* [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.32/, 3.12.4/, 3.2.53/, 3.12.2/
@ 2013-12-09 14:51 Anthony G. Basile
0 siblings, 0 replies; only message in thread
From: Anthony G. Basile @ 2013-12-09 14:51 UTC (permalink / raw
To: gentoo-commits
commit: f5f76b7f471550ff8e1e5a46eb619cd1b0cbacfb
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Mon Dec 9 14:50:52 2013 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Mon Dec 9 14:50:52 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=f5f76b7f
Grsec/PaX: 3.0-{2.6.32,3.2.53,3.12.4}-20131208
---
2.6.32/0000_README | 2 +-
..._grsecurity-2.9.1-2.6.32.61-201312081751.patch} | 170 +-
{3.12.2 => 3.12.4}/0000_README | 6 +-
3.12.4/1003_linux-3.12.4.patch | 4725 ++++++++++++++++++++
.../4420_grsecurity-3.0-3.12.4-201312081754.patch | 1369 +++---
{3.12.2 => 3.12.4}/4425_grsec_remove_EI_PAX.patch | 0
.../4427_force_XATTR_PAX_tmpfs.patch | 0
.../4430_grsec-remove-localversion-grsec.patch | 0
{3.12.2 => 3.12.4}/4435_grsec-mute-warnings.patch | 0
.../4440_grsec-remove-protected-paths.patch | 0
.../4450_grsec-kconfig-default-gids.patch | 0
.../4465_selinux-avc_audit-log-curr_ip.patch | 0
{3.12.2 => 3.12.4}/4470_disable-compat_vdso.patch | 0
{3.12.2 => 3.12.4}/4475_emutramp_default_on.patch | 0
3.2.53/0000_README | 2 +-
... 4420_grsecurity-3.0-3.2.53-201312081752.patch} | 169 +-
16 files changed, 5777 insertions(+), 666 deletions(-)
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 64b8c05..4b248e1 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -38,7 +38,7 @@ Patch: 1060_linux-2.6.32.61.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.61
-Patch: 4420_grsecurity-2.9.1-2.6.32.61-201311142108.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.61-201312081751.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201311142108.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312081751.patch
similarity index 99%
rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201311142108.patch
rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312081751.patch
index 4a32c2e..cabb1eb 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201311142108.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312081751.patch
@@ -2478,6 +2478,19 @@ index 8840a69..cdb63d9 100644
#define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
#define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
#define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
+diff --git a/arch/ia64/include/asm/processor.h b/arch/ia64/include/asm/processor.h
+index 3eaeedf..0530962 100644
+--- a/arch/ia64/include/asm/processor.h
++++ b/arch/ia64/include/asm/processor.h
+@@ -361,7 +361,7 @@ struct thread_struct {
+ regs->loadrs = 0; \
+ regs->r8 = get_dumpable(current->mm); /* set "don't zap registers" flag */ \
+ regs->r12 = new_sp - 16; /* allocate 16 byte scratch area */ \
+- if (unlikely(!get_dumpable(current->mm))) { \
++ if (unlikely(get_dumpable(current->mm) != SUID_DUMP_USER)) { \
+ /* \
+ * Zap scratch regs to avoid leaking bits between processes with different \
+ * uid/privileges. \
diff --git a/arch/ia64/include/asm/spinlock.h b/arch/ia64/include/asm/spinlock.h
index 239ecdc..f94170e 100644
--- a/arch/ia64/include/asm/spinlock.h
@@ -63725,6 +63738,19 @@ index 46db5c5..37c1536 100644
err = platform_driver_register(&sk_isa_driver);
if (err)
+diff --git a/drivers/net/tokenring/tms380tr.c b/drivers/net/tokenring/tms380tr.c
+index fa15214..ebecd45 100644
+--- a/drivers/net/tokenring/tms380tr.c
++++ b/drivers/net/tokenring/tms380tr.c
+@@ -1248,7 +1248,7 @@ void tms380tr_wait(unsigned long time)
+ tmp = schedule_timeout_interruptible(tmp);
+ } while(time_after(tmp, jiffies));
+ #else
+- udelay(time);
++ mdelay(time / 1000);
+ #endif
+ return;
+ }
diff --git a/drivers/net/tulip/de2104x.c b/drivers/net/tulip/de2104x.c
index 74e5ba4..5cf6bc9 100644
--- a/drivers/net/tulip/de2104x.c
@@ -64510,7 +64536,7 @@ index 1465379..fe4d78b 100644
return 0;
if (count < sizeof(buf))
diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c
-index 893a55c..7f66a50 100644
+index 893a55c..48f2a7a 100644
--- a/drivers/net/wireless/libertas/debugfs.c
+++ b/drivers/net/wireless/libertas/debugfs.c
@@ -708,7 +708,7 @@ out_unlock:
@@ -64522,6 +64548,26 @@ index 893a55c..7f66a50 100644
};
static const struct lbs_debugfs_files debugfs_files[] = {
+@@ -925,7 +925,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
+ char *p2;
+ struct debug_data *d = (struct debug_data *)f->private_data;
+
+- pdata = kmalloc(cnt, GFP_KERNEL);
++ if (cnt == 0)
++ return 0;
++
++ pdata = kmalloc(cnt + 1, GFP_KERNEL);
+ if (pdata == NULL)
+ return 0;
+
+@@ -934,6 +937,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
+ kfree(pdata);
+ return 0;
+ }
++ pdata[cnt] = '\0';
+
+ p0 = pdata;
+ for (i = 0; i < num_of_items; i++) {
diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
index 2ecbedb..42704f0 100644
--- a/drivers/net/wireless/rndis_wlan.c
@@ -67884,7 +67930,7 @@ index 3ad61db..c938975 100644
obj-$(CONFIG_ARM) += arm/
diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
-index a5b8e7b..a6a0e43 100644
+index a5b8e7b..ec62be5 100644
--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -481,6 +481,7 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
@@ -67895,6 +67941,16 @@ index a5b8e7b..a6a0e43 100644
if (dev->in_reset) {
dprintk((KERN_DEBUG"aacraid: send raw srb -EBUSY\n"));
+@@ -507,7 +508,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
+ goto cleanup;
+ }
+
+- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) {
++ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) ||
++ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) {
+ rcode = -EINVAL;
+ goto cleanup;
+ }
diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
index 9b97c3e..f099725 100644
--- a/drivers/scsi/aacraid/linit.c
@@ -71456,7 +71512,7 @@ index 56eb6cc..fabe98a 100644
return 0;
diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
-index e941367..d73efa7 100644
+index e941367..deb21b5 100644
--- a/drivers/uio/uio.c
+++ b/drivers/uio/uio.c
@@ -23,6 +23,7 @@
@@ -71581,17 +71637,21 @@ index e941367..d73efa7 100644
}
static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
-@@ -669,16 +672,25 @@ static int uio_mmap_physical(struct vm_area_struct *vma)
+@@ -669,16 +672,30 @@ static int uio_mmap_physical(struct vm_area_struct *vma)
{
struct uio_device *idev = vma->vm_private_data;
int mi = uio_find_mem_index(vma);
+ struct uio_mem *mem;
if (mi < 0)
return -EINVAL;
--
-- vma->vm_flags |= VM_IO | VM_RESERVED;
+ mem = idev->info->mem + mi;
+- vma->vm_flags |= VM_IO | VM_RESERVED;
++ if (mem->addr & ~PAGE_MASK)
++ return -ENODEV;
++ if (vma->vm_end - vma->vm_start > mem->size)
++ return -EINVAL;
+
vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
+ /*
@@ -71610,7 +71670,7 @@ index e941367..d73efa7 100644
vma->vm_end - vma->vm_start,
vma->vm_page_prot);
}
-@@ -840,7 +852,7 @@ int __uio_register_device(struct module *owner,
+@@ -840,7 +857,7 @@ int __uio_register_device(struct module *owner,
idev->owner = owner;
idev->info = info;
init_waitqueue_head(&idev->wait);
@@ -85737,7 +85797,7 @@ index c6ad7c7..f2847a7 100644
struct posix_acl *acl;
struct posix_acl_entry *acl_e;
diff --git a/fs/xfs/linux-2.6/xfs_ioctl.c b/fs/xfs/linux-2.6/xfs_ioctl.c
-index 942362f..88f96f5 100644
+index 942362f..c34007f 100644
--- a/fs/xfs/linux-2.6/xfs_ioctl.c
+++ b/fs/xfs/linux-2.6/xfs_ioctl.c
@@ -134,7 +134,7 @@ xfs_find_handle(
@@ -85749,7 +85809,17 @@ index 942362f..88f96f5 100644
copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
goto out_put;
-@@ -423,7 +423,7 @@ xfs_attrlist_by_handle(
+@@ -410,7 +410,8 @@ xfs_attrlist_by_handle(
+ return -XFS_ERROR(EPERM);
+ if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
+ return -XFS_ERROR(EFAULT);
+- if (al_hreq.buflen > XATTR_LIST_MAX)
++ if (al_hreq.buflen < sizeof(struct attrlist) ||
++ al_hreq.buflen > XATTR_LIST_MAX)
+ return -XFS_ERROR(EINVAL);
+
+ /*
+@@ -423,7 +424,7 @@ xfs_attrlist_by_handle(
if (IS_ERR(dentry))
return PTR_ERR(dentry);
@@ -85758,7 +85828,7 @@ index 942362f..88f96f5 100644
if (!kbuf)
goto out_dput;
-@@ -697,7 +697,7 @@ xfs_ioc_fsgeometry_v1(
+@@ -697,7 +698,7 @@ xfs_ioc_fsgeometry_v1(
xfs_mount_t *mp,
void __user *arg)
{
@@ -85768,7 +85838,7 @@ index 942362f..88f96f5 100644
error = xfs_fs_geometry(mp, &fsgeo, 3);
diff --git a/fs/xfs/linux-2.6/xfs_ioctl32.c b/fs/xfs/linux-2.6/xfs_ioctl32.c
-index bad485a..479bd32 100644
+index bad485a..93cf913 100644
--- a/fs/xfs/linux-2.6/xfs_ioctl32.c
+++ b/fs/xfs/linux-2.6/xfs_ioctl32.c
@@ -75,6 +75,7 @@ xfs_compat_ioc_fsgeometry_v1(
@@ -85779,6 +85849,16 @@ index bad485a..479bd32 100644
error = xfs_fs_geometry(mp, &fsgeo, 3);
if (error)
return -error;
+@@ -361,7 +362,8 @@ xfs_compat_attrlist_by_handle(
+ if (copy_from_user(&al_hreq, arg,
+ sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
+ return -XFS_ERROR(EFAULT);
+- if (al_hreq.buflen > XATTR_LIST_MAX)
++ if (al_hreq.buflen < sizeof(struct attrlist) ||
++ al_hreq.buflen > XATTR_LIST_MAX)
+ return -XFS_ERROR(EINVAL);
+
+ /*
diff --git a/fs/xfs/linux-2.6/xfs_iops.c b/fs/xfs/linux-2.6/xfs_iops.c
index 1f3b4b8..6102f6d 100644
--- a/fs/xfs/linux-2.6/xfs_iops.c
@@ -93236,7 +93316,7 @@ index 0000000..bc0be01
+}
diff --git a/grsecurity/grsec_chroot.c b/grsecurity/grsec_chroot.c
new file mode 100644
-index 0000000..bc7b363
+index 0000000..bc7b3635
--- /dev/null
+++ b/grsecurity/grsec_chroot.c
@@ -0,0 +1,388 @@
@@ -95225,10 +95305,10 @@ index 0000000..78f8733
+}
diff --git a/grsecurity/grsec_sig.c b/grsecurity/grsec_sig.c
new file mode 100644
-index 0000000..d9d6bac
+index 0000000..1571426
--- /dev/null
+++ b/grsecurity/grsec_sig.c
-@@ -0,0 +1,243 @@
+@@ -0,0 +1,244 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/delay.h>
@@ -95337,8 +95417,9 @@ index 0000000..d9d6bac
+ } else {
+ const struct cred *cred = __task_cred(p), *cred2;
+ struct task_struct *tsk, *tsk2;
++ int dumpable = __get_dumpable(mm_flags);
+
-+ if (!__get_dumpable(mm_flags) && cred->uid) {
++ if (dumpable != SUID_DUMP_USER && cred->uid) {
+ struct user_struct *user;
+
+ uid = cred->uid;
@@ -97445,7 +97526,7 @@ index 0f5f578..8c4f884 100644
extern void backlight_force_update(struct backlight_device *bd,
enum backlight_update_reason reason);
diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
-index 9ffffec..2c35c79 100644
+index 9ffffec..34819e4 100644
--- a/include/linux/binfmts.h
+++ b/include/linux/binfmts.h
@@ -18,7 +18,7 @@ struct pt_regs;
@@ -97473,6 +97554,16 @@ index 9ffffec..2c35c79 100644
unsigned long min_coredump; /* minimal dump size */
int hasvdso;
};
+@@ -107,9 +109,6 @@ extern int flush_old_exec(struct linux_binprm * bprm);
+ extern void setup_new_exec(struct linux_binprm * bprm);
+
+ extern int suid_dumpable;
+-#define SUID_DUMP_DISABLE 0 /* No setuid dumping */
+-#define SUID_DUMP_USER 1 /* Dump as user of process */
+-#define SUID_DUMP_ROOT 2 /* Dump as root */
+
+ /* Stack area protections */
+ #define EXSTACK_DEFAULT 0 /* Whatever the arch defaults to */
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
index ec9c10b..dc26428 100644
--- a/include/linux/blkdev.h
@@ -101368,7 +101459,7 @@ index 14a86bc..17d0700 100644
/*
* CONFIG_RELAY kernel API, kernel/relay.c
diff --git a/include/linux/sched.h b/include/linux/sched.h
-index 73c3b9b..a320221 100644
+index 73c3b9b..3bdf669 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -101,6 +101,7 @@ struct bio;
@@ -101410,7 +101501,18 @@ index 73c3b9b..a320221 100644
extern unsigned long
arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
unsigned long, unsigned long);
-@@ -666,7 +679,20 @@ struct signal_struct {
+@@ -442,6 +455,10 @@ static inline unsigned long get_mm_hiwater_vm(struct mm_struct *mm)
+ extern void set_dumpable(struct mm_struct *mm, int value);
+ extern int get_dumpable(struct mm_struct *mm);
+
++#define SUID_DUMP_DISABLE 0 /* No setuid dumping */
++#define SUID_DUMP_USER 1 /* Dump as user of process */
++#define SUID_DUMP_ROOT 2 /* Dump as root */
++
+ /* mm flags */
+ /* dumpable bits */
+ #define MMF_DUMPABLE 0 /* core dump is permitted */
+@@ -666,7 +683,20 @@ struct signal_struct {
struct tty_audit_buf *tty_audit_buf;
#endif
@@ -101431,7 +101533,7 @@ index 73c3b9b..a320221 100644
};
/* Context switch must be unlocked if interrupts are to be enabled */
-@@ -723,6 +749,14 @@ struct user_struct {
+@@ -723,6 +753,14 @@ struct user_struct {
struct key *session_keyring; /* UID's default session keyring */
#endif
@@ -101446,7 +101548,7 @@ index 73c3b9b..a320221 100644
/* Hash table maintenance information */
struct hlist_node uidhash_node;
uid_t uid;
-@@ -1328,8 +1362,8 @@ struct task_struct {
+@@ -1328,8 +1366,8 @@ struct task_struct {
struct list_head thread_group;
struct completion *vfork_done; /* for vfork() */
@@ -101457,7 +101559,7 @@ index 73c3b9b..a320221 100644
cputime_t utime, stime, utimescaled, stimescaled;
cputime_t gtime;
-@@ -1343,16 +1377,6 @@ struct task_struct {
+@@ -1343,16 +1381,6 @@ struct task_struct {
struct task_cputime cputime_expires;
struct list_head cpu_timers[3];
@@ -101474,7 +101576,7 @@ index 73c3b9b..a320221 100644
char comm[TASK_COMM_LEN]; /* executable name excluding path
- access with [gs]et_task_comm (which lock
it with task_lock())
-@@ -1369,6 +1393,10 @@ struct task_struct {
+@@ -1369,6 +1397,10 @@ struct task_struct {
#endif
/* CPU-specific state of this task */
struct thread_struct thread;
@@ -101485,7 +101587,7 @@ index 73c3b9b..a320221 100644
/* filesystem information */
struct fs_struct *fs;
/* open file information */
-@@ -1436,6 +1464,12 @@ struct task_struct {
+@@ -1436,6 +1468,12 @@ struct task_struct {
int hardirq_context;
int softirq_context;
#endif
@@ -101498,7 +101600,7 @@ index 73c3b9b..a320221 100644
#ifdef CONFIG_LOCKDEP
# define MAX_LOCK_DEPTH 48UL
u64 curr_chain_key;
-@@ -1456,6 +1490,9 @@ struct task_struct {
+@@ -1456,6 +1494,9 @@ struct task_struct {
struct backing_dev_info *backing_dev_info;
@@ -101508,7 +101610,7 @@ index 73c3b9b..a320221 100644
struct io_context *io_context;
unsigned long ptrace_message;
-@@ -1519,6 +1556,28 @@ struct task_struct {
+@@ -1519,6 +1560,28 @@ struct task_struct {
unsigned long default_timer_slack_ns;
struct list_head *scm_work_list;
@@ -101537,7 +101639,7 @@ index 73c3b9b..a320221 100644
#ifdef CONFIG_FUNCTION_GRAPH_TRACER
/* Index of current stored adress in ret_stack */
int curr_ret_stack;
-@@ -1542,6 +1601,56 @@ struct task_struct {
+@@ -1542,6 +1605,56 @@ struct task_struct {
#endif /* CONFIG_TRACING */
};
@@ -101594,7 +101696,7 @@ index 73c3b9b..a320221 100644
/* Future-safe accessor for struct task_struct's cpus_allowed. */
#define tsk_cpumask(tsk) (&(tsk)->cpus_allowed)
-@@ -1740,7 +1849,7 @@ extern void thread_group_times(struct task_struct *p, cputime_t *ut, cputime_t *
+@@ -1740,7 +1853,7 @@ extern void thread_group_times(struct task_struct *p, cputime_t *ut, cputime_t *
#define PF_DUMPCORE 0x00000200 /* dumped core */
#define PF_SIGNALED 0x00000400 /* killed by a signal */
#define PF_MEMALLOC 0x00000800 /* Allocating memory */
@@ -101603,7 +101705,7 @@ index 73c3b9b..a320221 100644
#define PF_USED_MATH 0x00002000 /* if unset the fpu must be initialized before use */
#define PF_FREEZING 0x00004000 /* freeze in progress. do not account to load */
#define PF_NOFREEZE 0x00008000 /* this thread should not be frozen */
-@@ -1978,7 +2087,9 @@ void yield(void);
+@@ -1978,7 +2091,9 @@ void yield(void);
extern struct exec_domain default_exec_domain;
union thread_union {
@@ -101613,7 +101715,7 @@ index 73c3b9b..a320221 100644
unsigned long stack[THREAD_SIZE/sizeof(long)];
};
-@@ -2011,6 +2122,7 @@ extern struct pid_namespace init_pid_ns;
+@@ -2011,6 +2126,7 @@ extern struct pid_namespace init_pid_ns;
*/
extern struct task_struct *find_task_by_vpid(pid_t nr);
@@ -101621,7 +101723,7 @@ index 73c3b9b..a320221 100644
extern struct task_struct *find_task_by_pid_ns(pid_t nr,
struct pid_namespace *ns);
-@@ -2155,7 +2267,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
+@@ -2155,7 +2271,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
extern void exit_itimers(struct signal_struct *);
extern void flush_itimer_signals(void);
@@ -101630,7 +101732,7 @@ index 73c3b9b..a320221 100644
extern void daemonize(const char *, ...);
extern int allow_signal(int);
-@@ -2284,9 +2396,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
+@@ -2284,9 +2400,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
#endif
@@ -101642,7 +101744,7 @@ index 73c3b9b..a320221 100644
return (obj >= stack) && (obj < (stack + THREAD_SIZE));
}
-@@ -2625,6 +2737,23 @@ static inline unsigned long rlimit_max(unsigned int limit)
+@@ -2625,6 +2741,23 @@ static inline unsigned long rlimit_max(unsigned int limit)
return task_rlimit_max(current, limit);
}
@@ -107864,7 +107966,7 @@ index dfadc5b..7f59404 100644
}
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
-index d9c8c47..2617b8c 100644
+index d9c8c47..5186770 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -155,7 +155,8 @@ int ptrace_check_attach(struct task_struct *child, int kill)
@@ -107893,7 +107995,7 @@ index d9c8c47..2617b8c 100644
if (task->mm)
dumpable = get_dumpable(task->mm);
- if (!dumpable && !capable(CAP_SYS_PTRACE))
-+ if (!dumpable &&
++ if (dumpable != SUID_DUMP_USER &&
+ ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
+ (log && !capable(CAP_SYS_PTRACE))))
return -EPERM;
diff --git a/3.12.2/0000_README b/3.12.4/0000_README
similarity index 92%
rename from 3.12.2/0000_README
rename to 3.12.4/0000_README
index ec3c3a9..3cb0775 100644
--- a/3.12.2/0000_README
+++ b/3.12.4/0000_README
@@ -2,7 +2,11 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.12.2-201312032145.patch
+Patch: 1003_linux-3.12.4.patch
+From: http://www.kernel.org
+Desc: Linux 3.12.4
+
+Patch: 4420_grsecurity-3.0-3.12.4-201312081754.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.12.4/1003_linux-3.12.4.patch b/3.12.4/1003_linux-3.12.4.patch
new file mode 100644
index 0000000..819cfed
--- /dev/null
+++ b/3.12.4/1003_linux-3.12.4.patch
@@ -0,0 +1,4725 @@
+diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
+index a46d785..7d8dc93 100644
+--- a/Documentation/networking/ip-sysctl.txt
++++ b/Documentation/networking/ip-sysctl.txt
+@@ -588,9 +588,6 @@ tcp_limit_output_bytes - INTEGER
+ typical pfifo_fast qdiscs.
+ tcp_limit_output_bytes limits the number of bytes on qdisc
+ or device to reduce artificial RTT/cwnd and reduce bufferbloat.
+- Note: For GSO/TSO enabled flows, we try to have at least two
+- packets in flight. Reducing tcp_limit_output_bytes might also
+- reduce the size of individual GSO packet (64KB being the max)
+ Default: 131072
+
+ tcp_challenge_ack_limit - INTEGER
+diff --git a/Makefile b/Makefile
+index b28bc57..3b7165e 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 12
+-SUBLEVEL = 3
++SUBLEVEL = 4
+ EXTRAVERSION =
+ NAME = One Giant Leap for Frogkind
+
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index 516593e..26328e8 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -788,5 +788,7 @@ void bpf_jit_free(struct sk_filter *fp)
+ if (fp->bpf_func != sk_run_filter) {
+ INIT_WORK(&fp->work, bpf_jit_free_deferred);
+ schedule_work(&fp->work);
++ } else {
++ kfree(fp);
+ }
+ }
+diff --git a/block/blk-core.c b/block/blk-core.c
+index 0c611d8..fce4b93 100644
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -741,9 +741,17 @@ blk_init_allocated_queue(struct request_queue *q, request_fn_proc *rfn,
+
+ q->sg_reserved_size = INT_MAX;
+
++ /* Protect q->elevator from elevator_change */
++ mutex_lock(&q->sysfs_lock);
++
+ /* init elevator */
+- if (elevator_init(q, NULL))
++ if (elevator_init(q, NULL)) {
++ mutex_unlock(&q->sysfs_lock);
+ return NULL;
++ }
++
++ mutex_unlock(&q->sysfs_lock);
++
+ return q;
+ }
+ EXPORT_SYMBOL(blk_init_allocated_queue);
+diff --git a/block/elevator.c b/block/elevator.c
+index 2bcbd8c..b7ff286 100644
+--- a/block/elevator.c
++++ b/block/elevator.c
+@@ -186,6 +186,12 @@ int elevator_init(struct request_queue *q, char *name)
+ struct elevator_type *e = NULL;
+ int err;
+
++ /*
++ * q->sysfs_lock must be held to provide mutual exclusion between
++ * elevator_switch() and here.
++ */
++ lockdep_assert_held(&q->sysfs_lock);
++
+ if (unlikely(q->elevator))
+ return 0;
+
+@@ -959,7 +965,7 @@ fail_init:
+ /*
+ * Switch this queue to the given IO scheduler.
+ */
+-int elevator_change(struct request_queue *q, const char *name)
++static int __elevator_change(struct request_queue *q, const char *name)
+ {
+ char elevator_name[ELV_NAME_MAX];
+ struct elevator_type *e;
+@@ -981,6 +987,18 @@ int elevator_change(struct request_queue *q, const char *name)
+
+ return elevator_switch(q, e);
+ }
++
++int elevator_change(struct request_queue *q, const char *name)
++{
++ int ret;
++
++ /* Protect q->elevator from elevator_init() */
++ mutex_lock(&q->sysfs_lock);
++ ret = __elevator_change(q, name);
++ mutex_unlock(&q->sysfs_lock);
++
++ return ret;
++}
+ EXPORT_SYMBOL(elevator_change);
+
+ ssize_t elv_iosched_store(struct request_queue *q, const char *name,
+@@ -991,7 +1009,7 @@ ssize_t elv_iosched_store(struct request_queue *q, const char *name,
+ if (!q->elevator)
+ return count;
+
+- ret = elevator_change(q, name);
++ ret = __elevator_change(q, name);
+ if (!ret)
+ return count;
+
+diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
+index 0262210..8502462 100644
+--- a/crypto/algif_hash.c
++++ b/crypto/algif_hash.c
+@@ -114,6 +114,9 @@ static ssize_t hash_sendpage(struct socket *sock, struct page *page,
+ struct hash_ctx *ctx = ask->private;
+ int err;
+
++ if (flags & MSG_SENDPAGE_NOTLAST)
++ flags |= MSG_MORE;
++
+ lock_sock(sk);
+ sg_init_table(ctx->sgl.sg, 1);
+ sg_set_page(ctx->sgl.sg, page, size, offset);
+@@ -161,8 +164,6 @@ static int hash_recvmsg(struct kiocb *unused, struct socket *sock,
+ else if (len < ds)
+ msg->msg_flags |= MSG_TRUNC;
+
+- msg->msg_namelen = 0;
+-
+ lock_sock(sk);
+ if (ctx->more) {
+ ctx->more = 0;
+diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
+index a1c4f0a..a19c027 100644
+--- a/crypto/algif_skcipher.c
++++ b/crypto/algif_skcipher.c
+@@ -378,6 +378,9 @@ static ssize_t skcipher_sendpage(struct socket *sock, struct page *page,
+ struct skcipher_sg_list *sgl;
+ int err = -EINVAL;
+
++ if (flags & MSG_SENDPAGE_NOTLAST)
++ flags |= MSG_MORE;
++
+ lock_sock(sk);
+ if (!ctx->more && ctx->used)
+ goto unlock;
+@@ -432,7 +435,6 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock,
+ long copied = 0;
+
+ lock_sock(sk);
+- msg->msg_namelen = 0;
+ for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0;
+ iovlen--, iov++) {
+ unsigned long seglen = iov->iov_len;
+diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c
+index 272f009..1bdf104 100644
+--- a/drivers/atm/idt77252.c
++++ b/drivers/atm/idt77252.c
+@@ -3511,7 +3511,7 @@ static int init_card(struct atm_dev *dev)
+ tmp = dev_get_by_name(&init_net, tname); /* jhs: was "tmp = dev_get(tname);" */
+ if (tmp) {
+ memcpy(card->atmdev->esi, tmp->dev_addr, 6);
+-
++ dev_put(tmp);
+ printk("%s: ESI %pM\n", card->name, card->atmdev->esi);
+ }
+ /*
+diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
+index c73fc2b..18c5b9b 100644
+--- a/drivers/connector/cn_proc.c
++++ b/drivers/connector/cn_proc.c
+@@ -32,11 +32,23 @@
+ #include <linux/atomic.h>
+ #include <linux/pid_namespace.h>
+
+-#include <asm/unaligned.h>
+-
+ #include <linux/cn_proc.h>
+
+-#define CN_PROC_MSG_SIZE (sizeof(struct cn_msg) + sizeof(struct proc_event))
++/*
++ * Size of a cn_msg followed by a proc_event structure. Since the
++ * sizeof struct cn_msg is a multiple of 4 bytes, but not 8 bytes, we
++ * add one 4-byte word to the size here, and then start the actual
++ * cn_msg structure 4 bytes into the stack buffer. The result is that
++ * the immediately following proc_event structure is aligned to 8 bytes.
++ */
++#define CN_PROC_MSG_SIZE (sizeof(struct cn_msg) + sizeof(struct proc_event) + 4)
++
++/* See comment above; we test our assumption about sizeof struct cn_msg here. */
++static inline struct cn_msg *buffer_to_cn_msg(__u8 *buffer)
++{
++ BUILD_BUG_ON(sizeof(struct cn_msg) != 20);
++ return (struct cn_msg *)(buffer + 4);
++}
+
+ static atomic_t proc_event_num_listeners = ATOMIC_INIT(0);
+ static struct cb_id cn_proc_event_id = { CN_IDX_PROC, CN_VAL_PROC };
+@@ -56,19 +68,19 @@ void proc_fork_connector(struct task_struct *task)
+ {
+ struct cn_msg *msg;
+ struct proc_event *ev;
+- __u8 buffer[CN_PROC_MSG_SIZE];
++ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8);
+ struct timespec ts;
+ struct task_struct *parent;
+
+ if (atomic_read(&proc_event_num_listeners) < 1)
+ return;
+
+- msg = (struct cn_msg *)buffer;
++ msg = buffer_to_cn_msg(buffer);
+ ev = (struct proc_event *)msg->data;
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
++ ev->timestamp_ns = timespec_to_ns(&ts);
+ ev->what = PROC_EVENT_FORK;
+ rcu_read_lock();
+ parent = rcu_dereference(task->real_parent);
+@@ -91,17 +103,17 @@ void proc_exec_connector(struct task_struct *task)
+ struct cn_msg *msg;
+ struct proc_event *ev;
+ struct timespec ts;
+- __u8 buffer[CN_PROC_MSG_SIZE];
++ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8);
+
+ if (atomic_read(&proc_event_num_listeners) < 1)
+ return;
+
+- msg = (struct cn_msg *)buffer;
++ msg = buffer_to_cn_msg(buffer);
+ ev = (struct proc_event *)msg->data;
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
++ ev->timestamp_ns = timespec_to_ns(&ts);
+ ev->what = PROC_EVENT_EXEC;
+ ev->event_data.exec.process_pid = task->pid;
+ ev->event_data.exec.process_tgid = task->tgid;
+@@ -117,14 +129,14 @@ void proc_id_connector(struct task_struct *task, int which_id)
+ {
+ struct cn_msg *msg;
+ struct proc_event *ev;
+- __u8 buffer[CN_PROC_MSG_SIZE];
++ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8);
+ struct timespec ts;
+ const struct cred *cred;
+
+ if (atomic_read(&proc_event_num_listeners) < 1)
+ return;
+
+- msg = (struct cn_msg *)buffer;
++ msg = buffer_to_cn_msg(buffer);
+ ev = (struct proc_event *)msg->data;
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ ev->what = which_id;
+@@ -145,7 +157,7 @@ void proc_id_connector(struct task_struct *task, int which_id)
+ rcu_read_unlock();
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
++ ev->timestamp_ns = timespec_to_ns(&ts);
+
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+@@ -159,17 +171,17 @@ void proc_sid_connector(struct task_struct *task)
+ struct cn_msg *msg;
+ struct proc_event *ev;
+ struct timespec ts;
+- __u8 buffer[CN_PROC_MSG_SIZE];
++ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8);
+
+ if (atomic_read(&proc_event_num_listeners) < 1)
+ return;
+
+- msg = (struct cn_msg *)buffer;
++ msg = buffer_to_cn_msg(buffer);
+ ev = (struct proc_event *)msg->data;
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
++ ev->timestamp_ns = timespec_to_ns(&ts);
+ ev->what = PROC_EVENT_SID;
+ ev->event_data.sid.process_pid = task->pid;
+ ev->event_data.sid.process_tgid = task->tgid;
+@@ -186,17 +198,17 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id)
+ struct cn_msg *msg;
+ struct proc_event *ev;
+ struct timespec ts;
+- __u8 buffer[CN_PROC_MSG_SIZE];
++ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8);
+
+ if (atomic_read(&proc_event_num_listeners) < 1)
+ return;
+
+- msg = (struct cn_msg *)buffer;
++ msg = buffer_to_cn_msg(buffer);
+ ev = (struct proc_event *)msg->data;
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
++ ev->timestamp_ns = timespec_to_ns(&ts);
+ ev->what = PROC_EVENT_PTRACE;
+ ev->event_data.ptrace.process_pid = task->pid;
+ ev->event_data.ptrace.process_tgid = task->tgid;
+@@ -221,17 +233,17 @@ void proc_comm_connector(struct task_struct *task)
+ struct cn_msg *msg;
+ struct proc_event *ev;
+ struct timespec ts;
+- __u8 buffer[CN_PROC_MSG_SIZE];
++ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8);
+
+ if (atomic_read(&proc_event_num_listeners) < 1)
+ return;
+
+- msg = (struct cn_msg *)buffer;
++ msg = buffer_to_cn_msg(buffer);
+ ev = (struct proc_event *)msg->data;
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
++ ev->timestamp_ns = timespec_to_ns(&ts);
+ ev->what = PROC_EVENT_COMM;
+ ev->event_data.comm.process_pid = task->pid;
+ ev->event_data.comm.process_tgid = task->tgid;
+@@ -248,18 +260,18 @@ void proc_coredump_connector(struct task_struct *task)
+ {
+ struct cn_msg *msg;
+ struct proc_event *ev;
+- __u8 buffer[CN_PROC_MSG_SIZE];
++ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8);
+ struct timespec ts;
+
+ if (atomic_read(&proc_event_num_listeners) < 1)
+ return;
+
+- msg = (struct cn_msg *)buffer;
++ msg = buffer_to_cn_msg(buffer);
+ ev = (struct proc_event *)msg->data;
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
++ ev->timestamp_ns = timespec_to_ns(&ts);
+ ev->what = PROC_EVENT_COREDUMP;
+ ev->event_data.coredump.process_pid = task->pid;
+ ev->event_data.coredump.process_tgid = task->tgid;
+@@ -275,18 +287,18 @@ void proc_exit_connector(struct task_struct *task)
+ {
+ struct cn_msg *msg;
+ struct proc_event *ev;
+- __u8 buffer[CN_PROC_MSG_SIZE];
++ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8);
+ struct timespec ts;
+
+ if (atomic_read(&proc_event_num_listeners) < 1)
+ return;
+
+- msg = (struct cn_msg *)buffer;
++ msg = buffer_to_cn_msg(buffer);
+ ev = (struct proc_event *)msg->data;
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
++ ev->timestamp_ns = timespec_to_ns(&ts);
+ ev->what = PROC_EVENT_EXIT;
+ ev->event_data.exit.process_pid = task->pid;
+ ev->event_data.exit.process_tgid = task->tgid;
+@@ -312,18 +324,18 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack)
+ {
+ struct cn_msg *msg;
+ struct proc_event *ev;
+- __u8 buffer[CN_PROC_MSG_SIZE];
++ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8);
+ struct timespec ts;
+
+ if (atomic_read(&proc_event_num_listeners) < 1)
+ return;
+
+- msg = (struct cn_msg *)buffer;
++ msg = buffer_to_cn_msg(buffer);
+ ev = (struct proc_event *)msg->data;
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ msg->seq = rcvd_seq;
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
++ ev->timestamp_ns = timespec_to_ns(&ts);
+ ev->cpu = -1;
+ ev->what = PROC_EVENT_NONE;
+ ev->event_data.ack.err = err;
+diff --git a/drivers/gpu/drm/radeon/r600_hdmi.c b/drivers/gpu/drm/radeon/r600_hdmi.c
+index 06022e3..615c5b2 100644
+--- a/drivers/gpu/drm/radeon/r600_hdmi.c
++++ b/drivers/gpu/drm/radeon/r600_hdmi.c
+@@ -24,6 +24,7 @@
+ * Authors: Christian König
+ */
+ #include <linux/hdmi.h>
++#include <linux/gcd.h>
+ #include <drm/drmP.h>
+ #include <drm/radeon_drm.h>
+ #include "radeon.h"
+@@ -57,35 +58,57 @@ enum r600_hdmi_iec_status_bits {
+ static const struct radeon_hdmi_acr r600_hdmi_predefined_acr[] = {
+ /* 32kHz 44.1kHz 48kHz */
+ /* Clock N CTS N CTS N CTS */
+- { 25175, 4576, 28125, 7007, 31250, 6864, 28125 }, /* 25,20/1.001 MHz */
++ { 25175, 4096, 25175, 28224, 125875, 6144, 25175 }, /* 25,20/1.001 MHz */
+ { 25200, 4096, 25200, 6272, 28000, 6144, 25200 }, /* 25.20 MHz */
+ { 27000, 4096, 27000, 6272, 30000, 6144, 27000 }, /* 27.00 MHz */
+ { 27027, 4096, 27027, 6272, 30030, 6144, 27027 }, /* 27.00*1.001 MHz */
+ { 54000, 4096, 54000, 6272, 60000, 6144, 54000 }, /* 54.00 MHz */
+ { 54054, 4096, 54054, 6272, 60060, 6144, 54054 }, /* 54.00*1.001 MHz */
+- { 74176, 11648, 210937, 17836, 234375, 11648, 140625 }, /* 74.25/1.001 MHz */
++ { 74176, 4096, 74176, 5733, 75335, 6144, 74176 }, /* 74.25/1.001 MHz */
+ { 74250, 4096, 74250, 6272, 82500, 6144, 74250 }, /* 74.25 MHz */
+- { 148352, 11648, 421875, 8918, 234375, 5824, 140625 }, /* 148.50/1.001 MHz */
++ { 148352, 4096, 148352, 5733, 150670, 6144, 148352 }, /* 148.50/1.001 MHz */
+ { 148500, 4096, 148500, 6272, 165000, 6144, 148500 }, /* 148.50 MHz */
+- { 0, 4096, 0, 6272, 0, 6144, 0 } /* Other */
+ };
+
++
+ /*
+- * calculate CTS value if it's not found in the table
++ * calculate CTS and N values if they are not found in the table
+ */
+-static void r600_hdmi_calc_cts(uint32_t clock, int *CTS, int N, int freq)
++static void r600_hdmi_calc_cts(uint32_t clock, int *CTS, int *N, int freq)
+ {
+- u64 n;
+- u32 d;
+-
+- if (*CTS == 0) {
+- n = (u64)clock * (u64)N * 1000ULL;
+- d = 128 * freq;
+- do_div(n, d);
+- *CTS = n;
+- }
+- DRM_DEBUG("Using ACR timing N=%d CTS=%d for frequency %d\n",
+- N, *CTS, freq);
++ int n, cts;
++ unsigned long div, mul;
++
++ /* Safe, but overly large values */
++ n = 128 * freq;
++ cts = clock * 1000;
++
++ /* Smallest valid fraction */
++ div = gcd(n, cts);
++
++ n /= div;
++ cts /= div;
++
++ /*
++ * The optimal N is 128*freq/1000. Calculate the closest larger
++ * value that doesn't truncate any bits.
++ */
++ mul = ((128*freq/1000) + (n-1))/n;
++
++ n *= mul;
++ cts *= mul;
++
++ /* Check that we are in spec (not always possible) */
++ if (n < (128*freq/1500))
++ printk(KERN_WARNING "Calculated ACR N value is too small. You may experience audio problems.\n");
++ if (n > (128*freq/300))
++ printk(KERN_WARNING "Calculated ACR N value is too large. You may experience audio problems.\n");
++
++ *N = n;
++ *CTS = cts;
++
++ DRM_DEBUG("Calculated ACR timing N=%d CTS=%d for frequency %d\n",
++ *N, *CTS, freq);
+ }
+
+ struct radeon_hdmi_acr r600_hdmi_acr(uint32_t clock)
+@@ -93,15 +116,16 @@ struct radeon_hdmi_acr r600_hdmi_acr(uint32_t clock)
+ struct radeon_hdmi_acr res;
+ u8 i;
+
+- for (i = 0; r600_hdmi_predefined_acr[i].clock != clock &&
+- r600_hdmi_predefined_acr[i].clock != 0; i++)
+- ;
+- res = r600_hdmi_predefined_acr[i];
++ /* Precalculated values for common clocks */
++ for (i = 0; i < ARRAY_SIZE(r600_hdmi_predefined_acr); i++) {
++ if (r600_hdmi_predefined_acr[i].clock == clock)
++ return r600_hdmi_predefined_acr[i];
++ }
+
+- /* In case some CTS are missing */
+- r600_hdmi_calc_cts(clock, &res.cts_32khz, res.n_32khz, 32000);
+- r600_hdmi_calc_cts(clock, &res.cts_44_1khz, res.n_44_1khz, 44100);
+- r600_hdmi_calc_cts(clock, &res.cts_48khz, res.n_48khz, 48000);
++ /* And odd clocks get manually calculated */
++ r600_hdmi_calc_cts(clock, &res.cts_32khz, &res.n_32khz, 32000);
++ r600_hdmi_calc_cts(clock, &res.cts_44_1khz, &res.n_44_1khz, 44100);
++ r600_hdmi_calc_cts(clock, &res.cts_48khz, &res.n_48khz, 48000);
+
+ return res;
+ }
+diff --git a/drivers/hid/hid-elo.c b/drivers/hid/hid-elo.c
+index f042a6c..55e4920 100644
+--- a/drivers/hid/hid-elo.c
++++ b/drivers/hid/hid-elo.c
+@@ -181,7 +181,40 @@ fail:
+ */
+ static bool elo_broken_firmware(struct usb_device *dev)
+ {
+- return use_fw_quirk && le16_to_cpu(dev->descriptor.bcdDevice) == 0x10d;
++ struct usb_device *hub = dev->parent;
++ struct usb_device *child = NULL;
++ u16 fw_lvl = le16_to_cpu(dev->descriptor.bcdDevice);
++ u16 child_vid, child_pid;
++ int i;
++
++ if (!use_fw_quirk)
++ return false;
++ if (fw_lvl != 0x10d)
++ return false;
++
++ /* iterate sibling devices of the touch controller */
++ usb_hub_for_each_child(hub, i, child) {
++ child_vid = le16_to_cpu(child->descriptor.idVendor);
++ child_pid = le16_to_cpu(child->descriptor.idProduct);
++
++ /*
++ * If one of the devices below is present attached as a sibling of
++ * the touch controller then this is a newer IBM 4820 monitor that
++ * does not need the IBM-requested workaround if fw level is
++ * 0x010d - aka 'M'.
++ * No other HW can have this combination.
