Hello community,
here is the log from the commit of package kernel-source for openSUSE:Factory
checked in at 2016-08-20 12:26:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kernel-source (Old)
and /work/SRC/openSUSE:Factory/.kernel-source.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source"
Changes:
--------
--- /work/SRC/openSUSE:Factory/kernel-source/kernel-debug.changes
2016-08-13 18:29:33.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.kernel-source.new/kernel-debug.changes
2016-08-20 12:26:51.000000000 +0200
@@ -1,0 +2,26 @@
+Tue Aug 16 16:32:45 CEST 2016 - jsl...@suse.cz
+
+- Linux 4.7.1 (CVE-2016-6516 bsc#991604).
+- Delete
+ patches.fixes/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl.
+- commit 61bf3f1
+
+-------------------------------------------------------------------
+Tue Aug 9 14:49:30 CEST 2016 - jthumsh...@suse.de
+
+- aacraid: Check size values after double-fetch from user
+ (CVE-2016-6480 bsc#991608).
+- Delete
+
patches.drivers/0001-aacraid-prevent-out-of-bounds-access-due-to-changing.patch.
+- commit 39024c1
+
+-------------------------------------------------------------------
+Fri Aug 5 10:50:53 CEST 2016 - jsl...@suse.cz
+
+- rpm/constraints.in: set memory minimum for binaries
+ Binary packages are sometimes built on machines with 1G. For example
+ one arm build ran in a VM with -smp 1 -m 1024. And it caused OOMs.
+ So set the minimal memory to 2G for all archs.
+- commit b3acaa2
+
+-------------------------------------------------------------------
kernel-default.changes: same change
kernel-docs.changes: same change
kernel-lpae.changes: same change
kernel-obs-build.changes: same change
kernel-obs-qa.changes: same change
kernel-pae.changes: same change
kernel-source.changes: same change
kernel-syms.changes: same change
kernel-vanilla.changes: same change
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ kernel-debug.spec ++++++
--- /var/tmp/diff_new_pack.tvfvNR/_old 2016-08-20 12:26:55.000000000 +0200
+++ /var/tmp/diff_new_pack.tvfvNR/_new 2016-08-20 12:26:55.000000000 +0200
@@ -20,7 +20,7 @@
# needssslcertforbuild
%define srcversion 4.7
-%define patchversion 4.7.0
+%define patchversion 4.7.1
%define variant %{nil}
%define vanilla_only 0
@@ -61,9 +61,9 @@
Summary: A Debug Version of the Kernel
License: GPL-2.0
Group: System/Kernel
-Version: 4.7.0
+Version: 4.7.1
%if 0%{?is_kotd}
-Release: <RELEASE>.gdf207c0
+Release: <RELEASE>.g61bf3f1
%else
Release: 0
%endif
kernel-default.spec: same change
++++++ kernel-docs.spec ++++++
--- /var/tmp/diff_new_pack.tvfvNR/_old 2016-08-20 12:26:55.000000000 +0200
+++ /var/tmp/diff_new_pack.tvfvNR/_new 2016-08-20 12:26:55.000000000 +0200
@@ -16,7 +16,7 @@
#
-%define patchversion 4.7.0
+%define patchversion 4.7.1
%define variant %{nil}
%include %_sourcedir/kernel-spec-macros
@@ -27,9 +27,9 @@
Summary: Kernel Documentation (man pages)
License: GPL-2.0
Group: Documentation/Man
-Version: 4.7.0
+Version: 4.7.1
%if 0%{?is_kotd}
-Release: <RELEASE>.gdf207c0
+Release: <RELEASE>.g61bf3f1
%else
Release: 0
%endif
++++++ kernel-lpae.spec ++++++
--- /var/tmp/diff_new_pack.tvfvNR/_old 2016-08-20 12:26:55.000000000 +0200
+++ /var/tmp/diff_new_pack.tvfvNR/_new 2016-08-20 12:26:55.000000000 +0200
@@ -20,7 +20,7 @@
# needssslcertforbuild
%define srcversion 4.7
-%define patchversion 4.7.0
+%define patchversion 4.7.1
%define variant %{nil}
%define vanilla_only 0
@@ -61,9 +61,9 @@
Summary: Kernel for LPAE enabled systems
License: GPL-2.0
Group: System/Kernel
-Version: 4.7.0
+Version: 4.7.1
%if 0%{?is_kotd}
-Release: <RELEASE>.gdf207c0
+Release: <RELEASE>.g61bf3f1
%else
Release: 0
%endif
++++++ kernel-obs-build.spec ++++++
--- /var/tmp/diff_new_pack.tvfvNR/_old 2016-08-20 12:26:55.000000000 +0200
+++ /var/tmp/diff_new_pack.tvfvNR/_new 2016-08-20 12:26:55.000000000 +0200
@@ -19,7 +19,7 @@
#!BuildIgnore: post-build-checks
-%define patchversion 4.7.0
+%define patchversion 4.7.1
%define variant %{nil}
%include %_sourcedir/kernel-spec-macros
@@ -51,9 +51,9 @@
Summary: package kernel and initrd for OBS VM builds
License: GPL-2.0
Group: SLES
-Version: 4.7.0
+Version: 4.7.1
%if 0%{?is_kotd}
-Release: <RELEASE>.gdf207c0
+Release: <RELEASE>.g61bf3f1
%else
Release: 0
%endif
++++++ kernel-obs-qa.spec ++++++
--- /var/tmp/diff_new_pack.tvfvNR/_old 2016-08-20 12:26:55.000000000 +0200
+++ /var/tmp/diff_new_pack.tvfvNR/_new 2016-08-20 12:26:55.000000000 +0200
@@ -17,7 +17,7 @@
# needsrootforbuild
-%define patchversion 4.7.0
+%define patchversion 4.7.1
%define variant %{nil}
%include %_sourcedir/kernel-spec-macros
@@ -36,9 +36,9 @@
Summary: Basic QA tests for the kernel
License: GPL-2.0
Group: SLES
-Version: 4.7.0
+Version: 4.7.1
%if 0%{?is_kotd}
-Release: <RELEASE>.gdf207c0
+Release: <RELEASE>.g61bf3f1
%else
Release: 0
%endif
++++++ kernel-pae.spec ++++++
--- /var/tmp/diff_new_pack.tvfvNR/_old 2016-08-20 12:26:55.000000000 +0200
+++ /var/tmp/diff_new_pack.tvfvNR/_new 2016-08-20 12:26:55.000000000 +0200
@@ -20,7 +20,7 @@
# needssslcertforbuild
%define srcversion 4.7
-%define patchversion 4.7.0
+%define patchversion 4.7.1
%define variant %{nil}
%define vanilla_only 0
@@ -61,9 +61,9 @@
Summary: Kernel with PAE Support
License: GPL-2.0
Group: System/Kernel
-Version: 4.7.0
+Version: 4.7.1
%if 0%{?is_kotd}
-Release: <RELEASE>.gdf207c0
+Release: <RELEASE>.g61bf3f1
%else
Release: 0
%endif
++++++ kernel-source.spec ++++++
--- /var/tmp/diff_new_pack.tvfvNR/_old 2016-08-20 12:26:55.000000000 +0200
+++ /var/tmp/diff_new_pack.tvfvNR/_new 2016-08-20 12:26:55.000000000 +0200
@@ -18,7 +18,7 @@
%define srcversion 4.7
-%define patchversion 4.7.0
+%define patchversion 4.7.1
%define variant %{nil}
%define vanilla_only 0
@@ -30,9 +30,9 @@
Summary: The Linux Kernel Sources
License: GPL-2.0
Group: Development/Sources
-Version: 4.7.0
+Version: 4.7.1
%if 0%{?is_kotd}
-Release: <RELEASE>.gdf207c0
+Release: <RELEASE>.g61bf3f1
%else
Release: 0
%endif
++++++ kernel-syms.spec ++++++
--- /var/tmp/diff_new_pack.tvfvNR/_old 2016-08-20 12:26:56.000000000 +0200
+++ /var/tmp/diff_new_pack.tvfvNR/_new 2016-08-20 12:26:56.000000000 +0200
@@ -24,10 +24,10 @@
Summary: Kernel Symbol Versions (modversions)
License: GPL-2.0
Group: Development/Sources
-Version: 4.7.0
+Version: 4.7.1
%if %using_buildservice
%if 0%{?is_kotd}
-Release: <RELEASE>.gdf207c0
+Release: <RELEASE>.g61bf3f1
%else
Release: 0
%endif
++++++ kernel-vanilla.spec ++++++
--- /var/tmp/diff_new_pack.tvfvNR/_old 2016-08-20 12:26:56.000000000 +0200
+++ /var/tmp/diff_new_pack.tvfvNR/_new 2016-08-20 12:26:56.000000000 +0200
@@ -20,7 +20,7 @@
# needssslcertforbuild
%define srcversion 4.7
-%define patchversion 4.7.0
+%define patchversion 4.7.1
%define variant %{nil}
%define vanilla_only 0
@@ -61,9 +61,9 @@
