Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 4.6.4/, 4.6.3/
Date: Tue, 12 Jul 2016 18:56:41
Message-Id: 1468349969.e541c2b69dd1103c5b8377a64ea8cb82d646558c.blueness@gentoo
1 commit: e541c2b69dd1103c5b8377a64ea8cb82d646558c
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Tue Jul 12 18:59:29 2016 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Tue Jul 12 18:59:29 2016 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=e541c2b6
7
8 grsecurity-3.1-4.6.4-201607112205
9
10 4.6.3/1002_linux-4.6.3.patch | 4713 --------------------
11 {4.6.3 => 4.6.4}/0000_README | 6 +-
12 .../4420_grsecurity-3.1-4.6.4-201607112205.patch | 182 +-
13 {4.6.3 => 4.6.4}/4425_grsec_remove_EI_PAX.patch | 0
14 {4.6.3 => 4.6.4}/4427_force_XATTR_PAX_tmpfs.patch | 0
15 .../4430_grsec-remove-localversion-grsec.patch | 0
16 {4.6.3 => 4.6.4}/4435_grsec-mute-warnings.patch | 0
17 .../4440_grsec-remove-protected-paths.patch | 0
18 .../4450_grsec-kconfig-default-gids.patch | 0
19 .../4465_selinux-avc_audit-log-curr_ip.patch | 0
20 {4.6.3 => 4.6.4}/4470_disable-compat_vdso.patch | 0
21 {4.6.3 => 4.6.4}/4475_emutramp_default_on.patch | 0
22 12 files changed, 152 insertions(+), 4749 deletions(-)
23
24 diff --git a/4.6.3/1002_linux-4.6.3.patch b/4.6.3/1002_linux-4.6.3.patch
25 deleted file mode 100644
26 index f999198..0000000
27 --- a/4.6.3/1002_linux-4.6.3.patch
28 +++ /dev/null
29 @@ -1,4713 +0,0 @@
30 -diff --git a/Makefile b/Makefile
31 -index 93068c2..c62b531 100644
32 ---- a/Makefile
33 -+++ b/Makefile
34 -@@ -1,6 +1,6 @@
35 - VERSION = 4
36 - PATCHLEVEL = 6
37 --SUBLEVEL = 2
38 -+SUBLEVEL = 3
39 - EXTRAVERSION =
40 - NAME = Charred Weasel
41 -
42 -diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
43 -index ef9119f..4d93758 100644
44 ---- a/arch/arm/kernel/ptrace.c
45 -+++ b/arch/arm/kernel/ptrace.c
46 -@@ -733,8 +733,8 @@ static int vfp_set(struct task_struct *target,
47 - if (ret)
48 - return ret;
49 -
50 -- vfp_flush_hwstate(thread);
51 - thread->vfpstate.hard = new_vfp;
52 -+ vfp_flush_hwstate(thread);
53 -
54 - return 0;
55 - }
56 -diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
57 -index 24ed037..83d48a5 100644
58 ---- a/arch/arm64/include/asm/elf.h
59 -+++ b/arch/arm64/include/asm/elf.h
60 -@@ -160,14 +160,14 @@ extern int arch_setup_additional_pages(struct linux_binprm *bprm,
61 - #define STACK_RND_MASK (0x3ffff >> (PAGE_SHIFT - 12))
62 - #endif
63 -
64 --#ifdef CONFIG_COMPAT
65 --
66 - #ifdef __AARCH64EB__
67 - #define COMPAT_ELF_PLATFORM ("v8b")
68 - #else
69 - #define COMPAT_ELF_PLATFORM ("v8l")
70 - #endif
71 -
72 -+#ifdef CONFIG_COMPAT
73 -+
74 - #define COMPAT_ELF_ET_DYN_BASE (2 * TASK_SIZE_32 / 3)
75 -
76 - /* AArch32 registers. */
77 -diff --git a/arch/arm64/kernel/cpuinfo.c b/arch/arm64/kernel/cpuinfo.c
78 -index f0c3fb7..2d2d7cb 100644
79 ---- a/arch/arm64/kernel/cpuinfo.c
80 -+++ b/arch/arm64/kernel/cpuinfo.c
81 -@@ -22,6 +22,8 @@
82 -
83 - #include <linux/bitops.h>
84 - #include <linux/bug.h>
85 -+#include <linux/compat.h>
86 -+#include <linux/elf.h>
87 - #include <linux/init.h>
88 - #include <linux/kernel.h>
89 - #include <linux/personality.h>
90 -@@ -104,6 +106,7 @@ static const char *const compat_hwcap2_str[] = {
91 - static int c_show(struct seq_file *m, void *v)
92 - {
93 - int i, j;
94 -+ bool compat = personality(current->personality) == PER_LINUX32;
95 -
96 - for_each_online_cpu(i) {
97 - struct cpuinfo_arm64 *cpuinfo = &per_cpu(cpu_data, i);
98 -@@ -115,6 +118,9 @@ static int c_show(struct seq_file *m, void *v)
99 - * "processor". Give glibc what it expects.
100 - */
101 - seq_printf(m, "processor\t: %d\n", i);
102 -+ if (compat)
103 -+ seq_printf(m, "model name\t: ARMv8 Processor rev %d (%s)\n",
104 -+ MIDR_REVISION(midr), COMPAT_ELF_PLATFORM);
105 -
106 - seq_printf(m, "BogoMIPS\t: %lu.%02lu\n",
107 - loops_per_jiffy / (500000UL/HZ),
108 -@@ -127,7 +133,7 @@ static int c_show(struct seq_file *m, void *v)
109 - * software which does already (at least for 32-bit).
110 - */
111 - seq_puts(m, "Features\t:");
112 -- if (personality(current->personality) == PER_LINUX32) {
113 -+ if (compat) {
114 - #ifdef CONFIG_COMPAT
115 - for (j = 0; compat_hwcap_str[j]; j++)
116 - if (compat_elf_hwcap & (1 << j))
117 -diff --git a/arch/arm64/kvm/hyp/vgic-v3-sr.c b/arch/arm64/kvm/hyp/vgic-v3-sr.c
118 -index fff7cd4..3129df9 100644
119 ---- a/arch/arm64/kvm/hyp/vgic-v3-sr.c
120 -+++ b/arch/arm64/kvm/hyp/vgic-v3-sr.c
121 -@@ -190,12 +190,11 @@ void __hyp_text __vgic_v3_save_state(struct kvm_vcpu *vcpu)
122 - if (!(vcpu->arch.vgic_cpu.live_lrs & (1UL << i)))
123 - continue;
124 -
125 -- if (cpu_if->vgic_elrsr & (1 << i)) {
126 -+ if (cpu_if->vgic_elrsr & (1 << i))
127 - cpu_if->vgic_lr[i] &= ~ICH_LR_STATE;
128 -- continue;
129 -- }
130 -+ else
131 -+ cpu_if->vgic_lr[i] = __gic_v3_get_lr(i);
132 -
133 -- cpu_if->vgic_lr[i] = __gic_v3_get_lr(i);
134 - __gic_v3_set_lr(0, i);
135 - }
136 -
137 -diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
138 -index 3ae4a28..10b79e9 100644
139 ---- a/arch/arm64/mm/fault.c
140 -+++ b/arch/arm64/mm/fault.c
141 -@@ -109,7 +109,7 @@ int ptep_set_access_flags(struct vm_area_struct *vma,
142 - * PTE_RDONLY is cleared by default in the asm below, so set it in
143 - * back if necessary (read-only or clean PTE).
144 - */
145 -- if (!pte_write(entry) || !dirty)
146 -+ if (!pte_write(entry) || !pte_sw_dirty(entry))
147 - pte_val(entry) |= PTE_RDONLY;
148 -
149 - /*
150 -diff --git a/arch/parisc/kernel/unaligned.c b/arch/parisc/kernel/unaligned.c
151 -index d7c0acb..8d49614 100644
152 ---- a/arch/parisc/kernel/unaligned.c
153 -+++ b/arch/parisc/kernel/unaligned.c
154 -@@ -666,7 +666,7 @@ void handle_unaligned(struct pt_regs *regs)
155 - break;
156 - }
157 -
158 -- if (modify && R1(regs->iir))
159 -+ if (ret == 0 && modify && R1(regs->iir))
160 - regs->gr[R1(regs->iir)] = newbase;
161 -
162 -
163 -@@ -677,6 +677,14 @@ void handle_unaligned(struct pt_regs *regs)
164 -
165 - if (ret)
166 - {
167 -+ /*
168 -+ * The unaligned handler failed.
169 -+ * If we were called by __get_user() or __put_user() jump
170 -+ * to it's exception fixup handler instead of crashing.
171 -+ */
172 -+ if (!user_mode(regs) && fixup_exception(regs))
173 -+ return;
174 -+
175 - printk(KERN_CRIT "Unaligned handler failed, ret = %d\n", ret);
176 - die_if_kernel("Unaligned data reference", regs, 28);
177 -
178 -diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
179 -index f5f4c66..166d863 100644
180 ---- a/arch/powerpc/include/asm/reg.h
181 -+++ b/arch/powerpc/include/asm/reg.h
182 -@@ -715,7 +715,7 @@
183 - #define MMCR0_FCWAIT 0x00000002UL /* freeze counter in WAIT state */
184 - #define MMCR0_FCHV 0x00000001UL /* freeze conditions in hypervisor mode */
185 - #define SPRN_MMCR1 798
186 --#define SPRN_MMCR2 769
187 -+#define SPRN_MMCR2 785
188 - #define SPRN_MMCRA 0x312
189 - #define MMCRA_SDSYNC 0x80000000UL /* SDAR synced with SIAR */
190 - #define MMCRA_SDAR_DCACHE_MISS 0x40000000UL
191 -@@ -752,13 +752,13 @@
192 - #define SPRN_PMC6 792
193 - #define SPRN_PMC7 793
194 - #define SPRN_PMC8 794
195 --#define SPRN_SIAR 780
196 --#define SPRN_SDAR 781
197 - #define SPRN_SIER 784
198 - #define SIER_SIPR 0x2000000 /* Sampled MSR_PR */
199 - #define SIER_SIHV 0x1000000 /* Sampled MSR_HV */
200 - #define SIER_SIAR_VALID 0x0400000 /* SIAR contents valid */
201 - #define SIER_SDAR_VALID 0x0200000 /* SDAR contents valid */
202 -+#define SPRN_SIAR 796
203 -+#define SPRN_SDAR 797
204 - #define SPRN_TACR 888
205 - #define SPRN_TCSCR 889
206 - #define SPRN_CSIGR 890
207 -diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c
208 -index da51925..ccd2037 100644
209 ---- a/arch/powerpc/kernel/prom_init.c
210 -+++ b/arch/powerpc/kernel/prom_init.c
211 -@@ -656,6 +656,7 @@ unsigned char ibm_architecture_vec[] = {
212 - W(0xffff0000), W(0x003e0000), /* POWER6 */
213 - W(0xffff0000), W(0x003f0000), /* POWER7 */
214 - W(0xffff0000), W(0x004b0000), /* POWER8E */
215 -+ W(0xffff0000), W(0x004c0000), /* POWER8NVL */
216 - W(0xffff0000), W(0x004d0000), /* POWER8 */
217 - W(0xffffffff), W(0x0f000004), /* all 2.07-compliant */
218 - W(0xffffffff), W(0x0f000003), /* all 2.06-compliant */
219 -diff --git a/arch/powerpc/mm/hash_utils_64.c b/arch/powerpc/mm/hash_utils_64.c
220 -index 7635b1c..f4acba2 100644
221 ---- a/arch/powerpc/mm/hash_utils_64.c
222 -+++ b/arch/powerpc/mm/hash_utils_64.c
223 -@@ -159,6 +159,19 @@ static struct mmu_psize_def mmu_psize_defaults_gp[] = {
224 - },
225 - };
226 -
227 -+/*
228 -+ * 'R' and 'C' update notes:
229 -+ * - Under pHyp or KVM, the updatepp path will not set C, thus it *will*
230 -+ * create writeable HPTEs without C set, because the hcall H_PROTECT
231 -+ * that we use in that case will not update C
232 -+ * - The above is however not a problem, because we also don't do that
233 -+ * fancy "no flush" variant of eviction and we use H_REMOVE which will
234 -+ * do the right thing and thus we don't have the race I described earlier
235 -+ *
236 -+ * - Under bare metal, we do have the race, so we need R and C set
237 -+ * - We make sure R is always set and never lost
238 -+ * - C is _PAGE_DIRTY, and *should* always be set for a writeable mapping
239 -+ */
240 - unsigned long htab_convert_pte_flags(unsigned long pteflags)
241 - {
242 - unsigned long rflags = 0;
243 -@@ -180,9 +193,14 @@ unsigned long htab_convert_pte_flags(unsigned long pteflags)
244 - rflags |= 0x1;
245 - }
246 - /*
247 -- * Always add "C" bit for perf. Memory coherence is always enabled
248 -+ * We can't allow hardware to update hpte bits. Hence always
249 -+ * set 'R' bit and set 'C' if it is a write fault
250 -+ * Memory coherence is always enabled
251 - */
252 -- rflags |= HPTE_R_C | HPTE_R_M;
253 -+ rflags |= HPTE_R_R | HPTE_R_M;
254 -+
255 -+ if (pteflags & _PAGE_DIRTY)
256 -+ rflags |= HPTE_R_C;
257 - /*
258 - * Add in WIG bits
259 - */
260 -diff --git a/arch/powerpc/platforms/pseries/eeh_pseries.c b/arch/powerpc/platforms/pseries/eeh_pseries.c
261 -index ac3ffd9..405baaf 100644
262 ---- a/arch/powerpc/platforms/pseries/eeh_pseries.c
263 -+++ b/arch/powerpc/platforms/pseries/eeh_pseries.c
264 -@@ -615,29 +615,50 @@ static int pseries_eeh_configure_bridge(struct eeh_pe *pe)
265 - {
266 - int config_addr;
267 - int ret;
268 -+ /* Waiting 0.2s maximum before skipping configuration */
269 -+ int max_wait = 200;
270 -
271 - /* Figure out the PE address */
272 - config_addr = pe->config_addr;
273 - if (pe->addr)
274 - config_addr = pe->addr;
275 -
276 -- /* Use new configure-pe function, if supported */
277 -- if (ibm_configure_pe != RTAS_UNKNOWN_SERVICE) {
278 -- ret = rtas_call(ibm_configure_pe, 3, 1, NULL,
279 -- config_addr, BUID_HI(pe->phb->buid),
280 -- BUID_LO(pe->phb->buid));
281 -- } else if (ibm_configure_bridge != RTAS_UNKNOWN_SERVICE) {
282 -- ret = rtas_call(ibm_configure_bridge, 3, 1, NULL,
283 -- config_addr, BUID_HI(pe->phb->buid),
284 -- BUID_LO(pe->phb->buid));
285 -- } else {
286 -- return -EFAULT;
287 -- }
288 -+ while (max_wait > 0) {
289 -+ /* Use new configure-pe function, if supported */
290 -+ if (ibm_configure_pe != RTAS_UNKNOWN_SERVICE) {
291 -+ ret = rtas_call(ibm_configure_pe, 3, 1, NULL,
292 -+ config_addr, BUID_HI(pe->phb->buid),
293 -+ BUID_LO(pe->phb->buid));
294 -+ } else if (ibm_configure_bridge != RTAS_UNKNOWN_SERVICE) {
295 -+ ret = rtas_call(ibm_configure_bridge, 3, 1, NULL,
296 -+ config_addr, BUID_HI(pe->phb->buid),
297 -+ BUID_LO(pe->phb->buid));
298 -+ } else {
299 -+ return -EFAULT;
300 -+ }
301 -
302 -- if (ret)
303 -- pr_warn("%s: Unable to configure bridge PHB#%d-PE#%x (%d)\n",
304 -- __func__, pe->phb->global_number, pe->addr, ret);
305 -+ if (!ret)
306 -+ return ret;
307 -+
308 -+ /*
309 -+ * If RTAS returns a delay value that's above 100ms, cut it
310 -+ * down to 100ms in case firmware made a mistake. For more
311 -+ * on how these delay values work see rtas_busy_delay_time
312 -+ */
313 -+ if (ret > RTAS_EXTENDED_DELAY_MIN+2 &&
314 -+ ret <= RTAS_EXTENDED_DELAY_MAX)
315 -+ ret = RTAS_EXTENDED_DELAY_MIN+2;
316 -+
317 -+ max_wait -= rtas_busy_delay_time(ret);
318 -+
319 -+ if (max_wait < 0)
320 -+ break;
321 -+
322 -+ rtas_busy_delay(ret);
323 -+ }
324 -
325 -+ pr_warn("%s: Unable to configure bridge PHB#%d-PE#%x (%d)\n",
326 -+ __func__, pe->phb->global_number, pe->addr, ret);
327 - return ret;
328 - }
329 -
330 -diff --git a/arch/s390/net/bpf_jit.h b/arch/s390/net/bpf_jit.h
331 -index f010c93..fda605d 100644
332 ---- a/arch/s390/net/bpf_jit.h
333 -+++ b/arch/s390/net/bpf_jit.h
334 -@@ -37,7 +37,7 @@ extern u8 sk_load_word[], sk_load_half[], sk_load_byte[];
335 - * | | |
336 - * +---------------+ |
337 - * | 8 byte skbp | |
338 -- * R15+170 -> +---------------+ |
339 -+ * R15+176 -> +---------------+ |
340 - * | 8 byte hlen | |
341 - * R15+168 -> +---------------+ |
342 - * | 4 byte align | |
343 -@@ -58,7 +58,7 @@ extern u8 sk_load_word[], sk_load_half[], sk_load_byte[];
344 - #define STK_OFF (STK_SPACE - STK_160_UNUSED)
345 - #define STK_OFF_TMP 160 /* Offset of tmp buffer on stack */
346 - #define STK_OFF_HLEN 168 /* Offset of SKB header length on stack */
347 --#define STK_OFF_SKBP 170 /* Offset of SKB pointer on stack */
348 -+#define STK_OFF_SKBP 176 /* Offset of SKB pointer on stack */
349 -
350 - #define STK_OFF_R6 (160 - 11 * 8) /* Offset of r6 on stack */
351 - #define STK_OFF_TCCNT (160 - 12 * 8) /* Offset of tail_call_cnt on stack */
352 -diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
353 -index 3c0bfc1..2662fcc 100644
354 ---- a/arch/s390/net/bpf_jit_comp.c
355 -+++ b/arch/s390/net/bpf_jit_comp.c
356 -@@ -45,7 +45,7 @@ struct bpf_jit {
357 - int labels[1]; /* Labels for local jumps */
358 - };
359 -
360 --#define BPF_SIZE_MAX 0x7ffff /* Max size for program (20 bit signed displ) */
361 -+#define BPF_SIZE_MAX 0xffff /* Max size for program (16 bit branches) */
362 -
363 - #define SEEN_SKB 1 /* skb access */
364 - #define SEEN_MEM 2 /* use mem[] for temporary storage */
365 -@@ -446,7 +446,7 @@ static void bpf_jit_prologue(struct bpf_jit *jit)
366 - emit_load_skb_data_hlen(jit);
367 - if (jit->seen & SEEN_SKB_CHANGE)
368 - /* stg %b1,ST_OFF_SKBP(%r0,%r15) */
369 -- EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0, REG_15,
370 -+ EMIT6_DISP_LH(0xe3000000, 0x0024, BPF_REG_1, REG_0, REG_15,
371 - STK_OFF_SKBP);
372 - }
373 -
374 -diff --git a/arch/sparc/include/asm/head_64.h b/arch/sparc/include/asm/head_64.h
375 -index 10e9dab..f0700cf 100644
376 ---- a/arch/sparc/include/asm/head_64.h
377 -+++ b/arch/sparc/include/asm/head_64.h
378 -@@ -15,6 +15,10 @@
379 -
380 - #define PTREGS_OFF (STACK_BIAS + STACKFRAME_SZ)
381 -
382 -+#define RTRAP_PSTATE (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_IE)
383 -+#define RTRAP_PSTATE_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV)
384 -+#define RTRAP_PSTATE_AG_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_AG)
385 -+
386 - #define __CHEETAH_ID 0x003e0014
387 - #define __JALAPENO_ID 0x003e0016
388 - #define __SERRANO_ID 0x003e0022
389 -diff --git a/arch/sparc/include/asm/pgtable_64.h b/arch/sparc/include/asm/pgtable_64.h
390 -index f089cfa..5a189bf 100644
391 ---- a/arch/sparc/include/asm/pgtable_64.h
392 -+++ b/arch/sparc/include/asm/pgtable_64.h
393 -@@ -375,7 +375,7 @@ static inline pgprot_t pgprot_noncached(pgprot_t prot)
394 - #define pgprot_noncached pgprot_noncached
395 -
396 - #if defined(CONFIG_HUGETLB_PAGE) || defined(CONFIG_TRANSPARENT_HUGEPAGE)
397 --static inline pte_t pte_mkhuge(pte_t pte)
398 -+static inline unsigned long __pte_huge_mask(void)
399 - {
400 - unsigned long mask;
401 -
402 -@@ -390,8 +390,19 @@ static inline pte_t pte_mkhuge(pte_t pte)
403 - : "=r" (mask)
404 - : "i" (_PAGE_SZHUGE_4U), "i" (_PAGE_SZHUGE_4V));
405 -
406 -- return __pte(pte_val(pte) | mask);
407 -+ return mask;
408 -+}
409 -+
410 -+static inline pte_t pte_mkhuge(pte_t pte)
411 -+{
412 -+ return __pte(pte_val(pte) | __pte_huge_mask());
413 -+}
414 -+
415 -+static inline bool is_hugetlb_pte(pte_t pte)
416 -+{
417 -+ return !!(pte_val(pte) & __pte_huge_mask());
418 - }
419 -+
420 - #ifdef CONFIG_TRANSPARENT_HUGEPAGE
421 - static inline pmd_t pmd_mkhuge(pmd_t pmd)
422 - {
423 -@@ -403,6 +414,11 @@ static inline pmd_t pmd_mkhuge(pmd_t pmd)
424 - return __pmd(pte_val(pte));
425 - }
426 - #endif
427 -+#else
428 -+static inline bool is_hugetlb_pte(pte_t pte)
429 -+{
430 -+ return false;
431 -+}
432 - #endif
433 -
434 - static inline pte_t pte_mkdirty(pte_t pte)
435 -@@ -858,6 +874,19 @@ static inline unsigned long pud_pfn(pud_t pud)
436 - void tlb_batch_add(struct mm_struct *mm, unsigned long vaddr,
437 - pte_t *ptep, pte_t orig, int fullmm);
438 -
439 -+static void maybe_tlb_batch_add(struct mm_struct *mm, unsigned long vaddr,
440 -+ pte_t *ptep, pte_t orig, int fullmm)
441 -+{
442 -+ /* It is more efficient to let flush_tlb_kernel_range()
443 -+ * handle init_mm tlb flushes.
444 -+ *
445 -+ * SUN4V NOTE: _PAGE_VALID is the same value in both the SUN4U
446 -+ * and SUN4V pte layout, so this inline test is fine.
447 -+ */
448 -+ if (likely(mm != &init_mm) && pte_accessible(mm, orig))
449 -+ tlb_batch_add(mm, vaddr, ptep, orig, fullmm);
450 -+}
451 -+
452 - #define __HAVE_ARCH_PMDP_HUGE_GET_AND_CLEAR
453 - static inline pmd_t pmdp_huge_get_and_clear(struct mm_struct *mm,
454 - unsigned long addr,
455 -@@ -874,15 +903,7 @@ static inline void __set_pte_at(struct mm_struct *mm, unsigned long addr,
456 - pte_t orig = *ptep;
457 -
458 - *ptep = pte;
459 --
460 -- /* It is more efficient to let flush_tlb_kernel_range()
461 -- * handle init_mm tlb flushes.
462 -- *
463 -- * SUN4V NOTE: _PAGE_VALID is the same value in both the SUN4U
464 -- * and SUN4V pte layout, so this inline test is fine.
465 -- */
466 -- if (likely(mm != &init_mm) && pte_accessible(mm, orig))
467 -- tlb_batch_add(mm, addr, ptep, orig, fullmm);
468 -+ maybe_tlb_batch_add(mm, addr, ptep, orig, fullmm);
469 - }
470 -
471 - #define set_pte_at(mm,addr,ptep,pte) \
472 -diff --git a/arch/sparc/include/asm/tlbflush_64.h b/arch/sparc/include/asm/tlbflush_64.h
473 -index dea1cfa..a8e192e 100644
474 ---- a/arch/sparc/include/asm/tlbflush_64.h
475 -+++ b/arch/sparc/include/asm/tlbflush_64.h
476 -@@ -8,6 +8,7 @@
477 - #define TLB_BATCH_NR 192
478 -
479 - struct tlb_batch {
480 -+ bool huge;
481 - struct mm_struct *mm;
482 - unsigned long tlb_nr;
483 - unsigned long active;
484 -@@ -16,7 +17,7 @@ struct tlb_batch {
485 -
486 - void flush_tsb_kernel_range(unsigned long start, unsigned long end);
487 - void flush_tsb_user(struct tlb_batch *tb);
488 --void flush_tsb_user_page(struct mm_struct *mm, unsigned long vaddr);
489 -+void flush_tsb_user_page(struct mm_struct *mm, unsigned long vaddr, bool huge);
490 -
491 - /* TLB flush operations. */
492 -
493 -diff --git a/arch/sparc/include/asm/ttable.h b/arch/sparc/include/asm/ttable.h
494 -index 71b5a67..781b9f1 100644
495 ---- a/arch/sparc/include/asm/ttable.h
496 -+++ b/arch/sparc/include/asm/ttable.h
497 -@@ -589,8 +589,8 @@ user_rtt_fill_64bit: \
498 - restored; \
499 - nop; nop; nop; nop; nop; nop; \
500 - nop; nop; nop; nop; nop; \
501 -- ba,a,pt %xcc, user_rtt_fill_fixup; \
502 -- ba,a,pt %xcc, user_rtt_fill_fixup; \
503 -+ ba,a,pt %xcc, user_rtt_fill_fixup_dax; \
504 -+ ba,a,pt %xcc, user_rtt_fill_fixup_mna; \
505 - ba,a,pt %xcc, user_rtt_fill_fixup;
506 -
507 -
508 -@@ -652,8 +652,8 @@ user_rtt_fill_32bit: \
509 - restored; \
510 - nop; nop; nop; nop; nop; \
511 - nop; nop; nop; \
512 -- ba,a,pt %xcc, user_rtt_fill_fixup; \
513 -- ba,a,pt %xcc, user_rtt_fill_fixup; \
514 -+ ba,a,pt %xcc, user_rtt_fill_fixup_dax; \
515 -+ ba,a,pt %xcc, user_rtt_fill_fixup_mna; \
516 - ba,a,pt %xcc, user_rtt_fill_fixup;
517 -
518 -
519 -diff --git a/arch/sparc/kernel/Makefile b/arch/sparc/kernel/Makefile
520 -index 7cf9c6e..fdb1332 100644
521 ---- a/arch/sparc/kernel/Makefile
522 -+++ b/arch/sparc/kernel/Makefile
523 -@@ -21,6 +21,7 @@ CFLAGS_REMOVE_perf_event.o := -pg
524 - CFLAGS_REMOVE_pcr.o := -pg
525 - endif
526 -
527 -+obj-$(CONFIG_SPARC64) += urtt_fill.o
528 - obj-$(CONFIG_SPARC32) += entry.o wof.o wuf.o
529 - obj-$(CONFIG_SPARC32) += etrap_32.o
530 - obj-$(CONFIG_SPARC32) += rtrap_32.o
531 -diff --git a/arch/sparc/kernel/rtrap_64.S b/arch/sparc/kernel/rtrap_64.S
532 -index d08bdaf..216948c 100644
533 ---- a/arch/sparc/kernel/rtrap_64.S
534 -+++ b/arch/sparc/kernel/rtrap_64.S
535 -@@ -14,10 +14,6 @@
536 - #include <asm/visasm.h>
537 - #include <asm/processor.h>
538 -
539 --#define RTRAP_PSTATE (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_IE)
540 --#define RTRAP_PSTATE_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV)
541 --#define RTRAP_PSTATE_AG_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_AG)
542 --
543 - #ifdef CONFIG_CONTEXT_TRACKING
544 - # define SCHEDULE_USER schedule_user
545 - #else
546 -@@ -242,52 +238,17 @@ rt_continue: ldx [%sp + PTREGS_OFF + PT_V9_G1], %g1
547 - wrpr %g1, %cwp
548 - ba,a,pt %xcc, user_rtt_fill_64bit
549 -
550 --user_rtt_fill_fixup:
551 -- rdpr %cwp, %g1
552 -- add %g1, 1, %g1
553 -- wrpr %g1, 0x0, %cwp
554 --
555 -- rdpr %wstate, %g2
556 -- sll %g2, 3, %g2
557 -- wrpr %g2, 0x0, %wstate
558 --
559 -- /* We know %canrestore and %otherwin are both zero. */
560 --
561 -- sethi %hi(sparc64_kern_pri_context), %g2
562 -- ldx [%g2 + %lo(sparc64_kern_pri_context)], %g2
563 -- mov PRIMARY_CONTEXT, %g1
564 --
565 --661: stxa %g2, [%g1] ASI_DMMU
566 -- .section .sun4v_1insn_patch, "ax"
567 -- .word 661b
568 -- stxa %g2, [%g1] ASI_MMU
569 -- .previous
570 --
571 -- sethi %hi(KERNBASE), %g1
572 -- flush %g1
573 -+user_rtt_fill_fixup_dax:
574 -+ ba,pt %xcc, user_rtt_fill_fixup_common
575 -+ mov 1, %g3
576 -
577 -- or %g4, FAULT_CODE_WINFIXUP, %g4
578 -- stb %g4, [%g6 + TI_FAULT_CODE]
579 -- stx %g5, [%g6 + TI_FAULT_ADDR]
580 -+user_rtt_fill_fixup_mna:
581 -+ ba,pt %xcc, user_rtt_fill_fixup_common
582 -+ mov 2, %g3
583 -
584 -- mov %g6, %l1
585 -- wrpr %g0, 0x0, %tl
586 --
587 --661: nop
588 -- .section .sun4v_1insn_patch, "ax"
589 -- .word 661b
590 -- SET_GL(0)
591 -- .previous
592 --
593 -- wrpr %g0, RTRAP_PSTATE, %pstate
594 --
595 -- mov %l1, %g6
596 -- ldx [%g6 + TI_TASK], %g4
597 -- LOAD_PER_CPU_BASE(%g5, %g6, %g1, %g2, %g3)
598 -- call do_sparc64_fault
599 -- add %sp, PTREGS_OFF, %o0
600 -- ba,pt %xcc, rtrap
601 -- nop
602 -+user_rtt_fill_fixup:
603 -+ ba,pt %xcc, user_rtt_fill_fixup_common
604 -+ clr %g3
605 -
606 - user_rtt_pre_restore:
607 - add %g1, 1, %g1
608 -diff --git a/arch/sparc/kernel/signal32.c b/arch/sparc/kernel/signal32.c
609 -index 3c25241..ebd0bfe 100644
610 ---- a/arch/sparc/kernel/signal32.c
611 -+++ b/arch/sparc/kernel/signal32.c
612 -@@ -138,12 +138,24 @@ int copy_siginfo_from_user32(siginfo_t *to, compat_siginfo_t __user *from)
613 - return 0;
614 - }
615 -
616 -+/* Checks if the fp is valid. We always build signal frames which are
617 -+ * 16-byte aligned, therefore we can always enforce that the restore
618 -+ * frame has that property as well.
