* [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.32/, 3.2.46/, 3.9.6/, 3.9.5/, 3.2.47/
@ 2013-06-21 0:40 Anthony G. Basile
0 siblings, 0 replies; only message in thread
From: Anthony G. Basile @ 2013-06-21 0:40 UTC (permalink / raw
To: gentoo-commits
commit: 845d88931e05031ae2fad88e07f2614be2f698b8
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Fri Jun 21 00:40:47 2013 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Fri Jun 21 00:40:47 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=845d8893
Grsec/PaX: 2.9.1-{2.6.32.61,3.2.47,3.9.6}-201306182033
---
2.6.32/0000_README | 2 +-
..._grsecurity-2.9.1-2.6.32.61-201306171902.patch} | 104 +-
{3.2.46 => 3.2.47}/0000_README | 6 +-
{3.2.46 => 3.2.47}/1021_linux-3.2.22.patch | 0
{3.2.46 => 3.2.47}/1022_linux-3.2.23.patch | 0
{3.2.46 => 3.2.47}/1023_linux-3.2.24.patch | 0
{3.2.46 => 3.2.47}/1024_linux-3.2.25.patch | 0
{3.2.46 => 3.2.47}/1025_linux-3.2.26.patch | 0
{3.2.46 => 3.2.47}/1026_linux-3.2.27.patch | 0
{3.2.46 => 3.2.47}/1027_linux-3.2.28.patch | 0
{3.2.46 => 3.2.47}/1028_linux-3.2.29.patch | 0
{3.2.46 => 3.2.47}/1029_linux-3.2.30.patch | 0
{3.2.46 => 3.2.47}/1030_linux-3.2.31.patch | 0
{3.2.46 => 3.2.47}/1031_linux-3.2.32.patch | 0
{3.2.46 => 3.2.47}/1032_linux-3.2.33.patch | 0
{3.2.46 => 3.2.47}/1033_linux-3.2.34.patch | 0
{3.2.46 => 3.2.47}/1034_linux-3.2.35.patch | 0
{3.2.46 => 3.2.47}/1035_linux-3.2.36.patch | 0
{3.2.46 => 3.2.47}/1036_linux-3.2.37.patch | 0
{3.2.46 => 3.2.47}/1037_linux-3.2.38.patch | 0
{3.2.46 => 3.2.47}/1038_linux-3.2.39.patch | 0
{3.2.46 => 3.2.47}/1039_linux-3.2.40.patch | 0
{3.2.46 => 3.2.47}/1040_linux-3.2.41.patch | 0
{3.2.46 => 3.2.47}/1041_linux-3.2.42.patch | 0
{3.2.46 => 3.2.47}/1042_linux-3.2.43.patch | 0
{3.2.46 => 3.2.47}/1043_linux-3.2.44.patch | 0
{3.2.46 => 3.2.47}/1044_linux-3.2.45.patch | 0
{3.2.46 => 3.2.47}/1045_linux-3.2.46.patch | 0
3.2.47/1046_linux-3.2.47.patch | 3314 ++++++++++++++++++++
...4420_grsecurity-2.9.1-3.2.47-201306191807.patch | 1372 ++++++--
{3.2.46 => 3.2.47}/4425_grsec_remove_EI_PAX.patch | 0
.../4427_force_XATTR_PAX_tmpfs.patch | 0
.../4430_grsec-remove-localversion-grsec.patch | 0
{3.2.46 => 3.2.47}/4435_grsec-mute-warnings.patch | 0
.../4440_grsec-remove-protected-paths.patch | 0
.../4450_grsec-kconfig-default-gids.patch | 0
.../4465_selinux-avc_audit-log-curr_ip.patch | 0
{3.2.46 => 3.2.47}/4470_disable-compat_vdso.patch | 0
{3.2.46 => 3.2.47}/4475_emutramp_default_on.patch | 0
{3.9.5 => 3.9.6}/0000_README | 2 +-
.../4420_grsecurity-2.9.1-3.9.6-201306182033.patch | 1111 ++++++-
{3.9.5 => 3.9.6}/4425_grsec_remove_EI_PAX.patch | 0
{3.9.5 => 3.9.6}/4427_force_XATTR_PAX_tmpfs.patch | 0
.../4430_grsec-remove-localversion-grsec.patch | 0
{3.9.5 => 3.9.6}/4435_grsec-mute-warnings.patch | 0
.../4440_grsec-remove-protected-paths.patch | 0
.../4450_grsec-kconfig-default-gids.patch | 0
.../4465_selinux-avc_audit-log-curr_ip.patch | 0
{3.9.5 => 3.9.6}/4470_disable-compat_vdso.patch | 0
{3.9.5 => 3.9.6}/4475_emutramp_default_on.patch | 0
50 files changed, 5603 insertions(+), 308 deletions(-)
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 4d58a67..82857df 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -38,7 +38,7 @@ Patch: 1060_linux-2.6.32.61.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.61
-Patch: 4420_grsecurity-2.9.1-2.6.32.61-201306102216.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.61-201306171902.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306102216.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306171902.patch
similarity index 99%
rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306102216.patch
rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306171902.patch
index 7ee0064..2aa8c14 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306102216.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306171902.patch
@@ -43113,7 +43113,7 @@ index 918711a..4ffaf5e 100644
.clock_set = sgi_clock_set,
.clock_get = sgi_clock_get,
diff --git a/drivers/char/mwave/tp3780i.c b/drivers/char/mwave/tp3780i.c
-index c689697..04e6d6a 100644
+index c689697..04e6d6a2 100644
--- a/drivers/char/mwave/tp3780i.c
+++ b/drivers/char/mwave/tp3780i.c
@@ -479,6 +479,7 @@ int tp3780I_QueryAbilities(THINKPAD_BD_DATA * pBDData, MW_ABILITIES * pAbilities
@@ -64058,6 +64058,19 @@ index 80b19a4..dab3a45 100644
/* Offset of struct b43_dfs_file in struct b43_dfsentry */
size_t file_struct_offset;
};
+diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
+index 94dae56..3cf2472 100644
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -2257,7 +2257,7 @@ static int b43_request_firmware(struct b43_wldev *dev)
+ for (i = 0; i < B43_NR_FWTYPES; i++) {
+ errmsg = ctx->errors[i];
+ if (strlen(errmsg))
+- b43err(dev->wl, errmsg);
++ b43err(dev->wl, "%s", errmsg);
+ }
+ b43_print_fw_helptext(dev->wl, 1);
+ err = -ENOENT;
diff --git a/drivers/net/wireless/b43legacy/debugfs.c b/drivers/net/wireless/b43legacy/debugfs.c
index 1f85ac5..c99b4b4 100644
--- a/drivers/net/wireless/b43legacy/debugfs.c
@@ -68137,7 +68150,7 @@ index aa10f79..5cc79e4 100644
/* Used for deferred freeing of ELS data buffers */
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
-index 8d0f0de..7c77a62 100644
+index 8d0f0de..e679b1e 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -124,7 +124,7 @@ struct lpfc_debug {
@@ -68210,6 +68223,15 @@ index 8d0f0de..7c77a62 100644
dtp->jif = jiffies;
#endif
return;
+@@ -1072,7 +1074,7 @@ lpfc_debugfs_lseek(struct file *file, loff_t off, int whence)
+ pos = file->f_pos + off;
+ break;
+ case 2:
+- pos = debug->len - off;
++ pos = debug->len + off;
+ }
+ return (pos < 0 || pos > debug->len) ? -EINVAL : (file->f_pos = pos);
+ }
@@ -1364,7 +1366,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
"slow_ring buffer\n");
goto debug_failed;
@@ -102081,6 +102103,18 @@ index 0b4baba..0106e9e 100644
struct scsi_host_template {
struct module *module;
const char *name;
+diff --git a/include/scsi/scsi_netlink.h b/include/scsi/scsi_netlink.h
+index 58ce8fe..4db1438 100644
+--- a/include/scsi/scsi_netlink.h
++++ b/include/scsi/scsi_netlink.h
+@@ -22,6 +22,7 @@
+ #ifndef SCSI_NETLINK_H
+ #define SCSI_NETLINK_H
+
++#include <linux/types.h>
+ #include <linux/netlink.h>
+
+
diff --git a/include/scsi/scsi_transport_fc.h b/include/scsi/scsi_transport_fc.h
index fc50bd6..81ba9cb 100644
--- a/include/scsi/scsi_transport_fc.h
@@ -116800,7 +116834,7 @@ index b95699f..5fee919 100644
(ip_vs_sync_state & IP_VS_STATE_MASTER) &&
(((cp->protocol != IPPROTO_TCP ||
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
-index 9bcd972..1cdb215 100644
+index 9bcd972..3e98c53 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -792,7 +792,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc,
@@ -116848,7 +116882,14 @@ index 9bcd972..1cdb215 100644
};
#endif
-@@ -2292,7 +2292,7 @@ __ip_vs_get_dest_entries(const struct ip_vs_get_dests *get,
+@@ -2286,13 +2286,14 @@ __ip_vs_get_dest_entries(const struct ip_vs_get_dests *get,
+ struct ip_vs_dest *dest;
+ struct ip_vs_dest_entry entry;
+
++ memset(&entry, 0, sizeof(entry));
+ list_for_each_entry(dest, &svc->destinations, n_list) {
+ if (count >= get->num_dests)
+ break;
entry.addr = dest->addr.ip;
entry.port = dest->port;
@@ -116857,7 +116898,7 @@ index 9bcd972..1cdb215 100644
entry.weight = atomic_read(&dest->weight);
entry.u_threshold = dest->u_threshold;
entry.l_threshold = dest->l_threshold;
-@@ -2353,6 +2353,8 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+@@ -2353,6 +2354,8 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
unsigned char arg[128];
int ret = 0;
@@ -116866,7 +116907,7 @@ index 9bcd972..1cdb215 100644
if (!capable(CAP_NET_ADMIN))
return -EPERM;
-@@ -2803,7 +2805,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
+@@ -2803,7 +2806,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
@@ -117138,10 +117179,26 @@ index 7a83495..ab0062f 100644
*uaddr_len = sizeof(struct sockaddr_ax25);
}
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index 728c080..02b775c 100644
+index 728c080..ee6ea78 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
-@@ -1723,7 +1723,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+@@ -1525,12 +1525,10 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
+ return -EOPNOTSUPP;
+
+ uaddr->sa_family = AF_PACKET;
++ memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
+ dev = dev_get_by_index(sock_net(sk), pkt_sk(sk)->ifindex);
+- if (dev) {
+- strncpy(uaddr->sa_data, dev->name, 14);
+- dev_put(dev);
+- } else
+- memset(uaddr->sa_data, 0, 14);
++ if (dev)
++ strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
+ *uaddr_len = sizeof(*uaddr);
+
+ return 0;
+@@ -1723,7 +1721,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
case PACKET_DROP_MEMBERSHIP:
{
struct packet_mreq_max mreq;
@@ -117150,7 +117207,7 @@ index 728c080..02b775c 100644
memset(&mreq, 0, sizeof(mreq));
if (len < sizeof(struct packet_mreq))
return -EINVAL;
-@@ -1894,7 +1894,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -1894,7 +1892,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
case PACKET_HDRLEN:
if (len > sizeof(int))
len = sizeof(int);
@@ -117159,7 +117216,7 @@ index 728c080..02b775c 100644
return -EFAULT;
switch (val) {
case TPACKET_V1:
-@@ -2428,7 +2428,11 @@ static int packet_seq_show(struct seq_file *seq, void *v)
+@@ -2428,7 +2426,11 @@ static int packet_seq_show(struct seq_file *seq, void *v)
seq_printf(seq,
"%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
@@ -117699,6 +117756,33 @@ index bb280e6..747720f 100644
}
/* Initialize IPv6 support and register with socket layer. */
+diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
+index 23e5e97..bc423b4 100644
+--- a/net/sctp/outqueue.c
++++ b/net/sctp/outqueue.c
+@@ -203,6 +203,8 @@ static inline int sctp_cacc_skip(struct sctp_transport *primary,
+ */
+ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
+ {
++ memset(q, 0, sizeof(struct sctp_outq));
++
+ q->asoc = asoc;
+ INIT_LIST_HEAD(&q->out_chunk_list);
+ INIT_LIST_HEAD(&q->control_chunk_list);
+@@ -210,13 +212,7 @@ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
+ INIT_LIST_HEAD(&q->sacked);
+ INIT_LIST_HEAD(&q->abandoned);
+
+- q->fast_rtx = 0;
+- q->outstanding_bytes = 0;
+ q->empty = 1;
+- q->cork = 0;
+-
+- q->malloced = 0;
+- q->out_qlen = 0;
+ }
+
+ /* Free the outqueue structure and any related pending chunks.
diff --git a/net/sctp/proc.c b/net/sctp/proc.c
index d093cbf..9fc36fc 100644
--- a/net/sctp/proc.c
diff --git a/3.2.46/0000_README b/3.2.47/0000_README
similarity index 96%
rename from 3.2.46/0000_README
rename to 3.2.47/0000_README
index a0ae244..2a74306 100644
--- a/3.2.46/0000_README
+++ b/3.2.47/0000_README
@@ -102,7 +102,11 @@ Patch: 1045_linux-3.2.46.patch
From: http://www.kernel.org
Desc: Linux 3.2.46
-Patch: 4420_grsecurity-2.9.1-3.2.46-201306102217.patch
+Patch: 1046_linux-3.2.47.patch
+From: http://www.kernel.org
+Desc: Linux 3.2.47
+
+Patch: 4420_grsecurity-2.9.1-3.2.47-201306191807.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.46/1021_linux-3.2.22.patch b/3.2.47/1021_linux-3.2.22.patch
similarity index 100%
rename from 3.2.46/1021_linux-3.2.22.patch
rename to 3.2.47/1021_linux-3.2.22.patch
diff --git a/3.2.46/1022_linux-3.2.23.patch b/3.2.47/1022_linux-3.2.23.patch
similarity index 100%
rename from 3.2.46/1022_linux-3.2.23.patch
rename to 3.2.47/1022_linux-3.2.23.patch
diff --git a/3.2.46/1023_linux-3.2.24.patch b/3.2.47/1023_linux-3.2.24.patch
similarity index 100%
rename from 3.2.46/1023_linux-3.2.24.patch
rename to 3.2.47/1023_linux-3.2.24.patch
diff --git a/3.2.46/1024_linux-3.2.25.patch b/3.2.47/1024_linux-3.2.25.patch
similarity index 100%
rename from 3.2.46/1024_linux-3.2.25.patch
rename to 3.2.47/1024_linux-3.2.25.patch
diff --git a/3.2.46/1025_linux-3.2.26.patch b/3.2.47/1025_linux-3.2.26.patch
similarity index 100%
rename from 3.2.46/1025_linux-3.2.26.patch
rename to 3.2.47/1025_linux-3.2.26.patch
diff --git a/3.2.46/1026_linux-3.2.27.patch b/3.2.47/1026_linux-3.2.27.patch
similarity index 100%
rename from 3.2.46/1026_linux-3.2.27.patch
rename to 3.2.47/1026_linux-3.2.27.patch
diff --git a/3.2.46/1027_linux-3.2.28.patch b/3.2.47/1027_linux-3.2.28.patch
similarity index 100%
rename from 3.2.46/1027_linux-3.2.28.patch
rename to 3.2.47/1027_linux-3.2.28.patch
diff --git a/3.2.46/1028_linux-3.2.29.patch b/3.2.47/1028_linux-3.2.29.patch
similarity index 100%
rename from 3.2.46/1028_linux-3.2.29.patch
rename to 3.2.47/1028_linux-3.2.29.patch
diff --git a/3.2.46/1029_linux-3.2.30.patch b/3.2.47/1029_linux-3.2.30.patch
similarity index 100%
rename from 3.2.46/1029_linux-3.2.30.patch
rename to 3.2.47/1029_linux-3.2.30.patch
diff --git a/3.2.46/1030_linux-3.2.31.patch b/3.2.47/1030_linux-3.2.31.patch
similarity index 100%
rename from 3.2.46/1030_linux-3.2.31.patch
rename to 3.2.47/1030_linux-3.2.31.patch
diff --git a/3.2.46/1031_linux-3.2.32.patch b/3.2.47/1031_linux-3.2.32.patch
similarity index 100%
rename from 3.2.46/1031_linux-3.2.32.patch
rename to 3.2.47/1031_linux-3.2.32.patch
diff --git a/3.2.46/1032_linux-3.2.33.patch b/3.2.47/1032_linux-3.2.33.patch
similarity index 100%
rename from 3.2.46/1032_linux-3.2.33.patch
rename to 3.2.47/1032_linux-3.2.33.patch
diff --git a/3.2.46/1033_linux-3.2.34.patch b/3.2.47/1033_linux-3.2.34.patch
similarity index 100%
rename from 3.2.46/1033_linux-3.2.34.patch
rename to 3.2.47/1033_linux-3.2.34.patch
diff --git a/3.2.46/1034_linux-3.2.35.patch b/3.2.47/1034_linux-3.2.35.patch
similarity index 100%
rename from 3.2.46/1034_linux-3.2.35.patch
rename to 3.2.47/1034_linux-3.2.35.patch
diff --git a/3.2.46/1035_linux-3.2.36.patch b/3.2.47/1035_linux-3.2.36.patch
similarity index 100%
rename from 3.2.46/1035_linux-3.2.36.patch
rename to 3.2.47/1035_linux-3.2.36.patch
diff --git a/3.2.46/1036_linux-3.2.37.patch b/3.2.47/1036_linux-3.2.37.patch
similarity index 100%
rename from 3.2.46/1036_linux-3.2.37.patch
rename to 3.2.47/1036_linux-3.2.37.patch
diff --git a/3.2.46/1037_linux-3.2.38.patch b/3.2.47/1037_linux-3.2.38.patch
similarity index 100%
rename from 3.2.46/1037_linux-3.2.38.patch
rename to 3.2.47/1037_linux-3.2.38.patch
diff --git a/3.2.46/1038_linux-3.2.39.patch b/3.2.47/1038_linux-3.2.39.patch
similarity index 100%
rename from 3.2.46/1038_linux-3.2.39.patch
rename to 3.2.47/1038_linux-3.2.39.patch
diff --git a/3.2.46/1039_linux-3.2.40.patch b/3.2.47/1039_linux-3.2.40.patch
similarity index 100%
rename from 3.2.46/1039_linux-3.2.40.patch
rename to 3.2.47/1039_linux-3.2.40.patch
diff --git a/3.2.46/1040_linux-3.2.41.patch b/3.2.47/1040_linux-3.2.41.patch
similarity index 100%
rename from 3.2.46/1040_linux-3.2.41.patch
rename to 3.2.47/1040_linux-3.2.41.patch
diff --git a/3.2.46/1041_linux-3.2.42.patch b/3.2.47/1041_linux-3.2.42.patch
similarity index 100%
rename from 3.2.46/1041_linux-3.2.42.patch
rename to 3.2.47/1041_linux-3.2.42.patch
diff --git a/3.2.46/1042_linux-3.2.43.patch b/3.2.47/1042_linux-3.2.43.patch
similarity index 100%
rename from 3.2.46/1042_linux-3.2.43.patch
rename to 3.2.47/1042_linux-3.2.43.patch
diff --git a/3.2.46/1043_linux-3.2.44.patch b/3.2.47/1043_linux-3.2.44.patch
similarity index 100%
rename from 3.2.46/1043_linux-3.2.44.patch
rename to 3.2.47/1043_linux-3.2.44.patch
diff --git a/3.2.46/1044_linux-3.2.45.patch b/3.2.47/1044_linux-3.2.45.patch
similarity index 100%
rename from 3.2.46/1044_linux-3.2.45.patch
rename to 3.2.47/1044_linux-3.2.45.patch
diff --git a/3.2.46/1045_linux-3.2.46.patch b/3.2.47/1045_linux-3.2.46.patch
similarity index 100%
rename from 3.2.46/1045_linux-3.2.46.patch
rename to 3.2.47/1045_linux-3.2.46.patch
diff --git a/3.2.47/1046_linux-3.2.47.patch b/3.2.47/1046_linux-3.2.47.patch
new file mode 100644
index 0000000..b74563c
--- /dev/null
+++ b/3.2.47/1046_linux-3.2.47.patch
@@ -0,0 +1,3314 @@
+diff --git a/Makefile b/Makefile
+index f600582..40e2a11 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 2
+-SUBLEVEL = 46
++SUBLEVEL = 47
+ EXTRAVERSION =
+ NAME = Saber-toothed Squirrel
+
+diff --git a/arch/arm/boot/compressed/Makefile b/arch/arm/boot/compressed/Makefile
+index 21f56ff..5954a1a 100644
+--- a/arch/arm/boot/compressed/Makefile
++++ b/arch/arm/boot/compressed/Makefile
+@@ -123,7 +123,6 @@ KBUILD_CFLAGS = $(subst -pg, , $(ORIG_CFLAGS))
+ endif
+
+ ccflags-y := -fpic -fno-builtin -I$(obj)
+-asflags-y := -Wa,-march=all
+
+ # Supply kernel BSS size to the decompressor via a linker symbol.
+ KBSS_SZ = $(shell size $(obj)/../../../../vmlinux | awk 'END{print $$3}')
+diff --git a/arch/arm/boot/compressed/head-sa1100.S b/arch/arm/boot/compressed/head-sa1100.S
+index 6179d94..3115e31 100644
+--- a/arch/arm/boot/compressed/head-sa1100.S
++++ b/arch/arm/boot/compressed/head-sa1100.S
+@@ -11,6 +11,7 @@
+ #include <asm/mach-types.h>
+
+ .section ".start", "ax"
++ .arch armv4
+
+ __SA1100_start:
+
+diff --git a/arch/arm/boot/compressed/head-shark.S b/arch/arm/boot/compressed/head-shark.S
+index 089c560..92b5689 100644
+--- a/arch/arm/boot/compressed/head-shark.S
++++ b/arch/arm/boot/compressed/head-shark.S
+@@ -18,6 +18,7 @@
+
+ .section ".start", "ax"
+
++ .arch armv4
+ b __beginning
+
+ __ofw_data: .long 0 @ the number of memory blocks
+diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S
+index d63632f..8c57359 100644
+--- a/arch/arm/boot/compressed/head.S
++++ b/arch/arm/boot/compressed/head.S
+@@ -10,6 +10,7 @@
+ */
+ #include <linux/linkage.h>
+
++ .arch armv7-a
+ /*
+ * Debugging stuff
+ *
+diff --git a/arch/arm/kernel/topology.c b/arch/arm/kernel/topology.c
+index 8200dea..140c817 100644
+--- a/arch/arm/kernel/topology.c
++++ b/arch/arm/kernel/topology.c
+@@ -13,6 +13,7 @@
+
+ #include <linux/cpu.h>
+ #include <linux/cpumask.h>
++#include <linux/export.h>
+ #include <linux/init.h>
+ #include <linux/percpu.h>
+ #include <linux/node.h>
+@@ -42,6 +43,7 @@
+ #define MPIDR_LEVEL2_SHIFT 16
+
+ struct cputopo_arm cpu_topology[NR_CPUS];
++EXPORT_SYMBOL_GPL(cpu_topology);
+
+ const struct cpumask *cpu_coregroup_mask(int cpu)
+ {
+diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
+index cf9c69b..8c3baa0 100644
+--- a/arch/powerpc/kernel/exceptions-64s.S
++++ b/arch/powerpc/kernel/exceptions-64s.S
+@@ -463,7 +463,7 @@ machine_check_common:
+ STD_EXCEPTION_COMMON(0xb00, trap_0b, .unknown_exception)
+ STD_EXCEPTION_COMMON(0xd00, single_step, .single_step_exception)
+ STD_EXCEPTION_COMMON(0xe00, trap_0e, .unknown_exception)
+- STD_EXCEPTION_COMMON(0xe40, emulation_assist, .program_check_exception)
++ STD_EXCEPTION_COMMON(0xe40, emulation_assist, .emulation_assist_interrupt)
+ STD_EXCEPTION_COMMON(0xe60, hmi_exception, .unknown_exception)
+ STD_EXCEPTION_COMMON_IDLE(0xf00, performance_monitor, .performance_monitor_exception)
+ STD_EXCEPTION_COMMON(0x1300, instruction_breakpoint, .instruction_breakpoint_exception)
+diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
+index 82dcd4d..9844662 100644
+--- a/arch/powerpc/kernel/traps.c
++++ b/arch/powerpc/kernel/traps.c
+@@ -1036,6 +1036,16 @@ void __kprobes program_check_exception(struct pt_regs *regs)
+ _exception(SIGILL, regs, ILL_ILLOPC, regs->nip);
+ }
+
++/*
++ * This occurs when running in hypervisor mode on POWER6 or later
++ * and an illegal instruction is encountered.
++ */
++void __kprobes emulation_assist_interrupt(struct pt_regs *regs)
++{
++ regs->msr |= REASON_ILLEGAL;
++ program_check_exception(regs);
++}
++
+ void alignment_exception(struct pt_regs *regs)
+ {
+ int sig, code, fixed = 0;
+diff --git a/arch/x86/kernel/relocate_kernel_64.S b/arch/x86/kernel/relocate_kernel_64.S
+index 7a6f3b3..f2bb9c9 100644
+--- a/arch/x86/kernel/relocate_kernel_64.S
++++ b/arch/x86/kernel/relocate_kernel_64.S
+@@ -160,7 +160,7 @@ identity_mapped:
+ xorq %rbp, %rbp
+ xorq %r8, %r8
+ xorq %r9, %r9
+- xorq %r10, %r9
++ xorq %r10, %r10
+ xorq %r11, %r11
+ xorq %r12, %r12
+ xorq %r13, %r13
+diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c
+index 0e47949..e19898d 100644
+--- a/drivers/acpi/video.c
++++ b/drivers/acpi/video.c
+@@ -447,6 +447,38 @@ static struct dmi_system_id video_dmi_table[] __initdata = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "HP Folio 13 - 2000 Notebook PC"),
+ },
+ },
++ {
++ .callback = video_ignore_initial_backlight,
++ .ident = "HP Pavilion dm4",
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Hewlett-Packard"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion dm4 Notebook PC"),
++ },
++ },
++ {
++ .callback = video_ignore_initial_backlight,
++ .ident = "HP Pavilion g6 Notebook PC",
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Hewlett-Packard"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion g6 Notebook PC"),
++ },
++ },
++ {
++ .callback = video_ignore_initial_backlight,
++ .ident = "HP 1000 Notebook PC",
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Hewlett-Packard"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HP 1000 Notebook PC"),
++ },
++ },
++ {
++ .callback = video_ignore_initial_backlight,
++ .ident = "HP Pavilion m4",
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Hewlett-Packard"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion m4 Notebook PC"),
++ },
++ },
+ {}
+ };
+
+diff --git a/drivers/ata/ata_piix.c b/drivers/ata/ata_piix.c
+index ddfc1c1..0e92326 100644
+--- a/drivers/ata/ata_piix.c
++++ b/drivers/ata/ata_piix.c
+@@ -151,6 +151,7 @@ enum piix_controller_ids {
+ piix_pata_vmw, /* PIIX4 for VMware, spurious DMA_ERR */
+ ich8_sata_snb,
+ ich8_2port_sata_snb,
++ ich8_2port_sata_byt,
+ };
+
+ struct piix_map_db {
+@@ -356,6 +357,9 @@ static const struct pci_device_id piix_pci_tbl[] = {
+ { 0x8086, 0x8d60, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb },
+ /* SATA Controller IDE (Wellsburg) */
+ { 0x8086, 0x8d68, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
++ /* SATA Controller IDE (BayTrail) */
++ { 0x8086, 0x0F20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata_byt },
++ { 0x8086, 0x0F21, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata_byt },
+
+ { } /* terminate list */
+ };
+@@ -521,6 +525,7 @@ static const struct piix_map_db *piix_map_db_table[] = {
+ [tolapai_sata] = &tolapai_map_db,
+ [ich8_sata_snb] = &ich8_map_db,
+ [ich8_2port_sata_snb] = &ich8_2port_map_db,
++ [ich8_2port_sata_byt] = &ich8_2port_map_db,
+ };
+
+ static struct ata_port_info piix_port_info[] = {
+@@ -672,6 +677,15 @@ static struct ata_port_info piix_port_info[] = {
+ .port_ops = &piix_sata_ops,
+ },
+
++ [ich8_2port_sata_byt] =
++ {
++ .flags = PIIX_SATA_FLAGS | PIIX_FLAG_SIDPR | PIIX_FLAG_PIO16,
++ .pio_mask = ATA_PIO4,
++ .mwdma_mask = ATA_MWDMA2,
++ .udma_mask = ATA_UDMA6,
++ .port_ops = &piix_sata_ops,
++ },
++
+ };
+
+ static struct pci_bits piix_enable_bits[] = {
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 288b635..d54b7d6 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -1598,6 +1598,12 @@ unsigned ata_exec_internal_sg(struct ata_device *dev,
+ qc->tf = *tf;
+ if (cdb)
+ memcpy(qc->cdb, cdb, ATAPI_CDB_LEN);
++
++ /* some SATA bridges need us to indicate data xfer direction */
++ if (tf->protocol == ATAPI_PROT_DMA && (dev->flags & ATA_DFLAG_DMADIR) &&
++ dma_dir == DMA_FROM_DEVICE)
++ qc->tf.feature |= ATAPI_DMADIR;
++
+ qc->flags |= ATA_QCFLAG_RESULT_TF;
+ qc->dma_dir = dma_dir;
+ if (dma_dir != DMA_NONE) {
+diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
+index b0f553b..d3446f6 100644
+--- a/drivers/block/cciss.c
++++ b/drivers/block/cciss.c
+@@ -161,8 +161,6 @@ static irqreturn_t do_cciss_msix_intr(int irq, void *dev_id);
+ static int cciss_open(struct block_device *bdev, fmode_t mode);
+ static int cciss_unlocked_open(struct block_device *bdev, fmode_t mode);
+ static int cciss_release(struct gendisk *disk, fmode_t mode);
+-static int do_ioctl(struct block_device *bdev, fmode_t mode,
+- unsigned int cmd, unsigned long arg);
+ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
+ unsigned int cmd, unsigned long arg);
+ static int cciss_getgeo(struct block_device *bdev, struct hd_geometry *geo);
+@@ -229,7 +227,7 @@ static const struct block_device_operations cciss_fops = {
+ .owner = THIS_MODULE,
+ .open = cciss_unlocked_open,
+ .release = cciss_release,
+- .ioctl = do_ioctl,
++ .ioctl = cciss_ioctl,
+ .getgeo = cciss_getgeo,
+ #ifdef CONFIG_COMPAT
+ .compat_ioctl = cciss_compat_ioctl,
+@@ -1140,16 +1138,6 @@ static int cciss_release(struct gendisk *disk, fmode_t mode)
+ return 0;
+ }
+
+-static int do_ioctl(struct block_device *bdev, fmode_t mode,
+- unsigned cmd, unsigned long arg)
+-{
+- int ret;
+- mutex_lock(&cciss_mutex);
+- ret = cciss_ioctl(bdev, mode, cmd, arg);
+- mutex_unlock(&cciss_mutex);
+- return ret;
+-}
+-
+ #ifdef CONFIG_COMPAT
+
+ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
+@@ -1176,7 +1164,7 @@ static int cciss_compat_ioctl(struct block_device *bdev, fmode_t mode,
+ case CCISS_REGNEWD:
+ case CCISS_RESCANDISK:
+ case CCISS_GETLUNINFO:
+- return do_ioctl(bdev, mode, cmd, arg);
++ return cciss_ioctl(bdev, mode, cmd, arg);
+
+ case CCISS_PASSTHRU32:
+ return cciss_ioctl32_passthru(bdev, mode, cmd, arg);
+@@ -1216,7 +1204,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
+ if (err)
+ return -EFAULT;
+
+- err = do_ioctl(bdev, mode, CCISS_PASSTHRU, (unsigned long)p);
++ err = cciss_ioctl(bdev, mode, CCISS_PASSTHRU, (unsigned long)p);
+ if (err)
+ return err;
+ err |=
+@@ -1258,7 +1246,7 @@ static int cciss_ioctl32_big_passthru(struct block_device *bdev, fmode_t mode,
+ if (err)
+ return -EFAULT;
+
+- err = do_ioctl(bdev, mode, CCISS_BIG_PASSTHRU, (unsigned long)p);
++ err = cciss_ioctl(bdev, mode, CCISS_BIG_PASSTHRU, (unsigned long)p);
+ if (err)
+ return err;
+ err |=
+@@ -1308,11 +1296,14 @@ static int cciss_getpciinfo(ctlr_info_t *h, void __user *argp)
+ static int cciss_getintinfo(ctlr_info_t *h, void __user *argp)
+ {
+ cciss_coalint_struct intinfo;
++ unsigned long flags;
+
+ if (!argp)
+ return -EINVAL;
++ spin_lock_irqsave(&h->lock, flags);
+ intinfo.delay = readl(&h->cfgtable->HostWrite.CoalIntDelay);
+ intinfo.count = readl(&h->cfgtable->HostWrite.CoalIntCount);
++ spin_unlock_irqrestore(&h->lock, flags);
+ if (copy_to_user
+ (argp, &intinfo, sizeof(cciss_coalint_struct)))
+ return -EFAULT;
+@@ -1353,12 +1344,15 @@ static int cciss_setintinfo(ctlr_info_t *h, void __user *argp)
+ static int cciss_getnodename(ctlr_info_t *h, void __user *argp)
+ {
+ NodeName_type NodeName;
++ unsigned long flags;
+ int i;
+
+ if (!argp)
+ return -EINVAL;
++ spin_lock_irqsave(&h->lock, flags);
+ for (i = 0; i < 16; i++)
+ NodeName[i] = readb(&h->cfgtable->ServerName[i]);
++ spin_unlock_irqrestore(&h->lock, flags);
+ if (copy_to_user(argp, NodeName, sizeof(NodeName_type)))
+ return -EFAULT;
+ return 0;
+@@ -1395,10 +1389,13 @@ static int cciss_setnodename(ctlr_info_t *h, void __user *argp)
+ static int cciss_getheartbeat(ctlr_info_t *h, void __user *argp)
+ {
+ Heartbeat_type heartbeat;
++ unsigned long flags;
+
+ if (!argp)
+ return -EINVAL;
++ spin_lock_irqsave(&h->lock, flags);
+ heartbeat = readl(&h->cfgtable->HeartBeat);
++ spin_unlock_irqrestore(&h->lock, flags);
+ if (copy_to_user(argp, &heartbeat, sizeof(Heartbeat_type)))
+ return -EFAULT;
+ return 0;
+@@ -1407,10 +1404,13 @@ static int cciss_getheartbeat(ctlr_info_t *h, void __user *argp)
+ static int cciss_getbustypes(ctlr_info_t *h, void __user *argp)
+ {
+ BusTypes_type BusTypes;
++ unsigned long flags;
+
+ if (!argp)
+ return -EINVAL;
++ spin_lock_irqsave(&h->lock, flags);
+ BusTypes = readl(&h->cfgtable->BusTypes);
++ spin_unlock_irqrestore(&h->lock, flags);
+ if (copy_to_user(argp, &BusTypes, sizeof(BusTypes_type)))
+ return -EFAULT;
+ return 0;
+diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c
+index 44a5d0a..73af885 100644
+--- a/drivers/gpu/drm/drm_irq.c
++++ b/drivers/gpu/drm/drm_irq.c
+@@ -981,7 +981,7 @@ EXPORT_SYMBOL(drm_vblank_off);
+ */
+ void drm_vblank_pre_modeset(struct drm_device *dev, int crtc)
+ {
+- /* vblank is not initialized (IRQ not installed ?) */
++ /* vblank is not initialized (IRQ not installed ?), or has been freed */
+ if (!dev->num_crtcs)
+ return;
+ /*
+@@ -1003,6 +1003,10 @@ void drm_vblank_post_modeset(struct drm_device *dev, int crtc)
+ {
+ unsigned long irqflags;
+
++ /* vblank is not initialized (IRQ not installed ?), or has been freed */
++ if (!dev->num_crtcs)
++ return;
++
+ if (dev->vblank_inmodeset[crtc]) {
+ spin_lock_irqsave(&dev->vbl_lock, irqflags);
+ dev->vblank_disable_allowed = 1;
+diff --git a/drivers/gpu/drm/i915/intel_lvds.c b/drivers/gpu/drm/i915/intel_lvds.c
+index 876bac0..2ffa740 100644
+--- a/drivers/gpu/drm/i915/intel_lvds.c
++++ b/drivers/gpu/drm/i915/intel_lvds.c
+@@ -740,10 +740,10 @@ static const struct dmi_system_id intel_no_lvds[] = {
+ },
+ {
+ .callback = intel_no_lvds_dmi_callback,
+- .ident = "Hewlett-Packard HP t5740e Thin Client",
++ .ident = "Hewlett-Packard HP t5740",
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "Hewlett-Packard"),
+- DMI_MATCH(DMI_PRODUCT_NAME, "HP t5740e Thin Client"),
++ DMI_MATCH(DMI_PRODUCT_NAME, " t5740"),
+ },
+ },
+ {
+diff --git a/drivers/gpu/drm/i915/intel_sdvo.c b/drivers/gpu/drm/i915/intel_sdvo.c
+index 9e24670..00ec0dd 100644
+--- a/drivers/gpu/drm/i915/intel_sdvo.c
++++ b/drivers/gpu/drm/i915/intel_sdvo.c
+@@ -1582,11 +1582,14 @@ static void intel_sdvo_get_lvds_modes(struct drm_connector *connector)
+ * Assume that the preferred modes are
+ * arranged in priority order.