++ */
++ if (child_vid==0x04b3) {
++ switch (child_pid) {
++ case 0x4676: /* 4820 21x Video */
++ case 0x4677: /* 4820 51x Video */
++ case 0x4678: /* 4820 2Lx Video */
++ case 0x4679: /* 4820 5Lx Video */
++ return false;
++ }
++ }
++ }
++ return true;
+ }
+
+ static int elo_probe(struct hid_device *hdev, const struct hid_device_id *id)
+diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c
+index 1bfd292..06eb45f 100644
+--- a/drivers/hid/hid-lg.c
++++ b/drivers/hid/hid-lg.c
+@@ -47,6 +47,7 @@
+ #define DFP_RDESC_ORIG_SIZE 97
+ #define FV_RDESC_ORIG_SIZE 130
+ #define MOMO_RDESC_ORIG_SIZE 87
++#define MOMO2_RDESC_ORIG_SIZE 87
+
+ /* Fixed report descriptors for Logitech Driving Force (and Pro)
+ * wheel controllers
+@@ -284,6 +285,54 @@ static __u8 momo_rdesc_fixed[] = {
+ 0xC0 /* End Collection */
+ };
+
++static __u8 momo2_rdesc_fixed[] = {
++0x05, 0x01, /* Usage Page (Desktop), */
++0x09, 0x04, /* Usage (Joystik), */
++0xA1, 0x01, /* Collection (Application), */
++0xA1, 0x02, /* Collection (Logical), */
++0x95, 0x01, /* Report Count (1), */
++0x75, 0x0A, /* Report Size (10), */
++0x15, 0x00, /* Logical Minimum (0), */
++0x26, 0xFF, 0x03, /* Logical Maximum (1023), */
++0x35, 0x00, /* Physical Minimum (0), */
++0x46, 0xFF, 0x03, /* Physical Maximum (1023), */
++0x09, 0x30, /* Usage (X), */
++0x81, 0x02, /* Input (Variable), */
++0x95, 0x0A, /* Report Count (10), */
++0x75, 0x01, /* Report Size (1), */
++0x25, 0x01, /* Logical Maximum (1), */
++0x45, 0x01, /* Physical Maximum (1), */
++0x05, 0x09, /* Usage Page (Button), */
++0x19, 0x01, /* Usage Minimum (01h), */
++0x29, 0x0A, /* Usage Maximum (0Ah), */
++0x81, 0x02, /* Input (Variable), */
++0x06, 0x00, 0xFF, /* Usage Page (FF00h), */
++0x09, 0x00, /* Usage (00h), */
++0x95, 0x04, /* Report Count (4), */
++0x81, 0x02, /* Input (Variable), */
++0x95, 0x01, /* Report Count (1), */
++0x75, 0x08, /* Report Size (8), */
++0x26, 0xFF, 0x00, /* Logical Maximum (255), */
++0x46, 0xFF, 0x00, /* Physical Maximum (255), */
++0x09, 0x01, /* Usage (01h), */
++0x81, 0x02, /* Input (Variable), */
++0x05, 0x01, /* Usage Page (Desktop), */
++0x09, 0x31, /* Usage (Y), */
++0x81, 0x02, /* Input (Variable), */
++0x09, 0x32, /* Usage (Z), */
++0x81, 0x02, /* Input (Variable), */
++0x06, 0x00, 0xFF, /* Usage Page (FF00h), */
++0x09, 0x00, /* Usage (00h), */
++0x81, 0x02, /* Input (Variable), */
++0xC0, /* End Collection, */
++0xA1, 0x02, /* Collection (Logical), */
++0x09, 0x02, /* Usage (02h), */
++0x95, 0x07, /* Report Count (7), */
++0x91, 0x02, /* Output (Variable), */
++0xC0, /* End Collection, */
++0xC0 /* End Collection */
++};
++
+ /*
+ * Certain Logitech keyboards send in report #3 keys which are far
+ * above the logical maximum described in descriptor. This extends
+@@ -343,6 +392,15 @@ static __u8 *lg_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ }
+ break;
+
++ case USB_DEVICE_ID_LOGITECH_MOMO_WHEEL2:
++ if (*rsize == MOMO2_RDESC_ORIG_SIZE) {
++ hid_info(hdev,
++ "fixing up Logitech Momo Racing Force (Black) report descriptor\n");
++ rdesc = momo2_rdesc_fixed;
++ *rsize = sizeof(momo2_rdesc_fixed);
++ }
++ break;
++
+ case USB_DEVICE_ID_LOGITECH_VIBRATION_WHEEL:
+ if (*rsize == FV_RDESC_ORIG_SIZE) {
+ hid_info(hdev,
+diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
+index 15e9b57..40203ad 100644
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -782,7 +782,11 @@ static struct dma_pte *pfn_to_dma_pte(struct dmar_domain *domain,
+ int offset;
+
+ BUG_ON(!domain->pgd);
+- BUG_ON(addr_width < BITS_PER_LONG && pfn >> addr_width);
++
++ if (addr_width < BITS_PER_LONG && pfn >> addr_width)
++ /* Address beyond IOMMU's addressing capabilities. */
++ return NULL;
++
+ parent = domain->pgd;
+
+ while (level > 0) {
+diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c
+index f71673d..b97d70b 100644
+--- a/drivers/iommu/intel_irq_remapping.c
++++ b/drivers/iommu/intel_irq_remapping.c
+@@ -525,12 +525,13 @@ static int __init intel_irq_remapping_supported(void)
+ if (disable_irq_remap)
+ return 0;
+ if (irq_remap_broken) {
+- WARN_TAINT(1, TAINT_FIRMWARE_WORKAROUND,
+- "This system BIOS has enabled interrupt remapping\n"
+- "on a chipset that contains an erratum making that\n"
+- "feature unstable. To maintain system stability\n"
+- "interrupt remapping is being disabled. Please\n"
+- "contact your BIOS vendor for an update\n");
++ printk(KERN_WARNING
++ "This system BIOS has enabled interrupt remapping\n"
++ "on a chipset that contains an erratum making that\n"
++ "feature unstable. To maintain system stability\n"
++ "interrupt remapping is being disabled. Please\n"
++ "contact your BIOS vendor for an update\n");
++ add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK);
+ disable_irq_remap = 1;
+ return 0;
+ }
+diff --git a/drivers/isdn/isdnloop/isdnloop.c b/drivers/isdn/isdnloop/isdnloop.c
+index baf2686..02125e6 100644
+--- a/drivers/isdn/isdnloop/isdnloop.c
++++ b/drivers/isdn/isdnloop/isdnloop.c
+@@ -1083,8 +1083,10 @@ isdnloop_start(isdnloop_card *card, isdnloop_sdef *sdefp)
+ spin_unlock_irqrestore(&card->isdnloop_lock, flags);
+ return -ENOMEM;
+ }
+- for (i = 0; i < 3; i++)
+- strcpy(card->s0num[i], sdef.num[i]);
++ for (i = 0; i < 3; i++) {
++ strlcpy(card->s0num[i], sdef.num[i],
++ sizeof(card->s0num[0]));
++ }
+ break;
+ case ISDN_PTYPE_1TR6:
+ if (isdnloop_fake(card, "DRV1.04TC-1TR6-CAPI-CNS-BASIS-29.11.95",
+@@ -1097,7 +1099,7 @@ isdnloop_start(isdnloop_card *card, isdnloop_sdef *sdefp)
+ spin_unlock_irqrestore(&card->isdnloop_lock, flags);
+ return -ENOMEM;
+ }
+- strcpy(card->s0num[0], sdef.num[0]);
++ strlcpy(card->s0num[0], sdef.num[0], sizeof(card->s0num[0]));
+ card->s0num[1][0] = '\0';
+ card->s0num[2][0] = '\0';
+ break;
+diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c
+index e47dcb9..5cefb47 100644
+--- a/drivers/isdn/mISDN/socket.c
++++ b/drivers/isdn/mISDN/socket.c
+@@ -117,7 +117,6 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ {
+ struct sk_buff *skb;
+ struct sock *sk = sock->sk;
+- struct sockaddr_mISDN *maddr;
+
+ int copied, err;
+
+@@ -135,9 +134,9 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ if (!skb)
+ return err;
+
+- if (msg->msg_namelen >= sizeof(struct sockaddr_mISDN)) {
+- msg->msg_namelen = sizeof(struct sockaddr_mISDN);
+- maddr = (struct sockaddr_mISDN *)msg->msg_name;
++ if (msg->msg_name) {
++ struct sockaddr_mISDN *maddr = msg->msg_name;
++
+ maddr->family = AF_ISDN;
+ maddr->dev = _pms(sk)->dev->id;
+ if ((sk->sk_protocol == ISDN_P_LAPD_TE) ||
+@@ -150,11 +149,7 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ maddr->sapi = _pms(sk)->ch.addr & 0xFF;
+ maddr->tei = (_pms(sk)->ch.addr >> 8) & 0xFF;
+ }
+- } else {
+- if (msg->msg_namelen)
+- printk(KERN_WARNING "%s: too small namelen %d\n",
+- __func__, msg->msg_namelen);
+- msg->msg_namelen = 0;
++ msg->msg_namelen = sizeof(*maddr);
+ }
+
+ copied = skb->len + MISDN_HEADER_LEN;
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index e4109f6..8a0665d 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -5214,15 +5214,18 @@ raid5_show_group_thread_cnt(struct mddev *mddev, char *page)
+ return 0;
+ }
+
+-static int alloc_thread_groups(struct r5conf *conf, int cnt);
++static int alloc_thread_groups(struct r5conf *conf, int cnt,
++ int *group_cnt,
++ int *worker_cnt_per_group,
++ struct r5worker_group **worker_groups);
+ static ssize_t
+ raid5_store_group_thread_cnt(struct mddev *mddev, const char *page, size_t len)
+ {
+ struct r5conf *conf = mddev->private;
+ unsigned long new;
+ int err;
+- struct r5worker_group *old_groups;
+- int old_group_cnt;
++ struct r5worker_group *new_groups, *old_groups;
++ int group_cnt, worker_cnt_per_group;
+
+ if (len >= PAGE_SIZE)
+ return -EINVAL;
+@@ -5238,17 +5241,19 @@ raid5_store_group_thread_cnt(struct mddev *mddev, const char *page, size_t len)
+ mddev_suspend(mddev);
+
+ old_groups = conf->worker_groups;
+- old_group_cnt = conf->worker_cnt_per_group;
+-
+ if (old_groups)
+ flush_workqueue(raid5_wq);
+
+- conf->worker_groups = NULL;
+- err = alloc_thread_groups(conf, new);
+- if (err) {
+- conf->worker_groups = old_groups;
+- conf->worker_cnt_per_group = old_group_cnt;
+- } else {
++ err = alloc_thread_groups(conf, new,
++ &group_cnt, &worker_cnt_per_group,
++ &new_groups);
++ if (!err) {
++ spin_lock_irq(&conf->device_lock);
++ conf->group_cnt = group_cnt;
++ conf->worker_cnt_per_group = worker_cnt_per_group;
++ conf->worker_groups = new_groups;
++ spin_unlock_irq(&conf->device_lock);
++
+ if (old_groups)
+ kfree(old_groups[0].workers);
+ kfree(old_groups);
+@@ -5278,33 +5283,36 @@ static struct attribute_group raid5_attrs_group = {
+ .attrs = raid5_attrs,
+ };
+
+-static int alloc_thread_groups(struct r5conf *conf, int cnt)
++static int alloc_thread_groups(struct r5conf *conf, int cnt,
++ int *group_cnt,
++ int *worker_cnt_per_group,
++ struct r5worker_group **worker_groups)
+ {
+ int i, j;
+ ssize_t size;
+ struct r5worker *workers;
+
+- conf->worker_cnt_per_group = cnt;
++ *worker_cnt_per_group = cnt;
+ if (cnt == 0) {
+- conf->worker_groups = NULL;
++ *group_cnt = 0;
++ *worker_groups = NULL;
+ return 0;
+ }
+- conf->group_cnt = num_possible_nodes();
++ *group_cnt = num_possible_nodes();
+ size = sizeof(struct r5worker) * cnt;
+- workers = kzalloc(size * conf->group_cnt, GFP_NOIO);
+- conf->worker_groups = kzalloc(sizeof(struct r5worker_group) *
+- conf->group_cnt, GFP_NOIO);
+- if (!conf->worker_groups || !workers) {
++ workers = kzalloc(size * *group_cnt, GFP_NOIO);
++ *worker_groups = kzalloc(sizeof(struct r5worker_group) *
++ *group_cnt, GFP_NOIO);
++ if (!*worker_groups || !workers) {
+ kfree(workers);
+- kfree(conf->worker_groups);
+- conf->worker_groups = NULL;
++ kfree(*worker_groups);
+ return -ENOMEM;
+ }
+
+- for (i = 0; i < conf->group_cnt; i++) {
++ for (i = 0; i < *group_cnt; i++) {
+ struct r5worker_group *group;
+
+- group = &conf->worker_groups[i];
++ group = &(*worker_groups)[i];
+ INIT_LIST_HEAD(&group->handle_list);
+ group->conf = conf;
+ group->workers = workers + i * cnt;
+@@ -5462,6 +5470,8 @@ static struct r5conf *setup_conf(struct mddev *mddev)
+ struct md_rdev *rdev;
+ struct disk_info *disk;
+ char pers_name[6];
++ int group_cnt, worker_cnt_per_group;
++ struct r5worker_group *new_group;
+
+ if (mddev->new_level != 5
+ && mddev->new_level != 4
+@@ -5496,7 +5506,12 @@ static struct r5conf *setup_conf(struct mddev *mddev)
+ if (conf == NULL)
+ goto abort;
+ /* Don't enable multi-threading by default*/
+- if (alloc_thread_groups(conf, 0))
++ if (!alloc_thread_groups(conf, 0, &group_cnt, &worker_cnt_per_group,
++ &new_group)) {
++ conf->group_cnt = group_cnt;
++ conf->worker_cnt_per_group = worker_cnt_per_group;
++ conf->worker_groups = new_group;
++ } else
+ goto abort;
+ spin_lock_init(&conf->device_lock);
+ seqcount_init(&conf->gen_lock);
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index e883bfe..dd8057d 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3395,20 +3395,20 @@ static void bond_set_rx_mode(struct net_device *bond_dev)
+ struct bonding *bond = netdev_priv(bond_dev);
+ struct slave *slave;
+
+- ASSERT_RTNL();
+-
++ rcu_read_lock();
+ if (USES_PRIMARY(bond->params.mode)) {
+- slave = rtnl_dereference(bond->curr_active_slave);
++ slave = rcu_dereference(bond->curr_active_slave);
+ if (slave) {
+ dev_uc_sync(slave->dev, bond_dev);
+ dev_mc_sync(slave->dev, bond_dev);
+ }
+ } else {
+- bond_for_each_slave(bond, slave) {
++ bond_for_each_slave_rcu(bond, slave) {
+ dev_uc_sync_multiple(slave->dev, bond_dev);
+ dev_mc_sync_multiple(slave->dev, bond_dev);
+ }
+ }
++ rcu_read_unlock();
+ }
+
+ static int bond_neigh_init(struct neighbour *n)
+diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c
+index c29b836..b60f95b 100644
+--- a/drivers/net/bonding/bond_sysfs.c
++++ b/drivers/net/bonding/bond_sysfs.c
+@@ -587,8 +587,9 @@ static ssize_t bonding_store_arp_interval(struct device *d,
+ goto out;
+ }
+ if (bond->params.mode == BOND_MODE_ALB ||
+- bond->params.mode == BOND_MODE_TLB) {
+- pr_info("%s: ARP monitoring cannot be used with ALB/TLB. Only MII monitoring is supported on %s.\n",
++ bond->params.mode == BOND_MODE_TLB ||
++ bond->params.mode == BOND_MODE_8023AD) {
++ pr_info("%s: ARP monitoring cannot be used with ALB/TLB/802.3ad. Only MII monitoring is supported on %s.\n",
+ bond->dev->name, bond->dev->name);
+ ret = -EINVAL;
+ goto out;
+@@ -759,6 +760,8 @@ static ssize_t bonding_store_downdelay(struct device *d,
+ int new_value, ret = count;
+ struct bonding *bond = to_bond(d);
+
++ if (!rtnl_trylock())
++ return restart_syscall();
+ if (!(bond->params.miimon)) {
+ pr_err("%s: Unable to set down delay as MII monitoring is disabled\n",
+ bond->dev->name);
+@@ -792,6 +795,7 @@ static ssize_t bonding_store_downdelay(struct device *d,
+ }
+
+ out:
++ rtnl_unlock();
+ return ret;
+ }
+ static DEVICE_ATTR(downdelay, S_IRUGO | S_IWUSR,
+@@ -814,6 +818,8 @@ static ssize_t bonding_store_updelay(struct device *d,
+ int new_value, ret = count;
+ struct bonding *bond = to_bond(d);
+
++ if (!rtnl_trylock())
++ return restart_syscall();
+ if (!(bond->params.miimon)) {
+ pr_err("%s: Unable to set up delay as MII monitoring is disabled\n",
+ bond->dev->name);
+@@ -847,6 +853,7 @@ static ssize_t bonding_store_updelay(struct device *d,
+ }
+
+ out:
++ rtnl_unlock();
+ return ret;
+ }
+ static DEVICE_ATTR(updelay, S_IRUGO | S_IWUSR,
+diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c
+index 2c210ec..f2f6d85 100644
+--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
+@@ -2890,6 +2890,8 @@ static int mv643xx_eth_probe(struct platform_device *pdev)
+ PHY_INTERFACE_MODE_GMII);
+ if (!mp->phy)
+ err = -ENODEV;
++ else
++ phy_addr_set(mp, mp->phy->addr);
+ } else if (pd->phy_addr != MV643XX_ETH_PHY_NONE) {
+ mp->phy = phy_scan(mp, pd->phy_addr);
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/en_main.c b/drivers/net/ethernet/mellanox/mlx4/en_main.c
+index a071cda..0d087b0 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_main.c
+@@ -264,6 +264,10 @@ static void *mlx4_en_add(struct mlx4_dev *dev)
+ mlx4_foreach_port(i, dev, MLX4_PORT_TYPE_ETH)
+ mdev->port_cnt++;
+
++ /* Initialize time stamp mechanism */
++ if (mdev->dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_TS)
++ mlx4_en_init_timestamp(mdev);
++
+ mlx4_foreach_port(i, dev, MLX4_PORT_TYPE_ETH) {
+ if (!dev->caps.comp_pool) {
+ mdev->profile.prof[i].rx_ring_num =
+@@ -301,10 +305,6 @@ static void *mlx4_en_add(struct mlx4_dev *dev)
+ mdev->pndev[i] = NULL;
+ }
+
+- /* Initialize time stamp mechanism */
+- if (mdev->dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_TS)
+- mlx4_en_init_timestamp(mdev);
+-
+ return mdev;
+
+ err_mr:
+diff --git a/drivers/net/ethernet/realtek/8139cp.c b/drivers/net/ethernet/realtek/8139cp.c
+index d2e5919..0095af5 100644
+--- a/drivers/net/ethernet/realtek/8139cp.c
++++ b/drivers/net/ethernet/realtek/8139cp.c
+@@ -678,9 +678,6 @@ static void cp_tx (struct cp_private *cp)
+ le32_to_cpu(txd->opts1) & 0xffff,
+ PCI_DMA_TODEVICE);
+
+- bytes_compl += skb->len;
+- pkts_compl++;
+-
+ if (status & LastFrag) {
+ if (status & (TxError | TxFIFOUnder)) {
+ netif_dbg(cp, tx_err, cp->dev,
+@@ -702,6 +699,8 @@ static void cp_tx (struct cp_private *cp)
+ netif_dbg(cp, tx_done, cp->dev,
+ "tx done, slot %d\n", tx_tail);
+ }
++ bytes_compl += skb->len;
++ pkts_compl++;
+ dev_kfree_skb_irq(skb);
+ }
+
+diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
+index 3397cee..fb3f8dc 100644
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -3465,6 +3465,11 @@ static void rtl8168g_1_hw_phy_config(struct rtl8169_private *tp)
+ rtl_writephy(tp, 0x14, 0x9065);
+ rtl_writephy(tp, 0x14, 0x1065);
+
++ /* Check ALDPS bit, disable it if enabled */
++ rtl_writephy(tp, 0x1f, 0x0a43);
++ if (rtl_readphy(tp, 0x10) & 0x0004)
++ rtl_w1w0_phy(tp, 0x10, 0x0000, 0x0004);
++
+ rtl_writephy(tp, 0x1f, 0x0000);
+ }
+
+diff --git a/drivers/net/ethernet/smsc/smc91x.h b/drivers/net/ethernet/smsc/smc91x.h
+index 98eedb9..fc3e25c 100644
+--- a/drivers/net/ethernet/smsc/smc91x.h
++++ b/drivers/net/ethernet/smsc/smc91x.h
+@@ -46,7 +46,8 @@
+ defined(CONFIG_MACH_LITTLETON) ||\
+ defined(CONFIG_MACH_ZYLONITE2) ||\
+ defined(CONFIG_ARCH_VIPER) ||\
+- defined(CONFIG_MACH_STARGATE2)
++ defined(CONFIG_MACH_STARGATE2) ||\
++ defined(CONFIG_ARCH_VERSATILE)
+
+ #include <asm/mach-types.h>
+
+@@ -154,6 +155,8 @@ static inline void SMC_outw(u16 val, void __iomem *ioaddr, int reg)
+ #define SMC_outl(v, a, r) writel(v, (a) + (r))
+ #define SMC_insl(a, r, p, l) readsl((a) + (r), p, l)
+ #define SMC_outsl(a, r, p, l) writesl((a) + (r), p, l)
++#define SMC_insw(a, r, p, l) readsw((a) + (r), p, l)
++#define SMC_outsw(a, r, p, l) writesw((a) + (r), p, l)
+ #define SMC_IRQ_FLAGS (-1) /* from resource */
+
+ /* We actually can't write halfwords properly if not word aligned */
+@@ -206,23 +209,6 @@ SMC_outw(u16 val, void __iomem *ioaddr, int reg)
+ #define RPC_LSA_DEFAULT RPC_LED_TX_RX
+ #define RPC_LSB_DEFAULT RPC_LED_100_10
+
+-#elif defined(CONFIG_ARCH_VERSATILE)
+-
+-#define SMC_CAN_USE_8BIT 1
+-#define SMC_CAN_USE_16BIT 1
+-#define SMC_CAN_USE_32BIT 1
+-#define SMC_NOWAIT 1
+-
+-#define SMC_inb(a, r) readb((a) + (r))
+-#define SMC_inw(a, r) readw((a) + (r))
+-#define SMC_inl(a, r) readl((a) + (r))
+-#define SMC_outb(v, a, r) writeb(v, (a) + (r))
+-#define SMC_outw(v, a, r) writew(v, (a) + (r))
+-#define SMC_outl(v, a, r) writel(v, (a) + (r))
+-#define SMC_insl(a, r, p, l) readsl((a) + (r), p, l)
+-#define SMC_outsl(a, r, p, l) writesl((a) + (r), p, l)
+-#define SMC_IRQ_FLAGS (-1) /* from resource */
+-
+ #elif defined(CONFIG_MN10300)
+
+ /*
+diff --git a/drivers/net/ethernet/via/via-velocity.c b/drivers/net/ethernet/via/via-velocity.c
+index d022bf9..ad61d26 100644
+--- a/drivers/net/ethernet/via/via-velocity.c
++++ b/drivers/net/ethernet/via/via-velocity.c
+@@ -2172,16 +2172,13 @@ static int velocity_poll(struct napi_struct *napi, int budget)
+ unsigned int rx_done;
+ unsigned long flags;
+
+- spin_lock_irqsave(&vptr->lock, flags);
+ /*
+ * Do rx and tx twice for performance (taken from the VIA
+ * out-of-tree driver).
+ */
+- rx_done = velocity_rx_srv(vptr, budget / 2);
+- velocity_tx_srv(vptr);
+- rx_done += velocity_rx_srv(vptr, budget - rx_done);
++ rx_done = velocity_rx_srv(vptr, budget);
++ spin_lock_irqsave(&vptr->lock, flags);
+ velocity_tx_srv(vptr);
+-
+ /* If budget not fully consumed, exit the polling mode */
+ if (rx_done < budget) {
+ napi_complete(napi);
+@@ -2342,6 +2339,8 @@ static int velocity_change_mtu(struct net_device *dev, int new_mtu)
+ if (ret < 0)
+ goto out_free_tmp_vptr_1;
+
++ napi_disable(&vptr->napi);
++
+ spin_lock_irqsave(&vptr->lock, flags);
+
+ netif_stop_queue(dev);
+@@ -2362,6 +2361,8 @@ static int velocity_change_mtu(struct net_device *dev, int new_mtu)
+
+ velocity_give_many_rx_descs(vptr);
+
++ napi_enable(&vptr->napi);
++
+ mac_enable_int(vptr->mac_regs);
+ netif_start_queue(dev);
+
+diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
+index 9dccb1e..dc76670 100644
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -628,6 +628,7 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
+ const struct iovec *iv, unsigned long total_len,
+ size_t count, int noblock)
+ {
++ int good_linear = SKB_MAX_HEAD(NET_IP_ALIGN);
+ struct sk_buff *skb;
+ struct macvlan_dev *vlan;
+ unsigned long len = total_len;
+@@ -670,6 +671,8 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
+
+ if (m && m->msg_control && sock_flag(&q->sk, SOCK_ZEROCOPY)) {
+ copylen = vnet_hdr.hdr_len ? vnet_hdr.hdr_len : GOODCOPY_LEN;
++ if (copylen > good_linear)
++ copylen = good_linear;
+ linear = copylen;
+ if (iov_pages(iv, vnet_hdr_len + copylen, count)
+ <= MAX_SKB_FRAGS)
+@@ -678,7 +681,10 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
+
+ if (!zerocopy) {
+ copylen = len;
+- linear = vnet_hdr.hdr_len;
++ if (vnet_hdr.hdr_len > good_linear)
++ linear = good_linear;
++ else
++ linear = vnet_hdr.hdr_len;
+ }
+
+ skb = macvtap_alloc_skb(&q->sk, NET_IP_ALIGN, copylen,
+diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
+index 5f66e30..82ee6ed 100644
+--- a/drivers/net/ppp/pppoe.c
++++ b/drivers/net/ppp/pppoe.c
+@@ -979,8 +979,6 @@ static int pppoe_recvmsg(struct kiocb *iocb, struct socket *sock,
+ if (error < 0)
+ goto end;
+
+- m->msg_namelen = 0;
+-
+ if (skb) {
+ total_len = min_t(size_t, total_len, skb->len);
+ error = skb_copy_datagram_iovec(skb, 0, m->msg_iov, total_len);
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index 50e43e6..6327df2 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1366,6 +1366,8 @@ static int team_user_linkup_option_get(struct team *team,
+ return 0;
+ }
+
++static void __team_carrier_check(struct team *team);
++
+ static int team_user_linkup_option_set(struct team *team,
+ struct team_gsetter_ctx *ctx)
+ {
+@@ -1373,6 +1375,7 @@ static int team_user_linkup_option_set(struct team *team,
+
+ port->user.linkup = ctx->data.bool_val;
+ team_refresh_port_linkup(port);
++ __team_carrier_check(port->team);
+ return 0;
+ }
+
+@@ -1392,6 +1395,7 @@ static int team_user_linkup_en_option_set(struct team *team,
+
+ port->user.linkup_enabled = ctx->data.bool_val;
+ team_refresh_port_linkup(port);
++ __team_carrier_check(port->team);
+ return 0;
+ }
+
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 7cb105c..782e38b 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -981,6 +981,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
+ struct sk_buff *skb;
+ size_t len = total_len, align = NET_SKB_PAD, linear;
+ struct virtio_net_hdr gso = { 0 };
++ int good_linear;
+ int offset = 0;
+ int copylen;
+ bool zerocopy = false;
+@@ -1021,12 +1022,16 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
+ return -EINVAL;
+ }
+
++ good_linear = SKB_MAX_HEAD(align);
++
+ if (msg_control) {
+ /* There are 256 bytes to be copied in skb, so there is
+ * enough room for skb expand head in case it is used.
+ * The rest of the buffer is mapped from userspace.
+ */
+ copylen = gso.hdr_len ? gso.hdr_len : GOODCOPY_LEN;
++ if (copylen > good_linear)
++ copylen = good_linear;
+ linear = copylen;
+ if (iov_pages(iv, offset + copylen, count) <= MAX_SKB_FRAGS)
+ zerocopy = true;
+@@ -1034,7 +1039,10 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
+
+ if (!zerocopy) {
+ copylen = len;
+- linear = gso.hdr_len;
++ if (gso.hdr_len > good_linear)
++ linear = good_linear;
++ else
++ linear = gso.hdr_len;
+ }
+
+ skb = tun_alloc_skb(tfile, align, copylen, linear, noblock);
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index 90a429b..8494bb5 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -204,9 +204,6 @@ static void intr_complete (struct urb *urb)
+ break;
+ }
+
+- if (!netif_running (dev->net))
+- return;
+-
+ status = usb_submit_urb (urb, GFP_ATOMIC);
+ if (status != 0)
+ netif_err(dev, timer, dev->net,
+diff --git a/drivers/net/wireless/rt2x00/rt2800.h b/drivers/net/wireless/rt2x00/rt2800.h
+index fa33b5e..e3eb952 100644
+--- a/drivers/net/wireless/rt2x00/rt2800.h
++++ b/drivers/net/wireless/rt2x00/rt2800.h
+@@ -52,6 +52,7 @@
+ * RF3322 2.4G 2T2R(RT3352/RT3371/RT3372/RT3391/RT3392)
+ * RF3053 2.4G/5G 3T3R(RT3883/RT3563/RT3573/RT3593/RT3662)
+ * RF5592 2.4G/5G 2T2R
++ * RF3070 2.4G 1T1R
+ * RF5360 2.4G 1T1R
+ * RF5370 2.4G 1T1R
+ * RF5390 2.4G 1T1R
+@@ -70,6 +71,7 @@
+ #define RF3322 0x000c
+ #define RF3053 0x000d
+ #define RF5592 0x000f
++#define RF3070 0x3070
+ #define RF3290 0x3290
+ #define RF5360 0x5360
+ #define RF5370 0x5370
+diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c
+index 1400787..446eade 100644
+--- a/drivers/net/wireless/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/rt2x00/rt2800lib.c
+@@ -3152,6 +3152,7 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev,
+ case RF3322:
+ rt2800_config_channel_rf3322(rt2x00dev, conf, rf, info);
+ break;
++ case RF3070:
+ case RF5360:
+ case RF5370:
+ case RF5372:
+@@ -3166,7 +3167,8 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev,
+ rt2800_config_channel_rf2xxx(rt2x00dev, conf, rf, info);
+ }
+
+- if (rt2x00_rf(rt2x00dev, RF3290) ||
++ if (rt2x00_rf(rt2x00dev, RF3070) ||
++ rt2x00_rf(rt2x00dev, RF3290) ||
+ rt2x00_rf(rt2x00dev, RF3322) ||
+ rt2x00_rf(rt2x00dev, RF5360) ||
+ rt2x00_rf(rt2x00dev, RF5370) ||
+@@ -4264,6 +4266,7 @@ void rt2800_vco_calibration(struct rt2x00_dev *rt2x00dev)
+ rt2800_rfcsr_write(rt2x00dev, 7, rfcsr);
+ break;
+ case RF3053:
++ case RF3070:
+ case RF3290:
+ case RF5360:
+ case RF5370:
+@@ -7024,6 +7027,7 @@ static int rt2800_init_eeprom(struct rt2x00_dev *rt2x00dev)
+ case RF3022:
+ case RF3052:
+ case RF3053:
++ case RF3070:
+ case RF3290:
+ case RF3320:
+ case RF3322:
+@@ -7546,6 +7550,7 @@ static int rt2800_probe_hw_mode(struct rt2x00_dev *rt2x00dev)
+ rt2x00_rf(rt2x00dev, RF2020) ||
+ rt2x00_rf(rt2x00dev, RF3021) ||
+ rt2x00_rf(rt2x00dev, RF3022) ||
++ rt2x00_rf(rt2x00dev, RF3070) ||
+ rt2x00_rf(rt2x00dev, RF3290) ||
+ rt2x00_rf(rt2x00dev, RF3320) ||
+ rt2x00_rf(rt2x00dev, RF3322) ||
+@@ -7674,6 +7679,7 @@ static int rt2800_probe_hw_mode(struct rt2x00_dev *rt2x00dev)
+ case RF3320:
+ case RF3052:
+ case RF3053:
++ case RF3070:
+ case RF3290:
+ case RF5360:
+ case RF5370:
+diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
+index 900da4b..6255850 100644
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -39,6 +39,7 @@
+ #include <linux/udp.h>
+
+ #include <net/tcp.h>
++#include <net/ip6_checksum.h>
+
+ #include <xen/xen.h>
+ #include <xen/events.h>
+diff --git a/drivers/usb/musb/davinci.c b/drivers/usb/musb/davinci.c
+index ed0834e..ab69245 100644
+--- a/drivers/usb/musb/davinci.c
++++ b/drivers/usb/musb/davinci.c
+@@ -509,7 +509,7 @@ static u64 davinci_dmamask = DMA_BIT_MASK(32);
+
+ static int davinci_probe(struct platform_device *pdev)
+ {
+- struct resource musb_resources[2];
++ struct resource musb_resources[3];
+ struct musb_hdrc_platform_data *pdata = dev_get_platdata(&pdev->dev);
+ struct platform_device *musb;
+ struct davinci_glue *glue;
+@@ -567,6 +567,15 @@ static int davinci_probe(struct platform_device *pdev)
+ musb_resources[1].end = pdev->resource[1].end;
+ musb_resources[1].flags = pdev->resource[1].flags;
+
++ /*
++ * For DM6467 3 resources are passed. A placeholder for the 3rd
++ * resource is always there, so it's safe to always copy it...
++ */
++ musb_resources[2].name = pdev->resource[2].name;
++ musb_resources[2].start = pdev->resource[2].start;
++ musb_resources[2].end = pdev->resource[2].end;
++ musb_resources[2].flags = pdev->resource[2].flags;
++
+ ret = platform_device_add_resources(musb, musb_resources,
+ ARRAY_SIZE(musb_resources));
+ if (ret) {
+diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c
+index 6ad02f5..3dcf66f 100644
+--- a/drivers/usb/wusbcore/wa-xfer.c
++++ b/drivers/usb/wusbcore/wa-xfer.c
+@@ -91,7 +91,8 @@
+ #include "wusbhc.h"
+
+ enum {
+- WA_SEGS_MAX = 255,
++ /* [WUSB] section 8.3.3 allocates 7 bits for the segment index. */
++ WA_SEGS_MAX = 128,
+ };
+
+ enum wa_seg_status {
+@@ -446,7 +447,7 @@ static ssize_t __wa_xfer_setup_sizes(struct wa_xfer *xfer,
+ }
+ xfer->seg_size = (xfer->seg_size / maxpktsize) * maxpktsize;
+ xfer->segs = DIV_ROUND_UP(urb->transfer_buffer_length, xfer->seg_size);
+- if (xfer->segs >= WA_SEGS_MAX) {
++ if (xfer->segs > WA_SEGS_MAX) {
+ dev_err(dev, "BUG? ops, number of segments %d bigger than %d\n",
+ (int)(urb->transfer_buffer_length / xfer->seg_size),
+ WA_SEGS_MAX);
+diff --git a/drivers/video/kyro/fbdev.c b/drivers/video/kyro/fbdev.c
+index 6157f74..ec7fc87 100644
+--- a/drivers/video/kyro/fbdev.c
++++ b/drivers/video/kyro/fbdev.c
+@@ -625,15 +625,15 @@ static int kyrofb_ioctl(struct fb_info *info,
+ }
+ break;
+ case KYRO_IOCTL_UVSTRIDE:
+- if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(unsigned long)))
++ if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(deviceInfo.ulOverlayUVStride)))
+ return -EFAULT;
+ break;
+ case KYRO_IOCTL_STRIDE:
+- if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(unsigned long)))
++ if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(deviceInfo.ulOverlayStride)))
+ return -EFAULT;
+ break;
+ case KYRO_IOCTL_OVERLAY_OFFSET:
+- if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(unsigned long)))
++ if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(deviceInfo.ulOverlayOffset)))
+ return -EFAULT;
+ break;
+ }
+diff --git a/fs/aio.c b/fs/aio.c
+index 067e3d3..6efb7f6 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -36,10 +36,10 @@
+ #include <linux/eventfd.h>
+ #include <linux/blkdev.h>
+ #include <linux/compat.h>
+-#include <linux/anon_inodes.h>
+ #include <linux/migrate.h>
+ #include <linux/ramfs.h>
+ #include <linux/percpu-refcount.h>
++#include <linux/mount.h>
+
+ #include <asm/kmap_types.h>
+ #include <asm/uaccess.h>
+@@ -80,6 +80,8 @@ struct kioctx {
+ struct percpu_ref users;
+ atomic_t dead;
+
++ struct percpu_ref reqs;
++
+ unsigned long user_id;
+
+ struct __percpu kioctx_cpu *cpu;
+@@ -107,7 +109,6 @@ struct kioctx {
+ struct page **ring_pages;
+ long nr_pages;
+
+- struct rcu_head rcu_head;
+ struct work_struct free_work;
+
+ struct {
+@@ -152,12 +153,67 @@ unsigned long aio_max_nr = 0x10000; /* system wide maximum number of aio request
+ static struct kmem_cache *kiocb_cachep;
+ static struct kmem_cache *kioctx_cachep;
+
++static struct vfsmount *aio_mnt;
++
++static const struct file_operations aio_ring_fops;
++static const struct address_space_operations aio_ctx_aops;
++
++static struct file *aio_private_file(struct kioctx *ctx, loff_t nr_pages)
++{
++ struct qstr this = QSTR_INIT("[aio]", 5);
++ struct file *file;
++ struct path path;
++ struct inode *inode = alloc_anon_inode(aio_mnt->mnt_sb);
++ if (IS_ERR(inode))
++ return ERR_CAST(inode);
++
++ inode->i_mapping->a_ops = &aio_ctx_aops;
++ inode->i_mapping->private_data = ctx;
++ inode->i_size = PAGE_SIZE * nr_pages;
++
++ path.dentry = d_alloc_pseudo(aio_mnt->mnt_sb, &this);
++ if (!path.dentry) {
++ iput(inode);
++ return ERR_PTR(-ENOMEM);
++ }
++ path.mnt = mntget(aio_mnt);
++
++ d_instantiate(path.dentry, inode);
++ file = alloc_file(&path, FMODE_READ | FMODE_WRITE, &aio_ring_fops);
++ if (IS_ERR(file)) {
++ path_put(&path);
++ return file;
++ }
++
++ file->f_flags = O_RDWR;
++ file->private_data = ctx;
++ return file;
++}
++
++static struct dentry *aio_mount(struct file_system_type *fs_type,
++ int flags, const char *dev_name, void *data)
++{
++ static const struct dentry_operations ops = {
++ .d_dname = simple_dname,
++ };
++ return mount_pseudo(fs_type, "aio:", NULL, &ops, 0xa10a10a1);
++}
++
+ /* aio_setup
+ * Creates the slab caches used by the aio routines, panic on
+ * failure as this is done early during the boot sequence.
+ */
+ static int __init aio_setup(void)
+ {
++ static struct file_system_type aio_fs = {
++ .name = "aio",
++ .mount = aio_mount,
++ .kill_sb = kill_anon_super,
++ };
++ aio_mnt = kern_mount(&aio_fs);
++ if (IS_ERR(aio_mnt))
++ panic("Failed to create aio fs mount.");
++
+ kiocb_cachep = KMEM_CACHE(kiocb, SLAB_HWCACHE_ALIGN|SLAB_PANIC);
+ kioctx_cachep = KMEM_CACHE(kioctx,SLAB_HWCACHE_ALIGN|SLAB_PANIC);
+
+@@ -195,8 +251,10 @@ static void aio_free_ring(struct kioctx *ctx)
+
+ put_aio_ring_file(ctx);
+
+- if (ctx->ring_pages && ctx->ring_pages != ctx->internal_pages)
++ if (ctx->ring_pages && ctx->ring_pages != ctx->internal_pages) {
+ kfree(ctx->ring_pages);
++ ctx->ring_pages = NULL;
++ }
+ }
+
+ static int aio_ring_mmap(struct file *file, struct vm_area_struct *vma)
+@@ -283,16 +341,12 @@ static int aio_setup_ring(struct kioctx *ctx)
+ if (nr_pages < 0)
+ return -EINVAL;
+
+- file = anon_inode_getfile_private("[aio]", &aio_ring_fops, ctx, O_RDWR);
++ file = aio_private_file(ctx, nr_pages);
+ if (IS_ERR(file)) {
+ ctx->aio_ring_file = NULL;
+ return -EAGAIN;
+ }
+
+- file->f_inode->i_mapping->a_ops = &aio_ctx_aops;
+- file->f_inode->i_mapping->private_data = ctx;
+- file->f_inode->i_size = PAGE_SIZE * (loff_t)nr_pages;
+-
+ for (i = 0; i < nr_pages; i++) {
+ struct page *page;
+ page = find_or_create_page(file->f_inode->i_mapping,
+@@ -313,8 +367,10 @@ static int aio_setup_ring(struct kioctx *ctx)
+ if (nr_pages > AIO_RING_PAGES) {
+ ctx->ring_pages = kcalloc(nr_pages, sizeof(struct page *),
+ GFP_KERNEL);
+- if (!ctx->ring_pages)
++ if (!ctx->ring_pages) {
++ put_aio_ring_file(ctx);
+ return -ENOMEM;
++ }
+ }
+
+ ctx->mmap_size = nr_pages * PAGE_SIZE;
+@@ -412,26 +468,34 @@ static int kiocb_cancel(struct kioctx *ctx, struct kiocb *kiocb)
+ return cancel(kiocb);
+ }
+
+-static void free_ioctx_rcu(struct rcu_head *head)
++static void free_ioctx(struct work_struct *work)
+ {
+- struct kioctx *ctx = container_of(head, struct kioctx, rcu_head);
++ struct kioctx *ctx = container_of(work, struct kioctx, free_work);
+
++ pr_debug("freeing %p\n", ctx);
++
++ aio_free_ring(ctx);
+ free_percpu(ctx->cpu);
+ kmem_cache_free(kioctx_cachep, ctx);
+ }
+
++static void free_ioctx_reqs(struct percpu_ref *ref)
++{
++ struct kioctx *ctx = container_of(ref, struct kioctx, reqs);
++
++ INIT_WORK(&ctx->free_work, free_ioctx);
++ schedule_work(&ctx->free_work);
++}
++
+ /*
+ * When this function runs, the kioctx has been removed from the "hash table"
+ * and ctx->users has dropped to 0, so we know no more kiocbs can be submitted -
+ * now it's safe to cancel any that need to be.
+ */
+-static void free_ioctx(struct work_struct *work)
++static void free_ioctx_users(struct percpu_ref *ref)
+ {
+- struct kioctx *ctx = container_of(work, struct kioctx, free_work);
+- struct aio_ring *ring;
++ struct kioctx *ctx = container_of(ref, struct kioctx, users);
+ struct kiocb *req;
+- unsigned cpu, avail;
+- DEFINE_WAIT(wait);
+
+ spin_lock_irq(&ctx->ctx_lock);
+
+@@ -445,54 +509,8 @@ static void free_ioctx(struct work_struct *work)
+
+ spin_unlock_irq(&ctx->ctx_lock);
+
+- for_each_possible_cpu(cpu) {
+- struct kioctx_cpu *kcpu = per_cpu_ptr(ctx->cpu, cpu);
+-
+- atomic_add(kcpu->reqs_available, &ctx->reqs_available);
+- kcpu->reqs_available = 0;
+- }
+-
+- while (1) {
+- prepare_to_wait(&ctx->wait, &wait, TASK_UNINTERRUPTIBLE);
+-
+- ring = kmap_atomic(ctx->ring_pages[0]);
+- avail = (ring->head <= ring->tail)
+- ? ring->tail - ring->head
+- : ctx->nr_events - ring->head + ring->tail;
+-
+- atomic_add(avail, &ctx->reqs_available);
+- ring->head = ring->tail;
+- kunmap_atomic(ring);
+-
+- if (atomic_read(&ctx->reqs_available) >= ctx->nr_events - 1)
+- break;
+-
+- schedule();
+- }
+- finish_wait(&ctx->wait, &wait);
+-
+- WARN_ON(atomic_read(&ctx->reqs_available) > ctx->nr_events - 1);
+-
+- aio_free_ring(ctx);
+-
+- pr_debug("freeing %p\n", ctx);
+-
+- /*
+- * Here the call_rcu() is between the wait_event() for reqs_active to
+- * hit 0, and freeing the ioctx.
+- *
+- * aio_complete() decrements reqs_active, but it has to touch the ioctx
+- * after to issue a wakeup so we use rcu.
+- */
+- call_rcu(&ctx->rcu_head, free_ioctx_rcu);
+-}
+-
+-static void free_ioctx_ref(struct percpu_ref *ref)
+-{
+- struct kioctx *ctx = container_of(ref, struct kioctx, users);
+-
+- INIT_WORK(&ctx->free_work, free_ioctx);
+- schedule_work(&ctx->free_work);
++ percpu_ref_kill(&ctx->reqs);
++ percpu_ref_put(&ctx->reqs);
+ }
+
+ static int ioctx_add_table(struct kioctx *ctx, struct mm_struct *mm)
+@@ -551,6 +569,16 @@ static int ioctx_add_table(struct kioctx *ctx, struct mm_struct *mm)
+ }
+ }
+
++static void aio_nr_sub(unsigned nr)
++{
++ spin_lock(&aio_nr_lock);
++ if (WARN_ON(aio_nr - nr > aio_nr))
++ aio_nr = 0;
++ else
++ aio_nr -= nr;
++ spin_unlock(&aio_nr_lock);
++}
++
+ /* ioctx_alloc
+ * Allocates and initializes an ioctx. Returns an ERR_PTR if it failed.
+ */
+@@ -588,8 +616,11 @@ static struct kioctx *ioctx_alloc(unsigned nr_events)
+
+ ctx->max_reqs = nr_events;
+
+- if (percpu_ref_init(&ctx->users, free_ioctx_ref))
+- goto out_freectx;
++ if (percpu_ref_init(&ctx->users, free_ioctx_users))
++ goto err;
++
++ if (percpu_ref_init(&ctx->reqs, free_ioctx_reqs))
++ goto err;
+
+ spin_lock_init(&ctx->ctx_lock);
+ spin_lock_init(&ctx->completion_lock);
+@@ -600,10 +631,10 @@ static struct kioctx *ioctx_alloc(unsigned nr_events)
+
+ ctx->cpu = alloc_percpu(struct kioctx_cpu);
+ if (!ctx->cpu)
+- goto out_freeref;
++ goto err;
+
+ if (aio_setup_ring(ctx) < 0)
+- goto out_freepcpu;
++ goto err;
+
+ atomic_set(&ctx->reqs_available, ctx->nr_events - 1);
+ ctx->req_batch = (ctx->nr_events - 1) / (num_possible_cpus() * 4);
+@@ -615,7 +646,8 @@ static struct kioctx *ioctx_alloc(unsigned nr_events)
+ if (aio_nr + nr_events > (aio_max_nr * 2UL) ||
+ aio_nr + nr_events < aio_nr) {
+ spin_unlock(&aio_nr_lock);
+- goto out_cleanup;
++ err = -EAGAIN;
++ goto err_ctx;
+ }
+ aio_nr += ctx->max_reqs;
+ spin_unlock(&aio_nr_lock);
+@@ -624,23 +656,20 @@ static struct kioctx *ioctx_alloc(unsigned nr_events)
+
+ err = ioctx_add_table(ctx, mm);
+ if (err)
+- goto out_cleanup_put;
++ goto err_cleanup;
+
+ pr_debug("allocated ioctx %p[%ld]: mm=%p mask=0x%x\n",
+ ctx, ctx->user_id, mm, ctx->nr_events);
+ return ctx;
+
+-out_cleanup_put:
+- percpu_ref_put(&ctx->users);
+-out_cleanup:
+- err = -EAGAIN;
++err_cleanup:
++ aio_nr_sub(ctx->max_reqs);
++err_ctx:
+ aio_free_ring(ctx);
+-out_freepcpu:
++err:
+ free_percpu(ctx->cpu);
+-out_freeref:
++ free_percpu(ctx->reqs.pcpu_count);
+ free_percpu(ctx->users.pcpu_count);
+-out_freectx:
+- put_aio_ring_file(ctx);
+ kmem_cache_free(kioctx_cachep, ctx);
+ pr_debug("error allocating ioctx %d\n", err);
+ return ERR_PTR(err);
+@@ -675,10 +704,7 @@ static void kill_ioctx(struct mm_struct *mm, struct kioctx *ctx)
+ * -EAGAIN with no ioctxs actually in use (as far as userspace
+ * could tell).
+ */
+- spin_lock(&aio_nr_lock);
+- BUG_ON(aio_nr - ctx->max_reqs > aio_nr);
+- aio_nr -= ctx->max_reqs;
+- spin_unlock(&aio_nr_lock);
++ aio_nr_sub(ctx->max_reqs);
+
+ if (ctx->mmap_size)
+ vm_munmap(ctx->mmap_base, ctx->mmap_size);
+@@ -810,6 +836,8 @@ static inline struct kiocb *aio_get_req(struct kioctx *ctx)
+ if (unlikely(!req))
+ goto out_put;
+
++ percpu_ref_get(&ctx->reqs);
++
+ req->ki_ctx = ctx;
+ return req;
+ out_put:
+@@ -879,12 +907,6 @@ void aio_complete(struct kiocb *iocb, long res, long res2)
+ return;
+ }
+
+- /*
+- * Take rcu_read_lock() in case the kioctx is being destroyed, as we
+- * need to issue a wakeup after incrementing reqs_available.
+- */
+- rcu_read_lock();
+-
+ if (iocb->ki_list.next) {
+ unsigned long flags;
+
+@@ -959,7 +981,7 @@ void aio_complete(struct kiocb *iocb, long res, long res2)
+ if (waitqueue_active(&ctx->wait))
+ wake_up(&ctx->wait);
+
+- rcu_read_unlock();
++ percpu_ref_put(&ctx->reqs);
+ }
+ EXPORT_SYMBOL(aio_complete);
+
+@@ -1370,6 +1392,7 @@ static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb,
+ return 0;
+ out_put_req:
+ put_reqs_available(ctx, 1);
++ percpu_ref_put(&ctx->reqs);
+ kiocb_free(req);
+ return ret;
+ }
+diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
+index 85c9618..22f9698 100644
+--- a/fs/anon_inodes.c
++++ b/fs/anon_inodes.c
+@@ -24,7 +24,6 @@
+
+ static struct vfsmount *anon_inode_mnt __read_mostly;
+ static struct inode *anon_inode_inode;
+-static const struct file_operations anon_inode_fops;
+
+ /*
+ * anon_inodefs_dname() is called from d_path().
+@@ -39,51 +38,6 @@ static const struct dentry_operations anon_inodefs_dentry_operations = {
+ .d_dname = anon_inodefs_dname,
+ };
+
+-/*
+- * nop .set_page_dirty method so that people can use .page_mkwrite on
+- * anon inodes.
+- */
+-static int anon_set_page_dirty(struct page *page)
+-{
+- return 0;
+-};
+-
+-static const struct address_space_operations anon_aops = {
+- .set_page_dirty = anon_set_page_dirty,
+-};
+-
+-/*
+- * A single inode exists for all anon_inode files. Contrary to pipes,
+- * anon_inode inodes have no associated per-instance data, so we need
+- * only allocate one of them.
+- */
+-static struct inode *anon_inode_mkinode(struct super_block *s)
+-{
+- struct inode *inode = new_inode_pseudo(s);
+-
+- if (!inode)
+- return ERR_PTR(-ENOMEM);
+-
+- inode->i_ino = get_next_ino();
+- inode->i_fop = &anon_inode_fops;
+-
+- inode->i_mapping->a_ops = &anon_aops;
+-
+- /*
+- * Mark the inode dirty from the very beginning,
+- * that way it will never be moved to the dirty
+- * list because mark_inode_dirty() will think
+- * that it already _is_ on the dirty list.
+- */
+- inode->i_state = I_DIRTY;
+- inode->i_mode = S_IRUSR | S_IWUSR;
+- inode->i_uid = current_fsuid();
+- inode->i_gid = current_fsgid();
+- inode->i_flags |= S_PRIVATE;
+- inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME;
+- return inode;
+-}
+-
+ static struct dentry *anon_inodefs_mount(struct file_system_type *fs_type,
+ int flags, const char *dev_name, void *data)
+ {
+@@ -92,7 +46,7 @@ static struct dentry *anon_inodefs_mount(struct file_system_type *fs_type,
+ &anon_inodefs_dentry_operations, ANON_INODE_FS_MAGIC);
+ if (!IS_ERR(root)) {
+ struct super_block *s = root->d_sb;
+- anon_inode_inode = anon_inode_mkinode(s);
++ anon_inode_inode = alloc_anon_inode(s);
+ if (IS_ERR(anon_inode_inode)) {
+ dput(root);
+ deactivate_locked_super(s);
+@@ -134,7 +88,7 @@ struct file *anon_inode_getfile_private(const char *name,
+ if (fops->owner && !try_module_get(fops->owner))
+ return ERR_PTR(-ENOENT);
+
+- inode = anon_inode_mkinode(anon_inode_mnt->mnt_sb);
++ inode = alloc_anon_inode(anon_inode_mnt->mnt_sb);
+ if (IS_ERR(inode)) {
+ file = ERR_PTR(-ENOMEM);
+ goto err_module;
+diff --git a/fs/libfs.c b/fs/libfs.c
+index 3a3a9b5..193e0c2 100644
+--- a/fs/libfs.c
++++ b/fs/libfs.c
+@@ -993,3 +993,46 @@ EXPORT_SYMBOL_GPL(simple_attr_open);
+ EXPORT_SYMBOL_GPL(simple_attr_release);
+ EXPORT_SYMBOL_GPL(simple_attr_read);
+ EXPORT_SYMBOL_GPL(simple_attr_write);
++
++/*
++ * nop .set_page_dirty method so that people can use .page_mkwrite on
++ * anon inodes.
++ */
++static int anon_set_page_dirty(struct page *page)
++{
++ return 0;
++};
++
++/*
++ * A single inode exists for all anon_inode files. Contrary to pipes,
++ * anon_inode inodes have no associated per-instance data, so we need
++ * only allocate one of them.
++ */
++struct inode *alloc_anon_inode(struct super_block *s)
++{
++ static const struct address_space_operations anon_aops = {
++ .set_page_dirty = anon_set_page_dirty,
++ };
++ struct inode *inode = new_inode_pseudo(s);
++
++ if (!inode)
++ return ERR_PTR(-ENOMEM);
++
++ inode->i_ino = get_next_ino();
++ inode->i_mapping->a_ops = &anon_aops;
++
++ /*
++ * Mark the inode dirty from the very beginning,
++ * that way it will never be moved to the dirty
++ * list because mark_inode_dirty() will think
++ * that it already _is_ on the dirty list.
++ */
++ inode->i_state = I_DIRTY;
++ inode->i_mode = S_IRUSR | S_IWUSR;
++ inode->i_uid = current_fsuid();
++ inode->i_gid = current_fsgid();
++ inode->i_flags |= S_PRIVATE;
++ inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME;
++ return inode;
++}
++EXPORT_SYMBOL(alloc_anon_inode);
+diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
+index 668e8f4..2e1e6c3 100644
+--- a/fs/xfs/xfs_ioctl.c
++++ b/fs/xfs/xfs_ioctl.c
+@@ -1717,6 +1717,12 @@ xfs_file_ioctl(
+ if (mp->m_flags & XFS_MOUNT_RDONLY)
+ return -XFS_ERROR(EROFS);
+
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
++
++ if (mp->m_flags & XFS_MOUNT_RDONLY)
++ return -XFS_ERROR(EROFS);
++
+ if (copy_from_user(&eofb, arg, sizeof(eofb)))
+ return -XFS_ERROR(EFAULT);
+
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 3f40547..fefa7b0 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -2562,6 +2562,7 @@ extern int simple_write_begin(struct file *file, struct address_space *mapping,
+ extern int simple_write_end(struct file *file, struct address_space *mapping,
+ loff_t pos, unsigned len, unsigned copied,
+ struct page *page, void *fsdata);
++extern struct inode *alloc_anon_inode(struct super_block *);
+
+ extern struct dentry *simple_lookup(struct inode *, struct dentry *, unsigned int flags);
+ extern ssize_t generic_read_dir(struct file *, char __user *, size_t, loff_t *);
+diff --git a/include/linux/net.h b/include/linux/net.h
+index 4f27575..8bd9d92 100644
+--- a/include/linux/net.h
++++ b/include/linux/net.h
+@@ -163,6 +163,14 @@ struct proto_ops {
+ #endif
+ int (*sendmsg) (struct kiocb *iocb, struct socket *sock,
+ struct msghdr *m, size_t total_len);
++ /* Notes for implementing recvmsg:
++ * ===============================
++ * msg->msg_namelen should get updated by the recvmsg handlers
++ * iff msg_name != NULL. It is by default 0 to prevent
++ * returning uninitialized memory to user space. The recvfrom
++ * handlers can assume that msg.msg_name is either NULL or has
++ * a minimum size of sizeof(struct sockaddr_storage).
