ -2664,7 +2664,7 @@ static irqreturn_t i915_irq_handler(int irq, void *arg) + I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT; int pipe, ret = IRQ_NONE; - atomic_inc(&dev_priv->irq_received); @@ -35745,7 +37696,7 @@ index 3c7bb04..182e049 100644 iir = I915_READ(IIR); do { -@@ -2574,7 +2574,7 @@ static void i965_irq_preinstall(struct drm_device * dev) +@@ -2791,7 +2791,7 @@ static void i965_irq_preinstall(struct drm_device * dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -35754,9 +37705,9 @@ index 3c7bb04..182e049 100644 I915_WRITE(PORT_HOTPLUG_EN, 0); I915_WRITE(PORT_HOTPLUG_STAT, I915_READ(PORT_HOTPLUG_STAT)); -@@ -2690,7 +2690,7 @@ static irqreturn_t i965_irq_handler(int irq, void *arg) - int irq_received; - int ret = IRQ_NONE, pipe; +@@ -2898,7 +2898,7 @@ static irqreturn_t i965_irq_handler(int irq, void *arg) + I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT | + I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT; - atomic_inc(&dev_priv->irq_received); + atomic_inc_unchecked(&dev_priv->irq_received); @@ -35764,10 +37715,10 @@ index 3c7bb04..182e049 100644 iir = I915_READ(IIR); diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index 2ab65b4..acbd821 100644 +index eea5982..eeef407 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c -@@ -8742,13 +8742,13 @@ struct intel_quirk { +@@ -8935,13 +8935,13 @@ struct intel_quirk { int subsystem_vendor; int subsystem_device; void (*hook)(struct drm_device *dev); @@ -35783,7 +37734,7 @@ index 2ab65b4..acbd821 100644 static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) { -@@ -8756,18 +8756,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) +@@ -8949,18 +8949,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) return 1; } @@ -35906,7 +37857,7 @@ index 598c281..60d590e 100644 *sequence = cur_fence; diff --git a/drivers/gpu/drm/nouveau/nouveau_bios.c b/drivers/gpu/drm/nouveau/nouveau_bios.c -index 50a6dd0..ea66ed8 100644 +index 6aa2137..fe8dc55 100644 --- a/drivers/gpu/drm/nouveau/nouveau_bios.c +++ b/drivers/gpu/drm/nouveau/nouveau_bios.c @@ -965,7 +965,7 @@ static int parse_bit_tmds_tbl_entry(struct drm_device *dev, struct nvbios *bios, @@ -35919,10 +37870,10 @@ index 50a6dd0..ea66ed8 100644 #define BIT_TABLE(id, funcid) ((struct bit_table){ id, parse_bit_##funcid##_tbl_entry }) diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.h b/drivers/gpu/drm/nouveau/nouveau_drm.h -index 9c39baf..30a22be 100644 +index f2b30f8..d0f9a95 100644 --- a/drivers/gpu/drm/nouveau/nouveau_drm.h +++ b/drivers/gpu/drm/nouveau/nouveau_drm.h -@@ -81,7 +81,7 @@ struct nouveau_drm { +@@ -92,7 +92,7 @@ struct nouveau_drm { struct drm_global_reference mem_global_ref; struct ttm_bo_global_ref bo_global_ref; struct ttm_bo_device bdev; @@ -35979,6 +37930,71 @@ index 25d3495..d81aaf6 100644 spin_unlock(&dev->count_lock); return can_switch; } +diff --git a/drivers/gpu/drm/qxl/qxl_ttm.c b/drivers/gpu/drm/qxl/qxl_ttm.c +index 489cb8c..0b8d0d3 100644 +--- a/drivers/gpu/drm/qxl/qxl_ttm.c ++++ b/drivers/gpu/drm/qxl/qxl_ttm.c +@@ -103,7 +103,7 @@ static void qxl_ttm_global_fini(struct qxl_device *qdev) + } + } + +-static struct vm_operations_struct qxl_ttm_vm_ops; ++static vm_operations_struct_no_const qxl_ttm_vm_ops __read_only; + static const struct vm_operations_struct *ttm_vm_ops; + + static int qxl_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf) +@@ -147,8 +147,10 @@ int qxl_mmap(struct file *filp, struct vm_area_struct *vma) + return r; + if (unlikely(ttm_vm_ops == NULL)) { + ttm_vm_ops = vma->vm_ops; ++ pax_open_kernel(); + qxl_ttm_vm_ops = *ttm_vm_ops; + qxl_ttm_vm_ops.fault = &qxl_ttm_fault; ++ pax_close_kernel(); + } + vma->vm_ops = &qxl_ttm_vm_ops; + return 0; +@@ -556,25 +558,23 @@ static int qxl_mm_dump_table(struct seq_file *m, void *data) + static int qxl_ttm_debugfs_init(struct qxl_device *qdev) + { + #if defined(CONFIG_DEBUG_FS) +- static struct drm_info_list qxl_mem_types_list[QXL_DEBUGFS_MEM_TYPES]; +- static char qxl_mem_types_names[QXL_DEBUGFS_MEM_TYPES][32]; +- unsigned i; ++ static struct drm_info_list qxl_mem_types_list[QXL_DEBUGFS_MEM_TYPES] = { ++ { ++ .name = "qxl_mem_mm", ++ .show = &qxl_mm_dump_table, ++ }, ++ { ++ .name = "qxl_surf_mm", ++ .show = &qxl_mm_dump_table, ++ } ++ }; + +- for (i = 0; i < QXL_DEBUGFS_MEM_TYPES; i++) { +- if (i == 0) +- sprintf(qxl_mem_types_names[i], "qxl_mem_mm"); +- else +- sprintf(qxl_mem_types_names[i], "qxl_surf_mm"); +- qxl_mem_types_list[i].name = qxl_mem_types_names[i]; +- qxl_mem_types_list[i].show = &qxl_mm_dump_table; +- qxl_mem_types_list[i].driver_features = 0; +- if (i == 0) +- qxl_mem_types_list[i].data = qdev->mman.bdev.man[TTM_PL_VRAM].priv; +- else +- qxl_mem_types_list[i].data = qdev->mman.bdev.man[TTM_PL_PRIV0].priv; ++ pax_open_kernel(); ++ *(void **)&qxl_mem_types_list[0].data = qdev->mman.bdev.man[TTM_PL_VRAM].priv; ++ *(void **)&qxl_mem_types_list[1].data = qdev->mman.bdev.man[TTM_PL_PRIV0].priv; ++ pax_close_kernel(); + +- } +- return qxl_debugfs_add_files(qdev, qxl_mem_types_list, i); ++ return qxl_debugfs_add_files(qdev, qxl_mem_types_list, QXL_DEBUGFS_MEM_TYPES); + #else + return 0; + #endif diff --git a/drivers/gpu/drm/r128/r128_cce.c b/drivers/gpu/drm/r128/r128_cce.c index d4660cf..70dbe65 100644 --- a/drivers/gpu/drm/r128/r128_cce.c @@ -36109,10 +38125,10 @@ index 5a82b6b..9e69c73 100644 if (regcomp (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) { diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c -index 5073665..31d15a6 100644 +index b0dc0b6..a9bfe9c 100644 --- a/drivers/gpu/drm/radeon/radeon_device.c +++ b/drivers/gpu/drm/radeon/radeon_device.c -@@ -976,7 +976,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev) +@@ -1014,7 +1014,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev) bool can_switch; spin_lock(&dev->count_lock); @@ -36225,7 +38241,7 @@ index 4d20910..6726b6d 100644 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID); diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c -index 6c0ce89..66f6d65 100644 +index 6c0ce89..57a2529 100644 --- a/drivers/gpu/drm/radeon/radeon_ttm.c +++ b/drivers/gpu/drm/radeon/radeon_ttm.c @@ -782,7 +782,7 @@ void radeon_ttm_set_active_vram_size(struct radeon_device *rdev, u64 size) @@ -36248,59 +38264,74 @@ index 6c0ce89..66f6d65 100644 } vma->vm_ops = &radeon_ttm_vm_ops; return 0; -@@ -862,28 +864,33 @@ static int radeon_ttm_debugfs_init(struct radeon_device *rdev) - sprintf(radeon_mem_types_names[i], "radeon_vram_mm"); - else - sprintf(radeon_mem_types_names[i], "radeon_gtt_mm"); +@@ -853,38 +855,33 @@ static int radeon_mm_dump_table(struct seq_file *m, void *data) + static int radeon_ttm_debugfs_init(struct radeon_device *rdev) + { + #if defined(CONFIG_DEBUG_FS) +- static struct drm_info_list radeon_mem_types_list[RADEON_DEBUGFS_MEM_TYPES+2]; +- static char radeon_mem_types_names[RADEON_DEBUGFS_MEM_TYPES+2][32]; ++ static struct drm_info_list radeon_mem_types_list[RADEON_DEBUGFS_MEM_TYPES+2] = { ++ { ++ .name = "radeon_vram_mm", ++ .show = &radeon_mm_dump_table, ++ }, ++ { ++ .name = "radeon_gtt_mm", ++ .show = &radeon_mm_dump_table, ++ }, ++ { ++ .name = "ttm_page_pool", ++ .show = &ttm_page_alloc_debugfs, ++ }, ++ { ++ .name = "ttm_dma_page_pool", ++ .show = &ttm_dma_page_alloc_debugfs, ++ }, ++ }; + unsigned i; + +- for (i = 0; i < RADEON_DEBUGFS_MEM_TYPES; i++) { +- if (i == 0) +- sprintf(radeon_mem_types_names[i], "radeon_vram_mm"); +- else +- sprintf(radeon_mem_types_names[i], "radeon_gtt_mm"); - radeon_mem_types_list[i].name = radeon_mem_types_names[i]; - radeon_mem_types_list[i].show = &radeon_mm_dump_table; - radeon_mem_types_list[i].driver_features = 0; -+ pax_open_kernel(); -+ *(const char **)&radeon_mem_types_list[i].name = radeon_mem_types_names[i]; -+ *(void **)&radeon_mem_types_list[i].show = &radeon_mm_dump_table; -+ *(u32 *)&radeon_mem_types_list[i].driver_features = 0; - if (i == 0) +- if (i == 0) - radeon_mem_types_list[i].data = rdev->mman.bdev.man[TTM_PL_VRAM].priv; -+ *(void **)&radeon_mem_types_list[i].data = rdev->mman.bdev.man[TTM_PL_VRAM].priv; - else +- else - radeon_mem_types_list[i].data = rdev->mman.bdev.man[TTM_PL_TT].priv; - -+ *(void **)&radeon_mem_types_list[i].data = rdev->mman.bdev.man[TTM_PL_TT].priv; -+ pax_close_kernel(); - } - /* Add ttm page pool to debugfs */ - sprintf(radeon_mem_types_names[i], "ttm_page_pool"); +- } +- /* Add ttm page pool to debugfs */ +- sprintf(radeon_mem_types_names[i], "ttm_page_pool"); - radeon_mem_types_list[i].name = radeon_mem_types_names[i]; - radeon_mem_types_list[i].show = &ttm_page_alloc_debugfs; - radeon_mem_types_list[i].driver_features = 0; - radeon_mem_types_list[i++].data = NULL; + pax_open_kernel(); -+ *(const char **)&radeon_mem_types_list[i].name = radeon_mem_types_names[i]; -+ *(void **)&radeon_mem_types_list[i].show = &ttm_page_alloc_debugfs; -+ *(u32 *)&radeon_mem_types_list[i].driver_features = 0; -+ *(void **)&radeon_mem_types_list[i++].data = NULL; ++ *(void **)&radeon_mem_types_list[0].data = rdev->mman.bdev.man[TTM_PL_VRAM].priv; ++ *(void **)&radeon_mem_types_list[1].data = rdev->mman.bdev.man[TTM_PL_TT].priv; + pax_close_kernel(); #ifdef CONFIG_SWIOTLB - if (swiotlb_nr_tbl()) { - sprintf(radeon_mem_types_names[i], "ttm_dma_page_pool"); +- if (swiotlb_nr_tbl()) { +- sprintf(radeon_mem_types_names[i], "ttm_dma_page_pool"); - radeon_mem_types_list[i].name = radeon_mem_types_names[i]; - radeon_mem_types_list[i].show = &ttm_dma_page_alloc_debugfs; - radeon_mem_types_list[i].driver_features = 0; - radeon_mem_types_list[i++].data = NULL; -+ pax_open_kernel(); -+ *(const char **)&radeon_mem_types_list[i].name = radeon_mem_types_names[i]; -+ *(void **)&radeon_mem_types_list[i].show = &ttm_dma_page_alloc_debugfs; -+ *(u32 *)&radeon_mem_types_list[i].driver_features = 0; -+ *(void **)&radeon_mem_types_list[i++].data = NULL; -+ pax_close_kernel(); - } +- } ++ if (swiotlb_nr_tbl()) ++ i++; #endif return radeon_debugfs_add_files(rdev, radeon_mem_types_list, i); + diff --git a/drivers/gpu/drm/radeon/rs690.c b/drivers/gpu/drm/radeon/rs690.c -index fad6633..4ff94de 100644 +index 55880d5..9e95342 100644 --- a/drivers/gpu/drm/radeon/rs690.c +++ b/drivers/gpu/drm/radeon/rs690.c -@@ -304,9 +304,11 @@ static void rs690_crtc_bandwidth_compute(struct radeon_device *rdev, +@@ -327,9 +327,11 @@ static void rs690_crtc_bandwidth_compute(struct radeon_device *rdev, if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full && rdev->pm.sideport_bandwidth.full) rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth; @@ -36352,7 +38383,7 @@ index bd2a3b4..122d9ad 100644 int shrink_pages = sc->nr_to_scan; diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c -index 9f4be3d..cbc9fcc 100644 +index dc0c065..58a0782 100644 --- a/drivers/gpu/drm/udl/udl_fb.c +++ b/drivers/gpu/drm/udl/udl_fb.c @@ -367,7 +367,6 @@ static int udl_fb_release(struct fb_info *info, int user) @@ -36569,11 +38600,24 @@ index 8a8725c2..afed796 100644 else { marker = list_first_entry(&queue->head, struct vmw_marker, head); +diff --git a/drivers/gpu/host1x/drm/dc.c b/drivers/gpu/host1x/drm/dc.c +index 8c04943..4370ed9 100644 +--- a/drivers/gpu/host1x/drm/dc.c ++++ b/drivers/gpu/host1x/drm/dc.c +@@ -999,7 +999,7 @@ static int tegra_dc_debugfs_init(struct tegra_dc *dc, struct drm_minor *minor) + } + + for (i = 0; i < ARRAY_SIZE(debugfs_files); i++) +- dc->debugfs_files[i].data = dc; ++ *(void **)&dc->debugfs_files[i].data = dc; + + err = drm_debugfs_create_files(dc->debugfs_files, + ARRAY_SIZE(debugfs_files), diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index e6dbf09..3dd2540 100644 +index 402f486..f862d7e 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c -@@ -2268,7 +2268,7 @@ EXPORT_SYMBOL_GPL(hid_ignore); +@@ -2275,7 +2275,7 @@ EXPORT_SYMBOL_GPL(hid_ignore); int hid_add_device(struct hid_device *hdev) { @@ -36582,7 +38626,7 @@ index e6dbf09..3dd2540 100644 int ret; if (WARN_ON(hdev->status & HID_STAT_ADDED)) -@@ -2302,7 +2302,7 @@ int hid_add_device(struct hid_device *hdev) +@@ -2309,7 +2309,7 @@ int hid_add_device(struct hid_device *hdev) /* XXX hack, any other cleaner solution after the driver core * is converted to allow more than 20 bytes as the device name? */ dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus, @@ -36620,7 +38664,7 @@ index 0b122f8..b1d8160 100644 ret = create_gpadl_header(kbuffer, size, &msginfo, &msgcount); if (ret) diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c -index 7311589..861e9ef 100644 +index ae49237..380d4c9 100644 --- a/drivers/hv/hv.c +++ b/drivers/hv/hv.c @@ -112,7 +112,7 @@ static u64 do_hypercall(u64 control, void *input, void *output) @@ -36685,7 +38729,7 @@ index 6351aba..dc4aaf4 100644 int res = 0; diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c -index b41baff..4953e4d 100644 +index 62c2e32..8f2859a 100644 --- a/drivers/hwmon/applesmc.c +++ b/drivers/hwmon/applesmc.c @@ -1084,7 +1084,7 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num) @@ -36726,10 +38770,10 @@ index b25c643..a13460d 100644 { sysfs_attr_init(&attr->attr); diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c -index 3f1e297..a6cafb5 100644 +index 658ce3a..0d0c2f3 100644 --- a/drivers/hwmon/coretemp.c +++ b/drivers/hwmon/coretemp.c -@@ -791,7 +791,7 @@ static int __cpuinit coretemp_cpu_callback(struct notifier_block *nfb, +@@ -790,7 +790,7 @@ static int __cpuinit coretemp_cpu_callback(struct notifier_block *nfb, return NOTIFY_OK; } @@ -36739,10 +38783,10 @@ index 3f1e297..a6cafb5 100644 }; diff --git a/drivers/hwmon/ibmaem.c b/drivers/hwmon/ibmaem.c -index a14f634..2916ee2 100644 +index 1429f6e..ee03d59 100644 --- a/drivers/hwmon/ibmaem.c +++ b/drivers/hwmon/ibmaem.c -@@ -925,7 +925,7 @@ static int aem_register_sensors(struct aem_data *data, +@@ -926,7 +926,7 @@ static int aem_register_sensors(struct aem_data *data, struct aem_rw_sensor_template *rw) { struct device *dev = &data->pdev->dev; @@ -36751,6 +38795,19 @@ index a14f634..2916ee2 100644 int err; /* Set up read-only sensors */ +diff --git a/drivers/hwmon/iio_hwmon.c b/drivers/hwmon/iio_hwmon.c +index 52b77af..aed1ddf 100644 +--- a/drivers/hwmon/iio_hwmon.c ++++ b/drivers/hwmon/iio_hwmon.c +@@ -73,7 +73,7 @@ static int iio_hwmon_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; + struct iio_hwmon_state *st; +- struct sensor_device_attribute *a; ++ sensor_device_attribute_no_const *a; + int ret, i; + int in_i = 1, temp_i = 1, curr_i = 1; + enum iio_chan_type type; diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c index 9add6092..ee7ba3f 100644 --- a/drivers/hwmon/pmbus/pmbus_core.c @@ -36866,7 +38923,7 @@ index 76f157b..9c0db1b 100644 }; diff --git a/drivers/i2c/busses/i2c-amd756-s4882.c b/drivers/i2c/busses/i2c-amd756-s4882.c -index 378fcb5..5e91fa8 100644 +index 07f01ac..d79ad3d 100644 --- a/drivers/i2c/busses/i2c-amd756-s4882.c +++ b/drivers/i2c/busses/i2c-amd756-s4882.c @@ -43,7 +43,7 @@ @@ -36879,7 +38936,7 @@ index 378fcb5..5e91fa8 100644 /* Wrapper access functions for multiplexed SMBus */ static DEFINE_MUTEX(amd756_lock); diff --git a/drivers/i2c/busses/i2c-nforce2-s4985.c b/drivers/i2c/busses/i2c-nforce2-s4985.c -index 29015eb..af2d8e9 100644 +index 2ca268d..c6acbdf 100644 --- a/drivers/i2c/busses/i2c-nforce2-s4985.c +++ b/drivers/i2c/busses/i2c-nforce2-s4985.c @@ -41,7 +41,7 @@ @@ -36905,7 +38962,7 @@ index c3ccdea..5b3dc1a 100644 if (IS_ERR(rdwr_pa[i].buf)) { res = PTR_ERR(rdwr_pa[i].buf); diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c -index 8126824..55a2798 100644 +index 2ff6204..218c16e 100644 --- a/drivers/ide/ide-cd.c +++ b/drivers/ide/ide-cd.c @@ -768,7 +768,7 @@ static void cdrom_do_block_pc(ide_drive_t *drive, struct request *rq) @@ -36918,7 +38975,7 @@ index 8126824..55a2798 100644 } } diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c -index 8848f16..f8e6dd8 100644 +index e145931..08bfc59 100644 --- a/drivers/iio/industrialio-core.c +++ b/drivers/iio/industrialio-core.c @@ -506,7 +506,7 @@ static ssize_t iio_write_channel_info(struct device *dev, @@ -37145,10 +39202,10 @@ index 9f5ad7c..588cd84 100644 } } diff --git a/drivers/infiniband/hw/cxgb4/mem.c b/drivers/infiniband/hw/cxgb4/mem.c -index 903a92d..9262548 100644 +index 4cb8eb2..146bf60 100644 --- a/drivers/infiniband/hw/cxgb4/mem.c +++ b/drivers/infiniband/hw/cxgb4/mem.c -@@ -122,7 +122,7 @@ static int write_tpt_entry(struct c4iw_rdev *rdev, u32 reset_tpt_entry, +@@ -249,7 +249,7 @@ static int write_tpt_entry(struct c4iw_rdev *rdev, u32 reset_tpt_entry, int err; struct fw_ri_tpte tpt; u32 stag_idx; @@ -37157,7 +39214,7 @@ index 903a92d..9262548 100644 if (c4iw_fatal_error(rdev)) return -EIO; -@@ -139,7 +139,7 @@ static int write_tpt_entry(struct c4iw_rdev *rdev, u32 reset_tpt_entry, +@@ -266,7 +266,7 @@ static int write_tpt_entry(struct c4iw_rdev *rdev, u32 reset_tpt_entry, if (rdev->stats.stag.cur > rdev->stats.stag.max) rdev->stats.stag.max = rdev->stats.stag.cur; mutex_unlock(&rdev->stats.lock); @@ -37561,7 +39618,7 @@ index 4166452..fc952c3 100644 } diff --git a/drivers/infiniband/hw/nes/nes_nic.c b/drivers/infiniband/hw/nes/nes_nic.c -index 85cf4d1..05d8e71 100644 +index 49eb511..a774366 100644 --- a/drivers/infiniband/hw/nes/nes_nic.c +++ b/drivers/infiniband/hw/nes/nes_nic.c @@ -1273,39 +1273,39 @@ static void nes_netdev_get_ethtool_stats(struct net_device *netdev, @@ -37797,10 +39854,10 @@ index 25fc597..558bf3b3 100644 serio->dev.release = serio_release_port; serio->dev.groups = serio_device_attr_groups; diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c -index b972d43..8943713 100644 +index d8f98b1..f62a640 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c -@@ -554,7 +554,7 @@ static struct notifier_block iommu_bus_nb = { +@@ -583,7 +583,7 @@ static struct notifier_block iommu_bus_nb = { static void iommu_bus_init(struct bus_type *bus, struct iommu_ops *ops) { bus_register_notifier(bus, &iommu_bus_nb); @@ -37840,10 +39897,10 @@ index dcfea4e..f4226b2 100644 bool setup_remapped_irq(int irq, struct irq_cfg *cfg, struct irq_chip *chip) diff --git a/drivers/irqchip/irq-gic.c b/drivers/irqchip/irq-gic.c -index fc6aebf..762c5f5 100644 +index 19ceaa6..3625818 100644 --- a/drivers/irqchip/irq-gic.c +++ b/drivers/irqchip/irq-gic.c -@@ -83,7 +83,7 @@ static u8 gic_cpu_map[NR_GIC_CPU_IF] __read_mostly; +@@ -84,7 +84,7 @@ static u8 gic_cpu_map[NR_GIC_CPU_IF] __read_mostly; * Supported arch specific GIC irq extension. * Default make them NULL. */ @@ -37852,7 +39909,7 @@ index fc6aebf..762c5f5 100644 .irq_eoi = NULL, .irq_mask = NULL, .irq_unmask = NULL, -@@ -332,7 +332,7 @@ static void gic_handle_cascade_irq(unsigned int irq, struct irq_desc *desc) +@@ -333,7 +333,7 @@ static void gic_handle_cascade_irq(unsigned int irq, struct irq_desc *desc) chained_irq_exit(chip, desc); } @@ -37862,7 +39919,7 @@ index fc6aebf..762c5f5 100644 .irq_mask = gic_mask_irq, .irq_unmask = gic_unmask_irq, diff --git a/drivers/isdn/capi/capi.c b/drivers/isdn/capi/capi.c -index 89562a8..218999b 100644 +index ac6f72b..81150f2 100644 --- a/drivers/isdn/capi/capi.c +++ b/drivers/isdn/capi/capi.c @@ -81,8 +81,8 @@ struct capiminor { @@ -37902,39 +39959,8 @@ index 89562a8..218999b 100644 capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */ capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */ capimsg_setu16(skb->data, 16, len); /* Data length */ -diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c -index 9b1b274..c123709 100644 ---- a/drivers/isdn/capi/kcapi.c -+++ b/drivers/isdn/capi/kcapi.c -@@ -93,7 +93,7 @@ capi_ctr_put(struct capi_ctr *ctr) - - static inline struct capi_ctr *get_capi_ctr_by_nr(u16 contr) - { -- if (contr - 1 >= CAPI_MAXCONTR) -+ if (contr < 1 || contr - 1 >= CAPI_MAXCONTR) - return NULL; - - return capi_controller[contr - 1]; -@@ -103,7 +103,7 @@ static inline struct capi20_appl *__get_capi_appl_by_nr(u16 applid) - { - lockdep_assert_held(&capi_controller_lock); - -- if (applid - 1 >= CAPI_MAXAPPL) -+ if (applid < 1 || applid - 1 >= CAPI_MAXAPPL) - return NULL; - - return capi_applications[applid - 1]; -@@ -111,7 +111,7 @@ static inline struct capi20_appl *__get_capi_appl_by_nr(u16 applid) - - static inline struct capi20_appl *get_capi_appl_by_nr(u16 applid) - { -- if (applid - 1 >= CAPI_MAXAPPL) -+ if (applid < 1 || applid - 1 >= CAPI_MAXAPPL) - return NULL; - - return rcu_dereference(capi_applications[applid - 1]); diff --git a/drivers/isdn/gigaset/interface.c b/drivers/isdn/gigaset/interface.c -index e2b5396..c5486dc 100644 +index 600c79b..3752bab 100644 --- a/drivers/isdn/gigaset/interface.c +++ b/drivers/isdn/gigaset/interface.c @@ -130,9 +130,9 @@ static int if_open(struct tty_struct *tty, struct file *filp) @@ -37962,7 +39988,7 @@ index e2b5396..c5486dc 100644 mutex_unlock(&cs->mutex); diff --git a/drivers/isdn/hardware/avm/b1.c b/drivers/isdn/hardware/avm/b1.c -index 821f7ac..28d4030 100644 +index 4d9b195..455075c 100644 --- a/drivers/isdn/hardware/avm/b1.c +++ b/drivers/isdn/hardware/avm/b1.c @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capiloaddatapart *t4file) @@ -37984,10 +40010,10 @@ index 821f7ac..28d4030 100644 } else { memcpy(buf, dp, left); diff --git a/drivers/isdn/i4l/isdn_tty.c b/drivers/isdn/i4l/isdn_tty.c -index ebaebdf..acd4405 100644 +index 3c5f249..5fac4d0 100644 --- a/drivers/isdn/i4l/isdn_tty.c +++ b/drivers/isdn/i4l/isdn_tty.c -@@ -1511,9 +1511,9 @@ isdn_tty_open(struct tty_struct *tty, struct file *filp) +@@ -1508,9 +1508,9 @@ isdn_tty_open(struct tty_struct *tty, struct file *filp) #ifdef ISDN_DEBUG_MODEM_OPEN printk(KERN_DEBUG "isdn_tty_open %s, count = %d\n", tty->name, @@ -37999,7 +40025,7 @@ index ebaebdf..acd4405 100644 port->tty = tty; /* * Start up serial port -@@ -1557,7 +1557,7 @@ isdn_tty_close(struct tty_struct *tty, struct file *filp) +@@ -1554,7 +1554,7 @@ isdn_tty_close(struct tty_struct *tty, struct file *filp) #endif return; } @@ -38008,7 +40034,7 @@ index ebaebdf..acd4405 100644 /* * Uh, oh. tty->count is 1, which means that the tty * structure will be freed. Info->count should always -@@ -1566,15 +1566,15 @@ isdn_tty_close(struct tty_struct *tty, struct file *filp) +@@ -1563,15 +1563,15 @@ isdn_tty_close(struct tty_struct *tty, struct file *filp) * serial port won't be shutdown. */ printk(KERN_ERR "isdn_tty_close: bad port count; tty->count is 1, " @@ -38030,7 +40056,7 @@ index ebaebdf..acd4405 100644 #ifdef ISDN_DEBUG_MODEM_OPEN printk(KERN_DEBUG "isdn_tty_close after info->count != 0\n"); #endif -@@ -1628,7 +1628,7 @@ isdn_tty_hangup(struct tty_struct *tty) +@@ -1625,7 +1625,7 @@ isdn_tty_hangup(struct tty_struct *tty) if (isdn_tty_paranoia_check(info, tty->name, "isdn_tty_hangup")) return; isdn_tty_shutdown(info); @@ -38039,7 +40065,7 @@ index ebaebdf..acd4405 100644 port->flags &= ~ASYNC_NORMAL_ACTIVE; port->tty = NULL; wake_up_interruptible(&port->open_wait); -@@ -1973,7 +1973,7 @@ isdn_tty_find_icall(int di, int ch, setup_parm *setup) +@@ -1970,7 +1970,7 @@ isdn_tty_find_icall(int di, int ch, setup_parm *setup) for (i = 0; i < ISDN_MAX_CHANNELS; i++) { modem_info *info = &dev->mdm.info[i]; @@ -38088,28 +40114,28 @@ index 64e204e..c6bf189 100644 .callback = ss4200_led_dmi_callback, .ident = "Intel SS4200-E", diff --git a/drivers/lguest/core.c b/drivers/lguest/core.c -index a5ebc00..3de3364 100644 +index 0bf1e4e..b4bf44e 100644 --- a/drivers/lguest/core.c +++ b/drivers/lguest/core.c -@@ -92,9 +92,17 @@ static __init int map_switcher(void) - * it's worked so far. The end address needs +1 because __get_vm_area - * allocates an extra guard page, so we need space for that. +@@ -97,9 +97,17 @@ static __init int map_switcher(void) + * The end address needs +1 because __get_vm_area allocates an + * extra guard page, so we need space for that. */ + +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE, -+ VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR ++ VM_ALLOC | VM_KERNEXEC, switcher_addr, switcher_addr + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE); +#else switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE, - VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR + VM_ALLOC, switcher_addr, switcher_addr + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE); +#endif + if (!switcher_vma) { err = -ENOMEM; printk("lguest: could not map switcher pages high\n"); -@@ -119,7 +127,7 @@ static __init int map_switcher(void) +@@ -124,7 +132,7 @@ static __init int map_switcher(void) * Now the Switcher is mapped at the right address, we can't fail! * Copy in the compiled-in Switcher code (from x86/switcher_32.S). */ @@ -38119,10 +40145,10 @@ index a5ebc00..3de3364 100644 printk(KERN_INFO "lguest: mapped switcher at %p\n", diff --git a/drivers/lguest/page_tables.c b/drivers/lguest/page_tables.c -index 3b62be16..e33134a 100644 +index 5b9ac32..2ef4f26 100644 --- a/drivers/lguest/page_tables.c +++ b/drivers/lguest/page_tables.c -@@ -532,7 +532,7 @@ void pin_page(struct lg_cpu *cpu, unsigned long vaddr) +@@ -559,7 +559,7 @@ void pin_page(struct lg_cpu *cpu, unsigned long vaddr) /*:*/ #ifdef CONFIG_X86_PAE @@ -38132,19 +40158,19 @@ index 3b62be16..e33134a 100644 /* If the entry's not present, there's nothing to release. */ if (pmd_flags(*spmd) & _PAGE_PRESENT) { diff --git a/drivers/lguest/x86/core.c b/drivers/lguest/x86/core.c -index 4af12e1..0e89afe 100644 +index f0a3347..f6608b2 100644 --- a/drivers/lguest/x86/core.c +++ b/drivers/lguest/x86/core.c @@ -59,7 +59,7 @@ static struct { /* Offset from where switcher.S was compiled to where we've copied it */ static unsigned long switcher_offset(void) { -- return SWITCHER_ADDR - (unsigned long)start_switcher_text; -+ return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text); +- return switcher_addr - (unsigned long)start_switcher_text; ++ return switcher_addr - (unsigned long)ktla_ktva(start_switcher_text); } - /* This cpu's struct lguest_pages. */ -@@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg_cpu *cpu, struct lguest_pages *pages) + /* This cpu's struct lguest_pages (after the Switcher text page) */ +@@ -99,7 +99,13 @@ static void copy_in_guest_info(struct lg_cpu *cpu, struct lguest_pages *pages) * These copies are pretty cheap, so we do them unconditionally: */ /* Save the current Host top-level page directory. */ @@ -38158,7 +40184,7 @@ index 4af12e1..0e89afe 100644 /* * Set up the Guest's page tables to see this CPU's pages (and no * other CPU's pages). -@@ -476,7 +482,7 @@ void __init lguest_arch_host_init(void) +@@ -475,7 +481,7 @@ void __init lguest_arch_host_init(void) * compiled-in switcher code and the high-mapped copy we just made. */ for (i = 0; i < IDT_ENTRIES; i++) @@ -38167,7 +40193,7 @@ index 4af12e1..0e89afe 100644 /* * Set up the Switcher's per-cpu areas. -@@ -559,7 +565,7 @@ void __init lguest_arch_host_init(void) +@@ -558,7 +564,7 @@ void __init lguest_arch_host_init(void) * it will be undisturbed when we switch. To change %cs and jump we * need this structure to feed to Intel's "lcall" instruction. */ @@ -38238,8 +40264,21 @@ index 40634b0..4f5855e 100644 // Every interrupt can come to us here // But we must truly tell each apart. +diff --git a/drivers/md/bcache/closure.h b/drivers/md/bcache/closure.h +index 0003992..854bbce 100644 +--- a/drivers/md/bcache/closure.h ++++ b/drivers/md/bcache/closure.h +@@ -622,7 +622,7 @@ static inline void closure_wake_up(struct closure_waitlist *list) + static inline void set_closure_fn(struct closure *cl, closure_fn *fn, + struct workqueue_struct *wq) + { +- BUG_ON(object_is_on_stack(cl)); ++ BUG_ON(object_starts_on_stack(cl)); + closure_set_ip(cl); + cl->fn = fn; + cl->wq = wq; diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c -index 4fd9d6a..834fa03 100644 +index 5a2c754..0fa55db 100644 --- a/drivers/md/bitmap.c +++ b/drivers/md/bitmap.c @@ -1779,7 +1779,7 @@ void bitmap_status(struct seq_file *seq, struct bitmap *bitmap) @@ -38252,10 +40291,10 @@ index 4fd9d6a..834fa03 100644 seq_printf(seq, "\n"); diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c -index aa04f02..2a1309e 100644 +index 81a79b7..87a0f73 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c -@@ -1694,7 +1694,7 @@ static int validate_params(uint cmd, struct dm_ioctl *param) +@@ -1697,7 +1697,7 @@ static int validate_params(uint cmd, struct dm_ioctl *param) cmd == DM_LIST_VERSIONS_CMD) return 0; @@ -38265,7 +40304,7 @@ index aa04f02..2a1309e 100644 DMWARN("name not supplied when creating device"); return -EINVAL; diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c -index d053098..05cc375 100644 +index 699b5be..eac0a15 100644 --- a/drivers/md/dm-raid1.c +++ b/drivers/md/dm-raid1.c @@ -40,7 +40,7 @@ enum dm_raid1_error { @@ -38341,7 +40380,7 @@ index d053098..05cc375 100644 return (test_bit(DM_RAID1_FLUSH_ERROR, &(m->error_type))) ? 