diff options
| -rw-r--r-- | 3.12.4/1003_linux-3.12.4.patch | 4725 | ||||
| -rw-r--r-- | 3.12.5/0000_README (renamed from 3.12.4/0000_README) | 6 | ||||
| -rw-r--r-- | 3.12.5/4420_grsecurity-3.0-3.12.5-201312132204.patch (renamed from 3.12.4/4420_grsecurity-3.0-3.12.4-201312081754.patch) | 2468 | ||||
| -rw-r--r-- | 3.12.5/4425_grsec_remove_EI_PAX.patch (renamed from 3.12.4/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
| -rw-r--r-- | 3.12.5/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.12.4/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
| -rw-r--r-- | 3.12.5/4430_grsec-remove-localversion-grsec.patch (renamed from 3.12.4/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
| -rw-r--r-- | 3.12.5/4435_grsec-mute-warnings.patch (renamed from 3.12.4/4435_grsec-mute-warnings.patch) | 0 | ||||
| -rw-r--r-- | 3.12.5/4440_grsec-remove-protected-paths.patch (renamed from 3.12.4/4440_grsec-remove-protected-paths.patch) | 0 | ||||
| -rw-r--r-- | 3.12.5/4450_grsec-kconfig-default-gids.patch (renamed from 3.12.4/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
| -rw-r--r-- | 3.12.5/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.12.4/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
| -rw-r--r-- | 3.12.5/4470_disable-compat_vdso.patch (renamed from 3.12.4/4470_disable-compat_vdso.patch) | 0 | ||||
| -rw-r--r-- | 3.12.5/4475_emutramp_default_on.patch (renamed from 3.12.4/4475_emutramp_default_on.patch) | 0 | ||||
| -rw-r--r-- | 3.2.53/0000_README | 2 | ||||
| -rw-r--r-- | 3.2.53/4420_grsecurity-3.0-3.2.53-201312132200.patch (renamed from 3.2.53/4420_grsecurity-3.0-3.2.53-201312081752.patch) | 2375 |
14 files changed, 3945 insertions, 5631 deletions
diff --git a/3.12.4/1003_linux-3.12.4.patch b/3.12.4/1003_linux-3.12.4.patch deleted file mode 100644 index 819cfed..0000000 --- a/3.12.4/1003_linux-3.12.4.patch +++ /dev/null @@ -1,4725 +0,0 @@ -diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt -index a46d785..7d8dc93 100644 ---- a/Documentation/networking/ip-sysctl.txt -+++ b/Documentation/networking/ip-sysctl.txt -@@ -588,9 +588,6 @@ tcp_limit_output_bytes - INTEGER - typical pfifo_fast qdiscs. - tcp_limit_output_bytes limits the number of bytes on qdisc - or device to reduce artificial RTT/cwnd and reduce bufferbloat. -- Note: For GSO/TSO enabled flows, we try to have at least two -- packets in flight. Reducing tcp_limit_output_bytes might also -- reduce the size of individual GSO packet (64KB being the max) - Default: 131072 - - tcp_challenge_ack_limit - INTEGER -diff --git a/Makefile b/Makefile -index b28bc57..3b7165e 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 12 --SUBLEVEL = 3 -+SUBLEVEL = 4 - EXTRAVERSION = - NAME = One Giant Leap for Frogkind - -diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c -index 516593e..26328e8 100644 ---- a/arch/x86/net/bpf_jit_comp.c -+++ b/arch/x86/net/bpf_jit_comp.c -@@ -788,5 +788,7 @@ void bpf_jit_free(struct sk_filter *fp) - if (fp->bpf_func != sk_run_filter) { - INIT_WORK(&fp->work, bpf_jit_free_deferred); - schedule_work(&fp->work); -+ } else { -+ kfree(fp); - } - } -diff --git a/block/blk-core.c b/block/blk-core.c -index 0c611d8..fce4b93 100644 ---- a/block/blk-core.c -+++ b/block/blk-core.c -@@ -741,9 +741,17 @@ blk_init_allocated_queue(struct request_queue *q, request_fn_proc *rfn, - - q->sg_reserved_size = INT_MAX; - -+ /* Protect q->elevator from elevator_change */ -+ mutex_lock(&q->sysfs_lock); -+ - /* init elevator */ -- if (elevator_init(q, NULL)) -+ if (elevator_init(q, NULL)) { -+ mutex_unlock(&q->sysfs_lock); - return NULL; -+ } -+ -+ mutex_unlock(&q->sysfs_lock); -+ - return q; - } - EXPORT_SYMBOL(blk_init_allocated_queue); -diff --git a/block/elevator.c b/block/elevator.c -index 2bcbd8c..b7ff286 100644 ---- a/block/elevator.c -+++ b/block/elevator.c -@@ -186,6 +186,12 @@ int elevator_init(struct request_queue *q, char *name) - struct elevator_type *e = NULL; - int err; - -+ /* -+ * q->sysfs_lock must be held to provide mutual exclusion between -+ * elevator_switch() and here. -+ */ -+ lockdep_assert_held(&q->sysfs_lock); -+ - if (unlikely(q->elevator)) - return 0; - -@@ -959,7 +965,7 @@ fail_init: - /* - * Switch this queue to the given IO scheduler. - */ --int elevator_change(struct request_queue *q, const char *name) -+static int __elevator_change(struct request_queue *q, const char *name) - { - char elevator_name[ELV_NAME_MAX]; - struct elevator_type *e; -@@ -981,6 +987,18 @@ int elevator_change(struct request_queue *q, const char *name) - - return elevator_switch(q, e); - } -+ -+int elevator_change(struct request_queue *q, const char *name) -+{ -+ int ret; -+ -+ /* Protect q->elevator from elevator_init() */ -+ mutex_lock(&q->sysfs_lock); -+ ret = __elevator_change(q, name); -+ mutex_unlock(&q->sysfs_lock); -+ -+ return ret; -+} - EXPORT_SYMBOL(elevator_change); - - ssize_t elv_iosched_store(struct request_queue *q, const char *name, -@@ -991,7 +1009,7 @@ ssize_t elv_iosched_store(struct request_queue *q, const char *name, - if (!q->elevator) - return count; - -- ret = elevator_change(q, name); -+ ret = __elevator_change(q, name); - if (!ret) - return count; - -diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c -index 0262210..8502462 100644 ---- a/crypto/algif_hash.c -+++ b/crypto/algif_hash.c -@@ -114,6 +114,9 @@ static ssize_t hash_sendpage(struct socket *sock, struct page *page, - struct hash_ctx *ctx = ask->private; - int err; - -+ if (flags & MSG_SENDPAGE_NOTLAST) -+ flags |= MSG_MORE; -+ - lock_sock(sk); - sg_init_table(ctx->sgl.sg, 1); - sg_set_page(ctx->sgl.sg, page, size, offset); -@@ -161,8 +164,6 @@ static int hash_recvmsg(struct kiocb *unused, struct socket *sock, - else if (len < ds) - msg->msg_flags |= MSG_TRUNC; - -- msg->msg_namelen = 0; -- - lock_sock(sk); - if (ctx->more) { - ctx->more = 0; -diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c -index a1c4f0a..a19c027 100644 ---- a/crypto/algif_skcipher.c -+++ b/crypto/algif_skcipher.c -@@ -378,6 +378,9 @@ static ssize_t skcipher_sendpage(struct socket *sock, struct page *page, - struct skcipher_sg_list *sgl; - int err = -EINVAL; - -+ if (flags & MSG_SENDPAGE_NOTLAST) -+ flags |= MSG_MORE; -+ - lock_sock(sk); - if (!ctx->more && ctx->used) - goto unlock; -@@ -432,7 +435,6 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock, - long copied = 0; - - lock_sock(sk); -- msg->msg_namelen = 0; - for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0; - iovlen--, iov++) { - unsigned long seglen = iov->iov_len; -diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c -index 272f009..1bdf104 100644 ---- a/drivers/atm/idt77252.c -+++ b/drivers/atm/idt77252.c -@@ -3511,7 +3511,7 @@ static int init_card(struct atm_dev *dev) - tmp = dev_get_by_name(&init_net, tname); /* jhs: was "tmp = dev_get(tname);" */ - if (tmp) { - memcpy(card->atmdev->esi, tmp->dev_addr, 6); -- -+ dev_put(tmp); - printk("%s: ESI %pM\n", card->name, card->atmdev->esi); - } - /* -diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c -index c73fc2b..18c5b9b 100644 ---- a/drivers/connector/cn_proc.c -+++ b/drivers/connector/cn_proc.c -@@ -32,11 +32,23 @@ - #include <linux/atomic.h> - #include <linux/pid_namespace.h> - --#include <asm/unaligned.h> -- - #include <linux/cn_proc.h> - --#define CN_PROC_MSG_SIZE (sizeof(struct cn_msg) + sizeof(struct proc_event)) -+/* -+ * Size of a cn_msg followed by a proc_event structure. Since the -+ * sizeof struct cn_msg is a multiple of 4 bytes, but not 8 bytes, we -+ * add one 4-byte word to the size here, and then start the actual -+ * cn_msg structure 4 bytes into the stack buffer. The result is that -+ * the immediately following proc_event structure is aligned to 8 bytes. -+ */ -+#define CN_PROC_MSG_SIZE (sizeof(struct cn_msg) + sizeof(struct proc_event) + 4) -+ -+/* See comment above; we test our assumption about sizeof struct cn_msg here. */ -+static inline struct cn_msg *buffer_to_cn_msg(__u8 *buffer) -+{ -+ BUILD_BUG_ON(sizeof(struct cn_msg) != 20); -+ return (struct cn_msg *)(buffer + 4); -+} - - static atomic_t proc_event_num_listeners = ATOMIC_INIT(0); - static struct cb_id cn_proc_event_id = { CN_IDX_PROC, CN_VAL_PROC }; -@@ -56,19 +68,19 @@ void proc_fork_connector(struct task_struct *task) - { - struct cn_msg *msg; - struct proc_event *ev; -- __u8 buffer[CN_PROC_MSG_SIZE]; -+ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); - struct timespec ts; - struct task_struct *parent; - - if (atomic_read(&proc_event_num_listeners) < 1) - return; - -- msg = (struct cn_msg *)buffer; -+ msg = buffer_to_cn_msg(buffer); - ev = (struct proc_event *)msg->data; - memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ -- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -+ ev->timestamp_ns = timespec_to_ns(&ts); - ev->what = PROC_EVENT_FORK; - rcu_read_lock(); - parent = rcu_dereference(task->real_parent); -@@ -91,17 +103,17 @@ void proc_exec_connector(struct task_struct *task) - struct cn_msg *msg; - struct proc_event *ev; - struct timespec ts; -- __u8 buffer[CN_PROC_MSG_SIZE]; -+ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); - - if (atomic_read(&proc_event_num_listeners) < 1) - return; - -- msg = (struct cn_msg *)buffer; -+ msg = buffer_to_cn_msg(buffer); - ev = (struct proc_event *)msg->data; - memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ -- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -+ ev->timestamp_ns = timespec_to_ns(&ts); - ev->what = PROC_EVENT_EXEC; - ev->event_data.exec.process_pid = task->pid; - ev->event_data.exec.process_tgid = task->tgid; -@@ -117,14 +129,14 @@ void proc_id_connector(struct task_struct *task, int which_id) - { - struct cn_msg *msg; - struct proc_event *ev; -- __u8 buffer[CN_PROC_MSG_SIZE]; -+ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); - struct timespec ts; - const struct cred *cred; - - if (atomic_read(&proc_event_num_listeners) < 1) - return; - -- msg = (struct cn_msg *)buffer; -+ msg = buffer_to_cn_msg(buffer); - ev = (struct proc_event *)msg->data; - memset(&ev->event_data, 0, sizeof(ev->event_data)); - ev->what = which_id; -@@ -145,7 +157,7 @@ void proc_id_connector(struct task_struct *task, int which_id) - rcu_read_unlock(); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ -- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -+ ev->timestamp_ns = timespec_to_ns(&ts); - - memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); - msg->ack = 0; /* not used */ -@@ -159,17 +171,17 @@ void proc_sid_connector(struct task_struct *task) - struct cn_msg *msg; - struct proc_event *ev; - struct timespec ts; -- __u8 buffer[CN_PROC_MSG_SIZE]; -+ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); - - if (atomic_read(&proc_event_num_listeners) < 1) - return; - -- msg = (struct cn_msg *)buffer; -+ msg = buffer_to_cn_msg(buffer); - ev = (struct proc_event *)msg->data; - memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ -- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -+ ev->timestamp_ns = timespec_to_ns(&ts); - ev->what = PROC_EVENT_SID; - ev->event_data.sid.process_pid = task->pid; - ev->event_data.sid.process_tgid = task->tgid; -@@ -186,17 +198,17 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id) - struct cn_msg *msg; - struct proc_event *ev; - struct timespec ts; -- __u8 buffer[CN_PROC_MSG_SIZE]; -+ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); - - if (atomic_read(&proc_event_num_listeners) < 1) - return; - -- msg = (struct cn_msg *)buffer; -+ msg = buffer_to_cn_msg(buffer); - ev = (struct proc_event *)msg->data; - memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ -- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -+ ev->timestamp_ns = timespec_to_ns(&ts); - ev->what = PROC_EVENT_PTRACE; - ev->event_data.ptrace.process_pid = task->pid; - ev->event_data.ptrace.process_tgid = task->tgid; -@@ -221,17 +233,17 @@ void proc_comm_connector(struct task_struct *task) - struct cn_msg *msg; - struct proc_event *ev; - struct timespec ts; -- __u8 buffer[CN_PROC_MSG_SIZE]; -+ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); - - if (atomic_read(&proc_event_num_listeners) < 1) - return; - -- msg = (struct cn_msg *)buffer; -+ msg = buffer_to_cn_msg(buffer); - ev = (struct proc_event *)msg->data; - memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ -- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -+ ev->timestamp_ns = timespec_to_ns(&ts); - ev->what = PROC_EVENT_COMM; - ev->event_data.comm.process_pid = task->pid; - ev->event_data.comm.process_tgid = task->tgid; -@@ -248,18 +260,18 @@ void proc_coredump_connector(struct task_struct *task) - { - struct cn_msg *msg; - struct proc_event *ev; -- __u8 buffer[CN_PROC_MSG_SIZE]; -+ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); - struct timespec ts; - - if (atomic_read(&proc_event_num_listeners) < 1) - return; - -- msg = (struct cn_msg *)buffer; -+ msg = buffer_to_cn_msg(buffer); - ev = (struct proc_event *)msg->data; - memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ -- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -+ ev->timestamp_ns = timespec_to_ns(&ts); - ev->what = PROC_EVENT_COREDUMP; - ev->event_data.coredump.process_pid = task->pid; - ev->event_data.coredump.process_tgid = task->tgid; -@@ -275,18 +287,18 @@ void proc_exit_connector(struct task_struct *task) - { - struct cn_msg *msg; - struct proc_event *ev; -- __u8 buffer[CN_PROC_MSG_SIZE]; -+ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); - struct timespec ts; - - if (atomic_read(&proc_event_num_listeners) < 1) - return; - -- msg = (struct cn_msg *)buffer; -+ msg = buffer_to_cn_msg(buffer); - ev = (struct proc_event *)msg->data; - memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ -- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -+ ev->timestamp_ns = timespec_to_ns(&ts); - ev->what = PROC_EVENT_EXIT; - ev->event_data.exit.process_pid = task->pid; - ev->event_data.exit.process_tgid = task->tgid; -@@ -312,18 +324,18 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack) - { - struct cn_msg *msg; - struct proc_event *ev; -- __u8 buffer[CN_PROC_MSG_SIZE]; -+ __u8 buffer[CN_PROC_MSG_SIZE] __aligned(8); - struct timespec ts; - - if (atomic_read(&proc_event_num_listeners) < 1) - return; - -- msg = (struct cn_msg *)buffer; -+ msg = buffer_to_cn_msg(buffer); - ev = (struct proc_event *)msg->data; - memset(&ev->event_data, 0, sizeof(ev->event_data)); - msg->seq = rcvd_seq; - ktime_get_ts(&ts); /* get high res monotonic timestamp */ -- put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -+ ev->timestamp_ns = timespec_to_ns(&ts); - ev->cpu = -1; - ev->what = PROC_EVENT_NONE; - ev->event_data.ack.err = err; -diff --git a/drivers/gpu/drm/radeon/r600_hdmi.c b/drivers/gpu/drm/radeon/r600_hdmi.c -index 06022e3..615c5b2 100644 ---- a/drivers/gpu/drm/radeon/r600_hdmi.c -+++ b/drivers/gpu/drm/radeon/r600_hdmi.c -@@ -24,6 +24,7 @@ - * Authors: Christian König - */ - #include <linux/hdmi.h> -+#include <linux/gcd.h> - #include <drm/drmP.h> - #include <drm/radeon_drm.h> - #include "radeon.h" -@@ -57,35 +58,57 @@ enum r600_hdmi_iec_status_bits { - static const struct radeon_hdmi_acr r600_hdmi_predefined_acr[] = { - /* 32kHz 44.1kHz 48kHz */ - /* Clock N CTS N CTS N CTS */ -- { 25175, 4576, 28125, 7007, 31250, 6864, 28125 }, /* 25,20/1.001 MHz */ -+ { 25175, 4096, 25175, 28224, 125875, 6144, 25175 }, /* 25,20/1.001 MHz */ - { 25200, 4096, 25200, 6272, 28000, 6144, 25200 }, /* 25.20 MHz */ - { 27000, 4096, 27000, 6272, 30000, 6144, 27000 }, /* 27.00 MHz */ - { 27027, 4096, 27027, 6272, 30030, 6144, 27027 }, /* 27.00*1.001 MHz */ - { 54000, 4096, 54000, 6272, 60000, 6144, 54000 }, /* 54.00 MHz */ - { 54054, 4096, 54054, 6272, 60060, 6144, 54054 }, /* 54.00*1.001 MHz */ -- { 74176, 11648, 210937, 17836, 234375, 11648, 140625 }, /* 74.25/1.001 MHz */ -+ { 74176, 4096, 74176, 5733, 75335, 6144, 74176 }, /* 74.25/1.001 MHz */ - { 74250, 4096, 74250, 6272, 82500, 6144, 74250 }, /* 74.25 MHz */ -- { 148352, 11648, 421875, 8918, 234375, 5824, 140625 }, /* 148.50/1.001 MHz */ -+ { 148352, 4096, 148352, 5733, 150670, 6144, 148352 }, /* 148.50/1.001 MHz */ - { 148500, 4096, 148500, 6272, 165000, 6144, 148500 }, /* 148.50 MHz */ -- { 0, 4096, 0, 6272, 0, 6144, 0 } /* Other */ - }; - -+ - /* -- * calculate CTS value if it's not found in the table -+ * calculate CTS and N values if they are not found in the table - */ --static void r600_hdmi_calc_cts(uint32_t clock, int *CTS, int N, int freq) -+static void r600_hdmi_calc_cts(uint32_t clock, int *CTS, int *N, int freq) - { -- u64 n; -- u32 d; -- -- if (*CTS == 0) { -- n = (u64)clock * (u64)N * 1000ULL; -- d = 128 * freq; -- do_div(n, d); -- *CTS = n; -- } -- DRM_DEBUG("Using ACR timing N=%d CTS=%d for frequency %d\n", -- N, *CTS, freq); -+ int n, cts; -+ unsigned long div, mul; -+ -+ /* Safe, but overly large values */ -+ n = 128 * freq; -+ cts = clock * 1000; -+ -+ /* Smallest valid fraction */ -+ div = gcd(n, cts); -+ -+ n /= div; -+ cts /= div; -+ -+ /* -+ * The optimal N is 128*freq/1000. Calculate the closest larger -+ * value that doesn't truncate any bits. -+ */ -+ mul = ((128*freq/1000) + (n-1))/n; -+ -+ n *= mul; -+ cts *= mul; -+ -+ /* Check that we are in spec (not always possible) */ -+ if (n < (128*freq/1500)) -+ printk(KERN_WARNING "Calculated ACR N value is too small. You may experience audio problems.\n"); -+ if (n > (128*freq/300)) -+ printk(KERN_WARNING "Calculated ACR N value is too large. You may experience audio problems.\n"); -+ -+ *N = n; -+ *CTS = cts; -+ -+ DRM_DEBUG("Calculated ACR timing N=%d CTS=%d for frequency %d\n", -+ *N, *CTS, freq); - } - - struct radeon_hdmi_acr r600_hdmi_acr(uint32_t clock) -@@ -93,15 +116,16 @@ struct radeon_hdmi_acr r600_hdmi_acr(uint32_t clock) - struct radeon_hdmi_acr res; - u8 i; - -- for (i = 0; r600_hdmi_predefined_acr[i].clock != clock && -- r600_hdmi_predefined_acr[i].clock != 0; i++) -- ; -- res = r600_hdmi_predefined_acr[i]; -+ /* Precalculated values for common clocks */ -+ for (i = 0; i < ARRAY_SIZE(r600_hdmi_predefined_acr); i++) { -+ if (r600_hdmi_predefined_acr[i].clock == clock) -+ return r600_hdmi_predefined_acr[i]; -+ } - -- /* In case some CTS are missing */ -- r600_hdmi_calc_cts(clock, &res.cts_32khz, res.n_32khz, 32000); -- r600_hdmi_calc_cts(clock, &res.cts_44_1khz, res.n_44_1khz, 44100); -- r600_hdmi_calc_cts(clock, &res.cts_48khz, res.n_48khz, 48000); -+ /* And odd clocks get manually calculated */ -+ r600_hdmi_calc_cts(clock, &res.cts_32khz, &res.n_32khz, 32000); -+ r600_hdmi_calc_cts(clock, &res.cts_44_1khz, &res.n_44_1khz, 44100); -+ r600_hdmi_calc_cts(clock, &res.cts_48khz, &res.n_48khz, 48000); - - return res; - } -diff --git a/drivers/hid/hid-elo.c b/drivers/hid/hid-elo.c -index f042a6c..55e4920 100644 ---- a/drivers/hid/hid-elo.c -+++ b/drivers/hid/hid-elo.c -@@ -181,7 +181,40 @@ fail: - */ - static bool elo_broken_firmware(struct usb_device *dev) - { -- return use_fw_quirk && le16_to_cpu(dev->descriptor.bcdDevice) == 0x10d; -+ struct usb_device *hub = dev->parent; -+ struct usb_device *child = NULL; -+ u16 fw_lvl = le16_to_cpu(dev->descriptor.bcdDevice); -+ u16 child_vid, child_pid; -+ int i; -+ -+ if (!use_fw_quirk) -+ return false; -+ if (fw_lvl != 0x10d) -+ return false; -+ -+ /* iterate sibling devices of the touch controller */ -+ usb_hub_for_each_child(hub, i, child) { -+ child_vid = le16_to_cpu(child->descriptor.idVendor); -+ child_pid = le16_to_cpu(child->descriptor.idProduct); -+ -+ /* -+ * If one of the devices below is present attached as a sibling of -+ * the touch controller then this is a newer IBM 4820 monitor that -+ * does not need the IBM-requested workaround if fw level is -+ * 0x010d - aka 'M'. -+ * No other HW can have this combination. -+ */ -+ if (child_vid==0x04b3) { -+ switch (child_pid) { -+ case 0x4676: /* 4820 21x Video */ -+ case 0x4677: /* 4820 51x Video */ -+ case 0x4678: /* 4820 2Lx Video */ -+ case 0x4679: /* 4820 5Lx Video */ -+ return false; -+ } -+ } -+ } -+ return true; - } - - static int elo_probe(struct hid_device *hdev, const struct hid_device_id *id) -diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c -index 1bfd292..06eb45f 100644 ---- a/drivers/hid/hid-lg.c -+++ b/drivers/hid/hid-lg.c -@@ -47,6 +47,7 @@ - #define DFP_RDESC_ORIG_SIZE 97 - #define FV_RDESC_ORIG_SIZE 130 - #define MOMO_RDESC_ORIG_SIZE 87 -+#define MOMO2_RDESC_ORIG_SIZE 87 - - /* Fixed report descriptors for Logitech Driving Force (and Pro) - * wheel controllers -@@ -284,6 +285,54 @@ static __u8 momo_rdesc_fixed[] = { - 0xC0 /* End Collection */ - }; - -+static __u8 momo2_rdesc_fixed[] = { -+0x05, 0x01, /* Usage Page (Desktop), */ -+0x09, 0x04, /* Usage (Joystik), */ -+0xA1, 0x01, /* Collection (Application), */ -+0xA1, 0x02, /* Collection (Logical), */ -+0x95, 0x01, /* Report Count (1), */ -+0x75, 0x0A, /* Report Size (10), */ -+0x15, 0x00, /* Logical Minimum (0), */ -+0x26, 0xFF, 0x03, /* Logical Maximum (1023), */ -+0x35, 0x00, /* Physical Minimum (0), */ -+0x46, 0xFF, 0x03, /* Physical Maximum (1023), */ -+0x09, 0x30, /* Usage (X), */ -+0x81, 0x02, /* Input (Variable), */ -+0x95, 0x0A, /* Report Count (10), */ -+0x75, 0x01, /* Report Size (1), */ -+0x25, 0x01, /* Logical Maximum (1), */ -+0x45, 0x01, /* Physical Maximum (1), */ -+0x05, 0x09, /* Usage Page (Button), */ -+0x19, 0x01, /* Usage Minimum (01h), */ -+0x29, 0x0A, /* Usage Maximum (0Ah), */ -+0x81, 0x02, /* Input (Variable), */ -+0x06, 0x00, 0xFF, /* Usage Page (FF00h), */ -+0x09, 0x00, /* Usage (00h), */ -+0x95, 0x04, /* Report Count (4), */ -+0x81, 0x02, /* Input (Variable), */ -+0x95, 0x01, /* Report Count (1), */ -+0x75, 0x08, /* Report Size (8), */ -+0x26, 0xFF, 0x00, /* Logical Maximum (255), */ -+0x46, 0xFF, 0x00, /* Physical Maximum (255), */ -+0x09, 0x01, /* Usage (01h), */ -+0x81, 0x02, /* Input (Variable), */ -+0x05, 0x01, /* Usage Page (Desktop), */ -+0x09, 0x31, /* Usage (Y), */ -+0x81, 0x02, /* Input (Variable), */ -+0x09, 0x32, /* Usage (Z), */ -+0x81, 0x02, /* Input (Variable), */ -+0x06, 0x00, 0xFF, /* Usage Page (FF00h), */ -+0x09, 0x00, /* Usage (00h), */ -+0x81, 0x02, /* Input (Variable), */ -+0xC0, /* End Collection, */ -+0xA1, 0x02, /* Collection (Logical), */ -+0x09, 0x02, /* Usage (02h), */ -+0x95, 0x07, /* Report Count (7), */ -+0x91, 0x02, /* Output (Variable), */ -+0xC0, /* End Collection, */ -+0xC0 /* End Collection */ -+}; -+ - /* - * Certain Logitech keyboards send in report #3 keys which are far - * above the logical maximum described in descriptor. This extends -@@ -343,6 +392,15 @@ static __u8 *lg_report_fixup(struct hid_device *hdev, __u8 *rdesc, - } - break; - -+ case USB_DEVICE_ID_LOGITECH_MOMO_WHEEL2: -+ if (*rsize == MOMO2_RDESC_ORIG_SIZE) { -+ hid_info(hdev, -+ "fixing up Logitech Momo Racing Force (Black) report descriptor\n"); -+ rdesc = momo2_rdesc_fixed; -+ *rsize = sizeof(momo2_rdesc_fixed); -+ } -+ break; -+ - case USB_DEVICE_ID_LOGITECH_VIBRATION_WHEEL: - if (*rsize == FV_RDESC_ORIG_SIZE) { - hid_info(hdev, -diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c -index 15e9b57..40203ad 100644 ---- a/drivers/iommu/intel-iommu.c -+++ b/drivers/iommu/intel-iommu.c -@@ -782,7 +782,11 @@ static struct dma_pte *pfn_to_dma_pte(struct dmar_domain *domain, - int offset; - - BUG_ON(!domain->pgd); -- BUG_ON(addr_width < BITS_PER_LONG && pfn >> addr_width); -+ -+ if (addr_width < BITS_PER_LONG && pfn >> addr_width) -+ /* Address beyond IOMMU's addressing capabilities. */ -+ return NULL; -+ - parent = domain->pgd; - - while (level > 0) { -diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c -index f71673d..b97d70b 100644 ---- a/drivers/iommu/intel_irq_remapping.c -+++ b/drivers/iommu/intel_irq_remapping.c -@@ -525,12 +525,13 @@ static int __init intel_irq_remapping_supported(void) - if (disable_irq_remap) - return 0; - if (irq_remap_broken) { -- WARN_TAINT(1, TAINT_FIRMWARE_WORKAROUND, -- "This system BIOS has enabled interrupt remapping\n" -- "on a chipset that contains an erratum making that\n" -- "feature unstable. To maintain system stability\n" -- "interrupt remapping is being disabled. Please\n" -- "contact your BIOS vendor for an update\n"); -+ printk(KERN_WARNING -+ "This system BIOS has enabled interrupt remapping\n" -+ "on a chipset that contains an erratum making that\n" -+ "feature unstable. To maintain system stability\n" -+ "interrupt remapping is being disabled. Please\n" -+ "contact your BIOS vendor for an update\n"); -+ add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK); - disable_irq_remap = 1; - return 0; - } -diff --git a/drivers/isdn/isdnloop/isdnloop.c b/drivers/isdn/isdnloop/isdnloop.c -index baf2686..02125e6 100644 ---- a/drivers/isdn/isdnloop/isdnloop.c -+++ b/drivers/isdn/isdnloop/isdnloop.c -@@ -1083,8 +1083,10 @@ isdnloop_start(isdnloop_card *card, isdnloop_sdef *sdefp) - spin_unlock_irqrestore(&card->isdnloop_lock, flags); - return -ENOMEM; - } -- for (i = 0; i < 3; i++) -- strcpy(card->s0num[i], sdef.num[i]); -+ for (i = 0; i < 3; i++) { -+ strlcpy(card->s0num[i], sdef.num[i], -+ sizeof(card->s0num[0])); -+ } - break; - case ISDN_PTYPE_1TR6: - if (isdnloop_fake(card, "DRV1.04TC-1TR6-CAPI-CNS-BASIS-29.11.95", -@@ -1097,7 +1099,7 @@ isdnloop_start(isdnloop_card *card, isdnloop_sdef *sdefp) - spin_unlock_irqrestore(&card->isdnloop_lock, flags); - return -ENOMEM; - } -- strcpy(card->s0num[0], sdef.num[0]); -+ strlcpy(card->s0num[0], sdef.num[0], sizeof(card->s0num[0])); - card->s0num[1][0] = '\0'; - card->s0num[2][0] = '\0'; - break; -diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c -index e47dcb9..5cefb47 100644 ---- a/drivers/isdn/mISDN/socket.c -+++ b/drivers/isdn/mISDN/socket.c -@@ -117,7 +117,6 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - { - struct sk_buff *skb; - struct sock *sk = sock->sk; -- struct sockaddr_mISDN *maddr; - - int copied, err; - -@@ -135,9 +134,9 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - if (!skb) - return err; - -- if (msg->msg_namelen >= sizeof(struct sockaddr_mISDN)) { -- msg->msg_namelen = sizeof(struct sockaddr_mISDN); -- maddr = (struct sockaddr_mISDN *)msg->msg_name; -+ if (msg->msg_name) { -+ struct sockaddr_mISDN *maddr = msg->msg_name; -+ - maddr->family = AF_ISDN; - maddr->dev = _pms(sk)->dev->id; - if ((sk->sk_protocol == ISDN_P_LAPD_TE) || -@@ -150,11 +149,7 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - maddr->sapi = _pms(sk)->ch.addr & 0xFF; - maddr->tei = (_pms(sk)->ch.addr >> 8) & 0xFF; - } -- } else { -- if (msg->msg_namelen) -- printk(KERN_WARNING "%s: too small namelen %d\n", -- __func__, msg->msg_namelen); -- msg->msg_namelen = 0; -+ msg->msg_namelen = sizeof(*maddr); - } - - copied = skb->len + MISDN_HEADER_LEN; -diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c -index e4109f6..8a0665d 100644 ---- a/drivers/md/raid5.c -+++ b/drivers/md/raid5.c -@@ -5214,15 +5214,18 @@ raid5_show_group_thread_cnt(struct mddev *mddev, char *page) - return 0; - } - --static int alloc_thread_groups(struct r5conf *conf, int cnt); -+static int alloc_thread_groups(struct r5conf *conf, int cnt, -+ int *group_cnt, -+ int *worker_cnt_per_group, -+ struct r5worker_group **worker_groups); - static ssize_t - raid5_store_group_thread_cnt(struct mddev *mddev, const char *page, size_t len) - { - struct r5conf *conf = mddev->private; - unsigned long new; - int err; -- struct r5worker_group *old_groups; -- int old_group_cnt; -+ struct r5worker_group *new_groups, *old_groups; -+ int group_cnt, worker_cnt_per_group; - - if (len >= PAGE_SIZE) - return -EINVAL; -@@ -5238,17 +5241,19 @@ raid5_store_group_thread_cnt(struct mddev *mddev, const char *page, size_t len) - mddev_suspend(mddev); - - old_groups = conf->worker_groups; -- old_group_cnt = conf->worker_cnt_per_group; -- - if (old_groups) - flush_workqueue(raid5_wq); - -- conf->worker_groups = NULL; -- err = alloc_thread_groups(conf, new); -- if (err) { -- conf->worker_groups = old_groups; -- conf->worker_cnt_per_group = old_group_cnt; -- } else { -+ err = alloc_thread_groups(conf, new, -+ &group_cnt, &worker_cnt_per_group, -+ &new_groups); -+ if (!err) { -+ spin_lock_irq(&conf->device_lock); -+ conf->group_cnt = group_cnt; -+ conf->worker_cnt_per_group = worker_cnt_per_group; -+ conf->worker_groups = new_groups; -+ spin_unlock_irq(&conf->device_lock); -+ - if (old_groups) - kfree(old_groups[0].workers); - kfree(old_groups); -@@ -5278,33 +5283,36 @@ static struct attribute_group raid5_attrs_group = { - .attrs = raid5_attrs, - }; - --static int alloc_thread_groups(struct r5conf *conf, int cnt) -+static int alloc_thread_groups(struct r5conf *conf, int cnt, -+ int *group_cnt, -+ int *worker_cnt_per_group, -+ struct r5worker_group **worker_groups) - { - int i, j; - ssize_t size; - struct r5worker *workers; - -- conf->worker_cnt_per_group = cnt; -+ *worker_cnt_per_group = cnt; - if (cnt == 0) { -- conf->worker_groups = NULL; -+ *group_cnt = 0; -+ *worker_groups = NULL; - return 0; - } -- conf->group_cnt = num_possible_nodes(); -+ *group_cnt = num_possible_nodes(); - size = sizeof(struct r5worker) * cnt; -- workers = kzalloc(size * conf->group_cnt, GFP_NOIO); -- conf->worker_groups = kzalloc(sizeof(struct r5worker_group) * -- conf->group_cnt, GFP_NOIO); -- if (!conf->worker_groups || !workers) { -+ workers = kzalloc(size * *group_cnt, GFP_NOIO); -+ *worker_groups = kzalloc(sizeof(struct r5worker_group) * -+ *group_cnt, GFP_NOIO); -+ if (!*worker_groups || !workers) { - kfree(workers); -- kfree(conf->worker_groups); -- conf->worker_groups = NULL; -+ kfree(*worker_groups); - return -ENOMEM; - } - -- for (i = 0; i < conf->group_cnt; i++) { -+ for (i = 0; i < *group_cnt; i++) { - struct r5worker_group *group; - -- group = &conf->worker_groups[i]; -+ group = &(*worker_groups)[i]; - INIT_LIST_HEAD(&group->handle_list); - group->conf = conf; - group->workers = workers + i * cnt; -@@ -5462,6 +5470,8 @@ static struct r5conf *setup_conf(struct mddev *mddev) - struct md_rdev *rdev; - struct disk_info *disk; - char pers_name[6]; -+ int group_cnt, worker_cnt_per_group; -+ struct r5worker_group *new_group; - - if (mddev->new_level != 5 - && mddev->new_level != 4 -@@ -5496,7 +5506,12 @@ static struct r5conf *setup_conf(struct mddev *mddev) - if (conf == NULL) - goto abort; - /* Don't enable multi-threading by default*/ -- if (alloc_thread_groups(conf, 0)) -+ if (!alloc_thread_groups(conf, 0, &group_cnt, &worker_cnt_per_group, -+ &new_group)) { -+ conf->group_cnt = group_cnt; -+ conf->worker_cnt_per_group = worker_cnt_per_group; -+ conf->worker_groups = new_group; -+ } else - goto abort; - spin_lock_init(&conf->device_lock); - seqcount_init(&conf->gen_lock); -diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c -index e883bfe..dd8057d 100644 ---- a/drivers/net/bonding/bond_main.c -+++ b/drivers/net/bonding/bond_main.c -@@ -3395,20 +3395,20 @@ static void bond_set_rx_mode(struct net_device *bond_dev) - struct bonding *bond = netdev_priv(bond_dev); - struct slave *slave; - -- ASSERT_RTNL(); -- -+ rcu_read_lock(); - if (USES_PRIMARY(bond->params.mode)) { -- slave = rtnl_dereference(bond->curr_active_slave); -+ slave = rcu_dereference(bond->curr_active_slave); - if (slave) { - dev_uc_sync(slave->dev, bond_dev); - dev_mc_sync(slave->dev, bond_dev); - } - } else { -- bond_for_each_slave(bond, slave) { -+ bond_for_each_slave_rcu(bond, slave) { - dev_uc_sync_multiple(slave->dev, bond_dev); - dev_mc_sync_multiple(slave->dev, bond_dev); - } - } -+ rcu_read_unlock(); - } - - static int bond_neigh_init(struct neighbour *n) -diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c -index c29b836..b60f95b 100644 ---- a/drivers/net/bonding/bond_sysfs.c -+++ b/drivers/net/bonding/bond_sysfs.c -@@ -587,8 +587,9 @@ static ssize_t bonding_store_arp_interval(struct device *d, - goto out; - } - if (bond->params.mode == BOND_MODE_ALB || -- bond->params.mode == BOND_MODE_TLB) { -- pr_info("%s: ARP monitoring cannot be used with ALB/TLB. Only MII monitoring is supported on %s.\n", -+ bond->params.mode == BOND_MODE_TLB || -+ bond->params.mode == BOND_MODE_8023AD) { -+ pr_info("%s: ARP monitoring cannot be used with ALB/TLB/802.3ad. Only MII monitoring is supported on %s.\n", - bond->dev->name, bond->dev->name); - ret = -EINVAL; - goto out; -@@ -759,6 +760,8 @@ static ssize_t bonding_store_downdelay(struct device *d, - int new_value, ret = count; - struct bonding *bond = to_bond(d); - -+ if (!rtnl_trylock()) -+ return restart_syscall(); - if (!(bond->params.miimon)) { - pr_err("%s: Unable to set down delay as MII monitoring is disabled\n", - bond->dev->name); -@@ -792,6 +795,7 @@ static ssize_t bonding_store_downdelay(struct device *d, - } - - out: -+ rtnl_unlock(); - return ret; - } - static DEVICE_ATTR(downdelay, S_IRUGO | S_IWUSR, -@@ -814,6 +818,8 @@ static ssize_t bonding_store_updelay(struct device *d, - int new_value, ret = count; - struct bonding *bond = to_bond(d); - -+ if (!rtnl_trylock()) -+ return restart_syscall(); - if (!(bond->params.miimon)) { - pr_err("%s: Unable to set up delay as MII monitoring is disabled\n", - bond->dev->name); -@@ -847,6 +853,7 @@ static ssize_t bonding_store_updelay(struct device *d, - } - - out: -+ rtnl_unlock(); - return ret; - } - static DEVICE_ATTR(updelay, S_IRUGO | S_IWUSR, -diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c -index 2c210ec..f2f6d85 100644 ---- a/drivers/net/ethernet/marvell/mv643xx_eth.c -+++ b/drivers/net/ethernet/marvell/mv643xx_eth.c -@@ -2890,6 +2890,8 @@ static int mv643xx_eth_probe(struct platform_device *pdev) - PHY_INTERFACE_MODE_GMII); - if (!mp->phy) - err = -ENODEV; -+ else -+ phy_addr_set(mp, mp->phy->addr); - } else if (pd->phy_addr != MV643XX_ETH_PHY_NONE) { - mp->phy = phy_scan(mp, pd->phy_addr); - -diff --git a/drivers/net/ethernet/mellanox/mlx4/en_main.c b/drivers/net/ethernet/mellanox/mlx4/en_main.c -index a071cda..0d087b0 100644 ---- a/drivers/net/ethernet/mellanox/mlx4/en_main.c -+++ b/drivers/net/ethernet/mellanox/mlx4/en_main.c -@@ -264,6 +264,10 @@ static void *mlx4_en_add(struct mlx4_dev *dev) - mlx4_foreach_port(i, dev, MLX4_PORT_TYPE_ETH) - mdev->port_cnt++; - -+ /* Initialize time stamp mechanism */ -+ if (mdev->dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_TS) -+ mlx4_en_init_timestamp(mdev); -+ - mlx4_foreach_port(i, dev, MLX4_PORT_TYPE_ETH) { - if (!dev->caps.comp_pool) { - mdev->profile.prof[i].rx_ring_num = -@@ -301,10 +305,6 @@ static void *mlx4_en_add(struct mlx4_dev *dev) - mdev->pndev[i] = NULL; - } - -- /* Initialize time stamp mechanism */ -- if (mdev->dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_TS) -- mlx4_en_init_timestamp(mdev); -- - return mdev; - - err_mr: -diff --git a/drivers/net/ethernet/realtek/8139cp.c b/drivers/net/ethernet/realtek/8139cp.c -index d2e5919..0095af5 100644 ---- a/drivers/net/ethernet/realtek/8139cp.c -+++ b/drivers/net/ethernet/realtek/8139cp.c -@@ -678,9 +678,6 @@ static void cp_tx (struct cp_private *cp) - le32_to_cpu(txd->opts1) & 0xffff, - PCI_DMA_TODEVICE); - -- bytes_compl += skb->len; -- pkts_compl++; -- - if (status & LastFrag) { - if (status & (TxError | TxFIFOUnder)) { - netif_dbg(cp, tx_err, cp->dev, -@@ -702,6 +699,8 @@ static void cp_tx (struct cp_private *cp) - netif_dbg(cp, tx_done, cp->dev, - "tx done, slot %d\n", tx_tail); - } -+ bytes_compl += skb->len; -+ pkts_compl++; - dev_kfree_skb_irq(skb); - } - -diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c -index 3397cee..fb3f8dc 100644 ---- a/drivers/net/ethernet/realtek/r8169.c -+++ b/drivers/net/ethernet/realtek/r8169.c -@@ -3465,6 +3465,11 @@ static void rtl8168g_1_hw_phy_config(struct rtl8169_private *tp) - rtl_writephy(tp, 0x14, 0x9065); - rtl_writephy(tp, 0x14, 0x1065); - -+ /* Check ALDPS bit, disable it if enabled */ -+ rtl_writephy(tp, 0x1f, 0x0a43); -+ if (rtl_readphy(tp, 0x10) & 0x0004) -+ rtl_w1w0_phy(tp, 0x10, 0x0000, 0x0004); -+ - rtl_writephy(tp, 0x1f, 0x0000); - } - -diff --git a/drivers/net/ethernet/smsc/smc91x.h b/drivers/net/ethernet/smsc/smc91x.h -index 98eedb9..fc3e25c 100644 ---- a/drivers/net/ethernet/smsc/smc91x.h -+++ b/drivers/net/ethernet/smsc/smc91x.h -@@ -46,7 +46,8 @@ - defined(CONFIG_MACH_LITTLETON) ||\ - defined(CONFIG_MACH_ZYLONITE2) ||\ - defined(CONFIG_ARCH_VIPER) ||\ -- defined(CONFIG_MACH_STARGATE2) -+ defined(CONFIG_MACH_STARGATE2) ||\ -+ defined(CONFIG_ARCH_VERSATILE) - - #include <asm/mach-types.h> - -@@ -154,6 +155,8 @@ static inline void SMC_outw(u16 val, void __iomem *ioaddr, int reg) - #define SMC_outl(v, a, r) writel(v, (a) + (r)) - #define SMC_insl(a, r, p, l) readsl((a) + (r), p, l) - #define SMC_outsl(a, r, p, l) writesl((a) + (r), p, l) -+#define SMC_insw(a, r, p, l) readsw((a) + (r), p, l) -+#define SMC_outsw(a, r, p, l) writesw((a) + (r), p, l) - #define SMC_IRQ_FLAGS (-1) /* from resource */ - - /* We actually can't write halfwords properly if not word aligned */ -@@ -206,23 +209,6 @@ SMC_outw(u16 val, void __iomem *ioaddr, int reg) - #define RPC_LSA_DEFAULT RPC_LED_TX_RX - #define RPC_LSB_DEFAULT RPC_LED_100_10 - --#elif defined(CONFIG_ARCH_VERSATILE) -- --#define SMC_CAN_USE_8BIT 1 --#define SMC_CAN_USE_16BIT 1 --#define SMC_CAN_USE_32BIT 1 --#define SMC_NOWAIT 1 -- --#define SMC_inb(a, r) readb((a) + (r)) --#define SMC_inw(a, r) readw((a) + (r)) --#define SMC_inl(a, r) readl((a) + (r)) --#define SMC_outb(v, a, r) writeb(v, (a) + (r)) --#define SMC_outw(v, a, r) writew(v, (a) + (r)) --#define SMC_outl(v, a, r) writel(v, (a) + (r)) --#define SMC_insl(a, r, p, l) readsl((a) + (r), p, l) --#define SMC_outsl(a, r, p, l) writesl((a) + (r), p, l) --#define SMC_IRQ_FLAGS (-1) /* from resource */ -- - #elif defined(CONFIG_MN10300) - - /* -diff --git a/drivers/net/ethernet/via/via-velocity.c b/drivers/net/ethernet/via/via-velocity.c -index d022bf9..ad61d26 100644 ---- a/drivers/net/ethernet/via/via-velocity.c -+++ b/drivers/net/ethernet/via/via-velocity.c -@@ -2172,16 +2172,13 @@ static int velocity_poll(struct napi_struct *napi, int budget) - unsigned int rx_done; - unsigned long flags; - -- spin_lock_irqsave(&vptr->lock, flags); - /* - * Do rx and tx twice for performance (taken from the VIA - * out-of-tree driver). - */ -- rx_done = velocity_rx_srv(vptr, budget / 2); -- velocity_tx_srv(vptr); -- rx_done += velocity_rx_srv(vptr, budget - rx_done); -+ rx_done = velocity_rx_srv(vptr, budget); -+ spin_lock_irqsave(&vptr->lock, flags); - velocity_tx_srv(vptr); -- - /* If budget not fully consumed, exit the polling mode */ - if (rx_done < budget) { - napi_complete(napi); -@@ -2342,6 +2339,8 @@ static int velocity_change_mtu(struct net_device *dev, int new_mtu) - if (ret < 0) - goto out_free_tmp_vptr_1; - -+ napi_disable(&vptr->napi); -+ - spin_lock_irqsave(&vptr->lock, flags); - - netif_stop_queue(dev); -@@ -2362,6 +2361,8 @@ static int velocity_change_mtu(struct net_device *dev, int new_mtu) - - velocity_give_many_rx_descs(vptr); - -+ napi_enable(&vptr->napi); -+ - mac_enable_int(vptr->mac_regs); - netif_start_queue(dev); - -diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c -index 9dccb1e..dc76670 100644 ---- a/drivers/net/macvtap.c -+++ b/drivers/net/macvtap.c -@@ -628,6 +628,7 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, - const struct iovec *iv, unsigned long total_len, - size_t count, int noblock) - { -+ int good_linear = SKB_MAX_HEAD(NET_IP_ALIGN); - struct sk_buff *skb; - struct macvlan_dev *vlan; - unsigned long len = total_len; -@@ -670,6 +671,8 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, - - if (m && m->msg_control && sock_flag(&q->sk, SOCK_ZEROCOPY)) { - copylen = vnet_hdr.hdr_len ? vnet_hdr.hdr_len : GOODCOPY_LEN; -+ if (copylen > good_linear) -+ copylen = good_linear; - linear = copylen; - if (iov_pages(iv, vnet_hdr_len + copylen, count) - <= MAX_SKB_FRAGS) -@@ -678,7 +681,10 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, - - if (!zerocopy) { - copylen = len; -- linear = vnet_hdr.hdr_len; -+ if (vnet_hdr.hdr_len > good_linear) -+ linear = good_linear; -+ else -+ linear = vnet_hdr.hdr_len; - } - - skb = macvtap_alloc_skb(&q->sk, NET_IP_ALIGN, copylen, -diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c -index 5f66e30..82ee6ed 100644 ---- a/drivers/net/ppp/pppoe.c -+++ b/drivers/net/ppp/pppoe.c -@@ -979,8 +979,6 @@ static int pppoe_recvmsg(struct kiocb *iocb, struct socket *sock, - if (error < 0) - goto end; - -- m->msg_namelen = 0; -- - if (skb) { - total_len = min_t(size_t, total_len, skb->len); - error = skb_copy_datagram_iovec(skb, 0, m->msg_iov, total_len); -diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c -index 50e43e6..6327df2 100644 ---- a/drivers/net/team/team.c -+++ b/drivers/net/team/team.c -@@ -1366,6 +1366,8 @@ static int team_user_linkup_option_get(struct team *team, - return 0; - } - -+static void __team_carrier_check(struct team *team); -+ - static int team_user_linkup_option_set(struct team *team, - struct team_gsetter_ctx *ctx) - { -@@ -1373,6 +1375,7 @@ static int team_user_linkup_option_set(struct team *team, - - port->user.linkup = ctx->data.bool_val; - team_refresh_port_linkup(port); -+ __team_carrier_check(port->team); - return 0; - } - -@@ -1392,6 +1395,7 @@ static int team_user_linkup_en_option_set(struct team *team, - - port->user.linkup_enabled = ctx->data.bool_val; - team_refresh_port_linkup(port); -+ __team_carrier_check(port->team); - return 0; - } - -diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index 7cb105c..782e38b 100644 ---- a/drivers/net/tun.c -+++ b/drivers/net/tun.c -@@ -981,6 +981,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, - struct sk_buff *skb; - size_t len = total_len, align = NET_SKB_PAD, linear; - struct virtio_net_hdr gso = { 0 }; -+ int good_linear; - int offset = 0; - int copylen; - bool zerocopy = false; -@@ -1021,12 +1022,16 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, - return -EINVAL; - } - -+ good_linear = SKB_MAX_HEAD(align); -+ - if (msg_control) { - /* There are 256 bytes to be copied in skb, so there is - * enough room for skb expand head in case it is used. - * The rest of the buffer is mapped from userspace. - */ - copylen = gso.hdr_len ? gso.hdr_len : GOODCOPY_LEN; -+ if (copylen > good_linear) -+ copylen = good_linear; - linear = copylen; - if (iov_pages(iv, offset + copylen, count) <= MAX_SKB_FRAGS) - zerocopy = true; -@@ -1034,7 +1039,10 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, - - if (!zerocopy) { - copylen = len; -- linear = gso.hdr_len; -+ if (gso.hdr_len > good_linear) -+ linear = good_linear; -+ else -+ linear = gso.hdr_len; - } - - skb = tun_alloc_skb(tfile, align, copylen, linear, noblock); -diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c -index 90a429b..8494bb5 100644 ---- a/drivers/net/usb/usbnet.c -+++ b/drivers/net/usb/usbnet.c -@@ -204,9 +204,6 @@ static void intr_complete (struct urb *urb) - break; - } - -- if (!netif_running (dev->net)) -- return; -- - status = usb_submit_urb (urb, GFP_ATOMIC); - if (status != 0) - netif_err(dev, timer, dev->net, -diff --git a/drivers/net/wireless/rt2x00/rt2800.h b/drivers/net/wireless/rt2x00/rt2800.h -index fa33b5e..e3eb952 100644 ---- a/drivers/net/wireless/rt2x00/rt2800.h -+++ b/drivers/net/wireless/rt2x00/rt2800.h -@@ -52,6 +52,7 @@ - * RF3322 2.4G 2T2R(RT3352/RT3371/RT3372/RT3391/RT3392) - * RF3053 2.4G/5G 3T3R(RT3883/RT3563/RT3573/RT3593/RT3662) - * RF5592 2.4G/5G 2T2R -+ * RF3070 2.4G 1T1R - * RF5360 2.4G 1T1R - * RF5370 2.4G 1T1R - * RF5390 2.4G 1T1R -@@ -70,6 +71,7 @@ - #define RF3322 0x000c - #define RF3053 0x000d - #define RF5592 0x000f -+#define RF3070 0x3070 - #define RF3290 0x3290 - #define RF5360 0x5360 - #define RF5370 0x5370 -diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c -index 1400787..446eade 100644 ---- a/drivers/net/wireless/rt2x00/rt2800lib.c -+++ b/drivers/net/wireless/rt2x00/rt2800lib.c -@@ -3152,6 +3152,7 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev, - case RF3322: - rt2800_config_channel_rf3322(rt2x00dev, conf, rf, info); - break; -+ case RF3070: - case RF5360: - case RF5370: - case RF5372: -@@ -3166,7 +3167,8 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev, - rt2800_config_channel_rf2xxx(rt2x00dev, conf, rf, info); - } - -- if (rt2x00_rf(rt2x00dev, RF3290) || -+ if (rt2x00_rf(rt2x00dev, RF3070) || -+ rt2x00_rf(rt2x00dev, RF3290) || - rt2x00_rf(rt2x00dev, RF3322) || - rt2x00_rf(rt2x00dev, RF5360) || - rt2x00_rf(rt2x00dev, RF5370) || -@@ -4264,6 +4266,7 @@ void rt2800_vco_calibration(struct rt2x00_dev *rt2x00dev) - rt2800_rfcsr_write(rt2x00dev, 7, rfcsr); - break; - case RF3053: -+ case RF3070: - case RF3290: - case RF5360: - case RF5370: -@@ -7024,6 +7027,7 @@ static int rt2800_init_eeprom(struct rt2x00_dev *rt2x00dev) - case RF3022: - case RF3052: - case RF3053: -+ case RF3070: - case RF3290: - case RF3320: - case RF3322: -@@ -7546,6 +7550,7 @@ static int rt2800_probe_hw_mode(struct rt2x00_dev *rt2x00dev) - rt2x00_rf(rt2x00dev, RF2020) || - rt2x00_rf(rt2x00dev, RF3021) || - rt2x00_rf(rt2x00dev, RF3022) || -+ rt2x00_rf(rt2x00dev, RF3070) || - rt2x00_rf(rt2x00dev, RF3290) || - rt2x00_rf(rt2x00dev, RF3320) || - rt2x00_rf(rt2x00dev, RF3322) || -@@ -7674,6 +7679,7 @@ static int rt2800_probe_hw_mode(struct rt2x00_dev *rt2x00dev) - case RF3320: - case RF3052: - case RF3053: -+ case RF3070: - case RF3290: - case RF5360: - case RF5370: -diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c -index 900da4b..6255850 100644 ---- a/drivers/net/xen-netback/netback.c -+++ b/drivers/net/xen-netback/netback.c -@@ -39,6 +39,7 @@ - #include <linux/udp.h> - - #include <net/tcp.h> -+#include <net/ip6_checksum.h> - - #include <xen/xen.h> - #include <xen/events.h> -diff --git a/drivers/usb/musb/davinci.c b/drivers/usb/musb/davinci.c -index ed0834e..ab69245 100644 ---- a/drivers/usb/musb/davinci.c -+++ b/drivers/usb/musb/davinci.c -@@ -509,7 +509,7 @@ static u64 davinci_dmamask = DMA_BIT_MASK(32); - - static int davinci_probe(struct platform_device *pdev) - { -- struct resource musb_resources[2]; -+ struct resource musb_resources[3]; - struct musb_hdrc_platform_data *pdata = dev_get_platdata(&pdev->dev); - struct platform_device *musb; - struct davinci_glue *glue; -@@ -567,6 +567,15 @@ static int davinci_probe(struct platform_device *pdev) - musb_resources[1].end = pdev->resource[1].end; - musb_resources[1].flags = pdev->resource[1].flags; - -+ /* -+ * For DM6467 3 resources are passed. A placeholder for the 3rd -+ * resource is always there, so it's safe to always copy it... -+ */ -+ musb_resources[2].name = pdev->resource[2].name; -+ musb_resources[2].start = pdev->resource[2].start; -+ musb_resources[2].end = pdev->resource[2].end; -+ musb_resources[2].flags = pdev->resource[2].flags; -+ - ret = platform_device_add_resources(musb, musb_resources, - ARRAY_SIZE(musb_resources)); - if (ret) { -diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c -index 6ad02f5..3dcf66f 100644 ---- a/drivers/usb/wusbcore/wa-xfer.c -+++ b/drivers/usb/wusbcore/wa-xfer.c -@@ -91,7 +91,8 @@ - #include "wusbhc.h" - - enum { -- WA_SEGS_MAX = 255, -+ /* [WUSB] section 8.3.3 allocates 7 bits for the segment index. */ -+ WA_SEGS_MAX = 128, - }; - - enum wa_seg_status { -@@ -446,7 +447,7 @@ static ssize_t __wa_xfer_setup_sizes(struct wa_xfer *xfer, - } - xfer->seg_size = (xfer->seg_size / maxpktsize) * maxpktsize; - xfer->segs = DIV_ROUND_UP(urb->transfer_buffer_length, xfer->seg_size); -- if (xfer->segs >= WA_SEGS_MAX) { -+ if (xfer->segs > WA_SEGS_MAX) { - dev_err(dev, "BUG? ops, number of segments %d bigger than %d\n", - (int)(urb->transfer_buffer_length / xfer->seg_size), - WA_SEGS_MAX); -diff --git a/drivers/video/kyro/fbdev.c b/drivers/video/kyro/fbdev.c -index 6157f74..ec7fc87 100644 ---- a/drivers/video/kyro/fbdev.c -+++ b/drivers/video/kyro/fbdev.c -@@ -625,15 +625,15 @@ static int kyrofb_ioctl(struct fb_info *info, - } - break; - case KYRO_IOCTL_UVSTRIDE: -- if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(unsigned long))) -+ if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(deviceInfo.ulOverlayUVStride))) - return -EFAULT; - break; - case KYRO_IOCTL_STRIDE: -- if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(unsigned long))) -+ if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(deviceInfo.ulOverlayStride))) - return -EFAULT; - break; - case KYRO_IOCTL_OVERLAY_OFFSET: -- if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(unsigned long))) -+ if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(deviceInfo.ulOverlayOffset))) - return -EFAULT; - break; - } -diff --git a/fs/aio.c b/fs/aio.c -index 067e3d3..6efb7f6 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -36,10 +36,10 @@ - #include <linux/eventfd.h> - #include <linux/blkdev.h> - #include <linux/compat.h> --#include <linux/anon_inodes.h> - #include <linux/migrate.h> - #include <linux/ramfs.h> - #include <linux/percpu-refcount.h> -+#include <linux/mount.h> - - #include <asm/kmap_types.h> - #include <asm/uaccess.h> -@@ -80,6 +80,8 @@ struct kioctx { - struct percpu_ref users; - atomic_t dead; - -+ struct percpu_ref reqs; -+ - unsigned long user_id; - - struct __percpu kioctx_cpu *cpu; -@@ -107,7 +109,6 @@ struct kioctx { - struct page **ring_pages; - long nr_pages; - -- struct rcu_head rcu_head; - struct work_struct free_work; - - struct { -@@ -152,12 +153,67 @@ unsigned long aio_max_nr = 0x10000; /* system wide maximum number of aio request - static struct kmem_cache *kiocb_cachep; - static struct kmem_cache *kioctx_cachep; - -+static struct vfsmount *aio_mnt; -+ -+static const struct file_operations aio_ring_fops; -+static const struct address_space_operations aio_ctx_aops; -+ -+static struct file *aio_private_file(struct kioctx *ctx, loff_t nr_pages) -+{ -+ struct qstr this = QSTR_INIT("[aio]", 5); -+ struct file *file; -+ struct path path; -+ struct inode *inode = alloc_anon_inode(aio_mnt->mnt_sb); -+ if (IS_ERR(inode)) -+ return ERR_CAST(inode); -+ -+ inode->i_mapping->a_ops = &aio_ctx_aops; -+ inode->i_mapping->private_data = ctx; -+ inode->i_size = PAGE_SIZE * nr_pages; -+ -+ path.dentry = d_alloc_pseudo(aio_mnt->mnt_sb, &this); -+ if (!path.dentry) { -+ iput(inode); -+ return ERR_PTR(-ENOMEM); -+ } -+ path.mnt = mntget(aio_mnt); -+ -+ d_instantiate(path.dentry, inode); -+ file = alloc_file(&path, FMODE_READ | FMODE_WRITE, &aio_ring_fops); -+ if (IS_ERR(file)) { -+ path_put(&path); -+ return file; -+ } -+ -+ file->f_flags = O_RDWR; -+ file->private_data = ctx; -+ return file; -+} -+ -+static struct dentry *aio_mount(struct file_system_type *fs_type, -+ int flags, const char *dev_name, void *data) -+{ -+ static const struct dentry_operations ops = { -+ .d_dname = simple_dname, -+ }; -+ return mount_pseudo(fs_type, "aio:", NULL, &ops, 0xa10a10a1); -+} -+ - /* aio_setup - * Creates the slab caches used by the aio routines, panic on - * failure as this is done early during the boot sequence. - */ - static int __init aio_setup(void) - { -+ static struct file_system_type aio_fs = { -+ .name = "aio", -+ .mount = aio_mount, -+ .kill_sb = kill_anon_super, -+ }; -+ aio_mnt = kern_mount(&aio_fs); -+ if (IS_ERR(aio_mnt)) -+ panic("Failed to create aio fs mount."); -+ - kiocb_cachep = KMEM_CACHE(kiocb, SLAB_HWCACHE_ALIGN|SLAB_PANIC); - kioctx_cachep = KMEM_CACHE(kioctx,SLAB_HWCACHE_ALIGN|SLAB_PANIC); - -@@ -195,8 +251,10 @@ static void aio_free_ring(struct kioctx *ctx) - - put_aio_ring_file(ctx); - -- if (ctx->ring_pages && ctx->ring_pages != ctx->internal_pages) -+ if (ctx->ring_pages && ctx->ring_pages != ctx->internal_pages) { - kfree(ctx->ring_pages); -+ ctx->ring_pages = NULL; -+ } - } - - static int aio_ring_mmap(struct file *file, struct vm_area_struct *vma) -@@ -283,16 +341,12 @@ static int aio_setup_ring(struct kioctx *ctx) - if (nr_pages < 0) - return -EINVAL; - -- file = anon_inode_getfile_private("[aio]", &aio_ring_fops, ctx, O_RDWR); -+ file = aio_private_file(ctx, nr_pages); - if (IS_ERR(file)) { - ctx->aio_ring_file = NULL; - return -EAGAIN; - } - -- file->f_inode->i_mapping->a_ops = &aio_ctx_aops; -- file->f_inode->i_mapping->private_data = ctx; -- file->f_inode->i_size = PAGE_SIZE * (loff_t)nr_pages; -- - for (i = 0; i < nr_pages; i++) { - struct page *page; - page = find_or_create_page(file->f_inode->i_mapping, -@@ -313,8 +367,10 @@ static int aio_setup_ring(struct kioctx *ctx) - if (nr_pages > AIO_RING_PAGES) { - ctx->ring_pages = kcalloc(nr_pages, sizeof(struct page *), - GFP_KERNEL); -- if (!ctx->ring_pages) -+ if (!ctx->ring_pages) { -+ put_aio_ring_file(ctx); - return -ENOMEM; -+ } - } - - ctx->mmap_size = nr_pages * PAGE_SIZE; -@@ -412,26 +468,34 @@ static int kiocb_cancel(struct kioctx *ctx, struct kiocb *kiocb) - return cancel(kiocb); - } - --static void free_ioctx_rcu(struct rcu_head *head) -+static void free_ioctx(struct work_struct *work) - { -- struct kioctx *ctx = container_of(head, struct kioctx, rcu_head); -+ struct kioctx *ctx = container_of(work, struct kioctx, free_work); - -+ pr_debug("freeing %p\n", ctx); -+ -+ aio_free_ring(ctx); - free_percpu(ctx->cpu); - kmem_cache_free(kioctx_cachep, ctx); - } - -+static void free_ioctx_reqs(struct percpu_ref *ref) -+{ -+ struct kioctx *ctx = container_of(ref, struct kioctx, reqs); -+ -+ INIT_WORK(&ctx->free_work, free_ioctx); -+ schedule_work(&ctx->free_work); -+} -+ - /* - * When this function runs, the kioctx has been removed from the "hash table" - * and ctx->users has dropped to 0, so we know no more kiocbs can be submitted - - * now it's safe to cancel any that need to be. - */ --static void free_ioctx(struct work_struct *work) -+static void free_ioctx_users(struct percpu_ref *ref) - { -- struct kioctx *ctx = container_of(work, struct kioctx, free_work); -- struct aio_ring *ring; -+ struct kioctx *ctx = container_of(ref, struct kioctx, users); - struct kiocb *req; -- unsigned cpu, avail; -- DEFINE_WAIT(wait); - - spin_lock_irq(&ctx->ctx_lock); - -@@ -445,54 +509,8 @@ static void free_ioctx(struct work_struct *work) - - spin_unlock_irq(&ctx->ctx_lock); - -- for_each_possible_cpu(cpu) { -- struct kioctx_cpu *kcpu = per_cpu_ptr(ctx->cpu, cpu); -- -- atomic_add(kcpu->reqs_available, &ctx->reqs_available); -- kcpu->reqs_available = 0; -- } -- -- while (1) { -- prepare_to_wait(&ctx->wait, &wait, TASK_UNINTERRUPTIBLE); -- -- ring = kmap_atomic(ctx->ring_pages[0]); -- avail = (ring->head <= ring->tail) -- ? ring->tail - ring->head -- : ctx->nr_events - ring->head + ring->tail; -- -- atomic_add(avail, &ctx->reqs_available); -- ring->head = ring->tail; -- kunmap_atomic(ring); -- -- if (atomic_read(&ctx->reqs_available) >= ctx->nr_events - 1) -- break; -- -- schedule(); -- } -- finish_wait(&ctx->wait, &wait); -- -- WARN_ON(atomic_read(&ctx->reqs_available) > ctx->nr_events - 1); -- -- aio_free_ring(ctx); -- -- pr_debug("freeing %p\n", ctx); -- -- /* -- * Here the call_rcu() is between the wait_event() for reqs_active to -- * hit 0, and freeing the ioctx. -- * -- * aio_complete() decrements reqs_active, but it has to touch the ioctx -- * after to issue a wakeup so we use rcu. -- */ -- call_rcu(&ctx->rcu_head, free_ioctx_rcu); --} -- --static void free_ioctx_ref(struct percpu_ref *ref) --{ -- struct kioctx *ctx = container_of(ref, struct kioctx, users); -- -- INIT_WORK(&ctx->free_work, free_ioctx); -- schedule_work(&ctx->free_work); -+ percpu_ref_kill(&ctx->reqs); -+ percpu_ref_put(&ctx->reqs); - } - - static int ioctx_add_table(struct kioctx *ctx, struct mm_struct *mm) -@@ -551,6 +569,16 @@ static int ioctx_add_table(struct kioctx *ctx, struct mm_struct *mm) - } - } - -+static void aio_nr_sub(unsigned nr) -+{ -+ spin_lock(&aio_nr_lock); -+ if (WARN_ON(aio_nr - nr > aio_nr)) -+ aio_nr = 0; -+ else -+ aio_nr -= nr; -+ spin_unlock(&aio_nr_lock); -+} -+ - /* ioctx_alloc - * Allocates and initializes an ioctx. Returns an ERR_PTR if it failed. - */ -@@ -588,8 +616,11 @@ static struct kioctx *ioctx_alloc(unsigned nr_events) - - ctx->max_reqs = nr_events; - -- if (percpu_ref_init(&ctx->users, free_ioctx_ref)) -- goto out_freectx; -+ if (percpu_ref_init(&ctx->users, free_ioctx_users)) -+ goto err; -+ -+ if (percpu_ref_init(&ctx->reqs, free_ioctx_reqs)) -+ goto err; - - spin_lock_init(&ctx->ctx_lock); - spin_lock_init(&ctx->completion_lock); -@@ -600,10 +631,10 @@ static struct kioctx *ioctx_alloc(unsigned nr_events) - - ctx->cpu = alloc_percpu(struct kioctx_cpu); - if (!ctx->cpu) -- goto out_freeref; -+ goto err; - - if (aio_setup_ring(ctx) < 0) -- goto out_freepcpu; -+ goto err; - - atomic_set(&ctx->reqs_available, ctx->nr_events - 1); - ctx->req_batch = (ctx->nr_events - 1) / (num_possible_cpus() * 4); -@@ -615,7 +646,8 @@ static struct kioctx *ioctx_alloc(unsigned nr_events) - if (aio_nr + nr_events > (aio_max_nr * 2UL) || - aio_nr + nr_events < aio_nr) { - spin_unlock(&aio_nr_lock); -- goto out_cleanup; -+ err = -EAGAIN; -+ goto err_ctx; - } - aio_nr += ctx->max_reqs; - spin_unlock(&aio_nr_lock); -@@ -624,23 +656,20 @@ static struct kioctx *ioctx_alloc(unsigned nr_events) - - err = ioctx_add_table(ctx, mm); - if (err) -- goto out_cleanup_put; -+ goto err_cleanup; - - pr_debug("allocated ioctx %p[%ld]: mm=%p mask=0x%x\n", - ctx, ctx->user_id, mm, ctx->nr_events); - return ctx; - --out_cleanup_put: -- percpu_ref_put(&ctx->users); --out_cleanup: -- err = -EAGAIN; -+err_cleanup: -+ aio_nr_sub(ctx->max_reqs); -+err_ctx: - aio_free_ring(ctx); --out_freepcpu: -+err: - free_percpu(ctx->cpu); --out_freeref: -+ free_percpu(ctx->reqs.pcpu_count); - free_percpu(ctx->users.pcpu_count); --out_freectx: -- put_aio_ring_file(ctx); - kmem_cache_free(kioctx_cachep, ctx); - pr_debug("error allocating ioctx %d\n", err); - return ERR_PTR(err); -@@ -675,10 +704,7 @@ static void kill_ioctx(struct mm_struct *mm, struct kioctx *ctx) - * -EAGAIN with no ioctxs actually in use (as far as userspace - * could tell). - */ -- spin_lock(&aio_nr_lock); -- BUG_ON(aio_nr - ctx->max_reqs > aio_nr); -- aio_nr -= ctx->max_reqs; -- spin_unlock(&aio_nr_lock); -+ aio_nr_sub(ctx->max_reqs); - - if (ctx->mmap_size) - vm_munmap(ctx->mmap_base, ctx->mmap_size); -@@ -810,6 +836,8 @@ static inline struct kiocb *aio_get_req(struct kioctx *ctx) - if (unlikely(!req)) - goto out_put; - -+ percpu_ref_get(&ctx->reqs); -+ - req->ki_ctx = ctx; - return req; - out_put: -@@ -879,12 +907,6 @@ void aio_complete(struct kiocb *iocb, long res, long res2) - return; - } - -- /* -- * Take rcu_read_lock() in case the kioctx is being destroyed, as we -- * need to issue a wakeup after incrementing reqs_available. -- */ -- rcu_read_lock(); -- - if (iocb->ki_list.next) { - unsigned long flags; - -@@ -959,7 +981,7 @@ void aio_complete(struct kiocb *iocb, long res, long res2) - if (waitqueue_active(&ctx->wait)) - wake_up(&ctx->wait); - -- rcu_read_unlock(); -+ percpu_ref_put(&ctx->reqs); - } - EXPORT_SYMBOL(aio_complete); - -@@ -1370,6 +1392,7 @@ static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb, - return 0; - out_put_req: - put_reqs_available(ctx, 1); -+ percpu_ref_put(&ctx->reqs); - kiocb_free(req); - return ret; - } -diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c -index 85c9618..22f9698 100644 ---- a/fs/anon_inodes.c -+++ b/fs/anon_inodes.c -@@ -24,7 +24,6 @@ - - static struct vfsmount *anon_inode_mnt __read_mostly; - static struct inode *anon_inode_inode; --static const struct file_operations anon_inode_fops; - - /* - * anon_inodefs_dname() is called from d_path(). -@@ -39,51 +38,6 @@ static const struct dentry_operations anon_inodefs_dentry_operations = { - .d_dname = anon_inodefs_dname, - }; - --/* -- * nop .set_page_dirty method so that people can use .page_mkwrite on -- * anon inodes. -- */ --static int anon_set_page_dirty(struct page *page) --{ -- return 0; --}; -- --static const struct address_space_operations anon_aops = { -- .set_page_dirty = anon_set_page_dirty, --}; -- --/* -- * A single inode exists for all anon_inode files. Contrary to pipes, -- * anon_inode inodes have no associated per-instance data, so we need -- * only allocate one of them. -- */ --static struct inode *anon_inode_mkinode(struct super_block *s) --{ -- struct inode *inode = new_inode_pseudo(s); -- -- if (!inode) -- return ERR_PTR(-ENOMEM); -- -- inode->i_ino = get_next_ino(); -- inode->i_fop = &anon_inode_fops; -- -- inode->i_mapping->a_ops = &anon_aops; -- -- /* -- * Mark the inode dirty from the very beginning, -- * that way it will never be moved to the dirty -- * list because mark_inode_dirty() will think -- * that it already _is_ on the dirty list. -- */ -- inode->i_state = I_DIRTY; -- inode->i_mode = S_IRUSR | S_IWUSR; -- inode->i_uid = current_fsuid(); -- inode->i_gid = current_fsgid(); -- inode->i_flags |= S_PRIVATE; -- inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME; -- return inode; --} -- - static struct dentry *anon_inodefs_mount(struct file_system_type *fs_type, - int flags, const char *dev_name, void *data) - { -@@ -92,7 +46,7 @@ static struct dentry *anon_inodefs_mount(struct file_system_type *fs_type, - &anon_inodefs_dentry_operations, ANON_INODE_FS_MAGIC); - if (!IS_ERR(root)) { - struct super_block *s = root->d_sb; -- anon_inode_inode = anon_inode_mkinode(s); -+ anon_inode_inode = alloc_anon_inode(s); - if (IS_ERR(anon_inode_inode)) { - dput(root); - deactivate_locked_super(s); -@@ -134,7 +88,7 @@ struct file *anon_inode_getfile_private(const char *name, - if (fops->owner && !try_module_get(fops->owner)) - return ERR_PTR(-ENOENT); - -- inode = anon_inode_mkinode(anon_inode_mnt->mnt_sb); -+ inode = alloc_anon_inode(anon_inode_mnt->mnt_sb); - if (IS_ERR(inode)) { - file = ERR_PTR(-ENOMEM); - goto err_module; -diff --git a/fs/libfs.c b/fs/libfs.c -index 3a3a9b5..193e0c2 100644 ---- a/fs/libfs.c -+++ b/fs/libfs.c -@@ -993,3 +993,46 @@ EXPORT_SYMBOL_GPL(simple_attr_open); - EXPORT_SYMBOL_GPL(simple_attr_release); - EXPORT_SYMBOL_GPL(simple_attr_read); - EXPORT_SYMBOL_GPL(simple_attr_write); -+ -+/* -+ * nop .set_page_dirty method so that people can use .page_mkwrite on -+ * anon inodes. -+ */ -+static int anon_set_page_dirty(struct page *page) -+{ -+ return 0; -+}; -+ -+/* -+ * A single inode exists for all anon_inode files. Contrary to pipes, -+ * anon_inode inodes have no associated per-instance data, so we need -+ * only allocate one of them. -+ */ -+struct inode *alloc_anon_inode(struct super_block *s) -+{ -+ static const struct address_space_operations anon_aops = { -+ .set_page_dirty = anon_set_page_dirty, -+ }; -+ struct inode *inode = new_inode_pseudo(s); -+ -+ if (!inode) -+ return ERR_PTR(-ENOMEM); -+ -+ inode->i_ino = get_next_ino(); -+ inode->i_mapping->a_ops = &anon_aops; -+ -+ /* -+ * Mark the inode dirty from the very beginning, -+ * that way it will never be moved to the dirty -+ * list because mark_inode_dirty() will think -+ * that it already _is_ on the dirty list. -+ */ -+ inode->i_state = I_DIRTY; -+ inode->i_mode = S_IRUSR | S_IWUSR; -+ inode->i_uid = current_fsuid(); -+ inode->i_gid = current_fsgid(); -+ inode->i_flags |= S_PRIVATE; -+ inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME; -+ return inode; -+} -+EXPORT_SYMBOL(alloc_anon_inode); -diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c -index 668e8f4..2e1e6c3 100644 ---- a/fs/xfs/xfs_ioctl.c -+++ b/fs/xfs/xfs_ioctl.c -@@ -1717,6 +1717,12 @@ xfs_file_ioctl( - if (mp->m_flags & XFS_MOUNT_RDONLY) - return -XFS_ERROR(EROFS); - -+ if (!capable(CAP_SYS_ADMIN)) -+ return -EPERM; -+ -+ if (mp->m_flags & XFS_MOUNT_RDONLY) -+ return -XFS_ERROR(EROFS); -+ - if (copy_from_user(&eofb, arg, sizeof(eofb))) - return -XFS_ERROR(EFAULT); - -diff --git a/include/linux/fs.h b/include/linux/fs.h -index 3f40547..fefa7b0 100644 ---- a/include/linux/fs.h -+++ b/include/linux/fs.h -@@ -2562,6 +2562,7 @@ extern int simple_write_begin(struct file *file, struct address_space *mapping, - extern int simple_write_end(struct file *file, struct address_space *mapping, - loff_t pos, unsigned len, unsigned copied, - struct page *page, void *fsdata); -+extern struct inode *alloc_anon_inode(struct super_block *); - - extern struct dentry *simple_lookup(struct inode *, struct dentry *, unsigned int flags); - extern ssize_t generic_read_dir(struct file *, char __user *, size_t, loff_t *); -diff --git a/include/linux/net.h b/include/linux/net.h -index 4f27575..8bd9d92 100644 ---- a/include/linux/net.h -+++ b/include/linux/net.h -@@ -163,6 +163,14 @@ struct proto_ops { - #endif - int (*sendmsg) (struct kiocb *iocb, struct socket *sock, - struct msghdr *m, size_t total_len); -+ /* Notes for implementing recvmsg: -+ * =============================== -+ * msg->msg_namelen should get updated by the recvmsg handlers -+ * iff msg_name != NULL. It is by default 0 to prevent -+ * returning uninitialized memory to user space. The recvfrom -+ * handlers can assume that msg.msg_name is either NULL or has -+ * a minimum size of sizeof(struct sockaddr_storage). -+ */ - int (*recvmsg) (struct kiocb *iocb, struct socket *sock, - struct msghdr *m, size_t total_len, - int flags); -diff --git a/include/linux/random.h b/include/linux/random.h -index 6312dd9..bf9085e 100644 ---- a/include/linux/random.h -+++ b/include/linux/random.h -@@ -50,9 +50,9 @@ static inline void prandom_seed_state(struct rnd_state *state, u64 seed) - { - u32 i = (seed >> 32) ^ (seed << 10) ^ seed; - -- state->s1 = __seed(i, 1); -- state->s2 = __seed(i, 7); -- state->s3 = __seed(i, 15); -+ state->s1 = __seed(i, 2); -+ state->s2 = __seed(i, 8); -+ state->s3 = __seed(i, 16); - } - - #ifdef CONFIG_ARCH_RANDOM -diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h -index c2d8933..f66f346 100644 ---- a/include/linux/skbuff.h -+++ b/include/linux/skbuff.h -@@ -333,11 +333,6 @@ typedef unsigned int sk_buff_data_t; - typedef unsigned char *sk_buff_data_t; - #endif - --#if defined(CONFIG_NF_DEFRAG_IPV4) || defined(CONFIG_NF_DEFRAG_IPV4_MODULE) || \ -- defined(CONFIG_NF_DEFRAG_IPV6) || defined(CONFIG_NF_DEFRAG_IPV6_MODULE) --#define NET_SKBUFF_NF_DEFRAG_NEEDED 1 --#endif -- - /** - * struct sk_buff - socket buffer - * @next: Next buffer in list -@@ -370,7 +365,6 @@ typedef unsigned char *sk_buff_data_t; - * @protocol: Packet protocol from driver - * @destructor: Destruct function - * @nfct: Associated connection, if any -- * @nfct_reasm: netfilter conntrack re-assembly pointer - * @nf_bridge: Saved data about a bridged frame - see br_netfilter.c - * @skb_iif: ifindex of device we arrived on - * @tc_index: Traffic control index -@@ -459,9 +453,6 @@ struct sk_buff { - #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) - struct nf_conntrack *nfct; - #endif --#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED -- struct sk_buff *nfct_reasm; --#endif - #ifdef CONFIG_BRIDGE_NETFILTER - struct nf_bridge_info *nf_bridge; - #endif -@@ -2605,18 +2596,6 @@ static inline void nf_conntrack_get(struct nf_conntrack *nfct) - atomic_inc(&nfct->use); - } - #endif --#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED --static inline void nf_conntrack_get_reasm(struct sk_buff *skb) --{ -- if (skb) -- atomic_inc(&skb->users); --} --static inline void nf_conntrack_put_reasm(struct sk_buff *skb) --{ -- if (skb) -- kfree_skb(skb); --} --#endif - #ifdef CONFIG_BRIDGE_NETFILTER - static inline void nf_bridge_put(struct nf_bridge_info *nf_bridge) - { -@@ -2635,10 +2614,6 @@ static inline void nf_reset(struct sk_buff *skb) - nf_conntrack_put(skb->nfct); - skb->nfct = NULL; - #endif --#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED -- nf_conntrack_put_reasm(skb->nfct_reasm); -- skb->nfct_reasm = NULL; --#endif - #ifdef CONFIG_BRIDGE_NETFILTER - nf_bridge_put(skb->nf_bridge); - skb->nf_bridge = NULL; -@@ -2660,10 +2635,6 @@ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src) - nf_conntrack_get(src->nfct); - dst->nfctinfo = src->nfctinfo; - #endif --#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED -- dst->nfct_reasm = src->nfct_reasm; -- nf_conntrack_get_reasm(src->nfct_reasm); --#endif - #ifdef CONFIG_BRIDGE_NETFILTER - dst->nf_bridge = src->nf_bridge; - nf_bridge_get(src->nf_bridge); -@@ -2675,9 +2646,6 @@ static inline void nf_copy(struct sk_buff *dst, const struct sk_buff *src) - #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) - nf_conntrack_put(dst->nfct); - #endif --#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED -- nf_conntrack_put_reasm(dst->nfct_reasm); --#endif - #ifdef CONFIG_BRIDGE_NETFILTER - nf_bridge_put(dst->nf_bridge); - #endif -diff --git a/include/linux/vm_event_item.h b/include/linux/vm_event_item.h -index 1855f0a..c557c6d 100644 ---- a/include/linux/vm_event_item.h -+++ b/include/linux/vm_event_item.h -@@ -39,6 +39,7 @@ enum vm_event_item { PGPGIN, PGPGOUT, PSWPIN, PSWPOUT, - PAGEOUTRUN, ALLOCSTALL, PGROTATED, - #ifdef CONFIG_NUMA_BALANCING - NUMA_PTE_UPDATES, -+ NUMA_HUGE_PTE_UPDATES, - NUMA_HINT_FAULTS, - NUMA_HINT_FAULTS_LOCAL, - NUMA_PAGE_MIGRATE, -diff --git a/include/net/ip.h b/include/net/ip.h -index 5e52688..301f10c 100644 ---- a/include/net/ip.h -+++ b/include/net/ip.h -@@ -464,7 +464,7 @@ extern int compat_ip_getsockopt(struct sock *sk, int level, - int optname, char __user *optval, int __user *optlen); - extern int ip_ra_control(struct sock *sk, unsigned char on, void (*destructor)(struct sock *)); - --extern int ip_recv_error(struct sock *sk, struct msghdr *msg, int len); -+extern int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len); - extern void ip_icmp_error(struct sock *sk, struct sk_buff *skb, int err, - __be16 port, u32 info, u8 *payload); - extern void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 dport, -diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h -index 9c4d37e..772252d 100644 ---- a/include/net/ip_vs.h -+++ b/include/net/ip_vs.h -@@ -109,7 +109,6 @@ extern int ip_vs_conn_tab_size; - struct ip_vs_iphdr { - __u32 len; /* IPv4 simply where L4 starts - IPv6 where L4 Transport Header starts */ -- __u32 thoff_reasm; /* Transport Header Offset in nfct_reasm skb */ - __u16 fragoffs; /* IPv6 fragment offset, 0 if first frag (or not frag)*/ - __s16 protocol; - __s32 flags; -@@ -117,34 +116,12 @@ struct ip_vs_iphdr { - union nf_inet_addr daddr; - }; - --/* Dependency to module: nf_defrag_ipv6 */ --#if defined(CONFIG_NF_DEFRAG_IPV6) || defined(CONFIG_NF_DEFRAG_IPV6_MODULE) --static inline struct sk_buff *skb_nfct_reasm(const struct sk_buff *skb) --{ -- return skb->nfct_reasm; --} --static inline void *frag_safe_skb_hp(const struct sk_buff *skb, int offset, -- int len, void *buffer, -- const struct ip_vs_iphdr *ipvsh) --{ -- if (unlikely(ipvsh->fragoffs && skb_nfct_reasm(skb))) -- return skb_header_pointer(skb_nfct_reasm(skb), -- ipvsh->thoff_reasm, len, buffer); -- -- return skb_header_pointer(skb, offset, len, buffer); --} --#else --static inline struct sk_buff *skb_nfct_reasm(const struct sk_buff *skb) --{ -- return NULL; --} - static inline void *frag_safe_skb_hp(const struct sk_buff *skb, int offset, - int len, void *buffer, - const struct ip_vs_iphdr *ipvsh) - { - return skb_header_pointer(skb, offset, len, buffer); - } --#endif - - static inline void - ip_vs_fill_ip4hdr(const void *nh, struct ip_vs_iphdr *iphdr) -@@ -171,19 +148,12 @@ ip_vs_fill_iph_skb(int af, const struct sk_buff *skb, struct ip_vs_iphdr *iphdr) - (struct ipv6hdr *)skb_network_header(skb); - iphdr->saddr.in6 = iph->saddr; - iphdr->daddr.in6 = iph->daddr; -- /* ipv6_find_hdr() updates len, flags, thoff_reasm */ -- iphdr->thoff_reasm = 0; -+ /* ipv6_find_hdr() updates len, flags */ - iphdr->len = 0; - iphdr->flags = 0; - iphdr->protocol = ipv6_find_hdr(skb, &iphdr->len, -1, - &iphdr->fragoffs, - &iphdr->flags); -- /* get proto from re-assembled packet and it's offset */ -- if (skb_nfct_reasm(skb)) -- iphdr->protocol = ipv6_find_hdr(skb_nfct_reasm(skb), -- &iphdr->thoff_reasm, -- -1, NULL, NULL); -- - } else - #endif - { -diff --git a/include/net/ipv6.h b/include/net/ipv6.h -index bbf1c8f..1f96efd 100644 ---- a/include/net/ipv6.h -+++ b/include/net/ipv6.h -@@ -802,8 +802,10 @@ extern int compat_ipv6_getsockopt(struct sock *sk, - extern int ip6_datagram_connect(struct sock *sk, - struct sockaddr *addr, int addr_len); - --extern int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len); --extern int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len); -+extern int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, -+ int *addr_len); -+extern int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len, -+ int *addr_len); - extern void ipv6_icmp_error(struct sock *sk, struct sk_buff *skb, int err, __be16 port, - u32 info, u8 *payload); - extern void ipv6_local_error(struct sock *sk, int err, struct flowi6 *fl6, u32 info); -diff --git a/include/net/netfilter/ipv6/nf_defrag_ipv6.h b/include/net/netfilter/ipv6/nf_defrag_ipv6.h -index fd79c9a..17920d8 100644 ---- a/include/net/netfilter/ipv6/nf_defrag_ipv6.h -+++ b/include/net/netfilter/ipv6/nf_defrag_ipv6.h -@@ -6,10 +6,7 @@ extern void nf_defrag_ipv6_enable(void); - extern int nf_ct_frag6_init(void); - extern void nf_ct_frag6_cleanup(void); - extern struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user); --extern void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb, -- struct net_device *in, -- struct net_device *out, -- int (*okfn)(struct sk_buff *)); -+extern void nf_ct_frag6_consume_orig(struct sk_buff *skb); - - struct inet_frags_ctl; - -diff --git a/include/net/ping.h b/include/net/ping.h -index 5db0224..2b496e9 100644 ---- a/include/net/ping.h -+++ b/include/net/ping.h -@@ -31,7 +31,8 @@ - - /* Compatibility glue so we can support IPv6 when it's compiled as a module */ - struct pingv6_ops { -- int (*ipv6_recv_error)(struct sock *sk, struct msghdr *msg, int len); -+ int (*ipv6_recv_error)(struct sock *sk, struct msghdr *msg, int len, -+ int *addr_len); - int (*ip6_datagram_recv_ctl)(struct sock *sk, struct msghdr *msg, - struct sk_buff *skb); - int (*icmpv6_err_convert)(u8 type, u8 code, int *err); -diff --git a/include/uapi/linux/pkt_sched.h b/include/uapi/linux/pkt_sched.h -index 9b82913..66f925d 100644 ---- a/include/uapi/linux/pkt_sched.h -+++ b/include/uapi/linux/pkt_sched.h -@@ -759,13 +759,14 @@ enum { - - TCA_FQ_RATE_ENABLE, /* enable/disable rate limiting */ - -- TCA_FQ_FLOW_DEFAULT_RATE,/* for sockets with unspecified sk_rate, -- * use the following rate -- */ -+ TCA_FQ_FLOW_DEFAULT_RATE,/* obsolete, do not use */ - - TCA_FQ_FLOW_MAX_RATE, /* per flow max rate */ - - TCA_FQ_BUCKETS_LOG, /* log2(number of buckets) */ -+ -+ TCA_FQ_FLOW_REFILL_DELAY, /* flow credit refill delay in usec */ -+ - __TCA_FQ_MAX - }; - -diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c -index bb22151..af8d1d4 100644 ---- a/kernel/time/ntp.c -+++ b/kernel/time/ntp.c -@@ -475,6 +475,7 @@ static void sync_cmos_clock(struct work_struct *work) - * called as close as possible to 500 ms before the new second starts. - * This code is run on a timer. If the clock is set, that timer - * may not expire at the correct time. Thus, we adjust... -+ * We want the clock to be within a couple of ticks from the target. - */ - if (!ntp_synced()) { - /* -@@ -485,7 +486,7 @@ static void sync_cmos_clock(struct work_struct *work) - } - - getnstimeofday(&now); -- if (abs(now.tv_nsec - (NSEC_PER_SEC / 2)) <= tick_nsec / 2) { -+ if (abs(now.tv_nsec - (NSEC_PER_SEC / 2)) <= tick_nsec * 5) { - struct timespec adjust = now; - - fail = -ENODEV; -diff --git a/lib/random32.c b/lib/random32.c -index 52280d5..01e8890 100644 ---- a/lib/random32.c -+++ b/lib/random32.c -@@ -141,7 +141,7 @@ void prandom_seed(u32 entropy) - */ - for_each_possible_cpu (i) { - struct rnd_state *state = &per_cpu(net_rand_state, i); -- state->s1 = __seed(state->s1 ^ entropy, 1); -+ state->s1 = __seed(state->s1 ^ entropy, 2); - } - } - EXPORT_SYMBOL(prandom_seed); -@@ -158,9 +158,9 @@ static int __init prandom_init(void) - struct rnd_state *state = &per_cpu(net_rand_state,i); - - #define LCG(x) ((x) * 69069) /* super-duper LCG */ -- state->s1 = __seed(LCG(i + jiffies), 1); -- state->s2 = __seed(LCG(state->s1), 7); -- state->s3 = __seed(LCG(state->s2), 15); -+ state->s1 = __seed(LCG(i + jiffies), 2); -+ state->s2 = __seed(LCG(state->s1), 8); -+ state->s3 = __seed(LCG(state->s2), 16); - - /* "warm it up" */ - prandom_u32_state(state); -@@ -187,9 +187,9 @@ static int __init prandom_reseed(void) - u32 seeds[3]; - - get_random_bytes(&seeds, sizeof(seeds)); -- state->s1 = __seed(seeds[0], 1); -- state->s2 = __seed(seeds[1], 7); -- state->s3 = __seed(seeds[2], 15); -+ state->s1 = __seed(seeds[0], 2); -+ state->s2 = __seed(seeds[1], 8); -+ state->s3 = __seed(seeds[2], 16); - - /* mix it in */ - prandom_u32_state(state); -diff --git a/mm/mprotect.c b/mm/mprotect.c -index 412ba2b..6c3f56f 100644 ---- a/mm/mprotect.c -+++ b/mm/mprotect.c -@@ -138,6 +138,7 @@ static inline unsigned long change_pmd_range(struct vm_area_struct *vma, - pmd_t *pmd; - unsigned long next; - unsigned long pages = 0; -+ unsigned long nr_huge_updates = 0; - bool all_same_node; - - pmd = pmd_offset(pud, addr); -@@ -148,7 +149,8 @@ static inline unsigned long change_pmd_range(struct vm_area_struct *vma, - split_huge_page_pmd(vma, addr, pmd); - else if (change_huge_pmd(vma, pmd, addr, newprot, - prot_numa)) { -- pages++; -+ pages += HPAGE_PMD_NR; -+ nr_huge_updates++; - continue; - } - /* fall through */ -@@ -168,6 +170,9 @@ static inline unsigned long change_pmd_range(struct vm_area_struct *vma, - change_pmd_protnuma(vma->vm_mm, addr, pmd); - } while (pmd++, addr = next, addr != end); - -+ if (nr_huge_updates) -+ count_vm_numa_events(NUMA_HUGE_PTE_UPDATES, nr_huge_updates); -+ - return pages; - } - -diff --git a/mm/vmstat.c b/mm/vmstat.c -index 9bb3145..5a442a7 100644 ---- a/mm/vmstat.c -+++ b/mm/vmstat.c -@@ -812,6 +812,7 @@ const char * const vmstat_text[] = { - - #ifdef CONFIG_NUMA_BALANCING - "numa_pte_updates", -+ "numa_huge_pte_updates", - "numa_hint_faults", - "numa_hint_faults_local", - "numa_pages_migrated", -diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c -index 7fee50d..7d424ac 100644 ---- a/net/appletalk/ddp.c -+++ b/net/appletalk/ddp.c -@@ -1735,7 +1735,6 @@ static int atalk_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr - size_t size, int flags) - { - struct sock *sk = sock->sk; -- struct sockaddr_at *sat = (struct sockaddr_at *)msg->msg_name; - struct ddpehdr *ddp; - int copied = 0; - int offset = 0; -@@ -1764,14 +1763,13 @@ static int atalk_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr - } - err = skb_copy_datagram_iovec(skb, offset, msg->msg_iov, copied); - -- if (!err) { -- if (sat) { -- sat->sat_family = AF_APPLETALK; -- sat->sat_port = ddp->deh_sport; -- sat->sat_addr.s_node = ddp->deh_snode; -- sat->sat_addr.s_net = ddp->deh_snet; -- } -- msg->msg_namelen = sizeof(*sat); -+ if (!err && msg->msg_name) { -+ struct sockaddr_at *sat = msg->msg_name; -+ sat->sat_family = AF_APPLETALK; -+ sat->sat_port = ddp->deh_sport; -+ sat->sat_addr.s_node = ddp->deh_snode; -+ sat->sat_addr.s_net = ddp->deh_snet; -+ msg->msg_namelen = sizeof(*sat); - } - - skb_free_datagram(sk, skb); /* Free the datagram. */ -diff --git a/net/atm/common.c b/net/atm/common.c -index 737bef5..7b49100 100644 ---- a/net/atm/common.c -+++ b/net/atm/common.c -@@ -531,8 +531,6 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, - struct sk_buff *skb; - int copied, error = -EINVAL; - -- msg->msg_namelen = 0; -- - if (sock->state != SS_CONNECTED) - return -ENOTCONN; - -diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c -index 4b4d2b7..78c474f 100644 ---- a/net/ax25/af_ax25.c -+++ b/net/ax25/af_ax25.c -@@ -1636,11 +1636,11 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock, - - skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); - -- if (msg->msg_namelen != 0) { -- struct sockaddr_ax25 *sax = (struct sockaddr_ax25 *)msg->msg_name; -+ if (msg->msg_name) { - ax25_digi digi; - ax25_address src; - const unsigned char *mac = skb_mac_header(skb); -+ struct sockaddr_ax25 *sax = msg->msg_name; - - memset(sax, 0, sizeof(struct full_sockaddr_ax25)); - ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL, -diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c -index 9096137..6629cdc 100644 ---- a/net/bluetooth/af_bluetooth.c -+++ b/net/bluetooth/af_bluetooth.c -@@ -221,8 +221,6 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - if (flags & (MSG_OOB)) - return -EOPNOTSUPP; - -- msg->msg_namelen = 0; -- - skb = skb_recv_datagram(sk, flags, noblock, &err); - if (!skb) { - if (sk->sk_shutdown & RCV_SHUTDOWN) -@@ -287,8 +285,6 @@ int bt_sock_stream_recvmsg(struct kiocb *iocb, struct socket *sock, - if (flags & MSG_OOB) - return -EOPNOTSUPP; - -- msg->msg_namelen = 0; -- - BT_DBG("sk %p size %zu", sk, size); - - lock_sock(sk); -diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c -index 9bd7d95..fa4bf66 100644 ---- a/net/bluetooth/hci_sock.c -+++ b/net/bluetooth/hci_sock.c -@@ -752,8 +752,6 @@ static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - if (!skb) - return err; - -- msg->msg_namelen = 0; -- - copied = skb->len; - if (len < copied) { - msg->msg_flags |= MSG_TRUNC; -diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c -index 30b3721..c1c6028 100644 ---- a/net/bluetooth/rfcomm/sock.c -+++ b/net/bluetooth/rfcomm/sock.c -@@ -608,7 +608,6 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - - if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { - rfcomm_dlc_accept(d); -- msg->msg_namelen = 0; - return 0; - } - -diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c -index 96bd388..d021e44 100644 ---- a/net/bluetooth/sco.c -+++ b/net/bluetooth/sco.c -@@ -715,7 +715,6 @@ static int sco_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { - sco_conn_defer_accept(pi->conn->hcon, pi->setting); - sk->sk_state = BT_CONFIG; -- msg->msg_namelen = 0; - - release_sock(sk); - return 0; -diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c -index c41d5fb..547504c 100644 ---- a/net/bridge/br_if.c -+++ b/net/bridge/br_if.c -@@ -172,6 +172,8 @@ void br_dev_delete(struct net_device *dev, struct list_head *head) - del_nbp(p); - } - -+ br_fdb_delete_by_port(br, NULL, 1); -+ - del_timer_sync(&br->gc_timer); - - br_sysfs_delbr(br->dev); -diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c -index 05a41c7..d6be3ed 100644 ---- a/net/caif/caif_socket.c -+++ b/net/caif/caif_socket.c -@@ -286,8 +286,6 @@ static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock, - if (m->msg_flags&MSG_OOB) - goto read_error; - -- m->msg_namelen = 0; -- - skb = skb_recv_datagram(sk, flags, 0 , &ret); - if (!skb) - goto read_error; -@@ -361,8 +359,6 @@ static int caif_stream_recvmsg(struct kiocb *iocb, struct socket *sock, - if (flags&MSG_OOB) - goto out; - -- msg->msg_namelen = 0; -- - /* - * Lock the socket to prevent queue disordering - * while sleeps in memcpy_tomsg -diff --git a/net/compat.c b/net/compat.c -index 8903258..dd32e34 100644 ---- a/net/compat.c -+++ b/net/compat.c -@@ -72,7 +72,7 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) - __get_user(kmsg->msg_flags, &umsg->msg_flags)) - return -EFAULT; - if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) -- return -EINVAL; -+ kmsg->msg_namelen = sizeof(struct sockaddr_storage); - kmsg->msg_name = compat_ptr(tmp1); - kmsg->msg_iov = compat_ptr(tmp2); - kmsg->msg_control = compat_ptr(tmp3); -@@ -93,7 +93,8 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, - if (err < 0) - return err; - } -- kern_msg->msg_name = kern_address; -+ if (kern_msg->msg_name) -+ kern_msg->msg_name = kern_address; - } else - kern_msg->msg_name = NULL; - -diff --git a/net/core/dev.c b/net/core/dev.c -index 3430b1e..3d13874 100644 ---- a/net/core/dev.c -+++ b/net/core/dev.c -@@ -1691,13 +1691,9 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb) - kfree_skb(skb); - return NET_RX_DROP; - } -- skb->protocol = eth_type_trans(skb, dev); - -- /* eth_type_trans() can set pkt_type. -- * call skb_scrub_packet() after it to clear pkt_type _after_ calling -- * eth_type_trans(). -- */ - skb_scrub_packet(skb, true); -+ skb->protocol = eth_type_trans(skb, dev); - - return netif_rx(skb); - } -@@ -4819,7 +4815,7 @@ static void dev_change_rx_flags(struct net_device *dev, int flags) - { - const struct net_device_ops *ops = dev->netdev_ops; - -- if ((dev->flags & IFF_UP) && ops->ndo_change_rx_flags) -+ if (ops->ndo_change_rx_flags) - ops->ndo_change_rx_flags(dev, flags); - } - -diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c -index 2e65413..f409e0b 100644 ---- a/net/core/fib_rules.c -+++ b/net/core/fib_rules.c -@@ -460,7 +460,8 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh) - if (frh->action && (frh->action != rule->action)) - continue; - -- if (frh->table && (frh_get_table(frh, tb) != rule->table)) -+ if (frh_get_table(frh, tb) && -+ (frh_get_table(frh, tb) != rule->table)) - continue; - - if (tb[FRA_PRIORITY] && -diff --git a/net/core/iovec.c b/net/core/iovec.c -index b77eeec..7d84ea1 100644 ---- a/net/core/iovec.c -+++ b/net/core/iovec.c -@@ -48,7 +48,8 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a - if (err < 0) - return err; - } -- m->msg_name = address; -+ if (m->msg_name) -+ m->msg_name = address; - } else { - m->msg_name = NULL; - } -diff --git a/net/core/pktgen.c b/net/core/pktgen.c -index 261357a..a797fff 100644 ---- a/net/core/pktgen.c -+++ b/net/core/pktgen.c -@@ -2527,6 +2527,8 @@ static int process_ipsec(struct pktgen_dev *pkt_dev, - if (x) { - int ret; - __u8 *eth; -+ struct iphdr *iph; -+ - nhead = x->props.header_len - skb_headroom(skb); - if (nhead > 0) { - ret = pskb_expand_head(skb, nhead, 0, GFP_ATOMIC); -@@ -2548,6 +2550,11 @@ static int process_ipsec(struct pktgen_dev *pkt_dev, - eth = (__u8 *) skb_push(skb, ETH_HLEN); - memcpy(eth, pkt_dev->hh, 12); - *(u16 *) ð[12] = protocol; -+ -+ /* Update IPv4 header len as well as checksum value */ -+ iph = ip_hdr(skb); -+ iph->tot_len = htons(skb->len - ETH_HLEN); -+ ip_send_check(iph); - } - } - return 1; -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index d81cff1..c28c7fe 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -580,9 +580,6 @@ static void skb_release_head_state(struct sk_buff *skb) - #if IS_ENABLED(CONFIG_NF_CONNTRACK) - nf_conntrack_put(skb->nfct); - #endif --#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED -- nf_conntrack_put_reasm(skb->nfct_reasm); --#endif - #ifdef CONFIG_BRIDGE_NETFILTER - nf_bridge_put(skb->nf_bridge); - #endif -@@ -2758,6 +2755,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - struct sk_buff *segs = NULL; - struct sk_buff *tail = NULL; - struct sk_buff *fskb = skb_shinfo(skb)->frag_list; -+ skb_frag_t *skb_frag = skb_shinfo(skb)->frags; - unsigned int mss = skb_shinfo(skb)->gso_size; - unsigned int doffset = skb->data - skb_mac_header(skb); - unsigned int offset = doffset; -@@ -2797,16 +2795,38 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - if (hsize > len || !sg) - hsize = len; - -- if (!hsize && i >= nfrags) { -- BUG_ON(fskb->len != len); -+ if (!hsize && i >= nfrags && skb_headlen(fskb) && -+ (skb_headlen(fskb) == len || sg)) { -+ BUG_ON(skb_headlen(fskb) > len); -+ -+ i = 0; -+ nfrags = skb_shinfo(fskb)->nr_frags; -+ skb_frag = skb_shinfo(fskb)->frags; -+ pos += skb_headlen(fskb); -+ -+ while (pos < offset + len) { -+ BUG_ON(i >= nfrags); -+ -+ size = skb_frag_size(skb_frag); -+ if (pos + size > offset + len) -+ break; -+ -+ i++; -+ pos += size; -+ skb_frag++; -+ } - -- pos += len; - nskb = skb_clone(fskb, GFP_ATOMIC); - fskb = fskb->next; - - if (unlikely(!nskb)) - goto err; - -+ if (unlikely(pskb_trim(nskb, len))) { -+ kfree_skb(nskb); -+ goto err; -+ } -+ - hsize = skb_end_offset(nskb); - if (skb_cow_head(nskb, doffset + headroom)) { - kfree_skb(nskb); -@@ -2850,7 +2870,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - nskb->data - tnl_hlen, - doffset + tnl_hlen); - -- if (fskb != skb_shinfo(skb)->frag_list) -+ if (nskb->len == len + doffset) - goto perform_csum_check; - - if (!sg) { -@@ -2868,8 +2888,28 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - - skb_shinfo(nskb)->tx_flags = skb_shinfo(skb)->tx_flags & SKBTX_SHARED_FRAG; - -- while (pos < offset + len && i < nfrags) { -- *frag = skb_shinfo(skb)->frags[i]; -+ while (pos < offset + len) { -+ if (i >= nfrags) { -+ BUG_ON(skb_headlen(fskb)); -+ -+ i = 0; -+ nfrags = skb_shinfo(fskb)->nr_frags; -+ skb_frag = skb_shinfo(fskb)->frags; -+ -+ BUG_ON(!nfrags); -+ -+ fskb = fskb->next; -+ } -+ -+ if (unlikely(skb_shinfo(nskb)->nr_frags >= -+ MAX_SKB_FRAGS)) { -+ net_warn_ratelimited( -+ "skb_segment: too many frags: %u %u\n", -+ pos, mss); -+ goto err; -+ } -+ -+ *frag = *skb_frag; - __skb_frag_ref(frag); - size = skb_frag_size(frag); - -@@ -2882,6 +2922,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - - if (pos + size <= offset + len) { - i++; -+ skb_frag++; - pos += size; - } else { - skb_frag_size_sub(frag, pos + size - (offset + len)); -@@ -2891,25 +2932,6 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - frag++; - } - -- if (pos < offset + len) { -- struct sk_buff *fskb2 = fskb; -- -- BUG_ON(pos + fskb->len != offset + len); -- -- pos += fskb->len; -- fskb = fskb->next; -- -- if (fskb2->next) { -- fskb2 = skb_clone(fskb2, GFP_ATOMIC); -- if (!fskb2) -- goto err; -- } else -- skb_get(fskb2); -- -- SKB_FRAG_ASSERT(nskb); -- skb_shinfo(nskb)->frag_list = fskb2; -- } -- - skip_fraglist: - nskb->data_len = len - hsize; - nskb->len += nskb->data_len; -diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c -index ff41b4d..008f337 100644 ---- a/net/ieee802154/6lowpan.c -+++ b/net/ieee802154/6lowpan.c -@@ -957,7 +957,7 @@ lowpan_process_data(struct sk_buff *skb) - * Traffic class carried in-line - * ECN + DSCP (1 byte), Flow Label is elided - */ -- case 1: /* 10b */ -+ case 2: /* 10b */ - if (lowpan_fetch_skb_u8(skb, &tmp)) - goto drop; - -@@ -968,7 +968,7 @@ lowpan_process_data(struct sk_buff *skb) - * Flow Label carried in-line - * ECN + 2-bit Pad + Flow Label (3 bytes), DSCP is elided - */ -- case 2: /* 01b */ -+ case 1: /* 01b */ - if (lowpan_fetch_skb_u8(skb, &tmp)) - goto drop; - -diff --git a/net/ieee802154/dgram.c b/net/ieee802154/dgram.c -index 581a595..1865fdf 100644 ---- a/net/ieee802154/dgram.c -+++ b/net/ieee802154/dgram.c -@@ -315,9 +315,8 @@ static int dgram_recvmsg(struct kiocb *iocb, struct sock *sk, - if (saddr) { - saddr->family = AF_IEEE802154; - saddr->addr = mac_cb(skb)->sa; -- } -- if (addr_len) - *addr_len = sizeof(*saddr); -+ } - - if (flags & MSG_TRUNC) - copied = skb->len; -diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c -index b28e863..19e3637 100644 ---- a/net/ipv4/datagram.c -+++ b/net/ipv4/datagram.c -@@ -57,7 +57,7 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) - if (IS_ERR(rt)) { - err = PTR_ERR(rt); - if (err == -ENETUNREACH) -- IP_INC_STATS_BH(sock_net(sk), IPSTATS_MIB_OUTNOROUTES); -+ IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTNOROUTES); - goto out; - } - -diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c -index d9c4f11..23e6ab0 100644 ---- a/net/ipv4/ip_sockglue.c -+++ b/net/ipv4/ip_sockglue.c -@@ -368,7 +368,7 @@ void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 port, u32 inf - /* - * Handle MSG_ERRQUEUE - */ --int ip_recv_error(struct sock *sk, struct msghdr *msg, int len) -+int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) - { - struct sock_exterr_skb *serr; - struct sk_buff *skb, *skb2; -@@ -405,6 +405,7 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len) - serr->addr_offset); - sin->sin_port = serr->port; - memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); -+ *addr_len = sizeof(*sin); - } - - memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); -diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c -index 63a6d6d..254f11c 100644 ---- a/net/ipv4/ip_tunnel.c -+++ b/net/ipv4/ip_tunnel.c -@@ -454,6 +454,8 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb, - tstats->rx_bytes += skb->len; - u64_stats_update_end(&tstats->syncp); - -+ skb_scrub_packet(skb, !net_eq(tunnel->net, dev_net(tunnel->dev))); -+ - if (tunnel->dev->type == ARPHRD_ETHER) { - skb->protocol = eth_type_trans(skb, tunnel->dev); - skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN); -@@ -461,8 +463,6 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb, - skb->dev = tunnel->dev; - } - -- skb_scrub_packet(skb, !net_eq(tunnel->net, dev_net(tunnel->dev))); -- - gro_cells_receive(&tunnel->gro_cells, skb); - return 0; - -diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c -index 6e87f85..26847e1 100644 ---- a/net/ipv4/ip_vti.c -+++ b/net/ipv4/ip_vti.c -@@ -190,6 +190,7 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev) - if (!rt->dst.xfrm || - rt->dst.xfrm->props.mode != XFRM_MODE_TUNNEL) { - dev->stats.tx_carrier_errors++; -+ ip_rt_put(rt); - goto tx_error_icmp; - } - tdev = rt->dst.dev; -diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index d7d9882..c482f7c 100644 ---- a/net/ipv4/ping.c -+++ b/net/ipv4/ping.c -@@ -769,7 +769,7 @@ int ping_v4_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - err = PTR_ERR(rt); - rt = NULL; - if (err == -ENETUNREACH) -- IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES); -+ IP_INC_STATS(net, IPSTATS_MIB_OUTNOROUTES); - goto out; - } - -@@ -827,8 +827,6 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - { - struct inet_sock *isk = inet_sk(sk); - int family = sk->sk_family; -- struct sockaddr_in *sin; -- struct sockaddr_in6 *sin6; - struct sk_buff *skb; - int copied, err; - -@@ -838,19 +836,13 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - if (flags & MSG_OOB) - goto out; - -- if (addr_len) { -- if (family == AF_INET) -- *addr_len = sizeof(*sin); -- else if (family == AF_INET6 && addr_len) -- *addr_len = sizeof(*sin6); -- } -- - if (flags & MSG_ERRQUEUE) { - if (family == AF_INET) { -- return ip_recv_error(sk, msg, len); -+ return ip_recv_error(sk, msg, len, addr_len); - #if IS_ENABLED(CONFIG_IPV6) - } else if (family == AF_INET6) { -- return pingv6_ops.ipv6_recv_error(sk, msg, len); -+ return pingv6_ops.ipv6_recv_error(sk, msg, len, -+ addr_len); - #endif - } - } -@@ -874,11 +866,15 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - - /* Copy the address and add cmsg data. */ - if (family == AF_INET) { -- sin = (struct sockaddr_in *) msg->msg_name; -- sin->sin_family = AF_INET; -- sin->sin_port = 0 /* skb->h.uh->source */; -- sin->sin_addr.s_addr = ip_hdr(skb)->saddr; -- memset(sin->sin_zero, 0, sizeof(sin->sin_zero)); -+ struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name; -+ -+ if (sin) { -+ sin->sin_family = AF_INET; -+ sin->sin_port = 0 /* skb->h.uh->source */; -+ sin->sin_addr.s_addr = ip_hdr(skb)->saddr; -+ memset(sin->sin_zero, 0, sizeof(sin->sin_zero)); -+ *addr_len = sizeof(*sin); -+ } - - if (isk->cmsg_flags) - ip_cmsg_recv(msg, skb); -@@ -887,17 +883,21 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - } else if (family == AF_INET6) { - struct ipv6_pinfo *np = inet6_sk(sk); - struct ipv6hdr *ip6 = ipv6_hdr(skb); -- sin6 = (struct sockaddr_in6 *) msg->msg_name; -- sin6->sin6_family = AF_INET6; -- sin6->sin6_port = 0; -- sin6->sin6_addr = ip6->saddr; -- -- sin6->sin6_flowinfo = 0; -- if (np->sndflow) -- sin6->sin6_flowinfo = ip6_flowinfo(ip6); -- -- sin6->sin6_scope_id = ipv6_iface_scope_id(&sin6->sin6_addr, -- IP6CB(skb)->iif); -+ struct sockaddr_in6 *sin6 = -+ (struct sockaddr_in6 *)msg->msg_name; -+ -+ if (sin6) { -+ sin6->sin6_family = AF_INET6; -+ sin6->sin6_port = 0; -+ sin6->sin6_addr = ip6->saddr; -+ sin6->sin6_flowinfo = 0; -+ if (np->sndflow) -+ sin6->sin6_flowinfo = ip6_flowinfo(ip6); -+ sin6->sin6_scope_id = -+ ipv6_iface_scope_id(&sin6->sin6_addr, -+ IP6CB(skb)->iif); -+ *addr_len = sizeof(*sin6); -+ } - - if (inet6_sk(sk)->rxopt.all) - pingv6_ops.ip6_datagram_recv_ctl(sk, msg, skb); -diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c -index 193db03..7d3db78 100644 ---- a/net/ipv4/raw.c -+++ b/net/ipv4/raw.c -@@ -694,11 +694,8 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - if (flags & MSG_OOB) - goto out; - -- if (addr_len) -- *addr_len = sizeof(*sin); -- - if (flags & MSG_ERRQUEUE) { -- err = ip_recv_error(sk, msg, len); -+ err = ip_recv_error(sk, msg, len, addr_len); - goto out; - } - -@@ -724,6 +721,7 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - sin->sin_addr.s_addr = ip_hdr(skb)->saddr; - sin->sin_port = 0; - memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); -+ *addr_len = sizeof(*sin); - } - if (inet->cmsg_flags) - ip_cmsg_recv(msg, skb); -diff --git a/net/ipv4/route.c b/net/ipv4/route.c -index 6011615..62290b5 100644 ---- a/net/ipv4/route.c -+++ b/net/ipv4/route.c -@@ -1772,8 +1772,12 @@ local_input: - rth->dst.error= -err; - rth->rt_flags &= ~RTCF_LOCAL; - } -- if (do_cache) -- rt_cache_route(&FIB_RES_NH(res), rth); -+ if (do_cache) { -+ if (unlikely(!rt_cache_route(&FIB_RES_NH(res), rth))) { -+ rth->dst.flags |= DST_NOCACHE; -+ rt_add_uncached_list(rth); -+ } -+ } - skb_dst_set(skb, &rth->dst); - err = 0; - goto out; -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 6e5617b..be5246e 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -806,12 +806,6 @@ static unsigned int tcp_xmit_size_goal(struct sock *sk, u32 mss_now, - xmit_size_goal = min_t(u32, gso_size, - sk->sk_gso_max_size - 1 - hlen); - -- /* TSQ : try to have at least two segments in flight -- * (one in NIC TX ring, another in Qdisc) -- */ -- xmit_size_goal = min_t(u32, xmit_size_goal, -- sysctl_tcp_limit_output_bytes >> 1); -- - xmit_size_goal = tcp_bound_to_half_wnd(tp, xmit_size_goal); - - /* We try hard to avoid divides here */ -diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index b14266b..5031f68 100644 ---- a/net/ipv4/tcp_ipv4.c -+++ b/net/ipv4/tcp_ipv4.c -@@ -177,7 +177,7 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) - if (IS_ERR(rt)) { - err = PTR_ERR(rt); - if (err == -ENETUNREACH) -- IP_INC_STATS_BH(sock_net(sk), IPSTATS_MIB_OUTNOROUTES); -+ IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTNOROUTES); - return err; - } - -diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c -index 52f3c6b..3107114 100644 ---- a/net/ipv4/tcp_metrics.c -+++ b/net/ipv4/tcp_metrics.c -@@ -659,10 +659,13 @@ void tcp_fastopen_cache_get(struct sock *sk, u16 *mss, - void tcp_fastopen_cache_set(struct sock *sk, u16 mss, - struct tcp_fastopen_cookie *cookie, bool syn_lost) - { -+ struct dst_entry *dst = __sk_dst_get(sk); - struct tcp_metrics_block *tm; - -+ if (!dst) -+ return; - rcu_read_lock(); -- tm = tcp_get_metrics(sk, __sk_dst_get(sk), true); -+ tm = tcp_get_metrics(sk, dst, true); - if (tm) { - struct tcp_fastopen_metrics *tfom = &tm->tcpm_fastopen; - -diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c -index 533c58a..910ab81 100644 ---- a/net/ipv4/tcp_offload.c -+++ b/net/ipv4/tcp_offload.c -@@ -272,33 +272,32 @@ static struct sk_buff **tcp4_gro_receive(struct sk_buff **head, struct sk_buff * - { - const struct iphdr *iph = skb_gro_network_header(skb); - __wsum wsum; -- __sum16 sum; -+ -+ /* Don't bother verifying checksum if we're going to flush anyway. */ -+ if (NAPI_GRO_CB(skb)->flush) -+ goto skip_csum; -+ -+ wsum = skb->csum; - - switch (skb->ip_summed) { -+ case CHECKSUM_NONE: -+ wsum = skb_checksum(skb, skb_gro_offset(skb), skb_gro_len(skb), -+ 0); -+ -+ /* fall through */ -+ - case CHECKSUM_COMPLETE: - if (!tcp_v4_check(skb_gro_len(skb), iph->saddr, iph->daddr, -- skb->csum)) { -+ wsum)) { - skb->ip_summed = CHECKSUM_UNNECESSARY; - break; - } --flush: -+ - NAPI_GRO_CB(skb)->flush = 1; - return NULL; -- -- case CHECKSUM_NONE: -- wsum = csum_tcpudp_nofold(iph->saddr, iph->daddr, -- skb_gro_len(skb), IPPROTO_TCP, 0); -- sum = csum_fold(skb_checksum(skb, -- skb_gro_offset(skb), -- skb_gro_len(skb), -- wsum)); -- if (sum) -- goto flush; -- -- skb->ip_summed = CHECKSUM_UNNECESSARY; -- break; - } - -+skip_csum: - return tcp_gro_receive(head, skb); - } - -diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index d46f214..e912634 100644 ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -1875,8 +1875,12 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle, - * - better RTT estimation and ACK scheduling - * - faster recovery - * - high rates -+ * Alas, some drivers / subsystems require a fair amount -+ * of queued bytes to ensure line rate. -+ * One example is wifi aggregation (802.11 AMPDU) - */ -- limit = max(skb->truesize, sk->sk_pacing_rate >> 10); -+ limit = max_t(unsigned int, sysctl_tcp_limit_output_bytes, -+ sk->sk_pacing_rate >> 10); - - if (atomic_read(&sk->sk_wmem_alloc) > limit) { - set_bit(TSQ_THROTTLED, &tp->tsq_flags); -@@ -3108,7 +3112,6 @@ void tcp_send_window_probe(struct sock *sk) - { - if (sk->sk_state == TCP_ESTABLISHED) { - tcp_sk(sk)->snd_wl1 = tcp_sk(sk)->rcv_nxt - 1; -- tcp_sk(sk)->snd_nxt = tcp_sk(sk)->write_seq; - tcp_xmit_probe_skb(sk, 0); - } - } -diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index 0ca44df..5e2c2f1 100644 ---- a/net/ipv4/udp.c -+++ b/net/ipv4/udp.c -@@ -973,7 +973,7 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - err = PTR_ERR(rt); - rt = NULL; - if (err == -ENETUNREACH) -- IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES); -+ IP_INC_STATS(net, IPSTATS_MIB_OUTNOROUTES); - goto out; - } - -@@ -1072,6 +1072,9 @@ int udp_sendpage(struct sock *sk, struct page *page, int offset, - struct udp_sock *up = udp_sk(sk); - int ret; - -+ if (flags & MSG_SENDPAGE_NOTLAST) -+ flags |= MSG_MORE; -+ - if (!up->pending) { - struct msghdr msg = { .msg_flags = flags|MSG_MORE }; - -@@ -1209,14 +1212,8 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - int is_udplite = IS_UDPLITE(sk); - bool slow; - -- /* -- * Check any passed addresses -- */ -- if (addr_len) -- *addr_len = sizeof(*sin); -- - if (flags & MSG_ERRQUEUE) -- return ip_recv_error(sk, msg, len); -+ return ip_recv_error(sk, msg, len, addr_len); - - try_again: - skb = __skb_recv_datagram(sk, flags | (noblock ? MSG_DONTWAIT : 0), -@@ -1276,6 +1273,7 @@ try_again: - sin->sin_port = udp_hdr(skb)->source; - sin->sin_addr.s_addr = ip_hdr(skb)->saddr; - memset(sin->sin_zero, 0, sizeof(sin->sin_zero)); -+ *addr_len = sizeof(*sin); - } - if (inet->cmsg_flags) - ip_cmsg_recv(msg, skb); -diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c -index ccde542..adf9983 100644 ---- a/net/ipv4/xfrm4_policy.c -+++ b/net/ipv4/xfrm4_policy.c -@@ -104,10 +104,14 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) - const struct iphdr *iph = ip_hdr(skb); - u8 *xprth = skb_network_header(skb) + iph->ihl * 4; - struct flowi4 *fl4 = &fl->u.ip4; -+ int oif = 0; -+ -+ if (skb_dst(skb)) -+ oif = skb_dst(skb)->dev->ifindex; - - memset(fl4, 0, sizeof(struct flowi4)); - fl4->flowi4_mark = skb->mark; -- fl4->flowi4_oif = skb_dst(skb)->dev->ifindex; -+ fl4->flowi4_oif = reverse ? skb->skb_iif : oif; - - if (!ip_is_fragment(iph)) { - switch (iph->protocol) { -diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c -index 7c96100..8132b44 100644 ---- a/net/ipv6/af_inet6.c -+++ b/net/ipv6/af_inet6.c -@@ -965,10 +965,10 @@ out: - - #ifdef CONFIG_SYSCTL - sysctl_fail: -- ipv6_packet_cleanup(); -+ pingv6_exit(); - #endif - pingv6_fail: -- pingv6_exit(); -+ ipv6_packet_cleanup(); - ipv6_packet_fail: - tcpv6_exit(); - tcpv6_fail: -diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c -index 48b6bd2..c66c6df 100644 ---- a/net/ipv6/datagram.c -+++ b/net/ipv6/datagram.c -@@ -318,7 +318,7 @@ void ipv6_local_rxpmtu(struct sock *sk, struct flowi6 *fl6, u32 mtu) - /* - * Handle MSG_ERRQUEUE - */ --int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len) -+int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) - { - struct ipv6_pinfo *np = inet6_sk(sk); - struct sock_exterr_skb *serr; -@@ -369,6 +369,7 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len) - &sin->sin6_addr); - sin->sin6_scope_id = 0; - } -+ *addr_len = sizeof(*sin); - } - - memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); -@@ -377,6 +378,7 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len) - if (serr->ee.ee_origin != SO_EE_ORIGIN_LOCAL) { - sin->sin6_family = AF_INET6; - sin->sin6_flowinfo = 0; -+ sin->sin6_port = 0; - if (skb->protocol == htons(ETH_P_IPV6)) { - sin->sin6_addr = ipv6_hdr(skb)->saddr; - if (np->rxopt.all) -@@ -423,7 +425,8 @@ EXPORT_SYMBOL_GPL(ipv6_recv_error); - /* - * Handle IPV6_RECVPATHMTU - */ --int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len) -+int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len, -+ int *addr_len) - { - struct ipv6_pinfo *np = inet6_sk(sk); - struct sk_buff *skb; -@@ -457,6 +460,7 @@ int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len) - sin->sin6_port = 0; - sin->sin6_scope_id = mtu_info.ip6m_addr.sin6_scope_id; - sin->sin6_addr = mtu_info.ip6m_addr.sin6_addr; -+ *addr_len = sizeof(*sin); - } - - put_cmsg(msg, SOL_IPV6, IPV6_PATHMTU, sizeof(mtu_info), &mtu_info); -diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c -index 46e8843..f0ccdb7 100644 ---- a/net/ipv6/ip6_flowlabel.c -+++ b/net/ipv6/ip6_flowlabel.c -@@ -453,8 +453,10 @@ static int mem_check(struct sock *sk) - if (room > FL_MAX_SIZE - FL_MAX_PER_SOCK) - return 0; - -+ rcu_read_lock_bh(); - for_each_sk_fl_rcu(np, sfl) - count++; -+ rcu_read_unlock_bh(); - - if (room <= 0 || - ((count >= FL_MAX_PER_SOCK || -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 91fb4e8..b6fa35e 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -116,8 +116,8 @@ static int ip6_finish_output2(struct sk_buff *skb) - } - rcu_read_unlock_bh(); - -- IP6_INC_STATS_BH(dev_net(dst->dev), -- ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); -+ IP6_INC_STATS(dev_net(dst->dev), -+ ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); - kfree_skb(skb); - return -EINVAL; - } -@@ -125,7 +125,8 @@ static int ip6_finish_output2(struct sk_buff *skb) - static int ip6_finish_output(struct sk_buff *skb) - { - if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) || -- dst_allfrag(skb_dst(skb))) -+ dst_allfrag(skb_dst(skb)) || -+ (IP6CB(skb)->frag_max_size && skb->len > IP6CB(skb)->frag_max_size)) - return ip6_fragment(skb, ip6_finish_output2); - else - return ip6_finish_output2(skb); -diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c -index 583b77e..c1e11b5 100644 ---- a/net/ipv6/ip6_tunnel.c -+++ b/net/ipv6/ip6_tunnel.c -@@ -1635,6 +1635,15 @@ static int ip6_tnl_changelink(struct net_device *dev, struct nlattr *tb[], - return ip6_tnl_update(t, &p); - } - -+static void ip6_tnl_dellink(struct net_device *dev, struct list_head *head) -+{ -+ struct net *net = dev_net(dev); -+ struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id); -+ -+ if (dev != ip6n->fb_tnl_dev) -+ unregister_netdevice_queue(dev, head); -+} -+ - static size_t ip6_tnl_get_size(const struct net_device *dev) - { - return -@@ -1699,6 +1708,7 @@ static struct rtnl_link_ops ip6_link_ops __read_mostly = { - .validate = ip6_tnl_validate, - .newlink = ip6_tnl_newlink, - .changelink = ip6_tnl_changelink, -+ .dellink = ip6_tnl_dellink, - .get_size = ip6_tnl_get_size, - .fill_info = ip6_tnl_fill_info, - }; -@@ -1715,9 +1725,9 @@ static struct xfrm6_tunnel ip6ip6_handler __read_mostly = { - .priority = 1, - }; - --static void __net_exit ip6_tnl_destroy_tunnels(struct ip6_tnl_net *ip6n) -+static void __net_exit ip6_tnl_destroy_tunnels(struct net *net) - { -- struct net *net = dev_net(ip6n->fb_tnl_dev); -+ struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id); - struct net_device *dev, *aux; - int h; - struct ip6_tnl *t; -@@ -1785,10 +1795,8 @@ err_alloc_dev: - - static void __net_exit ip6_tnl_exit_net(struct net *net) - { -- struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id); -- - rtnl_lock(); -- ip6_tnl_destroy_tunnels(ip6n); -+ ip6_tnl_destroy_tunnels(net); - rtnl_unlock(); - } - -diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c -index d6e4dd8..83ab37c 100644 ---- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c -+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c -@@ -169,63 +169,13 @@ out: - return nf_conntrack_confirm(skb); - } - --static unsigned int __ipv6_conntrack_in(struct net *net, -- unsigned int hooknum, -- struct sk_buff *skb, -- const struct net_device *in, -- const struct net_device *out, -- int (*okfn)(struct sk_buff *)) --{ -- struct sk_buff *reasm = skb->nfct_reasm; -- const struct nf_conn_help *help; -- struct nf_conn *ct; -- enum ip_conntrack_info ctinfo; -- -- /* This packet is fragmented and has reassembled packet. */ -- if (reasm) { -- /* Reassembled packet isn't parsed yet ? */ -- if (!reasm->nfct) { -- unsigned int ret; -- -- ret = nf_conntrack_in(net, PF_INET6, hooknum, reasm); -- if (ret != NF_ACCEPT) -- return ret; -- } -- -- /* Conntrack helpers need the entire reassembled packet in the -- * POST_ROUTING hook. In case of unconfirmed connections NAT -- * might reassign a helper, so the entire packet is also -- * required. -- */ -- ct = nf_ct_get(reasm, &ctinfo); -- if (ct != NULL && !nf_ct_is_untracked(ct)) { -- help = nfct_help(ct); -- if ((help && help->helper) || !nf_ct_is_confirmed(ct)) { -- nf_conntrack_get_reasm(reasm); -- NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, reasm, -- (struct net_device *)in, -- (struct net_device *)out, -- okfn, NF_IP6_PRI_CONNTRACK + 1); -- return NF_DROP_ERR(-ECANCELED); -- } -- } -- -- nf_conntrack_get(reasm->nfct); -- skb->nfct = reasm->nfct; -- skb->nfctinfo = reasm->nfctinfo; -- return NF_ACCEPT; -- } -- -- return nf_conntrack_in(net, PF_INET6, hooknum, skb); --} -- - static unsigned int ipv6_conntrack_in(unsigned int hooknum, - struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) - { -- return __ipv6_conntrack_in(dev_net(in), hooknum, skb, in, out, okfn); -+ return nf_conntrack_in(dev_net(in), PF_INET6, hooknum, skb); - } - - static unsigned int ipv6_conntrack_local(unsigned int hooknum, -@@ -239,7 +189,7 @@ static unsigned int ipv6_conntrack_local(unsigned int hooknum, - net_notice_ratelimited("ipv6_conntrack_local: packet too short\n"); - return NF_ACCEPT; - } -- return __ipv6_conntrack_in(dev_net(out), hooknum, skb, in, out, okfn); -+ return nf_conntrack_in(dev_net(out), PF_INET6, hooknum, skb); - } - - static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = { -diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c -index dffdc1a..253566a 100644 ---- a/net/ipv6/netfilter/nf_conntrack_reasm.c -+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c -@@ -621,31 +621,16 @@ ret_orig: - return skb; - } - --void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb, -- struct net_device *in, struct net_device *out, -- int (*okfn)(struct sk_buff *)) -+void nf_ct_frag6_consume_orig(struct sk_buff *skb) - { - struct sk_buff *s, *s2; -- unsigned int ret = 0; - - for (s = NFCT_FRAG6_CB(skb)->orig; s;) { -- nf_conntrack_put_reasm(s->nfct_reasm); -- nf_conntrack_get_reasm(skb); -- s->nfct_reasm = skb; -- - s2 = s->next; - s->next = NULL; -- -- if (ret != -ECANCELED) -- ret = NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, s, -- in, out, okfn, -- NF_IP6_PRI_CONNTRACK_DEFRAG + 1); -- else -- kfree_skb(s); -- -+ consume_skb(s); - s = s2; - } -- nf_conntrack_put_reasm(skb); - } - - static int nf_ct_net_init(struct net *net) -diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c -index aacd121..581dd9e 100644 ---- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c -+++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c -@@ -75,8 +75,11 @@ static unsigned int ipv6_defrag(unsigned int hooknum, - if (reasm == skb) - return NF_ACCEPT; - -- nf_ct_frag6_output(hooknum, reasm, (struct net_device *)in, -- (struct net_device *)out, okfn); -+ nf_ct_frag6_consume_orig(reasm); -+ -+ NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, reasm, -+ (struct net_device *) in, (struct net_device *) out, -+ okfn, NF_IP6_PRI_CONNTRACK_DEFRAG + 1); - - return NF_STOLEN; - } -diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c -index 18f19df..7856e96 100644 ---- a/net/ipv6/ping.c -+++ b/net/ipv6/ping.c -@@ -57,7 +57,8 @@ static struct inet_protosw pingv6_protosw = { - - - /* Compatibility glue so we can support IPv6 when it's compiled as a module */ --static int dummy_ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len) -+static int dummy_ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, -+ int *addr_len) - { - return -EAFNOSUPPORT; - } -diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c -index a4ed241..430067c 100644 ---- a/net/ipv6/raw.c -+++ b/net/ipv6/raw.c -@@ -466,14 +466,11 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk, - if (flags & MSG_OOB) - return -EOPNOTSUPP; - -- if (addr_len) -- *addr_len=sizeof(*sin6); -- - if (flags & MSG_ERRQUEUE) -- return ipv6_recv_error(sk, msg, len); -+ return ipv6_recv_error(sk, msg, len, addr_len); - - if (np->rxpmtu && np->rxopt.bits.rxpmtu) -- return ipv6_recv_rxpmtu(sk, msg, len); -+ return ipv6_recv_rxpmtu(sk, msg, len, addr_len); - - skb = skb_recv_datagram(sk, flags, noblock, &err); - if (!skb) -@@ -507,6 +504,7 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk, - sin6->sin6_flowinfo = 0; - sin6->sin6_scope_id = ipv6_iface_scope_id(&sin6->sin6_addr, - IP6CB(skb)->iif); -+ *addr_len = sizeof(*sin6); - } - - sock_recv_ts_and_drops(msg, sk, skb); -diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index 04e17b3..77308af 100644 ---- a/net/ipv6/route.c -+++ b/net/ipv6/route.c -@@ -731,8 +731,11 @@ int rt6_route_rcv(struct net_device *dev, u8 *opt, int len, - prefix = &prefix_buf; - } - -- rt = rt6_get_route_info(net, prefix, rinfo->prefix_len, gwaddr, -- dev->ifindex); -+ if (rinfo->prefix_len == 0) -+ rt = rt6_get_dflt_router(gwaddr, dev); -+ else -+ rt = rt6_get_route_info(net, prefix, rinfo->prefix_len, -+ gwaddr, dev->ifindex); - - if (rt && !lifetime) { - ip6_del_rt(rt); -diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c -index 1926945..b433884 100644 ---- a/net/ipv6/sit.c -+++ b/net/ipv6/sit.c -@@ -1594,6 +1594,15 @@ static const struct nla_policy ipip6_policy[IFLA_IPTUN_MAX + 1] = { - #endif - }; - -+static void ipip6_dellink(struct net_device *dev, struct list_head *head) -+{ -+ struct net *net = dev_net(dev); -+ struct sit_net *sitn = net_generic(net, sit_net_id); -+ -+ if (dev != sitn->fb_tunnel_dev) -+ unregister_netdevice_queue(dev, head); -+} -+ - static struct rtnl_link_ops sit_link_ops __read_mostly = { - .kind = "sit", - .maxtype = IFLA_IPTUN_MAX, -@@ -1605,6 +1614,7 @@ static struct rtnl_link_ops sit_link_ops __read_mostly = { - .changelink = ipip6_changelink, - .get_size = ipip6_get_size, - .fill_info = ipip6_fill_info, -+ .dellink = ipip6_dellink, - }; - - static struct xfrm_tunnel sit_handler __read_mostly = { -@@ -1619,9 +1629,10 @@ static struct xfrm_tunnel ipip_handler __read_mostly = { - .priority = 2, - }; - --static void __net_exit sit_destroy_tunnels(struct sit_net *sitn, struct list_head *head) -+static void __net_exit sit_destroy_tunnels(struct net *net, -+ struct list_head *head) - { -- struct net *net = dev_net(sitn->fb_tunnel_dev); -+ struct sit_net *sitn = net_generic(net, sit_net_id); - struct net_device *dev, *aux; - int prio; - -@@ -1696,11 +1707,10 @@ err_alloc_dev: - - static void __net_exit sit_exit_net(struct net *net) - { -- struct sit_net *sitn = net_generic(net, sit_net_id); - LIST_HEAD(list); - - rtnl_lock(); -- sit_destroy_tunnels(sitn, &list); -+ sit_destroy_tunnels(net, &list); - unregister_netdevice_many(&list); - rtnl_unlock(); - } -diff --git a/net/ipv6/tcpv6_offload.c b/net/ipv6/tcpv6_offload.c -index 2ec6bf6..a7a2384 100644 ---- a/net/ipv6/tcpv6_offload.c -+++ b/net/ipv6/tcpv6_offload.c -@@ -37,34 +37,32 @@ static struct sk_buff **tcp6_gro_receive(struct sk_buff **head, - { - const struct ipv6hdr *iph = skb_gro_network_header(skb); - __wsum wsum; -- __sum16 sum; -+ -+ /* Don't bother verifying checksum if we're going to flush anyway. */ -+ if (NAPI_GRO_CB(skb)->flush) -+ goto skip_csum; -+ -+ wsum = skb->csum; - - switch (skb->ip_summed) { -+ case CHECKSUM_NONE: -+ wsum = skb_checksum(skb, skb_gro_offset(skb), skb_gro_len(skb), -+ wsum); -+ -+ /* fall through */ -+ - case CHECKSUM_COMPLETE: - if (!tcp_v6_check(skb_gro_len(skb), &iph->saddr, &iph->daddr, -- skb->csum)) { -+ wsum)) { - skb->ip_summed = CHECKSUM_UNNECESSARY; - break; - } --flush: -+ - NAPI_GRO_CB(skb)->flush = 1; - return NULL; -- -- case CHECKSUM_NONE: -- wsum = ~csum_unfold(csum_ipv6_magic(&iph->saddr, &iph->daddr, -- skb_gro_len(skb), -- IPPROTO_TCP, 0)); -- sum = csum_fold(skb_checksum(skb, -- skb_gro_offset(skb), -- skb_gro_len(skb), -- wsum)); -- if (sum) -- goto flush; -- -- skb->ip_summed = CHECKSUM_UNNECESSARY; -- break; - } - -+skip_csum: - return tcp_gro_receive(head, skb); - } - -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index 1878609..3d2758d 100644 ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -374,14 +374,11 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk, - int is_udp4; - bool slow; - -- if (addr_len) -- *addr_len = sizeof(struct sockaddr_in6); -- - if (flags & MSG_ERRQUEUE) -- return ipv6_recv_error(sk, msg, len); -+ return ipv6_recv_error(sk, msg, len, addr_len); - - if (np->rxpmtu && np->rxopt.bits.rxpmtu) -- return ipv6_recv_rxpmtu(sk, msg, len); -+ return ipv6_recv_rxpmtu(sk, msg, len, addr_len); - - try_again: - skb = __skb_recv_datagram(sk, flags | (noblock ? MSG_DONTWAIT : 0), -@@ -462,7 +459,7 @@ try_again: - ipv6_iface_scope_id(&sin6->sin6_addr, - IP6CB(skb)->iif); - } -- -+ *addr_len = sizeof(*sin6); - } - if (is_udp4) { - if (inet->cmsg_flags) -diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c -index 6055951..34c6fff 100644 ---- a/net/ipv6/udp_offload.c -+++ b/net/ipv6/udp_offload.c -@@ -88,7 +88,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, - - /* Check if there is enough headroom to insert fragment header. */ - tnl_hlen = skb_tnl_header_len(skb); -- if (skb_headroom(skb) < (tnl_hlen + frag_hdr_sz)) { -+ if (skb->mac_header < (tnl_hlen + frag_hdr_sz)) { - if (gso_pskb_expand_head(skb, tnl_hlen + frag_hdr_sz)) - goto out; - } -diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c -index 08ed277..550b195 100644 ---- a/net/ipv6/xfrm6_policy.c -+++ b/net/ipv6/xfrm6_policy.c -@@ -135,10 +135,14 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) - struct ipv6_opt_hdr *exthdr; - const unsigned char *nh = skb_network_header(skb); - u8 nexthdr = nh[IP6CB(skb)->nhoff]; -+ int oif = 0; -+ -+ if (skb_dst(skb)) -+ oif = skb_dst(skb)->dev->ifindex; - - memset(fl6, 0, sizeof(struct flowi6)); - fl6->flowi6_mark = skb->mark; -- fl6->flowi6_oif = skb_dst(skb)->dev->ifindex; -+ fl6->flowi6_oif = reverse ? skb->skb_iif : oif; - - fl6->daddr = reverse ? hdr->saddr : hdr->daddr; - fl6->saddr = reverse ? hdr->daddr : hdr->saddr; -diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c -index 7a1e0fc..e096025 100644 ---- a/net/ipx/af_ipx.c -+++ b/net/ipx/af_ipx.c -@@ -1823,8 +1823,6 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock, - if (skb->tstamp.tv64) - sk->sk_stamp = skb->tstamp; - -- msg->msg_namelen = sizeof(*sipx); -- - if (sipx) { - sipx->sipx_family = AF_IPX; - sipx->sipx_port = ipx->ipx_source.sock; -@@ -1832,6 +1830,7 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock, - sipx->sipx_network = IPX_SKB_CB(skb)->ipx_source_net; - sipx->sipx_type = ipx->ipx_type; - sipx->sipx_zero = 0; -+ msg->msg_namelen = sizeof(*sipx); - } - rc = copied; - -diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c -index 0578d4f..a5e62ef5 100644 ---- a/net/irda/af_irda.c -+++ b/net/irda/af_irda.c -@@ -1385,8 +1385,6 @@ static int irda_recvmsg_dgram(struct kiocb *iocb, struct socket *sock, - - IRDA_DEBUG(4, "%s()\n", __func__); - -- msg->msg_namelen = 0; -- - skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, - flags & MSG_DONTWAIT, &err); - if (!skb) -@@ -1451,8 +1449,6 @@ static int irda_recvmsg_stream(struct kiocb *iocb, struct socket *sock, - target = sock_rcvlowat(sk, flags & MSG_WAITALL, size); - timeo = sock_rcvtimeo(sk, noblock); - -- msg->msg_namelen = 0; -- - do { - int chunk; - struct sk_buff *skb = skb_dequeue(&sk->sk_receive_queue); -diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c -index 168aff5..c4b7218 100644 ---- a/net/iucv/af_iucv.c -+++ b/net/iucv/af_iucv.c -@@ -1324,8 +1324,6 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - int err = 0; - u32 offset; - -- msg->msg_namelen = 0; -- - if ((sk->sk_state == IUCV_DISCONN) && - skb_queue_empty(&iucv->backlog_skb_q) && - skb_queue_empty(&sk->sk_receive_queue) && -diff --git a/net/key/af_key.c b/net/key/af_key.c -index 911ef03..545f047 100644 ---- a/net/key/af_key.c -+++ b/net/key/af_key.c -@@ -3616,7 +3616,6 @@ static int pfkey_recvmsg(struct kiocb *kiocb, - if (flags & ~(MSG_PEEK|MSG_DONTWAIT|MSG_TRUNC|MSG_CMSG_COMPAT)) - goto out; - -- msg->msg_namelen = 0; - skb = skb_recv_datagram(sk, flags, flags & MSG_DONTWAIT, &err); - if (skb == NULL) - goto out; -diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c -index 571db8d..da1a1ce 100644 ---- a/net/l2tp/l2tp_ip.c -+++ b/net/l2tp/l2tp_ip.c -@@ -518,9 +518,6 @@ static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m - if (flags & MSG_OOB) - goto out; - -- if (addr_len) -- *addr_len = sizeof(*sin); -- - skb = skb_recv_datagram(sk, flags, noblock, &err); - if (!skb) - goto out; -@@ -543,6 +540,7 @@ static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m - sin->sin_addr.s_addr = ip_hdr(skb)->saddr; - sin->sin_port = 0; - memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); -+ *addr_len = sizeof(*sin); - } - if (inet->cmsg_flags) - ip_cmsg_recv(msg, skb); -diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c -index b8a6039..e6e8408 100644 ---- a/net/l2tp/l2tp_ip6.c -+++ b/net/l2tp/l2tp_ip6.c -@@ -665,7 +665,7 @@ static int l2tp_ip6_recvmsg(struct kiocb *iocb, struct sock *sk, - *addr_len = sizeof(*lsa); - - if (flags & MSG_ERRQUEUE) -- return ipv6_recv_error(sk, msg, len); -+ return ipv6_recv_error(sk, msg, len, addr_len); - - skb = skb_recv_datagram(sk, flags, noblock, &err); - if (!skb) -diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c -index 8c46b27..44441c0 100644 ---- a/net/l2tp/l2tp_ppp.c -+++ b/net/l2tp/l2tp_ppp.c -@@ -197,8 +197,6 @@ static int pppol2tp_recvmsg(struct kiocb *iocb, struct socket *sock, - if (sk->sk_state & PPPOX_BOUND) - goto end; - -- msg->msg_namelen = 0; -- - err = 0; - skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, - flags & MSG_DONTWAIT, &err); -diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c -index 6cba486..7b01b9f 100644 ---- a/net/llc/af_llc.c -+++ b/net/llc/af_llc.c -@@ -720,8 +720,6 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock, - int target; /* Read at least this many bytes */ - long timeo; - -- msg->msg_namelen = 0; -- - lock_sock(sk); - copied = -ENOTCONN; - if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN)) -diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c -index 74fd00c..3581736 100644 ---- a/net/netfilter/ipvs/ip_vs_core.c -+++ b/net/netfilter/ipvs/ip_vs_core.c -@@ -1139,12 +1139,6 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af) - ip_vs_fill_iph_skb(af, skb, &iph); - #ifdef CONFIG_IP_VS_IPV6 - if (af == AF_INET6) { -- if (!iph.fragoffs && skb_nfct_reasm(skb)) { -- struct sk_buff *reasm = skb_nfct_reasm(skb); -- /* Save fw mark for coming frags */ -- reasm->ipvs_property = 1; -- reasm->mark = skb->mark; -- } - if (unlikely(iph.protocol == IPPROTO_ICMPV6)) { - int related; - int verdict = ip_vs_out_icmp_v6(skb, &related, -@@ -1614,12 +1608,6 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af) - - #ifdef CONFIG_IP_VS_IPV6 - if (af == AF_INET6) { -- if (!iph.fragoffs && skb_nfct_reasm(skb)) { -- struct sk_buff *reasm = skb_nfct_reasm(skb); -- /* Save fw mark for coming frags. */ -- reasm->ipvs_property = 1; -- reasm->mark = skb->mark; -- } - if (unlikely(iph.protocol == IPPROTO_ICMPV6)) { - int related; - int verdict = ip_vs_in_icmp_v6(skb, &related, hooknum, -@@ -1671,9 +1659,8 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af) - /* sorry, all this trouble for a no-hit :) */ - IP_VS_DBG_PKT(12, af, pp, skb, 0, - "ip_vs_in: packet continues traversal as normal"); -- if (iph.fragoffs && !skb_nfct_reasm(skb)) { -+ if (iph.fragoffs) { - /* Fragment that couldn't be mapped to a conn entry -- * and don't have any pointer to a reasm skb - * is missing module nf_defrag_ipv6 - */ - IP_VS_DBG_RL("Unhandled frag, load nf_defrag_ipv6\n"); -@@ -1756,38 +1743,6 @@ ip_vs_local_request4(unsigned int hooknum, struct sk_buff *skb, - #ifdef CONFIG_IP_VS_IPV6 - - /* -- * AF_INET6 fragment handling -- * Copy info from first fragment, to the rest of them. -- */ --static unsigned int --ip_vs_preroute_frag6(unsigned int hooknum, struct sk_buff *skb, -- const struct net_device *in, -- const struct net_device *out, -- int (*okfn)(struct sk_buff *)) --{ -- struct sk_buff *reasm = skb_nfct_reasm(skb); -- struct net *net; -- -- /* Skip if not a "replay" from nf_ct_frag6_output or first fragment. -- * ipvs_property is set when checking first fragment -- * in ip_vs_in() and ip_vs_out(). -- */ -- if (reasm) -- IP_VS_DBG(2, "Fragment recv prop:%d\n", reasm->ipvs_property); -- if (!reasm || !reasm->ipvs_property) -- return NF_ACCEPT; -- -- net = skb_net(skb); -- if (!net_ipvs(net)->enable) -- return NF_ACCEPT; -- -- /* Copy stored fw mark, saved in ip_vs_{in,out} */ -- skb->mark = reasm->mark; -- -- return NF_ACCEPT; --} -- --/* - * AF_INET6 handler in NF_INET_LOCAL_IN chain - * Schedule and forward packets from remote clients - */ -@@ -1924,14 +1879,6 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = { - .priority = 100, - }, - #ifdef CONFIG_IP_VS_IPV6 -- /* After mangle & nat fetch 2:nd fragment and following */ -- { -- .hook = ip_vs_preroute_frag6, -- .owner = THIS_MODULE, -- .pf = NFPROTO_IPV6, -- .hooknum = NF_INET_PRE_ROUTING, -- .priority = NF_IP6_PRI_NAT_DST + 1, -- }, - /* After packet filtering, change source only for VS/NAT */ - { - .hook = ip_vs_reply6, -diff --git a/net/netfilter/ipvs/ip_vs_pe_sip.c b/net/netfilter/ipvs/ip_vs_pe_sip.c -index 9ef22bd..bed5f70 100644 ---- a/net/netfilter/ipvs/ip_vs_pe_sip.c -+++ b/net/netfilter/ipvs/ip_vs_pe_sip.c -@@ -65,7 +65,6 @@ static int get_callid(const char *dptr, unsigned int dataoff, - static int - ip_vs_sip_fill_param(struct ip_vs_conn_param *p, struct sk_buff *skb) - { -- struct sk_buff *reasm = skb_nfct_reasm(skb); - struct ip_vs_iphdr iph; - unsigned int dataoff, datalen, matchoff, matchlen; - const char *dptr; -@@ -79,15 +78,10 @@ ip_vs_sip_fill_param(struct ip_vs_conn_param *p, struct sk_buff *skb) - /* todo: IPv6 fragments: - * I think this only should be done for the first fragment. /HS - */ -- if (reasm) { -- skb = reasm; -- dataoff = iph.thoff_reasm + sizeof(struct udphdr); -- } else -- dataoff = iph.len + sizeof(struct udphdr); -+ dataoff = iph.len + sizeof(struct udphdr); - - if (dataoff >= skb->len) - return -EINVAL; -- /* todo: Check if this will mess-up the reasm skb !!! /HS */ - retc = skb_linearize(skb); - if (retc < 0) - return retc; -diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index 8df7f64..6135635 100644 ---- a/net/netlink/af_netlink.c -+++ b/net/netlink/af_netlink.c -@@ -2335,8 +2335,6 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, - } - #endif - -- msg->msg_namelen = 0; -- - copied = data_skb->len; - if (len < copied) { - msg->msg_flags |= MSG_TRUNC; -diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c -index 698814b..53c19a3 100644 ---- a/net/netrom/af_netrom.c -+++ b/net/netrom/af_netrom.c -@@ -1179,10 +1179,9 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock, - sax->sax25_family = AF_NETROM; - skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call, - AX25_ADDR_LEN); -+ msg->msg_namelen = sizeof(*sax); - } - -- msg->msg_namelen = sizeof(*sax); -- - skb_free_datagram(sk, skb); - - release_sock(sk); -diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c -index d308402..824c605 100644 ---- a/net/nfc/llcp_sock.c -+++ b/net/nfc/llcp_sock.c -@@ -807,8 +807,6 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - - pr_debug("%p %zu\n", sk, len); - -- msg->msg_namelen = 0; -- - lock_sock(sk); - - if (sk->sk_state == LLCP_CLOSED && -diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c -index 313bf1b..5d11f4a 100644 ---- a/net/nfc/rawsock.c -+++ b/net/nfc/rawsock.c -@@ -241,8 +241,6 @@ static int rawsock_recvmsg(struct kiocb *iocb, struct socket *sock, - if (!skb) - return rc; - -- msg->msg_namelen = 0; -- - copied = skb->len; - if (len < copied) { - msg->msg_flags |= MSG_TRUNC; -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 2e8286b..ba2548b 100644 ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -244,11 +244,15 @@ static void __fanout_link(struct sock *sk, struct packet_sock *po); - static void register_prot_hook(struct sock *sk) - { - struct packet_sock *po = pkt_sk(sk); -+ - if (!po->running) { -- if (po->fanout) -+ if (po->fanout) { - __fanout_link(sk, po); -- else -+ } else { - dev_add_pack(&po->prot_hook); -+ rcu_assign_pointer(po->cached_dev, po->prot_hook.dev); -+ } -+ - sock_hold(sk); - po->running = 1; - } -@@ -266,10 +270,13 @@ static void __unregister_prot_hook(struct sock *sk, bool sync) - struct packet_sock *po = pkt_sk(sk); - - po->running = 0; -- if (po->fanout) -+ if (po->fanout) { - __fanout_unlink(sk, po); -- else -+ } else { - __dev_remove_pack(&po->prot_hook); -+ RCU_INIT_POINTER(po->cached_dev, NULL); -+ } -+ - __sock_put(sk); - - if (sync) { -@@ -432,9 +439,9 @@ static void prb_shutdown_retire_blk_timer(struct packet_sock *po, - - pkc = tx_ring ? &po->tx_ring.prb_bdqc : &po->rx_ring.prb_bdqc; - -- spin_lock(&rb_queue->lock); -+ spin_lock_bh(&rb_queue->lock); - pkc->delete_blk_timer = 1; -- spin_unlock(&rb_queue->lock); -+ spin_unlock_bh(&rb_queue->lock); - - prb_del_retire_blk_timer(pkc); - } -@@ -2052,12 +2059,24 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb, - return tp_len; - } - -+static struct net_device *packet_cached_dev_get(struct packet_sock *po) -+{ -+ struct net_device *dev; -+ -+ rcu_read_lock(); -+ dev = rcu_dereference(po->cached_dev); -+ if (dev) -+ dev_hold(dev); -+ rcu_read_unlock(); -+ -+ return dev; -+} -+ - static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) - { - struct sk_buff *skb; - struct net_device *dev; - __be16 proto; -- bool need_rls_dev = false; - int err, reserve = 0; - void *ph; - struct sockaddr_ll *saddr = (struct sockaddr_ll *)msg->msg_name; -@@ -2070,7 +2089,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) - mutex_lock(&po->pg_vec_lock); - - if (saddr == NULL) { -- dev = po->prot_hook.dev; -+ dev = packet_cached_dev_get(po); - proto = po->num; - addr = NULL; - } else { -@@ -2084,19 +2103,17 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) - proto = saddr->sll_protocol; - addr = saddr->sll_addr; - dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); -- need_rls_dev = true; - } - - err = -ENXIO; - if (unlikely(dev == NULL)) - goto out; -- -- reserve = dev->hard_header_len; -- - err = -ENETDOWN; - if (unlikely(!(dev->flags & IFF_UP))) - goto out_put; - -+ reserve = dev->hard_header_len; -+ - size_max = po->tx_ring.frame_size - - (po->tp_hdrlen - sizeof(struct sockaddr_ll)); - -@@ -2173,8 +2190,7 @@ out_status: - __packet_set_status(po, ph, status); - kfree_skb(skb); - out_put: -- if (need_rls_dev) -- dev_put(dev); -+ dev_put(dev); - out: - mutex_unlock(&po->pg_vec_lock); - return err; -@@ -2212,7 +2228,6 @@ static int packet_snd(struct socket *sock, - struct sk_buff *skb; - struct net_device *dev; - __be16 proto; -- bool need_rls_dev = false; - unsigned char *addr; - int err, reserve = 0; - struct virtio_net_hdr vnet_hdr = { 0 }; -@@ -2228,7 +2243,7 @@ static int packet_snd(struct socket *sock, - */ - - if (saddr == NULL) { -- dev = po->prot_hook.dev; -+ dev = packet_cached_dev_get(po); - proto = po->num; - addr = NULL; - } else { -@@ -2240,19 +2255,17 @@ static int packet_snd(struct socket *sock, - proto = saddr->sll_protocol; - addr = saddr->sll_addr; - dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); -- need_rls_dev = true; - } - - err = -ENXIO; -- if (dev == NULL) -+ if (unlikely(dev == NULL)) - goto out_unlock; -- if (sock->type == SOCK_RAW) -- reserve = dev->hard_header_len; -- - err = -ENETDOWN; -- if (!(dev->flags & IFF_UP)) -+ if (unlikely(!(dev->flags & IFF_UP))) - goto out_unlock; - -+ if (sock->type == SOCK_RAW) -+ reserve = dev->hard_header_len; - if (po->has_vnet_hdr) { - vnet_hdr_len = sizeof(vnet_hdr); - -@@ -2386,15 +2399,14 @@ static int packet_snd(struct socket *sock, - if (err > 0 && (err = net_xmit_errno(err)) != 0) - goto out_unlock; - -- if (need_rls_dev) -- dev_put(dev); -+ dev_put(dev); - - return len; - - out_free: - kfree_skb(skb); - out_unlock: -- if (dev && need_rls_dev) -+ if (dev) - dev_put(dev); - out: - return err; -@@ -2614,6 +2626,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, - po = pkt_sk(sk); - sk->sk_family = PF_PACKET; - po->num = proto; -+ RCU_INIT_POINTER(po->cached_dev, NULL); - - sk->sk_destruct = packet_sock_destruct; - sk_refcnt_debug_inc(sk); -@@ -2660,7 +2673,6 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock, - struct sock *sk = sock->sk; - struct sk_buff *skb; - int copied, err; -- struct sockaddr_ll *sll; - int vnet_hdr_len = 0; - - err = -EINVAL; -@@ -2744,22 +2756,10 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock, - goto out_free; - } - -- /* -- * If the address length field is there to be filled in, we fill -- * it in now. -+ /* You lose any data beyond the buffer you gave. If it worries -+ * a user program they can ask the device for its MTU -+ * anyway. - */ -- -- sll = &PACKET_SKB_CB(skb)->sa.ll; -- if (sock->type == SOCK_PACKET) -- msg->msg_namelen = sizeof(struct sockaddr_pkt); -- else -- msg->msg_namelen = sll->sll_halen + offsetof(struct sockaddr_ll, sll_addr); -- -- /* -- * You lose any data beyond the buffer you gave. If it worries a -- * user program they can ask the device for its MTU anyway. -- */ -- - copied = skb->len; - if (copied > len) { - copied = len; -@@ -2772,9 +2772,20 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock, - - sock_recv_ts_and_drops(msg, sk, skb); - -- if (msg->msg_name) -+ if (msg->msg_name) { -+ /* If the address length field is there to be filled -+ * in, we fill it in now. -+ */ -+ if (sock->type == SOCK_PACKET) { -+ msg->msg_namelen = sizeof(struct sockaddr_pkt); -+ } else { -+ struct sockaddr_ll *sll = &PACKET_SKB_CB(skb)->sa.ll; -+ msg->msg_namelen = sll->sll_halen + -+ offsetof(struct sockaddr_ll, sll_addr); -+ } - memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, - msg->msg_namelen); -+ } - - if (pkt_sk(sk)->auxdata) { - struct tpacket_auxdata aux; -diff --git a/net/packet/internal.h b/net/packet/internal.h -index c4e4b45..1035fa2 100644 ---- a/net/packet/internal.h -+++ b/net/packet/internal.h -@@ -113,6 +113,7 @@ struct packet_sock { - unsigned int tp_loss:1; - unsigned int tp_tx_has_off:1; - unsigned int tp_tstamp; -+ struct net_device __rcu *cached_dev; - struct packet_type prot_hook ____cacheline_aligned_in_smp; - }; - -diff --git a/net/phonet/datagram.c b/net/phonet/datagram.c -index 12c30f3..38946b2 100644 ---- a/net/phonet/datagram.c -+++ b/net/phonet/datagram.c -@@ -139,9 +139,6 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk, - MSG_CMSG_COMPAT)) - goto out_nofree; - -- if (addr_len) -- *addr_len = sizeof(sa); -- - skb = skb_recv_datagram(sk, flags, noblock, &rval); - if (skb == NULL) - goto out_nofree; -@@ -162,8 +159,10 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk, - - rval = (flags & MSG_TRUNC) ? skb->len : copylen; - -- if (msg->msg_name != NULL) -- memcpy(msg->msg_name, &sa, sizeof(struct sockaddr_pn)); -+ if (msg->msg_name != NULL) { -+ memcpy(msg->msg_name, &sa, sizeof(sa)); -+ *addr_len = sizeof(sa); -+ } - - out: - skb_free_datagram(sk, skb); -diff --git a/net/rds/recv.c b/net/rds/recv.c -index 9f0f17c..de339b2 100644 ---- a/net/rds/recv.c -+++ b/net/rds/recv.c -@@ -410,8 +410,6 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, - - rdsdebug("size %zu flags 0x%x timeo %ld\n", size, msg_flags, timeo); - -- msg->msg_namelen = 0; -- - if (msg_flags & MSG_OOB) - goto out; - -diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c -index e98fcfb..33af772 100644 ---- a/net/rose/af_rose.c -+++ b/net/rose/af_rose.c -@@ -1216,7 +1216,6 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock, - { - struct sock *sk = sock->sk; - struct rose_sock *rose = rose_sk(sk); -- struct sockaddr_rose *srose = (struct sockaddr_rose *)msg->msg_name; - size_t copied; - unsigned char *asmptr; - struct sk_buff *skb; -@@ -1252,8 +1251,11 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock, - - skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); - -- if (srose != NULL) { -- memset(srose, 0, msg->msg_namelen); -+ if (msg->msg_name) { -+ struct sockaddr_rose *srose; -+ -+ memset(msg->msg_name, 0, sizeof(struct full_sockaddr_rose)); -+ srose = msg->msg_name; - srose->srose_family = AF_ROSE; - srose->srose_addr = rose->dest_addr; - srose->srose_call = rose->dest_call; -diff --git a/net/rxrpc/ar-recvmsg.c b/net/rxrpc/ar-recvmsg.c -index 4b48687..898492a 100644 ---- a/net/rxrpc/ar-recvmsg.c -+++ b/net/rxrpc/ar-recvmsg.c -@@ -143,10 +143,13 @@ int rxrpc_recvmsg(struct kiocb *iocb, struct socket *sock, - - /* copy the peer address and timestamp */ - if (!continue_call) { -- if (msg->msg_name && msg->msg_namelen > 0) -+ if (msg->msg_name) { -+ size_t len = -+ sizeof(call->conn->trans->peer->srx); - memcpy(msg->msg_name, -- &call->conn->trans->peer->srx, -- sizeof(call->conn->trans->peer->srx)); -+ &call->conn->trans->peer->srx, len); -+ msg->msg_namelen = len; -+ } - sock_recv_ts_and_drops(msg, &rx->sk, skb); - } - -diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c -index a9dfdda..2e55f81 100644 ---- a/net/sched/sch_fq.c -+++ b/net/sched/sch_fq.c -@@ -88,7 +88,7 @@ struct fq_sched_data { - struct fq_flow internal; /* for non classified or high prio packets */ - u32 quantum; - u32 initial_quantum; -- u32 flow_default_rate;/* rate per flow : bytes per second */ -+ u32 flow_refill_delay; - u32 flow_max_rate; /* optional max rate per flow */ - u32 flow_plimit; /* max packets per flow */ - struct rb_root *fq_root; -@@ -115,6 +115,7 @@ static struct fq_flow detached, throttled; - static void fq_flow_set_detached(struct fq_flow *f) - { - f->next = &detached; -+ f->age = jiffies; - } - - static bool fq_flow_is_detached(const struct fq_flow *f) -@@ -209,21 +210,15 @@ static void fq_gc(struct fq_sched_data *q, - } - } - --static const u8 prio2band[TC_PRIO_MAX + 1] = { -- 1, 2, 2, 2, 1, 2, 0, 0 , 1, 1, 1, 1, 1, 1, 1, 1 --}; -- - static struct fq_flow *fq_classify(struct sk_buff *skb, struct fq_sched_data *q) - { - struct rb_node **p, *parent; - struct sock *sk = skb->sk; - struct rb_root *root; - struct fq_flow *f; -- int band; - - /* warning: no starvation prevention... */ -- band = prio2band[skb->priority & TC_PRIO_MAX]; -- if (unlikely(band == 0)) -+ if (unlikely((skb->priority & TC_PRIO_MAX) == TC_PRIO_CONTROL)) - return &q->internal; - - if (unlikely(!sk)) { -@@ -372,17 +367,20 @@ static int fq_enqueue(struct sk_buff *skb, struct Qdisc *sch) - } - - f->qlen++; -- flow_queue_add(f, skb); - if (skb_is_retransmit(skb)) - q->stat_tcp_retrans++; - sch->qstats.backlog += qdisc_pkt_len(skb); - if (fq_flow_is_detached(f)) { - fq_flow_add_tail(&q->new_flows, f); -- if (q->quantum > f->credit) -- f->credit = q->quantum; -+ if (time_after(jiffies, f->age + q->flow_refill_delay)) -+ f->credit = max_t(u32, f->credit, q->quantum); - q->inactive_flows--; - qdisc_unthrottled(sch); - } -+ -+ /* Note: this overwrites f->age */ -+ flow_queue_add(f, skb); -+ - if (unlikely(f == &q->internal)) { - q->stat_internal_packets++; - qdisc_unthrottled(sch); -@@ -460,7 +458,6 @@ begin: - fq_flow_add_tail(&q->old_flows, f); - } else { - fq_flow_set_detached(f); -- f->age = jiffies; - q->inactive_flows++; - } - goto begin; -@@ -614,6 +611,7 @@ static const struct nla_policy fq_policy[TCA_FQ_MAX + 1] = { - [TCA_FQ_FLOW_DEFAULT_RATE] = { .type = NLA_U32 }, - [TCA_FQ_FLOW_MAX_RATE] = { .type = NLA_U32 }, - [TCA_FQ_BUCKETS_LOG] = { .type = NLA_U32 }, -+ [TCA_FQ_FLOW_REFILL_DELAY] = { .type = NLA_U32 }, - }; - - static int fq_change(struct Qdisc *sch, struct nlattr *opt) -@@ -655,7 +653,8 @@ static int fq_change(struct Qdisc *sch, struct nlattr *opt) - q->initial_quantum = nla_get_u32(tb[TCA_FQ_INITIAL_QUANTUM]); - - if (tb[TCA_FQ_FLOW_DEFAULT_RATE]) -- q->flow_default_rate = nla_get_u32(tb[TCA_FQ_FLOW_DEFAULT_RATE]); -+ pr_warn_ratelimited("sch_fq: defrate %u ignored.\n", -+ nla_get_u32(tb[TCA_FQ_FLOW_DEFAULT_RATE])); - - if (tb[TCA_FQ_FLOW_MAX_RATE]) - q->flow_max_rate = nla_get_u32(tb[TCA_FQ_FLOW_MAX_RATE]); -@@ -669,6 +668,12 @@ static int fq_change(struct Qdisc *sch, struct nlattr *opt) - err = -EINVAL; - } - -+ if (tb[TCA_FQ_FLOW_REFILL_DELAY]) { -+ u32 usecs_delay = nla_get_u32(tb[TCA_FQ_FLOW_REFILL_DELAY]) ; -+ -+ q->flow_refill_delay = usecs_to_jiffies(usecs_delay); -+ } -+ - if (!err) - err = fq_resize(q, fq_log); - -@@ -704,7 +709,7 @@ static int fq_init(struct Qdisc *sch, struct nlattr *opt) - q->flow_plimit = 100; - q->quantum = 2 * psched_mtu(qdisc_dev(sch)); - q->initial_quantum = 10 * psched_mtu(qdisc_dev(sch)); -- q->flow_default_rate = 0; -+ q->flow_refill_delay = msecs_to_jiffies(40); - q->flow_max_rate = ~0U; - q->rate_enable = 1; - q->new_flows.first = NULL; -@@ -731,15 +736,16 @@ static int fq_dump(struct Qdisc *sch, struct sk_buff *skb) - if (opts == NULL) - goto nla_put_failure; - -- /* TCA_FQ_FLOW_DEFAULT_RATE is not used anymore, -- * do not bother giving its value -- */ -+ /* TCA_FQ_FLOW_DEFAULT_RATE is not used anymore */ -+ - if (nla_put_u32(skb, TCA_FQ_PLIMIT, sch->limit) || - nla_put_u32(skb, TCA_FQ_FLOW_PLIMIT, q->flow_plimit) || - nla_put_u32(skb, TCA_FQ_QUANTUM, q->quantum) || - nla_put_u32(skb, TCA_FQ_INITIAL_QUANTUM, q->initial_quantum) || - nla_put_u32(skb, TCA_FQ_RATE_ENABLE, q->rate_enable) || - nla_put_u32(skb, TCA_FQ_FLOW_MAX_RATE, q->flow_max_rate) || -+ nla_put_u32(skb, TCA_FQ_FLOW_REFILL_DELAY, -+ jiffies_to_usecs(q->flow_refill_delay)) || - nla_put_u32(skb, TCA_FQ_BUCKETS_LOG, q->fq_trees_log)) - goto nla_put_failure; - -diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c -index 1aaf1b6..6ddda28 100644 ---- a/net/sched/sch_tbf.c -+++ b/net/sched/sch_tbf.c -@@ -21,6 +21,7 @@ - #include <net/netlink.h> - #include <net/sch_generic.h> - #include <net/pkt_sched.h> -+#include <net/tcp.h> - - - /* Simple Token Bucket Filter. -@@ -117,6 +118,22 @@ struct tbf_sched_data { - }; - - -+/* -+ * Return length of individual segments of a gso packet, -+ * including all headers (MAC, IP, TCP/UDP) -+ */ -+static unsigned int skb_gso_seglen(const struct sk_buff *skb) -+{ -+ unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb); -+ const struct skb_shared_info *shinfo = skb_shinfo(skb); -+ -+ if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))) -+ hdr_len += tcp_hdrlen(skb); -+ else -+ hdr_len += sizeof(struct udphdr); -+ return hdr_len + shinfo->gso_size; -+} -+ - /* GSO packet is too big, segment it so that tbf can transmit - * each segment in time - */ -@@ -136,12 +153,8 @@ static int tbf_segment(struct sk_buff *skb, struct Qdisc *sch) - while (segs) { - nskb = segs->next; - segs->next = NULL; -- if (likely(segs->len <= q->max_size)) { -- qdisc_skb_cb(segs)->pkt_len = segs->len; -- ret = qdisc_enqueue(segs, q->qdisc); -- } else { -- ret = qdisc_reshape_fail(skb, sch); -- } -+ qdisc_skb_cb(segs)->pkt_len = segs->len; -+ ret = qdisc_enqueue(segs, q->qdisc); - if (ret != NET_XMIT_SUCCESS) { - if (net_xmit_drop_count(ret)) - sch->qstats.drops++; -@@ -163,7 +176,7 @@ static int tbf_enqueue(struct sk_buff *skb, struct Qdisc *sch) - int ret; - - if (qdisc_pkt_len(skb) > q->max_size) { -- if (skb_is_gso(skb)) -+ if (skb_is_gso(skb) && skb_gso_seglen(skb) <= q->max_size) - return tbf_segment(skb, sch); - return qdisc_reshape_fail(skb, sch); - } -@@ -316,6 +329,11 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt) - if (max_size < 0) - goto done; - -+ if (max_size < psched_mtu(qdisc_dev(sch))) -+ pr_warn_ratelimited("sch_tbf: burst %u is lower than device %s mtu (%u) !\n", -+ max_size, qdisc_dev(sch)->name, -+ psched_mtu(qdisc_dev(sch))); -+ - if (q->qdisc != &noop_qdisc) { - err = fifo_set_limit(q->qdisc, qopt->limit); - if (err) -diff --git a/net/socket.c b/net/socket.c -index c226ace..e83c416 100644 ---- a/net/socket.c -+++ b/net/socket.c -@@ -221,12 +221,13 @@ static int move_addr_to_user(struct sockaddr_storage *kaddr, int klen, - int err; - int len; - -+ BUG_ON(klen > sizeof(struct sockaddr_storage)); - err = get_user(len, ulen); - if (err) - return err; - if (len > klen) - len = klen; -- if (len < 0 || len > sizeof(struct sockaddr_storage)) -+ if (len < 0) - return -EINVAL; - if (len) { - if (audit_sockaddr(klen, kaddr)) -@@ -1840,8 +1841,10 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, - msg.msg_iov = &iov; - iov.iov_len = size; - iov.iov_base = ubuf; -- msg.msg_name = (struct sockaddr *)&address; -- msg.msg_namelen = sizeof(address); -+ /* Save some cycles and don't copy the address if not needed */ -+ msg.msg_name = addr ? (struct sockaddr *)&address : NULL; -+ /* We assume all kernel code knows the size of sockaddr_storage */ -+ msg.msg_namelen = 0; - if (sock->file->f_flags & O_NONBLOCK) - flags |= MSG_DONTWAIT; - err = sock_recvmsg(sock, &msg, size, flags); -@@ -1970,7 +1973,7 @@ static int copy_msghdr_from_user(struct msghdr *kmsg, - if (copy_from_user(kmsg, umsg, sizeof(struct msghdr))) - return -EFAULT; - if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) -- return -EINVAL; -+ kmsg->msg_namelen = sizeof(struct sockaddr_storage); - return 0; - } - -@@ -2221,16 +2224,14 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, - goto out; - } - -- /* -- * Save the user-mode address (verify_iovec will change the -- * kernel msghdr to use the kernel address space) -+ /* Save the user-mode address (verify_iovec will change the -+ * kernel msghdr to use the kernel address space) - */ -- - uaddr = (__force void __user *)msg_sys->msg_name; - uaddr_len = COMPAT_NAMELEN(msg); -- if (MSG_CMSG_COMPAT & flags) { -+ if (MSG_CMSG_COMPAT & flags) - err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE); -- } else -+ else - err = verify_iovec(msg_sys, iov, &addr, VERIFY_WRITE); - if (err < 0) - goto out_freeiov; -@@ -2239,6 +2240,9 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, - cmsg_ptr = (unsigned long)msg_sys->msg_control; - msg_sys->msg_flags = flags & (MSG_CMSG_CLOEXEC|MSG_CMSG_COMPAT); - -+ /* We assume all kernel code knows the size of sockaddr_storage */ -+ msg_sys->msg_namelen = 0; -+ - if (sock->file->f_flags & O_NONBLOCK) - flags |= MSG_DONTWAIT; - err = (nosec ? sock_recvmsg_nosec : sock_recvmsg)(sock, msg_sys, -diff --git a/net/tipc/socket.c b/net/tipc/socket.c -index 6cc7ddd..dffdbea 100644 ---- a/net/tipc/socket.c -+++ b/net/tipc/socket.c -@@ -984,9 +984,6 @@ static int recv_msg(struct kiocb *iocb, struct socket *sock, - goto exit; - } - -- /* will be updated in set_orig_addr() if needed */ -- m->msg_namelen = 0; -- - timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); - restart: - -@@ -1095,9 +1092,6 @@ static int recv_stream(struct kiocb *iocb, struct socket *sock, - goto exit; - } - -- /* will be updated in set_orig_addr() if needed */ -- m->msg_namelen = 0; -- - target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len); - timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index c1f403b..01625cc 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -1754,7 +1754,6 @@ static void unix_copy_addr(struct msghdr *msg, struct sock *sk) - { - struct unix_sock *u = unix_sk(sk); - -- msg->msg_namelen = 0; - if (u->addr) { - msg->msg_namelen = u->addr->len; - memcpy(msg->msg_name, u->addr->name, u->addr->len); -@@ -1778,8 +1777,6 @@ static int unix_dgram_recvmsg(struct kiocb *iocb, struct socket *sock, - if (flags&MSG_OOB) - goto out; - -- msg->msg_namelen = 0; -- - err = mutex_lock_interruptible(&u->readlock); - if (err) { - err = sock_intr_errno(sock_rcvtimeo(sk, noblock)); -@@ -1924,8 +1921,6 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock, - target = sock_rcvlowat(sk, flags&MSG_WAITALL, size); - timeo = sock_rcvtimeo(sk, flags&MSG_DONTWAIT); - -- msg->msg_namelen = 0; -- - /* Lock the socket to prevent queue disordering - * while sleeps in memcpy_tomsg - */ -diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c -index 545c08b..5adfd94 100644 ---- a/net/vmw_vsock/af_vsock.c -+++ b/net/vmw_vsock/af_vsock.c -@@ -1662,8 +1662,6 @@ vsock_stream_recvmsg(struct kiocb *kiocb, - vsk = vsock_sk(sk); - err = 0; - -- msg->msg_namelen = 0; -- - lock_sock(sk); - - if (sk->sk_state != SS_CONNECTED) { -diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c -index 9d69866..687360d 100644 ---- a/net/vmw_vsock/vmci_transport.c -+++ b/net/vmw_vsock/vmci_transport.c -@@ -1746,8 +1746,6 @@ static int vmci_transport_dgram_dequeue(struct kiocb *kiocb, - if (flags & MSG_OOB || flags & MSG_ERRQUEUE) - return -EOPNOTSUPP; - -- msg->msg_namelen = 0; -- - /* Retrieve the head sk_buff from the socket's receive queue. */ - err = 0; - skb = skb_recv_datagram(&vsk->sk, flags, noblock, &err); -diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c -index 45a3ab5..7622789 100644 ---- a/net/x25/af_x25.c -+++ b/net/x25/af_x25.c -@@ -1340,10 +1340,9 @@ static int x25_recvmsg(struct kiocb *iocb, struct socket *sock, - if (sx25) { - sx25->sx25_family = AF_X25; - sx25->sx25_addr = x25->dest_addr; -+ msg->msg_namelen = sizeof(*sx25); - } - -- msg->msg_namelen = sizeof(struct sockaddr_x25); -- - x25_check_rbuf(sk); - rc = copied; - out_free_dgram: diff --git a/3.12.4/0000_README b/3.12.5/0000_README index 3cb0775..374fa29 100644 --- a/3.12.4/0000_README +++ b/3.12.5/0000_README @@ -2,11 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 1003_linux-3.12.4.patch -From: http://www.kernel.org -Desc: Linux 3.12.4 - -Patch: 4420_grsecurity-3.0-3.12.4-201312081754.patch +Patch: 4420_grsecurity-3.0-3.12.5-201312132204.