++ */
+ int (*recvmsg) (struct kiocb *iocb, struct socket *sock,
+ struct msghdr *m, size_t total_len,
+ int flags);
+diff --git a/include/linux/random.h b/include/linux/random.h
+index 6312dd9..bf9085e 100644
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -50,9 +50,9 @@ static inline void prandom_seed_state(struct rnd_state *state, u64 seed)
+ {
+ u32 i = (seed >> 32) ^ (seed << 10) ^ seed;
+
+- state->s1 = __seed(i, 1);
+- state->s2 = __seed(i, 7);
+- state->s3 = __seed(i, 15);
++ state->s1 = __seed(i, 2);
++ state->s2 = __seed(i, 8);
++ state->s3 = __seed(i, 16);
+ }
+
+ #ifdef CONFIG_ARCH_RANDOM
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index c2d8933..f66f346 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -333,11 +333,6 @@ typedef unsigned int sk_buff_data_t;
+ typedef unsigned char *sk_buff_data_t;
+ #endif
+
+-#if defined(CONFIG_NF_DEFRAG_IPV4) || defined(CONFIG_NF_DEFRAG_IPV4_MODULE) || \
+- defined(CONFIG_NF_DEFRAG_IPV6) || defined(CONFIG_NF_DEFRAG_IPV6_MODULE)
+-#define NET_SKBUFF_NF_DEFRAG_NEEDED 1
+-#endif
+-
+ /**
+ * struct sk_buff - socket buffer
+ * @next: Next buffer in list
+@@ -370,7 +365,6 @@ typedef unsigned char *sk_buff_data_t;
+ * @protocol: Packet protocol from driver
+ * @destructor: Destruct function
+ * @nfct: Associated connection, if any
+- * @nfct_reasm: netfilter conntrack re-assembly pointer
+ * @nf_bridge: Saved data about a bridged frame - see br_netfilter.c
+ * @skb_iif: ifindex of device we arrived on
+ * @tc_index: Traffic control index
+@@ -459,9 +453,6 @@ struct sk_buff {
+ #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+ struct nf_conntrack *nfct;
+ #endif
+-#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED
+- struct sk_buff *nfct_reasm;
+-#endif
+ #ifdef CONFIG_BRIDGE_NETFILTER
+ struct nf_bridge_info *nf_bridge;
+ #endif
+@@ -2605,18 +2596,6 @@ static inline void nf_conntrack_get(struct nf_conntrack *nfct)
+ atomic_inc(&nfct->use);
+ }
+ #endif
+-#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED
+-static inline void nf_conntrack_get_reasm(struct sk_buff *skb)
+-{
+- if (skb)
+- atomic_inc(&skb->users);
+-}
+-static inline void nf_conntrack_put_reasm(struct sk_buff *skb)
+-{
+- if (skb)
+- kfree_skb(skb);
+-}
+-#endif
+ #ifdef CONFIG_BRIDGE_NETFILTER
+ static inline void nf_bridge_put(struct nf_bridge_info *nf_bridge)
+ {
+@@ -2635,10 +2614,6 @@ static inline void nf_reset(struct sk_buff *skb)
+ nf_conntrack_put(skb->nfct);
+ skb->nfct = NULL;
+ #endif
+-#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED
+- nf_conntrack_put_reasm(skb->nfct_reasm);
+- skb->nfct_reasm = NULL;
+-#endif
+ #ifdef CONFIG_BRIDGE_NETFILTER
+ nf_bridge_put(skb->nf_bridge);
+ skb->nf_bridge = NULL;
+@@ -2660,10 +2635,6 @@ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src)
+ nf_conntrack_get(src->nfct);
+ dst->nfctinfo = src->nfctinfo;
+ #endif
+-#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED
+- dst->nfct_reasm = src->nfct_reasm;
+- nf_conntrack_get_reasm(src->nfct_reasm);
+-#endif
+ #ifdef CONFIG_BRIDGE_NETFILTER
+ dst->nf_bridge = src->nf_bridge;
+ nf_bridge_get(src->nf_bridge);
+@@ -2675,9 +2646,6 @@ static inline void nf_copy(struct sk_buff *dst, const struct sk_buff *src)
+ #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+ nf_conntrack_put(dst->nfct);
+ #endif
+-#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED
+- nf_conntrack_put_reasm(dst->nfct_reasm);
+-#endif
+ #ifdef CONFIG_BRIDGE_NETFILTER
+ nf_bridge_put(dst->nf_bridge);
+ #endif
+diff --git a/include/linux/vm_event_item.h b/include/linux/vm_event_item.h
+index 1855f0a..c557c6d 100644
+--- a/include/linux/vm_event_item.h
++++ b/include/linux/vm_event_item.h
+@@ -39,6 +39,7 @@ enum vm_event_item { PGPGIN, PGPGOUT, PSWPIN, PSWPOUT,
+ PAGEOUTRUN, ALLOCSTALL, PGROTATED,
+ #ifdef CONFIG_NUMA_BALANCING
+ NUMA_PTE_UPDATES,
++ NUMA_HUGE_PTE_UPDATES,
+ NUMA_HINT_FAULTS,
+ NUMA_HINT_FAULTS_LOCAL,
+ NUMA_PAGE_MIGRATE,
+diff --git a/include/net/ip.h b/include/net/ip.h
+index 5e52688..301f10c 100644
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -464,7 +464,7 @@ extern int compat_ip_getsockopt(struct sock *sk, int level,
+ int optname, char __user *optval, int __user *optlen);
+ extern int ip_ra_control(struct sock *sk, unsigned char on, void (*destructor)(struct sock *));
+
+-extern int ip_recv_error(struct sock *sk, struct msghdr *msg, int len);
++extern int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len);
+ extern void ip_icmp_error(struct sock *sk, struct sk_buff *skb, int err,
+ __be16 port, u32 info, u8 *payload);
+ extern void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 dport,
+diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
+index 9c4d37e..772252d 100644
+--- a/include/net/ip_vs.h
++++ b/include/net/ip_vs.h
+@@ -109,7 +109,6 @@ extern int ip_vs_conn_tab_size;
+ struct ip_vs_iphdr {
+ __u32 len; /* IPv4 simply where L4 starts
+ IPv6 where L4 Transport Header starts */
+- __u32 thoff_reasm; /* Transport Header Offset in nfct_reasm skb */
+ __u16 fragoffs; /* IPv6 fragment offset, 0 if first frag (or not frag)*/
+ __s16 protocol;
+ __s32 flags;
+@@ -117,34 +116,12 @@ struct ip_vs_iphdr {
+ union nf_inet_addr daddr;
+ };
+
+-/* Dependency to module: nf_defrag_ipv6 */
+-#if defined(CONFIG_NF_DEFRAG_IPV6) || defined(CONFIG_NF_DEFRAG_IPV6_MODULE)
+-static inline struct sk_buff *skb_nfct_reasm(const struct sk_buff *skb)
+-{
+- return skb->nfct_reasm;
+-}
+-static inline void *frag_safe_skb_hp(const struct sk_buff *skb, int offset,
+- int len, void *buffer,
+- const struct ip_vs_iphdr *ipvsh)
+-{
+- if (unlikely(ipvsh->fragoffs && skb_nfct_reasm(skb)))
+- return skb_header_pointer(skb_nfct_reasm(skb),
+- ipvsh->thoff_reasm, len, buffer);
+-
+- return skb_header_pointer(skb, offset, len, buffer);
+-}
+-#else
+-static inline struct sk_buff *skb_nfct_reasm(const struct sk_buff *skb)
+-{
+- return NULL;
+-}
+ static inline void *frag_safe_skb_hp(const struct sk_buff *skb, int offset,
+ int len, void *buffer,
+ const struct ip_vs_iphdr *ipvsh)
+ {
+ return skb_header_pointer(skb, offset, len, buffer);
+ }
+-#endif
+
+ static inline void
+ ip_vs_fill_ip4hdr(const void *nh, struct ip_vs_iphdr *iphdr)
+@@ -171,19 +148,12 @@ ip_vs_fill_iph_skb(int af, const struct sk_buff *skb, struct ip_vs_iphdr *iphdr)
+ (struct ipv6hdr *)skb_network_header(skb);
+ iphdr->saddr.in6 = iph->saddr;
+ iphdr->daddr.in6 = iph->daddr;
+- /* ipv6_find_hdr() updates len, flags, thoff_reasm */
+- iphdr->thoff_reasm = 0;
++ /* ipv6_find_hdr() updates len, flags */
+ iphdr->len = 0;
+ iphdr->flags = 0;
+ iphdr->protocol = ipv6_find_hdr(skb, &iphdr->len, -1,
+ &iphdr->fragoffs,
+ &iphdr->flags);
+- /* get proto from re-assembled packet and it's offset */
+- if (skb_nfct_reasm(skb))
+- iphdr->protocol = ipv6_find_hdr(skb_nfct_reasm(skb),
+- &iphdr->thoff_reasm,
+- -1, NULL, NULL);
+-
+ } else
+ #endif
+ {
+diff --git a/include/net/ipv6.h b/include/net/ipv6.h
+index bbf1c8f..1f96efd 100644
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -802,8 +802,10 @@ extern int compat_ipv6_getsockopt(struct sock *sk,
+ extern int ip6_datagram_connect(struct sock *sk,
+ struct sockaddr *addr, int addr_len);
+
+-extern int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len);
+-extern int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len);
++extern int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len,
++ int *addr_len);
++extern int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len,
++ int *addr_len);
+ extern void ipv6_icmp_error(struct sock *sk, struct sk_buff *skb, int err, __be16 port,
+ u32 info, u8 *payload);
+ extern void ipv6_local_error(struct sock *sk, int err, struct flowi6 *fl6, u32 info);
+diff --git a/include/net/netfilter/ipv6/nf_defrag_ipv6.h b/include/net/netfilter/ipv6/nf_defrag_ipv6.h
+index fd79c9a..17920d8 100644
+--- a/include/net/netfilter/ipv6/nf_defrag_ipv6.h
++++ b/include/net/netfilter/ipv6/nf_defrag_ipv6.h
+@@ -6,10 +6,7 @@ extern void nf_defrag_ipv6_enable(void);
+ extern int nf_ct_frag6_init(void);
+ extern void nf_ct_frag6_cleanup(void);
+ extern struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user);
+-extern void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb,
+- struct net_device *in,
+- struct net_device *out,
+- int (*okfn)(struct sk_buff *));
++extern void nf_ct_frag6_consume_orig(struct sk_buff *skb);
+
+ struct inet_frags_ctl;
+
+diff --git a/include/net/ping.h b/include/net/ping.h
+index 5db0224..2b496e9 100644
+--- a/include/net/ping.h
++++ b/include/net/ping.h
+@@ -31,7 +31,8 @@
+
+ /* Compatibility glue so we can support IPv6 when it's compiled as a module */
+ struct pingv6_ops {
+- int (*ipv6_recv_error)(struct sock *sk, struct msghdr *msg, int len);
++ int (*ipv6_recv_error)(struct sock *sk, struct msghdr *msg, int len,
++ int *addr_len);
+ int (*ip6_datagram_recv_ctl)(struct sock *sk, struct msghdr *msg,
+ struct sk_buff *skb);
+ int (*icmpv6_err_convert)(u8 type, u8 code, int *err);
+diff --git a/include/uapi/linux/pkt_sched.h b/include/uapi/linux/pkt_sched.h
+index 9b82913..66f925d 100644
+--- a/include/uapi/linux/pkt_sched.h
++++ b/include/uapi/linux/pkt_sched.h
+@@ -759,13 +759,14 @@ enum {
+
+ TCA_FQ_RATE_ENABLE, /* enable/disable rate limiting */
+
+- TCA_FQ_FLOW_DEFAULT_RATE,/* for sockets with unspecified sk_rate,
+- * use the following rate
+- */
++ TCA_FQ_FLOW_DEFAULT_RATE,/* obsolete, do not use */
+
+ TCA_FQ_FLOW_MAX_RATE, /* per flow max rate */
+
+ TCA_FQ_BUCKETS_LOG, /* log2(number of buckets) */
++
++ TCA_FQ_FLOW_REFILL_DELAY, /* flow credit refill delay in usec */
++
+ __TCA_FQ_MAX
+ };
+
+diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
+index bb22151..af8d1d4 100644
+--- a/kernel/time/ntp.c
++++ b/kernel/time/ntp.c
+@@ -475,6 +475,7 @@ static void sync_cmos_clock(struct work_struct *work)
+ * called as close as possible to 500 ms before the new second starts.
+ * This code is run on a timer. If the clock is set, that timer
+ * may not expire at the correct time. Thus, we adjust...
++ * We want the clock to be within a couple of ticks from the target.
+ */
+ if (!ntp_synced()) {
+ /*
+@@ -485,7 +486,7 @@ static void sync_cmos_clock(struct work_struct *work)
+ }
+
+ getnstimeofday(&now);
+- if (abs(now.tv_nsec - (NSEC_PER_SEC / 2)) <= tick_nsec / 2) {
++ if (abs(now.tv_nsec - (NSEC_PER_SEC / 2)) <= tick_nsec * 5) {
+ struct timespec adjust = now;
+
+ fail = -ENODEV;
+diff --git a/lib/random32.c b/lib/random32.c
+index 52280d5..01e8890 100644
+--- a/lib/random32.c
++++ b/lib/random32.c
+@@ -141,7 +141,7 @@ void prandom_seed(u32 entropy)
+ */
+ for_each_possible_cpu (i) {
+ struct rnd_state *state = &per_cpu(net_rand_state, i);
+- state->s1 = __seed(state->s1 ^ entropy, 1);
++ state->s1 = __seed(state->s1 ^ entropy, 2);
+ }
+ }
+ EXPORT_SYMBOL(prandom_seed);
+@@ -158,9 +158,9 @@ static int __init prandom_init(void)
+ struct rnd_state *state = &per_cpu(net_rand_state,i);
+
+ #define LCG(x) ((x) * 69069) /* super-duper LCG */
+- state->s1 = __seed(LCG(i + jiffies), 1);
+- state->s2 = __seed(LCG(state->s1), 7);
+- state->s3 = __seed(LCG(state->s2), 15);
++ state->s1 = __seed(LCG(i + jiffies), 2);
++ state->s2 = __seed(LCG(state->s1), 8);
++ state->s3 = __seed(LCG(state->s2), 16);
+
+ /* "warm it up" */
+ prandom_u32_state(state);
+@@ -187,9 +187,9 @@ static int __init prandom_reseed(void)
+ u32 seeds[3];
+
+ get_random_bytes(&seeds, sizeof(seeds));
+- state->s1 = __seed(seeds[0], 1);
+- state->s2 = __seed(seeds[1], 7);
+- state->s3 = __seed(seeds[2], 15);
++ state->s1 = __seed(seeds[0], 2);
++ state->s2 = __seed(seeds[1], 8);
++ state->s3 = __seed(seeds[2], 16);
+
+ /* mix it in */
+ prandom_u32_state(state);
+diff --git a/mm/mprotect.c b/mm/mprotect.c
+index 412ba2b..6c3f56f 100644
+--- a/mm/mprotect.c
++++ b/mm/mprotect.c
+@@ -138,6 +138,7 @@ static inline unsigned long change_pmd_range(struct vm_area_struct *vma,
+ pmd_t *pmd;
+ unsigned long next;
+ unsigned long pages = 0;
++ unsigned long nr_huge_updates = 0;
+ bool all_same_node;
+
+ pmd = pmd_offset(pud, addr);
+@@ -148,7 +149,8 @@ static inline unsigned long change_pmd_range(struct vm_area_struct *vma,
+ split_huge_page_pmd(vma, addr, pmd);
+ else if (change_huge_pmd(vma, pmd, addr, newprot,
+ prot_numa)) {
+- pages++;
++ pages += HPAGE_PMD_NR;
++ nr_huge_updates++;
+ continue;
+ }
+ /* fall through */
+@@ -168,6 +170,9 @@ static inline unsigned long change_pmd_range(struct vm_area_struct *vma,
+ change_pmd_protnuma(vma->vm_mm, addr, pmd);
+ } while (pmd++, addr = next, addr != end);
+
++ if (nr_huge_updates)
++ count_vm_numa_events(NUMA_HUGE_PTE_UPDATES, nr_huge_updates);
++
+ return pages;
+ }
+
+diff --git a/mm/vmstat.c b/mm/vmstat.c
+index 9bb3145..5a442a7 100644
+--- a/mm/vmstat.c
++++ b/mm/vmstat.c
+@@ -812,6 +812,7 @@ const char * const vmstat_text[] = {
+
+ #ifdef CONFIG_NUMA_BALANCING
+ "numa_pte_updates",
++ "numa_huge_pte_updates",
+ "numa_hint_faults",
+ "numa_hint_faults_local",
+ "numa_pages_migrated",
+diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
+index 7fee50d..7d424ac 100644
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1735,7 +1735,6 @@ static int atalk_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr
+ size_t size, int flags)
+ {
+ struct sock *sk = sock->sk;
+- struct sockaddr_at *sat = (struct sockaddr_at *)msg->msg_name;
+ struct ddpehdr *ddp;
+ int copied = 0;
+ int offset = 0;
+@@ -1764,14 +1763,13 @@ static int atalk_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr
+ }
+ err = skb_copy_datagram_iovec(skb, offset, msg->msg_iov, copied);
+
+- if (!err) {
+- if (sat) {
+- sat->sat_family = AF_APPLETALK;
+- sat->sat_port = ddp->deh_sport;
+- sat->sat_addr.s_node = ddp->deh_snode;
+- sat->sat_addr.s_net = ddp->deh_snet;
+- }
+- msg->msg_namelen = sizeof(*sat);
++ if (!err && msg->msg_name) {
++ struct sockaddr_at *sat = msg->msg_name;
++ sat->sat_family = AF_APPLETALK;
++ sat->sat_port = ddp->deh_sport;
++ sat->sat_addr.s_node = ddp->deh_snode;
++ sat->sat_addr.s_net = ddp->deh_snet;
++ msg->msg_namelen = sizeof(*sat);
+ }
+
+ skb_free_datagram(sk, skb); /* Free the datagram. */
+diff --git a/net/atm/common.c b/net/atm/common.c
+index 737bef5..7b49100 100644
+--- a/net/atm/common.c
++++ b/net/atm/common.c
+@@ -531,8 +531,6 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
+ struct sk_buff *skb;
+ int copied, error = -EINVAL;
+
+- msg->msg_namelen = 0;
+-
+ if (sock->state != SS_CONNECTED)
+ return -ENOTCONN;
+
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index 4b4d2b7..78c474f 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -1636,11 +1636,11 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock,
+
+ skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+
+- if (msg->msg_namelen != 0) {
+- struct sockaddr_ax25 *sax = (struct sockaddr_ax25 *)msg->msg_name;
++ if (msg->msg_name) {
+ ax25_digi digi;
+ ax25_address src;
+ const unsigned char *mac = skb_mac_header(skb);
++ struct sockaddr_ax25 *sax = msg->msg_name;
+
+ memset(sax, 0, sizeof(struct full_sockaddr_ax25));
+ ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL,
+diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
+index 9096137..6629cdc 100644
+--- a/net/bluetooth/af_bluetooth.c
++++ b/net/bluetooth/af_bluetooth.c
+@@ -221,8 +221,6 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ if (flags & (MSG_OOB))
+ return -EOPNOTSUPP;
+
+- msg->msg_namelen = 0;
+-
+ skb = skb_recv_datagram(sk, flags, noblock, &err);
+ if (!skb) {
+ if (sk->sk_shutdown & RCV_SHUTDOWN)
+@@ -287,8 +285,6 @@ int bt_sock_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
+ if (flags & MSG_OOB)
+ return -EOPNOTSUPP;
+
+- msg->msg_namelen = 0;
+-
+ BT_DBG("sk %p size %zu", sk, size);
+
+ lock_sock(sk);
+diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
+index 9bd7d95..fa4bf66 100644
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -752,8 +752,6 @@ static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ if (!skb)
+ return err;
+
+- msg->msg_namelen = 0;
+-
+ copied = skb->len;
+ if (len < copied) {
+ msg->msg_flags |= MSG_TRUNC;
+diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
+index 30b3721..c1c6028 100644
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -608,7 +608,6 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+
+ if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
+ rfcomm_dlc_accept(d);
+- msg->msg_namelen = 0;
+ return 0;
+ }
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 96bd388..d021e44 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -715,7 +715,6 @@ static int sco_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
+ sco_conn_defer_accept(pi->conn->hcon, pi->setting);
+ sk->sk_state = BT_CONFIG;
+- msg->msg_namelen = 0;
+
+ release_sock(sk);
+ return 0;
+diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
+index c41d5fb..547504c 100644
+--- a/net/bridge/br_if.c
++++ b/net/bridge/br_if.c
+@@ -172,6 +172,8 @@ void br_dev_delete(struct net_device *dev, struct list_head *head)
+ del_nbp(p);
+ }
+
++ br_fdb_delete_by_port(br, NULL, 1);
++
+ del_timer_sync(&br->gc_timer);
+
+ br_sysfs_delbr(br->dev);
+diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
+index 05a41c7..d6be3ed 100644
+--- a/net/caif/caif_socket.c
++++ b/net/caif/caif_socket.c
+@@ -286,8 +286,6 @@ static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock,
+ if (m->msg_flags&MSG_OOB)
+ goto read_error;
+
+- m->msg_namelen = 0;
+-
+ skb = skb_recv_datagram(sk, flags, 0 , &ret);
+ if (!skb)
+ goto read_error;
+@@ -361,8 +359,6 @@ static int caif_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
+ if (flags&MSG_OOB)
+ goto out;
+
+- msg->msg_namelen = 0;
+-
+ /*
+ * Lock the socket to prevent queue disordering
+ * while sleeps in memcpy_tomsg
+diff --git a/net/compat.c b/net/compat.c
+index 8903258..dd32e34 100644
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -72,7 +72,7 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
+ __get_user(kmsg->msg_flags, &umsg->msg_flags))
+ return -EFAULT;
+ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
+- return -EINVAL;
++ kmsg->msg_namelen = sizeof(struct sockaddr_storage);
+ kmsg->msg_name = compat_ptr(tmp1);
+ kmsg->msg_iov = compat_ptr(tmp2);
+ kmsg->msg_control = compat_ptr(tmp3);
+@@ -93,7 +93,8 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+ if (err < 0)
+ return err;
+ }
+- kern_msg->msg_name = kern_address;
++ if (kern_msg->msg_name)
++ kern_msg->msg_name = kern_address;
+ } else
+ kern_msg->msg_name = NULL;
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 3430b1e..3d13874 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1691,13 +1691,9 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
+ kfree_skb(skb);
+ return NET_RX_DROP;
+ }
+- skb->protocol = eth_type_trans(skb, dev);
+
+- /* eth_type_trans() can set pkt_type.
+- * call skb_scrub_packet() after it to clear pkt_type _after_ calling
+- * eth_type_trans().
+- */
+ skb_scrub_packet(skb, true);
++ skb->protocol = eth_type_trans(skb, dev);
+
+ return netif_rx(skb);
+ }
+@@ -4819,7 +4815,7 @@ static void dev_change_rx_flags(struct net_device *dev, int flags)
+ {
+ const struct net_device_ops *ops = dev->netdev_ops;
+
+- if ((dev->flags & IFF_UP) && ops->ndo_change_rx_flags)
++ if (ops->ndo_change_rx_flags)
+ ops->ndo_change_rx_flags(dev, flags);
+ }
+
+diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
+index 2e65413..f409e0b 100644
+--- a/net/core/fib_rules.c
++++ b/net/core/fib_rules.c
+@@ -460,7 +460,8 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh)
+ if (frh->action && (frh->action != rule->action))
+ continue;
+
+- if (frh->table && (frh_get_table(frh, tb) != rule->table))
++ if (frh_get_table(frh, tb) &&
++ (frh_get_table(frh, tb) != rule->table))
+ continue;
+
+ if (tb[FRA_PRIORITY] &&
+diff --git a/net/core/iovec.c b/net/core/iovec.c
+index b77eeec..7d84ea1 100644
+--- a/net/core/iovec.c
++++ b/net/core/iovec.c
+@@ -48,7 +48,8 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a
+ if (err < 0)
+ return err;
+ }
+- m->msg_name = address;
++ if (m->msg_name)
++ m->msg_name = address;
+ } else {
+ m->msg_name = NULL;
+ }
+diff --git a/net/core/pktgen.c b/net/core/pktgen.c
+index 261357a..a797fff 100644
+--- a/net/core/pktgen.c
++++ b/net/core/pktgen.c
+@@ -2527,6 +2527,8 @@ static int process_ipsec(struct pktgen_dev *pkt_dev,
+ if (x) {
+ int ret;
+ __u8 *eth;
++ struct iphdr *iph;
++
+ nhead = x->props.header_len - skb_headroom(skb);
+ if (nhead > 0) {
+ ret = pskb_expand_head(skb, nhead, 0, GFP_ATOMIC);
+@@ -2548,6 +2550,11 @@ static int process_ipsec(struct pktgen_dev *pkt_dev,
+ eth = (__u8 *) skb_push(skb, ETH_HLEN);
+ memcpy(eth, pkt_dev->hh, 12);
+ *(u16 *) ð[12] = protocol;
++
++ /* Update IPv4 header len as well as checksum value */
++ iph = ip_hdr(skb);
++ iph->tot_len = htons(skb->len - ETH_HLEN);
++ ip_send_check(iph);
+ }
+ }
+ return 1;
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index d81cff1..c28c7fe 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -580,9 +580,6 @@ static void skb_release_head_state(struct sk_buff *skb)
+ #if IS_ENABLED(CONFIG_NF_CONNTRACK)
+ nf_conntrack_put(skb->nfct);
+ #endif
+-#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED
+- nf_conntrack_put_reasm(skb->nfct_reasm);
+-#endif
+ #ifdef CONFIG_BRIDGE_NETFILTER
+ nf_bridge_put(skb->nf_bridge);
+ #endif
+@@ -2758,6 +2755,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features)
+ struct sk_buff *segs = NULL;
+ struct sk_buff *tail = NULL;
+ struct sk_buff *fskb = skb_shinfo(skb)->frag_list;
++ skb_frag_t *skb_frag = skb_shinfo(skb)->frags;
+ unsigned int mss = skb_shinfo(skb)->gso_size;
+ unsigned int doffset = skb->data - skb_mac_header(skb);
+ unsigned int offset = doffset;
+@@ -2797,16 +2795,38 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features)
+ if (hsize > len || !sg)
+ hsize = len;
+
+- if (!hsize && i >= nfrags) {
+- BUG_ON(fskb->len != len);
++ if (!hsize && i >= nfrags && skb_headlen(fskb) &&
++ (skb_headlen(fskb) == len || sg)) {
++ BUG_ON(skb_headlen(fskb) > len);
++
++ i = 0;
++ nfrags = skb_shinfo(fskb)->nr_frags;
++ skb_frag = skb_shinfo(fskb)->frags;
++ pos += skb_headlen(fskb);
++
++ while (pos < offset + len) {
++ BUG_ON(i >= nfrags);
++
++ size = skb_frag_size(skb_frag);
++ if (pos + size > offset + len)
++ break;
++
++ i++;
++ pos += size;
++ skb_frag++;
++ }
+
+- pos += len;
+ nskb = skb_clone(fskb, GFP_ATOMIC);
+ fskb = fskb->next;
+
+ if (unlikely(!nskb))
+ goto err;
+
++ if (unlikely(pskb_trim(nskb, len))) {
++ kfree_skb(nskb);
++ goto err;
++ }
++
+ hsize = skb_end_offset(nskb);
+ if (skb_cow_head(nskb, doffset + headroom)) {
+ kfree_skb(nskb);
+@@ -2850,7 +2870,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features)
+ nskb->data - tnl_hlen,
+ doffset + tnl_hlen);
+
+- if (fskb != skb_shinfo(skb)->frag_list)
++ if (nskb->len == len + doffset)
+ goto perform_csum_check;
+
+ if (!sg) {
+@@ -2868,8 +2888,28 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features)
+
+ skb_shinfo(nskb)->tx_flags = skb_shinfo(skb)->tx_flags & SKBTX_SHARED_FRAG;
+
+- while (pos < offset + len && i < nfrags) {
+- *frag = skb_shinfo(skb)->frags[i];
++ while (pos < offset + len) {
++ if (i >= nfrags) {
++ BUG_ON(skb_headlen(fskb));
++
++ i = 0;
++ nfrags = skb_shinfo(fskb)->nr_frags;
++ skb_frag = skb_shinfo(fskb)->frags;
++
++ BUG_ON(!nfrags);
++
++ fskb = fskb->next;
++ }
++
++ if (unlikely(skb_shinfo(nskb)->nr_frags >=
++ MAX_SKB_FRAGS)) {
++ net_warn_ratelimited(
++ "skb_segment: too many frags: %u %u\n",
++ pos, mss);
++ goto err;
++ }
++
++ *frag = *skb_frag;
+ __skb_frag_ref(frag);
+ size = skb_frag_size(frag);
+
+@@ -2882,6 +2922,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features)
+
+ if (pos + size <= offset + len) {
+ i++;
++ skb_frag++;
+ pos += size;
+ } else {
+ skb_frag_size_sub(frag, pos + size - (offset + len));
+@@ -2891,25 +2932,6 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features)
+ frag++;
+ }
+
+- if (pos < offset + len) {
+- struct sk_buff *fskb2 = fskb;
+-
+- BUG_ON(pos + fskb->len != offset + len);
+-
+- pos += fskb->len;
+- fskb = fskb->next;
+-
+- if (fskb2->next) {
+- fskb2 = skb_clone(fskb2, GFP_ATOMIC);
+- if (!fskb2)
+- goto err;
+- } else
+- skb_get(fskb2);
+-
+- SKB_FRAG_ASSERT(nskb);
+- skb_shinfo(nskb)->frag_list = fskb2;
+- }
+-
+ skip_fraglist:
+ nskb->data_len = len - hsize;
+ nskb->len += nskb->data_len;
+diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
+index ff41b4d..008f337 100644
+--- a/net/ieee802154/6lowpan.c
++++ b/net/ieee802154/6lowpan.c
+@@ -957,7 +957,7 @@ lowpan_process_data(struct sk_buff *skb)
+ * Traffic class carried in-line
+ * ECN + DSCP (1 byte), Flow Label is elided
+ */
+- case 1: /* 10b */
++ case 2: /* 10b */
+ if (lowpan_fetch_skb_u8(skb, &tmp))
+ goto drop;
+
+@@ -968,7 +968,7 @@ lowpan_process_data(struct sk_buff *skb)
+ * Flow Label carried in-line
+ * ECN + 2-bit Pad + Flow Label (3 bytes), DSCP is elided
+ */
+- case 2: /* 01b */
++ case 1: /* 01b */
+ if (lowpan_fetch_skb_u8(skb, &tmp))
+ goto drop;
+
+diff --git a/net/ieee802154/dgram.c b/net/ieee802154/dgram.c
+index 581a595..1865fdf 100644
+--- a/net/ieee802154/dgram.c
++++ b/net/ieee802154/dgram.c
+@@ -315,9 +315,8 @@ static int dgram_recvmsg(struct kiocb *iocb, struct sock *sk,
+ if (saddr) {
+ saddr->family = AF_IEEE802154;
+ saddr->addr = mac_cb(skb)->sa;
+- }
+- if (addr_len)
+ *addr_len = sizeof(*saddr);
++ }
+
+ if (flags & MSG_TRUNC)
+ copied = skb->len;
+diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c
+index b28e863..19e3637 100644
+--- a/net/ipv4/datagram.c
++++ b/net/ipv4/datagram.c
+@@ -57,7 +57,7 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+ if (IS_ERR(rt)) {
+ err = PTR_ERR(rt);
+ if (err == -ENETUNREACH)
+- IP_INC_STATS_BH(sock_net(sk), IPSTATS_MIB_OUTNOROUTES);
++ IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTNOROUTES);
+ goto out;
+ }
+
+diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+index d9c4f11..23e6ab0 100644
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -368,7 +368,7 @@ void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 port, u32 inf
+ /*
+ * Handle MSG_ERRQUEUE
+ */
+-int ip_recv_error(struct sock *sk, struct msghdr *msg, int len)
++int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+ {
+ struct sock_exterr_skb *serr;
+ struct sk_buff *skb, *skb2;
+@@ -405,6 +405,7 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len)
+ serr->addr_offset);
+ sin->sin_port = serr->port;
+ memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
++ *addr_len = sizeof(*sin);
+ }
+
+ memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err));
+diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
+index 63a6d6d..254f11c 100644
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -454,6 +454,8 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb,
+ tstats->rx_bytes += skb->len;
+ u64_stats_update_end(&tstats->syncp);
+
++ skb_scrub_packet(skb, !net_eq(tunnel->net, dev_net(tunnel->dev)));
++
+ if (tunnel->dev->type == ARPHRD_ETHER) {
+ skb->protocol = eth_type_trans(skb, tunnel->dev);
+ skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN);
+@@ -461,8 +463,6 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb,
+ skb->dev = tunnel->dev;
+ }
+
+- skb_scrub_packet(skb, !net_eq(tunnel->net, dev_net(tunnel->dev)));
+-
+ gro_cells_receive(&tunnel->gro_cells, skb);
+ return 0;
+
+diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
+index 6e87f85..26847e1 100644
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -190,6 +190,7 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
+ if (!rt->dst.xfrm ||
+ rt->dst.xfrm->props.mode != XFRM_MODE_TUNNEL) {
+ dev->stats.tx_carrier_errors++;
++ ip_rt_put(rt);
+ goto tx_error_icmp;
+ }
+ tdev = rt->dst.dev;
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index d7d9882..c482f7c 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -769,7 +769,7 @@ int ping_v4_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ err = PTR_ERR(rt);
+ rt = NULL;
+ if (err == -ENETUNREACH)
+- IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES);
++ IP_INC_STATS(net, IPSTATS_MIB_OUTNOROUTES);
+ goto out;
+ }
+
+@@ -827,8 +827,6 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ {
+ struct inet_sock *isk = inet_sk(sk);
+ int family = sk->sk_family;
+- struct sockaddr_in *sin;
+- struct sockaddr_in6 *sin6;
+ struct sk_buff *skb;
+ int copied, err;
+
+@@ -838,19 +836,13 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ if (flags & MSG_OOB)
+ goto out;
+
+- if (addr_len) {
+- if (family == AF_INET)
+- *addr_len = sizeof(*sin);
+- else if (family == AF_INET6 && addr_len)
+- *addr_len = sizeof(*sin6);
+- }
+-
+ if (flags & MSG_ERRQUEUE) {
+ if (family == AF_INET) {
+- return ip_recv_error(sk, msg, len);
++ return ip_recv_error(sk, msg, len, addr_len);
+ #if IS_ENABLED(CONFIG_IPV6)
+ } else if (family == AF_INET6) {
+- return pingv6_ops.ipv6_recv_error(sk, msg, len);
++ return pingv6_ops.ipv6_recv_error(sk, msg, len,
++ addr_len);
+ #endif
+ }
+ }
+@@ -874,11 +866,15 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+
+ /* Copy the address and add cmsg data. */
+ if (family == AF_INET) {
+- sin = (struct sockaddr_in *) msg->msg_name;
+- sin->sin_family = AF_INET;
+- sin->sin_port = 0 /* skb->h.uh->source */;
+- sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+- memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
++ struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name;
++
++ if (sin) {
++ sin->sin_family = AF_INET;
++ sin->sin_port = 0 /* skb->h.uh->source */;
++ sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
++ memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
++ *addr_len = sizeof(*sin);
++ }
+
+ if (isk->cmsg_flags)
+ ip_cmsg_recv(msg, skb);
+@@ -887,17 +883,21 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ } else if (family == AF_INET6) {
+ struct ipv6_pinfo *np = inet6_sk(sk);
+ struct ipv6hdr *ip6 = ipv6_hdr(skb);
+- sin6 = (struct sockaddr_in6 *) msg->msg_name;
+- sin6->sin6_family = AF_INET6;
+- sin6->sin6_port = 0;
+- sin6->sin6_addr = ip6->saddr;
+-
+- sin6->sin6_flowinfo = 0;
+- if (np->sndflow)
+- sin6->sin6_flowinfo = ip6_flowinfo(ip6);
+-
+- sin6->sin6_scope_id = ipv6_iface_scope_id(&sin6->sin6_addr,
+- IP6CB(skb)->iif);
++ struct sockaddr_in6 *sin6 =
++ (struct sockaddr_in6 *)msg->msg_name;
++
++ if (sin6) {
++ sin6->sin6_family = AF_INET6;
++ sin6->sin6_port = 0;
++ sin6->sin6_addr = ip6->saddr;
++ sin6->sin6_flowinfo = 0;
++ if (np->sndflow)
++ sin6->sin6_flowinfo = ip6_flowinfo(ip6);
++ sin6->sin6_scope_id =
++ ipv6_iface_scope_id(&sin6->sin6_addr,
++ IP6CB(skb)->iif);
++ *addr_len = sizeof(*sin6);
++ }
+
+ if (inet6_sk(sk)->rxopt.all)
+ pingv6_ops.ip6_datagram_recv_ctl(sk, msg, skb);
+diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
+index 193db03..7d3db78 100644
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -694,11 +694,8 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ if (flags & MSG_OOB)
+ goto out;
+
+- if (addr_len)
+- *addr_len = sizeof(*sin);
+-
+ if (flags & MSG_ERRQUEUE) {
+- err = ip_recv_error(sk, msg, len);
++ err = ip_recv_error(sk, msg, len, addr_len);
+ goto out;
+ }
+
+@@ -724,6 +721,7 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+ sin->sin_port = 0;
+ memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
++ *addr_len = sizeof(*sin);
+ }
+ if (inet->cmsg_flags)
+ ip_cmsg_recv(msg, skb);
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 6011615..62290b5 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1772,8 +1772,12 @@ local_input:
+ rth->dst.error= -err;
+ rth->rt_flags &= ~RTCF_LOCAL;
+ }
+- if (do_cache)
+- rt_cache_route(&FIB_RES_NH(res), rth);
++ if (do_cache) {
++ if (unlikely(!rt_cache_route(&FIB_RES_NH(res), rth))) {
++ rth->dst.flags |= DST_NOCACHE;
++ rt_add_uncached_list(rth);
++ }
++ }
+ skb_dst_set(skb, &rth->dst);
+ err = 0;
+ goto out;
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 6e5617b..be5246e 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -806,12 +806,6 @@ static unsigned int tcp_xmit_size_goal(struct sock *sk, u32 mss_now,
+ xmit_size_goal = min_t(u32, gso_size,
+ sk->sk_gso_max_size - 1 - hlen);
+
+- /* TSQ : try to have at least two segments in flight
+- * (one in NIC TX ring, another in Qdisc)
+- */
+- xmit_size_goal = min_t(u32, xmit_size_goal,
+- sysctl_tcp_limit_output_bytes >> 1);
+-
+ xmit_size_goal = tcp_bound_to_half_wnd(tp, xmit_size_goal);
+
+ /* We try hard to avoid divides here */
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index b14266b..5031f68 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -177,7 +177,7 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+ if (IS_ERR(rt)) {
+ err = PTR_ERR(rt);
+ if (err == -ENETUNREACH)
+- IP_INC_STATS_BH(sock_net(sk), IPSTATS_MIB_OUTNOROUTES);
++ IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTNOROUTES);
+ return err;
+ }
+
+diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
+index 52f3c6b..3107114 100644
+--- a/net/ipv4/tcp_metrics.c
++++ b/net/ipv4/tcp_metrics.c
+@@ -659,10 +659,13 @@ void tcp_fastopen_cache_get(struct sock *sk, u16 *mss,
+ void tcp_fastopen_cache_set(struct sock *sk, u16 mss,
+ struct tcp_fastopen_cookie *cookie, bool syn_lost)
+ {
++ struct dst_entry *dst = __sk_dst_get(sk);
+ struct tcp_metrics_block *tm;
+
++ if (!dst)
++ return;
+ rcu_read_lock();
+- tm = tcp_get_metrics(sk, __sk_dst_get(sk), true);
++ tm = tcp_get_metrics(sk, dst, true);
+ if (tm) {
+ struct tcp_fastopen_metrics *tfom = &tm->tcpm_fastopen;
+
+diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c
+index 533c58a..910ab81 100644
+--- a/net/ipv4/tcp_offload.c
++++ b/net/ipv4/tcp_offload.c
+@@ -272,33 +272,32 @@ static struct sk_buff **tcp4_gro_receive(struct sk_buff **head, struct sk_buff *
+ {
+ const struct iphdr *iph = skb_gro_network_header(skb);
+ __wsum wsum;
+- __sum16 sum;
++
++ /* Don't bother verifying checksum if we're going to flush anyway. */
++ if (NAPI_GRO_CB(skb)->flush)
++ goto skip_csum;
++
++ wsum = skb->csum;
+
+ switch (skb->ip_summed) {
++ case CHECKSUM_NONE:
++ wsum = skb_checksum(skb, skb_gro_offset(skb), skb_gro_len(skb),
++ 0);
++
++ /* fall through */
++
+ case CHECKSUM_COMPLETE:
+ if (!tcp_v4_check(skb_gro_len(skb), iph->saddr, iph->daddr,
+- skb->csum)) {
++ wsum)) {
+ skb->ip_summed = CHECKSUM_UNNECESSARY;
+ break;
+ }
+-flush:
++
+ NAPI_GRO_CB(skb)->flush = 1;
+ return NULL;
+-
+- case CHECKSUM_NONE:
+- wsum = csum_tcpudp_nofold(iph->saddr, iph->daddr,
+- skb_gro_len(skb), IPPROTO_TCP, 0);
+- sum = csum_fold(skb_checksum(skb,
+- skb_gro_offset(skb),
+- skb_gro_len(skb),
+- wsum));
+- if (sum)
+- goto flush;
+-
+- skb->ip_summed = CHECKSUM_UNNECESSARY;
+- break;
+ }
+
++skip_csum:
+ return tcp_gro_receive(head, skb);
+ }
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index d46f214..e912634 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1875,8 +1875,12 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle,
+ * - better RTT estimation and ACK scheduling
+ * - faster recovery
+ * - high rates
++ * Alas, some drivers / subsystems require a fair amount
++ * of queued bytes to ensure line rate.
++ * One example is wifi aggregation (802.11 AMPDU)
+ */
+- limit = max(skb->truesize, sk->sk_pacing_rate >> 10);
++ limit = max_t(unsigned int, sysctl_tcp_limit_output_bytes,
++ sk->sk_pacing_rate >> 10);
+
+ if (atomic_read(&sk->sk_wmem_alloc) > limit) {
+ set_bit(TSQ_THROTTLED, &tp->tsq_flags);
+@@ -3108,7 +3112,6 @@ void tcp_send_window_probe(struct sock *sk)
+ {
+ if (sk->sk_state == TCP_ESTABLISHED) {
+ tcp_sk(sk)->snd_wl1 = tcp_sk(sk)->rcv_nxt - 1;
+- tcp_sk(sk)->snd_nxt = tcp_sk(sk)->write_seq;
+ tcp_xmit_probe_skb(sk, 0);
+ }
+ }
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 0ca44df..5e2c2f1 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -973,7 +973,7 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ err = PTR_ERR(rt);
+ rt = NULL;
+ if (err == -ENETUNREACH)
+- IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES);
++ IP_INC_STATS(net, IPSTATS_MIB_OUTNOROUTES);
+ goto out;
+ }
+
+@@ -1072,6 +1072,9 @@ int udp_sendpage(struct sock *sk, struct page *page, int offset,
+ struct udp_sock *up = udp_sk(sk);
+ int ret;
+
++ if (flags & MSG_SENDPAGE_NOTLAST)
++ flags |= MSG_MORE;
++
+ if (!up->pending) {
+ struct msghdr msg = { .msg_flags = flags|MSG_MORE };
+
+@@ -1209,14 +1212,8 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ int is_udplite = IS_UDPLITE(sk);
+ bool slow;
+
+- /*
+- * Check any passed addresses
+- */
+- if (addr_len)
+- *addr_len = sizeof(*sin);
+-
+ if (flags & MSG_ERRQUEUE)
+- return ip_recv_error(sk, msg, len);
++ return ip_recv_error(sk, msg, len, addr_len);
+
+ try_again:
+ skb = __skb_recv_datagram(sk, flags | (noblock ? MSG_DONTWAIT : 0),
+@@ -1276,6 +1273,7 @@ try_again:
+ sin->sin_port = udp_hdr(skb)->source;
+ sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+ memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
++ *addr_len = sizeof(*sin);
+ }
+ if (inet->cmsg_flags)
+ ip_cmsg_recv(msg, skb);
+diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
+index ccde542..adf9983 100644
+--- a/net/ipv4/xfrm4_policy.c
++++ b/net/ipv4/xfrm4_policy.c
+@@ -104,10 +104,14 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
+ const struct iphdr *iph = ip_hdr(skb);
+ u8 *xprth = skb_network_header(skb) + iph->ihl * 4;
+ struct flowi4 *fl4 = &fl->u.ip4;
++ int oif = 0;
++
++ if (skb_dst(skb))
++ oif = skb_dst(skb)->dev->ifindex;
+
+ memset(fl4, 0, sizeof(struct flowi4));
+ fl4->flowi4_mark = skb->mark;
+- fl4->flowi4_oif = skb_dst(skb)->dev->ifindex;
++ fl4->flowi4_oif = reverse ? skb->skb_iif : oif;
+
+ if (!ip_is_fragment(iph)) {
+ switch (iph->protocol) {
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index 7c96100..8132b44 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -965,10 +965,10 @@ out:
+
+ #ifdef CONFIG_SYSCTL
+ sysctl_fail:
+- ipv6_packet_cleanup();
++ pingv6_exit();
+ #endif
+ pingv6_fail:
+- pingv6_exit();
++ ipv6_packet_cleanup();
+ ipv6_packet_fail:
+ tcpv6_exit();
+ tcpv6_fail:
+diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
+index 48b6bd2..c66c6df 100644
+--- a/net/ipv6/datagram.c
++++ b/net/ipv6/datagram.c
+@@ -318,7 +318,7 @@ void ipv6_local_rxpmtu(struct sock *sk, struct flowi6 *fl6, u32 mtu)
+ /*
+ * Handle MSG_ERRQUEUE
+ */
+-int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len)
++int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+ {
+ struct ipv6_pinfo *np = inet6_sk(sk);
+ struct sock_exterr_skb *serr;
+@@ -369,6 +369,7 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len)
+ &sin->sin6_addr);
+ sin->sin6_scope_id = 0;
+ }
++ *addr_len = sizeof(*sin);
+ }
+
+ memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err));
+@@ -377,6 +378,7 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len)
+ if (serr->ee.ee_origin != SO_EE_ORIGIN_LOCAL) {
+ sin->sin6_family = AF_INET6;
+ sin->sin6_flowinfo = 0;
++ sin->sin6_port = 0;
+ if (skb->protocol == htons(ETH_P_IPV6)) {
+ sin->sin6_addr = ipv6_hdr(skb)->saddr;
+ if (np->rxopt.all)
+@@ -423,7 +425,8 @@ EXPORT_SYMBOL_GPL(ipv6_recv_error);
+ /*
+ * Handle IPV6_RECVPATHMTU
+ */
+-int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len)
++int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len,
++ int *addr_len)
+ {
+ struct ipv6_pinfo *np = inet6_sk(sk);
+ struct sk_buff *skb;
+@@ -457,6 +460,7 @@ int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len)
+ sin->sin6_port = 0;
+ sin->sin6_scope_id = mtu_info.ip6m_addr.sin6_scope_id;
+ sin->sin6_addr = mtu_info.ip6m_addr.sin6_addr;
++ *addr_len = sizeof(*sin);
+ }
+
+ put_cmsg(msg, SOL_IPV6, IPV6_PATHMTU, sizeof(mtu_info), &mtu_info);
+diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
+index 46e8843..f0ccdb7 100644
+--- a/net/ipv6/ip6_flowlabel.c
++++ b/net/ipv6/ip6_flowlabel.c
+@@ -453,8 +453,10 @@ static int mem_check(struct sock *sk)
+ if (room > FL_MAX_SIZE - FL_MAX_PER_SOCK)
+ return 0;
+
++ rcu_read_lock_bh();
+ for_each_sk_fl_rcu(np, sfl)
+ count++;
++ rcu_read_unlock_bh();
+
+ if (room <= 0 ||
+ ((count >= FL_MAX_PER_SOCK ||
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 91fb4e8..b6fa35e 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -116,8 +116,8 @@ static int ip6_finish_output2(struct sk_buff *skb)
+ }
+ rcu_read_unlock_bh();
+
+- IP6_INC_STATS_BH(dev_net(dst->dev),
+- ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
++ IP6_INC_STATS(dev_net(dst->dev),
++ ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
+ kfree_skb(skb);
+ return -EINVAL;
+ }
+@@ -125,7 +125,8 @@ static int ip6_finish_output2(struct sk_buff *skb)
+ static int ip6_finish_output(struct sk_buff *skb)
+ {
+ if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
+- dst_allfrag(skb_dst(skb)))
++ dst_allfrag(skb_dst(skb)) ||
++ (IP6CB(skb)->frag_max_size && skb->len > IP6CB(skb)->frag_max_size))
+ return ip6_fragment(skb, ip6_finish_output2);
+ else
+ return ip6_finish_output2(skb);
+diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
+index 583b77e..c1e11b5 100644
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1635,6 +1635,15 @@ static int ip6_tnl_changelink(struct net_device *dev, struct nlattr *tb[],
+ return ip6_tnl_update(t, &p);
+ }
+
++static void ip6_tnl_dellink(struct net_device *dev, struct list_head *head)
++{
++ struct net *net = dev_net(dev);
++ struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id);
++
++ if (dev != ip6n->fb_tnl_dev)
++ unregister_netdevice_queue(dev, head);
++}
++
+ static size_t ip6_tnl_get_size(const struct net_device *dev)
+ {
+ return
+@@ -1699,6 +1708,7 @@ static struct rtnl_link_ops ip6_link_ops __read_mostly = {
+ .validate = ip6_tnl_validate,
+ .newlink = ip6_tnl_newlink,
+ .changelink = ip6_tnl_changelink,
++ .dellink = ip6_tnl_dellink,
+ .get_size = ip6_tnl_get_size,
+ .fill_info = ip6_tnl_fill_info,
+ };
+@@ -1715,9 +1725,9 @@ static struct xfrm6_tunnel ip6ip6_handler __read_mostly = {
+ .priority = 1,
+ };
+
+-static void __net_exit ip6_tnl_destroy_tunnels(struct ip6_tnl_net *ip6n)
++static void __net_exit ip6_tnl_destroy_tunnels(struct net *net)
+ {
+- struct net *net = dev_net(ip6n->fb_tnl_dev);
++ struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id);
+ struct net_device *dev, *aux;
+ int h;
+ struct ip6_tnl *t;
+@@ -1785,10 +1795,8 @@ err_alloc_dev:
+
+ static void __net_exit ip6_tnl_exit_net(struct net *net)
+ {
+- struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id);
+-
+ rtnl_lock();
+- ip6_tnl_destroy_tunnels(ip6n);
++ ip6_tnl_destroy_tunnels(net);
+ rtnl_unlock();
+ }
+
+diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+index d6e4dd8..83ab37c 100644
+--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+@@ -169,63 +169,13 @@ out:
+ return nf_conntrack_confirm(skb);
+ }
+
+-static unsigned int __ipv6_conntrack_in(struct net *net,
+- unsigned int hooknum,
+- struct sk_buff *skb,
+- const struct net_device *in,
+- const struct net_device *out,
+- int (*okfn)(struct sk_buff *))
+-{
+- struct sk_buff *reasm = skb->nfct_reasm;
+- const struct nf_conn_help *help;
+- struct nf_conn *ct;
+- enum ip_conntrack_info ctinfo;
+-
+- /* This packet is fragmented and has reassembled packet. */
+- if (reasm) {
+- /* Reassembled packet isn't parsed yet ? */
+- if (!reasm->nfct) {
+- unsigned int ret;
+-
+- ret = nf_conntrack_in(net, PF_INET6, hooknum, reasm);
+- if (ret != NF_ACCEPT)
+- return ret;
+- }
+-
+- /* Conntrack helpers need the entire reassembled packet in the
+- * POST_ROUTING hook. In case of unconfirmed connections NAT
+- * might reassign a helper, so the entire packet is also
+- * required.