+ */
+- intel_ddc_get_modes(connector, intel_sdvo->i2c);
+- if (list_empty(&connector->probed_modes) == false)
+- goto end;
++ intel_ddc_get_modes(connector, &intel_sdvo->ddc);
+
+- /* Fetch modes from VBT */
++ /*
++ * Fetch modes from VBT. For SDVO prefer the VBT mode since some
++ * SDVO->LVDS transcoders can't cope with the EDID mode. Since
++ * drm_mode_probed_add adds the mode at the head of the list we add it
++ * last.
++ */
+ if (dev_priv->sdvo_lvds_vbt_mode != NULL) {
+ newmode = drm_mode_duplicate(connector->dev,
+ dev_priv->sdvo_lvds_vbt_mode);
+@@ -1598,7 +1601,6 @@ static void intel_sdvo_get_lvds_modes(struct drm_connector *connector)
+ }
+ }
+
+-end:
+ list_for_each_entry(newmode, &connector->probed_modes, head) {
+ if (newmode->type & DRM_MODE_TYPE_PREFERRED) {
+ intel_sdvo->sdvo_lvds_fixed_mode =
+diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
+index 0495a50..9bea4a6 100644
+--- a/drivers/gpu/drm/radeon/evergreen.c
++++ b/drivers/gpu/drm/radeon/evergreen.c
+@@ -3086,6 +3086,12 @@ static int evergreen_startup(struct radeon_device *rdev)
+ return r;
+
+ /* Enable IRQ */
++ if (!rdev->irq.installed) {
++ r = radeon_irq_kms_init(rdev);
++ if (r)
++ return r;
++ }
++
+ r = r600_irq_init(rdev);
+ if (r) {
+ DRM_ERROR("radeon: IH init failed (%d).\n", r);
+@@ -3218,10 +3224,6 @@ int evergreen_init(struct radeon_device *rdev)
+ if (r)
+ return r;
+
+- r = radeon_irq_kms_init(rdev);
+- if (r)
+- return r;
+-
+ rdev->cp.ring_obj = NULL;
+ r600_ring_init(rdev, 1024 * 1024);
+
+diff --git a/drivers/gpu/drm/radeon/ni.c b/drivers/gpu/drm/radeon/ni.c
+index 636255b..3f9705b 100644
+--- a/drivers/gpu/drm/radeon/ni.c
++++ b/drivers/gpu/drm/radeon/ni.c
+@@ -1389,6 +1389,12 @@ static int cayman_startup(struct radeon_device *rdev)
+ return r;
+
+ /* Enable IRQ */
++ if (!rdev->irq.installed) {
++ r = radeon_irq_kms_init(rdev);
++ if (r)
++ return r;
++ }
++
+ r = r600_irq_init(rdev);
+ if (r) {
+ DRM_ERROR("radeon: IH init failed (%d).\n", r);
+@@ -1506,10 +1512,6 @@ int cayman_init(struct radeon_device *rdev)
+ if (r)
+ return r;
+
+- r = radeon_irq_kms_init(rdev);
+- if (r)
+- return r;
+-
+ rdev->cp.ring_obj = NULL;
+ r600_ring_init(rdev, 1024 * 1024);
+
+diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c
+index fad7cd1..76c1290 100644
+--- a/drivers/gpu/drm/radeon/r100.c
++++ b/drivers/gpu/drm/radeon/r100.c
+@@ -3905,6 +3905,12 @@ static int r100_startup(struct radeon_device *rdev)
+ return r;
+
+ /* Enable IRQ */
++ if (!rdev->irq.installed) {
++ r = radeon_irq_kms_init(rdev);
++ if (r)
++ return r;
++ }
++
+ r100_irq_set(rdev);
+ rdev->config.r100.hdp_cntl = RREG32(RADEON_HOST_PATH_CNTL);
+ /* 1M ring buffer */
+@@ -4050,9 +4056,6 @@ int r100_init(struct radeon_device *rdev)
+ r = radeon_fence_driver_init(rdev);
+ if (r)
+ return r;
+- r = radeon_irq_kms_init(rdev);
+- if (r)
+- return r;
+ /* Memory manager */
+ r = radeon_bo_init(rdev);
+ if (r)
+diff --git a/drivers/gpu/drm/radeon/r300.c b/drivers/gpu/drm/radeon/r300.c
+index c93bc64..441570b 100644
+--- a/drivers/gpu/drm/radeon/r300.c
++++ b/drivers/gpu/drm/radeon/r300.c
+@@ -1397,6 +1397,12 @@ static int r300_startup(struct radeon_device *rdev)
+ return r;
+
+ /* Enable IRQ */
++ if (!rdev->irq.installed) {
++ r = radeon_irq_kms_init(rdev);
++ if (r)
++ return r;
++ }
++
+ r100_irq_set(rdev);
+ rdev->config.r300.hdp_cntl = RREG32(RADEON_HOST_PATH_CNTL);
+ /* 1M ring buffer */
+@@ -1521,9 +1527,6 @@ int r300_init(struct radeon_device *rdev)
+ r = radeon_fence_driver_init(rdev);
+ if (r)
+ return r;
+- r = radeon_irq_kms_init(rdev);
+- if (r)
+- return r;
+ /* Memory manager */
+ r = radeon_bo_init(rdev);
+ if (r)
+diff --git a/drivers/gpu/drm/radeon/r420.c b/drivers/gpu/drm/radeon/r420.c
+index 417fab8..5b219b8 100644
+--- a/drivers/gpu/drm/radeon/r420.c
++++ b/drivers/gpu/drm/radeon/r420.c
+@@ -255,6 +255,12 @@ static int r420_startup(struct radeon_device *rdev)
+ return r;
+
+ /* Enable IRQ */
++ if (!rdev->irq.installed) {
++ r = radeon_irq_kms_init(rdev);
++ if (r)
++ return r;
++ }
++
+ r100_irq_set(rdev);
+ rdev->config.r300.hdp_cntl = RREG32(RADEON_HOST_PATH_CNTL);
+ /* 1M ring buffer */
+@@ -391,10 +397,6 @@ int r420_init(struct radeon_device *rdev)
+ if (r) {
+ return r;
+ }
+- r = radeon_irq_kms_init(rdev);
+- if (r) {
+- return r;
+- }
+ /* Memory manager */
+ r = radeon_bo_init(rdev);
+ if (r) {
+diff --git a/drivers/gpu/drm/radeon/r520.c b/drivers/gpu/drm/radeon/r520.c
+index 3081d07..f36a5c9 100644
+--- a/drivers/gpu/drm/radeon/r520.c
++++ b/drivers/gpu/drm/radeon/r520.c
+@@ -188,6 +188,12 @@ static int r520_startup(struct radeon_device *rdev)
+ return r;
+
+ /* Enable IRQ */
++ if (!rdev->irq.installed) {
++ r = radeon_irq_kms_init(rdev);
++ if (r)
++ return r;
++ }
++
+ rs600_irq_set(rdev);
+ rdev->config.r300.hdp_cntl = RREG32(RADEON_HOST_PATH_CNTL);
+ /* 1M ring buffer */
+@@ -281,9 +287,6 @@ int r520_init(struct radeon_device *rdev)
+ r = radeon_fence_driver_init(rdev);
+ if (r)
+ return r;
+- r = radeon_irq_kms_init(rdev);
+- if (r)
+- return r;
+ /* Memory manager */
+ r = radeon_bo_init(rdev);
+ if (r)
+diff --git a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c
+index bdfa82a..3d46d7d4 100644
+--- a/drivers/gpu/drm/radeon/r600.c
++++ b/drivers/gpu/drm/radeon/r600.c
+@@ -2449,6 +2449,12 @@ int r600_startup(struct radeon_device *rdev)
+ return r;
+
+ /* Enable IRQ */
++ if (!rdev->irq.installed) {
++ r = radeon_irq_kms_init(rdev);
++ if (r)
++ return r;
++ }
++
+ r = r600_irq_init(rdev);
+ if (r) {
+ DRM_ERROR("radeon: IH init failed (%d).\n", r);
+@@ -2592,10 +2598,6 @@ int r600_init(struct radeon_device *rdev)
+ if (r)
+ return r;
+
+- r = radeon_irq_kms_init(rdev);
+- if (r)
+- return r;
+-
+ rdev->cp.ring_obj = NULL;
+ r600_ring_init(rdev, 1024 * 1024);
+
+diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
+index bd959c1..cd94abb 100644
+--- a/drivers/gpu/drm/radeon/radeon_device.c
++++ b/drivers/gpu/drm/radeon/radeon_device.c
+@@ -359,18 +359,17 @@ bool radeon_card_posted(struct radeon_device *rdev)
+ return false;
+
+ /* first check CRTCs */
+- if (ASIC_IS_DCE41(rdev)) {
++ if (ASIC_IS_DCE4(rdev)) {
+ reg = RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC0_REGISTER_OFFSET) |
+ RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC1_REGISTER_OFFSET);
+- if (reg & EVERGREEN_CRTC_MASTER_EN)
+- return true;
+- } else if (ASIC_IS_DCE4(rdev)) {
+- reg = RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC0_REGISTER_OFFSET) |
+- RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC1_REGISTER_OFFSET) |
+- RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC2_REGISTER_OFFSET) |
+- RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC3_REGISTER_OFFSET) |
+- RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC4_REGISTER_OFFSET) |
+- RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC5_REGISTER_OFFSET);
++ if (rdev->num_crtc >= 4) {
++ reg |= RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC2_REGISTER_OFFSET) |
++ RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC3_REGISTER_OFFSET);
++ }
++ if (rdev->num_crtc >= 6) {
++ reg |= RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC4_REGISTER_OFFSET) |
++ RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC5_REGISTER_OFFSET);
++ }
+ if (reg & EVERGREEN_CRTC_MASTER_EN)
+ return true;
+ } else if (ASIC_IS_AVIVO(rdev)) {
+diff --git a/drivers/gpu/drm/radeon/rs400.c b/drivers/gpu/drm/radeon/rs400.c
+index 06b90c8..4dd9512 100644
+--- a/drivers/gpu/drm/radeon/rs400.c
++++ b/drivers/gpu/drm/radeon/rs400.c
+@@ -411,6 +411,12 @@ static int rs400_startup(struct radeon_device *rdev)
+ return r;
+
+ /* Enable IRQ */
++ if (!rdev->irq.installed) {
++ r = radeon_irq_kms_init(rdev);
++ if (r)
++ return r;
++ }
++
+ r100_irq_set(rdev);
+ rdev->config.r300.hdp_cntl = RREG32(RADEON_HOST_PATH_CNTL);
+ /* 1M ring buffer */
+@@ -519,9 +525,6 @@ int rs400_init(struct radeon_device *rdev)
+ r = radeon_fence_driver_init(rdev);
+ if (r)
+ return r;
+- r = radeon_irq_kms_init(rdev);
+- if (r)
+- return r;
+ /* Memory manager */
+ r = radeon_bo_init(rdev);
+ if (r)
+diff --git a/drivers/gpu/drm/radeon/rs600.c b/drivers/gpu/drm/radeon/rs600.c
+index ee898e9..cea482a 100644
+--- a/drivers/gpu/drm/radeon/rs600.c
++++ b/drivers/gpu/drm/radeon/rs600.c
+@@ -848,6 +848,12 @@ static int rs600_startup(struct radeon_device *rdev)
+ return r;
+
+ /* Enable IRQ */
++ if (!rdev->irq.installed) {
++ r = radeon_irq_kms_init(rdev);
++ if (r)
++ return r;
++ }
++
+ rs600_irq_set(rdev);
+ rdev->config.r300.hdp_cntl = RREG32(RADEON_HOST_PATH_CNTL);
+ /* 1M ring buffer */
+@@ -963,9 +969,6 @@ int rs600_init(struct radeon_device *rdev)
+ r = radeon_fence_driver_init(rdev);
+ if (r)
+ return r;
+- r = radeon_irq_kms_init(rdev);
+- if (r)
+- return r;
+ /* Memory manager */
+ r = radeon_bo_init(rdev);
+ if (r)
+diff --git a/drivers/gpu/drm/radeon/rs690.c b/drivers/gpu/drm/radeon/rs690.c
+index a9049ed..93bce72 100644
+--- a/drivers/gpu/drm/radeon/rs690.c
++++ b/drivers/gpu/drm/radeon/rs690.c
+@@ -622,6 +622,12 @@ static int rs690_startup(struct radeon_device *rdev)
+ return r;
+
+ /* Enable IRQ */
++ if (!rdev->irq.installed) {
++ r = radeon_irq_kms_init(rdev);
++ if (r)
++ return r;
++ }
++
+ rs600_irq_set(rdev);
+ rdev->config.r300.hdp_cntl = RREG32(RADEON_HOST_PATH_CNTL);
+ /* 1M ring buffer */
+@@ -738,9 +744,6 @@ int rs690_init(struct radeon_device *rdev)
+ r = radeon_fence_driver_init(rdev);
+ if (r)
+ return r;
+- r = radeon_irq_kms_init(rdev);
+- if (r)
+- return r;
+ /* Memory manager */
+ r = radeon_bo_init(rdev);
+ if (r)
+diff --git a/drivers/gpu/drm/radeon/rv515.c b/drivers/gpu/drm/radeon/rv515.c
+index d5f45b4..9103638 100644
+--- a/drivers/gpu/drm/radeon/rv515.c
++++ b/drivers/gpu/drm/radeon/rv515.c
+@@ -380,6 +380,12 @@ static int rv515_startup(struct radeon_device *rdev)
+ return r;
+
+ /* Enable IRQ */
++ if (!rdev->irq.installed) {
++ r = radeon_irq_kms_init(rdev);
++ if (r)
++ return r;
++ }
++
+ rs600_irq_set(rdev);
+ rdev->config.r300.hdp_cntl = RREG32(RADEON_HOST_PATH_CNTL);
+ /* 1M ring buffer */
+@@ -500,9 +506,6 @@ int rv515_init(struct radeon_device *rdev)
+ r = radeon_fence_driver_init(rdev);
+ if (r)
+ return r;
+- r = radeon_irq_kms_init(rdev);
+- if (r)
+- return r;
+ /* Memory manager */
+ r = radeon_bo_init(rdev);
+ if (r)
+diff --git a/drivers/gpu/drm/radeon/rv770.c b/drivers/gpu/drm/radeon/rv770.c
+index cc79449..63db75d 100644
+--- a/drivers/gpu/drm/radeon/rv770.c
++++ b/drivers/gpu/drm/radeon/rv770.c
+@@ -1092,6 +1092,12 @@ static int rv770_startup(struct radeon_device *rdev)
+ return r;
+
+ /* Enable IRQ */
++ if (!rdev->irq.installed) {
++ r = radeon_irq_kms_init(rdev);
++ if (r)
++ return r;
++ }
++
+ r = r600_irq_init(rdev);
+ if (r) {
+ DRM_ERROR("radeon: IH init failed (%d).\n", r);
+@@ -1220,10 +1226,6 @@ int rv770_init(struct radeon_device *rdev)
+ if (r)
+ return r;
+
+- r = radeon_irq_kms_init(rdev);
+- if (r)
+- return r;
+-
+ rdev->cp.ring_obj = NULL;
+ r600_ring_init(rdev, 1024 * 1024);
+
+diff --git a/drivers/hwmon/adm1021.c b/drivers/hwmon/adm1021.c
+index 1ad0a88..8178927 100644
+--- a/drivers/hwmon/adm1021.c
++++ b/drivers/hwmon/adm1021.c
+@@ -311,26 +311,68 @@ static int adm1021_detect(struct i2c_client *client,
+ man_id = i2c_smbus_read_byte_data(client, ADM1021_REG_MAN_ID);
+ dev_id = i2c_smbus_read_byte_data(client, ADM1021_REG_DEV_ID);
+
++ if (man_id < 0 || dev_id < 0)
++ return -ENODEV;
++
+ if (man_id == 0x4d && dev_id == 0x01)
+ type_name = "max1617a";
+ else if (man_id == 0x41) {
+ if ((dev_id & 0xF0) == 0x30)
+ type_name = "adm1023";
+- else
++ else if ((dev_id & 0xF0) == 0x00)
+ type_name = "adm1021";
++ else
++ return -ENODEV;
+ } else if (man_id == 0x49)
+ type_name = "thmc10";
+ else if (man_id == 0x23)
+ type_name = "gl523sm";
+ else if (man_id == 0x54)
+ type_name = "mc1066";
+- /* LM84 Mfr ID in a different place, and it has more unused bits */
+- else if (conv_rate == 0x00
+- && (config & 0x7F) == 0x00
+- && (status & 0xAB) == 0x00)
+- type_name = "lm84";
+- else
+- type_name = "max1617";
++ else {
++ int lte, rte, lhi, rhi, llo, rlo;
++
++ /* extra checks for LM84 and MAX1617 to avoid misdetections */
++
++ llo = i2c_smbus_read_byte_data(client, ADM1021_REG_THYST_R(0));
++ rlo = i2c_smbus_read_byte_data(client, ADM1021_REG_THYST_R(1));
++
++ /* fail if any of the additional register reads failed */
++ if (llo < 0 || rlo < 0)
++ return -ENODEV;
++
++ lte = i2c_smbus_read_byte_data(client, ADM1021_REG_TEMP(0));
++ rte = i2c_smbus_read_byte_data(client, ADM1021_REG_TEMP(1));
++ lhi = i2c_smbus_read_byte_data(client, ADM1021_REG_TOS_R(0));
++ rhi = i2c_smbus_read_byte_data(client, ADM1021_REG_TOS_R(1));
++
++ /*
++ * Fail for negative temperatures and negative high limits.
++ * This check also catches read errors on the tested registers.
++ */
++ if ((s8)lte < 0 || (s8)rte < 0 || (s8)lhi < 0 || (s8)rhi < 0)
++ return -ENODEV;
++
++ /* fail if all registers hold the same value */
++ if (lte == rte && lte == lhi && lte == rhi && lte == llo
++ && lte == rlo)
++ return -ENODEV;
++
++ /*
++ * LM84 Mfr ID is in a different place,
++ * and it has more unused bits.
++ */
++ if (conv_rate == 0x00
++ && (config & 0x7F) == 0x00
++ && (status & 0xAB) == 0x00) {
++ type_name = "lm84";
++ } else {
++ /* fail if low limits are larger than high limits */
++ if ((s8)llo > lhi || (s8)rlo > rhi)
++ return -ENODEV;
++ type_name = "max1617";
++ }
++ }
+
+ pr_debug("adm1021: Detected chip %s at adapter %d, address 0x%02x.\n",
+ type_name, i2c_adapter_id(adapter), client->addr);
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
+index 62306e5..298e02a 100644
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -407,7 +407,17 @@ static void raid1_end_write_request(struct bio *bio, int error)
+
+ r1_bio->bios[mirror] = NULL;
+ to_put = bio;
+- set_bit(R1BIO_Uptodate, &r1_bio->state);
++ /*
++ * Do not set R1BIO_Uptodate if the current device is
++ * rebuilding or Faulty. This is because we cannot use
++ * such device for properly reading the data back (we could
++ * potentially use it, if the current write would have felt
++ * before rdev->recovery_offset, but for simplicity we don't
++ * check this here.
++ */
++ if (test_bit(In_sync, &conf->mirrors[mirror].rdev->flags) &&
++ !test_bit(Faulty, &conf->mirrors[mirror].rdev->flags))
++ set_bit(R1BIO_Uptodate, &r1_bio->state);
+
+ /* Maybe we can clear some bad blocks. */
+ if (is_badblock(conf->mirrors[mirror].rdev,
+diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
+index 8f67c4d..8bba438 100644
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -390,7 +390,17 @@ static void raid10_end_write_request(struct bio *bio, int error)
+ sector_t first_bad;
+ int bad_sectors;
+
+- set_bit(R10BIO_Uptodate, &r10_bio->state);
++ /*
++ * Do not set R10BIO_Uptodate if the current device is
++ * rebuilding or Faulty. This is because we cannot use
++ * such device for properly reading the data back (we could
++ * potentially use it, if the current write would have felt
++ * before rdev->recovery_offset, but for simplicity we don't
++ * check this here.
++ */
++ if (test_bit(In_sync, &conf->mirrors[dev].rdev->flags) &&
++ !test_bit(Faulty, &conf->mirrors[dev].rdev->flags))
++ set_bit(R10BIO_Uptodate, &r10_bio->state);
+
+ /* Maybe we can clear some bad blocks. */
+ if (is_badblock(conf->mirrors[dev].rdev,
+diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
+index ec13a59..1bc927a 100644
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -1620,6 +1620,9 @@ static int tg3_poll_fw(struct tg3 *tp)
+ int i;
+ u32 val;
+
++ if (tg3_flag(tp, NO_FWARE_REPORTED))
++ return 0;
++
+ if (GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5906) {
+ /* Wait up to 20ms for init done. */
+ for (i = 0; i < 200; i++) {
+@@ -8282,6 +8285,14 @@ static void tg3_setup_rxbd_thresholds(struct tg3 *tp)
+ tw32(JMB_REPLENISH_LWM, bdcache_maxcnt);
+ }
+
++static inline u32 tg3_lso_rd_dma_workaround_bit(struct tg3 *tp)
++{
++ if (GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5719)
++ return TG3_LSO_RD_DMA_TX_LENGTH_WA_5719;
++ else
++ return TG3_LSO_RD_DMA_TX_LENGTH_WA_5720;
++}
++
+ /* tp->lock is held. */
+ static int tg3_reset_hw(struct tg3 *tp, int reset_phy)
+ {
+@@ -8920,6 +8931,20 @@ static int tg3_reset_hw(struct tg3 *tp, int reset_phy)
+ tw32_f(RDMAC_MODE, rdmac_mode);
+ udelay(40);
+
++ if (GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5719 ||
++ GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5720) {
++ for (i = 0; i < TG3_NUM_RDMA_CHANNELS; i++) {
++ if (tr32(TG3_RDMA_LENGTH + (i << 2)) > TG3_MAX_MTU(tp))
++ break;
++ }
++ if (i < TG3_NUM_RDMA_CHANNELS) {
++ val = tr32(TG3_LSO_RD_DMA_CRPTEN_CTRL);
++ val |= tg3_lso_rd_dma_workaround_bit(tp);
++ tw32(TG3_LSO_RD_DMA_CRPTEN_CTRL, val);
++ tg3_flag_set(tp, 5719_5720_RDMA_BUG);
++ }
++ }
++
+ tw32(RCVDCC_MODE, RCVDCC_MODE_ENABLE | RCVDCC_MODE_ATTN_ENABLE);
+ if (!tg3_flag(tp, 5705_PLUS))
+ tw32(MBFREE_MODE, MBFREE_MODE_ENABLE);
+@@ -9166,6 +9191,13 @@ static int tg3_reset_hw(struct tg3 *tp, int reset_phy)
+ */
+ static int tg3_init_hw(struct tg3 *tp, int reset_phy)
+ {
++ /* Chip may have been just powered on. If so, the boot code may still
++ * be running initialization. Wait for it to finish to avoid races in
++ * accessing the hardware.
++ */
++ tg3_enable_register_access(tp);
++ tg3_poll_fw(tp);
++
+ tg3_switch_clocks(tp);
+
+ tw32(TG3PCI_MEM_WIN_BASE_ADDR, 0);
+@@ -9200,6 +9232,16 @@ static void tg3_periodic_fetch_stats(struct tg3 *tp)
+ TG3_STAT_ADD32(&sp->tx_ucast_packets, MAC_TX_STATS_UCAST);
+ TG3_STAT_ADD32(&sp->tx_mcast_packets, MAC_TX_STATS_MCAST);
+ TG3_STAT_ADD32(&sp->tx_bcast_packets, MAC_TX_STATS_BCAST);
++ if (unlikely(tg3_flag(tp, 5719_5720_RDMA_BUG) &&
++ (sp->tx_ucast_packets.low + sp->tx_mcast_packets.low +
++ sp->tx_bcast_packets.low) > TG3_NUM_RDMA_CHANNELS)) {
++ u32 val;
++
++ val = tr32(TG3_LSO_RD_DMA_CRPTEN_CTRL);
++ val &= ~tg3_lso_rd_dma_workaround_bit(tp);
++ tw32(TG3_LSO_RD_DMA_CRPTEN_CTRL, val);
++ tg3_flag_clear(tp, 5719_5720_RDMA_BUG);
++ }
+
+ TG3_STAT_ADD32(&sp->rx_octets, MAC_RX_STATS_OCTETS);
+ TG3_STAT_ADD32(&sp->rx_fragments, MAC_RX_STATS_FRAGMENTS);
+diff --git a/drivers/net/ethernet/broadcom/tg3.h b/drivers/net/ethernet/broadcom/tg3.h
+index 94b4bd0..da90ba5 100644
+--- a/drivers/net/ethernet/broadcom/tg3.h
++++ b/drivers/net/ethernet/broadcom/tg3.h
+@@ -1368,7 +1368,12 @@
+ #define TG3_LSO_RD_DMA_CRPTEN_CTRL 0x00004910
+ #define TG3_LSO_RD_DMA_CRPTEN_CTRL_BLEN_BD_4K 0x00030000
+ #define TG3_LSO_RD_DMA_CRPTEN_CTRL_BLEN_LSO_4K 0x000c0000
+-/* 0x4914 --> 0x4c00 unused */
++#define TG3_LSO_RD_DMA_TX_LENGTH_WA_5719 0x02000000
++#define TG3_LSO_RD_DMA_TX_LENGTH_WA_5720 0x00200000
++/* 0x4914 --> 0x4be0 unused */
++
++#define TG3_NUM_RDMA_CHANNELS 4
++#define TG3_RDMA_LENGTH 0x00004be0
+
+ /* Write DMA control registers */
+ #define WDMAC_MODE 0x00004c00
+@@ -2921,6 +2926,7 @@ enum TG3_FLAGS {
+ TG3_FLAG_APE_HAS_NCSI,
+ TG3_FLAG_5717_PLUS,
+ TG3_FLAG_4K_FIFO_LIMIT,
++ TG3_FLAG_5719_5720_RDMA_BUG,
+ TG3_FLAG_RESET_TASK_PENDING,
+
+ /* Add new flags before this comment and TG3_FLAG_NUMBER_OF_FLAGS */
+diff --git a/drivers/net/wireless/ath/ath9k/Kconfig b/drivers/net/wireless/ath/ath9k/Kconfig
+index d9c08c6..f4ed4d8 100644
+--- a/drivers/net/wireless/ath/ath9k/Kconfig
++++ b/drivers/net/wireless/ath/ath9k/Kconfig
+@@ -50,13 +50,17 @@ config ATH9K_DEBUGFS
+
+ Also required for changing debug message flags at run time.
+
+-config ATH9K_RATE_CONTROL
++config ATH9K_LEGACY_RATE_CONTROL
+ bool "Atheros ath9k rate control"
+ depends on ATH9K
+- default y
++ default n
+ ---help---
+ Say Y, if you want to use the ath9k specific rate control
+- module instead of minstrel_ht.
++ module instead of minstrel_ht. Be warned that there are various
++ issues with the ath9k RC and minstrel is a more robust algorithm.
++ Note that even if this option is selected, "ath9k_rate_control"
++ has to be passed to mac80211 using the module parameter,
++ ieee80211_default_rc_algo.
+
+ config ATH9K_HTC
+ tristate "Atheros HTC based wireless cards support"
+diff --git a/drivers/net/wireless/ath/ath9k/Makefile b/drivers/net/wireless/ath/ath9k/Makefile
+index 36ed3c4..1cdb246 100644
+--- a/drivers/net/wireless/ath/ath9k/Makefile
++++ b/drivers/net/wireless/ath/ath9k/Makefile
+@@ -5,7 +5,7 @@ ath9k-y += beacon.o \
+ recv.o \
+ xmit.o \
+
+-ath9k-$(CONFIG_ATH9K_RATE_CONTROL) += rc.o
++ath9k-$(CONFIG_ATH9K_LEGACY_RATE_CONTROL) += rc.o
+ ath9k-$(CONFIG_ATH9K_PCI) += pci.o
+ ath9k-$(CONFIG_ATH9K_AHB) += ahb.o
+ ath9k-$(CONFIG_ATH9K_DEBUGFS) += debug.o
+diff --git a/drivers/net/wireless/ath/ath9k/init.c b/drivers/net/wireless/ath/ath9k/init.c
+index 57622e0..ba6a49c 100644
+--- a/drivers/net/wireless/ath/ath9k/init.c
++++ b/drivers/net/wireless/ath/ath9k/init.c
+@@ -691,8 +691,7 @@ void ath9k_set_hw_capab(struct ath_softc *sc, struct ieee80211_hw *hw)
+ BIT(NL80211_IFTYPE_ADHOC) |
+ BIT(NL80211_IFTYPE_MESH_POINT);
+
+- if (AR_SREV_5416(sc->sc_ah))
+- hw->wiphy->flags &= ~WIPHY_FLAG_PS_ON_BY_DEFAULT;
++ hw->wiphy->flags &= ~WIPHY_FLAG_PS_ON_BY_DEFAULT;
+
+ hw->wiphy->flags |= WIPHY_FLAG_IBSS_RSN;
+
+@@ -714,10 +713,6 @@ void ath9k_set_hw_capab(struct ath_softc *sc, struct ieee80211_hw *hw)
+ sc->ant_rx = hw->wiphy->available_antennas_rx;
+ sc->ant_tx = hw->wiphy->available_antennas_tx;
+
+-#ifdef CONFIG_ATH9K_RATE_CONTROL
+- hw->rate_control_algorithm = "ath9k_rate_control";
+-#endif
+-
+ if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_2GHZ)
+ hw->wiphy->bands[IEEE80211_BAND_2GHZ] =
+ &sc->sbands[IEEE80211_BAND_2GHZ];
+diff --git a/drivers/net/wireless/ath/ath9k/rc.h b/drivers/net/wireless/ath/ath9k/rc.h
+index b7a4bcd..e8e1901 100644
+--- a/drivers/net/wireless/ath/ath9k/rc.h
++++ b/drivers/net/wireless/ath/ath9k/rc.h
+@@ -221,7 +221,7 @@ struct ath_rate_priv {
+ struct ath_rc_stats rcstats[RATE_TABLE_SIZE];
+ };
+
+-#ifdef CONFIG_ATH9K_RATE_CONTROL
++#ifdef CONFIG_ATH9K_LEGACY_RATE_CONTROL
+ int ath_rate_control_register(void);
+ void ath_rate_control_unregister(void);
+ #else
+diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
+index c0f2041..b0c2801 100644
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -2421,7 +2421,7 @@ static int b43_request_firmware(struct b43_wldev *dev)
+ for (i = 0; i < B43_NR_FWTYPES; i++) {
+ errmsg = ctx->errors[i];
+ if (strlen(errmsg))
+- b43err(dev->wl, errmsg);
++ b43err(dev->wl, "%s", errmsg);
+ }
+ b43_print_fw_helptext(dev->wl, 1);
+ err = -ENOENT;
+diff --git a/drivers/net/wireless/b43legacy/main.c b/drivers/net/wireless/b43legacy/main.c
+index c5ce163..71195cb 100644
+--- a/drivers/net/wireless/b43legacy/main.c
++++ b/drivers/net/wireless/b43legacy/main.c
+@@ -3837,6 +3837,8 @@ static void b43legacy_remove(struct ssb_device *dev)
+ cancel_work_sync(&wldev->restart_work);
+
+ B43legacy_WARN_ON(!wl);
++ if (!wldev->fw.ucode)
++ return; /* NULL if fw never loaded */
+ if (wl->current_dev == wldev)
+ ieee80211_unregister_hw(wl->hw);
+
+diff --git a/drivers/net/wireless/iwlwifi/iwl-agn-sta.c b/drivers/net/wireless/iwlwifi/iwl-agn-sta.c
+index 3935994..bc30a5f 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-agn-sta.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn-sta.c
+@@ -604,7 +604,7 @@ void iwl_restore_stations(struct iwl_priv *priv, struct iwl_rxon_context *ctx)
+ memcpy(&lq, priv->stations[i].lq,
+ sizeof(struct iwl_link_quality_cmd));
+
+- if (!memcmp(&lq, &zero_lq, sizeof(lq)))
++ if (memcmp(&lq, &zero_lq, sizeof(lq)))
+ send_lq = true;
+ }
+ spin_unlock_irqrestore(&priv->shrd->sta_lock,
+diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
+index 185a0eb..fd2b92d 100644
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -46,11 +46,33 @@
+ #include <asm/xen/hypercall.h>
+ #include <asm/xen/page.h>
+
++/*
++ * This is the maximum slots a skb can have. If a guest sends a skb
++ * which exceeds this limit it is considered malicious.
++ */
++#define FATAL_SKB_SLOTS_DEFAULT 20
++static unsigned int fatal_skb_slots = FATAL_SKB_SLOTS_DEFAULT;
++module_param(fatal_skb_slots, uint, 0444);
++
++/*
++ * To avoid confusion, we define XEN_NETBK_LEGACY_SLOTS_MAX indicating
++ * the maximum slots a valid packet can use. Now this value is defined
++ * to be XEN_NETIF_NR_SLOTS_MIN, which is supposed to be supported by
++ * all backend.
++ */
++#define XEN_NETBK_LEGACY_SLOTS_MAX XEN_NETIF_NR_SLOTS_MIN
++
++typedef unsigned int pending_ring_idx_t;
++#define INVALID_PENDING_RING_IDX (~0U)
++
+ struct pending_tx_info {
+- struct xen_netif_tx_request req;
++ struct xen_netif_tx_request req; /* coalesced tx request */
+ struct xenvif *vif;
++ pending_ring_idx_t head; /* head != INVALID_PENDING_RING_IDX
++ * if it is head of one or more tx
++ * reqs
++ */
+ };
+-typedef unsigned int pending_ring_idx_t;
+
+ struct netbk_rx_meta {
+ int id;
+@@ -101,7 +123,11 @@ struct xen_netbk {
+ atomic_t netfront_count;
+
+ struct pending_tx_info pending_tx_info[MAX_PENDING_REQS];
+- struct gnttab_copy tx_copy_ops[MAX_PENDING_REQS];
++ /* Coalescing tx requests before copying makes number of grant
++ * copy ops greater or equal to number of slots required. In
++ * worst case a tx request consumes 2 gnttab_copy.
++ */
++ struct gnttab_copy tx_copy_ops[2*MAX_PENDING_REQS];
+
+ u16 pending_ring[MAX_PENDING_REQS];
+
+@@ -117,6 +143,16 @@ struct xen_netbk {
+ static struct xen_netbk *xen_netbk;
+ static int xen_netbk_group_nr;
+
++/*
++ * If head != INVALID_PENDING_RING_IDX, it means this tx request is head of
++ * one or more merged tx requests, otherwise it is the continuation of
++ * previous tx request.