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.12.4/4420_grsecurity-3.0-3.12.4-201312081754.patch b/3.12.5/4420_grsecurity-3.0-3.12.5-201312132204.patch index fa9c2c7..013a53f 100644 --- a/3.12.4/4420_grsecurity-3.0-3.12.4-201312081754.patch +++ b/3.12.5/4420_grsecurity-3.0-3.12.5-201312132204.patch @@ -281,7 +281,7 @@ index fcbb736..5508d8c 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 3b7165e..9112a63 100644 +index 986f3cd..8691deb 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -1968,7 +1968,7 @@ index 5689c18..eea12f9 100644 #define L_PTE_DIRTY_HIGH (1 << (55 - 32)) diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h -index be956db..c8f25e2 100644 +index 1571d12..b8a9b43 100644 --- a/arch/arm/include/asm/pgtable.h +++ b/arch/arm/include/asm/pgtable.h @@ -33,6 +33,9 @@ @@ -4123,7 +4123,7 @@ index f123d6e..04bf569 100644 return __arm_ioremap_caller(phys_addr, size, mtype, __builtin_return_address(0)); diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c -index 0c63562..7128a90 100644 +index 304661d..53a6b19 100644 --- a/arch/arm/mm/mmap.c +++ b/arch/arm/mm/mmap.c @@ -59,6 +59,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, @@ -7242,7 +7242,7 @@ index 2a625fb..9908930 100644 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n", me->arch.unwind_section, table, end, gp); diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c -index 5dfd248..64914ac 100644 +index 0d3a9d4..44975d0 100644 --- a/arch/parisc/kernel/sys_parisc.c +++ b/arch/parisc/kernel/sys_parisc.c @@ -33,9 +33,11 @@ @@ -7266,29 +7266,26 @@ index 5dfd248..64914ac 100644 return vm_unmapped_area(&info); } -@@ -61,10 +64,11 @@ static int get_offset(struct address_space *mapping) - return (unsigned long) mapping >> 8; +@@ -69,15 +72,17 @@ static unsigned long shared_align_offset(struct file *filp, unsigned long pgoff) } --static unsigned long get_shared_area(struct address_space *mapping, -- unsigned long addr, unsigned long len, unsigned long pgoff) -+static unsigned long get_shared_area(struct file *filp, struct address_space *mapping, -+ unsigned long addr, unsigned long len, unsigned long pgoff, unsigned long flags) + static unsigned long get_shared_area(struct file *filp, unsigned long addr, +- unsigned long len, unsigned long pgoff) ++ unsigned long len, unsigned long pgoff, unsigned long flags) { struct vm_unmapped_area_info info; + unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags); info.flags = 0; info.length = len; -@@ -72,6 +76,7 @@ static unsigned long get_shared_area(struct address_space *mapping, + info.low_limit = PAGE_ALIGN(addr); info.high_limit = TASK_SIZE; info.align_mask = PAGE_MASK & (SHMLBA - 1); - info.align_offset = (get_offset(mapping) + pgoff) << PAGE_SHIFT; + info.threadstack_offset = offset; + info.align_offset = shared_align_offset(filp, pgoff); return vm_unmapped_area(&info); } - -@@ -86,15 +91,22 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -93,13 +98,20 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, return -EINVAL; return addr; } @@ -7303,16 +7300,13 @@ index 5dfd248..64914ac 100644 + + } + - if (filp) { -- addr = get_shared_area(filp->f_mapping, addr, len, pgoff); -+ addr = get_shared_area(filp, filp->f_mapping, addr, len, pgoff, flags); - } else if(flags & MAP_SHARED) { -- addr = get_shared_area(NULL, addr, len, pgoff); -+ addr = get_shared_area(filp, NULL, addr, len, pgoff, flags); - } else { + if (filp || (flags & MAP_SHARED)) +- addr = get_shared_area(filp, addr, len, pgoff); ++ addr = get_shared_area(filp, addr, len, pgoff, flags); + else - addr = get_unshared_area(addr, len); -+ addr = get_unshared_area(filp, addr, len, flags); - } ++ addr = get_unshared_area(addr, len, flags); + return addr; } diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c @@ -11748,10 +11742,10 @@ index 78d91af..8ceb94b 100644 This option helps catch unintended modifications to loadable kernel module's text and read-only data. It also prevents execution diff --git a/arch/x86/Makefile b/arch/x86/Makefile -index 41250fb..863762e 100644 +index eda00f9..c511701 100644 --- a/arch/x86/Makefile +++ b/arch/x86/Makefile -@@ -46,14 +46,12 @@ ifeq ($(CONFIG_X86_32),y) +@@ -49,14 +49,12 @@ ifeq ($(CONFIG_X86_32),y) # CPU-specific tuning. Anything which can be shared with UML should go here. include $(srctree)/arch/x86/Makefile_32.cpu KBUILD_CFLAGS += $(cflags-y) @@ -11767,7 +11761,7 @@ index 41250fb..863762e 100644 KBUILD_AFLAGS += -m64 KBUILD_CFLAGS += -m64 -@@ -83,6 +81,9 @@ else +@@ -89,6 +87,9 @@ else KBUILD_CFLAGS += -maccumulate-outgoing-args endif @@ -11777,7 +11771,7 @@ index 41250fb..863762e 100644 ifdef CONFIG_CC_STACKPROTECTOR cc_has_sp := $(srctree)/scripts/gcc-x86_$(BITS)-has-stack-protector.sh ifeq ($(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC) $(KBUILD_CPPFLAGS) $(biarch)),y) -@@ -241,3 +242,12 @@ define archhelp +@@ -247,3 +248,12 @@ define archhelp echo ' FDINITRD=file initrd for the booted kernel' echo ' kvmconfig - Enable additional options for guest kernel support' endef @@ -12159,7 +12153,7 @@ index 43eda28..5ab5fdb 100644 unsigned int v; diff --git a/arch/x86/crypto/aes-x86_64-asm_64.S b/arch/x86/crypto/aes-x86_64-asm_64.S -index 9105655..5e37f27 100644 +index 9105655..41779c1 100644 --- a/arch/x86/crypto/aes-x86_64-asm_64.S +++ b/arch/x86/crypto/aes-x86_64-asm_64.S @@ -8,6 +8,8 @@ @@ -12175,13 +12169,13 @@ index 9105655..5e37f27 100644 je B192; \ leaq 32(r9),r9; -+#define ret pax_force_retaddr 0, 1; ret ++#define ret pax_force_retaddr; ret + #define epilogue(FUNC,r1,r2,r3,r4,r5,r6,r7,r8,r9) \ movq r1,r2; \ movq r3,r4; \ diff --git a/arch/x86/crypto/aesni-intel_asm.S b/arch/x86/crypto/aesni-intel_asm.S -index 477e9d7..3ab339f 100644 +index 477e9d7..c92c7d8 100644 --- a/arch/x86/crypto/aesni-intel_asm.S +++ b/arch/x86/crypto/aesni-intel_asm.S @@ -31,6 +31,7 @@ @@ -12192,19 +12186,240 @@ index 477e9d7..3ab339f 100644 #ifdef __x86_64__ .data -@@ -1441,6 +1442,7 @@ _return_T_done_decrypt: +@@ -205,7 +206,7 @@ enc: .octa 0x2 + * num_initial_blocks = b mod 4 + * encrypt the initial num_initial_blocks blocks and apply ghash on + * the ciphertext +-* %r10, %r11, %r12, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers ++* %r10, %r11, %r15, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers + * are clobbered + * arg1, %arg2, %arg3, %r14 are used as a pointer only, not modified + */ +@@ -214,8 +215,8 @@ enc: .octa 0x2 + .macro INITIAL_BLOCKS_DEC num_initial_blocks TMP1 TMP2 TMP3 TMP4 TMP5 XMM0 XMM1 \ + XMM2 XMM3 XMM4 XMMDst TMP6 TMP7 i i_seq operation + mov arg7, %r10 # %r10 = AAD +- mov arg8, %r12 # %r12 = aadLen +- mov %r12, %r11 ++ mov arg8, %r15 # %r15 = aadLen ++ mov %r15, %r11 + pxor %xmm\i, %xmm\i + _get_AAD_loop\num_initial_blocks\operation: + movd (%r10), \TMP1 +@@ -223,15 +224,15 @@ _get_AAD_loop\num_initial_blocks\operation: + psrldq $4, %xmm\i + pxor \TMP1, %xmm\i + add $4, %r10 +- sub $4, %r12 ++ sub $4, %r15 + jne _get_AAD_loop\num_initial_blocks\operation + cmp $16, %r11 + je _get_AAD_loop2_done\num_initial_blocks\operation +- mov $16, %r12 ++ mov $16, %r15 + _get_AAD_loop2\num_initial_blocks\operation: + psrldq $4, %xmm\i +- sub $4, %r12 +- cmp %r11, %r12 ++ sub $4, %r15 ++ cmp %r11, %r15 + jne _get_AAD_loop2\num_initial_blocks\operation + _get_AAD_loop2_done\num_initial_blocks\operation: + movdqa SHUF_MASK(%rip), %xmm14 +@@ -443,7 +444,7 @@ _initial_blocks_done\num_initial_blocks\operation: + * num_initial_blocks = b mod 4 + * encrypt the initial num_initial_blocks blocks and apply ghash on + * the ciphertext +-* %r10, %r11, %r12, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers ++* %r10, %r11, %r15, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers + * are clobbered + * arg1, %arg2, %arg3, %r14 are used as a pointer only, not modified + */ +@@ -452,8 +453,8 @@ _initial_blocks_done\num_initial_blocks\operation: + .macro INITIAL_BLOCKS_ENC num_initial_blocks TMP1 TMP2 TMP3 TMP4 TMP5 XMM0 XMM1 \ + XMM2 XMM3 XMM4 XMMDst TMP6 TMP7 i i_seq operation + mov arg7, %r10 # %r10 = AAD +- mov arg8, %r12 # %r12 = aadLen +- mov %r12, %r11 ++ mov arg8, %r15 # %r15 = aadLen ++ mov %r15, %r11 + pxor %xmm\i, %xmm\i + _get_AAD_loop\num_initial_blocks\operation: + movd (%r10), \TMP1 +@@ -461,15 +462,15 @@ _get_AAD_loop\num_initial_blocks\operation: + psrldq $4, %xmm\i + pxor \TMP1, %xmm\i + add $4, %r10 +- sub $4, %r12 ++ sub $4, %r15 + jne _get_AAD_loop\num_initial_blocks\operation + cmp $16, %r11 + je _get_AAD_loop2_done\num_initial_blocks\operation +- mov $16, %r12 ++ mov $16, %r15 + _get_AAD_loop2\num_initial_blocks\operation: + psrldq $4, %xmm\i +- sub $4, %r12 +- cmp %r11, %r12 ++ sub $4, %r15 ++ cmp %r11, %r15 + jne _get_AAD_loop2\num_initial_blocks\operation + _get_AAD_loop2_done\num_initial_blocks\operation: + movdqa SHUF_MASK(%rip), %xmm14 +@@ -1269,7 +1270,7 @@ TMP7 XMM1 XMM2 XMM3 XMM4 XMMDst + * + *****************************************************************************/ + ENTRY(aesni_gcm_dec) +- push %r12 ++ push %r15 + push %r13 + push %r14 + mov %rsp, %r14 +@@ -1279,8 +1280,8 @@ ENTRY(aesni_gcm_dec) + */ + sub $VARIABLE_OFFSET, %rsp + and $~63, %rsp # align rsp to 64 bytes +- mov %arg6, %r12 +- movdqu (%r12), %xmm13 # %xmm13 = HashKey ++ mov %arg6, %r15 ++ movdqu (%r15), %xmm13 # %xmm13 = HashKey + movdqa SHUF_MASK(%rip), %xmm2 + PSHUFB_XMM %xmm2, %xmm13 + +@@ -1308,10 +1309,10 @@ ENTRY(aesni_gcm_dec) + movdqa %xmm13, HashKey(%rsp) # store HashKey<<1 (mod poly) + mov %arg4, %r13 # save the number of bytes of plaintext/ciphertext + and $-16, %r13 # %r13 = %r13 - (%r13 mod 16) +- mov %r13, %r12 +- and $(3<<4), %r12 ++ mov %r13, %r15 ++ and $(3<<4), %r15 + jz _initial_num_blocks_is_0_decrypt +- cmp $(2<<4), %r12 ++ cmp $(2<<4), %r15 + jb _initial_num_blocks_is_1_decrypt + je _initial_num_blocks_is_2_decrypt + _initial_num_blocks_is_3_decrypt: +@@ -1361,16 +1362,16 @@ _zero_cipher_left_decrypt: + sub $16, %r11 + add %r13, %r11 + movdqu (%arg3,%r11,1), %xmm1 # receive the last <16 byte block +- lea SHIFT_MASK+16(%rip), %r12 +- sub %r13, %r12 ++ lea SHIFT_MASK+16(%rip), %r15 ++ sub %r13, %r15 + # adjust the shuffle mask pointer to be able to shift 16-%r13 bytes + # (%r13 is the number of bytes in plaintext mod 16) +- movdqu (%r12), %xmm2 # get the appropriate shuffle mask ++ movdqu (%r15), %xmm2 # get the appropriate shuffle mask + PSHUFB_XMM %xmm2, %xmm1 # right shift 16-%r13 butes + + movdqa %xmm1, %xmm2 + pxor %xmm1, %xmm0 # Ciphertext XOR E(K, Yn) +- movdqu ALL_F-SHIFT_MASK(%r12), %xmm1 ++ movdqu ALL_F-SHIFT_MASK(%r15), %xmm1 + # get the appropriate mask to mask out top 16-%r13 bytes of %xmm0 + pand %xmm1, %xmm0 # mask out top 16-%r13 bytes of %xmm0 + pand %xmm1, %xmm2 +@@ -1399,9 +1400,9 @@ _less_than_8_bytes_left_decrypt: + sub $1, %r13 + jne _less_than_8_bytes_left_decrypt + _multiple_of_16_bytes_decrypt: +- mov arg8, %r12 # %r13 = aadLen (number of bytes) +- shl $3, %r12 # convert into number of bits +- movd %r12d, %xmm15 # len(A) in %xmm15 ++ mov arg8, %r15 # %r13 = aadLen (number of bytes) ++ shl $3, %r15 # convert into number of bits ++ movd %r15d, %xmm15 # len(A) in %xmm15 + shl $3, %arg4 # len(C) in bits (*128) + MOVQ_R64_XMM %arg4, %xmm1 + pslldq $8, %xmm15 # %xmm15 = len(A)||0x0000000000000000 +@@ -1440,7 +1441,8 @@ _return_T_done_decrypt: + mov %r14, %rsp pop %r14 pop %r13 - pop %r12 -+ pax_force_retaddr 0, 1 +- pop %r12 ++ pop %r15 ++ pax_force_retaddr ret ENDPROC(aesni_gcm_dec) -@@ -1705,6 +1707,7 @@ _return_T_done_encrypt: +@@ -1529,7 +1531,7 @@ ENDPROC(aesni_gcm_dec) + * poly = x^128 + x^127 + x^126 + x^121 + 1 + ***************************************************************************/ + ENTRY(aesni_gcm_enc) +- push %r12 ++ push %r15 + push %r13 + push %r14 + mov %rsp, %r14 +@@ -1539,8 +1541,8 @@ ENTRY(aesni_gcm_enc) + # + sub $VARIABLE_OFFSET, %rsp + and $~63, %rsp +- mov %arg6, %r12 +- movdqu (%r12), %xmm13 ++ mov %arg6, %r15 ++ movdqu (%r15), %xmm13 + movdqa SHUF_MASK(%rip), %xmm2 + PSHUFB_XMM %xmm2, %xmm13 + +@@ -1564,13 +1566,13 @@ ENTRY(aesni_gcm_enc) + movdqa %xmm13, HashKey(%rsp) + mov %arg4, %r13 # %xmm13 holds HashKey<<1 (mod poly) + and $-16, %r13 +- mov %r13, %r12 ++ mov %r13, %r15 + + # Encrypt first few blocks + +- and $(3<<4), %r12 ++ and $(3<<4), %r15 + jz _initial_num_blocks_is_0_encrypt +- cmp $(2<<4), %r12 ++ cmp $(2<<4), %r15 + jb _initial_num_blocks_is_1_encrypt + je _initial_num_blocks_is_2_encrypt + _initial_num_blocks_is_3_encrypt: +@@ -1623,14 +1625,14 @@ _zero_cipher_left_encrypt: + sub $16, %r11 + add %r13, %r11 + movdqu (%arg3,%r11,1), %xmm1 # receive the last <16 byte blocks +- lea SHIFT_MASK+16(%rip), %r12 +- sub %r13, %r12 ++ lea SHIFT_MASK+16(%rip), %r15 ++ sub %r13, %r15 + # adjust the shuffle mask pointer to be able to shift 16-r13 bytes + # (%r13 is the number of bytes in plaintext mod 16) +- movdqu (%r12), %xmm2 # get the appropriate shuffle mask ++ movdqu (%r15), %xmm2 # get the appropriate shuffle mask + PSHUFB_XMM %xmm2, %xmm1 # shift right 16-r13 byte + pxor %xmm1, %xmm0 # Plaintext XOR Encrypt(K, Yn) +- movdqu ALL_F-SHIFT_MASK(%r12), %xmm1 ++ movdqu ALL_F-SHIFT_MASK(%r15), %xmm1 + # get the appropriate mask to mask out top 16-r13 bytes of xmm0 + pand %xmm1, %xmm0 # mask out top 16-r13 bytes of xmm0 + movdqa SHUF_MASK(%rip), %xmm10 +@@ -1663,9 +1665,9 @@ _less_than_8_bytes_left_encrypt: + sub $1, %r13 + jne _less_than_8_bytes_left_encrypt + _multiple_of_16_bytes_encrypt: +- mov arg8, %r12 # %r12 = addLen (number of bytes) +- shl $3, %r12 +- movd %r12d, %xmm15 # len(A) in %xmm15 ++ mov arg8, %r15 # %r15 = addLen (number of bytes) ++ shl $3, %r15 ++ movd %r15d, %xmm15 # len(A) in %xmm15 + shl $3, %arg4 # len(C) in bits (*128) + MOVQ_R64_XMM %arg4, %xmm1 + pslldq $8, %xmm15 # %xmm15 = len(A)||0x0000000000000000 +@@ -1704,7 +1706,8 @@ _return_T_done_encrypt: + mov %r14, %rsp pop %r14 pop %r13 - pop %r12 -+ pax_force_retaddr 0, 1 +- pop %r12 ++ pop %r15 ++ pax_force_retaddr ret ENDPROC(aesni_gcm_enc) @@ -12212,7 +12427,7 @@ index 477e9d7..3ab339f 100644 pxor %xmm1, %xmm0 movaps %xmm0, (TKEYP) add $0x10, TKEYP -+ pax_force_retaddr_bts ++ pax_force_retaddr ret ENDPROC(_key_expansion_128) ENDPROC(_key_expansion_256a) @@ -12220,7 +12435,7 @@ index 477e9d7..3ab339f 100644 shufps $0b01001110, %xmm2, %xmm1 movaps %xmm1, 0x10(TKEYP) add $0x20, TKEYP -+ pax_force_retaddr_bts ++ pax_force_retaddr ret ENDPROC(_key_expansion_192a) @@ -12228,7 +12443,7 @@ index 477e9d7..3ab339f 100644 movaps %xmm0, (TKEYP) add $0x10, TKEYP -+ pax_force_retaddr_bts ++ pax_force_retaddr ret ENDPROC(_key_expansion_192b) @@ -12236,7 +12451,7 @@ index 477e9d7..3ab339f 100644 pxor %xmm1, %xmm2 movaps %xmm2, (TKEYP) add $0x10, TKEYP -+ pax_force_retaddr_bts ++ pax_force_retaddr ret ENDPROC(_key_expansion_256b) @@ -12244,7 +12459,7 @@ index 477e9d7..3ab339f 100644 #ifndef __x86_64__ popl KEYP #endif -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret ENDPROC(aesni_set_key) @@ -12252,7 +12467,7 @@ index 477e9d7..3ab339f 100644 popl KLEN popl KEYP #endif -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret ENDPROC(aesni_enc) @@ -12260,7 +12475,7 @@ index 477e9d7..3ab339f 100644 AESENC KEY STATE movaps 0x70(TKEYP), KEY AESENCLAST KEY STATE -+ pax_force_retaddr_bts ++ pax_force_retaddr ret ENDPROC(_aesni_enc1) @@ -12268,7 +12483,7 @@ index 477e9d7..3ab339f 100644 AESENCLAST KEY STATE2 AESENCLAST KEY STATE3 AESENCLAST KEY STATE4 -+ pax_force_retaddr_bts ++ pax_force_retaddr ret ENDPROC(_aesni_enc4) @@ -12276,7 +12491,7 @@ index 477e9d7..3ab339f 100644 popl KLEN popl KEYP #endif -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret ENDPROC(aesni_dec) @@ -12284,7 +12499,7 @@ index 477e9d7..3ab339f 100644 AESDEC KEY STATE movaps 0x70(TKEYP), KEY AESDECLAST KEY STATE -+ pax_force_retaddr_bts ++ pax_force_retaddr ret ENDPROC(_aesni_dec1) @@ -12292,7 +12507,7 @@ index 477e9d7..3ab339f 100644 AESDECLAST KEY STATE2 AESDECLAST KEY STATE3 AESDECLAST KEY STATE4 -+ pax_force_retaddr_bts ++ pax_force_retaddr ret ENDPROC(_aesni_dec4) @@ -12300,7 +12515,7 @@ index 477e9d7..3ab339f 100644 popl KEYP popl LEN #endif -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret ENDPROC(aesni_ecb_enc) @@ -12308,7 +12523,7 @@ index 477e9d7..3ab339f 100644 popl KEYP popl LEN #endif -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret ENDPROC(aesni_ecb_dec) @@ -12316,7 +12531,7 @@ index 477e9d7..3ab339f 100644 popl LEN popl IVP #endif -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret ENDPROC(aesni_cbc_enc) @@ -12324,7 +12539,7 @@ index 477e9d7..3ab339f 100644 popl LEN popl IVP #endif -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret ENDPROC(aesni_cbc_dec) @@ -12332,7 +12547,7 @@ index 477e9d7..3ab339f 100644 mov $1, TCTR_LOW MOVQ_R64_XMM TCTR_LOW INC MOVQ_R64_XMM CTR TCTR_LOW -+ pax_force_retaddr_bts ++ pax_force_retaddr ret ENDPROC(_aesni_inc_init) @@ -12340,7 +12555,7 @@ index 477e9d7..3ab339f 100644 .Linc_low: movaps CTR, IV PSHUFB_XMM BSWAP_MASK IV -+ pax_force_retaddr_bts ++ pax_force_retaddr ret ENDPROC(_aesni_inc) @@ -12348,7 +12563,7 @@ index 477e9d7..3ab339f 100644 .Lctr_enc_ret: movups IV, (IVP) .Lctr_enc_just_ret: -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret ENDPROC(aesni_ctr_enc) @@ -12356,12 +12571,12 @@ index 477e9d7..3ab339f 100644 pxor INC, STATE4 movdqu STATE4, 0x70(OUTP) -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret ENDPROC(aesni_xts_crypt8) diff --git a/arch/x86/crypto/blowfish-x86_64-asm_64.S b/arch/x86/crypto/blowfish-x86_64-asm_64.S -index 246c670..4d1ed00 100644 +index 246c670..466e2d6 100644 --- a/arch/x86/crypto/blowfish-x86_64-asm_64.S +++ b/arch/x86/crypto/blowfish-x86_64-asm_64.S @@ -21,6 +21,7 @@ @@ -12376,11 +12591,11 @@ index 246c670..4d1ed00 100644 jnz .L__enc_xor; write_block(); -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; .L__enc_xor: xor_block(); -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(__blowfish_enc_blk) @@ -12388,7 +12603,7 @@ index 246c670..4d1ed00 100644 movq %r11, %rbp; -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(blowfish_dec_blk) @@ -12396,7 +12611,7 @@ index 246c670..4d1ed00 100644 popq %rbx; popq %rbp; -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; .L__enc_xor4: @@ -12404,7 +12619,7 @@ index 246c670..4d1ed00 100644 popq %rbx; popq %rbp; -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(__blowfish_enc_blk_4way) @@ -12412,11 +12627,11 @@ index 246c670..4d1ed00 100644 popq %rbx; popq %rbp; -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(blowfish_dec_blk_4way) diff --git a/arch/x86/crypto/camellia-aesni-avx-asm_64.S b/arch/x86/crypto/camellia-aesni-avx-asm_64.S -index ce71f92..2dd5b1e 100644 +index ce71f92..1dce7ec 100644 --- a/arch/x86/crypto/camellia-aesni-avx-asm_64.S +++ b/arch/x86/crypto/camellia-aesni-avx-asm_64.S @@ -16,6 +16,7 @@ @@ -12431,7 +12646,7 @@ index ce71f92..2dd5b1e 100644 roundsm16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm15, %rcx, (%r9)); -+ pax_force_retaddr_bts ++ pax_force_retaddr ret; ENDPROC(roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd) @@ -12439,7 +12654,7 @@ index ce71f92..2dd5b1e 100644 roundsm16(%xmm4, %xmm5, %xmm6, %xmm7, %xmm0, %xmm1, %xmm2, %xmm3, %xmm12, %xmm13, %xmm14, %xmm15, %xmm8, %xmm9, %xmm10, %xmm11, %rax, (%r9)); -+ pax_force_retaddr_bts ++ pax_force_retaddr ret; ENDPROC(roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab) @@ -12447,7 +12662,7 @@ index ce71f92..2dd5b1e 100644 %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 16(%rax)); -+ pax_force_retaddr_bts ++ pax_force_retaddr ret; .align 8 @@ -12455,7 +12670,7 @@ index ce71f92..2dd5b1e 100644 %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm15, (key_table)(CTX), (%rax), 1 * 16(%rax)); -+ pax_force_retaddr_bts ++ pax_force_retaddr ret; .align 8 @@ -12463,7 +12678,7 @@ index ce71f92..2dd5b1e 100644 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9, %xmm8, %rsi); -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(camellia_ecb_enc_16way) @@ -12471,7 +12686,7 @@ index ce71f92..2dd5b1e 100644 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9, %xmm8, %rsi); -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(camellia_ecb_dec_16way) @@ -12479,7 +12694,7 @@ index ce71f92..2dd5b1e 100644 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9, %xmm8, %rsi); -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(camellia_cbc_dec_16way) @@ -12487,7 +12702,7 @@ index ce71f92..2dd5b1e 100644 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9, %xmm8, %rsi); -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(camellia_ctr_16way) @@ -12495,12 +12710,12 @@ index ce71f92..2dd5b1e 100644 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9, %xmm8, %rsi); -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(camellia_xts_crypt_16way) diff --git a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S -index 0e0b886..8fc756a 100644 +index 0e0b886..5a3123c 100644 --- a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S +++ b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S @@ -11,6 +11,7 @@ @@ -12515,7 +12730,7 @@ index 0e0b886..8fc756a 100644 roundsm32(%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7, %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14, %ymm15, %rcx, (%r9)); -+ pax_force_retaddr_bts ++ pax_force_retaddr ret; ENDPROC(roundsm32_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd) @@ -12523,7 +12738,7 @@ index 0e0b886..8fc756a 100644 roundsm32(%ymm4, %ymm5, %ymm6, %ymm7, %ymm0, %ymm1, %ymm2, %ymm3, %ymm12, %ymm13, %ymm14, %ymm15, %ymm8, %ymm9, %ymm10, %ymm11, %rax, (%r9)); -+ pax_force_retaddr_bts ++ pax_force_retaddr ret; ENDPROC(roundsm32_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab) @@ -12531,7 +12746,7 @@ index 0e0b886..8fc756a 100644 %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14, %ymm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 32(%rax)); -+ pax_force_retaddr_bts ++ pax_force_retaddr ret; .align 8 @@ -12539,7 +12754,7 @@ index 0e0b886..8fc756a 100644 %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14, %ymm15, (key_table)(CTX), (%rax), 1 * 32(%rax)); -+ pax_force_retaddr_bts ++ pax_force_retaddr ret; .align 8 @@ -12547,7 +12762,7 @@ index 0e0b886..8fc756a 100644 vzeroupper; -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(camellia_ecb_enc_32way) @@ -12555,7 +12770,7 @@ index 0e0b886..8fc756a 100644 vzeroupper; -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(camellia_ecb_dec_32way) @@ -12563,7 +12778,7 @@ index 0e0b886..8fc756a 100644 vzeroupper; -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(camellia_cbc_dec_32way) @@ -12571,7 +12786,7 @@ index 0e0b886..8fc756a 100644 vzeroupper; -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(camellia_ctr_32way) @@ -12579,12 +12794,12 @@ index 0e0b886..8fc756a 100644 vzeroupper; -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(camellia_xts_crypt_32way) diff --git a/arch/x86/crypto/camellia-x86_64-asm_64.S b/arch/x86/crypto/camellia-x86_64-asm_64.S -index 310319c..ce174a4 100644 +index 310319c..db3d7b5 100644 --- a/arch/x86/crypto/camellia-x86_64-asm_64.S +++ b/arch/x86/crypto/camellia-x86_64-asm_64.S @@ -21,6 +21,7 @@ @@ -12599,14 +12814,14 @@ index 310319c..ce174a4 100644 enc_outunpack(mov, RT1); movq RRBP, %rbp; -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; .L__enc_xor: enc_outunpack(xor, RT1); movq RRBP, %rbp; -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(__camellia_enc_blk) @@ -12614,7 +12829,7 @@ index 310319c..ce174a4 100644 dec_outunpack(); movq RRBP, %rbp; -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(camellia_dec_blk) @@ -12622,7 +12837,7 @@ index 310319c..ce174a4 100644 movq RRBP, %rbp; popq %rbx; -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; .L__enc2_xor: @@ -12630,7 +12845,7 @@ index 310319c..ce174a4 100644 movq RRBP, %rbp; popq %rbx; -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(__camellia_enc_blk_2way) @@ -12638,11 +12853,11 @@ index 310319c..ce174a4 100644 movq RRBP, %rbp; movq RXOR, %rbx; -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(camellia_dec_blk_2way) diff --git a/arch/x86/crypto/cast5-avx-x86_64-asm_64.S b/arch/x86/crypto/cast5-avx-x86_64-asm_64.S -index c35fd5d..c1ee236 100644 +index c35fd5d..2d8c7db 100644 --- a/arch/x86/crypto/cast5-avx-x86_64-asm_64.S +++ b/arch/x86/crypto/cast5-avx-x86_64-asm_64.S @@ -24,6 +24,7 @@ @@ -12657,7 +12872,7 @@ index c35fd5d..c1ee236 100644 outunpack_blocks(RR3, RL3, RTMP, RX, RKM); outunpack_blocks(RR4, RL4, RTMP, RX, RKM); -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(__cast5_enc_blk16) @@ -12665,7 +12880,7 @@ index c35fd5d..c1ee236 100644 outunpack_blocks(RR3, RL3, RTMP, RX, RKM); outunpack_blocks(RR4, RL4, RTMP, RX, RKM); -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; .L__skip_dec: @@ -12685,23 +12900,103 @@ index c35fd5d..c1ee236 100644 ret; ENDPROC(cast5_ecb_dec_16way) -@@ -469,6 +474,7 @@ ENTRY(cast5_cbc_dec_16way) +@@ -430,10 +435,10 @@ ENTRY(cast5_cbc_dec_16way) + * %rdx: src + */ - popq %r12; +- pushq %r12; ++ pushq %r14; + + movq %rsi, %r11; +- movq %rdx, %r12; ++ movq %rdx, %r14; + + vmovdqu (0*16)(%rdx), RL1; + vmovdqu (1*16)(%rdx), RR1; +@@ -447,16 +452,16 @@ ENTRY(cast5_cbc_dec_16way) + call __cast5_dec_blk16; + + /* xor with src */ +- vmovq (%r12), RX; ++ vmovq (%r14), RX; + vpshufd $0x4f, RX, RX; + vpxor RX, RR1, RR1; +- vpxor 0*16+8(%r12), RL1, RL1; +- vpxor 1*16+8(%r12), RR2, RR2; +- vpxor 2*16+8(%r12), RL2, RL2; +- vpxor 3*16+8(%r12), RR3, RR3; +- vpxor 4*16+8(%r12), RL3, RL3; +- vpxor 5*16+8(%r12), RR4, RR4; +- vpxor 6*16+8(%r12), RL4, RL4; ++ vpxor 0*16+8(%r14), RL1, RL1; ++ vpxor 1*16+8(%r14), RR2, RR2; ++ vpxor 2*16+8(%r14), RL2, RL2; ++ vpxor 3*16+8(%r14), RR3, RR3; ++ vpxor 4*16+8(%r14), RL3, RL3; ++ vpxor 5*16+8(%r14), RR4, RR4; ++ vpxor 6*16+8(%r14), RL4, RL4; + + vmovdqu RR1, (0*16)(%r11); + vmovdqu RL1, (1*16)(%r11); +@@ -467,8 +472,9 @@ ENTRY(cast5_cbc_dec_16way) + vmovdqu RR4, (6*16)(%r11); + vmovdqu RL4, (7*16)(%r11); + +- popq %r12; ++ popq %r14; + pax_force_retaddr ret; ENDPROC(cast5_cbc_dec_16way) -@@ -542,5 +548,6 @@ ENTRY(cast5_ctr_16way) +@@ -480,10 +486,10 @@ ENTRY(cast5_ctr_16way) + * %rcx: iv (big endian, 64bit) + */ - popq %r12; +- pushq %r12; ++ pushq %r14; + + movq %rsi, %r11; +- movq %rdx, %r12; ++ movq %rdx, %r14; + + vpcmpeqd RTMP, RTMP, RTMP; + vpsrldq $8, RTMP, RTMP; /* low: -1, high: 0 */ +@@ -523,14 +529,14 @@ ENTRY(cast5_ctr_16way) + call __cast5_enc_blk16; + + /* dst = src ^ iv */ +- vpxor (0*16)(%r12), RR1, RR1; +- vpxor (1*16)(%r12), RL1, RL1; +- vpxor (2*16)(%r12), RR2, RR2; +- vpxor (3*16)(%r12), RL2, RL2; +- vpxor (4*16)(%r12), RR3, RR3; +- vpxor (5*16)(%r12), RL3, RL3; +- vpxor (6*16)(%r12), RR4, RR4; +- vpxor (7*16)(%r12), RL4, RL4; ++ vpxor (0*16)(%r14), RR1, RR1; ++ vpxor (1*16)(%r14), RL1, RL1; ++ vpxor (2*16)(%r14), RR2, RR2; ++ vpxor (3*16)(%r14), RL2, RL2; ++ vpxor (4*16)(%r14), RR3, RR3; ++ vpxor (5*16)(%r14), RL3, RL3; ++ vpxor (6*16)(%r14), RR4, RR4; ++ vpxor (7*16)(%r14), RL4, RL4; + vmovdqu RR1, (0*16)(%r11); + vmovdqu RL1, (1*16)(%r11); + vmovdqu RR2, (2*16)(%r11); +@@ -540,7 +546,8 @@ ENTRY(cast5_ctr_16way) + vmovdqu RR4, (6*16)(%r11); + vmovdqu RL4, (7*16)(%r11); + +- popq %r12; ++ popq %r14; + pax_force_retaddr ret; ENDPROC(cast5_ctr_16way) diff --git a/arch/x86/crypto/cast6-avx-x86_64-asm_64.S b/arch/x86/crypto/cast6-avx-x86_64-asm_64.S -index e3531f8..18ded3a 100644 +index e3531f8..e123f35 100644 --- a/arch/x86/crypto/cast6-avx-x86_64-asm_64.S +++ b/arch/x86/crypto/cast6-avx-x86_64-asm_64.S @@ -24,6 +24,7 @@ @@ -12716,7 +13011,7 @@ index e3531f8..18ded3a 100644 outunpack_blocks(RA1, RB1, RC1, RD1, RTMP, RX, RKRF, RKM); outunpack_blocks(RA2, RB2, RC2, RD2, RTMP, RX, RKRF, RKM); -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(__cast6_enc_blk8) @@ -12724,7 +13019,7 @@ index e3531f8..18ded3a 100644 outunpack_blocks(RA1, RB1, RC1, RD1, RTMP, RX, RKRF, RKM); outunpack_blocks(RA2, RB2, RC2, RD2, RTMP, RX, RKRF, RKM); -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(__cast6_dec_blk8) @@ -12744,17 +13039,52 @@ index e3531f8..18ded3a 100644 ret; ENDPROC(cast6_ecb_dec_8way) -@@ -399,6 +404,7 @@ ENTRY(cast6_cbc_dec_8way) +@@ -386,19 +391,20 @@ ENTRY(cast6_cbc_dec_8way) + * %rdx: src + */ + +- pushq %r12; ++ pushq %r14; + + movq %rsi, %r11; +- movq %rdx, %r12; ++ movq %rdx, %r14; - popq %r12; + load_8way(%rdx, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + + call __cast6_dec_blk8; + +- store_cbc_8way(%r12, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); ++ store_cbc_8way(%r14, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + +- popq %r12; ++ popq %r14; + pax_force_retaddr ret; ENDPROC(cast6_cbc_dec_8way) -@@ -424,6 +430,7 @@ ENTRY(cast6_ctr_8way) +@@ -410,20 +416,21 @@ ENTRY(cast6_ctr_8way) + * %rcx: iv (little endian, 128bit) + */ + +- pushq %r12; ++ pushq %r14; + + movq %rsi, %r11; +- movq %rdx, %r12; ++ movq %rdx, %r14; + + load_ctr_8way(%rcx, .Lbswap128_mask, RA1, RB1, RC1, RD1, RA2, RB2, RC2, + RD2, RX, RKR, RKM); + + call __cast6_enc_blk8; - popq %r12; +- store_ctr_8way(%r12, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); ++ store_ctr_8way(%r14, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + +- popq %r12; ++ popq %r14; + pax_force_retaddr ret; @@ -12776,7 +13106,7 @@ index e3531f8..18ded3a 100644 ret; ENDPROC(cast6_xts_dec_8way) diff --git a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S -index dbc4339..3d868c5 100644 +index dbc4339..de6e120 100644 --- a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S +++ b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S @@ -45,6 +45,7 @@ @@ -12791,7 +13121,7 @@ index dbc4339..3d868c5 100644 popq %rsi popq %rdi popq %rbx -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret ################################################################ @@ -12839,7 +13169,7 @@ index 586f41a..d02851e 100644 ret ENDPROC(clmul_ghash_setkey) diff --git a/arch/x86/crypto/salsa20-x86_64-asm_64.S b/arch/x86/crypto/salsa20-x86_64-asm_64.S -index 9279e0b..9270820 100644 +index 9279e0b..c4b3d2c 100644 --- a/arch/x86/crypto/salsa20-x86_64-asm_64.S +++ b/arch/x86/crypto/salsa20-x86_64-asm_64.S @@ -1,4 +1,5 @@ @@ -12852,7 +13182,7 @@ index 9279e0b..9270820 100644 add %r11,%rsp mov %rdi,%rax mov %rsi,%rdx -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret # bytesatleast65: ._bytesatleast65: @@ -13056,7 +13386,7 @@ index acc066c..1559cc4 100644 ret; ENDPROC(serpent_dec_blk_8way) diff --git a/arch/x86/crypto/sha1_ssse3_asm.S b/arch/x86/crypto/sha1_ssse3_asm.S -index a410950..3356d42 100644 +index a410950..9dfe7ad 100644 --- a/arch/x86/crypto/sha1_ssse3_asm.S +++ b/arch/x86/crypto/sha1_ssse3_asm.S @@ -29,6 +29,7 @@ @@ -13067,16 +13397,35 @@ index a410950..3356d42 100644 #define CTX %rdi // arg1 #define BUF %rsi // arg2 -@@ -104,6 +105,7 @@ - pop %r12 +@@ -75,9 +76,9 @@ + + push %rbx + push %rbp +- push %r12 ++ push %r14 + +- mov %rsp, %r12 ++ mov %rsp, %r14 + sub $64, %rsp # allocate workspace + and $~15, %rsp # align stack + +@@ -99,11 +100,12 @@ + xor %rax, %rax + rep stosq + +- mov %r12, %rsp # deallocate workspace ++ mov %r14, %rsp # deallocate workspace + +- pop %r12 ++ pop %r14 pop %rbp pop %rbx -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret ENDPROC(\name) diff --git a/arch/x86/crypto/sha256-avx-asm.S b/arch/x86/crypto/sha256-avx-asm.S -index 642f156..4ab07b9 100644 +index 642f156..51a513c 100644 --- a/arch/x86/crypto/sha256-avx-asm.S +++ b/arch/x86/crypto/sha256-avx-asm.S @@ -49,6 +49,7 @@ @@ -13091,12 +13440,12 @@ index 642f156..4ab07b9 100644 popq %r13 popq %rbp popq %rbx -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret ENDPROC(sha256_transform_avx) diff --git a/arch/x86/crypto/sha256-avx2-asm.S b/arch/x86/crypto/sha256-avx2-asm.S -index 9e86944..2e7f95a 100644 +index 9e86944..3795e6a 100644 --- a/arch/x86/crypto/sha256-avx2-asm.S +++ b/arch/x86/crypto/sha256-avx2-asm.S @@ -50,6 +50,7 @@ @@ -13111,12 +13460,12 @@ index 9e86944..2e7f95a 100644 popq %r12 popq %rbp popq %rbx -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret ENDPROC(sha256_transform_rorx) diff --git a/arch/x86/crypto/sha256-ssse3-asm.S b/arch/x86/crypto/sha256-ssse3-asm.S -index f833b74..c36ed14 100644 +index f833b74..8c62a9e 100644 --- a/arch/x86/crypto/sha256-ssse3-asm.S +++ b/arch/x86/crypto/sha256-ssse3-asm.S @@ -47,6 +47,7 @@ @@ -13131,12 +13480,12 @@ index f833b74..c36ed14 100644 popq %rbp popq %rbx -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret ENDPROC(sha256_transform_ssse3) diff --git a/arch/x86/crypto/sha512-avx-asm.S b/arch/x86/crypto/sha512-avx-asm.S -index 974dde9..4533d34 100644 +index 974dde9..a823ff9 100644 --- a/arch/x86/crypto/sha512-avx-asm.S +++ b/arch/x86/crypto/sha512-avx-asm.S @@ -49,6 +49,7 @@ @@ -13151,12 +13500,12 @@ index 974dde9..4533d34 100644 mov frame_RSPSAVE(%rsp), %rsp nowork: -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret ENDPROC(sha512_transform_avx) diff --git a/arch/x86/crypto/sha512-avx2-asm.S b/arch/x86/crypto/sha512-avx2-asm.S -index 568b961..061ef1d 100644 +index 568b961..ed20c37 100644 --- a/arch/x86/crypto/sha512-avx2-asm.S +++ b/arch/x86/crypto/sha512-avx2-asm.S @@ -51,6 +51,7 @@ @@ -13171,12 +13520,12 @@ index 568b961..061ef1d 100644 # Restore Stack Pointer mov frame_RSPSAVE(%rsp), %rsp -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret ENDPROC(sha512_transform_rorx) diff --git a/arch/x86/crypto/sha512-ssse3-asm.S b/arch/x86/crypto/sha512-ssse3-asm.S -index fb56855..e23914f 100644 +index fb56855..6edd768 100644 --- a/arch/x86/crypto/sha512-ssse3-asm.S +++ b/arch/x86/crypto/sha512-ssse3-asm.S @@ -48,6 +48,7 @@ @@ -13191,12 +13540,12 @@ index fb56855..e23914f 100644 mov frame_RSPSAVE(%rsp), %rsp nowork: -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret ENDPROC(sha512_transform_ssse3) diff --git a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S -index 0505813..63b1d00 100644 +index 0505813..b067311 100644 --- a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S +++ b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S @@ -24,6 +24,7 @@ @@ -13211,7 +13560,7 @@ index 0505813..63b1d00 100644 outunpack_blocks(RC1, RD1, RA1, RB1, RK1, RX0, RY0, RK2); outunpack_blocks(RC2, RD2, RA2, RB2, RK1, RX0, RY0, RK2); -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(__twofish_enc_blk8) @@ -13219,7 +13568,7 @@ index 0505813..63b1d00 100644 outunpack_blocks(RA1, RB1, RC1, RD1, RK1, RX0, RY0, RK2); outunpack_blocks(RA2, RB2, RC2, RD2, RK1, RX0, RY0, RK2); -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(__twofish_dec_blk8) @@ -13227,7 +13576,7 @@ index 0505813..63b1d00 100644 store_8way(%r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2); -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(twofish_ecb_enc_8way) @@ -13235,23 +13584,58 @@ index 0505813..63b1d00 100644 store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(twofish_ecb_dec_8way) -@@ -383,6 +388,7 @@ ENTRY(twofish_cbc_dec_8way) +@@ -370,19 +375,20 @@ ENTRY(twofish_cbc_dec_8way) + * %rdx: src + */ - popq %r12; +- pushq %r12; ++ pushq %r14; -+ pax_force_retaddr 0, 1 + movq %rsi, %r11; +- movq %rdx, %r12; ++ movq %rdx, %r14; + + load_8way(%rdx, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2); + + call __twofish_dec_blk8; + +- store_cbc_8way(%r12, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); ++ store_cbc_8way(%r14, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + +- popq %r12; ++ popq %r14; + ++ pax_force_retaddr ret; ENDPROC(twofish_cbc_dec_8way) -@@ -408,6 +414,7 @@ ENTRY(twofish_ctr_8way) +@@ -394,20 +400,21 @@ ENTRY(twofish_ctr_8way) + * %rcx: iv (little endian, 128bit) + */ - popq %r12; +- pushq %r12; ++ pushq %r14; -+ pax_force_retaddr 0, 1 + movq %rsi, %r11; +- movq %rdx, %r12; ++ movq %rdx, %r14; + + load_ctr_8way(%rcx, .Lbswap128_mask, RA1, RB1, RC1, RD1, RA2, RB2, RC2, + RD2, RX0, RX1, RY0); + + call __twofish_enc_blk8; + +- store_ctr_8way(%r12, %r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2); ++ store_ctr_8way(%r14, %r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2); + +- popq %r12; ++ popq %r14; + ++ pax_force_retaddr ret; ENDPROC(twofish_ctr_8way) @@ -13259,7 +13643,7 @@ index 0505813..63b1d00 100644 /* dst <= regs xor IVs(in dst) */ store_xts_8way(%r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2); -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(twofish_xts_enc_8way) @@ -13267,11 +13651,11 @@ index 0505813..63b1d00 100644 /* dst <= regs xor IVs(in dst) */ store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(twofish_xts_dec_8way) diff --git a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S -index 1c3b7ce..b365c5e 100644 +index 1c3b7ce..02f578d 100644 --- a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S +++ b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S @@ -21,6 +21,7 @@ @@ -13286,7 +13670,7 @@ index 1c3b7ce..b365c5e 100644 popq %r13; popq %r14; popq %r15; -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; .L__enc_xor3: @@ -13294,7 +13678,7 @@ index 1c3b7ce..b365c5e 100644 popq %r13; popq %r14; popq %r15; -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(__twofish_enc_blk_3way) @@ -13302,11 +13686,11 @@ index 1c3b7ce..b365c5e 100644 popq %r13; popq %r14; popq %r15; -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret; ENDPROC(twofish_dec_blk_3way) diff --git a/arch/x86/crypto/twofish-x86_64-asm_64.S b/arch/x86/crypto/twofish-x86_64-asm_64.S -index a039d21..29e7615 100644 +index a039d21..524b8b2 100644 --- a/arch/x86/crypto/twofish-x86_64-asm_64.S +++ b/arch/x86/crypto/twofish-x86_64-asm_64.S @@ -22,6 +22,7 @@ @@ -13321,7 +13705,7 @@ index a039d21..29e7615 100644 popq R1 movq $1,%rax -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret ENDPROC(twofish_enc_blk) @@ -13329,7 +13713,7 @@ index a039d21..29e7615 100644 popq R1 movq $1,%rax -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret ENDPROC(twofish_dec_blk) diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c @@ -13399,7 +13783,7 @@ index 665a730..8e7a67a 100644 err |= copy_siginfo_to_user32(&frame->info, &ksig->info); diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S -index 4299eb0..904b82a 100644 +index 4299eb0..c0687a7 100644 --- a/arch/x86/ia32/ia32entry.S +++ b/arch/x86/ia32/ia32entry.S @@ -15,8 +15,10 @@ @@ -13413,6 +13797,24 @@ index 4299eb0..904b82a 100644 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */ #include <linux/elf-em.h> +@@ -62,12 +64,12 @@ + */ + .macro LOAD_ARGS32 offset, _r9=0 + .if \_r9 +- movl \offset+16(%rsp),%r9d ++ movl \offset+R9(%rsp),%r9d + .endif +- movl \offset+40(%rsp),%ecx +- movl \offset+48(%rsp),%edx +- movl \offset+56(%rsp),%esi +- movl \offset+64(%rsp),%edi ++ movl \offset+RCX(%rsp),%ecx ++ movl \offset+RDX(%rsp),%edx ++ movl \offset+RSI(%rsp),%esi ++ movl \offset+RDI(%rsp),%edi + movl %eax,%eax /* zero extension */ + .endm + @@ -96,6 +98,32 @@ ENTRY(native_irq_enable_sysexit) ENDPROC(native_irq_enable_sysexit) #endif @@ -13514,7 +13916,7 @@ index 4299eb0..904b82a 100644 CFI_REMEMBER_STATE jnz sysenter_tracesys cmpq $(IA32_NR_syscalls-1),%rax -@@ -162,12 +209,15 @@ sysenter_do_call: +@@ -162,15 +209,18 @@ sysenter_do_call: sysenter_dispatch: call *ia32_sys_call_table(,%rax,8) movq %rax,RAX-ARGOFFSET(%rsp) @@ -13530,8 +13932,13 @@ index 4299eb0..904b82a 100644 + pax_erase_kstack + andl $~TS_COMPAT,TI_status(%r11) /* clear IF, that popfq doesn't enable interrupts early */ - andl $~0x200,EFLAGS-R11(%rsp) - movl RIP-R11(%rsp),%edx /* User %eip */ +- andl $~0x200,EFLAGS-R11(%rsp) +- movl RIP-R11(%rsp),%edx /* User %eip */ ++ andl $~X86_EFLAGS_IF,EFLAGS(%rsp) ++ movl RIP(%rsp),%edx /* User %eip */ + CFI_REGISTER rip,rdx + RESTORE_ARGS 0,24,0,0,0,0 + xorq %r8,%r8 @@ -193,6 +243,9 @@ sysexit_from_sys_call: movl %eax,%esi /* 2nd arg: syscall number */ movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */ @@ -13640,7 +14047,7 @@ index 4299eb0..904b82a 100644 CFI_REMEMBER_STATE jnz cstar_tracesys cmpq $IA32_NR_syscalls-1,%rax -@@ -319,12 +395,15 @@ cstar_do_call: +@@ -319,13 +395,16 @@ cstar_do_call: cstar_dispatch: call *ia32_sys_call_table(,%rax,8) movq %rax,RAX-ARGOFFSET(%rsp) @@ -13652,12 +14059,14 @@ index 4299eb0..904b82a 100644 jnz sysretl_audit sysretl_from_sys_call: - andl $~TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET) +- RESTORE_ARGS 0,-ARG_SKIP,0,0,0 + pax_exit_kernel_user + pax_erase_kstack + andl $~TS_COMPAT,TI_status(%r11) - RESTORE_ARGS 0,-ARG_SKIP,0,0,0 ++ RESTORE_ARGS 0,-ORIG_RAX,0,0,0 movl RIP-ARGOFFSET(%rsp),%ecx CFI_REGISTER rip,rcx + movl EFLAGS-ARGOFFSET(%rsp),%r11d @@ -352,7 +431,7 @@ sysretl_audit: cstar_tracesys: @@ -13747,7 +14156,7 @@ index 8e0ceec..af13504 100644 SET_GID(gid, from_kgid_munged(current_user_ns(), stat->gid)); if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) || diff --git a/arch/x86/include/asm/alternative-asm.h b/arch/x86/include/asm/alternative-asm.h -index 372231c..a5aa1a1 100644 +index 372231c..51b537d 100644 --- a/arch/x86/include/asm/alternative-asm.h +++ b/arch/x86/include/asm/alternative-asm.h @@ -18,6 +18,45 @@ @@ -13773,13 +14182,13 @@ index 372231c..a5aa1a1 100644 + .if \reload + pax_set_fptr_mask + .endif -+ orq %r10,\rip(%rsp) ++ orq %r12,\rip(%rsp) + .endm + .macro pax_force_fptr ptr -+ orq %r10,\ptr ++ orq %r12,\ptr + .endm + .macro pax_set_fptr_mask -+ movabs $0x8000000000000000,%r10 ++ movabs $0x8000000000000000,%r12 + .endm +#endif +#else @@ -14881,6 +15290,178 @@ index 9863ee3..4a1f8e1 100644 else if (pg_flags == _PGMT_WC) return _PAGE_CACHE_WC; else if (pg_flags == _PGMT_UC_MINUS) +diff --git a/arch/x86/include/asm/calling.h b/arch/x86/include/asm/calling.h +index 0fa6750..cb7b2c3 100644 +--- a/arch/x86/include/asm/calling.h ++++ b/arch/x86/include/asm/calling.h +@@ -80,103 +80,113 @@ For 32-bit we have the following conventions - kernel is built with + #define RSP 152 + #define SS 160 + +-#define ARGOFFSET R11 +-#define SWFRAME ORIG_RAX ++#define ARGOFFSET R15 + + .macro SAVE_ARGS addskip=0, save_rcx=1, save_r891011=1 +- subq $9*8+\addskip, %rsp +- CFI_ADJUST_CFA_OFFSET 9*8+\addskip +- movq_cfi rdi, 8*8 +- movq_cfi rsi, 7*8 +- movq_cfi rdx, 6*8 ++ subq $ORIG_RAX-ARGOFFSET+\addskip, %rsp ++ CFI_ADJUST_CFA_OFFSET ORIG_RAX-ARGOFFSET+\addskip ++ movq_cfi rdi, RDI ++ movq_cfi rsi, RSI ++ movq_cfi rdx, RDX + + .if \save_rcx +- movq_cfi rcx, 5*8 ++ movq_cfi rcx, RCX + .endif + +- movq_cfi rax, 4*8 ++ movq_cfi rax, RAX + + .if \save_r891011 +- movq_cfi r8, 3*8 +- movq_cfi r9, 2*8 +- movq_cfi r10, 1*8 +- movq_cfi r11, 0*8 ++ movq_cfi r8, R8 ++ movq_cfi r9, R9 ++ movq_cfi r10, R10 ++ movq_cfi r11, R11 + .endif + ++#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR ++ movq_cfi r12, R12 ++#endif ++ + .endm + +-#define ARG_SKIP (9*8) ++#define ARG_SKIP ORIG_RAX + + .macro RESTORE_ARGS rstor_rax=1, addskip=0, rstor_rcx=1, rstor_r11=1, \ + rstor_r8910=1, rstor_rdx=1 ++ ++#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR ++ movq_cfi_restore R12, r12 ++#endif ++ + .if \rstor_r11 +- movq_cfi_restore 0*8, r11 ++ movq_cfi_restore R11, r11 + .endif + + .if \rstor_r8910 +- movq_cfi_restore 1*8, r10 +- movq_cfi_restore 2*8, r9 +- movq_cfi_restore 3*8, r8 ++ movq_cfi_restore R10, r10 ++ movq_cfi_restore R9, r9 ++ movq_cfi_restore R8, r8 + .endif + + .if \rstor_rax +- movq_cfi_restore 4*8, rax ++ movq_cfi_restore RAX, rax + .endif + + .if \rstor_rcx +- movq_cfi_restore 5*8, rcx ++ movq_cfi_restore RCX, rcx + .endif + + .if \rstor_rdx +- movq_cfi_restore 6*8, rdx ++ movq_cfi_restore RDX, rdx + .endif + +- movq_cfi_restore 7*8, rsi +- movq_cfi_restore 8*8, rdi ++ movq_cfi_restore RSI, rsi ++ movq_cfi_restore RDI, rdi + +- .if ARG_SKIP+\addskip > 0 +- addq $ARG_SKIP+\addskip, %rsp +- CFI_ADJUST_CFA_OFFSET -(ARG_SKIP+\addskip) ++ .if ORIG_RAX+\addskip > 0 ++ addq $ORIG_RAX+\addskip, %rsp ++ CFI_ADJUST_CFA_OFFSET -(ORIG_RAX+\addskip) + .endif + .endm + +- .macro LOAD_ARGS offset, skiprax=0 +- movq \offset(%rsp), %r11 +- movq \offset+8(%rsp), %r10 +- movq \offset+16(%rsp), %r9 +- movq \offset+24(%rsp), %r8 +- movq \offset+40(%rsp), %rcx +- movq \offset+48(%rsp), %rdx +- movq \offset+56(%rsp), %rsi +- movq \offset+64(%rsp), %rdi ++ .macro LOAD_ARGS skiprax=0 ++ movq R11(%rsp), %r11 ++ movq R10(%rsp), %r10 ++ movq R9(%rsp), %r9 ++ movq R8(%rsp), %r8 ++ movq RCX(%rsp), %rcx ++ movq RDX(%rsp), %rdx ++ movq RSI(%rsp), %rsi ++ movq RDI(%rsp), %rdi + .if \skiprax + .else +- movq \offset+72(%rsp), %rax ++ movq RAX(%rsp), %rax + .endif + .endm + +-#define REST_SKIP (6*8) +- + .macro SAVE_REST +- subq $REST_SKIP, %rsp +- CFI_ADJUST_CFA_OFFSET REST_SKIP +- movq_cfi rbx, 5*8 +- movq_cfi rbp, 4*8 +- movq_cfi r12, 3*8 +- movq_cfi r13, 2*8 +- movq_cfi r14, 1*8 +- movq_cfi r15, 0*8 ++ movq_cfi rbx, RBX ++ movq_cfi rbp, RBP ++ ++#ifndef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR ++ movq_cfi r12, R12 ++#endif ++ ++ movq_cfi r13, R13 ++ movq_cfi r14, R14 ++ movq_cfi r15, R15 + .endm + + .macro RESTORE_REST +- movq_cfi_restore 0*8, r15 +- movq_cfi_restore 1*8, r14 +- movq_cfi_restore 2*8, r13 +- movq_cfi_restore 3*8, r12 +- movq_cfi_restore 4*8, rbp +- movq_cfi_restore 5*8, rbx +- addq $REST_SKIP, %rsp +- CFI_ADJUST_CFA_OFFSET -(REST_SKIP) ++ movq_cfi_restore R15, r15 ++ movq_cfi_restore R14, r14 ++ movq_cfi_restore R13, r13 ++ ++#ifndef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR ++ movq_cfi_restore R12, r12 ++#endif ++ ++ movq_cfi_restore RBP, rbp ++ movq_cfi_restore RBX, rbx + .endm + + .macro SAVE_ALL diff --git a/arch/x86/include/asm/checksum_32.h b/arch/x86/include/asm/checksum_32.h index f50de69..2b0a458 100644 --- a/arch/x86/include/asm/checksum_32.h @@ -18961,6 +19542,18 @@ index bbae024..e1528f9 100644 #define BIOS_END 0x00100000 #define BIOS_ROM_BASE 0xffe00000 +diff --git a/arch/x86/include/uapi/asm/ptrace-abi.h b/arch/x86/include/uapi/asm/ptrace-abi.h +index 7b0a55a..ad115bf 100644 +--- a/arch/x86/include/uapi/asm/ptrace-abi.h ++++ b/arch/x86/include/uapi/asm/ptrace-abi.h +@@ -49,7 +49,6 @@ + #define EFLAGS 144 + #define RSP 152 + #define SS 160 +-#define ARGOFFSET R11 + #endif /* __ASSEMBLY__ */ + + /* top of stack page */ diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile index a5408b9..5133813 100644 --- a/arch/x86/kernel/Makefile @@ -21406,7 +21999,7 @@ index f0dcb0c..9f39b80 100644 /* diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index b077f4c..feb26c1 100644 +index b077f4c..8e0df9f 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -59,6 +59,8 @@ @@ -21924,27 +22517,84 @@ index b077f4c..feb26c1 100644 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET #ifdef CONFIG_TRACE_IRQFLAGS -@@ -375,8 +808,8 @@ ENDPROC(native_usergs_sysret64) +@@ -320,7 +753,7 @@ ENDPROC(native_usergs_sysret64) + .endm + + .macro TRACE_IRQS_IRETQ_DEBUG offset=ARGOFFSET +- bt $9,EFLAGS-\offset(%rsp) /* interrupts off? */ ++ bt $X86_EFLAGS_IF_BIT,EFLAGS-\offset(%rsp) /* interrupts off? */ + jnc 1f + TRACE_IRQS_ON_DEBUG + 1: +@@ -358,27 +791,6 @@ ENDPROC(native_usergs_sysret64) + movq \tmp,R11+\offset(%rsp) .endm - .macro UNFAKE_STACK_FRAME +- .macro FAKE_STACK_FRAME child_rip +- /* push in order ss, rsp, eflags, cs, rip */ +- xorl %eax, %eax +- pushq_cfi $__KERNEL_DS /* ss */ +- /*CFI_REL_OFFSET ss,0*/ +- pushq_cfi %rax /* rsp */ +- CFI_REL_OFFSET rsp,0 +- pushq_cfi $(X86_EFLAGS_IF|X86_EFLAGS_FIXED) /* eflags - interrupts on */ +- /*CFI_REL_OFFSET rflags,0*/ +- pushq_cfi $__KERNEL_CS /* cs */ +- /*CFI_REL_OFFSET cs,0*/ +- pushq_cfi \child_rip /* rip */ +- CFI_REL_OFFSET rip,0 +- pushq_cfi %rax /* orig rax */ +- .endm +- +- .macro UNFAKE_STACK_FRAME - addq $8*6, %rsp - CFI_ADJUST_CFA_OFFSET -(6*8) -+ addq $8*6 + ARG_SKIP, %rsp -+ CFI_ADJUST_CFA_OFFSET -(6*8 + ARG_SKIP) - .endm - +- .endm +- /* -@@ -463,7 +896,7 @@ ENDPROC(native_usergs_sysret64) + * initial frame state for interrupts (and exceptions without error code) + */ +@@ -445,25 +857,26 @@ ENDPROC(native_usergs_sysret64) + /* save partial stack frame */ + .macro SAVE_ARGS_IRQ + cld +- /* start from rbp in pt_regs and jump over */ +- movq_cfi rdi, (RDI-RBP) +- movq_cfi rsi, (RSI-RBP) +- movq_cfi rdx, (RDX-RBP) +- movq_cfi rcx, (RCX-RBP) +- movq_cfi rax, (RAX-RBP) +- movq_cfi r8, (R8-RBP) +- movq_cfi r9, (R9-RBP) +- movq_cfi r10, (R10-RBP) +- movq_cfi r11, (R11-RBP) ++ /* start from r15 in pt_regs and jump over */ ++ movq_cfi rdi, RDI ++ movq_cfi rsi, RSI ++ movq_cfi rdx, RDX ++ movq_cfi rcx, RCX ++ movq_cfi rax, RAX ++ movq_cfi r8, R8 ++ movq_cfi r9, R9 ++ movq_cfi r10, R10 ++ movq_cfi r11, R11 ++ movq_cfi r12, R12 + + /* Save rbp so that we can unwind from get_irq_regs() */ +- movq_cfi rbp, 0 ++ movq_cfi rbp, RBP + + /* Save previous stack value */ movq %rsp, %rsi - leaq -RBP(%rsp),%rdi /* arg1 for handler */ +- leaq -RBP(%rsp),%rdi /* arg1 for handler */ - testl $3, CS-RBP(%rsi) -+ testb $3, CS-RBP(%rsi) ++ movq %rsp,%rdi /* arg1 for handler */ ++ testb $3, CS(%rsi) je 1f SWAPGS /* -@@ -514,9 +947,10 @@ ENTRY(save_paranoid) +@@ -514,9 +927,10 @@ ENTRY(save_paranoid) js 1f /* negative -> in kernel */ SWAPGS xorl %ebx,%ebx @@ -21957,7 +22607,7 @@ index b077f4c..feb26c1 100644 .popsection /* -@@ -538,7 +972,7 @@ ENTRY(ret_from_fork) +@@ -538,7 +952,7 @@ ENTRY(ret_from_fork) RESTORE_REST @@ -21966,7 +22616,15 @@ index b077f4c..feb26c1 100644 jz 1f testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET -@@ -556,7 +990,7 @@ ENTRY(ret_from_fork) +@@ -548,15 +962,13 @@ ENTRY(ret_from_fork) + jmp ret_from_sys_call # go to the SYSRET fastpath + + 1: +- subq $REST_SKIP, %rsp # leave space for volatiles +- CFI_ADJUST_CFA_OFFSET REST_SKIP + movq %rbp, %rdi + call *%rbx + movl $0, RAX(%rsp) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -21975,7 +22633,7 @@ index b077f4c..feb26c1 100644 /* * System call entry. Up to 6 arguments in registers are