'F' : diff --git a/drivers/md/dm-stripe.c b/drivers/md/dm-stripe.c -index 7b8b2b9..9c7d145 100644 +index d907ca6..cfb8384 100644 --- a/drivers/md/dm-stripe.c +++ b/drivers/md/dm-stripe.c @@ -20,7 +20,7 @@ struct stripe { @@ -38396,7 +40435,7 @@ index 1ff252a..ee384c1 100644 "start=%llu, len=%llu, dev_size=%llu", dm_device_name(ti->table->md), bdevname(bdev, b), diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c -index 00cee02..b89a29d 100644 +index 60bce43..9b997d0 100644 --- a/drivers/md/dm-thin-metadata.c +++ b/drivers/md/dm-thin-metadata.c @@ -397,7 +397,7 @@ static void __setup_btree_details(struct dm_pool_metadata *pmd) @@ -38418,7 +40457,7 @@ index 00cee02..b89a29d 100644 pmd->bl_info.value_type.inc = data_block_inc; pmd->bl_info.value_type.dec = data_block_dec; diff --git a/drivers/md/dm.c b/drivers/md/dm.c -index 9a0bdad..4df9543 100644 +index 33f2010..23fb84c 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -169,9 +169,9 @@ struct mapped_device { @@ -38433,7 +40472,7 @@ index 9a0bdad..4df9543 100644 struct list_head uevent_list; spinlock_t uevent_lock; /* Protect access to uevent_list */ -@@ -1879,8 +1879,8 @@ static struct mapped_device *alloc_dev(int minor) +@@ -1884,8 +1884,8 @@ static struct mapped_device *alloc_dev(int minor) rwlock_init(&md->map_lock); atomic_set(&md->holders, 1); atomic_set(&md->open_count, 0); @@ -38444,7 +40483,7 @@ index 9a0bdad..4df9543 100644 INIT_LIST_HEAD(&md->uevent_list); spin_lock_init(&md->uevent_lock); -@@ -2028,7 +2028,7 @@ static void event_callback(void *context) +@@ -2033,7 +2033,7 @@ static void event_callback(void *context) dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj); @@ -38453,7 +40492,7 @@ index 9a0bdad..4df9543 100644 wake_up(&md->eventq); } -@@ -2685,18 +2685,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, +@@ -2690,18 +2690,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, uint32_t dm_next_uevent_seq(struct mapped_device *md) { @@ -38476,10 +40515,10 @@ index 9a0bdad..4df9543 100644 void dm_uevent_add(struct mapped_device *md, struct list_head *elist) diff --git a/drivers/md/md.c b/drivers/md/md.c -index a4a93b9..4747b63 100644 +index 51f0345..c77810e 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c -@@ -240,10 +240,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio); +@@ -234,10 +234,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio); * start build, activate spare */ static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters); @@ -38492,7 +40531,7 @@ index a4a93b9..4747b63 100644 wake_up(&md_event_waiters); } EXPORT_SYMBOL_GPL(md_new_event); -@@ -253,7 +253,7 @@ EXPORT_SYMBOL_GPL(md_new_event); +@@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(md_new_event); */ static void md_new_event_inintr(struct mddev *mddev) { @@ -38501,7 +40540,7 @@ index a4a93b9..4747b63 100644 wake_up(&md_event_waiters); } -@@ -1507,7 +1507,7 @@ static int super_1_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor_ +@@ -1501,7 +1501,7 @@ static int super_1_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor_ if ((le32_to_cpu(sb->feature_map) & MD_FEATURE_RESHAPE_ACTIVE) && (le32_to_cpu(sb->feature_map) & MD_FEATURE_NEW_OFFSET)) rdev->new_data_offset += (s32)le32_to_cpu(sb->new_offset); @@ -38510,7 +40549,7 @@ index a4a93b9..4747b63 100644 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256; bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1; -@@ -1751,7 +1751,7 @@ static void super_1_sync(struct mddev *mddev, struct md_rdev *rdev) +@@ -1745,7 +1745,7 @@ static void super_1_sync(struct mddev *mddev, struct md_rdev *rdev) else sb->resync_offset = cpu_to_le64(0); @@ -38519,7 +40558,7 @@ index a4a93b9..4747b63 100644 sb->raid_disks = cpu_to_le32(mddev->raid_disks); sb->size = cpu_to_le64(mddev->dev_sectors); -@@ -2751,7 +2751,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_show, state_store); +@@ -2750,7 +2750,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_show, state_store); static ssize_t errors_show(struct md_rdev *rdev, char *page) { @@ -38528,7 +40567,7 @@ index a4a93b9..4747b63 100644 } static ssize_t -@@ -2760,7 +2760,7 @@ errors_store(struct md_rdev *rdev, const char *buf, size_t len) +@@ -2759,7 +2759,7 @@ errors_store(struct md_rdev *rdev, const char *buf, size_t len) char *e; unsigned long n = simple_strtoul(buf, &e, 10); if (*buf && (*e == 0 || *e == '\n')) { @@ -38537,7 +40576,7 @@ index a4a93b9..4747b63 100644 return len; } return -EINVAL; -@@ -3210,8 +3210,8 @@ int md_rdev_init(struct md_rdev *rdev) +@@ -3207,8 +3207,8 @@ int md_rdev_init(struct md_rdev *rdev) rdev->sb_loaded = 0; rdev->bb_page = NULL; atomic_set(&rdev->nr_pending, 0); @@ -38548,7 +40587,7 @@ index a4a93b9..4747b63 100644 INIT_LIST_HEAD(&rdev->same_set); init_waitqueue_head(&rdev->blocked_wait); -@@ -6994,7 +6994,7 @@ static int md_seq_show(struct seq_file *seq, void *v) +@@ -7009,7 +7009,7 @@ static int md_seq_show(struct seq_file *seq, void *v) spin_unlock(&pers_lock); seq_printf(seq, "\n"); @@ -38557,7 +40596,7 @@ index a4a93b9..4747b63 100644 return 0; } if (v == (void*)2) { -@@ -7097,7 +7097,7 @@ static int md_seq_open(struct inode *inode, struct file *file) +@@ -7112,7 +7112,7 @@ static int md_seq_open(struct inode *inode, struct file *file) return error; seq = file->private_data; @@ -38566,7 +40605,7 @@ index a4a93b9..4747b63 100644 return error; } -@@ -7111,7 +7111,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait) +@@ -7126,7 +7126,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait) /* always allow read */ mask = POLLIN | POLLRDNORM; @@ -38575,7 +40614,7 @@ index a4a93b9..4747b63 100644 mask |= POLLERR | POLLPRI; return mask; } -@@ -7155,7 +7155,7 @@ static int is_mddev_idle(struct mddev *mddev, int init) +@@ -7170,7 +7170,7 @@ static int is_mddev_idle(struct mddev *mddev, int init) struct gendisk *disk = rdev->bdev->bd_contains->bd_disk; curr_events = (int)part_stat_read(&disk->part0, sectors[0]) + (int)part_stat_read(&disk->part0, sectors[1]) - @@ -38585,7 +40624,7 @@ index a4a93b9..4747b63 100644 * as sync_io is counted when a request starts, and * disk_stats is counted when it completes. diff --git a/drivers/md/md.h b/drivers/md/md.h -index d90fb1a..4174a2b 100644 +index 653f992b6..6af6c40 100644 --- a/drivers/md/md.h +++ b/drivers/md/md.h @@ -94,13 +94,13 @@ struct md_rdev { @@ -38614,22 +40653,22 @@ index d90fb1a..4174a2b 100644 struct md_personality diff --git a/drivers/md/persistent-data/dm-space-map.h b/drivers/md/persistent-data/dm-space-map.h -index 1cbfc6b..56e1dbb 100644 +index 3e6d115..ffecdeb 100644 --- a/drivers/md/persistent-data/dm-space-map.h +++ b/drivers/md/persistent-data/dm-space-map.h -@@ -60,6 +60,7 @@ struct dm_space_map { - int (*root_size)(struct dm_space_map *sm, size_t *result); - int (*copy_root)(struct dm_space_map *sm, void *copy_to_here_le, size_t len); +@@ -71,6 +71,7 @@ struct dm_space_map { + dm_sm_threshold_fn fn, + void *context); }; +typedef struct dm_space_map __no_const dm_space_map_no_const; /*----------------------------------------------------------------*/ diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c -index 7116798..c81390c 100644 +index 6f48244..7d29145 100644 --- a/drivers/md/raid1.c +++ b/drivers/md/raid1.c -@@ -1836,7 +1836,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio) +@@ -1822,7 +1822,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio) if (r1_sync_page_io(rdev, sect, s, bio->bi_io_vec[idx].bv_page, READ) != 0) @@ -38638,7 +40677,7 @@ index 7116798..c81390c 100644 } sectors -= s; sect += s; -@@ -2058,7 +2058,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk, +@@ -2049,7 +2049,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk, test_bit(In_sync, &rdev->flags)) { if (r1_sync_page_io(rdev, sect, s, conf->tmppage, READ)) { @@ -38648,10 +40687,10 @@ index 7116798..c81390c 100644 "md/raid1:%s: read error corrected " "(%d sectors at %llu on %s)\n", diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index e4ea992..d234520 100644 +index 081bb33..3c4b287 100644 --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c -@@ -1942,7 +1942,7 @@ static void end_sync_read(struct bio *bio, int error) +@@ -1940,7 +1940,7 @@ static void end_sync_read(struct bio *bio, int error) /* The write handler will notice the lack of * R10BIO_Uptodate and record any errors etc */ @@ -38660,7 +40699,7 @@ index e4ea992..d234520 100644 &conf->mirrors[d].rdev->corrected_errors); /* for reconstruct, we always reschedule after a read. -@@ -2291,7 +2291,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) +@@ -2298,7 +2298,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) { struct timespec cur_time_mon; unsigned long hours_since_last; @@ -38669,7 +40708,7 @@ index e4ea992..d234520 100644 ktime_get_ts(&cur_time_mon); -@@ -2313,9 +2313,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) +@@ -2320,9 +2320,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) * overflowing the shift of read_errors by hours_since_last. */ if (hours_since_last >= 8 * sizeof(read_errors)) @@ -38681,7 +40720,7 @@ index e4ea992..d234520 100644 } static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector, -@@ -2369,8 +2369,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 +@@ -2376,8 +2376,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 return; check_decay_read_errors(mddev, rdev); @@ -38692,7 +40731,7 @@ index e4ea992..d234520 100644 char b[BDEVNAME_SIZE]; bdevname(rdev->bdev, b); -@@ -2378,7 +2378,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 +@@ -2385,7 +2385,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 "md/raid10:%s: %s: Raid device exceeded " "read_error threshold [cur %d:max %d]\n", mdname(mddev), b, @@ -38701,7 +40740,7 @@ index e4ea992..d234520 100644 printk(KERN_NOTICE "md/raid10:%s: %s: Failing raid device\n", mdname(mddev), b); -@@ -2533,7 +2533,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 +@@ -2540,7 +2540,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 sect + choose_data_offset(r10_bio, rdev)), bdevname(rdev->bdev, b)); @@ -38711,10 +40750,10 @@ index e4ea992..d234520 100644 rdev_dec_pending(rdev, mddev); diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c -index 251ab64..ed23a18 100644 +index a35b846..e295c6d 100644 --- a/drivers/md/raid5.c +++ b/drivers/md/raid5.c -@@ -1763,21 +1763,21 @@ static void raid5_end_read_request(struct bio * bi, int error) +@@ -1764,21 +1764,21 @@ static void raid5_end_read_request(struct bio * bi, int error) mdname(conf->mddev), STRIPE_SECTORS, (unsigned long long)s, bdevname(rdev->bdev, b)); @@ -38740,7 +40779,7 @@ index 251ab64..ed23a18 100644 if (test_bit(R5_ReadRepl, &sh->dev[i].flags)) printk_ratelimited( KERN_WARNING -@@ -1805,7 +1805,7 @@ static void raid5_end_read_request(struct bio * bi, int error) +@@ -1806,7 +1806,7 @@ static void raid5_end_read_request(struct bio * bi, int error) mdname(conf->mddev), (unsigned long long)s, bdn); @@ -38776,7 +40815,7 @@ index 9b6c3bb..baeb5c7 100644 #if IS_ENABLED(CONFIG_DVB_DIB3000MB) extern struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config, diff --git a/drivers/media/pci/cx88/cx88-video.c b/drivers/media/pci/cx88/cx88-video.c -index bc78354..42c9459 100644 +index c7a9be1..683f6f8 100644 --- a/drivers/media/pci/cx88/cx88-video.c +++ b/drivers/media/pci/cx88/cx88-video.c @@ -50,9 +50,9 @@ MODULE_VERSION(CX88_VERSION); @@ -38792,22 +40831,8 @@ index bc78354..42c9459 100644 module_param_array(video_nr, int, NULL, 0444); module_param_array(vbi_nr, int, NULL, 0444); -diff --git a/drivers/media/pci/saa7134/saa7134-alsa.c b/drivers/media/pci/saa7134/saa7134-alsa.c -index 10460fd..dbcdfbf 100644 ---- a/drivers/media/pci/saa7134/saa7134-alsa.c -+++ b/drivers/media/pci/saa7134/saa7134-alsa.c -@@ -172,7 +172,9 @@ static void saa7134_irq_alsa_done(struct saa7134_dev *dev, - dprintk("irq: overrun [full=%d/%d] - Blocks in %d\n",dev->dmasound.read_count, - dev->dmasound.bufsize, dev->dmasound.blocks); - spin_unlock(&dev->slock); -+ snd_pcm_stream_lock(dev->dmasound.substream); - snd_pcm_stop(dev->dmasound.substream,SNDRV_PCM_STATE_XRUN); -+ snd_pcm_stream_unlock(dev->dmasound.substream); - return; - } - diff --git a/drivers/media/platform/omap/omap_vout.c b/drivers/media/platform/omap/omap_vout.c -index 96c4a17..1305a79 100644 +index d338b19..aae4f9e 100644 --- a/drivers/media/platform/omap/omap_vout.c +++ b/drivers/media/platform/omap/omap_vout.c @@ -63,7 +63,6 @@ enum omap_vout_channels { @@ -38818,7 +40843,7 @@ index 96c4a17..1305a79 100644 /* Variables configurable through module params*/ static u32 video1_numbuffers = 3; static u32 video2_numbuffers = 3; -@@ -1012,6 +1011,12 @@ static int omap_vout_open(struct file *file) +@@ -1015,6 +1014,12 @@ static int omap_vout_open(struct file *file) { struct videobuf_queue *q; struct omap_vout_device *vout = NULL; @@ -38831,7 +40856,7 @@ index 96c4a17..1305a79 100644 vout = video_drvdata(file); v4l2_dbg(1, debug, &vout->vid_dev->v4l2_dev, "Entering %s\n", __func__); -@@ -1029,10 +1034,6 @@ static int omap_vout_open(struct file *file) +@@ -1032,10 +1037,6 @@ static int omap_vout_open(struct file *file) vout->type = V4L2_BUF_TYPE_VIDEO_OUTPUT; q = &vout->vbq; @@ -38882,7 +40907,7 @@ index b713403..53cb5ad 100644 if (done && done != layer->shadow_buf) vb2_buffer_done(&done->vb, VB2_BUF_STATE_DONE); diff --git a/drivers/media/platform/s5p-tv/mixer_video.c b/drivers/media/platform/s5p-tv/mixer_video.c -index 82142a2..6de47e8 100644 +index ef0efdf..8c78eb6 100644 --- a/drivers/media/platform/s5p-tv/mixer_video.c +++ b/drivers/media/platform/s5p-tv/mixer_video.c @@ -209,7 +209,7 @@ static void mxr_layer_default_geo(struct mxr_layer *layer) @@ -38936,7 +40961,7 @@ index 82142a2..6de47e8 100644 /* retrieve update selection rectangle */ res.left = target->x_offset; -@@ -938,13 +938,13 @@ static int start_streaming(struct vb2_queue *vq, unsigned int count) +@@ -954,13 +954,13 @@ static int start_streaming(struct vb2_queue *vq, unsigned int count) mxr_output_get(mdev); mxr_layer_update_output(layer); @@ -38952,7 +40977,7 @@ index 82142a2..6de47e8 100644 mxr_streamer_get(mdev); return 0; -@@ -1014,7 +1014,7 @@ static int stop_streaming(struct vb2_queue *vq) +@@ -1030,7 +1030,7 @@ static int stop_streaming(struct vb2_queue *vq) spin_unlock_irqrestore(&layer->enq_slock, flags); /* disabling layer in hardware */ @@ -38961,7 +40986,7 @@ index 82142a2..6de47e8 100644 /* remove one streamer */ mxr_streamer_put(mdev); /* allow changes in output configuration */ -@@ -1053,8 +1053,8 @@ void mxr_base_layer_unregister(struct mxr_layer *layer) +@@ -1069,8 +1069,8 @@ void mxr_base_layer_unregister(struct mxr_layer *layer) void mxr_layer_release(struct mxr_layer *layer) { @@ -38972,7 +40997,7 @@ index 82142a2..6de47e8 100644 } void mxr_base_layer_release(struct mxr_layer *layer) -@@ -1080,7 +1080,7 @@ struct mxr_layer *mxr_base_layer_create(struct mxr_device *mdev, +@@ -1096,7 +1096,7 @@ struct mxr_layer *mxr_base_layer_create(struct mxr_device *mdev, layer->mdev = mdev; layer->idx = idx; @@ -38995,10 +41020,10 @@ index 3d13a63..da31bf1 100644 .buffer_set = mxr_vp_buffer_set, .stream_set = mxr_vp_stream_set, diff --git a/drivers/media/radio/radio-cadet.c b/drivers/media/radio/radio-cadet.c -index 643d80a..56bb96b 100644 +index 545c04c..a14bded 100644 --- a/drivers/media/radio/radio-cadet.c +++ b/drivers/media/radio/radio-cadet.c -@@ -302,6 +302,8 @@ static ssize_t cadet_read(struct file *file, char __user *data, size_t count, lo +@@ -324,6 +324,8 @@ static ssize_t cadet_read(struct file *file, char __user *data, size_t count, lo unsigned char readbuf[RDS_BUFFER]; int i = 0; @@ -39007,7 +41032,7 @@ index 643d80a..56bb96b 100644 mutex_lock(&dev->lock); if (dev->rdsstat == 0) cadet_start_rds(dev); -@@ -317,7 +319,7 @@ static ssize_t cadet_read(struct file *file, char __user *data, size_t count, lo +@@ -339,7 +341,7 @@ static ssize_t cadet_read(struct file *file, char __user *data, size_t count, lo while (i < count && dev->rdsin != dev->rdsout) readbuf[i++] = dev->rdsbuf[dev->rdsout++]; @@ -39030,10 +41055,10 @@ index 3940bb0..fb3952a 100644 static int dib7070_set_param_override(struct dvb_frontend *fe) { diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c -index 9578a67..31aa652 100644 +index 6e237b6..dc25556 100644 --- a/drivers/media/usb/dvb-usb/dw2102.c +++ b/drivers/media/usb/dvb-usb/dw2102.c -@@ -115,7 +115,7 @@ struct su3000_state { +@@ -118,7 +118,7 @@ struct su3000_state { struct s6x0_state { int (*old_set_voltage)(struct dvb_frontend *f, fe_sec_voltage_t v); @@ -39043,7 +41068,7 @@ index 9578a67..31aa652 100644 /* debug */ static int dvb_usb_dw2102_debug; diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c -index 7157af3..139e91a 100644 +index f129551..ecf6514 100644 --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c @@ -326,7 +326,7 @@ struct v4l2_buffer32 { @@ -39074,40 +41099,10 @@ index 7157af3..139e91a 100644 return 0; } diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c -index aa6e7c7..cb5de87 100644 +index 7658586..1079260 100644 --- a/drivers/media/v4l2-core/v4l2-ioctl.c +++ b/drivers/media/v4l2-core/v4l2-ioctl.c -@@ -236,7 +236,7 @@ static void v4l_print_format(const void *arg, bool write_only) - const struct v4l2_vbi_format *vbi; - const struct v4l2_sliced_vbi_format *sliced; - const struct v4l2_window *win; -- const struct v4l2_clip *clip; -+ const struct v4l2_clip __user *pclip; - unsigned i; - - pr_cont("type=%s", prt_names(p->type, v4l2_type_names)); -@@ -284,12 +284,16 @@ static void v4l_print_format(const void *arg, bool write_only) - win->w.left, win->w.top, - prt_names(win->field, v4l2_field_names), - win->chromakey, win->bitmap, win->global_alpha); -- clip = win->clips; -+ pclip = win->clips; - for (i = 0; i < win->clipcount; i++) { -+ struct v4l2_clip clip; -+ -+ if (copy_from_user(&clip, pclip, sizeof clip)) -+ break; - printk(KERN_DEBUG "clip %u: wxh=%dx%d, x,y=%d,%d\n", -- i, clip->c.width, clip->c.height, -- clip->c.left, clip->c.top); -- clip = clip->next; -+ i, clip.c.width, clip.c.height, -+ clip.c.left, clip.c.top); -+ pclip = clip.next; - } - break; - case V4L2_BUF_TYPE_VBI_CAPTURE: -@@ -1923,7 +1927,8 @@ struct v4l2_ioctl_info { +@@ -1995,7 +1995,8 @@ struct v4l2_ioctl_info { struct file *file, void *fh, void *p); } u; void (*debug)(const void *arg, bool write_only); @@ -39117,7 +41112,7 @@ index aa6e7c7..cb5de87 100644 /* This control needs a priority check */ #define INFO_FL_PRIO (1 << 0) -@@ -2108,7 +2113,7 @@ static long __video_do_ioctl(struct file *file, +@@ -2177,7 +2178,7 @@ static long __video_do_ioctl(struct file *file, struct video_device *vfd = video_devdata(file); const struct v4l2_ioctl_ops *ops = vfd->ioctl_ops; bool write_only = false; @@ -39126,7 +41121,7 @@ index aa6e7c7..cb5de87 100644 const struct v4l2_ioctl_info *info; void *fh = file->private_data; struct v4l2_fh *vfh = NULL; -@@ -2193,7 +2198,7 @@ done: +@@ -2251,7 +2252,7 @@ done: } static int check_array_args(unsigned int cmd, void *parg, size_t *array_size, @@ -39135,7 +41130,7 @@ index aa6e7c7..cb5de87 100644 { int ret = 0; -@@ -2209,7 +2214,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size, +@@ -2267,7 +2268,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size, ret = -EINVAL; break; } @@ -39144,7 +41139,7 @@ index aa6e7c7..cb5de87 100644 *kernel_ptr = (void *)&buf->m.planes; *array_size = sizeof(struct v4l2_plane) * buf->length; ret = 1; -@@ -2244,7 +2249,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size, +@@ -2302,7 +2303,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size, ret = -EINVAL; break; } @@ -39154,7 +41149,7 @@ index aa6e7c7..cb5de87 100644 *array_size = sizeof(struct v4l2_ext_control) * ctrls->count; diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c -index fb69baa..3aeea2e 100644 +index 767ff4d..c69d259 100644 --- a/drivers/message/fusion/mptbase.c +++ b/drivers/message/fusion/mptbase.c @@ -6755,8 +6755,13 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v) @@ -39184,7 +41179,7 @@ index fb69baa..3aeea2e 100644 seq_printf(m, " {CurRepSz=%d} x {CurRepDepth=%d} = %d bytes ^= 0x%x\n", ioc->reply_sz, ioc->reply_depth, ioc->reply_sz*ioc->reply_depth, sz); diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c -index fa43c39..daeb158 100644 +index dd239bd..689c4f7 100644 --- a/drivers/message/fusion/mptsas.c +++ b/drivers/message/fusion/mptsas.c @@ -446,6 +446,23 @@ mptsas_is_end_device(struct mptsas_devinfo * attached) @@ -39236,7 +41231,7 @@ index fa43c39..daeb158 100644 mptsas_get_port(struct mptsas_phyinfo *phy_info) { diff --git a/drivers/message/fusion/mptscsih.c b/drivers/message/fusion/mptscsih.c -index 164afa7..b6b2e74 100644 +index 727819c..ad74694 100644 --- a/drivers/message/fusion/mptscsih.c +++ b/drivers/message/fusion/mptscsih.c @@ -1271,15 +1271,16 @@ mptscsih_info(struct Scsi_Host *SChost) @@ -39265,7 +41260,7 @@ index 164afa7..b6b2e74 100644 return h->info_kbuf; } diff --git a/drivers/message/i2o/i2o_proc.c b/drivers/message/i2o/i2o_proc.c -index 8001aa6..b137580 100644 +index b7d87cd..9890039 100644 --- a/drivers/message/i2o/i2o_proc.c +++ b/drivers/message/i2o/i2o_proc.c @@ -255,12 +255,6 @@ static char *scsi_devices[] = { @@ -39522,7 +41517,7 @@ index 36f5d52..32311c3 100644 if (memcmp(before, after, BREAK_INSTR_SIZE)) { printk(KERN_CRIT "kgdbts: ERROR kgdb corrupted memory\n"); diff --git a/drivers/misc/lis3lv02d/lis3lv02d.c b/drivers/misc/lis3lv02d/lis3lv02d.c -index 4a87e5c..76bdf5c 100644 +index 4cd4a3d..b48cbc7 100644 --- a/drivers/misc/lis3lv02d/lis3lv02d.c +++ b/drivers/misc/lis3lv02d/lis3lv02d.c @@ -498,7 +498,7 @@ static irqreturn_t lis302dl_interrupt(int irq, void *data) @@ -39543,7 +41538,7 @@ index 4a87e5c..76bdf5c 100644 return 0; } -@@ -617,7 +617,7 @@ static ssize_t lis3lv02d_misc_read(struct