++ */
++static inline int pending_tx_is_head(struct xen_netbk *netbk, RING_IDX idx)
++{
++ return netbk->pending_tx_info[idx].head != INVALID_PENDING_RING_IDX;
++}
++
+ void xen_netbk_add_xenvif(struct xenvif *vif)
+ {
+ int i;
+@@ -249,6 +285,7 @@ static int max_required_rx_slots(struct xenvif *vif)
+ {
+ int max = DIV_ROUND_UP(vif->dev->mtu, PAGE_SIZE);
+
++ /* XXX FIXME: RX path dependent on MAX_SKB_FRAGS */
+ if (vif->can_sg || vif->gso || vif->gso_prefix)
+ max += MAX_SKB_FRAGS + 1; /* extra_info + frags */
+
+@@ -627,6 +664,7 @@ static void xen_netbk_rx_action(struct xen_netbk *netbk)
+ __skb_queue_tail(&rxq, skb);
+
+ /* Filled the batch queue? */
++ /* XXX FIXME: RX path dependent on MAX_SKB_FRAGS */
+ if (count + MAX_SKB_FRAGS >= XEN_NETIF_RX_RING_SIZE)
+ break;
+ }
+@@ -874,47 +912,99 @@ static int netbk_count_requests(struct xenvif *vif,
+ int work_to_do)
+ {
+ RING_IDX cons = vif->tx.req_cons;
+- int frags = 0;
++ int slots = 0;
++ int drop_err = 0;
++ int more_data;
+
+ if (!(first->flags & XEN_NETTXF_more_data))
+ return 0;
+
+ do {
+- if (frags >= work_to_do) {
+- netdev_err(vif->dev, "Need more frags\n");
++ struct xen_netif_tx_request dropped_tx = { 0 };
++
++ if (slots >= work_to_do) {
++ netdev_err(vif->dev,
++ "Asked for %d slots but exceeds this limit\n",
++ work_to_do);
+ netbk_fatal_tx_err(vif);
+ return -ENODATA;
+ }
+
+- if (unlikely(frags >= MAX_SKB_FRAGS)) {
+- netdev_err(vif->dev, "Too many frags\n");
++ /* This guest is really using too many slots and
++ * considered malicious.
++ */
++ if (unlikely(slots >= fatal_skb_slots)) {
++ netdev_err(vif->dev,
++ "Malicious frontend using %d slots, threshold %u\n",
++ slots, fatal_skb_slots);
+ netbk_fatal_tx_err(vif);
+ return -E2BIG;
+ }
+
+- memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + frags),
++ /* Xen network protocol had implicit dependency on
++ * MAX_SKB_FRAGS. XEN_NETBK_LEGACY_SLOTS_MAX is set to
++ * the historical MAX_SKB_FRAGS value 18 to honor the
++ * same behavior as before. Any packet using more than
++ * 18 slots but less than fatal_skb_slots slots is
++ * dropped
++ */
++ if (!drop_err && slots >= XEN_NETBK_LEGACY_SLOTS_MAX) {
++ if (net_ratelimit())
++ netdev_dbg(vif->dev,
++ "Too many slots (%d) exceeding limit (%d), dropping packet\n",
++ slots, XEN_NETBK_LEGACY_SLOTS_MAX);
++ drop_err = -E2BIG;
++ }
++
++ if (drop_err)
++ txp = &dropped_tx;
++
++ memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + slots),
+ sizeof(*txp));
+- if (txp->size > first->size) {
+- netdev_err(vif->dev, "Frag is bigger than frame.\n");
+- netbk_fatal_tx_err(vif);
+- return -EIO;
++
++ /* If the guest submitted a frame >= 64 KiB then
++ * first->size overflowed and following slots will
++ * appear to be larger than the frame.
++ *
++ * This cannot be fatal error as there are buggy
++ * frontends that do this.
++ *
++ * Consume all slots and drop the packet.
++ */
++ if (!drop_err && txp->size > first->size) {
++ if (net_ratelimit())
++ netdev_dbg(vif->dev,
++ "Invalid tx request, slot size %u > remaining size %u\n",
++ txp->size, first->size);
++ drop_err = -EIO;
+ }
+
+ first->size -= txp->size;
+- frags++;
++ slots++;
+
+ if (unlikely((txp->offset + txp->size) > PAGE_SIZE)) {
+- netdev_err(vif->dev, "txp->offset: %x, size: %u\n",
++ netdev_err(vif->dev, "Cross page boundary, txp->offset: %x, size: %u\n",
+ txp->offset, txp->size);
+ netbk_fatal_tx_err(vif);
+ return -EINVAL;
+ }
+- } while ((txp++)->flags & XEN_NETTXF_more_data);
+- return frags;
++
++ more_data = txp->flags & XEN_NETTXF_more_data;
++
++ if (!drop_err)
++ txp++;
++
++ } while (more_data);
++
++ if (drop_err) {
++ netbk_tx_err(vif, first, cons + slots);
++ return drop_err;
++ }
++
++ return slots;
+ }
+
+ static struct page *xen_netbk_alloc_page(struct xen_netbk *netbk,
+- struct sk_buff *skb,
+ u16 pending_idx)
+ {
+ struct page *page;
+@@ -935,50 +1025,114 @@ static struct gnttab_copy *xen_netbk_get_requests(struct xen_netbk *netbk,
+ struct skb_shared_info *shinfo = skb_shinfo(skb);
+ skb_frag_t *frags = shinfo->frags;
+ u16 pending_idx = *((u16 *)skb->data);
+- int i, start;
++ u16 head_idx = 0;
++ int slot, start;
++ struct page *page;
++ pending_ring_idx_t index, start_idx = 0;
++ uint16_t dst_offset;
++ unsigned int nr_slots;
++ struct pending_tx_info *first = NULL;
++
++ /* At this point shinfo->nr_frags is in fact the number of
++ * slots, which can be as large as XEN_NETBK_LEGACY_SLOTS_MAX.
++ */
++ nr_slots = shinfo->nr_frags;
+
+ /* Skip first skb fragment if it is on same page as header fragment. */
+ start = (frag_get_pending_idx(&shinfo->frags[0]) == pending_idx);
+
+- for (i = start; i < shinfo->nr_frags; i++, txp++) {
+- struct page *page;
+- pending_ring_idx_t index;
++ /* Coalesce tx requests, at this point the packet passed in
++ * should be <= 64K. Any packets larger than 64K have been
++ * handled in netbk_count_requests().
++ */
++ for (shinfo->nr_frags = slot = start; slot < nr_slots;
++ shinfo->nr_frags++) {
+ struct pending_tx_info *pending_tx_info =
+ netbk->pending_tx_info;
+
+- index = pending_index(netbk->pending_cons++);
+- pending_idx = netbk->pending_ring[index];
+- page = xen_netbk_alloc_page(netbk, skb, pending_idx);
++ page = alloc_page(GFP_KERNEL|__GFP_COLD);
+ if (!page)
+ goto err;
+
+- netbk->mmap_pages[pending_idx] = page;
+-
+- gop->source.u.ref = txp->gref;
+- gop->source.domid = vif->domid;
+- gop->source.offset = txp->offset;
+-
+- gop->dest.u.gmfn = virt_to_mfn(page_address(page));
+- gop->dest.domid = DOMID_SELF;
+- gop->dest.offset = txp->offset;
+-
+- gop->len = txp->size;
+- gop->flags = GNTCOPY_source_gref;
++ dst_offset = 0;
++ first = NULL;
++ while (dst_offset < PAGE_SIZE && slot < nr_slots) {
++ gop->flags = GNTCOPY_source_gref;
++
++ gop->source.u.ref = txp->gref;
++ gop->source.domid = vif->domid;
++ gop->source.offset = txp->offset;
++
++ gop->dest.domid = DOMID_SELF;
++
++ gop->dest.offset = dst_offset;
++ gop->dest.u.gmfn = virt_to_mfn(page_address(page));
++
++ if (dst_offset + txp->size > PAGE_SIZE) {
++ /* This page can only merge a portion
++ * of tx request. Do not increment any
++ * pointer / counter here. The txp
++ * will be dealt with in future
++ * rounds, eventually hitting the
++ * `else` branch.
++ */
++ gop->len = PAGE_SIZE - dst_offset;
++ txp->offset += gop->len;
++ txp->size -= gop->len;
++ dst_offset += gop->len; /* quit loop */
++ } else {
++ /* This tx request can be merged in the page */
++ gop->len = txp->size;
++ dst_offset += gop->len;
++
++ index = pending_index(netbk->pending_cons++);
++
++ pending_idx = netbk->pending_ring[index];
++
++ memcpy(&pending_tx_info[pending_idx].req, txp,
++ sizeof(*txp));
++ xenvif_get(vif);
++
++ pending_tx_info[pending_idx].vif = vif;
++
++ /* Poison these fields, corresponding
++ * fields for head tx req will be set
++ * to correct values after the loop.
++ */
++ netbk->mmap_pages[pending_idx] = (void *)(~0UL);
++ pending_tx_info[pending_idx].head =
++ INVALID_PENDING_RING_IDX;
++
++ if (!first) {
++ first = &pending_tx_info[pending_idx];
++ start_idx = index;
++ head_idx = pending_idx;
++ }
++
++ txp++;
++ slot++;
++ }
+
+- gop++;
++ gop++;
++ }
+
+- memcpy(&pending_tx_info[pending_idx].req, txp, sizeof(*txp));
+- xenvif_get(vif);
+- pending_tx_info[pending_idx].vif = vif;
+- frag_set_pending_idx(&frags[i], pending_idx);
++ first->req.offset = 0;
++ first->req.size = dst_offset;
++ first->head = start_idx;
++ set_page_ext(page, netbk, head_idx);
++ netbk->mmap_pages[head_idx] = page;
++ frag_set_pending_idx(&frags[shinfo->nr_frags], head_idx);
+ }
+
++ BUG_ON(shinfo->nr_frags > MAX_SKB_FRAGS);
++
+ return gop;
+ err:
+ /* Unwind, freeing all pages and sending error responses. */
+- while (i-- > start) {
+- xen_netbk_idx_release(netbk, frag_get_pending_idx(&frags[i]),
+- XEN_NETIF_RSP_ERROR);
++ while (shinfo->nr_frags-- > start) {
++ xen_netbk_idx_release(netbk,
++ frag_get_pending_idx(&frags[shinfo->nr_frags]),
++ XEN_NETIF_RSP_ERROR);
+ }
+ /* The head too, if necessary. */
+ if (start)
+@@ -994,8 +1148,10 @@ static int xen_netbk_tx_check_gop(struct xen_netbk *netbk,
+ struct gnttab_copy *gop = *gopp;
+ u16 pending_idx = *((u16 *)skb->data);
+ struct skb_shared_info *shinfo = skb_shinfo(skb);
++ struct pending_tx_info *tx_info;
+ int nr_frags = shinfo->nr_frags;
+ int i, err, start;
++ u16 peek; /* peek into next tx request */
+
+ /* Check status of header. */
+ err = gop->status;
+@@ -1007,11 +1163,20 @@ static int xen_netbk_tx_check_gop(struct xen_netbk *netbk,
+
+ for (i = start; i < nr_frags; i++) {
+ int j, newerr;
++ pending_ring_idx_t head;
+
+ pending_idx = frag_get_pending_idx(&shinfo->frags[i]);
++ tx_info = &netbk->pending_tx_info[pending_idx];
++ head = tx_info->head;
+
+ /* Check error status: if okay then remember grant handle. */
+- newerr = (++gop)->status;
++ do {
++ newerr = (++gop)->status;
++ if (newerr)
++ break;
++ peek = netbk->pending_ring[pending_index(++head)];
++ } while (!pending_tx_is_head(netbk, peek));
++
+ if (likely(!newerr)) {
+ /* Had a previous error? Invalidate this fragment. */
+ if (unlikely(err))
+@@ -1236,11 +1401,12 @@ static unsigned xen_netbk_tx_build_gops(struct xen_netbk *netbk)
+ struct sk_buff *skb;
+ int ret;
+
+- while (((nr_pending_reqs(netbk) + MAX_SKB_FRAGS) < MAX_PENDING_REQS) &&
++ while ((nr_pending_reqs(netbk) + XEN_NETBK_LEGACY_SLOTS_MAX
++ < MAX_PENDING_REQS) &&
+ !list_empty(&netbk->net_schedule_list)) {
+ struct xenvif *vif;
+ struct xen_netif_tx_request txreq;
+- struct xen_netif_tx_request txfrags[MAX_SKB_FRAGS];
++ struct xen_netif_tx_request txfrags[XEN_NETBK_LEGACY_SLOTS_MAX];
+ struct page *page;
+ struct xen_netif_extra_info extras[XEN_NETIF_EXTRA_TYPE_MAX-1];
+ u16 pending_idx;
+@@ -1328,7 +1494,7 @@ static unsigned xen_netbk_tx_build_gops(struct xen_netbk *netbk)
+ pending_idx = netbk->pending_ring[index];
+
+ data_len = (txreq.size > PKT_PROT_LEN &&
+- ret < MAX_SKB_FRAGS) ?
++ ret < XEN_NETBK_LEGACY_SLOTS_MAX) ?
+ PKT_PROT_LEN : txreq.size;
+
+ skb = alloc_skb(data_len + NET_SKB_PAD + NET_IP_ALIGN,
+@@ -1355,15 +1521,13 @@ static unsigned xen_netbk_tx_build_gops(struct xen_netbk *netbk)
+ }
+
+ /* XXX could copy straight to head */
+- page = xen_netbk_alloc_page(netbk, skb, pending_idx);
++ page = xen_netbk_alloc_page(netbk, pending_idx);
+ if (!page) {
+ kfree_skb(skb);
+ netbk_tx_err(vif, &txreq, idx);
+ continue;
+ }
+
+- netbk->mmap_pages[pending_idx] = page;
+-
+ gop->source.u.ref = txreq.gref;
+ gop->source.domid = vif->domid;
+ gop->source.offset = txreq.offset;
+@@ -1380,6 +1544,7 @@ static unsigned xen_netbk_tx_build_gops(struct xen_netbk *netbk)
+ memcpy(&netbk->pending_tx_info[pending_idx].req,
+ &txreq, sizeof(txreq));
+ netbk->pending_tx_info[pending_idx].vif = vif;
++ netbk->pending_tx_info[pending_idx].head = index;
+ *((u16 *)skb->data) = pending_idx;
+
+ __skb_put(skb, data_len);
+@@ -1510,7 +1675,10 @@ static void xen_netbk_idx_release(struct xen_netbk *netbk, u16 pending_idx,
+ {
+ struct xenvif *vif;
+ struct pending_tx_info *pending_tx_info;
+- pending_ring_idx_t index;
++ pending_ring_idx_t head;
++ u16 peek; /* peek into next tx request */
++
++ BUG_ON(netbk->mmap_pages[pending_idx] == (void *)(~0UL));
+
+ /* Already complete? */
+ if (netbk->mmap_pages[pending_idx] == NULL)
+@@ -1519,19 +1687,40 @@ static void xen_netbk_idx_release(struct xen_netbk *netbk, u16 pending_idx,
+ pending_tx_info = &netbk->pending_tx_info[pending_idx];
+
+ vif = pending_tx_info->vif;
++ head = pending_tx_info->head;
++
++ BUG_ON(!pending_tx_is_head(netbk, head));
++ BUG_ON(netbk->pending_ring[pending_index(head)] != pending_idx);
+
+- make_tx_response(vif, &pending_tx_info->req, status);
++ do {
++ pending_ring_idx_t index;
++ pending_ring_idx_t idx = pending_index(head);
++ u16 info_idx = netbk->pending_ring[idx];
+
+- index = pending_index(netbk->pending_prod++);
+- netbk->pending_ring[index] = pending_idx;
++ pending_tx_info = &netbk->pending_tx_info[info_idx];
++ make_tx_response(vif, &pending_tx_info->req, status);
+
+- xenvif_put(vif);
++ /* Setting any number other than
++ * INVALID_PENDING_RING_IDX indicates this slot is
++ * starting a new packet / ending a previous packet.
++ */
++ pending_tx_info->head = 0;
++
++ index = pending_index(netbk->pending_prod++);
++ netbk->pending_ring[index] = netbk->pending_ring[info_idx];
++
++ xenvif_put(vif);
++
++ peek = netbk->pending_ring[pending_index(++head)];
++
++ } while (!pending_tx_is_head(netbk, peek));
+
+ netbk->mmap_pages[pending_idx]->mapping = 0;
+ put_page(netbk->mmap_pages[pending_idx]);
+ netbk->mmap_pages[pending_idx] = NULL;
+ }
+
++
+ static void make_tx_response(struct xenvif *vif,
+ struct xen_netif_tx_request *txp,
+ s8 st)
+@@ -1584,8 +1773,9 @@ static inline int rx_work_todo(struct xen_netbk *netbk)
+ static inline int tx_work_todo(struct xen_netbk *netbk)
+ {
+
+- if (((nr_pending_reqs(netbk) + MAX_SKB_FRAGS) < MAX_PENDING_REQS) &&
+- !list_empty(&netbk->net_schedule_list))
++ if ((nr_pending_reqs(netbk) + XEN_NETBK_LEGACY_SLOTS_MAX
++ < MAX_PENDING_REQS) &&
++ !list_empty(&netbk->net_schedule_list))
+ return 1;
+
+ return 0;
+@@ -1668,6 +1858,13 @@ static int __init netback_init(void)
+ if (!xen_pv_domain())
+ return -ENODEV;
+
++ if (fatal_skb_slots < XEN_NETBK_LEGACY_SLOTS_MAX) {
++ printk(KERN_INFO
++ "xen-netback: fatal_skb_slots too small (%d), bump it to XEN_NETBK_LEGACY_SLOTS_MAX (%d)\n",
++ fatal_skb_slots, XEN_NETBK_LEGACY_SLOTS_MAX);
++ fatal_skb_slots = XEN_NETBK_LEGACY_SLOTS_MAX;
++ }
++
+ xen_netbk_group_nr = num_online_cpus();
+ xen_netbk = vzalloc(sizeof(struct xen_netbk) * xen_netbk_group_nr);
+ if (!xen_netbk) {
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index 9b9843e..0d9914b 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -36,7 +36,7 @@
+ #include <linux/skbuff.h>
+ #include <linux/ethtool.h>
+ #include <linux/if_ether.h>
+-#include <linux/tcp.h>
++#include <net/tcp.h>
+ #include <linux/udp.h>
+ #include <linux/moduleparam.h>
+ #include <linux/mm.h>
+@@ -490,6 +490,16 @@ static int xennet_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ unsigned int offset = offset_in_page(data);
+ unsigned int len = skb_headlen(skb);
+
++ /* If skb->len is too big for wire format, drop skb and alert
++ * user about misconfiguration.
++ */
++ if (unlikely(skb->len > XEN_NETIF_MAX_TX_SIZE)) {
++ net_alert_ratelimited(
++ "xennet: skb->len = %u, too big for wire format\n",
++ skb->len);
++ goto drop;
++ }
++
+ frags += DIV_ROUND_UP(offset + len, PAGE_SIZE);
+ if (unlikely(frags > MAX_SKB_FRAGS + 1)) {
+ printk(KERN_ALERT "xennet: skb rides the rocket: %d frags\n",
+@@ -1043,7 +1053,8 @@ err:
+
+ static int xennet_change_mtu(struct net_device *dev, int mtu)
+ {
+- int max = xennet_can_sg(dev) ? 65535 - ETH_HLEN : ETH_DATA_LEN;
++ int max = xennet_can_sg(dev) ?
++ XEN_NETIF_MAX_TX_SIZE - MAX_TCP_HEADER : ETH_DATA_LEN;
+
+ if (mtu > max)
+ return -EINVAL;
+@@ -1318,6 +1329,8 @@ static struct net_device * __devinit xennet_create_dev(struct xenbus_device *dev
+ SET_ETHTOOL_OPS(netdev, &xennet_ethtool_ops);
+ SET_NETDEV_DEV(netdev, &dev->dev);
+
++ netif_set_gso_max_size(netdev, XEN_NETIF_MAX_TX_SIZE - MAX_TCP_HEADER);
++
+ np->netdev = netdev;
+
+ netif_carrier_off(netdev);
+diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
+index 7b82868..8e6c4fa 100644
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -8665,6 +8665,13 @@ static int __must_check __init get_thinkpad_model_data(
+ tp->model_str = kstrdup(s, GFP_KERNEL);
+ if (!tp->model_str)
+ return -ENOMEM;
++ } else {
++ s = dmi_get_system_info(DMI_BIOS_VENDOR);
++ if (s && !(strnicmp(s, "Lenovo", 6))) {
++ tp->model_str = kstrdup(s, GFP_KERNEL);
++ if (!tp->model_str)
++ return -ENOMEM;
++ }
+ }
+
+ s = dmi_get_system_info(DMI_PRODUCT_NAME);
+diff --git a/drivers/rapidio/devices/tsi721.c b/drivers/rapidio/devices/tsi721.c
+index 23ef16c..84eab3f 100644
+--- a/drivers/rapidio/devices/tsi721.c
++++ b/drivers/rapidio/devices/tsi721.c
+@@ -555,7 +555,7 @@ static irqreturn_t tsi721_irqhandler(int irq, void *ptr)
+ /* For MSI mode re-enable device-level interrupts */
+ if (priv->flags & TSI721_USING_MSI) {
+ dev_int = TSI721_DEV_INT_SR2PC_CH | TSI721_DEV_INT_SRIO |
+- TSI721_DEV_INT_SMSG_CH | TSI721_DEV_INT_BDMA_CH;
++ TSI721_DEV_INT_SMSG_CH;
+ iowrite32(dev_int, priv->regs + TSI721_DEV_INTE);
+ }
+
+diff --git a/drivers/rtc/rtc-twl.c b/drivers/rtc/rtc-twl.c
+index a3e98f1..b37c8b0 100644
+--- a/drivers/rtc/rtc-twl.c
++++ b/drivers/rtc/rtc-twl.c
+@@ -490,6 +490,7 @@ static int __devinit twl_rtc_probe(struct platform_device *pdev)
+ }
+
+ platform_set_drvdata(pdev, rtc);
++ device_init_wakeup(&pdev->dev, 1);
+ return 0;
+
+ out2:
+diff --git a/drivers/staging/gma500/cdv_intel_display.c b/drivers/staging/gma500/cdv_intel_display.c
+index 7b97c60..626ae47 100644
+--- a/drivers/staging/gma500/cdv_intel_display.c
++++ b/drivers/staging/gma500/cdv_intel_display.c
+@@ -1457,6 +1457,19 @@ static void cdv_intel_crtc_destroy(struct drm_crtc *crtc)
+ kfree(psb_intel_crtc);
+ }
+
++static void cdv_intel_crtc_disable(struct drm_crtc *crtc)
++{
++ struct gtt_range *gt;
++ struct drm_crtc_helper_funcs *crtc_funcs = crtc->helper_private;
++
++ crtc_funcs->dpms(crtc, DRM_MODE_DPMS_OFF);
++
++ if (crtc->fb) {
++ gt = to_psb_fb(crtc->fb)->gtt;
++ psb_gtt_unpin(gt);
++ }
++}
++
+ const struct drm_crtc_helper_funcs cdv_intel_helper_funcs = {
+ .dpms = cdv_intel_crtc_dpms,
+ .mode_fixup = cdv_intel_crtc_mode_fixup,
+@@ -1464,6 +1477,7 @@ const struct drm_crtc_helper_funcs cdv_intel_helper_funcs = {
+ .mode_set_base = cdv_intel_pipe_set_base,
+ .prepare = cdv_intel_crtc_prepare,
+ .commit = cdv_intel_crtc_commit,
++ .disable = cdv_intel_crtc_disable,
+ };
+
+ const struct drm_crtc_funcs cdv_intel_crtc_funcs = {
+diff --git a/drivers/staging/gma500/framebuffer.c b/drivers/staging/gma500/framebuffer.c
+index 3f39a37..d28fdc2 100644
+--- a/drivers/staging/gma500/framebuffer.c
++++ b/drivers/staging/gma500/framebuffer.c
+@@ -831,8 +831,8 @@ void psb_modeset_init(struct drm_device *dev)
+ for (i = 0; i < dev_priv->num_pipe; i++)
+ psb_intel_crtc_init(dev, i, mode_dev);
+
+- dev->mode_config.max_width = 2048;
+- dev->mode_config.max_height = 2048;
++ dev->mode_config.max_width = 4096;
++ dev->mode_config.max_height = 4096;
+
+ psb_setup_outputs(dev);
+ }
+diff --git a/drivers/staging/gma500/psb_intel_display.c b/drivers/staging/gma500/psb_intel_display.c
+index caa9d86..0d872e9 100644
+--- a/drivers/staging/gma500/psb_intel_display.c
++++ b/drivers/staging/gma500/psb_intel_display.c
+@@ -1255,6 +1255,19 @@ void psb_intel_crtc_destroy(struct drm_crtc *crtc)
+ kfree(psb_intel_crtc);
+ }
+
++static void psb_intel_crtc_disable(struct drm_crtc *crtc)
++{
++ struct gtt_range *gt;
++ struct drm_crtc_helper_funcs *crtc_funcs = crtc->helper_private;
++
++ crtc_funcs->dpms(crtc, DRM_MODE_DPMS_OFF);
++
++ if (crtc->fb) {
++ gt = to_psb_fb(crtc->fb)->gtt;
++ psb_gtt_unpin(gt);
++ }
++}
++
+ const struct drm_crtc_helper_funcs psb_intel_helper_funcs = {
+ .dpms = psb_intel_crtc_dpms,
+ .mode_fixup = psb_intel_crtc_mode_fixup,
+@@ -1262,6 +1275,7 @@ const struct drm_crtc_helper_funcs psb_intel_helper_funcs = {
+ .mode_set_base = psb_intel_pipe_set_base,
+ .prepare = psb_intel_crtc_prepare,
+ .commit = psb_intel_crtc_commit,
++ .disable = psb_intel_crtc_disable,
+ };
+
+ const struct drm_crtc_funcs psb_intel_crtc_funcs = {
+diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
+index 5b77316..db313ba 100644
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -713,9 +713,9 @@ static int iscsi_add_notunderstood_response(
+ }
+ INIT_LIST_HEAD(&extra_response->er_list);
+
+- strncpy(extra_response->key, key, strlen(key) + 1);
+- strncpy(extra_response->value, NOTUNDERSTOOD,
+- strlen(NOTUNDERSTOOD) + 1);
++ strlcpy(extra_response->key, key, sizeof(extra_response->key));
++ strlcpy(extra_response->value, NOTUNDERSTOOD,
++ sizeof(extra_response->value));
+
+ list_add_tail(&extra_response->er_list,
+ ¶m_list->extra_response_list);
+@@ -1572,8 +1572,6 @@ int iscsi_decode_text_input(
+
+ if (phase & PHASE_SECURITY) {
+ if (iscsi_check_for_auth_key(key) > 0) {
+- char *tmpptr = key + strlen(key);
+- *tmpptr = '=';
+ kfree(tmpbuf);
+ return 1;
+ }
+diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
+index 6a37fd6..83eed65 100644
+--- a/drivers/target/iscsi/iscsi_target_parameters.h
++++ b/drivers/target/iscsi/iscsi_target_parameters.h
+@@ -1,8 +1,10 @@
+ #ifndef ISCSI_PARAMETERS_H
+ #define ISCSI_PARAMETERS_H
+
++#include <scsi/iscsi_proto.h>
++
+ struct iscsi_extra_response {
+- char key[64];
++ char key[KEY_MAXLEN];
+ char value[32];
+ struct list_head er_list;
+ } ____cacheline_aligned;
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index e9637f9..b368b83 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1310,10 +1310,19 @@ static void dwc3_gadget_free_endpoints(struct dwc3 *dwc)
+
+ for (epnum = 0; epnum < DWC3_ENDPOINTS_NUM; epnum++) {
+ dep = dwc->eps[epnum];
+- dwc3_free_trb_pool(dep);
+-
+- if (epnum != 0 && epnum != 1)
++ /*
++ * Physical endpoints 0 and 1 are special; they form the
++ * bi-directional USB endpoint 0.
++ *
++ * For those two physical endpoints, we don't allocate a TRB
++ * pool nor do we add them the endpoints list. Due to that, we
++ * shouldn't do these two operations otherwise we would end up
++ * with all sorts of bugs when removing dwc3.ko.
++ */
++ if (epnum != 0 && epnum != 1) {
++ dwc3_free_trb_pool(dep);
+ list_del(&dep->endpoint.ep_list);
++ }
+
+ kfree(dep);
+ }
+diff --git a/drivers/usb/host/ehci-sched.c b/drivers/usb/host/ehci-sched.c
+index 08e470f..34655d0 100644
+--- a/drivers/usb/host/ehci-sched.c
++++ b/drivers/usb/host/ehci-sched.c
+@@ -236,7 +236,7 @@ static inline unsigned char tt_start_uframe(struct ehci_hcd *ehci, __hc32 mask)
+ }
+
+ static const unsigned char
+-max_tt_usecs[] = { 125, 125, 125, 125, 125, 125, 125, 25 };
++max_tt_usecs[] = { 125, 125, 125, 125, 125, 125, 30, 0 };
+
+ /* carryover low/fullspeed bandwidth that crosses uframe boundries */
+ static inline void carryover_tt_bandwidth(unsigned short tt_usecs[8])
+diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
+index 430c1d5..5018e33 100644
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -1755,6 +1755,9 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)
+ }
+ spin_unlock_irqrestore(&xhci->lock, flags);
+
++ if (!xhci->rh_bw)
++ goto no_bw;
++
+ num_ports = HCS_MAX_PORTS(xhci->hcs_params1);
+ for (i = 0; i < num_ports; i++) {
+ struct xhci_interval_bw_table *bwt = &xhci->rh_bw[i].bw_table;
+@@ -1773,6 +1776,7 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)
+ }
+ }
+
++no_bw:
+ xhci->num_usb2_ports = 0;
+ xhci->num_usb3_ports = 0;
+ xhci->num_active_eps = 0;
+@@ -2184,6 +2188,9 @@ int xhci_mem_init(struct xhci_hcd *xhci, gfp_t flags)
+ u32 page_size;
+ int i;
+
++ INIT_LIST_HEAD(&xhci->lpm_failed_devs);
++ INIT_LIST_HEAD(&xhci->cancel_cmd_list);
++
+ page_size = xhci_readl(xhci, &xhci->op_regs->page_size);
+ xhci_dbg(xhci, "Supported page size register = 0x%x\n", page_size);
+ for (i = 0; i < 16; i++) {
+@@ -2262,7 +2269,6 @@ int xhci_mem_init(struct xhci_hcd *xhci, gfp_t flags)
+ xhci->cmd_ring = xhci_ring_alloc(xhci, 1, true, false, flags);
+ if (!xhci->cmd_ring)
+ goto fail;
+- INIT_LIST_HEAD(&xhci->cancel_cmd_list);
+ xhci_dbg(xhci, "Allocated command ring at %p\n", xhci->cmd_ring);
+ xhci_dbg(xhci, "First segment DMA is 0x%llx\n",
+ (unsigned long long)xhci->cmd_ring->first_seg->dma);
+@@ -2363,8 +2369,6 @@ int xhci_mem_init(struct xhci_hcd *xhci, gfp_t flags)
+ if (xhci_setup_port_arrays(xhci, flags))
+ goto fail;
+
+- INIT_LIST_HEAD(&xhci->lpm_failed_devs);
+-
+ return 0;
+
+ fail:
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index 2c0350f..136c357 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -938,6 +938,7 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
+ struct usb_hcd *hcd = xhci_to_hcd(xhci);
+ struct usb_hcd *secondary_hcd;
+ int retval = 0;
++ bool comp_timer_running = false;
+
+ /* Wait a bit if either of the roothubs need to settle from the
+ * transition into bus suspend.
+@@ -975,6 +976,13 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
+
+ /* If restore operation fails, re-initialize the HC during resume */
+ if ((temp & STS_SRE) || hibernated) {
++
++ if ((xhci->quirks & XHCI_COMP_MODE_QUIRK) &&
++ !(xhci_all_ports_seen_u0(xhci))) {
++ del_timer_sync(&xhci->comp_mode_recovery_timer);
++ xhci_dbg(xhci, "Compliance Mode Recovery Timer deleted!\n");
++ }
++
+ /* Let the USB core know _both_ roothubs lost power. */
+ usb_root_hub_lost_power(xhci->main_hcd->self.root_hub);
+ usb_root_hub_lost_power(xhci->shared_hcd->self.root_hub);
+@@ -1017,6 +1025,8 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
+ retval = xhci_init(hcd->primary_hcd);
+ if (retval)
+ return retval;
++ comp_timer_running = true;
++
+ xhci_dbg(xhci, "Start the primary HCD\n");
+ retval = xhci_run(hcd->primary_hcd);
+ if (!retval) {
+@@ -1058,7 +1068,7 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
+ * to suffer the Compliance Mode issue again. It doesn't matter if
+ * ports have entered previously to U0 before system's suspension.