supported. -@@ -593,7 +1027,7 @@ END(ret_from_fork) +@@ -593,7 +1005,7 @@ END(ret_from_fork) ENTRY(system_call) CFI_STARTPROC simple CFI_SIGNAL_FRAME @@ -21984,7 +22642,7 @@ index b077f4c..feb26c1 100644 CFI_REGISTER rip,rcx /*CFI_REGISTER rflags,r11*/ SWAPGS_UNSAFE_STACK -@@ -606,16 +1040,23 @@ GLOBAL(system_call_after_swapgs) +@@ -606,16 +1018,23 @@ GLOBAL(system_call_after_swapgs) movq %rsp,PER_CPU_VAR(old_rsp) movq PER_CPU_VAR(kernel_stack),%rsp @@ -22010,16 +22668,7 @@ index b077f4c..feb26c1 100644 jnz tracesys system_call_fastpath: #if __SYSCALL_MASK == ~0 -@@ -625,7 +1066,7 @@ system_call_fastpath: - cmpl $__NR_syscall_max,%eax - #endif - ja badsys -- movq %r10,%rcx -+ movq R10-ARGOFFSET(%rsp),%rcx - call *sys_call_table(,%rax,8) # XXX: rip relative - movq %rax,RAX-ARGOFFSET(%rsp) - /* -@@ -639,10 +1080,13 @@ sysret_check: +@@ -639,10 +1058,13 @@ sysret_check: LOCKDEP_SYS_EXIT DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF @@ -22034,15 +22683,7 @@ index b077f4c..feb26c1 100644 /* * sysretq will re-enable interrupts: */ -@@ -694,14 +1138,18 @@ badsys: - * jump back to the normal fast path. - */ - auditsys: -- movq %r10,%r9 /* 6th arg: 4th syscall arg */ -+ movq R10-ARGOFFSET(%rsp),%r9 /* 6th arg: 4th syscall arg */ - movq %rdx,%r8 /* 5th arg: 3rd syscall arg */ - movq %rsi,%rcx /* 4th arg: 2nd syscall arg */ - movq %rdi,%rdx /* 3rd arg: 1st syscall arg */ +@@ -701,6 +1123,9 @@ auditsys: movq %rax,%rsi /* 2nd arg: syscall number */ movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */ call __audit_syscall_entry @@ -22050,11 +22691,9 @@ index b077f4c..feb26c1 100644 + pax_erase_kstack + LOAD_ARGS 0 /* reload call-clobbered registers */ -+ pax_set_fptr_mask jmp system_call_fastpath - /* -@@ -722,7 +1170,7 @@ sysret_audit: +@@ -722,7 +1147,7 @@ sysret_audit: /* Do syscall tracing */ tracesys: #ifdef CONFIG_AUDITSYSCALL @@ -22063,7 +22702,7 @@ index b077f4c..feb26c1 100644 jz auditsys #endif SAVE_REST -@@ -730,12 +1178,16 @@ tracesys: +@@ -730,12 +1155,15 @@ tracesys: FIXUP_TOP_OF_STACK %rdi movq %rsp,%rdi call syscall_trace_enter @@ -22075,21 +22714,12 @@ index b077f4c..feb26c1 100644 * We don't reload %rax because syscall_trace_enter() returned * the value it wants us to use in the table lookup. */ - LOAD_ARGS ARGOFFSET, 1 -+ pax_set_fptr_mask +- LOAD_ARGS ARGOFFSET, 1 ++ LOAD_ARGS 1 RESTORE_REST #if __SYSCALL_MASK == ~0 cmpq $__NR_syscall_max,%rax -@@ -744,7 +1196,7 @@ tracesys: - cmpl $__NR_syscall_max,%eax - #endif - ja int_ret_from_sys_call /* RAX(%rsp) set to -ENOSYS above */ -- movq %r10,%rcx /* fixup for C */ -+ movq R10-ARGOFFSET(%rsp),%rcx /* fixup for C */ - call *sys_call_table(,%rax,8) - movq %rax,RAX-ARGOFFSET(%rsp) - /* Use IRET because user could have changed frame */ -@@ -765,7 +1217,9 @@ GLOBAL(int_with_check) +@@ -765,7 +1193,9 @@ GLOBAL(int_with_check) andl %edi,%edx jnz int_careful andl $~TS_COMPAT,TI_status(%rcx) @@ -22100,7 +22730,7 @@ index b077f4c..feb26c1 100644 /* Either reschedule or signal or syscall exit tracking needed. */ /* First do a reschedule test. */ -@@ -811,7 +1265,7 @@ int_restore_rest: +@@ -811,7 +1241,7 @@ int_restore_rest: TRACE_IRQS_OFF jmp int_with_check CFI_ENDPROC @@ -22109,19 +22739,20 @@ index b077f4c..feb26c1 100644 .macro FORK_LIKE func ENTRY(stub_\func) -@@ -824,9 +1278,10 @@ ENTRY(stub_\func) +@@ -824,9 +1254,10 @@ ENTRY(stub_\func) DEFAULT_FRAME 0 8 /* offset 8: return address */ call sys_\func RESTORE_TOP_OF_STACK %r11, 8 +- ret $REST_SKIP /* pop extended registers */ + pax_force_retaddr - ret $REST_SKIP /* pop extended registers */ ++ ret CFI_ENDPROC -END(stub_\func) +ENDPROC(stub_\func) .endm .macro FIXED_FRAME label,func -@@ -836,9 +1291,10 @@ ENTRY(\label) +@@ -836,9 +1267,10 @@ ENTRY(\label) FIXUP_TOP_OF_STACK %r11, 8-ARGOFFSET call \func RESTORE_TOP_OF_STACK %r11, 8-ARGOFFSET @@ -22133,19 +22764,27 @@ index b077f4c..feb26c1 100644 .endm FORK_LIKE clone -@@ -855,9 +1311,10 @@ ENTRY(ptregscall_common) - movq_cfi_restore R12+8, r12 - movq_cfi_restore RBP+8, rbp - movq_cfi_restore RBX+8, rbx -+ pax_force_retaddr - ret $REST_SKIP /* pop extended registers */ - CFI_ENDPROC +@@ -846,19 +1278,6 @@ END(\label) + FORK_LIKE vfork + FIXED_FRAME stub_iopl, sys_iopl + +-ENTRY(ptregscall_common) +- DEFAULT_FRAME 1 8 /* offset 8: return address */ +- RESTORE_TOP_OF_STACK %r11, 8 +- movq_cfi_restore R15+8, r15 +- movq_cfi_restore R14+8, r14 +- movq_cfi_restore R13+8, r13 +- movq_cfi_restore R12+8, r12 +- movq_cfi_restore RBP+8, rbp +- movq_cfi_restore RBX+8, rbx +- ret $REST_SKIP /* pop extended registers */ +- CFI_ENDPROC -END(ptregscall_common) -+ENDPROC(ptregscall_common) - +- ENTRY(stub_execve) CFI_STARTPROC -@@ -870,7 +1327,7 @@ ENTRY(stub_execve) + addq $8, %rsp +@@ -870,7 +1289,7 @@ ENTRY(stub_execve) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -22154,7 +22793,7 @@ index b077f4c..feb26c1 100644 /* * sigreturn is special because it needs to restore all registers on return. -@@ -887,7 +1344,7 @@ ENTRY(stub_rt_sigreturn) +@@ -887,7 +1306,7 @@ ENTRY(stub_rt_sigreturn) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -22163,7 +22802,7 @@ index b077f4c..feb26c1 100644 #ifdef CONFIG_X86_X32_ABI ENTRY(stub_x32_rt_sigreturn) -@@ -901,7 +1358,7 @@ ENTRY(stub_x32_rt_sigreturn) +@@ -901,7 +1320,7 @@ ENTRY(stub_x32_rt_sigreturn) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -22172,7 +22811,7 @@ index b077f4c..feb26c1 100644 ENTRY(stub_x32_execve) CFI_STARTPROC -@@ -915,7 +1372,7 @@ ENTRY(stub_x32_execve) +@@ -915,7 +1334,7 @@ ENTRY(stub_x32_execve) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -22181,7 +22820,7 @@ index b077f4c..feb26c1 100644 #endif -@@ -952,7 +1409,7 @@ vector=vector+1 +@@ -952,7 +1371,7 @@ vector=vector+1 2: jmp common_interrupt .endr CFI_ENDPROC @@ -22190,9 +22829,14 @@ index b077f4c..feb26c1 100644 .previous END(interrupt) -@@ -972,6 +1429,16 @@ END(interrupt) - subq $ORIG_RAX-RBP, %rsp - CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP +@@ -969,9 +1388,19 @@ END(interrupt) + /* 0(%rsp): ~(interrupt number) */ + .macro interrupt func + /* reserve pt_regs for scratch regs and rbp */ +- subq $ORIG_RAX-RBP, %rsp +- CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP ++ subq $ORIG_RAX, %rsp ++ CFI_ADJUST_CFA_OFFSET ORIG_RAX SAVE_ARGS_IRQ +#ifdef CONFIG_PAX_MEMORY_UDEREF + testb $3, CS(%rdi) @@ -22207,7 +22851,17 @@ index b077f4c..feb26c1 100644 call \func .endm -@@ -1004,7 +1471,7 @@ ret_from_intr: +@@ -997,14 +1426,14 @@ ret_from_intr: + + /* Restore saved previous stack */ + popq %rsi +- CFI_DEF_CFA rsi,SS+8-RBP /* reg/off reset after def_cfa_expr */ +- leaq ARGOFFSET-RBP(%rsi), %rsp ++ CFI_DEF_CFA rsi,SS+8 /* reg/off reset after def_cfa_expr */ ++ movq %rsi, %rsp + CFI_DEF_CFA_REGISTER rsp +- CFI_ADJUST_CFA_OFFSET RBP-ARGOFFSET ++ CFI_ADJUST_CFA_OFFSET -ARGOFFSET exit_intr: GET_THREAD_INFO(%rcx) @@ -22216,7 +22870,7 @@ index b077f4c..feb26c1 100644 je retint_kernel /* Interrupt came from user space */ -@@ -1026,12 +1493,16 @@ retint_swapgs: /* return to user-space */ +@@ -1026,12 +1455,16 @@ retint_swapgs: /* return to user-space */ * The iretq could re-enable interrupts: */ DISABLE_INTERRUPTS(CLBR_ANY) @@ -22233,7 +22887,7 @@ index b077f4c..feb26c1 100644 /* * The iretq could re-enable interrupts: */ -@@ -1114,7 +1585,7 @@ ENTRY(retint_kernel) +@@ -1114,7 +1547,7 @@ ENTRY(retint_kernel) #endif CFI_ENDPROC @@ -22242,7 +22896,7 @@ index b077f4c..feb26c1 100644 /* * End of kprobes section */ -@@ -1132,7 +1603,7 @@ ENTRY(\sym) +@@ -1132,7 +1565,7 @@ ENTRY(\sym) interrupt \do_sym jmp ret_from_intr CFI_ENDPROC @@ -22251,7 +22905,7 @@ index b077f4c..feb26c1 100644 .endm #ifdef CONFIG_TRACING -@@ -1215,12 +1686,22 @@ ENTRY(\sym) +@@ -1215,12 +1648,22 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call error_entry DEFAULT_FRAME 0 @@ -22275,7 +22929,7 @@ index b077f4c..feb26c1 100644 .endm .macro paranoidzeroentry sym do_sym -@@ -1233,15 +1714,25 @@ ENTRY(\sym) +@@ -1233,15 +1676,25 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call save_paranoid TRACE_IRQS_OFF @@ -22299,11 +22953,11 @@ index b077f4c..feb26c1 100644 .endm -#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8) -+#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12) ++#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r13) .macro paranoidzeroentry_ist sym do_sym ist ENTRY(\sym) INTR_FRAME -@@ -1252,14 +1743,30 @@ ENTRY(\sym) +@@ -1252,14 +1705,30 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call save_paranoid TRACE_IRQS_OFF_DEBUG @@ -22320,10 +22974,10 @@ index b077f4c..feb26c1 100644 movq %rsp,%rdi /* pt_regs pointer */ xorl %esi,%esi /* no error code */ +#ifdef CONFIG_SMP -+ imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d -+ lea init_tss(%r12), %r12 ++ imul $TSS_size, PER_CPU_VAR(cpu_number), %r13d ++ lea init_tss(%r13), %r13 +#else -+ lea init_tss(%rip), %r12 ++ lea init_tss(%rip), %r13 +#endif subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist) call \do_sym @@ -22335,7 +22989,7 @@ index b077f4c..feb26c1 100644 .endm .macro errorentry sym do_sym -@@ -1271,13 +1778,23 @@ ENTRY(\sym) +@@ -1271,13 +1740,23 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call error_entry DEFAULT_FRAME 0 @@ -22360,7 +23014,7 @@ index b077f4c..feb26c1 100644 .endm /* error code is on the stack already */ -@@ -1291,13 +1808,23 @@ ENTRY(\sym) +@@ -1291,13 +1770,23 @@ ENTRY(\sym) call save_paranoid DEFAULT_FRAME 0 TRACE_IRQS_OFF @@ -22385,7 +23039,7 @@ index b077f4c..feb26c1 100644 .endm zeroentry divide_error do_divide_error -@@ -1327,9 +1854,10 @@ gs_change: +@@ -1327,9 +1816,10 @@ gs_change: 2: mfence /* workaround */ SWAPGS popfq_cfi @@ -22397,7 +23051,7 @@ index b077f4c..feb26c1 100644 _ASM_EXTABLE(gs_change,bad_gs) .section .fixup,"ax" -@@ -1357,9 +1885,10 @@ ENTRY(call_softirq) +@@ -1357,9 +1847,10 @@ ENTRY(call_softirq) CFI_DEF_CFA_REGISTER rsp CFI_ADJUST_CFA_OFFSET -8 decl PER_CPU_VAR(irq_count) @@ -22409,7 +23063,7 @@ index b077f4c..feb26c1 100644 #ifdef CONFIG_XEN zeroentry xen_hypervisor_callback xen_do_hypervisor_callback -@@ -1397,7 +1926,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) +@@ -1397,7 +1888,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) decl PER_CPU_VAR(irq_count) jmp error_exit CFI_ENDPROC @@ -22418,7 +23072,7 @@ index b077f4c..feb26c1 100644 /* * Hypervisor uses this for application faults while it executes. -@@ -1456,7 +1985,7 @@ ENTRY(xen_failsafe_callback) +@@ -1456,7 +1947,7 @@ ENTRY(xen_failsafe_callback) SAVE_ALL jmp error_exit CFI_ENDPROC @@ -22427,7 +23081,7 @@ index b077f4c..feb26c1 100644 apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \ xen_hvm_callback_vector xen_evtchn_do_upcall -@@ -1508,18 +2037,33 @@ ENTRY(paranoid_exit) +@@ -1508,18 +1999,33 @@ ENTRY(paranoid_exit) DEFAULT_FRAME DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF_DEBUG @@ -22463,7 +23117,7 @@ index b077f4c..feb26c1 100644 jmp irq_return paranoid_userspace: GET_THREAD_INFO(%rcx) -@@ -1548,7 +2092,7 @@ paranoid_schedule: +@@ -1548,7 +2054,7 @@ paranoid_schedule: TRACE_IRQS_OFF jmp paranoid_userspace CFI_ENDPROC @@ -22472,7 +23126,7 @@ index b077f4c..feb26c1 100644 /* * Exception entry point. This expects an error code/orig_rax on the stack. -@@ -1575,12 +2119,13 @@ ENTRY(error_entry) +@@ -1575,12 +2081,13 @@ ENTRY(error_entry) movq_cfi r14, R14+8 movq_cfi r15, R15+8 xorl %ebx,%ebx @@ -22487,7 +23141,7 @@ index b077f4c..feb26c1 100644 ret /* -@@ -1607,7 +2152,7 @@ bstep_iret: +@@ -1607,7 +2114,7 @@ bstep_iret: movq %rcx,RIP+8(%rsp) jmp error_swapgs CFI_ENDPROC @@ -22496,7 +23150,7 @@ index b077f4c..feb26c1 100644 /* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */ -@@ -1618,7 +2163,7 @@ ENTRY(error_exit) +@@ -1618,7 +2125,7 @@ ENTRY(error_exit) DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF GET_THREAD_INFO(%rcx) @@ -22505,7 +23159,7 @@ index b077f4c..feb26c1 100644 jne retint_kernel LOCKDEP_SYS_EXIT_IRQ movl TI_flags(%rcx),%edx -@@ -1627,7 +2172,7 @@ ENTRY(error_exit) +@@ -1627,7 +2134,7 @@ ENTRY(error_exit) jnz retint_careful jmp retint_swapgs CFI_ENDPROC @@ -22514,7 +23168,7 @@ index b077f4c..feb26c1 100644 /* * Test if a given stack is an NMI stack or not. -@@ -1685,9 +2230,11 @@ ENTRY(nmi) +@@ -1685,9 +2192,11 @@ ENTRY(nmi) * If %cs was not the kernel segment, then the NMI triggered in user * space, which means it is definitely not nested. */ @@ -22527,7 +23181,7 @@ index b077f4c..feb26c1 100644 /* * Check the special variable on the stack to see if NMIs are * executing. -@@ -1721,8 +2268,7 @@ nested_nmi: +@@ -1721,8 +2230,7 @@ nested_nmi: 1: /* Set up the interrupted NMIs stack to jump to repeat_nmi */ @@ -22537,7 +23191,7 @@ index b077f4c..feb26c1 100644 CFI_ADJUST_CFA_OFFSET 1*8 leaq -10*8(%rsp), %rdx pushq_cfi $__KERNEL_DS -@@ -1740,6 +2286,7 @@ nested_nmi_out: +@@ -1740,6 +2248,7 @@ nested_nmi_out: CFI_RESTORE rdx /* No need to check faults here */ @@ -22545,17 +23199,29 @@ index b077f4c..feb26c1 100644 INTERRUPT_RETURN CFI_RESTORE_STATE -@@ -1856,6 +2403,8 @@ end_repeat_nmi: +@@ -1852,9 +2361,11 @@ end_repeat_nmi: + * NMI itself takes a page fault, the page fault that was preempted + * will read the information from the NMI page fault and not the + * origin fault. Save it off and restore it if it changes. +- * Use the r12 callee-saved register. ++ * Use the r13 callee-saved register. */ - movq %cr2, %r12 - -+ pax_enter_kernel_nmi +- movq %cr2, %r12 ++ movq %cr2, %r13 + ++ pax_enter_kernel_nmi + /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */ movq %rsp,%rdi - movq $-1,%rsi -@@ -1868,26 +2417,31 @@ end_repeat_nmi: - movq %r12, %cr2 +@@ -1863,31 +2374,36 @@ end_repeat_nmi: + + /* Did the NMI take a page fault? Restore cr2 if it did */ + movq %cr2, %rcx +- cmpq %rcx, %r12 ++ cmpq %rcx, %r13 + je 1f +- movq %r12, %cr2 ++ movq %r13, %cr2 1: - testl %ebx,%ebx /* swapgs needed? */ @@ -26670,7 +27336,7 @@ index b110fe6..d9c19f2 100644 out: diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c -index 5439117..d08f3d4 100644 +index 5439117..f4d21f7 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c @@ -55,7 +55,7 @@ @@ -26682,6 +27348,117 @@ index 5439117..d08f3d4 100644 #define APIC_LVT_NUM 6 /* 14 is the version for Xeon and Pentium 8.4.8*/ +@@ -143,6 +143,8 @@ static inline int kvm_apic_id(struct kvm_lapic *apic) + return (kvm_apic_get_reg(apic, APIC_ID) >> 24) & 0xff; + } + ++#define KVM_X2APIC_CID_BITS 0 ++ + static void recalculate_apic_map(struct kvm *kvm) + { + struct kvm_apic_map *new, *old = NULL; +@@ -180,7 +182,8 @@ static void recalculate_apic_map(struct kvm *kvm) + if (apic_x2apic_mode(apic)) { + new->ldr_bits = 32; + new->cid_shift = 16; +- new->cid_mask = new->lid_mask = 0xffff; ++ new->cid_mask = (1 << KVM_X2APIC_CID_BITS) - 1; ++ new->lid_mask = 0xffff; + } else if (kvm_apic_sw_enabled(apic) && + !new->cid_mask /* flat mode */ && + kvm_apic_get_reg(apic, APIC_DFR) == APIC_DFR_CLUSTER) { +@@ -841,7 +844,8 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic) + ASSERT(apic != NULL); + + /* if initial count is 0, current count should also be 0 */ +- if (kvm_apic_get_reg(apic, APIC_TMICT) == 0) ++ if (kvm_apic_get_reg(apic, APIC_TMICT) == 0 || ++ apic->lapic_timer.period == 0) + return 0; + + remaining = hrtimer_get_remaining(&apic->lapic_timer.timer); +@@ -1691,7 +1695,6 @@ static void apic_sync_pv_eoi_from_guest(struct kvm_vcpu *vcpu, + void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu) + { + u32 data; +- void *vapic; + + if (test_bit(KVM_APIC_PV_EOI_PENDING, &vcpu->arch.apic_attention)) + apic_sync_pv_eoi_from_guest(vcpu, vcpu->arch.apic); +@@ -1699,9 +1702,8 @@ void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu) + if (!test_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention)) + return; + +- vapic = kmap_atomic(vcpu->arch.apic->vapic_page); +- data = *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr)); +- kunmap_atomic(vapic); ++ kvm_read_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data, ++ sizeof(u32)); + + apic_set_tpr(vcpu->arch.apic, data & 0xff); + } +@@ -1737,7 +1739,6 @@ void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu) + u32 data, tpr; + int max_irr, max_isr; + struct kvm_lapic *apic = vcpu->arch.apic; +- void *vapic; + + apic_sync_pv_eoi_to_guest(vcpu, apic); + +@@ -1753,18 +1754,24 @@ void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu) + max_isr = 0; + data = (tpr & 0xff) | ((max_isr & 0xf0) << 8) | (max_irr << 24); + +- vapic = kmap_atomic(vcpu->arch.apic->vapic_page); +- *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr)) = data; +- kunmap_atomic(vapic); ++ kvm_write_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data, ++ sizeof(u32)); + } + +-void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr) ++int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr) + { +- vcpu->arch.apic->vapic_addr = vapic_addr; +- if (vapic_addr) ++ if (vapic_addr) { ++ if (kvm_gfn_to_hva_cache_init(vcpu->kvm, ++ &vcpu->arch.apic->vapic_cache, ++ vapic_addr, sizeof(u32))) ++ return -EINVAL; + __set_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention); +- else ++ } else { + __clear_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention); ++ } ++ ++ vcpu->arch.apic->vapic_addr = vapic_addr; ++ return 0; + } + + int kvm_x2apic_msr_write(struct kvm_vcpu *vcpu, u32 msr, u64 data) +diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h +index c730ac9..c8b0d0d 100644 +--- a/arch/x86/kvm/lapic.h ++++ b/arch/x86/kvm/lapic.h +@@ -34,7 +34,7 @@ struct kvm_lapic { + */ + void *regs; + gpa_t vapic_addr; +- struct page *vapic_page; ++ struct gfn_to_hva_cache vapic_cache; + unsigned long pending_events; + unsigned int sipi_vector; + }; +@@ -76,7 +76,7 @@ void kvm_set_lapic_tscdeadline_msr(struct kvm_vcpu *vcpu, u64 data); + void kvm_apic_write_nodecode(struct kvm_vcpu *vcpu, u32 offset); + void kvm_apic_set_eoi_accelerated(struct kvm_vcpu *vcpu, int vector); + +-void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr); ++int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr); + void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu); + void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu); + diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h index ad75d77..a679d32 100644 --- a/arch/x86/kvm/paging_tmpl.h @@ -26883,7 +27660,7 @@ index 2b2fce1..da76be4 100644 vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index e5ca72a..83d5177 100644 +index e5ca72a..0f30b12 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -1779,8 +1779,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) @@ -26906,7 +27683,17 @@ index e5ca72a..83d5177 100644 if (copy_to_user(user_msr_list->indices, &msrs_to_save, num_msrs_to_save * sizeof(u32))) goto out; -@@ -5462,7 +5464,7 @@ static struct notifier_block pvclock_gtod_notifier = { +@@ -3192,8 +3194,7 @@ long kvm_arch_vcpu_ioctl(struct file *filp, + r = -EFAULT; + if (copy_from_user(&va, argp, sizeof va)) + goto out; +- r = 0; +- kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr); ++ r = kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr); + break; + } + case KVM_X86_SETUP_MCE: { +@@ -5462,7 +5463,7 @@ static struct notifier_block pvclock_gtod_notifier = { }; #endif @@ -26915,6 +27702,64 @@ index e5ca72a..83d5177 100644 { int r; struct kvm_x86_ops *ops = opaque; +@@ -5718,36 +5719,6 @@ static void post_kvm_run_save(struct kvm_vcpu *vcpu) + !kvm_event_needs_reinjection(vcpu); + } + +-static int vapic_enter(struct kvm_vcpu *vcpu) +-{ +- struct kvm_lapic *apic = vcpu->arch.apic; +- struct page *page; +- +- if (!apic || !apic->vapic_addr) +- return 0; +- +- page = gfn_to_page(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT); +- if (is_error_page(page)) +- return -EFAULT; +- +- vcpu->arch.apic->vapic_page = page; +- return 0; +-} +- +-static void vapic_exit(struct kvm_vcpu *vcpu) +-{ +- struct kvm_lapic *apic = vcpu->arch.apic; +- int idx; +- +- if (!apic || !apic->vapic_addr) +- return; +- +- idx = srcu_read_lock(&vcpu->kvm->srcu); +- kvm_release_page_dirty(apic->vapic_page); +- mark_page_dirty(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT); +- srcu_read_unlock(&vcpu->kvm->srcu, idx); +-} +- + static void update_cr8_intercept(struct kvm_vcpu *vcpu) + { + int max_irr, tpr; +@@ -6047,11 +6018,6 @@ static int __vcpu_run(struct kvm_vcpu *vcpu) + struct kvm *kvm = vcpu->kvm; + + vcpu->srcu_idx = srcu_read_lock(&kvm->srcu); +- r = vapic_enter(vcpu); +- if (r) { +- srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx); +- return r; +- } + + r = 1; + while (r > 0) { +@@ -6110,8 +6076,6 @@ static int __vcpu_run(struct kvm_vcpu *vcpu) + + srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx); + +- vapic_exit(vcpu); +- + return r; + } + diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c index bdf8532..f63c587 100644 --- a/arch/x86/lguest/boot.c @@ -27719,7 +28564,7 @@ index 1e572c5..2a162cd 100644 CFI_ENDPROC diff --git a/arch/x86/lib/copy_page_64.S b/arch/x86/lib/copy_page_64.S -index 176cca6..1166c50 100644 +index 176cca6..e0d658e 100644 --- a/arch/x86/lib/copy_page_64.S +++ b/arch/x86/lib/copy_page_64.S @@ -9,6 +9,7 @@ copy_page_rep: @@ -27730,74 +28575,68 @@ index 176cca6..1166c50 100644 ret CFI_ENDPROC ENDPROC(copy_page_rep) -@@ -20,12 +21,14 @@ ENDPROC(copy_page_rep) - - ENTRY(copy_page) - CFI_STARTPROC -- subq $2*8, %rsp -- CFI_ADJUST_CFA_OFFSET 2*8 -+ subq $3*8, %rsp -+ CFI_ADJUST_CFA_OFFSET 3*8 +@@ -24,8 +25,8 @@ ENTRY(copy_page) + CFI_ADJUST_CFA_OFFSET 2*8 movq %rbx, (%rsp) CFI_REL_OFFSET rbx, 0 - movq %r12, 1*8(%rsp) - CFI_REL_OFFSET r12, 1*8 -+ movq %r13, 2*8(%rsp) -+ CFI_REL_OFFSET r13, 2*8 +- movq %r12, 1*8(%rsp) +- CFI_REL_OFFSET r12, 1*8 ++ movq %r13, 1*8(%rsp) ++ CFI_REL_OFFSET r13, 1*8 movl $(4096/64)-5, %ecx .p2align 4 -@@ -36,7 +39,7 @@ ENTRY(copy_page) - movq 0x8*2(%rsi), %rdx - movq 0x8*3(%rsi), %r8 +@@ -38,7 +39,7 @@ ENTRY(copy_page) movq 0x8*4(%rsi), %r9 -- movq 0x8*5(%rsi), %r10 -+ movq 0x8*5(%rsi), %r13 + movq 0x8*5(%rsi), %r10 movq 0x8*6(%rsi), %r11 - movq 0x8*7(%rsi), %r12 +- movq 0x8*7(%rsi), %r12 ++ movq 0x8*7(%rsi), %r13 + + prefetcht0 5*64(%rsi) -@@ -47,7 +50,7 @@ ENTRY(copy_page) - movq %rdx, 0x8*2(%rdi) - movq %r8, 0x8*3(%rdi) +@@ -49,7 +50,7 @@ ENTRY(copy_page) movq %r9, 0x8*4(%rdi) -- movq %r10, 0x8*5(%rdi) -+ movq %r13, 0x8*5(%rdi) + movq %r10, 0x8*5(%rdi) movq %r11, 0x8*6(%rdi) - movq %r12, 0x8*7(%rdi) +- movq %r12, 0x8*7(%rdi) ++ movq %r13, 0x8*7(%rdi) -@@ -66,7 +69,7 @@ ENTRY(copy_page) - movq 0x8*2(%rsi), %rdx - movq 0x8*3(%rsi), %r8 + leaq 64 (%rsi), %rsi + leaq 64 (%rdi), %rdi +@@ -68,7 +69,7 @@ ENTRY(copy_page) movq 0x8*4(%rsi), %r9 -- movq 0x8*5(%rsi), %r10 -+ movq 0x8*5(%rsi), %r13 + movq 0x8*5(%rsi), %r10 movq 0x8*6(%rsi), %r11 - movq 0x8*7(%rsi), %r12 +- movq 0x8*7(%rsi), %r12 ++ movq 0x8*7(%rsi), %r13 -@@ -75,7 +78,7 @@ ENTRY(copy_page) - movq %rdx, 0x8*2(%rdi) - movq %r8, 0x8*3(%rdi) + movq %rax, 0x8*0(%rdi) + movq %rbx, 0x8*1(%rdi) +@@ -77,7 +78,7 @@ ENTRY(copy_page) movq %r9, 0x8*4(%rdi) -- movq %r10, 0x8*5(%rdi) -+ movq %r13, 0x8*5(%rdi) + movq %r10, 0x8*5(%rdi) movq %r11, 0x8*6(%rdi) - movq %r12, 0x8*7(%rdi) +- movq %r12, 0x8*7(%rdi) ++ movq %r13, 0x8*7(%rdi) -@@ -87,8 +90,11 @@ ENTRY(copy_page) + leaq 64(%rdi), %rdi + leaq 64(%rsi), %rsi +@@ -85,10 +86,11 @@ ENTRY(copy_page) + + movq (%rsp), %rbx CFI_RESTORE rbx - movq 1*8(%rsp), %r12 - CFI_RESTORE r12 -- addq $2*8, %rsp -- CFI_ADJUST_CFA_OFFSET -2*8 -+ movq 2*8(%rsp), %r13 +- movq 1*8(%rsp), %r12 +- CFI_RESTORE r12 ++ movq 1*8(%rsp), %r13 + CFI_RESTORE r13 -+ addq $3*8, %rsp -+ CFI_ADJUST_CFA_OFFSET -3*8 + addq $2*8, %rsp + CFI_ADJUST_CFA_OFFSET -2*8 + pax_force_retaddr ret .Lcopy_page_end: CFI_ENDPROC -@@ -99,7 +105,7 @@ ENDPROC(copy_page) +@@ -99,7 +101,7 @@ ENDPROC(copy_page) #include <asm/cpufeature.h> @@ -27807,7 +28646,7 @@ index 176cca6..1166c50 100644 .byte (copy_page_rep - copy_page) - (2f - 1b) /* offset */ 2: diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S -index a30ca15..6b3f4e1 100644 +index a30ca15..407412b 100644 --- a/arch/x86/lib/copy_user_64.S +++ b/arch/x86/lib/copy_user_64.S @@ -18,31 +18,7 @@ @@ -27904,30 +28743,6 @@ index a30ca15..6b3f4e1 100644 ASM_STAC cmpl $8,%edx jb 20f /* less then 8 bytes, go to byte copy loop */ -@@ -141,19 +72,19 @@ ENTRY(copy_user_generic_unrolled) - jz 17f - 1: movq (%rsi),%r8 - 2: movq 1*8(%rsi),%r9 --3: movq 2*8(%rsi),%r10 -+3: movq 2*8(%rsi),%rax - 4: movq 3*8(%rsi),%r11 - 5: movq %r8,(%rdi) - 6: movq %r9,1*8(%rdi) --7: movq %r10,2*8(%rdi) -+7: movq %rax,2*8(%rdi) - 8: movq %r11,3*8(%rdi) - 9: movq 4*8(%rsi),%r8 - 10: movq 5*8(%rsi),%r9 --11: movq 6*8(%rsi),%r10 -+11: movq 6*8(%rsi),%rax - 12: movq 7*8(%rsi),%r11 - 13: movq %r8,4*8(%rdi) - 14: movq %r9,5*8(%rdi) --15: movq %r10,6*8(%rdi) -+15: movq %rax,6*8(%rdi) - 16: movq %r11,7*8(%rdi) - leaq 64(%rsi),%rsi - leaq 64(%rdi),%rdi @@ -180,6 +111,8 @@ ENTRY(copy_user_generic_unrolled) jnz 21b 23: xor %eax,%eax @@ -27972,7 +28787,7 @@ index a30ca15..6b3f4e1 100644 .section .fixup,"ax" diff --git a/arch/x86/lib/copy_user_nocache_64.S b/arch/x86/lib/copy_user_nocache_64.S -index 6a4f43c..55d26f2 100644 +index 6a4f43c..c70fb52 100644 --- a/arch/x86/lib/copy_user_nocache_64.S +++ b/arch/x86/lib/copy_user_nocache_64.S @@ -8,6 +8,7 @@ @@ -28008,30 +28823,6 @@ index 6a4f43c..55d26f2 100644 ASM_STAC cmpl $8,%edx jb 20f /* less then 8 bytes, go to byte copy loop */ -@@ -59,19 +71,19 @@ ENTRY(__copy_user_nocache) - jz 17f - 1: movq (%rsi),%r8 - 2: movq 1*8(%rsi),%r9 --3: movq 2*8(%rsi),%r10 -+3: movq 2*8(%rsi),%rax - 4: movq 3*8(%rsi),%r11 - 5: movnti %r8,(%rdi) - 6: movnti %r9,1*8(%rdi) --7: movnti %r10,2*8(%rdi) -+7: movnti %rax,2*8(%rdi) - 8: movnti %r11,3*8(%rdi) - 9: movq 4*8(%rsi),%r8 - 10: movq 5*8(%rsi),%r9 --11: movq 6*8(%rsi),%r10 -+11: movq 6*8(%rsi),%rax - 12: movq 7*8(%rsi),%r11 - 13: movnti %r8,4*8(%rdi) - 14: movnti %r9,5*8(%rdi) --15: movnti %r10,6*8(%rdi) -+15: movnti %rax,6*8(%rdi) - 16: movnti %r11,7*8(%rdi) - leaq 64(%rsi),%rsi - leaq 64(%rdi),%rdi @@ -98,7 +110,9 @@ ENTRY(__copy_user_nocache) jnz 21b 23: xorl %eax,%eax @@ -28043,7 +28834,7 @@ index 6a4f43c..55d26f2 100644 .section .fixup,"ax" diff --git a/arch/x86/lib/csum-copy_64.S b/arch/x86/lib/csum-copy_64.S -index 2419d5f..953ee51 100644 +index 2419d5f..fe52d0e 100644 --- a/arch/x86/lib/csum-copy_64.S +++ b/arch/x86/lib/csum-copy_64.S @@ -9,6 +9,7 @@ @@ -28054,11 +28845,62 @@ index 2419d5f..953ee51 100644 /* * Checksum copy with exception handling. +@@ -56,8 +57,8 @@ ENTRY(csum_partial_copy_generic) + CFI_ADJUST_CFA_OFFSET 7*8 + movq %rbx, 2*8(%rsp) + CFI_REL_OFFSET rbx, 2*8 +- movq %r12, 3*8(%rsp) +- CFI_REL_OFFSET r12, 3*8 ++ movq %r15, 3*8(%rsp) ++ CFI_REL_OFFSET r15, 3*8 + movq %r14, 4*8(%rsp) + CFI_REL_OFFSET r14, 4*8 + movq %r13, 5*8(%rsp) +@@ -72,16 +73,16 @@ ENTRY(csum_partial_copy_generic) + movl %edx, %ecx + + xorl %r9d, %r9d +- movq %rcx, %r12 ++ movq %rcx, %r15 + +- shrq $6, %r12 ++ shrq $6, %r15 + jz .Lhandle_tail /* < 64 */ + + clc + + /* main loop. clear in 64 byte blocks */ + /* r9: zero, r8: temp2, rbx: temp1, rax: sum, rcx: saved length */ +- /* r11: temp3, rdx: temp4, r12 loopcnt */ ++ /* r11: temp3, rdx: temp4, r15 loopcnt */ + /* r10: temp5, rbp: temp6, r14 temp7, r13 temp8 */ + .p2align 4 + .Lloop: +@@ -115,7 +116,7 @@ ENTRY(csum_partial_copy_generic) + adcq %r14, %rax + adcq %r13, %rax + +- decl %r12d ++ decl %r15d + + dest + movq %rbx, (%rsi) +@@ -210,8 +211,8 @@ ENTRY(csum_partial_copy_generic) + .Lende: + movq 2*8(%rsp), %rbx + CFI_RESTORE rbx +- movq 3*8(%rsp), %r12 +- CFI_RESTORE r12 ++ movq 3*8(%rsp), %r15 ++ CFI_RESTORE r15 + movq 4*8(%rsp), %r14 + CFI_RESTORE r14 + movq 5*8(%rsp), %r13 @@ -220,6 +221,7 @@ ENTRY(csum_partial_copy_generic) CFI_RESTORE rbp addq $7*8, %rsp CFI_ADJUST_CFA_OFFSET -7*8 -+ pax_force_retaddr 0, 1 ++ pax_force_retaddr ret CFI_RESTORE_STATE @@ -28298,7 +29140,7 @@ index 05a95e7..326f2fa 100644 CFI_ENDPROC ENDPROC(__iowrite32_copy) diff --git a/arch/x86/lib/memcpy_64.S b/arch/x86/lib/memcpy_64.S -index 56313a3..9b59269 100644 +index 56313a3..0db417e 100644 --- a/arch/x86/lib/memcpy_64.S +++ b/arch/x86/lib/memcpy_64.S @@ -24,7 +24,7 @@ @@ -28332,48 +29174,9 @@ index 56313a3..9b59269 100644 ret .Lmemcpy_e_e: .previous -@@ -76,13 +78,13 @@ ENTRY(memcpy) - */ - movq 0*8(%rsi), %r8 - movq 1*8(%rsi), %r9 -- movq 2*8(%rsi), %r10 -+ movq 2*8(%rsi), %rcx - movq 3*8(%rsi), %r11 - leaq 4*8(%rsi), %rsi - - movq %r8, 0*8(%rdi) - movq %r9, 1*8(%rdi) -- movq %r10, 2*8(%rdi) -+ movq %rcx, 2*8(%rdi) - movq %r11, 3*8(%rdi) - leaq 4*8(%rdi), %rdi - jae .Lcopy_forward_loop -@@ -105,12 +107,12 @@ ENTRY(memcpy) - subq $0x20, %rdx - movq -1*8(%rsi), %r8 - movq -2*8(%rsi), %r9 -- movq -3*8(%rsi), %r10 -+ movq -3*8(%rsi), %rcx - movq -4*8(%rsi), %r11 - leaq -4*8(%rsi), %rsi - movq %r8, -1*8(%rdi) - movq %r9, -2*8(%rdi) -- movq %r10, -3*8(%rdi) -+ movq %rcx, -3*8(%rdi) - movq %r11, -4*8(%rdi) - leaq -4*8(%rdi), %rdi - jae .Lcopy_backward_loop -@@ -130,12 +132,13 @@ ENTRY(memcpy) - */ - movq 0*8(%rsi), %r8 - movq 1*8(%rsi), %r9 -- movq -2*8(%rsi, %rdx), %r10 -+ movq -2*8(%rsi, %rdx), %rcx - movq -1*8(%rsi, %rdx), %r11 - movq %r8, 0*8(%rdi) +@@ -136,6 +138,7 @@ ENTRY(memcpy) movq %r9, 1*8(%rdi) -- movq %r10, -2*8(%rdi, %rdx) -+ movq %rcx, -2*8(%rdi, %rdx) + movq %r10, -2*8(%rdi, %rdx) movq %r11, -1*8(%rdi, %rdx) + pax_force_retaddr retq @@ -28404,121 +29207,9 @@ index 56313a3..9b59269 100644 CFI_ENDPROC ENDPROC(memcpy) diff --git a/arch/x86/lib/memmove_64.S b/arch/x86/lib/memmove_64.S -index 65268a6..5aa7815 100644 +index 65268a6..dd1de11 100644 --- a/arch/x86/lib/memmove_64.S +++ b/arch/x86/lib/memmove_64.S -@@ -61,13 +61,13 @@ ENTRY(memmove) - 5: - sub $0x20, %rdx - movq 0*8(%rsi), %r11 -- movq 1*8(%rsi), %r10 -+ movq 1*8(%rsi), %rcx - movq 2*8(%rsi), %r9 - movq 3*8(%rsi), %r8 - leaq 4*8(%rsi), %rsi - - movq %r11, 0*8(%rdi) -- movq %r10, 1*8(%rdi) -+ movq %rcx, 1*8(%rdi) - movq %r9, 2*8(%rdi) - movq %r8, 3*8(%rdi) - leaq 4*8(%rdi), %rdi -@@ -81,10 +81,10 @@ ENTRY(memmove) - 4: - movq %rdx, %rcx - movq -8(%rsi, %rdx), %r11 -- lea -8(%rdi, %rdx), %r10 -+ lea -8(%rdi, %rdx), %r9 - shrq $3, %rcx - rep movsq -- movq %r11, (%r10) -+ movq %r11, (%r9) - jmp 13f - .Lmemmove_end_forward: - -@@ -95,14 +95,14 @@ ENTRY(memmove) - 7: - movq %rdx, %rcx - movq (%rsi), %r11 -- movq %rdi, %r10 -+ movq %rdi, %r9 - leaq -8(%rsi, %rdx), %rsi - leaq -8(%rdi, %rdx), %rdi - shrq $3, %rcx - std - rep movsq - cld -- movq %r11, (%r10) -+ movq %r11, (%r9) - jmp 13f - - /* -@@ -127,13 +127,13 @@ ENTRY(memmove) - 8: - subq $0x20, %rdx - movq -1*8(%rsi), %r11 -- movq -2*8(%rsi), %r10 -+ movq -2*8(%rsi), %rcx - movq -3*8(%rsi), %r9 - movq -4*8(%rsi), %r8 - leaq -4*8(%rsi), %rsi - - movq %r11, -1*8(%rdi) -- movq %r10, -2*8(%rdi) -+ movq %rcx, -2*8(%rdi) - movq %r9, -3*8(%rdi) - movq %r8, -4*8(%rdi) - leaq -4*8(%rdi), %rdi -@@ -151,11 +151,11 @@ ENTRY(memmove) - * Move data from 16 bytes to 31 bytes. - */ - movq 0*8(%rsi), %r11 -- movq 1*8(%rsi), %r10 -+ movq 1*8(%rsi), %rcx - movq -2*8(%rsi, %rdx), %r9 - movq -1*8(%rsi, %rdx), %r8 - movq %r11, 0*8(%rdi) -- movq %r10, 1*8(%rdi) -+ movq %rcx, 1*8(%rdi) - movq %r9, -2*8(%rdi, %rdx) - movq %r8, -1*8(%rdi, %rdx) - jmp 13f -@@ -167,9 +167,9 @@ ENTRY(memmove) - * Move data from 8 bytes to 15 bytes. - */ - movq 0*8(%rsi), %r11 -- movq -1*8(%rsi, %rdx), %r10 -+ movq -1*8(%rsi, %rdx), %r9 - movq %r11, 0*8(%rdi) -- movq %r10, -1*8(%rdi, %rdx) -+ movq %r9, -1*8(%rdi, %rdx) - jmp 13f - 10: - cmpq $4, %rdx -@@ -178,9 +178,9 @@ ENTRY(memmove) - * Move data from 4 bytes to 7 bytes. - */ - movl (%rsi), %r11d -- movl -4(%rsi, %rdx), %r10d -+ movl -4(%rsi, %rdx), %r9d - movl %r11d, (%rdi) -- movl %r10d, -4(%rdi, %rdx) -+ movl %r9d, -4(%rdi, %rdx) - jmp 13f - 11: - cmp $2, %rdx -@@ -189,9 +189,9 @@ ENTRY(memmove) - * Move data from 2 bytes to 3 bytes. - */ - movw (%rsi), %r11w -- movw -2(%rsi, %rdx), %r10w -+ movw -2(%rsi, %rdx), %r9w - movw %r11w, (%rdi) -- movw %r10w, -2(%rdi, %rdx) -+ movw %r9w, -2(%rdi, %rdx) - jmp 13f - 12: - cmp $1, %rdx @@ -202,14 +202,16 @@ ENTRY(memmove) movb (%rsi), %r11b movb %r11b, (%rdi) @@ -28538,7 +29229,7 @@ index 65268a6..5aa7815 100644 .Lmemmove_end_forward_efs: .previous diff --git a/arch/x86/lib/memset_64.S b/arch/x86/lib/memset_64.S -index 2dcb380..50a78bc 100644 +index 2dcb380..2eb79fe 100644 --- a/arch/x86/lib/memset_64.S +++ b/arch/x86/lib/memset_64.S @@ -16,7 +16,7 @@ @@ -28574,21 +29265,10 @@ index 2dcb380..50a78bc 100644 ret .Lmemset_e_e: .previous -@@ -59,7 +61,7 @@ - ENTRY(memset) - ENTRY(__memset) - CFI_STARTPROC -- movq %rdi,%r10 -+ movq %rdi,%r11 - - /* expand byte value */ - movzbl %sil,%ecx -@@ -117,7 +119,8 @@ ENTRY(__memset) - jnz .Lloop_1 +@@ -118,6 +120,7 @@ ENTRY(__memset) .Lende: -- movq %r10,%rax -+ movq %r11,%rax + movq %r10,%rax + pax_force_retaddr ret @@ -28913,7 +29593,7 @@ index c9f2d9b..e7fd2c0 100644 from += 64; to += 64; diff --git a/arch/x86/lib/msr-reg.S b/arch/x86/lib/msr-reg.S -index f6d13ee..aca5f0b 100644 +index f6d13ee..d789440 100644 --- a/arch/x86/lib/msr-reg.S +++ b/arch/x86/lib/msr-reg.S @@ -3,6 +3,7 @@ @@ -28924,34 +29604,8 @@ index f6d13ee..aca5f0b 100644 #ifdef CONFIG_X86_64 /* -@@ -16,7 +17,7 @@ ENTRY(\op\()_safe_regs) - CFI_STARTPROC - pushq_cfi %rbx - pushq_cfi %rbp -- movq %rdi, %r10 /* Save pointer */ -+ movq %rdi, %r9 /* Save pointer */ - xorl %r11d, %r11d /* Return value */ - movl (%rdi), %eax - movl 4(%rdi), %ecx -@@ -27,16 +28,17 @@ ENTRY(\op\()_safe_regs) - movl 28(%rdi), %edi - CFI_REMEMBER_STATE - 1: \op --2: movl %eax, (%r10) -+2: movl %eax, (%r9) - movl %r11d, %eax /* Return value */ -- movl %ecx, 4(%r10) -- movl %edx, 8(%r10) -- movl %ebx, 12(%r10) -- movl %ebp, 20(%r10) -- movl %esi, 24(%r10) -- movl %edi, 28(%r10) -+ movl %ecx, 4(%r9) -+ movl %edx, 8(%r9) -+ movl %ebx, 12(%r9) -+ movl %ebp, 20(%r9) -+ movl %esi, 24(%r9) -+ movl %edi, 28(%r9) +@@ -37,6 +38,7 @@ ENTRY(\op\()_safe_regs) + movl %edi, 28(%r10) popq_cfi %rbp popq_cfi %rbx + pax_force_retaddr @@ -29221,7 +29875,7 @@ index 5dff5f0..cadebf4 100644 CFI_ENDPROC ENDPROC(call_rwsem_downgrade_wake) diff --git a/arch/x86/lib/thunk_64.S b/arch/x86/lib/thunk_64.S -index a63efd6..ccecad8 100644 +index a63efd6..8149fbe 100644 --- a/arch/x86/lib/thunk_64.S +++ b/arch/x86/lib/thunk_64.S @@ -8,6 +8,7 @@ @@ -29232,10 +29886,30 @@ index a63efd6..ccecad8 100644 /* rdi: arg1 ... normal C conventions. rax is saved/restored. */ .macro THUNK name, func, put_ret_addr_in_rdi=0 -@@ -41,5 +42,6 @@ - SAVE_ARGS +@@ -15,11 +16,11 @@ + \name: + CFI_STARTPROC + +- /* this one pushes 9 elems, the next one would be %rIP */ +- SAVE_ARGS ++ /* this one pushes 15+1 elems, the next one would be %rIP */ ++ SAVE_ARGS 8 + + .if \put_ret_addr_in_rdi +- movq_cfi_restore 9*8, rdi ++ movq_cfi_restore RIP, rdi + .endif + + call \func +@@ -38,8 +39,9 @@ + + /* SAVE_ARGS below is used only for the .cfi directives it contains. */ + CFI_STARTPROC +- SAVE_ARGS ++ SAVE_ARGS 8 restore: - RESTORE_ARGS +- RESTORE_ARGS ++ RESTORE_ARGS 1,8 + pax_force_retaddr ret CFI_ENDPROC @@ -30698,7 +31372,7 @@ index 3aaeffc..42ea9fb 100644 + return ret ? -EFAULT : 0; +} diff --git a/arch/x86/mm/gup.c b/arch/x86/mm/gup.c -index dd74e46..7d26398 100644 +index dd74e46..0970b01 100644 --- a/arch/x86/mm/gup.c +++ b/arch/x86/mm/gup.c @@ -255,7 +255,7 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write, @@ -30710,6 +31384,17 @@ index dd74e46..7d26398 100644 (void __user *)start, len))) return 0; +@@ -331,6 +331,10 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write, + goto slow_irqon; + #endif + ++ if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ, ++ (void __user *)start, len))) ++ return 0; ++ + /* + * XXX: batch / limit 'nr', to avoid large irq off latency + * needs some instrumenting to determine the common sizes used by diff --git a/arch/x86/mm/highmem_32.c b/arch/x86/mm/highmem_32.c index 4500142..53a363c 100644 --- a/arch/x86/mm/highmem_32.c @@ -34858,10 +35543,10 @@ index 81a94a3..b711c74 100644 } diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c -index db6dfcf..770d1f0 100644 +index ab58556..ed19dd2 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c -@@ -4113,7 +4113,7 @@ int ata_sas_port_init(struct ata_port *ap) +@@ -4114,7 +4114,7 @@ int ata_sas_port_init(struct ata_port *ap) if (rc) return rc; @@ -37581,7 +38266,7 @@ index f897d51..15da295 100644 if (policy->cpu != 0) return -ENODEV; diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c -index d75040d..4738ca5 100644 +index 22c07fb..9dff5ac 100644 --- a/drivers/cpuidle/cpuidle.c +++ b/drivers/cpuidle/cpuidle.c @@ -252,7 +252,7 @@ static int poll_idle(struct cpuidle_device *dev, @@ -37981,10 +38666,10 @@ index 5145fa3..0d3babd 100644 return efivars_register(&generic_efivars, &generic_ops, efi_kobj); } diff --git a/drivers/firmware/efi/efivars.c b/drivers/firmware/efi/efivars.c -index 8a7432a..28fb839 100644 +index 8c5a61a..cf07bd0 100644 --- a/drivers/firmware/efi/efivars.c +++ b/drivers/firmware/efi/efivars.c -@@ -452,7 +452,7 @@ efivar_create_sysfs_entry(struct efivar_entry *new_var) +@@ -456,7 +456,7 @@ efivar_create_sysfs_entry(struct efivar_entry *new_var) static int create_efivars_bin_attributes(void) { @@ -45864,7 +46549,7 @@ index c9382d6..6619864 100644 error = bus_register(&fcoe_bus_type); if (error) diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c -index df0c3c7..b00e1d0 100644 +index 3cafe0d..f1e87f8 100644 --- a/drivers/scsi/hosts.c +++ b/drivers/scsi/hosts.c @@ -42,7 +42,7 @@ @@ -45886,10 +46571,10 @@ index df0c3c7..b00e1d0 100644 /* These three are default values which can be overridden */ diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c -index 891c86b..dd1224a0 100644 +index 0eb0940..3ca9b79 100644 --- a/drivers/scsi/hpsa.c +++ b/drivers/scsi/hpsa.c -@@ -578,7 +578,7 @@ static inline u32 next_command(struct ctlr_info *h, u8 q) +@@ -579,7 +579,7 @@ static inline u32 next_command(struct ctlr_info *h, u8 q) unsigned long flags; if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant))) @@ -45898,7 +46583,7 @@ index 891c86b..dd1224a0 100644 if ((rq->head[rq->current_entry] & 1) == rq->wraparound) { a = rq->head[rq->current_entry]; -@@ -3444,7 +3444,7 @@ static void start_io(struct ctlr_info *h) +@@ -3445,7 +3445,7 @@ static void start_io(struct ctlr_info *h) while (!list_empty(&h->reqQ)) { c = list_entry(h->reqQ.next, struct CommandList, list); /* can't do anything if fifo is full */ @@ -45907,7 +46592,7 @@ index 891c86b..dd1224a0 100644 dev_warn(&h->pdev->dev, "fifo full\n"); break; } -@@ -3466,7 +3466,7 @@ static void start_io(struct ctlr_info *h) +@@ -3467,7 +3467,7 @@ static void start_io(struct ctlr_info *h) /* Tell the controller execute command */ spin_unlock_irqrestore(&h->lock, flags); @@ -45916,7 +46601,7 @@ index 891c86b..dd1224a0 100644 spin_lock_irqsave(&h->lock, flags); } spin_unlock_irqrestore(&h->lock, flags); -@@ -3474,17 +3474,17 @@ static void start_io(struct ctlr_info *h) +@@ -3475,17 +3475,17 @@ static void start_io(struct ctlr_info *h) static inline unsigned long get_next_completion(struct ctlr_info *h, u8 q) { @@ -45937,7 +46622,7 @@ index 891c86b..dd1224a0 100644 (h->interrupts_enabled == 0); } -@@ -4386,7 +4386,7 @@ static int hpsa_pci_init(struct ctlr_info *h) +@@ -4387,7 +4387,7 @@ static int hpsa_pci_init(struct ctlr_info *h) if (prod_index < 0) return -ENODEV; h->product_name = products[prod_index].product_name; @@ -45946,7 +46631,7 @@ index 891c86b..dd1224a0 100644 pci_disable_link_state(h->pdev, PCIE_LINK_STATE_L0S | PCIE_LINK_STATE_L1 | PCIE_LINK_STATE_CLKPM); -@@ -4668,7 +4668,7 @@ static void controller_lockup_detected(struct ctlr_info *h) +@@ -4669,7 +4669,7 @@ static void controller_lockup_detected(struct ctlr_info *h) assert_spin_locked(&lockup_detector_lock); remove_ctlr_from_lockup_detector_list(h); @@ -45955,7 +46640,7 @@ index 891c86b..dd1224a0 100644 spin_lock_irqsave(&h->lock, flags); h->lockup_detected = readl(h->vaddr + SA5_SCRATCHPAD_OFFSET); spin_unlock_irqrestore(&h->lock, flags); -@@ -4845,7 +4845,7 @@ reinit_after_soft_reset: +@@ -4846,7 +4846,7 @@ reinit_after_soft_reset: } /* make sure the board interrupts are off */ @@ -45964,7 +46649,7 @@ index 891c86b..dd1224a0 100644 if (hpsa_request_irq(h, do_hpsa_intr_msi, do_hpsa_intr_intx)) goto clean2; -@@ -4879,7 +4879,7 @@ reinit_after_soft_reset: +@@ -4880,7 +4880,7 @@ reinit_after_soft_reset: * fake ones to scoop up any residual completions. */ spin_lock_irqsave(&h->lock, flags); @@ -45973,7 +46658,7 @@ index 891c86b..dd1224a0 100644 spin_unlock_irqrestore(&h->lock, flags); free_irqs(h); rc = hpsa_request_irq(h, hpsa_msix_discard_completions, -@@ -4898,9 +4898,9 @@ reinit_after_soft_reset: +@@ -4899,9 +4899,9 @@ reinit_after_soft_reset: dev_info(&h->pdev->dev, "Board READY.\n"); dev_info(&h->pdev->dev, "Waiting for stale completions to drain.\n"); @@ -45985,7 +46670,7 @@ index 891c86b..dd1224a0 100644 rc = controller_reset_failed(h->cfgtable); if (rc) -@@ -4921,7 +4921,7 @@ reinit_after_soft_reset: +@@ -4922,7 +4922,7 @@ reinit_after_soft_reset: } /* Turn the interrupts on so we can service requests */ @@ -45994,7 +46679,7 @@ index 891c86b..dd1224a0 100644 hpsa_hba_inquiry(h); hpsa_register_scsi(h); /* hook ourselves into SCSI subsystem */ -@@ -4976,7 +4976,7 @@ static void hpsa_shutdown(struct pci_dev *pdev) +@@ -4977,7 +4977,7 @@ static void hpsa_shutdown(struct pci_dev *pdev) * To write all data in the battery backed cache to disks */ hpsa_flush_cache(h); @@ -46003,7 +46688,7 @@ index 891c86b..dd1224a0 100644 hpsa_free_irqs_and_disable_msix(h); } -@@ -5144,7 +5144,7 @@ static void hpsa_enter_performant_mode(struct ctlr_info *h, u32 use_short_tags) +@@ -5145,7 +5145,7 @@ static void hpsa_enter_performant_mode(struct ctlr_info *h, u32 use_short_tags) return; } /* Change the access methods to the performant access methods */ @@ -46171,7 +46856,7 @@ index 5879929..32b241d 100644 } EXPORT_SYMBOL(fc_exch_update_stats); diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c -index 161c98e..6d563b3 100644 +index d289583..b745eec 100644 --- a/drivers/scsi/libsas/sas_ata.c +++ b/drivers/scsi/libsas/sas_ata.c @@ -554,7 +554,7 @@ static struct ata_port_operations sas_sata_ops = { @@ -46412,7 +47097,7 @@ index 7f0af4f..193ac3e 100644 unsigned long flags; diff --git a/drivers/scsi/pmcraid.c b/drivers/scsi/pmcraid.c -index 1eb7b028..b2a6080 100644 +index a38f71b..f3bc572 100644 --- a/drivers/scsi/pmcraid.c +++ b/drivers/scsi/pmcraid.c @@ -200,8 +200,8 @@ static int pmcraid_slave_alloc(struct scsi_device *scsi_dev) @@ -46456,7 +47141,7 @@ index 1eb7b028..b2a6080 100644 pinstance->num_hrrq; if (request_size) { -@@ -4483,7 +4483,7 @@ static void pmcraid_worker_function(struct work_struct *workp) +@@ -4484,7 +4484,7 @@ static void pmcraid_worker_function(struct work_struct *workp) pinstance = container_of(workp, struct pmcraid_instance, worker_q); /* add resources only after host is added into system */ @@ -46465,7 +47150,7 @@ index 1eb7b028..b2a6080 100644 return; fw_version = be16_to_cpu(pinstance->inq_data->fw_version); -@@ -5310,8 +5310,8 @@ static int pmcraid_init_instance(struct pci_dev *pdev, struct Scsi_Host *host, +@@ -5311,8 +5311,8 @@ static int pmcraid_init_instance(struct pci_dev *pdev, struct Scsi_Host *host, init_waitqueue_head(&pinstance->reset_wait_q); atomic_set(&pinstance->outstanding_cmds, 0); @@ -46476,7 +47161,7 @@ index 1eb7b028..b2a6080 100644 INIT_LIST_HEAD(&pinstance->free_res_q); INIT_LIST_HEAD(&pinstance->used_res_q); -@@ -6024,7 +6024,7 @@ static int pmcraid_probe(struct pci_dev *pdev, +@@ -6025,7 +6025,7 @@ static int pmcraid_probe(struct pci_dev *pdev, /* Schedule worker thread to handle CCN and take care of adding and * removing devices to OS */ @@ -46780,10 +47465,10 @@ index f379c7f..e8fc69c 100644 transport_setup_device(&rport->dev); diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c -index 5693f6d7..b0bf05a 100644 +index 2634d69..fcf7a81 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c -@@ -2934,7 +2934,7 @@ static int sd_probe(struct device *dev) +@@ -2940,7 +2940,7 @@ static int sd_probe(struct device *dev) sdkp->disk = gd; sdkp->index = index; atomic_set(&sdkp->openers, 0); @@ -47728,10 +48413,10 @@ index c0f76da..d974c32 100644 dlci_get(dlci->gsm->dlci[0]); mux_get(dlci->gsm); diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c -index ff58293..71c87bc 100644 +index 4d6f430..0810fa9 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c -@@ -2502,6 +2502,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops) +@@ -2504,6 +2504,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops) { *ops = tty_ldisc_N_TTY; ops->owner = NULL; @@ -52899,7 +53584,7 @@ index 89dec7f..361b0d75 100644 fd_offset + ex.a_text); if (error != N_DATADDR(ex)) { diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index 4c94a79..f428019 100644 +index 4c94a79..2610454 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -34,6 +34,7 @@ @@ -53415,15 +54100,20 @@ index 4c94a79..f428019 100644 struct elfhdr elf_ex; struct elfhdr interp_elf_ex; } *loc; -+ unsigned long pax_task_size = TASK_SIZE; ++ unsigned long pax_task_size; loc = kmalloc(sizeof(*loc), GFP_KERNEL); if (!loc) { -@@ -723,11 +1068,81 @@ static int load_elf_binary(struct linux_binprm *bprm) +@@ -723,11 +1068,82 @@ static int load_elf_binary(struct linux_binprm *bprm) goto out_free_dentry; /* OK, This is the point of no return */ - current->mm->def_flags = def_flags; ++ current->mm->def_flags = 0; + + /* Do this immediately, since STACK_TOP as used in setup_arg_pages + may depend on the personality. */ + SET_PERSONALITY(loc->elf_ex); + +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR) + current->mm->pax_flags = 0UL; @@ -53442,8 +54132,6 @@ index 4c94a79..f428019 100644 + current->mm->delta_stack = 0UL; +#endif + -+ current->mm->def_flags = 0; -+ +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR) + if (0 > pax_parse_pax_flags(&loc->elf_ex, elf_phdata, bprm->file)) { + send_sig(SIGKILL, current, 0); @@ -53471,19 +54159,17 @@ index 4c94a79..f428019 100644 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE; + pax_task_size = SEGMEXEC_TASK_SIZE; + current->mm->def_flags |= VM_NOHUGEPAGE; -+ } ++ } else +#endif + ++ pax_task_size = TASK_SIZE; ++ +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC) + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) { + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu()); + put_cpu(); + } +#endif - - /* Do this immediately, since STACK_TOP as used in setup_arg_pages - may depend on the personality. */ - SET_PERSONALITY(loc->elf_ex); + +#ifdef CONFIG_PAX_ASLR + if (current->mm->pax_flags & MF_PAX_RANDMMAP) { @@ -53502,7 +54188,7 @@ index 4c94a79..f428019 100644 if (elf_read_implies_exec(loc->elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC; -@@ -817,6 +1232,20 @@ static int load_elf_binary(struct linux_binprm *bprm) +@@ -817,6 +1233,20 @@ static int load_elf_binary(struct linux_binprm *bprm) #else load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr); #endif @@ -53523,7 +54209,7 @@ index 4c94a79..f428019 100644 } error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, -@@ -849,9 +1278,9 @@ static int load_elf_binary(struct linux_binprm *bprm) +@@ -849,9 +1279,9 @@ static int load_elf_binary(struct linux_binprm *bprm) * allowed task size. Note that p_filesz must always be * <= p_memsz so it is only necessary to check p_memsz. */ @@ -53536,7 +54222,7 @@ index 4c94a79..f428019 100644 /* set_brk can never work. Avoid overflows. */ send_sig(SIGKILL, current, 0); retval = -EINVAL; -@@ -890,17 +1319,45 @@ static int load_elf_binary(struct linux_binprm *bprm) +@@ -890,17 +1320,45 @@ static int load_elf_binary(struct linux_binprm *bprm) goto out_free_dentry; } if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) { @@ -53588,7 +54274,7 @@ index 4c94a79..f428019 100644 load_bias); if (!IS_ERR((void *)elf_entry)) { /* -@@ -1122,7 +1579,7 @@ static bool always_dump_vma(struct vm_area_struct *vma) +@@ -1122,7 +1580,7 @@ static bool always_dump_vma(struct vm_area_struct *vma) * Decide what to dump of a segment, part, all or none. */ static unsigned long vma_dump_size(struct vm_area_struct *vma, @@ -53597,7 +54283,7 @@ index 4c94a79..f428019 100644 { #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type)) -@@ -1160,7 +1617,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, +@@ -1160,7 +1618,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, if (vma->vm_file == NULL) return 0; @@ -53606,7 +54292,7 @@ index 4c94a79..f428019 100644 goto whole; /* -@@ -1385,9 +1842,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) +@@ -1385,9 +1843,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) { elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv; int i = 0; @@ -53618,7 +54304,7 @@ index 4c94a79..f428019 100644 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv); } -@@ -1396,7 +1853,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata, +@@ -1396,7 +1854,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata, { mm_segment_t old_fs = get_fs(); set_fs(KERNEL_DS); @@ -53627,7 +54313,7 @@ index 4c94a79..f428019 100644 set_fs(old_fs); fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata); } -@@ -2023,14 +2480,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, +@@ -2023,14 +2481,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, } static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma, @@ -53644,7 +54330,7 @@ index 4c94a79..f428019 100644 return size; } -@@ -2123,7 +2580,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2123,7 +2581,7 @@ static int elf_core_dump(struct coredump_params *cprm) dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE); @@ -53653,7 +54339,7 @@ index 4c94a79..f428019 100644 offset += elf_core_extra_data_size(); e_shoff = offset; -@@ -2137,10 +2594,12 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2137,10 +2595,12 @@ static int elf_core_dump(struct coredump_params *cprm) offset = dataoff; size += sizeof(*elf); @@ -53666,7 +54352,7 @@ index 4c94a79..f428019 100644 if (size > cprm->limit || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note))) goto end_coredump; -@@ -2154,7 +2613,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2154,7 +2614,7 @@ static int elf_core_dump(struct coredump_params *cprm) phdr.p_offset = offset; phdr.p_vaddr = vma->vm_start; phdr.p_paddr = 0; @@ -53675,7 +54361,7 @@ index 4c94a79..f428019 100644 phdr.p_memsz = vma->vm_end - vma->vm_start; offset += phdr.p_filesz; phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0; -@@ -2165,6 +2624,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2165,6 +2625,7 @@ static int elf_core_dump(struct coredump_params *cprm) phdr.p_align = ELF_EXEC_PAGESIZE; size += sizeof(phdr); @@ -53683,7 +54369,7 @@ index 4c94a79..f428019 100644 if (size > cprm->limit || !dump_write(cprm->file, &phdr, sizeof(phdr))) goto end_coredump; -@@ -2189,7 +2649,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2189,7 +2650,7 @@ static int elf_core_dump(struct coredump_params *cprm) unsigned long addr; unsigned long end; @@ -53692,7 +54378,7 @@ index 4c94a79..f428019 100644 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) { struct page *page; -@@ -2198,6 +2658,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2198,6 +2659,7 @@ static int elf_core_dump(struct coredump_params *cprm) page = get_dump_page(addr); if (page) { void *kaddr = kmap(page); @@ -53700,7 +54386,7 @@ index 4c94a79..f428019 100644 stop = ((size += PAGE_SIZE) > cprm->limit) || !dump_write(cprm->file, kaddr, PAGE_SIZE); -@@ -2215,6 +2676,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2215,6 +2677,7 @@ static int elf_core_dump(struct coredump_params *cprm) if (e_phnum == PN_XNUM) { size += sizeof(*shdr4extnum); @@ -53708,7 +54394,7 @@ index 4c94a79..f428019 100644 if (size > cprm->limit || !dump_write(cprm->file, shdr4extnum, sizeof(*shdr4extnum))) -@@ -2235,6 +2697,167 @@ out: +@@ -2235,6 +2698,167 @@ out: #endif /* CONFIG_ELF_CORE */ @@ -54070,6 +54756,19 @@ index e913328..a34fb36 100644 /* Wake up anybody who may be waiting on this transaction */ wake_up(&root->fs_info->transaction_wait); wake_up(&root->fs_info->transaction_blocked_wait); +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 79f057c..e14e1f7 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -3375,7 +3375,7 @@ static int log_one_extent(struct btrfs_trans_handle *trans, + btrfs_set_token_file_extent_type(leaf, fi, + BTRFS_FILE_EXTENT_REG, + &token); +- if (em->block_start == 0) ++ if (em->block_start == EXTENT_MAP_HOLE) + skip_csum = true; + } + diff --git a/fs/buffer.c b/fs/buffer.c index 6024877..7bd000a 100644 --- a/fs/buffer.c @@ -54433,6 +55132,28 @@ index c8e03f8..75362f6 100644 #endif GLOBAL_EXTERN atomic_t smBufAllocCount; GLOBAL_EXTERN atomic_t midCount; +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index 7ddddf2..2e12dbc 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -1900,10 +1900,14 @@ static int cifs_writepages(struct address_space *mapping, + index = mapping->writeback_index; /* Start from prev offset */ + end = -1; + } else { +- index = wbc->range_start >> PAGE_CACHE_SHIFT; +- end = wbc->range_end >> PAGE_CACHE_SHIFT; +- if (wbc->range_start == 0 && wbc->range_end == LLONG_MAX) ++ if (wbc->range_start == 0 && wbc->range_end == LLONG_MAX) { + range_whole = true; ++ index = 0; ++ end = ULONG_MAX; ++ } else { ++ index = wbc->range_start >> PAGE_CACHE_SHIFT; ++ end = wbc->range_end >> PAGE_CACHE_SHIFT; ++ } + scanned = true; + } + retry: diff --git a/fs/cifs/link.c b/fs/cifs/link.c index 7e36ceb..109252f 100644 --- a/fs/cifs/link.c @@ -55069,9 +55790,18 @@ index 9bdeca1..2a9b08d 100644 EXPORT_SYMBOL(dump_write); diff --git a/fs/dcache.c b/fs/dcache.c -index 89f9671..5977a84 100644 +index 89f9671..d2dce57 100644 --- a/fs/dcache.c +++ b/fs/dcache.c +@@ -1570,7 +1570,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) + */ + dentry->d_iname[DNAME_INLINE_LEN-1] = 0; + if (name->len > DNAME_INLINE_LEN-1) { +- dname = kmalloc(name->len + 1, GFP_KERNEL); ++ dname = kmalloc(round_up(name->len + 1, sizeof(unsigned long)), GFP_KERNEL); + if (!dname) { + kmem_cache_free(dentry_cache, dentry); + return NULL; @@ -2893,6 +2893,7 @@ static int prepend_path(const struct path *path, restart: bptr = *buffer; @@ -59289,7 +60019,7 @@ index d420331..2dbb3fd 100644 } putname(tmp); diff --git a/fs/pipe.c b/fs/pipe.c -index d2c45e1..009fe1c 100644 +index 0e0752e..7cfdd50 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -56,7 +56,7 @@ unsigned int pipe_min_size = PAGE_SIZE; @@ -59370,7 +60100,16 @@ index d2c45e1..009fe1c 100644 mask |= POLLERR; } -@@ -734,17 +734,17 @@ pipe_release(struct inode *inode, struct file *file) +@@ -731,7 +731,7 @@ static void put_pipe_info(struct inode *inode, struct pipe_inode_info *pipe) + int kill = 0; + + spin_lock(&inode->i_lock); +- if (!