+- */
+- ct = nf_ct_get(reasm, &ctinfo);
+- if (ct != NULL && !nf_ct_is_untracked(ct)) {
+- help = nfct_help(ct);
+- if ((help && help->helper) || !nf_ct_is_confirmed(ct)) {
+- nf_conntrack_get_reasm(reasm);
+- NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, reasm,
+- (struct net_device *)in,
+- (struct net_device *)out,
+- okfn, NF_IP6_PRI_CONNTRACK + 1);
+- return NF_DROP_ERR(-ECANCELED);
+- }
+- }
+-
+- nf_conntrack_get(reasm->nfct);
+- skb->nfct = reasm->nfct;
+- skb->nfctinfo = reasm->nfctinfo;
+- return NF_ACCEPT;
+- }
+-
+- return nf_conntrack_in(net, PF_INET6, hooknum, skb);
+-}
+-
+ static unsigned int ipv6_conntrack_in(unsigned int hooknum,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+ {
+- return __ipv6_conntrack_in(dev_net(in), hooknum, skb, in, out, okfn);
++ return nf_conntrack_in(dev_net(in), PF_INET6, hooknum, skb);
+ }
+
+ static unsigned int ipv6_conntrack_local(unsigned int hooknum,
+@@ -239,7 +189,7 @@ static unsigned int ipv6_conntrack_local(unsigned int hooknum,
+ net_notice_ratelimited("ipv6_conntrack_local: packet too short\n");
+ return NF_ACCEPT;
+ }
+- return __ipv6_conntrack_in(dev_net(out), hooknum, skb, in, out, okfn);
++ return nf_conntrack_in(dev_net(out), PF_INET6, hooknum, skb);
+ }
+
+ static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {
+diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
+index dffdc1a..253566a 100644
+--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
+@@ -621,31 +621,16 @@ ret_orig:
+ return skb;
+ }
+
+-void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb,
+- struct net_device *in, struct net_device *out,
+- int (*okfn)(struct sk_buff *))
++void nf_ct_frag6_consume_orig(struct sk_buff *skb)
+ {
+ struct sk_buff *s, *s2;
+- unsigned int ret = 0;
+
+ for (s = NFCT_FRAG6_CB(skb)->orig; s;) {
+- nf_conntrack_put_reasm(s->nfct_reasm);
+- nf_conntrack_get_reasm(skb);
+- s->nfct_reasm = skb;
+-
+ s2 = s->next;
+ s->next = NULL;
+-
+- if (ret != -ECANCELED)
+- ret = NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, s,
+- in, out, okfn,
+- NF_IP6_PRI_CONNTRACK_DEFRAG + 1);
+- else
+- kfree_skb(s);
+-
++ consume_skb(s);
+ s = s2;
+ }
+- nf_conntrack_put_reasm(skb);
+ }
+
+ static int nf_ct_net_init(struct net *net)
+diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
+index aacd121..581dd9e 100644
+--- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
++++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
+@@ -75,8 +75,11 @@ static unsigned int ipv6_defrag(unsigned int hooknum,
+ if (reasm == skb)
+ return NF_ACCEPT;
+
+- nf_ct_frag6_output(hooknum, reasm, (struct net_device *)in,
+- (struct net_device *)out, okfn);
++ nf_ct_frag6_consume_orig(reasm);
++
++ NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, reasm,
++ (struct net_device *) in, (struct net_device *) out,
++ okfn, NF_IP6_PRI_CONNTRACK_DEFRAG + 1);
+
+ return NF_STOLEN;
+ }
+diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
+index 18f19df..7856e96 100644
+--- a/net/ipv6/ping.c
++++ b/net/ipv6/ping.c
+@@ -57,7 +57,8 @@ static struct inet_protosw pingv6_protosw = {
+
+
+ /* Compatibility glue so we can support IPv6 when it's compiled as a module */
+-static int dummy_ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len)
++static int dummy_ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len,
++ int *addr_len)
+ {
+ return -EAFNOSUPPORT;
+ }
+diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
+index a4ed241..430067c 100644
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -466,14 +466,11 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk,
+ if (flags & MSG_OOB)
+ return -EOPNOTSUPP;
+
+- if (addr_len)
+- *addr_len=sizeof(*sin6);
+-
+ if (flags & MSG_ERRQUEUE)
+- return ipv6_recv_error(sk, msg, len);
++ return ipv6_recv_error(sk, msg, len, addr_len);
+
+ if (np->rxpmtu && np->rxopt.bits.rxpmtu)
+- return ipv6_recv_rxpmtu(sk, msg, len);
++ return ipv6_recv_rxpmtu(sk, msg, len, addr_len);
+
+ skb = skb_recv_datagram(sk, flags, noblock, &err);
+ if (!skb)
+@@ -507,6 +504,7 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk,
+ sin6->sin6_flowinfo = 0;
+ sin6->sin6_scope_id = ipv6_iface_scope_id(&sin6->sin6_addr,
+ IP6CB(skb)->iif);
++ *addr_len = sizeof(*sin6);
+ }
+
+ sock_recv_ts_and_drops(msg, sk, skb);
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 04e17b3..77308af 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -731,8 +731,11 @@ int rt6_route_rcv(struct net_device *dev, u8 *opt, int len,
+ prefix = &prefix_buf;
+ }
+
+- rt = rt6_get_route_info(net, prefix, rinfo->prefix_len, gwaddr,
+- dev->ifindex);
++ if (rinfo->prefix_len == 0)
++ rt = rt6_get_dflt_router(gwaddr, dev);
++ else
++ rt = rt6_get_route_info(net, prefix, rinfo->prefix_len,
++ gwaddr, dev->ifindex);
+
+ if (rt && !lifetime) {
+ ip6_del_rt(rt);
+diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
+index 1926945..b433884 100644
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1594,6 +1594,15 @@ static const struct nla_policy ipip6_policy[IFLA_IPTUN_MAX + 1] = {
+ #endif
+ };
+
++static void ipip6_dellink(struct net_device *dev, struct list_head *head)
++{
++ struct net *net = dev_net(dev);
++ struct sit_net *sitn = net_generic(net, sit_net_id);
++
++ if (dev != sitn->fb_tunnel_dev)
++ unregister_netdevice_queue(dev, head);
++}
++
+ static struct rtnl_link_ops sit_link_ops __read_mostly = {
+ .kind = "sit",
+ .maxtype = IFLA_IPTUN_MAX,
+@@ -1605,6 +1614,7 @@ static struct rtnl_link_ops sit_link_ops __read_mostly = {
+ .changelink = ipip6_changelink,
+ .get_size = ipip6_get_size,
+ .fill_info = ipip6_fill_info,
++ .dellink = ipip6_dellink,
+ };
+
+ static struct xfrm_tunnel sit_handler __read_mostly = {
+@@ -1619,9 +1629,10 @@ static struct xfrm_tunnel ipip_handler __read_mostly = {
+ .priority = 2,
+ };
+
+-static void __net_exit sit_destroy_tunnels(struct sit_net *sitn, struct list_head *head)
++static void __net_exit sit_destroy_tunnels(struct net *net,
++ struct list_head *head)
+ {
+- struct net *net = dev_net(sitn->fb_tunnel_dev);
++ struct sit_net *sitn = net_generic(net, sit_net_id);
+ struct net_device *dev, *aux;
+ int prio;
+
+@@ -1696,11 +1707,10 @@ err_alloc_dev:
+
+ static void __net_exit sit_exit_net(struct net *net)
+ {
+- struct sit_net *sitn = net_generic(net, sit_net_id);
+ LIST_HEAD(list);
+
+ rtnl_lock();
+- sit_destroy_tunnels(sitn, &list);
++ sit_destroy_tunnels(net, &list);
+ unregister_netdevice_many(&list);
+ rtnl_unlock();
+ }
+diff --git a/net/ipv6/tcpv6_offload.c b/net/ipv6/tcpv6_offload.c
+index 2ec6bf6..a7a2384 100644
+--- a/net/ipv6/tcpv6_offload.c
++++ b/net/ipv6/tcpv6_offload.c
+@@ -37,34 +37,32 @@ static struct sk_buff **tcp6_gro_receive(struct sk_buff **head,
+ {
+ const struct ipv6hdr *iph = skb_gro_network_header(skb);
+ __wsum wsum;
+- __sum16 sum;
++
++ /* Don't bother verifying checksum if we're going to flush anyway. */
++ if (NAPI_GRO_CB(skb)->flush)
++ goto skip_csum;
++
++ wsum = skb->csum;
+
+ switch (skb->ip_summed) {
++ case CHECKSUM_NONE:
++ wsum = skb_checksum(skb, skb_gro_offset(skb), skb_gro_len(skb),
++ wsum);
++
++ /* fall through */
++
+ case CHECKSUM_COMPLETE:
+ if (!tcp_v6_check(skb_gro_len(skb), &iph->saddr, &iph->daddr,
+- skb->csum)) {
++ wsum)) {
+ skb->ip_summed = CHECKSUM_UNNECESSARY;
+ break;
+ }
+-flush:
++
+ NAPI_GRO_CB(skb)->flush = 1;
+ return NULL;
+-
+- case CHECKSUM_NONE:
+- wsum = ~csum_unfold(csum_ipv6_magic(&iph->saddr, &iph->daddr,
+- skb_gro_len(skb),
+- IPPROTO_TCP, 0));
+- sum = csum_fold(skb_checksum(skb,
+- skb_gro_offset(skb),
+- skb_gro_len(skb),
+- wsum));
+- if (sum)
+- goto flush;
+-
+- skb->ip_summed = CHECKSUM_UNNECESSARY;
+- break;
+ }
+
++skip_csum:
+ return tcp_gro_receive(head, skb);
+ }
+
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 1878609..3d2758d 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -374,14 +374,11 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk,
+ int is_udp4;
+ bool slow;
+
+- if (addr_len)
+- *addr_len = sizeof(struct sockaddr_in6);
+-
+ if (flags & MSG_ERRQUEUE)
+- return ipv6_recv_error(sk, msg, len);
++ return ipv6_recv_error(sk, msg, len, addr_len);
+
+ if (np->rxpmtu && np->rxopt.bits.rxpmtu)
+- return ipv6_recv_rxpmtu(sk, msg, len);
++ return ipv6_recv_rxpmtu(sk, msg, len, addr_len);
+
+ try_again:
+ skb = __skb_recv_datagram(sk, flags | (noblock ? MSG_DONTWAIT : 0),
+@@ -462,7 +459,7 @@ try_again:
+ ipv6_iface_scope_id(&sin6->sin6_addr,
+ IP6CB(skb)->iif);
+ }
+-
++ *addr_len = sizeof(*sin6);
+ }
+ if (is_udp4) {
+ if (inet->cmsg_flags)
+diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
+index 6055951..34c6fff 100644
+--- a/net/ipv6/udp_offload.c
++++ b/net/ipv6/udp_offload.c
+@@ -88,7 +88,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
+
+ /* Check if there is enough headroom to insert fragment header. */
+ tnl_hlen = skb_tnl_header_len(skb);
+- if (skb_headroom(skb) < (tnl_hlen + frag_hdr_sz)) {
++ if (skb->mac_header < (tnl_hlen + frag_hdr_sz)) {
+ if (gso_pskb_expand_head(skb, tnl_hlen + frag_hdr_sz))
+ goto out;
+ }
+diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
+index 08ed277..550b195 100644
+--- a/net/ipv6/xfrm6_policy.c
++++ b/net/ipv6/xfrm6_policy.c
+@@ -135,10 +135,14 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
+ struct ipv6_opt_hdr *exthdr;
+ const unsigned char *nh = skb_network_header(skb);
+ u8 nexthdr = nh[IP6CB(skb)->nhoff];
++ int oif = 0;
++
++ if (skb_dst(skb))
++ oif = skb_dst(skb)->dev->ifindex;
+
+ memset(fl6, 0, sizeof(struct flowi6));
+ fl6->flowi6_mark = skb->mark;
+- fl6->flowi6_oif = skb_dst(skb)->dev->ifindex;
++ fl6->flowi6_oif = reverse ? skb->skb_iif : oif;
+
+ fl6->daddr = reverse ? hdr->saddr : hdr->daddr;
+ fl6->saddr = reverse ? hdr->daddr : hdr->saddr;
+diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
+index 7a1e0fc..e096025 100644
+--- a/net/ipx/af_ipx.c
++++ b/net/ipx/af_ipx.c
+@@ -1823,8 +1823,6 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock,
+ if (skb->tstamp.tv64)
+ sk->sk_stamp = skb->tstamp;
+
+- msg->msg_namelen = sizeof(*sipx);
+-
+ if (sipx) {
+ sipx->sipx_family = AF_IPX;
+ sipx->sipx_port = ipx->ipx_source.sock;
+@@ -1832,6 +1830,7 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock,
+ sipx->sipx_network = IPX_SKB_CB(skb)->ipx_source_net;
+ sipx->sipx_type = ipx->ipx_type;
+ sipx->sipx_zero = 0;
++ msg->msg_namelen = sizeof(*sipx);
+ }
+ rc = copied;
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index 0578d4f..a5e62ef5 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1385,8 +1385,6 @@ static int irda_recvmsg_dgram(struct kiocb *iocb, struct socket *sock,
+
+ IRDA_DEBUG(4, "%s()\n", __func__);
+
+- msg->msg_namelen = 0;
+-
+ skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
+ flags & MSG_DONTWAIT, &err);
+ if (!skb)
+@@ -1451,8 +1449,6 @@ static int irda_recvmsg_stream(struct kiocb *iocb, struct socket *sock,
+ target = sock_rcvlowat(sk, flags & MSG_WAITALL, size);
+ timeo = sock_rcvtimeo(sk, noblock);
+
+- msg->msg_namelen = 0;
+-
+ do {
+ int chunk;
+ struct sk_buff *skb = skb_dequeue(&sk->sk_receive_queue);
+diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
+index 168aff5..c4b7218 100644
+--- a/net/iucv/af_iucv.c
++++ b/net/iucv/af_iucv.c
+@@ -1324,8 +1324,6 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ int err = 0;
+ u32 offset;
+
+- msg->msg_namelen = 0;
+-
+ if ((sk->sk_state == IUCV_DISCONN) &&
+ skb_queue_empty(&iucv->backlog_skb_q) &&
+ skb_queue_empty(&sk->sk_receive_queue) &&
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index 911ef03..545f047 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -3616,7 +3616,6 @@ static int pfkey_recvmsg(struct kiocb *kiocb,
+ if (flags & ~(MSG_PEEK|MSG_DONTWAIT|MSG_TRUNC|MSG_CMSG_COMPAT))
+ goto out;
+
+- msg->msg_namelen = 0;
+ skb = skb_recv_datagram(sk, flags, flags & MSG_DONTWAIT, &err);
+ if (skb == NULL)
+ goto out;
+diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
+index 571db8d..da1a1ce 100644
+--- a/net/l2tp/l2tp_ip.c
++++ b/net/l2tp/l2tp_ip.c
+@@ -518,9 +518,6 @@ static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m
+ if (flags & MSG_OOB)
+ goto out;
+
+- if (addr_len)
+- *addr_len = sizeof(*sin);
+-
+ skb = skb_recv_datagram(sk, flags, noblock, &err);
+ if (!skb)
+ goto out;
+@@ -543,6 +540,7 @@ static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m
+ sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+ sin->sin_port = 0;
+ memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
++ *addr_len = sizeof(*sin);
+ }
+ if (inet->cmsg_flags)
+ ip_cmsg_recv(msg, skb);
+diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
+index b8a6039..e6e8408 100644
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -665,7 +665,7 @@ static int l2tp_ip6_recvmsg(struct kiocb *iocb, struct sock *sk,
+ *addr_len = sizeof(*lsa);
+
+ if (flags & MSG_ERRQUEUE)
+- return ipv6_recv_error(sk, msg, len);
++ return ipv6_recv_error(sk, msg, len, addr_len);
+
+ skb = skb_recv_datagram(sk, flags, noblock, &err);
+ if (!skb)
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 8c46b27..44441c0 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -197,8 +197,6 @@ static int pppol2tp_recvmsg(struct kiocb *iocb, struct socket *sock,
+ if (sk->sk_state & PPPOX_BOUND)
+ goto end;
+
+- msg->msg_namelen = 0;
+-
+ err = 0;
+ skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
+ flags & MSG_DONTWAIT, &err);
+diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
+index 6cba486..7b01b9f 100644
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -720,8 +720,6 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock,
+ int target; /* Read at least this many bytes */
+ long timeo;
+
+- msg->msg_namelen = 0;
+-
+ lock_sock(sk);
+ copied = -ENOTCONN;
+ if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN))
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
+index 74fd00c..3581736 100644
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -1139,12 +1139,6 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af)
+ ip_vs_fill_iph_skb(af, skb, &iph);
+ #ifdef CONFIG_IP_VS_IPV6
+ if (af == AF_INET6) {
+- if (!iph.fragoffs && skb_nfct_reasm(skb)) {
+- struct sk_buff *reasm = skb_nfct_reasm(skb);
+- /* Save fw mark for coming frags */
+- reasm->ipvs_property = 1;
+- reasm->mark = skb->mark;
+- }
+ if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
+ int related;
+ int verdict = ip_vs_out_icmp_v6(skb, &related,
+@@ -1614,12 +1608,6 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
+
+ #ifdef CONFIG_IP_VS_IPV6
+ if (af == AF_INET6) {
+- if (!iph.fragoffs && skb_nfct_reasm(skb)) {
+- struct sk_buff *reasm = skb_nfct_reasm(skb);
+- /* Save fw mark for coming frags. */
+- reasm->ipvs_property = 1;
+- reasm->mark = skb->mark;
+- }
+ if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
+ int related;
+ int verdict = ip_vs_in_icmp_v6(skb, &related, hooknum,
+@@ -1671,9 +1659,8 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
+ /* sorry, all this trouble for a no-hit :) */
+ IP_VS_DBG_PKT(12, af, pp, skb, 0,
+ "ip_vs_in: packet continues traversal as normal");
+- if (iph.fragoffs && !skb_nfct_reasm(skb)) {
++ if (iph.fragoffs) {
+ /* Fragment that couldn't be mapped to a conn entry
+- * and don't have any pointer to a reasm skb
+ * is missing module nf_defrag_ipv6
+ */
+ IP_VS_DBG_RL("Unhandled frag, load nf_defrag_ipv6\n");
+@@ -1756,38 +1743,6 @@ ip_vs_local_request4(unsigned int hooknum, struct sk_buff *skb,
+ #ifdef CONFIG_IP_VS_IPV6
+
+ /*
+- * AF_INET6 fragment handling
+- * Copy info from first fragment, to the rest of them.
+- */
+-static unsigned int
+-ip_vs_preroute_frag6(unsigned int hooknum, struct sk_buff *skb,
+- const struct net_device *in,
+- const struct net_device *out,
+- int (*okfn)(struct sk_buff *))
+-{
+- struct sk_buff *reasm = skb_nfct_reasm(skb);
+- struct net *net;
+-
+- /* Skip if not a "replay" from nf_ct_frag6_output or first fragment.
+- * ipvs_property is set when checking first fragment
+- * in ip_vs_in() and ip_vs_out().
+- */
+- if (reasm)
+- IP_VS_DBG(2, "Fragment recv prop:%d\n", reasm->ipvs_property);
+- if (!reasm || !reasm->ipvs_property)
+- return NF_ACCEPT;
+-
+- net = skb_net(skb);
+- if (!net_ipvs(net)->enable)
+- return NF_ACCEPT;
+-
+- /* Copy stored fw mark, saved in ip_vs_{in,out} */
+- skb->mark = reasm->mark;
+-
+- return NF_ACCEPT;
+-}
+-
+-/*
+ * AF_INET6 handler in NF_INET_LOCAL_IN chain
+ * Schedule and forward packets from remote clients
+ */
+@@ -1924,14 +1879,6 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
+ .priority = 100,
+ },
+ #ifdef CONFIG_IP_VS_IPV6
+- /* After mangle & nat fetch 2:nd fragment and following */
+- {
+- .hook = ip_vs_preroute_frag6,
+- .owner = THIS_MODULE,
+- .pf = NFPROTO_IPV6,
+- .hooknum = NF_INET_PRE_ROUTING,
+- .priority = NF_IP6_PRI_NAT_DST + 1,
+- },
+ /* After packet filtering, change source only for VS/NAT */
+ {
+ .hook = ip_vs_reply6,
+diff --git a/net/netfilter/ipvs/ip_vs_pe_sip.c b/net/netfilter/ipvs/ip_vs_pe_sip.c
+index 9ef22bd..bed5f70 100644
+--- a/net/netfilter/ipvs/ip_vs_pe_sip.c
++++ b/net/netfilter/ipvs/ip_vs_pe_sip.c
+@@ -65,7 +65,6 @@ static int get_callid(const char *dptr, unsigned int dataoff,
+ static int
+ ip_vs_sip_fill_param(struct ip_vs_conn_param *p, struct sk_buff *skb)
+ {
+- struct sk_buff *reasm = skb_nfct_reasm(skb);
+ struct ip_vs_iphdr iph;
+ unsigned int dataoff, datalen, matchoff, matchlen;
+ const char *dptr;
+@@ -79,15 +78,10 @@ ip_vs_sip_fill_param(struct ip_vs_conn_param *p, struct sk_buff *skb)
+ /* todo: IPv6 fragments:
+ * I think this only should be done for the first fragment. /HS
+ */
+- if (reasm) {
+- skb = reasm;
+- dataoff = iph.thoff_reasm + sizeof(struct udphdr);
+- } else
+- dataoff = iph.len + sizeof(struct udphdr);
++ dataoff = iph.len + sizeof(struct udphdr);
+
+ if (dataoff >= skb->len)
+ return -EINVAL;
+- /* todo: Check if this will mess-up the reasm skb !!! /HS */
+ retc = skb_linearize(skb);
+ if (retc < 0)
+ return retc;
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 8df7f64..6135635 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2335,8 +2335,6 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
+ }
+ #endif
+
+- msg->msg_namelen = 0;
+-
+ copied = data_skb->len;
+ if (len < copied) {
+ msg->msg_flags |= MSG_TRUNC;
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 698814b..53c19a3 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -1179,10 +1179,9 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock,
+ sax->sax25_family = AF_NETROM;
+ skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call,
+ AX25_ADDR_LEN);
++ msg->msg_namelen = sizeof(*sax);
+ }
+
+- msg->msg_namelen = sizeof(*sax);
+-
+ skb_free_datagram(sk, skb);
+
+ release_sock(sk);
+diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
+index d308402..824c605 100644
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -807,8 +807,6 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+
+ pr_debug("%p %zu\n", sk, len);
+
+- msg->msg_namelen = 0;
+-
+ lock_sock(sk);
+
+ if (sk->sk_state == LLCP_CLOSED &&
+diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c
+index 313bf1b..5d11f4a 100644
+--- a/net/nfc/rawsock.c
++++ b/net/nfc/rawsock.c
+@@ -241,8 +241,6 @@ static int rawsock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ if (!skb)
+ return rc;
+
+- msg->msg_namelen = 0;
+-
+ copied = skb->len;
+ if (len < copied) {
+ msg->msg_flags |= MSG_TRUNC;
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 2e8286b..ba2548b 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -244,11 +244,15 @@ static void __fanout_link(struct sock *sk, struct packet_sock *po);
+ static void register_prot_hook(struct sock *sk)
+ {
+ struct packet_sock *po = pkt_sk(sk);
++
+ if (!po->running) {
+- if (po->fanout)
++ if (po->fanout) {
+ __fanout_link(sk, po);
+- else
++ } else {
+ dev_add_pack(&po->prot_hook);
++ rcu_assign_pointer(po->cached_dev, po->prot_hook.dev);
++ }
++
+ sock_hold(sk);
+ po->running = 1;
+ }
+@@ -266,10 +270,13 @@ static void __unregister_prot_hook(struct sock *sk, bool sync)
+ struct packet_sock *po = pkt_sk(sk);
+
+ po->running = 0;
+- if (po->fanout)
++ if (po->fanout) {
+ __fanout_unlink(sk, po);
+- else
++ } else {
+ __dev_remove_pack(&po->prot_hook);
++ RCU_INIT_POINTER(po->cached_dev, NULL);
++ }
++
+ __sock_put(sk);
+
+ if (sync) {
+@@ -432,9 +439,9 @@ static void prb_shutdown_retire_blk_timer(struct packet_sock *po,
+
+ pkc = tx_ring ? &po->tx_ring.prb_bdqc : &po->rx_ring.prb_bdqc;
+
+- spin_lock(&rb_queue->lock);
++ spin_lock_bh(&rb_queue->lock);
+ pkc->delete_blk_timer = 1;
+- spin_unlock(&rb_queue->lock);
++ spin_unlock_bh(&rb_queue->lock);
+
+ prb_del_retire_blk_timer(pkc);
+ }
+@@ -2052,12 +2059,24 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
+ return tp_len;
+ }
+
++static struct net_device *packet_cached_dev_get(struct packet_sock *po)
++{
++ struct net_device *dev;
++
++ rcu_read_lock();
++ dev = rcu_dereference(po->cached_dev);
++ if (dev)
++ dev_hold(dev);
++ rcu_read_unlock();
++
++ return dev;
++}
++
+ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
+ {
+ struct sk_buff *skb;
+ struct net_device *dev;
+ __be16 proto;
+- bool need_rls_dev = false;
+ int err, reserve = 0;
+ void *ph;
+ struct sockaddr_ll *saddr = (struct sockaddr_ll *)msg->msg_name;
+@@ -2070,7 +2089,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
+ mutex_lock(&po->pg_vec_lock);
+
+ if (saddr == NULL) {
+- dev = po->prot_hook.dev;
++ dev = packet_cached_dev_get(po);
+ proto = po->num;
+ addr = NULL;
+ } else {
+@@ -2084,19 +2103,17 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
+ proto = saddr->sll_protocol;
+ addr = saddr->sll_addr;
+ dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
+- need_rls_dev = true;
+ }
+
+ err = -ENXIO;
+ if (unlikely(dev == NULL))
+ goto out;
+-
+- reserve = dev->hard_header_len;
+-
+ err = -ENETDOWN;
+ if (unlikely(!(dev->flags & IFF_UP)))
+ goto out_put;
+
++ reserve = dev->hard_header_len;
++
+ size_max = po->tx_ring.frame_size
+ - (po->tp_hdrlen - sizeof(struct sockaddr_ll));
+
+@@ -2173,8 +2190,7 @@ out_status:
+ __packet_set_status(po, ph, status);
+ kfree_skb(skb);
+ out_put:
+- if (need_rls_dev)
+- dev_put(dev);
++ dev_put(dev);
+ out:
+ mutex_unlock(&po->pg_vec_lock);
+ return err;
+@@ -2212,7 +2228,6 @@ static int packet_snd(struct socket *sock,
+ struct sk_buff *skb;
+ struct net_device *dev;
+ __be16 proto;
+- bool need_rls_dev = false;
+ unsigned char *addr;
+ int err, reserve = 0;
+ struct virtio_net_hdr vnet_hdr = { 0 };
+@@ -2228,7 +2243,7 @@ static int packet_snd(struct socket *sock,
+ */
+
+ if (saddr == NULL) {
+- dev = po->prot_hook.dev;
++ dev = packet_cached_dev_get(po);
+ proto = po->num;
+ addr = NULL;
+ } else {
+@@ -2240,19 +2255,17 @@ static int packet_snd(struct socket *sock,
+ proto = saddr->sll_protocol;
+ addr = saddr->sll_addr;
+ dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
+- need_rls_dev = true;
+ }
+
+ err = -ENXIO;
+- if (dev == NULL)
++ if (unlikely(dev == NULL))
+ goto out_unlock;
+- if (sock->type == SOCK_RAW)
+- reserve = dev->hard_header_len;
+-
+ err = -ENETDOWN;
+- if (!(dev->flags & IFF_UP))
++ if (unlikely(!(dev->flags & IFF_UP)))
+ goto out_unlock;
+
++ if (sock->type == SOCK_RAW)
++ reserve = dev->hard_header_len;
+ if (po->has_vnet_hdr) {
+ vnet_hdr_len = sizeof(vnet_hdr);
+
+@@ -2386,15 +2399,14 @@ static int packet_snd(struct socket *sock,
+ if (err > 0 && (err = net_xmit_errno(err)) != 0)
+ goto out_unlock;
+
+- if (need_rls_dev)
+- dev_put(dev);
++ dev_put(dev);
+
+ return len;
+
+ out_free:
+ kfree_skb(skb);
+ out_unlock:
+- if (dev && need_rls_dev)
++ if (dev)
+ dev_put(dev);
+ out:
+ return err;
+@@ -2614,6 +2626,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
+ po = pkt_sk(sk);
+ sk->sk_family = PF_PACKET;
+ po->num = proto;
++ RCU_INIT_POINTER(po->cached_dev, NULL);
+
+ sk->sk_destruct = packet_sock_destruct;
+ sk_refcnt_debug_inc(sk);
+@@ -2660,7 +2673,6 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock,
+ struct sock *sk = sock->sk;
+ struct sk_buff *skb;
+ int copied, err;
+- struct sockaddr_ll *sll;
+ int vnet_hdr_len = 0;
+
+ err = -EINVAL;
+@@ -2744,22 +2756,10 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock,
+ goto out_free;
+ }
+
+- /*
+- * If the address length field is there to be filled in, we fill
+- * it in now.
++ /* You lose any data beyond the buffer you gave. If it worries
++ * a user program they can ask the device for its MTU
++ * anyway.
+ */
+-
+- sll = &PACKET_SKB_CB(skb)->sa.ll;
+- if (sock->type == SOCK_PACKET)
+- msg->msg_namelen = sizeof(struct sockaddr_pkt);
+- else
+- msg->msg_namelen = sll->sll_halen + offsetof(struct sockaddr_ll, sll_addr);
+-
+- /*
+- * You lose any data beyond the buffer you gave. If it worries a
+- * user program they can ask the device for its MTU anyway.
+- */
+-
+ copied = skb->len;
+ if (copied > len) {
+ copied = len;
+@@ -2772,9 +2772,20 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock,
+
+ sock_recv_ts_and_drops(msg, sk, skb);
+
+- if (msg->msg_name)
++ if (msg->msg_name) {
++ /* If the address length field is there to be filled
++ * in, we fill it in now.
++ */
++ if (sock->type == SOCK_PACKET) {
++ msg->msg_namelen = sizeof(struct sockaddr_pkt);
++ } else {
++ struct sockaddr_ll *sll = &PACKET_SKB_CB(skb)->sa.ll;
++ msg->msg_namelen = sll->sll_halen +
++ offsetof(struct sockaddr_ll, sll_addr);
++ }
+ memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa,
+ msg->msg_namelen);
++ }
+
+ if (pkt_sk(sk)->auxdata) {
+ struct tpacket_auxdata aux;
+diff --git a/net/packet/internal.h b/net/packet/internal.h
+index c4e4b45..1035fa2 100644
+--- a/net/packet/internal.h
++++ b/net/packet/internal.h
+@@ -113,6 +113,7 @@ struct packet_sock {
+ unsigned int tp_loss:1;
+ unsigned int tp_tx_has_off:1;
+ unsigned int tp_tstamp;
++ struct net_device __rcu *cached_dev;
+ struct packet_type prot_hook ____cacheline_aligned_in_smp;
+ };
+
+diff --git a/net/phonet/datagram.c b/net/phonet/datagram.c
+index 12c30f3..38946b2 100644
+--- a/net/phonet/datagram.c
++++ b/net/phonet/datagram.c
+@@ -139,9 +139,6 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk,
+ MSG_CMSG_COMPAT))
+ goto out_nofree;
+
+- if (addr_len)
+- *addr_len = sizeof(sa);
+-
+ skb = skb_recv_datagram(sk, flags, noblock, &rval);
+ if (skb == NULL)
+ goto out_nofree;
+@@ -162,8 +159,10 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk,
+
+ rval = (flags & MSG_TRUNC) ? skb->len : copylen;
+
+- if (msg->msg_name != NULL)
+- memcpy(msg->msg_name, &sa, sizeof(struct sockaddr_pn));
++ if (msg->msg_name != NULL) {
++ memcpy(msg->msg_name, &sa, sizeof(sa));
++ *addr_len = sizeof(sa);
++ }
+
+ out:
+ skb_free_datagram(sk, skb);
+diff --git a/net/rds/recv.c b/net/rds/recv.c
+index 9f0f17c..de339b2 100644
+--- a/net/rds/recv.c
++++ b/net/rds/recv.c
+@@ -410,8 +410,6 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
+
+ rdsdebug("size %zu flags 0x%x timeo %ld\n", size, msg_flags, timeo);
+
+- msg->msg_namelen = 0;
+-
+ if (msg_flags & MSG_OOB)
+ goto out;
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index e98fcfb..33af772 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -1216,7 +1216,6 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
+ {
+ struct sock *sk = sock->sk;
+ struct rose_sock *rose = rose_sk(sk);
+- struct sockaddr_rose *srose = (struct sockaddr_rose *)msg->msg_name;
+ size_t copied;
+ unsigned char *asmptr;
+ struct sk_buff *skb;
+@@ -1252,8 +1251,11 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
+
+ skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+
+- if (srose != NULL) {
+- memset(srose, 0, msg->msg_namelen);
++ if (msg->msg_name) {
++ struct sockaddr_rose *srose;
++
++ memset(msg->msg_name, 0, sizeof(struct full_sockaddr_rose));
++ srose = msg->msg_name;
+ srose->srose_family = AF_ROSE;
+ srose->srose_addr = rose->dest_addr;
+ srose->srose_call = rose->dest_call;
+diff --git a/net/rxrpc/ar-recvmsg.c b/net/rxrpc/ar-recvmsg.c
+index 4b48687..898492a 100644
+--- a/net/rxrpc/ar-recvmsg.c
++++ b/net/rxrpc/ar-recvmsg.c
+@@ -143,10 +143,13 @@ int rxrpc_recvmsg(struct kiocb *iocb, struct socket *sock,
+
+ /* copy the peer address and timestamp */
+ if (!continue_call) {
+- if (msg->msg_name && msg->msg_namelen > 0)
++ if (msg->msg_name) {
++ size_t len =
++ sizeof(call->conn->trans->peer->srx);
+ memcpy(msg->msg_name,
+- &call->conn->trans->peer->srx,
+- sizeof(call->conn->trans->peer->srx));
++ &call->conn->trans->peer->srx, len);
++ msg->msg_namelen = len;
++ }
+ sock_recv_ts_and_drops(msg, &rx->sk, skb);
+ }
+
+diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c
+index a9dfdda..2e55f81 100644
+--- a/net/sched/sch_fq.c
++++ b/net/sched/sch_fq.c
+@@ -88,7 +88,7 @@ struct fq_sched_data {
+ struct fq_flow internal; /* for non classified or high prio packets */
+ u32 quantum;
+ u32 initial_quantum;
+- u32 flow_default_rate;/* rate per flow : bytes per second */
++ u32 flow_refill_delay;
+ u32 flow_max_rate; /* optional max rate per flow */
+ u32 flow_plimit; /* max packets per flow */
+ struct rb_root *fq_root;
+@@ -115,6 +115,7 @@ static struct fq_flow detached, throttled;
+ static void fq_flow_set_detached(struct fq_flow *f)
+ {
+ f->next = &detached;
++ f->age = jiffies;
+ }
+
+ static bool fq_flow_is_detached(const struct fq_flow *f)
+@@ -209,21 +210,15 @@ static void fq_gc(struct fq_sched_data *q,
+ }
+ }
+
+-static const u8 prio2band[TC_PRIO_MAX + 1] = {
+- 1, 2, 2, 2, 1, 2, 0, 0 , 1, 1, 1, 1, 1, 1, 1, 1
+-};
+-
+ static struct fq_flow *fq_classify(struct sk_buff *skb, struct fq_sched_data *q)
+ {
+ struct rb_node **p, *parent;
+ struct sock *sk = skb->sk;
+ struct rb_root *root;
+ struct fq_flow *f;
+- int band;
+
+ /* warning: no starvation prevention... */
+- band = prio2band[skb->priority & TC_PRIO_MAX];
+- if (unlikely(band == 0))
++ if (unlikely((skb->priority & TC_PRIO_MAX) == TC_PRIO_CONTROL))
+ return &q->internal;
+
+ if (unlikely(!sk)) {
+@@ -372,17 +367,20 @@ static int fq_enqueue(struct sk_buff *skb, struct Qdisc *sch)
+ }
+
+ f->qlen++;
+- flow_queue_add(f, skb);
+ if (skb_is_retransmit(skb))
+ q->stat_tcp_retrans++;
+ sch->qstats.backlog += qdisc_pkt_len(skb);
+ if (fq_flow_is_detached(f)) {
+ fq_flow_add_tail(&q->new_flows, f);
+- if (q->quantum > f->credit)
+- f->credit = q->quantum;
++ if (time_after(jiffies, f->age + q->flow_refill_delay))
++ f->credit = max_t(u32, f->credit, q->quantum);
+ q->inactive_flows--;
+ qdisc_unthrottled(sch);
+ }
++
++ /* Note: this overwrites f->age */
++ flow_queue_add(f, skb);
++
+ if (unlikely(f == &q->internal)) {
+ q->stat_internal_packets++;
+ qdisc_unthrottled(sch);
+@@ -460,7 +458,6 @@ begin:
+ fq_flow_add_tail(&q->old_flows, f);
+ } else {
+ fq_flow_set_detached(f);
+- f->age = jiffies;
+ q->inactive_flows++;
+ }
+ goto begin;
+@@ -614,6 +611,7 @@ static const struct nla_policy fq_policy[TCA_FQ_MAX + 1] = {
+ [TCA_FQ_FLOW_DEFAULT_RATE] = { .type = NLA_U32 },
+ [TCA_FQ_FLOW_MAX_RATE] = { .type = NLA_U32 },
+ [TCA_FQ_BUCKETS_LOG] = { .type = NLA_U32 },
++ [TCA_FQ_FLOW_REFILL_DELAY] = { .type = NLA_U32 },
+ };
+
+ static int fq_change(struct Qdisc *sch, struct nlattr *opt)
+@@ -655,7 +653,8 @@ static int fq_change(struct Qdisc *sch, struct nlattr *opt)
+ q->initial_quantum = nla_get_u32(tb[TCA_FQ_INITIAL_QUANTUM]);
+
+ if (tb[TCA_FQ_FLOW_DEFAULT_RATE])
+- q->flow_default_rate = nla_get_u32(tb[TCA_FQ_FLOW_DEFAULT_RATE]);
++ pr_warn_ratelimited("sch_fq: defrate %u ignored.\n",
++ nla_get_u32(tb[TCA_FQ_FLOW_DEFAULT_RATE]));
+
+ if (tb[TCA_FQ_FLOW_MAX_RATE])
+ q->flow_max_rate = nla_get_u32(tb[TCA_FQ_FLOW_MAX_RATE]);
+@@ -669,6 +668,12 @@ static int fq_change(struct Qdisc *sch, struct nlattr *opt)
+ err = -EINVAL;
+ }
+
++ if (tb[TCA_FQ_FLOW_REFILL_DELAY]) {
++ u32 usecs_delay = nla_get_u32(tb[TCA_FQ_FLOW_REFILL_DELAY]) ;
++
++ q->flow_refill_delay = usecs_to_jiffies(usecs_delay);
++ }
++
+ if (!err)
+ err = fq_resize(q, fq_log);
+
+@@ -704,7 +709,7 @@ static int fq_init(struct Qdisc *sch, struct nlattr *opt)
+ q->flow_plimit = 100;
+ q->quantum = 2 * psched_mtu(qdisc_dev(sch));
+ q->initial_quantum = 10 * psched_mtu(qdisc_dev(sch));
+- q->flow_default_rate = 0;
++ q->flow_refill_delay = msecs_to_jiffies(40);
+ q->flow_max_rate = ~0U;
+ q->rate_enable = 1;
+ q->new_flows.first = NULL;
+@@ -731,15 +736,16 @@ static int fq_dump(struct Qdisc *sch, struct sk_buff *skb)
+ if (opts == NULL)
+ goto nla_put_failure;
+
+- /* TCA_FQ_FLOW_DEFAULT_RATE is not used anymore,
+- * do not bother giving its value
+- */
++ /* TCA_FQ_FLOW_DEFAULT_RATE is not used anymore */
++
+ if (nla_put_u32(skb, TCA_FQ_PLIMIT, sch->limit) ||
+ nla_put_u32(skb, TCA_FQ_FLOW_PLIMIT, q->flow_plimit) ||
+ nla_put_u32(skb, TCA_FQ_QUANTUM, q->quantum) ||
+ nla_put_u32(skb, TCA_FQ_INITIAL_QUANTUM, q->initial_quantum) ||
+ nla_put_u32(skb, TCA_FQ_RATE_ENABLE, q->rate_enable) ||
+ nla_put_u32(skb, TCA_FQ_FLOW_MAX_RATE, q->flow_max_rate) ||
++ nla_put_u32(skb, TCA_FQ_FLOW_REFILL_DELAY,
++ jiffies_to_usecs(q->flow_refill_delay)) ||
+ nla_put_u32(skb, TCA_FQ_BUCKETS_LOG, q->fq_trees_log))
+ goto nla_put_failure;
+
+diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
+index 1aaf1b6..6ddda28 100644
+--- a/net/sched/sch_tbf.c
++++ b/net/sched/sch_tbf.c
+@@ -21,6 +21,7 @@
+ #include <net/netlink.h>
+ #include <net/sch_generic.h>
+ #include <net/pkt_sched.h>
++#include <net/tcp.h>
+
+
+ /* Simple Token Bucket Filter.
+@@ -117,6 +118,22 @@ struct tbf_sched_data {
+ };
+
+
++/*
++ * Return length of individual segments of a gso packet,
++ * including all headers (MAC, IP, TCP/UDP)
++ */
++static unsigned int skb_gso_seglen(const struct sk_buff *skb)
++{
++ unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
++ const struct skb_shared_info *shinfo = skb_shinfo(skb);
++
++ if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)))
++ hdr_len += tcp_hdrlen(skb);
++ else
++ hdr_len += sizeof(struct udphdr);
++ return hdr_len + shinfo->gso_size;
++}
++
+ /* GSO packet is too big, segment it so that tbf can transmit
+ * each segment in time
+ */
+@@ -136,12 +153,8 @@ static int tbf_segment(struct sk_buff *skb, struct Qdisc *sch)
+ while (segs) {
+ nskb = segs->next;
+ segs->next = NULL;
+- if (likely(segs->len <= q->max_size)) {
+- qdisc_skb_cb(segs)->pkt_len = segs->len;
+- ret = qdisc_enqueue(segs, q->qdisc);
+- } else {
+- ret = qdisc_reshape_fail(skb, sch);
+- }
++ qdisc_skb_cb(segs)->pkt_len = segs->len;
++ ret = qdisc_enqueue(segs, q->qdisc);
+ if (ret != NET_XMIT_SUCCESS) {
+ if (net_xmit_drop_count(ret))
+ sch->qstats.drops++;
+@@ -163,7 +176,7 @@ static int tbf_enqueue(struct sk_buff *skb, struct Qdisc *sch)
+ int ret;
+
+ if (qdisc_pkt_len(skb) > q->max_size) {
+- if (skb_is_gso(skb))
++ if (skb_is_gso(skb) && skb_gso_seglen(skb) <= q->max_size)
+ return tbf_segment(skb, sch);
+ return qdisc_reshape_fail(skb, sch);
+ }
+@@ -316,6 +329,11 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt)
+ if (max_size < 0)
+ goto done;
+
++ if (max_size < psched_mtu(qdisc_dev(sch)))
++ pr_warn_ratelimited("sch_tbf: burst %u is lower than device %s mtu (%u) !\n",
++ max_size, qdisc_dev(sch)->name,
++ psched_mtu(qdisc_dev(sch)));
++
+ if (q->qdisc != &noop_qdisc) {
+ err = fifo_set_limit(q->qdisc, qopt->limit);
+ if (err)
+diff --git a/net/socket.c b/net/socket.c
+index c226ace..e83c416 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -221,12 +221,13 @@ static int move_addr_to_user(struct sockaddr_storage *kaddr, int klen,
+ int err;
+ int len;
+
++ BUG_ON(klen > sizeof(struct sockaddr_storage));
+ err = get_user(len, ulen);
+ if (err)
+ return err;
+ if (len > klen)
+ len = klen;
+- if (len < 0 || len > sizeof(struct sockaddr_storage))
++ if (len < 0)
+ return -EINVAL;
+ if (len) {
+ if (audit_sockaddr(klen, kaddr))
+@@ -1840,8 +1841,10 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
+ msg.msg_iov = &iov;
+ iov.iov_len = size;
+ iov.iov_base = ubuf;
+- msg.msg_name = (struct sockaddr *)&address;
+- msg.msg_namelen = sizeof(address);
++ /* Save some cycles and don't copy the address if not needed */
++ msg.msg_name = addr ? (struct sockaddr *)&address : NULL;
++ /* We assume all kernel code knows the size of sockaddr_storage */
++ msg.msg_namelen = 0;
+ if (sock->file->f_flags & O_NONBLOCK)
+ flags |= MSG_DONTWAIT;
+ err = sock_recvmsg(sock, &msg, size, flags);
+@@ -1970,7 +1973,7 @@ static int copy_msghdr_from_user(struct msghdr *kmsg,
+ if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
+ return -EFAULT;
+ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
+- return -EINVAL;
++ kmsg->msg_namelen = sizeof(struct sockaddr_storage);
+ return 0;
+ }
+
+@@ -2221,16 +2224,14 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+ goto out;
+ }
+
+- /*
+- * Save the user-mode address (verify_iovec will change the
+- * kernel msghdr to use the kernel address space)
++ /* Save the user-mode address (verify_iovec will change the
++ * kernel msghdr to use the kernel address space)
+ */
+-
+ uaddr = (__force void __user *)msg_sys->msg_name;
+ uaddr_len = COMPAT_NAMELEN(msg);
+- if (MSG_CMSG_COMPAT & flags) {
++ if (MSG_CMSG_COMPAT & flags)
+ err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE);
+- } else
++ else
+ err = verify_iovec(msg_sys, iov, &addr, VERIFY_WRITE);
+ if (err < 0)
+ goto out_freeiov;
+@@ -2239,6 +2240,9 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+ cmsg_ptr = (unsigned long)msg_sys->msg_control;
+ msg_sys->msg_flags = flags & (MSG_CMSG_CLOEXEC|MSG_CMSG_COMPAT);
+
++ /* We assume all kernel code knows the size of sockaddr_storage */
++ msg_sys->msg_namelen = 0;
++
+ if (sock->file->f_flags & O_NONBLOCK)
+ flags |= MSG_DONTWAIT;
+ err = (nosec ? sock_recvmsg_nosec : sock_recvmsg)(sock, msg_sys,
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 6cc7ddd..dffdbea 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -984,9 +984,6 @@ static int recv_msg(struct kiocb *iocb, struct socket *sock,
+ goto exit;
+ }
+
+- /* will be updated in set_orig_addr() if needed */
+- m->msg_namelen = 0;
+-
+ timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+ restart:
+
+@@ -1095,9 +1092,6 @@ static int recv_stream(struct kiocb *iocb, struct socket *sock,
+ goto exit;
+ }
+
+- /* will be updated in set_orig_addr() if needed */
+- m->msg_namelen = 0;
+-
+ target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len);
+ timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index c1f403b..01625cc 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1754,7 +1754,6 @@ static void unix_copy_addr(struct msghdr *msg, struct sock *sk)
+ {
+ struct unix_sock *u = unix_sk(sk);
+
+- msg->msg_namelen = 0;
+ if (u->addr) {
+ msg->msg_namelen = u->addr->len;
+ memcpy(msg->msg_name, u->addr->name, u->addr->len);
+@@ -1778,8 +1777,6 @@ static int unix_dgram_recvmsg(struct kiocb *iocb, struct socket *sock,
+ if (flags&MSG_OOB)
+ goto out;
+
+- msg->msg_namelen = 0;
+-
+ err = mutex_lock_interruptible(&u->readlock);
+ if (err) {
+ err = sock_intr_errno(sock_rcvtimeo(sk, noblock));
+@@ -1924,8 +1921,6 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
+ target = sock_rcvlowat(sk, flags&MSG_WAITALL, size);
+ timeo = sock_rcvtimeo(sk, flags&MSG_DONTWAIT);
+
+- msg->msg_namelen = 0;
+-
+ /* Lock the socket to prevent queue disordering
+ * while sleeps in memcpy_tomsg
+ */
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 545c08b..5adfd94 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1662,8 +1662,6 @@ vsock_stream_recvmsg(struct kiocb *kiocb,
+ vsk = vsock_sk(sk);
+ err = 0;
+
+- msg->msg_namelen = 0;
+-
+ lock_sock(sk);
+
+ if (sk->sk_state != SS_CONNECTED) {
+diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
+index 9d69866..687360d 100644
+--- a/net/vmw_vsock/vmci_transport.c
++++ b/net/vmw_vsock/vmci_transport.c
+@@ -1746,8 +1746,6 @@ static int vmci_transport_dgram_dequeue(struct kiocb *kiocb,
+ if (flags & MSG_OOB || flags & MSG_ERRQUEUE)
+ return -EOPNOTSUPP;
+
+- msg->msg_namelen = 0;
+-
+ /* Retrieve the head sk_buff from the socket's receive queue. */
+ err = 0;
+ skb = skb_recv_datagram(&vsk->sk, flags, noblock, &err);
+diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
+index 45a3ab5..7622789 100644
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -1340,10 +1340,9 @@ static int x25_recvmsg(struct kiocb *iocb, struct socket *sock,
+ if (sx25) {
+ sx25->sx25_family = AF_X25;
+ sx25->sx25_addr = x25->dest_addr;
++ msg->msg_namelen = sizeof(*sx25);
+ }
+
+- msg->msg_namelen = sizeof(struct sockaddr_x25);
+-
+ x25_check_rbuf(sk);
+ rc = copied;
+ out_free_dgram:
diff --git a/3.12.2/4420_grsecurity-3.0-3.12.2-201312032145.patch b/3.12.4/4420_grsecurity-3.0-3.12.4-201312081754.patch
similarity index 99%
rename from 3.12.2/4420_grsecurity-3.0-3.12.2-201312032145.patch
rename to 3.12.4/4420_grsecurity-3.0-3.12.4-201312081754.patch
index f703780..fa9c2c7 100644
--- a/3.12.2/4420_grsecurity-3.0-3.12.2-201312032145.patch
+++ b/3.12.4/4420_grsecurity-3.0-3.12.4-201312081754.patch
@@ -281,7 +281,7 @@ index fcbb736..5508d8c 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index e6e72b6..570e70a 100644
+index 3b7165e..9112a63 100644
--- a/Makefile
+++ b/Makefile
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -1799,7 +1799,7 @@ index 2fe141f..192dc01 100644
#ifdef CONFIG_MMU
extern void iotable_init(struct map_desc *, int);
diff --git a/arch/arm/include/asm/outercache.h b/arch/arm/include/asm/outercache.h
-index f94784f..41c7f61 100644
+index f94784f..9a09a4a 100644
--- a/arch/arm/include/asm/outercache.h
+++ b/arch/arm/include/asm/outercache.h
@@ -35,7 +35,7 @@ struct outer_cache_fns {
@@ -1807,7 +1807,7 @@ index f94784f..41c7f61 100644
void (*set_debug)(unsigned long);
void (*resume)(void);
-};
-+} __do_const;
++} __no_const;
extern struct outer_cache_fns outer_cache;
@@ -2366,7 +2366,7 @@ index 60d3b73..e5a0f22 100644
EXPORT_SYMBOL(__get_user_1);
EXPORT_SYMBOL(__get_user_2);
diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
-index 9cbe70c..a7b5e34 100644
+index ec3e5cf..b450ee3 100644
--- a/arch/arm/kernel/entry-armv.S
+++ b/arch/arm/kernel/entry-armv.S
@@ -47,6 +47,87 @@
@@ -2498,7 +2498,7 @@ index 9cbe70c..a7b5e34 100644
SPFIX( addeq r2, r2, #4 )
str r3, [sp, #-4]! @ save the "real" r0 copied
@ from the exception stack
-@@ -316,6 +410,9 @@ ENDPROC(__pabt_svc)
+@@ -317,6 +411,9 @@ ENDPROC(__pabt_svc)
.macro usr_entry
UNWIND(.fnstart )
UNWIND(.cantunwind ) @ don't unwind the user space
@@ -2508,7 +2508,7 @@ index 9cbe70c..a7b5e34 100644
sub sp, sp, #S_FRAME_SIZE
ARM( stmib sp, {r1 - r12} )
THUMB( stmia sp, {r0 - r12} )
-@@ -415,7 +512,9 @@ __und_usr:
+@@ -416,7 +513,9 @@ __und_usr:
tst r3, #PSR_T_BIT @ Thumb mode?
bne __und_usr_thumb
sub r4, r2, #4 @ ARM instr at LR - 4
@@ -2518,7 +2518,7 @@ index 9cbe70c..a7b5e34 100644
#ifdef CONFIG_CPU_ENDIAN_BE8
rev r0, r0 @ little endian instruction
#endif
-@@ -450,10 +549,14 @@ __und_usr_thumb:
+@@ -451,10 +550,14 @@ __und_usr_thumb:
*/
.arch armv6t2
#endif
@@ -2533,7 +2533,7 @@ index 9cbe70c..a7b5e34 100644
add r2, r2, #2 @ r2 is PC + 2, make it PC + 4
str r2, [sp, #S_PC] @ it's a 2x16bit instr, update
orr r0, r0, r5, lsl #16
-@@ -482,7 +585,8 @@ ENDPROC(__und_usr)
+@@ -483,7 +586,8 @@ ENDPROC(__und_usr)
*/
.pushsection .fixup, "ax"
.align 2
@@ -2543,7 +2543,7 @@ index 9cbe70c..a7b5e34 100644
.popsection
.pushsection __ex_table,"a"
.long 1b, 4b
-@@ -692,7 +796,7 @@ ENTRY(__switch_to)
+@@ -693,7 +797,7 @@ ENTRY(__switch_to)
THUMB( str lr, [ip], #4 )
ldr r4, [r2, #TI_TP_VALUE]
ldr r5, [r2, #TI_TP_VALUE + 4]
@@ -2552,7 +2552,7 @@ index 9cbe70c..a7b5e34 100644
ldr r6, [r2, #TI_CPU_DOMAIN]
#endif
switch_tls r1, r4, r5, r3, r7
-@@ -701,7 +805,7 @@ ENTRY(__switch_to)
+@@ -702,7 +806,7 @@ ENTRY(__switch_to)
ldr r8, =__stack_chk_guard
ldr r7, [r7, #TSK_STACK_CANARY]
#endif
@@ -3526,7 +3526,7 @@ index 813c615..ce467c6 100644
};
diff --git a/arch/arm/mach-omap2/omap_device.c b/arch/arm/mach-omap2/omap_device.c
-index b69dd9a..70e5409 100644
+index 53f0735..5b54eb6 100644
--- a/arch/arm/mach-omap2/omap_device.c
+++ b/arch/arm/mach-omap2/omap_device.c
@@ -504,7 +504,7 @@ void omap_device_delete(struct omap_device *od)
@@ -3741,6 +3741,19 @@ index 6f4585b..7b6f52b 100644
if (err) \
goto fault; \
} while (0)
+diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c
+index 447da6f..77a5057 100644
+--- a/arch/arm/mm/cache-l2x0.c
++++ b/arch/arm/mm/cache-l2x0.c
+@@ -45,7 +45,7 @@ struct l2x0_of_data {
+ void (*setup)(const struct device_node *, u32 *, u32 *);
+ void (*save)(void);
+ struct outer_cache_fns outer_cache;
+-};
++} __do_const;
+
+ static bool of_init = false;
+
diff --git a/arch/arm/mm/context.c b/arch/arm/mm/context.c
index 84e6f77..0b52f31 100644
--- a/arch/arm/mm/context.c
@@ -5146,7 +5159,7 @@ index ab33328..f39506c 100644
.notifier_call = palinfo_cpu_callback,
.priority = 0,
diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c
-index 41e33f8..65180b2 100644
+index 41e33f8..65180b2a 100644
--- a/arch/ia64/kernel/sys_ia64.c
+++ b/arch/ia64/kernel/sys_ia64.c
@@ -28,6 +28,7 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
@@ -8164,10 +8177,10 @@ index 9a0d24c..e7fbedf 100644
if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
-index 36d49e6..9147e39d 100644
+index fea2dba..a779f6b 100644
--- a/arch/powerpc/kernel/signal_32.c
+++ b/arch/powerpc/kernel/signal_32.c
-@@ -1004,7 +1004,7 @@ int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka,
+@@ -1002,7 +1002,7 @@ int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka,
/* Save user registers on the stack */
frame = &rt_sf->uc.uc_mcontext;
addr = frame;
@@ -8177,10 +8190,10 @@ index 36d49e6..9147e39d 100644
tramp = current->mm->context.vdso_base + vdso32_rt_sigtramp;
} else {
diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
-index f93ec28..97e0fbb 100644
+index 1e7ba88..17afb1b 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
-@@ -757,7 +757,7 @@ int handle_rt_signal64(int signr, struct k_sigaction *ka, siginfo_t *info,
+@@ -763,7 +763,7 @@ int handle_rt_signal64(int signr, struct k_sigaction *ka, siginfo_t *info,
#endif
/* Set up to return from userspace. */
@@ -14271,7 +14284,7 @@ index 722aa3b..3a0bb27 100644
/* Atomic operations are already serializing on x86 */
#define smp_mb__before_atomic_dec() barrier()
diff --git a/arch/x86/include/asm/atomic64_32.h b/arch/x86/include/asm/atomic64_32.h
-index b154de7..a7cef48 100644
+index b154de7..aadebd8 100644
--- a/arch/x86/include/asm/atomic64_32.h
+++ b/arch/x86/include/asm/atomic64_32.h
@@ -12,6 +12,14 @@ typedef struct {
@@ -14343,7 +14356,7 @@ index b154de7..a7cef48 100644
* atomic64_xchg - xchg atomic64 variable
* @v: pointer to type atomic64_t
* @n: value to assign
-@@ -112,12 +145,41 @@ static inline void atomic64_set(atomic64_t *v, long long i)
+@@ -112,6 +145,22 @@ static inline void atomic64_set(atomic64_t *v, long long i)
}
/**
@@ -14366,10 +14379,16 @@ index b154de7..a7cef48 100644
* atomic64_read - read atomic64 variable
* @v: pointer to type atomic64_t
*
- * Atomically reads the value of @v and returns it.
- */
--static inline long long atomic64_read(const atomic64_t *v)
-+static inline long long __intentional_overflow(-1) atomic64_read(const atomic64_t *v)
+@@ -125,6 +174,19 @@ static inline long long atomic64_read(const atomic64_t *v)
+ }
+
+ /**
++ * atomic64_read_unchecked - read atomic64 variable
++ * @v: pointer to type atomic64_unchecked_t
++ *
++ * Atomically reads the value of @v and returns it.
++ */
++static inline long long atomic64_read_unchecked(atomic64_unchecked_t *v)
+{
+ long long r;
+ alternative_atomic64(read, "=&A" (r), "c" (v) : "memory");
@@ -14377,15 +14396,9 @@ index b154de7..a7cef48 100644
+ }
+
+/**
-+ * atomic64_read_unchecked - read atomic64 variable
-+ * @v: pointer to type atomic64_unchecked_t
-+ *
-+ * Atomically reads the value of @v and returns it.