619 -+ */
620 -+static bool invalid_frame_pointer(void __user *fp, int fplen)
621 -+{
622 -+ if ((((unsigned long) fp) & 15) ||
623 -+ ((unsigned long)fp) > 0x100000000ULL - fplen)
624 -+ return true;
625 -+ return false;
626 -+}
627 -+
628 - void do_sigreturn32(struct pt_regs *regs)
629 - {
630 - struct signal_frame32 __user *sf;
631 - compat_uptr_t fpu_save;
632 - compat_uptr_t rwin_save;
633 -- unsigned int psr;
634 -+ unsigned int psr, ufp;
635 - unsigned int pc, npc;
636 - sigset_t set;
637 - compat_sigset_t seta;
638 -@@ -158,11 +170,16 @@ void do_sigreturn32(struct pt_regs *regs)
639 - sf = (struct signal_frame32 __user *) regs->u_regs[UREG_FP];
640 -
641 - /* 1. Make sure we are not getting garbage from the user */
642 -- if (!access_ok(VERIFY_READ, sf, sizeof(*sf)) ||
643 -- (((unsigned long) sf) & 3))
644 -+ if (invalid_frame_pointer(sf, sizeof(*sf)))
645 -+ goto segv;
646 -+
647 -+ if (get_user(ufp, &sf->info.si_regs.u_regs[UREG_FP]))
648 -+ goto segv;
649 -+
650 -+ if (ufp & 0x7)
651 - goto segv;
652 -
653 -- if (get_user(pc, &sf->info.si_regs.pc) ||
654 -+ if (__get_user(pc, &sf->info.si_regs.pc) ||
655 - __get_user(npc, &sf->info.si_regs.npc))
656 - goto segv;
657 -
658 -@@ -227,7 +244,7 @@ segv:
659 - asmlinkage void do_rt_sigreturn32(struct pt_regs *regs)
660 - {
661 - struct rt_signal_frame32 __user *sf;
662 -- unsigned int psr, pc, npc;
663 -+ unsigned int psr, pc, npc, ufp;
664 - compat_uptr_t fpu_save;
665 - compat_uptr_t rwin_save;
666 - sigset_t set;
667 -@@ -242,11 +259,16 @@ asmlinkage void do_rt_sigreturn32(struct pt_regs *regs)
668 - sf = (struct rt_signal_frame32 __user *) regs->u_regs[UREG_FP];
669 -
670 - /* 1. Make sure we are not getting garbage from the user */
671 -- if (!access_ok(VERIFY_READ, sf, sizeof(*sf)) ||
672 -- (((unsigned long) sf) & 3))
673 -+ if (invalid_frame_pointer(sf, sizeof(*sf)))
674 - goto segv;
675 -
676 -- if (get_user(pc, &sf->regs.pc) ||
677 -+ if (get_user(ufp, &sf->regs.u_regs[UREG_FP]))
678 -+ goto segv;
679 -+
680 -+ if (ufp & 0x7)
681 -+ goto segv;
682 -+
683 -+ if (__get_user(pc, &sf->regs.pc) ||
684 - __get_user(npc, &sf->regs.npc))
685 - goto segv;
686 -
687 -@@ -307,14 +329,6 @@ segv:
688 - force_sig(SIGSEGV, current);
689 - }
690 -
691 --/* Checks if the fp is valid */
692 --static int invalid_frame_pointer(void __user *fp, int fplen)
693 --{
694 -- if ((((unsigned long) fp) & 7) || ((unsigned long)fp) > 0x100000000ULL - fplen)
695 -- return 1;
696 -- return 0;
697 --}
698 --
699 - static void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs, unsigned long framesize)
700 - {
701 - unsigned long sp;
702 -diff --git a/arch/sparc/kernel/signal_32.c b/arch/sparc/kernel/signal_32.c
703 -index 52aa5e4..c3c12ef 100644
704 ---- a/arch/sparc/kernel/signal_32.c
705 -+++ b/arch/sparc/kernel/signal_32.c
706 -@@ -60,10 +60,22 @@ struct rt_signal_frame {
707 - #define SF_ALIGNEDSZ (((sizeof(struct signal_frame) + 7) & (~7)))
708 - #define RT_ALIGNEDSZ (((sizeof(struct rt_signal_frame) + 7) & (~7)))
709 -
710 -+/* Checks if the fp is valid. We always build signal frames which are
711 -+ * 16-byte aligned, therefore we can always enforce that the restore
712 -+ * frame has that property as well.
713 -+ */
714 -+static inline bool invalid_frame_pointer(void __user *fp, int fplen)
715 -+{
716 -+ if ((((unsigned long) fp) & 15) || !__access_ok((unsigned long)fp, fplen))
717 -+ return true;
718 -+
719 -+ return false;
720 -+}
721 -+
722 - asmlinkage void do_sigreturn(struct pt_regs *regs)
723 - {
724 -+ unsigned long up_psr, pc, npc, ufp;
725 - struct signal_frame __user *sf;
726 -- unsigned long up_psr, pc, npc;
727 - sigset_t set;
728 - __siginfo_fpu_t __user *fpu_save;
729 - __siginfo_rwin_t __user *rwin_save;
730 -@@ -77,10 +89,13 @@ asmlinkage void do_sigreturn(struct pt_regs *regs)
731 - sf = (struct signal_frame __user *) regs->u_regs[UREG_FP];
732 -
733 - /* 1. Make sure we are not getting garbage from the user */
734 -- if (!access_ok(VERIFY_READ, sf, sizeof(*sf)))
735 -+ if (!invalid_frame_pointer(sf, sizeof(*sf)))
736 -+ goto segv_and_exit;
737 -+
738 -+ if (get_user(ufp, &sf->info.si_regs.u_regs[UREG_FP]))
739 - goto segv_and_exit;
740 -
741 -- if (((unsigned long) sf) & 3)
742 -+ if (ufp & 0x7)
743 - goto segv_and_exit;
744 -
745 - err = __get_user(pc, &sf->info.si_regs.pc);
746 -@@ -127,7 +142,7 @@ segv_and_exit:
747 - asmlinkage void do_rt_sigreturn(struct pt_regs *regs)
748 - {
749 - struct rt_signal_frame __user *sf;
750 -- unsigned int psr, pc, npc;
751 -+ unsigned int psr, pc, npc, ufp;
752 - __siginfo_fpu_t __user *fpu_save;
753 - __siginfo_rwin_t __user *rwin_save;
754 - sigset_t set;
755 -@@ -135,8 +150,13 @@ asmlinkage void do_rt_sigreturn(struct pt_regs *regs)
756 -
757 - synchronize_user_stack();
758 - sf = (struct rt_signal_frame __user *) regs->u_regs[UREG_FP];
759 -- if (!access_ok(VERIFY_READ, sf, sizeof(*sf)) ||
760 -- (((unsigned long) sf) & 0x03))
761 -+ if (!invalid_frame_pointer(sf, sizeof(*sf)))
762 -+ goto segv;
763 -+
764 -+ if (get_user(ufp, &sf->regs.u_regs[UREG_FP]))
765 -+ goto segv;
766 -+
767 -+ if (ufp & 0x7)
768 - goto segv;
769 -
770 - err = __get_user(pc, &sf->regs.pc);
771 -@@ -178,15 +198,6 @@ segv:
772 - force_sig(SIGSEGV, current);
773 - }
774 -
775 --/* Checks if the fp is valid */
776 --static inline int invalid_frame_pointer(void __user *fp, int fplen)
777 --{
778 -- if ((((unsigned long) fp) & 7) || !__access_ok((unsigned long)fp, fplen))
779 -- return 1;
780 --
781 -- return 0;
782 --}
783 --
784 - static inline void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs, unsigned long framesize)
785 - {
786 - unsigned long sp = regs->u_regs[UREG_FP];
787 -diff --git a/arch/sparc/kernel/signal_64.c b/arch/sparc/kernel/signal_64.c
788 -index 39aaec1..5ee930c 100644
789 ---- a/arch/sparc/kernel/signal_64.c
790 -+++ b/arch/sparc/kernel/signal_64.c
791 -@@ -234,6 +234,17 @@ do_sigsegv:
792 - goto out;
793 - }
794 -
795 -+/* Checks if the fp is valid. We always build rt signal frames which
796 -+ * are 16-byte aligned, therefore we can always enforce that the
797 -+ * restore frame has that property as well.
798 -+ */
799 -+static bool invalid_frame_pointer(void __user *fp)
800 -+{
801 -+ if (((unsigned long) fp) & 15)
802 -+ return true;
803 -+ return false;
804 -+}
805 -+
806 - struct rt_signal_frame {
807 - struct sparc_stackf ss;
808 - siginfo_t info;
809 -@@ -246,8 +257,8 @@ struct rt_signal_frame {
810 -
811 - void do_rt_sigreturn(struct pt_regs *regs)
812 - {
813 -+ unsigned long tpc, tnpc, tstate, ufp;
814 - struct rt_signal_frame __user *sf;
815 -- unsigned long tpc, tnpc, tstate;
816 - __siginfo_fpu_t __user *fpu_save;
817 - __siginfo_rwin_t __user *rwin_save;
818 - sigset_t set;
819 -@@ -261,10 +272,16 @@ void do_rt_sigreturn(struct pt_regs *regs)
820 - (regs->u_regs [UREG_FP] + STACK_BIAS);
821 -
822 - /* 1. Make sure we are not getting garbage from the user */
823 -- if (((unsigned long) sf) & 3)
824 -+ if (invalid_frame_pointer(sf))
825 -+ goto segv;
826 -+
827 -+ if (get_user(ufp, &sf->regs.u_regs[UREG_FP]))
828 - goto segv;
829 -
830 -- err = get_user(tpc, &sf->regs.tpc);
831 -+ if ((ufp + STACK_BIAS) & 0x7)
832 -+ goto segv;
833 -+
834 -+ err = __get_user(tpc, &sf->regs.tpc);
835 - err |= __get_user(tnpc, &sf->regs.tnpc);
836 - if (test_thread_flag(TIF_32BIT)) {
837 - tpc &= 0xffffffff;
838 -@@ -308,14 +325,6 @@ segv:
839 - force_sig(SIGSEGV, current);
840 - }
841 -
842 --/* Checks if the fp is valid */
843 --static int invalid_frame_pointer(void __user *fp)
844 --{
845 -- if (((unsigned long) fp) & 15)
846 -- return 1;
847 -- return 0;
848 --}
849 --
850 - static inline void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs, unsigned long framesize)
851 - {
852 - unsigned long sp = regs->u_regs[UREG_FP] + STACK_BIAS;
853 -diff --git a/arch/sparc/kernel/sigutil_32.c b/arch/sparc/kernel/sigutil_32.c
854 -index 0f6eebe..e5fe8ce 100644
855 ---- a/arch/sparc/kernel/sigutil_32.c
856 -+++ b/arch/sparc/kernel/sigutil_32.c
857 -@@ -48,6 +48,10 @@ int save_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu)
858 - int restore_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu)
859 - {
860 - int err;
861 -+
862 -+ if (((unsigned long) fpu) & 3)
863 -+ return -EFAULT;
864 -+
865 - #ifdef CONFIG_SMP
866 - if (test_tsk_thread_flag(current, TIF_USEDFPU))
867 - regs->psr &= ~PSR_EF;
868 -@@ -97,7 +101,10 @@ int restore_rwin_state(__siginfo_rwin_t __user *rp)
869 - struct thread_info *t = current_thread_info();
870 - int i, wsaved, err;
871 -
872 -- __get_user(wsaved, &rp->wsaved);
873 -+ if (((unsigned long) rp) & 3)
874 -+ return -EFAULT;
875 -+
876 -+ get_user(wsaved, &rp->wsaved);
877 - if (wsaved > NSWINS)
878 - return -EFAULT;
879 -
880 -diff --git a/arch/sparc/kernel/sigutil_64.c b/arch/sparc/kernel/sigutil_64.c
881 -index 387834a..36aadcb 100644
882 ---- a/arch/sparc/kernel/sigutil_64.c
883 -+++ b/arch/sparc/kernel/sigutil_64.c
884 -@@ -37,7 +37,10 @@ int restore_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu)
885 - unsigned long fprs;
886 - int err;
887 -
888 -- err = __get_user(fprs, &fpu->si_fprs);
889 -+ if (((unsigned long) fpu) & 7)
890 -+ return -EFAULT;
891 -+
892 -+ err = get_user(fprs, &fpu->si_fprs);
893 - fprs_write(0);
894 - regs->tstate &= ~TSTATE_PEF;
895 - if (fprs & FPRS_DL)
896 -@@ -72,7 +75,10 @@ int restore_rwin_state(__siginfo_rwin_t __user *rp)
897 - struct thread_info *t = current_thread_info();
898 - int i, wsaved, err;
899 -
900 -- __get_user(wsaved, &rp->wsaved);
901 -+ if (((unsigned long) rp) & 7)
902 -+ return -EFAULT;
903 -+
904 -+ get_user(wsaved, &rp->wsaved);
905 - if (wsaved > NSWINS)
906 - return -EFAULT;
907 -
908 -diff --git a/arch/sparc/kernel/urtt_fill.S b/arch/sparc/kernel/urtt_fill.S
909 -new file mode 100644
910 -index 0000000..5604a2b
911 ---- /dev/null
912 -+++ b/arch/sparc/kernel/urtt_fill.S
913 -@@ -0,0 +1,98 @@
914 -+#include <asm/thread_info.h>
915 -+#include <asm/trap_block.h>
916 -+#include <asm/spitfire.h>
917 -+#include <asm/ptrace.h>
918 -+#include <asm/head.h>
919 -+
920 -+ .text
921 -+ .align 8
922 -+ .globl user_rtt_fill_fixup_common
923 -+user_rtt_fill_fixup_common:
924 -+ rdpr %cwp, %g1
925 -+ add %g1, 1, %g1
926 -+ wrpr %g1, 0x0, %cwp
927 -+
928 -+ rdpr %wstate, %g2
929 -+ sll %g2, 3, %g2
930 -+ wrpr %g2, 0x0, %wstate
931 -+
932 -+ /* We know %canrestore and %otherwin are both zero. */
933 -+
934 -+ sethi %hi(sparc64_kern_pri_context), %g2
935 -+ ldx [%g2 + %lo(sparc64_kern_pri_context)], %g2
936 -+ mov PRIMARY_CONTEXT, %g1
937 -+
938 -+661: stxa %g2, [%g1] ASI_DMMU
939 -+ .section .sun4v_1insn_patch, "ax"
940 -+ .word 661b
941 -+ stxa %g2, [%g1] ASI_MMU
942 -+ .previous
943 -+
944 -+ sethi %hi(KERNBASE), %g1
945 -+ flush %g1
946 -+
947 -+ mov %g4, %l4
948 -+ mov %g5, %l5
949 -+ brnz,pn %g3, 1f
950 -+ mov %g3, %l3
951 -+
952 -+ or %g4, FAULT_CODE_WINFIXUP, %g4
953 -+ stb %g4, [%g6 + TI_FAULT_CODE]
954 -+ stx %g5, [%g6 + TI_FAULT_ADDR]
955 -+1:
956 -+ mov %g6, %l1
957 -+ wrpr %g0, 0x0, %tl
958 -+
959 -+661: nop
960 -+ .section .sun4v_1insn_patch, "ax"
961 -+ .word 661b
962 -+ SET_GL(0)
963 -+ .previous
964 -+
965 -+ wrpr %g0, RTRAP_PSTATE, %pstate
966 -+
967 -+ mov %l1, %g6
968 -+ ldx [%g6 + TI_TASK], %g4
969 -+ LOAD_PER_CPU_BASE(%g5, %g6, %g1, %g2, %g3)
970 -+
971 -+ brnz,pn %l3, 1f
972 -+ nop
973 -+
974 -+ call do_sparc64_fault
975 -+ add %sp, PTREGS_OFF, %o0
976 -+ ba,pt %xcc, rtrap
977 -+ nop
978 -+
979 -+1: cmp %g3, 2
980 -+ bne,pn %xcc, 2f
981 -+ nop
982 -+
983 -+ sethi %hi(tlb_type), %g1
984 -+ lduw [%g1 + %lo(tlb_type)], %g1
985 -+ cmp %g1, 3
986 -+ bne,pt %icc, 1f
987 -+ add %sp, PTREGS_OFF, %o0
988 -+ mov %l4, %o2
989 -+ call sun4v_do_mna
990 -+ mov %l5, %o1
991 -+ ba,a,pt %xcc, rtrap
992 -+1: mov %l4, %o1
993 -+ mov %l5, %o2
994 -+ call mem_address_unaligned
995 -+ nop
996 -+ ba,a,pt %xcc, rtrap
997 -+
998 -+2: sethi %hi(tlb_type), %g1
999 -+ mov %l4, %o1
1000 -+ lduw [%g1 + %lo(tlb_type)], %g1
1001 -+ mov %l5, %o2
1002 -+ cmp %g1, 3
1003 -+ bne,pt %icc, 1f
1004 -+ add %sp, PTREGS_OFF, %o0
1005 -+ call sun4v_data_access_exception
1006 -+ nop
1007 -+ ba,a,pt %xcc, rtrap
1008 -+
1009 -+1: call spitfire_data_access_exception
1010 -+ nop
1011 -+ ba,a,pt %xcc, rtrap
1012 -diff --git a/arch/sparc/mm/hugetlbpage.c b/arch/sparc/mm/hugetlbpage.c
1013 -index 4977800..ba52e64 100644
1014 ---- a/arch/sparc/mm/hugetlbpage.c
1015 -+++ b/arch/sparc/mm/hugetlbpage.c
1016 -@@ -176,17 +176,31 @@ void set_huge_pte_at(struct mm_struct *mm, unsigned long addr,
1017 - pte_t *ptep, pte_t entry)
1018 - {
1019 - int i;
1020 -+ pte_t orig[2];
1021 -+ unsigned long nptes;
1022 -
1023 - if (!pte_present(*ptep) && pte_present(entry))
1024 - mm->context.huge_pte_count++;
1025 -
1026 - addr &= HPAGE_MASK;
1027 -- for (i = 0; i < (1 << HUGETLB_PAGE_ORDER); i++) {
1028 -- set_pte_at(mm, addr, ptep, entry);
1029 -+
1030 -+ nptes = 1 << HUGETLB_PAGE_ORDER;
1031 -+ orig[0] = *ptep;
1032 -+ orig[1] = *(ptep + nptes / 2);
1033 -+ for (i = 0; i < nptes; i++) {
1034 -+ *ptep = entry;
1035 - ptep++;
1036 - addr += PAGE_SIZE;
1037 - pte_val(entry) += PAGE_SIZE;
1038 - }
1039 -+
1040 -+ /* Issue TLB flush at REAL_HPAGE_SIZE boundaries */
1041 -+ addr -= REAL_HPAGE_SIZE;
1042 -+ ptep -= nptes / 2;
1043 -+ maybe_tlb_batch_add(mm, addr, ptep, orig[1], 0);
1044 -+ addr -= REAL_HPAGE_SIZE;
1045 -+ ptep -= nptes / 2;
1046 -+ maybe_tlb_batch_add(mm, addr, ptep, orig[0], 0);
1047 - }
1048 -
1049 - pte_t huge_ptep_get_and_clear(struct mm_struct *mm, unsigned long addr,
1050 -@@ -194,19 +208,28 @@ pte_t huge_ptep_get_and_clear(struct mm_struct *mm, unsigned long addr,
1051 - {
1052 - pte_t entry;
1053 - int i;
1054 -+ unsigned long nptes;
1055 -
1056 - entry = *ptep;
1057 - if (pte_present(entry))
1058 - mm->context.huge_pte_count--;
1059 -
1060 - addr &= HPAGE_MASK;
1061 --
1062 -- for (i = 0; i < (1 << HUGETLB_PAGE_ORDER); i++) {
1063 -- pte_clear(mm, addr, ptep);
1064 -+ nptes = 1 << HUGETLB_PAGE_ORDER;
1065 -+ for (i = 0; i < nptes; i++) {
1066 -+ *ptep = __pte(0UL);
1067 - addr += PAGE_SIZE;
1068 - ptep++;
1069 - }
1070 -
1071 -+ /* Issue TLB flush at REAL_HPAGE_SIZE boundaries */
1072 -+ addr -= REAL_HPAGE_SIZE;
1073 -+ ptep -= nptes / 2;
1074 -+ maybe_tlb_batch_add(mm, addr, ptep, entry, 0);
1075 -+ addr -= REAL_HPAGE_SIZE;
1076 -+ ptep -= nptes / 2;
1077 -+ maybe_tlb_batch_add(mm, addr, ptep, entry, 0);
1078 -+
1079 - return entry;
1080 - }
1081 -
1082 -diff --git a/arch/sparc/mm/init_64.c b/arch/sparc/mm/init_64.c
1083 -index 09e8388..14bb0d5 100644
1084 ---- a/arch/sparc/mm/init_64.c
1085 -+++ b/arch/sparc/mm/init_64.c
1086 -@@ -324,18 +324,6 @@ static void __update_mmu_tsb_insert(struct mm_struct *mm, unsigned long tsb_inde
1087 - tsb_insert(tsb, tag, tte);
1088 - }
1089 -
1090 --#if defined(CONFIG_HUGETLB_PAGE) || defined(CONFIG_TRANSPARENT_HUGEPAGE)
1091 --static inline bool is_hugetlb_pte(pte_t pte)
1092 --{
1093 -- if ((tlb_type == hypervisor &&
1094 -- (pte_val(pte) & _PAGE_SZALL_4V) == _PAGE_SZHUGE_4V) ||
1095 -- (tlb_type != hypervisor &&
1096 -- (pte_val(pte) & _PAGE_SZALL_4U) == _PAGE_SZHUGE_4U))
1097 -- return true;
1098 -- return false;
1099 --}
1100 --#endif
1101 --
1102 - void update_mmu_cache(struct vm_area_struct *vma, unsigned long address, pte_t *ptep)
1103 - {
1104 - struct mm_struct *mm;
1105 -@@ -2836,9 +2824,10 @@ void hugetlb_setup(struct pt_regs *regs)
1106 - * the Data-TLB for huge pages.
1107 - */
1108 - if (tlb_type == cheetah_plus) {
1109 -+ bool need_context_reload = false;
1110 - unsigned long ctx;
1111 -
1112 -- spin_lock(&ctx_alloc_lock);
1113 -+ spin_lock_irq(&ctx_alloc_lock);
1114 - ctx = mm->context.sparc64_ctx_val;
1115 - ctx &= ~CTX_PGSZ_MASK;
1116 - ctx |= CTX_PGSZ_BASE << CTX_PGSZ0_SHIFT;
1117 -@@ -2857,9 +2846,12 @@ void hugetlb_setup(struct pt_regs *regs)
1118 - * also executing in this address space.
1119 - */
1120 - mm->context.sparc64_ctx_val = ctx;
1121 -- on_each_cpu(context_reload, mm, 0);
1122 -+ need_context_reload = true;
1123 - }
1124 -- spin_unlock(&ctx_alloc_lock);
1125 -+ spin_unlock_irq(&ctx_alloc_lock);
1126 -+
1127 -+ if (need_context_reload)
1128 -+ on_each_cpu(context_reload, mm, 0);
1129 - }
1130 - }
1131 - #endif
1132 -diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c
1133 -index 9df2190..f81cd97 100644
1134 ---- a/arch/sparc/mm/tlb.c
1135 -+++ b/arch/sparc/mm/tlb.c
1136 -@@ -67,7 +67,7 @@ void arch_leave_lazy_mmu_mode(void)
1137 - }
1138 -
1139 - static void tlb_batch_add_one(struct mm_struct *mm, unsigned long vaddr,
1140 -- bool exec)
1141 -+ bool exec, bool huge)
1142 - {
1143 - struct tlb_batch *tb = &get_cpu_var(tlb_batch);
1144 - unsigned long nr;
1145 -@@ -84,13 +84,21 @@ static void tlb_batch_add_one(struct mm_struct *mm, unsigned long vaddr,
1146 - }
1147 -
1148 - if (!tb->active) {
1149 -- flush_tsb_user_page(mm, vaddr);
1150 -+ flush_tsb_user_page(mm, vaddr, huge);
1151 - global_flush_tlb_page(mm, vaddr);
1152 - goto out;
1153 - }
1154 -
1155 -- if (nr == 0)
1156 -+ if (nr == 0) {
1157 - tb->mm = mm;
1158 -+ tb->huge = huge;
1159 -+ }
1160 -+
1161 -+ if (tb->huge != huge) {
1162 -+ flush_tlb_pending();
1163 -+ tb->huge = huge;
1164 -+ nr = 0;
1165 -+ }
1166 -
1167 - tb->vaddrs[nr] = vaddr;
1168 - tb->tlb_nr = ++nr;
1169 -@@ -104,6 +112,8 @@ out:
1170 - void tlb_batch_add(struct mm_struct *mm, unsigned long vaddr,
1171 - pte_t *ptep, pte_t orig, int fullmm)
1172 - {
1173 -+ bool huge = is_hugetlb_pte(orig);
1174 -+
1175 - if (tlb_type != hypervisor &&
1176 - pte_dirty(orig)) {
1177 - unsigned long paddr, pfn = pte_pfn(orig);
1178 -@@ -129,7 +139,7 @@ void tlb_batch_add(struct mm_struct *mm, unsigned long vaddr,
1179 -
1180 - no_cache_flush:
1181 - if (!fullmm)
1182 -- tlb_batch_add_one(mm, vaddr, pte_exec(orig));
1183 -+ tlb_batch_add_one(mm, vaddr, pte_exec(orig), huge);
1184 - }
1185 -
1186 - #ifdef CONFIG_TRANSPARENT_HUGEPAGE
1187 -@@ -145,7 +155,7 @@ static void tlb_batch_pmd_scan(struct mm_struct *mm, unsigned long vaddr,
1188 - if (pte_val(*pte) & _PAGE_VALID) {
1189 - bool exec = pte_exec(*pte);
1190 -
1191 -- tlb_batch_add_one(mm, vaddr, exec);
1192 -+ tlb_batch_add_one(mm, vaddr, exec, false);
1193 - }
1194 - pte++;
1195 - vaddr += PAGE_SIZE;
1196 -@@ -185,8 +195,9 @@ void set_pmd_at(struct mm_struct *mm, unsigned long addr,
1197 - pte_t orig_pte = __pte(pmd_val(orig));
1198 - bool exec = pte_exec(orig_pte);
1199 -
1200 -- tlb_batch_add_one(mm, addr, exec);
1201 -- tlb_batch_add_one(mm, addr + REAL_HPAGE_SIZE, exec);
1202 -+ tlb_batch_add_one(mm, addr, exec, true);
1203 -+ tlb_batch_add_one(mm, addr + REAL_HPAGE_SIZE, exec,
1204 -+ true);
1205 - } else {
1206 - tlb_batch_pmd_scan(mm, addr, orig);
1207 - }
1208 -diff --git a/arch/sparc/mm/tsb.c b/arch/sparc/mm/tsb.c
1209 -index a065766..a0604a4 100644
1210 ---- a/arch/sparc/mm/tsb.c
1211 -+++ b/arch/sparc/mm/tsb.c
1212 -@@ -76,14 +76,15 @@ void flush_tsb_user(struct tlb_batch *tb)
1213 -
1214 - spin_lock_irqsave(&mm->context.lock, flags);
1215 -
1216 -- base = (unsigned long) mm->context.tsb_block[MM_TSB_BASE].tsb;
1217 -- nentries = mm->context.tsb_block[MM_TSB_BASE].tsb_nentries;
1218 -- if (tlb_type == cheetah_plus || tlb_type == hypervisor)
1219 -- base = __pa(base);
1220 -- __flush_tsb_one(tb, PAGE_SHIFT, base, nentries);
1221 --
1222 -+ if (!tb->huge) {
1223 -+ base = (unsigned long) mm->context.tsb_block[MM_TSB_BASE].tsb;
1224 -+ nentries = mm->context.tsb_block[MM_TSB_BASE].tsb_nentries;
1225 -+ if (tlb_type == cheetah_plus || tlb_type == hypervisor)
1226 -+ base = __pa(base);
1227 -+ __flush_tsb_one(tb, PAGE_SHIFT, base, nentries);
1228 -+ }
1229 - #if defined(CONFIG_HUGETLB_PAGE) || defined(CONFIG_TRANSPARENT_HUGEPAGE)
1230 -- if (mm->context.tsb_block[MM_TSB_HUGE].tsb) {
1231 -+ if (tb->huge && mm->context.tsb_block[MM_TSB_HUGE].tsb) {
1232 - base = (unsigned long) mm->context.tsb_block[MM_TSB_HUGE].tsb;
1233 - nentries = mm->context.tsb_block[MM_TSB_HUGE].tsb_nentries;
1234 - if (tlb_type == cheetah_plus || tlb_type == hypervisor)
1235 -@@ -94,20 +95,21 @@ void flush_tsb_user(struct tlb_batch *tb)
1236 - spin_unlock_irqrestore(&mm->context.lock, flags);
1237 - }
1238 -
1239 --void flush_tsb_user_page(struct mm_struct *mm, unsigned long vaddr)
1240 -+void flush_tsb_user_page(struct mm_struct *mm, unsigned long vaddr, bool huge)
1241 - {
1242 - unsigned long nentries, base, flags;
1243 -
1244 - spin_lock_irqsave(&mm->context.lock, flags);
1245 -
1246 -- base = (unsigned long) mm->context.tsb_block[MM_TSB_BASE].tsb;
1247 -- nentries = mm->context.tsb_block[MM_TSB_BASE].tsb_nentries;
1248 -- if (tlb_type == cheetah_plus || tlb_type == hypervisor)
1249 -- base = __pa(base);
1250 -- __flush_tsb_one_entry(base, vaddr, PAGE_SHIFT, nentries);
1251 --
1252 -+ if (!huge) {
1253 -+ base = (unsigned long) mm->context.tsb_block[MM_TSB_BASE].tsb;
1254 -+ nentries = mm->context.tsb_block[MM_TSB_BASE].tsb_nentries;
1255 -+ if (tlb_type == cheetah_plus || tlb_type == hypervisor)
1256 -+ base = __pa(base);
1257 -+ __flush_tsb_one_entry(base, vaddr, PAGE_SHIFT, nentries);
1258 -+ }
1259 - #if defined(CONFIG_HUGETLB_PAGE) || defined(CONFIG_TRANSPARENT_HUGEPAGE)
1260 -- if (mm->context.tsb_block[MM_TSB_HUGE].tsb) {
1261 -+ if (huge && mm->context.tsb_block[MM_TSB_HUGE].tsb) {
1262 - base = (unsigned long) mm->context.tsb_block[MM_TSB_HUGE].tsb;
1263 - nentries = mm->context.tsb_block[MM_TSB_HUGE].tsb_nentries;
1264 - if (tlb_type == cheetah_plus || tlb_type == hypervisor)
1265 -diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
1266 -index 06cbe25..87bd6b6 100644
1267 ---- a/arch/x86/kernel/traps.c
1268 -+++ b/arch/x86/kernel/traps.c
1269 -@@ -95,6 +95,12 @@ static inline void cond_local_irq_disable(struct pt_regs *regs)
1270 - local_irq_disable();
1271 - }
1272 -
1273 -+/*
1274 -+ * In IST context, we explicitly disable preemption. This serves two
1275 -+ * purposes: it makes it much less likely that we would accidentally
1276 -+ * schedule in IST context and it will force a warning if we somehow
1277 -+ * manage to schedule by accident.