+ */
+- if (xhci->quirks & XHCI_COMP_MODE_QUIRK)
++ if ((xhci->quirks & XHCI_COMP_MODE_QUIRK) && !comp_timer_running)
+ compliance_mode_recovery_timer_init(xhci);
+
+ /* Re-enable port polling. */
+diff --git a/drivers/usb/serial/ark3116.c b/drivers/usb/serial/ark3116.c
+index 3ca6c0d..1a715f6 100644
+--- a/drivers/usb/serial/ark3116.c
++++ b/drivers/usb/serial/ark3116.c
+@@ -49,7 +49,7 @@ static int debug;
+ #define DRIVER_NAME "ark3116"
+
+ /* usb timeout of 1 second */
+-#define ARK_TIMEOUT (1*HZ)
++#define ARK_TIMEOUT 1000
+
+ static const struct usb_device_id id_table[] = {
+ { USB_DEVICE(0x6547, 0x0232) },
+diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c
+index 01a44d3..10c30ad 100644
+--- a/drivers/usb/serial/cypress_m8.c
++++ b/drivers/usb/serial/cypress_m8.c
+@@ -96,6 +96,7 @@ static const struct usb_device_id id_table_earthmate[] = {
+ static const struct usb_device_id id_table_cyphidcomrs232[] = {
+ { USB_DEVICE(VENDOR_ID_CYPRESS, PRODUCT_ID_CYPHIDCOM) },
+ { USB_DEVICE(VENDOR_ID_POWERCOM, PRODUCT_ID_UPS) },
++ { USB_DEVICE(VENDOR_ID_FRWD, PRODUCT_ID_CYPHIDCOM_FRWD) },
+ { } /* Terminating entry */
+ };
+
+@@ -109,6 +110,7 @@ static const struct usb_device_id id_table_combined[] = {
+ { USB_DEVICE(VENDOR_ID_DELORME, PRODUCT_ID_EARTHMATEUSB_LT20) },
+ { USB_DEVICE(VENDOR_ID_CYPRESS, PRODUCT_ID_CYPHIDCOM) },
+ { USB_DEVICE(VENDOR_ID_POWERCOM, PRODUCT_ID_UPS) },
++ { USB_DEVICE(VENDOR_ID_FRWD, PRODUCT_ID_CYPHIDCOM_FRWD) },
+ { USB_DEVICE(VENDOR_ID_DAZZLE, PRODUCT_ID_CA42) },
+ { } /* Terminating entry */
+ };
+@@ -267,6 +269,12 @@ static struct usb_serial_driver cypress_ca42v2_device = {
+ * Cypress serial helper functions
+ *****************************************************************************/
+
++/* FRWD Dongle hidcom needs to skip reset and speed checks */
++static inline bool is_frwd(struct usb_device *dev)
++{
++ return ((le16_to_cpu(dev->descriptor.idVendor) == VENDOR_ID_FRWD) &&
++ (le16_to_cpu(dev->descriptor.idProduct) == PRODUCT_ID_CYPHIDCOM_FRWD));
++}
+
+ static int analyze_baud_rate(struct usb_serial_port *port, speed_t new_rate)
+ {
+@@ -276,6 +284,10 @@ static int analyze_baud_rate(struct usb_serial_port *port, speed_t new_rate)
+ if (unstable_bauds)
+ return new_rate;
+
++ /* FRWD Dongle uses 115200 bps */
++ if (is_frwd(port->serial->dev))
++ return new_rate;
++
+ /*
+ * The general purpose firmware for the Cypress M8 allows for
+ * a maximum speed of 57600bps (I have no idea whether DeLorme
+@@ -488,7 +500,11 @@ static int generic_startup(struct usb_serial *serial)
+ return -ENOMEM;
+ }
+
+- usb_reset_configuration(serial->dev);
++ /* Skip reset for FRWD device. It is a workaound:
++ device hangs if it receives SET_CONFIGURE in Configured
++ state. */
++ if (!is_frwd(serial->dev))
++ usb_reset_configuration(serial->dev);
+
+ priv->cmd_ctrl = 0;
+ priv->line_control = 0;
+diff --git a/drivers/usb/serial/cypress_m8.h b/drivers/usb/serial/cypress_m8.h
+index 67cf608..b461311 100644
+--- a/drivers/usb/serial/cypress_m8.h
++++ b/drivers/usb/serial/cypress_m8.h
+@@ -24,6 +24,10 @@
+ #define VENDOR_ID_CYPRESS 0x04b4
+ #define PRODUCT_ID_CYPHIDCOM 0x5500
+
++/* FRWD Dongle - a GPS sports watch */
++#define VENDOR_ID_FRWD 0x6737
++#define PRODUCT_ID_CYPHIDCOM_FRWD 0x0001
++
+ /* Powercom UPS, chip CY7C63723 */
+ #define VENDOR_ID_POWERCOM 0x0d9f
+ #define PRODUCT_ID_UPS 0x0002
+diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
+index 918ec98..ce9f87f 100644
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -2169,6 +2169,9 @@ static void ftdi_set_termios(struct tty_struct *tty,
+
+ cflag = termios->c_cflag;
+
++ if (!old_termios)
++ goto no_skip;
++
+ if (old_termios->c_cflag == termios->c_cflag
+ && old_termios->c_ispeed == termios->c_ispeed
+ && old_termios->c_ospeed == termios->c_ospeed)
+@@ -2182,6 +2185,7 @@ static void ftdi_set_termios(struct tty_struct *tty,
+ (termios->c_cflag & (CSIZE|PARODD|PARENB|CMSPAR|CSTOPB)))
+ goto no_data_parity_stop_changes;
+
++no_skip:
+ /* Set number of data bits, parity, stop bits */
+
+ urb_value = 0;
+diff --git a/drivers/usb/serial/iuu_phoenix.c b/drivers/usb/serial/iuu_phoenix.c
+index 6aca631..cf2668e 100644
+--- a/drivers/usb/serial/iuu_phoenix.c
++++ b/drivers/usb/serial/iuu_phoenix.c
+@@ -327,7 +327,7 @@ static int bulk_immediate(struct usb_serial_port *port, u8 *buf, u8 count)
+ usb_bulk_msg(serial->dev,
+ usb_sndbulkpipe(serial->dev,
+ port->bulk_out_endpointAddress), buf,
+- count, &actual, HZ * 1);
++ count, &actual, 1000);
+
+ if (status != IUU_OPERATION_OK)
+ dbg("%s - error = %2x", __func__, status);
+@@ -350,7 +350,7 @@ static int read_immediate(struct usb_serial_port *port, u8 *buf, u8 count)
+ usb_bulk_msg(serial->dev,
+ usb_rcvbulkpipe(serial->dev,
+ port->bulk_in_endpointAddress), buf,
+- count, &actual, HZ * 1);
++ count, &actual, 1000);
+
+ if (status != IUU_OPERATION_OK)
+ dbg("%s - error = %2x", __func__, status);
+diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c
+index a442352..4f415e28 100644
+--- a/drivers/usb/serial/keyspan.c
++++ b/drivers/usb/serial/keyspan.c
+@@ -1833,7 +1833,7 @@ static int keyspan_usa26_send_setup(struct usb_serial *serial,
+ d_details = s_priv->device_details;
+ device_port = port->number - port->serial->minor;
+
+- outcont_urb = d_details->outcont_endpoints[port->number];
++ outcont_urb = d_details->outcont_endpoints[device_port];
+ this_urb = p_priv->outcont_urb;
+
+ dbg("%s - endpoint %d", __func__, usb_pipeendpoint(this_urb->pipe));
+diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
+index 3524a10..9580679 100644
+--- a/drivers/usb/serial/mos7720.c
++++ b/drivers/usb/serial/mos7720.c
+@@ -44,7 +44,7 @@
+ #define DRIVER_DESC "Moschip USB Serial Driver"
+
+ /* default urb timeout */
+-#define MOS_WDR_TIMEOUT (HZ * 5)
++#define MOS_WDR_TIMEOUT 5000
+
+ #define MOS_MAX_PORT 0x02
+ #define MOS_WRITE 0x0E
+@@ -234,11 +234,22 @@ static int read_mos_reg(struct usb_serial *serial, unsigned int serial_portnum,
+ __u8 requesttype = (__u8)0xc0;
+ __u16 index = get_reg_index(reg);
+ __u16 value = get_reg_value(reg, serial_portnum);
+- int status = usb_control_msg(usbdev, pipe, request, requesttype, value,
+- index, data, 1, MOS_WDR_TIMEOUT);
+- if (status < 0)
++ u8 *buf;
++ int status;
++
++ buf = kmalloc(1, GFP_KERNEL);
++ if (!buf)
++ return -ENOMEM;
++
++ status = usb_control_msg(usbdev, pipe, request, requesttype, value,
++ index, buf, 1, MOS_WDR_TIMEOUT);
++ if (status == 1)
++ *data = *buf;
++ else if (status < 0)
+ dev_err(&usbdev->dev,
+ "mos7720: usb_control_msg() failed: %d", status);
++ kfree(buf);
++
+ return status;
+ }
+
+@@ -1700,7 +1711,7 @@ static void change_port_settings(struct tty_struct *tty,
+ mos7720_port->shadowMCR |= (UART_MCR_XONANY);
+ /* To set hardware flow control to the specified *
+ * serial port, in SP1/2_CONTROL_REG */
+- if (port->number)
++ if (port_number)
+ write_mos_reg(serial, dummy, SP_CONTROL_REG, 0x01);
+ else
+ write_mos_reg(serial, dummy, SP_CONTROL_REG, 0x02);
+@@ -2112,7 +2123,7 @@ static int mos7720_startup(struct usb_serial *serial)
+
+ /* setting configuration feature to one */
+ usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
+- (__u8)0x03, 0x00, 0x01, 0x00, NULL, 0x00, 5*HZ);
++ (__u8)0x03, 0x00, 0x01, 0x00, NULL, 0x00, 5000);
+
+ /* start the interrupt urb */
+ ret_val = usb_submit_urb(serial->port[0]->interrupt_in_urb, GFP_KERNEL);
+@@ -2157,7 +2168,7 @@ static void mos7720_release(struct usb_serial *serial)
+ /* wait for synchronous usb calls to return */
+ if (mos_parport->msg_pending)
+ wait_for_completion_timeout(&mos_parport->syncmsg_compl,
+- MOS_WDR_TIMEOUT);
++ msecs_to_jiffies(MOS_WDR_TIMEOUT));
+
+ parport_remove_port(mos_parport->pp);
+ usb_set_serial_data(serial, NULL);
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index 59c4997..8ea37bc 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -593,6 +593,8 @@ static const struct usb_device_id option_ids[] = {
+ .driver_info = (kernel_ulong_t) &huawei_cdc12_blacklist },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K3765, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t) &huawei_cdc12_blacklist },
++ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x14ac, 0xff, 0xff, 0xff), /* Huawei E1820 */
++ .driver_info = (kernel_ulong_t) &net_intf1_blacklist },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K4605, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t) &huawei_cdc12_blacklist },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0xff, 0xff) },
+diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c
+index fd86e0e..317e503 100644
+--- a/drivers/usb/serial/pl2303.c
++++ b/drivers/usb/serial/pl2303.c
+@@ -270,7 +270,7 @@ static void pl2303_set_termios(struct tty_struct *tty,
+ serial settings even to the same values as before. Thus
+ we actually need to filter in this specific case */
+
+- if (!tty_termios_hw_change(tty->termios, old_termios))
++ if (old_termios && !tty_termios_hw_change(tty->termios, old_termios))
+ return;
+
+ cflag = tty->termios->c_cflag;
+@@ -279,7 +279,8 @@ static void pl2303_set_termios(struct tty_struct *tty,
+ if (!buf) {
+ dev_err(&port->dev, "%s - out of memory.\n", __func__);
+ /* Report back no change occurred */
+- *tty->termios = *old_termios;
++ if (old_termios)
++ *tty->termios = *old_termios;
+ return;
+ }
+
+@@ -419,7 +420,7 @@ static void pl2303_set_termios(struct tty_struct *tty,
+ control = priv->line_control;
+ if ((cflag & CBAUD) == B0)
+ priv->line_control &= ~(CONTROL_DTR | CONTROL_RTS);
+- else if ((old_termios->c_cflag & CBAUD) == B0)
++ else if (old_termios && (old_termios->c_cflag & CBAUD) == B0)
+ priv->line_control |= (CONTROL_DTR | CONTROL_RTS);
+ if (control != priv->line_control) {
+ control = priv->line_control;
+@@ -480,7 +481,6 @@ static void pl2303_close(struct usb_serial_port *port)
+
+ static int pl2303_open(struct tty_struct *tty, struct usb_serial_port *port)
+ {
+- struct ktermios tmp_termios;
+ struct usb_serial *serial = port->serial;
+ struct pl2303_private *priv = usb_get_serial_port_data(port);
+ int result;
+@@ -498,7 +498,7 @@ static int pl2303_open(struct tty_struct *tty, struct usb_serial_port *port)
+
+ /* Setup termios */
+ if (tty)
+- pl2303_set_termios(tty, port, &tmp_termios);
++ pl2303_set_termios(tty, port, NULL);
+
+ dbg("%s - submitting read urb", __func__);
+ result = usb_serial_generic_submit_read_urb(port, GFP_KERNEL);
+diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
+index 14c4a82..5535c3a 100644
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -115,6 +115,7 @@ static const struct usb_device_id id_table[] = {
+ {USB_DEVICE(0x1199, 0x9019)}, /* Sierra Wireless Gobi 3000 Modem device */
+ {USB_DEVICE(0x12D1, 0x14F0)}, /* Sony Gobi 3000 QDL */
+ {USB_DEVICE(0x12D1, 0x14F1)}, /* Sony Gobi 3000 Composite */
++ {USB_DEVICE(0x0AF0, 0x8120)}, /* Option GTM681W */
+ { } /* Terminating entry */
+ };
+ MODULE_DEVICE_TABLE(usb, id_table);
+diff --git a/drivers/usb/serial/spcp8x5.c b/drivers/usb/serial/spcp8x5.c
+index ba6b438..f3179b0 100644
+--- a/drivers/usb/serial/spcp8x5.c
++++ b/drivers/usb/serial/spcp8x5.c
+@@ -338,7 +338,6 @@ static void spcp8x5_set_termios(struct tty_struct *tty,
+ struct spcp8x5_private *priv = usb_get_serial_port_data(port);
+ unsigned long flags;
+ unsigned int cflag = tty->termios->c_cflag;
+- unsigned int old_cflag = old_termios->c_cflag;
+ unsigned short uartdata;
+ unsigned char buf[2] = {0, 0};
+ int baud;
+@@ -347,15 +346,15 @@ static void spcp8x5_set_termios(struct tty_struct *tty,
+
+
+ /* check that they really want us to change something */
+- if (!tty_termios_hw_change(tty->termios, old_termios))
++ if (old_termios && !tty_termios_hw_change(tty->termios, old_termios))
+ return;
+
+ /* set DTR/RTS active */
+ spin_lock_irqsave(&priv->lock, flags);
+ control = priv->line_control;
+- if ((old_cflag & CBAUD) == B0) {
++ if (old_termios && (old_termios->c_cflag & CBAUD) == B0) {
+ priv->line_control |= MCR_DTR;
+- if (!(old_cflag & CRTSCTS))
++ if (!(old_termios->c_cflag & CRTSCTS))
+ priv->line_control |= MCR_RTS;
+ }
+ if (control != priv->line_control) {
+@@ -445,7 +444,6 @@ static void spcp8x5_set_termios(struct tty_struct *tty,
+ * status of the device. */
+ static int spcp8x5_open(struct tty_struct *tty, struct usb_serial_port *port)
+ {
+- struct ktermios tmp_termios;
+ struct usb_serial *serial = port->serial;
+ struct spcp8x5_private *priv = usb_get_serial_port_data(port);
+ int ret;
+@@ -468,7 +466,7 @@ static int spcp8x5_open(struct tty_struct *tty, struct usb_serial_port *port)
+
+ /* Setup termios */
+ if (tty)
+- spcp8x5_set_termios(tty, port, &tmp_termios);
++ spcp8x5_set_termios(tty, port, NULL);
+
+ spcp8x5_get_msr(serial->dev, &status, priv->type);
+
+diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c
+index 1c11959..80a6ff6 100644
+--- a/drivers/usb/serial/visor.c
++++ b/drivers/usb/serial/visor.c
+@@ -599,7 +599,9 @@ static int treo_attach(struct usb_serial *serial)
+ dest->read_urb = src->read_urb; \
+ dest->bulk_in_endpointAddress = src->bulk_in_endpointAddress;\
+ dest->bulk_in_buffer = src->bulk_in_buffer; \
++ dest->bulk_in_size = src->bulk_in_size; \
+ dest->interrupt_in_urb = src->interrupt_in_urb; \
++ dest->interrupt_in_urb->context = dest; \
+ dest->interrupt_in_endpointAddress = \
+ src->interrupt_in_endpointAddress;\
+ dest->interrupt_in_buffer = src->interrupt_in_buffer; \
+diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
+index 59d646d..0ec60cd 100644
+--- a/drivers/usb/serial/whiteheat.c
++++ b/drivers/usb/serial/whiteheat.c
+@@ -1209,7 +1209,7 @@ static void firm_setup_port(struct tty_struct *tty)
+ struct whiteheat_port_settings port_settings;
+ unsigned int cflag = tty->termios->c_cflag;
+
+- port_settings.port = port->number + 1;
++ port_settings.port = port->number - port->serial->minor + 1;
+
+ /* get the byte size */
+ switch (cflag & CSIZE) {
+diff --git a/drivers/xen/events.c b/drivers/xen/events.c
+index fec1204..11d7b64 100644
+--- a/drivers/xen/events.c
++++ b/drivers/xen/events.c
+@@ -1176,7 +1176,7 @@ static void __xen_evtchn_do_upcall(void)
+ {
+ int start_word_idx, start_bit_idx;
+ int word_idx, bit_idx;
+- int i;
++ int i, irq;
+ int cpu = get_cpu();
+ struct shared_info *s = HYPERVISOR_shared_info;
+ struct vcpu_info *vcpu_info = __this_cpu_read(xen_vcpu);
+@@ -1184,6 +1184,8 @@ static void __xen_evtchn_do_upcall(void)
+
+ do {
+ unsigned long pending_words;
++ unsigned long pending_bits;
++ struct irq_desc *desc;
+
+ vcpu_info->evtchn_upcall_pending = 0;
+
+@@ -1194,6 +1196,17 @@ static void __xen_evtchn_do_upcall(void)
+ /* Clear master flag /before/ clearing selector flag. */
+ wmb();
+ #endif
++ if ((irq = per_cpu(virq_to_irq, cpu)[VIRQ_TIMER]) != -1) {
++ int evtchn = evtchn_from_irq(irq);
++ word_idx = evtchn / BITS_PER_LONG;
++ pending_bits = evtchn % BITS_PER_LONG;
++ if (active_evtchns(cpu, s, word_idx) & (1ULL << pending_bits)) {
++ desc = irq_to_desc(irq);
++ if (desc)
++ generic_handle_irq_desc(irq, desc);
++ }
++ }
++
+ pending_words = xchg(&vcpu_info->evtchn_pending_sel, 0);
+
+ start_word_idx = __this_cpu_read(current_word_idx);
+@@ -1202,7 +1215,6 @@ static void __xen_evtchn_do_upcall(void)
+ word_idx = start_word_idx;
+
+ for (i = 0; pending_words != 0; i++) {
+- unsigned long pending_bits;
+ unsigned long words;
+
+ words = MASK_LSBS(pending_words, word_idx);
+@@ -1231,8 +1243,7 @@ static void __xen_evtchn_do_upcall(void)
+
+ do {
+ unsigned long bits;
+- int port, irq;
+- struct irq_desc *desc;
++ int port;
+
+ bits = MASK_LSBS(pending_bits, bit_idx);
+
+diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c
+index 2263144..d0e5fc5 100644
+--- a/fs/cifs/cifs_dfs_ref.c
++++ b/fs/cifs/cifs_dfs_ref.c
+@@ -18,6 +18,7 @@
+ #include <linux/slab.h>
+ #include <linux/vfs.h>
+ #include <linux/fs.h>
++#include <linux/inet.h>
+ #include "cifsglob.h"
+ #include "cifsproto.h"
+ #include "cifsfs.h"
+@@ -150,7 +151,8 @@ char *cifs_compose_mount_options(const char *sb_mountdata,
+ * assuming that we have 'unc=' and 'ip=' in
+ * the original sb_mountdata
+ */
+- md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12;
++ md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12 +
++ INET6_ADDRSTRLEN;
+ mountdata = kzalloc(md_len+1, GFP_KERNEL);
+ if (mountdata == NULL) {
+ rc = -ENOMEM;
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index cc386b2..259e950 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2260,7 +2260,9 @@ static void ext4_orphan_cleanup(struct super_block *sb,
+ __func__, inode->i_ino, inode->i_size);
+ jbd_debug(2, "truncating inode %lu to %lld bytes\n",
+ inode->i_ino, inode->i_size);
++ mutex_lock(&inode->i_mutex);
+ ext4_truncate(inode);
++ mutex_unlock(&inode->i_mutex);
+ nr_truncates++;
+ } else {
+ ext4_msg(sb, KERN_DEBUG,
+diff --git a/fs/jfs/inode.c b/fs/jfs/inode.c
+index 77b69b2..13fc885 100644
+--- a/fs/jfs/inode.c
++++ b/fs/jfs/inode.c
+@@ -125,7 +125,7 @@ int jfs_write_inode(struct inode *inode, struct writeback_control *wbc)
+ {
+ int wait = wbc->sync_mode == WB_SYNC_ALL;
+
+- if (test_cflag(COMMIT_Nolink, inode))
++ if (inode->i_nlink == 0)
+ return 0;
+ /*
+ * If COMMIT_DIRTY is not set, the inode isn't really dirty.
+diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
+index cc5f811..bfb2a91 100644
+--- a/fs/jfs/jfs_logmgr.c
++++ b/fs/jfs/jfs_logmgr.c
+@@ -1058,7 +1058,8 @@ static int lmLogSync(struct jfs_log * log, int hard_sync)
+ */
+ void jfs_syncpt(struct jfs_log *log, int hard_sync)
+ { LOG_LOCK(log);
+- lmLogSync(log, hard_sync);
++ if (!test_bit(log_QUIESCE, &log->flag))
++ lmLogSync(log, hard_sync);
+ LOG_UNLOCK(log);
+ }
+
+diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
+index 23ce927..bd2fb43 100644
+--- a/fs/xfs/xfs_iops.c
++++ b/fs/xfs/xfs_iops.c
+@@ -507,6 +507,28 @@ xfs_vn_getattr(
+ return 0;
+ }
+
++static void
++xfs_setattr_mode(
++ struct xfs_trans *tp,
++ struct xfs_inode *ip,
++ struct iattr *iattr)
++{
++ struct inode *inode = VFS_I(ip);
++ umode_t mode = iattr->ia_mode;
++
++ ASSERT(tp);
++ ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL));
++
++ if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
++ mode &= ~S_ISGID;
++
++ ip->i_d.di_mode &= S_IFMT;
++ ip->i_d.di_mode |= mode & ~S_IFMT;
++
++ inode->i_mode &= S_IFMT;
++ inode->i_mode |= mode & ~S_IFMT;
++}
++
+ int
+ xfs_setattr_nonsize(
+ struct xfs_inode *ip,
+@@ -658,18 +680,8 @@ xfs_setattr_nonsize(
+ /*
+ * Change file access modes.
+ */
+- if (mask & ATTR_MODE) {
+- umode_t mode = iattr->ia_mode;
+-
+- if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
+- mode &= ~S_ISGID;
+-
+- ip->i_d.di_mode &= S_IFMT;
+- ip->i_d.di_mode |= mode & ~S_IFMT;
+-
+- inode->i_mode &= S_IFMT;
+- inode->i_mode |= mode & ~S_IFMT;
+- }
++ if (mask & ATTR_MODE)
++ xfs_setattr_mode(tp, ip, iattr);
+
+ /*
+ * Change file access or modified times.
+@@ -768,9 +780,8 @@ xfs_setattr_size(
+ return XFS_ERROR(error);
+
+ ASSERT(S_ISREG(ip->i_d.di_mode));
+- ASSERT((mask & (ATTR_MODE|ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET|
+- ATTR_MTIME_SET|ATTR_KILL_SUID|ATTR_KILL_SGID|
+- ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0);
++ ASSERT((mask & (ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET|
++ ATTR_MTIME_SET|ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0);
+
+ lock_flags = XFS_ILOCK_EXCL;
+ if (!(flags & XFS_ATTR_NOLOCK))
+@@ -902,6 +913,12 @@ xfs_setattr_size(
+ xfs_iflags_set(ip, XFS_ITRUNCATED);
+ }
+
++ /*
++ * Change file access modes.
++ */
++ if (mask & ATTR_MODE)
++ xfs_setattr_mode(tp, ip, iattr);
++
+ if (mask & ATTR_CTIME) {
+ inode->i_ctime = iattr->ia_ctime;
+ ip->i_d.di_ctime.t_sec = iattr->ia_ctime.tv_sec;
+diff --git a/include/linux/cpu.h b/include/linux/cpu.h
+index c692acc..9c3e071 100644
+--- a/include/linux/cpu.h
++++ b/include/linux/cpu.h
+@@ -168,6 +168,8 @@ extern struct sysdev_class cpu_sysdev_class;
+
+ extern void get_online_cpus(void);
+ extern void put_online_cpus(void);
++extern void cpu_hotplug_disable(void);
++extern void cpu_hotplug_enable(void);
+ #define hotcpu_notifier(fn, pri) cpu_notifier(fn, pri)
+ #define register_hotcpu_notifier(nb) register_cpu_notifier(nb)
+ #define unregister_hotcpu_notifier(nb) unregister_cpu_notifier(nb)
+@@ -190,6 +192,8 @@ static inline void cpu_hotplug_driver_unlock(void)
+
+ #define get_online_cpus() do { } while (0)
+ #define put_online_cpus() do { } while (0)
++#define cpu_hotplug_disable() do { } while (0)
++#define cpu_hotplug_enable() do { } while (0)
+ #define hotcpu_notifier(fn, pri) do { (void)(fn); } while (0)
+ /* These aren't inline functions due to a GCC bug. */
+ #define register_hotcpu_notifier(nb) ({ (void)(nb); 0; })
+diff --git a/include/linux/net.h b/include/linux/net.h
+index b299230..b7ca08e 100644
+--- a/include/linux/net.h
++++ b/include/linux/net.h
+@@ -249,6 +249,29 @@ extern struct socket *sockfd_lookup(int fd, int *err);
+ #define sockfd_put(sock) fput(sock->file)
+ extern int net_ratelimit(void);
+
++#define net_ratelimited_function(function, ...) \
++do { \
++ if (net_ratelimit()) \
++ function(__VA_ARGS__); \
++} while (0)
++
++#define net_emerg_ratelimited(fmt, ...) \
++ net_ratelimited_function(pr_emerg, fmt, ##__VA_ARGS__)
++#define net_alert_ratelimited(fmt, ...) \
++ net_ratelimited_function(pr_alert, fmt, ##__VA_ARGS__)
++#define net_crit_ratelimited(fmt, ...) \
++ net_ratelimited_function(pr_crit, fmt, ##__VA_ARGS__)
++#define net_err_ratelimited(fmt, ...) \
++ net_ratelimited_function(pr_err, fmt, ##__VA_ARGS__)
++#define net_notice_ratelimited(fmt, ...) \
++ net_ratelimited_function(pr_notice, fmt, ##__VA_ARGS__)
++#define net_warn_ratelimited(fmt, ...) \
++ net_ratelimited_function(pr_warn, fmt, ##__VA_ARGS__)
++#define net_info_ratelimited(fmt, ...) \
++ net_ratelimited_function(pr_info, fmt, ##__VA_ARGS__)
++#define net_dbg_ratelimited(fmt, ...) \
++ net_ratelimited_function(pr_debug, fmt, ##__VA_ARGS__)
++
+ #define net_random() random32()
+ #define net_srandom(seed) srandom32((__force u32)seed)
+
+diff --git a/include/linux/swapops.h b/include/linux/swapops.h
+index d6955607..7f62faf 100644
+--- a/include/linux/swapops.h
++++ b/include/linux/swapops.h
+@@ -136,6 +136,7 @@ static inline void make_migration_entry_read(swp_entry_t *entry)
+
+ extern void migration_entry_wait(struct mm_struct *mm, pmd_t *pmd,
+ unsigned long address);
++extern void migration_entry_wait_huge(struct mm_struct *mm, pte_t *pte);
+ #else
+
+ #define make_migration_entry(page, write) swp_entry(0, 0)
+@@ -147,6 +148,8 @@ static inline int is_migration_entry(swp_entry_t swp)
+ static inline void make_migration_entry_read(swp_entry_t *entryp) { }
+ static inline void migration_entry_wait(struct mm_struct *mm, pmd_t *pmd,
+ unsigned long address) { }
++static inline void migration_entry_wait_huge(struct mm_struct *mm,
++ pte_t *pte) { }
+ static inline int is_write_migration_entry(swp_entry_t entry)
+ {
+ return 0;
+diff --git a/include/xen/interface/io/netif.h b/include/xen/interface/io/netif.h
+index cb94668..d4635cd 100644
+--- a/include/xen/interface/io/netif.h
++++ b/include/xen/interface/io/netif.h
+@@ -13,6 +13,24 @@
+ #include "../grant_table.h"
+
+ /*
++ * Older implementation of Xen network frontend / backend has an
++ * implicit dependency on the MAX_SKB_FRAGS as the maximum number of
++ * ring slots a skb can use. Netfront / netback may not work as
++ * expected when frontend and backend have different MAX_SKB_FRAGS.
++ *
++ * A better approach is to add mechanism for netfront / netback to
++ * negotiate this value. However we cannot fix all possible
++ * frontends, so we need to define a value which states the minimum
++ * slots backend must support.
++ *
++ * The minimum value derives from older Linux kernel's MAX_SKB_FRAGS
++ * (18), which is proved to work with most frontends. Any new backend
++ * which doesn't negotiate with frontend should expect frontend to
++ * send a valid packet using slots up to this value.
++ */
++#define XEN_NETIF_NR_SLOTS_MIN 18
++
++/*
+ * Notifications after enqueuing any type of message should be conditional on
+ * the appropriate req_event or rsp_event field in the shared ring.
+ * If the client sends notification for rx requests then it should specify
+@@ -47,6 +65,7 @@
+ #define _XEN_NETTXF_extra_info (3)
+ #define XEN_NETTXF_extra_info (1U<<_XEN_NETTXF_extra_info)
+
++#define XEN_NETIF_MAX_TX_SIZE 0xFFFF
+ struct xen_netif_tx_request {
+ grant_ref_t gref; /* Reference to buffer page */
+ uint16_t offset; /* Offset within buffer page */
+diff --git a/kernel/audit.c b/kernel/audit.c
+index 09fae26..d4bc594 100644
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1167,7 +1167,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
+
+ /* Wait for auditd to drain the queue a little */
+ DECLARE_WAITQUEUE(wait, current);
+- set_current_state(TASK_INTERRUPTIBLE);
++ set_current_state(TASK_UNINTERRUPTIBLE);
+ add_wait_queue(&audit_backlog_wait, &wait);
+
+ if (audit_backlog_limit &&
+diff --git a/kernel/cpu.c b/kernel/cpu.c
+index 563f136..82c91f1 100644
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -124,6 +124,27 @@ static void cpu_hotplug_done(void)
+ mutex_unlock(&cpu_hotplug.lock);
+ }
+
++/*
++ * Wait for currently running CPU hotplug operations to complete (if any) and
++ * disable future CPU hotplug (from sysfs). The 'cpu_add_remove_lock' protects
++ * the 'cpu_hotplug_disabled' flag. The same lock is also acquired by the
++ * hotplug path before performing hotplug operations. So acquiring that lock
++ * guarantees mutual exclusion from any currently running hotplug operations.
++ */
++void cpu_hotplug_disable(void)
++{
++ cpu_maps_update_begin();
++ cpu_hotplug_disabled = 1;
++ cpu_maps_update_done();
++}
++
++void cpu_hotplug_enable(void)
++{
++ cpu_maps_update_begin();
++ cpu_hotplug_disabled = 0;
++ cpu_maps_update_done();
++}
++
+ #else /* #if CONFIG_HOTPLUG_CPU */
+ static void cpu_hotplug_begin(void) {}
+ static void cpu_hotplug_done(void) {}
+@@ -479,36 +500,6 @@ static int alloc_frozen_cpus(void)
+ core_initcall(alloc_frozen_cpus);
+
+ /*
+- * Prevent regular CPU hotplug from racing with the freezer, by disabling CPU
+- * hotplug when tasks are about to be frozen. Also, don't allow the freezer
+- * to continue until any currently running CPU hotplug operation gets
+- * completed.
+- * To modify the 'cpu_hotplug_disabled' flag, we need to acquire the
+- * 'cpu_add_remove_lock'. And this same lock is also taken by the regular
+- * CPU hotplug path and released only after it is complete. Thus, we
+- * (and hence the freezer) will block here until any currently running CPU
+- * hotplug operation gets completed.
+- */
+-void cpu_hotplug_disable_before_freeze(void)
+-{
+- cpu_maps_update_begin();
+- cpu_hotplug_disabled = 1;
+- cpu_maps_update_done();
+-}
+-
+-
+-/*
+- * When tasks have been thawed, re-enable regular CPU hotplug (which had been
+- * disabled while beginning to freeze tasks).
+- */
+-void cpu_hotplug_enable_after_thaw(void)
+-{
+- cpu_maps_update_begin();
+- cpu_hotplug_disabled = 0;
+- cpu_maps_update_done();
+-}
+-
+-/*
+ * When callbacks for CPU hotplug notifications are being executed, we must
+ * ensure that the state of the system with respect to the tasks being frozen
+ * or not, as reported by the notification, remains unchanged *throughout the
+@@ -527,12 +518,12 @@ cpu_hotplug_pm_callback(struct notifier_block *nb,
+
+ case PM_SUSPEND_PREPARE:
+ case PM_HIBERNATION_PREPARE:
+- cpu_hotplug_disable_before_freeze();
++ cpu_hotplug_disable();
+ break;
+
+ case PM_POST_SUSPEND:
+ case PM_POST_HIBERNATION:
+- cpu_hotplug_enable_after_thaw();
++ cpu_hotplug_enable();
+ break;
+
+ default:
+diff --git a/kernel/sys.c b/kernel/sys.c
+index be5fa8b..9d557df 100644
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -353,6 +353,29 @@ int unregister_reboot_notifier(struct notifier_block *nb)
+ }
+ EXPORT_SYMBOL(unregister_reboot_notifier);
+
++/* Add backwards compatibility for stable trees. */
++#ifndef PF_NO_SETAFFINITY
++#define PF_NO_SETAFFINITY PF_THREAD_BOUND
++#endif
++
++static void migrate_to_reboot_cpu(void)
++{
++ /* The boot cpu is always logical cpu 0 */
++ int cpu = 0;
++
++ cpu_hotplug_disable();
++
++ /* Make certain the cpu I'm about to reboot on is online */
++ if (!cpu_online(cpu))
++ cpu = cpumask_first(cpu_online_mask);
++
++ /* Prevent races with other tasks migrating this task */
++ current->flags |= PF_NO_SETAFFINITY;
++
++ /* Make certain I only run on the appropriate processor */
++ set_cpus_allowed_ptr(current, cpumask_of(cpu));
++}
++
+ /**
+ * kernel_restart - reboot the system
+ * @cmd: pointer to buffer containing command to execute for restart
+@@ -364,7 +387,7 @@ EXPORT_SYMBOL(unregister_reboot_notifier);
+ void kernel_restart(char *cmd)
+ {
+ kernel_restart_prepare(cmd);
+- disable_nonboot_cpus();
++ migrate_to_reboot_cpu();
+ syscore_shutdown();
+ if (!cmd)
+ printk(KERN_EMERG "Restarting system.\n");
+@@ -391,7 +414,7 @@ static void kernel_shutdown_prepare(enum system_states state)
+ void kernel_halt(void)
+ {
+ kernel_shutdown_prepare(SYSTEM_HALT);
+- disable_nonboot_cpus();
++ migrate_to_reboot_cpu();
+ syscore_shutdown();
+ printk(KERN_EMERG "System halted.\n");
+ kmsg_dump(KMSG_DUMP_HALT);
+@@ -410,7 +433,7 @@ void kernel_power_off(void)
+ kernel_shutdown_prepare(SYSTEM_POWER_OFF);
+ if (pm_power_off_prepare)
+ pm_power_off_prepare();
+- disable_nonboot_cpus();
++ migrate_to_reboot_cpu();
+ syscore_shutdown();
+ printk(KERN_EMERG "Power down.\n");
+ kmsg_dump(KMSG_DUMP_POWEROFF);
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index 24b3759..226776b 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -929,6 +929,19 @@ static __init void ftrace_profile_debugfs(struct dentry *d_tracer)
+
+ static struct pid * const ftrace_swapper_pid = &init_struct_pid;
+
++static loff_t
++ftrace_filter_lseek(struct file *file, loff_t offset, int whence)
++{
++ loff_t ret;
++
++ if (file->f_mode & FMODE_READ)
++ ret = seq_lseek(file, offset, whence);
++ else
++ file->f_pos = ret = 1;
++
++ return ret;
++}
++
+ #ifdef CONFIG_DYNAMIC_FTRACE
+
+ #ifndef CONFIG_FTRACE_MCOUNT_RECORD
+@@ -2315,19 +2328,6 @@ ftrace_notrace_open(struct inode *inode, struct file *file)
+ inode, file);
+ }
+
+-static loff_t
+-ftrace_filter_lseek(struct file *file, loff_t offset, int origin)
+-{
+- loff_t ret;
+-
+- if (file->f_mode & FMODE_READ)
+- ret = seq_lseek(file, offset, origin);
+- else
+- file->f_pos = ret = 1;
+-
+- return ret;
+-}
+-
+ static int ftrace_match(char *str, char *regex, int len, int type)
+ {
+ int matched = 0;
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index 70b4733..2dcd716 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -2751,7 +2751,7 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+ if (ptep) {
+ entry = huge_ptep_get(ptep);
+ if (unlikely(is_hugetlb_entry_migration(entry))) {
+- migration_entry_wait(mm, (pmd_t *)ptep, address);
++ migration_entry_wait_huge(mm, ptep);
+ return 0;
+ } else if (unlikely(is_hugetlb_entry_hwpoisoned(entry)))
+ return VM_FAULT_HWPOISON_LARGE |
+diff --git a/mm/migrate.c b/mm/migrate.c
+index e1052d1..09d6a9d 100644
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -184,15 +184,14 @@ static void remove_migration_ptes(struct page *old, struct page *new)
+ *
+ * This function is called from do_swap_page().