-+ */
-+static inline long long atomic64_read_unchecked(atomic64_unchecked_t *v)
- {
- long long r;
- alternative_atomic64(read, "=&A" (r), "c" (v) : "memory");
+ * atomic64_add_return - add and return
+ * @i: integer value to add
+ * @v: pointer to type atomic64_t
@@ -139,6 +201,21 @@ static inline long long atomic64_add_return(long long i, atomic64_t *v)
return i;
}
@@ -14446,15 +14459,12 @@ index b154de7..a7cef48 100644
* @i: integer value to subtract
* @v: pointer to type atomic64_t
diff --git a/arch/x86/include/asm/atomic64_64.h b/arch/x86/include/asm/atomic64_64.h
-index 0e1cbfc..adf5aa7 100644
+index 0e1cbfc..5623683 100644
--- a/arch/x86/include/asm/atomic64_64.h
+++ b/arch/x86/include/asm/atomic64_64.h
-@@ -16,9 +16,21 @@
- * Atomically reads the value of @v.
- * Doesn't imply a read memory barrier.
+@@ -18,7 +18,19 @@
*/
--static inline long atomic64_read(const atomic64_t *v)
-+static inline long __intentional_overflow(-1) atomic64_read(const atomic64_t *v)
+ static inline long atomic64_read(const atomic64_t *v)
{
- return (*(volatile long *)&(v)->counter);
+ return (*(volatile const long *)&(v)->counter);
@@ -14760,7 +14770,7 @@ index 0e1cbfc..adf5aa7 100644
#define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
diff --git a/arch/x86/include/asm/bitops.h b/arch/x86/include/asm/bitops.h
-index 41639ce..0bd8c87 100644
+index 41639ce..ebce552 100644
--- a/arch/x86/include/asm/bitops.h
+++ b/arch/x86/include/asm/bitops.h
@@ -48,7 +48,7 @@
@@ -14790,6 +14800,24 @@ index 41639ce..0bd8c87 100644
{
asm("rep; bsf %1,%0"
: "=r" (word)
+@@ -389,7 +389,7 @@ static inline unsigned long ffz(unsigned long word)
+ *
+ * Undefined if no set bit exists, so code should check against 0 first.
+ */
+-static inline unsigned long __fls(unsigned long word)
++static inline unsigned long __intentional_overflow(-1) __fls(unsigned long word)
+ {
+ asm("bsr %1,%0"
+ : "=r" (word)
+@@ -452,7 +452,7 @@ static inline int ffs(int x)
+ * set bit if value is nonzero. The last (most significant) bit is
+ * at position 32.
+ */
+-static inline int fls(int x)
++static inline int __intentional_overflow(-1) fls(int x)
+ {
+ int r;
+
@@ -494,7 +494,7 @@ static inline int fls(int x)
* at position 64.
*/
@@ -19537,7 +19565,7 @@ index 903a264..fc955f3 100644
if (c->x86_model == 3 && c->x86_mask == 0)
size = 64;
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 2793d1f..5c04a30 100644
+index 2793d1f..b4f313a 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -88,60 +88,6 @@ static const struct cpu_dev default_cpu = {
@@ -19601,7 +19629,7 @@ index 2793d1f..5c04a30 100644
static int __init x86_xsave_setup(char *s)
{
setup_clear_cpu_cap(X86_FEATURE_XSAVE);
-@@ -288,6 +234,57 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
+@@ -288,6 +234,59 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
set_in_cr4(X86_CR4_SMAP);
}
@@ -19609,6 +19637,7 @@ index 2793d1f..5c04a30 100644
+static __init int setup_disable_pcid(char *arg)
+{
+ setup_clear_cpu_cap(X86_FEATURE_PCID);
++ setup_clear_cpu_cap(X86_FEATURE_INVPCID);
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+ if (clone_pgd_mask != ~(pgdval_t)0UL)
@@ -19622,6 +19651,7 @@ index 2793d1f..5c04a30 100644
+static void setup_pcid(struct cpuinfo_x86 *c)
+{
+ if (!cpu_has(c, X86_FEATURE_PCID)) {
++ clear_cpu_cap(c, X86_FEATURE_INVPCID);
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+ if (clone_pgd_mask != ~(pgdval_t)0UL) {
@@ -19659,7 +19689,7 @@ index 2793d1f..5c04a30 100644
/*
* Some CPU features depend on higher CPUID levels, which may not always
* be available due to CPUID level capping or broken virtualization
-@@ -386,7 +383,7 @@ void switch_to_new_gdt(int cpu)
+@@ -386,7 +385,7 @@ void switch_to_new_gdt(int cpu)
{
struct desc_ptr gdt_descr;
@@ -19668,7 +19698,7 @@ index 2793d1f..5c04a30 100644
gdt_descr.size = GDT_SIZE - 1;
load_gdt(&gdt_descr);
/* Reload the per-cpu base */
-@@ -875,6 +872,10 @@ static void identify_cpu(struct cpuinfo_x86 *c)
+@@ -875,6 +874,10 @@ static void identify_cpu(struct cpuinfo_x86 *c)
setup_smep(c);
setup_smap(c);
@@ -19679,7 +19709,7 @@ index 2793d1f..5c04a30 100644
/*
* The vendor-specific functions might have changed features.
* Now we do "generic changes."
-@@ -883,6 +884,10 @@ static void identify_cpu(struct cpuinfo_x86 *c)
+@@ -883,6 +886,10 @@ static void identify_cpu(struct cpuinfo_x86 *c)
/* Filter out anything that depends on CPUID levels we don't have */
filter_cpuid_features(c, true);
@@ -19690,7 +19720,7 @@ index 2793d1f..5c04a30 100644
/* If the model name is still unset, do table lookup. */
if (!c->x86_model_id[0]) {
const char *p;
-@@ -1070,10 +1075,12 @@ static __init int setup_disablecpuid(char *arg)
+@@ -1070,10 +1077,12 @@ static __init int setup_disablecpuid(char *arg)
}
__setup("clearcpuid=", setup_disablecpuid);
@@ -19706,7 +19736,7 @@ index 2793d1f..5c04a30 100644
DEFINE_PER_CPU_FIRST(union irq_stack_union,
irq_stack_union) __aligned(PAGE_SIZE) __visible;
-@@ -1087,7 +1094,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task) ____cacheline_aligned =
+@@ -1087,7 +1096,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task) ____cacheline_aligned =
EXPORT_PER_CPU_SYMBOL(current_task);
DEFINE_PER_CPU(unsigned long, kernel_stack) =
@@ -19715,7 +19745,7 @@ index 2793d1f..5c04a30 100644
EXPORT_PER_CPU_SYMBOL(kernel_stack);
DEFINE_PER_CPU(char *, irq_stack_ptr) =
-@@ -1232,7 +1239,7 @@ void cpu_init(void)
+@@ -1232,7 +1241,7 @@ void cpu_init(void)
load_ucode_ap();
cpu = stack_smp_processor_id();
@@ -19724,7 +19754,7 @@ index 2793d1f..5c04a30 100644
oist = &per_cpu(orig_ist, cpu);
#ifdef CONFIG_NUMA
-@@ -1267,7 +1274,6 @@ void cpu_init(void)
+@@ -1267,7 +1276,6 @@ void cpu_init(void)
wrmsrl(MSR_KERNEL_GS_BASE, 0);
barrier();
@@ -19732,7 +19762,7 @@ index 2793d1f..5c04a30 100644
enable_x2apic();
/*
-@@ -1319,7 +1325,7 @@ void cpu_init(void)
+@@ -1319,7 +1327,7 @@ void cpu_init(void)
{
int cpu = smp_processor_id();
struct task_struct *curr = current;
@@ -32355,7 +32385,7 @@ index 877b9a1..a8ecf42 100644
+ pax_force_retaddr
ret
diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
-index 516593e..29d3c55 100644
+index 26328e8..5f96c25 100644
--- a/arch/x86/net/bpf_jit_comp.c
+++ b/arch/x86/net/bpf_jit_comp.c
@@ -50,13 +50,90 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len)
@@ -34756,7 +34786,7 @@ index 05306a5..733d1f0 100644
static void delete_gpe_attr_array(void)
{
diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
-index aaac4fb..e325c00 100644
+index cfb7447..98f2149 100644
--- a/drivers/ata/libahci.c
+++ b/drivers/ata/libahci.c
@@ -1239,7 +1239,7 @@ int ahci_kick_engine(struct ata_port *ap)
@@ -34769,7 +34799,7 @@ index aaac4fb..e325c00 100644
unsigned long timeout_msec)
{
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
-index 83b1a9f..005b1ec 100644
+index 81a94a3..b711c74 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -98,7 +98,7 @@ static unsigned int ata_dev_set_xfermode(struct ata_device *dev);
@@ -34781,7 +34811,7 @@ index 83b1a9f..005b1ec 100644
struct ata_force_param {
const char *name;
-@@ -4808,7 +4808,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
+@@ -4809,7 +4809,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
struct ata_port *ap;
unsigned int tag;
@@ -34790,7 +34820,7 @@ index 83b1a9f..005b1ec 100644
ap = qc->ap;
qc->flags = 0;
-@@ -4824,7 +4824,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
+@@ -4825,7 +4825,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
struct ata_port *ap;
struct ata_link *link;
@@ -34799,7 +34829,7 @@ index 83b1a9f..005b1ec 100644
WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
ap = qc->ap;
link = qc->dev->link;
-@@ -5943,6 +5943,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
+@@ -5944,6 +5944,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
return;
spin_lock(&lock);
@@ -34807,7 +34837,7 @@ index 83b1a9f..005b1ec 100644
for (cur = ops->inherits; cur; cur = cur->inherits) {
void **inherit = (void **)cur;
-@@ -5956,8 +5957,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
+@@ -5957,8 +5958,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
if (IS_ERR(*pp))
*pp = NULL;
@@ -34818,7 +34848,7 @@ index 83b1a9f..005b1ec 100644
spin_unlock(&lock);
}
-@@ -6150,7 +6152,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht)
+@@ -6151,7 +6153,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht)
/* give ports names and add SCSI hosts */
for (i = 0; i < host->n_ports; i++) {
@@ -35228,7 +35258,7 @@ index 1dc0519..1aadaf7 100644
// free the skb
hrz_kfree_skb (skb);
diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c
-index 272f009..a18ba55 100644
+index 1bdf104..9dc44b1 100644
--- a/drivers/atm/idt77252.c
+++ b/drivers/atm/idt77252.c
@@ -812,7 +812,7 @@ drain_scq(struct idt77252_dev *card, struct vc_map *vc)
@@ -36473,7 +36503,7 @@ index cc29cd3..d4b058b 100644
static struct asender_cmd asender_tbl[] = {
[P_PING] = { 0, got_Ping },
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
-index 2f036ca..68d3f40 100644
+index c8dac73..1800093 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -232,7 +232,7 @@ static int __do_lo_send_write(struct file *file,
@@ -38552,10 +38582,10 @@ index 4b91228..590c643 100644
iir = I915_READ(IIR);
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index d78d33f..01d7c58 100644
+index 333aa1b..0183e38 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
-@@ -9972,13 +9972,13 @@ struct intel_quirk {
+@@ -9976,13 +9976,13 @@ struct intel_quirk {
int subsystem_vendor;
int subsystem_device;
void (*hook)(struct drm_device *dev);
@@ -38571,7 +38601,7 @@ index d78d33f..01d7c58 100644
static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
{
-@@ -9986,18 +9986,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
+@@ -9990,18 +9990,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
return 1;
}
@@ -39570,10 +39600,10 @@ index ec0ae2d..dc0780b 100644
/* copy over all the bus versions */
if (dev->bus && dev->bus->pm) {
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index e80da62..bbcba01 100644
+index c08b5c1..6c3d50b 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
-@@ -2417,7 +2417,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
+@@ -2415,7 +2415,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
int hid_add_device(struct hid_device *hdev)
{
@@ -39582,7 +39612,7 @@ index e80da62..bbcba01 100644
int ret;
if (WARN_ON(hdev->status & HID_STAT_ADDED))
-@@ -2451,7 +2451,7 @@ int hid_add_device(struct hid_device *hdev)
+@@ -2449,7 +2449,7 @@ int hid_add_device(struct hid_device *hdev)
/* XXX hack, any other cleaner solution after the driver core
* is converted to allow more than 20 bytes as the device name? */
dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
@@ -39605,7 +39635,7 @@ index c13fb5b..55a3802 100644
*off += size;
diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c
-index 93b00d7..0a71596 100644
+index cedc6da..2c3da2a 100644
--- a/drivers/hid/uhid.c
+++ b/drivers/hid/uhid.c
@@ -47,7 +47,7 @@ struct uhid_device {
@@ -41370,32 +41400,6 @@ index e74df7c..03a03ba 100644
return -EFAULT;
} else
memcpy(msg, buf, count);
-diff --git a/drivers/isdn/isdnloop/isdnloop.c b/drivers/isdn/isdnloop/isdnloop.c
-index baf2686..02125e6 100644
---- a/drivers/isdn/isdnloop/isdnloop.c
-+++ b/drivers/isdn/isdnloop/isdnloop.c
-@@ -1083,8 +1083,10 @@ isdnloop_start(isdnloop_card *card, isdnloop_sdef *sdefp)
- spin_unlock_irqrestore(&card->isdnloop_lock, flags);
- return -ENOMEM;
- }
-- for (i = 0; i < 3; i++)
-- strcpy(card->s0num[i], sdef.num[i]);
-+ for (i = 0; i < 3; i++) {
-+ strlcpy(card->s0num[i], sdef.num[i],
-+ sizeof(card->s0num[0]));
-+ }
- break;
- case ISDN_PTYPE_1TR6:
- if (isdnloop_fake(card, "DRV1.04TC-1TR6-CAPI-CNS-BASIS-29.11.95",
-@@ -1097,7 +1099,7 @@ isdnloop_start(isdnloop_card *card, isdnloop_sdef *sdefp)
- spin_unlock_irqrestore(&card->isdnloop_lock, flags);
- return -ENOMEM;
- }
-- strcpy(card->s0num[0], sdef.num[0]);
-+ strlcpy(card->s0num[0], sdef.num[0], sizeof(card->s0num[0]));
- card->s0num[1][0] = '\0';
- card->s0num[2][0] = '\0';
- break;
diff --git a/drivers/isdn/mISDN/dsp_cmx.c b/drivers/isdn/mISDN/dsp_cmx.c
index a4f05c5..1433bc5 100644
--- a/drivers/isdn/mISDN/dsp_cmx.c
@@ -41781,7 +41785,7 @@ index 73c1712..7347292 100644
schedule_work(&sc->trigger_event);
}
diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
-index 8f87835..531854d 100644
+index 41d907b..34b87ee 100644
--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -286,7 +286,7 @@ static struct dm_dev_internal *find_device(struct list_head *l, dev_t dev)
@@ -41883,7 +41887,7 @@ index b3e26c7..1efca94 100644
void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 561a65f..f4e8c71 100644
+index ba46d97..f8f5019 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -234,10 +234,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio);
@@ -41955,7 +41959,7 @@ index 561a65f..f4e8c71 100644
INIT_LIST_HEAD(&rdev->same_set);
init_waitqueue_head(&rdev->blocked_wait);
-@@ -7042,7 +7042,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
+@@ -7043,7 +7043,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
spin_unlock(&pers_lock);
seq_printf(seq, "\n");
@@ -41964,7 +41968,7 @@ index 561a65f..f4e8c71 100644
return 0;
}
if (v == (void*)2) {
-@@ -7145,7 +7145,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
+@@ -7146,7 +7146,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
return error;
seq = file->private_data;
@@ -41973,7 +41977,7 @@ index 561a65f..f4e8c71 100644
return error;
}
-@@ -7159,7 +7159,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
+@@ -7160,7 +7160,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
/* always allow read */
mask = POLLIN | POLLRDNORM;
@@ -41982,7 +41986,7 @@ index 561a65f..f4e8c71 100644
mask |= POLLERR | POLLPRI;
return mask;
}
-@@ -7203,7 +7203,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
+@@ -7204,7 +7204,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
(int)part_stat_read(&disk->part0, sectors[1]) -
@@ -42118,10 +42122,10 @@ index 73dc8a3..bdd515a 100644
rdev_dec_pending(rdev, mddev);
diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
-index f8b9068..7a2b9fc 100644
+index 8a0665d..984c46d 100644
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
-@@ -1886,21 +1886,21 @@ static void raid5_end_read_request(struct bio * bi, int error)
+@@ -1887,21 +1887,21 @@ static void raid5_end_read_request(struct bio * bi, int error)
mdname(conf->mddev), STRIPE_SECTORS,
(unsigned long long)s,
bdevname(rdev->bdev, b));
@@ -42147,7 +42151,7 @@ index f8b9068..7a2b9fc 100644
if (test_bit(R5_ReadRepl, &sh->dev[i].flags))
printk_ratelimited(
KERN_WARNING
-@@ -1928,7 +1928,7 @@ static void raid5_end_read_request(struct bio * bi, int error)
+@@ -1929,7 +1929,7 @@ static void raid5_end_read_request(struct bio * bi, int error)
mdname(conf->mddev),
(unsigned long long)s,
bdn);
@@ -42497,10 +42501,10 @@ index 46da365..3ba4206 100644
dev_set_drvdata(&dev->dev, dev);
rc = device_add(&dev->dev);
diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c
-index 3940bb0..fb3952a 100644
+index 20e345d..da56fe4 100644
--- a/drivers/media/usb/dvb-usb/cxusb.c
+++ b/drivers/media/usb/dvb-usb/cxusb.c
-@@ -1068,7 +1068,7 @@ static struct dib0070_config dib7070p_dib0070_config = {
+@@ -1101,7 +1101,7 @@ static struct dib0070_config dib7070p_dib0070_config = {
struct dib0700_adapter_state {
int (*set_param_save) (struct dvb_frontend *);
@@ -42510,10 +42514,10 @@ index 3940bb0..fb3952a 100644
static int dib7070_set_param_override(struct dvb_frontend *fe)
{
diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c
-index 6e237b6..dc25556 100644
+index 71b22f5..a63b33f 100644
--- a/drivers/media/usb/dvb-usb/dw2102.c
+++ b/drivers/media/usb/dvb-usb/dw2102.c
-@@ -118,7 +118,7 @@ struct su3000_state {
+@@ -121,7 +121,7 @@ struct su3000_state {
struct s6x0_state {
int (*old_set_voltage)(struct dvb_frontend *f, fe_sec_voltage_t v);
@@ -43465,7 +43469,7 @@ index 4b8e895..6b3c498 100644
struct sm_sysfs_attribute *vendor_attribute;
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
-index e883bfe..e51a1ec 100644
+index dd8057d..22aaf36 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -4511,7 +4511,7 @@ static unsigned int bond_get_num_tx_queues(void)
@@ -43753,7 +43757,7 @@ index 1551360..ed6510f 100644
struct qlcnic_hardware_context *ahw;
void *temp_buffer;
diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
-index 3397cee..101f8fa 100644
+index fb3f8dc..9d2ff38 100644
--- a/drivers/net/ethernet/realtek/r8169.c
+++ b/drivers/net/ethernet/realtek/r8169.c
@@ -759,22 +759,22 @@ struct rtl8169_private {
@@ -43896,10 +43900,10 @@ index 9bf46bd..bfdaa84 100644
};
diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
-index 9dccb1e..19fd4c9 100644
+index dc76670..e18f39c 100644
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
-@@ -1183,7 +1183,7 @@ static int macvtap_device_event(struct notifier_block *unused,
+@@ -1189,7 +1189,7 @@ static int macvtap_device_event(struct notifier_block *unused,
return NOTIFY_DONE;
}
@@ -43956,10 +43960,10 @@ index 1252d9c..80e660b 100644
/* We've got a compressed packet; read the change byte */
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
-index 50e43e6..e1a5807 100644
+index 6327df2..e6e1ebe 100644
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
-@@ -2869,7 +2869,7 @@ static int team_device_event(struct notifier_block *unused,
+@@ -2873,7 +2873,7 @@ static int team_device_event(struct notifier_block *unused,
return NOTIFY_DONE;
}
@@ -43969,10 +43973,10 @@ index 50e43e6..e1a5807 100644
};
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
-index 7cb105c..11214ff 100644
+index 782e38b..d076fdc 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
-@@ -1826,7 +1826,7 @@ unlock:
+@@ -1834,7 +1834,7 @@ unlock:
}
static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
@@ -43981,7 +43985,7 @@ index 7cb105c..11214ff 100644
{
struct tun_file *tfile = file->private_data;
struct tun_struct *tun;
-@@ -1839,6 +1839,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
+@@ -1847,6 +1847,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
unsigned int ifindex;
int ret;
@@ -45279,10 +45283,10 @@ index 70222f2..8c8ce66 100644
acpi_status status;
diff --git a/drivers/platform/x86/sony-laptop.c b/drivers/platform/x86/sony-laptop.c
-index 13ec195..6af61af 100644
+index 3484dd2..13ee730 100644
--- a/drivers/platform/x86/sony-laptop.c
+++ b/drivers/platform/x86/sony-laptop.c
-@@ -2475,7 +2475,7 @@ static void sony_nc_gfx_switch_cleanup(struct platform_device *pd)
+@@ -2448,7 +2448,7 @@ static void sony_nc_gfx_switch_cleanup(struct platform_device *pd)
}
/* High speed charging function */
@@ -47289,7 +47293,7 @@ index d90dbb0..6cbe585 100644
spin_lock_init(&dev->t10_wwn.t10_vpd_lock);
INIT_LIST_HEAD(&dev->t10_pr.registration_list);
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
-index 81e945e..e40c92f 100644
+index 0b0009b..215e88e 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1137,7 +1137,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd)
@@ -47724,10 +47728,10 @@ index c0f76da..d974c32 100644
dlci_get(dlci->gsm->dlci[0]);
mux_get(dlci->gsm);
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
-index 7a744b6..6aa4aa9 100644
+index ff58293..71c87bc 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
-@@ -2498,6 +2498,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
+@@ -2502,6 +2502,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
{
*ops = tty_ldisc_N_TTY;
ops->owner = NULL;
@@ -48417,10 +48421,10 @@ index 40a9fe9..a3f10cc 100644
if (get_user(c, buf))
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
-index 3a1a01a..b12cda2 100644
+index c74a00a..02cf211a 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
-@@ -3473,7 +3473,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
+@@ -3474,7 +3474,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
void tty_default_fops(struct file_operations *fops)
{
@@ -48598,7 +48602,7 @@ index d0e3a44..5f8b754 100644
ret = -EPERM;
goto reterr;
diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
-index 0e808cf..26c24ab 100644
+index 0e808cf..d7d274b 100644
--- a/drivers/uio/uio.c
+++ b/drivers/uio/uio.c
@@ -25,6 +25,7 @@
@@ -48678,7 +48682,16 @@ index 0e808cf..26c24ab 100644
return -1;
return (int)vma->vm_pgoff;
}
-@@ -818,7 +823,7 @@ int __uio_register_device(struct module *owner,
+@@ -647,6 +652,8 @@ static int uio_mmap_physical(struct vm_area_struct *vma)
+ return -EINVAL;
+ mem = idev->info->mem + mi;
+
++ if (mem->addr & ~PAGE_MASK)
++ return -ENODEV;
+ if (vma->vm_end - vma->vm_start > mem->size)
+ return -EINVAL;
+
+@@ -818,7 +825,7 @@ int __uio_register_device(struct module *owner,
idev->owner = owner;
idev->info = info;
init_waitqueue_head(&idev->wait);
@@ -48814,6 +48827,35 @@ index 2a3bbdf..91d72cf 100644
if (file->f_version != event_count) {
file->f_version = event_count;
return POLLIN | POLLRDNORM;
+diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
+index 71dc5d7..6135ff2 100644
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -187,7 +187,7 @@ static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
+ struct dev_state *ps = file->private_data;
+ struct usb_device *dev = ps->dev;
+ ssize_t ret = 0;
+- unsigned len;
++ size_t len;
+ loff_t pos;
+ int i;
+
+@@ -229,13 +229,13 @@ static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
+ for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) {
+ struct usb_config_descriptor *config =
+ (struct usb_config_descriptor *)dev->rawdescriptors[i];
+- unsigned int length = le16_to_cpu(config->wTotalLength);
++ size_t length = le16_to_cpu(config->wTotalLength);
+
+ if (*ppos < pos + length) {
+
+ /* The descriptor may claim to be longer than it
+ * really is. Here is the actual allocated length. */
+- unsigned alloclen =
++ size_t alloclen =
+ le16_to_cpu(dev->config[i].desc.wTotalLength);
+
+ len = length - (*ppos - pos);
diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
index f20a044..d1059aa 100644
--- a/drivers/usb/core/hcd.c
@@ -49175,10 +49217,10 @@ index cf250c2..ad9d904 100644
/**
diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c
-index 6ad02f5..cc52c8b 100644
+index 3dcf66f..8faaf6e 100644
--- a/drivers/usb/wusbcore/wa-xfer.c
+++ b/drivers/usb/wusbcore/wa-xfer.c
-@@ -299,7 +299,7 @@ out:
+@@ -300,7 +300,7 @@ out:
*/
static void wa_xfer_id_init(struct wa_xfer *xfer)
{
@@ -52192,6 +52234,28 @@ index ff22871..b129bed 100644
info->var.accel_flags = (!noaccel);
+diff --git a/drivers/video/omap2/dss/display.c b/drivers/video/omap2/dss/display.c
+index fafe7c9..93197b9 100644
+--- a/drivers/video/omap2/dss/display.c
++++ b/drivers/video/omap2/dss/display.c
+@@ -137,12 +137,14 @@ int omapdss_register_display(struct omap_dss_device *dssdev)
+ snprintf(dssdev->alias, sizeof(dssdev->alias),
+ "display%d", disp_num_counter++);
+
++ pax_open_kernel();
+ if (drv && drv->get_resolution == NULL)
+- drv->get_resolution = omapdss_default_get_resolution;
++ *(void **)&drv->get_resolution = omapdss_default_get_resolution;
+ if (drv && drv->get_recommended_bpp == NULL)
+- drv->get_recommended_bpp = omapdss_default_get_recommended_bpp;
++ *(void **)&drv->get_recommended_bpp = omapdss_default_get_recommended_bpp;
+ if (drv && drv->get_timings == NULL)
+- drv->get_timings = omapdss_default_get_timings;
++ *(void **)&drv->get_timings = omapdss_default_get_timings;
++ pax_close_kernel();
+
+ mutex_lock(&panel_list_mutex);
+ list_add_tail(&dssdev->panel_list, &panel_list);
diff --git a/drivers/video/s1d13xxxfb.c b/drivers/video/s1d13xxxfb.c
index 05c2dc3..ea1f391 100644
--- a/drivers/video/s1d13xxxfb.c
@@ -52649,10 +52713,10 @@ index 789bc25..fafaeea 100644
&data);
if (!inode) {
diff --git a/fs/aio.c b/fs/aio.c
-index 067e3d3..634a850 100644
+index 6efb7f6..37da952 100644
--- a/fs/aio.c
+++ b/fs/aio.c
-@@ -280,7 +280,7 @@ static int aio_setup_ring(struct kioctx *ctx)
+@@ -338,7 +338,7 @@ static int aio_setup_ring(struct kioctx *ctx)
size += sizeof(struct io_event) * nr_events;
nr_pages = PFN_UP(size);
@@ -52660,7 +52724,7 @@ index 067e3d3..634a850 100644
+ if (nr_pages <= 0)
return -EINVAL;
- file = anon_inode_getfile_private("[aio]", &aio_ring_fops, ctx, O_RDWR);
+ file = aio_private_file(ctx, nr_pages);
diff --git a/fs/attr.c b/fs/attr.c
index 1449adb..a2038c2 100644
--- a/fs/attr.c
@@ -54286,7 +54350,7 @@ index 77fc5e1..e3d13e6 100644
atomic_set(&midCount, 0);
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
-index 52b6f6c..68db1f4 100644
+index c8e03f8..75362f6 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -758,35 +758,35 @@ struct cifs_tcon {
@@ -54405,10 +54469,10 @@ index 138a011..cf9e13a 100644
}
diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c
-index 8233b17..2b83e95 100644
+index e50554b..c011413 100644
--- a/fs/cifs/smb1ops.c
+++ b/fs/cifs/smb1ops.c
-@@ -590,27 +590,27 @@ static void
+@@ -609,27 +609,27 @@ static void
cifs_clear_stats(struct cifs_tcon *tcon)
{
#ifdef CONFIG_CIFS_STATS
@@ -54457,7 +54521,7 @@ index 8233b17..2b83e95 100644
#endif
}
-@@ -619,36 +619,36 @@ cifs_print_stats(struct seq_file *m, struct cifs_tcon *tcon)
+@@ -638,36 +638,36 @@ cifs_print_stats(struct seq_file *m, struct cifs_tcon *tcon)
{
#ifdef CONFIG_CIFS_STATS
seq_printf(m, " Oplocks breaks: %d",
@@ -54899,7 +54963,7 @@ index 511d415..319d0e5 100644
/*
* We'll have a dentry and an inode for
diff --git a/fs/coredump.c b/fs/coredump.c
-index 9bdeca1..2247b92 100644
+index 9bdeca1..2a9b08d 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -438,8 +438,8 @@ static void wait_for_dump_helpers(struct file *file)
@@ -54928,29 +54992,38 @@ index 9bdeca1..2247b92 100644
pipe_unlock(pipe);
}
-@@ -499,7 +499,8 @@ void do_coredump(siginfo_t *siginfo)
+@@ -499,7 +499,9 @@ void do_coredump(siginfo_t *siginfo)
struct files_struct *displaced;
bool need_nonrelative = false;
bool core_dumped = false;
- static atomic_t core_dump_count = ATOMIC_INIT(0);
+ static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
+ long signr = siginfo->si_signo;
++ int dumpable;
struct coredump_params cprm = {
.siginfo = siginfo,
.regs = signal_pt_regs(),
-@@ -512,7 +513,10 @@ void do_coredump(siginfo_t *siginfo)
+@@ -512,12 +514,17 @@ void do_coredump(siginfo_t *siginfo)
.mm_flags = mm->flags,
};
- audit_core_dumps(siginfo->si_signo);
+ audit_core_dumps(signr);
+
++ dumpable = __get_dumpable(cprm.mm_flags);
++
+ if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
-+ gr_handle_brute_attach(cprm.mm_flags);
++ gr_handle_brute_attach(dumpable);
binfmt = mm->binfmt;
if (!binfmt || !binfmt->core_dump)
-@@ -536,7 +540,7 @@ void do_coredump(siginfo_t *siginfo)
+ goto fail;
+- if (!__get_dumpable(cprm.mm_flags))
++ if (!dumpable)
+ goto fail;
+
+ cred = prepare_creds();
+@@ -536,7 +543,7 @@ void do_coredump(siginfo_t *siginfo)
need_nonrelative = true;
}
@@ -54959,7 +55032,7 @@ index 9bdeca1..2247b92 100644
if (retval < 0)
goto fail_creds;
-@@ -579,7 +583,7 @@ void do_coredump(siginfo_t *siginfo)
+@@ -579,7 +586,7 @@ void do_coredump(siginfo_t *siginfo)
}
cprm.limit = RLIM_INFINITY;
@@ -54968,7 +55041,7 @@ index 9bdeca1..2247b92 100644
if (core_pipe_limit && (core_pipe_limit < dump_count)) {
printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
task_tgid_vnr(current), current->comm);
-@@ -611,6 +615,8 @@ void do_coredump(siginfo_t *siginfo)
+@@ -611,6 +618,8 @@ void do_coredump(siginfo_t *siginfo)
} else {
struct inode *inode;
@@ -54977,7 +55050,7 @@ index 9bdeca1..2247b92 100644
if (cprm.limit < binfmt->min_coredump)
goto fail_unlock;
-@@ -669,7 +675,7 @@ close_fail:
+@@ -669,7 +678,7 @@ close_fail:
filp_close(cprm.file, NULL);
fail_dropcount:
if (ispipe)
@@ -54986,7 +55059,7 @@ index 9bdeca1..2247b92 100644
fail_unlock:
kfree(cn.corename);
coredump_finish(mm, core_dumped);
-@@ -689,7 +695,7 @@ int dump_write(struct file *file, const void *addr, int nr)
+@@ -689,7 +698,7 @@ int dump_write(struct file *file, const void *addr, int nr)
{
return !dump_interrupted() &&
access_ok(VERIFY_READ, addr, nr) &&
@@ -56134,7 +56207,7 @@ index 2c2e6cb..7c3ee62 100644
static int parse_strtoull(const char *buf,
unsigned long long max, unsigned long long *value)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
-index 03e9beb..e86ce98 100644
+index 1423c48..9c0c6dc 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -381,7 +381,7 @@ static int
@@ -57769,10 +57842,10 @@ index b7989f2..1f72ec4 100644
if (!IS_ERR(link))
free_page((unsigned long) link);
diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
-index 968d4c56..54a398d 100644
+index 1298766..c964c60 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
-@@ -1512,7 +1512,7 @@ out:
+@@ -1515,7 +1515,7 @@ out:
static void gfs2_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
{
@@ -57901,7 +57974,7 @@ index 6669aa2..36b033d 100644
if (jfs_inode_cachep == NULL)
return -ENOMEM;
diff --git a/fs/libfs.c b/fs/libfs.c
-index 3a3a9b5..3a9b074 100644
+index 193e0c2..7404665 100644
--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -150,6 +150,9 @@ int dcache_readdir(struct file *file, struct dir_context *ctx)
@@ -57972,7 +58045,7 @@ index b27a300..4156d0b 100644
spin_lock(&inode->i_lock);
diff --git a/fs/namei.c b/fs/namei.c
-index caa2805..c9d3edc 100644
+index 23ac50f..c6757a5 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -319,16 +319,32 @@ int generic_permission(struct inode *inode, int mask)
@@ -58106,7 +58179,7 @@ index caa2805..c9d3edc 100644
return retval;
}
-@@ -2586,6 +2618,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
+@@ -2587,6 +2619,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
if (flag & O_NOATIME && !inode_owner_or_capable(inode))
return -EPERM;
@@ -58120,7 +58193,7 @@ index caa2805..c9d3edc 100644
return 0;
}
-@@ -2817,7 +2856,7 @@ looked_up:
+@@ -2818,7 +2857,7 @@ looked_up:
* cleared otherwise prior to returning.
*/
static int lookup_open(struct nameidata *nd, struct path *path,
@@ -58129,7 +58202,7 @@ index caa2805..c9d3edc 100644
const struct open_flags *op,
bool got_write, int *opened)
{
-@@ -2852,6 +2891,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2853,6 +2892,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
/* Negative dentry, just create the file */
if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
umode_t mode = op->mode;
@@ -58147,7 +58220,7 @@ index caa2805..c9d3edc 100644
if (!IS_POSIXACL(dir->d_inode))
mode &= ~current_umask();
/*
-@@ -2873,6 +2923,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2874,6 +2924,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
nd->flags & LOOKUP_EXCL);
if (error)
goto out_dput;
@@ -58156,7 +58229,7 @@ index caa2805..c9d3edc 100644
}
out_no_open:
path->dentry = dentry;
-@@ -2887,7 +2939,7 @@ out_dput:
+@@ -2888,7 +2940,7 @@ out_dput:
/*
* Handle the last step of open()
*/
@@ -58165,7 +58238,7 @@ index caa2805..c9d3edc 100644
struct file *file, const struct open_flags *op,
int *opened, struct filename *name)
{
-@@ -2937,6 +2989,15 @@ static int do_last(struct nameidata *nd, struct path *path,
+@@ -2938,6 +2990,15 @@ static int do_last(struct nameidata *nd, struct path *path,
if (error)
return error;
@@ -58181,7 +58254,7 @@ index caa2805..c9d3edc 100644
audit_inode(name, dir, LOOKUP_PARENT);
error = -EISDIR;
/* trailing slashes? */
-@@ -2956,7 +3017,7 @@ retry_lookup:
+@@ -2957,7 +3018,7 @@ retry_lookup:
*/
}
mutex_lock(&dir->d_inode->i_mutex);
@@ -58190,7 +58263,7 @@ index caa2805..c9d3edc 100644
mutex_unlock(&dir->d_inode->i_mutex);
if (error <= 0) {
-@@ -2980,11 +3041,28 @@ retry_lookup:
+@@ -2981,11 +3042,28 @@ retry_lookup:
goto finish_open_created;
}
@@ -58220,7 +58293,7 @@ index caa2805..c9d3edc 100644
/*
* If atomic_open() acquired write access it is dropped now due to
-@@ -3025,6 +3103,11 @@ finish_lookup:
+@@ -3026,6 +3104,11 @@ finish_lookup:
}
}
BUG_ON(inode != path->dentry->d_inode);
@@ -58232,7 +58305,7 @@ index caa2805..c9d3edc 100644
return 1;
}
-@@ -3034,7 +3117,6 @@ finish_lookup:
+@@ -3035,7 +3118,6 @@ finish_lookup:
save_parent.dentry = nd->path.dentry;
save_parent.mnt = mntget(path->mnt);
nd->path.dentry = path->dentry;
@@ -58240,7 +58313,7 @@ index caa2805..c9d3edc 100644
}
nd->inode = inode;
/* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */
-@@ -3044,7 +3126,18 @@ finish_open:
+@@ -3045,7 +3127,18 @@ finish_open:
path_put(&save_parent);
return error;
}
@@ -58259,7 +58332,7 @@ index caa2805..c9d3edc 100644
error = -EISDIR;
if ((open_flag & O_CREAT) && S_ISDIR(nd->inode->i_mode))
goto out;
-@@ -3207,7 +3300,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -3208,7 +3301,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
if (unlikely(error))
goto out;
@@ -58268,7 +58341,7 @@ index caa2805..c9d3edc 100644
while (unlikely(error > 0)) { /* trailing symlink */
struct path link = path;
void *cookie;
-@@ -3225,7 +3318,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -3226,7 +3319,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
error = follow_link(&link, nd, &cookie);
if (unlikely(error))
break;
@@ -58277,7 +58350,7 @@ index caa2805..c9d3edc 100644
put_link(nd, &link, cookie);
}
out:
-@@ -3325,8 +3418,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
+@@ -3326,8 +3419,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
goto unlock;
error = -EEXIST;
@@ -58291,7 +58364,7 @@ index caa2805..c9d3edc 100644
/*
* Special case - lookup gave negative, but... we had foo/bar/
* From the vfs_mknod() POV we just have a negative dentry -
-@@ -3378,6 +3475,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
+@@ -3379,6 +3476,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
}
EXPORT_SYMBOL(user_path_create);
@@ -58312,7 +58385,7 @@ index caa2805..c9d3edc 100644
int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
int error = may_create(dir, dentry);
-@@ -3440,6 +3551,17 @@ retry:
+@@ -3441,6 +3552,17 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -58330,7 +58403,7 @@ index caa2805..c9d3edc 100644
error = security_path_mknod(&path, dentry, mode, dev);
if (error)
goto out;
-@@ -3456,6 +3578,8 @@ retry:
+@@ -3457,6 +3579,8 @@ retry:
break;
}
out:
@@ -58339,7 +58412,7 @@ index caa2805..c9d3edc 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3508,9 +3632,16 @@ retry:
+@@ -3509,9 +3633,16 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -58356,7 +58429,7 @@ index caa2805..c9d3edc 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3591,6 +3722,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -3592,6 +3723,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
struct filename *name;
struct dentry *dentry;
struct nameidata nd;
@@ -58365,7 +58438,7 @@ index caa2805..c9d3edc 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3623,10 +3756,21 @@ retry:
+@@ -3624,10 +3757,21 @@ retry:
error = -ENOENT;
goto exit3;
}
@@ -58387,7 +58460,7 @@ index caa2805..c9d3edc 100644
exit3:
dput(dentry);
exit2:
-@@ -3692,6 +3836,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -3693,6 +3837,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
struct dentry *dentry;
struct nameidata nd;
struct inode *inode = NULL;
@@ -58396,7 +58469,7 @@ index caa2805..c9d3edc 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3718,10 +3864,22 @@ retry:
+@@ -3719,10 +3865,22 @@ retry:
if (!inode)
goto slashes;
ihold(inode);
@@ -58419,7 +58492,7 @@ index caa2805..c9d3edc 100644
exit2:
dput(dentry);
}
-@@ -3799,9 +3957,17 @@ retry:
+@@ -3800,9 +3958,17 @@ retry:
if (IS_ERR(dentry))
goto out_putname;
@@ -58437,7 +58510,7 @@ index caa2805..c9d3edc 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3881,6 +4047,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3882,6 +4048,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
{
struct dentry *new_dentry;
struct path old_path, new_path;
@@ -58445,7 +58518,7 @@ index caa2805..c9d3edc 100644
int how = 0;
int error;
-@@ -3904,7 +4071,7 @@ retry:
+@@ -3905,7 +4072,7 @@ retry:
if (error)
return error;
@@ -58454,7 +58527,7 @@ index caa2805..c9d3edc 100644
(how & LOOKUP_REVAL));
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
-@@ -3916,11 +4083,28 @@ retry:
+@@ -3917,11 +4084,28 @@ retry:
error = may_linkat(&old_path);
if (unlikely(error))
goto out_dput;
@@ -58483,7 +58556,7 @@ index caa2805..c9d3edc 100644
done_path_create(&new_path, new_dentry);
if (retry_estale(error, how)) {
how |= LOOKUP_REVAL;
-@@ -4166,12 +4350,21 @@ retry:
+@@ -4167,12 +4351,21 @@ retry:
if (new_dentry == trap)
goto exit5;
@@ -58505,7 +58578,7 @@ index caa2805..c9d3edc 100644
exit5:
dput(new_dentry);
exit4:
-@@ -4203,6 +4396,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -4204,6 +4397,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
{
@@ -58514,7 +58587,7 @@ index caa2805..c9d3edc 100644
int len;
len = PTR_ERR(link);
-@@ -4212,7 +4407,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+@@ -4213,7 +4408,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
len = strlen(link);
if (len > (unsigned) buflen)
len = buflen;
@@ -61597,7 +61670,7 @@ index 8f84153..7ce60d0 100644
return 0;
sfep = xfs_dir3_sf_nextentry(mp, sfp, sfep);
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
-index 668e8f4..9d38104 100644
+index 2e1e6c3..689f742 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -127,7 +127,7 @@ xfs_find_handle(
@@ -61609,6 +61682,30 @@ index 668e8f4..9d38104 100644
copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
goto out_put;
+@@ -443,7 +443,8 @@ xfs_attrlist_by_handle(
+ return -XFS_ERROR(EPERM);
+ if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
+ return -XFS_ERROR(EFAULT);
+- if (al_hreq.buflen > XATTR_LIST_MAX)
++ if (al_hreq.buflen < sizeof(struct attrlist) ||
++ al_hreq.buflen > XATTR_LIST_MAX)
+ return -XFS_ERROR(EINVAL);
+
+ /*
+diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c
+index f671f7e..53365c6 100644
+--- a/fs/xfs/xfs_ioctl32.c
++++ b/fs/xfs/xfs_ioctl32.c
+@@ -357,7 +357,8 @@ xfs_compat_attrlist_by_handle(
+ if (copy_from_user(&al_hreq, arg,
+ sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
+ return -XFS_ERROR(EFAULT);
+- if (al_hreq.buflen > XATTR_LIST_MAX)
++ if (al_hreq.buflen < sizeof(struct attrlist) ||
++ al_hreq.buflen > XATTR_LIST_MAX)
+ return -XFS_ERROR(EINVAL);
+
+ /*
diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
index 2b8952d..a60c6be 100644
--- a/fs/xfs/xfs_iops.c
@@ -71242,10 +71339,10 @@ index 0000000..f7f29aa
+}
diff --git a/grsecurity/grsec_sig.c b/grsecurity/grsec_sig.c
new file mode 100644
-index 0000000..4e29cc7
+index 0000000..3860c7e
--- /dev/null
+++ b/grsecurity/grsec_sig.c
-@@ -0,0 +1,246 @@
+@@ -0,0 +1,236 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
@@ -71322,20 +71419,10 @@ index 0000000..4e29cc7
+}
+#endif
+
-+#ifdef CONFIG_GRKERNSEC_BRUTE
+#define GR_USER_BAN_TIME (15 * 60)
+#define GR_DAEMON_BRUTE_TIME (30 * 60)
+
-+static int __get_dumpable(unsigned long mm_flags)
-+{
-+ int ret;
-+
-+ ret = mm_flags & MMF_DUMPABLE_MASK;
-+ return (ret >= 2) ? 2 : ret;
-+}
-+#endif
-+
-+void gr_handle_brute_attach(unsigned long mm_flags)
++void gr_handle_brute_attach(int dumpable)
+{
+#ifdef CONFIG_GRKERNSEC_BRUTE
+ struct task_struct *p = current;
@@ -71356,7 +71443,7 @@ index 0000000..4e29cc7
+ const struct cred *cred = __task_cred(p), *cred2;
+ struct task_struct *tsk, *tsk2;
+
-+ if (!__get_dumpable(mm_flags) && gr_is_global_nonroot(cred->uid)) {
++ if (dumpable != SUID_DUMP_USER && gr_is_global_nonroot(cred->uid)) {
+ struct user_struct *user;
+
+ uid = cred->uid;
@@ -72817,6 +72904,54 @@ index b18ce4f..2ee2843 100644
+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
+
#endif /* _ASM_GENERIC_ATOMIC64_H */
+diff --git a/include/asm-generic/bitops/__fls.h b/include/asm-generic/bitops/__fls.h
+index a60a7cc..0fe12f2 100644
+--- a/include/asm-generic/bitops/__fls.h
++++ b/include/asm-generic/bitops/__fls.h
+@@ -9,7 +9,7 @@
+ *
+ * Undefined if no set bit exists, so code should check against 0 first.
+ */
+-static __always_inline unsigned long __fls(unsigned long word)
++static __always_inline unsigned long __intentional_overflow(-1) __fls(unsigned long word)
+ {
+ int num = BITS_PER_LONG - 1;
+
+diff --git a/include/asm-generic/bitops/fls.h b/include/asm-generic/bitops/fls.h
+index 0576d1f..dad6c71 100644
+--- a/include/asm-generic/bitops/fls.h
++++ b/include/asm-generic/bitops/fls.h
+@@ -9,7 +9,7 @@
+ * Note fls(0) = 0, fls(1) = 1, fls(0x80000000) = 32.
+ */
+
+-static __always_inline int fls(int x)
++static __always_inline int __intentional_overflow(-1) fls(int x)
+ {
+ int r = 32;
+
+diff --git a/include/asm-generic/bitops/fls64.h b/include/asm-generic/bitops/fls64.h
+index b097cf8..3d40e14 100644
+--- a/include/asm-generic/bitops/fls64.h
++++ b/include/asm-generic/bitops/fls64.h
+@@ -15,7 +15,7 @@
+ * at position 64.