--pipe->files) { ++ if (atomic_dec_and_test(&pipe->files)) { + inode->i_pipe = NULL; + kill = 1; + } +@@ -748,11 +748,11 @@ pipe_release(struct inode *inode, struct file *file) __pipe_lock(pipe); if (file->f_mode & FMODE_READ) @@ -59385,14 +60124,7 @@ index d2c45e1..009fe1c 100644 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP); kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN); kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT); - } - spin_lock(&inode->i_lock); -- if (!--pipe->files) { -+ if (atomic_dec_and_test(&pipe->files)) { - inode->i_pipe = NULL; - kill = 1; - } -@@ -811,7 +811,7 @@ void free_pipe_info(struct pipe_inode_info *pipe) +@@ -817,7 +817,7 @@ void free_pipe_info(struct pipe_inode_info *pipe) kfree(pipe); } @@ -59401,7 +60133,7 @@ index d2c45e1..009fe1c 100644 /* * pipefs_dname() is called from d_path(). -@@ -841,8 +841,9 @@ static struct inode * get_pipe_inode(void) +@@ -847,8 +847,9 @@ static struct inode * get_pipe_inode(void) goto fail_iput; inode->i_pipe = pipe; @@ -59413,7 +60145,7 @@ index d2c45e1..009fe1c 100644 inode->i_fop = &pipefifo_fops; /* -@@ -1022,17 +1023,17 @@ static int fifo_open(struct inode *inode, struct file *filp) +@@ -1027,17 +1028,17 @@ static int fifo_open(struct inode *inode, struct file *filp) spin_lock(&inode->i_lock); if (inode->i_pipe) { pipe = inode->i_pipe; @@ -59434,7 +60166,7 @@ index d2c45e1..009fe1c 100644 spin_unlock(&inode->i_lock); free_pipe_info(pipe); pipe = inode->i_pipe; -@@ -1057,10 +1058,10 @@ static int fifo_open(struct inode *inode, struct file *filp) +@@ -1062,10 +1063,10 @@ static int fifo_open(struct inode *inode, struct file *filp) * opened, even when there is no process writing the FIFO. */ pipe->r_counter++; @@ -59447,7 +60179,7 @@ index d2c45e1..009fe1c 100644 if ((filp->f_flags & O_NONBLOCK)) { /* suppress POLLHUP until we have * seen a writer */ -@@ -1079,14 +1080,14 @@ static int fifo_open(struct inode *inode, struct file *filp) +@@ -1084,14 +1085,14 @@ static int fifo_open(struct inode *inode, struct file *filp) * errno=ENXIO when there is no process reading the FIFO. */ ret = -ENXIO; @@ -59465,7 +60197,7 @@ index d2c45e1..009fe1c 100644 if (wait_for_partner(pipe, &pipe->r_counter)) goto err_wr; } -@@ -1100,11 +1101,11 @@ static int fifo_open(struct inode *inode, struct file *filp) +@@ -1105,11 +1106,11 @@ static int fifo_open(struct inode *inode, struct file *filp) * the process can at least talk to itself. */ @@ -59480,7 +60212,7 @@ index d2c45e1..009fe1c 100644 wake_up_partner(pipe); break; -@@ -1118,20 +1119,20 @@ static int fifo_open(struct inode *inode, struct file *filp) +@@ -1123,13 +1124,13 @@ static int fifo_open(struct inode *inode, struct file *filp) return 0; err_rd: @@ -59496,14 +60228,6 @@ index d2c45e1..009fe1c 100644 wake_up_interruptible(&pipe->wait); ret = -ERESTARTSYS; goto err; - - err: - spin_lock(&inode->i_lock); -- if (!--pipe->files) { -+ if (atomic_dec_and_test(&pipe->files)) { - inode->i_pipe = NULL; - kill = 1; - } diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig index 15af622..0e9f4467 100644 --- a/fs/proc/Kconfig @@ -67113,10 +67837,10 @@ index 0000000..25f54ef +}; diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c new file mode 100644 -index 0000000..36e293f +index 0000000..361a099 --- /dev/null +++ b/grsecurity/gracl_policy.c -@@ -0,0 +1,1777 @@ +@@ -0,0 +1,1782 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -67576,12 +68300,12 @@ index 0000000..36e293f + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(gr_real_root.dentry), gr_real_root.dentry->d_inode->i_ino); +#endif + -+ fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label)); ++ fakefs_obj_rw = kzalloc(sizeof(struct acl_object_label), GFP_KERNEL); + if (fakefs_obj_rw == NULL) + return 1; + fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE; + -+ fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label)); ++ fakefs_obj_rwx = kzalloc(sizeof(struct acl_object_label), GFP_KERNEL); + if (fakefs_obj_rwx == NULL) + return 1; + fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC; @@ -67659,6 +68383,11 @@ index 0000000..36e293f + } while_each_thread(task2, task); + read_unlock(&tasklist_lock); + ++ kfree(fakefs_obj_rw); ++ fakefs_obj_rw = NULL; ++ kfree(fakefs_obj_rwx); ++ fakefs_obj_rwx = NULL; ++ + /* release the reference to the real root dentry and vfsmount */ + path_put(&gr_real_root); + memset(&gr_real_root, 0, sizeof(gr_real_root)); @@ -73989,7 +74718,7 @@ index 0bc7275..4ccbf11 100644 unsigned int offset, size_t len); diff --git a/include/linux/efi.h b/include/linux/efi.h -index 5f8f176..62a0556 100644 +index 094ddd0..f1dfcd3 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -745,6 +745,7 @@ struct efivar_operations { @@ -74001,7 +74730,7 @@ index 5f8f176..62a0556 100644 struct efivars { /* diff --git a/include/linux/elf.h b/include/linux/elf.h -index 40a3c0e..4c45a38 100644 +index 40a3c0e0..4c45a38 100644 --- a/include/linux/elf.h +++ b/include/linux/elf.h @@ -24,6 +24,7 @@ extern Elf32_Dyn _DYNAMIC []; @@ -77195,7 +77924,7 @@ index cc7494a..1e27036 100644 extern bool qid_valid(struct kqid qid); diff --git a/include/linux/random.h b/include/linux/random.h -index bf9085e..128eade 100644 +index bf9085e..1e8bbcf 100644 --- a/include/linux/random.h +++ b/include/linux/random.h @@ -10,9 +10,19 @@ @@ -77220,11 +77949,23 @@ index bf9085e..128eade 100644 extern void get_random_bytes(void *buf, int nbytes); extern void get_random_bytes_arch(void *buf, int nbytes); -@@ -33,6 +43,11 @@ void prandom_seed(u32 seed); +@@ -23,16 +33,21 @@ extern int random_int_secret_init(void); + extern const struct file_operations random_fops, urandom_fops; + #endif + +-unsigned int get_random_int(void); ++unsigned int __intentional_overflow(-1) get_random_int(void); + unsigned long randomize_range(unsigned long start, unsigned long end, unsigned long len); + +-u32 prandom_u32(void); ++u32 prandom_u32(void) __intentional_overflow(-1); + void prandom_bytes(void *buf, int nbytes); + void prandom_seed(u32 seed); + u32 prandom_u32_state(struct rnd_state *); void prandom_bytes_state(struct rnd_state *state, void *buf, int nbytes); -+static inline unsigned long pax_get_random_long(void) ++static inline unsigned long __intentional_overflow(-1) pax_get_random_long(void) +{ + return prandom_u32() + (sizeof(long) > 4 ? (unsigned long)prandom_u32() << 32 : 0); +} @@ -81824,7 +82565,7 @@ index 086fe73..72c1122 100644 else new_fs = fs; diff --git a/kernel/futex.c b/kernel/futex.c -index c3a1a55..e32b4a98 100644 +index c3a1a55..1b8cfce 100644 --- a/kernel/futex.c +++ b/kernel/futex.c @@ -54,6 +54,7 @@ @@ -81847,6 +82588,15 @@ index c3a1a55..e32b4a98 100644 /* * The futex address must be "naturally" aligned. */ +@@ -288,7 +294,7 @@ again: + put_page(page); + /* serialize against __split_huge_page_splitting() */ + local_irq_disable(); +- if (likely(__get_user_pages_fast(address, 1, 1, &page) == 1)) { ++ if (likely(__get_user_pages_fast(address, 1, !ro, &page) == 1)) { + page_head = compound_head(page); + /* + * page_head is valid pointer but we must pin @@ -441,7 +447,7 @@ static int cmpxchg_futex_value_locked(u32 *curval, u32 __user *uaddr, static int get_futex_value_locked(u32 *dest, u32 __user *from) @@ -85664,7 +86414,7 @@ index 88c9c65..7497ebc 100644 .clock_get = alarm_clock_get, .timer_create = alarm_timer_create, diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c -index 947ba25..20cbade 100644 +index 5cf6c70..ac341b0 100644 --- a/kernel/time/timekeeping.c +++ b/kernel/time/timekeeping.c @@ -15,6 +15,7 @@ @@ -87232,7 +87982,7 @@ index ae4846f..b0acebe 100644 send_sig(SIGXFSZ, current, 0); return -EFBIG; diff --git a/mm/fremap.c b/mm/fremap.c -index 5bff081..d8189a9 100644 +index 5bff081..00bd91e 100644 --- a/mm/fremap.c +++ b/mm/fremap.c @@ -163,6 +163,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, @@ -87247,6 +87997,15 @@ index 5bff081..d8189a9 100644 /* * Make sure the vma is shared, that it supports prefaulting, * and that the remapped range is valid and fully within +@@ -218,6 +223,8 @@ get_write_lock: + BUG_ON(addr != start); + err = 0; + } ++ vm_flags = vma->vm_flags; ++ vma = NULL; + goto out; + } + mutex_lock(&mapping->i_mmap_mutex); diff --git a/mm/highmem.c b/mm/highmem.c index b32b70c..e512eb0 100644 --- a/mm/highmem.c @@ -94303,7 +95062,7 @@ index 4b85e6f..22f9ac9 100644 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) { /* Has it gone just too far? */ diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index 5e2c2f1..6473c22 100644 +index f60b1ee..40b401c 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -87,6 +87,7 @@ @@ -94354,7 +95113,7 @@ index 5e2c2f1..6473c22 100644 daddr = inet->inet_daddr; dport = inet->inet_dport; /* Open fast path for connected socket. -@@ -1141,7 +1158,7 @@ static unsigned int first_packet_length(struct sock *sk) +@@ -1144,7 +1161,7 @@ static unsigned int first_packet_length(struct sock *sk) IS_UDPLITE(sk)); UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, IS_UDPLITE(sk)); @@ -94363,7 +95122,7 @@ index 5e2c2f1..6473c22 100644 __skb_unlink(skb, rcvq); __skb_queue_tail(&list_kill, skb); } -@@ -1221,6 +1238,10 @@ try_again: +@@ -1224,6 +1241,10 @@ try_again: if (!skb) goto out; @@ -94374,7 +95133,7 @@ index 5e2c2f1..6473c22 100644 ulen = skb->len - sizeof(struct udphdr); copied = len; if (copied > ulen) -@@ -1254,7 +1275,7 @@ try_again: +@@ -1257,7 +1278,7 @@ try_again: if (unlikely(err)) { trace_kfree_skb(skb, udp_recvmsg); if (!peeked) { @@ -94383,7 +95142,7 @@ index 5e2c2f1..6473c22 100644 UDP_INC_STATS_USER(sock_net(sk), UDP_MIB_INERRORS, is_udplite); } -@@ -1542,7 +1563,7 @@ csum_error: +@@ -1545,7 +1566,7 @@ csum_error: UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_CSUMERRORS, is_udplite); drop: UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite); @@ -94392,7 +95151,7 @@ index 5e2c2f1..6473c22 100644 kfree_skb(skb); return -1; } -@@ -1561,7 +1582,7 @@ static void flush_stack(struct sock **stack, unsigned int count, +@@ -1564,7 +1585,7 @@ static void flush_stack(struct sock **stack, unsigned int count, skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC); if (!skb1) { @@ -94401,7 +95160,7 @@ index 5e2c2f1..6473c22 100644 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS, IS_UDPLITE(sk)); UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, -@@ -1733,6 +1754,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, +@@ -1736,6 +1757,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, goto csum_error; UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE); @@ -94411,7 +95170,7 @@ index 5e2c2f1..6473c22 100644 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); /* -@@ -2165,7 +2189,7 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f, +@@ -2168,7 +2192,7 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f, from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)), 0, sock_i_ino(sp), atomic_read(&sp->sk_refcnt), sp, @@ -96851,7 +97610,7 @@ index 6b36561..4f21064 100644 table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL); diff --git a/net/socket.c b/net/socket.c -index e83c416..17afbfa 100644 +index e83c416..9169305 100644 --- a/net/socket.c +++ b/net/socket.c @@ -88,6 +88,7 @@ @@ -97053,6 +97812,15 @@ index e83c416..17afbfa 100644 /* user mode address pointers */ struct sockaddr __user *uaddr; +@@ -2227,7 +2293,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, + /* Save the user-mode address (verify_iovec will change the + * kernel msghdr to use the kernel address space) + */ +- uaddr = (__force void __user *)msg_sys->msg_name; ++ uaddr = (void __force_user *)msg_sys->msg_name; + uaddr_len = COMPAT_NAMELEN(msg); + if (MSG_CMSG_COMPAT & flags) + err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE); @@ -2985,7 +3051,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); @@ -101544,10 +102312,10 @@ index 0000000..568b360 +} diff --git a/tools/gcc/kernexec_plugin.c b/tools/gcc/kernexec_plugin.c new file mode 100644 -index 0000000..698da67 +index 0000000..a25306b --- /dev/null +++ b/tools/gcc/kernexec_plugin.c -@@ -0,0 +1,471 @@ +@@ -0,0 +1,474 @@ +/* + * Copyright 2011-2013 by the PaX Team <pageexec@freemail.hu> + * Licensed under the GPL v2 @@ -101693,21 +102461,21 @@ index 0000000..698da67 +} + +/* -+ * add special KERNEXEC instrumentation: reload %r10 after it has been clobbered ++ * add special KERNEXEC instrumentation: reload %r12 after it has been clobbered + */ +static void kernexec_reload_fptr_mask(gimple_stmt_iterator *gsi) +{ + gimple asm_movabs_stmt; + -+ // build asm volatile("movabs $0x8000000000000000, %%r10\n\t" : : : ); -+ asm_movabs_stmt = gimple_build_asm_vec("movabs $0x8000000000000000, %%r10\n\t", NULL, NULL, NULL, NULL); ++ // build asm volatile("movabs $0x8000000000000000, %%r12\n\t" : : : ); ++ asm_movabs_stmt = gimple_build_asm_vec("movabs $0x8000000000000000, %%r12\n\t", NULL, NULL, NULL, NULL); + gimple_asm_set_volatile(asm_movabs_stmt, true); + gsi_insert_after(gsi, asm_movabs_stmt, GSI_CONTINUE_LINKING); + update_stmt(asm_movabs_stmt); +} + +/* -+ * find all asm() stmts that clobber r10 and add a reload of r10 ++ * find all asm() stmts that clobber r12 and add a reload of r12 + */ +static unsigned int execute_kernexec_reload(void) +{ @@ -101718,7 +102486,7 @@ index 0000000..698da67 + gimple_stmt_iterator gsi; + + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) { -+ // gimple match: __asm__ ("" : : : "r10"); ++ // gimple match: __asm__ ("" : : : "r12"); + gimple asm_stmt; + size_t nclobbers; + @@ -101727,11 +102495,11 @@ index 0000000..698da67 + if (gimple_code(asm_stmt) != GIMPLE_ASM) + continue; + -+ // ... clobbering r10 ++ // ... clobbering r12 + nclobbers = gimple_asm_nclobbers(asm_stmt); + while (nclobbers--) { + tree op = gimple_asm_clobber_op(asm_stmt, nclobbers); -+ if (strcmp(TREE_STRING_POINTER(TREE_VALUE(op)), "r10")) ++ if (strcmp(TREE_STRING_POINTER(TREE_VALUE(op)), "r12")) + continue; + kernexec_reload_fptr_mask(&gsi); +//print_gimple_stmt(stderr, asm_stmt, 0, TDF_LINENO); @@ -101814,7 +102582,7 @@ index 0000000..698da67 +#endif + new_fptr = make_ssa_name(new_fptr, NULL); + -+ // build asm volatile("orq %%r10, %0\n\t" : "=r"(new_fptr) : "0"(old_fptr)); ++ // build asm volatile("orq %%r12, %0\n\t" : "=r"(new_fptr) : "0"(old_fptr)); + input = build_tree_list(NULL_TREE, build_string(1, "0")); + input = chainon(NULL_TREE, build_tree_list(input, old_fptr)); + output = build_tree_list(NULL_TREE, build_string(2, "=r")); @@ -101826,7 +102594,7 @@ index 0000000..698da67 + vec_safe_push(inputs, input); + vec_safe_push(outputs, output); +#endif -+ asm_or_stmt = gimple_build_asm_vec("orq %%r10, %0\n\t", inputs, outputs, NULL, NULL); ++ asm_or_stmt = gimple_build_asm_vec("orq %%r12, %0\n\t", inputs, outputs, NULL, NULL); + SSA_NAME_DEF_STMT(new_fptr) = asm_or_stmt; + gimple_asm_set_volatile(asm_or_stmt, true); + gsi_insert_before(gsi, asm_or_stmt, GSI_SAME_STMT); @@ -101906,19 +102674,19 @@ index 0000000..698da67 + emit_insn_before(btsq, insn); +} + -+// add special KERNEXEC instrumentation: orq %r10,(%rsp) just before retn ++// add special KERNEXEC instrumentation: orq %r12,(%rsp) just before retn +static void kernexec_instrument_retaddr_or(rtx insn) +{ + rtx orq; + rtvec argvec, constraintvec, labelvec; + int line; + -+ // create asm volatile("orq %%r10,(%%rsp)":::) ++ // create asm volatile("orq %%r12,(%%rsp)":::) + argvec = rtvec_alloc(0); + constraintvec = rtvec_alloc(0); + labelvec = rtvec_alloc(0); + line = expand_location(RTL_LOCATION(insn)).line; -+ orq = gen_rtx_ASM_OPERANDS(VOIDmode, "orq %%r10,(%%rsp)", empty_string, 0, argvec, constraintvec, labelvec, line); ++ orq = gen_rtx_ASM_OPERANDS(VOIDmode, "orq %%r12,(%%rsp)", empty_string, 0, argvec, constraintvec, labelvec, line); + MEM_VOLATILE_P(orq) = 1; +// RTX_FRAME_RELATED_P(orq) = 1; // not for ASM_OPERANDS + emit_insn_before(orq, insn); @@ -101931,6 +102699,9 @@ index 0000000..698da67 +{ + rtx insn; + ++// if (stack_realign_drap) ++// inform(DECL_SOURCE_LOCATION(current_function_decl), "drap detected in %s\n", IDENTIFIER_POINTER(DECL_NAME(current_function_decl))); ++ + // 1. find function returns + for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) { + // rtl match: (jump_insn 41 40 42 2 (return) fptr.c:42 634 {return_internal} (nil)) @@ -102002,7 +102773,7 @@ index 0000000..698da67 + } else if (!strcmp(argv[i].value, "or")) { + kernexec_instrument_fptr = kernexec_instrument_fptr_or; + kernexec_instrument_retaddr = kernexec_instrument_retaddr_or; -+ fix_register("r10", 1, 1); ++ fix_register("r12", 1, 1); + } else + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value); + continue; @@ -102362,10 +103133,10 @@ index 0000000..679b9ef +} diff --git a/tools/gcc/size_overflow_hash.data b/tools/gcc/size_overflow_hash.data new file mode 100644 -index 0000000..3a5b4b5 +index 0000000..7dad2cd --- /dev/null +++ b/tools/gcc/size_overflow_hash.data -@@ -0,0 +1,7687 @@ +@@ -0,0 +1,7690 @@ +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL +ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL +batadv_orig_node_del_if_4 batadv_orig_node_del_if 2 4 NULL @@ -102380,8 +103151,8 @@ index 0000000..3a5b4b5 +snd_korg1212_copy_to_92 snd_korg1212_copy_to 6 92 NULL +load_msg_95 load_msg 2 95 NULL +device_flush_iotlb_115 device_flush_iotlb 2-3 115 NULL -+ipath_verbs_send_117 ipath_verbs_send 5-3 117 NULL nohasharray -+write_all_supers_117 write_all_supers 0 117 &ipath_verbs_send_117 ++write_all_supers_117 write_all_supers 0 117 NULL nohasharray ++ipath_verbs_send_117 ipath_verbs_send 5-3 117 &write_all_supers_117 +init_q_132 init_q 4 132 NULL +ocfs2_local_alloc_slide_window_134 ocfs2_local_alloc_slide_window 0 134 NULL +memstick_alloc_host_142 memstick_alloc_host 1 142 NULL @@ -103375,8 +104146,8 @@ index 0000000..3a5b4b5 +usb_allocate_stream_buffers_8964 usb_allocate_stream_buffers 3 8964 NULL +qib_qsfp_dump_8966 qib_qsfp_dump 0-3 8966 NULL +venus_mkdir_8967 venus_mkdir 4 8967 NULL -+seq_open_net_8968 seq_open_net 4 8968 NULL nohasharray -+vol_cdev_read_8968 vol_cdev_read 3 8968 &seq_open_net_8968 ++vol_cdev_read_8968 vol_cdev_read 3 8968 NULL nohasharray ++seq_open_net_8968 seq_open_net 4 8968 &vol_cdev_read_8968 +bio_integrity_get_tag_8974 bio_integrity_get_tag 3 8974 NULL +btrfs_alloc_free_block_8986 btrfs_alloc_free_block 3-8 8986 NULL +jbd2_journal_blocks_per_page_9004 jbd2_journal_blocks_per_page 0 9004 NULL @@ -103789,8 +104560,8 @@ index 0000000..3a5b4b5 +shash_compat_setkey_12267 shash_compat_setkey 3 12267 NULL +add_sctp_bind_addr_12269 add_sctp_bind_addr 3 12269 NULL +note_last_dentry_12285 note_last_dentry 3 12285 NULL -+il_dbgfs_nvm_read_12288 il_dbgfs_nvm_read 3 12288 NULL nohasharray -+roundup_to_multiple_of_64_12288 roundup_to_multiple_of_64 0-1 12288 &il_dbgfs_nvm_read_12288 ++roundup_to_multiple_of_64_12288 roundup_to_multiple_of_64 0-1 12288 NULL nohasharray ++il_dbgfs_nvm_read_12288 il_dbgfs_nvm_read 3 12288 &roundup_to_multiple_of_64_12288 +wrap_min_12303 wrap_min 0-1-2 12303 NULL +bt_sock_recvmsg_12316 bt_sock_recvmsg 4 12316 NULL +pcbit_writecmd_12332 pcbit_writecmd 2 12332 NULL @@ -104049,8 +104820,8 @@ index 0000000..3a5b4b5 +efx_mdio_check_mmds_14486 efx_mdio_check_mmds 2 14486 NULL nohasharray +ieee80211_if_read_dot11MeshGateAnnouncementProtocol_14486 ieee80211_if_read_dot11MeshGateAnnouncementProtocol 3 14486 &efx_mdio_check_mmds_14486 +ocfs2_debug_read_14507 ocfs2_debug_read 3 14507 NULL -+ep0_write_14536 ep0_write 3 14536 NULL nohasharray -+dataflash_read_user_otp_14536 dataflash_read_user_otp 3-2 14536 &ep0_write_14536 ++dataflash_read_user_otp_14536 dataflash_read_user_otp 3-2 14536 NULL nohasharray ++ep0_write_14536 ep0_write 3 14536 &dataflash_read_user_otp_14536 +register_trace_sched_switch_14545 register_trace_sched_switch 0 14545 NULL +picolcd_debug_eeprom_read_14549 picolcd_debug_eeprom_read 3 14549 NULL +drm_vmalloc_dma_14550 drm_vmalloc_dma 1 14550 NULL @@ -104086,8 +104857,8 @@ index 0000000..3a5b4b5 +keys_proc_write_14792 keys_proc_write 3 14792 NULL +ext4_kvmalloc_14796 ext4_kvmalloc 1 14796 NULL +__kfifo_in_14797 __kfifo_in 3-0 14797 NULL -+hpet_readl_14801 hpet_readl 0 14801 NULL nohasharray -+snd_als300_gcr_read_14801 snd_als300_gcr_read 0 14801 &hpet_readl_14801 ++snd_als300_gcr_read_14801 snd_als300_gcr_read 0 14801 NULL nohasharray ++hpet_readl_14801 hpet_readl 0 14801 &snd_als300_gcr_read_14801 +changed_cb_14819 changed_cb 0 14819 NULL +do_tune_cpucache_14828 do_tune_cpucache 2 14828 NULL +mrp_attr_create_14853 mrp_attr_create 3 14853 NULL @@ -104778,8 +105549,8 @@ index 0000000..3a5b4b5 +cpulist_scnprintf_20648 cpulist_scnprintf 2-0 20648 NULL +oz_add_farewell_20652 oz_add_farewell 5 20652 NULL +oz_cdev_read_20659 oz_cdev_read 3 20659 NULL -+snd_hdsp_playback_copy_20676 snd_hdsp_playback_copy 5 20676 NULL nohasharray -+btrfs_qgroup_reserve_20676 btrfs_qgroup_reserve 0 20676 &snd_hdsp_playback_copy_20676 ++btrfs_qgroup_reserve_20676 btrfs_qgroup_reserve 0 20676 NULL nohasharray ++snd_hdsp_playback_copy_20676 snd_hdsp_playback_copy 5 20676 &btrfs_qgroup_reserve_20676 +get_user_page_nowait_20682 get_user_page_nowait 3 20682 NULL nohasharray +dvb_dmxdev_buffer_read_20682 dvb_dmxdev_buffer_read 0-4 20682 &get_user_page_nowait_20682 +cpumask_size_20683 cpumask_size 0 20683 NULL @@ -105444,8 +106215,8 @@ index 0000000..3a5b4b5 +read_sb_page_26119 read_sb_page 5 26119 NULL +__fswab64_26155 __fswab64 0 26155 NULL +copy_oldmem_page_26164 copy_oldmem_page 3 26164 NULL -+gfs2_xattr_acl_get_26166 gfs2_xattr_acl_get 0 26166 NULL nohasharray -+ath6kl_roam_table_read_26166 ath6kl_roam_table_read 3 26166 &gfs2_xattr_acl_get_26166 ++ath6kl_roam_table_read_26166 ath6kl_roam_table_read 3 26166 NULL nohasharray ++gfs2_xattr_acl_get_26166 gfs2_xattr_acl_get 0 26166 &ath6kl_roam_table_read_26166 +disk_devt_26180 disk_devt 0 26180 NULL +cgroup_setxattr_26188 cgroup_setxattr 4 26188 NULL +ieee80211_if_fmt_dot11MeshTTL_26198 ieee80211_if_fmt_dot11MeshTTL 3 26198 NULL @@ -105771,8 +106542,8 @@ index 0000000..3a5b4b5 +xz_dec_init_29029 xz_dec_init 2 29029 NULL +i915_gem_object_bind_to_vm_29035 i915_gem_object_bind_to_vm 0 29035 NULL +ieee80211_if_read_ht_opmode_29044 ieee80211_if_read_ht_opmode 3 29044 NULL -+ProcessGetHostMibs_29049 ProcessGetHostMibs 0 29049 NULL nohasharray -+rxrpc_sendmsg_29049 rxrpc_sendmsg 4 29049 &ProcessGetHostMibs_29049 ++rxrpc_sendmsg_29049 rxrpc_sendmsg 4 29049 NULL nohasharray ++ProcessGetHostMibs_29049 ProcessGetHostMibs 0 29049 &rxrpc_sendmsg_29049 +btrfs_root_bytenr_29058 btrfs_root_bytenr 0 29058 NULL +iso_packets_buffer_init_29061 iso_packets_buffer_init 3-4 29061 NULL +roundup_64_29066 roundup_64 2-0-1 29066 NULL @@ -105875,7 +106646,8 @@ index 0000000..3a5b4b5 +lov_ost_pool_extend_29914 lov_ost_pool_extend 2 29914 NULL +write_file_queue_29922 write_file_queue 3 29922 NULL +ext4_xattr_set_acl_29930 ext4_xattr_set_acl 4 29930 NULL -+__btrfs_getxattr_29947 __btrfs_getxattr 0 29947 NULL ++__btrfs_getxattr_29947 __btrfs_getxattr 0 29947 NULL nohasharray ++ipv6_recv_error_29947 ipv6_recv_error 3 29947 &__btrfs_getxattr_29947 +diva_os_get_context_size_29983 diva_os_get_context_size 0 29983 NULL +arch_setup_dmar_msi_29992 arch_setup_dmar_msi 1 29992 NULL +vmci_host_setup_notify_30002 vmci_host_setup_notify 2 30002 NULL @@ -106382,8 +107154,8 @@ index 0000000..3a5b4b5 +av7110_vbi_write_34384 av7110_vbi_write 3 34384 NULL +usbvision_v4l2_read_34386 usbvision_v4l2_read 3 34386 NULL +read_rbu_image_type_34387 read_rbu_image_type 6 34387 NULL -+iwl_calib_set_34400 iwl_calib_set 3 34400 NULL nohasharray -+ivtv_read_pos_34400 ivtv_read_pos 3 34400 &iwl_calib_set_34400 ++ivtv_read_pos_34400 ivtv_read_pos 3 34400 NULL nohasharray ++iwl_calib_set_34400 iwl_calib_set 3 34400 &ivtv_read_pos_34400 +wd_exp_mode_write_34407 wd_exp_mode_write 3 34407 NULL +nl80211_send_disassoc_34424 nl80211_send_disassoc 4 34424 NULL +security_socket_create_34439 security_socket_create 0 34439 NULL @@ -106393,13 +107165,13 @@ index 0000000..3a5b4b5 +i2o_parm_field_get_34477 i2o_parm_field_get 5 34477 NULL +ocfs2_block_group_clear_bits_34484 ocfs2_block_group_clear_bits 0 34484 NULL +security_inode_permission_34488 security_inode_permission 0 34488 NULL -+SyS_pwritev_34494 SyS_pwritev 3 34494 NULL nohasharray -+__ffs64_34494 __ffs64 1-0 34494 &SyS_pwritev_34494 ++__ffs64_34494 __ffs64 1-0 34494 NULL nohasharray ++SyS_pwritev_34494 SyS_pwritev 3 34494 &__ffs64_34494 +qp_alloc_res_34496 qp_alloc_res 5 34496 NULL +lu_buf_check_and_alloc_34505 lu_buf_check_and_alloc 2 34505 NULL +snd_pcm_hw_param_value_34525 snd_pcm_hw_param_value 0 34525 NULL -+ext4_fallocate_34537 ext4_fallocate 4-3 34537 NULL nohasharray -+tracing_stats_read_34537 tracing_stats_read 3 34537 &ext4_fallocate_34537 ++tracing_stats_read_34537 tracing_stats_read 3 34537 NULL nohasharray ++ext4_fallocate_34537 ext4_fallocate 4-3 34537 &tracing_stats_read_34537 +hugetlbfs_read_actor_34547 hugetlbfs_read_actor 4-5-2-0 34547 NULL +dbBackSplit_34561 dbBackSplit 0 34561 NULL +alloc_ieee80211_rsl_34564 alloc_ieee80211_rsl 1 34564 NULL nohasharray @@ -106412,8 +107184,8 @@ index 0000000..3a5b4b5 +cw1200_queue_init_34599 cw1200_queue_init 4 34599 &ceph_msgpool_init_34599 +__add_prelim_ref_34600 __add_prelim_ref 0 34600 NULL +brcmf_cfg80211_mgmt_tx_34608 brcmf_cfg80211_mgmt_tx 7 34608 NULL -+__jffs2_ref_totlen_34609 __jffs2_ref_totlen 0 34609 NULL nohasharray -+mtd_write_34609 mtd_write 0 34609 &__jffs2_ref_totlen_34609 ++mtd_write_34609 mtd_write 0 34609 NULL nohasharray ++__jffs2_ref_totlen_34609 __jffs2_ref_totlen 0 34609 &mtd_write_34609 +apei_get_nvs_resources_34616 apei_get_nvs_resources 0 34616 NULL +__cfg80211_disconnected_34622 __cfg80211_disconnected 3 34622 NULL +cnic_alloc_dma_34641 cnic_alloc_dma 3 34641 NULL @@ -106876,11 +107648,11 @@ index 0000000..3a5b4b5 +snd_pcm_playback_rewind_38249 snd_pcm_playback_rewind 0-2 38249 NULL +from_dblock_38256 from_dblock 0-1 38256 NULL +vmci_qp_broker_set_page_store_38260 vmci_qp_broker_set_page_store 3-2 38260 NULL -+SYSC_msgrcv_38268 SYSC_msgrcv 3 38268 NULL nohasharray -+ieee80211_if_read_auto_open_plinks_38268 ieee80211_if_read_auto_open_plinks 3 38268 &SYSC_msgrcv_38268 nohasharray -+mthca_alloc_icm_table_38268 mthca_alloc_icm_table 4-3 38268 &ieee80211_if_read_auto_open_plinks_38268 -+xfs_bmdr_to_bmbt_38275 xfs_bmdr_to_bmbt 5 38275 NULL nohasharray -+xfs_bmbt_to_bmdr_38275 xfs_bmbt_to_bmdr 3 38275 &xfs_bmdr_to_bmbt_38275 ++ieee80211_if_read_auto_open_plinks_38268 ieee80211_if_read_auto_open_plinks 3 38268 NULL nohasharray ++SYSC_msgrcv_38268 SYSC_msgrcv 3 38268 &ieee80211_if_read_auto_open_plinks_38268 nohasharray ++mthca_alloc_icm_table_38268 mthca_alloc_icm_table 4-3 38268 &SYSC_msgrcv_38268 ++xfs_bmbt_to_bmdr_38275 xfs_bmbt_to_bmdr 3 38275 NULL nohasharray ++xfs_bmdr_to_bmbt_38275 xfs_bmdr_to_bmbt 5 38275 &xfs_bmbt_to_bmdr_38275 +ftdi_process_packet_38281 ftdi_process_packet 4 38281 NULL +gpa_to_gfn_38291 gpa_to_gfn 0-1 38291 NULL +ucma_query_path_38305 ucma_query_path 3 38305 NULL @@ -106953,8 +107725,8 @@ index 0000000..3a5b4b5 +ext3_trim_all_free_38929 ext3_trim_all_free 4-3-2 38929 NULL +il_dbgfs_sram_write_38942 il_dbgfs_sram_write 3 38942 NULL +__ath6kl_wmi_send_mgmt_cmd_38971 __ath6kl_wmi_send_mgmt_cmd 7 38971 NULL -+C_SYSC_preadv64_38977 C_SYSC_preadv64 3 38977 NULL nohasharray -+usb_maxpacket_38977 usb_maxpacket 0 38977 &C_SYSC_preadv64_38977 ++usb_maxpacket_38977 usb_maxpacket 0 38977 NULL nohasharray ++C_SYSC_preadv64_38977 C_SYSC_preadv64 3 38977 &usb_maxpacket_38977 +OSDSetBlock_38986 OSDSetBlock 2-4 38986 NULL +lpfc_idiag_extacc_write_38998 lpfc_idiag_extacc_write 3 38998 NULL +udf_new_block_38999 udf_new_block 4 38999 NULL @@ -107019,8 +107791,8 @@ index 0000000..3a5b4b5 +ext_depth_39607 ext_depth 0 39607 NULL +nfs_idmap_get_key_39616 nfs_idmap_get_key 2 39616 NULL +sdio_readb_39618 sdio_readb 0 39618 NULL -+set_dev_class_39645 set_dev_class 4 39645 NULL nohasharray -+dm_exception_table_init_39645 dm_exception_table_init 2 39645 &set_dev_class_39645 ++dm_exception_table_init_39645 dm_exception_table_init 2 39645 NULL nohasharray ++set_dev_class_39645 set_dev_class 4 39645 &dm_exception_table_init_39645 +snd_rme32_capture_copy_39653 snd_rme32_capture_copy 5 39653 NULL +tcp_try_rmem_schedule_39657 tcp_try_rmem_schedule 3 39657 NULL +kvm_read_guest_cached_39666 kvm_read_guest_cached 4 39666 NULL @@ -107463,8 +108235,8 @@ index 0000000..3a5b4b5 +usb_alloc_urb_43436 usb_alloc_urb 1 43436 NULL +ath6kl_wmi_roam_tbl_event_rx_43440 ath6kl_wmi_roam_tbl_event_rx 3 43440 NULL +ocfs2_rotate_tree_left_43442 ocfs2_rotate_tree_left 0 43442 NULL -+usemap_size_43443 usemap_size 0-2-1 43443 NULL nohasharray -+usb_string_43443 usb_string 0 43443 &usemap_size_43443 ++usb_string_43443 usb_string 0 43443 NULL nohasharray ++usemap_size_43443 usemap_size 0-2-1 43443 &usb_string_43443 +get_vm_area_size_43444 get_vm_area_size 0 43444 NULL +nvme_trans_device_id_page_43466 nvme_trans_device_id_page 4 43466 NULL +calculate_discard_block_size_43480 calculate_discard_block_size 0 43480 NULL nohasharray @@ -107534,6 +108306,7 @@ index 0000000..3a5b4b5 +xlog_recover_add_to_cont_trans_44102 xlog_recover_add_to_cont_trans 4 44102 NULL +skb_frag_dma_map_44112 skb_frag_dma_map 0 44112 NULL +tracing_set_trace_read_44122 tracing_set_trace_read 3 44122 NULL ++hwif_to_node_44127 hwif_to_node 0 44127 NULL +SyS_process_vm_writev_44129 SyS_process_vm_writev 3-5 44129 NULL +vmw_gmr_bind_44130 vmw_gmr_bind 3 44130 NULL +lookup_extent_data_ref_44136 lookup_extent_data_ref 0 44136 NULL @@ -107579,7 +108352,6 @@ index 0000000..3a5b4b5 +osst_do_scsi_44410 osst_do_scsi 4 44410 NULL +check_user_page_hwpoison_44412 check_user_page_hwpoison 1 44412 NULL +ieee80211_if_read_rc_rateidx_mcs_mask_5ghz_44423 ieee80211_if_read_rc_rateidx_mcs_mask_5ghz 3 44423 NULL -+prandom_u32_state_44445 prandom_u32_state 0 44445 NULL +iwl_dbgfs_bf_params_write_44450 iwl_dbgfs_bf_params_write 3 44450 NULL +write_file_debug_44476 write_file_debug 3 44476 NULL +btrfs_chunk_item_size_44478 btrfs_chunk_item_size 0-1 44478 NULL @@ -107743,6 +108515,7 @@ index 0000000..3a5b4b5 +ll_max_readahead_mb_seq_write_45815 ll_max_readahead_mb_seq_write 3 45815 NULL +fm_v4l2_init_video_device_45821 fm_v4l2_init_video_device 2 45821 NULL +memcg_update_cache_size_45828 memcg_update_cache_size 2 45828 NULL ++ipv6_recv_rxpmtu_45830 ipv6_recv_rxpmtu 3 45830 NULL +task_state_char_45839 task_state_char 1 45839 NULL +__ip_select_ident_45851 __ip_select_ident 3 45851 NULL +x509_process_extension_45854 x509_process_extension 5 45854 NULL @@ -107771,8 +108544,8 @@ index 0000000..3a5b4b5 +dma_tx_errors_read_46060 dma_tx_errors_read 3 46060 &__ocfs2_move_extent_46060 +sel_commit_bools_write_46077 sel_commit_bools_write 3 46077 NULL +arizona_set_irq_wake_46101 arizona_set_irq_wake 2 46101 NULL -+memcg_update_array_size_46111 memcg_update_array_size 1 46111 NULL nohasharray -+il3945_ucode_general_stats_read_46111 il3945_ucode_general_stats_read 3 46111 &memcg_update_array_size_46111 ++il3945_ucode_general_stats_read_46111 il3945_ucode_general_stats_read 3 46111 NULL nohasharray ++memcg_update_array_size_46111 memcg_update_array_size 1 46111 &il3945_ucode_general_stats_read_46111 +C_SYSC_writev_46113 C_SYSC_writev 3 46113 NULL +mlx4_ib_alloc_fast_reg_page_list_46119 mlx4_ib_alloc_fast_reg_page_list 2 46119 NULL +paging32_walk_addr_nested_46121 paging32_walk_addr_nested 3 46121 NULL @@ -107792,8 +108565,8 @@ index 0000000..3a5b4b5 +mpi_read_raw_data_46248 mpi_read_raw_data 2 46248 NULL +ReadReg_46277 ReadReg 0 46277 NULL +sg_proc_write_dressz_46316 sg_proc_write_dressz 3 46316 NULL -+__hwahc_dev_set_key_46328 __hwahc_dev_set_key 5 46328 NULL nohasharray -+compat_SyS_readv_46328 compat_SyS_readv 3 46328 &__hwahc_dev_set_key_46328 ++compat_SyS_readv_46328 compat_SyS_readv 3 46328 NULL nohasharray ++__hwahc_dev_set_key_46328 __hwahc_dev_set_key 5 46328 &compat_SyS_readv_46328 +iwl_dbgfs_chain_noise_read_46355 iwl_dbgfs_chain_noise_read 3 46355 NULL +smk_write_direct_46363 smk_write_direct 3 46363 NULL +__iommu_calculate_agaw_46366 __iommu_calculate_agaw 2 46366 NULL @@ -108011,8 +108784,8 @@ index 0000000..3a5b4b5 +set_discoverable_48141 set_discoverable 4 48141 NULL +dn_fib_count_nhs_48145 dn_fib_count_nhs 0 48145 NULL +get_cur_inode_state_48149 get_cur_inode_state 0 48149 NULL -+_add_to_r4w_48152 _add_to_r4w 4 48152 NULL nohasharray -+bitmap_onto_48152 bitmap_onto 4 48152 &_add_to_r4w_48152 ++bitmap_onto_48152 bitmap_onto 4 48152 NULL nohasharray ++_add_to_r4w_48152 _add_to_r4w 4 48152 &bitmap_onto_48152 +isr_dma1_done_read_48159 isr_dma1_done_read 3 48159 NULL +c4iw_id_table_alloc_48163 c4iw_id_table_alloc 3 48163 NULL +ocfs2_find_next_zero_bit_unaligned_48170 ocfs2_find_next_zero_bit_unaligned 2-3 48170 NULL nohasharray @@ -108093,8 +108866,8 @@ index 0000000..3a5b4b5 +vc_do_resize_48842 vc_do_resize 4-3 48842 NULL +comedi_buf_write_alloc_48846 comedi_buf_write_alloc 0-2 48846 NULL +suspend_dtim_interval_write_48854 suspend_dtim_interval_write 3 48854 NULL -+C_SYSC_pwritev64_48864 C_SYSC_pwritev64 3 48864 NULL nohasharray -+viafb_dvp1_proc_write_48864 viafb_dvp1_proc_write 3 48864 &C_SYSC_pwritev64_48864 ++viafb_dvp1_proc_write_48864 viafb_dvp1_proc_write 3 48864 NULL nohasharray ++C_SYSC_pwritev64_48864 C_SYSC_pwritev64 3 48864 &viafb_dvp1_proc_write_48864 +__ffs_ep0_read_events_48868 __ffs_ep0_read_events 3 48868 NULL +ext2_alloc_branch_48889 ext2_alloc_branch 4 48889 NULL +crypto_cipher_ctxsize_48890 crypto_cipher_ctxsize 0 48890 NULL @@ -108349,8 +109122,8 @@ index 0000000..3a5b4b5 +dpcm_show_state_50827 dpcm_show_state 0 50827 NULL +acpi_ev_install_gpe_block_50829 acpi_ev_install_gpe_block 2 50829 NULL +SetArea_50835 SetArea 4 50835 NULL nohasharray -+create_mem_extents_50835 create_mem_extents 0 50835 &SetArea_50835 nohasharray -+mask_from_50835 mask_from 0-1-2 50835 &create_mem_extents_50835 ++mask_from_50835 mask_from 0-1-2 50835 &SetArea_50835 nohasharray ++create_mem_extents_50835 create_mem_extents 0 50835 &mask_from_50835 +videobuf_dma_init_user_50839 videobuf_dma_init_user 3-4 50839 NULL +btrfs_search_slot_for_read_50843 btrfs_search_slot_for_read 0 50843 NULL +self_check_write_50856 self_check_write 0-5 50856 NULL @@ -108441,8 +109214,8 @@ index 0000000..3a5b4b5 +load_pdptrs_51541 load_pdptrs 3 51541 NULL +__alloc_eip_netdev_51549 __alloc_eip_netdev 1 51549 NULL +ixgb_get_eeprom_len_51586 ixgb_get_eeprom_len 0 51586 NULL -+get_cur_path_51589 get_cur_path 0 51589 NULL nohasharray -+snd_interval_refine_first_51589 snd_interval_refine_first 0 51589 &get_cur_path_51589 ++snd_interval_refine_first_51589 snd_interval_refine_first 0 51589 NULL nohasharray ++get_cur_path_51589 get_cur_path 0 51589 &snd_interval_refine_first_51589 +aac_convert_sgraw2_51598 aac_convert_sgraw2 4 51598 NULL +table_size_to_number_of_entries_51613 table_size_to_number_of_entries 0-1 51613 NULL +extent_fiemap_51621 extent_fiemap 3 51621 NULL @@ -108478,8 +109251,8 @@ index 0000000..3a5b4b5 +get_indirect_ea_51869 get_indirect_ea 4 51869 NULL +user_read_51881 user_read 3 51881 NULL +dbAdjCtl_51888 dbAdjCtl 0 51888 NULL -+SyS_mq_timedsend_51896 SyS_mq_timedsend 3 51896 NULL nohasharray -+virt_to_phys_51896 virt_to_phys 0 51896 &SyS_mq_timedsend_51896 ++virt_to_phys_51896 virt_to_phys 0 51896 NULL nohasharray ++SyS_mq_timedsend_51896 SyS_mq_timedsend 3 51896 &virt_to_phys_51896 +commit_fs_roots_51898 commit_fs_roots 0 51898 NULL +wmi_set_ie_51919 wmi_set_ie 3 51919 NULL +dbg_status_buf_51930 dbg_status_buf 2 51930 NULL @@ -108689,8 +109462,8 @@ index 0000000..3a5b4b5 +nr_sendmsg_53656 nr_sendmsg 4 53656 NULL +fuse_fill_write_pages_53682 fuse_fill_write_pages 0-4 53682 NULL +v4l2_event_subscribe_53687 v4l2_event_subscribe 3 53687 NULL -+bdev_logical_block_size_53690 bdev_logical_block_size 0 53690 NULL nohasharray -+igb_alloc_q_vector_53690 igb_alloc_q_vector 6-4 53690 &bdev_logical_block_size_53690 ++igb_alloc_q_vector_53690 igb_alloc_q_vector 6-4 53690 NULL nohasharray ++bdev_logical_block_size_53690 bdev_logical_block_size 0 53690 &igb_alloc_q_vector_53690 +find_overflow_devnum_53711 find_overflow_devnum 0 53711 NULL +bio_integrity_split_53714 bio_integrity_split 3 53714 NULL +__ocfs2_resv_find_window_53721 __ocfs2_resv_find_window 3 53721 NULL @@ -108891,8 +109664,8 @@ index 0000000..3a5b4b5 +lov_get_stripecnt_55297 lov_get_stripecnt 0-3 55297 NULL +gsm_control_modem_55303 gsm_control_modem 3 55303 NULL +wimax_msg_len_55304 wimax_msg_len 0 55304 NULL -+__get_vm_area_node_55305 __get_vm_area_node 6 55305 NULL nohasharray -+qp_alloc_guest_work_55305 qp_alloc_guest_work 5-3 55305 &__get_vm_area_node_55305 ++qp_alloc_guest_work_55305 qp_alloc_guest_work 5-3 55305 NULL nohasharray ++__get_vm_area_node_55305 __get_vm_area_node 6 55305 &qp_alloc_guest_work_55305 +__vxge_hw_vpath_initialize_55328 __vxge_hw_vpath_initialize 2 55328 NULL +do_shmat_55336 do_shmat 5 55336 NULL +vme_user_read_55338 vme_user_read 3 55338 NULL @@ -109075,8 +109848,8 @@ index 0000000..3a5b4b5 +__bitmap_clear_bits_56912 __bitmap_clear_bits 3 56912 NULL +strcspn_56913 strcspn 0 56913 NULL +__kfifo_out_56927 __kfifo_out 0-3 56927 NULL -+CopyBufferToControlPacket_56933 CopyBufferToControlPacket 0 56933 NULL nohasharray -+journal_init_revoke_56933 journal_init_revoke 2 56933 &CopyBufferToControlPacket_56933 ++journal_init_revoke_56933 journal_init_revoke 2 56933 NULL nohasharray ++CopyBufferToControlPacket_56933 CopyBufferToControlPacket 0 56933 &journal_init_revoke_56933 +nouveau_xtensa_create__56952 nouveau_xtensa_create_ 8 56952 NULL +diva_get_driver_info_56967 diva_get_driver_info 0 56967 NULL +nouveau_device_create__56984 nouveau_device_create_ 6 56984 NULL @@ -109192,8 +109965,8 @@ index 0000000..3a5b4b5 +kiblnd_create_tx_pool_57846 kiblnd_create_tx_pool 2 57846 NULL +process_all_new_xattrs_57881 process_all_new_xattrs 0 57881 NULL +xt_alloc_table_info_57903 xt_alloc_table_info 1 57903 NULL -+iio_read_first_n_kfifo_57910 iio_read_first_n_kfifo 2 57910 NULL nohasharray -+atomic_add_return_unchecked_57910 atomic_add_return_unchecked 0-1 57910 &iio_read_first_n_kfifo_57910 ++atomic_add_return_unchecked_57910 atomic_add_return_unchecked 0-1 57910 NULL nohasharray ++iio_read_first_n_kfifo_57910 iio_read_first_n_kfifo 2 57910 &atomic_add_return_unchecked_57910 +memcg_caches_array_size_57918 memcg_caches_array_size 0-1 57918 NULL +twl_i2c_write_57923 twl_i2c_write 3-4 57923 NULL +__snd_gf1_look16_57925 __snd_gf1_look16 0 57925 NULL @@ -109432,8 +110205,8 @@ index 0000000..3a5b4b5 +xlog_bread_offset_60030 xlog_bread_offset 3 60030 NULL +bio_integrity_hw_sectors_60039 bio_integrity_hw_sectors 0-2 60039 NULL +do_ip6t_set_ctl_60040 do_ip6t_set_ctl 4 60040 NULL -+vcs_size_60050 vcs_size 0 60050 NULL nohasharray -+pin_2_irq_60050 pin_2_irq 0-3 60050 &vcs_size_60050 ++pin_2_irq_60050 pin_2_irq 0-3 60050 NULL nohasharray ++vcs_size_60050 vcs_size 0 60050 &pin_2_irq_60050 +gru_alloc_gts_60056 gru_alloc_gts 3-2 60056 NULL +open_cur_inode_file_60057 open_cur_inode_file 0 60057 NULL +compat_writev_60063 compat_writev 3 60063 NULL @@ -109662,6 +110435,7 @@ index 0000000..3a5b4b5 +ipath_user_sdma_pin_pages_62100 ipath_user_sdma_pin_pages 3-5-4 62100 NULL +jffs2_security_setxattr_62107 jffs2_security_setxattr 4 62107 NULL +btrfs_direct_IO_62114 btrfs_direct_IO 4 62114 NULL ++ip_recv_error_62117 ip_recv_error 3 62117 NULL +generic_block_fiemap_62122 generic_block_fiemap 4 62122 NULL +llc_ui_header_len_62131 llc_ui_header_len 0 62131 NULL +qib_diag_write_62133 qib_diag_write 3 62133 NULL nohasharray @@ -110055,10 +110829,10 @@ index 0000000..3a5b4b5 +nvme_trans_standard_inquiry_page_65526 nvme_trans_standard_inquiry_page 4 65526 NULL diff --git a/tools/gcc/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin.c new file mode 100644 -index 0000000..a3f9702 +index 0000000..c1967f6 --- /dev/null +++ b/tools/gcc/size_overflow_plugin.c -@@ -0,0 +1,3870 @@ +@@ -0,0 +1,3922 @@ +/* + * Copyright 2011, 2012, 2013 by Emese Revfy <re.emese@gmail.com> + * Licensed under the GPL v2, or (at your option) v3 @@ -110119,6 +110893,10 @@ index 0000000..a3f9702 +#define MIN_CHECK true +#define MAX_CHECK false + ++#define TURN_OFF_ASM_STR "# size_overflow MARK_TURN_OFF\n\t" ++#define YES_ASM_STR "# size_overflow MARK_YES\n\t" ++#define OK_ASM_STR "# size_overflow\n\t" ++ +#if BUILDING_GCC_VERSION == 4005 +#define DECL_CHAIN(NODE) (TREE_CHAIN(DECL_MINIMAL_CHECK(NODE))) +#endif @@ -110184,7 +110962,7 @@ index 0000000..a3f9702 +static tree dup_assign(struct pointer_set_t *visited, gimple oldstmt, const_tree node, tree rhs1, tree rhs2, tree __unused rhs3); + +static struct plugin_info size_overflow_plugin_info = { -+ .version = "20131203beta", ++ .version = "20131211beta", + .help = "no-size-overflow\tturn off size overflow checking\n", +}; + @@ -111670,7 +112448,7 @@ index 0000000..a3f9702 + break; + case DImode: + if (LONG_TYPE_SIZE == GET_MODE_BITSIZE(SImode)) -+ new_type = intDI_type_node; ++ new_type = TYPE_UNSIGNED(type) ? unsigned_intDI_type_node : intDI_type_node; + else + new_type = intTI_type_node; + break; @@ -112252,36 +113030,43 @@ index 0000000..a3f9702 + return false; +} + ++static const char *get_asm_string(const_gimple stmt) ++{ ++ if (!stmt) ++ return NULL; ++ if (gimple_code(stmt) != GIMPLE_ASM) ++ return NULL; ++ ++ return gimple_asm_string(stmt); ++} ++ +static bool is_size_overflow_intentional_asm_turn_off(const_gimple stmt) +{ + const char *str; + -+ if (!stmt) ++ str = get_asm_string(stmt); ++ if (!str) + return false; -+ -+ str = gimple_asm_string(stmt); -+ return !strcmp(str, "# size_overflow MARK_TURN_OFF\n\t"); ++ return !strcmp(str, TURN_OFF_ASM_STR); +} + +static bool is_size_overflow_intentional_asm_yes(const_gimple stmt) +{ + const char *str; + -+ if (!stmt) ++ str = get_asm_string(stmt); ++ if (!str) + return false; -+ -+ str = gimple_asm_string(stmt); -+ return !strcmp(str, "# size_overflow MARK_YES\n\t"); ++ return !strcmp(str, YES_ASM_STR); +} + +static bool is_size_overflow_asm(const_gimple stmt) +{ + const char *str; + -+ if (!stmt) ++ str = get_asm_string(stmt); ++ if (!str) + return false; -+ -+ str = gimple_asm_string(stmt); + return !strncmp(str, "# size_overflow", 15); +} + @@ -112370,8 +113155,6 @@ index 0000000..a3f9702 + */ +static bool is_intentional_attribute_from_gimple(struct interesting_node *cur_node) +{ -+ const_tree input, output; -+ + if (!cur_node->intentional_mark_from_gimple) + return false; + @@ -112383,10 +113166,6 @@ index 0000000..a3f9702 + // skip param decls + if (gimple_asm_noutputs(cur_node->intentional_mark_from_gimple) == 0) + return true; -+ input = gimple_asm_input_op(cur_node->intentional_mark_from_gimple, 0); -+ output = gimple_asm_output_op(cur_node->intentional_mark_from_gimple, 0); -+ -+ replace_size_overflow_asm_with_assign(cur_node->intentional_mark_from_gimple, TREE_VALUE(output), TREE_VALUE(input)); + return true; +} + @@ -112399,6 +113178,9 @@ index 0000000..a3f9702 +{ + const_tree fndecl; + ++ if (is_intentional_attribute_from_gimple(cur_node)) ++ return; ++ + if (is_turn_off_intentional_attr(DECL_ORIGIN(current_function_decl))) { + cur_node->intentional_attr_cur_fndecl = MARK_TURN_OFF; + return; @@ -112423,9 +113205,6 @@ index 0000000..a3f9702 + else if (is_yes_intentional_attr(fndecl, cur_node->num)) + cur_node->intentional_attr_decl = MARK_YES; + -+ if (is_intentional_attribute_from_gimple(cur_node)) -+ return; -+ + cur_node->intentional_attr_cur_fndecl = search_last_nodes_intentional(cur_node); + print_missing_intentional(cur_node->intentional_attr_decl, cur_node->intentional_attr_cur_fndecl, cur_node->fndecl, cur_node->num); +} @@ -112511,13 +113290,8 @@ index 0000000..a3f9702 +// a size_overflow asm stmt in the control flow doesn't stop the recursion +static void handle_asm_stmt(struct pointer_set_t *visited, struct interesting_node *cur_node, tree lhs, const_gimple stmt) +{ -+ const_tree asm_lhs; -+ + if (!is_size_overflow_asm(stmt)) -+ return walk_use_def(visited, cur_node, SSA_NAME_VAR(lhs)); -+ -+ asm_lhs = gimple_asm_input_op(stmt, 0); -+ walk_use_def(visited, cur_node, TREE_VALUE(asm_lhs)); ++ walk_use_def(visited, cur_node, SSA_NAME_VAR(lhs)); +} + +/* collect the parm_decls and fndecls (for checking a missing size_overflow attribute (ret or arg) or intentional_overflow) @@ -112578,39 +113352,58 @@ index 0000000..a3f9702 + pointer_set_destroy(visited); +} + -+/* This function calls the main recursion function (expand) that duplicates the stmts. Before that it checks the intentional_overflow attribute and asm stmts, -+ * it decides whether the duplication is necessary or not and it searches for missing size_overflow attributes. After expand() it changes the orig node to the duplicated node -+ * in the original stmt (first stmt) and it inserts the overflow check for the arg of the callee or for the return value. -+ * If there is a mark_turn_off intentional attribute on the caller or the callee then there is no duplication