file *file, char __user *buf, +@@ -616,7 +616,7 @@ static ssize_t lis3lv02d_misc_read(struct file *file, char __user *buf, add_wait_queue(&lis3->misc_wait, &wait); while (true) { set_current_state(TASK_INTERRUPTIBLE); @@ -39552,7 +41547,7 @@ index 4a87e5c..76bdf5c 100644 if (data) break; -@@ -658,7 +658,7 @@ static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait) +@@ -657,7 +657,7 @@ static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait) struct lis3lv02d, miscdev); poll_wait(file, &lis3->misc_wait, wait); @@ -39590,7 +41585,7 @@ index 2f30bad..c4c13d0 100644 mcs_op_statistics[op].max = nsec; } diff --git a/drivers/misc/sgi-gru/gruprocfs.c b/drivers/misc/sgi-gru/gruprocfs.c -index 950dbe9..eeef0f8 100644 +index 797d796..ae8f01e 100644 --- a/drivers/misc/sgi-gru/gruprocfs.c +++ b/drivers/misc/sgi-gru/gruprocfs.c @@ -32,9 +32,9 @@ @@ -39675,31 +41670,6 @@ index 5c3ce24..4915ccb 100644 - atomic_long_t flush_tlb_gru; - atomic_long_t flush_tlb_gru_tgh; - atomic_long_t flush_tlb_gru_zero_asid; -- -- atomic_long_t copy_gpa; -- atomic_long_t read_gpa; -- -- atomic_long_t mesq_receive; -- atomic_long_t mesq_receive_none; -- atomic_long_t mesq_send; -- atomic_long_t mesq_send_failed; -- atomic_long_t mesq_noop; -- atomic_long_t mesq_send_unexpected_error; -- atomic_long_t mesq_send_lb_overflow; -- atomic_long_t mesq_send_qlimit_reached; -- atomic_long_t mesq_send_amo_nacked; -- atomic_long_t mesq_send_put_nacked; -- atomic_long_t mesq_page_overflow; -- atomic_long_t mesq_qf_locked; -- atomic_long_t mesq_qf_noop_not_full; -- atomic_long_t mesq_qf_switch_head_failed; -- atomic_long_t mesq_qf_unexpected_error; -- atomic_long_t mesq_noop_unexpected_error; -- atomic_long_t mesq_noop_lb_overflow; -- atomic_long_t mesq_noop_qlimit_reached; -- atomic_long_t mesq_noop_amo_nacked; -- atomic_long_t mesq_noop_put_nacked; -- atomic_long_t mesq_noop_page_overflow; + atomic_long_unchecked_t vdata_alloc; + atomic_long_unchecked_t vdata_free; + atomic_long_unchecked_t gts_alloc; @@ -39751,10 +41721,33 @@ index 5c3ce24..4915ccb 100644 + atomic_long_unchecked_t flush_tlb_gru; + atomic_long_unchecked_t flush_tlb_gru_tgh; + atomic_long_unchecked_t flush_tlb_gru_zero_asid; -+ + +- atomic_long_t copy_gpa; +- atomic_long_t read_gpa; + atomic_long_unchecked_t copy_gpa; + atomic_long_unchecked_t read_gpa; -+ + +- atomic_long_t mesq_receive; +- atomic_long_t mesq_receive_none; +- atomic_long_t mesq_send; +- atomic_long_t mesq_send_failed; +- atomic_long_t mesq_noop; +- atomic_long_t mesq_send_unexpected_error; +- atomic_long_t mesq_send_lb_overflow; +- atomic_long_t mesq_send_qlimit_reached; +- atomic_long_t mesq_send_amo_nacked; +- atomic_long_t mesq_send_put_nacked; +- atomic_long_t mesq_page_overflow; +- atomic_long_t mesq_qf_locked; +- atomic_long_t mesq_qf_noop_not_full; +- atomic_long_t mesq_qf_switch_head_failed; +- atomic_long_t mesq_qf_unexpected_error; +- atomic_long_t mesq_noop_unexpected_error; +- atomic_long_t mesq_noop_lb_overflow; +- atomic_long_t mesq_noop_qlimit_reached; +- atomic_long_t mesq_noop_amo_nacked; +- atomic_long_t mesq_noop_put_nacked; +- atomic_long_t mesq_noop_page_overflow; + atomic_long_unchecked_t mesq_receive; + atomic_long_unchecked_t mesq_receive_none; + atomic_long_unchecked_t mesq_send; @@ -39869,21 +41862,21 @@ index 49f04bc..65660c2 100644 /* * dma onto stack is unsafe/nonportable, but callers to this diff --git a/drivers/mmc/host/dw_mmc.h b/drivers/mmc/host/dw_mmc.h -index 53b8fd9..615b462 100644 +index 0b74189..818358f 100644 --- a/drivers/mmc/host/dw_mmc.h +++ b/drivers/mmc/host/dw_mmc.h -@@ -205,5 +205,5 @@ struct dw_mci_drv_data { +@@ -202,5 +202,5 @@ struct dw_mci_drv_data { + void (*prepare_command)(struct dw_mci *host, u32 *cmdr); + void (*set_ios)(struct dw_mci *host, struct mmc_ios *ios); int (*parse_dt)(struct dw_mci *host); - int (*setup_bus)(struct dw_mci *host, - struct device_node *slot_np, u8 bus_width); -}; +} __do_const; #endif /* _DW_MMC_H_ */ diff --git a/drivers/mmc/host/sdhci-s3c.c b/drivers/mmc/host/sdhci-s3c.c -index 7363efe..681558e 100644 +index c6f6246..60760a8 100644 --- a/drivers/mmc/host/sdhci-s3c.c +++ b/drivers/mmc/host/sdhci-s3c.c -@@ -720,9 +720,11 @@ static int sdhci_s3c_probe(struct platform_device *pdev) +@@ -664,9 +664,11 @@ static int sdhci_s3c_probe(struct platform_device *pdev) * we can use overriding functions instead of default. */ if (host->quirks & SDHCI_QUIRK_NONSTANDARD_CLOCK) { @@ -39898,19 +41891,6 @@ index 7363efe..681558e 100644 } /* It supports additional host capabilities if needed */ -diff --git a/drivers/mtd/devices/doc2000.c b/drivers/mtd/devices/doc2000.c -index a4eb8b5..8c0628f 100644 ---- a/drivers/mtd/devices/doc2000.c -+++ b/drivers/mtd/devices/doc2000.c -@@ -753,7 +753,7 @@ static int doc_write(struct mtd_info *mtd, loff_t to, size_t len, - - /* The ECC will not be calculated correctly if less than 512 is written */ - /* DBB- -- if (len != 0x200 && eccbuf) -+ if (len != 0x200) - printk(KERN_WARNING - "ECC needs a full sector write (adr: %lx size %lx)\n", - (long) to, (long) len); diff --git a/drivers/mtd/nand/denali.c b/drivers/mtd/nand/denali.c index 0c8bb6b..6f35deb 100644 --- a/drivers/mtd/nand/denali.c @@ -39936,7 +41916,7 @@ index 51b9d6a..52af9a7 100644 #include <linux/mtd/nand.h> #include <linux/mtd/nftl.h> diff --git a/drivers/mtd/sm_ftl.c b/drivers/mtd/sm_ftl.c -index 8dd6ba5..419cc1d 100644 +index f9d5615..99dd95f 100644 --- a/drivers/mtd/sm_ftl.c +++ b/drivers/mtd/sm_ftl.c @@ -56,7 +56,7 @@ ssize_t sm_attr_show(struct device *dev, struct device_attribute *attr, @@ -39949,10 +41929,10 @@ index 8dd6ba5..419cc1d 100644 struct sm_sysfs_attribute *vendor_attribute; diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c -index dbbea0e..3f4a0b1 100644 +index f975696..4597e21 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c -@@ -4822,7 +4822,7 @@ static unsigned int bond_get_num_tx_queues(void) +@@ -4870,7 +4870,7 @@ static unsigned int bond_get_num_tx_queues(void) return tx_queues; } @@ -39961,7 +41941,7 @@ index dbbea0e..3f4a0b1 100644 .kind = "bond", .priv_size = sizeof(struct bonding), .setup = bond_setup, -@@ -4947,8 +4947,8 @@ static void __exit bonding_exit(void) +@@ -4995,8 +4995,8 @@ static void __exit bonding_exit(void) bond_destroy_debugfs(); @@ -39971,28 +41951,19 @@ index dbbea0e..3f4a0b1 100644 #ifdef CONFIG_NET_POLL_CONTROLLER /* -diff --git a/drivers/net/dummy.c b/drivers/net/dummy.c -index 42aa54a..b710c6b 100644 ---- a/drivers/net/dummy.c -+++ b/drivers/net/dummy.c -@@ -185,6 +185,8 @@ static int __init dummy_init_module(void) - - rtnl_lock(); - err = __rtnl_link_register(&dummy_link_ops); -+ if (err < 0) -+ goto out; +diff --git a/drivers/net/can/usb/peak_usb/pcan_usb.c b/drivers/net/can/usb/peak_usb/pcan_usb.c +index 25723d8..925ab8e 100644 +--- a/drivers/net/can/usb/peak_usb/pcan_usb.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb.c +@@ -649,7 +649,7 @@ static int pcan_usb_decode_data(struct pcan_usb_msg_context *mc, u8 status_len) + if ((mc->ptr + rec_len) > mc->end) + goto decode_failed; - for (i = 0; i < numdummies && !err; i++) { - err = dummy_init_one(); -@@ -192,6 +194,8 @@ static int __init dummy_init_module(void) +- memcpy(cf->data, mc->ptr, rec_len); ++ memcpy(cf->data, mc->ptr, cf->can_dlc); + mc->ptr += rec_len; } - if (err < 0) - __rtnl_link_unregister(&dummy_link_ops); -+ -+out: - rtnl_unlock(); - return err; diff --git a/drivers/net/ethernet/8390/ax88796.c b/drivers/net/ethernet/8390/ax88796.c index e1d2643..7f4133b 100644 --- a/drivers/net/ethernet/8390/ax88796.c @@ -40010,117 +41981,11 @@ index e1d2643..7f4133b 100644 } if (!request_mem_region(mem->start, mem_size, pdev->name)) { -diff --git a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c -index ac25f05..35c9d1a 100644 ---- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c -+++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c -@@ -1667,8 +1667,8 @@ check_sum: - return 0; - } - --static void atl1e_tx_map(struct atl1e_adapter *adapter, -- struct sk_buff *skb, struct atl1e_tpd_desc *tpd) -+static int atl1e_tx_map(struct atl1e_adapter *adapter, -+ struct sk_buff *skb, struct atl1e_tpd_desc *tpd) - { - struct atl1e_tpd_desc *use_tpd = NULL; - struct atl1e_tx_buffer *tx_buffer = NULL; -@@ -1679,6 +1679,8 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter, - u16 nr_frags; - u16 f; - int segment; -+ int ring_start = adapter->tx_ring.next_to_use; -+ int ring_end; - - nr_frags = skb_shinfo(skb)->nr_frags; - segment = (tpd->word3 >> TPD_SEGMENT_EN_SHIFT) & TPD_SEGMENT_EN_MASK; -@@ -1691,6 +1693,9 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter, - tx_buffer->length = map_len; - tx_buffer->dma = pci_map_single(adapter->pdev, - skb->data, hdr_len, PCI_DMA_TODEVICE); -+ if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) -+ return -ENOSPC; -+ - ATL1E_SET_PCIMAP_TYPE(tx_buffer, ATL1E_TX_PCIMAP_SINGLE); - mapped_len += map_len; - use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma); -@@ -1717,6 +1722,22 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter, - tx_buffer->dma = - pci_map_single(adapter->pdev, skb->data + mapped_len, - map_len, PCI_DMA_TODEVICE); -+ -+ if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) { -+ /* We need to unwind the mappings we've done */ -+ ring_end = adapter->tx_ring.next_to_use; -+ adapter->tx_ring.next_to_use = ring_start; -+ while (adapter->tx_ring.next_to_use != ring_end) { -+ tpd = atl1e_get_tpd(adapter); -+ tx_buffer = atl1e_get_tx_buffer(adapter, tpd); -+ pci_unmap_single(adapter->pdev, tx_buffer->dma, -+ tx_buffer->length, PCI_DMA_TODEVICE); -+ } -+ /* Reset the tx rings next pointer */ -+ adapter->tx_ring.next_to_use = ring_start; -+ return -ENOSPC; -+ } -+ - ATL1E_SET_PCIMAP_TYPE(tx_buffer, ATL1E_TX_PCIMAP_SINGLE); - mapped_len += map_len; - use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma); -@@ -1752,6 +1773,23 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter, - (i * MAX_TX_BUF_LEN), - tx_buffer->length, - DMA_TO_DEVICE); -+ -+ if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) { -+ /* We need to unwind the mappings we've done */ -+ ring_end = adapter->tx_ring.next_to_use; -+ adapter->tx_ring.next_to_use = ring_start; -+ while (adapter->tx_ring.next_to_use != ring_end) { -+ tpd = atl1e_get_tpd(adapter); -+ tx_buffer = atl1e_get_tx_buffer(adapter, tpd); -+ dma_unmap_page(&adapter->pdev->dev, tx_buffer->dma, -+ tx_buffer->length, DMA_TO_DEVICE); -+ } -+ -+ /* Reset the ring next to use pointer */ -+ adapter->tx_ring.next_to_use = ring_start; -+ return -ENOSPC; -+ } -+ - ATL1E_SET_PCIMAP_TYPE(tx_buffer, ATL1E_TX_PCIMAP_PAGE); - use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma); - use_tpd->word2 = (use_tpd->word2 & (~TPD_BUFLEN_MASK)) | -@@ -1769,6 +1807,7 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter, - /* The last buffer info contain the skb address, - so it will be free after unmap */ - tx_buffer->skb = skb; -+ return 0; - } - - static void atl1e_tx_queue(struct atl1e_adapter *adapter, u16 count, -@@ -1836,10 +1875,15 @@ static netdev_tx_t atl1e_xmit_frame(struct sk_buff *skb, - return NETDEV_TX_OK; - } - -- atl1e_tx_map(adapter, skb, tpd); -+ if (atl1e_tx_map(adapter, skb, tpd)) { -+ dev_kfree_skb_any(skb); -+ goto out; -+ } -+ - atl1e_tx_queue(adapter, tpd_req, tpd); - - netdev->trans_start = jiffies; /* NETIF_F_LLTX driver :( */ -+out: - spin_unlock_irqrestore(&adapter->tx_lock, flags); - return NETDEV_TX_OK; - } diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h -index aee7671..3ca2651 100644 +index 151675d..0139a9d 100644 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h -@@ -1093,7 +1093,7 @@ static inline u8 bnx2x_get_path_func_num(struct bnx2x *bp) +@@ -1112,7 +1112,7 @@ static inline u8 bnx2x_get_path_func_num(struct bnx2x *bp) static inline void bnx2x_init_bp_objs(struct bnx2x *bp) { /* RX_MODE controlling object */ @@ -40130,7 +41995,7 @@ index aee7671..3ca2651 100644 /* multicast configuration controlling object */ bnx2x_init_mcast_obj(bp, &bp->mcast_obj, bp->fp->cl_id, bp->fp->cid, diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c -index edfa67a..d6c52ae 100644 +index ce1a916..10b52b0 100644 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c @@ -960,6 +960,9 @@ static int bnx2x_set_dump(struct net_device *dev, struct ethtool_dump *val) @@ -40153,10 +42018,10 @@ index edfa67a..d6c52ae 100644 * cause false alarms by reading never written registers. We * will re-enable parity attentions right after the dump. diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c -index c50696b..cf96f52 100644 +index b4c9dea..2a9927f 100644 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c -@@ -11394,6 +11394,8 @@ static int bnx2x_init_bp(struct bnx2x *bp) +@@ -11497,6 +11497,8 @@ static int bnx2x_init_bp(struct bnx2x *bp) bp->min_msix_vec_cnt = 2; BNX2X_DEV_INFO("bp->min_msix_vec_cnt %d", bp->min_msix_vec_cnt); @@ -40166,10 +42031,10 @@ index c50696b..cf96f52 100644 } diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c -index 7306416..5fb7fb5 100644 +index 32a9609..0b1c53a 100644 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c -@@ -2381,15 +2381,14 @@ int bnx2x_config_rx_mode(struct bnx2x *bp, +@@ -2387,15 +2387,14 @@ int bnx2x_config_rx_mode(struct bnx2x *bp, return rc; } @@ -40191,10 +42056,10 @@ index 7306416..5fb7fb5 100644 } diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h -index ff90760..08d8aed 100644 +index 43c00bc..dd1d03d 100644 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h -@@ -1306,8 +1306,7 @@ int bnx2x_vlan_mac_move(struct bnx2x *bp, +@@ -1321,8 +1321,7 @@ int bnx2x_vlan_mac_move(struct bnx2x *bp, /********************* RX MODE ****************/ @@ -40205,7 +42070,7 @@ index ff90760..08d8aed 100644 /** * bnx2x_config_rx_mode - Send and RX_MODE ramrod according to the provided parameters. diff --git a/drivers/net/ethernet/broadcom/tg3.h b/drivers/net/ethernet/broadcom/tg3.h -index 25309bf..fcfd54c 100644 +index ff6e30e..87e8452 100644 --- a/drivers/net/ethernet/broadcom/tg3.h +++ b/drivers/net/ethernet/broadcom/tg3.h @@ -147,6 +147,7 @@ @@ -40216,24 +42081,11 @@ index 25309bf..fcfd54c 100644 #define CHIPREV_ID_5750_C2 0x4202 #define CHIPREV_ID_5752_A0_HW 0x5000 #define CHIPREV_ID_5752_A0 0x6000 -diff --git a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c -index 6e8bc9d..94d957d 100644 ---- a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c -+++ b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c -@@ -244,7 +244,7 @@ bnad_debugfs_lseek(struct file *file, loff_t offset, int orig) - file->f_pos += offset; - break; - case 2: -- file->f_pos = debug->buffer_len - offset; -+ file->f_pos = debug->buffer_len + offset; - break; - default: - return -EINVAL; diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c -index 2b5e621..32187b8 100644 +index 71497e8..b650951 100644 --- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c -@@ -3036,7 +3036,9 @@ static void t3_io_resume(struct pci_dev *pdev) +@@ -3037,7 +3037,9 @@ static void t3_io_resume(struct pci_dev *pdev) CH_ALERT(adapter, "adapter recovering, PEX ERR 0x%x\n", t3_read_reg(adapter, A_PCIE_PEX_ERR)); @@ -40279,10 +42131,10 @@ index 4c83003..2a2a5b9 100644 break; } diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c -index 2886c9b..db71673 100644 +index 6e43426..1bd8365 100644 --- a/drivers/net/ethernet/emulex/benet/be_main.c +++ b/drivers/net/ethernet/emulex/benet/be_main.c -@@ -455,7 +455,7 @@ static void accumulate_16bit_val(u32 *acc, u16 val) +@@ -469,7 +469,7 @@ static void accumulate_16bit_val(u32 *acc, u16 val) if (wrapped) newacc += 65536; @@ -40290,9 +42142,9 @@ index 2886c9b..db71673 100644 + ACCESS_ONCE_RW(*acc) = newacc; } - void be_parse_stats(struct be_adapter *adapter) + void populate_erx_stats(struct be_adapter *adapter, diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c -index 7c361d1..57e3ff1 100644 +index 21b85fb..b49e5fc 100644 --- a/drivers/net/ethernet/faraday/ftgmac100.c +++ b/drivers/net/ethernet/faraday/ftgmac100.c @@ -31,6 +31,8 @@ @@ -40305,7 +42157,7 @@ index 7c361d1..57e3ff1 100644 #include "ftgmac100.h" diff --git a/drivers/net/ethernet/faraday/ftmac100.c b/drivers/net/ethernet/faraday/ftmac100.c -index b5ea8fb..bd25e9a 100644 +index a6eda8d..935d273 100644 --- a/drivers/net/ethernet/faraday/ftmac100.c +++ b/drivers/net/ethernet/faraday/ftmac100.c @@ -31,6 +31,8 @@ @@ -40356,11 +42208,11 @@ index fbe5363..266b4e3 100644 __vxge_hw_mempool_create(vpath->hldev, fifo->config->memblock_size, diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c -index 5c033f2..7bbb0d8 100644 +index 5e7fb1d..f8d1810 100644 --- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c +++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c -@@ -1894,7 +1894,9 @@ int qlcnic_83xx_config_default_opmode(struct qlcnic_adapter *adapter) - op_mode = QLCRDX(ahw, QLC_83XX_DRV_OP_MODE); +@@ -1948,7 +1948,9 @@ int qlcnic_83xx_config_default_opmode(struct qlcnic_adapter *adapter) + op_mode = QLC_83XX_DEFAULT_OPMODE; if (op_mode == QLC_83XX_DEFAULT_OPMODE) { - adapter->nic_ops->init_driver = qlcnic_83xx_init_default_driver; @@ -40399,11 +42251,54 @@ index b0c3de9..fc5857e 100644 } else { return -EIO; } +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c +index 6acf82b..14b097e 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c +@@ -206,10 +206,10 @@ int qlcnic_fw_cmd_set_drv_version(struct qlcnic_adapter *adapter) + if (err) { + dev_info(&adapter->pdev->dev, + "Failed to set driver version in firmware\n"); +- return -EIO; ++ err = -EIO; + } +- +- return 0; ++ qlcnic_free_mbx_args(&cmd); ++ return err; + } + + int +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c +index d3f8797..82a03d3 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c +@@ -262,7 +262,7 @@ void qlcnic_82xx_change_filter(struct qlcnic_adapter *adapter, u64 *uaddr, + + mac_req = (struct qlcnic_mac_req *)&(req->words[0]); + mac_req->op = vlan_id ? QLCNIC_MAC_VLAN_ADD : QLCNIC_MAC_ADD; +- memcpy(mac_req->mac_addr, &uaddr, ETH_ALEN); ++ memcpy(mac_req->mac_addr, uaddr, ETH_ALEN); + + vlan_req = (struct qlcnic_vlan_req *)&req->words[1]; + vlan_req->vlan_id = cpu_to_le16(vlan_id); +diff --git a/drivers/net/ethernet/realtek/8139cp.c b/drivers/net/ethernet/realtek/8139cp.c +index 887aebe..9095ff9 100644 +--- a/drivers/net/ethernet/realtek/8139cp.c ++++ b/drivers/net/ethernet/realtek/8139cp.c +@@ -524,6 +524,7 @@ rx_status_loop: + PCI_DMA_FROMDEVICE); + if (dma_mapping_error(&cp->pdev->dev, new_mapping)) { + dev->stats.rx_dropped++; ++ kfree_skb(new_skb); + goto rx_next; + } + diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c -index 54fd2ef..33c8a4f 100644 +index 393f961..d343034 100644 --- a/drivers/net/ethernet/realtek/r8169.c +++ b/drivers/net/ethernet/realtek/r8169.c -@@ -740,22 +740,22 @@ struct rtl8169_private { +@@ -753,22 +753,22 @@ struct rtl8169_private { struct mdio_ops { void (*write)(struct rtl8169_private *, int, int); int (*read)(struct rtl8169_private *, int); @@ -40430,66 +42325,11 @@ index 54fd2ef..33c8a4f 100644 int (*set_speed)(struct net_device *, u8 aneg, u16 sp, u8 dpx, u32 adv); int (*get_settings)(struct net_device *, struct ethtool_cmd *); -diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c -index 8791999..68caa85 100644 ---- a/drivers/net/ethernet/renesas/sh_eth.c -+++ b/drivers/net/ethernet/renesas/sh_eth.c -@@ -172,8 +172,9 @@ static struct sh_eth_cpu_data sh_eth_my_cpu_data = { - .rmcr_value = 0x00000001, - - .tx_check = EESR_FTC | EESR_CND | EESR_DLC | EESR_CD | EESR_RTO, -- .eesr_err_check = EESR_TWB | EESR_TABT | EESR_RABT | EESR_RDE | -- EESR_RFRMER | EESR_TFE | EESR_TDE | EESR_ECI, -+ .eesr_err_check = EESR_TWB | EESR_TABT | EESR_RABT | EESR_RFE | -+ EESR_RDE | EESR_RFRMER | EESR_TFE | EESR_TDE | -+ EESR_ECI, - .tx_error_check = EESR_TWB | EESR_TABT | EESR_TDE | EESR_TFE, - - .apr = 1, -@@ -286,9 +287,9 @@ static struct sh_eth_cpu_data sh_eth_my_cpu_data_giga = { - .eesipr_value = DMAC_M_RFRMER | DMAC_M_ECI | 0x003fffff, - - .tx_check = EESR_TC1 | EESR_FTC, -- .eesr_err_check = EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_RABT | \ -- EESR_RDE | EESR_RFRMER | EESR_TFE | EESR_TDE | \ -- EESR_ECI, -+ .eesr_err_check = EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_RABT | -+ EESR_RFE | EESR_RDE | EESR_RFRMER | EESR_TFE | -+ EESR_TDE | EESR_ECI, - .tx_error_check = EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_TDE | \ - EESR_TFE, - .fdr_value = 0x0000072f, -@@ -505,9 +506,9 @@ static struct sh_eth_cpu_data sh_eth_my_cpu_data = { - .eesipr_value = DMAC_M_RFRMER | DMAC_M_ECI | 0x003fffff, - - .tx_check = EESR_TC1 | EESR_FTC, -- .eesr_err_check = EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_RABT | \ -- EESR_RDE | EESR_RFRMER | EESR_TFE | EESR_TDE | \ -- EESR_ECI, -+ .eesr_err_check = EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_RABT | -+ EESR_RFE | EESR_RDE | EESR_RFRMER | EESR_TFE | -+ EESR_TDE | EESR_ECI, - .tx_error_check = EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_TDE | \ - EESR_TFE, - -diff --git a/drivers/net/ethernet/renesas/sh_eth.h b/drivers/net/ethernet/renesas/sh_eth.h -index 828be45..832be11 100644 ---- a/drivers/net/ethernet/renesas/sh_eth.h -+++ b/drivers/net/ethernet/renesas/sh_eth.h -@@ -472,7 +472,7 @@ enum EESR_BIT { - - #define DEFAULT_TX_CHECK (EESR_FTC | EESR_CND | EESR_DLC | EESR_CD | \ - EESR_RTO) --#define DEFAULT_EESR_ERR_CHECK (EESR_TWB | EESR_TABT | EESR_RABT | \ -+#define DEFAULT_EESR_ERR_CHECK (EESR_TWB | EESR_TABT | EESR_RABT | EESR_RFE | \ - EESR_RDE | EESR_RFRMER | EESR_ADE | \ - EESR_TFE | EESR_TDE | EESR_ECI) - #define DEFAULT_TX_ERROR_CHECK (EESR_TWB | EESR_TABT | EESR_ADE | EESR_TDE | \ diff --git a/drivers/net/ethernet/sfc/ptp.c b/drivers/net/ethernet/sfc/ptp.c -index 3f93624..cf01144 100644 +index 9a95abf..36df7f9 100644 --- a/drivers/net/ethernet/sfc/ptp.c +++ b/drivers/net/ethernet/sfc/ptp.c -@@ -553,7 +553,7 @@ static int efx_ptp_synchronize(struct efx_nic *efx, unsigned int num_readings) +@@ -535,7 +535,7 @@ static int efx_ptp_synchronize(struct efx_nic *efx, unsigned int num_readings) (u32)((u64)ptp->start.dma_addr >> 32)); /* Clear flag that signals MC ready */ @@ -40513,19 +42353,6 @@ index 50617c5..b13724c 100644 } /* To mask all all interrupts.