+ */
+-void migration_entry_wait(struct mm_struct *mm, pmd_t *pmd,
+- unsigned long address)
++static void __migration_entry_wait(struct mm_struct *mm, pte_t *ptep,
++ spinlock_t *ptl)
+ {
+- pte_t *ptep, pte;
+- spinlock_t *ptl;
++ pte_t pte;
+ swp_entry_t entry;
+ struct page *page;
+
+- ptep = pte_offset_map_lock(mm, pmd, address, &ptl);
++ spin_lock(ptl);
+ pte = *ptep;
+ if (!is_swap_pte(pte))
+ goto out;
+@@ -220,6 +219,20 @@ out:
+ pte_unmap_unlock(ptep, ptl);
+ }
+
++void migration_entry_wait(struct mm_struct *mm, pmd_t *pmd,
++ unsigned long address)
++{
++ spinlock_t *ptl = pte_lockptr(mm, pmd);
++ pte_t *ptep = pte_offset_map(pmd, address);
++ __migration_entry_wait(mm, ptep, ptl);
++}
++
++void migration_entry_wait_huge(struct mm_struct *mm, pte_t *pte)
++{
++ spinlock_t *ptl = &(mm)->page_table_lock;
++ __migration_entry_wait(mm, pte, ptl);
++}
++
+ #ifdef CONFIG_BLOCK
+ /* Returns true if all buffers are successfully locked */
+ static bool buffer_migrate_lock_buffers(struct buffer_head *head,
+diff --git a/mm/swap_state.c b/mm/swap_state.c
+index 7704d9c..7b3dadd 100644
+--- a/mm/swap_state.c
++++ b/mm/swap_state.c
+@@ -314,8 +314,24 @@ struct page *read_swap_cache_async(swp_entry_t entry, gfp_t gfp_mask,
+ * Swap entry may have been freed since our caller observed it.
+ */
+ err = swapcache_prepare(entry);
+- if (err == -EEXIST) { /* seems racy */
++ if (err == -EEXIST) {
+ radix_tree_preload_end();
++ /*
++ * We might race against get_swap_page() and stumble
++ * across a SWAP_HAS_CACHE swap_map entry whose page
++ * has not been brought into the swapcache yet, while
++ * the other end is scheduled away waiting on discard
++ * I/O completion at scan_swap_map().
++ *
++ * In order to avoid turning this transitory state
++ * into a permanent loop around this -EEXIST case
++ * if !CONFIG_PREEMPT and the I/O completion happens
++ * to be waiting on the CPU waitqueue where we are now
++ * busy looping, we just conditionally invoke the
++ * scheduler here, if there are some more important
++ * tasks to run.
++ */
++ cond_resched();
+ continue;
+ }
+ if (err) { /* swp entry is obsolete ? */
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 04175d9..a0b6c50 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -2297,10 +2297,15 @@ done:
+ }
+ }
+
+-static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
++static inline int l2cap_command_rej(struct l2cap_conn *conn,
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
+
++ if (cmd_len < sizeof(*rej))
++ return -EPROTO;
++
+ if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
+ return 0;
+
+@@ -2317,7 +2322,8 @@ static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hd
+ return 0;
+ }
+
+-static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
++static int l2cap_connect_req(struct l2cap_conn *conn,
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
+ {
+ struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
+ struct l2cap_conn_rsp rsp;
+@@ -2325,8 +2331,14 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
+ struct sock *parent, *sk = NULL;
+ int result, status = L2CAP_CS_NO_INFO;
+
+- u16 dcid = 0, scid = __le16_to_cpu(req->scid);
+- __le16 psm = req->psm;
++ u16 dcid = 0, scid;
++ __le16 psm;
++
++ if (cmd_len < sizeof(struct l2cap_conn_req))
++ return -EPROTO;
++
++ scid = __le16_to_cpu(req->scid);
++ psm = req->psm;
+
+ BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
+
+@@ -2451,7 +2463,9 @@ sendresp:
+ return 0;
+ }
+
+-static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
++static int l2cap_connect_rsp(struct l2cap_conn *conn,
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
+ u16 scid, dcid, result, status;
+@@ -2459,6 +2473,9 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
+ struct sock *sk;
+ u8 req[128];
+
++ if (cmd_len < sizeof(*rsp))
++ return -EPROTO;
++
+ scid = __le16_to_cpu(rsp->scid);
+ dcid = __le16_to_cpu(rsp->dcid);
+ result = __le16_to_cpu(rsp->result);
+@@ -2534,6 +2551,9 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
+ struct sock *sk;
+ int len;
+
++ if (cmd_len < sizeof(*req))
++ return -EPROTO;
++
+ dcid = __le16_to_cpu(req->dcid);
+ flags = __le16_to_cpu(req->flags);
+
+@@ -2559,7 +2579,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
+
+ /* Reject if config buffer is too small. */
+ len = cmd_len - sizeof(*req);
+- if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
++ if (chan->conf_len + len > sizeof(chan->conf_req)) {
+ l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+ l2cap_build_conf_rsp(chan, rsp,
+ L2CAP_CONF_REJECT, flags), rsp);
+@@ -2621,13 +2641,18 @@ unlock:
+ return 0;
+ }
+
+-static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
++static inline int l2cap_config_rsp(struct l2cap_conn *conn,
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
+ u16 scid, flags, result;
+ struct l2cap_chan *chan;
+ struct sock *sk;
+- int len = cmd->len - sizeof(*rsp);
++ int len = cmd_len - sizeof(*rsp);
++
++ if (cmd_len < sizeof(*rsp))
++ return -EPROTO;
+
+ scid = __le16_to_cpu(rsp->scid);
+ flags = __le16_to_cpu(rsp->flags);
+@@ -2703,7 +2728,9 @@ done:
+ return 0;
+ }
+
+-static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
++static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
+ struct l2cap_disconn_rsp rsp;
+@@ -2711,6 +2738,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
+ struct l2cap_chan *chan;
+ struct sock *sk;
+
++ if (cmd_len != sizeof(*req))
++ return -EPROTO;
++
+ scid = __le16_to_cpu(req->scid);
+ dcid = __le16_to_cpu(req->dcid);
+
+@@ -2744,13 +2774,18 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
+ return 0;
+ }
+
+-static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
++static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
+ u16 dcid, scid;
+ struct l2cap_chan *chan;
+ struct sock *sk;
+
++ if (cmd_len != sizeof(*rsp))
++ return -EPROTO;
++
+ scid = __le16_to_cpu(rsp->scid);
+ dcid = __le16_to_cpu(rsp->dcid);
+
+@@ -2778,11 +2813,16 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
+ return 0;
+ }
+
+-static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
++static inline int l2cap_information_req(struct l2cap_conn *conn,
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_info_req *req = (struct l2cap_info_req *) data;
+ u16 type;
+
++ if (cmd_len != sizeof(*req))
++ return -EPROTO;
++
+ type = __le16_to_cpu(req->type);
+
+ BT_DBG("type 0x%4.4x", type);
+@@ -2818,11 +2858,16 @@ static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cm
+ return 0;
+ }
+
+-static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
++static inline int l2cap_information_rsp(struct l2cap_conn *conn,
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
+ u16 type, result;
+
++ if (cmd_len != sizeof(*rsp))
++ return -EPROTO;
++
+ type = __le16_to_cpu(rsp->type);
+ result = __le16_to_cpu(rsp->result);
+
+@@ -2941,15 +2986,15 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
+
+ switch (cmd->code) {
+ case L2CAP_COMMAND_REJ:
+- l2cap_command_rej(conn, cmd, data);
++ l2cap_command_rej(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_CONN_REQ:
+- err = l2cap_connect_req(conn, cmd, data);
++ err = l2cap_connect_req(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_CONN_RSP:
+- err = l2cap_connect_rsp(conn, cmd, data);
++ err = l2cap_connect_rsp(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_CONF_REQ:
+@@ -2957,15 +3002,15 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
+ break;
+
+ case L2CAP_CONF_RSP:
+- err = l2cap_config_rsp(conn, cmd, data);
++ err = l2cap_config_rsp(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_DISCONN_REQ:
+- err = l2cap_disconnect_req(conn, cmd, data);
++ err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_DISCONN_RSP:
+- err = l2cap_disconnect_rsp(conn, cmd, data);
++ err = l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_ECHO_REQ:
+@@ -2976,11 +3021,11 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
+ break;
+
+ case L2CAP_INFO_REQ:
+- err = l2cap_information_req(conn, cmd, data);
++ err = l2cap_information_req(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_INFO_RSP:
+- err = l2cap_information_rsp(conn, cmd, data);
++ err = l2cap_information_rsp(conn, cmd, cmd_len, data);
+ break;
+
+ default:
+diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
+index f4ddf34..8260cd5 100644
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -1242,6 +1242,15 @@ void ieee80211_remove_interfaces(struct ieee80211_local *local)
+
+ ASSERT_RTNL();
+
++ /*
++ * Close all AP_VLAN interfaces first, as otherwise they
++ * might be closed while the AP interface they belong to
++ * is closed, causing unregister_netdevice_many() to crash.
++ */
++ list_for_each_entry(sdata, &local->interfaces, list)
++ if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
++ dev_close(sdata->dev);
++
+ mutex_lock(&local->iflist_mtx);
+ list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
+ list_del(&sdata->list);
+diff --git a/net/wireless/sme.c b/net/wireless/sme.c
+index 0acfdc9..c1c6e6d 100644
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -220,6 +220,9 @@ void cfg80211_conn_work(struct work_struct *work)
+ mutex_lock(&rdev->devlist_mtx);
+
+ list_for_each_entry(wdev, &rdev->netdev_list, list) {
++ if (!wdev->netdev)
++ continue;
++
+ wdev_lock(wdev);
+ if (!netif_running(wdev->netdev)) {
+ wdev_unlock(wdev);
+diff --git a/sound/usb/card.h b/sound/usb/card.h
+index 2b7559c..0a7ca6c 100644
+--- a/sound/usb/card.h
++++ b/sound/usb/card.h
+@@ -1,6 +1,7 @@
+ #ifndef __USBAUDIO_CARD_H
+ #define __USBAUDIO_CARD_H
+
++#define MAX_NR_RATES 1024
+ #define MAX_PACKS 20
+ #define MAX_PACKS_HS (MAX_PACKS * 8) /* in high speed mode */
+ #define MAX_URBS 8
+diff --git a/sound/usb/format.c b/sound/usb/format.c
+index 89421d1..ddfef57 100644
+--- a/sound/usb/format.c
++++ b/sound/usb/format.c
+@@ -226,7 +226,7 @@ static int parse_uac2_sample_rate_range(struct audioformat *fp, int nr_triplets,
+ int min = combine_quad(&data[2 + 12 * i]);
+ int max = combine_quad(&data[6 + 12 * i]);
+ int res = combine_quad(&data[10 + 12 * i]);
+- int rate;
++ unsigned int rate;
+
+ if ((max < 0) || (min < 0) || (res < 0) || (max < min))
+ continue;
+@@ -253,6 +253,10 @@ static int parse_uac2_sample_rate_range(struct audioformat *fp, int nr_triplets,
+ fp->rates |= snd_pcm_rate_to_rate_bit(rate);
+
+ nr_rates++;
++ if (nr_rates >= MAX_NR_RATES) {
++ snd_printk(KERN_ERR "invalid uac2 rates\n");
++ break;
++ }
+
+ /* avoid endless loop */
+ if (res == 0)
+diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
+index f4540bf..97ec155 100644
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -822,6 +822,7 @@ static void volume_control_quirks(struct usb_mixer_elem_info *cval,
+ case USB_ID(0x046d, 0x0808):
+ case USB_ID(0x046d, 0x0809):
+ case USB_ID(0x046d, 0x081d): /* HD Webcam c510 */
++ case USB_ID(0x046d, 0x0825): /* HD Webcam c270 */
+ case USB_ID(0x046d, 0x0991):
+ /* Most audio usb devices lie about volume resolution.
+ * Most Logitech webcams have res = 384.
+diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
+index 4e25148..e467a58 100644
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -157,7 +157,13 @@
+ .bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL
+ },
+ {
+- USB_DEVICE(0x046d, 0x0990),
++ .match_flags = USB_DEVICE_ID_MATCH_DEVICE |
++ USB_DEVICE_ID_MATCH_INT_CLASS |
++ USB_DEVICE_ID_MATCH_INT_SUBCLASS,
++ .idVendor = 0x046d,
++ .idProduct = 0x0990,
++ .bInterfaceClass = USB_CLASS_AUDIO,
++ .bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL,
+ .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ .vendor_name = "Logitech, Inc.",
+ .product_name = "QuickCam Pro 9000",
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index 42eeee8..9c82f8b 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -132,10 +132,14 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
+ unsigned *rate_table = NULL;
+
+ fp = kmemdup(quirk->data, sizeof(*fp), GFP_KERNEL);
+- if (! fp) {
++ if (!fp) {
+ snd_printk(KERN_ERR "cannot memdup\n");
+ return -ENOMEM;
+ }
++ if (fp->nr_rates > MAX_NR_RATES) {
++ kfree(fp);
++ return -EINVAL;
++ }
+ if (fp->nr_rates > 0) {
+ rate_table = kmemdup(fp->rate_table,
+ sizeof(int) * fp->nr_rates, GFP_KERNEL);
diff --git a/3.2.46/4420_grsecurity-2.9.1-3.2.46-201306102217.patch b/3.2.47/4420_grsecurity-2.9.1-3.2.47-201306191807.patch
similarity index 99%
rename from 3.2.46/4420_grsecurity-2.9.1-3.2.46-201306102217.patch
rename to 3.2.47/4420_grsecurity-2.9.1-3.2.47-201306191807.patch
index b788f3b..579f1c1 100644
--- a/3.2.46/4420_grsecurity-2.9.1-3.2.46-201306102217.patch
+++ b/3.2.47/4420_grsecurity-2.9.1-3.2.47-201306191807.patch
@@ -262,7 +262,7 @@ index 88fd7f5..b318a78 100644
==============================================================
diff --git a/Makefile b/Makefile
-index f600582..30efca3 100644
+index 40e2a11..8c31286 100644
--- a/Makefile
+++ b/Makefile
@@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -4725,7 +4725,7 @@ index 429983c..7af363b 100644
ld r4,_DAR(r1)
bl .bad_page_fault
diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
-index cf9c69b..ebc9640 100644
+index 8c3baa0..4d8c6f1 100644
--- a/arch/powerpc/kernel/exceptions-64s.S
+++ b/arch/powerpc/kernel/exceptions-64s.S
@@ -1004,10 +1004,10 @@ handle_page_fault:
@@ -4996,7 +4996,7 @@ index 55be64d..94d8783 100644
};
diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
-index 82dcd4d..a80088a 100644
+index 9844662..04a2a1e 100644
--- a/arch/powerpc/kernel/traps.c
+++ b/arch/powerpc/kernel/traps.c
@@ -98,6 +98,8 @@ static void pmac_backlight_unblank(void)
@@ -20735,7 +20735,7 @@ index 47f4e5f..849a8a6 100644
.shutdown = native_machine_shutdown,
.emergency_restart = native_machine_emergency_restart,
diff --git a/arch/x86/kernel/relocate_kernel_64.S b/arch/x86/kernel/relocate_kernel_64.S
-index 7a6f3b3..bed145d7 100644
+index f2bb9c9..bed145d7 100644
--- a/arch/x86/kernel/relocate_kernel_64.S
+++ b/arch/x86/kernel/relocate_kernel_64.S
@@ -11,6 +11,7 @@
@@ -20746,15 +20746,7 @@ index 7a6f3b3..bed145d7 100644
/*
* Must be relocatable PIC code callable as a C function
-@@ -160,13 +161,14 @@ identity_mapped:
- xorq %rbp, %rbp
- xorq %r8, %r8
- xorq %r9, %r9
-- xorq %r10, %r9
-+ xorq %r10, %r10
- xorq %r11, %r11
- xorq %r12, %r12
- xorq %r13, %r13
+@@ -167,6 +168,7 @@ identity_mapped:
xorq %r14, %r14
xorq %r15, %r15
@@ -30317,10 +30309,10 @@ index 3c92dbd..008b08b 100644
unsigned long timeout_msec)
{
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
-index 288b635..455273d 100644
+index d54b7d6..33e80e0 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
-@@ -4739,7 +4739,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
+@@ -4745,7 +4745,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
struct ata_port *ap;
unsigned int tag;
@@ -30329,7 +30321,7 @@ index 288b635..455273d 100644
ap = qc->ap;
qc->flags = 0;
-@@ -4755,7 +4755,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
+@@ -4761,7 +4761,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
struct ata_port *ap;
struct ata_link *link;
@@ -30338,7 +30330,7 @@ index 288b635..455273d 100644
WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
ap = qc->ap;
link = qc->dev->link;
-@@ -5760,6 +5760,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
+@@ -5766,6 +5766,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
return;
spin_lock(&lock);
@@ -30346,7 +30338,7 @@ index 288b635..455273d 100644
for (cur = ops->inherits; cur; cur = cur->inherits) {
void **inherit = (void **)cur;
-@@ -5773,8 +5774,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
+@@ -5779,8 +5780,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
if (IS_ERR(*pp))
*pp = NULL;
@@ -31479,10 +31471,10 @@ index e8d11b6..7b1b36f 100644
}
EXPORT_SYMBOL_GPL(unregister_syscore_ops);
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
-index b0f553b..77b928b 100644
+index d3446f6..12de1df 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
-@@ -1198,6 +1198,8 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
+@@ -1186,6 +1186,8 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
int err;
u32 cp;
@@ -32444,7 +32436,7 @@ index 1451790..d42d89d 100644
static int memory_open(struct inode *inode, struct file *filp)
diff --git a/drivers/char/mwave/tp3780i.c b/drivers/char/mwave/tp3780i.c
-index c689697..04e6d6a 100644
+index c689697..04e6d6a2 100644
--- a/drivers/char/mwave/tp3780i.c
+++ b/drivers/char/mwave/tp3780i.c
@@ -479,6 +479,7 @@ int tp3780I_QueryAbilities(THINKPAD_BD_DATA * pBDData, MW_ABILITIES * pAbilities
@@ -34508,7 +34500,7 @@ index a9e33ce..09edd4b 100644
#endif
diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
-index 0495a50..6d67dd7 100644
+index 9bea4a6..31ee257 100644
--- a/drivers/gpu/drm/radeon/evergreen.c
+++ b/drivers/gpu/drm/radeon/evergreen.c
@@ -3076,7 +3076,9 @@ static int evergreen_startup(struct radeon_device *rdev)
@@ -34544,7 +34536,7 @@ index 5a82b6b..9e69c73 100644
if (regcomp
(&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
diff --git a/drivers/gpu/drm/radeon/ni.c b/drivers/gpu/drm/radeon/ni.c
-index 636255b..4b2411d 100644
+index 3f9705b..5d4f642 100644
--- a/drivers/gpu/drm/radeon/ni.c
+++ b/drivers/gpu/drm/radeon/ni.c
@@ -1379,7 +1379,9 @@ static int cayman_startup(struct radeon_device *rdev)
@@ -34559,7 +34551,7 @@ index 636255b..4b2411d 100644
}
diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c
-index fad7cd1..56ef262 100644
+index 76c1290..865d31e 100644
--- a/drivers/gpu/drm/radeon/r100.c
+++ b/drivers/gpu/drm/radeon/r100.c
@@ -592,8 +592,10 @@ int r100_pci_gart_init(struct radeon_device *rdev)
@@ -34576,7 +34568,7 @@ index fad7cd1..56ef262 100644
}
diff --git a/drivers/gpu/drm/radeon/r300.c b/drivers/gpu/drm/radeon/r300.c
-index c93bc64..5a58f5b 100644
+index 441570b..8896094 100644
--- a/drivers/gpu/drm/radeon/r300.c
+++ b/drivers/gpu/drm/radeon/r300.c
@@ -105,8 +105,10 @@ int rv370_pcie_gart_init(struct radeon_device *rdev)
@@ -34593,7 +34585,7 @@ index c93bc64..5a58f5b 100644
}
diff --git a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c
-index bdfa82a..96e91ee 100644
+index 3d46d7d4..82a26ab 100644
--- a/drivers/gpu/drm/radeon/r600.c
+++ b/drivers/gpu/drm/radeon/r600.c
@@ -2439,7 +2439,9 @@ int r600_startup(struct radeon_device *rdev)
@@ -34689,10 +34681,10 @@ index a2e1eae..8e4a0ec 100644
return 0;
diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
-index bd959c1..46dba3b 100644
+index cd94abb..5a6052d 100644
--- a/drivers/gpu/drm/radeon/radeon_device.c
+++ b/drivers/gpu/drm/radeon/radeon_device.c
-@@ -688,7 +688,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev)
+@@ -687,7 +687,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev)
bool can_switch;
spin_lock(&dev->count_lock);
@@ -34916,7 +34908,7 @@ index 0b5468b..7ecf242 100644
#endif
diff --git a/drivers/gpu/drm/radeon/rs690.c b/drivers/gpu/drm/radeon/rs690.c
-index a9049ed..501f284 100644
+index 93bce72..00332c1 100644
--- a/drivers/gpu/drm/radeon/rs690.c
+++ b/drivers/gpu/drm/radeon/rs690.c
@@ -304,9 +304,11 @@ void rs690_crtc_bandwidth_compute(struct radeon_device *rdev,
@@ -34933,7 +34925,7 @@ index a9049ed..501f284 100644
if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
rdev->pm.k8_bandwidth.full)
diff --git a/drivers/gpu/drm/radeon/rv770.c b/drivers/gpu/drm/radeon/rv770.c
-index cc79449..611b32a 100644
+index 63db75d..999004d 100644
--- a/drivers/gpu/drm/radeon/rv770.c
+++ b/drivers/gpu/drm/radeon/rv770.c
@@ -1082,7 +1082,9 @@ static int rv770_startup(struct radeon_device *rdev)
@@ -35915,7 +35907,7 @@ index f21dc2a..d051cd2 100644
.init_chipset = init_chipset_sl82c105,
.enablebits = {{0x40,0x01,0x01}, {0x40,0x10,0x10}},
diff --git a/drivers/ide/slc90e66.c b/drivers/ide/slc90e66.c
-index 864ffe0..863a5e9 100644
+index 864ffe0..863a5e92 100644
--- a/drivers/ide/slc90e66.c
+++ b/drivers/ide/slc90e66.c
@@ -132,7 +132,7 @@ static const struct ide_port_ops slc90e66_port_ops = {
@@ -37753,10 +37745,10 @@ index 1cbfc6b..56e1dbb 100644
/*----------------------------------------------------------------*/
diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
-index 62306e5..c32000a 100644
+index 298e02a..b7f2f93 100644
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
-@@ -1581,7 +1581,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
+@@ -1591,7 +1591,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
if (r1_sync_page_io(rdev, sect, s,
bio->bi_io_vec[idx].bv_page,
READ) != 0)
@@ -37765,7 +37757,7 @@ index 62306e5..c32000a 100644
}
sectors -= s;
sect += s;
-@@ -1800,7 +1800,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
+@@ -1810,7 +1810,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
test_bit(In_sync, &rdev->flags)) {
if (r1_sync_page_io(rdev, sect, s,
conf->tmppage, READ)) {
@@ -37775,10 +37767,10 @@ index 62306e5..c32000a 100644
"md/raid1:%s: read error corrected "
"(%d sectors at %llu on %s)\n",
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
-index 8f67c4d..cea5925 100644
+index 8bba438..f065cc3 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
-@@ -1455,7 +1455,7 @@ static void end_sync_read(struct bio *bio, int error)
+@@ -1465,7 +1465,7 @@ static void end_sync_read(struct bio *bio, int error)
/* The write handler will notice the lack of
* R10BIO_Uptodate and record any errors etc
*/
@@ -37787,7 +37779,7 @@ index 8f67c4d..cea5925 100644
&conf->mirrors[d].rdev->corrected_errors);
/* for reconstruct, we always reschedule after a read.
-@@ -1755,7 +1755,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
+@@ -1765,7 +1765,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
{
struct timespec cur_time_mon;
unsigned long hours_since_last;
@@ -37796,7 +37788,7 @@ index 8f67c4d..cea5925 100644
ktime_get_ts(&cur_time_mon);
-@@ -1777,9 +1777,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
+@@ -1787,9 +1787,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
* overflowing the shift of read_errors by hours_since_last.
*/
if (hours_since_last >= 8 * sizeof(read_errors))
@@ -37808,7 +37800,7 @@ index 8f67c4d..cea5925 100644
}
static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector,
-@@ -1829,8 +1829,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
+@@ -1839,8 +1839,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
return;
check_decay_read_errors(mddev, rdev);
@@ -37819,7 +37811,7 @@ index 8f67c4d..cea5925 100644
char b[BDEVNAME_SIZE];
bdevname(rdev->bdev, b);
-@@ -1838,7 +1838,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
+@@ -1848,7 +1848,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
"md/raid10:%s: %s: Raid device exceeded "
"read_error threshold [cur %d:max %d]\n",
mdname(mddev), b,
@@ -37828,7 +37820,7 @@ index 8f67c4d..cea5925 100644
printk(KERN_NOTICE
"md/raid10:%s: %s: Failing raid device\n",
mdname(mddev), b);
-@@ -1983,7 +1983,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
+@@ -1993,7 +1993,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
(unsigned long long)(
sect + rdev->data_offset),
bdevname(rdev->bdev, b));
@@ -39063,7 +39055,7 @@ index 9a517c2..6d245e1 100644
/**
* Send and RX_MODE ramrod according to the provided parameters.
diff --git a/drivers/net/ethernet/broadcom/tg3.h b/drivers/net/ethernet/broadcom/tg3.h
-index 94b4bd0..73c02de 100644
+index da90ba5..dcba1fd 100644
--- a/drivers/net/ethernet/broadcom/tg3.h
+++ b/drivers/net/ethernet/broadcom/tg3.h
@@ -134,6 +134,7 @@
@@ -40465,6 +40457,46 @@ index 523ad55..f8c5dc5 100644
}
spin_lock_init(&hwsim_radio_lock);
+diff --git a/drivers/net/wireless/mwifiex/debugfs.c b/drivers/net/wireless/mwifiex/debugfs.c
+index d26a78b..156ad04 100644
+--- a/drivers/net/wireless/mwifiex/debugfs.c
++++ b/drivers/net/wireless/mwifiex/debugfs.c
+@@ -26,10 +26,17 @@
+ static struct dentry *mwifiex_dfs_dir;
+
+ static char *bss_modes[] = {
+- "Unknown",
+- "Ad-hoc",
+- "Managed",
+- "Auto"
++ "UNSPECIFIED",
++ "ADHOC",
++ "STATION",
++ "AP",
++ "AP_VLAN",
++ "WDS",
++ "MONITOR",
++ "MESH_POINT",
++ "P2P_CLIENT",
++ "P2P_GO",
++ "P2P_DEVICE",
+ };
+
+ /* size/addr for mwifiex_debug_info */
+@@ -213,7 +220,12 @@ mwifiex_info_read(struct file *file, char __user *ubuf,
+ p += sprintf(p, "driver_version = %s", fmt);
+ p += sprintf(p, "\nverext = %s", priv->version_str);
+ p += sprintf(p, "\ninterface_name=\"%s\"\n", netdev->name);
+- p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]);
++
++ if (info.bss_mode >= ARRAY_SIZE(bss_modes))
++ p += sprintf(p, "bss_mode=\"%d\"\n", info.bss_mode);
++ else
++ p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]);
++
+ p += sprintf(p, "media_state=\"%s\"\n",
+ (!priv->media_connected ? "Disconnected" : "Connected"));
+ p += sprintf(p, "mac_address=\"%pM\"\n", netdev->dev_addr);
diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
index 0c13840..a5c3ed6 100644
--- a/drivers/net/wireless/rndis_wlan.c
@@ -40953,7 +40985,7 @@ index f204643..9ccea74 100644
/* disable hardware control by fn key */
result = ec_read(MSI_STANDARD_EC_SCM_LOAD_ADDRESS, &data);
diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
-index 7b82868..b9344c9 100644
+index 8e6c4fa..a7539b3 100644
--- a/drivers/platform/x86/thinkpad_acpi.c
+++ b/drivers/platform/x86/thinkpad_acpi.c
@@ -2094,7 +2094,7 @@ static int hotkey_mask_get(void)
@@ -41382,6 +41414,19 @@ index 546d46b..642fa5b 100644
/*
* Queue element to wait for room in request queue. FIFO order is
+diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugfs.c
+index dee1a09..24adab6 100644
+--- a/drivers/scsi/bfa/bfad_debugfs.c
++++ b/drivers/scsi/bfa/bfad_debugfs.c
+@@ -186,7 +186,7 @@ bfad_debugfs_lseek(struct file *file, loff_t offset, int orig)
+ file->f_pos += offset;
+ break;
+ case 2:
+- file->f_pos = debug->buffer_len - offset;
++ file->f_pos = debug->buffer_len + offset;
+ break;
+ default:
+ return -EINVAL;
diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
index ee77a58..af9d518 100644
--- a/drivers/scsi/hosts.c
@@ -41716,7 +41761,7 @@ index bb4c8e0..f33d849 100644
struct dentry *idiag_root;
struct dentry *idiag_pci_cfg;
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
-index 2838259..a07cfb5 100644
+index 2838259..35b747a 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -106,7 +106,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_trc,
@@ -41780,6 +41825,15 @@ index 2838259..a07cfb5 100644
dtp->jif = jiffies;
#endif
return;
+@@ -1151,7 +1151,7 @@ lpfc_debugfs_lseek(struct file *file, loff_t off, int whence)
+ pos = file->f_pos + off;
+ break;
+ case 2:
+- pos = debug->len - off;
++ pos = debug->len + off;
+ }
+ return (pos < 0 || pos > debug->len) ? -EINVAL : (file->f_pos = pos);
+ }
@@ -3986,7 +3986,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
"slow_ring buffer\n");
goto debug_failed;
@@ -42675,48 +42729,6 @@ index 3effde2..dda7d46 100644
if (hdr->flags & ISCSI_FLAG_CMD_FINAL)
if (--cmd->outstanding_r2ts < 1) {
iscsit_stop_dataout_timer(cmd);
-diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
-index 5b77316..db313ba 100644
---- a/drivers/target/iscsi/iscsi_target_parameters.c
-+++ b/drivers/target/iscsi/iscsi_target_parameters.c
-@@ -713,9 +713,9 @@ static int iscsi_add_notunderstood_response(
- }
- INIT_LIST_HEAD(&extra_response->er_list);
-
-- strncpy(extra_response->key, key, strlen(key) + 1);
-- strncpy(extra_response->value, NOTUNDERSTOOD,
-- strlen(NOTUNDERSTOOD) + 1);
-+ strlcpy(extra_response->key, key, sizeof(extra_response->key));
-+ strlcpy(extra_response->value, NOTUNDERSTOOD,
-+ sizeof(extra_response->value));
-
- list_add_tail(&extra_response->er_list,
- ¶m_list->extra_response_list);
-@@ -1572,8 +1572,6 @@ int iscsi_decode_text_input(
-
- if (phase & PHASE_SECURITY) {
- if (iscsi_check_for_auth_key(key) > 0) {
-- char *tmpptr = key + strlen(key);
-- *tmpptr = '=';
- kfree(tmpbuf);
- return 1;
- }
-diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
-index 6a37fd6..83eed65 100644
---- a/drivers/target/iscsi/iscsi_target_parameters.h
-+++ b/drivers/target/iscsi/iscsi_target_parameters.h
-@@ -1,8 +1,10 @@
- #ifndef ISCSI_PARAMETERS_H
- #define ISCSI_PARAMETERS_H
-
-+#include <scsi/iscsi_proto.h>
-+
- struct iscsi_extra_response {
-- char key[64];
-+ char key[KEY_MAXLEN];
- char value[32];
- struct list_head er_list;
- } ____cacheline_aligned;
diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c
index 6845228..df77141 100644
--- a/drivers/target/target_core_tmr.c
@@ -50886,7 +50898,7 @@ index 9243103..750691a 100644
return 0;
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
-index cc386b2..22725d2 100644
+index 259e950..ee9c9f3 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -92,6 +92,8 @@ static struct file_system_type ext2_fs_type = {
@@ -50907,7 +50919,7 @@ index cc386b2..22725d2 100644
#define IS_EXT3_SB(sb) ((sb)->s_bdev->bd_holder == &ext3_fs_type)
#else
#define IS_EXT3_SB(sb) (0)
-@@ -2467,7 +2471,7 @@ struct ext4_attr {
+@@ -2469,7 +2473,7 @@ struct ext4_attr {
ssize_t (*store)(struct ext4_attr *, struct ext4_sb_info *,
const char *, size_t);
int offset;
@@ -50916,7 +50928,7 @@ index cc386b2..22725d2 100644
static int parse_strtoul(const char *buf,
unsigned long max, unsigned long *value)
-@@ -3173,7 +3177,6 @@ int ext4_calculate_overhead(struct super_block *sb)
+@@ -3175,7 +3179,6 @@ int ext4_calculate_overhead(struct super_block *sb)
ext4_fsblk_t overhead = 0;
char *buf = (char *) get_zeroed_page(GFP_KERNEL);
@@ -50924,7 +50936,7 @@ index cc386b2..22725d2 100644
if (!buf)
return -ENOMEM;
-@@ -5035,7 +5038,6 @@ static inline int ext2_feature_set_ok(struct super_block *sb)
+@@ -5037,7 +5040,6 @@ static inline int ext2_feature_set_ok(struct super_block *sb)
return 0;
return 1;
}
@@ -50932,7 +50944,7 @@ index cc386b2..22725d2 100644
#else
static inline void register_as_ext2(void) { }
static inline void unregister_as_ext2(void) { }
-@@ -5068,7 +5070,6 @@ static inline int ext3_feature_set_ok(struct super_block *sb)
+@@ -5070,7 +5072,6 @@ static inline int ext3_feature_set_ok(struct super_block *sb)
return 0;
return 1;
}
@@ -50940,7 +50952,7 @@ index cc386b2..22725d2 100644
#else
static inline void register_as_ext3(void) { }
static inline void unregister_as_ext3(void) { }
-@@ -5082,6 +5083,7 @@ static struct file_system_type ext4_fs_type = {
+@@ -5084,6 +5085,7 @@ static struct file_system_type ext4_fs_type = {
.kill_sb = kill_block_super,
.fs_flags = FS_REQUIRES_DEV,
};
@@ -56907,7 +56919,7 @@ index d99a905..9f88202 100644
goto out_put;
diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
-index 23ce927..86fd3e8d 100644
+index bd2fb43..86fd3e8d 100644
--- a/fs/xfs/xfs_iops.c
+++ b/fs/xfs/xfs_iops.c
@@ -447,7 +447,7 @@ xfs_vn_put_link(
@@ -56919,81 +56931,6 @@ index 23ce927..86fd3e8d 100644
if (!IS_ERR(s))
kfree(s);
-@@ -507,6 +507,28 @@ xfs_vn_getattr(
- return 0;
- }
-
-+static void
-+xfs_setattr_mode(
-+ struct xfs_trans *tp,
-+ struct xfs_inode *ip,
-+ struct iattr *iattr)
-+{
-+ struct inode *inode = VFS_I(ip);
-+ umode_t mode = iattr->ia_mode;
-+
-+ ASSERT(tp);
-+ ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL));
-+
-+ if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
-+ mode &= ~S_ISGID;
-+
-+ ip->i_d.di_mode &= S_IFMT;
-+ ip->i_d.di_mode |= mode & ~S_IFMT;
-+
-+ inode->i_mode &= S_IFMT;
-+ inode->i_mode |= mode & ~S_IFMT;
-+}
-+
- int
- xfs_setattr_nonsize(
- struct xfs_inode *ip,
-@@ -658,18 +680,8 @@ xfs_setattr_nonsize(
- /*
- * Change file access modes.
- */
-- if (mask & ATTR_MODE) {
-- umode_t mode = iattr->ia_mode;
--
-- if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
-- mode &= ~S_ISGID;
--
-- ip->i_d.di_mode &= S_IFMT;
-- ip->i_d.di_mode |= mode & ~S_IFMT;
--
-- inode->i_mode &= S_IFMT;
-- inode->i_mode |= mode & ~S_IFMT;
-- }
-+ if (mask & ATTR_MODE)
-+ xfs_setattr_mode(tp, ip, iattr);
-
- /*
- * Change file access or modified times.