1278 -+ */
1279 - void ist_enter(struct pt_regs *regs)
1280 - {
1281 - if (user_mode(regs)) {
1282 -@@ -109,13 +115,7 @@ void ist_enter(struct pt_regs *regs)
1283 - rcu_nmi_enter();
1284 - }
1285 -
1286 -- /*
1287 -- * We are atomic because we're on the IST stack; or we're on
1288 -- * x86_32, in which case we still shouldn't schedule; or we're
1289 -- * on x86_64 and entered from user mode, in which case we're
1290 -- * still atomic unless ist_begin_non_atomic is called.
1291 -- */
1292 -- preempt_count_add(HARDIRQ_OFFSET);
1293 -+ preempt_disable();
1294 -
1295 - /* This code is a bit fragile. Test it. */
1296 - RCU_LOCKDEP_WARN(!rcu_is_watching(), "ist_enter didn't work");
1297 -@@ -123,7 +123,7 @@ void ist_enter(struct pt_regs *regs)
1298 -
1299 - void ist_exit(struct pt_regs *regs)
1300 - {
1301 -- preempt_count_sub(HARDIRQ_OFFSET);
1302 -+ preempt_enable_no_resched();
1303 -
1304 - if (!user_mode(regs))
1305 - rcu_nmi_exit();
1306 -@@ -154,7 +154,7 @@ void ist_begin_non_atomic(struct pt_regs *regs)
1307 - BUG_ON((unsigned long)(current_top_of_stack() -
1308 - current_stack_pointer()) >= THREAD_SIZE);
1309 -
1310 -- preempt_count_sub(HARDIRQ_OFFSET);
1311 -+ preempt_enable_no_resched();
1312 - }
1313 -
1314 - /**
1315 -@@ -164,7 +164,7 @@ void ist_begin_non_atomic(struct pt_regs *regs)
1316 - */
1317 - void ist_end_non_atomic(void)
1318 - {
1319 -- preempt_count_add(HARDIRQ_OFFSET);
1320 -+ preempt_disable();
1321 - }
1322 -
1323 - static nokprobe_inline int
1324 -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
1325 -index 9b7798c..6b9701b 100644
1326 ---- a/arch/x86/kvm/x86.c
1327 -+++ b/arch/x86/kvm/x86.c
1328 -@@ -3032,6 +3032,11 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu,
1329 - if (dbgregs->flags)
1330 - return -EINVAL;
1331 -
1332 -+ if (dbgregs->dr6 & ~0xffffffffull)
1333 -+ return -EINVAL;
1334 -+ if (dbgregs->dr7 & ~0xffffffffull)
1335 -+ return -EINVAL;
1336 -+
1337 - memcpy(vcpu->arch.db, dbgregs->db, sizeof(vcpu->arch.db));
1338 - kvm_update_dr0123(vcpu);
1339 - vcpu->arch.dr6 = dbgregs->dr6;
1340 -diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
1341 -index 91a7e04..477cbf39 100644
1342 ---- a/crypto/asymmetric_keys/Kconfig
1343 -+++ b/crypto/asymmetric_keys/Kconfig
1344 -@@ -13,6 +13,7 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
1345 - tristate "Asymmetric public-key crypto algorithm subtype"
1346 - select MPILIB
1347 - select CRYPTO_HASH_INFO
1348 -+ select CRYPTO_AKCIPHER
1349 - help
1350 - This option provides support for asymmetric public key type handling.
1351 - If signature generation and/or verification are to be used,
1352 -diff --git a/drivers/crypto/ccp/ccp-crypto-aes-xts.c b/drivers/crypto/ccp/ccp-crypto-aes-xts.c
1353 -index 52c7395..0d0d452 100644
1354 ---- a/drivers/crypto/ccp/ccp-crypto-aes-xts.c
1355 -+++ b/drivers/crypto/ccp/ccp-crypto-aes-xts.c
1356 -@@ -122,6 +122,7 @@ static int ccp_aes_xts_crypt(struct ablkcipher_request *req,
1357 - struct ccp_ctx *ctx = crypto_tfm_ctx(req->base.tfm);
1358 - struct ccp_aes_req_ctx *rctx = ablkcipher_request_ctx(req);
1359 - unsigned int unit;
1360 -+ u32 unit_size;
1361 - int ret;
1362 -
1363 - if (!ctx->u.aes.key_len)
1364 -@@ -133,11 +134,17 @@ static int ccp_aes_xts_crypt(struct ablkcipher_request *req,
1365 - if (!req->info)
1366 - return -EINVAL;
1367 -
1368 -- for (unit = 0; unit < ARRAY_SIZE(unit_size_map); unit++)
1369 -- if (!(req->nbytes & (unit_size_map[unit].size - 1)))
1370 -- break;
1371 -+ unit_size = CCP_XTS_AES_UNIT_SIZE__LAST;
1372 -+ if (req->nbytes <= unit_size_map[0].size) {
1373 -+ for (unit = 0; unit < ARRAY_SIZE(unit_size_map); unit++) {
1374 -+ if (!(req->nbytes & (unit_size_map[unit].size - 1))) {
1375 -+ unit_size = unit_size_map[unit].value;
1376 -+ break;
1377 -+ }
1378 -+ }
1379 -+ }
1380 -
1381 -- if ((unit_size_map[unit].value == CCP_XTS_AES_UNIT_SIZE__LAST) ||
1382 -+ if ((unit_size == CCP_XTS_AES_UNIT_SIZE__LAST) ||
1383 - (ctx->u.aes.key_len != AES_KEYSIZE_128)) {
1384 - /* Use the fallback to process the request for any
1385 - * unsupported unit sizes or key sizes
1386 -@@ -158,7 +165,7 @@ static int ccp_aes_xts_crypt(struct ablkcipher_request *req,
1387 - rctx->cmd.engine = CCP_ENGINE_XTS_AES_128;
1388 - rctx->cmd.u.xts.action = (encrypt) ? CCP_AES_ACTION_ENCRYPT
1389 - : CCP_AES_ACTION_DECRYPT;
1390 -- rctx->cmd.u.xts.unit_size = unit_size_map[unit].value;
1391 -+ rctx->cmd.u.xts.unit_size = unit_size;
1392 - rctx->cmd.u.xts.key = &ctx->u.aes.key_sg;
1393 - rctx->cmd.u.xts.key_len = ctx->u.aes.key_len;
1394 - rctx->cmd.u.xts.iv = &rctx->iv_sg;
1395 -diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c
1396 -index 2fd38d5..3c5e832 100644
1397 ---- a/drivers/gpio/gpio-bcm-kona.c
1398 -+++ b/drivers/gpio/gpio-bcm-kona.c
1399 -@@ -546,11 +546,11 @@ static void bcm_kona_gpio_reset(struct bcm_kona_gpio *kona_gpio)
1400 - /* disable interrupts and clear status */
1401 - for (i = 0; i < kona_gpio->num_bank; i++) {
1402 - /* Unlock the entire bank first */
1403 -- bcm_kona_gpio_write_lock_regs(kona_gpio, i, UNLOCK_CODE);
1404 -+ bcm_kona_gpio_write_lock_regs(reg_base, i, UNLOCK_CODE);
1405 - writel(0xffffffff, reg_base + GPIO_INT_MASK(i));
1406 - writel(0xffffffff, reg_base + GPIO_INT_STATUS(i));
1407 - /* Now re-lock the bank */
1408 -- bcm_kona_gpio_write_lock_regs(kona_gpio, i, LOCK_CODE);
1409 -+ bcm_kona_gpio_write_lock_regs(reg_base, i, LOCK_CODE);
1410 - }
1411 - }
1412 -
1413 -diff --git a/drivers/gpio/gpio-zynq.c b/drivers/gpio/gpio-zynq.c
1414 -index 66d3d24..e72794e 100644
1415 ---- a/drivers/gpio/gpio-zynq.c
1416 -+++ b/drivers/gpio/gpio-zynq.c
1417 -@@ -709,11 +709,17 @@ static int zynq_gpio_probe(struct platform_device *pdev)
1418 - dev_err(&pdev->dev, "input clock not found.\n");
1419 - return PTR_ERR(gpio->clk);
1420 - }
1421 -+ ret = clk_prepare_enable(gpio->clk);
1422 -+ if (ret) {
1423 -+ dev_err(&pdev->dev, "Unable to enable clock.\n");
1424 -+ return ret;
1425 -+ }
1426 -
1427 -+ pm_runtime_set_active(&pdev->dev);
1428 - pm_runtime_enable(&pdev->dev);
1429 - ret = pm_runtime_get_sync(&pdev->dev);
1430 - if (ret < 0)
1431 -- return ret;
1432 -+ goto err_pm_dis;
1433 -
1434 - /* report a bug if gpio chip registration fails */
1435 - ret = gpiochip_add_data(chip, gpio);
1436 -@@ -745,6 +751,9 @@ err_rm_gpiochip:
1437 - gpiochip_remove(chip);
1438 - err_pm_put:
1439 - pm_runtime_put(&pdev->dev);
1440 -+err_pm_dis:
1441 -+ pm_runtime_disable(&pdev->dev);
1442 -+ clk_disable_unprepare(gpio->clk);
1443 -
1444 - return ret;
1445 - }
1446 -diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
1447 -index b747c76..cf3e712 100644
1448 ---- a/drivers/gpio/gpiolib.c
1449 -+++ b/drivers/gpio/gpiolib.c
1450 -@@ -438,7 +438,6 @@ static void gpiodevice_release(struct device *dev)
1451 - {
1452 - struct gpio_device *gdev = dev_get_drvdata(dev);
1453 -
1454 -- cdev_del(&gdev->chrdev);
1455 - list_del(&gdev->list);
1456 - ida_simple_remove(&gpio_ida, gdev->id);
1457 - kfree(gdev->label);
1458 -@@ -471,7 +470,6 @@ static int gpiochip_setup_dev(struct gpio_device *gdev)
1459 -
1460 - /* From this point, the .release() function cleans up gpio_device */
1461 - gdev->dev.release = gpiodevice_release;
1462 -- get_device(&gdev->dev);
1463 - pr_debug("%s: registered GPIOs %d to %d on device: %s (%s)\n",
1464 - __func__, gdev->base, gdev->base + gdev->ngpio - 1,
1465 - dev_name(&gdev->dev), gdev->chip->label ? : "generic");
1466 -@@ -742,6 +740,8 @@ void gpiochip_remove(struct gpio_chip *chip)
1467 - * be removed, else it will be dangling until the last user is
1468 - * gone.
1469 - */
1470 -+ cdev_del(&gdev->chrdev);
1471 -+ device_del(&gdev->dev);
1472 - put_device(&gdev->dev);
1473 - }
1474 - EXPORT_SYMBOL_GPL(gpiochip_remove);
1475 -@@ -841,7 +841,7 @@ struct gpio_chip *gpiochip_find(void *data,
1476 -
1477 - spin_lock_irqsave(&gpio_lock, flags);
1478 - list_for_each_entry(gdev, &gpio_devices, list)
1479 -- if (match(gdev->chip, data))
1480 -+ if (gdev->chip && match(gdev->chip, data))
1481 - break;
1482 -
1483 - /* No match? */
1484 -@@ -1339,10 +1339,13 @@ done:
1485 - /*
1486 - * This descriptor validation needs to be inserted verbatim into each
1487 - * function taking a descriptor, so we need to use a preprocessor
1488 -- * macro to avoid endless duplication.
1489 -+ * macro to avoid endless duplication. If the desc is NULL it is an
1490 -+ * optional GPIO and calls should just bail out.
1491 - */
1492 - #define VALIDATE_DESC(desc) do { \
1493 -- if (!desc || !desc->gdev) { \
1494 -+ if (!desc) \
1495 -+ return 0; \
1496 -+ if (!desc->gdev) { \
1497 - pr_warn("%s: invalid GPIO\n", __func__); \
1498 - return -EINVAL; \
1499 - } \
1500 -@@ -1353,7 +1356,9 @@ done:
1501 - } } while (0)
1502 -
1503 - #define VALIDATE_DESC_VOID(desc) do { \
1504 -- if (!desc || !desc->gdev) { \
1505 -+ if (!desc) \
1506 -+ return; \
1507 -+ if (!desc->gdev) { \
1508 - pr_warn("%s: invalid GPIO\n", __func__); \
1509 - return; \
1510 - } \
1511 -@@ -2001,7 +2006,14 @@ int gpiod_to_irq(const struct gpio_desc *desc)
1512 - struct gpio_chip *chip;
1513 - int offset;
1514 -
1515 -- VALIDATE_DESC(desc);
1516 -+ /*
1517 -+ * Cannot VALIDATE_DESC() here as gpiod_to_irq() consumer semantics
1518 -+ * requires this function to not return zero on an invalid descriptor
1519 -+ * but rather a negative error number.
1520 -+ */
1521 -+ if (!desc || !desc->gdev || !desc->gdev->chip)
1522 -+ return -EINVAL;
1523 -+
1524 - chip = desc->gdev->chip;
1525 - offset = gpio_chip_hwgpio(desc);
1526 - return chip->to_irq ? chip->to_irq(chip, offset) : -ENXIO;
1527 -diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
1528 -index e08f962..f30de80 100644
1529 ---- a/drivers/gpu/drm/drm_crtc.c
1530 -+++ b/drivers/gpu/drm/drm_crtc.c
1531 -@@ -3434,6 +3434,24 @@ int drm_mode_addfb2(struct drm_device *dev,
1532 - return 0;
1533 - }
1534 -
1535 -+struct drm_mode_rmfb_work {
1536 -+ struct work_struct work;
1537 -+ struct list_head fbs;
1538 -+};
1539 -+
1540 -+static void drm_mode_rmfb_work_fn(struct work_struct *w)
1541 -+{
1542 -+ struct drm_mode_rmfb_work *arg = container_of(w, typeof(*arg), work);
1543 -+
1544 -+ while (!list_empty(&arg->fbs)) {
1545 -+ struct drm_framebuffer *fb =
1546 -+ list_first_entry(&arg->fbs, typeof(*fb), filp_head);
1547 -+
1548 -+ list_del_init(&fb->filp_head);
1549 -+ drm_framebuffer_remove(fb);
1550 -+ }
1551 -+}
1552 -+
1553 - /**
1554 - * drm_mode_rmfb - remove an FB from the configuration
1555 - * @dev: drm device for the ioctl
1556 -@@ -3474,7 +3492,25 @@ int drm_mode_rmfb(struct drm_device *dev,
1557 - mutex_unlock(&dev->mode_config.fb_lock);
1558 - mutex_unlock(&file_priv->fbs_lock);
1559 -
1560 -- drm_framebuffer_unreference(fb);
1561 -+ /*
1562 -+ * we now own the reference that was stored in the fbs list
1563 -+ *
1564 -+ * drm_framebuffer_remove may fail with -EINTR on pending signals,
1565 -+ * so run this in a separate stack as there's no way to correctly
1566 -+ * handle this after the fb is already removed from the lookup table.
1567 -+ */
1568 -+ if (atomic_read(&fb->refcount.refcount) > 1) {
1569 -+ struct drm_mode_rmfb_work arg;
1570 -+
1571 -+ INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
1572 -+ INIT_LIST_HEAD(&arg.fbs);
1573 -+ list_add_tail(&fb->filp_head, &arg.fbs);
1574 -+
1575 -+ schedule_work(&arg.work);
1576 -+ flush_work(&arg.work);
1577 -+ destroy_work_on_stack(&arg.work);
1578 -+ } else
1579 -+ drm_framebuffer_unreference(fb);
1580 -
1581 - return 0;
1582 -
1583 -@@ -3627,7 +3663,6 @@ out_err1:
1584 - return ret;
1585 - }
1586 -
1587 --
1588 - /**
1589 - * drm_fb_release - remove and free the FBs on this file
1590 - * @priv: drm file for the ioctl
1591 -@@ -3642,6 +3677,9 @@ out_err1:
1592 - void drm_fb_release(struct drm_file *priv)
1593 - {
1594 - struct drm_framebuffer *fb, *tfb;
1595 -+ struct drm_mode_rmfb_work arg;
1596 -+
1597 -+ INIT_LIST_HEAD(&arg.fbs);
1598 -
1599 - /*
1600 - * When the file gets released that means no one else can access the fb
1601 -@@ -3654,10 +3692,22 @@ void drm_fb_release(struct drm_file *priv)
1602 - * at it any more.
1603 - */
1604 - list_for_each_entry_safe(fb, tfb, &priv->fbs, filp_head) {
1605 -- list_del_init(&fb->filp_head);
1606 -+ if (atomic_read(&fb->refcount.refcount) > 1) {
1607 -+ list_move_tail(&fb->filp_head, &arg.fbs);
1608 -+ } else {
1609 -+ list_del_init(&fb->filp_head);
1610 -
1611 -- /* This drops the fpriv->fbs reference. */
1612 -- drm_framebuffer_unreference(fb);
1613 -+ /* This drops the fpriv->fbs reference. */
1614 -+ drm_framebuffer_unreference(fb);
1615 -+ }
1616 -+ }
1617 -+
1618 -+ if (!list_empty(&arg.fbs)) {
1619 -+ INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
1620 -+
1621 -+ schedule_work(&arg.work);
1622 -+ flush_work(&arg.work);
1623 -+ destroy_work_on_stack(&arg.work);
1624 - }
1625 - }
1626 -
1627 -diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
1628 -index 1c21220..d1a46ef 100644
1629 ---- a/drivers/gpu/drm/i915/i915_irq.c
1630 -+++ b/drivers/gpu/drm/i915/i915_irq.c
1631 -@@ -1829,7 +1829,7 @@ static irqreturn_t cherryview_irq_handler(int irq, void *arg)
1632 - /* IRQs are synced during runtime_suspend, we don't require a wakeref */
1633 - disable_rpm_wakeref_asserts(dev_priv);
1634 -
1635 -- do {
1636 -+ for (;;) {
1637 - master_ctl = I915_READ(GEN8_MASTER_IRQ) & ~GEN8_MASTER_IRQ_CONTROL;
1638 - iir = I915_READ(VLV_IIR);
1639 -
1640 -@@ -1857,7 +1857,7 @@ static irqreturn_t cherryview_irq_handler(int irq, void *arg)
1641 -
1642 - I915_WRITE(GEN8_MASTER_IRQ, DE_MASTER_IRQ_CONTROL);
1643 - POSTING_READ(GEN8_MASTER_IRQ);
1644 -- } while (0);
1645 -+ }
1646 -
1647 - enable_rpm_wakeref_asserts(dev_priv);
1648 -
1649 -diff --git a/drivers/net/ethernet/atheros/alx/alx.h b/drivers/net/ethernet/atheros/alx/alx.h
1650 -index 8fc93c5..d02c424 100644
1651 ---- a/drivers/net/ethernet/atheros/alx/alx.h
1652 -+++ b/drivers/net/ethernet/atheros/alx/alx.h
1653 -@@ -96,6 +96,10 @@ struct alx_priv {
1654 - unsigned int rx_ringsz;
1655 - unsigned int rxbuf_size;
1656 -
1657 -+ struct page *rx_page;
1658 -+ unsigned int rx_page_offset;
1659 -+ unsigned int rx_frag_size;
1660 -+
1661 - struct napi_struct napi;
1662 - struct alx_tx_queue txq;
1663 - struct alx_rx_queue rxq;
1664 -diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c
1665 -index 55b118e..8611811 100644
1666 ---- a/drivers/net/ethernet/atheros/alx/main.c
1667 -+++ b/drivers/net/ethernet/atheros/alx/main.c
1668 -@@ -70,6 +70,35 @@ static void alx_free_txbuf(struct alx_priv *alx, int entry)
1669 - }
1670 - }
1671 -
1672 -+static struct sk_buff *alx_alloc_skb(struct alx_priv *alx, gfp_t gfp)
1673 -+{
1674 -+ struct sk_buff *skb;
1675 -+ struct page *page;
1676 -+
1677 -+ if (alx->rx_frag_size > PAGE_SIZE)
1678 -+ return __netdev_alloc_skb(alx->dev, alx->rxbuf_size, gfp);
1679 -+
1680 -+ page = alx->rx_page;
1681 -+ if (!page) {
1682 -+ alx->rx_page = page = alloc_page(gfp);
1683 -+ if (unlikely(!page))
1684 -+ return NULL;
1685 -+ alx->rx_page_offset = 0;
1686 -+ }
1687 -+
1688 -+ skb = build_skb(page_address(page) + alx->rx_page_offset,
1689 -+ alx->rx_frag_size);
1690 -+ if (likely(skb)) {
1691 -+ alx->rx_page_offset += alx->rx_frag_size;
1692 -+ if (alx->rx_page_offset >= PAGE_SIZE)
1693 -+ alx->rx_page = NULL;
1694 -+ else
1695 -+ get_page(page);
1696 -+ }
1697 -+ return skb;
1698 -+}
1699 -+
1700 -+
1701 - static int alx_refill_rx_ring(struct alx_priv *alx, gfp_t gfp)
1702 - {
1703 - struct alx_rx_queue *rxq = &alx->rxq;
1704 -@@ -86,7 +115,7 @@ static int alx_refill_rx_ring(struct alx_priv *alx, gfp_t gfp)
1705 - while (!cur_buf->skb && next != rxq->read_idx) {
1706 - struct alx_rfd *rfd = &rxq->rfd[cur];
1707 -
1708 -- skb = __netdev_alloc_skb(alx->dev, alx->rxbuf_size, gfp);
1709 -+ skb = alx_alloc_skb(alx, gfp);
1710 - if (!skb)
1711 - break;
1712 - dma = dma_map_single(&alx->hw.pdev->dev,
1713 -@@ -124,6 +153,7 @@ static int alx_refill_rx_ring(struct alx_priv *alx, gfp_t gfp)
1714 - alx_write_mem16(&alx->hw, ALX_RFD_PIDX, cur);
1715 - }
1716 -
1717 -+
1718 - return count;
1719 - }
1720 -
1721 -@@ -592,6 +622,11 @@ static void alx_free_rings(struct alx_priv *alx)
1722 - kfree(alx->txq.bufs);
1723 - kfree(alx->rxq.bufs);
1724 -
1725 -+ if (alx->rx_page) {
1726 -+ put_page(alx->rx_page);
1727 -+ alx->rx_page = NULL;
1728 -+ }
1729 -+
1730 - dma_free_coherent(&alx->hw.pdev->dev,
1731 - alx->descmem.size,
1732 - alx->descmem.virt,
1733 -@@ -646,6 +681,7 @@ static int alx_request_irq(struct alx_priv *alx)
1734 - alx->dev->name, alx);
1735 - if (!err)
1736 - goto out;
1737 -+
1738 - /* fall back to legacy interrupt */
1739 - pci_disable_msi(alx->hw.pdev);
1740 - }
1741 -@@ -689,6 +725,7 @@ static int alx_init_sw(struct alx_priv *alx)
1742 - struct pci_dev *pdev = alx->hw.pdev;
1743 - struct alx_hw *hw = &alx->hw;
1744 - int err;
1745 -+ unsigned int head_size;
1746 -
1747 - err = alx_identify_hw(alx);
1748 - if (err) {
1749 -@@ -704,7 +741,12 @@ static int alx_init_sw(struct alx_priv *alx)
1750 -
1751 - hw->smb_timer = 400;
1752 - hw->mtu = alx->dev->mtu;
1753 -+
1754 - alx->rxbuf_size = ALX_MAX_FRAME_LEN(hw->mtu);
1755 -+ head_size = SKB_DATA_ALIGN(alx->rxbuf_size + NET_SKB_PAD) +
1756 -+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
1757 -+ alx->rx_frag_size = roundup_pow_of_two(head_size);
1758 -+
1759 - alx->tx_ringsz = 256;
1760 - alx->rx_ringsz = 512;
1761 - hw->imt = 200;
1762 -@@ -806,6 +848,7 @@ static int alx_change_mtu(struct net_device *netdev, int mtu)
1763 - {
1764 - struct alx_priv *alx = netdev_priv(netdev);
1765 - int max_frame = ALX_MAX_FRAME_LEN(mtu);
1766 -+ unsigned int head_size;
1767 -
1768 - if ((max_frame < ALX_MIN_FRAME_SIZE) ||
1769 - (max_frame > ALX_MAX_FRAME_SIZE))
1770 -@@ -817,6 +860,9 @@ static int alx_change_mtu(struct net_device *netdev, int mtu)
1771 - netdev->mtu = mtu;
1772 - alx->hw.mtu = mtu;
1773 - alx->rxbuf_size = max(max_frame, ALX_DEF_RXBUF_SIZE);
1774 -+ head_size = SKB_DATA_ALIGN(alx->rxbuf_size + NET_SKB_PAD) +
1775 -+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
1776 -+ alx->rx_frag_size = roundup_pow_of_two(head_size);
1777 - netdev_update_features(netdev);
1778 - if (netif_running(netdev))
1779 - alx_reinit(alx);
1780 -diff --git a/drivers/net/ethernet/ezchip/nps_enet.c b/drivers/net/ethernet/ezchip/nps_enet.c
1781 -index 085f912..06f0317 100644
1782 ---- a/drivers/net/ethernet/ezchip/nps_enet.c
1783 -+++ b/drivers/net/ethernet/ezchip/nps_enet.c
1784 -@@ -205,8 +205,10 @@ static int nps_enet_poll(struct napi_struct *napi, int budget)
1785 - * re-adding ourselves to the poll list.