*/ -diff --git a/drivers/net/ethernet/sun/sunvnet.c b/drivers/net/ethernet/sun/sunvnet.c -index 1df0ff3..3df5684 100644 ---- a/drivers/net/ethernet/sun/sunvnet.c -+++ b/drivers/net/ethernet/sun/sunvnet.c -@@ -1239,6 +1239,8 @@ static int vnet_port_remove(struct vio_dev *vdev) - dev_set_drvdata(&vdev->dev, NULL); - - kfree(port); -+ -+ unregister_netdev(vp->dev); - } - return 0; - } diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h index e6fe0d8..2b7d752 100644 --- a/drivers/net/hyperv/hyperv_net.h @@ -40562,10 +42389,10 @@ index 0775f0a..d4fb316 100644 /* Ignore return since this msg is optional. */ rndis_filter_send_request(dev, request); diff --git a/drivers/net/ieee802154/fakehard.c b/drivers/net/ieee802154/fakehard.c -index 8f1c256..a2991d1 100644 +index bf0d55e..82bcfbd1 100644 --- a/drivers/net/ieee802154/fakehard.c +++ b/drivers/net/ieee802154/fakehard.c -@@ -385,7 +385,7 @@ static int ieee802154fake_probe(struct platform_device *pdev) +@@ -364,7 +364,7 @@ static int ieee802154fake_probe(struct platform_device *pdev) phy->transmit_power = 0xbf; dev->netdev_ops = &fake_ops; @@ -40574,34 +42401,11 @@ index 8f1c256..a2991d1 100644 priv = netdev_priv(dev); priv->phy = phy; -diff --git a/drivers/net/ifb.c b/drivers/net/ifb.c -index 8216438..c51944d 100644 ---- a/drivers/net/ifb.c -+++ b/drivers/net/ifb.c -@@ -290,11 +290,17 @@ static int __init ifb_init_module(void) - - rtnl_lock(); - err = __rtnl_link_register(&ifb_link_ops); -+ if (err < 0) -+ goto out; - -- for (i = 0; i < numifbs && !err; i++) -+ for (i = 0; i < numifbs && !err; i++) { - err = ifb_init_one(i); -+ cond_resched(); -+ } - if (err) - __rtnl_link_unregister(&ifb_link_ops); -+ -+out: - rtnl_unlock(); - - return err; diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c -index 011062e..ada88e9 100644 +index 6e91931..2b0ebe7 100644 --- a/drivers/net/macvlan.c +++ b/drivers/net/macvlan.c -@@ -892,13 +892,15 @@ static const struct nla_policy macvlan_policy[IFLA_MACVLAN_MAX + 1] = { +@@ -905,13 +905,15 @@ static const struct nla_policy macvlan_policy[IFLA_MACVLAN_MAX + 1] = { int macvlan_link_register(struct rtnl_link_ops *ops) { /* common fields */ @@ -40624,7 +42428,7 @@ index 011062e..ada88e9 100644 return rtnl_link_register(ops); }; -@@ -954,7 +956,7 @@ static int macvlan_device_event(struct notifier_block *unused, +@@ -967,7 +969,7 @@ static int macvlan_device_event(struct notifier_block *unused, return NOTIFY_DONE; } @@ -40634,121 +42438,10 @@ index 011062e..ada88e9 100644 }; diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c -index acf6450..d880503 100644 +index 523d6b2..5e16aa1 100644 --- a/drivers/net/macvtap.c +++ b/drivers/net/macvtap.c -@@ -525,8 +525,10 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from, - return -EMSGSIZE; - num_pages = get_user_pages_fast(base, size, 0, &page[i]); - if (num_pages != size) { -- for (i = 0; i < num_pages; i++) -- put_page(page[i]); -+ int j; -+ -+ for (j = 0; j < num_pages; j++) -+ put_page(page[i + j]); - return -EFAULT; - } - truesize = size * PAGE_SIZE; -@@ -632,6 +634,28 @@ static int macvtap_skb_to_vnet_hdr(const struct sk_buff *skb, - return 0; - } - -+static unsigned long iov_pages(const struct iovec *iv, int offset, -+ unsigned long nr_segs) -+{ -+ unsigned long seg, base; -+ int pages = 0, len, size; -+ -+ while (nr_segs && (offset >= iv->iov_len)) { -+ offset -= iv->iov_len; -+ ++iv; -+ --nr_segs; -+ } -+ -+ for (seg = 0; seg < nr_segs; seg++) { -+ base = (unsigned long)iv[seg].iov_base + offset; -+ len = iv[seg].iov_len - offset; -+ size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT; -+ pages += size; -+ offset = 0; -+ } -+ -+ return pages; -+} - - /* Get packet from user space buffer */ - static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, -@@ -647,6 +671,7 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, - int copylen = 0; - bool zerocopy = false; - struct flow_keys keys; -+ size_t linear; - - if (q->flags & IFF_VNET_HDR) { - vnet_hdr_len = q->vnet_hdr_sz; -@@ -678,42 +703,35 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, - if (unlikely(count > UIO_MAXIOV)) - goto err; - -- if (m && m->msg_control && sock_flag(&q->sk, SOCK_ZEROCOPY)) -- zerocopy = true; -+ if (m && m->msg_control && sock_flag(&q->sk, SOCK_ZEROCOPY)) { -+ copylen = vnet_hdr.hdr_len ? vnet_hdr.hdr_len : GOODCOPY_LEN; -+ linear = copylen; -+ if (iov_pages(iv, vnet_hdr_len + copylen, count) -+ <= MAX_SKB_FRAGS) -+ zerocopy = true; -+ } - -- if (zerocopy) { -- /* Userspace may produce vectors with count greater than -- * MAX_SKB_FRAGS, so we need to linearize parts of the skb -- * to let the rest of data to be fit in the frags. -- */ -- if (count > MAX_SKB_FRAGS) { -- copylen = iov_length(iv, count - MAX_SKB_FRAGS); -- if (copylen < vnet_hdr_len) -- copylen = 0; -- else -- copylen -= vnet_hdr_len; -- } -- /* There are 256 bytes to be copied in skb, so there is enough -- * room for skb expand head in case it is used. -- * The rest buffer is mapped from userspace. -- */ -- if (copylen < vnet_hdr.hdr_len) -- copylen = vnet_hdr.hdr_len; -- if (!copylen) -- copylen = GOODCOPY_LEN; -- } else -+ if (!zerocopy) { - copylen = len; -+ linear = vnet_hdr.hdr_len; -+ } - - skb = macvtap_alloc_skb(&q->sk, NET_IP_ALIGN, copylen, -- vnet_hdr.hdr_len, noblock, &err); -+ linear, noblock, &err); - if (!skb) - goto err; - - if (zerocopy) - err = zerocopy_sg_from_iovec(skb, iv, vnet_hdr_len, count); -- else -+ else { - err = skb_copy_datagram_from_iovec(skb, 0, iv, vnet_hdr_len, - len); -+ if (!err && m && m->msg_control) { -+ struct ubuf_info *uarg = m->msg_control; -+ uarg->callback(uarg, false); -+ } -+ } -+ - if (err) - goto err_kfree; - -@@ -1099,7 +1117,7 @@ static int macvtap_device_event(struct notifier_block *unused, +@@ -1110,7 +1110,7 @@ static int macvtap_device_event(struct notifier_block *unused, return NOTIFY_DONE; } @@ -40805,10 +42498,10 @@ index 1252d9c..80e660b 100644 /* We've got a compressed packet; read the change byte */ diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c -index 0017b67..ab8f595 100644 +index b305105..8ead6df 100644 --- a/drivers/net/team/team.c +++ b/drivers/net/team/team.c -@@ -2668,7 +2668,7 @@ static int team_device_event(struct notifier_block *unused, +@@ -2682,7 +2682,7 @@ static int team_device_event(struct notifier_block *unused, return NOTIFY_DONE; } @@ -40818,125 +42511,32 @@ index 0017b67..ab8f595 100644 }; diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index 8ad822e..9bf0655 100644 +index 2491eb2..1a453eb 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c -@@ -1013,8 +1013,10 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from, - return -EMSGSIZE; - num_pages = get_user_pages_fast(base, size, 0, &page[i]); - if (num_pages != size) { -- for (i = 0; i < num_pages; i++) -- put_page(page[i]); -+ int j; -+ -+ for (j = 0; j < num_pages; j++) -+ put_page(page[i + j]); - return -EFAULT; - } - truesize = size * PAGE_SIZE; -@@ -1038,6 +1040,29 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from, - return 0; - } +@@ -1076,8 +1076,9 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + u32 rxhash; -+static unsigned long iov_pages(const struct iovec *iv, int offset, -+ unsigned long nr_segs) -+{ -+ unsigned long seg, base; -+ int pages = 0, len, size; -+ -+ while (nr_segs && (offset >= iv->iov_len)) { -+ offset -= iv->iov_len; -+ ++iv; -+ --nr_segs; -+ } -+ -+ for (seg = 0; seg < nr_segs; seg++) { -+ base = (unsigned long)iv[seg].iov_base + offset; -+ len = iv[seg].iov_len - offset; -+ size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT; -+ pages += size; -+ offset = 0; -+ } -+ -+ return pages; -+} -+ - /* Get packet from user space buffer */ - static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, - void *msg_control, const struct iovec *iv, -@@ -1045,7 +1070,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, - { - struct tun_pi pi = { 0, cpu_to_be16(ETH_P_IP) }; - struct sk_buff *skb; -- size_t len = total_len, align = NET_SKB_PAD; -+ size_t len = total_len, align = NET_SKB_PAD, linear; - struct virtio_net_hdr gso = { 0 }; - int offset = 0; - int copylen; -@@ -1086,34 +1111,23 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + if (!(tun->flags & TUN_NO_PI)) { +- if ((len -= sizeof(pi)) > total_len) ++ if (len < sizeof(pi)) return -EINVAL; - } ++ len -= sizeof(pi); -- if (msg_control) -- zerocopy = true; -- -- if (zerocopy) { -- /* Userspace may produce vectors with count greater than -- * MAX_SKB_FRAGS, so we need to linearize parts of the skb -- * to let the rest of data to be fit in the frags. -- */ -- if (count > MAX_SKB_FRAGS) { -- copylen = iov_length(iv, count - MAX_SKB_FRAGS); -- if (copylen < offset) -- copylen = 0; -- else -- copylen -= offset; -- } else -- copylen = 0; -- /* There are 256 bytes to be copied in skb, so there is enough -- * room for skb expand head in case it is used. -+ if (msg_control) { -+ /* There are 256 bytes to be copied in skb, so there is -+ * enough room for skb expand head in case it is used. - * The rest of the buffer is mapped from userspace. - */ -- if (copylen < gso.hdr_len) -- copylen = gso.hdr_len; -- if (!copylen) -- copylen = GOODCOPY_LEN; -- } else -+ copylen = gso.hdr_len ? gso.hdr_len : GOODCOPY_LEN; -+ linear = copylen; -+ if (iov_pages(iv, offset + copylen, count) <= MAX_SKB_FRAGS) -+ zerocopy = true; -+ } -+ -+ if (!zerocopy) { - copylen = len; -+ linear = gso.hdr_len; -+ } - -- skb = tun_alloc_skb(tfile, align, copylen, gso.hdr_len, noblock); -+ skb = tun_alloc_skb(tfile, align, copylen, linear, noblock); - if (IS_ERR(skb)) { - if (PTR_ERR(skb) != -EAGAIN) - tun->dev->stats.rx_dropped++; -@@ -1122,8 +1136,13 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + if (memcpy_fromiovecend((void *)&pi, iv, 0, sizeof(pi))) + return -EFAULT; +@@ -1085,8 +1086,9 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + } - if (zerocopy) - err = zerocopy_sg_from_iovec(skb, iv, offset, count); -- else -+ else { - err = skb_copy_datagram_from_iovec(skb, 0, iv, offset, len); -+ if (!err && msg_control) { -+ struct ubuf_info *uarg = msg_control; -+ uarg->callback(uarg, false); -+ } -+ } + if (tun->flags & TUN_VNET_HDR) { +- if ((len -= tun->vnet_hdr_sz) > total_len) ++ if (len < tun->vnet_hdr_sz) + return -EINVAL; ++ len -= tun->vnet_hdr_sz; - if (err) { - tun->dev->stats.rx_dropped++; -@@ -1859,7 +1878,7 @@ unlock: + if (memcpy_fromiovecend((void *)&gso, iv, offset, sizeof(gso))) + return -EFAULT; +@@ -1869,7 +1871,7 @@ unlock: } static long __tun_chr_ioctl(struct file *file, unsigned int cmd, @@ -40945,7 +42545,7 @@ index 8ad822e..9bf0655 100644 { struct tun_file *tfile = file->private_data; struct tun_struct *tun; -@@ -1871,6 +1890,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, +@@ -1881,6 +1883,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, int vnet_hdr_sz; int ret; @@ -40956,7 +42556,7 @@ index 8ad822e..9bf0655 100644 if (copy_from_user(&ifr, argp, ifreq_len)) return -EFAULT; diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c -index e2dd324..be92fcf 100644 +index cba1d46..f703766 100644 --- a/drivers/net/usb/hso.c +++ b/drivers/net/usb/hso.c @@ -71,7 +71,7 @@ @@ -41037,7 +42637,7 @@ index e2dd324..be92fcf 100644 /* Setup and send a ctrl req read on * port i */ if (!serial->rx_urb_filled[0]) { -@@ -3066,7 +3065,7 @@ static int hso_resume(struct usb_interface *iface) +@@ -3057,7 +3056,7 @@ static int hso_resume(struct usb_interface *iface) /* Start all serial ports */ for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) { if (serial_table[i] && (serial_table[i]->interface == iface)) { @@ -41047,10 +42647,10 @@ index e2dd324..be92fcf 100644 hso_start_serial_device(serial_table[i], GFP_NOIO); hso_kick_transmit(dev2ser(serial_table[i])); diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c -index a4fe5f1..6c9e77f 100644 +index 57325f3..36b181f 100644 --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c -@@ -1454,7 +1454,7 @@ nla_put_failure: +@@ -1579,7 +1579,7 @@ nla_put_failure: return -EMSGSIZE; } @@ -41060,7 +42660,7 @@ index a4fe5f1..6c9e77f 100644 .maxtype = IFLA_VXLAN_MAX, .policy = vxlan_policy, diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c -index 5ac5f7a..5f82012 100644 +index 34c8a33..3261fdc 100644 --- a/drivers/net/wireless/at76c50x-usb.c +++ b/drivers/net/wireless/at76c50x-usb.c @@ -353,7 +353,7 @@ static int at76_dfu_get_state(struct usb_device *udev, u8 *state) @@ -41278,10 +42878,10 @@ index 301bf72..3f5654f 100644 static u16 ar9003_calc_ptr_chksum(struct ar9003_txc *ads) diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h -index 784e81c..349e01e 100644 +index ae30343..a117806 100644 --- a/drivers/net/wireless/ath/ath9k/hw.h +++ b/drivers/net/wireless/ath/ath9k/hw.h -@@ -653,7 +653,7 @@ struct ath_hw_private_ops { +@@ -652,7 +652,7 @@ struct ath_hw_private_ops { /* ANI */ void (*ani_cache_ini_regs)(struct ath_hw *ah); @@ -41290,7 +42890,7 @@ index 784e81c..349e01e 100644 /** * struct ath_spec_scan - parameters for Atheros spectral scan -@@ -722,7 +722,7 @@ struct ath_hw_ops { +@@ -721,7 +721,7 @@ struct ath_hw_ops { struct ath_spec_scan *param); void (*spectral_scan_trigger)(struct ath_hw *ah); void (*spectral_scan_wait)(struct ath_hw *ah); @@ -41300,7 +42900,7 @@ index 784e81c..349e01e 100644 struct ath_nf_limits { s16 max; diff --git a/drivers/net/wireless/iwlegacy/3945-mac.c b/drivers/net/wireless/iwlegacy/3945-mac.c -index c353b5f..62aaca2 100644 +index b37a582..680835d 100644 --- a/drivers/net/wireless/iwlegacy/3945-mac.c +++ b/drivers/net/wireless/iwlegacy/3945-mac.c @@ -3639,7 +3639,9 @@ il3945_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) @@ -41315,7 +42915,7 @@ index c353b5f..62aaca2 100644 D_INFO("*** LOAD DRIVER ***\n"); diff --git a/drivers/net/wireless/iwlwifi/dvm/debugfs.c b/drivers/net/wireless/iwlwifi/dvm/debugfs.c -index 81d4071..f2071ea 100644 +index d532948..e0d8bb1 100644 --- a/drivers/net/wireless/iwlwifi/dvm/debugfs.c +++ b/drivers/net/wireless/iwlwifi/dvm/debugfs.c @@ -203,7 +203,7 @@ static ssize_t iwl_dbgfs_sram_write(struct file *file, @@ -41354,6 +42954,21 @@ index 81d4071..f2071ea 100644 int value; memset(buf, 0, sizeof(buf)); +@@ -698,10 +698,10 @@ DEBUGFS_READ_FILE_OPS(temperature); + DEBUGFS_READ_WRITE_FILE_OPS(sleep_level_override); + DEBUGFS_READ_FILE_OPS(current_sleep_command); + +-static const char *fmt_value = " %-30s %10u\n"; +-static const char *fmt_hex = " %-30s 0x%02X\n"; +-static const char *fmt_table = " %-30s %10u %10u %10u %10u\n"; +-static const char *fmt_header = ++static const char fmt_value[] = " %-30s %10u\n"; ++static const char fmt_hex[] = " %-30s 0x%02X\n"; ++static const char fmt_table[] = " %-30s %10u %10u %10u %10u\n"; ++static const char fmt_header[] = + "%-32s current cumulative delta max\n"; + + static int iwl_statistics_flag(struct iwl_priv *priv, char *buf, int bufsz) @@ -1871,7 +1871,7 @@ static ssize_t iwl_dbgfs_clear_ucode_statistics_write(struct file *file, { struct iwl_priv *priv = file->private_data; @@ -41417,7 +43032,7 @@ index 81d4071..f2071ea 100644 memset(buf, 0, sizeof(buf)); buf_size = min(count, sizeof(buf) - 1); -@@ -2256,7 +2256,7 @@ static ssize_t iwl_dbgfs_log_event_write(struct file *file, +@@ -2254,7 +2254,7 @@ static ssize_t iwl_dbgfs_log_event_write(struct file *file, struct iwl_priv *priv = file->private_data; u32 event_log_flag; char buf[8]; @@ -41426,7 +43041,7 @@ index 81d4071..f2071ea 100644 /* check that the interface is up */ if (!iwl_is_ready(priv)) -@@ -2310,7 +2310,7 @@ static ssize_t iwl_dbgfs_calib_disabled_write(struct file *file, +@@ -2308,7 +2308,7 @@ static ssize_t iwl_dbgfs_calib_disabled_write(struct file *file, struct iwl_priv *priv = file->private_data; char buf[8]; u32 calib_disabled; @@ -41436,10 +43051,10 @@ index 81d4071..f2071ea 100644 memset(buf, 0, sizeof(buf)); buf_size = min(count, sizeof(buf) - 1); diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c -index 12c4f31..484d948 100644 +index 50ba0a4..29424e7 100644 --- a/drivers/net/wireless/iwlwifi/pcie/trans.c +++ b/drivers/net/wireless/iwlwifi/pcie/trans.c -@@ -1328,7 +1328,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file, +@@ -1329,7 +1329,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file, struct isr_statistics *isr_stats = &trans_pcie->isr_stats; char buf[8]; @@ -41448,7 +43063,7 @@ index 12c4f31..484d948 100644 u32 reset_flag; memset(buf, 0, sizeof(buf)); -@@ -1349,7 +1349,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file, +@@ -1350,7 +1350,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file, { struct iwl_trans *trans = file->private_data; char buf[8]; @@ -41458,10 +43073,10 @@ index 12c4f31..484d948 100644 memset(buf, 0, sizeof(buf)); diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c -index 2b49f48..14fc244 100644 +index cb34c78..9fec0dc 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c -@@ -2143,25 +2143,19 @@ static int __init init_mac80211_hwsim(void) +@@ -2195,25 +2195,19 @@ static int __init init_mac80211_hwsim(void) if (channels > 1) { hwsim_if_comb.num_different_channels = channels; @@ -41500,48 +43115,8 @@ index 2b49f48..14fc244 100644 } spin_lock_init(&hwsim_radio_lock); -diff --git a/drivers/net/wireless/mwifiex/debugfs.c b/drivers/net/wireless/mwifiex/debugfs.c -index 753b568..a5f9875 100644 ---- a/drivers/net/wireless/mwifiex/debugfs.c -+++ b/drivers/net/wireless/mwifiex/debugfs.c -@@ -26,10 +26,17 @@ - static struct dentry *mwifiex_dfs_dir; - - static char *bss_modes[] = { -- "Unknown", -- "Ad-hoc", -- "Managed", -- "Auto" -+ "UNSPECIFIED", -+ "ADHOC", -+ "STATION", -+ "AP", -+ "AP_VLAN", -+ "WDS", -+ "MONITOR", -+ "MESH_POINT", -+ "P2P_CLIENT", -+ "P2P_GO", -+ "P2P_DEVICE", - }; - - /* size/addr for mwifiex_debug_info */ -@@ -200,7 +207,12 @@ mwifiex_info_read(struct file *file, char __user *ubuf, - p += sprintf(p, "driver_version = %s", fmt); - p += sprintf(p, "\nverext = %s", priv->version_str); - p += sprintf(p, "\ninterface_name=\"%s\"\n", netdev->name); -- p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]); -+ -+ if (info.bss_mode >= ARRAY_SIZE(bss_modes)) -+ p += sprintf(p, "bss_mode=\"%d\"\n", info.bss_mode); -+ else -+ p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]); -+ - p += sprintf(p, "media_state=\"%s\"\n", - (!priv->media_connected ? "Disconnected" : "Connected")); - p += sprintf(p, "mac_address=\"%pM\"\n", netdev->dev_addr); diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c -index 525fd75..6c9f791 100644 +index 8169a85..7fa3b47 100644 --- a/drivers/net/wireless/rndis_wlan.c +++ b/drivers/net/wireless/rndis_wlan.c @@ -1238,7 +1238,7 @@ static int set_rts_threshold(struct usbnet *usbdev, u32 rts_threshold) @@ -41554,10 +43129,10 @@ index 525fd75..6c9f791 100644 tmp = cpu_to_le32(rts_threshold); diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h -index 086abb4..8279c30 100644 +index 7510723..5ba37f5 100644 --- a/drivers/net/wireless/rt2x00/rt2x00.h +++ b/drivers/net/wireless/rt2x00/rt2x00.h -@@ -396,7 +396,7 @@ struct rt2x00_intf { +@@ -386,7 +386,7 @@ struct rt2x00_intf { * for hardware which doesn't support hardware * sequence counting. */ @@ -41567,10 +43142,10 @@ index 086abb4..8279c30 100644 static inline struct rt2x00_intf* vif_to_intf(struct ieee80211_vif *vif) diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c -index 4d91795..62fccff 100644 +index d955741..8730748 100644 --- a/drivers/net/wireless/rt2x00/rt2x00queue.c +++ b/drivers/net/wireless/rt2x00/rt2x00queue.c -@@ -251,9 +251,9 @@ static void rt2x00queue_create_tx_descriptor_seq(struct rt2x00_dev *rt2x00dev, +@@ -252,9 +252,9 @@ static void rt2x00queue_create_tx_descriptor_seq(struct rt2x00_dev *rt2x00dev, * sequence counter given by mac80211. */ if (test_bit(ENTRY_TXD_FIRST_FRAGMENT, &txdesc->flags)) @@ -41583,10 +43158,10 @@ index 4d91795..62fccff 100644 hdr->seq_ctrl &= cpu_to_le16(IEEE80211_SCTL_FRAG); hdr->seq_ctrl |= cpu_to_le16(seqno); diff --git a/drivers/net/wireless/ti/wl1251/sdio.c b/drivers/net/wireless/ti/wl1251/sdio.c -index e57ee48..541cf6c 100644 +index e2b3d9c..67a5184 100644 --- a/drivers/net/wireless/ti/wl1251/sdio.c +++ b/drivers/net/wireless/ti/wl1251/sdio.c -@@ -269,13 +269,17 @@ static int wl1251_sdio_probe(struct sdio_func *func, +@@ -271,13 +271,17 @@ static int wl1251_sdio_probe(struct sdio_func *func, irq_set_irq_type(wl->irq, IRQ_TYPE_EDGE_RISING); @@ -41609,7 +43184,7 @@ index e57ee48..541cf6c 100644 wl1251_info("using SDIO interrupt"); } diff --git a/drivers/net/wireless/ti/wl12xx/main.c b/drivers/net/wireless/ti/wl12xx/main.c -index 09694e3..24ccec7 100644 +index 1c627da..69f7d17 100644 --- a/drivers/net/wireless/ti/wl12xx/main.c +++ b/drivers/net/wireless/ti/wl12xx/main.c @@ -656,7 +656,9 @@ static int wl12xx_identify_chip(struct wl1271 *wl) @@ -41635,10 +43210,10 @@ index 09694e3..24ccec7 100644 wlcore_set_min_fw_ver(wl, WL127X_CHIP_VER, WL127X_IFTYPE_SR_VER, WL127X_MAJOR_SR_VER, diff --git a/drivers/net/wireless/ti/wl18xx/main.c b/drivers/net/wireless/ti/wl18xx/main.c -index da3ef1b..4790b95 100644 +index 9fa692d..b31fee0 100644 --- a/drivers/net/wireless/ti/wl18xx/main.c +++ b/drivers/net/wireless/ti/wl18xx/main.c -@@ -1664,8 +1664,10 @@ static int wl18xx_setup(struct wl1271 *wl) +@@ -1687,8 +1687,10 @@ static int wl18xx_setup(struct wl1271 *wl) } if (!checksum_param) { @@ -41811,7 +43386,7 @@ index 93404f7..4a313d8 100644 }; diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c -index 3f56bc0..707d642 100644 +index 92ed045..62d39bd7 100644 --- a/drivers/parport/procfs.c +++ b/drivers/parport/procfs.c @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *table, int write, @@ -41942,10 +43517,10 @@ index 76ba8a1..20ca857 100644 /* initialize our int15 lock */ diff --git a/drivers/pci/hotplug/pci_hotplug_core.c b/drivers/pci/hotplug/pci_hotplug_core.c -index 202f4a9..8ee47d0 100644 +index ec20f74..c1d961e 100644 --- a/drivers/pci/hotplug/pci_hotplug_core.c +++ b/drivers/pci/hotplug/pci_hotplug_core.c -@@ -448,8 +448,10 @@ int __pci_hp_register(struct hotplug_slot *slot, struct pci_bus *bus, +@@ -441,8 +441,10 @@ int __pci_hp_register(struct hotplug_slot *slot, struct pci_bus *bus, return -EINVAL; } @@ -41972,7 +43547,7 @@ index 7d72c5e..edce02c 100644 int retval = -ENOMEM; diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index 9c6e9bb..2916736 100644 +index 5b4a9d9..cd5ac1f 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -1071,7 +1071,7 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine) @@ -42003,10 +43578,10 @@ index 9c6e9bb..2916736 100644 if (!sysfs_initialized) return -EACCES; diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h -index 7346ee6..41520eb 100644 +index d1182c4..2a138ec 100644 --- a/drivers/pci/pci.h +++ b/drivers/pci/pci.h -@@ -93,7 +93,7 @@ struct pci_vpd_ops { +@@ -92,7 +92,7 @@ struct pci_vpd_ops { struct pci_vpd { unsigned int len; const struct pci_vpd_ops *ops; @@ -42014,7 +43589,7 @@ index 7346ee6..41520eb 100644 + bin_attribute_no_const *attr; /* descriptor for sysfs VPD entry */ }; - extern int pci_vpd_pci22_init(struct pci_dev *dev); + int pci_vpd_pci22_init(struct pci_dev *dev); diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c index d320df6..ca9a8f6 100644 --- a/drivers/pci/pcie/aspm.c @@ -42033,7 +43608,7 @@ index d320df6..ca9a8f6 100644 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1) diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c -index 9c8b3bd..899c8fa 100644 +index ea37072..10e58e56 100644 --- a/drivers/pci/probe.c +++ b/drivers/pci/probe.c @@ -173,7 +173,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type, @@ -42046,10 +43621,10 @@ index 9c8b3bd..899c8fa 100644 /* No printks while decoding is disabled! */ if (!dev->mmio_always_on) { diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c -index 0b00947..64f7c0a 100644 +index 0812608..b04018c4 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c -@@ -465,7 +465,16 @@ static const struct file_operations proc_bus_pci_dev_operations = { +@@ -453,7 +453,16 @@ static const struct file_operations proc_bus_pci_dev_operations = { static int __init pci_proc_init(void) { struct pci_dev *dev = NULL; @@ -42105,10 +43680,10 @@ index 6b22938..bc9700e 100644 /* disable hardware control by fn key */ diff --git a/drivers/platform/x86/sony-laptop.c b/drivers/platform/x86/sony-laptop.c -index 14d4dce..b129917 100644 +index 2ac045f..39c443d 100644 --- a/drivers/platform/x86/sony-laptop.c +++ b/drivers/platform/x86/sony-laptop.c -@@ -2465,7 +2465,7 @@ static void sony_nc_gfx_switch_cleanup(struct platform_device *pd) +@@ -2483,7 +2483,7 @@ static void sony_nc_gfx_switch_cleanup(struct platform_device *pd) } /* High speed charging function */ @@ -42118,7 +43693,7 @@ index 14d4dce..b129917 100644 static ssize_t sony_nc_highspeed_charging_store(struct device *dev, struct device_attribute *attr, diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c -index edec135..59a24a3 100644 +index 54d31c0..3f896d3 100644 --- a/drivers/platform/x86/thinkpad_acpi.c +++ b/drivers/platform/x86/thinkpad_acpi.c @@ -2093,7 +2093,7 @@ static int hotkey_mask_get(void) @@ -42332,12 +43907,12 @@ index 3e6db1c..1fbbdae 100644 /* check if the resource is reserved */ diff --git a/drivers/power/pda_power.c b/drivers/power/pda_power.c -index 7df7c5f..bd48c47 100644 +index 0c52e2a..3421ab7 100644 --- a/drivers/power/pda_power.c +++ b/drivers/power/pda_power.c @@ -37,7 +37,11 @@ static int polling; - #ifdef CONFIG_USB_OTG_UTILS + #if IS_ENABLED(CONFIG_USB_PHY) static struct usb_phy *transceiver; -static struct notifier_block otg_nb; +static int otg_handle_notification(struct notifier_block *nb, @@ -42350,7 +43925,7 @@ index 7df7c5f..bd48c47 100644 static struct regulator *ac_draw; @@ -369,7 +373,6 @@ static int pda_power_probe(struct platform_device *pdev) - #ifdef CONFIG_USB_OTG_UTILS + #if IS_ENABLED(CONFIG_USB_PHY) if (!IS_ERR_OR_NULL(transceiver) && pdata->use_otg_notifier) { - otg_nb.notifier_call = otg_handle_notification; ret = usb_register_notifier(transceiver, &otg_nb); @@ -42376,7 +43951,7 @@ index cc439fd..8fa30df 100644 #endif /* CONFIG_SYSFS */ diff --git a/drivers/power/power_supply_core.c b/drivers/power/power_supply_core.c -index 5deac43..608c5ff 100644 +index 1c517c3..ffa2f17 100644 --- a/drivers/power/power_supply_core.c +++ b/drivers/power/power_supply_core.c @@ -24,7 +24,10 @@ @@ -42389,9 +43964,9 @@ index 5deac43..608c5ff 100644 + .groups = power_supply_attr_groups, +}; - static int __power_supply_changed_work(struct device *dev, void *data) - { -@@ -393,7 +396,7 @@ static int __init power_supply_class_init(void) + static bool __power_supply_is_supplied_by(struct power_supply *supplier, + struct power_supply *supply) +@@ -554,7 +557,7 @@ static int __init power_supply_class_init(void) return PTR_ERR(power_supply_class); power_supply_class->dev_uevent = power_supply_uevent; @@ -42425,7 +44000,7 @@ index 29178f7..c65f324 100644 __power_supply_attrs[i] = &power_supply_attrs[i].attr; } diff --git a/drivers/regulator/max8660.c b/drivers/regulator/max8660.c -index 4d7c635..9860196 100644 +index d428ef9..fdc0357 100644 --- a/drivers/regulator/max8660.c +++ b/drivers/regulator/max8660.c @@ -333,8 +333,10 @@ static int max8660_probe(struct i2c_client *client, @@ -42442,7 +44017,7 @@ index 4d7c635..9860196 100644 /* diff --git a/drivers/regulator/max8973-regulator.c b/drivers/regulator/max8973-regulator.c -index 9a8ea91..c483dd9 100644 +index adb1414..c13e0ce 100644 --- a/drivers/regulator/max8973-regulator.c +++ b/drivers/regulator/max8973-regulator.c @@ -401,9 +401,11 @@ static int max8973_probe(struct i2c_client *client, @@ -42461,10 +44036,10 @@ index 9a8ea91..c483dd9 100644 max->enable_external_control = pdata->enable_ext_control; diff --git a/drivers/regulator/mc13892-regulator.c b/drivers/regulator/mc13892-regulator.c -index 9891aec..beb3083 100644 +index b716283..3cc4349 100644 --- a/drivers/regulator/mc13892-regulator.c +++ b/drivers/regulator/mc13892-regulator.c -@@ -583,10 +583,12 @@ static int mc13892_regulator_probe(struct platform_device *pdev) +@@ -582,10 +582,12 @@ static int mc13892_regulator_probe(struct platform_device *pdev) } mc13xxx_unlock(mc13892); @@ -42478,9 +44053,9 @@ index 9891aec..beb3083 100644 + pax_close_kernel(); mc13xxx_data = mc13xxx_parse_regulators_dt(pdev, mc13892_regulators, - ARRAY_SIZE(mc13892_regulators), + ARRAY_SIZE(mc13892_regulators)); diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c -index cc5bea9..689f7d9 100644 +index f1cb706..4c7832a 100644 --- a/drivers/rtc/rtc-cmos.c +++ b/drivers/rtc/rtc-cmos.c @@ -724,7 +724,9 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq) @@ -42516,10 +44091,10 @@ index d049393..bb20be0 100644 case RTC_PIE_ON: diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c -index 970a236..3613169 100644 +index b53992a..776df84 100644 --- a/drivers/rtc/rtc-ds1307.c +++ b/drivers/rtc/rtc-ds1307.c -@@ -106,7 +106,7 @@ struct ds1307 { +@@ -107,7 +107,7 @@ struct ds1307 { u8 offset; /* register's offset */ u8 regs[11]; u16 nvram_offset; @@ -42578,32 +44153,6 @@ index 23a90e7..9cf04ee 100644 /* * Queue element to wait for room in request queue. FIFO order is -diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugfs.c -index 439c012..b63d534 100644 ---- a/drivers/scsi/bfa/bfad_debugfs.c -+++ b/drivers/scsi/bfa/bfad_debugfs.c -@@ -186,7 +186,7 @@ bfad_debugfs_lseek(struct file *file, loff_t offset, int orig) - file->f_pos += offset; - break; - case 2: -- file->f_pos = debug->buffer_len - offset; -+ file->f_pos = debug->buffer_len + offset; - break; - default: - return -EINVAL; -diff --git a/drivers/scsi/fnic/fnic_debugfs.c b/drivers/scsi/fnic/fnic_debugfs.c -index adc1f7f..85e1ffd 100644 ---- a/drivers/scsi/fnic/fnic_debugfs.c -+++ b/drivers/scsi/fnic/fnic_debugfs.c -@@ -174,7 +174,7 @@ static loff_t fnic_trace_debugfs_lseek(struct file *file, - pos = file->f_pos + offset; - break; - case 2: -- pos = fnic_dbg_prt->buffer_len - offset; -+ pos = fnic_dbg_prt->buffer_len + offset; - } - return (pos < 0 || pos > fnic_dbg_prt->buffer_len) ? - -EINVAL : (file->f_pos = pos); diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c index df0c3c7..b00e1d0 100644 --- a/drivers/scsi/hosts.c @@ -42767,7 +44316,7 @@ index 9816479..c5d4e97 100644 /* queue and queue Info */ struct list_head reqQ; diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c -index c772d8d..35c362c 100644 +index 8b928c6..9c76300 100644 --- a/drivers/scsi/libfc/fc_exch.c +++ b/drivers/scsi/libfc/fc_exch.c @@ -100,12 +100,12 @@ struct fc_exch_mgr { @@ -42789,7 +44338,7 @@ index c772d8d..35c362c 100644 } stats; }; -@@ -725,7 +725,7 @@ static struct fc_exch *fc_exch_em_alloc(struct fc_lport *lport, +@@ -736,7 +736,7 @@ static struct fc_exch *fc_exch_em_alloc(struct fc_lport *lport, /* allocate memory for exchange */ ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC); if (!ep) { @@ -42798,7 +44347,7 @@ index c772d8d..35c362c 100644 goto out; } memset(ep, 0, sizeof(*ep)); -@@ -786,7 +786,7 @@ out: +@@ -797,7 +797,7 @@ out: return ep; err: spin_unlock_bh(&pool->lock); @@ -42807,7 +44356,7 @@ index c772d8d..35c362c 100644 mempool_free(ep, mp->ep_pool); return NULL; } -@@ -929,7 +929,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport, +@@ -940,7 +940,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport, xid = ntohs(fh->fh_ox_id); /* we originated exch */ ep = fc_exch_find(mp, xid); if (!ep) { @@ -42816,7 +44365,7 @@ index c772d8d..35c362c 100644 reject = FC_RJT_OX_ID; goto out; } -@@ -959,7 +959,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport, +@@ -970,7 +970,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport, ep = fc_exch_find(mp, xid); if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) { if (ep) { @@ -42825,7 +44374,7 @@ index c772d8d..35c362c 100644 reject = FC_RJT_RX_ID; goto rel; } -@@ -970,7 +970,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport, +@@ -981,7 +981,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport, } xid = ep->xid; /* get our XID */ } else if (!ep) { @@ -42834,7 +44383,7 @@ index c772d8d..35c362c 100644 reject = FC_RJT_RX_ID; /* XID not found */ goto out; } -@@ -987,7 +987,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport, +@@ -998,7 +998,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport, } else { sp = &ep->seq; if (sp->id != fh->fh_seq_id) { @@ -42843,7 +44392,7 @@ index c772d8d..35c362c 100644 if (f_ctl & FC_FC_END_SEQ) { /* * Update sequence_id based on incoming last -@@ -1437,22 +1437,22 @@ static void fc_exch_recv_seq_resp(struct fc_exch_mgr *mp, struct fc_frame *fp) +@@ -1448,22 +1448,22 @@ static void fc_exch_recv_seq_resp(struct fc_exch_mgr *mp, struct fc_frame *fp) ep = fc_exch_find(mp, ntohs(fh->fh_ox_id)); if (!ep) { @@ -42870,7 +44419,7 @@ index c772d8d..35c362c 100644 goto rel; } sof = fr_sof(fp); -@@ -1461,7 +1461,7 @@ static void fc_exch_recv_seq_resp(struct fc_exch_mgr *mp, struct fc_frame *fp) +@@ -1472,7 +1472,7 @@ static void fc_exch_recv_seq_resp(struct fc_exch_mgr *mp, struct fc_frame *fp) sp->ssb_stat |= SSB_ST_RESP; sp->id = fh->fh_seq_id; } else if (sp->id != fh->fh_seq_id) { @@ -42879,7 +44428,7 @@ index c772d8d..35c362c 100644 goto rel; } -@@ -1525,9 +1525,9 @@ static void fc_exch_recv_resp(struct fc_exch_mgr *mp, struct fc_frame *fp) +@@ -1536,9 +1536,9 @@ static void fc_exch_recv_resp(struct fc_exch_mgr *mp, struct fc_frame *fp) sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */ if (!sp) @@ -42891,7 +44440,7 @@ index c772d8d..35c362c 100644 fc_frame_free(fp); } -@@ -2174,13 +2174,13 @@ void fc_exch_update_stats(struct fc_lport *lport) +@@ -2185,13 +2185,13 @@ void fc_exch_update_stats(struct fc_lport *lport) list_for_each_entry(ema, &lport->ema_list, ema_list) { mp = ema->mp; @@ -42912,7 +44461,7 @@ index c772d8d..35c362c 100644 } EXPORT_SYMBOL(fc_exch_update_stats); diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c -index bdb81cd..d3c7c2c 100644 +index 161c98e..6d563b3 100644 --- a/drivers/scsi/libsas/sas_ata.c +++ b/drivers/scsi/libsas/sas_ata.c @@ -554,7 +554,7 @@ static struct ata_port_operations sas_sata_ops = { @@ -42925,10 +44474,10 @@ index bdb81cd..d3c7c2c 100644 .qc_issue = sas_ata_qc_issue, .qc_fill_rtf = sas_ata_qc_fill_rtf, diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h -index 7706c99..3b4fc0c 100644 +index bcc56ca..6f4174a 100644 --- a/drivers/scsi/lpfc/lpfc.h +++ b/drivers/scsi/lpfc/lpfc.h -@@ -424,7 +424,7 @@ struct lpfc_vport { +@@ -431,7 +431,7 @@ struct lpfc_vport { struct dentry *debug_nodelist; struct dentry *vport_debugfs_root; struct lpfc_debugfs_trc *disc_trc; @@ -42937,7 +44486,7 @@ index 7706c99..3b4fc0c 100644 #endif uint8_t stat_data_enabled; uint8_t stat_data_blocked; -@@ -853,8 +853,8 @@ struct lpfc_hba { +@@ -865,8 +865,8 @@ struct lpfc_hba { struct timer_list fabric_block_timer; unsigned long bit_flags; #define FABRIC_COMANDS_BLOCKED 0 @@ -42948,7 +44497,7 @@ index 7706c99..3b4fc0c 100644 unsigned long last_rsrc_error_time; unsigned long last_ramp_down_time; unsigned long last_ramp_up_time; -@@ -890,7 +890,7 @@ struct lpfc_hba { +@@ -902,7 +902,7 @@ struct lpfc_hba { struct dentry *debug_slow_ring_trc; struct lpfc_debugfs_trc *slow_ring_trc; @@ -42958,7 +44507,7 @@ index 7706c99..3b4fc0c 100644 struct dentry *idiag_root; struct dentry *idiag_pci_cfg; diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c -index f63f5ff..32549a4 100644 +index f525ecb..32549a4 100644 --- a/drivers/scsi/lpfc/lpfc_debugfs.c +++ b/drivers/scsi/lpfc/lpfc_debugfs.c @@ -106,7 +106,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_trc, @@ -43022,15 +44571,6 @@ index f63f5ff..32549a4 100644 dtp->jif = jiffies; #endif return; -@@ -1178,7 +1178,7 @@ lpfc_debugfs_lseek(struct file *file, loff_t off, int whence) - pos = file->f_pos + off; - break; - case 2: -- pos = debug->len - off; -+ pos = debug->len + off; - } - return (pos < 0 || pos > debug->len) ? -EINVAL : (file->f_pos = pos); - } @@ -4182,7 +4182,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) "slow_ring buffer\n"); goto debug_failed; @@ -43050,10 +44590,10 @@ index f63f5ff..32549a4 100644 snprintf(name, sizeof(name), "discovery_trace"); vport->debug_disc_trc = diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c -index 314b4f6..7005d10 100644 +index cb465b2..2e7b25f 100644 --- a/drivers/scsi/lpfc/lpfc_init.c +++ b/drivers/scsi/lpfc/lpfc_init.c -@@ -10551,8 +10551,10 @@ lpfc_init(void) +@@ -10950,8 +10950,10 @@ lpfc_init(void) "misc_register returned with status %d", error); if (lpfc_enable_npiv) { @@ -43067,10 +44607,10 @@ index 314b4f6..7005d10 100644 lpfc_transport_template = fc_attach_transport(&lpfc_transport_functions); diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c -index 98af07c..7625fb5 100644 +index 8523b278e..ce1d812 100644 --- a/drivers/scsi/lpfc/lpfc_scsi.c +++ b/drivers/scsi/lpfc/lpfc_scsi.c -@@ -325,7 +325,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hba *phba) +@@ -331,7 +331,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hba *phba) uint32_t evt_posted; spin_lock_irqsave(&phba->hbalock, flags); @@ -43079,7 +44619,7 @@ index 98af07c..7625fb5 100644 phba->last_rsrc_error_time = jiffies; if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) { -@@ -366,7 +366,7 @@ lpfc_rampup_queue_depth(struct lpfc_vport *vport, +@@ -372,7 +372,7 @@ lpfc_rampup_queue_depth(struct lpfc_vport *vport, unsigned long flags; struct lpfc_hba *phba = vport->phba; uint32_t evt_posted; @@ -43088,7 +44628,7 @@ index 98af07c..7625fb5 100644 if (vport->cfg_lun_queue_depth <= queue_depth) return; -@@ -410,8 +410,8 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba) +@@ -416,8 +416,8 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba) unsigned long num_rsrc_err, num_cmd_success; int i; @@ -43099,7 +44639,7 @@ index 98af07c..7625fb5 100644 /* * The error and success command counters are global per -@@ -439,8 +439,8 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba) +@@ -445,8 +445,8 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba) } } lpfc_destroy_vport_work_array(phba, vports); @@ -43110,7 +44650,7 @@ index 98af07c..7625fb5 100644 } /** -@@ -474,8 +474,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_hba *phba) +@@ -480,8 +480,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_hba *phba) } } lpfc_destroy_vport_work_array(phba, vports); @@ -43121,133 +44661,8 @@ index 98af07c..7625fb5 100644 } /** -diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c -index 9d53540..e5a5746 100644 ---- a/drivers/scsi/megaraid/megaraid_sas_base.c -+++ b/drivers/scsi/megaraid/megaraid_sas_base.c -@@ -4852,10 +4852,12 @@ megasas_mgmt_fw_ioctl(struct megasas_instance *instance, - sense, sense_handle); - } - -- for (i = 0; i < ioc->sge_count && kbuff_arr[i]; i++) { -- dma_free_coherent(&instance->pdev->dev, -- kern_sge32[i].length, -- kbuff_arr[i], kern_sge32[i].phys_addr); -+ for (i = 0; i < ioc->sge_count; i++) { -+ if (kbuff_arr[i]) -+ dma_free_coherent(&instance->pdev->dev, -+ kern_sge32[i].length, -+ kbuff_arr[i], -+ kern_sge32[i].phys_addr); - } - - megasas_return_cmd(instance, cmd); -diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c -index dcbf7c8..f8c4b85 100644 ---- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c -+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c -@@ -1273,6 +1273,7 @@ _scsih_slave_alloc(struct scsi_device *sdev) - struct MPT3SAS_DEVICE *sas_device_priv_data; - struct scsi_target *starget; - struct _raid_device *raid_device; -+ struct _sas_device *sas_device; - unsigned long flags; - - sas_device_priv_data = kzalloc(sizeof(struct scsi_device), GFP_KERNEL); -@@ -1301,6 +1302,19 @@ _scsih_slave_alloc(struct scsi_device *sdev) - spin_unlock_irqrestore(&ioc->raid_device_lock, flags); - } - -+ if (!(sas_target_priv_data->flags & MPT_TARGET_FLAGS_VOLUME)) { -+ spin_lock_irqsave(&ioc->sas_device_lock, flags); -+ sas_device = mpt3sas_scsih_sas_device_find_by_sas_address(ioc, -+ sas_target_priv_data->sas_address); -+ if (sas_device && (sas_device->starget == NULL)) { -+ sdev_printk(KERN_INFO, sdev, -+ "%s : sas_device->starget set to starget @ %d\n", -+ __func__, __LINE__); -+ sas_device->starget = starget; -+ } -+ spin_unlock_irqrestore(&ioc->sas_device_lock, flags); -+ } -+ - return 0; - } - -@@ -6392,7 +6406,7 @@ _scsih_search_responding_sas_devices(struct MPT3SAS_ADAPTER *ioc) - handle))) { - ioc_status = le16_to_cpu(mpi_reply.IOCStatus) & - MPI2_IOCSTATUS_MASK; -- if (ioc_status == MPI2_IOCSTATUS_CONFIG_INVALID_PAGE) -+ if (ioc_status != MPI2_IOCSTATUS_SUCCESS) - break; - handle = le16_to_cpu(sas_device_pg0.DevHandle); - device_info = le32_to_cpu(sas_device_pg0.DeviceInfo); -@@ -6494,7 +6508,7 @@ _scsih_search_responding_raid_devices(struct MPT3SAS_ADAPTER *ioc) - &volume_pg1, MPI2_RAID_VOLUME_PGAD_FORM_GET_NEXT_HANDLE, handle))) { - ioc_status = le16_to_cpu(mpi_reply.IOCStatus) & - MPI2_IOCSTATUS_MASK; -- if (ioc_status == MPI2_IOCSTATUS_CONFIG_INVALID_PAGE) -+ if (ioc_status != MPI2_IOCSTATUS_SUCCESS) - break; - handle = le16_to_cpu(volume_pg1.DevHandle); - -@@ -6518,7 +6532,7 @@ _scsih_search_responding_raid_devices(struct MPT3SAS_ADAPTER *ioc) - phys_disk_num))) { - ioc_status = le16_to_cpu(mpi_reply.IOCStatus) & - MPI2_IOCSTATUS_MASK; -- if (ioc_status == MPI2_IOCSTATUS_CONFIG_INVALID_PAGE) -+ if (ioc_status != MPI2_IOCSTATUS_SUCCESS) - break; - phys_disk_num = pd_pg0.PhysDiskNum; - handle = le16_to_cpu(pd_pg0.DevHandle); -@@ -6597,7 +6611,7 @@ _scsih_search_responding_expanders(struct MPT3SAS_ADAPTER *ioc) - - ioc_status = le16_to_cpu(mpi_reply.IOCStatus) & - MPI2_IOCSTATUS_MASK; -- if (ioc_status == MPI2_IOCSTATUS_CONFIG_INVALID_PAGE) -+ if (ioc_status != MPI2_IOCSTATUS_SUCCESS) - break; - - handle = le16_to_cpu(expander_pg0.DevHandle); -@@ -6742,8 +6756,6 @@ _scsih_scan_for_devices_after_reset(struct MPT3SAS_ADAPTER *ioc) - MPI2_SAS_EXPAND_PGAD_FORM_GET_NEXT_HNDL, handle))) { - ioc_status = le16_to_cpu(mpi_reply.IOCStatus) & - MPI2_IOCSTATUS_MASK; -- if (ioc_status == MPI2_IOCSTATUS_CONFIG_INVALID_PAGE) -- break; - if (ioc_status != MPI2_IOCSTATUS_SUCCESS) { - pr_info(MPT3SAS_FMT "\tbreak from expander scan: " \ - "ioc_status(0x%04x), loginfo(0x%08x)\n", -@@ -6787,8 +6799,6 @@ _scsih_scan_for_devices_after_reset(struct MPT3SAS_ADAPTER *ioc) - phys_disk_num))) { - ioc_status = le16_to_cpu(mpi_reply.IOCStatus) & - MPI2_IOCSTATUS_MASK; -- if (ioc_status == MPI2_IOCSTATUS_CONFIG_INVALID_PAGE) -- break; - if (ioc_status != MPI2_IOCSTATUS_SUCCESS) { - pr_info(MPT3SAS_FMT "\tbreak from phys disk scan: "\ - "ioc_status(0x%04x), loginfo(0x%08x)\n", -@@ -6854,8 +6864,6 @@ _scsih_scan_for_devices_after_reset(struct MPT3SAS_ADAPTER *ioc) - &volume_pg1, MPI2_RAID_VOLUME_PGAD_FORM_GET_NEXT_HANDLE, handle))) { - ioc_status = le16_to_cpu(mpi_reply.IOCStatus) & - MPI2_IOCSTATUS_MASK; -- if (ioc_status == MPI2_IOCSTATUS_CONFIG_INVALID_PAGE) -- break; - if (ioc_status != MPI2_IOCSTATUS_SUCCESS) { - pr_info(MPT3SAS_FMT "\tbreak from volume scan: " \ - "ioc_status(0x%04x), loginfo(0x%08x)\n", -@@ -6914,8 +6922,6 @@ _scsih_scan_for_devices_after_reset(struct MPT3SAS_ADAPTER *ioc) - handle))) { - ioc_status = le16_to_cpu(mpi_reply.IOCStatus) & - MPI2_IOCSTATUS_MASK; -- if (ioc_status == MPI2_IOCSTATUS_CONFIG_INVALID_PAGE) -- break; - if (ioc_status != MPI2_IOCSTATUS_SUCCESS) { - pr_info(MPT3SAS_FMT "\tbreak from end device scan:"\ - " ioc_status(0x%04x), loginfo(0x%08x)\n", diff --git a/drivers/scsi/pmcraid.c b/drivers/scsi/pmcraid.c -index b46f5e9..c4c4ccb 100644 +index 8e1b737..50ff510 100644 --- a/drivers/scsi/pmcraid.c +++ b/drivers/scsi/pmcraid.c @@ -200,8 +200,8 @@ static int pmcraid_slave_alloc(struct scsi_device *scsi_dev) @@ -43282,7 +44697,7 @@ index b46f5e9..c4c4ccb 100644 pinstance->num_hrrq; cmd->cmd_done = pmcraid_io_done; -@@ -3859,7 +3859,7 @@ static long pmcraid_ioctl_passthrough( +@@ -3846,7 +3846,7 @@ static long pmcraid_ioctl_passthrough( * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses * hrrq_id assigned here in queuecommand */ @@ -43291,7 +44706,7 @@ index b46f5e9..c4c4ccb 100644 pinstance->num_hrrq; if (request_size) { -@@ -4497,7 +4497,7 @@ static void pmcraid_worker_function(struct work_struct *workp) +@@ -4483,7 +4483,7 @@ static void pmcraid_worker_function(struct work_struct *workp) pinstance = container_of(workp, struct pmcraid_instance, worker_q); /* add resources only after host is added into system */ @@ -43300,7 +44715,7 @@ index b46f5e9..c4c4ccb 100644 return; fw_version = be16_to_cpu(pinstance->inq_data->fw_version); -@@ -5324,8 +5324,8 @@ static int pmcraid_init_instance(struct pci_dev *pdev, struct Scsi_Host *host, +@@ -5310,8 +5310,8 @@ static int pmcraid_init_instance(struct pci_dev *pdev, struct Scsi_Host *host, init_waitqueue_head(&pinstance->reset_wait_q); atomic_set(&pinstance->outstanding_cmds, 0); @@ -43311,7 +44726,7 @@ index b46f5e9..c4c4ccb 100644 INIT_LIST_HEAD(&pinstance->free_res_q); INIT_LIST_HEAD(&pinstance->used_res_q); -@@ -6038,7 +6038,7 @@ static int pmcraid_probe(struct pci_dev *pdev, +@@ -6024,7 +6024,7 @@ static int pmcraid_probe(struct pci_dev *pdev, /* Schedule worker thread to handle CCN and take care of adding and * removing devices to OS */ @@ -43354,10 +44769,10 @@ index e1d150f..6c6df44 100644 /* To indicate add/delete/modify during CCN */ u8 change_detected; diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c -index b3db9dc..c3b1756 100644 +index bf60c63..74d4dce 100644 --- a/drivers/scsi/qla2xxx/qla_attr.c +++ b/drivers/scsi/qla2xxx/qla_attr.c -@@ -1971,7 +1971,7 @@ qla24xx_vport_disable(struct fc_vport *fc_vport, bool disable) +@@ -2001,7 +2001,7 @@ qla24xx_vport_disable(struct fc_vport *fc_vport, bool disable) return 0; } @@ -43366,7 +44781,7 @@ index b3db9dc..c3b1756 100644 .show_host_node_name = 1, .show_host_port_name = 1, -@@ -2018,7 +2018,7 @@ struct fc_function_template qla2xxx_transport_functions = { +@@ -2048,7 +2048,7 @@ struct fc_function_template qla2xxx_transport_functions = { .bsg_timeout = qla24xx_bsg_timeout, }; @@ -43376,10 +44791,10 @@ index b3db9dc..c3b1756 100644 .show_host_node_name = 1, .show_host_port_name = 1, diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h -index b310fa9..b9b3944 100644 +index 026bfde..90c4018 100644 --- a/drivers/scsi/qla2xxx/qla_gbl.h +++ b/drivers/scsi/qla2xxx/qla_gbl.h -@@ -523,8 +523,8 @@ extern void qla2x00_get_sym_node_name(scsi_qla_host_t *, uint8_t *); +@@ -528,8 +528,8 @@ extern void qla2x00_get_sym_node_name(scsi_qla_host_t *, uint8_t *); struct device_attribute; extern struct device_attribute *qla2x00_host_attrs[]; struct fc_function_template; @@ -43391,10 +44806,10 @@ index b310fa9..b9b3944 100644 extern void qla2x00_free_sysfs_attr(scsi_qla_host_t *); extern void qla2x00_init_host_attr(scsi_qla_host_t *); diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c -index 2c6dd3d..e5ecd82 100644 +index ad72c1d..afc9a98 100644 --- a/drivers/scsi/qla2xxx/qla_os.c +++ b/drivers/scsi/qla2xxx/qla_os.c -@@ -1554,8 +1554,10 @@ qla2x00_config_dma_addressing(struct qla_hw_data *ha) +@@ -1571,8 +1571,10 @@ qla2x00_config_dma_addressing(struct qla_hw_data *ha) !pci_set_consistent_dma_mask(ha->pdev, DMA_BIT_MASK(64))) { /* Ok, a 64bit DMA mask is applicable. */ ha->flags.enable_64bit_addressing = 1; @@ -43408,10 +44823,10 @@ index 2c6dd3d..e5ecd82 100644 } } diff --git a/drivers/scsi/qla4xxx/ql4_def.h b/drivers/scsi/qla4xxx/ql4_def.h -index 129f5dd..ade53e8 100644 +index ddf16a8..80f4dd0 100644 --- a/drivers/scsi/qla4xxx/ql4_def.h +++ b/drivers/scsi/qla4xxx/ql4_def.h -@@ -275,7 +275,7 @@ struct ddb_entry { +@@ -291,7 +291,7 @@ struct ddb_entry { * (4000 only) */ atomic_t relogin_timer; /* Max Time to wait for * relogin to complete */ @@ -43421,10 +44836,10 @@ index 129f5dd..ade53e8 100644 uint32_t default_time2wait; /* Default Min time between * relogins (+aens) */ diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c -index 6142729..b6a85c9 100644 +index 4d231c1..2892c37 100644 --- a/drivers/scsi/qla4xxx/ql4_os.c +++ b/drivers/scsi/qla4xxx/ql4_os.c -@@ -2622,12 +2622,12 @@ static void qla4xxx_check_relogin_flash_ddb(struct iscsi_cls_session *cls_sess) +@@ -2971,12 +2971,12 @@ static void qla4xxx_check_relogin_flash_ddb(struct iscsi_cls_session *cls_sess) */ if (!iscsi_is_session_online(cls_sess)) { /* Reset retry relogin timer */ @@ -43439,7 +44854,7 @@ index 6142729..b6a85c9 100644 ddb_entry->default_time2wait + 4)); set_bit(DPC_RELOGIN_DEVICE, &ha->dpc_flags); atomic_set(&ddb_entry->retry_relogin_timer, -@@ -4742,7 +4742,7 @@ static void qla4xxx_setup_flash_ddb_entry(struct scsi_qla_host *ha, +@@ -5081,7 +5081,7 @@ static void qla4xxx_setup_flash_ddb_entry(struct scsi_qla_host *ha, atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY); atomic_set(&ddb_entry->relogin_timer, 0); @@ -43449,7 +44864,7 @@ index 6142729..b6a85c9 100644 ddb_entry->default_relogin_timeout = (def_timeout > LOGIN_TOV) && (def_timeout < LOGIN_TOV * 10) ? diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c -index 2c0d0ec..4e8681a 100644 +index eaa808e..95f8841 100644 --- a/drivers/scsi/scsi.c +++ b/drivers/scsi/scsi.c @@ -661,7 +661,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *cmd) @@ -43462,10 +44877,10 @@ index 2c0d0ec..4e8681a 100644 /* check if the device is still usable */ if (unlikely(cmd->device->sdev_state == SDEV_DEL)) { diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c -index c31187d..0ead8c3 100644 +index 86d5220..f22c51a 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c -@@ -1459,7 +1459,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q) +@@ -1458,7 +1458,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q) shost = sdev->host; scsi_init_cmd_errh(cmd); cmd->result = DID_NO_CONNECT << 16; @@ -43474,7 +44889,7 @@ index c31187d..0ead8c3 100644 /* * SCSI request completion path will do scsi_device_unbusy(), -@@ -1485,9 +1485,9 @@ static void scsi_softirq_done(struct request *rq) +@@ -1484,9 +1484,9 @@ static void scsi_softirq_done(struct request *rq) INIT_LIST_HEAD(&cmd->eh_entry); @@ -43513,10 +44928,10 @@ index 84a1fdf..693b0d6 100644 /* * TODO: need to fixup sg_tablesize, max_segment_size, diff --git a/drivers/scsi/scsi_transport_fc.c b/drivers/scsi/scsi_transport_fc.c -index e894ca7..de9d7660 100644 +index e106c27..11a380e 100644 --- a/drivers/scsi/scsi_transport_fc.c +++ b/drivers/scsi/scsi_transport_fc.c -@@ -498,7 +498,7 @@ static DECLARE_TRANSPORT_CLASS(fc_vport_class, +@@ -497,7 +497,7 @@ static DECLARE_TRANSPORT_CLASS(fc_vport_class, * Netlink Infrastructure */ @@ -43525,7 +44940,7 @@ index e894ca7..de9d7660 100644 /** * fc_get_event_number - Obtain the next sequential FC event number -@@ -511,7 +511,7 @@ static atomic_t fc_event_seq; +@@ -510,7 +510,7 @@ static atomic_t fc_event_seq; u32 fc_get_event_number(void) { @@ -43534,7 +44949,7 @@ index e894ca7..de9d7660 100644 } EXPORT_SYMBOL(fc_get_event_number); -@@ -659,7 +659,7 @@ static __init int fc_transport_init(void) +@@ -654,7 +654,7 @@ static __init int fc_transport_init(void) { int error; @@ -43543,7 +44958,7 @@ index e894ca7..de9d7660 100644 error = transport_class_register(&fc_host_class); if (error) -@@ -849,7 +849,7 @@ static int fc_str_to_dev_loss(const char *buf, unsigned long *val) +@@ -844,7 +844,7 @@ static int fc_str_to_dev_loss(const char *buf, unsigned long *val) char *cp; *val = simple_strtoul(buf, &cp, 0); @@ -43553,10 +44968,10 @@ index e894ca7..de9d7660 100644 /* * Check for overflow; dev_loss_tmo is u32 diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c -index 0a74b97..fa8d648 100644 +index 133926b..903000d 100644 --- a/drivers/scsi/scsi_transport_iscsi.c +++ b/drivers/scsi/scsi_transport_iscsi.c -@@ -79,7 +79,7 @@ struct iscsi_internal { +@@ -80,7 +80,7 @@ struct iscsi_internal { struct transport_container session_cont; }; @@ -43565,7 +44980,7 @@ index 0a74b97..fa8d648 100644 static struct workqueue_struct *iscsi_eh_timer_workq; static DEFINE_IDA(iscsi_sess_ida); -@@ -1064,7 +1064,7 @@ int iscsi_add_session(struct iscsi_cls_session *session, unsigned int target_id) +@@ -1738,7 +1738,7 @@ int iscsi_add_session(struct iscsi_cls_session *session, unsigned int target_id) int err; ihost = shost->shost_data; @@ -43574,7 +44989,7 @@ index 0a74b97..fa8d648 100644 if (target_id == ISCSI_MAX_TARGET) { id = ida_simple_get(&iscsi_sess_ida, 0, 0, GFP_KERNEL); -@@ -2955,7 +2955,7 @@ static __init int iscsi_transport_init(void) +@@ -3944,7 +3944,7 @@ static __init int iscsi_transport_init(void) printk(KERN_INFO "Loading iSCSI transport class v%s.