Summary: The Standard Kernel - without any SUSE patches
License: GPL-2.0
Group: System/Kernel
-Version: 4.7.0
+Version: 4.7.1
%if 0%{?is_kotd}
-Release: <RELEASE>.gdf207c0
+Release: <RELEASE>.g61bf3f1
%else
Release: 0
%endif
++++++ _constraints ++++++
--- /var/tmp/diff_new_pack.tvfvNR/_old 2016-08-20 12:26:56.000000000 +0200
+++ /var/tmp/diff_new_pack.tvfvNR/_new 2016-08-20 12:26:56.000000000 +0200
@@ -12,6 +12,9 @@
<disk>
<size unit="G">25</size>
</disk>
+ <memory>
+ <size unit="G">2</size>
+ </memory>
</hardware>
</overwrite>
++++++ constraints.in ++++++
--- /var/tmp/diff_new_pack.tvfvNR/_old 2016-08-20 12:26:56.000000000 +0200
+++ /var/tmp/diff_new_pack.tvfvNR/_new 2016-08-20 12:26:56.000000000 +0200
@@ -8,6 +8,9 @@
<disk>
<size unit="G">25</size>
</disk>
+ <memory>
+ <size unit="G">2</size>
+ </memory>
</hardware>
</overwrite>
++++++ patches.drivers.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/patches.drivers/0001-aacraid-prevent-out-of-bounds-access-due-to-changing.patch
new/patches.drivers/0001-aacraid-prevent-out-of-bounds-access-due-to-changing.patch
---
old/patches.drivers/0001-aacraid-prevent-out-of-bounds-access-due-to-changing.patch
2016-08-04 13:26:54.000000000 +0200
+++
new/patches.drivers/0001-aacraid-prevent-out-of-bounds-access-due-to-changing.patch
1970-01-01 01:00:00.000000000 +0100
@@ -1,43 +0,0 @@
-From 91a99cf6b049d5c7cae8f0fab479c2147b5d951d Mon Sep 17 00:00:00 2001
-From: Johannes Thumshirn <jthumsh...@suse.de>
-Date: Thu, 4 Aug 2016 09:38:44 +0200
-Subject: [PATCH] aacraid: prevent out-of-bounds access due to changing fip
header sizes
-References: bsc#991608, CVE-2016-6480
-Patch-mainline: Submitted to linux-s...@vger.kernel.org at 04-08-2016
-
-In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
-get the fib header's size and one for the fib itself. Later we use the
-size field from the second fetch to further process the fib. If for some
-reason the size from the second fetch is different than from the first
-fix, we may encounter an out-of-bounds access in aac_fib_send(). This was
-reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
-assigned CVE-2016-6480.
-
-Reported-by: Pengfei Wang <wpengfein...@gmail.com>
-Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
-Cc: sta...@vger.kernel.org
-Signed-off-by: Johannes Thumshirn <jthumsh...@suse.de>
----
- drivers/scsi/aacraid/commctrl.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
-index 4b3bb52..2d4acd1 100644
---- a/drivers/scsi/aacraid/commctrl.c
-+++ b/drivers/scsi/aacraid/commctrl.c
-@@ -118,6 +118,12 @@ static int ioctl_send_fib(struct aac_dev * dev, void
__user *arg)
- goto cleanup;
- }
-
-+ if (size != le16_to_cpu(kfib->header.Size)
-+ + sizeof(struct aac_fibhdr)) {
-+ retval = -EINVAL;
-+ goto cleanup;
-+ }
-+
- if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
- aac_adapter_interrupt(dev);
- /*
---
-1.8.5.6
-
++++++ patches.fixes.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/patches.fixes/aacraid-check-size-values-after-double-fetch-from-user.patch
new/patches.fixes/aacraid-check-size-values-after-double-fetch-from-user.patch
---
old/patches.fixes/aacraid-check-size-values-after-double-fetch-from-user.patch
1970-01-01 01:00:00.000000000 +0100
+++
new/patches.fixes/aacraid-check-size-values-after-double-fetch-from-user.patch
2016-08-16 16:32:45.000000000 +0200
@@ -0,0 +1,66 @@
+From: Dave Carroll <david.carr...@microsemi.com>
+Date: Fri, 5 Aug 2016 13:44:10 -0600
+Subject: aacraid: Check size values after double-fetch from user
+Git-commit: fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3
+Patch-mainline: v4.8-rc2
+References: CVE-2016-6480 bsc#991608
+
+In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
+get the fib header's size and one for the fib itself. Later we use the
+size field from the second fetch to further process the fib. If for some
+reason the size from the second fetch is different than from the first
+fix, we may encounter an out-of- bounds access in aac_fib_send(). We
+also check the sender size to insure it is not out of bounds. This was
+reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
+assigned CVE-2016-6480.
+
+Reported-by: Pengfei Wang <wpengfein...@gmail.com>
+Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
+Cc: sta...@vger.kernel.org
+Signed-off-by: Dave Carroll <david.carr...@microsemi.com>
+Reviewed-by: Johannes Thumshirn <jthumsh...@suse.de>
+Signed-off-by: Martin K. Petersen <martin.peter...@oracle.com>
+Acked-by: Johannes Thumshirn <jthumsh...@suse.com>
+---
+ drivers/scsi/aacraid/commctrl.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
+index b381b37..5648b71 100644
+--- a/drivers/scsi/aacraid/commctrl.c
++++ b/drivers/scsi/aacraid/commctrl.c
+@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user
*arg)
+ struct fib *fibptr;
+ struct hw_fib * hw_fib = (struct hw_fib *)0;
+ dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
+- unsigned size;
++ unsigned int size, osize;
+ int retval;
+
+ if (dev->in_reset) {
+@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user
*arg)
+ * will not overrun the buffer when we copy the memory. Return
+ * an error if we would.
+ */
+- size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
++ osize = size = le16_to_cpu(kfib->header.Size) +
++ sizeof(struct aac_fibhdr);
+ if (size < le16_to_cpu(kfib->header.SenderSize))
+ size = le16_to_cpu(kfib->header.SenderSize);
+ if (size > dev->max_fib_size) {
+@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev * dev, void
__user *arg)
+ goto cleanup;
+ }
+
++ /* Sanity check the second copy */
++ if ((osize != le16_to_cpu(kfib->header.Size) +
++ sizeof(struct aac_fibhdr))
++ || (size < le16_to_cpu(kfib->header.SenderSize))) {
++ retval = -EINVAL;
++ goto cleanup;
++ }
++
+ if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
+ aac_adapter_interrupt(dev);
+ /*
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/patches.fixes/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl
new/patches.fixes/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl
--- old/patches.fixes/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl
2016-08-04 14:36:10.000000000 +0200
+++ new/patches.fixes/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl
1970-01-01 01:00:00.000000000 +0100
@@ -1,30 +0,0 @@
-From 10eec60ce79187686e052092e5383c99b4420a20 Mon Sep 17 00:00:00 2001
-From: Scott Bauer <sba...@plzdonthack.me>
-Date: Wed, 27 Jul 2016 19:11:29 -0600
-Subject: [PATCH] vfs: ioctl: prevent double-fetch in dedupe ioctl
-Patch-mainline: 4.8-rc1
-Git-commit: 10eec60ce79187686e052092e5383c99b4420a20
-References: CVE-2016-6516,bsc#991604
-
-This prevents a double-fetch from user space that can lead to to an
-undersized allocation and heap overflow.
-
-Fixes: 54dbc1517237 ("vfs: hoist the btrfs deduplication ioctl to the vfs")
-Signed-off-by: Scott Bauer <sba...@plzdonthack.me>
-Signed-off-by: Linus Torvalds <torva...@linux-foundation.org>
-Acked-by: Takashi Iwai <ti...@suse.de>
-
----
- fs/ioctl.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/fs/ioctl.c
-+++ b/fs/ioctl.c
-@@ -590,6 +590,7 @@ static long ioctl_file_dedupe_range(stru
- goto out;
- }
-
-+ same->dest_count = count;
- ret = vfs_dedupe_file_range(file, same);
- if (ret)
- goto out;
++++++ patches.kernel.org.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/patches.kernel.org/patch-4.7.1
new/patches.kernel.org/patch-4.7.1
--- old/patches.kernel.org/patch-4.7.1 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.kernel.org/patch-4.7.1 2016-08-16 16:32:45.000000000 +0200
@@ -0,0 +1,1189 @@
+From: Jiri Slaby <jsl...@suse.cz>
+Subject: Linux 4.7.1
+Patch-mainline: 4.7.1
+References: CVE-2016-6516 bsc#991604
+Git-commit: 554a5ccc4e4a20c5f3ec859de0842db4b4b9c77e
+Git-commit: c65d5c6c81a1f27dec5f627f67840726fcd146de
+Git-commit: 5b9554dc5bf008ae7f68a52e3d7e76c0920938a2
+Git-commit: 6a7fd522a7c94cdef0a3b08acf8e6702056e635c
+Git-commit: 646caa9c8e196880b41cd3e3d33a2ebc752bdb85
+Git-commit: f70749ca42943faa4d4dcce46dfdcaadb1d0c4b6
+Git-commit: c2c1659b4f8f9e19fe82a4fd06cca4b3d59090ce
+Git-commit: 5f070e81bee35f1b7bd1477bb223a873ff657803
+Git-commit: b30bdfa86431afbafe15284a3ad5ac19b49b88e3
+Git-commit: da7d3abe1c9e5ebac2cf86f97e9e89888a5e2094
+Git-commit: 47be61845c775643f1aa4d2a54343549f943c94c
+Git-commit: 4e390b2b2f34b8daaabf2df1df0cf8f798b87ddb
+Git-commit: 9446385f05c9af25fed53dbed3cc75763730be52
+Git-commit: 9ebce595f63a407c5cec98f98f9da8459b73740a
+Git-commit: ac7f052b9e1534c8248f814b6f0068ad8d4a06d2
+Git-commit: 4ce827b4cc58bec7952591b96cce2b28553e4d5b
+Git-commit: 4b703305d98bf7350d4b2953ee39a3aa2eeb1778
+Git-commit: 05eb6e7263185a6bb0de9501ccf2addc52429414
+Git-commit: 9b24fef9f0410fb5364245d6cc2bd044cc064007
+Git-commit: 77da160530dd1dc94f6ae15a981f24e5f0021e84
+Git-commit: f7d665627e103e82d34306c7d3f6f46f387c0d8b
+Git-commit: 615d66c37c755c49ce022c9e5ac0875d27d2603d
+Git-commit: 1f47b61fb4077936465dcde872a4e5cc4fe708da
+Git-commit: 86a574de4590ffe6fd3f3ca34cdcf655a78e36ec
+Git-commit: 0b938a2e2cf0b0a2c8bac9769111545aff0fee97
+Git-commit: a154a8cd080b437969ef194dee365bbb60a3b38a
+Git-commit: 20f06ed9f61a185c6dabd662c310bed6189470df
+Git-commit: 7de249964f5578e67b99699c5f0b405738d820a2
+Git-commit: f626300a3e776ccc9671b0dd94698fb3aa315966
+Git-commit: e3a3b626010a14fe067f163c2c43409d5afcd2a9
+Git-commit: 59d3f1ceb69b54569685d0c34dff16a1e0816b19
+Git-commit: 5fc382d87517707ad77ea4c9c12e2a3fde2c838a
+Git-commit: d3e6952cfb7ba5f4bfa29d4803ba91f96ce1204d
+Git-commit: eefc1b1d105ee4d2ce907833ce675f1e9599b5e3
+Git-commit: ea06f7176413e2538d13bb85b65387d0917943d9
+Git-commit: baedbe55884c003819f5c8c063ec3d2569414296
+Git-commit: 1533e77315220dc1d5ec3bd6d9fe32e2aa0a74c0
+Git-commit: ba66bbe5480a012108958a71cff88b23dce84956
+Git-commit: c1892c37769cf89c7e7ba57528ae2ccb5d153c9b
+Git-commit: 10eec60ce79187686e052092e5383c99b4420a20
+Git-commit: 7bc9491645118c9461bd21099c31755ff6783593
+
+Signed-off-by: Jiri Slaby <jsl...@suse.cz>
+---
+diff --git a/Documentation/cpu-freq/pcc-cpufreq.txt
b/Documentation/cpu-freq/pcc-cpufreq.txt
+index 0a94224ad296..9e3c3b33514c 100644
+--- a/Documentation/cpu-freq/pcc-cpufreq.txt
++++ b/Documentation/cpu-freq/pcc-cpufreq.txt
+@@ -159,8 +159,8 @@ to be strictly associated with a P-state.
+
+ 2.2 cpuinfo_transition_latency:
+ -------------------------------
+-The cpuinfo_transition_latency field is CPUFREQ_ETERNAL. The PCC specification
+-does not include a field to expose this value currently.
++The cpuinfo_transition_latency field is 0. The PCC specification does
++not include a field to expose this value currently.
+
+ 2.3 cpuinfo_cur_freq:
+ ---------------------
+diff --git a/Makefile b/Makefile
+index 66da9a38b13b..84335c0b2eda 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 7
+-SUBLEVEL = 0
++SUBLEVEL = 1
+ EXTRAVERSION =
+ NAME = Psychotic Stoned Sheep
+
+diff --git a/arch/arm/kernel/sys_oabi-compat.c
b/arch/arm/kernel/sys_oabi-compat.c
+index 087acb569b63..5f221acd21ae 100644
+--- a/arch/arm/kernel/sys_oabi-compat.c
++++ b/arch/arm/kernel/sys_oabi-compat.c
+@@ -279,8 +279,12 @@ asmlinkage long sys_oabi_epoll_wait(int epfd,
+ mm_segment_t fs;
+ long ret, err, i;
+
+- if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event)))
++ if (maxevents <= 0 ||
++ maxevents > (INT_MAX/sizeof(*kbuf)) ||
++ maxevents > (INT_MAX/sizeof(*events)))
+ return -EINVAL;
++ if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
++ return -EFAULT;
+ kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL);
+ if (!kbuf)
+ return -ENOMEM;
+@@ -317,6 +321,8 @@ asmlinkage long sys_oabi_semtimedop(int semid,
+
+ if (nsops < 1 || nsops > SEMOPM)
+ return -EINVAL;
++ if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
++ return -EFAULT;
+ sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
+ if (!sops)
+ return -ENOMEM;
+diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S
+index 9c0b387d6427..51d3988933f8 100644
+--- a/arch/mips/kernel/scall64-n32.S
++++ b/arch/mips/kernel/scall64-n32.S
+@@ -348,7 +348,7 @@ EXPORT(sysn32_call_table)
+ PTR sys_ni_syscall /* available, was setaltroot */
+ PTR sys_add_key
+ PTR sys_request_key
+- PTR sys_keyctl /* 6245 */
++ PTR compat_sys_keyctl /* 6245 */
+ PTR sys_set_thread_area
+ PTR sys_inotify_init
+ PTR sys_inotify_add_watch
+diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
+index f4f28b1580de..6efa7136748f 100644
+--- a/arch/mips/kernel/scall64-o32.S
++++ b/arch/mips/kernel/scall64-o32.S
+@@ -504,7 +504,7 @@ EXPORT(sys32_call_table)
+ PTR sys_ni_syscall /* available, was setaltroot */
+ PTR sys_add_key /* 4280 */
+ PTR sys_request_key
+- PTR sys_keyctl
++ PTR compat_sys_keyctl
+ PTR sys_set_thread_area
+ PTR sys_inotify_init
+ PTR sys_inotify_add_watch /* 4285 */
+diff --git a/arch/x86/entry/syscalls/syscall_32.tbl
b/arch/x86/entry/syscalls/syscall_32.tbl
+index 4cddd17153fb..f848572169ea 100644
+--- a/arch/x86/entry/syscalls/syscall_32.tbl
++++ b/arch/x86/entry/syscalls/syscall_32.tbl
+@@ -294,7 +294,7 @@
+ # 285 sys_setaltroot
+ 286 i386 add_key sys_add_key
+ 287 i386 request_key sys_request_key
+-288 i386 keyctl sys_keyctl
++288 i386 keyctl sys_keyctl
compat_sys_keyctl
+ 289 i386 ioprio_set sys_ioprio_set
+ 290 i386 ioprio_get sys_ioprio_get
+ 291 i386 inotify_init sys_inotify_init
+diff --git a/arch/x86/include/asm/microcode.h
b/arch/x86/include/asm/microcode.h
+index 9d3a96c4da78..01c2d14ec05f 100644
+--- a/arch/x86/include/asm/microcode.h
++++ b/arch/x86/include/asm/microcode.h
+@@ -133,13 +133,11 @@ static inline unsigned int x86_cpuid_family(void)
+ #ifdef CONFIG_MICROCODE
+ extern void __init load_ucode_bsp(void);
+ extern void load_ucode_ap(void);
+-extern int __init save_microcode_in_initrd(void);
+ void reload_early_microcode(void);
+ extern bool get_builtin_firmware(struct cpio_data *cd, const char *name);
+ #else
+ static inline void __init load_ucode_bsp(void) { }
+ static inline void load_ucode_ap(void) { }
+-static inline int __init save_microcode_in_initrd(void) {
return 0; }
+ static inline void reload_early_microcode(void) { }
+ static inline bool
+ get_builtin_firmware(struct cpio_data *cd, const char *name) { return false;
}
+diff --git a/arch/x86/kernel/cpu/microcode/core.c
b/arch/x86/kernel/cpu/microcode/core.c
+index ac360bfbbdb6..12823b6ebd6d 100644
+--- a/arch/x86/kernel/cpu/microcode/core.c
++++ b/arch/x86/kernel/cpu/microcode/core.c
+@@ -175,7 +175,7 @@ void load_ucode_ap(void)
+ }
+ }
+
+-int __init save_microcode_in_initrd(void)
++static int __init save_microcode_in_initrd(void)
+ {
+ struct cpuinfo_x86 *c = &boot_cpu_data;
+
+@@ -691,4 +691,5 @@ int __init microcode_init(void)
+ return error;
+
+ }
++fs_initcall(save_microcode_in_initrd);
+ late_initcall(microcode_init);
+diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
+index 372aad2b3291..dffd162db0a4 100644
+--- a/arch/x86/mm/init.c
++++ b/arch/x86/mm/init.c
+@@ -696,13 +696,6 @@ void free_initmem(void)
+ void __init free_initrd_mem(unsigned long start, unsigned long end)
+ {
+ /*
+- * Remember, initrd memory may contain microcode or other useful things.
+- * Before we lose initrd mem, we need to find a place to hold them
+- * now that normal virtual memory is enabled.
+- */
+- save_microcode_in_initrd();
+-
+- /*
+ * end could be not aligned, and We can not align that,
+ * decompresser could be confused by aligned initrd_end
+ * We already reserve the end partial page before in
+diff --git a/arch/x86/power/hibernate_asm_64.S
b/arch/x86/power/hibernate_asm_64.S
+index 3177c2bc26f6..8eee0e9c93f0 100644
+--- a/arch/x86/power/hibernate_asm_64.S
++++ b/arch/x86/power/hibernate_asm_64.S
+@@ -24,7 +24,6 @@
+ #include <asm/frame.h>
+
+ ENTRY(swsusp_arch_suspend)
+- FRAME_BEGIN
+ movq $saved_context, %rax
+ movq %rsp, pt_regs_sp(%rax)
+ movq %rbp, pt_regs_bp(%rax)
+@@ -48,6 +47,7 @@ ENTRY(swsusp_arch_suspend)
+ movq %cr3, %rax
+ movq %rax, restore_cr3(%rip)
+
++ FRAME_BEGIN
+ call swsusp_save
+ FRAME_END
+ ret
+@@ -104,7 +104,6 @@ ENTRY(core_restore_code)
+ /* code below belongs to the image kernel */
+ .align PAGE_SIZE
+ ENTRY(restore_registers)
+- FRAME_BEGIN
+ /* go back to the original page tables */
+ movq %r9, %cr3
+
+@@ -145,6 +144,5 @@ ENTRY(restore_registers)
+ /* tell the hibernation core that we've just restored the memory */
+ movq %rax, in_suspend(%rip)
+
+- FRAME_END
+ ret
+ ENDPROC(restore_registers)
+diff --git a/block/genhd.c b/block/genhd.c
+index 9f42526b4d62..3eebd256b765 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -856,6 +856,7 @@ static void disk_seqf_stop(struct seq_file *seqf, void *v)
+ if (iter) {
+ class_dev_iter_exit(iter);
+ kfree(iter);
++ seqf->private = NULL;
+ }
+ }
+
+diff --git a/crypto/gcm.c b/crypto/gcm.c
+index bec329b3de8d..d9ea5f9c0574 100644
+--- a/crypto/gcm.c
++++ b/crypto/gcm.c
+@@ -639,7 +639,9 @@ static int crypto_gcm_create_common(struct crypto_template
*tmpl,
+
+ ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type,
+ CRYPTO_ALG_TYPE_HASH,
+- CRYPTO_ALG_TYPE_AHASH_MASK);
++ CRYPTO_ALG_TYPE_AHASH_MASK |
++ crypto_requires_sync(algt->type,
++ algt->mask));
+ if (IS_ERR(ghash_alg))
+ return PTR_ERR(ghash_alg);
+
+diff --git a/crypto/scatterwalk.c b/crypto/scatterwalk.c
+index ea5815c5e128..bc769c448d4a 100644
+--- a/crypto/scatterwalk.c
++++ b/crypto/scatterwalk.c
+@@ -72,7 +72,8 @@ static void scatterwalk_pagedone(struct scatter_walk *walk,
int out,
+
+ void scatterwalk_done(struct scatter_walk *walk, int out, int more)
+ {
+- if (!(scatterwalk_pagelen(walk) & (PAGE_SIZE - 1)) || !more)
++ if (!more || walk->offset >= walk->sg->offset + walk->sg->length ||
++ !(walk->offset & (PAGE_SIZE - 1)))
+ scatterwalk_pagedone(walk, out, more);
+ }
+ EXPORT_SYMBOL_GPL(scatterwalk_done);
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index 0158d3bff7e5..87ab9f6b4112 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -723,15 +723,18 @@ retry:
+ }
+ }
+
+-static void credit_entropy_bits_safe(struct entropy_store *r, int nbits)
++static int credit_entropy_bits_safe(struct entropy_store *r, int nbits)
+ {
+ const int nbits_max = (int)(~0U >> (ENTROPY_SHIFT + 1));
+
++ if (nbits < 0)
++ return -EINVAL;
++
+ /* Cap the value to avoid overflows */
+ nbits = min(nbits, nbits_max);
+- nbits = max(nbits, -nbits_max);
+
+ credit_entropy_bits(r, nbits);
++ return 0;
+ }
+
+ /*********************************************************************
+@@ -1543,8 +1546,7 @@ static long random_ioctl(struct file *f, unsigned int
cmd, unsigned long arg)
+ return -EPERM;
+ if (get_user(ent_count, p))
+ return -EFAULT;
+- credit_entropy_bits_safe(&input_pool, ent_count);
+- return 0;
++ return credit_entropy_bits_safe(&input_pool, ent_count);
+ case RNDADDENTROPY:
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+@@ -1558,8 +1560,7 @@ static long random_ioctl(struct file *f, unsigned int
cmd, unsigned long arg)
+ size);
+ if (retval < 0)
+ return retval;
+- credit_entropy_bits_safe(&input_pool, ent_count);
+- return 0;
++ return credit_entropy_bits_safe(&input_pool, ent_count);
+ case RNDZAPENTCNT:
+ case RNDCLEARPOOL:
+ /*
+diff --git a/drivers/cpufreq/pcc-cpufreq.c b/drivers/cpufreq/pcc-cpufreq.c
+index a7ecb9a84c15..3f0ce2ae35ee 100644
+--- a/drivers/cpufreq/pcc-cpufreq.c
++++ b/drivers/cpufreq/pcc-cpufreq.c
+@@ -555,8 +555,6 @@ static int pcc_cpufreq_cpu_init(struct cpufreq_policy
*policy)
+ policy->min = policy->cpuinfo.min_freq =
+ ioread32(&pcch_hdr->minimum_frequency) * 1000;
+
+- policy->cpuinfo.transition_latency = CPUFREQ_ETERNAL;
+-
+ pr_debug("init: policy->max is %d, policy->min is %d\n",
+ policy->max, policy->min);
+ out:
+diff --git a/drivers/infiniband/hw/hfi1/Kconfig
b/drivers/infiniband/hw/hfi1/Kconfig
+index a925fb0db706..f846fd51b85b 100644
+--- a/drivers/infiniband/hw/hfi1/Kconfig
++++ b/drivers/infiniband/hw/hfi1/Kconfig
+@@ -3,7 +3,6 @@ config INFINIBAND_HFI1
+ depends on X86_64 && INFINIBAND_RDMAVT
+ select MMU_NOTIFIER
+ select CRC32
+- default m
+ ---help---
+ This is a low-level driver for Intel OPA Gen1 adapter.
+ config HFI1_DEBUG_SDMA_ORDER
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index a2afa3be17a4..4d7981946f79 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1422,7 +1422,16 @@ int bond_enslave(struct net_device *bond_dev, struct
net_device *slave_dev)
+ return -EINVAL;
+ }
+
+- if (slave_ops->ndo_set_mac_address == NULL) {
++ if (slave_dev->type == ARPHRD_INFINIBAND &&
++ BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) {
++ netdev_warn(bond_dev, "Type (%d) supports only active-backup
mode\n",
++ slave_dev->type);
++ res = -EOPNOTSUPP;
++ goto err_undo_flags;
++ }
++
++ if (!slave_ops->ndo_set_mac_address ||
++ slave_dev->type == ARPHRD_INFINIBAND) {
+ netdev_warn(bond_dev, "The slave device specified does not
support setting the MAC address\n");
+ if (BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP &&
+ bond->params.fail_over_mac != BOND_FOM_ACTIVE) {
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_spq.c
b/drivers/net/ethernet/qlogic/qed/qed_spq.c
+index b122f6013b6c..03601dfc0642 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_spq.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_spq.c
+@@ -809,13 +809,12 @@ int qed_spq_completion(struct qed_hwfn *p_hwfn,
+ * in a bitmap and increasing the chain consumer only
+ * for the first successive completed entries.
+ */
+- bitmap_set(p_spq->p_comp_bitmap, pos, SPQ_RING_SIZE);
++ __set_bit(pos, p_spq->p_comp_bitmap);
+
+ while (test_bit(p_spq->comp_bitmap_idx,
+ p_spq->p_comp_bitmap)) {
+- bitmap_clear(p_spq->p_comp_bitmap,
+- p_spq->comp_bitmap_idx,
+- SPQ_RING_SIZE);
++ __clear_bit(p_spq->comp_bitmap_idx,
++ p_spq->p_comp_bitmap);
+ p_spq->comp_bitmap_idx++;
+ qed_chain_return_produced(&p_spq->chain);
+ }
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 8bcd78f94966..a70b6c460178 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -942,7 +942,6 @@ static struct sk_buff *macsec_decrypt(struct sk_buff *skb,
+ }
+
+ macsec_skb_cb(skb)->req = req;
+- macsec_skb_cb(skb)->rx_sa = rx_sa;
+ skb->dev = dev;
+ aead_request_set_callback(req, 0, macsec_decrypt_done, skb);
+
+@@ -1169,6 +1168,8 @@ static rx_handler_result_t macsec_handle_frame(struct
sk_buff **pskb)
+ }
+ }
+
++ macsec_skb_cb(skb)->rx_sa = rx_sa;
++
+ /* Disabled && !changed text => skip validation */
+ if (hdr->tci_an & MACSEC_TCI_C ||
+ secy->validate_frames != MACSEC_VALIDATE_DISABLED)
+diff --git a/drivers/tty/serial/mvebu-uart.c b/drivers/tty/serial/mvebu-uart.c
+index ce362bd51de7..45b57c294d13 100644
+--- a/drivers/tty/serial/mvebu-uart.c
++++ b/drivers/tty/serial/mvebu-uart.c
+@@ -300,6 +300,8 @@ static int mvebu_uart_startup(struct uart_port *port)
+ static void mvebu_uart_shutdown(struct uart_port *port)
+ {
+ writel(0, port->membase + UART_CTRL);
++
++ free_irq(port->irq, port);
+ }
+
+ static void mvebu_uart_set_termios(struct uart_port *port,
+diff --git a/fs/dcache.c b/fs/dcache.c
+index d6847d7b123d..1ed81bb80500 100644
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -622,7 +622,6 @@ static struct dentry *dentry_kill(struct dentry *dentry)
+
+ failed:
+ spin_unlock(&dentry->d_lock);
+- cpu_relax();
+ return dentry; /* try again with same dentry */
+ }
+
+@@ -796,6 +795,8 @@ void dput(struct dentry *dentry)
+ return;
+
+ repeat:
++ might_sleep();
++
+ rcu_read_lock();
+ if (likely(fast_dput(dentry))) {
+ rcu_read_unlock();
+@@ -829,8 +830,10 @@ repeat:
+
+ kill_it:
+ dentry = dentry_kill(dentry);
+- if (dentry)
++ if (dentry) {
++ cond_resched();
+ goto repeat;
++ }
+ }
+ EXPORT_SYMBOL(dput);
+
+diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
+index 3020fd70c392..1ea505434a6e 100644
+--- a/fs/ext4/balloc.c
++++ b/fs/ext4/balloc.c
+@@ -208,6 +208,9 @@ static int ext4_init_block_bitmap(struct super_block *sb,
+ memset(bh->b_data, 0, sb->s_blocksize);
+
+ bit_max = ext4_num_base_meta_clusters(sb, block_group);
++ if ((bit_max >> 3) >= bh->b_size)
++ return -EFSCORRUPTED;
++
+ for (bit = 0; bit < bit_max; bit++)
+ ext4_set_bit(bit, bh->b_data);
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 2a2eef9c14e4..d7ccb7f51dfc 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -381,9 +381,13 @@ static int ext4_valid_extent(struct inode *inode, struct
ext4_extent *ext)
+ ext4_fsblk_t block = ext4_ext_pblock(ext);
+ int len = ext4_ext_get_actual_len(ext);
+ ext4_lblk_t lblock = le32_to_cpu(ext->ee_block);
+- ext4_lblk_t last = lblock + len - 1;
+
+- if (len == 0 || lblock > last)
++ /*
++ * We allow neither:
++ * - zero length
++ * - overflow/wrap-around
++ */
++ if (lblock + len <= lblock)
+ return 0;
+ return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len);
+ }
+@@ -474,6 +478,10 @@ static int __ext4_ext_check(const char *function,
unsigned int line,
+ error_msg = "invalid extent entries";
+ goto corrupted;
+ }
++ if (unlikely(depth > 32)) {
++ error_msg = "too large eh_depth";
++ goto corrupted;
++ }
+ /* Verify checksum on non-root extent tree nodes */
+ if (ext_depth(inode) != depth &&
+ !ext4_extent_block_csum_verify(inode, eh)) {
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index f7140ca66e3b..b747ec09c1ac 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -205,9 +205,9 @@ void ext4_evict_inode(struct inode *inode)
+ * Note that directories do not have this problem because they
+ * don't use page cache.
+ */
+- if (ext4_should_journal_data(inode) &&
+- (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode)) &&
+- inode->i_ino != EXT4_JOURNAL_INO) {
++ if (inode->i_ino != EXT4_JOURNAL_INO &&
++ ext4_should_journal_data(inode) &&
++ (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode))) {
+ journal_t *journal = EXT4_SB(inode->i_sb)->s_journal;
+ tid_t commit_tid = EXT4_I(inode)->i_datasync_tid;
+
+@@ -2748,13 +2748,36 @@ retry:
+ done = true;
+ }
+ }
+- ext4_journal_stop(handle);
++ /*
++ * Caution: If the handle is synchronous,
++ * ext4_journal_stop() can wait for transaction commit
++ * to finish which may depend on writeback of pages to
++ * complete or on page lock to be released. In that
++ * case, we have to wait until after after we have
++ * submitted all the IO, released page locks we hold,
++ * and dropped io_end reference (for extent conversion
++ * to be able to complete) before stopping the handle.
++ */
++ if (!ext4_handle_valid(handle) || handle->h_sync == 0) {
++ ext4_journal_stop(handle);
++ handle = NULL;
++ }
+ /* Submit prepared bio */
+ ext4_io_submit(&mpd.io_submit);
+ /* Unlock pages we didn't use */
+ mpage_release_unused_pages(&mpd, give_up_on_write);
+- /* Drop our io_end reference we got from init */
+- ext4_put_io_end(mpd.io_submit.io_end);
++ /*
++ * Drop our io_end reference we got from init. We have
++ * to be careful and use deferred io_end finishing if
++ * we are still holding the transaction as we can
++ * release the last reference to io_end which may end
++ * up doing unwritten extent conversion.
++ */
++ if (handle) {
++ ext4_put_io_end_defer(mpd.io_submit.io_end);
++ ext4_journal_stop(handle);
++ } else
++ ext4_put_io_end(mpd.io_submit.io_end);
+
+ if (ret == -ENOSPC && sbi->s_journal) {
+ /*
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index c1ab3ec30423..7f42eda52523 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -2939,7 +2939,7 @@ ext4_mb_mark_diskspace_used(struct
ext4_allocation_context *ac,
+ ext4_error(sb, "Allocating blocks %llu-%llu which overlap "
+ "fs metadata", block, block+len);
+ /* File system mounted not to panic on error
+- * Fix the bitmap and repeat the block allocation
++ * Fix the bitmap and return EFSCORRUPTED
+ * We leak some of the blocks here.
+ */
+ ext4_lock_group(sb, ac->ac_b_ex.fe_group);
+@@ -2948,7 +2948,7 @@ ext4_mb_mark_diskspace_used(struct
ext4_allocation_context *ac,
+ ext4_unlock_group(sb, ac->ac_b_ex.fe_group);
+ err = ext4_handle_dirty_metadata(handle, NULL, bitmap_bh);
+ if (!err)
+- err = -EAGAIN;
++ err = -EFSCORRUPTED;
+ goto out_err;
+ }
+
+@@ -4513,18 +4513,7 @@ repeat:
+ }
+ if (likely(ac->ac_status == AC_STATUS_FOUND)) {
+ *errp = ext4_mb_mark_diskspace_used(ac, handle, reserv_clstrs);
+- if (*errp == -EAGAIN) {
+- /*
+- * drop the reference that we took
+- * in ext4_mb_use_best_found
+- */
+- ext4_mb_release_context(ac);
+- ac->ac_b_ex.fe_group = 0;
+- ac->ac_b_ex.fe_start = 0;
+- ac->ac_b_ex.fe_len = 0;
+- ac->ac_status = AC_STATUS_CONTINUE;
+- goto repeat;
+- } else if (*errp) {
++ if (*errp) {
+ ext4_discard_allocated_blocks(ac);
+ goto errout;
+ } else {
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 3822a5aedc61..639bd756a8d8 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2278,6 +2278,16 @@ static void ext4_orphan_cleanup(struct super_block *sb,
+ while (es->s_last_orphan) {
+ struct inode *inode;
+
++ /*
++ * We may have encountered an error during cleanup; if
++ * so, skip the rest.
++ */
++ if (EXT4_SB(sb)->s_mount_state & EXT4_ERROR_FS) {
++ jbd_debug(1, "Skipping orphan recovery on fs with
errors.\n");
++ es->s_last_orphan = 0;
++ break;
++ }
++
+ inode = ext4_orphan_get(sb, le32_to_cpu(es->s_last_orphan));
+ if (IS_ERR(inode)) {
+ es->s_last_orphan = 0;
+@@ -3416,6 +3426,13 @@ static int ext4_fill_super(struct super_block *sb, void
*data, int silent)
+ goto failed_mount;
+ }
+
++ if (le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) > (blocksize / 4)) {
++ ext4_msg(sb, KERN_ERR,
++ "Number of reserved GDT blocks insanely large: %d",
++ le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks));
++ goto failed_mount;
++ }
++
+ if (sbi->s_mount_opt & EXT4_MOUNT_DAX) {
+ err = bdev_dax_supported(sb, blocksize);
+ if (err)
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c
+index 9154f8679024..6cac3dc33521 100644
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -417,6 +417,15 @@ static int fuse_flush(struct file *file, fl_owner_t id)
+ fuse_sync_writes(inode);
+ inode_unlock(inode);
+
++ if (test_bit(AS_ENOSPC, &file->f_mapping->flags) &&
++ test_and_clear_bit(AS_ENOSPC, &file->f_mapping->flags))
++ err = -ENOSPC;
++ if (test_bit(AS_EIO, &file->f_mapping->flags) &&
++ test_and_clear_bit(AS_EIO, &file->f_mapping->flags))
++ err = -EIO;
++ if (err)
++ return err;
++
+ req = fuse_get_req_nofail_nopages(fc, file);
+ memset(&inarg, 0, sizeof(inarg));
+ inarg.fh = ff->fh;
+@@ -462,6 +471,21 @@ int fuse_fsync_common(struct file *file, loff_t start,
loff_t end,
+ goto out;
+
+ fuse_sync_writes(inode);
++
++ /*
++ * Due to implementation of fuse writeback
++ * filemap_write_and_wait_range() does not catch errors.
++ * We have to do this directly after fuse_sync_writes()
++ */
++ if (test_bit(AS_ENOSPC, &file->f_mapping->flags) &&
++ test_and_clear_bit(AS_ENOSPC, &file->f_mapping->flags))
++ err = -ENOSPC;
++ if (test_bit(AS_EIO, &file->f_mapping->flags) &&
++ test_and_clear_bit(AS_EIO, &file->f_mapping->flags))
++ err = -EIO;
++ if (err)
++ goto out;
++
+ err = sync_inode_metadata(inode, 1);
+ if (err)
+ goto out;
+diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
+index 9961d8432ce3..9b7cb37b4ba8 100644
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -942,7 +942,7 @@ static void fuse_send_init(struct fuse_conn *fc, struct
fuse_req *req)
+ arg->flags |= FUSE_ASYNC_READ | FUSE_POSIX_LOCKS | FUSE_ATOMIC_O_TRUNC |
+ FUSE_EXPORT_SUPPORT | FUSE_BIG_WRITES | FUSE_DONT_MASK |
+ FUSE_SPLICE_WRITE | FUSE_SPLICE_MOVE | FUSE_SPLICE_READ |
+- FUSE_FLOCK_LOCKS | FUSE_IOCTL_DIR | FUSE_AUTO_INVAL_DATA |
++ FUSE_FLOCK_LOCKS | FUSE_HAS_IOCTL_DIR | FUSE_AUTO_INVAL_DATA |
+ FUSE_DO_READDIRPLUS | FUSE_READDIRPLUS_AUTO | FUSE_ASYNC_DIO |
+ FUSE_WRITEBACK_CACHE | FUSE_NO_OPEN_SUPPORT |
+ FUSE_PARALLEL_DIROPS;
+diff --git a/fs/inode.c b/fs/inode.c
+index 4ccbc21b30ce..9ea421948742 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -345,7 +345,7 @@ EXPORT_SYMBOL(inc_nlink);
+ void address_space_init_once(struct address_space *mapping)
+ {
+ memset(mapping, 0, sizeof(*mapping));
+- INIT_RADIX_TREE(&mapping->page_tree, GFP_ATOMIC);
++ INIT_RADIX_TREE(&mapping->page_tree, GFP_ATOMIC | __GFP_ACCOUNT);
+ spin_lock_init(&mapping->tree_lock);
+ init_rwsem(&mapping->i_mmap_rwsem);
+ INIT_LIST_HEAD(&mapping->private_list);
+@@ -1740,8 +1740,8 @@ static int __remove_privs(struct dentry *dentry, int
kill)
+ */
+ int file_remove_privs(struct file *file)
+ {
+- struct dentry *dentry = file->f_path.dentry;
+- struct inode *inode = d_inode(dentry);
++ struct dentry *dentry = file_dentry(file);
++ struct inode *inode = file_inode(file);
+ int kill;
+ int error = 0;
+
+@@ -1749,7 +1749,7 @@ int file_remove_privs(struct file *file)
+ if (IS_NOSEC(inode))
+ return 0;
+
+- kill = file_needs_remove_privs(file);
++ kill = dentry_needs_remove_privs(dentry);
+ if (kill < 0)
+ return kill;
+ if (kill)
+diff --git a/fs/ioctl.c b/fs/ioctl.c
+index 116a333e9c77..0f56deb24ce6 100644
+--- a/fs/ioctl.c
++++ b/fs/ioctl.c
+@@ -590,6 +590,7 @@ static long ioctl_file_dedupe_range(struct file *file,
void __user *arg)
+ goto out;
+ }
+
++ same->dest_count = count;
+ ret = vfs_dedupe_file_range(file, same);
+ if (ret)
+ goto out;
+diff --git a/ipc/msg.c b/ipc/msg.c
+index 1471db9a7e61..c6521c205cb4 100644
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -680,7 +680,7 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
+ rcu_read_lock();
+ ipc_lock_object(&msq->q_perm);
+
+- ipc_rcu_putref(msq, ipc_rcu_free);
++ ipc_rcu_putref(msq, msg_rcu_free);
+ /* raced with RMID? */
+ if (!ipc_valid_object(&msq->q_perm)) {
+ err = -EIDRM;
+diff --git a/ipc/sem.c b/ipc/sem.c
+index b3757ea0694b..5d2f875e8e2e 100644
+--- a/ipc/sem.c
++++ b/ipc/sem.c
+@@ -449,7 +449,7 @@ static inline struct sem_array
*sem_obtain_object_check(struct ipc_namespace *ns
+ static inline void sem_lock_and_putref(struct sem_array *sma)
+ {
+ sem_lock(sma, NULL, -1);
+- ipc_rcu_putref(sma, ipc_rcu_free);
++ ipc_rcu_putref(sma, sem_rcu_free);
+ }
+
+ static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s)
+@@ -1392,7 +1392,7 @@ static int semctl_main(struct ipc_namespace *ns, int
semid, int semnum,
+ rcu_read_unlock();
+ sem_io = ipc_alloc(sizeof(ushort)*nsems);
+ if (sem_io == NULL) {
+- ipc_rcu_putref(sma, ipc_rcu_free);
++ ipc_rcu_putref(sma, sem_rcu_free);
+ return -ENOMEM;
+ }
+
+@@ -1426,20 +1426,20 @@ static int semctl_main(struct ipc_namespace *ns, int
semid, int semnum,
+ if (nsems > SEMMSL_FAST) {
+ sem_io = ipc_alloc(sizeof(ushort)*nsems);
+ if (sem_io == NULL) {
+- ipc_rcu_putref(sma, ipc_rcu_free);
++ ipc_rcu_putref(sma, sem_rcu_free);
+ return -ENOMEM;
+ }
+ }
+
+ if (copy_from_user(sem_io, p, nsems*sizeof(ushort))) {
+- ipc_rcu_putref(sma, ipc_rcu_free);
++ ipc_rcu_putref(sma, sem_rcu_free);
+ err = -EFAULT;
+ goto out_free;
+ }
+
+ for (i = 0; i < nsems; i++) {
+ if (sem_io[i] > SEMVMX) {
+- ipc_rcu_putref(sma, ipc_rcu_free);
++ ipc_rcu_putref(sma, sem_rcu_free);
+ err = -ERANGE;
+ goto out_free;
+ }
+@@ -1731,7 +1731,7 @@ static struct sem_undo *find_alloc_undo(struct
ipc_namespace *ns, int semid)
+ /* step 2: allocate new undo structure */
+ new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems,
GFP_KERNEL);
+ if (!new) {
+- ipc_rcu_putref(sma, ipc_rcu_free);
++ ipc_rcu_putref(sma, sem_rcu_free);
+ return ERR_PTR(-ENOMEM);
+ }
+
+diff --git a/lib/radix-tree.c b/lib/radix-tree.c
+index 8b7d8459bb9d..bc7852f95443 100644
+--- a/lib/radix-tree.c
++++ b/lib/radix-tree.c
+@@ -274,10 +274,11 @@ radix_tree_node_alloc(struct radix_tree_root *root)
+
+ /*
+ * Even if the caller has preloaded, try to allocate from the
+- * cache first for the new node to get accounted.
++ * cache first for the new node to get accounted to the memory
++ * cgroup.
+ */
+ ret = kmem_cache_alloc(radix_tree_node_cachep,
+- gfp_mask | __GFP_ACCOUNT | __GFP_NOWARN);
++ gfp_mask | __GFP_NOWARN);
+ if (ret)
+ goto out;
+
+@@ -300,8 +301,7 @@ radix_tree_node_alloc(struct radix_tree_root *root)
+ kmemleak_update_trace(ret);
+ goto out;
+ }
+- ret = kmem_cache_alloc(radix_tree_node_cachep,
+- gfp_mask | __GFP_ACCOUNT);
++ ret = kmem_cache_alloc(radix_tree_node_cachep, gfp_mask);
+ out:
+ BUG_ON(radix_tree_is_internal_node(ret));
+ return ret;
+@@ -348,6 +348,12 @@ static int __radix_tree_preload(gfp_t gfp_mask)
+ struct radix_tree_node *node;
+ int ret = -ENOMEM;
+
++ /*
++ * Nodes preloaded by one cgroup can be be used by another cgroup, so
++ * they should never be accounted to any particular memory cgroup.
++ */
++ gfp_mask &= ~__GFP_ACCOUNT;
++
+ preempt_disable();
+ rtp = this_cpu_ptr(&radix_tree_preloads);
+ while (rtp->nr < RADIX_TREE_PRELOAD_SIZE) {
+diff --git a/mm/memcontrol.c b/mm/memcontrol.c
+index 5339c89dff63..ca847d96a980 100644
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -4083,14 +4083,32 @@ static struct cftype mem_cgroup_legacy_files[] = {
+
+ static DEFINE_IDR(mem_cgroup_idr);
+
+-static void mem_cgroup_id_get(struct mem_cgroup *memcg)
++static void mem_cgroup_id_get_many(struct mem_cgroup *memcg, unsigned int n)
+ {
+- atomic_inc(&memcg->id.ref);
++ atomic_add(n, &memcg->id.ref);
+ }
+
+-static void mem_cgroup_id_put(struct mem_cgroup *memcg)
++static struct mem_cgroup *mem_cgroup_id_get_online(struct mem_cgroup *memcg)
+ {
+- if (atomic_dec_and_test(&memcg->id.ref)) {
++ while (!atomic_inc_not_zero(&memcg->id.ref)) {
++ /*
++ * The root cgroup cannot be destroyed, so it's refcount must
++ * always be >= 1.
++ */
++ if (WARN_ON_ONCE(memcg == root_mem_cgroup)) {
++ VM_BUG_ON(1);
++ break;
++ }
++ memcg = parent_mem_cgroup(memcg);
++ if (!memcg)
++ memcg = root_mem_cgroup;
++ }
++ return memcg;
++}
++
++static void mem_cgroup_id_put_many(struct mem_cgroup *memcg, unsigned int n)
++{
++ if (atomic_sub_and_test(n, &memcg->id.ref)) {
+ idr_remove(&mem_cgroup_idr, memcg->id.id);
+ memcg->id.id = 0;
+
+@@ -4099,6 +4117,16 @@ static void mem_cgroup_id_put(struct mem_cgroup *memcg)
+ }
+ }
+
++static inline void mem_cgroup_id_get(struct mem_cgroup *memcg)
++{
++ mem_cgroup_id_get_many(memcg, 1);
++}
++
++static inline void mem_cgroup_id_put(struct mem_cgroup *memcg)
++{
++ mem_cgroup_id_put_many(memcg, 1);
++}
++
+ /**
+ * mem_cgroup_from_id - look up a memcg from a memcg id
+ * @id: the memcg id to look up
+@@ -4736,6 +4764,8 @@ static void __mem_cgroup_clear_mc(void)
+ if (!mem_cgroup_is_root(mc.from))
+ page_counter_uncharge(&mc.from->memsw, mc.moved_swap);
+
++ mem_cgroup_id_put_many(mc.from, mc.moved_swap);
++
+ /*
+ * we charged both to->memory and to->memsw, so we
+ * should uncharge to->memory.
+@@ -4743,9 +4773,9 @@ static void __mem_cgroup_clear_mc(void)
+ if (!mem_cgroup_is_root(mc.to))
+ page_counter_uncharge(&mc.to->memory, mc.moved_swap);
+
+- css_put_many(&mc.from->css, mc.moved_swap);
++ mem_cgroup_id_get_many(mc.to, mc.moved_swap);
++ css_put_many(&mc.to->css, mc.moved_swap);
+
+- /* we've already done css_get(mc.to) */
+ mc.moved_swap = 0;
+ }
+ memcg_oom_recover(from);
+@@ -5805,7 +5835,7 @@ subsys_initcall(mem_cgroup_init);
+ */
+ void mem_cgroup_swapout(struct page *page, swp_entry_t entry)
+ {
+- struct mem_cgroup *memcg;
++ struct mem_cgroup *memcg, *swap_memcg;
+ unsigned short oldid;
+
+ VM_BUG_ON_PAGE(PageLRU(page), page);
+@@ -5820,16 +5850,27 @@ void mem_cgroup_swapout(struct page *page, swp_entry_t
entry)
+ if (!memcg)
+ return;
+
+- mem_cgroup_id_get(memcg);
+- oldid = swap_cgroup_record(entry, mem_cgroup_id(memcg));
++ /*
++ * In case the memcg owning these pages has been offlined and doesn't
++ * have an ID allocated to it anymore, charge the closest online
++ * ancestor for the swap instead and transfer the memory+swap charge.
++ */
++ swap_memcg = mem_cgroup_id_get_online(memcg);
++ oldid = swap_cgroup_record(entry, mem_cgroup_id(swap_memcg));
+ VM_BUG_ON_PAGE(oldid, page);
+- mem_cgroup_swap_statistics(memcg, true);
++ mem_cgroup_swap_statistics(swap_memcg, true);
+
+ page->mem_cgroup = NULL;
+
+ if (!mem_cgroup_is_root(memcg))
+ page_counter_uncharge(&memcg->memory, 1);
+
++ if (memcg != swap_memcg) {
++ if (!mem_cgroup_is_root(swap_memcg))
++ page_counter_charge(&swap_memcg->memsw, 1);
++ page_counter_uncharge(&memcg->memsw, 1);
++ }
++
+ /*
+ * Interrupts should be disabled here because the caller holds the
+ * mapping->tree_lock lock which is taken with interrupts-off. It is
+@@ -5868,11 +5909,14 @@ int mem_cgroup_try_charge_swap(struct page *page,
swp_entry_t entry)
+ if (!memcg)
+ return 0;
+
++ memcg = mem_cgroup_id_get_online(memcg);
++
+ if (!mem_cgroup_is_root(memcg) &&
+- !page_counter_try_charge(&memcg->swap, 1, &counter))
++ !page_counter_try_charge(&memcg->swap, 1, &counter)) {
++ mem_cgroup_id_put(memcg);
+ return -ENOMEM;
++ }
+
+- mem_cgroup_id_get(memcg);
+ oldid = swap_cgroup_record(entry, mem_cgroup_id(memcg));
+ VM_BUG_ON_PAGE(oldid, page);
+ mem_cgroup_swap_statistics(memcg, true);
+diff --git a/mm/mempool.c b/mm/mempool.c
+index 8f65464da5de..47a659dedd44 100644
+--- a/mm/mempool.c
++++ b/mm/mempool.c
+@@ -306,7 +306,7 @@ EXPORT_SYMBOL(mempool_resize);
+ * returns NULL. Note that due to preallocation, this function
+ * *never* fails when called from process contexts. (it might
+ * fail if called from an IRQ context.)
+- * Note: neither __GFP_NOMEMALLOC nor __GFP_ZERO are supported.
++ * Note: using __GFP_ZERO is not supported.
+ */
+ void *mempool_alloc(mempool_t *pool, gfp_t gfp_mask)
+ {
+@@ -315,27 +315,16 @@ void *mempool_alloc(mempool_t *pool, gfp_t gfp_mask)
+ wait_queue_t wait;
+ gfp_t gfp_temp;
+
+- /* If oom killed, memory reserves are essential to prevent livelock */
+- VM_WARN_ON_ONCE(gfp_mask & __GFP_NOMEMALLOC);
+- /* No element size to zero on allocation */
+ VM_WARN_ON_ONCE(gfp_mask & __GFP_ZERO);
+-
+ might_sleep_if(gfp_mask & __GFP_DIRECT_RECLAIM);
+
++ gfp_mask |= __GFP_NOMEMALLOC; /* don't allocate emergency reserves */
+ gfp_mask |= __GFP_NORETRY; /* don't loop in __alloc_pages */
+ gfp_mask |= __GFP_NOWARN; /* failures are OK */
+
+ gfp_temp = gfp_mask & ~(__GFP_DIRECT_RECLAIM|__GFP_IO);
+
+ repeat_alloc:
+- if (likely(pool->curr_nr)) {
+- /*
+- * Don't allocate from emergency reserves if there are
+- * elements available. This check is racy, but it will
+- * be rechecked each loop.
+- */
+- gfp_temp |= __GFP_NOMEMALLOC;
+- }
+
+ element = pool->alloc(gfp_temp, pool->pool_data);
+ if (likely(element != NULL))
+@@ -359,12 +348,11 @@ repeat_alloc:
+ * We use gfp mask w/o direct reclaim or IO for the first round. If
+ * alloc failed with that and @pool was empty, retry immediately.
+ */
+- if ((gfp_temp & ~__GFP_NOMEMALLOC) != gfp_mask) {
++ if (gfp_temp != gfp_mask) {
+ spin_unlock_irqrestore(&pool->lock, flags);
+ gfp_temp = gfp_mask;
+ goto repeat_alloc;
+ }
+- gfp_temp = gfp_mask;
+
+ /* We must not sleep if !__GFP_DIRECT_RECLAIM */
+ if (!(gfp_mask & __GFP_DIRECT_RECLAIM)) {
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index 43d2cd862bc2..28d5ec269e48 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -288,6 +288,14 @@ rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
+ case 0x01: /* IEEE MAC (Pause) */
+ goto drop;
+
++ case 0x0E: /* 802.1AB LLDP */
++ fwd_mask |= p->br->group_fwd_mask;
++ if (fwd_mask & (1u << dest[5]))
++ goto forward;
++ *pskb = skb;
++ __br_handle_local_finish(skb);
++ return RX_HANDLER_PASS;
++
+ default:
+ /* Allow selective forwarding for most other protocols
*/
+ fwd_mask |= p->br->group_fwd_mask;
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index e00e972c4e6a..700b72ca5912 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -236,7 +236,8 @@ void tcp_select_initial_window(int __space, __u32 mss,
+ /* Set window scaling on max possible window
+ * See RFC1323 for an explanation of the limit to 14
+ */
+- space = max_t(u32, sysctl_tcp_rmem[2], sysctl_rmem_max);
++ space = max_t(u32, space, sysctl_tcp_rmem[2]);
++ space = max_t(u32, space, sysctl_rmem_max);
+ space = min_t(u32, space, *window_clamp);
+ while (space > 65535 && (*rcv_wscale) < 14) {
+ space >>= 1;
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 4aed8fc23d32..e61f7cd65d08 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1581,9 +1581,7 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff
*skb)
+ udp_lib_checksum_complete(skb))
+ goto csum_error;
+
+- if (sk_filter(sk, skb))
+- goto drop;
+- if (unlikely(skb->len < sizeof(struct udphdr)))
++ if (sk_filter_trim_cap(sk, skb, sizeof(struct udphdr)))
+ goto drop;
+
+ udp_csum_pull_header(skb);
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 47f837a58e0a..047c75a798b1 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -3562,6 +3562,10 @@ restart:
+ if (state != INET6_IFADDR_STATE_DEAD) {
+ __ipv6_ifa_notify(RTM_DELADDR, ifa);
+ inet6addr_notifier_call_chain(NETDEV_DOWN, ifa);
++ } else {
++ if (idev->cnf.forwarding)
++ addrconf_leave_anycast(ifa);
++ addrconf_leave_solict(ifa->idev, &ifa->addr);
+ }
+
+ write_lock_bh(&idev->lock);
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index acc09705618b..42a2edf7c9ef 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -618,9 +618,7 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff
*skb)
+ udp_lib_checksum_complete(skb))
+ goto csum_error;
+
+- if (sk_filter(sk, skb))
+- goto drop;
+- if (unlikely(skb->len < sizeof(struct udphdr)))
++ if (sk_filter_trim_cap(sk, skb, sizeof(struct udphdr)))
+ goto drop;
+
+ udp_csum_pull_header(skb);
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index 923abd6b3064..8d2f7c9b491d 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1024,8 +1024,11 @@ static int irda_connect(struct socket *sock, struct
sockaddr *uaddr,
+ }
+
+ /* Check if we have opened a local TSAP */
+- if (!self->tsap)
+- irda_open_tsap(self, LSAP_ANY, addr->sir_name);
++ if (!self->tsap) {
++ err = irda_open_tsap(self, LSAP_ANY, addr->sir_name);
++ if (err)
++ goto out;
++ }
+
+ /* Move to connecting socket, start sending Connect Requests */
+ sock->state = SS_CONNECTING;
+diff --git a/net/sctp/input.c b/net/sctp/input.c
+index 47cf4604d19c..f093322560e6 100644
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -328,6 +328,7 @@ int sctp_backlog_rcv(struct sock *sk, struct sk_buff *skb)
+ */
+
+ sk = rcvr->sk;
++ local_bh_disable();
+ bh_lock_sock(sk);
+
+ if (sock_owned_by_user(sk)) {
+@@ -339,6 +340,7 @@ int sctp_backlog_rcv(struct sock *sk, struct sk_buff *skb)
+ sctp_inq_push(inqueue, chunk);
+
+ bh_unlock_sock(sk);
++ local_bh_enable();
+
+ /* If the chunk was backloged again, don't drop refs */
+ if (backloged)
+diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
+index 9d87bba0ff1d..b335ffcef0b9 100644
+--- a/net/sctp/inqueue.c
++++ b/net/sctp/inqueue.c
+@@ -89,12 +89,10 @@ void sctp_inq_push(struct sctp_inq *q, struct sctp_chunk
*chunk)
+ * Eventually, we should clean up inqueue to not rely
+ * on the BH related data structures.
+ */
+- local_bh_disable();
+ list_add_tail(&chunk->list, &q->in_chunk_list);
+ if (chunk->asoc)
+ chunk->asoc->stats.ipackets++;
+ q->immediate.func(&q->immediate);
+- local_bh_enable();
+ }
+
+ /* Peek at the next chunk on the inqeue. */
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 67154b848aa9..7f5689a93de9 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4301,6 +4301,7 @@ int sctp_transport_walk_start(struct rhashtable_iter
*iter)
+
+ err = rhashtable_walk_start(iter);
+ if (err && err != -EAGAIN) {
++ rhashtable_walk_stop(iter);
+ rhashtable_walk_exit(iter);
+ return err;
+ }
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index ad4fa49ad1db..9068369f8a1b 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -331,6 +331,7 @@ static int aa_fs_seq_hash_show(struct seq_file *seq, void
*v)
+ seq_printf(seq, "%.2x", profile->hash[i]);
+ seq_puts(seq, "\n");
+ }
++ aa_put_profile(profile);
+
+ return 0;
+ }
++++++ series.conf ++++++
--- /var/tmp/diff_new_pack.tvfvNR/_old 2016-08-20 12:26:56.000000000 +0200
+++ /var/tmp/diff_new_pack.tvfvNR/_new 2016-08-20 12:26:56.000000000 +0200
@@ -27,6 +27,7 @@
# DO NOT MODIFY THEM!
# Send separate patches upstream if you find a problem...
########################################################
+ patches.kernel.org/patch-4.7.1
########################################################
# Build fixes that apply to the vanilla kernel too.
@@ -169,7 +170,6 @@
########################################################
# VM/FS patches
########################################################
- patches.fixes/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl
# Patches to export btrfs anonymous devices (VFS portion)
patches.suse/vfs-add-super_operations-get_inode_dev
@@ -319,7 +319,7 @@
patches.fixes/scsi-ibmvscsi-module_alias.patch
# boo#991608 CVE-2016-6480
-
patches.drivers/0001-aacraid-prevent-out-of-bounds-access-due-to-changing.patch
+
patches.fixes/aacraid-check-size-values-after-double-fetch-from-user.patch
########################################################
# DRM/Video
++++++ source-timestamp ++++++
--- /var/tmp/diff_new_pack.tvfvNR/_old 2016-08-20 12:26:56.000000000 +0200
+++ /var/tmp/diff_new_pack.tvfvNR/_new 2016-08-20 12:26:56.000000000 +0200
@@ -1,3 +1,3 @@
-2016-08-04 14:44:37 +0200
-GIT Revision: df207c00a9afabbe17c41deb04f870c3d7873c2e
+2016-08-16 16:32:45 +0200
+GIT Revision: 61bf3f108f9ae068b81f1ba3ee3fcc224bf7aed2
GIT Branch: stable