1786 - */
1787 -
1788 -- if (priv->tx_skb && !tx_ctrl_ct)
1789 -+ if (priv->tx_skb && !tx_ctrl_ct) {
1790 -+ nps_enet_reg_set(priv, NPS_ENET_REG_BUF_INT_ENABLE, 0);
1791 - napi_reschedule(napi);
1792 -+ }
1793 - }
1794 -
1795 - return work_done;
1796 -diff --git a/drivers/net/ethernet/marvell/mvneta_bm.c b/drivers/net/ethernet/marvell/mvneta_bm.c
1797 -index 01fccec..466939f 100644
1798 ---- a/drivers/net/ethernet/marvell/mvneta_bm.c
1799 -+++ b/drivers/net/ethernet/marvell/mvneta_bm.c
1800 -@@ -189,6 +189,7 @@ struct mvneta_bm_pool *mvneta_bm_pool_use(struct mvneta_bm *priv, u8 pool_id,
1801 - SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
1802 - hwbm_pool->construct = mvneta_bm_construct;
1803 - hwbm_pool->priv = new_pool;
1804 -+ spin_lock_init(&hwbm_pool->lock);
1805 -
1806 - /* Create new pool */
1807 - err = mvneta_bm_pool_create(priv, new_pool);
1808 -diff --git a/drivers/net/ethernet/rocker/rocker_ofdpa.c b/drivers/net/ethernet/rocker/rocker_ofdpa.c
1809 -index 0e758bc..1ca7963 100644
1810 ---- a/drivers/net/ethernet/rocker/rocker_ofdpa.c
1811 -+++ b/drivers/net/ethernet/rocker/rocker_ofdpa.c
1812 -@@ -2727,7 +2727,7 @@ static int ofdpa_port_obj_fib4_add(struct rocker_port *rocker_port,
1813 -
1814 - return ofdpa_port_fib_ipv4(ofdpa_port, trans,
1815 - htonl(fib4->dst), fib4->dst_len,
1816 -- &fib4->fi, fib4->tb_id, 0);
1817 -+ fib4->fi, fib4->tb_id, 0);
1818 - }
1819 -
1820 - static int ofdpa_port_obj_fib4_del(struct rocker_port *rocker_port,
1821 -@@ -2737,7 +2737,7 @@ static int ofdpa_port_obj_fib4_del(struct rocker_port *rocker_port,
1822 -
1823 - return ofdpa_port_fib_ipv4(ofdpa_port, NULL,
1824 - htonl(fib4->dst), fib4->dst_len,
1825 -- &fib4->fi, fib4->tb_id,
1826 -+ fib4->fi, fib4->tb_id,
1827 - OFDPA_OP_FLAG_REMOVE);
1828 - }
1829 -
1830 -diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c
1831 -index 1681084..1f30912 100644
1832 ---- a/drivers/net/ethernet/sfc/ef10.c
1833 -+++ b/drivers/net/ethernet/sfc/ef10.c
1834 -@@ -619,6 +619,17 @@ fail:
1835 - return rc;
1836 - }
1837 -
1838 -+static void efx_ef10_forget_old_piobufs(struct efx_nic *efx)
1839 -+{
1840 -+ struct efx_channel *channel;
1841 -+ struct efx_tx_queue *tx_queue;
1842 -+
1843 -+ /* All our existing PIO buffers went away */
1844 -+ efx_for_each_channel(channel, efx)
1845 -+ efx_for_each_channel_tx_queue(tx_queue, channel)
1846 -+ tx_queue->piobuf = NULL;
1847 -+}
1848 -+
1849 - #else /* !EFX_USE_PIO */
1850 -
1851 - static int efx_ef10_alloc_piobufs(struct efx_nic *efx, unsigned int n)
1852 -@@ -635,6 +646,10 @@ static void efx_ef10_free_piobufs(struct efx_nic *efx)
1853 - {
1854 - }
1855 -
1856 -+static void efx_ef10_forget_old_piobufs(struct efx_nic *efx)
1857 -+{
1858 -+}
1859 -+
1860 - #endif /* EFX_USE_PIO */
1861 -
1862 - static void efx_ef10_remove(struct efx_nic *efx)
1863 -@@ -1018,6 +1033,7 @@ static void efx_ef10_reset_mc_allocations(struct efx_nic *efx)
1864 - nic_data->must_realloc_vis = true;
1865 - nic_data->must_restore_filters = true;
1866 - nic_data->must_restore_piobufs = true;
1867 -+ efx_ef10_forget_old_piobufs(efx);
1868 - nic_data->rx_rss_context = EFX_EF10_RSS_CONTEXT_INVALID;
1869 -
1870 - /* Driver-created vswitches and vports must be re-created */
1871 -diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
1872 -index 06704ca..8683a21 100644
1873 ---- a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
1874 -+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
1875 -@@ -209,7 +209,7 @@ int stmmac_mdio_register(struct net_device *ndev)
1876 - return -ENOMEM;
1877 -
1878 - if (mdio_bus_data->irqs)
1879 -- memcpy(new_bus->irq, mdio_bus_data, sizeof(new_bus->irq));
1880 -+ memcpy(new_bus->irq, mdio_bus_data->irqs, sizeof(new_bus->irq));
1881 -
1882 - #ifdef CONFIG_OF
1883 - if (priv->device->of_node)
1884 -diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
1885 -index 7b0a644..9fcb489 100644
1886 ---- a/drivers/net/geneve.c
1887 -+++ b/drivers/net/geneve.c
1888 -@@ -336,15 +336,15 @@ static int geneve_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
1889 -
1890 - /* Need Geneve and inner Ethernet header to be present */
1891 - if (unlikely(!pskb_may_pull(skb, GENEVE_BASE_HLEN)))
1892 -- goto error;
1893 -+ goto drop;
1894 -
1895 - /* Return packets with reserved bits set */
1896 - geneveh = geneve_hdr(skb);
1897 - if (unlikely(geneveh->ver != GENEVE_VER))
1898 -- goto error;
1899 -+ goto drop;
1900 -
1901 - if (unlikely(geneveh->proto_type != htons(ETH_P_TEB)))
1902 -- goto error;
1903 -+ goto drop;
1904 -
1905 - gs = rcu_dereference_sk_user_data(sk);
1906 - if (!gs)
1907 -@@ -367,10 +367,6 @@ drop:
1908 - /* Consume bad packet */
1909 - kfree_skb(skb);
1910 - return 0;
1911 --
1912 --error:
1913 -- /* Let the UDP layer deal with the skb */
1914 -- return 1;
1915 - }
1916 -
1917 - static struct socket *geneve_create_sock(struct net *net, bool ipv6,
1918 -diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
1919 -index 92eaab95..9e803bb 100644
1920 ---- a/drivers/net/macsec.c
1921 -+++ b/drivers/net/macsec.c
1922 -@@ -1645,7 +1645,7 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info)
1923 - if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
1924 - rx_sa->active = !!nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
1925 -
1926 -- nla_memcpy(rx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEY], MACSEC_KEYID_LEN);
1927 -+ nla_memcpy(rx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN);
1928 - rx_sa->sc = rx_sc;
1929 - rcu_assign_pointer(rx_sc->sa[assoc_num], rx_sa);
1930 -
1931 -@@ -1784,7 +1784,7 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info)
1932 - return -ENOMEM;
1933 - }
1934 -
1935 -- nla_memcpy(tx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEY], MACSEC_KEYID_LEN);
1936 -+ nla_memcpy(tx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN);
1937 -
1938 - spin_lock_bh(&tx_sa->lock);
1939 - tx_sa->next_pn = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]);
1940 -diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
1941 -index a0f64cb..2ace126 100644
1942 ---- a/drivers/net/team/team.c
1943 -+++ b/drivers/net/team/team.c
1944 -@@ -990,7 +990,7 @@ static void team_port_disable(struct team *team,
1945 - #define TEAM_ENC_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \
1946 - NETIF_F_RXCSUM | NETIF_F_ALL_TSO)
1947 -
1948 --static void __team_compute_features(struct team *team)
1949 -+static void ___team_compute_features(struct team *team)
1950 - {
1951 - struct team_port *port;
1952 - u32 vlan_features = TEAM_VLAN_FEATURES & NETIF_F_ALL_FOR_ALL;
1953 -@@ -1021,15 +1021,20 @@ static void __team_compute_features(struct team *team)
1954 - team->dev->priv_flags &= ~IFF_XMIT_DST_RELEASE;
1955 - if (dst_release_flag == (IFF_XMIT_DST_RELEASE | IFF_XMIT_DST_RELEASE_PERM))
1956 - team->dev->priv_flags |= IFF_XMIT_DST_RELEASE;
1957 -+}
1958 -
1959 -+static void __team_compute_features(struct team *team)
1960 -+{
1961 -+ ___team_compute_features(team);
1962 - netdev_change_features(team->dev);
1963 - }
1964 -
1965 - static void team_compute_features(struct team *team)
1966 - {
1967 - mutex_lock(&team->lock);
1968 -- __team_compute_features(team);
1969 -+ ___team_compute_features(team);
1970 - mutex_unlock(&team->lock);
1971 -+ netdev_change_features(team->dev);
1972 - }
1973 -
1974 - static int team_port_enter(struct team *team, struct team_port *port)
1975 -diff --git a/drivers/net/tun.c b/drivers/net/tun.c
1976 -index 2c9e45f5..dda4905 100644
1977 ---- a/drivers/net/tun.c
1978 -+++ b/drivers/net/tun.c
1979 -@@ -568,11 +568,13 @@ static void tun_detach_all(struct net_device *dev)
1980 - for (i = 0; i < n; i++) {
1981 - tfile = rtnl_dereference(tun->tfiles[i]);
1982 - BUG_ON(!tfile);
1983 -+ tfile->socket.sk->sk_shutdown = RCV_SHUTDOWN;
1984 - tfile->socket.sk->sk_data_ready(tfile->socket.sk);
1985 - RCU_INIT_POINTER(tfile->tun, NULL);
1986 - --tun->numqueues;
1987 - }
1988 - list_for_each_entry(tfile, &tun->disabled, next) {
1989 -+ tfile->socket.sk->sk_shutdown = RCV_SHUTDOWN;
1990 - tfile->socket.sk->sk_data_ready(tfile->socket.sk);
1991 - RCU_INIT_POINTER(tfile->tun, NULL);
1992 - }
1993 -@@ -628,6 +630,7 @@ static int tun_attach(struct tun_struct *tun, struct file *file, bool skip_filte
1994 - goto out;
1995 - }
1996 - tfile->queue_index = tun->numqueues;
1997 -+ tfile->socket.sk->sk_shutdown &= ~RCV_SHUTDOWN;
1998 - rcu_assign_pointer(tfile->tun, tun);
1999 - rcu_assign_pointer(tun->tfiles[tun->numqueues], tfile);
2000 - tun->numqueues++;
2001 -@@ -1425,9 +1428,6 @@ static ssize_t tun_do_read(struct tun_struct *tun, struct tun_file *tfile,
2002 - if (!iov_iter_count(to))
2003 - return 0;
2004 -
2005 -- if (tun->dev->reg_state != NETREG_REGISTERED)
2006 -- return -EIO;
2007 --
2008 - /* Read frames from queue */
2009 - skb = __skb_recv_datagram(tfile->socket.sk, noblock ? MSG_DONTWAIT : 0,
2010 - &peeked, &off, &err);
2011 -diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
2012 -index 8ac261a..7e29b55 100644
2013 ---- a/drivers/net/vxlan.c
2014 -+++ b/drivers/net/vxlan.c
2015 -@@ -1262,7 +1262,7 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb)
2016 -
2017 - /* Need Vxlan and inner Ethernet header to be present */
2018 - if (!pskb_may_pull(skb, VXLAN_HLEN))
2019 -- return 1;
2020 -+ goto drop;
2021 -
2022 - unparsed = *vxlan_hdr(skb);
2023 - /* VNI flag always required to be set */
2024 -@@ -1271,7 +1271,7 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb)
2025 - ntohl(vxlan_hdr(skb)->vx_flags),
2026 - ntohl(vxlan_hdr(skb)->vx_vni));
2027 - /* Return non vxlan pkt */
2028 -- return 1;
2029 -+ goto drop;
2030 - }
2031 - unparsed.vx_flags &= ~VXLAN_HF_VNI;
2032 - unparsed.vx_vni &= ~VXLAN_VNI_MASK;
2033 -@@ -2959,6 +2959,9 @@ static int vxlan_newlink(struct net *src_net, struct net_device *dev,
2034 - if (data[IFLA_VXLAN_REMCSUM_NOPARTIAL])
2035 - conf.flags |= VXLAN_F_REMCSUM_NOPARTIAL;
2036 -
2037 -+ if (tb[IFLA_MTU])
2038 -+ conf.mtu = nla_get_u32(tb[IFLA_MTU]);
2039 -+
2040 - err = vxlan_dev_configure(src_net, dev, &conf);
2041 - switch (err) {
2042 - case -ENODEV:
2043 -diff --git a/drivers/perf/arm_pmu.c b/drivers/perf/arm_pmu.c
2044 -index f700908..0e537fd 100644
2045 ---- a/drivers/perf/arm_pmu.c
2046 -+++ b/drivers/perf/arm_pmu.c
2047 -@@ -987,9 +987,6 @@ int arm_pmu_device_probe(struct platform_device *pdev,
2048 -
2049 - armpmu_init(pmu);
2050 -
2051 -- if (!__oprofile_cpu_pmu)
2052 -- __oprofile_cpu_pmu = pmu;
2053 --
2054 - pmu->plat_device = pdev;
2055 -
2056 - if (node && (of_id = of_match_node(of_table, pdev->dev.of_node))) {
2057 -@@ -1025,6 +1022,9 @@ int arm_pmu_device_probe(struct platform_device *pdev,
2058 - if (ret)
2059 - goto out_destroy;
2060 -
2061 -+ if (!__oprofile_cpu_pmu)
2062 -+ __oprofile_cpu_pmu = pmu;
2063 -+
2064 - pr_info("enabled with %s PMU driver, %d counters available\n",
2065 - pmu->name, pmu->num_events);
2066 -
2067 -diff --git a/drivers/pinctrl/mediatek/pinctrl-mtk-common.c b/drivers/pinctrl/mediatek/pinctrl-mtk-common.c
2068 -index 6ab8c3c..fba2dd9 100644
2069 ---- a/drivers/pinctrl/mediatek/pinctrl-mtk-common.c
2070 -+++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common.c
2071 -@@ -1256,9 +1256,10 @@ static void mtk_eint_irq_handler(struct irq_desc *desc)
2072 - const struct mtk_desc_pin *pin;
2073 -
2074 - chained_irq_enter(chip, desc);
2075 -- for (eint_num = 0; eint_num < pctl->devdata->ap_num; eint_num += 32) {
2076 -+ for (eint_num = 0;
2077 -+ eint_num < pctl->devdata->ap_num;
2078 -+ eint_num += 32, reg += 4) {
2079 - status = readl(reg);
2080 -- reg += 4;
2081 - while (status) {
2082 - offset = __ffs(status);
2083 - index = eint_num + offset;
2084 -diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c
2085 -index 3408578..ff41c31 100644
2086 ---- a/drivers/scsi/scsi_devinfo.c
2087 -+++ b/drivers/scsi/scsi_devinfo.c
2088 -@@ -230,6 +230,7 @@ static struct {
2089 - {"PIONEER", "CD-ROM DRM-624X", NULL, BLIST_FORCELUN | BLIST_SINGLELUN},
2090 - {"Promise", "VTrak E610f", NULL, BLIST_SPARSELUN | BLIST_NO_RSOC},
2091 - {"Promise", "", NULL, BLIST_SPARSELUN},
2092 -+ {"QEMU", "QEMU CD-ROM", NULL, BLIST_SKIP_VPD_PAGES},
2093 - {"QNAP", "iSCSI Storage", NULL, BLIST_MAX_1024},
2094 - {"SYNOLOGY", "iSCSI Storage", NULL, BLIST_MAX_1024},
2095 - {"QUANTUM", "XP34301", "1071", BLIST_NOTQ},
2096 -diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
2097 -index 8106515..f704d02 100644
2098 ---- a/drivers/scsi/scsi_lib.c
2099 -+++ b/drivers/scsi/scsi_lib.c
2100 -@@ -911,9 +911,12 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes)
2101 - }
2102 -
2103 - /*
2104 -- * If we finished all bytes in the request we are done now.
2105 -+ * special case: failed zero length commands always need to
2106 -+ * drop down into the retry code. Otherwise, if we finished
2107 -+ * all bytes in the request we are done now.
2108 - */
2109 -- if (!scsi_end_request(req, error, good_bytes, 0))
2110 -+ if (!(blk_rq_bytes(req) == 0 && error) &&
2111 -+ !scsi_end_request(req, error, good_bytes, 0))
2112 - return;
2113 -
2114 - /*
2115 -diff --git a/fs/dcache.c b/fs/dcache.c
2116 -index d5ecc6e..44008e3 100644
2117 ---- a/fs/dcache.c
2118 -+++ b/fs/dcache.c
2119 -@@ -1619,7 +1619,7 @@ struct dentry *d_alloc(struct dentry * parent, const struct qstr *name)
2120 - struct dentry *dentry = __d_alloc(parent->d_sb, name);
2121 - if (!dentry)
2122 - return NULL;
2123 --
2124 -+ dentry->d_flags |= DCACHE_RCUACCESS;
2125 - spin_lock(&parent->d_lock);
2126 - /*
2127 - * don't need child lock because it is not subject
2128 -@@ -2338,7 +2338,6 @@ static void __d_rehash(struct dentry * entry, struct hlist_bl_head *b)
2129 - {
2130 - BUG_ON(!d_unhashed(entry));
2131 - hlist_bl_lock(b);
2132 -- entry->d_flags |= DCACHE_RCUACCESS;
2133 - hlist_bl_add_head_rcu(&entry->d_hash, b);
2134 - hlist_bl_unlock(b);
2135 - }
2136 -@@ -2637,6 +2636,7 @@ static void __d_move(struct dentry *dentry, struct dentry *target,
2137 - /* ... and switch them in the tree */
2138 - if (IS_ROOT(dentry)) {
2139 - /* splicing a tree */
2140 -+ dentry->d_flags |= DCACHE_RCUACCESS;
2141 - dentry->d_parent = target->d_parent;
2142 - target->d_parent = target;
2143 - list_del_init(&target->d_child);
2144 -diff --git a/fs/ecryptfs/kthread.c b/fs/ecryptfs/kthread.c
2145 -index 866bb18..e818f5a 100644
2146 ---- a/fs/ecryptfs/kthread.c
2147 -+++ b/fs/ecryptfs/kthread.c
2148 -@@ -25,6 +25,7 @@
2149 - #include <linux/slab.h>
2150 - #include <linux/wait.h>
2151 - #include <linux/mount.h>
2152 -+#include <linux/file.h>
2153 - #include "ecryptfs_kernel.h"
2154 -
2155 - struct ecryptfs_open_req {
2156 -@@ -147,7 +148,7 @@ int ecryptfs_privileged_open(struct file **lower_file,
2157 - flags |= IS_RDONLY(d_inode(lower_dentry)) ? O_RDONLY : O_RDWR;
2158 - (*lower_file) = dentry_open(&req.path, flags, cred);
2159 - if (!IS_ERR(*lower_file))
2160 -- goto out;
2161 -+ goto have_file;
2162 - if ((flags & O_ACCMODE) == O_RDONLY) {
2163 - rc = PTR_ERR((*lower_file));
2164 - goto out;
2165 -@@ -165,8 +166,16 @@ int ecryptfs_privileged_open(struct file **lower_file,
2166 - mutex_unlock(&ecryptfs_kthread_ctl.mux);
2167 - wake_up(&ecryptfs_kthread_ctl.wait);
2168 - wait_for_completion(&req.done);
2169 -- if (IS_ERR(*lower_file))
2170 -+ if (IS_ERR(*lower_file)) {
2171 - rc = PTR_ERR(*lower_file);
2172 -+ goto out;
2173 -+ }
2174 -+have_file:
2175 -+ if ((*lower_file)->f_op->mmap == NULL) {
2176 -+ fput(*lower_file);
2177 -+ *lower_file = NULL;
2178 -+ rc = -EMEDIUMTYPE;
2179 -+ }
2180 - out:
2181 - return rc;
2182 - }
2183 -diff --git a/fs/proc/root.c b/fs/proc/root.c
2184 -index 361ab4e..ec649c9 100644
2185 ---- a/fs/proc/root.c
2186 -+++ b/fs/proc/root.c
2187 -@@ -121,6 +121,13 @@ static struct dentry *proc_mount(struct file_system_type *fs_type,
2188 - if (IS_ERR(sb))
2189 - return ERR_CAST(sb);
2190 -
2191 -+ /*
2192 -+ * procfs isn't actually a stacking filesystem; however, there is
2193 -+ * too much magic going on inside it to permit stacking things on
2194 -+ * top of it
2195 -+ */
2196 -+ sb->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH;
2197 -+
2198 - if (!proc_parse_options(options, ns)) {
2199 - deactivate_locked_super(sb);
2200 - return ERR_PTR(-EINVAL);
2201 -diff --git a/include/linux/irqchip/arm-gic-v3.h b/include/linux/irqchip/arm-gic-v3.h
2202 -index d5d798b..e984250 100644
2203 ---- a/include/linux/irqchip/arm-gic-v3.h
2204 -+++ b/include/linux/irqchip/arm-gic-v3.h
2205 -@@ -301,7 +301,7 @@
2206 - #define ICC_SGI1R_AFFINITY_1_SHIFT 16
2207 - #define ICC_SGI1R_AFFINITY_1_MASK (0xff << ICC_SGI1R_AFFINITY_1_SHIFT)
2208 - #define ICC_SGI1R_SGI_ID_SHIFT 24
2209 --#define ICC_SGI1R_SGI_ID_MASK (0xff << ICC_SGI1R_SGI_ID_SHIFT)
2210 -+#define ICC_SGI1R_SGI_ID_MASK (0xfULL << ICC_SGI1R_SGI_ID_SHIFT)
2211 - #define ICC_SGI1R_AFFINITY_2_SHIFT 32
2212 - #define ICC_SGI1R_AFFINITY_2_MASK (0xffULL << ICC_SGI1R_AFFINITY_1_SHIFT)
2213 - #define ICC_SGI1R_IRQ_ROUTING_MODE_BIT 40
2214 -diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
2215 -index 80a305b..4dd9306 100644
2216 ---- a/include/linux/netfilter/x_tables.h
2217 -+++ b/include/linux/netfilter/x_tables.h
2218 -@@ -242,11 +242,18 @@ void xt_unregister_match(struct xt_match *target);
2219 - int xt_register_matches(struct xt_match *match, unsigned int n);
2220 - void xt_unregister_matches(struct xt_match *match, unsigned int n);
2221 -
2222 -+int xt_check_entry_offsets(const void *base, const char *elems,
2223 -+ unsigned int target_offset,
2224 -+ unsigned int next_offset);
2225 -+
2226 - int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto,
2227 - bool inv_proto);
2228 - int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto,
2229 - bool inv_proto);
2230 -
2231 -+void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
2232 -+ struct xt_counters_info *info, bool compat);
2233 -+
2234 - struct xt_table *xt_register_table(struct net *net,
2235 - const struct xt_table *table,
2236 - struct xt_table_info *bootstrap,
2237 -@@ -480,7 +487,7 @@ void xt_compat_init_offsets(u_int8_t af, unsigned int number);
2238 - int xt_compat_calc_jump(u_int8_t af, unsigned int offset);
2239 -
2240 - int xt_compat_match_offset(const struct xt_match *match);
2241 --int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
2242 -+void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
2243 - unsigned int *size);
2244 - int xt_compat_match_to_user(const struct xt_entry_match *m,
2245 - void __user **dstptr, unsigned int *size);
2246 -@@ -490,6 +497,9 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
2247 - unsigned int *size);
2248 - int xt_compat_target_to_user(const struct xt_entry_target *t,
2249 - void __user **dstptr, unsigned int *size);
2250 -+int xt_compat_check_entry_offsets(const void *base, const char *elems,
2251 -+ unsigned int target_offset,
2252 -+ unsigned int next_offset);
2253 -
2254 - #endif /* CONFIG_COMPAT */
2255 - #endif /* _X_TABLES_H */
2256 -diff --git a/include/net/switchdev.h b/include/net/switchdev.h
2257 -index 51d77b2..985619a 100644
2258 ---- a/include/net/switchdev.h
2259 -+++ b/include/net/switchdev.h
2260 -@@ -97,7 +97,7 @@ struct switchdev_obj_ipv4_fib {
2261 - struct switchdev_obj obj;
2262 - u32 dst;
2263 - int dst_len;
2264 -- struct fib_info fi;
2265 -+ struct fib_info *fi;
2266 - u8 tos;
2267 - u8 type;
2268 - u32 nlflags;
2269 -diff --git a/include/uapi/linux/libc-compat.h b/include/uapi/linux/libc-compat.h
2270 -index d5e38c7..e4f048e 100644
2271 ---- a/include/uapi/linux/libc-compat.h
2272 -+++ b/include/uapi/linux/libc-compat.h
2273 -@@ -52,7 +52,7 @@
2274 - #if defined(__GLIBC__)
2275 -
2276 - /* Coordinate with glibc net/if.h header. */
2277 --#if defined(_NET_IF_H)
2278 -+#if defined(_NET_IF_H) && defined(__USE_MISC)
2279 -
2280 - /* GLIBC headers included first so don't define anything
2281 - * that would already be defined. */
2282 -diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
2283 -index 8f94ca1..b2aefa2 100644
2284 ---- a/kernel/bpf/inode.c
2285 -+++ b/kernel/bpf/inode.c
2286 -@@ -378,7 +378,7 @@ static int bpf_fill_super(struct super_block *sb, void *data, int silent)
2287 - static struct dentry *bpf_mount(struct file_system_type *type, int flags,
2288 - const char *dev_name, void *data)
2289 - {
2290 -- return mount_ns(type, flags, current->nsproxy->mnt_ns, bpf_fill_super);
2291 -+ return mount_nodev(type, flags, data, bpf_fill_super);
2292 - }
2293 -
2294 - static struct file_system_type bpf_fs_type = {
2295 -@@ -386,7 +386,6 @@ static struct file_system_type bpf_fs_type = {
2296 - .name = "bpf",
2297 - .mount = bpf_mount,
2298 - .kill_sb = kill_litter_super,
2299 -- .fs_flags = FS_USERNS_MOUNT,
2300 - };
2301 -
2302 - MODULE_ALIAS_FS("bpf");
2303 -diff --git a/kernel/sched/core.c b/kernel/sched/core.c
2304 -index d1f7149..11546a6 100644
2305 ---- a/kernel/sched/core.c
2306 -+++ b/kernel/sched/core.c
2307 -@@ -3047,7 +3047,8 @@ static noinline void __schedule_bug(struct task_struct *prev)
2308 - static inline void schedule_debug(struct task_struct *prev)
2309 - {
2310 - #ifdef CONFIG_SCHED_STACK_END_CHECK
2311 -- BUG_ON(task_stack_end_corrupted(prev));
2312 -+ if (task_stack_end_corrupted(prev))
2313 -+ panic("corrupted stack end detected inside scheduler\n");
2314 - #endif
2315 -
2316 - if (unlikely(in_atomic_preempt_off())) {
2317 -diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
2318 -index 3e4ffb3..d028941 100644
2319 ---- a/kernel/trace/bpf_trace.c
2320 -+++ b/kernel/trace/bpf_trace.c
2321 -@@ -194,7 +194,7 @@ static u64 bpf_perf_event_read(u64 r1, u64 index, u64 r3, u64 r4, u64 r5)
2322 - if (unlikely(index >= array->map.max_entries))
2323 - return -E2BIG;
2324 -
2325 -- file = (struct file *)array->ptrs[index];
2326 -+ file = READ_ONCE(array->ptrs[index]);
2327 - if (unlikely(!file))
2328 - return -ENOENT;
2329 -
2330 -@@ -238,7 +238,7 @@ static u64 bpf_perf_event_output(u64 r1, u64 r2, u64 index, u64 r4, u64 size)
2331 - if (unlikely(index >= array->map.max_entries))
2332 - return -E2BIG;
2333 -
2334 -- file = (struct file *)array->ptrs[index];
2335 -+ file = READ_ONCE(array->ptrs[index]);
2336 - if (unlikely(!file))
2337 - return -ENOENT;
2338 -
2339 -diff --git a/mm/memcontrol.c b/mm/memcontrol.c
2340 -index fe787f5..a2e79b8 100644
2341 ---- a/mm/memcontrol.c
2342 -+++ b/mm/memcontrol.c
2343 -@@ -2877,6 +2877,7 @@ static void memcg_offline_kmem(struct mem_cgroup *memcg)
2344 - * ordering is imposed by list_lru_node->lock taken by
2345 - * memcg_drain_all_list_lrus().
2346 - */
2347 -+ rcu_read_lock(); /* can be called from css_free w/o cgroup_mutex */
2348 - css_for_each_descendant_pre(css, &memcg->css) {
2349 - child = mem_cgroup_from_css(css);
2350 - BUG_ON(child->kmemcg_id != kmemcg_id);
2351 -@@ -2884,6 +2885,8 @@ static void memcg_offline_kmem(struct mem_cgroup *memcg)
2352 - if (!memcg->use_hierarchy)
2353 - break;
2354 - }
2355 -+ rcu_read_unlock();
2356 -+
2357 - memcg_drain_all_list_lrus(kmemcg_id, parent->kmemcg_id);
2358 -
2359 - memcg_free_cache_id(kmemcg_id);
2360 -diff --git a/mm/swap_state.c b/mm/swap_state.c
2361 -index 366ce35..1155a68 100644
2362 ---- a/mm/swap_state.c
2363 -+++ b/mm/swap_state.c
2364 -@@ -252,7 +252,10 @@ static inline void free_swap_cache(struct page *page)
2365 - void free_page_and_swap_cache(struct page *page)
2366 - {
2367 - free_swap_cache(page);
2368 -- put_page(page);
2369 -+ if (is_huge_zero_page(page))
2370 -+ put_huge_zero_page();
2371 -+ else
2372 -+ put_page(page);
2373 - }
2374 -
2375 - /*
2376 -diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
2377 -index dcea4f4..c18080a 100644
2378 ---- a/net/bridge/br_fdb.c
2379 -+++ b/net/bridge/br_fdb.c
2380 -@@ -279,6 +279,8 @@ void br_fdb_change_mac_address(struct net_bridge *br, const u8 *newaddr)
2381 - * change from under us.
2382 - */
2383 - list_for_each_entry(v, &vg->vlan_list, vlist) {
2384 -+ if (!br_vlan_should_use(v))
2385 -+ continue;
2386 - f = __br_fdb_get(br, br->dev->dev_addr, v->vid);
2387 - if (f && f->is_local && !f->dst)
2388 - fdb_delete_local(br, NULL, f);
2389 -diff --git a/net/core/hwbm.c b/net/core/hwbm.c
2390 -index 941c284..2cab489 100644
2391 ---- a/net/core/hwbm.c
2392 -+++ b/net/core/hwbm.c
2393 -@@ -55,18 +55,21 @@ int hwbm_pool_add(struct hwbm_pool *bm_pool, unsigned int buf_num, gfp_t gfp)
2394 - spin_lock_irqsave(&bm_pool->lock, flags);
2395 - if (bm_pool->buf_num == bm_pool->size) {
2396 - pr_warn("pool already filled\n");
2397 -+ spin_unlock_irqrestore(&bm_pool->lock, flags);
2398 - return bm_pool->buf_num;
2399 - }
2400 -
2401 - if (buf_num + bm_pool->buf_num > bm_pool->size) {
2402 - pr_warn("cannot allocate %d buffers for pool\n",
2403 - buf_num);
2404 -+ spin_unlock_irqrestore(&bm_pool->lock, flags);
2405 - return 0;
2406 - }
2407 -
2408 - if ((buf_num + bm_pool->buf_num) < bm_pool->buf_num) {
2409 - pr_warn("Adding %d buffers to the %d current buffers will overflow\n",
2410 - buf_num, bm_pool->buf_num);
2411 -+ spin_unlock_irqrestore(&bm_pool->lock, flags);
2412 - return 0;
2413 - }
2414 -
2415 -diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
2416 -index 9e48199..7ad0e56 100644
2417 ---- a/net/ipv4/af_inet.c
2418 -+++ b/net/ipv4/af_inet.c
2419 -@@ -1660,6 +1660,14 @@ static __net_init int inet_init_net(struct net *net)
2420 - */
2421 - net->ipv4.ping_group_range.range[0] = make_kgid(&init_user_ns, 1);
2422 - net->ipv4.ping_group_range.range[1] = make_kgid(&init_user_ns, 0);
2423 -+
2424 -+ /* Default values for sysctl-controlled parameters.
2425 -+ * We set them here, in case sysctl is not compiled.
2426 -+ */
2427 -+ net->ipv4.sysctl_ip_default_ttl = IPDEFTTL;
2428 -+ net->ipv4.sysctl_ip_dynaddr = 0;
2429 -+ net->ipv4.sysctl_ip_early_demux = 1;
2430 -+
2431 - return 0;
2432 - }
2433 -
2434 -diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
2435 -index 4133b0f..85d60c6 100644
2436 ---- a/net/ipv4/netfilter/arp_tables.c
2437 -+++ b/net/ipv4/netfilter/arp_tables.c
2438 -@@ -367,6 +367,18 @@ static inline bool unconditional(const struct arpt_entry *e)
2439 - memcmp(&e->arp, &uncond, sizeof(uncond)) == 0;
2440 - }
2441 -
2442 -+static bool find_jump_target(const struct xt_table_info *t,
2443 -+ const struct arpt_entry *target)
2444 -+{
2445 -+ struct arpt_entry *iter;
2446 -+
2447 -+ xt_entry_foreach(iter, t->entries, t->size) {
2448 -+ if (iter == target)
2449 -+ return true;
2450 -+ }
2451 -+ return false;
2452 -+}
2453 -+
2454 - /* Figures out from what hook each rule can be called: returns 0 if
2455 - * there are loops. Puts hook bitmask in comefrom.