+ */
+ #if BITS_PER_LONG == 32
+-static __always_inline int fls64(__u64 x)
++static __always_inline int __intentional_overflow(-1) fls64(__u64 x)
+ {
+ __u32 h = x >> 32;
+ if (h)
+@@ -23,7 +23,7 @@ static __always_inline int fls64(__u64 x)
+ return fls(x);
+ }
+ #elif BITS_PER_LONG == 64
+-static __always_inline int fls64(__u64 x)
++static __always_inline int __intentional_overflow(-1) fls64(__u64 x)
+ {
+ if (x == 0)
+ return 0;
diff --git a/include/asm-generic/cache.h b/include/asm-generic/cache.h
index 1bfcfe5..e04c5c9 100644
--- a/include/asm-generic/cache.h
@@ -73255,7 +73390,7 @@ index 7554fd4..0f86379 100644
extern void __register_binfmt(struct linux_binfmt *fmt, int insert);
diff --git a/include/linux/bitops.h b/include/linux/bitops.h
-index a3b6b82..cd8f69c 100644
+index a3b6b82..2a7d758 100644
--- a/include/linux/bitops.h
+++ b/include/linux/bitops.h
@@ -91,7 +91,7 @@ static inline __u64 ror64(__u64 word, unsigned int shift)
@@ -73276,6 +73411,15 @@ index a3b6b82..cd8f69c 100644
{
return (word >> shift) | (word << (32 - shift));
}
+@@ -157,7 +157,7 @@ static inline __s32 sign_extend32(__u32 value, int index)
+ return (__s32)(value << shift) >> shift;
+ }
+
+-static inline unsigned fls_long(unsigned long l)
++static inline unsigned __intentional_overflow(-1) fls_long(unsigned long l)
+ {
+ if (sizeof(l) == 4)
+ return fls(l);
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
index 0e6f765..885bb2b 100644
--- a/include/linux/blkdev.h
@@ -73948,7 +74092,7 @@ index 8293262..2b3b8bd 100644
extern bool frontswap_enabled;
extern struct frontswap_ops *
diff --git a/include/linux/fs.h b/include/linux/fs.h
-index 3f40547..46f76eb 100644
+index fefa7b0..5e04a8b 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1552,7 +1552,8 @@ struct file_operations {
@@ -73961,7 +74105,7 @@ index 3f40547..46f76eb 100644
struct inode_operations {
struct dentry * (*lookup) (struct inode *,struct dentry *, unsigned int);
-@@ -2745,4 +2746,14 @@ static inline bool dir_relax(struct inode *inode)
+@@ -2746,4 +2747,14 @@ static inline bool dir_relax(struct inode *inode)
return !IS_DEADDIR(inode);
}
@@ -75162,7 +75306,7 @@ index 0000000..378a81a
+#define GR_IPC_DENIED_MSG "denied %s of globally-%sable IPC with creator uid %u by "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..b2edfb1
+index 0000000..134860c
--- /dev/null
+++ b/include/linux/grsecurity.h
@@ -0,0 +1,243 @@
@@ -75189,7 +75333,7 @@ index 0000000..b2edfb1
+
+int gr_handle_new_usb(void);
+
-+void gr_handle_brute_attach(unsigned long mm_flags);
++void gr_handle_brute_attach(int dumpable);
+void gr_handle_brute_check(void);
+void gr_handle_kernel_exploit(void);
+
@@ -76584,10 +76728,10 @@ index 8e47bc7..c70fd73 100644
return nd->saved_names[nd->depth];
}
diff --git a/include/linux/net.h b/include/linux/net.h
-index 4f27575..fc8a65f 100644
+index 8bd9d92..08b1c20 100644
--- a/include/linux/net.h
+++ b/include/linux/net.h
-@@ -183,7 +183,7 @@ struct net_proto_family {
+@@ -191,7 +191,7 @@ struct net_proto_family {
int (*create)(struct net *net, struct socket *sock,
int protocol, int kern);
struct module *owner;
@@ -76630,19 +76774,6 @@ index 708fe72ab9..77084a3 100644
/* Function to register/unregister hook points. */
int nf_register_hook(struct nf_hook_ops *reg);
-diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
-index 9ac9fbd..f92edb4 100644
---- a/include/linux/netfilter/ipset/ip_set.h
-+++ b/include/linux/netfilter/ipset/ip_set.h
-@@ -124,7 +124,7 @@ struct ip_set_type_variant {
- /* Return true if "b" set is the same as "a"
- * according to the create set parameters */
- bool (*same_set)(const struct ip_set *a, const struct ip_set *b);
--};
-+} __do_const;
-
- /* The core set type structure */
- struct ip_set_type {
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index cadb740..d7c37c0 100644
--- a/include/linux/netfilter/nfnetlink.h
@@ -77064,7 +77195,7 @@ index cc7494a..1e27036 100644
extern bool qid_valid(struct kqid qid);
diff --git a/include/linux/random.h b/include/linux/random.h
-index 6312dd9..2561947 100644
+index bf9085e..128eade 100644
--- a/include/linux/random.h
+++ b/include/linux/random.h
@@ -10,9 +10,19 @@
@@ -77584,10 +77715,10 @@ index 429c199..4d42e38 100644
/* shm_mode upper byte flags */
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
-index c2d8933..b2b4ed6 100644
+index f66f346..2e304d5 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
-@@ -648,7 +648,7 @@ extern bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
+@@ -639,7 +639,7 @@ extern bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
extern struct sk_buff *__alloc_skb(unsigned int size,
gfp_t priority, int flags, int node);
extern struct sk_buff *build_skb(void *data, unsigned int frag_size);
@@ -77596,7 +77727,7 @@ index c2d8933..b2b4ed6 100644
gfp_t priority)
{
return __alloc_skb(size, priority, 0, NUMA_NO_NODE);
-@@ -764,7 +764,7 @@ static inline struct skb_shared_hwtstamps *skb_hwtstamps(struct sk_buff *skb)
+@@ -755,7 +755,7 @@ static inline struct skb_shared_hwtstamps *skb_hwtstamps(struct sk_buff *skb)
*/
static inline int skb_queue_empty(const struct sk_buff_head *list)
{
@@ -77605,7 +77736,7 @@ index c2d8933..b2b4ed6 100644
}
/**
-@@ -777,7 +777,7 @@ static inline int skb_queue_empty(const struct sk_buff_head *list)
+@@ -768,7 +768,7 @@ static inline int skb_queue_empty(const struct sk_buff_head *list)
static inline bool skb_queue_is_last(const struct sk_buff_head *list,
const struct sk_buff *skb)
{
@@ -77614,7 +77745,7 @@ index c2d8933..b2b4ed6 100644
}
/**
-@@ -790,7 +790,7 @@ static inline bool skb_queue_is_last(const struct sk_buff_head *list,
+@@ -781,7 +781,7 @@ static inline bool skb_queue_is_last(const struct sk_buff_head *list,
static inline bool skb_queue_is_first(const struct sk_buff_head *list,
const struct sk_buff *skb)
{
@@ -77623,7 +77754,7 @@ index c2d8933..b2b4ed6 100644
}
/**
-@@ -1750,7 +1750,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len)
+@@ -1741,7 +1741,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len)
* NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
*/
#ifndef NET_SKB_PAD
@@ -77632,7 +77763,7 @@ index c2d8933..b2b4ed6 100644
#endif
extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
-@@ -2348,7 +2348,7 @@ extern struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags,
+@@ -2339,7 +2339,7 @@ extern struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags,
int noblock, int *err);
extern unsigned int datagram_poll(struct file *file, struct socket *sock,
struct poll_table_struct *wait);
@@ -77641,7 +77772,7 @@ index c2d8933..b2b4ed6 100644
int offset, struct iovec *to,
int size);
extern int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
-@@ -2643,6 +2643,9 @@ static inline void nf_reset(struct sk_buff *skb)
+@@ -2618,6 +2618,9 @@ static inline void nf_reset(struct sk_buff *skb)
nf_bridge_put(skb->nf_bridge);
skb->nf_bridge = NULL;
#endif
@@ -78386,7 +78517,7 @@ index 502073a..a7de024 100644
#endif
#endif /* _LINUX_VGA_SWITCHEROO_H_ */
diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h
-index 4b8a891..cc929b4 100644
+index 4b8a891..cb8df6e 100644
--- a/include/linux/vmalloc.h
+++ b/include/linux/vmalloc.h
@@ -16,6 +16,11 @@ struct vm_area_struct; /* vma defining user mapping in mm_types.h */
@@ -78401,15 +78532,6 @@ index 4b8a891..cc929b4 100644
/* bits [20..32] reserved for arch specific ioremap internals */
/*
-@@ -75,7 +80,7 @@ extern void *vmalloc_32_user(unsigned long size);
- extern void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot);
- extern void *__vmalloc_node_range(unsigned long size, unsigned long align,
- unsigned long start, unsigned long end, gfp_t gfp_mask,
-- pgprot_t prot, int node, const void *caller);
-+ pgprot_t prot, int node, const void *caller) __size_overflow(1);
- extern void vfree(const void *addr);
-
- extern void *vmap(struct page **pages, unsigned int count,
@@ -142,7 +147,7 @@ extern void free_vm_area(struct vm_struct *area);
/* for /dev/kmem */
@@ -78420,7 +78542,7 @@ index 4b8a891..cc929b4 100644
/*
* Internals. Dont't use..
diff --git a/include/linux/vmstat.h b/include/linux/vmstat.h
-index e4b9480..b96d5ab 100644
+index e4b9480..5a5f65a 100644
--- a/include/linux/vmstat.h
+++ b/include/linux/vmstat.h
@@ -90,18 +90,18 @@ static inline void vm_events_fold_cpu(int cpu)
@@ -78439,15 +78561,20 @@ index e4b9480..b96d5ab 100644
+ atomic_long_add_unchecked(x, &vm_stat[item]);
}
- static inline unsigned long global_page_state(enum zone_stat_item item)
+-static inline unsigned long global_page_state(enum zone_stat_item item)
++static inline unsigned long __intentional_overflow(-1) global_page_state(enum zone_stat_item item)
{
- long x = atomic_long_read(&vm_stat[item]);
+ long x = atomic_long_read_unchecked(&vm_stat[item]);
#ifdef CONFIG_SMP
if (x < 0)
x = 0;
-@@ -112,7 +112,7 @@ static inline unsigned long global_page_state(enum zone_stat_item item)
- static inline unsigned long zone_page_state(struct zone *zone,
+@@ -109,10 +109,10 @@ static inline unsigned long global_page_state(enum zone_stat_item item)
+ return x;
+ }
+
+-static inline unsigned long zone_page_state(struct zone *zone,
++static inline unsigned long __intentional_overflow(-1) zone_page_state(struct zone *zone,
enum zone_stat_item item)
{
- long x = atomic_long_read(&zone->vm_stat[item]);
@@ -78695,7 +78822,7 @@ index 53f464d..0bd0b49 100644
#endif /* _NET_INETPEER_H */
diff --git a/include/net/ip.h b/include/net/ip.h
-index 5e52688..f181e95 100644
+index 301f10c..b52cdaf 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -212,7 +212,7 @@ extern struct local_ports {
@@ -78721,10 +78848,10 @@ index cbf2be3..3683f6d 100644
fib_info_update_nh_saddr((net), &FIB_RES_NH(res)))
#define FIB_RES_GW(res) (FIB_RES_NH(res).nh_gw)
diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
-index 9c4d37e..eed6d41 100644
+index 772252d..1e69799 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
-@@ -588,7 +588,7 @@ struct ip_vs_conn {
+@@ -558,7 +558,7 @@ struct ip_vs_conn {
struct ip_vs_conn *control; /* Master control connection */
atomic_t n_control; /* Number of controlled ones */
struct ip_vs_dest *dest; /* real server */
@@ -78733,7 +78860,7 @@ index 9c4d37e..eed6d41 100644
/* packet transmitter for different forwarding methods. If it
mangles the packet, it must return NF_DROP or better NF_STOLEN,
-@@ -735,7 +735,7 @@ struct ip_vs_dest {
+@@ -705,7 +705,7 @@ struct ip_vs_dest {
__be16 port; /* port number of the server */
union nf_inet_addr addr; /* IP address of the server */
volatile unsigned int flags; /* dest status flags */
@@ -78742,7 +78869,7 @@ index 9c4d37e..eed6d41 100644
atomic_t weight; /* server weight */
atomic_t refcnt; /* reference counter */
-@@ -990,11 +990,11 @@ struct netns_ipvs {
+@@ -960,11 +960,11 @@ struct netns_ipvs {
/* ip_vs_lblc */
int sysctl_lblc_expiration;
struct ctl_table_header *lblc_ctl_header;
@@ -79040,10 +79167,10 @@ index 0fb2401..477d81c 100644
#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
diff --git a/include/net/ping.h b/include/net/ping.h
-index 5db0224..0d65365 100644
+index 2b496e9..935fd8d 100644
--- a/include/net/ping.h
+++ b/include/net/ping.h
-@@ -55,7 +55,7 @@ struct ping_iter_state {
+@@ -56,7 +56,7 @@ struct ping_iter_state {
extern struct proto ping_prot;
extern struct ping_table ping_table;
#if IS_ENABLED(CONFIG_IPV6)
@@ -79123,7 +79250,7 @@ index 2174d8d..71d5257 100644
/* Structure to track chunk fragments that have been acked, but peer
diff --git a/include/net/sock.h b/include/net/sock.h
-index 808cbc2..f6f6ac3 100644
+index 808cbc2..8617e9c 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -332,7 +332,7 @@ struct sock {
@@ -79135,6 +79262,15 @@ index 808cbc2..f6f6ac3 100644
int sk_rcvbuf;
struct sk_filter __rcu *sk_filter;
+@@ -1194,7 +1194,7 @@ static inline u64 memcg_memory_allocated_read(struct cg_proto *prot)
+ return ret >> PAGE_SHIFT;
+ }
+
+-static inline long
++static inline long __intentional_overflow(-1)
+ sk_memory_allocated(const struct sock *sk)
+ {
+ struct proto *prot = sk->sk_prot;
@@ -1821,7 +1821,7 @@ static inline void sk_nocaps_add(struct sock *sk, netdev_features_t flags)
}
@@ -80536,7 +80672,7 @@ index 8d6e145..33e0b1e 100644
current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
set_fs(fs);
diff --git a/kernel/audit.c b/kernel/audit.c
-index 7b0e23a..f4d172f 100644
+index 7ddfd8a..49766eb 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -118,7 +118,7 @@ u32 audit_sig_sid = 0;
@@ -80566,13 +80702,7 @@ index 7b0e23a..f4d172f 100644
audit_rate_limit,
audit_backlog_limit);
audit_panic(message);
-@@ -659,18 +659,19 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
-
- switch (msg_type) {
- case AUDIT_GET:
-+ status_set.mask = 0;
- status_set.enabled = audit_enabled;
- status_set.failure = audit_failure;
+@@ -665,7 +665,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
status_set.pid = audit_pid;
status_set.rate_limit = audit_rate_limit;
status_set.backlog_limit = audit_backlog_limit;
@@ -80581,23 +80711,7 @@ index 7b0e23a..f4d172f 100644
status_set.backlog = skb_queue_len(&audit_skb_queue);
audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0,
&status_set, sizeof(status_set));
- break;
- case AUDIT_SET:
-- if (nlh->nlmsg_len < sizeof(struct audit_status))
-+ if (nlmsg_len(nlh) < sizeof(struct audit_status))
- return -EINVAL;
- status_get = (struct audit_status *)data;
- if (status_get->mask & AUDIT_STATUS_ENABLED) {
-@@ -832,7 +833,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
-
- memset(&s, 0, sizeof(s));
- /* guard against past and future API changes */
-- memcpy(&s, data, min(sizeof(s), (size_t)nlh->nlmsg_len));
-+ memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh)));
- if ((s.enabled != 0 && s.enabled != 1) ||
- (s.log_passwd != 0 && s.log_passwd != 1))
- return -EINVAL;
-@@ -1251,7 +1252,7 @@ void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf,
+@@ -1252,7 +1252,7 @@ void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf,
int i, avail, new_len;
unsigned char *ptr;
struct sk_buff *skb;
@@ -80726,10 +80840,10 @@ index 4e66bf9..cdccecf 100644
+}
+EXPORT_SYMBOL(inode_capable_nolog);
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
-index 8bd9cfd..9faf120 100644
+index 5c9127d..f871169 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
-@@ -5817,7 +5817,7 @@ static int cgroup_css_links_read(struct cgroup_subsys_state *css,
+@@ -5844,7 +5844,7 @@ static int cgroup_css_links_read(struct cgroup_subsys_state *css,
struct css_set *cset = link->cset;
struct task_struct *task;
int count = 0;
@@ -84304,9 +84418,18 @@ index 5f97eab..db8f687 100644
unsigned long jiffies_force_qs; /* Time at which to invoke */
/* force_quiescent_state(). */
diff --git a/kernel/rcutree_plugin.h b/kernel/rcutree_plugin.h
-index 130c97b..33c0d3d 100644
+index 130c97b..bcbe7f7 100644
--- a/kernel/rcutree_plugin.h
+++ b/kernel/rcutree_plugin.h
+@@ -744,7 +744,7 @@ static int rcu_preempted_readers_exp(struct rcu_node *rnp)
+ static int sync_rcu_preempt_exp_done(struct rcu_node *rnp)
+ {
+ return !rcu_preempted_readers_exp(rnp) &&
+- ACCESS_ONCE(rnp->expmask) == 0;
++ ACCESS_ONCE_RW(rnp->expmask) == 0;
+ }
+
+ /*
@@ -900,7 +900,7 @@ void synchronize_rcu_expedited(void)
/* Clean up and exit. */
@@ -85528,7 +85651,7 @@ index 7c7964c..2a0d412 100644
update_vsyscall_tz();
if (firsttime) {
diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c
-index eec50fc..65e5df6 100644
+index 88c9c65..7497ebc 100644
--- a/kernel/time/alarmtimer.c
+++ b/kernel/time/alarmtimer.c
@@ -795,7 +795,7 @@ static int __init alarmtimer_init(void)
@@ -85733,10 +85856,10 @@ index b8b8560..75b1a09 100644
ret = -EIO;
bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
-index 03cf44a..3051c64 100644
+index f3bd09ee..9bb9586 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
-@@ -1950,12 +1950,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
+@@ -1944,12 +1944,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
if (unlikely(ftrace_disabled))
return 0;
@@ -85767,7 +85890,7 @@ index 03cf44a..3051c64 100644
start_pg = ftrace_allocate_pages(count);
if (!start_pg)
-@@ -4767,8 +4774,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write,
+@@ -4766,8 +4773,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write,
#ifdef CONFIG_FUNCTION_GRAPH_TRACER
static int ftrace_graph_active;
@@ -85776,9 +85899,9 @@ index 03cf44a..3051c64 100644
int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace)
{
return 0;
-@@ -4912,6 +4917,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state,
- return NOTIFY_DONE;
- }
+@@ -4918,6 +4923,10 @@ static struct ftrace_ops fgraph_ops __read_mostly = {
+ FTRACE_OPS_FL_RECURSION_SAFE,
+ };
+static struct notifier_block ftrace_suspend_notifier = {
+ .notifier_call = ftrace_suspend_notifier_call
@@ -85787,7 +85910,7 @@ index 03cf44a..3051c64 100644
int register_ftrace_graph(trace_func_graph_ret_t retfunc,
trace_func_graph_ent_t entryfunc)
{
-@@ -4925,7 +4934,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc,
+@@ -4931,7 +4940,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc,
goto out;
}
@@ -86280,10 +86403,10 @@ index 4431610..4265616 100644
.thread_should_run = watchdog_should_run,
.thread_fn = watchdog,
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
-index 987293d..60b3043 100644
+index 93c2652..66a1cfd 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
-@@ -4658,7 +4658,7 @@ static void rebind_workers(struct worker_pool *pool)
+@@ -4668,7 +4668,7 @@ static void rebind_workers(struct worker_pool *pool)
WARN_ON_ONCE(!(worker_flags & WORKER_UNBOUND));
worker_flags |= WORKER_REBOUND;
worker_flags &= ~WORKER_UNBOUND;
@@ -86878,7 +87001,7 @@ index 4f5b1dd..7cab418 100644
+}
+EXPORT_SYMBOL(copy_to_user_overflow);
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
-index 26559bd..ed614df 100644
+index d76555c..62d4bfe 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -16,6 +16,9 @@
@@ -86891,7 +87014,7 @@ index 26559bd..ed614df 100644
#include <stdarg.h>
#include <linux/module.h> /* for KSYM_SYMBOL_LEN */
#include <linux/types.h>
-@@ -1154,7 +1157,11 @@ char *netdev_feature_string(char *buf, char *end, const u8 *addr,
+@@ -1155,7 +1158,11 @@ char *netdev_feature_string(char *buf, char *end, const u8 *addr,
return number(buf, end, *(const netdev_features_t *)addr, spec);
}
@@ -86903,7 +87026,7 @@ index 26559bd..ed614df 100644
/*
* Show a '%p' thing. A kernel extension is that the '%p' is followed
-@@ -1167,6 +1174,7 @@ int kptr_restrict __read_mostly;
+@@ -1168,6 +1175,7 @@ int kptr_restrict __read_mostly;
* - 'f' For simple symbolic function names without offset
* - 'S' For symbolic direct pointers with offset
* - 's' For symbolic direct pointers without offset
@@ -86911,7 +87034,7 @@ index 26559bd..ed614df 100644
* - '[FfSs]R' as above with __builtin_extract_return_addr() translation
* - 'B' For backtraced symbolic direct pointers with offset
* - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
-@@ -1231,12 +1239,12 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
+@@ -1232,12 +1240,12 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
if (!ptr && *fmt != 'K') {
/*
@@ -86926,7 +87049,7 @@ index 26559bd..ed614df 100644
}
switch (*fmt) {
-@@ -1246,6 +1254,12 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
+@@ -1247,6 +1255,12 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
/* Fallthrough */
case 'S':
case 's':
@@ -86939,7 +87062,7 @@ index 26559bd..ed614df 100644
case 'B':
return symbol_string(buf, end, ptr, spec, fmt);
case 'R':
-@@ -1301,6 +1315,8 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
+@@ -1302,6 +1316,8 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
va_end(va);
return buf;
}
@@ -86948,7 +87071,7 @@ index 26559bd..ed614df 100644
case 'K':
/*
* %pK cannot be used in IRQ context because its test
-@@ -1336,6 +1352,21 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
+@@ -1363,6 +1379,21 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
((const struct file *)ptr)->f_path.dentry,
spec, fmt);
}
@@ -86970,7 +87093,7 @@ index 26559bd..ed614df 100644
spec.flags |= SMALL;
if (spec.field_width == -1) {
spec.field_width = default_width;
-@@ -2059,11 +2090,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
+@@ -2086,11 +2117,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
typeof(type) value; \
if (sizeof(type) == 8) { \
args = PTR_ALIGN(args, sizeof(u32)); \
@@ -86985,7 +87108,7 @@ index 26559bd..ed614df 100644
} \
args += sizeof(type); \
value; \
-@@ -2126,7 +2157,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
+@@ -2153,7 +2184,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
case FORMAT_TYPE_STR: {
const char *str_arg = args;
args += strlen(str_arg) + 1;
@@ -88406,7 +88529,7 @@ index d480cd6..0f98458 100644
capable(CAP_IPC_LOCK))
ret = do_mlockall(flags);
diff --git a/mm/mmap.c b/mm/mmap.c
-index 9d54851..e8c6035 100644
+index 362e5f1..8968e02 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -36,6 +36,7 @@
@@ -88955,9 +89078,9 @@ index 9d54851..e8c6035 100644
struct vm_unmapped_area_info info;
+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
- if (len > TASK_SIZE)
+ if (len > TASK_SIZE - mmap_min_addr)
return -ENOMEM;
-@@ -1862,19 +2123,29 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -1862,19 +2123,30 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
if (flags & MAP_FIXED)
return addr;
@@ -88968,9 +89091,9 @@ index 9d54851..e8c6035 100644
if (addr) {
addr = PAGE_ALIGN(addr);
vma = find_vma(mm, addr);
-- if (TASK_SIZE - len >= addr &&
+ if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
- (!vma || addr + len <= vma->vm_start))
-+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
++ check_heap_stack_gap(vma, addr, len, offset))
return addr;
}
@@ -88989,15 +89112,15 @@ index 9d54851..e8c6035 100644
return vm_unmapped_area(&info);
}
#endif
-@@ -1893,6 +2164,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1893,6 +2165,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
struct mm_struct *mm = current->mm;
unsigned long addr = addr0;
struct vm_unmapped_area_info info;
+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
/* requested length too big for entire address space */
- if (len > TASK_SIZE)
-@@ -1901,12 +2173,15 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+ if (len > TASK_SIZE - mmap_min_addr)
+@@ -1901,12 +2174,16 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
if (flags & MAP_FIXED)
return addr;
@@ -89009,21 +89132,21 @@ index 9d54851..e8c6035 100644
if (addr) {
addr = PAGE_ALIGN(addr);
vma = find_vma(mm, addr);
-- if (TASK_SIZE - len >= addr &&
+ if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
- (!vma || addr + len <= vma->vm_start))
-+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
++ check_heap_stack_gap(vma, addr, len, offset))
return addr;
}
-@@ -1915,6 +2190,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
- info.low_limit = PAGE_SIZE;
+@@ -1915,6 +2192,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+ info.low_limit = max(PAGE_SIZE, mmap_min_addr);
info.high_limit = mm->mmap_base;
info.align_mask = 0;
+ info.threadstack_offset = offset;
addr = vm_unmapped_area(&info);
/*
-@@ -1927,6 +2203,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1927,6 +2205,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
VM_BUG_ON(addr != -ENOMEM);
info.flags = 0;
info.low_limit = TASK_UNMAPPED_BASE;
@@ -89036,7 +89159,7 @@ index 9d54851..e8c6035 100644
info.high_limit = TASK_SIZE;
addr = vm_unmapped_area(&info);
}
-@@ -2028,6 +2310,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr,
+@@ -2028,6 +2312,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr,
return vma;
}
@@ -89065,7 +89188,7 @@ index 9d54851..e8c6035 100644
/*
* Verify that the stack growth is acceptable and
* update accounting. This is shared with both the
-@@ -2044,6 +2348,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -2044,6 +2350,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
return -ENOMEM;
/* Stack limit test */
@@ -89073,7 +89196,7 @@ index 9d54851..e8c6035 100644
if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
return -ENOMEM;
-@@ -2054,6 +2359,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -2054,6 +2361,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
locked = mm->locked_vm + grow;
limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
limit >>= PAGE_SHIFT;
@@ -89081,7 +89204,7 @@ index 9d54851..e8c6035 100644
if (locked > limit && !capable(CAP_IPC_LOCK))
return -ENOMEM;
}
-@@ -2083,37 +2389,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -2083,37 +2391,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
* PA-RISC uses this for its stack; IA64 for its Register Backing Store.
* vma is the last one with address > vma->vm_end. Have to extend vma.
*/
@@ -89139,7 +89262,7 @@ index 9d54851..e8c6035 100644
unsigned long size, grow;
size = address - vma->vm_start;
-@@ -2148,6 +2465,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+@@ -2148,6 +2467,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
}
}
}
@@ -89148,7 +89271,7 @@ index 9d54851..e8c6035 100644
vma_unlock_anon_vma(vma);
khugepaged_enter_vma_merge(vma);
validate_mm(vma->vm_mm);
-@@ -2162,6 +2481,8 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2162,6 +2483,8 @@ int expand_downwards(struct vm_area_struct *vma,
unsigned long address)
{
int error;
@@ -89157,7 +89280,7 @@ index 9d54851..e8c6035 100644
/*
* We must make sure the anon_vma is allocated
-@@ -2175,6 +2496,15 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2175,6 +2498,15 @@ int expand_downwards(struct vm_area_struct *vma,
if (error)
return error;
@@ -89173,7 +89296,7 @@ index 9d54851..e8c6035 100644
vma_lock_anon_vma(vma);
/*
-@@ -2184,9 +2514,17 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2184,9 +2516,17 @@ int expand_downwards(struct vm_area_struct *vma,
*/
/* Somebody else might have raced and expanded it already */
@@ -89192,7 +89315,7 @@ index 9d54851..e8c6035 100644
size = vma->vm_end - address;
grow = (vma->vm_start - address) >> PAGE_SHIFT;
-@@ -2211,13 +2549,27 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2211,13 +2551,27 @@ int expand_downwards(struct vm_area_struct *vma,
vma->vm_pgoff -= grow;
anon_vma_interval_tree_post_update_vma(vma);
vma_gap_update(vma);
@@ -89220,7 +89343,7 @@ index 9d54851..e8c6035 100644
khugepaged_enter_vma_merge(vma);
validate_mm(vma->vm_mm);
return error;
-@@ -2315,6 +2667,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2315,6 +2669,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
do {
long nrpages = vma_pages(vma);
@@ -89234,7 +89357,7 @@ index 9d54851..e8c6035 100644
if (vma->vm_flags & VM_ACCOUNT)
nr_accounted += nrpages;
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
-@@ -2359,6 +2718,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2359,6 +2720,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
insertion_point = (prev ? &prev->vm_next : &mm->mmap);
vma->vm_prev = NULL;
do {
@@ -89251,7 +89374,7 @@ index 9d54851..e8c6035 100644
vma_rb_erase(vma, &mm->mm_rb);
mm->map_count--;
tail_vma = vma;
-@@ -2384,14 +2753,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2384,14 +2755,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
struct vm_area_struct *new;
int err = -ENOMEM;
@@ -89285,7 +89408,7 @@ index 9d54851..e8c6035 100644
/* most fields are the same, copy all, and then fixup */
*new = *vma;
-@@ -2404,6 +2792,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2404,6 +2794,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
}
@@ -89308,7 +89431,7 @@ index 9d54851..e8c6035 100644
err = vma_dup_policy(vma, new);
if (err)
goto out_free_vma;
-@@ -2423,6 +2827,38 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2423,6 +2829,38 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
else
err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
@@ -89347,7 +89470,7 @@ index 9d54851..e8c6035 100644
/* Success. */
if (!err)
return 0;
-@@ -2432,10 +2868,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2432,10 +2870,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
new->vm_ops->close(new);
if (new->vm_file)
fput(new->vm_file);
@@ -89367,7 +89490,7 @@ index 9d54851..e8c6035 100644
kmem_cache_free(vm_area_cachep, new);
out_err:
return err;
-@@ -2448,6 +2892,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2448,6 +2894,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
unsigned long addr, int new_below)
{
@@ -89383,7 +89506,7 @@ index 9d54851..e8c6035 100644
if (mm->map_count >= sysctl_max_map_count)
return -ENOMEM;
-@@ -2459,11 +2912,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2459,11 +2914,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
* work. This now handles partial unmappings.
* Jeremy Fitzhardinge <jeremy@goop.org>
*/
@@ -89414,7 +89537,7 @@ index 9d54851..e8c6035 100644
if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
return -EINVAL;
-@@ -2538,6 +3010,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
+@@ -2538,6 +3012,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
/* Fix up all other VM information */
remove_vma_list(mm, vma);
@@ -89423,7 +89546,7 @@ index 9d54851..e8c6035 100644
return 0;
}
-@@ -2546,6 +3020,13 @@ int vm_munmap(unsigned long start, size_t len)
+@@ -2546,6 +3022,13 @@ int vm_munmap(unsigned long start, size_t len)
int ret;
struct mm_struct *mm = current->mm;
@@ -89437,7 +89560,7 @@ index 9d54851..e8c6035 100644
down_write(&mm->mmap_sem);
ret = do_munmap(mm, start, len);
up_write(&mm->mmap_sem);
-@@ -2559,16 +3040,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
+@@ -2559,16 +3042,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
return vm_munmap(addr, len);
}
@@ -89454,7 +89577,7 @@ index 9d54851..e8c6035 100644
/*
* this is really a simplified "do_mmap". it only handles
* anonymous maps. eventually we may be able to do some
-@@ -2582,6 +3053,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2582,6 +3055,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
struct rb_node ** rb_link, * rb_parent;
pgoff_t pgoff = addr >> PAGE_SHIFT;
int error;
@@ -89462,7 +89585,7 @@ index 9d54851..e8c6035 100644
len = PAGE_ALIGN(len);
if (!len)
-@@ -2589,16 +3061,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2589,16 +3063,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
@@ -89494,7 +89617,7 @@ index 9d54851..e8c6035 100644
locked += mm->locked_vm;
lock_limit = rlimit(RLIMIT_MEMLOCK);
lock_limit >>= PAGE_SHIFT;
-@@ -2615,21 +3101,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2615,21 +3103,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
/*
* Clear old maps. this also does some error checking for us
*/
@@ -89519,7 +89642,7 @@ index 9d54851..e8c6035 100644
return -ENOMEM;
/* Can we just expand an old private anonymous mapping? */
-@@ -2643,7 +3128,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2643,7 +3130,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
*/
vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
if (!vma) {
@@ -89528,7 +89651,7 @@ index 9d54851..e8c6035 100644
return -ENOMEM;
}
-@@ -2657,10 +3142,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2657,10 +3144,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
vma_link(mm, vma, prev, rb_link, rb_parent);
out:
perf_event_mmap(vma);
@@ -89542,7 +89665,7 @@ index 9d54851..e8c6035 100644
return addr;
}
-@@ -2722,6 +3208,7 @@ void exit_mmap(struct mm_struct *mm)
+@@ -2722,6 +3210,7 @@ void exit_mmap(struct mm_struct *mm)
while (vma) {
if (vma->vm_flags & VM_ACCOUNT)
nr_accounted += vma_pages(vma);
@@ -89550,7 +89673,7 @@ index 9d54851..e8c6035 100644
vma = remove_vma(vma);
}
vm_unacct_memory(nr_accounted);
-@@ -2738,6 +3225,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2738,6 +3227,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
struct vm_area_struct *prev;
struct rb_node **rb_link, *rb_parent;
@@ -89564,7 +89687,7 @@ index 9d54851..e8c6035 100644
/*
* The vm_pgoff of a purely anonymous vma should be irrelevant
* until its first write fault, when page's anon_vma and index
-@@ -2761,7 +3255,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2761,7 +3257,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
security_vm_enough_memory_mm(mm, vma_pages(vma)))
return -ENOMEM;
@@ -89586,7 +89709,7 @@ index 9d54851..e8c6035 100644
return 0;
}
-@@ -2780,6 +3288,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2780,6 +3290,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
struct rb_node **rb_link, *rb_parent;
bool faulted_in_anon_vma = true;
@@ -89595,7 +89718,7 @@ index 9d54851..e8c6035 100644
/*
* If anonymous vma has not yet been faulted, update new pgoff
* to match new location, to increase its chance of merging.
-@@ -2844,6 +3354,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2844,6 +3356,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
return NULL;
}
@@ -89635,7 +89758,7 @@ index 9d54851..e8c6035 100644
/*
* Return true if the calling process may expand its vm space by the passed
* number of pages
-@@ -2855,6 +3398,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
+@@ -2855,6 +3400,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
@@ -89643,7 +89766,7 @@ index 9d54851..e8c6035 100644
if (cur + npages > lim)
return 0;
return 1;
-@@ -2925,6 +3469,22 @@ int install_special_mapping(struct mm_struct *mm,
+@@ -2925,6 +3471,22 @@ int install_special_mapping(struct mm_struct *mm,
vma->vm_start = addr;
vma->vm_end = addr + len;
@@ -89667,7 +89790,7 @@ index 9d54851..e8c6035 100644
vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
diff --git a/mm/mprotect.c b/mm/mprotect.c
-index 412ba2b..cb41d42 100644
+index 6c3f56f..b2340b0 100644
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -23,10 +23,18 @@
@@ -89689,7 +89812,7 @@ index 412ba2b..cb41d42 100644
#ifndef pgprot_modify
static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
-@@ -236,6 +244,48 @@ unsigned long change_protection(struct vm_area_struct *vma, unsigned long start,
+@@ -241,6 +249,48 @@ unsigned long change_protection(struct vm_area_struct *vma, unsigned long start,
return pages;
}
@@ -89738,7 +89861,7 @@ index 412ba2b..cb41d42 100644
int
mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
unsigned long start, unsigned long end, unsigned long newflags)
-@@ -248,11 +298,29 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
+@@ -253,11 +303,29 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
int error;
int dirty_accountable = 0;
@@ -89768,7 +89891,7 @@ index 412ba2b..cb41d42 100644
/*
* If we make a private mapping writable we increase our commit;
* but (without finer accounting) cannot reduce our commit if we
-@@ -269,6 +337,42 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
+@@ -274,6 +342,42 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
}
}
@@ -89811,7 +89934,7 @@ index 412ba2b..cb41d42 100644
/*
* First try to merge with previous and/or next vma.
*/
-@@ -299,9 +403,21 @@ success:
+@@ -304,9 +408,21 @@ success:
* vm_flags and vm_page_prot are protected by the mmap_sem
* held in write mode.
*/
@@ -89834,7 +89957,7 @@ index 412ba2b..cb41d42 100644
if (vma_wants_writenotify(vma)) {
vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
-@@ -340,6 +456,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
+@@ -345,6 +461,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
end = start + len;
if (end <= start)
return -ENOMEM;
@@ -89852,7 +89975,7 @@ index 412ba2b..cb41d42 100644
if (!arch_validate_prot(prot))
return -EINVAL;
-@@ -347,7 +474,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
+@@ -352,7 +479,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
/*
* Does the application expect PROT_READ to imply PROT_EXEC:
*/
@@ -89861,7 +89984,7 @@ index 412ba2b..cb41d42 100644
prot |= PROT_EXEC;
vm_flags = calc_vm_prot_bits(prot);
-@@ -379,6 +506,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
+@@ -384,6 +511,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
if (start > vma->vm_start)
prev = vma;
@@ -89873,7 +89996,7 @@ index 412ba2b..cb41d42 100644
for (nstart = start ; ; ) {
unsigned long newflags;
-@@ -389,6 +521,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
+@@ -394,6 +526,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
/* newflags >> 4 shift VM_MAY% in place of VM_% */
if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
@@ -89888,7 +90011,7 @@ index 412ba2b..cb41d42 100644
error = -EACCES;
goto out;
}
-@@ -403,6 +543,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
+@@ -408,6 +548,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
if (error)
goto out;
@@ -91711,7 +91834,7 @@ index 1074543..136dbe0 100644
if (v->nr_pages)
seq_printf(m, " pages=%d", v->nr_pages);
diff --git a/mm/vmstat.c b/mm/vmstat.c
-index 9bb3145..98e5f68 100644
+index 5a442a7..5eb281e 100644
--- a/mm/vmstat.c
+++ b/mm/vmstat.c
@@ -79,7 +79,7 @@ void vm_events_fold_cpu(int cpu)
@@ -91761,7 +91884,7 @@ index 9bb3145..98e5f68 100644
}
}
#endif
-@@ -1280,10 +1280,20 @@ static int __init setup_vmstat(void)
+@@ -1281,10 +1281,20 @@ static int __init setup_vmstat(void)
start_cpu_timer(cpu);
#endif
#ifdef CONFIG_PROC_FS
@@ -92063,10 +92186,10 @@ index 48b31d3..62a0bcb 100644
frag2->seqno = htons(seqno);
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
-index 9bd7d95..6c4884f 100644
+index fa4bf66..e92948f 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
-@@ -934,7 +934,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
+@@ -932,7 +932,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
uf.event_mask[1] = *((u32 *) f->event_mask + 1);
}
@@ -92144,10 +92267,10 @@ index 0098af8..fb5a31f 100644
err = -EFAULT;
break;
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
-index 30b3721..c1bd0a0 100644
+index c1c6028..17e8dcc 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
-@@ -666,7 +666,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
+@@ -665,7 +665,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
struct sock *sk = sock->sk;
struct bt_security sec;
int err = 0;
@@ -92156,7 +92279,7 @@ index 30b3721..c1bd0a0 100644
u32 opt;
BT_DBG("sk %p", sk);
-@@ -688,7 +688,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
+@@ -687,7 +687,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
sec.level = BT_SECURITY_LOW;
@@ -92368,13 +92491,13 @@ index 4a5df7b..9ad1f1d 100644
switch (ss->ss_family) {
diff --git a/net/compat.c b/net/compat.c
-index 8903258..24e30e5 100644
+index dd32e34..6066f87 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -73,9 +73,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
return -EFAULT;
if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
- return -EINVAL;
+ kmsg->msg_namelen = sizeof(struct sockaddr_storage);
- kmsg->msg_name = compat_ptr(tmp1);
- kmsg->msg_iov = compat_ptr(tmp2);
- kmsg->msg_control = compat_ptr(tmp3);
@@ -92393,7 +92516,7 @@ index 8903258..24e30e5 100644
kern_msg->msg_namelen,
kern_address);
if (err < 0)
-@@ -98,7 +98,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+@@ -99,7 +99,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
kern_msg->msg_name = NULL;
tot_len = iov_from_user_compat_to_kern(kern_iov,
@@ -92402,7 +92525,7 @@ index 8903258..24e30e5 100644
kern_msg->msg_iovlen);
if (tot_len >= 0)
kern_msg->msg_iov = kern_iov;
-@@ -118,20 +118,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+@@ -119,20 +119,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
#define CMSG_COMPAT_FIRSTHDR(msg) \
(((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \
@@ -92426,7 +92549,7 @@ index 8903258..24e30e5 100644
msg->msg_controllen)
return NULL;
return (struct compat_cmsghdr __user *)ptr;
-@@ -221,7 +221,7 @@ Efault:
+@@ -222,7 +222,7 @@ Efault:
int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *data)
{
@@ -92435,7 +92558,7 @@ index 8903258..24e30e5 100644
struct compat_cmsghdr cmhdr;
struct compat_timeval ctv;
struct compat_timespec cts[3];
-@@ -277,7 +277,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
+@@ -278,7 +278,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
{
@@ -92444,7 +92567,7 @@ index 8903258..24e30e5 100644
int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
int fdnum = scm->fp->count;
struct file **fp = scm->fp->fp;
-@@ -365,7 +365,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
+@@ -366,7 +366,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
return -EFAULT;
old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -92453,7 +92576,7 @@ index 8903258..24e30e5 100644
set_fs(old_fs);
return err;
-@@ -426,7 +426,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
+@@ -427,7 +427,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
len = sizeof(ktime);
old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -92462,7 +92585,7 @@ index 8903258..24e30e5 100644
set_fs(old_fs);
if (!err) {
-@@ -569,7 +569,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
+@@ -570,7 +570,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
case MCAST_JOIN_GROUP:
case MCAST_LEAVE_GROUP:
{
@@ -92471,7 +92594,7 @@ index 8903258..24e30e5 100644
struct group_req __user *kgr =
compat_alloc_user_space(sizeof(struct group_req));
u32 interface;
-@@ -590,7 +590,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
+@@ -591,7 +591,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
case MCAST_BLOCK_SOURCE:
case MCAST_UNBLOCK_SOURCE:
{
@@ -92480,7 +92603,7 @@ index 8903258..24e30e5 100644
struct group_source_req __user *kgsr = compat_alloc_user_space(
sizeof(struct group_source_req));
u32 interface;
-@@ -611,7 +611,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
+@@ -612,7 +612,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
}
case MCAST_MSFILTER:
{
@@ -92489,7 +92612,7 @@ index 8903258..24e30e5 100644
struct group_filter __user *kgf;
u32 interface, fmode, numsrc;
-@@ -649,7 +649,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
+@@ -650,7 +650,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
char __user *optval, int __user *optlen,
int (*getsockopt)(struct sock *, int, int, char __user *, int __user *))
{
@@ -92498,7 +92621,7 @@ index 8903258..24e30e5 100644
struct group_filter __user *kgf;
int __user *koptlen;
u32 interface, fmode, numsrc;
-@@ -807,7 +807,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
+@@ -808,7 +808,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
if (call < SYS_SOCKET || call > SYS_SENDMMSG)
return -EINVAL;
@@ -92521,7 +92644,7 @@ index af814e7..3d761de 100644
return err;
diff --git a/net/core/dev.c b/net/core/dev.c
-index 3430b1e..d6453ad 100644
+index 3d13874..6e78dc7 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1680,14 +1680,14 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
@@ -92541,7 +92664,7 @@ index 3430b1e..d6453ad 100644
kfree_skb(skb);
return NET_RX_DROP;
}
-@@ -2432,7 +2432,7 @@ static int illegal_highdma(struct net_device *dev, struct sk_buff *skb)
+@@ -2428,7 +2428,7 @@ static int illegal_highdma(struct net_device *dev, struct sk_buff *skb)
struct dev_gso_cb {
void (*destructor)(struct sk_buff *skb);
@@ -92550,7 +92673,7 @@ index 3430b1e..d6453ad 100644
#define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
-@@ -3207,7 +3207,7 @@ enqueue:
+@@ -3203,7 +3203,7 @@ enqueue:
local_irq_restore(flags);
@@ -92559,7 +92682,7 @@ index 3430b1e..d6453ad 100644
kfree_skb(skb);
return NET_RX_DROP;
}
-@@ -3279,7 +3279,7 @@ int netif_rx_ni(struct sk_buff *skb)
+@@ -3275,7 +3275,7 @@ int netif_rx_ni(struct sk_buff *skb)
}
EXPORT_SYMBOL(netif_rx_ni);
@@ -92568,7 +92691,7 @@ index 3430b1e..d6453ad 100644
{
struct softnet_data *sd = &__get_cpu_var(softnet_data);
-@@ -3613,7 +3613,7 @@ ncls:
+@@ -3609,7 +3609,7 @@ ncls:
ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
} else {
drop:
@@ -92577,7 +92700,7 @@ index 3430b1e..d6453ad 100644
kfree_skb(skb);
/* Jamal, now you will not able to escape explaining
* me how you were going to use this. :-)
-@@ -4273,7 +4273,7 @@ void netif_napi_del(struct napi_struct *napi)
+@@ -4269,7 +4269,7 @@ void netif_napi_del(struct napi_struct *napi)
}
EXPORT_SYMBOL(netif_napi_del);
@@ -92586,7 +92709,7 @@ index 3430b1e..d6453ad 100644
{
struct softnet_data *sd = &__get_cpu_var(softnet_data);
unsigned long time_limit = jiffies + 2;
-@@ -5977,7 +5977,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
+@@ -5973,7 +5973,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
} else {
netdev_stats_to_stats64(storage, &dev->stats);
}
@@ -92654,7 +92777,7 @@ index dfa602c..3103d88 100644
fle->object = flo;
else
diff --git a/net/core/iovec.c b/net/core/iovec.c
-index b77eeec..2890aca 100644
+index 7d84ea1..55385ae 100644
--- a/net/core/iovec.c
+++ b/net/core/iovec.c
@@ -42,7 +42,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a
@@ -92666,7 +92789,7 @@ index b77eeec..2890aca 100644
err = move_addr_to_kernel(namep, m->msg_namelen,
address);
if (err < 0)
-@@ -54,7 +54,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a
+@@ -55,7 +55,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a
}
size = m->msg_iovlen * sizeof(struct iovec);
@@ -92861,10 +92984,10 @@ index b442e7e..6f5b5a2 100644
{
struct socket *sock;
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
-index d81cff1..e31f952 100644
+index c28c7fe..a399a6d 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
-@@ -3082,13 +3082,15 @@ void __init skb_init(void)
+@@ -3104,13 +3104,15 @@ void __init skb_init(void)
skbuff_head_cache = kmem_cache_create("skbuff_head_cache",
sizeof(struct sk_buff),
0,
@@ -92882,6 +93005,14 @@ index d81cff1..e31f952 100644
NULL);
}
+@@ -3541,6 +3543,7 @@ void skb_scrub_packet(struct sk_buff *skb, bool xnet)
+ skb->tstamp.tv64 = 0;
+ skb->pkt_type = PACKET_HOST;
+ skb->skb_iif = 0;
++ skb->local_df = 0;
+ skb_dst_drop(skb);
+ skb->mark = 0;
+ secpath_reset(skb);
diff --git a/net/core/sock.c b/net/core/sock.c
index 0b39e7a..5e9f91e 100644
--- a/net/core/sock.c
@@ -93163,7 +93294,7 @@ index 5325b54..a0d4d69 100644
*lenp = len;
diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
-index ff41b4d6..6125050 100644
+index 008f337..b03b8c9 100644
--- a/net/ieee802154/6lowpan.c
+++ b/net/ieee802154/6lowpan.c
@@ -548,7 +548,7 @@ static int lowpan_header_create(struct sk_buff *skb,
@@ -93203,19 +93334,6 @@ index cfeb85c..385989a 100644
goto out;
}
-diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c
-index b28e863..19e3637 100644
---- a/net/ipv4/datagram.c
-+++ b/net/ipv4/datagram.c
-@@ -57,7 +57,7 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
- if (IS_ERR(rt)) {
- err = PTR_ERR(rt);
- if (err == -ENETUNREACH)
-- IP_INC_STATS_BH(sock_net(sk), IPSTATS_MIB_OUTNOROUTES);
-+ IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTNOROUTES);
- goto out;
- }
-
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index a1b5bcb..62ec5c6 100644
--- a/net/ipv4/devinet.c
@@ -93468,10 +93586,10 @@ index d7aea4c..a8ee872 100644
.maxtype = IFLA_GRE_MAX,
.policy = ipgre_policy,
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
-index d9c4f11..02b82dbc 100644
+index 23e6ab0..be67a57 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
-@@ -1152,7 +1152,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+@@ -1153,7 +1153,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
len = min_t(unsigned int, len, opt->optlen);
if (put_user(len, optlen))
return -EFAULT;
@@ -93481,7 +93599,7 @@ index d9c4f11..02b82dbc 100644
return -EFAULT;
return 0;
}
-@@ -1283,7 +1284,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+@@ -1284,7 +1285,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
if (sk->sk_type != SOCK_STREAM)
return -ENOPROTOOPT;
@@ -93491,7 +93609,7 @@ index d9c4f11..02b82dbc 100644
msg.msg_flags = flags;
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
-index 6e87f85..2c28e240 100644
+index 26847e1..75d2d2f 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -44,7 +44,7 @@
@@ -93503,7 +93621,7 @@ index 6e87f85..2c28e240 100644
static int vti_net_id __read_mostly;
static int vti_tunnel_init(struct net_device *dev);
-@@ -424,7 +424,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = {
+@@ -425,7 +425,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = {
[IFLA_VTI_REMOTE] = { .len = FIELD_SIZEOF(struct iphdr, daddr) },
};
@@ -93699,7 +93817,7 @@ index cbc2215..9cb993c 100644
/* copy_len <= skb->len, so can't fail. */
if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0)
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
-index d7d9882..d700c68 100644
+index c482f7c..2784262 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -55,7 +55,7 @@
@@ -93738,63 +93856,17 @@ index d7d9882..d700c68 100644
info, (u8 *)icmph);
#endif
}
-@@ -850,7 +850,7 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
- return ip_recv_error(sk, msg, len);
+@@ -841,7 +841,7 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ return ip_recv_error(sk, msg, len, addr_len);
#if IS_ENABLED(CONFIG_IPV6)
} else if (family == AF_INET6) {
-- return pingv6_ops.ipv6_recv_error(sk, msg, len);
-+ return pingv6_ops->ipv6_recv_error(sk, msg, len);
+- return pingv6_ops.ipv6_recv_error(sk, msg, len,
++ return pingv6_ops->ipv6_recv_error(sk, msg, len,
+ addr_len);
#endif
}
- }
-@@ -874,11 +874,14 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
-
- /* Copy the address and add cmsg data. */
- if (family == AF_INET) {
-- sin = (struct sockaddr_in *) msg->msg_name;
-- sin->sin_family = AF_INET;
-- sin->sin_port = 0 /* skb->h.uh->source */;
-- sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
-- memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
-+ struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name;
-+
-+ if (sin) {
-+ sin->sin_family = AF_INET;
-+ sin->sin_port = 0 /* skb->h.uh->source */;
-+ sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
-+ memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
-+ }
-
- if (isk->cmsg_flags)
- ip_cmsg_recv(msg, skb);
-@@ -887,20 +890,23 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
- } else if (family == AF_INET6) {
- struct ipv6_pinfo *np = inet6_sk(sk);
- struct ipv6hdr *ip6 = ipv6_hdr(skb);
-- sin6 = (struct sockaddr_in6 *) msg->msg_name;
-- sin6->sin6_family = AF_INET6;
-- sin6->sin6_port = 0;
-- sin6->sin6_addr = ip6->saddr;
-+ struct sockaddr_in6 *sin6 =
-+ (struct sockaddr_in6 *)msg->msg_name;
-
-- sin6->sin6_flowinfo = 0;
-- if (np->sndflow)
-- sin6->sin6_flowinfo = ip6_flowinfo(ip6);
--
-- sin6->sin6_scope_id = ipv6_iface_scope_id(&sin6->sin6_addr,
-- IP6CB(skb)->iif);
-+ if (sin6) {
-+ sin6->sin6_family = AF_INET6;
-+ sin6->sin6_port = 0;
-+ sin6->sin6_addr = ip6->saddr;
-+ sin6->sin6_flowinfo = 0;
-+ if (np->sndflow)
-+ sin6->sin6_flowinfo = ip6_flowinfo(ip6);
-+ sin6->sin6_scope_id =
-+ ipv6_iface_scope_id(&sin6->sin6_addr,
-+ IP6CB(skb)->iif);
-+ }
+@@ -900,7 +900,7 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ }
if (inet6_sk(sk)->rxopt.all)
- pingv6_ops.ip6_datagram_recv_ctl(sk, msg, skb);
@@ -93802,7 +93874,7 @@ index d7d9882..d700c68 100644
#endif
} else {
BUG();
-@@ -1090,7 +1096,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f,
+@@ -1090,7 +1090,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f,
from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)),
0, sock_i_ino(sp),
atomic_read(&sp->sk_refcnt), sp,
@@ -93812,7 +93884,7 @@ index d7d9882..d700c68 100644
static int ping_v4_seq_show(struct seq_file *seq, void *v)
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
-index 193db03..05ba36c 100644
+index 7d3db78..9fd511d 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -311,7 +311,7 @@ static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
@@ -93824,7 +93896,7 @@ index 193db03..05ba36c 100644
kfree_skb(skb);
return NET_RX_DROP;
}
-@@ -748,16 +748,20 @@ static int raw_init(struct sock *sk)
+@@ -746,16 +746,20 @@ static int raw_init(struct sock *sk)
static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
{
@@ -93846,7 +93918,7 @@ index 193db03..05ba36c 100644
if (get_user(len, optlen))
goto out;
-@@ -767,8 +771,8 @@ static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *o
+@@ -765,8 +769,8 @@ static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *o
if (len > sizeof(struct icmp_filter))
len = sizeof(struct icmp_filter);
ret = -EFAULT;
@@ -93857,7 +93929,7 @@ index 193db03..05ba36c 100644
goto out;
ret = 0;
out: return ret;
-@@ -997,7 +1001,7 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
+@@ -995,7 +999,7 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
0, 0L, 0,
from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)),
0, sock_i_ino(sp),
@@ -93867,10 +93939,10 @@ index 193db03..05ba36c 100644
static int raw_seq_show(struct seq_file *seq, void *v)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
-index 6011615..f418576 100644
+index 62290b5..f0d944f 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
-@@ -2613,34 +2613,34 @@ static struct ctl_table ipv4_route_flush_table[] = {
+@@ -2617,34 +2617,34 @@ static struct ctl_table ipv4_route_flush_table[] = {
.maxlen = sizeof(int),
.mode = 0200,
.proc_handler = ipv4_sysctl_rtcache_flush,
@@ -93913,7 +93985,7 @@ index 6011615..f418576 100644
err_dup:
return -ENOMEM;
}
-@@ -2663,8 +2663,8 @@ static __net_initdata struct pernet_operations sysctl_route_ops = {
+@@ -2667,8 +2667,8 @@ static __net_initdata struct pernet_operations sysctl_route_ops = {
static __net_init int rt_genid_init(struct net *net)
{
@@ -94103,7 +94175,7 @@ index 068c8fb..a755c52 100644
if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
return 1;
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
-index b14266b..c5fe725 100644
+index 5031f68..91569e2 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -91,6 +91,10 @@ int sysctl_tcp_low_latency __read_mostly;
@@ -94231,7 +94303,7 @@ index 4b85e6f..22f9ac9 100644
syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
/* Has it gone just too far? */
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
-index 0ca44df..b5e4b11 100644
+index 5e2c2f1..6473c22 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -87,6 +87,7 @@
@@ -94282,7 +94354,7 @@ index 0ca44df..b5e4b11 100644
daddr = inet->inet_daddr;
dport = inet->inet_dport;
/* Open fast path for connected socket.