\n", ISCSI_TRANSPORT_VERSION); @@ -43615,10 +45030,10 @@ index f379c7f..e8fc69c 100644 transport_setup_device(&rport->dev); diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c -index 0f0370f..7e076c4 100644 +index 610417e..1544fa9 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c -@@ -2929,7 +2929,7 @@ static int sd_probe(struct device *dev) +@@ -2928,7 +2928,7 @@ static int sd_probe(struct device *dev) sdkp->disk = gd; sdkp->index = index; atomic_set(&sdkp->openers, 0); @@ -43628,10 +45043,10 @@ index 0f0370f..7e076c4 100644 if (!sdp->request_queue->rq_timeout) { if (sdp->type != TYPE_MOD) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index 9f0c465..47194ee 100644 +index df5e961..df6b97f 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c -@@ -1101,7 +1101,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) +@@ -1102,7 +1102,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) sdp->disk->disk_name, MKDEV(SCSI_GENERIC_MAJOR, sdp->index), NULL, @@ -43641,10 +45056,10 @@ index 9f0c465..47194ee 100644 return blk_trace_startstop(sdp->device->request_queue, 1); case BLKTRACESTOP: diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c -index 004b10f..7c98d51 100644 +index 32b7bb1..2f1c4bd 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c -@@ -1620,7 +1620,7 @@ int spi_bus_unlock(struct spi_master *master) +@@ -1631,7 +1631,7 @@ int spi_bus_unlock(struct spi_master *master) EXPORT_SYMBOL_GPL(spi_bus_unlock); /* portable code must never pass more than 32 bytes */ @@ -43653,19 +45068,19 @@ index 004b10f..7c98d51 100644 static u8 *buf; -diff --git a/drivers/staging/iio/iio_hwmon.c b/drivers/staging/iio/iio_hwmon.c -index 93af756..a4bc5bf 100644 ---- a/drivers/staging/iio/iio_hwmon.c -+++ b/drivers/staging/iio/iio_hwmon.c -@@ -67,7 +67,7 @@ static int iio_hwmon_probe(struct platform_device *pdev) +diff --git a/drivers/staging/media/solo6x10/solo6x10-core.c b/drivers/staging/media/solo6x10/solo6x10-core.c +index 3675020..e80d92c 100644 +--- a/drivers/staging/media/solo6x10/solo6x10-core.c ++++ b/drivers/staging/media/solo6x10/solo6x10-core.c +@@ -434,7 +434,7 @@ static void solo_device_release(struct device *dev) + + static int solo_sysfs_init(struct solo_dev *solo_dev) { - struct device *dev = &pdev->dev; - struct iio_hwmon_state *st; -- struct sensor_device_attribute *a; -+ sensor_device_attribute_no_const *a; - int ret, i; - int in_i = 1, temp_i = 1, curr_i = 1; - enum iio_chan_type type; +- struct bin_attribute *sdram_attr = &solo_dev->sdram_attr; ++ bin_attribute_no_const *sdram_attr = &solo_dev->sdram_attr; + struct device *dev = &solo_dev->dev; + const char *driver; + int i; diff --git a/drivers/staging/octeon/ethernet-rx.c b/drivers/staging/octeon/ethernet-rx.c index 34afc16..ffe44dd 100644 --- a/drivers/staging/octeon/ethernet-rx.c @@ -43745,7 +45160,7 @@ index 1f5088b..0e59820 100644 return 0; diff --git a/drivers/staging/usbip/vhci.h b/drivers/staging/usbip/vhci.h -index 5dddc4d..34fcb2f 100644 +index a863a98..d272795 100644 --- a/drivers/staging/usbip/vhci.h +++ b/drivers/staging/usbip/vhci.h @@ -83,7 +83,7 @@ struct vhci_hcd { @@ -43758,7 +45173,7 @@ index 5dddc4d..34fcb2f 100644 /* * NOTE: diff --git a/drivers/staging/usbip/vhci_hcd.c b/drivers/staging/usbip/vhci_hcd.c -index f1ca084..7b5c0c3 100644 +index d7974cb..d78076b 100644 --- a/drivers/staging/usbip/vhci_hcd.c +++ b/drivers/staging/usbip/vhci_hcd.c @@ -441,7 +441,7 @@ static void vhci_tx_urb(struct urb *urb) @@ -43789,10 +45204,10 @@ index f1ca084..7b5c0c3 100644 hcd->power_budget = 0; /* no limit */ diff --git a/drivers/staging/usbip/vhci_rx.c b/drivers/staging/usbip/vhci_rx.c -index faf8e60..c46f8ab 100644 +index d07fcb5..358e1e1 100644 --- a/drivers/staging/usbip/vhci_rx.c +++ b/drivers/staging/usbip/vhci_rx.c -@@ -76,7 +76,7 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev, +@@ -80,7 +80,7 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev, if (!urb) { pr_err("cannot find a urb of seqnum %u\n", pdu->base.seqnum); pr_info("max seqnum %d\n", @@ -43802,10 +45217,10 @@ index faf8e60..c46f8ab 100644 return; } diff --git a/drivers/staging/vt6655/hostap.c b/drivers/staging/vt6655/hostap.c -index 5f13890..36a044b 100644 +index 8417c2f..ef5ebd6 100644 --- a/drivers/staging/vt6655/hostap.c +++ b/drivers/staging/vt6655/hostap.c -@@ -73,14 +73,13 @@ static int msglevel =MSG_LEVEL_INFO; +@@ -69,14 +69,13 @@ static int msglevel = MSG_LEVEL_INFO; * */ @@ -43813,17 +45228,17 @@ index 5f13890..36a044b 100644 + static int hostap_enable_hostapd(PSDevice pDevice, int rtnl_locked) { - PSDevice apdev_priv; + PSDevice apdev_priv; struct net_device *dev = pDevice->dev; int ret; - const struct net_device_ops apdev_netdev_ops = { - .ndo_start_xmit = pDevice->tx_80211, - }; - DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "%s: Enabling hostapd mode\n", dev->name); + DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "%s: Enabling hostapd mode\n", dev->name); -@@ -92,6 +91,8 @@ static int hostap_enable_hostapd(PSDevice pDevice, int rtnl_locked) - *apdev_priv = *pDevice; +@@ -88,6 +87,8 @@ static int hostap_enable_hostapd(PSDevice pDevice, int rtnl_locked) + *apdev_priv = *pDevice; memcpy(pDevice->apdev->dev_addr, dev->dev_addr, ETH_ALEN); + /* only half broken now */ @@ -43832,7 +45247,7 @@ index 5f13890..36a044b 100644 pDevice->apdev->type = ARPHRD_IEEE80211; diff --git a/drivers/staging/vt6656/hostap.c b/drivers/staging/vt6656/hostap.c -index a94e66f..31984d0 100644 +index c699a30..b90a5fd 100644 --- a/drivers/staging/vt6656/hostap.c +++ b/drivers/staging/vt6656/hostap.c @@ -60,14 +60,13 @@ static int msglevel =MSG_LEVEL_INFO; @@ -43862,10 +45277,10 @@ index a94e66f..31984d0 100644 pDevice->apdev->type = ARPHRD_IEEE80211; diff --git a/drivers/staging/zcache/tmem.c b/drivers/staging/zcache/tmem.c -index a2b7e03..9ff4bbd 100644 +index d7e51e4..d07eaab 100644 --- a/drivers/staging/zcache/tmem.c +++ b/drivers/staging/zcache/tmem.c -@@ -50,7 +50,7 @@ +@@ -51,7 +51,7 @@ * A tmem host implementation must use this function to register callbacks * for memory allocation. */ @@ -43874,7 +45289,7 @@ index a2b7e03..9ff4bbd 100644 static void tmem_objnode_tree_init(void); -@@ -64,7 +64,7 @@ void tmem_register_hostops(struct tmem_hostops *m) +@@ -65,7 +65,7 @@ void tmem_register_hostops(struct tmem_hostops *m) * A tmem host implementation must use this function to register * callbacks for a page-accessible memory (PAM) implementation. */ @@ -43884,7 +45299,7 @@ index a2b7e03..9ff4bbd 100644 void tmem_register_pamops(struct tmem_pamops *m) { diff --git a/drivers/staging/zcache/tmem.h b/drivers/staging/zcache/tmem.h -index adbe5a8..d387359 100644 +index d128ce2..a43980c 100644 --- a/drivers/staging/zcache/tmem.h +++ b/drivers/staging/zcache/tmem.h @@ -226,6 +226,7 @@ struct tmem_pamops { @@ -43904,10 +45319,10 @@ index adbe5a8..d387359 100644 /* core tmem accessor functions */ diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c -index 2e4d655..fd72e68 100644 +index 4630481..c26782a 100644 --- a/drivers/target/target_core_device.c +++ b/drivers/target/target_core_device.c -@@ -1414,7 +1414,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name) +@@ -1400,7 +1400,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name) spin_lock_init(&dev->se_port_lock); spin_lock_init(&dev->se_tmr_lock); spin_lock_init(&dev->qf_cmd_lock); @@ -43917,10 +45332,10 @@ index 2e4d655..fd72e68 100644 spin_lock_init(&dev->t10_wwn.t10_vpd_lock); INIT_LIST_HEAD(&dev->t10_pr.registration_list); diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c -index fc9a5a0..1d5975e 100644 +index 21e3158..43c6004 100644 --- a/drivers/target/target_core_transport.c +++ b/drivers/target/target_core_transport.c -@@ -1081,7 +1081,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd) +@@ -1080,7 +1080,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd) * Used to determine when ORDERED commands should go from * Dormant to Active status. */ @@ -43930,10 +45345,10 @@ index fc9a5a0..1d5975e 100644 pr_debug("Allocated se_ordered_id: %u for Task Attr: 0x%02x on %s\n", cmd->se_ordered_id, cmd->sam_task_attr, diff --git a/drivers/tty/cyclades.c b/drivers/tty/cyclades.c -index 345bd0e..61d5375 100644 +index 33f83fe..d80f8e1 100644 --- a/drivers/tty/cyclades.c +++ b/drivers/tty/cyclades.c -@@ -1576,10 +1576,10 @@ static int cy_open(struct tty_struct *tty, struct file *filp) +@@ -1570,10 +1570,10 @@ static int cy_open(struct tty_struct *tty, struct file *filp) printk(KERN_DEBUG "cyc:cy_open ttyC%d, count = %d\n", info->line, info->port.count); #endif @@ -43946,7 +45361,7 @@ index 345bd0e..61d5375 100644 #endif /* -@@ -3978,7 +3978,7 @@ static int cyclades_proc_show(struct seq_file *m, void *v) +@@ -3972,7 +3972,7 @@ static int cyclades_proc_show(struct seq_file *m, void *v) for (j = 0; j < cy_card[i].nports; j++) { info = &cy_card[i].ports[j]; @@ -44228,10 +45643,10 @@ index 8fd72ff..34a0bed 100644 ipwireless_disassociate_network_ttys(network, ttyj->channel_idx); diff --git a/drivers/tty/moxa.c b/drivers/tty/moxa.c -index adeac25..787a0a1 100644 +index 1deaca4..c8582d4 100644 --- a/drivers/tty/moxa.c +++ b/drivers/tty/moxa.c -@@ -1193,7 +1193,7 @@ static int moxa_open(struct tty_struct *tty, struct file *filp) +@@ -1189,7 +1189,7 @@ static int moxa_open(struct tty_struct *tty, struct file *filp) } ch = &brd->ports[port % MAX_PORTS_PER_BOARD]; @@ -44241,10 +45656,10 @@ index adeac25..787a0a1 100644 tty_port_tty_set(&ch->port, tty); mutex_lock(&ch->port.mutex); diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c -index 4a43ef5d7..aa71f27 100644 +index 6422390..49003ac8 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c -@@ -1636,7 +1636,7 @@ static struct gsm_dlci *gsm_dlci_alloc(struct gsm_mux *gsm, int addr) +@@ -1632,7 +1632,7 @@ static struct gsm_dlci *gsm_dlci_alloc(struct gsm_mux *gsm, int addr) spin_lock_init(&dlci->lock); mutex_init(&dlci->mutex); dlci->fifo = &dlci->_fifo; @@ -44253,7 +45668,7 @@ index 4a43ef5d7..aa71f27 100644 kfree(dlci); return NULL; } -@@ -2936,7 +2936,7 @@ static int gsmtty_open(struct tty_struct *tty, struct file *filp) +@@ -2932,7 +2932,7 @@ static int gsmtty_open(struct tty_struct *tty, struct file *filp) struct gsm_dlci *dlci = tty->driver_data; struct tty_port *port = &dlci->port; @@ -44263,10 +45678,10 @@ index 4a43ef5d7..aa71f27 100644 dlci_get(dlci->gsm->dlci[0]); mux_get(dlci->gsm); diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c -index 1f8cba6..47b06c2 100644 +index 6c7fe90..9241dab 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c -@@ -2205,6 +2205,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops) +@@ -2203,6 +2203,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops) { *ops = tty_ldisc_N_TTY; ops->owner = NULL; @@ -44276,10 +45691,10 @@ index 1f8cba6..47b06c2 100644 } EXPORT_SYMBOL_GPL(n_tty_inherit_ops); diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c -index 74a5e8b..40c36a7 100644 +index abfd990..5ab5da9 100644 --- a/drivers/tty/pty.c +++ b/drivers/tty/pty.c -@@ -797,8 +797,10 @@ static void __init unix98_pty_init(void) +@@ -796,8 +796,10 @@ static void __init unix98_pty_init(void) panic("Couldn't register Unix98 pts driver"); /* Now create the /dev/ptmx special device */ @@ -44292,10 +45707,10 @@ index 74a5e8b..40c36a7 100644 cdev_init(&ptmx_cdev, &ptmx_fops); if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) || diff --git a/drivers/tty/rocket.c b/drivers/tty/rocket.c -index 1d27003..959f452 100644 +index 354564e..fe50d9a 100644 --- a/drivers/tty/rocket.c +++ b/drivers/tty/rocket.c -@@ -923,7 +923,7 @@ static int rp_open(struct tty_struct *tty, struct file *filp) +@@ -914,7 +914,7 @@ static int rp_open(struct tty_struct *tty, struct file *filp) tty->driver_data = info; tty_port_tty_set(port, tty); @@ -44304,7 +45719,7 @@ index 1d27003..959f452 100644 atomic_inc(&rp_num_ports_open); #ifdef ROCKET_DEBUG_OPEN -@@ -932,7 +932,7 @@ static int rp_open(struct tty_struct *tty, struct file *filp) +@@ -923,7 +923,7 @@ static int rp_open(struct tty_struct *tty, struct file *filp) #endif } #ifdef ROCKET_DEBUG_OPEN @@ -44313,7 +45728,7 @@ index 1d27003..959f452 100644 #endif /* -@@ -1527,7 +1527,7 @@ static void rp_hangup(struct tty_struct *tty) +@@ -1515,7 +1515,7 @@ static void rp_hangup(struct tty_struct *tty) spin_unlock_irqrestore(&info->port.lock, flags); return; } @@ -44429,10 +45844,10 @@ index 1002054..dd644a8 100644 /* This is only available if kgdboc is a built in for early debugging */ static int __init kgdboc_early_init(char *opt) diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c -index 2769a38..f3dbe48 100644 +index 0c8a9fa..234a95f 100644 --- a/drivers/tty/serial/samsung.c +++ b/drivers/tty/serial/samsung.c -@@ -451,11 +451,16 @@ static void s3c24xx_serial_shutdown(struct uart_port *port) +@@ -453,11 +453,16 @@ static void s3c24xx_serial_shutdown(struct uart_port *port) } } @@ -44449,7 +45864,7 @@ index 2769a38..f3dbe48 100644 dbg("s3c24xx_serial_startup: port=%p (%08lx,%p)\n", port->mapbase, port->membase); -@@ -1120,10 +1125,6 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport, +@@ -1124,10 +1129,6 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport, /* setup info for port */ port->dev = &platdev->dev; @@ -44461,7 +45876,7 @@ index 2769a38..f3dbe48 100644 if (cfg->uart_flags & UPF_CONS_FLOW) { diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c -index 8fbb6d2..822a9e6 100644 +index f87dbfd..42ad4b1 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -1454,7 +1454,7 @@ static void uart_hangup(struct tty_struct *tty) @@ -44501,10 +45916,10 @@ index 8fbb6d2..822a9e6 100644 goto end; } diff --git a/drivers/tty/synclink.c b/drivers/tty/synclink.c -index 8983276..72a4090 100644 +index 8eaf1ab..85c030d 100644 --- a/drivers/tty/synclink.c +++ b/drivers/tty/synclink.c -@@ -3093,7 +3093,7 @@ static void mgsl_close(struct tty_struct *tty, struct file * filp) +@@ -3090,7 +3090,7 @@ static void mgsl_close(struct tty_struct *tty, struct file * filp) if (debug_level >= DEBUG_LEVEL_INFO) printk("%s(%d):mgsl_close(%s) entry, count=%d\n", @@ -44513,7 +45928,7 @@ index 8983276..72a4090 100644 if (tty_port_close_start(&info->port, tty, filp) == 0) goto cleanup; -@@ -3111,7 +3111,7 @@ static void mgsl_close(struct tty_struct *tty, struct file * filp) +@@ -3108,7 +3108,7 @@ static void mgsl_close(struct tty_struct *tty, struct file * filp) cleanup: if (debug_level >= DEBUG_LEVEL_INFO) printk("%s(%d):mgsl_close(%s) exit, count=%d\n", __FILE__,__LINE__, @@ -44522,7 +45937,7 @@ index 8983276..72a4090 100644 } /* end of mgsl_close() */ -@@ -3210,8 +3210,8 @@ static void mgsl_hangup(struct tty_struct *tty) +@@ -3207,8 +3207,8 @@ static void mgsl_hangup(struct tty_struct *tty) mgsl_flush_buffer(tty); shutdown(info); @@ -44533,7 +45948,7 @@ index 8983276..72a4090 100644 info->port.flags &= ~ASYNC_NORMAL_ACTIVE; info->port.tty = NULL; -@@ -3300,12 +3300,12 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp, +@@ -3297,12 +3297,12 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp, if (debug_level >= DEBUG_LEVEL_INFO) printk("%s(%d):block_til_ready before block on %s count=%d\n", @@ -44548,7 +45963,7 @@ index 8983276..72a4090 100644 } spin_unlock_irqrestore(&info->irq_spinlock, flags); port->blocked_open++; -@@ -3334,7 +3334,7 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp, +@@ -3331,7 +3331,7 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp, if (debug_level >= DEBUG_LEVEL_INFO) printk("%s(%d):block_til_ready blocking on %s count=%d\n", @@ -44557,7 +45972,7 @@ index 8983276..72a4090 100644 tty_unlock(tty); schedule(); -@@ -3346,12 +3346,12 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp, +@@ -3343,12 +3343,12 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp, /* FIXME: Racy on hangup during close wait */ if (extra_count) @@ -44572,7 +45987,7 @@ index 8983276..72a4090 100644 if (!retval) port->flags |= ASYNC_NORMAL_ACTIVE; -@@ -3403,7 +3403,7 @@ static int mgsl_open(struct tty_struct *tty, struct file * filp) +@@ -3400,7 +3400,7 @@ static int mgsl_open(struct tty_struct *tty, struct file * filp) if (debug_level >= DEBUG_LEVEL_INFO) printk("%s(%d):mgsl_open(%s), old ref count = %d\n", @@ -44581,7 +45996,7 @@ index 8983276..72a4090 100644 /* If port is closing, signal caller to try again */ if (tty_hung_up_p(filp) || info->port.flags & ASYNC_CLOSING){ -@@ -3422,10 +3422,10 @@ static int mgsl_open(struct tty_struct *tty, struct file * filp) +@@ -3419,10 +3419,10 @@ static int mgsl_open(struct tty_struct *tty, struct file * filp) spin_unlock_irqrestore(&info->netlock, flags); goto cleanup; } @@ -44594,7 +46009,7 @@ index 8983276..72a4090 100644 /* 1st open on this device, init hardware */ retval = startup(info); if (retval < 0) -@@ -3449,8 +3449,8 @@ cleanup: +@@ -3446,8 +3446,8 @@ cleanup: if (retval) { if (tty->count == 1) info->port.tty = NULL; /* tty layer will release tty struct */ @@ -44605,7 +46020,7 @@ index 8983276..72a4090 100644 } return retval; -@@ -7668,7 +7668,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding, +@@ -7665,7 +7665,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding, unsigned short new_crctype; /* return error if TTY interface open */ @@ -44614,7 +46029,7 @@ index 8983276..72a4090 100644 return -EBUSY; switch (encoding) -@@ -7763,7 +7763,7 @@ static int hdlcdev_open(struct net_device *dev) +@@ -7760,7 +7760,7 @@ static int hdlcdev_open(struct net_device *dev) /* arbitrate between network and tty opens */ spin_lock_irqsave(&info->netlock, flags); @@ -44623,7 +46038,7 @@ index 8983276..72a4090 100644 printk(KERN_WARNING "%s: hdlc_open returning busy\n", dev->name); spin_unlock_irqrestore(&info->netlock, flags); return -EBUSY; -@@ -7849,7 +7849,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) +@@ -7846,7 +7846,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) printk("%s:hdlcdev_ioctl(%s)\n",__FILE__,dev->name); /* return error if TTY interface open */ @@ -44633,7 +46048,7 @@ index 8983276..72a4090 100644 if (cmd != SIOCWANDEV) diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c -index aa9eece..d8baaec 100644 +index 1abf946..1ee34fc 100644 --- a/drivers/tty/synclink_gt.c +++ b/drivers/tty/synclink_gt.c @@ -670,7 +670,7 @@ static int open(struct tty_struct *tty, struct file *filp) @@ -44751,7 +46166,7 @@ index aa9eece..d8baaec 100644 if (!retval) diff --git a/drivers/tty/synclinkmp.c b/drivers/tty/synclinkmp.c -index 6d5780c..aa4d8cd 100644 +index ff17138..e38b41e 100644 --- a/drivers/tty/synclinkmp.c +++ b/drivers/tty/synclinkmp.c @@ -750,7 +750,7 @@ static int open(struct tty_struct *tty, struct file *filp) @@ -44890,10 +46305,10 @@ index 6d5780c..aa4d8cd 100644 if (!retval) port->flags |= ASYNC_NORMAL_ACTIVE; diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c -index 3687f0c..6b9b808 100644 +index b51c154..17d55d1 100644 --- a/drivers/tty/sysrq.c +++ b/drivers/tty/sysrq.c -@@ -995,7 +995,7 @@ EXPORT_SYMBOL(unregister_sysrq_key); +@@ -1022,7 +1022,7 @@ EXPORT_SYMBOL(unregister_sysrq_key); static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { @@ -44903,10 +46318,10 @@ index 3687f0c..6b9b808 100644 if (get_user(c, buf)) diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c -index a9cd0b9..47b9336 100644 +index 4476682..d77e748 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c -@@ -3398,7 +3398,7 @@ EXPORT_SYMBOL_GPL(get_current_tty); +@@ -3466,7 +3466,7 @@ EXPORT_SYMBOL_GPL(get_current_tty); void tty_default_fops(struct file_operations *fops) { @@ -44916,19 +46331,10 @@ index a9cd0b9..47b9336 100644 /* diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c -index d794087..e4f49e5 100644 +index 1afe192..73d2c20 100644 --- a/drivers/tty/tty_ldisc.c +++ b/drivers/tty/tty_ldisc.c -@@ -56,7 +56,7 @@ static void put_ldisc(struct tty_ldisc *ld) - if (atomic_dec_and_test(&ld->users)) { - struct tty_ldisc_ops *ldo = ld->ops; - -- ldo->refcount--; -+ atomic_dec(&ldo->refcount); - module_put(ldo->owner); - raw_spin_unlock_irqrestore(&tty_ldisc_lock, flags); - -@@ -93,7 +93,7 @@ int tty_register_ldisc(int disc, struct tty_ldisc_ops *new_ldisc) +@@ -66,7 +66,7 @@ int tty_register_ldisc(int disc, struct tty_ldisc_ops *new_ldisc) raw_spin_lock_irqsave(&tty_ldisc_lock, flags); tty_ldiscs[disc] = new_ldisc; new_ldisc->num = disc; @@ -44937,7 +46343,7 @@ index d794087..e4f49e5 100644 raw_spin_unlock_irqrestore(&tty_ldisc_lock, flags); return ret; -@@ -121,7 +121,7 @@ int tty_unregister_ldisc(int disc) +@@ -94,7 +94,7 @@ int tty_unregister_ldisc(int disc) return -EINVAL; raw_spin_lock_irqsave(&tty_ldisc_lock, flags); @@ -44946,7 +46352,7 @@ index d794087..e4f49e5 100644 ret = -EBUSY; else tty_ldiscs[disc] = NULL; -@@ -142,7 +142,7 @@ static struct tty_ldisc_ops *get_ldops(int disc) +@@ -115,7 +115,7 @@ static struct tty_ldisc_ops *get_ldops(int disc) if (ldops) { ret = ERR_PTR(-EAGAIN); if (try_module_get(ldops->owner)) { @@ -44955,7 +46361,7 @@ index d794087..e4f49e5 100644 ret = ldops; } } -@@ -155,7 +155,7 @@ static void put_ldops(struct tty_ldisc_ops *ldops) +@@ -128,7 +128,7 @@ static void put_ldops(struct tty_ldisc_ops *ldops) unsigned long flags; raw_spin_lock_irqsave(&tty_ldisc_lock, flags); @@ -44964,20 +46370,29 @@ index d794087..e4f49e5 100644 module_put(ldops->owner); raw_spin_unlock_irqrestore(&tty_ldisc_lock, flags); } +@@ -196,7 +196,7 @@ static inline void tty_ldisc_put(struct tty_ldisc *ld) + /* unreleased reader reference(s) will cause this WARN */ + WARN_ON(!atomic_dec_and_test(&ld->users)); + +- ld->ops->refcount--; ++ atomic_dec(&ld->ops->refcount); + module_put(ld->ops->owner); + kfree(ld); + raw_spin_unlock_irqrestore(&tty_ldisc_lock, flags); diff --git a/drivers/tty/tty_port.c b/drivers/tty/tty_port.c -index b7ff59d..7c6105e 100644 +index f597e88..b7f68ed 100644 --- a/drivers/tty/tty_port.c +++ b/drivers/tty/tty_port.c -@@ -218,7 +218,7 @@ void tty_port_hangup(struct tty_port *port) +@@ -232,7 +232,7 @@ void tty_port_hangup(struct tty_port *port) unsigned long flags; spin_lock_irqsave(&port->lock, flags); - port->count = 0; + atomic_set(&port->count, 0); port->flags &= ~ASYNC_NORMAL_ACTIVE; - if (port->tty) { - set_bit(TTY_IO_ERROR, &port->tty->flags); -@@ -344,7 +344,7 @@ int tty_port_block_til_ready(struct tty_port *port, + tty = port->tty; + if (tty) +@@ -390,7 +390,7 @@ int tty_port_block_til_ready(struct tty_port *port, /* The port lock protects the port counts */ spin_lock_irqsave(&port->lock, flags); if (!tty_hung_up_p(filp)) @@ -44986,7 +46401,7 @@ index b7ff59d..7c6105e 100644 port->blocked_open++; spin_unlock_irqrestore(&port->lock, flags); -@@ -386,7 +386,7 @@ int tty_port_block_til_ready(struct tty_port *port, +@@ -432,7 +432,7 @@ int tty_port_block_til_ready(struct tty_port *port, we must not mess that up further */ spin_lock_irqsave(&port->lock, flags); if (!tty_hung_up_p(filp)) @@ -44995,7 +46410,7 @@ index b7ff59d..7c6105e 100644 port->blocked_open--; if (retval == 0) port->flags |= ASYNC_NORMAL_ACTIVE; -@@ -406,19 +406,19 @@ int tty_port_close_start(struct tty_port *port, +@@ -466,19 +466,19 @@ int tty_port_close_start(struct tty_port *port, return 0; } @@ -45022,7 +46437,7 @@ index b7ff59d..7c6105e 100644 spin_unlock_irqrestore(&port->lock, flags); if (port->ops->drop) port->ops->drop(port); -@@ -516,7 +516,7 @@ int tty_port_open(struct tty_port *port, struct tty_struct *tty, +@@ -564,7 +564,7 @@ int tty_port_open(struct tty_port *port, struct tty_struct *tty, { spin_lock_irq(&port->lock); if (!tty_hung_up_p(filp)) @@ -45201,7 +46616,7 @@ index 8a7eb77..c00402f 100644 pos += tmp; diff --git a/drivers/usb/atm/usbatm.c b/drivers/usb/atm/usbatm.c -index 35f10bf..6a38a0b 100644 +index d3527dd..26effa2 100644 --- a/drivers/usb/atm/usbatm.c +++ b/drivers/usb/atm/usbatm.c @@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char @@ -45315,7 +46730,7 @@ index 2a3bbdf..91d72cf 100644 file->f_version = event_count; return POLLIN | POLLRDNORM; diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c -index f9ec44c..eb5779f 100644 +index d53547d..6a22d02 100644 --- a/drivers/usb/core/hcd.c +++ b/drivers/usb/core/hcd.c @@ -1526,7 +1526,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags) @@ -45350,7 +46765,7 @@ index 444d30e..f15c850 100644 __u16 size, int timeout) { diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c -index 3f81a3d..a3aa993 100644 +index aa38db4..0a08682 100644 --- a/drivers/usb/core/sysfs.c +++ b/drivers/usb/core/sysfs.c @@ -239,7 +239,7 @@ show_urbnum(struct device *dev, struct device_attribute *attr, char *buf) @@ -45363,10 +46778,10 @@ index 3f81a3d..a3aa993 100644 static DEVICE_ATTR(urbnum, S_IRUGO, show_urbnum, NULL); diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c -index f81b925..78d22ec 100644 +index b10da72..43aa0b2 100644 --- a/drivers/usb/core/usb.c +++ b/drivers/usb/core/usb.c -@@ -388,7 +388,7 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent, +@@ -389,7 +389,7 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent, set_dev_node(&dev->dev, dev_to_node(bus->controller)); dev->state = USB_STATE_ATTACHED; dev->lpm_disable_count = 1; @@ -45532,132 +46947,6 @@ index 5f3bcd3..bfca43f 100644 usb_autopm_put_interface(serial->interface); error_get_interface: usb_serial_put(serial); -diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c -index 4747d1c..3850e92 100644 ---- a/drivers/usb/serial/cp210x.c -+++ b/drivers/usb/serial/cp210x.c -@@ -53,6 +53,7 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x0489, 0xE000) }, /* Pirelli Broadband S.p.A, DP-L10 SIP/GSM Mobile */ - { USB_DEVICE(0x0489, 0xE003) }, /* Pirelli Broadband S.p.A, DP-L10 SIP/GSM Mobile */ - { USB_DEVICE(0x0745, 0x1000) }, /* CipherLab USB CCD Barcode Scanner 1000 */ -+ { USB_DEVICE(0x0846, 0x1100) }, /* NetGear Managed Switch M4100 series, M5300 series, M7100 series */ - { USB_DEVICE(0x08e6, 0x5501) }, /* Gemalto Prox-PU/CU contactless smartcard reader */ - { USB_DEVICE(0x08FD, 0x000A) }, /* Digianswer A/S , ZigBee/802.15.4 MAC Device */ - { USB_DEVICE(0x0BED, 0x1100) }, /* MEI (TM) Cashflow-SC Bill/Voucher Acceptor */ -@@ -118,6 +119,8 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */ - { USB_DEVICE(0x10C4, 0x8664) }, /* AC-Services CAN-IF */ - { USB_DEVICE(0x10C4, 0x8665) }, /* AC-Services OBD-IF */ -+ { USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */ -+ { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */ - { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */ - { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */ - { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */ -@@ -148,6 +151,7 @@ static const struct usb_device_id id_table[] = { - { USB_DEVICE(0x17F4, 0xAAAA) }, /* Wavesense Jazz blood glucose meter */ - { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */ - { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */ -+ { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */ - { USB_DEVICE(0x1BE3, 0x07A6) }, /* WAGO 750-923 USB Service Cable */ - { USB_DEVICE(0x1E29, 0x0102) }, /* Festo CPX-USB */ - { USB_DEVICE(0x1E29, 0x0501) }, /* Festo CMSP */ -diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c -index 9162db2..b7cabbf 100644 ---- a/drivers/usb/serial/option.c -+++ b/drivers/usb/serial/option.c -@@ -343,17 +343,12 @@ static void option_instat_callback(struct urb *urb); - #define OLIVETTI_VENDOR_ID 0x0b3c - #define OLIVETTI_PRODUCT_OLICARD100 0xc000 - #define OLIVETTI_PRODUCT_OLICARD145 0xc003 -+#define OLIVETTI_PRODUCT_OLICARD200 0xc005 - - /* Celot products */ - #define CELOT_VENDOR_ID 0x211f - #define CELOT_PRODUCT_CT680M 0x6801 - --/* ONDA Communication vendor id */ --#define ONDA_VENDOR_ID 0x1ee8 -- --/* ONDA MT825UP HSDPA 14.2 modem */ --#define ONDA_MT825UP 0x000b -- - /* Samsung products */ - #define SAMSUNG_VENDOR_ID 0x04e8 - #define SAMSUNG_PRODUCT_GT_B3730 0x6889 -@@ -446,7 +441,8 @@ static void option_instat_callback(struct urb *urb); - - /* Hyundai Petatel Inc. products */ - #define PETATEL_VENDOR_ID 0x1ff4 --#define PETATEL_PRODUCT_NP10T 0x600e -+#define PETATEL_PRODUCT_NP10T_600A 0x600a -+#define PETATEL_PRODUCT_NP10T_600E 0x600e - - /* TP-LINK Incorporated products */ - #define TPLINK_VENDOR_ID 0x2357 -@@ -786,6 +782,7 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE(KYOCERA_VENDOR_ID, KYOCERA_PRODUCT_KPC650) }, - { USB_DEVICE(KYOCERA_VENDOR_ID, KYOCERA_PRODUCT_KPC680) }, - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */ -+ { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */ - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */ - { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6280) }, /* BP3-USB & BP3-EXT HSDPA */ - { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6008) }, -@@ -821,7 +818,8 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0017, 0xff, 0xff, 0xff), - .