2456 - */
2457 -@@ -439,6 +451,8 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
2458 - size = e->next_offset;
2459 - e = (struct arpt_entry *)
2460 - (entry0 + pos + size);
2461 -+ if (pos + size >= newinfo->size)
2462 -+ return 0;
2463 - e->counters.pcnt = pos;
2464 - pos += size;
2465 - } else {
2466 -@@ -458,9 +472,15 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
2467 - /* This a jump; chase it. */
2468 - duprintf("Jump rule %u -> %u\n",
2469 - pos, newpos);
2470 -+ e = (struct arpt_entry *)
2471 -+ (entry0 + newpos);
2472 -+ if (!find_jump_target(newinfo, e))
2473 -+ return 0;
2474 - } else {
2475 - /* ... this is a fallthru */
2476 - newpos = pos + e->next_offset;
2477 -+ if (newpos >= newinfo->size)
2478 -+ return 0;
2479 - }
2480 - e = (struct arpt_entry *)
2481 - (entry0 + newpos);
2482 -@@ -474,23 +494,6 @@ next:
2483 - return 1;
2484 - }
2485 -
2486 --static inline int check_entry(const struct arpt_entry *e)
2487 --{
2488 -- const struct xt_entry_target *t;
2489 --
2490 -- if (!arp_checkentry(&e->arp))
2491 -- return -EINVAL;
2492 --
2493 -- if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset)
2494 -- return -EINVAL;
2495 --
2496 -- t = arpt_get_target_c(e);
2497 -- if (e->target_offset + t->u.target_size > e->next_offset)
2498 -- return -EINVAL;
2499 --
2500 -- return 0;
2501 --}
2502 --
2503 - static inline int check_target(struct arpt_entry *e, const char *name)
2504 - {
2505 - struct xt_entry_target *t = arpt_get_target(e);
2506 -@@ -586,7 +589,11 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
2507 - return -EINVAL;
2508 - }
2509 -
2510 -- err = check_entry(e);
2511 -+ if (!arp_checkentry(&e->arp))
2512 -+ return -EINVAL;
2513 -+
2514 -+ err = xt_check_entry_offsets(e, e->elems, e->target_offset,
2515 -+ e->next_offset);
2516 - if (err)
2517 - return err;
2518 -
2519 -@@ -691,10 +698,8 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0,
2520 - }
2521 - }
2522 -
2523 -- if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) {
2524 -- duprintf("Looping hook\n");
2525 -+ if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
2526 - return -ELOOP;
2527 -- }
2528 -
2529 - /* Finally, each sanity check must pass */
2530 - i = 0;
2531 -@@ -1126,55 +1131,17 @@ static int do_add_counters(struct net *net, const void __user *user,
2532 - unsigned int i;
2533 - struct xt_counters_info tmp;
2534 - struct xt_counters *paddc;
2535 -- unsigned int num_counters;
2536 -- const char *name;
2537 -- int size;
2538 -- void *ptmp;
2539 - struct xt_table *t;
2540 - const struct xt_table_info *private;
2541 - int ret = 0;
2542 - struct arpt_entry *iter;
2543 - unsigned int addend;
2544 --#ifdef CONFIG_COMPAT
2545 -- struct compat_xt_counters_info compat_tmp;
2546 -
2547 -- if (compat) {
2548 -- ptmp = &compat_tmp;
2549 -- size = sizeof(struct compat_xt_counters_info);
2550 -- } else
2551 --#endif
2552 -- {
2553 -- ptmp = &tmp;
2554 -- size = sizeof(struct xt_counters_info);
2555 -- }
2556 -+ paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
2557 -+ if (IS_ERR(paddc))
2558 -+ return PTR_ERR(paddc);
2559 -
2560 -- if (copy_from_user(ptmp, user, size) != 0)
2561 -- return -EFAULT;
2562 --
2563 --#ifdef CONFIG_COMPAT
2564 -- if (compat) {
2565 -- num_counters = compat_tmp.num_counters;
2566 -- name = compat_tmp.name;
2567 -- } else
2568 --#endif
2569 -- {
2570 -- num_counters = tmp.num_counters;
2571 -- name = tmp.name;
2572 -- }
2573 --
2574 -- if (len != size + num_counters * sizeof(struct xt_counters))
2575 -- return -EINVAL;
2576 --
2577 -- paddc = vmalloc(len - size);
2578 -- if (!paddc)
2579 -- return -ENOMEM;
2580 --
2581 -- if (copy_from_user(paddc, user + size, len - size) != 0) {
2582 -- ret = -EFAULT;
2583 -- goto free;
2584 -- }
2585 --
2586 -- t = xt_find_table_lock(net, NFPROTO_ARP, name);
2587 -+ t = xt_find_table_lock(net, NFPROTO_ARP, tmp.name);
2588 - if (IS_ERR_OR_NULL(t)) {
2589 - ret = t ? PTR_ERR(t) : -ENOENT;
2590 - goto free;
2591 -@@ -1182,7 +1149,7 @@ static int do_add_counters(struct net *net, const void __user *user,
2592 -
2593 - local_bh_disable();
2594 - private = t->private;
2595 -- if (private->number != num_counters) {
2596 -+ if (private->number != tmp.num_counters) {
2597 - ret = -EINVAL;
2598 - goto unlock_up_free;
2599 - }
2600 -@@ -1209,6 +1176,18 @@ static int do_add_counters(struct net *net, const void __user *user,
2601 - }
2602 -
2603 - #ifdef CONFIG_COMPAT
2604 -+struct compat_arpt_replace {
2605 -+ char name[XT_TABLE_MAXNAMELEN];
2606 -+ u32 valid_hooks;
2607 -+ u32 num_entries;
2608 -+ u32 size;
2609 -+ u32 hook_entry[NF_ARP_NUMHOOKS];
2610 -+ u32 underflow[NF_ARP_NUMHOOKS];
2611 -+ u32 num_counters;
2612 -+ compat_uptr_t counters;
2613 -+ struct compat_arpt_entry entries[0];
2614 -+};
2615 -+
2616 - static inline void compat_release_entry(struct compat_arpt_entry *e)
2617 - {
2618 - struct xt_entry_target *t;
2619 -@@ -1217,20 +1196,17 @@ static inline void compat_release_entry(struct compat_arpt_entry *e)
2620 - module_put(t->u.kernel.target->me);
2621 - }
2622 -
2623 --static inline int
2624 -+static int
2625 - check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
2626 - struct xt_table_info *newinfo,
2627 - unsigned int *size,
2628 - const unsigned char *base,
2629 -- const unsigned char *limit,
2630 -- const unsigned int *hook_entries,
2631 -- const unsigned int *underflows,
2632 -- const char *name)
2633 -+ const unsigned char *limit)
2634 - {
2635 - struct xt_entry_target *t;
2636 - struct xt_target *target;
2637 - unsigned int entry_offset;
2638 -- int ret, off, h;
2639 -+ int ret, off;
2640 -
2641 - duprintf("check_compat_entry_size_and_hooks %p\n", e);
2642 - if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 ||
2643 -@@ -1247,8 +1223,11 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
2644 - return -EINVAL;
2645 - }
2646 -
2647 -- /* For purposes of check_entry casting the compat entry is fine */
2648 -- ret = check_entry((struct arpt_entry *)e);
2649 -+ if (!arp_checkentry(&e->arp))
2650 -+ return -EINVAL;
2651 -+
2652 -+ ret = xt_compat_check_entry_offsets(e, e->elems, e->target_offset,
2653 -+ e->next_offset);
2654 - if (ret)
2655 - return ret;
2656 -
2657 -@@ -1272,17 +1251,6 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
2658 - if (ret)
2659 - goto release_target;
2660 -
2661 -- /* Check hooks & underflows */
2662 -- for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
2663 -- if ((unsigned char *)e - base == hook_entries[h])
2664 -- newinfo->hook_entry[h] = hook_entries[h];
2665 -- if ((unsigned char *)e - base == underflows[h])
2666 -- newinfo->underflow[h] = underflows[h];
2667 -- }
2668 --
2669 -- /* Clear counters and comefrom */
2670 -- memset(&e->counters, 0, sizeof(e->counters));
2671 -- e->comefrom = 0;
2672 - return 0;
2673 -
2674 - release_target:
2675 -@@ -1291,18 +1259,17 @@ out:
2676 - return ret;
2677 - }
2678 -
2679 --static int
2680 -+static void
2681 - compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr,
2682 -- unsigned int *size, const char *name,
2683 -+ unsigned int *size,
2684 - struct xt_table_info *newinfo, unsigned char *base)
2685 - {
2686 - struct xt_entry_target *t;
2687 - struct xt_target *target;
2688 - struct arpt_entry *de;
2689 - unsigned int origsize;
2690 -- int ret, h;
2691 -+ int h;
2692 -
2693 -- ret = 0;
2694 - origsize = *size;
2695 - de = (struct arpt_entry *)*dstptr;
2696 - memcpy(de, e, sizeof(struct arpt_entry));
2697 -@@ -1323,148 +1290,82 @@ compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr,
2698 - if ((unsigned char *)de - base < newinfo->underflow[h])
2699 - newinfo->underflow[h] -= origsize - *size;
2700 - }
2701 -- return ret;
2702 - }
2703 -
2704 --static int translate_compat_table(const char *name,
2705 -- unsigned int valid_hooks,
2706 -- struct xt_table_info **pinfo,
2707 -+static int translate_compat_table(struct xt_table_info **pinfo,
2708 - void **pentry0,
2709 -- unsigned int total_size,
2710 -- unsigned int number,
2711 -- unsigned int *hook_entries,
2712 -- unsigned int *underflows)
2713 -+ const struct compat_arpt_replace *compatr)
2714 - {
2715 - unsigned int i, j;
2716 - struct xt_table_info *newinfo, *info;
2717 - void *pos, *entry0, *entry1;
2718 - struct compat_arpt_entry *iter0;
2719 -- struct arpt_entry *iter1;
2720 -+ struct arpt_replace repl;
2721 - unsigned int size;
2722 - int ret = 0;
2723 -
2724 - info = *pinfo;
2725 - entry0 = *pentry0;
2726 -- size = total_size;
2727 -- info->number = number;
2728 --
2729 -- /* Init all hooks to impossible value. */
2730 -- for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
2731 -- info->hook_entry[i] = 0xFFFFFFFF;
2732 -- info->underflow[i] = 0xFFFFFFFF;
2733 -- }
2734 -+ size = compatr->size;
2735 -+ info->number = compatr->num_entries;
2736 -
2737 - duprintf("translate_compat_table: size %u\n", info->size);
2738 - j = 0;
2739 - xt_compat_lock(NFPROTO_ARP);
2740 -- xt_compat_init_offsets(NFPROTO_ARP, number);
2741 -+ xt_compat_init_offsets(NFPROTO_ARP, compatr->num_entries);
2742 - /* Walk through entries, checking offsets. */
2743 -- xt_entry_foreach(iter0, entry0, total_size) {
2744 -+ xt_entry_foreach(iter0, entry0, compatr->size) {
2745 - ret = check_compat_entry_size_and_hooks(iter0, info, &size,
2746 - entry0,
2747 -- entry0 + total_size,
2748 -- hook_entries,
2749 -- underflows,
2750 -- name);
2751 -+ entry0 + compatr->size);
2752 - if (ret != 0)
2753 - goto out_unlock;
2754 - ++j;
2755 - }
2756 -
2757 - ret = -EINVAL;
2758 -- if (j != number) {
2759 -+ if (j != compatr->num_entries) {
2760 - duprintf("translate_compat_table: %u not %u entries\n",
2761 -- j, number);
2762 -+ j, compatr->num_entries);
2763 - goto out_unlock;
2764 - }
2765 -
2766 -- /* Check hooks all assigned */
2767 -- for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
2768 -- /* Only hooks which are valid */
2769 -- if (!(valid_hooks & (1 << i)))
2770 -- continue;
2771 -- if (info->hook_entry[i] == 0xFFFFFFFF) {
2772 -- duprintf("Invalid hook entry %u %u\n",
2773 -- i, hook_entries[i]);
2774 -- goto out_unlock;
2775 -- }
2776 -- if (info->underflow[i] == 0xFFFFFFFF) {
2777 -- duprintf("Invalid underflow %u %u\n",
2778 -- i, underflows[i]);
2779 -- goto out_unlock;
2780 -- }
2781 -- }
2782 --
2783 - ret = -ENOMEM;
2784 - newinfo = xt_alloc_table_info(size);
2785 - if (!newinfo)
2786 - goto out_unlock;
2787 -
2788 -- newinfo->number = number;
2789 -+ newinfo->number = compatr->num_entries;
2790 - for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
2791 - newinfo->hook_entry[i] = info->hook_entry[i];
2792 - newinfo->underflow[i] = info->underflow[i];
2793 - }
2794 - entry1 = newinfo->entries;
2795 - pos = entry1;
2796 -- size = total_size;
2797 -- xt_entry_foreach(iter0, entry0, total_size) {
2798 -- ret = compat_copy_entry_from_user(iter0, &pos, &size,
2799 -- name, newinfo, entry1);
2800 -- if (ret != 0)
2801 -- break;
2802 -- }
2803 -+ size = compatr->size;
2804 -+ xt_entry_foreach(iter0, entry0, compatr->size)
2805 -+ compat_copy_entry_from_user(iter0, &pos, &size,
2806 -+ newinfo, entry1);
2807 -+
2808 -+ /* all module references in entry0 are now gone */
2809 -+
2810 - xt_compat_flush_offsets(NFPROTO_ARP);
2811 - xt_compat_unlock(NFPROTO_ARP);
2812 -- if (ret)
2813 -- goto free_newinfo;
2814 -
2815 -- ret = -ELOOP;
2816 -- if (!mark_source_chains(newinfo, valid_hooks, entry1))
2817 -- goto free_newinfo;
2818 -+ memcpy(&repl, compatr, sizeof(*compatr));
2819 -
2820 -- i = 0;
2821 -- xt_entry_foreach(iter1, entry1, newinfo->size) {
2822 -- iter1->counters.pcnt = xt_percpu_counter_alloc();
2823 -- if (IS_ERR_VALUE(iter1->counters.pcnt)) {
2824 -- ret = -ENOMEM;
2825 -- break;
2826 -- }
2827 --
2828 -- ret = check_target(iter1, name);
2829 -- if (ret != 0) {
2830 -- xt_percpu_counter_free(iter1->counters.pcnt);
2831 -- break;
2832 -- }
2833 -- ++i;
2834 -- if (strcmp(arpt_get_target(iter1)->u.user.name,
2835 -- XT_ERROR_TARGET) == 0)
2836 -- ++newinfo->stacksize;
2837 -- }
2838 -- if (ret) {
2839 -- /*
2840 -- * The first i matches need cleanup_entry (calls ->destroy)
2841 -- * because they had called ->check already. The other j-i
2842 -- * entries need only release.
2843 -- */
2844 -- int skip = i;
2845 -- j -= i;
2846 -- xt_entry_foreach(iter0, entry0, newinfo->size) {
2847 -- if (skip-- > 0)
2848 -- continue;
2849 -- if (j-- == 0)
2850 -- break;
2851 -- compat_release_entry(iter0);
2852 -- }
2853 -- xt_entry_foreach(iter1, entry1, newinfo->size) {
2854 -- if (i-- == 0)
2855 -- break;
2856 -- cleanup_entry(iter1);
2857 -- }
2858 -- xt_free_table_info(newinfo);
2859 -- return ret;
2860 -+ for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
2861 -+ repl.hook_entry[i] = newinfo->hook_entry[i];
2862 -+ repl.underflow[i] = newinfo->underflow[i];
2863 - }
2864 -
2865 -+ repl.num_counters = 0;
2866 -+ repl.counters = NULL;
2867 -+ repl.size = newinfo->size;
2868 -+ ret = translate_table(newinfo, entry1, &repl);
2869 -+ if (ret)
2870 -+ goto free_newinfo;
2871 -+
2872 - *pinfo = newinfo;
2873 - *pentry0 = entry1;
2874 - xt_free_table_info(info);
2875 -@@ -1472,31 +1373,18 @@ static int translate_compat_table(const char *name,
2876 -
2877 - free_newinfo:
2878 - xt_free_table_info(newinfo);
2879 --out:
2880 -- xt_entry_foreach(iter0, entry0, total_size) {
2881 -+ return ret;
2882 -+out_unlock:
2883 -+ xt_compat_flush_offsets(NFPROTO_ARP);
2884 -+ xt_compat_unlock(NFPROTO_ARP);
2885 -+ xt_entry_foreach(iter0, entry0, compatr->size) {
2886 - if (j-- == 0)
2887 - break;
2888 - compat_release_entry(iter0);
2889 - }
2890 - return ret;
2891 --out_unlock:
2892 -- xt_compat_flush_offsets(NFPROTO_ARP);
2893 -- xt_compat_unlock(NFPROTO_ARP);
2894 -- goto out;
2895 - }
2896 -
2897 --struct compat_arpt_replace {
2898 -- char name[XT_TABLE_MAXNAMELEN];
2899 -- u32 valid_hooks;
2900 -- u32 num_entries;
2901 -- u32 size;
2902 -- u32 hook_entry[NF_ARP_NUMHOOKS];
2903 -- u32 underflow[NF_ARP_NUMHOOKS];
2904 -- u32 num_counters;
2905 -- compat_uptr_t counters;
2906 -- struct compat_arpt_entry entries[0];
2907 --};
2908 --
2909 - static int compat_do_replace(struct net *net, void __user *user,
2910 - unsigned int len)
2911 - {
2912 -@@ -1529,10 +1417,7 @@ static int compat_do_replace(struct net *net, void __user *user,
2913 - goto free_newinfo;
2914 - }
2915 -
2916 -- ret = translate_compat_table(tmp.name, tmp.valid_hooks,
2917 -- &newinfo, &loc_cpu_entry, tmp.size,
2918 -- tmp.num_entries, tmp.hook_entry,
2919 -- tmp.underflow);
2920 -+ ret = translate_compat_table(&newinfo, &loc_cpu_entry, &tmp);
2921 - if (ret != 0)
2922 - goto free_newinfo;
2923 -
2924 -diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
2925 -index 631c100..0984ea3 100644
2926 ---- a/net/ipv4/netfilter/ip_tables.c
2927 -+++ b/net/ipv4/netfilter/ip_tables.c
2928 -@@ -443,6 +443,18 @@ ipt_do_table(struct sk_buff *skb,
2929 - #endif
2930 - }
2931 -
2932 -+static bool find_jump_target(const struct xt_table_info *t,
2933 -+ const struct ipt_entry *target)
2934 -+{
2935 -+ struct ipt_entry *iter;
2936 -+
2937 -+ xt_entry_foreach(iter, t->entries, t->size) {
2938 -+ if (iter == target)
2939 -+ return true;
2940 -+ }
2941 -+ return false;
2942 -+}
2943 -+
2944 - /* Figures out from what hook each rule can be called: returns 0 if
2945 - there are loops. Puts hook bitmask in comefrom. */
2946 - static int
2947 -@@ -520,6 +532,8 @@ mark_source_chains(const struct xt_table_info *newinfo,
2948 - size = e->next_offset;
2949 - e = (struct ipt_entry *)
2950 - (entry0 + pos + size);
2951 -+ if (pos + size >= newinfo->size)
2952 -+ return 0;
2953 - e->counters.pcnt = pos;
2954 - pos += size;
2955 - } else {
2956 -@@ -538,9 +552,15 @@ mark_source_chains(const struct xt_table_info *newinfo,
2957 - /* This a jump; chase it. */
2958 - duprintf("Jump rule %u -> %u\n",
2959 - pos, newpos);
2960 -+ e = (struct ipt_entry *)
2961 -+ (entry0 + newpos);
2962 -+ if (!find_jump_target(newinfo, e))
2963 -+ return 0;
2964 - } else {
2965 - /* ... this is a fallthru */
2966 - newpos = pos + e->next_offset;
2967 -+ if (newpos >= newinfo->size)
2968 -+ return 0;
2969 - }
2970 - e = (struct ipt_entry *)
2971 - (entry0 + newpos);
2972 -@@ -568,25 +588,6 @@ static void cleanup_match(struct xt_entry_match *m, struct net *net)
2973 - }
2974 -
2975 - static int
2976 --check_entry(const struct ipt_entry *e)
2977 --{
2978 -- const struct xt_entry_target *t;
2979 --
2980 -- if (!ip_checkentry(&e->ip))
2981 -- return -EINVAL;
2982 --
2983 -- if (e->target_offset + sizeof(struct xt_entry_target) >
2984 -- e->next_offset)
2985 -- return -EINVAL;
2986 --
2987 -- t = ipt_get_target_c(e);
2988 -- if (e->target_offset + t->u.target_size > e->next_offset)
2989 -- return -EINVAL;
2990 --
2991 -- return 0;
2992 --}
2993 --
2994 --static int
2995 - check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
2996 - {
2997 - const struct ipt_ip *ip = par->entryinfo;
2998 -@@ -750,7 +751,11 @@ check_entry_size_and_hooks(struct ipt_entry *e,
2999 - return -EINVAL;
3000 - }
3001 -
3002 -- err = check_entry(e);
3003 -+ if (!ip_checkentry(&e->ip))
3004 -+ return -EINVAL;
3005 -+
3006 -+ err = xt_check_entry_offsets(e, e->elems, e->target_offset,
3007 -+ e->next_offset);
3008 - if (err)
3009 - return err;
3010 -
3011 -@@ -1309,55 +1314,17 @@ do_add_counters(struct net *net, const void __user *user,
3012 - unsigned int i;
3013 - struct xt_counters_info tmp;
3014 - struct xt_counters *paddc;
3015 -- unsigned int num_counters;
3016 -- const char *name;
3017 -- int size;
3018 -- void *ptmp;
3019 - struct xt_table *t;
3020 - const struct xt_table_info *private;
3021 - int ret = 0;
3022 - struct ipt_entry *iter;
3023 - unsigned int addend;
3024 --#ifdef CONFIG_COMPAT
3025 -- struct compat_xt_counters_info compat_tmp;
3026 -
3027 -- if (compat) {
3028 -- ptmp = &compat_tmp;
3029 -- size = sizeof(struct compat_xt_counters_info);
3030 -- } else
3031 --#endif
3032 -- {
3033 -- ptmp = &tmp;
3034 -- size = sizeof(struct xt_counters_info);
3035 -- }
3036 --
3037 -- if (copy_from_user(ptmp, user, size) != 0)
3038 -- return -EFAULT;
3039 --
3040 --#ifdef CONFIG_COMPAT
3041 -- if (compat) {
3042 -- num_counters = compat_tmp.num_counters;
3043 -- name = compat_tmp.name;
3044 -- } else
3045 --#endif
3046 -- {
3047 -- num_counters = tmp.num_counters;
3048 -- name = tmp.name;
3049 -- }
3050 -+ paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
3051 -+ if (IS_ERR(paddc))
3052 -+ return PTR_ERR(paddc);
3053 -
3054 -- if (len != size + num_counters * sizeof(struct xt_counters))
3055 -- return -EINVAL;
3056 --
3057 -- paddc = vmalloc(len - size);
3058 -- if (!paddc)
3059 -- return -ENOMEM;
3060 --
3061 -- if (copy_from_user(paddc, user + size, len - size) != 0) {
3062 -- ret = -EFAULT;
3063 -- goto free;
3064 -- }
3065 --
3066 -- t = xt_find_table_lock(net, AF_INET, name);
3067 -+ t = xt_find_table_lock(net, AF_INET, tmp.name);
3068 - if (IS_ERR_OR_NULL(t)) {
3069 - ret = t ? PTR_ERR(t) : -ENOENT;
3070 - goto free;
3071 -@@ -1365,7 +1332,7 @@ do_add_counters(struct net *net, const void __user *user,
3072 -
3073 - local_bh_disable();
3074 - private = t->private;
3075 -- if (private->number != num_counters) {
3076 -+ if (private->number != tmp.num_counters) {
3077 - ret = -EINVAL;
3078 - goto unlock_up_free;
3079 - }
3080 -@@ -1444,7 +1411,6 @@ compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
3081 -
3082 - static int
3083 - compat_find_calc_match(struct xt_entry_match *m,
3084 -- const char *name,
3085 - const struct ipt_ip *ip,
3086 - int *size)
3087 - {
3088 -@@ -1479,17 +1445,14 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
3089 - struct xt_table_info *newinfo,
3090 - unsigned int *size,
3091 - const unsigned char *base,
3092 -- const unsigned char *limit,
3093 -- const unsigned int *hook_entries,
3094 -- const unsigned int *underflows,
3095 -- const char *name)
3096 -+ const unsigned char *limit)
3097 - {
3098 - struct xt_entry_match *ematch;
3099 - struct xt_entry_target *t;
3100 - struct xt_target *target;
3101 - unsigned int entry_offset;
3102 - unsigned int j;
3103 -- int ret, off, h;
3104 -+ int ret, off;
3105 -
3106 - duprintf("check_compat_entry_size_and_hooks %p\n", e);
3107 - if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 ||
3108 -@@ -1506,8 +1469,11 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
3109 - return -EINVAL;
3110 - }
3111 -
3112 -- /* For purposes of check_entry casting the compat entry is fine */
3113 -- ret = check_entry((struct ipt_entry *)e);
3114 -+ if (!ip_checkentry(&e->ip))
3115 -+ return -EINVAL;
3116 -+
3117 -+ ret = xt_compat_check_entry_offsets(e, e->elems,
3118 -+ e->target_offset, e->next_offset);
3119 - if (ret)
3120 - return ret;
3121 -
3122 -@@ -1515,7 +1481,7 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
3123 - entry_offset = (void *)e - (void *)base;
3124 - j = 0;
3125 - xt_ematch_foreach(ematch, e) {
3126 -- ret = compat_find_calc_match(ematch, name, &e->ip, &off);
3127 -+ ret = compat_find_calc_match(ematch, &e->ip, &off);
3128 - if (ret != 0)
3129 - goto release_matches;
3130 - ++j;
3131 -@@ -1538,17 +1504,6 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
3132 - if (ret)
3133 - goto out;
3134 -
3135 -- /* Check hooks & underflows */
3136 -- for (h = 0; h < NF_INET_NUMHOOKS; h++) {
3137 -- if ((unsigned char *)e - base == hook_entries[h])
3138 -- newinfo->hook_entry[h] = hook_entries[h];
3139 -- if ((unsigned char *)e - base == underflows[h])
3140 -- newinfo->underflow[h] = underflows[h];
3141 -- }
3142 --
3143 -- /* Clear counters and comefrom */
3144 -- memset(&e->counters, 0, sizeof(e->counters));
3145 -- e->comefrom = 0;
3146 - return 0;
3147 -
3148 - out:
3149 -@@ -1562,19 +1517,18 @@ release_matches:
3150 - return ret;
3151 - }
3152 -
3153 --static int
3154 -+static void
3155 - compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
3156 -- unsigned int *size, const char *name,
3157 -+ unsigned int *size,
3158 - struct xt_table_info *newinfo, unsigned char *base)
3159 - {
3160 - struct xt_entry_target *t;
3161 - struct xt_target *target;
3162 - struct ipt_entry *de;
3163 - unsigned int origsize;
3164 -- int ret, h;
3165 -+ int h;
3166 - struct xt_entry_match *ematch;
3167 -
3168 -- ret = 0;
3169 - origsize = *size;
3170 - de = (struct ipt_entry *)*dstptr;
3171 - memcpy(de, e, sizeof(struct ipt_entry));
3172 -@@ -1583,201 +1537,105 @@ compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
3173 - *dstptr += sizeof(struct ipt_entry);
3174 - *size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
3175 -
3176 -- xt_ematch_foreach(ematch, e) {
3177 -- ret = xt_compat_match_from_user(ematch, dstptr, size);
3178 -- if (ret != 0)
3179 -- return ret;
3180 -- }
3181 -+ xt_ematch_foreach(ematch, e)
3182 -+ xt_compat_match_from_user(ematch, dstptr, size);
3183 -+
3184 - de->target_offset = e->target_offset - (origsize - *size);
3185 - t = compat_ipt_get_target(e);
3186 - target = t->u.kernel.target;
3187 - xt_compat_target_from_user(t, dstptr, size);
3188 -
3189 - de->next_offset = e->next_offset - (origsize - *size);
3190 -+
3191 - for (h = 0; h < NF_INET_NUMHOOKS; h++) {
3192 - if ((unsigned char *)de - base < newinfo->hook_entry[h])
3193 - newinfo->hook_entry[h] -= origsize - *size;
3194 - if ((unsigned char *)de - base < newinfo->underflow[h])
3195 - newinfo->underflow[h] -= origsize - *size;
3196 - }
3197 -- return ret;
3198 --}
3199 --
3200 --static int
3201 --compat_check_entry(struct ipt_entry *e, struct net *net, const char *name)
3202 --{
3203 -- struct xt_entry_match *ematch;
3204 -- struct xt_mtchk_param mtpar;
3205 -- unsigned int j;
3206 -- int ret = 0;
3207 --
3208 -- e->counters.pcnt = xt_percpu_counter_alloc();
3209 -- if (IS_ERR_VALUE(e->counters.pcnt))
3210 -- return -ENOMEM;
3211 --
3212 -- j = 0;
3213 -- mtpar.net = net;
3214 -- mtpar.table = name;
3215 -- mtpar.entryinfo = &e->ip;
3216 -- mtpar.hook_mask = e->comefrom;
3217 -- mtpar.family = NFPROTO_IPV4;
3218 -- xt_ematch_foreach(ematch, e) {
3219 -- ret = check_match(ematch, &mtpar);
3220 -- if (ret != 0)
3221 -- goto cleanup_matches;
3222 -- ++j;
3223 -- }
3224 --
3225 -- ret = check_target(e, net, name);
3226 -- if (ret)
3227 -- goto cleanup_matches;
3228 -- return 0;
3229 --
3230 -- cleanup_matches:
3231 -- xt_ematch_foreach(ematch, e) {
3232 -- if (j-- == 0)
3233 -- break;
3234 -- cleanup_match(ematch, net);
3235 -- }
3236 --
3237 -- xt_percpu_counter_free(e->counters.pcnt);
3238 --
3239 -- return ret;
3240 - }
3241 -
3242 - static int
3243 - translate_compat_table(struct net *net,
3244 -- const char *name,
3245 -- unsigned int valid_hooks,
3246 - struct xt_table_info **pinfo,
3247 - void **pentry0,
3248 -- unsigned int total_size,
3249 -- unsigned int number,
3250 -- unsigned int *hook_entries,
3251 -- unsigned int *underflows)
3252 -+ const struct compat_ipt_replace *compatr)
3253 - {
3254 - unsigned int i, j;
3255 - struct xt_table_info *newinfo, *info;
3256 - void *pos, *entry0, *entry1;
3257 - struct compat_ipt_entry *iter0;
3258 -- struct ipt_entry *iter1;
3259 -+ struct ipt_replace repl;
3260 - unsigned int size;
3261 - int ret;
3262 -
3263 - info = *pinfo;
3264 - entry0 = *pentry0;
3265 -- size = total_size;
3266 -- info->number = number;
3267 --
3268 -- /* Init all hooks to impossible value. */
3269 -- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
3270 -- info->hook_entry[i] = 0xFFFFFFFF;
3271 -- info->underflow[i] = 0xFFFFFFFF;
3272 -- }
3273 -+ size = compatr->size;
3274 -+ info->number = compatr->num_entries;
3275 -
3276 - duprintf("translate_compat_table: size %u\n", info->size);
3277 - j = 0;
3278 - xt_compat_lock(AF_INET);
3279 -- xt_compat_init_offsets(AF_INET, number);
3280 -+ xt_compat_init_offsets(AF_INET, compatr->num_entries);
3281 - /* Walk through entries, checking offsets. */
3282 -- xt_entry_foreach(iter0, entry0, total_size) {
3283 -+ xt_entry_foreach(iter0, entry0, compatr->size) {
3284 - ret = check_compat_entry_size_and_hooks(iter0, info, &size,
3285 - entry0,
3286 -- entry0 + total_size,
3287 -- hook_entries,
3288 -- underflows,
3289 -- name);
3290 -+ entry0 + compatr->size);
3291 - if (ret != 0)
3292 - goto out_unlock;
3293 - ++j;
3294 - }
3295 -
3296 - ret = -EINVAL;
3297 -- if (j != number) {
3298 -+ if (j != compatr->num_entries) {
3299 - duprintf("translate_compat_table: %u not %u entries\n",
3300 -- j, number);
3301 -+ j, compatr->num_entries);
3302 - goto out_unlock;
3303 - }
3304 -
3305 -- /* Check hooks all assigned */
3306 -- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
3307 -- /* Only hooks which are valid */
3308 -- if (!(valid_hooks & (1 << i)))
3309 -- continue;
3310 -- if (info->hook_entry[i] == 0xFFFFFFFF) {
3311 -- duprintf("Invalid hook entry %u %u\n",
3312 -- i, hook_entries[i]);
3313 -- goto out_unlock;
3314 -- }
3315 -- if (info->underflow[i] == 0xFFFFFFFF) {
3316 -- duprintf("Invalid underflow %u %u\n",
3317 -- i, underflows[i]);
3318 -- goto out_unlock;
3319 -- }
3320 -- }
3321 --
3322 - ret = -ENOMEM;
3323 - newinfo = xt_alloc_table_info(size);
3324 - if (!newinfo)
3325 - goto out_unlock;
3326 -
3327 -- newinfo->number = number;
3328 -+ newinfo->number = compatr->num_entries;
3329 - for (i = 0; i < NF_INET_NUMHOOKS; i++) {
3330 -- newinfo->hook_entry[i] = info->hook_entry[i];
3331 -- newinfo->underflow[i] = info->underflow[i];
3332 -+ newinfo->hook_entry[i] = compatr->hook_entry[i];
3333 -+ newinfo->underflow[i] = compatr->underflow[i];
3334 - }
3335 - entry1 = newinfo->entries;
3336 - pos = entry1;
3337 -- size = total_size;
3338 -- xt_entry_foreach(iter0, entry0, total_size) {
3339 -- ret = compat_copy_entry_from_user(iter0, &pos, &size,
3340 -- name, newinfo, entry1);
3341 -- if (ret != 0)
3342 -- break;
3343 -- }
3344 -+ size = compatr->size;
3345 -+ xt_entry_foreach(iter0, entry0, compatr->size)
3346 -+ compat_copy_entry_from_user(iter0, &pos, &size,
3347 -+ newinfo, entry1);
3348 -+
3349 -+ /* all module references in entry0 are now gone.