and missing size_overflow attribute check anywhere. ++enum precond { ++ NO_ATTRIBUTE_SEARCH, NO_CHECK_INSERT, NONE ++}; ++ ++/* If there is a mark_turn_off intentional attribute on the caller or the callee then there is no duplication and missing size_overflow attribute check anywhere. + * There is only missing size_overflow attribute checking if the intentional_overflow attribute is the mark_no type. + * Stmt duplication is unnecessary if there are no binary/ternary assignements or if the unary assignment isn't a cast. + * It skips the possible error codes too. If the def_stmts trace back to a constant and there are no binary/ternary assigments then we assume that it is some kind of error code. + */ -+static struct next_cgraph_node *handle_interesting_stmt(struct next_cgraph_node *cnodes, struct interesting_node *cur_node, struct cgraph_node *caller_node) ++static enum precond check_preconditions(struct interesting_node *cur_node) +{ -+ struct pointer_set_t *visited; + bool interesting_conditions[3] = {false, false, false}; -+ tree new_node, orig_node = cur_node->node; + + set_last_nodes(cur_node); + + check_intentional_attribute_ipa(cur_node); + if (cur_node->intentional_attr_decl == MARK_TURN_OFF || cur_node->intentional_attr_cur_fndecl == MARK_TURN_OFF) -+ return cnodes; ++ return NO_ATTRIBUTE_SEARCH; + + search_interesting_conditions(cur_node, interesting_conditions); + + // error code + if (interesting_conditions[CAST] && interesting_conditions[FROM_CONST] && !interesting_conditions[NOT_UNARY]) -+ return cnodes; ++ return NO_ATTRIBUTE_SEARCH; + -+ cnodes = search_overflow_attribute(cnodes, cur_node); ++ // unnecessary overflow check ++ if (!interesting_conditions[CAST] && !interesting_conditions[NOT_UNARY]) ++ return NO_CHECK_INSERT; + + if (cur_node->intentional_attr_cur_fndecl != MARK_NO) ++ return NO_CHECK_INSERT; ++ ++ return NONE; ++} ++ ++/* This function calls the main recursion function (expand) that duplicates the stmts. Before that it checks the intentional_overflow attribute and asm stmts, ++ * it decides whether the duplication is necessary or not and it searches for missing size_overflow attributes. After expand() it changes the orig node to the duplicated node ++ * in the original stmt (first stmt) and it inserts the overflow check for the arg of the callee or for the return value. ++ */ ++static struct next_cgraph_node *handle_interesting_stmt(struct next_cgraph_node *cnodes, struct interesting_node *cur_node, struct cgraph_node *caller_node) ++{ ++ enum precond ret; ++ struct pointer_set_t *visited; ++ tree new_node, orig_node = cur_node->node; ++ ++ ret = check_preconditions(cur_node); ++ if (ret == NO_ATTRIBUTE_SEARCH) + return cnodes; + -+ // unnecessary overflow check -+ if (!interesting_conditions[CAST] && !interesting_conditions[NOT_UNARY]) ++ cnodes = search_overflow_attribute(cnodes, cur_node); ++ ++ if (ret == NO_CHECK_INSERT) + return cnodes; + + visited = pointer_set_create(); @@ -112822,9 +113615,6 @@ index 0000000..a3f9702 + imm_use_iterator imm_iter; + unsigned int argnum; + -+ if (is_size_overflow_intentional_asm_turn_off(intentional_asm)) -+ return head; -+ + gcc_assert(TREE_CODE(node) == SSA_NAME); + + if (pointer_set_insert(visited, node)) @@ -112879,8 +113669,6 @@ index 0000000..a3f9702 + gimple_stmt_iterator gsi; + tree input, output; + -+ if (gimple_code(stmt) != GIMPLE_ASM) -+ return; + if (!is_size_overflow_asm(stmt)) + return; + @@ -112913,13 +113701,19 @@ index 0000000..a3f9702 + + gcc_assert(gimple_asm_ninputs(stmt) == 1); + ++ if (gimple_asm_noutputs(stmt) == 0 && is_size_overflow_intentional_asm_turn_off(stmt)) ++ return head; ++ + if (gimple_asm_noutputs(stmt) == 0) { -+ const_tree input = gimple_asm_input_op(stmt, 0); ++ const_tree input; ++ ++ if (!is_size_overflow_intentional_asm_turn_off(stmt)) ++ return head; + ++ input = gimple_asm_input_op(stmt, 0); + remove_size_overflow_asm(stmt); + if (is_gimple_constant(TREE_VALUE(input))) + return head; -+ + visited = pointer_set_create(); + head = get_interesting_ret_or_call(visited, head, TREE_VALUE(input), intentional_asm); + pointer_set_destroy(visited); @@ -113326,6 +114120,9 @@ index 0000000..a3f9702 + case GIMPLE_NOP: + return search_intentional(visited, SSA_NAME_VAR(lhs)); + case GIMPLE_ASM: ++ if (is_size_overflow_intentional_asm_turn_off(def_stmt)) ++ return MARK_TURN_OFF; ++ return MARK_NO; + case GIMPLE_CALL: + return MARK_NO; + case GIMPLE_PHI: @@ -113347,10 +114144,9 @@ index 0000000..a3f9702 +} + +// Check the intentional_overflow attribute and create the asm comment string for the size_overflow asm stmt. -+static const char *check_intentional_attribute_gimple(const_tree arg, const_gimple stmt, unsigned int argnum) ++static enum mark check_intentional_attribute_gimple(const_tree arg, const_gimple stmt, unsigned int argnum) +{ + const_tree fndecl; -+ const char *asm_str; + struct pointer_set_t *visited; + enum mark cur_fndecl_attr, decl_attr = MARK_NO; + @@ -113360,7 +114156,7 @@ index 0000000..a3f9702 + else if (is_yes_intentional_attr(fndecl, argnum)) + decl_attr = MARK_YES; + else if (is_turn_off_intentional_attr(fndecl) || is_turn_off_intentional_attr(DECL_ORIGIN(current_function_decl))) { -+ return "# size_overflow MARK_TURN_OFF\n\t"; ++ return MARK_TURN_OFF; + } + + visited = pointer_set_create(); @@ -113369,18 +114165,13 @@ index 0000000..a3f9702 + + switch (cur_fndecl_attr) { + case MARK_NO: -+ asm_str = "# size_overflow\n\t"; -+ break; ++ return MARK_NO; + case MARK_TURN_OFF: -+ asm_str = "# size_overflow MARK_TURN_OFF\n\t"; -+ break; ++ return MARK_TURN_OFF; + default: -+ asm_str = "# size_overflow MARK_YES\n\t"; + print_missing_intentional(decl_attr, cur_fndecl_attr, fndecl, argnum); -+ break; ++ return MARK_YES; + } -+ -+ return asm_str; +} + +static void check_missing_size_overflow_attribute(tree var) @@ -113516,6 +114307,21 @@ index 0000000..a3f9702 + update_stmt(stmt); +} + ++static const char *convert_mark_to_str(enum mark mark) ++{ ++ switch (mark) { ++ case MARK_NO: ++ return OK_ASM_STR; ++ case MARK_YES: ++ case MARK_NOT_INTENTIONAL: ++ return YES_ASM_STR; ++ case MARK_TURN_OFF: ++ return TURN_OFF_ASM_STR; ++ } ++ ++ gcc_unreachable(); ++} ++ +/* Create the input of the size_overflow asm stmt. + * When the arg of the callee function is a parm_decl it creates this kind of size_overflow asm stmt: + * __asm__("# size_overflow MARK_YES" : : "rm" size_1(D)); @@ -113529,6 +114335,8 @@ index 0000000..a3f9702 + return; + } + ++ gcc_assert(!is_size_overflow_intentional_asm_turn_off(asm_data->def_stmt)); ++ + asm_data->input = create_new_var(TREE_TYPE(asm_data->output)); + asm_data->input = make_ssa_name(asm_data->input, asm_data->def_stmt); + @@ -113541,7 +114349,11 @@ index 0000000..a3f9702 + create_output_from_phi(stmt, argnum, asm_data); + break; + case GIMPLE_NOP: { -+ const char *str = check_intentional_attribute_gimple(asm_data->output, stmt, argnum); ++ enum mark mark; ++ const char *str; ++ ++ mark = check_intentional_attribute_gimple(asm_data->output, stmt, argnum); ++ str = convert_mark_to_str(mark); + + asm_data->input = asm_data->output; + asm_data->output = NULL; @@ -113571,19 +114383,24 @@ index 0000000..a3f9702 +{ + struct asm_data asm_data; + const char *str; ++ enum mark mark; + + if (is_gimple_constant(output_node)) + return; + ++ asm_data.output = output_node; ++ mark = check_intentional_attribute_gimple(asm_data.output, stmt, argnum); ++ if (mark == MARK_TURN_OFF) ++ return; ++ + search_missing_size_overflow_attribute_gimple(stmt, argnum); + -+ asm_data.output = output_node; + asm_data.def_stmt = get_def_stmt(asm_data.output); + create_asm_input(stmt, argnum, &asm_data); + if (asm_data.input == NULL_TREE) + return; + -+ str = check_intentional_attribute_gimple(asm_data.output, stmt, argnum); ++ str = convert_mark_to_str(mark); + create_asm_stmt(str, build_string(1, "0"), build_string(3, "=rm"), &asm_data); +} + @@ -113680,16 +114497,22 @@ index 0000000..a3f9702 + if (mark != MARK_TURN_OFF) + return false; + -+ asm_data.input = gimple_call_lhs(stmt); -+ if (asm_data.input == NULL_TREE) { ++ asm_data.def_stmt = stmt; ++ asm_data.output = gimple_call_lhs(stmt); ++ ++ if (asm_data.output == NULL_TREE) { + asm_data.input = gimple_call_arg(stmt, 0); + if (is_gimple_constant(asm_data.input)) + return false; ++ asm_data.output = NULL; ++ create_asm_stmt(TURN_OFF_ASM_STR, build_string(2, "rm"), NULL, &asm_data); ++ return true; + } + -+ asm_data.output = NULL; -+ asm_data.def_stmt = stmt; -+ create_asm_stmt("# size_overflow MARK_TURN_OFF\n\t", build_string(2, "rm"), NULL, &asm_data); ++ create_asm_input(stmt, 0, &asm_data); ++ gcc_assert(asm_data.input != NULL_TREE); ++ ++ create_asm_stmt(TURN_OFF_ASM_STR, build_string(1, "0"), build_string(3, "=rm"), &asm_data); + return true; +} + @@ -113739,6 +114562,9 @@ index 0000000..a3f9702 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) { + gimple stmt = gsi_stmt(gsi); + ++ if (is_size_overflow_asm(stmt)) ++ continue; ++ + if (is_gimple_call(stmt)) + handle_interesting_function(stmt); + else if (gimple_code(stmt) == GIMPLE_RETURN) @@ -114588,7 +115414,7 @@ index 96b919d..c49bb74 100644 + #endif diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index 1cf9ccb..b9236e2 100644 +index 1cf9ccb..4a8abb5 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -75,12 +75,17 @@ LIST_HEAD(vm_list); @@ -114629,7 +115455,17 @@ index 1cf9ccb..b9236e2 100644 .release = kvm_vcpu_release, .unlocked_ioctl = kvm_vcpu_ioctl, #ifdef CONFIG_COMPAT -@@ -2550,7 +2555,7 @@ static int kvm_vm_mmap(struct file *file, struct vm_area_struct *vma) +@@ -1893,6 +1898,9 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id) + int r; + struct kvm_vcpu *vcpu, *v; + ++ if (id >= KVM_MAX_VCPUS) ++ return -EINVAL; ++ + vcpu = kvm_arch_vcpu_create(kvm, id); + if (IS_ERR(vcpu)) + return PTR_ERR(vcpu); +@@ -2550,7 +2558,7 @@ static int kvm_vm_mmap(struct file *file, struct vm_area_struct *vma) return 0; } @@ -114638,7 +115474,7 @@ index 1cf9ccb..b9236e2 100644 .release = kvm_vm_release, .unlocked_ioctl = kvm_vm_ioctl, #ifdef CONFIG_COMPAT -@@ -2651,7 +2656,7 @@ out: +@@ -2651,7 +2659,7 @@ out: return r; } @@ -114647,7 +115483,7 @@ index 1cf9ccb..b9236e2 100644 .unlocked_ioctl = kvm_dev_ioctl, .compat_ioctl = kvm_dev_ioctl, .llseek = noop_llseek, -@@ -2677,7 +2682,7 @@ static void hardware_enable_nolock(void *junk) +@@ -2677,7 +2685,7 @@ static void hardware_enable_nolock(void *junk) if (r) { cpumask_clear_cpu(cpu, cpus_hardware_enabled); @@ -114656,7 +115492,7 @@ index 1cf9ccb..b9236e2 100644 printk(KERN_INFO "kvm: enabling virtualization on " "CPU%d failed\n", cpu); } -@@ -2731,10 +2736,10 @@ static int hardware_enable_all(void) +@@ -2731,10 +2739,10 @@ static int hardware_enable_all(void) kvm_usage_count++; if (kvm_usage_count == 1) { @@ -114669,7 +115505,7 @@ index 1cf9ccb..b9236e2 100644 hardware_disable_all_nolock(); r = -EBUSY; } -@@ -3168,7 +3173,7 @@ static void kvm_sched_out(struct preempt_notifier *pn, +@@ -3168,7 +3176,7 @@ static void kvm_sched_out(struct preempt_notifier *pn, kvm_arch_vcpu_put(vcpu); } @@ -114678,7 +115514,7 @@ index 1cf9ccb..b9236e2 100644 struct module *module) { int r; -@@ -3215,7 +3220,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -3215,7 +3223,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, if (!vcpu_align) vcpu_align = __alignof__(struct kvm_vcpu); kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align, @@ -114687,7 +115523,7 @@ index 1cf9ccb..b9236e2 100644 if (!kvm_vcpu_cache) { r = -ENOMEM; goto out_free_3; -@@ -3225,9 +3230,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -3225,9 +3233,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, if (r) goto out_free; @@ -114699,7 +115535,7 @@ index 1cf9ccb..b9236e2 100644 r = misc_register(&kvm_dev); if (r) { -@@ -3237,9 +3244,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -3237,9 +3247,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, register_syscore_ops(&kvm_syscore_ops); diff --git a/3.12.4/4425_grsec_remove_EI_PAX.patch b/3.12.5/4425_grsec_remove_EI_PAX.patch index cf65d90..cf65d90 100644 --- a/3.12.4/4425_grsec_remove_EI_PAX.patch +++ b/3.12.5/4425_grsec_remove_EI_PAX.patch diff --git a/3.12.4/4427_force_XATTR_PAX_tmpfs.patch b/3.12.5/4427_force_XATTR_PAX_tmpfs.patch index 23e60cd..23e60cd 100644 --- a/3.12.4/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.12.5/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.12.4/4430_grsec-remove-localversion-grsec.patch b/3.12.5/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.12.4/4430_grsec-remove-localversion-grsec.patch +++ b/3.12.5/4430_grsec-remove-localversion-grsec.patch diff --git a/3.12.4/4435_grsec-mute-warnings.patch b/3.12.5/4435_grsec-mute-warnings.patch index ed941d5..ed941d5 100644 --- a/3.12.4/4435_grsec-mute-warnings.patch +++ b/3.12.5/4435_grsec-mute-warnings.patch diff --git a/3.12.4/4440_grsec-remove-protected-paths.patch b/3.12.5/4440_grsec-remove-protected-paths.patch index 05710b1..05710b1 100644 --- a/3.12.4/4440_grsec-remove-protected-paths.patch +++ b/3.12.5/4440_grsec-remove-protected-paths.patch diff --git a/3.12.4/4450_grsec-kconfig-default-gids.patch b/3.12.5/4450_grsec-kconfig-default-gids.patch index aa9d567..aa9d567 100644 --- a/3.12.4/4450_grsec-kconfig-default-gids.patch +++ b/3.12.5/4450_grsec-kconfig-default-gids.patch diff --git a/3.12.4/4465_selinux-avc_audit-log-curr_ip.patch b/3.12.5/4465_selinux-avc_audit-log-curr_ip.patch index 6490fca..6490fca 100644 --- a/3.12.4/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.12.5/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.12.4/4470_disable-compat_vdso.patch b/3.12.5/4470_disable-compat_vdso.patch index 209dfae..209dfae 100644 --- a/3.12.4/4470_disable-compat_vdso.patch +++ b/3.12.5/4470_disable-compat_vdso.patch diff --git a/3.12.4/4475_emutramp_default_on.patch b/3.12.5/4475_emutramp_default_on.patch index 30f6978..30f6978 100644 --- a/3.12.4/4475_emutramp_default_on.patch +++ b/3.12.5/4475_emutramp_default_on.patch diff --git a/3.2.53/0000_README b/3.2.53/0000_README index 3a69687..09b1794 100644 --- a/3.2.53/0000_README +++ b/3.2.53/0000_README @@ -130,7 +130,7 @@ Patch: 1052_linux-3.2.53.patch From: http://www.kernel.org Desc: Linux 3.2.53 -Patch: 4420_grsecurity-3.0-3.2.53-201312081752.patch +Patch: 4420_grsecurity-3.0-3.2.53-201312132200.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.53/4420_grsecurity-3.0-3.2.53-201312081752.patch b/3.2.53/4420_grsecurity-3.0-3.2.53-201312132200.patch index eb4e1a1..e78690c 100644 --- a/3.2.53/4420_grsecurity-3.0-3.2.53-201312081752.patch +++ b/3.2.53/4420_grsecurity-3.0-3.2.53-201312132200.patch @@ -3386,6 +3386,18 @@ index c539c68..c95d3db 100644 { .notifier_call = err_inject_cpu_callback, }; +diff --git a/arch/ia64/kernel/irq_ia64.c b/arch/ia64/kernel/irq_ia64.c +index 782c3a35..3540c5e 100644 +--- a/arch/ia64/kernel/irq_ia64.c ++++ b/arch/ia64/kernel/irq_ia64.c +@@ -23,7 +23,6 @@ + #include <linux/ioport.h> + #include <linux/kernel_stat.h> + #include <linux/ptrace.h> +-#include <linux/random.h> /* for rand_initialize_irq() */ + #include <linux/signal.h> + #include <linux/smp.h> + #include <linux/threads.h> diff --git a/arch/ia64/kernel/mca.c b/arch/ia64/kernel/mca.c index 9b97303..69464a9 100644 --- a/arch/ia64/kernel/mca.c @@ -23358,7 +23370,7 @@ index f5302da..6ee193e 100644 /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */ diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c -index 54abb40..a192606 100644 +index 54abb40..fbcaf81 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c @@ -53,7 +53,7 @@ @@ -23370,6 +23382,15 @@ index 54abb40..a192606 100644 #define APIC_LVT_NUM 6 /* 14 is the version for Xeon and Pentium 8.4.8*/ +@@ -537,7 +537,7 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic) + ASSERT(apic != NULL); + + /* if initial count is 0, current count should also be 0 */ +- if (apic_get_reg(apic, APIC_TMICT) == 0) ++ if (apic_get_reg(apic, APIC_TMICT) == 0 || apic->lapic_timer.period == 0) + return 0; + + remaining = hrtimer_get_remaining(&apic->lapic_timer.timer); diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c index f1b36cf..af8a124 100644 --- a/arch/x86/kvm/mmu.c @@ -33713,51 +33734,365 @@ index da3cfee..a5a6606 100644 *ppos = i; diff --git a/drivers/char/random.c b/drivers/char/random.c -index c244f0e..255f226 100644 +index c244f0e..bb09210 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c -@@ -269,8 +269,13 @@ +@@ -255,10 +255,8 @@ + #include <linux/fips.h> + #include <linux/ptrace.h> + #include <linux/kmemcheck.h> +- +-#ifdef CONFIG_GENERIC_HARDIRQS +-# include <linux/irq.h> +-#endif ++#include <linux/workqueue.h> ++#include <linux/irq.h> + + #include <asm/processor.h> + #include <asm/uaccess.h> +@@ -266,129 +264,151 @@ + #include <asm/irq_regs.h> + #include <asm/io.h> + ++#define CREATE_TRACE_POINTS ++#include <trace/events/random.h> ++ /* * Configuration information */ +-#define INPUT_POOL_WORDS 128 +-#define OUTPUT_POOL_WORDS 32 +-#define SEC_XFER_SIZE 512 +-#define EXTRACT_SIZE 10 +#ifdef CONFIG_GRKERNSEC_RANDNET -+#define INPUT_POOL_WORDS 512 -+#define OUTPUT_POOL_WORDS 128 ++#define INPUT_POOL_SHIFT 14 ++#define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5)) ++#define OUTPUT_POOL_SHIFT 12 ++#define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5)) +#else - #define INPUT_POOL_WORDS 128 - #define OUTPUT_POOL_WORDS 32 ++#define INPUT_POOL_SHIFT 12 ++#define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5)) ++#define OUTPUT_POOL_SHIFT 10 ++#define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5)) +#endif - #define SEC_XFER_SIZE 512 - #define EXTRACT_SIZE 10 ++#define SEC_XFER_SIZE 512 ++#define EXTRACT_SIZE 10 + + #define LONGS(x) (((x) + sizeof(unsigned long) - 1)/sizeof(unsigned long)) + + /* ++ * To allow fractional bits to be tracked, the entropy_count field is ++ * denominated in units of 1/8th bits. ++ * ++ * 2*(ENTROPY_SHIFT + log2(poolbits)) must <= 31, or the multiply in ++ * credit_entropy_bits() needs to be 64 bits wide. ++ */ ++#define ENTROPY_SHIFT 3 ++#define ENTROPY_BITS(r) ((r)->entropy_count >> ENTROPY_SHIFT) ++ ++/* + * The minimum number of bits of entropy before we wake up a read on + * /dev/random. Should be enough to do a significant reseed. + */ +-static int random_read_wakeup_thresh = 64; ++static int random_read_wakeup_bits = 64; + + /* + * If the entropy count falls under this number of bits, then we + * should wake up processes which are selecting or polling on write + * access to /dev/random. + */ +-static int random_write_wakeup_thresh = 128; ++static int random_write_wakeup_bits = 28 * OUTPUT_POOL_WORDS; + + /* +- * When the input pool goes over trickle_thresh, start dropping most +- * samples to avoid wasting CPU time and reduce lock contention. ++ * The minimum number of seconds between urandom pool reseeding. We ++ * do this to limit the amount of entropy that can be drained from the ++ * input pool even if there are heavy demands on /dev/urandom. + */ +- +-static int trickle_thresh __read_mostly = INPUT_POOL_WORDS * 28; +- +-static DEFINE_PER_CPU(int, trickle_count); ++static int random_min_urandom_seed = 60; -@@ -310,10 +315,17 @@ static struct poolinfo { - int poolwords; + /* +- * A pool of size .poolwords is stirred with a primitive polynomial +- * of degree .poolwords over GF(2). The taps for various sizes are +- * defined below. They are chosen to be evenly spaced (minimum RMS +- * distance from evenly spaced; the numbers in the comments are a +- * scaled squared error sum) except for the last tap, which is 1 to +- * get the twisting happening as fast as possible. ++ * Originally, we used a primitive polynomial of degree .poolwords ++ * over GF(2). The taps for various sizes are defined below. They ++ * were chosen to be evenly spaced except for the last tap, which is 1 ++ * to get the twisting happening as fast as possible. ++ * ++ * For the purposes of better mixing, we use the CRC-32 polynomial as ++ * well to make a (modified) twisted Generalized Feedback Shift ++ * Register. (See M. Matsumoto & Y. Kurita, 1992. Twisted GFSR ++ * generators. ACM Transactions on Modeling and Computer Simulation ++ * 2(3):179-194. Also see M. Matsumoto & Y. Kurita, 1994. Twisted ++ * GFSR generators II. ACM Transactions on Modeling and Computer ++ * Simulation 4:254-266) ++ * ++ * Thanks to Colin Plumb for suggesting this. ++ * ++ * The mixing operation is much less sensitive than the output hash, ++ * where we use SHA-1. All that we want of mixing operation is that ++ * it be a good non-cryptographic hash; i.e. it not produce collisions ++ * when fed "random" data of the sort we expect to see. As long as ++ * the pool state differs for different inputs, we have preserved the ++ * input entropy and done a good job. The fact that an intelligent ++ * attacker can construct inputs that will produce controlled ++ * alterations to the pool's state is not important because we don't ++ * consider such inputs to contribute any randomness. The only ++ * property we need with respect to them is that the attacker can't ++ * increase his/her knowledge of the pool's state. Since all ++ * additions are reversible (knowing the final state and the input, ++ * you can reconstruct the initial state), if an attacker has any ++ * uncertainty about the initial state, he/she can only shuffle that ++ * uncertainty about, but never cause any collisions (which would ++ * decrease the uncertainty). ++ * ++ * Our mixing functions were analyzed by Lacharme, Roeck, Strubel, and ++ * Videau in their paper, "The Linux Pseudorandom Number Generator ++ * Revisited" (see: http://eprint.iacr.org/2012/251.pdf). In their ++ * paper, they point out that we are not using a true Twisted GFSR, ++ * since Matsumoto & Kurita used a trinomial feedback polynomial (that ++ * is, with only three taps, instead of the six that we are using). ++ * As a result, the resulting polynomial is neither primitive nor ++ * irreducible, and hence does not have a maximal period over ++ * GF(2**32). They suggest a slight change to the generator ++ * polynomial which improves the resulting TGFSR polynomial to be ++ * irreducible, which we have made here. + */ + static struct poolinfo { +- int poolwords; ++ int poolbitshift, poolwords, poolbytes, poolbits, poolfracbits; ++#define S(x) ilog2(x)+5, (x), (x)*4, (x)*32, (x) << (ENTROPY_SHIFT+5) int tap1, tap2, tap3, tap4, tap5; } poolinfo_table[] = { +- /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */ +- { 128, 103, 76, 51, 25, 1 }, +- /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */ +- { 32, 26, 20, 14, 7, 1 }, +#ifdef CONFIG_GRKERNSEC_RANDNET -+ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */ -+ { 512, 411, 308, 208, 104, 1 }, -+ /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */ -+ { 128, 103, 76, 51, 25, 1 }, ++ /* x^512 + x^411 + x^308 + x^208 + x^104 + x + 1 -- 225 */ ++ { S(512), 411, 308, 208, 104, 1 }, ++ /* was: x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 */ ++ /* x^128 + x^104 + x^76 + x^51 +x^25 + x + 1 */ ++ { S(128), 104, 76, 51, 25, 1 }, +#else - /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */ - { 128, 103, 76, 51, 25, 1 }, - /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */ - { 32, 26, 20, 14, 7, 1 }, ++ /* was: x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 */ ++ /* x^128 + x^104 + x^76 + x^51 +x^25 + x + 1 */ ++ { S(128), 104, 76, 51, 25, 1 }, ++ /* was: x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 */ ++ /* x^32 + x^26 + x^19 + x^14 + x^7 + x + 1 */ ++ { S(32), 26, 19, 14, 7, 1 }, +#endif #if 0 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */ - { 2048, 1638, 1231, 819, 411, 1 }, -@@ -434,6 +446,7 @@ struct entropy_store { +- { 2048, 1638, 1231, 819, 411, 1 }, ++ { S(2048), 1638, 1231, 819, 411, 1 }, + + /* x^1024 + x^817 + x^615 + x^412 + x^204 + x + 1 -- 290 */ +- { 1024, 817, 615, 412, 204, 1 }, ++ { S(1024), 817, 615, 412, 204, 1 }, + + /* x^1024 + x^819 + x^616 + x^410 + x^207 + x^2 + 1 -- 115 */ +- { 1024, 819, 616, 410, 207, 2 }, ++ { S(1024), 819, 616, 410, 207, 2 }, + + /* x^512 + x^411 + x^308 + x^208 + x^104 + x + 1 -- 225 */ +- { 512, 411, 308, 208, 104, 1 }, ++ { S(512), 411, 308, 208, 104, 1 }, + + /* x^512 + x^409 + x^307 + x^206 + x^102 + x^2 + 1 -- 95 */ +- { 512, 409, 307, 206, 102, 2 }, ++ { S(512), 409, 307, 206, 102, 2 }, + /* x^512 + x^409 + x^309 + x^205 + x^103 + x^2 + 1 -- 95 */ +- { 512, 409, 309, 205, 103, 2 }, ++ { S(512), 409, 309, 205, 103, 2 }, + + /* x^256 + x^205 + x^155 + x^101 + x^52 + x + 1 -- 125 */ +- { 256, 205, 155, 101, 52, 1 }, ++ { S(256), 205, 155, 101, 52, 1 }, + + /* x^128 + x^103 + x^78 + x^51 + x^27 + x^2 + 1 -- 70 */ +- { 128, 103, 78, 51, 27, 2 }, ++ { S(128), 103, 78, 51, 27, 2 }, + + /* x^64 + x^52 + x^39 + x^26 + x^14 + x + 1 -- 15 */ +- { 64, 52, 39, 26, 14, 1 }, ++ { S(64), 52, 39, 26, 14, 1 }, + #endif + }; + +-#define POOLBITS poolwords*32 +-#define POOLBYTES poolwords*4 +- +-/* +- * For the purposes of better mixing, we use the CRC-32 polynomial as +- * well to make a twisted Generalized Feedback Shift Reigster +- * +- * (See M. Matsumoto & Y. Kurita, 1992. Twisted GFSR generators. ACM +- * Transactions on Modeling and Computer Simulation 2(3):179-194. +- * Also see M. Matsumoto & Y. Kurita, 1994. Twisted GFSR generators +- * II. ACM Transactions on Mdeling and Computer Simulation 4:254-266) +- * +- * Thanks to Colin Plumb for suggesting this. +- * +- * We have not analyzed the resultant polynomial to prove it primitive; +- * in fact it almost certainly isn't. Nonetheless, the irreducible factors +- * of a random large-degree polynomial over GF(2) are more than large enough +- * that periodicity is not a concern. +- * +- * The input hash is much less sensitive than the output hash. All +- * that we want of it is that it be a good non-cryptographic hash; +- * i.e. it not produce collisions when fed "random" data of the sort +- * we expect to see. As long as the pool state differs for different +- * inputs, we have preserved the input entropy and done a good job. +- * The fact that an intelligent attacker can construct inputs that +- * will produce controlled alterations to the pool's state is not +- * important because we don't consider such inputs to contribute any +- * randomness. The only property we need with respect to them is that +- * the attacker can't increase his/her knowledge of the pool's state. +- * Since all additions are reversible (knowing the final state and the +- * input, you can reconstruct the initial state), if an attacker has +- * any uncertainty about the initial state, he/she can only shuffle +- * that uncertainty about, but never cause any collisions (which would +- * decrease the uncertainty). +- * +- * The chosen system lets the state of the pool be (essentially) the input +- * modulo the generator polymnomial. Now, for random primitive polynomials, +- * this is a universal class of hash functions, meaning that the chance +- * of a collision is limited by the attacker's knowledge of the generator +- * polynomail, so if it is chosen at random, an attacker can never force +- * a collision. Here, we use a fixed polynomial, but we *can* assume that +- * ###--> it is unknown to the processes generating the input entropy. <-### +- * Because of this important property, this is a good, collision-resistant +- * hash; hash collisions will occur no more often than chance. +- */ +- + /* + * Static global variables + */ +@@ -396,21 +416,6 @@ static DECLARE_WAIT_QUEUE_HEAD(random_read_wait); + static DECLARE_WAIT_QUEUE_HEAD(random_write_wait); + static struct fasync_struct *fasync; + +-#if 0 +-static int debug; +-module_param(debug, bool, 0644); +-#define DEBUG_ENT(fmt, arg...) do { \ +- if (debug) \ +- printk(KERN_DEBUG "random %04d %04d %04d: " \ +- fmt,\ +- input_pool.entropy_count,\ +- blocking_pool.entropy_count,\ +- nonblocking_pool.entropy_count,\ +- ## arg); } while (0) +-#else +-#define DEBUG_ENT(fmt, arg...) do {} while (0) +-#endif +- + /********************************************************************** + * + * OS independent entropy store. Here are the functions which handle +@@ -421,22 +426,26 @@ module_param(debug, bool, 0644); + struct entropy_store; + struct entropy_store { + /* read-only data: */ +- struct poolinfo *poolinfo; ++ const struct poolinfo *poolinfo; + __u32 *pool; + const char *name; + struct entropy_store *pull; +- int limit; ++ struct work_struct push_work; + + /* read-write data: */ ++ unsigned long last_pulled; + spinlock_t lock; +- unsigned add_ptr; +- unsigned input_rotate; ++ unsigned short add_ptr; ++ unsigned short input_rotate; int entropy_count; int entropy_total; unsigned int initialized:1; -+ bool last_data_init; ++ unsigned int limit:1; ++ unsigned int last_data_init:1; __u8 last_data[EXTRACT_SIZE]; }; -@@ -524,8 +537,8 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in, - input_rotate += i ? 7 : 14; ++static void push_to_pool(struct work_struct *work); + static __u32 input_pool_data[INPUT_POOL_WORDS]; + static __u32 blocking_pool_data[OUTPUT_POOL_WORDS]; + static __u32 nonblocking_pool_data[OUTPUT_POOL_WORDS]; +@@ -445,7 +454,7 @@ static struct entropy_store input_pool = { + .poolinfo = &poolinfo_table[0], + .name = "input", + .limit = 1, +- .lock = __SPIN_LOCK_UNLOCKED(&input_pool.lock), ++ .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock), + .pool = input_pool_data + }; + +@@ -454,16 +463,20 @@ static struct entropy_store blocking_pool = { + .name = "blocking", + .limit = 1, + .pull = &input_pool, +- .lock = __SPIN_LOCK_UNLOCKED(&blocking_pool.lock), +- .pool = blocking_pool_data ++ .lock = __SPIN_LOCK_UNLOCKED(blocking_pool.lock), ++ .pool = blocking_pool_data, ++ .push_work = __WORK_INITIALIZER(blocking_pool.push_work, ++ push_to_pool), + }; + + static struct entropy_store nonblocking_pool = { + .poolinfo = &poolinfo_table[1], + .name = "nonblocking", + .pull = &input_pool, +- .lock = __SPIN_LOCK_UNLOCKED(&nonblocking_pool.lock), +- .pool = nonblocking_pool_data ++ .lock = __SPIN_LOCK_UNLOCKED(nonblocking_pool.lock), ++ .pool = nonblocking_pool_data, ++ .push_work = __WORK_INITIALIZER(nonblocking_pool.push_work, ++ push_to_pool), + }; + + static __u32 const twist_table[8] = { +@@ -480,8 +493,8 @@ static __u32 const twist_table[8] = { + * it's cheap to do so and helps slightly in the expected case where + * the entropy is concentrated in the low-order bits. + */ +-static void __mix_pool_bytes(struct entropy_store *r, const void *in, +- int nbytes, __u8 out[64]) ++static void _mix_pool_bytes(struct entropy_store *r, const void *in, ++ int nbytes, __u8 out[64]) + { + unsigned long i, j, tap1, tap2, tap3, tap4, tap5; + int input_rotate; +@@ -501,7 +514,7 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in, + + /* mix one byte at a time to simplify size handling and churn faster */ + while (nbytes--) { +- w = rol32(*bytes++, input_rotate & 31); ++ w = rol32(*bytes++, input_rotate); + i = (i - 1) & wordmask; + + /* XOR in the various taps */ +@@ -521,11 +534,11 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in, + * rotation, so that successive passes spread the + * input bits across the pool evenly. + */ +- input_rotate += i ? 7 : 14; ++ input_rotate = (input_rotate + (i ? 7 : 14)) & 31; } - ACCESS_ONCE(r->input_rotate) = input_rotate; @@ -33767,51 +34102,608 @@ index c244f0e..255f226 100644 smp_wmb(); if (out) -@@ -877,6 +890,7 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min, - int reserved) +@@ -533,13 +546,21 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in, + ((__u32 *)out)[j] = r->pool[(i - j) & wordmask]; + } + ++static void __mix_pool_bytes(struct entropy_store *r, const void *in, ++ int nbytes, __u8 out[64]) ++{ ++ trace_mix_pool_bytes_nolock(r->name, nbytes, _RET_IP_); ++ _mix_pool_bytes(r, in, nbytes, out); ++} ++ + static void mix_pool_bytes(struct entropy_store *r, const void *in, +- int nbytes, __u8 out[64]) ++ int nbytes, __u8 out[64]) { unsigned long flags; -+ int wakeup_write = 0; - /* Hold lock while accounting */ ++ trace_mix_pool_bytes(r->name, nbytes, _RET_IP_); spin_lock_irqsave(&r->lock, flags); -@@ -906,10 +920,8 @@ retry: - goto retry; - } +- __mix_pool_bytes(r, in, nbytes, out); ++ _mix_pool_bytes(r, in, nbytes, out); + spin_unlock_irqrestore(&r->lock, flags); + } + +@@ -556,58 +577,151 @@ struct fast_pool { + * collector. It's hardcoded for an 128 bit pool and assumes that any + * locks that might be needed are taken by the caller. + */ +-static void fast_mix(struct fast_pool *f, const void *in, int nbytes) ++static void fast_mix(struct fast_pool *f, __u32 input[4]) + { +- const char *bytes = in; + __u32 w; +- unsigned i = f->count; + unsigned input_rotate = f->rotate; + +- while (nbytes--) { +- w = rol32(*bytes++, input_rotate & 31) ^ f->pool[i & 3] ^ +- f->pool[(i + 1) & 3]; +- f->pool[i & 3] = (w >> 3) ^ twist_table[w & 7]; +- input_rotate += (i++ & 3) ? 7 : 14; +- } +- f->count = i; ++ w = rol32(input[0], input_rotate) ^ f->pool[0] ^ f->pool[3]; ++ f->pool[0] = (w >> 3) ^ twist_table[w & 7]; ++ input_rotate = (input_rotate + 14) & 31; ++ w = rol32(input[1], input_rotate) ^ f->pool[1] ^ f->pool[0]; ++ f->pool[1] = (w >> 3) ^ twist_table[w & 7]; ++ input_rotate = (input_rotate + 7) & 31; ++ w = rol32(input[2], input_rotate) ^ f->pool[2] ^ f->pool[1]; ++ f->pool[2] = (w >> 3) ^ twist_table[w & 7]; ++ input_rotate = (input_rotate + 7) & 31; ++ w = rol32(input[3], input_rotate) ^ f->pool[3] ^ f->pool[2]; ++ f->pool[3] = (w >> 3) ^ twist_table[w & 7]; ++ input_rotate = (input_rotate + 7) & 31; ++ + f->rotate = input_rotate; ++ f->count++; + } + + /* +- * Credit (or debit) the entropy store with n bits of entropy ++ * Credit (or debit) the entropy store with n bits of entropy. ++ * Use credit_entropy_bits_safe() if the value comes from userspace ++ * or otherwise should be checked for extreme values. + */ + static void credit_entropy_bits(struct entropy_store *r, int nbits) + { + int entropy_count, orig; ++ const int pool_size = r->poolinfo->poolfracbits; ++ int nfrac = nbits << ENTROPY_SHIFT; + + if (!nbits) + return; + +- DEBUG_ENT("added %d entropy credits to %s\n", nbits, r->name); + retry: + entropy_count = orig = ACCESS_ONCE(r->entropy_count); +- entropy_count += nbits; ++ if (nfrac < 0) { ++ /* Debit */ ++ entropy_count += nfrac; ++ } else { ++ /* ++ * Credit: we have to account for the possibility of ++ * overwriting already present entropy. Even in the ++ * ideal case of pure Shannon entropy, new contributions ++ * approach the full value asymptotically: ++ * ++ * entropy <- entropy + (pool_size - entropy) * ++ * (1 - exp(-add_entropy/pool_size)) ++ * ++ * For add_entropy <= pool_size/2 then ++ * (1 - exp(-add_entropy/pool_size)) >= ++ * (add_entropy/pool_size)*0.7869... ++ * so we can approximate the exponential with ++ * 3/4*add_entropy/pool_size and still be on the ++ * safe side by adding at most pool_size/2 at a time. ++ * ++ * The use of pool_size-2 in the while statement is to ++ * prevent rounding artifacts from making the loop ++ * arbitrarily long; this limits the loop to log2(pool_size)*2 ++ * turns no matter how large nbits is. ++ */ ++ int pnfrac = nfrac; ++ const int s = r->poolinfo->poolbitshift + ENTROPY_SHIFT + 2; ++ /* The +2 corresponds to the /4 in the denominator */ ++ ++ do { ++ unsigned int anfrac = min(pnfrac, pool_size/2); ++ unsigned int add = ++ ((pool_size - entropy_count)*anfrac*3) >> s; ++ ++ entropy_count += add; ++ pnfrac -= anfrac; ++ } while (unlikely(entropy_count < pool_size-2 && pnfrac)); ++ } ++ + if (entropy_count < 0) { +- DEBUG_ENT("negative entropy/overflow\n"); ++ pr_warn("random: negative entropy/overflow: pool %s count %d\n", ++ r->name, entropy_count); ++ WARN_ON(1); + entropy_count = 0; +- } else if (entropy_count > r->poolinfo->POOLBITS) +- entropy_count = r->poolinfo->POOLBITS; ++ } else if (entropy_count > pool_size) ++ entropy_count = pool_size; + if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) + goto retry; + +- if (!r->initialized && nbits > 0) { +- r->entropy_total += nbits; +- if (r->entropy_total > 128) +- r->initialized = 1; ++ r->entropy_total += nbits; ++ if (!r->initialized && r->entropy_total > 128) { ++ r->initialized = 1; ++ r->entropy_total = 0; ++ if (r == &nonblocking_pool) { ++ prandom_reseed_late(); ++ pr_notice("random: %s pool is initialized\n", r->name); ++ } + } + +- /* should we wake readers? */ +- if (r == &input_pool && entropy_count >= random_read_wakeup_thresh) { +- wake_up_interruptible(&random_read_wait); +- kill_fasync(&fasync, SIGIO, POLL_IN); ++ trace_credit_entropy_bits(r->name, nbits, ++ entropy_count >> ENTROPY_SHIFT, ++ r->entropy_total, _RET_IP_); ++ ++ if (r == &input_pool) { ++ int entropy_bits = entropy_count >> ENTROPY_SHIFT; ++ ++ /* should we wake readers? */ ++ if (entropy_bits >= random_read_wakeup_bits) { ++ wake_up_interruptible(&random_read_wait); ++ kill_fasync(&fasync, SIGIO, POLL_IN); ++ } ++ /* If the input pool is getting full, send some ++ * entropy to the two output pools, flipping back and ++ * forth between them, until the output pools are 75% ++ * full. ++ */ ++ if (entropy_bits > random_write_wakeup_bits && ++ r->initialized && ++ r->entropy_total >= 2*random_read_wakeup_bits) { ++ static struct entropy_store *last = &blocking_pool; ++ struct entropy_store *other = &blocking_pool; ++ ++ if (last == &blocking_pool) ++ other = &nonblocking_pool; ++ if (other->entropy_count <= ++ 3 * other->poolinfo->poolfracbits / 4) ++ last = other; ++ if (last->entropy_count <= ++ 3 * last->poolinfo->poolfracbits / 4) { ++ schedule_work(&last->push_work); ++ r->entropy_total = 0; ++ } ++ } + } + } + ++static void credit_entropy_bits_safe(struct entropy_store *r, int nbits) ++{ ++ const int nbits_max = (int)(~0U >> (ENTROPY_SHIFT + 1)); ++ ++ /* Cap the value to avoid overflows */ ++ nbits = min(nbits, nbits_max); ++ nbits = max(nbits, -nbits_max); ++ ++ credit_entropy_bits(r, nbits); ++} ++ + /********************************************************************* + * + * Entropy input management +@@ -621,42 +735,7 @@ struct timer_rand_state { + unsigned dont_count_entropy:1; + }; + +-#ifndef CONFIG_GENERIC_HARDIRQS +- +-static struct timer_rand_state *irq_timer_state[NR_IRQS]; +- +-static struct timer_rand_state *get_timer_rand_state(unsigned int irq) +-{ +- return irq_timer_state[irq]; +-} +- +-static void set_timer_rand_state(unsigned int irq, +- struct timer_rand_state *state) +-{ +- irq_timer_state[irq] = state; +-} +- +-#else +- +-static struct timer_rand_state *get_timer_rand_state(unsigned int irq) +-{ +- struct irq_desc *desc; +- +- desc = irq_to_desc(irq); +- +- return desc->timer_rand_state; +-} +- +-static void set_timer_rand_state(unsigned int irq, +- struct timer_rand_state *state) +-{ +- struct irq_desc *desc; +- +- desc = irq_to_desc(irq); +- +- desc->timer_rand_state = state; +-} +-#endif ++#define INIT_TIMER_RAND_STATE { INITIAL_JIFFIES, }; + + /* + * Add device- or boot-specific data to the input and nonblocking +@@ -669,15 +748,22 @@ static void set_timer_rand_state(unsigned int irq, + void add_device_randomness(const void *buf, unsigned int size) + { + unsigned long time = random_get_entropy() ^ jiffies; ++ unsigned long flags; + +- mix_pool_bytes(&input_pool, buf, size, NULL); +- mix_pool_bytes(&input_pool, &time, sizeof(time), NULL); +- mix_pool_bytes(&nonblocking_pool, buf, size, NULL); +- mix_pool_bytes(&nonblocking_pool, &time, sizeof(time), NULL); ++ trace_add_device_randomness(size, _RET_IP_); ++ spin_lock_irqsave(&input_pool.lock, flags); ++ _mix_pool_bytes(&input_pool, buf, size, NULL); ++ _mix_pool_bytes(&input_pool, &time, sizeof(time), NULL); ++ spin_unlock_irqrestore(&input_pool.lock, flags); ++ ++ spin_lock_irqsave(&nonblocking_pool.lock, flags); ++ _mix_pool_bytes(&nonblocking_pool, buf, size, NULL); ++ _mix_pool_bytes(&nonblocking_pool, &time, sizeof(time), NULL); ++ spin_unlock_irqrestore(&nonblocking_pool.lock, flags); + } + EXPORT_SYMBOL(add_device_randomness); + +-static struct timer_rand_state input_timer_state; ++static struct timer_rand_state input_timer_state = INIT_TIMER_RAND_STATE; + + /* + * This function adds entropy to the entropy "pool" by using timing +@@ -691,6 +777,7 @@ static struct timer_rand_state input_timer_state; + */ + static void add_timer_randomness(struct timer_rand_state *state, unsigned num) + { ++ struct entropy_store *r; + struct { + long jiffies; + unsigned cycles; +@@ -699,15 +786,12 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num) + long delta, delta2, delta3; + + preempt_disable(); +- /* if over the trickle threshold, use only 1 in 4096 samples */ +- if (input_pool.entropy_count > trickle_thresh && +- ((__this_cpu_inc_return(trickle_count) - 1) & 0xfff)) +- goto out; + + sample.jiffies = jiffies; + sample.cycles = random_get_entropy(); + sample.num = num; +- mix_pool_bytes(&input_pool, &sample, sizeof(sample), NULL); ++ r = nonblocking_pool.initialized ? &input_pool : &nonblocking_pool; ++ mix_pool_bytes(r, &sample, sizeof(sample), NULL); + + /* + * Calculate number of bits of randomness we probably added. +@@ -741,10 +825,8 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num) + * Round down by 1 bit on general principles, + * and limit entropy entimate to 12 bits. + */ +- credit_entropy_bits(&input_pool, +- min_t(int, fls(delta>>1), 11)); ++ credit_entropy_bits(r, min_t(int, fls(delta>>1), 11)); + } +-out: + preempt_enable(); + } + +@@ -757,10 +839,10 @@ void add_input_randomness(unsigned int type, unsigned int code, + if (value == last_value) + return; + +- DEBUG_ENT("input event\n"); + last_value = value; + add_timer_randomness(&input_timer_state, + (type << 4) ^ code ^ (code >> 4) ^ value); ++ trace_add_input_randomness(ENTROPY_BITS(&input_pool)); + } + EXPORT_SYMBOL_GPL(add_input_randomness); + +@@ -772,20 +854,21 @@ void add_interrupt_randomness(int irq, int irq_flags) + struct fast_pool *fast_pool = &__get_cpu_var(irq_randomness); + struct pt_regs *regs = get_irq_regs(); + unsigned long now = jiffies; +- __u32 input[4], cycles = random_get_entropy(); ++ cycles_t cycles = random_get_entropy(); ++ __u32 input[4], c_high, j_high; ++ __u64 ip; + +- input[0] = cycles ^ jiffies; +- input[1] = irq; +- if (regs) { +- __u64 ip = instruction_pointer(regs); +- input[2] = ip; +- input[3] = ip >> 32; +- } ++ c_high = (sizeof(cycles) > 4) ? cycles >> 32 : 0; ++ j_high = (sizeof(now) > 4) ? now >> 32 : 0; ++ input[0] = cycles ^ j_high ^ irq; ++ input[1] = now ^ c_high; ++ ip = regs ? instruction_pointer(regs) : _RET_IP_; ++ input[2] = ip; ++ input[3] = ip >> 32; + +- fast_mix(fast_pool, input, sizeof(input)); ++ fast_mix(fast_pool, input); + +- if ((fast_pool->count & 1023) && +- !time_after(now, fast_pool->last + HZ)) ++ if ((fast_pool->count & 63) && !time_after(now, fast_pool->last + HZ)) + return; + + fast_pool->last = now; +@@ -814,10 +897,8 @@ void add_disk_randomness(struct gendisk *disk) + if (!disk || !disk->random) + return; + /* first major is 1, so we get >= 0x200 here */ +- DEBUG_ENT("disk event %d:%d\n", +- MAJOR(disk_devt(disk)), MINOR(disk_devt(disk))); +- + add_timer_randomness(disk->random, 0x100 + disk_devt(disk)); ++ trace_add_disk_randomness(disk_devt(disk), ENTROPY_BITS(&input_pool)); + } + #endif + +@@ -835,97 +916,110 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, + * from the primary pool to the secondary extraction pool. We make + * sure we pull enough for a 'catastrophic reseed'. + */ ++static void _xfer_secondary_pool(struct entropy_store *r, size_t nbytes); + static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes) + { ++ if (r->limit == 0 && random_min_urandom_seed) { ++ unsigned long now = jiffies; ++ ++ if (time_before(now, ++ r->last_pulled + random_min_urandom_seed * HZ)) ++ return; ++ r->last_pulled = now; ++ } ++ if (r->pull && ++ r->entropy_count < (nbytes << (ENTROPY_SHIFT + 3)) && ++ r->entropy_count < r->poolinfo->poolfracbits) ++ _xfer_secondary_pool(r, nbytes); ++} ++ ++static void _xfer_secondary_pool(struct entropy_store *r, size_t nbytes) ++{ + __u32 tmp[OUTPUT_POOL_WORDS]; + +- if (r->pull && r->entropy_count < nbytes * 8 && +- r->entropy_count < r->poolinfo->POOLBITS) { +- /* If we're limited, always leave two wakeup worth's BITS */ +- int rsvd = r->limit ? 0 : random_read_wakeup_thresh/4; +- int bytes = nbytes; ++ /* For /dev/random's pool, always leave two wakeups' worth */ ++ int rsvd_bytes = r->limit ? 0 : random_read_wakeup_bits / 4; ++ int bytes = nbytes; + +- /* pull at least as many as BYTES as wakeup BITS */ +- bytes = max_t(int, bytes, random_read_wakeup_thresh / 8); +- /* but never more than the buffer size */ +- bytes = min_t(int, bytes, sizeof(tmp)); ++ /* pull at least as much as a wakeup */ ++ bytes = max_t(int, bytes, random_read_wakeup_bits / 8); ++ /* but never more than the buffer size */ ++ bytes = min_t(int, bytes, sizeof(tmp)); + +- DEBUG_ENT("going to reseed %s with %d bits " +- "(%d of %d requested)\n", +- r->name, bytes * 8, nbytes * 8, r->entropy_count); +- +- bytes = extract_entropy(r->pull, tmp, bytes, +- random_read_wakeup_thresh / 8, rsvd); +- mix_pool_bytes(r, tmp, bytes, NULL); +- credit_entropy_bits(r, bytes*8); +- } ++ trace_xfer_secondary_pool(r->name, bytes * 8, nbytes * 8, ++ ENTROPY_BITS(r), ENTROPY_BITS(r->pull)); ++ bytes = extract_entropy(r->pull, tmp, bytes, ++ random_read_wakeup_bits / 8, rsvd_bytes); ++ mix_pool_bytes(r, tmp, bytes, NULL); ++ credit_entropy_bits(r, bytes*8); + } + + /* +- * These functions extracts randomness from the "entropy pool", and +- * returns it in a buffer. +- * +- * The min parameter specifies the minimum amount we can pull before +- * failing to avoid races that defeat catastrophic reseeding while the +- * reserved parameter indicates how much entropy we must leave in the +- * pool after each pull to avoid starving other readers. +- * +- * Note: extract_entropy() assumes that .poolwords is a multiple of 16 words. ++ * Used as a workqueue function so that when the input pool is getting ++ * full, we can "spill over" some entropy to the output pools. That ++ * way the output pools can store some of the excess entropy instead ++ * of letting it go to waste. + */ ++static void push_to_pool(struct work_struct *work) ++{ ++ struct entropy_store *r = container_of(work, struct entropy_store, ++ push_work); ++ BUG_ON(!r); ++ _xfer_secondary_pool(r, random_read_wakeup_bits/8); ++ trace_push_to_pool(r->name, r->entropy_count >> ENTROPY_SHIFT, ++ r->pull->entropy_count >> ENTROPY_SHIFT); ++} ++/* ++ * This function decides how many bytes to actually take from the ++ * given pool, and also debits the entropy count accordingly. ++ */ + static size_t account(struct entropy_store *r, size_t nbytes, int min, + int reserved) + { +- unsigned long flags; ++ int have_bytes; ++ int entropy_count, orig; ++ size_t ibytes; + +- /* Hold lock while accounting */ +- spin_lock_irqsave(&r->lock, flags); +- +- BUG_ON(r->entropy_count > r->poolinfo->POOLBITS); +- DEBUG_ENT("trying to extract %d bits from %s\n", +- nbytes * 8, r->name); ++ BUG_ON(r->entropy_count > r->poolinfo->poolfracbits); + + /* Can we pull enough? */ +- if (r->entropy_count / 8 < min + reserved) { +- nbytes = 0; +- } else { +- int entropy_count, orig; + retry: +- entropy_count = orig = ACCESS_ONCE(r->entropy_count); +- /* If limited, never pull more than available */ +- if (r->limit && nbytes + reserved >= entropy_count / 8) +- nbytes = entropy_count/8 - reserved; ++ entropy_count = orig = ACCESS_ONCE(r->entropy_count); ++ have_bytes = entropy_count >> (ENTROPY_SHIFT + 3); ++ ibytes = nbytes; ++ /* If limited, never pull more than available */ ++ if (r->limit) ++ ibytes = min_t(size_t, ibytes, have_bytes - reserved); ++ if (ibytes < min) ++ ibytes = 0; ++ entropy_count = max_t(int, 0, ++ entropy_count - (ibytes << (ENTROPY_SHIFT + 3))); ++ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) ++ goto retry; + +- if (entropy_count / 8 >= nbytes + reserved) { +- entropy_count -= nbytes*8; +- if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) +- goto retry; +- } else { +- entropy_count = reserved; +- if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) +- goto retry; +- } +- - if (entropy_count < random_write_wakeup_thresh) { - wake_up_interruptible(&random_write_wait); - kill_fasync(&fasync, SIGIO, POLL_OUT); - } -+ if (entropy_count < random_write_wakeup_thresh) -+ wakeup_write = 1; ++ trace_debit_entropy(r->name, 8 * ibytes); ++ if (ibytes && ++ (r->entropy_count >> ENTROPY_SHIFT) < random_write_wakeup_bits) { ++ wake_up_interruptible(&random_write_wait); ++ kill_fasync(&fasync, SIGIO, POLL_OUT); } - DEBUG_ENT("debiting %d entropy credits from %s%s\n", -@@ -917,6 +929,11 @@ retry: +- DEBUG_ENT("debiting %d entropy credits from %s%s\n", +- nbytes * 8, r->name, r->limit ? "" : " (unlimited)"); +- +- spin_unlock_irqrestore(&r->lock, flags); +- +- return nbytes; ++ return ibytes; + } - spin_unlock_irqrestore(&r->lock, flags); ++/* ++ * This function does the actual extraction for extract_entropy and ++ * extract_entropy_user. ++ * ++ * Note: we assume that .poolwords is a multiple of 16 words. ++ */ + static void extract_buf(struct entropy_store *r, __u8 *out) + { + int i; + union { + __u32 w[5]; +- unsigned long l[LONGS(EXTRACT_SIZE)]; ++ unsigned long l[LONGS(20)]; + } hash; + __u32 workspace[SHA_WORKSPACE_WORDS]; + __u8 extract[64]; +@@ -938,6 +1032,17 @@ static void extract_buf(struct entropy_store *r, __u8 *out) + sha_transform(hash.w, (__u8 *)(r->pool + i), workspace); -+ if (wakeup_write) { -+ wake_up_interruptible(&random_write_wait); -+ kill_fasync(&fasync, SIGIO, POLL_OUT); + /* ++ * If we have an architectural hardware random number ++ * generator, mix that in, too. ++ */ ++ for (i = 0; i < LONGS(20); i++) { ++ unsigned long v; ++ if (!arch_get_random_long(&v)) ++ break; ++ hash.l[i] ^= v; + } + - return nbytes; ++ /* + * We mix the hash back into the pool to prevent backtracking + * attacks (where the attacker knows the state of the pool + * plus the current outputs, and attempts to find previous +@@ -966,27 +1071,43 @@ static void extract_buf(struct entropy_store *r, __u8 *out) + hash.w[1] ^= hash.w[4]; + hash.w[2] ^= rol32(hash.w[2], 16); + +- /* +- * If we have a architectural hardware random number +- * generator, mix that in, too. +- */ +- for (i = 0; i < LONGS(EXTRACT_SIZE); i++) { +- unsigned long v; +- if (!arch_get_random_long(&v)) +- break; +- hash.l[i] ^= v; +- } +- + memcpy(out, &hash, EXTRACT_SIZE); + memset(&hash, 0, sizeof(hash)); } -@@ -986,6 +1003,21 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, ++/* ++ * This function extracts randomness from the "entropy pool", and ++ * returns it in a buffer. ++ * ++ * The min parameter specifies the minimum amount we can pull before ++ * failing to avoid races that defeat catastrophic reseeding while the ++ * reserved parameter indicates how much entropy we must leave in the ++ * pool after each pull to avoid starving other readers. ++ */ + static ssize_t extract_entropy(struct entropy_store *r, void *buf, + size_t nbytes, int min, int reserved) { ssize_t ret = 0, i; __u8 tmp[EXTRACT_SIZE]; + unsigned long flags; -+ + + /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */ + if (fips_enabled) { + spin_lock_irqsave(&r->lock, flags); + if (!r->last_data_init) { -+ r->last_data_init = true; ++ r->last_data_init = 1; + spin_unlock_irqrestore(&r->lock, flags); ++ trace_extract_entropy(r->name, EXTRACT_SIZE, ++ ENTROPY_BITS(r), _RET_IP_); + xfer_secondary_pool(r, EXTRACT_SIZE); + extract_buf(r, tmp); + spin_lock_irqsave(&r->lock, flags); @@ -33819,10 +34711,12 @@ index c244f0e..255f226 100644 + } + spin_unlock_irqrestore(&r->lock, flags); + } - ++ ++ trace_extract_entropy(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_); xfer_secondary_pool(r, nbytes); nbytes = account(r, nbytes, min, reserved); -@@ -994,8 +1026,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, + +@@ -994,8 +1115,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, extract_buf(r, tmp); if (fips_enabled) { @@ -33831,7 +34725,25 @@ index c244f0e..255f226 100644 spin_lock_irqsave(&r->lock, flags); if (!memcmp(tmp, r->last_data, EXTRACT_SIZE)) panic("Hardware RNG duplicated output!