
From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 3.10.9/, 3.2.50/
Date: Thu, 29 Aug 2013 23:44:48
Message-Id: 1377819863.0e6807eeaecaa7b480734954188884619fde9cc8.blueness@gentoo
1 commit: 0e6807eeaecaa7b480734954188884619fde9cc8
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Thu Aug 29 23:44:23 2013 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Thu Aug 29 23:44:23 2013 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=0e6807ee
7
8 Grsec/PaX: 2.9.1-{3.2.50.3.10.9}-201308282054
9
10 ---
11 3.10.9/0000_README | 10 +-
12 3.10.9/1007_linux-3.10.8.patch | 1793 ------------------
13 3.10.9/1008_linux-3.10.9.patch | 37 -
14 ...420_grsecurity-2.9.1-3.10.9-201308282054.patch} | 1954 ++++++++++++++++++--
15 3.2.50/0000_README | 2 +-
16 ...420_grsecurity-2.9.1-3.2.50-201308282053.patch} | 501 ++++-
17 6 files changed, 2338 insertions(+), 1959 deletions(-)
18
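diff --git a/3.10.9/0000_README b/3.10.9/0000_README
index 71cd5ee..d335961 100644
--- a/3.10.9/0000_README
+++ b/3.10.9/0000_README
@@ -2,15 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 1007_linux-3.10.8.patch
-From: http://www.kernel.org
-Desc: Linux 3.10.8
-
-Patch: 1008_linux-3.10.9.patch
-From: http://www.kernel.org
-Desc: Linux 3.10.9
-
-Patch: 4420_grsecurity-2.9.1-3.10.9-201308202015.patch
+Patch: 4420_grsecurity-2.9.1-3.10.9-201308282054.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 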
40
41 diff --git a/3.10.9/1007_linux-3.10.8.patch b/3.10.9/1007_linux-3.10.8.patch
42 deleted file mode 100644
43 index bf200d8..0000000
44 --- a/3.10.9/1007_linux-3.10.8.patch
45 +++ /dev/null
46 @@ -1,1793 +0,0 @@
47 -diff --git a/Makefile b/Makefile
48 -index 33e36ab..1a21612 100644
49 ---- a/Makefile
50 -+++ b/Makefile
51 -@@ -1,6 +1,6 @@
52 - VERSION = 3
53 - PATCHLEVEL = 10
54 --SUBLEVEL = 7
55 -+SUBLEVEL = 8
56 - EXTRAVERSION =
57 - NAME = TOSSUG Baby Fish
58 -
59 -diff --git a/arch/Kconfig b/arch/Kconfig
60 -index a4429bc..00e3702 100644
61 ---- a/arch/Kconfig
62 -+++ b/arch/Kconfig
63 -@@ -404,6 +404,12 @@ config CLONE_BACKWARDS2
64 - help
65 - Architecture has the first two arguments of clone(2) swapped.
66 -
67 -+config CLONE_BACKWARDS3
68 -+ bool
69 -+ help
70 -+ Architecture has tls passed as the 3rd argument of clone(2),
71 -+ not the 5th one.
72 -+
73 - config ODD_RT_SIGACTION
74 - bool
75 - help
76 -diff --git a/arch/arm/include/asm/kvm_asm.h b/arch/arm/include/asm/kvm_asm.h
77 -index 18d5032..4bb08e3 100644
78 ---- a/arch/arm/include/asm/kvm_asm.h
79 -+++ b/arch/arm/include/asm/kvm_asm.h
80 -@@ -37,16 +37,18 @@
81 - #define c5_AIFSR 15 /* Auxilary Instrunction Fault Status R */
82 - #define c6_DFAR 16 /* Data Fault Address Register */
83 - #define c6_IFAR 17 /* Instruction Fault Address Register */
84 --#define c9_L2CTLR 18 /* Cortex A15 L2 Control Register */
85 --#define c10_PRRR 19 /* Primary Region Remap Register */
86 --#define c10_NMRR 20 /* Normal Memory Remap Register */
87 --#define c12_VBAR 21 /* Vector Base Address Register */
88 --#define c13_CID 22 /* Context ID Register */
89 --#define c13_TID_URW 23 /* Thread ID, User R/W */
90 --#define c13_TID_URO 24 /* Thread ID, User R/O */
91 --#define c13_TID_PRIV 25 /* Thread ID, Privileged */
92 --#define c14_CNTKCTL 26 /* Timer Control Register (PL1) */
93 --#define NR_CP15_REGS 27 /* Number of regs (incl. invalid) */
94 -+#define c7_PAR 18 /* Physical Address Register */
95 -+#define c7_PAR_high 19 /* PAR top 32 bits */
96 -+#define c9_L2CTLR 20 /* Cortex A15 L2 Control Register */
97 -+#define c10_PRRR 21 /* Primary Region Remap Register */
98 -+#define c10_NMRR 22 /* Normal Memory Remap Register */
99 -+#define c12_VBAR 23 /* Vector Base Address Register */
100 -+#define c13_CID 24 /* Context ID Register */
101 -+#define c13_TID_URW 25 /* Thread ID, User R/W */
102 -+#define c13_TID_URO 26 /* Thread ID, User R/O */
103 -+#define c13_TID_PRIV 27 /* Thread ID, Privileged */
104 -+#define c14_CNTKCTL 28 /* Timer Control Register (PL1) */
105 -+#define NR_CP15_REGS 29 /* Number of regs (incl. invalid) */
106 -
107 - #define ARM_EXCEPTION_RESET 0
108 - #define ARM_EXCEPTION_UNDEFINED 1
109 -diff --git a/arch/arm/include/asm/tlb.h b/arch/arm/include/asm/tlb.h
110 -index bdf2b84..aa9b4ac 100644
111 ---- a/arch/arm/include/asm/tlb.h
112 -+++ b/arch/arm/include/asm/tlb.h
113 -@@ -43,6 +43,7 @@ struct mmu_gather {
114 - struct mm_struct *mm;
115 - unsigned int fullmm;
116 - struct vm_area_struct *vma;
117 -+ unsigned long start, end;
118 - unsigned long range_start;
119 - unsigned long range_end;
120 - unsigned int nr;
121 -@@ -107,10 +108,12 @@ static inline void tlb_flush_mmu(struct mmu_gather *tlb)
122 - }
123 -
124 - static inline void
125 --tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int fullmm)
126 -+tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end)
127 - {
128 - tlb->mm = mm;
129 -- tlb->fullmm = fullmm;
130 -+ tlb->fullmm = !(start | (end+1));
131 -+ tlb->start = start;
132 -+ tlb->end = end;
133 - tlb->vma = NULL;
134 - tlb->max = ARRAY_SIZE(tlb->local);
135 - tlb->pages = tlb->local;
136 -diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c
137 -index d9f5cd4..e19edc6 100644
138 ---- a/arch/arm/kernel/perf_event.c
139 -+++ b/arch/arm/kernel/perf_event.c
140 -@@ -53,7 +53,12 @@ armpmu_map_cache_event(const unsigned (*cache_map)
141 - static int
142 - armpmu_map_hw_event(const unsigned (*event_map)[PERF_COUNT_HW_MAX], u64 config)
143 - {
144 -- int mapping = (*event_map)[config];
145 -+ int mapping;
146 -+
147 -+ if (config >= PERF_COUNT_HW_MAX)
148 -+ return -ENOENT;
149 -+
150 -+ mapping = (*event_map)[config];
151 - return mapping == HW_OP_UNSUPPORTED ? -ENOENT : mapping;
152 - }
153 -
154 -@@ -253,6 +258,9 @@ validate_event(struct pmu_hw_events *hw_events,
155 - struct arm_pmu *armpmu = to_arm_pmu(event->pmu);
156 - struct pmu *leader_pmu = event->group_leader->pmu;
157 -
158 -+ if (is_software_event(event))
159 -+ return 1;
160 -+
161 - if (event->pmu != leader_pmu || event->state < PERF_EVENT_STATE_OFF)
162 - return 1;
163 -
164 -diff --git a/arch/arm/kvm/coproc.c b/arch/arm/kvm/coproc.c
165 -index 8eea97b..4a51990 100644
166 ---- a/arch/arm/kvm/coproc.c
167 -+++ b/arch/arm/kvm/coproc.c
168 -@@ -180,6 +180,10 @@ static const struct coproc_reg cp15_regs[] = {
169 - NULL, reset_unknown, c6_DFAR },
170 - { CRn( 6), CRm( 0), Op1( 0), Op2( 2), is32,
171 - NULL, reset_unknown, c6_IFAR },
172 -+
173 -+ /* PAR swapped by interrupt.S */
174 -+ { CRn( 7), Op1( 0), is64, NULL, reset_unknown64, c7_PAR },
175 -+
176 - /*
177 - * DC{C,I,CI}SW operations:
178 - */
179 -diff --git a/arch/arm/kvm/interrupts.S b/arch/arm/kvm/interrupts.S
180 -index f7793df..16cd4ba 100644
181 ---- a/arch/arm/kvm/interrupts.S
182 -+++ b/arch/arm/kvm/interrupts.S
183 -@@ -49,6 +49,7 @@ __kvm_hyp_code_start:
184 - ENTRY(__kvm_tlb_flush_vmid_ipa)
185 - push {r2, r3}
186 -
187 -+ dsb ishst
188 - add r0, r0, #KVM_VTTBR
189 - ldrd r2, r3, [r0]
190 - mcrr p15, 6, r2, r3, c2 @ Write VTTBR
191 -@@ -291,6 +292,7 @@ THUMB( orr r2, r2, #PSR_T_BIT )
192 - ldr r2, =BSYM(panic)
193 - msr ELR_hyp, r2
194 - ldr r0, =\panic_str
195 -+ clrex @ Clear exclusive monitor
196 - eret
197 - .endm
198 -
199 -@@ -414,6 +416,10 @@ guest_trap:
200 - mrcne p15, 4, r2, c6, c0, 4 @ HPFAR
201 - bne 3f
202 -
203 -+ /* Preserve PAR */
204 -+ mrrc p15, 0, r0, r1, c7 @ PAR
205 -+ push {r0, r1}
206 -+
207 - /* Resolve IPA using the xFAR */
208 - mcr p15, 0, r2, c7, c8, 0 @ ATS1CPR
209 - isb
210 -@@ -424,13 +430,20 @@ guest_trap:
211 - lsl r2, r2, #4
212 - orr r2, r2, r1, lsl #24
213 -
214 -+ /* Restore PAR */
215 -+ pop {r0, r1}
216 -+ mcrr p15, 0, r0, r1, c7 @ PAR
217 -+
218 - 3: load_vcpu @ Load VCPU pointer to r0
219 - str r2, [r0, #VCPU_HPFAR]
220 -
221 - 1: mov r1, #ARM_EXCEPTION_HVC
222 - b __kvm_vcpu_return
223 -
224 --4: pop {r0, r1, r2} @ Failed translation, return to guest
225 -+4: pop {r0, r1} @ Failed translation, return to guest
226 -+ mcrr p15, 0, r0, r1, c7 @ PAR
227 -+ clrex
228 -+ pop {r0, r1, r2}
229 - eret
230 -
231 - /*
232 -@@ -456,6 +469,7 @@ switch_to_guest_vfp:
233 -
234 - pop {r3-r7}
235 - pop {r0-r2}
236 -+ clrex
237 - eret
238 - #endif
239 -
240 -diff --git a/arch/arm/kvm/interrupts_head.S b/arch/arm/kvm/interrupts_head.S
241 -index 3c8f2f0..2b44b95 100644
242 ---- a/arch/arm/kvm/interrupts_head.S
243 -+++ b/arch/arm/kvm/interrupts_head.S
244 -@@ -302,11 +302,14 @@ vcpu .req r0 @ vcpu pointer always in r0
245 - .endif
246 -
247 - mrc p15, 0, r2, c14, c1, 0 @ CNTKCTL
248 -+ mrrc p15, 0, r4, r5, c7 @ PAR
249 -
250 - .if \store_to_vcpu == 0
251 -- push {r2}
252 -+ push {r2,r4-r5}
253 - .else
254 - str r2, [vcpu, #CP15_OFFSET(c14_CNTKCTL)]
255 -+ add r12, vcpu, #CP15_OFFSET(c7_PAR)
256 -+ strd r4, r5, [r12]
257 - .endif
258 - .endm
259 -
260 -@@ -319,12 +322,15 @@ vcpu .req r0 @ vcpu pointer always in r0
261 - */
262 - .macro write_cp15_state read_from_vcpu
263 - .if \read_from_vcpu == 0
264 -- pop {r2}
265 -+ pop {r2,r4-r5}
266 - .else
267 - ldr r2, [vcpu, #CP15_OFFSET(c14_CNTKCTL)]
268 -+ add r12, vcpu, #CP15_OFFSET(c7_PAR)
269 -+ ldrd r4, r5, [r12]
270 - .endif
271 -
272 - mcr p15, 0, r2, c14, c1, 0 @ CNTKCTL
273 -+ mcrr p15, 0, r4, r5, c7 @ PAR
274 -
275 - .if \read_from_vcpu == 0
276 - pop {r2-r12}
277 -diff --git a/arch/arm64/include/asm/tlb.h b/arch/arm64/include/asm/tlb.h
278 -index 654f096..5546653 100644
279 ---- a/arch/arm64/include/asm/tlb.h
280 -+++ b/arch/arm64/include/asm/tlb.h
281 -@@ -35,6 +35,7 @@ struct mmu_gather {
282 - struct mm_struct *mm;
283 - unsigned int fullmm;
284 - struct vm_area_struct *vma;
285 -+ unsigned long start, end;
286 - unsigned long range_start;
287 - unsigned long range_end;
288 - unsigned int nr;
289 -@@ -97,10 +98,12 @@ static inline void tlb_flush_mmu(struct mmu_gather *tlb)
290 - }
291 -
292 - static inline void
293 --tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int fullmm)
294 -+tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end)
295 - {
296 - tlb->mm = mm;
297 -- tlb->fullmm = fullmm;
298 -+ tlb->fullmm = !(start | (end+1));
299 -+ tlb->start = start;
300 -+ tlb->end = end;
301 - tlb->vma = NULL;
302 - tlb->max = ARRAY_SIZE(tlb->local);
303 - tlb->pages = tlb->local;
304 -diff --git a/arch/ia64/include/asm/tlb.h b/arch/ia64/include/asm/tlb.h
305 -index ef3a9de..bc5efc7 100644
306 ---- a/arch/ia64/include/asm/tlb.h
307 -+++ b/arch/ia64/include/asm/tlb.h
308 -@@ -22,7 +22,7 @@
309 - * unmapping a portion of the virtual address space, these hooks are called according to
310 - * the following template:
311 - *
312 -- * tlb <- tlb_gather_mmu(mm, full_mm_flush); // start unmap for address space MM
313 -+ * tlb <- tlb_gather_mmu(mm, start, end); // start unmap for address space MM
314 - * {
315 - * for each vma that needs a shootdown do {
316 - * tlb_start_vma(tlb, vma);
317 -@@ -58,6 +58,7 @@ struct mmu_gather {
318 - unsigned int max;
319 - unsigned char fullmm; /* non-zero means full mm flush */
320 - unsigned char need_flush; /* really unmapped some PTEs? */
321 -+ unsigned long start, end;
322 - unsigned long start_addr;
323 - unsigned long end_addr;
324 - struct page **pages;
325 -@@ -155,13 +156,15 @@ static inline void __tlb_alloc_page(struct mmu_gather *tlb)
326 -
327 -
328 - static inline void
329 --tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int full_mm_flush)
330 -+tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end)
331 - {
332 - tlb->mm = mm;
333 - tlb->max = ARRAY_SIZE(tlb->local);
334 - tlb->pages = tlb->local;
335 - tlb->nr = 0;
336 -- tlb->fullmm = full_mm_flush;
337 -+ tlb->fullmm = !(start | (end+1));
338 -+ tlb->start = start;
339 -+ tlb->end = end;
340 - tlb->start_addr = ~0UL;
341 - }
342 -
343 -diff --git a/arch/m68k/emu/natfeat.c b/arch/m68k/emu/natfeat.c
344 -index 2291a7d..fa277ae 100644
345 ---- a/arch/m68k/emu/natfeat.c
346 -+++ b/arch/m68k/emu/natfeat.c
347 -@@ -18,9 +18,11 @@
348 - #include <asm/machdep.h>
349 - #include <asm/natfeat.h>
350 -
351 -+extern long nf_get_id2(const char *feature_name);
352 -+
353 - asm("\n"
354 --" .global nf_get_id,nf_call\n"
355 --"nf_get_id:\n"
356 -+" .global nf_get_id2,nf_call\n"
357 -+"nf_get_id2:\n"
358 - " .short 0x7300\n"
359 - " rts\n"
360 - "nf_call:\n"
361 -@@ -29,12 +31,25 @@ asm("\n"
362 - "1: moveq.l #0,%d0\n"
363 - " rts\n"
364 - " .section __ex_table,\"a\"\n"
365 --" .long nf_get_id,1b\n"
366 -+" .long nf_get_id2,1b\n"
367 - " .long nf_call,1b\n"
368 - " .previous");
369 --EXPORT_SYMBOL_GPL(nf_get_id);
370 - EXPORT_SYMBOL_GPL(nf_call);
371 -
372 -+long nf_get_id(const char *feature_name)
373 -+{
374 -+ /* feature_name may be in vmalloc()ed memory, so make a copy */
375 -+ char name_copy[32];
376 -+ size_t n;
377 -+
378 -+ n = strlcpy(name_copy, feature_name, sizeof(name_copy));
379 -+ if (n >= sizeof(name_copy))
380 -+ return 0;
381 -+
382 -+ return nf_get_id2(name_copy);
383 -+}
384 -+EXPORT_SYMBOL_GPL(nf_get_id);
385 -+
386 - void nfprint(const char *fmt, ...)
387 - {
388 - static char buf[256];
389 -diff --git a/arch/m68k/include/asm/div64.h b/arch/m68k/include/asm/div64.h
390 -index 444ea8a..ef881cf 100644
391 ---- a/arch/m68k/include/asm/div64.h
392 -+++ b/arch/m68k/include/asm/div64.h
393 -@@ -15,16 +15,17 @@
394 - unsigned long long n64; \
395 - } __n; \
396 - unsigned long __rem, __upper; \
397 -+ unsigned long __base = (base); \
398 - \
399 - __n.n64 = (n); \
400 - if ((__upper = __n.n32[0])) { \
401 - asm ("divul.l %2,%1:%0" \
402 -- : "=d" (__n.n32[0]), "=d" (__upper) \
403 -- : "d" (base), "0" (__n.n32[0])); \
404 -+ : "=d" (__n.n32[0]), "=d" (__upper) \
405 -+ : "d" (__base), "0" (__n.n32[0])); \
406 - } \
407 - asm ("divu.l %2,%1:%0" \
408 -- : "=d" (__n.n32[1]), "=d" (__rem) \
409 -- : "d" (base), "1" (__upper), "0" (__n.n32[1])); \
410 -+ : "=d" (__n.n32[1]), "=d" (__rem) \
411 -+ : "d" (__base), "1" (__upper), "0" (__n.n32[1])); \
412 - (n) = __n.n64; \
413 - __rem; \
414 - })
415 -diff --git a/arch/microblaze/Kconfig b/arch/microblaze/Kconfig
416 -index d22a4ec..4fab522 100644
417 ---- a/arch/microblaze/Kconfig
418 -+++ b/arch/microblaze/Kconfig
419 -@@ -28,7 +28,7 @@ config MICROBLAZE
420 - select GENERIC_CLOCKEVENTS
421 - select GENERIC_IDLE_POLL_SETUP
422 - select MODULES_USE_ELF_RELA
423 -- select CLONE_BACKWARDS
424 -+ select CLONE_BACKWARDS3
425 -
426 - config SWAP
427 - def_bool n
428 -diff --git a/arch/s390/include/asm/tlb.h b/arch/s390/include/asm/tlb.h
429 -index b75d7d6..6d6d92b 100644
430 ---- a/arch/s390/include/asm/tlb.h
431 -+++ b/arch/s390/include/asm/tlb.h
432 -@@ -32,6 +32,7 @@ struct mmu_gather {
433 - struct mm_struct *mm;
434 - struct mmu_table_batch *batch;
435 - unsigned int fullmm;
436 -+ unsigned long start, end;
437 - };
438 -
439 - struct mmu_table_batch {
440 -@@ -48,10 +49,13 @@ extern void tlb_remove_table(struct mmu_gather *tlb, void *table);
441 -
442 - static inline void tlb_gather_mmu(struct mmu_gather *tlb,
443 - struct mm_struct *mm,
444 -- unsigned int full_mm_flush)
445 -+ unsigned long start,
446 -+ unsigned long end)
447 - {
448 - tlb->mm = mm;
449 -- tlb->fullmm = full_mm_flush;
450 -+ tlb->start = start;
451 -+ tlb->end = end;
452 -+ tlb->fullmm = !(start | (end+1));
453 - tlb->batch = NULL;
454 - if (tlb->fullmm)
455 - __tlb_flush_mm(mm);
456 -diff --git a/arch/sh/include/asm/tlb.h b/arch/sh/include/asm/tlb.h
457 -index e61d43d..362192e 100644
458 ---- a/arch/sh/include/asm/tlb.h
459 -+++ b/arch/sh/include/asm/tlb.h
460 -@@ -36,10 +36,12 @@ static inline void init_tlb_gather(struct mmu_gather *tlb)
461 - }
462 -
463 - static inline void
464 --tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int full_mm_flush)
465 -+tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end)
466 - {
467 - tlb->mm = mm;
468 -- tlb->fullmm = full_mm_flush;
469 -+ tlb->start = start;
470 -+ tlb->end = end;
471 -+ tlb->fullmm = !(start | (end+1));
472 -
473 - init_tlb_gather(tlb);
474 - }
475 -diff --git a/arch/um/include/asm/tlb.h b/arch/um/include/asm/tlb.h
476 -index 4febacd..29b0301 100644
477 ---- a/arch/um/include/asm/tlb.h
478 -+++ b/arch/um/include/asm/tlb.h
479 -@@ -45,10 +45,12 @@ static inline void init_tlb_gather(struct mmu_gather *tlb)
480 - }
481 -
482 - static inline void
483 --tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned int full_mm_flush)
484 -+tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end)
485 - {
486 - tlb->mm = mm;
487 -- tlb->fullmm = full_mm_flush;
488 -+ tlb->start = start;
489 -+ tlb->end = end;
490 -+ tlb->fullmm = !(start | (end+1));
491 -
492 - init_tlb_gather(tlb);
493 - }
494 -diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
495 -index 52441a2..8aac56b 100644
496 ---- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
497 -+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
498 -@@ -314,8 +314,8 @@ static struct uncore_event_desc snbep_uncore_imc_events[] = {
499 - static struct uncore_event_desc snbep_uncore_qpi_events[] = {
500 - INTEL_UNCORE_EVENT_DESC(clockticks, "event=0x14"),
501 - INTEL_UNCORE_EVENT_DESC(txl_flits_active, "event=0x00,umask=0x06"),
502 -- INTEL_UNCORE_EVENT_DESC(drs_data, "event=0x02,umask=0x08"),
503 -- INTEL_UNCORE_EVENT_DESC(ncb_data, "event=0x03,umask=0x04"),
504 -+ INTEL_UNCORE_EVENT_DESC(drs_data, "event=0x102,umask=0x08"),
505 -+ INTEL_UNCORE_EVENT_DESC(ncb_data, "event=0x103,umask=0x04"),
506 - { /* end: all zeroes */ },
507 - };
508 -
509 -diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
510 -index dbded5a..48f8375 100644
511 ---- a/arch/x86/kernel/sys_x86_64.c
512 -+++ b/arch/x86/kernel/sys_x86_64.c
513 -@@ -101,7 +101,7 @@ static void find_start_end(unsigned long flags, unsigned long *begin,
514 - *begin = new_begin;
515 - }
516 - } else {
517 -- *begin = TASK_UNMAPPED_BASE;
518 -+ *begin = mmap_legacy_base();
519 - *end = TASK_SIZE;
520 - }
521 - }
522 -diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
523 -index 845df68..c1af323 100644
524 ---- a/arch/x86/mm/mmap.c
525 -+++ b/arch/x86/mm/mmap.c
526 -@@ -98,7 +98,7 @@ static unsigned long mmap_base(void)
527 - * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
528 - * does, but not when emulating X86_32
529 - */
530 --static unsigned long mmap_legacy_base(void)
531 -+unsigned long mmap_legacy_base(void)
532 - {
533 - if (mmap_is_ia32())
534 - return TASK_UNMAPPED_BASE;
535 -diff --git a/block/cfq-iosched.c b/block/cfq-iosched.c
536 -index d5cd313..d5bbdcf 100644
537 ---- a/block/cfq-iosched.c
538 -+++ b/block/cfq-iosched.c
539 -@@ -4347,18 +4347,28 @@ static void cfq_exit_queue(struct elevator_queue *e)
540 - kfree(cfqd);
541 - }
542 -
543 --static int cfq_init_queue(struct request_queue *q)
544 -+static int cfq_init_queue(struct request_queue *q, struct elevator_type *e)
545 - {
546 - struct cfq_data *cfqd;
547 - struct blkcg_gq *blkg __maybe_unused;
548 - int i, ret;
549 -+ struct elevator_queue *eq;
550 -+
551 -+ eq = elevator_alloc(q, e);
552 -+ if (!eq)
553 -+ return -ENOMEM;
554 -
555 - cfqd = kmalloc_node(sizeof(*cfqd), GFP_KERNEL | __GFP_ZERO, q->node);
556 -- if (!cfqd)
557 -+ if (!cfqd) {
558 -+ kobject_put(&eq->kobj);
559 - return -ENOMEM;
560 -+ }
561 -+ eq->elevator_data = cfqd;
562 -
563 - cfqd->queue = q;
564 -- q->elevator->elevator_data = cfqd;
565 -+ spin_lock_irq(q->queue_lock);
566 -+ q->elevator = eq;
567 -+ spin_unlock_irq(q->queue_lock);
568 -
569 - /* Init root service tree */
570 - cfqd->grp_service_tree = CFQ_RB_ROOT;
571 -@@ -4433,6 +4443,7 @@ static int cfq_init_queue(struct request_queue *q)
572 -
573 - out_free:
574 - kfree(cfqd);
575 -+ kobject_put(&eq->kobj);
576 - return ret;
577 - }
578 -
579 -diff --git a/block/deadline-iosched.c b/block/deadline-iosched.c
580 -index ba19a3a..20614a3 100644
581 ---- a/block/deadline-iosched.c
582 -+++ b/block/deadline-iosched.c
583 -@@ -337,13 +337,21 @@ static void deadline_exit_queue(struct elevator_queue *e)
584 - /*
585 - * initialize elevator private data (deadline_data).
586 - */
587 --static int deadline_init_queue(struct request_queue *q)
588 -+static int deadline_init_queue(struct request_queue *q, struct elevator_type *e)
589 - {
590 - struct deadline_data *dd;
591 -+ struct elevator_queue *eq;
592 -+
593 -+ eq = elevator_alloc(q, e);
594 -+ if (!eq)
595 -+ return -ENOMEM;
596 -
597 - dd = kmalloc_node(sizeof(*dd), GFP_KERNEL | __GFP_ZERO, q->node);
598 -- if (!dd)
599 -+ if (!dd) {
600 -+ kobject_put(&eq->kobj);
601 - return -ENOMEM;
602 -+ }
603 -+ eq->elevator_data = dd;
604 -
605 - INIT_LIST_HEAD(&dd->fifo_list[READ]);
606 - INIT_LIST_HEAD(&dd->fifo_list[WRITE]);
607 -@@ -355,7 +363,9 @@ static int deadline_init_queue(struct request_queue *q)
608 - dd->front_merges = 1;
609 - dd->fifo_batch = fifo_batch;
610 -
611 -- q->elevator->elevator_data = dd;
612 -+ spin_lock_irq(q->queue_lock);
613 -+ q->elevator = eq;
614 -+ spin_unlock_irq(q->queue_lock);
615 - return 0;
616 - }
617 -
618 -diff --git a/block/elevator.c b/block/elevator.c
619 -index eba5b04..668394d 100644
620 ---- a/block/elevator.c
621 -+++ b/block/elevator.c
622 -@@ -150,7 +150,7 @@ void __init load_default_elevator_module(void)
623 -
624 - static struct kobj_type elv_ktype;
625 -
626 --static struct elevator_queue *elevator_alloc(struct request_queue *q,
627 -+struct elevator_queue *elevator_alloc(struct request_queue *q,
628 - struct elevator_type *e)
629 - {
630 - struct elevator_queue *eq;
631 -@@ -170,6 +170,7 @@ err:
632 - elevator_put(e);
633 - return NULL;
634 - }
635 -+EXPORT_SYMBOL(elevator_alloc);
636 -
637 - static void elevator_release(struct kobject *kobj)
638 - {
639 -@@ -221,16 +222,7 @@ int elevator_init(struct request_queue *q, char *name)
640 - }
641 - }
642 -
643 -- q->elevator = elevator_alloc(q, e);
644 -- if (!q->elevator)
645 -- return -ENOMEM;
646 --
647 -- err = e->ops.elevator_init_fn(q);
648 -- if (err) {
649 -- kobject_put(&q->elevator->kobj);
650 -- return err;
651 -- }
652 --
653 -+ err = e->ops.elevator_init_fn(q, e);
654 - return 0;
655 - }
656 - EXPORT_SYMBOL(elevator_init);
657 -@@ -935,16 +927,9 @@ static int elevator_switch(struct request_queue *q, struct elevator_type *new_e)
658 - spin_unlock_irq(q->queue_lock);
659 -
660 - /* allocate, init and register new elevator */
661 -- err = -ENOMEM;
662 -- q->elevator = elevator_alloc(q, new_e);
663 -- if (!q->elevator)
664 -- goto fail_init;
665 --
666 -- err = new_e->ops.elevator_init_fn(q);
667 -- if (err) {
668 -- kobject_put(&q->elevator->kobj);
669 -+ err = new_e->ops.elevator_init_fn(q, new_e);
670 -+ if (err)
671 - goto fail_init;
672 -- }
673 -
674 - if (registered) {
675 - err = elv_register_queue(q);
676 -diff --git a/block/noop-iosched.c b/block/noop-iosched.c
677 -index 5d1bf70..3de89d4 100644
678 ---- a/block/noop-iosched.c
679 -+++ b/block/noop-iosched.c
680 -@@ -59,16 +59,27 @@ noop_latter_request(struct request_queue *q, struct request *rq)
681 - return list_entry(rq->queuelist.next, struct request, queuelist);
682 - }
683 -
684 --static int noop_init_queue(struct request_queue *q)
685 -+static int noop_init_queue(struct request_queue *q, struct elevator_type *e)
686 - {
687 - struct noop_data *nd;
688 -+ struct elevator_queue *eq;
689 -+
690 -+ eq = elevator_alloc(q, e);
691 -+ if (!eq)
692 -+ return -ENOMEM;
693 -
694 - nd = kmalloc_node(sizeof(*nd), GFP_KERNEL, q->node);
695 -- if (!nd)
696 -+ if (!nd) {
697 -+ kobject_put(&eq->kobj);
698 - return -ENOMEM;
699 -+ }
700 -+ eq->elevator_data = nd;
701 -
702 - INIT_LIST_HEAD(&nd->queue);
703 -- q->elevator->elevator_data = nd;
704 -+
705 -+ spin_lock_irq(q->queue_lock);
706 -+ q->elevator = eq;
707 -+ spin_unlock_irq(q->queue_lock);
708 - return 0;
709 - }
710 -
711 -diff --git a/drivers/net/can/usb/peak_usb/pcan_usb.c b/drivers/net/can/usb/peak_usb/pcan_usb.c
712 -index 25723d8..925ab8e 100644
713 ---- a/drivers/net/can/usb/peak_usb/pcan_usb.c
714 -+++ b/drivers/net/can/usb/peak_usb/pcan_usb.c
715 -@@ -649,7 +649,7 @@ static int pcan_usb_decode_data(struct pcan_usb_msg_context *mc, u8 status_len)
716 - if ((mc->ptr + rec_len) > mc->end)
717 - goto decode_failed;
718 -
719 -- memcpy(cf->data, mc->ptr, rec_len);
720 -+ memcpy(cf->data, mc->ptr, cf->can_dlc);
721 - mc->ptr += rec_len;
722 - }
723 -
724 -diff --git a/drivers/net/wireless/iwlegacy/4965-mac.c b/drivers/net/wireless/iwlegacy/4965-mac.c
725 -index 9a95045..900f5f8 100644
726 ---- a/drivers/net/wireless/iwlegacy/4965-mac.c
727 -+++ b/drivers/net/wireless/iwlegacy/4965-mac.c
728 -@@ -4442,12 +4442,12 @@ il4965_irq_tasklet(struct il_priv *il)
729 - * is killed. Hence update the killswitch state here. The
730 - * rfkill handler will care about restarting if needed.
731 - */
732 -- if (!test_bit(S_ALIVE, &il->status)) {
733 -- if (hw_rf_kill)
734 -- set_bit(S_RFKILL, &il->status);
735 -- else
736 -- clear_bit(S_RFKILL, &il->status);
737 -+ if (hw_rf_kill) {
738 -+ set_bit(S_RFKILL, &il->status);
739 -+ } else {
740 -+ clear_bit(S_RFKILL, &il->status);
741 - wiphy_rfkill_set_hw_state(il->hw->wiphy, hw_rf_kill);
742 -+ il_force_reset(il, true);
743 - }
744 -
745 - handled |= CSR_INT_BIT_RF_KILL;
746 -@@ -5316,6 +5316,9 @@ il4965_alive_start(struct il_priv *il)
747 -
748 - il->active_rate = RATES_MASK;
749 -
750 -+ il_power_update_mode(il, true);
751 -+ D_INFO("Updated power mode\n");
752 -+
753 - if (il_is_associated(il)) {
754 - struct il_rxon_cmd *active_rxon =
755 - (struct il_rxon_cmd *)&il->active;
756 -@@ -5346,9 +5349,6 @@ il4965_alive_start(struct il_priv *il)
757 - D_INFO("ALIVE processing complete.\n");
758 - wake_up(&il->wait_command_queue);
759 -
760 -- il_power_update_mode(il, true);
761 -- D_INFO("Updated power mode\n");
762 --
763 - return;
764 -
765 - restart:
766 -diff --git a/drivers/net/wireless/iwlegacy/common.c b/drivers/net/wireless/iwlegacy/common.c
767 -index e9a3cbc..9c9ebad 100644
768 ---- a/drivers/net/wireless/iwlegacy/common.c
769 -+++ b/drivers/net/wireless/iwlegacy/common.c
770 -@@ -4660,6 +4660,7 @@ il_force_reset(struct il_priv *il, bool external)
771 -
772 - return 0;
773 - }
774 -+EXPORT_SYMBOL(il_force_reset);
775 -
776 - int
777 - il_mac_change_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
778 -diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
779 -index a635988..5b44cd4 100644
780 ---- a/drivers/usb/core/quirks.c
781 -+++ b/drivers/usb/core/quirks.c
782 -@@ -78,6 +78,12 @@ static const struct usb_device_id usb_quirk_list[] = {
783 - { USB_DEVICE(0x04d8, 0x000c), .driver_info =
784 - USB_QUIRK_CONFIG_INTF_STRINGS },
785 -
786 -+ /* CarrolTouch 4000U */
787 -+ { USB_DEVICE(0x04e7, 0x0009), .driver_info = USB_QUIRK_RESET_RESUME },
788 -+
789 -+ /* CarrolTouch 4500U */
790 -+ { USB_DEVICE(0x04e7, 0x0030), .driver_info = USB_QUIRK_RESET_RESUME },
791 -+
792 - /* Samsung Android phone modem - ID conflict with SPH-I500 */
793 - { USB_DEVICE(0x04e8, 0x6601), .driver_info =
794 - USB_QUIRK_CONFIG_INTF_STRINGS },
795 -diff --git a/drivers/usb/host/ehci-sched.c b/drivers/usb/host/ehci-sched.c
796 -index f80d033..8e3c878 100644
797 ---- a/drivers/usb/host/ehci-sched.c
798 -+++ b/drivers/usb/host/ehci-sched.c
799 -@@ -1391,21 +1391,20 @@ iso_stream_schedule (
800 -
801 - /* Behind the scheduling threshold? */
802 - if (unlikely(start < next)) {
803 -+ unsigned now2 = (now - base) & (mod - 1);
804 -
805 - /* USB_ISO_ASAP: Round up to the first available slot */
806 - if (urb->transfer_flags & URB_ISO_ASAP)
807 - start += (next - start + period - 1) & -period;
808 -
809 - /*
810 -- * Not ASAP: Use the next slot in the stream. If
811 -- * the entire URB falls before the threshold, fail.
812 -+ * Not ASAP: Use the next slot in the stream,
813 -+ * no matter what.
814 - */
815 -- else if (start + span - period < next) {
816 -- ehci_dbg(ehci, "iso urb late %p (%u+%u < %u)\n",
817 -+ else if (start + span - period < now2) {
818 -+ ehci_dbg(ehci, "iso underrun %p (%u+%u < %u)\n",
819 - urb, start + base,
820 -- span - period, next + base);
821 -- status = -EXDEV;
822 -- goto fail;
823 -+ span - period, now2 + base);
824 - }
825 - }
826 -
827 -diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c
828 -index 3549d07..07fbdf0 100644
829 ---- a/drivers/usb/serial/keyspan.c
830 -+++ b/drivers/usb/serial/keyspan.c
831 -@@ -2315,7 +2315,7 @@ static int keyspan_startup(struct usb_serial *serial)
832 - if (d_details == NULL) {
833 - dev_err(&serial->dev->dev, "%s - unknown product id %x\n",
834 - __func__, le16_to_cpu(serial->dev->descriptor.idProduct));
835 -- return 1;
836 -+ return -ENODEV;
837 - }
838 -
839 - /* Setup private data for serial driver */
840 -diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
841 -index f27c621..5050cc8 100644
842 ---- a/drivers/usb/serial/mos7720.c
843 -+++ b/drivers/usb/serial/mos7720.c
844 -@@ -90,6 +90,7 @@ struct urbtracker {
845 - struct list_head urblist_entry;
846 - struct kref ref_count;
847 - struct urb *urb;
848 -+ struct usb_ctrlrequest *setup;
849 - };
850 -
851 - enum mos7715_pp_modes {
852 -@@ -271,6 +272,7 @@ static void destroy_urbtracker(struct kref *kref)
853 - struct mos7715_parport *mos_parport = urbtrack->mos_parport;
854 -
855 - usb_free_urb(urbtrack->urb);
856 -+ kfree(urbtrack->setup);
857 - kfree(urbtrack);
858 - kref_put(&mos_parport->ref_count, destroy_mos_parport);
859 - }
860 -@@ -355,7 +357,6 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport,
861 - struct urbtracker *urbtrack;
862 - int ret_val;
863 - unsigned long flags;
864 -- struct usb_ctrlrequest setup;
865 - struct usb_serial *serial = mos_parport->serial;
866 - struct usb_device *usbdev = serial->dev;
867 -
868 -@@ -373,14 +374,20 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport,
869 - kfree(urbtrack);
870 - return -ENOMEM;
871 - }
872 -- setup.bRequestType = (__u8)0x40;
873 -- setup.bRequest = (__u8)0x0e;
874 -- setup.wValue = get_reg_value(reg, dummy);
875 -- setup.wIndex = get_reg_index(reg);
876 -- setup.wLength = 0;
877 -+ urbtrack->setup = kmalloc(sizeof(*urbtrack->setup), GFP_KERNEL);
878 -+ if (!urbtrack->setup) {
879 -+ usb_free_urb(urbtrack->urb);
880 -+ kfree(urbtrack);
881 -+ return -ENOMEM;
882 -+ }
883 -+ urbtrack->setup->bRequestType = (__u8)0x40;
884 -+ urbtrack->setup->bRequest = (__u8)0x0e;
885 -+ urbtrack->setup->wValue = get_reg_value(reg, dummy);
886 -+ urbtrack->setup->wIndex = get_reg_index(reg);
887 -+ urbtrack->setup->wLength = 0;
888 - usb_fill_control_urb(urbtrack->urb, usbdev,
889 - usb_sndctrlpipe(usbdev, 0),
890 -- (unsigned char *)&setup,
891 -+ (unsigned char *)urbtrack->setup,
892 - NULL, 0, async_complete, urbtrack);
893 - kref_init(&urbtrack->ref_count);
894 - INIT_LIST_HEAD(&urbtrack->urblist_entry);
895 -diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
896 -index b92d333..2c1749d 100644
897 ---- a/drivers/usb/serial/mos7840.c
898 -+++ b/drivers/usb/serial/mos7840.c
899 -@@ -2208,7 +2208,7 @@ static int mos7810_check(struct usb_serial *serial)
900 - static int mos7840_probe(struct usb_serial *serial,
901 - const struct usb_device_id *id)
902 - {
903 -- u16 product = serial->dev->descriptor.idProduct;
904 -+ u16 product = le16_to_cpu(serial->dev->descriptor.idProduct);
905 - u8 *buf;
906 - int device_type;
907 -
908 -diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c
909 -index 01f79f1..32bdd5e 100644
910 ---- a/drivers/usb/serial/ti_usb_3410_5052.c
911 -+++ b/drivers/usb/serial/ti_usb_3410_5052.c
912 -@@ -1536,14 +1536,15 @@ static int ti_download_firmware(struct ti_device *tdev)
913 - char buf[32];
914 -
915 - /* try ID specific firmware first, then try generic firmware */
916 -- sprintf(buf, "ti_usb-v%04x-p%04x.fw", dev->descriptor.idVendor,
917 -- dev->descriptor.idProduct);
918 -+ sprintf(buf, "ti_usb-v%04x-p%04x.fw",
919 -+ le16_to_cpu(dev->descriptor.idVendor),
920 -+ le16_to_cpu(dev->descriptor.idProduct));
921 - status = request_firmware(&fw_p, buf, &dev->dev);
922 -
923 - if (status != 0) {
924 - buf[0] = '\0';
925 -- if (dev->descriptor.idVendor == MTS_VENDOR_ID) {
926 -- switch (dev->descriptor.idProduct) {
927 -+ if (le16_to_cpu(dev->descriptor.idVendor) == MTS_VENDOR_ID) {
928 -+ switch (le16_to_cpu(dev->descriptor.idProduct)) {
929 - case MTS_CDMA_PRODUCT_ID:
930 - strcpy(buf, "mts_cdma.fw");
931 - break;
932 -diff --git a/drivers/usb/serial/usb_wwan.c b/drivers/usb/serial/usb_wwan.c
933 -index ece326e..db0cf53 100644
934 ---- a/drivers/usb/serial/usb_wwan.c
935 -+++ b/drivers/usb/serial/usb_wwan.c
936 -@@ -291,18 +291,18 @@ static void usb_wwan_indat_callback(struct urb *urb)
937 - tty_flip_buffer_push(&port->port);
938 - } else
939 - dev_dbg(dev, "%s: empty read urb received\n", __func__);
940 --
941 -- /* Resubmit urb so we continue receiving */
942 -- err = usb_submit_urb(urb, GFP_ATOMIC);
943 -- if (err) {
944 -- if (err != -EPERM) {
945 -- dev_err(dev, "%s: resubmit read urb failed. (%d)\n", __func__, err);
946 -- /* busy also in error unless we are killed */
947 -- usb_mark_last_busy(port->serial->dev);
948 -- }
949 -- } else {
950 -+ }
951 -+ /* Resubmit urb so we continue receiving */
952 -+ err = usb_submit_urb(urb, GFP_ATOMIC);
953 -+ if (err) {
954 -+ if (err != -EPERM) {
955 -+ dev_err(dev, "%s: resubmit read urb failed. (%d)\n",
956 -+ __func__, err);
957 -+ /* busy also in error unless we are killed */
958 - usb_mark_last_busy(port->serial->dev);
959 - }
960 -+ } else {
961 -+ usb_mark_last_busy(port->serial->dev);
962 - }
963 - }
964 -
965 -diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c
966 -index 6ef94bc..028fc83 100644
967 ---- a/drivers/usb/wusbcore/wa-xfer.c
968 -+++ b/drivers/usb/wusbcore/wa-xfer.c
969 -@@ -1110,6 +1110,12 @@ int wa_urb_dequeue(struct wahc *wa, struct urb *urb)
970 - }
971 - spin_lock_irqsave(&xfer->lock, flags);
972 - rpipe = xfer->ep->hcpriv;
973 -+ if (rpipe == NULL) {
974 -+ pr_debug("%s: xfer id 0x%08X has no RPIPE. %s",
975 -+ __func__, wa_xfer_id(xfer),
976 -+ "Probably already aborted.\n" );
977 -+ goto out_unlock;
978 -+ }
979 - /* Check the delayed list -> if there, release and complete */
980 - spin_lock_irqsave(&wa->xfer_list_lock, flags2);
981 - if (!list_empty(&xfer->list_node) && xfer->seg == NULL)
982 -@@ -1493,8 +1499,7 @@ static void wa_xfer_result_cb(struct urb *urb)
983 - break;
984 - }
985 - usb_status = xfer_result->bTransferStatus & 0x3f;
986 -- if (usb_status == WA_XFER_STATUS_ABORTED
987 -- || usb_status == WA_XFER_STATUS_NOT_FOUND)
988 -+ if (usb_status == WA_XFER_STATUS_NOT_FOUND)
989 - /* taken care of already */
990 - break;
991 - xfer_id = xfer_result->dwTransferID;
992 -diff --git a/fs/exec.c b/fs/exec.c
993 -index ffd7a81..1f44670 100644
994 ---- a/fs/exec.c
995 -+++ b/fs/exec.c
996 -@@ -607,7 +607,7 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
997 - return -ENOMEM;
998 -
999 - lru_add_drain();
1000 -- tlb_gather_mmu(&tlb, mm, 0);
1001 -+ tlb_gather_mmu(&tlb, mm, old_start, old_end);
1002 - if (new_end > old_start) {
1003 - /*
1004 - * when the old and new regions overlap clear from new_end.
1005 -@@ -624,7 +624,7 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
1006 - free_pgd_range(&tlb, old_start, old_end, new_end,
1007 - vma->vm_next ? vma->vm_next->vm_start : USER_PGTABLES_CEILING);
1008 - }
1009 -- tlb_finish_mmu(&tlb, new_end, old_end);
1010 -+ tlb_finish_mmu(&tlb, old_start, old_end);
1011 -
1012 - /*
1013 - * Shrink the vma to just the new range. Always succeeds.
1014 -diff --git a/fs/ext4/ext4_jbd2.c b/fs/ext4/ext4_jbd2.c
1015 -index 451eb40..1c88061 100644
1016 ---- a/fs/ext4/ext4_jbd2.c
1017 -+++ b/fs/ext4/ext4_jbd2.c
1018 -@@ -219,10 +219,10 @@ int __ext4_handle_dirty_metadata(const char *where, unsigned int line,
1019 - set_buffer_prio(bh);
1020 - if (ext4_handle_valid(handle)) {
1021 - err = jbd2_journal_dirty_metadata(handle, bh);
1022 -- if (err) {
1023 -- /* Errors can only happen if there is a bug */
1024 -- handle->h_err = err;
1025 -- __ext4_journal_stop(where, line, handle);
1026 -+ /* Errors can only happen if there is a bug */
1027 -+ if (WARN_ON_ONCE(err)) {
1028 -+ ext4_journal_abort_handle(where, line, __func__, bh,
1029 -+ handle, err);
1030 - }
1031 - } else {
1032 - if (inode)
1033 -diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
1034 -index 3e636d8..65fc60a 100644
1035 ---- a/fs/proc/task_mmu.c
1036 -+++ b/fs/proc/task_mmu.c
1037 -@@ -792,14 +792,14 @@ typedef struct {
1038 - } pagemap_entry_t;
1039 -
1040 - struct pagemapread {
1041 -- int pos, len;
1042 -+ int pos, len; /* units: PM_ENTRY_BYTES, not bytes */
1043 - pagemap_entry_t *buffer;
1044 - };
1045 -
1046 - #define PAGEMAP_WALK_SIZE (PMD_SIZE)
1047 - #define PAGEMAP_WALK_MASK (PMD_MASK)
1048 -
1049 --#define PM_ENTRY_BYTES sizeof(u64)
1050 -+#define PM_ENTRY_BYTES sizeof(pagemap_entry_t)
1051 - #define PM_STATUS_BITS 3
1052 - #define PM_STATUS_OFFSET (64 - PM_STATUS_BITS)
1053 - #define PM_STATUS_MASK (((1LL << PM_STATUS_BITS) - 1) << PM_STATUS_OFFSET)
1054 -@@ -1038,8 +1038,8 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
1055 - if (!count)
1056 - goto out_task;
1057 -
1058 -- pm.len = PM_ENTRY_BYTES * (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
1059 -- pm.buffer = kmalloc(pm.len, GFP_TEMPORARY);
1060 -+ pm.len = (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
1061 -+ pm.buffer = kmalloc(pm.len * PM_ENTRY_BYTES, GFP_TEMPORARY);
1062 - ret = -ENOMEM;
1063 - if (!pm.buffer)
1064 - goto out_task;
1065 -diff --git a/include/asm-generic/tlb.h b/include/asm-generic/tlb.h
1066 -index 13821c3..5672d7e 100644
1067 ---- a/include/asm-generic/tlb.h
1068 -+++ b/include/asm-generic/tlb.h
1069 -@@ -112,7 +112,7 @@ struct mmu_gather {
1070 -
1071 - #define HAVE_GENERIC_MMU_GATHER
1072 -
1073 --void tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, bool fullmm);
1074 -+void tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end);
1075 - void tlb_flush_mmu(struct mmu_gather *tlb);
1076 - void tlb_finish_mmu(struct mmu_gather *tlb, unsigned long start,
1077 - unsigned long end);
1078 -diff --git a/include/linux/elevator.h b/include/linux/elevator.h
1079 -index acd0312..306dd8c 100644
1080 ---- a/include/linux/elevator.h
1081 -+++ b/include/linux/elevator.h
1082 -@@ -7,6 +7,7 @@
1083 - #ifdef CONFIG_BLOCK
1084 -
1085 - struct io_cq;
1086 -+struct elevator_type;
1087 -
1088 - typedef int (elevator_merge_fn) (struct request_queue *, struct request **,
1089 - struct bio *);
1090 -@@ -35,7 +36,8 @@ typedef void (elevator_put_req_fn) (struct request *);
1091 - typedef void (elevator_activate_req_fn) (struct request_queue *, struct request *);
1092 - typedef void (elevator_deactivate_req_fn) (struct request_queue *, struct request *);
1093 -
1094 --typedef int (elevator_init_fn) (struct request_queue *);
1095 -+typedef int (elevator_init_fn) (struct request_queue *,
1096 -+ struct elevator_type *e);
1097 - typedef void (elevator_exit_fn) (struct elevator_queue *);
1098 -
1099 - struct elevator_ops
1100 -@@ -155,6 +157,8 @@ extern int elevator_init(struct request_queue *, char *);
1101 - extern void elevator_exit(struct elevator_queue *);
1102 - extern int elevator_change(struct request_queue *, const char *);
1103 - extern bool elv_rq_merge_ok(struct request *, struct bio *);
1104 -+extern struct elevator_queue *elevator_alloc(struct request_queue *,
1105 -+ struct elevator_type *);
1106 -
1107 - /*
1108 - * Helper functions.
1109 -diff --git a/include/linux/sched.h b/include/linux/sched.h
1110 -index 178a8d9..3aeb14b 100644
1111 ---- a/include/linux/sched.h
1112 -+++ b/include/linux/sched.h
1113 -@@ -314,6 +314,7 @@ struct nsproxy;
1114 - struct user_namespace;
1115 -
1116 - #ifdef CONFIG_MMU
1117 -+extern unsigned long mmap_legacy_base(void);
1118 - extern void arch_pick_mmap_layout(struct mm_struct *mm);
1119 - extern unsigned long
1120 - arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
1121 -diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
1122 -index 4147d70..84662ec 100644
1123 ---- a/include/linux/syscalls.h
1124 -+++ b/include/linux/syscalls.h
1125 -@@ -802,9 +802,14 @@ asmlinkage long sys_vfork(void);
1126 - asmlinkage long sys_clone(unsigned long, unsigned long, int __user *, int,
1127 - int __user *);
1128 - #else
1129 -+#ifdef CONFIG_CLONE_BACKWARDS3
1130 -+asmlinkage long sys_clone(unsigned long, unsigned long, int, int __user *,
1131 -+ int __user *, int);
1132 -+#else
1133 - asmlinkage long sys_clone(unsigned long, unsigned long, int __user *,
1134 - int __user *, int);
1135 - #endif
1136 -+#endif
1137 -
1138 - asmlinkage long sys_execve(const char __user *filename,
1139 - const char __user *const __user *argv,
1140 -diff --git a/kernel/cpuset.c b/kernel/cpuset.c
1141 -index 64b3f79..6948e94 100644
1142 ---- a/kernel/cpuset.c
1143 -+++ b/kernel/cpuset.c
1144 -@@ -1502,11 +1502,13 @@ static int cpuset_write_u64(struct cgroup *cgrp, struct cftype *cft, u64 val)
1145 - {
1146 - struct cpuset *cs = cgroup_cs(cgrp);
1147 - cpuset_filetype_t type = cft->private;
1148 -- int retval = -ENODEV;
1149 -+ int retval = 0;
1150 -
1151 - mutex_lock(&cpuset_mutex);
1152 -- if (!is_cpuset_online(cs))
1153 -+ if (!is_cpuset_online(cs)) {
1154 -+ retval = -ENODEV;
1155 - goto out_unlock;
1156 -+ }
1157 -
1158 - switch (type) {
1159 - case FILE_CPU_EXCLUSIVE:
1160 -diff --git a/kernel/fork.c b/kernel/fork.c
1161 -index 987b28a..ffbc090 100644
1162 ---- a/kernel/fork.c
1163 -+++ b/kernel/fork.c
1164 -@@ -1675,6 +1675,12 @@ SYSCALL_DEFINE5(clone, unsigned long, newsp, unsigned long, clone_flags,
1165 - int __user *, parent_tidptr,
1166 - int __user *, child_tidptr,
1167 - int, tls_val)
1168 -+#elif defined(CONFIG_CLONE_BACKWARDS3)
1169 -+SYSCALL_DEFINE6(clone, unsigned long, clone_flags, unsigned long, newsp,
1170 -+ int, stack_size,
1171 -+ int __user *, parent_tidptr,
1172 -+ int __user *, child_tidptr,
1173 -+ int, tls_val)
1174 - #else
1175 - SYSCALL_DEFINE5(clone, unsigned long, clone_flags, unsigned long, newsp,
1176 - int __user *, parent_tidptr,
1177 -diff --git a/kernel/power/qos.c b/kernel/power/qos.c
1178 -index 587ddde..25cf89b 100644
1179 ---- a/kernel/power/qos.c
1180 -+++ b/kernel/power/qos.c
1181 -@@ -293,6 +293,15 @@ int pm_qos_request_active(struct pm_qos_request *req)
1182 - }
1183 - EXPORT_SYMBOL_GPL(pm_qos_request_active);
1184 -
1185 -+static void __pm_qos_update_request(struct pm_qos_request *req,
1186 -+ s32 new_value)
1187 -+{
1188 -+ if (new_value != req->node.prio)
1189 -+ pm_qos_update_target(
1190 -+ pm_qos_array[req->pm_qos_class]->constraints,
1191 -+ &req->node, PM_QOS_UPDATE_REQ, new_value);
1192 -+}
1193 -+
1194 - /**
1195 - * pm_qos_work_fn - the timeout handler of pm_qos_update_request_timeout
1196 - * @work: work struct for the delayed work (timeout)
1197 -@@ -305,7 +314,7 @@ static void pm_qos_work_fn(struct work_struct *work)
1198 - struct pm_qos_request,
1199 - work);
1200 -
1201 -- pm_qos_update_request(req, PM_QOS_DEFAULT_VALUE);
1202 -+ __pm_qos_update_request(req, PM_QOS_DEFAULT_VALUE);
1203 - }
1204 -
1205 - /**
1206 -@@ -365,6 +374,8 @@ void pm_qos_update_request(struct pm_qos_request *req,
1207 - pm_qos_update_target(
1208 - pm_qos_array[req->pm_qos_class]->constraints,
1209 - &req->node, PM_QOS_UPDATE_REQ, new_value);
1210 -+
1211 -+ __pm_qos_update_request(req, new_value);
1212 - }
1213 - EXPORT_SYMBOL_GPL(pm_qos_update_request);
1214 -
1215 -diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
1216 -index c61a614..03b73be 100644
1217 ---- a/kernel/sched/fair.c
1218 -+++ b/kernel/sched/fair.c
1219 -@@ -1984,6 +1984,7 @@ entity_tick(struct cfs_rq *cfs_rq, struct sched_entity *curr, int queued)
1220 - */
1221 - update_entity_load_avg(curr, 1);
1222 - update_cfs_rq_blocked_load(cfs_rq, 1);
1223 -+ update_cfs_shares(cfs_rq);
1224 -
1225 - #ifdef CONFIG_SCHED_HRTICK
1226 - /*
1227 -diff --git a/mm/hugetlb.c b/mm/hugetlb.c
1228 -index 5cf99bf..7c5eb85 100644
1229 ---- a/mm/hugetlb.c
1230 -+++ b/mm/hugetlb.c
1231 -@@ -2490,7 +2490,7 @@ void unmap_hugepage_range(struct vm_area_struct *vma, unsigned long start,
1232 -
1233 - mm = vma->vm_mm;
1234 -
1235 -- tlb_gather_mmu(&tlb, mm, 0);
1236 -+ tlb_gather_mmu(&tlb, mm, start, end);
1237 - __unmap_hugepage_range(&tlb, vma, start, end, ref_page);
1238 - tlb_finish_mmu(&tlb, start, end);
1239 - }
1240 -diff --git a/mm/memcontrol.c b/mm/memcontrol.c
1241 -index 15b0409..82a187a 100644
1242 ---- a/mm/memcontrol.c
1243 -+++ b/mm/memcontrol.c
1244 -@@ -3186,11 +3186,11 @@ int memcg_register_cache(struct mem_cgroup *memcg, struct kmem_cache *s,
1245 - if (!s->memcg_params)
1246 - return -ENOMEM;
1247 -
1248 -- INIT_WORK(&s->memcg_params->destroy,
1249 -- kmem_cache_destroy_work_func);
1250 - if (memcg) {
1251 - s->memcg_params->memcg = memcg;
1252 - s->memcg_params->root_cache = root_cache;
1253 -+ INIT_WORK(&s->memcg_params->destroy,
1254 -+ kmem_cache_destroy_work_func);
1255 - } else
1256 - s->memcg_params->is_root_cache = true;
1257 -
1258 -diff --git a/mm/memory.c b/mm/memory.c
1259 -index 5e50800..5a35443 100644
1260 ---- a/mm/memory.c
1261 -+++ b/mm/memory.c
1262 -@@ -211,14 +211,15 @@ static int tlb_next_batch(struct mmu_gather *tlb)
1263 - * tear-down from @mm. The @fullmm argument is used when @mm is without
1264 - * users and we're going to destroy the full address space (exit/execve).
1265 - */
1266 --void tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, bool fullmm)
1267 -+void tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end)
1268 - {
1269 - tlb->mm = mm;
1270 -
1271 -- tlb->fullmm = fullmm;
1272 -+ /* Is it from 0 to ~0? */
1273 -+ tlb->fullmm = !(start | (end+1));
1274 - tlb->need_flush_all = 0;
1275 -- tlb->start = -1UL;
1276 -- tlb->end = 0;
1277 -+ tlb->start = start;
1278 -+ tlb->end = end;
1279 - tlb->need_flush = 0;
1280 - tlb->local.next = NULL;
1281 - tlb->local.nr = 0;
1282 -@@ -258,8 +259,6 @@ void tlb_finish_mmu(struct mmu_gather *tlb, unsigned long start, unsigned long e
1283 - {
1284 - struct mmu_gather_batch *batch, *next;
1285 -
1286 -- tlb->start = start;
1287 -- tlb->end = end;
1288 - tlb_flush_mmu(tlb);
1289 -
1290 - /* keep the page table cache within bounds */
1291 -@@ -1101,7 +1100,6 @@ static unsigned long zap_pte_range(struct mmu_gather *tlb,
1292 - spinlock_t *ptl;
1293 - pte_t *start_pte;
1294 - pte_t *pte;
1295 -- unsigned long range_start = addr;
1296 -
1297 - again:
1298 - init_rss_vec(rss);
1299 -@@ -1204,17 +1202,25 @@ again:
1300 - * and page-free while holding it.
1301 - */
1302 - if (force_flush) {
1303 -+ unsigned long old_end;
1304 -+
1305 - force_flush = 0;
1306 -
1307 --#ifdef HAVE_GENERIC_MMU_GATHER
1308 -- tlb->start = range_start;
1309 -+ /*
1310 -+ * Flush the TLB just for the previous segment,
1311 -+ * then update the range to be the remaining
1312 -+ * TLB range.
1313 -+ */
1314 -+ old_end = tlb->end;
1315 - tlb->end = addr;
1316 --#endif
1317 -+
1318 - tlb_flush_mmu(tlb);
1319 -- if (addr != end) {
1320 -- range_start = addr;
1321 -+
1322 -+ tlb->start = addr;
1323 -+ tlb->end = old_end;
1324 -+
1325 -+ if (addr != end)
1326 - goto again;
1327 -- }
1328 - }
1329 -
1330 - return addr;
1331 -@@ -1399,7 +1405,7 @@ void zap_page_range(struct vm_area_struct *vma, unsigned long start,
1332 - unsigned long end = start + size;
1333 -
1334 - lru_add_drain();
1335 -- tlb_gather_mmu(&tlb, mm, 0);
1336 -+ tlb_gather_mmu(&tlb, mm, start, end);
1337 - update_hiwater_rss(mm);
1338 - mmu_notifier_invalidate_range_start(mm, start, end);
1339 - for ( ; vma && vma->vm_start < end; vma = vma->vm_next)
1340 -@@ -1425,7 +1431,7 @@ static void zap_page_range_single(struct vm_area_struct *vma, unsigned long addr
1341 - unsigned long end = address + size;
1342 -
1343 - lru_add_drain();
1344 -- tlb_gather_mmu(&tlb, mm, 0);
1345 -+ tlb_gather_mmu(&tlb, mm, address, end);
1346 - update_hiwater_rss(mm);
1347 - mmu_notifier_invalidate_range_start(mm, address, end);
1348 - unmap_single_vma(&tlb, vma, address, end, details);
1349 -diff --git a/mm/mmap.c b/mm/mmap.c
1350 -index 7dbe397..8d25fdc 100644
1351 ---- a/mm/mmap.c
1352 -+++ b/mm/mmap.c
1353 -@@ -2356,7 +2356,7 @@ static void unmap_region(struct mm_struct *mm,
1354 - struct mmu_gather tlb;
1355 -
1356 - lru_add_drain();
1357 -- tlb_gather_mmu(&tlb, mm, 0);
1358 -+ tlb_gather_mmu(&tlb, mm, start, end);
1359 - update_hiwater_rss(mm);
1360 - unmap_vmas(&tlb, vma, start, end);
1361 - free_pgtables(&tlb, vma, prev ? prev->vm_end : FIRST_USER_ADDRESS,
1362 -@@ -2735,7 +2735,7 @@ void exit_mmap(struct mm_struct *mm)
1363 -
1364 - lru_add_drain();
1365 - flush_cache_mm(mm);
1366 -- tlb_gather_mmu(&tlb, mm, 1);
1367 -+ tlb_gather_mmu(&tlb, mm, 0, -1);
1368 - /* update_hiwater_rss(mm) here? but nobody should be looking */
1369 - /* Use -1 here to ensure all VMAs in the mm are unmapped */
1370 - unmap_vmas(&tlb, vma, 0, -1);
1371 -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
1372 -index 741448b..55a42f9 100644
1373 ---- a/net/mac80211/mlme.c
1374 -+++ b/net/mac80211/mlme.c
1375 -@@ -237,8 +237,9 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
1376 - struct ieee80211_channel *channel,
1377 - const struct ieee80211_ht_operation *ht_oper,
1378 - const struct ieee80211_vht_operation *vht_oper,
1379 -- struct cfg80211_chan_def *chandef, bool verbose)
1380 -+ struct cfg80211_chan_def *chandef, bool tracking)
1381 - {
1382 -+ struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1383 - struct cfg80211_chan_def vht_chandef;
1384 - u32 ht_cfreq, ret;
1385 -
1386 -@@ -257,7 +258,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
1387 - ht_cfreq = ieee80211_channel_to_frequency(ht_oper->primary_chan,
1388 - channel->band);
1389 - /* check that channel matches the right operating channel */
1390 -- if (channel->center_freq != ht_cfreq) {
1391 -+ if (!tracking && channel->center_freq != ht_cfreq) {
1392 - /*
1393 - * It's possible that some APs are confused here;
1394 - * Netgear WNDR3700 sometimes reports 4 higher than
1395 -@@ -265,11 +266,10 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
1396 - * since we look at probe response/beacon data here
1397 - * it should be OK.
1398 - */
1399 -- if (verbose)
1400 -- sdata_info(sdata,
1401 -- "Wrong control channel: center-freq: %d ht-cfreq: %d ht->primary_chan: %d band: %d - Disabling HT\n",
1402 -- channel->center_freq, ht_cfreq,
1403 -- ht_oper->primary_chan, channel->band);
1404 -+ sdata_info(sdata,
1405 -+ "Wrong control channel: center-freq: %d ht-cfreq: %d ht->primary_chan: %d band: %d - Disabling HT\n",
1406 -+ channel->center_freq, ht_cfreq,
1407 -+ ht_oper->primary_chan, channel->band);
1408 - ret = IEEE80211_STA_DISABLE_HT | IEEE80211_STA_DISABLE_VHT;
1409 - goto out;
1410 - }
1411 -@@ -323,7 +323,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
1412 - channel->band);
1413 - break;
1414 - default:
1415 -- if (verbose)
1416 -+ if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
1417 - sdata_info(sdata,
1418 - "AP VHT operation IE has invalid channel width (%d), disable VHT\n",
1419 - vht_oper->chan_width);
1420 -@@ -332,7 +332,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
1421 - }
1422 -
1423 - if (!cfg80211_chandef_valid(&vht_chandef)) {
1424 -- if (verbose)
1425 -+ if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
1426 - sdata_info(sdata,
1427 - "AP VHT information is invalid, disable VHT\n");
1428 - ret = IEEE80211_STA_DISABLE_VHT;
1429 -@@ -345,7 +345,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
1430 - }
1431 -
1432 - if (!cfg80211_chandef_compatible(chandef, &vht_chandef)) {
1433 -- if (verbose)
1434 -+ if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
1435 - sdata_info(sdata,
1436 - "AP VHT information doesn't match HT, disable VHT\n");
1437 - ret = IEEE80211_STA_DISABLE_VHT;
1438 -@@ -361,18 +361,27 @@ out:
1439 - if (ret & IEEE80211_STA_DISABLE_VHT)
1440 - vht_chandef = *chandef;
1441 -
1442 -+ /*
1443 -+ * Ignore the DISABLED flag when we're already connected and only
1444 -+ * tracking the APs beacon for bandwidth changes - otherwise we
1445 -+ * might get disconnected here if we connect to an AP, update our
1446 -+ * regulatory information based on the AP's country IE and the
1447 -+ * information we have is wrong/outdated and disables the channel
1448 -+ * that we're actually using for the connection to the AP.
1449 -+ */
1450 - while (!cfg80211_chandef_usable(sdata->local->hw.wiphy, chandef,
1451 -- IEEE80211_CHAN_DISABLED)) {
1452 -+ tracking ? 0 :
1453 -+ IEEE80211_CHAN_DISABLED)) {
1454 - if (WARN_ON(chandef->width == NL80211_CHAN_WIDTH_20_NOHT)) {
1455 - ret = IEEE80211_STA_DISABLE_HT |
1456 - IEEE80211_STA_DISABLE_VHT;
1457 -- goto out;
1458 -+ break;
1459 - }
1460 -
1461 - ret |= chandef_downgrade(chandef);
1462 - }
1463 -
1464 -- if (chandef->width != vht_chandef.width && verbose)
1465 -+ if (chandef->width != vht_chandef.width && !tracking)
1466 - sdata_info(sdata,
1467 - "capabilities/regulatory prevented using AP HT/VHT configuration, downgraded\n");
1468 -
1469 -@@ -412,7 +421,7 @@ static int ieee80211_config_bw(struct ieee80211_sub_if_data *sdata,
1470 -
1471 - /* calculate new channel (type) based on HT/VHT operation IEs */
1472 - flags = ieee80211_determine_chantype(sdata, sband, chan, ht_oper,
1473 -- vht_oper, &chandef, false);
1474 -+ vht_oper, &chandef, true);
1475 -
1476 - /*
1477 - * Downgrade the new channel if we associated with restricted
1478 -@@ -3906,7 +3915,7 @@ static int ieee80211_prep_channel(struct ieee80211_sub_if_data *sdata,
1479 - ifmgd->flags |= ieee80211_determine_chantype(sdata, sband,
1480 - cbss->channel,
1481 - ht_oper, vht_oper,
1482 -- &chandef, true);
1483 -+ &chandef, false);
1484 -
1485 - sdata->needed_rx_chains = min(ieee80211_ht_vht_rx_chains(sdata, cbss),
1486 - local->rx_chains);
1487 -diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
1488 -index 1076fe1..ba6e55d 100644
1489 ---- a/net/netlink/genetlink.c
1490 -+++ b/net/netlink/genetlink.c
1491 -@@ -789,6 +789,10 @@ static int ctrl_dumpfamily(struct sk_buff *skb, struct netlink_callback *cb)
1492 - struct net *net = sock_net(skb->sk);
1493 - int chains_to_skip = cb->args[0];
1494 - int fams_to_skip = cb->args[1];
1495 -+ bool need_locking = chains_to_skip || fams_to_skip;
1496 -+
1497 -+ if (need_locking)
1498 -+ genl_lock();
1499 -
1500 - for (i = chains_to_skip; i < GENL_FAM_TAB_SIZE; i++) {
1501 - n = 0;
1502 -@@ -810,6 +814,9 @@ errout:
1503 - cb->args[0] = i;
1504 - cb->args[1] = n;
1505 -
1506 -+ if (need_locking)
1507 -+ genl_unlock();
1508 -+
1509 - return skb->len;
1510 - }
1511 -
1512 -diff --git a/net/wireless/core.c b/net/wireless/core.c
1513 -index 73405e0..64fcbae 100644
1514 ---- a/net/wireless/core.c
1515 -+++ b/net/wireless/core.c
1516 -@@ -876,6 +876,7 @@ void cfg80211_leave(struct cfg80211_registered_device *rdev,
1517 - cfg80211_leave_mesh(rdev, dev);
1518 - break;
1519 - case NL80211_IFTYPE_AP:
1520 -+ case NL80211_IFTYPE_P2P_GO:
1521 - cfg80211_stop_ap(rdev, dev);
1522 - break;
1523 - default:
1524 -diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
1525 -index db8ead9..448c034 100644
1526 ---- a/net/wireless/nl80211.c
1527 -+++ b/net/wireless/nl80211.c
1528 -@@ -471,10 +471,12 @@ static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
1529 - goto out_unlock;
1530 - }
1531 - *rdev = wiphy_to_dev((*wdev)->wiphy);
1532 -- cb->args[0] = (*rdev)->wiphy_idx;
1533 -+ /* 0 is the first index - add 1 to parse only once */
1534 -+ cb->args[0] = (*rdev)->wiphy_idx + 1;
1535 - cb->args[1] = (*wdev)->identifier;
1536 - } else {
1537 -- struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0]);
1538 -+ /* subtract the 1 again here */
1539 -+ struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1540 - struct wireless_dev *tmp;
1541 -
1542 - if (!wiphy) {
1543 -diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c
1544 -index 24400cf..ad22dec 100644
1545 ---- a/sound/pci/hda/hda_generic.c
1546 -+++ b/sound/pci/hda/hda_generic.c
1547 -@@ -519,7 +519,7 @@ static bool same_amp_caps(struct hda_codec *codec, hda_nid_t nid1,
1548 - }
1549 -
1550 - #define nid_has_mute(codec, nid, dir) \
1551 -- check_amp_caps(codec, nid, dir, AC_AMPCAP_MUTE)
1552 -+ check_amp_caps(codec, nid, dir, (AC_AMPCAP_MUTE | AC_AMPCAP_MIN_MUTE))
1553 - #define nid_has_volume(codec, nid, dir) \
1554 - check_amp_caps(codec, nid, dir, AC_AMPCAP_NUM_STEPS)
1555 -
1556 -@@ -621,7 +621,7 @@ static int get_amp_val_to_activate(struct hda_codec *codec, hda_nid_t nid,
1557 - if (enable)
1558 - val = (caps & AC_AMPCAP_OFFSET) >> AC_AMPCAP_OFFSET_SHIFT;
1559 - }
1560 -- if (caps & AC_AMPCAP_MUTE) {
1561 -+ if (caps & (AC_AMPCAP_MUTE | AC_AMPCAP_MIN_MUTE)) {
1562 - if (!enable)
1563 - val |= HDA_AMP_MUTE;
1564 - }
1565 -@@ -645,7 +645,7 @@ static unsigned int get_amp_mask_to_modify(struct hda_codec *codec,
1566 - {
1567 - unsigned int mask = 0xff;
1568 -
1569 -- if (caps & AC_AMPCAP_MUTE) {
1570 -+ if (caps & (AC_AMPCAP_MUTE | AC_AMPCAP_MIN_MUTE)) {
1571 - if (is_ctl_associated(codec, nid, dir, idx, NID_PATH_MUTE_CTL))
1572 - mask &= ~0x80;
1573 - }
1574 -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
1575 -index 051c03d..57f9f2a 100644
1576 ---- a/sound/pci/hda/patch_realtek.c
1577 -+++ b/sound/pci/hda/patch_realtek.c
1578 -@@ -1027,6 +1027,7 @@ enum {
1579 - ALC880_FIXUP_GPIO2,
1580 - ALC880_FIXUP_MEDION_RIM,
1581 - ALC880_FIXUP_LG,
1582 -+ ALC880_FIXUP_LG_LW25,
1583 - ALC880_FIXUP_W810,
1584 - ALC880_FIXUP_EAPD_COEF,
1585 - ALC880_FIXUP_TCL_S700,
1586 -@@ -1085,6 +1086,14 @@ static const struct hda_fixup alc880_fixups[] = {
1587 - { }
1588 - }
1589 - },
1590 -+ [ALC880_FIXUP_LG_LW25] = {
1591 -+ .type = HDA_FIXUP_PINS,
1592 -+ .v.pins = (const struct hda_pintbl[]) {
1593 -+ { 0x1a, 0x0181344f }, /* line-in */
1594 -+ { 0x1b, 0x0321403f }, /* headphone */
1595 -+ { }
1596 -+ }
1597 -+ },
1598 - [ALC880_FIXUP_W810] = {
1599 - .type = HDA_FIXUP_PINS,
1600 - .v.pins = (const struct hda_pintbl[]) {
1601 -@@ -1337,6 +1346,7 @@ static const struct snd_pci_quirk alc880_fixup_tbl[] = {
1602 - SND_PCI_QUIRK(0x1854, 0x003b, "LG", ALC880_FIXUP_LG),
1603 - SND_PCI_QUIRK(0x1854, 0x005f, "LG P1 Express", ALC880_FIXUP_LG),
1604 - SND_PCI_QUIRK(0x1854, 0x0068, "LG w1", ALC880_FIXUP_LG),
1605 -+ SND_PCI_QUIRK(0x1854, 0x0077, "LG LW25", ALC880_FIXUP_LG_LW25),
1606 - SND_PCI_QUIRK(0x19db, 0x4188, "TCL S700", ALC880_FIXUP_TCL_S700),
1607 -
1608 - /* Below is the copied entries from alc880_quirks.c.
1609 -@@ -4200,6 +4210,7 @@ static const struct snd_pci_quirk alc662_fixup_tbl[] = {
1610 - SND_PCI_QUIRK(0x1025, 0x0308, "Acer Aspire 8942G", ALC662_FIXUP_ASPIRE),
1611 - SND_PCI_QUIRK(0x1025, 0x031c, "Gateway NV79", ALC662_FIXUP_SKU_IGNORE),
1612 - SND_PCI_QUIRK(0x1025, 0x0349, "eMachines eM250", ALC662_FIXUP_INV_DMIC),
1613 -+ SND_PCI_QUIRK(0x1025, 0x034a, "Gateway LT27", ALC662_FIXUP_INV_DMIC),
1614 - SND_PCI_QUIRK(0x1025, 0x038b, "Acer Aspire 8943G", ALC662_FIXUP_ASPIRE),
1615 - SND_PCI_QUIRK(0x1028, 0x05d8, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
1616 - SND_PCI_QUIRK(0x1028, 0x05db, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
1617 -diff --git a/sound/soc/codecs/cs42l52.c b/sound/soc/codecs/cs42l52.c
1618 -index 987f728..ee25f32 100644
1619 ---- a/sound/soc/codecs/cs42l52.c
1620 -+++ b/sound/soc/codecs/cs42l52.c
1621 -@@ -451,7 +451,7 @@ static const struct snd_kcontrol_new cs42l52_snd_controls[] = {
1622 - SOC_ENUM("Beep Pitch", beep_pitch_enum),
1623 - SOC_ENUM("Beep on Time", beep_ontime_enum),
1624 - SOC_ENUM("Beep off Time", beep_offtime_enum),
1625 -- SOC_SINGLE_TLV("Beep Volume", CS42L52_BEEP_VOL, 0, 0x1f, 0x07, hl_tlv),
1626 -+ SOC_SINGLE_SX_TLV("Beep Volume", CS42L52_BEEP_VOL, 0, 0x07, 0x1f, hl_tlv),
1627 - SOC_SINGLE("Beep Mixer Switch", CS42L52_BEEP_TONE_CTL, 5, 1, 1),
1628 - SOC_ENUM("Beep Treble Corner Freq", beep_treble_enum),
1629 - SOC_ENUM("Beep Bass Corner Freq", beep_bass_enum),
1630 -diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
1631 -index c7051c4..3606383 100644
1632 ---- a/sound/soc/soc-dapm.c
1633 -+++ b/sound/soc/soc-dapm.c
1634 -@@ -682,13 +682,14 @@ static int dapm_new_mux(struct snd_soc_dapm_widget *w)
1635 - return -EINVAL;
1636 - }
1637 -
1638 -- path = list_first_entry(&w->sources, struct snd_soc_dapm_path,
1639 -- list_sink);
1640 -- if (!path) {
1641 -+ if (list_empty(&w->sources)) {
1642 - dev_err(dapm->dev, "ASoC: mux %s has no paths\n", w->name);
1643 - return -EINVAL;
1644 - }
1645 -
1646 -+ path = list_first_entry(&w->sources, struct snd_soc_dapm_path,
1647 -+ list_sink);
1648 -+
1649 - ret = dapm_create_or_share_mixmux_kcontrol(w, 0, path);
1650 - if (ret < 0)
1651 - return ret;
1652 -diff --git a/sound/soc/tegra/tegra30_i2s.c b/sound/soc/tegra/tegra30_i2s.c
1653 -index 31d092d..a5432b1 100644
1654 ---- a/sound/soc/tegra/tegra30_i2s.c
1655 -+++ b/sound/soc/tegra/tegra30_i2s.c
1656 -@@ -228,7 +228,7 @@ static int tegra30_i2s_hw_params(struct snd_pcm_substream *substream,
1657 - reg = TEGRA30_I2S_CIF_RX_CTRL;
1658 - } else {
1659 - val |= TEGRA30_AUDIOCIF_CTRL_DIRECTION_TX;
1660 -- reg = TEGRA30_I2S_CIF_RX_CTRL;
1661 -+ reg = TEGRA30_I2S_CIF_TX_CTRL;
1662 - }
1663 -
1664 - regmap_write(i2s->regmap, reg, val);
1665 -diff --git a/sound/usb/6fire/midi.c b/sound/usb/6fire/midi.c
1666 -index 2672242..f3dd726 100644
1667 ---- a/sound/usb/6fire/midi.c
1668 -+++ b/sound/usb/6fire/midi.c
1669 -@@ -19,6 +19,10 @@
1670 - #include "chip.h"
1671 - #include "comm.h"
1672 -
1673 -+enum {
1674 -+ MIDI_BUFSIZE = 64
1675 -+};
1676 -+
1677 - static void usb6fire_midi_out_handler(struct urb *urb)
1678 - {
1679 - struct midi_runtime *rt = urb->context;
1680 -@@ -156,6 +160,12 @@ int usb6fire_midi_init(struct sfire_chip *chip)
1681 - if (!rt)
1682 - return -ENOMEM;
1683 -
1684 -+ rt->out_buffer = kzalloc(MIDI_BUFSIZE, GFP_KERNEL);
1685 -+ if (!rt->out_buffer) {
1686 -+ kfree(rt);
1687 -+ return -ENOMEM;
1688 -+ }
1689 -+
1690 - rt->chip = chip;
1691 - rt->in_received = usb6fire_midi_in_received;
1692 - rt->out_buffer[0] = 0x80; /* 'send midi' command */
1693 -@@ -169,6 +179,7 @@ int usb6fire_midi_init(struct sfire_chip *chip)
1694 -
1695 - ret = snd_rawmidi_new(chip->card, "6FireUSB", 0, 1, 1, &rt->instance);
1696 - if (ret < 0) {
1697 -+ kfree(rt->out_buffer);
1698 - kfree(rt);
1699 - snd_printk(KERN_ERR PREFIX "unable to create midi.\n");
1700 - return ret;
1701 -@@ -197,6 +208,9 @@ void usb6fire_midi_abort(struct sfire_chip *chip)
1702 -
1703 - void usb6fire_midi_destroy(struct sfire_chip *chip)
1704 - {
1705 -- kfree(chip->midi);
1706 -+ struct midi_runtime *rt = chip->midi;
1707 -+
1708 -+ kfree(rt->out_buffer);
1709 -+ kfree(rt);
1710 - chip->midi = NULL;
1711 - }
1712 -diff --git a/sound/usb/6fire/midi.h b/sound/usb/6fire/midi.h
1713 -index c321006..84851b9 100644
1714 ---- a/sound/usb/6fire/midi.h
1715 -+++ b/sound/usb/6fire/midi.h
1716 -@@ -16,10 +16,6 @@
1717 -
1718 - #include "common.h"
1719 -
1720 --enum {
1721 -- MIDI_BUFSIZE = 64
1722 --};
1723 --
1724 - struct midi_runtime {
1725 - struct sfire_chip *chip;
1726 - struct snd_rawmidi *instance;
1727 -@@ -32,7 +28,7 @@ struct midi_runtime {
1728 - struct snd_rawmidi_substream *out;
1729 - struct urb out_urb;
1730 - u8 out_serial; /* serial number of out packet */
1731 -- u8 out_buffer[MIDI_BUFSIZE];
1732 -+ u8 *out_buffer;
1733 - int buffer_offset;
1734 -
1735 - void (*in_received)(struct midi_runtime *rt, u8 *data, int length);
1736 -diff --git a/sound/usb/6fire/pcm.c b/sound/usb/6fire/pcm.c
1737 -index 074aaf7..25f9e61 100644
1738 ---- a/sound/usb/6fire/pcm.c
1739 -+++ b/sound/usb/6fire/pcm.c
1740 -@@ -580,6 +580,33 @@ static void usb6fire_pcm_init_urb(struct pcm_urb *urb,
1741 - urb->instance.number_of_packets = PCM_N_PACKETS_PER_URB;
1742 - }
1743 -
1744 -+static int usb6fire_pcm_buffers_init(struct pcm_runtime *rt)
1745 -+{
1746 -+ int i;
1747 -+
1748 -+ for (i = 0; i < PCM_N_URBS; i++) {
1749 -+ rt->out_urbs[i].buffer = kzalloc(PCM_N_PACKETS_PER_URB
1750 -+ * PCM_MAX_PACKET_SIZE, GFP_KERNEL);
1751 -+ if (!rt->out_urbs[i].buffer)
1752 -+ return -ENOMEM;
1753 -+ rt->in_urbs[i].buffer = kzalloc(PCM_N_PACKETS_PER_URB
1754 -+ * PCM_MAX_PACKET_SIZE, GFP_KERNEL);
1755 -+ if (!rt->in_urbs[i].buffer)
1756 -+ return -ENOMEM;
1757 -+ }
1758 -+ return 0;
1759 -+}
1760 -+
1761 -+static void usb6fire_pcm_buffers_destroy(struct pcm_runtime *rt)
1762 -+{
1763 -+ int i;
1764 -+
1765 -+ for (i = 0; i < PCM_N_URBS; i++) {
1766 -+ kfree(rt->out_urbs[i].buffer);
1767 -+ kfree(rt->in_urbs[i].buffer);
1768 -+ }
1769 -+}
1770 -+
1771 - int usb6fire_pcm_init(struct sfire_chip *chip)
1772 - {
1773 - int i;
1774 -@@ -591,6 +618,13 @@ int usb6fire_pcm_init(struct sfire_chip *chip)
1775 - if (!rt)
1776 - return -ENOMEM;
1777 -
1778 -+ ret = usb6fire_pcm_buffers_init(rt);
1779 -+ if (ret) {
1780 -+ usb6fire_pcm_buffers_destroy(rt);
1781 -+ kfree(rt);
1782 -+ return ret;
1783 -+ }
1784 -+
1785 - rt->chip = chip;
1786 - rt->stream_state = STREAM_DISABLED;
1787 - rt->rate = ARRAY_SIZE(rates);
1788 -@@ -612,6 +646,7 @@ int usb6fire_pcm_init(struct sfire_chip *chip)
1789 -
1790 - ret = snd_pcm_new(chip->card, "DMX6FireUSB", 0, 1, 1, &pcm);
1791 - if (ret < 0) {
1792 -+ usb6fire_pcm_buffers_destroy(rt);
1793 - kfree(rt);
1794 - snd_printk(KERN_ERR PREFIX "cannot create pcm instance.\n");
1795 - return ret;
1796 -@@ -627,6 +662,7 @@ int usb6fire_pcm_init(struct sfire_chip *chip)
1797 - snd_dma_continuous_data(GFP_KERNEL),
1798 - MAX_BUFSIZE, MAX_BUFSIZE);
1799 - if (ret) {
1800 -+ usb6fire_pcm_buffers_destroy(rt);
1801 - kfree(rt);
1802 - snd_printk(KERN_ERR PREFIX
1803 - "error preallocating pcm buffers.\n");
1804 -@@ -671,6 +707,9 @@ void usb6fire_pcm_abort(struct sfire_chip *chip)
1805 -
1806 - void usb6fire_pcm_destroy(struct sfire_chip *chip)
1807 - {
1808 -- kfree(chip->pcm);
1809 -+ struct pcm_runtime *rt = chip->pcm;
1810 -+
1811 -+ usb6fire_pcm_buffers_destroy(rt);
1812 -+ kfree(rt);
1813 - chip->pcm = NULL;
1814 - }
1815 -diff --git a/sound/usb/6fire/pcm.h b/sound/usb/6fire/pcm.h
1816 -index 9b01133..f5779d6 100644
1817 ---- a/sound/usb/6fire/pcm.h
1818 -+++ b/sound/usb/6fire/pcm.h
1819 -@@ -32,7 +32,7 @@ struct pcm_urb {
1820 - struct urb instance;
1821 - struct usb_iso_packet_descriptor packets[PCM_N_PACKETS_PER_URB];
1822 - /* END DO NOT SEPARATE */
1823 -- u8 buffer[PCM_N_PACKETS_PER_URB * PCM_MAX_PACKET_SIZE];
1824 -+ u8 *buffer;
1825 -
1826 - struct pcm_urb *peer;
1827 - };
1828 -diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
1829 -index d543808..95558ef 100644
1830 ---- a/sound/usb/mixer.c
1831 -+++ b/sound/usb/mixer.c
1832 -@@ -888,6 +888,7 @@ static void volume_control_quirks(struct usb_mixer_elem_info *cval,
1833 - case USB_ID(0x046d, 0x081b): /* HD Webcam c310 */
1834 - case USB_ID(0x046d, 0x081d): /* HD Webcam c510 */
1835 - case USB_ID(0x046d, 0x0825): /* HD Webcam c270 */
1836 -+ case USB_ID(0x046d, 0x0826): /* HD Webcam c525 */
1837 - case USB_ID(0x046d, 0x0991):
1838 - /* Most audio usb devices lie about volume resolution.
1839 - * Most Logitech webcams have res = 384.
1840
1841 diff --git a/3.10.9/1008_linux-3.10.9.patch b/3.10.9/1008_linux-3.10.9.patch
1842 deleted file mode 100644
1843 index e91b33a..0000000
1844 --- a/3.10.9/1008_linux-3.10.9.patch
1845 +++ /dev/null
1846 @@ -1,37 +0,0 @@
1847 -diff --git a/Makefile b/Makefile
1848 -index 1a21612..4b31d62 100644
1849 ---- a/Makefile
1850 -+++ b/Makefile
1851 -@@ -1,6 +1,6 @@
1852 - VERSION = 3
1853 - PATCHLEVEL = 10
1854 --SUBLEVEL = 8
1855 -+SUBLEVEL = 9
1856 - EXTRAVERSION =
1857 - NAME = TOSSUG Baby Fish
1858 -
1859 -diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
1860 -index ba6e55d..1076fe1 100644
1861 ---- a/net/netlink/genetlink.c
1862 -+++ b/net/netlink/genetlink.c
1863 -@@ -789,10 +789,6 @@ static int ctrl_dumpfamily(struct sk_buff *skb, struct netlink_callback *cb)
1864 - struct net *net = sock_net(skb->sk);
1865 - int chains_to_skip = cb->args[0];
1866 - int fams_to_skip = cb->args[1];
1867 -- bool need_locking = chains_to_skip || fams_to_skip;
1868 --
1869 -- if (need_locking)
1870 -- genl_lock();
1871 -
1872 - for (i = chains_to_skip; i < GENL_FAM_TAB_SIZE; i++) {
1873 - n = 0;
1874 -@@ -814,9 +810,6 @@ errout:
1875 - cb->args[0] = i;
1876 - cb->args[1] = n;
1877 -
1878 -- if (need_locking)
1879 -- genl_unlock();
1880 --
1881 - return skb->len;
1882 - }
1883 -
1884
1885 diff --git a/3.10.9/4420_grsecurity-2.9.1-3.10.9-201308202015.patch b/3.10.9/4420_grsecurity-2.9.1-3.10.9-201308282054.patch
1886 similarity index 98%
1887 rename from 3.10.9/4420_grsecurity-2.9.1-3.10.9-201308202015.patch
1888 rename to 3.10.9/4420_grsecurity-2.9.1-3.10.9-201308282054.patch
1889 index 24d81a0..ed67d72 100644
1890 --- a/3.10.9/4420_grsecurity-2.9.1-3.10.9-201308202015.patch
1891 +++ b/3.10.9/4420_grsecurity-2.9.1-3.10.9-201308282054.patch
1892 @@ -1968,7 +1968,7 @@ index 86b8fe3..e25f975 100644
1893 #define L_PTE_DIRTY_HIGH (1 << (55 - 32))
1894
1895 diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h
1896 -index 9bcd262..fba731c 100644
1897 +index 9bcd262..1ff999b 100644
1898 --- a/arch/arm/include/asm/pgtable.h
1899 +++ b/arch/arm/include/asm/pgtable.h
1900 @@ -30,6 +30,9 @@
1901 @@ -1991,20 +1991,18 @@ index 9bcd262..fba731c 100644
1902 extern void __pte_error(const char *file, int line, pte_t);
1903 extern void __pmd_error(const char *file, int line, pmd_t);
1904 extern void __pgd_error(const char *file, int line, pgd_t);
1905 -@@ -53,6 +59,50 @@ extern void __pgd_error(const char *file, int line, pgd_t);
1906 +@@ -53,6 +59,48 @@ extern void __pgd_error(const char *file, int line, pgd_t);
1907 #define pmd_ERROR(pmd) __pmd_error(__FILE__, __LINE__, pmd)
1908 #define pgd_ERROR(pgd) __pgd_error(__FILE__, __LINE__, pgd)
1909
1910 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
1911 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
1912 +
1913 -+#ifdef CONFIG_PAX_KERNEXEC
1914 ++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
1915 +#include <asm/domain.h>
1916 +#include <linux/thread_info.h>
1917 +#include <linux/preempt.h>
1918 -+#endif
1919 +
1920 -+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
1921 +static inline int test_domain(int domain, int domaintype)
1922 +{
1923 + return ((current_thread_info()->cpu_domain) & domain_val(domain, 3)) == domain_val(domain, domaintype);
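Review bot: test_domain, added at the end of this hunk, has no comment, and after the guard merge it and the three includes above it are compiled in for either CONFIG_PAX_KERNEXEC or CONFIG_PAX_MEMORY_UDEREF rather than KERNEXEC alone. The expression masks a two-bit field out of the cached cpu_domain with `domain_val(domain, 3)` and compares it with the requested access type, which is not obvious at a glance; I'd put `/* Nonzero if the current thread's cached cpu_domain has domain @domain set to access type @domaintype */` above the definition. The function's closing brace is outside this hunk.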
1924 @@ -2042,7 +2040,7 @@ index 9bcd262..fba731c 100644
1925 /*
1926 * This is the lowest virtual address we can permit any user space
1927 * mapping to be mapped at. This is particularly important for
1928 -@@ -72,8 +122,8 @@ extern void __pgd_error(const char *file, int line, pgd_t);
1929 +@@ -72,8 +120,8 @@ extern void __pgd_error(const char *file, int line, pgd_t);
1930 /*
1931 * The pgprot_* and protection_map entries will be fixed up in runtime
1932 * to include the cachable and bufferable bits based on memory policy,
1933 @@ -2053,7 +2051,7 @@ index 9bcd262..fba731c 100644
1934 */
1935 #define _L_PTE_DEFAULT L_PTE_PRESENT | L_PTE_YOUNG
1936
1937 -@@ -257,7 +307,7 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; }
1938 +@@ -257,7 +305,7 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; }
1939 static inline pte_t pte_modify(pte_t pte, pgprot_t newprot)
1940 {
1941 const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER |
1942 @@ -3737,7 +3735,7 @@ index 6f4585b..7b6f52b 100644
1943 goto fault; \
1944 } while (0)
1945 diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
1946 -index 5dbf13f..ee1ec24 100644
1947 +index 5dbf13f..a2d1876 100644
1948 --- a/arch/arm/mm/fault.c
1949 +++ b/arch/arm/mm/fault.c
1950 @@ -25,6 +25,7 @@
1951 @@ -3840,7 +3838,7 @@ index 5dbf13f..ee1ec24 100644
1952 printk(KERN_ALERT "Unhandled fault: %s (0x%03x) at 0x%08lx\n",
1953 inf->name, fsr, addr);
1954
1955 -@@ -569,15 +631,67 @@ hook_ifault_code(int nr, int (*fn)(unsigned long, unsigned int, struct pt_regs *
1956 +@@ -569,15 +631,68 @@ hook_ifault_code(int nr, int (*fn)(unsigned long, unsigned int, struct pt_regs *
1957 ifsr_info[nr].name = name;
1958 }
1959
1960 @@ -3852,18 +3850,19 @@ index 5dbf13f..ee1ec24 100644
1961 {
1962 const struct fsr_info *inf = ifsr_info + fsr_fs(ifsr);
1963 struct siginfo info;
1964 -
1965 ++ unsigned long pc = instruction_pointer(regs);
1966 ++
1967 + if (user_mode(regs)) {
1968 + unsigned long sigpage = current->mm->context.sigpage;
1969 +
1970 -+ if (sigpage <= addr && addr < sigpage + 7*4) {
1971 -+ if (addr < sigpage + 3*4)
1972 ++ if (sigpage <= pc && pc < sigpage + 7*4) {
1973 ++ if (pc < sigpage + 3*4)
1974 + sys_sigreturn(regs);
1975 + else
1976 + sys_rt_sigreturn(regs);
1977 + return;
1978 + }
1979 -+ if (addr == 0xffff0fe0UL) {
1980 ++ if (pc == 0xffff0fe0UL) {
1981 + /*
1982 + * PaX: __kuser_get_tls emulation
1983 + */
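Review bot: The sigreturn-trampoline and __kuser_get_tls emulation now keys on the saved pc instead of the abort address, but nothing in the hunk says why the two can differ or why pc is the one to trust, while `addr` is still what reaches `inf->fn(addr, ...)` two hunks further down. A one-line comment above the new declaration would make the intent reviewable, e.g. `/* PaX: decide emulation on the saved pc, not the reported abort address */`. The `7*4` and `3*4` bounds in the sigpage checks are also unexplained; they presumably mirror the trampoline layout of the signal page and deserve either a comment or named constants. The enclosing function starts and ends outside this hunk.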
1984 @@ -3878,11 +3877,11 @@ index 5dbf13f..ee1ec24 100644
1985 + if (current->signal->curr_ip)
1986 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
1987 + from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()),
1988 -+ addr >= TASK_SIZE ? "non-executable kernel" : "userland", addr);
1989 ++ pc >= TASK_SIZE ? "non-executable kernel" : "userland", pc);
1990 + else
1991 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", current->comm, task_pid_nr(current),
1992 + from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()),
1993 -+ addr >= TASK_SIZE ? "non-executable kernel" : "userland", addr);
1994 ++ pc >= TASK_SIZE ? "non-executable kernel" : "userland", pc);
1995 + goto die;
1996 + }
1997 +#endif
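Review bot: Both PAX report lines now print only pc, so the abort address the old lines reported is no longer logged; if pc and addr can disagree on some CPUs, which is what the switch implies, an incident responder loses the value the hardware actually reported. I'd keep both in the message, e.g. `"... attempted to execute %s memory at %08lx (fault address %08lx)\n", ..., pc, addr`, or state in a comment that the two are always equal on the paths that reach here. The enclosing function starts and ends outside this hunk.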
1998 @@ -3891,7 +3890,7 @@ index 5dbf13f..ee1ec24 100644
1999 + if (fsr_fs(ifsr) == FAULT_CODE_DEBUG) {
2000 + unsigned int bkpt;
2001 +
2002 -+ if (!probe_kernel_address((unsigned int *)addr, bkpt) && bkpt == 0xe12f1073) {
2003 ++ if (!probe_kernel_address((unsigned int *)pc, bkpt) && cpu_to_le32(bkpt) == 0xe12f1073) {
2004 + current->thread.error_code = ifsr;
2005 + current->thread.trap_no = 0;
2006 + pax_report_refcount_overflow(regs);
2007 @@ -3900,7 +3899,7 @@ index 5dbf13f..ee1ec24 100644
2008 + }
2009 + }
2010 +#endif
2011 -+
2012 +
2013 if (!inf->fn(addr, ifsr | FSR_LNX_PF, regs))
2014 return;
2015
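Review bot: The bkpt match on the changed line compares the word read from pc against a bare `0xe12f1073`, now after a cpu_to_le32 conversion, and neither the opcode it encodes nor the reason for the byte swap is documented. I'd lift the value into a named constant with a comment, e.g. `#define PAX_REFCOUNT_BKPT 0xe12f1073 /* bkpt emitted on refcount overflow; instruction encoding, hence cpu_to_le32 on the word read as data */` (name constructed here, use the project's convention), and confirm the swap direction on big-endian builds, where the instruction word read through probe_kernel_address presumably comes back byte-swapped. The enclosing function starts and ends outside this hunk.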
2016 @@ -5347,10 +5346,10 @@ index 4efe96a..60e8699 100644
2017 #define SMP_CACHE_BYTES L1_CACHE_BYTES
2018
2019 diff --git a/arch/mips/include/asm/atomic.h b/arch/mips/include/asm/atomic.h
2020 -index 08b6079..eb272cf 100644
2021 +index 08b6079..e94e6da 100644
2022 --- a/arch/mips/include/asm/atomic.h
2023 +++ b/arch/mips/include/asm/atomic.h
2024 -@@ -21,6 +21,10 @@
2025 +@@ -21,15 +21,39 @@
2026 #include <asm/cmpxchg.h>
2027 #include <asm/war.h>
2028
2029 @@ -5360,24 +5359,887 @@ index 08b6079..eb272cf 100644
2030 +
2031 #define ATOMIC_INIT(i) { (i) }
2032
2033 ++#ifdef CONFIG_64BIT
2034 ++#define _ASM_EXTABLE(from, to) \
2035 ++" .section __ex_table,\"a\"\n" \
2036 ++" .dword " #from ", " #to"\n" \
2037 ++" .previous\n"
2038 ++#else
2039 ++#define _ASM_EXTABLE(from, to) \
2040 ++" .section __ex_table,\"a\"\n" \
2041 ++" .word " #from ", " #to"\n" \
2042 ++" .previous\n"
2043 ++#endif
2044 ++
2045 /*
2046 -@@ -759,6 +763,16 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
2047 + * atomic_read - read atomic variable
2048 + * @v: pointer of type atomic_t
2049 + *
2050 + * Atomically reads the value of @v.
2051 */
2052 - #define atomic64_add_negative(i, v) (atomic64_add_return(i, (v)) < 0)
2053 +-#define atomic_read(v) (*(volatile int *)&(v)->counter)
2054 ++static inline int atomic_read(const atomic_t *v)
2055 ++{
2056 ++ return (*(volatile const int *) &v->counter);
2057 ++}
2058 ++
2059 ++static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
2060 ++{
2061 ++ return (*(volatile const int *) &v->counter);
2062 ++}
2063
2064 -+#define atomic64_read_unchecked(v) atomic64_read(v)
2065 -+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
2066 -+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
2067 -+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
2068 -+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
2069 -+#define atomic64_inc_unchecked(v) atomic64_inc(v)
2070 -+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
2071 -+#define atomic64_dec_unchecked(v) atomic64_dec(v)
2072 -+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
2073 + /*
2074 + * atomic_set - set atomic variable
2075 +@@ -38,7 +62,15 @@
2076 + *
2077 + * Atomically sets the value of @v to @i.
2078 + */
2079 +-#define atomic_set(v, i) ((v)->counter = (i))
2080 ++static inline void atomic_set(atomic_t *v, int i)
2081 ++{
2082 ++ v->counter = i;
2083 ++}
2084 +
2085 - #endif /* CONFIG_64BIT */
2086 ++static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
2087 ++{
2088 ++ v->counter = i;
2089 ++}
2090 +
2091 + /*
2092 + * atomic_add - add integer to atomic variable
2093 +@@ -47,7 +79,67 @@
2094 + *
2095 + * Atomically adds @i to @v.
2096 + */
2097 +-static __inline__ void atomic_add(int i, atomic_t * v)
2098 ++static __inline__ void atomic_add(int i, atomic_t *v)
2099 ++{
2100 ++ int temp;
2101 ++
2102 ++ if (kernel_uses_llsc && R10000_LLSC_WAR) {
2103 ++ __asm__ __volatile__(
2104 ++ " .set mips3 \n"
2105 ++ "1: ll %0, %1 # atomic_add \n"
2106 ++#ifdef CONFIG_PAX_REFCOUNT
2107 ++ /* Exception on overflow. */
2108 ++ "2: add %0, %2 \n"
2109 ++#else
2110 ++ " addu %0, %2 \n"
2111 ++#endif
2112 ++ " sc %0, %1 \n"
2113 ++ " beqzl %0, 1b \n"
2114 ++#ifdef CONFIG_PAX_REFCOUNT
2115 ++ "3: \n"
2116 ++ _ASM_EXTABLE(2b, 3b)
2117 ++#endif
2118 ++ " .set mips0 \n"
2119 ++ : "=&r" (temp), "+m" (v->counter)
2120 ++ : "Ir" (i));
2121 ++ } else if (kernel_uses_llsc) {
2122 ++ __asm__ __volatile__(
2123 ++ " .set mips3 \n"
2124 ++ "1: ll %0, %1 # atomic_add \n"
2125 ++#ifdef CONFIG_PAX_REFCOUNT
2126 ++ /* Exception on overflow. */
2127 ++ "2: add %0, %2 \n"
2128 ++#else
2129 ++ " addu %0, %2 \n"
2130 ++#endif
2131 ++ " sc %0, %1 \n"
2132 ++ " beqz %0, 1b \n"
2133 ++#ifdef CONFIG_PAX_REFCOUNT
2134 ++ "3: \n"
2135 ++ _ASM_EXTABLE(2b, 3b)
2136 ++#endif
2137 ++ " .set mips0 \n"
2138 ++ : "=&r" (temp), "+m" (v->counter)
2139 ++ : "Ir" (i));
2140 ++ } else {
2141 ++ unsigned long flags;
2142 ++
2143 ++ raw_local_irq_save(flags);
2144 ++ __asm__ __volatile__(
2145 ++#ifdef CONFIG_PAX_REFCOUNT
2146 ++ /* Exception on overflow. */
2147 ++ "1: add %0, %1 \n"
2148 ++ "2: \n"
2149 ++ _ASM_EXTABLE(1b, 2b)
2150 ++#else
2151 ++ " addu %0, %1 \n"
2152 ++#endif
2153 ++ : "+r" (v->counter) : "Ir" (i));
2154 ++ raw_local_irq_restore(flags);
2155 ++ }
2156 ++}
2157 ++
2158 ++static __inline__ void atomic_add_unchecked(int i, atomic_unchecked_t *v)
2159 + {
2160 + if (kernel_uses_llsc && R10000_LLSC_WAR) {
2161 + int temp;
2162 +@@ -90,7 +182,67 @@ static __inline__ void atomic_add(int i, atomic_t * v)
2163 + *
2164 + * Atomically subtracts @i from @v.
2165 + */
2166 +-static __inline__ void atomic_sub(int i, atomic_t * v)
2167 ++static __inline__ void atomic_sub(int i, atomic_t *v)
2168 ++{
2169 ++ int temp;
2170 ++
2171 ++ if (kernel_uses_llsc && R10000_LLSC_WAR) {
2172 ++ __asm__ __volatile__(
2173 ++ " .set mips3 \n"
2174 ++ "1: ll %0, %1 # atomic64_sub \n"
2175 ++#ifdef CONFIG_PAX_REFCOUNT
2176 ++ /* Exception on overflow. */
2177 ++ "2: sub %0, %2 \n"
2178 ++#else
2179 ++ " subu %0, %2 \n"
2180 ++#endif
2181 ++ " sc %0, %1 \n"
2182 ++ " beqzl %0, 1b \n"
2183 ++#ifdef CONFIG_PAX_REFCOUNT
2184 ++ "3: \n"
2185 ++ _ASM_EXTABLE(2b, 3b)
2186 ++#endif
2187 ++ " .set mips0 \n"
2188 ++ : "=&r" (temp), "+m" (v->counter)
2189 ++ : "Ir" (i));
2190 ++ } else if (kernel_uses_llsc) {
2191 ++ __asm__ __volatile__(
2192 ++ " .set mips3 \n"
2193 ++ "1: ll %0, %1 # atomic64_sub \n"
2194 ++#ifdef CONFIG_PAX_REFCOUNT
2195 ++ /* Exception on overflow. */
2196 ++ "2: sub %0, %2 \n"
2197 ++#else
2198 ++ " subu %0, %2 \n"
2199 ++#endif
2200 ++ " sc %0, %1 \n"
2201 ++ " beqz %0, 1b \n"
2202 ++#ifdef CONFIG_PAX_REFCOUNT
2203 ++ "3: \n"
2204 ++ _ASM_EXTABLE(2b, 3b)
2205 ++#endif
2206 ++ " .set mips0 \n"
2207 ++ : "=&r" (temp), "+m" (v->counter)
2208 ++ : "Ir" (i));
2209 ++ } else {
2210 ++ unsigned long flags;
2211 ++
2212 ++ raw_local_irq_save(flags);
2213 ++ __asm__ __volatile__(
2214 ++#ifdef CONFIG_PAX_REFCOUNT
2215 ++ /* Exception on overflow. */
2216 ++ "1: sub %0, %1 \n"
2217 ++ "2: \n"
2218 ++ _ASM_EXTABLE(1b, 2b)
2219 ++#else
2220 ++ " subu %0, %1 \n"
2221 ++#endif
2222 ++ : "+r" (v->counter) : "Ir" (i));
2223 ++ raw_local_irq_restore(flags);
2224 ++ }
2225 ++}
2226 ++
2227 ++static __inline__ void atomic_sub_unchecked(long i, atomic_unchecked_t *v)
2228 + {
2229 + if (kernel_uses_llsc && R10000_LLSC_WAR) {
2230 + int temp;
2231 +@@ -129,7 +281,93 @@ static __inline__ void atomic_sub(int i, atomic_t * v)
2232 + /*
2233 + * Same as above, but return the result value
2234 + */
2235 +-static __inline__ int atomic_add_return(int i, atomic_t * v)
2236 ++static __inline__ int atomic_add_return(int i, atomic_t *v)
2237 ++{
2238 ++ int result;
2239 ++ int temp;
2240 ++
2241 ++ smp_mb__before_llsc();
2242 ++
2243 ++ if (kernel_uses_llsc && R10000_LLSC_WAR) {
2244 ++ __asm__ __volatile__(
2245 ++ " .set mips3 \n"
2246 ++ "1: ll %1, %2 # atomic_add_return \n"
2247 ++#ifdef CONFIG_PAX_REFCOUNT
2248 ++ "2: add %0, %1, %3 \n"
2249 ++#else
2250 ++ " addu %0, %1, %3 \n"
2251 ++#endif
2252 ++ " sc %0, %2 \n"
2253 ++ " beqzl %0, 1b \n"
2254 ++#ifdef CONFIG_PAX_REFCOUNT
2255 ++ " b 4f \n"
2256 ++ " .set noreorder \n"
2257 ++ "3: b 5f \n"
2258 ++ " move %0, %1 \n"
2259 ++ " .set reorder \n"
2260 ++ _ASM_EXTABLE(2b, 3b)
2261 ++#endif
2262 ++ "4: addu %0, %1, %3 \n"
2263 ++#ifdef CONFIG_PAX_REFCOUNT
2264 ++ "5: \n"
2265 ++#endif
2266 ++ " .set mips0 \n"
2267 ++ : "=&r" (result), "=&r" (temp), "+m" (v->counter)
2268 ++ : "Ir" (i));
2269 ++ } else if (kernel_uses_llsc) {
2270 ++ __asm__ __volatile__(
2271 ++ " .set mips3 \n"
2272 ++ "1: ll %1, %2 # atomic_add_return \n"
2273 ++#ifdef CONFIG_PAX_REFCOUNT
2274 ++ "2: add %0, %1, %3 \n"
2275 ++#else
2276 ++ " addu %0, %1, %3 \n"
2277 ++#endif
2278 ++ " sc %0, %2 \n"
2279 ++ " bnez %0, 4f \n"
2280 ++ " b 1b \n"
2281 ++#ifdef CONFIG_PAX_REFCOUNT
2282 ++ " .set noreorder \n"
2283 ++ "3: b 5f \n"
2284 ++ " move %0, %1 \n"
2285 ++ " .set reorder \n"
2286 ++ _ASM_EXTABLE(2b, 3b)
2287 ++#endif
2288 ++ "4: addu %0, %1, %3 \n"
2289 ++#ifdef CONFIG_PAX_REFCOUNT
2290 ++ "5: \n"
2291 ++#endif
2292 ++ " .set mips0 \n"
2293 ++ : "=&r" (result), "=&r" (temp), "+m" (v->counter)
2294 ++ : "Ir" (i));
2295 ++ } else {
2296 ++ unsigned long flags;
2297 ++
2298 ++ raw_local_irq_save(flags);
2299 ++ __asm__ __volatile__(
2300 ++ " lw %0, %1 \n"
2301 ++#ifdef CONFIG_PAX_REFCOUNT
2302 ++ /* Exception on overflow. */
2303 ++ "1: add %0, %2 \n"
2304 ++#else
2305 ++ " addu %0, %2 \n"
2306 ++#endif
2307 ++ " sw %0, %1 \n"
2308 ++#ifdef CONFIG_PAX_REFCOUNT
2309 ++ /* Note: Dest reg is not modified on overflow */
2310 ++ "2: \n"
2311 ++ _ASM_EXTABLE(1b, 2b)
2312 ++#endif
2313 ++ : "=&r" (result), "+m" (v->counter) : "Ir" (i));
2314 ++ raw_local_irq_restore(flags);
2315 ++ }
2316 ++
2317 ++ smp_llsc_mb();
2318 ++
2319 ++ return result;
2320 ++}
2321 ++
2322 ++static __inline__ int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
2323 + {
2324 + int result;
2325 +
2326 +@@ -178,7 +416,93 @@ static __inline__ int atomic_add_return(int i, atomic_t * v)
2327 + return result;
2328 + }
2329 +
2330 +-static __inline__ int atomic_sub_return(int i, atomic_t * v)
2331 ++static __inline__ int atomic_sub_return(int i, atomic_t *v)
2332 ++{
2333 ++ int result;
2334 ++ int temp;
2335 ++
2336 ++ smp_mb__before_llsc();
2337 ++
2338 ++ if (kernel_uses_llsc && R10000_LLSC_WAR) {
2339 ++ __asm__ __volatile__(
2340 ++ " .set mips3 \n"
2341 ++ "1: ll %1, %2 # atomic_sub_return \n"
2342 ++#ifdef CONFIG_PAX_REFCOUNT
2343 ++ "2: sub %0, %1, %3 \n"
2344 ++#else
2345 ++ " subu %0, %1, %3 \n"
2346 ++#endif
2347 ++ " sc %0, %2 \n"
2348 ++ " beqzl %0, 1b \n"
2349 ++#ifdef CONFIG_PAX_REFCOUNT
2350 ++ " b 4f \n"
2351 ++ " .set noreorder \n"
2352 ++ "3: b 5f \n"
2353 ++ " move %0, %1 \n"
2354 ++ " .set reorder \n"
2355 ++ _ASM_EXTABLE(2b, 3b)
2356 ++#endif
2357 ++ "4: subu %0, %1, %3 \n"
2358 ++#ifdef CONFIG_PAX_REFCOUNT
2359 ++ "5: \n"
2360 ++#endif
2361 ++ " .set mips0 \n"
2362 ++ : "=&r" (result), "=&r" (temp), "=m" (v->counter)
2363 ++ : "Ir" (i), "m" (v->counter)
2364 ++ : "memory");
2365 ++ } else if (kernel_uses_llsc) {
2366 ++ __asm__ __volatile__(
2367 ++ " .set mips3 \n"
2368 ++ "1: ll %1, %2 # atomic_sub_return \n"
2369 ++#ifdef CONFIG_PAX_REFCOUNT
2370 ++ "2: sub %0, %1, %3 \n"
2371 ++#else
2372 ++ " subu %0, %1, %3 \n"
2373 ++#endif
2374 ++ " sc %0, %2 \n"
2375 ++ " bnez %0, 4f \n"
2376 ++ " b 1b \n"
2377 ++#ifdef CONFIG_PAX_REFCOUNT
2378 ++ " .set noreorder \n"
2379 ++ "3: b 5f \n"
2380 ++ " move %0, %1 \n"
2381 ++ " .set reorder \n"
2382 ++ _ASM_EXTABLE(2b, 3b)
2383 ++#endif
2384 ++ "4: subu %0, %1, %3 \n"
2385 ++#ifdef CONFIG_PAX_REFCOUNT
2386 ++ "5: \n"
2387 ++#endif
2388 ++ " .set mips0 \n"
2389 ++ : "=&r" (result), "=&r" (temp), "+m" (v->counter)
2390 ++ : "Ir" (i));
2391 ++ } else {
2392 ++ unsigned long flags;
2393 ++
2394 ++ raw_local_irq_save(flags);
2395 ++ __asm__ __volatile__(
2396 ++ " lw %0, %1 \n"
2397 ++#ifdef CONFIG_PAX_REFCOUNT
2398 ++ /* Exception on overflow. */
2399 ++ "1: sub %0, %2 \n"
2400 ++#else
2401 ++ " subu %0, %2 \n"
2402 ++#endif
2403 ++ " sw %0, %1 \n"
2404 ++#ifdef CONFIG_PAX_REFCOUNT
2405 ++ /* Note: Dest reg is not modified on overflow */
2406 ++ "2: \n"
2407 ++ _ASM_EXTABLE(1b, 2b)
2408 ++#endif
2409 ++ : "=&r" (result), "+m" (v->counter) : "Ir" (i));
2410 ++ raw_local_irq_restore(flags);
2411 ++ }
2412 ++
2413 ++ smp_llsc_mb();
2414 ++
2415 ++ return result;
2416 ++}
2417 ++static __inline__ int atomic_sub_return_unchecked(int i, atomic_unchecked_t *v)
2418 + {
2419 + int result;
2420 +
2421 +@@ -238,7 +562,7 @@ static __inline__ int atomic_sub_return(int i, atomic_t * v)
2422 + * Atomically test @v and subtract @i if @v is greater or equal than @i.
2423 + * The function returns the old value of @v minus @i.
2424 + */
2425 +-static __inline__ int atomic_sub_if_positive(int i, atomic_t * v)
2426 ++static __inline__ int atomic_sub_if_positive(int i, atomic_t *v)
2427 + {
2428 + int result;
2429 +
2430 +@@ -295,8 +619,26 @@ static __inline__ int atomic_sub_if_positive(int i, atomic_t * v)
2431 + return result;
2432 + }
2433 +
2434 +-#define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
2435 +-#define atomic_xchg(v, new) (xchg(&((v)->counter), (new)))
2436 ++static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
2437 ++{
2438 ++ return cmpxchg(&v->counter, old, new);
2439 ++}
2440 ++
2441 ++static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old,
2442 ++ int new)
2443 ++{
2444 ++ return cmpxchg(&(v->counter), old, new);
2445 ++}
2446 ++
2447 ++static inline int atomic_xchg(atomic_t *v, int new)
2448 ++{
2449 ++ return xchg(&v->counter, new);
2450 ++}
2451 ++
2452 ++static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
2453 ++{
2454 ++ return xchg(&(v->counter), new);
2455 ++}
2456 +
2457 + /**
2458 + * __atomic_add_unless - add unless the number is a given value
2459 +@@ -324,6 +666,7 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
2460 +
2461 + #define atomic_dec_return(v) atomic_sub_return(1, (v))
2462 + #define atomic_inc_return(v) atomic_add_return(1, (v))
2463 ++#define atomic_inc_return_unchecked(v) atomic_add_return_unchecked(1, (v))
2464 +
2465 + /*
2466 + * atomic_sub_and_test - subtract value from variable and test result
2467 +@@ -345,6 +688,7 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
2468 + * other cases.
2469 + */
2470 + #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
2471 ++#define atomic_inc_and_test_unchecked(v) (atomic_add_return_unchecked(1, (v)) == 0)
2472 +
2473 + /*
2474 + * atomic_dec_and_test - decrement by 1 and test
2475 +@@ -369,6 +713,7 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
2476 + * Atomically increments @v by 1.
2477 + */
2478 + #define atomic_inc(v) atomic_add(1, (v))
2479 ++#define atomic_inc_unchecked(v) atomic_add_unchecked(1, (v))
2480 +
2481 + /*
2482 + * atomic_dec - decrement and test
2483 +@@ -377,6 +722,7 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
2484 + * Atomically decrements @v by 1.
2485 + */
2486 + #define atomic_dec(v) atomic_sub(1, (v))
2487 ++#define atomic_dec_unchecked(v) atomic_sub_return_unchecked(1, (v))
2488 +
2489 + /*
2490 + * atomic_add_negative - add and test if negative
2491 +@@ -398,14 +744,30 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
2492 + * @v: pointer of type atomic64_t
2493 + *
2494 + */
2495 +-#define atomic64_read(v) (*(volatile long *)&(v)->counter)
2496 ++static inline long atomic64_read(const atomic64_t *v)
2497 ++{
2498 ++ return (*(volatile const long *) &v->counter);
2499 ++}
2500 ++
2501 ++static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
2502 ++{
2503 ++ return (*(volatile const long *) &v->counter);
2504 ++}
2505 +
2506 + /*
2507 + * atomic64_set - set atomic variable
2508 + * @v: pointer of type atomic64_t
2509 + * @i: required value
2510 + */
2511 +-#define atomic64_set(v, i) ((v)->counter = (i))
2512 ++static inline void atomic64_set(atomic64_t *v, long i)
2513 ++{
2514 ++ v->counter = i;
2515 ++}
2516 ++
2517 ++static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
2518 ++{
2519 ++ v->counter = i;
2520 ++}
2521 +
2522 + /*
2523 + * atomic64_add - add integer to atomic variable
2524 +@@ -414,7 +776,66 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
2525 + *
2526 + * Atomically adds @i to @v.
2527 + */
2528 +-static __inline__ void atomic64_add(long i, atomic64_t * v)
2529 ++static __inline__ void atomic64_add(long i, atomic64_t *v)
2530 ++{
2531 ++ long temp;
2532 ++
2533 ++ if (kernel_uses_llsc && R10000_LLSC_WAR) {
2534 ++ __asm__ __volatile__(
2535 ++ " .set mips3 \n"
2536 ++ "1: lld %0, %1 # atomic64_add \n"
2537 ++#ifdef CONFIG_PAX_REFCOUNT
2538 ++ /* Exception on overflow. */
2539 ++ "2: dadd %0, %2 \n"
2540 ++#else
2541 ++ " daddu %0, %2 \n"
2542 ++#endif
2543 ++ " scd %0, %1 \n"
2544 ++ " beqzl %0, 1b \n"
2545 ++#ifdef CONFIG_PAX_REFCOUNT
2546 ++ "3: \n"
2547 ++ _ASM_EXTABLE(2b, 3b)
2548 ++#endif
2549 ++ " .set mips0 \n"
2550 ++ : "=&r" (temp), "+m" (v->counter)
2551 ++ : "Ir" (i));
2552 ++ } else if (kernel_uses_llsc) {
2553 ++ __asm__ __volatile__(
2554 ++ " .set mips3 \n"
2555 ++ "1: lld %0, %1 # atomic64_add \n"
2556 ++#ifdef CONFIG_PAX_REFCOUNT
2557 ++ /* Exception on overflow. */
2558 ++ "2: dadd %0, %2 \n"
2559 ++#else
2560 ++ " daddu %0, %2 \n"
2561 ++#endif
2562 ++ " scd %0, %1 \n"
2563 ++ " beqz %0, 1b \n"
2564 ++#ifdef CONFIG_PAX_REFCOUNT
2565 ++ "3: \n"
2566 ++ _ASM_EXTABLE(2b, 3b)
2567 ++#endif
2568 ++ " .set mips0 \n"
2569 ++ : "=&r" (temp), "+m" (v->counter)
2570 ++ : "Ir" (i));
2571 ++ } else {
2572 ++ unsigned long flags;
2573 ++
2574 ++ raw_local_irq_save(flags);
2575 ++ __asm__ __volatile__(
2576 ++#ifdef CONFIG_PAX_REFCOUNT
2577 ++ /* Exception on overflow. */
2578 ++ "1: dadd %0, %1 \n"
2579 ++ "2: \n"
2580 ++ _ASM_EXTABLE(1b, 2b)
2581 ++#else
2582 ++ " daddu %0, %1 \n"
2583 ++#endif
2584 ++ : "+r" (v->counter) : "Ir" (i));
2585 ++ raw_local_irq_restore(flags);
2586 ++ }
2587 ++}
2588 ++static __inline__ void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
2589 + {
2590 + if (kernel_uses_llsc && R10000_LLSC_WAR) {
2591 + long temp;
2592 +@@ -457,7 +878,67 @@ static __inline__ void atomic64_add(long i, atomic64_t * v)
2593 + *
2594 + * Atomically subtracts @i from @v.
2595 + */
2596 +-static __inline__ void atomic64_sub(long i, atomic64_t * v)
2597 ++static __inline__ void atomic64_sub(long i, atomic64_t *v)
2598 ++{
2599 ++ long temp;
2600 ++
2601 ++ if (kernel_uses_llsc && R10000_LLSC_WAR) {
2602 ++ __asm__ __volatile__(
2603 ++ " .set mips3 \n"
2604 ++ "1: lld %0, %1 # atomic64_sub \n"
2605 ++#ifdef CONFIG_PAX_REFCOUNT
2606 ++ /* Exception on overflow. */
2607 ++ "2: dsub %0, %2 \n"
2608 ++#else
2609 ++ " dsubu %0, %2 \n"
2610 ++#endif
2611 ++ " scd %0, %1 \n"
2612 ++ " beqzl %0, 1b \n"
2613 ++#ifdef CONFIG_PAX_REFCOUNT
2614 ++ "3: \n"
2615 ++ _ASM_EXTABLE(2b, 3b)
2616 ++#endif
2617 ++ " .set mips0 \n"
2618 ++ : "=&r" (temp), "+m" (v->counter)
2619 ++ : "Ir" (i));
2620 ++ } else if (kernel_uses_llsc) {
2621 ++ __asm__ __volatile__(
2622 ++ " .set mips3 \n"
2623 ++ "1: lld %0, %1 # atomic64_sub \n"
2624 ++#ifdef CONFIG_PAX_REFCOUNT
2625 ++ /* Exception on overflow. */
2626 ++ "2: dsub %0, %2 \n"
2627 ++#else
2628 ++ " dsubu %0, %2 \n"
2629 ++#endif
2630 ++ " scd %0, %1 \n"
2631 ++ " beqz %0, 1b \n"
2632 ++#ifdef CONFIG_PAX_REFCOUNT
2633 ++ "3: \n"
2634 ++ _ASM_EXTABLE(2b, 3b)
2635 ++#endif
2636 ++ " .set mips0 \n"
2637 ++ : "=&r" (temp), "+m" (v->counter)
2638 ++ : "Ir" (i));
2639 ++ } else {
2640 ++ unsigned long flags;
2641 ++
2642 ++ raw_local_irq_save(flags);
2643 ++ __asm__ __volatile__(
2644 ++#ifdef CONFIG_PAX_REFCOUNT
2645 ++ /* Exception on overflow. */
2646 ++ "1: dsub %0, %1 \n"
2647 ++ "2: \n"
2648 ++ _ASM_EXTABLE(1b, 2b)
2649 ++#else
2650 ++ " dsubu %0, %1 \n"
2651 ++#endif
2652 ++ : "+r" (v->counter) : "Ir" (i));
2653 ++ raw_local_irq_restore(flags);
2654 ++ }
2655 ++}
2656 ++
2657 ++static __inline__ void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
2658 + {
2659 + if (kernel_uses_llsc && R10000_LLSC_WAR) {
2660 + long temp;
2661 +@@ -496,7 +977,93 @@ static __inline__ void atomic64_sub(long i, atomic64_t * v)
2662 + /*
2663 + * Same as above, but return the result value
2664 + */
2665 +-static __inline__ long atomic64_add_return(long i, atomic64_t * v)
2666 ++static __inline__ long atomic64_add_return(long i, atomic64_t *v)
2667 ++{
2668 ++ long result;
2669 ++ long temp;
2670 ++
2671 ++ smp_mb__before_llsc();
2672 ++
2673 ++ if (kernel_uses_llsc && R10000_LLSC_WAR) {
2674 ++ __asm__ __volatile__(
2675 ++ " .set mips3 \n"
2676 ++ "1: lld %1, %2 # atomic64_add_return \n"
2677 ++#ifdef CONFIG_PAX_REFCOUNT
2678 ++ "2: dadd %0, %1, %3 \n"
2679 ++#else
2680 ++ " daddu %0, %1, %3 \n"
2681 ++#endif
2682 ++ " scd %0, %2 \n"
2683 ++ " beqzl %0, 1b \n"
2684 ++#ifdef CONFIG_PAX_REFCOUNT
2685 ++ " b 4f \n"
2686 ++ " .set noreorder \n"
2687 ++ "3: b 5f \n"
2688 ++ " move %0, %1 \n"
2689 ++ " .set reorder \n"
2690 ++ _ASM_EXTABLE(2b, 3b)
2691 ++#endif
2692 ++ "4: daddu %0, %1, %3 \n"
2693 ++#ifdef CONFIG_PAX_REFCOUNT
2694 ++ "5: \n"
2695 ++#endif
2696 ++ " .set mips0 \n"
2697 ++ : "=&r" (result), "=&r" (temp), "+m" (v->counter)
2698 ++ : "Ir" (i));
2699 ++ } else if (kernel_uses_llsc) {
2700 ++ __asm__ __volatile__(
2701 ++ " .set mips3 \n"
2702 ++ "1: lld %1, %2 # atomic64_add_return \n"
2703 ++#ifdef CONFIG_PAX_REFCOUNT
2704 ++ "2: dadd %0, %1, %3 \n"
2705 ++#else
2706 ++ " daddu %0, %1, %3 \n"
2707 ++#endif
2708 ++ " scd %0, %2 \n"
2709 ++ " bnez %0, 4f \n"
2710 ++ " b 1b \n"
2711 ++#ifdef CONFIG_PAX_REFCOUNT
2712 ++ " .set noreorder \n"
2713 ++ "3: b 5f \n"
2714 ++ " move %0, %1 \n"
2715 ++ " .set reorder \n"
2716 ++ _ASM_EXTABLE(2b, 3b)
2717 ++#endif
2718 ++ "4: daddu %0, %1, %3 \n"
2719 ++#ifdef CONFIG_PAX_REFCOUNT
2720 ++ "5: \n"
2721 ++#endif
2722 ++ " .set mips0 \n"
2723 ++ : "=&r" (result), "=&r" (temp), "=m" (v->counter)
2724 ++ : "Ir" (i), "m" (v->counter)
2725 ++ : "memory");
2726 ++ } else {
2727 ++ unsigned long flags;
2728 ++
2729 ++ raw_local_irq_save(flags);
2730 ++ __asm__ __volatile__(
2731 ++ " ld %0, %1 \n"
2732 ++#ifdef CONFIG_PAX_REFCOUNT
2733 ++ /* Exception on overflow. */
2734 ++ "1: dadd %0, %2 \n"
2735 ++#else
2736 ++ " daddu %0, %2 \n"
2737 ++#endif
2738 ++ " sd %0, %1 \n"
2739 ++#ifdef CONFIG_PAX_REFCOUNT
2740 ++ /* Note: Dest reg is not modified on overflow */
2741 ++ "2: \n"
2742 ++ _ASM_EXTABLE(1b, 2b)
2743 ++#endif
2744 ++ : "=&r" (result), "+m" (v->counter) : "Ir" (i));
2745 ++ raw_local_irq_restore(flags);
2746 ++ }
2747 ++
2748 ++ smp_llsc_mb();
2749 ++
2750 ++ return result;
2751 ++}
2752 ++static __inline__ long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
2753 + {
2754 + long result;
2755 +
2756 +@@ -546,7 +1113,97 @@ static __inline__ long atomic64_add_return(long i, atomic64_t * v)
2757 + return result;
2758 + }
2759 +
2760 +-static __inline__ long atomic64_sub_return(long i, atomic64_t * v)
2761 ++static __inline__ long atomic64_sub_return(long i, atomic64_t *v)
2762 ++{
2763 ++ long result;
2764 ++ long temp;
2765 ++
2766 ++ smp_mb__before_llsc();
2767 ++
2768 ++ if (kernel_uses_llsc && R10000_LLSC_WAR) {
2769 ++ long temp;
2770 ++
2771 ++ __asm__ __volatile__(
2772 ++ " .set mips3 \n"
2773 ++ "1: lld %1, %2 # atomic64_sub_return \n"
2774 ++#ifdef CONFIG_PAX_REFCOUNT
2775 ++ "2: dsub %0, %1, %3 \n"
2776 ++#else
2777 ++ " dsubu %0, %1, %3 \n"
2778 ++#endif
2779 ++ " scd %0, %2 \n"
2780 ++ " beqzl %0, 1b \n"
2781 ++#ifdef CONFIG_PAX_REFCOUNT
2782 ++ " b 4f \n"
2783 ++ " .set noreorder \n"
2784 ++ "3: b 5f \n"
2785 ++ " move %0, %1 \n"
2786 ++ " .set reorder \n"
2787 ++ _ASM_EXTABLE(2b, 3b)
2788 ++#endif
2789 ++ "4: dsubu %0, %1, %3 \n"
2790 ++#ifdef CONFIG_PAX_REFCOUNT
2791 ++ "5: \n"
2792 ++#endif
2793 ++ " .set mips0 \n"
2794 ++ : "=&r" (result), "=&r" (temp), "=m" (v->counter)
2795 ++ : "Ir" (i), "m" (v->counter)
2796 ++ : "memory");
2797 ++ } else if (kernel_uses_llsc) {
2798 ++ __asm__ __volatile__(
2799 ++ " .set mips3 \n"
2800 ++ "1: lld %1, %2 # atomic64_sub_return \n"
2801 ++#ifdef CONFIG_PAX_REFCOUNT
2802 ++ "2: dsub %0, %1, %3 \n"
2803 ++#else
2804 ++ " dsubu %0, %1, %3 \n"
2805 ++#endif
2806 ++ " scd %0, %2 \n"
2807 ++ " bnez %0, 4f \n"
2808 ++ " b 1b \n"
2809 ++#ifdef CONFIG_PAX_REFCOUNT
2810 ++ " .set noreorder \n"
2811 ++ "3: b 5f \n"
2812 ++ " move %0, %1 \n"
2813 ++ " .set reorder \n"
2814 ++ _ASM_EXTABLE(2b, 3b)
2815 ++#endif
2816 ++ "4: dsubu %0, %1, %3 \n"
2817 ++#ifdef CONFIG_PAX_REFCOUNT
2818 ++ "5: \n"
2819 ++#endif
2820 ++ " .set mips0 \n"
2821 ++ : "=&r" (result), "=&r" (temp), "=m" (v->counter)
2822 ++ : "Ir" (i), "m" (v->counter)
2823 ++ : "memory");
2824 ++ } else {
2825 ++ unsigned long flags;
2826 ++
2827 ++ raw_local_irq_save(flags);
2828 ++ __asm__ __volatile__(
2829 ++ " ld %0, %1 \n"
2830 ++#ifdef CONFIG_PAX_REFCOUNT
2831 ++ /* Exception on overflow. */
2832 ++ "1: dsub %0, %2 \n"
2833 ++#else
2834 ++ " dsubu %0, %2 \n"
2835 ++#endif
2836 ++ " sd %0, %1 \n"
2837 ++#ifdef CONFIG_PAX_REFCOUNT
2838 ++ /* Note: Dest reg is not modified on overflow */
2839 ++ "2: \n"
2840 ++ _ASM_EXTABLE(1b, 2b)
2841 ++#endif
2842 ++ : "=&r" (result), "+m" (v->counter) : "Ir" (i));
2843 ++ raw_local_irq_restore(flags);
2844 ++ }
2845 ++
2846 ++ smp_llsc_mb();
2847 ++
2848 ++ return result;
2849 ++}
2850 ++
2851 ++static __inline__ long atomic64_sub_return_unchecked(long i, atomic64_unchecked_t *v)
2852 + {
2853 + long result;
2854 +
2855 +@@ -605,7 +1262,7 @@ static __inline__ long atomic64_sub_return(long i, atomic64_t * v)
2856 + * Atomically test @v and subtract @i if @v is greater or equal than @i.
2857 + * The function returns the old value of @v minus @i.
2858 + */
2859 +-static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v)
2860 ++static __inline__ long atomic64_sub_if_positive(long i, atomic64_t *v)
2861 + {
2862 + long result;
2863 +
2864 +@@ -662,9 +1319,26 @@ static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v)
2865 + return result;
2866 + }
2867 +
2868 +-#define atomic64_cmpxchg(v, o, n) \
2869 +- ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
2870 +-#define atomic64_xchg(v, new) (xchg(&((v)->counter), (new)))
2871 ++static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
2872 ++{
2873 ++ return cmpxchg(&v->counter, old, new);
2874 ++}
2875 ++
2876 ++static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old,
2877 ++ long new)
2878 ++{
2879 ++ return cmpxchg(&(v->counter), old, new);
2880 ++}
2881 ++
2882 ++static inline long atomic64_xchg(atomic64_t *v, long new)
2883 ++{
2884 ++ return xchg(&v->counter, new);
2885 ++}
2886 ++
2887 ++static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
2888 ++{
2889 ++ return xchg(&(v->counter), new);
2890 ++}
2891 +
2892 + /**
2893 + * atomic64_add_unless - add unless the number is a given value
2894 +@@ -694,6 +1368,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
2895 +
2896 + #define atomic64_dec_return(v) atomic64_sub_return(1, (v))
2897 + #define atomic64_inc_return(v) atomic64_add_return(1, (v))
2898 ++#define atomic64_inc_return_unchecked(v) atomic64_add_return_unchecked(1, (v))
2899
2900 /*
2901 + * atomic64_sub_and_test - subtract value from variable and test result
2902 +@@ -715,6 +1390,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
2903 + * other cases.
2904 + */
2905 + #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
2906 ++#define atomic64_inc_and_test_unchecked(v) atomic64_add_return_unchecked(1, (v)) == 0)
2907 +
2908 + /*
2909 + * atomic64_dec_and_test - decrement by 1 and test
2910 +@@ -739,6 +1415,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
2911 + * Atomically increments @v by 1.
2912 + */
2913 + #define atomic64_inc(v) atomic64_add(1, (v))
2914 ++#define atomic64_inc_unchecked(v) atomic64_add_unchecked(1, (v))
2915 +
2916 + /*
2917 + * atomic64_dec - decrement and test
2918 +@@ -747,6 +1424,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
2919 + * Atomically decrements @v by 1.
2920 + */
2921 + #define atomic64_dec(v) atomic64_sub(1, (v))
2922 ++#define atomic64_dec_unchecked(v) atomic64_sub_unchecked(1, (v))
2923 +
2924 + /*
2925 + * atomic64_add_negative - add and test if negative
2926 diff --git a/arch/mips/include/asm/cache.h b/arch/mips/include/asm/cache.h
2927 index b4db69f..8f3b093 100644
2928 --- a/arch/mips/include/asm/cache.h
2929 @@ -5721,6 +6583,29 @@ index 74f485d..47d2c38 100644
2930 LONG_L t0, TI_FLAGS($28) # syscall tracing enabled?
2931 and t0, t1, t0
2932 bnez t0, trace_a_syscall
2933 +diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
2934 +index a75ae40..0d0f56a 100644
2935 +--- a/arch/mips/kernel/traps.c
2936 ++++ b/arch/mips/kernel/traps.c
2937 +@@ -675,7 +675,17 @@ asmlinkage void do_ov(struct pt_regs *regs)
2938 + {
2939 + siginfo_t info;
2940 +
2941 +- die_if_kernel("Integer overflow", regs);
2942 ++ if (unlikely(!user_mode(regs))) {
2943 ++
2944 ++#ifdef CONFIG_PAX_REFCOUNT
2945 ++ if (fixup_exception(regs)) {
2946 ++ pax_report_refcount_overflow(regs);
2947 ++ return;
2948 ++ }
2949 ++#endif
2950 ++
2951 ++ die("Integer overflow", regs);
2952 ++ }
2953 +
2954 + info.si_code = FPE_INTOVF;
2955 + info.si_signo = SIGFPE;
2956 diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c
2957 index 0fead53..eeb00a6 100644
2958 --- a/arch/mips/mm/fault.c
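Review bot: The new kernel-mode branch in do_ov has no comment saying why a fixup-table hit is a non-fatal path, and a reader who does not know the PaX refcount scheme will wonder why an integer-overflow trap taken in the kernel can simply return. The fixup entries it relies on appear to be the `_ASM_EXTABLE` records attached to the trapping `dadd`/`dsub` in the atomic helpers earlier in this patch, so the intent deserves a line above the `#ifdef CONFIG_PAX_REFCOUNT`: `/* A refcount overflow trap in kernel mode has an exception-table fixup: report it and resume there instead of dying. */`. do_ov continues outside the hunk; the user-mode SIGFPE path below is unchanged.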
2959 @@ -16806,15 +17691,17 @@ index a1df6e8..e002940 100644
2960 #endif
2961 #endif /* _ASM_X86_THREAD_INFO_H */
2962 diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
2963 -index 50a7fc0..7c437a7 100644
2964 +index 50a7fc0..45844c0 100644
2965 --- a/arch/x86/include/asm/tlbflush.h
2966 +++ b/arch/x86/include/asm/tlbflush.h
2967 -@@ -17,18 +17,40 @@
2968 +@@ -17,18 +17,44 @@
2969
2970 static inline void __native_flush_tlb(void)
2971 {
2972 + if (static_cpu_has(X86_FEATURE_INVPCID)) {
2973 + unsigned long descriptor[2];
2974 ++
2975 ++ descriptor[0] = PCID_KERNEL;
2976 + asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_MONGLOBAL) : "memory");
2977 + return;
2978 + }
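Review bot: Only `descriptor[0]` is initialised before the INVPCID in `__native_flush_tlb`; `descriptor[1]`, the linear-address qword of the 16-byte operand, is still whatever happened to be on the stack when the instruction reads it. For the all-entries invalidation type used here the address field is presumably ignored, but an aggregate initialiser costs nothing and removes the uninitialised read: replace the declaration and the separate assignment with `unsigned long descriptor[2] = { PCID_KERNEL, 0 };`. The same pattern is in the next hunk (`__native_flush_tlb_global`, INVPCID_ALL_GLOBAL). Both function bodies extend outside their hunks.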
2979 @@ -16838,15 +17725,17 @@ index 50a7fc0..7c437a7 100644
2980 - unsigned long cr4;
2981 + if (static_cpu_has(X86_FEATURE_INVPCID)) {
2982 + unsigned long descriptor[2];
2983 -+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_GLOBAL) : "memory");
2984 -+ } else {
2985 -+ unsigned long cr4;
2986
2987 - cr4 = native_read_cr4();
2988 - /* clear PGE */
2989 - native_write_cr4(cr4 & ~X86_CR4_PGE);
2990 - /* write old PGE again and flush TLBs */
2991 - native_write_cr4(cr4);
2992 ++ descriptor[0] = PCID_KERNEL;
2993 ++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_GLOBAL) : "memory");
2994 ++ } else {
2995 ++ unsigned long cr4;
2996 ++
2997 + cr4 = native_read_cr4();
2998 + /* clear PGE */
2999 + native_write_cr4(cr4 & ~X86_CR4_PGE);
3000 @@ -16856,7 +17745,7 @@ index 50a7fc0..7c437a7 100644
3001 }
3002
3003 static inline void __native_flush_tlb_global(void)
3004 -@@ -49,6 +71,42 @@ static inline void __native_flush_tlb_global(void)
3005 +@@ -49,6 +75,42 @@ static inline void __native_flush_tlb_global(void)
3006
3007 static inline void __native_flush_tlb_single(unsigned long addr)
3008 {
3009 @@ -17350,7 +18239,7 @@ index 7f760a9..04b1c65 100644
3010 }
3011
3012 diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
3013 -index 142810c..1f2a0a7 100644
3014 +index 142810c..1dbe82f 100644
3015 --- a/arch/x86/include/asm/uaccess_64.h
3016 +++ b/arch/x86/include/asm/uaccess_64.h
3017 @@ -10,6 +10,9 @@
3018 @@ -17669,8 +18558,9 @@ index 142810c..1f2a0a7 100644
3019 }
3020 }
3021
3022 - static __must_check __always_inline int
3023 +-static __must_check __always_inline int
3024 -__copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
3025 ++static __must_check __always_inline unsigned long
3026 +__copy_from_user_inatomic(void *dst, const void __user *src, unsigned long size)
3027 {
3028 - return copy_user_generic(dst, (__force const void *)src, size);
3029 @@ -38535,10 +39425,112 @@ index 8c04943..4370ed9 100644
3030 err = drm_debugfs_create_files(dc->debugfs_files,
3031 ARRAY_SIZE(debugfs_files),
3032 diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
3033 -index 402f486..f862d7e 100644
3034 +index 402f486..5340852 100644
3035 --- a/drivers/hid/hid-core.c
3036 +++ b/drivers/hid/hid-core.c
3037 -@@ -2275,7 +2275,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
3038 +@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
3039 + struct hid_report_enum *report_enum = device->report_enum + type;
3040 + struct hid_report *report;
3041 +
3042 ++ if (id >= HID_MAX_IDS)
3043 ++ return NULL;
3044 + if (report_enum->report_id_hash[id])
3045 + return report_enum->report_id_hash[id];
3046 +
3047 +@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
3048 +
3049 + case HID_GLOBAL_ITEM_TAG_REPORT_ID:
3050 + parser->global.report_id = item_udata(item);
3051 +- if (parser->global.report_id == 0) {
3052 +- hid_err(parser->device, "report_id 0 is invalid\n");
3053 ++ if (parser->global.report_id == 0 ||
3054 ++ parser->global.report_id >= HID_MAX_IDS) {
3055 ++ hid_err(parser->device, "report_id %u is invalid\n",
3056 ++ parser->global.report_id);
3057 + return -1;
3058 + }
3059 + return 0;
3060 +@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
3061 + for (i = 0; i < HID_REPORT_TYPES; i++) {
3062 + struct hid_report_enum *report_enum = device->report_enum + i;
3063 +
3064 +- for (j = 0; j < 256; j++) {
3065 ++ for (j = 0; j < HID_MAX_IDS; j++) {
3066 + struct hid_report *report = report_enum->report_id_hash[j];
3067 + if (report)
3068 + hid_free_report(report);
3069 +@@ -755,6 +759,56 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size)
3070 + }
3071 + EXPORT_SYMBOL_GPL(hid_parse_report);
3072 +
3073 ++static const char * const hid_report_names[] = {
3074 ++ "HID_INPUT_REPORT",
3075 ++ "HID_OUTPUT_REPORT",
3076 ++ "HID_FEATURE_REPORT",
3077 ++};
3078 ++/**
3079 ++ * hid_validate_report - validate existing device report
3080 ++ *
3081 ++ * @device: hid device
3082 ++ * @type: which report type to examine
3083 ++ * @id: which report ID to examine (0 for first)
3084 ++ * @fields: expected number of fields
3085 ++ * @report_counts: expected number of values per field
3086 ++ *
3087 ++ * Validate the report details after parsing.
3088 ++ */
3089 ++struct hid_report *hid_validate_report(struct hid_device *hid,
3090 ++ unsigned int type, unsigned int id,
3091 ++ unsigned int fields,
3092 ++ unsigned int report_counts)
3093 ++{
3094 ++ struct hid_report *report;
3095 ++ unsigned int i;
3096 ++
3097 ++ if (type > HID_FEATURE_REPORT) {
3098 ++ hid_err(hid, "invalid HID report %u\n", type);
3099 ++ return NULL;
3100 ++ }
3101 ++
3102 ++ report = hid->report_enum[type].report_id_hash[id];
3103 ++ if (!report) {
3104 ++ hid_err(hid, "missing %s %u\n", hid_report_names[type], id);
3105 ++ return NULL;
3106 ++ }
3107 ++ if (report->maxfield < fields) {
3108 ++ hid_err(hid, "not enough fields in %s %u\n",
3109 ++ hid_report_names[type], id);
3110 ++ return NULL;
3111 ++ }
3112 ++ for (i = 0; i < fields; i++) {
3113 ++ if (report->field[i]->report_count < report_counts) {
3114 ++ hid_err(hid, "not enough values in %s %u fields\n",
3115 ++ hid_report_names[type], id);
3116 ++ return NULL;
3117 ++ }
3118 ++ }
3119 ++ return report;
3120 ++}
3121 ++EXPORT_SYMBOL_GPL(hid_validate_report);
3122 ++
3123 + /**
3124 + * hid_open_report - open a driver-specific device report
3125 + *
3126 +@@ -1152,7 +1206,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
3127 +
3128 + int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
3129 + {
3130 +- unsigned size = field->report_size;
3131 ++ unsigned size;
3132 ++
3133 ++ if (!field)
3134 ++ return -1;
3135 ++
3136 ++ size = field->report_size;
3137 +
3138 + hid_dump_input(field->report->device, field->usage + offset, value);
3139 +
3140 +@@ -2275,7 +2334,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
3141
3142 int hid_add_device(struct hid_device *hdev)
3143 {
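Review bot: `hid_validate_report` indexes `report_id_hash[id]` with a caller-supplied `id` but never compares it with `HID_MAX_IDS`, while the same hunk adds exactly that bound to `hid_register_report` and `hid_parser_global`; as an exported helper it should not rely on every driver passing a small constant. Add the check right after the `type` check, in the same `hid_err` style. hid_validate_report is fully inside the hunk.
```c
	/* … unchanged: type > HID_FEATURE_REPORT check … */
	if (id >= HID_MAX_IDS) {
		hid_err(hid, "invalid HID report id %u\n", id);
		return NULL;
	}

	report = hid->report_enum[type].report_id_hash[id];
	/* … unchanged: missing-report, field-count and report_count checks … */
```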
3144 @@ -38547,7 +39539,7 @@ index 402f486..f862d7e 100644
3145 int ret;
3146
3147 if (WARN_ON(hdev->status & HID_STAT_ADDED))
3148 -@@ -2309,7 +2309,7 @@ int hid_add_device(struct hid_device *hdev)
3149 +@@ -2309,7 +2368,7 @@ int hid_add_device(struct hid_device *hdev)
3150 /* XXX hack, any other cleaner solution after the driver core
3151 * is converted to allow more than 20 bytes as the device name? */
3152 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
3153 @@ -38556,6 +39548,349 @@ index 402f486..f862d7e 100644
3154
3155 hid_debug_register(hdev, dev_name(&hdev->dev));
3156 ret = device_add(&hdev->dev);
3157 +diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c
3158 +index 07837f5..b697ada 100644
3159 +--- a/drivers/hid/hid-lenovo-tpkbd.c
3160 ++++ b/drivers/hid/hid-lenovo-tpkbd.c
3161 +@@ -341,6 +341,11 @@ static int tpkbd_probe_tp(struct hid_device *hdev)
3162 + char *name_mute, *name_micmute;
3163 + int ret;
3164 +
3165 ++ /* Validate required reports. */
3166 ++ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 4, 4, 1) ||
3167 ++ !hid_validate_report(hdev, HID_OUTPUT_REPORT, 3, 1, 2))
3168 ++ return -ENODEV;
3169 ++
3170 + if (sysfs_create_group(&hdev->dev.kobj,
3171 + &tpkbd_attr_group_pointer)) {
3172 + hid_warn(hdev, "Could not create sysfs group\n");
3173 +diff --git a/drivers/hid/hid-lg2ff.c b/drivers/hid/hid-lg2ff.c
3174 +index b3cd150..9805197 100644
3175 +--- a/drivers/hid/hid-lg2ff.c
3176 ++++ b/drivers/hid/hid-lg2ff.c
3177 +@@ -64,26 +64,13 @@ int lg2ff_init(struct hid_device *hid)
3178 + struct hid_report *report;
3179 + struct hid_input *hidinput = list_entry(hid->inputs.next,
3180 + struct hid_input, list);
3181 +- struct list_head *report_list =
3182 +- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
3183 + struct input_dev *dev = hidinput->input;
3184 + int error;
3185 +
3186 +- if (list_empty(report_list)) {
3187 +- hid_err(hid, "no output report found\n");
3188 ++ /* Check that the report looks ok */
3189 ++ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7);
3190 ++ if (!report)
3191 + return -ENODEV;
3192 +- }
3193 +-
3194 +- report = list_entry(report_list->next, struct hid_report, list);
3195 +-
3196 +- if (report->maxfield < 1) {
3197 +- hid_err(hid, "output report is empty\n");
3198 +- return -ENODEV;
3199 +- }
3200 +- if (report->field[0]->report_count < 7) {
3201 +- hid_err(hid, "not enough values in the field\n");
3202 +- return -ENODEV;
3203 +- }
3204 +
3205 + lg2ff = kmalloc(sizeof(struct lg2ff_device), GFP_KERNEL);
3206 + if (!lg2ff)
3207 +diff --git a/drivers/hid/hid-lg3ff.c b/drivers/hid/hid-lg3ff.c
3208 +index e52f181..53ac79b 100644
3209 +--- a/drivers/hid/hid-lg3ff.c
3210 ++++ b/drivers/hid/hid-lg3ff.c
3211 +@@ -66,10 +66,11 @@ static int hid_lg3ff_play(struct input_dev *dev, void *data,
3212 + int x, y;
3213 +
3214 + /*
3215 +- * Maxusage should always be 63 (maximum fields)
3216 +- * likely a better way to ensure this data is clean
3217 ++ * Available values in the field should always be 63, but we only use up to
3218 ++ * 35. Instead, clear the entire area, however big it is.
3219 + */
3220 +- memset(report->field[0]->value, 0, sizeof(__s32)*report->field[0]->maxusage);
3221 ++ memset(report->field[0]->value, 0,
3222 ++ sizeof(__s32) * report->field[0]->report_count);
3223 +
3224 + switch (effect->type) {
3225 + case FF_CONSTANT:
3226 +@@ -129,32 +130,14 @@ static const signed short ff3_joystick_ac[] = {
3227 + int lg3ff_init(struct hid_device *hid)
3228 + {
3229 + struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
3230 +- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
3231 + struct input_dev *dev = hidinput->input;
3232 +- struct hid_report *report;
3233 +- struct hid_field *field;
3234 + const signed short *ff_bits = ff3_joystick_ac;
3235 + int error;
3236 + int i;
3237 +
3238 +- /* Find the report to use */
3239 +- if (list_empty(report_list)) {
3240 +- hid_err(hid, "No output report found\n");
3241 +- return -1;
3242 +- }
3243 +-
3244 + /* Check that the report looks ok */
3245 +- report = list_entry(report_list->next, struct hid_report, list);
3246 +- if (!report) {
3247 +- hid_err(hid, "NULL output report\n");
3248 +- return -1;
3249 +- }
3250 +-
3251 +- field = report->field[0];
3252 +- if (!field) {
3253 +- hid_err(hid, "NULL field\n");
3254 +- return -1;
3255 +- }
3256 ++ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 35))
3257 ++ return -ENODEV;
3258 +
3259 + /* Assume single fixed device G940 */
3260 + for (i = 0; ff_bits[i] >= 0; i++)
3261 +diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c
3262 +index 0ddae2a..8b89f0f 100644
3263 +--- a/drivers/hid/hid-lg4ff.c
3264 ++++ b/drivers/hid/hid-lg4ff.c
3265 +@@ -484,34 +484,16 @@ static enum led_brightness lg4ff_led_get_brightness(struct led_classdev *led_cde
3266 + int lg4ff_init(struct hid_device *hid)
3267 + {
3268 + struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
3269 +- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
3270 + struct input_dev *dev = hidinput->input;
3271 +- struct hid_report *report;
3272 +- struct hid_field *field;
3273 + struct lg4ff_device_entry *entry;
3274 + struct lg_drv_data *drv_data;
3275 + struct usb_device_descriptor *udesc;
3276 + int error, i, j;
3277 + __u16 bcdDevice, rev_maj, rev_min;
3278 +
3279 +- /* Find the report to use */
3280 +- if (list_empty(report_list)) {
3281 +- hid_err(hid, "No output report found\n");
3282 +- return -1;
3283 +- }
3284 +-
3285 + /* Check that the report looks ok */
3286 +- report = list_entry(report_list->next, struct hid_report, list);
3287 +- if (!report) {
3288 +- hid_err(hid, "NULL output report\n");
3289 ++ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7))
3290 + return -1;
3291 +- }
3292 +-
3293 +- field = report->field[0];
3294 +- if (!field) {
3295 +- hid_err(hid, "NULL field\n");
3296 +- return -1;
3297 +- }
3298 +
3299 + /* Check what wheel has been connected */
3300 + for (i = 0; i < ARRAY_SIZE(lg4ff_devices); i++) {
3301 +diff --git a/drivers/hid/hid-lgff.c b/drivers/hid/hid-lgff.c
3302 +index d7ea8c8..a84fb40 100644
3303 +--- a/drivers/hid/hid-lgff.c
3304 ++++ b/drivers/hid/hid-lgff.c
3305 +@@ -128,27 +128,14 @@ static void hid_lgff_set_autocenter(struct input_dev *dev, u16 magnitude)
3306 + int lgff_init(struct hid_device* hid)
3307 + {
3308 + struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
3309 +- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
3310 + struct input_dev *dev = hidinput->input;
3311 +- struct hid_report *report;
3312 +- struct hid_field *field;
3313 + const signed short *ff_bits = ff_joystick;
3314 + int error;
3315 + int i;
3316 +
3317 +- /* Find the report to use */
3318 +- if (list_empty(report_list)) {
3319 +- hid_err(hid, "No output report found\n");
3320 +- return -1;
3321 +- }
3322 +-
3323 + /* Check that the report looks ok */
3324 +- report = list_entry(report_list->next, struct hid_report, list);
3325 +- field = report->field[0];
3326 +- if (!field) {
3327 +- hid_err(hid, "NULL field\n");
3328 +- return -1;
3329 +- }
3330 ++ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7))
3331 ++ return -ENODEV;
3332 +
3333 + for (i = 0; i < ARRAY_SIZE(devices); i++) {
3334 + if (dev->id.vendor == devices[i].idVendor &&
3335 +diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
3336 +index 5207591a..6c9197f 100644
3337 +--- a/drivers/hid/hid-logitech-dj.c
3338 ++++ b/drivers/hid/hid-logitech-dj.c
3339 +@@ -421,7 +421,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
3340 + struct hid_report *report;
3341 + struct hid_report_enum *output_report_enum;
3342 + u8 *data = (u8 *)(&dj_report->device_index);
3343 +- int i;
3344 ++ unsigned int i, length;
3345 +
3346 + output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT];
3347 + report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT];
3348 +@@ -431,7 +431,9 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
3349 + return -ENODEV;
3350 + }
3351 +
3352 +- for (i = 0; i < report->field[0]->report_count; i++)
3353 ++ length = min_t(size_t, sizeof(*dj_report) - 1,
3354 ++ report->field[0]->report_count);
3355 ++ for (i = 0; i < length; i++)
3356 + report->field[0]->value[i] = data[i];
3357 +
3358 + hid_hw_request(hdev, report, HID_REQ_SET_REPORT);
3359 +@@ -738,6 +740,12 @@ static int logi_dj_probe(struct hid_device *hdev,
3360 + goto hid_parse_fail;
3361 + }
3362 +
3363 ++ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT,
3364 ++ 1, 3)) {
3365 ++ retval = -ENODEV;
3366 ++ goto hid_parse_fail;
3367 ++ }
3368 ++
3369 + /* Starts the usb device and connects to upper interfaces hiddev and
3370 + * hidraw */
3371 + retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
3372 +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
3373 +index d39a5ce..4892dfc 100644
3374 +--- a/drivers/hid/hid-multitouch.c
3375 ++++ b/drivers/hid/hid-multitouch.c
3376 +@@ -330,9 +330,18 @@ static void mt_feature_mapping(struct hid_device *hdev,
3377 + break;
3378 + }
3379 + }
3380 ++ /* Ignore if value index is out of bounds. */
3381 ++ if (td->inputmode_index < 0 ||
3382 ++ td->inputmode_index >= field->report_count) {
3383 ++ dev_err(&hdev->dev, "HID_DG_INPUTMODE out of range\n");
3384 ++ td->inputmode = -1;
3385 ++ }
3386 +
3387 + break;
3388 + case HID_DG_CONTACTMAX:
3389 ++ /* Ignore if value count is out of bounds. */
3390 ++ if (field->report_count < 1)
3391 ++ break;
3392 + td->maxcontact_report_id = field->report->id;
3393 + td->maxcontacts = field->value[0];
3394 + if (!td->maxcontacts &&
3395 +@@ -743,15 +752,21 @@ static void mt_touch_report(struct hid_device *hid, struct hid_report *report)
3396 + unsigned count;
3397 + int r, n;
3398 +
3399 ++ if (report->maxfield == 0)
3400 ++ return;
3401 ++
3402 + /*
3403 + * Includes multi-packet support where subsequent
3404 + * packets are sent with zero contactcount.
3405 + */
3406 +- if (td->cc_index >= 0) {
3407 +- struct hid_field *field = report->field[td->cc_index];
3408 +- int value = field->value[td->cc_value_index];
3409 +- if (value)
3410 +- td->num_expected = value;
3411 ++ if (td->cc_index >= 0 && td->cc_index < report->maxfield) {
3412 ++ field = report->field[td->cc_index];
3413 ++ if (td->cc_value_index >= 0 &&
3414 ++ td->cc_value_index < field->report_count) {
3415 ++ int value = field->value[td->cc_value_index];
3416 ++ if (value)
3417 ++ td->num_expected = value;
3418 ++ }
3419 + }
3420 +
3421 + for (r = 0; r < report->maxfield; r++) {
3422 +diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
3423 +index ef95102..5482156 100644
3424 +--- a/drivers/hid/hid-ntrig.c
3425 ++++ b/drivers/hid/hid-ntrig.c
3426 +@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
3427 + struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
3428 + report_id_hash[0x0d];
3429 +
3430 +- if (!report)
3431 ++ if (!report || report->maxfield < 1 ||
3432 ++ report->field[0]->report_count < 1)
3433 + return -EINVAL;
3434 +
3435 + hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
3436 +diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
3437 +index b48092d..72bba1e 100644
3438 +--- a/drivers/hid/hid-picolcd_core.c
3439 ++++ b/drivers/hid/hid-picolcd_core.c
3440 +@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
3441 + buf += 10;
3442 + cnt -= 10;
3443 + }
3444 +- if (!report)
3445 ++ if (!report || report->maxfield < 1)
3446 + return -EINVAL;
3447 +
3448 + while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
3449 +diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
3450 +index d29112f..2dcd7d9 100644
3451 +--- a/drivers/hid/hid-pl.c
3452 ++++ b/drivers/hid/hid-pl.c
3453 +@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
3454 + strong = &report->field[0]->value[2];
3455 + weak = &report->field[0]->value[3];
3456 + debug("detected single-field device");
3457 +- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
3458 +- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
3459 ++ } else if (report->field[0]->maxusage == 1 &&
3460 ++ report->field[0]->usage[0].hid ==
3461 ++ (HID_UP_LED | 0x43) &&
3462 ++ report->maxfield >= 4 &&
3463 ++ report->field[0]->report_count >= 1 &&
3464 ++ report->field[1]->report_count >= 1 &&
3465 ++ report->field[2]->report_count >= 1 &&
3466 ++ report->field[3]->report_count >= 1) {
3467 + report->field[0]->value[0] = 0x00;
3468 + report->field[1]->value[0] = 0x00;
3469 + strong = &report->field[2]->value[0];
3470 +diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
3471 +index ca749810..aa34755 100644
3472 +--- a/drivers/hid/hid-sensor-hub.c
3473 ++++ b/drivers/hid/hid-sensor-hub.c
3474 +@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
3475 +
3476 + mutex_lock(&data->mutex);
3477 + report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
3478 +- if (!report || (field_index >= report->maxfield)) {
3479 ++ if (!report || (field_index >= report->maxfield) ||
3480 ++ report->field[field_index]->report_count < 1) {
3481 + ret = -EINVAL;
3482 + goto done_proc;
3483 + }
3484 +diff --git a/drivers/hid/hid-steelseries.c b/drivers/hid/hid-steelseries.c
3485 +index d164911..ef42e86 100644
3486 +--- a/drivers/hid/hid-steelseries.c
3487 ++++ b/drivers/hid/hid-steelseries.c
3488 +@@ -249,6 +249,11 @@ static int steelseries_srws1_probe(struct hid_device *hdev,
3489 + goto err_free;
3490 + }
3491 +
3492 ++ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 0, 1, 16)) {
3493 ++ ret = -ENODEV;
3494 ++ goto err_free;
3495 ++ }
3496 ++
3497 + ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
3498 + if (ret) {
3499 + hid_err(hdev, "hw start failed\n");
3500 diff --git a/drivers/hid/hid-wiimote-debug.c b/drivers/hid/hid-wiimote-debug.c
3501 index 90124ff..3761764 100644
3502 --- a/drivers/hid/hid-wiimote-debug.c
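Review bot: In hid-lg4ff.c the validation failure keeps `return -1;` while the equivalent new checks in hid-lg2ff.c, hid-lg3ff.c and hid-lgff.c in this hunk return `-ENODEV` (lg3ff even changed its own `-1` to `-ENODEV` here). For consistency across the sibling init routines, and so a caller that does propagate the value gets an errno rather than -EPERM's numeric twin, it should read `return -ENODEV;`. lg4ff_init continues outside the hunk.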
3503 @@ -38569,6 +39904,66 @@ index 90124ff..3761764 100644
3504 return -EFAULT;
3505
3506 *off += size;
3507 +diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c
3508 +index 6ec28a3..b124991 100644
3509 +--- a/drivers/hid/hid-zpff.c
3510 ++++ b/drivers/hid/hid-zpff.c
3511 +@@ -68,22 +68,12 @@ static int zpff_init(struct hid_device *hid)
3512 + struct hid_report *report;
3513 + struct hid_input *hidinput = list_entry(hid->inputs.next,
3514 + struct hid_input, list);
3515 +- struct list_head *report_list =
3516 +- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
3517 + struct input_dev *dev = hidinput->input;
3518 + int error;
3519 +
3520 +- if (list_empty(report_list)) {
3521 +- hid_err(hid, "no output report found\n");
3522 ++ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 4, 1);
3523 ++ if (!report)
3524 + return -ENODEV;
3525 +- }
3526 +-
3527 +- report = list_entry(report_list->next, struct hid_report, list);
3528 +-
3529 +- if (report->maxfield < 4) {
3530 +- hid_err(hid, "not enough fields in report\n");
3531 +- return -ENODEV;
3532 +- }
3533 +
3534 + zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL);
3535 + if (!zpff)
3536 +diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c
3537 +index fc307e0..2b255e8 100644
3538 +--- a/drivers/hid/uhid.c
3539 ++++ b/drivers/hid/uhid.c
3540 +@@ -47,7 +47,7 @@ struct uhid_device {
3541 + struct mutex report_lock;
3542 + wait_queue_head_t report_wait;
3543 + atomic_t report_done;
3544 +- atomic_t report_id;
3545 ++ atomic_unchecked_t report_id;
3546 + struct uhid_event report_buf;
3547 + };
3548 +
3549 +@@ -187,7 +187,7 @@ static int uhid_hid_get_raw(struct hid_device *hid, unsigned char rnum,
3550 +
3551 + spin_lock_irqsave(&uhid->qlock, flags);
3552 + ev->type = UHID_FEATURE;
3553 +- ev->u.feature.id = atomic_inc_return(&uhid->report_id);
3554 ++ ev->u.feature.id = atomic_inc_return_unchecked(&uhid->report_id);
3555 + ev->u.feature.rnum = rnum;
3556 + ev->u.feature.rtype = report_type;
3557 +
3558 +@@ -471,7 +471,7 @@ static int uhid_dev_feature_answer(struct uhid_device *uhid,
3559 + spin_lock_irqsave(&uhid->qlock, flags);
3560 +
3561 + /* id for old report; drop it silently */
3562 +- if (atomic_read(&uhid->report_id) != ev->u.feature_answer.id)
3563 ++ if (atomic_read_unchecked(&uhid->report_id) != ev->u.feature_answer.id)
3564 + goto unlock;
3565 + if (atomic_read(&uhid->report_done))
3566 + goto unlock;
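Review bot: Switching `report_id` to `atomic_unchecked_t` opts the counter out of PaX refcount overflow detection, and nothing in uhid.c says why that is safe. The uses visible here are an `atomic_inc_return_unchecked` to mint a request id and an equality compare against `ev->u.feature_answer.id` in `uhid_dev_feature_answer`, so wrap-around is presumably harmless; say so at the field: `atomic_unchecked_t report_id; /* request id for feature answers, not a refcount: wraps harmlessly */`. The enclosing functions extend outside the hunk.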
3567 diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
3568 index 0b122f8..b1d8160 100644
3569 --- a/drivers/hv/channel.c
3570 @@ -39908,6 +41303,19 @@ index 600c79b..3752bab 100644
3571 tty_port_tty_set(&cs->port, NULL);
3572
3573 mutex_unlock(&cs->mutex);
3574 +diff --git a/drivers/isdn/gigaset/usb-gigaset.c b/drivers/isdn/gigaset/usb-gigaset.c
3575 +index d0a41cb..f0cdb8c 100644
3576 +--- a/drivers/isdn/gigaset/usb-gigaset.c
3577 ++++ b/drivers/isdn/gigaset/usb-gigaset.c
3578 +@@ -547,7 +547,7 @@ static int gigaset_brkchars(struct cardstate *cs, const unsigned char buf[6])
3579 + gigaset_dbg_buffer(DEBUG_USBREQ, "brkchars", 6, buf);
3580 + memcpy(cs->hw.usb->bchars, buf, 6);
3581 + return usb_control_msg(udev, usb_sndctrlpipe(udev, 0), 0x19, 0x41,
3582 +- 0, 0, &buf, 6, 2000);
3583 ++ 0, 0, buf, 6, 2000);
3584 + }
3585 +
3586 + static void gigaset_freebcshw(struct bc_state *bcs)
3587 diff --git a/drivers/isdn/hardware/avm/b1.c b/drivers/isdn/hardware/avm/b1.c
3588 index 4d9b195..455075c 100644
3589 --- a/drivers/isdn/hardware/avm/b1.c
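Review bot: Passing the caller's `buf` to usb_control_msg on the new line still hands the USB core a buffer the caller may have placed on the stack, and USB control transfers need DMA-capable (kmalloc'd) memory. The memcpy two lines above already copies the six bytes into `cs->hw.usb->bchars`, which presumably lives in heap-allocated per-device state, so `0, 0, cs->hw.usb->bchars, 6, 2000);` would be the safer argument. The removed `&buf` (which sent the bytes of the pointer itself) was the real bug and this hunk fixes it; this is a follow-up, and gigaset_brkchars's callers are outside the hunk.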
3590 @@ -39930,6 +41338,19 @@ index 4d9b195..455075c 100644
3591 return -EFAULT;
3592 } else {
3593 memcpy(buf, dp, left);
3594 +diff --git a/drivers/isdn/i4l/isdn_common.c b/drivers/isdn/i4l/isdn_common.c
3595 +index 9bb12ba..d4262f7 100644
3596 +--- a/drivers/isdn/i4l/isdn_common.c
3597 ++++ b/drivers/isdn/i4l/isdn_common.c
3598 +@@ -1651,6 +1651,8 @@ isdn_ioctl(struct file *file, uint cmd, ulong arg)
3599 + } else
3600 + return -EINVAL;
3601 + case IIOCDBGVAR:
3602 ++ if (!capable(CAP_SYS_RAWIO))
3603 ++ return -EPERM;
3604 + if (arg) {
3605 + if (copy_to_user(argp, &dev, sizeof(ulong)))
3606 + return -EFAULT;
3607 diff --git a/drivers/isdn/i4l/isdn_tty.c b/drivers/isdn/i4l/isdn_tty.c
3608 index 3c5f249..5fac4d0 100644
3609 --- a/drivers/isdn/i4l/isdn_tty.c
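Review bot: The new CAP_SYS_RAWIO gate is the right control for IIOCDBGVAR, but nothing at the site says why a debug ioctl needs it: the `copy_to_user(argp, &dev, sizeof(ulong))` just below hands userspace the kernel address of `dev`, exactly the kind of pointer kptr_restrict exists to hide. A one-line comment keeps that intent alive through the next refactor: `/* IIOCDBGVAR exposes a kernel address; restrict to CAP_SYS_RAWIO */`. The enclosing switch in isdn_ioctl continues outside the hunk.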
3610 @@ -42807,6 +44228,22 @@ index ae30343..a117806 100644
3611
3612 struct ath_nf_limits {
3613 s16 max;
3614 +diff --git a/drivers/net/wireless/hostap/hostap_ioctl.c b/drivers/net/wireless/hostap/hostap_ioctl.c
3615 +index ac07473..e509030 100644
3616 +--- a/drivers/net/wireless/hostap/hostap_ioctl.c
3617 ++++ b/drivers/net/wireless/hostap/hostap_ioctl.c
3618 +@@ -523,9 +523,9 @@ static int prism2_ioctl_giwaplist(struct net_device *dev,
3619 +
3620 + data->length = prism2_ap_get_sta_qual(local, addr, qual, IW_MAX_AP, 1);
3621 +
3622 +- memcpy(extra, &addr, sizeof(struct sockaddr) * data->length);
3623 ++ memcpy(extra, addr, sizeof(struct sockaddr) * data->length);
3624 + data->flags = 1; /* has quality information */
3625 +- memcpy(extra + sizeof(struct sockaddr) * data->length, &qual,
3626 ++ memcpy(extra + sizeof(struct sockaddr) * data->length, qual,
3627 + sizeof(struct iw_quality) * data->length);
3628 +
3629 + kfree(addr);
3630 diff --git a/drivers/net/wireless/iwlegacy/3945-mac.c b/drivers/net/wireless/iwlegacy/3945-mac.c
3631 index b37a582..680835d 100644
3632 --- a/drivers/net/wireless/iwlegacy/3945-mac.c
3633 @@ -46639,6 +48076,29 @@ index d53547d..6a22d02 100644
3634 if (atomic_read(&urb->reject))
3635 wake_up(&usb_kill_urb_queue);
3636 usb_put_urb(urb);
3637 +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
3638 +index da2905a..834a569 100644
3639 +--- a/drivers/usb/core/hub.c
3640 ++++ b/drivers/usb/core/hub.c
3641 +@@ -27,6 +27,7 @@
3642 + #include <linux/freezer.h>
3643 + #include <linux/random.h>
3644 + #include <linux/pm_qos.h>
3645 ++#include <linux/grsecurity.h>
3646 +
3647 + #include <asm/uaccess.h>
3648 + #include <asm/byteorder.h>
3649 +@@ -4424,6 +4425,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
3650 + goto done;
3651 + return;
3652 + }
3653 ++
3654 ++ if (gr_handle_new_usb())
3655 ++ goto done;
3656 ++
3657 + if (hub_is_superspeed(hub->hdev))
3658 + unit_load = 150;
3659 + else
3660 diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
3661 index 444d30e..f15c850 100644
3662 --- a/drivers/usb/core/message.c
3663 @@ -46678,6 +48138,19 @@ index b10da72..43aa0b2 100644
3664
3665 INIT_LIST_HEAD(&dev->ep0.urb_list);
3666 dev->ep0.desc.bLength = USB_DT_ENDPOINT_SIZE;
3667 +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
3668 +index f77083f..f3e2e34 100644
3669 +--- a/drivers/usb/dwc3/gadget.c
3670 ++++ b/drivers/usb/dwc3/gadget.c
3671 +@@ -550,8 +550,6 @@ static int __dwc3_gadget_ep_enable(struct dwc3_ep *dep,
3672 + if (!usb_endpoint_xfer_isoc(desc))
3673 + return 0;
3674 +
3675 +- memset(&trb_link, 0, sizeof(trb_link));
3676 +-
3677 + /* Link TRB for ISOC. The HWO bit is never reset */
3678 + trb_st_hw = &dep->trb_pool[0];
3679 +
3680 diff --git a/drivers/usb/early/ehci-dbgp.c b/drivers/usb/early/ehci-dbgp.c
3681 index 5e29dde..eca992f 100644
3682 --- a/drivers/usb/early/ehci-dbgp.c
3683 @@ -50272,6 +51745,19 @@ index 88714ae..16c2e11 100644
3684
3685
3686 static inline u32 get_pll_internal_frequency(u32 ref_freq,
3687 +diff --git a/drivers/xen/events.c b/drivers/xen/events.c
3688 +index 6a6bbe4..c733886 100644
3689 +--- a/drivers/xen/events.c
3690 ++++ b/drivers/xen/events.c
3691 +@@ -346,7 +346,7 @@ static void init_evtchn_cpu_bindings(void)
3692 +
3693 + for_each_possible_cpu(i)
3694 + memset(per_cpu(cpu_evtchn_mask, i),
3695 +- (i == 0) ? ~0 : 0, sizeof(*per_cpu(cpu_evtchn_mask, i)));
3696 ++ (i == 0) ? ~0 : 0, NR_EVENT_CHANNELS/8);
3697 + }
3698 +
3699 + static inline void clear_evtchn(int port)
3700 diff --git a/drivers/xen/xenfs/xenstored.c b/drivers/xen/xenfs/xenstored.c
3701 index fef20db..d28b1ab 100644
3702 --- a/drivers/xen/xenfs/xenstored.c
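Review bot: The replacement size `NR_EVENT_CHANNELS/8` is a magic expression that must be kept in sync with the declaration of cpu_evtchn_mask by hand. If cpu_evtchn_mask is a per-cpu array (passing `per_cpu(cpu_evtchn_mask, i)` straight to memset suggests it is), then `sizeof(per_cpu(cpu_evtchn_mask, i))` — without the dereference the old line had, which measured only one element — yields the same byte count and follows the declaration if it changes. The body of init_evtchn_cpu_bindings starts outside the hunk.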
3703 @@ -51538,10 +53024,38 @@ index d50bbe5..af3b649 100644
3704 goto err;
3705 }
3706 diff --git a/fs/bio.c b/fs/bio.c
3707 -index 94bbc04..6fe78a4 100644
3708 +index 94bbc04..599e3cf 100644
3709 --- a/fs/bio.c
3710 +++ b/fs/bio.c
3711 -@@ -1096,7 +1096,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
3712 +@@ -1045,12 +1045,22 @@ static int __bio_copy_iov(struct bio *bio, struct bio_vec *iovecs,
3713 + int bio_uncopy_user(struct bio *bio)
3714 + {
3715 + struct bio_map_data *bmd = bio->bi_private;
3716 +- int ret = 0;
3717 ++ struct bio_vec *bvec;
3718 ++ int ret = 0, i;
3719 +
3720 +- if (!bio_flagged(bio, BIO_NULL_MAPPED))
3721 +- ret = __bio_copy_iov(bio, bmd->iovecs, bmd->sgvecs,
3722 +- bmd->nr_sgvecs, bio_data_dir(bio) == READ,
3723 +- 0, bmd->is_our_pages);
3724 ++ if (!bio_flagged(bio, BIO_NULL_MAPPED)) {
3725 ++ /*
3726 ++ * if we're in a workqueue, the request is orphaned, so
3727 ++ * don't copy into a random user address space, just free.
3728 ++ */
3729 ++ if (current->mm)
3730 ++ ret = __bio_copy_iov(bio, bmd->iovecs, bmd->sgvecs,
3731 ++ bmd->nr_sgvecs, bio_data_dir(bio) == READ,
3732 ++ 0, bmd->is_our_pages);
3733 ++ else if (bmd->is_our_pages)
3734 ++ bio_for_each_segment_all(bvec, bio, i)
3735 ++ __free_page(bvec->bv_page);
3736 ++ }
3737 + bio_free_map_data(bmd);
3738 + bio_put(bio);
3739 + return ret;
3740 +@@ -1096,7 +1106,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
3741 /*
3742 * Overflow, abort
3743 */
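Review bot: The new comment says "if we're in a workqueue", but the condition actually tested is `current->mm`, which is NULL for any kernel thread, and in that branch the data read for the request is discarded while `ret` stays 0, so the caller cannot tell. Saying so explicitly keeps the next reader from "correcting" the test; something like `/* No user mm (kernel thread, e.g. a workqueue): the request is orphaned, so never copy into whatever mm happens to be current; free our pages and report success. */` covers both points. bio_uncopy_user is fully visible here, but its callers are not.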
3744 @@ -51550,7 +53064,7 @@ index 94bbc04..6fe78a4 100644
3745 return ERR_PTR(-EINVAL);
3746
3747 nr_pages += end - start;
3748 -@@ -1230,7 +1230,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
3749 +@@ -1230,7 +1240,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
3750 /*
3751 * Overflow, abort
3752 */
3753 @@ -51559,7 +53073,7 @@ index 94bbc04..6fe78a4 100644
3754 return ERR_PTR(-EINVAL);
3755
3756 nr_pages += end - start;
3757 -@@ -1492,7 +1492,7 @@ static void bio_copy_kern_endio(struct bio *bio, int err)
3758 +@@ -1492,7 +1502,7 @@ static void bio_copy_kern_endio(struct bio *bio, int err)
3759 const int read = bio_data_dir(bio) == READ;
3760 struct bio_map_data *bmd = bio->bi_private;
3761 int i;
3762 @@ -56560,9 +58074,18 @@ index aa411c3..c260a84 100644
3763 "inode 0x%lx or driver bug.", vdir->i_ino);
3764 goto err_out;
3765 diff --git a/fs/ntfs/file.c b/fs/ntfs/file.c
3766 -index c5670b8..01a3656 100644
3767 +index c5670b8..2b43d9b 100644
3768 --- a/fs/ntfs/file.c
3769 +++ b/fs/ntfs/file.c
3770 +@@ -1282,7 +1282,7 @@ static inline size_t ntfs_copy_from_user(struct page **pages,
3771 + char *addr;
3772 + size_t total = 0;
3773 + unsigned len;
3774 +- int left;
3775 ++ unsigned left;
3776 +
3777 + do {
3778 + len = PAGE_CACHE_SIZE - ofs;
3779 @@ -2241,6 +2241,6 @@ const struct inode_operations ntfs_file_inode_ops = {
3780 #endif /* NTFS_RW */
3781 };
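Review bot: `left` is narrowed to `unsigned` here, whereas the sibling hunks fixing the same int-vs-unsigned-long mismatch choose `unsigned long` in kernel/futex.c and `size_t` in mm/filemap.c. If `left` receives the return of `__copy_from_user_inatomic` as in those sites (the assignment is below the hunk), `unsigned long left;` matches the callee's return type and removes a 64-bit narrowing that is safe only because the copy is bounded by `len`. The body of ntfs_copy_from_user continues outside the hunk.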
3782 @@ -59456,10 +60979,10 @@ index ca9ecaa..60100c7 100644
3783 kfree(s);
3784 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
3785 new file mode 100644
3786 -index 0000000..712a85d
3787 +index 0000000..76e84b9
3788 --- /dev/null
3789 +++ b/grsecurity/Kconfig
3790 -@@ -0,0 +1,1043 @@
3791 +@@ -0,0 +1,1063 @@
3792 +#
3793 +# grecurity configuration
3794 +#
3795 @@ -60431,6 +61954,26 @@ index 0000000..712a85d
3796 + option with name "socket_server_gid" is created.
3797 +
3798 +endmenu
3799 ++
3800 ++menu "Physical Protections"
3801 ++depends on GRKERNSEC
3802 ++
3803 ++config GRKERNSEC_DENYUSB
3804 ++ bool "Deny new USB connections after toggle"
3805 ++ default y if GRKERNSEC_CONFIG_AUTO
3806 ++ help
3807 ++ If you say Y here, a new sysctl option with name "deny_new_usb"
3808 ++ will be created. Setting its value to 1 will prevent any new
3809 ++ USB devices from being recognized by the OS. Any attempted USB
3810 ++ device insertion will be logged. This option is intended to be
3811 ++ used against custom USB devices designed to exploit vulnerabilities
3812 ++ in various USB device drivers.
3813 ++
3814 ++ For greatest effectiveness, this sysctl should be set after any
3815 ++ relevant init scripts. Once set, it cannot be unset.
3816 ++
3817 ++endmenu
3818 ++
3819 +menu "Sysctl Support"
3820 +depends on GRKERNSEC && SYSCTL
3821 +
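Review bot: The help text does not state the sysctl's initial value or which devices the toggle affects, and an administrator setting it from an init script needs both. Two sentences would cover it: `The sysctl defaults to 0. Devices already enumerated are unaffected; the check runs when a hub port reports a new connection, so a device that re-enumerates after a port reset or resume counts as new.` The second claim follows from where drivers/usb/core/hub.c calls gr_handle_new_usb and should be confirmed against the resume path before it is written down.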
3822 @@ -60505,10 +62048,10 @@ index 0000000..712a85d
3823 +endmenu
3824 diff --git a/grsecurity/Makefile b/grsecurity/Makefile
3825 new file mode 100644
3826 -index 0000000..36845aa
3827 +index 0000000..b0b77d5
3828 --- /dev/null
3829 +++ b/grsecurity/Makefile
3830 -@@ -0,0 +1,42 @@
3831 +@@ -0,0 +1,43 @@
3832 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
3833 +# during 2001-2009 it has been completely redesigned by Brad Spengler
3834 +# into an RBAC system
3835 @@ -60521,7 +62064,8 @@ index 0000000..36845aa
3836 +
3837 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
3838 + grsec_mount.o grsec_sig.o grsec_sysctl.o \
3839 -+ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
3840 ++ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o \
3841 ++ grsec_usb.o
3842 +
3843 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
3844 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
3845 @@ -67806,10 +69350,10 @@ index 0000000..8ca18bf
3846 +}
3847 diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c
3848 new file mode 100644
3849 -index 0000000..ab2d875
3850 +index 0000000..836f38f
3851 --- /dev/null
3852 +++ b/grsecurity/grsec_init.c
3853 -@@ -0,0 +1,279 @@
3854 +@@ -0,0 +1,280 @@
3855 +#include <linux/kernel.h>
3856 +#include <linux/sched.h>
3857 +#include <linux/mm.h>
3858 @@ -67838,6 +69382,7 @@ index 0000000..ab2d875
3859 +int grsec_enable_chdir;
3860 +int grsec_enable_mount;
3861 +int grsec_enable_rofs;
3862 ++int grsec_deny_new_usb;
3863 +int grsec_enable_chroot_findtask;
3864 +int grsec_enable_chroot_mount;
3865 +int grsec_enable_chroot_shmat;
3866 @@ -69205,10 +70750,10 @@ index 0000000..4030d57
3867 +}
3868 diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c
3869 new file mode 100644
3870 -index 0000000..7624d1c
3871 +index 0000000..301c665
3872 --- /dev/null
3873 +++ b/grsecurity/grsec_sysctl.c
3874 -@@ -0,0 +1,460 @@
3875 +@@ -0,0 +1,471 @@
3876 +#include <linux/kernel.h>
3877 +#include <linux/sched.h>
3878 +#include <linux/sysctl.h>
3879 @@ -69666,6 +71211,17 @@ index 0000000..7624d1c
3880 + .extra2 = &one,
3881 + },
3882 +#endif
3883 ++#ifdef CONFIG_GRKERNSEC_DENYUSB
3884 ++ {
3885 ++ .procname = "deny_new_usb",
3886 ++ .data = &grsec_deny_new_usb,
3887 ++ .maxlen = sizeof(int),
3888 ++ .mode = 0600,
3889 ++ .proc_handler = &proc_dointvec_minmax,
3890 ++ .extra1 = &one,
3891 ++ .extra2 = &one,
3892 ++ },
3893 ++#endif
3894 + { }
3895 +};
3896 +#endif
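Review bot: The `deny_new_usb` entry uses `.extra1 = &one` and `.extra2 = &one`, which is what makes the switch write-once (writing 0 fails with -EINVAL), but nothing at the table says so and a later reader may "fix" the range to 0..1. A one-line comment pins the intent: `/* min == max == 1: once set, deny_new_usb cannot be cleared (see Kconfig) */`. The 0600 mode keeps the toggle root-only, which matches its purpose.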
3897 @@ -69770,6 +71326,27 @@ index 0000000..ee57dcf
3898 +#endif
3899 + return 1;
3900 +}
3901 +diff --git a/grsecurity/grsec_usb.c b/grsecurity/grsec_usb.c
3902 +new file mode 100644
3903 +index 0000000..ae02d8e
3904 +--- /dev/null
3905 ++++ b/grsecurity/grsec_usb.c
3906 +@@ -0,0 +1,15 @@
3907 ++#include <linux/kernel.h>
3908 ++#include <linux/grinternal.h>
3909 ++#include <linux/module.h>
3910 ++
3911 ++int gr_handle_new_usb(void)
3912 ++{
3913 ++#ifdef CONFIG_GRKERNSEC_DENYUSB
3914 ++ if (grsec_deny_new_usb) {
3915 ++ printk(KERN_ALERT "grsec: denied insert of new USB device\n");
3916 ++ return 1;
3917 ++ }
3918 ++#endif
3919 ++ return 0;
3920 ++}
3921 ++EXPORT_SYMBOL_GPL(gr_handle_new_usb);
3922 diff --git a/grsecurity/grsum.c b/grsecurity/grsum.c
3923 new file mode 100644
3924 index 0000000..9f7b1ac
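Review bot: gr_handle_new_usb logs with a bare `printk(KERN_ALERT ...)` and no device or port identity, so a device that toggles its connection in a loop can flood the log, and an operator reading the alert cannot tell which hub port produced it. `printk_ratelimited(KERN_ALERT "grsec: denied insert of new USB device\n");` bounds the volume; passing the hub device and `port1` from the caller in drivers/usb/core/hub.c (both in scope at the call site) and printing the device name and port would make the alert actionable, at the cost of changing the prototype in include/linux/grsecurity.h as well. Whether the denied port is powered down afterwards depends on the `done:` path of hub_port_connect_change, which is outside that hunk.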
3925 @@ -72156,10 +73733,10 @@ index 0000000..be66033
3926 +#endif
3927 diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h
3928 new file mode 100644
3929 -index 0000000..fd8598b
3930 +index 0000000..e337683
3931 --- /dev/null
3932 +++ b/include/linux/grinternal.h
3933 -@@ -0,0 +1,228 @@
3934 +@@ -0,0 +1,229 @@
3935 +#ifndef __GRINTERNAL_H
3936 +#define __GRINTERNAL_H
3937 +
3938 @@ -72208,6 +73785,7 @@ index 0000000..fd8598b
3939 +extern int grsec_enable_forkfail;
3940 +extern int grsec_enable_time;
3941 +extern int grsec_enable_rofs;
3942 ++extern int grsec_deny_new_usb;
3943 +extern int grsec_enable_chroot_shmat;
3944 +extern int grsec_enable_chroot_mount;
3945 +extern int grsec_enable_chroot_double;
3946 @@ -72509,10 +74087,10 @@ index 0000000..a4396b5
3947 +#define GR_BRUTE_SUID_MSG "bruteforce prevention initiated due to crash of %.950s against uid %u, banning suid/sgid execs for %u minutes. Please investigate the crash report for "
3948 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
3949 new file mode 100644
3950 -index 0000000..3676b0b
3951 +index 0000000..d6f5a21
3952 --- /dev/null
3953 +++ b/include/linux/grsecurity.h
3954 -@@ -0,0 +1,242 @@
3955 +@@ -0,0 +1,244 @@
3956 +#ifndef GR_SECURITY_H
3957 +#define GR_SECURITY_H
3958 +#include <linux/fs.h>
3959 @@ -72534,6 +74112,8 @@ index 0000000..3676b0b
3960 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
3961 +#endif
3962 +
3963 ++int gr_handle_new_usb(void);
3964 ++
3965 +void gr_handle_brute_attach(unsigned long mm_flags);
3966 +void gr_handle_brute_check(void);
3967 +void gr_handle_kernel_exploit(void);
3968 @@ -72780,6 +74360,35 @@ index 0000000..e7ffaaf
3969 + const int protocol);
3970 +
3971 +#endif
3972 +diff --git a/include/linux/hid.h b/include/linux/hid.h
3973 +index 0c48991..76e41d8 100644
3974 +--- a/include/linux/hid.h
3975 ++++ b/include/linux/hid.h
3976 +@@ -393,10 +393,12 @@ struct hid_report {
3977 + struct hid_device *device; /* associated device */
3978 + };
3979 +
3980 ++#define HID_MAX_IDS 256
3981 ++
3982 + struct hid_report_enum {
3983 + unsigned numbered;
3984 + struct list_head report_list;
3985 +- struct hid_report *report_id_hash[256];
3986 ++ struct hid_report *report_id_hash[HID_MAX_IDS];
3987 + };
3988 +
3989 + #define HID_REPORT_TYPES 3
3990 +@@ -747,6 +749,10 @@ void hid_output_report(struct hid_report *report, __u8 *data);
3991 + struct hid_device *hid_allocate_device(void);
3992 + struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id);
3993 + int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size);
3994 ++struct hid_report *hid_validate_report(struct hid_device *hid,
3995 ++ unsigned int type, unsigned int id,
3996 ++ unsigned int fields,
3997 ++ unsigned int report_counts);
3998 + int hid_open_report(struct hid_device *device);
3999 + int hid_check_keys_pressed(struct hid_device *hid);
4000 + int hid_connect(struct hid_device *hid, unsigned int connect_mask);
4001 diff --git a/include/linux/highmem.h b/include/linux/highmem.h
4002 index 7fb31da..08b5114 100644
4003 --- a/include/linux/highmem.h
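Review bot: The new `hid_validate_report` prototype carries no contract: a driver author cannot tell from the header what `fields` and `report_counts` bound, whether the function returns NULL or the matching report on failure, or whether it logs. A kernel-doc block above the declaration stating the checked bounds and the return value would make it usable without reading its definition, which is outside this hunk. Replacing the bare 256 in report_id_hash with `HID_MAX_IDS` is good; a short comment on the define noting that HID report IDs are a single byte would explain the value.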
4004 @@ -78484,7 +80093,7 @@ index e76e495..cbfe63a 100644
4005
4006 /*
4007 diff --git a/kernel/events/internal.h b/kernel/events/internal.h
4008 -index ca65997..cc8cee4 100644
4009 +index ca65997..60df03d 100644
4010 --- a/kernel/events/internal.h
4011 +++ b/kernel/events/internal.h
4012 @@ -81,10 +81,10 @@ static inline unsigned long perf_data_size(struct ring_buffer *rb)
4013 @@ -78492,11 +80101,12 @@ index ca65997..cc8cee4 100644
4014 }
4015
4016 -#define DEFINE_OUTPUT_COPY(func_name, memcpy_func) \
4017 +-static inline unsigned int \
4018 +#define DEFINE_OUTPUT_COPY(func_name, memcpy_func, user) \
4019 - static inline unsigned int \
4020 ++static inline unsigned long \
4021 func_name(struct perf_output_handle *handle, \
4022 - const void *buf, unsigned int len) \
4023 -+ const void user *buf, unsigned int len) \
4024 ++ const void user *buf, unsigned long len) \
4025 { \
4026 unsigned long size, written; \
4027 \
4028 @@ -78521,6 +80131,19 @@ index ca65997..cc8cee4 100644
4029
4030 /* Callchain handling */
4031 extern struct perf_callchain_entry *
4032 +diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
4033 +index f356974..cb8c570 100644
4034 +--- a/kernel/events/uprobes.c
4035 ++++ b/kernel/events/uprobes.c
4036 +@@ -1556,7 +1556,7 @@ static int is_trap_at_addr(struct mm_struct *mm, unsigned long vaddr)
4037 + {
4038 + struct page *page;
4039 + uprobe_opcode_t opcode;
4040 +- int result;
4041 ++ long result;
4042 +
4043 + pagefault_disable();
4044 + result = __copy_from_user_inatomic(&opcode, (void __user*)vaddr,
4045 diff --git a/kernel/exit.c b/kernel/exit.c
4046 index 7bb73f9..d7978ed 100644
4047 --- a/kernel/exit.c
4048 @@ -78906,7 +80529,7 @@ index ffbc090..08ceeee 100644
4049 else
4050 new_fs = fs;
4051 diff --git a/kernel/futex.c b/kernel/futex.c
4052 -index 49dacfb..5c6b450 100644
4053 +index 49dacfb..2ac4526 100644
4054 --- a/kernel/futex.c
4055 +++ b/kernel/futex.c
4056 @@ -54,6 +54,7 @@
4057 @@ -78929,6 +80552,15 @@ index 49dacfb..5c6b450 100644
4058 /*
4059 * The futex address must be "naturally" aligned.
4060 */
4061 +@@ -440,7 +446,7 @@ static int cmpxchg_futex_value_locked(u32 *curval, u32 __user *uaddr,
4062 +
4063 + static int get_futex_value_locked(u32 *dest, u32 __user *from)
4064 + {
4065 +- int ret;
4066 ++ unsigned long ret;
4067 +
4068 + pagefault_disable();
4069 + ret = __copy_from_user_inatomic(dest, from, sizeof(u32));
4070 @@ -2733,6 +2739,7 @@ static int __init futex_init(void)
4071 {
4072 u32 curval;
4073 @@ -84210,7 +85842,7 @@ index 5025174..9d67dcd 100644
4074 bdi_destroy(bdi);
4075 return err;
4076 diff --git a/mm/filemap.c b/mm/filemap.c
4077 -index 7905fe7..e60faa8 100644
4078 +index 7905fe7..f59502b 100644
4079 --- a/mm/filemap.c
4080 +++ b/mm/filemap.c
4081 @@ -1766,7 +1766,7 @@ int generic_file_mmap(struct file * file, struct vm_area_struct * vma)
4082 @@ -84222,6 +85854,42 @@ index 7905fe7..e60faa8 100644
4083 file_accessed(file);
4084 vma->vm_ops = &generic_file_vm_ops;
4085 return 0;
4086 +@@ -1948,7 +1948,7 @@ static size_t __iovec_copy_from_user_inatomic(char *vaddr,
4087 +
4088 + while (bytes) {
4089 + char __user *buf = iov->iov_base + base;
4090 +- int copy = min(bytes, iov->iov_len - base);
4091 ++ size_t copy = min(bytes, iov->iov_len - base);
4092 +
4093 + base = 0;
4094 + left = __copy_from_user_inatomic(vaddr, buf, copy);
4095 +@@ -1977,7 +1977,7 @@ size_t iov_iter_copy_from_user_atomic(struct page *page,
4096 + BUG_ON(!in_atomic());
4097 + kaddr = kmap_atomic(page);
4098 + if (likely(i->nr_segs == 1)) {
4099 +- int left;
4100 ++ size_t left;
4101 + char __user *buf = i->iov->iov_base + i->iov_offset;
4102 + left = __copy_from_user_inatomic(kaddr + offset, buf, bytes);
4103 + copied = bytes - left;
4104 +@@ -2005,7 +2005,7 @@ size_t iov_iter_copy_from_user(struct page *page,
4105 +
4106 + kaddr = kmap(page);
4107 + if (likely(i->nr_segs == 1)) {
4108 +- int left;
4109 ++ size_t left;
4110 + char __user *buf = i->iov->iov_base + i->iov_offset;
4111 + left = __copy_from_user(kaddr + offset, buf, bytes);
4112 + copied = bytes - left;
4113 +@@ -2035,7 +2035,7 @@ void iov_iter_advance(struct iov_iter *i, size_t bytes)
4114 + * zero-length segments (without overruning the iovec).
4115 + */
4116 + while (bytes || unlikely(i->count && !iov->iov_len)) {
4117 +- int copy;
4118 ++ size_t copy;
4119 +
4120 + copy = min(bytes, iov->iov_len - base);
4121 + BUG_ON(!i->count || i->count < copy);
4122 @@ -2106,6 +2106,7 @@ inline int generic_write_checks(struct file *file, loff_t *pos, size_t *count, i
4123 *pos = i_size_read(inode);
4124
4125 @@ -90212,9 +91880,18 @@ index a08bd2b..c59bd7c 100644
4126 if (extfilt)
4127 filter_mask = nla_get_u32(extfilt);
4128 diff --git a/net/core/scm.c b/net/core/scm.c
4129 -index 03795d0..eaf7368 100644
4130 +index 03795d0..98d6bdb 100644
4131 --- a/net/core/scm.c
4132 +++ b/net/core/scm.c
4133 +@@ -54,7 +54,7 @@ static __inline__ int scm_check_creds(struct ucred *creds)
4134 + return -EINVAL;
4135 +
4136 + if ((creds->pid == task_tgid_vnr(current) ||
4137 +- ns_capable(current->nsproxy->pid_ns->user_ns, CAP_SYS_ADMIN)) &&
4138 ++ ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
4139 + ((uid_eq(uid, cred->uid) || uid_eq(uid, cred->euid) ||
4140 + uid_eq(uid, cred->suid)) || nsown_capable(CAP_SETUID)) &&
4141 + ((gid_eq(gid, cred->gid) || gid_eq(gid, cred->egid) ||
4142 @@ -210,7 +210,7 @@ EXPORT_SYMBOL(__scm_send);
4143 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
4144 {
4145 @@ -90526,6 +92203,19 @@ index a55eecc..dd8428c 100644
4146 return -EFAULT;
4147
4148 *lenp = len;
4149 +diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
4150 +index 55e1fd5..fd602b8 100644
4151 +--- a/net/ieee802154/6lowpan.c
4152 ++++ b/net/ieee802154/6lowpan.c
4153 +@@ -459,7 +459,7 @@ static int lowpan_header_create(struct sk_buff *skb,
4154 + hc06_ptr += 3;
4155 + } else {
4156 + /* compress nothing */
4157 +- memcpy(hc06_ptr, &hdr, 4);
4158 ++ memcpy(hc06_ptr, hdr, 4);
4159 + /* replace the top byte with new ECN | DSCP format */
4160 + *hc06_ptr = tmp;
4161 + hc06_ptr += 4;
4162 diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
4163 index d01be2a..8976537 100644
4164 --- a/net/ipv4/af_inet.c
4165 @@ -91688,7 +93378,7 @@ index 9a459be..086b866 100644
4166 return -ENOMEM;
4167 }
4168 diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
4169 -index fb8c94c..fb18024 100644
4170 +index fb8c94c..80a31d8 100644
4171 --- a/net/ipv6/addrconf.c
4172 +++ b/net/ipv6/addrconf.c
4173 @@ -621,7 +621,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb,
4174 @@ -91700,7 +93390,24 @@ index fb8c94c..fb18024 100644
4175 net->dev_base_seq;
4176 hlist_for_each_entry_rcu(dev, head, index_hlist) {
4177 if (idx < s_idx)
4178 -@@ -2380,7 +2380,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
4179 +@@ -1124,12 +1124,10 @@ retry:
4180 + if (ifp->flags & IFA_F_OPTIMISTIC)
4181 + addr_flags |= IFA_F_OPTIMISTIC;
4182 +
4183 +- ift = !max_addresses ||
4184 +- ipv6_count_addresses(idev) < max_addresses ?
4185 +- ipv6_add_addr(idev, &addr, tmp_plen,
4186 +- ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
4187 +- addr_flags) : NULL;
4188 +- if (IS_ERR_OR_NULL(ift)) {
4189 ++ ift = ipv6_add_addr(idev, &addr, tmp_plen,
4190 ++ ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
4191 ++ addr_flags);
4192 ++ if (IS_ERR(ift)) {
4193 + in6_ifa_put(ifp);
4194 + in6_dev_put(idev);
4195 + pr_info("%s: retry temporary address regeneration\n", __func__);
4196 +@@ -2380,7 +2378,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
4197 p.iph.ihl = 5;
4198 p.iph.protocol = IPPROTO_IPV6;
4199 p.iph.ttl = 64;
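Review bot: The new code drops the `max_addresses` bound from temporary-address regeneration and checks only `IS_ERR(ift)`, but leaves no explanation of why the cap no longer applies at this site, so a later reader may reinstate it. If the reasoning is that the cap let a remote address flood starve privacy addresses, or that ipv6_add_addr enforces the limit itself, a comment above the call should say so, e.g. `/* no max_addresses check here: temporary addresses are regenerated regardless of the count; see ipv6_add_addr */`. That wording is a guess on my part; the retry loop and the limit's other users are outside the hunk.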
4200 @@ -91709,7 +93416,7 @@ index fb8c94c..fb18024 100644
4201
4202 if (ops->ndo_do_ioctl) {
4203 mm_segment_t oldfs = get_fs();
4204 -@@ -4002,7 +4002,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb,
4205 +@@ -4002,7 +4000,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb,
4206 s_ip_idx = ip_idx = cb->args[2];
4207
4208 rcu_read_lock();
4209 @@ -91718,7 +93425,7 @@ index fb8c94c..fb18024 100644
4210 for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {
4211 idx = 0;
4212 head = &net->dev_index_head[h];
4213 -@@ -4587,7 +4587,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
4214 +@@ -4587,7 +4585,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
4215 dst_free(&ifp->rt->dst);
4216 break;
4217 }
4218 @@ -91727,7 +93434,7 @@ index fb8c94c..fb18024 100644
4219 }
4220
4221 static void ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
4222 -@@ -4607,7 +4607,7 @@ int addrconf_sysctl_forward(ctl_table *ctl, int write,
4223 +@@ -4607,7 +4605,7 @@ int addrconf_sysctl_forward(ctl_table *ctl, int write,
4224 int *valp = ctl->data;
4225 int val = *valp;
4226 loff_t pos = *ppos;
4227 @@ -91736,7 +93443,7 @@ index fb8c94c..fb18024 100644
4228 int ret;
4229
4230 /*
4231 -@@ -4689,7 +4689,7 @@ int addrconf_sysctl_disable(ctl_table *ctl, int write,
4232 +@@ -4689,7 +4687,7 @@ int addrconf_sysctl_disable(ctl_table *ctl, int write,
4233 int *valp = ctl->data;
4234 int val = *valp;
4235 loff_t pos = *ppos;
4236 @@ -91938,9 +93645,18 @@ index dffdc1a..ccc6678 100644
4237 return -ENOMEM;
4238 }
4239 diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
4240 -index eedff8c..6e13a47 100644
4241 +index eedff8c..7d7e24a 100644
4242 --- a/net/ipv6/raw.c
4243 +++ b/net/ipv6/raw.c
4244 +@@ -108,7 +108,7 @@ found:
4245 + */
4246 + static int icmpv6_filter(const struct sock *sk, const struct sk_buff *skb)
4247 + {
4248 +- struct icmp6hdr *_hdr;
4249 ++ struct icmp6hdr _hdr;
4250 + const struct icmp6hdr *hdr;
4251 +
4252 + hdr = skb_header_pointer(skb, skb_transport_offset(skb),
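Review bot: The scratch argument to skb_header_pointer is now a real `struct icmp6hdr _hdr`, which is the fix, but the API still accepts any `void *` for the buffer, so the same slip (passing the address of a pointer variable as a `sizeof(_dh)`-byte scratch area) is corrected three more times in net/netfilter/nf_conntrack_proto_dccp.c in this patch. A size-pairing wrapper at these sites prevents a recurrence, e.g. `#define skb_header_ptr_typed(skb, off, buf) skb_header_pointer((skb), (off), sizeof(*(buf)), (buf))`, so the length can no longer be taken from one object and the pointer from another. The rest of icmpv6_filter, including the `hdr == NULL` handling, is outside the hunk.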
4253 @@ -378,7 +378,7 @@ static inline int rawv6_rcv_skb(struct sock *sk, struct sk_buff *skb)
4254 {
4255 if ((raw6_sk(sk)->checksum || rcu_access_pointer(sk->sk_filter)) &&
4256 @@ -92939,9 +94655,18 @@ index 0ab9636..cea3c6a 100644
4257 {
4258 if (users > 0)
4259 diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
4260 -index a99b6c3..3841268 100644
4261 +index a99b6c3..cb372f9 100644
4262 --- a/net/netfilter/nf_conntrack_proto_dccp.c
4263 +++ b/net/netfilter/nf_conntrack_proto_dccp.c
4264 +@@ -428,7 +428,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
4265 + const char *msg;
4266 + u_int8_t state;
4267 +
4268 +- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
4269 ++ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
4270 + BUG_ON(dh == NULL);
4271 +
4272 + state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
4273 @@ -457,7 +457,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
4274 out_invalid:
4275 if (LOG_INVALID(net, IPPROTO_DCCP))
4276 @@ -92951,6 +94676,24 @@ index a99b6c3..3841268 100644
4277 return false;
4278 }
4279
4280 +@@ -486,7 +486,7 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
4281 + u_int8_t type, old_state, new_state;
4282 + enum ct_dccp_roles role;
4283 +
4284 +- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
4285 ++ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
4286 + BUG_ON(dh == NULL);
4287 + type = dh->dccph_type;
4288 +
4289 +@@ -577,7 +577,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl,
4290 + unsigned int cscov;
4291 + const char *msg;
4292 +
4293 +- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
4294 ++ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
4295 + if (dh == NULL) {
4296 + msg = "nf_ct_dccp: short packet ";
4297 + goto out_invalid;
4298 @@ -614,7 +614,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl,
4299
4300 out_invalid:
4301 @@ -95557,7 +97300,7 @@ index f5eb43d..1814de8 100644
4302 shdr = (Elf_Shdr *)((char *)ehdr + _r(&ehdr->e_shoff));
4303 shstrtab_sec = shdr + r2(&ehdr->e_shstrndx);
4304 diff --git a/security/Kconfig b/security/Kconfig
4305 -index e9c6ac7..3e3f362 100644
4306 +index e9c6ac7..c5d45c8 100644
4307 --- a/security/Kconfig
4308 +++ b/security/Kconfig
4309 @@ -4,6 +4,959 @@
4310 @@ -96396,7 +98139,7 @@ index e9c6ac7..3e3f362 100644
4311 +config PAX_REFCOUNT
4312 + bool "Prevent various kernel object reference counter overflows"
4313 + default y if GRKERNSEC_CONFIG_AUTO
4314 -+ depends on GRKERNSEC && ((ARM && (CPU_V6 || CPU_V6K || CPU_V7)) || SPARC64 || X86)
4315 ++ depends on GRKERNSEC && ((ARM && (CPU_V6 || CPU_V6K || CPU_V7)) || MIPS || SPARC64 || X86)
4316 + help
4317 + By saying Y here the kernel will detect and prevent overflowing
4318 + various (but not all) kinds of object reference counters. Such
4319 @@ -99033,10 +100776,10 @@ index 0000000..568b360
4320 +}
4321 diff --git a/tools/gcc/kernexec_plugin.c b/tools/gcc/kernexec_plugin.c
4322 new file mode 100644
4323 -index 0000000..0408e06
4324 +index 0000000..257529f
4325 --- /dev/null
4326 +++ b/tools/gcc/kernexec_plugin.c
4327 -@@ -0,0 +1,465 @@
4328 +@@ -0,0 +1,471 @@
4329 +/*
4330 + * Copyright 2011-2013 by the PaX Team <pageexec@××××××××.hu>
4331 + * Licensed under the GPL v2
4332 @@ -99088,7 +100831,7 @@ index 0000000..0408e06
4333 +int plugin_is_GPL_compatible;
4334 +
4335 +static struct plugin_info kernexec_plugin_info = {
4336 -+ .version = "201302112000",
4337 ++ .version = "201308230150",
4338 + .help = "method=[bts|or]\tinstrumentation method\n"
4339 +};
4340 +
4341 @@ -99239,7 +100982,7 @@ index 0000000..0408e06
4342 +static void kernexec_instrument_fptr_bts(gimple_stmt_iterator *gsi)
4343 +{
4344 + gimple assign_intptr, assign_new_fptr, call_stmt;
4345 -+ tree intptr, old_fptr, new_fptr, kernexec_mask;
4346 ++ tree intptr, orptr, old_fptr, new_fptr, kernexec_mask;
4347 +
4348 + call_stmt = gsi_stmt(*gsi);
4349 + old_fptr = gimple_call_fn(call_stmt);
4350 @@ -99248,16 +100991,20 @@ index 0000000..0408e06
4351 + intptr = create_tmp_var(long_unsigned_type_node, "kernexec_bts");
4352 +#if BUILDING_GCC_VERSION <= 4007
4353 + add_referenced_var(intptr);
4354 -+ mark_sym_for_renaming(intptr);
4355 +#endif
4356 ++ intptr = make_ssa_name(intptr, NULL);
4357 + assign_intptr = gimple_build_assign(intptr, fold_convert(long_unsigned_type_node, old_fptr));
4358 ++ SSA_NAME_DEF_STMT(intptr) = assign_intptr;
4359 + gsi_insert_before(gsi, assign_intptr, GSI_SAME_STMT);
4360 + update_stmt(assign_intptr);
4361 +
4362 + // apply logical or to temporary unsigned long and bitmask
4363 + kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0x8000000000000000LL);
4364 +// kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0xffffffff80000000LL);
4365 -+ assign_intptr = gimple_build_assign(intptr, fold_build2(BIT_IOR_EXPR, long_long_unsigned_type_node, intptr, kernexec_mask));
4366 ++ orptr = fold_build2(BIT_IOR_EXPR, long_long_unsigned_type_node, intptr, kernexec_mask);
4367 ++ intptr = make_ssa_name(SSA_NAME_VAR(intptr), NULL);
4368 ++ assign_intptr = gimple_build_assign(intptr, orptr);
4369 ++ SSA_NAME_DEF_STMT(intptr) = assign_intptr;
4370 + gsi_insert_before(gsi, assign_intptr, GSI_SAME_STMT);
4371 + update_stmt(assign_intptr);
4372 +
4373 @@ -99265,9 +101012,10 @@ index 0000000..0408e06
4374 + new_fptr = create_tmp_var(TREE_TYPE(old_fptr), "kernexec_fptr");
4375 +#if BUILDING_GCC_VERSION <= 4007
4376 + add_referenced_var(new_fptr);
4377 -+ mark_sym_for_renaming(new_fptr);
4378 +#endif
4379 ++ new_fptr = make_ssa_name(new_fptr, NULL);
4380 + assign_new_fptr = gimple_build_assign(new_fptr, fold_convert(TREE_TYPE(old_fptr), intptr));
4381 ++ SSA_NAME_DEF_STMT(new_fptr) = assign_new_fptr;
4382 + gsi_insert_before(gsi, assign_new_fptr, GSI_SAME_STMT);
4383 + update_stmt(assign_new_fptr);
4384 +
4385 @@ -99295,8 +101043,8 @@ index 0000000..0408e06
4386 + new_fptr = create_tmp_var(TREE_TYPE(old_fptr), "kernexec_or");
4387 +#if BUILDING_GCC_VERSION <= 4007
4388 + add_referenced_var(new_fptr);
4389 -+ mark_sym_for_renaming(new_fptr);
4390 +#endif
4391 ++ new_fptr = make_ssa_name(new_fptr, NULL);
4392 +
4393 + // build asm volatile("orq %%r10, %0\n\t" : "=r"(new_fptr) : "0"(old_fptr));
4394 + input = build_tree_list(NULL_TREE, build_string(2, "0"));
4395 @@ -99311,6 +101059,7 @@ index 0000000..0408e06
4396 + vec_safe_push(outputs, output);
4397 +#endif
4398 + asm_or_stmt = gimple_build_asm_vec("orq %%r10, %0\n\t", inputs, outputs, NULL, NULL);
4399 ++ SSA_NAME_DEF_STMT(new_fptr) = asm_or_stmt;
4400 + gimple_asm_set_volatile(asm_or_stmt, true);
4401 + gsi_insert_before(gsi, asm_or_stmt, GSI_SAME_STMT);
4402 + update_stmt(asm_or_stmt);
4403 @@ -99504,10 +101253,10 @@ index 0000000..0408e06
4404 +}
4405 diff --git a/tools/gcc/latent_entropy_plugin.c b/tools/gcc/latent_entropy_plugin.c
4406 new file mode 100644
4407 -index 0000000..b5395ba
4408 +index 0000000..2ef6fd9
4409 --- /dev/null
4410 +++ b/tools/gcc/latent_entropy_plugin.c
4411 -@@ -0,0 +1,327 @@
4412 +@@ -0,0 +1,321 @@
4413 +/*
4414 + * Copyright 2012-2013 by the PaX Team <pageexec@××××××××.hu>
4415 + * Licensed under the GPL v2
4416 @@ -99559,7 +101308,7 @@ index 0000000..b5395ba
4417 +static tree latent_entropy_decl;
4418 +
4419 +static struct plugin_info latent_entropy_plugin_info = {
4420 -+ .version = "201303102320",
4421 ++ .version = "201308230230",
4422 + .help = NULL
4423 +};
4424 +
4425 @@ -99668,13 +101417,10 @@ index 0000000..b5395ba
4426 + op = get_op(&rhs);
4427 + addxorrol = fold_build2_loc(UNKNOWN_LOCATION, op, unsigned_intDI_type_node, local_entropy, rhs);
4428 + assign = gimple_build_assign(local_entropy, addxorrol);
4429 -+#if BUILDING_GCC_VERSION <= 4007
4430 -+ find_referenced_vars_in(assign);
4431 -+#endif
4432 -+//debug_bb(bb);
4433 + gsi = gsi_after_labels(bb);
4434 + gsi_insert_before(&gsi, assign, GSI_NEW_STMT);
4435 + update_stmt(assign);
4436 ++//debug_bb(bb);
4437 +}
4438 +
4439 +static void perturb_latent_entropy(basic_block bb, tree rhs)
4440 @@ -99687,13 +101433,14 @@ index 0000000..b5395ba
4441 + temp = create_tmp_var(unsigned_intDI_type_node, "temp_latent_entropy");
4442 +#if BUILDING_GCC_VERSION <= 4007
4443 + add_referenced_var(temp);
4444 -+ mark_sym_for_renaming(temp);
4445 +#endif
4446 +
4447 + // 2. read...
4448 ++ temp = make_ssa_name(temp, NULL);
4449 + assign = gimple_build_assign(temp, latent_entropy_decl);
4450 ++ SSA_NAME_DEF_STMT(temp) = assign;
4451 +#if BUILDING_GCC_VERSION <= 4007
4452 -+ find_referenced_vars_in(assign);
4453 ++ add_referenced_var(latent_entropy_decl);
4454 +#endif
4455 + gsi = gsi_after_labels(bb);
4456 + gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
4457 @@ -99701,18 +101448,14 @@ index 0000000..b5395ba
4458 +
4459 + // 3. ...modify...
4460 + addxorrol = fold_build2_loc(UNKNOWN_LOCATION, get_op(NULL), unsigned_intDI_type_node, temp, rhs);
4461 ++ temp = make_ssa_name(SSA_NAME_VAR(temp), NULL);
4462 + assign = gimple_build_assign(temp, addxorrol);
4463 -+#if BUILDING_GCC_VERSION <= 4007
4464 -+ find_referenced_vars_in(assign);
4465 -+#endif
4466 ++ SSA_NAME_DEF_STMT(temp) = assign;
4467 + gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
4468 + update_stmt(assign);
4469 +
4470 + // 4. ...write latent_entropy
4471 + assign = gimple_build_assign(latent_entropy_decl, temp);
4472 -+#if BUILDING_GCC_VERSION <= 4007
4473 -+ find_referenced_vars_in(assign);
4474 -+#endif
4475 + gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
4476 + update_stmt(assign);
4477 +}
4478 @@ -99763,21 +101506,21 @@ index 0000000..b5395ba
4479 +
4480 + assign = gimple_build_assign(local_entropy, build_int_cstu(unsigned_intDI_type_node, get_random_const()));
4481 +// gimple_set_location(assign, loc);
4482 -+#if BUILDING_GCC_VERSION <= 4007
4483 -+ find_referenced_vars_in(assign);
4484 -+#endif
4485 + gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
4486 + update_stmt(assign);
4487 ++//debug_bb(bb);
4488 + bb = bb->next_bb;
4489 +
4490 + // 3. instrument each BB with an operation on the local entropy variable
4491 + while (bb != EXIT_BLOCK_PTR) {
4492 + perturb_local_entropy(bb, local_entropy);
4493 ++//debug_bb(bb);
4494 + bb = bb->next_bb;
4495 + };
4496 +
4497 + // 4. mix local entropy into the global entropy variable
4498 + perturb_latent_entropy(EXIT_BLOCK_PTR->prev_bb, local_entropy);
4499 ++//debug_bb(EXIT_BLOCK_PTR->prev_bb);
4500 + return 0;
4501 +}
4502 +
4503 @@ -106193,10 +107936,10 @@ index 0000000..b04803b
4504 +alloc_dr_65495 alloc_dr 2 65495 NULL
4505 diff --git a/tools/gcc/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin.c
4506 new file mode 100644
4507 -index 0000000..9db0d0e
4508 +index 0000000..03d0c84
4509 --- /dev/null
4510 +++ b/tools/gcc/size_overflow_plugin.c
4511 -@@ -0,0 +1,2114 @@
4512 +@@ -0,0 +1,2113 @@
4513 +/*
4514 + * Copyright 2011, 2012, 2013 by Emese Revfy <re.emese@×××××.com>
4515 + * Licensed under the GPL v2, or (at your option) v3
4516 @@ -106286,7 +108029,7 @@ index 0000000..9db0d0e
4517 +static void print_missing_msg(tree func, unsigned int argnum);
4518 +
4519 +static struct plugin_info size_overflow_plugin_info = {
4520 -+ .version = "20130410beta",
4521 ++ .version = "20130822beta",
4522 + .help = "no-size-overflow\tturn off size overflow checking\n",
4523 +};
4524 +
4525 @@ -106666,7 +108409,6 @@ index 0000000..9db0d0e
4526 +
4527 +#if BUILDING_GCC_VERSION <= 4007
4528 + add_referenced_var(new_var);
4529 -+ mark_sym_for_renaming(new_var);
4530 +#endif
4531 + return new_var;
4532 +}
4533
4534 diff --git a/3.2.50/0000_README b/3.2.50/0000_README
4535 index a654e82..8d5d81f 100644
4536 --- a/3.2.50/0000_README
4537 +++ b/3.2.50/0000_README
4538 @@ -118,7 +118,7 @@ Patch: 1049_linux-3.2.50.patch
4539 From: http://www.kernel.org
4540 Desc: Linux 3.2.50
4541
4542 -Patch: 4420_grsecurity-2.9.1-3.2.50-201308202017.patch
4543 +Patch: 4420_grsecurity-2.9.1-3.2.50-201308282053.patch
4544 From: http://www.grsecurity.net
4545 Desc: hardened-sources base patch from upstream grsecurity
4546
4547
4548 diff --git a/3.2.50/4420_grsecurity-2.9.1-3.2.50-201308202017.patch b/3.2.50/4420_grsecurity-2.9.1-3.2.50-201308282053.patch
4549 similarity index 99%
4550 rename from 3.2.50/4420_grsecurity-2.9.1-3.2.50-201308202017.patch
4551 rename to 3.2.50/4420_grsecurity-2.9.1-3.2.50-201308282053.patch
4552 index 01378eb..581a30c 100644
4553 --- a/3.2.50/4420_grsecurity-2.9.1-3.2.50-201308202017.patch
4554 +++ b/3.2.50/4420_grsecurity-2.9.1-3.2.50-201308282053.patch
4555 @@ -35590,10 +35590,112 @@ index 8a8725c2..afed796 100644
4556 marker = list_first_entry(&queue->head,
4557 struct vmw_marker, head);
4558 diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
4559 -index 611aafc..d6aafa2 100644
4560 +index 611aafc..3f9bbc0 100644
4561 --- a/drivers/hid/hid-core.c
4562 +++ b/drivers/hid/hid-core.c
4563 -@@ -2034,7 +2034,7 @@ static bool hid_ignore(struct hid_device *hdev)
4564 +@@ -59,6 +59,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
4565 + struct hid_report_enum *report_enum = device->report_enum + type;
4566 + struct hid_report *report;
4567 +
4568 ++ if (id >= HID_MAX_IDS)
4569 ++ return NULL;
4570 + if (report_enum->report_id_hash[id])
4571 + return report_enum->report_id_hash[id];
4572 +
4573 +@@ -380,8 +382,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
4574 +
4575 + case HID_GLOBAL_ITEM_TAG_REPORT_ID:
4576 + parser->global.report_id = item_udata(item);
4577 +- if (parser->global.report_id == 0) {
4578 +- dbg_hid("report_id 0 is invalid\n");
4579 ++ if (parser->global.report_id == 0 ||
4580 ++ parser->global.report_id >= HID_MAX_IDS) {
4581 ++ dbg_hid("report_id %u is invalid\n",
4582 ++ parser->global.report_id);
4583 + return -1;
4584 + }
4585 + return 0;
4586 +@@ -552,7 +556,7 @@ static void hid_device_release(struct device *dev)
4587 + for (i = 0; i < HID_REPORT_TYPES; i++) {
4588 + struct hid_report_enum *report_enum = device->report_enum + i;
4589 +
4590 +- for (j = 0; j < 256; j++) {
4591 ++ for (j = 0; j < HID_MAX_IDS; j++) {
4592 + struct hid_report *report = report_enum->report_id_hash[j];
4593 + if (report)
4594 + hid_free_report(report);
4595 +@@ -710,6 +714,56 @@ err:
4596 + }
4597 + EXPORT_SYMBOL_GPL(hid_parse_report);
4598 +
4599 ++static const char * const hid_report_names[] = {
4600 ++ "HID_INPUT_REPORT",
4601 ++ "HID_OUTPUT_REPORT",
4602 ++ "HID_FEATURE_REPORT",
4603 ++};
4604 ++/**
4605 ++ * hid_validate_report - validate existing device report
4606 ++ *
4607 ++ * @device: hid device
4608 ++ * @type: which report type to examine
4609 ++ * @id: which report ID to examine (0 for first)
4610 ++ * @fields: expected number of fields
4611 ++ * @report_counts: expected number of values per field
4612 ++ *
4613 ++ * Validate the report details after parsing.
4614 ++ */
4615 ++struct hid_report *hid_validate_report(struct hid_device *hid,
4616 ++ unsigned int type, unsigned int id,
4617 ++ unsigned int fields,
4618 ++ unsigned int report_counts)
4619 ++{
4620 ++ struct hid_report *report;
4621 ++ unsigned int i;
4622 ++
4623 ++ if (type > HID_FEATURE_REPORT) {
4624 ++ hid_err(hid, "invalid HID report %u\n", type);
4625 ++ return NULL;
4626 ++ }
4627 ++
4628 ++ report = hid->report_enum[type].report_id_hash[id];
4629 ++ if (!report) {
4630 ++ hid_err(hid, "missing %s %u\n", hid_report_names[type], id);
4631 ++ return NULL;
4632 ++ }
4633 ++ if (report->maxfield < fields) {
4634 ++ hid_err(hid, "not enough fields in %s %u\n",
4635 ++ hid_report_names[type], id);
4636 ++ return NULL;
4637 ++ }
4638 ++ for (i = 0; i < fields; i++) {
4639 ++ if (report->field[i]->report_count < report_counts) {
4640 ++ hid_err(hid, "not enough values in %s %u fields\n",
4641 ++ hid_report_names[type], id);
4642 ++ return NULL;
4643 ++ }
4644 ++ }
4645 ++ return report;
4646 ++}
4647 ++EXPORT_SYMBOL_GPL(hid_validate_report);
4648 ++
4649 + /*
4650 + * Convert a signed n-bit integer to signed 32-bit integer. Common
4651 + * cases are done through the compiler, the screwed things has to be
4652 +@@ -990,7 +1044,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
4653 +
4654 + int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
4655 + {
4656 +- unsigned size = field->report_size;
4657 ++ unsigned size;
4658 ++
4659 ++ if (!field)
4660 ++ return -1;
4661 ++
4662 ++ size = field->report_size;
4663 +
4664 + hid_dump_input(field->report->device, field->usage + offset, value);
4665 +
4666 +@@ -2034,7 +2093,7 @@ static bool hid_ignore(struct hid_device *hdev)
4667
4668 int hid_add_device(struct hid_device *hdev)
4669 {
4670 @@ -35602,7 +35704,7 @@ index 611aafc..d6aafa2 100644
4671 int ret;
4672
4673 if (WARN_ON(hdev->status & HID_STAT_ADDED))
4674 -@@ -2049,7 +2049,7 @@ int hid_add_device(struct hid_device *hdev)
4675 +@@ -2049,7 +2108,7 @@ int hid_add_device(struct hid_device *hdev)
4676 /* XXX hack, any other cleaner solution after the driver core
4677 * is converted to allow more than 20 bytes as the device name? */
4678 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
4679 @@ -35611,6 +35713,253 @@ index 611aafc..d6aafa2 100644
4680
4681 hid_debug_register(hdev, dev_name(&hdev->dev));
4682 ret = device_add(&hdev->dev);
4683 +diff --git a/drivers/hid/hid-lg2ff.c b/drivers/hid/hid-lg2ff.c
4684 +index 3c31bc6..f7b432a 100644
4685 +--- a/drivers/hid/hid-lg2ff.c
4686 ++++ b/drivers/hid/hid-lg2ff.c
4687 +@@ -66,26 +66,13 @@ int lg2ff_init(struct hid_device *hid)
4688 + struct hid_report *report;
4689 + struct hid_input *hidinput = list_entry(hid->inputs.next,
4690 + struct hid_input, list);
4691 +- struct list_head *report_list =
4692 +- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
4693 + struct input_dev *dev = hidinput->input;
4694 + int error;
4695 +
4696 +- if (list_empty(report_list)) {
4697 +- hid_err(hid, "no output report found\n");
4698 ++ /* Check that the report looks ok */
4699 ++ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7);
4700 ++ if (!report)
4701 + return -ENODEV;
4702 +- }
4703 +-
4704 +- report = list_entry(report_list->next, struct hid_report, list);
4705 +-
4706 +- if (report->maxfield < 1) {
4707 +- hid_err(hid, "output report is empty\n");
4708 +- return -ENODEV;
4709 +- }
4710 +- if (report->field[0]->report_count < 7) {
4711 +- hid_err(hid, "not enough values in the field\n");
4712 +- return -ENODEV;
4713 +- }
4714 +
4715 + lg2ff = kmalloc(sizeof(struct lg2ff_device), GFP_KERNEL);
4716 + if (!lg2ff)
4717 +diff --git a/drivers/hid/hid-lg3ff.c b/drivers/hid/hid-lg3ff.c
4718 +index f98644c..8590851 100644
4719 +--- a/drivers/hid/hid-lg3ff.c
4720 ++++ b/drivers/hid/hid-lg3ff.c
4721 +@@ -68,10 +68,11 @@ static int hid_lg3ff_play(struct input_dev *dev, void *data,
4722 + int x, y;
4723 +
4724 + /*
4725 +- * Maxusage should always be 63 (maximum fields)
4726 +- * likely a better way to ensure this data is clean
4727 ++ * Available values in the field should always be 63, but we only use up to
4728 ++ * 35. Instead, clear the entire area, however big it is.
4729 + */
4730 +- memset(report->field[0]->value, 0, sizeof(__s32)*report->field[0]->maxusage);
4731 ++ memset(report->field[0]->value, 0,
4732 ++ sizeof(__s32) * report->field[0]->report_count);
4733 +
4734 + switch (effect->type) {
4735 + case FF_CONSTANT:
4736 +@@ -131,32 +132,14 @@ static const signed short ff3_joystick_ac[] = {
4737 + int lg3ff_init(struct hid_device *hid)
4738 + {
4739 + struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
4740 +- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
4741 + struct input_dev *dev = hidinput->input;
4742 +- struct hid_report *report;
4743 +- struct hid_field *field;
4744 + const signed short *ff_bits = ff3_joystick_ac;
4745 + int error;
4746 + int i;
4747 +
4748 +- /* Find the report to use */
4749 +- if (list_empty(report_list)) {
4750 +- hid_err(hid, "No output report found\n");
4751 +- return -1;
4752 +- }
4753 +-
4754 + /* Check that the report looks ok */
4755 +- report = list_entry(report_list->next, struct hid_report, list);
4756 +- if (!report) {
4757 +- hid_err(hid, "NULL output report\n");
4758 +- return -1;
4759 +- }
4760 +-
4761 +- field = report->field[0];
4762 +- if (!field) {
4763 +- hid_err(hid, "NULL field\n");
4764 +- return -1;
4765 +- }
4766 ++ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 35))
4767 ++ return -ENODEV;
4768 +
4769 + /* Assume single fixed device G940 */
4770 + for (i = 0; ff_bits[i] >= 0; i++)
4771 +diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c
4772 +index 103f30d..b9a39e5 100644
4773 +--- a/drivers/hid/hid-lg4ff.c
4774 ++++ b/drivers/hid/hid-lg4ff.c
4775 +@@ -339,33 +339,15 @@ static ssize_t lg4ff_range_store(struct device *dev, struct device_attribute *at
4776 + int lg4ff_init(struct hid_device *hid)
4777 + {
4778 + struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
4779 +- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
4780 + struct input_dev *dev = hidinput->input;
4781 +- struct hid_report *report;
4782 +- struct hid_field *field;
4783 + struct lg4ff_device_entry *entry;
4784 + struct usb_device_descriptor *udesc;
4785 + int error, i, j;
4786 + __u16 bcdDevice, rev_maj, rev_min;
4787 +
4788 +- /* Find the report to use */
4789 +- if (list_empty(report_list)) {
4790 +- hid_err(hid, "No output report found\n");
4791 +- return -1;
4792 +- }
4793 +-
4794 + /* Check that the report looks ok */
4795 +- report = list_entry(report_list->next, struct hid_report, list);
4796 +- if (!report) {
4797 +- hid_err(hid, "NULL output report\n");
4798 ++ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7))
4799 + return -1;
4800 +- }
4801 +-
4802 +- field = report->field[0];
4803 +- if (!field) {
4804 +- hid_err(hid, "NULL field\n");
4805 +- return -1;
4806 +- }
4807 +
4808 + /* Check what wheel has been connected */
4809 + for (i = 0; i < ARRAY_SIZE(lg4ff_devices); i++) {
4810 +diff --git a/drivers/hid/hid-lgff.c b/drivers/hid/hid-lgff.c
4811 +index 27bc54f..6d25789 100644
4812 +--- a/drivers/hid/hid-lgff.c
4813 ++++ b/drivers/hid/hid-lgff.c
4814 +@@ -130,27 +130,14 @@ static void hid_lgff_set_autocenter(struct input_dev *dev, u16 magnitude)
4815 + int lgff_init(struct hid_device* hid)
4816 + {
4817 + struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
4818 +- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
4819 + struct input_dev *dev = hidinput->input;
4820 +- struct hid_report *report;
4821 +- struct hid_field *field;
4822 + const signed short *ff_bits = ff_joystick;
4823 + int error;
4824 + int i;
4825 +
4826 +- /* Find the report to use */
4827 +- if (list_empty(report_list)) {
4828 +- hid_err(hid, "No output report found\n");
4829 +- return -1;
4830 +- }
4831 +-
4832 + /* Check that the report looks ok */
4833 +- report = list_entry(report_list->next, struct hid_report, list);
4834 +- field = report->field[0];
4835 +- if (!field) {
4836 +- hid_err(hid, "NULL field\n");
4837 +- return -1;
4838 +- }
4839 ++ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7))
4840 ++ return -ENODEV;
4841 +
4842 + for (i = 0; i < ARRAY_SIZE(devices); i++) {
4843 + if (dev->id.vendor == devices[i].idVendor &&
4844 +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
4845 +index 13af0f1..dc797c9 100644
4846 +--- a/drivers/hid/hid-multitouch.c
4847 ++++ b/drivers/hid/hid-multitouch.c
4848 +@@ -195,6 +195,9 @@ static void mt_feature_mapping(struct hid_device *hdev,
4849 + td->inputmode = field->report->id;
4850 + break;
4851 + case HID_DG_CONTACTMAX:
4852 ++ /* Ignore if value count is out of bounds. */
4853 ++ if (field->report_count < 1)
4854 ++ break;
4855 + td->maxcontacts = field->value[0];
4856 + if (td->mtclass->maxcontacts)
4857 + /* check if the maxcontacts is given by the class */
4858 +@@ -506,7 +509,6 @@ static int mt_event(struct hid_device *hid, struct hid_field *field,
4859 + if (field->index == td->last_field_index
4860 + && td->num_received >= td->num_expected)
4861 + mt_emit_event(td, field->hidinput->input);
4862 +-
4863 + }
4864 +
4865 + /* we have handled the hidinput part, now remains hiddev */
4866 +diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
4867 +index 9fae2eb..48cba85 100644
4868 +--- a/drivers/hid/hid-ntrig.c
4869 ++++ b/drivers/hid/hid-ntrig.c
4870 +@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
4871 + struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
4872 + report_id_hash[0x0d];
4873 +
4874 +- if (!report)
4875 ++ if (!report || report->maxfield < 1 ||
4876 ++ report->field[0]->report_count < 1)
4877 + return -EINVAL;
4878 +
4879 + usbhid_submit_report(hdev, report, USB_DIR_IN);
4880 +diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
4881 +index 070f93a..12786cd 100644
4882 +--- a/drivers/hid/hid-pl.c
4883 ++++ b/drivers/hid/hid-pl.c
4884 +@@ -129,8 +129,14 @@ static int plff_init(struct hid_device *hid)
4885 + strong = &report->field[0]->value[2];
4886 + weak = &report->field[0]->value[3];
4887 + debug("detected single-field device");
4888 +- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
4889 +- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
4890 ++ } else if (report->field[0]->maxusage == 1 &&
4891 ++ report->field[0]->usage[0].hid ==
4892 ++ (HID_UP_LED | 0x43) &&
4893 ++ report->maxfield >= 4 &&
4894 ++ report->field[0]->report_count >= 1 &&
4895 ++ report->field[1]->report_count >= 1 &&
4896 ++ report->field[2]->report_count >= 1 &&
4897 ++ report->field[3]->report_count >= 1) {
4898 + report->field[0]->value[0] = 0x00;
4899 + report->field[1]->value[0] = 0x00;
4900 + strong = &report->field[2]->value[0];
4901 +diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c
4902 +index f6ba81d..f7e37f7 100644
4903 +--- a/drivers/hid/hid-zpff.c
4904 ++++ b/drivers/hid/hid-zpff.c
4905 +@@ -70,22 +70,12 @@ static int zpff_init(struct hid_device *hid)
4906 + struct hid_report *report;
4907 + struct hid_input *hidinput = list_entry(hid->inputs.next,
4908 + struct hid_input, list);
4909 +- struct list_head *report_list =
4910 +- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
4911 + struct input_dev *dev = hidinput->input;
4912 + int error;
4913 +
4914 +- if (list_empty(report_list)) {
4915 +- hid_err(hid, "no output report found\n");
4916 ++ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 4, 1);
4917 ++ if (!report)
4918 + return -ENODEV;
4919 +- }
4920 +-
4921 +- report = list_entry(report_list->next, struct hid_report, list);
4922 +-
4923 +- if (report->maxfield < 4) {
4924 +- hid_err(hid, "not enough fields in report\n");
4925 +- return -ENODEV;
4926 +- }
4927 +
4928 + zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL);
4929 + if (!zpff)
4930 diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
4931 index 4ef02b2..8a96831 100644
4932 --- a/drivers/hid/usbhid/hiddev.c
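Review bot: The driver conversions in this hunk are inconsistent about the error returned when hid_validate_report fails: lg2ff_init, lg3ff_init, lgff_init and zpff_init now return `-ENODEV`, but lg4ff_init still returns `-1`. Changing the lg4ff line to `return -ENODEV;` would make the probe failure report the same errno everywhere. In hid-pl.c the rewritten condition dereferences `report->field[0]` before testing `report->maxfield >= 4`; that is only safe if a `maxfield >= 1` check precedes the first branch, which is above this hunk and not visible here, so it is worth confirming.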
4933 @@ -40799,6 +41148,22 @@ index 62dc461..5250f0b 100644
4934
4935 /* dongle iscan controller */
4936 struct brcmf_cfg80211_iscan_ctrl {
4937 +diff --git a/drivers/net/wireless/hostap/hostap_ioctl.c b/drivers/net/wireless/hostap/hostap_ioctl.c
4938 +index 045a936..271e818 100644
4939 +--- a/drivers/net/wireless/hostap/hostap_ioctl.c
4940 ++++ b/drivers/net/wireless/hostap/hostap_ioctl.c
4941 +@@ -522,9 +522,9 @@ static int prism2_ioctl_giwaplist(struct net_device *dev,
4942 +
4943 + data->length = prism2_ap_get_sta_qual(local, addr, qual, IW_MAX_AP, 1);
4944 +
4945 +- memcpy(extra, &addr, sizeof(struct sockaddr) * data->length);
4946 ++ memcpy(extra, addr, sizeof(struct sockaddr) * data->length);
4947 + data->flags = 1; /* has quality information */
4948 +- memcpy(extra + sizeof(struct sockaddr) * data->length, &qual,
4949 ++ memcpy(extra + sizeof(struct sockaddr) * data->length, qual,
4950 + sizeof(struct iw_quality) * data->length);
4951 +
4952 + kfree(addr);
4953 diff --git a/drivers/net/wireless/iwlegacy/iwl3945-base.c b/drivers/net/wireless/iwlegacy/iwl3945-base.c
4954 index b3d9f3f..9931f58 100644
4955 --- a/drivers/net/wireless/iwlegacy/iwl3945-base.c
4956 @@ -49268,10 +49633,38 @@ index 7423cb9..9379ddd 100644
4957 static int __init init_misc_binfmt(void)
4958 {
4959 diff --git a/fs/bio.c b/fs/bio.c
4960 -index 4fc4dbb..bae9dce 100644
4961 +index 4fc4dbb..0cf9d6d 100644
4962 --- a/fs/bio.c
4963 +++ b/fs/bio.c
4964 -@@ -838,7 +838,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
4965 +@@ -787,12 +787,22 @@ static int __bio_copy_iov(struct bio *bio, struct bio_vec *iovecs,
4966 + int bio_uncopy_user(struct bio *bio)
4967 + {
4968 + struct bio_map_data *bmd = bio->bi_private;
4969 +- int ret = 0;
4970 ++ struct bio_vec *bvec;
4971 ++ int ret = 0, i;
4972 +
4973 +- if (!bio_flagged(bio, BIO_NULL_MAPPED))
4974 +- ret = __bio_copy_iov(bio, bmd->iovecs, bmd->sgvecs,
4975 +- bmd->nr_sgvecs, bio_data_dir(bio) == READ,
4976 +- 0, bmd->is_our_pages);
4977 ++ if (!bio_flagged(bio, BIO_NULL_MAPPED)) {
4978 ++ /*
4979 ++ * if we're in a workqueue, the request is orphaned, so
4980 ++ * don't copy into a random user address space, just free.
4981 ++ */
4982 ++ if (current->mm)
4983 ++ ret = __bio_copy_iov(bio, bmd->iovecs, bmd->sgvecs,
4984 ++ bmd->nr_sgvecs, bio_data_dir(bio) == READ,
4985 ++ 0, bmd->is_our_pages);
4986 ++ else if (bmd->is_our_pages)
4987 ++ __bio_for_each_segment(bvec, bio, i, 0)
4988 ++ __free_page(bvec->bv_page);
4989 ++ }
4990 + bio_free_map_data(bmd);
4991 + bio_put(bio);
4992 + return ret;
4993 +@@ -838,7 +848,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
4994 /*
4995 * Overflow, abort
4996 */
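Review bot: On the new `!current->mm` path in bio_uncopy_user the user data is dropped but `ret` stays 0, so a caller cannot tell a completed copy-back from a discarded one; if that is intended, the comment should say so, e.g. extend it with `* The data is discarded and ret stays 0 in that case.`. In the same branch nothing is freed when `bmd->is_our_pages` is false, which presumably matches what __bio_copy_iov does for caller-owned pages, but that function is outside this hunk, so it is worth confirming the ownership rule is the same on both paths.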
4997 @@ -49280,7 +49673,7 @@ index 4fc4dbb..bae9dce 100644
4998 return ERR_PTR(-EINVAL);
4999
5000 nr_pages += end - start;
5001 -@@ -972,7 +972,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
5002 +@@ -972,7 +982,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
5003 /*
5004 * Overflow, abort
5005 */
5006 @@ -49289,7 +49682,7 @@ index 4fc4dbb..bae9dce 100644
5007 return ERR_PTR(-EINVAL);
5008
5009 nr_pages += end - start;
5010 -@@ -1234,7 +1234,7 @@ static void bio_copy_kern_endio(struct bio *bio, int err)
5011 +@@ -1234,7 +1244,7 @@ static void bio_copy_kern_endio(struct bio *bio, int err)
5012 const int read = bio_data_dir(bio) == READ;
5013 struct bio_map_data *bmd = bio->bi_private;
5014 int i;
5015 @@ -49607,9 +50000,27 @@ index 9895400..78a67e7 100644
5016 }
5017
5018 diff --git a/fs/ceph/super.c b/fs/ceph/super.c
5019 -index de268a8..06e0541 100644
5020 +index de268a8..2a158be 100644
5021 --- a/fs/ceph/super.c
5022 +++ b/fs/ceph/super.c
5023 +@@ -785,7 +785,7 @@ static int ceph_compare_super(struct super_block *sb, void *data)
5024 + /*
5025 + * construct our own bdi so we can control readahead, etc.
5026 + */
5027 +-static atomic_long_t bdi_seq = ATOMIC_LONG_INIT(0);
5028 ++static atomic_long_unchecked_t bdi_seq = ATOMIC_LONG_INIT(0);
5029 +
5030 + static int ceph_register_bdi(struct super_block *sb,
5031 + struct ceph_fs_client *fsc)
5032 +@@ -802,7 +802,7 @@ static int ceph_register_bdi(struct super_block *sb,
5033 + default_backing_dev_info.ra_pages;
5034 +
5035 + err = bdi_register(&fsc->backing_dev_info, NULL, "ceph-%d",
5036 +- atomic_long_inc_return(&bdi_seq));
5037 ++ atomic_long_inc_return_unchecked(&bdi_seq));
5038 + if (!err)
5039 + sb->s_bdi = &fsc->backing_dev_info;
5040 + return err;
5041 @@ -901,6 +901,7 @@ static struct file_system_type ceph_fs_type = {
5042 .kill_sb = ceph_kill_sb,
5043 .fs_flags = FS_RENAME_DOES_D_MOVE,
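Review bot: The switch of `bdi_seq` to `atomic_long_unchecked_t` carries no comment explaining why the unchecked variant is appropriate here; a reader auditing the overflow-checked atomics will otherwise have to rediscover that this counter only feeds the `"ceph-%d"` device name. A one-line comment above the declaration, such as `/* name sequence only, not a refcount: wraparound is harmless */`, would document the reasoning. The identical change to `bdi_seq` in mm/backing-dev.c later in this file deserves the same comment.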
5044 @@ -71398,6 +71809,35 @@ index 0000000..e7ffaaf
5045 + const int protocol);
5046 +
5047 +#endif
5048 +diff --git a/include/linux/hid.h b/include/linux/hid.h
5049 +index 331e2ef..37c06bd 100644
5050 +--- a/include/linux/hid.h
5051 ++++ b/include/linux/hid.h
5052 +@@ -416,10 +416,12 @@ struct hid_report {
5053 + struct hid_device *device; /* associated device */
5054 + };
5055 +
5056 ++#define HID_MAX_IDS 256
5057 ++
5058 + struct hid_report_enum {
5059 + unsigned numbered;
5060 + struct list_head report_list;
5061 +- struct hid_report *report_id_hash[256];
5062 ++ struct hid_report *report_id_hash[HID_MAX_IDS];
5063 + };
5064 +
5065 + #define HID_REPORT_TYPES 3
5066 +@@ -716,6 +718,10 @@ void hid_output_report(struct hid_report *report, __u8 *data);
5067 + struct hid_device *hid_allocate_device(void);
5068 + struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id);
5069 + int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size);
5070 ++struct hid_report *hid_validate_report(struct hid_device *hid,
5071 ++ unsigned int type, unsigned int id,
5072 ++ unsigned int fields,
5073 ++ unsigned int report_counts);
5074 + int hid_check_keys_pressed(struct hid_device *hid);
5075 + int hid_connect(struct hid_device *hid, unsigned int connect_mask);
5076 + void hid_disconnect(struct hid_device *hid);
5077 diff --git a/include/linux/highmem.h b/include/linux/highmem.h
5078 index 52e9620..26c34b1 100644
5079 --- a/include/linux/highmem.h
5080 @@ -79040,7 +79480,7 @@ index 962c291..31cf69d7 100644
5081 .clock_get = thread_cpu_clock_get,
5082 .timer_create = thread_cpu_timer_create,
5083 diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
5084 -index e885be1..380fe76 100644
5085 +index e885be1..f005738 100644
5086 --- a/kernel/posix-timers.c
5087 +++ b/kernel/posix-timers.c
5088 @@ -43,6 +43,7 @@
5089 @@ -79123,6 +79563,15 @@ index e885be1..380fe76 100644
5090 }
5091
5092 static int common_timer_create(struct k_itimer *new_timer)
5093 +@@ -539,7 +540,7 @@ SYSCALL_DEFINE3(timer_create, const clockid_t, which_clock,
5094 + struct k_clock *kc = clockid_to_kclock(which_clock);
5095 + struct k_itimer *new_timer;
5096 + int error, new_timer_id;
5097 +- sigevent_t event;
5098 ++ sigevent_t event = { };
5099 + int it_id_set = IT_ID_NOT_SET;
5100 +
5101 + if (!kc)
5102 @@ -966,6 +967,13 @@ SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock,
5103 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
5104 return -EFAULT;
5105 @@ -82610,9 +83059,18 @@ index 011b110..fad8776 100644
5106
5107 config NOMMU_INITIAL_TRIM_EXCESS
5108 diff --git a/mm/backing-dev.c b/mm/backing-dev.c
5109 -index 2b49dd2..00bdcdb 100644
5110 +index 2b49dd2..0527d62 100644
5111 --- a/mm/backing-dev.c
5112 +++ b/mm/backing-dev.c
5113 +@@ -12,7 +12,7 @@
5114 + #include <linux/device.h>
5115 + #include <trace/events/writeback.h>
5116 +
5117 +-static atomic_long_t bdi_seq = ATOMIC_LONG_INIT(0);
5118 ++static atomic_long_unchecked_t bdi_seq = ATOMIC_LONG_INIT(0);
5119 +
5120 + struct backing_dev_info default_backing_dev_info = {
5121 + .name = "default",
5122 @@ -759,7 +759,6 @@ EXPORT_SYMBOL(bdi_destroy);
5123 int bdi_setup_and_register(struct backing_dev_info *bdi, char *name,
5124 unsigned int cap)
5125 @@ -82627,7 +83085,7 @@ index 2b49dd2..00bdcdb 100644
5126
5127 - sprintf(tmp, "%.28s%s", name, "-%d");
5128 - err = bdi_register(bdi, NULL, tmp, atomic_long_inc_return(&bdi_seq));
5129 -+ err = bdi_register(bdi, NULL, "%.28s-%ld", name, atomic_long_inc_return(&bdi_seq));
5130 ++ err = bdi_register(bdi, NULL, "%.28s-%ld", name, atomic_long_inc_return_unchecked(&bdi_seq));
5131 if (err) {
5132 bdi_destroy(bdi);
5133 return err;
5134 @@ -90563,10 +91021,27 @@ index 5decc93..79830d4 100644
5135
5136 int udp4_seq_show(struct seq_file *seq, void *v)
5137 diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
5138 -index 314bda2..9503a4f 100644
5139 +index 314bda2..19a815f 100644
5140 --- a/net/ipv6/addrconf.c
5141 +++ b/net/ipv6/addrconf.c
5142 -@@ -2159,7 +2159,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
5143 +@@ -913,12 +913,10 @@ retry:
5144 + if (ifp->flags & IFA_F_OPTIMISTIC)
5145 + addr_flags |= IFA_F_OPTIMISTIC;
5146 +
5147 +- ift = !max_addresses ||
5148 +- ipv6_count_addresses(idev) < max_addresses ?
5149 +- ipv6_add_addr(idev, &addr, tmp_plen,
5150 +- ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
5151 +- addr_flags) : NULL;
5152 +- if (!ift || IS_ERR(ift)) {
5153 ++ ift = ipv6_add_addr(idev, &addr, tmp_plen,
5154 ++ ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
5155 ++ addr_flags);
5156 ++ if (IS_ERR(ift)) {
5157 + in6_ifa_put(ifp);
5158 + in6_dev_put(idev);
5159 + printk(KERN_INFO
5160 +@@ -2159,7 +2157,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
5161 p.iph.ihl = 5;
5162 p.iph.protocol = IPPROTO_IPV6;
5163 p.iph.ttl = 64;
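Review bot: The rewritten temporary-address path drops the `max_addresses` / `ipv6_count_addresses` guard around `ipv6_add_addr` and keeps only the `IS_ERR(ift)` test, so the per-interface address limit is now enforced only if `ipv6_add_addr` performs that check itself; that function is not in this hunk, so confirm the 3.2.50 tree being patched carries the corresponding change. A short comment at the call site, `/* max_addresses is enforced by ipv6_add_addr */`, would make the dependency explicit. The enclosing function (the `retry:` block) starts and ends outside the hunk.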