3350 -+ * entry1/newinfo contains a 64bit ruleset that looks exactly as
3351 -+ * generated by 64bit userspace.
3352 -+ *
3353 -+ * Call standard translate_table() to validate all hook_entrys,
3354 -+ * underflows, check for loops, etc.
3355 -+ */
3356 - xt_compat_flush_offsets(AF_INET);
3357 - xt_compat_unlock(AF_INET);
3358 -- if (ret)
3359 -- goto free_newinfo;
3360 -
3361 -- ret = -ELOOP;
3362 -- if (!mark_source_chains(newinfo, valid_hooks, entry1))
3363 -- goto free_newinfo;
3364 -+ memcpy(&repl, compatr, sizeof(*compatr));
3365 -
3366 -- i = 0;
3367 -- xt_entry_foreach(iter1, entry1, newinfo->size) {
3368 -- ret = compat_check_entry(iter1, net, name);
3369 -- if (ret != 0)
3370 -- break;
3371 -- ++i;
3372 -- if (strcmp(ipt_get_target(iter1)->u.user.name,
3373 -- XT_ERROR_TARGET) == 0)
3374 -- ++newinfo->stacksize;
3375 -- }
3376 -- if (ret) {
3377 -- /*
3378 -- * The first i matches need cleanup_entry (calls ->destroy)
3379 -- * because they had called ->check already. The other j-i
3380 -- * entries need only release.
3381 -- */
3382 -- int skip = i;
3383 -- j -= i;
3384 -- xt_entry_foreach(iter0, entry0, newinfo->size) {
3385 -- if (skip-- > 0)
3386 -- continue;
3387 -- if (j-- == 0)
3388 -- break;
3389 -- compat_release_entry(iter0);
3390 -- }
3391 -- xt_entry_foreach(iter1, entry1, newinfo->size) {
3392 -- if (i-- == 0)
3393 -- break;
3394 -- cleanup_entry(iter1, net);
3395 -- }
3396 -- xt_free_table_info(newinfo);
3397 -- return ret;
3398 -+ for (i = 0; i < NF_INET_NUMHOOKS; i++) {
3399 -+ repl.hook_entry[i] = newinfo->hook_entry[i];
3400 -+ repl.underflow[i] = newinfo->underflow[i];
3401 - }
3402 -
3403 -+ repl.num_counters = 0;
3404 -+ repl.counters = NULL;
3405 -+ repl.size = newinfo->size;
3406 -+ ret = translate_table(net, newinfo, entry1, &repl);
3407 -+ if (ret)
3408 -+ goto free_newinfo;
3409 -+
3410 - *pinfo = newinfo;
3411 - *pentry0 = entry1;
3412 - xt_free_table_info(info);
3413 -@@ -1785,17 +1643,16 @@ translate_compat_table(struct net *net,
3414 -
3415 - free_newinfo:
3416 - xt_free_table_info(newinfo);
3417 --out:
3418 -- xt_entry_foreach(iter0, entry0, total_size) {
3419 -+ return ret;
3420 -+out_unlock:
3421 -+ xt_compat_flush_offsets(AF_INET);
3422 -+ xt_compat_unlock(AF_INET);
3423 -+ xt_entry_foreach(iter0, entry0, compatr->size) {
3424 - if (j-- == 0)
3425 - break;
3426 - compat_release_entry(iter0);
3427 - }
3428 - return ret;
3429 --out_unlock:
3430 -- xt_compat_flush_offsets(AF_INET);
3431 -- xt_compat_unlock(AF_INET);
3432 -- goto out;
3433 - }
3434 -
3435 - static int
3436 -@@ -1831,10 +1688,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
3437 - goto free_newinfo;
3438 - }
3439 -
3440 -- ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
3441 -- &newinfo, &loc_cpu_entry, tmp.size,
3442 -- tmp.num_entries, tmp.hook_entry,
3443 -- tmp.underflow);
3444 -+ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp);
3445 - if (ret != 0)
3446 - goto free_newinfo;
3447 -
3448 -diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
3449 -index 1e1fe60..03112a3 100644
3450 ---- a/net/ipv4/sysctl_net_ipv4.c
3451 -+++ b/net/ipv4/sysctl_net_ipv4.c
3452 -@@ -988,10 +988,6 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
3453 - if (!net->ipv4.sysctl_local_reserved_ports)
3454 - goto err_ports;
3455 -
3456 -- net->ipv4.sysctl_ip_default_ttl = IPDEFTTL;
3457 -- net->ipv4.sysctl_ip_dynaddr = 0;
3458 -- net->ipv4.sysctl_ip_early_demux = 1;
3459 --
3460 - return 0;
3461 -
3462 - err_ports:
3463 -diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
3464 -index a2e7f55..e9853df 100644
3465 ---- a/net/ipv4/udp.c
3466 -+++ b/net/ipv4/udp.c
3467 -@@ -1616,7 +1616,7 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
3468 -
3469 - /* if we're overly short, let UDP handle it */
3470 - encap_rcv = ACCESS_ONCE(up->encap_rcv);
3471 -- if (skb->len > sizeof(struct udphdr) && encap_rcv) {
3472 -+ if (encap_rcv) {
3473 - int ret;
3474 -
3475 - /* Verify checksum before giving to encap */
3476 -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
3477 -index bc972e7..da88de8 100644
3478 ---- a/net/ipv6/ip6_output.c
3479 -+++ b/net/ipv6/ip6_output.c
3480 -@@ -1071,17 +1071,12 @@ struct dst_entry *ip6_sk_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
3481 - const struct in6_addr *final_dst)
3482 - {
3483 - struct dst_entry *dst = sk_dst_check(sk, inet6_sk(sk)->dst_cookie);
3484 -- int err;
3485 -
3486 - dst = ip6_sk_dst_check(sk, dst, fl6);
3487 -+ if (!dst)
3488 -+ dst = ip6_dst_lookup_flow(sk, fl6, final_dst);
3489 -
3490 -- err = ip6_dst_lookup_tail(sock_net(sk), sk, &dst, fl6);
3491 -- if (err)
3492 -- return ERR_PTR(err);
3493 -- if (final_dst)
3494 -- fl6->daddr = *final_dst;
3495 --
3496 -- return xfrm_lookup_route(sock_net(sk), dst, flowi6_to_flowi(fl6), sk, 0);
3497 -+ return dst;
3498 - }
3499 - EXPORT_SYMBOL_GPL(ip6_sk_dst_lookup_flow);
3500 -
3501 -diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
3502 -index 86b67b7..9021b43 100644
3503 ---- a/net/ipv6/netfilter/ip6_tables.c
3504 -+++ b/net/ipv6/netfilter/ip6_tables.c
3505 -@@ -455,6 +455,18 @@ ip6t_do_table(struct sk_buff *skb,
3506 - #endif
3507 - }
3508 -
3509 -+static bool find_jump_target(const struct xt_table_info *t,
3510 -+ const struct ip6t_entry *target)
3511 -+{
3512 -+ struct ip6t_entry *iter;
3513 -+
3514 -+ xt_entry_foreach(iter, t->entries, t->size) {
3515 -+ if (iter == target)
3516 -+ return true;
3517 -+ }
3518 -+ return false;
3519 -+}
3520 -+
3521 - /* Figures out from what hook each rule can be called: returns 0 if
3522 - there are loops. Puts hook bitmask in comefrom. */
3523 - static int
3524 -@@ -532,6 +544,8 @@ mark_source_chains(const struct xt_table_info *newinfo,
3525 - size = e->next_offset;
3526 - e = (struct ip6t_entry *)
3527 - (entry0 + pos + size);
3528 -+ if (pos + size >= newinfo->size)
3529 -+ return 0;
3530 - e->counters.pcnt = pos;
3531 - pos += size;
3532 - } else {
3533 -@@ -550,9 +564,15 @@ mark_source_chains(const struct xt_table_info *newinfo,
3534 - /* This a jump; chase it. */
3535 - duprintf("Jump rule %u -> %u\n",
3536 - pos, newpos);
3537 -+ e = (struct ip6t_entry *)
3538 -+ (entry0 + newpos);
3539 -+ if (!find_jump_target(newinfo, e))
3540 -+ return 0;
3541 - } else {
3542 - /* ... this is a fallthru */
3543 - newpos = pos + e->next_offset;
3544 -+ if (newpos >= newinfo->size)
3545 -+ return 0;
3546 - }
3547 - e = (struct ip6t_entry *)
3548 - (entry0 + newpos);
3549 -@@ -579,25 +599,6 @@ static void cleanup_match(struct xt_entry_match *m, struct net *net)
3550 - module_put(par.match->me);
3551 - }
3552 -
3553 --static int
3554 --check_entry(const struct ip6t_entry *e)
3555 --{
3556 -- const struct xt_entry_target *t;
3557 --
3558 -- if (!ip6_checkentry(&e->ipv6))
3559 -- return -EINVAL;
3560 --
3561 -- if (e->target_offset + sizeof(struct xt_entry_target) >
3562 -- e->next_offset)
3563 -- return -EINVAL;
3564 --
3565 -- t = ip6t_get_target_c(e);
3566 -- if (e->target_offset + t->u.target_size > e->next_offset)
3567 -- return -EINVAL;
3568 --
3569 -- return 0;
3570 --}
3571 --
3572 - static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
3573 - {
3574 - const struct ip6t_ip6 *ipv6 = par->entryinfo;
3575 -@@ -762,7 +763,11 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
3576 - return -EINVAL;
3577 - }
3578 -
3579 -- err = check_entry(e);
3580 -+ if (!ip6_checkentry(&e->ipv6))
3581 -+ return -EINVAL;
3582 -+
3583 -+ err = xt_check_entry_offsets(e, e->elems, e->target_offset,
3584 -+ e->next_offset);
3585 - if (err)
3586 - return err;
3587 -
3588 -@@ -1321,55 +1326,16 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len,
3589 - unsigned int i;
3590 - struct xt_counters_info tmp;
3591 - struct xt_counters *paddc;
3592 -- unsigned int num_counters;
3593 -- char *name;
3594 -- int size;
3595 -- void *ptmp;
3596 - struct xt_table *t;
3597 - const struct xt_table_info *private;
3598 - int ret = 0;
3599 - struct ip6t_entry *iter;
3600 - unsigned int addend;
3601 --#ifdef CONFIG_COMPAT
3602 -- struct compat_xt_counters_info compat_tmp;
3603 --
3604 -- if (compat) {
3605 -- ptmp = &compat_tmp;
3606 -- size = sizeof(struct compat_xt_counters_info);
3607 -- } else
3608 --#endif
3609 -- {
3610 -- ptmp = &tmp;
3611 -- size = sizeof(struct xt_counters_info);
3612 -- }
3613 --
3614 -- if (copy_from_user(ptmp, user, size) != 0)
3615 -- return -EFAULT;
3616 --
3617 --#ifdef CONFIG_COMPAT
3618 -- if (compat) {
3619 -- num_counters = compat_tmp.num_counters;
3620 -- name = compat_tmp.name;
3621 -- } else
3622 --#endif
3623 -- {
3624 -- num_counters = tmp.num_counters;
3625 -- name = tmp.name;
3626 -- }
3627 --
3628 -- if (len != size + num_counters * sizeof(struct xt_counters))
3629 -- return -EINVAL;
3630 --
3631 -- paddc = vmalloc(len - size);
3632 -- if (!paddc)
3633 -- return -ENOMEM;
3634 -
3635 -- if (copy_from_user(paddc, user + size, len - size) != 0) {
3636 -- ret = -EFAULT;
3637 -- goto free;
3638 -- }
3639 --
3640 -- t = xt_find_table_lock(net, AF_INET6, name);
3641 -+ paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
3642 -+ if (IS_ERR(paddc))
3643 -+ return PTR_ERR(paddc);
3644 -+ t = xt_find_table_lock(net, AF_INET6, tmp.name);
3645 - if (IS_ERR_OR_NULL(t)) {
3646 - ret = t ? PTR_ERR(t) : -ENOENT;
3647 - goto free;
3648 -@@ -1377,7 +1343,7 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len,
3649 -
3650 - local_bh_disable();
3651 - private = t->private;
3652 -- if (private->number != num_counters) {
3653 -+ if (private->number != tmp.num_counters) {
3654 - ret = -EINVAL;
3655 - goto unlock_up_free;
3656 - }
3657 -@@ -1456,7 +1422,6 @@ compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
3658 -
3659 - static int
3660 - compat_find_calc_match(struct xt_entry_match *m,
3661 -- const char *name,
3662 - const struct ip6t_ip6 *ipv6,
3663 - int *size)
3664 - {
3665 -@@ -1491,17 +1456,14 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
3666 - struct xt_table_info *newinfo,
3667 - unsigned int *size,
3668 - const unsigned char *base,
3669 -- const unsigned char *limit,
3670 -- const unsigned int *hook_entries,
3671 -- const unsigned int *underflows,
3672 -- const char *name)
3673 -+ const unsigned char *limit)
3674 - {
3675 - struct xt_entry_match *ematch;
3676 - struct xt_entry_target *t;
3677 - struct xt_target *target;
3678 - unsigned int entry_offset;
3679 - unsigned int j;
3680 -- int ret, off, h;
3681 -+ int ret, off;
3682 -
3683 - duprintf("check_compat_entry_size_and_hooks %p\n", e);
3684 - if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
3685 -@@ -1518,8 +1480,11 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
3686 - return -EINVAL;
3687 - }
3688 -
3689 -- /* For purposes of check_entry casting the compat entry is fine */
3690 -- ret = check_entry((struct ip6t_entry *)e);
3691 -+ if (!ip6_checkentry(&e->ipv6))
3692 -+ return -EINVAL;
3693 -+
3694 -+ ret = xt_compat_check_entry_offsets(e, e->elems,
3695 -+ e->target_offset, e->next_offset);
3696 - if (ret)
3697 - return ret;
3698 -
3699 -@@ -1527,7 +1492,7 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
3700 - entry_offset = (void *)e - (void *)base;
3701 - j = 0;
3702 - xt_ematch_foreach(ematch, e) {
3703 -- ret = compat_find_calc_match(ematch, name, &e->ipv6, &off);
3704 -+ ret = compat_find_calc_match(ematch, &e->ipv6, &off);
3705 - if (ret != 0)
3706 - goto release_matches;
3707 - ++j;
3708 -@@ -1550,17 +1515,6 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
3709 - if (ret)
3710 - goto out;
3711 -
3712 -- /* Check hooks & underflows */
3713 -- for (h = 0; h < NF_INET_NUMHOOKS; h++) {
3714 -- if ((unsigned char *)e - base == hook_entries[h])
3715 -- newinfo->hook_entry[h] = hook_entries[h];
3716 -- if ((unsigned char *)e - base == underflows[h])
3717 -- newinfo->underflow[h] = underflows[h];
3718 -- }
3719 --
3720 -- /* Clear counters and comefrom */
3721 -- memset(&e->counters, 0, sizeof(e->counters));
3722 -- e->comefrom = 0;
3723 - return 0;
3724 -
3725 - out:
3726 -@@ -1574,18 +1528,17 @@ release_matches:
3727 - return ret;
3728 - }
3729 -
3730 --static int
3731 -+static void
3732 - compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
3733 -- unsigned int *size, const char *name,
3734 -+ unsigned int *size,
3735 - struct xt_table_info *newinfo, unsigned char *base)
3736 - {
3737 - struct xt_entry_target *t;
3738 - struct ip6t_entry *de;
3739 - unsigned int origsize;
3740 -- int ret, h;
3741 -+ int h;
3742 - struct xt_entry_match *ematch;
3743 -
3744 -- ret = 0;
3745 - origsize = *size;
3746 - de = (struct ip6t_entry *)*dstptr;
3747 - memcpy(de, e, sizeof(struct ip6t_entry));
3748 -@@ -1594,11 +1547,9 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
3749 - *dstptr += sizeof(struct ip6t_entry);
3750 - *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
3751 -
3752 -- xt_ematch_foreach(ematch, e) {
3753 -- ret = xt_compat_match_from_user(ematch, dstptr, size);
3754 -- if (ret != 0)
3755 -- return ret;
3756 -- }
3757 -+ xt_ematch_foreach(ematch, e)
3758 -+ xt_compat_match_from_user(ematch, dstptr, size);
3759 -+
3760 - de->target_offset = e->target_offset - (origsize - *size);
3761 - t = compat_ip6t_get_target(e);
3762 - xt_compat_target_from_user(t, dstptr, size);
3763 -@@ -1610,183 +1561,83 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
3764 - if ((unsigned char *)de - base < newinfo->underflow[h])
3765 - newinfo->underflow[h] -= origsize - *size;
3766 - }
3767 -- return ret;
3768 --}
3769 --
3770 --static int compat_check_entry(struct ip6t_entry *e, struct net *net,
3771 -- const char *name)
3772 --{
3773 -- unsigned int j;
3774 -- int ret = 0;
3775 -- struct xt_mtchk_param mtpar;
3776 -- struct xt_entry_match *ematch;
3777 --
3778 -- e->counters.pcnt = xt_percpu_counter_alloc();
3779 -- if (IS_ERR_VALUE(e->counters.pcnt))
3780 -- return -ENOMEM;
3781 -- j = 0;
3782 -- mtpar.net = net;
3783 -- mtpar.table = name;
3784 -- mtpar.entryinfo = &e->ipv6;
3785 -- mtpar.hook_mask = e->comefrom;
3786 -- mtpar.family = NFPROTO_IPV6;
3787 -- xt_ematch_foreach(ematch, e) {
3788 -- ret = check_match(ematch, &mtpar);
3789 -- if (ret != 0)
3790 -- goto cleanup_matches;
3791 -- ++j;
3792 -- }
3793 --
3794 -- ret = check_target(e, net, name);
3795 -- if (ret)
3796 -- goto cleanup_matches;
3797 -- return 0;
3798 --
3799 -- cleanup_matches:
3800 -- xt_ematch_foreach(ematch, e) {
3801 -- if (j-- == 0)
3802 -- break;
3803 -- cleanup_match(ematch, net);
3804 -- }
3805 --
3806 -- xt_percpu_counter_free(e->counters.pcnt);
3807 --
3808 -- return ret;
3809 - }
3810 -
3811 - static int
3812 - translate_compat_table(struct net *net,
3813 -- const char *name,
3814 -- unsigned int valid_hooks,
3815 - struct xt_table_info **pinfo,
3816 - void **pentry0,
3817 -- unsigned int total_size,
3818 -- unsigned int number,
3819 -- unsigned int *hook_entries,
3820 -- unsigned int *underflows)
3821 -+ const struct compat_ip6t_replace *compatr)
3822 - {
3823 - unsigned int i, j;
3824 - struct xt_table_info *newinfo, *info;
3825 - void *pos, *entry0, *entry1;
3826 - struct compat_ip6t_entry *iter0;
3827 -- struct ip6t_entry *iter1;
3828 -+ struct ip6t_replace repl;
3829 - unsigned int size;
3830 - int ret = 0;
3831 -
3832 - info = *pinfo;
3833 - entry0 = *pentry0;
3834 -- size = total_size;
3835 -- info->number = number;
3836 --
3837 -- /* Init all hooks to impossible value. */
3838 -- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
3839 -- info->hook_entry[i] = 0xFFFFFFFF;
3840 -- info->underflow[i] = 0xFFFFFFFF;
3841 -- }
3842 -+ size = compatr->size;
3843 -+ info->number = compatr->num_entries;
3844 -
3845 - duprintf("translate_compat_table: size %u\n", info->size);
3846 - j = 0;
3847 - xt_compat_lock(AF_INET6);
3848 -- xt_compat_init_offsets(AF_INET6, number);
3849 -+ xt_compat_init_offsets(AF_INET6, compatr->num_entries);
3850 - /* Walk through entries, checking offsets. */
3851 -- xt_entry_foreach(iter0, entry0, total_size) {
3852 -+ xt_entry_foreach(iter0, entry0, compatr->size) {
3853 - ret = check_compat_entry_size_and_hooks(iter0, info, &size,
3854 - entry0,
3855 -- entry0 + total_size,
3856 -- hook_entries,
3857 -- underflows,
3858 -- name);
3859 -+ entry0 + compatr->size);
3860 - if (ret != 0)
3861 - goto out_unlock;
3862 - ++j;
3863 - }
3864 -
3865 - ret = -EINVAL;
3866 -- if (j != number) {
3867 -+ if (j != compatr->num_entries) {
3868 - duprintf("translate_compat_table: %u not %u entries\n",
3869 -- j, number);
3870 -+ j, compatr->num_entries);
3871 - goto out_unlock;
3872 - }
3873 -
3874 -- /* Check hooks all assigned */
3875 -- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
3876 -- /* Only hooks which are valid */
3877 -- if (!(valid_hooks & (1 << i)))
3878 -- continue;
3879 -- if (info->hook_entry[i] == 0xFFFFFFFF) {
3880 -- duprintf("Invalid hook entry %u %u\n",
3881 -- i, hook_entries[i]);
3882 -- goto out_unlock;
3883 -- }
3884 -- if (info->underflow[i] == 0xFFFFFFFF) {
3885 -- duprintf("Invalid underflow %u %u\n",
3886 -- i, underflows[i]);
3887 -- goto out_unlock;
3888 -- }
3889 -- }
3890 --
3891 - ret = -ENOMEM;
3892 - newinfo = xt_alloc_table_info(size);
3893 - if (!newinfo)
3894 - goto out_unlock;
3895 -
3896 -- newinfo->number = number;
3897 -+ newinfo->number = compatr->num_entries;
3898 - for (i = 0; i < NF_INET_NUMHOOKS; i++) {
3899 -- newinfo->hook_entry[i] = info->hook_entry[i];
3900 -- newinfo->underflow[i] = info->underflow[i];
3901 -+ newinfo->hook_entry[i] = compatr->hook_entry[i];
3902 -+ newinfo->underflow[i] = compatr->underflow[i];
3903 - }
3904 - entry1 = newinfo->entries;
3905 - pos = entry1;
3906 -- size = total_size;
3907 -- xt_entry_foreach(iter0, entry0, total_size) {
3908 -- ret = compat_copy_entry_from_user(iter0, &pos, &size,
3909 -- name, newinfo, entry1);
3910 -- if (ret != 0)
3911 -- break;
3912 -- }
3913 -+ size = compatr->size;
3914 -+ xt_entry_foreach(iter0, entry0, compatr->size)
3915 -+ compat_copy_entry_from_user(iter0, &pos, &size,
3916 -+ newinfo, entry1);
3917 -+
3918 -+ /* all module references in entry0 are now gone. */
3919 - xt_compat_flush_offsets(AF_INET6);
3920 - xt_compat_unlock(AF_INET6);
3921 -- if (ret)
3922 -- goto free_newinfo;
3923 -
3924 -- ret = -ELOOP;
3925 -- if (!mark_source_chains(newinfo, valid_hooks, entry1))
3926 -- goto free_newinfo;
3927 -+ memcpy(&repl, compatr, sizeof(*compatr));
3928 -
3929 -- i = 0;
3930 -- xt_entry_foreach(iter1, entry1, newinfo->size) {
3931 -- ret = compat_check_entry(iter1, net, name);
3932 -- if (ret != 0)
3933 -- break;
3934 -- ++i;
3935 -- if (strcmp(ip6t_get_target(iter1)->u.user.name,
3936 -- XT_ERROR_TARGET) == 0)
3937 -- ++newinfo->stacksize;
3938 -- }
3939 -- if (ret) {
3940 -- /*
3941 -- * The first i matches need cleanup_entry (calls ->destroy)
3942 -- * because they had called ->check already. The other j-i
3943 -- * entries need only release.
3944 -- */
3945 -- int skip = i;
3946 -- j -= i;
3947 -- xt_entry_foreach(iter0, entry0, newinfo->size) {
3948 -- if (skip-- > 0)
3949 -- continue;
3950 -- if (j-- == 0)
3951 -- break;
3952 -- compat_release_entry(iter0);
3953 -- }
3954 -- xt_entry_foreach(iter1, entry1, newinfo->size) {
3955 -- if (i-- == 0)
3956 -- break;
3957 -- cleanup_entry(iter1, net);
3958 -- }
3959 -- xt_free_table_info(newinfo);
3960 -- return ret;
3961 -+ for (i = 0; i < NF_INET_NUMHOOKS; i++) {
3962 -+ repl.hook_entry[i] = newinfo->hook_entry[i];
3963 -+ repl.underflow[i] = newinfo->underflow[i];
3964 - }
3965 -
3966 -+ repl.num_counters = 0;
3967 -+ repl.counters = NULL;
3968 -+ repl.size = newinfo->size;
3969 -+ ret = translate_table(net, newinfo, entry1, &repl);
3970 -+ if (ret)
3971 -+ goto free_newinfo;
3972 -+
3973 - *pinfo = newinfo;
3974 - *pentry0 = entry1;
3975 - xt_free_table_info(info);
3976 -@@ -1794,17 +1645,16 @@ translate_compat_table(struct net *net,
3977 -
3978 - free_newinfo:
3979 - xt_free_table_info(newinfo);
3980 --out:
3981 -- xt_entry_foreach(iter0, entry0, total_size) {
3982 -+ return ret;
3983 -+out_unlock:
3984 -+ xt_compat_flush_offsets(AF_INET6);
3985 -+ xt_compat_unlock(AF_INET6);
3986 -+ xt_entry_foreach(iter0, entry0, compatr->size) {
3987 - if (j-- == 0)
3988 - break;
3989 - compat_release_entry(iter0);
3990 - }
3991 - return ret;
3992 --out_unlock:
3993 -- xt_compat_flush_offsets(AF_INET6);
3994 -- xt_compat_unlock(AF_INET6);
3995 -- goto out;
3996 - }
3997 -
3998 - static int
3999 -@@ -1840,10 +1690,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
4000 - goto free_newinfo;
4001 - }
4002 -
4003 -- ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
4004 -- &newinfo, &loc_cpu_entry, tmp.size,
4005 -- tmp.num_entries, tmp.hook_entry,
4006 -- tmp.underflow);
4007 -+ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp);
4008 - if (ret != 0)
4009 - goto free_newinfo;
4010 -
4011 -diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
4012 -index f443c6b..f6d7516 100644
4013 ---- a/net/ipv6/tcp_ipv6.c
4014 -+++ b/net/ipv6/tcp_ipv6.c
4015 -@@ -1717,7 +1717,9 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
4016 - destp = ntohs(inet->inet_dport);
4017 - srcp = ntohs(inet->inet_sport);
4018 -
4019 -- if (icsk->icsk_pending == ICSK_TIME_RETRANS) {
4020 -+ if (icsk->icsk_pending == ICSK_TIME_RETRANS ||
4021 -+ icsk->icsk_pending == ICSK_TIME_EARLY_RETRANS ||
4022 -+ icsk->icsk_pending == ICSK_TIME_LOSS_PROBE) {
4023 - timer_active = 1;
4024 - timer_expires = icsk->icsk_timeout;
4025 - } else if (icsk->icsk_pending == ICSK_TIME_PROBE0) {
4026 -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
4027 -index 6bc5c66..f96831d9 100644
4028 ---- a/net/ipv6/udp.c
4029 -+++ b/net/ipv6/udp.c
4030 -@@ -653,7 +653,7 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
4031 -
4032 - /* if we're overly short, let UDP handle it */
4033 - encap_rcv = ACCESS_ONCE(up->encap_rcv);
4034 -- if (skb->len > sizeof(struct udphdr) && encap_rcv) {
4035 -+ if (encap_rcv) {
4036 - int ret;
4037 -
4038 - /* Verify checksum before giving to encap */
4039 -diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
4040 -index 6edfa99..1e40dac 100644
4041 ---- a/net/l2tp/l2tp_core.c
4042 -+++ b/net/l2tp/l2tp_core.c
4043 -@@ -1581,7 +1581,7 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
4044 - /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
4045 - tunnel->encap = encap;
4046 - if (encap == L2TP_ENCAPTYPE_UDP) {
4047 -- struct udp_tunnel_sock_cfg udp_cfg;
4048 -+ struct udp_tunnel_sock_cfg udp_cfg = { };
4049 -
4050 - udp_cfg.sk_user_data = tunnel;
4051 - udp_cfg.encap_type = UDP_ENCAP_L2TPINUDP;
4052 -diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
4053 -index 582c9cf..2675d58 100644
4054 ---- a/net/netfilter/x_tables.c
4055 -+++ b/net/netfilter/x_tables.c
4056 -@@ -416,6 +416,47 @@ int xt_check_match(struct xt_mtchk_param *par,
4057 - }
4058 - EXPORT_SYMBOL_GPL(xt_check_match);
4059 -
4060 -+/** xt_check_entry_match - check that matches end before start of target
4061 -+ *
4062 -+ * @match: beginning of xt_entry_match
4063 -+ * @target: beginning of this rules target (alleged end of matches)
4064 -+ * @alignment: alignment requirement of match structures
4065 -+ *
4066 -+ * Validates that all matches add up to the beginning of the target,
4067 -+ * and that each match covers at least the base structure size.