-@@ -1138,7 +1155,7 @@ static unsigned int first_packet_length(struct sock *sk)
+@@ -1141,7 +1158,7 @@ static unsigned int first_packet_length(struct sock *sk)
IS_UDPLITE(sk));
UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
IS_UDPLITE(sk));
@@ -94291,7 +94363,7 @@ index 0ca44df..b5e4b11 100644
__skb_unlink(skb, rcvq);
__skb_queue_tail(&list_kill, skb);
}
-@@ -1224,6 +1241,10 @@ try_again:
+@@ -1221,6 +1238,10 @@ try_again:
if (!skb)
goto out;
@@ -94302,7 +94374,7 @@ index 0ca44df..b5e4b11 100644
ulen = skb->len - sizeof(struct udphdr);
copied = len;
if (copied > ulen)
-@@ -1257,7 +1278,7 @@ try_again:
+@@ -1254,7 +1275,7 @@ try_again:
if (unlikely(err)) {
trace_kfree_skb(skb, udp_recvmsg);
if (!peeked) {
@@ -94311,7 +94383,7 @@ index 0ca44df..b5e4b11 100644
UDP_INC_STATS_USER(sock_net(sk),
UDP_MIB_INERRORS, is_udplite);
}
-@@ -1544,7 +1565,7 @@ csum_error:
+@@ -1542,7 +1563,7 @@ csum_error:
UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_CSUMERRORS, is_udplite);
drop:
UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
@@ -94320,7 +94392,7 @@ index 0ca44df..b5e4b11 100644
kfree_skb(skb);
return -1;
}
-@@ -1563,7 +1584,7 @@ static void flush_stack(struct sock **stack, unsigned int count,
+@@ -1561,7 +1582,7 @@ static void flush_stack(struct sock **stack, unsigned int count,
skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
if (!skb1) {
@@ -94329,7 +94401,7 @@ index 0ca44df..b5e4b11 100644
UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
IS_UDPLITE(sk));
UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
-@@ -1735,6 +1756,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
+@@ -1733,6 +1754,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
goto csum_error;
UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
@@ -94339,7 +94411,7 @@ index 0ca44df..b5e4b11 100644
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
/*
-@@ -2167,7 +2191,7 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f,
+@@ -2165,7 +2189,7 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f,
from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)),
0, sock_i_ino(sp),
atomic_read(&sp->sk_refcnt), sp,
@@ -94349,10 +94421,10 @@ index 0ca44df..b5e4b11 100644
int udp4_seq_show(struct seq_file *seq, void *v)
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
-index ccde542..eeb5ff7 100644
+index adf9983..8e45d0a 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
-@@ -182,11 +182,11 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
+@@ -186,11 +186,11 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
fl4->flowi4_tos = iph->tos;
}
@@ -94366,7 +94438,7 @@ index ccde542..eeb5ff7 100644
return (dst_entries_get_slow(ops) > ops->gc_thresh * 2);
}
-@@ -265,19 +265,18 @@ static struct ctl_table xfrm4_policy_table[] = {
+@@ -269,19 +269,18 @@ static struct ctl_table xfrm4_policy_table[] = {
static int __net_init xfrm4_net_init(struct net *net)
{
@@ -94391,7 +94463,7 @@ index ccde542..eeb5ff7 100644
if (!hdr)
goto err_reg;
-@@ -285,8 +284,7 @@ static int __net_init xfrm4_net_init(struct net *net)
+@@ -289,8 +288,7 @@ static int __net_init xfrm4_net_init(struct net *net)
return 0;
err_reg:
@@ -94460,7 +94532,7 @@ index cd3fb30..b7dfef7 100644
/*
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
-index 7c96100..bfd994a 100644
+index 8132b44..b8eca70 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -767,7 +767,7 @@ static int __net_init inet6_net_init(struct net *net)
@@ -94473,10 +94545,10 @@ index 7c96100..bfd994a 100644
err = ipv6_init_mibs(net);
if (err)
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
-index 48b6bd2..76d3458 100644
+index c66c6df..f375d3c 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
-@@ -904,5 +904,5 @@ void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp,
+@@ -908,5 +908,5 @@ void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp,
0,
sock_i_ino(sp),
atomic_read(&sp->sk_refcnt), sp,
@@ -94537,7 +94609,7 @@ index bf4a9a0..e5f6ac5 100644
.maxtype = IFLA_GRE_MAX,
.policy = ip6gre_policy,
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
-index 583b77e..99522b8 100644
+index c1e11b5..568e633 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -89,7 +89,7 @@ static u32 HASH(const struct in6_addr *addr1, const struct in6_addr *addr2)
@@ -94549,7 +94621,7 @@ index 583b77e..99522b8 100644
static int ip6_tnl_net_id __read_mostly;
struct ip6_tnl_net {
-@@ -1690,7 +1690,7 @@ static const struct nla_policy ip6_tnl_policy[IFLA_IPTUN_MAX + 1] = {
+@@ -1699,7 +1699,7 @@ static const struct nla_policy ip6_tnl_policy[IFLA_IPTUN_MAX + 1] = {
[IFLA_IPTUN_PROTO] = { .type = NLA_U8 },
};
@@ -94621,7 +94693,7 @@ index 44400c2..8e11f52 100644
case IP6T_SO_GET_ENTRIES:
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
-index dffdc1a..ccc6678 100644
+index 253566a..9fa50c7 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -90,12 +90,11 @@ static struct ctl_table nf_ct_frag6_sysctl_table[] = {
@@ -94696,10 +94768,10 @@ index 827f795..7e28e82 100644
EXPORT_SYMBOL(ipv6_select_ident);
diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
-index 18f19df..b46ada1 100644
+index 7856e96..75ebc7f 100644
--- a/net/ipv6/ping.c
+++ b/net/ipv6/ping.c
-@@ -245,6 +245,22 @@ static struct pernet_operations ping_v6_net_ops = {
+@@ -246,6 +246,22 @@ static struct pernet_operations ping_v6_net_ops = {
};
#endif
@@ -94722,7 +94794,7 @@ index 18f19df..b46ada1 100644
int __init pingv6_init(void)
{
#ifdef CONFIG_PROC_FS
-@@ -252,11 +268,7 @@ int __init pingv6_init(void)
+@@ -253,11 +269,7 @@ int __init pingv6_init(void)
if (ret)
return ret;
#endif
@@ -94735,7 +94807,7 @@ index 18f19df..b46ada1 100644
return inet6_register_protosw(&pingv6_protosw);
}
-@@ -265,11 +277,7 @@ int __init pingv6_init(void)
+@@ -266,11 +278,7 @@ int __init pingv6_init(void)
*/
void pingv6_exit(void)
{
@@ -94749,7 +94821,7 @@ index 18f19df..b46ada1 100644
unregister_pernet_subsys(&ping_v6_net_ops);
#endif
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
-index a4ed241..8bf6277 100644
+index 430067c..4adf088 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -385,7 +385,7 @@ static inline int rawv6_rcv_skb(struct sock *sk, struct sk_buff *skb)
@@ -94779,7 +94851,7 @@ index a4ed241..8bf6277 100644
kfree_skb(skb);
return NET_RX_DROP;
}
-@@ -609,7 +609,7 @@ out:
+@@ -607,7 +607,7 @@ out:
return err;
}
@@ -94788,7 +94860,7 @@ index a4ed241..8bf6277 100644
struct flowi6 *fl6, struct dst_entry **dstp,
unsigned int flags)
{
-@@ -922,12 +922,15 @@ do_confirm:
+@@ -920,12 +920,15 @@ do_confirm:
static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
char __user *optval, int optlen)
{
@@ -94805,7 +94877,7 @@ index a4ed241..8bf6277 100644
return 0;
default:
return -ENOPROTOOPT;
-@@ -940,6 +943,7 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
+@@ -938,6 +941,7 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
char __user *optval, int __user *optlen)
{
int len;
@@ -94813,7 +94885,7 @@ index a4ed241..8bf6277 100644
switch (optname) {
case ICMPV6_FILTER:
-@@ -951,7 +955,8 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
+@@ -949,7 +953,8 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
len = sizeof(struct icmp6_filter);
if (put_user(len, optlen))
return -EFAULT;
@@ -94866,10 +94938,10 @@ index 1aeb473..bea761c 100644
return -ENOMEM;
}
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
-index 04e17b3..83502e9 100644
+index 77308af..36ed509 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
-@@ -3006,7 +3006,7 @@ struct ctl_table ipv6_route_table_template[] = {
+@@ -3009,7 +3009,7 @@ struct ctl_table ipv6_route_table_template[] = {
struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net)
{
@@ -94879,7 +94951,7 @@ index 04e17b3..83502e9 100644
table = kmemdup(ipv6_route_table_template,
sizeof(ipv6_route_table_template),
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
-index 1926945..30a1a57 100644
+index b433884..3875266 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -74,7 +74,7 @@ static void ipip6_tunnel_setup(struct net_device *dev);
@@ -94891,9 +94963,9 @@ index 1926945..30a1a57 100644
static int sit_net_id __read_mostly;
struct sit_net {
-@@ -1594,7 +1594,7 @@ static const struct nla_policy ipip6_policy[IFLA_IPTUN_MAX + 1] = {
- #endif
- };
+@@ -1603,7 +1603,7 @@ static void ipip6_dellink(struct net_device *dev, struct list_head *head)
+ unregister_netdevice_queue(dev, head);
+ }
-static struct rtnl_link_ops sit_link_ops __read_mostly = {
+static struct rtnl_link_ops sit_link_ops = {
@@ -94973,7 +95045,7 @@ index 5c71501..7e8d5d3 100644
}
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
-index 1878609..b48e1d4 100644
+index 3d2758d..626c422 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -53,6 +53,10 @@
@@ -94987,7 +95059,7 @@ index 1878609..b48e1d4 100644
int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
{
const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
-@@ -420,7 +424,7 @@ try_again:
+@@ -417,7 +421,7 @@ try_again:
if (unlikely(err)) {
trace_kfree_skb(skb, udpv6_recvmsg);
if (!peeked) {
@@ -94996,7 +95068,7 @@ index 1878609..b48e1d4 100644
if (is_udp4)
UDP_INC_STATS_USER(sock_net(sk),
UDP_MIB_INERRORS,
-@@ -668,7 +672,7 @@ csum_error:
+@@ -665,7 +669,7 @@ csum_error:
UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_CSUMERRORS, is_udplite);
drop:
UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
@@ -95005,7 +95077,7 @@ index 1878609..b48e1d4 100644
kfree_skb(skb);
return -1;
}
-@@ -726,7 +730,7 @@ static void flush_stack(struct sock **stack, unsigned int count,
+@@ -723,7 +727,7 @@ static void flush_stack(struct sock **stack, unsigned int count,
if (likely(skb1 == NULL))
skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
if (!skb1) {
@@ -95014,7 +95086,7 @@ index 1878609..b48e1d4 100644
UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
IS_UDPLITE(sk));
UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
-@@ -866,6 +870,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
+@@ -863,6 +867,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
goto csum_error;
UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
@@ -95025,10 +95097,10 @@ index 1878609..b48e1d4 100644
kfree_skb(skb);
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
-index 08ed277..80e4bc8 100644
+index 550b195..6acea83 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
-@@ -208,11 +208,11 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
+@@ -212,11 +212,11 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
}
}
@@ -95042,7 +95114,7 @@ index 08ed277..80e4bc8 100644
return dst_entries_get_fast(ops) > ops->gc_thresh * 2;
}
-@@ -325,19 +325,19 @@ static struct ctl_table xfrm6_policy_table[] = {
+@@ -329,19 +329,19 @@ static struct ctl_table xfrm6_policy_table[] = {
static int __net_init xfrm6_net_init(struct net *net)
{
@@ -95067,7 +95139,7 @@ index 08ed277..80e4bc8 100644
if (!hdr)
goto err_reg;
-@@ -345,8 +345,7 @@ static int __net_init xfrm6_net_init(struct net *net)
+@@ -349,8 +349,7 @@ static int __net_init xfrm6_net_init(struct net *net)
return 0;
err_reg:
@@ -95153,7 +95225,7 @@ index 41ac7938..75e3bb1 100644
seq_printf(m, "Max header size: %d\n", self->max_header_size);
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
-index 168aff5..9d43132 100644
+index c4b7218..3e83259 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -773,10 +773,10 @@ static int iucv_sock_autobind(struct sock *sk)
@@ -95183,7 +95255,7 @@ index cd5b8ec..f205e6b 100644
};
diff --git a/net/key/af_key.c b/net/key/af_key.c
-index 911ef03..58f9c96 100644
+index 545f047..9757a9d 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3041,10 +3041,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc
@@ -95499,7 +95571,7 @@ index 4c8e5c0..5a79b4d 100644
if (!todrop_rate[i]) return 0;
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
-index 74fd00c..06e7ac7 100644
+index 3581736..c0453e9 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -567,7 +567,7 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
@@ -95511,7 +95583,7 @@ index 74fd00c..06e7ac7 100644
ip_vs_conn_put(cp);
return ret;
}
-@@ -1719,7 +1719,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
+@@ -1706,7 +1706,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
pkts = sysctl_sync_threshold(ipvs);
else
@@ -95989,7 +96061,7 @@ index 4fe4fb4..87a89e5 100644
return 0;
}
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index 8df7f64..c5d6821 100644
+index 6135635..5bdc54a 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -249,7 +249,7 @@ static void netlink_overrun(struct sock *sk)
@@ -96001,7 +96073,7 @@ index 8df7f64..c5d6821 100644
}
static void netlink_rcv_wake(struct sock *sk)
-@@ -2942,7 +2942,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
+@@ -2940,7 +2940,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
sk_wmem_alloc_get(s),
nlk->cb_running,
atomic_read(&s->sk_refcnt),
@@ -96053,7 +96125,7 @@ index 0c741ce..f8c8ca7 100644
}
}
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
-index 698814b..7cfde4e 100644
+index 53c19a3..b0ac04a 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -850,7 +850,6 @@ static int nr_getname(struct socket *sock, struct sockaddr *uaddr,
@@ -96065,10 +96137,10 @@ index 698814b..7cfde4e 100644
*uaddr_len = sizeof(struct sockaddr_ax25);
}
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index 2e8286b..b2659ee 100644
+index ba2548b..1a4e98e 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
-@@ -1692,7 +1692,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
+@@ -1699,7 +1699,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
spin_lock(&sk->sk_receive_queue.lock);
po->stats.stats1.tp_packets++;
@@ -96077,7 +96149,7 @@ index 2e8286b..b2659ee 100644
__skb_queue_tail(&sk->sk_receive_queue, skb);
spin_unlock(&sk->sk_receive_queue.lock);
sk->sk_data_ready(sk, skb->len);
-@@ -1701,7 +1701,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
+@@ -1708,7 +1708,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
drop_n_acct:
spin_lock(&sk->sk_receive_queue.lock);
po->stats.stats1.tp_drops++;
@@ -96086,7 +96158,7 @@ index 2e8286b..b2659ee 100644
spin_unlock(&sk->sk_receive_queue.lock);
drop_n_restore:
-@@ -3250,7 +3250,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3261,7 +3261,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
case PACKET_HDRLEN:
if (len > sizeof(int))
len = sizeof(int);
@@ -96095,7 +96167,7 @@ index 2e8286b..b2659ee 100644
return -EFAULT;
switch (val) {
case TPACKET_V1:
-@@ -3293,7 +3293,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3304,7 +3304,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
len = lv;
if (put_user(len, optlen))
return -EFAULT;
@@ -96779,7 +96851,7 @@ index 6b36561..4f21064 100644
table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL);
diff --git a/net/socket.c b/net/socket.c
-index c226ace..561e8f7 100644
+index e83c416..17afbfa 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -88,6 +88,7 @@
@@ -96808,7 +96880,7 @@ index c226ace..561e8f7 100644
/*
* Statistics counters of the socket lists
-@@ -327,7 +330,7 @@ static struct dentry *sockfs_mount(struct file_system_type *fs_type,
+@@ -328,7 +331,7 @@ static struct dentry *sockfs_mount(struct file_system_type *fs_type,
&sockfs_dentry_operations, SOCKFS_MAGIC);
}
@@ -96817,7 +96889,7 @@ index c226ace..561e8f7 100644
static struct file_system_type sock_fs_type = {
.name = "sockfs",
-@@ -1254,6 +1257,8 @@ int __sock_create(struct net *net, int family, int type, int protocol,
+@@ -1255,6 +1258,8 @@ int __sock_create(struct net *net, int family, int type, int protocol,
return -EAFNOSUPPORT;
if (type < 0 || type >= SOCK_MAX)
return -EINVAL;
@@ -96826,7 +96898,7 @@ index c226ace..561e8f7 100644
/* Compatibility.
-@@ -1274,6 +1279,20 @@ int __sock_create(struct net *net, int family, int type, int protocol,
+@@ -1275,6 +1280,20 @@ int __sock_create(struct net *net, int family, int type, int protocol,
if (err)
return err;
@@ -96847,7 +96919,7 @@ index c226ace..561e8f7 100644
/*
* Allocate the socket and allow the family to set things up. if
* the protocol is 0, the family is instructed to select an appropriate
-@@ -1512,6 +1531,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
+@@ -1513,6 +1532,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
if (sock) {
err = move_addr_to_kernel(umyaddr, addrlen, &address);
if (err >= 0) {
@@ -96862,7 +96934,7 @@ index c226ace..561e8f7 100644
err = security_socket_bind(sock,
(struct sockaddr *)&address,
addrlen);
-@@ -1520,6 +1547,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
+@@ -1521,6 +1548,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
(struct sockaddr *)
&address, addrlen);
}
@@ -96870,7 +96942,7 @@ index c226ace..561e8f7 100644
fput_light(sock->file, fput_needed);
}
return err;
-@@ -1543,10 +1571,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog)
+@@ -1544,10 +1572,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog)
if ((unsigned int)backlog > somaxconn)
backlog = somaxconn;
@@ -96891,7 +96963,7 @@ index c226ace..561e8f7 100644
fput_light(sock->file, fput_needed);
}
return err;
-@@ -1590,6 +1628,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
+@@ -1591,6 +1629,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
newsock->type = sock->type;
newsock->ops = sock->ops;
@@ -96910,7 +96982,7 @@ index c226ace..561e8f7 100644
/*
* We don't need try_module_get here, as the listening socket (sock)
* has the protocol module (sock->ops->owner) held.
-@@ -1635,6 +1685,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
+@@ -1636,6 +1686,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
fd_install(newfd, newfile);
err = newfd;
@@ -96919,7 +96991,7 @@ index c226ace..561e8f7 100644
out_put:
fput_light(sock->file, fput_needed);
out:
-@@ -1667,6 +1719,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
+@@ -1668,6 +1720,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
int, addrlen)
{
struct socket *sock;
@@ -96927,7 +96999,7 @@ index c226ace..561e8f7 100644
struct sockaddr_storage address;
int err, fput_needed;
-@@ -1677,6 +1730,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
+@@ -1678,6 +1731,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
if (err < 0)
goto out_put;
@@ -96945,7 +97017,7 @@ index c226ace..561e8f7 100644
err =
security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
if (err)
-@@ -1758,6 +1822,8 @@ SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr,
+@@ -1759,6 +1823,8 @@ SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr,
* the protocol.
*/
@@ -96954,7 +97026,7 @@ index c226ace..561e8f7 100644
SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
unsigned int, flags, struct sockaddr __user *, addr,
int, addr_len)
-@@ -1824,7 +1890,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
+@@ -1825,7 +1891,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
struct socket *sock;
struct iovec iov;
struct msghdr msg;
@@ -96963,7 +97035,7 @@ index c226ace..561e8f7 100644
int err, err2;
int fput_needed;
-@@ -2044,7 +2110,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2047,7 +2113,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
* checking falls down on this.
*/
if (copy_from_user(ctl_buf,
@@ -96972,7 +97044,7 @@ index c226ace..561e8f7 100644
ctl_len))
goto out_freectl;
msg_sys->msg_control = ctl_buf;
-@@ -2195,7 +2261,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2198,7 +2264,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
int err, total_len, len;
/* kernel mode address */
@@ -96981,16 +97053,7 @@ index c226ace..561e8f7 100644
/* user mode address pointers */
struct sockaddr __user *uaddr;
-@@ -2226,7 +2292,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
- * kernel msghdr to use the kernel address space)
- */
-
-- uaddr = (__force void __user *)msg_sys->msg_name;
-+ uaddr = (void __force_user *)msg_sys->msg_name;
- uaddr_len = COMPAT_NAMELEN(msg);
- if (MSG_CMSG_COMPAT & flags) {
- err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE);
-@@ -2981,7 +3047,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
+@@ -2985,7 +3051,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
err = dev_ioctl(net, cmd,
@@ -96999,7 +97062,7 @@ index c226ace..561e8f7 100644
set_fs(old_fs);
return err;
-@@ -3090,7 +3156,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
+@@ -3094,7 +3160,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -97008,7 +97071,7 @@ index c226ace..561e8f7 100644
set_fs(old_fs);
if (cmd == SIOCGIFMAP && !err) {
-@@ -3195,7 +3261,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
+@@ -3199,7 +3265,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
ret |= get_user(rtdev, &(ur4->rt_dev));
if (rtdev) {
ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
@@ -97017,7 +97080,7 @@ index c226ace..561e8f7 100644
devname[15] = 0;
} else
r4.rt_dev = NULL;
-@@ -3421,8 +3487,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
+@@ -3425,8 +3491,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
int __user *uoptlen;
int err;
@@ -97028,7 +97091,7 @@ index c226ace..561e8f7 100644
set_fs(KERNEL_DS);
if (level == SOL_SOCKET)
-@@ -3442,7 +3508,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
+@@ -3446,7 +3512,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
char __user *uoptval;
int err;
@@ -97393,7 +97456,7 @@ index d38bb45..4fd6ac6 100644
sub->evt.event = htohl(event, sub->swap);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index c1f403b..b246d87 100644
+index 01625cc..d486b64 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -784,6 +784,12 @@ static struct sock *unix_find_other(struct net *net,
@@ -97442,7 +97505,7 @@ index c1f403b..b246d87 100644
done_path_create(&path, dentry);
return err;
}
-@@ -2333,9 +2352,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+@@ -2328,9 +2347,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
seq_puts(seq, "Num RefCount Protocol Flags Type St "
"Inode Path\n");
else {
@@ -97457,7 +97520,7 @@ index c1f403b..b246d87 100644
seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu",
s,
-@@ -2362,8 +2385,10 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+@@ -2357,8 +2380,10 @@ static int unix_seq_show(struct seq_file *seq, void *v)
}
for ( ; i < len; i++)
seq_putc(seq, u->addr->name->sun_path[i]);
@@ -100641,10 +100704,10 @@ index 0000000..414fe5e
+}
diff --git a/tools/gcc/constify_plugin.c b/tools/gcc/constify_plugin.c
new file mode 100644
-index 0000000..c17312d
+index 0000000..ba59e50
--- /dev/null
+++ b/tools/gcc/constify_plugin.c
-@@ -0,0 +1,560 @@
+@@ -0,0 +1,558 @@
+/*
+ * Copyright 2011 by Emese Revfy <re.emese@gmail.com>
+ * Copyright 2011-2013 by PaX Team <pageexec@freemail.hu>
@@ -100691,7 +100754,7 @@ index 0000000..c17312d
+int plugin_is_GPL_compatible;
+
+static struct plugin_info const_plugin_info = {
-+ .version = "201305231310",
++ .version = "201312032345",
+ .help = "no-constify\tturn off constification\n",
+};
+
@@ -100856,17 +100919,17 @@ index 0000000..c17312d
+
+ *no_add_attrs = true;
+ if (TREE_CODE(*node) == FUNCTION_DECL) {
-+ error("%qE attribute does not apply to functions", name);
++ error("%qE attribute does not apply to functions (%qF)", name, *node);
+ return NULL_TREE;
+ }
+
+ if (TREE_CODE(*node) == PARM_DECL) {
-+ error("%qE attribute does not apply to function parameters", name);
++ error("%qE attribute does not apply to function parameters (%qD)", name, *node);
+ return NULL_TREE;
+ }
+
+ if (TREE_CODE(*node) == VAR_DECL) {
-+ error("%qE attribute does not apply to variables", name);
++ error("%qE attribute does not apply to variables (%qD)", name, *node);
+ return NULL_TREE;
+ }
+
@@ -100879,18 +100942,18 @@ index 0000000..c17312d
+ }
+
+ if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE) {
-+ error("%qE attribute applies to struct and union types only", name);
++ error("%qE attribute used on %qT applies to struct and union types only", name, type);
+ return NULL_TREE;
+ }
+
+ if (lookup_attribute(IDENTIFIER_POINTER(name), TYPE_ATTRIBUTES(type))) {
-+ error("%qE attribute is already applied to the type", name);
++ error("%qE attribute is already applied to the type %qT", name, type);
+ return NULL_TREE;
+ }
+
+ if (TYPE_P(*node)) {
+ if (lookup_attribute("do_const", TYPE_ATTRIBUTES(type)))
-+ error("%qE attribute is incompatible with 'do_const'", name);
++ error("%qE attribute used on type %qT is incompatible with 'do_const'", name, type);
+ return NULL_TREE;
+ }
+
@@ -100901,7 +100964,7 @@ index 0000000..c17312d
+ return NULL_TREE;
+ }
+
-+ error("%qE attribute used on type that is not constified", name);
++ error("%qE attribute used on type %qT that is not constified", name, type);
+ return NULL_TREE;
+}
+
@@ -100917,22 +100980,22 @@ index 0000000..c17312d
+{
+ *no_add_attrs = true;
+ if (!TYPE_P(*node)) {
-+ error("%qE attribute applies to types only", name);
++ error("%qE attribute applies to types only (%qD)", name, *node);
+ return NULL_TREE;
+ }
+
+ if (TREE_CODE(*node) != RECORD_TYPE && TREE_CODE(*node) != UNION_TYPE) {
-+ error("%qE attribute applies to struct and union types only", name);
++ error("%qE attribute used on %qT applies to struct and union types only", name, *node);
+ return NULL_TREE;
+ }
+
+ if (lookup_attribute(IDENTIFIER_POINTER(name), TYPE_ATTRIBUTES(*node))) {
-+ error("%qE attribute is already applied to the type", name);
++ error("%qE attribute used on %qT is already applied to the type", name, *node);
+ return NULL_TREE;
+ }
+
+ if (lookup_attribute("no_const", TYPE_ATTRIBUTES(*node))) {
-+ error("%qE attribute is incompatible with 'no_const'", name);
++ error("%qE attribute used on %qT is incompatible with 'no_const'", name, *node);
+ return NULL_TREE;
+ }
+
@@ -100990,30 +101053,29 @@ index 0000000..c17312d
+
+ constifiable(type, &cinfo);
+
-+ if (TYPE_READONLY(type) && C_TYPE_FIELDS_READONLY(type)) {
-+ if (!lookup_attribute("do_const", TYPE_ATTRIBUTES(type)))
-+ return;
-+ if (cinfo.has_writable_field)
-+ return;
-+ error("'do_const' attribute used on type that is%sconstified", cinfo.has_fptr_field ? " " : " not ");
-+ return;
-+ }
-+
+ if (lookup_attribute("no_const", TYPE_ATTRIBUTES(type))) {
+ if ((cinfo.has_fptr_field && !cinfo.has_writable_field) || cinfo.has_do_const_field) {
+ deconstify_type(type);
+ TYPE_CONSTIFY_VISITED(type) = 1;
+ } else
-+ error("'no_const' attribute used on type that is not constified");
++ error("'no_const' attribute used on type %qT that is not constified", type);
+ return;
+ }
+
+ if (lookup_attribute("do_const", TYPE_ATTRIBUTES(type))) {
++ if (!cinfo.has_writable_field) {
++ error("'do_const' attribute used on type %qT that is%sconstified", type, cinfo.has_fptr_field ? " " : " not ");
++ return;
++ }
+ constify_type(type);
+ return;
+ }
+
+ if (cinfo.has_fptr_field && !cinfo.has_writable_field) {
++ if (lookup_attribute("do_const", TYPE_ATTRIBUTES(type))) {
++ error("'do_const' attribute used on type %qT that is constified", type);
++ return;
++ }
+ constify_type(type);
+ return;
+ }
@@ -101101,7 +101163,6 @@ index 0000000..c17312d
+ return check_local_variables();
+}
+
-+ unsigned int ret = 0;
+static struct gimple_opt_pass pass_local_variable = {
+ {
+ .type = GIMPLE_PASS,
@@ -102301,10 +102362,10 @@ index 0000000..679b9ef
+}
diff --git a/tools/gcc/size_overflow_hash.data b/tools/gcc/size_overflow_hash.data
new file mode 100644
-index 0000000..0a9d518
+index 0000000..3a5b4b5
--- /dev/null
+++ b/tools/gcc/size_overflow_hash.data
-@@ -0,0 +1,7637 @@
+@@ -0,0 +1,7687 @@
+intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL
+ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL
+batadv_orig_node_del_if_4 batadv_orig_node_del_if 2 4 NULL
@@ -102347,6 +102408,7 @@ index 0000000..0a9d518
+aio_read_events_ring_410 aio_read_events_ring 3 410 NULL
+lbs_rdmac_read_418 lbs_rdmac_read 3 418 NULL
+snd_ca0106_ptr_read_467 snd_ca0106_ptr_read 0 467 NULL
++sparse_index_init_482 sparse_index_init 2 482 NULL
+cfs_trace_set_debug_mb_usrstr_486 cfs_trace_set_debug_mb_usrstr 2 486 NULL
+nvme_trans_modesel_data_488 nvme_trans_modesel_data 4 488 NULL
+iwl_dbgfs_protection_mode_write_502 iwl_dbgfs_protection_mode_write 3 502 NULL
@@ -102386,7 +102448,8 @@ index 0000000..0a9d518
+cfs_trace_allocate_string_buffer_781 cfs_trace_allocate_string_buffer 2 781 NULL
+jbd2_journal_dirty_metadata_784 jbd2_journal_dirty_metadata 0 784 NULL
+ath6kl_disconnect_timeout_write_794 ath6kl_disconnect_timeout_write 3 794 NULL
-+snd_pcm_drain_811 snd_pcm_drain 0 811 NULL
++__vmalloc_node_range_811 __vmalloc_node_range 7 811 NULL nohasharray
++snd_pcm_drain_811 snd_pcm_drain 0 811 &__vmalloc_node_range_811
+if_writecmd_815 if_writecmd 2 815 NULL
+aac_change_queue_depth_825 aac_change_queue_depth 2 825 NULL
+SyS_write_846 SyS_write 3 846 NULL
@@ -102514,6 +102577,7 @@ index 0000000..0a9d518
+batadv_tt_commit_changes_2008 batadv_tt_commit_changes 4 2008 NULL
+sep_prepare_input_dma_table_2009 sep_prepare_input_dma_table 2-3 2009 NULL
+rx_rx_defrag_read_2010 rx_rx_defrag_read 3 2010 NULL
++ksm_madvise_2012 ksm_madvise 0 2012 NULL
+ocfs2_global_qinit_alloc_2018 ocfs2_global_qinit_alloc 0 2018 NULL
+write_flush_pipefs_2021 write_flush_pipefs 3 2021 NULL
+BcmCopySection_2035 BcmCopySection 5-0 2035 NULL
@@ -102659,7 +102723,7 @@ index 0000000..0a9d518
+uvc_video_stats_dump_3181 uvc_video_stats_dump 3 3181 NULL
+compat_do_ip6t_set_ctl_3184 compat_do_ip6t_set_ctl 4 3184 NULL
+wait_table_bits_3187 wait_table_bits 1 3187 NULL
-+mempool_create_node_3191 mempool_create_node 1 3191 NULL
++mempool_create_node_3191 mempool_create_node 1-6 3191 NULL
+alloc_context_3194 alloc_context 1 3194 NULL
+shmem_pread_slow_3198 shmem_pread_slow 3-2 3198 NULL
+codec_reg_write_file_3204 codec_reg_write_file 3 3204 NULL
@@ -102691,6 +102755,7 @@ index 0000000..0a9d518
+send_stream_3397 send_stream 4 3397 NULL
+isdn_readbchan_3401 isdn_readbchan 0-5 3401 NULL
+mei_io_cb_alloc_resp_buf_3414 mei_io_cb_alloc_resp_buf 2 3414 NULL
++zone_to_nid_3415 zone_to_nid 0 3415 NULL
+pci_add_cap_save_buffer_3426 pci_add_cap_save_buffer 3 3426 NULL
+crystalhd_create_dio_pool_3427 crystalhd_create_dio_pool 2 3427 NULL
+SyS_msgsnd_3436 SyS_msgsnd 3 3436 NULL
@@ -102723,6 +102788,7 @@ index 0000000..0a9d518
+x86_swiotlb_alloc_coherent_3649 x86_swiotlb_alloc_coherent 2 3649 NULL
+ath6kl_disconnect_timeout_read_3650 ath6kl_disconnect_timeout_read 3 3650 NULL
+i915_compat_ioctl_3656 i915_compat_ioctl 2 3656 NULL
++replace_pin_at_irq_node_3687 replace_pin_at_irq_node 2 3687 NULL
+ntfs_attr_make_non_resident_3694 ntfs_attr_make_non_resident 0 3694 NULL
+snd_m3_assp_read_3703 snd_m3_assp_read 0 3703 NULL nohasharray
+create_irq_3703 create_irq 0 3703 &snd_m3_assp_read_3703
@@ -102977,6 +103043,7 @@ index 0000000..0a9d518
+wl1251_cmd_template_set_6172 wl1251_cmd_template_set 4 6172 NULL
+paging64_walk_addr_generic_6180 paging64_walk_addr_generic 4 6180 NULL
+SyS_setgroups_6182 SyS_setgroups 1 6182 NULL
++__add_pin_to_irq_node_6188 __add_pin_to_irq_node 2 6188 NULL
+qp_host_get_user_memory_6189 qp_host_get_user_memory 1-2 6189 NULL
+cl_sync_io_wait_6196 cl_sync_io_wait 0 6196 NULL
+i915_gem_execbuffer_move_to_gpu_6197 i915_gem_execbuffer_move_to_gpu 0 6197 NULL
@@ -103171,7 +103238,7 @@ index 0000000..0a9d518
+ext3_group_extend_7911 ext3_group_extend 3 7911 NULL
+libfc_host_alloc_7917 libfc_host_alloc 2 7917 NULL
+f_hidg_write_7932 f_hidg_write 3 7932 NULL
-+io_apic_setup_irq_pin_once_7934 io_apic_setup_irq_pin_once 1 7934 NULL
++io_apic_setup_irq_pin_once_7934 io_apic_setup_irq_pin_once 1-2 7934 NULL
+compare_refs_7938 compare_refs 0 7938 NULL
+fsnotify_7943 fsnotify 0 7943 NULL
+hash_netiface6_expire_7944 hash_netiface6_expire 3 7944 NULL
@@ -103268,7 +103335,7 @@ index 0000000..0a9d518
+tracing_max_lat_write_8728 tracing_max_lat_write 3 8728 NULL
+jffs2_acl_count_8729 jffs2_acl_count 0-1 8729 NULL
+f_dupfd_8730 f_dupfd 1 8730 NULL
-+__create_irqs_8733 __create_irqs 2-1-0 8733 NULL
++__create_irqs_8733 __create_irqs 2-1-0-3 8733 NULL
+pca953x_gpio_irq_map_8737 pca953x_gpio_irq_map 2 8737 NULL
+tx_tx_exch_expiry_read_8749 tx_tx_exch_expiry_read 3 8749 NULL
+compound_order_8750 compound_order 0 8750 NULL
@@ -103314,6 +103381,7 @@ index 0000000..0a9d518
+btrfs_alloc_free_block_8986 btrfs_alloc_free_block 3-8 8986 NULL
+jbd2_journal_blocks_per_page_9004 jbd2_journal_blocks_per_page 0 9004 NULL
+il_dbgfs_clear_ucode_stats_write_9016 il_dbgfs_clear_ucode_stats_write 3 9016 NULL
++sparse_index_alloc_9021 sparse_index_alloc 1 9021 NULL
+snd_emu10k1_ptr_read_9026 snd_emu10k1_ptr_read 0-2 9026 NULL
+fd_ioctl_9028 fd_ioctl 3 9028 NULL
+nla_put_9042 nla_put 3 9042 NULL
@@ -103324,6 +103392,7 @@ index 0000000..0a9d518
+create_queues_9088 create_queues 3-2 9088 NULL
+ftdi_prepare_write_buffer_9093 ftdi_prepare_write_buffer 3 9093 NULL
+adxl34x_spi_read_block_9108 adxl34x_spi_read_block 3 9108 NULL
++alloc_slabmgmt_9109 alloc_slabmgmt 5 9109 NULL
+caif_stream_sendmsg_9110 caif_stream_sendmsg 4 9110 NULL nohasharray
+gfn_to_rmap_9110 gfn_to_rmap 3-2 9110 &caif_stream_sendmsg_9110
+udf_direct_IO_9111 udf_direct_IO 4 9111 NULL
@@ -103357,6 +103426,7 @@ index 0000000..0a9d518
+nvme_trans_fmt_get_parm_header_9340 nvme_trans_fmt_get_parm_header 2 9340 NULL
+ocfs2_orphan_for_truncate_9342 ocfs2_orphan_for_truncate 4 9342 NULL
+ll_direct_rw_pages_9361 ll_direct_rw_pages 0 9361 NULL
++of_node_to_nid_9367 of_node_to_nid 0 9367 NULL
+sta_beacon_loss_count_read_9370 sta_beacon_loss_count_read 3 9370 NULL
+get_request_type_9393 get_request_type 0 9393 NULL nohasharray
+mlx4_bitmap_init_9393 mlx4_bitmap_init 5-2 9393 &get_request_type_9393
@@ -103426,6 +103496,7 @@ index 0000000..0a9d518
+ttm_bo_fbdev_io_9805 ttm_bo_fbdev_io 4 9805 NULL
+udpv6_recvmsg_9813 udpv6_recvmsg 4 9813 NULL nohasharray
+ieee80211_if_read_state_9813 ieee80211_if_read_state 3 9813 &udpv6_recvmsg_9813
++svc_pool_map_get_node_9817 svc_pool_map_get_node 0 9817 NULL
+dvb_dvr_set_buffer_size_9840 dvb_dvr_set_buffer_size 2 9840 NULL
+pmcraid_alloc_sglist_9864 pmcraid_alloc_sglist 1 9864 NULL
+btrfs_free_reserved_extent_9867 btrfs_free_reserved_extent 2 9867 NULL
@@ -103516,6 +103587,7 @@ index 0000000..0a9d518
+efx_max_tx_len_10662 efx_max_tx_len 0-2 10662 NULL
+dtf_read_device_10663 dtf_read_device 3 10663 NULL
+parport_write_10669 parport_write 0 10669 NULL
++alloc_vmap_area_10682 alloc_vmap_area 5 10682 NULL
+edge_write_10692 edge_write 4 10692 NULL
+ubi_wl_get_peb_10699 ubi_wl_get_peb 0 10699 NULL
+inl_10708 inl 0 10708 NULL nohasharray
@@ -103572,7 +103644,7 @@ index 0000000..0a9d518
+page_offset_11120 page_offset 0 11120 NULL
+tracing_buffers_read_11124 tracing_buffers_read 3 11124 NULL nohasharray
+cea_db_payload_len_11124 cea_db_payload_len 0 11124 &tracing_buffers_read_11124
-+alloc_alien_cache_11127 alloc_alien_cache 2 11127 NULL
++alloc_alien_cache_11127 alloc_alien_cache 2-1 11127 NULL
+eb_lookup_objects_11163 eb_lookup_objects 0 11163 NULL
+snd_gf1_pcm_playback_silence_11172 snd_gf1_pcm_playback_silence 4-3 11172 NULL
+il_dbgfs_rx_queue_read_11221 il_dbgfs_rx_queue_read 3 11221 NULL
@@ -103583,6 +103655,7 @@ index 0000000..0a9d518
+hugetlbfs_read_11268 hugetlbfs_read 3 11268 NULL
+ath6kl_power_params_write_11274 ath6kl_power_params_write 3 11274 NULL
+__proc_daemon_file_11305 __proc_daemon_file 5 11305 NULL
++split_vma_11312 split_vma 0 11312 NULL
+btrfs_update_inode_fallback_11313 btrfs_update_inode_fallback 0 11313 NULL
+ext4_xattr_check_names_11314 ext4_xattr_check_names 0 11314 NULL
+sk_filter_size_11316 sk_filter_size 0 11316 NULL nohasharray
@@ -103877,6 +103950,7 @@ index 0000000..0a9d518
+atomic_cmpxchg_13700 atomic_cmpxchg 0 13700 NULL
+fw_iso_buffer_alloc_13704 fw_iso_buffer_alloc 2 13704 NULL
+ocfs2_cache_block_dealloc_13731 ocfs2_cache_block_dealloc 0 13731 NULL
++netdev_queue_numa_node_read_13732 netdev_queue_numa_node_read 0 13732 NULL
+audit_unpack_string_13748 audit_unpack_string 3 13748 NULL
+ufs_dtog_13750 ufs_dtog 0-2 13750 NULL
+ieee802154_alloc_device_13767 ieee802154_alloc_device 1 13767 NULL
@@ -103944,6 +104018,7 @@ index 0000000..0a9d518
+ext4_journal_restart_14251 ext4_journal_restart 0 14251 NULL
+will_overwrite_ref_14252 will_overwrite_ref 0 14252 NULL
+ath6kl_connect_event_14267 ath6kl_connect_event 7-8-9 14267 NULL
++numa_mem_id_14279 numa_mem_id 0 14279 NULL
+rr_status_14293 rr_status 5 14293 NULL
+read_default_ldt_14302 read_default_ldt 2 14302 NULL
+__readl_14308 __readl 0 14308 NULL
@@ -104112,7 +104187,8 @@ index 0000000..0a9d518
+SyS_connect_15674 SyS_connect 3 15674 NULL nohasharray
+dm_read_15674 dm_read 3 15674 &SyS_connect_15674
+pstore_mkfile_15675 pstore_mkfile 6 15675 NULL
-+i915_gem_object_set_to_cpu_domain_15705 i915_gem_object_set_to_cpu_domain 0 15705 NULL
++i915_gem_object_set_to_cpu_domain_15705 i915_gem_object_set_to_cpu_domain 0 15705 NULL nohasharray
++uncore_alloc_box_15705 uncore_alloc_box 2 15705 &i915_gem_object_set_to_cpu_domain_15705
+ocfs2_split_tree_15716 ocfs2_split_tree 5-0 15716 NULL
+tracing_snapshot_write_15719 tracing_snapshot_write 3 15719 NULL
+HiSax_readstatus_15752 HiSax_readstatus 2 15752 NULL
@@ -104197,6 +104273,7 @@ index 0000000..0a9d518
+btrfs_truncate_inode_items_16452 btrfs_truncate_inode_items 0 16452 NULL
+ocfs2_expand_refcount_tree_16455 ocfs2_expand_refcount_tree 0 16455 NULL
+netlink_change_ngroups_16457 netlink_change_ngroups 2 16457 NULL
++alloc_disk_node_16458 alloc_disk_node 2 16458 NULL
+req_capsule_get_size_16467 req_capsule_get_size 0 16467 NULL
+ocfs2_block_group_set_bits_16488 ocfs2_block_group_set_bits 0 16488 NULL
+add_qgroup_item_16492 add_qgroup_item 0 16492 NULL
@@ -104225,6 +104302,7 @@ index 0000000..0a9d518
+get_server_iovec_16804 get_server_iovec 2 16804 NULL
+tipc_send2name_16809 tipc_send2name 6 16809 NULL
+dm_vcalloc_16814 dm_vcalloc 1-2 16814 NULL
++cache_grow_16818 cache_grow 3 16818 NULL
+drm_malloc_ab_16831 drm_malloc_ab 1-2 16831 NULL
+scsi_mode_sense_16835 scsi_mode_sense 5 16835 NULL
+hfsplus_min_io_size_16859 hfsplus_min_io_size 0 16859 NULL
@@ -104251,6 +104329,7 @@ index 0000000..0a9d518
+sddr55_read_data_17072 sddr55_read_data 4 17072 NULL
+dvb_dvr_read_17073 dvb_dvr_read 3 17073 NULL
+simple_transaction_read_17076 simple_transaction_read 3 17076 NULL
++__kmalloc_reserve_17080 __kmalloc_reserve 3 17080 NULL
+carl9170_debugfs_mem_usage_read_17084 carl9170_debugfs_mem_usage_read 3 17084 NULL
+entry_length_17093 entry_length 0 17093 NULL
+ocfs2_get_refcount_cpos_end_17113 ocfs2_get_refcount_cpos_end 0 17113 NULL
@@ -104466,6 +104545,7 @@ index 0000000..0a9d518
+ieee80211_if_fmt_rssi_threshold_18664 ieee80211_if_fmt_rssi_threshold 3 18664 NULL
+unmap_page_18665 unmap_page 2-3 18665 NULL
+xfs_iext_insert_18667 xfs_iext_insert 3 18667 NULL
++__alloc_skb_head_18683 __alloc_skb_head 2 18683 NULL
+echo_client_prep_commit_18693 echo_client_prep_commit 8 18693 NULL
+replay_log_leb_18704 replay_log_leb 3 18704 NULL
+iwl_dbgfs_rx_handlers_read_18708 iwl_dbgfs_rx_handlers_read 3 18708 NULL
@@ -104496,6 +104576,7 @@ index 0000000..0a9d518
+xlog_find_verify_log_record_18870 xlog_find_verify_log_record 2 18870 NULL
+width_to_agaw_18883 width_to_agaw 0-1 18883 NULL
+overwrite_item_18896 overwrite_item 0 18896 NULL
++kmem_cache_alloc_node_18899 kmem_cache_alloc_node 3 18899 NULL
+ceph_setxattr_18913 ceph_setxattr 4 18913 NULL
+ext4_block_in_group_18922 ext4_block_in_group 2 18922 NULL
+ieee80211_rx_mgmt_disassoc_18927 ieee80211_rx_mgmt_disassoc 3 18927 NULL
@@ -104542,6 +104623,7 @@ index 0000000..0a9d518
+write_one_cache_group_19261 write_one_cache_group 0 19261 NULL
+il_dbgfs_rxon_filter_flags_read_19281 il_dbgfs_rxon_filter_flags_read 3 19281 NULL
+cfg80211_rx_unprot_mlme_mgmt_19288 cfg80211_rx_unprot_mlme_mgmt 3 19288 NULL
++____cache_alloc_node_19297 ____cache_alloc_node 3 19297 NULL
+qc_capture_19298 qc_capture 3 19298 NULL
+ocfs2_prepare_inode_for_refcount_19303 ocfs2_prepare_inode_for_refcount 4-3 19303 NULL
+event_tx_stuck_read_19305 event_tx_stuck_read 3 19305 NULL
@@ -104609,6 +104691,7 @@ index 0000000..0a9d518
+cfg80211_mlme_register_mgmt_19852 cfg80211_mlme_register_mgmt 5 19852 NULL
+__nla_put_19857 __nla_put 3 19857 NULL
+mrp_request_join_19882 mrp_request_join 4 19882 NULL
++blk_alloc_queue_node_19887 blk_alloc_queue_node 2 19887 NULL
+aes_decrypt_interrupt_read_19910 aes_decrypt_interrupt_read 3 19910 NULL
+ps_upsd_max_apturn_read_19918 ps_upsd_max_apturn_read 3 19918 NULL
+mangle_name_19923 mangle_name 0 19923 NULL
@@ -104812,10 +104895,11 @@ index 0000000..0a9d518
+filemap_get_page_21606 filemap_get_page 2 21606 NULL
+xlog_do_recovery_pass_21618 xlog_do_recovery_pass 3 21618 NULL
+pci_cardbus_resource_alignment_21625 pci_cardbus_resource_alignment 0 21625 NULL
++add_pin_to_irq_node_21628 add_pin_to_irq_node 2 21628 NULL
+ocfs2_refcount_cow_hunk_21630 ocfs2_refcount_cow_hunk 3-4 21630 NULL
+__jfs_getxattr_21631 __jfs_getxattr 0 21631 NULL
+validate_nnode_21638 validate_nnode 0 21638 NULL
-+__irq_alloc_descs_21639 __irq_alloc_descs 2-1-0-3 21639 NULL
++__irq_alloc_descs_21639 __irq_alloc_descs 2-1-0-3-4 21639 NULL
+ocfs2_lock_refcount_allocators_21646 ocfs2_lock_refcount_allocators 0 21646 NULL
+atalk_sendmsg_21677 atalk_sendmsg 4 21677 NULL
+ocfs2_xattr_get_nolock_21678 ocfs2_xattr_get_nolock 0 21678 NULL
@@ -104830,7 +104914,7 @@ index 0000000..0a9d518
+vm_brk_21739 vm_brk 1-2 21739 NULL
+mthca_alloc_init_21754 mthca_alloc_init 2 21754 NULL
+usbat_flash_read_data_21762 usbat_flash_read_data 4 21762 NULL
-+gen_pool_add_21776 gen_pool_add 3 21776 NULL
++gen_pool_add_21776 gen_pool_add 3-4 21776 NULL
+SyS_sendfile_21777 SyS_sendfile 4 21777 NULL
+atomic64_cmpxchg_21782 atomic64_cmpxchg 0 21782 NULL
+xfs_da_grow_inode_int_21785 xfs_da_grow_inode_int 3 21785 NULL
@@ -104915,6 +104999,7 @@ index 0000000..0a9d518
+btrfs_write_out_cache_22471 btrfs_write_out_cache 0 22471 NULL nohasharray
+dtf_write_device_22471 dtf_write_device 3 22471 &btrfs_write_out_cache_22471
+source_sink_start_ep_22472 source_sink_start_ep 0 22472 NULL
++alloc_desc_22487 alloc_desc 2 22487 NULL
+ecryptfs_write_22488 ecryptfs_write 4-3 22488 NULL
+qib_user_sdma_alloc_header_22490 qib_user_sdma_alloc_header 2 22490 NULL
+cache_write_procfs_22491 cache_write_procfs 3 22491 NULL
@@ -104923,7 +105008,6 @@ index 0000000..0a9d518
+__btrfs_add_delayed_item_22511 __btrfs_add_delayed_item 0 22511 NULL
+trim_no_bitmap_22524 trim_no_bitmap 4-3 22524 NULL
+ocfs2_read_extent_block_22550 ocfs2_read_extent_block 0 22550 NULL
-+atomic_long_read_unchecked_22551 atomic_long_read_unchecked 0 22551 NULL
+agp_alloc_page_array_22554 agp_alloc_page_array 1 22554 NULL
+snd_pcm_hw_params_choose_22560 snd_pcm_hw_params_choose 0 22560 NULL
+dbFindCtl_22587 dbFindCtl 0 22587 NULL
@@ -104988,7 +105072,8 @@ index 0000000..0a9d518
+mei_cl_send_23068 mei_cl_send 3 23068 NULL
+filp_close_23071 filp_close 0 23071 NULL
+kvm_mmu_gva_to_gpa_write_23075 kvm_mmu_gva_to_gpa_write 0 23075 NULL
-+raw_sendmsg_23078 raw_sendmsg 4 23078 NULL
++vm_map_ram_23078 vm_map_ram 3 23078 NULL nohasharray
++raw_sendmsg_23078 raw_sendmsg 4 23078 &vm_map_ram_23078
+get_user_hdr_len_23079 get_user_hdr_len 0 23079 NULL
+isr_tx_procs_read_23084 isr_tx_procs_read 3 23084 NULL
+lnw_gpio_irq_map_23087 lnw_gpio_irq_map 2 23087 NULL
@@ -105033,7 +105118,7 @@ index 0000000..0a9d518
+fd_setup_write_same_buf_23369 fd_setup_write_same_buf 3 23369 NULL