-@@ -768,9 +780,8 @@ xfs_setattr_size(
- return XFS_ERROR(error);
-
- ASSERT(S_ISREG(ip->i_d.di_mode));
-- ASSERT((mask & (ATTR_MODE|ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET|
-- ATTR_MTIME_SET|ATTR_KILL_SUID|ATTR_KILL_SGID|
-- ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0);
-+ ASSERT((mask & (ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET|
-+ ATTR_MTIME_SET|ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0);
-
- lock_flags = XFS_ILOCK_EXCL;
- if (!(flags & XFS_ATTR_NOLOCK))
-@@ -902,6 +913,12 @@ xfs_setattr_size(
- xfs_iflags_set(ip, XFS_ITRUNCATED);
- }
-
-+ /*
-+ * Change file access modes.
-+ */
-+ if (mask & ATTR_MODE)
-+ xfs_setattr_mode(tp, ip, iattr);
-+
- if (mask & ATTR_CTIME) {
- inode->i_ctime = iattr->ia_ctime;
- ip->i_d.di_ctime.t_sec = iattr->ia_ctime.tv_sec;
diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c
index 87323f1..dab9d00 100644
--- a/fs/xfs/xfs_rtalloc.c
@@ -68275,7 +68212,7 @@ index 3081c58..7714c00 100644
/*
* Users often need to create attribute structures for their configurable
diff --git a/include/linux/cpu.h b/include/linux/cpu.h
-index c692acc..95bcc75 100644
+index 9c3e071..8a8ebea 100644
--- a/include/linux/cpu.h
+++ b/include/linux/cpu.h
@@ -108,7 +108,7 @@ enum {
@@ -70400,6 +70337,21 @@ index cc6d2aa..c10ee83 100644
/**
* list_move - delete from one list and add as another's head
* @list: the entry to move
+diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
+index 88e78de..c63979a 100644
+--- a/include/linux/lsm_audit.h
++++ b/include/linux/lsm_audit.h
+@@ -124,6 +124,10 @@ struct common_audit_data {
+ u32 denied;
+ uid_t ouid;
+ } fs;
++ struct {
++ int type, protocol;
++ struct sock *sk;
++ } net;
+ };
+ } apparmor_audit_data;
+ #endif
diff --git a/include/linux/math64.h b/include/linux/math64.h
index b8ba855..0148090 100644
--- a/include/linux/math64.h
@@ -71011,7 +70963,7 @@ index ffc0213..2c1f2cb 100644
return nd->saved_names[nd->depth];
}
diff --git a/include/linux/net.h b/include/linux/net.h
-index b299230..4915063 100644
+index b7ca08e..c8350cb 100644
--- a/include/linux/net.h
+++ b/include/linux/net.h
@@ -216,7 +216,7 @@ struct net_proto_family {
@@ -74628,7 +74580,7 @@ index fa7eb3d..7faf116 100644
current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
set_fs(fs);
diff --git a/kernel/audit.c b/kernel/audit.c
-index 09fae26..ed71d5b 100644
+index d4bc594..cf6b5d7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -115,7 +115,7 @@ u32 audit_sig_sid = 0;
@@ -75202,7 +75154,7 @@ index 63786e7..0780cac 100644
#ifdef CONFIG_MODULE_UNLOAD
{
diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 9f21915..840113c 100644
+index 9f21915..73a9f27 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -145,8 +145,15 @@ static struct srcu_struct pmus_srcu;
@@ -75214,7 +75166,7 @@ index 9f21915..840113c 100644
-int sysctl_perf_event_paranoid __read_mostly = 1;
+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
+int sysctl_perf_event_legitimately_concerned __read_mostly = 3;
-+#elif CONFIG_GRKERNSEC_HIDESYM
++#elif defined(CONFIG_GRKERNSEC_HIDESYM)
+int sysctl_perf_event_legitimately_concerned __read_mostly = 2;
+#else
+int sysctl_perf_event_legitimately_concerned __read_mostly = 1;
@@ -78786,7 +78738,7 @@ index 2f194e9..2c05ea9 100644
.priority = 10,
};
diff --git a/kernel/sys.c b/kernel/sys.c
-index be5fa8b..a8c2090 100644
+index 9d557df..691558c 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -158,6 +158,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error)
@@ -78802,7 +78754,7 @@ index be5fa8b..a8c2090 100644
no_nice = security_task_setnice(p, niceval);
if (no_nice) {
error = no_nice;
-@@ -574,6 +580,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid)
+@@ -597,6 +603,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid)
goto error;
}
@@ -78812,7 +78764,7 @@ index be5fa8b..a8c2090 100644
if (rgid != (gid_t) -1 ||
(egid != (gid_t) -1 && egid != old->gid))
new->sgid = new->egid;
-@@ -603,6 +612,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
+@@ -626,6 +635,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
old = current_cred();
retval = -EPERM;
@@ -78823,7 +78775,7 @@ index be5fa8b..a8c2090 100644
if (nsown_capable(CAP_SETGID))
new->gid = new->egid = new->sgid = new->fsgid = gid;
else if (gid == old->gid || gid == old->sgid)
-@@ -620,7 +633,7 @@ error:
+@@ -643,7 +656,7 @@ error:
/*
* change the user struct in a credentials set to match the new UID
*/
@@ -78832,7 +78784,7 @@ index be5fa8b..a8c2090 100644
{
struct user_struct *new_user;
-@@ -690,6 +703,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid)
+@@ -713,6 +726,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid)
goto error;
}
@@ -78842,7 +78794,7 @@ index be5fa8b..a8c2090 100644
if (new->uid != old->uid) {
retval = set_user(new);
if (retval < 0)
-@@ -734,6 +750,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
+@@ -757,6 +773,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
old = current_cred();
retval = -EPERM;
@@ -78855,7 +78807,7 @@ index be5fa8b..a8c2090 100644
if (nsown_capable(CAP_SETUID)) {
new->suid = new->uid = uid;
if (uid != old->uid) {
-@@ -788,6 +810,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
+@@ -811,6 +833,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
goto error;
}
@@ -78865,7 +78817,7 @@ index be5fa8b..a8c2090 100644
if (ruid != (uid_t) -1) {
new->uid = ruid;
if (ruid != old->uid) {
-@@ -852,6 +877,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
+@@ -875,6 +900,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
goto error;
}
@@ -78875,7 +78827,7 @@ index be5fa8b..a8c2090 100644
if (rgid != (gid_t) -1)
new->gid = rgid;
if (egid != (gid_t) -1)
-@@ -902,12 +930,16 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
+@@ -925,12 +953,16 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
uid == old->suid || uid == old->fsuid ||
nsown_capable(CAP_SETUID)) {
if (uid != old_fsuid) {
@@ -78892,7 +78844,7 @@ index be5fa8b..a8c2090 100644
abort_creds(new);
return old_fsuid;
-@@ -934,12 +966,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
+@@ -957,12 +989,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
if (gid == old->gid || gid == old->egid ||
gid == old->sgid || gid == old->fsgid ||
nsown_capable(CAP_SETGID)) {
@@ -78909,7 +78861,7 @@ index be5fa8b..a8c2090 100644
abort_creds(new);
return old_fsgid;
-@@ -1247,19 +1283,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
+@@ -1270,19 +1306,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
return -EFAULT;
down_read(&uts_sem);
@@ -78934,7 +78886,7 @@ index be5fa8b..a8c2090 100644
__OLD_UTS_LEN);
error |= __put_user(0, name->machine + __OLD_UTS_LEN);
up_read(&uts_sem);
-@@ -1461,6 +1497,13 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource,
+@@ -1484,6 +1520,13 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource,
*/
new_rlim->rlim_cur = 1;
}
@@ -78948,7 +78900,7 @@ index be5fa8b..a8c2090 100644
}
if (!retval) {
if (old_rlim)
-@@ -1724,7 +1767,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
+@@ -1747,7 +1790,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
error = get_dumpable(me->mm);
break;
case PR_SET_DUMPABLE:
@@ -79682,10 +79634,10 @@ index 16fc34a..efd8bb8 100644
ret = -EIO;
bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
-index 24b3759..e460d0b 100644
+index 226776b..175300f 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
-@@ -1586,12 +1586,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
+@@ -1599,12 +1599,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
if (unlikely(ftrace_disabled))
return 0;
@@ -81054,7 +81006,7 @@ index d80ac4b..9fd73bc 100644
/* if an huge pmd materialized from under us just retry later */
if (unlikely(pmd_trans_huge(*pmd)))
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
-index 70b4733..ab692a7 100644
+index 2dcd716..984ad56 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -1973,15 +1973,17 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
@@ -82202,10 +82154,10 @@ index 4d1e637..9e0a005 100644
err = -EPERM;
goto out;
diff --git a/mm/migrate.c b/mm/migrate.c
-index e1052d1..61c9e50 100644
+index 09d6a9d..c514c22 100644
--- a/mm/migrate.c
+++ b/mm/migrate.c
-@@ -1376,6 +1376,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
+@@ -1389,6 +1389,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
if (!mm)
return -EINVAL;
@@ -82220,7 +82172,7 @@ index e1052d1..61c9e50 100644
/*
* Check if this process has the right to modify the specified
* process. The right exists if the process has administrative
-@@ -1385,8 +1393,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
+@@ -1398,8 +1406,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
rcu_read_lock();
tcred = __task_cred(task);
if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
@@ -86191,7 +86143,7 @@ index 0274157..f8afbf3c7 100644
hid->dev.parent = hidp_get_device(session);
hid->ll_driver = &hidp_hid_driver;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
-index 04175d9..26291c1 100644
+index a0b6c50..5b22003 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -2178,8 +2178,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, voi
@@ -89408,6 +89360,33 @@ index 93a41a0..d4b4edb 100644
NLA_PUT_U32(skb, L2TP_ATTR_CONN_ID, tunnel->tunnel_id);
NLA_PUT_U32(skb, L2TP_ATTR_SESSION_ID, session->session_id);
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 6f60175..74410e6 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -350,19 +350,19 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
+ skb_put(skb, 2);
+
+ /* Copy user data into skb */
+- error = memcpy_fromiovec(skb->data, m->msg_iov, total_len);
++ error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov,
++ total_len);
+ if (error < 0) {
+ kfree_skb(skb);
+ goto error_put_sess_tun;
+ }
+- skb_put(skb, total_len);
+
+ l2tp_xmit_skb(session, skb, session->hdr_len);
+
+ sock_put(ps->tunnel_sock);
+ sock_put(sk);
+
+- return error;
++ return total_len;
+
+ error_put_sess_tun:
+ sock_put(ps->tunnel_sock);
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 73495f1..ad51356 100644
--- a/net/mac80211/ieee80211_i.h
@@ -89430,7 +89409,7 @@ index 73495f1..ad51356 100644
/* number of interfaces with corresponding FIF_ flags */
int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
-index f4ddf34..842d3b5 100644
+index 8260cd5..f13516d 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -211,7 +211,7 @@ static int ieee80211_do_open(struct net_device *dev, bool coming_up)
@@ -89683,7 +89662,7 @@ index 6dc7d7d..e45913a 100644
if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&
cp->protocol == IPPROTO_SCTP) {
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
-index 72f4253..f5222ae 100644
+index 72f4253..c9a3f57 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -788,7 +788,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
@@ -89722,7 +89701,14 @@ index 72f4253..f5222ae 100644
atomic_read(&dest->weight),
atomic_read(&dest->activeconns),
atomic_read(&dest->inactconns));
-@@ -2509,7 +2509,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
+@@ -2503,13 +2503,14 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
+ struct ip_vs_dest *dest;
+ struct ip_vs_dest_entry entry;
+
++ memset(&entry, 0, sizeof(entry));
+ list_for_each_entry(dest, &svc->destinations, n_list) {
+ if (count >= get->num_dests)
+ break;
entry.addr = dest->addr.ip;
entry.port = dest->port;
@@ -89731,7 +89717,7 @@ index 72f4253..f5222ae 100644
entry.weight = atomic_read(&dest->weight);
entry.u_threshold = dest->u_threshold;
entry.l_threshold = dest->l_threshold;
-@@ -3043,7 +3043,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
+@@ -3043,7 +3044,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
@@ -89740,7 +89726,7 @@ index 72f4253..f5222ae 100644
NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
-@@ -3626,7 +3626,7 @@ int __net_init ip_vs_control_net_init_sysctl(struct net *net)
+@@ -3626,7 +3627,7 @@ int __net_init ip_vs_control_net_init_sysctl(struct net *net)
{
int idx;
struct netns_ipvs *ipvs = net_ipvs(net);
@@ -90173,7 +90159,7 @@ index 3df7c5a..8f324b0 100644
*uaddr_len = sizeof(struct sockaddr_ax25);
}
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index 5a70215..379f8ee 100644
+index 5a70215..070be35 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1670,7 +1670,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
@@ -90213,7 +90199,22 @@ index 5a70215..379f8ee 100644
msg->msg_flags |= MSG_ERRQUEUE;
err = copied;
-@@ -3262,7 +3264,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -2820,12 +2822,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
+ return -EOPNOTSUPP;
+
+ uaddr->sa_family = AF_PACKET;
++ memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
+ rcu_read_lock();
+ dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
+ if (dev)
+- strncpy(uaddr->sa_data, dev->name, 14);
+- else
+- memset(uaddr->sa_data, 0, 14);
++ strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
+ rcu_read_unlock();
+ *uaddr_len = sizeof(*uaddr);
+
+@@ -3262,7 +3263,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
case PACKET_HDRLEN:
if (len > sizeof(int))
len = sizeof(int);
@@ -90222,7 +90223,7 @@ index 5a70215..379f8ee 100644
return -EFAULT;
switch (val) {
case TPACKET_V1:
-@@ -3312,7 +3314,11 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3312,7 +3313,11 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
if (put_user(len, optlen))
return -EFAULT;
@@ -90791,6 +90792,33 @@ index 8104278..300d89d 100644
}
/* Initialize IPv6 support and register with socket layer. */
+diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
+index 96eb168..3dd7207 100644
+--- a/net/sctp/outqueue.c
++++ b/net/sctp/outqueue.c
+@@ -205,6 +205,8 @@ static inline int sctp_cacc_skip(struct sctp_transport *primary,
+ */
+ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
+ {
++ memset(q, 0, sizeof(struct sctp_outq));
++
+ q->asoc = asoc;
+ INIT_LIST_HEAD(&q->out_chunk_list);
+ INIT_LIST_HEAD(&q->control_chunk_list);
+@@ -212,13 +214,7 @@ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
+ INIT_LIST_HEAD(&q->sacked);
+ INIT_LIST_HEAD(&q->abandoned);
+
+- q->fast_rtx = 0;
+- q->outstanding_bytes = 0;
+ q->empty = 1;
+- q->cork = 0;
+-
+- q->malloced = 0;
+- q->out_qlen = 0;
+ }
+
+ /* Free the outqueue structure and any related pending chunks.
diff --git a/net/sctp/probe.c b/net/sctp/probe.c
index bc6cd75..749e4eb 100644
--- a/net/sctp/probe.c
@@ -90875,7 +90903,7 @@ index 9032d50..49eb875 100644
sctp_generate_t1_cookie_event,
sctp_generate_t1_init_event,
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 5e0d86e..e2a4da1 100644
+index 5e0d86e..f09fd13 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -2157,11 +2157,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
@@ -90893,7 +90921,20 @@ index 5e0d86e..e2a4da1 100644
/*
* At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT,
-@@ -4141,13 +4143,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
+@@ -3929,6 +3931,12 @@ SCTP_STATIC void sctp_destroy_sock(struct sock *sk)
+
+ /* Release our hold on the endpoint. */
+ sp = sctp_sk(sk);
++ /* This could happen during socket init, thus we bail out
++ * early, since the rest of the below is not setup either.
++ */
++ if (sp->ep == NULL)
++ return;
++
+ if (sp->do_auto_asconf) {
+ sp->do_auto_asconf = 0;
+ list_del(&sp->auto_asconf_list);
+@@ -4141,13 +4149,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
int __user *optlen)
{
@@ -90911,7 +90952,7 @@ index 5e0d86e..e2a4da1 100644
return -EFAULT;
return 0;
}
-@@ -4165,6 +4170,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
+@@ -4165,6 +4176,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
*/
static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen)
{
@@ -90920,7 +90961,7 @@ index 5e0d86e..e2a4da1 100644
/* Applicable to UDP-style socket only */
if (sctp_style(sk, TCP))
return -EOPNOTSUPP;
-@@ -4173,7 +4180,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
+@@ -4173,7 +4186,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
len = sizeof(int);
if (put_user(len, optlen))
return -EFAULT;
@@ -90930,7 +90971,7 @@ index 5e0d86e..e2a4da1 100644
return -EFAULT;
return 0;
}
-@@ -4537,12 +4545,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
+@@ -4537,12 +4551,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
*/
static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen)
{
@@ -90947,7 +90988,7 @@ index 5e0d86e..e2a4da1 100644
return -EFAULT;
return 0;
}
-@@ -4583,6 +4594,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
+@@ -4583,6 +4600,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
if (space_left < addrlen)
return -ENOMEM;
@@ -93513,19 +93554,926 @@ index 51bd5a0..7b71be9 100644
default 65536
help
This is the portion of low virtual memory which should be protected
+diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
+index 9b9013b..51ebf96 100644
+--- a/security/apparmor/Kconfig
++++ b/security/apparmor/Kconfig
+@@ -29,3 +29,12 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
+ boot.
+
+ If you are unsure how to answer this question, answer 1.
++
++config SECURITY_APPARMOR_COMPAT_24
++ bool "Enable AppArmor 2.4 compatability"
++ depends on SECURITY_APPARMOR
++ default y
++ help
++ This option enables compatability with AppArmor 2.4. It is
++ recommended if compatability with older versions of AppArmor
++ is desired.
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 2dafe50..0bb604b 100644
+--- a/security/apparmor/Makefile
++++ b/security/apparmor/Makefile
+@@ -4,9 +4,10 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+ path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+- resource.o sid.o file.o
++ resource.o sid.o file.o net.o
++apparmor-$(CONFIG_SECURITY_APPARMOR_COMPAT_24) += apparmorfs-24.o
+
+-clean-files := capability_names.h rlim_names.h
++clean-files := capability_names.h rlim_names.h af_names.h
+
+
+ # Build a lower case string table of capability names
+@@ -44,9 +45,24 @@ cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ;\
+ sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\
+ echo "};" >> $@
+
++# Build a lower case string table of address family names.
++# Transform lines from
++# #define AF_INET 2 /* Internet IP Protocol */
++# to
++# [2] = "inet",
++quiet_cmd_make-af = GEN $@
++cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
++ sed $< >> $@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \
++ 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+).*/[\2] = "\L\1",/p';\
++ echo "};" >> $@
++
++
+ $(obj)/capability.o : $(obj)/capability_names.h
+ $(obj)/resource.o : $(obj)/rlim_names.h
++$(obj)/net.o : $(obj)/af_names.h
+ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h
+ $(call cmd,make-caps)
+ $(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h
+ $(call cmd,make-rlim)
++$(obj)/af_names.h : $(srctree)/include/linux/socket.h
++ $(call cmd,make-af)
+\ No newline at end of file
+diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c
+new file mode 100644
+index 0000000..dc8c744
+--- /dev/null
++++ b/security/apparmor/apparmorfs-24.c
+@@ -0,0 +1,287 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor /sys/kernel/secrutiy/apparmor interface functions
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ *
++ *
++ * This file contain functions providing an interface for <= AppArmor 2.4
++ * compatibility. It is dependent on CONFIG_SECURITY_APPARMOR_COMPAT_24
++ * being set (see Makefile).
++ */
++
++#include <linux/security.h>
++#include <linux/vmalloc.h>
++#include <linux/module.h>
++#include <linux/seq_file.h>
++#include <linux/uaccess.h>
++#include <linux/namei.h>
++
++#include "include/apparmor.h"
++#include "include/audit.h"
++#include "include/context.h"
++#include "include/policy.h"
++
++
++/* apparmor/matching */
++static ssize_t aa_matching_read(struct file *file, char __user *buf,
++ size_t size, loff_t *ppos)
++{
++ const char matching[] = "pattern=aadfa audit perms=crwxamlk/ "
++ "user::other";
++
++ return simple_read_from_buffer(buf, size, ppos, matching,
++ sizeof(matching) - 1);
++}
++
++const struct file_operations aa_fs_matching_fops = {
++ .read = aa_matching_read,
++};
++
++/* apparmor/features */
++static ssize_t aa_features_read(struct file *file, char __user *buf,
++ size_t size, loff_t *ppos)
++{
++ const char features[] = "file=3.1 capability=2.0 network=1.0 "
++ "change_hat=1.5 change_profile=1.1 " "aanamespaces=1.1 rlimit=1.1";
++
++ return simple_read_from_buffer(buf, size, ppos, features,
++ sizeof(features) - 1);
++}
++
++const struct file_operations aa_fs_features_fops = {
++ .read = aa_features_read,
++};
++
++/**
++ * __next_namespace - find the next namespace to list
++ * @root: root namespace to stop search at (NOT NULL)
++ * @ns: current ns position (NOT NULL)
++ *
++ * Find the next namespace from @ns under @root and handle all locking needed
++ * while switching current namespace.
++ *
++ * Returns: next namespace or NULL if at last namespace under @root
++ * NOTE: will not unlock root->lock
++ */
++static struct aa_namespace *__next_namespace(struct aa_namespace *root,
++ struct aa_namespace *ns)
++{
++ struct aa_namespace *parent;
++
++ /* is next namespace a child */
++ if (!list_empty(&ns->sub_ns)) {
++ struct aa_namespace *next;
++ next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
++ read_lock(&next->lock);
++ return next;
++ }
++
++ /* check if the next ns is a sibling, parent, gp, .. */
++ parent = ns->parent;
++ while (parent) {
++ read_unlock(&ns->lock);
++ list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
++ read_lock(&ns->lock);
++ return ns;
++ }
++ if (parent == root)
++ return NULL;
++ ns = parent;
++ parent = parent->parent;
++ }
++
++ return NULL;
++}
++
++/**
++ * __first_profile - find the first profile in a namespace
++ * @root: namespace that is root of profiles being displayed (NOT NULL)
++ * @ns: namespace to start in (NOT NULL)
++ *
++ * Returns: unrefcounted profile or NULL if no profile
++ */
++static struct aa_profile *__first_profile(struct aa_namespace *root,
++ struct aa_namespace *ns)
++{
++ for ( ; ns; ns = __next_namespace(root, ns)) {
++ if (!list_empty(&ns->base.profiles))
++ return list_first_entry(&ns->base.profiles,
++ struct aa_profile, base.list);
++ }
++ return NULL;
++}
++
++/**
++ * __next_profile - step to the next profile in a profile tree
++ * @profile: current profile in tree (NOT NULL)
++ *
++ * Perform a depth first taversal on the profile tree in a namespace
++ *
++ * Returns: next profile or NULL if done
++ * Requires: profile->ns.lock to be held
++ */
++static struct aa_profile *__next_profile(struct aa_profile *p)
++{
++ struct aa_profile *parent;
++ struct aa_namespace *ns = p->ns;
++
++ /* is next profile a child */
++ if (!list_empty(&p->base.profiles))
++ return list_first_entry(&p->base.profiles, typeof(*p),
++ base.list);
++
++ /* is next profile a sibling, parent sibling, gp, subling, .. */
++ parent = p->parent;
++ while (parent) {
++ list_for_each_entry_continue(p, &parent->base.profiles,
++ base.list)
++ return p;
++ p = parent;
++ parent = parent->parent;
++ }
++
++ /* is next another profile in the namespace */
++ list_for_each_entry_continue(p, &ns->base.profiles, base.list)
++ return p;
++
++ return NULL;
++}
++
++/**
++ * next_profile - step to the next profile in where ever it may be
++ * @root: root namespace (NOT NULL)
++ * @profile: current profile (NOT NULL)
++ *
++ * Returns: next profile or NULL if there isn't one
++ */
++static struct aa_profile *next_profile(struct aa_namespace *root,
++ struct aa_profile *profile)
++{
++ struct aa_profile *next = __next_profile(profile);
++ if (next)
++ return next;
++
++ /* finished all profiles in namespace move to next namespace */
++ return __first_profile(root, __next_namespace(root, profile->ns));
++}
++
++/**
++ * p_start - start a depth first traversal of profile tree
++ * @f: seq_file to fill
++ * @pos: current position
++ *
++ * Returns: first profile under current namespace or NULL if none found
++ *
++ * acquires first ns->lock
++ */
++static void *p_start(struct seq_file *f, loff_t *pos)
++ __acquires(root->lock)
++{
++ struct aa_profile *profile = NULL;
++ struct aa_namespace *root = aa_current_profile()->ns;
++ loff_t l = *pos;
++ f->private = aa_get_namespace(root);
++
++
++ /* find the first profile */
++ read_lock(&root->lock);
++ profile = __first_profile(root, root);
++
++ /* skip to position */
++ for (; profile && l > 0; l--)
++ profile = next_profile(root, profile);
++
++ return profile;
++}
++
++/**
++ * p_next - read the next profile entry
++ * @f: seq_file to fill
++ * @p: profile previously returned
++ * @pos: current position
++ *
++ * Returns: next profile after @p or NULL if none
++ *
++ * may acquire/release locks in namespace tree as necessary
++ */
++static void *p_next(struct seq_file *f, void *p, loff_t *pos)
++{
++ struct aa_profile *profile = p;
++ struct aa_namespace *root = f->private;
++ (*pos)++;
++
++ return next_profile(root, profile);
++}
++
++/**
++ * p_stop - stop depth first traversal
++ * @f: seq_file we are filling
++ * @p: the last profile writen
++ *
++ * Release all locking done by p_start/p_next on namespace tree
++ */
++static void p_stop(struct seq_file *f, void *p)
++ __releases(root->lock)
++{
++ struct aa_profile *profile = p;
++ struct aa_namespace *root = f->private, *ns;
++
++ if (profile) {
++ for (ns = profile->ns; ns && ns != root; ns = ns->parent)
++ read_unlock(&ns->lock);
++ }
++ read_unlock(&root->lock);
++ aa_put_namespace(root);
++}
++
++/**
++ * seq_show_profile - show a profile entry
++ * @f: seq_file to file
++ * @p: current position (profile) (NOT NULL)
++ *
++ * Returns: error on failure
++ */
++static int seq_show_profile(struct seq_file *f, void *p)
++{
++ struct aa_profile *profile = (struct aa_profile *)p;
++ struct aa_namespace *root = f->private;
++
++ if (profile->ns != root)
++ seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
++ seq_printf(f, "%s (%s)\n", profile->base.hname,
++ COMPLAIN_MODE(profile) ? "complain" : "enforce");
++
++ return 0;
++}
++
++static const struct seq_operations aa_fs_profiles_op = {
++ .start = p_start,
++ .next = p_next,
++ .stop = p_stop,
++ .show = seq_show_profile,
++};
++
++static int profiles_open(struct inode *inode, struct file *file)
++{
++ return seq_open(file, &aa_fs_profiles_op);
++}
++
++static int profiles_release(struct inode *inode, struct file *file)
++{
++ return seq_release(inode, file);
++}
++
++const struct file_operations aa_fs_profiles_fops = {
++ .open = profiles_open,
++ .read = seq_read,
++ .llseek = seq_lseek,
++ .release = profiles_release,
++};
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 69ddb47..be0f0f9 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -187,7 +187,11 @@ void __init aa_destroy_aafs(void)
+ aafs_remove(".remove");
+ aafs_remove(".replace");
+ aafs_remove(".load");
+-
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++ aafs_remove("profiles");
++ aafs_remove("matching");
++ aafs_remove("features");
++#endif
+ securityfs_remove(aa_fs_dentry);
+ aa_fs_dentry = NULL;
+ }
+@@ -218,7 +222,17 @@ static int __init aa_create_aafs(void)
+ aa_fs_dentry = NULL;
+ goto error;
+ }
+-
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++ error = aafs_create("matching", 0444, &aa_fs_matching_fops);
++ if (error)
++ goto error;
++ error = aafs_create("features", 0444, &aa_fs_features_fops);
++ if (error)
++ goto error;
++ error = aafs_create("profiles", 0440, &aa_fs_profiles_fops);
++ if (error)
++ goto error;
++#endif
+ error = aafs_create(".load", 0640, &aa_fs_profile_load);
+ if (error)
+ goto error;
+diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
+index cb1e93a..14f955c 100644
+--- a/security/apparmor/include/apparmorfs.h
++++ b/security/apparmor/include/apparmorfs.h
+@@ -17,4 +17,10 @@
+
+ extern void __init aa_destroy_aafs(void);
+
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++extern const struct file_operations aa_fs_matching_fops;
++extern const struct file_operations aa_fs_features_fops;
++extern const struct file_operations aa_fs_profiles_fops;
++#endif
++
+ #endif /* __AA_APPARMORFS_H */
+diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
+new file mode 100644
+index 0000000..3c7d599
+--- /dev/null
++++ b/security/apparmor/include/net.h
+@@ -0,0 +1,40 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor network mediation definitions.