4068 -+ *
4069 -+ * Return: 0 on success, negative errno on failure.
4070 -+ */
4071 -+static int xt_check_entry_match(const char *match, const char *target,
4072 -+ const size_t alignment)
4073 -+{
4074 -+ const struct xt_entry_match *pos;
4075 -+ int length = target - match;
4076 -+
4077 -+ if (length == 0) /* no matches */
4078 -+ return 0;
4079 -+
4080 -+ pos = (struct xt_entry_match *)match;
4081 -+ do {
4082 -+ if ((unsigned long)pos % alignment)
4083 -+ return -EINVAL;
4084 -+
4085 -+ if (length < (int)sizeof(struct xt_entry_match))
4086 -+ return -EINVAL;
4087 -+
4088 -+ if (pos->u.match_size < sizeof(struct xt_entry_match))
4089 -+ return -EINVAL;
4090 -+
4091 -+ if (pos->u.match_size > length)
4092 -+ return -EINVAL;
4093 -+
4094 -+ length -= pos->u.match_size;
4095 -+ pos = ((void *)((char *)(pos) + (pos)->u.match_size));
4096 -+ } while (length > 0);
4097 -+
4098 -+ return 0;
4099 -+}
4100 -+
4101 - #ifdef CONFIG_COMPAT
4102 - int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta)
4103 - {
4104 -@@ -485,13 +526,14 @@ int xt_compat_match_offset(const struct xt_match *match)
4105 - }
4106 - EXPORT_SYMBOL_GPL(xt_compat_match_offset);
4107 -
4108 --int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
4109 -- unsigned int *size)
4110 -+void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
4111 -+ unsigned int *size)
4112 - {
4113 - const struct xt_match *match = m->u.kernel.match;
4114 - struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
4115 - int pad, off = xt_compat_match_offset(match);
4116 - u_int16_t msize = cm->u.user.match_size;
4117 -+ char name[sizeof(m->u.user.name)];
4118 -
4119 - m = *dstptr;
4120 - memcpy(m, cm, sizeof(*cm));
4121 -@@ -505,10 +547,12 @@ int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
4122 -
4123 - msize += off;
4124 - m->u.user.match_size = msize;
4125 -+ strlcpy(name, match->name, sizeof(name));
4126 -+ module_put(match->me);
4127 -+ strncpy(m->u.user.name, name, sizeof(m->u.user.name));
4128 -
4129 - *size += off;
4130 - *dstptr += msize;
4131 -- return 0;
4132 - }
4133 - EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
4134 -
4135 -@@ -539,8 +583,125 @@ int xt_compat_match_to_user(const struct xt_entry_match *m,
4136 - return 0;
4137 - }
4138 - EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
4139 -+
4140 -+/* non-compat version may have padding after verdict */
4141 -+struct compat_xt_standard_target {
4142 -+ struct compat_xt_entry_target t;
4143 -+ compat_uint_t verdict;
4144 -+};
4145 -+
4146 -+int xt_compat_check_entry_offsets(const void *base, const char *elems,
4147 -+ unsigned int target_offset,
4148 -+ unsigned int next_offset)
4149 -+{
4150 -+ long size_of_base_struct = elems - (const char *)base;
4151 -+ const struct compat_xt_entry_target *t;
4152 -+ const char *e = base;
4153 -+
4154 -+ if (target_offset < size_of_base_struct)
4155 -+ return -EINVAL;
4156 -+
4157 -+ if (target_offset + sizeof(*t) > next_offset)
4158 -+ return -EINVAL;
4159 -+
4160 -+ t = (void *)(e + target_offset);
4161 -+ if (t->u.target_size < sizeof(*t))
4162 -+ return -EINVAL;
4163 -+
4164 -+ if (target_offset + t->u.target_size > next_offset)
4165 -+ return -EINVAL;
4166 -+
4167 -+ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 &&
4168 -+ COMPAT_XT_ALIGN(target_offset + sizeof(struct compat_xt_standard_target)) != next_offset)
4169 -+ return -EINVAL;
4170 -+
4171 -+ /* compat_xt_entry match has less strict aligment requirements,
4172 -+ * otherwise they are identical. In case of padding differences
4173 -+ * we need to add compat version of xt_check_entry_match.
4174 -+ */
4175 -+ BUILD_BUG_ON(sizeof(struct compat_xt_entry_match) != sizeof(struct xt_entry_match));
4176 -+
4177 -+ return xt_check_entry_match(elems, base + target_offset,
4178 -+ __alignof__(struct compat_xt_entry_match));
4179 -+}
4180 -+EXPORT_SYMBOL(xt_compat_check_entry_offsets);
4181 - #endif /* CONFIG_COMPAT */
4182 -
4183 -+/**
4184 -+ * xt_check_entry_offsets - validate arp/ip/ip6t_entry
4185 -+ *
4186 -+ * @base: pointer to arp/ip/ip6t_entry
4187 -+ * @elems: pointer to first xt_entry_match, i.e. ip(6)t_entry->elems
4188 -+ * @target_offset: the arp/ip/ip6_t->target_offset
4189 -+ * @next_offset: the arp/ip/ip6_t->next_offset
4190 -+ *
4191 -+ * validates that target_offset and next_offset are sane and that all
4192 -+ * match sizes (if any) align with the target offset.
4193 -+ *
4194 -+ * This function does not validate the targets or matches themselves, it
4195 -+ * only tests that all the offsets and sizes are correct, that all
4196 -+ * match structures are aligned, and that the last structure ends where
4197 -+ * the target structure begins.
4198 -+ *
4199 -+ * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version.
4200 -+ *
4201 -+ * The arp/ip/ip6t_entry structure @base must have passed following tests:
4202 -+ * - it must point to a valid memory location
4203 -+ * - base to base + next_offset must be accessible, i.e. not exceed allocated
4204 -+ * length.
4205 -+ *
4206 -+ * A well-formed entry looks like this:
4207 -+ *
4208 -+ * ip(6)t_entry match [mtdata] match [mtdata] target [tgdata] ip(6)t_entry
4209 -+ * e->elems[]-----' | |
4210 -+ * matchsize | |
4211 -+ * matchsize | |
4212 -+ * | |
4213 -+ * target_offset---------------------------------' |
4214 -+ * next_offset---------------------------------------------------'
4215 -+ *
4216 -+ * elems[]: flexible array member at end of ip(6)/arpt_entry struct.
4217 -+ * This is where matches (if any) and the target reside.
4218 -+ * target_offset: beginning of target.
4219 -+ * next_offset: start of the next rule; also: size of this rule.
4220 -+ * Since targets have a minimum size, target_offset + minlen <= next_offset.
4221 -+ *
4222 -+ * Every match stores its size, sum of sizes must not exceed target_offset.
4223 -+ *
4224 -+ * Return: 0 on success, negative errno on failure.
4225 -+ */
4226 -+int xt_check_entry_offsets(const void *base,
4227 -+ const char *elems,
4228 -+ unsigned int target_offset,
4229 -+ unsigned int next_offset)
4230 -+{
4231 -+ long size_of_base_struct = elems - (const char *)base;
4232 -+ const struct xt_entry_target *t;
4233 -+ const char *e = base;
4234 -+
4235 -+ /* target start is within the ip/ip6/arpt_entry struct */
4236 -+ if (target_offset < size_of_base_struct)
4237 -+ return -EINVAL;
4238 -+
4239 -+ if (target_offset + sizeof(*t) > next_offset)
4240 -+ return -EINVAL;
4241 -+
4242 -+ t = (void *)(e + target_offset);
4243 -+ if (t->u.target_size < sizeof(*t))
4244 -+ return -EINVAL;
4245 -+
4246 -+ if (target_offset + t->u.target_size > next_offset)
4247 -+ return -EINVAL;
4248 -+
4249 -+ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 &&
4250 -+ XT_ALIGN(target_offset + sizeof(struct xt_standard_target)) != next_offset)
4251 -+ return -EINVAL;
4252 -+
4253 -+ return xt_check_entry_match(elems, base + target_offset,
4254 -+ __alignof__(struct xt_entry_match));
4255 -+}
4256 -+EXPORT_SYMBOL(xt_check_entry_offsets);
4257 -+
4258 - int xt_check_target(struct xt_tgchk_param *par,
4259 - unsigned int size, u_int8_t proto, bool inv_proto)
4260 - {
4261 -@@ -591,6 +752,80 @@ int xt_check_target(struct xt_tgchk_param *par,
4262 - }
4263 - EXPORT_SYMBOL_GPL(xt_check_target);
4264 -
4265 -+/**
4266 -+ * xt_copy_counters_from_user - copy counters and metadata from userspace
4267 -+ *
4268 -+ * @user: src pointer to userspace memory
4269 -+ * @len: alleged size of userspace memory
4270 -+ * @info: where to store the xt_counters_info metadata
4271 -+ * @compat: true if we setsockopt call is done by 32bit task on 64bit kernel
4272 -+ *
4273 -+ * Copies counter meta data from @user and stores it in @info.
4274 -+ *
4275 -+ * vmallocs memory to hold the counters, then copies the counter data
4276 -+ * from @user to the new memory and returns a pointer to it.
4277 -+ *
4278 -+ * If @compat is true, @info gets converted automatically to the 64bit
4279 -+ * representation.
4280 -+ *
4281 -+ * The metadata associated with the counters is stored in @info.
4282 -+ *
4283 -+ * Return: returns pointer that caller has to test via IS_ERR().
4284 -+ * If IS_ERR is false, caller has to vfree the pointer.
4285 -+ */
4286 -+void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
4287 -+ struct xt_counters_info *info, bool compat)
4288 -+{
4289 -+ void *mem;
4290 -+ u64 size;
4291 -+
4292 -+#ifdef CONFIG_COMPAT
4293 -+ if (compat) {
4294 -+ /* structures only differ in size due to alignment */
4295 -+ struct compat_xt_counters_info compat_tmp;
4296 -+
4297 -+ if (len <= sizeof(compat_tmp))
4298 -+ return ERR_PTR(-EINVAL);
4299 -+
4300 -+ len -= sizeof(compat_tmp);
4301 -+ if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0)
4302 -+ return ERR_PTR(-EFAULT);
4303 -+
4304 -+ strlcpy(info->name, compat_tmp.name, sizeof(info->name));
4305 -+ info->num_counters = compat_tmp.num_counters;
4306 -+ user += sizeof(compat_tmp);
4307 -+ } else
4308 -+#endif
4309 -+ {
4310 -+ if (len <= sizeof(*info))
4311 -+ return ERR_PTR(-EINVAL);
4312 -+
4313 -+ len -= sizeof(*info);
4314 -+ if (copy_from_user(info, user, sizeof(*info)) != 0)
4315 -+ return ERR_PTR(-EFAULT);
4316 -+
4317 -+ info->name[sizeof(info->name) - 1] = '\0';
4318 -+ user += sizeof(*info);
4319 -+ }
4320 -+
4321 -+ size = sizeof(struct xt_counters);
4322 -+ size *= info->num_counters;
4323 -+
4324 -+ if (size != (u64)len)
4325 -+ return ERR_PTR(-EINVAL);
4326 -+
4327 -+ mem = vmalloc(len);
4328 -+ if (!mem)
4329 -+ return ERR_PTR(-ENOMEM);
4330 -+
4331 -+ if (copy_from_user(mem, user, len) == 0)
4332 -+ return mem;
4333 -+
4334 -+ vfree(mem);
4335 -+ return ERR_PTR(-EFAULT);
4336 -+}
4337 -+EXPORT_SYMBOL_GPL(xt_copy_counters_from_user);
4338 -+
4339 - #ifdef CONFIG_COMPAT
4340 - int xt_compat_target_offset(const struct xt_target *target)
4341 - {
4342 -@@ -606,6 +841,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
4343 - struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
4344 - int pad, off = xt_compat_target_offset(target);
4345 - u_int16_t tsize = ct->u.user.target_size;
4346 -+ char name[sizeof(t->u.user.name)];
4347 -
4348 - t = *dstptr;
4349 - memcpy(t, ct, sizeof(*ct));
4350 -@@ -619,6 +855,9 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
4351 -
4352 - tsize += off;
4353 - t->u.user.target_size = tsize;
4354 -+ strlcpy(name, target->name, sizeof(name));
4355 -+ module_put(target->me);
4356 -+ strncpy(t->u.user.name, name, sizeof(t->u.user.name));
4357 -
4358 - *size += off;
4359 - *dstptr += tsize;
4360 -diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
4361 -index 330ebd6..f48e3b3 100644
4362 ---- a/net/netlink/af_netlink.c
4363 -+++ b/net/netlink/af_netlink.c
4364 -@@ -2059,6 +2059,7 @@ static int netlink_dump(struct sock *sk)
4365 - struct netlink_callback *cb;
4366 - struct sk_buff *skb = NULL;
4367 - struct nlmsghdr *nlh;
4368 -+ struct module *module;
4369 - int len, err = -ENOBUFS;
4370 - int alloc_min_size;
4371 - int alloc_size;
4372 -@@ -2134,9 +2135,11 @@ static int netlink_dump(struct sock *sk)
4373 - cb->done(cb);
4374 -
4375 - nlk->cb_running = false;
4376 -+ module = cb->module;
4377 -+ skb = cb->skb;
4378 - mutex_unlock(nlk->cb_mutex);
4379 -- module_put(cb->module);
4380 -- consume_skb(cb->skb);
4381 -+ module_put(module);
4382 -+ consume_skb(skb);
4383 - return 0;
4384 -
4385 - errout_skb:
4386 -diff --git a/net/switchdev/switchdev.c b/net/switchdev/switchdev.c
4387 -index b7e01d8..59658b2 100644
4388 ---- a/net/switchdev/switchdev.c
4389 -+++ b/net/switchdev/switchdev.c
4390 -@@ -1188,6 +1188,7 @@ int switchdev_fib_ipv4_add(u32 dst, int dst_len, struct fib_info *fi,
4391 - .obj.id = SWITCHDEV_OBJ_ID_IPV4_FIB,
4392 - .dst = dst,
4393 - .dst_len = dst_len,
4394 -+ .fi = fi,
4395 - .tos = tos,
4396 - .type = type,
4397 - .nlflags = nlflags,
4398 -@@ -1196,8 +1197,6 @@ int switchdev_fib_ipv4_add(u32 dst, int dst_len, struct fib_info *fi,
4399 - struct net_device *dev;
4400 - int err = 0;
4401 -
4402 -- memcpy(&ipv4_fib.fi, fi, sizeof(ipv4_fib.fi));
4403 --
4404 - /* Don't offload route if using custom ip rules or if
4405 - * IPv4 FIB offloading has been disabled completely.
4406 - */
4407 -@@ -1242,6 +1241,7 @@ int switchdev_fib_ipv4_del(u32 dst, int dst_len, struct fib_info *fi,
4408 - .obj.id = SWITCHDEV_OBJ_ID_IPV4_FIB,
4409 - .dst = dst,
4410 - .dst_len = dst_len,
4411 -+ .fi = fi,
4412 - .tos = tos,
4413 - .type = type,
4414 - .nlflags = 0,
4415 -@@ -1250,8 +1250,6 @@ int switchdev_fib_ipv4_del(u32 dst, int dst_len, struct fib_info *fi,
4416 - struct net_device *dev;
4417 - int err = 0;
4418 -
4419 -- memcpy(&ipv4_fib.fi, fi, sizeof(ipv4_fib.fi));
4420 --
4421 - if (!(fi->fib_flags & RTNH_F_OFFLOAD))
4422 - return 0;
4423 -
4424 -diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
4425 -index d7d050f..4dfc5c1 100644
4426 ---- a/net/tipc/netlink_compat.c
4427 -+++ b/net/tipc/netlink_compat.c
4428 -@@ -802,7 +802,7 @@ static int tipc_nl_compat_name_table_dump(struct tipc_nl_compat_msg *msg,
4429 - goto out;
4430 -
4431 - tipc_tlv_sprintf(msg->rep, "%-10u %s",
4432 -- nla_get_u32(publ[TIPC_NLA_PUBL_REF]),
4433 -+ nla_get_u32(publ[TIPC_NLA_PUBL_KEY]),
4434 - scope_str[nla_get_u32(publ[TIPC_NLA_PUBL_SCOPE])]);
4435 - out:
4436 - tipc_tlv_sprintf(msg->rep, "\n");
4437 -diff --git a/net/tipc/socket.c b/net/tipc/socket.c
4438 -index 3eeb50a..5f80d3f 100644
4439 ---- a/net/tipc/socket.c
4440 -+++ b/net/tipc/socket.c
4441 -@@ -2807,6 +2807,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb)
4442 - if (err)
4443 - return err;
4444 -
4445 -+ if (!attrs[TIPC_NLA_SOCK])
4446 -+ return -EINVAL;
4447 -+
4448 - err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX,
4449 - attrs[TIPC_NLA_SOCK],
4450 - tipc_nl_sock_policy);
4451 -diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
4452 -index b50ee5d..c753211 100644
4453 ---- a/net/wireless/wext-core.c
4454 -+++ b/net/wireless/wext-core.c
4455 -@@ -955,8 +955,29 @@ static int wireless_process_ioctl(struct net *net, struct ifreq *ifr,
4456 - return private(dev, iwr, cmd, info, handler);
4457 - }
4458 - /* Old driver API : call driver ioctl handler */
4459 -- if (dev->netdev_ops->ndo_do_ioctl)
4460 -- return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
4461 -+ if (dev->netdev_ops->ndo_do_ioctl) {
4462 -+#ifdef CONFIG_COMPAT
4463 -+ if (info->flags & IW_REQUEST_FLAG_COMPAT) {
4464 -+ int ret = 0;
4465 -+ struct iwreq iwr_lcl;
4466 -+ struct compat_iw_point *iwp_compat = (void *) &iwr->u.data;
4467 -+
4468 -+ memcpy(&iwr_lcl, iwr, sizeof(struct iwreq));
4469 -+ iwr_lcl.u.data.pointer = compat_ptr(iwp_compat->pointer);
4470 -+ iwr_lcl.u.data.length = iwp_compat->length;
4471 -+ iwr_lcl.u.data.flags = iwp_compat->flags;
4472 -+
4473 -+ ret = dev->netdev_ops->ndo_do_ioctl(dev, (void *) &iwr_lcl, cmd);
4474 -+
4475 -+ iwp_compat->pointer = ptr_to_compat(iwr_lcl.u.data.pointer);
4476 -+ iwp_compat->length = iwr_lcl.u.data.length;
4477 -+ iwp_compat->flags = iwr_lcl.u.data.flags;
4478 -+
4479 -+ return ret;
4480 -+ } else
4481 -+#endif
4482 -+ return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
4483 -+ }
4484 - return -EOPNOTSUPP;
4485 - }
4486 -
4487 -diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
4488 -index 9a0d144..94089fc 100644
4489 ---- a/sound/pci/hda/hda_intel.c
4490 -+++ b/sound/pci/hda/hda_intel.c
4491 -@@ -365,8 +365,11 @@ enum {
4492 -
4493 - #define IS_SKL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa170)
4494 - #define IS_SKL_LP(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x9d70)
4495 -+#define IS_KBL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa171)
4496 -+#define IS_KBL_LP(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x9d71)
4497 - #define IS_BXT(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x5a98)
4498 --#define IS_SKL_PLUS(pci) (IS_SKL(pci) || IS_SKL_LP(pci) || IS_BXT(pci))
4499 -+#define IS_SKL_PLUS(pci) (IS_SKL(pci) || IS_SKL_LP(pci) || IS_BXT(pci)) || \
4500 -+ IS_KBL(pci) || IS_KBL_LP(pci)
4501 -
4502 - static char *driver_short_names[] = {
4503 - [AZX_DRIVER_ICH] = "HDA Intel",
4504 -@@ -2181,6 +2184,12 @@ static const struct pci_device_id azx_ids[] = {
4505 - /* Sunrise Point-LP */
4506 - { PCI_DEVICE(0x8086, 0x9d70),
4507 - .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_SKYLAKE },
4508 -+ /* Kabylake */
4509 -+ { PCI_DEVICE(0x8086, 0xa171),
4510 -+ .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_SKYLAKE },
4511 -+ /* Kabylake-LP */
4512 -+ { PCI_DEVICE(0x8086, 0x9d71),
4513 -+ .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_SKYLAKE },
4514 - /* Broxton-P(Apollolake) */
4515 - { PCI_DEVICE(0x8086, 0x5a98),
4516 - .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_BROXTON },
4517 -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
4518 -index d53c25e..0fe18ed 100644
4519 ---- a/sound/pci/hda/patch_realtek.c
4520 -+++ b/sound/pci/hda/patch_realtek.c
4521 -@@ -346,6 +346,9 @@ static void alc_fill_eapd_coef(struct hda_codec *codec)
4522 - case 0x10ec0234:
4523 - case 0x10ec0274:
4524 - case 0x10ec0294:
4525 -+ case 0x10ec0700:
4526 -+ case 0x10ec0701:
4527 -+ case 0x10ec0703:
4528 - alc_update_coef_idx(codec, 0x10, 1<<15, 0);
4529 - break;
4530 - case 0x10ec0662:
4531 -@@ -2655,6 +2658,7 @@ enum {
4532 - ALC269_TYPE_ALC256,
4533 - ALC269_TYPE_ALC225,
4534 - ALC269_TYPE_ALC294,
4535 -+ ALC269_TYPE_ALC700,
4536 - };
4537 -
4538 - /*
4539 -@@ -2686,6 +2690,7 @@ static int alc269_parse_auto_config(struct hda_codec *codec)
4540 - case ALC269_TYPE_ALC256:
4541 - case ALC269_TYPE_ALC225:
4542 - case ALC269_TYPE_ALC294:
4543 -+ case ALC269_TYPE_ALC700:
4544 - ssids = alc269_ssids;
4545 - break;
4546 - default:
4547 -@@ -3618,13 +3623,20 @@ static void alc269_fixup_hp_line1_mic1_led(struct hda_codec *codec,
4548 - static void alc_headset_mode_unplugged(struct hda_codec *codec)
4549 - {
4550 - static struct coef_fw coef0255[] = {
4551 -- WRITE_COEF(0x1b, 0x0c0b), /* LDO and MISC control */
4552 - WRITE_COEF(0x45, 0xd089), /* UAJ function set to menual mode */
4553 - UPDATE_COEFEX(0x57, 0x05, 1<<14, 0), /* Direct Drive HP Amp control(Set to verb control)*/
4554 - WRITE_COEF(0x06, 0x6104), /* Set MIC2 Vref gate with HP */
4555 - WRITE_COEFEX(0x57, 0x03, 0x8aa6), /* Direct Drive HP Amp control */
4556 - {}
4557 - };
4558 -+ static struct coef_fw coef0255_1[] = {
4559 -+ WRITE_COEF(0x1b, 0x0c0b), /* LDO and MISC control */
4560 -+ {}
4561 -+ };
4562 -+ static struct coef_fw coef0256[] = {
4563 -+ WRITE_COEF(0x1b, 0x0c4b), /* LDO and MISC control */
4564 -+ {}
4565 -+ };
4566 - static struct coef_fw coef0233[] = {
4567 - WRITE_COEF(0x1b, 0x0c0b),
4568 - WRITE_COEF(0x45, 0xc429),
4569 -@@ -3677,7 +3689,11 @@ static void alc_headset_mode_unplugged(struct hda_codec *codec)
4570 -
4571 - switch (codec->core.vendor_id) {
4572 - case 0x10ec0255:
4573 -+ alc_process_coef_fw(codec, coef0255_1);
4574 -+ alc_process_coef_fw(codec, coef0255);
4575 -+ break;
4576 - case 0x10ec0256:
4577 -+ alc_process_coef_fw(codec, coef0256);
4578 - alc_process_coef_fw(codec, coef0255);
4579 - break;
4580 - case 0x10ec0233:
4581 -@@ -3896,6 +3912,12 @@ static void alc_headset_mode_ctia(struct hda_codec *codec)
4582 - WRITE_COEFEX(0x57, 0x03, 0x8ea6),
4583 - {}
4584 - };
4585 -+ static struct coef_fw coef0256[] = {
4586 -+ WRITE_COEF(0x45, 0xd489), /* Set to CTIA type */
4587 -+ WRITE_COEF(0x1b, 0x0c6b),
4588 -+ WRITE_COEFEX(0x57, 0x03, 0x8ea6),
4589 -+ {}
4590 -+ };
4591 - static struct coef_fw coef0233[] = {
4592 - WRITE_COEF(0x45, 0xd429),
4593 - WRITE_COEF(0x1b, 0x0c2b),
4594 -@@ -3936,9 +3958,11 @@ static void alc_headset_mode_ctia(struct hda_codec *codec)
4595 -
4596 - switch (codec->core.vendor_id) {
4597 - case 0x10ec0255:
4598 -- case 0x10ec0256:
4599 - alc_process_coef_fw(codec, coef0255);
4600 - break;
4601 -+ case 0x10ec0256:
4602 -+ alc_process_coef_fw(codec, coef0256);
4603 -+ break;
4604 - case 0x10ec0233:
4605 - case 0x10ec0283:
4606 - alc_process_coef_fw(codec, coef0233);
4607 -@@ -3978,6 +4002,12 @@ static void alc_headset_mode_omtp(struct hda_codec *codec)
4608 - WRITE_COEFEX(0x57, 0x03, 0x8ea6),
4609 - {}
4610 - };
4611 -+ static struct coef_fw coef0256[] = {
4612 -+ WRITE_COEF(0x45, 0xe489), /* Set to OMTP Type */
4613 -+ WRITE_COEF(0x1b, 0x0c6b),
4614 -+ WRITE_COEFEX(0x57, 0x03, 0x8ea6),
4615 -+ {}
4616 -+ };
4617 - static struct coef_fw coef0233[] = {
4618 - WRITE_COEF(0x45, 0xe429),
4619 - WRITE_COEF(0x1b, 0x0c2b),
4620 -@@ -4018,9 +4048,11 @@ static void alc_headset_mode_omtp(struct hda_codec *codec)
4621 -
4622 - switch (codec->core.vendor_id) {
4623 - case 0x10ec0255:
4624 -- case 0x10ec0256:
4625 - alc_process_coef_fw(codec, coef0255);
4626 - break;
4627 -+ case 0x10ec0256:
4628 -+ alc_process_coef_fw(codec, coef0256);
4629 -+ break;
4630 - case 0x10ec0233:
4631 - case 0x10ec0283:
4632 - alc_process_coef_fw(codec, coef0233);
4633 -@@ -4266,7 +4298,7 @@ static void alc_fixup_headset_mode_no_hp_mic(struct hda_codec *codec,
4634 - static void alc255_set_default_jack_type(struct hda_codec *codec)
4635 - {
4636 - /* Set to iphone type */
4637 -- static struct coef_fw fw[] = {
4638 -+ static struct coef_fw alc255fw[] = {
4639 - WRITE_COEF(0x1b, 0x880b),
4640 - WRITE_COEF(0x45, 0xd089),
4641 - WRITE_COEF(0x1b, 0x080b),
4642 -@@ -4274,7 +4306,22 @@ static void alc255_set_default_jack_type(struct hda_codec *codec)
4643 - WRITE_COEF(0x1b, 0x0c0b),
4644 - {}
4645 - };
4646 -- alc_process_coef_fw(codec, fw);
4647 -+ static struct coef_fw alc256fw[] = {
4648 -+ WRITE_COEF(0x1b, 0x884b),
4649 -+ WRITE_COEF(0x45, 0xd089),
4650 -+ WRITE_COEF(0x1b, 0x084b),
4651 -+ WRITE_COEF(0x46, 0x0004),
4652 -+ WRITE_COEF(0x1b, 0x0c4b),
4653 -+ {}
4654 -+ };
4655 -+ switch (codec->core.vendor_id) {
4656 -+ case 0x10ec0255:
4657 -+ alc_process_coef_fw(codec, alc255fw);
4658 -+ break;
4659 -+ case 0x10ec0256:
4660 -+ alc_process_coef_fw(codec, alc256fw);
4661 -+ break;
4662 -+ }
4663 - msleep(30);
4664 - }
4665 -
4666 -@@ -5587,6 +5634,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
4667 - SND_PCI_QUIRK(0x17aa, 0x2218, "Thinkpad X1 Carbon 2nd", ALC292_FIXUP_TPT440_DOCK),
4668 - SND_PCI_QUIRK(0x17aa, 0x2223, "ThinkPad T550", ALC292_FIXUP_TPT440_DOCK),
4669 - SND_PCI_QUIRK(0x17aa, 0x2226, "ThinkPad X250", ALC292_FIXUP_TPT440_DOCK),
4670 -+ SND_PCI_QUIRK(0x17aa, 0x2231, "Thinkpad T560", ALC292_FIXUP_TPT460),
4671 - SND_PCI_QUIRK(0x17aa, 0x2233, "Thinkpad", ALC292_FIXUP_TPT460),
4672 - SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
4673 - SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
4674 -@@ -5775,6 +5823,10 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
4675 - {0x12, 0x90a60180},
4676 - {0x14, 0x90170130},
4677 - {0x21, 0x02211040}),
4678 -+ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell Inspiron 5565", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
4679 -+ {0x12, 0x90a60180},
4680 -+ {0x14, 0x90170120},
4681 -+ {0x21, 0x02211030}),
4682 - SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
