diff --git a/changelog b/changelog index 0b57d2c..7d268ff 100644 --- a/changelog +++ b/changelog @@ -1,3 +1,9 @@ +linux-image (linux-3.2.70-mempo-0.2.137) UNRELEASED; urgency=medium + * linux: rds: fix an integer overflow test in rds_info_getsockopt() + * linux: Backport virtio-net security fix by Jason Wang + * grsec: merge 'linux-3.2.y' into pax-stable, 'pax-stable' into grsec-stable + + -- mempo Sun, 11 Aug 2015 10:17:00 +0200 linux-image (linux-3.2.69-mempo-0.2.136) UNRELEASED; urgency=high * linux: kzalloc md kernel mem infoleak!! diff --git a/kernel-build/linux-mempo/configs-kernel/deb7-desk.kernel-config b/kernel-build/linux-mempo/configs-kernel/deb7-desk.kernel-config index 5163b93..472240e 100644 --- a/kernel-build/linux-mempo/configs-kernel/deb7-desk.kernel-config +++ b/kernel-build/linux-mempo/configs-kernel/deb7-desk.kernel-config @@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y CONFIG_EXPERIMENTAL=y CONFIG_INIT_ENV_ARG_LIMIT=32 CONFIG_CROSS_COMPILE="" -CONFIG_LOCALVERSION="-mempo.desk.0.2.136" +CONFIG_LOCALVERSION="-mempo.desk.0.2.137" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_HAVE_KERNEL_GZIP=y CONFIG_HAVE_KERNEL_BZIP2=y diff --git a/kernel-build/linux-mempo/configs-kernel/deb7-deskmax.kernel-config b/kernel-build/linux-mempo/configs-kernel/deb7-deskmax.kernel-config index 5c70765..61ab405 100644 --- a/kernel-build/linux-mempo/configs-kernel/deb7-deskmax.kernel-config +++ b/kernel-build/linux-mempo/configs-kernel/deb7-deskmax.kernel-config @@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y CONFIG_EXPERIMENTAL=y CONFIG_INIT_ENV_ARG_LIMIT=32 CONFIG_CROSS_COMPILE="" -CONFIG_LOCALVERSION="-mempo.deskmax.0.2.136" +CONFIG_LOCALVERSION="-mempo.deskmax.0.2.137" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_HAVE_KERNEL_GZIP=y CONFIG_HAVE_KERNEL_BZIP2=y diff --git a/kernel-build/linux-mempo/configs-kernel/deb7-deskmaxdbg.kernel-config b/kernel-build/linux-mempo/configs-kernel/deb7-deskmaxdbg.kernel-config index 7893e81..10045c1 100644 --- a/kernel-build/linux-mempo/configs-kernel/deb7-deskmaxdbg.kernel-config +++ b/kernel-build/linux-mempo/configs-kernel/deb7-deskmaxdbg.kernel-config @@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y CONFIG_EXPERIMENTAL=y CONFIG_INIT_ENV_ARG_LIMIT=32 CONFIG_CROSS_COMPILE="" -CONFIG_LOCALVERSION="-mempo.deskmaxdbg.0.2.136" +CONFIG_LOCALVERSION="-mempo.deskmaxdbg.0.2.137" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_HAVE_KERNEL_GZIP=y CONFIG_HAVE_KERNEL_BZIP2=y diff --git a/kernel-build/linux-mempo/configs-kernel/deb7-insecuregrsoff.kernel-config b/kernel-build/linux-mempo/configs-kernel/deb7-insecuregrsoff.kernel-config index 55b4a6f..e22e9df 100644 --- a/kernel-build/linux-mempo/configs-kernel/deb7-insecuregrsoff.kernel-config +++ b/kernel-build/linux-mempo/configs-kernel/deb7-insecuregrsoff.kernel-config @@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y CONFIG_EXPERIMENTAL=y CONFIG_INIT_ENV_ARG_LIMIT=32 CONFIG_CROSS_COMPILE="" -CONFIG_LOCALVERSION="-mempo.insecuregrsoff.0.2.136" +CONFIG_LOCALVERSION="-mempo.insecuregrsoff.0.2.137" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_HAVE_KERNEL_GZIP=y CONFIG_HAVE_KERNEL_BZIP2=y diff --git a/kernel-build/linux-mempo/configs-kernel/deb7-serv.kernel-config b/kernel-build/linux-mempo/configs-kernel/deb7-serv.kernel-config index eb67c0f..ff4ced1 100644 --- a/kernel-build/linux-mempo/configs-kernel/deb7-serv.kernel-config +++ b/kernel-build/linux-mempo/configs-kernel/deb7-serv.kernel-config @@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y CONFIG_EXPERIMENTAL=y CONFIG_INIT_ENV_ARG_LIMIT=32 CONFIG_CROSS_COMPILE="" -CONFIG_LOCALVERSION="-mempo.serv.0.2.136" +CONFIG_LOCALVERSION="-mempo.serv.0.2.137" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_HAVE_KERNEL_GZIP=y CONFIG_HAVE_KERNEL_BZIP2=y diff --git a/kernel-build/linux-mempo/configs-kernel/deb7-servmax.kernel-config b/kernel-build/linux-mempo/configs-kernel/deb7-servmax.kernel-config index 6055d75..bbe9b81 100644 --- a/kernel-build/linux-mempo/configs-kernel/deb7-servmax.kernel-config +++ b/kernel-build/linux-mempo/configs-kernel/deb7-servmax.kernel-config @@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y CONFIG_EXPERIMENTAL=y CONFIG_INIT_ENV_ARG_LIMIT=32 CONFIG_CROSS_COMPILE="" -CONFIG_LOCALVERSION="-mempo.servmax.0.2.136" +CONFIG_LOCALVERSION="-mempo.servmax.0.2.137" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_HAVE_KERNEL_GZIP=y CONFIG_HAVE_KERNEL_BZIP2=y diff --git a/kernel-build/linux-mempo/configs-kernel/deb7-servmaxdbg.kernel-config b/kernel-build/linux-mempo/configs-kernel/deb7-servmaxdbg.kernel-config index d2ca9d3..b3cf3a9 100644 --- a/kernel-build/linux-mempo/configs-kernel/deb7-servmaxdbg.kernel-config +++ b/kernel-build/linux-mempo/configs-kernel/deb7-servmaxdbg.kernel-config @@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y CONFIG_EXPERIMENTAL=y CONFIG_INIT_ENV_ARG_LIMIT=32 CONFIG_CROSS_COMPILE="" -CONFIG_LOCALVERSION="-mempo.servmaxdbg.0.2.136" +CONFIG_LOCALVERSION="-mempo.servmaxdbg.0.2.137" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_HAVE_KERNEL_GZIP=y CONFIG_HAVE_KERNEL_BZIP2=y diff --git a/kernel-build/linux-mempo/configs-kernel/deb7-vanilladbg.kernel-config b/kernel-build/linux-mempo/configs-kernel/deb7-vanilladbg.kernel-config index 5d764ba..abdb82c 100644 --- a/kernel-build/linux-mempo/configs-kernel/deb7-vanilladbg.kernel-config +++ b/kernel-build/linux-mempo/configs-kernel/deb7-vanilladbg.kernel-config @@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y CONFIG_EXPERIMENTAL=y CONFIG_INIT_ENV_ARG_LIMIT=32 CONFIG_CROSS_COMPILE="" -CONFIG_LOCALVERSION="-mempo.vanilladbg.0.2.136" +CONFIG_LOCALVERSION="-mempo.vanilladbg.0.2.137" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_HAVE_KERNEL_GZIP=y CONFIG_HAVE_KERNEL_BZIP2=y diff --git a/kernel-build/linux-mempo/configs-kernel/deb7-zero.kernel-config b/kernel-build/linux-mempo/configs-kernel/deb7-zero.kernel-config index 914c67b..82a46c2 100644 --- a/kernel-build/linux-mempo/configs-kernel/deb7-zero.kernel-config +++ b/kernel-build/linux-mempo/configs-kernel/deb7-zero.kernel-config @@ -58,7 +58,7 @@ CONFIG_EXPERIMENTAL=y CONFIG_BROKEN_ON_SMP=y CONFIG_INIT_ENV_ARG_LIMIT=32 CONFIG_CROSS_COMPILE="" -CONFIG_LOCALVERSION="-mempo.zero.0.2.136" +CONFIG_LOCALVERSION="-mempo.zero.0.2.137" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_HAVE_KERNEL_GZIP=y CONFIG_HAVE_KERNEL_BZIP2=y diff --git a/kernel-build/linux-mempo/env-data.sh b/kernel-build/linux-mempo/env-data.sh index ab137f9..fede9a9 100755 --- a/kernel-build/linux-mempo/env-data.sh +++ b/kernel-build/linux-mempo/env-data.sh @@ -1,5 +1,5 @@ # place for STATIC settings for release. [autogenerated] -export kernel_general_version="3.2.69" # base version (should match the one is sourcecode.list) -export KERNEL_DATE='2015-08-02 00:16:17' # UTC time of mempo version. This is > then max(kernel,grsec,patches) times -export CURRENT_SEED='1184c4861ddd73b5adb31adf2ccd02251f80958d3c8a13461e234667edb94e62' # block 826275 (*) +export kernel_general_version="3.2.70" # base version (should match the one is sourcecode.list) +export KERNEL_DATE='2015-08-11 10:12:02' # UTC time of mempo version. This is > then max(kernel,grsec,patches) times +export CURRENT_SEED='36cc0c0b00fefda5b8376bdf142bc6d0a9d6718302dce9bc5ed30163b79edeb9' # block 831687 (*) export DEBIAN_REVISION='001' # see README.md how to update it on git tag, on rc and final releases diff --git a/kernel-build/linux-mempo/sourcecode.list b/kernel-build/linux-mempo/sourcecode.list index 20ebae2..791ee35 100644 --- a/kernel-build/linux-mempo/sourcecode.list +++ b/kernel-build/linux-mempo/sourcecode.list @@ -1,4 +1,4 @@ -V,ID_kernel_vanilla_ID,x,kernel,linux-3.2.69.tar,sha256,c574b6872e329ede400d4e413c4add4cc59bb81b327de02dc6e4c10e47c31dc2,./ -P,ID_grsecurity_main_ID,x,grsecurity,grsecurity-3.1-3.2.69-201508011610.patch,sha256,5ce8af9f0aafa510a8835120b1f36e319ec31a48284ddd1f55ca167bd2637565,./tmp-path/ +V,ID_kernel_vanilla_ID,x,kernel,linux-3.2.70.tar,sha256,0cbac3ea8d97946e7d184f21cce888e113701934b7a5b4f0a6714819efdad473,./ +P,ID_grsecurity_main_ID,x,grsecurity,grsecurity-3.1-3.2.70-201508102127.patch,sha256,,./tmp-path/ P,ID_mempo_grsec_ID,x,mempo,grsecurity-3.0-3.2.55-201402152203-mempo-extra.patch,sha256,a8e81062e44ea899af688a326aaebcfd86d759da69b39f6ed66b7a8e7bcf9a8d,./tmp-path/ P,ID_mempo_determ_ID,x,mempo,linux-3.2.57-grsec-deterministic-build.patch,sha256,aca4001855c4c822c78aee90acc8706a3ffb3b5e4d42f07b4ffe827190d77d59,./tmp-path/ diff --git a/kernel-sources/grsecurity/changelog-stable.txt b/kernel-sources/grsecurity/changelog-stable.txt index adac82b..9d6f713 100644 --- a/kernel-sources/grsecurity/changelog-stable.txt +++ b/kernel-sources/grsecurity/changelog-stable.txt @@ -1,3 +1,69 @@ +commit 13e09e261792b1cdb577d89af5cdf7dafe6403b1 +Author: Dan Carpenter +Date: Sat Aug 1 15:33:26 2015 +0300 + + rds: fix an integer overflow test in rds_info_getsockopt() + + "len" is a signed integer. We check that len is not negative, so it + goes from zero to INT_MAX. PAGE_SIZE is unsigned long so the comparison + is type promoted to unsigned long. ULONG_MAX - 4095 is a higher than + INT_MAX so the condition can never be true. + + I don't know if this is harmful but it seems safe to limit "len" to + INT_MAX - 4095. + + Fixes: a8c879a7ee98 ('RDS: Info and stats') + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + net/rds/info.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5f71a17e4b3f406474055ef8723e55f82118517c +Author: Brad Spengler +Date: Mon Aug 10 02:39:35 2015 -0400 + + Backport virtio-net security fix by Jason Wang from: + http://marc.info/?l=linux-netdev&m=143868216724068&w=2 + + drivers/net/virtio_net.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 655452be4ba3abe1864d157001723762498432f7 +Merge: a6667a3 92efcfe +Author: Brad Spengler +Date: Mon Aug 10 01:50:01 2015 -0400 + + Merge branch 'pax-stable' into grsec-stable + + Conflicts: + arch/mips/kernel/irq.c + kernel/trace/trace_events_filter.c + +commit 92efcfeca5be11a36c8a089a374d9396764e397d +Merge: 16c1a7a 058fbb1 +Author: Brad Spengler +Date: Mon Aug 10 01:48:25 2015 -0400 + + Update to pax-linux-3.2.70-test179.patch: + + Merge branch 'linux-3.2.y' into pax-stable + + Conflicts: + arch/arm/include/asm/elf.h + arch/powerpc/mm/mmap_64.c + fs/binfmt_elf.c + +commit a6667a39ecfc62cad6ae68e7f38f7b40f6dd559f +Author: Brad Spengler +Date: Sun Aug 2 08:26:16 2015 -0400 + + Update plugins from 4.1 tree to fix reported compilation errors + + tools/gcc/kernexec_plugin.c | 8 ++++++-- + tools/gcc/stackleak_plugin.c | 8 ++++++-- + 2 files changed, 12 insertions(+), 4 deletions(-) + commit 5088787d1a19583ff0a46387a108e3b99c11bf92 Author: Benjamin Randazzo Date: Sat Jul 25 16:36:50 2015 +0200 diff --git a/kernel-sources/grsecurity/grsecurity-3.1-3.2.69-201508011610.patch.sig b/kernel-sources/grsecurity/grsecurity-3.1-3.2.69-201508011610.patch.sig deleted file mode 100644 index 3005a43..0000000 Binary files a/kernel-sources/grsecurity/grsecurity-3.1-3.2.69-201508011610.patch.sig and /dev/null differ diff --git a/kernel-sources/grsecurity/grsecurity-3.1-3.2.69-201508011610.patch b/kernel-sources/grsecurity/grsecurity-3.1-3.2.70-201508102127.patch similarity index 99% rename from kernel-sources/grsecurity/grsecurity-3.1-3.2.69-201508011610.patch rename to kernel-sources/grsecurity/grsecurity-3.1-3.2.70-201508102127.patch index 5120321..9aaf5cc 100644 --- a/kernel-sources/grsecurity/grsecurity-3.1-3.2.69-201508011610.patch +++ b/kernel-sources/grsecurity/grsecurity-3.1-3.2.70-201508102127.patch @@ -315,7 +315,7 @@ index 2a68089..b3300e1 100644 A toggle value indicating if modules are allowed to be loaded diff --git a/Makefile b/Makefile -index 8071888..b024b7b 100644 +index 41a626b..31e889e 100644 --- a/Makefile +++ b/Makefile @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -1693,14 +1693,14 @@ index af18cea..b5dc173 100644 #endif /* __ASSEMBLY__ */ diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h -index 0e9ce8d..6ef1e03 100644 +index a4b1186..6ef1e03 100644 --- a/arch/arm/include/asm/elf.h +++ b/arch/arm/include/asm/elf.h @@ -116,7 +116,14 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs); the loader. We need to make sure that it is out of the way of the program that it will "exec", and that there is sufficient room for the brk. */ --#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3) +-#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2) +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2) + +#ifdef CONFIG_PAX_ASLR @@ -4188,21 +4188,19 @@ index 883fc6c..28c0acd 100644 void __init gt641xx_irq_init(void) diff --git a/arch/mips/kernel/irq.c b/arch/mips/kernel/irq.c -index 7f50318..20685b9 100644 +index 6e489e5..79e10cb 100644 --- a/arch/mips/kernel/irq.c +++ b/arch/mips/kernel/irq.c -@@ -111,7 +111,10 @@ void __init init_IRQ(void) - #endif +@@ -112,6 +112,8 @@ void __init init_IRQ(void) } + #ifdef CONFIG_DEBUG_STACKOVERFLOW + - #ifdef DEBUG_STACKOVERFLOW +extern void gr_handle_kernel_exploit(void); -+ static inline void check_stack_overflow(void) { unsigned long sp; -@@ -127,6 +130,7 @@ static inline void check_stack_overflow(void) +@@ -127,6 +129,7 @@ static inline void check_stack_overflow(void) printk("do_IRQ: stack overflow: %ld\n", sp - sizeof(struct thread_info)); dump_stack(); @@ -4472,10 +4470,10 @@ index 302d779..b8b4e97 100644 - return ret; -} diff --git a/arch/mips/pci/pci-octeon.c b/arch/mips/pci/pci-octeon.c -index ed1c542..88552ac 100644 +index 66d3c38..fed57fa 100644 --- a/arch/mips/pci/pci-octeon.c +++ b/arch/mips/pci/pci-octeon.c -@@ -335,8 +335,8 @@ static int octeon_write_config(struct pci_bus *bus, unsigned int devfn, +@@ -329,8 +329,8 @@ static int octeon_write_config(struct pci_bus *bus, unsigned int devfn, static struct pci_ops octeon_pci_ops = { @@ -4487,10 +4485,10 @@ index ed1c542..88552ac 100644 static struct resource octeon_pci_mem_resource = { diff --git a/arch/mips/pci/pcie-octeon.c b/arch/mips/pci/pcie-octeon.c -index 0583c463..c07a38e 100644 +index 37a8790..dd636c1 100644 --- a/arch/mips/pci/pcie-octeon.c +++ b/arch/mips/pci/pcie-octeon.c -@@ -1238,8 +1238,8 @@ static int octeon_pcie1_write_config(struct pci_bus *bus, unsigned int devfn, +@@ -1235,8 +1235,8 @@ static int octeon_pcie1_write_config(struct pci_bus *bus, unsigned int devfn, } static struct pci_ops octeon_pcie0_ops = { @@ -4501,7 +4499,7 @@ index 0583c463..c07a38e 100644 }; static struct resource octeon_pcie0_mem_resource = { -@@ -1259,8 +1259,8 @@ static struct pci_controller octeon_pcie0_controller = { +@@ -1256,8 +1256,8 @@ static struct pci_controller octeon_pcie0_controller = { }; static struct pci_ops octeon_pcie1_ops = { @@ -6337,13 +6335,13 @@ index 7450843..9f8cfc7 100644 return 0; } diff --git a/arch/powerpc/mm/mmap_64.c b/arch/powerpc/mm/mmap_64.c -index 5a783d8..522eb00 100644 +index 67a42ed..333731a 100644 --- a/arch/powerpc/mm/mmap_64.c +++ b/arch/powerpc/mm/mmap_64.c -@@ -61,10 +61,14 @@ static inline int mmap_is_legacy(void) - * - * To avoid this we can shift the randomness by 1 bit. - */ +@@ -53,10 +53,14 @@ static inline int mmap_is_legacy(void) + return sysctl_legacy_va_layout; + } + -static unsigned long mmap_rnd(void) +static unsigned long mmap_rnd(struct mm_struct *mm) { @@ -6356,8 +6354,8 @@ index 5a783d8..522eb00 100644 if (current->flags & PF_RANDOMIZE) { /* 8MB for 32bit, 1GB for 64bit */ if (is_32bit_task()) -@@ -75,7 +79,7 @@ static unsigned long mmap_rnd(void) - return (rnd << PAGE_SHIFT) * 2; +@@ -67,7 +71,7 @@ static unsigned long mmap_rnd(void) + return rnd << PAGE_SHIFT; } -static inline unsigned long mmap_base(void) @@ -6365,7 +6363,7 @@ index 5a783d8..522eb00 100644 { unsigned long gap = rlimit(RLIMIT_STACK); -@@ -84,7 +88,7 @@ static inline unsigned long mmap_base(void) +@@ -76,7 +80,7 @@ static inline unsigned long mmap_base(void) else if (gap > MAX_GAP) gap = MAX_GAP; @@ -6374,7 +6372,7 @@ index 5a783d8..522eb00 100644 } /* -@@ -99,10 +103,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm) +@@ -91,10 +95,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm) */ if (mmap_is_legacy()) { mm->mmap_base = TASK_UNMAPPED_BASE; @@ -8258,7 +8256,7 @@ index 42b282f..408977c 100644 addr = vmm->vm_end; if (flags & MAP_SHARED) diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c -index 5e4252b..379f84f 100644 +index 0ff682d..60e979d 100644 --- a/arch/sparc/kernel/sys_sparc_64.c +++ b/arch/sparc/kernel/sys_sparc_64.c @@ -119,12 +119,13 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi @@ -10487,7 +10485,7 @@ index ad8f795..2c7eec6 100644 /* * Memory returned by kmalloc() may be used for DMA, so we must make diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 28a1bca..0443883 100644 +index d720208..5653761 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -75,6 +75,7 @@ config X86 @@ -10498,7 +10496,7 @@ index 28a1bca..0443883 100644 select ARCH_SUPPORTS_ATOMIC_RMW config INSTRUCTION_DECODER -@@ -236,7 +237,7 @@ config X86_HT +@@ -237,7 +238,7 @@ config X86_HT config X86_32_LAZY_GS def_bool y @@ -10507,7 +10505,7 @@ index 28a1bca..0443883 100644 config ARCH_HWEIGHT_CFLAGS string -@@ -526,6 +527,7 @@ config SCHED_OMIT_FRAME_POINTER +@@ -527,6 +528,7 @@ config SCHED_OMIT_FRAME_POINTER menuconfig PARAVIRT_GUEST bool "Paravirtualized guest support" @@ -10515,7 +10513,7 @@ index 28a1bca..0443883 100644 ---help--- Say Y here to get to see options related to running Linux under various hypervisors. This option alone does not add any kernel code. -@@ -903,6 +905,7 @@ config VM86 +@@ -904,6 +906,7 @@ config VM86 config X86_16BIT bool "Enable support for 16-bit segments" if EXPERT @@ -10523,7 +10521,7 @@ index 28a1bca..0443883 100644 default y ---help--- This option is required by programs like Wine to run 16-bit -@@ -1040,7 +1043,7 @@ choice +@@ -1041,7 +1044,7 @@ choice config NOHIGHMEM bool "off" @@ -10532,7 +10530,7 @@ index 28a1bca..0443883 100644 ---help--- Linux can use up to 64 Gigabytes of physical memory on x86 systems. However, the address space of 32-bit x86 processors is only 4 -@@ -1077,7 +1080,7 @@ config NOHIGHMEM +@@ -1078,7 +1081,7 @@ config NOHIGHMEM config HIGHMEM4G bool "4GB" @@ -10541,7 +10539,7 @@ index 28a1bca..0443883 100644 ---help--- Select this if you have a 32-bit processor and between 1 and 4 gigabytes of physical RAM. -@@ -1131,7 +1134,7 @@ config PAGE_OFFSET +@@ -1132,7 +1135,7 @@ config PAGE_OFFSET hex default 0xB0000000 if VMSPLIT_3G_OPT default 0x80000000 if VMSPLIT_2G @@ -10550,7 +10548,7 @@ index 28a1bca..0443883 100644 default 0x40000000 if VMSPLIT_1G default 0xC0000000 depends on X86_32 -@@ -1514,6 +1517,7 @@ config SECCOMP +@@ -1515,6 +1518,7 @@ config SECCOMP config CC_STACKPROTECTOR bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)" @@ -10558,7 +10556,7 @@ index 28a1bca..0443883 100644 ---help--- This option turns on the -fstack-protector GCC feature. This feature puts, at the beginning of functions, a canary value on -@@ -1532,6 +1536,7 @@ source kernel/Kconfig.hz +@@ -1533,6 +1537,7 @@ source kernel/Kconfig.hz config KEXEC bool "kexec system call" @@ -10566,7 +10564,7 @@ index 28a1bca..0443883 100644 ---help--- kexec is a system call that implements the ability to shutdown your current kernel, and to start another kernel. It is like a reboot -@@ -1634,6 +1639,8 @@ config X86_NEED_RELOCS +@@ -1635,6 +1640,8 @@ config X86_NEED_RELOCS config PHYSICAL_ALIGN hex "Alignment value to which kernel should be aligned" if X86_32 default "0x1000000" @@ -10575,7 +10573,7 @@ index 28a1bca..0443883 100644 range 0x2000 0x1000000 ---help--- This value puts the alignment restrictions on physical address -@@ -1665,9 +1672,10 @@ config HOTPLUG_CPU +@@ -1666,9 +1673,10 @@ config HOTPLUG_CPU Say N if you want to disable CPU hotplug. config COMPAT_VDSO @@ -10587,7 +10585,7 @@ index 28a1bca..0443883 100644 ---help--- Map the 32-bit VDSO to the predictable old-style address too. -@@ -1720,6 +1728,22 @@ config CMDLINE_OVERRIDE +@@ -1721,6 +1729,22 @@ config CMDLINE_OVERRIDE This is used to work around broken boot loaders. This should be set to 'N' under normal conditions. @@ -23597,7 +23595,7 @@ index 42eb330..139955c 100644 return ret; diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c -index 41b2f57..9dd7145 100644 +index 78842ce..2e4b56d 100644 --- a/arch/x86/kernel/reboot.c +++ b/arch/x86/kernel/reboot.c @@ -35,7 +35,7 @@ void (*pm_power_off)(void); @@ -23700,7 +23698,7 @@ index 41b2f57..9dd7145 100644 { int i; int attempt = 0; -@@ -717,13 +749,13 @@ void native_machine_shutdown(void) +@@ -720,13 +752,13 @@ void native_machine_shutdown(void) #endif } @@ -23716,7 +23714,7 @@ index 41b2f57..9dd7145 100644 { printk("machine restart\n"); -@@ -732,7 +764,7 @@ static void native_machine_restart(char *__unused) +@@ -735,7 +767,7 @@ static void native_machine_restart(char *__unused) __machine_emergency_restart(0); } @@ -23725,7 +23723,7 @@ index 41b2f57..9dd7145 100644 { /* stop other cpus and apics */ machine_shutdown(); -@@ -743,7 +775,7 @@ static void native_machine_halt(void) +@@ -746,7 +778,7 @@ static void native_machine_halt(void) stop_this_cpu(NULL); } @@ -23734,7 +23732,7 @@ index 41b2f57..9dd7145 100644 { if (pm_power_off) { if (!reboot_force) -@@ -752,9 +784,10 @@ static void native_machine_power_off(void) +@@ -755,9 +787,10 @@ static void native_machine_power_off(void) } /* a fallback in case there is no PM info available */ tboot_shutdown(TB_SHUTDOWN_HALT); @@ -25424,7 +25422,7 @@ index 176205a..920cd58 100644 #define APIC_LVT_NUM 6 /* 14 is the version for Xeon and Pentium 8.4.8*/ diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c -index bfc9507..bf85b38 100644 +index 4a949c7..a1e965f 100644 --- a/arch/x86/kvm/mmu.c +++ b/arch/x86/kvm/mmu.c @@ -3558,7 +3558,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa, @@ -25495,7 +25493,7 @@ index 7a2d9d6..0e8286c 100644 local_irq_disable(); diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index 8831c43..98f1a3e 100644 +index 421958f..79e1420 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -1100,12 +1100,12 @@ static void vmcs_write64(unsigned long field, u64 value) @@ -25550,7 +25548,7 @@ index 8831c43..98f1a3e 100644 if (enable_ept && !cpu_has_vmx_ept_2m_page()) kvm_disable_largepages(); -@@ -3638,7 +3649,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) +@@ -3646,7 +3657,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) unsigned long cr4; vmcs_writel(HOST_CR0, read_cr0() | X86_CR0_TS); /* 22.2.3 */ @@ -25561,7 +25559,7 @@ index 8831c43..98f1a3e 100644 /* Save the most likely value for this task's CR4 in the VMCS. */ cr4 = read_cr4(); -@@ -3655,7 +3669,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) +@@ -3663,7 +3677,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */ asm("mov $.Lkvm_vmx_return, %0" : "=r"(tmpl)); @@ -25570,7 +25568,7 @@ index 8831c43..98f1a3e 100644 rdmsr(MSR_IA32_SYSENTER_CS, low32, high32); vmcs_write32(HOST_IA32_SYSENTER_CS, low32); -@@ -6206,6 +6220,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -6214,6 +6228,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) "jmp .Lkvm_vmx_return \n\t" ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t" ".Lkvm_vmx_return: " @@ -25583,7 +25581,7 @@ index 8831c43..98f1a3e 100644 /* Save guest registers, load host registers, keep flags */ "mov %0, %c[wordsize](%%"R"sp) \n\t" "pop %0 \n\t" -@@ -6254,6 +6274,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -6262,6 +6282,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) #endif [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)), [wordsize]"i"(sizeof(ulong)) @@ -25595,7 +25593,7 @@ index 8831c43..98f1a3e 100644 : "cc", "memory" , R"ax", R"bx", R"di", R"si" #ifdef CONFIG_X86_64 -@@ -6282,7 +6307,16 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -6290,7 +6315,16 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) } } @@ -28443,7 +28441,7 @@ index e218d5d..3966c85 100644 +EXPORT_SYMBOL(set_fs); +#endif diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c -index 554b7b5..4027e2c 100644 +index 433b21d..466fd0c 100644 --- a/arch/x86/lib/usercopy_64.c +++ b/arch/x86/lib/usercopy_64.c @@ -42,6 +42,12 @@ long @@ -31046,7 +31044,7 @@ index 6687022..ceabcfa 100644 + pax_force_retaddr ret diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c -index 5a5b6e4..07b4acb 100644 +index 11e3100..db113e1 100644 --- a/arch/x86/net/bpf_jit_comp.c +++ b/arch/x86/net/bpf_jit_comp.c @@ -11,6 +11,7 @@ @@ -31241,7 +31239,7 @@ index 5a5b6e4..07b4acb 100644 addrs[i] = proglen; } cleanup_addr = proglen; /* epilogue address */ -@@ -221,6 +337,10 @@ void bpf_jit_compile(struct sk_filter *fp) +@@ -226,6 +342,10 @@ void bpf_jit_compile(struct sk_filter *fp) for (i = 0; i < flen; i++) { unsigned int K = filter[i].k; @@ -31252,7 +31250,7 @@ index 5a5b6e4..07b4acb 100644 switch (filter[i].code) { case BPF_S_ALU_ADD_X: /* A += X; */ seen |= SEEN_XREG; -@@ -253,10 +373,8 @@ void bpf_jit_compile(struct sk_filter *fp) +@@ -258,10 +378,8 @@ void bpf_jit_compile(struct sk_filter *fp) case BPF_S_ALU_MUL_K: /* A *= K */ if (is_imm8(K)) EMIT3(0x6b, 0xc0, K); /* imul imm8,%eax,%eax */ @@ -31265,7 +31263,7 @@ index 5a5b6e4..07b4acb 100644 break; case BPF_S_ALU_DIV_X: /* A /= X; */ seen |= SEEN_XREG; -@@ -269,15 +387,21 @@ void bpf_jit_compile(struct sk_filter *fp) +@@ -274,15 +392,21 @@ void bpf_jit_compile(struct sk_filter *fp) EMIT_COND_JMP(X86_JE, addrs[pc_ret0 - 1] - (addrs[i] - 4)); } else { @@ -31288,7 +31286,7 @@ index 5a5b6e4..07b4acb 100644 EMIT4(0x48, 0xc1, 0xe8, 0x20); /* shr $0x20,%rax */ break; case BPF_S_ALU_AND_X: -@@ -477,7 +601,7 @@ void bpf_jit_compile(struct sk_filter *fp) +@@ -482,7 +606,7 @@ void bpf_jit_compile(struct sk_filter *fp) common_load: seen |= SEEN_DATAREF; if ((int)K < 0) { /* Abort the JIT because __load_pointer() is needed. */ @@ -31297,7 +31295,7 @@ index 5a5b6e4..07b4acb 100644 } t_offset = func - (image + addrs[i]); EMIT1_off32(0xbe, K); /* mov imm32,%esi */ -@@ -492,7 +616,7 @@ common_load: seen |= SEEN_DATAREF; +@@ -497,7 +621,7 @@ common_load: seen |= SEEN_DATAREF; case BPF_S_LDX_B_MSH: if ((int)K < 0) { /* Abort the JIT because __load_pointer() is needed. */ @@ -31306,7 +31304,7 @@ index 5a5b6e4..07b4acb 100644 } seen |= SEEN_DATAREF | SEEN_XREG; t_offset = sk_load_byte_msh - (image + addrs[i]); -@@ -572,7 +696,7 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; +@@ -577,7 +701,7 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; } if (filter[i].jt != 0) { if (filter[i].jf && f_offset) @@ -31315,7 +31313,7 @@ index 5a5b6e4..07b4acb 100644 EMIT_COND_JMP(t_op, t_offset); if (filter[i].jf) EMIT_JMP(f_offset); -@@ -582,17 +706,18 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; +@@ -587,17 +711,18 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; break; default: /* hmm, too complex filter, give up with jit compiler */ @@ -31338,7 +31336,7 @@ index 5a5b6e4..07b4acb 100644 } proglen += ilen; addrs[i] = proglen; -@@ -613,11 +738,9 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; +@@ -618,11 +743,9 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; break; } if (proglen == oldproglen) { @@ -31352,7 +31350,7 @@ index 5a5b6e4..07b4acb 100644 } oldproglen = proglen; } -@@ -633,7 +756,10 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; +@@ -638,7 +761,10 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; bpf_flush_icache(image, image + proglen); fp->bpf_func = (void *)image; @@ -31364,7 +31362,7 @@ index 5a5b6e4..07b4acb 100644 out: kfree(addrs); return; -@@ -641,18 +767,20 @@ out: +@@ -646,18 +772,20 @@ out: static void jit_free_defer(struct work_struct *arg) { @@ -33729,10 +33727,10 @@ index cb842a8..6688e24 100644 * Broken _BQC workaround http://bugzilla.kernel.org/show_bug.cgi?id=13121 */ diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c -index de2802c..2260da9 100644 +index 41ffb8c..2afaff8 100644 --- a/drivers/ata/libahci.c +++ b/drivers/ata/libahci.c -@@ -1211,7 +1211,7 @@ int ahci_kick_engine(struct ata_port *ap) +@@ -1212,7 +1212,7 @@ int ahci_kick_engine(struct ata_port *ap) } EXPORT_SYMBOL_GPL(ahci_kick_engine); @@ -33742,7 +33740,7 @@ index de2802c..2260da9 100644 unsigned long timeout_msec) { diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c -index 5d8fc3d..d537f03 100644 +index fcd8586..19ba966 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -4790,7 +4790,7 @@ void ata_qc_free(struct ata_queued_cmd *qc) @@ -38367,10 +38365,10 @@ index b153674..ad2ba9b 100644 PCI_DEVICE(PCI_VENDOR_ID_RADISYS, R82600_BRIDGE_ID) }, diff --git a/drivers/edac/sb_edac.c b/drivers/edac/sb_edac.c -index da71881..8d7d62c 100644 +index f8f790c..b43f147 100644 --- a/drivers/edac/sb_edac.c +++ b/drivers/edac/sb_edac.c -@@ -367,7 +367,7 @@ static const struct pci_id_table pci_dev_descr_sbridge_table[] = { +@@ -368,7 +368,7 @@ static const struct pci_id_table pci_dev_descr_sbridge_table[] = { /* * pci_device_id table for which devices we are looking for */ @@ -38482,10 +38480,10 @@ index 94a58a0..f5eba42 100644 container_of(_dev_attr, struct dmi_device_attribute, dev_attr) diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c -index 2861ef4..9e90c69 100644 +index 20f7daa..91678be 100644 --- a/drivers/firmware/dmi_scan.c +++ b/drivers/firmware/dmi_scan.c -@@ -490,11 +490,6 @@ void __init dmi_scan_machine(void) +@@ -488,11 +488,6 @@ void __init dmi_scan_machine(void) } } else { @@ -38497,7 +38495,7 @@ index 2861ef4..9e90c69 100644 p = dmi_ioremap(0xF0000, 0x10000); if (p == NULL) goto error; -@@ -775,7 +770,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *), +@@ -770,7 +765,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *), if (buf == NULL) return -1; @@ -40584,10 +40582,10 @@ index 4ef02b2..8a96831 100644 for (i = 0; i < hid->maxcollection; i++) diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c -index 44a1ea4..21cce84 100644 +index a7e6f03..a2b6d86 100644 --- a/drivers/hv/channel.c +++ b/drivers/hv/channel.c -@@ -403,8 +403,8 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer, +@@ -406,8 +406,8 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer, unsigned long flags; int ret = 0; @@ -43051,7 +43049,7 @@ index 614ebeb..ce439fd 100644 .callback = ss4200_led_dmi_callback, .ident = "Intel SS4200-E", diff --git a/drivers/lguest/core.c b/drivers/lguest/core.c -index b5fdcb7..3cb34b8 100644 +index 34842e5..3cb34b8 100644 --- a/drivers/lguest/core.c +++ b/drivers/lguest/core.c @@ -92,9 +92,17 @@ static __init int map_switcher(void) @@ -43081,15 +43079,6 @@ index b5fdcb7..3cb34b8 100644 end_switcher_text - start_switcher_text); printk(KERN_INFO "lguest: mapped switcher at %p\n", -@@ -171,7 +179,7 @@ static void unmap_switcher(void) - bool lguest_address_ok(const struct lguest *lg, - unsigned long addr, unsigned long len) - { -- return (addr+len) / PAGE_SIZE < lg->pfn_limit && (addr+len >= addr); -+ return addr+len <= lg->pfn_limit * PAGE_SIZE && (addr+len >= addr); - } - - /* diff --git a/drivers/lguest/page_tables.c b/drivers/lguest/page_tables.c index 3b62be16..e33134a 100644 --- a/drivers/lguest/page_tables.c @@ -43750,7 +43739,7 @@ index abac83a..3652f35 100644 rdev_dec_pending(rdev, mddev); diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c -index c293d9c..808ae97 100644 +index 6056ee7..a4c3ba4 100644 --- a/drivers/md/raid5.c +++ b/drivers/md/raid5.c @@ -598,23 +598,23 @@ async_copy_data(int frombio, struct bio *bio, struct page *page, @@ -43806,7 +43795,7 @@ index c293d9c..808ae97 100644 sprintf(conf->cache_name[1], "%s-alt", conf->cache_name[0]); conf->active_name = 0; -@@ -1618,19 +1626,19 @@ static void raid5_end_read_request(struct bio * bi, int error) +@@ -1619,19 +1627,19 @@ static void raid5_end_read_request(struct bio * bi, int error) (unsigned long long)(sh->sector + rdev->data_offset), bdevname(rdev->bdev, b)); @@ -43830,7 +43819,7 @@ index c293d9c..808ae97 100644 if (conf->mddev->degraded >= conf->max_degraded) printk_ratelimited( KERN_WARNING -@@ -1650,7 +1658,7 @@ static void raid5_end_read_request(struct bio * bi, int error) +@@ -1651,7 +1659,7 @@ static void raid5_end_read_request(struct bio * bi, int error) (unsigned long long)(sh->sector + rdev->data_offset), bdn); @@ -46997,6 +46986,22 @@ index 3d21742..b8e03e7 100644 // waiting for all pending urbs to complete? if (dev->wait) { if ((dev->txq.qlen + dev->rxq.qlen + dev->done.qlen) == 0) { +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index f13a673..218ebf0 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -981,9 +981,9 @@ static int virtnet_probe(struct virtio_device *vdev) + /* Do we support "hardware" checksums? */ + if (virtio_has_feature(vdev, VIRTIO_NET_F_CSUM)) { + /* This opens up the world of extra features. */ +- dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST; ++ dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG; + if (csum) +- dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST; ++ dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG; + + if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) { + dev->hw_features |= NETIF_F_TSO | NETIF_F_UFO diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c index 28ceef2..655b059 100644 --- a/drivers/net/vmxnet3/vmxnet3_drv.c @@ -48357,7 +48362,7 @@ index 26fba2d..693b4d3 100644 1, asus->debug.method_id, &input, &output); diff --git a/drivers/platform/x86/compal-laptop.c b/drivers/platform/x86/compal-laptop.c -index 8877b83..024cf2c 100644 +index ba3638e..70e74af 100644 --- a/drivers/platform/x86/compal-laptop.c +++ b/drivers/platform/x86/compal-laptop.c @@ -775,7 +775,7 @@ static int dmi_check_cb_extra(const struct dmi_system_id *id) @@ -50086,7 +50091,7 @@ index 21a045e..ec89e03 100644 transport_setup_device(&rport->dev); diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c -index 5c6b5f5..015ec9d 100644 +index a50825b..7995f6ea 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -105,7 +105,7 @@ static void sd_shutdown(struct device *); @@ -50098,7 +50103,7 @@ index 5c6b5f5..015ec9d 100644 static void sd_read_capacity(struct scsi_disk *sdkp, unsigned char *buffer); static void scsi_disk_release(struct device *cdev); static void sd_print_sense_hdr(struct scsi_disk *, struct scsi_sense_hdr *); -@@ -1390,7 +1390,7 @@ static unsigned int sd_completed_bytes(struct scsi_cmnd *scmd) +@@ -1384,7 +1384,7 @@ static unsigned int sd_completed_bytes(struct scsi_cmnd *scmd) * * Note: potentially run from within an ISR. Must not block. **/ @@ -50107,7 +50112,7 @@ index 5c6b5f5..015ec9d 100644 { int result = SCpnt->result; unsigned int good_bytes = result ? 