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#ifndef __AA_NET_H
++#define __AA_NET_H
++
++#include <net/sock.h>
++
++/* struct aa_net - network confinement data
++ * @allowed: basic network families permissions
++ * @audit_network: which network permissions to force audit
++ * @quiet_network: which network permissions to quiet rejects
++ */
++struct aa_net {
++ u16 allow[AF_MAX];
++ u16 audit[AF_MAX];
++ u16 quiet[AF_MAX];
++};
++
++extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
++ int type, int protocol, struct sock *sk);
++extern int aa_revalidate_sk(int op, struct sock *sk);
++
++static inline void aa_free_net_rules(struct aa_net *new)
++{
++ /* NOP */
++}
++
++#endif /* __AA_NET_H */
+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
+index aeda5cf..6776929 100644
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -27,6 +27,7 @@
+ #include "capability.h"
+ #include "domain.h"
+ #include "file.h"
++#include "net.h"
+ #include "resource.h"
+
+ extern const char *profile_mode_names[];
+@@ -145,6 +146,7 @@ struct aa_namespace {
+ * @size: the memory consumed by this profiles rules
+ * @file: The set of rules governing basic file access and domain transitions
+ * @caps: capabilities for the profile
++ * @net: network controls for the profile
+ * @rlimits: rlimits for the profile
+ *
+ * The AppArmor profile contains the basic confinement data. Each profile
+@@ -181,6 +183,7 @@ struct aa_profile {
+
+ struct aa_file_rules file;
+ struct aa_caps caps;
++ struct aa_net net;
+ struct aa_rlimit rlimits;
+ };
+
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index 3783202..1852837 100644
+index 3783202..d70ae70 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
-@@ -621,7 +621,7 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+@@ -32,6 +32,7 @@
+ #include "include/context.h"
+ #include "include/file.h"
+ #include "include/ipc.h"
++#include "include/net.h"
+ #include "include/path.h"
+ #include "include/policy.h"
+ #include "include/procattr.h"
+@@ -621,7 +622,105 @@ static int apparmor_task_setrlimit(struct task_struct *task,
return error;
}
-static struct security_operations apparmor_ops = {
++static int apparmor_socket_create(int family, int type, int protocol, int kern)
++{
++ struct aa_profile *profile;
++ int error = 0;
++
++ if (kern)
++ return 0;
++
++ profile = __aa_current_profile();
++ if (!unconfined(profile))
++ error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
++ NULL);
++ return error;
++}
++
++static int apparmor_socket_bind(struct socket *sock,
++ struct sockaddr *address, int addrlen)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_BIND, sk);
++}
++
++static int apparmor_socket_connect(struct socket *sock,
++ struct sockaddr *address, int addrlen)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_CONNECT, sk);
++}
++
++static int apparmor_socket_listen(struct socket *sock, int backlog)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_LISTEN, sk);
++}
++
++static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_ACCEPT, sk);
++}
++
++static int apparmor_socket_sendmsg(struct socket *sock,
++ struct msghdr *msg, int size)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_SENDMSG, sk);
++}
++
++static int apparmor_socket_recvmsg(struct socket *sock,
++ struct msghdr *msg, int size, int flags)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_RECVMSG, sk);
++}
++
++static int apparmor_socket_getsockname(struct socket *sock)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_GETSOCKNAME, sk);
++}
++
++static int apparmor_socket_getpeername(struct socket *sock)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_GETPEERNAME, sk);
++}
++
++static int apparmor_socket_getsockopt(struct socket *sock, int level,
++ int optname)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_GETSOCKOPT, sk);
++}
++
++static int apparmor_socket_setsockopt(struct socket *sock, int level,
++ int optname)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_SETSOCKOPT, sk);
++}
++
++static int apparmor_socket_shutdown(struct socket *sock, int how)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
++}
++
+static struct security_operations apparmor_ops __read_only = {
.name = "apparmor",
.ptrace_access_check = apparmor_ptrace_access_check,
+@@ -652,6 +751,19 @@ static struct security_operations apparmor_ops = {
+ .getprocattr = apparmor_getprocattr,
+ .setprocattr = apparmor_setprocattr,
+
++ .socket_create = apparmor_socket_create,
++ .socket_bind = apparmor_socket_bind,
++ .socket_connect = apparmor_socket_connect,
++ .socket_listen = apparmor_socket_listen,
++ .socket_accept = apparmor_socket_accept,
++ .socket_sendmsg = apparmor_socket_sendmsg,
++ .socket_recvmsg = apparmor_socket_recvmsg,
++ .socket_getsockname = apparmor_socket_getsockname,
++ .socket_getpeername = apparmor_socket_getpeername,
++ .socket_getsockopt = apparmor_socket_getsockopt,
++ .socket_setsockopt = apparmor_socket_setsockopt,
++ .socket_shutdown = apparmor_socket_shutdown,
++
+ .cred_alloc_blank = apparmor_cred_alloc_blank,
+ .cred_free = apparmor_cred_free,
+ .cred_prepare = apparmor_cred_prepare,
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index 94de6b4..081491e 100644
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -57,8 +57,17 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
+ if (bsize < tsize)
+ goto out;
+
++ /* Pad table allocation for next/check by 256 entries to remain
++ * backwards compatible with old (buggy) tools and remain safe without
++ * run time checks
++ */
++ if (th.td_id == YYTD_ID_NXT || th.td_id == YYTD_ID_CHK)
++ tsize += 256 * th.td_flags;
++
+ table = kvmalloc(tsize);
+ if (table) {
++ /* ensure the pad is clear, else there will be errors */
++ memset(table, 0, tsize);
+ *table = th;
+ if (th.td_flags == YYTD_DATA8)
+ UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
+@@ -134,11 +143,19 @@ static int verify_dfa(struct aa_dfa *dfa, int flags)
+ goto out;
+
+ if (flags & DFA_FLAG_VERIFY_STATES) {
++ int warning = 0;
+ for (i = 0; i < state_count; i++) {
+ if (DEFAULT_TABLE(dfa)[i] >= state_count)
+ goto out;
+ /* TODO: do check that DEF state recursion terminates */
+ if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
++ if (warning)
++ continue;
++ printk(KERN_WARNING "AppArmor DFA next/check "
++ "upper bounds error fixed, upgrade "
++ "user space tools \n");
++ warning = 1;
++ } else if (BASE_TABLE(dfa)[i] >= trans_count) {
+ printk(KERN_ERR "AppArmor DFA next/check upper "
+ "bounds error\n");
+ goto out;
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+new file mode 100644
+index 0000000..1765901
+--- /dev/null
++++ b/security/apparmor/net.c
+@@ -0,0 +1,170 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor network mediation
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#include "include/apparmor.h"
++#include "include/audit.h"
++#include "include/context.h"
++#include "include/net.h"
++#include "include/policy.h"
++
++#include "af_names.h"
++
++static const char *sock_type_names[] = {
++ "unknown(0)",
++ "stream",
++ "dgram",
++ "raw",
++ "rdm",
++ "seqpacket",
++ "dccp",
++ "unknown(7)",
++ "unknown(8)",
++ "unknown(9)",
++ "packet",
++};
++
++/* audit callback for net specific fields */
++static void audit_cb(struct audit_buffer *ab, void *va)
++{
++ struct common_audit_data *sa = va;
++
++ audit_log_format(ab, " family=");
++ if (address_family_names[sa->u.net.family]) {
++ audit_log_string(ab, address_family_names[sa->u.net.family]);
++ } else {
++ audit_log_format(ab, " \"unknown(%d)\"", sa->u.net.family);
++ }
++
++ audit_log_format(ab, " sock_type=");
++ if (sock_type_names[sa->aad.net.type]) {
++ audit_log_string(ab, sock_type_names[sa->aad.net.type]);
++ } else {
++ audit_log_format(ab, "\"unknown(%d)\"", sa->aad.net.type);
++ }
++
++ audit_log_format(ab, " protocol=%d", sa->aad.net.protocol);
++}
++
++/**
++ * audit_net - audit network access
++ * @profile: profile being enforced (NOT NULL)
++ * @op: operation being checked
++ * @family: network family
++ * @type: network type
++ * @protocol: network protocol
++ * @sk: socket auditing is being applied to
++ * @error: error code for failure else 0
++ *
++ * Returns: %0 or sa->error else other errorcode on failure
++ */
++static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
++ int protocol, struct sock *sk, int error)
++{
++ int audit_type = AUDIT_APPARMOR_AUTO;
++ struct common_audit_data sa;
++ if (sk) {
++ COMMON_AUDIT_DATA_INIT(&sa, NET);
++ } else {
++ COMMON_AUDIT_DATA_INIT(&sa, NONE);
++ }
++ /* todo fill in socket addr info */
++
++ sa.aad.op = op,
++ sa.u.net.family = family;
++ sa.u.net.sk = sk;
++ sa.aad.net.type = type;
++ sa.aad.net.protocol = protocol;
++ sa.aad.error = error;
++
++ if (likely(!sa.aad.error)) {
++ u16 audit_mask = profile->net.audit[sa.u.net.family];
++ if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
++ !(1 << sa.aad.net.type & audit_mask)))
++ return 0;
++ audit_type = AUDIT_APPARMOR_AUDIT;
++ } else {
++ u16 quiet_mask = profile->net.quiet[sa.u.net.family];
++ u16 kill_mask = 0;
++ u16 denied = (1 << sa.aad.net.type) & ~quiet_mask;
++
++ if (denied & kill_mask)
++ audit_type = AUDIT_APPARMOR_KILL;
++
++ if ((denied & quiet_mask) &&
++ AUDIT_MODE(profile) != AUDIT_NOQUIET &&
++ AUDIT_MODE(profile) != AUDIT_ALL)
++ return COMPLAIN_MODE(profile) ? 0 : sa.aad.error;
++ }
++
++ return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb);
++}
++
++/**
++ * aa_net_perm - very course network access check
++ * @op: operation being checked
++ * @profile: profile being enforced (NOT NULL)
++ * @family: network family
++ * @type: network type
++ * @protocol: network protocol
++ *
++ * Returns: %0 else error if permission denied
++ */
++int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type,
++ int protocol, struct sock *sk)
++{
++ u16 family_mask;
++ int error;
++
++ if ((family < 0) || (family >= AF_MAX))
++ return -EINVAL;
++
++ if ((type < 0) || (type >= SOCK_MAX))
++ return -EINVAL;
++
++ /* unix domain and netlink sockets are handled by ipc */
++ if (family == AF_UNIX || family == AF_NETLINK)
++ return 0;
++
++ family_mask = profile->net.allow[family];
++
++ error = (family_mask & (1 << type)) ? 0 : -EACCES;
++
++ return audit_net(profile, op, family, type, protocol, sk, error);
++}
++
++/**
++ * aa_revalidate_sk - Revalidate access to a sock
++ * @op: operation being checked
++ * @sk: sock being revalidated (NOT NULL)
++ *
++ * Returns: %0 else error if permission denied
++ */
++int aa_revalidate_sk(int op, struct sock *sk)
++{
++ struct aa_profile *profile;
++ int error = 0;
++
++ /* aa_revalidate_sk should not be called from interrupt context
++ * don't mediate these calls as they are not task related
++ */
++ if (in_interrupt())
++ return 0;
++
++ profile = __aa_current_profile();
++ if (!unconfined(profile))
++ error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
++ sk->sk_protocol, sk);
++
++ return error;
++}
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 4f0eade..4d5ce13 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -745,6 +745,7 @@ static void free_profile(struct aa_profile *profile)
+
+ aa_free_file_rules(&profile->file);
+ aa_free_cap_rules(&profile->caps);
++ aa_free_net_rules(&profile->net);
+ aa_free_rlimit_rules(&profile->rlimits);
+
+ aa_free_sid(profile->sid);
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index 741dd13..ee8043e 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -190,6 +190,19 @@ fail:
+ return 0;
+ }
+
++static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
++{
++ if (unpack_nameX(e, AA_U16, name)) {
++ if (!inbounds(e, sizeof(u16)))
++ return 0;
++ if (data)
++ *data = le16_to_cpu(get_unaligned((u16 *) e->pos));
++ e->pos += sizeof(u16);
++ return 1;
++ }
++ return 0;
++}
++
+ static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
+ {
+ if (unpack_nameX(e, AA_U32, name)) {
+@@ -468,7 +481,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ {
+ struct aa_profile *profile = NULL;
+ const char *name = NULL;
+- int error = -EPROTO;
++ size_t size = 0;
++ int i, error = -EPROTO;
+ kernel_cap_t tmpcap;
+ u32 tmp;
+
+@@ -559,6 +573,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ if (!unpack_rlimits(e, profile))
+ goto fail;
+
++ size = unpack_array(e, "net_allowed_af");
++ if (size) {
++
++ for (i = 0; i < size; i++) {
++ /* discard extraneous rules that this kernel will
++ * never request
++ */
++ if (i >= AF_MAX) {
++ u16 tmp;
++ if (!unpack_u16(e, &tmp, NULL) ||
++ !unpack_u16(e, &tmp, NULL) ||
++ !unpack_u16(e, &tmp, NULL))
++ goto fail;
++ continue;
++ }
++ if (!unpack_u16(e, &profile->net.allow[i], NULL))
++ goto fail;
++ if (!unpack_u16(e, &profile->net.audit[i], NULL))
++ goto fail;
++ if (!unpack_u16(e, &profile->net.quiet[i], NULL))
++ goto fail;
++ }
++ if (!unpack_nameX(e, AA_ARRAYEND, NULL))
++ goto fail;
++ /*
++ * allow unix domain and netlink sockets they are handled
++ * by IPC
++ */
++ }
++ profile->net.allow[AF_UNIX] = 0xffff;
++ profile->net.allow[AF_NETLINK] = 0xffff;
++
+ /* get file rules */
+ profile->file.dfa = unpack_dfa(e);
+ if (IS_ERR(profile->file.dfa)) {
diff --git a/security/commoncap.c b/security/commoncap.c
index 12440ee..e16cba1 100644
--- a/security/commoncap.c
@@ -94460,10 +95408,10 @@ index ee15337..ab0ec34 100644
if (playback)
diff --git a/sound/usb/card.h b/sound/usb/card.h
-index 2b7559c..3a42a04 100644
+index 0a7ca6c..f4b948c 100644
--- a/sound/usb/card.h
+++ b/sound/usb/card.h
-@@ -44,6 +44,7 @@ struct snd_urb_ops {
+@@ -45,6 +45,7 @@ struct snd_urb_ops {
int (*prepare_sync)(struct snd_usb_substream *subs, struct snd_pcm_runtime *runtime, struct urb *u);
int (*retire_sync)(struct snd_usb_substream *subs, struct snd_pcm_runtime *runtime, struct urb *u);
};
@@ -94471,7 +95419,7 @@ index 2b7559c..3a42a04 100644
struct snd_usb_substream {
struct snd_usb_stream *stream;
-@@ -95,7 +96,7 @@ struct snd_usb_substream {
+@@ -96,7 +97,7 @@ struct snd_usb_substream {
struct snd_pcm_hw_constraint_list rate_list; /* limited rates */
spinlock_t lock;
diff --git a/3.2.46/4425_grsec_remove_EI_PAX.patch b/3.2.47/4425_grsec_remove_EI_PAX.patch
similarity index 100%
rename from 3.2.46/4425_grsec_remove_EI_PAX.patch
rename to 3.2.47/4425_grsec_remove_EI_PAX.patch
diff --git a/3.2.46/4427_force_XATTR_PAX_tmpfs.patch b/3.2.47/4427_force_XATTR_PAX_tmpfs.patch
similarity index 100%
rename from 3.2.46/4427_force_XATTR_PAX_tmpfs.patch
rename to 3.2.47/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.2.46/4430_grsec-remove-localversion-grsec.patch b/3.2.47/4430_grsec-remove-localversion-grsec.patch
similarity index 100%
rename from 3.2.46/4430_grsec-remove-localversion-grsec.patch
rename to 3.2.47/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.2.46/4435_grsec-mute-warnings.patch b/3.2.47/4435_grsec-mute-warnings.patch
similarity index 100%
rename from 3.2.46/4435_grsec-mute-warnings.patch
rename to 3.2.47/4435_grsec-mute-warnings.patch
diff --git a/3.2.46/4440_grsec-remove-protected-paths.patch b/3.2.47/4440_grsec-remove-protected-paths.patch
similarity index 100%
rename from 3.2.46/4440_grsec-remove-protected-paths.patch
rename to 3.2.47/4440_grsec-remove-protected-paths.patch
diff --git a/3.2.46/4450_grsec-kconfig-default-gids.patch b/3.2.47/4450_grsec-kconfig-default-gids.patch
similarity index 100%
rename from 3.2.46/4450_grsec-kconfig-default-gids.patch
rename to 3.2.47/4450_grsec-kconfig-default-gids.patch
diff --git a/3.2.46/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.47/4465_selinux-avc_audit-log-curr_ip.patch
similarity index 100%
rename from 3.2.46/4465_selinux-avc_audit-log-curr_ip.patch
rename to 3.2.47/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.2.46/4470_disable-compat_vdso.patch b/3.2.47/4470_disable-compat_vdso.patch
similarity index 100%
rename from 3.2.46/4470_disable-compat_vdso.patch
rename to 3.2.47/4470_disable-compat_vdso.patch
diff --git a/3.2.46/4475_emutramp_default_on.patch b/3.2.47/4475_emutramp_default_on.patch
similarity index 100%
rename from 3.2.46/4475_emutramp_default_on.patch
rename to 3.2.47/4475_emutramp_default_on.patch
diff --git a/3.9.5/0000_README b/3.9.6/0000_README
similarity index 96%
rename from 3.9.5/0000_README
rename to 3.9.6/0000_README
index 39f1bd8..39efc0a 100644
--- a/3.9.5/0000_README
+++ b/3.9.6/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.9.5-201306111850.patch
+Patch: 4420_grsecurity-2.9.1-3.9.6-201306182033.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.9.5/4420_grsecurity-2.9.1-3.9.5-201306111850.patch b/3.9.6/4420_grsecurity-2.9.1-3.9.6-201306182033.patch
similarity index 99%
rename from 3.9.5/4420_grsecurity-2.9.1-3.9.5-201306111850.patch
rename to 3.9.6/4420_grsecurity-2.9.1-3.9.6-201306182033.patch
index 183d9f7..5702fad 100644
--- a/3.9.5/4420_grsecurity-2.9.1-3.9.5-201306111850.patch
+++ b/3.9.6/4420_grsecurity-2.9.1-3.9.6-201306182033.patch
@@ -259,7 +259,7 @@ index 8ccbf27..afffeb4 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index 8818c95..ced0bb1 100644
+index 4a40307..9ac699b 100644
--- a/Makefile
+++ b/Makefile
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -6682,10 +6682,10 @@ index 2e3200c..72095ce 100644
/* Find this entry, or if that fails, the next avail. entry */
while (entry->jump[0]) {
diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
-index 16e77a8..4501b41 100644
+index 9600c36..0c156d7 100644
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
-@@ -870,8 +870,8 @@ void show_regs(struct pt_regs * regs)
+@@ -871,8 +871,8 @@ void show_regs(struct pt_regs * regs)
* Lookup NIP late so we have the best change of getting the
* above info out without failing
*/
@@ -6696,7 +6696,7 @@ index 16e77a8..4501b41 100644
#endif
#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
printk("PACATMSCRATCH [%llx]\n", get_paca()->tm_scratch);
-@@ -1330,10 +1330,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
+@@ -1331,10 +1331,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
newsp = stack[0];
ip = stack[STACK_FRAME_LR_SAVE];
if (!firstframe || ip != lr) {
@@ -6709,7 +6709,7 @@ index 16e77a8..4501b41 100644
(void *)current->ret_stack[curr_frame].ret);
curr_frame--;
}
-@@ -1353,7 +1353,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
+@@ -1354,7 +1354,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
struct pt_regs *regs = (struct pt_regs *)
(sp + STACK_FRAME_OVERHEAD);
lr = regs->link;
@@ -6718,7 +6718,7 @@ index 16e77a8..4501b41 100644
regs->trap, (void *)regs->nip, (void *)lr);
firstframe = 1;
}
-@@ -1395,58 +1395,3 @@ void __ppc64_runlatch_off(void)
+@@ -1396,58 +1396,3 @@ void __ppc64_runlatch_off(void)
mtspr(SPRN_CTRLT, ctrl);
}
#endif /* CONFIG_PPC64 */
@@ -6856,7 +6856,7 @@ index 3ce1f86..c30e629 100644
};
diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
-index 1c22b2d..3b56e67 100644
+index 29857c6..bd31e27 100644
--- a/arch/powerpc/kernel/traps.c
+++ b/arch/powerpc/kernel/traps.c
@@ -142,6 +142,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs)
@@ -31363,10 +31363,10 @@ index e006c18..b9a7d6c 100644
.alloc_pud = xen_alloc_pmd_init,
.release_pud = xen_release_pmd_init,
diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
-index 22c800a..8915f1e 100644
+index 96c4e85..284fded 100644
--- a/arch/x86/xen/smp.c
+++ b/arch/x86/xen/smp.c
-@@ -229,11 +229,6 @@ static void __init xen_smp_prepare_boot_cpu(void)
+@@ -230,11 +230,6 @@ static void __init xen_smp_prepare_boot_cpu(void)
{
BUG_ON(smp_processor_id() != 0);
native_smp_prepare_boot_cpu();
@@ -31378,7 +31378,7 @@ index 22c800a..8915f1e 100644
xen_filter_cpu_maps();
xen_setup_vcpu_info_placement();
}
-@@ -303,7 +298,7 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
+@@ -304,7 +299,7 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
ctxt->user_regs.ss = __KERNEL_DS;
#ifdef CONFIG_X86_32
ctxt->user_regs.fs = __KERNEL_PERCPU;
@@ -31387,7 +31387,7 @@ index 22c800a..8915f1e 100644
#else
ctxt->gs_base_kernel = per_cpu_offset(cpu);
#endif
-@@ -313,8 +308,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
+@@ -314,8 +309,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
{
ctxt->user_regs.eflags = 0x1000; /* IOPL_RING1 */
@@ -31398,7 +31398,7 @@ index 22c800a..8915f1e 100644
xen_copy_trap_info(ctxt->trap_ctxt);
-@@ -359,13 +354,12 @@ static int __cpuinit xen_cpu_up(unsigned int cpu, struct task_struct *idle)
+@@ -360,13 +355,12 @@ static int __cpuinit xen_cpu_up(unsigned int cpu, struct task_struct *idle)
int rc;
per_cpu(current_task, cpu) = idle;
@@ -31414,7 +31414,7 @@ index 22c800a..8915f1e 100644
#endif
xen_setup_runstate_info(cpu);
xen_setup_timer(cpu);
-@@ -634,7 +628,7 @@ static const struct smp_ops xen_smp_ops __initconst = {
+@@ -642,7 +636,7 @@ static const struct smp_ops xen_smp_ops __initconst = {
void __init xen_smp_init(void)
{
@@ -33945,7 +33945,7 @@ index 2c644af..d4d7f17 100644
static int memory_open(struct inode *inode, struct file *filp)
diff --git a/drivers/char/mwave/tp3780i.c b/drivers/char/mwave/tp3780i.c
-index c689697..04e6d6a 100644
+index c689697..04e6d6a2 100644
--- a/drivers/char/mwave/tp3780i.c
+++ b/drivers/char/mwave/tp3780i.c
@@ -479,6 +479,7 @@ int tp3780I_QueryAbilities(THINKPAD_BD_DATA * pBDData, MW_ABILITIES * pAbilities
@@ -34259,7 +34259,7 @@ index ade7513..069445f 100644
};
diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c
-index 57a8774..545e993 100644
+index bb5939b..d9accb7 100644
--- a/drivers/cpufreq/acpi-cpufreq.c
+++ b/drivers/cpufreq/acpi-cpufreq.c
@@ -172,7 +172,7 @@ static ssize_t show_global_boost(struct kobject *kobj,
@@ -35394,10 +35394,10 @@ index 3c7bb04..182e049 100644
iir = I915_READ(IIR);
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index c2d173a..f4357cc 100644
+index 2ab65b4..acbd821 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
-@@ -8722,13 +8722,13 @@ struct intel_quirk {
+@@ -8742,13 +8742,13 @@ struct intel_quirk {
int subsystem_vendor;
int subsystem_device;
void (*hook)(struct drm_device *dev);
@@ -35413,7 +35413,7 @@ index c2d173a..f4357cc 100644
static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
{
-@@ -8736,18 +8736,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
+@@ -8756,18 +8756,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
return 1;
}
@@ -35927,7 +35927,7 @@ index 6c0ce89..66f6d65 100644
#endif
return radeon_debugfs_add_files(rdev, radeon_mem_types_list, i);
diff --git a/drivers/gpu/drm/radeon/rs690.c b/drivers/gpu/drm/radeon/rs690.c
-index 5706d2a..17aedaa 100644
+index fad6633..4ff94de 100644
--- a/drivers/gpu/drm/radeon/rs690.c
+++ b/drivers/gpu/drm/radeon/rs690.c
@@ -304,9 +304,11 @@ static void rs690_crtc_bandwidth_compute(struct radeon_device *rdev,
@@ -39635,6 +39635,19 @@ index 25309bf..fcfd54c 100644
#define CHIPREV_ID_5750_C2 0x4202
#define CHIPREV_ID_5752_A0_HW 0x5000
#define CHIPREV_ID_5752_A0 0x6000
+diff --git a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
+index 6e8bc9d..94d957d 100644
+--- a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
++++ b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
+@@ -244,7 +244,7 @@ bnad_debugfs_lseek(struct file *file, loff_t offset, int orig)
+ file->f_pos += offset;
+ break;
+ case 2:
+- file->f_pos = debug->buffer_len - offset;
++ file->f_pos = debug->buffer_len + offset;
+ break;
+ default:
+ return -EINVAL;
diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
index 8cffcdf..aadf043 100644
--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h
@@ -40374,6 +40387,19 @@ index 784e81c..349e01e 100644
struct ath_nf_limits {
s16 max;
+diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
+index 64b637a..911c4c0 100644
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -2451,7 +2451,7 @@ static void b43_request_firmware(struct work_struct *work)
+ for (i = 0; i < B43_NR_FWTYPES; i++) {
+ errmsg = ctx->errors[i];
+ if (strlen(errmsg))
+- b43err(dev->wl, errmsg);
++ b43err(dev->wl, "%s", errmsg);
+ }
+ b43_print_fw_helptext(dev->wl, 1);
+ goto out;
diff --git a/drivers/net/wireless/iwlegacy/3945-mac.c b/drivers/net/wireless/iwlegacy/3945-mac.c
index c353b5f..62aaca2 100644
--- a/drivers/net/wireless/iwlegacy/3945-mac.c
@@ -40575,6 +40601,46 @@ index 2b49f48..14fc244 100644
}
spin_lock_init(&hwsim_radio_lock);
+diff --git a/drivers/net/wireless/mwifiex/debugfs.c b/drivers/net/wireless/mwifiex/debugfs.c
+index 753b568..a5f9875 100644
+--- a/drivers/net/wireless/mwifiex/debugfs.c
++++ b/drivers/net/wireless/mwifiex/debugfs.c
+@@ -26,10 +26,17 @@
+ static struct dentry *mwifiex_dfs_dir;
+
+ static char *bss_modes[] = {
+- "Unknown",
+- "Ad-hoc",
+- "Managed",
+- "Auto"
++ "UNSPECIFIED",
++ "ADHOC",
++ "STATION",
++ "AP",
++ "AP_VLAN",
++ "WDS",
++ "MONITOR",
++ "MESH_POINT",
++ "P2P_CLIENT",
++ "P2P_GO",
++ "P2P_DEVICE",
+ };
+
+ /* size/addr for mwifiex_debug_info */
+@@ -200,7 +207,12 @@ mwifiex_info_read(struct file *file, char __user *ubuf,
+ p += sprintf(p, "driver_version = %s", fmt);
+ p += sprintf(p, "\nverext = %s", priv->version_str);
+ p += sprintf(p, "\ninterface_name=\"%s\"\n", netdev->name);
+- p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]);
++
++ if (info.bss_mode >= ARRAY_SIZE(bss_modes))
++ p += sprintf(p, "bss_mode=\"%d\"\n", info.bss_mode);
++ else
++ p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]);
++
+ p += sprintf(p, "media_state=\"%s\"\n",
+ (!priv->media_connected ? "Disconnected" : "Connected"));
+ p += sprintf(p, "mac_address=\"%pM\"\n", netdev->dev_addr);
diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
index 525fd75..6c9f791 100644
--- a/drivers/net/wireless/rndis_wlan.c
@@ -41068,7 +41134,7 @@ index d320df6..ca9a8f6 100644
#define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
-index 5427787..8df273b 100644
+index 563771f..4e3c368 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -173,7 +173,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
@@ -41613,6 +41679,32 @@ index 23a90e7..9cf04ee 100644
/*
* Queue element to wait for room in request queue. FIFO order is
+diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugfs.c
+index 439c012..b63d534 100644
+--- a/drivers/scsi/bfa/bfad_debugfs.c
++++ b/drivers/scsi/bfa/bfad_debugfs.c
+@@ -186,7 +186,7 @@ bfad_debugfs_lseek(struct file *file, loff_t offset, int orig)
+ file->f_pos += offset;
+ break;
+ case 2:
+- file->f_pos = debug->buffer_len - offset;
++ file->f_pos = debug->buffer_len + offset;
+ break;
+ default:
+ return -EINVAL;
+diff --git a/drivers/scsi/fnic/fnic_debugfs.c b/drivers/scsi/fnic/fnic_debugfs.c
+index adc1f7f..85e1ffd 100644
+--- a/drivers/scsi/fnic/fnic_debugfs.c
++++ b/drivers/scsi/fnic/fnic_debugfs.c
+@@ -174,7 +174,7 @@ static loff_t fnic_trace_debugfs_lseek(struct file *file,
+ pos = file->f_pos + offset;
+ break;
+ case 2:
+- pos = fnic_dbg_prt->buffer_len - offset;
++ pos = fnic_dbg_prt->buffer_len + offset;
+ }
+ return (pos < 0 || pos > fnic_dbg_prt->buffer_len) ?
+ -EINVAL : (file->f_pos = pos);
diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
index df0c3c7..b00e1d0 100644
--- a/drivers/scsi/hosts.c
@@ -41967,7 +42059,7 @@ index 7706c99..3b4fc0c 100644
struct dentry *idiag_root;
struct dentry *idiag_pci_cfg;
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
-index f63f5ff..de29189 100644
+index f63f5ff..32549a4 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -106,7 +106,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_trc,
@@ -42031,6 +42123,15 @@ index f63f5ff..de29189 100644
dtp->jif = jiffies;
#endif
return;
+@@ -1178,7 +1178,7 @@ lpfc_debugfs_lseek(struct file *file, loff_t off, int whence)
+ pos = file->f_pos + off;
+ break;
+ case 2:
+- pos = debug->len - off;
++ pos = debug->len + off;
+ }
+ return (pos < 0 || pos > debug->len) ? -EINVAL : (file->f_pos = pos);
+ }
@@ -4182,7 +4182,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
"slow_ring buffer\n");
goto debug_failed;
@@ -51123,6 +51224,45 @@ index f3190ab..84ffb21 100644
trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
return 0;
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index 3beae6a..8cc5637 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -79,12 +79,20 @@ static int verify_group_input(struct super_block *sb,
+ ext4_fsblk_t end = start + input->blocks_count;
+ ext4_group_t group = input->group;
+ ext4_fsblk_t itend = input->inode_table + sbi->s_itb_per_group;
+- unsigned overhead = ext4_group_overhead_blocks(sb, group);
+- ext4_fsblk_t metaend = start + overhead;
++ unsigned overhead;
++ ext4_fsblk_t metaend;
+ struct buffer_head *bh = NULL;
+ ext4_grpblk_t free_blocks_count, offset;
+ int err = -EINVAL;
+
++ if (group != sbi->s_groups_count) {
++ ext4_warning(sb, "Cannot add at group %u (only %u groups)",
++ input->group, sbi->s_groups_count);
++ return -EINVAL;
++ }
++
++ overhead = ext4_group_overhead_blocks(sb, group);
++ metaend = start + overhead;
+ input->free_blocks_count = free_blocks_count =
+ input->blocks_count - 2 - overhead - sbi->s_itb_per_group;
+
+@@ -96,10 +104,7 @@ static int verify_group_input(struct super_block *sb,
+ free_blocks_count, input->reserved_blocks);
+
+ ext4_get_group_no_and_offset(sb, start, NULL, &offset);
+- if (group != sbi->s_groups_count)
+- ext4_warning(sb, "Cannot add at group %u (only %u groups)",
+- input->group, sbi->s_groups_count);
+- else if (offset != 0)
++ if (offset != 0)
+ ext4_warning(sb, "Last group not full");
+ else if (input->reserved_blocks > input->blocks_count / 5)
+ ext4_warning(sb, "Reserved blocks too high (%u)",
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index febbe0e..782c4fd 100644
--- a/fs/ext4/super.c
@@ -71468,6 +71608,20 @@ index e8d702e..0a56eb4 100644
int sock_diag_register(const struct sock_diag_handler *h);
void sock_diag_unregister(const struct sock_diag_handler *h);
+diff --git a/include/linux/socket.h b/include/linux/socket.h
+index 2b9f74b..e897bdc 100644
+--- a/include/linux/socket.h
++++ b/include/linux/socket.h
+@@ -321,6 +321,9 @@ extern int put_cmsg(struct msghdr*, int level, int type, int len, void *data);
+
+ struct timespec;
+
++/* The __sys_...msg variants allow MSG_CMSG_COMPAT */
++extern long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags);
++extern long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags);
+ extern int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
+ unsigned int flags, struct timespec *timeout);
+ extern int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg,
diff --git a/include/linux/sonet.h b/include/linux/sonet.h
index 680f9a3..f13aeb0 100644
--- a/include/linux/sonet.h
@@ -74611,7 +74765,7 @@ index 00eb8f7..d7e3244 100644
#ifdef CONFIG_MODULE_UNLOAD
{
diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 9fcb094..8370228 100644
+index 9fcb094..353baaaf 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -154,8 +154,15 @@ static struct srcu_struct pmus_srcu;
@@ -74623,7 +74777,7 @@ index 9fcb094..8370228 100644
-int sysctl_perf_event_paranoid __read_mostly = 1;
+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
+int sysctl_perf_event_legitimately_concerned __read_mostly = 3;
-+#elif CONFIG_GRKERNSEC_HIDESYM
++#elif defined(CONFIG_GRKERNSEC_HIDESYM)
+int sysctl_perf_event_legitimately_concerned __read_mostly = 2;
+#else
+int sysctl_perf_event_legitimately_concerned __read_mostly = 1;
@@ -78324,7 +78478,7 @@ index 02fc5c9..e54c335 100644
mutex_unlock(&smpboot_threads_lock);
put_online_cpus();
diff --git a/kernel/softirq.c b/kernel/softirq.c
-index 14d7758..012121f 100644
+index d93dcb1..1cd8a71 100644
--- a/kernel/softirq.c
+++ b/kernel/softirq.c
@@ -53,11 +53,11 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned;
@@ -78341,7 +78495,7 @@ index 14d7758..012121f 100644
"HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
"TASKLET", "SCHED", "HRTIMER", "RCU"
};
-@@ -244,7 +244,7 @@ restart:
+@@ -250,7 +250,7 @@ restart:
kstat_incr_softirqs_this_cpu(vec_nr);
trace_softirq_entry(vec_nr);
@@ -78350,7 +78504,7 @@ index 14d7758..012121f 100644
trace_softirq_exit(vec_nr);
if (unlikely(prev_count != preempt_count())) {
printk(KERN_ERR "huh, entered softirq %u %s %p"
-@@ -389,7 +389,7 @@ void __raise_softirq_irqoff(unsigned int nr)
+@@ -396,7 +396,7 @@ void __raise_softirq_irqoff(unsigned int nr)
or_softirq_pending(1UL << nr);
}
@@ -78359,7 +78513,7 @@ index 14d7758..012121f 100644
{
softirq_vec[nr].action = action;
}
-@@ -445,7 +445,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t)
+@@ -452,7 +452,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t)
EXPORT_SYMBOL(__tasklet_hi_schedule_first);
@@ -78368,7 +78522,7 @@ index 14d7758..012121f 100644
{
struct tasklet_struct *list;
-@@ -480,7 +480,7 @@ static void tasklet_action(struct softirq_action *a)
+@@ -487,7 +487,7 @@ static void tasklet_action(struct softirq_action *a)
}
}
@@ -78377,7 +78531,7 @@ index 14d7758..012121f 100644
{
struct tasklet_struct *list;
-@@ -716,7 +716,7 @@ static int __cpuinit remote_softirq_cpu_notify(struct notifier_block *self,
+@@ -723,7 +723,7 @@ static int __cpuinit remote_softirq_cpu_notify(struct notifier_block *self,
return NOTIFY_OK;
}
@@ -78386,7 +78540,7 @@ index 14d7758..012121f 100644
.notifier_call = remote_softirq_cpu_notify,
};
-@@ -833,11 +833,11 @@ static int __cpuinit cpu_callback(struct notifier_block *nfb,
+@@ -840,11 +840,11 @@ static int __cpuinit cpu_callback(struct notifier_block *nfb,
return NOTIFY_OK;
}
@@ -78912,7 +79066,7 @@ index 90ad470..1814e9a 100644
tick_broadcast_clear_oneshot(cpu);
} else {
diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
-index 9a0bc98..fceb7d0 100644
+index 183df62..59b1442 100644
--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -15,6 +15,7 @@
@@ -81653,7 +81807,7 @@ index 79b7cf7..9944291 100644
capable(CAP_IPC_LOCK))
ret = do_mlockall(flags);
diff --git a/mm/mmap.c b/mm/mmap.c
-index 0dceed8..671951c 100644
+index 0dceed8..e7cfc40 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -33,6 +33,7 @@
@@ -82402,11 +82556,10 @@ index 0dceed8..671951c 100644
size = vma->vm_end - address;
grow = (vma->vm_start - address) >> PAGE_SHIFT;
-@@ -2184,6 +2492,18 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2184,13 +2492,27 @@ int expand_downwards(struct vm_area_struct *vma,
vma->vm_pgoff -= grow;
anon_vma_interval_tree_post_update_vma(vma);
vma_gap_update(vma);
-+ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
+
+#ifdef CONFIG_PAX_SEGMEXEC
+ if (vma_m) {
@@ -82420,8 +82573,18 @@ index 0dceed8..671951c 100644
+
spin_unlock(&vma->vm_mm->page_table_lock);
++ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
perf_event_mmap(vma);
-@@ -2288,6 +2608,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
+ }
+ }
+ }
+ vma_unlock_anon_vma(vma);
++ if (lockprev)
++ vma_unlock_anon_vma(prev);
+ khugepaged_enter_vma_merge(vma);
+ validate_mm(vma->vm_mm);
+ return error;
+@@ -2288,6 +2610,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
do {
long nrpages = vma_pages(vma);
@@ -82435,7 +82598,7 @@ index 0dceed8..671951c 100644
if (vma->vm_flags & VM_ACCOUNT)
nr_accounted += nrpages;
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
-@@ -2333,6 +2660,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2333,6 +2662,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
insertion_point = (prev ? &prev->vm_next : &mm->mmap);
vma->vm_prev = NULL;
do {
@@ -82452,7 +82615,7 @@ index 0dceed8..671951c 100644
vma_rb_erase(vma, &mm->mm_rb);
mm->map_count--;
tail_vma = vma;
-@@ -2364,14 +2701,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2364,14 +2703,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
struct vm_area_struct *new;
int err = -ENOMEM;
@@ -82486,7 +82649,7 @@ index 0dceed8..671951c 100644
/* most fields are the same, copy all, and then fixup */
*new = *vma;
-@@ -2384,6 +2740,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2384,6 +2742,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
}
@@ -82509,7 +82672,7 @@ index 0dceed8..671951c 100644
pol = mpol_dup(vma_policy(vma));
if (IS_ERR(pol)) {
err = PTR_ERR(pol);
-@@ -2406,6 +2778,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2406,6 +2780,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
else
err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
@@ -82546,7 +82709,7 @@ index 0dceed8..671951c 100644
/* Success. */
if (!err)
return 0;
-@@ -2415,10 +2817,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2415,10 +2819,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
new->vm_ops->close(new);
if (new->vm_file)
fput(new->vm_file);
@@ -82566,7 +82729,7 @@ index 0dceed8..671951c 100644
kmem_cache_free(vm_area_cachep, new);
out_err:
return err;
-@@ -2431,6 +2841,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2431,6 +2843,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
unsigned long addr, int new_below)
{
@@ -82582,7 +82745,7 @@ index 0dceed8..671951c 100644
if (mm->map_count >= sysctl_max_map_count)
return -ENOMEM;
-@@ -2442,11 +2861,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2442,11 +2863,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
* work. This now handles partial unmappings.
* Jeremy Fitzhardinge <jeremy@goop.org>
*/
@@ -82613,7 +82776,7 @@ index 0dceed8..671951c 100644
if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
return -EINVAL;
-@@ -2521,6 +2959,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
+@@ -2521,6 +2961,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
/* Fix up all other VM information */
remove_vma_list(mm, vma);
@@ -82622,7 +82785,7 @@ index 0dceed8..671951c 100644
return 0;
}
-@@ -2529,6 +2969,13 @@ int vm_munmap(unsigned long start, size_t len)
+@@ -2529,6 +2971,13 @@ int vm_munmap(unsigned long start, size_t len)
int ret;
struct mm_struct *mm = current->mm;
@@ -82636,7 +82799,7 @@ index 0dceed8..671951c 100644
down_write(&mm->mmap_sem);
ret = do_munmap(mm, start, len);
up_write(&mm->mmap_sem);
-@@ -2542,16 +2989,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
+@@ -2542,16 +2991,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
return vm_munmap(addr, len);
}
@@ -82653,7 +82816,7 @@ index 0dceed8..671951c 100644
/*
* this is really a simplified "do_mmap". it only handles
* anonymous maps. eventually we may be able to do some
-@@ -2565,6 +3002,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2565,6 +3004,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
struct rb_node ** rb_link, * rb_parent;
pgoff_t pgoff = addr >> PAGE_SHIFT;
int error;
@@ -82661,7 +82824,7 @@ index 0dceed8..671951c 100644
len = PAGE_ALIGN(len);
if (!len)
-@@ -2572,16 +3010,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2572,16 +3012,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
@@ -82693,7 +82856,7 @@ index 0dceed8..671951c 100644
locked += mm->locked_vm;
lock_limit = rlimit(RLIMIT_MEMLOCK);
lock_limit >>= PAGE_SHIFT;
-@@ -2598,21 +3050,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2598,21 +3052,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
/*
* Clear old maps. this also does some error checking for us
*/
@@ -82718,7 +82881,7 @@ index 0dceed8..671951c 100644
return -ENOMEM;
/* Can we just expand an old private anonymous mapping? */
-@@ -2626,7 +3077,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2626,7 +3079,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
*/
vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
if (!vma) {
@@ -82727,7 +82890,7 @@ index 0dceed8..671951c 100644
return -ENOMEM;
}
-@@ -2640,9 +3091,10 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2640,9 +3093,10 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
vma_link(mm, vma, prev, rb_link, rb_parent);
out:
perf_event_mmap(vma);
@@ -82740,7 +82903,7 @@ index 0dceed8..671951c 100644
return addr;
}
-@@ -2704,6 +3156,7 @@ void exit_mmap(struct mm_struct *mm)
+@@ -2704,6 +3158,7 @@ void exit_mmap(struct mm_struct *mm)
while (vma) {
if (vma->vm_flags & VM_ACCOUNT)
nr_accounted += vma_pages(vma);
@@ -82748,7 +82911,7 @@ index 0dceed8..671951c 100644
vma = remove_vma(vma);
}
vm_unacct_memory(nr_accounted);
-@@ -2720,6 +3173,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2720,6 +3175,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
struct vm_area_struct *prev;
struct rb_node **rb_link, *rb_parent;
@@ -82762,7 +82925,7 @@ index 0dceed8..671951c 100644
/*
* The vm_pgoff of a purely anonymous vma should be irrelevant
* until its first write fault, when page's anon_vma and index
-@@ -2743,7 +3203,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2743,7 +3205,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
security_vm_enough_memory_mm(mm, vma_pages(vma)))
return -ENOMEM;
@@ -82784,7 +82947,7 @@ index 0dceed8..671951c 100644
return 0;
}
-@@ -2763,6 +3237,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2763,6 +3239,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
struct mempolicy *pol;
bool faulted_in_anon_vma = true;
@@ -82793,7 +82956,7 @@ index 0dceed8..671951c 100644
/*
* If anonymous vma has not yet been faulted, update new pgoff
* to match new location, to increase its chance of merging.