\n"); -@@ -1036,7 +1066,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, +@@ -1015,12 +1134,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, + return ret; + } + ++/* ++ * This function extracts randomness from the "entropy pool", and ++ * returns it in a userspace buffer. ++ */ + static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, + size_t nbytes) + { + ssize_t ret = 0, i; + __u8 tmp[EXTRACT_SIZE]; + ++ trace_extract_entropy_user(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_); + xfer_secondary_pool(r, nbytes); + nbytes = account(r, nbytes, 0, 0); + +@@ -1036,7 +1160,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, extract_buf(r, tmp); i = min_t(int, nbytes, EXTRACT_SIZE); @@ -33840,15 +34752,241 @@ index c244f0e..255f226 100644 ret = -EFAULT; break; } -@@ -1113,6 +1143,7 @@ static void init_std_data(struct entropy_store *r) - - r->entropy_count = 0; - r->entropy_total = 0; -+ r->last_data_init = false; +@@ -1055,11 +1179,18 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, + /* + * This function is the exported kernel interface. It returns some + * number of good random numbers, suitable for key generation, seeding +- * TCP sequence numbers, etc. It does not use the hw random number +- * generator, if available; use get_random_bytes_arch() for that. ++ * TCP sequence numbers, etc. It does not rely on the hardware random ++ * number generator. For random bytes direct from the hardware RNG ++ * (when available), use get_random_bytes_arch(). + */ + void get_random_bytes(void *buf, int nbytes) + { ++ if (unlikely(nonblocking_pool.initialized == 0)) ++ printk(KERN_NOTICE "random: %pF get_random_bytes called " ++ "with %d bits of entropy available\n", ++ (void *) _RET_IP_, ++ nonblocking_pool.entropy_total); ++ trace_get_random_bytes(nbytes, _RET_IP_); + extract_entropy(&nonblocking_pool, buf, nbytes, 0, 0); + } + EXPORT_SYMBOL(get_random_bytes); +@@ -1078,6 +1209,7 @@ void get_random_bytes_arch(void *buf, int nbytes) + { + char *p = buf; + ++ trace_get_random_bytes_arch(nbytes, _RET_IP_); + while (nbytes) { + unsigned long v; + int chunk = min(nbytes, (int)sizeof(unsigned long)); +@@ -1111,12 +1243,11 @@ static void init_std_data(struct entropy_store *r) + ktime_t now = ktime_get_real(); + unsigned long rv; + +- r->entropy_count = 0; +- r->entropy_total = 0; ++ r->last_pulled = jiffies; mix_pool_bytes(r, &now, sizeof(now), NULL); - for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof(rv)) { +- for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof(rv)) { ++ for (i = r->poolinfo->poolbytes; i > 0; i -= sizeof(rv)) { if (!arch_get_random_long(&rv)) -@@ -1387,7 +1418,7 @@ EXPORT_SYMBOL(generate_random_uuid); +- break; ++ rv = random_get_entropy(); + mix_pool_bytes(r, &rv, sizeof(rv), NULL); + } + mix_pool_bytes(r, utsname(), sizeof(*(utsname())), NULL); +@@ -1139,25 +1270,7 @@ static int rand_initialize(void) + init_std_data(&nonblocking_pool); + return 0; + } +-module_init(rand_initialize); +- +-void rand_initialize_irq(int irq) +-{ +- struct timer_rand_state *state; +- +- state = get_timer_rand_state(irq); +- +- if (state) +- return; +- +- /* +- * If kzalloc returns null, we just won't use that entropy +- * source. +- */ +- state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL); +- if (state) +- set_timer_rand_state(irq, state); +-} ++early_initcall(rand_initialize); + + #ifdef CONFIG_BLOCK + void rand_initialize_disk(struct gendisk *disk) +@@ -1169,71 +1282,59 @@ void rand_initialize_disk(struct gendisk *disk) + * source. + */ + state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL); +- if (state) ++ if (state) { ++ state->last_time = INITIAL_JIFFIES; + disk->random = state; ++ } + } + #endif + + static ssize_t + random_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos) + { +- ssize_t n, retval = 0, count = 0; ++ ssize_t n; + + if (nbytes == 0) + return 0; + +- while (nbytes > 0) { +- n = nbytes; +- if (n > SEC_XFER_SIZE) +- n = SEC_XFER_SIZE; +- +- DEBUG_ENT("reading %d bits\n", n*8); +- +- n = extract_entropy_user(&blocking_pool, buf, n); +- +- DEBUG_ENT("read got %d bits (%d still needed)\n", +- n*8, (nbytes-n)*8); +- +- if (n == 0) { +- if (file->f_flags & O_NONBLOCK) { +- retval = -EAGAIN; +- break; +- } +- +- DEBUG_ENT("sleeping?\n"); +- +- wait_event_interruptible(random_read_wait, +- input_pool.entropy_count >= +- random_read_wakeup_thresh); +- +- DEBUG_ENT("awake\n"); +- +- if (signal_pending(current)) { +- retval = -ERESTARTSYS; +- break; +- } +- +- continue; +- } +- +- if (n < 0) { +- retval = n; +- break; +- } +- count += n; +- buf += n; +- nbytes -= n; +- break; /* This break makes the device work */ +- /* like a named pipe */ ++ nbytes = min_t(size_t, nbytes, SEC_XFER_SIZE); ++ while (1) { ++ n = extract_entropy_user(&blocking_pool, buf, nbytes); ++ if (n < 0) ++ return n; ++ trace_random_read(n*8, (nbytes-n)*8, ++ ENTROPY_BITS(&blocking_pool), ++ ENTROPY_BITS(&input_pool)); ++ if (n > 0) ++ return n; ++ /* Pool is (near) empty. Maybe wait and retry. */ ++ ++ if (file->f_flags & O_NONBLOCK) ++ return -EAGAIN; ++ ++ wait_event_interruptible(random_read_wait, ++ ENTROPY_BITS(&input_pool) >= ++ random_read_wakeup_bits); ++ if (signal_pending(current)) ++ return -ERESTARTSYS; + } +- +- return (count ? count : retval); + } + + static ssize_t + urandom_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos) + { +- return extract_entropy_user(&nonblocking_pool, buf, nbytes); ++ int ret; ++ ++ if (unlikely(nonblocking_pool.initialized == 0)) ++ printk_once(KERN_NOTICE "random: %s urandom read " ++ "with %d bits of entropy available\n", ++ current->comm, nonblocking_pool.entropy_total); ++ ++ ret = extract_entropy_user(&nonblocking_pool, buf, nbytes); ++ ++ trace_urandom_read(8 * nbytes, ENTROPY_BITS(&nonblocking_pool), ++ ENTROPY_BITS(&input_pool)); ++ return ret; + } + + static unsigned int +@@ -1244,9 +1345,9 @@ random_poll(struct file *file, poll_table * wait) + poll_wait(file, &random_read_wait, wait); + poll_wait(file, &random_write_wait, wait); + mask = 0; +- if (input_pool.entropy_count >= random_read_wakeup_thresh) ++ if (ENTROPY_BITS(&input_pool) >= random_read_wakeup_bits) + mask |= POLLIN | POLLRDNORM; +- if (input_pool.entropy_count < random_write_wakeup_thresh) ++ if (ENTROPY_BITS(&input_pool) < random_write_wakeup_bits) + mask |= POLLOUT | POLLWRNORM; + return mask; + } +@@ -1297,7 +1398,8 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) + switch (cmd) { + case RNDGETENTCNT: + /* inherently racy, no point locking */ +- if (put_user(input_pool.entropy_count, p)) ++ ent_count = ENTROPY_BITS(&input_pool); ++ if (put_user(ent_count, p)) + return -EFAULT; + return 0; + case RNDADDTOENTCNT: +@@ -1305,7 +1407,7 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) + return -EPERM; + if (get_user(ent_count, p)) + return -EFAULT; +- credit_entropy_bits(&input_pool, ent_count); ++ credit_entropy_bits_safe(&input_pool, ent_count); + return 0; + case RNDADDENTROPY: + if (!capable(CAP_SYS_ADMIN)) +@@ -1320,14 +1422,19 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) + size); + if (retval < 0) + return retval; +- credit_entropy_bits(&input_pool, ent_count); ++ credit_entropy_bits_safe(&input_pool, ent_count); + return 0; + case RNDZAPENTCNT: + case RNDCLEARPOOL: +- /* Clear the entropy pool counters. */ ++ /* ++ * Clear the entropy pool counters. We no longer clear ++ * the entropy pool, as that's silly. ++ */ + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; +- rand_initialize(); ++ input_pool.entropy_count = 0; ++ nonblocking_pool.entropy_count = 0; ++ blocking_pool.entropy_count = 0; + return 0; + default: + return -EINVAL; +@@ -1387,23 +1494,23 @@ EXPORT_SYMBOL(generate_random_uuid); #include <linux/sysctl.h> static int min_read_thresh = 8, min_write_thresh; @@ -33857,8 +34995,21 @@ index c244f0e..255f226 100644 static int max_write_thresh = INPUT_POOL_WORDS * 32; static char sysctl_bootid[16]; -@@ -1403,7 +1434,7 @@ static char sysctl_bootid[16]; - static int proc_do_uuid(ctl_table *table, int write, + /* +- * These functions is used to return both the bootid UUID, and random ++ * This function is used to return both the bootid UUID, and random + * UUID. The difference is in whether table->data is NULL; if it is, + * then a new UUID is generated and returned to the user. + * +- * If the user accesses this via the proc interface, it will be returned +- * as an ASCII string in the standard UUID format. If accesses via the +- * sysctl system call, it is returned as 16 bytes of binary data. ++ * If the user accesses this via the proc interface, the UUID will be ++ * returned as an ASCII string in the standard UUID format; if via the ++ * sysctl system call, as 16 bytes of binary data. + */ +-static int proc_do_uuid(ctl_table *table, int write, ++static int proc_do_uuid(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { - ctl_table fake_table; @@ -33866,6 +35017,89 @@ index c244f0e..255f226 100644 unsigned char buf[64], tmp_uuid[16], *uuid; uuid = table->data; +@@ -1427,8 +1534,26 @@ static int proc_do_uuid(ctl_table *table, int write, + return proc_dostring(&fake_table, write, buffer, lenp, ppos); + } + ++/* ++ * Return entropy available scaled to integral bits ++ */ ++static int proc_do_entropy(ctl_table *table, int write, ++ void __user *buffer, size_t *lenp, loff_t *ppos) ++{ ++ ctl_table_no_const fake_table; ++ int entropy_count; ++ ++ entropy_count = *(int *)table->data >> ENTROPY_SHIFT; ++ ++ fake_table.data = &entropy_count; ++ fake_table.maxlen = sizeof(entropy_count); ++ ++ return proc_dointvec(&fake_table, write, buffer, lenp, ppos); ++} ++ + static int sysctl_poolsize = INPUT_POOL_WORDS * 32; +-ctl_table random_table[] = { ++extern struct ctl_table random_table[]; ++struct ctl_table random_table[] = { + { + .procname = "poolsize", + .data = &sysctl_poolsize, +@@ -1440,12 +1565,12 @@ ctl_table random_table[] = { + .procname = "entropy_avail", + .maxlen = sizeof(int), + .mode = 0444, +- .proc_handler = proc_dointvec, ++ .proc_handler = proc_do_entropy, + .data = &input_pool.entropy_count, + }, + { + .procname = "read_wakeup_threshold", +- .data = &random_read_wakeup_thresh, ++ .data = &random_read_wakeup_bits, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +@@ -1454,7 +1579,7 @@ ctl_table random_table[] = { + }, + { + .procname = "write_wakeup_threshold", +- .data = &random_write_wakeup_thresh, ++ .data = &random_write_wakeup_bits, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +@@ -1462,6 +1587,13 @@ ctl_table random_table[] = { + .extra2 = &max_write_thresh, + }, + { ++ .procname = "urandom_min_reseed_secs", ++ .data = &random_min_urandom_seed, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ }, ++ { + .procname = "boot_id", + .data = &sysctl_bootid, + .maxlen = 16, +@@ -1492,7 +1624,7 @@ int random_int_secret_init(void) + * value is not cryptographically secure but for several uses the cost of + * depleting entropy is too high + */ +-DEFINE_PER_CPU(__u32 [MD5_DIGEST_WORDS], get_random_int_hash); ++static DEFINE_PER_CPU(__u32 [MD5_DIGEST_WORDS], get_random_int_hash); + unsigned int get_random_int(void) + { + __u32 *hash; +@@ -1510,6 +1642,7 @@ unsigned int get_random_int(void) + + return ret; + } ++EXPORT_SYMBOL(get_random_int); + + /* + * randomize_range() returns a start address such that diff --git a/drivers/char/sonypi.c b/drivers/char/sonypi.c index 1ee8ce7..b778bef 100644 --- a/drivers/char/sonypi.c @@ -40112,6 +41346,20 @@ index a8c08f3..155fe3d 100644 INIT_LIST_HEAD(&c->context_list); #endif +diff --git a/drivers/mfd/ab3100-core.c b/drivers/mfd/ab3100-core.c +index 4eec7b7..f468a4e 100644 +--- a/drivers/mfd/ab3100-core.c ++++ b/drivers/mfd/ab3100-core.c +@@ -937,9 +937,6 @@ static int __devinit ab3100_probe(struct i2c_client *client, + + err = request_threaded_irq(client->irq, NULL, ab3100_irq_handler, + IRQF_ONESHOT, "ab3100-core", ab3100); +- /* This real unpredictable IRQ is of course sampled for entropy */ +- rand_initialize_irq(client->irq); +- + if (err) + goto exit_no_irq; + diff --git a/drivers/mfd/janz-cmodio.c b/drivers/mfd/janz-cmodio.c index 5c2a06a..8fa077c 100644 --- a/drivers/mfd/janz-cmodio.c @@ -43476,6 +44724,28 @@ index dee1a09..24adab6 100644 break; default: return -EINVAL; +diff --git a/drivers/scsi/fcoe/fcoe_ctlr.c b/drivers/scsi/fcoe/fcoe_ctlr.c +index e7522dc..f585e84 100644 +--- a/drivers/scsi/fcoe/fcoe_ctlr.c ++++ b/drivers/scsi/fcoe/fcoe_ctlr.c +@@ -2030,7 +2030,7 @@ static void fcoe_ctlr_vn_restart(struct fcoe_ctlr *fip) + */ + port_id = fip->port_id; + if (fip->probe_tries) +- port_id = prandom32(&fip->rnd_state) & 0xffff; ++ port_id = prandom_u32_state(&fip->rnd_state) & 0xffff; + else if (!port_id) + port_id = fip->lp->wwpn & 0xffff; + if (!port_id || port_id == 0xffff) +@@ -2055,7 +2055,7 @@ static void fcoe_ctlr_vn_restart(struct fcoe_ctlr *fip) + static void fcoe_ctlr_vn_start(struct fcoe_ctlr *fip) + { + fip->probe_tries = 0; +- prandom32_seed(&fip->rnd_state, fip->lp->wwpn); ++ prandom_seed_state(&fip->rnd_state, fip->lp->wwpn); + fcoe_ctlr_vn_restart(fip); + } + diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c index ee77a58..af9d518 100644 --- a/drivers/scsi/hosts.c @@ -65484,10 +66754,10 @@ index 0000000..25f54ef +}; diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c new file mode 100644 -index 0000000..b1f3247 +index 0000000..b4a4084 --- /dev/null +++ b/grsecurity/gracl_policy.c -@@ -0,0 +1,1776 @@ +@@ -0,0 +1,1781 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -65946,12 +67216,12 @@ index 0000000..b1f3247 + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(gr_real_root.dentry), gr_real_root.dentry->d_inode->i_ino); +#endif + -+ fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label)); ++ fakefs_obj_rw = kzalloc(sizeof(struct acl_object_label), GFP_KERNEL); + if (fakefs_obj_rw == NULL) + return 1; + fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE; + -+ fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label)); ++ fakefs_obj_rwx = kzalloc(sizeof(struct acl_object_label), GFP_KERNEL); + if (fakefs_obj_rwx == NULL) + return 1; + fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC; @@ -66029,6 +67299,11 @@ index 0000000..b1f3247 + } while_each_thread(task2, task); + read_unlock(&tasklist_lock); + ++ kfree(fakefs_obj_rw); ++ fakefs_obj_rw = NULL; ++ kfree(fakefs_obj_rwx); ++ fakefs_obj_rwx = NULL; ++ + /* release the reference to the real root dentry and vfsmount */ + path_put(&gr_real_root); + memset(&gr_real_root, 0, sizeof(gr_real_root)); @@ -74322,6 +75597,18 @@ index bff29c5..7437762 100644 /* * irq_chip specific flags +diff --git a/include/linux/irqdesc.h b/include/linux/irqdesc.h +index f1e2527..9a323d1 100644 +--- a/include/linux/irqdesc.h ++++ b/include/linux/irqdesc.h +@@ -39,7 +39,6 @@ struct module; + */ + struct irq_desc { + struct irq_data irq_data; +- struct timer_rand_state *timer_rand_state; + unsigned int __percpu *kstat_irqs; + irq_flow_handler_t handle_irq; + #ifdef CONFIG_IRQ_PREFLOW_FASTEOI diff --git a/include/linux/jiffies.h b/include/linux/jiffies.h index 265e2c3..cdd6f29 100644 --- a/include/linux/jiffies.h @@ -75713,12 +77000,23 @@ index 800f113..13b3715 100644 } diff --git a/include/linux/random.h b/include/linux/random.h -index 7e77cee..207b34e 100644 +index 7e77cee..c8a8a43 100644 --- a/include/linux/random.h +++ b/include/linux/random.h -@@ -51,9 +51,19 @@ struct rnd_state { - extern void rand_initialize_irq(int irq); +@@ -41,19 +41,27 @@ struct rand_pool_info { + }; + + struct rnd_state { +- __u32 s1, s2, s3; ++ __u32 s1, s2, s3, s4; + }; + + /* Exported functions */ + + #ifdef __KERNEL__ +-extern void rand_initialize_irq(int irq); +- extern void add_device_randomness(const void *, unsigned int); + +static inline void add_latent_entropy(void) @@ -75738,25 +77036,71 @@ index 7e77cee..207b34e 100644 extern void get_random_bytes(void *buf, int nbytes); extern void get_random_bytes_arch(void *buf, int nbytes); -@@ -72,12 +82,17 @@ void srandom32(u32 seed); - - u32 prandom32(struct rnd_state *); - +@@ -67,10 +75,25 @@ extern const struct file_operations random_fops, urandom_fops; + unsigned int get_random_int(void); + unsigned long randomize_range(unsigned long start, unsigned long end, unsigned long len); + +-u32 random32(void); +-void srandom32(u32 seed); ++u32 prandom_u32(void); ++void prandom_bytes(void *buf, int nbytes); ++void prandom_seed(u32 seed); ++void prandom_reseed_late(void); + +-u32 prandom32(struct rnd_state *); ++/* ++ * These macros are preserved for backward compatibility and should be ++ * removed as soon as a transition is finished. ++ */ ++#define random32() prandom_u32() ++#define srandom32(seed) prandom_seed(seed) ++ ++u32 prandom_u32_state(struct rnd_state *state); ++void prandom_bytes_state(struct rnd_state *state, void *buf, int nbytes); ++ +static inline unsigned long pax_get_random_long(void) +{ + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0); +} -+ + /* * Handle minimum values for seeds +@@ -81,17 +104,18 @@ static inline u32 __seed(u32 x, u32 m) + } + + /** +- * prandom32_seed - set seed for prandom32(). ++ * prandom_seed_state - set seed for prandom_u32_state(). + * @state: pointer to state structure to receive the seed. + * @seed: arbitrary 64-bit value to use as a seed. */ - static inline u32 __seed(u32 x, u32 m) +-static inline void prandom32_seed(struct rnd_state *state, u64 seed) ++static inline void prandom_seed_state(struct rnd_state *state, u64 seed) { -- return (x < m) ? x + m : x; -+ return (x <= m) ? x + m + 1 : x; + u32 i = (seed >> 32) ^ (seed << 10) ^ seed; + +- state->s1 = __seed(i, 1); +- state->s2 = __seed(i, 7); +- state->s3 = __seed(i, 15); ++ state->s1 = __seed(i, 2U); ++ state->s2 = __seed(i, 8U); ++ state->s3 = __seed(i, 16U); ++ state->s4 = __seed(i, 128U); } - /** + #ifdef CONFIG_ARCH_RANDOM +@@ -107,6 +131,11 @@ static inline int arch_get_random_int(unsigned int *v) + } + #endif + ++static inline u32 next_pseudo_random32(u32 seed) ++{ ++ return seed * 1664525 + 1013904223; ++} ++ + #endif /* __KERNEL___ */ + + #endif /* _LINUX_RANDOM_H */ diff --git a/include/linux/rculist.h b/include/linux/rculist.h index 3863352..4ec4bfb 100644 --- a/include/linux/rculist.h @@ -78403,6 +79747,327 @@ index 1c09820..7f5ec79 100644 TP_ARGS(irq, action, ret), +diff --git a/include/trace/events/random.h b/include/trace/events/random.h +new file mode 100644 +index 0000000..805af6d +--- /dev/null ++++ b/include/trace/events/random.h +@@ -0,0 +1,315 @@ ++#undef TRACE_SYSTEM ++#define TRACE_SYSTEM random ++ ++#if !defined(_TRACE_RANDOM_H) || defined(TRACE_HEADER_MULTI_READ) ++#define _TRACE_RANDOM_H ++ ++#include <linux/writeback.h> ++#include <linux/tracepoint.h> ++ ++TRACE_EVENT(add_device_randomness, ++ TP_PROTO(int bytes, unsigned long IP), ++ ++ TP_ARGS(bytes, IP), ++ ++ TP_STRUCT__entry( ++ __field( int, bytes ) ++ __field(unsigned long, IP ) ++ ), ++ ++ TP_fast_assign( ++ __entry->bytes = bytes; ++ __entry->IP = IP; ++ ), ++ ++ TP_printk("bytes %d caller %pF", ++ __entry->bytes, (void *)__entry->IP) ++); ++ ++DECLARE_EVENT_CLASS(random__mix_pool_bytes, ++ TP_PROTO(const char *pool_name, int bytes, unsigned long IP), ++ ++ TP_ARGS(pool_name, bytes, IP), ++ ++ TP_STRUCT__entry( ++ __field( const char *, pool_name ) ++ __field( int, bytes ) ++ __field(unsigned long, IP ) ++ ), ++ ++ TP_fast_assign( ++ __entry->pool_name = pool_name; ++ __entry->bytes = bytes; ++ __entry->IP = IP; ++ ), ++ ++ TP_printk("%s pool: bytes %d caller %pF", ++ __entry->pool_name, __entry->bytes, (void *)__entry->IP) ++); ++ ++DEFINE_EVENT(random__mix_pool_bytes, mix_pool_bytes, ++ TP_PROTO(const char *pool_name, int bytes, unsigned long IP), ++ ++ TP_ARGS(pool_name, bytes, IP) ++); ++ ++DEFINE_EVENT(random__mix_pool_bytes, mix_pool_bytes_nolock, ++ TP_PROTO(const char *pool_name, int bytes, unsigned long IP), ++ ++ TP_ARGS(pool_name, bytes, IP) ++); ++ ++TRACE_EVENT(credit_entropy_bits, ++ TP_PROTO(const char *pool_name, int bits, int entropy_count, ++ int entropy_total, unsigned long IP), ++ ++ TP_ARGS(pool_name, bits, entropy_count, entropy_total, IP), ++ ++ TP_STRUCT__entry( ++ __field( const char *, pool_name ) ++ __field( int, bits ) ++ __field( int, entropy_count ) ++ __field( int, entropy_total ) ++ __field(unsigned long, IP ) ++ ), ++ ++ TP_fast_assign( ++ __entry->pool_name = pool_name; ++ __entry->bits = bits; ++ __entry->entropy_count = entropy_count; ++ __entry->entropy_total = entropy_total; ++ __entry->IP = IP; ++ ), ++ ++ TP_printk("%s pool: bits %d entropy_count %d entropy_total %d " ++ "caller %pF", __entry->pool_name, __entry->bits, ++ __entry->entropy_count, __entry->entropy_total, ++ (void *)__entry->IP) ++); ++ ++TRACE_EVENT(push_to_pool, ++ TP_PROTO(const char *pool_name, int pool_bits, int input_bits), ++ ++ TP_ARGS(pool_name, pool_bits, input_bits), ++ ++ TP_STRUCT__entry( ++ __field( const char *, pool_name ) ++ __field( int, pool_bits ) ++ __field( int, input_bits ) ++ ), ++ ++ TP_fast_assign( ++ __entry->pool_name = pool_name; ++ __entry->pool_bits = pool_bits; ++ __entry->input_bits = input_bits; ++ ), ++ ++ TP_printk("%s: pool_bits %d input_pool_bits %d", ++ __entry->pool_name, __entry->pool_bits, ++ __entry->input_bits) ++); ++ ++TRACE_EVENT(debit_entropy, ++ TP_PROTO(const char *pool_name, int debit_bits), ++ ++ TP_ARGS(pool_name, debit_bits), ++ ++ TP_STRUCT__entry( ++ __field( const char *, pool_name ) ++ __field( int, debit_bits ) ++ ), ++ ++ TP_fast_assign( ++ __entry->pool_name = pool_name; ++ __entry->debit_bits = debit_bits; ++ ), ++ ++ TP_printk("%s: debit_bits %d", __entry->pool_name, ++ __entry->debit_bits) ++); ++ ++TRACE_EVENT(add_input_randomness, ++ TP_PROTO(int input_bits), ++ ++ TP_ARGS(input_bits), ++ ++ TP_STRUCT__entry( ++ __field( int, input_bits ) ++ ), ++ ++ TP_fast_assign( ++ __entry->input_bits = input_bits; ++ ), ++ ++ TP_printk("input_pool_bits %d", __entry->input_bits) ++); ++ ++TRACE_EVENT(add_disk_randomness, ++ TP_PROTO(dev_t dev, int input_bits), ++ ++ TP_ARGS(dev, input_bits), ++ ++ TP_STRUCT__entry( ++ __field( dev_t, dev ) ++ __field( int, input_bits ) ++ ), ++ ++ TP_fast_assign( ++ __entry->dev = dev; ++ __entry->input_bits = input_bits; ++ ), ++ ++ TP_printk("dev %d,%d input_pool_bits %d", MAJOR(__entry->dev), ++ MINOR(__entry->dev), __entry->input_bits) ++); ++ ++TRACE_EVENT(xfer_secondary_pool, ++ TP_PROTO(const char *pool_name, int xfer_bits, int request_bits, ++ int pool_entropy, int input_entropy), ++ ++ TP_ARGS(pool_name, xfer_bits, request_bits, pool_entropy, ++ input_entropy), ++ ++ TP_STRUCT__entry( ++ __field( const char *, pool_name ) ++ __field( int, xfer_bits ) ++ __field( int, request_bits ) ++ __field( int, pool_entropy ) ++ __field( int, input_entropy ) ++ ), ++ ++ TP_fast_assign( ++ __entry->pool_name = pool_name; ++ __entry->xfer_bits = xfer_bits; ++ __entry->request_bits = request_bits; ++ __entry->pool_entropy = pool_entropy; ++ __entry->input_entropy = input_entropy; ++ ), ++ ++ TP_printk("pool %s xfer_bits %d request_bits %d pool_entropy %d " ++ "input_entropy %d", __entry->pool_name, __entry->xfer_bits, ++ __entry->request_bits, __entry->pool_entropy, ++ __entry->input_entropy) ++); ++ ++DECLARE_EVENT_CLASS(random__get_random_bytes, ++ TP_PROTO(int nbytes, unsigned long IP), ++ ++ TP_ARGS(nbytes, IP), ++ ++ TP_STRUCT__entry( ++ __field( int, nbytes ) ++ __field(unsigned long, IP ) ++ ), ++ ++ TP_fast_assign( ++ __entry->nbytes = nbytes; ++ __entry->IP = IP; ++ ), ++ ++ TP_printk("nbytes %d caller %pF", __entry->nbytes, (void *)__entry->IP) ++); ++ ++DEFINE_EVENT(random__get_random_bytes, get_random_bytes, ++ TP_PROTO(int nbytes, unsigned long IP), ++ ++ TP_ARGS(nbytes, IP) ++); ++ ++DEFINE_EVENT(random__get_random_bytes, get_random_bytes_arch, ++ TP_PROTO(int nbytes, unsigned long IP), ++ ++ TP_ARGS(nbytes, IP) ++); ++ ++DECLARE_EVENT_CLASS(random__extract_entropy, ++ TP_PROTO(const char *pool_name, int nbytes, int entropy_count, ++ unsigned long IP), ++ ++ TP_ARGS(pool_name, nbytes, entropy_count, IP), ++ ++ TP_STRUCT__entry( ++ __field( const char *, pool_name ) ++ __field( int, nbytes ) ++ __field( int, entropy_count ) ++ __field(unsigned long, IP ) ++ ), ++ ++ TP_fast_assign( ++ __entry->pool_name = pool_name; ++ __entry->nbytes = nbytes; ++ __entry->entropy_count = entropy_count; ++ __entry->IP = IP; ++ ), ++ ++ TP_printk("%s pool: nbytes %d entropy_count %d caller %pF", ++ __entry->pool_name, __entry->nbytes, __entry->entropy_count, ++ (void *)__entry->IP) ++); ++ ++ ++DEFINE_EVENT(random__extract_entropy, extract_entropy, ++ TP_PROTO(const char *pool_name, int nbytes, int entropy_count, ++ unsigned long IP), ++ ++ TP_ARGS(pool_name, nbytes, entropy_count, IP) ++); ++ ++DEFINE_EVENT(random__extract_entropy, extract_entropy_user, ++ TP_PROTO(const char *pool_name, int nbytes, int entropy_count, ++ unsigned long IP), ++ ++ TP_ARGS(pool_name, nbytes, entropy_count, IP) ++); ++ ++TRACE_EVENT(random_read, ++ TP_PROTO(int got_bits, int need_bits, int pool_left, int input_left), ++ ++ TP_ARGS(got_bits, need_bits, pool_left, input_left), ++ ++ TP_STRUCT__entry( ++ __field( int, got_bits ) ++ __field( int, need_bits ) ++ __field( int, pool_left ) ++ __field( int, input_left ) ++ ), ++ ++ TP_fast_assign( ++ __entry->got_bits = got_bits; ++ __entry->need_bits = need_bits; ++ __entry->pool_left = pool_left; ++ __entry->input_left = input_left; ++ ), ++ ++ TP_printk("got_bits %d still_needed_bits %d " ++ "blocking_pool_entropy_left %d input_entropy_left %d", ++ __entry->got_bits, __entry->got_bits, __entry->pool_left, ++ __entry->input_left) ++); ++ ++TRACE_EVENT(urandom_read, ++ TP_PROTO(int got_bits, int pool_left, int input_left), ++ ++ TP_ARGS(got_bits, pool_left, input_left), ++ ++ TP_STRUCT__entry( ++ __field( int, got_bits ) ++ __field( int, pool_left ) ++ __field( int, input_left ) ++ ), ++ ++ TP_fast_assign( ++ __entry->got_bits = got_bits; ++ __entry->pool_left = pool_left; ++ __entry->input_left = input_left; ++ ), ++ ++ TP_printk("got_bits %d nonblocking_pool_entropy_left %d " ++ "input_entropy_left %d", __entry->got_bits, ++ __entry->pool_left, __entry->input_left) ++); ++ ++#endif /* _TRACE_RANDOM_H */ ++ ++/* This part must be outside protection */ ++#include <trace/define_trace.h> diff --git a/include/video/udlfb.h b/include/video/udlfb.h index c41f308..6918de3 100644 --- a/include/video/udlfb.h @@ -80547,7 +82212,7 @@ index ce0c182..c6ec99a 100644 else new_fs = fs; diff --git a/kernel/futex.c b/kernel/futex.c -index 1d0538e..04de80f 100644 +index 1d0538e..9a6f6fb 100644 --- a/kernel/futex.c +++ b/kernel/futex.c @@ -54,6 +54,7 @@ @@ -80570,6 +82235,15 @@ index 1d0538e..04de80f 100644 /* * The futex address must be "naturally" aligned. */ +@@ -285,7 +291,7 @@ again: + put_page(page); + /* serialize against __split_huge_page_splitting() */ + local_irq_disable(); +- if (likely(__get_user_pages_fast(address, 1, 1, &page) == 1)) { ++ if (likely(__get_user_pages_fast(address, 1, !ro, &page) == 1)) { + page_head = compound_head(page); + /* + * page_head is valid pointer but we must pin @@ -438,7 +444,7 @@ static int cmpxchg_futex_value_locked(u32 *curval, u32 __user *uaddr, static int get_futex_value_locked(u32 *dest, u32 __user *from) @@ -80659,6 +82333,41 @@ index 60f7e32..d703ad4 100644 .notifier_call = hrtimer_cpu_notify, }; +diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c +index 52bdd58..56002b5 100644 +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -900,22 +900,6 @@ __setup_irq(unsigned int irq, struct irq_desc *desc, struct irqaction *new) + return -ENOSYS; + if (!try_module_get(desc->owner)) + return -ENODEV; +- /* +- * Some drivers like serial.c use request_irq() heavily, +- * so we have to be careful not to interfere with a +- * running system. +- */ +- if (new->flags & IRQF_SAMPLE_RANDOM) { +- /* +- * This function might sleep, we want to call it first, +- * outside of the atomic block. +- * Yes, this might clear the entropy pool if the wrong +- * driver is attempted to be loaded, without actually +- * installing a new handler, but is this really a problem, +- * only the sysadmin is able to do this. +- */ +- rand_initialize_irq(irq); +- } + + /* + * Check whether the interrupt nests into another interrupt +@@ -1361,7 +1345,6 @@ EXPORT_SYMBOL(free_irq); + * Flags: + * + * IRQF_SHARED Interrupt is shared +- * IRQF_SAMPLE_RANDOM The interrupt can be used for entropy + * IRQF_TRIGGER_* Specify active edge(s) or level + * + */ diff --git a/kernel/jump_label.c b/kernel/jump_label.c index 66ff710..794bc5a 100644 --- a/kernel/jump_label.c @@ -86308,6 +88017,495 @@ index d9df745..e73c2fe 100644 static inline void *ptr_to_indirect(void *ptr) { +diff --git a/lib/random32.c b/lib/random32.c +index fc3545a..1e5b2df 100644 +--- a/lib/random32.c ++++ b/lib/random32.c +@@ -2,19 +2,19 @@ + This is a maximally equidistributed combined Tausworthe generator + based on code from GNU Scientific Library 1.5 (30 Jun 2004) + +- x_n = (s1_n ^ s2_n ^ s3_n) ++ lfsr113 version: + +- s1_{n+1} = (((s1_n & 4294967294) <<12) ^ (((s1_n <<13) ^ s1_n) >>19)) +- s2_{n+1} = (((s2_n & 4294967288) << 4) ^ (((s2_n << 2) ^ s2_n) >>25)) +- s3_{n+1} = (((s3_n & 4294967280) <<17) ^ (((s3_n << 3) ^ s3_n) >>11)) ++ x_n = (s1_n ^ s2_n ^ s3_n ^ s4_n) + +- The period of this generator is about 2^88. ++ s1_{n+1} = (((s1_n & 4294967294) << 18) ^ (((s1_n << 6) ^ s1_n) >> 13)) ++ s2_{n+1} = (((s2_n & 4294967288) << 2) ^ (((s2_n << 2) ^ s2_n) >> 27)) ++ s3_{n+1} = (((s3_n & 4294967280) << 7) ^ (((s3_n << 13) ^ s3_n) >> 21)) ++ s4_{n+1} = (((s4_n & 4294967168) << 13) ^ (((s4_n << 3) ^ s4_n) >> 12)) ++ ++ The period of this generator is about 2^113 (see erratum paper). + + From: P. L'Ecuyer, "Maximally Equidistributed Combined Tausworthe +- Generators", Mathematics of Computation, 65, 213 (1996), 203--213. +- +- This is available on the net from L'Ecuyer's home page, +- ++ Generators", Mathematics of Computation, 65, 213 (1996), 203--213: + http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme.ps + ftp://ftp.iro.umontreal.ca/pub/simulation/lecuyer/papers/tausme.ps + +@@ -29,61 +29,148 @@ + that paper.) + + This affects the seeding procedure by imposing the requirement +- s1 > 1, s2 > 7, s3 > 15. ++ s1 > 1, s2 > 7, s3 > 15, s4 > 127. + + */ + + #include <linux/types.h> + #include <linux/percpu.h> +-#include <linux/module.h> ++#include <linux/export.h> + #include <linux/jiffies.h> + #include <linux/random.h> ++#include <linux/sched.h> ++ ++#ifdef CONFIG_RANDOM32_SELFTEST ++static void __init prandom_state_selftest(void); ++#endif + + static DEFINE_PER_CPU(struct rnd_state, net_rand_state); + + /** +- * prandom32 - seeded pseudo-random number generator. ++ * prandom_u32_state - seeded pseudo-random number generator. + * @state: pointer to state structure holding seeded state. + * + * This is used for pseudo-randomness with no outside seeding. +- * For more random results, use random32(). ++ * For more random results, use prandom_u32(). + */ +-u32 prandom32(struct rnd_state *state) ++u32 prandom_u32_state(struct rnd_state *state) + { + #define TAUSWORTHE(s,a,b,c,d) ((s&c)<<d) ^ (((s <<a) ^ s)>>b) + +- state->s1 = TAUSWORTHE(state->s1, 13, 19, 4294967294UL, 12); +- state->s2 = TAUSWORTHE(state->s2, 2, 25, 4294967288UL, 4); +- state->s3 = TAUSWORTHE(state->s3, 3, 11, 4294967280UL, 17); ++ state->s1 = TAUSWORTHE(state->s1, 6U, 13U, 4294967294U, 18U); ++ state->s2 = TAUSWORTHE(state->s2, 2U, 27U, 4294967288U, 2U); ++ state->s3 = TAUSWORTHE(state->s3, 13U, 21U, 4294967280U, 7U); ++ state->s4 = TAUSWORTHE(state->s4, 3U, 12U, 4294967168U, 13U); + +- return (state->s1 ^ state->s2 ^ state->s3); ++ return (state->s1 ^ state->s2 ^ state->s3 ^ state->s4); + } +-EXPORT_SYMBOL(prandom32); ++EXPORT_SYMBOL(prandom_u32_state); + + /** +- * random32 - pseudo random number generator ++ * prandom_u32 - pseudo random number generator + * + * A 32 bit pseudo-random number is generated using a fast + * algorithm suitable for simulation. This algorithm is NOT + * considered safe for cryptographic use. + */ +-u32 random32(void) ++u32 prandom_u32(void) + { + unsigned long r; + struct rnd_state *state = &get_cpu_var(net_rand_state); +- r = prandom32(state); ++ r = prandom_u32_state(state); + put_cpu_var(state); + return r; + } +-EXPORT_SYMBOL(random32); ++EXPORT_SYMBOL(prandom_u32); ++ ++/* ++ * prandom_bytes_state - get the requested number of pseudo-random bytes ++ * ++ * @state: pointer to state structure holding seeded state. ++ * @buf: where to copy the pseudo-random bytes to ++ * @bytes: the requested number of bytes ++ * ++ * This is used for pseudo-randomness with no outside seeding. ++ * For more random results, use prandom_bytes(). ++ */ ++void prandom_bytes_state(struct rnd_state *state, void *buf, int bytes) ++{ ++ unsigned char *p = buf; ++ int i; ++ ++ for (i = 0; i < round_down(bytes, sizeof(u32)); i += sizeof(u32)) { ++ u32 random = prandom_u32_state(state); ++ int j; ++ ++ for (j = 0; j < sizeof(u32); j++) { ++ p[i + j] = random; ++ random >>= BITS_PER_BYTE; ++ } ++ } ++ if (i < bytes) { ++ u32 random = prandom_u32_state(state); ++ ++ for (; i < bytes; i++) { ++ p[i] = random; ++ random >>= BITS_PER_BYTE; ++ } ++ } ++} ++EXPORT_SYMBOL(prandom_bytes_state); ++ ++/** ++ * prandom_bytes - get the requested number of pseudo-random bytes ++ * @buf: where to copy the pseudo-random bytes to ++ * @bytes: the requested number of bytes ++ */ ++void prandom_bytes(void *buf, int bytes) ++{ ++ struct rnd_state *state = &get_cpu_var(net_rand_state); ++ ++ prandom_bytes_state(state, buf, bytes); ++ put_cpu_var(state); ++} ++EXPORT_SYMBOL(prandom_bytes); ++ ++static void prandom_warmup(struct rnd_state *state) ++{ ++ /* Calling RNG ten times to satify recurrence condition */ ++ prandom_u32_state(state); ++ prandom_u32_state(state); ++ prandom_u32_state(state); ++ prandom_u32_state(state); ++ prandom_u32_state(state); ++ prandom_u32_state(state); ++ prandom_u32_state(state); ++ prandom_u32_state(state); ++ prandom_u32_state(state); ++ prandom_u32_state(state); ++} ++ ++static void prandom_seed_very_weak(struct rnd_state *state, u32 seed) ++{ ++ /* Note: This sort of seeding is ONLY used in test cases and ++ * during boot at the time from core_initcall until late_initcall ++ * as we don't have a stronger entropy source available yet. ++ * After late_initcall, we reseed entire state, we have to (!), ++ * otherwise an attacker just needs to search 32 bit space to ++ * probe for our internal 128 bit state if he knows a couple ++ * of prandom32 outputs! ++ */ ++#define LCG(x) ((x) * 69069U) /* super-duper LCG */ ++ state->s1 = __seed(LCG(seed), 2U); ++ state->s2 = __seed(LCG(state->s1), 8U); ++ state->s3 = __seed(LCG(state->s2), 16U); ++ state->s4 = __seed(LCG(state->s3), 128U); ++} + + /** +- * srandom32 - add entropy to pseudo random number generator ++ * prandom_seed - add entropy to pseudo random number generator + * @seed: seed value + * +- * Add some additional seeding to the random32() pool. ++ * Add some additional seeding to the prandom pool. + */ +-void srandom32(u32 entropy) ++void prandom_seed(u32 entropy) + { + int i; + /* +@@ -92,59 +179,264 @@ void srandom32(u32 entropy) + */ + for_each_possible_cpu (i) { + struct rnd_state *state = &per_cpu(net_rand_state, i); +- state->s1 = __seed(state->s1 ^ entropy, 1); ++ ++ state->s1 = __seed(state->s1 ^ entropy, 2U); ++ prandom_warmup(state); + } + } +-EXPORT_SYMBOL(srandom32); ++EXPORT_SYMBOL(prandom_seed); + + /* + * Generate some initially weak seeding values to allow +- * to start the random32() engine. ++ * to start the prandom_u32() engine. + */ +-static int __init random32_init(void) ++static int __init prandom_init(void) + { + int i; + ++#ifdef CONFIG_RANDOM32_SELFTEST ++ prandom_state_selftest(); ++#endif ++ + for_each_possible_cpu(i) { + struct rnd_state *state = &per_cpu(net_rand_state,i); + +-#define LCG(x) ((x) * 69069) /* super-duper LCG */ +- state->s1 = __seed(LCG(i + jiffies), 1); +- state->s2 = __seed(LCG(state->s1), 7); +- state->s3 = __seed(LCG(state->s2), 15); +- +- /* "warm it up" */ +- prandom32(state); +- prandom32(state); +- prandom32(state); +- prandom32(state); +- prandom32(state); +- prandom32(state); ++ prandom_seed_very_weak(state, (i + jiffies) ^ random_get_entropy()); ++ prandom_warmup(state); + } + return 0; + } +-core_initcall(random32_init); ++core_initcall(prandom_init); ++ ++static void __prandom_timer(unsigned long dontcare); ++static DEFINE_TIMER(seed_timer, __prandom_timer, 0, 0); ++ ++static void __prandom_timer(unsigned long dontcare) ++{ ++ u32 entropy; ++ unsigned long expires; ++ ++ get_random_bytes(&entropy, sizeof(entropy)); ++ prandom_seed(entropy); ++ ++ /* reseed every ~60 seconds, in [40 .. 80) interval with slack */ ++ expires = 40 + (prandom_u32() % 40); ++ seed_timer.expires = jiffies + msecs_to_jiffies(expires * MSEC_PER_SEC); ++ ++ add_timer(&seed_timer); ++} ++ ++static void __init __prandom_start_seed_timer(void) ++{ ++ set_timer_slack(&seed_timer, HZ); ++ seed_timer.expires = jiffies + msecs_to_jiffies(40 * MSEC_PER_SEC); ++ add_timer(&seed_timer); ++} + + /* + * Generate better values after random number generator + * is fully initialized. + */ +-static int __init random32_reseed(void) ++static void __prandom_reseed(bool late) + { + int i; ++ unsigned long flags; ++ static bool latch = false; ++ static DEFINE_SPINLOCK(lock); ++ ++ /* only allow initial seeding (late == false) once */ ++ spin_lock_irqsave(&lock, flags); ++ if (latch && !late) ++ goto out; ++ latch = true; + + for_each_possible_cpu(i) { + struct rnd_state *state = &per_cpu(net_rand_state,i); +- u32 seeds[3]; ++ u32 seeds[4]; + + get_random_bytes(&seeds, sizeof(seeds)); +- state->s1 = __seed(seeds[0], 1); +- state->s2 = __seed(seeds[1], 7); +- state->s3 = __seed(seeds[2], 15); ++ state->s1 = __seed(seeds[0], 2U); ++ state->s2 = __seed(seeds[1], 8U); ++ state->s3 = __seed(seeds[2], 16U); ++ state->s4 = __seed(seeds[3], 128U); + +- /* mix it in */ +- prandom32(state); ++ prandom_warmup(state); + } ++out: ++ spin_unlock_irqrestore(&lock, flags); ++} ++ ++void prandom_reseed_late(void) ++{ ++ __prandom_reseed(true); ++} ++ ++static int __init prandom_reseed(void) ++{ ++ __prandom_reseed(false); ++ __prandom_start_seed_timer(); + return 0; + } +-late_initcall(random32_reseed); ++late_initcall(prandom_reseed); ++ ++#ifdef CONFIG_RANDOM32_SELFTEST ++static struct prandom_test1 { ++ u32 seed; ++ u32 result; ++} test1[] = { ++ { 1U, 3484351685U }, ++ { 2U, 2623130059U }, ++ { 3U, 3125133893U }, ++ { 4U, 984847254U }, ++}; ++ ++static struct prandom_test2 { ++ u32 seed; ++ u32 iteration; ++ u32 result; ++} test2[] = { ++ /* Test cases against taus113 from GSL library. */ ++ { 931557656U, 959U, 2975593782U }, ++ { 1339693295U, 876U, 3887776532U }, ++ { 1545556285U, 961U, 1615538833U }, ++ { 601730776U, 723U, 1776162651U }, ++ { 1027516047U, 687U, 511983079U }, ++ { 416526298U, 700U, 916156552U }, ++ { 1395522032U, 652U, 2222063676U }, ++ { 366221443U, 617U, 2992857763U }, ++ { 1539836965U, 714U, 3783265725U }, ++ { 556206671U, 994U, 799626459U }, ++ { 684907218U, 799U, 367789491U }, ++ { 2121230701U, 931U, 2115467001U }, ++ { 1668516451U, 644U, 3620590685U }, ++ { 768046066U, 883U, 2034077390U }, ++ { 1989159136U, 833U, 1195767305U }, ++ { 536585145U, 996U, 3577259204U }, ++ { 1008129373U, 642U, 1478080776U }, ++ { 1740775604U, 939U, 1264980372U }, ++ { 1967883163U, 508U, 10734624U }, ++ { 1923019697U, 730U, 3821419629U }, ++ { 442079932U, 560U, 3440032343U }, ++ { 1961302714U, 845U, 841962572U }, ++ { 2030205964U, 962U, 1325144227U }, ++ { 1160407529U, 507U, 240940858U }, ++ { 635482502U, 779U, 4200489746U }, ++ { 1252788931U, 699U, 867195434U }, ++ { 1961817131U, 719U, 668237657U }, ++ { 1071468216U, 983U, 917876630U }, ++ { 1281848367U, 932U, 1003100039U }, ++ { 582537119U, 780U, 1127273778U }, ++ { 1973672777U, 853U, 1071368872U }, ++ { 1896756996U, 762U, 1127851055U }, ++ { 847917054U, 500U, 1717499075U }, ++ { 1240520510U, 951U, 2849576657U }, ++ { 1685071682U, 567U, 1961810396U }, ++ { 1516232129U, 557U, 3173877U }, ++ { 1208118903U, 612U, 1613145022U }, ++ { 1817269927U, 693U, 4279122573U }, ++ { 1510091701U, 717U, 638191229U }, ++ { 365916850U, 807U, 600424314U }, ++ { 399324359U, 702U, 1803598116U }, ++ { 1318480274U, 779U, 2074237022U }, ++ { 697758115U, 840U, 1483639402U }, ++ { 1696507773U, 840U, 577415447U }, ++ { 2081979121U, 981U, 3041486449U }, ++ { 955646687U, 742U, 3846494357U }, ++ { 1250683506U, 749U, 836419859U }, ++ { 595003102U, 534U, 366794109U }, ++ { 47485338U, 558U, 3521120834U }, ++ { 619433479U, 610U, 3991783875U }, ++ { 704096520U, 518U, 4139493852U }, ++ { 1712224984U, 606U, 2393312003U }, ++ { 1318233152U, 922U, 3880361134U }, ++ { 855572992U, 761U, 1472974787U }, ++ { 64721421U, 703U, 683860550U }, ++ { 678931758U, 840U, 380616043U }, ++ { 692711973U, 778U, 1382361947U }, ++ { 677703619U, 530U, 2826914161U }, ++ { 92393223U, 586U, 1522128471U }, ++ { 1222592920U, 743U, 3466726667U }, ++ { 358288986U, 695U, 1091956998U }, ++ { 1935056945U, 958U, 514864477U }, ++ { 735675993U, 990U, 1294239989U }, ++ { 1560089402U, 897U, 2238551287U }, ++ { 70616361U, 829U, 22483098U }, ++ { 368234700U, 731U, 2913875084U }, ++ { 20221190U, 879U, 1564152970U }, ++ { 539444654U, 682U, 1835141259U }, ++ { 1314987297U, 840U, 1801114136U }, ++ { 2019295544U, 645U, 3286438930U }, ++ { 469023838U, 716U, 1637918202U }, ++ { 1843754496U, 653U, 2562092152U }, ++ { 400672036U, 809U, 4264212785U }, ++ { 404722249U, 965U, 2704116999U }, ++ { 600702209U, 758U, 584979986U }, ++ { 519953954U, 667U, 2574436237U }, ++ { 1658071126U, 694U, 2214569490U }, ++ { 420480037U, 749U, 3430010866U }, ++ { 690103647U, 969U, 3700758083U }, ++ { 1029424799U, 937U, 3787746841U }, ++ { 2012608669U, 506U, 3362628973U }, ++ { 1535432887U, 998U, 42610943U }, ++ { 1330635533U, 857U, 3040806504U }, ++ { 1223800550U, 539U, 3954229517U }, ++ { 1322411537U, 680U, 3223250324U }, ++ { 1877847898U, 945U, 2915147143U }, ++ { 1646356099U, 874U, 965988280U }, ++ { 805687536U, 744U, 4032277920U }, ++ { 1948093210U, 633U, 1346597684U }, ++ { 392609744U, 783U, 1636083295U }, ++ { 690241304U, 770U, 1201031298U }, ++ { 1360302965U, 696U, 1665394461U }, ++ { 1220090946U, 780U, 1316922812U }, ++ { 447092251U, 500U, 3438743375U }, ++ { 1613868791U, 592U, 828546883U }, ++ { 523430951U, 548U, 2552392304U }, ++ { 726692899U, 810U, 1656872867U }, ++ { 1364340021U, 836U, 3710513486U }, ++ { 1986257729U, 931U, 935013962U }, ++ { 407983964U, 921U, 728767059U }, ++}; ++ ++static void __init prandom_state_selftest(void) ++{ ++ int i, j, errors = 0, runs = 0; ++ bool error = false; ++ ++ for (i = 0; i < ARRAY_SIZE(test1); i++) { ++ struct rnd_state state; ++ ++ prandom_seed_very_weak(&state, test1[i].seed); ++ prandom_warmup(&state); ++ ++ if (test1[i].result != prandom_u32_state(&state)) ++ error = true; ++ } ++ ++ if (error) ++ pr_warn("prandom: seed boundary self test failed\n"); ++ else ++ pr_info("prandom: seed boundary self test passed\n"); ++ ++ for (i = 0; i < ARRAY_SIZE(test2); i++) { ++ struct rnd_state state; ++ ++ prandom_seed_very_weak(&state, test2[i].seed); ++ prandom_warmup(&state); ++ ++ for (j = 0; j < test2[i].iteration - 1; j++) ++ prandom_u32_state(&state); ++ ++ if (test2[i].result != prandom_u32_state(&state)) ++ errors++; ++ ++ runs++; ++ cond_resched(); ++ } ++ ++ if (errors) ++ pr_warn("prandom: %d/%d self tests failed\n", errors, runs); ++ else ++ pr_info("prandom: %d self tests passed\n", runs); ++} ++#endif diff --git a/lib/vsprintf.c b/lib/vsprintf.c index d74c317..1170419 100644 --- a/lib/vsprintf.c @@ -104362,10 +106560,10 @@ index 0000000..679b9ef +} diff --git a/tools/gcc/size_overflow_hash.data b/tools/gcc/size_overflow_hash.data new file mode 100644 -index 0000000..0634465 +index 0000000..a77968d --- /dev/null +++ b/tools/gcc/size_overflow_hash.data -@@ -0,0 +1,5990 @@ +@@ -0,0 +1,5989 @@ +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL +ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL @@ -106025,7 +108223,6 @@ index 0000000..0634465 +smk_write_cipso_17989 smk_write_cipso 3 17989 NULL +ext4_num_overhead_clusters_18001 ext4_num_overhead_clusters 2 18001 NULL +pvr2_v4l2_read_18006 pvr2_v4l2_read 3 18006 NULL -+prandom32_18007 prandom32 0 18007 NULL +alloc_rx_desc_ring_18016 alloc_rx_desc_ring 2 18016 NULL +fill_read_18019 fill_read 0 18019 NULL +o2hb_highest_node_18034 o2hb_highest_node 2 18034 NULL @@ -114848,7 +117045,7 @@ index 547628e..74de9f2 100644 + #endif diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index 8bf05f0..61ba256 100644 +index 8bf05f0..e097f17 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -75,12 +75,17 @@ LIST_HEAD(vm_list); @@ -114949,7 +117146,17 @@ index 8bf05f0..61ba256 100644 .release = kvm_vcpu_release, .unlocked_ioctl = kvm_vcpu_ioctl, #ifdef CONFIG_COMPAT -@@ -2177,7 +2185,7 @@ static int kvm_vm_mmap(struct file *file, struct vm_area_struct *vma) +@@ -1683,6 +1691,9 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id) + int r; + struct kvm_vcpu *vcpu, *v; + ++ if (id >= KVM_MAX_VCPUS) ++ return -EINVAL; ++ + vcpu = kvm_arch_vcpu_create(kvm, id); + if (IS_ERR(vcpu)) + return PTR_ERR(vcpu); +@@ -2177,7 +2188,7 @@ static int kvm_vm_mmap(struct file *file, struct vm_area_struct *vma) return 0; } @@ -114958,7 +117165,7 @@ index 8bf05f0..61ba256 100644 .release = kvm_vm_release, .unlocked_ioctl = kvm_vm_ioctl, #ifdef CONFIG_COMPAT -@@ -2275,7 +2283,7 @@ out: +@@ -2275,7 +2286,7 @@ out: return r; } @@ -114967,7 +117174,7 @@ index 8bf05f0..61ba256 100644 .unlocked_ioctl = kvm_dev_ioctl, .compat_ioctl = kvm_dev_ioctl, .llseek = noop_llseek, -@@ -2301,7 +2309,7 @@ static void hardware_enable_nolock(void *junk) +@@ -2301,7 +2312,7 @@ static void hardware_enable_nolock(void *junk) if (r) { cpumask_clear_cpu(cpu, cpus_hardware_enabled); @@ -114976,7 +117183,7 @@ index 8bf05f0..61ba256 100644 printk(KERN_INFO "kvm: enabling virtualization on " "CPU%d failed\n", cpu); } -@@ -2355,10 +2363,10 @@ static int hardware_enable_all(void) +@@ -2355,10 +2366,10 @@ static int hardware_enable_all(void) kvm_usage_count++; if (kvm_usage_count == 1) { @@ -114989,7 +117196,7 @@ index 8bf05f0..61ba256 100644 hardware_disable_all_nolock(); r = -EBUSY; } -@@ -2709,7 +2717,7 @@ static void kvm_sched_out(struct preempt_notifier *pn, +@@ -2709,7 +2720,7 @@ static void kvm_sched_out(struct preempt_notifier *pn, kvm_arch_vcpu_put(vcpu); } @@ -114998,7 +117205,7 @@ index 8bf05f0..61ba256 100644 struct module *module) { int r; -@@ -2772,7 +2780,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -2772,7 +2783,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, if (!vcpu_align) vcpu_align = __alignof__(struct kvm_vcpu); kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align, @@ -115007,7 +117214,7 @@ index 8bf05f0..61ba256 100644 if (!kvm_vcpu_cache) { r = -ENOMEM; goto out_free_3; -@@ -2782,9 +2790,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -2782,9 +2793,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, if (r) goto out_free; @@ -115019,7 +117226,7 @@ index 8bf05f0..61ba256 100644 r = misc_register(&kvm_dev); if (r) { -@@ -2794,9 +2804,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -2794,9 +2807,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, register_syscore_ops(&kvm_syscore_ops); |