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, - { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0018, 0xff, 0xff, 0xff) }, -- { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0019, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0019, 0xff, 0xff, 0xff), -+ .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, - { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0020, 0xff, 0xff, 0xff) }, - { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0021, 0xff, 0xff, 0xff), - .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, -@@ -1260,8 +1258,8 @@ static const struct usb_device_id option_ids[] = { - - { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD100) }, - { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD145) }, -+ { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD200) }, - { USB_DEVICE(CELOT_VENDOR_ID, CELOT_PRODUCT_CT680M) }, /* CT-650 CDMA 450 1xEVDO modem */ -- { USB_DEVICE(ONDA_VENDOR_ID, ONDA_MT825UP) }, /* ONDA MT825UP modem */ - { USB_DEVICE_AND_INTERFACE_INFO(SAMSUNG_VENDOR_ID, SAMSUNG_PRODUCT_GT_B3730, USB_CLASS_CDC_DATA, 0x00, 0x00) }, /* Samsung GT-B3730 LTE USB modem.*/ - { USB_DEVICE(YUGA_VENDOR_ID, YUGA_PRODUCT_CEM600) }, - { USB_DEVICE(YUGA_VENDOR_ID, YUGA_PRODUCT_CEM610) }, -@@ -1333,9 +1331,12 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_DC_4COM2, 0xff, 0x02, 0x01) }, - { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_DC_4COM2, 0xff, 0x00, 0x00) }, - { USB_DEVICE(CELLIENT_VENDOR_ID, CELLIENT_PRODUCT_MEN200) }, -- { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T) }, -+ { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600A) }, -+ { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600E) }, - { USB_DEVICE(TPLINK_VENDOR_ID, TPLINK_PRODUCT_MA180), - .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, -+ { USB_DEVICE(TPLINK_VENDOR_ID, 0x9000), /* TP-Link MA260 */ -+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, - { USB_DEVICE(CHANGHONG_VENDOR_ID, CHANGHONG_PRODUCT_CH690) }, - { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d01, 0xff, 0x02, 0x01) }, /* D-Link DWM-156 (variant) */ - { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d01, 0xff, 0x00, 0x00) }, /* D-Link DWM-156 (variant) */ -@@ -1343,6 +1344,8 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d02, 0xff, 0x00, 0x00) }, - { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x02, 0x01) }, - { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x00, 0x00) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */ -+ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */ - { } /* Terminating entry */ - }; - MODULE_DEVICE_TABLE(usb, option_ids); -diff --git a/drivers/usb/storage/realtek_cr.c b/drivers/usb/storage/realtek_cr.c -index 6c3586a..a94e621 100644 ---- a/drivers/usb/storage/realtek_cr.c -+++ b/drivers/usb/storage/realtek_cr.c -@@ -429,7 +429,7 @@ static int rts51x_read_status(struct us_data *us, - - buf = kmalloc(len, GFP_NOIO); - if (buf == NULL) -- return USB_STOR_TRANSPORT_ERROR; -+ return -ENOMEM; - - US_DEBUGP("%s, lun = %d\n", __func__, lun); - diff --git a/drivers/usb/storage/usb.h b/drivers/usb/storage/usb.h index 75f70f0..d467e1a 100644 --- a/drivers/usb/storage/usb.h @@ -45706,55 +46995,18 @@ index 6ef94bc..1b41265 100644 } /* -diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c -index dfff647..3a19054 100644 ---- a/drivers/vhost/net.c -+++ b/drivers/vhost/net.c -@@ -857,7 +857,7 @@ static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd) - mutex_unlock(&vq->mutex); - - if (oldubufs) { -- vhost_ubuf_put_and_wait(oldubufs); -+ vhost_ubuf_put_and_wait_and_free(oldubufs); - mutex_lock(&vq->mutex); - vhost_zerocopy_signal_used(n, vq); - mutex_unlock(&vq->mutex); -@@ -875,7 +875,7 @@ err_used: - rcu_assign_pointer(vq->private_data, oldsock); - vhost_net_enable_vq(n, vq); - if (ubufs) -- vhost_ubuf_put_and_wait(ubufs); -+ vhost_ubuf_put_and_wait_and_free(ubufs); - err_ubufs: - fput(sock->file); - err_vq: -diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c -index 9759249..2e2524c 100644 ---- a/drivers/vhost/vhost.c -+++ b/drivers/vhost/vhost.c -@@ -1581,5 +1581,11 @@ void vhost_ubuf_put_and_wait(struct vhost_ubuf_ref *ubufs) - { - kref_put(&ubufs->kref, vhost_zerocopy_done_signal); - wait_event(ubufs->wait, !atomic_read(&ubufs->kref.refcount)); -+} -+ -+void vhost_ubuf_put_and_wait_and_free(struct vhost_ubuf_ref *ubufs) -+{ -+ vhost_ubuf_put_and_wait(ubufs); - kfree(ubufs); - } -+ -diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h -index 17261e2..70cbe6f 100644 ---- a/drivers/vhost/vhost.h -+++ b/drivers/vhost/vhost.h -@@ -63,6 +63,7 @@ struct vhost_ubuf_ref { - struct vhost_ubuf_ref *vhost_ubuf_alloc(struct vhost_virtqueue *, bool zcopy); - void vhost_ubuf_put(struct vhost_ubuf_ref *); - void vhost_ubuf_put_and_wait(struct vhost_ubuf_ref *); -+void vhost_ubuf_put_and_wait_and_free(struct vhost_ubuf_ref *); - - struct ubuf_info; +diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c +index 5174eba..86e764a 100644 +--- a/drivers/vhost/vringh.c ++++ b/drivers/vhost/vringh.c +@@ -800,7 +800,7 @@ static inline int getu16_kern(u16 *val, const u16 *p) + + static inline int putu16_kern(u16 *p, u16 val) + { +- ACCESS_ONCE(*p) = val; ++ ACCESS_ONCE_RW(*p) = val; + return 0; + } diff --git a/drivers/video/aty/aty128fb.c b/drivers/video/aty/aty128fb.c index 8c55011..eed4ae1a 100644 @@ -45813,8 +47065,21 @@ index 95ec042..e6affdd 100644 return 0; } +diff --git a/drivers/video/backlight/backlight.c b/drivers/video/backlight/backlight.c +index c74e7aa..e3c2790 100644 +--- a/drivers/video/backlight/backlight.c ++++ b/drivers/video/backlight/backlight.c +@@ -304,7 +304,7 @@ struct backlight_device *backlight_device_register(const char *name, + new_bd->dev.class = backlight_class; + new_bd->dev.parent = parent; + new_bd->dev.release = bl_device_release; +- dev_set_name(&new_bd->dev, name); ++ dev_set_name(&new_bd->dev, "%s", name); + dev_set_drvdata(&new_bd->dev, devdata); + + /* Set default properties */ diff --git a/drivers/video/backlight/kb3886_bl.c b/drivers/video/backlight/kb3886_bl.c -index 6c5ed6b..b727c88 100644 +index bca6ccc..252107e 100644 --- a/drivers/video/backlight/kb3886_bl.c +++ b/drivers/video/backlight/kb3886_bl.c @@ -78,7 +78,7 @@ static struct kb3886bl_machinfo *bl_machinfo; @@ -45826,6 +47091,19 @@ index 6c5ed6b..b727c88 100644 { .ident = "Sahara Touch-iT", .matches = { +diff --git a/drivers/video/backlight/lcd.c b/drivers/video/backlight/lcd.c +index 34fb6bd..3649fd9 100644 +--- a/drivers/video/backlight/lcd.c ++++ b/drivers/video/backlight/lcd.c +@@ -219,7 +219,7 @@ struct lcd_device *lcd_device_register(const char *name, struct device *parent, + new_ld->dev.class = lcd_class; + new_ld->dev.parent = parent; + new_ld->dev.release = lcd_device_release; +- dev_set_name(&new_ld->dev, name); ++ dev_set_name(&new_ld->dev, "%s", name); + dev_set_drvdata(&new_ld->dev, devdata); + + rc = device_register(&new_ld->dev); diff --git a/drivers/video/fb_defio.c b/drivers/video/fb_defio.c index 900aa4e..6d49418 100644 --- a/drivers/video/fb_defio.c @@ -45865,7 +47143,7 @@ index 5c3960d..15cf8fc 100644 goto out1; } diff --git a/drivers/video/fbmem.c b/drivers/video/fbmem.c -index 86291dc..7cc5962 100644 +index 098bfc6..796841d 100644 --- a/drivers/video/fbmem.c +++ b/drivers/video/fbmem.c @@ -428,7 +428,7 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image, @@ -48729,7 +50007,7 @@ index 0d6f2cd..6285b97 100644 ret_code = device_register(&new_dev->dev); if (ret_code) { diff --git a/drivers/video/s1d13xxxfb.c b/drivers/video/s1d13xxxfb.c -index 76d9053..dec2bfd 100644 +index 05c2dc3..ea1f391 100644 --- a/drivers/video/s1d13xxxfb.c +++ b/drivers/video/s1d13xxxfb.c @@ -881,8 +881,10 @@ static int s1d13xxxfb_probe(struct platform_device *pdev) @@ -48746,10 +50024,10 @@ index 76d9053..dec2bfd 100644 FBINFO_HWACCEL_FILLRECT | FBINFO_HWACCEL_COPYAREA; break; diff --git a/drivers/video/smscufx.c b/drivers/video/smscufx.c -index 97bd662..39fab85 100644 +index b2b33fc..f9f4658 100644 --- a/drivers/video/smscufx.c +++ b/drivers/video/smscufx.c -@@ -1171,7 +1171,9 @@ static int ufx_ops_release(struct fb_info *info, int user) +@@ -1175,7 +1175,9 @@ static int ufx_ops_release(struct fb_info *info, int user) fb_deferred_io_cleanup(info); kfree(info->fbdefio); info->fbdefio = NULL; @@ -48761,10 +50039,10 @@ index 97bd662..39fab85 100644 pr_debug("released /dev/fb%d user=%d count=%d", diff --git a/drivers/video/udlfb.c b/drivers/video/udlfb.c -index 86d449e..8e04dc5 100644 +index ec03e72..f578436 100644 --- a/drivers/video/udlfb.c +++ b/drivers/video/udlfb.c -@@ -619,11 +619,11 @@ int dlfb_handle_damage(struct dlfb_data *dev, int x, int y, +@@ -623,11 +623,11 @@ int dlfb_handle_damage(struct dlfb_data *dev, int x, int y, dlfb_urb_completion(urb); error: @@ -48780,7 +50058,7 @@ index 86d449e..8e04dc5 100644 >> 10)), /* Kcycles */ &dev->cpu_kcycles_used); -@@ -744,11 +744,11 @@ static void dlfb_dpy_deferred_io(struct fb_info *info, +@@ -748,11 +748,11 @@ static void dlfb_dpy_deferred_io(struct fb_info *info, dlfb_urb_completion(urb); error: @@ -48796,7 +50074,7 @@ index 86d449e..8e04dc5 100644 >> 10)), /* Kcycles */ &dev->cpu_kcycles_used); } -@@ -989,7 +989,9 @@ static int dlfb_ops_release(struct fb_info *info, int user) +@@ -993,7 +993,9 @@ static int dlfb_ops_release(struct fb_info *info, int user) fb_deferred_io_cleanup(info); kfree(info->fbdefio); info->fbdefio = NULL; @@ -48807,7 +50085,7 @@ index 86d449e..8e04dc5 100644 } pr_warn("released /dev/fb%d user=%d count=%d\n", -@@ -1372,7 +1374,7 @@ static ssize_t metrics_bytes_rendered_show(struct device *fbdev, +@@ -1376,7 +1378,7 @@ static ssize_t metrics_bytes_rendered_show(struct device *fbdev, struct fb_info *fb_info = dev_get_drvdata(fbdev); struct dlfb_data *dev = fb_info->par; return snprintf(buf, PAGE_SIZE, "%u\n", @@ -48816,7 +50094,7 @@ index 86d449e..8e04dc5 100644 } static ssize_t metrics_bytes_identical_show(struct device *fbdev, -@@ -1380,7 +1382,7 @@ static ssize_t metrics_bytes_identical_show(struct device *fbdev, +@@ -1384,7 +1386,7 @@ static ssize_t metrics_bytes_identical_show(struct device *fbdev, struct fb_info *fb_info = dev_get_drvdata(fbdev); struct dlfb_data *dev = fb_info->par; return snprintf(buf, PAGE_SIZE, "%u\n", @@ -48825,7 +50103,7 @@ index 86d449e..8e04dc5 100644 } static ssize_t metrics_bytes_sent_show(struct device *fbdev, -@@ -1388,7 +1390,7 @@ static ssize_t metrics_bytes_sent_show(struct device *fbdev, +@@ -1392,7 +1394,7 @@ static ssize_t metrics_bytes_sent_show(struct device *fbdev, struct fb_info *fb_info = dev_get_drvdata(fbdev); struct dlfb_data *dev = fb_info->par; return snprintf(buf, PAGE_SIZE, "%u\n", @@ -48834,7 +50112,7 @@ index 86d449e..8e04dc5 100644 } static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev, -@@ -1396,7 +1398,7 @@ static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev, +@@ -1400,7 +1402,7 @@ static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev, struct fb_info *fb_info = dev_get_drvdata(fbdev); struct dlfb_data *dev = fb_info->par; return snprintf(buf, PAGE_SIZE, "%u\n", @@ -48843,7 +50121,7 @@ index 86d449e..8e04dc5 100644 } static ssize_t edid_show( -@@ -1456,10 +1458,10 @@ static ssize_t metrics_reset_store(struct device *fbdev, +@@ -1460,10 +1462,10 @@ static ssize_t metrics_reset_store(struct device *fbdev, struct fb_info *fb_info = dev_get_drvdata(fbdev); struct dlfb_data *dev = fb_info->par; @@ -48859,7 +50137,7 @@ index 86d449e..8e04dc5 100644 return count; } diff --git a/drivers/video/uvesafb.c b/drivers/video/uvesafb.c -index d428445..79a78df 100644 +index e328a61..1b08ecb 100644 --- a/drivers/video/uvesafb.c +++ b/drivers/video/uvesafb.c @@ -19,6 +19,7 @@ @@ -49124,10 +50402,10 @@ index fef20db..d28b1ab 100644 return -ENOMEM; return 0; diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c -index 0ad61c6..f198bd7 100644 +index 055562c..fdfb10d 100644 --- a/fs/9p/vfs_addr.c +++ b/fs/9p/vfs_addr.c -@@ -185,7 +185,7 @@ static int v9fs_vfs_writepage_locked(struct page *page) +@@ -186,7 +186,7 @@ static int v9fs_vfs_writepage_locked(struct page *page) retval = v9fs_file_write_internal(inode, v9inode->writeback_fid, @@ -49150,10 +50428,10 @@ index d86edc8..40ff2fb 100644 p9_debug(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name, IS_ERR(s) ? "<error>" : s); diff --git a/fs/Kconfig.binfmt b/fs/Kconfig.binfmt -index 0efd152..b5802ad 100644 +index 370b24c..ff0be7b 100644 --- a/fs/Kconfig.binfmt +++ b/fs/Kconfig.binfmt -@@ -89,7 +89,7 @@ config HAVE_AOUT +@@ -103,7 +103,7 @@ config HAVE_AOUT config BINFMT_AOUT tristate "Kernel support for a.out and ECOFF binaries" @@ -49163,10 +50441,10 @@ index 0efd152..b5802ad 100644 A.out (Assembler.OUTput) is a set of formats for libraries and executables used in the earliest versions of UNIX. Linux used diff --git a/fs/aio.c b/fs/aio.c -index 1dc8786..d3b29e8 100644 +index 2bbcacf..8614116 100644 --- a/fs/aio.c +++ b/fs/aio.c -@@ -111,7 +111,7 @@ static int aio_setup_ring(struct kioctx *ctx) +@@ -160,7 +160,7 @@ static int aio_setup_ring(struct kioctx *ctx) size += sizeof(struct io_event) * nr_events; nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT; @@ -49175,39 +50453,39 @@ index 1dc8786..d3b29e8 100644 return -EINVAL; nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event); -@@ -1375,18 +1375,19 @@ static ssize_t aio_fsync(struct kiocb *iocb) - static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat) +@@ -950,6 +950,7 @@ static ssize_t aio_rw_vect_retry(struct kiocb *iocb, int rw, aio_rw_op *rw_op) + static ssize_t aio_setup_vectored_rw(int rw, struct kiocb *kiocb, bool compat) { ssize_t ret; + struct iovec iovstack; - #ifdef CONFIG_COMPAT + kiocb->ki_nr_segs = kiocb->ki_nbytes; + +@@ -957,17 +958,22 @@ static ssize_t aio_setup_vectored_rw(int rw, struct kiocb *kiocb, bool compat) if (compat) - ret = compat_rw_copy_check_uvector(type, + ret = compat_rw_copy_check_uvector(rw, (struct compat_iovec __user *)kiocb->ki_buf, -- kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec, -+ kiocb->ki_nbytes, 1, &iovstack, +- kiocb->ki_nr_segs, 1, &kiocb->ki_inline_vec, ++ kiocb->ki_nr_segs, 1, &iovstack, &kiocb->ki_iovec); else #endif - ret = rw_copy_check_uvector(type, + ret = rw_copy_check_uvector(rw, (struct iovec __user *)kiocb->ki_buf, -- kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec, -+ kiocb->ki_nbytes, 1, &iovstack, +- kiocb->ki_nr_segs, 1, &kiocb->ki_inline_vec, ++ kiocb->ki_nr_segs, 1, &iovstack, &kiocb->ki_iovec); if (ret < 0) - goto out; -@@ -1395,6 +1396,10 @@ static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat) - if (ret < 0) - goto out; + return ret; + if (kiocb->ki_iovec == &iovstack) { + kiocb->ki_inline_vec = iovstack; + kiocb->ki_iovec = &kiocb->ki_inline_vec; + } - kiocb->ki_nr_segs = kiocb->ki_nbytes; - kiocb->ki_cur_seg = 0; - /* ki_nbytes/left now reflect bytes instead of segs */ ++ + /* ki_nbytes now reflect bytes instead of segs */ + kiocb->ki_nbytes = ret; + return 0; diff --git a/fs/attr.c b/fs/attr.c index 1449adb..a2038c2 100644 --- a/fs/attr.c @@ -49280,7 +50558,7 @@ index 2722387..c8dd2a7 100644 { if (BEFS_SB(sb)->byte_order == BEFS_BYTESEX_LE) diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c -index 8615ee8..388ed68 100644 +index f95dddc..b1e2c1c 100644 --- a/fs/befs/linuxvfs.c +++ b/fs/befs/linuxvfs.c @@ -510,7 +510,7 @@ static void befs_put_link(struct dentry *dentry, struct nameidata *nd, void *p) @@ -49293,7 +50571,7 @@ index 8615ee8..388ed68 100644 kfree(link); } diff --git a/fs/binfmt_aout.c b/fs/binfmt_aout.c -index bbc8f88..7c7ac97 100644 +index bce8769..7fc7544 100644 --- a/fs/binfmt_aout.c +++ b/fs/binfmt_aout.c @@ -16,6 +16,7 @@ @@ -49313,7 +50591,7 @@ index bbc8f88..7c7ac97 100644 fs = get_fs(); set_fs(KERNEL_DS); has_dumped = 1; -@@ -70,10 +73,12 @@ static int aout_core_dump(struct coredump_params *cprm) +@@ -69,10 +72,12 @@ static int aout_core_dump(struct coredump_params *cprm) /* If the size of the dump file exceeds the rlimit, then see what would happen if we wrote the stack, but not the data area. */ @@ -49326,7 +50604,7 @@ index bbc8f88..7c7ac97 100644 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit) dump.u_ssize = 0; -@@ -234,6 +239,8 @@ static int load_aout_binary(struct linux_binprm * bprm) +@@ -233,6 +238,8 @@ static int load_aout_binary(struct linux_binprm * bprm) rlim = rlimit(RLIMIT_DATA); if (rlim >= RLIM_INFINITY) rlim = ~0; @@ -49335,7 +50613,7 @@ index bbc8f88..7c7ac97 100644 if (ex.a_data + ex.a_bss > rlim) return -ENOMEM; -@@ -268,6 +275,27 @@ static int load_aout_binary(struct linux_binprm * bprm) +@@ -267,6 +274,27 @@ static int load_aout_binary(struct linux_binprm * bprm) install_exec_creds(bprm); @@ -49363,7 +50641,7 @@ index bbc8f88..7c7ac97 100644 if (N_MAGIC(ex) == OMAGIC) { unsigned long text_addr, map_size; loff_t pos; -@@ -333,7 +361,7 @@ static int load_aout_binary(struct linux_binprm * bprm) +@@ -324,7 +352,7 @@ static int load_aout_binary(struct linux_binprm * bprm) } error = vm_mmap(bprm->file, N_DATADDR(ex), ex.a_data, @@ -49373,7 +50651,7 @@ index bbc8f88..7c7ac97 100644 fd_offset + ex.a_text); if (error != N_DATADDR(ex)) { diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index 86af964..5d53bf6 100644 +index f8a0b0e..6f036ed 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -34,6 +34,7 @@ @@ -49384,7 +50662,7 @@ index 86af964..5d53bf6 100644 #include <asm/uaccess.h> #include <asm/param.h> #include <asm/page.h> -@@ -60,6 +61,10 @@ static int elf_core_dump(struct coredump_params *cprm); +@@ -60,6 +61,14 @@ static int elf_core_dump(struct coredump_params *cprm); #define elf_core_dump NULL #endif @@ -49392,10 +50670,14 @@ index 86af964..5d53bf6 100644 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags); +#endif + ++#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG ++static void elf_handle_mmap(struct file *file); ++#endif ++ #if ELF_EXEC_PAGESIZE > PAGE_SIZE #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE #else -@@ -79,6 +84,11 @@ static struct linux_binfmt elf_format = { +@@ -79,6 +88,15 @@ static struct linux_binfmt elf_format = { .load_binary = load_elf_binary, .load_shlib = load_elf_library, .core_dump = elf_core_dump, @@ -49404,10 +50686,14 @@ index 86af964..5d53bf6 100644 + .handle_mprotect= elf_handle_mprotect, +#endif + ++#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG ++ .handle_mmap = elf_handle_mmap, ++#endif ++ .min_coredump = ELF_EXEC_PAGESIZE, }; -@@ -86,6 +96,8 @@ static struct linux_binfmt elf_format = { +@@ -86,6 +104,8 @@ static struct linux_binfmt elf_format = { static int set_brk(unsigned long start, unsigned long end) { @@ -49416,7 +50702,7 @@ index 86af964..5d53bf6 100644 start = ELF_PAGEALIGN(start); end = ELF_PAGEALIGN(end); if (end > start) { -@@ -94,7 +106,7 @@ static int set_brk(unsigned long start, unsigned long end) +@@ -94,7 +114,7 @@ static int set_brk(unsigned long start, unsigned long end) if (BAD_ADDR(addr)) return addr; } @@ -49425,7 +50711,7 @@ index 86af964..5d53bf6 100644 return 0; } -@@ -155,12 +167,13 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec, +@@ -155,12 +175,13 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec, elf_addr_t __user *u_rand_bytes; const char *k_platform = ELF_PLATFORM; const char *k_base_platform = ELF_BASE_PLATFORM; @@ -49440,22 +50726,22 @@ index 86af964..5d53bf6 100644 /* * In some cases (e.g. Hyper-Threading), we want to avoid L1 -@@ -202,8 +215,12 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec, +@@ -202,8 +223,12 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec, * Generate 16 random bytes for userspace PRNG seeding. */ get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes)); - u_rand_bytes = (elf_addr_t __user *) - STACK_ALLOC(p, sizeof(k_rand_bytes)); -+ srandom32(k_rand_bytes[0] ^ random32()); -+ srandom32(k_rand_bytes[1] ^ random32()); -+ srandom32(k_rand_bytes[2] ^ random32()); -+ srandom32(k_rand_bytes[3] ^ random32()); ++ prandom_seed(k_rand_bytes[0] ^ prandom_u32()); ++ prandom_seed(k_rand_bytes[1] ^ prandom_u32()); ++ prandom_seed(k_rand_bytes[2] ^ prandom_u32()); ++ prandom_seed(k_rand_bytes[3] ^ prandom_u32()); + p = STACK_ROUND(p, sizeof(k_rand_bytes)); + u_rand_bytes = (elf_addr_t __user *) p; if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes))) return -EFAULT; -@@ -315,9 +332,11 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec, +@@ -318,9 +343,11 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec, return -EFAULT; current->mm->env_end = p; @@ -49468,7 +50754,7 @@ index 86af964..5d53bf6 100644 return -EFAULT; return 0; } -@@ -385,15 +404,14 @@ static unsigned long total_mapping_size(struct elf_phdr *cmds, int nr) +@@ -388,15 +415,14 @@ static unsigned long total_mapping_size(struct elf_phdr *cmds, int nr) an ELF header */ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex, @@ -49487,7 +50773,7 @@ index 86af964..5d53bf6 100644 unsigned long total_size; int retval, i, size; -@@ -439,6 +457,11 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex, +@@ -442,6 +468,11 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex, goto out_close; } @@ -49499,7 +50785,7 @@ index 86af964..5d53bf6 100644 eppnt = elf_phdata; for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) { if (eppnt->p_type == PT_LOAD) { -@@ -462,8 +485,6 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex, +@@ -465,8 +496,6 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex, map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type, total_size); total_size = 0; @@ -49508,7 +50794,7 @@ index 86af964..5d53bf6 100644 error = map_addr; if (BAD_ADDR(map_addr)) goto out_close; -@@ -482,8 +503,8 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex, +@@ -485,8 +514,8 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex, k = load_addr + eppnt->p_vaddr; if (BAD_ADDR(k) || eppnt->p_filesz > eppnt->p_memsz || @@ -49519,7 +50805,7 @@ index 86af964..5d53bf6 100644 error = -ENOMEM; goto out_close; } -@@ -535,6 +556,315 @@ out: +@@ -538,6 +567,315 @@ out: return error; } @@ -49835,7 +51121,7 @@ index 86af964..5d53bf6 100644 /* * These are the functions used to load ELF style executables and shared * libraries. There is no binary dependent code anywhere else. -@@ -551,6 +881,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top) +@@ -554,6 +892,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top) { unsigned int random_variable = 0; @@ -49847,7 +51133,7 @@ index 86af964..5d53bf6 100644 if ((current->flags & PF_RANDOMIZE) && !