+iscsi_change_queue_depth_23416 iscsi_change_queue_depth 2 23416 NULL
+vga_mm_r_23419 vga_mm_r 0 23419 NULL
-+vzalloc_node_23424 vzalloc_node 1 23424 NULL
++vzalloc_node_23424 vzalloc_node 1-2 23424 NULL
+__ctzsi2_23444 __ctzsi2 1 23444 NULL
+ocfs2_zero_tail_23447 ocfs2_zero_tail 3 23447 NULL
+hidraw_send_report_23449 hidraw_send_report 3 23449 NULL
@@ -105070,6 +105155,7 @@ index 0000000..0a9d518
+mp_config_acpi_gsi_23728 mp_config_acpi_gsi 2 23728 NULL
+rx_rx_dropped_frame_read_23748 rx_rx_dropped_frame_read 3 23748 NULL
+__kfifo_max_r_23768 __kfifo_max_r 0-2-1 23768 NULL
++svc_prepare_thread_23772 svc_prepare_thread 3 23772 NULL
+__build_packet_message_23778 __build_packet_message 4-10 23778 NULL
+security_inode_getxattr_23781 security_inode_getxattr 0 23781 NULL
+cfg80211_inform_bss_width_frame_23782 cfg80211_inform_bss_width_frame 5 23782 NULL
@@ -105101,6 +105187,7 @@ index 0000000..0a9d518
+mpihelp_mul_karatsuba_case_23918 mpihelp_mul_karatsuba_case 5-3 23918 &ipath_reg_phys_mr_23918
+kvm_read_guest_23928 kvm_read_guest 4-2 23928 NULL nohasharray
+intel_ring_alloc_seqno_23928 intel_ring_alloc_seqno 0 23928 &kvm_read_guest_23928
++__alloc_skb_23940 __alloc_skb 4 23940 NULL
+uvc_endpoint_max_bpi_23944 uvc_endpoint_max_bpi 0 23944 NULL
+cifs_setxattr_23957 cifs_setxattr 4 23957 NULL
+size_roundup_power2_23958 size_roundup_power2 0-1 23958 NULL
@@ -105153,7 +105240,7 @@ index 0000000..0a9d518
+ath6kl_add_bss_if_needed_24317 ath6kl_add_bss_if_needed 6 24317 NULL
+ocfs2_direct_IO_get_blocks_24333 ocfs2_direct_IO_get_blocks 2 24333 NULL
+si476x_radio_read_acf_blob_24336 si476x_radio_read_acf_blob 3 24336 NULL
-+kzalloc_node_24352 kzalloc_node 1 24352 NULL
++kzalloc_node_24352 kzalloc_node 1-3 24352 NULL
+qla2x00_handle_queue_full_24365 qla2x00_handle_queue_full 2 24365 NULL
+cfi_read_pri_24366 cfi_read_pri 3 24366 NULL
+btrfs_item_size_nr_24367 btrfs_item_size_nr 0 24367 NULL
@@ -105341,6 +105428,7 @@ index 0000000..0a9d518
+udp_setsockopt_25985 udp_setsockopt 5 25985 NULL
+lustre_msg_buflen_v2_25997 lustre_msg_buflen_v2 0 25997 NULL
+ebt_compat_entry_padsize_26001 ebt_compat_entry_padsize 0 26001 NULL
++blk_init_queue_node_26015 blk_init_queue_node 3 26015 NULL
+SyS_process_vm_readv_26019 SyS_process_vm_readv 3-5 26019 NULL
+irq_create_strict_mappings_26025 irq_create_strict_mappings 2-4 26025 NULL
+xfs_xattr_acl_set_26028 xfs_xattr_acl_set 4 26028 NULL
@@ -105358,7 +105446,6 @@ index 0000000..0a9d518
+copy_oldmem_page_26164 copy_oldmem_page 3 26164 NULL
+gfs2_xattr_acl_get_26166 gfs2_xattr_acl_get 0 26166 NULL nohasharray
+ath6kl_roam_table_read_26166 ath6kl_roam_table_read 3 26166 &gfs2_xattr_acl_get_26166
-+perf_adjust_period_26168 perf_adjust_period 2-3 26168 NULL
+disk_devt_26180 disk_devt 0 26180 NULL
+cgroup_setxattr_26188 cgroup_setxattr 4 26188 NULL
+ieee80211_if_fmt_dot11MeshTTL_26198 ieee80211_if_fmt_dot11MeshTTL 3 26198 NULL
@@ -105389,6 +105476,7 @@ index 0000000..0a9d518
+tower_read_26461 tower_read 3 26461 NULL nohasharray
+enc_pools_add_pages_26461 enc_pools_add_pages 1 26461 &tower_read_26461 nohasharray
+numa_cpu_node_26461 numa_cpu_node 0 26461 &enc_pools_add_pages_26461
++memory_present_26470 memory_present 1 26470 NULL
+ib_alloc_device_26483 ib_alloc_device 1 26483 NULL
+ulong_write_file_26485 ulong_write_file 3 26485 NULL
+dvb_ca_en50221_io_ioctl_26490 dvb_ca_en50221_io_ioctl 2 26490 NULL
@@ -105406,6 +105494,7 @@ index 0000000..0a9d518
+rts51x_read_mem_26577 rts51x_read_mem 4 26577 NULL
+regcache_set_reg_present_26598 regcache_set_reg_present 2 26598 NULL
+__unmap_single_26604 __unmap_single 2-3 26604 NULL
++dev_to_node_26617 dev_to_node 0 26617 NULL
+iommu_alloc_26621 iommu_alloc 4 26621 NULL
+pack_value_26625 pack_value 1 26625 NULL
+pwr_fix_tsf_ps_read_26627 pwr_fix_tsf_ps_read 3 26627 NULL
@@ -105598,6 +105687,7 @@ index 0000000..0a9d518
+kstrtos16_from_user_28300 kstrtos16_from_user 2 28300 NULL
+acpi_register_gsi_xen_28305 acpi_register_gsi_xen 2 28305 NULL nohasharray
+nouveau_compat_ioctl_28305 nouveau_compat_ioctl 2 28305 &acpi_register_gsi_xen_28305
++create_io_context_28306 create_io_context 2 28306 NULL
+__mlock_vma_pages_range_28315 __mlock_vma_pages_range 2-3-0 28315 NULL
+snd_pcm_oss_read_28317 snd_pcm_oss_read 3 28317 NULL
+bm_entry_write_28338 bm_entry_write 3 28338 NULL
@@ -105647,6 +105737,7 @@ index 0000000..0a9d518
+kvm_mmu_get_page_28692 kvm_mmu_get_page 2 28692 NULL
+balance_level_28707 balance_level 0 28707 NULL
+drm_plane_init_28731 drm_plane_init 6 28731 NULL
++alloc_irq_cfg_28734 alloc_irq_cfg 2 28734 NULL
+spi_execute_28736 spi_execute 5 28736 NULL
+snd_pcm_aio_write_28738 snd_pcm_aio_write 3 28738 NULL
+read_file_btcoex_28743 read_file_btcoex 3 28743 NULL
@@ -105689,11 +105780,12 @@ index 0000000..0a9d518
+sctp_getsockopt_assoc_stats_29074 sctp_getsockopt_assoc_stats 2 29074 NULL
+iwl_dbgfs_log_event_write_29088 iwl_dbgfs_log_event_write 3 29088 NULL
+i915_error_object_create_sized_29091 i915_error_object_create_sized 3 29091 NULL
++init_cache_node_node_29092 init_cache_node_node 1 29092 NULL
+isdn_ppp_write_29109 isdn_ppp_write 4 29109 NULL
+snprintf_29125 snprintf 0 29125 NULL
+iov_shorten_29130 iov_shorten 0 29130 NULL
+proc_scsi_write_29142 proc_scsi_write 3 29142 NULL
-+alloc_irqs_from_29152 alloc_irqs_from 1-2-0 29152 NULL
++alloc_irqs_from_29152 alloc_irqs_from 1-2-0-3 29152 NULL
+kvm_mmu_notifier_clear_flush_young_29154 kvm_mmu_notifier_clear_flush_young 3 29154 NULL
+drm_property_create_enum_29201 drm_property_create_enum 5 29201 NULL
+wusb_prf_256_29203 wusb_prf_256 7 29203 NULL
@@ -105729,6 +105821,7 @@ index 0000000..0a9d518
+crypto_ahash_alignmask_29445 crypto_ahash_alignmask 0 29445 NULL
+p9_client_prepare_req_29448 p9_client_prepare_req 3 29448 NULL
+ept_page_fault_29450 ept_page_fault 2 29450 NULL
++__kmalloc_node_29455 __kmalloc_node 3 29455 NULL
+validate_scan_freqs_29462 validate_scan_freqs 0 29462 NULL
+SyS_flistxattr_29474 SyS_flistxattr 3 29474 NULL
+do_register_entry_29478 do_register_entry 4 29478 NULL
@@ -105827,7 +105920,7 @@ index 0000000..0a9d518
+generic_ptrace_pokedata_30338 generic_ptrace_pokedata 2 30338 NULL
+resource_from_user_30341 resource_from_user 3 30341 NULL
+o2nm_this_node_30342 o2nm_this_node 0 30342 NULL
-+__vmalloc_node_flags_30352 __vmalloc_node_flags 1 30352 NULL
++__vmalloc_node_flags_30352 __vmalloc_node_flags 1-2 30352 NULL
+kstrtou32_from_user_30361 kstrtou32_from_user 2 30361 NULL
+inet_getid_30365 inet_getid 2 30365 NULL
+C_SYSC_readv_30369 C_SYSC_readv 3 30369 NULL
@@ -106116,7 +106209,7 @@ index 0000000..0a9d518
+ocfs2_read_inode_block_full_32790 ocfs2_read_inode_block_full 0 32790 NULL
+rproc_name_read_32805 rproc_name_read 3 32805 NULL
+new_tape_buffer_32866 new_tape_buffer 2 32866 NULL
-+io_apic_setup_irq_pin_32868 io_apic_setup_irq_pin 1 32868 NULL
++io_apic_setup_irq_pin_32868 io_apic_setup_irq_pin 1-2 32868 NULL
+ath6kl_usb_submit_ctrl_in_32880 ath6kl_usb_submit_ctrl_in 6 32880 NULL nohasharray
+cifs_writedata_alloc_32880 cifs_writedata_alloc 1 32880 &ath6kl_usb_submit_ctrl_in_32880
+vp702x_usb_inout_cmd_32884 vp702x_usb_inout_cmd 6-4 32884 NULL
@@ -106203,6 +106296,7 @@ index 0000000..0a9d518
+il_dbgfs_qos_read_33615 il_dbgfs_qos_read 3 33615 &usb_gstrings_attach_33615
+do_sync_write_33624 do_sync_write 0 33624 NULL
+stride_page_count_33641 stride_page_count 2 33641 NULL
++slab_alloc_node_33663 slab_alloc_node 3 33663 NULL
+irq_blk_threshold_read_33666 irq_blk_threshold_read 3 33666 NULL
+inw_p_33668 inw_p 0 33668 NULL
+arp_hdr_len_33671 arp_hdr_len 0 33671 NULL
@@ -106216,6 +106310,7 @@ index 0000000..0a9d518
+write_file_spectral_count_33723 write_file_spectral_count 3 33723 NULL nohasharray
+ocfs2_lock_allocators_move_extents_33723 ocfs2_lock_allocators_move_extents 0 33723 &write_file_spectral_count_33723
+__mutex_lock_interruptible_slowpath_33735 __mutex_lock_interruptible_slowpath 0 33735 NULL
++do_munmap_33752 do_munmap 0 33752 NULL
+vifs_state_read_33762 vifs_state_read 3 33762 NULL
+hashtab_create_33769 hashtab_create 3 33769 NULL
+btrfs_delayed_refs_qgroup_accounting_33775 btrfs_delayed_refs_qgroup_accounting 0 33775 NULL
@@ -106272,6 +106367,7 @@ index 0000000..0a9d518
+ocfs2_dlm_lock_34265 ocfs2_dlm_lock 0 34265 NULL
+pcf857x_to_irq_34273 pcf857x_to_irq 2 34273 NULL
+device_private_init_34279 device_private_init 0 34279 NULL
++get_task_io_context_34316 get_task_io_context 3 34316 NULL
+ext4_get_groups_count_34324 ext4_get_groups_count 0 34324 NULL
+iov_iter_single_seg_count_34326 iov_iter_single_seg_count 0 34326 NULL nohasharray
+pcpu_need_to_extend_34326 pcpu_need_to_extend 0 34326 &iov_iter_single_seg_count_34326
@@ -106326,7 +106422,7 @@ index 0000000..0a9d518
+sleep_auth_write_34676 sleep_auth_write 3 34676 NULL
+isr_fiqs_read_34687 isr_fiqs_read 3 34687 NULL
+port_print_34704 port_print 3 34704 NULL
-+alloc_irq_and_cfg_at_34706 alloc_irq_and_cfg_at 1 34706 NULL
++alloc_irq_and_cfg_at_34706 alloc_irq_and_cfg_at 1-2 34706 NULL
+ext4_listxattr_34712 ext4_listxattr 3 34712 NULL
+ieee80211_if_read_num_sta_ps_34722 ieee80211_if_read_num_sta_ps 3 34722 NULL
+platform_list_read_file_34734 platform_list_read_file 3 34734 NULL
@@ -106568,7 +106664,6 @@ index 0000000..0a9d518
+convert_extent_item_v0_36645 convert_extent_item_v0 4-0 36645 NULL
+ced_ioctl_36647 ced_ioctl 2 36647 NULL
+lpfc_idiag_extacc_alloc_get_36648 lpfc_idiag_extacc_alloc_get 0-3 36648 NULL
-+perf_calculate_period_36662 perf_calculate_period 2-3 36662 NULL
+osd_req_list_collection_objects_36664 osd_req_list_collection_objects 5 36664 NULL
+iscsi_host_alloc_36671 iscsi_host_alloc 2 36671 NULL
+xillybus_read_36678 xillybus_read 3 36678 NULL
@@ -106657,6 +106752,7 @@ index 0000000..0a9d518
+scsi_mode_select_37330 scsi_mode_select 6 37330 NULL
+rxrpc_server_sendmsg_37331 rxrpc_server_sendmsg 4 37331 NULL
+lz4_compressbound_37337 lz4_compressbound 0-1 37337 NULL
++move_vma_37341 move_vma 0-5 37341 NULL
+security_inode_getsecurity_37354 security_inode_getsecurity 0 37354 NULL
+cl_io_submit_rw_37374 cl_io_submit_rw 0 37374 NULL
+iterate_leaf_refs_37385 iterate_leaf_refs 0 37385 NULL
@@ -106688,7 +106784,7 @@ index 0000000..0a9d518
+ioat_chansts_37558 ioat_chansts 0 37558 NULL
+xhci_alloc_streams_37586 xhci_alloc_streams 5 37586 NULL
+ocfs2_add_branch_37588 ocfs2_add_branch 0 37588 NULL
-+alloc_descs_37593 alloc_descs 0-1 37593 NULL
++alloc_descs_37593 alloc_descs 0-1-3 37593 NULL
+qla2x00_debounce_register_37597 qla2x00_debounce_register 0 37597 NULL
+find_extent_clone_37603 find_extent_clone 0 37603 NULL
+btrfs_write_and_wait_marked_extents_37604 btrfs_write_and_wait_marked_extents 0 37604 NULL
@@ -106869,6 +106965,7 @@ index 0000000..0a9d518
+acpi_install_gpe_block_39031 acpi_install_gpe_block 4 39031 NULL
+_zd_iowrite32v_async_locked_39034 _zd_iowrite32v_async_locked 3 39034 NULL
+do_write_kmem_39051 do_write_kmem 1-3-0 39051 NULL
++gen_pool_create_39064 gen_pool_create 2 39064 NULL
+ext4_init_block_bitmap_39071 ext4_init_block_bitmap 3 39071 NULL
+atomic64_add_negative_39098 atomic64_add_negative 1 39098 NULL
+ReadHFC_39104 ReadHFC 0 39104 NULL
@@ -106893,7 +106990,7 @@ index 0000000..0a9d518
+i915_error_state_read_39254 i915_error_state_read 3 39254 NULL
+bitmap_set_bits_39272 bitmap_set_bits 3 39272 NULL
+rx_filter_protection_filter_read_39282 rx_filter_protection_filter_read 3 39282 NULL
-+__vmalloc_node_39308 __vmalloc_node 1 39308 NULL
++__vmalloc_node_39308 __vmalloc_node 1-5 39308 NULL
+__cfg80211_connect_result_39326 __cfg80211_connect_result 4-6 39326 NULL
+insert_reserved_file_extent_39327 insert_reserved_file_extent 3-0 39327 NULL
+wimax_msg_alloc_39343 wimax_msg_alloc 4 39343 NULL
@@ -106913,7 +107010,6 @@ index 0000000..0a9d518
+setkey_unaligned_39474 setkey_unaligned 3 39474 NULL
+do_get_mempolicy_39485 do_get_mempolicy 3 39485 NULL
+ieee80211_if_fmt_dot11MeshHWMPmaxPREQretries_39499 ieee80211_if_fmt_dot11MeshHWMPmaxPREQretries 3 39499 NULL
-+atomic64_read_unchecked_39505 atomic64_read_unchecked 0 39505 NULL
+cl_req_alloc_39523 cl_req_alloc 4 39523 NULL
+int_proc_write_39542 int_proc_write 3 39542 NULL
+pp_write_39554 pp_write 3 39554 NULL
@@ -106944,7 +107040,7 @@ index 0000000..0a9d518
+can_rmdir_39890 can_rmdir 0 39890 NULL
+pkt_add_39897 pkt_add 3 39897 NULL
+read_file_modal_eeprom_39909 read_file_modal_eeprom 3 39909 NULL
-+gen_pool_add_virt_39913 gen_pool_add_virt 4 39913 NULL
++gen_pool_add_virt_39913 gen_pool_add_virt 4-5 39913 NULL
+dw210x_op_rw_39915 dw210x_op_rw 6 39915 NULL
+dma_to_mm_pfn_39916 dma_to_mm_pfn 0-1 39916 NULL
+aes_encrypt_interrupt_read_39919 aes_encrypt_interrupt_read 3 39919 NULL
@@ -107556,7 +107652,7 @@ index 0000000..0a9d518
+bytepos_delta_45017 bytepos_delta 0-2 45017 NULL
+read_block_bitmap_45021 read_block_bitmap 2 45021 NULL nohasharray
+ptrace_writedata_45021 ptrace_writedata 4-3 45021 &read_block_bitmap_45021
-+dm_kvzalloc_45025 dm_kvzalloc 1 45025 NULL
++dm_kvzalloc_45025 dm_kvzalloc 1-2 45025 NULL
+vhci_get_user_45039 vhci_get_user 3 45039 NULL
+sysfs_do_create_link_sd_45057 sysfs_do_create_link_sd 0 45057 NULL
+remap_oldmem_pfn_range_45060 remap_oldmem_pfn_range 2-3-4 45060 NULL nohasharray
@@ -107596,6 +107692,7 @@ index 0000000..0a9d518
+sock_recv_errqueue_45412 sock_recv_errqueue 3 45412 NULL
+paging64_gva_to_gpa_45421 paging64_gva_to_gpa 2 45421 NULL nohasharray
+ieee80211_if_fmt_dot11MeshHWMProotInterval_45421 ieee80211_if_fmt_dot11MeshHWMProotInterval 3 45421 &paging64_gva_to_gpa_45421
++alloc_task_struct_node_45426 alloc_task_struct_node 1 45426 NULL
+ll_iocontrol_register_45430 ll_iocontrol_register 2 45430 NULL
+tty_buffer_alloc_45437 tty_buffer_alloc 2 45437 NULL
+SYSC_mremap_45446 SYSC_mremap 5-1-2-3 45446 NULL
@@ -107606,6 +107703,7 @@ index 0000000..0a9d518
+arizona_init_fll_45503 arizona_init_fll 5 45503 NULL
+rds_message_copy_from_user_45510 rds_message_copy_from_user 3 45510 NULL
+i40e_alloc_vfs_45511 i40e_alloc_vfs 2 45511 NULL
++__split_vma_45522 __split_vma 0 45522 NULL
+cgroup_read_u64_45532 cgroup_read_u64 5 45532 NULL
+copy_macs_45534 copy_macs 4 45534 NULL
+nla_attr_size_45545 nla_attr_size 0-1 45545 NULL
@@ -107659,6 +107757,7 @@ index 0000000..0a9d518
+wm_adsp_region_to_reg_45915 wm_adsp_region_to_reg 0-2 45915 NULL
+dbgfs_frame_45917 dbgfs_frame 3 45917 NULL
+alloc_mr_45935 alloc_mr 1 45935 NULL
++kmem_cache_alloc_node_trace_45968 kmem_cache_alloc_node_trace 3 45968 NULL
+copy_to_45969 copy_to 3 45969 NULL
+rb_simple_read_45972 rb_simple_read 3 45972 NULL
+ioat2_dca_count_dca_slots_45984 ioat2_dca_count_dca_slots 0 45984 NULL
@@ -107700,6 +107799,7 @@ index 0000000..0a9d518
+__iommu_calculate_agaw_46366 __iommu_calculate_agaw 2 46366 NULL
+ubi_dump_flash_46381 ubi_dump_flash 4 46381 NULL
+mmap_ureg_46388 mmap_ureg 3 46388 NULL
++vma_adjust_46390 vma_adjust 0 46390 NULL
+fuse_file_aio_write_46399 fuse_file_aio_write 4 46399 NULL
+crypto_ablkcipher_reqsize_46411 crypto_ablkcipher_reqsize 0 46411 NULL
+ttm_page_pool_get_pages_46431 ttm_page_pool_get_pages 0-5 46431 NULL
@@ -107833,7 +107933,7 @@ index 0000000..0a9d518
+mcp23s17_read_regs_47491 mcp23s17_read_regs 4 47491 NULL
+core_sys_select_47494 core_sys_select 1 47494 NULL
+read_block_for_search_47502 read_block_for_search 0 47502 NULL
-+alloc_arraycache_47505 alloc_arraycache 2 47505 NULL nohasharray
++alloc_arraycache_47505 alloc_arraycache 2-1 47505 NULL nohasharray
+btrfs_init_inode_security_47505 btrfs_init_inode_security 0 47505 &alloc_arraycache_47505
+unlink_simple_47506 unlink_simple 3 47506 NULL
+pstore_decompress_47510 pstore_decompress 0 47510 NULL
@@ -107949,6 +108049,7 @@ index 0000000..0a9d518
+div64_u64_rem_48418 div64_u64_rem 0-1-2 48418 NULL
+snd_power_wait_48422 snd_power_wait 0 48422 NULL
+pwr_tx_without_ps_read_48423 pwr_tx_without_ps_read 3 48423 NULL
++hugepage_madvise_48435 hugepage_madvise 0 48435 NULL
+print_filtered_48442 print_filtered 2-0 48442 NULL
+tun_recvmsg_48463 tun_recvmsg 4 48463 NULL
+compat_SyS_preadv64_48469 compat_SyS_preadv64 3 48469 NULL
@@ -108085,6 +108186,7 @@ index 0000000..0a9d518
+sctp_setsockopt_default_send_param_49578 sctp_setsockopt_default_send_param 3 49578 NULL
+readfifo_49583 readfifo 1 49583 NULL
+tap_write_49595 tap_write 3 49595 NULL
++create_task_io_context_49601 create_task_io_context 3 49601 NULL
+isr_wakeups_read_49607 isr_wakeups_read 3 49607 NULL
+btrfs_mksubvol_49616 btrfs_mksubvol 3 49616 NULL
+heap_init_49617 heap_init 2 49617 NULL
@@ -108158,7 +108260,7 @@ index 0000000..0a9d518
+copy_items_50140 copy_items 6 50140 NULL
+tx_frag_need_fragmentation_read_50153 tx_frag_need_fragmentation_read 3 50153 NULL
+reiserfs_bmap_count_50160 reiserfs_bmap_count 0 50160 NULL
-+kmalloc_node_50163 kmalloc_node 1 50163 NULL
++kmalloc_node_50163 kmalloc_node 1-3 50163 NULL
+rx_filter_ibss_filter_read_50167 rx_filter_ibss_filter_read 3 50167 NULL
+ahd_probe_stack_size_50168 ahd_probe_stack_size 0 50168 NULL
+odev_update_50169 odev_update 2 50169 NULL
@@ -108174,6 +108276,7 @@ index 0000000..0a9d518
+l2cap_sock_setsockopt_50207 l2cap_sock_setsockopt 5 50207 NULL
+mon_bin_compat_ioctl_50234 mon_bin_compat_ioctl 3 50234 NULL
+sg_kmalloc_50240 sg_kmalloc 1 50240 NULL
++vma_dup_policy_50269 vma_dup_policy 0 50269 NULL
+rxrpc_setsockopt_50286 rxrpc_setsockopt 5 50286 NULL
+soc_codec_reg_show_50302 soc_codec_reg_show 0-3 50302 NULL
+SYSC_flistxattr_50307 SYSC_flistxattr 3 50307 NULL
@@ -108429,7 +108532,6 @@ index 0000000..0a9d518
+hva_to_pfn_slow_52262 hva_to_pfn_slow 1 52262 NULL
+sisusbcon_do_font_op_52271 sisusbcon_do_font_op 9 52271 NULL
+handle_supp_msgs_52284 handle_supp_msgs 4 52284 NULL
-+atomic64_read_52300 atomic64_read 0 52300 NULL
+kobject_set_name_vargs_52309 kobject_set_name_vargs 0 52309 NULL
+read_file_reset_52310 read_file_reset 3 52310 NULL
+request_asymmetric_key_52317 request_asymmetric_key 4-2 52317 NULL
@@ -108548,6 +108650,7 @@ index 0000000..0a9d518
+xfs_trans_read_buf_map_53258 xfs_trans_read_buf_map 5 53258 NULL
+wil_write_file_ssid_53266 wil_write_file_ssid 3 53266 NULL
+btrfs_file_extent_num_bytes_53269 btrfs_file_extent_num_bytes 0 53269 NULL
++tsk_fork_get_node_53271 tsk_fork_get_node 0 53271 NULL
+btrfs_find_highest_objectid_53284 btrfs_find_highest_objectid 0 53284 NULL
+setup_leaf_for_split_53312 setup_leaf_for_split 0 53312 NULL
+ftrace_profile_write_53327 ftrace_profile_write 3 53327 NULL
@@ -108695,6 +108798,7 @@ index 0000000..0a9d518
+fw_iso_buffer_init_54582 fw_iso_buffer_init 3 54582 NULL
+nvme_npages_54601 nvme_npages 0-1 54601 NULL
+irq_pkt_threshold_write_54605 irq_pkt_threshold_write 3 54605 NULL
++devm_gen_pool_create_54607 devm_gen_pool_create 3 54607 NULL
+port_fops_write_54627 port_fops_write 3 54627 NULL
+irq_timeout_read_54653 irq_timeout_read 3 54653 NULL
+dns_resolver_read_54658 dns_resolver_read 3 54658 NULL
@@ -108787,7 +108891,8 @@ index 0000000..0a9d518
+lov_get_stripecnt_55297 lov_get_stripecnt 0-3 55297 NULL
+gsm_control_modem_55303 gsm_control_modem 3 55303 NULL
+wimax_msg_len_55304 wimax_msg_len 0 55304 NULL
-+qp_alloc_guest_work_55305 qp_alloc_guest_work 5-3 55305 NULL
++__get_vm_area_node_55305 __get_vm_area_node 6 55305 NULL nohasharray
++qp_alloc_guest_work_55305 qp_alloc_guest_work 5-3 55305 &__get_vm_area_node_55305
+__vxge_hw_vpath_initialize_55328 __vxge_hw_vpath_initialize 2 55328 NULL
+do_shmat_55336 do_shmat 5 55336 NULL
+vme_user_read_55338 vme_user_read 3 55338 NULL
@@ -108875,7 +108980,7 @@ index 0000000..0a9d518
+add_extent_mapping_56157 add_extent_mapping 0 56157 NULL
+__i2c_transfer_56162 __i2c_transfer 0 56162 NULL
+rawv6_setsockopt_56165 rawv6_setsockopt 5 56165 NULL
-+create_irq_nr_56180 create_irq_nr 1-0 56180 NULL
++create_irq_nr_56180 create_irq_nr 1-0-2 56180 NULL
+ath9k_dump_legacy_btcoex_56194 ath9k_dump_legacy_btcoex 0 56194 NULL
+ocfs2_journal_access_gd_56209 ocfs2_journal_access_gd 0 56209 NULL
+update_space_info_56213 update_space_info 0 56213 NULL
@@ -109175,7 +109280,7 @@ index 0000000..0a9d518
+find_zero_58685 find_zero 0-1 58685 NULL
+uwb_bce_print_IEs_58686 uwb_bce_print_IEs 4 58686 NULL
+tps6586x_writes_58689 tps6586x_writes 2-3 58689 NULL
-+vmalloc_node_58700 vmalloc_node 1 58700 NULL
++vmalloc_node_58700 vmalloc_node 1-2 58700 NULL
+vx_send_msg_58711 vx_send_msg 0 58711 NULL
+i915_gem_execbuffer_reserve_58722 i915_gem_execbuffer_reserve 0 58722 NULL
+da9052_gpio_to_irq_58729 da9052_gpio_to_irq 2 58729 NULL
@@ -109202,6 +109307,7 @@ index 0000000..0a9d518
+ieee80211_if_fmt_dot11MeshHWMPactivePathToRootTimeout_58965 ieee80211_if_fmt_dot11MeshHWMPactivePathToRootTimeout 3 58965 NULL
+crypto_aead_ivsize_58970 crypto_aead_ivsize 0 58970 NULL
+__mem_cgroup_try_charge_58976 __mem_cgroup_try_charge 0 58976 NULL
++init_list_58990 init_list 3 58990 NULL
+remap_to_cache_dirty_58991 remap_to_cache_dirty 4-3 58991 NULL
+ep_write_59008 ep_write 3 59008 NULL
+lpfc_idiag_baracc_write_59014 lpfc_idiag_baracc_write 3 59014 NULL
@@ -109353,6 +109459,7 @@ index 0000000..0a9d518
+wm831x_irq_60254 wm831x_irq 2 60254 NULL
+irq_alloc_domain_generic_chips_60264 irq_alloc_domain_generic_chips 3-2 60264 NULL
+printer_write_60276 printer_write 3 60276 NULL
++alloc_irq_pin_list_60277 alloc_irq_pin_list 1 60277 NULL
+do_xip_mapping_read_60297 do_xip_mapping_read 5 60297 NULL
+getDataLength_60301 getDataLength 0 60301 NULL
+xfs_next_bit_60322 xfs_next_bit 0-3 60322 NULL
@@ -109479,6 +109586,7 @@ index 0000000..0a9d518
+snd_pcm_lib_writev_transfer_61483 snd_pcm_lib_writev_transfer 5-4-2 61483 NULL
+btrfs_item_size_61485 btrfs_item_size 0 61485 NULL
+ocfs2_get_refcount_rec_61514 ocfs2_get_refcount_rec 0 61514 NULL
++__vmalloc_area_node_61525 __vmalloc_area_node 4 61525 NULL
+erst_errno_61526 erst_errno 0 61526 NULL
+ntfs_attr_lookup_61539 ntfs_attr_lookup 0 61539 NULL
+get_ohm_of_thermistor_61545 get_ohm_of_thermistor 2 61545 NULL
@@ -109591,7 +109699,8 @@ index 0000000..0a9d518
+ext_rts51x_sd_execute_read_data_62501 ext_rts51x_sd_execute_read_data 9 62501 NULL
+ocfs2_path_bh_journal_access_62504 ocfs2_path_bh_journal_access 0 62504 NULL
+pep_sendmsg_62524 pep_sendmsg 4 62524 NULL
-+test_iso_queue_62534 test_iso_queue 5 62534 NULL
++test_iso_queue_62534 test_iso_queue 5 62534 NULL nohasharray
++__kmalloc_node_track_caller_62534 __kmalloc_node_track_caller 3 62534 &test_iso_queue_62534
+debugfs_read_62535 debugfs_read 3 62535 NULL
+sco_sock_sendmsg_62542 sco_sock_sendmsg 4 62542 NULL
+qib_refresh_qsfp_cache_62547 qib_refresh_qsfp_cache 0 62547 NULL
@@ -109651,6 +109760,7 @@ index 0000000..0a9d518
+scsi_host_alloc_63041 scsi_host_alloc 2 63041 NULL
+run_delayed_tree_ref_63042 run_delayed_tree_ref 0 63042 NULL
+unlink1_63059 unlink1 3 63059 NULL
++__do_munmap_63063 __do_munmap 0 63063 NULL
+xen_set_nslabs_63066 xen_set_nslabs 0 63066 NULL
+iwl_dbgfs_fw_rx_stats_read_63070 iwl_dbgfs_fw_rx_stats_read 3 63070 NULL
+ocfs2_decrease_refcount_63078 ocfs2_decrease_refcount 4-3-0 63078 NULL
@@ -109685,6 +109795,7 @@ index 0000000..0a9d518
+nfsd_symlink_63442 nfsd_symlink 6 63442 NULL
+lookup_dir_item_inode_63447 lookup_dir_item_inode 0 63447 NULL
+i915_gem_object_get_fence_63455 i915_gem_object_get_fence 0 63455 NULL
++__do_kmalloc_node_63461 __do_kmalloc_node 3 63461 NULL
+si5351_bulk_write_63468 si5351_bulk_write 2-3 63468 NULL
+snd_info_entry_write_63474 snd_info_entry_write 3 63474 NULL
+do_work_63483 do_work 0 63483 NULL
@@ -109850,7 +109961,8 @@ index 0000000..0a9d518
+efx_tsoh_get_buffer_64664 efx_tsoh_get_buffer 3 64664 NULL
+rx_rx_out_of_mpdu_nodes_read_64668 rx_rx_out_of_mpdu_nodes_read 3 64668 NULL
+nr_free_zone_pages_64680 nr_free_zone_pages 0 64680 NULL
-+sec_bulk_write_64691 sec_bulk_write 2-3 64691 NULL
++sec_bulk_write_64691 sec_bulk_write 2-3 64691 NULL nohasharray
++mremap_to_64691 mremap_to 0-3 64691 &sec_bulk_write_64691
+pfn_to_hpa_64703 pfn_to_hpa 0-1 64703 NULL
+ip_select_ident_more_64707 ip_select_ident_more 4 64707 NULL
+snd_pcm_oss_capture_position_fixup_64713 snd_pcm_oss_capture_position_fixup 0 64713 NULL
@@ -109907,7 +110019,6 @@ index 0000000..0a9d518
+print_endpoint_stat_65232 print_endpoint_stat 3-4-0 65232 NULL
+journal_get_write_access_65243 journal_get_write_access 0 65243 NULL
+whci_n_caps_65247 whci_n_caps 0 65247 NULL
-+atomic_long_read_65263 atomic_long_read 0 65263 NULL
+kmem_zalloc_greedy_65268 kmem_zalloc_greedy 3-2 65268 NULL
+kmalloc_parameter_65279 kmalloc_parameter 1 65279 NULL
+compat_core_sys_select_65285 compat_core_sys_select 1 65285 NULL
@@ -109944,10 +110055,10 @@ index 0000000..0a9d518
+nvme_trans_standard_inquiry_page_65526 nvme_trans_standard_inquiry_page 4 65526 NULL
diff --git a/tools/gcc/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin.c
new file mode 100644
-index 0000000..87dd5e2
+index 0000000..a3f9702
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin.c
-@@ -0,0 +1,3840 @@
+@@ -0,0 +1,3870 @@
+/*
+ * Copyright 2011, 2012, 2013 by Emese Revfy <re.emese@gmail.com>
+ * Licensed under the GPL v2, or (at your option) v3
@@ -110073,7 +110184,7 @@ index 0000000..87dd5e2
+static tree dup_assign(struct pointer_set_t *visited, gimple oldstmt, const_tree node, tree rhs1, tree rhs2, tree __unused rhs3);
+
+static struct plugin_info size_overflow_plugin_info = {
-+ .version = "20131120beta",
++ .version = "20131203beta",
+ .help = "no-size-overflow\tturn off size overflow checking\n",
+};
+
@@ -112011,12 +112122,17 @@ index 0000000..87dd5e2
+}
+
+// determine whether duplication will be necessary or not.
-+static void search_interesting_conditions(const_tree arg, bool *interesting_conditions)
++static void search_interesting_conditions(struct interesting_node *cur_node, bool *interesting_conditions)
+{
+ struct pointer_set_t *visited;
+
++ if (gimple_assign_cast_p(cur_node->first_stmt))
++ interesting_conditions[CAST] = true;
++ else if (is_gimple_assign(cur_node->first_stmt) && gimple_num_ops(cur_node->first_stmt) > 2)
++ interesting_conditions[NOT_UNARY] = true;
++
+ visited = pointer_set_create();
-+ set_conditions(visited, interesting_conditions, arg);
++ set_conditions(visited, interesting_conditions, cur_node->node);
+ pointer_set_destroy(visited);
+}
+
@@ -112482,7 +112598,7 @@ index 0000000..87dd5e2
+ if (cur_node->intentional_attr_decl == MARK_TURN_OFF || cur_node->intentional_attr_cur_fndecl == MARK_TURN_OFF)
+ return cnodes;
+
-+ search_interesting_conditions(orig_node, interesting_conditions);
++ search_interesting_conditions(cur_node, interesting_conditions);
+
+ // error code
+ if (interesting_conditions[CAST] && interesting_conditions[FROM_CONST] && !interesting_conditions[NOT_UNARY])
@@ -112761,10 +112877,22 @@ index 0000000..87dd5e2
+static void remove_size_overflow_asm(gimple stmt)
+{
+ gimple_stmt_iterator gsi;
++ tree input, output;
+
-+ gcc_assert(gimple_code(stmt) == GIMPLE_ASM);
-+ gsi = gsi_for_stmt(stmt);
-+ gsi_remove(&gsi, true);
++ if (gimple_code(stmt) != GIMPLE_ASM)
++ return;
++ if (!is_size_overflow_asm(stmt))
++ return;
++
++ if (gimple_asm_noutputs(stmt) == 0) {
++ gsi = gsi_for_stmt(stmt);
++ gsi_remove(&gsi, true);
++ return;
++ }
++
++ input = gimple_asm_input_op(stmt, 0);
++ output = gimple_asm_output_op(stmt, 0);
++ replace_size_overflow_asm_with_assign(stmt, TREE_VALUE(output), TREE_VALUE(input));
+}
+
+/* handle the size_overflow asm stmts from the gimple pass and collect the interesting stmts.
@@ -112773,7 +112901,7 @@ index 0000000..87dd5e2
+ */
+static struct interesting_node *handle_stmt_by_size_overflow_asm(gimple stmt, struct interesting_node *head)
+{
-+ const_tree output, input;
++ const_tree output;
+ struct pointer_set_t *visited;
+ gimple intentional_asm = NOT_INTENTIONAL_ASM;
+
@@ -112784,9 +112912,10 @@ index 0000000..87dd5e2
+ intentional_asm = stmt;
+
+ gcc_assert(gimple_asm_ninputs(stmt) == 1);
-+ input = gimple_asm_input_op(stmt, 0);
+
+ if (gimple_asm_noutputs(stmt) == 0) {
++ const_tree input = gimple_asm_input_op(stmt, 0);
++
+ remove_size_overflow_asm(stmt);
+ if (is_gimple_constant(TREE_VALUE(input)))
+ return head;
@@ -112797,12 +112926,11 @@ index 0000000..87dd5e2
+ return head;
+ }
+
-+ output = gimple_asm_output_op(stmt, 0);
-+
+ if (!is_size_overflow_intentional_asm_yes(stmt) && !is_size_overflow_intentional_asm_turn_off(stmt))
-+ replace_size_overflow_asm_with_assign(stmt, TREE_VALUE(output), TREE_VALUE(input));
++ remove_size_overflow_asm(stmt);
+
+ visited = pointer_set_create();
++ output = gimple_asm_output_op(stmt, 0);
+ head = get_interesting_ret_or_call(visited, head, TREE_VALUE(output), intentional_asm);
+ pointer_set_destroy(visited);
+ return head;
@@ -112920,6 +113048,18 @@ index 0000000..87dd5e2
+ }
+}
+
++static void remove_all_size_overflow_asm(void)
++{
++ basic_block bb;
++
++ FOR_ALL_BB(bb) {
++ gimple_stmt_iterator si;
++
++ for (si = gsi_start_bb(bb); !gsi_end_p(si); gsi_next(&si))
++ remove_size_overflow_asm(gsi_stmt(si));
++ }
++}
++
+/* Main recursive walk of the ipa pass: iterate over the collected interesting stmts in a function
+ * (they are interesting if they have an associated size_overflow asm stmt) and recursively walk
+ * the newly collected interesting functions (they are interesting if there is control flow between
@@ -112946,6 +113086,7 @@ index 0000000..87dd5e2
+ }
+
+ free_interesting_node(head);
++ remove_all_size_overflow_asm();
+ unset_current_function_decl();
+
+ for (cur_cnodes = cnodes_head; cur_cnodes; cur_cnodes = cur_cnodes->next)
diff --git a/3.12.2/4425_grsec_remove_EI_PAX.patch b/3.12.4/4425_grsec_remove_EI_PAX.patch
similarity index 100%
rename from 3.12.2/4425_grsec_remove_EI_PAX.patch
rename to 3.12.4/4425_grsec_remove_EI_PAX.patch
diff --git a/3.12.2/4427_force_XATTR_PAX_tmpfs.patch b/3.12.4/4427_force_XATTR_PAX_tmpfs.patch
similarity index 100%
rename from 3.12.2/4427_force_XATTR_PAX_tmpfs.patch
rename to 3.12.4/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.12.2/4430_grsec-remove-localversion-grsec.patch b/3.12.4/4430_grsec-remove-localversion-grsec.patch
similarity index 100%
rename from 3.12.2/4430_grsec-remove-localversion-grsec.patch
rename to 3.12.4/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.12.2/4435_grsec-mute-warnings.patch b/3.12.4/4435_grsec-mute-warnings.patch
similarity index 100%
rename from 3.12.2/4435_grsec-mute-warnings.patch
rename to 3.12.4/4435_grsec-mute-warnings.patch
diff --git a/3.12.2/4440_grsec-remove-protected-paths.patch b/3.12.4/4440_grsec-remove-protected-paths.patch
similarity index 100%
rename from 3.12.2/4440_grsec-remove-protected-paths.patch
rename to 3.12.4/4440_grsec-remove-protected-paths.patch
diff --git a/3.12.2/4450_grsec-kconfig-default-gids.patch b/3.12.4/4450_grsec-kconfig-default-gids.patch
similarity index 100%
rename from 3.12.2/4450_grsec-kconfig-default-gids.patch
rename to 3.12.4/4450_grsec-kconfig-default-gids.patch
diff --git a/3.12.2/4465_selinux-avc_audit-log-curr_ip.patch b/3.12.4/4465_selinux-avc_audit-log-curr_ip.patch
similarity index 100%
rename from 3.12.2/4465_selinux-avc_audit-log-curr_ip.patch
rename to 3.12.4/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.12.2/4470_disable-compat_vdso.patch b/3.12.4/4470_disable-compat_vdso.patch
similarity index 100%
rename from 3.12.2/4470_disable-compat_vdso.patch
rename to 3.12.4/4470_disable-compat_vdso.patch
diff --git a/3.12.2/4475_emutramp_default_on.patch b/3.12.4/4475_emutramp_default_on.patch
similarity index 100%
rename from 3.12.2/4475_emutramp_default_on.patch
rename to 3.12.4/4475_emutramp_default_on.patch
diff --git a/3.2.53/0000_README b/3.2.53/0000_README
index 9af2616..3a69687 100644
--- a/3.2.53/0000_README
+++ b/3.2.53/0000_README
@@ -130,7 +130,7 @@ Patch: 1052_linux-3.2.53.patch
From: http://www.kernel.org
Desc: Linux 3.2.53
-Patch: 4420_grsecurity-3.0-3.2.53-201312021727.patch
+Patch: 4420_grsecurity-3.0-3.2.53-201312081752.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.53/4420_grsecurity-3.0-3.2.53-201312021727.patch b/3.2.53/4420_grsecurity-3.0-3.2.53-201312081752.patch
similarity index 99%
rename from 3.2.53/4420_grsecurity-3.0-3.2.53-201312021727.patch
rename to 3.2.53/4420_grsecurity-3.0-3.2.53-201312081752.patch
index 0b81548..eb4e1a1 100644
--- a/3.2.53/4420_grsecurity-3.0-3.2.53-201312021727.patch
+++ b/3.2.53/4420_grsecurity-3.0-3.2.53-201312081752.patch
@@ -3285,6 +3285,19 @@ index 1a97af3..7529d31 100644
#define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
#define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
#define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
+diff --git a/arch/ia64/include/asm/processor.h b/arch/ia64/include/asm/processor.h
+index d9f397f..70d477b 100644
+--- a/arch/ia64/include/asm/processor.h
++++ b/arch/ia64/include/asm/processor.h
+@@ -320,7 +320,7 @@ struct thread_struct {
+ regs->loadrs = 0; \
+ regs->r8 = get_dumpable(current->mm); /* set "don't zap registers" flag */ \
+ regs->r12 = new_sp - 16; /* allocate 16 byte scratch area */ \
+- if (unlikely(!get_dumpable(current->mm))) { \
++ if (unlikely(get_dumpable(current->mm) != SUID_DUMPABLE_ENABLED)) { \
+ /* \
+ * Zap scratch regs to avoid leaking bits between processes with different \
+ * uid/privileges. \
diff --git a/arch/ia64/include/asm/spinlock.h b/arch/ia64/include/asm/spinlock.h
index b77768d..e0795eb 100644
--- a/arch/ia64/include/asm/spinlock.h
@@ -42310,6 +42323,30 @@ index 75da4bc..7737dff 100644
int csr;
memset(buf, 0, sizeof(buf));
+diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c
+index d8d8f0d..35d86fa 100644
+--- a/drivers/net/wireless/libertas/debugfs.c
++++ b/drivers/net/wireless/libertas/debugfs.c
+@@ -919,7 +919,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
+ char *p2;
+ struct debug_data *d = f->private_data;
+
+- pdata = kmalloc(cnt, GFP_KERNEL);
++ if (cnt == 0)
++ return 0;
++
++ pdata = kmalloc(cnt + 1, GFP_KERNEL);
+ if (pdata == NULL)
+ return 0;
+
+@@ -928,6 +931,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
+ kfree(pdata);
+ return 0;
+ }
++ pdata[cnt] = '\0';
+
+ p0 = pdata;
+ for (i = 0; i < num_of_items; i++) {
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index 523ad55..f8c5dc5 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
@@ -43286,6 +43323,44 @@ index 2836538..30edf9d 100644
ret = sysfs_create_bin_file(&pdev->dev.kobj, &m48t59_nvram_attr);
if (ret) {
+diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
+index fff57de..55f6488 100644
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -4322,7 +4322,7 @@ int qeth_snmp_command(struct qeth_card *card, char __user *udata)
+ struct qeth_cmd_buffer *iob;
+ struct qeth_ipa_cmd *cmd;
+ struct qeth_snmp_ureq *ureq;
+- int req_len;
++ unsigned int req_len;
+ struct qeth_arp_query_info qinfo = {0, };
+ int rc = 0;
+
+@@ -4338,6 +4338,10 @@ int qeth_snmp_command(struct qeth_card *card, char __user *udata)
+ /* skip 4 bytes (data_len struct member) to get req_len */
+ if (copy_from_user(&req_len, udata + sizeof(int), sizeof(int)))
+ return -EFAULT;
++ if (req_len > (QETH_BUFSIZE - IPA_PDU_HEADER_SIZE -
++ sizeof(struct qeth_ipacmd_hdr) -
++ sizeof(struct qeth_ipacmd_setadpparms_hdr)))
++ return -EINVAL;
+ ureq = memdup_user(udata, req_len + sizeof(struct qeth_snmp_ureq_hdr));
+ if (IS_ERR(ureq)) {
+ QETH_CARD_TEXT(card, 2, "snmpnome");
+diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
+index 8a0b330..1254431 100644
+--- a/drivers/scsi/aacraid/commctrl.c
++++ b/drivers/scsi/aacraid/commctrl.c
+@@ -508,7 +508,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
+ goto cleanup;
+ }
+
+- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) {
++ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) ||
++ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) {
+ rcode = -EINVAL;
+ goto cleanup;
+ }
diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
index 2e658d2..46f4afb 100644
--- a/drivers/scsi/aacraid/linit.c
@@ -45566,7 +45641,7 @@ index 65447c5..0526f0a 100644
ret = -EPERM;
goto reterr;
diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
-index af57648..2b62a69 100644
+index af57648..2a8a122 100644
--- a/drivers/uio/uio.c
+++ b/drivers/uio/uio.c
@@ -25,6 +25,7 @@
@@ -45666,7 +45741,16 @@ index af57648..2b62a69 100644
}
static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
-@@ -833,7 +838,7 @@ int __uio_register_device(struct module *owner,
+@@ -655,6 +660,8 @@ static int uio_mmap_physical(struct vm_area_struct *vma)
+ return -EINVAL;
+ mem = idev->info->mem + mi;
+
++ if (mem->addr & ~PAGE_MASK)
++ return -ENODEV;
+ if (vma->vm_end - vma->vm_start > mem->size)
+ return -EINVAL;
+
+@@ -833,7 +840,7 @@ int __uio_register_device(struct module *owner,
idev->owner = owner;
idev->info = info;
init_waitqueue_head(&idev->wait);
@@ -52209,7 +52293,7 @@ index 451b9b8..12e5a03 100644
out_free_fd:
diff --git a/fs/exec.c b/fs/exec.c
-index a2d0e51..8ece03f 100644
+index a2d0e51..64ad6ea 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,12 +55,35 @@
@@ -52596,6 +52680,15 @@ index a2d0e51..8ece03f 100644
/* Set the new mm task size. We have to do that late because it may
* depend on TIF_32BIT which is only updated in flush_thread() on
+@@ -1229,7 +1308,7 @@ void install_exec_creds(struct linux_binprm *bprm)
+ * wait until new credentials are committed
+ * by commit_creds() above
+ */
+- if (get_dumpable(current->mm) != SUID_DUMP_USER)
++ if (get_dumpable(current->mm) != SUID_DUMPABLE_ENABLED)
+ perf_event_exit_task(current);
+ /*
+ * cred_guard_mutex must be held at least to this point to prevent
@@ -1259,6 +1338,13 @@ int check_unsafe_exec(struct linux_binprm *bprm)
bprm->unsafe |= LSM_UNSAFE_PTRACE;
}
@@ -59813,7 +59906,7 @@ index 79d05e8..e3e5861 100644
*offset = off & 0x7fffffff;
return 0;
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
-index d99a905..9f88202 100644
+index d99a905..a7569b5 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -128,7 +128,7 @@ xfs_find_handle(
@@ -59825,6 +59918,30 @@ index d99a905..9f88202 100644
copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
goto out_put;
+@@ -404,7 +404,8 @@ xfs_attrlist_by_handle(
+ return -XFS_ERROR(EPERM);
+ if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
+ return -XFS_ERROR(EFAULT);
+- if (al_hreq.buflen > XATTR_LIST_MAX)
++ if (al_hreq.buflen < sizeof(struct attrlist) ||
++ al_hreq.buflen > XATTR_LIST_MAX)
+ return -XFS_ERROR(EINVAL);
+
+ /*
+diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c
+index 54e623b..0d685b3 100644
+--- a/fs/xfs/xfs_ioctl32.c
++++ b/fs/xfs/xfs_ioctl32.c
+@@ -361,7 +361,8 @@ xfs_compat_attrlist_by_handle(
+ if (copy_from_user(&al_hreq, arg,
+ sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
+ return -XFS_ERROR(EFAULT);
+- if (al_hreq.buflen > XATTR_LIST_MAX)
++ if (al_hreq.buflen < sizeof(struct attrlist) ||
++ al_hreq.buflen > XATTR_LIST_MAX)
+ return -XFS_ERROR(EINVAL);
+
+ /*
diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
index bd2fb43..86fd3e8d 100644
--- a/fs/xfs/xfs_iops.c
@@ -69515,10 +69632,10 @@ index 0000000..f7f29aa
+}
diff --git a/grsecurity/grsec_sig.c b/grsecurity/grsec_sig.c
new file mode 100644
-index 0000000..3752208
+index 0000000..c6a07aa
--- /dev/null
+++ b/grsecurity/grsec_sig.c
-@@ -0,0 +1,244 @@
+@@ -0,0 +1,245 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/delay.h>
@@ -69603,7 +69720,7 @@ index 0000000..3752208
+ int ret;
+
+ ret = mm_flags & MMF_DUMPABLE_MASK;
-+ return (ret >= 2) ? 2 : ret;
++ return (ret > SUID_DUMPABLE_ENABLED) ? SUID_DUMPABLE_SAFE : ret;
+}
+#endif
+
@@ -69627,8 +69744,9 @@ index 0000000..3752208
+ } else {
+ const struct cred *cred = __task_cred(p), *cred2;
+ struct task_struct *tsk, *tsk2;
++ int dumpable = __get_dumpable(mm_flags);
+
-+ if (!__get_dumpable(mm_flags) && cred->uid) {
++ if (dumpable != SUID_DUMPABLE_ENABLED && cred->uid) {
+ struct user_struct *user;
+
+ uid = cred->uid;
@@ -71609,7 +71727,7 @@ index 2f81c6f..225b4e4 100644
#define audit_get_loginuid(t) (-1)
#define audit_get_sessionid(t) (-1)
diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
-index acd8d4b..f2defe2 100644
+index acd8d4b..c87c74b 100644
--- a/include/linux/binfmts.h
+++ b/include/linux/binfmts.h
@@ -18,7 +18,7 @@ struct pt_regs;
@@ -71641,6 +71759,16 @@ index acd8d4b..f2defe2 100644
extern int __register_binfmt(struct linux_binfmt *fmt, int insert);
+@@ -112,9 +115,6 @@ extern void setup_new_exec(struct linux_binprm * bprm);
+ extern void would_dump(struct linux_binprm *, struct file *);
+
+ extern int suid_dumpable;
+-#define SUID_DUMP_DISABLE 0 /* No setuid dumping */
+-#define SUID_DUMP_USER 1 /* Dump as user of process */
+-#define SUID_DUMP_ROOT 2 /* Dump as root */
+
+ /* Stack area protections */
+ #define EXSTACK_DEFAULT 0 /* Whatever the arch defaults to */
diff --git a/include/linux/bitops.h b/include/linux/bitops.h
index fc8a3ff..e48401e 100644
--- a/include/linux/bitops.h
@@ -82399,7 +82527,7 @@ index 76b8e77..a2930e8 100644
}
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
-index 67fedad..82362a6 100644
+index 67fedad..8a94754 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -211,7 +211,8 @@ int ptrace_check_attach(struct task_struct *child, bool ignore_state)
@@ -82427,7 +82555,7 @@ index 67fedad..82362a6 100644
if (task->mm)
dumpable = get_dumpable(task->mm);
- if (!dumpable && !task_ns_capable(task, CAP_SYS_PTRACE))
-+ if (!dumpable &&
++ if (dumpable != SUID_DUMPABLE_ENABLED &&
+ ((!log && !task_ns_capable_nolog(task, CAP_SYS_PTRACE)) ||
+ (log && !task_ns_capable(task, CAP_SYS_PTRACE))))
return -EPERM;
@@ -92262,16 +92390,18 @@ index f78f898..d7aa843 100644
if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) {
diff --git a/net/compat.c b/net/compat.c
-index 3139ef2..453a165 100644
+index 3139ef2..2717671 100644
--- a/net/compat.c
+++ b/net/compat.c
-@@ -73,9 +73,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
+@@ -72,10 +72,10 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
+ __get_user(kmsg->msg_flags, &umsg->msg_flags))
return -EFAULT;
if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
- return -EINVAL;
+- return -EINVAL;
- kmsg->msg_name = compat_ptr(tmp1);
- kmsg->msg_iov = compat_ptr(tmp2);
- kmsg->msg_control = compat_ptr(tmp3);
++ kmsg->msg_namelen = sizeof(struct sockaddr_storage);
+ kmsg->msg_name = (void __force_kernel *)compat_ptr(tmp1);
+ kmsg->msg_iov = (void __force_kernel *)compat_ptr(tmp2);
+ kmsg->msg_control = (void __force_kernel *)compat_ptr(tmp3);
@@ -97121,7 +97251,7 @@ index 8da4481..d02565e 100644
+ (rtt >> sctp_rto_alpha);
} else {
diff --git a/net/socket.c b/net/socket.c
-index bf7adaa..3cb0fca 100644
+index bf7adaa..997cbc7 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -88,6 +88,7 @@
@@ -97305,6 +97435,15 @@ index bf7adaa..3cb0fca 100644
int err, err2;
int fput_needed;
+@@ -1882,7 +1948,7 @@ static int copy_msghdr_from_user(struct msghdr *kmsg,
+ if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
+ return -EFAULT;
+ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
+- return -EINVAL;
++ kmsg->msg_namelen = sizeof(struct sockaddr_storage);
+ return 0;
+ }
+
@@ -1963,7 +2029,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
* checking falls down on this.
*/
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2013-12-09 14:51 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-12-09 14:51 [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.32/, 3.12.4/, 3.2.53/, 3.12.2/ Anthony G. Basile
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox