Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:3.10 commit in: /
Date: Thu, 25 Feb 2016 20:31:15
Message-Id: 1456432260.7cadd67192ac4963f002a414373dce7cd7eea829.mpagano@gentoo
1 commit: 7cadd67192ac4963f002a414373dce7cd7eea829
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Thu Feb 25 20:31:00 2016 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Thu Feb 25 20:31:00 2016 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=7cadd671
7
8 Linux patch 3.10.98
9
10 0000_README | 4 +
11 1097_linux-3.10.98.patch | 1792 ++++++++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 1796 insertions(+)
13
14 diff --git a/0000_README b/0000_README
15 index f3215a3..180e0a0 100644
16 --- a/0000_README
17 +++ b/0000_README
18 @@ -430,6 +430,10 @@ Patch: 1096_linux-3.10.97.patch
19 From: http://www.kernel.org
20 Desc: Linux 3.10.97
21
22 +Patch: 1097_linux-3.10.98.patch
23 +From: http://www.kernel.org
24 +Desc: Linux 3.10.98
25 +
26 Patch: 1500_XATTR_USER_PREFIX.patch
27 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
28 Desc: Support for namespace user.pax.* on tmpfs.
29
30 diff --git a/1097_linux-3.10.98.patch b/1097_linux-3.10.98.patch
31 new file mode 100644
32 index 0000000..332f8fe
33 --- /dev/null
34 +++ b/1097_linux-3.10.98.patch
35 @@ -0,0 +1,1792 @@
36 +diff --git a/Makefile b/Makefile
37 +index f26470169c70..dadd1edc6f84 100644
38 +--- a/Makefile
39 ++++ b/Makefile
40 +@@ -1,6 +1,6 @@
41 + VERSION = 3
42 + PATCHLEVEL = 10
43 +-SUBLEVEL = 97
44 ++SUBLEVEL = 98
45 + EXTRAVERSION =
46 + NAME = TOSSUG Baby Fish
47 +
48 +diff --git a/arch/arm/common/icst.c b/arch/arm/common/icst.c
49 +index 2dc6da70ae59..d7ed252708c5 100644
50 +--- a/arch/arm/common/icst.c
51 ++++ b/arch/arm/common/icst.c
52 +@@ -16,7 +16,7 @@
53 + */
54 + #include <linux/module.h>
55 + #include <linux/kernel.h>
56 +-
57 ++#include <asm/div64.h>
58 + #include <asm/hardware/icst.h>
59 +
60 + /*
61 +@@ -29,7 +29,11 @@ EXPORT_SYMBOL(icst525_s2div);
62 +
63 + unsigned long icst_hz(const struct icst_params *p, struct icst_vco vco)
64 + {
65 +- return p->ref * 2 * (vco.v + 8) / ((vco.r + 2) * p->s2div[vco.s]);
66 ++ u64 dividend = p->ref * 2 * (u64)(vco.v + 8);
67 ++ u32 divisor = (vco.r + 2) * p->s2div[vco.s];
68 ++
69 ++ do_div(dividend, divisor);
70 ++ return (unsigned long)dividend;
71 + }
72 +
73 + EXPORT_SYMBOL(icst_hz);
74 +@@ -58,6 +62,7 @@ icst_hz_to_vco(const struct icst_params *p, unsigned long freq)
75 +
76 + if (f > p->vco_min && f <= p->vco_max)
77 + break;
78 ++ i++;
79 + } while (i < 8);
80 +
81 + if (i >= 8)
82 +diff --git a/arch/m32r/kernel/setup.c b/arch/m32r/kernel/setup.c
83 +index 0392112a5d70..a5ecef7188ba 100644
84 +--- a/arch/m32r/kernel/setup.c
85 ++++ b/arch/m32r/kernel/setup.c
86 +@@ -81,7 +81,10 @@ static struct resource code_resource = {
87 + };
88 +
89 + unsigned long memory_start;
90 ++EXPORT_SYMBOL(memory_start);
91 ++
92 + unsigned long memory_end;
93 ++EXPORT_SYMBOL(memory_end);
94 +
95 + void __init setup_arch(char **);
96 + int get_cpuinfo(char *);
97 +diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h
98 +index c48a95035a77..4dde707a6ff7 100644
99 +--- a/arch/x86/include/asm/segment.h
100 ++++ b/arch/x86/include/asm/segment.h
101 +@@ -212,8 +212,19 @@
102 + #define TLS_SIZE (GDT_ENTRY_TLS_ENTRIES * 8)
103 +
104 + #ifdef __KERNEL__
105 ++
106 ++/*
107 ++ * early_idt_handler_array is an array of entry points referenced in the
108 ++ * early IDT. For simplicity, it's a real array with one entry point
109 ++ * every nine bytes. That leaves room for an optional 'push $0' if the
110 ++ * vector has no error code (two bytes), a 'push $vector_number' (two
111 ++ * bytes), and a jump to the common entry code (up to five bytes).
112 ++ */
113 ++#define EARLY_IDT_HANDLER_SIZE 9
114 ++
115 + #ifndef __ASSEMBLY__
116 +-extern const char early_idt_handlers[NUM_EXCEPTION_VECTORS][2+2+5];
117 ++
118 ++extern const char early_idt_handler_array[NUM_EXCEPTION_VECTORS][EARLY_IDT_HANDLER_SIZE];
119 +
120 + /*
121 + * Load a segment. Fall back on loading the zero
122 +diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
123 +index 55b67614ed94..3b861b7661ee 100644
124 +--- a/arch/x86/kernel/head64.c
125 ++++ b/arch/x86/kernel/head64.c
126 +@@ -162,7 +162,7 @@ void __init x86_64_start_kernel(char * real_mode_data)
127 + clear_bss();
128 +
129 + for (i = 0; i < NUM_EXCEPTION_VECTORS; i++)
130 +- set_intr_gate(i, &early_idt_handlers[i]);
131 ++ set_intr_gate(i, &early_idt_handler_array[i]);
132 + load_idt((const struct desc_ptr *)&idt_descr);
133 +
134 + copy_bootdata(__va(real_mode_data));
135 +diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S
136 +index df63cae573e0..8060c8b95b3a 100644
137 +--- a/arch/x86/kernel/head_32.S
138 ++++ b/arch/x86/kernel/head_32.S
139 +@@ -499,21 +499,22 @@ check_x87:
140 + __INIT
141 + setup_once:
142 + /*
143 +- * Set up a idt with 256 entries pointing to ignore_int,
144 +- * interrupt gates. It doesn't actually load idt - that needs
145 +- * to be done on each CPU. Interrupts are enabled elsewhere,
146 +- * when we can be relatively sure everything is ok.
147 ++ * Set up a idt with 256 interrupt gates that push zero if there
148 ++ * is no error code and then jump to early_idt_handler_common.
149 ++ * It doesn't actually load the idt - that needs to be done on
150 ++ * each CPU. Interrupts are enabled elsewhere, when we can be
151 ++ * relatively sure everything is ok.
152 + */
153 +
154 + movl $idt_table,%edi
155 +- movl $early_idt_handlers,%eax
156 ++ movl $early_idt_handler_array,%eax
157 + movl $NUM_EXCEPTION_VECTORS,%ecx
158 + 1:
159 + movl %eax,(%edi)
160 + movl %eax,4(%edi)
161 + /* interrupt gate, dpl=0, present */
162 + movl $(0x8E000000 + __KERNEL_CS),2(%edi)
163 +- addl $9,%eax
164 ++ addl $EARLY_IDT_HANDLER_SIZE,%eax
165 + addl $8,%edi
166 + loop 1b
167 +
168 +@@ -545,26 +546,28 @@ setup_once:
169 + andl $0,setup_once_ref /* Once is enough, thanks */
170 + ret
171 +
172 +-ENTRY(early_idt_handlers)
173 ++ENTRY(early_idt_handler_array)
174 + # 36(%esp) %eflags
175 + # 32(%esp) %cs
176 + # 28(%esp) %eip
177 + # 24(%rsp) error code
178 + i = 0
179 + .rept NUM_EXCEPTION_VECTORS
180 +- .if (EXCEPTION_ERRCODE_MASK >> i) & 1
181 +- ASM_NOP2
182 +- .else
183 ++ .ifeq (EXCEPTION_ERRCODE_MASK >> i) & 1
184 + pushl $0 # Dummy error code, to make stack frame uniform
185 + .endif
186 + pushl $i # 20(%esp) Vector number
187 +- jmp early_idt_handler
188 ++ jmp early_idt_handler_common
189 + i = i + 1
190 ++ .fill early_idt_handler_array + i*EARLY_IDT_HANDLER_SIZE - ., 1, 0xcc
191 + .endr
192 +-ENDPROC(early_idt_handlers)
193 ++ENDPROC(early_idt_handler_array)
194 +
195 +- /* This is global to keep gas from relaxing the jumps */
196 +-ENTRY(early_idt_handler)
197 ++early_idt_handler_common:
198 ++ /*
199 ++ * The stack is the hardware frame, an error code or zero, and the
200 ++ * vector number.
201 ++ */
202 + cld
203 +
204 + cmpl $2,(%esp) # X86_TRAP_NMI
205 +@@ -624,7 +627,7 @@ ex_entry:
206 + is_nmi:
207 + addl $8,%esp /* drop vector number and error code */
208 + iret
209 +-ENDPROC(early_idt_handler)
210 ++ENDPROC(early_idt_handler_common)
211 +
212 + /* This is the default interrupt "handler" :-) */
213 + ALIGN
214 +diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
215 +index 3280489905a8..54bf9c2d0d13 100644
216 +--- a/arch/x86/kernel/head_64.S
217 ++++ b/arch/x86/kernel/head_64.S
218 +@@ -329,26 +329,28 @@ bad_address:
219 + jmp bad_address
220 +
221 + __INIT
222 +- .globl early_idt_handlers
223 +-early_idt_handlers:
224 ++ENTRY(early_idt_handler_array)
225 + # 104(%rsp) %rflags
226 + # 96(%rsp) %cs
227 + # 88(%rsp) %rip
228 + # 80(%rsp) error code
229 + i = 0
230 + .rept NUM_EXCEPTION_VECTORS
231 +- .if (EXCEPTION_ERRCODE_MASK >> i) & 1
232 +- ASM_NOP2
233 +- .else
234 ++ .ifeq (EXCEPTION_ERRCODE_MASK >> i) & 1
235 + pushq $0 # Dummy error code, to make stack frame uniform
236 + .endif
237 + pushq $i # 72(%rsp) Vector number
238 +- jmp early_idt_handler
239 ++ jmp early_idt_handler_common
240 + i = i + 1
241 ++ .fill early_idt_handler_array + i*EARLY_IDT_HANDLER_SIZE - ., 1, 0xcc
242 + .endr
243 ++ENDPROC(early_idt_handler_array)
244 +
245 +-/* This is global to keep gas from relaxing the jumps */
246 +-ENTRY(early_idt_handler)
247 ++early_idt_handler_common:
248 ++ /*
249 ++ * The stack is the hardware frame, an error code or zero, and the
250 ++ * vector number.
251 ++ */
252 + cld
253 +
254 + cmpl $2,(%rsp) # X86_TRAP_NMI
255 +@@ -420,7 +422,7 @@ ENTRY(early_idt_handler)
256 + is_nmi:
257 + addq $16,%rsp # drop vector number and error code
258 + INTERRUPT_RETURN
259 +-ENDPROC(early_idt_handler)
260 ++ENDPROC(early_idt_handler_common)
261 +
262 + __INITDATA
263 +
264 +diff --git a/block/blk-core.c b/block/blk-core.c
265 +index 5a750b18172e..9ae84ae05e6a 100644
266 +--- a/block/blk-core.c
267 ++++ b/block/blk-core.c
268 +@@ -3097,6 +3097,9 @@ int blk_pre_runtime_suspend(struct request_queue *q)
269 + {
270 + int ret = 0;
271 +
272 ++ if (!q->dev)
273 ++ return ret;
274 ++
275 + spin_lock_irq(q->queue_lock);
276 + if (q->nr_pending) {
277 + ret = -EBUSY;
278 +@@ -3124,6 +3127,9 @@ EXPORT_SYMBOL(blk_pre_runtime_suspend);
279 + */
280 + void blk_post_runtime_suspend(struct request_queue *q, int err)
281 + {
282 ++ if (!q->dev)
283 ++ return;
284 ++
285 + spin_lock_irq(q->queue_lock);
286 + if (!err) {
287 + q->rpm_status = RPM_SUSPENDED;
288 +@@ -3148,6 +3154,9 @@ EXPORT_SYMBOL(blk_post_runtime_suspend);
289 + */
290 + void blk_pre_runtime_resume(struct request_queue *q)
291 + {
292 ++ if (!q->dev)
293 ++ return;
294 ++
295 + spin_lock_irq(q->queue_lock);
296 + q->rpm_status = RPM_RESUMING;
297 + spin_unlock_irq(q->queue_lock);
298 +@@ -3170,6 +3179,9 @@ EXPORT_SYMBOL(blk_pre_runtime_resume);
299 + */
300 + void blk_post_runtime_resume(struct request_queue *q, int err)
301 + {
302 ++ if (!q->dev)
303 ++ return;
304 ++
305 + spin_lock_irq(q->queue_lock);
306 + if (!err) {
307 + q->rpm_status = RPM_ACTIVE;
308 +diff --git a/drivers/iio/adc/ad7793.c b/drivers/iio/adc/ad7793.c
309 +index 334e31ff7a4e..6bd0c1ade9f2 100644
310 +--- a/drivers/iio/adc/ad7793.c
311 ++++ b/drivers/iio/adc/ad7793.c
312 +@@ -101,7 +101,7 @@
313 + #define AD7795_CH_AIN1M_AIN1M 8 /* AIN1(-) - AIN1(-) */
314 +
315 + /* ID Register Bit Designations (AD7793_REG_ID) */
316 +-#define AD7785_ID 0xB
317 ++#define AD7785_ID 0x3
318 + #define AD7792_ID 0xA
319 + #define AD7793_ID 0xB
320 + #define AD7794_ID 0xF
321 +diff --git a/drivers/iio/dac/ad5064.c b/drivers/iio/dac/ad5064.c
322 +index aa26d50ab638..4eda4ea037b7 100644
323 +--- a/drivers/iio/dac/ad5064.c
324 ++++ b/drivers/iio/dac/ad5064.c
325 +@@ -602,10 +602,16 @@ static int ad5064_i2c_write(struct ad5064_state *st, unsigned int cmd,
326 + unsigned int addr, unsigned int val)
327 + {
328 + struct i2c_client *i2c = to_i2c_client(st->dev);
329 ++ int ret;
330 +
331 + st->data.i2c[0] = (cmd << 4) | addr;
332 + put_unaligned_be16(val, &st->data.i2c[1]);
333 +- return i2c_master_send(i2c, st->data.i2c, 3);
334 ++
335 ++ ret = i2c_master_send(i2c, st->data.i2c, 3);
336 ++ if (ret < 0)
337 ++ return ret;
338 ++
339 ++ return 0;
340 + }
341 +
342 + static int ad5064_i2c_probe(struct i2c_client *i2c,
343 +diff --git a/drivers/iio/dac/mcp4725.c b/drivers/iio/dac/mcp4725.c
344 +index a612ec766d96..029207bbf03d 100644
345 +--- a/drivers/iio/dac/mcp4725.c
346 ++++ b/drivers/iio/dac/mcp4725.c
347 +@@ -166,6 +166,7 @@ static int mcp4725_probe(struct i2c_client *client,
348 + data->client = client;
349 +
350 + indio_dev->dev.parent = &client->dev;
351 ++ indio_dev->name = id->name;
352 + indio_dev->info = &mcp4725_info;
353 + indio_dev->channels = &mcp4725_channel;
354 + indio_dev->num_channels = 1;
355 +diff --git a/drivers/iio/imu/adis_buffer.c b/drivers/iio/imu/adis_buffer.c
356 +index 99d8e0b0dd34..d0538bcdc1b8 100644
357 +--- a/drivers/iio/imu/adis_buffer.c
358 ++++ b/drivers/iio/imu/adis_buffer.c
359 +@@ -43,7 +43,7 @@ int adis_update_scan_mode(struct iio_dev *indio_dev,
360 + return -ENOMEM;
361 +
362 + rx = adis->buffer;
363 +- tx = rx + indio_dev->scan_bytes;
364 ++ tx = rx + scan_count;
365 +
366 + spi_message_init(&adis->msg);
367 +
368 +diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
369 +index 02099afb6c79..77f06d001a66 100644
370 +--- a/drivers/input/mouse/elantech.c
371 ++++ b/drivers/input/mouse/elantech.c
372 +@@ -1081,7 +1081,7 @@ static int elantech_set_input_params(struct psmouse *psmouse)
373 + input_set_abs_params(dev, ABS_TOOL_WIDTH, ETP_WMIN_V2,
374 + ETP_WMAX_V2, 0, 0);
375 + }
376 +- input_mt_init_slots(dev, 2, 0);
377 ++ input_mt_init_slots(dev, 2, INPUT_MT_SEMI_MT);
378 + input_set_abs_params(dev, ABS_MT_POSITION_X, x_min, x_max, 0, 0);
379 + input_set_abs_params(dev, ABS_MT_POSITION_Y, y_min, y_max, 0, 0);
380 + break;
381 +@@ -1357,6 +1357,13 @@ static const struct dmi_system_id no_hw_res_dmi_table[] = {
382 + DMI_MATCH(DMI_PRODUCT_NAME, "U2442"),
383 + },
384 + },
385 ++ {
386 ++ /* Fujitsu LIFEBOOK U745 does not work with crc_enabled == 0 */
387 ++ .matches = {
388 ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
389 ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U745"),
390 ++ },
391 ++ },
392 + #endif
393 + { }
394 + };
395 +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
396 +index 4de2571938b8..5102b4f68f18 100644
397 +--- a/drivers/input/serio/i8042-x86ia64io.h
398 ++++ b/drivers/input/serio/i8042-x86ia64io.h
399 +@@ -258,6 +258,13 @@ static const struct dmi_system_id __initconst i8042_dmi_nomux_table[] = {
400 + },
401 + },
402 + {
403 ++ /* Fujitsu Lifebook U745 */
404 ++ .matches = {
405 ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
406 ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U745"),
407 ++ },
408 ++ },
409 ++ {
410 + /* Fujitsu T70H */
411 + .matches = {
412 + DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
413 +diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c
414 +index a7967ceb79e6..3d4622cae2cf 100644
415 +--- a/drivers/iommu/dmar.c
416 ++++ b/drivers/iommu/dmar.c
417 +@@ -968,7 +968,7 @@ void dmar_disable_qi(struct intel_iommu *iommu)
418 +
419 + raw_spin_lock_irqsave(&iommu->register_lock, flags);
420 +
421 +- sts = dmar_readq(iommu->reg + DMAR_GSTS_REG);
422 ++ sts = readl(iommu->reg + DMAR_GSTS_REG);
423 + if (!(sts & DMA_GSTS_QIES))
424 + goto end;
425 +
426 +diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c
427 +index 45011f63ad16..990cc298824a 100644
428 +--- a/drivers/iommu/intel_irq_remapping.c
429 ++++ b/drivers/iommu/intel_irq_remapping.c
430 +@@ -495,7 +495,7 @@ static void iommu_disable_irq_remapping(struct intel_iommu *iommu)
431 +
432 + raw_spin_lock_irqsave(&iommu->register_lock, flags);
433 +
434 +- sts = dmar_readq(iommu->reg + DMAR_GSTS_REG);
435 ++ sts = readl(iommu->reg + DMAR_GSTS_REG);
436 + if (!(sts & DMA_GSTS_IRES))
437 + goto end;
438 +
439 +diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c
440 +index 5895f1978691..e98de425f8e0 100644
441 +--- a/drivers/net/wan/x25_asy.c
442 ++++ b/drivers/net/wan/x25_asy.c
443 +@@ -545,16 +545,12 @@ static void x25_asy_receive_buf(struct tty_struct *tty,
444 +
445 + static int x25_asy_open_tty(struct tty_struct *tty)
446 + {
447 +- struct x25_asy *sl = tty->disc_data;
448 ++ struct x25_asy *sl;
449 + int err;
450 +
451 + if (tty->ops->write == NULL)
452 + return -EOPNOTSUPP;
453 +
454 +- /* First make sure we're not already connected. */
455 +- if (sl && sl->magic == X25_ASY_MAGIC)
456 +- return -EEXIST;
457 +-
458 + /* OK. Find a free X.25 channel to use. */
459 + sl = x25_asy_alloc();
460 + if (sl == NULL)
461 +diff --git a/drivers/platform/x86/intel_scu_ipcutil.c b/drivers/platform/x86/intel_scu_ipcutil.c
462 +index 02bc5a6343c3..aa454241489c 100644
463 +--- a/drivers/platform/x86/intel_scu_ipcutil.c
464 ++++ b/drivers/platform/x86/intel_scu_ipcutil.c
465 +@@ -49,7 +49,7 @@ struct scu_ipc_data {
466 +
467 + static int scu_reg_access(u32 cmd, struct scu_ipc_data *data)
468 + {
469 +- int count = data->count;
470 ++ unsigned int count = data->count;
471 +
472 + if (count == 0 || count == 3 || count > 4)
473 + return -EINVAL;
474 +diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c
475 +index 69c915aa77c2..d661fcda1932 100644
476 +--- a/drivers/scsi/device_handler/scsi_dh_rdac.c
477 ++++ b/drivers/scsi/device_handler/scsi_dh_rdac.c
478 +@@ -569,7 +569,7 @@ static int mode_select_handle_sense(struct scsi_device *sdev,
479 + /*
480 + * Command Lock contention
481 + */
482 +- err = SCSI_DH_RETRY;
483 ++ err = SCSI_DH_IMM_RETRY;
484 + break;
485 + default:
486 + break;
487 +@@ -619,6 +619,8 @@ retry:
488 + err = mode_select_handle_sense(sdev, h->sense);
489 + if (err == SCSI_DH_RETRY && retry_cnt--)
490 + goto retry;
491 ++ if (err == SCSI_DH_IMM_RETRY)
492 ++ goto retry;
493 + }
494 + if (err == SCSI_DH_OK) {
495 + h->state = RDAC_STATE_ACTIVE;
496 +diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
497 +index 3cafe0d784b8..3020f1ff4abb 100644
498 +--- a/drivers/scsi/hosts.c
499 ++++ b/drivers/scsi/hosts.c
500 +@@ -305,6 +305,17 @@ static void scsi_host_dev_release(struct device *dev)
501 + kfree(queuedata);
502 + }
503 +
504 ++ if (shost->shost_state == SHOST_CREATED) {
505 ++ /*
506 ++ * Free the shost_dev device name here if scsi_host_alloc()
507 ++ * and scsi_host_put() have been called but neither
508 ++ * scsi_host_add() nor scsi_host_remove() has been called.
509 ++ * This avoids that the memory allocated for the shost_dev
510 ++ * name is leaked.
511 ++ */
512 ++ kfree(dev_name(&shost->shost_dev));
513 ++ }
514 ++
515 + scsi_destroy_command_freelist(shost);
516 + if (shost->bqt)
517 + blk_free_tags(shost->bqt);
518 +diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
519 +index 9e2dd478dd15..135d7b56fbe6 100644
520 +--- a/drivers/scsi/scsi_sysfs.c
521 ++++ b/drivers/scsi/scsi_sysfs.c
522 +@@ -789,7 +789,7 @@ sdev_store_queue_ramp_up_period(struct device *dev,
523 + return -EINVAL;
524 +
525 + sdev->queue_ramp_up_period = msecs_to_jiffies(period);
526 +- return period;
527 ++ return count;
528 + }
529 +
530 + static struct device_attribute sdev_attr_queue_ramp_up_period =
531 +@@ -1030,31 +1030,25 @@ static void __scsi_remove_target(struct scsi_target *starget)
532 + void scsi_remove_target(struct device *dev)
533 + {
534 + struct Scsi_Host *shost = dev_to_shost(dev->parent);
535 +- struct scsi_target *starget, *last = NULL;
536 ++ struct scsi_target *starget, *last_target = NULL;
537 + unsigned long flags;
538 +
539 +- /* remove targets being careful to lookup next entry before
540 +- * deleting the last
541 +- */
542 ++restart:
543 + spin_lock_irqsave(shost->host_lock, flags);
544 + list_for_each_entry(starget, &shost->__targets, siblings) {
545 +- if (starget->state == STARGET_DEL)
546 ++ if (starget->state == STARGET_DEL ||
547 ++ starget == last_target)
548 + continue;
549 + if (starget->dev.parent == dev || &starget->dev == dev) {
550 +- /* assuming new targets arrive at the end */
551 + kref_get(&starget->reap_ref);
552 ++ last_target = starget;
553 + spin_unlock_irqrestore(shost->host_lock, flags);
554 +- if (last)
555 +- scsi_target_reap(last);
556 +- last = starget;
557 + __scsi_remove_target(starget);
558 +- spin_lock_irqsave(shost->host_lock, flags);
559 ++ scsi_target_reap(starget);
560 ++ goto restart;
561 + }
562 + }
563 + spin_unlock_irqrestore(shost->host_lock, flags);
564 +-
565 +- if (last)
566 +- scsi_target_reap(last);
567 + }
568 + EXPORT_SYMBOL(scsi_remove_target);
569 +
570 +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
571 +index 26b543bc4f53..4afce0e838a2 100644
572 +--- a/drivers/scsi/sd.c
573 ++++ b/drivers/scsi/sd.c
574 +@@ -3090,8 +3090,8 @@ static int sd_suspend(struct device *dev)
575 + struct scsi_disk *sdkp = scsi_disk_get_from_dev(dev);
576 + int ret = 0;
577 +
578 +- if (!sdkp)
579 +- return 0; /* this can happen */
580 ++ if (!sdkp) /* E.g.: runtime suspend following sd_remove() */
581 ++ return 0;
582 +
583 + if (sdkp->WCE) {
584 + sd_printk(KERN_NOTICE, sdkp, "Synchronizing SCSI cache\n");
585 +@@ -3115,6 +3115,9 @@ static int sd_resume(struct device *dev)
586 + struct scsi_disk *sdkp = scsi_disk_get_from_dev(dev);
587 + int ret = 0;
588 +
589 ++ if (!sdkp) /* E.g.: runtime resume at the start of sd_probe() */
590 ++ return 0;
591 ++
592 + if (!sdkp->device->manage_start_stop)
593 + goto done;
594 +
595 +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
596 +index 721d839d6c54..0be16bf5f0cd 100644
597 +--- a/drivers/scsi/sg.c
598 ++++ b/drivers/scsi/sg.c
599 +@@ -1258,7 +1258,7 @@ sg_mmap(struct file *filp, struct vm_area_struct *vma)
600 + }
601 +
602 + sfp->mmap_called = 1;
603 +- vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;
604 ++ vma->vm_flags |= VM_IO | VM_DONTEXPAND | VM_DONTDUMP;
605 + vma->vm_private_data = sfp;
606 + vma->vm_ops = &sg_mmap_vm_ops;
607 + return 0;
608 +diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
609 +index 119d67f9c47e..1ac9943cbb93 100644
610 +--- a/drivers/scsi/sr.c
611 ++++ b/drivers/scsi/sr.c
612 +@@ -142,6 +142,9 @@ static int sr_runtime_suspend(struct device *dev)
613 + {
614 + struct scsi_cd *cd = dev_get_drvdata(dev);
615 +
616 ++ if (!cd) /* E.g.: runtime suspend following sr_remove() */
617 ++ return 0;
618 ++
619 + if (cd->media_present)
620 + return -EBUSY;
621 + else
622 +@@ -1006,6 +1009,7 @@ static int sr_remove(struct device *dev)
623 +
624 + blk_queue_prep_rq(cd->device->request_queue, scsi_prep_fn);
625 + del_gendisk(cd->disk);
626 ++ dev_set_drvdata(dev, NULL);
627 +
628 + mutex_lock(&sr_ref_mutex);
629 + kref_put(&cd->kref, sr_kref_release);
630 +diff --git a/drivers/staging/iio/adc/lpc32xx_adc.c b/drivers/staging/iio/adc/lpc32xx_adc.c
631 +index 2f2f7fdd0691..9cbe2dd70499 100644
632 +--- a/drivers/staging/iio/adc/lpc32xx_adc.c
633 ++++ b/drivers/staging/iio/adc/lpc32xx_adc.c
634 +@@ -76,7 +76,7 @@ static int lpc32xx_read_raw(struct iio_dev *indio_dev,
635 +
636 + if (mask == IIO_CHAN_INFO_RAW) {
637 + mutex_lock(&indio_dev->mlock);
638 +- clk_enable(info->clk);
639 ++ clk_prepare_enable(info->clk);
640 + /* Measurement setup */
641 + __raw_writel(AD_INTERNAL | (chan->address) | AD_REFp | AD_REFm,
642 + LPC32XX_ADC_SELECT(info->adc_base));
643 +@@ -84,7 +84,7 @@ static int lpc32xx_read_raw(struct iio_dev *indio_dev,
644 + __raw_writel(AD_PDN_CTRL | AD_STROBE,
645 + LPC32XX_ADC_CTRL(info->adc_base));
646 + wait_for_completion(&info->completion); /* set by ISR */
647 +- clk_disable(info->clk);
648 ++ clk_disable_unprepare(info->clk);
649 + *val = info->value;
650 + mutex_unlock(&indio_dev->mlock);
651 +
652 +diff --git a/drivers/staging/speakup/selection.c b/drivers/staging/speakup/selection.c
653 +index b9359753784e..364978e63d8d 100644
654 +--- a/drivers/staging/speakup/selection.c
655 ++++ b/drivers/staging/speakup/selection.c
656 +@@ -139,7 +139,9 @@ static void __speakup_paste_selection(struct work_struct *work)
657 + struct tty_ldisc *ld;
658 + DECLARE_WAITQUEUE(wait, current);
659 +
660 +- ld = tty_ldisc_ref_wait(tty);
661 ++ ld = tty_ldisc_ref(tty);
662 ++ if (!ld)
663 ++ goto tty_unref;
664 +
665 + /* FIXME: this is completely unsafe */
666 + add_wait_queue(&vc->paste_wait, &wait);
667 +@@ -158,6 +160,7 @@ static void __speakup_paste_selection(struct work_struct *work)
668 + current->state = TASK_RUNNING;
669 +
670 + tty_ldisc_deref(ld);
671 ++tty_unref:
672 + tty_kref_put(tty);
673 + }
674 +
675 +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
676 +index 06cd916f91fe..d74da9598d58 100644
677 +--- a/drivers/target/iscsi/iscsi_target.c
678 ++++ b/drivers/target/iscsi/iscsi_target.c
679 +@@ -3960,6 +3960,17 @@ reject:
680 + return iscsit_add_reject(conn, ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf);
681 + }
682 +
683 ++static bool iscsi_target_check_conn_state(struct iscsi_conn *conn)
684 ++{
685 ++ bool ret;
686 ++
687 ++ spin_lock_bh(&conn->state_lock);
688 ++ ret = (conn->conn_state != TARG_CONN_STATE_LOGGED_IN);
689 ++ spin_unlock_bh(&conn->state_lock);
690 ++
691 ++ return ret;
692 ++}
693 ++
694 + int iscsi_target_rx_thread(void *arg)
695 + {
696 + int ret, rc;
697 +@@ -3977,7 +3988,7 @@ int iscsi_target_rx_thread(void *arg)
698 + * incoming iscsi/tcp socket I/O, and/or failing the connection.
699 + */
700 + rc = wait_for_completion_interruptible(&conn->rx_login_comp);
701 +- if (rc < 0)
702 ++ if (rc < 0 || iscsi_target_check_conn_state(conn))
703 + return 0;
704 +
705 + if (conn->conn_transport->transport_type == ISCSI_INFINIBAND) {
706 +diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c
707 +index c45b3365d63d..200d779d0c03 100644
708 +--- a/drivers/target/iscsi/iscsi_target_configfs.c
709 ++++ b/drivers/target/iscsi/iscsi_target_configfs.c
710 +@@ -1730,7 +1730,8 @@ static void lio_tpg_release_fabric_acl(
711 + }
712 +
713 + /*
714 +- * Called with spin_lock_bh(struct se_portal_group->session_lock) held..
715 ++ * Called with spin_lock_irq(struct se_portal_group->session_lock) held
716 ++ * or not held.
717 + *
718 + * Also, this function calls iscsit_inc_session_usage_count() on the
719 + * struct iscsi_session in question.
720 +@@ -1738,19 +1739,32 @@ static void lio_tpg_release_fabric_acl(
721 + static int lio_tpg_shutdown_session(struct se_session *se_sess)
722 + {
723 + struct iscsi_session *sess = se_sess->fabric_sess_ptr;
724 ++ struct se_portal_group *se_tpg = se_sess->se_tpg;
725 ++ bool local_lock = false;
726 ++
727 ++ if (!spin_is_locked(&se_tpg->session_lock)) {
728 ++ spin_lock_irq(&se_tpg->session_lock);
729 ++ local_lock = true;
730 ++ }
731 +
732 + spin_lock(&sess->conn_lock);
733 + if (atomic_read(&sess->session_fall_back_to_erl0) ||
734 + atomic_read(&sess->session_logout) ||
735 + (sess->time2retain_timer_flags & ISCSI_TF_EXPIRED)) {
736 + spin_unlock(&sess->conn_lock);
737 ++ if (local_lock)
738 ++ spin_unlock_irq(&sess->conn_lock);
739 + return 0;
740 + }
741 + atomic_set(&sess->session_reinstatement, 1);
742 + spin_unlock(&sess->conn_lock);
743 +
744 + iscsit_stop_time2retain_timer(sess);
745 ++ spin_unlock_irq(&se_tpg->session_lock);
746 ++
747 + iscsit_stop_session(sess, 1, 1);
748 ++ if (!local_lock)
749 ++ spin_lock_irq(&se_tpg->session_lock);
750 +
751 + return 1;
752 + }
753 +diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c
754 +index 77c276acccb6..2a61a01142e9 100644
755 +--- a/drivers/target/iscsi/iscsi_target_nego.c
756 ++++ b/drivers/target/iscsi/iscsi_target_nego.c
757 +@@ -384,6 +384,7 @@ err:
758 + if (login->login_complete) {
759 + if (conn->rx_thread && conn->rx_thread_active) {
760 + send_sig(SIGINT, conn->rx_thread, 1);
761 ++ complete(&conn->rx_login_comp);
762 + kthread_stop(conn->rx_thread);
763 + }
764 + if (conn->tx_thread && conn->tx_thread_active) {
765 +diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
766 +index 7cb36813aac2..deee2b81afff 100644
767 +--- a/drivers/tty/pty.c
768 ++++ b/drivers/tty/pty.c
769 +@@ -623,7 +623,14 @@ static void pty_unix98_remove(struct tty_driver *driver, struct tty_struct *tty)
770 + /* this is called once with whichever end is closed last */
771 + static void pty_unix98_shutdown(struct tty_struct *tty)
772 + {
773 +- devpts_kill_index(tty->driver_data, tty->index);
774 ++ struct inode *ptmx_inode;
775 ++
776 ++ if (tty->driver->subtype == PTY_TYPE_MASTER)
777 ++ ptmx_inode = tty->driver_data;
778 ++ else
779 ++ ptmx_inode = tty->link->driver_data;
780 ++ devpts_kill_index(ptmx_inode, tty->index);
781 ++ devpts_del_ref(ptmx_inode);
782 + }
783 +
784 + static const struct tty_operations ptm_unix98_ops = {
785 +@@ -714,6 +721,18 @@ static int ptmx_open(struct inode *inode, struct file *filp)
786 + set_bit(TTY_PTY_LOCK, &tty->flags); /* LOCK THE SLAVE */
787 + tty->driver_data = inode;
788 +
789 ++ /*
790 ++ * In the case where all references to ptmx inode are dropped and we
791 ++ * still have /dev/tty opened pointing to the master/slave pair (ptmx
792 ++ * is closed/released before /dev/tty), we must make sure that the inode
793 ++ * is still valid when we call the final pty_unix98_shutdown, thus we
794 ++ * hold an additional reference to the ptmx inode. For the same /dev/tty
795 ++ * last close case, we also need to make sure the super_block isn't
796 ++ * destroyed (devpts instance unmounted), before /dev/tty is closed and
797 ++ * on its release devpts_kill_index is called.
798 ++ */
799 ++ devpts_add_ref(inode);
800 ++
801 + tty_add_file(tty, filp);
802 +
803 + slave_inode = devpts_pty_new(inode,
804 +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
805 +index 9dd6fa3a1260..507677b9bdc7 100644
806 +--- a/drivers/usb/host/xhci.c
807 ++++ b/drivers/usb/host/xhci.c
808 +@@ -1502,7 +1502,9 @@ int xhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
809 + if (temp == 0xffffffff || (xhci->xhc_state & XHCI_STATE_HALTED)) {
810 + xhci_dbg(xhci, "HW died, freeing TD.\n");
811 + urb_priv = urb->hcpriv;
812 +- for (i = urb_priv->td_cnt; i < urb_priv->length; i++) {
813 ++ for (i = urb_priv->td_cnt;
814 ++ i < urb_priv->length && xhci->devs[urb->dev->slot_id];
815 ++ i++) {
816 + td = urb_priv->td[i];
817 + if (!list_empty(&td->td_list))
818 + list_del_init(&td->td_list);
819 +diff --git a/fs/aio.c b/fs/aio.c
820 +index ded94c4fa30d..9798d4edfd8f 100644
821 +--- a/fs/aio.c
822 ++++ b/fs/aio.c
823 +@@ -977,12 +977,17 @@ static ssize_t aio_setup_vectored_rw(int rw, struct kiocb *kiocb, bool compat)
824 +
825 + static ssize_t aio_setup_single_vector(int rw, struct kiocb *kiocb)
826 + {
827 +- if (unlikely(!access_ok(!rw, kiocb->ki_buf, kiocb->ki_nbytes)))
828 +- return -EFAULT;
829 ++ size_t len = kiocb->ki_nbytes;
830 ++
831 ++ if (len > MAX_RW_COUNT)
832 ++ len = MAX_RW_COUNT;
833 ++
834 ++ if (unlikely(!access_ok(!rw, kiocb->ki_buf, len)))
835 ++ return -EFAULT;
836 +
837 + kiocb->ki_iovec = &kiocb->ki_inline_vec;
838 + kiocb->ki_iovec->iov_base = kiocb->ki_buf;
839 +- kiocb->ki_iovec->iov_len = kiocb->ki_nbytes;
840 ++ kiocb->ki_iovec->iov_len = len;
841 + kiocb->ki_nr_segs = 1;
842 + return 0;
843 + }
844 +diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c
845 +index d85f90c92bb4..bca854b44056 100644
846 +--- a/fs/btrfs/backref.c
847 ++++ b/fs/btrfs/backref.c
848 +@@ -1228,7 +1228,8 @@ char *btrfs_ref_to_path(struct btrfs_root *fs_root, struct btrfs_path *path,
849 + read_extent_buffer(eb, dest + bytes_left,
850 + name_off, name_len);
851 + if (eb != eb_in) {
852 +- btrfs_tree_read_unlock_blocking(eb);
853 ++ if (!path->skip_locking)
854 ++ btrfs_tree_read_unlock_blocking(eb);
855 + free_extent_buffer(eb);
856 + }
857 + ret = inode_ref_info(parent, 0, fs_root, path, &found_key);
858 +@@ -1247,9 +1248,10 @@ char *btrfs_ref_to_path(struct btrfs_root *fs_root, struct btrfs_path *path,
859 + eb = path->nodes[0];
860 + /* make sure we can use eb after releasing the path */
861 + if (eb != eb_in) {
862 +- atomic_inc(&eb->refs);
863 +- btrfs_tree_read_lock(eb);
864 +- btrfs_set_lock_blocking_rw(eb, BTRFS_READ_LOCK);
865 ++ if (!path->skip_locking)
866 ++ btrfs_set_lock_blocking_rw(eb, BTRFS_READ_LOCK);
867 ++ path->nodes[0] = NULL;
868 ++ path->locks[0] = 0;
869 + }
870 + btrfs_release_path(path);
871 + iref = btrfs_item_ptr(eb, slot, struct btrfs_inode_ref);
872 +diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
873 +index 5c807b23ca67..182e82f22b3a 100644
874 +--- a/fs/cifs/cifsencrypt.c
875 ++++ b/fs/cifs/cifsencrypt.c
876 +@@ -591,7 +591,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
877 +
878 + ses->auth_key.response = kmalloc(baselen + tilen, GFP_KERNEL);
879 + if (!ses->auth_key.response) {
880 +- rc = ENOMEM;
881 ++ rc = -ENOMEM;
882 + ses->auth_key.len = 0;
883 + goto setup_ntlmv2_rsp_ret;
884 + }
885 +diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c
886 +index a726b9f29cb7..61af24e379ad 100644
887 +--- a/fs/devpts/inode.c
888 ++++ b/fs/devpts/inode.c
889 +@@ -564,6 +564,26 @@ void devpts_kill_index(struct inode *ptmx_inode, int idx)
890 + mutex_unlock(&allocated_ptys_lock);
891 + }
892 +
893 ++/*
894 ++ * pty code needs to hold extra references in case of last /dev/tty close
895 ++ */
896 ++
897 ++void devpts_add_ref(struct inode *ptmx_inode)
898 ++{
899 ++ struct super_block *sb = pts_sb_from_inode(ptmx_inode);
900 ++
901 ++ atomic_inc(&sb->s_active);
902 ++ ihold(ptmx_inode);
903 ++}
904 ++
905 ++void devpts_del_ref(struct inode *ptmx_inode)
906 ++{
907 ++ struct super_block *sb = pts_sb_from_inode(ptmx_inode);
908 ++
909 ++ iput(ptmx_inode);
910 ++ deactivate_super(sb);
911 ++}
912 ++
913 + /**
914 + * devpts_pty_new -- create a new inode in /dev/pts/
915 + * @ptmx_inode: inode of the master
916 +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
917 +index fa7d2e668c3a..cf0a70486618 100644
918 +--- a/fs/ext4/resize.c
919 ++++ b/fs/ext4/resize.c
920 +@@ -181,7 +181,7 @@ static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned long flexbg_size)
921 + if (flex_gd == NULL)
922 + goto out3;
923 +
924 +- if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_flex_group_data))
925 ++ if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_group_data))
926 + goto out2;
927 + flex_gd->count = flexbg_size;
928 +
929 +diff --git a/fs/fuse/file.c b/fs/fuse/file.c
930 +index 4fafb8484bbc..35f604b5f408 100644
931 +--- a/fs/fuse/file.c
932 ++++ b/fs/fuse/file.c
933 +@@ -993,6 +993,7 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req,
934 +
935 + mark_page_accessed(page);
936 +
937 ++ iov_iter_advance(ii, tmp);
938 + if (!tmp) {
939 + unlock_page(page);
940 + page_cache_release(page);
941 +@@ -1005,7 +1006,6 @@ static ssize_t fuse_fill_write_pages(struct fuse_req *req,
942 + req->page_descs[req->num_pages].length = tmp;
943 + req->num_pages++;
944 +
945 +- iov_iter_advance(ii, tmp);
946 + count += tmp;
947 + pos += tmp;
948 + offset += tmp;
949 +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
950 +index 78679b489484..d8ac734a1e44 100644
951 +--- a/fs/nfs/nfs4proc.c
952 ++++ b/fs/nfs/nfs4proc.c
953 +@@ -1005,6 +1005,7 @@ static void __update_open_stateid(struct nfs4_state *state, nfs4_stateid *open_s
954 + * Protect the call to nfs4_state_set_mode_locked and
955 + * serialise the stateid update
956 + */
957 ++ spin_lock(&state->owner->so_lock);
958 + write_seqlock(&state->seqlock);
959 + if (deleg_stateid != NULL) {
960 + nfs4_stateid_copy(&state->stateid, deleg_stateid);
961 +@@ -1013,7 +1014,6 @@ static void __update_open_stateid(struct nfs4_state *state, nfs4_stateid *open_s
962 + if (open_stateid != NULL)
963 + nfs_set_open_stateid_locked(state, open_stateid, fmode);
964 + write_sequnlock(&state->seqlock);
965 +- spin_lock(&state->owner->so_lock);
966 + update_open_stateflags(state, fmode);
967 + spin_unlock(&state->owner->so_lock);
968 + }
969 +diff --git a/fs/proc/array.c b/fs/proc/array.c
970 +index 09f0d9c374a3..5c45eb5e4e0d 100644
971 +--- a/fs/proc/array.c
972 ++++ b/fs/proc/array.c
973 +@@ -398,7 +398,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
974 +
975 + state = *get_task_state(task);
976 + vsize = eip = esp = 0;
977 +- permitted = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT);
978 ++ permitted = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS | PTRACE_MODE_NOAUDIT);
979 + mm = get_task_mm(task);
980 + if (mm) {
981 + vsize = task_vsize(mm);
982 +diff --git a/fs/proc/base.c b/fs/proc/base.c
983 +index 8fc784aef0b8..7b5d453ebf53 100644
984 +--- a/fs/proc/base.c
985 ++++ b/fs/proc/base.c
986 +@@ -239,7 +239,7 @@ out:
987 +
988 + static int proc_pid_auxv(struct task_struct *task, char *buffer)
989 + {
990 +- struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ);
991 ++ struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);
992 + int res = PTR_ERR(mm);
993 + if (mm && !IS_ERR(mm)) {
994 + unsigned int nwords = 0;
995 +@@ -269,7 +269,7 @@ static int proc_pid_wchan(struct task_struct *task, char *buffer)
996 + wchan = get_wchan(task);
997 +
998 + if (lookup_symbol_name(wchan, symname) < 0)
999 +- if (!ptrace_may_access(task, PTRACE_MODE_READ))
1000 ++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
1001 + return 0;
1002 + else
1003 + return sprintf(buffer, "%lu", wchan);
1004 +@@ -283,7 +283,7 @@ static int lock_trace(struct task_struct *task)
1005 + int err = mutex_lock_killable(&task->signal->cred_guard_mutex);
1006 + if (err)
1007 + return err;
1008 +- if (!ptrace_may_access(task, PTRACE_MODE_ATTACH)) {
1009 ++ if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_FSCREDS)) {
1010 + mutex_unlock(&task->signal->cred_guard_mutex);
1011 + return -EPERM;
1012 + }
1013 +@@ -557,7 +557,7 @@ static int proc_fd_access_allowed(struct inode *inode)
1014 + */
1015 + task = get_proc_task(inode);
1016 + if (task) {
1017 +- allowed = ptrace_may_access(task, PTRACE_MODE_READ);
1018 ++ allowed = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);
1019 + put_task_struct(task);
1020 + }
1021 + return allowed;
1022 +@@ -592,7 +592,7 @@ static bool has_pid_permissions(struct pid_namespace *pid,
1023 + return true;
1024 + if (in_group_p(pid->pid_gid))
1025 + return true;
1026 +- return ptrace_may_access(task, PTRACE_MODE_READ);
1027 ++ return ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);
1028 + }
1029 +
1030 +
1031 +@@ -707,7 +707,7 @@ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode)
1032 + if (!task)
1033 + return -ESRCH;
1034 +
1035 +- mm = mm_access(task, mode);
1036 ++ mm = mm_access(task, mode | PTRACE_MODE_FSCREDS);
1037 + put_task_struct(task);
1038 +
1039 + if (IS_ERR(mm))
1040 +@@ -1761,7 +1761,7 @@ static int map_files_d_revalidate(struct dentry *dentry, unsigned int flags)
1041 + if (!task)
1042 + goto out_notask;
1043 +
1044 +- mm = mm_access(task, PTRACE_MODE_READ);
1045 ++ mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);
1046 + if (IS_ERR_OR_NULL(mm))
1047 + goto out;
1048 +
1049 +@@ -1896,7 +1896,7 @@ static struct dentry *proc_map_files_lookup(struct inode *dir,
1050 + goto out;
1051 +
1052 + result = ERR_PTR(-EACCES);
1053 +- if (!ptrace_may_access(task, PTRACE_MODE_READ))
1054 ++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
1055 + goto out_put_task;
1056 +
1057 + result = ERR_PTR(-ENOENT);
1058 +@@ -1952,7 +1952,7 @@ proc_map_files_readdir(struct file *filp, void *dirent, filldir_t filldir)
1059 + goto out;
1060 +
1061 + ret = -EACCES;
1062 +- if (!ptrace_may_access(task, PTRACE_MODE_READ))
1063 ++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
1064 + goto out_put_task;
1065 +
1066 + ret = 0;
1067 +@@ -2488,7 +2488,7 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
1068 + if (result)
1069 + return result;
1070 +
1071 +- if (!ptrace_may_access(task, PTRACE_MODE_READ)) {
1072 ++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) {
1073 + result = -EACCES;
1074 + goto out_unlock;
1075 + }
1076 +diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c
1077 +index 54bdc6701e9f..ac49a8d4aaf8 100644
1078 +--- a/fs/proc/namespaces.c
1079 ++++ b/fs/proc/namespaces.c
1080 +@@ -125,7 +125,7 @@ static void *proc_ns_follow_link(struct dentry *dentry, struct nameidata *nd)
1081 + if (!task)
1082 + goto out;
1083 +
1084 +- if (!ptrace_may_access(task, PTRACE_MODE_READ))
1085 ++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
1086 + goto out_put_task;
1087 +
1088 + ns_path.dentry = proc_ns_get_dentry(sb, task, ei->ns.ns_ops);
1089 +@@ -158,7 +158,7 @@ static int proc_ns_readlink(struct dentry *dentry, char __user *buffer, int bufl
1090 + if (!task)
1091 + goto out;
1092 +
1093 +- if (!ptrace_may_access(task, PTRACE_MODE_READ))
1094 ++ if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
1095 + goto out_put_task;
1096 +
1097 + len = -ENOENT;
1098 +diff --git a/fs/udf/inode.c b/fs/udf/inode.c
1099 +index 789814f27438..5c1120a5fa42 100644
1100 +--- a/fs/udf/inode.c
1101 ++++ b/fs/udf/inode.c
1102 +@@ -2055,14 +2055,29 @@ void udf_write_aext(struct inode *inode, struct extent_position *epos,
1103 + epos->offset += adsize;
1104 + }
1105 +
1106 ++/*
1107 ++ * Only 1 indirect extent in a row really makes sense but allow upto 16 in case
1108 ++ * someone does some weird stuff.
1109 ++ */
1110 ++#define UDF_MAX_INDIR_EXTS 16
1111 ++
1112 + int8_t udf_next_aext(struct inode *inode, struct extent_position *epos,
1113 + struct kernel_lb_addr *eloc, uint32_t *elen, int inc)
1114 + {
1115 + int8_t etype;
1116 ++ unsigned int indirections = 0;
1117 +
1118 + while ((etype = udf_current_aext(inode, epos, eloc, elen, inc)) ==
1119 + (EXT_NEXT_EXTENT_ALLOCDECS >> 30)) {
1120 + int block;
1121 ++
1122 ++ if (++indirections > UDF_MAX_INDIR_EXTS) {
1123 ++ udf_err(inode->i_sb,
1124 ++ "too many indirect extents in inode %lu\n",
1125 ++ inode->i_ino);
1126 ++ return -1;
1127 ++ }
1128 ++
1129 + epos->block = *eloc;
1130 + epos->offset = sizeof(struct allocExtDesc);
1131 + brelse(epos->bh);
1132 +diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c
1133 +index 44b815e57f94..685fbd8a2937 100644
1134 +--- a/fs/udf/unicode.c
1135 ++++ b/fs/udf/unicode.c
1136 +@@ -132,11 +132,15 @@ int udf_CS0toUTF8(struct ustr *utf_o, const struct ustr *ocu_i)
1137 + if (c < 0x80U)
1138 + utf_o->u_name[utf_o->u_len++] = (uint8_t)c;
1139 + else if (c < 0x800U) {
1140 ++ if (utf_o->u_len > (UDF_NAME_LEN - 4))
1141 ++ break;
1142 + utf_o->u_name[utf_o->u_len++] =
1143 + (uint8_t)(0xc0 | (c >> 6));
1144 + utf_o->u_name[utf_o->u_len++] =
1145 + (uint8_t)(0x80 | (c & 0x3f));
1146 + } else {
1147 ++ if (utf_o->u_len > (UDF_NAME_LEN - 5))
1148 ++ break;
1149 + utf_o->u_name[utf_o->u_len++] =
1150 + (uint8_t)(0xe0 | (c >> 12));
1151 + utf_o->u_name[utf_o->u_len++] =
1152 +@@ -177,17 +181,22 @@ int udf_CS0toUTF8(struct ustr *utf_o, const struct ustr *ocu_i)
1153 + static int udf_UTF8toCS0(dstring *ocu, struct ustr *utf, int length)
1154 + {
1155 + unsigned c, i, max_val, utf_char;
1156 +- int utf_cnt, u_len;
1157 ++ int utf_cnt, u_len, u_ch;
1158 +
1159 + memset(ocu, 0, sizeof(dstring) * length);
1160 + ocu[0] = 8;
1161 + max_val = 0xffU;
1162 ++ u_ch = 1;
1163 +
1164 + try_again:
1165 + u_len = 0U;
1166 + utf_char = 0U;
1167 + utf_cnt = 0U;
1168 + for (i = 0U; i < utf->u_len; i++) {
1169 ++ /* Name didn't fit? */
1170 ++ if (u_len + 1 + u_ch >= length)
1171 ++ return 0;
1172 ++
1173 + c = (uint8_t)utf->u_name[i];
1174 +
1175 + /* Complete a multi-byte UTF-8 character */
1176 +@@ -229,6 +238,7 @@ try_again:
1177 + if (max_val == 0xffU) {
1178 + max_val = 0xffffU;
1179 + ocu[0] = (uint8_t)0x10U;
1180 ++ u_ch = 2;
1181 + goto try_again;
1182 + }
1183 + goto error_out;
1184 +@@ -281,7 +291,7 @@ static int udf_CS0toNLS(struct nls_table *nls, struct ustr *utf_o,
1185 + c = (c << 8) | ocu[i++];
1186 +
1187 + len = nls->uni2char(c, &utf_o->u_name[utf_o->u_len],
1188 +- UDF_NAME_LEN - utf_o->u_len);
1189 ++ UDF_NAME_LEN - 2 - utf_o->u_len);
1190 + /* Valid character? */
1191 + if (len >= 0)
1192 + utf_o->u_len += len;
1193 +@@ -299,15 +309,19 @@ static int udf_NLStoCS0(struct nls_table *nls, dstring *ocu, struct ustr *uni,
1194 + int len;
1195 + unsigned i, max_val;
1196 + uint16_t uni_char;
1197 +- int u_len;
1198 ++ int u_len, u_ch;
1199 +
1200 + memset(ocu, 0, sizeof(dstring) * length);
1201 + ocu[0] = 8;
1202 + max_val = 0xffU;
1203 ++ u_ch = 1;
1204 +
1205 + try_again:
1206 + u_len = 0U;
1207 + for (i = 0U; i < uni->u_len; i++) {
1208 ++ /* Name didn't fit? */
1209 ++ if (u_len + 1 + u_ch >= length)
1210 ++ return 0;
1211 + len = nls->char2uni(&uni->u_name[i], uni->u_len - i, &uni_char);
1212 + if (!len)
1213 + continue;
1214 +@@ -320,6 +334,7 @@ try_again:
1215 + if (uni_char > max_val) {
1216 + max_val = 0xffffU;
1217 + ocu[0] = (uint8_t)0x10U;
1218 ++ u_ch = 2;
1219 + goto try_again;
1220 + }
1221 +
1222 +diff --git a/include/linux/compiler.h b/include/linux/compiler.h
1223 +index a2329c5e6206..a2ce6f8871c4 100644
1224 +--- a/include/linux/compiler.h
1225 ++++ b/include/linux/compiler.h
1226 +@@ -131,7 +131,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
1227 + */
1228 + #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
1229 + #define __trace_if(cond) \
1230 +- if (__builtin_constant_p((cond)) ? !!(cond) : \
1231 ++ if (__builtin_constant_p(!!(cond)) ? !!(cond) : \
1232 + ({ \
1233 + int ______r; \
1234 + static struct ftrace_branch_data \
1235 +diff --git a/include/linux/devpts_fs.h b/include/linux/devpts_fs.h
1236 +index 251a2090a554..e0ee0b3000b2 100644
1237 +--- a/include/linux/devpts_fs.h
1238 ++++ b/include/linux/devpts_fs.h
1239 +@@ -19,6 +19,8 @@
1240 +
1241 + int devpts_new_index(struct inode *ptmx_inode);
1242 + void devpts_kill_index(struct inode *ptmx_inode, int idx);
1243 ++void devpts_add_ref(struct inode *ptmx_inode);
1244 ++void devpts_del_ref(struct inode *ptmx_inode);
1245 + /* mknod in devpts */
1246 + struct inode *devpts_pty_new(struct inode *ptmx_inode, dev_t device, int index,
1247 + void *priv);
1248 +@@ -32,6 +34,8 @@ void devpts_pty_kill(struct inode *inode);
1249 + /* Dummy stubs in the no-pty case */
1250 + static inline int devpts_new_index(struct inode *ptmx_inode) { return -EINVAL; }
1251 + static inline void devpts_kill_index(struct inode *ptmx_inode, int idx) { }
1252 ++static inline void devpts_add_ref(struct inode *ptmx_inode) { }
1253 ++static inline void devpts_del_ref(struct inode *ptmx_inode) { }
1254 + static inline struct inode *devpts_pty_new(struct inode *ptmx_inode,
1255 + dev_t device, int index, void *priv)
1256 + {
1257 +diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h
1258 +index bb980ae6d9d3..6af8988f5ddd 100644
1259 +--- a/include/linux/ptrace.h
1260 ++++ b/include/linux/ptrace.h
1261 +@@ -56,7 +56,29 @@ extern void exit_ptrace(struct task_struct *tracer);
1262 + #define PTRACE_MODE_READ 0x01
1263 + #define PTRACE_MODE_ATTACH 0x02
1264 + #define PTRACE_MODE_NOAUDIT 0x04
1265 +-/* Returns true on success, false on denial. */
1266 ++#define PTRACE_MODE_FSCREDS 0x08
1267 ++#define PTRACE_MODE_REALCREDS 0x10
1268 ++
1269 ++/* shorthands for READ/ATTACH and FSCREDS/REALCREDS combinations */
1270 ++#define PTRACE_MODE_READ_FSCREDS (PTRACE_MODE_READ | PTRACE_MODE_FSCREDS)
1271 ++#define PTRACE_MODE_READ_REALCREDS (PTRACE_MODE_READ | PTRACE_MODE_REALCREDS)
1272 ++#define PTRACE_MODE_ATTACH_FSCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS)
1273 ++#define PTRACE_MODE_ATTACH_REALCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS)
1274 ++
1275 ++/**
1276 ++ * ptrace_may_access - check whether the caller is permitted to access
1277 ++ * a target task.
1278 ++ * @task: target task
1279 ++ * @mode: selects type of access and caller credentials
1280 ++ *
1281 ++ * Returns true on success, false on denial.
1282 ++ *
1283 ++ * One of the flags PTRACE_MODE_FSCREDS and PTRACE_MODE_REALCREDS must
1284 ++ * be set in @mode to specify whether the access was requested through
1285 ++ * a filesystem syscall (should use effective capabilities and fsuid
1286 ++ * of the caller) or through an explicit syscall such as
1287 ++ * process_vm_writev or ptrace (and should use the real credentials).
1288 ++ */
1289 + extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
1290 +
1291 + static inline int ptrace_reparented(struct task_struct *child)
1292 +diff --git a/include/linux/radix-tree.h b/include/linux/radix-tree.h
1293 +index ffc444c38b0a..e02e09f85fad 100644
1294 +--- a/include/linux/radix-tree.h
1295 ++++ b/include/linux/radix-tree.h
1296 +@@ -322,12 +322,28 @@ void **radix_tree_next_chunk(struct radix_tree_root *root,
1297 + struct radix_tree_iter *iter, unsigned flags);
1298 +
1299 + /**
1300 ++ * radix_tree_iter_retry - retry this chunk of the iteration
1301 ++ * @iter: iterator state
1302 ++ *
1303 ++ * If we iterate over a tree protected only by the RCU lock, a race
1304 ++ * against deletion or creation may result in seeing a slot for which
1305 ++ * radix_tree_deref_retry() returns true. If so, call this function
1306 ++ * and continue the iteration.
1307 ++ */
1308 ++static inline __must_check
1309 ++void **radix_tree_iter_retry(struct radix_tree_iter *iter)
1310 ++{
1311 ++ iter->next_index = iter->index;
1312 ++ return NULL;
1313 ++}
1314 ++
1315 ++/**
1316 + * radix_tree_chunk_size - get current chunk size
1317 + *
1318 + * @iter: pointer to radix tree iterator
1319 + * Returns: current chunk size
1320 + */
1321 +-static __always_inline unsigned
1322 ++static __always_inline long
1323 + radix_tree_chunk_size(struct radix_tree_iter *iter)
1324 + {
1325 + return iter->next_index - iter->index;
1326 +@@ -361,9 +377,9 @@ radix_tree_next_slot(void **slot, struct radix_tree_iter *iter, unsigned flags)
1327 + return slot + offset + 1;
1328 + }
1329 + } else {
1330 +- unsigned size = radix_tree_chunk_size(iter) - 1;
1331 ++ long size = radix_tree_chunk_size(iter);
1332 +
1333 +- while (size--) {
1334 ++ while (--size > 0) {
1335 + slot++;
1336 + iter->index++;
1337 + if (likely(*slot))
1338 +diff --git a/kernel/events/core.c b/kernel/events/core.c
1339 +index d9b0aad17dbf..0f5207839673 100644
1340 +--- a/kernel/events/core.c
1341 ++++ b/kernel/events/core.c
1342 +@@ -2938,7 +2938,7 @@ find_lively_task_by_vpid(pid_t vpid)
1343 +
1344 + /* Reuse ptrace permission checks for now. */
1345 + err = -EACCES;
1346 +- if (!ptrace_may_access(task, PTRACE_MODE_READ))
1347 ++ if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS))
1348 + goto errout;
1349 +
1350 + return task;
1351 +@@ -5639,6 +5639,10 @@ static int perf_tp_filter_match(struct perf_event *event,
1352 + {
1353 + void *record = data->raw->data;
1354 +
1355 ++ /* only top level events have filters set */
1356 ++ if (event->parent)
1357 ++ event = event->parent;
1358 ++
1359 + if (likely(!event->filter) || filter_match_preds(event->filter, record))
1360 + return 1;
1361 + return 0;
1362 +diff --git a/kernel/futex.c b/kernel/futex.c
1363 +index 625a4e659e7a..edc4beae4df1 100644
1364 +--- a/kernel/futex.c
1365 ++++ b/kernel/futex.c
1366 +@@ -2494,6 +2494,11 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
1367 + if (q.pi_state && (q.pi_state->owner != current)) {
1368 + spin_lock(q.lock_ptr);
1369 + ret = fixup_pi_state_owner(uaddr2, &q, current);
1370 ++ /*
1371 ++ * Drop the reference to the pi state which
1372 ++ * the requeue_pi() code acquired for us.
1373 ++ */
1374 ++ free_pi_state(q.pi_state);
1375 + spin_unlock(q.lock_ptr);
1376 + }
1377 + } else {
1378 +@@ -2620,7 +2625,7 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
1379 + }
1380 +
1381 + ret = -EPERM;
1382 +- if (!ptrace_may_access(p, PTRACE_MODE_READ))
1383 ++ if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
1384 + goto err_unlock;
1385 +
1386 + head = p->robust_list;
1387 +diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c
1388 +index f9f44fd4d34d..3888617a1f9e 100644
1389 +--- a/kernel/futex_compat.c
1390 ++++ b/kernel/futex_compat.c
1391 +@@ -155,7 +155,7 @@ COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid,
1392 + }
1393 +
1394 + ret = -EPERM;
1395 +- if (!ptrace_may_access(p, PTRACE_MODE_READ))
1396 ++ if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
1397 + goto err_unlock;
1398 +
1399 + head = p->compat_robust_list;
1400 +diff --git a/kernel/kcmp.c b/kernel/kcmp.c
1401 +index 0aa69ea1d8fd..3a47fa998fe0 100644
1402 +--- a/kernel/kcmp.c
1403 ++++ b/kernel/kcmp.c
1404 +@@ -122,8 +122,8 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type,
1405 + &task2->signal->cred_guard_mutex);
1406 + if (ret)
1407 + goto err;
1408 +- if (!ptrace_may_access(task1, PTRACE_MODE_READ) ||
1409 +- !ptrace_may_access(task2, PTRACE_MODE_READ)) {
1410 ++ if (!ptrace_may_access(task1, PTRACE_MODE_READ_REALCREDS) ||
1411 ++ !ptrace_may_access(task2, PTRACE_MODE_READ_REALCREDS)) {
1412 + ret = -EPERM;
1413 + goto err_unlock;
1414 + }
1415 +diff --git a/kernel/module.c b/kernel/module.c
1416 +index fd2afdf48a89..70a4754c001f 100644
1417 +--- a/kernel/module.c
1418 ++++ b/kernel/module.c
1419 +@@ -3398,6 +3398,11 @@ static inline int is_arm_mapping_symbol(const char *str)
1420 + && (str[2] == '\0' || str[2] == '.');
1421 + }
1422 +
1423 ++static const char *symname(struct module *mod, unsigned int symnum)
1424 ++{
1425 ++ return mod->strtab + mod->symtab[symnum].st_name;
1426 ++}
1427 ++
1428 + static const char *get_ksymbol(struct module *mod,
1429 + unsigned long addr,
1430 + unsigned long *size,
1431 +@@ -3420,15 +3425,15 @@ static const char *get_ksymbol(struct module *mod,
1432 +
1433 + /* We ignore unnamed symbols: they're uninformative
1434 + * and inserted at a whim. */
1435 ++ if (*symname(mod, i) == '\0'
1436 ++ || is_arm_mapping_symbol(symname(mod, i)))
1437 ++ continue;
1438 ++
1439 + if (mod->symtab[i].st_value <= addr
1440 +- && mod->symtab[i].st_value > mod->symtab[best].st_value
1441 +- && *(mod->strtab + mod->symtab[i].st_name) != '\0'
1442 +- && !is_arm_mapping_symbol(mod->strtab + mod->symtab[i].st_name))
1443 ++ && mod->symtab[i].st_value > mod->symtab[best].st_value)
1444 + best = i;
1445 + if (mod->symtab[i].st_value > addr
1446 +- && mod->symtab[i].st_value < nextval
1447 +- && *(mod->strtab + mod->symtab[i].st_name) != '\0'
1448 +- && !is_arm_mapping_symbol(mod->strtab + mod->symtab[i].st_name))
1449 ++ && mod->symtab[i].st_value < nextval)
1450 + nextval = mod->symtab[i].st_value;
1451 + }
1452 +
1453 +@@ -3439,7 +3444,7 @@ static const char *get_ksymbol(struct module *mod,
1454 + *size = nextval - mod->symtab[best].st_value;
1455 + if (offset)
1456 + *offset = addr - mod->symtab[best].st_value;
1457 +- return mod->strtab + mod->symtab[best].st_name;
1458 ++ return symname(mod, best);
1459 + }
1460 +
1461 + /* For kallsyms to ask for address resolution. NULL means not found. Careful
1462 +@@ -3540,8 +3545,7 @@ int module_get_kallsym(unsigned int symnum, unsigned long *value, char *type,
1463 + if (symnum < mod->num_symtab) {
1464 + *value = mod->symtab[symnum].st_value;
1465 + *type = mod->symtab[symnum].st_info;
1466 +- strlcpy(name, mod->strtab + mod->symtab[symnum].st_name,
1467 +- KSYM_NAME_LEN);
1468 ++ strlcpy(name, symname(mod, symnum), KSYM_NAME_LEN);
1469 + strlcpy(module_name, mod->name, MODULE_NAME_LEN);
1470 + *exported = is_exported(name, *value, mod);
1471 + preempt_enable();
1472 +@@ -3558,7 +3562,7 @@ static unsigned long mod_find_symname(struct module *mod, const char *name)
1473 + unsigned int i;
1474 +
1475 + for (i = 0; i < mod->num_symtab; i++)
1476 +- if (strcmp(name, mod->strtab+mod->symtab[i].st_name) == 0 &&
1477 ++ if (strcmp(name, symname(mod, i)) == 0 &&
1478 + mod->symtab[i].st_info != 'U')
1479 + return mod->symtab[i].st_value;
1480 + return 0;
1481 +@@ -3602,7 +3606,7 @@ int module_kallsyms_on_each_symbol(int (*fn)(void *, const char *,
1482 + if (mod->state == MODULE_STATE_UNFORMED)
1483 + continue;
1484 + for (i = 0; i < mod->num_symtab; i++) {
1485 +- ret = fn(data, mod->strtab + mod->symtab[i].st_name,
1486 ++ ret = fn(data, symname(mod, i),
1487 + mod, mod->symtab[i].st_value);
1488 + if (ret != 0)
1489 + return ret;
1490 +diff --git a/kernel/ptrace.c b/kernel/ptrace.c
1491 +index 30ab20623bca..72b0b3e0e065 100644
1492 +--- a/kernel/ptrace.c
1493 ++++ b/kernel/ptrace.c
1494 +@@ -225,6 +225,14 @@ static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
1495 + static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
1496 + {
1497 + const struct cred *cred = current_cred(), *tcred;
1498 ++ int dumpable = 0;
1499 ++ kuid_t caller_uid;
1500 ++ kgid_t caller_gid;
1501 ++
1502 ++ if (!(mode & PTRACE_MODE_FSCREDS) == !(mode & PTRACE_MODE_REALCREDS)) {
1503 ++ WARN(1, "denying ptrace access check without PTRACE_MODE_*CREDS\n");
1504 ++ return -EPERM;
1505 ++ }
1506 +
1507 + /* May we inspect the given task?
1508 + * This check is used both for attaching with ptrace
1509 +@@ -234,18 +242,33 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
1510 + * because setting up the necessary parent/child relationship
1511 + * or halting the specified task is impossible.
1512 + */
1513 +- int dumpable = 0;
1514 ++
1515 + /* Don't let security modules deny introspection */
1516 + if (same_thread_group(task, current))
1517 + return 0;
1518 + rcu_read_lock();
1519 ++ if (mode & PTRACE_MODE_FSCREDS) {
1520 ++ caller_uid = cred->fsuid;
1521 ++ caller_gid = cred->fsgid;
1522 ++ } else {
1523 ++ /*
1524 ++ * Using the euid would make more sense here, but something
1525 ++ * in userland might rely on the old behavior, and this
1526 ++ * shouldn't be a security problem since
1527 ++ * PTRACE_MODE_REALCREDS implies that the caller explicitly
1528 ++ * used a syscall that requests access to another process
1529 ++ * (and not a filesystem syscall to procfs).
1530 ++ */
1531 ++ caller_uid = cred->uid;
1532 ++ caller_gid = cred->gid;
1533 ++ }
1534 + tcred = __task_cred(task);
1535 +- if (uid_eq(cred->uid, tcred->euid) &&
1536 +- uid_eq(cred->uid, tcred->suid) &&
1537 +- uid_eq(cred->uid, tcred->uid) &&
1538 +- gid_eq(cred->gid, tcred->egid) &&
1539 +- gid_eq(cred->gid, tcred->sgid) &&
1540 +- gid_eq(cred->gid, tcred->gid))
1541 ++ if (uid_eq(caller_uid, tcred->euid) &&
1542 ++ uid_eq(caller_uid, tcred->suid) &&
1543 ++ uid_eq(caller_uid, tcred->uid) &&
1544 ++ gid_eq(caller_gid, tcred->egid) &&
1545 ++ gid_eq(caller_gid, tcred->sgid) &&
1546 ++ gid_eq(caller_gid, tcred->gid))
1547 + goto ok;
1548 + if (ptrace_has_cap(tcred->user_ns, mode))
1549 + goto ok;
1550 +@@ -312,7 +335,7 @@ static int ptrace_attach(struct task_struct *task, long request,
1551 + goto out;
1552 +
1553 + task_lock(task);
1554 +- retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
1555 ++ retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS);
1556 + task_unlock(task);
1557 + if (retval)
1558 + goto unlock_creds;
1559 +diff --git a/lib/dma-debug.c b/lib/dma-debug.c
1560 +index d87a17a819d0..eb43517bf261 100644
1561 +--- a/lib/dma-debug.c
1562 ++++ b/lib/dma-debug.c
1563 +@@ -962,7 +962,7 @@ static inline bool overlap(void *addr, unsigned long len, void *start, void *end
1564 +
1565 + static void check_for_illegal_area(struct device *dev, void *addr, unsigned long len)
1566 + {
1567 +- if (overlap(addr, len, _text, _etext) ||
1568 ++ if (overlap(addr, len, _stext, _etext) ||
1569 + overlap(addr, len, __start_rodata, __end_rodata))
1570 + err_printk(dev, NULL, "DMA-API: device driver maps memory from kernel text or rodata [addr=%p] [len=%lu]\n", addr, len);
1571 + }
1572 +diff --git a/lib/klist.c b/lib/klist.c
1573 +index 358a368a2947..2e59aecbec0d 100644
1574 +--- a/lib/klist.c
1575 ++++ b/lib/klist.c
1576 +@@ -282,9 +282,9 @@ void klist_iter_init_node(struct klist *k, struct klist_iter *i,
1577 + struct klist_node *n)
1578 + {
1579 + i->i_klist = k;
1580 +- i->i_cur = n;
1581 +- if (n)
1582 +- kref_get(&n->n_ref);
1583 ++ i->i_cur = NULL;
1584 ++ if (n && kref_get_unless_zero(&n->n_ref))
1585 ++ i->i_cur = n;
1586 + }
1587 + EXPORT_SYMBOL_GPL(klist_iter_init_node);
1588 +
1589 +diff --git a/lib/radix-tree.c b/lib/radix-tree.c
1590 +index e7964296fd50..936a02c1c77b 100644
1591 +--- a/lib/radix-tree.c
1592 ++++ b/lib/radix-tree.c
1593 +@@ -1015,9 +1015,13 @@ radix_tree_gang_lookup(struct radix_tree_root *root, void **results,
1594 + return 0;
1595 +
1596 + radix_tree_for_each_slot(slot, root, &iter, first_index) {
1597 +- results[ret] = indirect_to_ptr(rcu_dereference_raw(*slot));
1598 ++ results[ret] = rcu_dereference_raw(*slot);
1599 + if (!results[ret])
1600 + continue;
1601 ++ if (radix_tree_is_indirect_ptr(results[ret])) {
1602 ++ slot = radix_tree_iter_retry(&iter);
1603 ++ continue;
1604 ++ }
1605 + if (++ret == max_items)
1606 + break;
1607 + }
1608 +@@ -1094,9 +1098,13 @@ radix_tree_gang_lookup_tag(struct radix_tree_root *root, void **results,
1609 + return 0;
1610 +
1611 + radix_tree_for_each_tagged(slot, root, &iter, first_index, tag) {
1612 +- results[ret] = indirect_to_ptr(rcu_dereference_raw(*slot));
1613 ++ results[ret] = rcu_dereference_raw(*slot);
1614 + if (!results[ret])
1615 + continue;
1616 ++ if (radix_tree_is_indirect_ptr(results[ret])) {
1617 ++ slot = radix_tree_iter_retry(&iter);
1618 ++ continue;
1619 ++ }
1620 + if (++ret == max_items)
1621 + break;
1622 + }
1623 +diff --git a/mm/memcontrol.c b/mm/memcontrol.c
1624 +index eaa3accb01e7..437ae2cbe102 100644
1625 +--- a/mm/memcontrol.c
1626 ++++ b/mm/memcontrol.c
1627 +@@ -5790,16 +5790,17 @@ static void mem_cgroup_usage_unregister_event(struct cgroup *cgrp,
1628 + swap_buffers:
1629 + /* Swap primary and spare array */
1630 + thresholds->spare = thresholds->primary;
1631 +- /* If all events are unregistered, free the spare array */
1632 +- if (!new) {
1633 +- kfree(thresholds->spare);
1634 +- thresholds->spare = NULL;
1635 +- }
1636 +
1637 + rcu_assign_pointer(thresholds->primary, new);
1638 +
1639 + /* To be sure that nobody uses thresholds */
1640 + synchronize_rcu();
1641 ++
1642 ++ /* If all events are unregistered, free the spare array */
1643 ++ if (!new) {
1644 ++ kfree(thresholds->spare);
1645 ++ thresholds->spare = NULL;
1646 ++ }
1647 + unlock:
1648 + mutex_unlock(&memcg->thresholds_lock);
1649 + }
1650 +diff --git a/mm/memory-failure.c b/mm/memory-failure.c
1651 +index f97d709594e6..37df20faddd5 100644
1652 +--- a/mm/memory-failure.c
1653 ++++ b/mm/memory-failure.c
1654 +@@ -1472,7 +1472,7 @@ static int get_any_page(struct page *page, unsigned long pfn, int flags)
1655 + * Did it turn free?