-@@ -2829,6 +3305,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2829,6 +3307,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
return NULL;
}
@@ -82833,7 +82996,7 @@ index 0dceed8..671951c 100644
/*
* Return true if the calling process may expand its vm space by the passed
* number of pages
-@@ -2840,6 +3349,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
+@@ -2840,6 +3351,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
@@ -82841,7 +83004,7 @@ index 0dceed8..671951c 100644
if (cur + npages > lim)
return 0;
return 1;
-@@ -2910,6 +3420,22 @@ int install_special_mapping(struct mm_struct *mm,
+@@ -2910,6 +3422,22 @@ int install_special_mapping(struct mm_struct *mm,
vma->vm_start = addr;
vma->vm_end = addr + len;
@@ -85239,7 +85402,7 @@ index 6a93614..1415549 100644
err = -EFAULT;
break;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
-index 7c7e932..7a7815d 100644
+index 7c7e932..8d23158 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3395,8 +3395,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
@@ -85255,6 +85418,223 @@ index 7c7e932..7a7815d 100644
if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
rfc.mode != chan->mode)
+@@ -3568,10 +3570,14 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
+ }
+
+ static inline int l2cap_command_rej(struct l2cap_conn *conn,
+- struct l2cap_cmd_hdr *cmd, u8 *data)
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
+
++ if (cmd_len < sizeof(*rej))
++ return -EPROTO;
++
+ if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
+ return 0;
+
+@@ -3720,11 +3726,14 @@ sendresp:
+ }
+
+ static int l2cap_connect_req(struct l2cap_conn *conn,
+- struct l2cap_cmd_hdr *cmd, u8 *data)
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
+ {
+ struct hci_dev *hdev = conn->hcon->hdev;
+ struct hci_conn *hcon = conn->hcon;
+
++ if (cmd_len < sizeof(struct l2cap_conn_req))
++ return -EPROTO;
++
+ hci_dev_lock(hdev);
+ if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
+ !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
+@@ -3738,7 +3747,8 @@ static int l2cap_connect_req(struct l2cap_conn *conn,
+ }
+
+ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
+- struct l2cap_cmd_hdr *cmd, u8 *data)
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
+ u16 scid, dcid, result, status;
+@@ -3746,6 +3756,9 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
+ u8 req[128];
+ int err;
+
++ if (cmd_len < sizeof(*rsp))
++ return -EPROTO;
++
+ scid = __le16_to_cpu(rsp->scid);
+ dcid = __le16_to_cpu(rsp->dcid);
+ result = __le16_to_cpu(rsp->result);
+@@ -3843,6 +3856,9 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
+ struct l2cap_chan *chan;
+ int len, err = 0;
+
++ if (cmd_len < sizeof(*req))
++ return -EPROTO;
++
+ dcid = __le16_to_cpu(req->dcid);
+ flags = __le16_to_cpu(req->flags);
+
+@@ -3866,7 +3882,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
+
+ /* Reject if config buffer is too small. */
+ len = cmd_len - sizeof(*req);
+- if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
++ if (chan->conf_len + len > sizeof(chan->conf_req)) {
+ l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+ l2cap_build_conf_rsp(chan, rsp,
+ L2CAP_CONF_REJECT, flags), rsp);
+@@ -3944,14 +3960,18 @@ unlock:
+ }
+
+ static inline int l2cap_config_rsp(struct l2cap_conn *conn,
+- struct l2cap_cmd_hdr *cmd, u8 *data)
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
+ u16 scid, flags, result;
+ struct l2cap_chan *chan;
+- int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
++ int len = cmd_len - sizeof(*rsp);
+ int err = 0;
+
++ if (cmd_len < sizeof(*rsp))
++ return -EPROTO;
++
+ scid = __le16_to_cpu(rsp->scid);
+ flags = __le16_to_cpu(rsp->flags);
+ result = __le16_to_cpu(rsp->result);
+@@ -4052,7 +4072,8 @@ done:
+ }
+
+ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
+- struct l2cap_cmd_hdr *cmd, u8 *data)
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
+ struct l2cap_disconn_rsp rsp;
+@@ -4060,6 +4081,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
+ struct l2cap_chan *chan;
+ struct sock *sk;
+
++ if (cmd_len != sizeof(*req))
++ return -EPROTO;
++
+ scid = __le16_to_cpu(req->scid);
+ dcid = __le16_to_cpu(req->dcid);
+
+@@ -4099,12 +4123,16 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
+ }
+
+ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
+- struct l2cap_cmd_hdr *cmd, u8 *data)
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
+ u16 dcid, scid;
+ struct l2cap_chan *chan;
+
++ if (cmd_len != sizeof(*rsp))
++ return -EPROTO;
++
+ scid = __le16_to_cpu(rsp->scid);
+ dcid = __le16_to_cpu(rsp->dcid);
+
+@@ -4134,11 +4162,15 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
+ }
+
+ static inline int l2cap_information_req(struct l2cap_conn *conn,
+- struct l2cap_cmd_hdr *cmd, u8 *data)
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_info_req *req = (struct l2cap_info_req *) data;
+ u16 type;
+
++ if (cmd_len != sizeof(*req))
++ return -EPROTO;
++
+ type = __le16_to_cpu(req->type);
+
+ BT_DBG("type 0x%4.4x", type);
+@@ -4185,11 +4217,15 @@ static inline int l2cap_information_req(struct l2cap_conn *conn,
+ }
+
+ static inline int l2cap_information_rsp(struct l2cap_conn *conn,
+- struct l2cap_cmd_hdr *cmd, u8 *data)
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
+ u16 type, result;
+
++ if (cmd_len != sizeof(*rsp))
++ return -EPROTO;
++
+ type = __le16_to_cpu(rsp->type);
+ result = __le16_to_cpu(rsp->result);
+
+@@ -5055,16 +5091,16 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
+
+ switch (cmd->code) {
+ case L2CAP_COMMAND_REJ:
+- l2cap_command_rej(conn, cmd, data);
++ l2cap_command_rej(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_CONN_REQ:
+- err = l2cap_connect_req(conn, cmd, data);
++ err = l2cap_connect_req(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_CONN_RSP:
+ case L2CAP_CREATE_CHAN_RSP:
+- err = l2cap_connect_create_rsp(conn, cmd, data);
++ err = l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_CONF_REQ:
+@@ -5072,15 +5108,15 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
+ break;
+
+ case L2CAP_CONF_RSP:
+- err = l2cap_config_rsp(conn, cmd, data);
++ err = l2cap_config_rsp(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_DISCONN_REQ:
+- err = l2cap_disconnect_req(conn, cmd, data);
++ err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_DISCONN_RSP:
+- err = l2cap_disconnect_rsp(conn, cmd, data);
++ err = l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_ECHO_REQ:
+@@ -5091,11 +5127,11 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
+ break;
+
+ case L2CAP_INFO_REQ:
+- err = l2cap_information_req(conn, cmd, data);
++ err = l2cap_information_req(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_INFO_RSP:
+- err = l2cap_information_rsp(conn, cmd, data);
++ err = l2cap_information_rsp(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_CREATE_CHAN_REQ:
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 1bcfb84..dad9f98 100644
--- a/net/bluetooth/l2cap_sock.c
@@ -85486,7 +85866,7 @@ index 117814a..ad4fb73 100644
if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) {
diff --git a/net/compat.c b/net/compat.c
-index 79ae884..17c5c09 100644
+index 79ae884..0541331 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
@@ -85616,7 +85996,45 @@ index 79ae884..17c5c09 100644
struct group_filter __user *kgf;
int __user *koptlen;
u32 interface, fmode, numsrc;
-@@ -796,7 +796,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
+@@ -734,19 +734,25 @@ static unsigned char nas[21] = {
+
+ asmlinkage long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
+ {
+- return sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
++ if (flags & MSG_CMSG_COMPAT)
++ return -EINVAL;
++ return __sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
+ }
+
+ asmlinkage long compat_sys_sendmmsg(int fd, struct compat_mmsghdr __user *mmsg,
+ unsigned int vlen, unsigned int flags)
+ {
++ if (flags & MSG_CMSG_COMPAT)
++ return -EINVAL;
+ return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+ flags | MSG_CMSG_COMPAT);
+ }
+
+ asmlinkage long compat_sys_recvmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
+ {
+- return sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
++ if (flags & MSG_CMSG_COMPAT)
++ return -EINVAL;
++ return __sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
+ }
+
+ asmlinkage long compat_sys_recv(int fd, void __user *buf, size_t len, unsigned int flags)
+@@ -768,6 +774,9 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
+ int datagrams;
+ struct timespec ktspec;
+
++ if (flags & MSG_CMSG_COMPAT)
++ return -EINVAL;
++
+ if (COMPAT_USE_64BIT_TIME)
+ return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+ flags | MSG_CMSG_COMPAT,
+@@ -796,7 +805,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
if (call < SYS_SOCKET || call > SYS_SENDMMSG)
return -EINVAL;
@@ -86559,7 +86977,7 @@ index d9c4f11..02b82dbc 100644
msg.msg_flags = flags;
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
-index c3a4233..1412161 100644
+index c3a4233..7df5626 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -47,7 +47,7 @@
@@ -86571,7 +86989,17 @@ index c3a4233..1412161 100644
static int vti_net_id __read_mostly;
struct vti_net {
-@@ -886,7 +886,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = {
+@@ -399,8 +399,7 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
+ tunnel->err_count = 0;
+ }
+
+- IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
+- IPSKB_REROUTED);
++ memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+ skb_dst_drop(skb);
+ skb_dst_set(skb, &rt->dst);
+ nf_reset(skb);
+@@ -886,7 +885,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = {
[IFLA_VTI_REMOTE] = { .len = FIELD_SIZEOF(struct iphdr, daddr) },
};
@@ -88040,6 +88468,33 @@ index 5b1e5af..2358147 100644
} while (!res);
return res;
}
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 637a341..8dec687 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -346,19 +346,19 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
+ skb_put(skb, 2);
+
+ /* Copy user data into skb */
+- error = memcpy_fromiovec(skb->data, m->msg_iov, total_len);
++ error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov,
++ total_len);
+ if (error < 0) {
+ kfree_skb(skb);
+ goto error_put_sess_tun;
+ }
+- skb_put(skb, total_len);
+
+ l2tp_xmit_skb(session, skb, session->hdr_len);
+
+ sock_put(ps->tunnel_sock);
+ sock_put(sk);
+
+- return error;
++ return total_len;
+
+ error_put_sess_tun:
+ sock_put(ps->tunnel_sock);
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 843d8c4..cb04fa1 100644
--- a/net/mac80211/cfg.c
@@ -88344,7 +88799,7 @@ index 61f49d2..6c8c5bc 100644
if (ipvs->sync_state & IP_VS_STATE_MASTER)
ip_vs_sync_conn(net, cp, pkts);
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
-index 9e2d1cc..7f8f569 100644
+index 9e2d1cc..6ed0748 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -787,7 +787,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
@@ -88383,7 +88838,14 @@ index 9e2d1cc..7f8f569 100644
atomic_read(&dest->weight),
atomic_read(&dest->activeconns),
atomic_read(&dest->inactconns));
-@@ -2568,7 +2568,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
+@@ -2562,13 +2562,14 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
+ struct ip_vs_dest *dest;
+ struct ip_vs_dest_entry entry;
+
++ memset(&entry, 0, sizeof(entry));
+ list_for_each_entry(dest, &svc->destinations, n_list) {
+ if (count >= get->num_dests)
+ break;
entry.addr = dest->addr.ip;
entry.port = dest->port;
@@ -88392,7 +88854,7 @@ index 9e2d1cc..7f8f569 100644
entry.weight = atomic_read(&dest->weight);
entry.u_threshold = dest->u_threshold;
entry.l_threshold = dest->l_threshold;
-@@ -3104,7 +3104,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
+@@ -3104,7 +3105,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
if (nla_put(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr) ||
nla_put_u16(skb, IPVS_DEST_ATTR_PORT, dest->port) ||
nla_put_u32(skb, IPVS_DEST_ATTR_FWD_METHOD,
@@ -88401,7 +88863,7 @@ index 9e2d1cc..7f8f569 100644
IP_VS_CONN_F_FWD_MASK)) ||
nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT,
atomic_read(&dest->weight)) ||
-@@ -3694,7 +3694,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
+@@ -3694,7 +3695,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
{
int idx;
struct netns_ipvs *ipvs = net_ipvs(net);
@@ -88847,7 +89309,7 @@ index 103bd70..f21aad3 100644
*uaddr_len = sizeof(struct sockaddr_ax25);
}
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index f83e172..b57140d 100644
+index f83e172..223ffe1 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1571,7 +1571,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
@@ -88887,7 +89349,22 @@ index f83e172..b57140d 100644
msg->msg_flags |= MSG_ERRQUEUE;
err = copied;
-@@ -3205,7 +3207,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -2769,12 +2771,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
+ return -EOPNOTSUPP;
+
+ uaddr->sa_family = AF_PACKET;
++ memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
+ rcu_read_lock();
+ dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
+ if (dev)
+- strncpy(uaddr->sa_data, dev->name, 14);
+- else
+- memset(uaddr->sa_data, 0, 14);
++ strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
+ rcu_read_unlock();
+ *uaddr_len = sizeof(*uaddr);
+
+@@ -3205,7 +3206,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
case PACKET_HDRLEN:
if (len > sizeof(int))
len = sizeof(int);
@@ -88896,7 +89373,7 @@ index f83e172..b57140d 100644
return -EFAULT;
switch (val) {
case TPACKET_V1:
-@@ -3247,7 +3249,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3247,7 +3248,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
len = lv;
if (put_user(len, optlen))
return -EFAULT;
@@ -89432,6 +89909,33 @@ index 391a245..296b3d7 100644
}
/* Initialize IPv6 support and register with socket layer. */
+diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
+index 01dca75..e9426bb 100644
+--- a/net/sctp/outqueue.c
++++ b/net/sctp/outqueue.c
+@@ -206,6 +206,8 @@ static inline int sctp_cacc_skip(struct sctp_transport *primary,
+ */
+ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
+ {
++ memset(q, 0, sizeof(struct sctp_outq));
++
+ q->asoc = asoc;
+ INIT_LIST_HEAD(&q->out_chunk_list);
+ INIT_LIST_HEAD(&q->control_chunk_list);
+@@ -213,13 +215,7 @@ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
+ INIT_LIST_HEAD(&q->sacked);
+ INIT_LIST_HEAD(&q->abandoned);
+
+- q->fast_rtx = 0;
+- q->outstanding_bytes = 0;
+ q->empty = 1;
+- q->cork = 0;
+-
+- q->malloced = 0;
+- q->out_qlen = 0;
+ }
+
+ /* Free the outqueue structure and any related pending chunks.
diff --git a/net/sctp/probe.c b/net/sctp/probe.c
index ad0dba8..e62c225 100644
--- a/net/sctp/probe.c
@@ -89516,7 +90020,7 @@ index 8aab894..f6b7e7d 100644
sctp_generate_t1_cookie_event,
sctp_generate_t1_init_event,
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index b907073..57fef6c 100644
+index b907073..7bea2ca 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -2166,11 +2166,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
@@ -89534,7 +90038,20 @@ index b907073..57fef6c 100644
/*
* At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT,
-@@ -4215,13 +4217,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
+@@ -4002,6 +4004,12 @@ SCTP_STATIC void sctp_destroy_sock(struct sock *sk)
+
+ /* Release our hold on the endpoint. */
+ sp = sctp_sk(sk);
++ /* This could happen during socket init, thus we bail out
++ * early, since the rest of the below is not setup either.
++ */
++ if (sp->ep == NULL)
++ return;
++
+ if (sp->do_auto_asconf) {
+ sp->do_auto_asconf = 0;
+ list_del(&sp->auto_asconf_list);
+@@ -4215,13 +4223,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
int __user *optlen)
{
@@ -89552,7 +90069,7 @@ index b907073..57fef6c 100644
return -EFAULT;
return 0;
}
-@@ -4239,6 +4244,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
+@@ -4239,6 +4250,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
*/
static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen)
{
@@ -89561,7 +90078,7 @@ index b907073..57fef6c 100644
/* Applicable to UDP-style socket only */
if (sctp_style(sk, TCP))
return -EOPNOTSUPP;
-@@ -4247,7 +4254,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
+@@ -4247,7 +4260,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
len = sizeof(int);
if (put_user(len, optlen))
return -EFAULT;
@@ -89571,7 +90088,7 @@ index b907073..57fef6c 100644
return -EFAULT;
return 0;
}
-@@ -4619,12 +4627,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
+@@ -4619,12 +4633,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
*/
static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen)
{
@@ -89588,7 +90105,7 @@ index b907073..57fef6c 100644
return -EFAULT;
return 0;
}
-@@ -4665,6 +4676,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
+@@ -4665,6 +4682,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
if (space_left < addrlen)
return -ENOMEM;
@@ -89620,7 +90137,7 @@ index bf3c6e8..376d8d0 100644
table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL);
diff --git a/net/socket.c b/net/socket.c
-index 88f759a..c6933de 100644
+index 88f759a..74be616 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -88,6 +88,7 @@
@@ -89791,6 +90308,15 @@ index 88f759a..c6933de 100644
int err, err2;
int fput_needed;
+@@ -1978,7 +2040,7 @@ struct used_address {
+ unsigned int name_len;
+ };
+
+-static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
++static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
+ struct msghdr *msg_sys, unsigned int flags,
+ struct used_address *used_address)
+ {
@@ -2045,7 +2107,7 @@ static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
* checking falls down on this.
*/
@@ -89800,7 +90326,83 @@ index 88f759a..c6933de 100644
ctl_len))
goto out_freectl;
msg_sys->msg_control = ctl_buf;
-@@ -2185,7 +2247,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2093,20 +2155,28 @@ out:
+ * BSD sendmsg interface
+ */
+
++long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags)
++{
++ int fput_needed, err;
++ struct msghdr msg_sys;
++ struct socket *sock;
++
++ sock = sockfd_lookup_light(fd, &err, &fput_needed);
++ if (!sock)
++ goto out;
++
++ err = ___sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
++
++ fput_light(sock->file, fput_needed);
++out:
++ return err;
++}
++
+ SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned int, flags)
+ {
+- int fput_needed, err;
+- struct msghdr msg_sys;
+- struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed);
+-
+- if (!sock)
+- goto out;
+-
+- err = __sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
+-
+- fput_light(sock->file, fput_needed);
+-out:
+- return err;
++ if (flags & MSG_CMSG_COMPAT)
++ return -EINVAL;
++ return __sys_sendmsg(fd, msg, flags);
+ }
+
+ /*
+@@ -2139,15 +2209,16 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
+
+ while (datagrams < vlen) {
+ if (MSG_CMSG_COMPAT & flags) {
+- err = __sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
+- &msg_sys, flags, &used_address);
++ err = ___sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
++ &msg_sys, flags, &used_address);
+ if (err < 0)
+ break;
+ err = __put_user(err, &compat_entry->msg_len);
+ ++compat_entry;
+ } else {
+- err = __sys_sendmsg(sock, (struct msghdr __user *)entry,
+- &msg_sys, flags, &used_address);
++ err = ___sys_sendmsg(sock,
++ (struct msghdr __user *)entry,
++ &msg_sys, flags, &used_address);
+ if (err < 0)
+ break;
+ err = put_user(err, &entry->msg_len);
+@@ -2171,10 +2242,12 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
+ SYSCALL_DEFINE4(sendmmsg, int, fd, struct mmsghdr __user *, mmsg,
+ unsigned int, vlen, unsigned int, flags)
+ {
++ if (flags & MSG_CMSG_COMPAT)
++ return -EINVAL;
+ return __sys_sendmmsg(fd, mmsg, vlen, flags);
+ }
+
+-static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
++static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+ struct msghdr *msg_sys, unsigned int flags, int nosec)
+ {
+ struct compat_msghdr __user *msg_compat =
+@@ -2185,7 +2258,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
int err, total_len, len;
/* kernel mode address */
@@ -89809,7 +90411,7 @@ index 88f759a..c6933de 100644
/* user mode address pointers */
struct sockaddr __user *uaddr;
-@@ -2213,7 +2275,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2213,7 +2286,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
* kernel msghdr to use the kernel address space)
*/
@@ -89818,7 +90420,84 @@ index 88f759a..c6933de 100644
uaddr_len = COMPAT_NAMELEN(msg);
if (MSG_CMSG_COMPAT & flags) {
err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE);
-@@ -2952,7 +3014,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
+@@ -2266,21 +2339,29 @@ out:
+ * BSD recvmsg interface
+ */
+
++long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags)
++{
++ int fput_needed, err;
++ struct msghdr msg_sys;
++ struct socket *sock;
++
++ sock = sockfd_lookup_light(fd, &err, &fput_needed);
++ if (!sock)
++ goto out;
++
++ err = ___sys_recvmsg(sock, msg, &msg_sys, flags, 0);
++
++ fput_light(sock->file, fput_needed);
++out:
++ return err;
++}
++
+ SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
+ unsigned int, flags)
+ {
+- int fput_needed, err;
+- struct msghdr msg_sys;
+- struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed);
+-
+- if (!sock)
+- goto out;
+-
+- err = __sys_recvmsg(sock, msg, &msg_sys, flags, 0);
+-
+- fput_light(sock->file, fput_needed);
+-out:
+- return err;
++ if (flags & MSG_CMSG_COMPAT)
++ return -EINVAL;
++ return __sys_recvmsg(fd, msg, flags);
+ }
+
+ /*
+@@ -2320,17 +2401,18 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
+ * No need to ask LSM for more than the first datagram.
+ */
+ if (MSG_CMSG_COMPAT & flags) {
+- err = __sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
+- &msg_sys, flags & ~MSG_WAITFORONE,
+- datagrams);
++ err = ___sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
++ &msg_sys, flags & ~MSG_WAITFORONE,
++ datagrams);
+ if (err < 0)
+ break;
+ err = __put_user(err, &compat_entry->msg_len);
+ ++compat_entry;
+ } else {
+- err = __sys_recvmsg(sock, (struct msghdr __user *)entry,
+- &msg_sys, flags & ~MSG_WAITFORONE,
+- datagrams);
++ err = ___sys_recvmsg(sock,
++ (struct msghdr __user *)entry,
++ &msg_sys, flags & ~MSG_WAITFORONE,
++ datagrams);
+ if (err < 0)
+ break;
+ err = put_user(err, &entry->msg_len);
+@@ -2397,6 +2479,9 @@ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
+ int datagrams;
+ struct timespec timeout_sys;
+
++ if (flags & MSG_CMSG_COMPAT)
++ return -EINVAL;
++
+ if (!timeout)
+ return __sys_recvmmsg(fd, mmsg, vlen, flags, NULL);
+
+@@ -2952,7 +3037,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
err = dev_ioctl(net, cmd,
@@ -89827,7 +90506,7 @@ index 88f759a..c6933de 100644
set_fs(old_fs);
return err;
-@@ -3061,7 +3123,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
+@@ -3061,7 +3146,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -89836,7 +90515,7 @@ index 88f759a..c6933de 100644
set_fs(old_fs);
if (cmd == SIOCGIFMAP && !err) {
-@@ -3166,7 +3228,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
+@@ -3166,7 +3251,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
ret |= __get_user(rtdev, &(ur4->rt_dev));
if (rtdev) {
ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
@@ -89845,7 +90524,7 @@ index 88f759a..c6933de 100644
devname[15] = 0;
} else
r4.rt_dev = NULL;
-@@ -3392,8 +3454,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
+@@ -3392,8 +3477,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
int __user *uoptlen;
int err;
@@ -89856,7 +90535,7 @@ index 88f759a..c6933de 100644
set_fs(KERNEL_DS);
if (level == SOL_SOCKET)
-@@ -3413,7 +3475,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
+@@ -3413,7 +3498,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
char __user *uoptval;
int err;
@@ -91959,6 +92638,272 @@ index e9c6ac7..e6254cf 100644
default 65536
help
This is the portion of low virtual memory which should be protected
+diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
+index 9b9013b..51ebf96 100644
+--- a/security/apparmor/Kconfig
++++ b/security/apparmor/Kconfig
+@@ -29,3 +29,12 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
+ boot.
+
+ If you are unsure how to answer this question, answer 1.
++
++config SECURITY_APPARMOR_COMPAT_24
++ bool "Enable AppArmor 2.4 compatability"
++ depends on SECURITY_APPARMOR
++ default y
++ help
++ This option enables compatability with AppArmor 2.4. It is
++ recommended if compatability with older versions of AppArmor
++ is desired.
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 16c15ec..42b7c9f 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -182,6 +182,234 @@ const struct file_operations aa_fs_seq_file_ops = {
+ .release = single_release,
+ };
+
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++/**
++ * __next_namespace - find the next namespace to list
++ * @root: root namespace to stop search at (NOT NULL)
++ * @ns: current ns position (NOT NULL)
++ *
++ * Find the next namespace from @ns under @root and handle all locking needed
++ * while switching current namespace.
++ *
++ * Returns: next namespace or NULL if at last namespace under @root
++ * NOTE: will not unlock root->lock
++ */
++static struct aa_namespace *__next_namespace(struct aa_namespace *root,
++ struct aa_namespace *ns)
++{
++ struct aa_namespace *parent;
++
++ /* is next namespace a child */
++ if (!list_empty(&ns->sub_ns)) {
++ struct aa_namespace *next;
++ next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
++ read_lock(&next->lock);
++ return next;
++ }
++
++ /* check if the next ns is a sibling, parent, gp, .. */
++ parent = ns->parent;
++ while (parent) {
++ read_unlock(&ns->lock);
++ list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
++ read_lock(&ns->lock);
++ return ns;
++ }
++ if (parent == root)
++ return NULL;
++ ns = parent;
++ parent = parent->parent;
++ }
++
++ return NULL;
++}
++
++/**
++ * __first_profile - find the first profile in a namespace
++ * @root: namespace that is root of profiles being displayed (NOT NULL)
++ * @ns: namespace to start in (NOT NULL)
++ *
++ * Returns: unrefcounted profile or NULL if no profile
++ */
++static struct aa_profile *__first_profile(struct aa_namespace *root,
++ struct aa_namespace *ns)
++{
++ for ( ; ns; ns = __next_namespace(root, ns)) {
++ if (!list_empty(&ns->base.profiles))
++ return list_first_entry(&ns->base.profiles,
++ struct aa_profile, base.list);
++ }
++ return NULL;
++}
++
++/**
++ * __next_profile - step to the next profile in a profile tree
++ * @profile: current profile in tree (NOT NULL)
++ *
++ * Perform a depth first taversal on the profile tree in a namespace
++ *
++ * Returns: next profile or NULL if done
++ * Requires: profile->ns.lock to be held
++ */
++static struct aa_profile *__next_profile(struct aa_profile *p)
++{
++ struct aa_profile *parent;
++ struct aa_namespace *ns = p->ns;
++
++ /* is next profile a child */
++ if (!list_empty(&p->base.profiles))
++ return list_first_entry(&p->base.profiles, typeof(*p),
++ base.list);
++
++ /* is next profile a sibling, parent sibling, gp, subling, .. */
++ parent = p->parent;
++ while (parent) {
++ list_for_each_entry_continue(p, &parent->base.profiles,
++ base.list)
++ return p;
++ p = parent;
++ parent = parent->parent;
++ }
++
++ /* is next another profile in the namespace */
++ list_for_each_entry_continue(p, &ns->base.profiles, base.list)
++ return p;
++
++ return NULL;
++}
++
++/**
++ * next_profile - step to the next profile in where ever it may be
++ * @root: root namespace (NOT NULL)
++ * @profile: current profile (NOT NULL)
++ *
++ * Returns: next profile or NULL if there isn't one
++ */
++static struct aa_profile *next_profile(struct aa_namespace *root,
++ struct aa_profile *profile)
++{
++ struct aa_profile *next = __next_profile(profile);
++ if (next)
++ return next;
++
++ /* finished all profiles in namespace move to next namespace */
++ return __first_profile(root, __next_namespace(root, profile->ns));
++}
++
++/**
++ * p_start - start a depth first traversal of profile tree
++ * @f: seq_file to fill
++ * @pos: current position
++ *
++ * Returns: first profile under current namespace or NULL if none found
++ *
++ * acquires first ns->lock
++ */
++static void *p_start(struct seq_file *f, loff_t *pos)
++ __acquires(root->lock)
++{
++ struct aa_profile *profile = NULL;
++ struct aa_namespace *root = aa_current_profile()->ns;
++ loff_t l = *pos;
++ f->private = aa_get_namespace(root);
++
++
++ /* find the first profile */
++ read_lock(&root->lock);
++ profile = __first_profile(root, root);
++
++ /* skip to position */
++ for (; profile && l > 0; l--)
++ profile = next_profile(root, profile);
++
++ return profile;
++}
++
++/**
++ * p_next - read the next profile entry
++ * @f: seq_file to fill
++ * @p: profile previously returned
++ * @pos: current position
++ *
++ * Returns: next profile after @p or NULL if none
++ *
++ * may acquire/release locks in namespace tree as necessary
++ */
++static void *p_next(struct seq_file *f, void *p, loff_t *pos)
++{
++ struct aa_profile *profile = p;
++ struct aa_namespace *root = f->private;
++ (*pos)++;
++
++ return next_profile(root, profile);
++}
++
++/**
++ * p_stop - stop depth first traversal
++ * @f: seq_file we are filling
++ * @p: the last profile writen
++ *
++ * Release all locking done by p_start/p_next on namespace tree
++ */
++static void p_stop(struct seq_file *f, void *p)
++ __releases(root->lock)
++{
++ struct aa_profile *profile = p;
++ struct aa_namespace *root = f->private, *ns;
++
++ if (profile) {
++ for (ns = profile->ns; ns && ns != root; ns = ns->parent)
++ read_unlock(&ns->lock);
++ }
++ read_unlock(&root->lock);
++ aa_put_namespace(root);
++}
++
++/**
++ * seq_show_profile - show a profile entry
++ * @f: seq_file to file
++ * @p: current position (profile) (NOT NULL)
++ *
++ * Returns: error on failure
++ */
++static int seq_show_profile(struct seq_file *f, void *p)
++{
++ struct aa_profile *profile = (struct aa_profile *)p;
++ struct aa_namespace *root = f->private;
++
++ if (profile->ns != root)
++ seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
++ seq_printf(f, "%s (%s)\n", profile->base.hname,
++ COMPLAIN_MODE(profile) ? "complain" : "enforce");
++
++ return 0;
++}
++
++static const struct seq_operations aa_fs_profiles_op = {
++ .start = p_start,
++ .next = p_next,
++ .stop = p_stop,
++ .show = seq_show_profile,
++};
++
++static int profiles_open(struct inode *inode, struct file *file)
++{
++ return seq_open(file, &aa_fs_profiles_op);
++}
++
++static int profiles_release(struct inode *inode, struct file *file)
++{
++ return seq_release(inode, file);
++}
++
++const struct file_operations aa_fs_profiles_fops = {
++ .open = profiles_open,
++ .read = seq_read,
++ .llseek = seq_lseek,
++ .release = profiles_release,
++};
++#endif /* CONFIG_SECURITY_APPARMOR_COMPAT_24 */
++
+ /** Base file system setup **/
+
+ static struct aa_fs_entry aa_fs_entry_file[] = {
+@@ -210,6 +438,9 @@ static struct aa_fs_entry aa_fs_entry_apparmor[] = {
+ AA_FS_FILE_FOPS(".load", 0640, &aa_fs_profile_load),
+ AA_FS_FILE_FOPS(".replace", 0640, &aa_fs_profile_replace),
+ AA_FS_FILE_FOPS(".remove", 0640, &aa_fs_profile_remove),
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++ AA_FS_FILE_FOPS("profiles", 0640, &aa_fs_profiles_fops),
++#endif
+ AA_FS_DIR("features", aa_fs_entry_features),
+ { }
+ };
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index b21830e..a7d1a17 100644
--- a/security/apparmor/lsm.c
diff --git a/3.9.5/4425_grsec_remove_EI_PAX.patch b/3.9.6/4425_grsec_remove_EI_PAX.patch
similarity index 100%
rename from 3.9.5/4425_grsec_remove_EI_PAX.patch
rename to 3.9.6/4425_grsec_remove_EI_PAX.patch
diff --git a/3.9.5/4427_force_XATTR_PAX_tmpfs.patch b/3.9.6/4427_force_XATTR_PAX_tmpfs.patch
similarity index 100%
rename from 3.9.5/4427_force_XATTR_PAX_tmpfs.patch
rename to 3.9.6/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.9.5/4430_grsec-remove-localversion-grsec.patch b/3.9.6/4430_grsec-remove-localversion-grsec.patch
similarity index 100%
rename from 3.9.5/4430_grsec-remove-localversion-grsec.patch
rename to 3.9.6/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.9.5/4435_grsec-mute-warnings.patch b/3.9.6/4435_grsec-mute-warnings.patch
similarity index 100%
rename from 3.9.5/4435_grsec-mute-warnings.patch
rename to 3.9.6/4435_grsec-mute-warnings.patch
diff --git a/3.9.5/4440_grsec-remove-protected-paths.patch b/3.9.6/4440_grsec-remove-protected-paths.patch
similarity index 100%
rename from 3.9.5/4440_grsec-remove-protected-paths.patch
rename to 3.9.6/4440_grsec-remove-protected-paths.patch
diff --git a/3.9.5/4450_grsec-kconfig-default-gids.patch b/3.9.6/4450_grsec-kconfig-default-gids.patch
similarity index 100%
rename from 3.9.5/4450_grsec-kconfig-default-gids.patch
rename to 3.9.6/4450_grsec-kconfig-default-gids.patch
diff --git a/3.9.5/4465_selinux-avc_audit-log-curr_ip.patch b/3.9.6/4465_selinux-avc_audit-log-curr_ip.patch
similarity index 100%
rename from 3.9.5/4465_selinux-avc_audit-log-curr_ip.patch
rename to 3.9.6/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.9.5/4470_disable-compat_vdso.patch b/3.9.6/4470_disable-compat_vdso.patch
similarity index 100%
rename from 3.9.5/4470_disable-compat_vdso.patch
rename to 3.9.6/4470_disable-compat_vdso.patch
diff --git a/3.9.5/4475_emutramp_default_on.patch b/3.9.6/4475_emutramp_default_on.patch
similarity index 100%
rename from 3.9.5/4475_emutramp_default_on.patch
rename to 3.9.6/4475_emutramp_default_on.patch
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2013-06-21 0:40 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-06-21 0:40 [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.32/, 3.2.46/, 3.9.6/, 3.9.5/, 3.2.47/ Anthony G. Basile
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox