commit: 20f00980e88516e9663fcebc708948c1824b56b2
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Jul 5 16:33:00 2015 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Jul 5 16:33:19 2015 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=20f00980
Grsec/PaX: 3.1-{3.2.69,3.14.47,4.0.7}-201507050833
3.14.46/1045_linux-3.14.46.patch | 829 ------------
{3.14.46 => 3.14.47}/0000_README | 6 +-
3.14.47/1046_linux-3.14.47.patch | 1395 ++++++++++++++++++++
.../4420_grsecurity-3.1-3.14.47-201507050832.patch | 154 ++-
.../4425_grsec_remove_EI_PAX.patch | 0
.../4427_force_XATTR_PAX_tmpfs.patch | 0
.../4430_grsec-remove-localversion-grsec.patch | 0
.../4435_grsec-mute-warnings.patch | 0
.../4440_grsec-remove-protected-paths.patch | 0
.../4450_grsec-kconfig-default-gids.patch | 0
.../4465_selinux-avc_audit-log-curr_ip.patch | 0
.../4470_disable-compat_vdso.patch | 0
.../4475_emutramp_default_on.patch | 0
3.2.69/0000_README | 2 +-
... 4420_grsecurity-3.1-3.2.69-201507050830.patch} | 37 +-
4.0.7/0000_README | 6 +-
4.0.7/1006_linux-4.0.7.patch | 707 ----------
...> 4420_grsecurity-3.1-4.0.7-201507050833.patch} | 103 +-
18 files changed, 1630 insertions(+), 1609 deletions(-)
diff --git a/3.14.46/1045_linux-3.14.46.patch b/3.14.46/1045_linux-3.14.46.patch
deleted file mode 100644
index 12790dc..0000000
--- a/3.14.46/1045_linux-3.14.46.patch
+++ /dev/null
@@ -1,829 +0,0 @@
-diff --git a/Makefile b/Makefile
-index c92186c..def39fd 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 3
- PATCHLEVEL = 14
--SUBLEVEL = 45
-+SUBLEVEL = 46
- EXTRAVERSION =
- NAME = Remembering Coco
-
-diff --git a/arch/arm/include/asm/kvm_host.h b/arch/arm/include/asm/kvm_host.h
-index 09af149..530f56e 100644
---- a/arch/arm/include/asm/kvm_host.h
-+++ b/arch/arm/include/asm/kvm_host.h
-@@ -42,7 +42,7 @@
-
- struct kvm_vcpu;
- u32 *kvm_vcpu_reg(struct kvm_vcpu *vcpu, u8 reg_num, u32 mode);
--int kvm_target_cpu(void);
-+int __attribute_const__ kvm_target_cpu(void);
- int kvm_reset_vcpu(struct kvm_vcpu *vcpu);
- void kvm_reset_coprocs(struct kvm_vcpu *vcpu);
-
-diff --git a/arch/arm/include/asm/kvm_mmu.h b/arch/arm/include/asm/kvm_mmu.h
-index 7b362bc..0cbdb8e 100644
---- a/arch/arm/include/asm/kvm_mmu.h
-+++ b/arch/arm/include/asm/kvm_mmu.h
-@@ -127,6 +127,18 @@ static inline void kvm_set_s2pmd_writable(pmd_t *pmd)
- (__boundary - 1 < (end) - 1)? __boundary: (end); \
- })
-
-+static inline bool kvm_page_empty(void *ptr)
-+{
-+ struct page *ptr_page = virt_to_page(ptr);
-+ return page_count(ptr_page) == 1;
-+}
-+
-+
-+#define kvm_pte_table_empty(ptep) kvm_page_empty(ptep)
-+#define kvm_pmd_table_empty(pmdp) kvm_page_empty(pmdp)
-+#define kvm_pud_table_empty(pudp) (0)
-+
-+
- struct kvm;
-
- #define kvm_flush_dcache_to_poc(a,l) __cpuc_flush_dcache_area((a), (l))
-diff --git a/arch/arm/kernel/hyp-stub.S b/arch/arm/kernel/hyp-stub.S
-index 797b1a6..7e666cf 100644
---- a/arch/arm/kernel/hyp-stub.S
-+++ b/arch/arm/kernel/hyp-stub.S
-@@ -134,9 +134,7 @@ ENTRY(__hyp_stub_install_secondary)
- mcr p15, 4, r7, c1, c1, 3 @ HSTR
-
- THUMB( orr r7, #(1 << 30) ) @ HSCTLR.TE
--#ifdef CONFIG_CPU_BIG_ENDIAN
-- orr r7, #(1 << 9) @ HSCTLR.EE
--#endif
-+ARM_BE8(orr r7, r7, #(1 << 25)) @ HSCTLR.EE
- mcr p15, 4, r7, c1, c0, 0 @ HSCTLR
-
- mrc p15, 4, r7, c1, c1, 1 @ HDCR
-diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
-index bd18bb8..df6e75e 100644
---- a/arch/arm/kvm/arm.c
-+++ b/arch/arm/kvm/arm.c
-@@ -82,7 +82,7 @@ struct kvm_vcpu *kvm_arm_get_running_vcpu(void)
- /**
- * kvm_arm_get_running_vcpus - get the per-CPU array of currently running
vcpus.
- */
--struct kvm_vcpu __percpu **kvm_get_running_vcpus(void)
-+struct kvm_vcpu * __percpu *kvm_get_running_vcpus(void)
- {
- return &kvm_arm_running_vcpu;
- }
-@@ -155,16 +155,6 @@ int kvm_arch_vcpu_fault(struct kvm_vcpu *vcpu, struct
vm_fault *vmf)
- return VM_FAULT_SIGBUS;
- }
-
--void kvm_arch_free_memslot(struct kvm *kvm, struct kvm_memory_slot *free,
-- struct kvm_memory_slot *dont)
--{
--}
--
--int kvm_arch_create_memslot(struct kvm *kvm, struct kvm_memory_slot *slot,
-- unsigned long npages)
--{
-- return 0;
--}
-
- /**
- * kvm_arch_destroy_vm - destroy the VM data structure
-@@ -224,33 +214,6 @@ long kvm_arch_dev_ioctl(struct file *filp,
- return -EINVAL;
- }
-
--void kvm_arch_memslots_updated(struct kvm *kvm)
--{
--}
--
--int kvm_arch_prepare_memory_region(struct kvm *kvm,
-- struct kvm_memory_slot *memslot,
-- struct kvm_userspace_memory_region *mem,
-- enum kvm_mr_change change)
--{
-- return 0;
--}
--
--void kvm_arch_commit_memory_region(struct kvm *kvm,
-- struct kvm_userspace_memory_region *mem,
-- const struct kvm_memory_slot *old,
-- enum kvm_mr_change change)
--{
--}
--
--void kvm_arch_flush_shadow_all(struct kvm *kvm)
--{
--}
--
--void kvm_arch_flush_shadow_memslot(struct kvm *kvm,
-- struct kvm_memory_slot *slot)
--{
--}
-
- struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id)
- {
-diff --git a/arch/arm/kvm/coproc.c b/arch/arm/kvm/coproc.c
-index c58a351..7c73290 100644
---- a/arch/arm/kvm/coproc.c
-+++ b/arch/arm/kvm/coproc.c
-@@ -742,7 +742,7 @@ static bool is_valid_cache(u32 val)
- u32 level, ctype;
-
- if (val >= CSSELR_MAX)
-- return -ENOENT;
-+ return false;
-
- /* Bottom bit is Instruction or Data bit. Next 3 bits are level. */
- level = (val >> 1);
-diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c
-index c93ef38..70ed2c1 100644
---- a/arch/arm/kvm/mmu.c
-+++ b/arch/arm/kvm/mmu.c
-@@ -90,103 +90,115 @@ static void *mmu_memory_cache_alloc(struct
kvm_mmu_memory_cache *mc)
- return p;
- }
-
--static bool page_empty(void *ptr)
-+static void clear_pgd_entry(struct kvm *kvm, pgd_t *pgd, phys_addr_t addr)
- {
-- struct page *ptr_page = virt_to_page(ptr);
-- return page_count(ptr_page) == 1;
-+ pud_t *pud_table __maybe_unused = pud_offset(pgd, 0);
-+ pgd_clear(pgd);
-+ kvm_tlb_flush_vmid_ipa(kvm, addr);
-+ pud_free(NULL, pud_table);
-+ put_page(virt_to_page(pgd));
- }
-
- static void clear_pud_entry(struct kvm *kvm, pud_t *pud, phys_addr_t addr)
- {
-- if (pud_huge(*pud)) {
-- pud_clear(pud);
-- kvm_tlb_flush_vmid_ipa(kvm, addr);
-- } else {
-- pmd_t *pmd_table = pmd_offset(pud, 0);
-- pud_clear(pud);
-- kvm_tlb_flush_vmid_ipa(kvm, addr);
-- pmd_free(NULL, pmd_table);
-- }
-+ pmd_t *pmd_table = pmd_offset(pud, 0);
-+ VM_BUG_ON(pud_huge(*pud));
-+ pud_clear(pud);
-+ kvm_tlb_flush_vmid_ipa(kvm, addr);
-+ pmd_free(NULL, pmd_table);
- put_page(virt_to_page(pud));
- }
-
- static void clear_pmd_entry(struct kvm *kvm, pmd_t *pmd, phys_addr_t addr)
- {
-- if (kvm_pmd_huge(*pmd)) {
-- pmd_clear(pmd);
-- kvm_tlb_flush_vmid_ipa(kvm, addr);
-- } else {
-- pte_t *pte_table = pte_offset_kernel(pmd, 0);
-- pmd_clear(pmd);
-- kvm_tlb_flush_vmid_ipa(kvm, addr);
-- pte_free_kernel(NULL, pte_table);
-- }
-+ pte_t *pte_table = pte_offset_kernel(pmd, 0);
-+ VM_BUG_ON(kvm_pmd_huge(*pmd));
-+ pmd_clear(pmd);
-+ kvm_tlb_flush_vmid_ipa(kvm, addr);
-+ pte_free_kernel(NULL, pte_table);
- put_page(virt_to_page(pmd));
- }
-
--static void clear_pte_entry(struct kvm *kvm, pte_t *pte, phys_addr_t addr)
-+static void unmap_ptes(struct kvm *kvm, pmd_t *pmd,
-+ phys_addr_t addr, phys_addr_t end)
- {
-- if (pte_present(*pte)) {
-- kvm_set_pte(pte, __pte(0));
-- put_page(virt_to_page(pte));
-- kvm_tlb_flush_vmid_ipa(kvm, addr);
-+ phys_addr_t start_addr = addr;
-+ pte_t *pte, *start_pte;
-+
-+ start_pte = pte = pte_offset_kernel(pmd, addr);
-+ do {
-+ if (!pte_none(*pte)) {
-+ kvm_set_pte(pte, __pte(0));
-+ put_page(virt_to_page(pte));
-+ kvm_tlb_flush_vmid_ipa(kvm, addr);
-+ }
-+ } while (pte++, addr += PAGE_SIZE, addr != end);
-+
-+ if (kvm_pte_table_empty(start_pte))
-+ clear_pmd_entry(kvm, pmd, start_addr);
- }
--}
-
--static void unmap_range(struct kvm *kvm, pgd_t *pgdp,
-- unsigned long long start, u64 size)
-+static void unmap_pmds(struct kvm *kvm, pud_t *pud,
-+ phys_addr_t addr, phys_addr_t end)
- {
-- pgd_t *pgd;
-- pud_t *pud;
-- pmd_t *pmd;
-- pte_t *pte;
-- unsigned long long addr = start, end = start + size;
-- u64 next;
--
-- while (addr < end) {
-- pgd = pgdp + pgd_index(addr);
-- pud = pud_offset(pgd, addr);
-- if (pud_none(*pud)) {
-- addr = kvm_pud_addr_end(addr, end);
-- continue;
-- }
-+ phys_addr_t next, start_addr = addr;
-+ pmd_t *pmd, *start_pmd;
-
-- if (pud_huge(*pud)) {
-- /*
-- * If we are dealing with a huge pud, just clear it and
-- * move on.
-- */
-- clear_pud_entry(kvm, pud, addr);
-- addr = kvm_pud_addr_end(addr, end);
-- continue;
-+ start_pmd = pmd = pmd_offset(pud, addr);
-+ do {
-+ next = kvm_pmd_addr_end(addr, end);
-+ if (!pmd_none(*pmd)) {
-+ if (kvm_pmd_huge(*pmd)) {
-+ pmd_clear(pmd);
-+ kvm_tlb_flush_vmid_ipa(kvm, addr);
-+ put_page(virt_to_page(pmd));
-+ } else {
-+ unmap_ptes(kvm, pmd, addr, next);
-+ }
- }
-+ } while (pmd++, addr = next, addr != end);
-
-- pmd = pmd_offset(pud, addr);
-- if (pmd_none(*pmd)) {
-- addr = kvm_pmd_addr_end(addr, end);
-- continue;
-- }
-+ if (kvm_pmd_table_empty(start_pmd))
-+ clear_pud_entry(kvm, pud, start_addr);
-+}
-
-- if (!kvm_pmd_huge(*pmd)) {
-- pte = pte_offset_kernel(pmd, addr);
-- clear_pte_entry(kvm, pte, addr);
-- next = addr + PAGE_SIZE;
-- }
-+static void unmap_puds(struct kvm *kvm, pgd_t *pgd,
-+ phys_addr_t addr, phys_addr_t end)
-+{
-+ phys_addr_t next, start_addr = addr;
-+ pud_t *pud, *start_pud;
-
-- /*
-- * If the pmd entry is to be cleared, walk back up the ladder
-- */
-- if (kvm_pmd_huge(*pmd) || page_empty(pte)) {
-- clear_pmd_entry(kvm, pmd, addr);
-- next = kvm_pmd_addr_end(addr, end);
-- if (page_empty(pmd) && !page_empty(pud)) {
-- clear_pud_entry(kvm, pud, addr);
-- next = kvm_pud_addr_end(addr, end);
-+ start_pud = pud = pud_offset(pgd, addr);
-+ do {
-+ next = kvm_pud_addr_end(addr, end);
-+ if (!pud_none(*pud)) {
-+ if (pud_huge(*pud)) {
-+ pud_clear(pud);
-+ kvm_tlb_flush_vmid_ipa(kvm, addr);
-+ put_page(virt_to_page(pud));
-+ } else {
-+ unmap_pmds(kvm, pud, addr, next);
- }
- }
-+ } while (pud++, addr = next, addr != end);
-
-- addr = next;
-- }
-+ if (kvm_pud_table_empty(start_pud))
-+ clear_pgd_entry(kvm, pgd, start_addr);
-+}
-+
-+
-+static void unmap_range(struct kvm *kvm, pgd_t *pgdp,
-+ phys_addr_t start, u64 size)
-+{
-+ pgd_t *pgd;
-+ phys_addr_t addr = start, end = start + size;
-+ phys_addr_t next;
-+
-+ pgd = pgdp + pgd_index(addr);
-+ do {
-+ next = kvm_pgd_addr_end(addr, end);
-+ unmap_puds(kvm, pgd, addr, next);
-+ } while (pgd++, addr = next, addr != end);
- }
-
- static void stage2_flush_ptes(struct kvm *kvm, pmd_t *pmd,
-@@ -747,6 +759,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu,
phys_addr_t fault_ipa,
- struct kvm_mmu_memory_cache *memcache = &vcpu->arch.mmu_page_cache;
- struct vm_area_struct *vma;
- pfn_t pfn;
-+ pgprot_t mem_type = PAGE_S2;
-
- write_fault = kvm_is_write_fault(kvm_vcpu_get_hsr(vcpu));
- if (fault_status == FSC_PERM && !write_fault) {
-@@ -797,6 +810,9 @@ static int user_mem_abort(struct kvm_vcpu *vcpu,
phys_addr_t fault_ipa,
- if (is_error_pfn(pfn))
- return -EFAULT;
-
-+ if (kvm_is_mmio_pfn(pfn))
-+ mem_type = PAGE_S2_DEVICE;
-+
- spin_lock(&kvm->mmu_lock);
- if (mmu_notifier_retry(kvm, mmu_seq))
- goto out_unlock;
-@@ -804,7 +820,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu,
phys_addr_t fault_ipa,
- hugetlb = transparent_hugepage_adjust(&pfn, &fault_ipa);
-
- if (hugetlb) {
-- pmd_t new_pmd = pfn_pmd(pfn, PAGE_S2);
-+ pmd_t new_pmd = pfn_pmd(pfn, mem_type);
- new_pmd = pmd_mkhuge(new_pmd);
- if (writable) {
- kvm_set_s2pmd_writable(&new_pmd);
-@@ -813,13 +829,14 @@ static int user_mem_abort(struct kvm_vcpu *vcpu,
phys_addr_t fault_ipa,
- coherent_cache_guest_page(vcpu, hva & PMD_MASK, PMD_SIZE);
- ret = stage2_set_pmd_huge(kvm, memcache, fault_ipa, &new_pmd);
- } else {
-- pte_t new_pte = pfn_pte(pfn, PAGE_S2);
-+ pte_t new_pte = pfn_pte(pfn, mem_type);
- if (writable) {
- kvm_set_s2pte_writable(&new_pte);
- kvm_set_pfn_dirty(pfn);
- }
- coherent_cache_guest_page(vcpu, hva, PAGE_SIZE);
-- ret = stage2_set_pte(kvm, memcache, fault_ipa, &new_pte, false);
-+ ret = stage2_set_pte(kvm, memcache, fault_ipa, &new_pte,
-+ mem_type == PAGE_S2_DEVICE);
- }
-
-
-@@ -1099,3 +1116,49 @@ out:
- free_hyp_pgds();
- return err;
- }
-+
-+void kvm_arch_commit_memory_region(struct kvm *kvm,
-+ struct kvm_userspace_memory_region *mem,
-+ const struct kvm_memory_slot *old,
-+ enum kvm_mr_change change)
-+{
-+ gpa_t gpa = old->base_gfn << PAGE_SHIFT;
-+ phys_addr_t size = old->npages << PAGE_SHIFT;
-+ if (change == KVM_MR_DELETE || change == KVM_MR_MOVE) {
-+ spin_lock(&kvm->mmu_lock);
-+ unmap_stage2_range(kvm, gpa, size);
-+ spin_unlock(&kvm->mmu_lock);
-+ }
-+}
-+
-+int kvm_arch_prepare_memory_region(struct kvm *kvm,
-+ struct kvm_memory_slot *memslot,
-+ struct kvm_userspace_memory_region *mem,
-+ enum kvm_mr_change change)
-+{
-+ return 0;
-+}
-+
-+void kvm_arch_free_memslot(struct kvm *kvm, struct kvm_memory_slot *free,
-+ struct kvm_memory_slot *dont)
-+{
-+}
-+
-+int kvm_arch_create_memslot(struct kvm *kvm, struct kvm_memory_slot *slot,
-+ unsigned long npages)
-+{
-+ return 0;
-+}
-+
-+void kvm_arch_memslots_updated(struct kvm *kvm)
-+{
-+}
-+
-+void kvm_arch_flush_shadow_all(struct kvm *kvm)
-+{
-+}
-+
-+void kvm_arch_flush_shadow_memslot(struct kvm *kvm,
-+ struct kvm_memory_slot *slot)
-+{
-+}
-diff --git a/arch/arm64/include/asm/kvm_host.h
b/arch/arm64/include/asm/kvm_host.h
-index 0a1d697..3fb0946 100644
---- a/arch/arm64/include/asm/kvm_host.h
-+++ b/arch/arm64/include/asm/kvm_host.h
-@@ -42,7 +42,7 @@
- #define KVM_VCPU_MAX_FEATURES 2
-
- struct kvm_vcpu;
--int kvm_target_cpu(void);
-+int __attribute_const__ kvm_target_cpu(void);
- int kvm_reset_vcpu(struct kvm_vcpu *vcpu);
- int kvm_arch_dev_ioctl_check_extension(long ext);
-
-@@ -177,7 +177,7 @@ static inline int kvm_test_age_hva(struct kvm *kvm,
unsigned long hva)
- }
-
- struct kvm_vcpu *kvm_arm_get_running_vcpu(void);
--struct kvm_vcpu __percpu **kvm_get_running_vcpus(void);
-+struct kvm_vcpu * __percpu *kvm_get_running_vcpus(void);
-
- u64 kvm_call_hyp(void *hypfn, ...);
-
-diff --git a/arch/arm64/include/asm/kvm_mmu.h
b/arch/arm64/include/asm/kvm_mmu.h
-index 7d29847..8e138c7 100644
---- a/arch/arm64/include/asm/kvm_mmu.h
-+++ b/arch/arm64/include/asm/kvm_mmu.h
-@@ -125,6 +125,21 @@ static inline void kvm_set_s2pmd_writable(pmd_t *pmd)
- #define kvm_pud_addr_end(addr, end) pud_addr_end(addr, end)
- #define kvm_pmd_addr_end(addr, end) pmd_addr_end(addr, end)
-
-+static inline bool kvm_page_empty(void *ptr)
-+{
-+ struct page *ptr_page = virt_to_page(ptr);
-+ return page_count(ptr_page) == 1;
-+}
-+
-+#define kvm_pte_table_empty(ptep) kvm_page_empty(ptep)
-+#ifndef CONFIG_ARM64_64K_PAGES
-+#define kvm_pmd_table_empty(pmdp) kvm_page_empty(pmdp)
-+#else
-+#define kvm_pmd_table_empty(pmdp) (0)
-+#endif
-+#define kvm_pud_table_empty(pudp) (0)
-+
-+
- struct kvm;
-
- #define kvm_flush_dcache_to_poc(a,l) __flush_dcache_area((a), (l))
-diff --git a/arch/arm64/kvm/hyp.S b/arch/arm64/kvm/hyp.S
-index b0d1512..5dfc8331 100644
---- a/arch/arm64/kvm/hyp.S
-+++ b/arch/arm64/kvm/hyp.S
-@@ -830,7 +830,7 @@ el1_trap:
- mrs x2, far_el2
-
- 2: mrs x0, tpidr_el2
-- str x1, [x0, #VCPU_ESR_EL2]
-+ str w1, [x0, #VCPU_ESR_EL2]
- str x2, [x0, #VCPU_FAR_EL2]
- str x3, [x0, #VCPU_HPFAR_EL2]
-
-diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
-index 0324458..7691b25 100644
---- a/arch/arm64/kvm/sys_regs.c
-+++ b/arch/arm64/kvm/sys_regs.c
-@@ -836,7 +836,7 @@ static bool is_valid_cache(u32 val)
- u32 level, ctype;
-
- if (val >= CSSELR_MAX)
-- return -ENOENT;
-+ return false;
-
- /* Bottom bit is Instruction or Data bit. Next 3 bits are level. */
- level = (val >> 1);
-@@ -962,7 +962,7 @@ static unsigned int num_demux_regs(void)
-
- static int write_demux_regids(u64 __user *uindices)
- {
-- u64 val = KVM_REG_ARM | KVM_REG_SIZE_U32 | KVM_REG_ARM_DEMUX;
-+ u64 val = KVM_REG_ARM64 | KVM_REG_SIZE_U32 | KVM_REG_ARM_DEMUX;
- unsigned int i;
-
- val |= KVM_REG_ARM_DEMUX_ID_CCSIDR;
-diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
-index 26b03e1..8ff2b3c 100644
---- a/drivers/bluetooth/ath3k.c
-+++ b/drivers/bluetooth/ath3k.c
-@@ -79,6 +79,7 @@ static const struct usb_device_id ath3k_table[] = {
- { USB_DEVICE(0x0489, 0xe057) },
- { USB_DEVICE(0x0489, 0xe056) },
- { USB_DEVICE(0x0489, 0xe05f) },
-+ { USB_DEVICE(0x0489, 0xe076) },
- { USB_DEVICE(0x0489, 0xe078) },
- { USB_DEVICE(0x04c5, 0x1330) },
- { USB_DEVICE(0x04CA, 0x3004) },
-@@ -109,6 +110,7 @@ static const struct usb_device_id ath3k_table[] = {
- { USB_DEVICE(0x13d3, 0x3402) },
- { USB_DEVICE(0x13d3, 0x3408) },
- { USB_DEVICE(0x13d3, 0x3432) },
-+ { USB_DEVICE(0x13d3, 0x3474) },
-
- /* Atheros AR5BBU12 with sflash firmware */
- { USB_DEVICE(0x0489, 0xE02C) },
-@@ -133,6 +135,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = {
- { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
-@@ -163,6 +166,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = {
- { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
-
- /* Atheros AR5BBU22 with sflash firmware */
- { USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
-diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
-index 9eb1669..c0e7a9aa9 100644
---- a/drivers/bluetooth/btusb.c
-+++ b/drivers/bluetooth/btusb.c
-@@ -157,6 +157,7 @@ static const struct usb_device_id blacklist_table[] = {
- { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
-@@ -187,6 +188,7 @@ static const struct usb_device_id blacklist_table[] = {
- { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
-
- /* Atheros AR5BBU12 with sflash firmware */
- { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
-diff --git a/drivers/crypto/caam/caamrng.c b/drivers/crypto/caam/caamrng.c
-index 28486b1..ae6dae8 100644
---- a/drivers/crypto/caam/caamrng.c
-+++ b/drivers/crypto/caam/caamrng.c
-@@ -56,7 +56,7 @@
-
- /* Buffer, its dma address and lock */
- struct buf_data {
-- u8 buf[RN_BUF_SIZE];
-+ u8 buf[RN_BUF_SIZE] ____cacheline_aligned;
- dma_addr_t addr;
- struct completion filled;
- u32 hw_desc[DESC_JOB_O_LEN];
-diff --git a/drivers/gpu/drm/mgag200/mgag200_mode.c
b/drivers/gpu/drm/mgag200/mgag200_mode.c
-index 9683747..f2511a0 100644
---- a/drivers/gpu/drm/mgag200/mgag200_mode.c
-+++ b/drivers/gpu/drm/mgag200/mgag200_mode.c
-@@ -1529,6 +1529,11 @@ static int mga_vga_mode_valid(struct drm_connector
*connector,
- return MODE_BANDWIDTH;
- }
-
-+ if ((mode->hdisplay % 8) != 0 || (mode->hsync_start % 8) != 0 ||
-+ (mode->hsync_end % 8) != 0 || (mode->htotal % 8) != 0) {
-+ return MODE_H_ILLEGAL;
-+ }
-+
- if (mode->crtc_hdisplay > 2048 || mode->crtc_hsync_start > 4096 ||
- mode->crtc_hsync_end > 4096 || mode->crtc_htotal > 4096 ||
- mode->crtc_vdisplay > 2048 || mode->crtc_vsync_start > 4096 ||
-diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
-index 8f580fd..ce21132 100644
---- a/drivers/scsi/lpfc/lpfc_sli.c
-+++ b/drivers/scsi/lpfc/lpfc_sli.c
-@@ -265,6 +265,16 @@ lpfc_sli4_eq_get(struct lpfc_queue *q)
- return NULL;
-
- q->hba_index = idx;
-+
-+ /*
-+ * insert barrier for instruction interlock : data from the hardware
-+ * must have the valid bit checked before it can be copied and acted
-+ * upon. Given what was seen in lpfc_sli4_cq_get() of speculative
-+ * instructions allowing action on content before valid bit checked,
-+ * add barrier here as well. May not be needed as "content" is a
-+ * single 32-bit entity here (vs multi word structure for cq's).
-+ */
-+ mb();
- return eqe;
- }
-
-@@ -370,6 +380,17 @@ lpfc_sli4_cq_get(struct lpfc_queue *q)
-
- cqe = q->qe[q->hba_index].cqe;
- q->hba_index = idx;
-+
-+ /*
-+ * insert barrier for instruction interlock : data from the hardware
-+ * must have the valid bit checked before it can be copied and acted
-+ * upon. Speculative instructions were allowing a bcopy at the start
-+ * of lpfc_sli4_fp_handle_wcqe(), which is called immediately
-+ * after our return, to copy data before the valid bit check above
-+ * was done. As such, some of the copied data was stale. The barrier
-+ * ensures the check is before any data is copied.
-+ */
-+ mb();
- return cqe;
- }
-
-diff --git a/fs/pipe.c b/fs/pipe.c
-index 78fd0d0..46f1ab2 100644
---- a/fs/pipe.c
-+++ b/fs/pipe.c
-@@ -117,25 +117,27 @@ void pipe_wait(struct pipe_inode_info *pipe)
- }
-
- static int
--pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
-- int atomic)
-+pipe_iov_copy_from_user(void *addr, int *offset, struct iovec *iov,
-+ size_t *remaining, int atomic)
- {
- unsigned long copy;
-
-- while (len > 0) {
-+ while (*remaining > 0) {
- while (!iov->iov_len)
- iov++;
-- copy = min_t(unsigned long, len, iov->iov_len);
-+ copy = min_t(unsigned long, *remaining, iov->iov_len);
-
- if (atomic) {
-- if (__copy_from_user_inatomic(to, iov->iov_base, copy))
-+ if (__copy_from_user_inatomic(addr + *offset,
-+ iov->iov_base, copy))
- return -EFAULT;
- } else {
-- if (copy_from_user(to, iov->iov_base, copy))
-+ if (copy_from_user(addr + *offset,
-+ iov->iov_base, copy))
- return -EFAULT;
- }
-- to += copy;
-- len -= copy;
-+ *offset += copy;
-+ *remaining -= copy;
- iov->iov_base += copy;
- iov->iov_len -= copy;
- }
-@@ -143,25 +145,27 @@ pipe_iov_copy_from_user(void *to, struct iovec *iov,
unsigned long len,
- }
-
- static int
--pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
-- int atomic)
-+pipe_iov_copy_to_user(struct iovec *iov, void *addr, int *offset,
-+ size_t *remaining, int atomic)
- {
- unsigned long copy;
-
-- while (len > 0) {
-+ while (*remaining > 0) {
- while (!iov->iov_len)
- iov++;
-- copy = min_t(unsigned long, len, iov->iov_len);
-+ copy = min_t(unsigned long, *remaining, iov->iov_len);
-
- if (atomic) {
-- if (__copy_to_user_inatomic(iov->iov_base, from, copy))
-+ if (__copy_to_user_inatomic(iov->iov_base,
-+ addr + *offset, copy))
- return -EFAULT;
- } else {
-- if (copy_to_user(iov->iov_base, from, copy))
-+ if (copy_to_user(iov->iov_base,
-+ addr + *offset, copy))
- return -EFAULT;
- }
-- from += copy;
-- len -= copy;
-+ *offset += copy;
-+ *remaining -= copy;
- iov->iov_base += copy;
- iov->iov_len -= copy;
- }
-@@ -395,7 +399,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
- struct pipe_buffer *buf = pipe->bufs + curbuf;
- const struct pipe_buf_operations *ops = buf->ops;
- void *addr;
-- size_t chars = buf->len;
-+ size_t chars = buf->len, remaining;
- int error, atomic;
-
- if (chars > total_len)
-@@ -409,9 +413,11 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
- }
-
- atomic = !iov_fault_in_pages_write(iov, chars);
-+ remaining = chars;
- redo:
- addr = ops->map(pipe, buf, atomic);
-- error = pipe_iov_copy_to_user(iov, addr + buf->offset,
chars, atomic);
-+ error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
-+ &remaining, atomic);
- ops->unmap(pipe, buf, addr);
- if (unlikely(error)) {
- /*
-@@ -426,7 +432,6 @@ redo:
- break;
- }
- ret += chars;
-- buf->offset += chars;
- buf->len -= chars;
-
- /* Was it a packet buffer? Clean up and exit */
-@@ -531,6 +536,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
- if (ops->can_merge && offset + chars <= PAGE_SIZE) {
- int error, atomic = 1;
- void *addr;
-+ size_t remaining = chars;
-
- error = ops->confirm(pipe, buf);
- if (error)
-@@ -539,8 +545,8 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
- iov_fault_in_pages_read(iov, chars);
- redo1:
- addr = ops->map(pipe, buf, atomic);
-- error = pipe_iov_copy_from_user(offset + addr, iov,
-- chars, atomic);
-+ error = pipe_iov_copy_from_user(addr, &offset, iov,
-+ &remaining, atomic);
- ops->unmap(pipe, buf, addr);
- ret = error;
- do_wakeup = 1;
-@@ -575,6 +581,8 @@ redo1:
- struct page *page = pipe->tmp_page;
- char *src;
- int error, atomic = 1;
-+ int offset = 0;
-+ size_t remaining;
-
- if (!page) {
- page = alloc_page(GFP_HIGHUSER);
-@@ -595,14 +603,15 @@ redo1:
- chars = total_len;
-
- iov_fault_in_pages_read(iov, chars);
-+ remaining = chars;
- redo2:
- if (atomic)
- src = kmap_atomic(page);
- else
- src = kmap(page);
-
-- error = pipe_iov_copy_from_user(src, iov, chars,
-- atomic);
-+ error = pipe_iov_copy_from_user(src, &offset, iov,
-+ &remaining, atomic);
- if (atomic)
- kunmap_atomic(src);
- else
-diff --git a/kernel/trace/trace_events_filter.c
b/kernel/trace/trace_events_filter.c
-index 8a86319..cb347e8 100644
---- a/kernel/trace/trace_events_filter.c
-+++ b/kernel/trace/trace_events_filter.c
-@@ -1399,19 +1399,24 @@ static int check_preds(struct filter_parse_state *ps)
- {
- int n_normal_preds = 0, n_logical_preds = 0;
- struct postfix_elt *elt;
-+ int cnt = 0;
-
- list_for_each_entry(elt, &ps->postfix, list) {
-- if (elt->op == OP_NONE)
-+ if (elt->op == OP_NONE) {
-+ cnt++;
- continue;
-+ }
-
-+ cnt--;
- if (elt->op == OP_AND || elt->op == OP_OR) {
- n_logical_preds++;
- continue;
- }
- n_normal_preds++;
-+ WARN_ON_ONCE(cnt < 0);
- }
-
-- if (!n_normal_preds || n_logical_preds >= n_normal_preds) {
-+ if (cnt != 1 || !n_normal_preds || n_logical_preds >= n_normal_preds) {
- parse_error(ps, FILT_ERR_INVALID_FILTER, 0);
- return -EINVAL;
- }
-diff --git a/virt/kvm/arm/vgic.c b/virt/kvm/arm/vgic.c
-index 4eec2d4..1316e55 100644
---- a/virt/kvm/arm/vgic.c
-+++ b/virt/kvm/arm/vgic.c
-@@ -1654,7 +1654,7 @@ out:
- return ret;
- }
-
--static bool vgic_ioaddr_overlap(struct kvm *kvm)
-+static int vgic_ioaddr_overlap(struct kvm *kvm)
- {
- phys_addr_t dist = kvm->arch.vgic.vgic_dist_base;
- phys_addr_t cpu = kvm->arch.vgic.vgic_cpu_base;
diff --git a/3.14.46/0000_README b/3.14.47/0000_README
similarity index 93%
rename from 3.14.46/0000_README
rename to 3.14.47/0000_README
index de59c28..b3b9e28 100644
--- a/3.14.46/0000_README
+++ b/3.14.47/0000_README
@@ -2,11 +2,11 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 1045_linux-3.14.46.patch
+Patch: 1046_linux-3.14.47.patch
From: http://www.kernel.org
-Desc: Linux 3.14.46
+Desc: Linux 3.14.47
-Patch: 4420_grsecurity-3.1-3.14.46-201506300711.patch
+Patch: 4420_grsecurity-3.1-3.14.47-201507050832.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.14.47/1046_linux-3.14.47.patch b/3.14.47/1046_linux-3.14.47.patch
new file mode 100644
index 0000000..4dc0c5a
--- /dev/null
+++ b/3.14.47/1046_linux-3.14.47.patch
@@ -0,0 +1,1395 @@
+diff --git a/Documentation/virtual/kvm/api.txt
b/Documentation/virtual/kvm/api.txt
+index 6cd63a9..bc6d617 100644
+--- a/Documentation/virtual/kvm/api.txt
++++ b/Documentation/virtual/kvm/api.txt
+@@ -2344,7 +2344,8 @@ should be created before this ioctl is invoked.
+
+ Possible features:
+ - KVM_ARM_VCPU_POWER_OFF: Starts the CPU in a power-off state.
+- Depends on KVM_CAP_ARM_PSCI.
++ Depends on KVM_CAP_ARM_PSCI. If not set, the CPU will be powered on
++ and execute guest code when KVM_RUN is called.
+ - KVM_ARM_VCPU_EL1_32BIT: Starts the CPU in a 32bit mode.
+ Depends on KVM_CAP_ARM_EL1_32BIT (arm64 only).
+
+diff --git a/Makefile b/Makefile
+index def39fd..f9041e6 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 14
+-SUBLEVEL = 46
++SUBLEVEL = 47
+ EXTRAVERSION =
+ NAME = Remembering Coco
+
+diff --git a/arch/arm/include/asm/kvm_emulate.h
b/arch/arm/include/asm/kvm_emulate.h
+index 0fa90c9..853e2be 100644
+--- a/arch/arm/include/asm/kvm_emulate.h
++++ b/arch/arm/include/asm/kvm_emulate.h
+@@ -33,6 +33,11 @@ void kvm_inject_undefined(struct kvm_vcpu *vcpu);
+ void kvm_inject_dabt(struct kvm_vcpu *vcpu, unsigned long addr);
+ void kvm_inject_pabt(struct kvm_vcpu *vcpu, unsigned long addr);
+
++static inline void vcpu_reset_hcr(struct kvm_vcpu *vcpu)
++{
++ vcpu->arch.hcr = HCR_GUEST_MASK;
++}
++
+ static inline bool vcpu_mode_is_32bit(struct kvm_vcpu *vcpu)
+ {
+ return 1;
+diff --git a/arch/arm/include/asm/kvm_mmu.h b/arch/arm/include/asm/kvm_mmu.h
+index 0cbdb8e..9f79231 100644
+--- a/arch/arm/include/asm/kvm_mmu.h
++++ b/arch/arm/include/asm/kvm_mmu.h
+@@ -47,6 +47,7 @@ int create_hyp_io_mappings(void *from, void *to,
phys_addr_t);
+ void free_boot_hyp_pgd(void);
+ void free_hyp_pgds(void);
+
++void stage2_unmap_vm(struct kvm *kvm);
+ int kvm_alloc_stage2_pgd(struct kvm *kvm);
+ void kvm_free_stage2_pgd(struct kvm *kvm);
+ int kvm_phys_addr_ioremap(struct kvm *kvm, phys_addr_t guest_ipa,
+@@ -78,17 +79,6 @@ static inline void kvm_set_pte(pte_t *pte, pte_t new_pte)
+ flush_pmd_entry(pte);
+ }
+
+-static inline bool kvm_is_write_fault(unsigned long hsr)
+-{
+- unsigned long hsr_ec = hsr >> HSR_EC_SHIFT;
+- if (hsr_ec == HSR_EC_IABT)
+- return false;
+- else if ((hsr & HSR_ISV) && !(hsr & HSR_WNR))
+- return false;
+- else
+- return true;
+-}
+-
+ static inline void kvm_clean_pgd(pgd_t *pgd)
+ {
+ clean_dcache_area(pgd, PTRS_PER_S2_PGD * sizeof(pgd_t));
+diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
+index df6e75e..2e74a61 100644
+--- a/arch/arm/kvm/arm.c
++++ b/arch/arm/kvm/arm.c
+@@ -220,6 +220,11 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm,
unsigned int id)
+ int err;
+ struct kvm_vcpu *vcpu;
+
++ if (irqchip_in_kernel(kvm) && vgic_initialized(kvm)) {
++ err = -EBUSY;
++ goto out;
++ }
++
+ vcpu = kmem_cache_zalloc(kvm_vcpu_cache, GFP_KERNEL);
+ if (!vcpu) {
+ err = -ENOMEM;
+@@ -427,9 +432,9 @@ static void update_vttbr(struct kvm *kvm)
+
+ /* update vttbr to be used with the new vmid */
+ pgd_phys = virt_to_phys(kvm->arch.pgd);
++ BUG_ON(pgd_phys & ~VTTBR_BADDR_MASK);
+ vmid = ((u64)(kvm->arch.vmid) << VTTBR_VMID_SHIFT) & VTTBR_VMID_MASK;
+- kvm->arch.vttbr = pgd_phys & VTTBR_BADDR_MASK;
+- kvm->arch.vttbr |= vmid;
++ kvm->arch.vttbr = pgd_phys | vmid;
+
+ spin_unlock(&kvm_vmid_lock);
+ }
+@@ -676,10 +681,21 @@ static int kvm_arch_vcpu_ioctl_vcpu_init(struct kvm_vcpu
*vcpu,
+ return ret;
+
+ /*
++ * Ensure a rebooted VM will fault in RAM pages and detect if the
++ * guest MMU is turned off and flush the caches as needed.
++ */
++ if (vcpu->arch.has_run_once)
++ stage2_unmap_vm(vcpu->kvm);
++
++ vcpu_reset_hcr(vcpu);
++
++ /*
+ * Handle the "start in power-off" case by marking the VCPU as paused.
+ */
+- if (__test_and_clear_bit(KVM_ARM_VCPU_POWER_OFF, vcpu->arch.features))
++ if (test_bit(KVM_ARM_VCPU_POWER_OFF, vcpu->arch.features))
+ vcpu->arch.pause = true;
++ else
++ vcpu->arch.pause = false;
+
+ return 0;
+ }
+@@ -825,7 +841,8 @@ static int hyp_init_cpu_notify(struct notifier_block *self,
+ switch (action) {
+ case CPU_STARTING:
+ case CPU_STARTING_FROZEN:
+- cpu_init_hyp_mode(NULL);
++ if (__hyp_get_vectors() == hyp_default_vectors)
++ cpu_init_hyp_mode(NULL);
+ break;
+ }
+
+diff --git a/arch/arm/kvm/guest.c b/arch/arm/kvm/guest.c
+index b23a59c..2786eae 100644
+--- a/arch/arm/kvm/guest.c
++++ b/arch/arm/kvm/guest.c
+@@ -38,7 +38,6 @@ struct kvm_stats_debugfs_item debugfs_entries[] = {
+
+ int kvm_arch_vcpu_setup(struct kvm_vcpu *vcpu)
+ {
+- vcpu->arch.hcr = HCR_GUEST_MASK;
+ return 0;
+ }
+
+diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c
+index 70ed2c1..524b4b5 100644
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -197,7 +197,8 @@ static void unmap_range(struct kvm *kvm, pgd_t *pgdp,
+ pgd = pgdp + pgd_index(addr);
+ do {
+ next = kvm_pgd_addr_end(addr, end);
+- unmap_puds(kvm, pgd, addr, next);
++ if (!pgd_none(*pgd))
++ unmap_puds(kvm, pgd, addr, next);
+ } while (pgd++, addr = next, addr != end);
+ }
+
+@@ -555,6 +556,71 @@ static void unmap_stage2_range(struct kvm *kvm,
phys_addr_t start, u64 size)
+ unmap_range(kvm, kvm->arch.pgd, start, size);
+ }
+
++static void stage2_unmap_memslot(struct kvm *kvm,
++ struct kvm_memory_slot *memslot)
++{
++ hva_t hva = memslot->userspace_addr;
++ phys_addr_t addr = memslot->base_gfn << PAGE_SHIFT;
++ phys_addr_t size = PAGE_SIZE * memslot->npages;
++ hva_t reg_end = hva + size;
++
++ /*
++ * A memory region could potentially cover multiple VMAs, and any holes
++ * between them, so iterate over all of them to find out if we should
++ * unmap any of them.
++ *
++ * +--------------------------------------------+
++ * +---------------+----------------+ +----------------+
++ * | : VMA 1 | VMA 2 | | VMA 3 : |
++ * +---------------+----------------+ +----------------+
++ * | memory region |
++ * +--------------------------------------------+
++ */
++ do {
++ struct vm_area_struct *vma = find_vma(current->mm, hva);
++ hva_t vm_start, vm_end;
++
++ if (!vma || vma->vm_start >= reg_end)
++ break;
++
++ /*
++ * Take the intersection of this VMA with the memory region
++ */
++ vm_start = max(hva, vma->vm_start);
++ vm_end = min(reg_end, vma->vm_end);
++
++ if (!(vma->vm_flags & VM_PFNMAP)) {
++ gpa_t gpa = addr + (vm_start - memslot->userspace_addr);
++ unmap_stage2_range(kvm, gpa, vm_end - vm_start);
++ }
++ hva = vm_end;
++ } while (hva < reg_end);
++}
++
++/**
++ * stage2_unmap_vm - Unmap Stage-2 RAM mappings
++ * @kvm: The struct kvm pointer
++ *
++ * Go through the memregions and unmap any reguler RAM
++ * backing memory already mapped to the VM.
++ */
++void stage2_unmap_vm(struct kvm *kvm)
++{
++ struct kvm_memslots *slots;
++ struct kvm_memory_slot *memslot;
++ int idx;
++
++ idx = srcu_read_lock(&kvm->srcu);
++ spin_lock(&kvm->mmu_lock);
++
++ slots = kvm_memslots(kvm);
++ kvm_for_each_memslot(memslot, slots)
++ stage2_unmap_memslot(kvm, memslot);
++
++ spin_unlock(&kvm->mmu_lock);
++ srcu_read_unlock(&kvm->srcu, idx);
++}
++
+ /**
+ * kvm_free_stage2_pgd - free all stage-2 tables
+ * @kvm: The KVM struct pointer for the VM.
+@@ -746,6 +812,19 @@ static bool transparent_hugepage_adjust(pfn_t *pfnp,
phys_addr_t *ipap)
+ return false;
+ }
+
++static bool kvm_is_write_fault(struct kvm_vcpu *vcpu)
++{
++ if (kvm_vcpu_trap_is_iabt(vcpu))
++ return false;
++
++ return kvm_vcpu_dabt_iswrite(vcpu);
++}
++
++static bool kvm_is_device_pfn(unsigned long pfn)
++{
++ return !pfn_valid(pfn);
++}
++
+ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
+ struct kvm_memory_slot *memslot,
+ unsigned long fault_status)
+@@ -761,7 +840,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu,
phys_addr_t fault_ipa,
+ pfn_t pfn;
+ pgprot_t mem_type = PAGE_S2;
+
+- write_fault = kvm_is_write_fault(kvm_vcpu_get_hsr(vcpu));
++ write_fault = kvm_is_write_fault(vcpu);
+ if (fault_status == FSC_PERM && !write_fault) {
+ kvm_err("Unexpected L2 read permission error\n");
+ return -EFAULT;
+@@ -770,6 +849,12 @@ static int user_mem_abort(struct kvm_vcpu *vcpu,
phys_addr_t fault_ipa,
+ /* Let's check if we will get back a huge page backed by hugetlbfs */
+ down_read(¤t->mm->mmap_sem);
+ vma = find_vma_intersection(current->mm, hva, hva + 1);
++ if (unlikely(!vma)) {
++ kvm_err("Failed to find VMA for hva 0x%lx\n", hva);
++ up_read(¤t->mm->mmap_sem);
++ return -EFAULT;
++ }
++
+ if (is_vm_hugetlb_page(vma)) {
+ hugetlb = true;
+ gfn = (fault_ipa & PMD_MASK) >> PAGE_SHIFT;
+@@ -810,7 +895,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu,
phys_addr_t fault_ipa,
+ if (is_error_pfn(pfn))
+ return -EFAULT;
+
+- if (kvm_is_mmio_pfn(pfn))
++ if (kvm_is_device_pfn(pfn))
+ mem_type = PAGE_S2_DEVICE;
+
+ spin_lock(&kvm->mmu_lock);
+@@ -836,7 +921,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu,
phys_addr_t fault_ipa,
+ }
+ coherent_cache_guest_page(vcpu, hva, PAGE_SIZE);
+ ret = stage2_set_pte(kvm, memcache, fault_ipa, &new_pte,
+- mem_type == PAGE_S2_DEVICE);
++ pgprot_val(mem_type) == pgprot_val(PAGE_S2_DEVICE));
+ }
+
+
+@@ -912,6 +997,9 @@ int kvm_handle_guest_abort(struct kvm_vcpu *vcpu, struct
kvm_run *run)
+
+ memslot = gfn_to_memslot(vcpu->kvm, gfn);
+
++ /* Userspace should not be able to register out-of-bounds IPAs */
++ VM_BUG_ON(fault_ipa >= KVM_PHYS_SIZE);
++
+ ret = user_mem_abort(vcpu, fault_ipa, memslot, fault_status);
+ if (ret == 0)
+ ret = 1;
+@@ -1136,6 +1224,14 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm,
+ struct kvm_userspace_memory_region *mem,
+ enum kvm_mr_change change)
+ {
++ /*
++ * Prevent userspace from creating a memory region outside of the IPA
++ * space addressable by the KVM guest IPA space.
++ */
++ if (memslot->base_gfn + memslot->npages >=
++ (KVM_PHYS_SIZE >> PAGE_SHIFT))
++ return -EFAULT;
++
+ return 0;
+ }
+
+diff --git a/arch/arm/mach-dove/board-dt.c b/arch/arm/mach-dove/board-dt.c
+index 49fa9ab..7a7a09a5 100644
+--- a/arch/arm/mach-dove/board-dt.c
++++ b/arch/arm/mach-dove/board-dt.c
+@@ -26,7 +26,7 @@ static void __init dove_dt_init(void)
+ #ifdef CONFIG_CACHE_TAUROS2
+ tauros2_init(0);
+ #endif
+- BUG_ON(mvebu_mbus_dt_init());
++ BUG_ON(mvebu_mbus_dt_init(false));
+ of_platform_populate(NULL, of_default_bus_match_table, NULL, NULL);
+ }
+
+diff --git a/arch/arm/mach-imx/clk-imx6q.c b/arch/arm/mach-imx/clk-imx6q.c
+index 01a5765..b509556 100644
+--- a/arch/arm/mach-imx/clk-imx6q.c
++++ b/arch/arm/mach-imx/clk-imx6q.c
+@@ -406,7 +406,7 @@ static void __init imx6q_clocks_init(struct device_node
*ccm_node)
+ clk[gpmi_io] = imx_clk_gate2("gpmi_io", "enfc",
base + 0x78, 28);
+ clk[gpmi_apb] = imx_clk_gate2("gpmi_apb", "usdhc3",
base + 0x78, 30);
+ clk[rom] = imx_clk_gate2("rom", "ahb",
base + 0x7c, 0);
+- clk[sata] = imx_clk_gate2("sata", "ipg",
base + 0x7c, 4);
++ clk[sata] = imx_clk_gate2("sata", "ahb",
base + 0x7c, 4);
+ clk[sdma] = imx_clk_gate2("sdma", "ahb",
base + 0x7c, 6);
+ clk[spba] = imx_clk_gate2("spba", "ipg",
base + 0x7c, 12);
+ clk[spdif] = imx_clk_gate2("spdif", "spdif_podf",
base + 0x7c, 14);
+diff --git a/arch/arm/mach-kirkwood/board-dt.c
b/arch/arm/mach-kirkwood/board-dt.c
+index 7818815..79e629d 100644
+--- a/arch/arm/mach-kirkwood/board-dt.c
++++ b/arch/arm/mach-kirkwood/board-dt.c
+@@ -116,7 +116,7 @@ static void __init kirkwood_dt_init(void)
+ */
+ writel(readl(CPU_CONFIG) & ~CPU_CONFIG_ERROR_PROP, CPU_CONFIG);
+
+- BUG_ON(mvebu_mbus_dt_init());
++ BUG_ON(mvebu_mbus_dt_init(false));
+
+ kirkwood_l2_init();
+
+diff --git a/arch/arm/mach-mvebu/armada-370-xp.c
b/arch/arm/mach-mvebu/armada-370-xp.c
+index f6c9d1d..79c3766a 100644
+--- a/arch/arm/mach-mvebu/armada-370-xp.c
++++ b/arch/arm/mach-mvebu/armada-370-xp.c
+@@ -41,7 +41,7 @@ static void __init armada_370_xp_timer_and_clk_init(void)
+ of_clk_init(NULL);
+ clocksource_of_init();
+ coherency_init();
+- BUG_ON(mvebu_mbus_dt_init());
++ BUG_ON(mvebu_mbus_dt_init(coherency_available()));
+ #ifdef CONFIG_CACHE_L2X0
+ l2x0_of_init(0, ~0UL);
+ #endif
+diff --git a/arch/arm/mach-mvebu/coherency.c b/arch/arm/mach-mvebu/coherency.c
+index c295c10..49bad4d 100644
+--- a/arch/arm/mach-mvebu/coherency.c
++++ b/arch/arm/mach-mvebu/coherency.c
+@@ -121,6 +121,20 @@ static struct notifier_block mvebu_hwcc_platform_nb = {
+ .notifier_call = mvebu_hwcc_platform_notifier,
+ };
+
++/*
++ * Keep track of whether we have IO hardware coherency enabled or not.
++ * On Armada 370's we will not be using it for example. We need to make
++ * that available [through coherency_available()] so the mbus controller
++ * doesn't enable the IO coherency bit in the attribute bits of the
++ * chip selects.
++ */
++static int coherency_enabled;
++
++int coherency_available(void)
++{
++ return coherency_enabled;
++}
++
+ int __init coherency_init(void)
+ {
+ struct device_node *np;
+@@ -164,6 +178,7 @@ int __init coherency_init(void)
+ coherency_base = of_iomap(np, 0);
+ coherency_cpu_base = of_iomap(np, 1);
+ set_cpu_coherent(cpu_logical_map(smp_processor_id()), 0);
++ coherency_enabled = 1;
+ of_node_put(np);
+ }
+
+diff --git a/arch/arm/mach-mvebu/coherency.h b/arch/arm/mach-mvebu/coherency.h
+index 760226c..63e18c6 100644
+--- a/arch/arm/mach-mvebu/coherency.h
++++ b/arch/arm/mach-mvebu/coherency.h
+@@ -17,6 +17,7 @@
+ extern unsigned long coherency_phys_base;
+
+ int set_cpu_coherent(unsigned int cpu_id, int smp_group_id);
++int coherency_available(void);
+ int coherency_init(void);
+
+ #endif /* __MACH_370_XP_COHERENCY_H */
+diff --git a/arch/arm64/include/asm/kvm_arm.h
b/arch/arm64/include/asm/kvm_arm.h
+index 00fbaa7..ea68925 100644
+--- a/arch/arm64/include/asm/kvm_arm.h
++++ b/arch/arm64/include/asm/kvm_arm.h
+@@ -18,6 +18,7 @@
+ #ifndef __ARM64_KVM_ARM_H__
+ #define __ARM64_KVM_ARM_H__
+
++#include <asm/memory.h>
+ #include <asm/types.h>
+
+ /* Hyp Configuration Register (HCR) bits */
+@@ -122,6 +123,17 @@
+ #define VTCR_EL2_T0SZ_MASK 0x3f
+ #define VTCR_EL2_T0SZ_40B 24
+
++/*
++ * We configure the Stage-2 page tables to always restrict the IPA space to be
++ * 40 bits wide (T0SZ = 24). Systems with a PARange smaller than 40 bits are
++ * not known to exist and will break with this configuration.
++ *
++ * Note that when using 4K pages, we concatenate two first level page tables
++ * together.
++ *
++ * The magic numbers used for VTTBR_X in this patch can be found in Tables
++ * D4-23 and D4-25 in ARM DDI 0487A.b.
++ */
+ #ifdef CONFIG_ARM64_64K_PAGES
+ /*
+ * Stage2 translation configuration:
+@@ -151,9 +163,9 @@
+ #endif
+
+ #define VTTBR_BADDR_SHIFT (VTTBR_X - 1)
+-#define VTTBR_BADDR_MASK (((1LLU << (40 - VTTBR_X)) - 1) <<
VTTBR_BADDR_SHIFT)
+-#define VTTBR_VMID_SHIFT (48LLU)
+-#define VTTBR_VMID_MASK (0xffLLU << VTTBR_VMID_SHIFT)
++#define VTTBR_BADDR_MASK (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) <<
VTTBR_BADDR_SHIFT)
++#define VTTBR_VMID_SHIFT (UL(48))
++#define VTTBR_VMID_MASK (UL(0xFF) << VTTBR_VMID_SHIFT)
+
+ /* Hyp System Trap Register */
+ #define HSTR_EL2_TTEE (1 << 16)
+@@ -176,13 +188,13 @@
+
+ /* Exception Syndrome Register (ESR) bits */
+ #define ESR_EL2_EC_SHIFT (26)
+-#define ESR_EL2_EC (0x3fU << ESR_EL2_EC_SHIFT)
+-#define ESR_EL2_IL (1U << 25)
++#define ESR_EL2_EC (UL(0x3f) << ESR_EL2_EC_SHIFT)
++#define ESR_EL2_IL (UL(1) << 25)
+ #define ESR_EL2_ISS (ESR_EL2_IL - 1)
+ #define ESR_EL2_ISV_SHIFT (24)
+-#define ESR_EL2_ISV (1U << ESR_EL2_ISV_SHIFT)
++#define ESR_EL2_ISV (UL(1) << ESR_EL2_ISV_SHIFT)
+ #define ESR_EL2_SAS_SHIFT (22)
+-#define ESR_EL2_SAS (3U << ESR_EL2_SAS_SHIFT)
++#define ESR_EL2_SAS (UL(3) << ESR_EL2_SAS_SHIFT)
+ #define ESR_EL2_SSE (1 << 21)
+ #define ESR_EL2_SRT_SHIFT (16)
+ #define ESR_EL2_SRT_MASK (0x1f << ESR_EL2_SRT_SHIFT)
+@@ -196,16 +208,16 @@
+ #define ESR_EL2_FSC_TYPE (0x3c)
+
+ #define ESR_EL2_CV_SHIFT (24)
+-#define ESR_EL2_CV (1U << ESR_EL2_CV_SHIFT)
++#define ESR_EL2_CV (UL(1) << ESR_EL2_CV_SHIFT)
+ #define ESR_EL2_COND_SHIFT (20)
+-#define ESR_EL2_COND (0xfU << ESR_EL2_COND_SHIFT)
++#define ESR_EL2_COND (UL(0xf) << ESR_EL2_COND_SHIFT)
+
+
+ #define FSC_FAULT (0x04)
+ #define FSC_PERM (0x0c)
+
+ /* Hyp Prefetch Fault Address Register (HPFAR/HDFAR) */
+-#define HPFAR_MASK (~0xFUL)
++#define HPFAR_MASK (~UL(0xf))
+
+ #define ESR_EL2_EC_UNKNOWN (0x00)
+ #define ESR_EL2_EC_WFI (0x01)
+diff --git a/arch/arm64/include/asm/kvm_emulate.h
b/arch/arm64/include/asm/kvm_emulate.h
+index dd8ecfc3..681cb90 100644
+--- a/arch/arm64/include/asm/kvm_emulate.h
++++ b/arch/arm64/include/asm/kvm_emulate.h
+@@ -38,6 +38,11 @@ void kvm_inject_undefined(struct kvm_vcpu *vcpu);
+ void kvm_inject_dabt(struct kvm_vcpu *vcpu, unsigned long addr);
+ void kvm_inject_pabt(struct kvm_vcpu *vcpu, unsigned long addr);
+
++static inline void vcpu_reset_hcr(struct kvm_vcpu *vcpu)
++{
++ vcpu->arch.hcr_el2 = HCR_GUEST_FLAGS;
++}
++
+ static inline unsigned long *vcpu_pc(const struct kvm_vcpu *vcpu)
+ {
+ return (unsigned long *)&vcpu_gp_regs(vcpu)->regs.pc;
+diff --git a/arch/arm64/include/asm/kvm_mmu.h
b/arch/arm64/include/asm/kvm_mmu.h
+index 8e138c7..0d51874 100644
+--- a/arch/arm64/include/asm/kvm_mmu.h
++++ b/arch/arm64/include/asm/kvm_mmu.h
+@@ -59,10 +59,9 @@
+ #define KERN_TO_HYP(kva) ((unsigned long)kva - PAGE_OFFSET +
HYP_PAGE_OFFSET)
+
+ /*
+- * Align KVM with the kernel's view of physical memory. Should be
+- * 40bit IPA, with PGD being 8kB aligned in the 4KB page configuration.
++ * We currently only support a 40bit IPA.
+ */
+-#define KVM_PHYS_SHIFT PHYS_MASK_SHIFT
++#define KVM_PHYS_SHIFT (40)
+ #define KVM_PHYS_SIZE (1UL << KVM_PHYS_SHIFT)
+ #define KVM_PHYS_MASK (KVM_PHYS_SIZE - 1UL)
+
+@@ -75,6 +74,7 @@ int create_hyp_io_mappings(void *from, void *to,
phys_addr_t);
+ void free_boot_hyp_pgd(void);
+ void free_hyp_pgds(void);
+
++void stage2_unmap_vm(struct kvm *kvm);
+ int kvm_alloc_stage2_pgd(struct kvm *kvm);
+ void kvm_free_stage2_pgd(struct kvm *kvm);
+ int kvm_phys_addr_ioremap(struct kvm *kvm, phys_addr_t guest_ipa,
+@@ -93,19 +93,6 @@ void kvm_clear_hyp_idmap(void);
+ #define kvm_set_pte(ptep, pte) set_pte(ptep, pte)
+ #define kvm_set_pmd(pmdp, pmd) set_pmd(pmdp, pmd)
+
+-static inline bool kvm_is_write_fault(unsigned long esr)
+-{
+- unsigned long esr_ec = esr >> ESR_EL2_EC_SHIFT;
+-
+- if (esr_ec == ESR_EL2_EC_IABT)
+- return false;
+-
+- if ((esr & ESR_EL2_ISV) && !(esr & ESR_EL2_WNR))
+- return false;
+-
+- return true;
+-}
+-
+ static inline void kvm_clean_pgd(pgd_t *pgd) {}
+ static inline void kvm_clean_pmd_entry(pmd_t *pmd) {}
+ static inline void kvm_clean_pte(pte_t *pte) {}
+diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
+index 0874557..a8d81fa 100644
+--- a/arch/arm64/kvm/guest.c
++++ b/arch/arm64/kvm/guest.c
+@@ -38,7 +38,6 @@ struct kvm_stats_debugfs_item debugfs_entries[] = {
+
+ int kvm_arch_vcpu_setup(struct kvm_vcpu *vcpu)
+ {
+- vcpu->arch.hcr_el2 = HCR_GUEST_FLAGS;
+ return 0;
+ }
+
+diff --git a/arch/arm64/mm/dma-mapping.c b/arch/arm64/mm/dma-mapping.c
+index 3974881..b76159a 100644
+--- a/arch/arm64/mm/dma-mapping.c
++++ b/arch/arm64/mm/dma-mapping.c
+@@ -54,8 +54,7 @@ static void *arm64_swiotlb_alloc_coherent(struct device
*dev, size_t size,
+
+ *dma_handle = phys_to_dma(dev, page_to_phys(page));
+ addr = page_address(page);
+- if (flags & __GFP_ZERO)
+- memset(addr, 0, size);
++ memset(addr, 0, size);
+ return addr;
+ } else {
+ return swiotlb_alloc_coherent(dev, size, dma_handle, flags);
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 2f645c9..5dab54a 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -160,7 +160,7 @@ config SBUS
+
+ config NEED_DMA_MAP_STATE
+ def_bool y
+- depends on X86_64 || INTEL_IOMMU || DMA_API_DEBUG
++ depends on X86_64 || INTEL_IOMMU || DMA_API_DEBUG || SWIOTLB
+
+ config NEED_SG_DMA_LENGTH
+ def_bool y
+diff --git a/arch/x86/kernel/cpu/microcode/intel_early.c
b/arch/x86/kernel/cpu/microcode/intel_early.c
+index 18f7391..43a07bf 100644
+--- a/arch/x86/kernel/cpu/microcode/intel_early.c
++++ b/arch/x86/kernel/cpu/microcode/intel_early.c
+@@ -321,7 +321,7 @@ get_matching_model_microcode(int cpu, unsigned long start,
+ unsigned int mc_saved_count = mc_saved_data->mc_saved_count;
+ int i;
+
+- while (leftover) {
++ while (leftover && mc_saved_count < ARRAY_SIZE(mc_saved_tmp)) {
+ mc_header = (struct microcode_header_intel *)ucode_ptr;
+
+ mc_size = get_totalsize(mc_header);
+diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
+index a1f5b18..490fee1 100644
+--- a/arch/x86/kernel/kprobes/core.c
++++ b/arch/x86/kernel/kprobes/core.c
+@@ -326,13 +326,16 @@ int __kprobes __copy_instruction(u8 *dest, u8 *src)
+ {
+ struct insn insn;
+ kprobe_opcode_t buf[MAX_INSN_SIZE];
++ int length;
+
+ kernel_insn_init(&insn, (void *)recover_probed_instruction(buf,
(unsigned long)src));
+ insn_get_length(&insn);
++ length = insn.length;
++
+ /* Another subsystem puts a breakpoint, failed to recover */
+ if (insn.opcode.bytes[0] == BREAKPOINT_INSTRUCTION)
+ return 0;
+- memcpy(dest, insn.kaddr, insn.length);
++ memcpy(dest, insn.kaddr, length);
+
+ #ifdef CONFIG_X86_64
+ if (insn_rip_relative(&insn)) {
+@@ -362,7 +365,7 @@ int __kprobes __copy_instruction(u8 *dest, u8 *src)
+ *(s32 *) disp = (s32) newdisp;
+ }
+ #endif
+- return insn.length;
++ return length;
+ }
+
+ static int __kprobes arch_copy_kprobe(struct kprobe *p)
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index 9643eda6..0746334 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -495,8 +495,10 @@ static void skip_emulated_instruction(struct kvm_vcpu
*vcpu)
+ {
+ struct vcpu_svm *svm = to_svm(vcpu);
+
+- if (svm->vmcb->control.next_rip != 0)
++ if (svm->vmcb->control.next_rip != 0) {
++ WARN_ON(!static_cpu_has(X86_FEATURE_NRIPS));
+ svm->next_rip = svm->vmcb->control.next_rip;
++ }
+
+ if (!svm->next_rip) {
+ if (emulate_instruction(vcpu, EMULTYPE_SKIP) !=
+@@ -4246,7 +4248,9 @@ static int svm_check_intercept(struct kvm_vcpu *vcpu,
+ break;
+ }
+
+- vmcb->control.next_rip = info->next_rip;
++ /* TODO: Advertise NRIPS to guest hypervisor unconditionally */
++ if (static_cpu_has(X86_FEATURE_NRIPS))
++ vmcb->control.next_rip = info->next_rip;
+ vmcb->control.exit_code = icpt_info.exit_code;
+ vmexit = nested_svm_exit_handled(svm);
+
+diff --git a/drivers/bus/mvebu-mbus.c b/drivers/bus/mvebu-mbus.c
+index e990dee..1aa0130 100644
+--- a/drivers/bus/mvebu-mbus.c
++++ b/drivers/bus/mvebu-mbus.c
+@@ -701,7 +701,6 @@ static int __init mvebu_mbus_common_init(struct
mvebu_mbus_state *mbus,
+ phys_addr_t sdramwins_phys_base,
+ size_t sdramwins_size)
+ {
+- struct device_node *np;
+ int win;
+
+ mbus->mbuswins_base = ioremap(mbuswins_phys_base, mbuswins_size);
+@@ -714,12 +713,6 @@ static int __init mvebu_mbus_common_init(struct
mvebu_mbus_state *mbus,
+ return -ENOMEM;
+ }
+
+- np = of_find_compatible_node(NULL, NULL, "marvell,coherency-fabric");
+- if (np) {
+- mbus->hw_io_coherency = 1;
+- of_node_put(np);
+- }
+-
+ for (win = 0; win < mbus->soc->num_wins; win++)
+ mvebu_mbus_disable_window(mbus, win);
+
+@@ -889,7 +882,7 @@ static void __init mvebu_mbus_get_pcie_resources(struct
device_node *np,
+ }
+ }
+
+-int __init mvebu_mbus_dt_init(void)
++int __init mvebu_mbus_dt_init(bool is_coherent)
+ {
+ struct resource mbuswins_res, sdramwins_res;
+ struct device_node *np, *controller;
+@@ -928,6 +921,8 @@ int __init mvebu_mbus_dt_init(void)
+ return -EINVAL;
+ }
+
++ mbus_state.hw_io_coherency = is_coherent;
++
+ /* Get optional pcie-{mem,io}-aperture properties */
+ mvebu_mbus_get_pcie_resources(np, &mbus_state.pcie_mem_aperture,
+ &mbus_state.pcie_io_aperture);
+diff --git a/drivers/edac/sb_edac.c b/drivers/edac/sb_edac.c
+index c611bcc..3e623ab 100644
+--- a/drivers/edac/sb_edac.c
++++ b/drivers/edac/sb_edac.c
+@@ -765,7 +765,7 @@ static void get_memory_layout(const struct mem_ctl_info
*mci)
+ u32 reg;
+ u64 limit, prv = 0;
+ u64 tmp_mb;
+- u32 mb, kb;
++ u32 gb, mb;
+ u32 rir_way;
+
+ /*
+@@ -775,15 +775,17 @@ static void get_memory_layout(const struct mem_ctl_info
*mci)
+ pvt->tolm = pvt->info.get_tolm(pvt);
+ tmp_mb = (1 + pvt->tolm) >> 20;
+
+- mb = div_u64_rem(tmp_mb, 1000, &kb);
+- edac_dbg(0, "TOLM: %u.%03u GB (0x%016Lx)\n", mb, kb, (u64)pvt->tolm);
++ gb = div_u64_rem(tmp_mb, 1024, &mb);
++ edac_dbg(0, "TOLM: %u.%03u GB (0x%016Lx)\n",
++ gb, (mb*1000)/1024, (u64)pvt->tolm);
+
+ /* Address range is already 45:25 */
+ pvt->tohm = pvt->info.get_tohm(pvt);
+ tmp_mb = (1 + pvt->tohm) >> 20;
+
+- mb = div_u64_rem(tmp_mb, 1000, &kb);
+- edac_dbg(0, "TOHM: %u.%03u GB (0x%016Lx)\n", mb, kb, (u64)pvt->tohm);
++ gb = div_u64_rem(tmp_mb, 1024, &mb);
++ edac_dbg(0, "TOHM: %u.%03u GB (0x%016Lx)\n",
++ gb, (mb*1000)/1024, (u64)pvt->tohm);
+
+ /*
+ * Step 2) Get SAD range and SAD Interleave list
+@@ -805,11 +807,11 @@ static void get_memory_layout(const struct mem_ctl_info
*mci)
+ break;
+
+ tmp_mb = (limit + 1) >> 20;
+- mb = div_u64_rem(tmp_mb, 1000, &kb);
++ gb = div_u64_rem(tmp_mb, 1024, &mb);
+ edac_dbg(0, "SAD#%d %s up to %u.%03u GB (0x%016Lx) Interleave:
%s reg=0x%08x\n",
+ n_sads,
+ get_dram_attr(reg),
+- mb, kb,
++ gb, (mb*1000)/1024,
+ ((u64)tmp_mb) << 20L,
+ INTERLEAVE_MODE(reg) ? "8:6" : "[8:6]XOR[18:16]",
+ reg);
+@@ -840,9 +842,9 @@ static void get_memory_layout(const struct mem_ctl_info
*mci)
+ break;
+ tmp_mb = (limit + 1) >> 20;
+
+- mb = div_u64_rem(tmp_mb, 1000, &kb);
++ gb = div_u64_rem(tmp_mb, 1024, &mb);
+ edac_dbg(0, "TAD#%d: up to %u.%03u GB (0x%016Lx), socket
interleave %d, memory interleave %d, TGT: %d, %d, %d, %d, reg=0x%08x\n",
+- n_tads, mb, kb,
++ n_tads, gb, (mb*1000)/1024,
+ ((u64)tmp_mb) << 20L,
+ (u32)TAD_SOCK(reg),
+ (u32)TAD_CH(reg),
+@@ -865,10 +867,10 @@ static void get_memory_layout(const struct mem_ctl_info
*mci)
+ tad_ch_nilv_offset[j],
+ ®);
+ tmp_mb = TAD_OFFSET(reg) >> 20;
+- mb = div_u64_rem(tmp_mb, 1000, &kb);
++ gb = div_u64_rem(tmp_mb, 1024, &mb);
+ edac_dbg(0, "TAD CH#%d, offset #%d: %u.%03u GB
(0x%016Lx), reg=0x%08x\n",
+ i, j,
+- mb, kb,
++ gb, (mb*1000)/1024,
+ ((u64)tmp_mb) << 20L,
+ reg);
+ }
+@@ -890,10 +892,10 @@ static void get_memory_layout(const struct mem_ctl_info
*mci)
+
+ tmp_mb = RIR_LIMIT(reg) >> 20;
+ rir_way = 1 << RIR_WAY(reg);
+- mb = div_u64_rem(tmp_mb, 1000, &kb);
++ gb = div_u64_rem(tmp_mb, 1024, &mb);
+ edac_dbg(0, "CH#%d RIR#%d, limit: %u.%03u GB
(0x%016Lx), way: %d, reg=0x%08x\n",
+ i, j,
+- mb, kb,
++ gb, (mb*1000)/1024,
+ ((u64)tmp_mb) << 20L,
+ rir_way,
+ reg);
+@@ -904,10 +906,10 @@ static void get_memory_layout(const struct mem_ctl_info
*mci)
+ ®);
+ tmp_mb = RIR_OFFSET(reg) << 6;
+
+- mb = div_u64_rem(tmp_mb, 1000, &kb);
++ gb = div_u64_rem(tmp_mb, 1024, &mb);
+ edac_dbg(0, "CH#%d RIR#%d INTL#%d, offset
%u.%03u GB (0x%016Lx), tgt: %d, reg=0x%08x\n",
+ i, j, k,
+- mb, kb,
++ gb, (mb*1000)/1024,
+ ((u64)tmp_mb) << 20L,
+ (u32)RIR_RNK_TGT(reg),
+ reg);
+@@ -945,7 +947,7 @@ static int get_memory_error_data(struct mem_ctl_info *mci,
+ u8 ch_way, sck_way, pkg, sad_ha = 0;
+ u32 tad_offset;
+ u32 rir_way;
+- u32 mb, kb;
++ u32 mb, gb;
+ u64 ch_addr, offset, limit = 0, prv = 0;
+
+
+@@ -1183,10 +1185,10 @@ static int get_memory_error_data(struct mem_ctl_info
*mci,
+ continue;
+
+ limit = RIR_LIMIT(reg);
+- mb = div_u64_rem(limit >> 20, 1000, &kb);
++ gb = div_u64_rem(limit >> 20, 1024, &mb);
+ edac_dbg(0, "RIR#%d, limit: %u.%03u GB (0x%016Lx), way: %d\n",
+ n_rir,
+- mb, kb,
++ gb, (mb*1000)/1024,
+ limit,
+ 1 << RIR_WAY(reg));
+ if (ch_addr <= limit)
+diff --git a/drivers/net/ethernet/mellanox/mlx4/en_tx.c
b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
+index 019a04a..a467261 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
+@@ -810,8 +810,11 @@ netdev_tx_t mlx4_en_xmit(struct sk_buff *skb, struct
net_device *dev)
+ tx_desc->ctrl.fence_size = (real_size / 16) & 0x3f;
+ tx_desc->ctrl.srcrb_flags = priv->ctrl_flags;
+ if (likely(skb->ip_summed == CHECKSUM_PARTIAL)) {
+- tx_desc->ctrl.srcrb_flags |= cpu_to_be32(MLX4_WQE_CTRL_IP_CSUM |
+-
MLX4_WQE_CTRL_TCP_UDP_CSUM);
++ if (!skb->encapsulation)
++ tx_desc->ctrl.srcrb_flags |=
cpu_to_be32(MLX4_WQE_CTRL_IP_CSUM |
++
MLX4_WQE_CTRL_TCP_UDP_CSUM);
++ else
++ tx_desc->ctrl.srcrb_flags |=
cpu_to_be32(MLX4_WQE_CTRL_IP_CSUM);
+ ring->tx_csum++;
+ }
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 528bff5..85d370e 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3984,10 +3984,6 @@ static int hpsa_kdump_hard_reset_controller(struct
pci_dev *pdev)
+
+ /* Save the PCI command register */
+ pci_read_config_word(pdev, 4, &command_register);
+- /* Turn the board off. This is so that later pci_restore_state()
+- * won't turn the board on before the rest of config space is ready.
+- */
+- pci_disable_device(pdev);
+ pci_save_state(pdev);
+
+ /* find the first memory BAR, so we can find the cfg table */
+@@ -4035,11 +4031,6 @@ static int hpsa_kdump_hard_reset_controller(struct
pci_dev *pdev)
+ goto unmap_cfgtable;
+
+ pci_restore_state(pdev);
+- rc = pci_enable_device(pdev);
+- if (rc) {
+- dev_warn(&pdev->dev, "failed to enable device.\n");
+- goto unmap_cfgtable;
+- }
+ pci_write_config_word(pdev, 4, command_register);
+
+ /* Some devices (notably the HP Smart Array 5i Controller)
+@@ -4525,6 +4516,23 @@ static int hpsa_init_reset_devices(struct pci_dev *pdev)
+ if (!reset_devices)
+ return 0;
+
++ /* kdump kernel is loading, we don't know in which state is
++ * the pci interface. The dev->enable_cnt is equal zero
++ * so we call enable+disable, wait a while and switch it on.
++ */
++ rc = pci_enable_device(pdev);
++ if (rc) {
++ dev_warn(&pdev->dev, "Failed to enable PCI device\n");
++ return -ENODEV;
++ }
++ pci_disable_device(pdev);
++ msleep(260); /* a randomly chosen number */
++ rc = pci_enable_device(pdev);
++ if (rc) {
++ dev_warn(&pdev->dev, "failed to enable device.\n");
++ return -ENODEV;
++ }
++ pci_set_master(pdev);
+ /* Reset the controller with a PCI power-cycle or via doorbell */
+ rc = hpsa_kdump_hard_reset_controller(pdev);
+
+@@ -4533,10 +4541,11 @@ static int hpsa_init_reset_devices(struct pci_dev
*pdev)
+ * "performant mode". Or, it might be 640x, which can't reset
+ * due to concerns about shared bbwc between 6402/6404 pair.
+ */
+- if (rc == -ENOTSUPP)
+- return rc; /* just try to do the kdump anyhow. */
+- if (rc)
+- return -ENODEV;
++ if (rc) {
++ if (rc != -ENOTSUPP) /* just try to do the kdump anyhow. */
++ rc = -ENODEV;
++ goto out_disable;
++ }
+
+ /* Now try to get the controller to respond to a no-op */
+ dev_warn(&pdev->dev, "Waiting for controller to respond to no-op\n");
+@@ -4547,7 +4556,11 @@ static int hpsa_init_reset_devices(struct pci_dev *pdev)
+ dev_warn(&pdev->dev, "no-op failed%s\n",
+ (i < 11 ? "; re-trying" : ""));
+ }
+- return 0;
++
++out_disable:
++
++ pci_disable_device(pdev);
++ return rc;
+ }
+
+ static int hpsa_allocate_cmd_pool(struct ctlr_info *h)
+@@ -4690,6 +4703,7 @@ static void
hpsa_undo_allocations_after_kdump_soft_reset(struct ctlr_info *h)
+ iounmap(h->transtable);
+ if (h->cfgtable)
+ iounmap(h->cfgtable);
++ pci_disable_device(h->pdev);
+ pci_release_regions(h->pdev);
+ kfree(h);
+ }
+diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
+index 93de3ba..f8ffee4 100644
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -2963,7 +2963,7 @@ done:
+ */
+ if (!p->leave_spinning)
+ btrfs_set_path_blocking(p);
+- if (ret < 0)
++ if (ret < 0 && !p->skip_release_on_error)
+ btrfs_release_path(p);
+ return ret;
+ }
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index d3511cc..3b39eb4 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -608,6 +608,7 @@ struct btrfs_path {
+ unsigned int skip_locking:1;
+ unsigned int leave_spinning:1;
+ unsigned int search_commit_root:1;
++ unsigned int skip_release_on_error:1;
+ };
+
+ /*
+@@ -3609,6 +3610,10 @@ struct btrfs_dir_item *btrfs_lookup_xattr(struct
btrfs_trans_handle *trans,
+ int verify_dir_item(struct btrfs_root *root,
+ struct extent_buffer *leaf,
+ struct btrfs_dir_item *dir_item);
++struct btrfs_dir_item *btrfs_match_dir_item_name(struct btrfs_root *root,
++ struct btrfs_path *path,
++ const char *name,
++ int name_len);
+
+ /* orphan.c */
+ int btrfs_insert_orphan_item(struct btrfs_trans_handle *trans,
+diff --git a/fs/btrfs/dir-item.c b/fs/btrfs/dir-item.c
+index a0691df..9521a93 100644
+--- a/fs/btrfs/dir-item.c
++++ b/fs/btrfs/dir-item.c
+@@ -21,10 +21,6 @@
+ #include "hash.h"
+ #include "transaction.h"
+
+-static struct btrfs_dir_item *btrfs_match_dir_item_name(struct btrfs_root
*root,
+- struct btrfs_path *path,
+- const char *name, int name_len);
+-
+ /*
+ * insert a name into a directory, doing overflow properly if there is a hash
+ * collision. data_size indicates how big the item inserted should be. On
+@@ -383,9 +379,9 @@ struct btrfs_dir_item *btrfs_lookup_xattr(struct
btrfs_trans_handle *trans,
+ * this walks through all the entries in a dir item and finds one
+ * for a specific name.
+ */
+-static struct btrfs_dir_item *btrfs_match_dir_item_name(struct btrfs_root
*root,
+- struct btrfs_path *path,
+- const char *name, int name_len)
++struct btrfs_dir_item *btrfs_match_dir_item_name(struct btrfs_root *root,
++ struct btrfs_path *path,
++ const char *name, int name_len)
+ {
+ struct btrfs_dir_item *dir_item;
+ unsigned long name_ptr;
+diff --git a/fs/btrfs/xattr.c b/fs/btrfs/xattr.c
+index 488e987..618e86c 100644
+--- a/fs/btrfs/xattr.c
++++ b/fs/btrfs/xattr.c
+@@ -29,6 +29,7 @@
+ #include "xattr.h"
+ #include "disk-io.h"
+ #include "props.h"
++#include "locking.h"
+
+
+ ssize_t __btrfs_getxattr(struct inode *inode, const char *name,
+@@ -91,7 +92,7 @@ static int do_setxattr(struct btrfs_trans_handle *trans,
+ struct inode *inode, const char *name,
+ const void *value, size_t size, int flags)
+ {
+- struct btrfs_dir_item *di;
++ struct btrfs_dir_item *di = NULL;
+ struct btrfs_root *root = BTRFS_I(inode)->root;
+ struct btrfs_path *path;
+ size_t name_len = strlen(name);
+@@ -103,84 +104,119 @@ static int do_setxattr(struct btrfs_trans_handle *trans,
+ path = btrfs_alloc_path();
+ if (!path)
+ return -ENOMEM;
++ path->skip_release_on_error = 1;
++
++ if (!value) {
++ di = btrfs_lookup_xattr(trans, root, path, btrfs_ino(inode),
++ name, name_len, -1);
++ if (!di && (flags & XATTR_REPLACE))
++ ret = -ENODATA;
++ else if (di)
++ ret = btrfs_delete_one_dir_name(trans, root, path, di);
++ goto out;
++ }
+
++ /*
++ * For a replace we can't just do the insert blindly.
++ * Do a lookup first (read-only btrfs_search_slot), and return if xattr
++ * doesn't exist. If it exists, fall down below to the insert/replace
++ * path - we can't race with a concurrent xattr delete, because the VFS
++ * locks the inode's i_mutex before calling setxattr or removexattr.
++ */
+ if (flags & XATTR_REPLACE) {
+- di = btrfs_lookup_xattr(trans, root, path, btrfs_ino(inode),
name,
+- name_len, -1);
+- if (IS_ERR(di)) {
+- ret = PTR_ERR(di);
+- goto out;
+- } else if (!di) {
++ ASSERT(mutex_is_locked(&inode->i_mutex));
++ di = btrfs_lookup_xattr(NULL, root, path, btrfs_ino(inode),
++ name, name_len, 0);
++ if (!di) {
+ ret = -ENODATA;
+ goto out;
+ }
+- ret = btrfs_delete_one_dir_name(trans, root, path, di);
+- if (ret)
+- goto out;
+ btrfs_release_path(path);
++ di = NULL;
++ }
+
++ ret = btrfs_insert_xattr_item(trans, root, path, btrfs_ino(inode),
++ name, name_len, value, size);
++ if (ret == -EOVERFLOW) {
+ /*
+- * remove the attribute
++ * We have an existing item in a leaf, split_leaf couldn't
++ * expand it. That item might have or not a dir_item that
++ * matches our target xattr, so lets check.
+ */
+- if (!value)
+- goto out;
+- } else {
+- di = btrfs_lookup_xattr(NULL, root, path, btrfs_ino(inode),
+- name, name_len, 0);
+- if (IS_ERR(di)) {
+- ret = PTR_ERR(di);
++ ret = 0;
++ btrfs_assert_tree_locked(path->nodes[0]);
++ di = btrfs_match_dir_item_name(root, path, name, name_len);
++ if (!di && !(flags & XATTR_REPLACE)) {
++ ret = -ENOSPC;
+ goto out;
+ }
+- if (!di && !value)
+- goto out;
+- btrfs_release_path(path);
++ } else if (ret == -EEXIST) {
++ ret = 0;
++ di = btrfs_match_dir_item_name(root, path, name, name_len);
++ ASSERT(di); /* logic error */
++ } else if (ret) {
++ goto out;
+ }
+
+-again:
+- ret = btrfs_insert_xattr_item(trans, root, path, btrfs_ino(inode),
+- name, name_len, value, size);
+- /*
+- * If we're setting an xattr to a new value but the new value is say
+- * exactly BTRFS_MAX_XATTR_SIZE, we could end up with EOVERFLOW getting
+- * back from split_leaf. This is because it thinks we'll be extending
+- * the existing item size, but we're asking for enough space to add the
+- * item itself. So if we get EOVERFLOW just set ret to EEXIST and let
+- * the rest of the function figure it out.
+- */
+- if (ret == -EOVERFLOW)
++ if (di && (flags & XATTR_CREATE)) {
+ ret = -EEXIST;
++ goto out;
++ }
+
+- if (ret == -EEXIST) {
+- if (flags & XATTR_CREATE)
+- goto out;
++ if (di) {
+ /*
+- * We can't use the path we already have since we won't have the
+- * proper locking for a delete, so release the path and
+- * re-lookup to delete the thing.
++ * We're doing a replace, and it must be atomic, that is, at
++ * any point in time we have either the old or the new xattr
++ * value in the tree. We don't want readers (getxattr and
++ * listxattrs) to miss a value, this is specially important
++ * for ACLs.
+ */
+- btrfs_release_path(path);
+- di = btrfs_lookup_xattr(trans, root, path, btrfs_ino(inode),
+- name, name_len, -1);
+- if (IS_ERR(di)) {
+- ret = PTR_ERR(di);
+- goto out;
+- } else if (!di) {
+- /* Shouldn't happen but just in case... */
+- btrfs_release_path(path);
+- goto again;
++ const int slot = path->slots[0];
++ struct extent_buffer *leaf = path->nodes[0];
++ const u16 old_data_len = btrfs_dir_data_len(leaf, di);
++ const u32 item_size = btrfs_item_size_nr(leaf, slot);
++ const u32 data_size = sizeof(*di) + name_len + size;
++ struct btrfs_item *item;
++ unsigned long data_ptr;
++ char *ptr;
++
++ if (size > old_data_len) {
++ if (btrfs_leaf_free_space(root, leaf) <
++ (size - old_data_len)) {
++ ret = -ENOSPC;
++ goto out;
++ }
+ }
+
+- ret = btrfs_delete_one_dir_name(trans, root, path, di);
+- if (ret)
+- goto out;
++ if (old_data_len + name_len + sizeof(*di) == item_size) {
++ /* No other xattrs packed in the same leaf item. */
++ if (size > old_data_len)
++ btrfs_extend_item(root, path,
++ size - old_data_len);
++ else if (size < old_data_len)
++ btrfs_truncate_item(root, path, data_size, 1);
++ } else {
++ /* There are other xattrs packed in the same item. */
++ ret = btrfs_delete_one_dir_name(trans, root, path, di);
++ if (ret)
++ goto out;
++ btrfs_extend_item(root, path, data_size);
++ }
+
++ item = btrfs_item_nr(slot);
++ ptr = btrfs_item_ptr(leaf, slot, char);
++ ptr += btrfs_item_size(leaf, item) - data_size;
++ di = (struct btrfs_dir_item *)ptr;
++ btrfs_set_dir_data_len(leaf, di, size);
++ data_ptr = ((unsigned long)(di + 1)) + name_len;
++ write_extent_buffer(leaf, value, data_ptr, size);
++ btrfs_mark_buffer_dirty(leaf);
++ } else {
+ /*
+- * We have a value to set, so go back and try to insert it now.
++ * Insert, and we had space for the xattr, so path->slots[0] is
++ * where our xattr dir_item is and btrfs_insert_xattr_item()
++ * filled it.
+ */
+- if (value) {
+- btrfs_release_path(path);
+- goto again;
+- }
+ }
+ out:
+ btrfs_free_path(path);
+diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
+index 7fe30f6..35f54bc 100644
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2478,9 +2478,7 @@ static ssize_t ocfs2_file_splice_write(struct
pipe_inode_info *pipe,
+ struct address_space *mapping = out->f_mapping;
+ struct inode *inode = mapping->host;
+ struct splice_desc sd = {
+- .total_len = len,
+ .flags = flags,
+- .pos = *ppos,
+ .u.file = out,
+ };
+
+@@ -2490,6 +2488,12 @@ static ssize_t ocfs2_file_splice_write(struct
pipe_inode_info *pipe,
+ out->f_path.dentry->d_name.len,
+ out->f_path.dentry->d_name.name, len);
+
++ ret = generic_write_checks(out, ppos, &len, 0);
++ if (ret)
++ return ret;
++ sd.total_len = len;
++ sd.pos = *ppos;
++
+ pipe_lock(pipe);
+
+ splice_from_pipe_begin(&sd);
+diff --git a/fs/splice.c b/fs/splice.c
+index 12028fa..f345d53 100644
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1012,13 +1012,17 @@ generic_file_splice_write(struct pipe_inode_info
*pipe, struct file *out,
+ struct address_space *mapping = out->f_mapping;
+ struct inode *inode = mapping->host;
+ struct splice_desc sd = {
+- .total_len = len,
+ .flags = flags,
+- .pos = *ppos,
+ .u.file = out,
+ };
+ ssize_t ret;
+
++ ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
++ if (ret)
++ return ret;
++ sd.total_len = len;
++ sd.pos = *ppos;
++
+ pipe_lock(pipe);
+
+ splice_from_pipe_begin(&sd);
+diff --git a/include/linux/mbus.h b/include/linux/mbus.h
+index 345b8c5..550c88f 100644
+--- a/include/linux/mbus.h
++++ b/include/linux/mbus.h
+@@ -73,6 +73,6 @@ int mvebu_mbus_del_window(phys_addr_t base, size_t size);
+ int mvebu_mbus_init(const char *soc, phys_addr_t mbus_phys_base,
+ size_t mbus_size, phys_addr_t sdram_phys_base,
+ size_t sdram_size);
+-int mvebu_mbus_dt_init(void);
++int mvebu_mbus_dt_init(bool is_coherent);
+
+ #endif /* __LINUX_MBUS_H */
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index c68e5e0..99de240 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -855,7 +855,10 @@ static int nf_tables_newchain(struct sock *nlsk, struct
sk_buff *skb,
+
+ if (nla[NFTA_CHAIN_POLICY]) {
+ if ((chain != NULL &&
+- !(chain->flags & NFT_BASE_CHAIN)) ||
++ !(chain->flags & NFT_BASE_CHAIN)))
++ return -EOPNOTSUPP;
++
++ if (chain == NULL &&
+ nla[NFTA_CHAIN_HOOK] == NULL)
+ return -EOPNOTSUPP;
+
+diff --git a/net/netfilter/nfnetlink_cthelper.c
b/net/netfilter/nfnetlink_cthelper.c
+index 9e287cb..54330fb 100644
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -77,6 +77,9 @@ nfnl_cthelper_parse_tuple(struct nf_conntrack_tuple *tuple,
+ if (!tb[NFCTH_TUPLE_L3PROTONUM] || !tb[NFCTH_TUPLE_L4PROTONUM])
+ return -EINVAL;
+
++ /* Not all fields are initialized so first zero the tuple */
++ memset(tuple, 0, sizeof(struct nf_conntrack_tuple));
++
+ tuple->src.l3num = ntohs(nla_get_be16(tb[NFCTH_TUPLE_L3PROTONUM]));
+ tuple->dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]);
+
+@@ -86,7 +89,7 @@ nfnl_cthelper_parse_tuple(struct nf_conntrack_tuple *tuple,
+ static int
+ nfnl_cthelper_from_nlattr(struct nlattr *attr, struct nf_conn *ct)
+ {
+- const struct nf_conn_help *help = nfct_help(ct);
++ struct nf_conn_help *help = nfct_help(ct);
+
+ if (attr == NULL)
+ return -EINVAL;
+@@ -94,7 +97,7 @@ nfnl_cthelper_from_nlattr(struct nlattr *attr, struct
nf_conn *ct)
+ if (help->helper->data_len == 0)
+ return -EINVAL;
+
+- memcpy(&help->data, nla_data(attr), help->helper->data_len);
++ memcpy(help->data, nla_data(attr), help->helper->data_len);
+ return 0;
+ }
+
+diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
+index 7350723..9695895 100644
+--- a/net/netfilter/nft_compat.c
++++ b/net/netfilter/nft_compat.c
+@@ -82,6 +82,9 @@ nft_target_set_tgchk_param(struct xt_tgchk_param *par,
+ entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
+ break;
+ case AF_INET6:
++ if (proto)
++ entry->e6.ipv6.flags |= IP6T_F_PROTO;
++
+ entry->e6.ipv6.proto = proto;
+ entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
+ break;
+@@ -313,6 +316,9 @@ nft_match_set_mtchk_param(struct xt_mtchk_param *par,
const struct nft_ctx *ctx,
+ entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
+ break;
+ case AF_INET6:
++ if (proto)
++ entry->e6.ipv6.flags |= IP6T_F_PROTO;
++
+ entry->e6.ipv6.proto = proto;
+ entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
+ break;
+diff --git a/virt/kvm/arm/vgic.c b/virt/kvm/arm/vgic.c
+index 1316e55..c324a52 100644
+--- a/virt/kvm/arm/vgic.c
++++ b/virt/kvm/arm/vgic.c
+@@ -674,7 +674,7 @@ static bool read_set_clear_sgi_pend_reg(struct kvm_vcpu
*vcpu,
+ {
+ struct vgic_dist *dist = &vcpu->kvm->arch.vgic;
+ int sgi;
+- int min_sgi = (offset & ~0x3) * 4;
++ int min_sgi = (offset & ~0x3);
+ int max_sgi = min_sgi + 3;
+ int vcpu_id = vcpu->vcpu_id;
+ u32 reg = 0;
+@@ -695,7 +695,7 @@ static bool write_set_clear_sgi_pend_reg(struct kvm_vcpu
*vcpu,
+ {
+ struct vgic_dist *dist = &vcpu->kvm->arch.vgic;
+ int sgi;
+- int min_sgi = (offset & ~0x3) * 4;
++ int min_sgi = (offset & ~0x3);
+ int max_sgi = min_sgi + 3;
+ int vcpu_id = vcpu->vcpu_id;
+ u32 reg;
+@@ -1387,7 +1387,8 @@ out:
+ int kvm_vgic_inject_irq(struct kvm *kvm, int cpuid, unsigned int irq_num,
+ bool level)
+ {
+- if (vgic_update_irq_state(kvm, cpuid, irq_num, level))
++ if (likely(vgic_initialized(kvm)) &&
++ vgic_update_irq_state(kvm, cpuid, irq_num, level))
+ vgic_kick_vcpus(kvm);
+
+ return 0;
+@@ -1610,7 +1611,7 @@ out:
+
+ int kvm_vgic_create(struct kvm *kvm)
+ {
+- int i, vcpu_lock_idx = -1, ret = 0;
++ int i, vcpu_lock_idx = -1, ret;
+ struct kvm_vcpu *vcpu;
+
+ mutex_lock(&kvm->lock);
+@@ -1625,6 +1626,7 @@ int kvm_vgic_create(struct kvm *kvm)
+ * vcpu->mutex. By grabbing the vcpu->mutex of all VCPUs we ensure
+ * that no other VCPUs are run while we create the vgic.
+ */
++ ret = -EBUSY;
+ kvm_for_each_vcpu(i, vcpu, kvm) {
+ if (!mutex_trylock(&vcpu->mutex))
+ goto out_unlock;
+@@ -1632,11 +1634,10 @@ int kvm_vgic_create(struct kvm *kvm)
+ }
+
+ kvm_for_each_vcpu(i, vcpu, kvm) {
+- if (vcpu->arch.has_run_once) {
+- ret = -EBUSY;
++ if (vcpu->arch.has_run_once)
+ goto out_unlock;
+- }
+ }
++ ret = 0;
+
+ spin_lock_init(&kvm->arch.vgic.lock);
+ kvm->arch.vgic.vctrl_base = vgic_vctrl_base;
diff --git a/3.14.46/4420_grsecurity-3.1-3.14.46-201506300711.patch
b/3.14.47/4420_grsecurity-3.1-3.14.47-201507050832.patch
similarity index 99%
rename from 3.14.46/4420_grsecurity-3.1-3.14.46-201506300711.patch
rename to 3.14.47/4420_grsecurity-3.1-3.14.47-201507050832.patch
index 008971f..f646996 100644
--- a/3.14.46/4420_grsecurity-3.1-3.14.46-201506300711.patch
+++ b/3.14.47/4420_grsecurity-3.1-3.14.47-201507050832.patch
@@ -295,7 +295,7 @@ index 5d91ba1..ef1d374 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index def39fd..4636aea 100644
+index f9041e6..46bcf1d 100644
--- a/Makefile
+++ b/Makefile
@@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo
$$BASH; \
@@ -3307,7 +3307,7 @@ index 7bcee5c..e2f3249 100644
__data_loc = .;
#endif
diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
-index df6e75e..1858aa0 100644
+index 2e74a61..14d0a66 100644
--- a/arch/arm/kvm/arm.c
+++ b/arch/arm/kvm/arm.c
@@ -57,7 +57,7 @@ static unsigned long hyp_default_vectors;
@@ -3319,7 +3319,7 @@ index df6e75e..1858aa0 100644
static u8 kvm_next_vmid;
static DEFINE_SPINLOCK(kvm_vmid_lock);
-@@ -371,7 +371,7 @@ void force_vm_exit(const cpumask_t *mask)
+@@ -376,7 +376,7 @@ void force_vm_exit(const cpumask_t *mask)
*/
static bool need_new_vmid_gen(struct kvm *kvm)
{
@@ -3328,7 +3328,7 @@ index df6e75e..1858aa0 100644
}
/**
-@@ -404,7 +404,7 @@ static void update_vttbr(struct kvm *kvm)
+@@ -409,7 +409,7 @@ static void update_vttbr(struct kvm *kvm)
/* First user of a new VMID generation? */
if (unlikely(kvm_next_vmid == 0)) {
@@ -3337,7 +3337,7 @@ index df6e75e..1858aa0 100644
kvm_next_vmid = 1;
/*
-@@ -421,7 +421,7 @@ static void update_vttbr(struct kvm *kvm)
+@@ -426,7 +426,7 @@ static void update_vttbr(struct kvm *kvm)
kvm_call_hyp(__kvm_flush_vm_context);
}
@@ -3346,7 +3346,7 @@ index df6e75e..1858aa0 100644
kvm->arch.vmid = kvm_next_vmid;
kvm_next_vmid++;
-@@ -996,7 +996,7 @@ static void check_kvm_target_cpu(void *ret)
+@@ -1013,7 +1013,7 @@ static void check_kvm_target_cpu(void *ret)
/**
* Initialize Hyp-mode and memory mappings on all CPUs.
*/
@@ -12396,7 +12396,7 @@ index ad8f795..2c7eec6 100644
/*
* Memory returned by kmalloc() may be used for DMA, so we must make
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 2f645c9..7e2933c 100644
+index 5dab54a..a20467d 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -22,6 +22,7 @@ config X86_64
@@ -21769,15 +21769,13 @@ index a276fa7..3ef18f0 100644
static void microcode_fini_cpu(int cpu)
diff --git a/arch/x86/kernel/cpu/microcode/intel_early.c
b/arch/x86/kernel/cpu/microcode/intel_early.c
-index 18f7391..8c5225d 100644
+index 43a07bf..8c5225d 100644
--- a/arch/x86/kernel/cpu/microcode/intel_early.c
+++ b/arch/x86/kernel/cpu/microcode/intel_early.c
-@@ -321,7 +321,11 @@ get_matching_model_microcode(int cpu, unsigned long start,
- unsigned int mc_saved_count = mc_saved_data->mc_saved_count;
+@@ -322,6 +322,10 @@ get_matching_model_microcode(int cpu, unsigned long start,
int i;
-- while (leftover) {
-+ while (leftover && mc_saved_count < ARRAY_SIZE(mc_saved_tmp)) {
+ while (leftover && mc_saved_count < ARRAY_SIZE(mc_saved_tmp)) {
+
+ if (leftover < sizeof(mc_header))
+ break;
@@ -25816,7 +25814,7 @@ index 7ec1d5f..5a7d130 100644
}
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
-index a1f5b18..9d9e077 100644
+index 490fee1..d7eb482 100644
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -119,9 +119,12 @@ static void __kprobes __synthesize_relative_insn(void
*from, void *to, u8 op)
@@ -25854,17 +25852,17 @@ index a1f5b18..9d9e077 100644
}
/*
-@@ -332,7 +335,9 @@ int __kprobes __copy_instruction(u8 *dest, u8 *src)
+@@ -335,7 +338,9 @@ int __kprobes __copy_instruction(u8 *dest, u8 *src)
/* Another subsystem puts a breakpoint, failed to recover */
if (insn.opcode.bytes[0] == BREAKPOINT_INSTRUCTION)
return 0;
+ pax_open_kernel();
- memcpy(dest, insn.kaddr, insn.length);
+ memcpy(dest, insn.kaddr, length);
+ pax_close_kernel();
#ifdef CONFIG_X86_64
if (insn_rip_relative(&insn)) {
-@@ -359,7 +364,9 @@ int __kprobes __copy_instruction(u8 *dest, u8 *src)
+@@ -362,7 +367,9 @@ int __kprobes __copy_instruction(u8 *dest, u8 *src)
return 0;
}
disp = (u8 *) dest + insn_offset_displacement(&insn);
@@ -25873,8 +25871,8 @@ index a1f5b18..9d9e077 100644
+ pax_close_kernel();
}
#endif
- return insn.length;
-@@ -498,7 +505,7 @@ setup_singlestep(struct kprobe *p, struct pt_regs *regs,
struct kprobe_ctlblk *k
+ return length;
+@@ -501,7 +508,7 @@ setup_singlestep(struct kprobe *p, struct pt_regs *regs,
struct kprobe_ctlblk *k
* nor set current_kprobe, because it doesn't use single
* stepping.
*/
@@ -25883,7 +25881,7 @@ index a1f5b18..9d9e077 100644
preempt_enable_no_resched();
return;
}
-@@ -515,9 +522,9 @@ setup_singlestep(struct kprobe *p, struct pt_regs *regs,
struct kprobe_ctlblk *k
+@@ -518,9 +525,9 @@ setup_singlestep(struct kprobe *p, struct pt_regs *regs,
struct kprobe_ctlblk *k
regs->flags &= ~X86_EFLAGS_IF;
/* single step inline if the instruction is an int3 */
if (p->opcode == BREAKPOINT_INSTRUCTION)
@@ -25895,7 +25893,7 @@ index a1f5b18..9d9e077 100644
}
/*
-@@ -596,7 +603,7 @@ static int __kprobes kprobe_handler(struct pt_regs *regs)
+@@ -599,7 +606,7 @@ static int __kprobes kprobe_handler(struct pt_regs *regs)
setup_singlestep(p, regs, kcb, 0);
return 1;
}
@@ -25904,7 +25902,7 @@ index a1f5b18..9d9e077 100644
/*
* The breakpoint instruction was removed right
* after we hit it. Another cpu has removed
-@@ -642,6 +649,9 @@ static void __used __kprobes
kretprobe_trampoline_holder(void)
+@@ -645,6 +652,9 @@ static void __used __kprobes
kretprobe_trampoline_holder(void)
" movq %rax, 152(%rsp)\n"
RESTORE_REGS_STRING
" popfq\n"
@@ -25914,7 +25912,7 @@ index a1f5b18..9d9e077 100644
#else
" pushf\n"
SAVE_REGS_STRING
-@@ -779,7 +789,7 @@ static void __kprobes
+@@ -782,7 +792,7 @@ static void __kprobes
resume_execution(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk
*kcb)
{
unsigned long *tos = stack_addr(regs);
@@ -25923,7 +25921,7 @@ index a1f5b18..9d9e077 100644
unsigned long orig_ip = (unsigned long)p->addr;
kprobe_opcode_t *insn = p->ainsn.insn;
-@@ -961,7 +971,7 @@ kprobe_exceptions_notify(struct notifier_block *self,
unsigned long val, void *d
+@@ -964,7 +974,7 @@ kprobe_exceptions_notify(struct notifier_block *self,
unsigned long val, void *d
struct die_args *args = data;
int ret = NOTIFY_DONE;
@@ -28893,10 +28891,10 @@ index cba218a..1cc1bed 100644
goto error;
walker->ptep_user[walker->level - 1] = ptep_user;
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 9643eda6..c9cb765 100644
+index 0746334..f6c04e8 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
-@@ -3508,7 +3508,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
+@@ -3510,7 +3510,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
int cpu = raw_smp_processor_id();
struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
@@ -28908,7 +28906,7 @@ index 9643eda6..c9cb765 100644
load_TR_desc();
}
-@@ -3911,6 +3915,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -3913,6 +3917,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
#endif
#endif
@@ -51585,7 +51583,7 @@ index f28ea07..34b16d3 100644
/* These three are default values which can be overridden */
diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
-index 528bff5..84963854 100644
+index 85d370e..7374c8c 100644
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -571,7 +571,7 @@ static inline u32 next_command(struct ctlr_info *h, u8 q)
@@ -51636,7 +51634,7 @@ index 528bff5..84963854 100644
(h->interrupts_enabled == 0);
}
-@@ -4442,7 +4442,7 @@ static int hpsa_pci_init(struct ctlr_info *h)
+@@ -4433,7 +4433,7 @@ static int hpsa_pci_init(struct ctlr_info *h)
if (prod_index < 0)
return -ENODEV;
h->product_name = products[prod_index].product_name;
@@ -51645,7 +51643,7 @@ index 528bff5..84963854 100644
pci_disable_link_state(h->pdev, PCIE_LINK_STATE_L0S |
PCIE_LINK_STATE_L1 | PCIE_LINK_STATE_CLKPM);
-@@ -4712,7 +4712,7 @@ static void controller_lockup_detected(struct ctlr_info
*h)
+@@ -4726,7 +4726,7 @@ static void controller_lockup_detected(struct ctlr_info
*h)
{
unsigned long flags;
@@ -51654,7 +51652,7 @@ index 528bff5..84963854 100644
spin_lock_irqsave(&h->lock, flags);
h->lockup_detected = readl(h->vaddr + SA5_SCRATCHPAD_OFFSET);
spin_unlock_irqrestore(&h->lock, flags);
-@@ -4843,7 +4843,7 @@ reinit_after_soft_reset:
+@@ -4857,7 +4857,7 @@ reinit_after_soft_reset:
}
/* make sure the board interrupts are off */
@@ -51663,7 +51661,7 @@ index 528bff5..84963854 100644
if (hpsa_request_irq(h, do_hpsa_intr_msi, do_hpsa_intr_intx))
goto clean2;
-@@ -4877,7 +4877,7 @@ reinit_after_soft_reset:
+@@ -4891,7 +4891,7 @@ reinit_after_soft_reset:
* fake ones to scoop up any residual completions.
*/
spin_lock_irqsave(&h->lock, flags);
@@ -51672,7 +51670,7 @@ index 528bff5..84963854 100644
spin_unlock_irqrestore(&h->lock, flags);
free_irqs(h);
rc = hpsa_request_irq(h, hpsa_msix_discard_completions,
-@@ -4896,9 +4896,9 @@ reinit_after_soft_reset:
+@@ -4910,9 +4910,9 @@ reinit_after_soft_reset:
dev_info(&h->pdev->dev, "Board READY.\n");
dev_info(&h->pdev->dev,
"Waiting for stale completions to drain.\n");
@@ -51684,7 +51682,7 @@ index 528bff5..84963854 100644
rc = controller_reset_failed(h->cfgtable);
if (rc)
-@@ -4919,7 +4919,7 @@ reinit_after_soft_reset:
+@@ -4933,7 +4933,7 @@ reinit_after_soft_reset:
}
/* Turn the interrupts on so we can service requests */
@@ -51693,7 +51691,7 @@ index 528bff5..84963854 100644
hpsa_hba_inquiry(h);
hpsa_register_scsi(h); /* hook ourselves into SCSI subsystem */
-@@ -4988,7 +4988,7 @@ static void hpsa_shutdown(struct pci_dev *pdev)
+@@ -5002,7 +5002,7 @@ static void hpsa_shutdown(struct pci_dev *pdev)
* To write all data in the battery backed cache to disks
*/
hpsa_flush_cache(h);
@@ -51702,7 +51700,7 @@ index 528bff5..84963854 100644
hpsa_free_irqs_and_disable_msix(h);
}
-@@ -5162,7 +5162,7 @@ static void hpsa_enter_performant_mode(struct ctlr_info
*h, u32 use_short_tags)
+@@ -5176,7 +5176,7 @@ static void hpsa_enter_performant_mode(struct ctlr_info
*h, u32 use_short_tags)
return;
}
/* Change the access methods to the performant access methods */
@@ -55240,6 +55238,19 @@ index 8cfc319..4868255 100644
return 0;
}
+diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
+index 3740a3f..466ec15 100644
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -560,7 +560,7 @@ static struct config_group *function_make(
+ if (IS_ERR(fi))
+ return ERR_CAST(fi);
+
+- ret = config_item_set_name(&fi->group.cg_item, name);
++ ret = config_item_set_name(&fi->group.cg_item, "%s", name);
+ if (ret) {
+ usb_put_function_instance(fi);
+ return ERR_PTR(ret);
diff --git a/drivers/usb/gadget/f_uac1.c b/drivers/usb/gadget/f_uac1.c
index 2b4c82d..06a8ee6 100644
--- a/drivers/usb/gadget/f_uac1.c
@@ -66906,7 +66917,7 @@ index 1e86823..8e34695 100644
else if (whole->bd_holder != NULL)
return false; /* is a partition of a held device */
diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
-index 93de3ba..0e1cf23 100644
+index f8ffee4..b82e697 100644
--- a/fs/btrfs/ctree.c
+++ b/fs/btrfs/ctree.c
@@ -1216,9 +1216,12 @@ static noinline int __btrfs_cow_block(struct
btrfs_trans_handle *trans,
@@ -67968,6 +67979,28 @@ index e081acb..911df21 100644
/*
* We'll have a dentry and an inode for
+diff --git a/fs/configfs/item.c b/fs/configfs/item.c
+index 50cee7f..8238ebd 100644
+--- a/fs/configfs/item.c
++++ b/fs/configfs/item.c
+@@ -116,7 +116,7 @@ void config_item_init_type_name(struct config_item *item,
+ const char *name,
+ struct config_item_type *type)
+ {
+- config_item_set_name(item, name);
++ config_item_set_name(item, "%s", name);
+ item->ci_type = type;
+ config_item_init(item);
+ }
+@@ -125,7 +125,7 @@ EXPORT_SYMBOL(config_item_init_type_name);
+ void config_group_init_type_name(struct config_group *group, const char *name,
+ struct config_item_type *type)
+ {
+- config_item_set_name(&group->cg_item, name);
++ config_item_set_name(&group->cg_item, "%s", name);
+ group->cg_item.ci_type = type;
+ config_group_init(group);
+ }
diff --git a/fs/coredump.c b/fs/coredump.c
index a93f7e6..d58bcbe 100644
--- a/fs/coredump.c
@@ -75409,7 +75442,7 @@ index 1d641bb..9ca7f61 100644
{
const struct seq_operations *op = ((struct seq_file
*)file->private_data)->op;
diff --git a/fs/splice.c b/fs/splice.c
-index 12028fa..2cde9b2 100644
+index f345d53..f6e7484 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -196,7 +196,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
@@ -75491,7 +75524,7 @@ index 12028fa..2cde9b2 100644
return 0;
if (sd->flags & SPLICE_F_NONBLOCK)
-@@ -1171,7 +1171,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct
splice_desc *sd,
+@@ -1175,7 +1175,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct
splice_desc *sd,
long ret, bytes;
umode_t i_mode;
size_t len;
@@ -75500,7 +75533,7 @@ index 12028fa..2cde9b2 100644
/*
* We require the input being a regular file, as we don't want to
-@@ -1197,7 +1197,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct
splice_desc *sd,
+@@ -1201,7 +1201,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct
splice_desc *sd,
* out of the pipe right after the splice_to_pipe(). So set
* PIPE_READERS appropriately.
*/
@@ -75509,7 +75542,7 @@ index 12028fa..2cde9b2 100644
current->splice_pipe = pipe;
}
-@@ -1214,6 +1214,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct
splice_desc *sd,
+@@ -1218,6 +1218,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct
splice_desc *sd,
* Don't block on output, we have to drain the direct pipe.
*/
sd->flags &= ~SPLICE_F_NONBLOCK;
@@ -75517,7 +75550,7 @@ index 12028fa..2cde9b2 100644
while (len) {
size_t read_len;
-@@ -1227,6 +1228,15 @@ ssize_t splice_direct_to_actor(struct file *in, struct
splice_desc *sd,
+@@ -1231,6 +1232,15 @@ ssize_t splice_direct_to_actor(struct file *in, struct
splice_desc *sd,
sd->total_len = read_len;
/*
@@ -75533,7 +75566,7 @@ index 12028fa..2cde9b2 100644
* NOTE: nonblocking mode only applies to the input. We
* must not do the output in nonblocking mode as then we
* could get stuck data in the internal pipe:
-@@ -1493,6 +1503,7 @@ static int get_iovec_page_array(const struct iovec
__user *iov,
+@@ -1497,6 +1507,7 @@ static int get_iovec_page_array(const struct iovec
__user *iov,
partial[buffers].offset = off;
partial[buffers].len = plen;
@@ -75541,7 +75574,7 @@ index 12028fa..2cde9b2 100644
off = 0;
len -= plen;
-@@ -1795,9 +1806,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe,
unsigned int flags)
+@@ -1799,9 +1810,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe,
unsigned int flags)
ret = -ERESTARTSYS;
break;
}
@@ -75553,7 +75586,7 @@ index 12028fa..2cde9b2 100644
if (flags & SPLICE_F_NONBLOCK) {
ret = -EAGAIN;
break;
-@@ -1829,7 +1840,7 @@ static int opipe_prep(struct pipe_inode_info *pipe,
unsigned int flags)
+@@ -1833,7 +1844,7 @@ static int opipe_prep(struct pipe_inode_info *pipe,
unsigned int flags)
pipe_lock(pipe);
while (pipe->nrbufs >= pipe->buffers) {
@@ -75562,7 +75595,7 @@ index 12028fa..2cde9b2 100644
send_sig(SIGPIPE, current, 0);
ret = -EPIPE;
break;
-@@ -1842,9 +1853,9 @@ static int opipe_prep(struct pipe_inode_info *pipe,
unsigned int flags)
+@@ -1846,9 +1857,9 @@ static int opipe_prep(struct pipe_inode_info *pipe,
unsigned int flags)
ret = -ERESTARTSYS;
break;
}
@@ -75574,7 +75607,7 @@ index 12028fa..2cde9b2 100644
}
pipe_unlock(pipe);
-@@ -1880,14 +1891,14 @@ retry:
+@@ -1884,14 +1895,14 @@ retry:
pipe_double_lock(ipipe, opipe);
do {
@@ -75591,7 +75624,7 @@ index 12028fa..2cde9b2 100644
break;
/*
-@@ -1984,7 +1995,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
+@@ -1988,7 +1999,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
pipe_double_lock(ipipe, opipe);
do {
@@ -75600,7 +75633,7 @@ index 12028fa..2cde9b2 100644
send_sig(SIGPIPE, current, 0);
if (!ret)
ret = -EPIPE;
-@@ -2029,7 +2040,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
+@@ -2033,7 +2044,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
* return EAGAIN if we have the potential of some data in the
* future, otherwise just return 0
*/
@@ -81750,7 +81783,7 @@ index 0000000..4c7e00a
+}
diff --git a/grsecurity/gracl_ip.c b/grsecurity/gracl_ip.c
new file mode 100644
-index 0000000..f056b81
+index 0000000..ed6ee43
--- /dev/null
+++ b/grsecurity/gracl_ip.c
@@ -0,0 +1,386 @@
@@ -81824,7 +81857,7 @@ index 0000000..f056b81
+ "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom",
"bridge", "atmpvc", "x25",
+ "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink",
"packet", "ash",
+ "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc",
"fam_27", "fam_28",
-+ "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154",
"ciaf"
++ "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154",
"ciaf", "alg", "nfc", "vsock"
+ };
+
+const char *
@@ -89322,9 +89355,18 @@ index 5d5aaae..0ea9b84 100644
extern bool completion_done(struct completion *x);
diff --git a/include/linux/configfs.h b/include/linux/configfs.h
-index 34025df..d94bbbc 100644
+index 34025df..2a6ee32 100644
--- a/include/linux/configfs.h
+++ b/include/linux/configfs.h
+@@ -64,7 +64,7 @@ struct config_item {
+ struct dentry *ci_dentry;
+ };
+
+-extern int config_item_set_name(struct config_item *, const char *, ...);
++extern __printf(2, 3) int config_item_set_name(struct config_item *, const
char *, ...);
+
+ static inline char *config_item_name(struct config_item * item)
+ {
@@ -125,7 +125,7 @@ struct configfs_attribute {
const char *ca_name;
struct module *ca_owner;
@@ -114514,7 +114556,7 @@ index f042ae5..30ea486 100644
}
EXPORT_SYMBOL(nf_unregister_sockopt);
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
-index c68e5e0..3bed3f0 100644
+index 99de240..539632e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -152,8 +152,8 @@ nf_tables_chain_type_lookup(const struct nft_af_info *afi,
@@ -114576,10 +114618,10 @@ index 108120f..5b169db 100644
queued = 0;
err = 0;
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
-index 7350723..af7fa0d 100644
+index 9695895..f0a05e6 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
-@@ -216,7 +216,7 @@ target_dump_info(struct sk_buff *skb, const struct
xt_target *t, const void *in)
+@@ -219,7 +219,7 @@ target_dump_info(struct sk_buff *skb, const struct
xt_target *t, const void *in)
/* We want to reuse existing compat_to_user */
old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -114588,7 +114630,7 @@ index 7350723..af7fa0d 100644
set_fs(old_fs);
ret = nla_put(skb, NFTA_TARGET_INFO, XT_ALIGN(t->targetsize),
out);
kfree(out);
-@@ -283,14 +283,7 @@ static void nft_match_eval(const struct nft_expr *expr,
+@@ -286,14 +286,7 @@ static void nft_match_eval(const struct nft_expr *expr,
return;
}
@@ -114604,7 +114646,7 @@ index 7350723..af7fa0d 100644
}
static const struct nla_policy nft_match_policy[NFTA_MATCH_MAX + 1] = {
-@@ -403,7 +396,7 @@ match_dump_info(struct sk_buff *skb, const struct xt_match
*m, const void *in)
+@@ -409,7 +402,7 @@ match_dump_info(struct sk_buff *skb, const struct xt_match
*m, const void *in)
/* We want to reuse existing compat_to_user */
old_fs = get_fs();
set_fs(KERNEL_DS);
diff --git a/3.14.46/4425_grsec_remove_EI_PAX.patch
b/3.14.47/4425_grsec_remove_EI_PAX.patch
similarity index 100%
rename from 3.14.46/4425_grsec_remove_EI_PAX.patch
rename to 3.14.47/4425_grsec_remove_EI_PAX.patch
diff --git a/3.14.46/4427_force_XATTR_PAX_tmpfs.patch
b/3.14.47/4427_force_XATTR_PAX_tmpfs.patch
similarity index 100%
rename from 3.14.46/4427_force_XATTR_PAX_tmpfs.patch
rename to 3.14.47/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.14.46/4430_grsec-remove-localversion-grsec.patch
b/3.14.47/4430_grsec-remove-localversion-grsec.patch
similarity index 100%
rename from 3.14.46/4430_grsec-remove-localversion-grsec.patch
rename to 3.14.47/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.14.46/4435_grsec-mute-warnings.patch
b/3.14.47/4435_grsec-mute-warnings.patch
similarity index 100%
rename from 3.14.46/4435_grsec-mute-warnings.patch
rename to 3.14.47/4435_grsec-mute-warnings.patch
diff --git a/3.14.46/4440_grsec-remove-protected-paths.patch
b/3.14.47/4440_grsec-remove-protected-paths.patch
similarity index 100%
rename from 3.14.46/4440_grsec-remove-protected-paths.patch
rename to 3.14.47/4440_grsec-remove-protected-paths.patch
diff --git a/3.14.46/4450_grsec-kconfig-default-gids.patch
b/3.14.47/4450_grsec-kconfig-default-gids.patch
similarity index 100%
rename from 3.14.46/4450_grsec-kconfig-default-gids.patch
rename to 3.14.47/4450_grsec-kconfig-default-gids.patch
diff --git a/3.14.46/4465_selinux-avc_audit-log-curr_ip.patch
b/3.14.47/4465_selinux-avc_audit-log-curr_ip.patch
similarity index 100%
rename from 3.14.46/4465_selinux-avc_audit-log-curr_ip.patch
rename to 3.14.47/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.14.46/4470_disable-compat_vdso.patch
b/3.14.47/4470_disable-compat_vdso.patch
similarity index 100%
rename from 3.14.46/4470_disable-compat_vdso.patch
rename to 3.14.47/4470_disable-compat_vdso.patch
diff --git a/3.14.46/4475_emutramp_default_on.patch
b/3.14.47/4475_emutramp_default_on.patch
similarity index 100%
rename from 3.14.46/4475_emutramp_default_on.patch
rename to 3.14.47/4475_emutramp_default_on.patch
diff --git a/3.2.69/0000_README b/3.2.69/0000_README
index d006716..6773701 100644
--- a/3.2.69/0000_README
+++ b/3.2.69/0000_README
@@ -194,7 +194,7 @@ Patch: 1068_linux-3.2.69.patch
From: http://www.kernel.org
Desc: Linux 3.2.69
-Patch: 4420_grsecurity-3.1-3.2.69-201506300708.patch
+Patch: 4420_grsecurity-3.1-3.2.69-201507050830.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.69/4420_grsecurity-3.1-3.2.69-201506300708.patch
b/3.2.69/4420_grsecurity-3.1-3.2.69-201507050830.patch
similarity index 99%
rename from 3.2.69/4420_grsecurity-3.1-3.2.69-201506300708.patch
rename to 3.2.69/4420_grsecurity-3.1-3.2.69-201507050830.patch
index e8aabfa..57ddd0b 100644
--- a/3.2.69/4420_grsecurity-3.1-3.2.69-201506300708.patch
+++ b/3.2.69/4420_grsecurity-3.1-3.2.69-201507050830.patch
@@ -59119,6 +59119,28 @@ index 5ef72c8..0c72810 100644
/*
* We'll have a dentry and an inode for
+diff --git a/fs/configfs/item.c b/fs/configfs/item.c
+index 50cee7f..8238ebd 100644
+--- a/fs/configfs/item.c
++++ b/fs/configfs/item.c
+@@ -116,7 +116,7 @@ void config_item_init_type_name(struct config_item *item,
+ const char *name,
+ struct config_item_type *type)
+ {
+- config_item_set_name(item, name);
++ config_item_set_name(item, "%s", name);
+ item->ci_type = type;
+ config_item_init(item);
+ }
+@@ -125,7 +125,7 @@ EXPORT_SYMBOL(config_item_init_type_name);
+ void config_group_init_type_name(struct config_group *group, const char *name,
+ struct config_item_type *type)
+ {
+- config_item_set_name(&group->cg_item, name);
++ config_item_set_name(&group->cg_item, "%s", name);
+ group->cg_item.ci_type = type;
+ config_group_init(group);
+ }
diff --git a/fs/configfs/mount.c b/fs/configfs/mount.c
index 276e15c..aeac324 100644
--- a/fs/configfs/mount.c
@@ -73326,7 +73348,7 @@ index 0000000..b916759
+}
diff --git a/grsecurity/gracl_ip.c b/grsecurity/gracl_ip.c
new file mode 100644
-index 0000000..35f8064
+index 0000000..e0bbcf4
--- /dev/null
+++ b/grsecurity/gracl_ip.c
@@ -0,0 +1,386 @@
@@ -73400,7 +73422,7 @@ index 0000000..35f8064
+ "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom",
"bridge", "atmpvc", "x25",
+ "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink",
"packet", "ash",
+ "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc",
"fam_27", "fam_28",
-+ "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154",
"ciaf"
++ "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154",
"ciaf", "alg", "nfc"
+ };
+
+const char *
@@ -81044,9 +81066,18 @@ index 51494e6..340575ab 100644
extern bool completion_done(struct completion *x);
diff --git a/include/linux/configfs.h b/include/linux/configfs.h
-index 3081c58..7714c00 100644
+index 3081c58..5a0b545 100644
--- a/include/linux/configfs.h
+++ b/include/linux/configfs.h
+@@ -64,7 +64,7 @@ struct config_item {
+ struct dentry *ci_dentry;
+ };
+
+-extern int config_item_set_name(struct config_item *, const char *, ...);
++extern __printf(2, 3) int config_item_set_name(struct config_item *, const
char *, ...);
+
+ static inline char *config_item_name(struct config_item * item)
+ {
@@ -125,7 +125,7 @@ struct configfs_attribute {
const char *ca_name;
struct module *ca_owner;
diff --git a/4.0.7/0000_README b/4.0.7/0000_README
index 1c85007..fc634e5 100644
--- a/4.0.7/0000_README
+++ b/4.0.7/0000_README
@@ -2,11 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 1006_linux-4.0.7.patch
-From: http://www.kernel.org
-Desc: Linux 4.0.7
-
-Patch: 4420_grsecurity-3.1-4.0.7-201506300712.patch
+Patch: 4420_grsecurity-3.1-4.0.7-201507050833.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.0.7/1006_linux-4.0.7.patch b/4.0.7/1006_linux-4.0.7.patch
deleted file mode 100644
index 0b9b646..0000000
--- a/4.0.7/1006_linux-4.0.7.patch
+++ /dev/null
@@ -1,707 +0,0 @@
-diff --git a/Makefile b/Makefile
-index af6da04..bd76a8e 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 4
- PATCHLEVEL = 0
--SUBLEVEL = 6
-+SUBLEVEL = 7
- EXTRAVERSION =
- NAME = Hurr durr I'ma sheep
-
-diff --git a/arch/arm/mach-exynos/common.h b/arch/arm/mach-exynos/common.h
-index f70eca7..0ef8d4b 100644
---- a/arch/arm/mach-exynos/common.h
-+++ b/arch/arm/mach-exynos/common.h
-@@ -153,6 +153,8 @@ extern void exynos_enter_aftr(void);
-
- extern struct cpuidle_exynos_data cpuidle_coupled_exynos_data;
-
-+extern void exynos_set_delayed_reset_assertion(bool enable);
-+
- extern void s5p_init_cpu(void __iomem *cpuid_addr);
- extern unsigned int samsung_rev(void);
- extern void __iomem *cpu_boot_reg_base(void);
-diff --git a/arch/arm/mach-exynos/exynos.c b/arch/arm/mach-exynos/exynos.c
-index 9e9dfdf..1081ff1 100644
---- a/arch/arm/mach-exynos/exynos.c
-+++ b/arch/arm/mach-exynos/exynos.c
-@@ -166,6 +166,33 @@ static void __init exynos_init_io(void)
- exynos_map_io();
- }
-
-+/*
-+ * Set or clear the USE_DELAYED_RESET_ASSERTION option. Used by smp code
-+ * and suspend.
-+ *
-+ * This is necessary only on Exynos4 SoCs. When system is running
-+ * USE_DELAYED_RESET_ASSERTION should be set so the ARM CLK clock down
-+ * feature could properly detect global idle state when secondary CPU is
-+ * powered down.
-+ *
-+ * However this should not be set when such system is going into suspend.
-+ */
-+void exynos_set_delayed_reset_assertion(bool enable)
-+{
-+ if (soc_is_exynos4()) {
-+ unsigned int tmp, core_id;
-+
-+ for (core_id = 0; core_id < num_possible_cpus(); core_id++) {
-+ tmp = pmu_raw_readl(EXYNOS_ARM_CORE_OPTION(core_id));
-+ if (enable)
-+ tmp |= S5P_USE_DELAYED_RESET_ASSERTION;
-+ else
-+ tmp &= ~(S5P_USE_DELAYED_RESET_ASSERTION);
-+ pmu_raw_writel(tmp, EXYNOS_ARM_CORE_OPTION(core_id));
-+ }
-+ }
-+}
-+
- static const struct of_device_id exynos_dt_pmu_match[] = {
- { .compatible = "samsung,exynos3250-pmu" },
- { .compatible = "samsung,exynos4210-pmu" },
-diff --git a/arch/arm/mach-exynos/platsmp.c b/arch/arm/mach-exynos/platsmp.c
-index d2e9f12..d45e8cd 100644
---- a/arch/arm/mach-exynos/platsmp.c
-+++ b/arch/arm/mach-exynos/platsmp.c
-@@ -34,30 +34,6 @@
-
- extern void exynos4_secondary_startup(void);
-
--/*
-- * Set or clear the USE_DELAYED_RESET_ASSERTION option, set on Exynos4 SoCs
-- * during hot-(un)plugging CPUx.
-- *
-- * The feature can be cleared safely during first boot of secondary CPU.
-- *
-- * Exynos4 SoCs require setting USE_DELAYED_RESET_ASSERTION during powering
-- * down a CPU so the CPU idle clock down feature could properly detect global
-- * idle state when CPUx is off.
-- */
--static void exynos_set_delayed_reset_assertion(u32 core_id, bool enable)
--{
-- if (soc_is_exynos4()) {
-- unsigned int tmp;
--
-- tmp = pmu_raw_readl(EXYNOS_ARM_CORE_OPTION(core_id));
-- if (enable)
-- tmp |= S5P_USE_DELAYED_RESET_ASSERTION;
-- else
-- tmp &= ~(S5P_USE_DELAYED_RESET_ASSERTION);
-- pmu_raw_writel(tmp, EXYNOS_ARM_CORE_OPTION(core_id));
-- }
--}
--
- #ifdef CONFIG_HOTPLUG_CPU
- static inline void cpu_leave_lowpower(u32 core_id)
- {
-@@ -73,8 +49,6 @@ static inline void cpu_leave_lowpower(u32 core_id)
- : "=&r" (v)
- : "Ir" (CR_C), "Ir" (0x40)
- : "cc");
--
-- exynos_set_delayed_reset_assertion(core_id, false);
- }
-
- static inline void platform_do_lowpower(unsigned int cpu, int *spurious)
-@@ -87,14 +61,6 @@ static inline void platform_do_lowpower(unsigned int cpu,
int *spurious)
- /* Turn the CPU off on next WFI instruction. */
- exynos_cpu_power_down(core_id);
-
-- /*
-- * Exynos4 SoCs require setting
-- * USE_DELAYED_RESET_ASSERTION so the CPU idle
-- * clock down feature could properly detect
-- * global idle state when CPUx is off.
-- */
-- exynos_set_delayed_reset_assertion(core_id, true);
--
- wfi();
-
- if (pen_release == core_id) {
-@@ -354,9 +320,6 @@ static int exynos_boot_secondary(unsigned int cpu, struct
task_struct *idle)
- udelay(10);
- }
-
-- /* No harm if this is called during first boot of secondary CPU */
-- exynos_set_delayed_reset_assertion(core_id, false);
--
- /*
- * now the secondary core is starting up let it run its
- * calibrations, then wait for it to finish
-@@ -403,6 +366,8 @@ static void __init exynos_smp_prepare_cpus(unsigned int
max_cpus)
-
- exynos_sysram_init();
-
-+ exynos_set_delayed_reset_assertion(true);
-+
- if (read_cpuid_part() == ARM_CPU_PART_CORTEX_A9)
- scu_enable(scu_base_addr());
-
-diff --git a/arch/arm/mach-exynos/suspend.c b/arch/arm/mach-exynos/suspend.c
-index 318d127..582ef2d 100644
---- a/arch/arm/mach-exynos/suspend.c
-+++ b/arch/arm/mach-exynos/suspend.c
-@@ -235,6 +235,8 @@ static void exynos_pm_enter_sleep_mode(void)
-
- static void exynos_pm_prepare(void)
- {
-+ exynos_set_delayed_reset_assertion(false);
-+
- /* Set wake-up mask registers */
- exynos_pm_set_wakeup_mask();
-
-@@ -383,6 +385,7 @@ early_wakeup:
-
- /* Clear SLEEP mode set in INFORM1 */
- pmu_raw_writel(0x0, S5P_INFORM1);
-+ exynos_set_delayed_reset_assertion(true);
- }
-
- static void exynos3250_pm_resume(void)
-diff --git a/arch/powerpc/kernel/idle_power7.S
b/arch/powerpc/kernel/idle_power7.S
-index 05adc8b..401d8d0 100644
---- a/arch/powerpc/kernel/idle_power7.S
-+++ b/arch/powerpc/kernel/idle_power7.S
-@@ -500,9 +500,11 @@ BEGIN_FTR_SECTION
- CHECK_HMI_INTERRUPT
- END_FTR_SECTION_IFSET(CPU_FTR_HVMODE)
- ld r1,PACAR1(r13)
-+ ld r6,_CCR(r1)
- ld r4,_MSR(r1)
- ld r5,_NIP(r1)
- addi r1,r1,INT_FRAME_SIZE
-+ mtcr r6
- mtspr SPRN_SRR1,r4
- mtspr SPRN_SRR0,r5
- rfid
-diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
-index 4e3d5a9..03189d8 100644
---- a/arch/x86/kernel/kprobes/core.c
-+++ b/arch/x86/kernel/kprobes/core.c
-@@ -354,6 +354,7 @@ int __copy_instruction(u8 *dest, u8 *src)
- {
- struct insn insn;
- kprobe_opcode_t buf[MAX_INSN_SIZE];
-+ int length;
- unsigned long recovered_insn =
- recover_probed_instruction(buf, (unsigned long)src);
-
-@@ -361,16 +362,18 @@ int __copy_instruction(u8 *dest, u8 *src)
- return 0;
- kernel_insn_init(&insn, (void *)recovered_insn, MAX_INSN_SIZE);
- insn_get_length(&insn);
-+ length = insn.length;
-+
- /* Another subsystem puts a breakpoint, failed to recover */
- if (insn.opcode.bytes[0] == BREAKPOINT_INSTRUCTION)
- return 0;
-- memcpy(dest, insn.kaddr, insn.length);
-+ memcpy(dest, insn.kaddr, length);
-
- #ifdef CONFIG_X86_64
- if (insn_rip_relative(&insn)) {
- s64 newdisp;
- u8 *disp;
-- kernel_insn_init(&insn, dest, insn.length);
-+ kernel_insn_init(&insn, dest, length);
- insn_get_displacement(&insn);
- /*
- * The copied instruction uses the %rip-relative addressing
-@@ -394,7 +397,7 @@ int __copy_instruction(u8 *dest, u8 *src)
- *(s32 *) disp = (s32) newdisp;
- }
- #endif
-- return insn.length;
-+ return length;
- }
-
- static int arch_copy_kprobe(struct kprobe *p)
-diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
-index 4ee827d..3cb2b58 100644
---- a/arch/x86/kvm/lapic.c
-+++ b/arch/x86/kvm/lapic.c
-@@ -1064,6 +1064,17 @@ static void update_divide_count(struct kvm_lapic *apic)
- apic->divide_count);
- }
-
-+static void apic_update_lvtt(struct kvm_lapic *apic)
-+{
-+ u32 timer_mode = kvm_apic_get_reg(apic, APIC_LVTT) &
-+ apic->lapic_timer.timer_mode_mask;
-+
-+ if (apic->lapic_timer.timer_mode != timer_mode) {
-+ apic->lapic_timer.timer_mode = timer_mode;
-+ hrtimer_cancel(&apic->lapic_timer.timer);
-+ }
-+}
-+
- static void apic_timer_expired(struct kvm_lapic *apic)
- {
- struct kvm_vcpu *vcpu = apic->vcpu;
-@@ -1272,6 +1283,7 @@ static int apic_reg_write(struct kvm_lapic *apic, u32
reg, u32 val)
- apic_set_reg(apic, APIC_LVTT + 0x10 * i,
- lvt_val | APIC_LVT_MASKED);
- }
-+ apic_update_lvtt(apic);
- atomic_set(&apic->lapic_timer.pending, 0);
-
- }
-@@ -1304,20 +1316,13 @@ static int apic_reg_write(struct kvm_lapic *apic, u32
reg, u32 val)
-
- break;
-
-- case APIC_LVTT: {
-- u32 timer_mode = val & apic->lapic_timer.timer_mode_mask;
--
-- if (apic->lapic_timer.timer_mode != timer_mode) {
-- apic->lapic_timer.timer_mode = timer_mode;
-- hrtimer_cancel(&apic->lapic_timer.timer);
-- }
--
-+ case APIC_LVTT:
- if (!kvm_apic_sw_enabled(apic))
- val |= APIC_LVT_MASKED;
- val &= (apic_lvt_mask[0] | apic->lapic_timer.timer_mode_mask);
- apic_set_reg(apic, APIC_LVTT, val);
-+ apic_update_lvtt(apic);
- break;
-- }
-
- case APIC_TMICT:
- if (apic_lvtt_tscdeadline(apic))
-@@ -1552,7 +1557,7 @@ void kvm_lapic_reset(struct kvm_vcpu *vcpu)
-
- for (i = 0; i < APIC_LVT_NUM; i++)
- apic_set_reg(apic, APIC_LVTT + 0x10 * i, APIC_LVT_MASKED);
-- apic->lapic_timer.timer_mode = 0;
-+ apic_update_lvtt(apic);
- apic_set_reg(apic, APIC_LVT0,
- SET_APIC_DELIVERY_MODE(0, APIC_MODE_EXTINT));
-
-@@ -1778,6 +1783,7 @@ void kvm_apic_post_state_restore(struct kvm_vcpu *vcpu,
-
- apic_update_ppr(apic);
- hrtimer_cancel(&apic->lapic_timer.timer);
-+ apic_update_lvtt(apic);
- update_divide_count(apic);
- start_apic_timer(apic);
- apic->irr_pending = true;
-diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
-index 288547a..f26ebc5 100644
---- a/drivers/bluetooth/ath3k.c
-+++ b/drivers/bluetooth/ath3k.c
-@@ -80,6 +80,7 @@ static const struct usb_device_id ath3k_table[] = {
- { USB_DEVICE(0x0489, 0xe057) },
- { USB_DEVICE(0x0489, 0xe056) },
- { USB_DEVICE(0x0489, 0xe05f) },
-+ { USB_DEVICE(0x0489, 0xe076) },
- { USB_DEVICE(0x0489, 0xe078) },
- { USB_DEVICE(0x04c5, 0x1330) },
- { USB_DEVICE(0x04CA, 0x3004) },
-@@ -111,6 +112,7 @@ static const struct usb_device_id ath3k_table[] = {
- { USB_DEVICE(0x13d3, 0x3408) },
- { USB_DEVICE(0x13d3, 0x3423) },
- { USB_DEVICE(0x13d3, 0x3432) },
-+ { USB_DEVICE(0x13d3, 0x3474) },
-
- /* Atheros AR5BBU12 with sflash firmware */
- { USB_DEVICE(0x0489, 0xE02C) },
-@@ -135,6 +137,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = {
- { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
-@@ -166,6 +169,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = {
- { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
-
- /* Atheros AR5BBU22 with sflash firmware */
- { USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
-diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
-index 2c527da..4fc4157 100644
---- a/drivers/bluetooth/btusb.c
-+++ b/drivers/bluetooth/btusb.c
-@@ -174,6 +174,7 @@ static const struct usb_device_id blacklist_table[] = {
- { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
-@@ -205,6 +206,7 @@ static const struct usb_device_id blacklist_table[] = {
- { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
-
- /* Atheros AR5BBU12 with sflash firmware */
- { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
-diff --git a/drivers/clk/at91/clk-pll.c b/drivers/clk/at91/clk-pll.c
-index 6ec79db..cbbe403 100644
---- a/drivers/clk/at91/clk-pll.c
-+++ b/drivers/clk/at91/clk-pll.c
-@@ -173,8 +173,7 @@ static long clk_pll_get_best_div_mul(struct clk_pll *pll,
unsigned long rate,
- int i = 0;
-
- /* Check if parent_rate is a valid input rate */
-- if (parent_rate < characteristics->input.min ||
-- parent_rate > characteristics->input.max)
-+ if (parent_rate < characteristics->input.min)
- return -ERANGE;
-
- /*
-@@ -187,6 +186,15 @@ static long clk_pll_get_best_div_mul(struct clk_pll *pll,
unsigned long rate,
- if (!mindiv)
- mindiv = 1;
-
-+ if (parent_rate > characteristics->input.max) {
-+ tmpdiv = DIV_ROUND_UP(parent_rate, characteristics->input.max);
-+ if (tmpdiv > PLL_DIV_MAX)
-+ return -ERANGE;
-+
-+ if (tmpdiv > mindiv)
-+ mindiv = tmpdiv;
-+ }
-+
- /*
- * Calculate the maximum divider which is limited by PLL register
- * layout (limited by the MUL or DIV field size).
-diff --git a/drivers/clk/at91/pmc.h b/drivers/clk/at91/pmc.h
-index 69abb08..eb8e5dc 100644
---- a/drivers/clk/at91/pmc.h
-+++ b/drivers/clk/at91/pmc.h
-@@ -121,7 +121,7 @@ extern void __init of_at91sam9x5_clk_smd_setup(struct
device_node *np,
- struct at91_pmc *pmc);
- #endif
-
--#if defined(CONFIG_HAVE_AT91_SMD)
-+#if defined(CONFIG_HAVE_AT91_H32MX)
- extern void __init of_sama5d4_clk_h32mx_setup(struct device_node *np,
- struct at91_pmc *pmc);
- #endif
-diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c
-index f347ab7..08b0da2 100644
---- a/drivers/crypto/caam/caamhash.c
-+++ b/drivers/crypto/caam/caamhash.c
-@@ -1543,6 +1543,8 @@ static int ahash_init(struct ahash_request *req)
-
- state->current_buf = 0;
- state->buf_dma = 0;
-+ state->buflen_0 = 0;
-+ state->buflen_1 = 0;
-
- return 0;
- }
-diff --git a/drivers/crypto/caam/caamrng.c b/drivers/crypto/caam/caamrng.c
-index ae31e55..a48dc25 100644
---- a/drivers/crypto/caam/caamrng.c
-+++ b/drivers/crypto/caam/caamrng.c
-@@ -56,7 +56,7 @@
-
- /* Buffer, its dma address and lock */
- struct buf_data {
-- u8 buf[RN_BUF_SIZE];
-+ u8 buf[RN_BUF_SIZE] ____cacheline_aligned;
- dma_addr_t addr;
- struct completion filled;
- u32 hw_desc[DESC_JOB_O_LEN];
-diff --git a/drivers/gpu/drm/i915/i915_drv.c b/drivers/gpu/drm/i915/i915_drv.c
-index ec4d932..169123a 100644
---- a/drivers/gpu/drm/i915/i915_drv.c
-+++ b/drivers/gpu/drm/i915/i915_drv.c
-@@ -693,6 +693,16 @@ static int i915_drm_resume(struct drm_device *dev)
- intel_init_pch_refclk(dev);
- drm_mode_config_reset(dev);
-
-+ /*
-+ * Interrupts have to be enabled before any batches are run.
-+ * If not the GPU will hang. i915_gem_init_hw() will initiate
-+ * batches to update/restore the context.
-+ *
-+ * Modeset enabling in intel_modeset_init_hw() also needs
-+ * working interrupts.
-+ */
-+ intel_runtime_pm_enable_interrupts(dev_priv);
-+
- mutex_lock(&dev->struct_mutex);
- if (i915_gem_init_hw(dev)) {
- DRM_ERROR("failed to re-initialize GPU, declaring
wedged!\n");
-@@ -700,9 +710,6 @@ static int i915_drm_resume(struct drm_device *dev)
- }
- mutex_unlock(&dev->struct_mutex);
-
-- /* We need working interrupts for modeset enabling ... */
-- intel_runtime_pm_enable_interrupts(dev_priv);
--
- intel_modeset_init_hw(dev);
-
- spin_lock_irq(&dev_priv->irq_lock);
-diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
-index 7a628e4..9536ec3 100644
---- a/drivers/gpu/drm/i915/i915_gem.c
-+++ b/drivers/gpu/drm/i915/i915_gem.c
-@@ -2732,6 +2732,9 @@ void i915_gem_reset(struct drm_device *dev)
- void
- i915_gem_retire_requests_ring(struct intel_engine_cs *ring)
- {
-+ if (list_empty(&ring->request_list))
-+ return;
-+
- WARN_ON(i915_verify_lists(ring->dev));
-
- /* Retire requests first as we use it above for the early return.
-@@ -3088,8 +3091,8 @@ int i915_vma_unbind(struct i915_vma *vma)
- } else if (vma->ggtt_view.pages) {
- sg_free_table(vma->ggtt_view.pages);
- kfree(vma->ggtt_view.pages);
-- vma->ggtt_view.pages = NULL;
- }
-+ vma->ggtt_view.pages = NULL;
- }
-
- drm_mm_remove_node(&vma->node);
-diff --git a/drivers/gpu/drm/mgag200/mgag200_mode.c
b/drivers/gpu/drm/mgag200/mgag200_mode.c
-index 9872ba9..2ffeda3 100644
---- a/drivers/gpu/drm/mgag200/mgag200_mode.c
-+++ b/drivers/gpu/drm/mgag200/mgag200_mode.c
-@@ -1526,6 +1526,11 @@ static int mga_vga_mode_valid(struct drm_connector
*connector,
- return MODE_BANDWIDTH;
- }
-
-+ if ((mode->hdisplay % 8) != 0 || (mode->hsync_start % 8) != 0 ||
-+ (mode->hsync_end % 8) != 0 || (mode->htotal % 8) != 0) {
-+ return MODE_H_ILLEGAL;
-+ }
-+
- if (mode->crtc_hdisplay > 2048 || mode->crtc_hsync_start > 4096 ||
- mode->crtc_hsync_end > 4096 || mode->crtc_htotal > 4096 ||
- mode->crtc_vdisplay > 2048 || mode->crtc_vsync_start > 4096 ||
-diff --git a/drivers/gpu/drm/radeon/radeon_kms.c
b/drivers/gpu/drm/radeon/radeon_kms.c
-index 686411e..b82f2dd 100644
---- a/drivers/gpu/drm/radeon/radeon_kms.c
-+++ b/drivers/gpu/drm/radeon/radeon_kms.c
-@@ -547,6 +547,9 @@ static int radeon_info_ioctl(struct drm_device *dev, void
*data, struct drm_file
- else
- *value = 1;
- break;
-+ case RADEON_INFO_VA_UNMAP_WORKING:
-+ *value = true;
-+ break;
- default:
- DRM_DEBUG_KMS("Invalid request %d\n", info->request);
- return -EINVAL;
-diff --git a/drivers/infiniband/ulp/isert/ib_isert.c
b/drivers/infiniband/ulp/isert/ib_isert.c
-index 147029a..ac72ece 100644
---- a/drivers/infiniband/ulp/isert/ib_isert.c
-+++ b/drivers/infiniband/ulp/isert/ib_isert.c
-@@ -2316,7 +2316,6 @@ isert_build_rdma_wr(struct isert_conn *isert_conn,
struct isert_cmd *isert_cmd,
- page_off = offset % PAGE_SIZE;
-
- send_wr->sg_list = ib_sge;
-- send_wr->num_sge = sg_nents;
- send_wr->wr_id = (uintptr_t)&isert_cmd->tx_desc;
- /*
- * Perform mapping of TCM scatterlist memory ib_sge dma_addr.
-@@ -2336,14 +2335,17 @@ isert_build_rdma_wr(struct isert_conn *isert_conn,
struct isert_cmd *isert_cmd,
- ib_sge->addr, ib_sge->length, ib_sge->lkey);
- page_off = 0;
- data_left -= ib_sge->length;
-+ if (!data_left)
-+ break;
- ib_sge++;
- isert_dbg("Incrementing ib_sge pointer to %p\n", ib_sge);
- }
-
-+ send_wr->num_sge = ++i;
- isert_dbg("Set outgoing sg_list: %p num_sg: %u from TCM SGLs\n",
- send_wr->sg_list, send_wr->num_sge);
-
-- return sg_nents;
-+ return send_wr->num_sge;
- }
-
- static int
-@@ -3311,6 +3313,7 @@ static void isert_free_conn(struct iscsi_conn *conn)
- {
- struct isert_conn *isert_conn = conn->context;
-
-+ isert_wait4flush(isert_conn);
- isert_put_conn(isert_conn);
- }
-
-diff --git a/drivers/md/dm.c b/drivers/md/dm.c
-index 9b4e30a..beda011 100644
---- a/drivers/md/dm.c
-+++ b/drivers/md/dm.c
-@@ -1889,8 +1889,8 @@ static int map_request(struct dm_target *ti, struct
request *rq,
- dm_kill_unmapped_request(rq, r);
- return r;
- }
-- if (IS_ERR(clone))
-- return DM_MAPIO_REQUEUE;
-+ if (r != DM_MAPIO_REMAPPED)
-+ return r;
- if (setup_clone(clone, rq, tio, GFP_KERNEL)) {
- /* -ENOMEM */
- ti->type->release_clone_rq(clone);
-diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
-index 75345c1..5c91df5 100644
---- a/drivers/net/wireless/b43/main.c
-+++ b/drivers/net/wireless/b43/main.c
-@@ -5365,6 +5365,10 @@ static void b43_supported_bands(struct b43_wldev *dev,
bool *have_2ghz_phy,
- *have_5ghz_phy = true;
- return;
- case 0x4321: /* BCM4306 */
-+ /* There are 14e4:4321 PCI devs with 2.4 GHz BCM4321 (N-PHY) */
-+ if (dev->phy.type != B43_PHYTYPE_G)
-+ break;
-+ /* fall through */
- case 0x4313: /* BCM4311 */
- case 0x431a: /* BCM4318 */
- case 0x432a: /* BCM4321 */
-diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
-index 220c0fd..50faef4 100644
---- a/drivers/usb/class/cdc-acm.c
-+++ b/drivers/usb/class/cdc-acm.c
-@@ -1468,6 +1468,11 @@ skip_countries:
- goto alloc_fail8;
- }
-
-+ if (quirks & CLEAR_HALT_CONDITIONS) {
-+ usb_clear_halt(usb_dev, usb_rcvbulkpipe(usb_dev,
epread->bEndpointAddress));
-+ usb_clear_halt(usb_dev, usb_sndbulkpipe(usb_dev,
epwrite->bEndpointAddress));
-+ }
-+
- return 0;
- alloc_fail8:
- if (acm->country_codes) {
-@@ -1747,6 +1752,10 @@ static const struct usb_device_id acm_ids[] = {
- .driver_info = NO_UNION_NORMAL, /* reports zero length descriptor */
- },
-
-+ { USB_DEVICE(0x2912, 0x0001), /* ATOL FPrint */
-+ .driver_info = CLEAR_HALT_CONDITIONS,
-+ },
-+
- /* Nokia S60 phones expose two ACM channels. The first is
- * a modem and is picked up by the standard AT-command
- * information below. The second is 'vendor-specific' but
-diff --git a/drivers/usb/class/cdc-acm.h b/drivers/usb/class/cdc-acm.h
-index ffeb3c8..b3b6c9d 100644
---- a/drivers/usb/class/cdc-acm.h
-+++ b/drivers/usb/class/cdc-acm.h
-@@ -133,3 +133,4 @@ struct acm {
- #define NO_DATA_INTERFACE BIT(4)
- #define IGNORE_DEVICE BIT(5)
- #define QUIRK_CONTROL_LINE_STATE BIT(6)
-+#define CLEAR_HALT_CONDITIONS BIT(7)
-diff --git a/include/uapi/drm/radeon_drm.h b/include/uapi/drm/radeon_drm.h
-index 50d0fb4..76d2ede 100644
---- a/include/uapi/drm/radeon_drm.h
-+++ b/include/uapi/drm/radeon_drm.h
-@@ -1034,6 +1034,7 @@ struct drm_radeon_cs {
- #define RADEON_INFO_VRAM_USAGE 0x1e
- #define RADEON_INFO_GTT_USAGE 0x1f
- #define RADEON_INFO_ACTIVE_CU_COUNT 0x20
-+#define RADEON_INFO_VA_UNMAP_WORKING 0x25
-
- struct drm_radeon_info {
- uint32_t request;
-diff --git a/kernel/trace/trace_events_filter.c
b/kernel/trace/trace_events_filter.c
-index ced69da..7f2e97c 100644
---- a/kernel/trace/trace_events_filter.c
-+++ b/kernel/trace/trace_events_filter.c
-@@ -1369,19 +1369,26 @@ static int check_preds(struct filter_parse_state *ps)
- {
- int n_normal_preds = 0, n_logical_preds = 0;
- struct postfix_elt *elt;
-+ int cnt = 0;
-
- list_for_each_entry(elt, &ps->postfix, list) {
-- if (elt->op == OP_NONE)
-+ if (elt->op == OP_NONE) {
-+ cnt++;
- continue;
-+ }
-
- if (elt->op == OP_AND || elt->op == OP_OR) {
- n_logical_preds++;
-+ cnt--;
- continue;
- }
-+ if (elt->op != OP_NOT)
-+ cnt--;
- n_normal_preds++;
-+ WARN_ON_ONCE(cnt < 0);
- }
-
-- if (!n_normal_preds || n_logical_preds >= n_normal_preds) {
-+ if (cnt != 1 || !n_normal_preds || n_logical_preds >= n_normal_preds) {
- parse_error(ps, FILT_ERR_INVALID_FILTER, 0);
- return -EINVAL;
- }
-diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c
-index 87eff31..60b3100 100644
---- a/sound/pci/hda/patch_sigmatel.c
-+++ b/sound/pci/hda/patch_sigmatel.c
-@@ -100,6 +100,7 @@ enum {
- STAC_HP_ENVY_BASS,
- STAC_HP_BNB13_EQ,
- STAC_HP_ENVY_TS_BASS,
-+ STAC_HP_ENVY_TS_DAC_BIND,
- STAC_92HD83XXX_GPIO10_EAPD,
- STAC_92HD83XXX_MODELS
- };
-@@ -2170,6 +2171,22 @@ static void stac92hd83xxx_fixup_gpio10_eapd(struct
hda_codec *codec,
- spec->eapd_switch = 0;
- }
-
-+static void hp_envy_ts_fixup_dac_bind(struct hda_codec *codec,
-+ const struct hda_fixup *fix,
-+ int action)
-+{
-+ struct sigmatel_spec *spec = codec->spec;
-+ static hda_nid_t preferred_pairs[] = {
-+ 0xd, 0x13,
-+ 0
-+ };
-+
-+ if (action != HDA_FIXUP_ACT_PRE_PROBE)
-+ return;
-+
-+ spec->gen.preferred_dacs = preferred_pairs;
-+}
-+
- static const struct hda_verb hp_bnb13_eq_verbs[] = {
- /* 44.1KHz base */
- { 0x22, 0x7A6, 0x3E },
-@@ -2685,6 +2702,12 @@ static const struct hda_fixup stac92hd83xxx_fixups[] = {
- {}
- },
- },
-+ [STAC_HP_ENVY_TS_DAC_BIND] = {
-+ .type = HDA_FIXUP_FUNC,
-+ .v.func = hp_envy_ts_fixup_dac_bind,
-+ .chained = true,
-+ .chain_id = STAC_HP_ENVY_TS_BASS,
-+ },
- [STAC_92HD83XXX_GPIO10_EAPD] = {
- .type = HDA_FIXUP_FUNC,
- .v.func = stac92hd83xxx_fixup_gpio10_eapd,
-@@ -2763,6 +2786,8 @@ static const struct snd_pci_quirk
stac92hd83xxx_fixup_tbl[] = {
- "HP bNB13", STAC_HP_BNB13_EQ),
- SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x190e,
- "HP ENVY TS", STAC_HP_ENVY_TS_BASS),
-+ SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x1967,
-+ "HP ENVY TS", STAC_HP_ENVY_TS_DAC_BIND),
- SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x1940,
- "HP bNB13", STAC_HP_BNB13_EQ),
- SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x1941,
diff --git a/4.0.7/4420_grsecurity-3.1-4.0.7-201506300712.patch
b/4.0.7/4420_grsecurity-3.1-4.0.7-201507050833.patch
similarity index 99%
rename from 4.0.7/4420_grsecurity-3.1-4.0.7-201506300712.patch
rename to 4.0.7/4420_grsecurity-3.1-4.0.7-201507050833.patch
index 37bee2c..c471dac 100644
--- a/4.0.7/4420_grsecurity-3.1-4.0.7-201506300712.patch
+++ b/4.0.7/4420_grsecurity-3.1-4.0.7-201507050833.patch
@@ -50607,10 +50607,59 @@ index ce2e2cf..f81e500 100644
__u32 protocols;
diff --git a/drivers/nfc/st21nfca/st21nfca.c b/drivers/nfc/st21nfca/st21nfca.c
-index 24d3d24..ff70d28 100644
+index 24d3d24..b662ba0 100644
--- a/drivers/nfc/st21nfca/st21nfca.c
+++ b/drivers/nfc/st21nfca/st21nfca.c
-@@ -588,7 +588,7 @@ static int st21nfca_get_iso14443_3_uid(struct nfc_hci_dev
*hdev, u8 *gate,
+@@ -148,14 +148,14 @@ static int st21nfca_hci_load_session(struct nfc_hci_dev
*hdev)
+ ST21NFCA_DEVICE_MGNT_GATE,
+ ST21NFCA_DEVICE_MGNT_PIPE);
+ if (r < 0)
+- goto free_info;
++ return r;
+
+ /* Get pipe list */
+ r = nfc_hci_send_cmd(hdev, ST21NFCA_DEVICE_MGNT_GATE,
+ ST21NFCA_DM_GETINFO, pipe_list, sizeof(pipe_list),
+ &skb_pipe_list);
+ if (r < 0)
+- goto free_info;
++ return r;
+
+ /* Complete the existing gate_pipe table */
+ for (i = 0; i < skb_pipe_list->len; i++) {
+@@ -181,6 +181,7 @@ static int st21nfca_hci_load_session(struct nfc_hci_dev
*hdev)
+ info->src_host_id != ST21NFCA_ESE_HOST_ID) {
+ pr_err("Unexpected apdu_reader pipe on host %x\n",
+ info->src_host_id);
++ kfree_skb(skb_pipe_info);
+ continue;
+ }
+
+@@ -200,6 +201,7 @@ static int st21nfca_hci_load_session(struct nfc_hci_dev
*hdev)
+ hdev->pipes[st21nfca_gates[j].pipe].dest_host =
+ info->src_host_id;
+ }
++ kfree_skb(skb_pipe_info);
+ }
+
+ /*
+@@ -214,13 +216,12 @@ static int st21nfca_hci_load_session(struct nfc_hci_dev
*hdev)
+ st21nfca_gates[i].gate,
+ st21nfca_gates[i].pipe);
+ if (r < 0)
+- goto free_info;
++ goto free_list;
+ }
+ }
+
+ memcpy(hdev->init_data.gates, st21nfca_gates, sizeof(st21nfca_gates));
+-free_info:
+- kfree_skb(skb_pipe_info);
++free_list:
+ kfree_skb(skb_pipe_list);
+ return r;
+ }
+@@ -588,7 +589,7 @@ static int st21nfca_get_iso14443_3_uid(struct nfc_hci_dev
*hdev, u8 *gate,
goto exit;
}
@@ -55636,6 +55685,19 @@ index 8cfc319..4868255 100644
return 0;
}
+diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
+index 0495c94..289e201 100644
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -571,7 +571,7 @@ static struct config_group *function_make(
+ if (IS_ERR(fi))
+ return ERR_CAST(fi);
+
+- ret = config_item_set_name(&fi->group.cg_item, name);
++ ret = config_item_set_name(&fi->group.cg_item, "%s", name);
+ if (ret) {
+ usb_put_function_instance(fi);
+ return ERR_PTR(ret);
diff --git a/drivers/usb/gadget/function/f_uac1.c
b/drivers/usb/gadget/function/f_uac1.c
index 9719abf..789d5d9 100644
--- a/drivers/usb/gadget/function/f_uac1.c
@@ -68286,6 +68348,28 @@ index cf0db00..c7f70e8 100644
/*
* We'll have a dentry and an inode for
+diff --git a/fs/configfs/item.c b/fs/configfs/item.c
+index e65f9ff..3ed264d 100644
+--- a/fs/configfs/item.c
++++ b/fs/configfs/item.c
+@@ -116,7 +116,7 @@ void config_item_init_type_name(struct config_item *item,
+ const char *name,
+ struct config_item_type *type)
+ {
+- config_item_set_name(item, name);
++ config_item_set_name(item, "%s", name);
+ item->ci_type = type;
+ config_item_init(item);
+ }
+@@ -125,7 +125,7 @@ EXPORT_SYMBOL(config_item_init_type_name);
+ void config_group_init_type_name(struct config_group *group, const char *name,
+ struct config_item_type *type)
+ {
+- config_item_set_name(&group->cg_item, name);
++ config_item_set_name(&group->cg_item, "%s", name);
+ group->cg_item.ci_type = type;
+ config_group_init(group);
+ }
diff --git a/fs/coredump.c b/fs/coredump.c
index bbbe139..b76fae5 100644
--- a/fs/coredump.c
@@ -81317,7 +81401,7 @@ index 0000000..8ee8e4f
+}
diff --git a/grsecurity/gracl_ip.c b/grsecurity/gracl_ip.c
new file mode 100644
-index 0000000..f056b81
+index 0000000..ed6ee43
--- /dev/null
+++ b/grsecurity/gracl_ip.c
@@ -0,0 +1,386 @@
@@ -81391,7 +81475,7 @@ index 0000000..f056b81
+ "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom",
"bridge", "atmpvc", "x25",
+ "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink",
"packet", "ash",
+ "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc",
"fam_27", "fam_28",
-+ "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154",
"ciaf"
++ "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154",
"ciaf", "alg", "nfc", "vsock"
+ };
+
+const char *
@@ -89034,9 +89118,18 @@ index 5d5aaae..0ea9b84 100644
extern bool completion_done(struct completion *x);
diff --git a/include/linux/configfs.h b/include/linux/configfs.h
-index 34025df..d94bbbc 100644
+index 34025df..2a6ee32 100644
--- a/include/linux/configfs.h
+++ b/include/linux/configfs.h
+@@ -64,7 +64,7 @@ struct config_item {
+ struct dentry *ci_dentry;
+ };
+
+-extern int config_item_set_name(struct config_item *, const char *, ...);
++extern __printf(2, 3) int config_item_set_name(struct config_item *, const
char *, ...);
+
+ static inline char *config_item_name(struct config_item * item)
+ {
@@ -125,7 +125,7 @@ struct configfs_attribute {
const char *ca_name;
struct module *ca_owner;