1656 + */
1657 + ret = __get_any_page(page, pfn, 0);
1658 +- if (!PageLRU(page)) {
1659 ++ if (ret == 1 && !PageLRU(page)) {
1660 + /* Drop page reference which is from __get_any_page() */
1661 + put_page(page);
1662 + pr_info("soft_offline: %#lx: unknown non LRU page type %lx\n",
1663 +diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
1664 +index d85d3a0e06ce..7f1bf93fa87f 100644
1665 +--- a/mm/memory_hotplug.c
1666 ++++ b/mm/memory_hotplug.c
1667 +@@ -1209,23 +1209,30 @@ int is_mem_section_removable(unsigned long start_pfn, unsigned long nr_pages)
1668 + */
1669 + static int test_pages_in_a_zone(unsigned long start_pfn, unsigned long end_pfn)
1670 + {
1671 +- unsigned long pfn;
1672 ++ unsigned long pfn, sec_end_pfn;
1673 + struct zone *zone = NULL;
1674 + struct page *page;
1675 + int i;
1676 +- for (pfn = start_pfn;
1677 ++ for (pfn = start_pfn, sec_end_pfn = SECTION_ALIGN_UP(start_pfn);
1678 + pfn < end_pfn;
1679 +- pfn += MAX_ORDER_NR_PAGES) {
1680 +- i = 0;
1681 +- /* This is just a CONFIG_HOLES_IN_ZONE check.*/
1682 +- while ((i < MAX_ORDER_NR_PAGES) && !pfn_valid_within(pfn + i))
1683 +- i++;
1684 +- if (i == MAX_ORDER_NR_PAGES)
1685 ++ pfn = sec_end_pfn + 1, sec_end_pfn += PAGES_PER_SECTION) {
1686 ++ /* Make sure the memory section is present first */
1687 ++ if (!present_section_nr(pfn_to_section_nr(pfn)))
1688 + continue;
1689 +- page = pfn_to_page(pfn + i);
1690 +- if (zone && page_zone(page) != zone)
1691 +- return 0;
1692 +- zone = page_zone(page);
1693 ++ for (; pfn < sec_end_pfn && pfn < end_pfn;
1694 ++ pfn += MAX_ORDER_NR_PAGES) {
1695 ++ i = 0;
1696 ++ /* This is just a CONFIG_HOLES_IN_ZONE check.*/
1697 ++ while ((i < MAX_ORDER_NR_PAGES) &&
1698 ++ !pfn_valid_within(pfn + i))
1699 ++ i++;
1700 ++ if (i == MAX_ORDER_NR_PAGES)
1701 ++ continue;
1702 ++ page = pfn_to_page(pfn + i);
1703 ++ if (zone && page_zone(page) != zone)
1704 ++ return 0;
1705 ++ zone = page_zone(page);
1706 ++ }
1707 + }
1708 + return 1;
1709 + }
1710 +diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c
1711 +index fd26d0433509..e739825be8b3 100644
1712 +--- a/mm/process_vm_access.c
1713 ++++ b/mm/process_vm_access.c
1714 +@@ -298,7 +298,7 @@ static ssize_t process_vm_rw_core(pid_t pid, const struct iovec *lvec,
1715 + goto free_proc_pages;
1716 + }
1717 +
1718 +- mm = mm_access(task, PTRACE_MODE_ATTACH);
1719 ++ mm = mm_access(task, PTRACE_MODE_ATTACH_REALCREDS);
1720 + if (!mm || IS_ERR(mm)) {
1721 + rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
1722 + /*
1723 +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
1724 +index 9ec416552cc5..8d69df16f6a8 100644
1725 +--- a/net/ipv6/ip6mr.c
1726 ++++ b/net/ipv6/ip6mr.c
1727 +@@ -336,7 +336,7 @@ static struct mr6_table *ip6mr_new_table(struct net *net, u32 id)
1728 +
1729 + static void ip6mr_free_table(struct mr6_table *mrt)
1730 + {
1731 +- del_timer(&mrt->ipmr_expire_timer);
1732 ++ del_timer_sync(&mrt->ipmr_expire_timer);
1733 + mroute_clean_tables(mrt, true);
1734 + kfree(mrt);
1735 + }
1736 +diff --git a/scripts/bloat-o-meter b/scripts/bloat-o-meter
1737 +index 6129020c41a9..81228a443122 100755
1738 +--- a/scripts/bloat-o-meter
1739 ++++ b/scripts/bloat-o-meter
1740 +@@ -55,8 +55,8 @@ for name in common:
1741 + delta.sort()
1742 + delta.reverse()
1743 +
1744 +-print "add/remove: %s/%s grow/shrink: %s/%s up/down: %s/%s (%s)" % \
1745 +- (add, remove, grow, shrink, up, -down, up-down)
1746 +-print "%-40s %7s %7s %+7s" % ("function", "old", "new", "delta")
1747 ++print("add/remove: %s/%s grow/shrink: %s/%s up/down: %s/%s (%s)" % \
1748 ++ (add, remove, grow, shrink, up, -down, up-down))
1749 ++print("%-40s %7s %7s %+7s" % ("function", "old", "new", "delta"))
1750 + for d, n in delta:
1751 +- if d: print "%-40s %7s %7s %+7d" % (n, old.get(n,"-"), new.get(n,"-"), d)
1752 ++ if d: print("%-40s %7s %7s %+7d" % (n, old.get(n,"-"), new.get(n,"-"), d))
1753 +diff --git a/security/commoncap.c b/security/commoncap.c
1754 +index c9219a66b7c6..4fd7bf2b19e1 100644
1755 +--- a/security/commoncap.c
1756 ++++ b/security/commoncap.c
1757 +@@ -142,12 +142,17 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
1758 + {
1759 + int ret = 0;
1760 + const struct cred *cred, *child_cred;
1761 ++ const kernel_cap_t *caller_caps;
1762 +
1763 + rcu_read_lock();
1764 + cred = current_cred();
1765 + child_cred = __task_cred(child);
1766 ++ if (mode & PTRACE_MODE_FSCREDS)
1767 ++ caller_caps = &cred->cap_effective;
1768 ++ else
1769 ++ caller_caps = &cred->cap_permitted;
1770 + if (cred->user_ns == child_cred->user_ns &&
1771 +- cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
1772 ++ cap_issubset(child_cred->cap_permitted, *caller_caps))
1773 + goto out;
1774 + if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
1775 + goto out;
1776 +diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
1777 +index 67c91d226552..ee0522a8f730 100644
1778 +--- a/sound/core/seq/seq_ports.c
1779 ++++ b/sound/core/seq/seq_ports.c
1780 +@@ -540,19 +540,22 @@ static void delete_and_unsubscribe_port(struct snd_seq_client *client,
1781 + bool is_src, bool ack)
1782 + {
1783 + struct snd_seq_port_subs_info *grp;
1784 ++ struct list_head *list;
1785 ++ bool empty;
1786 +
1787 + grp = is_src ? &port->c_src : &port->c_dest;
1788 ++ list = is_src ? &subs->src_list : &subs->dest_list;
1789 + down_write(&grp->list_mutex);
1790 + write_lock_irq(&grp->list_lock);
1791 +- if (is_src)
1792 +- list_del(&subs->src_list);
1793 +- else
1794 +- list_del(&subs->dest_list);
1795 ++ empty = list_empty(list);
1796 ++ if (!empty)
1797 ++ list_del_init(list);
1798 + grp->exclusive = 0;
1799 + write_unlock_irq(&grp->list_lock);
1800 + up_write(&grp->list_mutex);
1801 +
1802 +- unsubscribe_port(client, port, grp, &subs->info, ack);
1803 ++ if (!empty)
1804 ++ unsubscribe_port(client, port, grp, &subs->info, ack);
1805 + }
1806 +
1807 + /* connect two ports */
1808 +diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c
1809 +index 82b0606dcb8a..c3efcf2f816b 100644
1810 +--- a/tools/lib/traceevent/event-parse.c
1811 ++++ b/tools/lib/traceevent/event-parse.c
1812 +@@ -4190,13 +4190,12 @@ static void pretty_print(struct trace_seq *s, void *data, int size, struct event
1813 + sizeof(long) != 8) {
1814 + char *p;
1815 +
1816 +- ls = 2;
1817 + /* make %l into %ll */
1818 +- p = strchr(format, 'l');
1819 +- if (p)
1820 ++ if (ls == 1 && (p = strchr(format, 'l')))
1821 + memmove(p+1, p, strlen(p)+1);
1822 + else if (strcmp(format, "%p") == 0)
1823 + strcpy(format, "0x%llx");
1824 ++ ls = 2;
1825 + }
1826 + switch (ls) {
1827 + case -2:
Report Message
Find on MARC Find on Google Groups