4683 - {0x12, 0x90a60160},
4684 - {0x14, 0x90170120},
4685 -@@ -6053,6 +6105,14 @@ static int patch_alc269(struct hda_codec *codec)
4686 - case 0x10ec0294:
4687 - spec->codec_variant = ALC269_TYPE_ALC294;
4688 - break;
4689 -+ case 0x10ec0700:
4690 -+ case 0x10ec0701:
4691 -+ case 0x10ec0703:
4692 -+ spec->codec_variant = ALC269_TYPE_ALC700;
4693 -+ spec->gen.mixer_nid = 0; /* ALC700 does not have any loopback mixer path */
4694 -+ alc_update_coef_idx(codec, 0x4a, 0, 1 << 15); /* Combo jack auto trigger control */
4695 -+ break;
4696 -+
4697 - }
4698 -
4699 - if (snd_hda_codec_read(codec, 0x51, 0, AC_VERB_PARAMETERS, 0) == 0x10ec5505) {
4700 -@@ -7008,6 +7068,9 @@ static const struct hda_device_id snd_hda_id_realtek[] = {
4701 - HDA_CODEC_ENTRY(0x10ec0670, "ALC670", patch_alc662),
4702 - HDA_CODEC_ENTRY(0x10ec0671, "ALC671", patch_alc662),
4703 - HDA_CODEC_ENTRY(0x10ec0680, "ALC680", patch_alc680),
4704 -+ HDA_CODEC_ENTRY(0x10ec0700, "ALC700", patch_alc269),
4705 -+ HDA_CODEC_ENTRY(0x10ec0701, "ALC701", patch_alc269),
4706 -+ HDA_CODEC_ENTRY(0x10ec0703, "ALC703", patch_alc269),
4707 - HDA_CODEC_ENTRY(0x10ec0867, "ALC891", patch_alc882),
4708 - HDA_CODEC_ENTRY(0x10ec0880, "ALC880", patch_alc880),
4709 - HDA_CODEC_ENTRY(0x10ec0882, "ALC882", patch_alc882),
4710 -diff --git a/virt/kvm/arm/hyp/vgic-v2-sr.c b/virt/kvm/arm/hyp/vgic-v2-sr.c
4711 -index 674bdf8..501849a 100644
4712 ---- a/virt/kvm/arm/hyp/vgic-v2-sr.c
4713 -+++ b/virt/kvm/arm/hyp/vgic-v2-sr.c
4714 -@@ -93,12 +93,11 @@ static void __hyp_text save_lrs(struct kvm_vcpu *vcpu, void __iomem *base)
4715 - if (!(vcpu->arch.vgic_cpu.live_lrs & (1UL << i)))
4716 - continue;
4717 -
4718 -- if (cpu_if->vgic_elrsr & (1UL << i)) {
4719 -+ if (cpu_if->vgic_elrsr & (1UL << i))
4720 - cpu_if->vgic_lr[i] &= ~GICH_LR_STATE;
4721 -- continue;
4722 -- }
4723 -+ else
4724 -+ cpu_if->vgic_lr[i] = readl_relaxed(base + GICH_LR0 + (i * 4));
4725 -
4726 -- cpu_if->vgic_lr[i] = readl_relaxed(base + GICH_LR0 + (i * 4));
4727 - writel_relaxed(0, base + GICH_LR0 + (i * 4));
4728 - }
4729 - }
4730 -diff --git a/virt/kvm/irqchip.c b/virt/kvm/irqchip.c
4731 -index fe84e1a..8db197b 100644
4732 ---- a/virt/kvm/irqchip.c
4733 -+++ b/virt/kvm/irqchip.c
4734 -@@ -40,7 +40,7 @@ int kvm_irq_map_gsi(struct kvm *kvm,
4735 -
4736 - irq_rt = srcu_dereference_check(kvm->irq_routing, &kvm->irq_srcu,
4737 - lockdep_is_held(&kvm->irq_lock));
4738 -- if (gsi < irq_rt->nr_rt_entries) {
4739 -+ if (irq_rt && gsi < irq_rt->nr_rt_entries) {
4740 - hlist_for_each_entry(e, &irq_rt->map[gsi], link) {
4741 - entries[n] = *e;
4742 - ++n;
4743
4744 diff --git a/4.6.3/0000_README b/4.6.4/0000_README
4745 similarity index 92%
4746 rename from 4.6.3/0000_README
4747 rename to 4.6.4/0000_README
4748 index 585f483..55247f8 100644
4749 --- a/4.6.3/0000_README
4750 +++ b/4.6.4/0000_README
4751 @@ -2,11 +2,7 @@ README
4752 -----------------------------------------------------------------------------
4753 Individual Patch Descriptions:
4754 -----------------------------------------------------------------------------
4755 -Patch: 1002_linux-4.6.3.patch
4756 -From: http://www.kernel.org
4757 -Desc: Linux 4.6.3
4758 -
4759 -Patch: 4420_grsecurity-3.1-4.6.3-201607070721.patch
4760 +Patch: 4420_grsecurity-3.1-4.6.4-201607112205.patch
4761 From: http://www.grsecurity.net
4762 Desc: hardened-sources base patch from upstream grsecurity
4763
4764
4765 diff --git a/4.6.3/4420_grsecurity-3.1-4.6.3-201607070721.patch b/4.6.4/4420_grsecurity-3.1-4.6.4-201607112205.patch
4766 similarity index 99%
4767 rename from 4.6.3/4420_grsecurity-3.1-4.6.3-201607070721.patch
4768 rename to 4.6.4/4420_grsecurity-3.1-4.6.4-201607112205.patch
4769 index b3964cb..95ffa2d 100644
4770 --- a/4.6.3/4420_grsecurity-3.1-4.6.3-201607070721.patch
4771 +++ b/4.6.4/4420_grsecurity-3.1-4.6.4-201607112205.patch
4772 @@ -420,7 +420,7 @@ index fcddfd5..71afd6b 100644
4773
4774 A toggle value indicating if modules are allowed to be loaded
4775 diff --git a/Makefile b/Makefile
4776 -index c62b531..e158b54 100644
4777 +index cd37442..4c8e887 100644
4778 --- a/Makefile
4779 +++ b/Makefile
4780 @@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
4781 @@ -39799,10 +39799,10 @@ index 7921251..ba86330 100644
4782 static void cryptd_queue_worker(struct work_struct *work);
4783
4784 diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
4785 -index 43fe85f..215a174 100644
4786 +index 7097a33..e946ace 100644
4787 --- a/crypto/crypto_user.c
4788 +++ b/crypto/crypto_user.c
4789 -@@ -504,7 +504,7 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
4790 +@@ -505,7 +505,7 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
4791 dump_alloc += CRYPTO_REPORT_MAXSIZE;
4792
4793 {
4794 @@ -42021,7 +42021,7 @@ index 92d6fc0..e4e1e27 100644
4795 }
4796
4797 diff --git a/drivers/block/drbd/drbd_int.h b/drivers/block/drbd/drbd_int.h
4798 -index 7a1cf7e..538f666 100644
4799 +index 7a1cf7e..0330e12 100644
4800 --- a/drivers/block/drbd/drbd_int.h
4801 +++ b/drivers/block/drbd/drbd_int.h
4802 @@ -382,7 +382,7 @@ struct drbd_epoch {
4803 @@ -42033,6 +42033,17 @@ index 7a1cf7e..538f666 100644
4804 atomic_t active; /* increased on every req. added, and dec on every finished. */
4805 unsigned long flags;
4806 };
4807 +@@ -586,8 +586,8 @@ struct drbd_md {
4808 + u32 flags;
4809 + u32 md_size_sect;
4810 +
4811 +- s32 al_offset; /* signed relative sector offset to activity log */
4812 +- s32 bm_offset; /* signed relative sector offset to bitmap */
4813 ++ s32 al_offset __intentional_overflow(0); /* signed relative sector offset to activity log */
4814 ++ s32 bm_offset __intentional_overflow(0); /* signed relative sector offset to bitmap */
4815 +
4816 + /* cached value of bdev->disk_conf->meta_dev_idx (see below) */
4817 + s32 meta_dev_idx;
4818 @@ -951,7 +951,7 @@ struct drbd_device {
4819 unsigned int al_tr_number;
4820 int al_tr_cycle;
4821 @@ -70517,7 +70528,7 @@ index 1e7e139..c2031dd 100644
4822
4823 /*
4824 diff --git a/drivers/scsi/bfa/bfa_fcs.h b/drivers/scsi/bfa/bfa_fcs.h
4825 -index 06dc215..543c5aa 100644
4826 +index 06dc215..543c5aaa 100644
4827 --- a/drivers/scsi/bfa/bfa_fcs.h
4828 +++ b/drivers/scsi/bfa/bfa_fcs.h
4829 @@ -67,8 +67,10 @@ struct bfa_fcs_s;
4830 @@ -78569,7 +78580,7 @@ index a7de8e8..e1ef134 100644
4831 spin_lock_init(&uhci->lock);
4832 setup_timer(&uhci->fsbr_timer, uhci_fsbr_timeout,
4833 diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
4834 -index 48672fa..9245081 100644
4835 +index c10972f..7a2d5db5 100644
4836 --- a/drivers/usb/host/xhci-pci.c
4837 +++ b/drivers/usb/host/xhci-pci.c
4838 @@ -32,7 +32,7 @@
4839 @@ -78582,10 +78593,10 @@ index 48672fa..9245081 100644
4840 /* Device for a quirk */
4841 #define PCI_VENDOR_ID_FRESCO_LOGIC 0x1b73
4842 diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
4843 -index 99b4ff4..83b36b4 100644
4844 +index 8b5b2ac..052a44e 100644
4845 --- a/drivers/usb/host/xhci-ring.c
4846 +++ b/drivers/usb/host/xhci-ring.c
4847 -@@ -1861,9 +1861,9 @@ td_cleanup:
4848 +@@ -1878,9 +1878,9 @@ td_cleanup:
4849 * unsigned). Play it safe and say we didn't transfer anything.
4850 */
4851 if (urb->actual_length > urb->transfer_buffer_length) {
4852 @@ -78597,7 +78608,7 @@ index 99b4ff4..83b36b4 100644
4853 urb->actual_length = 0;
4854 if (td->urb->transfer_flags & URB_SHORT_NOT_OK)
4855 *status = -EREMOTEIO;
4856 -@@ -1942,10 +1942,15 @@ static int process_ctrl_td(struct xhci_hcd *xhci, struct xhci_td *td,
4857 +@@ -1959,10 +1959,15 @@ static int process_ctrl_td(struct xhci_hcd *xhci, struct xhci_td *td,
4858 return finish_td(xhci, td, event_trb, event, ep, status, false);
4859 case COMP_STOP:
4860 /* Did we stop at data stage? */
4861 @@ -78617,7 +78628,7 @@ index 99b4ff4..83b36b4 100644
4862 /* fall through */
4863 case COMP_STOP_INVAL:
4864 return finish_td(xhci, td, event_trb, event, ep, status, false);
4865 -@@ -1959,12 +1964,15 @@ static int process_ctrl_td(struct xhci_hcd *xhci, struct xhci_td *td,
4866 +@@ -1976,12 +1981,15 @@ static int process_ctrl_td(struct xhci_hcd *xhci, struct xhci_td *td,
4867 /* else fall through */
4868 case COMP_STALL:
4869 /* Did we transfer part of the data (middle) phase? */
4870 @@ -78639,7 +78650,7 @@ index 99b4ff4..83b36b4 100644
4871 td->urb->actual_length = 0;
4872
4873 return finish_td(xhci, td, event_trb, event, ep, status, false);
4874 -@@ -1997,9 +2005,12 @@ static int process_ctrl_td(struct xhci_hcd *xhci, struct xhci_td *td,
4875 +@@ -2014,9 +2022,12 @@ static int process_ctrl_td(struct xhci_hcd *xhci, struct xhci_td *td,
4876 * the last TRB.
4877 */
4878 td->urb_length_set = true;
4879 @@ -78655,7 +78666,7 @@ index 99b4ff4..83b36b4 100644
4880 xhci_dbg(xhci, "Waiting for status "
4881 "stage event\n");
4882 return 0;
4883 -@@ -2194,11 +2205,7 @@ static int process_bulk_intr_td(struct xhci_hcd *xhci, struct xhci_td *td,
4884 +@@ -2211,11 +2222,7 @@ static int process_bulk_intr_td(struct xhci_hcd *xhci, struct xhci_td *td,
4885 /* Fast path - was this the last TRB in the TD for this URB? */
4886 } else if (event_trb == td->last_trb) {
4887 if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) != 0) {
4888 @@ -78668,7 +78679,7 @@ index 99b4ff4..83b36b4 100644
4889 xhci_warn(xhci, "HC gave bad length "
4890 "of %d bytes left\n",
4891 EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)));
4892 -@@ -2207,7 +2214,10 @@ static int process_bulk_intr_td(struct xhci_hcd *xhci, struct xhci_td *td,
4893 +@@ -2224,7 +2231,10 @@ static int process_bulk_intr_td(struct xhci_hcd *xhci, struct xhci_td *td,
4894 *status = -EREMOTEIO;
4895 else
4896 *status = 0;
4897 @@ -78681,10 +78692,10 @@ index 99b4ff4..83b36b4 100644
4898 if (*status == -EINPROGRESS) {
4899 if (td->urb->transfer_flags & URB_SHORT_NOT_OK)
4900 diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
4901 -index 9e71c96..f9b2333 100644
4902 +index 3272805..a3f7895 100644
4903 --- a/drivers/usb/host/xhci.c
4904 +++ b/drivers/usb/host/xhci.c
4905 -@@ -4875,7 +4875,7 @@ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks)
4906 +@@ -4878,7 +4878,7 @@ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks)
4907 int retval;
4908
4909 /* Accept arbitrarily long scatter-gather lists */
4910 @@ -98514,6 +98525,39 @@ index 8580831..36166e5 100644
4911 retval = sysfs_create_mount_point(kernel_kobj, "debug");
4912 if (retval)
4913 return retval;
4914 +diff --git a/fs/ecryptfs/file.c b/fs/ecryptfs/file.c
4915 +index f024040..27794b1 100644
4916 +--- a/fs/ecryptfs/file.c
4917 ++++ b/fs/ecryptfs/file.c
4918 +@@ -169,6 +169,19 @@ out:
4919 + return rc;
4920 + }
4921 +
4922 ++static int ecryptfs_mmap(struct file *file, struct vm_area_struct *vma)
4923 ++{
4924 ++ struct file *lower_file = ecryptfs_file_to_lower(file);
4925 ++ /*
4926 ++ * Don't allow mmap on top of file systems that don't support it
4927 ++ * natively. If FILESYSTEM_MAX_STACK_DEPTH > 2 or ecryptfs
4928 ++ * allows recursive mounting, this will need to be extended.
4929 ++ */
4930 ++ if (!lower_file->f_op->mmap)
4931 ++ return -ENODEV;
4932 ++ return generic_file_mmap(file, vma);
4933 ++}
4934 ++
4935 + /**
4936 + * ecryptfs_open
4937 + * @inode: inode speciying file to open
4938 +@@ -403,7 +416,7 @@ const struct file_operations ecryptfs_main_fops = {
4939 + #ifdef CONFIG_COMPAT
4940 + .compat_ioctl = ecryptfs_compat_ioctl,
4941 + #endif
4942 +- .mmap = generic_file_mmap,
4943 ++ .mmap = ecryptfs_mmap,
4944 + .open = ecryptfs_open,
4945 + .flush = ecryptfs_flush,
4946 + .release = ecryptfs_release,
4947 diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
4948 index 224b49e..980370c 100644
4949 --- a/fs/ecryptfs/inode.c
4950 @@ -133239,7 +133283,7 @@ index f3f302f..a001305 100644
4951 /* Helper routines for sys_msgsnd and sys_msgrcv */
4952 extern long do_msgsnd(int msqid, long mtype, void __user *mtext,
4953 diff --git a/include/linux/net.h b/include/linux/net.h
4954 -index f840d77..f7a95d98 100644
4955 +index 9d90efe6..55eeb64 100644
4956 --- a/include/linux/net.h
4957 +++ b/include/linux/net.h
4958 @@ -195,7 +195,7 @@ struct net_proto_family {
4959 @@ -135063,7 +135107,7 @@ index c441407..f487b83 100644
4960 /*
4961 * Callback to arch code if there's nosmp or maxcpus=0 on the
4962 diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
4963 -index 4018b48..68baf26 100644
4964 +index a0596ca0..6c9245f 100644
4965 --- a/include/linux/sock_diag.h
4966 +++ b/include/linux/sock_diag.h
4967 @@ -16,7 +16,7 @@ struct sock_diag_handler {
4968 @@ -139598,7 +139642,7 @@ index 2a20c0d..3eb7d03 100644
4969 #ifdef CONFIG_MODULE_UNLOAD
4970 {
4971 diff --git a/kernel/events/core.c b/kernel/events/core.c
4972 -index c0ded24..9a8ef89 100644
4973 +index a69c90c..9344bfe 100644
4974 --- a/kernel/events/core.c
4975 +++ b/kernel/events/core.c
4976 @@ -350,8 +350,15 @@ static struct srcu_struct pmus_srcu;
4977 @@ -154052,7 +154096,7 @@ index 3937b1b..b18d1cb 100644
4978 fle->object = flo;
4979 else
4980 diff --git a/net/core/neighbour.c b/net/core/neighbour.c
4981 -index f18ae91..f033693 100644
4982 +index 769cece..425d3bd 100644
4983 --- a/net/core/neighbour.c
4984 +++ b/net/core/neighbour.c
4985 @@ -860,7 +860,7 @@ static void neigh_probe(struct neighbour *neigh)
4986 @@ -154118,7 +154162,7 @@ index f18ae91..f033693 100644
4987 nla_put(skb, NDA_CACHEINFO, sizeof(ci), &ci))
4988 goto nla_put_failure;
4989
4990 -@@ -2870,7 +2870,7 @@ static int proc_unres_qlen(struct ctl_table *ctl, int write,
4991 +@@ -2874,7 +2874,7 @@ static int proc_unres_qlen(struct ctl_table *ctl, int write,
4992 void __user *buffer, size_t *lenp, loff_t *ppos)
4993 {
4994 int size, ret;
4995 @@ -154127,7 +154171,7 @@ index f18ae91..f033693 100644
4996
4997 tmp.extra1 = &zero;
4998 tmp.extra2 = &unres_qlen_max;
4999 -@@ -2932,7 +2932,7 @@ static int neigh_proc_dointvec_zero_intmax(struct ctl_table *ctl, int write,
5000 +@@ -2936,7 +2936,7 @@ static int neigh_proc_dointvec_zero_intmax(struct ctl_table *ctl, int write,
5001 void __user *buffer,
5002 size_t *lenp, loff_t *ppos)
5003 {
5004 @@ -157090,7 +157134,7 @@ index 6f32944..03cad65 100644
5005 table = kmemdup(ipv6_route_table_template,
5006 sizeof(ipv6_route_table_template),
5007 diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
5008 -index 8338430..602490e 100644
5009 +index 6c53e4e..6e83866 100644
5010 --- a/net/ipv6/sit.c
5011 +++ b/net/ipv6/sit.c
5012 @@ -74,7 +74,7 @@ static void ipip6_tunnel_setup(struct net_device *dev);
5013 @@ -184835,10 +184879,10 @@ index 0000000..00c7430
5014 +}
5015 diff --git a/scripts/gcc-plugins/size_overflow_plugin/size_overflow_hash.data b/scripts/gcc-plugins/size_overflow_plugin/size_overflow_hash.data
5016 new file mode 100644
5017 -index 0000000..bdcfd9a
5018 +index 0000000..e6b58b6
5019 --- /dev/null
5020 +++ b/scripts/gcc-plugins/size_overflow_plugin/size_overflow_hash.data
5021 -@@ -0,0 +1,21989 @@
5022 +@@ -0,0 +1,21990 @@
5023 +enable_so_recv_ctrl_pipe_us_data_0 recv_ctrl_pipe us_data 0 0 NULL
5024 +enable_so___earlyonly_bootmem_alloc_fndecl_3 __earlyonly_bootmem_alloc fndecl 2-3-4 3 NULL
5025 +enable_so_v9fs_xattr_get_acl_fndecl_4 v9fs_xattr_get_acl fndecl 5 4 NULL
5026 @@ -184976,6 +185020,7 @@ index 0000000..bdcfd9a
5027 +enable_so_fcp_resid_bnx2fc_cmd_412 fcp_resid bnx2fc_cmd 0 412 NULL
5028 +enable_so_base_cbuf_417 base cbuf 0 417 NULL
5029 +enable_so_mp_config_acpi_gsi_fndecl_419 mp_config_acpi_gsi fndecl 2 419 NULL
5030 ++enable_so_apparmor_setprocattr_fndecl_421 apparmor_setprocattr fndecl 4 421 NULL
5031 +enable_so_fat_short2uni_fndecl_423 fat_short2uni fndecl 0 423 NULL
5032 +enable_so_vol_reg_size_tas571x_chip_426 vol_reg_size tas571x_chip 0 426 NULL
5033 +enable_so_status_netdev_desc_430 status netdev_desc 0 430 NULL
5034 @@ -212148,7 +212193,7 @@ index f72f48f..769a657 100755
5035 # Find all available archs
5036 find_all_archs()
5037 diff --git a/security/Kconfig b/security/Kconfig
5038 -index e452378..e634654 100644
5039 +index e4523789..e634654 100644
5040 --- a/security/Kconfig
5041 +++ b/security/Kconfig
5042 @@ -4,6 +4,994 @@
5043 @@ -213184,7 +213229,7 @@ index c28b0f2..3b9fee0 100644
5044
5045 struct dentry *dents[AAFS_NS_SIZEOF];
5046 diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
5047 -index dec607c..37fe357 100644
5048 +index dec607c..53d479f 100644
5049 --- a/security/apparmor/lsm.c
5050 +++ b/security/apparmor/lsm.c
5051 @@ -176,7 +176,7 @@ static int common_perm_dir_dentry(int op, struct path *dir,
5052 @@ -213216,7 +213261,82 @@ index dec607c..37fe357 100644
5053 struct path_cond cond = { d_backing_inode(old_dentry)->i_uid,
5054 d_backing_inode(old_dentry)->i_mode
5055 };
5056 -@@ -677,11 +677,11 @@ static const struct kernel_param_ops param_ops_aalockpolicy = {
5057 +@@ -523,34 +523,34 @@ static int apparmor_setprocattr(struct task_struct *task, char *name,
5058 + {
5059 + struct common_audit_data sa;
5060 + struct apparmor_audit_data aad = {0,};
5061 +- char *command, *args = value;
5062 ++ char *command, *largs = NULL, *args = value;
5063 + size_t arg_size;
5064 + int error;
5065 +
5066 + if (size == 0)
5067 + return -EINVAL;
5068 +- /* args points to a PAGE_SIZE buffer, AppArmor requires that
5069 +- * the buffer must be null terminated or have size <= PAGE_SIZE -1
5070 +- * so that AppArmor can null terminate them
5071 +- */
5072 +- if (args[size - 1] != '\0') {
5073 +- if (size == PAGE_SIZE)
5074 +- return -EINVAL;
5075 +- args[size] = '\0';
5076 +- }
5077 +-
5078 + /* task can only write its own attributes */
5079 + if (current != task)
5080 + return -EACCES;
5081 +
5082 +- args = value;
5083 ++ /* AppArmor requires that the buffer must be null terminated atm */
5084 ++ if (args[size - 1] != '\0') {
5085 ++ /* null terminate */
5086 ++ largs = args = kmalloc(size + 1, GFP_KERNEL);
5087 ++ if (!args)
5088 ++ return -ENOMEM;
5089 ++ memcpy(args, value, size);
5090 ++ args[size] = '\0';
5091 ++ }
5092 ++
5093 ++ error = -EINVAL;
5094 + args = strim(args);
5095 + command = strsep(&args, " ");
5096 + if (!args)
5097 +- return -EINVAL;
5098 ++ goto out;
5099 + args = skip_spaces(args);
5100 + if (!*args)
5101 +- return -EINVAL;
5102 ++ goto out;
5103 +
5104 + arg_size = size - (args - (char *) value);
5105 + if (strcmp(name, "current") == 0) {
5106 +@@ -576,10 +576,12 @@ static int apparmor_setprocattr(struct task_struct *task, char *name,
5107 + goto fail;
5108 + } else
5109 + /* only support the "current" and "exec" process attributes */
5110 +- return -EINVAL;
5111 ++ goto fail;
5112 +
5113 + if (!error)
5114 + error = size;
5115 ++out:
5116 ++ kfree(largs);
5117 + return error;
5118 +
5119 + fail:
5120 +@@ -588,9 +590,9 @@ fail:
5121 + aad.profile = aa_current_profile();
5122 + aad.op = OP_SETPROCATTR;
5123 + aad.info = name;
5124 +- aad.error = -EINVAL;
5125 ++ aad.error = error = -EINVAL;
5126 + aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
5127 +- return -EINVAL;
5128 ++ goto out;
5129 + }
5130 +
5131 + static int apparmor_task_setrlimit(struct task_struct *task,
5132 +@@ -677,11 +679,11 @@ static const struct kernel_param_ops param_ops_aalockpolicy = {
5133 .get = param_get_aalockpolicy
5134 };
5135
5136 @@ -213232,7 +213352,7 @@ index dec607c..37fe357 100644
5137
5138 /* Flag values, also controllable via /sys/module/apparmor/parameters
5139 * We define special types as we want to do additional mediation.
5140 -@@ -791,7 +791,7 @@ static int param_get_aauint(char *buffer, const struct kernel_param *kp)
5141 +@@ -791,7 +793,7 @@ static int param_get_aauint(char *buffer, const struct kernel_param *kp)
5142 return param_get_uint(buffer, kp);
5143 }
5144
5145 @@ -213241,7 +213361,7 @@ index dec607c..37fe357 100644
5146 {
5147 if (!capable(CAP_MAC_ADMIN))
5148 return -EPERM;
5149 -@@ -802,7 +802,7 @@ static int param_get_audit(char *buffer, struct kernel_param *kp)
5150 +@@ -802,7 +804,7 @@ static int param_get_audit(char *buffer, struct kernel_param *kp)
5151 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
5152 }
5153
5154 @@ -213250,7 +213370,7 @@ index dec607c..37fe357 100644
5155 {
5156 int i;
5157 if (!capable(CAP_MAC_ADMIN))
5158 -@@ -824,7 +824,7 @@ static int param_set_audit(const char *val, struct kernel_param *kp)
5159 +@@ -824,7 +826,7 @@ static int param_set_audit(const char *val, struct kernel_param *kp)
5160 return -EINVAL;
5161 }
5162
5163 @@ -213259,7 +213379,7 @@ index dec607c..37fe357 100644
5164 {
5165 if (!capable(CAP_MAC_ADMIN))
5166 return -EPERM;
5167 -@@ -835,7 +835,7 @@ static int param_get_mode(char *buffer, struct kernel_param *kp)
5168 +@@ -835,7 +837,7 @@ static int param_get_mode(char *buffer, struct kernel_param *kp)
5169 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
5170 }
5171
5172
5173 diff --git a/4.6.3/4425_grsec_remove_EI_PAX.patch b/4.6.4/4425_grsec_remove_EI_PAX.patch
5174 similarity index 100%
5175 rename from 4.6.3/4425_grsec_remove_EI_PAX.patch
5176 rename to 4.6.4/4425_grsec_remove_EI_PAX.patch
5177
5178 diff --git a/4.6.3/4427_force_XATTR_PAX_tmpfs.patch b/4.6.4/4427_force_XATTR_PAX_tmpfs.patch
5179 similarity index 100%
5180 rename from 4.6.3/4427_force_XATTR_PAX_tmpfs.patch
5181 rename to 4.6.4/4427_force_XATTR_PAX_tmpfs.patch
5182
5183 diff --git a/4.6.3/4430_grsec-remove-localversion-grsec.patch b/4.6.4/4430_grsec-remove-localversion-grsec.patch
5184 similarity index 100%
5185 rename from 4.6.3/4430_grsec-remove-localversion-grsec.patch
5186 rename to 4.6.4/4430_grsec-remove-localversion-grsec.patch
5187
5188 diff --git a/4.6.3/4435_grsec-mute-warnings.patch b/4.6.4/4435_grsec-mute-warnings.patch
5189 similarity index 100%
5190 rename from 4.6.3/4435_grsec-mute-warnings.patch
5191 rename to 4.6.4/4435_grsec-mute-warnings.patch
5192
5193 diff --git a/4.6.3/4440_grsec-remove-protected-paths.patch b/4.6.4/4440_grsec-remove-protected-paths.patch
5194 similarity index 100%
5195 rename from 4.6.3/4440_grsec-remove-protected-paths.patch
5196 rename to 4.6.4/4440_grsec-remove-protected-paths.patch
5197
5198 diff --git a/4.6.3/4450_grsec-kconfig-default-gids.patch b/4.6.4/4450_grsec-kconfig-default-gids.patch
5199 similarity index 100%
5200 rename from 4.6.3/4450_grsec-kconfig-default-gids.patch
5201 rename to 4.6.4/4450_grsec-kconfig-default-gids.patch
5202
5203 diff --git a/4.6.3/4465_selinux-avc_audit-log-curr_ip.patch b/4.6.4/4465_selinux-avc_audit-log-curr_ip.patch
5204 similarity index 100%
5205 rename from 4.6.3/4465_selinux-avc_audit-log-curr_ip.patch
5206 rename to 4.6.4/4465_selinux-avc_audit-log-curr_ip.patch
5207
5208 diff --git a/4.6.3/4470_disable-compat_vdso.patch b/4.6.4/4470_disable-compat_vdso.patch
5209 similarity index 100%
5210 rename from 4.6.3/4470_disable-compat_vdso.patch
5211 rename to 4.6.4/4470_disable-compat_vdso.patch
5212
5213 diff --git a/4.6.3/4475_emutramp_default_on.patch b/4.6.4/4475_emutramp_default_on.patch
5214 similarity index 100%
5215 rename from 4.6.3/4475_emutramp_default_on.patch
5216 rename to 4.6.4/4475_emutramp_default_on.patch
Report Message
Find on MARC Find on Google Groups