(current->personality & ADDR_NO_RANDOMIZE)) { random_variable = get_random_int() & STACK_RND_MASK; -@@ -569,7 +904,7 @@ static int load_elf_binary(struct linux_binprm *bprm) +@@ -572,7 +915,7 @@ static int load_elf_binary(struct linux_binprm *bprm) unsigned long load_addr = 0, load_bias = 0; int load_addr_set = 0; char * elf_interpreter = NULL; @@ -49856,7 +51142,7 @@ index 86af964..5d53bf6 100644 struct elf_phdr *elf_ppnt, *elf_phdata; unsigned long elf_bss, elf_brk; int retval, i; -@@ -579,12 +914,12 @@ static int load_elf_binary(struct linux_binprm *bprm) +@@ -582,12 +925,12 @@ static int load_elf_binary(struct linux_binprm *bprm) unsigned long start_code, end_code, start_data, end_data; unsigned long reloc_func_desc __maybe_unused = 0; int executable_stack = EXSTACK_DEFAULT; @@ -49870,7 +51156,7 @@ index 86af964..5d53bf6 100644 loc = kmalloc(sizeof(*loc), GFP_KERNEL); if (!loc) { -@@ -720,11 +1055,81 @@ static int load_elf_binary(struct linux_binprm *bprm) +@@ -723,11 +1066,81 @@ static int load_elf_binary(struct linux_binprm *bprm) goto out_free_dentry; /* OK, This is the point of no return */ @@ -49953,7 +51239,7 @@ index 86af964..5d53bf6 100644 if (elf_read_implies_exec(loc->elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC; -@@ -815,6 +1220,20 @@ static int load_elf_binary(struct linux_binprm *bprm) +@@ -819,6 +1232,20 @@ static int load_elf_binary(struct linux_binprm *bprm) #else load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr); #endif @@ -49974,7 +51260,7 @@ index 86af964..5d53bf6 100644 } error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, -@@ -847,9 +1266,9 @@ static int load_elf_binary(struct linux_binprm *bprm) +@@ -851,9 +1278,9 @@ static int load_elf_binary(struct linux_binprm *bprm) * allowed task size. Note that p_filesz must always be * <= p_memsz so it is only necessary to check p_memsz. */ @@ -49987,7 +51273,7 @@ index 86af964..5d53bf6 100644 /* set_brk can never work. Avoid overflows. */ send_sig(SIGKILL, current, 0); retval = -EINVAL; -@@ -888,17 +1307,45 @@ static int load_elf_binary(struct linux_binprm *bprm) +@@ -892,17 +1319,45 @@ static int load_elf_binary(struct linux_binprm *bprm) goto out_free_dentry; } if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) { @@ -50001,8 +51287,6 @@ index 86af964..5d53bf6 100644 + */ } -- if (elf_interpreter) { -- unsigned long interp_map_addr = 0; +#ifdef CONFIG_PAX_RANDMMAP + if (current->mm->pax_flags & MF_PAX_RANDMMAP) { + unsigned long start, size, flags; @@ -50012,7 +51296,7 @@ index 86af964..5d53bf6 100644 + size = PAGE_SIZE + ((pax_get_random_long() & ((1UL << 22) - 1UL)) << 4); + flags = MAP_FIXED | MAP_PRIVATE; + vm_flags = VM_DONTEXPAND | VM_DONTDUMP; - ++ + down_write(¤t->mm->mmap_sem); + start = get_unmapped_area(NULL, start, PAGE_ALIGN(size), 0, flags); + retval = -ENOMEM; @@ -50032,14 +51316,16 @@ index 86af964..5d53bf6 100644 + } +#endif + -+ if (elf_interpreter) { + if (elf_interpreter) { +- unsigned long interp_map_addr = 0; +- elf_entry = load_elf_interp(&loc->interp_elf_ex, interpreter, - &interp_map_addr, load_bias); if (!IS_ERR((void *)elf_entry)) { /* -@@ -1120,7 +1567,7 @@ static bool always_dump_vma(struct vm_area_struct *vma) +@@ -1124,7 +1579,7 @@ static bool always_dump_vma(struct vm_area_struct *vma) * Decide what to dump of a segment, part, all or none. */ static unsigned long vma_dump_size(struct vm_area_struct *vma, @@ -50048,7 +51334,7 @@ index 86af964..5d53bf6 100644 { #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type)) -@@ -1158,7 +1605,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, +@@ -1162,7 +1617,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, if (vma->vm_file == NULL) return 0; @@ -50057,7 +51343,7 @@ index 86af964..5d53bf6 100644 goto whole; /* -@@ -1383,9 +1830,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) +@@ -1387,9 +1842,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) { elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv; int i = 0; @@ -50069,7 +51355,7 @@ index 86af964..5d53bf6 100644 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv); } -@@ -1394,7 +1841,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata, +@@ -1398,7 +1853,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata, { mm_segment_t old_fs = get_fs(); set_fs(KERNEL_DS); @@ -50078,7 +51364,7 @@ index 86af964..5d53bf6 100644 set_fs(old_fs); fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata); } -@@ -2015,14 +2462,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, +@@ -2019,14 +2474,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, } static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma, @@ -50095,7 +51381,7 @@ index 86af964..5d53bf6 100644 return size; } -@@ -2116,7 +2563,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2119,7 +2574,7 @@ static int elf_core_dump(struct coredump_params *cprm) dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE); @@ -50104,7 +51390,7 @@ index 86af964..5d53bf6 100644 offset += elf_core_extra_data_size(); e_shoff = offset; -@@ -2130,10 +2577,12 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2133,10 +2588,12 @@ static int elf_core_dump(struct coredump_params *cprm) offset = dataoff; size += sizeof(*elf); @@ -50117,7 +51403,7 @@ index 86af964..5d53bf6 100644 if (size > cprm->limit || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note))) goto end_coredump; -@@ -2147,7 +2596,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2150,7 +2607,7 @@ static int elf_core_dump(struct coredump_params *cprm) phdr.p_offset = offset; phdr.p_vaddr = vma->vm_start; phdr.p_paddr = 0; @@ -50126,7 +51412,7 @@ index 86af964..5d53bf6 100644 phdr.p_memsz = vma->vm_end - vma->vm_start; offset += phdr.p_filesz; phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0; -@@ -2158,6 +2607,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2161,6 +2618,7 @@ static int elf_core_dump(struct coredump_params *cprm) phdr.p_align = ELF_EXEC_PAGESIZE; size += sizeof(phdr); @@ -50134,7 +51420,7 @@ index 86af964..5d53bf6 100644 if (size > cprm->limit || !dump_write(cprm->file, &phdr, sizeof(phdr))) goto end_coredump; -@@ -2182,7 +2632,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2185,7 +2643,7 @@ static int elf_core_dump(struct coredump_params *cprm) unsigned long addr; unsigned long end; @@ -50143,7 +51429,7 @@ index 86af964..5d53bf6 100644 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) { struct page *page; -@@ -2191,6 +2641,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2194,6 +2652,7 @@ static int elf_core_dump(struct coredump_params *cprm) page = get_dump_page(addr); if (page) { void *kaddr = kmap(page); @@ -50151,7 +51437,7 @@ index 86af964..5d53bf6 100644 stop = ((size += PAGE_SIZE) > cprm->limit) || !dump_write(cprm->file, kaddr, PAGE_SIZE); -@@ -2208,6 +2659,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2211,6 +2670,7 @@ static int elf_core_dump(struct coredump_params *cprm) if (e_phnum == PN_XNUM) { size += sizeof(*shdr4extnum); @@ -50159,7 +51445,7 @@ index 86af964..5d53bf6 100644 if (size > cprm->limit || !dump_write(cprm->file, shdr4extnum, sizeof(*shdr4extnum))) -@@ -2228,6 +2680,97 @@ out: +@@ -2231,6 +2691,167 @@ out: #endif /* CONFIG_ELF_CORE */ @@ -50179,7 +51465,7 @@ index 86af964..5d53bf6 100644 + unsigned long oldflags; + bool is_textrel_rw, is_textrel_rx, is_relro; + -+ if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT)) ++ if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT) || !vma->vm_file) + return; + + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ); @@ -50187,15 +51473,15 @@ index 86af964..5d53bf6 100644 + +#ifdef CONFIG_PAX_ELFRELOCS + /* possible TEXTREL */ -+ is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ); -+ is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ); ++ is_textrel_rw = !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ); ++ is_textrel_rx = vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ); +#else + is_textrel_rw = false; + is_textrel_rx = false; +#endif + + /* possible RELRO */ -+ is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ); ++ is_relro = vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ); + + if (!is_textrel_rw && !is_textrel_rx && !is_relro) + return; @@ -50227,9 +51513,9 @@ index 86af964..5d53bf6 100644 + elf_dyn dyn; + + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn))) -+ return; ++ break; + if (dyn.d_tag == DT_NULL) -+ return; ++ break; + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) { + gr_log_textrel(vma); + if (is_textrel_rw) @@ -50237,19 +51523,89 @@ index 86af964..5d53bf6 100644 + else + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */ + vma->vm_flags &= ~VM_MAYWRITE; -+ return; ++ break; + } + i++; + } -+ return; ++ is_textrel_rw = false; ++ is_textrel_rx = false; ++ continue; + + case PT_GNU_RELRO: + if (!is_relro) + continue; + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start) + vma->vm_flags &= ~VM_MAYWRITE; -+ return; ++ is_relro = false; ++ continue; ++ ++#ifdef CONFIG_PAX_PT_PAX_FLAGS ++ case PT_PAX_FLAGS: { ++ const char *msg_mprotect = "", *msg_emutramp = ""; ++ char *buffer_lib, *buffer_exe; ++ ++ if (elf_p.p_flags & PF_NOMPROTECT) ++ msg_mprotect = "MPROTECT disabled"; ++ ++#ifdef CONFIG_PAX_EMUTRAMP ++ if (!(vma->vm_mm->pax_flags & MF_PAX_EMUTRAMP) && !(elf_p.p_flags & PF_NOEMUTRAMP)) ++ msg_emutramp = "EMUTRAMP enabled"; ++#endif ++ ++ if (!msg_mprotect[0] && !msg_emutramp[0]) ++ continue; ++ ++ if (!printk_ratelimit()) ++ continue; ++ ++ buffer_lib = (char *)__get_free_page(GFP_KERNEL); ++ buffer_exe = (char *)__get_free_page(GFP_KERNEL); ++ if (buffer_lib && buffer_exe) { ++ char *path_lib, *path_exe; ++ ++ path_lib = pax_get_path(&vma->vm_file->f_path, buffer_lib, PAGE_SIZE); ++ path_exe = pax_get_path(&vma->vm_mm->exe_file->f_path, buffer_exe, PAGE_SIZE); ++ ++ pr_info("PAX: %s wants %s%s%s on %s\n", path_lib, msg_mprotect, ++ (msg_mprotect[0] && msg_emutramp[0] ? " and " : ""), msg_emutramp, path_exe); ++ ++ } ++ free_page((unsigned long)buffer_exe); ++ free_page((unsigned long)buffer_lib); ++ continue; + } ++#endif ++ ++ } ++ } ++} ++#endif ++ ++#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG ++ ++extern int grsec_enable_log_rwxmaps; ++ ++static void elf_handle_mmap(struct file *file) ++{ ++ struct elfhdr elf_h; ++ struct elf_phdr elf_p; ++ unsigned long i; ++ ++ if (!grsec_enable_log_rwxmaps) ++ return; ++ ++ if (sizeof(elf_h) != kernel_read(file, 0UL, (char *)&elf_h, sizeof(elf_h)) || ++ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) || ++ (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC) || !elf_check_arch(&elf_h) || ++ elf_h.e_phentsize != sizeof(struct elf_phdr) || ++ elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr)) ++ return; ++ ++ for (i = 0UL; i < elf_h.e_phnum; i++) { ++ if (sizeof(elf_p) != kernel_read(file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p))) ++ return; ++ if (elf_p.p_type == PT_GNU_STACK && (elf_p.p_flags & PF_X)) ++ gr_log_ptgnustack(file); + } +} +#endif @@ -50258,10 +51614,10 @@ index 86af964..5d53bf6 100644 { register_binfmt(&elf_format); diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c -index 2036d21..b0430d0 100644 +index d50bbe5..af3b649 100644 --- a/fs/binfmt_flat.c +++ b/fs/binfmt_flat.c -@@ -562,7 +562,9 @@ static int load_flat_file(struct linux_binprm * bprm, +@@ -566,7 +566,9 @@ static int load_flat_file(struct linux_binprm * bprm, realdatastart = (unsigned long) -ENOMEM; printk("Unable to allocate RAM for process data, errno %d\n", (int)-realdatastart); @@ -50271,7 +51627,7 @@ index 2036d21..b0430d0 100644 ret = realdatastart; goto err; } -@@ -586,8 +588,10 @@ static int load_flat_file(struct linux_binprm * bprm, +@@ -590,8 +592,10 @@ static int load_flat_file(struct linux_binprm * bprm, } if (IS_ERR_VALUE(result)) { printk("Unable to read data+bss, errno %d\n", (int)-result); @@ -50282,7 +51638,7 @@ index 2036d21..b0430d0 100644 ret = result; goto err; } -@@ -654,8 +658,10 @@ static int load_flat_file(struct linux_binprm * bprm, +@@ -653,8 +657,10 @@ static int load_flat_file(struct linux_binprm * bprm, } if (IS_ERR_VALUE(result)) { printk("Unable to read code+data+bss, errno %d\n",(int)-result); @@ -50294,10 +51650,10 @@ index 2036d21..b0430d0 100644 goto err; } diff --git a/fs/bio.c b/fs/bio.c -index b96fc6c..431d628 100644 +index 94bbc04..6fe78a4 100644 --- a/fs/bio.c +++ b/fs/bio.c -@@ -818,7 +818,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q, +@@ -1096,7 +1096,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q, /* * Overflow, abort */ @@ -50306,7 +51662,7 @@ index b96fc6c..431d628 100644 return ERR_PTR(-EINVAL); nr_pages += end - start; -@@ -952,7 +952,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q, +@@ -1230,7 +1230,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q, /* * Overflow, abort */ @@ -50315,46 +51671,20 @@ index b96fc6c..431d628 100644 return ERR_PTR(-EINVAL); nr_pages += end - start; -@@ -1214,7 +1214,7 @@ static void bio_copy_kern_endio(struct bio *bio, int err) +@@ -1492,7 +1492,7 @@ static void bio_copy_kern_endio(struct bio *bio, int err) const int read = bio_data_dir(bio) == READ; struct bio_map_data *bmd = bio->bi_private; int i; - char *p = bmd->sgvecs[0].iov_base; + char *p = (char __force_kernel *)bmd->sgvecs[0].iov_base; - __bio_for_each_segment(bvec, bio, i, 0) { + bio_for_each_segment_all(bvec, bio, i) { char *addr = page_address(bvec->bv_page); diff --git a/fs/block_dev.c b/fs/block_dev.c -index aae187a..8325c5d 100644 +index 85f5c85..d6f0b1a 100644 --- a/fs/block_dev.c +++ b/fs/block_dev.c -@@ -57,17 +57,24 @@ static void bdev_inode_switch_bdi(struct inode *inode, - struct backing_dev_info *dst) - { - struct backing_dev_info *old = inode->i_data.backing_dev_info; -+ bool wakeup_bdi = false; - - if (unlikely(dst == old)) /* deadlock avoidance */ - return; - bdi_lock_two(&old->wb, &dst->wb); - spin_lock(&inode->i_lock); - inode->i_data.backing_dev_info = dst; -- if (inode->i_state & I_DIRTY) -+ if (inode->i_state & I_DIRTY) { -+ if (bdi_cap_writeback_dirty(dst) && !wb_has_dirty_io(&dst->wb)) -+ wakeup_bdi = true; - list_move(&inode->i_wb_list, &dst->wb.b_dirty); -+ } - spin_unlock(&inode->i_lock); - spin_unlock(&old->wb.list_lock); - spin_unlock(&dst->wb.list_lock); -+ -+ if (wakeup_bdi) -+ bdi_wakeup_thread_delayed(dst); - } - - /* Kill _all_ buffers and pagecache , dirty or not.. */ -@@ -652,7 +659,7 @@ static bool bd_may_claim(struct block_device *bdev, struct block_device *whole, +@@ -658,7 +658,7 @@ static bool bd_may_claim(struct block_device *bdev, struct block_device *whole, else if (bdev->bd_contains == bdev) return true; /* is a whole device which isn't held */ @@ -50364,10 +51694,10 @@ index aae187a..8325c5d 100644 else if (whole->bd_holder != NULL) return false; /* is a partition of a held device */ diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c -index 7a983f7..c73ee93 100644 +index 7fb054b..ad36c67 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c -@@ -1036,9 +1036,12 @@ static noinline int __btrfs_cow_block(struct btrfs_trans_handle *trans, +@@ -1076,9 +1076,12 @@ static noinline int __btrfs_cow_block(struct btrfs_trans_handle *trans, free_extent_buffer(buf); add_root_to_dirty_list(root); } else { @@ -50384,10 +51714,10 @@ index 7a983f7..c73ee93 100644 WARN_ON(trans->transid != btrfs_header_generation(parent)); diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c -index f49b62f..07834ab 100644 +index 0f81d67..0ad55fe 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c -@@ -3077,9 +3077,12 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) +@@ -3084,9 +3084,12 @@ static long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) for (i = 0; i < num_types; i++) { struct btrfs_space_info *tmp; @@ -50400,7 +51730,7 @@ index f49b62f..07834ab 100644 info = NULL; rcu_read_lock(); list_for_each_entry_rcu(tmp, &root->fs_info->space_info, -@@ -3101,10 +3104,7 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) +@@ -3108,10 +3111,7 @@ static long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) memcpy(dest, &space, sizeof(space)); dest++; space_args.total_spaces++; @@ -50412,11 +51742,11 @@ index f49b62f..07834ab 100644 up_read(&info->groups_sem); } diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c -index f6b8859..54fe8c5 100644 +index f0857e0..e7023c5 100644 --- a/fs/btrfs/super.c +++ b/fs/btrfs/super.c -@@ -266,7 +266,7 @@ void __btrfs_abort_transaction(struct btrfs_trans_handle *trans, - function, line, errstr); +@@ -265,7 +265,7 @@ void __btrfs_abort_transaction(struct btrfs_trans_handle *trans, + function, line, errstr); return; } - ACCESS_ONCE(trans->transaction->aborted) = errno; @@ -50424,6 +51754,19 @@ index f6b8859..54fe8c5 100644 __btrfs_std_error(root->fs_info, function, line, errno, NULL); } /* +diff --git a/fs/buffer.c b/fs/buffer.c +index d2a4d1b..df798ca 100644 +--- a/fs/buffer.c ++++ b/fs/buffer.c +@@ -3367,7 +3367,7 @@ void __init buffer_init(void) + bh_cachep = kmem_cache_create("buffer_head", + sizeof(struct buffer_head), 0, + (SLAB_RECLAIM_ACCOUNT|SLAB_PANIC| +- SLAB_MEM_SPREAD), ++ SLAB_MEM_SPREAD|SLAB_NO_SANITIZE), + NULL); + + /* diff --git a/fs/cachefiles/bind.c b/fs/cachefiles/bind.c index 622f469..e8d2d55 100644 --- a/fs/cachefiles/bind.c @@ -50566,10 +51909,10 @@ index eccd339..4c1d995 100644 return 0; diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c -index 4809922..aab2c39 100644 +index 317f9ee..3d24511 100644 --- a/fs/cachefiles/rdwr.c +++ b/fs/cachefiles/rdwr.c -@@ -965,7 +965,7 @@ int cachefiles_write_page(struct fscache_storage *op, struct page *page) +@@ -966,7 +966,7 @@ int cachefiles_write_page(struct fscache_storage *op, struct page *page) old_fs = get_fs(); set_fs(KERNEL_DS); ret = file->f_op->write( @@ -50577,9 +51920,9 @@ index 4809922..aab2c39 100644 + file, (const void __force_user *) data, len, &pos); set_fs(old_fs); kunmap(page); - if (ret != len) + file_end_write(file); diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c -index 6d797f4..0ace2e5 100644 +index f02d82b..2632cf86 100644 --- a/fs/ceph/dir.c +++ b/fs/ceph/dir.c @@ -243,7 +243,7 @@ static int ceph_readdir(struct file *filp, void *dirent, filldir_t filldir) @@ -50592,10 +51935,10 @@ index 6d797f4..0ace2e5 100644 u32 ftype; struct ceph_mds_reply_info_parsed *rinfo; diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c -index d9ea6ed..1e6c8ac 100644 +index d597483..747901b 100644 --- a/fs/cifs/cifs_debug.c +++ b/fs/cifs/cifs_debug.c -@@ -267,8 +267,8 @@ static ssize_t cifs_stats_proc_write(struct file *file, +@@ -284,8 +284,8 @@ static ssize_t cifs_stats_proc_write(struct file *file, if (c == '1' || c == 'y' || c == 'Y' || c == '0') { #ifdef CONFIG_CIFS_STATS2 @@ -50606,7 +51949,7 @@ index d9ea6ed..1e6c8ac 100644 #endif /* CONFIG_CIFS_STATS2 */ spin_lock(&cifs_tcp_ses_lock); list_for_each(tmp1, &cifs_tcp_ses_list) { -@@ -281,7 +281,7 @@ static ssize_t cifs_stats_proc_write(struct file *file, +@@ -298,7 +298,7 @@ static ssize_t cifs_stats_proc_write(struct file *file, tcon = list_entry(tmp3, struct cifs_tcon, tcon_list); @@ -50615,7 +51958,7 @@ index d9ea6ed..1e6c8ac 100644 if (server->ops->clear_stats) server->ops->clear_stats(tcon); } -@@ -313,8 +313,8 @@ static int cifs_stats_proc_show(struct seq_file *m, void *v) +@@ -330,8 +330,8 @@ static int cifs_stats_proc_show(struct seq_file *m, void *v) smBufAllocCount.counter, cifs_min_small); #ifdef CONFIG_CIFS_STATS2 seq_printf(m, "Total Large %d Small %d Allocations\n", @@ -50626,7 +51969,7 @@ index d9ea6ed..1e6c8ac 100644 #endif /* CONFIG_CIFS_STATS2 */ seq_printf(m, "Operations (MIDs): %d\n", atomic_read(&midCount)); -@@ -343,7 +343,7 @@ static int cifs_stats_proc_show(struct seq_file *m, void *v) +@@ -360,7 +360,7 @@ static int cifs_stats_proc_show(struct seq_file *m, void *v) if (tcon->need_reconnect) seq_puts(m, "\tDISCONNECTED "); seq_printf(m, "\nSMBs: %d", @@ -50636,11 +51979,11 @@ index d9ea6ed..1e6c8ac 100644 server->ops->print_stats(m, tcon); } diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c -index 345fc89..b2acae5 100644 +index 3752b9f..8db5569 100644 --- a/fs/cifs/cifsfs.c +++ b/fs/cifs/cifsfs.c -@@ -1033,7 +1033,7 @@ cifs_init_request_bufs(void) - /* cERROR(1, "CIFSMaxBufSize %d 0x%x",CIFSMaxBufSize,CIFSMaxBufSize); */ +@@ -1035,7 +1035,7 @@ cifs_init_request_bufs(void) + */ cifs_req_cachep = kmem_cache_create("cifs_request", CIFSMaxBufSize + max_hdr_size, 0, - SLAB_HWCACHE_ALIGN, NULL); @@ -50648,7 +51991,7 @@ index 345fc89..b2acae5 100644 if (cifs_req_cachep == NULL) return -ENOMEM; -@@ -1060,7 +1060,7 @@ cifs_init_request_bufs(void) +@@ -1062,7 +1062,7 @@ cifs_init_request_bufs(void) efficient to alloc 1 per page off the slab compared to 17K (5page) alloc of large cifs buffers even when page debugging is on */ cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq", @@ -50657,7 +52000,7 @@ index 345fc89..b2acae5 100644 NULL); if (cifs_sm_req_cachep == NULL) { mempool_destroy(cifs_req_poolp); -@@ -1145,8 +1145,8 @@ init_cifs(void) +@@ -1147,8 +1147,8 @@ init_cifs(void) atomic_set(&bufAllocCount, 0); atomic_set(&smBufAllocCount, 0); #ifdef CONFIG_CIFS_STATS2 @@ -50669,10 +52012,10 @@ index 345fc89..b2acae5 100644 atomic_set(&midCount, 0); diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h -index 4f07f6f..55de8ce 100644 +index ea3a0b3..0194e39 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h -@@ -751,35 +751,35 @@ struct cifs_tcon { +@@ -752,35 +752,35 @@ struct cifs_tcon { __u16 Flags; /* optional support bits */ enum statusEnum tidStatus; #ifdef CONFIG_CIFS_STATS @@ -50732,7 +52075,7 @@ index 4f07f6f..55de8ce 100644 } smb2_stats; #endif /* CONFIG_CIFS_SMB2 */ } stats; -@@ -1080,7 +1080,7 @@ convert_delimiter(char *path, char delim) +@@ -1081,7 +1081,7 @@ convert_delimiter(char *path, char delim) } #ifdef CONFIG_CIFS_STATS @@ -50741,7 +52084,7 @@ index 4f07f6f..55de8ce 100644 static inline void cifs_stats_bytes_written(struct cifs_tcon *tcon, unsigned int bytes) -@@ -1445,8 +1445,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnectCount; +@@ -1446,8 +1446,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnectCount; /* Various Debug counters */ GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */ #ifdef CONFIG_CIFS_STATS2 @@ -50753,7 +52096,7 @@ index 4f07f6f..55de8ce 100644 GLOBAL_EXTERN atomic_t smBufAllocCount; GLOBAL_EXTERN atomic_t midCount; diff --git a/fs/cifs/link.c b/fs/cifs/link.c -index 9f6c4c4..8de307a 100644 +index b83c3f5..6437caa 100644 --- a/fs/cifs/link.c +++ b/fs/cifs/link.c @@ -616,7 +616,7 @@ symlink_exit: @@ -50766,7 +52109,7 @@ index 9f6c4c4..8de307a 100644 kfree(p); } diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c -index 1b15bf8..1ce489e 100644 +index 1bec014..f329411 100644 --- a/fs/cifs/misc.c +++ b/fs/cifs/misc.c @@ -169,7 +169,7 @@ cifs_buf_get(void) @@ -50788,10 +52131,10 @@ index 1b15bf8..1ce489e 100644 } diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c -index 47bc5a8..10decbe 100644 +index 3efdb9d..e845a5e 100644 --- a/fs/cifs/smb1ops.c +++ b/fs/cifs/smb1ops.c -@@ -586,27 +586,27 @@ static void +@@ -591,27 +591,27 @@ static void cifs_clear_stats(struct cifs_tcon *tcon) { #ifdef CONFIG_CIFS_STATS @@ -50840,7 +52183,7 @@ index 47bc5a8..10decbe 100644 #endif } -@@ -615,36 +615,36 @@ cifs_print_stats(struct seq_file *m, struct cifs_tcon *tcon) +@@ -620,36 +620,36 @@ cifs_print_stats(struct seq_file *m, struct cifs_tcon *tcon) { #ifdef CONFIG_CIFS_STATS seq_printf(m, " Oplocks breaks: %d", @@ -50897,7 +52240,7 @@ index 47bc5a8..10decbe 100644 } diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c -index bceffe7..cd1ae59 100644 +index f2e76f3..c44fac7 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -274,8 +274,8 @@ smb2_clear_stats(struct cifs_tcon *tcon) @@ -51019,13 +52362,13 @@ index bceffe7..cd1ae59 100644 } diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c -index 41d9d07..dbb4772 100644 +index 2b95ce2..d079d75 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c -@@ -1761,8 +1761,7 @@ SMB2_query_directory(const unsigned int xid, struct cifs_tcon *tcon, +@@ -1760,8 +1760,7 @@ SMB2_query_directory(const unsigned int xid, struct cifs_tcon *tcon, default: - cERROR(1, "info level %u isn't supported", - srch_inf->info_level); + cifs_dbg(VFS, "info level %u isn't supported\n", + srch_inf->info_level); - rc = -EINVAL; - goto qdir_exit; + return -EINVAL; @@ -51081,7 +52424,7 @@ index 1da168c..8bc7ff6 100644 return hit; diff --git a/fs/compat.c b/fs/compat.c -index d487985..c9e04b1 100644 +index fc3b55d..7b568ae 100644 --- a/fs/compat.c +++ b/fs/compat.c @@ -54,7 +54,7 @@ @@ -51093,7 +52436,7 @@ index d487985..c9e04b1 100644 int compat_printk(const char *fmt, ...) { -@@ -490,7 +490,7 @@ compat_sys_io_setup(unsigned nr_reqs, u32 __user *ctx32p) +@@ -488,7 +488,7 @@ compat_sys_io_setup(unsigned nr_reqs, u32 __user *ctx32p) set_fs(KERNEL_DS); /* The __user pointer cast is valid because of the set_fs() */ @@ -51102,7 +52445,7 @@ index d487985..c9e04b1 100644 set_fs(oldfs); /* truncating is ok because it's a user address */ if (!ret) -@@ -548,7 +548,7 @@ ssize_t compat_rw_copy_check_uvector(int type, +@@ -546,7 +546,7 @@ ssize_t compat_rw_copy_check_uvector(int type, goto out; ret = -EINVAL; @@ -51111,7 +52454,7 @@ index d487985..c9e04b1 100644 goto out; if (nr_segs > fast_segs) { ret = -ENOMEM; -@@ -835,6 +835,7 @@ struct compat_old_linux_dirent { +@@ -833, |