0 : scsi_bufflen(SCpnt); -@@ -2635,7 +2635,7 @@ static int sd_probe(struct device *dev) +@@ -2626,7 +2626,7 @@ static int sd_probe(struct device *dev) device_initialize(&sdkp->dev); sdkp->dev.parent = dev; sdkp->dev.class = &sd_disk_class; @@ -50117,7 +50122,7 @@ index 5c6b5f5..015ec9d 100644 if (device_add(&sdkp->dev)) goto out_free_index; diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index 2d25616..c464bcf 100644 +index b4cac39..c464bcf 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1077,7 +1077,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) @@ -50129,17 +50134,7 @@ index 2d25616..c464bcf 100644 case BLKTRACESTART: return blk_trace_startstop(sdp->device->request_queue, 1); case BLKTRACESTOP: -@@ -1687,6 +1687,9 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd) - md->from_user = 0; - } - -+ if (unlikely(iov_count > UIO_MAXIOV)) -+ return -EINVAL; -+ - if (iov_count) { - int len, size = sizeof(struct sg_iovec) * iov_count; - struct iovec *iov; -@@ -2312,7 +2315,7 @@ struct sg_proc_leaf { +@@ -2315,7 +2315,7 @@ struct sg_proc_leaf { const struct file_operations * fops; }; @@ -50148,7 +50143,7 @@ index 2d25616..c464bcf 100644 {"allow_dio", &adio_fops}, {"debug", &debug_fops}, {"def_reserved_size", &dressz_fops}, -@@ -2327,7 +2330,7 @@ sg_proc_init(void) +@@ -2330,7 +2330,7 @@ sg_proc_init(void) { int k, mask; int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr); @@ -56912,10 +56907,10 @@ index 4a88ac3..d2e1657 100644 EXPORT_SYMBOL_GPL(virtqueue_kick); diff --git a/drivers/xen/events.c b/drivers/xen/events.c -index f6227cc..3e22fab 100644 +index bcf7711..98a489c 100644 --- a/drivers/xen/events.c +++ b/drivers/xen/events.c -@@ -1632,7 +1632,7 @@ void xen_irq_resume(void) +@@ -1636,7 +1636,7 @@ void xen_irq_resume(void) restore_pirqs(); } @@ -56924,7 +56919,7 @@ index f6227cc..3e22fab 100644 .name = "xen-dyn", .irq_disable = disable_dynirq, -@@ -1646,7 +1646,7 @@ static struct irq_chip xen_dynamic_chip __read_mostly = { +@@ -1650,7 +1650,7 @@ static struct irq_chip xen_dynamic_chip __read_mostly = { .irq_retrigger = retrigger_dynirq, }; @@ -56933,7 +56928,7 @@ index f6227cc..3e22fab 100644 .name = "xen-pirq", .irq_startup = startup_pirq, -@@ -1666,7 +1666,7 @@ static struct irq_chip xen_pirq_chip __read_mostly = { +@@ -1670,7 +1670,7 @@ static struct irq_chip xen_pirq_chip __read_mostly = { .irq_retrigger = retrigger_dynirq, }; @@ -57368,7 +57363,7 @@ index a6395bd..f1e376a 100644 (unsigned long) create_aout_tables((char __user *) bprm->p, bprm); #ifdef __alpha__ diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index 2aed667..52b96fd 100644 +index d252462..ebd7fd4 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -32,6 +32,7 @@ @@ -58005,10 +58000,12 @@ index 2aed667..52b96fd 100644 if (elf_read_implies_exec(loc->elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC; -@@ -809,6 +1246,20 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -810,8 +1247,21 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) #else load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr); #endif +- total_size = total_mapping_size(elf_phdata, +- loc->elf_ex.e_phnum); + +#ifdef CONFIG_PAX_RANDMMAP + /* PaX: randomize base address at the default exe base if requested */ @@ -58023,10 +58020,11 @@ index 2aed667..52b96fd 100644 + } +#endif + - } - - error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, -@@ -841,9 +1292,9 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) ++ total_size = total_mapping_size(elf_phdata, loc->elf_ex.e_phnum); + if (!total_size) { + retval = -EINVAL; + goto out_free_dentry; +@@ -848,9 +1298,9 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) * allowed task size. Note that p_filesz must always be * <= p_memsz so it is only necessary to check p_memsz. */ @@ -58039,7 +58037,7 @@ index 2aed667..52b96fd 100644 /* set_brk can never work. Avoid overflows. */ send_sig(SIGKILL, current, 0); retval = -EINVAL; -@@ -882,17 +1333,44 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -889,17 +1339,44 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) goto out_free_dentry; } if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) { @@ -58090,7 +58088,7 @@ index 2aed667..52b96fd 100644 load_bias); if (!IS_ERR((void *)elf_entry)) { /* -@@ -1099,7 +1577,7 @@ out: +@@ -1106,7 +1583,7 @@ out: * Decide what to dump of a segment, part, all or none. */ static unsigned long vma_dump_size(struct vm_area_struct *vma, @@ -58099,7 +58097,7 @@ index 2aed667..52b96fd 100644 { #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type)) -@@ -1133,7 +1611,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, +@@ -1140,7 +1617,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, if (vma->vm_file == NULL) return 0; @@ -58108,7 +58106,7 @@ index 2aed667..52b96fd 100644 goto whole; /* -@@ -1355,9 +1833,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) +@@ -1362,9 +1839,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) { elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv; int i = 0; @@ -58120,7 +58118,7 @@ index 2aed667..52b96fd 100644 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv); } -@@ -1852,14 +2330,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, +@@ -1859,14 +2336,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, } static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma, @@ -58137,7 +58135,7 @@ index 2aed667..52b96fd 100644 return size; } -@@ -1953,7 +2431,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -1960,7 +2437,7 @@ static int elf_core_dump(struct coredump_params *cprm) dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE); @@ -58146,7 +58144,7 @@ index 2aed667..52b96fd 100644 offset += elf_core_extra_data_size(); e_shoff = offset; -@@ -1967,10 +2445,12 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -1974,10 +2451,12 @@ static int elf_core_dump(struct coredump_params *cprm) offset = dataoff; size += sizeof(*elf); @@ -58159,7 +58157,7 @@ index 2aed667..52b96fd 100644 if (size > cprm->limit || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note))) goto end_coredump; -@@ -1984,7 +2464,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -1991,7 +2470,7 @@ static int elf_core_dump(struct coredump_params *cprm) phdr.p_offset = offset; phdr.p_vaddr = vma->vm_start; phdr.p_paddr = 0; @@ -58168,7 +58166,7 @@ index 2aed667..52b96fd 100644 phdr.p_memsz = vma->vm_end - vma->vm_start; offset += phdr.p_filesz; phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0; -@@ -1995,6 +2475,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2002,6 +2481,7 @@ static int elf_core_dump(struct coredump_params *cprm) phdr.p_align = ELF_EXEC_PAGESIZE; size += sizeof(phdr); @@ -58176,7 +58174,7 @@ index 2aed667..52b96fd 100644 if (size > cprm->limit || !dump_write(cprm->file, &phdr, sizeof(phdr))) goto end_coredump; -@@ -2019,7 +2500,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2026,7 +2506,7 @@ static int elf_core_dump(struct coredump_params *cprm) unsigned long addr; unsigned long end; @@ -58185,7 +58183,7 @@ index 2aed667..52b96fd 100644 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) { struct page *page; -@@ -2028,6 +2509,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2035,6 +2515,7 @@ static int elf_core_dump(struct coredump_params *cprm) page = get_dump_page(addr); if (page) { void *kaddr = kmap(page); @@ -58193,7 +58191,7 @@ index 2aed667..52b96fd 100644 stop = ((size += PAGE_SIZE) > cprm->limit) || !dump_write(cprm->file, kaddr, PAGE_SIZE); -@@ -2045,6 +2527,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2052,6 +2533,7 @@ static int elf_core_dump(struct coredump_params *cprm) if (e_phnum == PN_XNUM) { size += sizeof(*shdr4extnum); @@ -58201,7 +58199,7 @@ index 2aed667..52b96fd 100644 if (size > cprm->limit || !dump_write(cprm->file, shdr4extnum, sizeof(*shdr4extnum))) -@@ -2065,6 +2548,167 @@ out: +@@ -2072,6 +2554,167 @@ out: #endif /* CONFIG_ELF_CORE */ @@ -58482,7 +58480,7 @@ index dede441..f2a2507 100644 WARN_ON(trans->transid != btrfs_header_generation(parent)); diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c -index a694317..dc698a1 100644 +index da528f8..97002a3 100644 --- a/fs/btrfs/extent-tree.c +++ b/fs/btrfs/extent-tree.c @@ -5644,7 +5644,7 @@ again: @@ -58495,10 +58493,10 @@ index a694317..dc698a1 100644 do_chunk_alloc(trans, root->fs_info->extent_root, num_bytes, data, CHUNK_ALLOC_FORCE); diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c -index 7cbe2f8..20cc43f 100644 +index 52bacff..a4b7f29 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c -@@ -2770,7 +2770,7 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) +@@ -2775,7 +2775,7 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) up_read(&info->groups_sem); } @@ -59438,7 +59436,7 @@ index 739fb59..5385976 100644 static int __init init_cramfs_fs(void) { diff --git a/fs/dcache.c b/fs/dcache.c -index 8bc98af..68601d9 100644 +index 8a35300..aee4955 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -103,11 +103,11 @@ static unsigned int d_hash_shift __read_mostly; @@ -59481,24 +59479,6 @@ index 8bc98af..68601d9 100644 /* * If this dentry needs lookup, don't set the referenced flag so that it * is more likely to be cleaned up by the dcache shrinker in case of -@@ -1016,13 +1019,13 @@ ascend: - /* might go back up the wrong parent if we have had a rename */ - if (!locked && read_seqretry(&rename_lock, seq)) - goto rename_retry; -- next = child->d_child.next; -- while (unlikely(child->d_flags & DCACHE_DENTRY_KILLED)) { -+ /* go into the first sibling still alive */ -+ do { -+ next = child->d_child.next; - if (next == &this_parent->d_subdirs) - goto ascend; - child = list_entry(next, struct dentry, d_child); -- next = next->next; -- } -+ } while (unlikely(child->d_flags & DCACHE_DENTRY_KILLED)); - rcu_read_unlock(); - goto resume; - } @@ -1235,6 +1238,9 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) dentry->d_sb = sb; dentry->d_op = NULL; @@ -59520,10 +59500,10 @@ index 8bc98af..68601d9 100644 dcache_init(); inode_init(); diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c -index a15f1e2..3077628 100644 +index 74f03b5..c4a9396 100644 --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c -@@ -164,6 +164,7 @@ static struct file_system_type debug_fs_type = { +@@ -165,6 +165,7 @@ static struct file_system_type debug_fs_type = { .mount = debug_mount, .kill_sb = kill_litter_super, }; @@ -59531,7 +59511,7 @@ index a15f1e2..3077628 100644 static int debugfs_create_by_name(const char *name, mode_t mode, struct dentry *parent, -@@ -277,11 +278,20 @@ EXPORT_SYMBOL_GPL(debugfs_create_file); +@@ -278,11 +279,20 @@ EXPORT_SYMBOL_GPL(debugfs_create_file); * If debugfs is not enabled in the kernel, the value -%ENODEV will be * returned. */ @@ -61286,7 +61266,7 @@ index 22764c7..86372c9 100644 break; err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0); diff --git a/fs/fhandle.c b/fs/fhandle.c -index 6b08864..030db71 100644 +index c9e18f3..030db71 100644 --- a/fs/fhandle.c +++ b/fs/fhandle.c @@ -8,6 +8,7 @@ @@ -61306,18 +61286,6 @@ index 6b08864..030db71 100644 retval = -EPERM; goto out_err; } -@@ -196,8 +197,9 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh, - goto out_err; - } - /* copy the full handle */ -- if (copy_from_user(handle, ufh, -- sizeof(struct file_handle) + -+ *handle = f_handle; -+ if (copy_from_user(&handle->f_handle, -+ &ufh->f_handle, - f_handle.handle_bytes)) { - retval = -EFAULT; - goto out_handle; diff --git a/fs/fifo.c b/fs/fifo.c index cf6f434..3d7942c 100644 --- a/fs/fifo.c @@ -64749,10 +64717,10 @@ index 5d22872..523db20 100644 kfree(link); } diff --git a/fs/omfs/inode.c b/fs/omfs/inode.c -index e043c4c..f99d456 100644 +index f58f1c4..7aed9d4 100644 --- a/fs/omfs/inode.c +++ b/fs/omfs/inode.c -@@ -570,6 +570,7 @@ static struct file_system_type omfs_fs_type = { +@@ -571,6 +571,7 @@ static struct file_system_type omfs_fs_type = { .kill_sb = kill_block_super, .fs_flags = FS_REQUIRES_DEV, }; @@ -64917,7 +64885,7 @@ index bd8ae78..539d250 100644 ldm_crit ("Out of memory."); return false; diff --git a/fs/pipe.c b/fs/pipe.c -index 8ca88fc..db6ce82 100644 +index d2cbeff..db6ce82 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -33,7 +33,7 @@ unsigned int pipe_max_size = 1048576; @@ -64929,109 +64897,7 @@ index 8ca88fc..db6ce82 100644 /* * We use a start+len construction, which provides full use of the -@@ -103,25 +103,27 @@ void pipe_wait(struct pipe_inode_info *pipe) - } - - static int --pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len, -- int atomic) -+pipe_iov_copy_from_user(void *addr, int *offset, struct iovec *iov, -+ size_t *remaining, int atomic) - { - unsigned long copy; - -- while (len > 0) { -+ while (*remaining > 0) { - while (!iov->iov_len) - iov++; -- copy = min_t(unsigned long, len, iov->iov_len); -+ copy = min_t(unsigned long, *remaining, iov->iov_len); - - if (atomic) { -- if (__copy_from_user_inatomic(to, iov->iov_base, copy)) -+ if (__copy_from_user_inatomic(addr + *offset, -+ iov->iov_base, copy)) - return -EFAULT; - } else { -- if (copy_from_user(to, iov->iov_base, copy)) -+ if (copy_from_user(addr + *offset, -+ iov->iov_base, copy)) - return -EFAULT; - } -- to += copy; -- len -= copy; -+ *offset += copy; -+ *remaining -= copy; - iov->iov_base += copy; - iov->iov_len -= copy; - } -@@ -129,25 +131,27 @@ pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len, - } - - static int --pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len, -- int atomic) -+pipe_iov_copy_to_user(struct iovec *iov, void *addr, int *offset, -+ size_t *remaining, int atomic) - { - unsigned long copy; - -- while (len > 0) { -+ while (*remaining > 0) { - while (!iov->iov_len) - iov++; -- copy = min_t(unsigned long, len, iov->iov_len); -+ copy = min_t(unsigned long, *remaining, iov->iov_len); - - if (atomic) { -- if (__copy_to_user_inatomic(iov->iov_base, from, copy)) -+ if (__copy_to_user_inatomic(iov->iov_base, -+ addr + *offset, copy)) - return -EFAULT; - } else { -- if (copy_to_user(iov->iov_base, from, copy)) -+ if (copy_to_user(iov->iov_base, -+ addr + *offset, copy)) - return -EFAULT; - } -- from += copy; -- len -= copy; -+ *offset += copy; -+ *remaining -= copy; - iov->iov_base += copy; - iov->iov_len -= copy; - } -@@ -383,7 +387,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov, - struct pipe_buffer *buf = pipe->bufs + curbuf; - const struct pipe_buf_operations *ops = buf->ops; - void *addr; -- size_t chars = buf->len; -+ size_t chars = buf->len, remaining; - int error, atomic; - - if (chars > total_len) -@@ -397,9 +401,11 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov, - } - - atomic = !iov_fault_in_pages_write(iov, chars); -+ remaining = chars; - redo: - addr = ops->map(pipe, buf, atomic); -- error = pipe_iov_copy_to_user(iov, addr + buf->offset, chars, atomic); -+ error = pipe_iov_copy_to_user(iov, addr, &buf->offset, -+ &remaining, atomic); - ops->unmap(pipe, buf, addr); - if (unlikely(error)) { - /* -@@ -414,7 +420,6 @@ redo: - break; - } - ret += chars; -- buf->offset += chars; - buf->len -= chars; - - /* Was it a packet buffer? Clean up and exit */ -@@ -437,9 +442,9 @@ redo: +@@ -442,9 +442,9 @@ redo: } if (bufs) /* More to do? */ continue; @@ -65043,7 +64909,7 @@ index 8ca88fc..db6ce82 100644 /* syscall merging: Usually we must not sleep * if O_NONBLOCK is set, or if we got some data. * But if a writer sleeps in kernel space, then -@@ -503,7 +508,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov, +@@ -508,7 +508,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov, mutex_lock(&inode->i_mutex); pipe = inode->i_pipe; @@ -65052,26 +64918,7 @@ index 8ca88fc..db6ce82 100644 send_sig(SIGPIPE, current, 0); ret = -EPIPE; goto out; -@@ -521,6 +526,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov, - if (ops->can_merge && offset + chars <= PAGE_SIZE) { - int error, atomic = 1; - void *addr; -+ size_t remaining = chars; - - error = ops->confirm(pipe, buf); - if (error) -@@ -529,8 +535,8 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov, - iov_fault_in_pages_read(iov, chars); - redo1: - addr = ops->map(pipe, buf, atomic); -- error = pipe_iov_copy_from_user(offset + addr, iov, -- chars, atomic); -+ error = pipe_iov_copy_from_user(addr, &offset, iov, -+ &remaining, atomic); - ops->unmap(pipe, buf, addr); - ret = error; - do_wakeup = 1; -@@ -552,7 +558,7 @@ redo1: +@@ -558,7 +558,7 @@ redo1: for (;;) { int bufs; @@ -65080,34 +64927,7 @@ index 8ca88fc..db6ce82 100644 send_sig(SIGPIPE, current, 0); if (!ret) ret = -EPIPE; -@@ -565,6 +571,8 @@ redo1: - struct page *page = pipe->tmp_page; - char *src; - int error, atomic = 1; -+ int offset = 0; -+ size_t remaining; - - if (!page) { - page = alloc_page(GFP_HIGHUSER); -@@ -585,14 +593,15 @@ redo1: - chars = total_len; - - iov_fault_in_pages_read(iov, chars); -+ remaining = chars; - redo2: - if (atomic) - src = kmap_atomic(page, KM_USER0); - else - src = kmap(page); - -- error = pipe_iov_copy_from_user(src, iov, chars, -- atomic); -+ error = pipe_iov_copy_from_user(src, &offset, iov, -+ &remaining, atomic); - if (atomic) - kunmap_atomic(src, KM_USER0); - else -@@ -643,9 +652,9 @@ redo2: +@@ -652,9 +652,9 @@ redo2: kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN); do_wakeup = 0; } @@ -65119,7 +64939,7 @@ index 8ca88fc..db6ce82 100644 } out: mutex_unlock(&inode->i_mutex); -@@ -712,7 +721,7 @@ pipe_poll(struct file *filp, poll_table *wait) +@@ -721,7 +721,7 @@ pipe_poll(struct file *filp, poll_table *wait) mask = 0; if (filp->f_mode & FMODE_READ) { mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0; @@ -65128,7 +64948,7 @@ index 8ca88fc..db6ce82 100644 mask |= POLLHUP; } -@@ -722,7 +731,7 @@ pipe_poll(struct file *filp, poll_table *wait) +@@ -731,7 +731,7 @@ pipe_poll(struct file *filp, poll_table *wait) * Most Unices do not set POLLERR for FIFOs but on Linux they * behave exactly like pipes for poll(). */ @@ -65137,7 +64957,7 @@ index 8ca88fc..db6ce82 100644 mask |= POLLERR; } -@@ -736,10 +745,10 @@ pipe_release(struct inode *inode, int decr, int decw) +@@ -745,10 +745,10 @@ pipe_release(struct inode *inode, int decr, int decw) mutex_lock(&inode->i_mutex); pipe = inode->i_pipe; @@ -65151,7 +64971,7 @@ index 8ca88fc..db6ce82 100644 free_pipe_info(inode); } else { wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP); -@@ -829,7 +838,7 @@ pipe_read_open(struct inode *inode, struct file *filp) +@@ -838,7 +838,7 @@ pipe_read_open(struct inode *inode, struct file *filp) if (inode->i_pipe) { ret = 0; @@ -65160,7 +64980,7 @@ index 8ca88fc..db6ce82 100644 } mutex_unlock(&inode->i_mutex); -@@ -846,7 +855,7 @@ pipe_write_open(struct inode *inode, struct file *filp) +@@ -855,7 +855,7 @@ pipe_write_open(struct inode *inode, struct file *filp) if (inode->i_pipe) { ret = 0; @@ -65169,7 +64989,7 @@ index 8ca88fc..db6ce82 100644 } mutex_unlock(&inode->i_mutex); -@@ -867,9 +876,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp) +@@ -876,9 +876,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp) if (inode->i_pipe) { ret = 0; if (filp->f_mode & FMODE_READ) @@ -65181,7 +65001,7 @@ index 8ca88fc..db6ce82 100644 } mutex_unlock(&inode->i_mutex); -@@ -961,7 +970,7 @@ void free_pipe_info(struct inode *inode) +@@ -970,7 +970,7 @@ void free_pipe_info(struct inode *inode) inode->i_pipe = NULL; } @@ -65190,7 +65010,7 @@ index 8ca88fc..db6ce82 100644 /* * pipefs_dname() is called from d_path(). -@@ -991,7 +1000,8 @@ static struct inode * get_pipe_inode(void) +@@ -1000,7 +1000,8 @@ static struct inode * get_pipe_inode(void) goto fail_iput; inode->i_pipe = pipe; @@ -65200,7 +65020,7 @@ index 8ca88fc..db6ce82 100644 inode->i_fop = &rdwr_pipefifo_fops; /* -@@ -1203,7 +1213,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages) +@@ -1212,7 +1213,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages) * Currently we rely on the pipe array holding a power-of-2 number * of pages. */ @@ -65209,7 +65029,7 @@ index 8ca88fc..db6ce82 100644 { unsigned long nr_pages; -@@ -1253,13 +1263,16 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg) +@@ -1262,13 +1263,16 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg) switch (cmd) { case F_SETPIPE_SZ: { @@ -84014,10 +83834,10 @@ index f93d8c1..71244f6 100644 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu); diff --git a/include/linux/libata.h b/include/linux/libata.h -index 42ac6ad..703f223 100644 +index 3d4b5b6..3648fe8 100644 --- a/include/linux/libata.h +++ b/include/linux/libata.h -@@ -915,7 +915,7 @@ struct ata_port_operations { +@@ -924,7 +924,7 @@ struct ata_port_operations { * fields must be pointers. */ const struct ata_port_operations *inherits; @@ -85621,7 +85441,7 @@ index 9aaf5bf..d5ee2a5 100644 } diff --git a/include/linux/sched.h b/include/linux/sched.h -index cb34ff4..c086c98 100644 +index 44e5f47..bf5c1f5 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -101,6 +101,7 @@ struct bio_list; @@ -87830,7 +87650,7 @@ index 6e4569f..0c8aa25 100644 fib_info_update_nh_saddr((net), &FIB_RES_NH(res))) #define FIB_RES_GW(res) (FIB_RES_NH(res).nh_gw) diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h -index 416dcb0..e203877 100644 +index b8b2e50..91489a1 100644 --- a/include/net/ip_vs.h +++ b/include/net/ip_vs.h @@ -509,7 +509,7 @@ struct ip_vs_conn { @@ -88203,10 +88023,10 @@ index 4d1be75..a54d29e 100644 /* Get the size of a DATA chunk payload. */ diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h -index a15432da..9459dcc 100644 +index 2cccd82..03b6412 100644 --- a/include/net/sctp/structs.h +++ b/include/net/sctp/structs.h -@@ -644,7 +644,7 @@ struct sctp_pf { +@@ -649,7 +649,7 @@ struct sctp_pf { struct sctp_association *asoc); void (*addr_v4map) (struct sctp_sock *, union sctp_addr *); struct sctp_af *af; @@ -96335,7 +96155,7 @@ index 76b8e77..a2930e8 100644 } diff --git a/kernel/ptrace.c b/kernel/ptrace.c -index f79803a..0dcc1be 100644 +index f07c144..d2ad3b0 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -211,7 +211,8 @@ int ptrace_check_attach(struct task_struct *child, bool ignore_state) @@ -96428,7 +96248,7 @@ index f79803a..0dcc1be 100644 return (data & ~PTRACE_O_MASK) ? -EINVAL : 0; } -@@ -720,7 +740,7 @@ int ptrace_request(struct task_struct *child, long request, +@@ -740,7 +760,7 @@ int ptrace_request(struct task_struct *child, long request, bool seized = child->ptrace & PT_SEIZED; int ret = -EIO; siginfo_t siginfo, *si; @@ -96437,7 +96257,7 @@ index f79803a..0dcc1be 100644 unsigned long __user *datalp = datavp; unsigned long flags; -@@ -922,14 +942,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr, +@@ -942,14 +962,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr, goto out; } @@ -96460,7 +96280,7 @@ index f79803a..0dcc1be 100644 goto out_put_task_struct; } -@@ -957,7 +984,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr, +@@ -977,7 +1004,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr, copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0); if (copied != sizeof(tmp)) return -EIO; @@ -96469,7 +96289,7 @@ index f79803a..0dcc1be 100644 } int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr, -@@ -1051,7 +1078,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request, +@@ -1071,7 +1098,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request, } asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, @@ -96478,7 +96298,7 @@ index f79803a..0dcc1be 100644 { struct task_struct *child; long ret; -@@ -1067,14 +1094,21 @@ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, +@@ -1087,14 +1114,21 @@ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, goto out; } @@ -97949,7 +97769,7 @@ index 9e800b2..1533ba5 100644 raw_spin_unlock_irq(&call_function.lock); } diff --git a/kernel/softirq.c b/kernel/softirq.c -index 2c71d91..6b690a4 100644 +index 44bc103..c131116 100644 --- a/kernel/softirq.c +++ b/kernel/softirq.c @@ -52,11 +52,11 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned; @@ -97966,7 +97786,7 @@ index 2c71d91..6b690a4 100644 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL", "TASKLET", "SCHED", "HRTIMER", "RCU" }; -@@ -235,7 +235,7 @@ restart: +@@ -241,7 +241,7 @@ restart: kstat_incr_softirqs_this_cpu(vec_nr); trace_softirq_entry(vec_nr); @@ -97975,7 +97795,7 @@ index 2c71d91..6b690a4 100644 trace_softirq_exit(vec_nr); if (unlikely(prev_count != preempt_count())) { printk(KERN_ERR "huh, entered softirq %u %s %p" -@@ -385,7 +385,7 @@ void raise_softirq(unsigned int nr) +@@ -393,7 +393,7 @@ void raise_softirq(unsigned int nr) local_irq_restore(flags); } @@ -97984,7 +97804,7 @@ index 2c71d91..6b690a4 100644 { softirq_vec[nr].action = action; } -@@ -441,7 +441,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t) +@@ -449,7 +449,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t) EXPORT_SYMBOL(__tasklet_hi_schedule_first); @@ -97993,7 +97813,7 @@ index 2c71d91..6b690a4 100644 { struct tasklet_struct *list; -@@ -476,7 +476,7 @@ static void tasklet_action(struct softirq_action *a) +@@ -484,7 +484,7 @@ static void tasklet_action(struct softirq_action *a) } } @@ -98002,7 +97822,7 @@ index 2c71d91..6b690a4 100644 { struct tasklet_struct *list; -@@ -712,7 +712,7 @@ static int __cpuinit remote_softirq_cpu_notify(struct notifier_block *self, +@@ -720,7 +720,7 @@ static int __cpuinit remote_softirq_cpu_notify(struct notifier_block *self, return NOTIFY_OK; } @@ -98011,7 +97831,7 @@ index 2c71d91..6b690a4 100644 .notifier_call = remote_softirq_cpu_notify, }; -@@ -894,7 +894,7 @@ static int __cpuinit cpu_callback(struct notifier_block *nfb, +@@ -902,7 +902,7 @@ static int __cpuinit cpu_callback(struct notifier_block *nfb, return NOTIFY_OK; } @@ -99610,7 +99430,7 @@ index 875fed4..7a76cbb 100644 } diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c -index b0996c1..9c39703 100644 +index 47343cc..9c39703 100644 --- a/kernel/trace/trace_events_filter.c +++ b/kernel/trace/trace_events_filter.c @@ -1027,6 +1027,9 @@ static void parse_init(struct filter_parse_state *ps, @@ -99633,36 +99453,15 @@ index b0996c1..9c39703 100644 ps->infix.cnt--; ps->infix.tail++; } -@@ -1343,19 +1349,27 @@ static int check_preds(struct filter_parse_state *ps) - { - int n_normal_preds = 0, n_logical_preds = 0; - struct postfix_elt *elt; -+ int cnt = 0; - - list_for_each_entry(elt, &ps->postfix, list) { -- if (elt->op == OP_NONE) -+ if (elt->op == OP_NONE) { -+ cnt++; - continue; -+ } - - if (elt->op == OP_AND || elt->op == OP_OR) { - n_logical_preds++; -+ cnt--; +@@ -1356,6 +1362,8 @@ static int check_preds(struct filter_parse_state *ps) + cnt--; continue; } + // OP_NOT is not supported in this kernel, will get + // a reject here when it's backported -+ cnt--; + cnt--; n_normal_preds++; -+ WARN_ON_ONCE(cnt < 0); - } - -- if (!n_normal_preds || n_logical_preds >= n_normal_preds) { -+ if (cnt != 1 || !n_normal_preds || n_logical_preds >= n_normal_preds) { - parse_error(ps, FILT_ERR_INVALID_FILTER, 0); - return -EINVAL; - } + WARN_ON_ONCE(cnt < 0); diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c index a7d2a4c..b034c76 100644 --- a/kernel/trace/trace_functions_graph.c @@ -104650,7 +104449,7 @@ index d0cb11f..e0a7fea 100644 struct mm_struct *mm; diff --git a/mm/page-writeback.c b/mm/page-writeback.c -index 1bf1f74..5e27559 100644 +index 62bfbd9..bfd70ee 100644 --- a/mm/page-writeback.c +++ b/mm/page-writeback.c @@ -522,7 +522,7 @@ unsigned long bdi_dirty_limit(struct backing_dev_info *bdi, unsigned long dirty) @@ -105763,7 +105562,7 @@ index 8105be4..93fb21c 100644 EXPORT_SYMBOL(kmem_cache_free); diff --git a/mm/slub.c b/mm/slub.c -index 6a4c2fb..18d36e8 100644 +index 60c6969..dd5e22f 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -186,7 +186,7 @@ static enum { @@ -105793,7 +105592,7 @@ index 6a4c2fb..18d36e8 100644 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid); #ifdef CONFIG_STACKTRACE { -@@ -2537,6 +2537,14 @@ static __always_inline void slab_free(struct kmem_cache *s, +@@ -2520,6 +2520,14 @@ static __always_inline void slab_free(struct kmem_cache *s, slab_free_hook(s, x); @@ -105808,7 +105607,7 @@ index 6a4c2fb..18d36e8 100644 redo: /* * Determine the currently cpus per cpu slab. -@@ -2572,6 +2580,8 @@ void kmem_cache_free(struct kmem_cache *s, void *x) +@@ -2555,6 +2563,8 @@ void kmem_cache_free(struct kmem_cache *s, void *x) page = virt_to_head_page(x); @@ -105817,7 +105616,7 @@ index 6a4c2fb..18d36e8 100644 slab_free(s, page, x, _RET_IP_); trace_kmem_cache_free(_RET_IP_, x); -@@ -2605,7 +2615,7 @@ static int slub_min_objects; +@@ -2588,7 +2598,7 @@ static int slub_min_objects; * Merge control. If this is set then no merging of slab caches will occur. * (Could be removed. This was introduced to pacify the merge skeptics.) */ @@ -105826,7 +105625,7 @@ index 6a4c2fb..18d36e8 100644 /* * Calculate the order of allocation given an slab object size. -@@ -2909,6 +2919,9 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) +@@ -2892,6 +2902,9 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) s->inuse = size; if (((flags & (SLAB_DESTROY_BY_RCU | SLAB_POISON)) || @@ -105836,7 +105635,7 @@ index 6a4c2fb..18d36e8 100644 s->ctor)) { /* * Relocate free pointer after the object if it is not -@@ -3055,7 +3068,7 @@ static int kmem_cache_open(struct kmem_cache *s, +@@ -3038,7 +3051,7 @@ static int kmem_cache_open(struct kmem_cache *s, else s->cpu_partial = 30; @@ -105845,7 +105644,7 @@ index 6a4c2fb..18d36e8 100644 #ifdef CONFIG_NUMA s->remote_node_defrag_ratio = 1000; #endif -@@ -3159,8 +3172,7 @@ static inline int kmem_cache_close(struct kmem_cache *s) +@@ -3142,8 +3155,7 @@ static inline int kmem_cache_close(struct kmem_cache *s) void kmem_cache_destroy(struct kmem_cache *s) { down_write(&slub_lock); @@ -105855,7 +105654,7 @@ index 6a4c2fb..18d36e8 100644 list_del(&s->list); up_write(&slub_lock); if (kmem_cache_close(s)) { -@@ -3189,6 +3201,10 @@ static struct kmem_cache *kmem_cache; +@@ -3172,6 +3184,10 @@ static struct kmem_cache *kmem_cache; static struct kmem_cache *kmalloc_dma_caches[SLUB_PAGE_SHIFT]; #endif @@ -105866,7 +105665,7 @@ index 6a4c2fb..18d36e8 100644 static int __init setup_slub_min_order(char *str) { get_option(&str, &slub_min_order); -@@ -3303,6 +3319,13 @@ static struct kmem_cache *get_slab(size_t size, gfp_t flags) +@@ -3286,6 +3302,13 @@ static struct kmem_cache *get_slab(size_t size, gfp_t flags) return kmalloc_dma_caches[index]; #endif @@ -105880,7 +105679,7 @@ index 6a4c2fb..18d36e8 100644 return kmalloc_caches[index]; } -@@ -3371,6 +3394,59 @@ void *__kmalloc_node(size_t size, gfp_t flags, int node) +@@ -3354,6 +3377,59 @@ void *__kmalloc_node(size_t size, gfp_t flags, int node) EXPORT_SYMBOL(__kmalloc_node); #endif @@ -105940,7 +105739,7 @@ index 6a4c2fb..18d36e8 100644 size_t ksize(const void *object) { struct page *page; -@@ -3435,6 +3511,7 @@ void kfree(const void *x) +@@ -3418,6 +3494,7 @@ void kfree(const void *x) if (unlikely(ZERO_OR_NULL_PTR(x))) return; @@ -105948,7 +105747,7 @@ index 6a4c2fb..18d36e8 100644 page = virt_to_head_page(x); if (unlikely(!PageSlab(page))) { BUG_ON(!PageCompound(page)); -@@ -3645,7 +3722,7 @@ static void __init kmem_cache_bootstrap_fixup(struct kmem_cache *s) +@@ -3628,7 +3705,7 @@ static void __init kmem_cache_bootstrap_fixup(struct kmem_cache *s) int node; list_add(&s->list, &slab_caches); @@ -105957,7 +105756,7 @@ index 6a4c2fb..18d36e8 100644 for_each_node_state(node, N_NORMAL_MEMORY) { struct kmem_cache_node *n = get_node(s, node); -@@ -3762,17 +3839,17 @@ void __init kmem_cache_init(void) +@@ -3745,17 +3822,17 @@ void __init kmem_cache_init(void) /* Caches that are not of the two-to-the-power-of size */ if (KMALLOC_MIN_SIZE <= 32) { @@ -105978,7 +105777,7 @@ index 6a4c2fb..18d36e8 100644 caches++; } -@@ -3814,6 +3891,22 @@ void __init kmem_cache_init(void) +@@ -3797,6 +3874,22 @@ void __init kmem_cache_init(void) } } #endif @@ -106001,7 +105800,7 @@ index 6a4c2fb..18d36e8 100644 printk(KERN_INFO "SLUB: Genslabs=%d, HWalign=%d, Order=%d-%d, MinObjects=%d," " CPUs=%d, Nodes=%d\n", -@@ -3840,7 +3933,7 @@ static int slab_unmergeable(struct kmem_cache *s) +@@ -3823,7 +3916,7 @@ static int slab_unmergeable(struct kmem_cache *s) /* * We may have set a slab to be unmergeable during bootstrap. */ @@ -106010,7 +105809,7 @@ index 6a4c2fb..18d36e8 100644 return 1; return 0; -@@ -3897,9 +3990,17 @@ struct kmem_cache *kmem_cache_create(const char *name, size_t size, +@@ -3880,9 +3973,17 @@ struct kmem_cache *kmem_cache_create(const char *name, size_t size, return NULL; down_write(&slub_lock); @@ -106029,7 +105828,7 @@ index 6a4c2fb..18d36e8 100644 /* * Adjust the object sizes so that we clear * the complete object on kzalloc. -@@ -3908,7 +4009,7 @@ struct kmem_cache *kmem_cache_create(const char *name, size_t size, +@@ -3891,7 +3992,7 @@ struct kmem_cache *kmem_cache_create(const char *name, size_t size, s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *))); if (sysfs_slab_alias(s, name)) { @@ -106038,7 +105837,7 @@ index 6a4c2fb..18d36e8 100644 goto err; } up_write(&slub_lock); -@@ -3979,7 +4080,7 @@ static int __cpuinit slab_cpuup_callback(struct notifier_block *nfb, +@@ -3962,7 +4063,7 @@ static int __cpuinit slab_cpuup_callback(struct notifier_block *nfb, return NOTIFY_OK; } @@ -106047,7 +105846,7 @@ index 6a4c2fb..18d36e8 100644 .notifier_call = slab_cpuup_callback }; -@@ -4037,7 +4138,7 @@ void *__kmalloc_node_track_caller(size_t size, gfp_t gfpflags, +@@ -4020,7 +4121,7 @@ void *__kmalloc_node_track_caller(size_t size, gfp_t gfpflags, } #endif @@ -106056,7 +105855,7 @@ index 6a4c2fb..18d36e8 100644 static int count_inuse(struct page *page) { return page->inuse; -@@ -4424,12 +4525,12 @@ static void resiliency_test(void) +@@ -4407,12 +4508,12 @@ static void resiliency_test(void) validate_slab_cache(kmalloc_caches[9]); } #else @@ -106071,7 +105870,7 @@ index 6a4c2fb..18d36e8 100644 enum slab_stat_type { SL_ALL, /* All slabs */ SL_PARTIAL, /* Only partially allocated slabs */ -@@ -4676,7 +4777,7 @@ SLAB_ATTR_RO(ctor); +@@ -4659,7 +4760,7 @@ SLAB_ATTR_RO(ctor); static ssize_t aliases_show(struct kmem_cache *s, char *buf) { @@ -106080,7 +105879,7 @@ index 6a4c2fb..18d36e8 100644 } SLAB_ATTR_RO(aliases); -@@ -5243,6 +5344,7 @@ static char *create_unique_id(struct kmem_cache *s) +@@ -5226,6 +5327,7 @@ static char *create_unique_id(struct kmem_cache *s) return name; } @@ -106088,7 +105887,7 @@ index 6a4c2fb..18d36e8 100644 static int sysfs_slab_add(struct kmem_cache *s) { int err; -@@ -5271,7 +5373,7 @@ static int sysfs_slab_add(struct kmem_cache *s) +@@ -5254,7 +5356,7 @@ static int sysfs_slab_add(struct kmem_cache *s) } s->kobj.kset = slab_kset; @@ -106097,7 +105896,7 @@ index 6a4c2fb..18d36e8 100644 if (err) { kobject_put(&s->kobj); return err; -@@ -5305,6 +5407,7 @@ static void sysfs_slab_remove(struct kmem_cache *s) +@@ -5288,6 +5390,7 @@ static void sysfs_slab_remove(struct kmem_cache *s) kobject_del(&s->kobj); kobject_put(&s->kobj); } @@ -106105,7 +105904,7 @@ index 6a4c2fb..18d36e8 100644 /* * Need to buffer aliases during bootup until sysfs becomes -@@ -5318,6 +5421,7 @@ struct saved_alias { +@@ -5301,6 +5404,7 @@ struct saved_alias { static struct saved_alias *alias_list; @@ -106113,7 +105912,7 @@ index 6a4c2fb..18d36e8 100644 static int sysfs_slab_alias(struct kmem_cache *s, const char *name) { struct saved_alias *al; -@@ -5340,6 +5444,7 @@ static int sysfs_slab_alias(struct kmem_cache *s, const char *name) +@@ -5323,6 +5427,7 @@ static int sysfs_slab_alias(struct kmem_cache *s, const char *name) alias_list = al; return 0; } @@ -107247,10 +107046,10 @@ index f20c4fd..73aee41 100644 if (err < 0) { pr_err("bridge: can't register sap for STP\n"); diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c -index 398a297..83fc29c 100644 +index 1bd197f..1119378 100644 --- a/net/bridge/br_multicast.c +++ b/net/bridge/br_multicast.c -@@ -1416,7 +1416,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br, +@@ -1415,7 +1415,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br, nexthdr = ip6h->nexthdr; offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr); @@ -107344,7 +107143,7 @@ index 45f93f8..550f429 100644 break; } diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c -index 7eed9eb..fd7291e 100644 +index 7e4b4b4..6c8ce35 100644 --- a/net/caif/caif_socket.c +++ b/net/caif/caif_socket.c @@ -48,19 +48,20 @@ static struct dentry *debugfsdir; @@ -107449,7 +107248,7 @@ index 7eed9eb..fd7291e 100644 set_rx_flow_on(cf_sk); caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_ON_REQ); } -@@ -852,7 +853,7 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr, +@@ -860,7 +861,7 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr, /*ifindex = id of the interface.*/ cf_sk->conn_req.ifindex = cf_sk->sk.sk_bound_dev_if; @@ -107458,7 +107257,7 @@ index 7eed9eb..fd7291e 100644 cf_sk->layer.receive = caif_sktrecv_cb; err = caif_connect_client(sock_net(sk), &cf_sk->conn_req, -@@ -941,7 +942,7 @@ static int caif_release(struct socket *sock) +@@ -949,7 +950,7 @@ static int caif_release(struct socket *sock) spin_unlock_bh(&sk->sk_receive_queue.lock); sock->sk = NULL; @@ -107467,7 +107266,7 @@ index 7eed9eb..fd7291e 100644 WARN_ON(IS_ERR(cf_sk->debugfs_socket_dir)); if (cf_sk->debugfs_socket_dir != NULL) -@@ -1120,7 +1121,7 @@ static int caif_create(struct net *net, struct socket *sock, int protocol, +@@ -1128,7 +1129,7 @@ static int caif_create(struct net *net, struct socket *sock, int protocol, cf_sk->conn_req.protocol = protocol; /* Increase the number of sockets created. */ dbfs_atomic_inc(&cnt.caif_nr_socks); @@ -108245,10 +108044,10 @@ index 66e3f1f..317ae80 100644 m->msg_iov = iov; diff --git a/net/core/neighbour.c b/net/core/neighbour.c -index 0ea3fd3..d87fef1 100644 +index c8c2645..e503d27 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c -@@ -2803,11 +2803,12 @@ int neigh_sysctl_register(struct net_device *dev, struct neigh_parms *p, +@@ -2814,11 +2814,12 @@ int neigh_sysctl_register(struct net_device *dev, struct neigh_parms *p, /* Terminate the table early */ memset(&t->neigh_vars[14], 0, sizeof(t->neigh_vars[14])); } else { @@ -110199,7 +109998,7 @@ index 2e0f0af..e2948bf 100644 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) { /* Has it gone just too far? */ diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index 8c2e259..90d7b4e 100644 +index 5e92043..90d7b4e 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -86,6 +86,7 @@ @@ -110270,20 +110069,7 @@ index 8c2e259..90d7b4e 100644 ulen = skb->len - sizeof(struct udphdr); copied = len; if (copied > ulen) -@@ -1248,10 +1269,8 @@ csum_copy_err: - UDP_INC_STATS_USER(sock_net(sk), UDP_MIB_INERRORS, is_udplite); - unlock_sock_fast(sk, slow); - -- if (noblock) -- return -EAGAIN; -- -- /* starting over for a new packet */ -+ /* starting over for a new packet, but check if we need to yield */ -+ cond_resched(); - msg->msg_flags &= ~MSG_TRUNC; - goto try_again; - } -@@ -1486,7 +1505,7 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) +@@ -1484,7 +1505,7 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) drop: UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite); @@ -110292,7 +110078,7 @@ index 8c2e259..90d7b4e 100644 kfree_skb(skb); return -1; } -@@ -1505,7 +1524,7 @@ static void flush_stack(struct sock **stack, unsigned int count, +@@ -1503,7 +1524,7 @@ static void flush_stack(struct sock **stack, unsigned int count, skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC); if (!skb1) { @@ -110301,7 +110087,7 @@ index 8c2e259..90d7b4e 100644 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS, IS_UDPLITE(sk)); UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, -@@ -1674,6 +1693,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, +@@ -1672,6 +1693,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, goto csum_error; UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE); @@ -110311,7 +110097,7 @@ index 8c2e259..90d7b4e 100644 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); /* -@@ -2097,8 +2119,13 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f, +@@ -2095,8 +2119,13 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f, sk_wmem_alloc_get(sp), sk_rmem_alloc_get(sp), 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp), @@ -110906,7 +110692,7 @@ index 655cc60..c49497a 100644 static int tcp6_seq_show(struct seq_file *seq, void *v) diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index d131a95..59d5161 100644 +index dc08afd..59d5161 100644 --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -50,6 +50,10 @@ @@ -110920,20 +110706,7 @@ index d131a95..59d5161 100644 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2) { const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr; -@@ -451,10 +455,8 @@ csum_copy_err: - } - unlock_sock_fast(sk, slow); - -- if (noblock) -- return -EAGAIN; -- -- /* starting over for a new packet */ -+ /* starting over for a new packet, but check if we need to yield */ -+ cond_resched(); - msg->msg_flags &= ~MSG_TRUNC; - goto try_again; - } -@@ -546,7 +548,7 @@ int udpv6_queue_rcv_skb(struct sock * sk, struct sk_buff *skb) +@@ -544,7 +548,7 @@ int udpv6_queue_rcv_skb(struct sock * sk, struct sk_buff *skb) return 0; drop: @@ -110942,7 +110715,7 @@ index d131a95..59d5161 100644 drop_no_sk_drops_inc: UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite); kfree_skb(skb); -@@ -622,7 +624,7 @@ static void flush_stack(struct sock **stack, unsigned int count, +@@ -620,7 +624,7 @@ static void flush_stack(struct sock **stack, unsigned int count, continue; } drop: @@ -110951,7 +110724,7 @@ index d131a95..59d5161 100644 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS, IS_UDPLITE(sk)); UDP6_INC_STATS_BH(sock_net(sk), -@@ -777,6 +779,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, +@@ -775,6 +779,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE); @@ -110961,7 +110734,7 @@ index d131a95..59d5161 100644 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0); kfree_skb(skb); -@@ -793,7 +798,7 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, +@@ -791,7 +798,7 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, if (!sock_owned_by_user(sk)) udpv6_queue_rcv_skb(sk, skb); else if (sk_add_backlog(sk, skb)) { @@ -110970,7 +110743,7 @@ index d131a95..59d5161 100644 bh_unlock_sock(sk); sock_put(sk); goto discard; -@@ -1409,8 +1414,13 @@ static void udp6_sock_seq_show(struct seq_file *seq, struct sock *sp, int bucket +@@ -1407,8 +1414,13 @@ static void udp6_sock_seq_show(struct seq_file *seq, struct sock *sp, int bucket 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp), @@ -111640,7 +111413,7 @@ index 6422845..2c19968 100644 if (!todrop_rate[i]) return 0; diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c -index d864aaf..d6afbda 100644 +index 197ed93..49519a9 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c @@ -562,7 +562,7 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb, @@ -111662,7 +111435,7 @@ index d864aaf..d6afbda 100644 if ((ipvs->sync_state & IP_VS_STATE_MASTER) && cp->protocol == IPPROTO_SCTP) { diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c -index 93acfa1..e846c43 100644 +index 1e27a1f..9774f6b 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c @@ -788,7 +788,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest, @@ -112385,7 +112158,7 @@ index b4d889b..bb33240 100644 *uaddr_len = sizeof(struct sockaddr_ax25); } diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 4f19bf2..e3a2b51 100644 +index 0c21f06..0f53a06 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -195,6 +195,7 @@ struct tpacket_kbdq_core { @@ -112404,7 +112177,7 @@ index 4f19bf2..e3a2b51 100644 prb_init_ft_ops(p1, req_u); prb_setup_retire_blk_timer(po, tx_ring); prb_open_block(p1, pbd); -@@ -1678,7 +1680,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -1664,7 +1666,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, spin_lock(&sk->sk_receive_queue.lock); po->stats.tp_packets++; @@ -112413,7 +112186,7 @@ index 4f19bf2..e3a2b51 100644 __skb_queue_tail(&sk->sk_receive_queue, skb); spin_unlock(&sk->sk_receive_queue.lock); sk->sk_data_ready(sk, skb->len); -@@ -1687,7 +1689,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -1673,7 +1675,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, drop_n_acct: spin_lock(&sk->sk_receive_queue.lock); po->stats.tp_drops++; @@ -112422,7 +112195,7 @@ index 4f19bf2..e3a2b51 100644 spin_unlock(&sk->sk_receive_queue.lock); drop_n_restore: -@@ -1778,6 +1780,18 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -1764,6 +1766,18 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, if ((int)snaplen < 0) snaplen = 0; } @@ -112441,7 +112214,7 @@ index 4f19bf2..e3a2b51 100644 } spin_lock(&sk->sk_receive_queue.lock); h.raw = packet_current_rx_frame(po, skb, -@@ -2623,6 +2637,7 @@ out: +@@ -2609,6 +2623,7 @@ out: static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len) { @@ -112449,7 +112222,7 @@ index 4f19bf2..e3a2b51 100644 struct sock_exterr_skb *serr; struct sk_buff *skb, *skb2; int copied, err; -@@ -2644,8 +2659,9 @@ static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len) +@@ -2630,8 +2645,9 @@ static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len) sock_recv_timestamp(msg, sk, skb); serr = SKB_EXT_ERR(skb); @@ -112460,7 +112233,7 @@ index 4f19bf2..e3a2b51 100644 msg->msg_flags |= MSG_ERRQUEUE; err = copied; -@@ -3273,7 +3289,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3259,7 +3275,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, case PACKET_HDRLEN: if (len > sizeof(int)) len = sizeof(int); @@ -112469,7 +112242,7 @@ index 4f19bf2..e3a2b51 100644 return -EFAULT; switch (val) { case TPACKET_V1: -@@ -3323,7 +3339,11 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3309,7 +3325,11 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, if (put_user(len, optlen)) return -EFAULT; @@ -112482,7 +112255,7 @@ index 4f19bf2..e3a2b51 100644 return -EFAULT; return 0; } -@@ -3614,6 +3634,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, +@@ -3600,6 +3620,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, goto out; if (unlikely(req->tp_block_size & (PAGE_SIZE - 1))) goto out; @@ -112661,6 +112434,19 @@ index e29e0ca..fa3a6a3 100644 } #endif +diff --git a/net/rds/info.c b/net/rds/info.c +index f1c016c..a4adb39 100644 +--- a/net/rds/info.c ++++ b/net/rds/info.c +@@ -176,7 +176,7 @@ int rds_info_getsockopt(struct socket *sock, int optname, char __user *optval, + + /* check for all kinds of wrapping and the like */ + start = (unsigned long)optval; +- if (len < 0 || len + PAGE_SIZE - 1 < len || start + len < start) { ++ if (len < 0 || len > INT_MAX - PAGE_SIZE + 1 || start + len < start) { + ret = -EINVAL; + goto out; + } diff --git a/net/rds/iw.h b/net/rds/iw.h index 04ce3b1..48119a6 100644 --- a/net/rds/iw.h @@ -113310,10 +113096,10 @@ index 76388b0..a967f68 100644 sctp_generate_t1_cookie_event, sctp_generate_t1_init_event, diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index fc63664..832978a 100644 +index 24e88af..047e703 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c -@@ -2190,11 +2190,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval, +@@ -2192,11 +2192,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval, { struct sctp_association *asoc; struct sctp_ulpevent *event; @@ -113328,7 +113114,7 @@ index fc63664..832978a 100644 /* * At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT, -@@ -4180,13 +4182,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, +@@ -4194,13 +4196,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -113346,7 +113132,7 @@ index fc63664..832978a 100644 return -EFAULT; return 0; } -@@ -4204,6 +4209,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, +@@ -4218,6 +4223,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, */ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -113355,7 +113141,7 @@ index fc63664..832978a 100644 /* Applicable to UDP-style socket only */ if (sctp_style(sk, TCP)) return -EOPNOTSUPP; -@@ -4212,7 +4219,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv +@@ -4226,7 +4233,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv len = sizeof(int); if (put_user(len, optlen)) return -EFAULT; @@ -113365,7 +113151,7 @@ index fc63664..832978a 100644 return -EFAULT; return 0; } -@@ -4576,12 +4584,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, +@@ -4590,12 +4598,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, */ static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -113382,7 +113168,7 @@ index fc63664..832978a 100644 return -EFAULT; return 0; } -@@ -4622,6 +4633,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, +@@ -4636,6 +4647,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len; if (space_left < addrlen) return -ENOMEM; @@ -113445,7 +113231,7 @@ index 8da4481..d02565e 100644 + (rtt >> sctp_rto_alpha); } else { diff --git a/net/socket.c b/net/socket.c -index 116cf9d..a13ae17 100644 +index 10ea25a..e5f6b01 100644 --- a/net/socket.c +++ b/net/socket.c @@ -88,6 +88,7 @@ @@ -113629,7 +113415,7 @@ index 116cf9d..a13ae17 100644 int err, err2; int fput_needed; -@@ -1973,7 +2039,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg, +@@ -1971,7 +2037,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg, * checking falls down on this. */ if (copy_from_user(ctl_buf, @@ -113638,7 +113424,7 @@ index 116cf9d..a13ae17 100644 ctl_len)) goto out_freectl; msg_sys->msg_control = ctl_buf; -@@ -2124,7 +2190,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, +@@ -2122,7 +2188,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, int err, iov_size, total_len, len; /* kernel mode address */ @@ -113647,7 +113433,7 @@ index 116cf9d..a13ae17 100644 /* user mode address pointers */ struct sockaddr __user *uaddr; -@@ -2155,7 +2221,8 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, +@@ -2151,7 +2217,8 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, /* Save the user-mode address (verify_iovec will change the * kernel msghdr to use the kernel address space) */ @@ -113657,7 +113443,7 @@ index 116cf9d..a13ae17 100644 uaddr_len = COMPAT_NAMELEN(msg); if (MSG_CMSG_COMPAT & flags) err = verify_compat_iovec(msg_sys, iov, -@@ -2799,9 +2866,9 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) +@@ -2795,9 +2862,9 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) } ifr = compat_alloc_user_space(buf_size); @@ -113669,7 +113455,7 @@ index 116cf9d..a13ae17 100644 return -EFAULT; if (put_user(convert_in ? rxnfc : compat_ptr(data), -@@ -2823,12 +2890,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) +@@ -2819,12 +2886,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) offsetof(struct ethtool_rxnfc, fs.ring_cookie)); if (copy_in_user(rxnfc, compat_rxnfc, @@ -113686,7 +113472,7 @@ index 116cf9d..a13ae17 100644 copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt, sizeof(rxnfc->rule_cnt))) return -EFAULT; -@@ -2840,12 +2907,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) +@@ -2836,12 +2903,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) if (convert_out) { if (copy_in_user(compat_rxnfc, rxnfc, @@ -113703,7 +113489,7 @@ index 116cf9d..a13ae17 100644 copy_in_user(&compat_rxnfc->rule_cnt, &rxnfc->rule_cnt, sizeof(rxnfc->rule_cnt))) return -EFAULT; -@@ -2915,14 +2982,14 @@ static int bond_ioctl(struct net *net, unsigned int cmd, +@@ -2911,14 +2978,14 @@ static int bond_ioctl(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); err = dev_ioctl(net, cmd, @@ -113720,7 +113506,7 @@ index 116cf9d..a13ae17 100644 return -EFAULT; if (get_user(data, &ifr32->ifr_ifru.ifru_data)) -@@ -3024,7 +3091,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, +@@ -3020,7 +3087,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); @@ -113729,7 +113515,7 @@ index 116cf9d..a13ae17 100644 set_fs(old_fs); if (cmd == SIOCGIFMAP && !err) { -@@ -3129,7 +3196,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, +@@ -3125,7 +3192,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, ret |= __get_user(rtdev, &(ur4->rt_dev)); if (rtdev) { ret |= copy_from_user(devname, compat_ptr(rtdev), 15); @@ -113738,7 +113524,7 @@ index 116cf9d..a13ae17 100644 devname[15] = 0; } else r4.rt_dev = NULL; -@@ -3369,8 +3436,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, +@@ -3365,8 +3432,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, int __user *uoptlen; int err; @@ -113749,7 +113535,7 @@ index 116cf9d..a13ae17 100644 set_fs(KERNEL_DS); if (level == SOL_SOCKET) -@@ -3390,7 +3457,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, +@@ -3386,7 +3453,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, char __user *uoptval; int err; @@ -114590,7 +114376,7 @@ index 1983717..4d6102c 100644 sub->evt.event = htohl(event, sub->swap); diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 8705ee3..cf68ef1 100644 +index 9b1f371..ff529bf 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -768,6 +768,12 @@ static struct sock *unix_find_other(struct net *net, @@ -114639,7 +114425,7 @@ index 8705ee3..cf68ef1 100644 mutex_unlock(&path.dentry->d_inode->i_mutex); dput(path.dentry); path.dentry = dentry; -@@ -2180,11 +2200,14 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock, +@@ -2188,11 +2208,14 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock, writable = unix_writable(sk); other = unix_peer_get(sk); if (other) { @@ -114656,7 +114442,7 @@ index 8705ee3..cf68ef1 100644 sock_put(other); } -@@ -2276,9 +2299,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2284,9 +2307,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) seq_puts(seq, "Num RefCount Protocol Flags Type St " "Inode Path\n"); else { @@ -114671,7 +114457,7 @@ index 8705ee3..cf68ef1 100644 seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu", s, -@@ -2303,10 +2330,29 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2311,10 +2338,29 @@ static int unix_seq_show(struct seq_file *seq, void *v) seq_putc(seq, '@'); i++; } @@ -119101,7 +118887,7 @@ index 6ce2778..f25c378 100644 fail: diff --git a/sound/synth/emux/emux_seq.c b/sound/synth/emux/emux_seq.c -index 7778b8e..3d619fc 100644 +index a020920..55579f6 100644 --- a/sound/synth/emux/emux_seq.c +++ b/sound/synth/emux/emux_seq.c @@ -33,13 +33,13 @@ static int snd_emux_unuse(void *private_data, struct snd_seq_port_subscribe *inf @@ -121166,10 +120952,10 @@ index 0000000..457d54e +} diff --git a/tools/gcc/kernexec_plugin.c b/tools/gcc/kernexec_plugin.c new file mode 100644 -index 0000000..b0d8255 +index 0000000..4838c8a --- /dev/null +++ b/tools/gcc/kernexec_plugin.c -@@ -0,0 +1,547 @@ +@@ -0,0 +1,551 @@ +/* + * Copyright 2011-2015 by the PaX Team + * Licensed under the GPL v2 @@ -121204,10 +120990,12 @@ index 0000000..b0d8255 + */ +static void kernexec_reload_fptr_mask(gimple_stmt_iterator *gsi) +{ ++ gimple stmt; + gasm *asm_movabs_stmt; + + // build asm volatile("movabs $0x8000000000000000, %%r12\n\t" : : : ); -+ asm_movabs_stmt = gimple_build_asm_vec("movabs $0x8000000000000000, %%r12\n\t", NULL, NULL, NULL, NULL); ++ stmt = gimple_build_asm_vec("movabs $0x8000000000000000, %%r12\n\t", NULL, NULL, NULL, NULL); ++ asm_movabs_stmt = as_a_gasm(stmt); + gimple_asm_set_volatile(asm_movabs_stmt, true); + gsi_insert_after(gsi, asm_movabs_stmt, GSI_CONTINUE_LINKING); + update_stmt(asm_movabs_stmt); @@ -121301,6 +121089,7 @@ index 0000000..b0d8255 + +static void kernexec_instrument_fptr_or(gimple_stmt_iterator *gsi) +{ ++ gimple stmt; + gasm *asm_or_stmt; + gcall *call_stmt; + tree old_fptr, new_fptr, input, output; @@ -121332,7 +121121,8 @@ index 0000000..b0d8255 + vec_safe_push(inputs, input); + vec_safe_push(outputs, output); +#endif -+ asm_or_stmt = gimple_build_asm_vec("orq %%r12, %0\n\t", inputs, outputs, NULL, NULL); ++ stmt = gimple_build_asm_vec("orq %%r12, %0\n\t", inputs, outputs, NULL, NULL); ++ asm_or_stmt = as_a_gasm(stmt); + SSA_NAME_DEF_STMT(new_fptr) = asm_or_stmt; + gimple_asm_set_volatile(asm_or_stmt, true); + gsi_insert_before(gsi, asm_or_stmt, GSI_SAME_STMT); @@ -133447,10 +133237,10 @@ index 0000000..2a693fe + diff --git a/tools/gcc/stackleak_plugin.c b/tools/gcc/stackleak_plugin.c new file mode 100644 -index 0000000..1d296ce +index 0000000..155e2c5 --- /dev/null +++ b/tools/gcc/stackleak_plugin.c -@@ -0,0 +1,432 @@ +@@ -0,0 +1,436 @@ +/* + * Copyright 2011-2015 by the PaX Team + * Licensed under the GPL v2 @@ -133490,6 +133280,7 @@ index 0000000..1d296ce + +static void stackleak_check_alloca(gimple_stmt_iterator *gsi) +{ ++ gimple stmt; + gcall *check_alloca; + tree alloca_size; + cgraph_node_ptr node; @@ -133498,7 +133289,8 @@ index 0000000..1d296ce + + // insert call to void pax_check_alloca(unsigned long size) + alloca_size = gimple_call_arg(gsi_stmt(*gsi), 0); -+ check_alloca = gimple_build_call(check_function_decl, 1, alloca_size); ++ stmt = gimple_build_call(check_function_decl, 1, alloca_size); ++ check_alloca = as_a_gcall(stmt); + gsi_insert_before(gsi, check_alloca, GSI_SAME_STMT); + + // update the cgraph @@ -133511,13 +133303,15 @@ index 0000000..1d296ce + +static void stackleak_add_instrumentation(gimple_stmt_iterator *gsi) +{ ++ gimple stmt; + gcall *track_stack; + cgraph_node_ptr node; + int frequency; + basic_block bb; + + // insert call to void pax_track_stack(void) -+ track_stack = gimple_build_call(track_function_decl, 0); ++ stmt = gimple_build_call(track_function_decl, 0); ++ track_stack = as_a_gcall(stmt); + gsi_insert_after(gsi, track_stack, GSI_CONTINUE_LINKING); + + // update the cgraph diff --git a/kernel-sources/grsecurity/grsecurity-3.1-3.2.70-201508102127.patch.sig b/kernel-sources/grsecurity/grsecurity-3.1-3.2.70-201508102127.patch.sig new file mode 100644 index 0000000..abb4b97 Binary files /dev/null and b/kernel-sources/grsecurity/grsecurity-3.1-3.2.70-201508102127.patch.sig differ